dino

Named rndc.key error when starting

by

When trying to restart named process after making modifications may end up in a corrupt rndc.key key and the error will show like this:

Sep 12 03:30:54 server named[23683]: /etc/rndc.key:1: configuring key ‘rndc-key’: bad base64 encoding
Sep 12 03:30:54 server named[23683]: loading configuration: bad base64 encoding
Sep 12 03:30:54 server named[23683]: exiting (due to fatal error)

A simple explanation to this is that the key got modified somehow might me some bug.
What to do about this? Well it is simple just check the /etc/rndc.conf file and copy the key from there(you will see the key in the first lines of the file) and replace the key that it is in /etc/rndc.key file and restart named process.


# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]

Writing Linux firewall rules w/ IPTables

by

The Linux kernel, since version 2.0, has included the capabilities to act as a firewall. In those days, the kernel module was called ipfwadm and was very simple. With the 2.2 kernel, the firewall module became called ipchains and had greater capabilities than its predecessor. Today, we have IPTables, the firewall module in the kernel since the 2.4 days. IPTables was built to take over ipchains, and includes improvements that now allow it to compete against some of the best commercial products available in the market. This guide will give you some background on IPTables and how to use it to secure your network.

Getting to know some important terminology
IPTables can be used in three main jobs: NAT, Packet Filtering, and Routing.

  • NAT stands Network Address Translation, and it is used to allow the use of one public IP address for many computers.
  • Packet Filteringstateless firewall and the other is stateful firewall. Stateless firewalls do not have the ability to inspect incoming packets to see if the packet is coming from a known connection originating at your computer. Stateful firewalls have the ability to inspect each packet to see if it’s part of a known connection, and if the packet is not part of a known, established connection then the packet is “dropped” or not allowed to pass through the firewall.
  • Routing is used to route various network packets to different ports, which are similar to Airport gates, or different IP addresses depending on what is requested. For example, if you have a web server somewhere in your network that uses port 8080, you can use Linux’s packet routing to route port 80 packets to your server’s port 8080. More on all this this later on.

A word on tables
There are three table types: filter, NAT, and mangle.

  • Filter – this is the default table type and contains most of the chains including input, output, and forward.
  • NAT – this table is used when new connections are created. It contains only three chains: prerouting, output, and postrouting.
  • Mangle – is used to alter packets.

The importance of chains…
There are three built-in chains that are part of IPTables.

  • The INPUT chain is used for packets comming into the Linux box. This chain can be used to stop certain packets from coming into the network or system, so for example, if would prevent another computer from pinging your network.. I will talk more about stopping ping attacks later.
  • The OUTPUT chain is used for packets coming out of your Linux box. This chain can be used to stop certain packets that you do not want to leave your network or system.
  • The FORWARD chain is used for packets passing through the network’s firewall. This chain will be used to set our NAT rules. I will go into the syntax of a basic NAT filter later in this article.
  • The PREROUTING chain is for changing packets as they come in
  • The POSTROUTING chain is for changing packets as they leave

Every chain in IPTables is either user-defined or built-in and will have a default policy, which can be either ACCEPT or DROP. ACCEPT and DROP will be discussed in the next section.

Packet targets
IPTables has targets which denotes what happens to all packets. There are four built-in targets:

  • ACCEPT – denotes if the packet should be allowed to move on.
  • DROP – denotes if the packet should be dropped and ignored.
  • QUEUE – denotes if the packet should be passed to userspace.
  • RETURN – denotes if the packet should be passed to the previous chain. Should this happen, then the packet is governed by the default policy of the previous chain.

For the most part I will be using ACCEPT and DROP targets for the sake of simplicity. These two targets are also more than enough to create your firewall rules. Please note that while there are predefined chains, they can also be a user-defined.

NAT, one IP for them all
NAT is one of the best tricks for networking; it allows one IP address to be used by many computers so they can all access the internet. NAT on your network would work through the rewriting the packet by changing the source IP address to read your internet IP address as it passes out of your network. When a packet needs to return to the source, the packet’s destination IP address is changed back to the computer’s IP address inside your network. For example, if your computer with an IP address of 192.168.1.2 needed to get to Google, whose IP address is 216.239.57.99, the NAT firewall would change 192.168.1.2 to something like 64.199.1.83 and would then be passed throught the internet to Google. When Google sends a response, the IP address is changed from 64.199.1.83 to 192.168.1.2 and is received at your computer inside the network.

To write IPTables rules you will need to open a command prompt, but there are some graphical apps to help you out. One application that makes writing IPTables rules simple is Firestarter for GNOME. KDE users can benefit from an application like knetfilter.



