Category: System Administration

Cisco ASA 5512-X Allow outside/external ssh access

To enable external SSH access to a brand new Cisco ASA 5512-X, follow these example instructions, where:
X.X.X.X is the IP address you wish to allow access from,
yourusername is the username you want to use, and
XXXXXXXXXXXXXXXXX is your password.

ciscoasa# conf t
ciscoasa(config)# ssh X.X.X.X 255.255.255.255 outside
ciscoasa(config)# crypto key generate rsa general-keys modulus 2048
ciscoasa(config)# username yourusername password XXXXXXXXXXXXXXXXX
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# ssh version 2

You may also want to set an enable password:
ciscoasa(config)# enable password XXXXXXXXXXXXXXXXX
(You should make this different from your user password.)
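As an added example (not part of the post above), the following Python script audits the SSH-related lines of an ASA running configuration against the settings the post uses: it flags any `ssh` permit line on an external interface whose mask is broader than a single host, a missing `ssh version 2`, an explicit older SSH version, and a missing `aaa authentication ssh console` line. The two sample configurations are constructed; the interface name `outside` and the single-host (/32) threshold are assumptions that can be changed through the function's parameters.

```python
import ipaddress
import re

# Constructed samples modelled on "show running-config" output for the
# commands in the post above (example data, not captures from a real device).
SAMPLE_GOOD = """\
ssh 203.0.113.10 255.255.255.255 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
aaa authentication ssh console LOCAL
"""

SAMPLE_BAD = """\
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
"""

# "ssh <host-or-network> <netmask> <interface>" permit line
SSH_PERMIT = re.compile(
    r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def audit_ssh_config(config_text, external_ifaces=("outside",), min_prefixlen=32):
    """Return a list of findings; an empty list means the SSH setup looks sane.

    external_ifaces: interface names reachable from untrusted networks (assumed).
    min_prefixlen:   permits on those interfaces must be at least this specific.
    """
    findings = []
    saw_version2 = False
    saw_aaa = False
    saw_external_permit = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SSH_PERMIT.match(line)
        if m:
            host, mask, iface = m.groups()
            # strict=False lets a host address carry a network mask
            net = ipaddress.IPv4Network((host, mask), strict=False)
            if iface in external_ifaces:
                saw_external_permit = True
                if net.prefixlen < min_prefixlen:
                    findings.append(
                        f"broad SSH source {net} permitted on external interface {iface}"
                    )
            continue
        if line == "ssh version 2":
            saw_version2 = True
        elif line.startswith("ssh version "):
            findings.append(f"insecure setting: {line}")
        elif line.startswith("aaa authentication ssh console"):
            saw_aaa = True
    if not saw_version2:
        findings.append("ssh version 2 not set")
    if saw_external_permit and not saw_aaa:
        findings.append("aaa authentication ssh console not configured")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"{name}: {audit_ssh_config(sample) or 'no findings'}")
```

Feed it the output of `show running-config ssh` plus `show running-config aaa` from a real unit; a permit of `0.0.0.0 0.0.0.0 outside` is the classic mistake the single-host mask in the post avoids.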


CVE-2015-0235 “Ghost” Linux glibc vulnerability

For those that missed it, CVE-2015-0235 (aka Linux Ghost) was announced today. It details a glibc library bug that is still present on many Linux distributions. glibc is used by many applications, including web servers, mail servers, PHP applications, etc.

The specific bug is in the gethostbyname() and gethostbyname2() functions (hence the "Ghost" name!), so only applications that call these are potentially vulnerable. Even then, there is limited scope for exploitation, but a PoC against the Exim mail server has already been developed, so it certainly is possible (given the right conditions). Luckily, these two functions lack IPv6 support, so many newer applications and services have already stopped using them in favour of the IPv6-capable functions. As has been seen, however, some popular ones such as Exim do still use the older IPv4-only functions.

The bug itself has been around since 2000, and was inadvertently patched in August 2014 without anyone realising the security implications. Because the fix was not recognised as a security fix at the time, many Linux distributions didn't back-port the patch. That back-porting is what has occurred today.

Accordingly, we have now taken the following actions:

  • All standard-level webservers globally and chroot environments have been patched and restarted between 6:30AM and 7:15AM this morning.
  • All mail servers were patched and restarted between 6:30AM and 7:15AM this morning.

We will be taking the following actions, which may result in a few minutes' downtime for some sites tonight:

  • All protected-level webservers globally and chroot environments will be patched and restarted overnight at varying times (a critical maintenance alert will have been received by all affected customers). As these are all behind load balancers, this shouldn't have any end-user effect.
  • RackCorp monitoring services will be restarted throughout the day. This may result in some performance graphs being slightly skewed at times.

In addition:

  • VM Hosts will have no noticeable impact.
  • Load Balancer services will have no noticeable impact.
  • RackCorp API services will have no noticeable impact (however, some unrelated database maintenance is scheduled for tonight that may result in queries taking a few seconds longer than usual).
  • Content delivery services are unaffected.
  • Network services are unaffected.

In terms of customer patch cycles, we are treating this as a critical bug for some customers, and moderate (normal patch cycle) for others, depending upon the attack surface exposed. All affected customers will have received an email accordingly. If you are unsure of the impact for your specific services, please raise a support ticket.
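The actions above patch and restart services rather than just patching, because a process started before the glibc upgrade keeps the old library image mapped in memory until it is restarted. On Linux, /proc/<pid>/maps marks such a mapping with a trailing "(deleted)" once the file on disk has been replaced by the package upgrade. The following Python script, an added example that is not part of the post, lists processes still in that state. The SAMPLE_MAPS excerpts are constructed, and the libc filename patterns are an assumption based on how glibc is packaged on CentOS/RHEL- and Debian-style systems.

```python
import os

# Constructed /proc/<pid>/maps excerpts (example data, not from a real host).
# A mapping whose backing file ends in "(deleted)" means the process still has
# the old library image mapped although the file on disk has been replaced,
# e.g. by the package upgrade that installed the fixed glibc.
SAMPLE_MAPS = {
    1234: """\
7f1c2a000000-7f1c2a1ba000 r-xp 00000000 fd:01 131188 /usr/lib64/libc-2.17.so (deleted)
7f1c2a3c0000-7f1c2a3c4000 rw-p 001c0000 fd:01 131188 /usr/lib64/libc-2.17.so (deleted)
""",
    5678: """\
7f8e4b000000-7f8e4b1ba000 r-xp 00000000 fd:01 131201 /usr/lib64/libc-2.17.so
""",
    9012: """\
7fa100000000-7fa100010000 r-xp 00000000 fd:01 131300 /usr/lib64/libm-2.17.so (deleted)
""",
}

DELETED = " (deleted)"


def is_libc(path):
    """True for the C library itself (libc-<ver>.so or libc.so.6), but not for
    other libc* libraries such as libcrypto or libcap (assumed naming)."""
    base = os.path.basename(path)
    return base.startswith("libc.so") or (base.startswith("libc-") and base.endswith(".so"))


def stale_libc_pids(maps_by_pid):
    """Return the sorted pids that still map a deleted (pre-upgrade) libc."""
    stale = set()
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            fields = line.split(maxsplit=5)  # the path field may contain spaces
            if len(fields) < 6:
                continue  # anonymous mapping, no backing file
            path = fields[5]
            if path.endswith(DELETED) and is_libc(path[:-len(DELETED)]):
                stale.add(pid)
                break
    return sorted(stale)


def read_proc_maps():
    """Collect /proc/<pid>/maps for every process we are allowed to read."""
    result = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/maps") as f:
                    result[int(name)] = f.read()
            except OSError:
                pass  # process exited, or not readable (run as root for a full view)
    return result


if __name__ == "__main__":
    for pid in stale_libc_pids(read_proc_maps()):
        print(f"pid {pid} still maps the old libc and needs a restart")
```

Run it as root after the glibc package upgrade; an empty result means every process is using the patched library, which is the condition the restarts above are meant to reach.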

Additional useful resources:
Ars Technica Writeup on Linux Ghost
gethostbyname() vs getaddrinfo() by Erratasec


RackAdmin – RackCorp's in-house developed web hosting and network management platform

One of the key principles behind our company is an emphasis on in-house custom developed solutions based on open source software.

A bespoke open source foundation provides us with:

• Maximum reliability, as bugs can be patched before official fixes are available
• Maximum performance thanks to streamlined and lean code
• Maximum flexibility and extensibility to meet our customers' and our own specific needs
• Minimised cost and licensing, which helps keep prices competitive

These principles are why we built RackAdmin, the backbone of our company since its foundation: a custom, in-house developed management platform which provides end-user account management, option and service provisioning (including reseller management and geo-location) and automated billing, all within a slick and easy to use interface and an API.


RackAdmin provides a streamlined, slick and easy to use solution to manage your web hosting needs.



.ssh authorized_keys and centos / redhat / selinux enabled Linux solution

Just a quick note: if you ever create /home, /home/user, /home/user/.ssh or /home/user/.ssh/authorized_keys yourself, you'll need to reset the SELinux contexts on the corresponding files/directories, or else sshd won't be allowed to access your authorized_keys file!

If your /home isn't very large (and /home was what you created), the easiest way of fixing things is to run this:

restorecon -R -v /home

Otherwise, if /home already existed and you only added the user's home directory (for example via useradd), you can probably get away with just:

restorecon -R -v /home/user

This will reset the contexts placed on /home/user/.ssh/*.
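To confirm the fix (or to spot the problem before sshd silently rejects the key), the following Python script, added here and not part of the post, reads the SELinux context of each path on the way to authorized_keys through the security.selinux extended attribute and compares the type field with what the CentOS/RHEL targeted policy expects: home_root_t for /home, user_home_dir_t for the user's home directory, and ssh_home_t for ~/.ssh and ~/.ssh/authorized_keys. The SAMPLE_CONTEXTS data is constructed, and the expected types are the default policy labels, an assumption if your policy has been customised.

```python
import os

# Constructed SELinux contexts for a user whose .ssh tree ended up mislabelled
# (example data, not read from a real host). Contexts are user:role:type:level.
SAMPLE_CONTEXTS = {
    "/home": "system_u:object_r:home_root_t:s0",
    "/home/user": "unconfined_u:object_r:user_home_dir_t:s0",
    "/home/user/.ssh": "unconfined_u:object_r:default_t:s0",
    "/home/user/.ssh/authorized_keys": "unconfined_u:object_r:default_t:s0",
}


def expected_types(home_dir):
    """Types the CentOS/RHEL targeted policy assigns along the path to
    authorized_keys (assumption: default policy, no local customisation)."""
    return {
        os.path.dirname(home_dir): "home_root_t",
        home_dir: "user_home_dir_t",
        os.path.join(home_dir, ".ssh"): "ssh_home_t",
        os.path.join(home_dir, ".ssh", "authorized_keys"): "ssh_home_t",
    }


def selinux_type(context):
    """Extract the type field from a user:role:type[:level] context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def find_mislabelled(contexts, home_dir):
    """Return (path, actual_type, expected_type) for every path whose type
    would stop sshd reading the key. Paths missing from `contexts` are skipped."""
    problems = []
    for path, want in expected_types(home_dir).items():
        ctx = contexts.get(path)
        if ctx is None:
            continue
        got = selinux_type(ctx)
        if got != want:
            problems.append((path, got, want))
    return problems


def read_contexts(home_dir):
    """Read the live contexts via the security.selinux xattr (Linux only)."""
    getxattr = getattr(os, "getxattr", None)  # absent on non-Linux platforms
    out = {}
    if getxattr is None:
        return out
    for path in expected_types(home_dir):
        try:
            raw = getxattr(path, "security.selinux")
        except OSError:
            continue  # path absent, or no SELinux label to read
        out[path] = raw.decode().rstrip("\x00")  # value carries a trailing NUL
    return out


if __name__ == "__main__":
    import sys
    home = sys.argv[1] if len(sys.argv) > 1 else "/home/user"
    for path, got, want in find_mislabelled(read_contexts(home), home):
        print(f"{path}: type is {got}, sshd expects {want}; run: restorecon -R -v {path}")
```

Run it with the user's home directory as the argument; each reported path is one that the restorecon commands above will relabel, and a clean run is the state in which sshd is permitted to read the key.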


BIOS Firmware Update ISO for SuperMicro Boards

The days of using floppy images to update the BIOS on SuperMicro boards such as the X9SCL or X9SCM are long over: the images are far too big (8MB). So the only way to do the BIOS update is to build a bootable DOS ISO containing the firmware files.

This is easier said than done, of course, but here are some simple instructions you can follow if you're using Windows:

Step 1: FDOEMCD

Go here: http://www.fdos.org/bootdisks/
Download a tool called FDOEMCD.builder.zip.
Unzip it on your local computer (don't follow these instructions without unzipping).
64-bit OS users have an additional step: ALSO go to http://smithii.com/cdrtools/ and download cdrtools-latest.zip. Unzip it, then copy the mkisofs.exe and cygwin1.dll files from the zip file into the FDOEMCD.builder folder from above (replacing any existing versions of these files).

Step 2: BIOS Flash Files

Go here: http://www.supermicro.com/support/bios/ (or your equivalent for your BIOS), and download the correct version for your motherboard – warning – getting it wrong can permanently destroy your motherboard – warning – 🙂
Unzip the contents of your BIOS download into the CDROOT folder. You should have files such as AFUDOSU.SMC and AMI.bat. If not, then this tutorial isn't for you (sorry!)

Now, because the ISO will be read-only, we need to shortcut the AMI.bat file a little bit:
rename AFUDOSU.SMC to AFUDOSU.EXE
create a new batch file called ami2.bat and put the following in it:
afudosu.exe %1 /FDT /MER /OPR

Now start up a DOS prompt in Windows, go to the corresponding FDOEMCD.builder folder and run makeiso.bat.

You now have fdoem.iso. This is your bootable ISO with all your files on it (yay!)

Mount it using your favorite IPMI or burn it to CD and use it. We just mount it using Supermicro's IPMI.

Once it has booted, just run "ami2.bat x9scm2.608" (or equivalent) and away you go.

A big thanks to the guys that made FDOEMCD Builder. Without that tool, this BIOS update ISO building process would be a lot harder!

POST-INSTALL NOTE: BIOS 2.00, which is on the SuperMicro website at this time, seems to have a bug on some dual-ethernet motherboards (such as the X9SCL!). SuperMicro knows about it and has an app that you can add to the ISO, as per the above instructions, which can fix the ethernet port. I don't want to publicly make available a link to SuperMicro's patching software, but if you're really desperate like we were then let us know....
