Simple life, Complicated mind

Monday, June 3, 2019

Setup A Centralized Log Server Using Rsyslog on Ubuntu 16.04 LTS

Setup A Centralized Log Server Using Rsyslog on Ubuntu 16.04 LTS

Rsyslog Server:

# vim /etc/rsyslog.conf

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# vim /etc/rsyslog.d/tmpl.conf

$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

authpriv.* ?TmplAuth
*.info;mail.none;authpriv.none;cron.none ?TmplMsg

# systemctl restart rsyslog

Rsyslog Client:

# vim /etc/rsyslog.conf

##RULES## 
*.* @192.168.1.200:514

Note: The @ symbol before the IP address tells rsyslog to use UDP to send the messages. Change this to @@ to use TCP.

# systemctl restart rsyslog

# logger -s " This is my Rsyslog client "

# logger --server 127.0.0.1 --port 9000 --udp --rfc3164 "my testing msg"

# tree /var/log/client_logs/

The following is a list of RFCs that define the Syslog protocol:

RFC 3195 Reliable Delivery for syslog
RFC 5424 The Syslog Protocol
RFC 5425 TLS Transport Mapping for Syslog
RFC 5426 Transmission of Syslog Messages over UDP
RFC 5427 Textual Conventions for Syslog Management
RFC 5848 Signed Syslog Messages
RFC 6012 Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog

Reference:

http://yallalabs.com/linux/how-to-setup-a-centralized-log-server-using-rsyslog-on-ubuntu-16-04-lts/

https://success.trendmicro.com/solution/TP000086250-What-are-Syslog-Facilities-and-Levels

https://en.wikipedia.org/wiki/Syslog

https://www.elastic.co/blog/how-to-centralize-logs-with-rsyslog-logstash-and-elasticsearch-on-ubuntu-14-04

https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-input-syslog.html

Tuesday, April 9, 2019

Web Application Vulnerability Scanning Tools

Web Application Vulnerability Scanning Tools

Nessus
http://www.tenable.com/products/nessus

PortSwigger
https://portswigger.net/

qualys
https://www.qualys.com/

Scan Titan
https://www.scantitan.com/

Nikto
https://cirt.net/Nikto2

CIS (Center for Internet Security) Security benchmark
https://www.cisecurity.org/cis-benchmarks/

Vulnerability Scanning Tools
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

Monday, March 18, 2019

Use Mosh instead of SSH

Mosh is a replacement for SSH. It's more robust and responsive, especially over Wi-Fi WiFi, cellular, and long-distance links.

On Ubuntu:

# add-apt-repository ppa:keithw/mosh
# apt-get update && apt-get install mosh

On CentOS:

# yum -y update

# yum install epel-release

# yum install mosh

# firewall-cmd --permanent --zone=public --add-port=60000-60020/udp

Note: If you are using any other program to manage your firewall, then you will need to manually ensure to open the UDP ports from 60000 to 61000. However, if you only expect to have a small number of concurrent connections, then a smaller range of ports can be opened provided it begins at port 60000 (e.g 60000:60020).

Note: If you are using Amazon EC2, you will need to open the ports in Amazon's security group (firewall).

# firewall-cmd --reload

# firewall-cmd --list-all

public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp 60000-60020/udp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

In most use cases, Mosh is a drop-in replacement for SSH, meaning many SSH commands need only a simple alteration. For example:

client # mosh user@example.com

However, if you use any other arguments with SSH (such as -p), then a slightly different syntax is needed:

client # mosh --ssh="ssh -i myserver.pem -p 22" centos@1.2.3.4

Note: if you see the "It is required that your private key files are NOT accessible by others." error message, run chmod 400 myserver.pem.

Note: you do not need to start mosh-server manually, mosh-server will start automatically once it's connected.

