Archive

Post-RHCE: Studying for RHCSS, part 1 of 3: Network Services

Beyond RHCE, Red Hat offers “certificates of expertise” which, when stacked together, become advanced certifications.

The RHCSS, Red Hat Certified Security Specialist, requires three exams:

| Course | Length | Course Fee | Exam |
|---|---|---|---|
| RHS333 Network Services | 4 days | $2,898 | EX333 |
| RH423 Directory Services and Authentication | 4 days | $2,898 | EX423 |
| RHS429 SELinux Policy Administration | 4 days | $2,898 | EX429 |

The RHCDS, Red Hat Certified Datacenter Specialist, requires three exams:

| Course | Length | Course Fee | Exam |
|---|---|---|---|
| RH401 Deployment, Virtualization & Systems Mgmt | 4 days | $2,898 | EX333 |
| RH423 Directory Services and Authentication | 4 days | $2,898 | EX423 |
| RHS436 Clustering and Storage Mgmt | 4 days | $3,998 | EX429 |

The RHCA is the ultimate commercial-facing certification in the Red Hat family (there are further certs available for trainers and those conducting examinations, but to me those fall into the “academic” classification). RHCA requires five exams: the three from the RHCDS cert, one from the RHCSS cert, and one additional:

| Course | Length | Course Fee | Exam |
|---|---|---|---|
| RHS333 Network Services | 4 days | $2,898 | EX333 |
| RH401 Deployment, Virtualization & Systems Mgmt | 4 days | $2,898 | EX333 |
| RH423 Directory Services and Authentication | 4 days | $2,898 | EX423 |
| RHS436 Clustering and Storage Mgmt | 4 days | $3,998 | EX429 |
| RH442 System Monitoring and Performance Tuning | 4 days | $2,898 | EX429 |

For now, let’s focus on the RHCSS, and more granularly on the first exam of the trifecta required for the RHCSS, the Network Services exam. Since there is an overwhelming lack of curriculum, study guides, etc., online or in print, I present here the objectives from Red Hat’s own course description, along with links to books that will most certainly aid in your studying and serve as permanent references on the relevant topics.

RHS333: Red Hat Enterprise Security: Network Services

What you will learn:

RHS333 goes beyond the essential security coverage offered in the RHCE curriculum and delves deeper into the security features, capabilities, and risks associated with the most commonly deployed services. Among the topics covered in this four-day, hands-on course are the following:

1. The Threat Model and Protection Methods
* Internet threat model and the attacker’s plan
* System security and service availability
* An overview of protection mechanisms
2. Basic Service Security
* SELinux
* Host-based access control
* Firewalls using Netfilter and iptables
* TCP wrappers
* xinetd and service limits
3. Cryptography
* Overview of cryptographic techniques
* Management of SSL certificates
* Using GnuPG
4. Logging and NTP
* Time synchronization with NTP
* Logging: syslog and its weaknesses
* Protecting log servers
5. BIND and DNS Security
* BIND vulnerabilities
* DNS Security: attacks on DNS
* Access control lists
* Transaction signatures
* Restricting zone transfers and recursive queries
* DNS Topologies
* Bogus servers and blackholes
* Views
* Monitoring and logging
* Dynamic DNS security
6. Network Authentication: RPC, NIS, and Kerberos
* Vulnerabilities
* Network-managed users and account management
* RPC and NIS security issues
* Improving NIS security
* Using Kerberos authentication
* Debugging Kerberized Services
* Kerberos Cross-Realm Trust
* Kerberos Encryption
7. Network File System
* Overview of NFS versions 2, 3, and 4
* Security in NFS versions 2 and 3
* Improvements in security in NFS4
* Troubleshooting NFS4
* Client-side mount options
8. OpenSSH
* Vulnerabilities
* Server configuration and the SSH protocols
* Authentication and access control
* Client-side security
* Protecting private keys
* Port-forwarding and X11-forwarding issues
9. Electronic Mail with Sendmail
* Vulnerabilities
* Server topologies
* Email encryption
* Access control and STARTTLS
* Anti-spam mechanisms
10. Postfix
* Vulnerabilities
* Security and Postfix design
* Configuring SASL/TLS
11. FTP
* Vulnerabilities
* The FTP protocol and FTP servers
* Logging
* Anonymous FTP
* Access control
12. Apache security
* Vulnerabilities
* Access control
* Authentication: files, passwords, Kerberos
* Security implications of common configuration options
* CGI security
* Server side includes
* suEXEC
13. Intrusion Detection and Recovery
* Intrusion risks
* Security policy
* Detecting possible intrusions
* Monitoring network traffic and open ports
* Detecting modified files
* Investigating and verifying detected intrusions
* Recovering from, reporting, and documenting intrusions

