errors in PXE boot

For the “new” ESXi 6.5 we need a new automated way of deploying hosts.

We always use PXE and TFTP for our staging.

We had the idea of using UEFI boot, because we are still running on legacy BIOS.

PXE will try to get a DHCP lease on every NIC and point one of them to the PXE server.

This is the TFTP server I used in my home lab: tftpd32.

We network-booted the blade, PXE was launched and it started to install ESXi.

But after a while it threw this error:

error lsu_lsi_.v00 and the Fatal error 19 timeout

Looking into the log of the TFTP server, there is a timeout waiting for an ACK block:

Peer returns ERROR <User aborted the transfer> -> aborting transfer [14/08 14:28:08.025]

Connection received from 127.0.0.1 (server ip filtered) on port 1390 [14/08 14:28:08.025]

Read request for file <EFI/IMAGES/201807_01/scsi_lib.v00>. Mode octet [14/08 14:28:08.025]

Using local port 53074 [14/08 14:28:08.026]

TIMEOUT waiting for Ack block #15  [14/08 14:28:23.029]

The solution I found, although I still don’t really understand it, was to limit the local ports used for TFTP.

I limited the local ports to 53015-5350 and it worked and booted further.

tftpd64 settings:

extra notes

I also noticed that changing the anticipation window can impact the speed of your staging -> read more here

Why you should probably also move to UEFI -> read more here

VMware documentation of how to set up PXE:

  1. Install the TFTP Server
  2. Configure the Auto Deploy and TFTP
  3. Installing ESXi Using PXE

WordPress security basics

If you want to know whether your website is secure, you had better start by attacking it yourself.

For this demo I will mainly be using Kali Linux, which is a great basic pentesting distribution.

Download it here

I run it in VMware Workstation 12, because, you know, VMware.

The vulnerability score (CVE)

When you have this running, start the Metasploit framework and upgrade it to the latest version.

After that, let’s just start with a basic nmap scan; this will test which ports are open and what is running on them. Let’s take a look at this:

Okay, I added a few parameters to check which version is running, and also -F, which makes sure to check the 1000 most used ports.

As you can see, it has 3 of the 1000 most used ports open.

Let’s take a look at whether these are breakable:

Port 22 (ssh) runs OpenSSH 7.2p2 -> google it

Okay, as you can see the first one is quite scary:

It seems OpenSSH before 7.3 does not limit password lengths, so a denial of service is possible if you run OpenBSD or Fedora. I will test it on my server with this script

Next up we have our Apache ports, 80 and 443 -> CVE report
Note: I automatically redirect traffic to HTTPS.

Don’t freak out about the number of CVEs you see; most of them cover specific cases, and anything scored below 7 is either not really relevant or almost nobody can pull it off.


robots.txt

Next up, a hacker will surely look into what is running on your webserver and what they can extract from it.

Let’s first surf to:

https://notabadvmwareblog.com/robots.txt

The robots.txt is a small text file that lets Google and other web crawlers know you don’t want these web pages indexed.

But these are the best pages for hackers to look into; actually, nobody except your IP should be able to access the admin page.


users not allowed on admin page

Note: it could be that you get another IP from your ISP, because nobody wants to pay for a static IP. Using Telenet in Belgium I noticed I kept my IP address for 4 years. But make sure you can still access the VPS to update the IP.

You can let Apache throw a nice 403 Forbidden by creating a .htaccess at the right location:

/var/www/html/wp-admin

Placing it at /var/www/html/ will make your awesome website visible only to you, which is fine too, of course.

root@ubuntu-512mb-testopenvpn:/var/www/html/wp-admin# cat .htaccess
order deny,allow
# Deny all IPs
Deny from all
# This will allow the IP xx.xx.xx.xx -> replace xx with your ip
allow from xx.xx.xx.xx

Note: don’t use “vmware” as your SSH password. If a hacker really wants to break your site they probably can, but you don’t want script kiddies using your VPS for Monero mining.

No need to restart apache2, it will pick the file up by itself; be sure to test it through a proxy.

Satisfying, isn’t it?

Hackers can use IP spoofing to access the page anyway, but it is about making it harder.


locking out

I also like timeouts for bad passwords, because I once hacked a SQL 2012 that seemed perfectly fine with testing 1000+ passwords for SA every minute, making it look like it was designed for brute-force attacks.

For this I use this plugin: Login LockDown.

An IP lockout for 1 hour after every 3 failed tries should do the trick.

Now this was basic security for WordPress 101.


afterthoughts

Things I am already thinking about:

  • We should keep our current version of WordPress hidden using .htaccess
  • MySQL is not showing up in our nmap scan, which means it is not on one of the 1000 most used ports
  • I haven’t used Kali nearly as much as I would like to, but I am already tired

WordPress troubles

Okay, after installing a WAMP stack I noticed the first problems:

My site would go offline with the message:

Error establishing a database connection

When I did something with the site, like installing new plugins, it would suddenly go offline, stay offline for about 10 minutes and come back after a while.

MySQL seemed to have crashed, but starting it would not magically make it work.

The more I logged on and did stuff to fix it, the longer it stayed offline.

The logs are located in /var/log/mysql.

It is wise to just search for the word ERROR:

Initializing buffer pool, total size = 128M
[ERROR] cannot allocate memory for the buffer pool

I was just running out of memory, which is why my own memory-consuming actions made it worse. MySQL would keep trying to restart until it succeeded.

Reading a little more into it, it seems MySQL allocates 128M of RAM for the buffer pool but does not use all of it; you could lower it, but I don’t think that would do any good.

My virtual private server, with 1 vCPU and 512 MB of RAM, is just underpowered.

I now run 2 vCPUs and 2 GB of RAM and have not had a problem since.

As a second thought, I am thinking about scaling my images down to the smallest size possible using some lossy compression.

You also need at least a few high-res images to build your site, I think.

mounting ISO to HPE server - PowerShell

Tested on HPE Gen 8/9: DL360, BL460c, DL580.

If you think you know what you are doing, just read the blue lines and skip my bla bla; otherwise, read on.

First off, it will not work if you have a standard iLO license: the mount command later on will fail. Maybe you can get around this if you write everything in Redfish or similar, but with the iLO cmdlets it will not work.

Most rack servers in our environment have an advanced license.

If you work in a blade environment and you have standard iLO, you will have a job asking for advanced licenses through procurement and the HPE team.

Next up we have the firewall ports. You will have to communicate with the iLO; let’s say the iLO IP is 10.255.10.92, then you will have to open the firewall from the machine where you want to execute the scripts to 10.255.10.92 on ports 443, 17988 and 17990.

Then we have the cmdlets themselves, which should be downloaded from the HPE website:

link-to-hp-cmdlets

Make sure you stay on a supported combination:

2008R2 -> 1.5 (latest release)

Later than 2008R2 -> 2.0 or higher

You will also have to import them, so open PowerShell ISE and type:

Import-Module HPiLOCmdlets

We also need credentials; we do this via AD:

$credentials = Get-Credential

$iloentryip = "10.255.10.92"

$ISOpath = "http://10.255.10.93/superiso.iso"

# this will mount the ISO; -DisableCertificateAuthentication is there because this is our POC and I am lazy

Mount-HPiLOVirtualMedia -Server $iloentryip -Credential $credentials -DisableCertificateAuthentication -Device CDROM -ImageURL $ISOpath

# when you have it mounted you want to connect to it, therefore we have this command to connect the server to the ISO

Set-HPiLOVMStatus -Server $iloentryip -Credential $credentials -VMBootOption CONNECT -Device CDROM -DisableCertificateAuthentication

# set the one-time boot order to the CDROM device

Set-HPiLOOneTimeBootOrder -Server $iloentryip -Credential $credentials -Device CDROM -DisableCertificateAuthentication
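As an added example (not code from the post), the three steps above wrapped in two functions: a pre-flight check for the firewall ports and the ISO URL the post says must work, and a mount routine that stops on the first failed iLO step and only disables certificate checking when asked. It assumes Import-Module HPiLOCmdlets has run, that $credentials, $iloentryip and $ISOpath are set as in the post, and that the cmdlets return objects with STATUS_TYPE/STATUS_MESSAGE fields (Get-HPiLOVMStatus and its field names are assumed from the same module).

```powershell
# Added example (not the post's code); assumes HPiLOCmdlets is imported and $credentials, $iloentryip, $ISOpath are set as in the post.
function Test-IloMountPrerequisites {
    param(
        [Parameter(Mandatory)][string]$IloIp,
        [Parameter(Mandatory)][string]$IsoUrl,
        [int[]]$Ports = @(443, 17988, 17990)   # ports the post says the firewall must allow
    )
    $ok = $true
    # Firewall: each iLO port must accept TCP from the scripting host (Test-NetConnection needs Win8/2012+)
    foreach ($p in $Ports) {
        $tcp = Test-NetConnection -ComputerName $IloIp -Port $p -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP $p to $IloIp is blocked"; $ok = $false }
    }
    # Web server: a HEAD request exposes missing files and MIME-type problems without downloading the ISO
    try {
        $head = Invoke-WebRequest -Uri $IsoUrl -Method Head -UseBasicParsing -ErrorAction Stop
        $type = "$($head.Headers['Content-Type'])"
        if ($type -notmatch 'octet-stream|iso') { Write-Warning "Unexpected Content-Type '$type' for $IsoUrl" }
    } catch {
        Write-Warning "ISO not downloadable from $IsoUrl : $($_.Exception.Message)"; $ok = $false
    }
    return $ok
}

function Mount-IsoAndBootOnce {
    param(
        [Parameter(Mandatory)][string]$IloIp,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$IsoUrl,
        [switch]$SkipCertCheck   # lab only; production iLOs should present a trusted certificate
    )
    $common = @{ Server = $IloIp; Credential = $Credential; ErrorAction = 'Stop' }
    if ($SkipCertCheck) { $common.DisableCertificateAuthentication = $true }
    # The post's three steps. HPiLOCmdlets return STATUS_TYPE 'OK' on success (assumed output
    # format), so a failed step throws instead of being silently ignored.
    $steps = @(
        { Mount-HPiLOVirtualMedia @common -Device CDROM -ImageURL $IsoUrl },
        { Set-HPiLOVMStatus @common -Device CDROM -VMBootOption CONNECT },
        { Set-HPiLOOneTimeBootOrder @common -Device CDROM }
    )
    foreach ($step in $steps) {
        $result = & $step
        if ($result -and $result.STATUS_TYPE -ne 'OK') { throw "iLO step failed: $($result.STATUS_MESSAGE)" }
    }
    # Read the state back (Get-HPiLOVMStatus, same module; field names assumed) before automation continues
    Get-HPiLOVMStatus @common -Device CDROM | Select-Object IMAGE_INSERTED, IMAGE_URL, BOOT_OPTION
}

if (Test-IloMountPrerequisites -IloIp $iloentryip -IsoUrl $ISOpath) {
    Mount-IsoAndBootOnce -IloIp $iloentryip -Credential $credentials -IsoUrl $ISOpath -SkipCertCheck
}
```

Drop -SkipCertCheck once the iLO has a certificate your scripting host trusts; the pre-flight function is also handy on its own when a mount fails and you want to know whether the firewall or the web server is the problem.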

Okay, problems I had doing this:

IIS config:

It does not work with a local drive or anything like that; you have to set up Apache or IIS to host the ISO. This is minor work; after you set it up, test your ISO path in a browser so you know it downloads.

Directory browsing

Setting MIME types (.iso and .img)

Firewall

Server problems -> if it goes through POST with an error, it sometimes does not boot from the ISO -> important for automation

Set the boot mode to UEFI if you are using HPE SW RAID, otherwise you get this POST error:

Caution,73,540,0x000A,POST Message,,,07/06/2018 15:36:00,42: POST Error: 292 – Invalid HPE Software RAID Configuration. HPE B140i SW RAID Mode is NOT supported when the Boot Mode is configured for legacy BIOS Mode. Action: Configure the Boot Mode to UEFI Mode if using HPE SW RAID.

Try to do it manually before you do it with scripts; this will give you a better error message than the CLI does.

If all goes well you should have something like this:

Now you can use it to automate deployment or updating.