Some notes on IPTables syntax
IPTables chain syntax can be confusing, particularly for beginners, but once you have the basics down, anyone can learn to write their own firewall rules; be patient, it just takes time. It took me about 3 months to figure out how to write a rule to block ICMP packets which are used to ping computers. IPTables syntax looks like this: iptables -t filter -A INPUT -p icmp -i eth0 -j DROP.

  • The -t filter specifies that this rule will go into the filter table. If you wanted to write a NAT rule you would type -t nat.
  • The -A INPUT specifies that the rule is going to be appended to the INPUT chain. Other possible syntax would be -A OUTPUT, -A FORWARD, -A PRETROUTING, and-A POSTROUTING.
  • The -p icmp specifies that the packet has be from the ICMP protocol. The other two options are -p tcp used for TCP packets, and -p udp used for UDP packets.
  • The -i eth0 specifies that the packet has to be coming in via the eth0 interface or your first network device.
  • The -j DROP that if the packet matches it should be dropped. This rule is to stop people from using finger (used to see who else is on the system) , ping (used to check if a server is responding), or other methods to discover your network.

The next two rules are going to do the work of blocking connections not originating from inside your network.

iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

The -m state –state ESTABLISHED,RELATED was used to match the state of the packet coming in via eth0 (your ethernet device) and if the packet matches, then the packet is accepted. The -m is used to match on a specific option. Some possible options are -m limit –limit which looks for a limited rate, -m tos –tos used to match the TOS IP header field on a packet, -m unclean which is used to match packets that look “suspicious”.

The next rule is going to do source NAT, which will allow your network to connect using one IP address.

iptables -t nat -A POSTROUTING -o eth0

Depending on if you have a Static IP or Dynamic IP you would type: -j SNAT –to-source 1.2.3.4 for Static IP, and -j MASQUERADE for Dynamic IP at the end of the above code. As a bonus, i’ll tell you how to do destination NAT, which will allow you to put a server behind the firewall at the expense of security.

iptables -t nat -A PREROUTING -i eth0 -p tcp –dport www -j DNAT –to-dest 192.168.1.2

The –dport www denotes that the destination port is port 80. You can use text like www (port 80) or ftp (port 21) or simply use port numbers. The -j DNAT part of the rule is the target, similar to -j DROP or -j ACCEPT in previous examples. –to-dest 192.168.1.2 tells IPTables where you want the packet to go. –sport 8080 is just like –dport www.

For three years i have writen my own firewall rules. IPTables saved my computer from MyDoom and Sasser worms/viruses. Hopefully, now you too can write your own firewall rules. IPTables is a usefull tool in the Linux user’s tool belt, for protecting Linux and Windows computers.

How do I Drop or block attackers IP with null routes?

by

Someone might attack on your system. You can drop attacker IP using IPtables. However one of our sr. sys admin highlighted something new for me. You can nullroute (like some time ISP do prevent your network device from sending any data to a remote system.) stopping various attacks coming from a single IP (read as spammers or hackers):

Suppose that bad IP is 65.21.34.4, type following command at shell:

# route add 70.126.142.72 127.0.0.1

You can verify it with following command:

# netstat -nr

This is cool, as you do not have to play with iptables rules.

Catch PHP nobody Spammers

by

PHP and Apache has a history of not being able to track which users are sending out mail through the PHP mail function from the nobody user causing leaks in formmail scripts and malicious users to spam from your server without you knowing who or where. Watching your exim_mainlog doesn’t exactly help, you see th email going out but you can’t track from which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check out your PHP.ini file you’ll notice that your mail program is set to: /usr/sbin/sendmail and 99.99% of PHP scripts will just use the built in mail(); function for PHP – so everything will go through /usr/sbin/sendmail =)

Requirements:
We assume you’re using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems but we’re only tested it on a Cpanel/WHM Red Hat Enterprise system.



Step 1)
Login to your server and su – to root.


