Pages

Thursday, October 19, 2023

Login hangs for scanning account

The Proplem

I ran into this issue the other day. Tenable.sc (formerly Security Center) was reporting a hit on plugin 21745 for a Red Hat Enterprise Linux 8 (RHEL 8) system. I checked on the account used on the systems for scanning and it wasn't locked out or anything. When I tryied to SSH into the system with the credentals, it would just hang. The system logs showed "login successful". When I rebooted the system was able to login normally again, but the problem would come back eventually.

The Cause

When the Nessus scanner scanner connects to a system, it's scanning, it makes several connections to the host. Each connection starts a tmux session. The proplem is the TMUX sessions where not being closed after the Nessus scanner disconnected from the system. It turned out that the account used for security scanning had around 2,000 TMUX sessions running.

The Fix

Add "set -g destroy-unattached on" to the /etc/tmux.conf file.

scanuser@remotesystem> sudo echo "set -g destroy-unattached on" >> /etc/tmux.conf

This will apend this line "set -g destroy-unattached on" into the /etc/tmux.conf configuration file. This will auto close sessions not being actively used.


Anther Fix


Set system wide rules for TMUX on the effected systems so only the account used by the Nessus scanner will have use of the TMUX terminal multiplexer. /etc/profile.d/custom.sh
[ "$USER" != "scanuser" ] then if [ "$PS1" ] then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) case "$name" in (sshd|login) exec tmux esac fi fi

Defs

TMUX is an open-source terminal multiplexer for Unix type systems. Mulitple terminal sessions can accessed simultaneously by spliting the terminal into different screens. Can also detach remote sessions and reattach later, simular to what the screen application can do.
Tenable Plugin a plugin is a script deployed by the Nessus scanner to check for security vulnerabilities. In this case plugin 21745 is an info plugin, it displays info from other plugins. This plugin is triggered (displayed) whenever a login failure occurs.

Other useful links

Tmux Cheat Sheet & Quick Reference
https://tmuxcheatsheet.com/
A beginner's guide to tmux
https://www.redhat.com/sysadmin/introduction-tmux-linux

Tuesday, March 7, 2023

Setup SSH Keys with Agent

This guide for setting up SSH Keys with an SSH Agent for auto-logging into Linux based systems. Why set up SSH keys, why not just use your password? SSH Keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the passwords are not transmitted then they can't be intercepted. This works by identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. When you set up an SSH agent then the agent will handle the challenge-response authentication for you.

This guide is not for installing or setting up a SSH server. You must have the sshd service running on your system in order to follow along with this guide. All the examples are take from a Red Hat system. In the following examples, earth is the name on the local system and moon is the remote system. 

Create you key pair

The ssh-keygen command will generate a public and private keypair. The keys will be stored in the users home directory by default, this is the path  ~/.ssh/. The basic command looks like this: ssh-keygen -t [dsa|rsa]  The -t sets the type of keys used. In the example below I create a rsa key pair. This command also sets the passphrase, think of this like setting a password. Make sure you remember the  passphrase because you will use this instead of the password for logging into the remote system (moon).
man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:dfhjodfnk
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

It is import to protect your private key, so don't share it. 

Note- Do not leave the passphrase blank. Doing this is a bad security practice, because this defeats the purpose of having the extra security of SSH keys. This will make the system less secure. If you have done this just rerun the command and add a passphrase. 

Install Public Key on Remote Host

You install the public SSH key by copying or appending it to the authorized_keys file on a remote host. This file is also located in the users home directory, ~/.ssh/.  For most systems you can use the ssh-copy-id command, which I cover in Method 1.  I will show a work around if the ssh-copy-id command is not available, in Method 2 & 3.

Method 1 - Use The ssh-copy-id Command

The easiest way to install the public key to a remote SSH server is use the ssh-copy-id command. To use the command type "ssh-copy-id <remote host>". This command appends the public key to the authorized_keys file on the the remote host. If the file doesn't exist it will be created. 
In the example below "moon" is the name of the remote host.
man@earth> ssh-copy-id moon
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

This the best way is to copy over the public key because ssh-copy-id will create .ssh/authorized_keys file if it doesn't exist. The command also appends the public key to the authorized_keys file, whereas other methods may overwrites the file. This allows the account to use keys from more than one system.

Note- This method will not work on some systems, such as Solaris 10.

