Ports, Protocols, and Services (PPS)

Introduction

This is my attempt to keep track of various ports, protocols, and services for successful deployments of solutions.

Active Directory

Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use
----------- | ------- | ----------------- | ---------------- | ----------
135 | TCP | epmap | DCE endpoint resolution | RPC Endpoint Mapper
389 | TCP/UDP | ldap | Lightweight Directory Access Protocol | LDAP
636 | TCP | ldaps | ldap protocol over TLS/SSL (was sldap) | LDAP over SSL/TLS
3268 | TCP | msft-gc | Microsoft Global Catalog | LDAP Global Catalog
3269 | TCP | msft-gc-ssl | Microsoft Global Catalog with LDAP/SSL | LDAP Global Catalog over SSL/TLS
53 | TCP/UDP | domain | Domain Name Server | DNS
88 | TCP/UDP | kerberos | Kerberos | Kerberos
445 | TCP | microsoft-ds | Microsoft-DS | SMB
464 | TCP/UDP | kpasswd | kpasswd | Kerberos Password V5

Note: port 135 only locates an RPC service; the RPC call itself lands on a dynamically assigned port (TCP 49152-65535 on Windows Server 2008 and later). A firewall that passes 135 but not the dynamic range still breaks replication, trusts and domain joins. The Microsoft articles below document the range and how to restrict it to a smaller, fixed set of ports.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts

https://learn.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements
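As an added example (not part of the original page), the script below walks the TCP ports from the Active Directory table and reports which ones a prospective domain member can actually reach, so a firewall gap shows up before a join or a trust fails. It assumes bash is installed (for its /dev/tcp redirection) and coreutils `timeout`; the DC hostname is a placeholder. The UDP ports are skipped, because a UDP "connect" never tells you whether anything answered.

```sh
#!/bin/sh
# Added example (not from the original page): probe the Active Directory TCP
# ports from a would-be domain member. Assumes bash (for /dev/tcp) and
# coreutils `timeout`; the DC name used in the usage line is a placeholder.

# One line per entry from the table above: port/protocol and a label.
AD_PORTS="53/tcp DNS
88/tcp Kerberos
135/tcp RPC-endpoint-mapper
389/tcp LDAP
445/tcp SMB
464/tcp kpasswd
636/tcp LDAPS
3268/tcp Global-Catalog
3269/tcp Global-Catalog-SSL"

# probe_tcp HOST PORT [SECONDS]: 0 if a TCP handshake completes, 1 otherwise.
# A refused connect fails at once; one silently dropped by a firewall fails
# only when the timeout expires, which is itself a useful hint.
probe_tcp() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_ad_ports HOST: one report line per TCP port; returns the number of
# ports that could not be reached (0 means every TCP port is open).
check_ad_ports() {
  fails=0
  while read -r entry label; do
    port=${entry%/*}
    proto=${entry#*/}
    # UDP (DNS, Kerberos, kpasswd) would need a protocol-aware probe; skip it.
    [ "$proto" = tcp ] || continue
    if probe_tcp "$1" "$port"; then
      printf '%-5s %-22s open\n' "$port" "$label"
    else
      printf '%-5s %-22s BLOCKED\n' "$port" "$label"
      fails=$((fails + 1))
    fi
  done <<EOF
$AD_PORTS
EOF
  return $fails
}

# Usage (placeholder DC name): check_ad_ports dc01.corp.example
```

Run it from the member server or workstation that will be joined, not from the DC itself; the point is to test the path the real traffic takes. Remember that a clean result here says nothing about the dynamic RPC range described in the note above.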

Dynamic Host Configuration Protocol (DHCP)

Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use
----------- | ------- | ----------------- | ---------------- | ----------
67 | UDP | bootps | Bootstrap Protocol Server | DHCP (Server)
68 | UDP | bootpc | Bootstrap Protocol Client | DHCP (Client)

Domain Name System (DNS)

Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use
----------- | ------- | ----------------- | ---------------- | ----------
53 | TCP/UDP | domain | Domain Name Server | DNS

Network Time Protocol (NTP)

Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use
----------- | ------- | ----------------- | ---------------- | ----------
123 | TCP/UDP | ntp | Network Time Protocol | NTP

Note: NTP implementations in common use speak UDP only; the TCP registration exists at IANA but a firewall rule for 123/UDP is what actually matters.

Server Message Block (SMB)

Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use
----------- | ------- | ----------------- | ---------------- | ----------
139 | TCP | netbios-ssn | NETBIOS Session Service | SMB over NetBIOS (legacy)
445 | TCP | microsoft-ds | Microsoft-DS | SMB (direct-hosted)

Microsoft SQL Server

Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use
----------- | ------- | ----------------- | ---------------- | ----------
1433 | TCP | ms-sql-s | Microsoft-SQL-Server | Microsoft SQL (default instance)

Note: a named instance listens on a dynamic port by default and is located through the SQL Server Browser service on 1434/UDP (IANA ms-sql-m). Either allow 1434/UDP and the dynamic port, or pin the instance to a fixed port in SQL Server Configuration Manager and allow only that.

VMware Cloud Foundation

Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use
----------- | ------- | ----------------- | ---------------- | ----------
443 | TCP | https | http protocol over TLS/SSL | HTTP/S
22 | TCP | ssh | The Secure Shell (SSH) Protocol | SSH
5480 | TCP | | | VMware Appliance Management Interface (VAMI)
9543 | TCP | | |
902 | TCP | | | vCenter Server to ESXi host management
514 | UDP | syslog | syslog | Syslog
514 | TCP | shell | cmd (rsh) | Syslog over TCP (de facto use; IANA registers 514/TCP as rsh)

Note: IANA registers 6514/TCP (syslog-tls) for syslog over TLS. Where the receiver supports it, prefer 6514 over clear-text 514 so log data is not readable or forgeable in transit.

VMware Horizon

Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use
----------- | ------- | ----------------- | ---------------- | ----------
8443 | TCP | pcsync-https | PCsync HTTPS | Blast Extreme traffic
443 | TCP | https | http protocol over TLS/SSL | Authentication
22443 | TCP/UDP | | | Blast Extreme traffic
3389 | TCP | ms-wbt-server | MS WBT Server | Remote Desktop Protocol (RDP)

https://techzone.vmware.com/sites/default/files/Horizon-Network-Ports-with-All-Connection-Types-and-All-Display-Protocols.png

Helpful Links

Adding a Computer Account to MS SQL Server for a VMware App Volumes Manager Database

ref: https://www.enhansoft.com/updated-how-to-create-a-sql-server-computer-account-login/

This post will probably work for other use cases, but I am specifically needing it for VMware App Volumes Manager.

Open SQL Server Management Studio (SSMS)

Expand Security

Right-click Logins

Select New Login…

1. Do not use the Search… button. Type the Login name as:

DOMAIN\computer-name$

The trailing dollar sign is part of the computer object's sAMAccountName in Active Directory; without it, SQL Server looks for a user account of that name instead of the computer account. (ref: https://social.technet.microsoft.com/Forums/en-US/eec574c0-5421-4d7a-a806-a3c5af3d29bf/why-in-samaccount-name-of-computer-account-in-active-directory?forum=winserverDS)

2. Choose the Windows authentication radio button.

3. Select the Default database for App Volumes Manager if it was already created. You can assign it later after creating the database if needed.

4. Select the Default language

Do not click OK yet.

On the Server Roles page, check sysadmin only if the application genuinely needs server-wide rights. sysadmin can do anything on the instance, including reading and altering every other database, so an application that owns a single database is better served by db_owner on that database, granted on the User Mapping page. Still don't click OK.

On the User Mapping page, check the box next to the database being mapped to the computer account (assuming the database has already been created) and select the database role it needs, typically db_owner for a service that creates and maintains its own schema.

Click OK.

Verify the computer account is added to the list of logins.
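The same result scripted, as an added example that is not part of the original post or of VMware's documentation: a shell function that emits the T-SQL equivalent of the SSMS steps above for a computer account, to be piped into sqlcmd. It maps the login to db_owner on the application database instead of granting sysadmin. The DOMAIN, host, database and server names are placeholders, and sqlcmd with a Windows-authenticated session (-E) that is allowed to create logins is assumed.

```sh
#!/bin/sh
# Added example (not from the original post): T-SQL for a computer-account
# login, generated by a shell function and run through sqlcmd. Assumes sqlcmd
# on the PATH and a session (-E) allowed to create logins; all names are
# placeholders.

# computer_login DOMAIN HOST: the login name SQL Server expects, "DOMAIN\HOST$".
# The trailing "$" is what marks the principal as a computer account.
computer_login() {
  printf '%s\\%s$' "$1" "$2"
}

# grant_sql DOMAIN HOST DATABASE [ROLE]: T-SQL that creates the Windows login,
# sets its default database, maps it into DATABASE and adds it to ROLE.
# ROLE defaults to db_owner: enough for an application that owns one database,
# and far narrower than the server-wide sysadmin role.
grant_sql() {
  login=$(computer_login "$1" "$2")
  db=$3
  role=${4:-db_owner}
  cat <<EOF
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS WITH DEFAULT_DATABASE = [$db];
GO
USE [$db];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
ALTER ROLE [$role] ADD MEMBER [$login];
GO
-- Verification: the login should be listed with type_desc WINDOWS_LOGIN.
SELECT name, type_desc FROM sys.server_principals WHERE name = N'$login';
GO
EOF
}

# Usage (placeholder names): grant_sql CORP APPVOL01 AppVolumes | sqlcmd -S sql01.corp.example -E
```

The IF NOT EXISTS guards make the script safe to re-run. If the application later turns out to need more than its own database, add a second ALTER ROLE line for the extra database rather than falling back to sysadmin.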

This concludes this post.

VMware ESXi SSL Certificate Signing Request (CSR)

Need to replace the certificates with a custom certificate from a commercial or corporate Certificate Authority (CA)? You are going to need a Certificate Signing Request (CSR).

I use the certificate-manager tool (see below) included with vCenter to generate all of my requests. I found recently that you can skip this altogether if you can include the certificate's key from the CA. In the traditional method, though, you generate a CSR, submit it to the CA, and receive back a custom signed certificate.

/usr/lib/vmware-vmca/bin/certificate-manager
  • Connect to your Platform Services Controller (PSC) via SSH. This could be the same as your vCenter server.
  • Create a temporary directory to store your files in when you run the certificate-manager tool. Create a directory for each system you intend to generate CSR files for. I use the following format for my directory:
/tmp/hostname1
/tmp/hostname2
...
/tmp/hostnamen
  • Run the certificate-manager tool:
/usr/lib/vmware-vmca/bin/certificate-manager
  • Select option 1 to replace the Machine SSL certificate.
  • Provide the SSO administrator username if your SSO domain is not the default (administrator@vsphere.local), or press Enter to accept the default.
  • Provide the administrator password.
  • Select option 1 to Generate Certificate Signing Request(s)…
  • Provide an Output directory path such as
/tmp/hostname

The next information you will be requested to enter is for the certificate.

  • Country – two-letter ISO 3166-1 code (https://www.iso.org/obp/ui/#search)
  • Name – the fully qualified domain name of the server; this becomes the certificate's Common Name
  • Organization – name of your organization
  • OrgUnit – name of your department
  • State – the state where the system resides (no abbreviations)
  • Locality – the city where the system resides
  • IPAddress – IP address of the system
  • Email – email address of the person or team responsible for administering the system
  • Hostname – always include both the fully qualified domain name and the short name; these become the certificate's Subject Alternative Names, and a client that connects by a name missing from that list gets a certificate warning
  • Proper value of VMCA 'Name' – I use the fully qualified domain name here

Press option 2 to exit certificate-manager. Your .csr and .key files are stored in the directory you specified. The .key file is the private key for the new certificate: /tmp is shared with every other local user, so check the permissions on the directory, copy the key only over SSH/SCP, and delete the /tmp copies once the signed certificate has been installed.

Apple Computer

If you use an Apple computer, you can use scp in the Terminal to copy the files.

$ mkdir ~/Documents/Certificates/hostname/
$ cd ~/Documents/Certificates/hostname/
$ scp [email protected]:/tmp/hostname/*.* .

Windows Computer

If you use Windows, I recommend WinSCP. You will first need to set the login shell for root on the Platform Services Controller to Bash, because WinSCP cannot drive the appliance shell:

chsh -s /bin/bash root

Switch it back to the appliance shell (chsh -s /bin/appliancesh root) when you have finished copying, so the appliance is not left with a general-purpose shell on its root account.

Follow the instructions of your CA on how to submit the CSR to be signed.
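Before submitting, it is worth confirming that the CSR actually carries the names you typed and that it belongs to the key sitting next to it; a CSR signed without the short name, or with a key that was later regenerated, costs a second round trip to the CA. The following is an added example and not part of the original post or of VMware's tooling: a few POSIX shell functions around openssl that check a CSR's Subject Alternative Names and compare its public key with a key file. It assumes openssl 1.1.1 or later on the PATH. The demo key and CSR it builds are constructed here to stand in for the files certificate-manager would write to /tmp/hostname/; the host names and IP are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check a CSR and its key
# before sending the CSR to the CA. Assumes openssl >= 1.1.1; names, paths
# and the demo CSR below are placeholders constructed for this example.

# csr_subject CSR: print the subject line, e.g. "subject=C = US, ... CN = vc01.corp.example"
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# csr_sans CSR: print the Subject Alternative Name entries (empty if none).
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# csr_has_san CSR NAME: 0 if NAME appears as a DNS or IP Address SAN entry.
# Entries are compared whole, so "vc01" does not match "vc01.corp.example".
csr_has_san() {
  csr_sans "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# csr_key_matches CSR KEY: 0 if the public key inside the CSR is the one
# derived from KEY, i.e. the CSR and key file belong together.
csr_key_matches() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_csr CSR KEY FQDN SHORT IP: run every check, print a report line per
# check and return the number of failures (0 means safe to submit).
check_csr() {
  fails=0
  if csr_key_matches "$1" "$2"; then echo "key matches CSR"; else echo "KEY MISMATCH"; fails=$((fails + 1)); fi
  for name in "$3" "$4" "$5"; do
    if csr_has_san "$1" "$name"; then echo "SAN present: $name"; else echo "SAN MISSING: $name"; fails=$((fails + 1)); fi
  done
  return $fails
}

# make_demo_csr DIR: constructed stand-in for certificate-manager's output,
# with the FQDN as CN and SANs for the FQDN, the short name and the IP.
make_demo_csr() {
  mkdir -p "$1"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/demo.key" -out "$1/demo.csr" \
    -subj "/C=US/ST=Texas/L=Austin/O=Example Corp/OU=Infrastructure/CN=vc01.corp.example" \
    -addext "subjectAltName=DNS:vc01.corp.example,DNS:vc01,IP:192.0.2.10" 2>/dev/null
}

# Usage against the demo files (swap in /tmp/hostname/*.csr and *.key for real ones):
#   make_demo_csr /tmp/demo-host
#   check_csr /tmp/demo-host/demo.csr /tmp/demo-host/demo.key vc01.corp.example vc01 192.0.2.10
```

Run check_csr with every name clients will use to reach the host; a missing short name or IP is the usual reason a certificate that the CA signed without complaint still produces browser warnings.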

Terribly Embarrassing Admin Moment

I am still quite new to WordPress. I was finally able to get time to clean out my basement, cobble together an old PC and get my favorite flavor of Linux installed. Of course, there was an unnecessary struggle there, but I won't get into details. Lo and behold, I am up and running. About a week or so after the initial install, I received an update notice for WordPress. OK, easy enough, I can just click on the upgrade button, right? Wrong, and after messing around with this for over three days, it is finally updated.

First, I do not trust FTP so I immediately ruled that out as a method to upgrade. I immediately went the SSH2 route. I needed an article to assist me though and did a few minutes of searching. Finally, I came across an article by Justin Ellingwood on Digital Ocean titled, “How To Configure Secure Updates and Installations in WordPress on Ubuntu”. (https://www.digitalocean.com/community/tutorials/how-to-configure-secure-updates-and-installations-in-wordpress-on-ubuntu) The article is for Ubuntu so I knew right away I would have to adapt to make it work on my box.

In the article, Justin mentions creating a new user, ‘wp-user’.

sudo adduser wp-user

What I failed to realize was that it could have been anything. What I later came to realize was that my already established user account, the one I used to log in to the box, would have sufficed, as that is what worked for me in the end. Looking back, I wish the article had done something like the next code snippet, given a warning, made a note, or just screamed, "If you already have a user account, please skip to the next section."

sudo adduser <new user>

I definitely did learn quite a bit along the way, though, so not all was lost. I learned that the apache daemon running on my server should be owned by my user account and not the httpd process. I made the appropriate change, restarted httpd, and prayed the site would still display. It did, so that worked out well.

I also got a refresher in Linux permissions and setting owners. The one thing I still do not think is working as I intended, though, is using the SSH keys. I ended up getting SSH working, but with username and password. I mucked around the wp-config.php file and changed a few constants but could never figure out a combination to get the key-based authentication working. The instructions are even provided in the WordPress Codex. (https://codex.wordpress.org/Editing_wp-config.php#WordPress_Upgrade_Constants)

So yeah, this was quite a learning experience for me. One I hope to never have to suffer through again.