tech-notez.com

* CTRL+C (Copy)
* CTRL+X (Cut)
* CTRL+V (Paste)
* CTRL+Z (Undo)

* DELETE (Delete)
* SHIFT+DELETE (Delete the selected item permanently without placing the item in the Recycle Bin)
* CTRL while dragging an item (Copy the selected item)
* CTRL+SHIFT while dragging an item (Create a shortcut to the selected item)
* F2 key (Rename the selected item)
* CTRL+RIGHT ARROW (Move the insertion point to the beginning of the next word)
* CTRL+LEFT ARROW (Move the insertion point to the beginning of the previous word)
* CTRL+DOWN ARROW (Move the insertion point to the beginning of the next paragraph)
* CTRL+UP ARROW (Move the insertion point to the beginning of the previous paragraph)
* CTRL+SHIFT with any of the arrow keys (Highlight a block of text)
* SHIFT with any of the arrow keys (Select more than one item in a window or on the desktop, or select text in a document)
* CTRL+A (Select all)
* F3 key (Search for a file or a folder)
* ALT+ENTER (View the properties for the selected item)
* ALT+F4 (Close the active item, or quit the active program)
* ALT+ENTER (Display the properties of the selected object)
* ALT+SPACEBAR (Open the shortcut menu for the active window)
* CTRL+F4 (Close the active document in programs that enable you to have multiple documents open simultaneously)
* ALT+TAB (Switch between the open items)
* ALT+ESC (Cycle through items in the order that they had been opened)
* F6 key (Cycle through the screen elements in a window or on the desktop)
* F4 key (Display the Address bar list in My Computer or Windows Explorer)
* SHIFT+F10 (Display the shortcut menu for the selected item)
* ALT+SPACEBAR (Display the System menu for the active window)
* CTRL+ESC (Display the Start menu)
* ALT+Underlined letter in a menu name (Display the corresponding menu)
* Underlined letter in a command name on an open menu (Perform the corresponding command)
* F10 key (Activate the menu bar in the active program)
* RIGHT ARROW (Open the next menu to the right, or open a submenu)
* LEFT ARROW (Open the next menu to the left, or close a submenu)
* F5 key (Update the active window)
* BACKSPACE (View the folder one level up in My Computer or Windows Explorer)
* ESC (Cancel the current task)
* SHIFT when you insert a CD-ROM into the CD-ROM drive (Prevent the CD-ROM from automatically playing)
* CTRL+SHIFT+ESC (Open Task Manager)

Dialog box keyboard shortcuts

If you press SHIFT+F8 in extended selection list boxes, you enable extended selection mode. In this mode, you can use an arrow key to move a cursor without changing the selection. You can press CTRL+SPACEBAR or SHIFT+SPACEBAR to adjust the selection. To cancel extended selection mode, press SHIFT+F8 again. Extended selection mode cancels itself when you move the focus to another control.

* CTRL+TAB (Move forward through the tabs)
* CTRL+SHIFT+TAB (Move backward through the tabs)
* TAB (Move forward through the options)
* SHIFT+TAB (Move backward through the options)
* ALT+Underlined letter (Perform the corresponding command or select the corresponding option)
* ENTER (Perform the command for the active option or button)
* SPACEBAR (Select or clear the check box if the active option is a check box)
* Arrow keys (Select a button if the active option is a group of option buttons)
* F1 key (Display Help)
* F4 key (Display the items in the active list)
* BACKSPACE (Open a folder one level up if a folder is selected in the Save As or Open dialog box)

Microsoft natural keyboard shortcuts

* Windows Logo (Display or hide the Start menu)
* Windows Logo+BREAK (Display the System Properties dialog box)
* Windows Logo+D (Display the desktop)
* Windows Logo+M (Minimize all of the windows)
* Windows Logo+SHIFT+M (Restore the minimized windows)
* Windows Logo+E (Open My Computer)
* Windows Logo+F (Search for a file or a folder)
* CTRL+Windows Logo+F (Search for computers)
* Windows Logo+F1 (Display Windows Help)
* Windows Logo+ L (Lock the keyboard)
* Windows Logo+R (Open the Run dialog box)
* Windows Logo+U (Open Utility Manager)

Accessibility keyboard shortcuts

* Right SHIFT for eight seconds (Switch FilterKeys either on or off)
* Left ALT+left SHIFT+PRINT SCREEN (Switch High Contrast either on or off)
* Left ALT+left SHIFT+NUM LOCK (Switch the MouseKeys either on or off)
* SHIFT five times (Switch the StickyKeys either on or off)
* NUM LOCK for five seconds (Switch the ToggleKeys either on or off)
* Windows Logo +U (Open Utility Manager)

Windows Explorer keyboard shortcuts

* END (Display the bottom of the active window)
* HOME (Display the top of the active window)
* NUM LOCK+Asterisk sign (*) (Display all of the subfolders that are under the selected folder)
* NUM LOCK+Plus sign (+) (Display the contents of the selected folder)
* NUM LOCK+Minus sign (-) (Collapse the selected folder)
* LEFT ARROW (Collapse the current selection if it is expanded, or select the parent folder)
* RIGHT ARROW (Display the current selection if it is collapsed, or select the first subfolder)

Shortcut keys for Character Map

After you double-click a character on the grid of characters, you can move through the grid by using the keyboard shortcuts:

