Thursday, 3 July 2014

Syslog server with Graylog2

Previously I have used various types of syslog server, such as WhatsUpGold, ManageEngine, rSyslog (into text files) and LogAnalyzer. Each of these had their merits, however I recently stumbled upon Graylog2 and wanted to give it a try.

I have decided to move from RHEL to Debian moving forward, several reasons for that but at the end of the day just a personal preference. Therefore the guide below is Debian based, however can be easily adapted to any distro.


I installed this on a VM, using 2 vCPU cores and 4GB RAM (3 would suffice), and 50GB HDD (20GB would suffice)...let's begin:

Install packages
apt-get install -y openjdk-7-jre-headless pwgen mongodb vim curl

Configure the database
mongo
   use admin
   db.addUser('admin', '<admin password>')
   db.auth('admin', '<admin password>')
   use graylog2
   db.addUser('grayloguser', '<graylog password>')
   db.auth('grayloguser', '<graylog password>')
   exit


Install and configure ElasticSearch
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.10.deb
dpkg -i elasticsearch-0.90.10.deb
echo 'cluster.name: graylog2' >> /etc/elasticsearch/elasticsearch.yml
/etc/init.d/elasticsearch restart


Install Graylog2 (http://graylog2.org/download)
cd /opt
wget https://github.com/Graylog2/graylog2-server/releases/download/0.20.3/graylog2-server-0.20.3.tgz
tar xvf graylog2-server-0.20.3.tgz
ln -s /opt/graylog2-server-0.20.3 /opt/graylog2-server
cp /opt/graylog2-server/graylog2.conf.example /etc/graylog2.conf


Generate a secret for the config (96 char)
pwgen -s 96|head -1

Generate a password for the admin user
echo -n p4ssw0rd | shasum -a 256

Add these to the Graylog2 config file
vim /etc/graylog2.conf

Alternatively use these commands to do it automatically
sed -ie "s/^password_secret =$/password_secret = `pwgen -s 96|head -1`/g" /etc/graylog2.conf
sed -ie "s/^root_password_sha2 =$/root_password_sha2 = `echo -n p4ssw0rd|sha256sum|awk '{print $1}'`/g" /etc/graylog2.conf


Create an init script
vim /etc/init.d/graylog2

---Copy below this line---
#!/bin/bash
### BEGIN INIT INFO
# Provides: graylog2
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Starts GrayLog2
# Description: Starts GrayLog2 using start-stop-daemon
### END INIT INFO 

NAME=graylog2
GL_HOME=/opt/graylog2-server
GL_PID=/var/run
CMD=$1
start() { 

     echo "Starting $NAME ..."
     java -jar $GL_HOME/graylog2-server.jar &
}
stop() {
     PID=`cat $GL_PID/$NAME.pid`
     echo "Stopping $NAME ($PID) ..."
     kill $PID
}
restart() {
     echo "Restarting graylog2-server ..."
     stop
     start
}
case "$CMD" in
     start)
          start 

          ;;
     stop)
          stop
          ;;
     restart)
          restart
          ;;
*)
          echo "Usage $0 {start|stop|restart}"
          RETVAL=1
esac

---End---

chmod 755 /etc/init.d/graylog2
update-rc.d graylog2 defaults
/etc/init.d/graylog2 start


Install Graylog2 web interface
cd /opt
wget https://github.com/Graylog2/graylog2-web-interface/releases/download/0.20.3/graylog2-web-interface-0.20.3.tgz
tar xvf graylog2-web-interface-0.20.3.tgz
ln -s /opt/graylog2-web-interface-0.20.3 /opt/graylog2-web-interface


Enter the secret created previously into the config file (/opt/graylog2-web-interface/conf/graylog2-web-interface.conf)
Alternatively use this command to do it automatically

sed -ie "s/^application.secret=\"\"/application.secret=\"`grep ^password_secret /etc/graylog2.conf|awk '{print $3}'`\"/g" conf/graylog2-web-interface.conf

