decepticon_eazy_e

Active Members
Posts: 164

Posts posted by decepticon_eazy_e

  1. This is usually the answer to Why Websense?

    Because in a Cisco firewall config you get 2 choices, Websense or Secure Computing (now McAfee). Of those 2 choices, I'll pick Websense 11 out of 10 times.

    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_filter.html#wp1045692

    Even if they only ever sold to customers with a Cisco ASA, that's still a few million sales with recurring license fees; that's some major money for R&D.

  2. I'm looking for help running tests against DNS servers. I want to list all the subdomains for a specific domain. So I try to use the dig command with axfr and it fails every time.

    dig @ns.SOA.com somedomain.com axfr

    Am I doing it wrong or are modern dns servers hardened and no longer accept this query? Is there a better way to do this? For example, so I build a dns server and try to replicate records to query? Would the axfr command be accepted if it came from a dns server? If so, what is the 'check' that I would be passing, so I could spoof it.

    Next DNS question along the same lines, I want to do reverse dns lookups. It also seems that all the DNS servers I tried don't accept this, which is the proper behavior after hardening. However we all know, not EVERYBODY does the proper settings and there is always somebody out there with some default settings. Are the queries wrong or am I just not finding a server that allows reverse dns? Anyone know of some servers that accept reverse dns?

    Anyone know a good resource to find these one-in-a-million DNS servers?

  3. The NIC teaming is usually done by the 3rd party software, like Intel or Broadcom. On both of those, the individual addresses disappear and you have one shared address. Unless you add secondary IPs to the team, of course. Check the software that will do your teaming and you'll find out.

  4. Very good observation you made there, I guess that will depend on how the school wants to use the network. I think connecting to a central server would be a good option because you can control what users do and how the information is accessed.

    Since we have covered everything else in this thread, it's worth taking this point out of the argument. VLANs and subnets are NOT how you will achieve this next goal. You need something else to limit or regulate the content. Controlling what users can do and how info is accessed is the job of a couple more devices. You need a content management device and/or firewall, something like Websense. You'll also need an enterprise level monitoring system if you want to see HOW the information is accessed. Having file share permissions in Active Directory is one step, but once the information is out of that 'secure' folder, you don't have any control of it. You seem to allude to wanting more than that. I'm going to assume you really don't need more than that, but just understand none of those goals can be met with the built in technology of a switch or small/med (translate: affordable!) router. You are onto another topic or area of technology altogether now.

  5. If you want to break down the network into small sub networks, I would first recommend learning how IP subnetting works and, once you fully understand it, buy a network switch that has VLAN capabilities.

    Creating vlans would be the best practice to segment your network, and that will also improve your network performance, as each subdomain will have its own broadcasting domain.

    For example, say the school has 100 PCs. You break it down into 4 groups or 4 VLAN groups, each one of them holding a total of 25 nodes. The good thing about this approach is security: one subnet cannot interfere or talk to the other one unless you have configured some routing protocol like RIP or IGMP.

    Hope this helps.

    True, but you left out... 99% of all managed switches will do VLANs. VLANs are a layer 2 concept, so a layer 2 switch will do VLANs. You need to buy a layer 3 switch to do what you suggest. The VLANs cannot talk to each other without some device routing the information between them, even on the same switch. A layer 3 switch would have a route processor (RP) built in and that would do the job. Otherwise you need a router attached to that switch and trunk all the VLANs to the router, etc. VLAN routing is not something built into every switch.

    Honestly, if the network is as large as 100 workstations, and you have good switches, you would see a slow down with this configuration. 100 workstations is not a big network. That's 100+ IPs, which fits fine in a class C subnet. When you need to use large subnets because of the amount of workstations, then you'll need this. I'm talking 1000+.

  6. I don't fully understand subnetting or TCP/IP, but I heard a talk where this network admin (I can't remember the show I heard it from or what his job title was) broke his business's network down and let only the PR people use Facebook instead of letting the entire network use Facebook. I also read that subnet reduces packet collisions.

    Short answer, I seriously doubt it.

    But you came here for a decent answer so I'll elaborate...

    First, learn about subnetting and/or TCP/IP if you plan to implement, because by implementing a thing you are now 'supporting' a thing. When it's broken, you typically go back to the guy who put it in to fix it.

    When you learn about OSI Layers, you'll find out packets are Layer 3 objects. You will need a layer 3 capable device to route the packets from one network (or subnet) to another. You will need a layer 3 switch or a router. If you have one of these devices, you'll need to learn to configure it. If you want to limit different networks to different resources (i.e. facebook), you will need something like a firewall or content management device (some routers and high end switches do this). You'll need to learn to configure that also.

    Don't worry about packet collisions unless you have a layer 2 only network. Again, when you learn about the layers, you'll find out frames are at layer 2. Hubs and switches are the devices that route frames; switches don't broadcast every frame so you won't have collisions. At some point early in your self education you'll find out about collision domains vs broadcast domains. If you have switches (not hubs) in your school, you have many collision domains and one broadcast domain. Don't worry about this, I don't think people have had this problem since the '80s... that's why CDMA was created.

  7. Short answer is Comp B will not see the router or Comp A. Also Comp B will have an invalid IP, that is the network number, the first usable number will be 129.

    In the real world, it can get really goofy, and this is why overlapping networks with similar numbers are BAD and you need to keep that stuff organized and VLAN'd. If you only change the subnet mask of Comp B, the above statement is true from the perspective of Comp B. Comp A and the router will still have the /24 mask. That means that Comp B will see broadcasts because they go from 0-255 there. Comp B will try to answer those broadcasts and traffic will get mixed up... I've seen this happen and it's hard as hell to troubleshoot. But for your exams and labs, ignore this rant, it shouldn't happen on paper! Moral of this story is get your subnet masks matching on everything!
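    A worked check of the mismatch described above, added here as an example and not part of the original post. The addresses are constructed (the post only gives the ".128 is the network number, .129 is first usable" detail): Comp A and the router keep /24, only Comp B was re-masked to /25.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed addresses (assumption): only Comp B's mask was changed to /25.
HOSTS = {
    "router": IPv4Interface("192.168.1.1/24"),
    "Comp A": IPv4Interface("192.168.1.10/24"),
    "Comp B": IPv4Interface("192.168.1.128/25"),
}


def address_problem(iface):
    """Explain why a host address is unusable on its own subnet, or return None."""
    net = iface.network
    if iface.ip == net.network_address:
        return (f"{iface.ip} is the network number of {net}; "
                f"first usable host is {net.network_address + 1}")
    if iface.ip == net.broadcast_address:
        return f"{iface.ip} is the broadcast address of {net}"
    return None


def on_link(viewer, peer_ip):
    """True if `viewer` treats peer_ip as directly reachable (ARPs for it, no routing)."""
    return peer_ip in viewer.network


def visibility(hosts):
    """Per host: which of the other hosts does it consider to be on its own subnet?"""
    return {
        name: {other: on_link(iface, hosts[other].ip)
               for other in hosts if other != name}
        for name, iface in hosts.items()
    }


def accepts_broadcast(sender, receiver):
    """Does the receiver's IP stack accept the sender's subnet-directed broadcast?

    On one physical segment the frame (dst ff:ff:ff:ff:ff:ff) reaches every NIC;
    the IP layer keeps it only if the destination equals the receiver's own
    broadcast address or the limited broadcast 255.255.255.255.
    """
    dst = sender.network.broadcast_address
    return dst in (receiver.network.broadcast_address, IPv4Address("255.255.255.255"))


def mask_mismatch(hosts):
    """Names of hosts whose prefix length disagrees with the majority (the 'moral' check)."""
    lengths = {name: iface.network.prefixlen for name, iface in hosts.items()}
    most_common = max(set(lengths.values()), key=list(lengths.values()).count)
    return sorted(name for name, plen in lengths.items() if plen != most_common)


if __name__ == "__main__":
    for name, iface in HOSTS.items():
        print(f"{name}: {iface} -> {address_problem(iface) or 'address OK'}")
    for name, peers in visibility(HOSTS).items():
        print(f"{name} sees on-link: {[p for p, ok in peers.items() if ok]}")
    print("Comp B accepts Comp A's broadcasts:",
          accepts_broadcast(HOSTS["Comp A"], HOSTS["Comp B"]))
    print("hosts with a mismatched mask:", mask_mismatch(HOSTS))
```

    The asymmetry is the point: A and the router still think B is on-link and will ARP for it, while B considers both of them (and its only gateway) off-subnet, yet B's /25 upper half shares the .255 broadcast with the /24, so it still hears and answers their broadcasts.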

  8. My setup:

    Laptop (running Windows 7) - connected wirelessly to router and internet.

    -Wireless: DHCP, 192.168.2.x

    -LAN: Static.

    --IP: 192.168.0.1

    --Mask: 255.255.255.0

    Hub - connected to laptop's LAN card

    Xbox (running XBMC) - DHCP, connected to hub

    Various other systems that might be connected at one time or another - DHCP, connected to hub

    I was using Tftpd32 manually for a while but I decided I'd like to make my setup somewhat permanent by including the hub and running Tftpd32 at startup. Minimizing Tftpd32 to the system tray is buggy though (popping up at least twice every boot up before minimizing to tray) and the newest version doesn't even maintain the server interface I select (LAN NIC). I found this instead and I really like it, especially since it can start as a service, it has no GUI, and it immediately goes to the tray. I've got it working with the DHCP and all, but what I would like is to have my Xbox and other systems have access to the internet as well as my laptop. I read a bit about subnets and IP routing, but I don't understand everything and nothing I have tried has worked. Everywhere I've looked, people are told to set up a firewall or proxy server on the "middle" computer, but I'd rather not do something like this because I'm sure there is another, simpler way to achieve what I'd like. Using a proxy server would also mean I'd have to set up the other devices to use the proxy for all connections other than local ones. So, I'd appreciate everybody's input on the different ways I could effectively use DHCP to give out addresses, allow the networked computers to access the internet, and still maintain access to my laptop.

    p.s. I tried Windows' built-in ICS, but when it was enabled I didn't have access to my laptop from my Xbox or any other computers. I want more control over it than ICS gives anyways. Also, the wireless router has DHCP and DNS servers running (if that helps).

    Thanks in advance.

    You really have a hub? If it's really a hub, throw that thing away and upgrade.

    Select the 2 interfaces on the laptop (wifi and lan) and make them a bridge. Your laptop becomes a bit transparent in the network but the 2 interfaces become a pass-through, which is what you need.

  9. So I have taken on a new client, a 3-office doctors' practice, and they are running in a mixed mode AD environment. They have 2 DCs and an Exchange controller, all of which are running w/o any form of RAID, on older home brew machines. This would be fine if they didn't contain critical information, such as medical records, and their email!! So I am now fraught with trying to put some redundancy into this accident waiting to happen, but I fear I may be over my head; it's been quite a while since I have done AD, I did get my MCSE years ago and never really used it. So my thought is to get a very redundant machine and migrate these machines to VMs. Any issues with Exchange and DCs on VMs? Critical points here are redundancy and ease of backup / restore. Any thoughts?

    Regards,

    John

    Build redundancy into the box and you should be fine. RAID, dual NICs, ECC RAM, dual CPUs, etc. When you do a P2V on the others, you should have no problem, but the Exchange conversion will take forever unless you take it offline. You will have to make them live without email for a weekend to get this done right.

    There are services out there that will catch or host your email until your server comes back online and then push it all down, this would also be a nice service to keep running in case of server failure.

  10. Hi, I'm running an ESXi 3.5 server with Ubuntu Server and CentOS 5.3 on the same terabyte hard drive. I've installed another 4 terabyte drives in my machine but I don't know how to add those newly installed drives to the virtual machines so that they show up within the VM and can be accessed.

    Could someone please help?

    Regards

    I'm gonna guess you put those 4 other drives on a RAID card or some other PCI expansion card. Did you check to see if those are on the vmware HAL?

  11. You can also social engineer a staff member of company X by either dropping a USB key with a payload preinstalled and hoping that an employee of company X will use said USB key, and then, depending on the payload on the USB key, you can get access that way; OR you can attempt to find an internal phone directory in some way for company X and use social engineering skills to determine the IP address of a box inside the network by posing as a rep from a company that services the servers, such as VMware or the like.

    Getting the actual IP address is pretty trivial. For example, not every server is hosted elsewhere. There's a good chance something is hosted locally if it's a large enough company. For example, we keep our website hosted elsewhere, but our Exchange in house where we get to back it up and keep it safe. Once you find an IP address, you can pretty easily get the range, ping sweeps are legal. You can ping as much as you want around the world with no consequence. With that in mind, if they did get attacked and you did the ping sweep from your house, you will be on a short list of destinations for the FBI to visit. DO IT FROM A STARBUXXX WIFI.

    As previously mentioned, the most successful attack would be from the inside out. Social engineering or trojan exploits, etc. You would be surprised how easy a telco shirt and tool box will get you past the front desk.

    Otherwise you would need to exploit vulnerable services. Here's where it gets fuzzy. A ping is a legitimate request from computer to computer. A port scan is not, it is an active inquiry into a system that is not your own. This might be where you cross the line. Again, do this from NOT your house. Find a vulnerable service and apply the zero day (that you wrote!! ;/).

    These are the basics of a pen test, study up on pen testing for more on this topic. Many good books out there, "Stealing the ______" (network/continent/etc) is a really good series by experienced authors, it's all fiction, but the methods are real.

  12. Is there anything you can do with this information?

    Wed, 16. Sep 2009    220.237.82.XXX    1077712 KB
    Wed, 16. Sep 2009    94.23.197.XXX    366955 KB
    Wed, 16. Sep 2009    69.203.144.XXX    3920745 KB
    Wed, 16. Sep 2009    68.103.245.XXX    10800 KB

    It follows a list of all /16 networks having downloaded via your account today:

    68.103.0.0/16 (68.103.0.0 - 68.103.255.255)
    69.203.0.0/16 (69.203.0.0 - 69.203.255.255)
    94.23.0.0/16 (94.23.0.0 - 94.23.255.255)
    220.237.0.0/16 (220.237.0.0 - 220.237.255.255)

    These IP addresses hacked into my Rapidshare account yesterday and caused me a million problems.

    Cancel your Rapidshare account so nobody else can use it. Problem solved.

  13. Yes, you could be right sir :-|

    But since we have so many VMs inside the SAN datastore, backing it up to the NAS took so long to finish, approx. 29 hrs, which overlapped by 4 hrs.

    See the current server deployment diagram; I made it easier for you to see the network connections.

    The reason that I chose this configuration is that direct connection from the SAN into the ESXi servers without anything in the middle, can eliminate the single point of failure caused by the Switch and also provide redundancy.

    [image: esxi.jpg]

    Each color in the iSCSI network is a different IP subnet by itself. From the ESXi into the production network I put two cables connected to two different ports and then added those pNICs into the same vSwitch for failover.

    Any kind of comments will be greatly appreciated.

    If you really have a terabyte to back up, that's probably an accurate time. I really don't think backing up the VMFS partition is the best/fastest solution. There's probably a few servers that don't need nightly incrementals, so you could eliminate those. Then apply backup solutions to the VMs themselves. Find an agent that does a dedupe before sending the data to disk/tape.

    You do have a lot to back up, and perhaps outsourcing a solution would be best if you're stuck. I think you have to put some serious money into this in some form, either prof services or backup software or backup hardware...

  14. Hi All,

    I'm looking for your suggestions and advice in utilizing the empty unused local SATA-II datastore for my VM.

    [image: esxir.th.jpg]

    I've got the following ESXi 4.0 build 164009 and a valid vSphere Essentials license, therefore I could use VCB, but the problem is that using NBD from the SAN into the backup server is way too slow :-| it took 55 hrs to full backup the whole 1 TB VMFS partition (D2D over 2 network subnets).

    And now I'm thinking that rather than using a backup solution, is it possible to clone the VM on the fly to more than 2 datastores, like a clustering service's fault tolerance? (in this case to the local datastore and the SAN_VMFS) In case there is a failure in the SAN, the VM can run off the local datastore; well, it doesn't have to be realtime though.

    Or perhaps there is a VCB backup that can copy the VM from the SAN VMFS into the local datastore VMFS? That is also possible.

    Any kind of comments will be greatly appreciated.

    Thanks

    The problem with backing up the actual VM files is that they are running and constantly changing. You need an agent that will recognize this and deal with it, or that will stop the processes and run the backup automatically. You could clone it live and call that a backup, I suppose. I wouldn't call any of those options clustering.

    VMFS is slow, VMware will admit that. But they didn't create it to be fast, they created it to be solid for the files to sit in. If your resources over commit and it starts a SWAP file, your server will CRAWL. The purpose is to keep files contiguous and ready to pull into ram. VMs don't run off the disk, they just sleep there. They get up and go to work in the RAM.

    So you need to find an agent that understands VMs; typically we recommend backup solutions that run INSIDE the VM. Something more traditional like commvault or networker. These agents run on the Windows OS and back up as if they were physical machines. Rarely do we back up the VMDK files, especially running ones.

  15. So I splurged and ordered 8 gigs of RAM and another hard drive.

    I'm debating trying either Windows 7 or ipc (hackintosh) on the other drive..

    Then I was thinking, what if I turned it into a VM server and had virtual OSs? Worth it for a main PC, or stick to a full OS, non-virtualized?

    If you use ESXi, you don't get to use it as a PC, you must have another PC to pull a remote desktop.

    If you do anything graphics related, don't virtualize it, no support or performance.

  16. I used this network monitor prog for that.

    Maybe it helps you, and it's free!

    Turn on SNMP on the port the WAP is connected to and monitor the bandwidth of that port. PRTG is a good free windows based monitor, based on MRTG.

  17. If you want to see just how secure apple products are, check out this news report:

    http://abclocal.go.com/wpvi/video?id=6996090

    23 MacBook Pros, 14 iPhones, and 9 iPods

    To be fair, this has nothing to do with the security of Apple products. That could have been any computer store with any brand electronics. You smash a plate glass window with a rock and grab all that stuff in 31 seconds, it won't matter what brand it was. It could have been 23 HP laptops, 14 BlackBerrys, and 9 Zunes.

  18. Take the modem/router with you to work. How hard could this be? Put it in your bedroom and lock it. You act like the guy has complete control over your life and that this is a last resort. If the roommate is that unreasonable, kick him out!

  19. WOL is a layer 2 broadcast, so unless you are on the same subnet of the local lan, you aren't going to be able to reach his mac address to send the packet in the first place. As far as I know, WOL does not work over the internet.

    Totally right, if it's a Layer 2 broadcast, it won't pass through a router (or layer 3 device, without special circumstances).

    "The Magic Packet is a broadcast frame" -wiki

    Frames don't travel the internet, packets do. Bottom line is you would need a device in his VLAN or subnet (not just lan) to deliver the WOL frame.

  20. Their reasoning is that they deploy services and functionality that uses these ports and various ip addresses. I disagree and call bullshit.

    I asked them to supply a list of a few ports and ip addresses to connect to and they said they can't. I called bullshit.

    I asked them to supply technical references for other companies and they told me they can't and that all companies either open the ports or t1 to them. I called bullshit.

    There's a third option that uses port 80/443 for a connection to a Citrix presented application. The install rep tells me that it doesn't have the same functionality as the locally installed client. I ask if he can provide a list of functionality that it does not provide. He tells me that it's too long to list.

    So I request the "list". I call bullshit, again, and quote the install doc telling me that the Citrix presented application is the EXACT same application installed locally.

    He then tells me to talk to our sales rep and leads me to believe that he's obviously trying to pull something.

    This is bloomberg.com btw and their wonderful Bloomberg service.

    -----------

    Believe me I know the issues with the ephemeral ports. He wants us to open the ports, including various other ports, on our firewall to the WAN. From internal sources to external sources and vice versa.

    We actually have a firewall vendor which is a great company. It's a Squid proxy firewall, btw. They've stated that they block that port range. It's one of the reasons why we don't use regular FTP sessions.

    All these hoops to jump through to get a T1 installed? I call BS, I assume they also are arranging an IDS service for you (and will charge you for it). I've had to work around those situations before, however I was always given a very clear (and short) list of firewall rules to configure. The ones I've dealt with drop an appliance on the network, have me configure a mirror port on a switch or put the device inline and allow them remote access to the device. The customer pays them for active network monitoring and that's what they get.

    No ISP should request you open ports or install anything for them, so I assume you've left something out in this story and might have a similar situation that I ran into. Either way, you should be allowed to get a full, technical, explanation of any changes you need to make to YOUR equipment.

  21. That's a great question. I know it can be done, but not sure how to do it on the server side. Any SAs that can answer this would be nice, because I am curious now as to how you do it from one server as well.

    I know you can have multiple DHCP pools on a router and set up trunking with multiple subinterfaces pointing to multiple VLANs for giving out addresses in each pool, but I'm not sure how you do multiple pools on a server from one interface, and have it know what subnet to give to each LAN.

    You create a new scope or sub-scope for the VLAN/network that the DHCP server does NOT reside in. You give the ip-helper command to point to the dhcp server for the other vlan. Then in the DHCP configuration you use the network ID (or something like that) and give the number that corresponds to the VLAN, i.e. Vlan 200.

    Pretty simple on a MS server.

  22. Ah, I figured physical separation may have been the best idea, thanks a bundle for clearing that up for me Vako. Looks like it's Visio time. XD

    If you trust VLANs then physical separation isn't needed, just virtual. Some people don't trust vlans, not sure why, but I can respect that. Also the benefit here is more NIC ports for all your connections, instead of 2 for this one and 2 for that one, you get 4 for this one.

  23. Hello,

    I have been reading up on intrusion detection systems, and seen that it looks like a hardware firewall with an IDS is the best way to go, but I don't have a whole lot of money. So I was wondering if anyone can recommend a good IDS that will work with Windows Vista, and also one for Ubuntu.

    I heard of Snort but it says there is a 5 day lapse? on the free version which i guess means that i can not review the results of the present day until 5 days later? I am looking for something easy to use and also get real time results. Thanks.

    Snort is free, try that first. You will not find an IDS that works out of the box. You have to tune and tweak them to eliminate false positives. This will not be a 20 minute project, this will take you a couple of months. Longer on a home network since there will be no attacks to watch for and flag.

  24. Took my CCENT test today and passed! 902 out of 1000. Now I have to schedule the second test, and once I pass that, I will be CCNA certified. Next class I want to take is the Cisco CCNA-Voice class, then I can start on my Microsoft certs.

    Congrats!! Good luck on the next one!

  25. So I have ESXi set up for a customer with dual gigabit. I set up the public address 63.xxx.xxx.xxx on the first one and I need to set a static private IP like 192.168...blah blah blah address on the 2nd one. I tried looking through the console to do it but I couldn't find anything for the 2nd, and same with the vSphere client..

    What am I missing??

    I assume you are giving the management console port the IP of 63.x.x.x? That's the only management (service console) port. You would need to create another one to give it another IP address. I don't believe ESXi allows that, ESX3.5 does.

    I see no reason to put that out on the open internet, I recommend you give it an internal IP and use your firewall to allow access into that IP address. You can at least control or white list the allowed IPs then.