CBL blocks the good guys (temporarily)

Welcome to the real world, CBL. We understand, it’s not your fault. These things happen. We all have to do so much work to continue blocking the s**tball, beheading-candidate spammers that continuously deluge our mailboxes with advertisements for cheap diplomas, erection subsidizers and pump-and-dump stock scams, that it’s easy to misfire once in a while.

From their website:

2008-04-10 CBL Listing Problem: Commencing at approximately 5AM UTC on 2008-04-10, and lasting as much as 5 hours in some cases, a technical problem in one of our contributory feeds resulted in a number of invalid CBL listings, including some corresponding to servers at a few ISPs and other sites.

The feed was removed from operation as soon as we became aware of the issue and have purged all the IPs it listed in the last 48 hours as a precaution. We have verified that this has taken effect in everything the CBL publishes. Here at the CBL we take false positives extremely seriously, and we do apologize for this issue. We have taken steps to ensure that this cannot happen again in the future.

To further ensure the problem is resolved everywhere, we advise the relatively small number of email administrators who retrieve their copy of the CBL via zone transfer to ensure that they have fetched the CBL at least once after 10:30AM UTC on 2008-04-10 to ensure that the erroneous listings have been purged from their systems. Note that the vast majority of sites use the CBL via direct DNSBL query or zone transfers every 2 hours or less, and thus no action is necessary.

Virtualization Strategies, Part 1: Introduction and groundwork

Ready to take the plunge into VMware? Like the idea of server consolidation but don’t know where to start? Here’s a quick primer, that might save you some research time.

Hosts and Guests

A Host is the base operating system of the physical server. A Guest is an installed virtual machine server. Generally speaking, the Host operating system is independent of the Guest operating systems, and once you have a host system running, you can run just about any operating system inside of it as a Guest.

Choose Your Platform and Virtualization Software

I combined these two tasks because platform is often dependent on virtualization software. Xen uses Unix/Linux based Hosts, VMware uses Windows or Linux, Microsoft VM uses a Microsoft base. Parallels has products for Windows, Linux and even Mac, and seems to be growing, but it remains to be seen where their products will eventually converge focus. Parallels products include Parallels Desktop for Mac, Parallels Workstation, which seems to be comparable to VMware Workstation, and Parallels Virtuozzo, which was SWSoft’s virtualization product. SWSoft’s aggressive marketing led to fairly deep penetration in the large hosting provider markets, so Parallels may have a shot at serious competition in this arena.

I know that being RHCE-certified means I should be rocking Xen, but I haven’t gotten my feet wet in it yet. I have, however, heard good things about its virtualization methodology. Ask me again in a couple of weeks, or feel free to discuss your experiences in comments.

My primary focus has been VMware. There are things I really like about VMware. I’ve been happy with performance so far, even in just the Workstation version, but especially under ESX. There are plenty of comparisons out there between VMware, Microsoft Virtual Server and/or Xen, but they are largely unscientific and anecdotal, and some don’t even specify which version of VMware is being used. The consensus seems to be that Xen is faster than VMware (probably Workstation) which is faster than Microsoft Virtual Server.