* RIGHT ARROW (Move to the right or to the beginning of the next line)
* LEFT ARROW (Move to the left or to the end of the previous line)
* UP ARROW (Move up one row)
* DOWN ARROW (Move down one row)
* PAGE UP (Move up one screen at a time)
* PAGE DOWN (Move down one screen at a time)
* HOME (Move to the beginning of the line)
* END (Move to the end of the line)
* CTRL+HOME (Move to the first character)
* CTRL+END (Move to the last character)
* SPACEBAR (Switch between Enlarged and Normal mode when a character is selected)

Microsoft Management Console (MMC) main window keyboard shortcuts

* CTRL+O (Open a saved console)
* CTRL+N (Open a new console)
* CTRL+S (Save the open console)
* CTRL+M (Add or remove a console item)
* CTRL+W (Open a new window)
* F5 key (Update the content of all console windows)
* ALT+SPACEBAR (Display the MMC window menu)
* ALT+F4 (Close the console)
* ALT+A (Display the Action menu)
* ALT+V (Display the View menu)
* ALT+F (Display the File menu)
* ALT+O (Display the Favorites menu)
MMC console window keyboard shortcuts

* CTRL+P (Print the current page or active pane)
* ALT+Minus sign (-) (Display the window menu for the active console window)
* SHIFT+F10 (Display the Action shortcut menu for the selected item)
* F1 key (Open the Help topic, if any, for the selected item)
* F5 key (Update the content of all console windows)
* CTRL+F10 (Maximize the active console window)
* CTRL+F5 (Restore the active console window)
* ALT+ENTER (Display the Properties dialog box, if any, for the selected item)
* F2 key (Rename the selected item)
* CTRL+F4 (Close the active console window. When a console has only one console window, this shortcut closes the console)

Remote desktop connection navigation

* CTRL+ALT+END (Open the Microsoft Windows NT Security dialog box)
* ALT+PAGE UP (Switch between programs from left to right)
* ALT+PAGE DOWN (Switch between programs from right to left)
* ALT+INSERT (Cycle through the programs in most recently used order)
* ALT+HOME (Display the Start menu)
* CTRL+ALT+BREAK (Switch the client computer between a window and a full screen)
* ALT+DELETE (Display the Windows menu)
* CTRL+ALT+Minus sign (-) (Place a snapshot of the entire client window area on the Terminal server clipboard and provide the same functionality as pressing ALT+PRINT SCREEN on a local computer.)
* CTRL+ALT+Plus sign (+) (Place a snapshot of the active window in the client on the Terminal server clipboard and provide the same functionality as pressing PRINT SCREEN on a local computer.)

Microsoft Internet Explorer navigation

* CTRL+B (Open the Organize Favorites dialog box)
* CTRL+E (Open the Search bar)
* CTRL+F (Start the Find utility)
* CTRL+H (Open the History bar)
* CTRL+I (Open the Favorites bar)
* CTRL+L (Open the Open dialog box)
* CTRL+N (Start another instance of the browser with the same Web address)
* CTRL+O (Open the Open dialog box, the same as CTRL+L)
* CTRL+P (Open the Print dialog box)
* CTRL+R (Update the current Web page)
* CTRL+W (Close the current window)

* Cable – bulk Category (Cat) 5, 5e, 6 or higher cable
* Wire Cutters – to cut and strip the cable if necessary
* For Patch Cables: RJ45 Plugs
* RJ45 Crimper

* For Fixed Wiring: RJ45 Jacks
* 110 Punch Down Tool

Recommended:

* Wire Stripper
* Cable Tester

About the Cable:
You can find bulk supplies of the cable at many computer stores or most electrical or home centers. You want UTP (Unshielded Twisted Pair) cable of at least Category 5. Cat 5 is required for basic 10/100 functionality, you will want Cat 5e for gigabit (1000BaseT) operation and Cat 6 or higher gives you a measure of future proofing. Bulk cable comes in many types, there are 2 basic categories, solid and braided cable. Braided cable tends to work better in patch applications for desktop use. It is more flexible and resilient than solid cable and easier to work with, but really meant for shorter lengths. Solid cable is meant for longer runs in a fixed position. Plenum rated cable must be used whenever the cable travels through an air circulation space. For example, above a false ceiling or below a raised floor. It may be difficult or impossible to tell from the package what type of cable it is, so peal out an end and investigate.

Here is what the internals of the cable look like:

Internal Cable Structure and Color Coding

Inside the cable, there are 8 color coded wires. These wires are twisted into 4 pairs of wires, each pair has a common color theme. One wire in the pair being a solid or primarily solid colored wire and the other being a primarily white wire with a colored stripe (Sometimes cables won’t have any color on the striped wire, the only way to tell which is which is to check which wire it is twisted around). Examples of the naming schemes used are: Orange (alternatively Orange/White) for the solid colored wire and White/Orange for the striped cable. The twists are extremely important. They are there to counteract noise and interference. It is important to wire according to a standard to get proper performance from the cable.

About RJ45 Plugs and Jacks:
The RJ45 plug is an 8-position modular connector that looks like a large phone plug. There are a couple variations available. The primary variation you need to pay attention to is whether the connector is intended for braided or solid wire. For braided/stranded wires, the connector has sharp pointed contacts that actually pierce the wire. For solid wires, the connector has fingers which cut through the insulation and make contact with the wire by grasping it from both sides. The connector is the weak point in an ethernet cable, choosing the wrong one will often cause grief later. If you just walk into a computer store, it’s nearly impossible to tell what type of plug it is. You may be able to determine what type it is by crimping one without a cable.

RJ45 jacks come in a variety styles intended for several different mounting options. The choice is one of requirements and preference. RJ45 jacks are designed to work only with solid cable. Most jacks come labeled with color codes for either T568A, T568B or both. Make sure you end up with the correct one.

