download 9.9.8 and 9.10.3

https://bkraft.fr/blog/bind_9_10_3_and_bind_9_9_8/

http://olex.openlogic.com/packages/bind/9.10.2#package_detail_tabs

Linux Upgrade DNS.....dirty hand

https://forum.directadmin.com/showthread.php?t=46055

For people with CentOS 5 or 6 + DA it is easy to update.

Check if the bind rpm is installed:

Code:

rpm -qv bind

Check if the version is the same:

Code:

named -v

If it is (which is in most cases) you can safely use yum to update the package:

Code:

yum clean all

yum update bind

If it returns no errors, check again to see it's version:

Code:

named -v

or

https://www.godaddy.com/help/update-bind-on-your-linux-dedicatedvirtual-dedicated-server-4690

1. Connect to your server via SSH (more info).
2. Switch to the root user (more info).
3. Type cp /etc/sysconfig/named /etc/sysconfig/named.bak
4. Type yum clean all.
5. Type yum update bind

If not start up

cd /etc/init.d
mv named named.backup
wget -O named http://www.directadmin.com/named
chmod 755 named
/sbin/chkconfig named reset

Nessus Console command update

2015-10-12 3:26 AM EDT by Tenable Support

Hello Albert, Thanks for reply,If nessus scanner has access to Tenable plugin server,could you please execute below command on scanner command terminal and let me know if this help get plugin updated. On nessus scanner open and run command prompt as Administrator C:\Program Files\Tenable\Nessus\nessuscli update --all C:\Program Files\Tenable\Nessus\nessusd -R Once done clear web browser cache and login to Nessus UI.

Linux Upgrade OPENSSL

http://www.cyberciti.biz/faq/howto-openssl-security-update-cve20150291-cve20150204-cve20150290-cve20150207-cve20150286/

How To Patch and Protect OpenSSL Vulnerability # CVE-2015-0291 CVE-2015-0204 [ 19/March/2015 ]

How to find openssl version on a Linux?

The syntax is as follows:

Find openssl version on a CentOS/RHEL/SL/Fedora Linux

openssl version
## or ##
sudo yum list installed openssl

## how do I find out my distro version? ##
lsb_release -a
## or use ## 
cat /etc/*-release



CentOS/RHEL/Fedora Linux

Type the following yum command to patch openssl as root user to patch openssl:
sudo yum clean all

To install the updates, use the yum command as follows:
sudo yum update

To only update the OpenSSL package and its dependencies, use the following yum command:
sudo yum update openssl


Sample outputs:
Loaded plugins: auto-update-debuginfo, protectbase, rhnplugin, security
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Update Process
epel-debuginfo/metalink                                  |  13 kB     00:00
rhel-x86_64-server-6                                     | 1.5 kB     00:00
rhel-x86_64-server-6/primary                             |  21 MB     00:05
rhel-x86_64-server-6                                                14680/14680
rhel-x86_64-server-6-debuginfo                           | 1.3 kB     00:00
rhel-x86_64-server-6-debuginfo/primary                   | 1.1 MB     00:00
rhel-x86_64-server-6-debuginfo                                        5939/5939
rhel-x86_64-server-optional-6                            | 1.5 kB     00:00
rhel-x86_64-server-optional-6/primary                    | 2.0 MB     00:00
rhel-x86_64-server-optional-6                                         8239/8239
rhel-x86_64-server-optional-6-debuginfo                  | 1.3 kB     00:00
rhel-x86_64-server-optional-6-debuginfo/primary          | 681 kB     00:00
rhel-x86_64-server-optional-6-debuginfo                               3571/3571
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-30.el6_6.5 will be updated
--> Processing Dependency: openssl = 1.0.1e-30.el6_6.5 for package: openssl-devel-1.0.1e-30.el6_6.5.x86_64
---> Package openssl.x86_64 0:1.0.1e-30.el6_6.7 will be an update
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.5 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.7 will be an update
--> Finished Dependency Resolution
 
Dependencies Resolved
 
================================================================================
 Package          Arch      Version               Repository               Size
================================================================================
Updating:
 openssl          x86_64    1.0.1e-30.el6_6.7     rhel-x86_64-server-6    1.5 M
Updating for dependencies:
 openssl-devel    x86_64    1.0.1e-30.el6_6.7     rhel-x86_64-server-6    1.2 M
 
