I just upgraded my Netbox server from v2.7.6 to v3.4.8. This is just a record of what I did in case anyone wants to know how I did it.
Since we’re running such an old version of Netbox, we need to do an interim upgrade to v2.11.x before proceeding to v3.x.x. We decided on v2.11.12.
The main idea here is that you export your data, install on a VM, upgrade the app on that VM, then export it out after your upgrades are done. Of course, that is very simplified.
One key here is to take snapshots every time you do something. I started with an Ubuntu 20.04 install, ran an update, then took a snapshot. That’s where the real work starts, and a place to restore to when […]
Earlier today, April 25, 2023, researchers Pedro Umbelino at Bitsight and Marco Lux at Curesec published their discovery of CVE-2023-29552, a new DDoS reflection/amplification attack vector leveraging the SLP protocol. If you are a Cloudflare customer, your services are already protected from this new attack vector.
Service Location Protocol (SLP) is a “service discovery” protocol invented by Sun Microsystems in 1997. Like other service discovery protocols, it was designed to allow devices in a local area network to interact without prior knowledge of each other. SLP is a relatively obsolete protocol and has mostly been supplanted by more modern alternatives like UPnP, mDNS/Zeroconf, and WS-Discovery. Nevertheless, many commercial products still offer support for SLP.
Since SLP has no method for authentication, it should never be exposed to the public Internet. However, Umbelino and Lux have discovered that upwards of 35,000 Internet endpoints have their devices’ SLP service exposed and accessible to anyone. Additionally, they have discovered that the UDP version of this protocol has an amplification factor of up to 2,200x, which is the third largest discovered to date.
Cloudflare expects the prevalence of SLP-based DDoS attacks to rise significantly in the coming weeks as malicious actors learn how to exploit […]
You can configure many firewalls to act as a router (layer-3 firewall) or as a switch bridge (layer-2 firewall). The oft-ignored detail: how does a layer-2 firewall handle ARP (or any layer-2 protocol)?
Unless you want to use static ARP tables, it’s pretty obvious that a layer-2 firewall MUST propagate ARP. It would be ideal if the firewall would also enforce layer-2 security (ARP/DHCP inspection and IPv6 RA guard), but it looks like at least PAN-OS version 11.0 disagrees with that sentiment.
Straight from Layer 2 and Layer 3 Packets over a Virtual Wire:
I’ve encountered two basic philosophies for responding to requests to join a project. One philosophy I’ll describe as “Default Yes”. The argument goes, “If someone brings you a request, say yes! You only grow with challenges and if you say no too much, people will stop asking.” The second philosophy could be called “Default No.” […]
The post Bridging The Gap Between ‘Default Yes’ And ‘Default No’ appeared first on Packet Pushers.