Channel: How Tos – OliverMarshall.net

How to enable basic ping testing in LibreNMS


In a previous post I looked at how to install LibreNMS, which is easily one of the most straightforward network monitoring tools around. It's easy to use, works out of the box, and is really pretty to look at. In this post I'll look at how to enable ping monitoring of non-SNMP devices.

Update: In a previous revision I stated that you could also enable alerting on services. Currently that doesn't look like it is possible. I'll add that information back here if I can figure it out.

Whilst most devices nowadays provide SNMP management, there are still a ton of devices which either don't support SNMP or which you just don't need to manage. Those devices may still need monitoring though, and a simple alert when a device goes offline is very straightforward to set up.

  1. LibreNMS has no inbuilt ping support, it only supports SNMP-enabled devices, so we're going to make use of the Nagios plugin set to provide additional monitoring. SSH on to your LibreNMS server and let's install the plugins.

    sudo apt-get install nagios-plugins

  2. Once they are installed, you’ll need to enable support for the plugins in LibreNMS.

    sudo emacs /opt/librenms/config.php

  3. Add the following lines to the bottom of your LibreNMS config.php file and save.

    $config['show_services'] = 1;
    $config['nagios_plugins'] = "/usr/lib/nagios/plugins";

  4. Now you just need to ensure that the ICMP Nagios check file is executable by LibreNMS. The command and output should look like this. You need to be able to see the x in the permission string at the start of the line.

    ls /usr/lib/nagios/plugins/check_icmp -l
    -rwsr-xr-x 1 root root 59440 Mar 12 2014 check_icmp

  5. Finally, you need to make sure that the services checks are run. Edit the /etc/cron.d/librenms file and make sure the following line is at the bottom before saving.

    */5 * * * * librenms /opt/librenms/check-services.php >> /dev/null 2>&1

  6. Pop over to your LibreNMS web portal and hit Refresh. You should see a Services menu appear. This is where you will manage all the non-SNMP checks.
  7. Click Add Service to add a new service check.
  8. The Device is the IP of the machine that *does* the check. In our case use your LibreNMS IP address. Set the type to ICMP and enter the IP address to be pinged in the IP Address box. Click Add Service. Note: You *MUST* enter a description, otherwise managing multiple alerts becomes an absolute nightmare.
  9. Click on Services > All Services to see your list of services. You should now see your new ping test there.

The post How to enable basic ping testing in LibreNMS appeared first on Oliver Marshall.


How to view the images a user has viewed using Smoothwall reports and Powershell


Reporting is a key part of any IT position, and nowhere is this more apparent than when it comes to web filtering. Being able to block or filter users' requests is one thing, but reporting on who was blocked, and why, is every bit as important.

This is why this morning I was asked to report on images being viewed by certain users. There was a concern about the content of the images but not the site. The files were hosted on legitimate, unblocked websites, but there was a worry that the images themselves might be counter to some of the policies and agreements we have in place internally.

This was a difficult one to report on. Though our Smoothwall gives you a decent number of reporting options, none of them currently show the images themselves, just the URLs of the images.

So I created the following PowerShell script. This will go through the output of the "Complete user audit trail" report from a Smoothwall and download any pictures mentioned there into a folder with the same name as the report. Then you can easily scroll through the images and look for the ones you need.


  1. Run your "Complete user audit trail" report by logging on to your Smoothwall's web console and clicking on Logs and Reports > Reports > User Reports > Complete User Audit Trail. Enter the Username and click Run Report.
  2. Save the report as a CSV file by clicking CSV in the top right corner of the report screen.
  3. Rename the CSV file after the user so that it's easy to find.
  4. Copy the PowerShell script below into a file in the same directory and call it "Smoothwallquery.ps1".
  5. Run the following command line. The only parameter is -file, which points to the CSV file you just saved. PowerShell needs the .\ prefix to run a script from the current directory.
    .\smoothwallquery.ps1 -file test.user.csv
  6. You should now get a folder named after the user containing the images that were visited during that report period.

The PowerShell script

Here's the PowerShell script. If you have any questions feel free to use the comment section.

# Check command line params
Param (
    [string]$file
)

# Is the -file param used? If not, complain. Also make sure the file exists.
if (-not $file) { Throw "Please provide a CSV filename to parse" }
if (-not (Test-Path $file)) { Throw "CSV file not found: $file" }

# Configure the proxy connection. Invoke-WebRequest uses the process-wide default
# proxy, so that is where the credentials have to be set.
$proxy = [System.Net.WebRequest]::DefaultWebProxy
if ($proxy) { $proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials }

# Import the CSV file
$csv = Import-Csv $file

# Get just the CSV file basename
$csvbase = (Get-Item $file).BaseName

# Create a folder using the name of the file.
New-Item -ErrorAction Ignore -ItemType Directory -Path $csvbase | Out-Null

# Counters: row index (used to keep duplicate filenames apart), successes and failures
$i = 0
$fileswritten = 0
$webfail = 0

# Go through each line in the CSV
$csv | ForEach-Object {

    # Increment our loop counter
    $i++

    if ($_.url -like "*.jpg" -or $_.url -like "*.png" -or $_.url -like "*.gif") {

        # Keep the URL in a named variable: inside catch, $_ is the error record, not the CSV row
        $url = $_.url

        # Get the filename from the URL (the last path segment) for saving the file
        $outputfilename = $url.Split("/")[-1]

        # Output the filename we are working on
        Write-Host $url

        try {
            # Grab the file from the URL and save it. Prepends the index so that we can allow for duplicate filenames.
            Invoke-WebRequest -Uri $url -OutFile "$csvbase\${i}__$outputfilename"
            $fileswritten++
        } catch {
            # If we have an error then display something nice
            Write-Host "Not valid URL/Content Not Found - $url"
            $webfail++
        }
    }
}

# Display some nice finishing info
Write-Host "`n`n"
Write-Host "------------------------------------"
Write-Host "$fileswritten files written to .\$csvbase. There were $webfail errors getting files."


How to install Windows updates with a reboot


Have you ever wanted to install Windows updates with a reboot, rather than a shutdown? By default Windows will only install updates on Shutdown, and rebooting with pending updates just leaves them waiting.

I needed to schedule a number of PCs to install their updates and reboot, without any user being present, so that they were ready and waiting for when the next training session occurred. Luckily I stumbled upon ShutdownWithUpdates by Dennis Babkin. This great utility allows you to issue a shutdown or reboot command from the command prompt, or via a script from your RMM tool, and have all the currently pending updates installed in the process.

The following command line will issue a reboot command and install any pending updates. It’s that simple.

shutdownwithupdates /r /f

I’ve included a download link for ease of use and the instructions are below.

Download ShutdownWithUpdates.zip


DESCRIPTION:
================
Utility that initiates installation of pre-downloaded updates on the Windows system & reboots, or shuts it down. Note that if Windows updates were not downloaded prior to calling this utility, the OS will simply perform the power operation.


Usage: ShutdownWithUpdates [/s | /r | /hs | /g | /a | /?] [/f] [/v] [/nu]
        [/m \\computer] [/t x] [/c "msg"] [/d [p|u:]xx:yy]

  /s    Install updates & shut down computer.
         (Updates must be already downloaded on computer being shut down.)
  /r    Install updates & reboot computer.
         (Updates must be already downloaded on computer being rebooted.)
  /hs   Install updates & initiate hybrid shut-down of computer. (Windows 8)
         (Updates must be already downloaded on computer being shut down.)
  /g    Install updates & reboot computer & restart registered applications.
         (Updates must be already downloaded on computer being rebooted.)
  /abo  Go to advanced boot options menu. (Windows 8)
         (Updates will not be installed.)
  /a    Abort previous shut-down/rebooting.
         (Can be used only during previous time-out period.)
  /?    Show command line help.
  /f    Use forced action.
         WARNING: May result in the loss of unsaved data on target computer!
  /v    Show user confirmation before proceeding.
         (Local computer only. It is shown before time-out is initiated.)
  /nu   Not to install updates.
  /m \\computer    Specify target/remote computer.
  /t x  Set time-out before performing action to x seconds.
         (Valid range is 0-315360000, or 10 yrs, with a default of 0.)
  /c "msg"      Message to be displayed in the interactive shutdown dialog box.
                 (Maximum of 512 characters is allowed.)
  /d [p|u:]xx:yy  Reason for shut-down or rebooting (used for logging):
                   p if action was planned.
                   u if action was user-defined.
                   (If neither p or u is used, assumes unplanned.)
                   xx = major reason number (less than 65536.)
                   yy = minor reason number (greater than 65536.)
                        (Reason numbers can be decimal or hex if begin with 0x)
        For major and minor reason values check "System Shutdown Reason Codes":
         msdn.microsoft.com/en-us/library/windows/desktop/aa376885(v=vs.85).aspx


Exit Codes:
 0      if success.
 -1     if general failure in the module.
 Other  if error, will contain "System Error Code". For details check:
         msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx


Examples:
(1) Install updates and reboot local computer without a delay:
    (Fail if unsaved user data on computer.)

      ShutdownWithUpdates /r

(2) Install updates and shut down local computer after 30 sec delay:
    (Force applications with unsaved data to close & lose data! Show message.)

      ShutdownWithUpdates /s /f /t 30 /c "Forced shut-down in 30 sec!"

(3) Do not install updates and reboot remote computer after a 20 sec delay:
    (Fail if unsaved user data on remote computer.)
    (Specify reason as planned, application issue, installation.)

      ShutdownWithUpdates /r /nu /m \\MYSERVER /t 20 /d p:0x00040000:0x00000002
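The post mentions driving this from an RMM tool, where you only get the exit code back. Here is an added wrapper (my example, not part of the post or of ShutdownWithUpdates itself) that runs the utility against a batch of remote PCs with the switches documented above and turns the exit codes into something readable: 0 is success, -1 a failure inside the tool, and anything else a Windows System Error Code. The computer names and the exe path are made-up placeholders; the /d reason code is the one from example (3) above.

```powershell
# Added example: batch ShutdownWithUpdates runs with exit-code reporting.
# Assumptions: the exe lives at $ExePath, the account running this can issue
# remote shutdowns to each target, and the default computer names are fictional.
param(
    [string[]]$Computers = @('LAB-PC01', 'LAB-PC02'),        # constructed sample names
    [string]$ExePath = 'C:\Tools\ShutdownWithUpdates.exe',  # assumed location
    [int]$Delay = 60,
    [switch]$Force                                           # adds /f: can discard unsaved user data
)

function Convert-ExitCode {
    # Maps the exit codes listed in the utility's help text to a description
    param([int]$Code)
    switch ($Code) {
        0  { 'Success' }
        -1 { 'General failure in the module' }
        default {
            # Anything else is a Win32 system error code; Win32Exception gives its text
            $msg = (New-Object System.ComponentModel.Win32Exception($Code)).Message
            "System error $Code : $msg"
        }
    }
}

function Invoke-UpdateReboot {
    param([string]$Computer)
    # Build one argument string so the /c message keeps its quotes intact
    $argString = "/r /m \\$Computer /t $Delay /c `"Reboot with updates in $Delay seconds`" /d p:0x00040000:0x00000002"
    if ($Force) { $argString += ' /f' }
    $p = Start-Process -FilePath $ExePath -ArgumentList $argString -Wait -PassThru -NoNewWindow
    [pscustomobject]@{
        Computer = $Computer
        ExitCode = $p.ExitCode
        Result   = Convert-ExitCode -Code $p.ExitCode
    }
}

$results = foreach ($c in $Computers) { Invoke-UpdateReboot -Computer $c }
$results | Format-Table -AutoSize

# Record the failures for a later retry instead of re-running everything with /f
$results | Where-Object { $_.ExitCode -ne 0 } |
    Select-Object -ExpandProperty Computer |
    Set-Content "$env:TEMP\update-reboot-failed.txt"
```

Run it without -Force first; a non-zero code on a machine with a logged-on user usually just means an application refused to close, and that PC can be retried at the next quiet window.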



Smoothwalls new safeguarding reports are going to be awesome


Those of you working in the educational sector will know that Smoothwall devices are pretty much ubiquitous, and you'll be familiar with their web filtering and blocking features. Such blocking, along with good reporting, forms the basis of any decent eSafety policy. In the just-released Framlington software update Smoothwall are putting in place the building blocks to take eSafety reporting to the next level.

What’s the problem?

The problem with traditional blocking is that it's a very blunt tool. Simply blocking a site doesn't take into account that some people might need access to it; as a result we tend to end up with fairly complex tiers of rulesets which allow some people access but block others. These can be difficult to manage and can never account for all possible combinations of requirements.

In an ever changing world we increasingly want to educate users about the dangers of some topics, which can be difficult if all sites relating to that topic are blocked.

Smoothwall have the answer

Welcome Smoothwall's Safeguarding reporting. Safeguarding reports aim to take a bigger-picture view of a user's web habits, taking into account what sites they have been visiting and showing an overall risk assessment based on the number of sites they have visited that might breach a policy and what type of sites they are. Reports are broken down into categories including Suicide, Abuse, Radicalisation, Substance Abuse, Bullying, Criminal Activity and Adult Content. Users are assigned a risk level based on the number of sites within a category that they visit.

[Screenshot: Users at risk in a Radicalisation report]

By clicking into a user's name within a report you can see the breakdown of what sites were visited and the category assigned to those sites. This is great stuff so far, as it shows an eSafety officer the habits of a given user, and an indication as to the risk that they are under, without necessarily interfering with the user's web activities. But the real power of these new reports comes when Smoothwall puts it into context for you.

[Screenshot: Each user's site usage and risk assessment is clearly shown]

By clicking on the time and date of a site visit you are shown the chronological history leading up to that breach. That is, you can put that user's risk into context.

A user who was looking at My Little Pony, who then visited a gun site, only to carry on viewing pony related material, is probably not at risk. They probably just clicked on an advert by mistake – I’m not entirely sure which gun-runner would advertise to My Little Pony fans, but you get the idea. However a user who shows a history of viewing gun related sites and images leading up to the time of the breach is clearly wilfully looking online for such material. That person can be introduced to your eSafety or Safeguarding Officer.

[Screenshot: The chronological events leading up to a site breach]


It's a really powerful tool which gives eSafety Officers a great insight into who is doing what and the context behind it. It isn't yet perfect, far from it: it's missing any ability to export reports for offline access or the ability to categorise sites yourself (you are currently dependent on Smoothwall to do it for you). But it gives you an indication as to where Smoothwall are going and why they are so good within the educational sector.



How to assign user permissions in LibreNMS


I've looked at LibreNMS in several other posts over the last few weeks. LibreNMS is a great SNMP-based network monitoring tool with super easy setup and a massive range of notification types. Today I'll look at how to add a user and assign them rights to monitor some devices.

LibreNMS supports a number of user permission levels which I’ve detailed below. We’ll be looking at the Normal User type which provides the most possibilities.

LibreNMS User Types

User type       My description
Normal User     Has no access to any device unless specifically granted in the Permissions section. The user will have read-only access to any device port or billing record assigned to their account.
Global Read     Has read-only access to all devices. Possibly the most commonly used access type.
Administrator   Full admin rights.
Demo User       No idea.

Create a new user

  1. First up, let's create a new user. Click on the cog icon in the top right corner and choose Add User.
  2. Enter the user details. Set the Level drop-down to Normal User. This will prevent the user from seeing any devices unless you specify them in the permissions section later on. Click Add User.
  3. Click on the Settings menu again and choose Edit User. Select your user and click Edit Permissions.
  4. You can now add access rights to individual devices, individual ports, or to billing records. Service checks aren't a current option, but any user, regardless of permissions, will have access to the Services tab as it's read-only by nature.
  5. So if I assign a few devices to Mr Test and then log in using my test account, you can see that Mr Test can only access those few devices.


How to upload a file to Google Drive from the command line


I've been looking at several Linux projects here recently, such as LibreNMS, and you'll need to be sure you are backing them up. I wanted to quickly back up a compressed copy of my LibreNMS install, so I went looking for a super easy way to upload a file to Google Drive, and I found it with gdrive.

gdrive, not to be mistaken for Google Drive itself, is a command line tool by Petter Rasmussen for Linux, Windows and OSX. Just what I needed. It’s proved itself so useful that I can’t imagine how I lived without it.

Linux

  1. SSH on to your Linux box and download the Linux version of gdrive from GitHub. Quote the URL: an unquoted & is a command separator to the shell and would split the URL.
    cd ~
    wget 'https://docs.google.com/uc?id=0B3X9GlR6EmbnWksyTEtCM0VfaFE&export=download'
  2. You should see a file in your home directory called something like uc?id=0B3X9GlR6EmbnWksyTEtCM0VfaFE&export=download. Rename this file to gdrive.
    mv 'uc?id=0B3X9GlR6EmbnWksyTEtCM0VfaFE&export=download' gdrive
  3. Assign this file executable rights.
    chmod +x gdrive
  4. Install the file to your usr folder.
    sudo install gdrive /usr/local/bin/gdrive
  5. You'll need to tell Google Drive to allow this program to connect to your account. To do this, run the gdrive program with any parameter and copy the text it gives you to your browser. Then paste into your SSH window the response code that Google gives you. Run the following.
    gdrive list
  6. YOU ARE DONE! Now you can upload files as required.
    gdrive upload backups.tar.gz

Windows

  1. Download the Windows version of gdrive from GitHub.
  2. Copy the gdrive-windows-x64.exe file to your c:\windows folder.
    copy downloads\gdrive-windows-x64.exe c:\windows
  3. Run gdrive with a parameter to get the Google authentication code and then copy that to a browser window. Paste back the verification code.
  4. Now upload a file. WOOOT!
    gdrive-windows-x64.exe upload c:\test\backup.zip


The ultimate CryptoLocker script


In a previous post I looked at how to use file screening to help block CryptoLocker. File screening is a great feature of Windows Server 2012, but the setup can be a pain. With this in mind, here is a handy script which will make all the configuration changes for you.

Hosted over at GitHub a user called M-Dwyer has posted an awesome script called CryptoBlocker to take care of the entire process for you – from installing File Screening through to adding shares and configuring the file extension restrictions.

I've included a copy below, but I would encourage you to have a read over the readme.md file hosted at GitHub. Just save it as a PowerShell script and then run it on your 2012 server.

# DeployCryptoBlocker.ps1
#
# This script performs the following actions:
# 1) Checks for network shares
# 2) Install File Server Resource Manager (FSRM) if missing
# 3) Creates Batch and PowerShell scripts used by FSRM
# 4) Creates a File Group within FSRM containing malicious extensions to screen on
# 5) Creates a File Screen Template utilising this File Group, with an Event notification and Command notification
#    to run the scripts created in Step 3)
# 6) Creates File Screens utilising this template for each drive containing network shares

################################ Functions ################################

Function PurgeNonAdminDirectoryPermissions([string] $directory)
{
    $acl = Get-Acl $directory

    if ($acl.AreAccessRulesProtected)
    {
        $acl.Access | % { $acl.PurgeAccessRules($_.IdentityReference) }
    }
    else
    {
        $acl.SetAccessRuleProtection($true, $true)
    }

    $ar = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","Allow")
    $acl.AddAccessRule($ar)
    $ar = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","Allow")
    $acl.AddAccessRule($ar)
    Set-Acl -AclObject $acl -Path $directory
}


################################ Functions ################################

# Add to all drives
$drivesContainingShares = Get-WmiObject Win32_Share | Select Name,Path,Type | Where-Object { $_.Type -eq 0 } | Select -ExpandProperty Path | % { "$((Get-Item -ErrorAction SilentlyContinue $_).Root)" } | Select -Unique
if ($drivesContainingShares -eq $null -or $drivesContainingShares.Length -eq 0)
{
    Write-Host "No drives containing shares were found. Exiting.."
    exit
}

Write-Host "The following shares need to be protected: $($drivesContainingShares -Join ",")"

$majorVer = [System.Environment]::OSVersion.Version.Major
$minorVer = [System.Environment]::OSVersion.Version.Minor

Write-Host "Checking File Server Resource Manager.."

Import-Module ServerManager

if ($majorVer -ge 6)
{
    $checkFSRM = Get-WindowsFeature -Name FS-Resource-Manager

    if ($minorVer -ge 2 -and $checkFSRM.Installed -ne "True")
    {
        # Server 2012
        Write-Host "FSRM not found.. Installing (2012).."
        Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
    }
    elseif ($minorVer -ge 1 -and $checkFSRM.Installed -ne "True")
    {
        # Server 2008 R2
        Write-Host "FSRM not found.. Installing (2008 R2).."
        Add-WindowsFeature FS-FileServer, FS-Resource-Manager
    }
    elseif ($checkFSRM.Installed -ne "True")
    {
        # Server 2008
        Write-Host "FSRM not found.. Installing (2008).."
        &servermanagercmd -Install FS-FileServer FS-Resource-Manager
    }
}
else
{
    # Assume Server 2003
    Write-Host "Other version of Windows detected! Quitting.."
    return
}

$fileGroupName = "CryptoBlockerGroup"
$fileTemplateName = "CryptoBlockerTemplate"
$fileScreenName = "CryptoBlockerScreen"

$monitoredExtensions = @(
    "*.cryptotorlocker*",
    "*.encrypted",
    "*.frtrss",
    "*.vault",
    "*want your files back.*",
    "confirmation.key",
    "cryptolocker.*",
    "*decrypt_instruct*",
    "enc_files.txt",
    "*help_decrypt*",
    "help_restore*.*",
    "how to decrypt*",
    "how_to_decrypt*",
    "how_to_recover*",
    "howtodecrypt*",
    "install_tor*.*",
    "last_chance.txt",
    "recovery_file.txt",
    "recovery_key.txt",
    "vault.hta",
    "vault.key",
    "vault.txt",
    "HOW_TO_RECOVER_FILES.*",
    "HELP_YOUR_FILES*",
    "*RECOVER_INSTRUCTIONS*",
    "*.micro",
    "*.locky"
)

$scriptFilename = "C:\FSRMScripts\KillUserSession.ps1"
$batchFilename = "C:\FSRMScripts\KillUserSession.bat"
$eventConfFilename = "$env:Temp\cryptoblocker-eventnotify.txt"
$cmdConfFilename = "$env:Temp\cryptoblocker-cmdnotify.txt"

$scriptConf = @'
param([string] $DomainUser)
Function DenySharePermission ([string] $ShareName, [string] $DomainUser)
{
    $domainUserSplit = $DomainUser.Split("\")
    $trusteeClass = [wmiclass] "ROOT\CIMV2:Win32_Trustee"
    $trustee = $trusteeClass.CreateInstance()
    $trustee.Domain = $domainUserSplit[0]
    $trustee.Name = $domainUserSplit[1]
    $aceClass = [wmiclass] "ROOT\CIMV2:Win32_ACE"
    $ace = $aceClass.CreateInstance()
    $ace.AccessMask = 2032127
    $ace.AceType = 1
    $ace.Trustee = $trustee
    $shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    $sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor | Select -ExpandProperty Descriptor
    $sclass = [wmiclass] "ROOT\CIMV2:Win32_SecurityDescriptor"
    $newsd = $sclass.CreateInstance()
    $newsd.ControlFlags = $sd.ControlFlags
    foreach ($oace in $sd.DACL)
    {
        $newsd.DACL +=  [System.Management.ManagementBaseObject] $oace
    }
    $newsd.DACL += [System.Management.ManagementBaseObject] $ace
    $share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    $setResult = $share.SetSecurityDescriptor($newsd)
    return $setResult.ReturnValue
}
# Let's try altering share permissions..
$Username = $DomainUser.Split("\")[1]
$affectedShares = Get-WmiObject -Class Win32_Share |
                    Select Name, Path, Type |
                    Where { $_.Type -eq 0 }
$affectedShares | % {
    Write-Host "Denying [$DomainUser] access to share [$($_.Name)].."
    DenySharePermission -ShareName $_.Name -DomainUser $DomainUser
}
Write-Host $affectedShares
'@

$batchConf = @"
@echo off
powershell.exe -ExecutionPolicy Bypass -File "$scriptFilename" -DomainUser %1
"@

$scriptDirectory = Split-Path -Parent $scriptFilename
$batchDirectory = Split-Path -Parent $batchFilename

if (-not (Test-Path $scriptDirectory))
{
    Write-Host "Script directory [$scriptDirectory] not found. Creating.."
    New-Item -Path $scriptDirectory -ItemType Directory
}

if (-not (Test-Path $batchDirectory))
{
    Write-Host "Batch directory [$batchDirectory] not found. Creating.."
    New-Item -Path $batchDirectory -ItemType Directory
}

# FSRM stipulates that the command directories/files can only be accessible by SYSTEM or Administrators
# As a result, we lock down permissions for SYSTEM and local admin only
Write-Host "Purging Non-Admin NTFS permissions on script directory [$scriptDirectory].."
PurgeNonAdminDirectoryPermissions($scriptDirectory)
Write-Host "Purging Non-Admin NTFS permissions on batch directory [$batchDirectory].."
PurgeNonAdminDirectoryPermissions($batchDirectory)

Write-Host "Writing defensive PowerShell script to location [$scriptFilename].."
$scriptConf | Out-File -Encoding ASCII $scriptFilename
Write-Host "Writing batch script launcher to location [$batchFilename].."
$batchConf | Out-File -Encoding ASCII $batchFilename

$eventConf = @"
Notification=E
RunLimitInterval=0
EventType=Warning
Message=User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file is in the [Violated File Group] file group, which is not permitted on the server.  An attempt has been made at blocking this user.
"@

$cmdConf = @"
Notification=C
RunLimitInterval=0
Command=$batchFilename
Arguments=[Source Io Owner]
MonitorCommand=Enable
Account=LocalSystem
"@

Write-Host "Writing temporary FSRM Event Viewer configuration to location [$eventConfFilename].."
$eventConf | Out-File $eventConfFilename
Write-Host "Writing temporary FSRM Command configuration to location [$cmdConfFilename].."
$cmdConf | Out-File $cmdConfFilename

Write-Host "Adding/replacing File Group [$fileGroupName] with monitored file [$($monitoredExtensions -Join ",")].."
&filescrn.exe filegroup Delete /Filegroup:$fileGroupName /Quiet
&filescrn.exe Filegroup Add "/Filegroup:$fileGroupName" "/Members:$($monitoredExtensions -Join "|")"

Write-Host "Adding/replacing File Screen Template [$fileTemplateName] with Event Notification [$eventConfFilename] and Command Notification [$cmdConfFilename].."
&filescrn.exe Template Delete /Template:$fileTemplateName /Quiet
&filescrn.exe Template Add "/Template:$fileTemplateName" "/Add-Filegroup:$fileGroupName" "/Add-Notification:E,$eventConfFilename" "/Add-Notification:C,$cmdConfFilename" /Type:Passive

Write-Host "Adding/replacing File Screens.."
$drivesContainingShares | % {
    Write-Host "`tAdding/replacing File Screen for [$_] with Source Template [$fileTemplateName].."
    &filescrn.exe Screen Delete "/Path:$_" /Quiet
    &filescrn.exe Screen Add "/Path:$_" "/SourceTemplate:$fileTemplateName"
}

Write-Host "Removing temporary FSRM Event Viewer configuration file [$eventConfFilename].."
Write-Host "Removing temporary FSRM Command configuration file [$cmdConfFilename].."
Remove-Item $eventConfFilename
Remove-Item $cmdConfFilename
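After running the script it is worth confirming that it actually left the server protected, rather than trusting the filescrn.exe output scrolling past. The following check is my added example, not part of the CryptoBlocker project: it uses the FSRM PowerShell module that ships with Server 2012 and later (Get-FsrmFileGroup, Get-FsrmFileScreenTemplate, Get-FsrmFileScreen) to confirm the file group, template and per-drive screens exist, checks that the script directory is locked down to SYSTEM and Administrators as FSRM requires, and dry-runs the pattern list against a few constructed filenames so you can see what the screen will and won't catch. The names are the script's own defaults; the matching uses PowerShell's -like as an approximation of FSRM's wildcard matching.

```powershell
# Added example: post-deployment verification for DeployCryptoBlocker.ps1.
# Assumes Server 2012+ (FileServerResourceManager module) and the default names
# used by the script above.
$fileGroupName    = 'CryptoBlockerGroup'
$fileTemplateName = 'CryptoBlockerTemplate'
$scriptDirectory  = 'C:\FSRMScripts'

Import-Module FileServerResourceManager -ErrorAction Stop

# 1) File group present and carrying patterns
$group = Get-FsrmFileGroup -Name $fileGroupName -ErrorAction Stop
Write-Host "File group [$fileGroupName] has $($group.IncludePattern.Count) patterns"

# 2) Template present and referencing the group
$template = Get-FsrmFileScreenTemplate -Name $fileTemplateName -ErrorAction Stop
if ($template.IncludeGroup -notcontains $fileGroupName) {
    Write-Warning "Template [$fileTemplateName] does not include [$fileGroupName]"
}

# 3) Every drive root hosting a disk share has a screen built from the template.
#    The script creates the screens as Passive, so expect Active=False here.
$shareRoots = Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 } |
    ForEach-Object { (Get-Item -ErrorAction SilentlyContinue $_.Path).Root.FullName } |
    Where-Object { $_ } | Select-Object -Unique
$screens = Get-FsrmFileScreen
foreach ($root in $shareRoots) {
    $s = $screens | Where-Object { $_.Path.TrimEnd('\') -eq $root.TrimEnd('\') }
    if (-not $s) { Write-Warning "No file screen on [$root]" }
    elseif ($s.Template -ne $fileTemplateName) { Write-Warning "[$root] uses template [$($s.Template)], not [$fileTemplateName]" }
    else { Write-Host "[$root] screened with [$($s.Template)] (Active=$($s.Active))" }
}

# 4) Script directory restricted to SYSTEM and Administrators, as FSRM requires
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
(Get-Acl $scriptDirectory).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
    ForEach-Object { Write-Warning "Unexpected ACE on [$scriptDirectory]: $($_.IdentityReference) $($_.FileSystemRights)" }

# 5) Dry-run the patterns against sample names (constructed here, not real files)
function Test-ScreenedName {
    # Returns the first pattern a filename matches, or $null if the screen would ignore it
    param([string]$Name, [string[]]$Patterns = $group.IncludePattern)
    foreach ($p in $Patterns) { if ($Name -like $p) { return $p } }
    return $null
}
'report.docx', 'HELP_YOUR_FILES.html', 'quarterly.locky', 'confirmation.key' |
    ForEach-Object { [pscustomobject]@{ Name = $_; MatchedPattern = Test-ScreenedName -Name $_ } } |
    Format-Table -AutoSize
```

If step 3 reports a missing screen for a drive, the usual cause is a share that was created after the script ran; re-running DeployCryptoBlocker.ps1 is enough, since it deletes and re-adds the screens.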



URL modification with Smoothwalls Content Modification feature


Smoothwall's content modification feature can come in really handy if you need to always direct users to certain parts of a website, or change URL parameters on the fly.

Here’s how to set up a content modification rule in Smoothwall Framlington 3 edition.

  1. Firstly, let's enable the advanced features of the Guardian section. Log in to your Smoothwall using an SSH client. Enter the following command to enable the advanced features.
    echo 1 > /modules/guardian3/settings/ui/blocklist/advanced
  2. Next pop to your Smoothwall web interface and go to Guardian > Content Modification > Content Modifications. Name your content mod and click Advanced.
  3. Content mods use regular expressions, so you need to escape any non-text characters with the backslash symbol (\). In this example I'm going to force any visitors to my site to see the malware tag list. Enter the following text into the URL modifications box and then click Save. The structure is always "original-url-string.com"->"new-url-string.com"
    "olivermarshall.net"->"olivermarshall.net\/tag\/malware"
  4. Now click Guardian > Content Modification > Policy Wizard to create a new policy. Walk through each step, creating the policy as required. In Step 4 choose the Apply option and choose your Content Mod definition. Click Confirm.
  5. Now go to Guardian > Content Modification > Manage Policies Wizard. You should see that the policy is enabled and ready to go.
  6. Visit your chosen site with the URL you used in your content mod and you should see that your URL is being modified on the fly. Here I go to "olivermarshall.net" but I'm always shown the posts tagged with malware.



How to disable Google Hangouts


Google Hangouts is a great chat client, easily one of the best when it comes to its awesome group video calls and picture quality. However, as with many things, it's increasingly common to channel users into using an approved chat client in the workplace. To help with this, here's a little guide on how to disable Google Hangouts.

For this you will need to install the Google Chrome Group Policy templates on your AD server.

To block the Hangouts extension for Google Chrome

You’ll need the Extension ID of the Hangouts extension so let’s get that first.

  1. Type the following in to the Chrome address bar.
    chrome://extensions
  2. Tick the Developer tick box at the top of the page.
  3. Find the Hangouts extension and copy the ID shown there.

I've found two IDs so far, nckgahadagoaajjgafhacjanaoiihapd and knipolnnllmklapflnccelgolnpehhpl. I don't know why they aren't the same, so I'm guessing it's version based or something. However, blocking both worked for me reliably.

  4. Create a new group policy called “Disable Hangouts” and apply it to your chosen OU.
  5. Drill down to Computer Settings > Policies > Administrative Templates > Google > Google Chrome > Extensions and double click "Configure Extension installation blacklist". There's also a User based policy option, but I tend to disable everything at the computer level as we have fairly static users.

  6. Enable the policy and click Show to add your IDs. Then click OK several times to get back to the management window.

That's the extension blocked. After applying the GPO to an OU and restarting, your users should find that their Hangouts extension icon has disappeared.
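When the icon doesn't disappear, the quickest way to tell a GPO scoping problem from a Chrome problem is to look at what the policy actually wrote on the client. Chrome reads the "Configure Extension installation blacklist" setting from the registry under Software\Policies\Google\Chrome, in HKLM for the Computer Configuration version and HKCU for the User version (newer policy templates name the key ExtensionInstallBlocklist, so both spellings are checked). The script below is my added example, not from the original post; it lists the IDs the policy delivered and reports whether the two Hangouts IDs above are among them.

```powershell
# Added example: verify on a client that the Chrome extension blocklist policy
# has arrived and covers the two Hangouts extension IDs from the post.
$hangoutsIds = @('nckgahadagoaajjgafhacjanaoiihapd', 'knipolnnllmklapflnccelgolnpehhpl')

function Get-ChromeExtensionBlocklist {
    # Returns one object per blocked extension ID found in either hive,
    # under either the old (Blacklist) or newer (Blocklist) key name.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist',
        'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist',
        'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist',
        'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{
                Hive        = $path.Split(':')[0]
                Key         = Split-Path $path -Leaf
                Index       = $valueName
                ExtensionId = [string]$key.GetValue($valueName)
            }
        }
    }
}

function Test-HangoutsBlocked {
    # One row per Hangouts ID with whether the policy lists it (or a '*' catch-all)
    param([string[]]$Ids = $hangoutsIds)
    $listed = @(Get-ChromeExtensionBlocklist | Select-Object -ExpandProperty ExtensionId)
    $blockAll = $listed -contains '*'
    foreach ($id in $Ids) {
        [pscustomobject]@{
            ExtensionId = $id
            Blocked     = ($blockAll -or ($listed -contains $id))
        }
    }
}

Get-ChromeExtensionBlocklist | Format-Table -AutoSize
$status = Test-HangoutsBlocked
$status | Format-Table -AutoSize
if ($status.Blocked -contains $false) {
    Write-Warning 'Policy not applied yet: run gpupdate /force, then re-check; if still missing, look at GPO scope, security filtering or the Chrome ADMX templates'
}
```

Note that the values only show that the policy reached the machine; Chrome still has to be restarted before it enforces a new blocklist, and a '*' entry means everything is blocked unless explicitly allowed elsewhere in the policy.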

Blocking Hangouts in the browser

You will also need to block Hangouts from working in a web browser. To do this just block hangouts.google.com in your web filtering tool (I use a Smoothwall).

This will prevent people visiting the Hangouts website and also disable the Hangouts widget in the GMail web site.



How to decrypt TeslaCrypt ransomware using ESET TeslaCrypt decrypter


Ransomware is almost impossible to remove and, if I’m honest, you’re unlikely to catch a break and get your data back. However things might have just gotten that little bit easier, that is if you find yourself under the cosh of TeslaCrypt because ESET have just made a decryptor.

Let me be clear, this isn’t a magic bullet for any version of ransomware. The makers of TeslaCrypt recently backed out of the ransom business and actually posted the master encryption keys online before leaving Dodge for safer ground. ESET have used these keys to produce their decryptor and the best thing is that it can be run from the command line so that you can easily script-it-up…baby.

How to run TeslaCrypt Decrypter

  1. Download the exe from the ESET knowledgebase page.
  2. Open up a command prompt window as an Administrator and run the exe with a /? parameter for the help options.
    Usage:
    ESETTeslaCryptDecryptor.exe [options] <filename(s) or directory name(s)>
    
    Options:
    /s - Silent mode.
    /f - Forced clean.
    /d - Debug mode.
    /n - Only list files for cleaning (don't clean).
    /h or /? - Show usage.
    /s runs the decrypter in silent mode which makes it ideal for scripting remotely.
    /f forces a clean of any files found to be encrypted without prompting.
    /d runs as debug mode and gives a lot more output than normal.
    /n only lists files for cleaning and doesn’t actually make any changes.

It’s not much right now and, like I said above, it’s only any use if you get caught by the TeslaCrypt bug, but it may be what you need. For real protection you need to have good gateway protection in place and make sure you are also utilising Windows file screening.



Virtualbox VMs won’t boot after taking a snapshot


I’ve been needing to do a lot of work with quick VM testing recently, firing up VMs, running scenarios for clients, and my first port of call is always Oracle’s VirtualBox open source virtualization tool. It’s reliable, free, and ideal for mucking about with virtual machines and giving things a once over.

Until today.

Today I had to create a load of VMs, import some backups, run through some scenarios and see what was likely to happen. I have no idea why, but each time I rebooted after taking a snapshot of a VM the guest failed to boot and VirtualBox gave me a delightful error (quoted below);


Now this was an issue. Each time I booted the VM after a snapshot was taken, the VM wouldn’t fire up and VirtualBox Media Manager showed exclamation marks for that drive and its snapshots.

After a bit of digging and testing with the command line I found that for some reason the snapshots weren’t associated with the original disk. They were there, Media Manager could see them and showed them in the right place, but the snapshot’s uuidParent tag was blank instead of pointing at the main disk image.

So, if you get an error in VirtualBox stating “Parent UUID {00000000-0000-0000-0000-000000000000} of the medium “blah” does not match UUID” then this might be a help.


  1. Add the VirtualBox directory to the system PATH variable as there’s a wealth of great command line tools in there and it’s good to access them easily.
    set path=%path%;C:\Program Files\Oracle\VirtualBox
  2. Get the uuidCreation parameter of your parent virtual hard disk. It’s the uuidCreation line in the output below.
    VBoxManage.exe internalcommands dumphdinfo c:\MyVirtualGuests\MyVirtualDisk.vhd
    
    --- Dumping VD Disk, Images=1
    Dumping VD image "MyVirtualDisk.vhd" (Backend=VHD)
    Header: Geometry PCHS=65535/16/255 LCHS=0/0/0 cbSector=512
    Header: uuidCreation={3d3ebec3-d46c-4686-8754-729d7e8004e7}
    Header: uuidParent={00000000-0000-0000-0000-000000000000}
  3. Get the uuidParent of the snapshot that is mentioned in your error. In my screenshot above the snapshot is catchily called {7cc77399-c4e0-4595-882d-73f81b9c1331}.vhd.
    VBoxManage.exe internalcommands dumphdinfo "{7cc77399-c4e0-4595-882d-73f81b9c1331}.vhd"
    
    --- Dumping VD Disk, Images=1
    Dumping VD image "{7cc77399-c4e0-4595-882d-73f81b9c1331}.vhd" (Backend=VHD)
    Header: Geometry PCHS=65535/16/255 LCHS=0/0/0 cbSector=512
    Header: uuidCreation={7cc77399-c4e0-4595-882d-73f81b9c1331}
    Header: uuidParent={00000000-0000-0000-0000-000000000000}
  4. You can see that the output shows that the uuidParent setting for the {7cc77399-c4e0-4595-882d-73f81b9c1331}.vhd snapshot is blank; it’s been orphaned for some reason. Let’s fix that.
    VBoxManage.exe internalcommands sethdparentuuid "{7cc77399-c4e0-4595-882d-73f81b9c1331}.vhd" {3d3ebec3-d46c-4686-8754-729d7e8004e7}
    
    UUID changed to: 3d3ebec3-d46c-4686-8754-729d7e8004e7
  5. Now you can either restart VirtualBox and start your VM again or you can click on File > Virtual Media Manager and then click on your disk and click Refresh.
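As an added example, not from the original post, here is a small Python script that parses dumphdinfo output, classifies each snapshot against the base disk (orphaned, ok, or pointing at the wrong parent) and builds the sethdparentuuid command for any orphan. The two sample outputs are the dumps quoted in the steps above, embedded as constructed strings; the real VBoxManage is only run when you pass image paths on the command line.

```python
import re
import subprocess
import sys

NULL_UUID = "{00000000-0000-0000-0000-000000000000}"
UUID_RE = r"(\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\})"

# Constructed sample input: the two dumphdinfo outputs quoted in the steps above.
BASE_DUMP = """--- Dumping VD Disk, Images=1
Dumping VD image "MyVirtualDisk.vhd" (Backend=VHD)
Header: Geometry PCHS=65535/16/255 LCHS=0/0/0 cbSector=512
Header: uuidCreation={3d3ebec3-d46c-4686-8754-729d7e8004e7}
Header: uuidParent={00000000-0000-0000-0000-000000000000}
"""
SNAPSHOT_DUMP = """--- Dumping VD Disk, Images=1
Dumping VD image "{7cc77399-c4e0-4595-882d-73f81b9c1331}.vhd" (Backend=VHD)
Header: Geometry PCHS=65535/16/255 LCHS=0/0/0 cbSector=512
Header: uuidCreation={7cc77399-c4e0-4595-882d-73f81b9c1331}
Header: uuidParent={00000000-0000-0000-0000-000000000000}
"""


def parse_dumphdinfo(text):
    """Pull the image name, uuidCreation and uuidParent out of dumphdinfo output."""
    name = re.search(r'^Dumping VD image "([^"]+)"', text, re.M)
    if not name:
        raise ValueError("no 'Dumping VD image' line found")
    info = {"image": name.group(1)}
    for key in ("uuidCreation", "uuidParent"):
        m = re.search(r"^Header: %s=%s" % (key, UUID_RE), text, re.M)
        if not m:
            raise ValueError("missing %s header" % key)
        info[key] = m.group(1).lower()
    return info


def snapshot_status(snapshot, base):
    """Classify a differencing image relative to the base disk it should hang off."""
    if snapshot["uuidParent"] == NULL_UUID:
        return "orphaned"          # the failure mode described in the post
    if snapshot["uuidParent"] == base["uuidCreation"]:
        return "ok"
    return "wrong-parent"          # points at some other image entirely


def repair_command(snapshot, base):
    """Return the VBoxManage command that re-links an orphaned snapshot, or None if not needed."""
    if snapshot_status(snapshot, base) != "orphaned":
        return None
    # Same invocation as in the post; VBoxManage (VBoxManage.exe on Windows) must be on PATH.
    return 'VBoxManage internalcommands sethdparentuuid "%s" %s' % (
        snapshot["image"], base["uuidCreation"])


def dump_real(path):
    """Run the real VBoxManage dumphdinfo on a disk image and parse its output."""
    out = subprocess.run(["VBoxManage", "internalcommands", "dumphdinfo", path],
                         capture_output=True, text=True, check=True)
    return parse_dumphdinfo(out.stdout)


if __name__ == "__main__":
    if len(sys.argv) >= 3:          # usage: script.py base.vhd snapshot1.vhd [snapshot2.vhd ...]
        base = dump_real(sys.argv[1])
        snaps = [dump_real(p) for p in sys.argv[2:]]
    else:                           # no arguments: walk the constructed sample
        base = parse_dumphdinfo(BASE_DUMP)
        snaps = [parse_dumphdinfo(SNAPSHOT_DUMP)]
    for snap in snaps:
        print("%-45s %s" % (snap["image"], snapshot_status(snap, base)))
        cmd = repair_command(snap, base)
        if cmd:
            print("  fix with:", cmd)
```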


How to save the config on a Dlink DWS switch


If you haven’t come across the Dlink range of manageable network switches, it’s worth taking a quick look. For a long time Dlink has been associated with the lower end of the market, a more cost effective solution. However many of their products are packed full of features and provide for a decent experience.

Recently I had to send back a Dlink DWS 3160 switch which featured wifi management. This acted not only as the core switch for the client’s network but also as their WiFi controller, managing about 10 or more DWL-2600AP access points. For a small network, it handles this role very well. Unfortunately the client hadn’t taken the onsite warranty option and so the whole thing had to go back to replace a faulty fan. The fans are covered by a decent 5 year warranty, luckily.

Now, before sending it off I wanted to grab a copy of the configuration, in case we received back a new unit. Here’s where the problems started. The Download Configuration screen kept asking me to open a file. The file dialog that appeared wasn’t the normal Save As box but an Open one, and the Download Page referred to a source file.


Not wanting to wipe the config by mistake I called the Dlink support team and had a chat.

It appears that the configuration screens are worded in such a way that it’s relative to the switch. So if you want to download a config from the switch, the *switch* could be seen to be uploading it to you. So, I wanted the Upload Configuration screen to…errr….download a configuration.



I have no idea who coded those pages but, honestly, why?



How to track marketing emails in Connectwise


Communication with your clients is vital, we all know that, and email communication is still the best way of getting information out to your clients as quickly as possible. You might know that Connectwise can send out emails en masse using its Marketing Manager module but did you know it can also let you track the number of emails that get opened? Here’s a quick guide to show you how to get up and running.

We’re going to be looking at enabling the Emails Opened and Links Clicked elements of the Marketing Campaign module. You can see these if you go to Marketing > Marketing Campaign and then you’ll see the figures on the campaign screen.

Set up the Integration Login in Connectwise

Anything that uses the Connectwise API will require an integration account in order to access your data.

  1. In Connectwise go to System > Setup Tables. Search for Integrator Login.
  2. Click the + icon to create a new login.
  3. Give your login a username and password and make a note of this somewhere safe, you’ll need this each time you create a campaign which you want to track.
  4. Set the access level to All Records.
  5. Tick the Marketing API tick box further down the page.
  6. Save your way back out to the Setup Tables page.

Create the PHP files

We’ll be using the free tool at JoomConnect.com which will present you with a form that needs completing. You’ll then get two files, one to track email opens and one to track links clicked, and also two URLs, one to track email opens and one to track links clicked.

The JoomConnect form which will do the nitty-gritty.

  1. Enter two file names in to the first two text boxes of the form. These will be used to create the PHP files which will be uploaded to your website. Let’s use mywelcomecampaign-clicks and mywelcomecampaign-opens.
  2. Enter the URL where these two PHP files will be found. If you are storing them on the root of your website then you would enter http://www.mywebsite.com
  3. Next enter the Integrator username and password that you created above.
  4. Enter your company name. This has to match the company name which you use on the Connectwise logon screen.
  5. Finally enter your Connectwise server URL. We use the CW cloud servers in the EU so I’ll use that URL here.
  6. Click the Add URL button. You will be prompted for a URL. This is the URL that your email recipients will be sent to when they click on the link in your email. So in our case, I’m going to create an email asking people to click on a link to view our website. My target URL will be http://oakson.co.uk.
  7. Click Save Form to generate the files.
  8. Click on both of the download links. You’ll get two PHP files, one for tracking opens and one for tracking links. Make a note of the two URLs. Again, one is for tracking opens and one is for tracking link clicks.

So now you’ll have the two URLs. Each will point to one of the PHP files which in turn will call the Connectwise API and update your campaign stats, before redirecting your users to their ultimate destination. In the case of the email open PHP file, it will return a 1×1 px image that will be used to track when the user opens the email.

I’m going to send my clients the following email.

Hi

This is an email to say hello. It definitely isn't spam. 

To find out more about us CLICK HERE. 

Love

Me

And to do this I’m going to use the following HTML.

<p>Hi<br />
<br />
This is an email to say hello. It definitely isn't spam.<br />
<br />
To find out more about us <a href="http://www.mywebsite.com/mywelcomecampaign-clicks.php?url=0&crecid=[contactrecordid]&cpid=[campaignrecordid]">CLICK HERE</a>.<br />
<br />
Love<br />
<br />
Me<br />
</p><img alt="" height="1" width="1" src="http://www.mywebsite.com/mywelcomecampaign-opens.php?url=0&crecid=[contactrecordid]&cpid=[campaignrecordid]" />

The Click Here link takes the user to one of our previously created PHP files which in turn updates the campaign in Connectwise and redirects them to the URL we specified. The IMG tag at the end of the email does nothing other than show a blank 1px image. When this is served up to the email client the PHP file that the tag links to will update the campaign in Connectwise and send back the image. However this aspect will only work if the recipient has their email client set to show images.
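As an added example, not part of the post or of the JoomConnect generated files, here is the same two-endpoint mechanism written in Python using only the standard library: the clicks endpoint records the event and redirects only to an entry from the configured target list (which is what the url= index selects), and the opens endpoint records the event and returns a 1x1 GIF. The ConnectWise API call is stood in for by an in-memory event list, and the target URL and record ids are constructed sample values.

```python
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# Constructed stand-in for the list entered via the form's "Add URL" button; the
# email's url=0 parameter is an index into this list, never a free-form address.
ALLOWED_TARGETS = ["http://oakson.co.uk"]

# A 1x1 transparent GIF (43 bytes), the smallest image an email client will render.
TRANSPARENT_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                   b"\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00"
                   b"\x01\x00\x00\x02\x02\x44\x01\x00\x3b")


class CampaignTracker:
    """Stand-in for the two generated PHP files: record the event, then redirect (clicks)
    or serve the pixel (opens). Events go into a list instead of being posted to the
    ConnectWise Marketing API, which this example does not reproduce."""

    def __init__(self, allowed_targets):
        self.allowed_targets = list(allowed_targets)
        self.events = []   # (kind, contact record id, campaign record id)

    def _record(self, kind, params):
        # crecid/cpid are merge fields. If ConnectWise did not substitute them, or the
        # link was edited, they will not be integers: log nothing rather than junk.
        try:
            crecid = int(params.get("crecid", [""])[0])
            cpid = int(params.get("cpid", [""])[0])
        except ValueError:
            return False
        self.events.append((kind, crecid, cpid))
        return True

    def click(self, query_string):
        """-clicks.php equivalent: returns (status, headers, body)."""
        params = parse_qs(query_string)
        try:
            idx = int(params.get("url", [""])[0])
        except ValueError:
            idx = -1
        if not 0 <= idx < len(self.allowed_targets):
            # Refuse rather than redirect wherever the query string asks.
            return 400, {"Content-Type": "text/plain"}, b"unknown target"
        self._record("click", params)
        return 302, {"Location": self.allowed_targets[idx]}, b""

    def open_pixel(self, query_string):
        """-opens.php equivalent: always returns the pixel, whether or not it was recorded."""
        self._record("open", parse_qs(query_string))
        headers = {"Content-Type": "image/gif",
                   "Content-Length": str(len(TRANSPARENT_GIF)),
                   "Cache-Control": "no-store"}   # a cached pixel counts only the first open
        return 200, headers, TRANSPARENT_GIF


def make_app(tracker):
    """Minimal WSGI dispatch for /<name>-clicks.php and /<name>-opens.php."""
    reasons = {200: "OK", 302: "Found", 400: "Bad Request", 404: "Not Found"}

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        query = environ.get("QUERY_STRING", "")
        if path.endswith("-clicks.php"):
            status, headers, body = tracker.click(query)
        elif path.endswith("-opens.php"):
            status, headers, body = tracker.open_pixel(query)
        else:
            status, headers, body = 404, {"Content-Type": "text/plain"}, b"not found"
        start_response("%d %s" % (status, reasons[status]), list(headers.items()))
        return [body]
    return app


if __name__ == "__main__":
    tracker = CampaignTracker(ALLOWED_TARGETS)
    print("serving on http://127.0.0.1:8000/ ; recorded events are in tracker.events")
    make_server("127.0.0.1", 8000, make_app(tracker)).serve_forever()
```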

  1. First off, let’s upload the two PHP files to our website. In the examples I’ve given they need to be accessible on the root of your website (ie www.mywebsite.com/<name of php here>.php). We use Plesk but you can use FTP, Plesk, WordPress, whatever.
  2. So with that done, let’s go to the Marketing Manager and choose our victims…err…I mean targets. Time to pen the email. In this example I’ll copy in the text from my highly artistic marketing email above. Don’t forget to associate the marketing email with a Campaign in the top right corner. It’s the campaign that will be updated when a user clicks the link in the email.
    Our email before the HTML is applied

    And here’s the HTML

  3. Send the email – perhaps to yourself as a test – and click the link.
  4. Once the page loads you can pop back to your Marketing Campaign and you should see that the Links Clicked tab now has entries.


How to perform an upgrade for Capita SIMS using Solus 3


Capita SIMS is a very popular MIS platform found widely within the educational sector. It covers a range of products geared towards the various areas of the educational process that schools would want to focus on, such as taking payments from parents for school activities. As a result of its size, updates are frequent and it’s good to stay on top of them.

Luckily applying the updates couldn’t be easier, particularly if you have the SOLUS update deployment tool installed.

  1. Open up Solus on your SIMS server.
  2. Click on the Check for Updates button to ensure you are seeing the latest updates.
  3. Click on the update that you want to install.
  4. Click on the Download button at the bottom of the screen.
  5. Once the status shows Downloaded against that update you can click the Deploy button to start the update installation.
  6. You can check the Deployment History tab to see the installation status as it plods through its steps.
  7. End users will see a prompt in their SIMS client requiring them to close SIMS and re-open it to complete the client side update.

Job done. If you need to check anything then you should call either your SIMS provider, your LEA or Capita themselves.


How to uninstall Trend Worry Free (with Labtech scripts)


I’ve been looking for a way to easily migrate a Trend Worry Free cloud customer from one reseller to another. Quite often over at Oakson we’ll grab a client from a less-able IT company who also uses Trend. Rather than remove the Trend client only to re-install the exact same client, wouldn’t it be better to be able to just migrate the reseller account used? Turns out you have to uninstall Trend Worry Free and re-install it again.

Although Trend now uses an Installation ID which is generated per end-customer in the Trend Remote Manager portal, I can’t seem to find a way to edit this on the client PC. If you do know whether this can be done, do let me know.

Until I find the answer I’ve been using a script to uninstall Trend and then re-install it again. The un-installation process is below, and I’ve included a link to my Labtech script.

  1. Download the Security Agent Uninstall tool from the Trend website.
  2. Extract to a location on your PC.
  3. Run uninstall.bat to uninstall Trend Worry Free.
  4. Reboot your PC.

Below you’ll find a link for my Labtech script along with a custom uninstall.bat file that I use. This removes any need for user input, making it ideal for use with Labtech. You’ll need to adjust the file location in the script as it’s pointing to our Oakson folders right now. You’ll need to import the XML after extracting the zip.

Click here to download the custom uninstaller zip file

Click here to download the Labtech script

Once you’ve managed to uninstall Trend Worry Free then you can install your MSI using your default scripts or GPOs. I’ve not needed to reboot in between though your mileage may vary.



How to control remote viewing access in Labtech


Labtech, as we know is super powerful. Power, however, like any good super hero will tell you, is useless if you don’t know how to control it. In this post I’ll look at creating a way to prevent unauthorised access to remote machines which also serves as a good introduction to some of the more complex features within Labtech.

One of our clients at Oakson (we provide IT Support in Brighton, don’tcha know) wanted to ensure that no one could access any of their users’ PCs without the user approving it. They wanted this for all machines at several locations as well as the odd workstation at other locations. Welcome to the wonderful world of Custom Fields, Extra Data Fields, Searches and Groups (I think that’s everything).

A few basics

So first up, let’s cover a few basics. The ability to require the end user to approve a connection is found in the Templates section of Labtech. We’ll need to assign that to a group of computers, and assigning things to groups of devices is done by using the Groups function. We’ll need a way to dictate which machine receives our custom template, so we need to look at additional fields (for some reason also called Extra Data Fields in some parts of the UI). EDFs will allow us to have a tick box for each workstation to turn this feature on. Finally, we’ll need to find all the machines that have this tick box set, and this is the job of a Search.

Templates, EDFs, Searches and Groups. Phew. Here’s an amazing diagram showing how it flows together.

Labtech Groups

I think you’ll agree my art classes are paying off.


Extra Data Fields

Let’s start down the road of chaos and create our additional fields, or Extra Data Fields.

  1. Click on the Dashboard icon and go to Config > Configurations > Additional Fields. On the Computers tab complete your details as below. I’ve specified a tab called Oakson. This will create a new tab in the device window with our custom, sorry, additional, sorry, extra data fields on it.
    Make sure you set this to be a check box, we want this to be an absolute. Click Save when you are done.

    Computer level EDF fields

    Then do the same on the Location tab. Note that the field name needs to be different as the Name shown (ie the ‘label’) is also used as the field name. Horrid, but we have no choice. Having a Location level EDF will allow us to turn this feature on for either individual computers *or* entire locations. Again, hit Save when you are done.


    Location level EDF fields

  2. Now we can test that the EDFs are showing. Open up a device and go to Data Tiles > then Extra Data Fields. You should see your named tab. In my example it’s called Oakson (have I mentioned we provide IT Support in Brighton, UK?).

    EDFs on the device screen


    Location level EDF fields

    Open a location and click on Info and choose the name of the tab you created. There you’ll see your EDF.

So that’s the Extra Data Fields created. Dead simple so far. Next up, the Templates.

Templates

In Labtech, templates control a host of device, location or client specific settings. These are things like when the client’s patches will be installed, reboot times, icon branding and the like. In our case templates also manage the settings for Screenconnect and remote access authorisation. Let’s dive in and take a look.

  1. Go to the template node on the left nav bar in Labtech. Click on the Admin node and then right click on Templates and create a new one.
  2. Give it a meaningful name and pop to the Access tab. Set the Remote Access Mode to Ask along with the Screenshot Mode. This will cause the end user to receive a pop-up from Screenconnect requesting their approval for the connection. If a user isn’t there then the connection won’t be successful, so make sure someone is around to approve it.
    Select the access options you want in your new template

    It’s worth noting that there is an “Ask then Deny” option along with an “Ask then Approve” option. These are only applicable when connecting via the legacy VNC option and don’t do anything in Screenconnect.

  3. Once done, hit Save. You are now ready to move on, player 1.

Up next we’ll look at creating the search before finally moving on to creating the group and pulling it all together.

Searches

So we now have our Extra Data Fields which allow us to mark which machines or locations we want to apply the template to. We now need to create a search which will return a list of all the machines that have the EDF field set OR which are in a Location which itself has that EDF set. For added measure, we want to exclude servers from the mix as those beasts rarely have a user sat in front of them.

  1. Click Search on the top, ever-so large, nav bar.
  2. Now we need to define our criteria. Here’s how I set mine up.
    And...and...and....and....

    1. To recreate this, click on the red And in the top left corner and choose Add Group. A new And operator will appear under that. Click that new one and choose Or from the menu.
    2. Underneath the Or operator is a line of blue text in square brackets. Click this and choose Computer > Location > Extra Data Field > Tab Name > Your EDF name.
    3. Click the + next to the Or operator and again click the blue line of text. This time choose Computer > Extra Data Field > Tab Name > Your EDF Name.
    4. Finally click the + next to the And operator and again click the blue text and choose Computer > OS > IsServer and change the green text to False.
  3. With your search criteria created enter a name in the text box at the bottom of the search screen and click Save.
    My fingers hurt from all this typing

  4. You can test this Search by clicking the Search button at the top of screen. If you have any devices or locations with the EDF already set they should show up.

Now, with the search done we can put it all in to a group and go and have a cake.

Groups

And finally we can put it all together. A group allows you to, well, group together computers based on a search criteria and apply a stack of things to them, in this case our template.

  1. Right click the Group node on the left side nav and choose Add Group. You’ll see a new group icon appear called New Group. Double click that.
  2. Give your group a clear name and set the options like they are in my screenshot below.
    The red bits are important. Really really important.

  3. From the Template drop down choose the template you created earlier. Set the priority to 1.
  4. In the AutoJoin Searches section choose your saved search from the Computers drop down. Make sure you tick the Limit to Search checkbox. The Limit to Search option ensures that only computers matching the search results are added to the group and, more importantly, that they will be removed from the group when they no longer match. If you didn’t tick that box, devices would effectively never be removed from the group.

    The group will assign computers based on the search at set intervals. If you want to speed that up and have any devices with your EDF set added to the group right now then click the Preview/Run button and then choose Auto Join Now. This will force the search results to be added to the group, but you can always wait a while. Be patient. A little bit zen.

  5. Hit Save to save the group definition.

Testing it.

You should now be able to see your EDF field in both the Location properties screen and the Device properties. If you tick the EDF on a location, all the workstations in that Location will be added to your group. Alternatively you can tick the EDF on a device only and just that one machine will be added.

If you want to do a test go ahead now. If you don’t want to wait for the scheduled autojoin to kick in then you might need to open your group, click Preview/Run, and then click the AutoJoin Now button to force machines to be added to your group.

I’d love to know how you get on so use the comments to keep in touch.


How to manually configure networking on an AeroHive virtual appliance


AeroHive have some amazing products. Their access points are perhaps some of the best and are easily my favourite to get up and working in a pinch. If you have a need for enterprise level WiFi then really you should have a look.

I’m not such a big fan of their virtual VPN appliance and its implementation. I’ve known professors at Hogwarts to freeze in fear at the notion of having to configure one.

The other day I had to reconfigure the IP settings for one that we inherited over at Oakson and, it having been a while, I couldn’t remember how to start the funky setup script from the horribly limited linux prompt on the VM. But it’s just one command line away, just issue the following command after logging in to your VPN virtual appliance.

wizard start

You should see the following helpful script appear.


Now, someone go fetch Dumbledore, I need to change my Layer 3 configuration.



How to add Office 365 SRV records using WHM


I’ve just spent the day migrating an aging email server to Office 365 for a customer who was worried that all their chickens were in one basket, which of course they were. But I got stumped with the SRV records required for Office 365 as their provider, Vidahost, didn’t allow for the ‘service’ SRV record.

Missing SRV records were holding up the Office 365 set up.

Here’s the solution I found after a bit of poking.

  1. Log in to the WHM cPanel portal and go to the advanced DNS editor.
  2. Create the new SRV records using the information from the screenshots below. The _sip ‘service’ field from Office 365 becomes _sip._tls and goes in the Name field in WHM. The _sipfederationtls service field becomes _sipfederationtls._tcp and goes in the Name field. All other fields are as specified.

    The _sipfederationtls record


    The _sip record

  3. A short wait and Office 365 should be happy. Yay.


How to disable a Wi-Fi card from the command line


This morning we had a need to disable a Wi-Fi card quickly. A user’s laptop was defaulting to using the Wi-Fi adapter rather than their cabled connection and it was causing problems. The Wi-Fi card was flapping about causing problems for their VPN which was geared for the wired connection and….well…you get the picture.

So we knocked together a quick Labtech script using WMIC to disable any Wi-Fi cards on the PC.

Open up a command prompt with administrative privileges and run the following command.

wmic path win32_networkadapter where NetConnectionID="Wi-Fi" call disable

Below you’ll find a link to the same command in the form of a Labtech script.

Download Labtech XML Script


How to install OpenVAS 9 on Ubuntu 16 LTS


OpenVAS 9 is the latest version of the most well-known open source vulnerability scanner. OpenVAS allows easy scanning of networks with support for a number of vulnerability feeds, both commercial and community driven. Version 9 adds to the list of features and, above all, includes a newer interface with a reduced chance of making your eyeballs bleed.

Here’s my rough, but pretty ready, guide on how to install OpenVAS 9 on to Ubuntu 16.04.2 LTS (Long Term Support).

  1. Install Ubuntu 16 LTS in your VM of choice. OpenVAS is processor intensive so the more oompf you can give it the better.
  2. Once it’s ready, update your sources and apply any upgrades to the OS, with a reboot for good measure.
    sudo apt-get update
    sudo apt-get upgrade
    sudo reboot
  3. Install the requirements for OpenVAS 9.
    sudo apt-get install python-software-properties
    sudo apt-get install sqlite3
    sudo apt-get install software-properties-common
  4. Next you’ll need to add the OpenVAS source to your list of apt sources and tell apt to update its uber-database.
    sudo add-apt-repository ppa:mrazavi/openvas
    sudo apt-get update
  5. Now we get serious and get OpenVAS settled in to place.
    sudo apt-get install openvas9
  6. With OpenVAS in place we need to make sure that its feeds are up to date. This is where you go and get a cup of tea as this can take 30 mins or more.
    sudo greenbone-nvt-sync
    sudo greenbone-scapdata-sync
    sudo greenbone-certdata-sync
  7. With the feeds in place let’s just be cautious and restart the scanner and manager services and also rebuild the OpenVAS databases. I’m not sure if this is still needed in v9, but hey-ho, let’s roll with it.
    sudo service openvas-scanner restart
    sudo service openvas-manager restart
    sudo openvasmd --rebuild --progress
  8. The following two lines are needed for PDF reporting. We’ll install the texlive bits and also the font kit. If you are seeing blank PDF reports in OpenVAS 9 then it’s likely you’ve missed the font kit line below.
    sudo apt-get install texlive-latex-extra --no-install-recommends
    sudo apt-get install texlive-fonts-recommended
  9. Install the OpenVAS 9 dev stuff if you need to.
    sudo apt-get install libopenvas9-dev
  10. With OpenVAS now running on your box you just need to allow TCP port 4000 through the firewall. If you haven’t already enabled the firewall then you should, so let’s do that now.
    sudo ufw allow ssh
    sudo ufw allow 4000/tcp
    sudo ufw enable
  11. So, with OpenVAS ready, the firewall suitably firewalled, you can point your browser to https://serverip:4000 and log in with the user admin and password admin.

If you can see anything I might have missed then let me know in the comments section below.