Use nc command to test the udp connection:

client # nc -u 1.2.3.4 60000-60020

Note: to install nc, run yum install nmap-ncat.

server # ps auxww|grep -i mosh

centos   21000  1.0  0.0 171784  5748 ?        S    05:15   0:00 mosh-server new -s -c 256 -l LANG=en_US.UTF-8 -l LANGUAGE=en_US.UTF-8 -l LC_ALL=en_US.UTF-8

server # ss -lnu | grep :6000

tcp    UNCONN     0      0           172.31.28.16:60001                 *:*

Reference:

https://www.digitalocean.com/community/tutorials/how-to-install-and-use-mosh-on-a-vps
https://mosh.mit.edu/

Sunday, March 17, 2019

Install MySQL 5.7, Apache 2.4, PHP 7.1 on Ubuntu 16.04

Install MySQL 5.7, Apache 2.4, PHP 7.1 on Ubuntu 16.04

Install VMware tools:

VM > Guest > Install/Upgrade VMware Tools

# su -
# df -h
# cd /media/jun/VMware\ Tools/
# ls -la
# tar zxvf VMwareTools-9.4.0-1280544.tar.gz -C /tmp/
# cd /tmp
# ls
# cd vmware-tools-distrib/
# ls
# ./vmware-install.pl -d
# reboot

Note: For more info https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1022525

Move Ubuntu launcher to the bottom:

# gsettings set com.canonical.Unity.Launcher launcher-position Bottom

Update the package repository:

# apt-get update

Upgrades packages with auto-handling of dependencies:

# apt-get dist-upgrade

or

# apt full-upgrade

Install SSH server:

# apt-get install openssh-server
# systemctl status sshd.service
# systemctl restart sshd.service

Compile and install the latest Git 2.20.1 from source code:

# apt-get install make gcc dh-autoreconf libcurl4-gnutls-dev libexpat1-dev gettext zlib1g-dev libssl-dev \
&& apt-get install curl \
&& cd /usr/local/src/ \
&& curl -L https://github.com/git/git/archive/v2.20.1.tar.gz -o git.tar.gz \
&& tar zxvf git.tar.gz \
&& cd git-2.20.1/ \
&& make configure \
&& ./configure --prefix=/usr \
&& make all \
&& make install

# git --version

git version 2.20.1

Install Git from ppa:

# add-apt-repository ppa:git-core/ppa
# apt-get update

# apt-cache policy git
# apt-cache madison git

# apt-get install git=1:2.11.0-2~ppa0~ubuntu16.04.1

# git --version

Compile and install the latest Vim 8:

# apt-get install libncurses5-dev python-dev python3-dev ruby-dev libperl-dev ruby-dev liblua5.3-dev exuberant-ctags cscope

// Fix liblua paths
# ln -s /usr/include/lua5.3 /usr/include/lua \
&& ln -s /usr/lib/x86_64-linux-gnu/liblua5.3.so /usr/local/lib/liblua.so

# cd /usr/local/src \
&& git clone https://github.com/vim/vim.git --depth 1 \
&& cd vim \
&& ./configure \
--prefix=/usr \
--with-features=huge \
--enable-multibyte \
--enable-pythoninterp \
--enable-python3interp \
--enable-rubyinterp \
--enable-perlinterp \
--enable-luainterp \
--enable-cscope \
&& make \
&& make install \
&& hash -r \
&& vim --version | head

Install MTA mail server:

# apt-get install postfix

Note: select "Internet site".

Note: If you need to reconfigure the postfix setting, run either one of the following:

# dpkg-reconfigure -plow postfix

or

# apt-get purge postfix

For other mail related packages:

# apt-get install mailutils

Install mail client:

# apt-get install bsd-mailx
# echo "test message" | mailx -s 'test subject' myemail@mydomain.com

For hexdump command:

# apt-get install bsdmainutils

# hexdump -c test.log

Install MySQL5.7:

# apt-cache policy mysql-server
# apt-cache search mysql-server
# apt-cache show mysql-server | less
# apt show mysql-server

# apt-get install mysql-server

# vim /etc/mysql/mysql.conf.d/mysqld.cnf
bind-address = 0.0.0.0

# vim ~/.my.cnf
[client]
host = localhost
port = 3306
user = root
password = MyPassword

# chmod 400 ~/.my.cnf

# mysql -e "SHOW variables WHERE variable_name REGEXP 'open_files_limit|table_open_cache|max_connections';"
+----------------------------+-------+
| Variable_name              | Value |
+----------------------------+-------+
| max_connections            | 151   |
| open_files_limit           | 1024  |
| table_open_cache           | 431   |
| table_open_cache_instances | 16    |
+----------------------------+-------+

Note: You will see the following error message in the error.log file if you did not change the open files limit:
[Warning] Changed limits: max_open_files: 1024 (requested 5000)
[Warning] Changed limits: table_open_cache: 431 (requested 2000)

