ip-stories.com
    Archive for the 'security' Category


    [POPS] Securing POP3, QPOPPER with SSL/TLS - OpenSSL on port 995

    Posted by admin on 19th August 2010

    A. Create Directory for Certificate

    [root@ipv6]# cd /etc/mail
    [root@ipv6 /etc/mail]# ls
    Makefile                aliases.db              freebsd.submit.mc       mailertable.sample      virtusertable.sample
    README                  freebsd.cf              helpfile                sendmail.cf
    access.sample           freebsd.mc              mailer.conf             spamassassin
    aliases                 freebsd.submit.cf       mailer.conf.old         submit.cf
    [root@ipv6 /etc/mail]# mkdir -p -m555 certs
    [root@ipv6 /etc/mail]# chown root:mail certs
    [root@ipv6 /etc/mail]# chmod 550 certs

    B. Locate OpenSSL ;)
    [root@ipv6 /etc/mail]# locate ssl
    /etc/ssl
    /etc/ssl/openssl.cnf
    /usr/bin/openssl

    C. Generate an RSA key and self-signed certificate into the file ipv6indonet.pem using OpenSSL
    [root@ipv6 /etc/mail/certs]#  /usr/bin/openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout ipv6indonet.pem  -out ipv6indonet.pem
    Generating a 1024 bit RSA private key
    ....................++++++
    .........++++++
    writing new private key to 'ipv6indonet.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:ID
    State or Province Name (full name) [Some-State]:DKI
    Locality Name (eg, city) []:Jakarta
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:NOC
    Organizational Unit Name (eg, section) []:Noc_Noc
    Common Name (eg, YOUR name) []:demolitionman
    Email Address []:demolitionman@localhost

    [root@ipv6 /etc/mail]# chmod 500 certs/cert.pem
    [root@ipv6 /etc/mail]# chown root:0 certs/cert.pem
    [root@ipv6 /etc/mail]# cat ipv6indonet.pem >> certs/cert.pem

    D. Create the qpopper configuration file
    [root@ipv6 /var/log]# vi /etc/mail/qpopper.config
    set tls-support = alternate-port
    set tls-version = default
    set tls-server-cert-file = /etc/mail/certs/ipv6indonet.pem

    E. Change/add the inetd entry so qpopper loads the 'secured' qpopper.config
    Change pop3 to pop3s [otherwise the config will not work]
    [root@ipv6 /var/log]# vi /etc/inetd.conf

    pop3s   stream  tcp6    nowait  root    /usr/local/sbin/popper  popper -l1 -f /etc/mail/qpopper.config
    pop3s   stream  tcp     nowait  root    /usr/local/sbin/popper  popper -l1 -f /etc/mail/qpopper.config

    F. Restart INETD
    [root@ipv6 /var/log]# killall -9 inetd
    [root@ipv6 /var/log]# /usr/sbin/inetd
    [root@ipv6 /var/log]# telnet 202.159.33.33 110
    Trying 202.159.33.33...
    telnet: connect to address 202.159.33.33: Connection refused
    telnet: Unable to connect to remote host
    [root@ipv6 /var/log]# telnet 202.159.33.33 995
    Trying 202.159.33.33...
    Connected to ipv6.indo.net.id.
    Escape character is '^]'.
    ^]
    telnet> quit
    Connection closed.

    [root@ipv6 /var/log]# telnet 2404:170:33::33 995
    Trying 2404:170:33::33...
    Connected to 2404:170:33::33.
    Escape character is '^]'.
    quit
    ^CConnection closed by foreign host.

    Plain pop3 on port 110 is now refused, and port 995 is listening on IPv6 as well as IPv4.
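    The same six steps as a non-interactive script, added here as an example (these are not the original post's commands). It uses a 2048-bit key instead of 1024, keeps the private key readable only by its owner via umask, and, before qpopper is pointed at the file, checks that the key and certificate inside the combined PEM actually belong together and that the certificate has not already expired. It also has a small check that an inetd.conf no longer carries a plaintext pop3 entry for popper. The subject DN, the directory argument and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes OpenSSL in PATH and a
# target directory given as the first argument (the post uses /etc/mail/certs).
set -eu

# Subject fields mirror the ones typed interactively in the post; CN is a placeholder.
SUBJ="/C=ID/ST=DKI/L=Jakarta/O=NOC/OU=Noc_Noc/CN=pop.example.invalid"

# Steps A and C: create the directory, generate key + self-signed certificate,
# and combine them into the single PEM that qpopper expects.
make_pops_cert() {
    dir="$1"
    umask 077                         # nothing created here is group/world readable
    mkdir -p "$dir"
    openssl req -new -x509 -newkey rsa:2048 -days 365 -nodes \
        -subj "$SUBJ" -keyout "$dir/ipv6indonet.key" \
        -out "$dir/ipv6indonet.crt" 2>/dev/null
    cat "$dir/ipv6indonet.key" "$dir/ipv6indonet.crt" > "$dir/ipv6indonet.pem"
    rm -f "$dir/ipv6indonet.key" "$dir/ipv6indonet.crt"
    chmod 400 "$dir/ipv6indonet.pem"
    chmod 550 "$dir"                  # as in the post; add chown root:mail when run as root
}

# Check that the private key and certificate in the combined file match
# (same RSA modulus) and that the certificate is still valid right now.
verify_pops_cert() {
    pem="$1"
    key_mod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] || return 1
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null
}

# Step D: write qpopper.config ($1) pointing at the combined PEM ($2).
write_qpopper_config() {
    cat > "$1" <<EOF
set tls-support = alternate-port
set tls-version = default
set tls-server-cert-file = $2
EOF
}

# Step E sanity check: read an inetd.conf on stdin and succeed only if popper
# is bound to pop3s and no plaintext pop3 entry for it is left behind.
check_inetd_pops() {
    awk '
        $1 == "pop3"  && $0 ~ /popper/ { plain++ }
        $1 == "pop3s" && $0 ~ /popper/ { tls++ }
        END { exit (tls > 0 && plain == 0) ? 0 : 1 }'
}

# Stand-alone use: sh pops-cert.sh /etc/mail/certs
if [ -n "${1:-}" ]; then
    make_pops_cert "$1"
    verify_pops_cert "$1/ipv6indonet.pem"
    write_qpopper_config /etc/mail/qpopper.config "$1/ipv6indonet.pem"
    echo "key and certificate verified; qpopper.config written"
fi
```

    The key/certificate comparison is the check worth keeping: a combined PEM assembled by hand (as in the cat step above) silently breaks TLS if the two halves came from different openssl runs, and popper will only tell you about it in the log at connection time.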

    a. rahman isnaini r.sutan
    Powered by Um Geir.

    Posted in Mail, security | No Comments »

    [UTM] Reset Web Admin Password - IPCop

    Posted by admin on 5th July 2010

    Forgotten the web admin password for logging in to IPCop?

    From the console, after you have logged in as root:

    htpasswd /var/ipcop/auth/users admin
    New password :
    Re-type new password :

    == You should now be able to login ==

    Proxy:

    If you enable the advanced proxy on this IPCop engine, the cache of visited pages is stored at /var/log/cache,
    so the /var directory needs to be allocated a large disk partition.

    a. rahman isnaini r.sutan

    Posted in security | No Comments »

    [UTM] IPCop Admin/Root password

    Posted by admin on 1st July 2010

    A bit tricky..

    You can only set the admin/root password for accessing the terminal console (locally or remotely) once you have configured the DHCP server during setup.
    If you skip this step, you will not have your root/admin password.

    The admin password is needed to log in to the IPCop web management interface, on default port TCP 81.

    rgs
    a. rahman isnaini r.sutan

    Posted in UTM, security | No Comments »

    [Security] Symantec End Point Uninstallation & Remote Access Problem

    Posted by admin on 24th June 2010

    Quoted from Gnawgnu’s Realm Blog; the same thing also happened on my laptop while trying to connect to a 3G mobile network.

    The Symantec Endpoint uninstallation stopped Remote Access Connection Manager, and dialing to the mobile network APN gave me the “Connection Terminated” pop-up box. Googling somewhere on the Huawei website (the maker of the 3G modem being used), they said that Remote Access Connection Manager is supposed to be started.

    Looking at my Windows XP services, the Remote Access Connection Manager is stopped. Trying to start the service returns the error “Access Denied”.

    For me, I have only deleted the key “88” under RASMAN in regedit.

    Quoted :

    Endpoint kills remote access connection manager (Error 5: Access is denied)

    To add to the fun, the uninstaller for Endpoint doesn’t always get rid of all the problems that came with it. In one case, all the remote access services crapped out so VPNs were unavailable. If you try to create a new VPN, the window options all gray out. I saw a solution on the Symantec boards which recommends doing a full manual uninstall.
    https://forums.symantec.com/syment/board/message?board.id=endpointcust&thread.id=1844
    Uninstall instructions:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007073018014248?Open&src=ent_gold_nam
    One user did comment on this blog that reinstalling Endpoint resolved issues that another admin he knew was experiencing. You may want to try that or a combination of a full uninstall/reinstall, etc.

    Anonymous said…

    Even after Endpoint was successfully uninstalled, and the Microsoft KB article http://support.microsoft.com/?kbid=329441 was followed, there was an additional RASMAN\PPP\EAP key that needed to be deleted. You must delete 25 and 26 as in the KB, as well as the Symantec Endpoint subkey 17. Then Remote Access Connection Manager will again start.

    Event Viewer Error [From Mufti Blog]

    • Remote Access Connection Manager failed to start because it could
      not create buffers. Restart the computer. Access is denied. (Error,
      Source: RasMan)
    • The Remote Access Connection Manager service was successfully sent a
      start control. (Information, Source: Service Control Manager)
    • The Remote Access Connection Manager service entered the stopped
      state. (Information, Source: Service Control Manager)
    • The Remote Access Connection Manager service terminated with the
      following error: Access is denied. (Information, Source: Service
      Control Manager)

    a. rahman isnaini r.sutan

    Posted in Mobile, VPN, microsoft, security | No Comments »

    [Security/IPv6] Symantec End Point Protection by Default Blocks IPv6 Connection

    Posted by admin on 16th June 2010

    Once you have installed the SEP client/agent on a desktop, the default firewall policy on the SEP control manager blocks your IPv6 connection.
    If you insist on having IPv6 connectivity, ask your admin to allow IPv6 on the SEP dashboard.


    rgs
    a. rahman isnaini r.sutan

    Posted in IPv6, security | No Comments »

    [Security] Password Protection for SEP Client Removal

    Posted by admin on 16th June 2010

    To protect your SEP client/agent from being removed by an unwanted person who has admin privileges on a desktop, you can require a password challenge to complete the uninstall process.

    This policy is set on the SEP control manager on the server.

    rgs

    a. rahman isnaini r.sutan

    Posted in security | No Comments »

    [Security] Securing Dial Up Connection from a Certain Caller ID

    Posted by admin on 13th May 2010

    Security is always interesting to discuss.
    As we all know, every day tons of threats are generated/created.

    Anyway, dial-up is one such medium.
    It still needs to be secured, for instance when this medium is used as the backup connection of a crucial banking application.

    This medium runs over a shared network platform with millions of other users.
    Therefore the banking transactions need to be secured so that they can only come from a trusted place/PSTN number.

    The RADIUS server by default has the ability to authenticate not only on the username and password that the dialing user has set up and entered; it can also match the “Caller ID” (the Calling-Station-Id attribute, checked in the config below).

    So a successful connection needs matching username, password and caller ID information.
    If one of them doesn’t match, the connection fails entirely.

    a. rahman isnaini r.sutan


    > AuthByPolicy ContinueWhileAccept
    >
    > DBSource dbi:mysql:radius:localhost
    > DBUsername newrad
    > DBAuth BlaBlaB
    >
    > NoDefault
    > NoDefaultIfFound
    >
    > AuthSelect select PASSWORD, \
    > if('%{Service-Rate}' is null or PREPAID != '9', UNIT * 60, \
    > floor((UNIT / 0%{Service-Rate}) * 0%{Service-Unit})) as TIMEOUTSECOND, \
    > if(PREPAID = '9', '%R', DOMAIN) \
    > from SUBSCRIBERS where (USERNAME = '%U') \
    > and (SUBNET IN ('makassar','yogyakarta','banjarmasin','bontang','madiun','mataram','purwokerto','purwakarta','indo-cilegon','pekanbaru','lampung','testpws','pandaan','tegal','semarang','balikpapan','jambi','pekalongan','kudus','palembang','salatiga','magelang','mojokerto','malang','kediri','bandung','surabaya','psiantar','denpasar','cirebon','tasikmalaya','solo') or \
    > (PREPAID is not NULL)) \
    > and ((UNIT > if(PREPAID='9',0%{Service-Rate},0)) or UNIT IS NULL) \
    > # and (DOMAIN = '%R' or (DOMAIN = '' and '%R' is null)) \
    > and (FIRSTUSED is null \
    > # or UNIX_TIMESTAMP() < (7776000 + FIRSTUSED) \
    > or UNIX_TIMESTAMP() < EXPIRED)
    >
    > AuthColumnDef 0, Encrypted-Password, check
    > AuthColumnDef 1, Session-Timeout, reply
    > AuthColumnDef 2, Calling-Station-Id, check

    Posted in security | No Comments »

    [Security] Symantec End Point Console Manager for Blocking Browsing, Mail, etc Using Signatures

    Posted by admin on 6th May 2010

    Trying to find the best solution for enterprise endpoint security.
    Of the big three security vendors I have been working with, Symantec is a bit unique.
    SEP has more than the others.

    Below is the kind of policy that is pushed from the server to the agent to block some unwanted applications from certain companies.

    Instead of the sample from Symantec, I have added some of my own, tested with success at my premises.
    Symantec uses a customized Intrusion Prevention policy to get this blocking done.
    It works by adding signatures…

    a. rahman isnaini r.sutan

    ==============================================================
    If you want to block all sites, just:
    rule tcp, dest=(80), msg="Warning: Your Browsing Access is Prohibited", content="*"

    If you want to block all incoming mail applications, just [click Outgoing]:
    rule tcp, dest=(110), msg="Warning: You Are Not Allowed to Retrieve Mail "

    If you want to block all sending mail applications, just [click Outgoing]:
    rule tcp, dest=(25), msg="Warning: You Are Not Allowed to Sending Mail "

    If you want to block all send/receive mail applications [whatever the mail client], just [click Outgoing]:
    rule tcp, dest=(25), msg="Warning: You Are Not Allowed to Sending Mail "

    rule tcp, dest=(110), msg="Warning: You Are Not Allowed to Retrieve Mail "

    *> Create an additional signature for port 110.

    Anyway, you can set any ports/services, of course.

    ===============================================================

    – From Symantec Web Site

    How to block/allow website access using the Symantec Endpoint Protection Manager custom Intrusion Prevention Signature policy

    Question/Issue:
    How to block certain websites for access by clients in an organization, so we need to create a custom IPS policy to block access to websites

    Solution:
    NOTE: This rule is created to block Google,this rule can be used to block any website that is needed by making changes accordingly.
    NOTE: The following steps require that you have Network Threat Protection and Intrusion Prevention installed on the client.

    In the SEPM console, in the system navigation bar, click Policies.
    In the View Policies navigation bar, select Intrusion Prevention.
    In the Tasks list, click Add a Custom Intrusion Prevention Signatures.
    In the Custom Intrusion Prevention Signatures window, set the Name of the policy to Block Google (just an example, you can choose the website that you need to block).


    Posted in security | 2 Comments »

    [Mobile] OverQuota 2GB Indosat Matrix

    Posted by admin on 24th March 2010

    This month, my mobile Internet connection is having a big problem.
    Since the speed is based on quota, an SMTP virus/trojan drove my lovely quota down to zero bytes left.
    So I have to work at an extremely slow 16 Kbps on average?… oh man! Though Indosat claimed 64 Kbps :)

    Dear my office, I’m sorry if my “Enter” button is pressed even twice as fast as its shadow.. and the configuration will take effect in 5 minutes :)

    a. rahman isnaini r.sutan

    Posted in Mobile, security | No Comments »

    [Security] Generic host process for win32 services [SVCHOST.EXE] Hijacked by Virus/Trojan Attacking SMTP Port [TCP 25]

    Posted by admin on 18th March 2010

    Lately my laptop has gone slow.
    All resources have been checked and none are significantly and highly used by a specific service.
    Even the idle process percentage is more than enough for some more applications.

    Using DU Meter, I have been noticing suspicious and continuous outgoing traffic.
    I was never aware of this before, since I’m working on a high-speed LAN connection.
    All Internet connections kept going on ‘normally’.

    Till I was shocked to find that my volume-based 3G service had been bled dry :)
    It took less than two weeks to vanish my quota.

    Suspicious things are:
    - A virus that generates attacks on port TCP 445 [Microsoft DS]
    - A virus that generates attacks on port TCP 25 [SMTP]

    Both of them are really damn tough :).
    The Microsoft DS virus is much easier to handle than the SMTP virus [google everywhere].
    This SMTP virus is generated by an original Windows service run by “generic host process for win32 services” under SVCHOST.EXE.

    I cannot even find and edit the file that SVCHOST.EXE runs so as to stop Generic Host Process For Win32 Services at start-up.
    It is really an integrated thing.

    What I have done so far that stops this SMTP virus:

    1. Check their activity [NETSTAT -AN]

    The attempts start by sending numbers of SYN_SENT to the nearest neighbor and on to computers at the edge of the world :) as soon as your Internet connection is up [clever, huh?].
    It establishes SMTP connections to some/many IPs.
    And you really know you didn’t send anything at all, nor was any mail client open/running.

    netstat -an | more

    Active Connections

    Proto  Local Address          Foreign Address        State
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
    TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
    TCP    127.0.0.1:1043         127.0.0.1:1044         ESTABLISHED
    TCP    127.0.0.1:1044         127.0.0.1:1043         ESTABLISHED
    TCP    127.0.0.1:1047         0.0.0.0:0              LISTENING
    TCP    202.159.104.3:139      0.0.0.0:0              LISTENING
    TCP    202.159.104.3:17068    203.190.241.43:25      SYN_SENT
    TCP    202.159.104.3:17070    203.190.241.44:25      SYN_SENT
    TCP    202.159.104.3:17072    203.190.241.45:25      SYN_SENT
    TCP    202.159.104.3:17073    203.190.241.46:25      SYN_SENT
    TCP    202.159.104.3:17074    203.190.241.47:25      SYN_SENT
    TCP    202.159.104.3:17075    203.190.241.48:25      SYN_SENT
    UDP    0.0.0.0:445            *:*
    UDP    0.0.0.0:500            *:*
    UDP    0.0.0.0:1025           *:*
    UDP    0.0.0.0:1033           *:*
    UDP    0.0.0.0:1110           *:*
    UDP    0.0.0.0:1132           *:*
    UDP    0.0.0.0:2894           *:*
    UDP    0.0.0.0:4500           *:*

    2. Download and install Advanced Task Manager

    This software shows you all activities on your computer,
    including all the hidden processes that you have never seen in the standard Windows Task Manager.
    Check the “Internet Connection” tab and have a good, careful look at the box below “Internet Connections from or to the Programs on Your Computer”.

    You should see in the Address column “[destination IP address]:SMTP”.
    That’s it!
    The process on the left is “svchost.exe”.
    Double-click this row and Advanced Task Manager brings you to the Programs tab… with columns “Process|PID|…”
    and highlights “Generic host process for win32 services”… Now CHECK and REMEMBER the PID.

    3. Open the default Windows Task Manager

    Match the PID and the process “svchost.exe”. [Note: the PID is really important]
    Once you have found the correct svchost.exe process and PID, do End Process :)
    Now you are free!.. but only for a while.

    4. Anyway, please do re-patch your “Generic host process for win32 services”.

    Ask Google please :)
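    The netstat check from step 1 as a script, added here as an example (not from the original post): it reads Windows `netstat -an` output, counts half-open (SYN_SENT) connections whose foreign address is TCP port 25 and lists the distinct targets, so a machine quietly spraying SMTP connections shows up as a number instead of something you have to eyeball. The embedded sample is constructed from the listing above plus one ordinary ESTABLISHED mail-client connection to port 25, which the filter deliberately ignores; the default threshold of 5 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Reads Windows "netstat -an" style
# output on stdin (fields: Proto, Local Address, Foreign Address, State).
set -eu

# Count half-open (SYN_SENT) TCP connections whose foreign address is port 25.
count_smtp_syn_sent() {
    awk '$1 == "TCP" && $4 == "SYN_SENT" && $3 ~ /:25$/ { n++ } END { print n + 0 }'
}

# Distinct foreign hosts that received SMTP connection attempts, one per line,
# in first-seen order.
list_smtp_targets() {
    awk '$1 == "TCP" && $4 == "SYN_SENT" && $3 ~ /:25$/ {
             sub(/:25$/, "", $3); if (!seen[$3]++) print $3 }'
}

# Succeed (exit 0) when the count reaches the threshold, else fail (exit 1).
flag_smtp_beacon() {
    threshold="${1:-5}"   # assumption: 5 simultaneous SYN_SENT to :25 is already odd for a laptop
    n=$(count_smtp_syn_sent)
    [ "$n" -ge "$threshold" ]
}

# Constructed sample: the post's listing trimmed, plus one legitimate
# ESTABLISHED mail-client session to port 25 that must not be counted.
SAMPLE='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1043         127.0.0.1:1044         ESTABLISHED
  TCP    202.159.104.3:1522     203.190.241.10:25      ESTABLISHED
  TCP    202.159.104.3:17068    203.190.241.43:25      SYN_SENT
  TCP    202.159.104.3:17070    203.190.241.44:25      SYN_SENT
  TCP    202.159.104.3:17072    203.190.241.45:25      SYN_SENT
  TCP    202.159.104.3:17073    203.190.241.46:25      SYN_SENT
  TCP    202.159.104.3:17074    203.190.241.47:25      SYN_SENT
  TCP    202.159.104.3:17075    203.190.241.48:25      SYN_SENT
  UDP    0.0.0.0:445            *:*'

# Stand-alone use: netstat -an > conns.txt ; sh smtp-check.sh conns.txt
if [ -n "${1:-}" ]; then
    if flag_smtp_beacon 5 < "$1"; then
        echo "suspicious: $(count_smtp_syn_sent < "$1") SYN_SENT to port 25, targets:"
        list_smtp_targets < "$1"
    else
        echo "no outbound SMTP burst seen"
    fi
fi
```

    The tell in the listing is not any single connection but the shape: consecutive local ports, consecutive destination addresses inside one /24, all stuck in SYN_SENT, which is what an automated mailer walking an address range looks like from the victim's side. Counting only SYN_SENT keeps a real mail client, which holds one ESTABLISHED session, out of the number.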

    – a. rahman isnaini r.sutan

    Posted in microsoft, security | 1 Comment »