Transaction Summary
================================================================================
Upgrade       2 Package(s)
 
Total download size: 2.7 M
Is this ok [y/N]: n
Exiting on user Command
[root@txvip1 ~]#
[root@txvip1 ~]# yum update openssl
Loaded plugins: auto-update-debuginfo, protectbase, rhnplugin, security
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Update Process
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-30.el6_6.5 will be updated
--> Processing Dependency: openssl = 1.0.1e-30.el6_6.5 for package: openssl-devel-1.0.1e-30.el6_6.5.x86_64
---> Package openssl.x86_64 0:1.0.1e-30.el6_6.7 will be an update
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.5 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6_6.7 will be an update
--> Finished Dependency Resolution
 
Dependencies Resolved
 
============================================================================================
 Package             Arch         Version                  Repository                  Size
============================================================================================
Updating:
 openssl             x86_64       1.0.1e-30.el6_6.7        rhel-x86_64-server-6       1.5 M
Updating for dependencies:
 openssl-devel       x86_64       1.0.1e-30.el6_6.7        rhel-x86_64-server-6       1.2 M
 
Transaction Summary
============================================================================================
Upgrade       2 Package(s)
 
Total download size: 2.7 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): openssl-1.0.1e-30.el6_6.7.x86_64.rpm                          | 1.5 MB     00:00
(2/2): openssl-devel-1.0.1e-30.el6_6.7.x86_64.rpm                    | 1.2 MB     00:00
--------------------------------------------------------------------------------------------
Total                                                       6.4 MB/s | 2.7 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : openssl-1.0.1e-30.el6_6.7.x86_64                                         1/4
  Updating   : openssl-devel-1.0.1e-30.el6_6.7.x86_64                                   2/4
  Cleanup    : openssl-devel-1.0.1e-30.el6_6.5.x86_64                                   3/4
  Cleanup    : openssl-1.0.1e-30.el6_6.5.x86_64                                         4/4
  Verifying  : openssl-1.0.1e-30.el6_6.7.x86_64                                         1/4
  Verifying  : openssl-devel-1.0.1e-30.el6_6.7.x86_64                                   2/4
  Verifying  : openssl-1.0.1e-30.el6_6.5.x86_64                                         3/4
  Verifying  : openssl-devel-1.0.1e-30.el6_6.5.x86_64                                   4/4
 
Updated:
  openssl.x86_64 0:1.0.1e-30.el6_6.7
 
Dependency Updated:
  openssl-devel.x86_64 0:1.0.1e-30.el6_6.7
 
 

Do I need to reboot my server/laptop/computer powered by Linux?

Short answer - yes, you need to reboot your computer/server to make all the necessary changes. Sysadmin should plan on updating as soon as possible or use maintenance reboot window:

sudo reboot

Linux DNS Bind update

https://www.godaddy.com/help/update-bind-on-your-linux-dedicatedvirtual-dedicated-server-4690

UPDATE BIND ON YOUR LINUX DEDICATED/VIRTUAL DEDICATED SERVER

Some of the information in this article is advanced material we make available as a courtesy. Please be advised that you are responsible for properly following the procedures below. Customer Support cannot assist with these topics.

We strongly encourage you to keep the DNS service BIND (Berkeley Internet Name Domain) updated with the latest version on your Dedicated Server.

Note to Red Hat 9 Customers If you are running a Virtual Private Server (VPS) with the Red hat 9 operating system, you will need to either upgrade to a more current operating system or download the source RPM from the BIND website for your version of BIND and compile it on your server.

To Update BIND

1. Connect to your server via SSH (more info).
2. Switch to the root user (more info).
3. Type cp /etc/sysconfig/named /etc/sysconfig/named.bak
4. Type yum clean all.
5. Type yum update bind.

The system will then proceed to update all the needed packages for you automatically.

If you are running Parallels Plesk Panel there are certain packages that can be installed that will interfere with Parallels Plesk Panel's functionality. If you have not already, please add the following line to your /etc/yum.conf to ensure that YUM does not update any packages that may break Parallels Plesk Panel.

exclude=bind-chroot caching-nameserver

Adding this line to the configuration file will prevent yum from ever being able to update these packages. This can cause issues in the future should you want to use yum to update anything listed as an exclude.

