Safado's questions

I'm trying to enable SSL for Active Directory in our domain. The problem I'm running into is that the server is failing to recognize the certificate I've made for it. Whenever I try to query the server using ssl (using ldp.exe), I get event 36886 which basically states that a suitable certificate could not be found on the server.

I've gone through this kb article for troubleshooting and here's what I've got

• I've placed the cert on the local machine's certificate store, under the Personal container. I used openssl on a Linux machine as the CA and have placed its certificate under the Trusted Root Certification Authorities container.

• My domain controllers FQDN is in the Subject of the cert. An alternate name has also been added in the extendedKeyUsage section, neither works when querying.

• I have serverAuth and clientAuth in the EnhancedKeyUsage section

• When I double click the cert in the mmc console, it states at the bottom that "You have a private key that corresponds to this certificate" however, as per the KB instructions I run thecertutil -verifykeys command and it returns The system cannot find the file specified.

• When I double click the cert and go to Certification Path, it lists my CA and then the certificate, then below it says This certificate is OK, so I'm assuming that means the chain is valid.

• It's the only certificate in the Personal store for the computer

• When I do something like certutil -verifystore MY 0 it lists the cert and the only complaints it has is about the revocation list because I never made a crl, but it still says the certificate is valid at the end.

I'm guessing the reason it's failing is tied to why certutil -verifykeys is failing, but I haven't been able to find what it actually means when I get the error that I do.

Can anyone point me in the right direction?

I created a new folder at /modevasive to hold my mod_evasive scripts and for the Log Directory. I'm trying to change the context type to httpd_sys_content_t so Apache can write to the folder. I did semanage fcontext -a -t "httpd_sys_content_t" /modevasive to change the context and then restorecon -v /modevasive to enable the change, but restorecon didn't do anything. So I used chcon to change it manually, did the restorecon to see what would happen and it changed it back to default_t.

semanage fcontext -l gives:

/modevasive/          all files          system_u:object_r:httpd_sys_content_t:s0`

And looking at /etc/selinux/targeted/contexts/files/file_contexts.local gives

 /modevasive/    system_u:object_r:httpd_sys_content_t:s0

So why does restorecon keep setting it back to default_t?

tl;dr - What are the dangers of giving Apache a shell in /etc/passwd?

I'm working on getting mod_evasive set up with Apache to fight DOS attempts. I use the DOSSystemCommand to run a script that adds the offending IP address to a BANNED chain in iptables.

I've found that the only way that I can get this process to work is if I change Apache's shell from /sbin/nologin to /bin/bash. But it's really only one part of the script that fails by not having the shell changed. Here's the DOSSystemCommand line and the script that it runs:

 DOSSystemCommand    "/usr/bin/sudo /bin/bash /var/www/html/ban_ip.sh %s"

and the script ... (note I'm just in testing.. which is why I have verbose output and short banning periods)

#!/bin/bash

IP=$1
IPTABLES=/sbin/iptables

sudo $IPTABLES -I BANNED -p tcp -s $IP --dport 443 -j DROP
sudo $IPTABLES -I BANNED -p tcp -s $IP --dport 80 -j DROP

echo sudo $IPTABLES -v -D BANNED -p tcp -s $IP --dport 80 -j DROP | at -m now + 1 minutes
echo sudo $IPTABLES -v -D BANNED -p tcp -s $IP --dport 443 -j DROP | at -m now + 2 minutes
echo rm -fv /tmp/dos-$IP | at -m now + 2 minutes

So with Apache having a shell of /sbin/nologin, It'll add the IPTABLES rules and it'll create the at jobs, but when I get an email with the result of the at jobs, it states that the User is currently unavailable, so the iptables rules are never deleted. If I give Apache /bin/bash as its shell, the iptables rules are added, the at jobs are created, and the iptables deletion work as expected at their designated time.

So my question is: In what way am I putting my server at risk by giving the Apache user a shell?

I'm trying to get mod_evasive to fire off a script to add an iptables rule to deny the offending host. I've tried the suggestions from both answers here but I still can't get it working. Apart from the post that's linked, I'm trying to run a script as outlined in this article.

My Apache config has this

DOSSystemCommand "sudo -u root /root/scripts/ban_ip.sh %s"

The script has this

#!/bin/sh

IP=$1
IPTABLES=/sbin/iptables

$IPTABLES -A banned -s $IP -p TCP -j DROP

echo "$IPTABLES -D banned -s $IP -p TCP -j DROP" | at now + 5 minutes

I've created a 'banned' chain (I've also just tried to add it to the INPUT chain to no avail)

My /etc/sudoers looks like this:

apache ALL=(root) NOPASSWD: /root/scripts/ban_ip.sh *

I've disabled SELinux to make sure it's not getting in the way. I can su apache --shell=/bin/bash and run sudo /root/scripts/ban_ip.sh 10.10.10.10 and it works just fine.

