"True knowledge exists in knowing that you know nothing." - Socrates, CISO of Antioch<br />
<br />
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: 21.3333339691162px;">PuTTY Tutorial</span></b><br />
Published 2015-08-26<br />
<br />
Some of the step-by-step tutorials within <a href="https://www.packtpub.com/networking-and-servers/solarwinds-server-application-monitor-deployment-and-administration/" target="_blank">SolarWinds Server & Application Monitor: Deployment and Administration</a> make use of PuTTY, a handy open source SSH and telnet client. It is mentioned early on in the book that a PuTTY tutorial is outside of its scope. This article is intended to help bridge that gap, and provide some detail and tutorials on how to use PuTTY, for people new to the application.<br />
<br />
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: 21.3333339691162px;">What is PuTTY?</span></b><br />
<blockquote class="tr_bq" style="float: left;">
put·ty<br />ˈpədē/<br /><i>noun</i><br />
a soft, malleable, grayish-yellow paste, made from whiting and raw linseed oil, that hardens after a few hours and is used chiefly for sealing glass panes in wooden window frames.</blockquote>
<br />
<br />
<br />
No... that is not PuTTY; it is not a grayish-yellow paste. PuTTY is <b><i>free</i></b>, easy to use, and lets you connect to anything that accepts SSH, Telnet, Rlogin, or serial connections. You can use it to connect to most, if not all, of your networking gear, such as firewalls, routers, switches, and wireless access points. That also includes operating systems such as Linux, Mac, iOS, and Android.<br />
<br />
Microsoft recently announced (June 2015) that the PowerShell team is working to create a way to use PowerShell with SSH. This is very good news for Windows shops, but in coming years we may start to see that PuTTY is no longer the de facto standard for these Windows shops.<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 16pt;"><b>Downloading PuTTY</b></span><br />
As mentioned above, PuTTY is free; you can download it here:<br />
<a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html" target="_blank">http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html</a><br />
<br />
If you aren't sure which version to grab, for ease of use and sake of demonstration, just choose <i>putty&lt;version&gt;-installer.exe</i>.<br />
<br />
Feeling generous? Need good karma? Donate to the PuTTY team of volunteers:<br />
<a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-donations" target="_blank">http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#faq-donations</a><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 16pt;"><b>Installing PuTTY</b></span><br />
After downloading, you will of course need to launch the installation package.<br />
<ol>
<li>Browse to your download location and launch <i>putty&lt;version&gt;-installer.exe</i>.</li>
<li>If you get a <b>User Account Control</b> prompt then select <b>Yes</b>.</li>
<li>Select your preferred installation location.</li>
<li>Leave the default selections and click <b>Next</b> a few times then <b>Finish</b>.</li>
</ol>
You can now find PuTTY in your Start Menu; I generally pin it to the desktop or taskbar.<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 16pt;"><b>Using PuTTY</b></span><br />
Launch PuTTY by selecting it from your Start Menu, or by the desktop shortcut which you created.<br />
<br />
After launching it you will be taken to the <i>Session</i> category. This is the default landing page, where you will spend most of your time. The first impression may be a little overwhelming, as there are a number of different items to choose from within the <i>Category</i> pane to the left.<br />
<br />
In most cases, all that you will need to do is leave everything alone, type the Host Name or IP of a device or server, and click the <i>Open</i> button. This usually works because SSH is selected by default and points at its default port of 22. It will not work for every device or server, as there are a number of different possibilities; for example, a device may be listening for SSH on a port other than 22.<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt;"><b>Logging</b></span><br />
Covering logging first may feel a bit like putting the cart before the horse, but there is a reason for it. Understanding that PuTTY can and will log all of your Command Line Interface (CLI) output is very beneficial, and it can save you time and money down the road. For example, you may eventually use vendor-provided professional services to assist in the deployment and/or configuration of a device. If you ask them beforehand to log their PuTTY output and send it to you afterwards, that log becomes an excellent reference later on. Likewise, you may make a change to a server or device and months later forget how you did it or what you did. Bear in mind that a session log captures everything the session displays, including device configurations and any secrets they echo, so protect the log directory as carefully as you would the devices' own configuration backups.<br />
<br />
The <i>Logging</i> category settings can be found under <i>Session</i> → <i>Logging</i>. From here you can choose where the log files will be stored; by default they are stored in the PuTTY installation directory.<br />
<br />
Rather than listing what each option does, I will explain what works the best for me:<br />
<ol>
<li>Select <i>Logging</i> by selecting <b>Session</b> → <b>Logging</b> from the <i>Category</i> pane.</li>
<li>Ensure <b>All session output</b> is selected.</li>
<li>Ensure <b>Always append to the end of it</b> is selected.</li>
<li>Leave the additional options as default.</li>
<li>Change the default <span style="font-family: Courier New, Courier, monospace;">putty.log</span> file name to <span style="font-family: Courier New, Courier, monospace;">putty-&h-&y&m&d-&t.log</span>.</li>
<ul>
<li>This inserts the host name you are connecting to, the date (year, month, day), and the time into the log file name, so every host and every session gets its own file.</li>
</ul>
<li>Select <b>Session</b> from the <i>Category</i> pane.</li>
<li>Select <b>Default Settings</b> from <i>Saved Sessions</i>.</li>
<li>Click the <b>Save</b> button to the right.</li>
</ol>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja1CHOkcPeA5215BPW2odF26muHtkVmudzcYWsrkoWQZwsekZgxdycD4TjKw_YgcgLI59xXJUczyJiA9inLzclDKMC3S6ZJJo6zV0y9Ry_iMRjQ_eCyKBCnI2sZpxjlM_IiD67mkNdyVNC/s1600/PuTTY_02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja1CHOkcPeA5215BPW2odF26muHtkVmudzcYWsrkoWQZwsekZgxdycD4TjKw_YgcgLI59xXJUczyJiA9inLzclDKMC3S6ZJJo6zV0y9Ry_iMRjQ_eCyKBCnI2sZpxjlM_IiD67mkNdyVNC/s320/PuTTY_02.jpg" width="320" /></a></div>
<div>
You can adjust the procedure to whatever suits your needs; the point is that it is best to configure, or at least be aware of, logging before you start diving into managing devices and servers with PuTTY.</div>
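To show what the <span style="font-family: Courier New, Courier, monospace;">putty-&h-&y&m&d-&t.log</span> template above turns into, here is an added example (my own code, not PuTTY's) that re-implements the substitutions PuTTY documents for the "Log file name" field: &Y year, &M month, &D day, &T time as HHMMSS, &H host name, &P port, and && for a literal ampersand; the letters are accepted in either case, which is what the lower-case template relies on. The host name and timestamp are assumed to be supplied by the caller rather than read from a live session, and the safe_file_name helper is my own addition for host names containing characters Windows does not allow in file names.<br />

```python
"""Expand a PuTTY-style log file name template (added example, not PuTTY code)."""
from datetime import datetime
from typing import Union

# The template from the post: host, then year-month-day, then time.
TEMPLATE = "putty-&h-&y&m&d-&t.log"


def expand_log_name(template: str, host: str, port: int,
                    when: Union[datetime, str, None] = None) -> str:
    """Replace the &-codes in `template`. Codes are case-insensitive; an
    unknown code is left as written (the '&' is kept and the next character
    is processed normally). `when` may be a datetime, an ISO 8601 string,
    or None for "now"."""
    if when is None:
        when = datetime.now()
    elif isinstance(when, str):
        when = datetime.fromisoformat(when)
    subs = {
        "Y": f"{when.year:04d}",
        "M": f"{when.month:02d}",
        "D": f"{when.day:02d}",
        "T": when.strftime("%H%M%S"),
        "H": host,
        "P": str(port),
        "&": "&",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "&" and i + 1 < len(template):
            code = template[i + 1].upper()
            if code in subs:
                out.append(subs[code])
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def safe_file_name(name: str) -> str:
    """Assumed hardening, not PuTTY behaviour: host names typed into PuTTY can
    contain characters Windows rejects in file names (':' from a host:port
    style entry, '/' from a pasted URL); replace them so the log is created."""
    bad = '<>:"/\\|?*'
    return "".join("_" if c in bad else c for c in name)


if __name__ == "__main__":
    # Constructed sample: the FortiGate session from this post on 26 Aug 2015, 22:58:00.
    name = expand_log_name(TEMPLATE, "192.168.1.99", 22, "2015-08-26T22:58:00")
    print(safe_file_name(name))
```

Run it as-is and the sample prints the file name PuTTY would create for that session; pass your own host and port to see how the template behaves for other connections.<br />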
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt;"><b>Saved Sessions</b></span><br />
As mentioned above, when launching PuTTY you are taken to the <i>Session</i> category. Towards the bottom right you will find <i>Saved Sessions</i>. These are essentially bookmarks which you can use to quickly connect to a device or server without remembering its Host Name or IP.<br />
<br />
To begin with, you will only have a <i>Default Settings</i> saved session. If you make any changes to the categories, such as <i>Window Appearance</i> or <i>Logging</i>, and wish to retain the setting after restart, then make sure to go back to <i>Session</i>, select <i>Default Settings</i>, and click the <i>Save</i> button to the right. Likewise, if you create a custom <i>Saved Session</i>, and have loaded it by clicking the <i>Load</i> button, then make sure to select it, and then click the <i>Save</i> button after making any changes.<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt;"><b>Create a PuTTY Saved Session for an SSH connection</b></span><br />
As an example I will create a <i>Saved Session</i> to use for connecting to my FortiGate 60D firewall via SSH.<br />
<ol>
<li>Launch <b>PuTTY</b>.</li>
<li>Enter <span style="font-family: Courier New, Courier, monospace;">FortiGate 60D</span> in the field below <b>Saved Sessions</b>.</li>
<li>Enter <span style="font-family: Courier New, Courier, monospace;">192.168.1.99</span> in the field below <b>Host Name (or IP address)</b>.</li>
<li>Leave port 22 as is, since this is how the device is configured.</li>
<li>Click the <b>Save</b> button to the right of your <i>Saved Sessions</i>.</li>
<ul>
<li>Notice that the name FortiGate 60D still appears in the text field. This indicates that it is the currently loaded <i>Saved Session</i>.</li>
</ul>
</ol>
You will now see the new <i>Saved Session</i> appear below <i>Default Settings</i>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7TMg0GDQ2cChtL_NFo6uRWU54xqwgfddGSXE62pP1omwtbI6DhK01dnB234ii6jc_2y9Dov_DB_K8wUi7seZObMein-WdV4jSeJf7Qp3u3apscVizb3qbpt737sqUFOeudb_gyLtBiKso/s1600/PuTTY_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7TMg0GDQ2cChtL_NFo6uRWU54xqwgfddGSXE62pP1omwtbI6DhK01dnB234ii6jc_2y9Dov_DB_K8wUi7seZObMein-WdV4jSeJf7Qp3u3apscVizb3qbpt737sqUFOeudb_gyLtBiKso/s320/PuTTY_01.jpg" width="320" /></a></div>
<br />
This creates a quick way to connect to the device or server: simply <b>double-click</b> the <i>Saved Session</i>, or select it and click the <b>Open</b> button.<br />
<b style="font-family: Arial, Helvetica, sans-serif; font-size: 16pt;">Summary</b><br />
I hope some of this has been useful for you, and I appreciate you taking the time to read it. The tutorials and information provided are intended to be a high-level overview of PuTTY. If you have any questions regarding what was covered, or about anything which was not covered, then please leave a comment below and I will gladly update the post.<br />
<br />
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: 21.3333339691162px;">SNMP Security Considerations</span></b><br />
Published 2015-08-21<br />
<br />
In <i>Chapter 1</i> of <a href="https://www.packtpub.com/networking-and-servers/solarwinds-server-application-monitor-deployment-and-administration/" target="_blank"> SolarWinds Server & Application Monitor: Deployment and Administration</a> you will find a number of different tutorials on how to configure SNMP on your physical and virtual infrastructure. The intent of the book is to get SolarWinds up and running quickly with minimal hassle. As such, all procedures and examples reference SNMPv2c read-only community strings. As mentioned in the book, this post is an extension of <i>Chapter 1, Deployment Strategy</i>, to highlight some SNMP security considerations and best practices.<br />
<br />
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: 21.3333339691162px;">Community String Common Mistakes</span></b><br />
More often than not, community strings are pre-configured on network devices with the following:<br />
read-only: <span style="font-family: Courier New, Courier, monospace;">public</span><br />
read-write: <span style="font-family: Courier New, Courier, monospace;">private</span><br />
<ul>
<li>There is a significant security risk in leaving them as <span style="font-family: Courier New, Courier, monospace;">public</span> and/or <span style="font-family: Courier New, Courier, monospace;">private</span>. Change both of the default community strings to something secure.</li>
<li>Assign complex and secure community strings. Treat community strings as you would passwords assigned to highly privileged accounts, such as Domain Admin accounts.</li>
<li>Do not remove a community string and leave it blank. One might assume that this disables read-write access, for example, but that is not accurate.</li>
</ul>
In 2000 the SANS (SysAdmin, Audit, Networking, and Security) Institute listed this common mistake in its top 10 critical security threats, meaning this has been a problem for a long time. It is astonishing how many organizations still have <span style="font-family: Courier New, Courier, monospace;">public</span> and <span style="font-family: Courier New, Courier, monospace;">private</span> set on a number of devices.<br />
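A quick way to catch the mistakes above before a device goes into production is to audit the running configuration for them. The following is an added example (my own code, not SolarWinds'): it reads Cisco IOS-style <span style="font-family: Courier New, Courier, monospace;">snmp-server community &lt;string&gt; [RO|RW] [access-list]</span> lines from a constructed sample config and reports default strings, a blanked string, weak strings, and read-write communities with no access list. The config text, the IOS syntax, and the MIN_LENGTH policy value are assumptions; the line with no string at all is an assumed stand-in for a device on which the community field was simply emptied.<br />

```python
"""Audit SNMP community strings in a device configuration dump (added example)."""
import re
from typing import List, Optional, Tuple

DEFAULT_STRINGS = {"public", "private"}
MIN_LENGTH = 20   # assumed policy: treat it like a privileged-account password

# Constructed sample config; findings refer to these line numbers.
SAMPLE_CONFIG = """\
hostname core-sw1
snmp-server community public RO
snmp-server community private RW
snmp-server community RW
snmp-server community Xk7$vQ2m!pR9wL4zN8bT RW 10
snmp-server community Xk7$vQ2m!pR9wL4zN8bT RW
snmp-server community monitor RO 20
"""


def parse_line(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (community, mode, acl) for an snmp-server community line, else None.
    If the first argument is already RO/RW the community string is empty."""
    parts = line.split()
    if len(parts) < 2 or [p.lower() for p in parts[:2]] != ["snmp-server", "community"]:
        return None
    rest = parts[2:]
    community = ""
    if rest and rest[0].upper() not in ("RO", "RW"):
        community = rest.pop(0)
    # IOS defaults to read-only when no mode keyword is given.
    mode = rest.pop(0).upper() if rest and rest[0].upper() in ("RO", "RW") else "RO"
    acl = rest[0] if rest else None
    return community, mode, acl


def is_weak(s: str) -> bool:
    """Too short, or built from fewer than three character classes."""
    if len(s) < MIN_LENGTH:
        return True
    classes = sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes < 3


def audit_config(config: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs; an empty list means nothing to fix."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(config.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        community, mode, acl = parsed
        if not community:
            findings.append((n, "blank community string: this does not disable access; "
                                "remove the line or set a strong string"))
        elif community.lower() in DEFAULT_STRINGS:
            findings.append((n, f"default community string '{community}' ({mode})"))
        elif is_weak(community):
            findings.append((n, f"weak community string ({mode}): use at least "
                                f"{MIN_LENGTH} characters from three classes"))
        if community and mode == "RW" and acl is None:
            findings.append((n, "read-write community with no access list restricting who may use it"))
    return findings


if __name__ == "__main__":
    for n, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {finding}")
```

Point it at a saved <span style="font-family: Courier New, Courier, monospace;">show running-config</span> instead of SAMPLE_CONFIG and it becomes a cheap pre-deployment check; the same idea carries over to other vendors once the line parser is adjusted to their syntax.<br />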
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 16pt;"><b>Version Breakdown</b></span><br />
Presently, there are three SNMP versions: SNMPv1, SNMPv2c, and SNMPv3. Which version should you use? The short answer: use SNMPv3 unless you absolutely have to use SNMPv2c, and just don't use SNMPv1. Keep reading for the reasoning behind this.<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt;"><b>SNMPv1</b></span><br />
Introduced in 1998. Do you still use Windows 98? No. So don't use SNMPv1. :)<br />
<ul>
<li>Pros:</li>
<ul>
<li>Easy to configure via community string based authentication.</li>
<li>Compatible with legacy devices.</li>
</ul>
<li>Cons:</li>
<ul>
<li>Plain text password (i.e. the community string) with no encryption, meaning anyone with a simple packet sniffer on the path can read it and go on to cause some of the subsequent cons.</li>
<li>Exposure of your internal network topology.</li>
<li>Unauthorized modification of system configuration data.</li>
<li>Manipulation of access control lists (ACL).</li>
<li>Denial-of-Service (DoS) attack vulnerability.</li>
<li>Format string attack vulnerability.</li>
<li>Buffer overflow attack vulnerability.</li>
<li>32-bit counters.</li>
</ul>
</ul>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt;"><b>SNMPv2c</b></span><br />
SNMPv2c is one of three SNMPv2 variants, the other two being SNMPv2 and SNMPv2u. SNMPv2c is the only one listed in this <i>version breakdown</i>, as the other two were not widely adopted. Well... not adopted at all, really, because their complexity (in the security model) unfortunately, and unwisely, outweighed usability. SolarWinds uses SNMPv2c unless you explicitly choose SNMPv1 (let's not do that) or SNMPv3 (a much better idea).<br />
<ul>
<li>Pros:</li>
<ul>
<li>Easy to configure via community string based authentication.</li>
<li>Widely compatible and adoptable.</li>
<li>Obviously, some improvements over SNMPv1: different message formats, a couple of new commands (actually a con, as you will see below), and 64-bit counters.</li>
</ul>
<li>Cons:</li>
<ul>
<li>Plain text, SNMPv1-style community string authentication, with no encryption.</li>
<li>All of the SNMPv1 security-related cons...</li>
<li>The new <span style="font-family: Courier New, Courier, monospace;">get-bulk-request</span> command allows an intruder to grab an entire MIB OID subtree in a single request, and because that large response to a small request can be aimed at a spoofed source address, it introduces the risk of a Distributed Reflective Denial of Service (DRDoS) attack.</li>
</ul>
</ul>
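The "plain text community string" con for SNMPv1 and SNMPv2c is easy to see once you look at the bytes. Here is an added example (my own code, not SolarWinds' or Net-SNMP's) that reads the version and community string straight out of a raw SNMP message: both are plain BER fields at the front of every v1/v2c datagram, which is why a sniffer, or a monitoring sensor, can read them. The sample packets are constructed in the script with a minimal BER encoder; on a real network the bytes would be the UDP/161 payload from a capture, which the parser is assumed to receive as <span style="font-family: Courier New, Courier, monospace;">bytes</span>. The sensor-style check at the end flags messages that still use the default strings.<br />

```python
"""Decode SNMP v1/v2c message headers and flag default community strings (added example)."""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal BER encoder (short-form length only), enough for sample data."""
    if len(body) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(body)]) + body


def build_get_request(community: str, version: int = 1) -> bytes:
    """Constructed GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0); version 0 = v1, 1 = v2c."""
    oid = _tlv(0x06, bytes.fromhex("2b06010201010100"))
    varbind = _tlv(0x30, oid + _tlv(0x05, b""))              # OID + NULL value
    pdu = _tlv(0xA0,                                           # context tag 0 = GetRequest-PDU
               _tlv(0x02, b"\x2a")                             # request-id 42
               + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")     # error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at `pos`; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long form: count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SnmpHeader:
    version: int
    community: Optional[str]    # None for SNMPv3, which carries no community string


def parse_header(payload: bytes) -> SnmpHeader:
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data ... }"""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version field missing")
    version = int.from_bytes(ver, "big")
    if version == 3:                                           # v3: msgGlobalData SEQUENCE follows instead
        return SnmpHeader(version, None)
    tag, comm, _ = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community field missing")
    return SnmpHeader(version, comm.decode("latin-1"))


def flag_default_communities(payloads: List[bytes]) -> List[str]:
    """Sensor-style check: one finding per v1/v2c message that uses a default community."""
    findings = []
    for p in payloads:
        h = parse_header(p)
        if h.community is not None and h.community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{VERSION_NAMES.get(h.version, h.version)} with default community '{h.community}'")
    return findings


if __name__ == "__main__":
    pkt = build_get_request("public")
    print(pkt.hex())                     # the community string is readable in the dump
    print(parse_header(pkt))
    print(flag_default_communities([pkt, build_get_request("private", 0),
                                    build_get_request("Xk7vQ2mpR9wL4zN8bT")]))
```

Wireshark shows the same two fields for every v1/v2c packet, which is the whole point: the only thing standing between a sniffer and read (or read-write) access is the string itself. For SNMPv3 the function returns no community at all, because the message format carries none.<br />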
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt;"><b>SNMPv3</b></span><br />
In this corner we finally have <i>some</i> security, weighing in at decent. SNMPv3 shares the same fundamental architecture as SNMPv1 and SNMPv2c. Note, I have a pending blog post to provide a guide for configuring SNMPv3 on a few different platforms.</div>
<div>
<ul>
<li>Pros:</li>
<ul>
<li>User-based Security Model (USM).</li>
<ul>
<li>Hash-based message authentication (HMAC) using the message digest algorithm (MD5) or the Secure Hash Algorithm (SHA-1), mitigating the risk involved with plain text community string authentication.</li>
<li>Encryption with Data Encryption Standard in Cipher Block Chaining mode (DES-CBC).</li>
</ul>
<li>Some enhanced functional improvements over SNMPv2c in regards to the administrative framework.</li>
</ul>
<li>Cons:</li>
<ul>
<li>More complicated to configure and maintain, adding some administrative effort.</li>
<li>Only "weighing in at decent" security because:</li>
<ul>
<li>DES is susceptible to brute force attacks.</li>
<li>No form of key management for the DES symmetric secret keys.</li>
<li>Debatable man-in-the-middle (MITM) attack vulnerability, mitigated by strong passwords.</li>
</ul>
<li>Minor performance reduction when compared to earlier versions.</li>
</ul>
</ul>
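The "no form of key management" and "mitigated by strong passwords" points above both come from how SNMPv3's User-based Security Model derives its keys. The following added example (my own code, not Net-SNMP's or SolarWinds') implements the RFC 3414 derivation: the passphrase is repeated out to 1 MiB and hashed with MD5 or SHA-1 to give Ku, and Ku is then localized to the agent's snmpEngineID. The passphrase and engineID used are the RFC 3414 Appendix A test vectors, so the output can be checked against the RFC; nothing else is assumed.<br />

```python
"""RFC 3414 USM key derivation: passphrase -> Ku -> key localized to one engineID (added example)."""
import hashlib

ONE_MIB = 1024 * 1024   # RFC 3414 A.2 expands the passphrase to exactly 1,048,576 octets


def password_to_key(password: str, algorithm: str = "md5") -> bytes:
    """Ku: hash of the passphrase repeated out to exactly 1 MiB. The expansion
    is the RFC's (modest) work factor; nothing else goes in, so the key is
    only as strong as the passphrase."""
    pw = password.encode()
    reps, rem = divmod(ONE_MIB, len(pw))
    return hashlib.new(algorithm, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The localized key is specific to one
    agent, so a key lifted from one device's configuration does not work
    against another with a different engineID; the passphrase itself, of
    course, still works everywhere it was used."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_auth_key(password: str, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Convenience wrapper: passphrase + engineID -> localized authentication key."""
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


if __name__ == "__main__":
    # RFC 3414 Appendix A.3 test vector: passphrase "maplesyrup", engineID of twelve octets ending in 0x02.
    engine_id = bytes.fromhex("000000000000000000000002")
    for alg in ("md5", "sha1"):
        print(alg, usm_auth_key("maplesyrup", engine_id, alg).hex())
```

The MD5 and SHA-1 results match RFC 3414 sections A.3.1 and A.3.2. The privacy key is produced by the same derivation (DES-CBC takes the first 8 octets of the 16-octet localized key as its key and the remaining 8 as the pre-IV), which is why the strength of the passphrase is the only knob you really have in SNMPv3: there is no rotation or exchange protocol, just this deterministic function of passphrase and engineID.<br />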
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 16pt;"><b>Summary</b></span>
</div>
<div>
Do not let the cons of SNMPv3 deter you. It is still vastly more secure than SNMPv1 and SNMPv2c. That said, if you're ambitious and want to kick it up a notch, then you may want to check out <a href="http://www.net-snmp.org/" target="_blank">Net-SNMP</a>.</div>
<br />
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: 21.3333339691162px;">How To Create An Unprivileged WMI Service Account</span></b><br />
Published 2014-01-23<br />
<br />
In <i>Chapter 1</i> of <a href="https://www.packtpub.com/networking-and-servers/solarwinds-server-application-monitor-deployment-and-administration/" target="_blank"> SolarWinds Server & Application Monitor: Deployment and Administration</a> you will find a step-by-step guide on how to create an Active Directory service account for WMI polling purposes. The tutorial instructs you to create the account with Domain Admin privileges. This is useful to get things up and running, for testing purposes, and for troubleshooting. That said, as stated in the book, once you roll things into production it is not a recommended security practice.<br />
<br />
The technical staff over at SolarWinds were nice enough to write a detailed KB article on how to create what I like to call an Unprivileged WMI Service Account.<br />
<br />
You can find the KB article here:<br />
<a href="http://knowledgebase.solarwinds.com/kb/questions/3304/How+to+create+a+non-administrator+user+for+SAM+polling." target="_blank"><span style="font-size: x-small;">http://knowledgebase.solarwinds.com/kb/questions/3304/How+to+create+a+non-administrator+user+for+SAM+polling.</span></a>