If you have never made any changes to your yum.conf file you can use the following procedure to make this update:

1. Connect to your server via SSH (more info).
2. Switch to the root user (more info).
3. Type echo "exclude=bind-chroot caching-nameserver" >> /etc/yum.conf

Once this is complete you can run the yum update statements at the top of the article. If you receive an error similar to the following:

Error: Missing Dependency: bind = 31:9.4.2-3.fc7 is needed by package caching-nameserver

or

Error: Missing Dependency: bind = 31:9.4.2-3.fc7 is needed by package bind-chroot

You may need to remove bind-chroot and/or caching-nameserver from your server prior to upgrading. To do this you can do the following:

1. Connect to your server via SSH (more info).
2. Switch to the root user (more info).
3. Type yum -y remove bind-chroot caching-nameserver.

The removal of these packages can cause adverse effects on your server. You may need to restore the version of /etc/sysconfig/named that you backed up by using the following command:

cp /etc/sysconfig/named.bak /etc/sysconfig/named

This will install the most up to date version of BIND on your server. As the server administrator it will be your responsibility to determine whether or not a version update will cause any conflicts on your server. It is your responsibility to troubleshoot any issues that arise from performing this update.

Fortigate SSL VPN config

Fortigate Movie teach how to configuration the SSL VPN

https://www.youtube.com/watch?v=lqYbNqZSPRA

http://travelingpacket.com/2014/03/21/fortigate-fortios-5-0-6-ssl-vpn-configuration/

The best information available for anything fortinet is always found at docs.fortinet.com. This entry will show the needed steps to create a SSL VPN via the web interface.

Creating the SSL VPN has many working parts that come together to make one of the best Remote access VPNs out there. In this example we are creating a Split tunnel VPN, and enabling Tunnel mode.

The SSL VPN is one of the best features of the device, it has an open license, so you can have as many people connect as the device hardware supports. No crazy licensing for SSL VPN as with Cisco and Sonicwall. You can also utilize the VPN to get select information to users based on their AD security group. For example if you have a business with users traveling all the time, you might have a certain portal for one group of users and have their internal bookmarks and file shares, and completely different portal for office staff users.  Another great benifit is in the protocol itself, SSL is almost never blocked by outbound firewall policies. A lot of companies (hotels, hospitals) and educational institutions block IPSEC from leaving the network which stops your remote access VPN from connecting.

Steps:

1. Create Address object for SSL Subnet and Internal networks

2. Create route for new subnet

3. Create Users/User group for user authentication

4. Config the VPN Portal

5. Config the VPN settings

6. Create the SSL VPN policy, including the projected subnet for Split Tunnel.

7. Create policy to allow traffic from the Lan to SSL, and from SSL to Lan.

1. Create Address object for SSL Subnet and Internal networks

We will create an address object with the Subnet of our SSL VPN clients. I would recommend using a crazy private IP subnet as to not conflict with Home/work local subnets.

Then we need to create another object for our Protected subnet. This is our internal network that we want the remote user to be able to access. If there are multiple subnets it might be better to add an address object group.

2. Create route for new VPN subnet

Since the SSL VPN is a “interface” we will route our subnet across of it. Notice our device is ssl.root, and that removes our needed gateway.

3.  Create Users/User group for user authentication

There are many different ways to configure authentication within the device. You can authenticate VPN users against LDAP, Radius, or local accounts. In this example I am just using local accounts, but using LDAP or Radius is a much better option. You can use just individual users, or groups to authenticate to within the VPN policy. I would go ahead and create a User group so that you can add any local, radius, or ldap users into it in the future.

I am creating a user group call SSL_VPN and in this case its just local. If I wanted to add a LDAP/Radius server to authenticate against, I could just add the remote server. If I wanted to get even more specific and say authenticate against a security group within LDAP I would just modify the remote server portion of the user group to add that.

4. Config the VPN Portal

The portal is the landing page of the SSL VPN. It is a great place to add book marks, shortcuts for RDP, or info for users. For example, we have an internal sharepoint site for users, by placing a link on the portal, users they just have to click and Whola, instant access. This is great because installing the VPN client which allows tunnel mode requires admin access to the PC. If a user is traveling or at a hotel they might not have this access. Other great uses are RDP session, and file shares. Both will launch in a Java applet window and allow you access to RDP/SMB.

