aoe:security

addresses to block

http://isc.sans.org/diary.html?storyid=5434&rss

85.255.112.0 
85.255.127.255

open ports

lsof -i

port scan

nmap -sS -p T:0-65535 -T 4 localhost
nmap -sU -p U:0-65535 -T 4 localhost

Ports being scanned by black.cirt.vt.edu as informed on 8-8-2007 and verified on helios 2007-8-23
21	tcp	ftp
22	tcp	ssh
23	tcp	telnet
25	tcp	smtp
80	tcp	http
135	tcp	msrpc
139	tcp	netbios-ssn
443	tcp	https
445	tcp	microsoft-ds
548	tcp	afpovertcp
1433	tcp	ms-sql
1521		Oracle
1525		Oracle
3306	tcp	mysql
3389	tcp	ms-term-serv (not scanned)
5003	tcp	FileMaker
5432	tcp	postgres
6969	tcp	bittorrent tracker
6881	tcp	bittorrent clients
6882	tcp	bittorrent clients
6883	tcp	bittorrent clients
6884	tcp	bittorrent clients
6885	tcp	bittorrent clients

to listen and see who's calling:

nc -l -p 1026 -u -v

Sniffing packets:

An example tcpdump command:

tcpdump -nn -i eth0 -s 1514 -w file.cap 'tcp and port 5050'

This command will capture full ethernet packets (1500 MTU + 14 bytes for the frame header), binding to interface eth0 (-i switch), and write to a file called “file.cap”. The end of the command line is the bpf, filtering packets matching tcp port 5050 (both source and destination). The -nn disables name and port resolution.

tcpdump -s 200 -XX -vvv icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

This command captures 200 bytes instead of the default 60 bytes, displays them in hex and ascii and only displays icmp packets that are not echo requests and echo replies.

Wireshark:

The biggest advantage for using tshark is that it includes a ring buffer for packet capturing. If you find yourself dropping packets with tcpdump, try using tshark with the ring buffer.

The following command runs tshark binding to interface en0 (-i) , disabling name resolution (-n), and using a ring buffer rotating files after every 10000K (-b filesize:10000) and writing to a basename of “foo” (-w foo).

tshark -i en0 -b filesize:10000 -w foo -n

You end up with files named as follows:

foo_00001_20070831000015
foo_00002_20070831000039

xinetd

edit hosts.allow

ALL: 172.16.1.  : allow
ALL: 128.173.   : allow
ALL: 198.82.    : allow
ALL: .vt.edu    : allow
ALL: .aoe.vt.edu : allow

edit hosts.deny

ALL: ALL

IpSec (Windows)

http://www.microsoft.com/technet/network/security/ipsecld.mspx

Sample list

Role	Direction	From/to	Interface IP address	IP Protocol	TCP/UDP port
Web—regular	in	all	131.107.1.1	TCP	80
Web—SSL	in	all	131.107.1.1	TCP	443
SMTP	in, out	all, all	131.107.1.2	TCP	25
POP3—regular	in	all	131.107.1.2	TCP	110
POP3—SSL	in	all	131.107.1.2	TCP	995
IMAP4—regular	in	all	131.107.1.2	TCP	143
IMAP4—SSL	in	all	131.107.1.2	TCP	993

Domain Controllers

from AOE System Administrators Guide

Role	Direction	From/to	Interface IP address	IP Protocol	TCP/UDP port	pluto	neptune
Simple Services
netbios
netbios-ns					137
netbios-dgm					138
netbios-ssn					139
SMB
microsoft-ds					445
Kerberos
kerberos					88
kpasswd5					464
kerberos-adm					749
krb5_prop					754
krbupdate					760
LDAP
ldap					389
ldapssl					636
globalcatLDAP					3268
globalcatLDAPssl					3269
IDMUPassSync					6677
profile
profile					136
msdts
msdtc					3372
http
http					80
https					443
IIS					1027
lpd
http					515
Remote Access Services
RDP
RDP					3389
telnet
telnet					23
MS RPC
msrpc					135
msrpc_high					593
Sun RPC
rpc bind					111
rpc service					5000-5020

[root@hephaistos ~]# nmap pluto

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-07-13 06:57 EDT
Warning: Hostname pluto resolves to 2 IPs. Using 128.173.188.25.
Interesting ports on 128.173.188.25:
Not shown: 1663 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
515/tcp  open  printer
593/tcp  open  http-rpc-epmap
610/tcp  open  npmp-local
636/tcp  open  ldapssl
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-term-serv
MAC Address: 00:30:48:81:5D:9D (Supermicro Computer)

Nmap finished: 1 IP address (1 host up) scanned in 1.999 seconds

[root@hephaistos ~]# nmap neptune

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-07-13 07:06 EDT
Warning: Hostname neptune resolves to 2 IPs. Using 128.173.188.26.
Interesting ports on neptune.aoe.vt.edu (128.173.188.26):
Not shown: 1663 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
606/tcp  open  urm
636/tcp  open  ldapssl
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-term-serv
MAC Address: 00:30:48:72:86:38 (Supermicro Computer)

Nmap finished: 1 IP address (1 host up) scanned in 1.865 seconds

[root@hephaistos ~]# nmap neptune2

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-07-13 07:07 EDT
Warning: Hostname neptune2 resolves to 2 IPs. Using 128.173.188.28.
Interesting ports on neptune2.aoe.vt.edu (128.173.188.28):
Not shown: 1665 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
866/tcp  open  unknown
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1241/tcp open  nessus
MAC Address: 00:30:48:8F:76:3B (Supermicro Computer)

Nmap finished: 1 IP address (1 host up) scanned in 1.957 seconds

servers

printers.aoe.vt.edu

Printers is running a ipsec to limit access from campus, plus, the windows firewall rules are running also. This presented a problem when accessing from wireless in that the windows firewall 'File Sharing' exception was limited to the local subnet. I placed a custom list using 128.173.0.0/255.255.0.0 and 198.82.0.0/255.255.0.0.

