No to SSLv2 connections and weak ciphers! (Windows)

It is very common to see HTTPS servers still supporting SSLv2 connections and weak ciphers (keys shorter than 112 bits) for backward compatibility. Well, you can’t stop people from using old PCs (I really don’t mind if you buy me a new one… lol)!

However, SSLv2 connections and weak ciphers are a vulnerability in your system, even though attacking them is generally hard (heavy computing resources are required, and local access to a network device may be required).

In Windows, you can disable these protocols through the SCHANNEL settings in the Windows registry, as below:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    Create a DWORD value named “Enabled” and set it to 0

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    Create a DWORD value named “Enabled” and set it to 0

To disable weak ciphers in your web server, change the Windows registry as below:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
    Create a DWORD value named “Enabled” and set it to 0

After this, you must RESTART your server for the registry changes to take effect. You should then no longer see the following findings in your scan:

  • SSL Server Supports Weak Encryption
  • SSL Server Allows Cleartext Encryption
  • SSL Server May Be Forced to Use Weak Encryption
  • SSL Server Allows Anonymous Authentication
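A quick way to verify the registry changes above before the rescan is to export the SCHANNEL key (`reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" schannel.reg`) and audit the export against the list of keys that must be disabled. The Python script below is an added example, not code from the original post: it parses the `.reg` text format, reports each required key as `disabled`, `enabled` or `missing`, and treats a missing key as a finding, because Schannel falls back to its default (enabled) when the `Enabled` value is absent. The sample export embedded in the script is constructed for the example.

```python
"""Audit a SCHANNEL registry export (.reg) for the SSLv2 / weak-cipher keys above."""
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Every key the post says to disable; each must carry a DWORD "Enabled" of 0.
REQUIRED_DISABLED = [
    SCHANNEL + r"\Protocols\PCT 1.0\Server",
    SCHANNEL + r"\Protocols\SSL 2.0\Server",
    SCHANNEL + r"\Ciphers\DES 56/56",
    SCHANNEL + r"\Ciphers\NULL",
    SCHANNEL + r"\Ciphers\RC2 40/128",
    SCHANNEL + r"\Ciphers\RC2 56/128",
    SCHANNEL + r"\Ciphers\RC4 40/128",
    SCHANNEL + r"\Ciphers\RC4 56/128",
    SCHANNEL + r"\Ciphers\RC4 64/128",
]

# Constructed sample export: SSL 2.0, NULL and DES 56/56 are correctly disabled,
# RC4 40/128 is explicitly enabled, and the remaining keys are absent.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:ffffffff
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {key_path(lower): {value_name(lower): int}} for DWORD values in a .reg export.

    Registry paths and value names are case-insensitive, so both are lower-cased.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def audit(text):
    """Classify each required key as 'disabled', 'enabled' or 'missing'."""
    keys = parse_reg(text)
    report = {}
    for path in REQUIRED_DISABLED:
        values = keys.get(path.lower())
        if values is None or "enabled" not in values:
            report[path] = "missing"      # no explicit value: Schannel default (enabled) applies
        elif values["enabled"] == 0:
            report[path] = "disabled"
        else:
            report[path] = "enabled"
    return report


def findings(text):
    """Paths that still need attention, i.e. anything not explicitly disabled."""
    return sorted(p for p, state in audit(text).items() if state != "disabled")


if __name__ == "__main__":
    for path, state in audit(SAMPLE_REG).items():
        print(f"{state:9s} {path[len(SCHANNEL):]}")
```

To run it against a real export, read the file with `encoding="utf-16"`, since `reg export` writes UTF-16 with a byte-order mark, and pass the text to `findings()`; an empty list means every key in the post's list is explicitly disabled.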


PCI Compliance – Disable SSLv2 and Weak Ciphers


Basic Steps to secure your Cisco Switch


Vlan Hopping (Rogue Trunk)
Disable trunking on ports (e.g. gigabitethernet 0/1) which don’t require trunking:
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#switchport mode access

Disable DTP (Dynamic Trunking Protocol) on ports which do require trunking:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate


Vlan Hopping (Double-Tagging)
Change the native VLAN of the trunk to an unused VLAN:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport trunk native vlan 400 <-- VLAN 400 is not used by anyone

STP Manipulation Attack
Enable portfast globally for non-trunking ports (non-trunking ports here means ports not connected to other switches):
Switch(config)#spanning-tree portfast default

Turn on portfast mode on a selected interface (e.g. gigabitethernet 0/1):
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#spanning-tree portfast

Enable BPDU Guard globally on all portfast ports. When one of these ports sees a BPDU frame (used to elect the STP root switch), the frame is ignored and dropped, and the port is placed in the err-disabled state until it is recovered (manually, or by errdisable recovery).
Switch(config)#spanning-tree portfast bpduguard default

Enable Root Guard on a selected port (e.g. gigabitethernet 0/1); the port stops passing traffic when it sees a BPDU superior to the current root, and starts passing traffic again after the superior BPDUs cease.
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# spanning-tree guard root

CAM Table Overflow
Enable port security (this only works on non-trunking ports, aka access ports):
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation [protect|restrict|shutdown]

In the previous example, that port will only learn 132 MAC addresses; any other MAC address will trigger a violation. The violation actions are:
protect: new MAC addresses are ignored and not inserted into the CAM table.
restrict (default): the switch ignores new MAC addresses and sends an SNMP trap or syslog message to the corresponding servers.
shutdown: new MAC addresses are ignored and the network port is shut down until it is manually turned on again.

Instead of remembering 132 MAC addresses, we can set the maximum number of MAC addresses to be learned (e.g. a maximum of 50 addresses are allowed to be learned):
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security violation [protect|restrict|shutdown]

If we want the port to remember only 1 MAC address, there are 2 ways (dynamic/sticky and static):
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation [protect|restrict|shutdown]

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security mac-address 1234.1234.1234
Switch(config-if)# switchport port-security violation [protect|restrict|shutdown]

Configure MAC address aging in the CAM table
Scenario: age out MAC addresses which have been inactive for 100 minutes
Switch(config-if)# switchport port-security aging time 100
Switch(config-if)# switchport port-security aging type inactivity

Scenario: age out MAC addresses after 100 minutes no matter what!
Switch(config-if)# switchport port-security aging time 100
Switch(config-if)# switchport port-security aging type absolute

Check port-security status
Switch#show port-security

Create a SPAN port
Replicate all traffic on a port (e.g. gigabitethernet 0/1) to another port (e.g. gigabitethernet 0/2) for analysis (normally for IDS/IPS); monitor session is configured in global configuration mode:
Switch(config)# monitor session 1 source interface gigabitethernet 0/1
Switch(config)# monitor session 1 destination interface gigabitethernet 0/2 encapsulation replicate

Controlling 3 types of traffic: unicast, multicast and broadcast
Scenario: shut down the port (e.g. gigabitethernet 0/1) if:
a) unicast traffic is more than 99% of the port bandwidth
b) multicast traffic reaches 50 Mbps
c) broadcast traffic reaches 3000 packets per second

Switch(config)# interface gigabitethernet 0/1
Switch(config-if)#storm-control unicast level 99
Switch(config-if)#storm-control multicast level bps 50m
Switch(config-if)#storm-control broadcast level pps 3k
Switch(config-if)#storm-control action shutdown

*The traffic measurements (percentage, bps, pps) can be freely used for unicast, multicast and broadcast.

See this example:
Switch(config-if)#storm-control unicast level bps 50m 30m
Switch(config-if)#storm-control action trap

Meaning: the switch sends an SNMP trap and a syslog message once unicast traffic reaches 50 Mbps, and stops sending them when unicast traffic falls below 30 Mbps.

Switch Security Best Practices

  1. Secure management: use SSH, a dedicated management VLAN, out-of-band access, etc.
  2. Native VLAN: use a dedicated VLAN for trunk ports and avoid VLAN 1 altogether.
  3. User ports: configure them as non-trunking ports.
  4. Port security: control the number of MAC addresses learned on non-trunking ports.
  5. SNMP: limit it to the management VLAN if possible and treat the community string as a superuser password.
  6. STP: use BPDU guard and root guard.
  7. CDP (Cisco Discovery Protocol): use it only if necessary. CDP provides a great deal of information about the device.
  8. Unused ports: disable them and put them in an unused VLAN for extra security.
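The VLAN hopping, STP and port-security sections above each describe a per-port setting, and the best-practice list repeats them as a checklist. The Python script below is an added example, not code from the original post or from Cisco: it parses the interface stanzas of a saved IOS running-config (the one-space indentation of `show running-config` output) and flags trunk ports that still negotiate DTP or keep native VLAN 1, access ports without port-security or with portfast but no BPDU guard, and ports left without an explicit `switchport mode`. The config excerpt embedded in it is constructed for the example, and the rules only cover the commands the post discusses.

```python
"""Audit Cisco IOS interface stanzas against the switch hardening described above."""
import re

# Constructed running-config excerpt: Gi0/1 is a hardened trunk, Gi0/2 a hardened
# access port, Gi0/3 a trunk with DTP and native VLAN 1 left at defaults, and
# Gi0/4 a port with no switchport mode at all.
SAMPLE_CONFIG = """\
!
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 400
 switchport nonegotiate
 spanning-tree guard root
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode trunk
!
interface GigabitEthernet0/4
 description user port, left at defaults
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for every interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces


def global_bpduguard(config):
    """True if BPDU guard is enabled globally for all portfast ports."""
    return "spanning-tree portfast bpduguard default" in config.splitlines()


def audit_interface(lines, bpduguard_global):
    """Return the list of findings for one interface (empty list = compliant)."""
    findings = []

    def has(prefix):
        return any(line.startswith(prefix) for line in lines)

    if has("switchport mode trunk"):
        if not has("switchport nonegotiate"):
            findings.append("DTP negotiation still enabled on trunk (rogue-trunk VLAN hopping)")
        m = next((re.search(r"native vlan (\d+)$", line) for line in lines
                  if "native vlan" in line), None)
        native = int(m.group(1)) if m else 1   # IOS default native VLAN is 1
        if native == 1:
            findings.append("trunk native VLAN is 1 (double-tagging VLAN hopping)")
    elif has("switchport mode access"):
        if not has("switchport port-security"):
            findings.append("access port without port-security (CAM table overflow)")
        if has("spanning-tree portfast") and not (
                bpduguard_global or has("spanning-tree bpduguard enable")):
            findings.append("portfast without BPDU guard (STP manipulation)")
    else:
        findings.append("no explicit switchport mode; DTP may negotiate a trunk")
    return findings


def audit(config):
    """Map every interface in the config to its findings."""
    bpdu = global_bpduguard(config)
    return {name: audit_interface(lines, bpdu)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not problems else "")
        for problem in problems:
            print("   -", problem)
```

Feed it the text of `show running-config` saved from the switch; a port with an empty finding list satisfies every rule in the post, and any port reported under "no explicit switchport mode" is one the best-practice list says to configure as an access port or shut down.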

Change Windows RDP port


By default, Windows listens on port 3389 for RDP (Remote Desktop Protocol), so it has become a favourite target for attackers.

To change the port number, just go to windows registry:

Start -> Run -> regedit

Under the path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp > PortNumber value

Change the PortNumber value (a DWORD, 3389 in decimal) to the number you prefer. The new port must also be allowed through the Windows Firewall, and the change takes effect after the Remote Desktop service is restarted or the machine is rebooted.

How to change the listening port for Remote Desktop


Fedora 10 error with SCSI RAID controller


While installing Fedora 10 on a machine with a SCSI RAID controller, an error may appear while booting, as shown above.

The machine will be stuck there forever, never reaching the Fedora desktop, if the only actions taken are rebooting, swapping disks or removing the RAID setting.

To solve this problem:

Insert the Fedora 10 installation CD and reboot (a forced reboot is fine).

On the GUI page for installation options, select Rescue an Installed System.

Select Do NOT start network devices. Click Continue.

At the bash shell prompt, type:

# chroot /mnt/sysimage

# cd /boot

Back up the existing initial ramdisk image first (optional but recommended).

For example, if the ramdisk image name is initrd-

# mv initrd- initrd-

Create a new initial ramdisk image:

# mkinitrd --with=scsi_wait_scan initrd- `uname -r`
*Note that “--” is a double hyphen without a space; also, `uname -r` is enclosed in grave accents/backticks ( ` ), not single quotes ( ‘ ), so that the running kernel version is substituted.

The ramdisk image filename “initrd-” MUST match the initrd file name in /boot/grub/grub.conf.

Reboot and the problem should be solved (you can expect a working login screen).


  1. Fedora Forum
  2. Linuxtopis: Fedora 10. Beginning the installation.

Does removing the Li-ion battery from a laptop really help its lifespan?

A lot of people think that removing the battery from the laptop while running on AC power will prolong the battery’s lifespan by preventing it from being charged continuously. This idea is simply not right, because most Li-ion batteries have a built-in circuit that cuts off the charge at the full-charge voltage (normally 4.2V) in order to prevent over-charging, which would permanently damage the battery. So if the battery is already fully charged, it won’t be charged further even if you leave it attached to the laptop.

The real reason to remove the battery from the laptop is HEAT! Over time, the battery permanently loses capacity depending on its state of charge and temperature, as shown in the capacity-loss chart referenced in the original post. An idle, fully-charged Li-ion battery at 40 degrees Celsius will lose 15% more capacity than another battery at room temperature.

With a laptop running at 60 degrees Celsius (rarely seen), its attached battery will become useless within a year. In other words, you can choose to keep your battery attached to your laptop all the time, as long as you keep the laptop cool enough (e.g. a bottom cooling pad with fans).

To store a fresh/unused battery, it is recommended to charge it to 40% instead of 100%, to reduce its capacity loss over time.



Failed to open IIS metabase


When IIS is installed after the .NET Framework, the rights for the ASPNET user aren’t configured properly, so IIS won’t handle aspx (asp) files correctly. To solve this, just reset the ASPNET user rights by re-registering ASP.NET with IIS using this command:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -i



Changing Grub boot sequence on dual boot (Win+Linux)

Linux has improved so much that users no longer have to give up the Windows platform when installing Linux on their hard disk, since Linux distributions nowadays usually come with a boot loader that enables dual boot easily (a Linux installation can sometimes take fewer “clicks” than a Windows one).

Ubuntu and Fedora use the Grub boot loader. Sometimes we might accidentally set Linux as the default boot entry, so that an unattended machine boots into Linux automatically and the user has to reboot again and manually select the Windows platform.

To change boot sequence, just edit the configuration at /etc/grub.conf
(“root” privilege is required)

Hereby I use vi as the text editor

vi /etc/grub.conf

In the default parameter, change the number to that of its partition on the hdd, like 0 in the example shown above (hdd 0,0: Windows; hdd 0,1: swap; hdd 0,2: Fedora).

timeout is the waiting time for a selection before the default choice boots automatically; it is set to 5 seconds in the example above.

After changing the default to 0 (previously 2, for the Fedora partition), please restart and it should work!
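Editing the `default` line by hand works, but it is easy to count the entries wrong, and legacy GRUB (the grub.conf format used by Fedora 10) interprets `default=N` as the zero-based index of the `title` entries in the file, so the safe way is to pick the entry by its title. The Python script below is an added example, not code from the original post or from the GRUB project: it lists the `title` entries of a grub.conf, reports the current `default` and `timeout`, and rewrites `default` to point at the single entry whose title matches a given word. The grub.conf embedded in it is constructed for the example, with `VERSION` standing in for a real kernel version string.

```python
"""List legacy GRUB (grub.conf) menu entries and switch the default entry by title."""
import re

# Constructed grub.conf in the layout the post describes: Windows on (hd0,0),
# Fedora on (hd0,2), and Fedora (entry index 1) currently the default.
SAMPLE_GRUB_CONF = """\
default=1
timeout=5
splashimage=(hd0,2)/grub/splash.xpm.gz
hiddenmenu
title Windows
\trootnoverify (hd0,0)
\tchainloader +1
title Fedora (VERSION)
\troot (hd0,2)
\tkernel /vmlinuz-VERSION ro root=LABEL=/ rhgb quiet
\tinitrd /initrd-VERSION.img
"""


def menu_entries(text):
    """Titles in file order; legacy GRUB's default=N is an index into this list."""
    return [line.split(None, 1)[1].strip()
            for line in text.splitlines() if line.startswith("title ")]


def current_default(text):
    """The numeric default entry, or None if unset or not numeric (e.g. default=saved)."""
    m = re.search(r"^default=(\d+)\s*$", text, re.M)
    return int(m.group(1)) if m else None


def timeout_seconds(text):
    """The menu timeout in seconds, or None if no timeout line is present."""
    m = re.search(r"^timeout=(\d+)\s*$", text, re.M)
    return int(m.group(1)) if m else None


def set_default(text, title_substring):
    """Return a new config whose default is the single entry matching title_substring.

    Raises ValueError when zero or several titles match, so the caller never
    ends up pointing default at the wrong entry.
    """
    titles = menu_entries(text)
    matches = [i for i, t in enumerate(titles) if title_substring.lower() in t.lower()]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one entry matching {title_substring!r}, got {len(matches)}")
    new_line = f"default={matches[0]}"
    new_text, count = re.subn(r"^default=.*$", new_line, text, flags=re.M)
    return new_text if count else new_line + "\n" + text   # add the line if it was absent


if __name__ == "__main__":
    for index, title in enumerate(menu_entries(SAMPLE_GRUB_CONF)):
        print(index, title)
    print("default:", current_default(SAMPLE_GRUB_CONF), "timeout:", timeout_seconds(SAMPLE_GRUB_CONF))
    print(set_default(SAMPLE_GRUB_CONF, "windows"))
```

To apply it to a real system, read /etc/grub.conf as root, keep a copy of the original file, and write the string returned by `set_default()` back; the titles themselves are left untouched, so the menu still shows the same entries in the same order.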


