Cyber Hygiene Basics

The following is a list of very simple cyber security things you can do to protect your digital life.

  1. Use a password manager.  I recommend LastPass as it is exceedingly useful, accessible from many devices and relatively cheap.  It costs $2/month for premium users and includes a feature called Security Challenge which allows you to evaluate the strength of your credentials.
  2. Patch and patch often, in fact just set Windows Update to automatic!  (Windows 7 and Vista, Windows 10)
  3. Anti-malware… Windows Defender (SCEP) comes standard on Windows 10 and you should be using it!
  4. Firewall… if it is disabled, you’ll have trouble.  Enable it and keep it running!
  5. Do not plug in USB flash/thumb drives that you do not own or whose origin you are not certain of.
  6. Same goes for unknown software.  Be sure you are aware of what you’re installing and that it comes from a solid source.
  7. Do not click on links within emails!!!!  If you want to go to some site like your bank or something, open a web browser separately and access your bank the “normal” way you’ve been trained to do.  Even if the email looks legit… never click on the links!
  8. Never trust “open” or free wifi!!!!!   Look into tethering your cell phone’s data to your laptop or tablet rather than using that “free” internet from the local internet cafe.  If you’ve been trained in network security and protecting yourself, then you can get away with the risk… but if you are not… please do not connect to free wifi!
  9. Backup, backup, and backup!  Use a good online backup service like Crashplan to keep copies of your data.  They are cheap, roughly $10/month/device, but it is well worth the cost if your laptop is stolen, destroyed or hacked.

Lastly, I want to leave you with the simplest recommendation of all… keep track of all your computers and devices!

Moran IT Content Signing

Tanium content published by Moran IT is signed with our organization’s private key.  By placing our public key within a special directory of your server, you can safely import content Moran IT has signed and published.

We have put together a zip file with our public keys and an installer batch script.  If you download the zip file to your Tanium server and execute the batch script, as administrator, your infrastructure will be updated to accept signed content from Moran IT.

This content is published and shared on the Tanium Community website, and adding our keys lets your server confirm that content delivered from Moran IT really was signed by us.

If you would like to set up your own signing keys and process… feel free to ask questions here or contact your TAM and mention this blog.

If you’d like to explore the various solutions I’ve built for Tanium, you can browse them here.

Configuring Windows Update with Tanium

There really are only two ways to configure the Windows Update Agent:  manually through the UI or through the Windows Update API.  Unfortunately, as an enterprise admin you need command line utilities to configure endpoints, and Microsoft does not provide one.  Thus, I’ve put together a really quick command line utility that uses the Windows Update API to allow you to configure it using our favorite platform… Tanium.

Download Solution Pack

First thing you must do is download the entire Tanium solution pack for Windows Update.   Once you’ve downloaded the Windows_Update.xml, you must import it through your Console->Authoring->Import Content.


You’ll find it contains multiple sensors, packages and saved questions for reading and changing the configuration.

Ensure Package Files Download

One of the packages requires external files that are downloaded from files.danielheth.com.  These files are served up via HTTPS and thus you must configure my Certificate Authority in order for your Tanium Server to properly download from that location.  You must also configure a White Listed URL.  You can read more about doing this at https://danielheth.com/2015/02/02/secure-downloading-of-package-files-with-tanium/

OR you can simply download the three files manually and update the Distribute Windows Update Tools package.  We will explore this second option in this article:

Download all following files:

  1. https://files.danielheth.com/7za.exe
  2. https://files.danielheth.com/install-wu4tanium.vbs
  3. https://files.danielheth.com/wu4tanium.zip

Then edit the Distribute Windows Update Tools package by going to Console->Authoring->Packages, filtering by “Distribute Windows Update Tools” and editing the correct package.  Then “Delete” all three files linked to this package…


Now we will “Add Local Files…” for each of the three files we downloaded earlier.


Now that we have all three “local” files uploaded into the package we’re ready to start using this solution…

Windows Update Dashboard

Included in the solution pack is a new dashboard which groups all the functionality together in a single location.  Browse to that dashboard by looking under “Other Dashboards” and finding the one called Windows Update.


As you can see from the screenshot, there are two included saved questions.  One lets you know about the installation status of the special utility we’re using and the other uses that utility to return the current status of the Windows Update Agent using the API.

Deploy Windows Update Tools

I already have one system deployed with the utility, but my other 9+ systems do not have it.  I can drill down to determine what the names of these systems are and distribute to specific machines, but I want my entire infrastructure to have this utility.  Thus I will right click on the “No” answer and deploy the package we edited before, the Distribute Windows Update Tools package.  Complete the deployment of that action and within 10 or so minutes, you should start seeing the Windows Update Configuration appear in the right answer grid.


Configure Windows Update Status

The Windows Update Agent has a few modes of operation:

  • Not Configured means “not configured” by the user or by a Group Policy administrator.  Users are periodically prompted to configure Automatic Updates.
  • Disabled is self explanatory… Users are not notified of important updates for the computer.
  • Notify Before Download prompts users to approve updates before it downloads or installs the updates.
  • Notify Before Installation will download the updates but prompt users to approve the updates before installation.
  • Scheduled Installation will automatically install updates according to the schedule that is configured by the user or by the wu4tanium utility.

To make changing this mode-of-operation status easy, I’ve included a Configure Windows Update Status package with the above described options.  Select the configuration answers that are not configured as you want and launch this package to change it.


Configure Windows Update Schedule

If you chose to schedule the automatic installation of updates you can use the Configure Windows Update Schedule package to change the day and time updates will install.

I would like all my systems to download and automatically install updates every day at 1am.  To do that, select all the configurations that do not match your desires, Right click and Deploy Action.  Select the Configure Windows Update Schedule package from the dropdown and two parameters will appear.  One to specify the day of the week and the other the hour.  The hour is specified in 24-hour “military” time and is only configurable for on-the-hour.


After 10 minutes, the Windows Update Configuration answer grid will start updating with the newly configured schedule.  The Windows Update Config sensor is set with a max age of 10min, thus we must wait that long before the sensor’s script is executed again and the new configuration starts appearing in the answer grid.

Conclusion

I hope this helps those of you who wish to use the Windows Update Agent to update your systems rather than using a more involved patching solution. 

Note that this solution DOES NOT USE the Tanium file/shard downloading functionality… each endpoint will download updates directly from Microsoft.

Also I have only tested this on Windows 7 systems.  It is possible the Windows Update API will not function as coded on other versions of Windows.  If you wish to view the code for the wu4tanium utility, it is available on github.  Feel free to fork that project to add functionality or compatibility with other versions of Windows.

Secure Downloading of Package Files with Tanium

As you are building content, specifically packages, for Tanium, you may find you need to add one or more files related to the package.  Often you want TLS to secure those files and thus download them via HTTPS.  If you’re like me, your organization has its own certificate authority and you sign your own website certificates.  As such, you must give Tanium your CA certificate so it can validate any of your web servers whose certificates are signed by this custom CA.  This is extremely easy to do…

Certificate Chain

Tanium stores the authorized certificate chain within a subdirectory of the Tanium Server…  \Program Files\Tanium\Tanium Server\Apache24\conf\installedcacert.crt

Tanium reserves the right to change this file as they see fit… thus we must copy this file, add the text version of our company’s CA to the copy, and save it to a new location.

For my “company”, Moran IT… Our public certificate looks like this in text form:


The first two lines are just a marker… simply copy/paste the above orange text into the installedcacert.crt file and save it as \Program Files\Tanium\Tanium Server\Apache24\conf\mit-installedcacert.crt

If you have any issues getting a text version of your CA certificate… Read up on reformatting a certificate:  https://kb.tanium.com/Certificate_Management#Reformatting_a_Signed_Certificate

Modify Registry and Restart Services

Now we need to tell Tanium where our newly modified CA chain file is.  Browse to HKLM\Software\Wow6432Node\Tanium\Tanium Server     And edit the TrustedCertPath variable by adding a “mit-“ to the beginning of the filename.


Now we just need to restart the Tanium Server and Apache services to have our new certificate authority chain load.
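
The bundle-building step above, as an added Python example (not part of the original post and not Tanium tooling): it appends a CA to a copy of the stock bundle only when the CA's SHA-256 fingerprint matches a value obtained out of band, skips a CA that is already present, and rejects PEM text whose dashes a web page or mail client turned into typographic dashes. The function names are assumptions for illustration, and the sample "certificates" are constructed placeholder bytes, not real X.509.

```python
import hashlib
import ssl
from pathlib import PureWindowsPath

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_blocks(text):
    """Return each PEM certificate block in text, in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == PEM_BEGIN:
            current = [line]
        elif current is not None:
            current.append(line)
            if line == PEM_END:
                blocks.append("\n".join(current) + "\n")
                current = None
    return blocks


def fingerprint(pem):
    """SHA-256 of the certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def build_bundle(stock_bundle, ca_text, expected_sha256):
    """Return the stock bundle text with one verified CA appended."""
    # Text copied from a web page or e-mail may carry typographic dashes
    # instead of "-----"; such markers are not valid PEM.
    if "\u2014" in ca_text or "\u2013" in ca_text:
        raise ValueError("typographic dashes in PEM text; re-export the CA")
    found = pem_blocks(ca_text)
    if len(found) != 1:
        raise ValueError("expected one certificate, found %d" % len(found))
    ca = found[0]
    wanted = expected_sha256.replace(":", "").lower()
    if fingerprint(ca) != wanted:
        raise ValueError("fingerprint mismatch; CA not added")
    if fingerprint(ca) in {fingerprint(b) for b in pem_blocks(stock_bundle)}:
        return stock_bundle  # already trusted, nothing to append
    return stock_bundle.rstrip("\n") + "\n\n" + ca


def prefixed_path(trusted_cert_path, prefix="mit-"):
    """New TrustedCertPath value: same directory, prefixed file name."""
    p = PureWindowsPath(trusted_cert_path)
    return str(p.with_name(prefix + p.name))


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for real certificates.
    stock = "Stock Root\n==========\n" + ssl.DER_cert_to_PEM_cert(b"constructed stock root")
    ca_der = b"constructed company CA"
    ca_pem = ssl.DER_cert_to_PEM_cert(ca_der)
    pinned = hashlib.sha256(ca_der).hexdigest()  # in practice: obtained out of band
    merged = build_bundle(stock, ca_pem, pinned)
    print(len(pem_blocks(merged)), "certificates in the new bundle")
    print(prefixed_path(r"\Program Files\Tanium\Tanium Server\Apache24\conf\installedcacert.crt"))
```

The fingerprint compared here is the same value `openssl x509 -noout -fingerprint -sha256` prints for a real certificate, with or without the colons.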

Conclusion

The topic I just covered is detailed in the Troubleshooting_Packages kb article over in the Tanium KB, but I find a personal walkthrough can be helpful.

If you are using any packages that download files from files.danielheth.com, you will need to copy the above orange text into your installedcacert.crt file to allow that download to happen properly.  Otherwise you will always receive the “SSL cannot be verified…” error.

One last thing: you will likely need to add files.danielheth.com to your whitelisted URLs.  This can be done within Console->Administration->Whitelisted URLs, then “Add New URL Expression” as follows:


Creating OpenVPN Server and Setting up OpenVPN Clients

I recently set up a remote office that houses my huge Virtual Host machine and wanted private/encrypted access to that network from wherever I am.  Thus I turned to OpenVPN as a solution after a little bit of research (see this BestVPN Article).  This article covers the basics of setting up an OpenVPN server on an Ubuntu server sitting behind a NAT firewall.

Let’s start on the Ubuntu Server…
Enter root first…

$ sudo su

Setup OpenVPN Server

Starting with a Ubuntu computer you’d like to make the OpenVPN Server… Install OpenVPN and Easy-RSA

$ apt-get install openvpn easy-rsa -y

Certificates

The first thing to know about OpenVPN is we’ll be setting things up to use certificates.  It is the most secure method and requires you to manually distribute the client certificates and configuration files.  The method you choose determines the security.  Most secure is to hand deliver the certs on an encrypted thumb drive.

Certificate Authority

To set up your own Certificate Authority (CA) and generate certificates and keys for an OpenVPN server and multiple clients, first copy the easy-rsa directory to /etc/openvpn.

$ mkdir /etc/openvpn/easy-rsa
$ cp -rf /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
$ vi /etc/openvpn/easy-rsa/vars

Then change the values to match your country, state, city, mail ID, etc.

export KEY_COUNTRY="CountryCode"
export KEY_PROVINCE="MyStateOrProvince"
export KEY_CITY="MyCity"
export KEY_ORG="Organization Name"
export KEY_EMAIL="vpn@example.com"
export KEY_CN=MyVPN
export KEY_NAME=MyVPN
export KEY_OU=MyVPN

Enter the following to generate the master Certificate Authority (CA) certificate and key:

$ cd /etc/openvpn/easy-rsa/
$ cp openssl-1.0.0.cnf openssl.cnf
$ source vars
$ ./clean-all

Run the following command to generate CA certificate and CA key:

$ ./build-ca

Server Certificates

Next, we will generate a certificate and private key for the server:

$ ./build-key-server server

Client Certificates

Each client will need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal while being user root:

$ ./build-key client

Generate Diffie Hellman Parameter

This generates Diffie-Hellman parameters unique to our VPN server. Enter the following command to generate the DH parameters.

$ ./build-dh

Go to the directory /etc/openvpn/easy-rsa/keys/ and enter the following command to transfer the above files to /etc/openvpn/ directory.

$ cd /etc/openvpn/easy-rsa/keys/
$ cp dh1024.pem ca.crt server.crt server.key /etc/openvpn/

Client Configuration File

We need to copy and edit the client configuration file.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.ovpn

Edit the file client.ovpn:
$ vi /etc/openvpn/client.ovpn

Set the VPN server host name/IP address:

remote [public ip or hostname of your vpn server] 1194

Distributing Client Certificates

You must copy all client certificates and keys to the remote VPN clients in order to authenticate to the VPN server. In our case, we have generated certificates and keys to only one client, so we have to copy the following files to the VPN client.

ca.crt
client.crt
client.key
client.ovpn

You have to copy the above files to your VPN clients securely. Copy the keys with caution. If anyone gets ahold of your keys, they can easily intrude and get full access to your virtual private network.

Configuring VPN Server

Copy the file server.conf.gz file to /etc/openvpn/ directory.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

Extract the file using the following command:
$ gzip -d /etc/openvpn/server.conf.gz

Edit file server.conf,
$ vi /etc/openvpn/server.conf

Find and uncomment the following lines to route client systems traffic through OpenVPN server.

[…]
push "redirect-gateway def1 bypass-dhcp"
[…]

Also, Uncomment and change the DNS servers to reflect your own DNS values. Here I am using Google public DNS servers.

[…]
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
[…]

Uncomment the following lines:

[…]
user nobody
group nogroup
[…]

Save and close the file.
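
A check that the server.conf edits above actually took effect, as an added Python example (not part of the original post or of OpenVPN): it parses the active directives and reports a missing privilege drop, a missing redirect-gateway or DNS push, typographic quotes pasted in from a web page, and a Diffie-Hellman file whose name suggests parameters shorter than 2048 bits. The function names, finding codes and the constructed config excerpt are assumptions for illustration; the DH check is a file-name heuristic.

```python
import re
import shlex

# Constructed excerpt modelled on the directives this article edits.
STOCK_EXCERPT = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nogroup
"""
# The same excerpt with every ';' comment marker removed (the edits above).
EDITED = STOCK_EXCERPT.replace("\n;", "\n")


def parse_directives(conf_text):
    """Return {name: [args, ...]} for every active (uncommented) directive."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # both characters start a comment
            continue
        tokens = shlex.split(line, comments=True)  # handles "..." and trailing '#'
        if tokens:
            found.setdefault(tokens[0], []).append(tokens[1:])
    return found


def audit(conf_text):
    """Return [(code, message), ...]; an empty list means every check passed."""
    if re.search("[\u201c\u201d\u2018\u2019]", conf_text):
        # Typographic quotes are not ASCII quotes, so a pasted push line
        # is not parsed as the single quoted option it was meant to be.
        return [("curly-quotes", "retype typographic quotes as plain ASCII quotes")]
    try:
        conf = parse_directives(conf_text)
    except ValueError as exc:                # unbalanced quote on some line
        return [("parse-error", str(exc))]

    findings = []
    for name in ("ca", "cert", "key", "dh"):
        if name not in conf:
            findings.append(("missing-" + name, name + " is not set"))
    for name, value in (("user", "nobody"), ("group", "nogroup")):
        if name not in conf:
            findings.append(("no-" + name,
                             "daemon keeps its startup privileges: set %s %s" % (name, value)))

    pushes = [args[0] for args in conf.get("push", []) if args]
    full_tunnel = any(p.startswith("redirect-gateway") for p in pushes)
    pushes_dns = any(p.startswith("dhcp-option DNS ") for p in pushes)
    if not full_tunnel:
        findings.append(("split-tunnel", "redirect-gateway is not pushed"))
    elif not pushes_dns:
        findings.append(("dns-not-pushed", "clients keep their existing DNS resolver"))

    for args in conf.get("dh", []):
        # Heuristic: easy-rsa names the file after the bit length (dh1024.pem).
        bits = re.search(r"\d{3,5}", args[0]) if args else None
        if bits and int(bits.group()) < 2048:
            findings.append(("weak-dh", "%s: use at least 2048-bit parameters" % args[0]))
    return findings


if __name__ == "__main__":
    for label, text in (("stock", STOCK_EXCERPT), ("edited", EDITED)):
        print(label, [code for code, _ in audit(text)])
```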

IP forwarding and routing Configuration

Edit sysctl.conf file,
$ vi /etc/sysctl.conf

Find the following line and set value “1” to enable IP forwarding.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Run the following command to apply the sysctl changes.
$ sysctl -p

Enter the following command to enable IP forwarding:
$ echo 1 > /proc/sys/net/ipv4/ip_forward

Start OpenVPN Server

Finally, start the openvpn service and make it start automatically on every reboot using the following commands:
$ service openvpn start

Verify if VPN interface(tun0) is created using ifconfig command:
$ ifconfig

Network Router Configuration

We need to do two things on your router and how you do them greatly depends on your router.  I’m assuming you have a hardware router hooked up to your DSL, Cable or other type of internet connection and you’re setting up a Ubuntu VPN server on the internal network and want to access other computers on that internal network once your remote clients have authenticated into the VPN tunnel.

1. Your VPN server should have an internal static IP address… We need to tell your router to route all 10.8.0.0 traffic to your VPN server so when your VPN clients connect they can communicate with your internal network.

2. Open external port 1194 tcp and udp and point it at your VPN server’s internal static IP address.

Clients

Now we have the files needed to put on your clients, your server is all setup, and your router is configured correctly… it’s time to look at setting up clients.  I created a client certificate for each of my three workstations… each running a different OS:  Mac OS X, Ubuntu 14.04, and Windows 7.  I want to validate and connect into my VPN remote network from all three systems… but configuring their client is slightly different on each.  Below I go into details on setting each one up.

Ubuntu Client

I’ll assume you are using this system as a Ubuntu workstation/laptop and have a graphical interface… thus want to use Network Manager to connect in.  First we’ll need to install two items:
$ sudo apt-get install openvpn network-manager-openvpn

Navigate…
System Settings->Network->+ (hit plus in bottom left)
Choose VPN interface and hit Create
Select OpenVPN from the type list and hit Create
Specify the Gateway (public ip or domain name of your vpn server)
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.

Save that and you’re done.  You should now connect into your VPN and run a few ping and other tests. 

Mac Client

My primary laptop is a Mac, so let’s go there next.  Here you’ll need to install a VPN client application called TunnelBlick.  https://www.tunnelblick.net/

Once you’ve installed the application, you need to double-click on your client.ovpn file.  The ovpn file type was associated with Tunnelblick when it was installed, so the file will open in Tunnelblick, allowing you to add that connection to your available list.  Once done, simply connect into the VPN and run your tests.

Windows Client

Visit http://sourceforge.net/projects/securepoint and download the windows OpenVPN client.
Launch the Securepoint SSL VPN client, dbl click the tray icon when it appears, and select New. 
Next
Enter Name of your VPN Connection and hit Next
Enter the Public IP or Domain Name of your VPN server, the port you configured (default is 1194) and I prefer TCP connections due to reliability reasons… then hit Next
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.
Hit Next
Under Advanced Settings
– check the “Comp-LZO” checkbox
– uncheck the “Auth user/pass” checkbox
– leave all others at their Defaults
hit Next
Lastly hit Finish

 

All done… let me know if you have any questions below.

Add Intelligence to your Home

I hobby in home automation and love to fiddle around with my home’s system.  As such, I was recently asked to design a system for someone’s new home. New to them, but the home is considered an “existing” home since it is fully built.  This is important to remember when designing a home automation solution for someone.

The following is what I recommended to them, figured you guys would be interested in some of the decisions I’d made regarding their new HS solution:

———————————————————–
Wireless Internet Router:
Before I decided on a business class non-wireless router… I was looking seriously at this one:

ASUS RT-ACU Dual-Band ($192.99) http://www.newegg.com/Product/Product.aspx?Item=N82E16833320115

But that might be too expensive… so go with one of its cheaper models ($107.99): http://www.newegg.com/Product/Product.aspx?Item=33-320-062%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20

Either one will set you up for wireless within the house. If you want to extend that coverage to a majority of your yard… consider going with a high-power wireless access point ($275): http://www.newegg.com/Product/Product.aspx?Item=N82E16833168099 This would extend your wireless coverage to a major portion of your yard.

If you’ll be adding a separate shop like your current one, you have two options for internet connections out there…

  1. Underground Wiring: http://www.platt.com/platt-electric-supply/Category-Cables-Cable-Outdoor-Rated/Honeywell-Genesis/50901008/product.aspx?zpid=611774
  2. Get a second outdoor access point to connect your house and shop together.

Reasons for connecting your shop…

  • a. you could setup a computer in the shop which is connected to a big screen TV. This could be a cheap one like the one for computer control… and it would run a program which puts the security system up on the TV.
  • b. Wireless internet would keep your cellular data usage on your phone low while you’re out there… pulling up video cameras takes a lot of bandwidth. If you’re on your cellular connection, better hope you have unlimited internet… otherwise be near a wireless access point.
  • c. If you choose not to run video surveillance wires to your shop… you can pick up wireless or wired IP cameras which will let you monitor them.

———————————————————–
Computer Control ~ $250
Would Need: PC, Controller, Modules — Cost: $159.94 + (each light) 38.81… plus shipping
You don’t need a super powerful system as the brain for your home. It basically does a lot of "watching" of sensors which is not particularly resource intensive.

I’d go with something like this ($109.99): http://www.newegg.com/Product/Product.aspx?Item=N82E16883255979

To control stuff you’ll need a Z-Wave Controller ($49.95): http://store.homeseer.com/store/Aeon-Labs-Aeotec-Z-Stick-S2-Z-Wave-USB-Interface-P746C66.aspx

Appliance/Lighting modules to control desk lamps and such…

Other Z-Wave Recommendations

———————————————————–
Security ~ $250
Need: Alarm System Kit, Door/window sensors and Wire… Costs: $221 + (each door/window) $1.57 + (each motion) $15.55 + $40… + shipping

The security system comes in a kit with almost everything for the core system: http://store.homeseer.com/store/DSC-KIT32-219CP01NT-Hybrid-Wireless-Security-System-Kit-P1154C236.aspx (you’ll need the kit $213.50 + AC Power Transformer $7.50 + IT-100 Integration Interface $59.94 [get the it-100 interface if you’re doing the computer control])

Just because you pick and install the security system yourself doesn’t mean you can’t get professional security monitoring ($8.95/month): http://www.smarthome.com/alarm.html

SENSORS:
I’d also recommend wiring it yourself… it’s a hell of a lot cheaper, and I believe it is more reliable.

You’ll also need 4-conductor wire, for wiring the keypad to the box and computer if you wanted that.

Wireless sensors are a lot more expensive but save a lot in labor.
If you go wireless, you’ll require a wireless signal receiver ($55.18): http://store.homeseer.com/store/DSC-RF5132-433-PowerSeries-Wireless-Receiver-P1159C235.aspx

———————————————————–
Video Surveillance

You have two main options for video…

  1. Use a DVR, which is a single-purpose device and records the connected cameras for upwards of 1-2 weeks with the starter 4 cameras. This option includes an iPhone app, but it too is single purpose and can only view cameras; a separate app is required for home control and remote security. This option can be WAY cheaper than option 2…
  2. Use wired or wireless IP cameras. This option is more expensive because each camera is a self-contained mini computer which connects to your wireless router or wired in using cat5 cable.

OPTION 1 – self contained DVR.
Need: DVR 4-camera Kit… Costs: $249 + $79… + shipping
I’d recommend you go with a DVR; this one is 8-channel with 4 cameras and wire included: http://www.newegg.com/Product/Product.aspx?Item=N82E16881192198

It doesn’t have a hard drive, so you’ll want to pick one up… 1Tb Hard Drive ($79): http://www.newegg.com/Product/Product.aspx?Item=N82E16822136776 (avoid Seagate since they can get really hot)

This DVR has 8 channels… so you can add 4 more cameras, includes wire, for only ($109): http://www.newegg.com/Product/Product.aspx?Item=81-339-014&ParentOnly=1

The DVR supports up to (2) 1Tb hard drives… Each camera will provide 30gigs of video every 24 hours. So with this 4 camera system… a 1Tb hard drive will support a week’s worth of video. If you add the additional 4 cameras, that’ll cut it to only 3.5 days, so get a second 1Tb hard drive to keep it at a week.

OPTION 2 – IP Camera, recorded on the computer
Need: IP Camera… Costs: $30 + (each camera) $100
If you want live monitoring this is great and can be fully integrated into the home control/security iPhone app and doesn’t require any additional equipment.

If you want to record it, then a cheap $30 software (http://www.blueirissoftware.com/) will turn the control computer into a DVR…just remember to get a large hard drive.

For wireless, I’d recommend getting the more expensive router or the outdoor one since video is bandwidth heavy.

Lots of wireless cameras are available here (avg $100/ea): http://store.homeseer.com/store/Netcams-C194.aspx

For wired cameras, use the Foscam wide angle ethernet cameras ($105): http://www.newegg.com/Product/Product.aspx?Item=9SIA1R00M31192

Foscam also has a wired/wireless version, but not wide angle ($95): http://www.newegg.com/Product/Product.aspx?Item=9SIA1PK0MG8083

I would highly recommend wide angle… it distorts the image but shows you more without having to push the camera further away from your target.

 

If you have recommendations, alternatives, or just want to comment, leave it below… I respond to all, but spam.

TMG and BigFix BESClient

No series of posts would be complete if I didn’t relate it back to my new fabulous job somehow…

The Microsoft Threat Management Gateway is secure by default.  This means everything you want to do or rather connect to online must be configured properly within the TMG console.  The BigFix Enterprise Client is no different.

By default the BigFix infrastructure communicates on port 52311.  Therefore we must let TMG know that we’d like our clients to talk over this port.

Below is a graphical step by step on how this is done:

1. Let’s start by creating a new row…

ForeFront TMG->Firewall Policy->Tasks (tab)->Create Access Rule


2. Of course we’ll be Allowing this port to communicate


3. We’ll be creating a brand new protocol… so hit Add then in the Add Protocols window click New->Protocol


4. Name your protocol…


5. We’ll be adding the BigFix TCP port 52311 here… (You may have deployed via a different port… specify your custom BigFix port here…)


6. We have no secondary connections that are needed… so click next and hit finish


7. Next we will expand the “User-Defined” branch and choose our “BigFix Communication Protocol” we just defined and hit Add->Close->Next


8. Specify who is allowed to communicate… Source which should be your internal network.


9. And specify our destination which in my case I am setting up a secondary site and all these clients will communicate with my BigFix Root server somewhere else on the internet.  (later on I’ll setup a relay on one of the computers at this location and adjust TMG firewall rules.)


10.  Because BigFix is my main management for all my computers, I want every computer to have permissions to communicate via this port… so I’ll leave the default “All Users” here… Next->Finish


 

We’ll probably want to make sure this is our first firewall rule so it is not interfered with by some other rule.  After hitting finish it should look like this:


Lastly we’ll need to “Apply” this new rule set in order to get things working.


Compiling NMap on a fresh install of SuSE 11.0

So, I’m researching the NMAP tool from Insecure.org… and needed to compile it on my various linux test boxes.

suse1:~/nmap # ./configure
checking whether NLS is requested… yes
checking build system type… i686-pc-linux-gnu
checking host system type… i686-pc-linux-gnu
checking for gcc… no
checking for cc… no
checking for cl.exe… no
configure: error: in `/root/nmap’:
configure: error: no acceptable C compiler found in $PATH
See `config.log’ for more details.

Only problem is they are fresh installations with the minimum of options during the setup of the computers. IE: I went with basic server options with no additional packages during the install of each flavor of Linux.

So where do I go from here… welp, download and compile of course.
In the end I needed 15 different rpm packages from my SuSE DVD… and they needed to be installed in the following order:

1. gmp-4.2.2-30.1.i586.rpm
2. libmpfr1-2.3.1-4.1.i586.rpm
3. cpp43-4.3.1_20080507-6.1.i586.rpm
4. cpp-4.3-39.1.i586.rpm
5. linux-kernel-headers-2.6.25-8.1.noarch.rpm
6. glibc-devel-2.8-14.1.i586.rpm
7. libstdc++43-devel-4.3.1_20080507-6.1.i586.rpm
8. libstdc++43-4.3.1_20080507-6.1.i586.rpm
9. libgomp43-4.3.1_20080507-6.1.i586.rpm
10. libmudflap43-4.3.1_20080507-6.1.i586.rpm
11. gcc43-4.3.1_20080507-6.1.i586.rpm
12. gcc43-c++-4.3.1_20080507-6.1.i586.rpm
13. gcc-4.3-39.1.i586.rpm
14. gcc-c++-4.3-39.1.i586.rpm
15. make-3.81-103.1.i586.rpm

I’ve posted them at my files website http://files.moranit.com/SuSE11/

After installing all of these, the remaining installation procedure outlined on the nmap website went perfectly… I now have a working version on my SuSE 11.0 test box.