Step 2)
Turn off exim while we do this so it doesn’t freak out.
/etc/init.d/exim stop

Article provided by WebHostGear.com


Step 3)
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:

#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, “>>/var/log/spam_log”) || die “Failed to open file ::$!”;
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO “$date – $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n”;
}
else {

print INFO “$date – $PWD –  @infon”;

}
my $mailprog = ‘/usr/sbin/sendmail.hidden’;
foreach  (@ARGV) {
$arg=”$arg” . ” $_”;
}

open (MAIL,”|$mailprog $arg”) || die “cannot open $mailprog: $!n”;
while (<STDIN> ) {
print MAIL;
}
close (INFO);
close (MAIL);

Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail

Step 6)
Create a new log file to keep a history of all mail going out of the server using web scripts
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7)
Start Exim up again.
/etc/init.d/exim start

Step 8)
Monitor your spam_log file for spam, try using any formmail or script that uses a mail function – a message board, a contact script.
tail – f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 – /home/username/public_html/directory/subdirectory –  nobody x 99 99   Nobody / /sbin/nologin

Log Rotation Details
Your spam_log file isn’t set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp — we’ll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}

Notes:
You may also want to chattr + i /usr/sbin/sendmail so it doesn’t get overwritten.

Windows integration notes

by

Make program default editor for a file type

Shift-right-click on a file of a type; this forces the ‘open with’. Click ‘Choose program’, find it, and select the checkbox that tells windows to always open files of this type.

Change IE ‘view source’ program

Folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\View Source Editor\Editor Name

has a default key that is the path to a program, e.g.

C:\Program Files\Notepad2\Notepad2.exe

Add to context menu for all files

Run regedit. Create the key:

HKEY_CLASSES_ROOT\*\shell\

…if it doesn’t exist. Choose a name that doesn’t exist under it, e.g. Notepad2, and create that as key, and a key under it called ‘command’:

HKEY_CLASSES_ROOT\*\shell\Notepad2
HKEY_CLASSES_ROOT\*\shell\Notepad2\command

Make the default value under the first what you want to appear in the menu and the second what you want it to run, e.g.

“Edit with Notepad2”
and
“C:\Program Files\Notepad2\Notepad2.exe” “%1”

…respectively.

PHP Upgrade issues : Plesk / Redhat 4

by


PHP Upgrade issues : Plesk / Redhat 4

I was trying to upgrade the PHP version to php5 on a Redhat 4 server with Plesk 8.4 but had many issues, as the redhat mirrors do not have PHP5. PHP5 is available with Redhat 5. I used atomicrocketturtle repository for the installation, here is a guide for the upgrades http://www.atomicorp.com/wiki/index.php/PHP

I then tried the wiki but got errors for up2date

#  up2date php –dry-run
Unresolvable chain of dependencies:
php-domxml-4.3.9-3.22.12 requires php = 4.3.9-3.22.12
php-pear-4.3.9-3.22.12 requires php = 4.3.9-3.22.12
php-sqlite2-1.0.2-200608291859 requires php <= 4.4.0

Later I used yum which too gave me errors for php-pdo and php-xml :

# yum update php
Error: Missing Dependency: php-common = 5.2.5-3.el4.art is needed by package php-pdo

I fixed that error by installing php-pdo

# yum install php-pdo
# yum update php
Error: Missing Dependency: php-common = 5.2.5-3.el4.art is needed by package php-xml
# yum install php-xml

You need to modify the php.ini for the module path, the upgrade will not modify the path to php5

Edit the php.ini to one as below :

; Directory in which the loadable extensions (modules) reside.
;extension_dir = /usr/lib/php4
extension_dir = /usr/lib/php/modules

Now I had previously ioncube installed on the php4 which throwed errors 🙁

# php -v
Failed loading /usr/lib/php4/php_ioncube_loader_lin_4.3.so:
/usr/lib/php4/php_ioncube_loader_lin_4.3.so: undefined symbol: zend_hash_add_or_update
PHP 5.2.6 (cli) (built: May  2 2008 11:18:31)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies

I installed ioncube loader for php5 using :

# yum install php-ioncube-loader

Still the error was same, I debugged a  lot and found that there was ioncube_loader config file under php.d

# ls /etc/php.d | grep ioncube
ioncube.ini
ioncube-loader.ini

I removed the file ioncube-loader.ini which was for php4 and fixed the upgrade problems.

#  php -v
PHP 5.2.6 (cli) (built: May  2 2008 11:18:31)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with the ionCube PHP Loader v3.1.32, Copyright (c) 2002-2007, by ionCube Ltd., and
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies


Hope this helps anyone in mess 🙂

DNS Cache Poisoning Test

by


Q. How do I verify that my ISP or my own recursive resolvers are free from DNS cache poisoning bug that is promised full disclosure of the flaw by Dan on August 7 at the Black Hat conference? How do I test my dns server for DNS cache pollution or DNS Cache Poisoning bug?

A. DNS cache poisoning (also known as DNS cache pollution) is a maliciously created or unintended situation that provides data to a Domain Name Server that did not originate from authoritative DNS sources. It occur if DNS “spoofing attack” has been encountered. An attacker will send malicious data / non-secure data in response to a DNS query. For example dns query for www.linuxbabu.net can be redirected to www.redhat.com.

how do I find out if my DNS server is open to such attack or not?