We are using the “Full-access” Portal, this is just a name. I added the IP Pool for the clients to get tunnel addresses. You can customize the page to any specification. A note, you can also fully edit your VPN login page to reflect your company logo, etc. You can do this by adding in the feature under system – admin- features and enabling it.

5. Config the VPN settings

The VPN settings consists of the IP pool, Port used, encryption strength, and of course DNS/WINs servers. If you want to push your domain name so that DNS will resolve to this interface, its a CLI command. I will do another entry on it.

6. Create the SSL VPN policy, including the projected subnet for Split Tunnel.

This is where we actually allow access from the internet to our VPN portal. It is also where we specify our Protected subnets, which are the subnets injected into the clients routing table. You can also specify what portal certain users will see. For example, if you had a group of teachers who needed to get to the Teacher portal, and an admins group that needs to have a different portal and ACL to get to all servers.

Notice we select VPN as type, then incoming interface. The Local protected subnets are what we are pushing into the routing table of our client.

Next create an new Authentication policy.

From here select your user group that we created earlier, if you want individual users select those as well. You can also enable UTM if you feel its needed.

Now just save all the settings

7. Create policy to allow traffic from the Lan to SSL, and from SSL to Lan.

For the last step we need to create policies to allow traffic in both directions. By default all traffic is blocked between interfaces int he firewall. The SSL VPN is an interface, so we need to allow traffic to it.

Just create a policy with Source interface being ssl.root, and allow all traffic to your LAN (or however you see is best to secure) and then another policy from LAN to ssl.root.

Thats it! There are some optional configs dealing with Certs on both sides, and much stronger encryption methods.

Notes*

If you have a MPLS, or DMZ interface where you need  VPN clients to access you will have to create another VPN policy going from WAN to – DMZ, or WAN to MPLS and just mirror the WAN-to-lan SSL VPN policy. You will also have to modify the protected subnets with that interfaces network. If anyone has trouble with this feel comment and I will explain better.

On top of that you will need to create more ssl.root to DMZ and DMZ to ssl.root policies to allow access between the interfaces.

About these ads

Share this:

• Twitter
• Facebook
• Google

Fortigate Firewall, Fortigate, SSL VPN, VPN

← Monitoring the Vyatta firewallCisco ASA IPSEC site to site VPN IOS 8.3+ →

Windows backup script for personal in CUSCS

xcopy "d:\CUHK SCS\mailbox\*" n:\2_Albert\pcbk\mailbox

xcopy "d:\CUHK SCS\*" n:\2_Albert\pcbk\ /s /i

xcopy "d:\network\*" n:\2_Albert\SFire\ /s /i


xcopy C:\Users\alberthui\AppData\Roaming\Thunderbird\Profiles\dh0cxcuy.default\Mail\* n:\2_Albert\servermail /s /i

Linux ---Named install centos 6

https://www.digitalocean.com/community/tutorials/how-to-install-the-bind-dns-server-on-centos-6

How To Install the BIND DNS Server on CentOS 6

Preamble

This article will show you how to setup and configure the BIND DNS Server. If you are looking for a guide on how to use DigitalOcean's integrated DNS service, you may want to review the "How to Set Up a Host Name with DigitalOcean" article instead.

Before we begin, it is recommended you have at least two cloud servers to run your nameservers. Two nameservers are suggested to assure your primary and secondary servers are redundant in case of failure. You may want to consider using two different POP's as well. For example, we've used San Francisco 1 and New York 1. For the purpose of this guide, it will be assumed you are configuring both a primary and secondary name server.

It is worth noting that if you are managing a large number of domains this may not be the most viable solution, as you will need to manually add domains on both the master and slave nameservers. With that said, running your own nameservers is a great way to have more direct control over your hosting infrastructure, and assert full control over your DNS records.

