I am on a Windows Vista 64-bit Enterprise machine with Subsystem for Unix Applications installed and the applications downloaded. I am attempting to use RSH to connect to a FreeBSD server. The command I would like to execute is:
rsh host.suffix1.company.com command
The .rhosts file in my home directory on host.suffix1.company.com looks like this:
+ myusername
+ mydomain\myusername
+ mydomain/myusername
+ myusername#mydomain
+ +
mycomputer.suffix2 myusername
mycomputer.suffix2 +
mycomputer.suffix2.company.com myusername
mycomputer.suffix2.company.com +
I know + + is bad, but let's ignore that for now. When I run this:
rsh host.suffix1.company.com command
I get the following error:
rshd: Login incorrect.
However, when I run
rsh -l myusername host.suffix1.company.com command
this works flawlessly. What I'd like to know is:
What is SUA sending as the username when I don't specify it via -l?
How can I change what SUA is sending?
I'm assuming that here SUA is sending some form of mydomain\myusername, but I'm wondering what other entries I might need to make to the rhosts file to allow this and why the + + isn't allowing this?
I would guess that examining syslog (or another appropriate log?) on the freebsd box could give you the login name from the failed login. On my linux machine I get the lines like the following from the frequent ssh attacks:
May 19 19:57:40 anton sshd[29795]: Failed password for invalid user mercedes from 124.217.246.181 port 49198 ssh2
May 19 19:57:40 anton sshd[29796]: Received disconnect from 124.217.246.181: 11: Bye Bye
May 19 19:57:45 anton unix_chkpwd[29802]: password check failed for user (games)
May 19 19:57:45 anton sshd[29799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns1.1oasis.net user=games
May 19 19:57:48 anton sshd[29799]: Failed password for games from 124.217.246.181 port 49956 ssh2
This is from sshd, but I would be surprised if not rshd is not able to log something similar (although it might be off by default and needs to be enabled).
For guesses on what the rsh client made by microsoft gets the name from I have few ideas. A traditional unix rsh would of course get the name from /etc/passwd, reading it indirectly with getpwent() (failing that it might fall back to environmental variables LOGNAME or USER?). Is "myusername" present in c:\windows\system\etc\passwd (or whatever SUA maps as /etc/passwd)?
Related
I have a CGI script to load publications from BibBase:
#!/usr/bin/perl
use LWP::UserAgent;
my $url = 'https://bibbase.org/show?bib=http://www.example.com/pubs.bib';
my $ua = LWP::UserAgent->new;
my $can_accept = HTTP::Message::decodable;
my $response = $ua->get($url, 'Accept-Encoding' => $can_accept);
print "Content-type: text/html\n\n";
print $response->decoded_content;
(This is copied from BibBase with the exception that the URL is hard-coded.)
I have three webservers running RHEL7 and Apache 2.4 that are configured the same way by Puppet. On all three I can run the script on the command line and get the expected results:
[root#server1 cgi-bin]# ./bibbase_proxy2.cgi | head
Content-type: text/html
<img src="//bibbase.org/img/ajax-loader.gif" id="spinner" style="display: none;" alt="Loading.." />
<div id="bibbase">
<script type="text/javascript">
var bibbase = {
params: {"bib":"http://www.example.com/pubs.bib","host":"bibbase.org"},
When I try to run the script with CGI, I get three different results:
Server1
Unrecognised protocol tcp at /usr/share/perl5/LWP/Protocol/http.pm line 31.
Server2
Can't connect to bibbase.org:443 System error at /usr/share/perl5/LWP/Protocol/http.pm line 51.
Server3
No http output and the error log says AH01215: Out of memory!.
I can't find anything different between the three servers and I can't figure out why the script works fine on the command line and doesn't work when run as a CGI.
I have selinux in permissive mode and it is logging the outgoing request, so I know the script gets that far:
type=AVC msg=audit(1532465859.921:331235): avc: denied { name_connect } for pid=161178 comm="perl" dest=80 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
For testing, I have set selinux to disabled and restarted the server.