But when a source gets flagged as malicious in mod_evasion, it denies the host with 403s but it never runs the script, so I'm not really gaining any advantage here.

What else can I try to get this working?

I have an issue that I haven't been able to find an answer for. I have a handful of Mac designers here that started using a program called Articulate to generate flash objects to embed on our website. Articulate will create a folder, and in that folder is an html file, some javascript files and the swf file.

The designers have a single PC that they use the Articulate software on, and then they'll move the generated files to their department Share (running on a Windows Server 2008 box). Then they'll get on their macs, connect to the Windows file server via SMB and pull the file to their local computer.

The issue that is coming up is that when they pull the files from the Share to their Mac, OS X is making the permissions 700. When the users try and change the permissions using Finder > Get Info, they get a message that says it can't complete the operation, error code -50. If I use chmod from the terminal, it fixes it just fine. This is an issue because the CMS system we use depends on the files having the GROUP set to read. So with these files being copied down as 700, it's breaking the CMS.

If I create a new file or folder from the GUI or from the terminal, it applies the umask as expected and gives me 755 and 644, but through SMB it's doing 700. How can I change what default permissions are being set when they pull a file from a SMB share?

Additional Information:

On the Windows share, the folder has the Designers group with all permissions except for "change permissions" and "take ownership". The Designer will then get on their iMac and connect to the Windows fileserver using their Active Directory user, which is a member of the Designer group. Once they've pulled the share up in Finder, they find the folder they want and they drag and drop it to their local desktop. Upon inspecting the permissions of this new folder on their local machine, they have

drwxr-xr-x   63 ryan  staff   2142 May 23 09:31 .
drwxr-xr-x  337 ryan  staff  11458 May 22 16:25 ..
drwx------   5 ryan  staff     170 May 22 11:54 Folder1

We're not very pleased with our current colocation provider and so we're looking to move to a different company in a different city. Our business is an online school that's accessed world wide (which means we need 24x7 availability to our application, but maybe 1-2 hours max of downtime is affordable). Colleges and Universities around the world offer our curriculum as their own, so part of those agreements say we can have no more than X amount of downtime in any given month if they are to pay us.

So I have a plan, but I want to put it out in the open to see if anyone else see any problems with it that I may be overlooking, or maybe if you have a better plan you can suggest.

Our setup: Intel Modular Server, FreeBSD with jails, apache, mysql, php. The domain where the students log in is something like portal.mydomain.com

I was thinking that we could put up a second instance of our server at Site B (the new site) and give it a new domain name (portal1.mydomain.com). We could then force all traffic from portal.mydomain.com to redirect to portal1.mydomain.com. At that point we would make the DNS change for our original domain name to have the new IP address. Then we would give it 48 hours for DNS changes to propogate. At that point we would then just change apache on the new instance to respond to portal.mydomain.com instead of portal1 and then everything is business as usual.

Are there any holes in this plan I'm overlooking? Is there a better way to do it?

I have a Windows Storage Server 2008 machine acting as our company file server. I need to give someone access to same folder and files in our Marketing folder (which contains easily 100,000+ files). The user needs access to Marketing/images, but nothing else in the marketing folder. So my thought is to add read privileges to the Marketing folder, and then add read/write to the images folder, subfolders and files.

When I go to add the permissions on the Marketing folder, I select the correct read permissions and then I set the scope to "This folder only". When I click apply, it seems to touch every file within the Marketing folder (which takes forever). In the end it only added his permissions to the Marketing folder like I expected, but it still had to touch every other single file.

What is it doing? All the other files inherit their permissions, so is it telling every single file "Inherit permissions from Marketing except for user John Doe"? Am I doing it wrong?

We have a site-to-site VPN connection between our main office and our production web servers at our collocation using two SonicWall devices. By default, the VPN tunnel allows all traffic between the two sites. I want to restrict this so that we block all INCOMING traffic from the collocation to the office, that way our private network is more protected in the event that our production servers are compromised.

A problem that I'm seeing, though, is that our servers that we have joined to the domain still need to be able to contact the DC in our office for group policy, ldap information, etc.. After a bit of poking around for all the services and ports used by AD, I found that the RPC service uses random ports, which makes it difficult to punch a hole in the firewall to make it work. I found this kb article which describes how to change it to a specific port on all of your domain controllers, which would then allow me to open up a single port on the firewall. What this article doesn't go over is the downsides of doing so. I imagine they have the ports randomized for a reason .. and taking that away is removing whatever benefit that it provides.

