I am having a big problem, quite difficult to find/search.
I have a server on Ubuntu, on which I have installed:
GITLAB (has all projects)
POSTGRESQL (independent GitLab database, used for a personal project)
TOMCAT with WEB APP (Spring Boot, this uses postgres)
This server is still for testing, it is used for specific things (I mean, its use and access is limited and controlled)
I am having various problems:
Very frequently, almost every day, the postgres user of the PostgreSQL server "erases" its password. Without anyone doing it manually, "it happens exponentially". I notice because the application stops responding; then I access PostgreSQL and see that the postgres user has no password.
I looked in many places and I can't find anything. I really don't know where else to look. If this has happened to anyone, or you have information about it, I would be grateful if you could share it with me.
------More information added----------
I was looking at the postgres logs (before this I had no authentication) and I see this.
There are times when no one could have been using the Spring Boot server,
--2020-01-17 00:30:21.286
And also the two log entries that show before that moment. Could it be something that is deleting my password?
Thank you.
PostgreSQL does not randomly delete its own passwords, and I really doubt Tomcat or GitLab do either. Indeed, they shouldn't even have access to the server as the 'postgres' user or any other superuser, and so shouldn't be able to even if they wanted to.
It seems that there is an intruder in your system. After gaining access they create their own user with their own password. Then disabling your normal superuser from logging on is a common way to try to prevent you from regaining control and kicking them out. Do any users exist that you do not recognize?
The bit of the log file you posted clearly shows someone trying to guess your password, starting at 2:58. You aren't logging IP addresses (%h) so it doesn't show where they are coming from. It doesn't show that they succeed, but unless you have log_connections = on, it wouldn't show successes.
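As an added example (not code from the original answer), the Python script below shows what the two logging settings the answer mentions buy you: it parses PostgreSQL log lines written with an assumed log_line_prefix of '%m [%p] %h %u@%d ' and log_connections = on, flags bursts of password failures per client address, and then lists any "connection authorized" event that followed from the same address. The log lines inside it are constructed for illustration, not taken from the question.

```python
"""
Spot password-guessing bursts, and any login that followed them, in a
PostgreSQL server log.  Added example, not code from the original answer.
Assumes log_line_prefix = '%m [%p] %h %u@%d ' and log_connections = on;
every log line below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures for "postgres" from one address within two
# minutes, then a successful login from that address; plus ordinary traffic.
SAMPLE_LOG = """\
2020-01-17 02:58:01.102 UTC [4021] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-01-17 02:58:01.103 UTC [4021] 203.0.113.7 postgres@postgres DETAIL:  Password does not match for user "postgres".
2020-01-17 02:58:01.880 UTC [4022] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-01-17 02:58:02.510 UTC [4023] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-01-17 02:58:40.007 UTC [4030] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-01-17 02:59:12.450 UTC [4041] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-01-17 02:59:40.911 UTC [4052] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-01-17 03:00:03.004 UTC [4060] 203.0.113.7 postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2020-01-17 03:05:10.200 UTC [4071] 10.0.0.5 app@appdb FATAL:  password authentication failed for user "app"
2020-01-17 03:05:18.655 UTC [4072] 10.0.0.5 app@appdb LOG:  connection authorized: user=app database=appdb
2020-01-17 03:30:00.000 UTC [4090] [local] postgres@postgres LOG:  connection authorized: user=postgres database=postgres
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ "  # %m: timestamp with ms and zone
    r"\[(?P<pid>\d+)\] "                                       # %p: backend pid
    r"(?P<host>\S+) "                                          # %h: client address, or [local]
    r"(?P<user>[^@\s]+)@(?P<db>\S+) "                          # %u@%d
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
FAILED_AUTH = "password authentication failed for user"
AUTHORIZED = "connection authorized"   # only written when log_connections = on


def parse_line(line):
    """Return a dict for a line in the assumed prefix format, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


def guessing_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Group auth failures by (client host, user); return, for every pair with
    at least `threshold` failures inside one `window`, its peak count."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["level"] == "FATAL" and FAILED_AUTH in ev["msg"]:
            failures[(ev["host"], ev["user"])].append(ev["ts"])
    flagged = {}
    for key, stamps in failures.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):        # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def logins_after_burst(lines, flagged):
    """For each flagged (host, user), timestamps of successful logins from that
    host after its last failure.  Without log_connections = on this is empty
    even when the guessing succeeded, which is the answer's point."""
    events = [ev for ev in map(parse_line, lines) if ev]
    result = {}
    for key in flagged:
        mine = [e for e in events if (e["host"], e["user"]) == key]
        last_fail = max(e["ts"] for e in mine if FAILED_AUTH in e["msg"])
        result[key] = [e["ts"] for e in mine
                       if AUTHORIZED in e["msg"] and e["ts"] > last_fail]
    return result


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    bursts = guessing_bursts(lines)
    for (host, user), count in bursts.items():
        print(f"{count} failures for {user!r} from {host}")
    for (host, user), wins in logins_after_burst(lines, bursts).items():
        for ts in wins:
            print(f"  successful login for {user!r} from {host} at {ts}")
```

Without %h in the prefix the host group would collapse to a single unknown value, so the same script could still count failures but not tell the guessing address apart from your own clients; without log_connections the second function would report nothing even for a successful guess.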
Related
We have a PostgreSQL database with PostGIS running, and today we ran into the issue that too few connections were available. Mostly we are using QGIS to access the database. We noticed the issue because multiple users got the following error:
FATAL: remaining connection slots are reserved for non-replication superuser connections
When checking the number of connections in pgAdmin I noticed something I had seen before but, as I never ran into problems, didn't care too much about.
QGIS creates multiple connections to PostgreSQL for the same user to the same database.
Now I am wondering why this is the case and how I can maybe change that behaviour.
Could this happen for example if a person got access rights to a database through different user groups?
One possible cause might be the issue some users run into where, if you add layers to a QGIS project that was created earlier, it may ask you multiple times for your login credentials if those changed. This seems to me to indicate that different credentials are probably saved with the project and therefore multiple connections might be used. Can anyone confirm or disprove this? Suggestions for a test scenario to check this are also welcome.
Any ideas, hints or solutions are welcome.
By the way: yes, we increased the number of max_connections, but I want to understand why this happens and get closer to the core of the situation.
I have a client, and whoever designed their site put it in Compute Engine. I am totally lost, no clue about this. I do see a bucket, but there is only a footer.php in it. The site is a WordPress multisite and I cannot find where the files are stored or how to access phpMyAdmin to see the database.
I ask this because the site is having many issues, starting with an expired SSL certificate and PHP being out of date, and now I cannot log in or see the site because it is giving a 500 error or the white page of death.
I tried to find what caused the error but found nothing.
Site is http://nextstudy.org
Can anyone help or direct me on what I can do to get to the files and maybe get it off of Compute Engine?
Appreciate you reading this.
Diana
GCE does not host files from a bucket; it runs VM instances off disk images.
Unless you have been assigned an admin role in Cloud IAM, there's probably not much you can do. And even with an admin role granted, it's still rather risky when you have no clue. I mean, while it's only a single instance, Cloud Shell might help, but when it's an instance group, the deployment may work in a whole different way (up to the point where the servers are spun up from nothing but a shell script, which subsequently makes editing individual instances quite meaningless).
I have a MongoDB client on three EC2 instances and I have created a replica set. Last time I had a problem with a space constraint which stopped my mongod process, thereby halting the application, and then, in an incident a couple of days back, some of my tables were gone from the database, so I set up logging and everything on my database just to catch it if anything like that happens again. In a fresh incident this morning I was unable to log in to my system, and that's when I found out that the whole database was empty. I checked other SO questions like this which suggest setting up a TTL, which I haven't done at all.
Now how do I debug this situation and do a proper root cause analysis? I can't find anything in my debug logs either. The tables just vanished. How do I set up a proper logging mechanism, and how do I ensure that my tables are never ever deleted again?
Today I got a mail from Amazon that I was probably running an unsecured version of MongoDB and that this may have caused the issue. So whoever is facing this issue, please go through the Security Checklist provided by MongoDB. There are some points in there that are absolutely necessary.
1. Enable Access Control and Enforce Authentication
2. Encrypt Communication
3. Limit Network Exposure
These three are the core, and depending upon how many people access your database you can configure Role-Based Access Control.
These are all things I have done. Before this incident I had not taken security that seriously, but after I was hit by it, I made sure I had all the necessary precautions in place.
Hope this helps someone.
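As an added example (not MongoDB's own tooling and not part of the answer above), here is a small Python audit of a mongod.conf against the three checklist items the answer lists, with a constructed weak configuration next to a constructed hardened one. It assumes the YAML-format mongod.conf of MongoDB 4.2 or later, where TLS lives under net.tls; the file paths in it are placeholders.

```python
"""
Audit a mongod.conf against the three checklist items quoted in the answer:
access control, encrypted communication, network exposure.  Added example,
not MongoDB's own tooling.  Assumes the YAML-format mongod.conf of MongoDB
4.2 or later (net.tls.*); both configuration texts are constructed.
"""

# Constructed: the kind of configuration the checklist warns about.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, no auth, no TLS
"""

# Constructed: the same server with the three checklist items applied.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
security:
  authorization: enabled   # 1. clients must authenticate; roles are enforced
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.5   # 3. loopback plus the private replica-set interface only
  tls:
    mode: requireTLS       # 2. every connection must use TLS
    certificateKeyFile: /etc/ssl/mongod.pem   # placeholder path
"""


def parse_conf(text):
    """Parse the indentation-nested 'key: value' subset of YAML that mongod.conf
    uses (scalars and nested mappings; no lists, quoting or multi-line values)."""
    root = {}
    stack = [(-1, root)]                       # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:                                  # a nested mapping starts here
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def lookup(conf, dotted):
    """Fetch a dotted key such as 'net.tls.mode'; None when absent."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit(conf):
    """Return one finding per unmet checklist item; an empty list passes."""
    findings = []
    if lookup(conf, "security.authorization") != "enabled":
        findings.append("1. security.authorization is not 'enabled': anyone who can reach the port has full access")
    if lookup(conf, "net.tls.mode") != "requireTLS":
        findings.append("2. net.tls.mode is not 'requireTLS': credentials and data travel in the clear")
    bind = lookup(conf, "net.bindIp")
    bind_all = lookup(conf, "net.bindIpAll") == "true"
    if bind_all or not isinstance(bind, str) or "0.0.0.0" in bind.split(","):
        findings.append("3. net.bindIp exposes every interface (or is unset; releases before 3.6 bound all interfaces by default)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_conf(text)) or ['no findings']}")
```

Run against the weak text it reports all three items; against the hardened text it reports none. The parser deliberately handles only the flat key/value shape mongod.conf normally has, so a real file using YAML lists or quoted values would need a proper YAML library instead.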
The production site we run has potentially been compromised, as we saw a big spike in network traffic which brought down the site.
Since theft has potentially already happened before our patching, what steps should we go through in informing our client? Do they need to make any password changes for the admin login, etc.? Anything else that is relevant? Do we need to change the DB password on our server, etc.?
Basically yes, all of the above.
There is a flow chart on the [Drupalgeddon project page](https://www.drupal.org/project/drupalgeddon) that you can follow to help ensure you are dealing with a clean site.
Good luck
I have a customer that has an old, non-existent application; he had a problem with the company that made the application, and they won't disclose his database password. He realized that he signed a contract (back then) where it said that he was sort of "renting" the application and they had no obligation to disclose anything. This customer found out that he's not the only one with the same problem with that company. He's a dentist, and other dentists with the same old application experienced the same problems when trying to buy new software and attempting to migrate their patients to the new system.
In any case, he wants to open his little Firebird database, so we can at least extract some data to our SQL Servers. I have tried with the default 'masterkey' (which is, in fact, 'masterke' due to the 8 char limit) to no avail.
Now I know he could go legal and try to force the company to release his information, but I want to do it the short way. Does anybody know an app that can brute force/crack a legacy Firebird password?
Thanks.
EDIT: The legacy software is "STOMA-W", I cannot even find it on Internet. They are located in Asturias, Spain.
Firebird does not (yet) store passwords inside the database file.
With this in mind, move the database file to another server where the sysdba password is known.
Old InterBase and Firebird had a hardcoded backdoor password you might want to try:
user: politically pass: correct
http://www.theregister.co.uk/2001/01/12/borland_interbase_backdoor_exposed
Provided it is not the SYSDBA account, you may reset forgotten passwords for users with FlameRobin. After registering the database server on your localhost, use the Manage users... function in the context menu:
Here you get a list of users with options to delete or view/modify properties. If you click on the properties icon, you enter this dialogue, where you simply enter the new password twice:
There is also IBConsole which comes packaged with the InterBase/Firebird SDK. It has similar functions.