C:\ in the browser's address bar. The address will change to file:///C:/, i.e., the word "file" followed by a colon and 3 forward slashes and then the drive letter specified, colon, and forward slash, which conforms to the standard file URI scheme for accessing file-based URLs. You can then navigate to the file you wish to open in the browser. Or, if you know the full path, you can put it in the address bar, e.g., c:\users\jdoe\documents\index.html.
date /t command (the /t option prevents the command from prompting for a change to the date) or by using echo %date% to display the contents of the date environment variable. However, both of those display the date in the form DDD mm/dd/yyyy, where DDD is the day of the week represented by a 3-character abbreviation, e.g., "Sat", mm is a two-digit representation of the month, e.g., "11" for November, dd is the day and yyyy is the year, on the Windows systems I support.
C:\>date /t
Sat 11/22/2014

C:\>echo %date%
Sat 11/22/2014
You can reformat the representation of the date that is stored in the %date% environment variable, however. I wanted the date in the form yyyymmdd, so that I could stick that at the end of filenames to represent the rotation date for a log file. You can use a command like the one below where a variable, YYYYMMDD, is set to hold the reformatted date (the variable name can be anything you like, e.g., mydate, etc., but that name reminds me of the format I'm using for the date).
C:\>set YYYYMMDD=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%

C:\>echo %YYYYMMDD%
20141122
The substring arguments to extract the elements of the date string are in the format %variable:~startposition,numberofchars%, so if the "S" in Saturday in the string "Sat 11/22/2014" is at position 0, the 10th character is the "2" of 2014 and I want 4 characters, i.e., "2014", so %DATE:~10,4% will give me those characters. Or you can also think of the first number as the number of characters to be skipped, i.e., %variable:~num_chars_to_skip,numberofchars%. I can then append %DATE:~4,2% to get "11" for the month followed by %DATE:~7,2% to extract the day, i.e., "22" if the date is November 22, 2014 represented in the %DATE% variable as "Sat 11/22/2014".
reg query command.
C:\>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v LogFilePath

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    LogFilePath    REG_SZ    d:\logs\dns\dns.log
You can reduce the output displayed to just the line containing the log file location by piping the output of the reg query command into the find command.
C:\>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v LogFilePath | find "LogFilePath"
    LogFilePath    REG_SZ    d:\logs\dns\dns.log
If you wish to see just the log file location and not the other information returned by the reg query command, you can use a FOR /F loop command such as the following:
C:\>for /f "tokens=3" %g in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v LogFilePath ^| find "LogFilePath"') do @echo %g
d:\logs\dns\dns.log

C:\>
The FOR /F loop breaks up a line of output from the command that is being processed into items, called "tokens", that are separated by spaces on the lines of output from the command. In this case, I'm only interested in the third token on the line of output, which is the location of the DNS log file. The output that is being processed is the result of piping the output of the reg query command into the find command. Since the pipe symbol, i.e., the vertical bar character |, has a special meaning for the Windows command interpreter, you need to place an "escape character", which for Windows is the caret symbol, ^, immediately before it. You also need to put the at symbol, @, before the echo command to avoid seeing the echo command itself as output.

If you wish to use a batch file to execute the commands to find the log file location, you need to replace the %g with %%g as shown below.
@echo off
FOR /F "tokens=3" %%G IN ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v LogFilePath ^| find "LogFilePath"') DO echo %%G
The registry key and the value to be queried can also be placed in environment variables that can be modified, if you wish to query other registry keys, instead of the one for the DNS log file location, so that it is easier to see what needs to be changed for such other queries.
@echo off
REM Name: queryreg.bat
REM Version: 1.0
REM Created: November 22, 2014
REM Last Modified: November 22, 2014
REM
REM Description: Displays just the value of a registry key from a
REM "reg query regkey /v regvalue" command omitting the additional
REM information that is output by the command
REM
REM Change regkey and regvalue below to query a different key/value;
REM both are used in the reg query command and regvalue is also used
REM by find to select the line of output holding the value.
set regkey="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
set regvalue="LogFilePath"
FOR /F "tokens=3" %%G IN ('reg query %regkey% /v %regvalue% ^| find %regvalue%') DO echo %%G
Download: queryreg.bat
advfirewall command can be used from a command prompt to check and modify the settings for the Microsoft Windows Firewall software on a Windows Vista, 7, 8, or Server 2008 system.
I opened the Copssh control panel on the system and clicked on the Users tab. I had been trying to login with a domain account, but found that the activated users list showed only two local accounts on the system, but no domain accounts. When I clicked on the Add button to add a new user, I found that for the "Domain" setting, the only option I could choose was the local system, since its name appeared, but there was no other value to select in the drop-down list. When I tried using one of the listed accounts for the user name and password, I was able to successfully log in by SSH.
prefs.js in the account's Firefox profile directory. Searching the file for "network.proxy" will provide the settings.
You don't need to go through an install process to use the program, though an installer is available for download from the developer's website. If you don't want to go through an installation process, simply download the zip file containing the executable program from the developer's website and unzip the contents of the zip file. Within the zip file are 3 files:

File | Size
---|---
wul.exe | 43 KB
wul.chm | 15 KB
readme.txt | 9 KB

Note: File sizes are for version 1.32, which is the current version.
The wul.chm file is a Compiled HTML Help file.

When you run wul.exe by double-clicking on it, you will see a list of installed Windows updates, aka "patches". On Microsoft Windows 98, ME, 2000, and Windows XP you will see a list of files associated with the patch in the lower pane of the WUL window. On Microsoft Windows 8, 7, Vista, and 2008 systems there is no information on files installed by the update in the lower pane.

By default, the list of installed updates is ordered by name, but you can click on the column headers to sort by other criteria. E.g., you can click on the column header Installation Date to sort by the date the patch was installed.

You can right-click on an entry in the upper pane of the window and choose "Properties" to see more details, as shown in the example below, for the installed patch.

The utility can also be run from the command line with the following options:
Option | Description
---|---
/stext <Filename> | Save windows updates list into a regular text file.
/stab <Filename> | Save windows updates list into a tab-delimited text file.
/scomma <Filename> | Save windows updates list into a comma-delimited text file.
/stabular <Filename> | Save windows updates list into a tabular text file.
/shtml <Filename> | Save windows updates list into HTML file.
/sverhtml <Filename> | Save windows updates list into HTML file. (vertical)
/sxml <Filename> | Save windows updates list into XML file.
/another <Windows Folder> | Connect to another instance of operating system on the same computer (Windows 2000/XP only). You can combine this option with one of the save options in order to save the Windows updates list of another operating system.
/remote <Computer Name> | Connect to remote Windows 2000/XP operating system. You can combine this option with one of the save options in order to save the Windows updates list of a remote computer.
Method 1
Method 2
Obtain a command prompt by clicking on the Windows Start button then typing cmd and hitting return. At the command prompt type java -version and hit return.
C:\>java -version
java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
Java HotSpot(TM) Client VM (build 25.25-b02, mixed mode, sharing)
The version information displayed above is "1.8.0_25". The first method displayed "Version 8 Update 25" for the same version. The number after the underscore in the output from the command line, i.e. "25", is the build number for that version. A version can have many build numbers before the developer increments the version number.
You can determine what version of Java is the latest or download the latest version from www.java.com.
I verified that the php-mysql package was installed with rpm -qi php-mysql.
# rpm -qi php-mysql
Name        : php-mysql
Version     : 5.4.16
Release     : 23.el7_0.3
Architecture: x86_64
Install Date: Tue 11 Nov 2014 08:26:15 PM EST
Group       : Development/Languages
Size        : 237259
License     : PHP
Signature   : RSA/SHA256, Fri 31 Oct 2014 10:24:56 AM EDT, Key ID 24c6a8a7f4a80eb5
Source RPM  : php-5.4.16-23.el7_0.3.src.rpm
Build Date  : Fri 31 Oct 2014 09:07:27 AM EDT
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.php.net/
Summary     : A module for PHP applications that use MySQL databases
Description :
The php-mysql package contains a dynamic shared object that will add
MySQL database support to PHP. MySQL is an object-relational database
management system. PHP is an HTML-embeddable scripting language. If
you need MySQL support for PHP applications, you will need to install
this package and the php package.
I created a PHP test page with the following code:
<html>
<head>
<title>PHP Test</title>
</head>
<body>
<h2>A test page</h2>
<?php echo "<p>Hello world</p>"; ?>
<?php phpinfo(); ?>
</body>
</html>
"Hello world" was displayed by the PHP echo command and the information from the phpinfo function was also displayed. I searched through the results displayed for references to "MySQL" and found mysql and mysqli sections, including the following:
MySQL Support | enabled |
---|---|
Active Persistent Links | 0 |
Active Links | 0 |
Client API version | 5.5.37-MariaDB |
MYSQL_MODULE_TYPE | external |
MYSQL_SOCKET | /var/lib/mysql/mysql.sock |
MYSQL_INCLUDE | -I/usr/include/mysql |
MYSQL_LIBS | -L/usr/lib64/mysql -lmysqlclient |
Since it appeared that PHP support for MySQL was present, I restarted Apache with apachectl restart, though I didn't expect that to resolve the problem. But when I refreshed the web page afterwards, the information from the MySQL database was displayed. Apparently, I should have restarted Apache after I ran the systemctl start mariadb.service command to start the MariaDB database service yesterday. MariaDB is a fork of MySQL.
mysql command on a CentOS 7 system, I received the error message below:
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111)
It took me awhile to figure out that since I was using MariaDB, a fork of MySQL, that I needed to enter the following 3 commands to enable, run, and secure the MariaDB service.
systemctl start mariadb.service
systemctl enable mariadb.service
mysql_secure_installation
filename = raw_input("Enter file name: ")
with open(filename) as input_file:
    for i, line in enumerate(input_file):
        print line,
print "{0} line(s) printed".format(i+1)
The script will prompt me for the name of the file to be checked and will loop through that file displaying each line from it, printing the total number of lines at the end.

The comma after the print line statement prevents a newline from being printed, so each file name will be printed immediately below the preceding one without a blank line between them. If the comma was not there, a blank line would be printed between each line containing a file name, since each line read from the file already ends with a newline.

The {0} references the first positional argument in the format statement, which in the case above refers to "i+1". The .format(value) at the end of the line tells python how to format the output. So the count of the number of lines in the file, which will be i plus 1, will be printed after the for loop completes.
If each line in the file is a directory path and file name, e.g.,:
./security/vulnerabilities/windows/wmf-vulnerability-exploited.php
./security/vulnerabilities/windows/kb908519_embedded-web-font.php
./security/antivirus/avast/avast-ie9/index.php
./network/Internet/domains/domain-reputation-check.php
then I can use import os.path, time to import modules that will allow me to obtain the time stamps for the files.
import os.path, time

filename = raw_input("Enter file name: ")
with open(filename) as input_file:
    for i, line in enumerate(input_file):
        print line,
        # strip the trailing newline (and any carriage return) from the path
        line = line.rstrip('\r\n')
        print "last modified: %s" % time.ctime(os.path.getmtime(line)),
        print "created: %s" % time.ctime(os.path.getctime(line))
print "{0} line(s) printed".format(i+1)
Since the input file was created on a Linux system each line ends with a newline character, which is represented by "\n". So I have to strip off the trailing newline at the end of each file name in the input file with the rstrip function. If the input file was created on a Windows system, I would also have to strip off a carriage return, which is represented by "\r". By using rstrip('\r\n'), any carriage return or newline characters will be stripped from the end of each line in the input file, so the script will work on Mac OS, Mac OS X, Microsoft Windows, or Unix/Linux systems.
I see output such as the following when I run the python script:
$ python checkfile.py
Enter file name: checkfiles2_php.txt
./security/vulnerabilities/windows/wmf-vulnerability-exploited.php
last modified: Mon Jan 9 15:45:00 2006 created: Tue Oct 14 10:21:03 2014
./security/vulnerabilities/windows/kb908519_embedded-web-font.php
last modified: Wed Jan 11 23:42:00 2006 created: Tue Oct 14 10:21:03 2014
./security/antivirus/avast/avast-ie9/index.php
last modified: Sat Aug 11 17:22:14 2012 created: Tue Oct 14 10:21:05 2014
./network/Internet/domains/domain-reputation-check.php
last modified: Sun Oct 6 13:30:27 2013 created: Tue Oct 14 10:21:12 2014
The creation times displayed above are the time I copied files from an old drive to a new drive.
find and grep commands to search for a specific text string in files. E.g., if you wished to search all files with a ".php" file extension for the occurrence of the word "noindex", you could use the following command:
find . -name "*.php" -exec grep "noindex" {} /dev/null \;
Since "*" has a special meaning for the shell, you will need to include it within quotes or precede it with the backslash escape character as shown below:
$ find . -type f -name \*.php -exec grep -l "noindex" {} \;
If I wished to search all files, not just those ending with ".php", I can use a command similar to the following one.
find . -type f -exec grep "noindex" {} \;
The -type f instructs find to only check regular files and not other objects such as directory names.

If I want to send the results to an output file, I could just append a >outputfile_name to the end of the line, but that will also produce output indicating that the output file itself is being checked.
$ find . -type f -exec grep "noindex" {} \; >checkfiles.txt
grep: input file ‘./checkfiles.txt’ is also the output
To avoid that issue, you can use the --exclude argument.
$ find . -type f -exec grep -l --exclude checkfiles.txt "noindex" {} \; >checkfiles.txt
I can also use just the grep command, as shown below:
$ grep -rwl . -e "noindex" --include=\*.php
The -r option tells grep to search recursively; the "." indicates that the search should be started in the current directory. The -w indicates that I want exact word matches, e.g., " noindex ", not "nonindex" or "noindexes". The -l option indicates that I don't want to see the lines on which the word occurs, just the file names for those files in which it is found. The -e option provides the pattern that grep should search on and the --include option tells grep which files it should search within.
-r, --recursive
    Read all files under each directory, recursively, following symbolic links only if they are on the command line. This is equivalent to the -d recurse option.

-w, --word-regexp
    Select only those lines containing matches that form whole words. The test is that the matching substring must either be at the beginning of the line, or preceded by a non-word constituent character. Similarly, it must be either at the end of the line or followed by a non-word constituent character. Word-constituent characters are letters, digits, and the underscore.

-l, --files-with-matches
    Suppress normal output; instead print the name of each input file from which output would normally have been printed. The scanning will stop on the first match. (-l is specified by POSIX.)

-e PATTERN, --regexp=PATTERN
    Use PATTERN as the pattern. This can be used to specify multiple search patterns, or to protect a pattern beginning with a hyphen (-). (-e is specified by POSIX.)

--include=GLOB
    Search only files whose base name matches GLOB (using wildcard matching as described under --exclude).
netsh firewall show state. Though the netsh firewall command, which I've used since Microsoft Windows XP was released, is deprecated in Windows 7, it can still be used to obtain information on the status and configuration of the Microsoft Windows Firewall from the command line.
C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
22     TCP       Any      (null)
1900   UDP       Any      (null)
2869   TCP       Any      (null)

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
I checked on what applications had the three listed ports open with netsh firewall show portopening.
C:\>netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode     Traffic direction  Name
-------------------------------------------------------------------
22     TCP       Enable   Inbound            Copssh
1900   UDP       Enable   Inbound            Windows Live Communications Platform (SSDP)
2869   TCP       Enable   Inbound            Windows Live Communications Platform (UPnP)

Port configuration for Standard profile:
Port   Protocol  Mode     Traffic direction  Name
-------------------------------------------------------------------
22     TCP       Enable   Inbound            Copssh
1900   UDP       Enable   Inbound            Windows Live Communications Platform (SSDP)
2869   TCP       Enable   Inbound            Windows Live Communications Platform (UPnP)

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
I also checked to see what programs were allowed by firewall rules.
C:\>netsh firewall show allowedprogram

Allowed programs configuration for Domain profile:
Mode     Traffic direction  Name / Program
-------------------------------------------------------------------
Enable   Inbound            McAfee Shared Service Host / C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
Enable   Inbound            LifeTray.exe / C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe
Enable   Inbound            LifeExp.exe / C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe
Enable   Inbound            LifeEnC2.exe / C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe
Enable   Inbound            LifeCam.exe / C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe
Disable  Inbound            Internet Explorer / C:\program files (x86)\internet explorer\iexplore.exe
Enable   Inbound            Dropbox / C:\Users\JSmith.mayfield\AppData\Roaming\Dropbox\bin\Dropbox.exe

Allowed programs configuration for Standard profile:
Mode     Traffic direction  Name / Program
-------------------------------------------------------------------

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
Since I need to be able to ping the system from other systems on the LAN for troubleshooting, I verified that ICMP echo requests and replies were not going to be blocked by the firewall.
C:\>netsh firewall show icmpsetting

ICMP configuration for Domain profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big
Enable   8     Allow inbound echo request

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
I saw that "allow inbound echo request" was enabled and I was able to ping the system from the domain controller.
Attackers also routinely use name dictionaries to break into systems with any accounts that have weak passwords. E.g., an attacker may use a name dictionary to pick names to use as the userid. Let's say the first name in the name dictionary is Aaron. The attacker might then use a word dictionary to try every word in the English language, or some other language, as a possible password for an account with the userid of aaron. If an aaron account doesn't exist on the system or has a strong password, once the attacker has gone through every word in the word dictionary or whatever other password list he is using, he will then go onto the next name in his name dictionary, e.g., perhaps Abe. The attacker will proceed in this manner until he finds an account with a weak password he can compromise or exhausts all possible combinations of names for accounts and words to use for possible passwords. Of course it would take a human an inordinate amount of time to type all such possible userid and password combinations, but an attacker will let a program make such guesses for him. He merely needs to start the program and let it run. His program may be able to check many thousands of userid and password combinations in minutes.
If the system isn't monitored for such brute-force password attempts, an attacker can run unchecked for days. Even if he can't get in, he will be using bandwidth to/from the system under attack as well as CPU cycles, etc., so may slow down access to the system for legitimate users. I've seen periods where a system has been under attack from 5 such attackers in different countries at once.
On CentOS Linux, you can check the /var/log/secure log to find instances of such attacks.
# grep 'Failed password' /var/log/secure | tail -5
Oct 28 09:47:43 frostdragon sshd[32246]: Failed password for root from 123.125.219.130 port 11859 ssh2
Oct 28 09:47:47 frostdragon sshd[32249]: Failed password for root from 123.125.219.130 port 13894 ssh2
Oct 28 09:47:52 frostdragon sshd[32253]: Failed password for root from 123.125.219.130 port 15886 ssh2
Oct 28 09:47:56 frostdragon sshd[32256]: Failed password for root from 123.125.219.130 port 17740 ssh2
Oct 28 09:48:01 frostdragon sshd[32259]: Failed password for root from 123.125.219.130 port 19477 ssh2
You can see the number of failed ssh login attempts from various login addresses with the command grep 'Failed password' /var/log/secure | grep sshd | awk '{print $11}' | sort | uniq -c - the IP address from which the failed login attempt was made is the 11th item on the line. If you pipe the output of the awk command into sort, you can sort the output by IP address; uniq -c will then provide you the count of failed SSH login attempts from particular IP addresses.
# grep 'Failed password' /var/log/secure | grep sshd | awk '{print $11}' | sort | uniq -c
      1 101.227.71.40
    409 117.27.158.71
      2 117.27.158.91
     84 122.225.109.104
    315 122.225.109.108
    232 122.225.109.118
    321 122.225.109.197
    247 122.225.109.212
    115 122.225.109.217
    458 122.225.97.103
    309 122.225.97.108
     96 122.225.97.110
    377 122.225.97.117
    478 122.225.97.120
    121 122.225.97.83
     63 122.225.97.84
     81 122.225.97.88
     36 122.225.97.98
    382 123.125.219.130
I can see from the above output from that command that there were 382 failed ssh login attempts from the 123.125.219.130 address at the time I ran the command.
From a search on that IP address at the American Registry for Internet Numbers (ARIN), I found the address was part of a block of addresses managed by the Asia Pacific Network Information Centre (APNIC) . A whois search on the APNIC site showed the IP address is part of a large block of addresses, 123.112.0.0 - 123.127.255.255, allocated to an organization in Beijing, China. I often see attacks from IP addresses allocated to entities in China.
You can manually block further attempts to compromise a system in this manner using a route reject command or through the firewall software on the system. The default firewall software for CentOS 7 is FirewallD. You can configure it through a Graphical User Interface (GUI), which can be opened using the command firewall-config, or through a command line interface at a shell prompt by using the command firewall-cmd. I blocked the IP address from any access to the system using the command below, though by the time I blocked it, the login attempts had ceased:
# firewall-cmd --add-rich-rule="rule family='ipv4' source address='123.125.219.130' reject"
success
The block can be viewed through the graphical interface for FirewallD by running firewall-config. E.g., in this case under "Rich Rules" for the public zone, I can see the blocked IP when starting the application after issuing the firewall-cmd command.
The command above will put in place a firewall rule that will apply to the default firewall zone, but will only remain until the firewall service is restarted, e.g., with a system reboot. To put in place a permanent block, I could have used the commands below. Instituting a permanent change requires a restart of the firewall service, though.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='123.125.219.130' reject"
systemctl restart firewalld.service
To have a block apply to a specific firewall zone, e.g., the public zone, I could use the commands below.
firewall-cmd --permanent --zone='public' --add-rich-rule="rule family='ipv4' source address='123.125.219.130' reject"
systemctl restart firewalld.service
The output of the grep command run against /var/log/secure displayed above was sorted by IP address; if you, instead, would like to sort the output by count of failed login attempts you can pipe the output of the commands above into sort again, adding the -n argument to sort by the number that appears first on each line.
# grep 'Failed password' /var/log/secure | grep sshd | awk '{print $11}' | sort | uniq -c | sort -n
      1 176.222.201.154
      1 85.132.71.83
      1 91.220.131.33
      1 a
      1 pi
      1 ubnt
      2 client
      4 ubuntu
      4 usuario
     27 git
     48 122.225.97.117
     64 221.228.205.196
     71 61.174.51.223
     78 admin
    129 122.225.97.79
    191 122.225.109.198
    237 122.225.97.116
    268 117.27.158.88
    306 113.200.188.55
    336 117.27.158.89
I can see from the above output that the greatest number of failed SSH login attempts made on the day I ran the command, which was November 9, 2014, were made from 117.27.158.89. Checking the APNIC site again, I see that IP address is also assigned to an entity in China.
If you want to reverse the sorting order, so that the largest number appears first, simply add the -r argument to the last sort command.
# grep 'Failed password' /var/log/secure | grep sshd | awk '{print $11}' | sort | uniq -c | sort -nr
    336 117.27.158.89
    306 113.200.188.55
    268 117.27.158.88
    237 122.225.97.116
    191 122.225.109.198
    129 122.225.97.79
     78 admin
     71 61.174.51.223
     64 221.228.205.196
     48 122.225.97.117
     27 git
      4 usuario
      4 ubuntu
      2 client
      1 ubnt
      1 pi
      1 a
      1 91.220.131.33
      1 85.132.71.83
      1 176.222.201.154
In the above output, some of the failed entries are associated with userids the attacker attempted to use to login, because for an "invalid user" line the 11th item is the userid rather than the IP address. E.g., for the case of the usuario one, I can see that the illegitimate login attempts where that name was used for the userid originated from the 221.228.205.196 IP address. There is no account on the system with that userid. The IP address is also assigned to an entity in China.
# grep usuario /var/log/secure
Nov  9 10:53:01 localhost sshd[23516]: Invalid user usuario from 221.228.205.196
Nov  9 10:53:01 localhost sshd[23516]: input_userauth_request: invalid user usuario [preauth]
Nov  9 10:53:03 localhost sshd[23516]: Failed password for invalid user usuario from 221.228.205.196 port 52710 ssh2
Nov  9 10:53:04 localhost sshd[23568]: Invalid user usuario from 221.228.205.196
Nov  9 10:53:04 localhost sshd[23568]: input_userauth_request: invalid user usuario [preauth]
Nov  9 10:53:06 localhost sshd[23568]: Failed password for invalid user usuario from 221.228.205.196 port 53534 ssh2
Nov  9 10:53:07 localhost sshd[23654]: Invalid user usuario from 221.228.205.196
Nov  9 10:53:07 localhost sshd[23654]: input_userauth_request: invalid user usuario [preauth]
Nov  9 10:53:10 localhost sshd[23654]: Failed password for invalid user usuario from 221.228.205.196 port 55193 ssh2
Nov  9 10:53:12 localhost sshd[23657]: Invalid user usuario from 221.228.205.196
Nov  9 10:53:12 localhost sshd[23657]: input_userauth_request: invalid user usuario [preauth]
Nov  9 10:53:14 localhost sshd[23657]: Failed password for invalid user usuario from 221.228.205.196 port 56072 ssh2
To count just by IP address so that the login failures for particular usernames don't appear in the output, I can put another grep command before the awk command, one that filters the output of the prior grep command so that any lines containing "invalid user" are eliminated.
# grep 'Failed password' /var/log/secure | grep sshd | grep -v "invalid user" | awk '{print $11}' | sort | uniq -c | sort -n
      1 176.222.201.154
      1 85.132.71.83
      1 91.220.131.33
     48 122.225.97.117
     64 221.228.205.196
     71 61.174.51.223
    129 122.225.97.79
    191 122.225.109.198
    237 122.225.97.116
    268 117.27.158.88
    306 113.200.188.55
    336 117.27.158.89
If you wish to see what userids are being used most frequently for the failed login attempts, the string of commands entered above needs to be modified to search for the userids used in failed login attempts. The above commands don't show the most commonly used userid, which is root, since almost all Unix/Linux systems will have a root account.
For failed login attempts the lines that appear in the output are slightly different depending upon whether the userid used exists on the system. E.g., if the account doesn't exist on the system, as in the case for client and git below, the lines appear as follows:
```
Nov 9 10:34:14 localhost sshd[21745]: Failed password for invalid user client from 91.220.131.33 port 60223 ssh2
Nov 9 10:52:00 localhost sshd[23204]: Failed password for invalid user git from 221.228.205.196 port 60513 ssh2
```
If the account does exist, e.g., the root
account, then
the lines have the following format:
```
Nov 9 04:58:50 localhost sshd[21319]: Failed password for root from 122.225.97.79 port 7951 ssh2
```
The sed command can be used to strip "invalid user " from those lines so
that their format matches the lines for userids that do exist on the system.
You can then use awk to print the 9th field on the line, which is the
userid.
```
# grep "sshd.*: Failed password for" /var/log/secure | sed 's/invalid user //' | awk '{print $9}' | sort | uniq -c | sort -n
      1 a
      1 operator
      1 pi
      1 ubnt
      2 client
      4 ubuntu
      4 usuario
     27 git
     78 admin
   1844 root
```
The output from a check of the /var/log/secure
file shows
that the most common user name used in attempts to log into the system
by attackers is root
.
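The two pipelines above work because of awk's field numbering, which is fragile: one line shape puts the IP address in $11 and the other in $13. The following script is an added example (not from the original page) that parses both shapes with a single regular expression, counts failures per source IP and per userid, and reproduces the effect of grep -v "invalid user" as an option. The sample log is constructed from the lines quoted above; pass a real file path as the first argument to run it against /var/log/secure.

```python
import re
import sys
from collections import Counter

# The two line shapes sshd writes for a failed password, taken from the
# /var/log/secure excerpts quoted above:
#   ... sshd[21319]: Failed password for root from 122.225.97.79 port 7951 ssh2
#   ... sshd[23204]: Failed password for invalid user git from 221.228.205.196 port 60513 ssh2
# The optional "invalid user " is what shifts the awk field numbers; making it
# an optional regex group lets one parse handle both shapes.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

# Constructed sample built from the log lines quoted above. The "Invalid user"
# and "input_userauth_request" lines are included on purpose: they belong to
# the same attempts and must not be counted a second time.
SAMPLE_LOG = """\
Nov 9 10:53:01 localhost sshd[23516]: Invalid user usuario from 221.228.205.196
Nov 9 10:53:01 localhost sshd[23516]: input_userauth_request: invalid user usuario [preauth]
Nov 9 10:53:03 localhost sshd[23516]: Failed password for invalid user usuario from 221.228.205.196 port 52710 ssh2
Nov 9 10:53:06 localhost sshd[23568]: Failed password for invalid user usuario from 221.228.205.196 port 53534 ssh2
Nov 9 10:34:14 localhost sshd[21745]: Failed password for invalid user client from 91.220.131.33 port 60223 ssh2
Nov 9 04:58:50 localhost sshd[21319]: Failed password for root from 122.225.97.79 port 7951 ssh2
Nov 9 04:58:55 localhost sshd[21319]: Failed password for root from 122.225.97.79 port 7960 ssh2
""".splitlines()


def failed_logins(lines):
    """Yield (user, ip, account_exists) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("invalid") is None


def count_by_ip(lines, only_existing_accounts=False):
    """Failed attempts per source IP, like the awk | sort | uniq -c pipeline.

    only_existing_accounts=True does what grep -v "invalid user" does: attempts
    against userids that do not exist are left out of the count entirely.
    """
    return Counter(
        ip for _user, ip, exists in failed_logins(lines)
        if exists or not only_existing_accounts
    )


def count_by_user(lines):
    """Failed attempts per userid, existing and non-existent accounts alike."""
    return Counter(user for user, _ip, _exists in failed_logins(lines))


def report(counter, top=10):
    """Rows in the shape of sort | uniq -c | sort -n: least frequent first."""
    return sorted(counter.items(), key=lambda kv: (kv[1], kv[0]))[-top:]


if __name__ == "__main__":
    # Usage: python3 sshd_failures.py [/var/log/secure]
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    print("by source IP (existing accounts only):")
    for ip, n in report(count_by_ip(lines, only_existing_accounts=True)):
        print(f"{n:7d} {ip}")
    print("by userid:")
    for user, n in report(count_by_user(lines)):
        print(f"{n:7d} {user}")
```

The regex anchors on "sshd[pid]: Failed password for", so the "Invalid user" and "input_userauth_request" lines that precede each attempt are ignored rather than double counted, and the (user, ip, exists) tuples can be fed to whatever tally you need without re-running grep for each view.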
References:
about:config
in
the Firefox address bar where you would normally put the address of a page
you wanted to visit. When you hit Enter you will see a warning
message "This might void your warranty! Changing these advanced settings
can be harmful to the stability, security, and performance of this application.
You should only continue if you are sure of what you are doing." You will
need to click on the "I'll be careful, I promise!" button to continue so that
you can enable JavaScript again.
In the list of preference options that appear, scroll down until you see
javascript.enabled
.
Preference Name | Status | Type | Value |
---|---|---|---|
javascript.enabled | user set | boolean | false |
You will need to double-click on the javascript.enabled
line
to change the value from "false" to "true" to enable javascript support. You
can disable javascript support by double-clicking on the line to toggle the
status to false, if it is set to true and you wish to disable it.
Once you have reenabled JavaScript, you should be able to successfully display webpages that rely upon it.
grep resuming /var/log/httpd/error_log.

```
# grep resuming /var/log/httpd/error_log
[Sun Nov 09 03:29:02.631763 2014] [mpm_prefork:notice] [pid 20663] AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations
```
perl -e shell -MCPAN
at a shell prompt and then at the
cpan prompt, type install YAML
.
```
# perl -e shell -MCPAN
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.9800)
Enter 'h' for help.

cpan[1]> install YAML
```
Once it is installed you can view documentation on it by issuing the
command perldoc YAML
. If you just want to see if it is
installed, you can issue that command. If it is, you will see the documentation.
If it isn't installed, you will see a message "No documentation found" followed
by the module name.
You can also use the -l argument to perldoc, which reports the location of
the Plain Old Documentation (POD) file for the module if one is present, or
reports "No documentation found" if the module can't be found. Be sure to
capitalize "YAML"; module names are case-sensitive, so "yaml" produces the
"No documentation found" message.
```
# perldoc -l yaml
No documentation found for "yaml".
# perldoc -l YAML
/usr/local/share/perl5/YAML.pod
```
/var/spool/cron
, so I needed the
/var/spool/cron/root
for the root account. Since I didn't
want to include every line from the old crontab file, I edited the
old one and copied its contents. I then used crontab -e
while
logged into the root account to create a new crontab file. I pasted the
contents of the old file into the new one. When I tried
saving the file, I got the message below:
```
# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
"/tmp/crontab.wpnAYC":3: bad minute
errors in crontab file, can't install.
Do you want to retry the same edit?
```
I had also seen "bad day-of-week" instead of "bad minute" when editing the
file previously. I typed "y" to retry and then realized the source of the
problem. From the error message I thought at first that there was some error
in the first five entries on a line, the ones that specify when a cron job
should run. Instead, the problem was that when I copied and pasted the
contents of the old file into the new file, entries that had wrapped to a new
line on the screen were now on two lines, whereas before they had been on one
line. E.g., for the output above, line 3, the one referenced for "bad minute",
was really the continuation of line 2, but because of my copy and paste
operation it was now on line 3 with no time specification, just the end of
the command line.
I edited the lines where that had occurred so that, even though they wrapped
on the screen, each entry was one continuous line. I was then able to save
the file successfully and view the crontab file with crontab -l.
Since I had SELinux enabled on the system, I
checked the security context for the cron file and saw the following.
```
# ls -Z /var/spool/cron/root
-rw-------. root root unconfined_u:object_r:user_cron_spool_t:s0 /var/spool/cron/root
```
References:
httpd.conf
file on a Linux system, I restarted Apache and tried
viewing the website with a browser. Instead of seeing the home page for the
site, I saw:
Forbidden
You don't have permission to access / on this server.
When I looked in the error log for the site, I saw the following:
Checking the public_html
directory and the directories
beneath it, I saw that owner, group, and world all had "execute" access,
i.e., the capability to search through the directories.
```
$ ls -ld public_html
drwxrwxr-x. 14 jdoe jdoe 4096 Nov 5 21:04 public_html
```
But, checking the user's home directory I found there was no access to it except for the owner. When I changed that access to grant search access to other accounts in the same group and all accounts, then the website became visible.
```
$ chmod ga+x /home/jdoe
$ ls -ld /home/jdoe
drwx--x--x. 13 jdoe jdoe 4096 Nov 5 21:17 /home/jdoe
```
You can check the permissions on a directory and every directory above it up
to the root directory with one command, namei -m, in the form namei -m
/path_to_directory/dirname. Every component in the path needs the search (x)
bit for the account the web server runs as; search permission alone only lets
that account reach a path it already knows, so granting other users "x" but
not "r" on a home directory, as above, does not let them list its contents.
E.g.:
```
$ namei -m /home/jdoe/public_html
f: /home/jdoe/public_html
 drwxr-xr-x /
 drwxr-xr-x home
 drwx--x--x jdoe
 drwxrwxr-x public_html
```
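namei -m prints the modes but leaves you to spot the offending component by eye. The following added example (not from the original page) walks the same chain of directories and reports only the ones that block a web server account that is neither the owner nor in the group; its demo() rebuilds the jdoe/public_html layout in a temporary directory, reproduces the 0700 home directory that caused the "Forbidden" response, applies the equivalent of chmod ga+x, and checks again. Pass a real path as the first argument to run it against your own filesystem.

```python
import os
import shutil
import stat
import tempfile


def blocking_components(path, top="/", same_group=False):
    """Walk from `top` down to `path` (both inclusive) and return
    [(directory, mode_string)] for every directory that lacks the search (x)
    bit the web server would need, in the order namei -m prints them.

    same_group=False assumes the server account (apache here) is neither the
    owner nor in the directory's group, so only the "other" x bit counts;
    same_group=True also accepts g+x. `path` is assumed to lie under `top`.
    """
    path, top = os.path.abspath(path), os.path.abspath(top)
    candidates = [top]
    for part in os.path.relpath(path, top).split(os.sep):
        if part and part != ".":
            candidates.append(os.path.join(candidates[-1], part))
    blockers = []
    for directory in candidates:
        mode = os.stat(directory).st_mode
        searchable = bool(mode & stat.S_IXOTH) or (same_group and bool(mode & stat.S_IXGRP))
        if not searchable:
            blockers.append((directory, stat.filemode(mode)))
    return blockers


def demo():
    """Recreate the layout from the page in a temp directory (jdoe's home at
    0700, public_html at 0775), show which component blocks the server, apply
    the equivalent of `chmod ga+x /home/jdoe` and check again."""
    root = tempfile.mkdtemp()
    try:
        os.chmod(root, 0o711)                      # stands in for /home
        home = os.path.join(root, "jdoe")
        public_html = os.path.join(home, "public_html")
        os.makedirs(public_html)
        os.chmod(public_html, 0o775)               # drwxrwxr-x as on the page
        os.chmod(home, 0o700)                      # the state behind the 403
        before = blocking_components(public_html, top=root)
        os.chmod(home, 0o711)                      # chmod ga+x /home/jdoe
        after = blocking_components(public_html, top=root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for directory, mode in blocking_components(sys.argv[1]):
            print(f"{mode} {directory}  <- no search permission for others")
    else:
        before, after = demo()
        print("before chmod:", before)
        print("after chmod: ", after)
```

The check inspects mode bits only, so it reports what a non-owner account outside the group would hit; ACLs and SELinux contexts (the other usual causes of a 403 on an otherwise readable tree) are outside its scope and still need getfacl and ls -Z.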
# usermod --shell /sbin/nologin jasmith
Task 'jasmith@example.com - Receiving' reported error (0x800CCC92) :
'Your e-mail server rejected your login. Verify your user name and
password for this account in Account Settings. The server responded:
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS)
connections.'
At first I thought the tech who upgraded the system had made some change to
Outlook on the system, but I eventually realized that the email server, which
uses dovecot for POP3 email access, was denying access because the system had
a new IP address. The user was using POP3, port 110, for downloading email,
and I had previously added the old IP address to the login_trusted_networks
line in the /etc/dovecot/dovecot.conf file on the email server. By adding an
IP address or IP address range to that line, you configure dovecot to allow
users to log in with an unencrypted userid and password, i.e., plaintext
authentication, from the specified address or range. The relevant section in
dovecot.conf is shown below:
```
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
login_trusted_networks = 192.168.0.0/24 192.168.1.0/24 172.45.55.82
```
In the case above, the server will accept plaintext passwords from any
system in the 192.168.0.0/24 address range, i.e., 192.168.0.0 to
192.168.0.255, the 192.168.1.0/24 address range, and from the specific
IP address 172.45.55.82, which was the user's IP address. Be clear about what
that trades away: 172.45.55.82 is a public address, so the user's password
crosses the Internet unencrypted on every POP3 login, and, as the comment in
the file says, a connection from a trusted address may also override the IP
address and port dovecot records for it. The safer arrangement is to leave
disable_plaintext_auth in effect and have the client use POP3 over TLS (POP3S
on port 995, or STARTTLS on port 110) instead. After updating her IP address
in the file, I restarted dovecot with service dovecot restart.
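To see which clients a login_trusted_networks line actually covers, and which entries expose plaintext logins to the Internet, here is an added example (not from the original page or from dovecot) that parses the directive quoted above with Python's ipaddress module, answers "would dovecot skip disable_plaintext_auth for this client?", and lists the trusted entries that are not private, loopback or link-local ranges.

```python
import ipaddress

# The directive as quoted from dovecot.conf above.
LOGIN_TRUSTED_NETWORKS = (
    "login_trusted_networks = 192.168.0.0/24 192.168.1.0/24 172.45.55.82"
)


def parse_trusted_networks(directive):
    """Split the space-separated value into ip_network objects; a bare address
    such as 172.45.55.82 becomes a single-host /32 (or /128 for IPv6)."""
    _, _, value = directive.partition("=")
    return [ipaddress.ip_network(token, strict=False) for token in value.split()]


TRUSTED = parse_trusted_networks(LOGIN_TRUSTED_NETWORKS)


def is_trusted(client_ip, networks=TRUSTED):
    """True when dovecot would ignore disable_plaintext_auth for this client."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def public_trusted_networks(networks=TRUSTED):
    """Entries that are not private, loopback or link-local ranges. A plaintext
    POP3 login from one of these crosses the Internet with the password in the
    clear, which is the trade-off made above for 172.45.55.82."""
    return [str(net) for net in networks if not net.is_private]


if __name__ == "__main__":
    for ip in ("192.168.0.255", "192.168.2.1", "172.45.55.82", "172.45.55.83"):
        print(f"{ip:16} trusted={is_trusted(ip)}")
    print("plaintext auth allowed from public addresses:", public_trusted_networks())
```

Running public_trusted_networks over the live configuration before each change is a cheap way to notice when a "temporary" per-user exception like the one above has accumulated into a list of public addresses.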
The system uses sendmail for sending email, and I also had to update
/etc/mail/access to include her IP address, since the change to the dovecot
configuration file allowed her to download her email, but sendmail would
still not accept any email sent from her computer: relaying was permitted
from her old IP address, but not her new one. Relaying by source address
trusts every host at that address, and the entry has to be edited each time
the user's address changes; SMTP AUTH on the submission port is the
alternative that avoids both problems. I added her IP address and a comment
line to the /etc/mail/access file.
```
# J. A. Smith
172.45.55.82    RELAY
```
I then used makemap hash
to generate an updated /etc/mail/access.db
file.
# makemap hash /etc/mail/access </etc/mail/access
She was then able to send as well as receive email; I didn't need to restart sendmail.
References:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at webmaster@example.com to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
Checking the httpd error log, I saw the following entries for the problem:
```
[Sun Nov 02 11:31:21.399775 2014] [cgi:error] [pid 18794] [client 94.228.34.209:55416] AH01215: Can't locate CGI.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /home/jdoe/public_html/blog/blosxom line 92.
[Sun Nov 02 11:31:21.399911 2014] [cgi:error] [pid 18794] [client 94.228.34.209:55416] AH01215: BEGIN failed--compilation aborted at /home/jdoe/public_html/blog/blosxom line 92.
[Sun Nov 02 11:31:21.401265 2014] [cgi:error] [pid 18794] [client 94.228.34.209:55416] End of script output before headers: blosxom
```
When I searched the system for CGI.pm
, I found it was not
present.
```
# find / -name CGI.pm -print 2>/dev/null
#
```
The file was present on a backup from the CentOS 5 system at
/usr/lib/perl5/5.8.8/CGI.pm
.
Since it wasn't installed, I tried installing it.
```
# perl -e shell -MCPAN
Can't locate CPAN.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .).
BEGIN failed--compilation aborted.
```
But that failed because CPAN.pm
wasn't installed, either.
```
# find /usr/lib/perl5 -name CPAN.pm -print 2>/dev/null
# whereis CPAN.pm
CPAN:
[root@frostdragon conf]# locate CPAN.pm
#
```
So I installed the perl-CPAN
package with yum
.
# yum install perl-CPAN
After the installation, I checked on the package and the location of CPAN.pm.
```
# rpm -qi perl-CPAN
Name        : perl-CPAN
Epoch       : 0
Version     : 1.9800
Release     : 283.el7
Architecture: noarch
Install Date: Sun 02 Nov 2014 12:02:15 PM EST
Group       : Development/Languages
Size        : 762403
License     : GPL+ or Artistic
Signature   : RSA/SHA256, Fri 04 Jul 2014 12:15:45 AM EDT, Key ID 24c6a8a7f4a80eb5
Source RPM  : perl-5.16.3-283.el7.src.rpm
Build Date  : Tue 17 Jun 2014 01:42:20 PM EDT
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.perl.org/
Summary     : Query, download and build perl modules from CPAN sites
Description :
Query, download and build perl modules from CPAN sites.
# whereis CPAN.pm
CPAN: /usr/share/man/man3/CPAN.3pm.gz
#
```
I was then able to install CGI.pm
.
```
# perl -e shell -MCPAN

CPAN.pm requires configuration, but most of it can be done automatically.
If you answer 'no' below, you will enter an interactive dialog for each
configuration option instead.

Would you like to configure as much as possible automatically? [yes] yes

 <install_help>
Warning: You do not have write permission for Perl library directories.

To install modules, you need to configure a local Perl library directory or
escalate your privileges.  CPAN can help you by bootstrapping the local::lib
module or by configuring itself to use 'sudo' (if available).  You may also
resolve this problem manually if you need to customize your setup.

What approach do you want?  (Choose 'local::lib', 'sudo' or 'manual')
 [local::lib] sudo

Autoconfigured everything but 'urllist'.

Now you need to choose your CPAN mirror sites.  You can let me
pick mirrors for you, you can select them from a list or you can enter
them by hand.

Would you like me to automatically choose some CPAN mirror
sites for you? (This means connecting to the Internet) [yes] yes
Trying to fetch a mirror list from the Internet
Fetching with LWP:
http://www.perl.org/CPAN/MIRRORED.BY

Looking for CPAN mirrors near you (please be patient)
........................... done!

New urllist
  http://cpan-du.viaverio.com/
  http://mirror.cogentco.com/pub/CPAN/
  http://httpupdate25.cpanel.net/CPAN/

Autoconfiguration complete.

commit: wrote '/root/.cpan/CPAN/MyConfig.pm'

You can re-run configuration any time with 'o conf init' in the CPAN shell
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.9800)
Enter 'h' for help.

cpan[1]>
```
At the cpan[1]
prompt, I entered install CGI
.
Note: You need to use uppercase letters, i.e., install CGI, not install cgi; module names are case-sensitive.
After the installation completed, I typed "exit" at the CPAN prompt. I was then able to reload the page in the browser without getting the "Internal Server" error; I did not have to restart Apache.
References: