Posts

Patch Tuesday February 2015

Another month, another patch Tuesday!

Microsoft has released eight updates to address vulnerabilities in Windows, Internet Explorer and the Office suite.
Adobe has released security updates to address multiple vulnerabilities in Flash Player. Check the links below and make sure you are running the latest version available.

Some of these vulnerabilities could allow elevation of privilege, denial of service, remote code execution, or security feature bypass that allows an attacker to take control of the affected system. It is advised to upgrade as soon as possible.

More information:
Microsoft
Adobe

Patch Tuesday January 2015

Another month, another patch Tuesday!

Microsoft has released eight updates to address vulnerabilities in Microsoft Windows.

Adobe has released security updates to address multiple vulnerabilities in Flash Player.

Some of these vulnerabilities could allow elevation of privilege, denial of service, remote code execution, or security feature bypass that allows an attacker to take control of the affected system. It is advised to upgrade as soon as possible.

More information:
Microsoft
Adobe

Patch Tuesday December 2014

Another month, another patch Tuesday!

Microsoft has released updates to address vulnerabilities in Exchange, Windows, Internet Explorer, and the Office suite.
Adobe has released security updates to address multiple vulnerabilities in Flash, Reader, Acrobat, and ColdFusion.

It is advised to update as soon as possible as some of these vulnerabilities could allow elevation of privilege, remote code execution, or disclosure of information – basically taking over your system.

More information:
https://technet.microsoft.com/library/security/ms14-dec
http://helpx.adobe.com/security/products/flash-player/apsb14-27.html
http://helpx.adobe.com/security/products/reader/apsb14-28.html
http://helpx.adobe.com/security/products/coldfusion/apsb14-29.html

Patch Tuesday November 2014

Another month, another patch Tuesday!

Microsoft listed sixteen security bulletins for various products, which translated into fourteen released patches, including a fix for a critical Schannel vulnerability (MS14-066) that could allow remote code execution if an attacker sends specially crafted packets to a Windows server (there is, however, currently no public exploit for this).
Adobe has released multiple security hotfixes for Adobe Flash Player and Adobe AIR.

More information:
https://technet.microsoft.com/library/security/ms14-nov
http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

Patch Tuesday October 2014

Another month, another Patch Tuesday!

Microsoft issued eight security bulletins that address over two dozen vulnerabilities, including the previously mentioned Sandworm vulnerability in Windows OLE (CVE-2014-4114, fixed by MS14-060).

Adobe has released security hotfixes for ColdFusion on all platforms. These hotfixes address a security permissions issue that could be exploited by an unauthenticated local user to bypass the IP address access control restrictions applied to the ColdFusion Administrator. Cross-site scripting and cross-site request forgery vulnerabilities are also addressed.

Adobe has also released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.

Oracle has released its quarterly Critical Patch Update covering a large number of products (see link below); amongst the most notable are Oracle Database, Solaris, MySQL, VirtualBox and Java.

More information:
http://helpx.adobe.com/security/products/coldfusion/apsb14-23.html
http://helpx.adobe.com/security/products/flash-player/apsb14-22.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
https://technet.microsoft.com/library/security/ms14-oct

Patch Tuesday September 2014

Another month, another Patch Tuesday!

For this month’s Patch Tuesday, Microsoft has, amongst other things, released an update for Internet Explorer that addresses 37 CVEs. The other items include an update to Improve Credentials Protection and Management (which adds additional protection for users’ credentials when logging into a Windows 7 or Windows Server 2008 R2 system), Security Advisory 2905247 (Insecure ASP.NET Site Configuration Could Allow Remote Code Execution) and Security Advisory 2755801 (Update for Vulnerabilities in Adobe Flash Player in Internet Explorer).

Adobe, on the other hand, has opted to supply updates only for Adobe Flash Player today, and will have updates available for Adobe Reader and Acrobat on 15 September.

More information:
https://technet.microsoft.com/library/security/ms14-sep
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html

Patch Tuesday August 2014

Another month, another Patch Tuesday!

Microsoft has released updates to address vulnerabilities in Windows, Office, SQL Server, Server Software, .NET Framework, and Internet Explorer as part of the Microsoft Security Bulletin Summary for August 2014. Some of these vulnerabilities could allow remote code execution, elevation of privilege, or security feature bypass.

Adobe has released security updates to address multiple vulnerabilities in Flash Player, Adobe Reader and Acrobat. Exploitation of these vulnerabilities could potentially allow an attacker to take control of the affected system.
Users and administrators are encouraged to review Adobe Security Bulletins APSB14-18 and APSB14-19, and apply the necessary updates.

More information:
https://technet.microsoft.com/library/security/ms14-aug
http://helpx.adobe.com/security/products/reader/apsb14-19.html
http://helpx.adobe.com/security/products/flash-player/apsb14-18.html

https://www.us-cert.gov/ncas/current-activity/2014/08/12/Adobe-Releases-Security-Updates-Flash-Player-Adobe-Reader-and
https://www.us-cert.gov/ncas/current-activity/2014/08/12/Microsoft-Releases-August-2014-Security-Bulletin

How to install Logstash on Windows Server 2012 with Kibana in IIS.

This post is a repost from Sjir Bagmeijer’s personal website and is now outdated; an up-to-date version is available there:
https://ulyaoth.com/tutorials/how-to-install-elastic-stack-5-4-on-windows-server-2016/

In this guide I will show that it is also possible to run Logstash on a Windows Server 2012 machine and use IIS as the web server. This guide probably needs some improvements and optimisations, but it should give you a good example of how to set everything up.

Please be aware that you will probably have to configure Kibana differently than I did to make everything look shiny, and you will probably need a different Logstash configuration to make things show up as you would like. I am also aware that Logstash provides all-in-one packages with Elasticsearch and Kibana built in; however, I still feel setting things up separately is more appropriate.

The config below is just meant to be an example to show that everything works just as fine on Windows as it does on Linux.

If you are interested in Linux then please have a look at my other guide at:
http://bfblogg.wpengine.com/blog/how-to-install-logstash-with-kibana-interface-on-rhel/

Now let’s start with the guide!

Step 1: Download Logstash, Kibana and Elasticsearch.
Simply go to http://www.elasticsearch.org/overview/elkdownloads/

Logstash: https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.zip
Kibana: https://download.elasticsearch.org/kibana/kibana/kibana-3.1.0.zip
Elasticsearch: https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.2.1.zip

Step 2: Extract all packages
I created a folder called “basefarm” at “c:\basefarm\” and extracted all three archives there to keep things together.

So, for me it looks like this now:
c:\basefarm\elasticsearch
c:\basefarm\kibana
c:\basefarm\logstash

Step 3: Download the JDK version of Java and install it.
Go to the Java website: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Accept the license and then download: “Windows x64 (jdk-8u5-windows-x64.exe)” package.
Now install it!

Step 4: Add the JAVA_HOME variable to the server
Right-click “This PC”, choose “Properties”, and at the bottom right (next to the computer name and full computer name) click “Change settings”.
In the window that opens, go to the “Advanced” tab and click “Environment Variables”.
In the bottom box, “System Variables”, click “New” and add the following:
Variable Name: JAVA_HOME
Variable value: C:\Program Files\Java\jdk1.8.0_05

It should look like this:

Step 5: Download the required configuration files
Logstash.conf: https://github.com/sbagmeijer/ulyaoth/blob/master/guides/logstash/windows/logstash.conf

Place this file in:
C:\basefarm\logstash\bin

ulyaoth.json:
https://raw.githubusercontent.com/sbagmeijer/ulyaoth/master/guides/logstash/kibana/dashboard/ulyaoth.json

Place this file in:
C:\basefarm\kibana\app\dashboards

Rename “ulyaoth.json” to “basefarm.json”, so you end up with “C:\basefarm\kibana\app\dashboards\basefarm.json”.

Step 6: Configure Kibana & Logstash
Open the file: C:\basefarm\kibana\config.js

and change the following line:
default_route : '/dashboard/file/default.json',

to:
default_route : '/dashboard/file/basefarm.json',

Now open the file: C:\basefarm\kibana\app\dashboards\basefarm.json

and change the following line:
"title": "Ulyaoth: Logstash Search",

to:
"title": "Basefarm: Logstash Search",

Step 7: Install IIS
Go to “Server Manager”, choose “Add Roles and Features”, select “Web Server (IIS)” from the list of roles, continue through the wizard and let it install.

Step 8: Open IIS Manager and stop the “Default Web Site”
Just press the stop button like you see below in the picture:

Step 9: Create a new website for Kibana as shown below
Right click on “sites” in the left part of IIS Manager and click “Add Website”.

Fill it in something like this:

It should automatically start.

Step 10: Start Elasticsearch and put it on auto-start
Open a console and go to “c:\basefarm\elasticsearch\bin\”.
Now type the following command (this runs the service.bat that ships in that folder):
service install

You should see something like:

Now type the following:
service manager

You should see the elasticsearch service manager:

On the “General” tab, change “Startup type” from Manual to Automatic and press “Apply”. This makes Elasticsearch start automatically on server boot.

This window contains some more options, such as how much memory Elasticsearch may use; you can find this under the “Java” tab. I would suggest tuning this to fit your server if it will handle a large volume of logs; at the very least I would raise “Maximum Memory Pool” above the default of 1024 MB.

Before you close the window make sure to press “Start” so it actually will run right now 🙂

That is everything needed to start Elasticsearch automatically on boot. To test that it is working, open a browser and go to this URL: http://127.0.0.1:9200/

If you see a JSON string like the one in the picture below, it is running:

Step 11: Start Logstash & Autostart it
For this step we need another small program to create a proper Windows service, so please download NSSM (the Non-Sucking Service Manager) from http://nssm.cc/
http://nssm.cc/release/nssm-2.23.zip

Once you have the zip file, unzip it and copy nssm.exe from the “nssm-2.23\win64” folder to “C:\basefarm\logstash\bin”, so you end up with “C:\basefarm\logstash\bin\nssm.exe”.

You technically do not have to copy this file, but it keeps things clean and keeps nssm available for any future use; you never know. 🙂

Now open a Command Prompt and type:
cd C:\basefarm\logstash\bin

And then type the following:
nssm install logstash

You will now see a GUI to create a service; fill in the following:
Path: C:\basefarm\logstash\bin\logstash.bat
Startup directory: C:\basefarm\logstash\bin
Arguments: agent -f C:/basefarm/logstash/bin/logstash.conf

It should look like this:

If all looks okay, double-check on the “Details” tab that “Startup type” is set to “Automatic” and then press “Install service”. That is all that is needed for Logstash to start automatically on server boot.

If you wish to adjust the memory Logstash uses, open the file “C:\basefarm\logstash\bin\logstash.bat” and change the following two lines to the amount of memory you want it to use:
[code]
set LS_MIN_MEM=256m
set LS_MAX_MEM=1g
[/code]

Step 12: Edit your host file (optional)
This step I only do because I run everything on a test server with no internet connection.

open: C:\Windows\System32\drivers\etc\hosts

Now add:
127.0.0.1 loghost.basefarm.com

And save the file.

Now reboot your server so you can test that everything is automatically coming online.

This is all you should have to do; once the server is back online you have Logstash up and running, so just go to:
http://loghost.basefarm.com/

And you should see:

As you can see, the IIS logs of your Kibana site are now shipped to the Logstash instance.

Just remember that Kibana 3 is a browser-side application: the user’s browser talks to Elasticsearch on port 9200 directly (config.js points it at the site’s hostname on port 9200), and Elasticsearch itself has no authentication. So if you serve this website to anyone other than yourself on the server, port 9200 must be reachable from your users’ machines, but restrict it with the Windows Firewall to those internal networks only and never expose it to the outside world. If you need to go further, put Elasticsearch behind a reverse proxy in IIS and bind it to 127.0.0.1 only.
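As an added example that is not part of the original guide, here is steps 4, 10 and 11 as one unattended PowerShell script, together with the firewall scoping for port 9200 just described. It assumes the c:\basefarm layout and the JDK path from step 4, that the Elasticsearch 1.2.1 service.bat registers the service under the name elasticsearch-service-x64, that nssm.exe has been copied to C:\basefarm\logstash\bin as in step 11, and that your Kibana users sit on 10.0.0.0/8 (an assumption; change $TrustedNet to your own network). The firewall cmdlets are the NetSecurity module that ships with Windows Server 2012.

```powershell
# Added example, not part of the original guide: steps 4, 10 and 11 as one
# script, plus scoping port 9200 to the networks your Kibana users are on.
# Run from an elevated PowerShell prompt on the loghost after steps 1-3 and 5-9.
$Base       = 'C:\basefarm'
$JdkDir     = 'C:\Program Files\Java\jdk1.8.0_05'   # from step 4
$TrustedNet = '10.0.0.0/8'                            # assumption: where your Kibana users sit
$EsService  = 'elasticsearch-service-x64'             # assumption: service id used by the ES 1.x service.bat

# Step 4: JAVA_HOME machine-wide (for new processes) and in this session (for the installers below).
[Environment]::SetEnvironmentVariable('JAVA_HOME', $JdkDir, 'Machine')
$env:JAVA_HOME = $JdkDir

# Step 10: register Elasticsearch as a Windows service, set it to Automatic and start it.
& (Join-Path $Base 'elasticsearch\bin\service.bat') install
Set-Service -Name $EsService -StartupType Automatic
Start-Service -Name $EsService

# Step 11: Logstash as a service via NSSM, with the same values the guide enters in the NSSM GUI.
$LsBin = Join-Path $Base 'logstash\bin'
$Nssm  = Join-Path $LsBin 'nssm.exe'
& $Nssm install logstash (Join-Path $LsBin 'logstash.bat') 'agent -f C:/basefarm/logstash/bin/logstash.conf'
& $Nssm set logstash AppDirectory $LsBin
& $Nssm set logstash Start SERVICE_AUTO_START
& $Nssm start logstash

# Port 9200: Kibana 3 runs in the user's browser and queries Elasticsearch directly, and
# Elasticsearch has no authentication, so allow 9200 only from $TrustedNet. With the inbound
# default set to Block, anything this rule does not match (e.g. the internet) is dropped.
Set-NetFirewallProfile -All -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Elasticsearch 9200 from trusted networks' `
    -Direction Inbound -Protocol TCP -LocalPort 9200 `
    -RemoteAddress $TrustedNet -Action Allow | Out-Null

# Verify: both services set to Automatic and running, and Elasticsearch answering locally.
Start-Sleep -Seconds 20
Get-WmiObject Win32_Service -Filter "Name='$EsService' OR Name='logstash'" |
    Format-Table Name, State, StartMode -AutoSize
$es = Invoke-RestMethod -Uri 'http://127.0.0.1:9200/'
"Elasticsearch {0} answered with status {1}" -f $es.version.number, $es.status
```

To confirm the scoping, run `Test-NetConnection loghost.basefarm.com -Port 9200` once from a machine inside $TrustedNet (TcpTestSucceeded should be True) and once from a machine outside it (False); the Kibana dashboard in the browser only works from the first kind of machine, which is exactly the point.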

If you want to ship logs from another server to your loghost server, have a look at a program called “nxlog” (http://nxlog-ce.sourceforge.net/); it is a fairly simple way of shipping logs to Logstash and works perfectly on Windows.

If you have any suggestions to improve this guide, please feel free to update the configs on GitHub or to send me the information so I can update the guide and help others!

I also would like to thank “Milo Bofacher” for pointing to “nssm” and “nxlog”!

Patch Tuesday April 2014

Microsoft and Adobe have had their regular Patch Tuesday for the month.

Microsoft

Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office. The update for Microsoft Word addresses the issues described in Microsoft Security Advisory 2953095. For those who prioritize, we recommend this bulletin as well as the update for Internet Explorer be on the top of your list.

We would be remiss if we did not mention another end; the end of support for Windows XP and Office 2003. The updates provided by MS14-018 and MS14-019 will be the final security updates for Windows XP; MS14-017 and MS14-020 are the final updates for Office 2003.

Adobe

Adobe has released security updates for Adobe Flash Player 12.0.0.77 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.346 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions.

More information:
http://blogs.technet.com/b/msrc/archive/2014/04/08/the-april-2014-security-updates.aspx
http://helpx.adobe.com/security/products/flash-player/apsb14-09.html

Patch Tuesday February 2014

Microsoft has released a number of critical updates, which should be applied as quickly as possible through Windows Update. The vulnerabilities they fix could potentially let someone take over your system. This month, Microsoft is also recommending that users install EMET, a free toolkit for deploying and configuring security mitigation technologies that helps keep your Windows system more secure.

Adobe has released a security update for Adobe Shockwave Player 12.0.7.148 and earlier versions on the Windows and Macintosh operating systems. It fixes a critical vulnerability, so users of Adobe Shockwave need to upgrade right away.
Not everyone has Shockwave, but if you do, you can check which version you have here: http://www.adobe.com/shockwave/welcome/
Should you not see an animation below the “ADOBE SHOCKWAVE PLAYER” test, then you don’t have Shockwave (and should not install it just to apply the update).
Those running an old version of Shockwave should uninstall it if they don’t need it for something specific, or update if Shockwave really is required (it is not common to need it): http://get.adobe.com/shockwave/

More information:
http://helpx.adobe.com/security/products/shockwave/apsb14-06.html
http://technet.microsoft.com/en-us/security/bulletin/ms14-feb
http://blogs.technet.com/b/msrc/archive/2014/02/11/safer-internet-day-2014-and-our-february-2014-security-updates.aspx