Thursday, March 31, 2016

Install Symantec Endpoint Protection on Debian Jessie

Symantec Endpoint Protection is not only shipped for Windows systems, but also for OS X and Linux systems.
Installing it on a Debian Jessie server does require some manual steps to have all features enabled.

The first step is to create a package in your SEP installation; the simplest way is a web download link which you can later use to fetch the package via wget.

  1. Install Java 8
  2. Download the JCE (Java Cryptography Extension) from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
  3. Install the cryptographic policy files into "/usr/lib/jvm/java-8-oracle/jre/lib/security"
  4. On 64-bit systems enable i386 packages and install the 32-bit edition of glibc
    dpkg --add-architecture i386
    apt-get update
    apt-get install libc6:i386
  5. On 64-bit systems install the Linux headers to allow compilation of the real-time scan kernel modules
    apt-get install linux-headers-amd64
  6. Download your SEP package from your server
    wget http://<your-sep-server>/EmailInstallPackages/xxxxxxxxxxxx/sep/SymantecEndpointProtection.zip
  7. Unzip the package
  8. bash ./install.sh -i

Installing Java 8 on Debian Jessie

Installing Oracle Java 8 on Debian Jessie

Debian 8, alias Jessie, ships with OpenJDK 7, which is fine in many cases. But sometimes you need a more recent version.
In that case you can use the Ubuntu PPA archives as an installation source.

Just type these commands in the console of your Debian system and it should install just fine, also providing automatic security upgrades as they become available.

echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" > /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" >> /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer
java -version

Thursday, January 28, 2016

Upgrading from Debian 6 Openswan to Debian 8 Strongswan

When upgrading from Debian 6 to Debian 8, the IPsec software stack changes from Openswan to Strongswan.
The switch itself is not a big thing, but when you still have other Openswan IPsec peers, you will have to change your Strongswan configuration a little bit.
Otherwise the two IPsec implementations won't be able to build the VPN tunnel.

On the Openswan end of the VPN you will see messages like these in your auth.log file:

Jan 28 11:58:55 fw pluto[1279]: "vpn01" #746: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #670 {using isakmp#4 msgid:6c3f1671 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jan 28 11:58:55 fw pluto[1279]: "vpn01" #669: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 28 11:58:55 fw pluto[1279]: "vpn01" #669: starting keying attempt 5 of an unlimited number
Jan 28 11:58:55 fw pluto[1279]: "vpn01" #747: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #669 {using isakmp#4 msgid:23eb99a9 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jan 28 11:58:55 fw pluto[1279]: "vpn01" #4: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Jan 28 11:58:55 fw pluto[1279]: "vpn01" #4: received and ignored informational message
Jan 28 11:58:55 fw pluto[1279]: "vpn01" #4: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Jan 28 11:58:55 fw pluto[1279]: "vpn01" #4: received and ignored informational message
Jan 28 11:58:55 fw pluto[1279]: "vpn01" #4: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000


On the Strongswan side, you see this in the daemon.log:

Jan 28 12:16:52 vpn01 ipsec[13909]: 09[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
Jan 28 12:16:52 vpn01 ipsec[13909]: 09[ENC] generating INFORMATIONAL_V1 request 2468276578 [ HASH N(NO_PROP) ]

This is due to an IKE mismatch (the Openswan IKEv2 implementation does not respect all standards).
You can solve this issue by specifying IKEv1 for the connection in your ipsec.conf on the Strongswan side:

keyexchange=ikev1

This should solve the problem.
Sometimes (depending on the Openswan settings) you also have to add this to your connection definition on the Strongswan side:

esp=aes128-sha1-modp2048!
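To show where the two settings sit in a complete connection definition, here is an added example of a strongSwan 5 ipsec.conf conn toward an Openswan peer (not the post's own configuration). The addresses and subnets are placeholders; PSK authentication and tunnel mode are taken from the Openswan log lines above, and the pre-shared key itself has to be configured in ipsec.secrets.

```ini
# Added example, not the post's own configuration.
# Placeholder addresses (RFC 5737 documentation ranges) and subnets; replace with your own.
conn vpn01
    # Openswan's IKEv2 handling does not interoperate, so force IKEv1 (the fix from the post)
    keyexchange=ikev1
    # the Openswan log shows PSK authentication and tunnel mode
    authby=secret
    type=tunnel
    # phase 2 proposal from the post; modp2048 provides PFS, "!" forbids any other proposal
    esp=aes128-sha1-modp2048!
    left=192.0.2.1
    leftsubnet=10.0.0.0/24
    right=198.51.100.1
    rightsubnet=10.0.1.0/24
    auto=start
```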


Monday, March 2, 2015

Removing Windows Intune client (4 methods)

Hi there, just a quick and simple overview on how to remove a Windows Intune client installation.

Method 1

The best way of achieving this would be to retire the client from the Windows Intune admin console. This removes the client software on the target systems.

Method 2

If you don't have access to the admin console (for whatever reason), uninstalling a recent version of the client can only be done with the help of some batch scripts and an executable which can be downloaded from Microsoft:
Uninstall download

After executing the exe, some files will be extracted. Copy these files to the client and execute the batch files:
  • AgentUninstall_AIS.cmd
  • AgentUninstall_Intune.cmd
After some time the folder C:\Program Files\Microsoft\OnlineManagement should only hold some logfiles. Reboot the client.

At this point you can enroll the client into Windows Intune again or install an SCCM client to manage it.

Method 3

  1. Open an admin command prompt
  2. Navigate to C:\Program Files\Microsoft\OnlineManagement\Common
  3. Run "ProvisioningUtil /UninstallAgents WindowsIntune"

Method 4

Uninstall is also possible via WMI:
wmic product where "name like '%intune%'" call uninstall

Monday, December 29, 2014

Using ftdi_sio with Linux kernel 3.12 and up

A few years ago I posted some information on how to use a Bixolon BCD-1100 or an Epson DM-D110 display attached via USB to a Linux system.

This works fine, unless you upgrade your Linux system to a kernel with version 3.12 or greater.

Since kernel 3.12 you will see this in the logs:
# dmesg
ftdi_sio: unknown parameter 'vendor' ignored
ftdi_sio: unknown parameter 'product' ignored

The problem is that these two parameters were only intended to be used by developers for testing purposes, so they have been removed in the 3.12 kernel.
Fortunately, the Linux developers provide an official way to specify the vendor and product IDs.

You can find it in the file /sys/bus/usb-serial/drivers/ftdi_sio/new_id.
This file accepts a pair of vendor and product IDs, so all we need to do is write those values into it, like this:

/sbin/modprobe ftdi_sio
echo "1208 0780" > /sys/bus/usb-serial/drivers/ftdi_sio/new_id


If you wish to have it configured automatically, just update your /etc/udev/rules.d/50-dmd110.rules file as follows:

ATTR{idProduct}=="0780", ATTR{idVendor}=="1208", RUN+="/sbin/modprobe -q ftdi_sio", RUN+="/bin/sh -c 'echo 1208 0780 > /sys/bus/usb-serial/drivers/ftdi_sio/new_id'", OWNER="root", MODE="0666"

or for /etc/udev/rules.d/51-bixolonBCD1100.rules:

ATTR{idVendor}=="1504", ATTR{idProduct}=="0011", RUN+="/sbin/modprobe -q ftdi_sio", RUN+="/bin/sh -c 'echo 1504 0011 > /sys/bus/usb-serial/drivers/ftdi_sio/new_id'", OWNER="root", MODE="0666"

or for /etc/udev/rules.d/52-star-bcd122u.rules:

ATTR{idVendor}=="0519", ATTR{idProduct}=="0007", RUN+="/sbin/modprobe -q ftdi_sio", RUN+="/bin/sh -c 'echo 0519 0007 > /sys/bus/usb-serial/drivers/ftdi_sio/new_id'", OWNER="root", MODE="0666"

Please note that you still need to use the correct serial port settings.
The bcd122u, for example, runs at 19200 baud, whereas most others use 9600 baud.

Monday, November 24, 2014

Monitoring HTTPS (and other SSL) certificates with Zabbix

This year we had a lot of security issues with SSL certificates, mostly in HTTPS, but also in other protocols using TLS/SSL.

The most serious concern is the POODLE attack on SSLv3 connections.
The recommended setting is to disable SSLv3 in all your services.

The other issue is that SHA1 is deprecated for HTTPS certificates, especially when the certificate expiration date is after 1 January 2017.
Google (and other web browser developers) will gradually tell you that the certificates are not trustworthy or even invalid.

You will find a lot of links on the web on how to secure your server systems against POODLE, and also on how to renew your certificates so they don't use SHA1 anymore.

But how do you make sure all your systems are correctly configured and the certificates are within a valid range?
With Zabbix this is very simple: I have made a Zabbix template available, so you can integrate monitoring and alerting of SSL certificates into Zabbix.

You can download the Zabbix template(s) and the SSL/TLS check script from this link.
  1. Place the ssltls.check script in your Zabbix external script folder and make it executable.
  2. Then import the template(s) and assign them to your server(s).
The HTTPS template checks on port 443 for the SSL issues described above. In addition it also checks the expiration date and the hash of your certificate.

The FTP template checks if TLS is activated on your FTP server and then checks that SSL works correctly. It does no hash and 2017 expiration checks, since these are only relevant for web browsers.
The POP_IMAP_SMTP template checks if TLS is active on POP, IMAP, SMTP and SMTP Submission and on the POP3/IMAPS and SMTP services. It does no hash and 2017 expiration checks, since these are only relevant for web browsers.

The SSL check script is based on a version from Simon Kowallik; I extended it to also check the digest algorithm and detect the POODLE vulnerability.
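As an added example (not the post's ssltls.check script and not Simon Kowallik's), here is the certificate part of such a check in Python: it parses the output of `openssl x509 -noout -text`, applies the SHA1-after-2017 rule and the expiration check described above, and returns a Zabbix-style severity. The 30-day warning window, the sample certificate text and the date used as "today" are constructed assumptions; the SSLv3/POODLE probe is not part of this example.

```python
"""SHA1-after-2017 and expiry check on a certificate, Zabbix external-script style."""
import re
import subprocess
import sys
from datetime import datetime, timezone

SHA1_SUNSET = datetime(2017, 1, 1, tzinfo=timezone.utc)   # browsers distrust SHA1 certs valid past this date
WARN_DAYS = 30                                            # assumed warning window, not from the post
SAMPLE_NOW = datetime(2014, 11, 24, tzinfo=timezone.utc)  # the post's date, used as "today" offline

# Constructed excerpt of `openssl x509 -noout -text` output; not a real certificate
SAMPLE_X509_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Nov  1 00:00:00 2014 GMT
            Not After : Nov  1 00:00:00 2017 GMT
"""

def fetch_cert_text(host, port=443):
    """Fetch the peer certificate with openssl s_client and dump it in text form (needs network)."""
    pem = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
                         input=b"", capture_output=True, timeout=15).stdout
    return subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=pem, capture_output=True, check=True).stdout.decode()

def parse_x509_text(text):
    """Return (signature algorithm, notAfter as an aware UTC datetime) from x509 -text output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    not_after = " ".join(re.search(r"Not After\s*:\s*(.+)", text).group(1).split())
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return sig, expires

def classify(text, now=None):
    """Zabbix-style verdict: 0 = OK, 1 = warning, 2 = problem, with a reason string."""
    now = now or datetime.now(timezone.utc)
    sig, expires = parse_x509_text(text)
    days_left = (expires - now).days
    if expires <= now:
        return 2, f"certificate expired on {expires.date()}"
    if "sha1" in sig.lower() and expires > SHA1_SUNSET:
        return 2, f"{sig} certificate valid until {expires.date()}, past the 2017-01-01 SHA1 sunset"
    if days_left < WARN_DAYS:
        return 1, f"certificate expires in {days_left} days"
    return 0, f"ok: {sig}, valid until {expires.date()}"

if __name__ == "__main__":  # usage: script.py [host]; without a host the sample is classified as of SAMPLE_NOW
    text = fetch_cert_text(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_X509_TEXT
    print(*classify(text, None if len(sys.argv) > 1 else SAMPLE_NOW))
```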

Link for SSLv3 disabling on various server products

Thursday, September 25, 2014

Don't write boilerplate code for Java objects any longer

When you write Java classes, you usually have many properties you expose via getter/setter methods.
This gives a lot of code which is not very interesting to write and maintain, but for the sake of Java Beans (and other reasons) you will do it correctly.

It's one of the features of the IDE that you can let it generate the proper getter/setter methods.
Usually it's called something like "Encapsulate property access". You then select the properties you wish setters/getters created for, and you are done: the IDE puts the correct code in your class.

Nice, but it could be simpler.
The drawback of all this is that you fill up your class file with a lot of set/get code which you usually don't want to see.

Fortunately there is help for this as well.
Look at Project Lombok.

With this project you write your class like this:

import lombok.AccessLevel;
import lombok.Setter;
import lombok.Data;
import lombok.ToString;

@Data public class DataExample {
  private final String name;
  @Setter(AccessLevel.PACKAGE) private int age;
  private double score;
  private String[] tags;

  @ToString(includeFieldNames=true)
  @Data(staticConstructor="of")
  public static class Exercise<T> {
    private final String name;
    private final T value;
  }
}
 
These 18 lines of code do the same as these 118 lines of plain Java code:
import java.util.Arrays;

public class DataExample {
  private final String name;
  private int age;
  private double score;
  private String[] tags;

  public DataExample(String name) {
    this.name = name;
  }

  public String getName() {
    return this.name;
  }

  void setAge(int age) {
    this.age = age;
  }

  public int getAge() {
    return this.age;
  }

  public void setScore(double score) {
    this.score = score;
  }

  public double getScore() {
    return this.score;
  }

  public String[] getTags() {
    return this.tags;
  }

  public void setTags(String[] tags) {
    this.tags = tags;
  }

  @Override public String toString() {
    return "DataExample(" + this.getName() + ", " + this.getAge() + ", " + this.getScore() + ", " + Arrays.deepToString(this.getTags()) + ")";
  }

  protected boolean canEqual(Object other) {
    return other instanceof DataExample;
  }

  @Override public boolean equals(Object o) {
    if (o == this) return true;
    if (!(o instanceof DataExample)) return false;
    DataExample other = (DataExample) o;
    if (!other.canEqual((Object)this)) return false;
    if (this.getName() == null ? other.getName() != null : !this.getName().equals(other.getName())) return false;
    if (this.getAge() != other.getAge()) return false;
    if (Double.compare(this.getScore(), other.getScore()) != 0) return false;
    if (!Arrays.deepEquals(this.getTags(), other.getTags())) return false;
    return true;
  }

  @Override public int hashCode() {
    final int PRIME = 59;
    int result = 1;
    final long temp1 = Double.doubleToLongBits(this.getScore());
    result = (result*PRIME) + (this.getName() == null ? 0 : this.getName().hashCode());
    result = (result*PRIME) + this.getAge();
    result = (result*PRIME) + (int)(temp1 ^ (temp1 >>> 32));
    result = (result*PRIME) + Arrays.deepHashCode(this.getTags());
    return result;
  }

  public static class Exercise<T> {
    private final String name;
    private final T value;

    private Exercise(String name, T value) {
      this.name = name;
      this.value = value;
    }

    public static <T> Exercise<T> of(String name, T value) {
      return new Exercise<T>(name, value);
    }

    public String getName() {
      return this.name;
    }

    public T getValue() {
      return this.value;
    }

    @Override public String toString() {
      return "Exercise(name=" + this.getName() + ", value=" + this.getValue() + ")";
    }

    protected boolean canEqual(Object other) {
      return other instanceof Exercise;
    }

    @Override public boolean equals(Object o) {
      if (o == this) return true;
      if (!(o instanceof Exercise)) return false;
      Exercise<?> other = (Exercise<?>) o;
      if (!other.canEqual((Object)this)) return false;
      if (this.getName() == null ? other.getName() != null : !this.getName().equals(other.getName())) return false;
      if (this.getValue() == null ? other.getValue() != null : !this.getValue().equals(other.getValue())) return false;
      return true;
    }

    @Override public int hashCode() {
      final int PRIME = 59;
      int result = 1;
      result = (result*PRIME) + (this.getName() == null ? 0 : this.getName().hashCode());
      result = (result*PRIME) + (this.getValue() == null ? 0 : this.getValue().hashCode());
      return result;
    }
  }
}

So with Project Lombok you can concentrate on the real code, and the annotations expand at build time into the boilerplate code.
There are many options in Lombok to also generate other things for Java classes; be sure to look at the documentation.

There is just one "bad" thing about it:
By definition annotations should not create Java code, but in this case I think it is worth "breaking" the rules.