Spenser Reinhardt's presentation on Securing Your Nagios Server.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
Malware Detection with OSSEC HIDS - OSSECCON 2014 (Santiago Bassett)
My presentation on how to use malware indicators of compromise to create rootcheck signatures for OSSEC. Explains different malware collection and analysis techniques.
Cisco and Pxosys teamed up for this webinar. We will walk you through the threat landscape and recent DNS ransomware cases, and explain why DNS security is an important part of your organization's security stack. We will look at a Cisco Umbrella live demo and see the potential of the platform, from easy deployment and reporting to blocking and mitigating threats from day zero. A Q&A will close the event to clarify any questions that arise during the demo. Attendees will receive a Cisco Umbrella free trial (30 days) at the end of the event.
Visit www.pxosys.com to learn more about us.
Topics covered in the webinar:
- IPv6 segment routing
- synchronizing DNS parent and child zones using the DNS protocol
- Status update on Knot-DNS 2.0 DNS Server and the Knot-DNS resolver
- DNSSEC look-aside validation (DLV) sunset
- network tuning for DNS zone transfers
- Use cases for IPv6 extension headers
- Zonemaster DNS and DNSSEC testing tool
- DNS based DDoS attacks
Vulnerability Monitoring with Zabbix, RHEL and the Yum Security Plugin (Alessandro Silva)
A vulnerability is a flaw in software development that can be exploited by a potential attacker to gain access to your network or system. The use of misconfigured services, weak passwords and the presence of packages containing bugs or security flaws are gaps that can be exploited at any moment. Zabbix Security Insights is a solution that implements vulnerability monitoring using Zabbix, its native UserParameter feature and the Yum security plugin, available on Red Hat Enterprise Linux/CentOS/Fedora and derived distributions, to collect information about vulnerabilities and then generate a dashboard with security views for better management and compliance. Through a presentation followed by a demo, system administrators and IT managers will be able to understand how to use the Zabbix Security Insights solution to proactively monitor vulnerabilities and minimize the risk of possible intrusions through already known security flaws.
IPv6 is slowly making its way into our environments and we need to be aware of how it impacts the systems we manage. This presentation takes us through a basic review of the protocol from a pentester's perspective.
D1 T1 - T. Yunusov, K. Nesterov - Bootkit via SMS (qqlan)
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all, we looked for vulnerabilities that could be exploited remotely, via the IP or radio network.
And the results were not long in coming. In some cases we managed to attack SIM cards and install a malicious Java applet there; we were able to remotely update USB modem firmware, change the password on a self-care portal via SMS and even gain access to the internal technological network of a carrier.
Further evolution of the attack helped us understand how a simple SMS can be used as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that the modem is connected to.
thwackCamp 2013: Building a Large-Scale SolarWinds Installation (SolarWinds)
SolarWinds IT management products are designed to scale to IT infrastructures of all sizes, from SMBs with fewer than 50 devices to large enterprise deployments with over 100K devices. Join SolarWinds customer Cardinal Health and SolarWinds Product Management as they discuss some of the considerations for deploying SolarWinds in a large, distributed environment.
Speaker: Tom Spitzer, Vice President, Engineering, EC Wise, Inc.
Session Type: 40 minute main track session
Level: 200 (Intermediate)
Track: Security
MongoDB Community Server provides a wide range of capabilities for securing your MongoDB installation. In this session, we will focus on access control features, including authentication and authorization mechanisms, that enable you to enforce a least privilege model on user accounts. We will also discuss strategies for enabling and maintaining service and application accounts. Next we will present the encryption capabilities that are available in the community edition and discuss their benefits and possible shortcomings. Finally, we will talk about application level protections your developers can implement to keep risky code from getting to your MongoDB instance.
What You Will Learn:
- The workings of the MongoDB User Management Interface, the Authentication Database, basic Authentication mechanisms (SCRAM-SHA-1 and certificates), Roles, and Role Based Access controls – plus best practices for using these features to improve the security of your database.
- How to use TLS/SSL for transport encryption, application encryption options, and field level redaction.
- How injection attacks work and how to minimize the risk of injection attacks.
Caching and tuning fun for high scalability (Wim Godden)
Caching has been a 'hot' topic for a few years. But caching takes more than merely taking data and putting it in a cache: the right caching techniques can improve performance and reduce load significantly. We'll also look at some major pitfalls, showing that caching the wrong way can bring down your site. If you're looking for a clear explanation of various caching techniques and tools like Memcached, Nginx and Varnish, as well as ways to deploy them efficiently, this talk is for you.
Webinar: Automate IBM Connections Installations and more (panagenda)
IBM Connections Pink is based on Conductor for Containers, which provides a collection of tools to work with Docker containers and Kubernetes. To manage containers in large environments, many DevOps teams use Ansible (agentless software for automating administration tasks).
So why not use these tools to prepare your Connections operating system: creating users, adding security settings or installing all the packages necessary to deploy DB2, Installation Manager and WebSphere Application Server? Or use one of the available roles or tasks to automate even the installation of WebSphere, creating cells and profiles …
In this session, you get the basics of Ansible and some hands-on to start the learning journey into ‘cloud’ based software management.
While probably the most prominent, Docker is not the only tool for building and managing containers. Originally meant to be a "chroot on steroids" to help debug systemd, systemd-nspawn provides a fairly uncomplicated approach to work with containers. Being part of systemd, it is available on most recent distributions out-of-the-box and requires no additional dependencies.
This deck will introduce a few concepts involved in containers and will guide you through the steps of building a container from scratch. The payload will be a simple service, which will be automatically activated by systemd when the first request arrives.
How Smart Thermostats Have Made Us Vulnerable (Ray Potter)
This is a co-speaker session, featuring Ray Potter, who spoke at RSA '14 alongside his mentor and advisor, Whit Diffie, and Yier Jin, an Assistant Professor at the University of Central Florida who has earned recognition for his work cracking the Nest thermostat. As we are seven months away from the conference, with plenty of time for additional developments, please view these talking points and flow as a living framework. Their slide deck will be fully updated in early April 2015 to address new research and timely examples in addition to the Nest research.
After short biographical introductions, Potter and Jin will begin by discussing current security and privacy concerns. This segment will cover IoT and Wearable devices that are available at the time of the conference, as well as exceptional examples that are rumored, upcoming, and potentially some that have already been discontinued. (Samsung Galaxy Gear watch, I'm looking at you!)
Jin will continue into his own research on the Nest learning thermostat. He will address the infrastructure of the IoT poster child, including an assessment and security analysis of the firmware and hardware. Jin will continue, speaking specifically about the boot process and device initialization.
Potter will share his thoughts with the attendees, engaging Jin in dialogue on the attack vectors of the Nest and other connected endpoints. This section of the talk will include discussion of the repercussions of the device vulnerabilities - worst case scenarios, including the enablement of other criminal activity, privacy leakage, and extensive attacks via the local network due to compromised IoT devices.
The session will continue with Potter sharing his expertise on compliance, security standardization and encryption. This look at the upside of benchmarked assurance will give attendees food for thought in future innovation. Jin will offer insight on enhancing the design flow for security in the constrained devices, including secure boot protocols and hardware-supported trust computation.
The duo will wrap up the presentation with an outlook on the burgeoning industry of connected devices. With their appreciation for innovation and technology, tempered by their professional expertise in security, Jin and Potter share an optimistic view for the future with significant caveats for consumers who hope to achieve ideal and safe results with IoT and Wearables.
Speaker: Paul Vixie
The Domain Name System (DNS) offers an excellent view of local and global networks, which makes it possible to study the actions of cybercriminals and their attack methods. The talk will show how to secure DNS and use it to protect other connected assets. The speaker will cover DNS cache poisoning, DNS Security Extensions (DNSSEC), DDoS attacks, rate limiting, DNS firewalls and passive DNS monitoring.
Similar to Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server (20)
Best Practices? That’s like asking how long is a piece of string! While every environment is different, there are however a number of configurations, tweaks and methods that can be of great benefit for your Nagios XI environment. This talk will cover a variety of Best Practice topics for Nagios XI ranging from flexible object configurations through to back end performance enhancements.
Trevor McDonald - Nagios XI Under The Hood - What happens when a check is run? What are the parts that move behind the scenes to turn a service check into a notification? In this talk, Trevor will walk through the check process from start to finish, giving an overview of the components involved at each step.
Sean Falzon - Nagios - Resilient Notifications (Nagios)
Sean will be discussing several approaches to notification types for real-world Nagios deployments. This will include a few methods for handling on-call rosters, sending SMS from fully virtualized data centers, and resilient notifications by integrating with phone systems for voice notifications.
Marcus Rochelle - Landis+Gyr - Monitoring with Nagios Enterprise Edition (Nagios)
Marcus Rochelle - Landis+Gyr - Monitoring with Nagios Enterprise - This presentation will take a close look at how the Enterprise Edition of Nagios XI is used within Landis+Gyr to monitor systems, applications, and utility networks. You will get a strong view of the full capability and possibilities of Nagios XI when leveraged with open source software products. Landis+Gyr trusts Nagios XI over all other tools to monitor Smart Grids and more.
Janice Singh - Writing Custom Nagios Plugins - New to Nagios and wanting to expand its use with your own custom plugins? This presentation will show you how to write your own plugins and integrate them into Nagios.
Dave Williams - Nagios Log Server - Practical Experience (Nagios)
Dave Williams - Nagios Log Server - Practical Experience - This session will detail the green-field deployment of Nagios Log Server in a client environment consisting of HP LAN switches, 3PAR disk storage, and HP Blade Chassis with Flex Fabric using VMware, Hyper-V, Exchange & Citrix.
Mike Weber - Nagios and Group Deployment of Service Checks (Nagios)
This presentation will show how you can create groups of checks like CPU metrics, Oracle metrics or IIS metrics and push them to all of the hosts that require them. The presentation will provide a script that will allow you to select and implement hundreds of groups of checks that have been developed for NRPE, NCPA, WMI, NSClient++, NRDP and NRDS.
Mike Guthrie - Revamping Your 10 Year Old Nagios Installation (Nagios)
Mike Guthrie - Revamping Your 10 Year Old Nagios Installation - Mike Merideth from VictorOps talks about the challenges of sharing responsibility for monitoring in the DevOps world. Learn several strategies for keeping your configuration correct, consistent, and up-to-date when several people are working on it.
Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring... (Nagios)
Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring as a Service - Learn about the trials and challenges Agile Networks faced while converting their Nagios XI instance over to service outside customers.
Matt Bruzek - Monitoring Your Public Cloud With Nagios (Nagios)
Matt Bruzek - Monitor Public Cloud - Use Nagios to monitor your public cloud. No Debian installer for Nagios 4? No problem! Deploy your public cloud with Juju and you can connect Nagios Core services to your Ubuntu instances in the cloud. In this session, Matt will quickly go over the basic concepts of Juju and spend the rest of the time walking through examples of deploying Nagios monitoring solutions.
Lee Myers - What To Do When Nagios Notifications Don't Meet Your Needs (Nagios)
Lee Myers - What To Do When Nagios Notifications Don't Meet Your Needs - Lee will present how he overcame timeperiod issues through the use of MK_Livestatus, Pushbullet, and scripts to notify him of alerts while he is at work. All the user needs to do is execute a command at the start of their shift, and they will receive all their notifications until their shift ends.
Eric Loyd - Fractal Nagios - Learn how Nagios XI can be used to monitor Nagios Log Server (NLS) and Nagios Network Analyzer (NNA), how Nagios Log Server and Nagios Network Analyzer can leverage Nagios XI for alerting, and how to use Nagios Log Server and Nagios Network Analyzer to monitor each other and Nagios XI and Nagios Core, including remote execution environments.
Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow... (Nagios)
Marcelo Perazolo, Lead Software Architect, IBM Corporation - In this session, Marcelo will describe how Nagios can be integrated and extended for the monitoring of a typical power-based converged infrastructure, and how it interfaces with existing element managers to provide a single point of integration for passive and active monitoring purposes.
Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf... (Nagios)
Tracking Boeing Satellites With Nagios - Learn how Nagios Core redefined support of the on-orbit fleet of Boeing satellites and changed the way Mission Operations are performed with the next generation of satellites.
Nagios Log Server greatly simplifies the process of searching your log data. Set up alerts to notify you when potential threats arise, or simply filter your data to quickly audit your system. With Log Server, you get all of your data in one location, with high availability and fail-over built right in. Quickly monitor your servers with configuration wizards and start monitoring your logs in minutes.
Learn more here: https://www.nagios.com/products/nagios-log-server/
Free download (60 day trial): https://www.nagios.com/downloads/nagios-log-server/
Network Analyzer provides an in-depth look at all network traffic sources and potential security threats allowing system admins to quickly gather high-level information regarding the health of the network as well as highly granular data for complete and thorough network analysis.
Dorance Martinez Cortes' presentation on customizing Nagios. The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference.
Building a Raspberry Pi Robot with Dot NET 8, Blazor and SignalR - Slides Onl... (Peter Gallagher)
In this session delivered at Leeds IoT, I talk about how you can control a 3D printed robot arm with a Raspberry Pi, .NET 8, Blazor and SignalR.
I also show how you can use a Unity app on a Meta Quest 3 to control the arm in VR too.
You can find the GitHub repo and workshop instructions here:
https://bit.ly/dotnetrobotgithub
Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server
1. Securing Your Nagios Server
Spenser Reinhardt
SReinhardt@nagios.com
Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare.
Information poses more of a problem. It can exist in more than one place; be
transported halfway across the planet in seconds; and be stolen without your
knowledge. — Bruce Schneier
2. Who am I?
Nagios employee (2012)
Active Def Con member and speaker
OWASP Member
CTF Creator
Better be despised for too anxious apprehensions, than ruined by too confident security. — Edmund
Burke
3. Why Should You Care?
The yearly number of attacks is only increasing
The sophistication of attacks is ever increasing
Whether you like it or not, chances are you will be a target
Nagios servers hold many privileged keys
Privacy is not for the passive. — Jeffrey Rosen
5. Why Should You Consider This?
Vital network information
Notifies administrators and teams of issues
Relatively low difficulty
The Defender's Dilemma
“An attacker need only find one way onto the network, a defender must close all holes.”
6. Apache Modifications Overview
Remove Apache and PHP version strings
Virtual host restrictions
Forced SSL redirection
Stronger SSL certificates and algorithms
Mod_Security
“Security through obscurity is only secure until it is discovered”
7. Removing Version Information
Apache: /etc/httpd/conf/httpd.conf
ServerTokens ProductOnly
ServerSignature Off
PHP: /etc/php.ini
expose_php = Off
HTTP/1.1 302 Found
Date: Sat, 21 Sep 2013 15:51:01 GMT
Server: Apache
Location: https:///
Connection: close
Content-Type: text/html; charset=iso-8859-1
Security breaches usually entail more recovery efforts than acts of God. Unlike proverbial
lightning, breaches of security can be counted on to strike twice unless the route of compromise
has been shut off. — FedCIRC
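To verify that the ServerTokens, ServerSignature and expose_php changes took effect, the check below parses a raw HTTP response and lists the headers that still disclose software versions. It is an added example, not code from the slides: the two responses are constructed samples (the sanitized one mirrors the slide's output with a made-up hostname filled in), and the pattern it flags is an assumption about how version tokens are usually formatted (name/x.y.z).

```python
import re

# Constructed sample responses (not captures from a real server). The first mirrors
# the sanitized response shown on the slide, with a made-up hostname filled in.
SANITIZED_RESPONSE = """HTTP/1.1 302 Found
Date: Sat, 21 Sep 2013 15:51:01 GMT
Server: Apache
Location: https://nagios.example/
Connection: close
Content-Type: text/html; charset=iso-8859-1
"""

# What the same server typically answers before the changes (constructed; versions are illustrative).
VERBOSE_RESPONSE = """HTTP/1.1 200 OK
Date: Sat, 21 Sep 2013 15:51:01 GMT
Server: Apache/2.2.15 (CentOS) PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e
X-Powered-By: PHP/5.3.3
Connection: close
Content-Type: text/html; charset=iso-8859-1
"""

# Assumption: version tokens look like "product/major.minor[.patch...]".
VERSION_RE = re.compile(r"\b[A-Za-z_][\w.-]*/\d+(?:\.\d+)+")


def parse_response(raw):
    """Split a raw HTTP response into its status line and a dict of lower-cased header names."""
    lines = raw.splitlines()
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # a blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def version_disclosures(raw):
    """Return (header, disclosed value) pairs that ServerTokens/ServerSignature/expose_php should have removed."""
    _, headers = parse_response(raw)
    findings = [("server", token) for token in VERSION_RE.findall(headers.get("server", ""))]
    if "x-powered-by" in headers:   # this header only exists while expose_php is On
        findings.append(("x-powered-by", headers["x-powered-by"]))
    return findings


if __name__ == "__main__":
    for label, raw in (("sanitized", SANITIZED_RESPONSE), ("verbose", VERBOSE_RESPONSE)):
        print(label, version_disclosures(raw) or "no version information disclosed")
```

Run it against `curl -sI https://your-server/` output after restarting Apache; an empty result means only the bare product name is left, as on the slide.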
8. Restricting Apache Virtual Hosts
/etc/httpd/conf.d/nagiosxi.conf (default)
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
/etc/httpd/conf.d/nagiosxi.conf (restricted)
# Order allow,deny
# Allow from all
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.168.0/24 10.1.2.0/255.255.255.0 nagios.com
Order works the opposite way from iptables: the directives named last in Order are evaluated last, and the last evaluated rule that matches the connection applies. With Order deny,allow the Allow list is evaluated after "Deny from all", so the listed addresses get through and everything else is denied.
Security is always excessive until it's not enough. — Robbie Sinclair, Head of Security, Country
Energy, NSW Australia
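The Order semantics are easy to get backwards, so here is the evaluation logic written out as an added example (my code, not from the slides): it takes the restricted rule set from this slide and answers whether a given client is admitted. Apache resolves a domain entry such as nagios.com through the client's reverse-DNS name; the example assumes the caller passes that name in explicitly. This is Apache 2.2 syntax; Apache 2.4 replaces Order/Allow/Deny with Require directives.

```python
import ipaddress

# Access rules from the slide's restricted nagiosxi.conf. The domain entry stands in for Apache's
# hostname check, which relies on the client's reverse-DNS name; here the caller supplies that name.
RESTRICTED = {
    "order": "deny,allow",
    "deny": ["all"],
    "allow": ["127.0.0.1", "192.168.168.0/24", "10.1.2.0/255.255.255.0", "nagios.com"],
}
DEFAULT = {"order": "allow,deny", "deny": [], "allow": ["all"]}


def _matcher(source):
    """Build a predicate over (ip, reverse_dns_name) for one Allow/Deny argument."""
    if source == "all":
        return lambda ip, host: True
    if "/" in source:  # CIDR or dotted-netmask form; ip_network accepts both
        net = ipaddress.ip_network(source, strict=False)
        return lambda ip, host: ip in net
    try:
        addr = ipaddress.ip_address(source)
        return lambda ip, host: ip == addr
    except ValueError:
        # Domain name: matches the host itself or any name ending in ".<domain>".
        domain = source.lower()
        return lambda ip, host: host is not None and (
            host.lower() == domain or host.lower().endswith("." + domain))


def access_allowed(rules, client_ip, client_host=None):
    """Apply Apache 2.2 Order semantics: directives named later in Order are evaluated last and win."""
    ip = ipaddress.ip_address(client_ip)
    allow_hit = any(_matcher(s)(ip, client_host) for s in rules["allow"])
    deny_hit = any(_matcher(s)(ip, client_host) for s in rules["deny"])
    if rules["order"] == "deny,allow":
        # Deny first, Allow last: matching both -> allowed; matching neither -> allowed.
        return True if allow_hit else not deny_hit
    if rules["order"] == "allow,deny":
        # Allow first, Deny last: matching both -> denied; matching neither -> denied.
        return False if deny_hit else allow_hit
    raise ValueError("unknown Order: %s" % rules["order"])


if __name__ == "__main__":
    for ip, host in (("192.168.168.42", None), ("172.16.0.5", None), ("172.16.0.5", "monitor.nagios.com")):
        print(ip, host, "->", "allowed" if access_allowed(RESTRICTED, ip, host) else "denied")
```

The two cases worth remembering: under deny,allow a client matching nothing is allowed (hence the explicit "Deny from all"), while under allow,deny a client matching nothing is denied.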
9. Force SSL Redirection
/etc/httpd/conf.d/https.conf
RewriteEngine On
RewriteCond %{HTTPS} off
# R defaults to a 302 redirect (the response shown two slides back); L stops further rewriting
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
Forces every page requested over http to redirect to https.
Pages can still be requested insecurely, but are redirected immediately.
There are risks and costs to a program of action--but they are far less than the long range cost of
comfortable inaction. — John F. Kennedy
10. Increasing SSL Security
openssl genrsa -aes256 encrypts the private key with a passphrase, and Apache cannot enter one at start-up, so we generate a new key with a passphrase and then strip the passphrase before we generate anything else:
cd /etc/pki/tls/private
openssl genrsa -aes256 -out ca.key.pass 2048
OR
openssl genrsa -aes256 -out ca.key.pass 4096
Type in the password you used above when asked; the following command strips it from the key:
openssl rsa -in ca.key.pass -out ca.key
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
cp ca.crt ../certs/
One person's "paranoia" is another person's "engineering redundancy." — Marcus J. Ranum
11. Increasing SSL Security (2)
Modify the files in /etc/httpd/conf.d to add the following lines directly after the </Directory> line.
<VirtualHost *:443>
SSLEngine on
# 2013-era setting; on a current Apache also disable SSLv3, TLSv1 and TLSv1.1 here
SSLProtocol all -SSLv2
SSLCipherSuite DHE-RSA-AES256-SHA:ALL:!ADH:!EXPORT:!SSLv2:!RC2:!CAMELLIA256:!3DES:!DES-CBC3-SHA:!RC4:+HIGH:!MEDIUM:!LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory "/usr/local/nagiosxi/html">
AllowOverride All
</Directory>
</VirtualHost>
Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts
across the electrified borders. — Ronald Reagan
12. Mod_Security
Install Mod_Security packages
yum install mod_security_crs-extras mod_security mod_security_crs
Download and copy my exclusions rule list
cd /tmp
wget http://assets.nagios.com/downloads/nagiosxi/misc/mod_security_excluded_rules.conf
cp /tmp/mod_security_excluded_rules.conf /etc/httpd/conf.d/
Troubleshooting
# -E: the {0,75} repetition is extended-regex syntax
tail -f /var/log/httpd/error_log | grep -oE "/etc/httpd/modsecurity.d/activated_rules/.{0,75}"
/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"]
SecRuleRemoveById [ID Number]
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we
come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein
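A parser for the error_log entries the troubleshooting line above surfaces, as an added example (not part of the talk): it pulls file, line, id, client and URI out of each entry, counts how often each rule fires, and emits exclusions scoped to a <Location> block rather than a global SecRuleRemoveById, so the rule stays active for the rest of the site. The log lines are constructed samples laid out the way ModSecurity 2 writes them; the first one's rule file, line and id repeat the slide's output, while the client addresses, URI paths and the second rule are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed error_log lines in the layout ModSecurity 2 uses (not a real capture). The first
# entry's rule file, line and id repeat the slide's troubleshooting output; clients and URIs are made up.
SAMPLE_LOG = """\
[Sat Sep 21 15:51:01 2013] [error] [client 192.168.1.25] ModSecurity: Warning. Pattern match "union select" at ARGS:query. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [hostname "nagios.example"] [uri "/nagiosxi/includes/components/ccm/index.php"]
[Sat Sep 21 15:52:13 2013] [error] [client 192.168.1.25] ModSecurity: Warning. Pattern match "semicolon" at ARGS:cmd. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "120"] [id "950907"] [msg "System Command Injection"] [hostname "nagios.example"] [uri "/nagiosxi/admin/commands.php"]
[Sat Sep 21 15:53:40 2013] [error] [client 192.168.1.25] ModSecurity: Warning. Pattern match "union select" at ARGS:query. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [hostname "nagios.example"] [uri "/nagiosxi/includes/components/ccm/index.php"]
[Sat Sep 21 15:54:02 2013] [error] [client 10.9.8.7] ModSecurity: Warning. Pattern match "union select" at ARGS:q. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [hostname "nagios.example"] [uri "/phpmyadmin/index.php"]
"""

EVENT_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\].*?'
    r'\[file "(?P<file>[^"]+)"\] \[line "(?P<line>\d+)"\] \[id "(?P<id>\d+)"\]'
    r'(?: \[msg "(?P<msg>[^"]*)"\])?.*?'
    r'\[uri "(?P<uri>[^"]*)"\]')


def parse_modsec_events(text):
    """Extract one dict per ModSecurity entry: client, file, line, id, msg, uri."""
    return [m.groupdict() for m in (EVENT_RE.search(line) for line in text.splitlines()) if m]


def rule_counts(events):
    """How often each rule id fired; the noisy ones are the exclusion candidates."""
    return Counter(ev["id"] for ev in events)


def exclusion_directives(events, trusted_prefix, trusted_clients):
    """Emit per-Location SecRuleRemoveById blocks, only for hits that trusted clients triggered on
    the application's own URIs. Hits from other clients may be real attacks and are left alone."""
    by_uri = defaultdict(set)
    for ev in events:
        if ev["uri"].startswith(trusted_prefix) and ev["client"] in trusted_clients:
            by_uri[ev["uri"]].add(ev["id"])
    lines = []
    for uri in sorted(by_uri):
        lines.append('<Location "%s">' % uri)
        lines.extend("    SecRuleRemoveById %s" % rid for rid in sorted(by_uri[uri]))
        lines.append("</Location>")
    return lines


if __name__ == "__main__":
    evs = parse_modsec_events(SAMPLE_LOG)
    print(rule_counts(evs))
    print("\n".join(exclusion_directives(evs, "/nagiosxi/", {"192.168.1.25"})))
```

Feed it the real error_log (for example `parse_modsec_events(open("/var/log/httpd/error_log").read())`) while an administrator exercises the Nagios XI interface from a known address; the generated block can then go into the exclusions file instead of blanket SecRuleRemoveById lines.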
13. Database Alterations – Root User
Root MySQL password:
mysqladmin -u root -pnagiosxi password NewPassword
/root/scripts/automysqlbackup
PASSWORD=NewPassword
/usr/local/nagiosxi/scripts/backup_xi.sh
mysqlpass="NewPassword"
/usr/local/nagiosxi/scripts/restore_xi.sh
mysqlpass="NewPassword"
/usr/local/nagiosxi/var/xi-sys.cfg
mysqlpass='NewPassword'
Phishing is a major problem because there really is no patch for human stupidity — Mike
Danseglio
14. Database Alteration – Changing Passwords
Changing a MySQL password, non-root users
mysql -u root -p
use mysql;
set password for 'ndoutils'@'localhost' = password('NewPassword');
flush privileges;
quit;
When it comes to privacy and accountability, people always demand the former for themselves and
the latter for everyone else. — David Brin
15. Database Alterations – NagiosQL User
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/etc/components/ccm_config.inc.php:
"password" => "n@gweb",
/usr/local/nagiosxi/html/includes/components/ccm/config.inc.php:
'password' => 'n@gweb',
/usr/local/nagiosxi/html/includes/components/ccm/ccm.inc.php:
$password = grab_array_var($cfg['db_info']['nagiosql'],'pwd','n@gweb');
Men are only as good as their technical development allows them to be. — George Orwell
16. Database Alterations – Ndoutils User
/usr/local/nagios/etc/ndo2db.cfg
db_pass=n@gweb
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
/usr/local/nagvis/etc/nagvis.ini.php
dbpass="n@gweb"
Be careful and you will save many men from the sin of robbing you. — Ed Howe
17. Database Alterations - Postgres
psql -U nagiosxi
ALTER USER nagiosxi WITH PASSWORD 'NewPassword';
/usr/local/nagiosxi/var/xi-sys.cfg
pgsqlpass='nagiosxi'
/usr/local/nagiosxi/scripts/backup_xi.sh
pg_dump -c -U nagiosxi nagiosxi > $mydir/pgsql/nagiosxi.sql
/usr/local/nagiosxi/scripts/restore_xi.sh
psql -U nagiosxi nagiosxi < pgsql/nagiosxi.sql
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
One of the tests of leadership is the ability to recognize a problem
before it becomes an emergency. — Arnold Glascow
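Slides 13 to 17 list the files that have to be kept in step whenever a database password changes, each with its own quoting style. The helper below is an added example, not part of the talk: it audits a set of configuration files for the default n@gweb and nagiosxi values under the keys the slides show, and rotates a chosen value while preserving each file's quoting. The file contents are constructed to mirror the slides' snippets (paths are the ones the slides name); the key list and the value patterns are assumptions based on those snippets.

```python
import re

# Password keys the slides show, across PHP arrays ("pwd" => 'x'), shell variables (mysqlpass="x")
# and ini-style files (db_pass=x). The lookahead keeps "$password = grab_array_var(...)" from matching.
KEY_RE = re.compile(
    r"""\b(?P<key>pwd|password|mysqlpass|pgsqlpass|db_pass|dbpass|PASSWORD)["']?\s*(?:=>|=)\s*"""
    r"""(?P<q>["']?)(?P<value>[^"'\s,]*)(?P=q)(?=\s*(?:,|;|$))""",
    re.MULTILINE)
# The ccm.inc.php default: grab_array_var($cfg[...], 'pwd', 'n@gweb')
GRAB_RE = re.compile(
    r"""grab_array_var\([^)]*?,\s*['"]pwd['"]\s*,\s*(?P<q>['"])(?P<value>[^'"]*)(?P=q)\s*\)""")

DEFAULT_SECRETS = {"n@gweb", "nagiosxi"}

# Constructed file contents mirroring the snippets on slides 13-17 (paths as named there).
FILES = {
    "/usr/local/nagiosxi/html/config.inc.php":
        '$cfg["db_info"]["nagiosql"] = array(\n    "pwd" => \'n@gweb\',\n    "password" => \'n@gweb\',\n);\n',
    "/usr/local/nagios/etc/ndo2db.cfg": "db_user=ndoutils\ndb_pass=n@gweb\n",
    "/usr/local/nagiosxi/var/xi-sys.cfg": "mysqlpass='NewPassword'\npgsqlpass='nagiosxi'\n",
    "/usr/local/nagvis/etc/nagvis.ini.php": 'dbuser="nagiosxi"\ndbpass="n@gweb"\n',
    "/root/scripts/automysqlbackup": "PASSWORD=NewPassword\n",
    "/usr/local/nagiosxi/html/includes/components/ccm/ccm.inc.php":
        "$password = grab_array_var($cfg['db_info']['nagiosql'],'pwd','n@gweb');\n",
}


def find_db_passwords(text):
    """Every (key, value) password assignment in one file's contents."""
    found = [(m.group("key"), m.group("value")) for m in KEY_RE.finditer(text)]
    found += [("pwd", m.group("value")) for m in GRAB_RE.finditer(text)]
    return found


def audit(files):
    """Map each path that still carries a default secret to the offending (key, value) pairs."""
    report = {}
    for path, text in files.items():
        hits = [(k, v) for k, v in find_db_passwords(text) if v in DEFAULT_SECRETS]
        if hits:
            report[path] = hits
    return report


def _swap(m, old, new):
    """Rebuild the match with only the value replaced, so quotes and spacing survive."""
    if m.group("value") != old:
        return m.group(0)
    start, end = m.start("value") - m.start(), m.end("value") - m.start()
    return m.group(0)[:start] + new + m.group(0)[end:]


def rotate(text, old, new):
    """Replace `old` with `new` only where it is the value of a password key (user names are untouched)."""
    text = KEY_RE.sub(lambda m: _swap(m, old, new), text)
    return GRAB_RE.sub(lambda m: _swap(m, old, new), text)


if __name__ == "__main__":
    print("before:", audit(FILES))
    rotated = {p: rotate(t, "n@gweb", "S3cret-example") for p, t in FILES.items()}
    print("after: ", audit(rotated))
```

Run the audit first: it should be empty after the changes on these slides, and anything it reports is a file the rotation missed.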
18. Locking Down IPtables
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback must stay open: Nagios XI talks to its own database and web server over 127.0.0.1
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 22 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 443 -s 192.168.1.45 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 5667 -s 192.168.1.200 -j ACCEPT
# SNMP traps normally arrive on udp/162; use -p udp here if that is what this server receives
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 162 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp --dport 53 -s 192.168.1.200 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
service iptables save
It's not good enough to have a system where everyone (using the system) must be trusted, it must also
be made robust against insiders! — Robert Morris
19. OS Hardening
ASLR / Exec Shield
sshd configuration
AIDE
SELinux
GRSecurity kernel patches
Like the death of a celebrity from a drug overdose, publicized data loss incidents remind us that we
should probably do something about taking better care of our data. But we usually don't, because we
quickly remind ourselves that backups are boring as h***, and that it's shark week on Discovery.
— Nik Cubrilovic
20. ASLR / Exec Shield
Address Space Layout Randomization
# 1 randomizes stack, mmap base and VDSO; 2 also randomizes the heap (brk) and is the usual choice today
kernel.randomize_va_space = 1
Exec Shield
kernel.exec-shield = 1
Both can be enabled by adding these lines to /etc/sysctl.conf and running sysctl -p or rebooting the system.
A good programmer is someone who always looks both ways before crossing a one-way street. —
Doug Linder
21. SSHD Config
/etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTH
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
MaxSessions 5
MaxStartups 3
IgnoreRhosts yes
# switch to "no" once key-based logins are in place
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding no
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we
come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein
22. AIDE Installation and Configuration
yum install aide
# choose the .selinux or .non-se variant to match whether SELinux is enabled
curl http://assets.nagios.com/downloads/nagiosxi/xi_security/aide.conf.{selinux,non-se} -o /etc/aide.conf
aide --init
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check
System updates, Nagios updates, configuration changes, etc. will cause AIDE warnings.
AIDE, version 0.14
### All files match AIDE database. Looks okay!
The best way to get management excited about a disaster plan is to burn down the building across the
street. — Dan Erwin, Security Officer, Dow Chemical Co
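To show what aide --init and aide --check actually compare, here is a miniature of the same idea as an added example (not AIDE's code and not from the slides): it records a content hash, permission bits, size and owner for every regular file under a directory, stores that as the baseline, and reports files added, removed or changed on the next run, which is what the warnings after an update amount to. The directory tree and its contents are constructed inside a temporary directory; the file names only echo configuration files mentioned earlier in the deck.

```python
import hashlib
import json
import os
import stat
import tempfile


def _record(path):
    """Attributes an AIDE-style check compares: content hash, permission bits, size and owner."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size, "uid": st.st_uid}


def build_db(root):
    """The 'aide --init' step: record every regular file under root, keyed by relative path."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = _record(full)
    return db


def check(root, db):
    """The 'aide --check' step: compare the live tree against the stored baseline."""
    current = build_db(root)
    return {"added": sorted(set(current) - set(db)),
            "removed": sorted(set(db) - set(current)),
            "changed": sorted(k for k in set(db) & set(current) if db[k] != current[k])}


def save_db(db, path):
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True)


def load_db(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Baseline a constructed config tree, tamper with it, and return both check reports."""
    work = tempfile.mkdtemp(prefix="aide-demo-")
    root = os.path.join(work, "tree")          # the tree under watch
    dbpath = os.path.join(work, "aide.db")     # baseline kept outside the watched tree
    os.makedirs(os.path.join(root, "etc"))
    seed = {"etc/httpd.conf": "ServerTokens ProductOnly\nServerSignature Off\n",
            "etc/php.ini": "expose_php = Off\n",
            "etc/sshd_config": "PermitRootLogin no\n"}
    for rel, content in seed.items():
        full = os.path.join(root, rel)
        with open(full, "w") as f:
            f.write(content)
        os.chmod(full, 0o644)
    save_db(build_db(root), dbpath)            # like copying aide.db.new.gz into place
    baseline = load_db(dbpath)
    clean = check(root, baseline)
    # Simulated drift: a setting flipped, a file removed, a file added, permissions changed.
    with open(os.path.join(root, "etc/php.ini"), "w") as f:
        f.write("expose_php = On\n")
    os.remove(os.path.join(root, "etc/sshd_config"))
    with open(os.path.join(root, "etc/extra.conf"), "w") as f:
        f.write("Include conf.d/*.conf\n")
    os.chmod(os.path.join(root, "etc/httpd.conf"), 0o600)
    return clean, check(root, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after drift:", after)
```

The baseline lives outside the tree it describes for the same reason AIDE's database should be copied somewhere the monitored host cannot quietly rewrite it: a report is only as trustworthy as the baseline it is compared against.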
23. SELinux
Initially created and still largely maintained by the NSA
Enforces Mandatory Access Control (MAC)
Application and User Domain Restrictions
Execution restrictions
Port use restrictions
Additional file permissions
But not quite ready for Nagios XI
In theory, one can build provably secure systems. In theory, theory can be applied to practice but in
practice, it can't. — M. Dacier, Eurecom Institute
24. GRSecurity / PaX
Kernel-based security patches
True ASLR and stack protections
Role-Based Access Control (RBAC)
Chroot advantages
Breaks the RHEL warranty by modifying the kernel
You can't hold firewalls and intrusion detection systems accountable. You can only hold people
accountable. — Daryl White, DOI CIO
25. Questions? - Thank You!
History has taught us: never underestimate the amount of money,
time, and effort someone will expend to thwart a security system. It's
always better to assume the worst. Assume your adversaries are better
than they are. Assume science and technology will soon be able to do
things they cannot yet. Give yourself a margin for error. Give
yourself more security than you need today. When the unexpected
happens, you'll be glad you did. — Bruce Schneier