Author: Michael Blood
Coldfusion / PCI double null vulnerability – Addressed with apache rewriterule
ColdFusion 8 and earlier running on Apache have a 'double null' information-disclosure vulnerability that shows up as a failure on Nessus PCI reports (output below).
Basically, someone appends a double-encoded null byte (%2500) plus an extension that ColdFusion handles (such as .cfm) to the name of a non-ColdFusion file, and the server returns the contents of that file instead of executing it. An attacker can use this to read the source of PHP scripts or other files on the web server, which may contain database credentials or other sensitive information. The scanner's own test request looks like this:
https://yourdomain.com/coldfusion_apache_double_null_info_disclosure.nasl-14285118 17%2500.cfm
You can either upgrade ColdFusion (recommended; the hotfix is referenced in Adobe bulletin APSB09-12, linked in the Nessus output below) or put an Apache RewriteRule in place that redirects any request whose path contains the exploit sequence. mod_rewrite matches its pattern against the %-decoded URL path, so after Apache's single decode %2500 has become the literal text %00 and that is what the pattern looks for (RewriteEngine On must be set in the same context; [B] escapes backreferences and [R] sends an external redirect to /):
RewriteRule %00 / [B,R]
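The double decoding behind this, modelled in Python 3 as an added example (not part of the original post or of the Nessus plugin): Apache %-decodes the path once before mod_rewrite matches the rule above against it, so %2500 becomes the text %00 and the rule fires; a handler that decodes the already-decoded path a second time ends up with a real NUL byte. The request paths are made up for illustration.

```python
import re
from urllib.parse import unquote

# The pattern from the RewriteRule above. mod_rewrite applies it to the
# once-decoded URL path, which is why it is written as %00, not %2500.
REWRITE_PATTERN = re.compile(r"%00")


def decode_stages(raw_path):
    """Return the path after each successive %-decoding until it stops changing."""
    stages = [raw_path]
    while True:
        decoded = unquote(stages[-1])
        if decoded == stages[-1]:
            return stages
        stages.append(decoded)


def rewrite_rule_redirects(raw_path):
    """True if 'RewriteRule %00 / [B,R]' would redirect this request to /."""
    once_decoded = unquote(raw_path)          # what mod_rewrite actually sees
    return REWRITE_PATTERN.search(once_decoded) is not None


def backend_sees_nul(raw_path):
    """True if a handler that decodes the already-decoded path again receives a
    NUL byte, i.e. the request would reach the 'double null' condition if no
    rewrite rule intercepted it."""
    return "\x00" in unquote(unquote(raw_path))


if __name__ == "__main__":
    for path in ["/index.cfm", "/config.php%2500.cfm", "/config.php%00.cfm"]:
        print(path, decode_stages(path),
              "redirect" if rewrite_rule_redirects(path) else "pass",
              "NUL reaches backend" if backend_sees_nul(path) else "clean")
```

The third path shows that the rule only matches the decoded text %00, not a raw NUL produced by a single-encoded %00; Apache's own path decoding refuses such a request before mod_rewrite runs, which is exactly why the attack has to double-encode.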
Nessus output before the error is corrected:
Application: https Port: 443 Protocol: tcp VATID: 40667
Synopsis: The remote web server has an information disclosure vulnerability.
Description: The remote host is running a vulnerable version of ColdFusion on Apache. When requesting a non-ColdFusion file, appending a double-encoded null byte and an extension handled by ColdFusion (such as '.cfm') will display the contents of that file. A remote attacker could exploit this to view the source code of other files on the web server (e.g. PHP scripts), which may contain credentials or other sensitive information. This vulnerability is similar to CVE-2006-5858, which affected systems running ColdFusion on IIS. This vulnerability reportedly only affects systems running ColdFusion on Apache.
See also: http://www.adobe.com/support/security/bulletins/apsb09-12.html
Solution: Apply the relevant hotfix referenced in the vendor's advisory.
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: 3.7 (CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available: false
Script for Patching XenServer 6.5
Here's a little script that you can run at the dom0 console to automate loading hotfixes on a fresh installation of XenServer 6.5, up to patch XS65E005. The hotfixes are applied in order; when Citrix adds more, append another <download id>:<patch name> entry to the PATCHES list (e.g. XS65E006 with the id taken from its download URL). For each hotfix the script downloads and unzips the archive, uploads it with xe patch-upload, applies it to this host, and removes the files before moving on.
#!/bin/bash
# Apply XenServer 6.5 hotfixes in order. Each entry is <download-id>:<patch-name>.
PATCHES="10194:XS65E001 10195:XS65E002 10196:XS65E003 10201:XS65E005"

# UUID of the host we are running on: dom0's hostname matches the host's name-label,
# and the uuid line directly precedes the name-label line in 'xe host-list' output.
HOST_UUID=$(grep -B1 -f /etc/hostname <(xe host-list) | head -n1 | awk '{print $NF}')

for entry in $PATCHES; do
    id=${entry%%:*}
    patch=${entry##*:}
    wget "http://downloadns.citrix.com.edgesuite.net/akdlm/${id}/${patch}.zip"
    unzip "${patch}.zip"
    # patch-upload prints the uploaded patch's UUID as the last word of its last line
    PATCH_UUID=$(xe patch-upload file-name="${patch}.xsupdate" 2>&1 | tail -1 | awk '{print $NF}')
    xe patch-apply uuid="$PATCH_UUID" host-uuid="$HOST_UUID"
    rm -f *.zip *.xsupdate
done
AWK script to show number of apache hits per minute
Documenting this script to save me the time of rewriting it time and again on different servers. It takes the timestamp field ($4) from each of the last 100,000 requests, trims it to the minute and counts lines per minute; change 09\/Apr to the day you are interested in. The slash inside the awk regex must be escaped: an unescaped /09/Apr/ makes awk read /09/ as the whole pattern and the command fails with a syntax error.
tail -n100000 www.access.log | awk '/09\/Apr/{print $4}' | awk -F'[' '{print $2}' | awk -F':' '{print $1":"$2":"$3}' | sort | uniq -c
This shows output like this (hit count, then the minute):
21 09/Apr/2015:12:48
21 09/Apr/2015:12:49
21 09/Apr/2015:12:50
21 09/Apr/2015:12:51
21 09/Apr/2015:12:52
711 09/Apr/2015:12:53
1371 09/Apr/2015:12:54
1903 09/Apr/2015:12:55
2082 09/Apr/2015:12:56
2256 09/Apr/2015:12:57
2123 09/Apr/2015:12:58
1951 09/Apr/2015:12:59
1589 09/Apr/2015:13:00
1427 09/Apr/2015:13:01
811 09/Apr/2015:13:02
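The same count, plus the follow-up question a spike like the one above raises (which clients caused it), in Python 3. This is an added example, not part of the original post; the access-log lines are constructed in Apache combined format with documentation addresses, and the malformed last line is there to show that unparseable lines are skipped rather than counted.

```python
import re
from collections import Counter

# Constructed sample (not the page's real log): combined log format, one bad line.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2015:12:52:59 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Apr/2015:12:53:01 +0000] "GET /login HTTP/1.1" 200 814 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2015:12:53:01 +0000] "GET /login HTTP/1.1" 200 814 "-" "curl/7.35"
198.51.100.7 - - [09/Apr/2015:12:53:02 +0000] "GET /login HTTP/1.1" 200 814 "-" "curl/7.35"
198.51.100.7 - - [09/Apr/2015:12:53:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.35"
203.0.113.9 - - [09/Apr/2015:12:54:10 +0000] "GET /about HTTP/1.1" 200 211 "-" "Mozilla/5.0"
this line is not an access log entry
"""

# The bracketed timestamp is $4 in the awk one-liner; keep day/month/year:hour:minute.
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} ")


def hits_per_minute(log_text, day_filter=None):
    """Requests per minute, like tail|awk|sort|uniq -c; day_filter mimics the /09\\/Apr/ match."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if not m:
            continue                       # malformed or non-access-log line
        minute = m.group(1)
        if day_filter and not minute.startswith(day_filter):
            continue
        counts[minute] += 1
    return dict(sorted(counts.items()))


def top_clients(log_text, minute, n=3):
    """Client addresses with the most requests in one minute, busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if m and m.group(1) == minute:
            counts[line.split(" ", 1)[0]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for minute, hits in hits_per_minute(SAMPLE_LOG, day_filter="09/Apr").items():
        print("%7d %s" % (hits, minute))
    print(top_clients(SAMPLE_LOG, "09/Apr/2015:12:53"))
```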
Hana – Stopped statisticsserver service – Backup wont run
When running HANA on AWS, always stop the HANA service manually before stopping or restarting the AWS instance; if you don't, the statistics server does not appear to come back properly.
This does not appear to be EXPECTED behaviour, just something that we have figured out how to work around.
If you happen to forget this step, or the server is restarted without an administrator remembering it, you will need to restart HANA manually as described below.
Additionally, if for some reason your server runs out of memory or disk space, HANA can continue running while the statisticsserver process dies, and it cannot be restarted through HANA Studio.
While the statistics server is not running, you will not be able to run BACKUP within HANA.
So to restart HANA manually, ssh to the HANA host and run the following as root (hdbadm is the <sid>adm user of this instance; HDB stop/start restarts every service of the instance, statisticsserver included):
# su -l hdbadm
# ./HDB stop
# ./HDB start
Refresh from HANA Studio and you should see the statisticsserver process running again:
– Right Click -> Administration -> Landscape -> Services tab
For reference, the error that led me to this issue was the one I received when attempting to run a backup:
Backup error: Backup is not possible because the service 'statisticsserver' at 'vhcalhdbdb:30005' responsible for the volume '2' does not run
SSL Cipher Suites – Apache config for IE 11
In past posts I showed how I had followed some suggestions from Qualys on configuring Apache to only use specific ciphers in order to pass all of the required security scans.
However, it turns out that blindly using their list of ciphers led to another problem (displaying the page in IE 11), and I describe the fix below.
The process I go through below can also help you troubleshoot, find, and enable or disable the ciphers for any situation and browser.
On this page:
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
They suggest setting this SSLCipherSuite:
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4
However, I found IE 11 was showing "This web page can not be displayed" on Windows 7 and Windows Server 2008 (probably others as well).
I figured out that the problem was the cipher suite by commenting out the SSLCipherSuite line in Apache and restarting; the page then loaded.
So the next step was, with the line still commented out, to run the SSL Labs test:
https://www.ssllabs.com/ssltest/
The result shows details about the cipher suites negotiated by different browsers. I would use this tool to make sure you have the correct cipher suite for any and all browsers, and to exclude any older insecure browsers.
If you look down the report to the "Handshake Simulation" section you will find a listing of browsers with the cipher each one negotiated. IE 11 / Win 7 was showing as working EVEN BEFORE I noticed the 'can not be displayed' error, so I went on a hunch and decided to try enabling the cipher shown for the IE 8-10 / Win 7 entry:
TLS_RSA_WITH_AES_256_CBC_SHA
I googled "openssl TLS_RSA_WITH_AES_256_CBC_SHA", which brought me to the OpenSSL page listing all of the ciphers with their standard names next to their OpenSSL names; there I found "AES256-SHA", the OpenSSL name I needed to include in the Apache SSLCipherSuite directive:
https://www.openssl.org/docs/apps/ciphers.html
Next, to confirm that this cipher is even available on my server, I ran this command (the subcommand is ciphers, plural):
openssl ciphers -v AES256-SHA
which returned a result showing that the cipher was indeed available on the server.
So I added it towards the end, and the resulting SSLCipherSuite directive I have is:
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA AES256-SHA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
And now I can load the web page in IE 11.
Note that when I ran the ssllabs.com test again, it downgraded the site to an A-, because AES256-SHA uses static RSA key exchange and therefore offers no Forward Secrecy (marked with a small orange 'No FS' on the report).
I decided that this is an okay grade in order to allow IE 11 to access the site, but hopefully Microsoft figures it out.
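To see exactly which suites a cipher string like this turns into, without restarting Apache and re-running SSL Labs each time, the local OpenSSL can expand it through Python's ssl module. This is an added example, not part of the original post: it takes the Qualys list and the IE 11 fix from this post, reports whether AES256-SHA is offered, which suites lack forward secrecy (what the report marks 'No FS'), and whether any RC4 suite survives. OpenSSL applies the string left to right, so the trailing !RC4 permanently removes every RC4 suite, including the EECDH+aRSA+RC4 and RC4 entries earlier in the string, which are therefore dead weight. Results depend on the OpenSSL the interpreter is linked against, just as Apache's do.

```python
import re
import ssl

# The two SSLCipherSuite strings from this post.
QUALYS_LIST = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
               "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
               "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4")
FIXED_LIST = QUALYS_LIST.replace("EDH+aRSA RC4", "EDH+aRSA AES256-SHA RC4")


def expand_cipher_string(cipher_string):
    """Ordered (name, description) pairs the local OpenSSL derives from an Apache-style
    cipher string. TLS 1.3 suites are dropped: SSLCipherSuite does not govern them and
    they did not exist when this configuration was written."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    return [(c["name"], c["description"]) for c in ctx.get_ciphers()
            if c.get("protocol") != "TLSv1.3"]


def offers(cipher_string, suite_name):
    """Would a server configured with this string offer the named OpenSSL suite?"""
    return any(name == suite_name for name, _ in expand_cipher_string(cipher_string))


def without_forward_secrecy(cipher_string):
    """Suites using static RSA key exchange (Kx=RSA), which SSL Labs flags as 'No FS'."""
    return [name for name, desc in expand_cipher_string(cipher_string)
            if re.search(r"Kx=RSA\b", desc)]


def rc4_suites(cipher_string):
    """Any RC4 suite left after the string is evaluated (should be none with !RC4)."""
    return [name for name, _ in expand_cipher_string(cipher_string) if "RC4" in name]


if __name__ == "__main__":
    for label, s in (("qualys", QUALYS_LIST), ("fixed", FIXED_LIST)):
        print(label, "AES256-SHA offered:", offers(s, "AES256-SHA"),
              "no-FS suites:", without_forward_secrecy(s), "RC4:", rc4_suites(s))
```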
Changing IP Addresses on a XenServer 6.5 Pool
To change the IP addresses on a XenServer 6.5 pool, start with the slaves and use the following xe commands.
Remember: slaves first, then the master.
NOTE: There is no need to change the IP from the management console.
Find the UUID of the Host Management PIF:
xe pif-list params=uuid,host-name-label,device,management
You will see a big list. Find the UUID for the slave that you’re working on. Use the “more” pipe if the UUID for your particular slave scrolls off the screen:
xe pif-list params=uuid,host-name-label,device,management | more
Change the IP Address on the first slave:
xe pif-reconfigure-ip uuid=<UUID of host management PIF> IP=<New IP> gateway=<GatewayIP> netmask=<Subnet Mask> DNS=<DNS Lookup IPs> mode=<dhcp,none,static>
Then:
xe-toolstack-restart
Verify the new address with ifconfig, and/or ping it from a workstation.
Point the slave to the new Master IP Address:
xe pool-emergency-reset-master master-address=NEW_IP_OF_THE_MASTER
Repeat the commands above on all slaves.
On the Master:
xe pif-list params=uuid,host-name-label,device,management
xe pif-reconfigure-ip uuid=<UUID of host management PIF> IP=<New IP> gateway=<GatewayIP> netmask=<Subnet Mask> DNS=<DNS Lookup IPs> mode=<dhcp,none,static>
xe-toolstack-restart
DO NOT run the emergency-reset-master command on the Master.
Reboot the Master, then reboot the Slaves and verify that they can find the Master.
Matt Long
04/06/2015
SSL Vulnerability and Problem Test – Online and Command Line
There are many SSL vulnerabilities out there, and there seems to be no single test for all of them.
When working to correct SSL issues, the more comprehensive tests check EVERYTHING; while this is good, it also makes it difficult to test the small incremental changes that we make as system administrators.
This blog post collects, in one place, the links and methods we can use to quickly test individual failures.
The big test, which only takes a minute or so but is somewhat bloated for individual checks, is ssllabs.com. You will find most failures here and even get a grade:
http://ssllabs.com
But you won't find them all, and it is difficult to quickly test small changes. So here are some instant tests.
If you have an SSL chain issue:
openssl s_client -connect example.com:443
To test for CVE-2014-0224, otherwise known as the CCS Injection vulnerability, enter your domain here:
http://ccsbug.exposed/
To test for CVE-2014-0160 (Heartbleed):
http://possible.lv/tools/hb/
Verify ssl certificate chain using openssl
SSL certificates 'usually' work and show 'green' in browsers even if the full certificate chain is not correctly configured in Apache, because most browsers cache intermediates they have seen before or fetch the missing one themselves; stricter clients (Java, curl, mobile apps, PCI scanners) do neither and fail.
You can use tools such as SSL Labs (link) or run a PCI ASV check on your site to find out if you are compliant, but a quicker way is to use openssl from the command line.
Using this command you can quickly verify your SSL certificate and certificate chain from your Linux command line with openssl:
openssl s_client -showcerts -connect mydomain.com:443
If the long output ends with 'Verify return code: 0 (ok)', your chain is working. I received error 27 when it was not configured correctly; in practice a missing intermediate most often shows up as code 21 (unable to verify the first certificate) or 20 (unable to get local issuer certificate), and any non-zero code means the chain as the server sent it could not be validated against the local CA store, so also make sure openssl is using a current CA bundle before blaming the server.
In order to configure it correctly you will likely need a line in your Apache conf file that points at the intermediate/CA bundle:
SSLCACertificateFile <yourCAfilename>
(SSLCertificateChainFile is the directive intended for intermediates, and on Apache 2.4.8 and later they are simply appended to the SSLCertificateFile; SSLCACertificateFile works as well because OpenSSL completes the sent chain from those CA certificates.)
In addition to the lines which point at your key and certificate files:
SSLCertificateFile <yourcertfilename>
SSLCertificateKeyFile <yourkeyfilename>
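To make this check repeatable, for example as a post-deployment test, the Python 3 below parses what s_client prints. This is an added example, not part of the original post. The two outputs are constructed excerpts shaped like s_client's output (the CONNECTED line, the 'Certificate chain' block with s:/i: subject and issuer lines, and the 'Verify return code' line) for a server that sends only its leaf certificate and for one that sends the intermediate too; the names are made up.

```python
import re

# Constructed excerpt: server sends only the leaf, so the intermediate is missing.
MISSING_INTERMEDIATE = """\
CONNECTED(00000003)
depth=0 C = US, CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, CN = www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/CN=www.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""

# Constructed excerpt: leaf plus intermediate; the root lives in the client's CA store.
FULL_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/CN=www.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
    Verify return code: 0 (ok)
---
"""

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)
VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.*?)\)")


def parse_chain(s_client_output):
    """(subject, issuer) pairs in the order the server presented its certificates."""
    return [(s.strip(), i.strip()) for _, s, i in CHAIN_ENTRY.findall(s_client_output)]


def verify_code(s_client_output):
    """(code, text) from the 'Verify return code' line; (None, ...) if it is absent."""
    m = VERIFY_CODE.search(s_client_output)
    return (int(m.group(1)), m.group(2)) if m else (None, "no verify line found")


def chain_problems(s_client_output):
    """Findings worth acting on: a non-zero verify code, a server that sent only its
    leaf certificate, or consecutive certificates that do not chain (the issuer of one
    is not the subject of the next). The root is normally not sent, so an unmatched
    issuer on the last certificate is not reported."""
    problems = []
    code, text = verify_code(s_client_output)
    if code != 0:
        problems.append("verify return code %s: %s" % (code, text))
    chain = parse_chain(s_client_output)
    if not chain:
        problems.append("no certificate chain found in output")
        return problems
    leaf_subject, leaf_issuer = chain[0]
    if len(chain) == 1 and leaf_subject != leaf_issuer:
        problems.append("server sent only its leaf certificate; the intermediate "
                        "issued by %s is missing" % leaf_issuer)
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append("%s is followed by %s, not by its issuer %s"
                            % (subject, next_subject, issuer))
    return problems


if __name__ == "__main__":
    for label, out in (("missing", MISSING_INTERMEDIATE), ("full", FULL_CHAIN)):
        print(label, chain_problems(out) or "chain OK")
```

In use, feed it the real output: `openssl s_client -showcerts -connect mydomain.com:443 </dev/null 2>&1` captured with subprocess, then fail the deployment if chain_problems() returns anything.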
Using MPT-Status for RAID Monitoring in a Poweredge C6100 with Perc 6
This post outlines the steps needed to get a CLI report of the condition of the RAID volumes in a PowerEdge C6100 with a PERC 6/i RAID controller.
Verify your controller type first: mpt-status only talks to the LSI Fusion-MPT family (the LSISAS1068E reported below, the C6100's onboard SAS controller). A true PERC 6/i is a MegaRAID (megaraid_sas) controller, which mpt-status cannot query; if /proc/scsi/mptsas does not exist, you need MegaCli instead.
cat /proc/scsi/mptsas/0
ioc0: LSISAS1068E B3, FwRev=011b0000h, Ports=1, MaxQ=277
Download the following packages:
daemonize-1.5.6-1.el5.i386.rpm mpt-status-1.2.0-3.el5.centos.i386.rpm lsscsi-0.17-3.el5.i386.rpm
http://dl.nux.ro/utils/mpt-status/mpt-status-1.2.0-3.el5.centos.i386.rpm
http://dl.nux.ro/utils/mpt-status/daemonize-1.5.6-1.el5.i386.rpm
http://mirror.centos.org/centos/5/os/i386/CentOS/lsscsi-0.17-3.el5.i386.rpm
Install mpt-status:
rpm -ivh mpt-status-1.2.0-3.el5.centos.i386.rpm daemonize-1.5.6-1.el5.i386.rpm lsscsi-0.17-3.el5.i386.rpm
Load the mptctl module that mpt-status talks to, and arrange for it to load at boot:
modprobe mptctl
echo mptctl >> /etc/modules
(/etc/modules is read by Debian-style boot scripts; on a CentOS 5-based dom0 such as XenServer's, put the modprobe line in an executable /etc/rc.modules or in /etc/rc.local instead, and confirm after a reboot that lsmod still lists mptctl.)
Verify your modules:
lsmod |grep mpt
mptctl 90739 0
mptsas 57560 4
mptscsih 39876 1 mptsas
mptbase 91081 3 mptctl,mptsas,mptscsih
scsi_transport_sas 27681 1 mptsas
scsi_mod 145658 7 mptctl,sg,libata,mptsas,mptscsih,scsi_transport_sas,sd_mod
Run:
mpt-status
or
mpt-status -n -s
You can also use:
lsscsi -l
This little script:
echo `mpt-status -n -s|awk '/OPTIMAL/ {print $1, "OK"}; /ONLINE/ {print $1, "OK"}; /DEGRADED/ {print $1, "FAILURE"}; /scsi/ {print $2}; /MISSING/ {print $1, "FAILURE"} '`
reports:
vol_id:0 OK phys_id:1 OK phys_id:0 OK 100% 100%
On a rebuild, it reports:
vol_id:0 FAILURE phys_id:2 OK phys_id:3 OK 75% 75%
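The awk one-liner silently drops any state word it does not know, so a volume that reports something other than OPTIMAL/ONLINE/DEGRADED/MISSING would simply vanish from the summary. The Python 3 below is an added example (not part of the original post or of mpt-status) that reproduces the awk output exactly for the known states, treats unknown states as failures, and maps the summary to a Nagios exit code. The two sample outputs are constructed to match the format the awk patterns imply (one "<id> <STATE>" pair per line, scsi lines carrying a percentage) and the two result lines shown above.

```python
# Constructed 'mpt-status -n -s' output: healthy volume, and the same volume rebuilding.
OPTIMAL = """\
vol_id:0 OPTIMAL
phys_id:1 ONLINE
phys_id:0 ONLINE
scsi_id:1 100%
scsi_id:0 100%
"""
REBUILDING = """\
vol_id:0 DEGRADED
phys_id:2 ONLINE
phys_id:3 ONLINE
scsi_id:2 75%
scsi_id:3 75%
"""

# The state words the awk pipeline on this page understands.
STATE_MAP = {"OPTIMAL": "OK", "ONLINE": "OK", "DEGRADED": "FAILURE", "MISSING": "FAILURE"}


def summarize(mpt_output):
    """Same text the awk pipeline produces: '<id> OK|FAILURE' per volume/disk, then the
    scsi percentages, space-separated. Unknown states become FAILURE instead of being
    dropped (an addition over the awk version)."""
    words = []
    for line in mpt_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ident, state = parts[0], parts[1]
        if ident.startswith("scsi"):
            words.append(state)                # e.g. "75%" rebuild progress
        else:
            words.extend([ident, STATE_MAP.get(state, "FAILURE")])
    return " ".join(words)


def nagios_status(mpt_output):
    """(exit code, message) in Nagios convention: 0 OK, 2 CRITICAL, 3 UNKNOWN."""
    summary = summarize(mpt_output)
    if not summary:
        return 3, "UNKNOWN - no mpt-status output"
    if "FAILURE" in summary.split():
        return 2, "CRITICAL - " + summary
    return 0, "OK - " + summary


if __name__ == "__main__":
    import subprocess, sys
    # Real use: run the tool (the page's path) and exit with the Nagios code.
    try:
        out = subprocess.run(["/usr/sbin/mpt-status", "-n", "-s"],
                             capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = REBUILDING                      # fall back to the sample when run elsewhere
    code, msg = nagios_status(out)
    print(msg)
    sys.exit(code)
```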
Copy that script into a file called "check_raid" and make it executable, e.g. chmod 755.
Edit nagios-statd on parcel1 (the C6100 node being monitored). At line 20, replace "sudo /customcommands/check_raid.pl -b -w1 -c1" with the filename /customcommands/check_raid (without the switches), dropping "sudo".
So, from this:
commandlist['Linux'] = ("df -P","who -q | grep \"#\"","ps ax","uptime","free | awk '$1~/^Swap:/{print ($3/$2)*100}'","sudo /customcommands/check_raid.pl -b -w1 -c1")
To this:
commandlist['Linux'] = ("df -P","who -q | grep \"#\"","ps ax","uptime","free | awk '$1~/^Swap:/{print ($3/$2)*100}'","/customcommands/check_raid")
Port 1040 will need to be opened in XenServer's dom0 firewall. Edit /etc/sysconfig/iptables and insert this line. As written it accepts connections from any source, leaving the daemon's -a allow list as the only thing stopping other hosts from querying it; since nagios-statd runs commands on request with no authentication of its own, prefer restricting the rule to the Nagios server by adding -s <nagios server IP>:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1040 -j ACCEPT
Restart the firewall:
service iptables restart
Output:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]
NOTE: The "FAILED" line above (ip_conntrack_netbios_ns not loading) doesn't seem to be a problem.
Verify that port 1040 is open by checking the firewall status:
service iptables status
Output:
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
2 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1040
9 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:694
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
14 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Running "nagios-statd" opens port 1040 on parcel1 and listens for commands initiated by nagios-stat on the Nagios server.
On the Nagios server, in a file called "remote.orig.cfg", there are commands defined using "nagios-stat". NOTE: these are from a working server and haven't been modified to work with mpt; some changes may be needed. This is just an example of the interaction between the Nagios server and client.
Example:
define command{
    command_name check_remote_raid
    command_line $USER1$/nagios-stat -w $ARG1$ -c $ARG2$ -p $ARG3$ raid $HOSTADDRESS$
}
This command defined above is used in the "services.cfg" file.
Example:
define service{
    use matraex-template
    host_name mtx-lilac
    service_description Lilac /data Raid
    check_command check_remote_raid!1!1!1040
}
The three files needed on the C6100 node are:
/customcommands/check_raid (contents below) -rwxr-xr-x
/customcommands/nagios-statd (contents below) -rwxr-xr-x
/etc/init.d/nagios-statd (contents below) -rwxr--r--
Creating the soft links:
ln -s /etc/init.d/nagios-statd /etc/rc.d/rc3.d/K01nagios-statd
ln -s /etc/init.d/nagios-statd /etc/rc.d/rc3.d/S99nagios-statd
The -s = soft, and -f if used, forces overwrite.
/rc3.d/ designates runlevel 3
So when you do this:
ls -lt /customcommands/nagios-statd /etc/init.d/nagios-statd /customcommands/check_raid /etc/rc.d/rc3.d/*nagios-statd
This is what you should see:
lrwxrwxrwx 1 root root 22 Mar 6 08:08 /etc/rc.d/rc3.d/K01nagios-statd -> ../init.d/nagios-statd
-rwxr-xr-x 1 root root 365 Mar 6 07:59 /customcommands/check_raid
lrwxrwxrwx 1 root root 22 Mar 6 07:52 /etc/rc.d/rc3.d/S99nagios-statd -> ../init.d/nagios-statd
-rwxr-xr-x 1 root root 649 Mar 6 07:51 /etc/init.d/nagios-statd
-rwxr-xr-x 1 root root 9468 Mar 5 12:05 /customcommands/nagios-statd
Script Files:
NOTE: Here’s a little fix that helped me out. I had originally pasted these scripts into a DOS/Windows editor (wordpad) and it added DOS-type returns to the file, resulting in an error:
-bash: ./nagios-statd: /bin/sh^M: bad interpreter: No such file or directory
If you encounter this, do this:
Open the file in vi
hit “:” to go into command mode
enter “set fileformat=unix”
then :wq to quit.
/customcommands/check_raid:
#!/bin/bash
EXECFILE=/usr/sbin/mpt-status
if [ ! -e $EXECFILE ] ; then
    echo
    echo "Error $EXECFILE is not installed, please install before running"
    echo
    echo "Usage $0";
    echo
    exit 10
fi
echo `$EXECFILE -n -s|awk '/OPTIMAL/ {print $1, "OK"}; /ONLINE/ {print $1, "OK"}; /DEGRADED/ {print $1, "FAILURE"}; /scsi/ {print $2}; /MISSING/ {print $1, "FAILURE"} '`
/customcommands/nagios-statd:
#!/usr/bin/python
# nagios-statd 3.09 (Python 2: print statements, SocketServer and the
# "except X, (a, b)" form are Python 2 only, as on a CentOS 5 dom0).
# The only access control is the -a allow list checked by source address;
# the protocol itself carries no authentication.
import getopt, os, sys, signal, socket, SocketServer

class Functions:
    "Contains a set of methods for gathering data from the server."
    def __init__(self):
        self.nagios_statd_version = 3.09
        # As of right now, the commands are for df, who, proc, uptime, and swap
        # (plus the local check_raid entry added for Linux).
        commandlist = {}
        commandlist['AIX'] = ("df -Ik","who | wc -l","ps ax","uptime","lsps -sl | grep -v Paging | awk '{print $2}' | cut -f1 -d%")
        commandlist['BSD/OS'] = ("df","who | wc -l","ps -ax","uptime",None)
        commandlist['CYGWIN_NT-5.0'] = ("df -P",None,"ps -s -W | awk '{printf(\"%6s%6s%3s%6s%s\\n\",$1,$2,\" S\",\" 0:00\",substr($0,22))}'",None,None)
        commandlist['CYGWIN_NT-5.1'] = commandlist['CYGWIN_NT-5.0']
        commandlist['FreeBSD'] = ("df -k","who | wc -l","ps ax","uptime","swapinfo | awk '$1!~/^Device/{print $5}'")
        commandlist['HP-UX'] = ("bdf -l","who -q | grep \"#\"","ps -el","uptime",None)
        commandlist['IRIX'] = ("df -kP","who -q | grep \"#\"","ps -e -o \"pid tty state time comm\"","/usr/bsd/uptime",None)
        commandlist['IRIX64'] = commandlist['IRIX']
        commandlist['Linux'] = ("df -P","who -q | grep \"#\"","ps ax","uptime","free | awk '$1~/^Swap:/{print ($3/$2)*100}'","/customcommands/check_raid")
        commandlist['NetBSD'] = ("df -k","who | wc -l","ps ax","uptime","swapctl -l | awk '$1!~/^Device/{print $5}'")
        commandlist['NEXTSTEP'] = ("df","who | /usr/ucb/wc -l","ps -ax","uptime",None)
        commandlist['OpenBSD'] = ("df -k","who | wc -l","ps -ax","uptime","swapctl -l | awk '$1!~/^Device/{print $5}'")
        commandlist['OSF1'] = ("df -P","who -q | grep \"#\"","ps ax","uptime",None)
        commandlist['SCO-SV'] = ("df -Bk","who -q | grep \"#\"","ps -el -o \"pid tty s time args\"","uptime",None)
        commandlist['SunOS'] = ("df -k","who -q | grep \"#\"","ps -e -o \"pid tty s time comm\"","uptime","swap -s | tr -d -s -c [:digit:][:space:] | nawk '{print ($3/($3+$4))*100}'")
        commandlist['UNIXWARE2'] = ("/usr/ucb/df","who -q | grep \"#\"","ps -el | awk '{printf(\"%6d%9s%2s%5s %s\\n\",$5,substr($0, 61, 8),$2,substr($0,69,5),substr($0,75))}'","echo `uptime`, load average: 0.00, `sar | awk '{oldidle=idle;idle=$5} END {print 100-oldidle}'`,0.00",None)
        # Now to make commandlist with the correct one for your OS.
        try:
            self.commandlist = commandlist[os.uname()[0]]
        except KeyError:
            print "Your platform isn't supported by nagios-statd - exiting."
            sys.exit(3)

    # Below are the functions that the client can call.
    def disk(self):
        return self.__run(0)
    def proc(self):
        return self.__run(2)
    def swap(self):
        return self.__run(4)
    def uptime(self):
        return self.__run(3)
    def user(self):
        return self.__run(1)
    def raid(self):
        # Index 5 only exists in the Linux command list (check_raid above).
        return self.__run(5)
    def version(self):
        i = "nagios-statd " + str(self.nagios_statd_version)
        return i

    def __run(self,cmdnum):
        # Unmask SIGCHLD so popen can detect the return status (temporarily)
        signal.signal(signal.SIGCHLD, signal.SIG_DFL)
        outputfh = os.popen(self.commandlist[cmdnum])
        output = outputfh.read()
        returnvalue = outputfh.close()
        signal.signal(signal.SIGCHLD, signal.SIG_IGN)
        if (returnvalue):
            return "ERROR %s " % output
        else:
            return output

class NagiosStatd(SocketServer.StreamRequestHandler):
    "Handles connection initialization and data transfer (as daemon)"
    def handle(self):
        # Check to see if user is allowed
        if self.__notallowedhost():
            self.wfile.write(self.error)
            return 1
        if not hasattr(self,"generichandler"):
            self.generichandler = GenericHandler(self.rfile,self.wfile)
        self.generichandler.run()

    def __notallowedhost(self):
        "Compares list of allowed hosts to client's IP address."
        # No -a option given: every client is allowed.
        if hasattr(self.server,"allowedhosts") == 0:
            return 0
        for i in self.server.allowedhosts:
            if i == self.client_address[0]:  # Address is in list
                return 0
            try:  # Do an IP lookup of host in allowed list
                i_ip = socket.gethostbyname(i)
            except:
                self.error = "ERROR DNS lookup of allowed host \"%s\" failed. Denying by default." % i
                return 1
            if i_ip != i:  # If entry in list isn't an IP, compare by FQDN
                # Relies on the client's reverse DNS, which the client's network owner controls;
                # list IP addresses in -a when that matters.
                if socket.getfqdn(i) == socket.getfqdn(self.client_address[0]):
                    return 0
        self.error = "ERROR Client is not among hosts allowed to connect."
        return 1

class GenericHandler:
    def __init__(self,rfile=sys.stdin,wfile=sys.stdout):
        # Create functions object
        self.functions = Functions()
        self.rfile = rfile
        self.wfile = wfile

    def run(self):
        # Get the request from the client
        line = self.rfile.readline()
        line = line.strip()
        # Check for appropriate requests from client
        if len(line) == 0:
            self.wfile.write("ERROR No function requested from client.")
            return 1
        # Only the public methods of Functions are callable over the wire (added guard:
        # a request such as "__init__" would otherwise be looked up and called too).
        if line.startswith("_"):
            self.wfile.write("ERROR Function \"" + line + "\" does not exist.")
            return 1
        # Call the appropriate function
        try:
            output = getattr(self.functions,line)()
        except AttributeError:
            error = "ERROR Function \"" + line + "\" does not exist."
            self.wfile.write(error)
            return 1
        except (TypeError, IndexError):
            # None entry (popen(None)) or, for raid, a platform whose list has no 6th command
            error = "ERROR Function \"" + line + "\" not supported on this platform."
            self.wfile.write(error)
            return 1
        # Send output
        if output.isspace():
            error = "ERROR Function \"" + line + "\" returned no information."
            self.wfile.write(error)
            return 1
        elif output == "ERROR":
            error = "ERROR Function \"" + line + "\" exited abnormally."
            self.wfile.write(error)
        else:
            for line in output:
                self.wfile.write(line)

class ReUsingServer (SocketServer.ForkingTCPServer):
    allow_reuse_address = True

class Initialization:
    "Methods for interacting with user - initial code entry point."
    def __init__(self):
        self.port = 1040
        self.ip = ''
        # Run this through Functions initially, to make sure the platform is supported.
        i = Functions()
        del(i)

    def getoptions(self):
        "Parses command line"
        try:
            opts, args = getopt.getopt(sys.argv[1:], "a:b:ip:P:Vh", ["allowedhosts=","bindto=","inetd","port=","pid=","version","help"])
        except getopt.GetoptError, (msg, opt):
            print sys.argv[0] + ": " + msg
            print "Try '" + sys.argv[0] + " --help' for more information."
            sys.exit(3)
        for option,value in opts:
            if option in ("-a","--allowedhosts"):
                value = value.replace(" ","")
                self.allowedhosts = value.split(",")
            elif option in ("-b","--bindto"):
                self.ip = value
            elif option in ("-i","--inetd"):
                self.runfrominetd = 1
            elif option in ("-p","--port"):
                self.port = int(value)
            elif option in ("-P","--pid"):
                self.pidfile = value
            elif option in ("-V","--version"):
                self.version()
                sys.exit(3)
            elif option in ("-h","--help"):
                self.usage()

    def main(self):
        # Retrieve command line options
        self.getoptions()
        # Just splat to stdout if we're running under inetd
        if hasattr(self,"runfrominetd"):
            server = GenericHandler()
            server.run()
            sys.exit(0)
        # Check to see if the port is available
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self.ip, self.port))
            s.close()
            del(s)
        except socket.error, (errno, msg):
            print "Unable to bind to port %s: %s - exiting." % (self.port, msg)
            sys.exit(2)
        # Detach from terminal
        if os.fork() == 0:
            # Make this the controlling process
            os.setsid()
            # Be polite and chdir to /
            os.chdir('/')
            # Try to close all open filehandles
            for i in range(0,256):
                try: os.close(i)
                except: pass
            # Redirect the offending filehandles
            sys.stdin = open('/dev/null','r')
            sys.stdout = open('/dev/null','w')
            sys.stderr = open('/dev/null','w')
            # Set the path
            os.environ["PATH"] = "/bin:/usr/bin:/usr/local/bin:/usr/sbin"
            # Reap children automatically
            signal.signal(signal.SIGCHLD, signal.SIG_IGN)
            # Save pid if user requested it
            if hasattr(self,"pidfile"):
                self.savepid(self.pidfile)
            # Create a forking TCP/IP server and start processing
            server = ReUsingServer((self.ip,self.port),NagiosStatd)
            if hasattr(self,"allowedhosts"):
                server.allowedhosts = self.allowedhosts
            server.serve_forever()
        # Get rid of the parent
        else:
            sys.exit(0)

    def savepid(self,file):
        try:
            fh = open(file,"w")
            fh.write(str(os.getpid()))
            fh.close()
        except:
            print "Unable to save PID file - exiting."
            sys.exit(2)

    def usage(self):
        print "Usage: " + sys.argv[0] + " [OPTION]"
        print "nagios-statd daemon - remote UNIX system monitoring tool for Nagios.\n"
        print "-a, --allowedhosts=HOSTS   Comma delimited list of IPs/hosts allowed to connect."
        print "-b, --bindto=IP            IP address for the daemon to bind to."
        print "-i, --inetd                Run from inetd."
        print "-p, --port=PORT            Port to listen on."
        print "-P, --pid=FILE             Save pid to FILE."
        print "-V, --version              Output version information and exit."
        print "-h, --help                 Print this help and exit."
        sys.exit(3)

    def version(self):
        i = Functions()
        print "nagios-statd %.2f" % i.nagios_statd_version
        print "os.uname()[0] = %s " % os.uname()[0]
        print "Written by Nick Reinking\n"
        print "Copyright (C) 2002 Nick Reinking"
        print "This is free software.  There is NO warranty; not even for MERCHANTABILITY or"
        print "FITNESS FOR A PARTICULAR PURPOSE."
        print "\nNagios is a trademark of Ethan Galstad."

if __name__ == "__main__":
    # Check to see if running Python 2.x+ / needed because getfqdn() is Python 2.0+ only
    if (int(sys.version[0]) < 2):
        print "nagios-statd requires Python version 2.0 or greater."
        sys.exit(3)
    i = Initialization()
    i.main()
/etc/init.d/nagios-statd:
#!/bin/sh
#
# This file should have uid root, gid sys and chmod 744
#
if [ ! -d /usr/bin ]
then    # /usr not mounted
    exit
fi

killproc() {            # kill the named process(es)
    pid=`/bin/ps -e |
         /bin/grep -w $1 |
         /bin/sed -e 's/^ *//' -e 's/ .*//'`
    [ "$pid" != "" ] && kill $pid
}

# Start/stop processes required for netsaint_statd server
case "$1" in
'start')
    /customcommands/nagios-statd -a <IP of Allowed Nagios Server>,<IP of Test Workstation> -p 1040
    ;;
'stop')
    killproc nagios-statd
    ;;
*)
    echo "Usage: /etc/init.d/nagios-statd { start | stop }"
    ;;
esac
Testing:
As you can see in the init script above, I've added the IP address of a test workstation. This allows me to simply telnet to a node in the C6100 and execute one of the commands defined in this section of the /customcommands/nagios-statd script:
    # Below are the functions that the client can call.
    def disk(self):
        return self.__run(0)
    def proc(self):
        return self.__run(2)
    def swap(self):
        return self.__run(4)
    def uptime(self):
        return self.__run(3)
    def user(self):
        return self.__run(1)
    def raid(self):
        return self.__run(5)
At your workstation, telnet to <Node IP Address> 1040
When connected, the screen will be blank.
Type “raid”. The screen won’t echo this.
When you hit enter, you should see:
vol_id:0 OK phys_id:2 OK phys_id:3 OK 100% 100%
Now you’re ready to move on to the Nagios configuration.
Matt Long
03/06/2015
apache commands that ‘might’ make your server more PCI compliant
Add the following directives to your Apache configuration file to help make it more PCI compliant. The rewrite rules refuse TRACE and TRACK requests (cross-site tracing), SSLv2 and SSLv3 are disabled, and the server's own cipher preference order is enforced:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
Note that this cipher string, unlike the Qualys-derived one in the IE 11 post above, does not end with !RC4, so the EECDH+aRSA+RC4 and RC4 entries stay active and RC4 suites will be offered; append !RC4 unless a legacy client specifically needs it. On Apache 2.0.55 and later, TraceEnable off is the simpler way to refuse TRACE.
Update: I have made some new notes in another blog post for requirements that helped a client pass an additional test with TrustWave