SE-Linux denied the TCP connection.
avc: denied { name_connect }
The default access controls for networking by SELinux are based on the labels assigned to TCP and UDP ports and sockets. For instance, the TCP port 80 is labeled with http_port_t (and class tcp_socket). Access towards this port is then governed through SELinux access controls, such as name_connect and name_bind.
When an application is connecting to a port, the name_connect permission is checked. However, when an application binds to the port, the name_bind permission is checked.
Permissive mode or not, Perl is acting like it was denied a TCP connection. Unrecognised protocol tcp means getprotobyname("tcp") failed inside IO::Socket::IP. That's very, very unusual. One of the ways that can happen is via exactly that SELinux denial.
I'm no SELinux expert, but according to RedHat and Gentoo some SELinux aware applications will ignore the global permissive setting and go it alone. RHEL 7 Apache appears to be one of them. It appears to have its own domain which must be set permissive.
On all three I can run the script on the command line and get the expected results:
There's two reasons for that, and they both have to do with users.
When you run the program you're running as your own user with your own configuration, permissions, and environment variables. In fact, you ran it as root which usually bypasses restrictions. When it runs on the server it runs as a different user, probably the web server user with severe restrictions.
In order to do a realistic test, you need to run it as the same user the web server will. You can use sudo -u for this. For example, if the user is apache...
sudo -u apache ./bibbase_proxy2.cgi
BTW Do not test software as root! Not only is it not going to give you sensible results, but if there's a bug in the software there are no safeguards preventing it from wrecking your system.
The second problem is #!/usr/bin/env perl. That means to run whatever perl is in your PATH. PATH will be different for different users. Running ./bibbase_proxy2.cgi may run with one Perl on the command line and a different one via the web server.
In a server environment, use a hard coded path to Perl like #!/usr/bin/perl.
We tested by rewriting the same script in Python and PHP. Both of them showed error which pointed us in the right direction.
Python urllib2 produced the error
<class 'urllib2.URLError'>: <urlopen error [Errno 16] Device or resource busy>
args = (error(16, 'Device or resource busy'),)
errno = None
filename = None
message = ''
reason = error(16, 'Device or resource busy')
strerror = None
PHP (run as CGI) wouldn't even start:
[Wed Jul 25 15:24:52.988582 2018] [cgi:error] [pid 10369] [client 172.28.6.200:44387] AH01215: PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/curl.so' - libssh2.so.1: failed to map segment from shared object: Cannot allocate memory in Unknown on line 0
[Wed Jul 25 15:24:52.988980 2018] [cgi:error] [pid 10369] [client 172.28.6.200:44387] AH01215: PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/dba.so' - libtokyocabinet.so.9: failed to map segment from shared object: Cannot allocate memory in Unknown on line 0
---- Similar lines for all extensions. ----
It appears that RLimitMEM blocks access to shared memory and that is required for opening sockets. I can't find any documentation, but removing that line makes it work.
I was following this guide to setup an LDAP server on CentOS 6.6: http://www.learnitguide.net/2016/01/configure-openldap-server-on-rhel7.html. I know the guide is for RHEL, but I think the vast majority of steps should be the same. I went through the tutorial and everything seems to work right except for sshing into the server as an LDAP user. As root I am able to su to any LDAP user. getent passwd username returns appropriate results. But every time I try to ssh in as a user I get permission denied and these messages show up in /var/log/secure:
Aug 8 22:13:14 servername sshd[5900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhostname user=username
Aug 8 22:13:14 servername sshd[5900]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhostname user=username
Aug 8 22:13:14 servername sshd[5900]: pam_sss(sshd:auth): received for user username: 6 (Permission denied)
Aug 8 22:13:17 servername sshd[5900]: Failed password for username from rhostIPaddress port 34758 ssh2
I was hoping maybe someone may know of a step that guide left out that would cause this behavior. Thanks.