For workstation-based Virtual Machine solutions, my preference is to house everything on a Unix or Linux base, with no graphical interface, reducing overhead. More specifically, my current preference is a CentOS base, and I’ll tell you why. Under Red Hat and Fedora-based systems, VMware generally needs to compile the VMMON for the working kernel. Because Fedora kernel updates are so frequent, this means that you will be running vmware-config.pl frequently to recompile vmmon, etc. CentOS is directly derivative of Red Hat Enterprise Linux (RHEL), and features far fewer kernel updates. There is a trade-off, of course, if you need to use things on the same PC which require newer kernel features. I have heard from a colleague that Debian’s approach may be a bit more sane in terms of its packaging these things (NVidia drivers have the same underlying problem of needing a recompile during kernel upgrades, and Debian may have conquered that as well) but again, I have not yet experienced it. I have a fundamental shortage of servers and time to do this type of research.

If you’ve read this far, you’ve read enough for today. I’ll continue this at a later date.

New job, and refocused priorities, and finally my weather is here.

So I’ve got a new job, working for a security consulting company in northern Virginia. I’m working with a bunch of really sharp guys, using a lot of great advanced technology. It’s exciting.

Meanwhile, I’m also studying for more advanced certifications, although I haven’t nailed down exactly where to take it just yet. I think I may ultimately continue down the Red Hat path for a while, aiming eventually for RHCA, which would end up costing at least $4,500 for the exams alone. I function better on self-study than on classroom curriculum, which is good, because the classes for this series would cost a total of around $19K if I took them all. The tactic I’m using is to write articles on isp-guru.com as study aids, and then study the materials myself. I find that teaching helps me to learn. So regardless of whether anyone actually reads it, if I write as if I have an audience, then I fulfill multiple purposes: (1) I help myself learn; (2) I potentially help others; and (3) in the spirit of “if you build it, they will come,” I build up one of my sites which has been monetized for advertising, and hopefully populate it with useful materials for actual studying. I started with the first three articles for studying for the RHCSS cert (Red Hat Certified Security Specialist), which are set for release over the next few days. If things work out, I may be able to consider writing a study guide for that cert.

I’ll be working on my kayak some more this weekend. The plan is to install the deckbeam and carlins. After that is complete, I will be able to turn it over and snip the wires. Then I can begin the process of sanding in preparation for glassing the hull.

I’m really happy with the weather over the past couple of days. If I can just line my commute up properly with traffic situations, I’ll be sitting pretty. Sitting in the rush hour bumper-to-bumper in the heat SUCKS on a motorcycle.

Damned activation keys…

So you’re about to rebuild your WinXP system on another box, but you can’t find all those damned product activation keys. How annoying. You’ve got the software working already, you just need to activate the products on the other box. Enter RockXP, a tool that lets you quickly scan and recover all installed MS product activation keys on your Windows box. I ran it yesterday on one of my XP VMs, and recovered activation keys for XP, Office XP 2003 Pro, and Visio 2003 Pro, all within seconds. Good times. Thanks, Stephen, for cluing me in to that one.

More Fredericksburg Art…

Friday night we went to a wine tasting with friends. After getting our drink on, we traipsed over to Libertytown to see Mirinda’s latest painting. It was Darryl who pointed out the familiar location of the setting of the painting. It was the rear patio seating area at the Kenmore Inn, where we’ve had drinks a few times. I don’t know why I didn’t catch it at first. Perhaps I was trying to understand the significance of the deviled eggs.

Big changes…

I’m back on two wheels again. I’m about to start a new job, so I had to pick up some transportation. I ended up picking up my brother-in-law’s 2006 Honda VTX 1300. It’s like my last bike’s big sister. 200cc bigger in engine displacement, with the same custom cruiser stylings. Custom paint job (maroon with ghost flames), plenty of chrome, a windshield, a backrest, and custom pipes (I believe they are Bub Jug Huggers) that are assertively loud. Stock Honda pipes always make the bike sound like the Jetsons’ car.

