www.linux-noob.com Community Blog List http://www.linux-noob.com/forums/index.php?app=blog Community Blog List Syndication Fri, 27 Aug 2010 12:25:55 +0000 admin@linux-noob.com (www.linux-noob.com) IP.Blog 60 NoobBlog? - Fail2Ban Rocks! Fail2Ban isn't an IDS, it just monitors logfiles and takes action when something is matched.

Let's rewind a moment. On all my servers, I am running logwatch, which comes with most installations (as in: a default install usually includes logwatch) and -- to be frank -- I can't think of reasons NOT to use it. In the past, the only reasons people have given me for not using it are that they didn't know about it, or they didn't know what it was but it was filling up root's mailbox so they disabled it.

My take? If you're not interested in monitoring your own server, then it can't be that important to you. And you shouldn't whinge when someone's rooted it and it's part of a botnet, or spewing out spam. And don't moan when your ISP disconnects you for running a compromised server - they never installed it, YOU did. Take responsibility.

Allrighty, I'll get off my soapbox now.

So, checking logfiles and taking necessary action (reporting intrusion attempts, blocking nefarious IPs generating suspicious activity, etc) became a daily chore. Well, not THAT much of a chore, since the work began to fall off as the server became gradually locked down, but at least I could sleep safely, knowing that the server was protected -- or at least I'd be aware if there was untoward activity.

Since the server runs an IRC network, it used to get port-scanned regularly. To safeguard that, I added the excellent portsentry service: receiving numerous connections from a single IP to different ports above a predefined threshold triggers the addition of an IPtables rule to block any further activity originating from that source. And since logwatch informed me of those attempts, I could provide the IP owners with evidence that someone was running sniffers on their network (or that their servers had become compromised). Hey, any little help here and there helps reduce the botnets and erode the increasing tide of spam, after all.

But portsentry only works by opening a pile of fake ports and awaits connections to them; it cannot use any ports that already have services bound to them -- such as mail/web/ftp and the like -- so someone sniffing Apache for known vulnerabilities wouldn't trigger portsentry. Hmm... back to the drawing board.

I began by rolling my own: I wrote a simple PHP page that compared the incoming HTTP request to a list of known vulnerabilities and responded with an appropriate reply (or inappropriate and downright rude, depending upon how you look at it), then added a Apache rule that rewrote all incoming HTTP attempts to this page. This provided me with a number of benefits: it reduced my error logs (since the request WAS matched) which made for smaller logwatch reports, and enabled me to gather stats upon what kind of vulnerabilities were being targetted. Many similar ones came up: Horde, AWstats, phpmyadmin... all of which served to improve the script I had.. but didn't actually do anything to BLOCK those attempts, just trap them.

Enter Fail2ban. A friend started using it on one of her servers, and once she had it up and running, I used her guide to get it configured and running on one of mine. Essentially it works like (the now-deprecated) logsentry; checks logfiles and takes proactive action once trigger condition(s) are met. Just what the doctor ordered!

So, configuration, then. The config file (jail.conf) is full of examples and handy information; two sub-directories contain pre-defined configs for matching suspicious activity (filter.d) and generic responses (action.d). The documentation suggests enabling one or two and giving it a go.. it really WAS that simple. Well, okay -- it was to me since many of the settings made sense. But I'll show you one or two of my configs:

[apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports[name=w00tw00t]
           mail-whois[name=w00tw00t, dest=root, sender=fail2ban@myserver.org]
logpath  = /var/log/httpd/access_log
maxretry = 3
## -- don't unban
bantime  = -1

## --------- more apache blocks ---------
[apache-sniffers]
enabled  = false
filter   = apache-sniffers
action   = iptables-allports[name=sniffers]
           mail-whois-lines[name=sniffers, dest=root, sender=fail2ban@myserver.org,logpath=/var/log/httpd/access_log]
logpath  = /var/log/httpd/access_log
maxretry = 3
bantime  = -1