Lab Machines

Role	Direction	From/to	Interface IP address	IP Protocol	TCP/UDP port

SSSL Lab machines

severian

Role	Direction	From/to	Interface IP address	IP Protocol	TCP/UDP port
gps - custom	in	campus	local-host	TCP	30002
gps - custom	in	128.173.89.201 (euripides.ece.vt.edu) (Whitamore GPS lab)	local-host	TCP	5002-5005

typhon

Role	Direction	From/to	Interface IP address	IP Protocol	TCP/UDP port
gps - custom	in	campus	local-host	TCP	30002
gps - custom	in	128.173.89.201 (euripides.ece.vt.edu) (Whitamore GPS lab)	local-host	TCP	5002-5005
nfs for pc-104's	in	192.168.0.0	192.168.0.254	TCP	30002

licenseserver

licenseserver3

licenseserver4

AGI		27001
Autodesk	2080	27000
Comsol	1718
PTC (Mathcad)	7788
Star CCM+	1999
Intel fortran compiler	28518

iptables (Linux)

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-ports.html

/etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

chkconfig iptables on

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

Some kind of logging:

iptables -t filter -I INPUT -m state --state NEW -p udp -s ! aries.aoe.vt.edu -d aries.aoe.vt.edu -j LOG --log-prefix=" New_udp "
iptables -t filter -I INPUT -m state --state NEW -p tcp -s ! aries.aoe.vt.edu -d aries.aoe.vt.edu -j LOG --log-prefix=" New_tcp "

iptables -t filter -I INPUT -m state --state NEW -p udp -s ! `hostname` -d `hostname` -j LOG --log-prefix=" New_udp "
iptables -t filter -I INPUT -m state --state NEW -p tcp -s ! `hostname` -d `hostname` -j LOG --log-prefix=" New_tcp "

Save and restore: iptables

licenseserver2

no firewall on old license server output:

[root@licenseserver2 ~]# nmap -sS -r -p T:0-65535 localhost

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-08-10 10:01 EDT
Interesting ports on licenseserver2.aoe.vt.edu (127.0.0.1):
(The 65528 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
111/tcp   open  rpcbind
631/tcp   open  ipp
16286/tcp open  unknown
27000/tcp open  flexlm0
32768/tcp open  unknown
32779/tcp open  sometimes-rpc21

Nmap run completed -- 1 IP address (1 host up) scanned in 26.695 seconds

[root@licenseserver2 ~]# nmap -sU -r -p U:0-65535 localhost

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-08-10 10:00 EDT
Interesting ports on licenseserver2.aoe.vt.edu (127.0.0.1):
(The 65527 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
111/udp   open|filtered rpcbind
123/udp   open|filtered ntp
631/udp   open|filtered unknown
948/udp   open|filtered unknown
5621/udp  open          unknown
7931/udp  open          unknown
32768/udp open|filtered omad
32769/udp open|filtered unknown
60189/udp open          unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 28.585 seconds

Supermicro licenseserver2 with firewall on

[root@licenseserver2 ~]# nmap -sS -p T:0-65535 -T 4 localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-10 07:33 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 65532 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
631/tcp open  ipp
695/tcp open  unknown

Nmap finished: 1 IP address (1 host up) scanned in 3.775 seconds
[root@licenseserver2 ~]# nmap -sU -p U:0-65535 -T 4 localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-10 07:34 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 65531 closed ports
PORT      STATE         SERVICE
514/udp   open|filtered syslog
631/udp   open|filtered unknown
689/udp   open|filtered unknown
692/udp   open|filtered unknown
56217/udp open          unknown

Nmap finished: 1 IP address (1 host up) scanned in 6.590 seconds

Role	Direction	From/to	Interface IP address	IP Protocol	TCP/UDP port
ami_elm (AMI Products)	in	all	licenseserver2	UDP	5621
surfgen/lmgrd	in	all	licenseserver2	TCP	27000
mathlm (mathematica)	in	all	licenseserver2	TCP	16286
asi_elm (Gasp)	in	all	licenseserver2	UDP	7931
surfgen/gridgend	in	all	licenseserver2	TCP	34000
surfgen/ami-squeeze gridgend	in	all	licenseserver2	TCP	1542
visualdoc/lmgrd	in	all	licenseserver2	TCP	27002
visualdoc/lmgrd	in	all	licenseserver2	TCP	56708

Add these lines to /etc/sysconfig/iptables

# Limit ssh to campus
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 22 -j ACCEPT

# surfgen
-A RH-Firewall-1-INPUT -p tcp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 27000 -j ACCEPT
# visualdoc
-A RH-Firewall-1-INPUT -p tcp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 27002 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 56708 -j ACCEPT
# mathlm
-A RH-Firewall-1-INPUT -p tcp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 16286 -j ACCEPT
# gridgen ?
-A RH-Firewall-1-INPUT -p tcp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 32779 -j ACCEPT
# ami_elmd
-A RH-Firewall-1-INPUT -p udp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 5621 -j ACCEPT
# asi_elmd
-A RH-Firewall-1-INPUT -p udp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 7931 -j ACCEPT
# gridgen ?
-A RH-Firewall-1-INPUT -p udp -s 198.82.0.0/16 -d licenseserver2.aoe.vt.edu --dport 32769 -j ACCEPT

# surgen
-A RH-Firewall-1-INPUT -p tcp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 27000 -j ACCEPT
# visualdoc
-A RH-Firewall-1-INPUT -p tcp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 27002 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 56708 -j ACCEPT
# mathlm
-A RH-Firewall-1-INPUT -p tcp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 16286 -j ACCEPT
# gridgen ?
-A RH-Firewall-1-INPUT -p tcp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 32779 -j ACCEPT
# ami_elmd
-A RH-Firewall-1-INPUT -p udp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 5621 -j ACCEPT
# asi_elmd
-A RH-Firewall-1-INPUT -p udp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 7931 -j ACCEPT
# gridgen ?
-A RH-Firewall-1-INPUT -p udp -s 128.173.0.0/16 -d licenseserver2.aoe.vt.edu --dport 32769 -j ACCEPT

nfs servers

[root@alexandria ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.

