Monday, November 22, 2010

Security Onion: SSH Keys

Security Onion is remastered using Remastersys. As part of the remastering process, Remastersys removes the SSH host keys. The end result is that, even though the SSH daemon is running, it will not accept any connections.

To generate SSH host keys, use the ssh-keygen command as follows:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''

The SSH daemon will then accept connections normally.

The next version of Security Onion will include SSH host key generation in its Setup script. 
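A check for this condition, as an added example that is not part of the original post: the script below audits a host-key directory for the rsa and dsa pairs generated above, flags private keys that are readable by anyone but root, and creates whatever is missing with the same ssh-keygen flags. The directory argument and the KEY_TYPES variable are assumptions; on a live system it is run as root against /etc/ssh.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd host-key
# directory (the argument; /etc/ssh on a real system) for the pairs the post
# generates and create any that are missing with the post's ssh-keygen flags.
# KEY_TYPES is an assumed knob defaulting to the post's rsa/dsa list; current
# OpenSSH no longer generates DSA keys, so on a modern host use "rsa ed25519".
KEY_TYPES="${KEY_TYPES:-rsa dsa}"
# Print each key type whose private key or its .pub file is absent or empty.
# Any output means sshd has no usable host keys, the state the post describes.
missing_host_keys() {
    dir="$1"
    for t in $KEY_TYPES; do
        priv="$dir/ssh_host_${t}_key"
        if [ ! -s "$priv" ] || [ ! -s "$priv.pub" ]; then
            printf '%s\n' "$t"
        fi
    done
}

# Print each private host key readable or writable by group or other; host
# private keys belong to root with mode 0600, since a copy lets another machine pose as this server.
insecure_host_keys() {
    dir="$1"
    for t in $KEY_TYPES; do
        priv="$dir/ssh_host_${t}_key"
        # columns 5-10 of "ls -l" output are the group and other permission bits
        if [ -f "$priv" ] && [ "$(ls -ld "$priv" | cut -c5-10)" != "------" ]; then
            printf '%s\n' "$priv"
        fi
    done
}

# Generate the missing pairs with no passphrase (-N ''), as in the post. A
# half-present pair is removed first; ssh-keygen would otherwise stop to ask before overwriting.
ensure_host_keys() {
    dir="$1"
    for t in $(missing_host_keys "$dir"); do
        priv="$dir/ssh_host_${t}_key"
        rm -f "$priv" "$priv.pub"
        ssh-keygen -t "$t" -f "$priv" -N '' || return 1
    done
    for f in $(insecure_host_keys "$dir"); do
        chmod 600 "$f"
    done
}
# Usage (as root): sh check_host_keys.sh /etc/ssh
if [ $# -gt 0 ]; then
    ensure_host_keys "$1"
fi
```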

Sunday, November 21, 2010

Security Onion: Update Manager Breaks Sguil

Sguil relies on older versions of the tcl/tk packages, so upgrading to newer versions will break Sguil. I was aware of this potential issue and used the following command to put the packages on hold to try to prevent them from being upgraded.

aptitude hold itcl3 itk3 iwidgets4 tcl8.3 tclx8.3 tclsh

This seems to work in preventing aptitude from upgrading those packages, but it doesn't prevent Update Manager from upgrading them. To prevent this, you can do the following.

aptitude -y install wajig
wajig hold itcl3 itk3 iwidgets4 tcl8.3 tclx8.3 tclsh

If you've already run Update Manager and Sguil is currently broken, do the following to revert to the required versions.

aptitude remove tcl8.5 itcl3 tk8.5 itk3 iwidgets4
wget http://mirrors.kernel.org/ubuntu/pool/universe/i/itcl3/itk3_3.2.1-3.1_i386.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/i/itcl3/itcl3_3.2.1-3.1_i386.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/t/tclx8.3/tclx8.3_8.3.5-6_i386.deb
dpkg -i *.deb
aptitude -y install iwidgets4

If all went well, Sguil should launch correctly with no errors and Update Manager should be prevented from breaking Sguil again.

This will be fixed in the next version of Security Onion.

Monday, November 15, 2010

SANS 401 Security Essentials mentored by Doug Burks in Augusta GA

I'll be mentoring SANS 401 Security Essentials in Augusta, GA on Thursday nights starting March 3, 2011. ISSA members are eligible for a 25% discount!

Why should you take SANS 401 Security Essentials?

* Considering the SANS Cyber Guardian program, SANS GSE (GIAC Security Expert) certification, or a Masters degree from the SANS Technical Institute? SANS 401 Security Essentials is required for each of these.

* Complement your CISSP. If you've already taken the CISSP, SANS 401 Security Essentials is the perfect technical complement. It takes all the theory that you learned at a high level for the CISSP and applies it in a very practical and updated manner. SANS 401 is "where the rubber meets the road".

* Are you a Systems Administrator or Network Engineer who would like to learn more about security? This course gives a very thorough overview of security theory and practice. Additionally, the tools and techniques that you learn in this class are directly applicable to your current job (and will prepare you for the future).

* Augment your Windows/Linux skills. Highly experienced with Windows, but not so much with Linux? Or the other way around? SANS 401 Security Essentials dedicates an entire section to Windows security and another entire section to Linux security.

These are just a few reasons to register for SANS 401 Security Essentials. For more information, please see:

SANS 401 Security Essentials mentored by Doug Burks in Augusta GA

Don't forget that ISSA members are eligible for a 25% discount! If you would like to register for the ISSA and/or SANS 401, please let me know and I'll be glad to help!

Wednesday, November 3, 2010

Security Onion: Intrusion Detection for your Network in Minutes

Thanks to all those who came out to the Security Onion presentation! For those who were unable to attend, I've made the slides available here:
https://docs.google.com/present/edit?id=0ATQ65xrcMwNEZGZxMmp0ZnNfMTNnc3JzanpkYw&hl=en
Please let me know if you have any questions or problems. I welcome any and all feedback!