Here is a diagram and pin out:

RJ45 Plug and Jack Pin Out

Ethernet Cable Pin Outs:
There are two basic cable pin outs. A straight through cable, which is used to connect to a hub or switch, and a cross over cable used to operate in a peer-to-peer fashion without a hub/switch. Generally all fixed wiring should be run as straight through. Some ethernet interfaces can cross and un-cross a cable automatically as needed, a handy feature.

The Difference Between Straight Through, Crossover, And Rollover Cables

There are generally three main types of networking cables: straight-through, crossover, and rollover cables. Each cable type has a distinct use, and should not be used in place of another.

Straight-Through Cables

Straight-through cables get their name from how they are made. Out of the 8 pins that exist on both ends of an Ethernet cable, each pin connects to the same pin on the opposite side. Review the diagram below for a visual example:

Notice how each wire corresponds to the same pin. This kind of wiring diagram is part of the 568A standard. The 568B standard achieves the same thing, but through different wiring. It is generally accepted to use the 568A standard as pictured, since it allows compatibility with certain telephone hardware- while 568B doesn’t.

Straight-through cables are primarily used for connecting unlike devices. A straight-through cable is typically used in the following situations:

Use a straight-through cable when:

* 1. Connecting a router to a hub

* 2. Connecting a computer to a swtich

* 3. Connecting a LAN port to a switch, hub, or computer

Note that some devices such as routers will have advanced circuitry, which enables them to use both crossover and straight-through cables. In general, however, straight-through cables will not connect a computer and router because they are not “unlike devices.”

Crossover Cables

Crossover cables are very similar to straight-through cables, except that they have pairs of wires that crisscross. This allows for two devices to communicate at the same time. Unlike straight-through cables, we use crossover cables to connect like devices. A visual example can be seen below:

Notice how all we did was switch the orange-white and green-white wires, and then the orange and green wires. This will enable like devices to communicate. Crossover cables are typically used in the following situations:

Use a crossover cable when:

* 1. Connecting a computer to a router

* 2. Connecting a computer to a computer

* 3. Connecting a router to a router

* 4. Connecting a switch to a switch

* 5. Connecting a hub to a hub

While the rule of thumb is to use crossover cables with like devices, some devices do not follow standards. Others provide support for both types of cables. However, there is still something that both crossover and straight-through cables can’t do.

Rollover Cables

Rollover cables, like other cabling types, got their name from how they are wired. Rollover cables essentially have one end of the cable wired exactly opposite from the other. This essentially “rolls over” the wires- but why would we need to do such a thing? Rollover cables, also called Yost cables, usually connect a device to a router or switch’s console port. This allows a programmer to make a connection to the router or switch, and program it as needed. A visual example can be seen below:

Notice that each wire is simply “rolled over.” These types of cables are generally not used very much, so are usually colored differently from other types of cables.

Router Name # shft+ctrl+6 Break Key
Router Name # write erase To clear all previous configurations
Router Name # reload Reboot the router
Router Name # setup Setup command brings up the configuration dialog box.

Router Show Commands
Router Name # sh ? shows parameters supported by the router
Router Name # sh int shows status of all interfaces
Router Name # sh int s0 shows status of interface you selected, ie: s0, s1, e0, e1, …
Router Name # sh ip int view ip parameters
Router Name # sh ip int brief brief summary of all interfaces and status
Router Name # sh ip route shows networks available to interface and routing table
Router Name # sh proc cpu shows CPU utilization on router
Router Name # sh mem shows memory utilization
Router Name # sh mem big to see the largest blocks of memory
Router Name # sh log to check recent history of router
Router Name # sh version shows summary of hardware and reason for last reload
Router Name # sh diag shows more detailed hardware information
Router Name # sh flash shows IOS file
Router Name # sh run shows running configurations on router ( version 10.3 and above )
Router Name # wr t shows running configurations on router (version 10.3 below/above)
Router Name # sh env all shows current router temps, power supply and general health of router
Router Name # sh env table shows warning levels for shutdown to take place
Router Name # sh startup-config shows saved config in NVRAM
Router Name # sh controllers(int) shows serial line configurations. Make sure a space is used for int. ie: s 0
Router Name # sh cdp neighbor shows directly connected neighbors
Router Name # sh cdp neighbors detail shows detail of directly connected devices: (router, bridge, switch)
Router Name # sh cdp int shows which interfaces are running CDP
Router Name # sh arp shows lan devices and mac address’ ( arp table )
Router Name # sh ip arp shows the arp table in the router
Router Name # sh protocol shows which protocols are configured
Router Name # sh ip protocol shows routing protocol configured and parameters
Router Name # sh ip route isis displays all routes in the route table that originated in ISIS
Router Name # sh isis spf-log displays information on the duration/cause of recent SPF runs
Router Name # sh isis database displays all information known by ISIS
Router Name # sh isis database detail … displays contents of entire LSP (add router info, hr1.lga2.00-00)
Router Name # sh isis topology summary of best path from router to every other router
Router Name # sh ip bgp lists all routes learned from bgp
Router Name # sh ip bgp <route> shows BGP information for that particular route, use w/ sh ip rou
Router Name #sh ip bgp community-list add list # to end of string. Bgp routes that match a given list
Router Name # sh ip bgp filter-list bgp routes that match a given AS path filter list
Router Name # sh ip bgp neigh(address) shows the details on a route in the route table
Router Name # sh ip bgp sum used to view the status of a BGP session
Router Name # sh route-map (name) show the details of a specific route-map
Router Name # sh adjacency detail adjacency table used by CEF. Verify router/device is discovered
Router Name # sh ip cef to view the CEF cache or FIB (forwarding information base) table
Router Name # sh ip cef summary gives an overview of the cef entries
Router Name # sh cef not-cef-switched if CEF is enabled, this will show packets not being CEF switched
Router Name # sh standby displays the information on the operation of HSRP
Router Name # sh standby brief displays a summary of interfaces running HSRP
Router Name # sh standby (interface) displays state of the port, hello intervals, MAC address, config
R# sh mpls traffic-eng tunnels tunnel # displays tunnels between hops in a route masked by MPLS