# Preamble
*filter

# Input Chain
:INPUT ACCEPT [0:0]

# Forward Chain
:FORWARD ACCEPT [0:0]

# Ouptut Chain
:OUTPUT ACCEPT [0:0]

# RH-Firewall-1-INPUT chain
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT

# Trusted Devices
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT

# Low-level protocols
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

# Stateful outgoing connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 22 -j ACCEPT

# FTP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 --dport 21 -j ACCEPT

# Samba
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 128.173.0.0/16 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 198.82.0.0/16  --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 128.173.0.0/16 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 198.82.0.0/16  --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16  --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16  --dport 445 -j ACCEPT

# NFS Clients
-A RH-Firewall-1-INPUT -s aries.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s athena.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s bacchus.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s courier.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s dorcas.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s drotte.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s ericjohnson.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s galerkin.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s genecliff.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s halley.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s helios.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s hephaistos.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s idesk.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s lotus.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s lyapunov.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s neptune.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s orion.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s pluto.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s severian.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s sirius.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s typhon.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s valkyrie.aoe.vt.edu -j ACCEPT
-A RH-Firewall-1-INPUT -s vonkarman.aoe.vt.edu -j ACCEPT

# Tivoli Backup
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s tsmserver.cc.vt.edu  --dport 1500 -j ACCEPT
-A RH-Firewall-1-INPUT -s tsmserver.cc.vt.edu -j ACCEPT

# ntp  --not needed ??
# -A input --proto udp -s ntp-1.vt.edu ntp --jump ACCEPT
# -A input --proto udp -s ntp-2.vt.edu ntp --jump ACCEPT
# -A input --proto udp -s ntp-3.vt.edu ntp --jump ACCEPT
# -A input --proto udp -s ntp-4.vt.edu ntp --jump ACCEPT

# Postamble
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Denyhosts

/usr/share/denyhosts/data/allowed-hosts

172.16.1.*
128.173.*
198.82.*

yum

Unix box setup

Kerberos

       Realm: AOE.VT.EDU
         KDC: neptune.aoe.vt.edu:88,pluto.aoe.vt.edu:88
Admin Server: neptune.aoe.vt.edu:749,pluto.aoe.vt.edu:749
               [*] Use DNS to resolve hosts to realms
               [*] Use DNS to locate KDCs for realms

NIS

Domain: aoe Server: alexandria.aoe.vt.edu

logwatch

mount

/etc/fstab

s/default/tcp

Other

When adding nfs client machinges, be sure to modify these files on the servers:

/etc/sysconfig/iptables
/etc/hosts
/etc/securenets
/etc/exports

sshd

When a machine will not use the kerberos password, check

/etc/ssh/sshd_config

ssl certificates

required for gentoo remote printing administration

openssl req -new -x509 -keyout /etc/cups/ssl/server.key -out /etc/cups/ssl/server.crt -days 365 -nodes

