
2013年3月28日

DNS additional options for security issue


Starting from the default named settings, this post only highlights the additional options that matter for security. FYI :-)

options {
......
......
version "invisible dns version"; // hide the BIND version string from version.bind queries
minimal-responses yes; // for details, see https://www.isc.org/software/bind/advisories/cve-2012-5166
allow-recursion {192.168.1.0/24;}; // or set recursion no on an authoritative-only server
allow-transfer {none;}; // deny zone transfers globally; on the master, allow only the slave per zone (see the views below)
allow-notify {192.168.1.135;}; // on the slave, accept NOTIFY only from the master so the zone is refreshed from it
};


logging {
        channel default_log {
                file "data/named.run";
                severity dynamic;
                print-time yes;
        };
        channel audit_log {
                file "/var/log/named/audit_log";
                severity debug;
                print-time yes;
        };
        channel queries_log {
                file "/var/log/named/queries.log";
                severity dynamic;
                print-time yes;
        };

        category default {default_log;};
        category general {default_log;};
        category security {audit_log;};
        category config {audit_log;};
        category notify {audit_log;};
        category queries {queries_log;};
};


view inner {
 match-clients {192.168.1.0/24;};
 zone "mydomain.com" {
 ......

 allow-transfer {192.168.1.246;}; // on the master, allow only the slave to pull the zone
 };

 zone "localhost" {
 ......

 allow-update {none;};
 };
}; // inner

view outer {
 match-clients {any;};
 zone "mydomain.com" {
 ......

 };
}; // outer
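As an added example (not part of the original post, and not an ISC tool), the script below audits a named.conf text for the hardening options discussed above: a version override, minimal-responses, restricted recursion, and the effective allow-transfer of every zone after global inheritance. The configuration embedded in it is constructed, and the parser is deliberately simple: it handles nested braces and all three named.conf comment styles but does not model view-level allow-transfer overrides or include files.

```python
import re

# Constructed sample named.conf fragment (not from a real server). It carries the
# hardened global options from the post plus one zone that silently reopens AXFR.
SAMPLE_CONF = """
options {
    directory "/var/named";
    version "invisible dns version";   // hide BIND version
    minimal-responses yes;
    allow-recursion { 192.168.1.0/24; };
    allow-transfer { none; };
};

zone "mydomain.com" {
    type master;
    file "mydomain.com.zone";
    allow-transfer { 192.168.1.246; };   // only the slave may AXFR
};

zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { any; };             // weak: world-readable zone
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def statement(body, name):
    """Value of `name value;` or `name { ...; };` in body, or None if absent.

    The lookbehind keeps `recursion` from matching inside `allow-recursion`."""
    pattern = r"(?<![\w-])" + re.escape(name) + r"\s+([^;{]*(?:\{[^}]*\})?)\s*;"
    m = re.search(pattern, body)
    return m.group(1).strip() if m else None


def acl(value):
    """Split an address-match list like `{ none; 10.0.0.0/8; }` into its elements."""
    if value is None:
        return None
    return [e.strip() for e in value.strip("{} \n").split(";") if e.strip()]


def audit(conf):
    """Return a list of findings; an empty list means every check from the post passes."""
    text = strip_comments(conf)
    findings = []
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return ["no global options block found"]
    opts = block_body(text, m.end() - 1)

    if statement(opts, "version") is None:
        findings.append("options: no version override, BIND build string is disclosed")
    if (statement(opts, "minimal-responses") or "").lower() != "yes":
        findings.append("options: minimal-responses is not yes")

    # Either `recursion no` or a restricted allow-recursion list is acceptable.
    recursion_off = (statement(opts, "recursion") or "").lower() == "no"
    rec_acl = acl(statement(opts, "allow-recursion"))
    if not recursion_off and (rec_acl is None or "any" in rec_acl):
        findings.append("options: recursion is open to any client")

    # A zone without its own allow-transfer inherits the global one; with no
    # global setting either, older BIND releases default to allowing AXFR to any.
    global_xfer = acl(statement(opts, "allow-transfer"))
    for zm in re.finditer(r'(?<![\w-])zone\s+"?([^"\s{]+)"?\s*\{', text):
        body = block_body(text, zm.end() - 1)
        effective = acl(statement(body, "allow-transfer"))
        if effective is None:
            effective = global_xfer
        if effective is None or "any" in effective:
            findings.append(f"zone {zm.group(1)}: zone transfer (AXFR) allowed from anywhere")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run against the embedded sample it reports only the example.net zone, because the global `allow-transfer {none;}` covers every zone that does not override it. Pointing it at a real file (`audit(open("/etc/named.conf").read())`) is a quick pre-deployment check; named-checkconf still has to validate the syntax.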



2012年10月26日

Zimbra - Distribution list control by Milter server


Enable Milter server

from web admin console:
Configure - Global Settings - MTA
check Enable milter server

by command:
[root@mail ~]$ su - zimbra
[zimbra@mail ~]$ zmprov ms `zmhostname` zimbraMilterServerEnabled TRUE
[zimbra@mail ~]$ zmmailboxdctl restart
Stopping mailboxd...done.
Starting mailboxd...done.

[zimbra@mail ~]$ zmmtactl restart
Rewriting configuration files...done.
postfix/postfix-script: refreshing the Postfix mail system
Stopping saslauthd...done.
Starting saslauthd...done.
Stopping opendkim... done.
Started opendkim: pid 12355

[zimbra@mail ~]$ zmmilterctl start
Starting milter server...done.
[zimbra@mail ~]$ zmmilterctl status
Milter server is running.


Allow a specific user to send to a distribution list
zmprov grr dl distributionlist@yourdomain.dom usr user@yourdomain.dom SendToDistList

Allow specific domain to send to a distribution list 
zmprov grr dl distributionlist@yourdomain.dom dom thedomain.dom SendToDistList

Deny specific domain to send to a distribution list 
zmprov grr dl distributionlist@yourdomain.dom dom thedomain.dom -SendToDistList

2012年3月27日

OSPF LSA type

LSA type 1 – Router LSAs are sent from a router to the other routers in the same area. They describe the router's interfaces in that area, the IP addresses of those interfaces, the adjacent routers on them and the attached subnets.
LSA type 2 – Network LSAs are generated by the DR on a multi-access segment and provide, for that segment and the subnet it belongs to, information similar to a type 1 LSA.
LSA type 3 – Network Summary LSAs are generated by ABRs; they contain the subnets and costs of one area but omit its topological data, and are sent into another area via the ABR.
LSA type 4 – ASBR Summary LSAs are from ASBRs, are identical in structure to a type 3 LSA, and are sent when crossing an AS boundary.
LSA type 5 – AS External LSAs are originated by ASBRs and describe external networks.
LSA type 6 – Defined as the Group Membership LSA, but not used in Cisco devices.
LSA type 7 – NSSA External LSAs are generated by the ASBR in an NSSA area.
LSA type 8 – Defined as the External Attribute LSA, but not used in Cisco devices.
LSA types 9 to 11 – Defined as Opaque LSAs and reserved for future expansion.

ref.: http://communitystring.com/2008/07/ospf-lsa-types/



Area type              Type 1 & 2 (within area)   Type 3 (from other areas)   Type 4   Type 5   Type 7
Standard & backbone    Yes                        Yes                         Yes      Yes      No
Stub                   Yes                        Yes                         No       No       No
Totally stubby         Yes                        No                          No       No       No
NSSA                   Yes                        Yes                         No       No       Yes
Totally stubby NSSA    Yes                        No                          No       No       Yes




ref.: https://learningnetwork.cisco.com/docs/DOC-7924

OSPF - Normal, Stub, Totally Stub and NSSA Area Differences

ref.: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094aaa.shtml#definestub

Normal: None
Stub: No Type 5 AS-external LSAs allowed
Totally Stub: No Type 3, 4 or 5 LSAs allowed except the default summary route
NSSA: No Type 5 AS-external LSAs allowed, but Type 7 LSAs that convert to Type 5 at the NSSA ABR can traverse
NSSA Totally Stub: No Type 3, 4 or 5 LSAs except the default summary route, but Type 7 LSAs that convert to Type 5 at the NSSA ABR are allowed

more information about LSA type:

2012年2月24日

VMware virtual disk operation with vmkfstools

Extend virtual disk
vmkfstools -X 30G /vmfs/volumes/datastore_name/vm_name/vm_name.vmdk
Note that 30G is not the amount of extra space added; it is the final total size of the virtual disk.
For details see http://kb.vmware.com/kb/1007266

2011年9月21日

CA management - tinyca

TinyCA is a program with a simple graphical user interface that makes managing a small CA (Certification Authority) easy.  TinyCA works as a frontend for openssl and can deal with several independent CAs.
With TinyCA you can create and manage x509 and S/MIME server and client certificates.  You can choose between RSA and DSA keys, as well as between different digest algorithms.
The certificates can be exported as PEM, DER, TXT and PKCS#12 or as a convenient archive containing both key and certificate.  Certificates can be revoked by adding them to a certificate revocation list.

2011年9月12日

Juniper screen OS debug transaction flow

Capturing Debug flow basic:

clear db
set ff src-ip x.x.x.x dst-ip y.y.y.y
set ff src-ip y.y.y.y dst-ip x.x.x.x

(where x.x.x.x is the client IP that is accessing the server, and y.y.y.y is the public IP of the server, i.e. the VIP of the server)

debug flow basic

(Then initiate the concerned traffic from source x.x.x.x to y.y.y.y)

get db str
undebug all
clear db


Capturing snoop detail

clear db
snoop filter ip src-ip x.x.x.x dst-ip y.y.y.y direction both
snoop detail len 1514
snoop (and then press y to confirm)

(Then initiate the concerned traffic from source x.x.x.x to y.y.y.y)

get db str
snoop off