Method 2 - Manually Copy the Key File

This method uses the scp command to copy the public key to the remote server. Before the ssh-copy-id  command came about, this was way it was done. The key file will fail to copy to the system if .ssh/authorized_keys doesn't exist. If this happens just login with your password and create the file and try again. The main downside to this method is that it overwrites the authorized_keys file.
man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

Alternately you can get around this by doing this instead. The command below mimics what the ssh-copy-id command does. It creates the .ssh directory if it doesn't exist and appends the contents of the key to the authorized_keys file.
man@earth> cat ~/.ssh/id_rsa.pub | ssh man@moon "mkdir -p ~/.ssh  &&  cat   >>  ~/.ssh/authorized_keys

Method 3 - If You Automount Your Home Directory

If your home directory automounts across a lot of servers then you can just append the contents of the public key to the authorized_keys file. This method can be a lot faster then other methods. For example if you have 100 hosts you need to connect to, you just need to run the command once to connect to all of them. Instead of running 100 copy commands you just run one. Again this will only work if the hosts your connecting to automount the same home directory that the SSH kays are on.

You can copy it over with the cat command.
man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
The other methods will still work if you prefer them to this one. 

Setting up the SSH Agent



At this point when you login to a remote host you now get prompted for the SSH passphrase instead of the password. To automate the login process it is recommended to setup an SSH Agent. Luckily setting up an SSH Agent is easy. The agent holds the passphrase for the user and then presets the passphrase when prompted. 

There are some considerations you need to consider when running an SSH Agent. If a GUI is installed on the system, such as gnome, then the window manager may run the agent for you. This is by far the easiest way to setup an agent. If the system window manager handles SSH keys then you get prompted with a GUI text box for a passphrase the 1st time you try to SSH to a remote host. If you enter the passphrase the GUI will run the SSH Agent for you system wide for the user currently logged into that account. This lasts until the system is rebooted or the user logs out.

You can also run the agent from within a terminal or shell. When you run an agent from the terminal it will only work from that terminal and not system wide like does if the GUI manages the agent. 

To start an SSH Agent in a terminal run the commands show below. 
man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_dsa (/home/man/.ssh/id_rsa)

Note- Add these commands to the .bashrc file to start an agent automatically when you open a terminal emulator. 

If you use VNC, just start your VNC server session in the same terminal you used to starting your agent. This way all your terminal emulators launched in your VNC session, will use the same agent.     


SSH Agent Management

One issue with agents is that sometimes you end up running a lot of agents. This is because the agent doesn't stop running when the terminal closes. You need to run the command below and kill any agents that you are not using.

man@earth> ps aux | grep agent
If there is more than one agent running then you should kill the additional ssh-agent.

man@earth> pkill ssh-agent
This will only kill agents owned by the user running the command in.

One way to kill your ssh-agents is to add a kill statement to the .bash_logout file.

Reference Section
Manpage ssh-copy-id





Friday, December 14, 2018

Free Blockchain training

https://www.ethos.io/blockchain-education/
I found some free training on Cryptocurrency or Blockchain technology. This training is from the people who bought us the Ethos wallet. Go to there site and checkout there free wallet and training.

Thursday, December 13, 2018

Tape Format Script for Tape Pickup


The other day my co-worker showed me how to send our tapes offsite. Apparently you need to format the list of tapes in a certain way. So you can input the info to the Iron Mountain site for pickup. He was going though several steps to change the format in Excel. I told myself there has to be a better way, so wrote a script shown below.

First you need to put all the tapes in a list. I put the tape list in the file called list shown in the example below. Then I run the script, I created (tape-input.sh). I take the output and paste it into the web portal.


list
U00010L5
U00011L5
U00012L5
U00013L5
U00014L5
U00015L5
U00016L5
U00017L5
U00018L5
U00019L5
U00020L5
U00021L5
U00022L5
U00023L5
U00024L5
U00025L5
U00026L5
U00027L5
U00028L5
U00029L5
U00030L5 CAT

tape-input.sh
#!/bin/bash
# Created to format the tapes numbers to add to the web portal
echo -e "Packaged by man, $(date|awk '{print $2" "$3" "$6}')"

cat list |sed ':a;N;$!ba;s/\n/, /g'| perl -pe 's{,}{++$n % 3 ? $& :"\n"}ge'


man@earth> ./tape-input.sh
Packaged by man, Dec 13 2018
U00010L5, U00011L5, U00012L5
U00013L5, U00014L5, U00015L5
U00016L5, U00017L5, U00018L5
U00019L5, U00020L5, U00021L5
U00022L5, U00023L5, U00024L5
U00025L5, U00026L5, U00027L5
U00028L5, U00029L5, U00030L5 CAT
I take the output and paste it into the Iron Mountain web portal for pickup.