Router Enable commands

To Enable A Port
·         Router Name# config t
· Router Name# int (+ interface you are designating, token ring must put in ring speed 16 or 4)
· Router Name# ip address _._._._ (mask)
· Router Name# no shut

To Disable A Port
·         Router Name# int (interface or port)
·         Router Name# shut

To Enable A Protocol

Different protocols will have different instructions below is a generic example:
·         Router Name# config t
·         Router Name# router (protocol type + any extensions needed in instructions)
·         Router Name# network (+ IP address)

To Disable A Protocol
·         Router Name# config t
·         Router Name# no router (+ protocol type)

To Change Router Name
·        Router Name# config t
·         Router Name# hostname Jim (global command)
·         Router Name# ctrl z

From Config T settings:
·         Router Name# ctrl z (to save settings and execute the command)
·         Router Name# ctrl c (starts over, abort)
·         Router Name# write mem (saves everything to NV Ram)
·         Router Name# write t (shows running configurations, also can use show run)
·         Router Name# telnet (to telnet into another router)
·         Router Name# ip host name (name & address – To Build Host Table – Global Command)
·         Router Name# no host (to remove a host name)

* On a 4000 series router you must specify what type of media is being used:
·         Router Name# config t
·         Router Name# int (+ interface you plan to configure, ie: e0, s0, … screen changes, major command)
·         Router Name# media-type 10baseT (or whichever media is being used, sub command)

To Enable RIP
·         Router Name# config t
·         Router Name# router rip
·         Router Name# network (+ network address, ie: 150.111.0.0 )
·         Router Name# int (+ interface you plan to configure, ie: e0, s0, … screen changes)
·         Config-if# ip address 150.11.1.1 255.255.255.0 (full statement with subnet mask, sub command)
·         Config-if# no shut (this logically activates the interface, required at every interface configuration)

To Enable SNMP
·         Router Name# config t
·         Router Name# snmp server community public (RO, RW)

To Enable IPX (Novell)
·         Router Name# config t
·         Router Name# ipx routing
·         Router Name# int (+ interface you plan to configure, ie: e0, s0, … screen changes)
·         Router Name# ipx network (ipx address)

Router Name # sh ipx servers –>shows ipx servers on the network

Router Name # sh ipx route –>shows ipx networks seen by the routers

Router Name # sh ipx traffic –>shows ipx related protocols

Router Name # sh ipx int –>view ipx address on an interface

To Enable VTY
·         Router Name# config t enable password cisco enter (global command)
·         Router Name# line vty 0 4
·         Router Name# login
·         Router Name# password cisco

Switch commands
Switch1> ? responds with main help menu
Switch1> hist to view a listing of previous commands used
Switch1> show ? responds with various show commands
Switch1> show ver information about IOS and hardware components
Switch1> show module quick view of status on all modules
Switch1> show port provides general summary of all ports: errors, collisions, speed, duplex
Switch1> show port (#) specific information for a individual port
Switch1> show port status provides single line general summary of all ports
Switch1> show mac (port#) summary information on what has been sent and received on a given port
Switch1> show test (module#) if a module is in failed status, show test will show specifics
Switch1> show log shows history of switch on a per module basis
Switch1> show config shows configurations on switch
Switch1> show system shows uptime and levels of utilization
Switch1> show vlan lists the VLAN’s that are resident on the switch
Switch1> show cam lists the LAN switch transparent bridging table
Switch1> sh cam (mac address)     to locate a single MAC address
Switch1> show cam dynamic lists all dynamically learned MAC addresses
Switch1> show span lists info on a port listening/diagnostics feature (switched port analyzer)
Switch1> show spantree (port#)     allows you to see the spantree status of a specific port
Switch1> show trunk provides a summary of the ports in trunking mode

source: http://www.voyagernet.com/cisco/ROUTERS3.htm

The TCP/IP suite is illustrated here in relation to the OSI model

source: http://www.protocols.com/pbook/tcpip1.htm

]]> http://arunjohn.wordpress.com/2009/10/31/tcp-ip-2/feed/ 0 arunvarughese tcpipmap http://arunjohn.wordpress.com/2009/10/26/maintaining-iis-log-files/ http://arunjohn.wordpress.com/2009/10/26/maintaining-iis-log-files/#comments Mon, 26 Oct 2009 11:56:40 +0000 arunvarughese http://arunjohn.wordpress.com/?p=45 ]]> Many network administrators by now have encountered serious Web server intrusions that have resulted in legal action. Often IIS logs are the primary evidence used to track down Web intruders.

Proving that your log files are credible requires that you provide convincing arguments that they are trustworthy and therefore valid as evidence. You must take measures to protect the accuracy, authenticity, and accessibility of your IIS log files. Below are some tips that should increase the credibility of your IIS logs.