[apache-phpmyadmin]
enabled  = true
port     = http,https
filter   = apache-phpmyadmin
action   = iptables-allports[name=phpmyadmin]
           mail-whois-lines[name=phpmyadmin, dest=root, sender=fail2ban@myserver.org, logpath=/var/log/httpd/access_log]
logpath  = /var/log/httpd/access_log
maxretry = 3
bantime  = -1


There are three blocks here, titled with the name in square brackets. Let's look at the first:
  • fail2ban looks in the apache logfile (the logpath entry)
  • A regular expression is in the apache-w00tw00t.conf file (the filter entry), in the filter.d subdirectory,
  • once there are more than three matches (the maxretry setting)...
  • two actions are performed: iptables-allport.conf and mail-whois.conf (the action directive), both located in the action.d directory
  • the bantime says how long the block should be for -- in this case, it's permanent

So, what are the filters? Here's my "apache-w00tw00t.conf" file:

[Definition]

# Option:  failregex
# Notes.:  regex to match the w00tw00t scan messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
## *** examples: ***
##<HOST> - - [29/Apr/2008:22:54:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 326
##89.19.27.114 - - [02/Oct/2009:23:16:25 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 311 "-" "-"
#failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*
## -- amended this to remove DFind\:\).*".* and SANS.test0:)
failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\..*\:\).*".*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT

ignoreregex =


No, I didn't create this from scratch - I copied an existing one (apache-badbots.conf) then amended it. Actually, I cheated - I stole someone else's blog entry, but you can see how it works. However, at this point I need to mention a few things that weren't immediately obvious to me:
1. You can only have one filter entry in the jail.conf per block - but the filter file can actually contain several regular expressions, newline separated.
2. The <HOST> bit in the regular expression is a memory variable - the IP is grabbed into this variable for analysis and reporting later.
3. The ignoreregex bit are subtracted from the "failregex" matches, so useful to whitelist false positives here. Currently, mine is blank.
4. All regular expressions use Python syntax which threw me.

Let's look at that last bit again. I don't know python regular expressions (or how they differ from perl-compatible/posix-compliant), but another blog post told me of the fail2ban-regex utility for testing out your matches. Neat, eh?

So, onto the actions. Unlike the filters, there can be multiple action lines: in my case, the following actions are performed:
  • iptables-allport - adds an IPtables block for ALL ports, essentially runs "iptables -A INPUT -s ThatIPAddress -j DROP"
  • mail-whois - sends an email, but also includes the WHOIS information for that IP address so I can extract the abuse email addres and forward it on.
  • mail-whois-list - as above, but also includes the logfile lines, so evidence can be directly forwarded. I was going to amend one of the files in the action.d directory, only to find someone had beaten me to it!

Just one final tip: some of these scripts in the action.d directory require parameters setting when calling them. That's the bit in the square brackets following the action:

mail-whois-lines[name=phpmyadmin, dest=root, sender=fail2ban@myserver.org, logpath=/var/log/httpd/access_log]


So in this case:
  • The name of the jail is "phpmyadmin" which features in the email notification (I don't know if spaces are permitted here)
  • The destination email is "root" (which gets forwarded off this server via the /etc/aliases file)
  • The sender is.. well, you can work that out, and you can also work out that I've not included my real email address there. By using a specific sender, I can then filter on the "From:" field in mail headers.
  • The logpath tells grep which file to search and pull out matching lines for evidence. For some reason it wouldn't accept the path already set, so needed to be specified again. I noted in action.d/mail-whois-lines.conf that this field is set to "/dev/null", but I think that's intended as a default setting.

Wow. That seems a lot of info up there. But twitter this is not! I hope it helps someone.]]> Sun, 13 Dec 2009 12:29:00 +0000 NoobBlog? - Catching up...
To catch up: I completed the documentation I was writing for course manuals mentioned below, and in the process installed Ubuntu8.10 to trial it out, comparing differences. Many things I quite liked, and there are some deffo improvements over the Fedora ways of doing things. However, there are a few tools I felt lacking, but in the grand scheme of things that was a weak comeback from the Fedora camp - Ubuntu seems vastly superior in many aspects.