It’s very nicely balanced, it feels really comfortable to ride, and inspires confidence. I’ll need it. My commute is some 60 miles, and the train is no longer an option. I keep telling myself the career opportunity and the money make it worth it. The commute isn’t bad, really. I’ll just feel a little better when I have an alternative besides the bike, for wet weather.

New Bike

Boat progress

I finally got around to working on my kayak again. When I last updated here, I had completed all of the stitching, and was awaiting the “glue phase.” Then I got distracted for, I dunno, a year or so. Today I went down and filleted and glassed the chines, and gave the entire interior a coat of epoxy - bow, stern and cockpit. Now it cures for 72 hours, at which point I can give it a second coat of epoxy and then move on to the next phase… whatever that is.

Right now, despite a half hour of scrubbing and a half hour of picking, I still have a bunch of epoxy on my hands. Man, I hate epoxy. I’ll try and put up a picture tomorrow.

Secrets of the famed Red Hat RHCE Exam…

Gotcha. No secrets here. Once you’ve worked that hard and endured that stress-ball of an examination, second only to Cisco’s CCIE Lab in terms of mental strain, you will NOT want to risk losing it by violating Red Hat’s confidentiality agreement. They can sue you, too, so you won’t even want to do it for money.

I sat for the exam yesterday. I arrived early, as it was in the center of traffic hell in Tysons Corner. I picked up a drink at the Blimpie (THEY HAVE A BLIMPIE IN THE BUILDING. HOW COOL IS THAT?) There were maybe ten of us total. I’m pretty sure everyone I spoke with had taken it once before. I had not. I have, however, sat for MANY other exams, so I wasn’t intimidated. It COULDN’T be as hard as CCIE, right? RIGHT??? No cell phones during the exam. Check. No students from Syria, Iran, or a few other hostile countries may sit for the exam. Something about encryption export regulations, he said. Maybe they don’t want any of them obtaining the cert, for which they will be actively recruiting shortly. That could be a good sign. “They” being high-dollar employers, hopefully.

First part, break-fix. Instant feedback. Nailed it 100%. Called home for congratulations. Catered lunch. Would it violate the CA to discuss the coffee and lunchmeat varieties available? Yummy.

Second part, install-config. I swear, I touched EVERY technology I could think of during this portion. I approached it by making circles next to each task, putting a dot when I thought they were done, filling them in when they had been tested as well as possible after reboot. I was surprised when I had been through all tasks and still had 35 minutes left. I used the time to double-check each task after another reboot, making checkmarks down the left side of my pages.

Training? Nil. I used Red Hat’s own exam/course objectives as a guideline, alternating between the Red Hat Deployment Guide and Jang’s study guide (updated for RHEL 5), spending the last two days cramming on the subjects in which I knew I was weak, and practicing break/fix scenarios in VMWare machines on my laptop. It’s easy to solve a problem when you know what caused it, BUT… if you DO it enough times, you will recognize the symptoms right away and find the solution immediately.

I called home again to report that I felt really positive about the experience, especially after nailing the first half. I was pretty positive that I had nailed the second half as well, but since some of it wasn’t described quite as clearly as I would have liked, and some of it was virtually untestable, I wondered how much that could potentially take off of my score.

I got home and immediately checked my email. First half: 100% as expected. Second half: RHCT portion, 93%. RHCE portion, 89%. WELL within the passing range. I didn’t just pass, I kicked its ass.

I wish I could tell you exactly what you need to know to pass that exam. All I can tell you, honestly, is do what I did, and be prepared to know EVERYTHING. It’s that kind of exam. They WILL test you on objectives in which you are weak. So don’t be weak.

RHCE

I had a good day today.

Section 1: 100%

Section 2: 93% on RHCT requirements, and 89% on the RHCE requirements.
