Friday, February 17, 2017

DoD CAC on a MAC Login Troubleshooting

Like many of you, I'm now a Mac dude; however, if you are DoD this can become an insane headache (see any Mac article on militarycac.com)

In this example below, we had a common iMac that everyone uses, and as of macOS Sierra you can use your CAC to log in! In my case, I put my CAC in and it automagically associated my CAC with that common user account ... not MY account!

Here's how to remove the CAC from the other user account and get it on yours. You'll need these things to continue:

  1. Your CAC reader and CAC
  2. Terminal

All of this magic happens because of Apple's built-in command-line tool sc_auth. We'll be using it exclusively to fix our stuff.

  1. Open a terminal (I always hit ⌘+spacebar, type Terminal, and hit Enter)
  2. Type sudo -s (you now have a root shell; everything below runs as root, so exit it when you're done)
  3. Type cd /etc
  4. Type rm authorization.cac (If this file does not exist, then yay! We're good to go)
  5. Make sure your CAC is inserted and visible to macOS (open Keychain Access; your CAC certs should be at the top of the list. If they are not, your CAC reader is not installed or the OS can't see your certs). Then type:
    1. sc_auth hash (You should see your 3 DoD certs pop up, each with a hash string in front of your name. This is good: the OS now knows what your certs are)
    2. Now, this is cool, but you probably don't know which one is the PIV cert used for signing into your Mac, so type: sc_auth identities. You should see the hash along with "Certificate for PIV Authentication (lastname.first.middle.cacid)"; this is the one we want.
    3. Now, to remove the previous pairing of this CAC with any other account, type:
      1. sc_auth unpair -u username (replacing username with the account the card was wrongly paired to)
    4. Now copy the hash for your PIV certificate and pair it with your user account. The command to type/run is:
      1. sc_auth pair -u username -h 39DDR9FXI9XFKK9X9FKEKO3 (Put your real PIV hash there; the one shown is only a placeholder, and a real hash is a 40-character hex string)
    5. You should now be prompted for your PIN (if you're logged into the macOS account you want to use your CAC on), and you're set!
    6. You're done! Now go to the login screen and you should be prompted for a CAC PIN on your account.

TL;DR:
sc_auth unpair -u oldusername
sc_auth identities
(copy PIV hash)
sc_auth pair -u goodusername -h (HASH GOES HERE)
Prompted for PIN 
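The TL;DR as a script, added here as an example and not part of the original post. It wraps the same sc_auth subcommands (identities, unpair, pair) and picks the PIV hash out of the identities list automatically instead of copying it by hand. The line format of sc_auth identities output, the sample identities and the hashes below are assumptions and constructed data, not real card output; the live part only runs on a Mac with a reader and a card, so the parser is exercised on the constructed sample.

```shell
#!/bin/sh
# Added example: re-pair a CAC's PIV Authentication identity with the right
# macOS user, built around the sc_auth subcommands the post uses
# (identities / unpair / pair). The live part needs root, a reader and a
# card; the parsing helper is exercised on constructed sample output so the
# logic can be checked anywhere.

# Pull the hash of the PIV Authentication identity out of `sc_auth identities`
# text read on stdin. Assumption (not from the post): each identity is one
# line beginning with the hash, and the PIV cert's label contains the string
# "Certificate for PIV Authentication" as quoted in the post.
piv_hash_from_identities() {
    awk '/Certificate for PIV Authentication/ { print $1; exit }'
}

# Refuse anything that is not a SHA-1 style hash (40 hex digits); a typo or a
# copied placeholder would otherwise be handed straight to sc_auth pair.
is_plausible_hash() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Live flow: unpair OLDUSER, then pair NEWUSER with the PIV hash on the card.
# Run as root (sudo) with the CAC inserted, as in the post.
repair_pairing() {
    olduser=$1
    newuser=$2
    hash=$(sc_auth identities | piv_hash_from_identities)
    if ! is_plausible_hash "$hash"; then
        echo "no PIV Authentication identity found (reader installed? card inserted?)" >&2
        return 1
    fi
    sc_auth unpair -u "$olduser"
    sc_auth pair -u "$newuser" -h "$hash"   # prompts for the card PIN
}

# Constructed sample of what `sc_auth identities` prints (not real output and
# not real hashes): hash, then the certificate label.
SAMPLE_IDENTITIES='3A1F0C5B9E2D4B6A8C7F1E0D2B4A6C8E0F1A2B3C Certificate for Digital Signature (DOE.JOHN.Q.1234567890)
9E2D4B6A8C7F1E0D2B4A6C8E0F1A2B3C3A1F0C5B Certificate for PIV Authentication (DOE.JOHN.Q.1234567890)
0D2B4A6C8E0F1A2B3C3A1F0C5B9E2D4B6A8C7F1E Certificate for Key Management (DOE.JOHN.Q.1234567890)'

# Show which hash the parser would pick from the sample.
demo() {
    printf '%s\n' "$SAMPLE_IDENTITIES" | piv_hash_from_identities
}

case "${1:-}" in
    repair) repair_pairing "$2" "$3" ;;   # sudo ./cacpair.sh repair commonuser myuser
    *)      demo ;;
esac
```

Run with no arguments to see the parser pick the PIV hash out of the sample; run `sudo ./cacpair.sh repair commonuser myuser` on the Mac to do the unpair/pair for real. The hash check is the one thing worth keeping even if you do the steps by hand: sc_auth pair will happily take whatever string you give it.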

Tuesday, April 5, 2016

Amazon AWS GovCloud S3 Syncing .... and you can too!

So, you're in fancy pants AWS GovCloud and you need to sync between a directory on your EC2 instance and an S3 bucket, right? ARE YOU IN LUCK MY FRIEND:

What you'll need:

1. An AWS access key and the corresponding secret key. You can find these in IAM and create one just for this; however, each IAM user is limited to 2 active access keys. Always save your keys somewhere super safe: aws configure writes them in plain text to ~/.aws/credentials on the instance, so anyone who can read that file as your user owns those keys. If the instance only ever needs to talk to S3, an IAM role attached to the instance does the same job with no long-lived key on the box at all.
2. Some EC2 instance that you need to either backup or sync contents.

How to:

1. On your EC2 instance you first need to setup "aws configure" to let the instance know HOW to connect to your s3 bucket with your credentials, so we're going to type:

[ec2-user@ip]$ aws configure

2. This will bring up the following prompts. These instructions are for GovCloud users, but you can use whatever region you are in:

  a. Paste in your access key ID:  AWS Access Key ID [ ]:
  b. Paste in your secret key:  AWS Secret Access Key [ ]:
  c. Enter your default region name: Default region name [ ]: us-gov-west-1
     i. NOTE: This has to be exact, otherwise the aws command line will not know how to get to your bucket. If you don't know it, log in to S3, click on any file you have in there, take a look at the properties, then check out the "Link:". Everything after the "s3-" up to the first "." is your region. E.g., mine is always s3-us-gov-west-1.amazonaws.com, so my region is us-gov-west-1.
  d. Leave the default output format at None: Default output format [None]:
  e. Hit Enter at the last step and it will spit you back out to the command prompt.

3. Yay! That part is done. Now we can test by listing the contents of a bucket:

aws s3 ls s3://nameofbucket

  Note: You literally just need the name of the bucket in S3. So you don't put s3-us-gov-west-1.amazonaws.com/bucketofstuff ... from here on out, just put s3://bucketofstuff

4. If that worked you should see a nice ls listing of your bucket on s3! We're getting closer! 

5. Now to test syncing all the data FROM an S3 bucket to a directory on your EC2 instance:

  a. cd into the directory you'd like the data in first
  b. Then type: aws s3 sync s3://nameofbucket .
  c. It should now spit out the downloaded files into the directory you're in. Sweet!
  d. I'm old school so I want to SEE the data I'm putting in a dir, but yes, you can skip the "." and put in the literal path, e.g., /home/ec2-user/stuff or whatever dir you're syncing data with. 

6. Now to go the other way:

aws s3 sync /name/of/dir/ s3://nameofbucket
  
  a. Note: this will push everything in the dir that is new or changed (sync compares size and modification time) up to the S3 bucket, overwriting the copies already there. It does NOT remove objects in the bucket that no longer exist locally unless you add --delete, and then it will, so think twice before using that flag on a bucket that holds more than this one directory.
  b. In the case of the step 5 example where we're IN the directory we're putting data in, you'd just type: aws s3 sync . s3://nameofbucket 

7. AWESOME. Now you can set up a crontab for backups, or get super-mega-fancy and put the AWS command line on your Windows or Mac and push to S3 from ANYWHERE! Just remember to keep your AWS access keys handy (and treat them like passwords) and you're set.



P.S. If you get lost, here's the S3 command line page and it will show you how to do wget's, cp's, and of course sync.

P.P.S. Don't forget to check permissions if you can't upload/download. The IAM user whose key you configured needs s3:ListBucket on the bucket and s3:GetObject/s3:PutObject on its objects (plus s3:DeleteObject if you use --delete). Do NOT fix it by granting the bucket ACL "Upload/Delete" to "Authenticated Users": in S3 that grantee means every AWS account in existence, not just yours.
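The pieces above as a small script, added here as an example and not part of the original post: the "region from the S3 link" trick from step 2c as a function, and a wrapper around aws s3 sync for steps 5 to 7 that pins the region, keeps --delete opt-in and is safe to run from cron. The bucket names, paths and sample links are made up; the aws invocation is real, but the script can be dry-run anywhere by setting AWS=echo.

```shell
#!/bin/sh
# Added example (not from the post): the "region from the S3 link" trick in
# step 2c as a function, and a wrapper around `aws s3 sync` for steps 5 to 7
# that pins the region, keeps --delete opt-in, and is safe to run from cron.
# Bucket names, paths and the sample links below are made up.

# Pull the region out of an object link like
#   https://s3-us-gov-west-1.amazonaws.com/bucketofstuff/file.txt
# (everything after "s3-" up to the first dot), and also out of the
# bucket.s3.<region>.amazonaws.com form newer consoles show.
# Prints nothing if the link is not a regional S3 link.
region_from_link() {
    printf '%s\n' "$1" |
        sed -nE 's#^(https?://)?([a-z0-9.-]+\.)?s3[-.]([a-z0-9-]+)\.amazonaws\.com.*$#\3#p'
}

# A region looks like us-gov-west-1 or us-east-1; anything else is a typo
# and the CLI would not find the bucket (step 2c's NOTE).
is_valid_region() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$'
}

S3_REGION=${S3_REGION:-us-gov-west-1}
AWS=${AWS:-aws}   # set AWS=echo to print the command instead of running it

# s3_sync push|pull SRC DST [extra aws options]
#   push: SRC is a local directory, DST is a bucket name
#   pull: SRC is a bucket name, DST is a local directory
# Only the bucket name goes in the s3:// URL, never the s3-<region> hostname.
# --delete is not added unless you pass it: sync otherwise only copies new or
# changed files and leaves extra objects in the bucket alone.
s3_sync() {
    direction=$1; src=$2; dst=$3
    shift 3
    if ! is_valid_region "$S3_REGION"; then
        echo "refusing to sync: S3_REGION='$S3_REGION' does not look like a region" >&2
        return 2
    fi
    case "$direction" in
        push)
            [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
            $AWS s3 sync --region "$S3_REGION" "$src" "s3://$dst" "$@" ;;
        pull)
            $AWS s3 sync --region "$S3_REGION" "s3://$src" "$dst" "$@" ;;
        *)
            echo "usage: s3_sync push|pull SRC DST [extra aws options]" >&2
            return 2 ;;
    esac
}

# Step 7's cron job, with a lock so an overlapping run exits instead of
# racing the previous one (mkdir is atomic, so it works as a lock anywhere).
# Crontab line (hypothetical path):  */30 * * * * /home/ec2-user/s3backup.sh
cron_push() {
    lock=${TMPDIR:-/tmp}/s3_sync.lock
    if ! mkdir "$lock" 2>/dev/null; then
        echo "previous sync still running, skipping" >&2
        return 0
    fi
    s3_sync push "$1" "$2"
    rc=$?
    rmdir "$lock"
    return $rc
}

# Stand-alone demo on a constructed link; the sync functions are for your script.
region_from_link 'https://s3-us-gov-west-1.amazonaws.com/bucketofstuff/file.txt'
```

Passing --region on every call is belt and braces on top of aws configure: if someone later runs aws configure on the same box with a different default, the backup still goes to the GovCloud bucket you meant. The lock matters once the sync takes longer than the cron interval; without it two syncs fight over the same files.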


Amazon AMI Linux Apache PHP Baseline Setup

Most of my web apps are just basic Apache with PHP. Here's a quick install for the bare minimums with support for ssl, mbstring, and gd libraries. Important if you'd like to do some file management stuff on the front end:

sudo yum install -y httpd php mod_ssl php-mbstring php-gd

That will get you rolling with some fancy pants PHP mods!!

Don't forget to edit /etc/php.ini for upload sizes (upload_max_filesize and post_max_size) and all that jazz, then restart httpd.

Friday, March 25, 2016

SuSE SLES 12 Single User Mode w/ Networking

For some crazy reason, SAMBA on my brand new SLES12 box was corrupt/wonky/broken. So, no logins, and a weird "Module is unknown" error when you would attempt to log in with correct credentials, only to be told to get outta here. (That string is PAM's message for a module it cannot load: something in /etc/pam.d/ references a module, such as pam_winbind.so, that is missing or broken, so every login fails no matter how right the password is.)

I scoured the Google's looking for help and was able to patch together something to get it working ... or at least get networking in single user mode to work! Here's the steps:

1. Reboot/Startup your box and hold shift at the Grub bootup screen

2. Once at the SuSE splash screen, press the "e" key to edit the GRUB entry.
3. You should now be in the GRUB 2 editor; find the line that starts with "linux" and press the END key.
4. At the end of that line, type in "single", then hit F10 to boot with the edited entry.
5. Now you should be taken to single user mode; enter root's password and BANG! you're in. (This only works because the GRUB menu isn't password-protected and you know root's password; if console access like this worries you, GRUB's password protection is what closes it.)
6. Now, this is the weird part to get the network to start: you need to wait a good minute for all of the bootup scripts and services to settle, then (and only then) can you bring the NIC up with your previous network settings so we can get to zypper and reinstall/update everything. Once you've waited, enter:

/sbin/service network start

You should now have super fun times network access so you can zypper update/install things to your hearts content! You're welcome!! 


Wednesday, March 4, 2015

Mod_Security - Get 401 Errors Out of Relevant Status Logs!

Congrats, you're on your way to hard core security with mod_security! But now your audit log is filling up faster than a North Dakota Bear at a Golden Corral (Sorry, Brian) with general errors that DO NOT trigger any mod_sec rules.

Normally, out of the box, you'll have mod_security's SecAuditEngine rules set like so:

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog "|bin/rotatelogs.exe -l -f f:/logs/%Y-%m-%d-modsec-audit.log 86400"


Or ... something close to that. Make sure the parens in the pattern are balanced: it should read "^(?:5|4(?!04))", and a copy missing the final ")" will not compile. Let's break down the REGEX on the line for SecAuditLogRelevantStatus:

(?:5 -- The (?: just opens a non-capturing group; the 5 then matches any status code beginning with 5, i.e., every 500-level error, e.g., 500 Internal Server Error or the lovely 503 Service Unavailable.

4(?!04) -- Log any 400-level error EXCEPT 404. The (?!04) is a negative lookahead: match a 4 only if it is not followed by 04.

I'm all for the 500-level errors being logged, as those should never happen, but my modsec_audit log is FILLING up with about a million 401s that I couldn't care less about. Apache's access log is going to record these anyway in a much more compact format, so I don't need to also see them in my modsec log. So, to fix that (and if you're a REGEX noob like me) just modify that 4(?!04) part to read:

 "^(?:5|4(?!04|01))"

By adding that "|01" inside the lookahead, we're saying: skip any 404 OR 401, both of which Apache is going to grab for you anyway. Two things to keep in mind: the pattern is matched against the three-digit status code as a string and anchored on its first digit, so list the full codes you want excluded; and SecAuditLogRelevantStatus only decides what gets logged on status alone. A 401 that actually trips a rule with the auditlog action still lands in the audit log under RelevantOnly, which is exactly what you want.
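A quick way to see what the change does before touching the live config, added here as an example and not part of the original post: run both versions of the status filter over some access-log lines and count what would have been audit-logged. ModSecurity evaluates SecAuditLogRelevantStatus with PCRE, so the lookahead works there; grep -E has no lookahead, so the script uses the equivalent plain POSIX expressions, written out in the comments. The log lines are constructed, not from a real server.

```shell
#!/bin/sh
# Added example (not from the post): check which responses the
# SecAuditLogRelevantStatus pattern logs on status alone, before and after
# the "|01" change. ModSecurity uses PCRE (lookahead OK); grep -E does not
# support lookahead, so the same sets are written as POSIX EREs here.
#
#   PCRE (ModSecurity)        equivalent ERE for grep -E
#   ^(?:5|4(?!04))            ^(5|4([1-9][0-9]|0[0-35-9]))
#   ^(?:5|4(?!04|01))         ^(5|4([1-9][0-9]|0[02-35-9]))
#
# i.e. any 5xx, or a 4 followed by two digits that are not 04 (and, after
# the change, not 01 either). 400 stays in both sets.
BEFORE_ERE='^(5|4([1-9][0-9]|0[0-35-9]))'
AFTER_ERE='^(5|4([1-9][0-9]|0[02-35-9]))'

# relevant_status CODE ERE: true if a response with this status would be
# written to the audit log purely because of its status.
relevant_status() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# Constructed Apache common-log lines (not real traffic); status is field 9.
SAMPLE_LOG='10.0.0.5 - - [04/Mar/2015:10:01:02 -0500] "GET /login HTTP/1.1" 401 212
10.0.0.6 - - [04/Mar/2015:10:01:03 -0500] "GET /missing HTTP/1.1" 404 196
10.0.0.7 - - [04/Mar/2015:10:01:04 -0500] "POST /api HTTP/1.1" 500 512
10.0.0.8 - - [04/Mar/2015:10:01:05 -0500] "GET /admin HTTP/1.1" 403 199
10.0.0.9 - - [04/Mar/2015:10:01:06 -0500] "GET / HTTP/1.1" 200 1024'

# count_relevant ERE: reads log lines on stdin, prints how many would be
# audit-logged on status alone (grep -c exits 1 on zero matches, hence || true).
count_relevant() {
    awk '{ print $9 }' | grep -Ec "$1" || true
}

# Before/after comparison on the sample.
demo() {
    printf 'before: %s of 5 lines audit-logged on status\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | count_relevant "$BEFORE_ERE")"
    printf 'after:  %s of 5 lines audit-logged on status\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | count_relevant "$AFTER_ERE")"
}
demo
```

Point it at a real access log with `awk '{print $9}' access.log | grep -Ec "$AFTER_ERE"` to estimate how much smaller the audit log gets; remember this only counts status-triggered entries, and anything a rule flags is still logged.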

Hope that clears up your mod_sec logs!!  

Friday, February 20, 2015

Windows Firewall IP Scope Limit is 1000 Entries

1,000 ENTRIES IS THE MAX WINDOWS FIREWALL RULES WILL ACCEPT.

For the longest time, we've been building in-house security tools to keep bad actors out of our Apache, or at the least, keep them from banging on our ports. One of the C# tools we built will do a REGEX search in Apache's logs and if it sees something fishy will automatically add it to the Windows Firewall via an inbound rule for port 80 and 443 we created called "Block Apache Punks". (It used to have a very rated R name before. They made me change it. Use your imagination). Here's what it normally looks like when you're making an individual IP entry:


And then when you hit OK, it'll appear that it's taking it, but when you hit apply on your rule, you will see the error: "The array bounds are invalid." and it will NOT accept your entry. Because you've hit the limit. Which is dumb. It's 2015. Why is this happening.

We never looked it up, but had heard there was a limit to the number of IPs and CIDR ranges you could add to this list ... well, we found out last week what that number is: it's 1,000, like the big fat text above.


Hopefully, you'll come across this from a Google search and realize you NEED to move to something with much much more flexibility in your OpSec plan for keeping out the bad guys. As I type this, we're moving to Apache mod_security with about 20 rules already and the ability to block as many IPs as we need (a list file and the @ipMatchFromFile operator, rather than a firewall rule's scope box). Something we should have done a long long time ago.

Wednesday, February 18, 2015

Windows 8.1 Offline Activation

Windows 8.1 is pretty slick, but if you're on NIPRnet, there is 0% chance it will activate itself over the network. Nobody wants to call Microsoft and read 40-some-odd digits down the phone (that route still exists via slui 4 if you're stuck without a key), so if you're lucky enough to move to Windows 8.1 (which adds real pass-the-hash mitigations, even if it doesn't make PtH go away) here's how to activate IF you have a product key handy (Thanks, MSDN Subscription!)

1. Copy your product key to the clipboard

2. Right click on the Windows 8.1 Start Thingy and choose Run


3. Now type "slui 3" and hit Enter. This launches the Windows Activation Client (slui.exe), and the argument 3 tells it to open the "Enter a product key" dialog rather than the general activation screen.


4. You should see the below, where you'll paste your Win 8.1 key and hit close .. no need to wait for the spinning "I'm working on something" circle gif that will load. 

5. That's it! Enjoy not being harassed every week about your activation key. YOU'RE WELCOME.