DNS

[stedwar1@hephaistos ~]$ cat /home/sysadmin/dns/ip.txt
# Request additional IP addresses from hostmaster@cns.vt.edu
#
# Current Nameservers:
#
# 198.82.247.98         milo.cns.vt.edu
# 198.82.247.66         jeru.cns.vt.edu
#
# ------------------------------------------------------------------------------# Current IP numbers for Torgersen Hall
#
# gateway: 128.173.48.1
# subnet mask: 255.255.248.0
# broadcast: 128.173.55.255
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.49.[220-235]
#
# ------------------------------------------------------------------------------# Current IP numbers for Whittemore Hall
#
# gateway: 128.173.88.1
# subnet mask: 255.255.252.0
# broadcast: 128.173.91.255
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.90.[108-109]
#
#128.173.90.108 .aoe.vt.edu                     ; Sat Lab, 633C Whittemore
#
# ------------------------------------------------------------------------------# Current IP numbers for Norris Hall
#
# gateway: 128.173.
# subnet: 255.255.
# broadcast: 128.173..255
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.161.[30-39]
#
# ------------------------------------------------------------------------------# Current IP numbers for AOE Hancock (Simulator lab)
#
# gateway: 128.173.164.1
# subnet: 255.255.252.0
# broadcast: 128.173.167.255
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.167.[1-46]
#
128.173.167.1   flightsim.aoe.vt.edu            ; Flight simulator control computer
128.173.167.2   dictum-factum.aoe.vt.edu        ; Indigo^2
128.173.167.3   drotte.aoe.vt.edu               ; SSSL Linux PC
#128.173.167.4  turbodog.aoe.vt.edu             ; PCLand PIV 2.4GHz
128.173.167.5   simlab.aoe.vt.edu               ; Simlab NAT 10.194.194.0/255.255.0
128.173.167.6   oetjens.aoe.vt.edu              ; Bill Oetjen's computer
128.173.167.7   simlab-mac.aoe.vt.edu           ; MAC G4 desktop, flight sim lab Hancock
#128.173.167.8  newcastle.aoe.vt.edu            ; Power Computing Computers
#128.173.167.9  bass.aoe.vt.edu                 ; SGI Octane
#128.173.167.10 guinness.aoe.vt.edu             ; SGI Origin 2000
#128.173.167.11  longshot.aoe.vt.edu            ; Rackmounted P4 (In cockpit)
128.173.167.12  drtalos.aoe.vt.edu              ; 214 Hancock
128.173.167.13  sevra.aoe.vt.edu                ; STL comp in hancock
128.173.167.14  wicked-ale.aoe.vt.edu           ; Dell 266
128.173.167.15  dorcas.aoe.vt.edu               ; Dell, Hancock SSSL
128.173.167.16  sputnik.aoe.vt.edu              ; 214 Hancock
128.173.167.17  theclas.aoe.vt.edu              ; 214 Hancock
128.173.167.18  triskele.aoe.vt.edu             ; 214 Hancock
128.173.167.19  typhon.aoe.vt.edu               ; 214 Hancock
128.173.167.20  sssl711.aoe.vt.edu              ; Space Lab Webcam
#128.173.167.21 bulldurham.aoe.vt.edu           ; Bull Durham workstation; flight simulator lab
128.173.167.22  jolenta.aoe.vt.edu              ; 214 Hancock
128.173.167.23  father-inire.aoe.vt.edu         ; Sim Lab
128.173.167.24  sssl-biborg.aoe.vt.edu          ; 214 Hancock
#
# ------------------------------------------------------------------------------# Current IP information for AOE hosts in Femoyer Hall:
# 128.173.105.1      default router
# 255.255.255.0      subnet mask
# 128.173.105.255    broadcast
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.105.[24-56]
#
# Current IP address assignments for AOE hosts in Femoyer Hall:
#
128.173.105.24  ritz.aoe.vt.edu                 ; Sun Blade 1000, 205 Femoyer
128.173.105.25  fem203.aoe.vt.edu               ; Dell 8100, 203 Femoyer
128.173.105.26  structures1.aoe.vt.edu          ;
128.173.105.27  twain.aoe.vt.edu                ; Lab7 Workstation
128.173.105.28  nitewolf.aoe.vt.edu             ; Lab7 Print Server
128.173.105.29  voltaire.aoe.vt.edu             ; OptiPlex GX240, 219 Femoyer
128.173.105.30  hemingway.aoe.vt.edu            ; OptiPlex GX240, 219 Femoyer
128.173.105.31  fem332.aoe.vt.edu               ; Dell Optiplex GX 270, 332 Femoyer
128.173.105.32  optim.aoe.vt.edu                ; Macintosh, 204 Fem
128.173.105.33  seuss.aoe.vt.edu                ; OptiPlex GX240, 219 Femoyer
128.173.105.34  asterix.aoe.vt.edu              ; OptiPlex GX240, 219 Femoyer
128.173.105.35  rkafafy.aoe.vt.edu              ; ??, 329 Femoyer
128.173.105.36  obelix.aoe.vt.edu               ; OptiPlex GX240, 219 Femoyer
128.173.105.37  vortex.aoe.vt.edu               ; research, 323 Femoyer, cheol han
128.173.105.38  mikim3.aoe.vt.edu               ; Dell Dimension 4000, 317 Femoyer
128.173.105.39  rkafafy2.aoe.vt.edu             ; ??? Femoyer
128.173.105.40  ato.aoe.vt.edu                  ; 204 Femoyer