Configure the REST URI
vim /opt/graylog2-web-interface/conf/graylog2-web-interface.conf
graylog2-server.uris="http://127.0.0.1:12900/"


Or automatically...
sed -ie "s/^graylog2-server.uris=\"\"/graylog2-server.uris=\"http:\/\/127.0.0.1:12900\/\"/g" conf/graylog2-web-interface.conf


Create an init script
vim /etc/init.d/graylog2

---Copy below line---
#!/bin/bash
### BEGIN INIT INFO
# Provides: graylog2-web-interface
# Required-Start: $graylog2
# Required-Stop: $graylog2
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Starts graylog2-web-interface
# Description: Starts graylog2-web-interface using start-stop-daemon
### END INIT INFO
NAME=graylog2-web-interface
GL_HOME=/opt/graylog2-web-interface/bin
GL_PID=/var/run
CMD=$1
start() {
     echo "Starting $NAME ..."
     $GL_HOME/graylog2-web-interface &
}
stop() {
     PID=`cat $GL_PID/$NAME.pid`
     echo "Stopping $NAME ($PID) ..."
     kill $PID
}
restart() {
     echo "Restarting $NAME..."
     stop
     start
}
case "$CMD" in
     start)
          start
          ;;
     stop)
          stop
          ;;
     restart)
          restart
          ;;
*)
          echo "Usage $0 {start|stop|restart}"
          RETVAL=1
esac

---End---

chmod 755 /etc/init.d/graylog2-web-interface
update-rc.d graylog2-web-interface defaults
/etc/init.d/graylog2-web-interface start



Fire up a browser and navigate to your graylog2 installation:
https://ipofserver:9000
Login with the admin account and the p4ssw0rd you created previously.

Configure your devices to send syslogs to this new server, and then instruct graylog2 to listen for the relevant incoming logs via
System > Inputs
Syslog UDP > Launch new input


Personally I use the following settings:
allow_override_date: true
port: 514
bind_address: 0.0.0.0
store_full_message: true
recv_buffer_size: 1048576
force_rdns: true


Finally, and because I only had a handful of devices and couldn't be bothered to create the DNS/rDNS, I simply added the hostnames of the devices to the hosts file to make navigating the logs a little easier.

Enjoy a fast, stable, open-source syslog server!






Friday, 18 October 2013

Active Directory group based authentication for Cisco ASA AnyConnect

The purpose of this article will be to authenticate SSL AnyConnect VPN users to a specific profile dependant on their Active Directory (AD) group membership.

First we need an AD user account that will be used by the ASA to query LDAP.  This doesn't need to be a domain admin or anything, so just create a user with a strong password (set it so password doesn't expire etc).

We will also need to create, or take note of the AD group that will be used to identify to which VPN profile users will be authorised to access.  For example, in this article we will have an AD group called "Grp_GI_VPN_Tech", any user that is a member of that group will be authorised to access our AnyConnect profile named the same (I used the same names, you don't have to).
They won't however be able to access any other profile (unless they are a member of the relevant group as well).

So first step, let's set up our ASA to be able to query LDAP:
Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add
Now create a name for the group, such as "VPN-LDAP", select protocol LDAP and leave the rest as default.

Now select your new server group, and we are going to add your domain controller(s) to the group from the next section (Servers in the Selected Group).
Select the interface via which your DC is accessible, likely Inside.
Enter the IP of the DC
Server port: 389 (unless you're using LDAP over SSL)
Server type: Microsoft
Base DN: This determines where the ASA will look for users, in my case our users are spread out from the root OU, and therefore I will put the root of my domain.  If your users were for example all under Users then you could go one level up.  Eg. CN=Users,DC=mydomain,DC=loc
Scope: Determines to which sub-level the ASA will search
Naming Attribute: sAMAccountName
Login DN: This will be the user you created earlier to query LDAP, enter the fully distinguished name
Login Password: The strong password you created earlier
Leave the rest as default.
If you have a secondary DC, add that in the same way as above, your AAA Server Group will then have two servers configured for redundancy.