Log File Accuracy

Accuracy means that you can prove that your log file data truly represents the activity on your Web server. Even the smallest inaccuracy can bring into question the validity of the entire set of data. The following steps help ensure that your data is accurate:

Log Everything – Configure your IIS logs to record every available field. While some admins see little value in storing this extra information, every field has some significance in a forensics investigation.

Furthermore, gathering information about Web visitors helps establish that an attack came from a specific computer system or logged in user. For example, suppose a defendant claims a hacker had broken into his computer and installed a backdoor proxy server, then used that backdoor proxy to attack other systems. How do you prove that the traffic came from a specific user’s Web browser or was a proxied attack from someone else? While this cannot always be proven, the more information you collect, the better chance you have of making this case.

Keeping Time – Synchronize your IIS servers to an external time source using the Windows Time service. If you use a domain, the time service will automatically be synchronized to the domain controller. On a standalone server, you can synchronize to an external source by setting the following registry entries:

Key: HKLM\SYSTEM\CurrentControlSet|Services\W32Time\Parameters\
Setting: Type
Type: REG_SZ
Value: NTP

Key: HKLM\SYSTEM\CurrentControlSet|Services\W32Time\Parameters\
Setting: NtpServer
Type: REG_SZ
Value: tock.usno.navy.mil (see http://tycho.usno.navy.mil/ntp.html for a list of public NTP servers.)

Key: HKLM\SYSTEM\CurrentControlSet|Services\W32Time\Parameters\
Setting: Period
Type: REG_SZ
Value: 24 (Indicates times per day to synchronize. A value of 24 synchronizes once every hour, you may need less.)

Another time issue is that IIS records logs using UTC time. This is supposed to help synchronization issues when running servers in multiple time zones. However, Windows calculates UTC time by offsetting the value of the system clock with the system time zone. The only way to be sure the UTC time is correct is to ensure that the local time zone setting is accurate.

One trick is to verify that this is to set IIS to roll over logs using local time. You can later verify the server’s time zone setting by looking at the first entries in the log file. If your server is set at UTC -0600, then the first log entries should appear around 18:00 (00:00 – 06:00 = 18:00). Because UTC doesn’t follow daylight savings, you must also consider the date. For example, UTC – 6:00 will actually be -5:00 half the year.

Use Multiple Sensors – It is hard to disprove a log entry if two separate devices record the same information. By combining logs from several devices, you strengthen the value of each. Firewall logs, IDS logs, and even something as simple as TCPDump can help prove that an IP address hit a specific server at a specific time. See http://www.iissecurity.net/4361.htm for an example of using Snort to supplement IIS logs.

Avoid Missing Logs – One problem with IIS logs is that if the server does not get any hits in a 24-hour period, no log file is created. But when no log file exists, there is no way of knowing if the server got no hits (say it was offline for a day) or if the log file was actually deleted. To avoid this problem, I like to schedule a few hits each day to ensure there is always a log.

To do this,  use Graburl which you can download from http://www.kiraly.com/software/utilities/graburl/

Using the Task Scheduler, and schedule two hits to the Web server: one from localhost and the other from an external host. The command line is :

Graburl.exe www.example.com

The reason for scheduling two hits is that the first from localhost verifies that the server is running and the second verifies that it is visible on the Internet. Further, the second hit also verifies the time synchronization. If the second hit is scheduled to occur at 1:00 AM every day, the corresponding log entry should always occur at 1:00 AM. In general, scheduled requests help prove that the logging mechanism is functioning properly.

If the Web server is powered off for a period of more than 24 hours, no log file will be recorded, but your EventLog will indicate that the server had been powered off. Following these steps, if a log file is missing, it is probably because the file was intentionally deleted.

Log File Authenticity

Log files can be said to be authentic if it can be proven that they have not been modified since they were originally recorded. IIS log files are simple text files that can easily be modified. The file date and time stamps can also easily be modified. In their default state, IIS log files cannot be proven authentic, but by following a few tips you can remedy this.

Move the Logs – To begin ensuring authenticity, move the IIS logs off the Web server. If a server has been compromised, you must consider that the log files too could have been compromised. Move the logs to a master server then move them offline to a tape, CD, or WORM device as quickly as possible.

Signatures, Encryption & Checksums – The only way to be absolutely sure a log file has not been modified is to sign and encrypt the logs using PGP or some other public-key encryption scheme. File signatures are helpful because if a single file is corrupted, it does not invalidate the rest of the logs. You can also use a tool such as Fsum to quickly generate MD5 hashes for the files. Store the signatures and hashes with the logs but also store a secure copy in a separate location.

Note that if you use an automated process for signing log files, you should always follow up with a manual signature by a trusted administrator.

When encrypting files, you should consider what impact that will have on the created, modified, and access dates. You may want to record these dates in a separate location by using a utility such as Fdir.

Work With Copies – When doing any log file analysis, never work with the original files. Make copies before performing any post-processing or log file analysis. Making sure that original logs are never touched helps you establish that they are still authentic and in their original form.

Ensure System Integrity – You should always keep up to date on service packs and hotfixes to ensure that your system files are valid. You should also audit all changes to binary files in your WINNT directory. If an intruder is able to modify system files that record log files, the usability of the log files as evidence suddenly come into question.

Have a Process – Keep in mind that a well-established and documented process can actually help establish authenticity. An established procedure that produces consistent results may help establish that the files are valid and authentic. Furthermore, be sure to have a documented and consistent method for capturing additional evidence (such as using network diagnostic utilities against an attacker’s IP address) because business records created in anticipation of litigation may not always be admissible in court. This is especially true if law enforcement asks you (without proper court orders) to use a tool such as a sniffer on your network to gather additional evidence.

