Asides
Hana – Stopped statisticsserver service – Backup wont run
When running HANA on AWS, always stop the HANA service manually before stopping or restarting the AWS instance; if you do not, the statistics server appears to have a problem afterwards.
This does not appear to be EXPECTED behavior, just something that we have figured out how to work around.
If you forget this step, or the server is restarted without an administrator remembering it, then you will need to restart HANA manually.
Additionally, if for some reason your server runs out of memory or disk space, HANA can continue running, but the statisticsserver process dies and cannot be restarted through HANA Studio.
And if the statistics server is not running, you will not be able to run BACKUP within HANA.
So, to restart HANA manually, ssh to the Linux host and run the following as root (hdbadm is the <sid>adm user for SID HDB, so substitute your own SID; the HDB script is on that user's PATH):
su -l hdbadm
HDB stop
HDB start
Refresh from HANA Studio and you should see the statisticsserver process running:
– Right Click -> Administration -> Landscape -> Services tab
For reference, the error that led me to this issue was one that I received when attempting to run a backup:
Backup error: Backup is not possible because the service 'statisticsserver' at 'vhcalhdbdb:30005' responsible for the volume '2' does not run
SSL Cipher Suites – Apache config for IE 11
In past posts I showed how I had followed some suggestions from Qualys on configuring Apache to only use specific ciphers in order to pass all of the required security scans.
However, it turns out that blindly using their list of ciphers led to another problem (the page would not display in IE 11), which I describe the fix for below.
The process I go through below will also help you troubleshoot, find, and enable or disable the ciphers for any situation and browser.
On this page:
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
They suggest setting this SSLCipherSuite:
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4
However, I found IE 11 was showing "This web page can not be displayed" on Windows 7 and Windows Server 2008 (probably others as well).
I figured out that the problem was the cipher suite by commenting out the SSLCipherSuite line in Apache and restarting, after which the page loaded.
So the next step was, with the line still commented out, to run the SSL Labs test:
https://www.ssllabs.com/ssltest/
The result shows which cipher suite each browser negotiated. I would use this tool to make sure you have the correct SSLCipherSuite for any and all browsers you need to support, and to confirm that older insecure browsers are excluded.
If you look down the report to the "Handshake Simulation" portion, you will find a list of browsers with the cipher each one used. IE 11 / Win 7 had been working even before I noticed the "can not be displayed" error, so I went on a hunch and decided to try enabling the cipher that the IE 8-10 / Win 7 entry showed:
TLS_RSA_WITH_AES_256_CBC_SHA
I googled "openssl TLS_RSA_WITH_AES_256_CBC_SHA", which brought me to the OpenSSL ciphers page listing all of the cipher names. There I found that this suite's OpenSSL name is "AES256-SHA", which is the name the Apache SSLCipherSuite directive needs:
https://www.openssl.org/docs/apps/ciphers.html
Next, to confirm that this cipher is even available on my server, I ran this command (the subcommand is "ciphers", and -v prints the key exchange, authentication, encryption and MAC of each suite it selects):
openssl ciphers -v AES256-SHA
which returned a result showing that the cipher was indeed available on the server.
So I added it towards the end of the list, just ahead of RC4, and the resulting SSLCipherSuite directive I have is:
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA AES256-SHA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
And now I can load the web page in IE 11.
Note that when I ran the ssllabs.com test again, it downgraded the site to an A-, because the added cipher does not offer forward secrecy (marked with a small orange "No FS" on the report): AES256-SHA uses static RSA key exchange, so a recorded session can be decrypted later by anyone who obtains the server's private key.
I decided that this is an acceptable grade in order to allow IE 11 to access the site, but hopefully Microsoft figures it out.
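To see exactly what a given SSLCipherSuite string turns into, and which of those suites SSL Labs will mark "No FS", you can ask the local OpenSSL the same question Apache does. The script below is an added example, not code from the original post: it feeds the Qualys list and the post's AES256-SHA fix through Python's ssl module (which uses the same OpenSSL cipher-string parser as mod_ssl) and reports every selected suite whose key exchange is not ephemeral (EC)DH. TLS 1.3 suites are configured separately in OpenSSL and are left out of the comparison.

```python
"""Expand an Apache SSLCipherSuite string with the local OpenSSL and report
which of the selected suites lack forward secrecy.

Added example for this post, not code from the original; it uses only
Python's ssl module, which hands the string to the same OpenSSL cipher-list
parser that mod_ssl uses, so what it prints is what your Apache would offer
(TLS 1.3 suites are configured separately and are left out)."""
import re
import ssl

# The list quoted from the Qualys post, and the post's fix with AES256-SHA added.
QUALYS_LIST = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
               "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
               "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
               "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4")
IE11_FIX = QUALYS_LIST.replace("EDH+aRSA RC4", "EDH+aRSA AES256-SHA RC4")


def suites(cipher_string):
    """Resolve a cipher string into the suites it selects, in preference order.
    Each entry is the dict Python's ssl module reports for the suite; its
    'description' field is the same text 'openssl ciphers -v' prints."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def expand(cipher_string):
    """OpenSSL names of the selected suites, e.g. 'ECDHE-RSA-AES256-GCM-SHA384'."""
    return [c["name"] for c in suites(cipher_string)]


def key_exchange(description):
    """Pull the key-exchange algorithm ('ECDH', 'DH', 'RSA', ...) out of an
    'openssl ciphers -v' style description such as
    'AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1'."""
    match = re.search(r"Kx=(\S+)", description)
    return match.group(1) if match else "?"


def without_forward_secrecy(cipher_string):
    """Suites whose key exchange is not ephemeral (EC)DH. With static RSA key
    exchange the session keys are wrapped in the server's long-term key, so a
    recorded session can be decrypted later by anyone who obtains that key;
    this is what SSL Labs flags as 'No FS'."""
    return [c["name"] for c in suites(cipher_string)
            if key_exchange(c["description"]) not in ("ECDH", "DH")]


def report(label, cipher_string):
    names = expand(cipher_string)
    no_fs = without_forward_secrecy(cipher_string)
    print("%s: %d suites, %d without forward secrecy" % (label, len(names), len(no_fs)))
    for name in names:
        print("  %s%s" % (name, "  <- No FS" if name in no_fs else ""))


if __name__ == "__main__":
    report("Qualys list", QUALYS_LIST)
    report("With AES256-SHA", IE11_FIX)
```

Run it on the web server itself rather than on a workstation: the expansion depends on the OpenSSL build and any distribution-wide security level, which is also why the post checks availability on the server before editing the directive. Note that the trailing !RC4 removes every RC4 suite, so the RC4 entries earlier in the same string are dead weight.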
Changing IP Addresses on a XenServer 6.5 Pool
To change the ip addresses on a XenServer 6.5 pool, start with the slaves, and use the following xe commands:
Remember: Slaves first, then the Master
NOTE: There is no need to change the IP from the Management Console.
Find the UUID of the Host Management PIF:
xe pif-list params=uuid,host-name-label,device,management
You will see a big list. Find the UUID for the slave that you’re working on. Use the “more” pipe if the UUID for your particular slave scrolls off the screen:
xe pif-list params=uuid,host-name-label,device,management | more
Change the IP Address on the first slave:
xe pif-reconfigure-ip uuid=<UUID of host management PIF> IP=<New IP> gateway=<GatewayIP> netmask=<Subnet Mask> DNS=<DNS Lookup IPs> mode=<dhcp,none,static>
Then:
xe-toolstack-restart
Verify the new address with ifconfig, and/or ping it from a workstation.
Point the slave to the new Master IP Address:
xe pool-emergency-reset-master master-address=NEW_IP_OF_THE_MASTER
Repeat the commands above on all slaves.
On the Master:
xe pif-list params=uuid,host-name-label,device,management
xe pif-reconfigure-ip uuid=<UUID of host management PIF> IP=<New IP> gateway=<GatewayIP> netmask=<Subnet Mask> DNS=<DNS Lookup IPs> mode=<dhcp,none,static>
xe-toolstack-restart
DO NOT run the emergency-reset-master command on the Master.
Reboot the Master, then reboot the Slaves and verify that they can find the Master.
Matt Long
04/06/2015
SSL Vulnerability and Problem Test – Online and Command Line
There are many SSL vulnerabilities out there, and there seems to be no single test for all of them.
When working to correct SSL issues, some of the more comprehensive tests check EVERYTHING; while this is good, it can also make it difficult to test the small incremental changes that we make as system administrators.
This blog post is a place to collect links and methods we can use to quickly test individual failures.
The big test, which only takes a minute or so but is somewhat bloated for individual tests, is ssllabs.com. You will find most failures here and even get a grade:
http://ssllabs.com
But you won't find them all, and it is difficult to quickly test small changes. So here are some instant tests.
To check for an SSL certificate chain issue:
openssl s_client -connect example.com:443
To test for CVE-2014-0224, otherwise known as the CCS Injection vulnerability, enter your domain here:
http://ccsbug.exposed/
To test for CVE-2014-0160 (Heartbleed), enter your domain here:
http://possible.lv/tools/hb/
Verify ssl certificate chain using openssl
SSL certificates 'usually' work and show 'green' in browsers even if the full certificate chain is not correctly configured in Apache, because browsers cache intermediates or fetch them on their own; other clients (command-line tools, mobile apps, Java) do not, and fail.
You can use tools such as SSL Labs or run a PCI ASV scan on your site to find out if you are compliant, but a quicker way is to use openssl from the command line.
Using this command you can quickly verify your SSL certificate and certificate chain from your Linux command line:
openssl s_client -showcerts -connect mydomain.com:443
If you see the line 'Verify return code: 0 (ok)' at the end of the long output, your chain is working; if the chain is not configured correctly you will get a non-zero code such as 27, with the reason spelled out in parentheses after it.
In order to configure it correctly you will likely need a line in your Apache conf file pointing at the intermediate CA certificate(s) (SSLCertificateChainFile is the directive meant for this in Apache before 2.4.8; from 2.4.8 on the intermediates can simply be appended to the SSLCertificateFile):
SSLCACertificateFile <yourCAfilename>
in addition to the lines that name your key and cert files:
SSLCertificateFile <yourcertfilename>
SSLCertificateKeyFile <yourkeyfilename>
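The s_client output tells you two separate things: the verify return code (what the local trust store made of the chain) and the "Certificate chain" listing (which certificates the server actually sent, in what order). The script below is an added example, not code from the original post; it parses both from two constructed transcripts (certificate bodies omitted), one for a server that sends only its leaf and one that sends the intermediate as well, and reports what is wrong. Apply it to real output by piping s_client into it.

```python
"""Read the output of 'openssl s_client -showcerts -connect host:443' and
report whether the server sent a complete, correctly ordered chain.

Added example, not code from the original post. The two s_client transcripts
below are constructed (certificate bodies omitted): one server that sends
only its leaf certificate, and one that sends the intermediate as well."""
import re
import sys

ONLY_LEAF = """\
CONNECTED(00000003)
depth=0 CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(certificate omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.com
issuer=C = US, O = Example CA, CN = Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""

WITH_INTERMEDIATE = """\
CONNECTED(00000003)
depth=2 C = US, O = Example CA, CN = Example Root CA
verify return:1
depth=1 C = US, O = Example CA, CN = Example Intermediate CA
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(certificate omitted)
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(certificate omitted)
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
---
"""

# ' 0 s:<subject>' followed on the next line by '   i:<issuer>'
CHAIN_ENTRY = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_LINE = re.compile(r"Verify return code: (\d+) \((.*?)\)")


def parse_chain(output):
    """(subject, issuer) pairs in the order the server sent the certificates."""
    return [(m.group(1).strip(), m.group(2).strip()) for m in CHAIN_ENTRY.finditer(output)]


def verify_return_code(output):
    """The X509 verify result as (code, reason), or None if the line is absent."""
    match = VERIFY_LINE.search(output)
    return (int(match.group(1)), match.group(2)) if match else None


def chain_problems(output):
    """Everything wrong with the served chain that the transcript alone reveals."""
    problems = []
    result = verify_return_code(output)
    if result is None:
        problems.append("no 'Verify return code' line (did the handshake fail?)")
    elif result[0] != 0:
        problems.append("verify return code %d: %s" % result)

    chain = parse_chain(output)
    if not chain:
        problems.append("no certificate chain in output")
        return problems

    # Each certificate's issuer should be the subject of the next one sent.
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append("out of order: '%s' was not followed by its issuer '%s'"
                            % (subject, issuer))

    last_subject, last_issuer = chain[-1]
    if len(chain) == 1 and last_subject != last_issuer:
        problems.append("only the leaf was sent; unless '%s' is a root in the "
                        "client's trust store, the intermediate is missing" % last_issuer)
    return problems


if __name__ == "__main__":
    # With no stdin, run on the two constructed transcripts.
    samples = [("stdin", sys.stdin.read())] if not sys.stdin.isatty() else \
              [("leaf only", ONLY_LEAF), ("with intermediate", WITH_INTERMEDIATE)]
    for label, transcript in samples:
        print("%s: %s" % (label, chain_problems(transcript) or "chain looks complete"))
```

Usage on a live host: `openssl s_client -showcerts -connect mydomain.com:443 </dev/null | python3 chaincheck.py`. The order check matters because some clients (older OpenSSL in particular) only walk the chain in the order it was sent.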
Using MPT-Status for RAID Monitoring in a Poweredge C6100 with Perc 6
This post outlines the steps needed to get a CLI report of the conditions of your RAIDs in a Poweredge C6100 with a PERC 6/i RAID Controller.
Verify your controller type:
cat /proc/scsi/mptsas/0
ioc0: LSISAS1068E B3, FwRev=011b0000h, Ports=1, MaxQ=277
Download the following packages:
daemonize-1.5.6-1.el5.i386.rpm
mpt-status-1.2.0-3.el5.centos.i386.rpm
lsscsi-0.17-3.el5.i386.rpm
http://dl.nux.ro/utils/mpt-status/mpt-status-1.2.0-3.el5.centos.i386.rpm
http://dl.nux.ro/utils/mpt-status/daemonize-1.5.6-1.el5.i386.rpm
http://mirror.centos.org/centos/5/os/i386/CentOS/lsscsi-0.17-3.el5.i386.rpm
Install mpt-status, then load the mptctl module and make it load at boot:
rpm -ivh mpt-status-1.2.0-3.el5.centos.i386.rpm daemonize-1.5.6-1.el5.i386.rpm lsscsi-0.17-3.el5.i386.rpm
modprobe mptctl
echo mptctl >> /etc/modules
Verify your modules:
lsmod |grep mpt
mptctl 90739 0
mptsas 57560 4
mptscsih 39876 1 mptsas
mptbase 91081 3 mptctl,mptsas,mptscsih
scsi_transport_sas 27681 1 mptsas
scsi_mod 145658 7 mptctl,sg,libata,mptsas,mptscsih,scsi_transport_sas,sd_mod
Run:
mpt-status
or, for the compact form that the script below parses:
mpt-status -n -s
You can also use: lsscsi -l
This little script:
echo `mpt-status -n -s|awk '/OPTIMAL/ {print $1, "OK"}; /ONLINE/ {print $1, "OK"}; /DEGRADED/ {print $1, "FAILURE"}; /scsi/ {print $2}; /MISSING/ {print $1, "FAILURE"} '`
reports:
vol_id:0 OK phys_id:1 OK phys_id:0 OK 100% 100%
On a rebuild, it reports:
vol_id:0 FAILURE phys_id:2 OK phys_id:3 OK 75% 75%
Copy that script into a file called "check_raid" and make it executable, e.g. chmod 755.
Edit nagios-statd on parcel1. At line 20 of that file (the 'Linux' entry of commandlist), replace "sudo /customcommands/check_raid.pl -b -w1 -c1" with "/customcommands/check_raid" (no switches, and no sudo):
So, from this:
commandlist['Linux'] = ("df -P","who -q | grep \"#\"","ps ax","uptime","free | awk '$1~/^Swap:/{print ($3/$2)*100}'","sudo /customcommands/check_raid.pl -b -w1 -c1")
To this:
commandlist['Linux'] = ("df -P","who -q | grep \"#\"","ps ax","uptime","free | awk '$1~/^Swap:/{print ($3/$2)*100}'","/customcommands/check_raid")
Port 1040 will need to be opened in the XenServer firewall. Edit /etc/sysconfig/iptables and insert this line ahead of the final REJECT rule in the RH-Firewall-1-INPUT chain. As written it accepts connections from any source; since nagios-statd's only access control is its -a allow-list and its protocol is plain text with no authentication, it is better to add -s <nagios server IP>/32 so that only the Nagios server can reach the port:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1040 -j ACCEPT
Restart the firewall:
service iptables restart
Output:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[FAILED]
NOTE: The "FAILED" line above doesn't seem to be a problem. Verify that port 1040 is now open by checking the firewall status:
service iptables status
Output:
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
2 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1040
9 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:694
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
14 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
running “nagios-statd” opens port 1040 on Parcel1 and listens for commands to be initiated by nagios_stat on the nagios server.
On the Nagios server, in a file called "remote.orig.cfg", there are commands defined using "nagios-stat". NOTE: These are from a working server and haven't been modified to work with mpt-status; some changes may need to be made. This is just an example of the interaction between the Nagios server and the client.
Example:
define command{
    command_name    check_remote_raid
    command_line    $USER1$/nagios-stat -w $ARG1$ -c $ARG2$ -p $ARG3$ raid $HOSTADDRESS$
}
The command defined above is used in the "services.cfg" file.
Example:
define service{
    use                 matraex-template
    host_name           mtx-lilac
    service_description Lilac /data Raid
    check_command       check_remote_raid!1!1!1040
}
The three files needed on the C6100 node are:
/customcommands/check_raid (contents below) -rwxr-xr-x
/customcommands/nagios-statd (contents below) -rwxr-xr-x
/etc/init.d/nagios-statd (contents below) -rwxr--r--
Creating the soft links:
ln -s /etc/init.d/nagios-statd /etc/rc.d/rc3.d/K01nagios-statd
ln -s /etc/init.d/nagios-statd /etc/rc.d/rc3.d/S99nagios-statd
The -s = soft, and -f if used, forces overwrite.
/rc3.d/ designates runlevel 3
So when you do this:
ls -lt /customcommands/nagios-statd /etc/init.d/nagios-statd /customcommands/check_raid /etc/rc.d/rc3.d/*nagios-statd
This is what you should see:
lrwxrwxrwx 1 root root 22 Mar 6 08:08 /etc/rc.d/rc3.d/K01nagios-statd -> ../init.d/nagios-statd
-rwxr-xr-x 1 root root 365 Mar 6 07:59 /customcommands/check_raid
lrwxrwxrwx 1 root root 22 Mar 6 07:52 /etc/rc.d/rc3.d/S99nagios-statd -> ../init.d/nagios-statd
-rwxr-xr-x 1 root root 649 Mar 6 07:51 /etc/init.d/nagios-statd
-rwxr-xr-x 1 root root 9468 Mar 5 12:05 /customcommands/nagios-statd
Script Files:
NOTE: Here's a little fix that helped me out. I had originally pasted these scripts into a DOS/Windows editor (WordPad), which added DOS-style line endings to the file, resulting in this error:
-bash: ./nagios-statd: /bin/sh^M: bad interpreter: No such file or directory
If you encounter this, open the file in vi and convert the line endings:
hit ":" to go into command mode
enter "set fileformat=unix"
then :wq to save and quit.
/customcommands/check_raid:
#!/bin/bash
EXECFILE=/usr/sbin/mpt-status
if [ ! -e $EXECFILE ] ; then
    echo
    echo "Error $EXECFILE is not installed, please install before running"
    echo
    echo "Usage $0";
    echo
    exit 10
fi
echo `$EXECFILE -n -s|awk '/OPTIMAL/ {print $1, "OK"}; /ONLINE/ {print $1, "OK"}; /DEGRADED/ {print $1, "FAILURE"}; /scsi/ {print $2}; /MISSING/ {print $1, "FAILURE"} '`
/customcommands/nagios-statd:
#!/usr/bin/python
# nagios-statd 3.09 by Nick Reinking, Python 2 code as it runs under the
# /usr/bin/python of CentOS 5. The local changes are the sixth 'Linux'
# command and the raid() method that calls it.
import getopt, os, sys, signal, socket, SocketServer


class Functions:
    "Contains a set of methods for gathering data from the server."
    def __init__(self):
        self.nagios_statd_version = 3.09
        # As of right now, the commands are for df, who, proc, uptime, and swap.
        commandlist = {}
        commandlist['AIX'] = ("df -Ik","who | wc -l","ps ax","uptime","lsps -sl | grep -v Paging | awk '{print $2}' | cut -f1 -d%")
        commandlist['BSD/OS'] = ("df","who | wc -l","ps -ax","uptime",None)
        commandlist['CYGWIN_NT-5.0'] = ("df -P",None,"ps -s -W | awk '{printf(\"%6s%6s%3s%6s%s\\n\",$1,$2,\" S\",\" 0:00\",substr($0,22))}'",None,None)
        commandlist['CYGWIN_NT-5.1'] = commandlist['CYGWIN_NT-5.0']
        commandlist['FreeBSD'] = ("df -k","who | wc -l","ps ax","uptime","swapinfo | awk '$1!~/^Device/{print $5}'")
        commandlist['HP-UX'] = ("bdf -l","who -q | grep \"#\"","ps -el","uptime",None)
        commandlist['IRIX'] = ("df -kP","who -q | grep \"#\"","ps -e -o \"pid tty state time comm\"","/usr/bsd/uptime",None)
        commandlist['IRIX64'] = commandlist['IRIX']
        # Sixth entry is the local RAID check added for this post.
        commandlist['Linux'] = ("df -P","who -q | grep \"#\"","ps ax","uptime","free | awk '$1~/^Swap:/{print ($3/$2)*100}'","/customcommands/check_raid")
        commandlist['NetBSD'] = ("df -k","who | wc -l","ps ax","uptime","swapctl -l | awk '$1!~/^Device/{print $5}'")
        commandlist['NEXTSTEP'] = ("df","who | /usr/ucb/wc -l","ps -ax","uptime",None)
        commandlist['OpenBSD'] = ("df -k","who | wc -l","ps -ax","uptime","swapctl -l | awk '$1!~/^Device/{print $5}'")
        commandlist['OSF1'] = ("df -P","who -q | grep \"#\"","ps ax","uptime",None)
        commandlist['SCO-SV'] = ("df -Bk","who -q | grep \"#\"","ps -el -o \"pid tty s time args\"","uptime",None)
        commandlist['SunOS'] = ("df -k","who -q | grep \"#\"","ps -e -o \"pid tty s time comm\"","uptime","swap -s | tr -d -s -c [:digit:][:space:] | nawk '{print ($3/($3+$4))*100}'")
        commandlist['UNIXWARE2'] = ("/usr/ucb/df","who -q | grep \"#\"","ps -el | awk '{printf(\"%6d%9s%2s%5s %s\\n\",$5,substr($0, 61, 8),$2,substr($0,69,5),substr($0,75))}'","echo `uptime`, load average: 0.00, `sar | awk '{oldidle=idle;idle=$5} END {print 100-oldidle}'`,0.00",None)
        # Now to make commandlist with the correct one for your OS.
        try:
            self.commandlist = commandlist[os.uname()[0]]
        except KeyError:
            print "Your platform isn't supported by nagios-statd - exiting."
            sys.exit(3)

    # Below are the functions that the client can call.
    def disk(self):
        return self.__run(0)

    def proc(self):
        return self.__run(2)

    def swap(self):
        return self.__run(4)

    def uptime(self):
        return self.__run(3)

    def user(self):
        return self.__run(1)

    def raid(self):
        # Only the 'Linux' tuple has a sixth entry; elsewhere this raises
        # IndexError, which GenericHandler.run() reports as unsupported.
        return self.__run(5)

    def version(self):
        i = "nagios-statd " + str(self.nagios_statd_version)
        return i

    def __run(self,cmdnum):
        # Unmask SIGCHLD so popen can detect the return status (temporarily)
        signal.signal(signal.SIGCHLD, signal.SIG_DFL)
        outputfh = os.popen(self.commandlist[cmdnum])
        output = outputfh.read()
        returnvalue = outputfh.close()
        signal.signal(signal.SIGCHLD, signal.SIG_IGN)
        if (returnvalue):
            return "ERROR %s " % output
        else:
            return output


class NagiosStatd(SocketServer.StreamRequestHandler):
    "Handles connection initialization and data transfer (as daemon)"
    def handle(self):
        # Check to see if user is allowed
        if self.__notallowedhost():
            self.wfile.write(self.error)
            return 1
        if not hasattr(self,"generichandler"):
            self.generichandler = GenericHandler(self.rfile,self.wfile)
        self.generichandler.run()

    def __notallowedhost(self):
        "Compares list of allowed users to client's IP address."
        if hasattr(self.server,"allowedhosts") == 0:
            return 0
        for i in self.server.allowedhosts:
            if i == self.client_address[0]: # Address is in list
                return 0
            try: # Do an IP lookup of host in blocked list
                i_ip = socket.gethostbyname(i)
            except:
                self.error = "ERROR DNS lookup of blocked host \"%s\" failed. Denying by default." % i
                return 1
            if i_ip != i: # If address in list isn't an IP
                if socket.getfqdn(i) == socket.getfqdn(self.client_address[0]):
                    return 0
        self.error = "ERROR Client is not among hosts allowed to connect."
        return 1


class GenericHandler:
    def __init__(self,rfile=sys.stdin,wfile=sys.stdout):
        # Create functions object
        self.functions = Functions()
        self.rfile = rfile
        self.wfile = wfile

    def run(self):
        # Get the request from the client
        line = self.rfile.readline()
        line = line.strip()
        # Check for appropriate requests from client
        if len(line) == 0:
            self.wfile.write("ERROR No function requested from client.")
            return 1
        # Call the appropriate function
        try:
            output = getattr(self.functions,line)()
        except AttributeError:
            error = "ERROR Function \"" + line + "\" does not exist."
            self.wfile.write(error)
            return 1
        except (TypeError, IndexError):
            # TypeError: the command for this platform is None;
            # IndexError: the platform tuple has no entry for this function (raid).
            error = "ERROR Function \"" + line + "\" not supported on this platform."
            self.wfile.write(error)
            return 1
        # Send output
        if output.isspace():
            error = "ERROR Function \"" + line + "\" returned no information."
            self.wfile.write(error)
            return 1
        elif output == "ERROR":
            error = "ERROR Function \"" + line + "\" exited abnormally."
            self.wfile.write(error)
        else:
            for line in output:
                self.wfile.write(line)


class ReUsingServer (SocketServer.ForkingTCPServer):
    allow_reuse_address = True


class Initialization:
    "Methods for interacting with user - initial code entry point."
    def __init__(self):
        self.port = 1040
        self.ip = ''
        # Run this through Functions initially, to make sure the platform is supported.
        i = Functions()
        del(i)

    def getoptions(self):
        "Parses command line"
        try:
            opts, args = getopt.getopt(sys.argv[1:], "a:b:ip:P:Vh", ["allowedhosts=","bindto=","inetd","port=","pid=","version","help"])
        except getopt.GetoptError, (msg, opt):
            print sys.argv[0] + ": " + msg
            print "Try '" + sys.argv[0] + " --help' for more information."
            sys.exit(3)
        for option,value in opts:
            if option in ("-a","--allowedhosts"):
                value = value.replace(" ","")
                self.allowedhosts = value.split(",")
            elif option in ("-b","--bindto"):
                self.ip = value
            elif option in ("-i","--inetd"):
                self.runfrominetd = 1
            elif option in ("-p","--port"):
                self.port = int(value)
            elif option in ("-P","--pid"):
                self.pidfile = value
            elif option in ("-V","--version"):
                self.version()
                sys.exit(3)
            elif option in ("-h","--help"):
                self.usage()

    def main(self):
        # Retrieve command line options
        self.getoptions()
        # Just splat to stdout if we're running under inetd
        if hasattr(self,"runfrominetd"):
            server = GenericHandler()
            server.run()
            sys.exit(0)
        # Check to see if the port is available
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self.ip, self.port))
            s.close()
            del(s)
        except socket.error, (errno, msg):
            print "Unable to bind to port %s: %s - exiting." % (self.port, msg)
            sys.exit(2)
        # Detach from terminal
        if os.fork() == 0:
            # Make this the controlling process
            os.setsid()
            # Be polite and chdir to /
            os.chdir('/')
            # Try to close all open filehandles
            for i in range(0,256):
                try: os.close(i)
                except: pass
            # Redirect the offending filehandles
            sys.stdin = open('/dev/null','r')
            sys.stdout = open('/dev/null','w')
            sys.stderr = open('/dev/null','w')
            # Set the path
            os.environ["PATH"] = "/bin:/usr/bin:/usr/local/bin:/usr/sbin"
            # Reap children automatically
            signal.signal(signal.SIGCHLD, signal.SIG_IGN)
            # Save pid if user requested it
            if hasattr(self,"pidfile"):
                self.savepid(self.pidfile)
            # Create a forking TCP/IP server and start processing
            server = ReUsingServer((self.ip,self.port),NagiosStatd)
            if hasattr(self,"allowedhosts"):
                server.allowedhosts = self.allowedhosts
            server.serve_forever()
        # Get rid of the parent
        else:
            sys.exit(0)

    def savepid(self,file):
        try:
            fh = open(file,"w")
            fh.write(str(os.getpid()))
            fh.close()
        except:
            print "Unable to save PID file - exiting."
            sys.exit(2)

    def usage(self):
        print "Usage: " + sys.argv[0] + " [OPTION]"
        print "nagios-statd daemon - remote UNIX system monitoring tool for Nagios.\n"
        print "-a, --allowedhosts=HOSTS  Comma delimited list of IPs/hosts allowed to connect."
        print "-b, --bindto=IP           IP address for the daemon to bind to."
        print "-i, --inetd               Run from inetd."
        print "-p, --port=PORT           Port to listen on."
        print "-P, --pid=FILE            Save pid to FILE."
        print "-V, --version             Output version information and exit."
        print "-h, --help                Print this help and exit."
        sys.exit(3)

    def version(self):
        i = Functions()
        print "nagios-statd %.2f" % i.nagios_statd_version
        print "os.uname()[0] = %s " % os.uname()[0]
        print "Written by Nick Reinking\n"
        print "Copyright (C) 2002 Nick Reinking"
        print "This is free software. There is NO warranty; not even for MERCHANTABILITY or"
        print "FITNESS FOR A PARTICULAR PURPOSE."
        print "\nNagios is a trademark of Ethan Galstad."


if __name__ == "__main__":
    # Check to see if running Python 2.x+ / needed because getfqdn() is Python 2.0+ only
    if (int(sys.version[0]) < 2):
        print "nagios-statd requires Python version 2.0 or greater."
        sys.exit(3)
    i = Initialization()
    i.main()
/etc/init.d/nagios-statd:
#!/bin/sh
#
# This file should have uid root, gid sys and chmod 744
#
if [ ! -d /usr/bin ]
then    # /usr not mounted
    exit
fi

killproc() {            # kill the named process(es)
    pid=`/bin/ps -e |
         /bin/grep -w $1 |
         /bin/sed -e 's/^ *//' -e 's/ .*//'`
    [ "$pid" != "" ] && kill $pid
}

# Start/stop processes required for netsaint_statd server
case "$1" in
'start')
    /customcommands/nagios-statd -a <IP of Allowed Nagios Server>,<IP of Test Workstation> -p 1040
    ;;
'stop')
    killproc nagios-statd
    ;;
*)
    echo "Usage: /etc/init.d/nagios-statd { start | stop }"
    ;;
esac
Testing:
As you can see in the init script above, I've added the IP address of a test workstation. This allows me to simply telnet to a node in the C6100 and execute one of the commands defined in this section of the /customcommands/nagios-statd script:
    # Below are the functions that the client can call.
    def disk(self):
        return self.__run(0)
    def proc(self):
        return self.__run(2)
    def swap(self):
        return self.__run(4)
    def uptime(self):
        return self.__run(3)
    def user(self):
        return self.__run(1)
    def raid(self):
        return self.__run(5)
At your workstation, telnet to <Node IP Address> 1040
When connected, the screen will be blank.
Type "raid". The screen won't echo this.
When you hit enter, you should see:
vol_id:0 OK phys_id:2 OK phys_id:3 OK 100% 100%
Now you're ready to move on to the Nagios configuration.
Matt Long
03/06/2015
apache commands that ‘might’ make your server more PCI compliant
Add the following directives to your Apache configuration file to help make it more PCI compliant. The rewrite rules refuse the TRACE and TRACK methods (Apache 2.0.55 and later can also do this with TraceEnable off). Note that, unlike the list in the IE 11 cipher-suite post above, this SSLCipherSuite has no trailing !RC4, so the RC4 suites it names stay enabled.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
Update: I have made some new notes in another blog post for requirements that helped a client pass an additional test with TrustWave
ip tables commands which ‘might’ make your firewall PCI compliant
This is a list of the iptables commands that will set up a minimal firewall which 'might' be PCI compliant.
This is primarily here to remind me, so I have a reference in the future.
I also have ports for FTP and SSH open to a single developer IP, and the NRPE port (5666) open to a single monitoring server. The format is simple and can easily be changed for other services.
Be sure to replace 'my.ip' with your development IP, and 'monitoring.ip' with
This is on an Ubuntu Linux machine (of course).
apt-get install iptables iptables-persistent
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s my.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -s my.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 5666 -s monitoring.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables-save > /etc/iptables/rules.v4
Two things to keep in mind: iptables evaluates rules in order and -A appends, so the catch-all REJECT must be the last INPUT rule and the ICMP timestamp-request DROP goes before it (appended after the REJECT it would never match). And HTTP and HTTPS are TCP, so the udp 80/443 rules do nothing unless you later serve HTTP/3 on UDP 443.
moving mysql databases using mysqldump & ssh
Moving MySQL Databases Using mysqldump
On old server:
Check the /etc/mysql/my.cnf file and make note of the address listed in bind-addresses.
On the new server:
When you install MySQL, define a temporary password for root. This password will get overwritten during the transfer (the dump includes the mysql grant tables), and the old server's passwords take effect after a restart of the mysql service.
Add a new interface eth0:x in /etc/network/interfaces with the IP address noted in the old server's /etc/mysql/my.cnf file. LEAVE THIS INTERFACE DOWN UNTIL THE FINAL SWITCH.
Edit the /etc/mysql/my.cnf file:
bind-address = <address of the new server> or, less specific, 0.0.0.0
Restart the mysql service. NOTE: reload doesn't pick up the changes in my.cnf.
service mysql restart
Use this command to move the databases; the dump is streamed over ssh straight into the new server's mysql, so no dump file is written on either side:
ssh (your username)@(old server's FQDN or IP) "mysqldump -u root -p'(old root password)' --all-databases" | mysql -u root -p'(temp password designated at install on the new server)' -h (IP address of the new server)
Note that -p takes the password with no space after it (with a space, mysql prompts for a password and treats the next word as a database name), and that passwords on the command line are visible in the process list on both machines; for anything beyond a one-off migration, put them in ~/.my.cnf on each side instead.
NOTE: After the restoration of the databases on the new server, your current credentials will work until the mysql service is restarted (or FLUSH PRIVILEGES is run), at which point the old server's passwords apply.
If, for any reason, you need to do a complete re-install of MySQL, use this procedure to remove MySQL completely from the server. WARNING: the last step deletes every database on the machine.
service mysql stop   # or mysqld
deluser mysql
delgroup mysql
killall -9 mysql
killall -9 mysqld
apt-get remove --purge mysql-server mysql-client mysql-common
apt-get autoremove
apt-get autoclean
rm -rf /var/lib/mysql
Then re-install:
apt-get install mysql-server
ssh-keygen -R (FQDN)
Matt Long
3/31/2015
PCI SAQ Security Links
It seems there are a couple of Google searches that can be done to help find the forms you need to fill out the SAQ as a self-reporting web hosting company, but it took me a little bit to put them all together.
I am not a PCI security consultant, so don't take this as any kind of gospel, but here are the forms I found that I needed.
To fill out the Attestation of Compliance SAQ D 3.0 for Service Providers, get the form here:
https://www.pcisecuritystandards.org/documents/SAQ_D_v3_ServiceProvider.pdf
If you are not a service provider, you will probably need a different SAQ form.
For a quick reference, see their guide here:
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
The PCI DSS Glossary has details of many of the items mentioned in the form
https://www.pcisecuritystandards.org/security_standards/glossary.php