Hoxt.com – Open Source Mirrors Apache, CPAN, PHP, MySQL, PuTTY, Linux Virtual Server, Linux Documentation Project, ProFTPD


Install OSSEC automatically with expect

If you want to script the installation of OSSEC, this expect script spawns install.sh and answers each prompt for you: a local install into the default directory, e-mail notification to root@localhost through the SMTP server the installer detects, and syscheck, rootcheck, active response and the firewall-drop response all enabled. The patterns are substrings of the 2.4.1 prompts; check them against the installer output of the version you are deploying, because with timeout -1 a prompt that never matches hangs the script forever.

#!/usr/bin/expect -d
# -d prints expect's own diagnostics, handy while matching prompts; use -f for quiet runs.
set timeout -1    ;# no timeout: the compile step between the last two prompts can take minutes
spawn ossec-hids-2.4.1/install.sh
expect "en/br/cn/de"
send "en\r"
expect "Press ENTER to continue"
send "\r"
expect "What kind of installation"
send "local\r"    ;# server, agent or local
expect "Choose where to install the OSSEC HIDS"
send "\r"         ;# accept the default directory
expect "Do you want e-mail notification"
send "y\r"
expect "your e-mail address"
send "root@localhost\r"
# The installer asks "Do you want to use it" only when it auto-detects an SMTP
# server; otherwise it asks you for one, and "localhost" is assumed here.
expect {
    "Do you want to use it"   { send "y\r" }
    "What's your SMTP server" { send "localhost\r" }
}
expect "Do you want to run the integrity check daemon"
send "y\r"
expect "Do you want to run the rootkit detection engine"
send "y\r"
expect "Do you want to enable active response"
send "y\r"
expect "Do you want to enable the firewall-drop response"
send "y\r"
expect "Do you want to add more IPs to the white list"
send "n\r"
expect "Press ENTER to continue"
send "\r"
expect "Press ENTER to finish"
send "\r"
expect eof
# hand install.sh's exit status back to whatever called this script
catch wait result
exit [lindex $result 3]


shell scripting – Bash alias that takes argument

Normally, you would have this shortcut in .bash_profile (or .bashrc):

alias sshwww='ssh john@www.example.com'

What about when you have 100s of www servers? An alias cannot take an argument, but a shell function can:

sshwww() { ssh "john@$1.example.com"; }

Usage: "sshwww web1", "sshwww web2"

Even more, you can su directly to root from john. su needs a terminal to read the root password, so ask ssh for one with -t (without it su fails with "standard in must be a tty"):

sshroot() { ssh -t "john@$1.example.com" su; }

Usage: "sshroot web1", "sshroot web2"


Make an encrypted password for useradd

Very simple using php (crypt() with no salt argument picks a salt for you; the output below is an MD5-crypt hash, the $1$ prefix):

php -r "echo crypt('myplaintextpassword123');"

Paste the hash into useradd -p, and single-quote it: in double quotes the shell would expand $1, $abJez234 and $fD4Dn4IrG3Hzeas3hBjIb0 as variables and you would create the account with a mangled password field. The hash, not the plaintext, is what lands in /etc/shadow, but it still shows up in your shell history and in ps while useradd runs.

useradd -m -p '$1$abJez234$fD4Dn4IrG3Hzeas3hBjIb0' -d /home/john -s /bin/bash john
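The same thing with the SHA-512 crypt scheme ($6$) that current Linux systems use for /etc/shadow, as an added example that is not the post's own code: it generates a random salt, hashes via `openssl passwd -6` or, failing that, perl's crypt() (which calls the system crypt(3)), and includes a verifier that re-hashes with the salt taken from an existing hash. The function names and the useradd line in the comment are this example's; "john" is the post's placeholder.

```shell
#!/bin/sh
# Added example, not the blog's own code: build a SHA-512 crypt(3) hash
# ($6$salt$hash) for useradd -p, with a fresh random salt each time.
# Uses `openssl passwd -6` when available, else perl's crypt(), which calls
# the system crypt(3); both understand the $6$ scheme on glibc and musl.

# 16 salt characters from the alphabet crypt(3) accepts: [a-zA-Z0-9./]
gen_salt() {
    LC_ALL=C tr -dc 'a-zA-Z0-9./' < /dev/urandom | head -c 16
}

# Usage: crypt_sha512 PASSWORD [SALT]
# The password travels via stdin or the environment, never argv, so it is
# not visible in ps output or the shell history of the host generating it.
crypt_sha512() {
    pw=$1
    salt=${2:-$(gen_salt)}
    case $salt in
        ''|*[!a-zA-Z0-9./]*) printf 'crypt_sha512: bad salt\n' >&2; return 1 ;;
    esac
    if out=$(printf '%s\n' "$pw" | openssl passwd -6 -stdin -salt "$salt" 2>/dev/null) \
       && [ -n "$out" ]; then
        printf '%s\n' "$out"
    else
        PW=$pw perl -e 'print crypt($ENV{PW}, "\$6\$$ARGV[0]\$"), "\n"' "$salt"
    fi
}

# Usage: verify_password PASSWORD HASH  -> exit 0 if they match.
# Re-hashes with the salt taken from the third $-separated field, so it
# covers the plain $6$salt$hash form produced above (no rounds= prefix).
verify_password() {
    salt=$(printf '%s' "$2" | cut -d'$' -f3)
    [ "$(crypt_sha512 "$1" "$salt")" = "$2" ]
}

# As root, the useradd line from the post becomes the following. The
# substituted hash is not expanded again by the shell, so its $ signs survive:
#   useradd -m -d /home/john -s /bin/bash -p "$(crypt_sha512 "$pw")" john
```

The salt check matters: crypt(3) implementations truncate or reject salts with characters outside that alphabet, and a truncated salt silently weakens the hash.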


su – Run a command after entering root password

For better scripting automation while still keeping the security of su and a non-root login:

su -c "mysql -e 'SHOW STATUS;' "

This returns the status of mysql: you run it as a regular user, su asks for root's password, and the command runs as root. The obvious next step is to do the same over ssh:

ssh nonroot@server "su -c \"mysql -e 'SHOW STATUS;' \""

You'll get the "standard in must be a tty" error: su refuses to read the root password because ssh ran the command without a terminal. Nice concept but it does not work like this. One suggestion I've seen is an expect script, but even then the root password should not be supplied automatically; the expect script still has to ask for it.

Update: no need for an expect script. The ssh option "-t" forces a pseudo-tty to be allocated on the remote side (see the man page), which is all su needs. So the solution is this:

ssh -t nonroot@server "su -c \"mysql -e 'SHOW STATUS;' \""

Security is still there: you'll be asked for two different passwords (nonroot's for ssh, unless you use keys for that step, and root's for su), but you can now write a script that guides the process flow as you expected, instead of having to instruct users to type in a certain command (e.g. then type su, then type your xxx command). Love it eh!
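The sshwww/sshroot helpers from the "Bash alias that takes argument" post and the ssh -t su -c command from this one, combined into one added example (not the blog's own code) that handles the two things the one-liners skip: the host argument is checked before it goes near a command line, and the remote command is quoted exactly once so it survives the ssh, remote shell and su -c layers without the nested \"...\" escaping. "john" and "example.com" are the posts' placeholders; "web1" and the mysql command in the comments are only illustrative.

```shell
#!/bin/sh
# Added example, not the blog's own code: sshwww/sshroot with a validated
# host argument and a single quoting layer for the command run under su.
# "john" and "example.com" are the posts' placeholders.

SSH_USER=john
SSH_DOMAIN=example.com

# Print john@NAME.example.com, or fail if NAME is not a plain host label.
# Allowing only [A-Za-z0-9-] keeps shell metacharacters, dots (no escaping to
# another domain) and option-looking strings out of the ssh command line.
www_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9-]*)
            printf 'www_host: refusing host label "%s"\n' "$1" >&2
            return 1 ;;
    esac
    printf '%s@%s.%s\n' "$SSH_USER" "$1" "$SSH_DOMAIN"
}

# Wrap a string in single quotes for the remote login shell, turning each
# embedded single quote into '\'' so the string comes back out unchanged.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command string ssh hands to the remote shell. su receives the
# whole command as one -c argument and runs it under root's shell, so the
# only quoting needed is the one shell_quote adds.
remote_root_cmd() {
    printf 'su -c %s\n' "$(shell_quote "$1")"
}

# Usage: sshwww web1
sshwww() {
    host=$(www_host "$1") || return 1
    ssh "$host"
}

# Usage: sshroot web1 "mysql -e 'SHOW STATUS;'"
# -t makes ssh allocate a pty on the remote side; su needs one to prompt for
# the root password and otherwise fails with "standard in must be a tty".
sshroot() {
    host=$(www_host "$1") || return 1
    ssh -t "$host" "$(remote_root_cmd "$2")"
}
```

shell_quote is the generic fix: quote the command once for the remote login shell, and su passes it to root's shell as a single argument, so the nested escaping disappears no matter what the command contains.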


Puppet locking problem

If you run "puppetd --test" manually or via the service and get this error:

Run of Puppet configuration client already in progress; skipping

Problem: the lock file from a previous run was not removed, typically because that run was killed or crashed before it could clean up. It's a known bug: http://projects.reductivelabs.com/issues/2888

Solution: manually remove /var/lib/puppet/state/puppetdlock.
Before you do, check /var/run/ for the pid file and confirm with ps whether a puppetd is in fact still running. If it is, the lock is legitimate: let that run finish or kill the process, rather than deleting the lock underneath it and starting a second run.
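A check to run before deleting the lock, as an added example that is not from the post or from Puppet: it reads the pid out of the lock file (assumption: the lock holds the pid of the run that created it, as Puppet's pid-style locks do) and only calls the lock stale when that process is gone. The function names are this example's; the path in the usage comment is the post's. It works on any pid-style lock file, not just Puppet's.

```shell
#!/bin/sh
# Added example, not from the post or from Puppet: decide whether a pid-style
# lock file is stale before removing it. Assumes the lock file contains the
# pid of the run that created it, which is how Puppet's pidlock-type locks
# behave; an empty lock file is treated as stale.

# Usage: lock_is_stale LOCKFILE
# Exit 0 if the lock's pid is gone (stale), 1 if that process is still
# running, 2 if there is no lock file at all.
lock_is_stale() {
    [ -e "$1" ] || return 2
    pid=$(tr -dc '0-9' < "$1")
    [ -n "$pid" ] || return 0
    # kill -0 fails with EPERM for processes we do not own, so also look in
    # /proc (Linux) before declaring the pid dead.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        return 1
    fi
    return 0
}

# Usage: clear_stale_lock LOCKFILE
# Removes the lock only when lock_is_stale says the owner is gone; otherwise
# reports the live pid and leaves the lock alone so you can decide about
# that process yourself.
clear_stale_lock() {
    rc=0
    lock_is_stale "$1" || rc=$?
    case $rc in
        0) rm -f "$1"; printf 'removed stale lock %s\n' "$1" ;;
        1) printf 'lock %s is held by running pid %s\n' "$1" "$(cat "$1")" >&2; return 1 ;;
        2) printf 'no lock file at %s\n' "$1" ;;
    esac
}

# For the post's case (then re-run puppetd --test):
#   clear_stale_lock /var/lib/puppet/state/puppetdlock
```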


mod_security and Apache dummy internal connection

Apache's internal dummy connections (the requests httpd makes to itself to wake up child processes) trip the "Request Missing an Accept Header" rule. The core rule set's exception for them matches on the source address 127.0.0.1, so if your Apache listens only on specific IPs and not on 127.0.0.1, the dummy connections come from one of those IPs and the exception never matches.

Solution: add a Listen for 127.0.0.1 to your httpd.conf, and make it the first Listen statement before the others: the dummy connection is made to the first listening address, which is then also the address it arrives from.

You might want to add exceptions or slowly introduce the rulesets. Some core rules are very specific and might not work for your case. Comment the includes out and enable them one file at a time:

#Include modsecurity.d/base_rules/modsecurity_crs_20_protocol_violations.conf
#Include modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf
#Include modsecurity.d/base_rules/modsecurity_crs_23_request_limits.conf
#Include modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf
#Include modsecurity.d/base_rules/modsecurity_crs_35_bad_robots.conf
#Include modsecurity.d/base_rules/modsecurity_crs_40_generic_attacks.conf
#Include modsecurity.d/base_rules/modsecurity_crs_41_phpids_converter.conf
#Include modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf
#Include modsecurity.d/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
#Include modsecurity.d/base_rules/modsecurity_crs_41_xss_attacks.conf
#Include modsecurity.d/base_rules/modsecurity_crs_42_tight_security.conf
#Include modsecurity.d/base_rules/modsecurity_crs_45_trojans.conf
#Include modsecurity.d/base_rules/modsecurity_crs_47_common_exceptions.conf
#Include modsecurity.d/base_rules/modsecurity_crs_48_local_exceptions.conf
#Include modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf
#Include modsecurity.d/base_rules/modsecurity_crs_49_inbound_blocking.conf
#Include modsecurity.d/base_rules/modsecurity_crs_50_outbound.conf
#Include modsecurity.d/base_rules/modsecurity_crs_59_outbound_blocking.conf
#Include modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf

Some example exceptions. ModSecurity 2.7 and later refuse rules without a unique id, so each one carries one here; the 1001-1003 values are placeholders, pick them from a range you reserve for local rules.

# avoid for Apache dummy internal connection
# Caveat: this trusts every request that arrives from 127.0.0.1, so anything
# that reaches Apache through a reverse proxy or other hop on the same box
# bypasses the WAF completely. Keep it only if nothing but httpd itself talks to loopback.
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "id:1001,phase:1,nolog,allow,ctl:ruleEngine=Off"

# turn off for this file
# A bare allow in phase 1 skips the remaining phases too, so neither the
# request body nor the response of special.php gets inspected.
SecRule REQUEST_BASENAME "^special\.php$" "id:1002,phase:1,nolog,allow,ctl:ruleEngine=Off"

# certain agents do not send an Accept header and that's okay; I don't need to see those errors.
# This removes only rule 960015 (Request Missing an Accept Header) for that agent
# and leaves the rest of the rule set running, which is the narrower exception.
SecRule REQUEST_HEADERS:User-Agent "SomeAgentString" "id:1003,phase:1,nolog,pass,ctl:ruleRemoveById=960015"
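Before adding the Listen, confirm where the dummy connections are actually coming from. The check below is an added example, not from the post or from the CRS: it pulls the client address of every dummy-connection request out of an access_log in common/combined format (those requests carry a User-Agent ending in "(internal dummy connection)") and tells you whether all of them come from 127.0.0.1. The function names are this example's, and the log lines written by write_sample_log are constructed for it, with RFC 5737 documentation addresses standing in for real server IPs.

```shell
#!/bin/sh
# Added example, not from the post or from the CRS: which address do Apache's
# internal dummy connections come from? They are the requests whose User-Agent
# ends in "(internal dummy connection)". Reads an access_log in common or
# combined format (client address in field 1).

# Usage: dummy_conn_sources LOGFILE
# Prints "<count> <address>" per source address, most frequent first.
dummy_conn_sources() {
    grep -F '(internal dummy connection)' "$1" \
        | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Usage: dummy_conn_loopback_only LOGFILE
# Exit 0 when every dummy connection came from 127.0.0.1 (the CRS exception
# keyed on that address will match), 1 when some came from another address,
# which is what you see when the first Listen is a public IP. A log with no
# dummy connections at all also exits 0.
dummy_conn_loopback_only() {
    dummy_conn_sources "$1" | awk '$2 != "127.0.0.1" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample log for this example (203.0.113.7 stands in for the
# server's public IP, which is where the dummy connections come from when
# the first Listen is that address).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Mar/2010:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:10:00:02 +0000] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
203.0.113.7 - - [10/Mar/2010:10:00:03 +0000] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
127.0.0.1 - - [10/Mar/2010:10:00:04 +0000] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"
198.51.100.9 - - [10/Mar/2010:10:00:05 +0000] "GET /special.php HTTP/1.1" 200 128 "-" "SomeAgentString"
EOF
}

SAMPLE_LOG=$(mktemp)
write_sample_log "$SAMPLE_LOG"
dummy_conn_sources "$SAMPLE_LOG"
if dummy_conn_loopback_only "$SAMPLE_LOG"; then
    echo "all dummy connections come from 127.0.0.1: the CRS exception will match"
else
    echo "dummy connections come from a non-loopback address: the 127.0.0.1 exception will not match"
fi
rm -f "$SAMPLE_LOG"
```

Run dummy_conn_sources against your real access_log; if the top address is not 127.0.0.1, that is the address your first Listen binds, and adding Listen 127.0.0.1 ahead of it is what moves the dummy connections back to loopback.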