What would I be losing by switching this to a specific port? The instructions have me edit the registry on all my DCs, which I would love to avoid. Also, would this be a good case in which we would benefit from having an RODC at our collo site?

I have an XP Pro computer acting as a Quickbooks server. I've noticed that any user on the domain can access the computer via \\quickbooks\c$. I've looked in the local Administrators group on the quickbooks server and there is no group that any domain user would be a part of. I've checked the access on all of my Windows Server 2008 machines and they work as expected (Domain Users cannot access c$ share). It's just this one computer that is allowing them.

I can't find any hint as to why it's allowing access for everyone. Any ideas on where else I can check?

I set out to integrate Active Directory with the iDRAC LOM for our Dell servers. One of the prerequisites is that the Domain Controllers be SSL enabled for ldap communication. The setup process in iDRAC says Upload Active Directory CA Certificate. So I log in to one of our DCs, go to its personal certificate store, and it's empty. Up until today I've always assumed that our domain services were using SSL (I wasn't the one who set up the domain). I've never set it up before myself, and I'm not too familiar with the ins-and-outs, so the only way I know to check whether we're using SSL or not is to use wireshark on the DC and captures packets. Capturing on port 636 yielded nothing while capturing on 389 gave me all sorts of data. So at this point I'm pretty sure we're not using SSL.

So my question is, how important is it that the directory information that is transmitted back and forth be encrypted? I'm assuming that if there were an immediate risk over it not being encrypted no matter what your domain is like (whether the company is big or small with varying levels of security rules), that Microsoft would have just forced the SSL.

Obviously I would like to have AD integration with the LOM on my Dell servers, but I have some work to do before implementing it. A couple of questions I would like answers to are:

1. What risks should I be aware of that we're facing by not using SSL
2. If I follow one of the million guides on the internet to enable SSL, will it interrupt current service? Or will I be able to do it and the client machines will some how be informed to use SSL automatically?
3. I have two DCs running a single domain as domain.local. Since it's an "internal" TLD, I'm guessing I'll need to set this up using an internal CA and not a third party?
4. Based off the answer of #1, would you say it's safe to stay off of SSL? What would you feel is the ratio of benefit to effort involved in getting converted to ssl?

I need some ideas on how our work flow compares to some others. We have a single developer that works on our marketing website and she knows how to code and that's about it (no source control experience, no command line.... nothing). In the past the developer has always edited everything directly on the server using Eclipse. Meaning, if she fat-fingered something and saved it, it was viewable to the world.

So after dozens of "mishaps", I've been tasked with creating a new workflow that's more appropriate than just editing the files on the live server. Here's what I've got so far..

1. Subversion server with a marketing repository

2. A "Production" VM with the main marketing site that is up on the webs as we speak.

3. A "Staging" VM that allows her to see changes in an identical environment before we upload any changes to "Production"

4. A script that allows her to sync the latest SVN tag to either of those servers.

To keep the integrity of those two servers, I'd like to make a third "Sandbox" server. It'd be another VM, copied from the "Staging" server. With this server she can experiment with code, try new things and not worry about making the Staging or the Production servers FUBAR.

When I proposed this plan, I got a lot of grumbling and moaning from multiple parties about how much work this creates for her. The flow would be:

Edit Code in new branch > sync to SANDBOX. Repeat until satisfied. Merge changes to Trunk, create a new a tag from trunk and sync to STAGING. Do a QA check. If everything looks ok, sync to PRODUCTION. (I'm very open to new ideas for this process)

As could be expect from someone who's never used source control in their life and is used to editing the file, pushing ctrl+s to save, and then refreshing the browser, this is a nightmare. I'd love to find some middle ground, but having a hard time doing so if we're to keep the Sandbox/Staging/Production set up.

What has worked for you guys?

We use WhatsUp Gold to monitor all of our web servers. On our Linux servers (and much to the same degree, our FreeBSD servers) I'm having a little bit of an issue with the memory monitors. We're using SNMP with WUG to grab the data from the servers. The memory counter that the SNMP daemon returns on the servers is the combined value (used, cached, buffers). Right now one of my servers looks like this:

[admin@stgwww snmp]$ free -m
             total       used       free     shared    buffers     cached 
Mem:          7872       1656       6216          0        143      1107
-/+ buffers/cache:        404       7467 
Swap:         4867          0       4867

The Value being returned via SNMP to WUG is 1656. From what I understand, the cached RAM is essentially FREE RAM with the added benefit of hanging on to data that previously occupied it in case it's needed again. So for our purposes of wanting to know how much RAM is actually being actively used, the value we're getting back is misleading. If we go off of what's being graphed by WUG, we're being led to believe that more RAM is being used and less is available than there really is.