Now our ASA can query LDAP, we can start making the VPN's:
Configuration > Remote Access VPN > AnyConnect Connection Profiles
First we should enable AnyConnect on our outside interface, if not already done, therefore select the option and choose your interface, then select to bypass the interface ACLs for inbound sessions.
We will also select to allow users to select the connection profile on the login page, although they will see all of your profiles when they connect, they will only be able to access the ones that you determine via their AD group membership.
So far we should be looking something like this (dependant on your interfaces).

Now let's create our Connection Profile, select Add in the section below:
Name: Call this what you like, I find it useful to label it the same as your AD group, for easy management, so for our example I am going to call it Grp_GI_VPN_Tech.
Alias: This is what your users will see on their AnyConnect client, so label this clearly for them, such as "Tech Department".
Method: AAA
AAA Server Group: Here we select the group we created previously, in this example VPN-LDAP
Client Address Assignment: Depending on how you want to assign your VPN users an IP address will determine what you put here.  For this example I am going to have the ASA assign an IP address by creating an IP range within Client Address Pools.
Group Policy: We need to create this next, so for now just select any existing policy, such as DfltGrpPolicy
Enable SSL VPN client protocol
Disable IPsec(IKEv2) client protocol
Add your DNS/WINS/Domain Name
The advanced options we leave as default so press OK.

Now let's create our Group Policy (not related to AD GPO).
Configuration > Remote Access VPN > Group Policies
Add a new Internal Group Policy:
We can leave most of the General options inherited, however add the name you want (again I will keep it simple by using Grp_GI_VPN_Tech)
Under More Options we will explicitly define the following:
IPv4 Filter: Here we need to make an ACL determining what we want to allow our users to access on our inside LAN, eg. RDP to our terminal server, DNS query against our DC etc
Simultaneous Logins: Put here how many users should access at once, dependant on your licensing
Connection Profile Lock: Select our connection profile we created previously

Under the Servers tab, explicitly define your DNS/WINS/Default Domain again

If you want to use Split Tunneling, then select your Policy and Network List under Advanced > Split Tunneling.
The rest can be left as default, so press OK.

Now we go back to our AnyConnect Connection Profile and select our newly created Group Policy where we previously just used DfltGrpPolicy.


The final step is to restrict users to only access the VPN that their AD group membership allows, so navigate to Configuration > Remote Access VPN > Dynamic Access Policies
Here we need to add a new policy:
Policy Name: For simplicity, I will call this Grp_GI_VPN_Tech
ACL Priority: Doesn't really matter, let's just start at 100 and count down for each new VPN we make in future
Select User has ALL of the following AAA Attributes values...
Add a new criteria:
AAA Attribute Type: Cisco
Connection Profile: Grp_GI_VPN_Tech
OK
Add a new criteria:
AAA Attribute Type: LDAP
Attribute ID: memberOf
Value: = Choose your AD group, example here is Grp_GI_VPN_Tech of course
OK
Now ensure the Action is set to Continue, and press OK.
The final step now is to deny access for unauthorised users, so Edit the DfltAccessPolicy and ensure it is set to Terminate, supply a message for the users here if you like.


We should now be good to go, so fire up your test client and test.

Of course, you will need to repeat the steps for each additional VPN you create (except your AAA Server Groups, they don't need to be touched).

Please comment if you find anything incorrect, or have any questions!