128.173.105.41  helios.aoe.vt.edu               ; Patil Lab linux box
128.173.105.42  tethys.aoe.vt.edu               ; 204 Femoyer
128.173.105.43  vtech-raed.aoe.vt.edu           ; 329 Femoyer, Dell Dimension 4200
128.173.105.44  reynolds.aoe.vt.edu             ; Sun Blade 100, 332 Femoyer
128.173.105.45  euler-fem.aoe.vt.edu            ; Dell Lattitude, 219 Femoyer
128.173.105.46  davinci.aoe.vt.edu              ; 219 Femoyer
128.173.105.47  patil-lab2.aoe.vt.edu           ; Dell Optiplex, 211 Femoyer
128.173.105.48  prandtl.aoe.vt.edu              ; 219 Femoyer
128.173.105.49  fourier.aoe.vt.edu              ; SunBlade 1000 205 Femoyer
128.173.105.50  blasius.aoe.vt.edu              ; 219 Femoyer
128.173.105.51  structuresprinter.aoe.vt.edu    ; Print Server - 205 Femoyer
128.173.105.52  mavandyk.aoe.vt.edu             ; Personal Desktop of Matthew VanDyke
128.173.105.53  femoyer-temp.aoe.vt.edu         ; Temporary IP for machine-setups in Femoyer
#128.173.105.54 gtech2.aoe.vt.edu               ; 330-332 Femoyer, DELL 3GHZ
128.173.105.55  patil-lab1.aoe.vt.edu           ; Dell Optiplex, 201 Femoyer
128.173.105.56  nautilus.aoe.vt.edu             ; Dr. Neu, Research, Femoyer
#The following ip's have been returned to cns:
#128.173.105.57 cheshirecat.aoe.vt.edu          ; 319 Femoyer (Linux)
#128.173.105.58 cwoolsey-grad.aoe.vt.edu        ; 327 Femoyer
#128.173.105.59 ssadek.aoe.vt.edu               ; 321 Femoyer
#128.173.105.60 wright.aoe.vt.edu               ; 219 Femoyer
#128.173.105.61 eyes.aoe.vt.edu                 ; 323 Femoyer
#128.173.105.62 superman.aoe.vt.edu             ; 323 Femoyer
#128.173.105.63 astarte.aoe.vt.edu              ; Femoyer Mostafa M. Abdalla
# ------------------------------------------------------------------------------# Current IP information for AOE hosts in Ware Lab:
#
# 128.173.116.1      default router
# 255.255.252.0      subnet mask
# 128.173.119.255    broadcast
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.116.[185-196]
#
# Specific IP address assignments for AOE hosts in Ware Lab:
#
128.173.116.185 warelab.aoe.vt.edu              ; Ware Lab PC for HokieSat
#
# ------------------------------------------------------------------------------# Current IP information for AOE hosts in Randolph Hall:
#
# 128.173.188.1      default router
# 255.255.252.0      subnet mask
# 128.173.191.255    broadcast
#
# Current IP addresses assigned to AOE in this subnet:
#
# 128.173.188.[24-99]
# 128.173.189.[1-23]
# 128.173.191.[1-75]
#
# Specific IP address assignments for AOE hosts in Randolph Hall:
#
128.173.188.24  artemis.aoe.vt.edu              ; Syslog, NUT, and Nessus
128.173.188.25  pluto.aoe.vt.edu                ; Dell PowerEdge 2400, 313B Randolph
128.173.188.26  neptune.aoe.vt.edu              ; Dell OptiPlex GX1, 313B Randolph
128.173.188.27  athena.aoe.vt.edu               ; secondary file server, 313 Randolph Hall
128.173.188.28  temporary.aoe.vt.edu            ; Used for testing machines
128.173.188.29  frontdesk.aoe.vt.edu            ; Front Desk NAT
128.173.188.30  jowang.aoe.vt.edu               ; Apple G4, 217(?) Randolph
128.173.188.31  naira.aoe.vt.edu                ; Naira Hovakimyan Desktop Randolph 224B
128.173.188.32  shmlab.aoe.vt.edu               ; Randolph 33A TP03B - Hallauer
128.173.188.33  an1003.aoe.vt.edu               ; 100 Annex, Dr. Simpson's group128.173.188.34  lotus.aoe.vt.edu                ; Linux Workstation, Randolph 1
128.173.188.35  gl-mercury.aoe.vt.edu           ; Dell Dimension XPS, 315 Randolph
128.173.188.36  ericjohnson.aoe.vt.edu          ; 313 Randolph Hall
128.173.188.37  schaub-dt.aoe.vt.edu            ; Dr. Schaub Desktop, 2XX Randolph
128.173.188.38  peggy.aoe.vt.edu                ; Sue Teal desktop
128.173.188.39  idesk.aoe.vt.edu                ; Dell 670n, 315 Randolph
128.173.188.40  nsl01.aoe.vt.edu                ; Dell Dimension 4700, 1A Randolph
128.173.188.41  patali.aoe.vt.edu               ; Dell Workstation, flat panel, 213D Randolph
128.173.188.42  licenseserver4.aoe.vt.edu       ; Server Rack, 315 Randolph
128.173.188.43  alexandria.aoe.vt.edu           ; Main file server, 313 Randolph128.173.188.44  marchman.aoe.vt.edu             ; Dell, Marchman's Office
128.173.188.45  orion.aoe.vt.edu                ; SGI Power Challenge, 313B Randolph
128.173.188.46  simpson.aoe.vt.edu              ; Dell 8300, 218 Randolph
128.173.188.47  hyperx.aoe.vt.edu               ; Gateway, basement  Randolph
128.173.188.48  foushee.aoe.vt.edu              ; Power Macintosh, 215 Randolph
128.173.188.49  williams.aoe.vt.edu             ; Dell Something, 215 Randolph