Anyway, material was completed to the satisfaction of several that deliver the training course - and in the meantime I learned a great deal about recent developments in the Linux world: the event-driven framework (replaces the inittab and init.d stuff), PolicyKit, EXT4. Still gotta get to grips with SELinux, mind.

In the meantime a shared server of mine running Fedora6 with Ensim control panel is now well and truly buggered. For those not in the know, Ensim embeds itself deeply into the underlying OS to present a web-driven front-end to manage domain-grouped services. For what it offers, I felt it was better (more powerful and feature-richer) than CPanel. A major drawback is that you can't just go yum-updating binaries at will, they need to be Ensim-aware binaries. Fairy snuff, just add the Ensim repos to /etc/yum.repos.d/. Oh wait, that won't work flawlessly, since some binaries clash with RedHat's own. Okay, so let's disable the RH repos. No, that won't do either, since Ensim don't mirror RH packages on their repos, so yum can't resolve dependencies. GAHHHHHHHH! Dependency hell all over again!

Oh, did I forget to mention another major drawback? Yes. When some of the python libraries break, there's buggerall help with trying to get them fixed. No simple yum-erase/yum-install, not even downloading and unpacking an RPM to extract files needed to replace corrupted ones. Our hosting company suggested blatting the server and reinstalling - the Microsoft option - which was a road we walked in the past on another server, in which we used Ensim to make backups per hosted domain then restored those to the fresh server pretty seamlessly (needed a minor tweak here and there). But this time with a broken control panel, no recent site backups exist. We tried some of the Ensim forums and were led to believe that it WAS possible to mend a broken install insitu.. but nobody could provide instructions nor point us to a guide. Feh.

In the end, we decided to build a new server from scratch and ditch any control panel. And, of course, after my recent dalliances with Fedora10 v Ubuntu, I knew which was a better distro.

So why am I sticking to RedHat for my new server, then? (Actually CentOS - but let's not quibble: stroganoff or curry, they're both stews.) Cowardly familiarity is one thing. The other is that my server co-owner had issues with the first distro he tried (CentOS or Fed10 I can't remember - but it wasn't anything Canonical) so settled on Fed9. What's surprising is that he flies a Debian flag on his home boxen... however he's had root-level privs on one of my Mandrake servers for best part of two years and in that time he's proven he can adapt to other distros.

(for the wary: "root-level privs" means he's included in /etc/sudoers. Nobody knows the root pass on that server. Not even me.)

Oh, as for other news: renovating my new home is coming along nicely, but spending time doing small plastering/tiling/filling/sanding/grouting jobs here and there are taking up a LOT of my time.

But you'll hear from me again, soon!]]> Tue, 21 Jul 2009 22:30:00 +0000 NoobBlog? - Fedora 10 experiences - day 2 chkconfig --level 2345 iptables off ensures the chastity belt's lost for good (or at least until I get around to editing the ruleset). However, the same networking issue arises: eth0 is naked! A few attempts at restarting it finally brings it back up again (with warnings) as per before. Hmmm... Google finally uncovers the networking issue: a new parameter NM_CONTROLLED=no prevents the network interface being affected by NetworkManager, which apparently is what the /etc/init.d/network script now calls. Let's change that and try it out later; for the moment I can slip in.

So onto the graphical desktop. I can wobble my windows and rotate the cube when dragging windows, but those other effects seem to be missing. Google uncovers another page showing which packages are required for full wobbliness/wetness/weirdness, and in the end I added the following:

* compiz-0.7.8-4.fc10.i386
* compizconfig-python-0.7.8-1.fc10.i386
* compiz-fusion-0.7.8-2.fc10.i386
* compiz-fusion-extras-0.7.8-2.fc10.i386
* compiz-fusion-extras-gnome-0.7.8-2.fc10.i386
* compiz-fusion-gnome-0.7.8-2.fc10.i386
* compiz-gnome-0.7.8-4.fc10.i386
* compiz-manager-0.6.0-8.fc10.noarch
* gnome-compiz-manager-0.10.4-4.fc10.i386

* fusion-icon
* libcompizconfig-0.7.8-1.fc10.i386

* emerald-0.7.8-1.fc10.i386
* emerald-themes-0.5.2-2.fc8.noarch

Eventually I get an entry in Preferences>Look And Feel showing "CompizConfig Settings Manager". Wahoo! B-B-B-But.. remember that issue with Fed8 not doing those Beryl things that Fed7 did easily? Again, they reveal themselves: I used to be able to rotate the cube with the mouse wheel, but not any longer. Google, the ever wonderful font of knowledge, directed me to a ubuntu forum which suggests using a plugin called "Viewport Mouse Switcher" but it doesn't exist in Fed10.