Saturday, 4 May 2013

Cisco Client VPN Configuration


This was set up on a 857W running IOS 12.4-15-T12
There is already a Site to Site configured so this will be set up as priority 2.
LAN : 192.168.0.0/24
VPN : 172.16.0.0/24

Phase 1 policy parameters
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2


VPN client address pool
crypto isakmp client configuration address-pool local poolname
ip local pool poolname 172.16.0.1 172.16.0.254


VPN client group
crypto isakmp client configuration group groupname
key psk
pool poolname
acl aclname
crypto isakmp keepalive 300
crypto isakmp xauth timeout 60


Phase 2 policy parameters
crypto ipsec transform-set transform-2 esp-3des esp-sha-hmac
crypto dynamic-map mapname 2
set transform-set transform-2
reverse-route


Crypto map
crypto map mapname client authentication list userlist
crypto map mapname isakmp authorization list groupname
crypto map mapname client configuration address respond
crypto map mapname 2 ipsec-isakmp dynamic mapname
interface external
crypto map mapname


Define the phase 2 proxy ID
ip access-list extended aclname
permit ip 172.16.0.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any


Exclude the client VPN range from the NAT rule
ip nat inside source list 101 interface external overload
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any




Cisco Site to Site VPN Configuration


This was set up on a 857W running IOS 12.4-15-T12
There is also a client VPN configured on this router.
Local subnet : 192.168.0.0/24
Remote subnet : 10.10.0.0/16
Peer IP : 5.5.8.8

Phase 1 parameters
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2


Pre Shared Key
crypto isakmp key psk address 5.5.8.8 no-xauth

Transform set
crypto ipsec transform-set transform-1 esp-aes esp-sha-hmac

Crypto map
crypto map mapname 1 ipsec-isakmp
set peer 5.5.8.8
set transform-set transform-1
match address aclname


Interesting traffic
ip access-list extended aclname
permit ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.255.255


Remove from NAT rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.255.255

Inbound ACL
interface bridge to internal network
ip access-group aclname2 out
ip access-list extended aclname2
permit udp host 10.10.4.8 192.168.0.1 0.0.0.225
deny ip 10.10.5.0 0.0.0.255 any
permit ip any any








Squeezelite on Fedora

I've found squeezelite to be superior to SqueezeSlave, specificially for player synchronisation.
The install is as simple as downloading the (i386) binary from here.

Because I prefer to run this as a service, and because I found no example startup scripts online, I wrote my own.  I'm no expert at this sort of thing, so it may well not work on your machine, but it should be just a case of a few small tweaks.


#!/bin/sh

### BEGIN INIT INFO
# Provides:          squeezelite
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Script to start squeezelite
# Description:       Service script for squeezelite, command line squeezebox player
### END INIT INFO

. /etc/init.d/functions

USER=j.doe                              # The user logged in to Gnome, required to use Pulse
NAME=Squeezelite                        # Name of the player
LMS=127.0.0.1                           # IP of the media server
LOG=/var/log/squeezelite.log            # Log file
LOCKFILE="/var/lock/subsys/squeezelite"
RETVAL=0

start() {    
        echo -n $"Starting Squeezelite daemon: "
        daemon --user $USER squeezelite-i386 -z -f $LOG -n $NAME $LMS &
        RETVAL=$?
        echo
        touch $LOCKFILE
        return $RETVAL


stop() {    
       echo -n $"Stopping Squeezelite daemon: "
       killproc squeezelite-i386    
       echo
       RETVAL=$?
       rm -f $LOCKFILE
       return $RETVAL
}    

restart() {
        stop
        sleep 5
        start
}

case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                restart
                ;;
        status)
                status squeezelite
                ;;
        condrestart)
                [ -e $LOCKFILE ] && restart
                ;;
        *)
                echo $"Usage: $0 {start|stop|status|restart|condrestart}"
                RETVAL=1
esac

exit $RETVAL


Thursday, 23 August 2012

iPerf

iPerf is a small, open-source, cli app designed to run on Linux (but has been ported to Windows) which is very useful in measuring throughput on a network.

It runs between two machines on a network, and has various options and features viewable on the man pages (or --help for Windows).

One machine acts as the server;
iperf -s
And the other machine acts as the client;
iperf -c [server ip]

Some useful options :

-t x : This sets the time (in seconds) to run the test for, default is 10 sec
-P x : The number of parallel transfers to run, this will generally increase throughput
-w xKB : TCP window size, increasing this will generally increase throughput as well

Example:

iperf -c 192.168.0.2 -t 30 -P 10 -w 256KB