So whats that best way to go about monitoring this? WUG allows me to write SSH scripts, which can SSH into the server every 5 minutes or so, execute a script and return the value (as long as it's a single numeric value). With this I've written a script that pulls the "404" number from the example above and divides it by the total amount giving me a percent used value which I return to WUG and graph on a chart that scales from 0 to 100. But this seems like way to much of a hack.

Am I better off monitoring the free+buffers+cached value? Is there a better way to do this in WUG? Thoughts?

I wanted to delete files that were greater than 2MB within a specific folder. So I ran:

find . -size +2M

And I got a list of two files

./a/b/c/file1

./a/f/g/file2

So I then run:

find . -size +2M -exec rm ;

and I get the error message Find: missing argument to -exec

I check the syntax in the man page and it says -exec command ;

So instead I try

find . -size +2M -exec rm {} +

And it works. I understand that the {} make it execute the command like rm file1 file2 instead of rm file1; rm file2;.

So why didn't the first one work?

ANSWER:

I guess I just had to RTFM a couple of times to finally understand what it was saying. Even though the first example doesn't show {}, the braces are required in all cases. And then either add \; or + depending on the desired method. Don't just read the heading. Read the description as well. Got it.

I have two web servers at our colocation running CentOS 6.0. One runs our main marketing web site (production server) and the other is a staging server for the production server, so almost an exact replica. Both of them are behind a firewall and have private IP addresses. The firewall is connected to our main office with a site-to-site VPN tunnell. Both of the servers have their nameservers set up to use our internal DNS servers here in our main office.

On the production server, I'm facing this exact same issue, even the same hostname of phx1-ss-2-lb.cnet.com. The problem is that whenever I ping a domain name that doesn't exist, I get that cnet.com hostname in return. Even on my own domains, if I do somestupidsubdomain.mydomain.com, it returns with the cnet address. In that thread, they said it was NXDOMAIN hijacking and that they should use different name servers. In my situation, this production server is using the same nameservers as everyone else in the company, but this isn't an issue for anyone else. Even the staging server that's a mirror of the production server isn't having the issue.

I've checked the /etc/hosts file and nothing out of the ordinary is there. I looked up how to flush the local DNS cache through either nscd or bind and neither are even installed. I used nslookup and queried my two assigned DNS servers and they came back with domain not found errors, as would be expected.

Where should I look next?

EDIT

I used tcpdump on port 53 and than pinged some jibberish domain and this is the output I got

14:55:39.884442 IP 192.168.4.11.59726 > 192.168.0.22.domain: 27749+ A? asdfjjjf.com. (30) 14:55:39.905778 IP 192.168.0.22.domain > 192.168.4.11.59726: 27749 NXDomain 0/1/0 (103) 14:55:39.905930 IP 192.168.4.11.46752 > 192.168.0.22.domain: 18476+ A? asdfjjjf.com.com. (34) 14:55:39.926982 IP 192.168.0.22.domain > 192.168.4.11.46752: 18476 2/0/0 CNAME phx1-ss-2-lb.cnet.com., A 64.30.224.112 (82)

14:55:39.962067 IP 192.168.4.11.44686 > 192.168.0.22.domain: 5275+ PTR? 112.224.30.64.in-addr.arpa. (44)

14:55:39.983324 IP 192.168.0.22.domain > 192.168.4.11.44686: 5275 1/0/0 PTR phx1-ss-2-lb.cnet.com. (79)

So if I'm reading this right, does that mean that my DNS server is definitely responding with the cnet.com address? If I use nslookup, set it to the 192.168.0.22 server, and query a jibberish domains A record, it returns with nothing.

My domain registrar is Company A and we use two of their nameservers for DNS. We host our own server hardware in a datacenter that's not affiliated with Company A. Everything about Company A sucks. So we've set up a new account on DNSmadeeasy.com and I copied all our A, MX, and CNAME records over (they take care of SOA and NS). Now, when I log in to my registrar's panel and switch the name servers from theirs to DNSME, are we going to experience any sort of interruption in service?

My initial thought it no, we shouldn't. As with any DNS changes, propagation can take up to 72 hours, but if certain name servers don't have the updated zone files yet, they'll most likely used cached information which is all the same (because NO IP addresses are changing... it's an exact replica).