# mkdir /etc/systemd/system/mysql.service.d
# vim /etc/systemd/system/mysql.service.d/override.conf

[Service]
#LimitNOFILE=infinity
LimitNOFILE=5000

#LimitMEMLOCK=infinity

# systemctl daemon-reload
# systemctl restart mysql

# mysql -e "SHOW variables WHERE variable_name REGEXP 'open_files_limit|table_open_cache|max_connections';"
+----------------------------+-------+
| Variable_name              | Value |
+----------------------------+-------+
| max_connections            | 151   |
| open_files_limit           | 5000  |
| table_open_cache           | 2000  |
| table_open_cache_instances | 16    |
+----------------------------+-------+

To check MySQL process's limit:

# cat /proc/$(pgrep mysqld$)/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             15614                15614                processes
Max open files            5000                 5000                 files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       15614                15614                signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us

Note: https://dev.mysql.com/doc/refman/5.7/en/using-systemd.html

Note: https://stackoverflow.com/questions/30901041/can-not-increase-max-open-files-for-mysql-max-connections-in-ubuntu-15

Note: https://serverfault.com/questions/821695/mysqld-service-for-systemd-failed-to-parse-resource-value-ignoring-40000-l

To move a MySQL data directory to another directory:

# mysql -e "SELECT @@datadir;"
+-----------------+
| @@datadir       |
+-----------------+
| /var/lib/mysql/ |
+-----------------+

# systemctl stop mysql
# systemctl status mysql

# vim /etc/mysql/mysql.conf.d/mysqld.cnf
datadir         = /home/mysql

# vim /etc/apparmor.d/tunables/alias
alias /var/lib/mysql/ -> /home/mysql/,

Note: We need to tell AppArmor to let MySQL write to the new directory by creating an alias between the default directory and the new location.

Note: If you skipped the AppArmor configuration step, you would see the following error message:

Job for mysql.service failed because the control process 
exited with error code. See "systemctl status mysql.service" 
and "journalctl -xe" for details.

# systemctl restart apparmor
# systemctl restart mysql

To move the existing to MySQL directory to /home:

# rsync -av /var/lib/mysql /home

Or, you can run the following commands to initialize the MySQL data directory:

# mkdir /home/mysql \
&& chown mysql:mysql /home/mysql \
&& chmod 700 /home/mysql \
&& mysqld --initialize-insecure

Note: This option is used to initialize a MySQL installation by creating the data directory and populating the tables in the mysql system database.

Note: If you use --initialize, the random initial password is stored at: tail -n 1 /var/log/mysql/error.log.

Note: You can also start mysqld with --skip-grant-tables to access the database and change the password.

# systemctl start mysql && systemctl status mysql

Login MySQL with the above commands if you initialized MySQL data directory with --initialize-insecure option.
# mysql -u root --skip-password
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_password';

Check the current MySQL data directory:

# mysql -e "SELECT @@datadir;"
+--------------+
| @@datadir    |
+--------------+
| /home/mysql/ |
+--------------+

To change the root password if you did not know the current root password:

# vim /root/tmp/mysql-init.txt
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'YourPassWordHere' WITH GRANT OPTION;
GRANT SUPER ON *.* TO 'root'@'localhost';
FLUSH PRIVILEGES;

# mysqld --init-file=/root/tmp/mysql-init.txt

Use RAM-DISK for tmpdir:

# mysql -e "SHOW GLOBAL STATUS LIKE 'Created_tmp%tables';"
# mysql -e "SHOW GLOBAL VARIABLES LIKE '%table_size';"

# mkdir -p /mnt/ramdisk
# mount -t tmpfs -o size=512M tmpfs /mnt/ramdisk
# chown mysql:mysql /mnt/ramdisk

# id mysql

uid=123(mysql) gid=130(mysql) groups=130(mysql)

# vim /etc/fstab

tmpfs           /mnt/ramdisk     tmpfs   rw,uid=123,gid=130,mode=1770,size=512M    0       0

Note: You need to change the uid and gid of MySQL.

# mysql -e "SHOW GLOBAL VARIABLES LIKE 'tmpdir';"

# vim /etc/apparmor.d/local/usr.sbin.mysqld

/mnt/ramdisk rw,
owner /mnt/ramdisk/** rwkl,

Note: The first line gives read and write access to the directory, the second line gives read, write, lock(k) and link(l) access to all the files and the directories inside the directory owned by the mysql user.