Also, clicking and dragging on the desktop with the mouse wheel allowed me to tilt and move the cube; now it's CTRL+ALT+mouse button but the windows no longer levitate off the cube ("Raise on rotate", I think). Gotta find those settings. What was also handy was CTRL+ALT+PageDn to "open" the cube out and scroll through the faces before zooming back into one. Another setting I need to find.

I need a cup of tea. More to report later.]]> Fri, 30 Jan 2009 16:14:00 +0000 NoobBlog? - Fedora 10 experiences - day 1
Actually, it runs on Fedora7 kit, so whilst some content in the course manuals is still on the historical side, the majority is still relevant, and I'm able to talk around the new differences and emerging standards that's missed by the book - even to the point of satisfying SuSE, CentOS and RHEL users attending our courses. But the notes definitely DO need a bit of refreshing, as well as adding in recent developments (read: ubuntu stuff).

So, let's look at freshening the fedora stuff to Fed10. So here I am with a new install and some new experiences.

Footnote (or bellynote, due to its position): A bit ago I tried upgrading a Fed7 to 8 box to compare differences. Firstly, I noticed graphical stuff was smoother, GUI tools looking a bit neater. But beryl no longer works. Managed to get compiz working, but some normal Beryl-like behaviour wasn't forthcoming. Other than that, most other apps and services appear similar. Rather than faff about with getting GUI effects sorted, I left it and we continued to run the course on Fed7.

Back to the plot. Well, the install went pretty smoothly - the number of screens have been reduced to almost idiot-proof levels. A progress bar showed me what RPMs were being installed, and I knew I could yum any missing ones later. Once it was over, I rebooted to the HD, getting the "welcome to your new install - please configure it now" and continued on my merry way.

At this stage, I wasn't able to specify any information about proxy servers, so the request to forward hardware specs upstream to Red Hat couldn't be granted. Yes, I'm happy to reconsider, but there's a reason I block outgoing port 80 connections by default, Red Hat. There's a reason I use a proxy server. There should be a facility where I could specify this information, or at least log it for later forwarding.

A quick yum update revealed over 400M of packages to be updated. WHAT? Checking some, I could see several were extraneous stuff I didn't *really* need (games and the like) and others were dependencies. Java libraries weighed in at a hefty 47M, glibc is still as heavy as ever, some perl stuff had a suitably fat entourage, and evolution-help was 40M. Eh? evolution-server is only about 100k. And looking at it, all the other evolution packages were remarkably streamlined. But the help system is 40MEG? Ah, hell - a quick yum -y and head for a bite to eat, let it chug and strain my poor intertubes for a bit.

In the meantime I noticed networking was flicked on DHCP. I ran setup and gave it a static IP and name (JENNA - I'm a Blake's 7 fan), noting that it still found my default gateway and DNS server. Well, it would - my DHCP server gave this info out and the Fed10 box can't magically change its MAC address so it happily picked up an older (if not obsolete) setting. Flicked it over to static, quick /etc/init.d/network reload and... nothing. Eh? Nope, ifconfig still revealed the old IP. Okay then, /etc/init.d/network restart killed lo (loopback) and eth0, brought lo up and... no eth0. Strange. Restart again, and some errors came up (a file already existed?). ifconfig now revealed the existence of eth0, but alas! It was naked. No IP bound. A third attempt finally got a working IP. Relief!

Or was it? Nope. In the network restart, /etc/resolv.conf had lost my domain information, but some comments suggested I put DNS1= and DOMAIN= in my ifcfg-eth0 file (located at /etc/sysconfig/network-scripts/ if you must know). So, a quick edit here and there, and name resolution worked.