Visit Dan Kaminsky java script page to check your DNS

You can also use following command dig command, enter:
$ dig +short @{name-server-ip} porttest.dns-oarc.net txt
$ dig +short @ns1.example.com porttest.dns-oarc.net txt
$ dig +short @208.67.222.222 porttest.dns-oarc.net txtSample output:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.67.222.222 is GOOD: 26 queries in 0.1 seconds from 26 ports with std dev 17746.18"

Another test,
$ dig +short @125.22.47.125 porttest.dns-oarc.net txtOutput:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"125.22.47.139 is POOR: 42 queries in 8.4 seconds from 1 ports with std dev 0.00"


FIX :

Run yum update
yum updateOpen named.conf file and comment out following two lines:
query-source port 53;
query-source-v6 port 53;Make sure recursion is limited to your LAN only. Set ACL. Restart bind to take effect:
rndc reload 

service named restart


hwclock – query and set the hardware clock

by

set the system time from the hardware clock

============================================

root@s1 [~]# /sbin/hwclock –hctosys
root@s1 [~]#

set the hardware clock to the current system time

============================================

root@s1 [~]# /sbin/hwclock –systohc
root@s1 [~]#

root@s1 [~]# /sbin/hwclock –help
hwclock – query and set the hardware clock (RTC)

Usage: hwclock [function] [options…]

Functions:
–help        show this help
–show        read hardware clock and print result
–set         set the rtc to the time given with –date
–hctosys     set the system time from the hardware clock
–systohc     set the hardware clock to the current system time
–adjust      adjust the rtc to account for systematic drift since
the clock was last set or adjusted
–getepoch    print out the kernel’s hardware clock epoch value
–setepoch    set the kernel’s hardware clock epoch value to the
value given with –epoch
–version     print out the version of hwclock to stdout

Options:
–utc         the hardware clock is kept in coordinated universal time
–localtime   the hardware clock is kept in local time
–directisa   access the ISA bus directly instead of /dev/rtc
–badyear     ignore rtc’s year because the bios is broken
–date        specifies the time to which to set the hardware clock
–epoch=year  specifies the year which is the beginning of the
hardware clock’s epoch value
–noadjfile   do not access /etc/adjtime. Requires the use of
either –utc or –localtime

Problems with LWP and access to https URL’s : 500 read failed: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

by
If you’re using perl scripts on your server that use LWP and suddenly find them failing with connections to https resources with the following type error:


500 read failed: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

then you’ve probably got LWP v5.811 installed which breaks SSL connections! The author fixed the problem he created after about two days with v5.812 but the damage was done on many servers. cPanel have put a hold back on cpan module updates for LWP to v5.810 but if your servers already upgraded LWP then you’ll need to either upgrade it manually from the cpan source to v5.812 or downgrade to v5.810.

Downgrading LWP:

wget http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/libwww-perl-5.810.tar.gz
tar -xzf libwww-perl-5.810.tar.gz
cd libwww-perl-5.810
perl Makefile.PL
make
(take the default options unless you want to additional binaries installed)
make install

OR

Easier Way is to upgrade using cpan

Upgrading LWP:

# cpan
CPAN: File::HomeDir loaded ok (v0.80)
Exiting subroutine via last at /usr/lib/perl5/5.8.8/CPAN.pm line 1450.
cpan>upgrade LWP
This should fix the error 🙂

error: stat of /var/log/cron failed: No such file or directory

by

Hi guys… Today I faced a issue with a new VPS installed with EZ template Centos 5.2. I was preparing the VPS with logwatch, apf and other security and got cron error under roots mail.

Cron errors shows log errors :

/etc/cron.daily/logrotate:

error: stat of /var/log/boot.log failed: No such file or directory
error: stat of /var/log/cron failed: No such file or directory

OR

You do not find log files updating

This was due to the syslog daemon not running. Check if the service is running and restart. Your server may have syslogd daemon on rsyslogd depending on your OS.

I had rsyslogd on Centos 5.2

# /etc/init.d/rsyslog status
rsyslogd is stopped
rklogd is stopped

# /etc/init.d/rsyslog start
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]

Check if the service is being started at the starup :

 

# chkconfig –list | grep rsyslog
rsyslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Use Command to enable the daemon at startup

# chkconfig rsyslog on

The log files were not being created due to the daemons stopped, after restart all started generating.

Cheers!

🙂