I hope this helps someone out. If you have any questions please ask below.

Wednesday, November 21, 2018

Fix RPM Database finding for UEFI file types

I ran into an issue the other day when was hardening a server. I couldn't change the file permissions on a few files to what the RPM database says is the default. This was in regard to the /boot/efi files or UEFI file types.

This is the check: rpm -Va

The security rule: RHEL-07-010010 "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." Basically the the check is to ensure the files have the default file permissions or less.
 
Also works for Red Hat 6
RHEL-06-000516, RHEL-06-000517, RHEL-06-000518, RHEL-06-000519

The Fix

Add the line below to /etc/fstab
UUID=####       /boot/efi     vfat umask=0177,shortnames=winnt  0 0

Unmount and mount /boot/efi
root@earth> umount /boot/efi
root@earth> mount /boot/efi


Some other reference materials.
Could not change permission for /boot/efi/EFI/redhat/grub.conf
Why do /boot/efi content always show up in rpm -Va output in UEFI enabled system?

How to lookup UUIDs
https://liquidat.wordpress.com/2007/10/15/short-tip-get-uuid-of-hard-disks/
https://liquidat.wordpress.com/2013/03/13/uuids-and-linux-everything-you-ever-need-to-know/

Thursday, November 8, 2018

Six Fee Computer Books

I like getting free stuff, so when I got and email from Jason Cannon and his website Linux Training Academy I had to share it. Jason Cannon is offering six of his books for free through Amazon.com until this Saturday. To get the books you need an Amazon account with the US or UK store. The books are in the kindle format, which can be read on your computer or tablet if you don't have a kindle.

These books are absolutely free! Just click on the book to download it from Amazon's US store. Use this link for Amazon's UK store.



Prices of the print versions
$24.99   Linux for Beginners
$24.99   Linux Administration
$14.99   Shell Scripting
$14.99   Command Line Kung Fu
$19.99   High Availability for the LAMP Stack
$24.99   Python Programming for Beginners
$124.94 Total savings

I found out about this because I'm on a mailing list that Jason Cannon and his site put out. Further instructions on how to get the free books can be found on his website.

If your looking for more free books checkout my other posts:
Free Python Books
Free Books

Tuesday, November 6, 2018

Remotely Login & Run Commands on ILOMs

Logging into Oracle's Integrated Lights Out Manager (ILOM) to get info can be a real pain, so I wrote this script to do it for me. Normally one would use use Simple Network Management Protocol (SNMP) or Intelligent Platform Management Interface (IPMI), but due to security concerns I was not able to use either of these options. Even with the latest firmware installed the ILOMs would not support modern security practices. So I was forced to find anther way. I needed to write a script that would wait for a prompt and then fill it in for me. Expect an extension to the Tcl scripting language is great for this kind of stuff, but I decided to use HERE which is even easier.

In order to make this work I created the user mancnt on the local system and on all the ILOMs. I also created a SSH key and setup an SSH agent on the local system and then I copied the key over to the ILOMs. If you don't know how to setup SSH keys check out my last post on how to do it  "A Better Way to Setup SSH Keys". You will also need a file containing the hostnames of the ILOMs you want access. In the example script below I use two such files, lsILOMb and lsILOMc, one for the blades and one for the chassis.


#!/bin/bash
#
# This section is for the ILOM blades
 HERE-ILOM(){
ssh $1 2>/dev/null <show /SP/network macaddress
HERE
}
# This section is for the ILOM Chassis
HERE-ILOMc(){
ssh $1 2>/dev/null <show /CMM/network macaddress
HERE


# To get IP address from hostname
Ping-to-IP(){
ping -c1 $1 |grep PING|awk '{print $3}'|sed -e 's/(//' -e 's/)//'
}

# Main section
ps aux|grep manacnt|grep -v grep |grep agent &>/dev/null || echo "Need to have an agent running"

# Section for ILOMs on Oracle Blades
for s in $(cat lsILOMb)
do echo -e "$(Ping-to-IP $s),$(HERE-ILOM $s),Embedded Linux,$s"
done

# Section for ILOMs on Oracle Chassis
for s in $(cat lsILOMc)
do echo -e "$(Ping-to-IP $s),$(HERE-ILOMc $s),Embedded Linux,$s,FALSE,ILOM,N611"
done

So the script generates a comma-separated values (CVS) file, which contains the IP address, MAC address, OS, and hostname. I then give this file to the network security people.

