Categories
Compression Encryption FREE Freeware Linux Utility Windows

7-Zip File Archiver and Compression Utility (FreeWare)

7-Zip (aka 7zip) is a file archiver with a high compression ratio.

7-Zip Features

  • High compression ratio in new 7z format with LZMA compression
  • Supported formats:
    • Packing / unpacking: 7z, ZIP, GZIP, BZIP2 and TAR
    • Unpacking only: ARJ, CAB, CHM, CPIO, DEB, DMG, HFS, ISO, LZH, LZMA, MSI, NSIS, RAR, RPM, UDF, WIM, XAR and Z.
  • For ZIP and GZIP formats, 7-Zip provides a compression ratio that is 2-10 % better than the ratio provided by PKZip and WinZip
  • Strong AES-256 encryption in 7z and ZIP formats
  • Self-extracting capability for 7z format
  • Integration with Windows Shell
  • Powerful File Manager
  • Powerful command line version
  • Plugin for FAR Manager
  • Localizations for 74 languages

7-Zip is open source software. Most of the source code is under the GNU LGPL license. The unRAR code is under a mixed license: GNU LGPL + unRAR restrictions. Check license information here: 7-Zip license.

You can use 7-Zip on any computer, including a computer in a commercial organization. You don’t need to register or pay for 7-Zip. But you can make a donation to support further development of 7-Zip.

7-zip home page.
7-zip download.
7zip Windows 7 (64 and 32 bit)
7zip Windows 2008 (64 and 32 bit)

Categories
Encryption FTP Linux SFTP SSH Windows

freeFTPd

freeFTPd is an FTP/FTPS/SFTP server that enables users to access remote files over a TCP/IP network such as the Internet. Unlike FTP, the FTPS and SFTP protocols provide security and strong encryption of data – great for insecure networks.

Categories
Encryption FTP Linux SFTP SSH Windows

freeSSHD

freeSSHd, like its name says, is a free implementation of an SSH server. It provides strong encryption and authentication over insecure networks like the Internet. Users can open a remote console or even access their remote files thanks to the built-in SFTP server.

Categories
Encryption FTP Linux Passwords Security SSH Windows

Setting up a SFTP Server on Windows

This tutorial will help you turn your Windows based system into a SecureFTP server.

Background
Secure Shell (SSH) is a program that lets you log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. When using ssh, the entire login session, including transmission of password, is encrypted and therefore is very secure.

You may have noticed that many webhosts allow ssh access. This means that you can login to their webserver and execute many UNIX commands (the ones they allow you access to) on your account. Not only can you connect to other computers that provide SSH access, but you can also allow others to connect to your computer using SSH.

To take this one step further, you can also turn your Windows PC into a Secure FTP (SFTP) server. SFTP is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in clear text over the Internet. It is similar to FTP, but because it uses a different protocol, you must use an FTP client that supports SFTP (more about that later).

Installing SSH on Windows
Most UNIX based systems (Linux and OSX) come with SSH preinstalled, so connecting to a remote host is very easy. However, if you run a Windows system, you need to download some additional software to make the SSH programs available to you. Fortunately a free open-source project called SSHWindows provides a nice Windows installer that will set up the SSH client and server on your system.

Your first step will be to download the Binary Installer Release from SSHWindows. Once downloaded, run the installer and be sure to install both the client and server components.

Configure the SSH Server
In this next step, I have summarized the information in the readme.txt that is included with SSHWindows (it can be found in c:\program files\openssh\docs).
Your first configuration step is to set up the passwd file. You will need to set up the passwd file before any logins can take place.

Passwd creation is relatively easy and can be done using two programs that are included with SSHWindows – mkgroup and mkpasswd. Both of these programs are located in the c:\program files\openssh\bin directory.

To begin creating the group and passwd files, open a command prompt window and navigate to the c:\program files\openssh directory.

You must first create a group file. To add all local groups on your computer to the group file, type the command as shown below:

mkgroup -l >> ..\etc\group

You will now need to create a passwd file. Any users in the passwd file will be able to log on with SSH. For this reason, it is recommended that you add users individually with the -u switch. To add a user to the passwd file type the command shown below:

mkpasswd -l -u username >> ..\etc\passwd

NOTE: the username specified above must be an existing windows login account.

Creating Home Directories for your Users
In the passwd file, you will notice that the user’s home directory is set as /home/username, with username being the name of the account. In the default install, the /home directory is set to the default profile directory for all users. This is usually c:\documents and settings.

If you want to change this location you will need to edit the passwd file. The passwd file is in plain text and can be edited in Notepad or any text editor. The last two entries for each user are safe to edit by hand. The second to last entry (/home/username) can be replaced with any other directory to act as that user’s home directory. It’s worth noting that when you run SSH on windows, you are actually running SSH in a scaled down version of cygwin, which is a Unix emulator for Windows. So, if you will be placing the user somewhere outside the default directory for their Windows profile, you will need to use the cygdrive notation.

To access any folder on any drive letter, add /cygdrive/DRIVELETTER/ at the beginning of the folder path. As an example, to access the winnt\system32 directory on the c: drive you would use the path:

/cygdrive/c/winnt/system32
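The path translation and the hand edit of the passwd home field described above, as an added example (not part of the original tutorial or of SSHWindows). It assumes the SSHWindows passwd file uses the usual seven colon-separated fields; the sample users and paths are constructed. Because this setup has no chroot, the last helper lists users whose home directory falls outside the tree you intended to expose.

```python
import re

# Constructed SSHWindows-style passwd lines (same colon-separated layout
# as a Unix /etc/passwd); the names and paths are made up for the example.
SAMPLE_PASSWD = """bubba:unused:1001:513:Bubba Jones:/home/bubba:/bin/switch
alice:unused:1002:513:Alice Smith:/home/alice:/bin/switch
"""


def to_cygdrive(win_path):
    """Translate a Windows path such as C:\\winnt\\system32 into the
    /cygdrive/c/winnt/system32 form the SSH server expects."""
    m = re.fullmatch(r"([A-Za-z]):[\\/]?(.*)", win_path.strip())
    if not m:
        raise ValueError("not an absolute Windows path: %r" % win_path)
    drive = m.group(1).lower()
    rest = "/".join(p for p in m.group(2).replace("\\", "/").split("/") if p)
    return "/cygdrive/%s/%s" % (drive, rest) if rest else "/cygdrive/%s" % drive


def set_home(passwd_text, user, win_path):
    """Return passwd_text with the home field (6th of 7) of `user`
    rewritten to the cygdrive form of win_path. Raises if the user is
    absent, so a typo cannot silently leave the old home in place."""
    out, found = [], False
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[5] = to_cygdrive(win_path)
            found = True
        out.append(":".join(fields))
    if not found:
        raise KeyError("user %r not in passwd file" % user)
    return "\n".join(out) + "\n"


def home_of(passwd_text, user):
    """Home directory field of `user`, as the SSH server will read it."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[5]
    raise KeyError(user)


def homes_outside(passwd_text, allowed_root):
    """List users whose home is not under allowed_root (cygdrive form).
    With no chroot available, a home outside the intended tree deserves
    a second look before the account is allowed to log in."""
    root = allowed_root.rstrip("/") + "/"
    return [line.split(":")[0] for line in passwd_text.splitlines()
            if len(line.split(":")) == 7
            and not (line.split(":")[5] + "/").startswith(root)]
```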

Connecting to your SFTP Server
To connect to your new SFTP server, you will need to download an FTP client that supports SFTP. I use Filezilla which is a nice free FTP and SFTP client. You might also try WinSCP which is another free SFTP client.

To test if your server is running, create a new connection in your client and specify SFTP as the server type, 22 as the port, and localhost or 127.0.0.1 as the server name. You will also need to provide the user account and password for any account that you added to your passwd file. Now connect to the server. If all went well, you should see a directory listing where you pointed the home folder to. If not, there are a couple of things to check. Make sure your Windows firewall is set to allow traffic over port 22 and finally double check your passwd file to make sure that the account you added is actually there.

Security
Because SSH here only authenticates existing Windows user accounts, you can restrict access based upon NTFS file permissions. Note that this SFTP setup does not provide chroot jails (a Unix method for locking a user to his/her home directory). Simply lock down your filesystem for that user, and SFTP will respect that.

Summary
In the end, setting up an SFTP server turned out to be a very effortless task. With a couple of open source programs and a couple of command-line commands, you can be up and running in no time at all!

Categories
Amazon Web Services AWS EC2 Encryption FTP Linux Passwords PuTTY S3 SSH Windows

A quick overview of PuTTY and SSH for AWS Newbies

Linux Access with SSH & PuTTY

This post will (attempt) to explain what SSH and PuTTY are so that as a user you understand the terminology of AWS and so that you can be productive in the environment. This post will not attempt to make you an expert in SSH. For best practices in implementing SSH, I strongly recommend a book dedicated to hardening *nix (Linux, Unix, Solaris, etc).

SSH

In the early days of networking, not that long ago really, very simple tools were used to work with remote computers: telnet as a console, ftp for file copying, rsh for remote command execution and others. These tools were easy to configure and use. They were client-server in that a software component needed to run on both the local machine (client) and the remote machine (server).

While easy to use, they were very insecure. They made no pretense at verifying that the calling host really was the calling host. Everything was username/password based and both the username and the password were passed around the network in cleartext. If you intercepted the little data packages that were being routed around the network (with a sniffer for example), you would be able to extract the login credentials. Even if you encrypted all of your data, your credentials were still in the clear.

SSH is an attempt (quite successful) to fix those insecurities without making things any more complex than they need to be. SSH stands for Secure SHell. However, SSH is not really a command shell; it is rather a protocol that encrypts communications. That means that programs that use SSH can work like telnet or ftp but will be more secure.

Note: Technically, SSH is also a tool. There is a client terminal program called SSH. It’s a non-graphical command line tool that provides a window which executes a command shell on the remote system.

SSH offers multiple modes of connecting, but for the purposes of AWS we will talk about key-based access. To make things more secure, EC2 uses key-based authentication. Before starting an instance, you need to create a key pair.

Note: The below explanation of SSH is a gross over simplification. I am just trying to give you a feel for what is going on. If you really want to understand the technical details, I really do recommend that you purchase a book. My personal recommendation is SSH, The Secure Shell: The Definitive Guide from O’Reilly.

When an instance starts up for the first time, EC2 copies the ssh key that you created to the proper directory on the remote server. The remote server will be running the SSH Server software.

You will then use an SSH client to connect to the server. The client will ask for some information proving that the server really is who it says it is. The first time you connect to a server, the client won’t have that information available, so it will prompt you to verify that the server is legitimate.

You verify that information by comparing a thumbprint. Verifying a host is a bit beyond this book, but do an internet search for “ssh host thumbprint”. You’ll find a variety of articles explaining it in detail.

Once the client accepts the host, the client will send secret information to the host. This is your key data. If the host is able to make a match, it will authenticate you and log you in. If the host then asks for a password, your key did not work and something is not configured properly. In my experience, it will probably be that your client key file is not in the place your client is expecting it to be.
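The thumbprint comparison described above, as an added example that is not part of the original post or of any SSH client: it computes the OpenSSH-style SHA256 and legacy MD5 fingerprints of a public key line and checks a presented key against a known_hosts file. The key blobs and host name are constructed (not real keys), and hashed (|1|...) known_hosts entries are assumed not to be in use.

```python
import base64
import hashlib

# Constructed public-key lines in OpenSSH "type base64 comment" layout.
# The base64 blobs are NOT real keys, just bytes made up for the example.
HOST_KEY_LINE = "ssh-ed25519 %s example-host" % base64.b64encode(
    b"constructed example key material, not a real ssh key").decode()
OTHER_KEY_LINE = "ssh-ed25519 %s other-host" % base64.b64encode(
    b"different constructed bytes, also not a real key").decode()

# A constructed known_hosts file that already trusts HOST_KEY_LINE for one host.
KNOWN_HOSTS = "ec2-203-0-113-10.example.invalid %s\n" % HOST_KEY_LINE


def _blob(pubkey_line):
    """Decode the base64 key blob (second field) of a public-key line."""
    return base64.b64decode(pubkey_line.split()[1])


def fingerprint_sha256(pubkey_line):
    """OpenSSH-style fingerprint: base64 of SHA-256 over the decoded
    blob, '=' padding stripped, prefixed with 'SHA256:'."""
    digest = hashlib.sha256(_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(pubkey_line):
    """Legacy colon-separated MD5 fingerprint, as 'MD5:aa:bb:...'."""
    h = hashlib.md5(_blob(pubkey_line)).hexdigest()
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def check_host_key(known_hosts, host, presented_line):
    """Classify the key a server presents: 'match' (trusted before),
    'mismatch' (host known, but with a different key: stop and
    investigate) or 'unknown' (first contact: compare the thumbprint
    out of band before accepting)."""
    presented = presented_line.split()[:2]   # key type and blob
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if host in parts[0].split(","):      # one entry may list several names
            seen = True
            if parts[1:3] == presented:
                return "match"
    return "mismatch" if seen else "unknown"
```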

What happens next depends on the tool you are using. If you are using a terminal program, ssh for example, you will now have a command prompt. If you are using sftp or scp, you will be able to copy files.

In addition to command line tools, there are GUI tools that use the SSH protocol. WinSCP is an excellent SCP client for Windows.

Regardless of the tools you use, SSH is busy encrypting everything you send over the wire. The SSH protocol has evolved over the years, and will probably evolve even more in the future, but it is currently running a very secure form of encryption.

If you are running Linux, you are pretty much finished at this point. SSH ships with every Linux distribution that I am aware of. If you are using Windows, however, you either need to install Cygwin (a Unix environment that runs in Windows), or you’ll want to get PuTTY.

PuTTY

You can download all of the programs discussed in this section at:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

I honestly have no idea why PuTTY is spelled PuTTY. I can figure the TTY part of it is from the Unix command that outputs a display. I’m not sure about the Pu though.

I do know what PuTTY is though. PuTTY is a very simple implementation of an MS-Windows SSH terminal client. When I say it is simple, I mean that as a compliment. This is a tool that does not get in the way.

You tell PuTTY to connect to a remote server and, as long as your keys are configured, it will connect you. If you are not using keys, you can connect with passwords (if the host allows that). As a best practice, keys are recommended over passwords.

PuTTY is the terminal client but you can get a couple of other tools from the same author. PSFTP and PSCP offer secure file transfers. These tools are as easy to use as PuTTY and work pretty much the same way.

For command line syntax and configuration, take a look at the documentation at the link above.

A note about SSH keys and PuTTY: the key file EC2 gives you is not in PuTTY’s format. This same web site offers a utility called PuTTYgen. When you create a key pair for EC2, you download that file to your local machine. PuTTYgen converts that file (a .pem file) to a private key file (a .ppk file).

PuTTY Key Generator


The tool is named puttygen.exe. Run the executable and the above window pops up. To convert an Amazon key to a PuTTY key, use the menu option Conversions > Import Key. Load the .pem file that you downloaded and press the Save Private Key button.

It will warn you about leaving the passphrase blank. That’s ok.

Save the file to the location that PuTTY has been configured to look in for its keys.

Categories
Encryption Linux Passwords Windows

Linux User Commands

Every user who has access to a Linux system needs a login and a password. Each user must belong to a primary group and for security or access purposes can belong to several secondary groups.

In order to create new logins, modify or delete users, you must already be logged in as root. The root login is the highest level and only certain individuals should have access to the root account.

useradd – Adding a new user
Options:
-d home directory
-s starting program (shell)
-p password (the encrypted password, as produced by crypt; useradd does not hash a plain-text value for you)
-g (primary group assigned to the users)
-G (Other groups the user belongs to)
-m (Create the user’s home directory)

Example: To add a new user with

  • a primary group of users
  • a second group mgmt
  • starting shell /bin/bash
  • password of xxxx
  • home directory of bubba
  • create home directory
  • a login name of bubba

useradd -gusers -Gmgmt -s/bin/bash -pxxxx -d/home/bubba -m bubba

usermod – Modifying existing user
Options:
-d home directory
-s starting program (shell)
-p password
-g (primary group assigned to the users)
-G (Other groups the user belongs to; on its own -G replaces the current list, combine it with -a to append)

Example: To add the group ‘others’ to the user bubba

usermod -aG others bubba

userdel – Deleting a user
Options:
-r (remove home directory)

Example: To remove the user ‘bubba’ and his home directory

userdel -r bubba

passwd – User’s Password
Options:
user’s name (Only required if you are root and want to change another user’s password)

Example: To change the password for the account you are currently logged in as…
passwd
Enter existing password
Enter new password
Enter new password again (to validate)

Example: To change the password for the user ‘bubba’ (only if you are logged in as root)…
passwd bubba
Enter existing password (can be either bubba’s password or root’s password)
Enter new password
Enter new password again (to validate)

Where user and group information is stored
User names and primary groups are stored in /etc/passwd. This file can be directly edited using the ‘vi’ editor, although this is not recommended. Format of the file is…
User (name normally all lower case)
Password (normally just the letter ‘x’, meaning the encrypted password is kept in /etc/shadow)
User ID (a unique number for each user)
Primary Group ID
Comment (Normally the person’s full name)
Home directory (normally under /home/)
Default shell (normally /bin/bash)
Each field is separated by a colon.
Passwords for each user are stored in /etc/shadow. This file should only be changed using the passwd command.
Group information is stored in /etc/group. This file can be directly edited using the ‘vi’ editor. Format of the file is…
Group name
Group password (hardly ever used)
Group ID
User names (separated by commas)
Each field is separated by a colon.
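A parser for the /etc/passwd and /etc/group layouts described above, as an added example (not part of the original post). It resolves the primary and secondary groups that useradd -g / -G set up for a user and reports the two things a reviewer of these files looks for first: extra uid 0 accounts and password hashes left in /etc/passwd instead of /etc/shadow. The file contents are constructed for the example.

```python
# Constructed /etc/passwd and /etc/group content; the layout is the
# colon-separated format described above, the accounts are made up.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bubba:x:1001:100:Bubba Jones:/home/bubba:/bin/bash
svc:$6$salt$constructedhash:1002:100:Service:/var/svc:/usr/sbin/nologin
backdoor:x:0:0:oops:/tmp:/bin/bash
"""
GROUP = """root:x:0:
users:x:100:
mgmt:x:200:bubba
others:x:201:bubba,svc
"""


def parse_passwd(text):
    """Return {name: fields} with the seven /etc/passwd fields named."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        users[f[0]] = {"pw": f[1], "uid": int(f[2]), "gid": int(f[3]),
                       "gecos": f[4], "home": f[5], "shell": f[6]}
    return users


def parse_group(text):
    """Return {gid: {"name", "members"}} from the four /etc/group fields."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 4:
            raise ValueError("malformed group line: %r" % line)
        groups[int(f[2])] = {"name": f[0],
                             "members": [m for m in f[3].split(",") if m]}
    return groups


def groups_of(user, users, groups):
    """(primary group name, sorted secondary group names) for `user`:
    the primary comes from the gid field, secondaries from the member
    lists, mirroring useradd -g and -G."""
    gid = users[user]["gid"]
    primary = groups[gid]["name"]
    secondary = sorted(g["name"] for g_id, g in groups.items()
                       if user in g["members"] and g_id != gid)
    return primary, secondary


def audit(users):
    """Findings worth a look: uid 0 accounts other than root, empty
    password fields (no password needed), and hashes stored in
    /etc/passwd (world-readable) instead of /etc/shadow."""
    findings = []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append("%s: uid 0 account besides root" % name)
        if u["pw"] == "":
            findings.append("%s: empty password field" % name)
        elif u["pw"] not in ("x", "*") and not u["pw"].startswith("!"):
            findings.append("%s: password hash kept in /etc/passwd, not /etc/shadow" % name)
    return findings
```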

Default files
When a new user is created, the default files and directories that are created are stored in /etc/skel.

This directory can be modified to fit your needs. Modifications only affect new users and do not change anything for existing users.

su – Switch User
To switch to another user, use the su command. This is most commonly used to switch to the root account.

Example: To switch to the root account…
su
Enter root’s passwd

Example: To switch to the user ‘bubba’…
su bubba
Enter bubba’s or root’s passwd

To return to original user, enter exit

Categories
Encryption Linux Passwords Windows Windows 2000

Linux Command: iwconfig

NAME

iwconfig – configure a wireless network interface

SYNOPSIS

iwconfig [interface]
iwconfig interface [essid X] [nwid N] [mode M] [freq F]
                   [channel C] [sens S] [ap A] [nick NN]
                   [rate R] [rts RT] [frag FT] [txpower T]
                   [enc E] [key K] [power P] [retry R]
                   [commit]
iwconfig --help
iwconfig --version

DESCRIPTION

Iwconfig is similar to ifconfig(8), but is dedicated to the wireless interfaces. It is used to set the parameters of the network interface which are specific to the wireless operation (for example: the frequency). Iwconfig may also be used to display those parameters, and the wireless statistics (extracted from /proc/net/wireless).

All these parameters and statistics are device dependent. Each driver will provide only some of them depending on hardware support, and the range of values may change. Please refer to the man page of each device for details.

PARAMETERS

essid
Set the ESSID (or Network Name – in some products it may also be called Domain ID). The ESSID is used to identify cells which are part of the same virtual network. As opposed to the AP Address or NWID which define a single cell, the ESSID defines a group of cells connected via repeaters or infrastructure, where the user may roam transparently. With some cards, you may disable the ESSID checking (ESSID promiscuous) with off or any (and on to reenable it). If the ESSID of your network is one of the special keywords (off, on or any), you should use -- to escape it.
Examples:
iwconfig eth0 essid any
iwconfig eth0 essid "My Network"
iwconfig eth0 essid -- "ANY"

nwid/domain
Set the Network ID (in some products it may also be called Domain ID). As all adjacent wireless networks share the same medium, this parameter is used to differentiate them (create logical colocated networks) and identify nodes belonging to the same cell. This parameter is only used for pre-802.11 hardware; the 802.11 protocol uses the ESSID and AP Address for this function. With some cards, you may disable the Network ID checking (NWID promiscuous) with off (and on to reenable it).
Examples:
iwconfig eth0 nwid AB34
iwconfig eth0 nwid off

freq/channel
Set the operating frequency or channel in the device. A value below 1000 indicates a channel number, a value greater than 1000 is a frequency in Hz. You may append the suffix k, M or G to the value (for example, "2.46G" for 2.46 GHz frequency), or add enough '0'. Channels are usually numbered starting at 1, and you may use iwlist(8) to get the total number of channels, list the available frequencies, and display the current frequency as a channel. Depending on regulations, some frequencies/channels may not be available. When using Managed mode, most often the Access Point dictates the channel and the driver may refuse the setting of the frequency. In Ad-Hoc mode, the frequency setting may only be used at initial cell creation, and may be ignored when joining an existing cell. You may also use off or auto to let the card pick up the best channel (when supported).
Examples:
iwconfig eth0 freq 2422000000
iwconfig eth0 freq 2.422G
iwconfig eth0 channel 3
iwconfig eth0 channel auto

sens
Set the sensitivity threshold. This is the lowest signal level for which the hardware will consider received packets usable. Positive values are assumed to be the raw value used by the hardware or a percentage, negative values are assumed to be dBm. Depending on the hardware implementation, this parameter may control various functions. It may control the receive threshold, the lowest signal level for which the hardware attempts packet reception; signals weaker than this are ignored. It may also control the defer threshold, the lowest signal level for which the hardware considers the channel busy. Proper setting of those thresholds prevents the card from wasting time receiving background noise. Modern designs seem to control those thresholds automatically. On modern cards, this parameter may control the handover/roaming threshold, the lowest signal level for which the hardware remains associated with the current Access Point. When the signal level goes below this threshold the card starts looking for a new/better Access Point.
Example:
iwconfig eth0 sens -80

mode
Set the operating mode of the device, which depends on the network topology. The mode can be Ad-Hoc (network composed of only one cell and without Access Point), Managed (node connects to a network composed of many Access Points, with roaming), Master (the node is the synchronisation master or acts as an Access Point), Repeater (the node forwards packets between other wireless nodes), Secondary (the node acts as a backup master/repeater), Monitor (the node is not associated with any cell and passively monitors all packets on the frequency) or Auto.
Example:
iwconfig eth0 mode Managed
iwconfig eth0 mode Ad-Hoc

ap
Force the card to register to the Access Point given by the address, if it is possible. When the quality of the connection goes too low, the driver may revert back to automatic mode (the card selects the best Access Point in range). You may also use off to re-enable automatic mode without changing the current Access Point, or you may use any or auto to force the card to reassociate with the currently best Access Point.
Example:
iwconfig eth0 ap 00:60:1D:01:23:45
iwconfig eth0 ap any
iwconfig eth0 ap off

nick[name]
Set the nickname, or the station name. Some 802.11 products do define it, but this is not used as far as the protocols (MAC, IP, TCP) are concerned and completely useless as far as configuration goes. Only some diagnostic tools may use it.
Example:
iwconfig eth0 nickname "My Linux Node"

rate/bit[rate]
For cards supporting multiple bit rates, set the bit-rate in b/s. The bit-rate is the speed at which bits are transmitted over the medium, the user speed of the link is lower due to medium sharing and various overhead.

You may append the suffix k, M or G to the value (decimal multiplier: 10^3, 10^6 and 10^9 b/s), or add enough '0'. Values below 1000 are card specific, usually an index in the bit-rate list. Use auto to select automatic bit-rate mode (fallback to lower rate on noisy channels), which is the default for most cards, and fixed to revert back to fixed setting. If you specify a bit-rate value and append auto, the driver will use all bit-rates lower than or equal to this value.
Examples :
iwconfig eth0 rate 11M
iwconfig eth0 rate auto
iwconfig eth0 rate 5.5M auto

rts[_threshold]
RTS/CTS adds a handshake before each packet transmission to make sure that the channel is clear. This adds overhead, but increases performance in case of hidden nodes or a large number of active nodes. This parameter sets the size of the smallest packet for which the node sends RTS; a value equal to the maximum packet size disables the mechanism. You may also set this parameter to auto, fixed or off.
Examples :
iwconfig eth0 rts 250
iwconfig eth0 rts off

frag[mentation_threshold]
Fragmentation allows splitting an IP packet into a burst of smaller fragments transmitted on the medium. In most cases this adds overhead, but in a very noisy environment this reduces the error penalty and allows packets to get through interference bursts. This parameter sets the maximum fragment size; a value equal to the maximum packet size disables the mechanism. You may also set this parameter to auto, fixed or off.
Examples :
iwconfig eth0 frag 512
iwconfig eth0 frag off

key/enc[ryption]
Used to manipulate encryption or scrambling keys and security mode.

To set the current encryption key, just enter the key in hex digits as XXXX-XXXX-XXXX-XXXX or XXXXXXXX. To set a key other than the current key, prepend or append [index] to the key itself (this won’t change which is the active key). You can also enter the key as an ASCII string by using the s: prefix.

Passphrase is currently not supported. To change which key is the currently active key, just enter [index] (without entering any key value).

off and on disable and reenable encryption.

The security mode may be open or restricted, and its meaning depends on the card used. With most cards, in open mode no authentication is used and the card may also accept non-encrypted sessions, whereas in restricted mode only encrypted sessions are accepted and the card will use authentication if available.

If you need to set multiple keys, or set a key and change the active key, you need to use multiple key directives. Arguments can be put in any order, the last one will take precedence.
Examples :
iwconfig eth0 key 0123-4567-89
iwconfig eth0 key [3] 0123-4567-89
iwconfig eth0 key s:password [2]
iwconfig eth0 key [2]
iwconfig eth0 key open
iwconfig eth0 key off
iwconfig eth0 key restricted [3] 0123456789
iwconfig eth0 key 01-23 key 45-67 [4] key [4]

power
Used to manipulate power management scheme parameters and mode. To set the period between wake ups, enter period 'value'. To set the timeout before going back to sleep, enter timeout 'value'. You can also add the min and max modifiers. By default, those values are in seconds; append the suffix m or u to specify values in milliseconds or microseconds. Sometimes, those values are without units (number of beacon periods, dwell or similar).

off and on disable and reenable power management. Finally, you may set the power management mode to all (receive all packets), unicast (receive unicast packets only, discard multicast and broadcast) and multicast (receive multicast and broadcast only, discard unicast packets).
Examples :
iwconfig eth0 power period 2
iwconfig eth0 power 500m unicast
iwconfig eth0 power timeout 300u all
iwconfig eth0 power off
iwconfig eth0 power min period 2 power max period 4

txpower
For cards supporting multiple transmit powers, sets the transmit power in dBm. If W is the power in Watt, the power in dBm is P = 30 + 10 log10(W). If the value is postfixed by mW, it will be automatically converted to dBm.

In addition, on and off enable and disable the radio, and auto and fixed enable and disable power control (if those features are available).
Examples :
iwconfig eth0 txpower 15
iwconfig eth0 txpower 30mW
iwconfig eth0 txpower auto
iwconfig eth0 txpower off

retry
Most cards have MAC retransmissions, and some allow to set the behaviour of the retry mechanism. To set the maximum number of retries, enter limit 'value'. This is an absolute value (without unit). To set the maximum length of time the MAC should retry, enter lifetime 'value'. By default, this value is in seconds; append the suffix m or u to specify values in milliseconds or microseconds.

You can also add the min and max modifiers. If the card supports automatic mode, they define the bounds of the limit or lifetime. Some other cards define different values depending on packet size, for example in 802.11 min limit is the short retry limit (non RTS/CTS packets).
Examples :
iwconfig eth0 retry 16
iwconfig eth0 retry lifetime 300m
iwconfig eth0 retry min limit 8

commit
Some cards may not apply changes done through Wireless Extensions immediately (they may wait to aggregate the changes or apply it only when the card is brought up via ifconfig). This command (when available) forces the card to apply all pending changes. This is normally not needed, because the card will eventually apply the changes, but can be useful for debugging.

DISPLAY

For each device which supports wireless extensions, iwconfig will display the name of the MAC protocol used (name of device for proprietary protocols), the ESSID (Network Name), the NWID, the frequency (or channel), the sensitivity, the mode of operation, the Access Point address, the bit-rate, the RTS threshold, the fragmentation threshold, the encryption key and the power management settings (depending on availability).

The parameters displayed have the same meaning and values as the parameters you can set, please refer to the previous part for a detailed explanation of them. Some parameters are only displayed in short/abbreviated form (such as encryption). You may use iwlist(8) to get all the details. Some parameters have two modes (such as bitrate). If the value is prefixed by ‘=’, it means that the parameter is fixed and forced to that value, if it is prefixed by ‘:’, the parameter is in automatic mode and the current value is shown (and may change).

Access Point/Cell
An address equal to 00:00:00:00:00:00 means that the card failed to associate with an Access Point (most likely a configuration issue). The Access Point parameter will be shown as Cell in ad-hoc mode (for obvious reasons), but otherwise works the same.

If /proc/net/wireless exists, iwconfig will also display its content.
Note that those values will depend on the driver and the hardware specifics, so you need to refer to your driver documentation for proper interpretation of those values.

Link quality
Overall quality of the link. May be based on the level of contention or interference, the bit or frame error rate, how good the received signal is, some timing synchronisation, or other hardware metric. This is an aggregate value, and depends totally on the driver and hardware.

Signal level
Received signal strength (RSSI – how strong the received signal is). May be arbitrary units or dBm, iwconfig uses driver meta information to interpret the raw value given by /proc/net/wireless and display the proper unit or maximum value (using 8 bit arithmetic). In Ad-Hoc mode, this may be undefined and you should use iwspy.

Noise level
Background noise level (when no packet is transmitted). Similar comments as for Signal level.

Rx invalid nwid
Number of packets received with a different NWID or ESSID. Used to detect configuration problems or adjacent network existence (on the same frequency).

Rx invalid crypt
Number of packets that the hardware was unable to decrypt. This can be used to detect invalid encryption settings.

Rx invalid frag
Number of packets for which the hardware was not able to properly re-assemble the link layer fragments (most likely one was missing).

Tx excessive retries
Number of packets that the hardware failed to deliver. Most MAC protocols will retry the packet a number of times before giving up.

Invalid misc
Other packets lost in relation with specific wireless operations.

Missed beacon
Number of periodic beacons from the Cell or the Access Point we have missed. Beacons are sent at regular intervals to maintain the cell coordination, failure to receive them usually indicates that the card is out of range.
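A parser for the /proc/net/wireless content that iwconfig displays, as an added example (not part of the man page or of the wireless tools). It reads the counters named above (nwid, crypt, frag, retry, misc, beacon) and turns them into the diagnostic hints the descriptions give; the sample file content is constructed, and the two-header-line layout with a trailing '.' marking updated quality values is assumed.

```python
# Constructed sample in the /proc/net/wireless layout (two header lines,
# then one line per interface); interface names and counts are made up.
SAMPLE = """Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 22
 wlan0: 0000   70.  -40.  -256        0      0      0      0      0        0
 wlan1: 0000   21.  -85.  -256      312     97      4     58      0       41
"""

# Column order after the interface name and the status word.
FIELDS = ("link", "level", "noise", "nwid", "crypt", "frag", "retry", "misc", "beacon")


def parse_proc_wireless(text):
    """Return {iface: {field: int}} for every interface line in text."""
    stats = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        parts = line.split()
        if len(parts) < 11 or not parts[0].endswith(":"):
            continue
        iface = parts[0].rstrip(":")
        # A trailing '.' flags a value the driver has updated; drop it.
        vals = [int(p.rstrip(".")) for p in parts[2:11]]
        stats[iface] = dict(zip(FIELDS, vals))
        stats[iface]["status"] = int(parts[1], 16)
    return stats


def diagnose(stats, prev=None):
    """Map the discard counters to the hints given above. The counters
    only ever grow, so when `prev` (an earlier snapshot from the same
    parser) is supplied, only the increase since then is judged."""
    hints = {}
    for iface, now in stats.items():
        before = prev.get(iface, {}) if prev else {}
        grew = {k: now[k] - before.get(k, 0) > 0
                for k in ("nwid", "crypt", "frag", "retry", "beacon")}
        found = []
        if grew["crypt"]:
            found.append("crypt: frames we could not decrypt, check key/encryption mode")
        if grew["nwid"]:
            found.append("nwid: another cell on this frequency, or wrong ESSID/NWID")
        if grew["frag"]:
            found.append("frag: fragments lost, consider a larger frag threshold")
        if grew["retry"]:
            found.append("retry: MAC gave up on frames, contention or weak signal")
        if grew["beacon"]:
            found.append("beacon: missed beacons, card likely near the edge of range")
        hints[iface] = found
    return hints
```

On a live system, read /proc/net/wireless twice a few seconds apart and pass the first parse as `prev` so that old counter values do not trigger hints.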

FILES

/proc/net/wireless

SEE ALSO

ifconfig, iwspy, iwlist, iwevent, iwpriv, wireless.

Reference: http://linuxcommand.org/man_pages/iwconfig8.html

Categories
Cisco Encryption Firewall Linux Networking Passwords SSH SSL VPN Windows Windows 2000

Creating Client SSL VPN on Cisco ASAs

Introduction

This document describes how to allow remote access VPN connections to the ASA from the Cisco AnyConnect 2.0 client.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

* Basic ASA configuration that runs software version 8.0
* ASDM 6.0(2)

Components Used

The information in this document is based on these software and hardware versions:

* Cisco ASA 8.0(2), ASDM 6.0 (2)
* Cisco AnyConnect 2.0

Background Information

The Cisco AnyConnect 2.0 client is an SSL-based VPN client. The AnyConnect client can be utilized and installed on a variety of operating systems, such as Windows 2000, XP, Vista, Linux (multiple distros) and Mac OS X. The AnyConnect client can be installed manually on the remote PC by the system administrator. It can also be loaded onto the security appliance and made ready for download to remote users. After the application is downloaded, it can automatically uninstall itself after the connection terminates, or it can remain on the remote PC for future SSL VPN connections. This example makes the AnyConnect client ready to download upon successful browser-based SSL authentication.

For more information on the AnyConnect 2.0 client, refer to AnyConnect 2.0 Release Notes.

Note: MS Terminal Services is not supported in conjunction with the AnyConnect client. You cannot RDP to a computer and then initiate an AnyConnect session. You cannot RDP to a client that is connected via AnyConnect.

Note: The first installation of AnyConnect requires the user to have admin rights (whether you use the standalone AnyConnect msi package or push the pkg file from the ASA). If the user does not have admin rights, a dialog box appears that states this requirement. Subsequent upgrades will not require the user that installed AnyConnect previously to have admin rights.

Configure
Step 1. Configure a Self-Issued Certificate

By default, the security appliance has a self-signed certificate that is regenerated every time the device is rebooted. You can purchase your own certificate from vendors, such as Verisign or EnTrust, or you can configure the ASA to issue an identity certificate to itself. This certificate remains the same even when the device is rebooted. Complete this step in order to generate a self-issued certificate that persists when the device is rebooted.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Certificate Management, and then choose Identity Certificates.
3. Click Add, and then click the Add a new identity certificate radio button.
4. Click New.
5. In the Add Key Pair dialog box, click the Enter new key pair name radio button.
6. Enter a name to identify the keypair. This example uses sslvpnkeypair.
7. Click Generate Now.
8. In the Add Identity Certificate dialog box, ensure the newly created key pair is selected.
9. For Certificate Subject DN, enter the fully qualified domain name (FQDN) that will be used to connect to the VPN terminating interface.
   CN=sslvpn.cisco.com
10. Click Advanced, and enter the FQDN used for the Certificate Subject DN field. For example, FQDN: sslvpn.cisco.com
11. Click OK.
12. Check the Generate Self Signed Certificate check box, and click Add Certificate.
13. Click OK.
14. Click Configuration, and then click Remote Access VPN.
15. Expand Advanced, and choose SSL Settings.
16. In the Certificates area, choose the interface that will be used to terminate the SSL VPN (outside), and click Edit.
17. In the Certificate drop-down list, choose the self-signed certificate that you generated earlier.
18. Click OK, and then click Apply.

Step 2. Upload and Identify the SSL VPN Client Image

This document uses the AnyConnect SSL 2.0 client. You can obtain this client at the Cisco Software Download Website. A separate Anyconnect image is required for each operating system that remote users plan to use. For more information, refer to Cisco AnyConnect 2.0 Release Notes.

Once you obtain the AnyConnect client, complete these steps:

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand Advanced.
3. Expand SSL VPN, and choose Client Settings.
4. In the SSL VPN Client Images area, click Add, and then click Upload.
5. Browse to the location where you downloaded the AnyConnect client.
6. Select the file, and click Upload File.
   Once the client uploads, you receive a message that states the file was uploaded to flash successfully.
7. Click OK.
   A dialog box appears to confirm that you want to use the newly uploaded image as the current SSL VPN client image.
8. Click OK.
9. Click OK, and then click Apply.
10. Repeat the steps in this section for each operating system-specific AnyConnect package that you want to use.

Step 3. Enable Anyconnect Access

In order to allow the AnyConnect client to connect to the ASA, you must enable access on the interface that terminates SSL VPN connections. This example uses the outside interface in order to terminate Anyconnect connections.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then choose SSL VPN Connection Profiles.
3. Check the Enable Cisco AnyConnect VPN Client check box.
4. Check the Allow Access check box for the outside interface, and click Apply.

Step 4. Create a new Group Policy

A group policy specifies the configuration parameters that should be applied to clients when they connect. This example creates a group policy named SSLClientPolicy.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and choose Group Policies.
3. Click Add.
4. Choose General, and enter SSLClientPolicy in the Name field.
5. Uncheck the Address Pools Inherit check box.
6. Click Select, and then click Add. The Add IP Pool dialog box appears.
7. Configure the address pool from an IP range that is not currently in use on your network. This example uses these values:
   * Name: SSLClientPool
   * Starting IP Address: 192.168.25.1
   * Ending IP Address: 192.168.25.50
   * Subnet Mask: 255.255.255.0
8. Click OK.
9. Choose the newly created pool, and click Assign.
10. Click OK, and then click More Options.
11. Uncheck the Tunneling Protocols Inherit check box.
12. Check SSL VPN Client.
13. In the left pane, choose Servers.
14. Uncheck the DNS Servers Inherit check box, and enter the IP address of the internal DNS server that the AnyConnect clients will use. This example uses 192.168.50.5.
15. Click More Options.
16. Uncheck the Default Domain Inherit check box.
17. Enter the domain used by your internal network. For example, tsweb.local.
18. Click OK, and then click Apply.

Step 5. Configure Access List Bypass for VPN Connections

When you enable this option, you allow the SSL/IPsec clients to bypass the interface access list.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand Advanced.
3. Expand SSL VPN, and choose Bypass Interface Access List.
4. Ensure the Enable inbound SSL VPN and IPSEC Sessions to bypass interface access lists check box is checked, and click Apply.

Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections

When VPN clients connect to the ASA, they connect to a connection profile or tunnel group. The tunnel group is used to define connection parameters for specific types of VPN connections, such as IPsec L2L, IPsec remote access, clientless SSL, and client SSL.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand SSL VPN.
3. Choose Connection Profiles, and click Add.
4. Choose Basic, and enter these values:
   * Name: SSLClientProfile
   * Authentication: LOCAL
   * Default Group Policy: SSLClientPolicy
5. Ensure the SSL VPN Client Protocol check box is checked.
6. In the left pane, expand Advanced, and choose SSL VPN.
7. Under Connection Aliases, click Add, and enter a name to which users can associate their VPN connections. For example, SSLVPNClient.
8. Click OK, and then click OK again.
9. At the bottom of the ASDM window, check the Allow user to select connection, identified by alias in the table above at login page check box, and click Apply.

Step 7. Configure NAT Exemption for AnyConnect Clients

NAT exemption should be configured for any IP addresses or ranges you want to allow the SSL VPN clients to access. In this example, the SSL VPN clients need access to the internal IP 192.168.50.5 only.

Note: If NAT-control is not enabled, this step is not required. Use the show run nat-control command to verify. In order to verify through ASDM, click Configuration, click Firewall, and choose Nat Rules. If the Enable traffic through the firewall without address translation check box is checked, you can skip this step.

ASDM Procedure

1. Click Configuration, and then click Firewall.
2. Choose Nat Rules, and click Add.
3. Choose Add NAT Exempt Rule, and enter these values:
   * Action: Exempt
   * Interface: inside
   * Source: 192.168.50.5
   * Destination: 192.168.25.0/24
   * NAT Exempt Direction: NAT Exempt outbound traffic from interface ‘inside’ to lower security interfaces (Default)
4. Click OK, and then click Apply.

Step 8. Add Users to the Local Database

If you use local authentication (the default), you must define user names and passwords in the local database for user authentication.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand AAA Setup, and choose Local Users.
3. Click Add, and enter these values:
   * Username: matthewp
   * Password: p@ssw0rd
   * Confirm Password: p@ssw0rd
4. Select the No ASDM, SSH, Telnet or Console Access radio button.
5. Click OK, and then click Apply.
6. Repeat this step for additional users, and then click Save.

Verify SSL VPN Client Connections

Use the show vpn-sessiondb svc command in order to verify connected SSL VPN clients.

ciscoasa(config-group-policy)#show vpn-sessiondb svc

Session Type: SVC

Username : matthewp Index : 6
Assigned IP : 192.168.25.1 Public IP : 172.18.12.111
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
Encryption : RC4 AES128 Hashing : SHA1
Bytes Tx : 35466 Bytes Rx : 27543
Group Policy : SSLClientPolicy Tunnel Group : SSLClientProfile
Login Time : 20:06:59 UTC Tue Oct 16 2007
Duration : 0h:00m:12s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

ciscoasa(config-group-policy)#

The vpn-sessiondb logoff name username command logs off users by user name. An Administrator Reset message is sent to the user when disconnected.

ciscoasa(config)#vpn-sessiondb logoff name matthewp
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name “matthewp” logged off : 1

ciscoasa(config)#

Categories
Encryption Linux Passwords Windows

Linux User & Group Management Add Delete Change

useradd – Adding a new user
Options:

* -d home directory
* -s starting program (shell)
* -p password (useradd expects the already-encrypted value that goes into /etc/shadow; anything given on the command line is also visible in the process list and shell history, so setting the password with passwd after the account exists is the safer choice)
* -g (primary group assigned to the user)
* -G (other groups the user belongs to)
* -m (create the user’s home directory)

Example: To add a new user with

* a primary group of users
* a second group mgmt
* starting shell /bin/bash
* password of xxxx
* home directory of roger
* create home directory
* a login name of roger

useradd -gusers -Gmgmt -s/bin/bash -pxxxx -d/home/roger -m roger

usermod – Modifying existing user

Options:

* -d home directory
* -s starting program (shell)
* -p password
* -g (primary group assigned to the user)
* -G (other groups the user belongs to; this list replaces the current supplementary groups)
* -a (append the groups given with -G instead of replacing the existing ones)

Example: To add the group ‘others’ to the user roger (with -a, so roger keeps the mgmt group; without it, -G would replace the existing supplementary groups)
usermod -aG others roger

userdel – Deleting a user

Options:

* -r (remove home directory)

Example: To remove the user ‘roger’ and his home directory
userdel -r roger

passwd – User’s Password
Options:

* user’s name (Only required if you are root and want to change another user’s password)

Example: To change the password for the account you are currently logged in as…

passwd
Enter existing password
Enter new password
Enter new password again (to validate)

Example: To change the password for the user ‘roger’ (only if you are logged in as root)…

passwd roger
Enter existing password (can be either roger’s password or root’s password)
Enter new password
Enter new password again (to validate)

Where user and group information stored

User names and primary groups are stored in /etc/passwd. This file can be directly edited using the ‘vi’ editor, although this is not recommended. Format of the file is…

* User name (normally all lower case)
* Password (encrypted – only contains the letter ‘x’)
* User ID (a unique number of each user)
* Primary Group ID
* Comment (Normally the person’s full name)
* Home directory (normally /home/
* Default shell (normally /bin/bash)

Each field is separated by a colon.

Passwords for each user are stored in /etc/shadow. This file should only be changed using the passwd command.

Group information is stored in /etc/group. This file can be directly edited using the ‘vi’ editor. Format of the file is…

* Group name
* Group password (hardly ever used)
* Group ID
* User names (separated by commas)

Each field is separated by a colon.
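The colon-separated formats just described are also the quickest way to check what the useradd and usermod steps above actually produced. As an added example (not part of the original page), the script below reads constructed copies of /etc/passwd and /etc/group, reports a user's primary and supplementary groups, and audits the password field for entries that bypass /etc/shadow; the sample users and the function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the original page: read the /etc/passwd and
# /etc/group formats described above. Both files are constructed samples.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
roger:x:1001:100:Roger:/home/roger:/bin/bash
backup:x:0:0:legacy backup:/root:/bin/sh
svc:$6$saltsalt$hashhashhash:1002:100:service:/var/lib/svc:/bin/sh
guest::1003:100:guest:/home/guest:/bin/bash'

SAMPLE_GROUP='root:x:0:
users:x:100:
mgmt:x:200:roger
others:x:201:roger,svc'

# user_groups <name>: primary group (resolved from the GID in passwd) followed
# by every group in /etc/group whose member list names the user.
user_groups() {
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { primary = $1; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) extra = extra " " $1
        }
        END { print primary extra }'
}

# passwd_audit: one line per entry that is malformed, can log in without a
# password, keeps its hash in passwd instead of /etc/shadow, or shares UID 0
# with root. No output means the file looks clean.
passwd_audit() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '
        NF != 7                 { print $1 ": malformed entry (" NF " fields)"; next }
        $2 == ""                { print $1 ": empty password field (login without a password)"; next }
        $2 != "x"               { print $1 ": hash stored in passwd instead of /etc/shadow"; next }
        $3 == 0 && $1 != "root" { print $1 ": UID 0 duplicate of root" }'
}

user_groups roger
passwd_audit
```

Point SAMPLE_PASSWD and SAMPLE_GROUP at the real files to run it on a live system.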

Default files

When a new user is created, the default files and directories that are created are stored in /etc/skel.

This directory can be modified to fit your needs. Modifications only affect new users and do not change anything for existing users.

su – Switch User

To switch to another user, use the su command. This is most commonly used to switch to the root account.

Example: To switch to root account…
su
Enter root’s passwd

Example: To switch to the user ‘roger’…
su roger
Enter roger’s or root’s passwd

To return to the original user, enter exit.

Categories
Encryption SSH System Process Windows

Windows Process Information: sshd.exe

Process name: Cygwin OpenSSH Secure Shell Daemon

sshd.exe is a process belonging to the Cygwin OpenSSH Secure Shell Daemon, which offers an encrypted and secure shell across the Internet. If you don’t know why OpenSSH is on your system, you almost certainly do NOT want it. It is not installed by anything as default, and by its nature it can be used to bypass traditional security precautions.

Recommendation

sshd.exe should not be disabled as it is required for essential applications to function properly.