Guide to install Zoneminder on Centos 7 Different Partition

Add EPEL Repo

sudo yum install epel-release -y

Add RPM Fusion Repo

sudo yum install https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm

Add Remi Repo

sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y

Update OS

sudo yum update -y

Install mod_ssl

sudo yum install mod_ssl -y

Disable SELinux

vi /etc/selinux/config
SELINUX=disabled

The change takes effect after a reboot.

Add MariaDB Repo

vi /etc/yum.repos.d/MariaDB.repo

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.4/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Install MariaDB Server & MariaDB Client

sudo yum install MariaDB-server MariaDB-client -y

Enable MariaDB

systemctl enable mariadb

Enable PHP version repository:

sudo yum install yum-utils -y
sudo yum-config-manager --enable remi-php73

Install PHP with some common PHP modules

sudo yum install php php-fpm php-gd php-mbstring php-opcache php-pdo php-mysqlnd -y

Enable PHP-FPM service

systemctl enable php-fpm

Install Zoneminder

sudo yum install zoneminder

Moving the MariaDB Data Directory

Check the current data directory first:

mysql -u root -p
select @@datadir;
+-----------------+
| @@datadir       |
+-----------------+
| /var/lib/mysql/ |
+-----------------+

Stop MariaDB

sudo systemctl stop mariadb

Copy the MariaDB data directory to the new partition (rsync -a preserves ownership and permissions; with no trailing slash on the source, this creates /mnt/dblocation/mysql)

sudo rsync -av /var/lib/mysql /mnt/dblocation

Rename old MariaDB folder

sudo mv /var/lib/mysql /var/lib/mysql.bak

Configure MariaDB server.cnf

datadir must be the directory the rsync step created on the new partition, and the socket must live inside it. The /mnt/... paths in this guide are placeholders: use one location consistently in server.cnf, mysql-clients.cnf and the symbolic link below.

vi /etc/my.cnf.d/server.cnf

[mysqld]
datadir=/mnt/cctv/database
socket=/mnt/cctv/database/mysql.sock

Configure MariaDB mysql-clients.cnf

vi /etc/my.cnf.d/mysql-clients.cnf

[client]
port=3306
socket=/mnt/cctv/database/mysql.sock

Create the mysql folder for the symbolic link

Local clients still look for the socket at /var/lib/mysql/mysql.sock, so recreate that directory and link the socket from the new location. The link target must be the socket path set in server.cnf.

sudo mkdir /var/lib/mysql

sudo chown mysql:mysql /var/lib/mysql

sudo ln -s /mnt/folder/databasefolder/mysql.sock /var/lib/mysql/mysql.sock
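A consistency check for the three settings the move touches (server.cnf, mysql-clients.cnf and the symlink target), added here as an example that is not part of this guide. The sample inputs are constructed from the values used above, including the rsync destination, so the first run shows what an inconsistent set looks like:

```python
import configparser
import posixpath

# Constructed sample inputs (not read from a real host) mirroring the three
# places the datadir move touches: server.cnf, mysql-clients.cnf and the symlink.
SERVER_CNF_BAD = "[mysqld]\ndatadir=/mnt/cctv/database\nsocket=/mnt/cctv/database/mysql.so\n"
CLIENT_CNF_BAD = "[client]\nport=3306\nsocket=/mnt/cctv/database/mysql.sock\n"
SYMLINK_BAD = "/mnt/folder/databasefolder/mysql.sock"

SERVER_CNF_OK = "[mysqld]\ndatadir=/mnt/cctv/database\nsocket=/mnt/cctv/database/mysql.sock\n"
CLIENT_CNF_OK = "[client]\nport=3306\nsocket=/mnt/cctv/database/mysql.sock\n"
SYMLINK_OK = "/mnt/cctv/database/mysql.sock"


def _option(cnf_text, section, key):
    """Read one key from my.cnf-style text; MariaDB .cnf files are INI-like."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    return cp.get(section, key, fallback=None)


def check_datadir_move(server_cnf, client_cnf, symlink_target, rsync_dest=None):
    """Return a list of problems; an empty list means all settings agree.

    rsync_dest is the destination given to 'rsync -av /var/lib/mysql DEST';
    without a trailing slash on the source, rsync creates DEST/mysql.
    """
    problems = []
    datadir = _option(server_cnf, "mysqld", "datadir")
    srv_sock = _option(server_cnf, "mysqld", "socket")
    cli_sock = _option(client_cnf, "client", "socket")
    if not datadir or not srv_sock:
        return ["[mysqld] must set both datadir and socket"]
    datadir = datadir.rstrip("/")
    if not srv_sock.endswith(".sock"):
        problems.append(f"server socket {srv_sock} does not end in .sock")
    if posixpath.dirname(srv_sock) != datadir:
        problems.append(f"server socket {srv_sock} is not inside datadir {datadir}")
    if cli_sock != srv_sock:
        problems.append(f"[client] socket {cli_sock} differs from [mysqld] socket {srv_sock}")
    if symlink_target != srv_sock:
        problems.append(f"symlink target {symlink_target} differs from [mysqld] socket {srv_sock}")
    if rsync_dest is not None and datadir != posixpath.join(rsync_dest, "mysql"):
        problems.append(f"datadir {datadir} is not where rsync put the data ({rsync_dest}/mysql)")
    return problems


if __name__ == "__main__":
    for p in check_datadir_move(SERVER_CNF_BAD, CLIENT_CNF_BAD, SYMLINK_BAD, "/mnt/dblocation"):
        print("PROBLEM:", p)
    print("consistent:", check_datadir_move(SERVER_CNF_OK, CLIENT_CNF_OK, SYMLINK_OK) == [])
```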

Create DB for Zoneminder

mysql -uroot -p < /usr/share/zoneminder/db/zm_create.sql

mysql -uroot -p -e "grant all on zm.* to 'zmuser'@localhost identified by 'zmpassword';"

mysqladmin -uroot -p reload

Use a password of your own in place of zmpassword, and set the same value for ZM_DB_PASS in /etc/zm/zm.conf so that ZoneMinder can connect to the database.

Change Timezone PHP

vi /etc/php.ini

date.timezone = Asia/Kuala_Lumpur

Open Firewall Ports

Either of the first two lines opens 443/tcp; the second is the named-service form of the first.

sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

Enable and Start httpd service

systemctl enable httpd
systemctl start httpd

Enable and start Zoneminder service

systemctl enable zoneminder
systemctl start zoneminder

Access Zoneminder Via https://serverip/zm

Install Pritunl VPN on CentOS7

Add MongoDB Repo

nano /etc/yum.repos.d/mongodb-org-4.0.repo

[mongodb-org-3.6]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.6/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc

Add Pritunl Repo

nano /etc/yum.repos.d/pritunl.repo

[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1

Install epel-release and Update

yum install epel-release
sudo yum update

Disable SELinux

vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

The change takes effect after a reboot.

Installing Pritunl

sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A

gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp

sudo yum -y install pritunl mongodb-org

Change Firewall Settings

This opens 443/tcp for the web interface. The VPN port you choose later in Add Server must be opened the same way.

sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

Start and Enable MongoDB and Pritunl

sudo systemctl start mongod pritunl
sudo systemctl enable mongod pritunl

Visit Pritunl Web Interface

https://PublicIP or https://privateIP

Get Pritunl Setup Key

Run:
pritunl setup-key

Copy the result and enter it in the Database Setup page of the web UI.
Ex: 09f117c70a6354459a9ebb8d71ddb37be

The Pritunl service restarts after the setup key is saved. To get the temporary password:

sudo pritunl default-password

Log in with it and set a new password.

Configure Server

Click Servers, then Add Server.

The hostname can be used as the server name.

ELK Cisco ASA, Elastiflow Sample Config

Cisco ASA Config

input {
  udp {
    port => 5014
    type => "cisco-asa"
  }
}
filter {
  if [type] == "cisco-asa" {
    # First grok: split the tagged syslog header (timestamp, host, %ASA tag) from the body
    grok {
      match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
    }
    date {
      match => ["timestamp",
        "MMM dd HH:mm:ss",
        "MMM d HH:mm:ss",
        "MMM dd yyyy HH:mm:ss",
        "MMM d yyyy HH:mm:ss",
        "dd MMM yyyy HH:mm:ss",
        "dd/MMM/yyyy:HH:mm:ss Z"
      ]
    }
    if "_grokparsefailure" not in [tags] {
      mutate {
        rename => ["cisco_message", "message"]
        remove_field => ["timestamp"]
      }
    }
    # Second grok: per-message-id patterns from the bundled firewalls pattern set
    grok {
      match => [
        "message", "%{CISCOFW106001}",
        "message", "%{CISCOFW106006_106007_106010}",
        "message", "%{CISCOFW106014}",
        "message", "%{CISCOFW106015}",
        "message", "%{CISCOFW106021}",
        "message", "%{CISCOFW106023}",
        "message", "%{CISCOFW106100}",
        "message", "%{CISCOFW110002}",
        "message", "%{CISCOFW302010}",
        "message", "%{CISCOFW302013_302014_302015_302016}",
        "message", "%{CISCOFW302020_302021}",
        "message", "%{CISCOFW305011}",
        "message", "%{CISCOFW313001_313004_313008}",
        "message", "%{CISCOFW313005}",
        "message", "%{CISCOFW402117}",
        "message", "%{CISCOFW402119}",
        "message", "%{CISCOFW419001}",
        "message", "%{CISCOFW419002}",
        "message", "%{CISCOFW500004}",
        "message", "%{CISCOFW602303_602304}",
        "message", "%{CISCOFW710001_710002_710003_710005_710006}",
        "message", "%{CISCOFW713172}",
        "message", "%{CISCOFW733100}"
      ]
    }
    syslog_pri { }
    # The two geoip blocks below use different database paths; point both at the
    # file that actually exists on this host
    geoip {
      add_tag => [ "GeoIP" ]
      database => "/elastiflow/geoipdb/GeoLite2-City.mmdb"
      source => "src_ip"
    }
    if [geoip][city_name]      == "" { mutate { remove_field => "[geoip][city_name]" } }
    if [geoip][continent_code] == "" { mutate { remove_field => "[geoip][continent_code]" } }
    if [geoip][country_code2]  == "" { mutate { remove_field => "[geoip][country_code2]" } }
    if [geoip][country_code3]  == "" { mutate { remove_field => "[geoip][country_code3]" } }
    if [geoip][country_name]   == "" { mutate { remove_field => "[geoip][country_name]" } }
    if [geoip][latitude]       == "" { mutate { remove_field => "[geoip][latitude]" } }
    if [geoip][longitude]      == "" { mutate { remove_field => "[geoip][longitude]" } }
    if [geoip][postal_code]    == "" { mutate { remove_field => "[geoip][postal_code]" } }
    if [geoip][region_name]    == "" { mutate { remove_field => "[geoip][region_name]" } }
    if [geoip][time_zone]      == "" { mutate { remove_field => "[geoip][time_zone]" } }
    geoip {
      add_tag => [ "Whois" ]
      database => "/elastiflow/geoipdbs/GeoLite2-City.mmdb"
      source => "src_ip"
    }
  }
}

output {
  elasticsearch {
    hosts => ["ElasticIP:9200"]
    index => "cisco-%{+xxxx.ww}"
    user => "elastic"
    password => "elastic"
  }
}
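To see what the two grok stages above extract, here is an added Python re-implementation of the CISCO_TAGGED_SYSLOG split followed by two of the per-message patterns (302013 built connection and 106023 deny). It is not part of the original post or of Logstash; the sample lines are constructed with documentation addresses, and the third line shows the _grokparsefailure path for a message id with no pattern:

```python
import re

# Constructed sample lines (documentation addresses, no real hosts) in the shape
# the udp input above receives: <pri>timestamp host : %ASA-sev-id: message
SAMPLE_LINES = [
    "<166>Mar 12 10:15:01 fw01 : %ASA-6-302013: Built outbound TCP connection 4711 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.2.3/51234 (10.1.2.3/51234)",
    '<164>Mar 12 10:15:02 fw01 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 '
    'dst inside:10.1.2.3/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "<166>Mar 12 10:15:03 fw01 : %ASA-6-999999: a message id this example has no pattern for",
]

# Stage 1, the equivalent of CISCO_TAGGED_SYSLOG: header fields plus the message body.
TAGGED = re.compile(
    r"^<(?P<syslog_pri>\d+)>(?P<timestamp>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
    r"(?: (?P<sysloghost>\S+))? ?: %(?P<ciscotag>ASA-\d-\d{6}): (?P<cisco_message>.*)$"
)
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Stage 2, simplified equivalents of CISCOFW302013_... and CISCOFW106023, keyed by message id.
PATTERNS = {
    "ASA-6-302013": re.compile(
        rf"(?P<action>\w+) (?P<direction>\w+) (?P<protocol>\w+) connection (?P<connection_id>\d+) "
        rf"for (?P<src_interface>[^:]+):(?P<src_ip>{IP})/(?P<src_port>\d+)(?: \([^)]*\))? "
        rf"to (?P<dst_interface>[^:]+):(?P<dst_ip>{IP})/(?P<dst_port>\d+)"
    ),
    "ASA-4-106023": re.compile(
        rf"(?P<action>\w+) (?P<protocol>\w+) src (?P<src_interface>[^:]+):(?P<src_ip>{IP})"
        rf"(?:/(?P<src_port>\d+))? dst (?P<dst_interface>[^:]+):(?P<dst_ip>{IP})(?:/(?P<dst_port>\d+))? "
        rf'by access-group "?(?P<policy_id>[^"\s]+)"?'
    ),
}


def parse_asa_line(line):
    """Mimic the pipeline: split the tagged header, rename the body to message, parse by id."""
    m = TAGGED.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    event["message"] = event.pop("cisco_message")   # the mutate/rename step above
    pat = PATTERNS.get(event["ciscotag"])
    fields = pat.match(event["message"]) if pat else None
    if fields:
        event.update({k: v for k, v in fields.groupdict().items() if v is not None})
    else:
        event.setdefault("tags", []).append("_grokparsefailure")   # second grok matched nothing
    return event


def src_ips_for_geoip(lines):
    """The src_ip values the geoip filter (source => "src_ip") would look up."""
    return [e["src_ip"] for e in map(parse_asa_line, lines) if "src_ip" in e]
```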

To Read from Log File

Replace

input {
  udp {
    port => 5014
    type => "cisco-asa"
  }
}

With

input {
  file {
    # type must match the filter's "cisco-asa" check exactly; the comparison is case-sensitive
    type => "cisco-asa"
    path => [ "/var/log/CISCO/CiscoLogs.log" ]
  }
}

Elastiflow Setup

Configure JVM Memory

sudo nano /etc/logstash/jvm.options
-Xms4g
-Xmx4g

Logstash Plugin

sudo /usr/share/logstash/bin/logstash-plugin install logstash-codec-sflow
sudo /usr/share/logstash/bin/logstash-plugin update logstash-codec-netflow
sudo /usr/share/logstash/bin/logstash-plugin update logstash-input-udp
sudo /usr/share/logstash/bin/logstash-plugin update logstash-filter-dns
sudo /usr/share/logstash/bin/logstash-plugin update logstash-filter-geoip
sudo /usr/share/logstash/bin/logstash-plugin update logstash-filter-translate

Install & Setup

wget https://github.com/robcowart/elastiflow/archive/master.zip

sudo apt-get install -y unzip
unzip master.zip
sudo cp -a elastiflow-master/logstash/elastiflow/. /etc/logstash/elastiflow/
sudo cp -a elastiflow-master/logstash.service.d/. /etc/systemd/system/logstash.service.d/

Configure Pipeline

sudo nano /etc/logstash/pipelines.yml

Create Index

curl -X POST http://ELASTICHOST:5601/api/saved_objects/index-pattern/elastiflow-* -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @/PATH/TO/DESTINATION/elastiflow.index_pattern.json

Create Dashboard

Download https://github.com/robcowart/elastiflow
Navigate to elastiflow-master/kibana
In Kibana, go to Management, Saved Objects and import the 7.0 dashboard

Configure Conf File

Where the Elastiflow conf files set nameserver for the dns filter, change it to:
nameserver => "${ELASTIFLOW_NAMESERVER:ELKIP}"

In 30_output_10_single.logstash.conf, set the Elasticsearch credentials:
user => "${ELASTIFLOW_ES_USER:elastic}"
password => "${ELASTIFLOW_ES_PASSWD:elastic}"