Example output: 10.0.1.20,00:10:e0:40:c2,Embedded Linux,server-ilom

If you have any questions feel free to ask them below.


Thursday, October 11, 2018

Free Python Books

Hello, I ran across some free books on Python and I thought I would share them with you. These books are written by Al Sweigart, who has made the books available under the Creative Commons License. So the books are free and legal for you to read and download. Click on the image of the book to go to the site hosting the free book.

The link below is the main site the books are on and there are also some free videos. There is also some online courses as well.
http://inventwithpython.com/




You can also get some free Python from Amazon as well. Use this link, to to see a list of Python books sorted by price, from low to high. These are kindle books that can also be read online with the kindle cloud player, if you don't have a kindle.

Wednesday, August 15, 2018

(Updated) Free Cryptocurrency Payed Directly to Your Wallet


There are many sites that offer free cryptocurrency. Many of these sites are called faucets. Faucet websites give tiny amounts of cryptocurrency in exchange for showing you adds. The main purpose of faucets is to promote the coin there offering. Many of these faucets make you come back repeatedly before you can withdraw the funds to your cryptocurrency wallet. I have found some faucets that payout immediately to your wallet, no more waiting. Using these websites will not make you rich, but free money is free money and the ads on the sites I'm showing are not excessive.

So far I have only found a few faucets that pay directly to your wallet. If you know of any addition faucets please post them below.


This is an update to this blogs previous Free Cryptocurrency Payed Directly to Your Wallet post. There are a few faucets from the previous post that are no longer working, but perhaps in the future they will work again. The Most of the Waves coin faucets are the still working. I have added more faucets to this list, which include new faucets for these coins: ZenCash, Minexcoin, Denarius, and Bitcoin Green.


ZenCash (ZEN)
ZEN is a major coin so getting coins coins from a ZEN cash faucet is a big deal. 

This faucet pays from 50000 to 150000 Satoshis every 20 hours. The only issue is that now you need to have an account on the site and that is a real pain.

Link to the ZEN web wallet: https://myzenwallet.io/

Waves (WAVES)
The Waves faucets are managed by the Waves stacking or mining pools. This is to promote the Waves coin and to encourage you to lease Waves coins with them. One interesting thing about the Waves coin is that it is a Proof of Stake (PoS) coin, meaning that holding the waves coin in the Waves wallet will earn you more Waves coin. But unlike other POS coins you can only stake by leasing the coin out hte coin to the pool.

Freewaves
You will get some Waves coins and the option to get some random tokens. This faucet can be used every hour per IP address.

WavesDrop
You will get some Waves coins and the option to get some random tokens. This faucet can be used every hour per IP address.

FountainPerpetua
You will get some Waves coins and the option to get some random tokens, usually Mercury (MER) tokens. This faucet can be used every hour per IP address.

Link to the Waves web wallet: https://wavesplatform.com/ 
The Waves wallet is a multi coin wallet and has a built in exchange.

MinexCoin (MNX)

The coin also has a banking feature called "MinexBank"where you can earn interest by "parking" there coins.

xdeathwing
This faucet pays out every 6 hours. This is tracked via your IP address. There are no ads on the site and the payout is really fast. One nice feature of the coin is that you can park it and earn interest.

MNX doesn't have a web wallet, so you will have to install a client on your computer.


Denarius (DNR) 
This coin can be mined (POW) and staked (POS) and the coins can be put into a Master Node.

xemplarsoft
This faucet pays out 0.002 every 24 hours. The site seems to track your withdraw from the faucet via your router's IP address and not your wallet address. The site also works through a VPN. There are no ads at the monument.

One easy way to get a DNR wallet is by joining their Discord. If you chose to use the wallet from there Discord server beware the address changes, so check it before you use the faucet. If you are active on the Denarius Discord server they sometimes payout free coins to there members, this is commonly called rain. I was able to get 10 coins on the coins birthday, which I put in a shared Master Node. Click on the word Discord for the Discord invite.

The Coinomi wallet supports this coin, and you can get it for your android or apple device. 

Bitcoin Green (BITG)
This is a Proof of Stake (PoS), so if you stack the coin it will earn you more coins.

bitgfaucet
This faucet is often always dry. You can claim every 12 hours.

They have wallets you can install on your computer.





Faucets listed below have stopped working but might come back in the future.

Bytecoin (BCN)
The Bytecoin faucet was managed by bytecoin.org the developers and maintainers of Bytecoin.

