Archive for September, 2014

240914_Ubuntu_Boot_Free_Space

df -lh -> check free space on the local filesystems (a small /boot partition is what fills up)

dpkg -l linux-image-\* | grep ^ii -> list the installed kernel image packages

sudo apt-get purge linux-image-3.8.0-42-generic -> remove an OLD kernel (3.8.0-42 is just the example here; compare the list against uname -r first and never purge the kernel you are booted into)

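The three commands above are done one package name at a time. The following script is an added example (not part of the original post) that does the same selection for every stale kernel at once: it filters `dpkg -l` output down to the installed linux-image and linux-image-extra packages whose version differs from the running kernel, skipping the linux-image-generic meta-package and half-removed (rc) entries. The dpkg listing embedded in it is constructed for the dry run; the package names and versions are made up.

```shell
#!/bin/sh
# Added example (not from the original post): pick out installed kernel image
# packages other than the running one, so the purge step can cover every stale
# kernel instead of one package name at a time.

# Constructed sample of `dpkg -l 'linux-image-*'` output, used only for the dry run.
SAMPLE_DPKG='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                               Version       Architecture Description
+++-==================================-=============-============-=================
rc  linux-image-3.8.0-35-generic       3.8.0-35.52   amd64        Linux kernel image
ii  linux-image-3.8.0-42-generic       3.8.0-42.62   amd64        Linux kernel image
ii  linux-image-3.8.0-44-generic       3.8.0-44.66   amd64        Linux kernel image
ii  linux-image-extra-3.8.0-42-generic 3.8.0-42.62   amd64        Linux kernel extra modules
ii  linux-image-extra-3.8.0-44-generic 3.8.0-44.66   amd64        Linux kernel extra modules
ii  linux-image-generic                3.8.0.44.62   amd64        Generic Linux kernel image'

# old_kernels RUNNING_VERSION
# Reads `dpkg -l` output on stdin and prints, one per line, the installed (ii)
# linux-image and linux-image-extra packages whose version is not RUNNING_VERSION.
# Meta-packages (linux-image-generic) and half-removed (rc) entries are skipped.
old_kernels() {
    awk -v running="$1" '
        $1 == "ii" && $2 ~ /^linux-image-(extra-)?[0-9]/ {
            ver = $2
            sub(/^linux-image-(extra-)?/, "", ver)
            if (ver != running) print $2
        }'
}

# Dry run against the constructed sample, pretending 3.8.0-44-generic is running.
dry_run() {
    printf '%s\n' "$SAMPLE_DPKG" | old_kernels 3.8.0-44-generic
}

# The real thing. It never lists the kernel reported by uname -r; still, read the
# list before letting it through to apt-get. Not called automatically.
purge_old_kernels() {
    dpkg -l 'linux-image-*' | old_kernels "$(uname -r)" | xargs -r sudo apt-get purge
}

dry_run
```

Run it as-is to see the dry run (it should list only the two 3.8.0-42 packages), then call purge_old_kernels on the real box. Because the running version comes from uname -r, a kernel you have installed but not yet rebooted into will be purged too, so reboot first if you just upgraded.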

Cryptolocker: How to avoid getting infected and what to do if you are.

The details are sordid, but in a nutshell: the CryptoLocker malware gets onto a computer, encrypts the user's important files (including anything on a network share the user can write to) and demands a ransom for the key to get them back. Every victim who pays makes the people behind it bolder, and the demands go up.

What can you do to protect your company?
Create Group Policies that stop executables from running out of the per-user locations (AppData and Temp) where malware, spyware, grayware, CryptoDefense and similar downloaders drop their .exe files:

– Open the Group Policy Management console and create a new GPO
– Name the policy "Disable .exe from %appdata%" and click OK
– Right-click the policy and select Edit
– Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
– Right-click Software Restriction Policies and click "New Software Restriction Policies"
– Right-click Additional Rules, click "New Path Rule", enter each of the rules below and click OK

Path: %localAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData (Win 7)

Path: %localAppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData subfolders (Win 7)

Path: %localAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Prevent unarchived executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Prevent 7zipped executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Prevent Rar executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Prevent Winzip executables in email attachments from running in the user space (Win 7)

The following paths are for Windows XP machines (if you still have them; add them with the same Disallowed security level just in case; %localAppData% does not exist on XP, which is why these use %AppData%)
%AppData%\*.exe
%AppData%\*\*.exe

Create each of the path rules above. Before rolling the GPO out to everyone, test it on a pilot OU: some legitimate software (per-user installers and auto-updaters) runs from these folders, and anything you need to keep working must get its own, more specific path rule set to Unrestricted, which takes precedence over the broader Disallowed rules.


Setting up LogAnalyzer syslog server – Analysis & Reporting

I’ve done this on Ubuntu Server 13.x

Install the following packages.

sudo apt-get install build-essential apache2 php5 php5-gd libapache2-mod-php5 mysql-server php5-mysql rsyslog

Edit /etc/rsyslog.conf and uncomment (or add) the following, then restart rsyslog.

This makes the server accept inbound syslog messages on UDP port 514. UDP syslog is neither authenticated nor encrypted, so bind the listener to the management interface (rsyslog's $UDPServerAddress directive, placed before $UDPServerRun) or restrict 514/udp at the firewall to the hosts that are supposed to send logs.

# provides UDP syslog reception

$ModLoad imudp

$UDPServerRun 514

Next, since LogAnalyzer is written in PHP, Apache has to hand .php files to the PHP module. Edit /etc/apache2/apache2.conf and add the following underneath "DefaultType None", then restart Apache:

DefaultType text/plain

AddType application/x-httpd-php .php

Note: if Apache does not hand .php files to PHP, the browser will offer the syslog page as a download instead of rendering it. On Ubuntu, libapache2-mod-php5 normally sets this up already through /etc/apache2/mods-enabled/php5.conf, so if you still get the download prompt, check that the module is enabled (a2enmod php5) and restart Apache. On Apache 2.4 (Ubuntu 13.10 and later) DefaultType is ignored and only the AddType line matters.

Download the latest LogAnalyzer from the Adiscon web site (http://loganalyzer.adiscon.com/downloads); 3.6.6 was the current release when this was written.

cd /opt

wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.6.tar.gz

Decompress and extract the tarball.

gunzip loganalyzer-3.6.6.tar.gz

tar -xvf loganalyzer-3.6.6.tar

Copy the LogAnalyzer src/ folder to the Apache document root (or a subfolder), copy the helper scripts from contrib/, make them executable and run configure.sh. Run configure.sh from the directory that holds the LogAnalyzer PHP files: it creates an empty config.php that the web server user can write to, which the web installer needs in order to save its settings.

mkdir /var/www/syslog

cp -r /opt/loganalyzer-3.6.6/src/* /var/www/syslog

cp -r /opt/loganalyzer-3.6.6/contrib/*.sh /var/www/syslog

chmod +x /var/www/syslog/*.sh

cd /var/www/syslog/

./configure.sh

Give Apache read access to the logs. On Ubuntu /var/log/syslog is owned by syslog:adm with mode 640, so www-data must be in the adm group. The -a flag matters: usermod -G on its own replaces all of the user's supplementary groups with the one you name.

usermod -a -G adm www-data

Use a web browser to open http://SERVERNAME/syslog/install.php. The page reports that LogAnalyzer is not yet configured; follow the steps to set up your syslog front end. Enable the user database when the installer offers it, or put the /syslog path behind Apache authentication, because otherwise anyone who can reach the page can read every log line. When the installer finishes, run the bundled secure.sh from the same directory to make config.php read-only again.
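Once the front end is up, the quickest way to tell whether the UDP listener configured above is really receiving anything is to send it a message you can recognise and look for it in the log. The script below is an added example, not part of the original post or of LogAnalyzer: it builds an RFC 3164 syslog line (PRI = facility*8 + severity), sends it to port 514 over UDP and greps the collector's log for the marker. It assumes bash (for /dev/udp), that you run it on the collector itself or pass the collector's address, and that rsyslog writes received user.notice messages to /var/log/syslog (the Ubuntu default); the hostname and marker in the probe are constructed at run time.

```shell
#!/bin/bash
# Added example (not from the original post): verify that the rsyslog UDP listener
# is receiving messages by sending a uniquely tagged RFC 3164 probe and then
# looking for it in the collector's syslog file.
# Assumptions: bash (for /dev/udp), collector address given or 127.0.0.1, and
# received user.notice messages landing in /var/log/syslog (Ubuntu default).

# syslog_pri FACILITY SEVERITY -> prints the RFC 3164 PRI value (facility*8 + severity)
syslog_pri() {
    local fac sev
    case "$1" in
        kern) fac=0 ;;    user) fac=1 ;;    mail) fac=2 ;;    daemon) fac=3 ;;
        auth) fac=4 ;;    syslog) fac=5 ;;  authpriv) fac=10 ;;
        local0) fac=16 ;; local1) fac=17 ;; local2) fac=18 ;; local3) fac=19 ;;
        local4) fac=20 ;; local5) fac=21 ;; local6) fac=22 ;; local7) fac=23 ;;
        *) return 1 ;;
    esac
    case "$2" in
        emerg) sev=0 ;;   alert) sev=1 ;;   crit) sev=2 ;;    err) sev=3 ;;
        warning) sev=4 ;; notice) sev=5 ;;  info) sev=6 ;;    debug) sev=7 ;;
        *) return 1 ;;
    esac
    echo $((fac * 8 + sev))
}

# syslog_message FACILITY SEVERITY HOSTNAME TAG MESSAGE [TIMESTAMP]
# Builds one RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MESSAGE
# The timestamp defaults to now; pass one explicitly for reproducible output.
syslog_message() {
    local pri ts
    pri="$(syslog_pri "$1" "$2")" || return 1
    ts="${6:-$(date '+%b %e %H:%M:%S')}"
    printf '<%s>%s %s %s: %s' "$pri" "$ts" "$3" "$4" "$5"
}

# send_syslog HOST MESSAGE -> one UDP datagram to HOST:514 through bash's /dev/udp
send_syslog() {
    printf '%s' "$2" > "/dev/udp/$1/514"
}

# probe_collector [HOST] [LOGFILE]
# Sends a probe carrying a unique marker, gives rsyslog a moment to write it out,
# then greps LOGFILE for it. Returns 0 if the marker shows up, 1 otherwise.
probe_collector() {
    local host="${1:-127.0.0.1}" logfile="${2:-/var/log/syslog}"
    local marker="loganalyzer-probe-$$-$(date +%s)"
    send_syslog "$host" "$(syslog_message user notice "$(hostname)" probe "$marker")"
    sleep 1
    grep -q "$marker" "$logfile"
}

# Usage, on the collector itself:
#   probe_collector && echo "listener OK" || echo "probe not found in /var/log/syslog"
```

If the probe never shows up, check in this order: rsyslog restarted after the edit, 514/udp open on the collector's firewall, and the collector actually routing user.notice to /var/log/syslog in /etc/rsyslog.d/50-default.conf. The same marker is what you then search for in the LogAnalyzer web page to confirm the front end is reading the right file.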