pfSense – SquidGuard and AVScan – Virtual Environment

[Diagram: pfSense – Squid – SSL Interception – SquidGuard Webfilter – AVScan]

The test lab above was built in a VMware vSphere environment. Inside pfSense, SquidGuard and the Squid antivirus scan are enabled at the same time for both HTTP and SSL traffic. Configuring Squid in SSL splice mode makes the AV scan unusable, since spliced traffic is never decrypted; similarly, if we configure it in SSL bump mode, SquidGuard will not work.

To overcome this we can use the solution shown above. We need two pfSense instances to cover the entire solution. I have used two pairs of pfSense on two physical servers to make it an active/standby environment.

The lower tier of pfSense is used as the explicit proxy (Squid and AV), and the upper tier as the web filter.

The diagram above is self-explanatory for advanced pfSense users. I will post the configuration details in the next post. Thank you.

Splunk HA Index Clustering

Splunk Cluster Deployment

Deploying Splunk with HA index clustering is a bit tricky if you don't understand how Splunk actually designed it.

We need at least one master node, one search head and one or more indexers (peer nodes). The basic idea is to replicate index data across the indexers, so if one indexer goes down we still have searchable data.

In the virtual lab I have used four Splunk Enterprise instances, plus a pfSense firewall running HAProxy and a web server (Docker) to generate the syslog that is sent to one indexer.

Webserver – 192.168.200.20
pfSense – 192.168.200.1
Splunk1 (Master) – 192.168.200.11
Splunk2 (Peer – Indexer) – 192.168.200.12
Splunk3 (Search Head) – 192.168.200.13
Splunk4 (Peer – Indexer) – 192.168.200.14

ESXi – all four Splunk instances, the pfSense HAProxy firewall and the web server (Docker on CentOS) installed and running successfully.

My web server – 192.168.200.20, listening on port 4000

Demo Docker hello page

The web server above is behind the pfSense HAProxy firewall, which forwards its logs to a Splunk indexer. We could also have the web server send logs directly to Splunk; I just wanted to simulate an enterprise web environment.

pfSense firewall HAProxy sending logs to Splunk on port 514 –

Splunk4 (192.168.200.14) is configured in the firewall as the destination for the HAProxy syslog.

Configure Master node –

Now log in to Splunk1 – 192.168.200.11 and make it the master node – go to Settings > Distributed Environment > Index Clustering

Click on “Enable index clustering”, select “Master Node” and hit Next.

Make sure your replication factor matches the number of peer nodes you are going to configure. In my case I have two peer nodes to configure. Enable the master node; it will ask for a restart.

Configure Search head –

A search head that performs only searching, and not any indexing, is referred to as a dedicated search head. Search head clusters are groups of search heads that coordinate their activities. We will configure the search head here on the instance 192.168.200.13.

Configure Peer nodes –

In the same way, navigate to Index Clustering on each peer node. In my case Splunk2 (192.168.200.12) and Splunk4 (192.168.200.14) are the peer nodes.

Enter the master URI and port, and make sure the master node is listening on that port. Also enter the secret, if you specified one during the master configuration.

Config Validation –

After successful configuration, the master node, search head and indexers (peers) will look like below.

Master Node

Search head

Indexer – Peer Nodes

Let's Create an Index –

NOTE – When Splunk is part of an index cluster, we should not create any index on the peer nodes or the search head. We create indexes only on the master node. There is no way to create a replicated index via the GUI; it has to be done from the CLI by editing the indexes.conf file.

To edit the indexes.conf file on the master, log in to the Splunk instance via SSH and navigate to

/opt/splunk/etc/master-apps/_cluster/local

*** Set the permissions of indexes.conf to 755 and chown it to splunk:splunk.

Create a file “indexes.conf” and define the index as below – I used the index name “hapxy”, referring to HAProxy.

After creating and saving the file here, log in to the Splunk GUI on the master node and push the config across the peers.

Log in to http://192.168.200.11:8000 and navigate to “Distributed environment” > Index Clustering > Edit > Config bundle Actions

Do “Validate and Check Restart”.

Push the changes by clicking on “Push”.

Now log in to the peer nodes and create a UDP data input for the “hapxy” index. It is not mandatory to create it on both peers; here I have added one input on Splunk4 – 192.168.200.14.

Log in to the Splunk4 GUI and navigate to Settings > Data > Data inputs > UDP > New Local UDP

Set the sourcetype to “Haproxy:http” and select the index “hapxy”.

Now click on “Preview and Submit”. We have now successfully created the index.
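Added example, not from the original post: the same index definition and UDP input written from the shell instead of the GUI, so the two steps above can be repeated or scripted. It assumes SPLUNK_HOME is /opt/splunk, the index name “hapxy” from above, and that push_cluster_bundle runs on the master while write_udp_input runs on the receiving peer; the splunk validate/apply/show cluster-bundle commands are the master's CLI counterparts of the Validate and Push buttons.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalent of the GUI
# index and input steps. Assumes SPLUNK_HOME=/opt/splunk and the index "hapxy".
set -e
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# On the master: define the index inside the _cluster app so the bundle push
# distributes it to every peer. repFactor=auto is what makes the index a
# replicated one; without it each peer would keep its own unreplicated copy.
write_cluster_index() {
    conf_dir="$1"   # normally $SPLUNK_HOME/etc/master-apps/_cluster/local
    idx="$2"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/indexes.conf" <<EOF
[$idx]
homePath   = \$SPLUNK_DB/$idx/db
coldPath   = \$SPLUNK_DB/$idx/colddb
thawedPath = \$SPLUNK_DB/$idx/thaweddb
repFactor  = auto
EOF
    chmod 644 "$conf_dir/indexes.conf"   # a .conf file needs no execute bit
    if id splunk >/dev/null 2>&1; then   # the post's chown, when that user exists
        chown splunk:splunk "$conf_dir/indexes.conf"
    fi
}

# On the master: validate the bundle, push it, then confirm every peer took it.
push_cluster_bundle() {
    "$SPLUNK_HOME/bin/splunk" validate cluster-bundle
    "$SPLUNK_HOME/bin/splunk" apply cluster-bundle --answer-yes
    "$SPLUNK_HOME/bin/splunk" show cluster-bundle-status
}

# On the receiving peer: the UDP input the GUI wizard writes. Port 514 is
# privileged, so a splunkd running as the unprivileged "splunk" user cannot
# bind it; use a port above 1024 (and point pfSense at it) or run as root.
write_udp_input() {
    conf_dir="$1"   # normally $SPLUNK_HOME/etc/apps/search/local
    port="$2"
    idx="$3"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/inputs.conf" <<EOF
[udp://$port]
sourcetype = haproxy:http
index = $idx
connection_host = ip
EOF
}
```

Run write_cluster_index and push_cluster_bundle on the master, then write_udp_input on the peer and restart splunkd there so the new input is picked up.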

Make sure pfSense is sending the logs to this index. Log in to 192.168.200.14 via SSH, run tcpdump and access our website:

# tcpdump -vv -i ens192 port 514

Great, we can see the logs landing on our peer node 192.168.200.14.

Now log in to the peer node GUI; we should see the index event count and be able to search the index – Settings > Indexes

Navigate to Search to search the logs – generally the Splunk home page.

So far we are good: we can see logs on our peer nodes. Now log in to the master node and we should see that the “hapxy” index is in sync.

It's time to log in and initiate our search from the search head – log in to Splunk3 – 192.168.200.13

We are seeing our events while searching from the search head. Great stuff. Now what happens if one indexer fails? Let's do that: log in to one indexer and take it down. SSH to Splunk4 (192.168.200.14), shut it down, and check the status on the master node.

Log in to the master node and navigate to Index Clustering –

Oops, Splunk4 is down. But no worries: let's log in to the search head, where we should still be able to see our data and search it successfully.

YES!!! We are good. We can see all of our logs even with a peer node offline.

Thank you!!!!

ESXi 6.0 not detecting network interface

This is a common problem with ESXi. Though VMware includes most of the well-known network drivers, it still has some limitations.

During my installation I found that the Atheros network adapter was not recognized by ESXi.

So shall I stop here? No, not at all.

What do we need to do?

1) Extract the original ESXi ISO image

2) Include the Atheros network driver for ESXi

3) Build a new ISO

And we are good to go.

Find out your network interface card. During the installation you can always press Alt+F1 and type

# lspci | grep -i net

00:03:05.0 Network controller: Atheros  AR8132 Fast Ethernet Controller

Search for the ESXi driver file (try Google).

I found it here:

https://vibsdepot.v-front.de/wiki/index.php/List_of_currently_available_ESXi_packages

Download the ZIP file or .vib file of the driver. These are community-built packages rather than VMware-signed drivers, so treat the depot as a trusted third party before putting its code on your hypervisor.

Download ESXi-Customizer; it is an easy tool to extract and rebuild the ISO including the driver.

http://vibsdepot.v-front.de/tools/ESXi-Customizer-v2.7.2.exe

And just follow the instructions.

Boot the server with the newly built ISO image and see the magic 🙂

Enjoy!!!

Manage Hyper-V Server 2012 R2 from Windows 7

We can easily manage Hyper-V Server from a Windows 7 machine. Follow the steps below.

First, go to Start – Control Panel and click on Programs.

Next, you’ll see an option to Turn Windows features on or off. Click on this option.

Under Remote Server Administration Tools – Role Administration Tools, find the option for Hyper-V Tools, check the checkbox and click OK.

You can now type Hyper-V Manager at the Start menu or go to Start – Administrative Tools – Hyper-V Manager.

In case you don’t see the RSAT option, download the update below from Microsoft and the option will appear:

https://www.microsoft.com/en-us/download/details.aspx?id=7887

Firefox blocks Flash, and Facebook calls for its death – Source CNN.com

Firefox blocks Flash, and Facebook calls for its death
By David Goldman @DavidGoldmanCNN
Adobe Flash, the much-loathed, bug-plagued relic of a browser plugin, just got a big nail driven into its coffin.

Mozilla blocked Flash by default in its Firefox browser late Monday night, a day after Facebook’s (FB, Tech30) security chief called for Adobe to kill Flash once and for all.

The Flash-bashing picked up last week after revelations that the spyware giant known as the Hacking Team had been using Flash to remotely take over people’s computers and infect them with malware. (That discovery took place after the Hacking Team was itself hacked. Documents revealed in the breach showed that the Hacking Team exploited two critical vulnerabilities in Flash’s code.)

“It is time for Adobe to announce the end-of-life date for Flash,” tweeted Facebook security chief Alex Stamos on Sunday.

Mozilla’s support chief Mark Schmidt quickly followed suit by tweeting that all versions of Flash had been turned off in Firefox. That means Firefox users will not be able to turn on the plug-in to access Flash content — they’ll have to seek out another browser if they need to use Flash.

Adobe (ADBE) did not immediately respond to a request for comment.

The good news for Firefox users is that most won’t notice a change. Just under 11% of websites use Flash, according to W3Techs, a technology survey company.

Flash is a type of software called “middleware,” an add-on extension to the browser that allows rich content to be viewed. It had been widely used a decade ago, powering most of the Web’s games, animations and videos. When YouTube launched in 2005, its videos were entirely Flash-based, requiring its audience to install the Flash plug-in software in order to watch YouTube media.

But the tide began to turn in 2010, when Steve Jobs wrote an open letter rant about Adobe’s security, blaming the company’s Flash player for being “the number one reason Macs crash” and citing Flash for having “one of the worst security records in 2009.”

Jobs was right — Flash does have a miserable security record, and continued to be bug-ridden long after publishing his open letter. It habitually tops Symantec’s annual list of vulnerable plug-in programs.

The iPhone never supported Flash. Though Android smartphones originally supported Flash — and used that fact as a selling point — Adobe killed Flash support for all smartphones in 2011. YouTube began experimenting with playing videos natively in the browser several years ago and officially parted ways with Flash in January 2015.

Despite the clear momentum against Flash, Mozilla said there’s a chance that Flash will be re-enabled on Firefox some day.

“To be clear, Flash is only blocked until Adobe releases a version which isn’t being actively exploited by publicly known vulnerabilities,” Schmidt added.

So it’s not the final nail, but we’re getting closer to Flash’s death.

CNNMoney (New York) July 14, 2015: 11:19 AM ET