Migrating from Zimbra to Zimbra (ZCS to ZCS)

There can be a number of reasons for migrating from one mail server to another, the most common being running low on disk storage. Another is the need for a failover mail server in case a catastrophic event takes the active email server down.

In other words, the same technique can be used to create a clone of your currently running email server to ensure redundancy.

In order to have virtually zero downtime, we will proceed as follows:

  1. Set the DNS TTL of the records pertinent to the mail server (the MX record and the A record users connect to) to the shortest possible time. Ideally this is done a day before the cutover, so that resolvers still caching the old, longer TTL have expired it by then.
  2. Prepare a fully working new server.
  3. Import all existing domains from the old server.
  4. Import all existing accounts, passwords, distribution lists and aliases from the old server.
  5. Move all DNS pointers and firewall port forwards to the new server, or leave the DNS pointers as they are and simply swap the servers' IP addresses (old to new, new to old; more about this later).
  6. Make sure that new mail is arriving on the new server.
  7. Make sure users are able to connect to and use the new server.
  8. Export the mailbox data from the old server and import it into the new one while the new server is running.

1. Preparing the new server

Go ahead and install Zimbra on the new server. Make sure to use the same version as the one on your old mail server. You can follow the guide here. You will need to set up the new mail server with the same settings as the old server, but with a different IP address and server hostname.

In case you have more than one domain on your old mail server, create only one main domain on the new mail server, as the other domains will be imported during the course of the migration.

Remember that if you intend to install a Let's Encrypt certificate later on (not covered in this post), your server hostname needs to be the same as the name users connect to, such as webmail.domain.com. It is commonplace for people to use webmail.domain.com.

Warning: most of the commands executed during export, and more importantly during import, may take hours. They should be run directly from a console session. If you have absolutely no choice but to run them remotely, start them inside a "screen" session so that, if the SSH connection is interrupted, you can reattach to the session (screen -r) without disrupting any running scripts.

2. The export phase

Before we begin the export, we need to make sure we have enough storage space that can be reached from both the old and the new server. The old server may have enough free space for the export, but if it does not, the way to go is to export an NFS share from the new server (which, being new, should have plenty of free space) and mount it on the old server as the intermediate storage. Restrict that export to the old server's IP address in /etc/exports rather than exporting it to the world; exported mailboxes and password hashes must not be readable by anyone who can reach the NFS port. Other options include an external USB drive, a network-attached storage device, etc.

Continue reading “Migrating from Zimbra to Zimbra (ZCS to ZCS)”
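The directory export and import (steps 3 and 4 of the outline) and the mailbox move (step 8), as an added example that is not part of the original post. It uses Zimbra's own zmprov and zmmailbox tools, which must be run as the zimbra user. EXPORT_DIR (assumed to be the shared NFS mount described above), the /opt/zimbra paths, and the idea of skipping the one domain that already exists on the new server are assumptions to adjust. The batch-building function is plain text processing, so it can be checked on any machine before anything touches the new server; run the export on the old server first and inspect the text files it produces.

```shell
#!/bin/bash
# Added example, not from the original post.  Run export_* on the OLD server
# and import_* on the NEW one, all as the zimbra user.
# Assumptions: EXPORT_DIR is shared between both servers (the NFS mount from
# the text), Zimbra lives in /opt/zimbra.
set -u
EXPORT_DIR="${EXPORT_DIR:-/mnt/migration}"
ZMPROV="${ZMPROV:-/opt/zimbra/bin/zmprov}"
ZMMAILBOX="${ZMMAILBOX:-/opt/zimbra/bin/zmmailbox}"

# OLD server: dump domains, accounts, password hashes, aliases and lists.
# "-l" talks to LDAP directly instead of going through SOAP, which is faster.
export_directory() {
    local acct dl
    mkdir -p "$EXPORT_DIR"
    "$ZMPROV" -l gad  > "$EXPORT_DIR/domains.txt"
    "$ZMPROV" -l gaa  > "$EXPORT_DIR/accounts.txt"
    "$ZMPROV" -l gadl > "$EXPORT_DIR/lists.txt"
    : > "$EXPORT_DIR/passwords.txt"; : > "$EXPORT_DIR/aliases.txt"; : > "$EXPORT_DIR/members.txt"
    while IFS= read -r acct; do
        # only the stored hash ({SSHA}...) leaves LDAP, never a clear-text password
        "$ZMPROV" -l ga "$acct" userPassword    | awk -v a="$acct" '/^userPassword:/    {print a, $2}' >> "$EXPORT_DIR/passwords.txt"
        "$ZMPROV" -l ga "$acct" zimbraMailAlias | awk -v a="$acct" '/^zimbraMailAlias:/ {print a, $2}' >> "$EXPORT_DIR/aliases.txt"
    done < "$EXPORT_DIR/accounts.txt"
    while IFS= read -r dl; do
        "$ZMPROV" -l gdl "$dl" zimbraMailForwardingAddress | awk -v d="$dl" '/^zimbraMailForwardingAddress:/ {print d, $2}' >> "$EXPORT_DIR/members.txt"
    done < "$EXPORT_DIR/lists.txt"
    chmod 600 "$EXPORT_DIR"/*.txt   # the hashes are still credentials; keep them private
}

# Pure text processing: turn the exported files into one zmprov batch.
# Order matters: domains first, then accounts, then aliases and lists.
# The optional second argument is the domain already created on the new
# server at install time; "cd" on an existing domain would fail.
build_import_batch() {   # build_import_batch DIR [EXISTING_DOMAIN] > import.zmprov
    local dir=$1 existing=${2:-} d acct hash alias dl m tmp
    while IFS= read -r d || [ -n "$d" ]; do
        [ -n "$d" ] && [ "$d" != "$existing" ] && printf 'cd %s\n' "$d"
    done < "$dir/domains.txt"
    while read -r acct hash || [ -n "$acct" ]; do
        [ -n "$acct" ] || continue
        # create the account with a throw-away random password, then replace it
        # with the old hash so users keep their passwords without us knowing them
        tmp=$(head -c 18 /dev/urandom | base64 | tr -d '/+=')
        printf 'ca %s %s\n' "$acct" "$tmp"
        printf 'ma %s userPassword %s\n' "$acct" "$hash"
    done < "$dir/passwords.txt"
    while read -r acct alias || [ -n "$acct" ]; do
        [ -n "$alias" ] && printf 'aaa %s %s\n' "$acct" "$alias"
    done < "$dir/aliases.txt"
    while IFS= read -r dl || [ -n "$dl" ]; do
        [ -n "$dl" ] && printf 'cdl %s\n' "$dl"
    done < "$dir/lists.txt"
    while read -r dl m || [ -n "$dl" ]; do
        [ -n "$m" ] && printf 'adlm %s %s\n' "$dl" "$m"
    done < "$dir/members.txt"
    return 0
}

# NEW server: apply the batch (zmprov -f reads its commands from a file).
import_directory() {   # import_directory [EXISTING_DOMAIN]
    build_import_batch "$EXPORT_DIR" "${1:-}" > "$EXPORT_DIR/import.zmprov"
    "$ZMPROV" -f "$EXPORT_DIR/import.zmprov"
}

# OLD server: one tgz per mailbox (mail, contacts, calendars, ...).
export_mailboxes() {
    local acct
    mkdir -p "$EXPORT_DIR/mailboxes"
    while IFS= read -r acct; do
        "$ZMMAILBOX" -z -m "$acct" getRestURL "//?fmt=tgz" > "$EXPORT_DIR/mailboxes/$acct.tgz"
    done < "$EXPORT_DIR/accounts.txt"
}

# NEW server, after mail is already flowing there: resolve=skip leaves items
# that already exist untouched, so this can run while users keep working.
import_mailboxes() {
    local acct
    while IFS= read -r acct; do
        "$ZMMAILBOX" -z -m "$acct" postRestURL "//?fmt=tgz&resolve=skip" "$EXPORT_DIR/mailboxes/$acct.tgz"
    done < "$EXPORT_DIR/accounts.txt"
}
```

Only the essentials named in the outline are copied (domains, accounts, password hashes, aliases, lists); class of service, quotas and display names are further zmprov attributes you would add to the same batch in a real migration. Because the import re-creates accounts before setting the old hash, run it under screen on the console as the warning above says, and delete the export directory once the new server is verified, since it holds every user's password hash.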

Installing and configuring Cacti on Ubuntu to monitor the network

In a recent article, https://blog.renu.ac.ug/index.php/2020/06/17/using-Cacti-to-monitor-your-bandwidth-consumption/, we learnt how to monitor bandwidth consumption using Cacti, on the assumption that your service provider had given you access to the Cacti instance they use to monitor your consumption.

In this article, we shall learn how to install and configure Cacti on your own server either on premise or in the cloud.

Our installation focus is going to be on Ubuntu. Cacti can also be installed on Windows, but that requires a lot more supporting software than on Linux; if you want to install it on Windows, use the link below:

https://subscription.packtpub.com/book/networking_and_servers/9781788299183/1/ch01lvl1sec11/installing-Cacti-on-a-windows-system

With your own Cacti you will be able to monitor not only the bandwidth consumption but also the state (up or down) of your devices and how long they have been in that state.

Continue reading “Installing and configuring cacti on ubuntu to monitor the network”

Intel Reports

Accessible RDP

This report identifies hosts that have the Remote Desktop (RDP) service running and accessible to the world on the Internet. Misconfigured RDP can give miscreants access to the desktop of a vulnerable host, and also allows information gathering on a target host, as the SSL certificate used by RDP often contains the system's trivial hostname.

Remedy: Stop RDP from being world accessible by applying firewall rules either at the border or on the server itself, and reach it through a VPN instead.

Accessible Telnet

This report identifies hosts that have a Telnet instance running on port 23/TCP that is accessible on the Internet. Telnet provides no encryption and may expose sensitive information or system credentials to anyone on the network path.

Remedy: Disable the Telnet service and use a secure protocol such as SSH in its place, or firewall the Telnet service so that it is reachable only from the management network.

SSL Scan

This report identifies hosts that allow the use of SSL v3.0 with cipher-block chaining (CBC) mode ciphers, which are vulnerable to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. See US-CERT alert TA14-290A at https://www.us-cert.gov/ncas/alerts/TA14-290A for more information on this vulnerability and exploit.

Statistics for these servers can be found here.

Remedy: Disable SSLv3 and use TLS only. Patching OpenSSL (which adds TLS_FALLBACK_SCSV) only stops the downgrade for clients that also support it; it does not make SSLv3 itself safe to keep enabled.

Compromised Websites

This report is a list of all the websites we, or our collaboration partners, have been able to identify and verify as compromised. These websites might be used for sending spam, participating in DDoS attacks, redirecting users to exploit kits, etc.

A large subset of these compromises are caused by outdated versions of CMSes such as Joomla/Drupal/WordPress (or plugins for these) and by weak or keylogged FTP credentials.

As always, there is no guarantee that there are no additional infections/compromises on any IP we report on. We have seen several different criminal groups abusing the same compromised system for different purposes: the same IP/domain that is hosting a spambot may also be used for infecting unsuspecting users. We recommend investigating systems with the assumption that there are more compromises on them than what is reported.

Remedy: Upgrade the CMS and all of its plugins, change the FTP and CMS administrator credentials from a clean machine (keylogged credentials are harvested from infected workstations, and plain FTP sends them in the clear, so prefer SFTP), and remove whatever the intruder left behind (web shells, injected redirects), reinstalling from a known-good copy if in doubt.

Open IPMI

This report identifies hosts that have the Intelligent Platform Management Interface (IPMI) service open (port 623/UDP) and accessible from the Internet.

IPMI is the base of most of the Out Of Band / Lights Out management suites and is implemented by the server’s Baseboard Management Controller (BMC). The BMC has near complete access and control of the server’s resources, including, but not limited to, memory, power, and storage. Anyone that can control your BMC (via IPMI), can control your server.

IPMI instances in general are known to contain a variety of vulnerabilities, some more serious than others. In short, you really do not want to expose IPMI to the Internet. If you are not convinced yet, please take a look at the excellent work by Dan Farmer on IPMI security issues at http://fish2.com/ipmi/ and US-CERT alert TA13-207A at https://www.us-cert.gov/ncas/alerts/TA13-207A

Statistics for these servers can be found here.

Remedy:

  • Restrict IPMI to internal management networks (a dedicated VLAN reachable only from administrators' hosts or through a VPN)
  • Utilize strong passwords and change the vendor defaults
  • Encrypt the traffic
  • Require authentication and disable anonymous logins

Open Memcached

This report identifies hosts that have the Memcached key-value store (see memcached.org for more information) running and accessible on the Internet. Since this service does not support authentication, any entity that can access the Memcached instance has complete control over the key-value store.

In addition, instances of Memcached that are accessible via UDP may be abused in amplification-style denial of service attacks.

Remedy:

  • Bind Memcached to a local interface (memcached -l 127.0.0.1, or the address on the internal network that the application servers use)
  • Disable the UDP listener if it is not required (memcached -U 0; UDP is off by default from version 1.5.6 onwards)
  • Protect your server with conventional network security best practices, such as firewalling access to Memcached so that only the application servers can reach it
  • Install available security updates

SSL Freak Scan

This report identifies hosts that allow the use of SSL/TLS with RSA_EXPORT ciphers (aka "export-grade" encryption). Hosts offering these weakened ciphers expose their clients to a man-in-the-middle attack that forces a browser to use a weak (512-bit) export key, which is easily factored. This is called a FREAK (Factoring RSA Export Keys) attack. More information on the FREAK attack can be found at https://www.smacktls.com and https://www.digicert.com/blog/freak-attack-need-know/

Remedy

  • Disable support for all export-grade cipher suites on your servers.
  • Patch OpenSSL (the client-side bug that accepted an export key when no export suite had been negotiated)
  • On the client side, patch the browsers

Open Portmapper

This report identifies hosts that have the Portmapper service (see Wikipedia for general information on this service) running and accessible on the public Internet. This service has the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks (see US-CERT Alert TA14-017A and Level3's blog for more information).

In addition to being used in denial of service attacks, portmapper can be used to obtain a large amount of information about the target, including the NFS exports that are hosted by that device, if the mountd program is also accessible.

The analogous shell command to mimic our portmapper scan is:

rpcinfo -T udp -p [IP]

And the analogous shell command that mimics our probe of the mountd program is:

showmount -e [IP]

Remedy

  • Disable portmapper (rpcbind) where NFS/NIS are not needed; where they are, firewall 111/TCP, 111/UDP and the NFS ports from the Internet so that only the internal clients can reach them

Open mDNS

This report identifies hosts that have the mDNS service (see https://en.wikipedia.org/wiki/Multicast_DNS for more information) running and accessible from the Internet. mDNS can be probed in a unicast fashion and then responds much like a standard DNS server.

Our initial probe tests whether mDNS is accessible on the Internet and collects the information that it discloses, including a list of services that may be accessible via further mDNS probes. If a host is found to have the services "_workstation._tcp.local" or "_http._tcp.local" running, secondary probes are performed to collect whatever system information is returned. Some of the information that may be returned includes: the trivial name of the device, the IPv4 and IPv6 address(es) of the device (this may include RFC1918 addresses that are not meant to be leaked), MAC address information of the device, and potentially other information.

Remedy

  • Disable the mDNS service unless required
  • Restrict access to trusted clients, for example by blocking incoming traffic to port 5353/UDP on the firewall
  • On Ubuntu, apt-get remove avahi-daemon

Open LDAP

This report identifies hosts that have an LDAP instance running on port 389/UDP (connectionless LDAP, CLDAP) and accessible on the Internet. These hosts are often Active Directory domain controllers. In addition to allowing for a ~60x amplification vector, the data that is disclosed by the server could reveal large amounts of information about the network that the server resides on.

Remedy

  • Restrict LDAP access to only the services that require it; most times these are local services. Implement this with a firewall so that 389/UDP and 389/TCP are reachable only from the internal network

Accessible SMB

This report identifies hosts that have an SMB instance running on port 445/TCP and accessible on the Internet. This service should not be exposed to the Internet.

Remedy

  • Do not expose the SMB service to the Internet; restrict it to the networks where it is used

Accessible CiscoSmartInstall

This report identifies hosts that have the Cisco Smart Install feature running and accessible to the Internet at large. This feature can be used to read or potentially modify a switch's configuration.

More details can be found on Cisco's PSIRT blog.

Remedy

  • Cisco strongly recommends disabling the Smart Install feature with the no vstack configuration command. Where the feature is genuinely needed, restrict TCP port 4786 to the Smart Install director with an access list

DNS Scan (Open Resolver)

The Shadowserver Foundation is currently undertaking a project to search for publicly available recursive DNS servers. The goal of this project is to identify DNS servers that will send a reply to any IP address for domains that the DNS server is not authoritative for, and to report them back to the network owners for remediation.

These servers have the potential to be used in DNS amplification attacks and, if at all possible, we would like to see these services made unavailable to miscreants that would misuse these resources.

Remedy

  • Ensure that authoritative DNS servers only answer for the domains they are authoritative for and do not recurse
  • Recursive DNS servers should only do recursion for known networks, such as the institution's own

NTP Version

This report identifies NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. The NTP version command is a Mode 6 query for READVAR. While not as bad as the Mode 7 query for MONLIST, queries for READVAR will normally provide around 30x amplification.

To manually test whether a system is affected, you can use the command: ntpq -c rv [ip] (a properly restricted host does not answer and the command times out).

Statistics for these servers can be found here.

Instructions for restricting READVAR can be found here.

Remedy

  • Refuse mode 6 and mode 7 control queries from untrusted networks (restrict default ... noquery in ntp.conf); this keeps the time service itself working
  • Filter inbound 123/UDP at the border for hosts that are not meant to serve time to the Internet; blocking it on a public NTP server would also cut off legitimate clients

Open SNMP

This report identifies hosts with SNMPv2 publicly accessible and responding to the community "public", which have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. Statistics for these hosts can be found here.

The OID being probed for is 1.3.6.1.2.1.1.1.0 (sysDescr) and, if the host responds to that probe, the host is then probed for OID 1.3.6.1.2.1.1.5.0 (sysName). The analogous shell commands would be:

snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.1.0

snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.5.0

Remedy

  • Use a strong community string other than "public", and treat it as a password
  • Restrict SNMP (161/UDP) to the monitoring hosts with a firewall or the agent's own access list
  • Prefer SNMPv3 with authentication and privacy where the device supports it

Open NetBios

This report identifies hosts that have the NetBIOS name service running and accessible on the Internet. These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. Statistics for these hosts can be found here.

The analogous shell command (from a Windows box) to identify these hosts would be:

nbtstat -A [ip]

Remedy

  • Do not expose the NetBIOS service (137/UDP) to the Internet; restrict it to the networks where it is used

Open SSDP

This report identifies hosts that have the Simple Service Discovery Protocol (SSDP) running and accessible on the Internet. These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. Statistics for these hosts can be found here.

Remedy

  • Do not expose the SSDP service (1900/UDP) to the Internet; restrict it to the networks where it is used

Open TFTP

This report identifies hosts that have the TFTP service running and accessible on the Internet. Our probe tests whether the TFTP service is accessible and will either return the file that we are asking for or return an error code. We are not testing whether file upload is enabled.

Please note that, unlike other UDP services that we test for, the response from TFTP is often received on a port that is different from the one queried: probes sent to a host on port 69/UDP may generate responses sourced from ephemeral high ports, so a stateless filter on port 69 alone will not see them.

Remedy

  • Do not expose the TFTP service (69/UDP) to the Internet; restrict it to the network where it is used, or disable it if it is not required

Open HTTP

This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) running on some port and accessible on the Internet.

Remedy

  • This report is just informational, but where it is not required, disable the HTTP service

Open NATPMP

This report identifies hosts that have the NAT Port Mapping Protocol (NAT-PMP) running and accessible on the Internet. These services have the potential to expose information about the client network on which the service is accessible. Information on this vulnerability can be found here.

Remedy

  • Deploy firewall rules to block untrusted hosts from being able to access port 5351/UDP.
  • Consider disabling NAT-PMP on the device if it is not absolutely necessary.

Open MSSQL

This report identifies hosts that have the MS-SQL Server Resolution Service (1434/UDP) running and accessible on the Internet. This service has the potential to expose information about the client network on which it is accessible, and it can itself be used in UDP amplification attacks.

Remedy

  • Deploy firewall rules to block untrusted hosts from being able to access MS-SQL Server, including 1434/UDP

Vulnerable ISAKMP

This report identifies hosts that have a vulnerable IKE service accessible on the Internet. For more information please see the Cisco Security Advisory.

Remedy

  • Apply the fixed software release referenced in the advisory.
  • Implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
  • You are advised to monitor affected systems.

Botnet

This report contains a list of IPs that may have been compromised and are now part of a larger bot network.

Remedy

  • Identify the actual host behind the reported IP (NAT and DHCP logs for the reported timestamp) and monitor it for suspect traffic to and from the system
  • Apply security patches to the applications running on the affected systems, and clean or re-image the host if malware is found

Sinkhole HTTP Drone

These IP addresses are all the devices that connected to the Shadowserver sinkhole server without arriving through an HTTP referrer. Since the sinkhole server is only reached through previously malicious domain names, only infected systems or security researchers should be seen in this list.

Remedy

  • Identify the host behind the reported IP and monitor it for suspect traffic to and from the system
  • Apply firewall filters on the server to allow only required traffic, and clean the infected host

Drone Bruteforce

This report identifies hosts that have been observed performing brute force attacks.

Remedy

  • Identify the host behind the reported IP and monitor it for suspect traffic to and from the system
  • Apply firewall filters on the server to allow only required traffic, and clean the host that is doing the brute forcing

Blacklist

This report is the aggregation of a variety of different Blacklist providers. The purpose in sharing this information is to alert the end-users that specific IP addresses of theirs have been flagged by providers as possibly malicious and different services might be impacted because of this blacklisting. The option to remove any system from a blacklist will vary by the provider. Some will have a well documented process and some will demand payment for removal.

Remedy

  • Identify the blacklisted host and use blacklist provider steps to delist its IP address. Identification can also help in determining the real cause of the blacklist

Darknet

A darknet is a portion of a network, a routed range of IP addresses in which there are no active servers or services, so no legitimate packet should ever be sent into that address space. Systems seen sending traffic into it are most likely scanning or otherwise generating suspicious traffic, which is a sign of compromise.

Remedy

  • Monitor the affected systems for any suspect traffic to and from the system; if there are applications generating this traffic, apply patches or disable them where unnecessary.

Configuration of Radsecproxy with f-ticks

  1. Download the radsecproxy and nettle tarballs from the Internet (nettle provides the hashing that the F-Ticks code needs; the versions below are the ones used when this was written).
  2. Extract the tar files:
    # tar -xvf radsecproxy-1.6.5.tar.gz
    # tar -xvf nettle-2.7.1.tar.gz
  3. Move into the nettle folder:
    # cd nettle-2.7.1
  4. Install the gcc compiler, which is nettle's prerequisite:
    # yum install gcc
  5. Build nettle:
    # ./configure --prefix=/usr && make
  6. To test the results, issue:
    # make check
  7. Now, as the root user:
    # make install
  8. Move into the radsecproxy folder (one level up from the nettle folder):
    # cd ../radsecproxy-1.6.5
  9. Configure with F-Ticks support, then build, test and install:
    # ./configure --enable-fticks
    # make
    # make check
    # make install
  10. Put the radsecproxy configuration file in the /usr/local/etc/ folder. It contains RADIUS shared secrets and the F-Ticks key, so keep it readable by root only:
    # cp radsecproxy.conf /usr/local/etc/
    # chmod 600 /usr/local/etc/radsecproxy.conf
  11. Start radsecproxy:
    # radsecproxy
  12. Install the Apache web server:
    # yum install httpd
  13. Open the file httpd.conf:
    # vim /etc/httpd/conf/httpd.conf
  14. Uncomment NameVirtualHost and put the IP of the server in place of *, e.g. NameVirtualHost IP-OF-THE-MACHINE:80 (this directive belongs to Apache 2.2; on Apache 2.4, as shipped with CentOS 7, it is not needed and is ignored).
  15. In the VirtualHost block, edit:
    <VirtualHost IP-OF-THE-MACHINE:80>
    ServerAdmin root@IP-OF-THE-MACHINE
    DocumentRoot /radsecproxy-1.6.5/
    ServerName IP-OF-THE-MACHINE
    </VirtualHost>
    Note that this DocumentRoot publishes the whole extracted source tree. Point it at a directory holding only the f-ticks material you want to publish, and restrict the virtual host to your own networks (Require ip on Apache 2.4, Allow from on 2.2): F-Ticks records show which realms and visited institutions your users authenticate against.
  16. Check it in a browser at http://IP-OF-THE-MACHINE/f-ticks
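The configuration file that step 10 copies into place is not shown above. As an added example (not part of the original page, and not radsecproxy's own sample file), the script below writes a minimal radsecproxy.conf with F-Ticks reporting enabled and asks radsecproxy itself to parse it before step 11 starts the daemon. The addresses, hostnames, secrets, certificate paths and realm are assumptions to replace with your own; the directive names are those of radsecproxy 1.6.

```shell
#!/bin/bash
# Added example, not from the original page: generates the radsecproxy.conf
# that step 10 copies into /usr/local/etc/, with F-Ticks reporting enabled,
# and asks radsecproxy itself to parse it (-p) before step 11 starts the daemon.
# Every address, hostname, secret, path and realm below is an assumption.
set -u

# F-Ticks reports MAC addresses hashed with a per-site key.  Generate the key
# once and keep it: changing it changes every identifier you have reported.
new_fticks_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

render_radsecproxy_conf() {   # render_radsecproxy_conf FTICKS_KEY > radsecproxy.conf
    local key=$1
    sed "s/__KEY__/$key/" <<'EOF'
ListenUDP *:1812
ListenTLS *:2083
LogLevel 3
LogDestination x-syslog:///LOG_LOCAL0

# F-Ticks: one record per authentication result, sent to syslog facility local1
FTicksReporting Full
FTicksMAC VendorKeyHashed
FTicksKey __KEY__
FTicksSyslogFacility log_local1

# Certificate and key this proxy presents on RadSec (TLS) connections
tls default {
    CACertificateFile  /usr/local/etc/radsecproxy/ca.pem
    CertificateFile    /usr/local/etc/radsecproxy/proxy.example.ac.ug.pem
    CertificateKeyFile /usr/local/etc/radsecproxy/proxy.example.ac.ug.key
}

# The institution's own RADIUS server (IdP): it sends us roaming users'
# requests (client) and receives requests for our own realm (server)
client 192.0.2.10 {
    type   udp
    secret REPLACE_WITH_LOCAL_SECRET
}
server localidp {
    type   udp
    host   192.0.2.10
    secret REPLACE_WITH_LOCAL_SECRET
}

# The national proxy, reached over RadSec in both directions; "radsec" is the
# fixed shared secret used with TLS peers
client flr.example.ac.ug {
    type   tls
    secret radsec
}
server flr.example.ac.ug {
    type         tls
    secret       radsec
    statusserver on
}

# Our realm (and sub-realms) stay local, everything else goes to the national proxy
realm example.ac.ug          { server localidp }
realm /\.example\.ac\.ug$/   { server localidp }
realm *                      { server flr.example.ac.ug }
EOF
}

# Write the file with restrictive permissions (it holds RADIUS secrets and the
# F-Ticks key) and let radsecproxy parse it without starting.
install_radsecproxy_conf() {   # install_radsecproxy_conf [DEST]
    local dest=${1:-/usr/local/etc/radsecproxy.conf} key
    key=$(new_fticks_key)
    render_radsecproxy_conf "$key" > "$dest"
    chmod 600 "$dest"
    if command -v radsecproxy >/dev/null 2>&1; then
        radsecproxy -p -c "$dest"
    fi
}
```

Run install_radsecproxy_conf as root after step 9; if radsecproxy rejects a directive, fix the file before starting the daemon in step 11. The F-Ticks records go to syslog facility local1 with this configuration, so whatever is published under /f-ticks in step 15 has to be fed from that syslog stream.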

Comodo SSL Certificates

The administrators at RENU will create an account for you to access https://cert-manager.com/customer/eI4Africa

Prerequisites

  • An administrator account for access to https://cert-manager.com/customer/eI4Africa
  • OpenSSL on your local/working machine
  • A validated entry for the domain (covered below). Email validation is a tested and easier method, and it requires you to have access to one of the following mailboxes (assuming your domain is utamu.ac.ug): admin@utamu.ac.ug or hostmaster@utamu.ac.ug

Continue reading “Comodo SSL Certificates”

NTP Server on CentOS 7

Step 1: Install and configure the NTP daemon

1. The NTP server package is provided by the official CentOS/RHEL 7 repositories and can be installed by issuing the following command.

# yum install ntp

CentOS 7 ships chrony as its default time service; stop and disable chronyd before enabling ntpd, or the two will contend for port 123/UDP.

2. After the server is installed, first go to the official NTP Public Pool Time Servers page, choose the continent where the server is physically located, then search for your country and a list of NTP servers should appear.

Continue reading “NTP Server on CentOS 7”
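The ntp.conf this install needs, and the restriction the NTP Version report under Intel Reports asks for, as one added example (not from either original post): the script renders a configuration that serves time to everyone but answers mode 6/7 control queries only locally and from your own networks, applies it on CentOS 7, and re-runs the report's own ntpq -c rv probe. It targets the ntp 4.2.6 package that yum installs, whose restrict lines take a dotted mask rather than CIDR, so prefix lengths are converted. The client networks, the pool zone and the paths are assumptions.

```shell
#!/bin/bash
# Added example, not from either original post.  Renders an ntp.conf for the
# ntp package CentOS 7 installs (4.2.6: restrict lines take a dotted mask,
# not CIDR), applies it, and re-runs the Shadowserver report's own probe.
# The client networks, pool zone and paths are assumptions.
set -u

prefix_to_mask() {   # prefix_to_mask 20 -> 255.255.240.0
    local p=$1 mask="" i bits
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then bits=8; elif [ "$p" -gt 0 ]; then bits=$p; else bits=0; fi
        mask="$mask$(( 256 - (1 << (8 - bits)) ))"
        if [ "$i" -lt 4 ]; then mask="$mask."; fi
        p=$(( p - bits ))
    done
    printf '%s' "$mask"
}

# render_ntp_conf CLIENT_CIDR... > ntp.conf
render_ntp_conf() {
    local net
    cat <<'EOF'
driftfile /var/lib/ntp/drift

# Default policy for everyone else: hand out time, nothing more.
#   noquery   refuse mode 6/7 control queries (READVAR, MONLIST), which is
#             the amplification vector the NTP Version report probes
#   nomodify  refuse runtime reconfiguration
#   notrap    refuse trap service; nopeer refuses unsolicited peering
#   kod       send kiss-o'-death packets to clients that exceed the rate limit
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local administrators may still query the daemon (ntpq -p, ntpq -c rv).
restrict 127.0.0.1
restrict ::1
EOF
    # Your own networks: served and allowed to query, but not to modify.
    for net in "$@"; do
        printf 'restrict %s mask %s nomodify notrap\n' "${net%/*}" "$(prefix_to_mask "${net#*/}")"
    done
    cat <<'EOF'

# Upstream sources from the pool zone for your continent (assumed: africa);
# iburst speeds up the initial synchronisation.
server 0.africa.pool.ntp.org iburst
server 1.africa.pool.ntp.org iburst
server 2.africa.pool.ntp.org iburst
EOF
}

# The report's probe: exit 0 when HOST still answers a mode 6 READVAR query,
# i.e. when it is still usable for amplification.  Run it from outside your
# own networks, since those are allowed to query by the config above.
readvar_exposed() {   # readvar_exposed HOST
    ntpq -c rv "$1" 2>/dev/null | grep -q 'version='
}

# CentOS 7 host: install, write the config, switch from chronyd to ntpd.
apply_ntp_conf() {   # apply_ntp_conf CLIENT_CIDR...
    yum -y install ntp
    render_ntp_conf "$@" > /etc/ntp.conf
    systemctl stop chronyd && systemctl disable chronyd
    systemctl enable ntpd && systemctl restart ntpd
    firewall-cmd --permanent --add-service=ntp && firewall-cmd --reload
}
```

A typical call is apply_ntp_conf 10.0.0.0/8 203.0.113.0/24 with your own prefixes; afterwards readvar_exposed from a host outside those prefixes should fail, while ntpq -p on the server itself still works.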

Zimbra: Install a Comodo SSL Certificate

1. Get the bundle from Comodo as .crt files (sometimes packed in a zip file). You can also log in to https://cert-manager.com/customer/eI4Africa and download the X.509 Root/Intermediate(s) bundle.

2. Copy the downloaded bundle to the mail server under /tmp. The bundle contains the following files, listed here from the root downwards; Zimbra wants the chain file built in the opposite order, issuing intermediate first and root last:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt

Continue reading “Zimbra: Install a Comodo SSL Certificate”
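Before deploying the certificate, two checks save the most common failed deployments: that the private key and the signed certificate belong together, and that the certificate actually chains up through the bundle. As an added example (not part of the original post), the script below builds the chain file from the three bundle files listed above in the order Zimbra expects, performs both checks with OpenSSL (one of the prerequisites above), and only then hands over to Zimbra's own zmcertmgr. It assumes the CSR was generated with zmcertmgr createcsr, so the key is at Zimbra's default path, and that the signed certificate was saved as /tmp/commercial.crt.

```shell
#!/bin/bash
# Added example, not from the original post.  Builds the CA chain from the
# bundle files listed above in the order Zimbra expects (leaf's issuer first,
# root last), checks that the private key and certificate belong together and
# that the chain verifies, and only then deploys with Zimbra's own zmcertmgr.
# Assumptions: the CSR was generated with zmcertmgr createcsr, so the key is
# /opt/zimbra/ssl/zimbra/commercial/commercial.key; the bundle and the signed
# certificate (commercial.crt) are in /tmp.
set -u
ZMBIN=/opt/zimbra/bin

build_chain() {   # build_chain OUTFILE CERT...   (issuer of the leaf first, root last)
    local out=$1; shift
    cat "$@" > "$out"
}

# A certificate issued for a different key is the classic reason deploycrt
# fails: compare the public key inside the cert with the one derived from
# the private key (works for RSA and EC keys).
key_matches_cert() {   # key_matches_cert KEYFILE CERTFILE ; exit 0 on match
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the leaf chain up through CHAINFILE?  Fails on a missing intermediate
# or an expired CA certificate.  OpenSSL does not care about the order inside
# -CAfile; the order matters for the chain the server sends to clients, which
# is why build_chain takes the files in Zimbra's order.
chain_verifies() {   # chain_verifies CERTFILE CHAINFILE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# On the mail server.  Zimbra 8.7 and later run zmcertmgr as the zimbra user;
# older releases run it as root.
deploy_to_zimbra() {
    local key=/opt/zimbra/ssl/zimbra/commercial/commercial.key
    local cert=/tmp/commercial.crt chain=/tmp/commercial_ca.crt
    build_chain "$chain" /tmp/COMODORSADomainValidationSecureServerCA.crt \
                         /tmp/COMODORSAAddTrustCA.crt \
                         /tmp/AddTrustExternalCARoot.crt
    key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; return 1; }
    chain_verifies "$cert" "$chain"  || { echo "chain does not verify" >&2; return 1; }
    "$ZMBIN/zmcertmgr" verifycrt comm "$key" "$cert" "$chain" \
      && "$ZMBIN/zmcertmgr" deploycrt comm "$cert" "$chain" \
      && "$ZMBIN/zmcontrol" restart
}
```

The two OpenSSL checks can be run on the working machine before anything is copied to the mail server. Note that chain_verifies also fails on an expired CA certificate: the AddTrust External CA Root in the bundle listed above expired on 30 May 2020, so after that date the bundle has to be rebuilt from the current Sectigo/USERTrust chain offered by the certificate manager rather than the AddTrust one.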