128.173.188.50  hephaistos.aoe.vt.edu           ; Mac Mini 313 Randolph
128.173.188.51  office-mac.aoe.vt.edu           ; Dr. Chris Hall's laptop
128.173.188.52  aoeshop.aoe.vt.edu              ; Dell Dimension XPS R450, Randolph basement
128.173.188.53  workroombw.aoe.vt.edu           ; Workroom printer/copier
128.173.188.54  lyapunov.aoe.vt.edu             ; Leigh McCue number cruncher 226 Randolph
128.173.188.55  simpson-old.aoe.vt.edu          ; Gateway E-3000, ??? Randolph
128.173.188.56  euler-ran.aoe.vt.edu            ; Dell Latitude Laptop
128.173.188.57  nsl02.aoe.vt.edu                ; Dell Dimension 4700, 1A Randolph
128.173.188.58  designjet.aoe.vt.edu            ; DesignJet 450C, 217 Randolph
128.173.188.59  brown5.aoe.vt.edu               ; Dell Optiplex, 311 Randolph
128.173.188.60  sirius.aoe.vt.edu               ; Macintosh G3, 315 Randolph
128.173.188.61  godzilla.aoe.vt.edu             ; Dell XPS R450, Basement
128.173.188.62  hallauer.aoe.vt.edu             ; Dell Optiplex, 213B Randolph
128.173.188.63  daemos.aoe.vt.edu               ; Lubos workstation, 315 Randolph
128.173.188.64  galerkin.aoe.vt.edu             ; Dell Precision 380, Scientific Linux 4
128.173.188.65  shosder.aoe.vt.edu              ; Serhat Hosder Laptop
128.173.188.66  workroomcolor.aoe.vt.edu        ; Workroom printer/copier
128.173.188.67  kolmogorov.aoe.vt.edu           ; PCLand, 26 Randolph, Dr. Simpson's Group
128.173.188.68  vonkarman.aoe.vt.edu            ; Gateway 1ghz Athlon, Scientific Linux 4
128.173.188.69  boetjens.aoe.vt.edu             ; Gateway, Bill Oetjens' office
128.173.188.70  blackbird.aoe.vt.edu            ; PC Land P3 550, Wind tunnel PC128.173.188.71  hp4050.aoe.vt.edu               ; HP LaserJet 4050N, Design Lab
128.173.188.72  dl-sayer.aoe.vt.edu             ; Dell P4,3Ghz Workstation, 217 Randolph
128.173.188.73  lab7-rts.aoe.vt.edu             ; Edgar Orsi
128.173.188.74  kelowe.aoe.vt.edu               ; 209 Randolph Annex
128.173.188.75  dl-shepard.aoe.vt.edu           ; Dell P4, 3Ghz Workstation, 217 Randolph
128.173.188.76  skinf.aoe.vt.edu                ; Custom Built, ? Rand. Annex
128.173.188.77  courier.aoe.vt.edu              ; Departmental mail server, 313 Randolph
128.173.188.78  agave.aoe.vt.edu                ; Dell Dimension XPS, 331A Randolph
128.173.188.79  dl-schirra.aoe.vt.edu           ; Dell P4,3Ghz Workstation, 217 Randolph
128.173.188.80  reception.aoe.vt.edu            ; 215 Randolph
128.173.188.81  melnikov.aoe.vt.edu             ; McCue Linux workstation
128.173.188.82  hydrolab2.aoe.vt.edu            ; Gateway P233 (Roaming)
128.173.188.83  rwalters.aoe.vt.edu             ; Apple G4 Laptop, 215 Randolph
128.173.188.84  nslnat.aoe.vt.edu               ; NSL NAT, Randolph 01
128.173.188.85  malrubius.aoe.vt.edu            ; Gateway, 311 Randolph
128.173.188.86  gwibo.aoe.vt.edu                ; In Randolph Annex
128.173.188.87  bacchus.aoe.vt.edu              ; Web Server, 313 Randolph
128.173.188.88  nsl03.aoe.vt.edu                ; Woolsey Lab
#128.173.188.89 distance2.aoe.vt.edu            ;
128.173.188.90  licenseserver.aoe.vt.edu        ; Gateway P200, 315 Randolph
128.173.188.91  phoebe.aoe.vt.edu               ; Graduate Lab Workstation -- PPC Linux
128.173.188.92  hugheslt.aoe.vt.edu             ; Pentium laptop, 224C Randolph
128.173.188.93  griffith.aoe.vt.edu             ; 24 Randolph
128.173.188.94  aries.aoe.vt.edu                ; Dual Athlon rackmount Linux workhorse
128.173.188.95  atlantis01.aoe.vt.edu           ; Macintosh G5 Cluster Node
128.173.188.96  atlantis02.aoe.vt.edu           ; Macintosh G5 Cluster Node
128.173.188.97  atlantis03.aoe.vt.edu           ; Macintosh G5 Cluster Node
128.173.188.98  atlantis04.aoe.vt.edu           ; Macintosh G5 Cluster Node
128.173.188.99  cnc.aoe.vt.edu                  ; Randolph 15 Shop CNC Computer
#128.173.189.1   oberon.aoe.vt.edu              ;
128.173.189.2   michigan.aoe.vt.edu             ; Sun UltraSparc 10, Yong Cao
128.173.189.3   neu.aoe.vt.edu                  ; Dell Optiplex GX110, 215 Randolph
128.173.189.4   halley.aoe.vt.edu               ; Power Mac running Linux
128.173.189.5   yko.aoe.vt.edu                  ; PowerMac 9600/200, Andy Ko's Office
128.173.189.6   nsl-lpr.aoe.vt.edu              ; Woolsey Lab Printer
128.173.189.7   jsajdak.aoe.vt.edu              ; 103 Randolph Annex
128.173.189.8   brown4.aoe.vt.edu               ; Dr. Brown's Graduate Student
128.173.189.9   johnson.aoe.vt.edu              ; PowerMac 7300/200, Randolph 224B
128.173.189.10  severa.aoe.vt.edu               ; Dell Flat Panel STL, Randolph 311A
128.173.189.11  scooby.aoe.vt.edu               ; Dell Optiplex, Randolph 26
128.173.189.12  shaggy.aoe.vt.edu               ; Dell Optiplex, Randolph 26
128.173.189.13  sandbox.aoe.vt.edu              ; Sysadmin NAT, Randolph 313
128.173.189.14  velma.aoe.vt.edu                ; Dell Optiplex, Randolph 26
128.173.189.15  daphne.aoe.vt.edu               ; Dell Optiplex, Randolph 26
128.173.189.16  ldvdaq.aoe.vt.edu               ; Used in bllab, 015 Randolph
128.173.189.17  aoe17.aoe.vt.edu                ; Unknown - Some newer Apple
128.173.189.18  licenseserver3.aoe.vt.edu       ; License server (server rack)
#128.173.189.19  netmagic1.aoe.vt.edu           ; OpenBSD Firewall for GL and servers.
128.173.189.20  dl-sprucegoose.aoe.vt.edu       ; Flat panel Dell, design lab extension Randolph
128.173.189.21  devenport-dock.aoe.vt.edu       ; Dell Insipron 8200, 224E Randolph
128.173.189.22  lwoffice.aoe.vt.edu             ; HP JetDirect External, 215 Randolph
128.173.189.23  devenport-lt2.aoe.vt.edu        ; Dell Inspiron 8200
128.173.191.1   genecliff.aoe.vt.edu            ; SunFire 280R, 313 Randolph