Establishing a process means creating a document that outlines each manual or automated step taken. Furthermore, any scripts you use in log file processing should also contain comments explaining exactly what processing is taking place. The techniques you use in your process should be generally accepted procedures for log file management.

Access Control

Once a log file is created, it is important to prevent the file from being accessed and audit any authorized and unauthorized access. If you properly secure and audit a log file using NTFS permissions, you will have documented evidence to help establish its credibility.

Restrict File Access – A log file needs certain permissions so that IIS is able to write to the file. But after the log is closed, no one should have permissions to modify the file contents. You may want to consider scheduling a command to lock down file permissions and auditing after a log file is closed. Also, when you move log files, be sure that NTFS permissions are set correctly in the new location.

Chain of Custody – As you move log files from the server and later to an offline device, you should keep track of where the file goes. This can be done either through technical or non-technical methods. For example, one client of mine seals their backup tapes and uses a label that can be used to record the physical movement of the tape. Tracking custody of evidence is especially important when retrieving the contents of a backup in a criminal investigation.

source :http://www.securityfocus.com/infocus/1639

1. Finding out bottlenecks.
2. Disk (storage) bottlenecks.
3. CPU and memory bottlenecks.
4. Network bottlenecks.

• 1: top – Process Activity Command

The top program provides a dynamic real-time view of a running system i.e. actual process activity. By default, it displays the most CPU-intensive tasks running on the server and updates the list every five seconds.

Commonly Used Hot Keys

The top command provides several useful hot keys:

Hot Key       Usage
t                 Displays summary information off and on.
m               Displays memory information off and on.
A                Sorts the display by top consumers of various resources.
f                  Enters an interactive configuration screen for top.
o                 Enables you to interactively select the ordering within top.
r                  Issues renice command.
k                 Issues kill command.
z                 Turn on or off color/mono

• 2: vmstat – System Activity, Hardware and System Information

The command vmstat reports information about processes, memory, paging, block IO, traps, and cpu activity

Display Memory Utilization Slabinfo:   # vmstat -m

Get Information About Active / Inactive Memory Pages : # vmstat -a

• 3: w – Find Out Who Is Logged on And What They Are Doing

w command displays information about the users currently on the machine, and their processes.

# w username

• 4: uptime – Tell How Long The System Has Been Running

The uptime command can be used to see how long the server has been running. The current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.

1 can be considered as optimal load value. The load can change from system to system. For a single CPU system 1 – 3 and SMP systems 6-10 load value might be acceptable.

• 5: ps – Displays The Processes

ps command will report a snapshot of the current processes. To select all processes use the -A or -e option:

ps is just like top but provides more information.

To See Threads ( LWP and NLWP)

# ps -AlFH

To See Threads After Processes

# ps -AlLm

Print All Process On The Server

# ps ax
# ps axu

Print A Process Tree

# ps -ejH
# ps axjf
# pstree

Print Security Information

# ps -eo euser,ruser,suser,fuser,f,comm,label
# ps axZ
# ps -eM

See Every Process Running As User Arun

# ps -U arun -u arun u

Set Output In a User-Defined Format

# ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
# ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm
# ps -eopid,tt,user,fname,tmout,f,wchan

Display Only The Process IDs of Lighttpd

# ps -C lighttpd -o pid=
OR
# pgrep lighttpd
OR
# pgrep -u arun php-cgi

Display The Name of PID 55977

# ps -p 55977 -o comm=

Find Out The Top 10 Memory Consuming Process

# ps -auxf | sort -nr -k 4 | head -10

Find Out top 10 CPU Consuming Process

# ps -auxf | sort -nr -k 3 | head -10

• 6: free – Memory Usage

The command free displays the total amount of free and used physical and swap memory in the system, as well as the buffers used by the kernel.

• 7: iostat – Average CPU Load, Disk Activity

The command iostat report Central Processing Unit (CPU) statistics and input/output statistics for devices, partitions and network filesystems (NFS).

• 8: sar – Collect and Report System Activity

The sar command is used to collect, report, and save system activity information. To see network counter, enter:

# sar -n DEV | more

To display the network counters from the 24th:

# sar -n DEV -f /var/log/sa/sa24 | more

You can also display real time usage using sar:

# sar 4 5

• 9: mpstat – Multiprocessor Usage

The mpstat command displays activities for each available processor, processor 0 being the first one. mpstat -P ALL to display average CPU utilization per processor:
# mpstat -P ALL

• 10: pmap – Process Memory Usage

The command pmap report memory map of a process. Use this command to find out causes of memory bottlenecks.
# pmap -d PID
To display process memory information for pid # 47394, enter:
# pmap -d 47394

Sample Outputs:

47394:   /usr/bin/php-cgi
Address           Kbytes Mode  Offset           Device    Mapping
0000000000400000    2584 r-x– 0000000000000000 008:00002 php-cgi
0000000000886000     140 rw— 0000000000286000 008:00002 php-cgi
00000000008a9000      52 rw— 00000000008a9000 000:00000   [ anon ]
0000000000aa8000      76 rw— 00000000002a8000 008:00002 php-cgi
000000000f678000    1980 rw— 000000000f678000 000:00000   [ anon ]
000000314a600000     112 r-x– 0000000000000000 008:00002 ld-2.5.so
000000314a81b000       4 r—- 000000000001b000 008:00002 ld-2.5.so
000000314a81c000       4 rw— 000000000001c000 008:00002 ld-2.5.so
000000314aa00000    1328 r-x– 0000000000000000 008:00002 libc-2.5.so
000000314ab4c000    2048 —– 000000000014c000 008:00002 libc-2.5.so
…..
……
..
00002af8d48fd000       4 rw— 0000000000006000 008:00002 xsl.so
00002af8d490c000      40 r-x– 0000000000000000 008:00002 libnss_files-2.5.so
00002af8d4916000    2044 —– 000000000000a000 008:00002 libnss_files-2.5.so
00002af8d4b15000       4 r—- 0000000000009000 008:00002 libnss_files-2.5.so
00002af8d4b16000       4 rw— 000000000000a000 008:00002 libnss_files-2.5.so
00002af8d4b17000  768000 rw-s- 0000000000000000 000:00009 zero (deleted)
00007fffc95fe000      84 rw— 00007ffffffea000 000:00000   [ stack ]
ffffffffff600000    8192 —– 0000000000000000 000:00000   [ anon ]
mapped: 933712K    writeable/private: 4304K    shared: 768000K

Here ,the last line is very important:

* mapped: 933712K total amount of memory mapped to files
* writeable/private: 4304K the amount of private address space
* shared: 768000K the amount of address space this process is sharing with others

• 11: netstat-Network Statistics

The command netstat displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

• 12:  ss – Socket Statistics

The ss command is used to dump socket statistics. It allows showing information similar to netstat.

• 13: iptraf – Real-time Network Statistics

The iptraf command is interactive colorful IP LAN monitor. It is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. It can provide the following info in easy to read format:

* Network traffic statistics by TCP connection
* IP traffic statistics by network interface
* Network traffic statistics by protocol
* Network traffic statistics by TCP/UDP port and by packet size
* Network traffic statistics by Layer2 address

• 14: tcpdump – Detailed Network Traffic Analysis

The tcpdump is simple command that dump traffic on a network. However, you need good understanding of TCP/IP protocol to utilize this tool. For.e.g to display traffic info about DNS, enter:
# tcpdump -i eth1 ‘udp port 53′

To display all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets, enter:
# tcpdump ‘tcp port 80 and (((ip[2:2] – ((ip[0]&0xf)<<2)) – ((tcp[12]&0xf0)>>2)) != 0)’

To display all FTP session to 202.54.1.5, enter:
# tcpdump -i eth1 ‘dst 202.54.1.5 and (port 21 or 20′

To display all HTTP session to 192.168.1.5:
# tcpdump -ni eth0 ‘dst 192.168.1.5 and tcp and port http’

• 15: strace – System Calls

Trace system calls and signals. This is useful for debugging webserver and other server problems.

• 16: /Proc file system – Various Kernel Statistics

/proc file system provides detailed information about various hardware devices and other Linux kernel information.
Common /proc examples:
# cat /proc/cpuinfo
# cat /proc/meminfo
# cat /proc/zoneinfo
# cat /proc/mounts

• 17: Nagios – Server And Network Monitoring

Nagios is a popular open source computer system and network monitoring application software. You can easily monitor all your hosts, network equipment and services. It can send alert when things go wrong and again when they get better. FAN is “Fully Automated Nagios”. FAN goals are to provide a Nagios installation including most tools provided by the Nagios Community. FAN provides a CDRom image in the standard ISO format, making it easy to easilly install a Nagios server. Added to this, a wide bunch of tools are including to the distribution, in order to improve the user experience around Nagios.

• 18: Cacti – Web-based Monitoring Tool

Cacti is a complete network graphing solution designed to harness the power of RRDTool’s data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices. It can provide data about network, CPU, memory, logged in users, Apache, DNS servers and much more.

• 19: KDE System Guard – Real-time Systems Reporting and Graphing

KSysguard is a network enabled task and system monitor application for KDE desktop. This tool can be run over ssh session. It provides lots of features such as a client/server architecture that enables monitoring of local and remote hosts. The graphical front end uses so-called sensors to retrieve the information it displays. A sensor can return simple values or more complex information like tables. For each type of information, one or more displays are provided. Displays are organized in worksheets that can be saved and loaded independently from each other. So, KSysguard is not only a simple task manager but also a very powerful tool to control large server farms.

• 20: Gnome System Monitor – Real-time Systems Reporting and Graphing

The System Monitor application enables you to display basic system information and monitor system processes, usage of system resources, and file systems. You can also use System Monitor to modify the behavior of your system. Although not as powerful as the KDE System Guard, it provides the basic information which may be useful for new users:

* Displays various basic information about the computer’s hardware and software.
* Linux Kernel version
* GNOME version
* Hardware
* Installed memory
* Processors and speeds
* System Status
* Currently available disk space
* Processes
* Memory and swap space
* Network usage
* File Systems
* Lists all mounted filesystems along with basic information about each.

And a few more tools ..

* nmap - scan your server for open ports.
* lsof - list open files, network connections and much more.
* ntop web based tool – ntop is the best tool to see network usage in a way similar to what top command does for processes i.e. it is network traffic monitoring software. You can see network status, protocol wise distribution of traffic for UDP, TCP, DNS, HTTP and other protocols.
* Conky - Another good monitoring tool for the X Window System. It is highly configurable and is able to monitor many system variables including the status of the CPU, memory, swap space, disk storage, temperatures, processes, network interfaces, battery power, system messages, e-mail inboxes etc.
* GKrellM - It can be used to monitor the status of CPUs, main memory, hard disks, network interfaces, local and remote mailboxes, and many other things.
* vnstat - vnStat is a console-based network traffic monitor. It keeps a log of hourly, daily and monthly network traffic for the selected interface(s).
* htop - htop is an enhanced version of top, the interactive process viewer, which can display the list of processes in a tree form.
* mtr - mtr combines the functionality of the traceroute and ping programs in a single network diagnostic tool.

source : http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html

/etc/aliases – Where the user’s name is matched to a nickname for e-mail.