Freebytecoin
This faucet can be used once an hour per IP address. They have recently switched to a manually payout system so you will not get the BCN instantly. You will however get the payout in a timely manner.


WAVES (WAVES)

WavesGo
This was the best and most reliable Waves faucet, when it was working. In the past you got some
Waves coins as well as some WavesGo (WGO) tokens. This faucet used work once hour, per wallet address.  Did at one time work though a VPN.


Conclusion
Remember this will not a get rich, so don't put a lot of effort into getting the coins. Faucets are just meant to promote the coin. Many coins are switching to Airdrops as there main way to promote a their coin. Sometimes the faucets will stop working or are under maintenance, so if it is not working try again later. I hope this was helpful. If you have any questions or comments please post them below. If you know of any faucets that payout to your wallet, and are not to a site connected CoinPot or Faucet Hub, please let me know.

Wallet Tip
Use a webwallet if you don't have many coins that are worth a lot of money. If you start to collect a lot of valuable crypto then switch to client wallet or a hardware wallet. If you end up needing to install the a lot of client wallets on your computer. Then install it on a external or removable storage device, because some of these wallets can get very big and and take a lot of space on your local hard drive. If you fill up your hard drive your computer, the computer can get slower or even crash (stop working).


My ZenCash wallets address
znaBJT8amzTdGLhk985QvZnN1QbF8G3M5NH

My Waves wallet address 
3P9nJZ9PSb8yR8pueB4WbBtLvD4raDi6Ah8

My Minexcoin wallet address
XYupxVDW4yWD2nG6eS68YLhKSq76DnLsHi

My Bytecoin wallet address
28ExGFyTXTPdCHYqPqkNasMjTYHpnHFgG7KAAEcQpKkYKoX1UzLzHdsgjykcu8CuQRG9SxEoSH7YxCHJVp7Ui9es3WSjGDt




Friday, June 22, 2018

How to setup Claymore on EthOS



Today I’m showing you how to setup the Claymore dual miner on EThOS. Ethos is Linux based operating system specially designed to mine cryptocurrency. In the examples we are going to dual mine Callisto (CLO) and SmartCash (SMART), but Claymore can be used to mine any number of coins. The reason I make this video was because EthOS has changed the what configuration files you can use. The local.conf or remote.conf files are still the most important files for mining on EthOS, but we used to be able to supplement these files with stub files. I go over the new way to do things now that the stub files are no longer an option. Now we have to use the flags option to this in local.conf. I also go over some advanced settings.


Below I have included the a copy of the file I used in the video. Remember to replace my info with your info.


Example files Local.conf
---------------------------------
globalminer claymore
stratumproxy enable
proxywallet 0x33496bf2654acbdbe501accc9393790707e89ad3
proxypool1 stratum+tcp://lb.geo.callistopool.eu:8001
poolpass1 x
proxypool2 stratum+tcp://clopool.pro:2561
poolpass2 x

dualminer enabled
dualminer-coin keccak
dualminer-pool
stratum+tcp://us-mine.smartcash.cc:3008
dualminer-wallet SaMXJJ4CjFRDVwJceAEQfE2QfUMKuRpiGt
dualminer-poolpass1 x

claymore=flags -eworker trio -dcri 8,8,8 -colors 1 -allpools 1
--------------------------------------
To add failover pools for the 2nd coin edit this file: /opt/miners/claymore/dpools.txt 

Links to more info
Main Page http://ethosdistro.com/
EthOS knowledge base http://ethosdistro.com/kb/
SmartCash (SMART) https://smartcash.cc/
Callisto (CLO) https://callisto.network/


Friday, May 18, 2018

Turn a list into a CSV file

Hello today I'm showing you two simple ways to turn a list into a comma separated (CSV) output. This is helpful if you need to import the output into a spreadsheet. You can do this one of two ways, with a BASH for loop or with SED.

We are going to use list.txt which is a small list of solar objects for this example. 

list.txt
earth
moon
mars
venus
saturn

BASH Script
for s in $(cat list.txt)
do echo -en "$s, "
done
-note - if you don't want spaces or commas use "$s" instead

man@earth> ./BASHscript
earth, moon, mars, venus, saturn,

SED Script
cat list.txt |  sed ':a;N;$!ba;s/\n/, /g'

As you can see the SED statement is much shorter.

man@earth> ./SEDscript
earth, moon, mars, venus, saturn,

I hope someone out there finds this useful. If you have any questions or comments please post them below.