#128.173.191.2  alexandria-nfs.aoe.vt.edu       ; Main file server, 313 Randolph128.173.191.3   brown3.aoe.vt.edu               ; GW2K E-3300, Randolph 311B
128.173.191.4   fred.aoe.vt.edu                 ; Dell Optiplex, Randolph 26
128.173.191.5   rhea.aoe.vt.edu                 ; GW2K E-3000, Randolph 217A
128.173.191.6   scrappy.aoe.vt.edu              ; Dell Optiplex, Randolph 26
128.173.191.7   dl-valdez.aoe.vt.edu            ; Design Lab P4P800 blue Asus Pentium 4 computer
128.173.191.8   tweedy.aoe.vt.edu               ; 26 Randolph
128.173.191.9   severian.aoe.vt.edu             ; Dual Athlan, 313 Randolph
128.173.191.10  falcon.aoe.vt.edu               ; P133 Gateway, 109 Randolph Annex
128.173.191.11  gstaffor.aoe.vt.edu             ; IBM P133, Basement
128.173.191.12  distance1.aoe.vt.edu            ; Supermicro Rackmount, 313 Randolph
128.173.191.13  distance2.aoe.vt.edu            ; Supermicro Rackmount, 313 Randolph
128.173.191.14  brown.aoe.vt.edu                ; GW2K PII 233, Rand 311B
128.173.191.15  cliff-lt.aoe.vt.edu             ; Dr. Cliff's Apple G3 Laptop
128.173.191.16  chall2.aoe.vt.edu               ; Dell Optiplex 200, Randolph 228
128.173.191.17  kutta.aoe.vt.edu                ; Fluid Lab
128.173.191.18  morr.aoe.vt.edu                 ; 108 Randolph Annex
128.173.191.19  msimbula.aoe.vt.edu             ; 108 Randolph Annex
128.173.191.20  hyekim.aoe.vt.edu               ; Gateway A1200, Rand 219C
128.173.191.21  stedwar1.aoe.vt.edu             ; Supersonic Lab, Randolph
128.173.191.22  rstillin.aoe.vt.edu             ; 108 Randolph Annex
128.173.191.23  brown2.aoe.vt.edu               ; Something, Randolph 311B
128.173.191.24  george2.aoe.vt.edu              ; Dell, 100 Randolph Annex
128.173.191.25  grossman-lt.aoe.vt.edu          ; MacOS Apple G4 Laptop(Grossman)
128.173.191.26  byun-lt.aoe.vt.edu              ; Dr. Byun's laptop(exp.01/01/2002)
128.173.191.27  cwoolsey-lt.aoe.vt.edu          ; IBM Laptop, 217D Randolph
128.173.191.28  smissoum.aoe.vt.edu             ; 217? Randolph Hall
128.173.191.29  hughes.aoe.vt.edu               ; IBM 350-P133, Old Conf Room
128.173.191.30  annexprinter.aoe.vt.edu         ; Print server in AOE Annex
128.173.191.31  confroom.aoe.vt.edu             ; Dell Optiplex, Conference Room,Rand
128.173.191.32  cascade.aoe.vt.edu              ; Randolph Annex, 103
128.173.191.33  dl-osprey.aoe.vt.edu            ; Dell Optiplex GX240, 217 Randolph
128.173.191.34  jbenning.aoe.vt.edu             ; Jeremy Bennington's, 26 Randolph
128.173.191.35  dl-chernobyl.aoe.vt.edu         ; Dell Optiplex GX240, 217 Randolph
128.173.191.36  dl-bhopal.aoe.vt.edu            ; Dell Optiplex GX240, 217 Randolph
128.173.191.37  bllab.aoe.vt.edu                ; Boundary Layer Lab, Randolph
128.173.191.38  hp2300.aoe.vt.edu               ; 315 Randolph Hall
128.173.191.39  gl-newton.aoe.vt.edu            ; Dell Optiplex GX240, 315 Randolph
128.173.191.40  kapaniaimac.aoe.vt.edu          ; Temporary Setup Account, 331 Randolph
128.173.191.41  gl-gauss.aoe.vt.edu             ; Dell Optiplex GX240, 315 Randolph
128.173.191.42  kapania.aoe.vt.edu              ; Apple G4, 213E Randolph
#128.173.191.43 hps.aoe.vt.edu                  ; Virtual Web Server for HPS
128.173.191.44  gl-euclid.aoe.vt.edu            ; Dell Optiplex GX240, 315 Randolph
128.173.191.45  kimhm.aoe.vt.edu                ; --
128.173.191.46  nsl04.aoe.vt.edu                ; dell dimension 4700, 1A Randolph Hall
128.173.191.47  dl-polarlander.aoe.vt.edu       ; Gateway A1000, 217 Randolph
128.173.191.48  dl-maine.aoe.vt.edu             ; Gateway A1000, 217 Randolph
128.173.191.49  dl-titanic.aoe.vt.edu           ; Gateway A1000, 217 Randolph
128.173.191.50  dl-akron.aoe.vt.edu             ; Gateway A1000, 217 Randolph
128.173.191.51  dl-challenger.aoe.vt.edu        ; Gateway A1000, 217 Randolph
128.173.191.52  dl-apollo1.aoe.vt.edu           ; Gateway A1000, 217 Randolph
128.173.191.53  gateway2.aoe.vt.edu             ; Gateway A1000, 217 Randolph
128.173.191.54  dl-lusitania.aoe.vt.edu         ; Gateway A1000, 217 Randolph
128.173.191.55  dl-hindenberg.aoe.vt.edu        ; Gateway A1000, 217 Randolph
128.173.191.56  vaio.aoe.vt.edu                 ; Sony VAIO Laptop
128.173.191.57  dl-columbia.aoe.vt.edu          ; Flat panel Dell, Design lab extension Randolph
128.173.191.58  licenseserver2.aoe.vt.edu       ; The other License Server (runs Linux)
128.173.191.59  george-lt.aoe.vt.edu            ; George's Sony Laptop, 100 Randolph Annex
128.173.191.60  gl-mimas.aoe.vt.edu             ; Gateway A1000, 315 Randolph
128.173.191.61  gl-encaladus.aoe.vt.edu         ; Gateway A1000, 315 Randolph
128.173.191.62  gl-hyperion.aoe.vt.edu          ; Gateway A1000, 315 Randolph
128.173.191.63  gl-iapetus.aoe.vt.edu           ; Gateway A1000, 315 Randolph
128.173.191.64  gl-phoebe.aoe.vt.edu            ; Gateway A1000, 315 Randolph
128.173.191.65  cwoolsey-dt.aoe.vt.edu          ; Dell ?, 217D Randolph
128.173.191.66  asang.aoe.vt.edu                ; Randolph Annex 107
128.173.191.67  maccdr.aoe.vt.edu               ; Power Macintosh G3, 311 Randolph
128.173.191.68  berryman.aoe.vt.edu             ; John Berryman - 311A Randolph
128.173.191.69  jschetz-lt.aoe.vt.edu           ; Dell Latitude, 219D Randolph
128.173.191.70  valkyrie.aoe.vt.edu             ; Sun Blade 1000, 217C Randolph
128.173.191.71  hp4550.aoe.vt.edu               ; HP 4550, 215 Randolph Hall
128.173.191.72  granlund.aoe.vt.edu             ; 109 Randolph Annex
#128.173.191.74  loughboro.aoe.vt.edu            ; Temporary account for loughboro visiting group (expires 4/4/04)
#128.173.191.75  smullani.aoe.vt.edu             ; Graduate lab randolph, gateway 31XX
#
#
#
# ------------------------------------------------------------------------------#
#
#Names for hosts:
#
#Uranus
#   umbriel.aoe.vt.edu
#   titania.aoe.vt.edu