# vim /etc/mysql/mysql.conf.d/mysqld.cnf

[mysqld]
tmpdir      = /mnt/ramdisk

# systemctl restart apparmor.service
# systemctl restart mysql.service

Install PHP7.1:

# command -v add-apt-repository >/dev/null 2>&1 \
|| { echo >&2 "add-apt-repository is not installed. I will install it for you"; apt-get install python-software-properties; }

# add-apt-repository -y ppa:ondrej/php
# apt-get update

# apt-cache policy php7.1

# apt-get install php7.1-fpm
# apt-get install php7.1-xml php7.1-curl php7.1-zip php7.1-gd php7.1-bcmath php7.1-intl php7.1-mbstring php7.1-mcrypt php7.1-mysql
# apt-get install php7.1-json php7.1-opcache
# apt-get install php-xdebug

# php -v
PHP 7.1.10-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Sep 29 2017 17:04:25) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.1.10-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2017, by Zend Technologies
    with Xdebug v2.5.5, Copyright (c) 2002-2017, by Derick Rethans

# vim /etc/php/7.1/fpm/pool.d/www.conf

;listen = /run/php/php7.1-fpm.sock
listen = 127.0.0.1:9000

Note: You can choose to use either a Unix socket (for local access only) or TCP socket (for the other server on the network to access).

Set up xdebug:

# vim /etc/php/7.1/fpm/php.ini

[Xdebug]
xdebug.default_enable=1
xdebug.remote_enable=1
xdebug.remote_handler=dbgp
xdebug.remote_host=localhost
xdebug.remote_port=9009
xdebug.remote_log=/tmp/xdebug.log
xdebug.remote_connect_back=0
xdebug.remote_autostart=1
xdebug.remote_mode=req

xdebug.max_nesting_level=1000

xdebug.var_display_max_depth = 5
xdebug.var_display_max_children = 256
xdebug.var_display_max_data = 1024

# systemctl restart php7.1-fpm.service && systemctl status php7.1-fpm.service

# ss -an | grep :9000
tcp    LISTEN     0      128    127.0.0.1:9000                  *:*

# vim /etc/php/7.1/fpm/php.ini

date.timezone = America/Vancouver
display_errors = On
display_startup_errors = On
error_reporting = E_ALL
error_log = /var/log/php_errors.log

List all the installed PHP packages:

# dpkg -l | grep php| awk '{print $2}' |tr "\n" " "

Show the available package version:

# apt-cache search php
# apt-cache policy php

Install the specific package version:

# apt-get install php7=7.0+35ubuntu6

Note: You can look up old versions of packages at their site http://www.debian.org/distrib/packages

Install older version of PHP (PHP5.6):

# add-apt-repository ppa:ondrej/php

# apt-get update

# apt-get install php5.6-fpm

# apt-get install php5.6-gd php5.6-intl php5.6-json php5.6-mbstring php5.6-mcrypt php5.6-mysql php5.6-opcache php5.6-xml

# a2disconf php7.0-fpm.conf
# a2enconf php5.6-fpm.conf

# systemctl restart apache2.service

Install Apache2.4:

# command -v add-apt-repository >/dev/null 2>&1 \
|| { echo >&2 "add-apt-repository is not installed. I will install it for you"; apt-get install python-software-properties; }

# add-apt-repository -y ppa:ondrej/apache2
# apt-get update

# apt-cache policy apache2

# apt-get install apache2

Enable the following modules to talk to PHP:

# cat /etc/apache2/conf-available/php7.1-fpm.conf

# a2enmod proxy proxy_fcgi rewrite setenvif ssl
# a2enconf php7.1-fpm.conf

If your apache is talking to PHP through a TCP socket (127.0.0.1:9000) instead of a Unix socket (/run/php/php7.1-fpm.sock), you will need to modify the following line:

# vim /etc/apache2/conf-available/php7.1-fpm.conf
# Define a matching worker.
    # The part that is matched to the SetHandler is the part that
    # follows the pipe. If you need to distinguish, "localhost; can
    # be anything unique.
    <Proxy "fcgi://localhost/" enablereuse=on max=10>
    </Proxy>
    <FilesMatch ".+\.ph(ar|p|tml)$">
        #SetHandler "proxy:unix:/run/php/php7.1-fpm.sock|fcgi://localhost"
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>