As with any new server, it's always important to ensure your system is up to date. You can verify this by checking for updates using yum as follows:

yum update -y

(Note: In DigitalOcean, we call our cloud servers as "droplets". We will use both terms throughout this tutorial)

Initial BIND Installation

To begin, we will need to install the BIND and BIND Utilities packages using yum.

yum install bind bind-utils -y

Next, we'll open the BIND (named) configuration file and make several modifications.

nano -w /etc/named.conf

Your "options" section should appear as follows, replacing 2.2.2.2 with the IP of your second droplet.

options {
     #listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-query { any; };
        allow-transfer     { localhost; 2.2.2.2; };
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

Above, listen-on must be commented to listen on all available interfaces. Recursion should be turned off to prevent your server from being abused in "reflection" DDoS attacks. The allow-transfer directive whitelists transfers to your secondary droplet's IP. Furthermore, we have changed the allow-query directive to "any" in order to allow users proper access to hosted zones.

Next, we'll want to add a new zone for our first domain, you should add the following to your named.conf below the existing zones.

        zone "mydomain.com" IN {
                type master;
                file "mydomain.com.zone";
                allow-update { none; };
        };

After saving named.conf with the changes above, we're ready to create our first zone file.

Configure BIND Zones

Firstly, we'll need to open the zone file, using the name you specified in the configuration above. (Ex: mydomain.com.zone)

nano -w /var/named/mydomain.com.zone

We'll add the following contents to our newly created file. You should replace the applicable information with your own, where 1.1.1.1 is the IP of your first droplet, 2.2.2.2 is the IP of your second droplet and 3.3.3.3 is the IP you wish to point the domain itself to, such as a droplet running a webserver. You are free to add additional entries in the same format.

$TTL 86400
@   IN  SOA     ns1.mydomain.com. root.mydomain.com. (
        2013042201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
; Specify our two nameservers
  IN NS  ns1.mydomain.com.
  IN NS  ns2.mydomain.com.
; Resolve nameserver hostnames to IP, replace with your two droplet IP addresses.
ns1  IN A  1.1.1.1
ns2  IN A  2.2.2.2

; Define hostname -> IP pairs which you wish to resolve
@  IN A  3.3.3.3
www  IN A  3.3.3.3

We can now start named for the first time. This may take several minutes while named generates therndc.key file, which only occurs on first execution.

service named restart

Once named has started successfully, we'll want to ensure that it is enabled as a startup service, by running the following:

chkconfig named on

By now, we should have a fully operational primary nameserver. You can verify that BIND is working correctly by running the following command, replacing 1.1.1.1 with the IP of your first droplet.

dig @1.1.1.1 mydomain.com

If you recieve a response which includes an answer and authority section, your nameserver has been configured correctly.

Slave Nameserver Configuration

With our primary nameserver configured, we'll now setup a slave nameserver on our second cloud server.

As always, please assure your system is up to date by checking for updates with yum as follows:

yum update -y

We can start by installing BIND (and related utilities) on the second droplet, in the same manner as the first:

yum install bind bind-utils -y

We'll proceed by opening named.conf and making the same changes we made previously, ommitting the "allow transfer" line. This directive is unnecessary as we will only be transfering records from our primary name server.

nano -w /etc/named.conf

options {
  #listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-query { any; };
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

We will add the zone we configured on the first droplet, this time changing the "type" directive to slave, instead of master. You should replace "1.1.1.1" with your first droplet's IP address.

zone "mydomain.com" IN {
 type slave;
 masters { 1.1.1.1; };
 file "mydomain.com.zone";
};

After configuring our slave zone, we'll start named. Again this may take several minutes while our rndc.keyfile is initially generated.

service named start

As with the first cloud server, we want to assure named is set to run at startup with the following:

chkconfig named on

Your slave nameserver should now be up and running. You can verify that it is fully operational by usingdig again, replacing 2.2.2.2 with the IP of your second droplet.

dig @2.2.2.2 mydomain.com

After any changes you make to the master zone files, you will need to instruct BIND to reload. Remember, you must also increment the "serial" directive to ensure synchronicity between the master and slave.

To reload the zone files, we need to run the following command on the master nameserver, followed by the slave:

rndc reload

BIND in a chroot environment

It is generally advised to install the additional package "bind-chroot" which will drop the privileges of BIND into a chroot environment.

Luckily, the CentOS package makes this extremely simple. The only aspect worth noting is that active paths for BIND will change to their chrooted equivalents, for example /var/named becomes/var/named/chroot/var/named With CentOS 6, you will not need to move any files as the package automatically creates hard symlinks to the non-chrooted directories.

If you'd like to enable this feature for the added security which it provides, you can do the following:

yum install bind-chroot -y
service named restart