Security

Describe the logging system including syslog, logwatch, epilog and how they all relate with Artemis.
yp broken on email and sudo. Possibly still using NIS?
Changing ssh ports for
- licenseserver2
- courier
- athena
- possibly alexandria
- any others
email setting for DenyHosts from atlantis01
firewall for
- athena
- artemis
- typhon
- genecliff
- atlantis
- licenseserver2
- killians
iptables file to edit
- to add reporting
DenyHosts for enterprise (or iptables)
- tcp_wrappers - ssh does not respect hosts.deny
hosts.allow still locks me out sometimes
Turn off: (licenseserver2)
- sendmail accepting connections?
- ipp

Endpoint

'firewalled' notice in network connections is not listed
Does not automatically select Outlook scanning.

sputnik.lib.vt.edu attack

noticed log entries on 12/19/2007 after SANS class of authentication attempts from 128.173.125.230, SPUTNIK.
HC++ querey on IP gives:

Domain Name lib.vt.edu

Primary Contact       Mike Linkous <DODGER@VT.EDU>
* sent Mike an email and he proply left a phone message stating the machine had to be rebuilt.

ntsyslog from these:

Failure audits range 12/18/2007 10:07:19PM until 12/19/2007 8:37:04 AM on Licenseserver3
Failure audits range 12/28/2007 8:49:14PM until 12/19/2007 6:41:15 AM on Licenseserver4
sphinx
licenseserver

Other Machines attacked also

dl-titanic
Others?

Not attacked:

dl-maine

ramblings and port stuff

At Caltech, they have a guest SSID that gives you an RFC 1918 address behind NAT. You have to read a ToS and agree to be nice. Additionally, they rate limit each client to ~768 kbps and only pass

tcp/22 (ssh), 
tcp/80 (http), 
tcp/443 (https), 
udp/1701 and tcp/1701 (l2tp), and 
udp/1723 and tcp/1723 (pptp)

through to the outside world. Despite those restrictions, I was able to browse the web, ssh to my machines, and use the VPN for everything else during my stay.

ubuntu security

http://www.itsecurity.com/features/ubuntu-secure-install-resource/

protect grub

http://ubuntuforums.org/showthread.php?t=7353

brute force defense

http://bsdly.blogspot.com/2009/04/slow-brute-zombies-are-back.html

one post listed this technique:

DELETED ACCOUNT said...

    Since I can enumerate ahead of time the list of sources of acceptable SSH connections, I use TCP wrappers to help the zombies out:

    In /etc/hosts.allow (extended TCP wrapper syntax):

    sshd : validnet/validmask \
    127.0.0.0/255.0.0.0 \
    : ALLOW

    sshd : ALL : banners /var/db/banners \
    : twist /bin/sleep 60


    The other component:

    % cat /var/db/banners/sshd
    SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901


    Legitimate connections from within the IP space defined by validnet/validmask are passed to sshd normally. Everything else gets something that looks valid, the TCP connection is held open for up to 60 seconds, and then it closes. It's analogous to PF-spamd's blacklisting behavior.

severian droppped packets

From 10.0.50.70 - 83842 packets to udp(47624,47624,47624,47624,47624,47624,47624,47624,47624,47624,47624)
From 10.0.50.72 - 1813 packets to udp(47624,47624,47624,47624)
From 10.0.50.74 - 456 packets to udp(47624,47624,47624,47624)

May 13 09:17:12 severian kernel: FIREWALL-DROPPED IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:18:2c:2c:05:08:00 SRC=10.0.50.70 DST=255.255.255.255 LEN=80 TOS=0x00 PREC=0x00 TTL=128 ID=27364 PROTO=UDP SPT=3403 DPT=47624 LEN=60

10182c2c0508
10182c2c1708
10182c3a2f08

Looks like local network udp communication from vtcadlab.

Port 2343 udp, National Instruments Lookout

Maybe:

http://zone.ni.com/devzone/cda/tut/p/id/3681

remote ssh wireshark

http://wiki.wireshark.org/CaptureSetup/Pipes

wireshark -k -i <( ssh -l root IP-of-probe /usr/bin/tshark -i eth0 -w - port 53 )

Browser Check

http://browsercheck.qualys.com

Find_SSNs

to run Find_SSNs on alexandria2:

python Find_SSNs.pyw -p /export/facultystaff3/stedwar1 -o ./ -t html -a

python Find_SSNs.pyw -?


Proper usage on Linux, Unix and Macs:
NoGUI: python Find_SSNs.pyw -p /search/folder -o /output/folder -t html -a
GUI: python Find_SSNs.pyw

Proper usage on Windows:
NoGUI: Find_SSNs.exe -p c:/search/folder -o c:/output/folder -t html -a
GUI: Find_SSNs.exe

Notes:
-p The folder to search.
-o The folder to write reports to.
-t may be html or csv
-a may be replaced by -s (search for SSNs only) or -c (search for CCNs only)

sed -i 's/file\:\/\/\/\/export/file\:\/\/\/\/home/g' Find_SSNs.html
sed -i 's/"Open the file">\/export/"Open the file">\/home/g' Find_SSNs.html

this command line looks for previoiusly found ssns in cdhall-ssns.txt in his FindSSNs.txt

sed 's/-//g' cdhall-ssns.txt |grep -v ^$ |while read i ; do grep $i diskhogs/cdhall/Find_SSNs.txt; done

This line looks in all the Find_SSNs.brief.txt file and counts

find . -iname Find_SSNs.brief.txt -exec wc -l {} \; |grep -v ^0|sort -n

less search for ssn pattern

/[0-9]{3}[- ][0-9]{2}[- ][0-9]{4}

Table of Contents