# apache2ctl configtest
# systemctl restart apache2 && systemctl status apache2

Install and enable the following Apache modules if you are connecting to PHP through a TCP socket (127.0.0.1:9000):

# apt-get install libapache2-mod-fastcgi
# a2enmod fastcgi rewrite setenvif


Edit apache2.conf:

# vim /etc/apache2/apache2.conf

AllowOverride All

Set up a virtual host:

# cd /etc/apache2/sites-available
# cp 000-default.conf mag2.local.conf
# vim mag2.local

Check the configuration:

# apache2ctl -V
# apache2ctl -t
# apache2ctl -M
# apache2ctl configtest

Enable the site:

# a2ensite mag2.local

Start MySQL, PHP, and Apache:

# systemctl restart mysql.service
# systemctl restart php7.0-fpm.service
# systemctl restart apache2.service

# ps auxww | grep -i mysql
# ps auxww | grep -i php-fpm
# ps auxww | grep -i apache2

Install PHPStorm:

# cd ~jun/Downloads/
# tar xf PhpStorm-*.tar.gz -C /opt/
# cd /opt/PhpStorm-163.10504.2/
# ./bin/phpstorm.sh

Generate a self-signed SSL certificate:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/C=CA/ST=British Columbia/L=Vancouver/O=My Company Name/CN=erp.local" -keyout /etc/ssl/private/test.local.key -out /etc/ssl/certs/test.local.crt

Install node:

$ curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.11/install.sh | bash

$ command -v nvm

nvm

$ nvm ls-remote
$ nvm install 8.9.3
$ nvm use 8.9.3
$ node -v
$ nvm ls

$ echo '{}' > package.json
$ npm install webpack eslint js-beautify --save-dev

Reference:

https://wiki.apache.org/httpd/PHP-FPM

http://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html

https://www.digitalocean.com/community/tutorials/how-to-move-a-mysql-data-directory-to-a-new-location-on-ubuntu-16-04

http://www.fromdual.com/mysql-tmpdir-on-ram-disk

http://www.victordodon.com/changing-mysql-tmpdir-in-ubuntu/

https://blog.remirepo.net/post/2014/03/28/PHP-FPM-and-HTTPD-2.4-improvement

Saturday, February 23, 2019

Migrate to stamblerre/gocode in YouCompleteMe for Go module support

Migrate to stamblerre/gocode in YouCompleteMe for Go module support

apt install build-essential cmake python3-dev

git clone --depth 1 https://github.com/Valloric/YouCompleteMe.git

cd /home/jun/.vim/pack/plugins/start/YouCompleteMe
git submodule update --init --recursive

vim /home/jun/.vim/pack/plugins/start/YouCompleteMe/third_party/ycmd/ycmd/completers/go/go_completer.py

mdempsky/gocode
stamblerre/gocode

vim /home/jun/.vim/pack/plugins/start/YouCompleteMe/third_party/ycmd/.gitmodules

mdempsky/gocode
stamblerre/gocode

rm -rf third_party/ycmd/third_party/go/src/github.com/mdempsky/

vim ./third_party/ycmd/build.py

cd third_party/ycmd/third_party/go/src/github.com
mkdir stamblerre
cd stamblerre
git clone --depth 1 https://github.com/stamblerre/gocode.git

cd /home/jun/.vim/pack/plugins/start/YouCompleteMe

./install.py --go-completer

Reference:

https://github.com/Valloric/YouCompleteMe

https://github.com/stamblerre/gocode

Sunday, February 10, 2019

Apache SAML library

Apache SAML library

1. mod_shib

2. mod_auth_mellon

HTML a tag target="_blank" vulnerability tabnabbing

HTML a tag target="_blank" vulnerability tabnabbing

window.opener.location = 'https://fakewebsite/facebook.com/PHISHING-PAGE.html';

Solution 1:

<a target="_blank" rel="noopener noreferrer">demo</a>

Solution 2:

var newWnd = window.open();
newWnd.opener = null;

Reference:

https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

https://medium.com/@ali.dev/how-to-fix-target-blank-a-security-and-performance-issue-in-web-pages-2118eba1ce2f