Turns out the self signed certificate I was using needed to have the IP address as the common name as opposed to the FQDN, not sure why that is but it's working now.
Information that can help others.
In my case this message was a time difference problem between the FreeIPA server and the clients. The command systemctl status sssd -l presented the message (skew clock too great).
This message from the Kerberos authentication server appears if the difference hour in servers is too large (more than three or four minutes).
OS: Ubuntu Server
On Fedora 21, I had a simple script for sending emails
mail -a /tmp/attachment.txt -s "..." someone#somewhere.com
On Fedora 23, this no longer works.
No configuration file found at /home/mike/.esmtprc or /etc/esmtprc
I created the file and assigned correct permissions to it.
hostname = localhost.localdomain:25
(That's what Fedora 21 would send emails from: mike#localhost.localdomain.)
Well, now I'm getting
SMTP server problem Connection refused
Question: how do I get the mail command to work on Fedora 23?
Okay, seems like Fedora 21 must have had an email server running by default, but Fedora 23 does not.
In my
~/.esmtprc
I had to add
hostname = [SMTP SERVER THAT WORKS]:25
mda "/usr/bin/procmail -d %T"
And that worked. Thanks everyone anyway!
I am NO GOOD at regex - and as such i can not seem to match the plesk mail log string that indicates a brute force smtp attack -
my log looks like this:
May 19 03:24:58 gohhllc smtp_auth[22702]: SMTP connect from mail.globaltrbilisim.com [213.144.99.201]
May 19 03:24:58 gohhllc smtp_auth[22702]: No such user 'chuong#drophit.net' in mail authorization database
May 19 03:24:58 gohhllc smtp_auth[22702]: FAILED: chuong#drophit.net - password incorrect from mail.globaltrbilisim.com [213.144.99.201]
In some cases it also looks like this
May 19 03:25:22 gohhllc smtp_auth[23056]: SMTP connect from 89-97-124-22.fweds-spc.it [89.97.124.22]
May 19 03:25:22 gohhllc smtp_auth[23056]: FAILED: element - password incorrect from 89-97-124-22.fweds-spc.it [89.97.124.22]
My regex attempts to match both username failures and password look like this
failregex = No such user '.*' in mail authorization database
FAILED: .* - password incorrect from [<HOST>]
Along with 20+ other combos with no avail - most of the time teh result is an error like this
Unable to compile regular expression 'FAILED:
Thanks
I worked through this and using http://www.regexr.com/ i was able to write a fairly easy regex (i guess im getting better at it) to make this work.
The resulting statement for smtp-auth when using Pleask and Qmail (atleast on my server) is
failregex = FAILED: [-/\w]+ - password incorrect from <HOST>
AS for "no such user" entries i was unable to make this work as there is no hostname in the log file for this entry and fail2ban requires the hostname :(
I am trying to use an auto reply program for one of the users.
It works fine when I have user email address defined in .forward file but it gives following error when I put it in script:
Jun 28 12:25:38 localhost sendmail[5210]: s5SJPFkN005208: to="|/home/alpha/autoreply.pl", ctladdr=alpha#localhost (501/501), delay=00:00:10, xdelay=00:00:00, mailer=prog, pri=60446, dsn=5.0.0, stat=Service unavailable
Jun 28 12:25:38 localhost sendmail[5210]: s5SJPFkN005208: s5SJPckN005210: DSN: Service unavailable
Do I have have make any changes in sendmail configs (i.e. symbolic link etc)?
Thanks.
1.Have you checked problems mentioned in sendmail FAQ?
Sendmail-FAQ-3.11: Why can't my users forward their mail to a program?
2. On most linuxes sendmail uses procmail as local mailer program.
You may try to execute your script from ~/.procmailrc of the user.
The issue was /etc/smrsh did not have symbolic link for perl which can be defined as
ln -s /usr/bin/perl /etc/smrsh/perl