Setup WordPress on Ubuntu

Here are the steps I use when setting up WordPress on a new Ubuntu server.

  1. Log into the console and grab a root shell
    Note: I don’t like typing sudo in front of every command

    $ sudo bash
  2. Install an ssh server to make remote management easy
    # apt-get install openssh-server
  3. Install a LAMP stack
    Note: You will need to remember the root password you setup for MySQL

    # apt-get install lamp-server^
  4. Download the latest wordpress
    # wget http://wordpress.org/latest.tar.gz
  5. Extract the archive file
    # tar -xzvf latest.tar.gz
  6. Make a folder to hold the wordpress install
    # mkdir /var/www/wordpress
  7. Move all the WordPress files to the folder you created
    # cp -r ~/wordpress/* /var/www/wordpress
  8. Create a MySQL user account and database for WordPress.
    Note: You will need the root password created when installing the LAMP stack

    # mysql -u root -p
  9. Now create a new database for WordPress
    Note: Replace WordPress with any name of your choice

    mysql> CREATE DATABASE WordPress;
  10. Now add a new MySQL user for WordPress
    Note: Replace “username” with any name of your choice

    mysql> CREATE USER username;
  11. Assign a password to the wordpress mysql user
    Note: Replace “abcd” with your own password

    mysql> SET PASSWORD FOR 'username' = PASSWORD('abcd');
  12. Grant the wordpress user all privileges for the wordpress database
    mysql> GRANT ALL PRIVILEGES ON WordPress.* TO 'username' IDENTIFIED BY 'abcd';
  13. After setting up the database and user, exit MySQL
    mysql> exit;
  14. Create a WordPress configuration file by copying the template
    Note: If you installed in another directory, then correct the given path to your own.

    # cp /var/www/wordpress/wp-config-sample.php /var/www/wordpress/wp-config.php
  15. Edit the WordPress configuration (wp-config.php) so it contains your MySQL information
    Note: I use nano for all text editing, but feel free to use whatever tickles your fancy

    # nano /var/www/wordpress/wp-config.php
  16. Now insert the MySQL settings you just created by replacing:
    • database_name_here -> the database name you created. For this tutorial, it's named “WordPress”
    • username_here -> the MySQL user you created earlier
    • password_here -> the password you assigned to the MySQL user

    Note: After editing is complete, exit nano by a ctrl-x, then y to save

  17. Create an Apache config for the WordPress site by copying the default
    # cp /etc/apache2/sites-available/default /etc/apache2/sites-available/wordpress
  18. Open the config you copied to edit it
    # nano /etc/apache2/sites-available/wordpress
  19. Edit the wordpress config as follows:
    • Change the DocumentRoot and Directory to /var/www/wordpress
    • Edit the “AllowOverride” options to say All instead of None

  20. Disable the default apache config, enable the WordPress apache config, and enable the rewrite module
    # a2dissite default && a2ensite wordpress && a2enmod rewrite
  21. Create a .htaccess to hold the wordpress rewrite rules
    # touch /var/www/wordpress/.htaccess
  22. Give the apache service rights to the folder and allow editing of the .htaccess file
    # chown -R www-data:www-data /var/www/wordpress/
    # chmod -v 664 /var/www/wordpress/.htaccess
  23. Restart apache to reload settings
    # apachectl restart
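The wp-config.php edit in steps 14 to 16 is easy to get wrong by hand when the password contains characters that sed or PHP treat specially. This added example (mine, not part of the original post) fills in the three placeholders from the shell, escapes / & and \ so the password is written verbatim, and refuses a password with a single quote because it would break the PHP string literal. The sample file format is assumed to be the stock define('DB_NAME', 'database_name_here') lines.

```shell
#!/bin/sh
# Added example, not from the original post: render wp-config.php from the
# sample (steps 14 and 16) without hand-editing in nano.  The placeholders
# database_name_here / username_here / password_here are replaced by the
# given values; a password containing a single quote is refused because
# the PHP string literal define('DB_PASSWORD', '...') could not hold it.

# Escape a string for use as a sed replacement: backslash first, then / and &
sed_escape() {
  printf '%s' "$1" | sed -e 's|\\|\\\\|g' -e 's|[/&]|\\&|g'
}

# render_wp_config SAMPLE OUT DB_NAME DB_USER DB_PASSWORD
# Copies SAMPLE to OUT with the three placeholders replaced.
# Returns 1 on a bad password or sed failure, 2 if a placeholder survived.
render_wp_config() {
  sample=$1; out=$2; db_name=$3; db_user=$4; db_pass=$5
  case $db_pass in
    *\'*) echo "refusing password containing a single quote" >&2; return 1 ;;
  esac
  sed -e "s/database_name_here/$(sed_escape "$db_name")/" \
      -e "s/username_here/$(sed_escape "$db_user")/" \
      -e "s/password_here/$(sed_escape "$db_pass")/" "$sample" > "$out" || return 1
  # A leftover placeholder means the sample file did not look as expected
  if grep -q '_here' "$out"; then
    echo "warning: unreplaced placeholder left in $out" >&2; return 2
  fi
  return 0
}

# Usage on the layout from the post (run as root, values from steps 9-11):
#   render_wp_config /var/www/wordpress/wp-config-sample.php \
#     /var/www/wordpress/wp-config.php WordPress username 'abcd'
```

Remember that wp-config.php then holds the database password in clear text, so the chown in step 22 matters: it should be readable by www-data and not world-readable.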

Finished.

Create an IDS on the Cheap

Having an Intrusion Detection System isn’t optional for network admins who are audited. An IDS is also very handy to have, as it shows you everything that is going on. You don’t have to spend a lot of money on this, especially since most of the best tools are free. In my case, I wanted: network intrusion detection, network inventorying, and security scanning. I spent a lot of time messing around with separate packages to get the functionality I wanted, but it was a pain to manage them all separately. I finally found an all-in-one system which met all of my requirements. OSSIM provides snort, nagios, ntop, and nessus (and various other security tools); this met all of my needs. It comes in the form of an installable Debian Linux image. Get it here.

I used an old PC as my server, adding an additional NIC. When installing, I had to boot with acpi=off since the power management settings on the board weren’t detected properly. After getting over that hurdle, I simply entered options applicable for my environment via the wizard that is provided. After the installation finished, I had to spend some time configuring. I made this guide piecing together info from various sources.

Update your linux patch level

Nothing fancy here. It’s Debian, so use apt to install patches.

  1. ssh into the OSSIM server as the admin user
    #ssh root@192.168.1.3
  2. Update the package list, install patches, and reboot
    #apt-get update
    #apt-get upgrade
    #reboot 

Configure Network Interfaces

The LAN that needs to be monitored is 192.168.1.0/24; simply change the LAN address to suit your network. The OSSIM server has two NICs: one with an IP address (192.168.1.3) used for management and another operating in promiscuous mode (0.0.0.0) for sniffing. Configure a port on the main backbone switch (a gigabit smart switch which all of my servers and internet connection sit on) to be a spanning or mirroring port of all other ports. This means that the port receives a mirror of all traffic on all other ports; this is what the promiscuous NIC is plugged into. The management interface (192.168.1.3) is plugged into a separate switch that is chained to my backbone switch. Change the OSSIM network configuration to reflect this setup.

  1. Edit the interfaces configuration using your favorite linux text editor; I like nano
    #nano /etc/network/interfaces
  2. Set the /etc/network/interfaces file to the following; replace the addresses with ones applicable to your network.
    auto lo eth0 eth1
    iface lo inet loopback
     
    # The primary network interface
    # Used for web management
    iface eth0 inet static
            address 192.168.1.3
            netmask 255.255.255.0
            network 192.168.1.0
            broadcast 192.168.1.255
            gateway 192.168.1.1
            # dns-* options
            dns-nameservers 192.168.1.8

    # eth1 is for monitoring the LAN A network
    # no ip address, promiscuous mode
    iface eth1 inet manual
            up ifconfig $IFACE 0.0.0.0 up
            up ifconfig $IFACE promisc
            down ifconfig $IFACE down
  3. Save and close the file. Restart the network interfaces
    #/etc/init.d/networking restart 
  4. Configure ntop to use the promiscuous nic
    #dpkg-reconfigure ntop 
  5. Configure snort to use the proper interface
    #nano /etc/snort/snort.debian.conf

    Set the /etc/snort/snort.debian.conf to be the following:

    DEBIAN_SNORT_HOME_NET="192.168.1.0/24"
    DEBIAN_SNORT_INTERFACE="eth1"
    DEBIAN_SNORT_OPTIONS=""
    DEBIAN_SNORT_SEND_STATS="true"
    DEBIAN_SNORT_STARTUP="boot"
    DEBIAN_SNORT_STATS_RCPT="root"
    DEBIAN_SNORT_STATS_THRESHOLD="1"
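Steps 2 and 5 have to agree with each other: Snort must listen on the address-less promiscuous NIC, and HOME_NET must be the network the management NIC sits on, otherwise the sensor either sees nothing or classifies its own LAN as external. This added pre-flight check (mine, not part of the original post or of OSSIM) reads copies of /etc/network/interfaces and /etc/snort/snort.debian.conf and verifies both before you restart networking; file paths and the eth0/eth1 naming follow the configuration above.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the
# two-NIC sensor layout.  Verifies that DEBIAN_SNORT_INTERFACE names an
# 'inet manual' interface with no address that is put into promiscuous
# mode, and that DEBIAN_SNORT_HOME_NET matches a 'network' line of the
# management NIC.  Both file paths are arguments so copies can be checked.

# Print the value of KEY="value" from a snort.debian.conf-style file
snort_conf_get() {                         # $1 conf file, $2 key
  sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# Print the stanza (iface line plus its option lines) of one interface
iface_stanza() {                           # $1 interfaces file, $2 iface
  awk -v want="$2" '
    /^[ \t]*iface[ \t]/ { cur = $2 }
    cur == want { print }' "$1"
}

check_sensor_config() {                    # $1 interfaces file, $2 snort conf
  ifaces=$1; conf=$2
  snort_if=$(snort_conf_get "$conf" DEBIAN_SNORT_INTERFACE)
  home_net=$(snort_conf_get "$conf" DEBIAN_SNORT_HOME_NET)
  [ -n "$snort_if" ] && [ -n "$home_net" ] ||
    { echo "snort conf lacks DEBIAN_SNORT_INTERFACE or HOME_NET" >&2; return 1; }
  stanza=$(iface_stanza "$ifaces" "$snort_if")
  [ -n "$stanza" ] || { echo "no iface stanza for $snort_if" >&2; return 1; }
  # The sniffing NIC must be 'inet manual', carry no address, and go promisc
  printf '%s\n' "$stanza" | grep -q "^[[:space:]]*iface $snort_if inet manual" ||
    { echo "$snort_if is not 'inet manual'" >&2; return 1; }
  if printf '%s\n' "$stanza" | grep -q '^[[:space:]]*address'; then
    echo "$snort_if has an address; the sniffing NIC should not" >&2; return 1
  fi
  printf '%s\n' "$stanza" | grep -q 'promisc' ||
    { echo "$snort_if is never put into promiscuous mode" >&2; return 1; }
  # HOME_NET (e.g. 192.168.1.0/24) must match a 'network' line of another NIC;
  # only the network address is compared, not the mask
  net=${home_net%/*}
  grep -q "^[[:space:]]*network[[:space:]]*$net\$" "$ifaces" ||
    { echo "HOME_NET $home_net matches no 'network' line in $ifaces" >&2; return 1; }
  echo "sensor config OK: sniff=$snort_if home_net=$home_net"
}

# Usage on the live files (run as root):
#   check_sensor_config /etc/network/interfaces /etc/snort/snort.debian.conf
```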

Install Oinkmaster and Update Snort Rules

Oinkmaster is a program used to update Snort’s detection rules. You will need to go to snort.org and sign up to receive an oink key; this lets you download rules.

  1. Install Oinkmaster
    #apt-get install oinkmaster
  2. Edit Oinkmaster Configuration File
    #nano /etc/oinkmaster.conf 
  3. Add Rule URLS to Oinkmaster Configuration File
    url = http://www.snort.org/pub-bin/oinkmaster.cgi/<your oink code>/snortrules-snapshot-2.7.tar.gz
    url = http://www.snort.org/pub-bin/oinkmaster.cgi/<your oink code>/Community-Rules-CURRENT.tar.gz
  4. Download and Install Rules
    #oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules
    #perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/

Fix RRD Graphs

OSSIM includes RRD for graphing values; I noticed that a table used for this purpose was missing. Here is how to fix that.

  1. Go to your home folder and create a text file holding code for the missing table
    #cd ~
    #nano snort.event_stats.sql
  2. Paste the following into the newly created file
    CREATE TABLE `event_stats` (
    `timestamp` datetime NOT NULL,
    `sensors` int(10) unsigned NOT NULL,
    `sensors_total` int(10) unsigned NOT NULL,
    `uniq_events` int(10) unsigned NOT NULL,
    `categories` int(10) unsigned NOT NULL,
    `total_events` int(10) unsigned NOT NULL,
    `src_ips` int(10) unsigned NOT NULL,
    `dst_ips` int(10) unsigned NOT NULL,
    `uniq_ip_links` int(10) unsigned NOT NULL,
    `source_ports` int(10) unsigned NOT NULL,
    `dest_ports` int(10) unsigned NOT NULL,
    `source_ports_udp` int(10) unsigned NOT NULL,
    `source_ports_tcp` int(10) unsigned NOT NULL,
    `dest_ports_udp` int(10) unsigned NOT NULL,
    `dest_ports_tcp` int(10) unsigned NOT NULL,
    `tcp_events` int(10) unsigned NOT NULL,
    `udp_events` int(10) unsigned NOT NULL,
    `icmp_events` int(10) unsigned NOT NULL,
    `portscan_events` int(10) unsigned NOT NULL,
    PRIMARY KEY (`timestamp`),
    KEY `sensors_idx` (`sensors`),
    KEY `sensors_total_idx` (`sensors_total`),
    KEY `uniq_events_idx` (`uniq_events`),
    KEY `categories_idx` (`categories`),
    KEY `total_events_idx` (`total_events`),
    KEY `src_ips_idx` (`src_ips`),
    KEY `dst_ips_idx` (`dst_ips`),
    KEY `uniq_ip_links_idx` (`uniq_ip_links`),
    KEY `source_ports_idx` (`source_ports`),
    KEY `dest_ports_idx` (`dest_ports`),
    KEY `source_ports_udp_idx` (`source_ports_udp`),
    KEY `source_ports_tcp_idx` (`source_ports_tcp`),
    KEY `dest_ports_udp_idx` (`dest_ports_udp`),
    KEY `dest_ports_tcp_idx` (`dest_ports_tcp`),
    KEY `tcp_events_idx` (`tcp_events`),
    KEY `udp_events_idx` (`udp_events`),
    KEY `icmp_events_idx` (`icmp_events`),
    KEY `portscan_events_idx` (`portscan_events`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;

    Save the file and run the following command to create the event_stats table in the snort database.

    #cat snort.event_stats.sql | mysql -p snort

Update Other Components

Some of the components that come with OSSIM are old, but you can easily update them by following instructions found in the OSSIM forums.

  1. Upgrade Nmap: see here.
  2. Upgrade Nessus: see here.
  3. Update Nessus rules using Alienvault’s free feed: see here.

It would be wise to reboot after installing all of the above. Afterwards, go to the web interface of your OSSIM server http://<ossim ip address>. You should see something like this:

Define your LAN(s) and run some nessus scans. Happy monitoring.

Cheers.

Upgrading Windows 2003 Domain to 2008 Domain

Fortunately, my company is enrolled in a 6 year Microsoft subscription. This probably sounded appealing when Microsoft partners gave their speech (a year before they had a dedicated IT professional). I admit that it is nice to have a server license with the ability to upgrade to the current version at the time of my choosing. A company definitely saves money over time. Anyheuw, that’s what I did. I have a single forest with one domain.

The domain I inherited was originally a Windows 2000 domain. This became obvious after examining the selected options and functional levels. Apart from these inconveniences, upgrading from 2003 DCs to 2008 DCs was a snap. Important: You will need to raise the forest and domain functional levels to 2k3 native to do the upgrade, unless that’s where your forest/domain is now. Windows 2k3 forests/domains are in a Win2k compatibility functional level by default. Make sure to give your functional level raise some time to propagate.

After my forest and domain functional levels were raised, I moved all 5 FSMO roles to a single “virgin” 2003 DC that was born for this adventure. This served to eliminate possible third-party/previous install conflicts. Domain controllers seem to become a slave of small third-party semi-important services on a small Windows domain = too many on mine to think about fighting with.

Next I did a series of health tests on my Active Directory. I used Windows 2003 support tools to output a series of tests’ results to text files and studied them a bit. The Event Viewer is also helpful when improving AD health. Upgrading to a new AD schema won’t fix existing AD problems; it will only complicate them. At the very least, make sure that the dcdiag and netdiag tests all pass and fix the errors logged in the event logs on your DCs.

After AD was healthy and all controllers were synced up, I put up a new 2k8 server and joined it to the domain. From my newly created win2k3 box, I prepped my domain for 2k8:

  1. Insert the Win2k8 DVD (either x64 or x86 = depending on what the “virgin” 2k3 domain controller is) and copy the adprep folder (on the DVD it’s \sources\adprep) to the HD
  2. Upgrade AD definitions in the forest: cmd to the root of the folder you copied -> adprep.exe /forestprep
  3. Allow the domain to take advantage of what the forest has to offer: stay in cmd -> adprep.exe /domainprep
  4. Upgrade the group policy to match the newly updated AD schema of the domain: adprep.exe /domainprep /gpprep
  5. Optionally allow for read only domain controllers: adprep.exe /rodcprep

From my 2k8 box, I ran dcpromo (command line) and followed the wizard. Make sure to select advanced options and add to the existing forest & domain. Good to go. From there I created another 2k8 (x64) controller and demoted/removed my old 2k3 controllers. Hint: If you are demoting, turn off Trend Micro on the DCs if that’s what you use for AntiVirus.

All in all, I think 2k8 runs a better domain controller than 2k3. It’s definitely less boring to push buttons in = more intuitive. Memory usage is greater in 2k8 than in 2k3 to handle Windows Domain roles. However, its memory usage does improve performance…or maybe I am fooled by a more responsive GUI over terminal services. In any case, I am a fan of the greater control over my domain via the updated Group Policy/DNS options; just make sure you raise your forest & domain functional levels to 2k8 to reap all the benefits. (P.S. This means you cannot have domain controllers running anything less than 2k8.)

Now it’s time to replace the 2k3 exchange/windows box with a 2k7 exchange/2k8 windows (x64) box. The enhanced, built-in spam filtering of Exchange 2k7 looks good to me right now. Recently, my users have been getting mail saying things such as “I have kidnapped your baby, give me money to see her again” and “click here” to get your gift card. As much as I am a fan of gift cards, I care too much for the children to allow the kidnapping/ransom notes to continue.
Cheers.