So what do you think? Should I go ahead and make the change or should I pick a scheduled date and notify clients that they may experience connectivity issues within the 72 hour window?

UPDATE:

Nearly 72 hours have passed and we didn't even have as much as a hiccup. Throughout the last 72 hours I've used nslookup to query several different servers for my NS records and it took about 48 hours for all of them to show the new name servers. The whois information changed almost immediately. So bottom line for anyone that has the same worries as I did, as long as the new DNS providers have the exact same zone information, you won't have any issues.

When SELinux logs an event to the audit log on my CentOS 6 system, it's logging it in epoch time which makes for a real hassle when trying to troubleshoot. Is there any way to make it log these events using human readable date formats? I've looked through the conf files and googled around but can't seem to find anything on it.

I want SELinux to allow the LogRotate daemon to rotate and compress the audit logs under /var/log/audit/audit.log, but it's being blocked with this error message showing up:

Oct 27 04:06:03 setroubleshoot: SELinux is preventing /usr/sbin/logrotate "read" access on /var/log/audit. 

The context of the /var/log/audit directory is:

drwxr-x---. root  root  system_u:object_r:auditd_log_t:s0 audit

Is there a context I can give a file or directory that will make SELinux behave as if it were turned off? I'm swimming in documentation and I'm not going to learn this thing overnight, so I'd like to implement a work around until I can do it right. Any pushes in the right direction are welcome.

Edit: I'm also finding that all the documentation I'm coming across doesn't match what actually exists on my CentOS 6 server (i.e. file and config locations). Has anyone else had this problem and no of a good source for "correct" information?

Edit 2-- I take this back, they have instructions on building policies in a different section. http://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html

FINAL EDIT: So my end goal was to try and get a daily rotation of the Audit logs because I have a daily email sent out with any new SELinux alerts, but I kept getting the same messages. So I tried creating a new logrotate rule to do these logs, but SELinux was blocking it. Turns out that auditd has a built in rotate function that can be called by running /sbin/service auditd rotate which rotates the logs. I can simply set that in a daily cron job. I still think the SELinux question holds value, so if anyone wants to answer it, it might help future googlers

We're doing a rewiring project at my work (server room is a mess of cables) and we've decided to go the route of cutting each cable to length and terminating them ourselves. In the past, I've used used plugs that had holes in the end that allowed the wires all the way through and then you just trim the excess (versus trimming all the wires to the same size first and then inserting them into the plug). I've found these plugs to be a lot easier to work with. Now that I'm ready to purchase some, I can't seem to find any that specifically say whether they have the holes in the end or not and googling "RJ45 plug with holes in the end" didn't really give me worthwhile results.

Does anyone know if there is a differentiating name for this type of plug? Or does anyone have a brand/part# of plugs like this?

Our Marketing department wants to start hiring an outside company to assist in the development and maintenance of our marketing website. The website right now is on FreeBSD (using apache), but with plans within the next couple of months to migrate everything to CentOS. How it's set up right now is we have an internal Subversion server housing all of the code, developers check code in and out, code is then pushed to an external staging server to make sure everything looks good, and then pushed to our live server.

Like I mentioned, they're going to be hiring an outsourced company to work with them on the code. My task is to be able to work with the code, but at the same time keep them out of network.

Here are some ideas I've had:

1. Give them VPN access through our SonicWall (our main gateway) and only allow them access on port 443 to the Subversion server and block off everything else (I'm not even sure if the Sonicwall will do this or if it will only allow me to grant access on a subnet level.)

2. Set up a subversion server in a DMZ and only allow inbound traffic from their corporate IP address. This would effectively block access into our network, but still allow people inside and outside to access subversion.

3. Give them an account on the staging server and just let them work from there (laziest, least liked solution...)

Option 2 is the one I'm leaning towards the most. Does anyone have any input on these solutions or have a completely different solution that would work better? Our end goal is to allow them to work on the code without compromising our network.

I have a user on Windows 7 that is trying to access a local server with a DNS name of windows.cs. We have two internal DNS servers. The DHCP server assigns users the two internal DNS servers as primary and secondary and then our ISPs DNS as a tertiary DNS server.

Every now and then, the user can't access the website at windows.cs. If I ping it, it says it can't resolve the host name. I flush the DNS cache, and then when I display the dns cache it has the following:

windows.cs - Name does not exist

Yet if I use nslookup, which by default queries the primary DNS server (our internal one) and I query windows.cs, it returns the correct IP address.

So why can't Windows resolve the hostname using ping, but it can when using the nslookup tool? And how do I fix this?