/etc/fstab – List of devices and their associated mount points. Edit this file to add CD-ROMs, DOS partitions and floppy drives at startup.

/etc/mtab – This changes continuously as the file /proc/mount changes. In other words, when filesystems are mounted and unmounted, the change is immediately reflected in this file.

/etc/mtools.conf - Configuration for all the operations (mkdir, copy, format, etc.) on a DOS-type filesystem.

/etc/motd – Message of the day broadcast to all users at login.

/etc/rc.d/rc.local – Bash script that is executed at the end of the login process. Similar to autoexec.bat in DOS. You can put your own initialization stuff in here if you don’t want to do the full Sys V style init stuff.

/etc/crontab – Lists commands and times to run them for the cron deamon.

/etc/cron.* – There are 4 directories that automatically execute all scripts within the directory at intervals of hour, day, week or month.

/etc/group – Similar to /etc/passwd but for groups rather than users.

/etc/gshadow – Used to hold the group password and group administrator password information for shadow passwords.

/etc/hosts – A list of all known host names and IP addresses on the machine.

/etc/hosts.allow – Man page same as hosts_access. Read by tcpd at least.

/etc/hosts.deny – Man page same as hosts_access. Read by tcpd at least.

/etc/httpd/conf – Paramters for the Apache web server

/etc/inittab – Specifies the run level that the machine should boot into.

/etc/resolv.conf - Defines IP addresses of DNS servers.

/etc/smb.conf - Config file for the SAMBA server. Allows file and print sharing with Microsoft clients.

/etc/passwd – The user database with fields giving the username, real name, home directory, encrypted password and other information about each user.

/etc/printcap – A configuration file for printers.

/etc/rc.d/rc0.d – Contains files used to control run level 0. Usually these files are softlink files.

/etc/rc.d/rc1.d - Contains files to control run level 1. Scripts beginning with an S are for start, K for kill.

/etc/rc.d/rc.sysinit – Init runs this when it starts.

/etc/sysconfig/clock – Used to configure the system clock to Universal or local time and set some other clock parameters.

/etc/sysconfig/i18n – Controls the system font settings.

/etc/sysconfig/init – This file is used to set some terminal characteristics and environment variables.

/etc/sysconfig/keyboard – Used to configure the keyboard.

/etc/sysconfig/network-scripts/ifcfg-interface – Defines a network interface.

/etc/X11/xorg.config – Config file for X11. Here you can setup the mouse, keyboard, monitor and video card.

/proc/cpuinfo – Information about the processor such as its type, make and performance.

/proc/devices – A list of devices configured into the currently running kernel.

/proc/dma – Shows which DMA channels are being used at the moment.

/proc/filesystems – Filesystems that are configured into the kernel. The file used to detect filesystems if the /etc/filesystems does not exist.

/proc/ioports – Shows which I/O ports are in use at the moment.

/proc/interrupts – Shows which interrupts are in use and how many of each there have been.

/proc/kcore – An image of the physical memory of the system.

/proc/kmsg – Messages output by the kernel. These are also routed to syslog.

/proc/ksyms – Symbol table for the kernel.

/proc/loadavg – The load average of the system.

/proc/meminfo – Information about memory usage, both physical and swap.

/proc/modules – Which kernel modules are currently loaded.

/proc/mounts – Contains information on filesystems currently mounted, similar to /etc/mtab

/proc/net – Contains status information about network protocols.

/proc/self – A symbolic link to the process directory of the program that is looking at /proc. When 2 process look at proc, they get different links.

/proc/stat – Various statistics about the system such as the number of page faults since the system was booted.

/proc/uptime – The time the system has been up.

/proc/version – The kernel version.

• Create and start a container

To create and start a container, run the following commands:

[host-node]# vzctl create CTID –ostemplate osname
[host-node]# vzctl set CTID –ipadd a.b.c.d –save
[host-node]# vzctl set CTID –nameserver a.b.c.d –save
[host-node]# vzctl start CTID

Here CTID is the numeric ID for the container; osname is the name of the OS template for the container, and a.b.c.d is the IP address to be assigned to the container.

Example:

[host-node]# vzctl create 101 –ostemplate fedora-core-5-minimal
[host-node]# vzctl set 101 –ipadd 10.1.2.3 –save
[host-node]# vzctl set 101 –nameserver 10.0.2.1 –save
[host-node]# vzctl start 101

Your freshly-created container should be up and running now; you can see its processes:

[host-node]# vzctl exec CTID ps ax

• Enter to and exit from the container

To enter container give the following command:

[host-node]# vzctl enter CTID
entered into container CTID
[container]#

To exit from container, just type exit and press Enter:

[container]# exit
exited from container VEID
[host-node]#

• Stop and destroy the container

To stop container:

[host-node]# vzctl stop CTID
Stopping container …
Container was stopped
Container is unmounted

And to destroy container:

[host-node]# vzctl destroy CTID
Destroying container private area: /vz/private/CTID
Container private area was destroyed

source: http://wiki.openvz.org/Getting_started_with_OpenVZ_live_CD