So let's try tapping in over ssh (I use PUTTY under Windows). Nada. Jenna responds to pings, but not ssh. Okay, so ICMP foreplay shows that she's certainly attentive, but won't put out. Aha! iptables -L revealed some rulesets; /etc/init.d/iptables stop persuaded her to drop the chastity belt. So far, so good - I'm able to continue. In the meantime, let's drop it from run-level 5 to 3, I don't need a graphical desktop. So a quick init 3 aaaaand... I'm disconnected. Yup, either iptables has reloaded and spared Jenna's blushes, or networking has slammed the door on my face. It's late and I'm tired, so I just power the thing down.]]> Fri, 30 Jan 2009 00:00:00 +0000 the rooster crows - Small Bash Script to Help Record TV 
#!/bin/bash
# recordtv.sh 

HOME=/home/user

if [ -z $1 ] || [ -z $2 ]
then echo "Usage: recordtv 'wait time' 'duration'" "Use h,m,s suffix.  Ex recordtv 10m 1h" 
exit
else
echo "Start recording in $1 for $2"
sleep $1
mplayer /dev/video0 -really-quiet -dumpstream -dumpfile $HOME/recordedtv.out &
sleep $2
killall mplayer
fi
exit


So if I want to start recording a show that starts in 10 minutes that last for 1 hour I can type
~: recordtv 10m 1h
And it does it's thing.

Thanks,
Eric]]> Sat, 10 Jan 2009 17:14:00 +0000 NoobBlog? - Christmas @ Home SWMBO spent our first Christmas in our own home. There was the usual opening of cards, unwrapping of gifts, tucking into a good roast and fine chilled wine over the sounds of Christmas hits from times past (70s/80s) being recycled on yet another "${celebrity}'s Top Xmas Hits" show... but this year was different - it's been a Christmas that I've felt quite settled in some years, since (I believe) being a new homeowner, we've not had the threat of an impending move hovering, Damocles-like. It was indeed a very relaxing time.

Man In Red brought a couple of good comic books: The Boys and Lucifer. Cracking reads, them.

Oh, right - I'd better post something Linuxy. Well, I'm going to take the opportunity to get my server migrated over to CentOS at some point (still running FunkyCoar4) so I started cleaning it down in preparation for the upgrade. Well, I say upgrade, but essentially I'm going to do a fresh build, copy over data, databases and various other mods, as well as configuring services as they were on the old box. I aim to have a cleaner build.

My plan of action is essentially:
+ get a list of packages (RPMs), removing unneeded ones
+ backup of /etc files, as well as any other configs lying around
+ ensure my custom scripts are in /usr/local/bin and /usr/local/sbin (where they SHOULD have been originally!) and TAR up those dirs.
+ TAR up /home (everything else is in mounted LVM slices, not on root disk)

The first was pretty straightforward. A quick rpm -qa | sort > rpm-list.txt gave me a list, and I then ran rpm -qi on each package to learn a bit more about it before deciding to give it the ol' file13 treatment (rpm -e to erase). Some of the packages were obvious ones to keep - apache, postfix, php, mysql - as well as some that provided dependencies (gcc/automake and the like). Of course, I got into dependency hell for a bit and had to backtrack several times before discovering some obscure lil package was a minor requirement for perl or kernel modules, etc. Still, I cleaned out most of the graphical packages and streamlined the base footprint somewhat.

Then I discovered - to my horror - a few non-RPM-installed apps failed to work, one of which was the excellent hellanzb, used for some newsgroup access I frequent. After observing the error messages closely it seemed I'd removed some crucial python packages, but was unsure which were required. All I could do was refer back to my original list (grep -i py rpm-list.txt) and try reinstalling each, retrying hellanzb to see if that particular package reduced the error messages at all (and rpm -e if not). Although I only had 7 or so packages to check it only took the first three before I had success - python-twisted seemed to be the requirement. *phew!*

Moral of the story? Have a planned (organised and structured) approach to your tasks - including a planned backout route. Although I never consciously created the former, my original rpm-list.txt sufficed for this purpose. Saved my bacon well, that did.

