Preparing virtual test machine for Ansible

For this example I have used CentOS.

Once you have downloaded the image and created your VM, the first thing to configure is the network interface.

In CentOS this is done through the network scripts, which live in the following directory:

/etc/sysconfig/network-scripts/

In my example I had to amend the ifcfg-ens33 configuration file.

If you use DHCP, the only change you need to make is to set the interface to be activated at boot.
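The boot-activation change above as an added example (not part of the original post): an idempotent helper that sets ONBOOT=yes in an ifcfg file. The file below is a constructed copy of a default DHCP ifcfg-ens33 written to a temp path; on the real VM the file is /etc/sysconfig/network-scripts/ifcfg-ens33, the edit needs root, and a network restart afterwards is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: make the DHCP-configured
# interface come up at boot by setting ONBOOT=yes in its ifcfg file.
# The sample file is constructed; on the VM edit
# /etc/sysconfig/network-scripts/ifcfg-ens33 as root and then restart
# networking (on CentOS 7 that is "systemctl restart network", assumed).

# Set KEY=VALUE in an ifcfg file: rewrite an existing line or append one,
# so rerunning the script never produces duplicate keys.
set_ifcfg_key() {
  file=$1; key=$2; value=$3
  tmp="$file.tmp"
  if grep -q "^$key=" "$file"; then
    sed "s|^$key=.*|$key=$value|" "$file" > "$tmp"
  else
    { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
  fi
  mv "$tmp" "$file"
}

# Read KEY from an ifcfg file (first occurrence; empty when absent).
get_ifcfg_key() {
  sed -n "s|^$2=||p" "$1" | head -n 1
}

# Constructed sample: a minimal-install ifcfg-ens33 that already uses DHCP
# but is not activated at boot.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
NAME=ens33
DEVICE=ens33
ONBOOT=no
EOF

set_ifcfg_key "$demo_file" ONBOOT yes
echo "ONBOOT is now: $(get_ifcfg_key "$demo_file" ONBOOT)"
```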

Then install Ansible as per my other post: https://wordpress.com/post/amionrails.wordpress.com/1790

How to install Ansible on CentOS/Red Hat

This is pretty simple.

  1. Install EPEL first

    sudo yum install epel-release

EPEL has to be added first because the ansible package comes from that repository.

Extra Packages for Enterprise Linux (or EPEL) is a Fedora Special Interest Group that creates, maintains, and manages a high quality set of additional packages for Enterprise Linux, including, but not limited to, Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux (SL), Oracle Linux (OL).

EPEL packages are usually based on their Fedora counterparts and will never conflict with or replace packages in the base Enterprise Linux distributions. EPEL uses much of the same infrastructure as Fedora, including buildsystem, bugzilla instance, updates manager, mirror manager and more.

  2. Install Ansible

Ansible is the simplest way to automate apps and IT infrastructure: application deployment, configuration management and continuous delivery.

    sudo yum install ansible

All done!

List of Security Testing Tools

List of some interesting testing tools:

BackTrack – Open Source Penetration Test Tool
Burp Suite – Professional Software for web security testing
IBM Rational AppScan – Commercial Web Application Security Scanner
Metasploit – Open Source Penetration Test Tool
Nessus – Freeware Network Security Vulnerability Scanner
Nikto – Open Source Web Site Security Scanner
Paros – Freeware Interception Proxy
soapUI – Web Services Testing Tool
sqlmap – Open Source SQL Injection Tool
WebScarab – Freeware Interception Proxy
WSDigger – Freeware Web Services Scanner
WSFuzzer – Freeware Web Service Scanner
ZAP – OWASP Zed Attack Proxy

OWASP Testing Guide v4
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

OWASP Top Ten Project
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Web application Security Consortium (WASC) – 2008 Web Application Security Statistics
http://projects.webappsec.org/w/page/13246989/Web-Application-Security-Statistics

OWASP Developers’ Guide
https://www.owasp.org/index.php/Category:OWASP_Guide_Project

HOW TO FIX LOCAL IP DISCLOSURE IN IIS 7+

This issue does not seem to exist on IIS 8.5 (Windows 2012).

This fix does not remove the IP disclosure for sites that use Windows Authentication (WA).

Settings:

Proper SSL needs to be set up (required).

The site cannot be under WA (Windows Authentication).

https://appstudio.verivo.com/display/coredoc/Configuring+IIS+Security

https://www.iis.net/configreference/system.webserver/serverruntime

  • The alternateHostName attribute specifies a host name that is different from the computer name in the HTTP Content-Location header.

Check configuration

  1. Identify the issue: look for a local IP in the response. The -0 flag forces HTTP/1.0 and the empty -H Host: sends no Host header, which is what makes IIS fall back to its own address in the redirect.

» curl -v -0 -H Host: https://www.example.com/images

* STATE: DO => DO_DONE handle 0x800485f8; line 1357 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x800485f8; line 1484 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x800485f8; line 1494 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: https://xx.xx.xxx.xx/images/        <-- the local IP is there
* Server Microsoft-IIS/7.5 is not blacklisted
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Fri, 16 Dec 2016 13:21:03 GMT
< Connection: close

  2. Check the current config:

C:\Windows\System32\inetsrv>appcmd.exe list config -section:system.webServer/serverRuntime

  3. Set the alternate host name so IIS uses it instead of the machine address:

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"www.example.com" /commit:apphost

  4. Then check it again.

* STATE: DO => DO_DONE handle 0x800485f8; line 1357 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x800485f8; line 1484 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x800485f8; line 1494 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: https://www.example.com/images/
* Server Microsoft-IIS/7.5 is not blacklisted
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Fri, 16 Dec 2016 13:28:16 GMT
< Connection: close
< Content-Length: 174
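The before/after check described above, as an added example that is not part of the original post: a small function that scans a saved curl -v transcript for a private (RFC 1918) IPv4 address in a Location or Content-Location header, so the check can be scripted across many hosts. The two transcripts are constructed samples (the masked address is replaced with a made-up 10.0.0.12).

```shell
#!/bin/sh
# Added example, not from the original post: flag a redirect that leaks an
# internal address. On a live host feed the function like this (assumed):
#   curl -sv -0 -H 'Host:' https://www.example.com/images 2>&1 | leaks_private_ip

# Print the offending header lines. Exit status 0 when a private IPv4
# address is found in Location/Content-Location, 1 when only host names are used.
leaks_private_ip() {
  grep -iE '^< ?(Location|Content-Location): *https?://' \
    | grep -E '://(10\.[0-9]{1,3}(\.[0-9]{1,3}){2}|172\.(1[6-9]|2[0-9]|3[01])(\.[0-9]{1,3}){2}|192\.168(\.[0-9]{1,3}){2})([:/]|$)'
}

# Constructed sample: the response before alternateHostName is set.
bad_response='< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: https://10.0.0.12/images/
< Server: Microsoft-IIS/7.5
< Connection: close'

# Constructed sample: the response after the fix.
good_response='< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: https://www.example.com/images/
< Server: Microsoft-IIS/7.5
< Connection: close'

# $1 = label, $2 = transcript text
report() {
  if printf '%s\n' "$2" | leaks_private_ip; then
    echo "$1: internal IP disclosed in redirect"
  else
    echo "$1: clean"
  fi
}

report before-fix "$bad_response"
report after-fix "$good_response"
```

Public addresses in a redirect are not flagged; only the 10/8, 172.16/12 and 192.168/16 ranges count as a leak here.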

 

Unable to change password because of 'Current Kerberos password'

You have probably installed Kerberos along with your Linux installation, so passwd no longer works for local users.

Run pam-auth-update as root and disable Kerberos authentication to fix this.

Only do this if you don't use Kerberos.

How to decrypt a private key and prepare an SSL certificate for IIS installation

Once you have the necessary files, the encrypted private key and the certificate, do the following.

Decrypt the private key:

openssl rsa -in example.encrypted.key -out example.key

Enter passphrase for example.encrypted.key:

Combine the decrypted key with the certificate into a PKCS#12 (.pfx) file, which IIS can import with the key already in it:

openssl pkcs12 -inkey example.key -in example.crt -export -out example.pfx

You will be asked for an export password; IIS asks for the same password when importing. Delete example.key once the .pfx is created, since it is now unencrypted on disk.

Once done, on the Windows Server use Run -> mmc -> Add/Remove Snap-in -> Certificates and import the certificate, or just double-click the .pfx and add it to the Personal folder under Local Machine.

Many Thanks

Raf