Ring in the New Year!

(footnote: seems the blog doesn't like the formatting for lists. Odd...)]]> Fri, 26 Dec 2008 23:23:00 +0000 NoobBlog? - Break the cherry time!
Well, Anyweb's got a blog module plumbed into the linux-noob forums, so I thought I'd take full advantage of it by abusing it as a soapbox mouthpiece. Erm.. I mean, I thought I'd take the plunge into the world of blogdom and post some thoughts.

What *IS* a blog? That is one of the questions surrounding the true purpose of a blog, when in fact blogs have existed pre-internet days. Of course, they weren't web-logs... they were called "columns" in newspapers, or a "comment" as musings from the editor. In some ways, you could argue that The Secret Diary Of Adrian Mole and Bridget Jones' Diary are both book-blogs of a kind, be them written purely for entertainment purposes (and thus being somewhat flexible with the true events that occured) but they're still supposed to be a singular viewpoint for someone else to read and ponder over.

I've seen blogs from developers struggling against some coding challenge, finally posting their proposed solution which has helped me in some of my coding endeavours. I've read blogs from sysadmins who have documented their findings for implementing some new service, for which I have been grateful since I've learned by their mistakes. I've also viewed blogs of people in other industries having a rant against something, for which I either nod smugly in agreement (and feel glad that it isn't just ME that encounters it) or snigger childishly at the author's ill-informed viewpoint, leading them to inaccurate and misleading conclusions. Maybe I'm just voyeuristic in that regard.

So what DO people post, and why? Anyone familiar with facebook/livejournal/deadjournal/myspace will have encountered people wanting to vent their frustrations or just give others a deeper view into their psyche. Maybe to feed off the comments to placate their mood, or to feel they're not alone in their anger. Oh, wait.. that comes back to the prior paragraph, doesn't it? A need to belong, a requirement to feel they're not alone in the way in which they've been (mis)treated?

If you're looking for that kinda of post here, well.. I think you're in the wrong place. Look, this IS a *Linux* forum after all, so expect me to post some geekiness stuff here once in a while, maybe even the majority of the time. And if I descend into spleen-splitting spittle-spraying vent (try saying THAT after a few drinks) then a comment to tell me to chill out, or even a quick tweak from the moderators here and there ought to get me back onto the right track. Can't say no fairer than THAT can I, eh, squire?

So this is my first blog post. How was it for you? Did the earth move? Were you satisfied?

If not, I hope you'll give me the opportunity to right that for you.

Later!]]> Wed, 24 Dec 2008 14:05:00 +0000 <![CDATA[Dark Distorted's Blog - Windows or Linux??]]> Ive tried using different linux distros before in the past but never really stuck with it due to the lack of compatibility with hardware/software at the time. I set up my laptop with a dual WinXp Home /Mandriva 2008 boot using the Grub boot loader. Since i have setup the dual boot i have found myself mainly in Linux.

Its funny how someone has to pay an arm and a leg to setup and use microsoft products and also has to deal with all of the headaches and system errors along with everyone favourite screen ... the "Blue Screen of Death".
]]> Thu, 24 Apr 2008 01:33:32 +0000 the rooster crows - xine engine error fix
So when I try to play a dvd in xine I get these errors.
picture here
Xine Engine Error.
There is no input plugin available to handle "dvd:/"
Maybe MRL syntax is wrong or file/stream source doesn't exist.

The source can't be read.
Maybe you don't have enough rights for this, or source doesn't
contain data (e.g.:not disc in drive ) (/dev/dvd)

So to fix it, I type this into the terminal.

sudo ln -s /dev/scd0 /dev/dvd

There it is I hope this helps someone.
Now the only problem is that this only works until I reboot, then I must do it again.
So if anyone knows how to make this a more permanent fix please let me know.

]]> Tue, 22 Jan 2008 01:54:07 +0000 <![CDATA[Corkster's Blog - My first blog]]> blog blog blog blog Sun, 20 Jan 2008 16:20:01 +0000