December 8, 2017

Install and Configure Postfix

# yum install postfix mutt

# service postfix start

# adduser student

# su - student

$ mutt

1. Press m to create a new message.
2. In the To: field, write student@server1.example.com
3. In the Subject: field, write something
4. In the body, write something. The default editor is vi, so:
    4.1 enter i for insert
    4.2 now write
    4.3 when finished writing, press ESC
    4.4 to save, press :wq
5. Now send, press y.

Print mail queue

# postqueue -p
Mail queue is empty

Flush mail queue
# postqueue -f

# less /var/log/maillog

# netstat -tulpn | grep 25
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      17389/master       

# grep inet_interfaces /etc/postfix/main.cf 
# The inet_interfaces parameter specifies the network interface
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = localhost
# the address list specified with the inet_interfaces parameter.
# receives mail on (see the inet_interfaces parameter).
# to $mydestination, $inet_interfaces or $proxy_interfaces.
# - destinations that match $inet_interfaces or $proxy_interfaces,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
    

# vi /etc/postfix/main.cf 
...
inet_interfaces = all
...

# service postfix restart

# netstat -tulpn | grep 25
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      17558/master   
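The grep above also prints the commented-out variants of inet_interfaces, so it is easy to misread which value is in force; after the edit, netstat is the real confirmation that SMTP now listens on every address. As an added example (not part of the original notes), here is a small shell helper that resolves the effective value of a main.cf parameter the way Postfix does (comments ignored, last assignment wins) and reports whether the SMTP listener is reachable beyond loopback. The two sample main.cf files are constructed; continuation lines (a value wrapped onto an indented following line) are assumed absent.

```shell
#!/bin/sh
# Added example: resolve the effective value of a Postfix main.cf parameter.
# Not from the original notes; the sample files below are constructed.

# postfix_effective_value FILE PARAM
# Prints the value Postfix will use for PARAM: comment lines are ignored,
# whitespace around "=" is trimmed, and if PARAM is assigned more than once
# the last assignment wins (postconf warns "overriding earlier entry" for
# the earlier ones). Prints nothing if PARAM is not set in FILE.
# Assumption: no continuation lines (indented wrapped values).
postfix_effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                         # commented-out settings
        /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, eq + 1)
                gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
                last = v
            }
        }
        END { if (last != "") print last }
    ' "$1"
}

# postfix_smtp_exposed FILE
# Returns 0 when the SMTP listener is reachable from other hosts, i.e. when
# inet_interfaces is anything but a loopback-only setting. Postfix's
# built-in default when the parameter is absent is "all".
postfix_smtp_exposed() {
    v=$(postfix_effective_value "$1" inet_interfaces)
    case "${v:-all}" in
        localhost|loopback-only|127.0.0.1|"[::1]") return 1 ;;
        *) return 0 ;;   # "all", $myhostname, or explicit addresses
    esac
}

# --- constructed sample files (modelled on the grep output in the notes) ---
MAINCF_LOCAL=$(mktemp)
cat > "$MAINCF_LOCAL" <<'EOF'
# The inet_interfaces parameter specifies the network interface
#inet_interfaces = all
#inet_interfaces = $myhostname
inet_interfaces = localhost
myhostname = server1.example.com
EOF

MAINCF_ALL=$(mktemp)
cat > "$MAINCF_ALL" <<'EOF'
inet_interfaces = localhost
# ... further down, as after the edit in the notes: the last setting wins
inet_interfaces = all
EOF

for f in "$MAINCF_LOCAL" "$MAINCF_ALL"; do
    printf '%s: inet_interfaces=%s exposed=%s\n' "$f" \
        "$(postfix_effective_value "$f" inet_interfaces)" \
        "$(postfix_smtp_exposed "$f" && echo yes || echo no)"
done
```

Run it against the real /etc/postfix/main.cf to get the same answer netstat gives, without having to restart the service first.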

--------------------
Step 1: Install Packages
--------------------
# yum install sendmail sendmail-cf dovecot m4

--------------------
Step 2: Configure sendmail to receive external mails
--------------------

Edit /etc/mail/sendmail.mc

2.1 Comment out the DAEMON_OPTIONS line that restricts sendmail to 127.0.0.1, so that it 
listens on all network addresses. To comment out a line in sendmail.mc, put 'dnl' at the 
beginning of the line.

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

2.2 We will use our local hostname as mail domain, so change 'localhost.localdomain' to your 
hostname, mine is server1.example.com.

LOCAL_DOMAIN(`localhost.localdomain')dnl

--------------------
Step 3: Recompile Sendmail using m4
--------------------

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

--------------------
Step 4: Configure Dovecot to fetch emails
--------------------

4.1 Edit /etc/dovecot/dovecot.conf

#Protocols we want to be serving.
protocols = pop3

# A comma separated list of IPs or hosts where to listen in for connections.
listen = *, ::

4.2 Edit /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = no

#!include auth-system.conf.ext
!include auth-passwdfile.conf.ext

4.3 Add User

# echo "$USER:{PLAIN}password:$UID:$GROUPS::$HOME" > /etc/dovecot/users

Example:
magkar:{PLAIN}password:500:500::/home/magkar

Here I use an existing account on the mail server. If you need to create a new user, use 
useradd to create the user and passwd to set the password:

# useradd student1
# passwd student1
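The users file above stores the password with the {PLAIN} scheme, and 10-auth.conf turns plaintext authentication on, so anyone who can read /etc/dovecot/users (or watch the unencrypted POP3 session configured in Step 6) gets the password as-is. As an added example that is not part of the original notes, here is a shell helper that audits a passwd-file style users file and lists the accounts whose password field is stored unhashed. The sample entries are constructed, and the hashes shown for the second and third accounts are placeholders, not real digests.

```shell
#!/bin/sh
# Added example (not part of the notes): audit a Dovecot passwd-file for
# plaintext passwords. Format per line:
#   user:password:uid:gid:(gecos):home[:shell[:extra_fields]]
# where the password field may carry a "{SCHEME}" prefix.

# dovecot_users_report FILE
# Prints "user scheme" for each entry. Entries without a {SCHEME} prefix use
# the passdb default (scheme=CRYPT in the dovecot -n output on this page)
# and are reported as "default"; entries with fewer than two fields as
# "MALFORMED".
dovecot_users_report() {
    awk -F: '
        /^[ \t]*$/ || /^[ \t]*#/ { next }        # blank and comment lines
        NF < 2 { printf "%s MALFORMED\n", $1; next }
        {
            pw = $2; scheme = "default"
            if (substr(pw, 1, 1) == "{") {
                cb = index(pw, "}")
                if (cb > 2) scheme = substr(pw, 2, cb - 2)
            }
            print $1, scheme
        }
    ' "$1"
}

# dovecot_plaintext_users FILE
# Prints only the users whose password is stored unhashed ({PLAIN} or its
# Dovecot alias {CLEARTEXT}); prints nothing when the file is clean.
dovecot_plaintext_users() {
    dovecot_users_report "$1" | awk '
        { s = toupper($2) }
        s == "PLAIN" || s == "CLEARTEXT" { print $1 }
    '
}

# --- constructed sample (the hashes are placeholders, not real digests) ---
USERS_FILE=$(mktemp)
cat > "$USERS_FILE" <<'EOF'
# user:password:uid:gid::home
magkar:{PLAIN}password:500:500::/home/magkar
student1:{SHA512-CRYPT}$6$PLACEHOLDERSALT$PLACEHOLDERHASH:501:501::/home/student1
student2:$1$PLACEHOLDER$LEGACYCRYPT:502:502::/home/student2
EOF

dovecot_users_report "$USERS_FILE"
echo "plaintext: $(dovecot_plaintext_users "$USERS_FILE" | tr '\n' ' ')"
```

Pointing dovecot_plaintext_users at /etc/dovecot/users on the real server gives a quick list of the accounts to re-hash.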

4.4 Last step: verify the installation by running 'dovecot -n'
# dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.14.1.el6.x86_64 x86_64 Red Hat Enterprise Linux Server release 6.4 (Santiago) 
disable_plaintext_auth = no
mbox_write_locks = fcntl
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocols = pop3
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}

--------------------
Step 5: Restart sendmail and dovecot service
--------------------

# service dovecot restart
# service sendmail restart

If this is a fresh installation, neither service is running yet, so the stop part of the restart 
will fail. Verify this by restarting the services again.

--------------------
Step 6: Testing the installation
--------------------

Thunderbird

email: magkar@server1.example.com

POP3 
Host: server1.example.com
Port: 110
No SSL
username: magkar
password: password
Send password cleartext

SMTP
Host: server1.example.com
Port: 25
NO AUTHENTICATION

Add a static DNS entry to /etc/hosts (IP address first, then hostname)
192.168.1.10    server1.example.com


--------------------
Reference
--------------------

http://wiki2.dovecot.org/BasicConfiguration
http://wiki2.dovecot.org/FindMailLocation
http://www.telnetport25.com/2012/02/configuring-e-mail-notifications-in-nagios-core/

SELinux

------------
What is SELinux Boolean?
------------
"Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of 
SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, 
without reloading or recompiling SELinux policy." 
[https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html]

------------
Install semanage
------------

# yum install policycoreutils-python

------------
Working with SELinux boolean
------------

Previously you could list all SELinux booleans with

# getsebool -a

But since RHEL 6 there is a better way, which also returns a description of each boolean:

# semanage boolean -l

To permanently change an SELinux boolean (-P also writes the new value to the policy store, 
so it survives a reboot):

# setsebool -P httpd_can_network_connect on

------------
Reference 
------------
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

SELinux te policy file
http://oss.tresys.com/repos/refpolicy/archive/strict/domains/program/unused/nrpe.te

============
SELinux Process
============

# ps auxZ | grep nrpe
unconfined_u:system_r:nrpe_t:s0 nrpe 1234 0.0 0.0 41320 1340 ? Ss Jan13 0:14 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

============
SELinux Files
============
# chcon -v --type=httpd_sys_content_t /html/index.html
context of /html/index.html changed to user_u:object_r:httpd_sys_content_t

Test

Make persistent

# semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?" 


# touch /.autorelabel
# reboot 

============
SELinux Ports
============
5.4. Allowing Access to a Port

We may want a service such as Apache to be allowed to bind and listen for incoming 
connections on a non-standard port. By default, the SELinux policy will only allow 
services access to recognized ports associated with those services. If we wanted to 
allow Apache to listen on tcp port 81, we can add a rule to allow that using the 'semanage' command:

# semanage port -a -t http_port_t -p tcp 81 

A full list of ports that services are permitted access by SELinux can be obtained with:

# semanage port -l 
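Before running 'semanage port -a' it helps to know whether the port is already assigned to some type: '-a' refuses a port that is already defined for any type, and you need '-m' to re-assign it. As an added example, not from the notes, here are shell helpers that read 'semanage port -l'-style output on stdin, report which types own a given port (ranges such as 10001-10010 included), and print the semanage invocation that applies. The listing used is constructed and shows a default-style policy before port 81 has been added.

```shell
#!/bin/sh
# Added example (not from the notes): decide between "semanage port -a" and
# "semanage port -m" from a "semanage port -l" listing read on stdin.

# selinux_port_types PROTO PORT  (reads "semanage port -l" output on stdin)
# Prints each port type whose list for PROTO contains PORT; ranges "lo-hi"
# are honoured. Prints nothing if the port is undefined for PROTO.
selinux_port_types() {
    awk -v proto="$1" -v port="$2" '
        NF < 3 || $2 != proto { next }           # header, blank, other protocol
        {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)         # strip the separating comma
                n = split(p, r, "-")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }
    '
}

# selinux_port_allowed TYPE PROTO PORT  (stdin as above)
# Returns 0 when PORT/PROTO is already labelled TYPE.
selinux_port_allowed() {
    selinux_port_types "$2" "$3" | grep -qxF "$1"
}

# selinux_port_plan TYPE PROTO PORT  (stdin as above)
# Prints what is needed to make PORT/PROTO usable by TYPE: a comment if it
# already is, "-m" if another type owns the port (because "-a" then fails
# with "already defined"), otherwise "-a".
selinux_port_plan() {
    owners=$(selinux_port_types "$2" "$3")
    if printf '%s\n' "$owners" | grep -qxF "$1"; then
        echo "# $2/$3 already labelled $1"
    elif [ -n "$owners" ]; then
        echo "semanage port -m -t $1 -p $2 $3"
    else
        echo "semanage port -a -t $1 -p $2 $3"
    fi
}

# --- constructed listing, modelled on the format of "semanage port -l" ---
PORT_LISTING=$(cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
EOF
)

for port in 81 443 8080; do
    printf 'tcp/%s: %s\n' "$port" \
        "$(printf '%s\n' "$PORT_LISTING" | selinux_port_plan http_port_t tcp "$port")"
done
```

On a live system replace the constructed listing with `semanage port -l | selinux_port_plan http_port_t tcp 81`.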

op5

------------------
Download OP5
------------------

op5-monitor-6.2.0.1-20131024.tar.gz

[http://www.op5.com/download-op5-monitor/]

------------------
Query RPM Package
------------------

There are two RPMs in this tarball

# ll *nrpe*
-rw-rw-r--. 1 500 500 23068 Oct 24 10:17 nrpe-2.13.3-op5.1.x86_64.rpm
-rw-rw-r--. 1 500 500 11992 Oct 24 10:17 nrpe-client-2.13.3-op5.1.x86_64.rpm

Files that the RPM contains

# rpm -qpl nrpe-2.13.3-op5.1.x86_64.rpm
warning: nrpe-2.13.3-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
/etc/init.d/nrpe
/etc/nrpe.conf
/etc/nrpe.d
/etc/nrpe.d/op5_commands.cfg
/usr/sbin/nrpe

RPM Dependency/Requires [-R,--requires]

# rpm -qpR nrpe-2.13.3-op5.1.x86_64.rpm 
warning: nrpe-2.13.3-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
/bin/sh  
/bin/sh  
config(nrpe) = 2.13.3-op5.1
libc.so.6()(64bit)  
libc.so.6(GLIBC_2.2.5)(64bit)  
libc.so.6(GLIBC_2.3)(64bit)  
libc.so.6(GLIBC_2.3.4)(64bit)  
libc.so.6(GLIBC_2.4)(64bit)  
libcrypto.so.10()(64bit)  
libnsl.so.1()(64bit)  
libssl.so.10()(64bit)  
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(VersionedDependencies) <= 3.0.3-1
rtld(GNU_HASH)  
rpmlib(PayloadIsXz) <= 5.2-1

RPM installation scripts

# rpm -qp --scripts nrpe-2.13.3-op5.1.x86_64.rpm
warning: nrpe-2.13.3-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add nrpe || :
/sbin/service nrpe stop || :
/sbin/service nrpe start || :

# Move command definitions to 'include_dir' if upgrading
if [ $1 -eq 2 ]; then
   grep -q '^command\[' /etc/nrpe.conf || :
   if [ $? -eq 0 ]; then
          echo "" >> /etc/nrpe.d/op5_commands.cfg
          echo "# Imported from /etc/nrpe.cfg" >> /etc/nrpe.d/op5_commands.cfg
          grep '^command\[' /etc/nrpe.conf >> /etc/nrpe.d/op5_commands.cfg || :
          sed '/^[\#]\?[ tab]\?command\[\[*/d' -i /etc/nrpe.conf || :
          echo "" >> /etc/nrpe.conf
          echo "# NOTE!" >> /etc/nrpe.conf
          echo "# Command definitions have meed moved to 'include_dir'." >> /etc/nrpe.conf
          echo "# Any commands defined in this file will be moved by future upgrades." >> /etc/nrpe.conf
          echo "" >> /etc/nrpe.conf
   fi

   grep -q '^include_dir' /etc/nrpe.conf || :
   if [ $? -ne 0 ]; then
          echo "# In order to make remote config with conf_nrpe work, you need to" >> /etc/nrpe.conf
          echo "# create the following directory. It needs to be read/writeable by" >> /etc/nrpe.conf
          echo "# nrpe_user specified above. " >> /etc/nrpe.conf
          echo "# All command definitions should be placed in the 'include_dir'" >> /etc/nrpe.conf
          echo "# NOTE: files in 'include_dir' must have a '.cfg' suffix." >> /etc/nrpe.conf
          echo "include_dir=/etc/nrpe.d" >> /etc/nrpe.conf
   fi
fi
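Reading the scriptlet before installing is the right instinct, and this one shows a pattern worth recognising in any scriptlet review: `grep -q ... || :` discards grep's exit status (`:` always succeeds), so the following `[ $? -eq 0 ]` is always true and the later `[ $? -ne 0 ]` is never true. As an added example, not from the op5 package, here is the same guard written so that grep's status actually decides, plus a migration of the command[...] lines to an include file that only runs when there is something to migrate. The nrpe.conf contents are constructed.

```shell
#!/bin/sh
# Added example (not from the op5 package): the "|| :" status-masking
# pitfall seen in the nrpe postinstall scriptlet, and a fixed version of
# the command-definition migration it tries to do.

# scriptlet_status FILE
# Reproduces the scriptlet's test. Because ":" always exits 0, "$?" here is
# 0 whether or not FILE contains a command[...] line.
scriptlet_status() {
    grep -q '^command\[' "$1" || :
    return $?
}

# has_command_defs FILE
# What the scriptlet meant: returns grep's status, 0 only if FILE has at
# least one command[...] definition.
has_command_defs() {
    grep -q '^command\[' "$1"
}

# migrate_command_defs SRC DST
# Appends the command[...] lines of SRC to DST and removes them from SRC,
# but only when SRC actually contains some (returns 1 otherwise). Rewrites
# SRC through a temp file instead of "sed -i" for portability.
migrate_command_defs() {
    has_command_defs "$1" || return 1
    {
        echo ""
        echo "# Imported from $1"
        grep '^command\[' "$1"
    } >> "$2"
    # grep -v exits 1 when *no* line survives; that is not an error here,
    # so its status is deliberately ignored, and nothing tests "$?" after it.
    grep -v '^command\[' "$1" > "$1.tmp" || :
    mv "$1.tmp" "$1"
}

# --- constructed nrpe.conf samples ---
NRPE_WITH_CMDS=$(mktemp)
cat > "$NRPE_WITH_CMDS" <<'EOF'
allowed_hosts=127.0.0.1
command[users]=/opt/plugins/check_users -w 5 -c 10
command[load]=/opt/plugins/check_load -w 15,10,5 -c 30,25,20
EOF
NRPE_NO_CMDS=$(mktemp)
cat > "$NRPE_NO_CMDS" <<'EOF'
allowed_hosts=127.0.0.1
include_dir=/etc/nrpe.d
EOF

for f in "$NRPE_WITH_CMDS" "$NRPE_NO_CMDS"; do
    printf '%s: scriptlet test says %s, correct test says %s\n' "$f" \
        "$(scriptlet_status "$f" && echo yes || echo no)" \
        "$(has_command_defs "$f" && echo yes || echo no)"
done
```

The second line of output is the one that matters: a file with no command definitions still makes the scriptlet's test say yes.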


------------------
NRPE RPM Installation
------------------
# rpm -ipvh nrpe-2.13.3-op5.1.x86_64.rpm
warning: nrpe-2.13.3-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
Preparing...                ########################################### [100%]
   1:nrpe                   ########################################### [100%]
nrpe doesn't seem to be running.
Starting nrpe in daemon mode ... done

Check process 

# ps auxZ | grep nrpe
unconfined_u:system_r:nrpe_t:s0 nobody 1271 0.0 0.0 39364 1364 ? Ss 13:27 0:00 /usr/sbin/nrpe -c /etc/nrpe.conf -d
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1274 0.0 0.0 103244 832 pts/0 S+ 13:27 0:00 grep nrpe

------------------
NRPE RPM Configuration
------------------

# vi /etc/nrpe.conf
...
allowed_hosts=127.0.0.1,192.168.122.93
...

Restart NRPE to let configuration changes take effect

# service nrpe restart

------------------
Test NRPE Installation
------------------

From the server

# /usr/lib64/nagios/plugins/check_nrpe -H 192.168.122.12
NRPE v2.13

------------------
Plugin RPM Installation
------------------

# cat /etc/nrpe.d/op5_commands.cfg 
################################################################################
#
# op5-nrpe command configuration file
#

# COMMAND DEFINITIONS
# Syntax:
# command[]=
#
command[users]=/opt/plugins/check_users -w 5 -c 10
...

# ll *plugins*
-rw-rw-r--. 1 500 500 417248 Oct 24 10:17 plugins-community-2.8.5-op5.1.x86_64.rpm
-rw-rw-r--. 1 500 500  47920 Oct 24 10:17 plugins-metadata-2.8.7-op5.1.x86_64.rpm
-rw-rw-r--. 1 500 500 594020 Oct 24 10:17 plugins-nagios-2.6.5.1-op5.1.x86_64.rpm
-rw-rw-r--. 1 500 500  94088 Oct 24 10:17 plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm
-rw-rw-r--. 1 500 500   3160 Oct 24 10:17 plugins-op5-3.0.0-op5.1.el6.x86_64.rpm

# rpm -qpl plugins-community-2.8.5-op5.1.x86_64.rpm | grep check_users
warning: plugins-community-2.8.5-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY

# rpm -qpl plugins-nagios-2.6.5.1-op5.1.x86_64.rpm | grep check_users
warning: plugins-nagios-2.6.5.1-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY

# rpm -qpl plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm | grep check_users
warning: plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
/opt/plugins/check_users

# rpm -qpl plugins-op5-3.0.0-op5.1.el6.x86_64.rpm | grep check_users
warning: plugins-op5-3.0.0-op5.1.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY





# rpm -ipvh plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm
warning: plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
error: Failed dependencies:
 perl(Exporter) is needed by plugins-nagios-local-2.6.5.1-op5.1.x86_64


# rpm -qpR plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm
warning: plugins-nagios-local-2.6.5.1-op5.1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f6e3ade7: NOKEY
/bin/sh  
libc.so.6()(64bit)  
libc.so.6(GLIBC_2.2.5)(64bit)  
libc.so.6(GLIBC_2.3)(64bit)  
libc.so.6(GLIBC_2.3.4)(64bit)  
libc.so.6(GLIBC_2.4)(64bit)  
libc.so.6(GLIBC_2.8)(64bit)  
libdl.so.2()(64bit)  
libm.so.6()(64bit)  
libm.so.6(GLIBC_2.2.5)(64bit)  
libpthread.so.0()(64bit)  
libpthread.so.0(GLIBC_2.2.5)(64bit)  
perl(Exporter)  
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rtld(GNU_HASH)  
rpmlib(PayloadIsXz) <= 5.2-1

Perl must be installed

# rpm -q --provides perl | grep Exporter
perl(Exporter) = 5.63
perl(Exporter::Heavy)  


-----------------------
Troubleshooting
-----------------------

# less /var/log/messages
...
nrpe[2703]: Error: Could not complete SSL handshake. 1
...

From the server, test only the NRPE communication by calling NRPE without a command

# /usr/lib64/nagios/plugins/check_nrpe -H 192.168.122.12
NRPE v2.13

------------------
Plugin SELinux Problems
------------------

The plugins do not seem to work with SELinux.

On the client, set SELinux to permissive mode

# setenforce 0

Double check that the audit daemon is installed and running

# service auditd status
auditd (pid  983) is running...

sealert:

# yum install setroubleshoot-server

semanage and audit2allow:

# yum install policycoreutils-python

check_log

-------------------
Introduction
-------------------

In my previous blog posts I have described how to set up the 

- Server [http://magnus-k-karlsson.blogspot.se/2014/01/install-nagios-core-35-on-rhel-6-from.html]
- Client/Agent [http://magnus-k-karlsson.blogspot.se/2014/01/install-nagios-agent-nrpe-on-rhel-6.html]

In this blog post I will show you how to install and configure the check_log plugin. 

A good documentation overview site is https://www.nagios-plugins.org/doc/man/index.html.

-------------------
check_log
-------------------

#! /bin/sh
#
# Log file pattern detector plugin for Nagios
# Written by Ethan Galstad (nagios@nagios.org)
# Last Modified: 07-31-1999
#
# Usage: ./check_log <log_file> <old_log_file> <pattern>
#
# Description:
#
# This plugin will scan a log file (specified by the <log_file> option)
# for a specific pattern (specified by the <pattern> option).  Successive
# calls to the plugin script will only report *new* pattern matches in the
# log file, since a copy of the log file from the previous run is saved
# to <old_log_file>.
#
# Output:
#
# On the first run of the plugin, it will return an OK state with a message
# of "Log check data initialized".  On successive runs, it will return an OK
# state if *no* pattern matches have been found in the *difference* between the
# log file and the older copy of the log file.  If the plugin detects any 
# pattern matches in the log diff, it will return a CRITICAL state and print
# out a message in the following format: "(x) last_match", where "x" is the
# total number of pattern matches found in the file and "last_match" is the
# last entry in the log file which matches the pattern.
#
# Notes:
#
# If you use this plugin make sure to keep the following in mind:
#
#    1.  The "max_attempts" value for the service should be 1, as this
#        will prevent Nagios from retrying the service check (the
#        next time the check is run it will not produce the same results).
#
#    2.  The "notify_recovery" value for the service should be 0, so that
#        Nagios does not notify you of "recoveries" for the check.  Since
#        pattern matches in the log file will only be reported once and not
#        the next time, there will always be "recoveries" for the service, even
#        though recoveries really don't apply to this type of check.
#
#    3.  You *must* supply a different <old_log_file> for each service that
#        you define to use this plugin script - even if the different services
#        check the same <log_file> for pattern matches.  This is necessary
#        because of the way the script operates.
#
# Examples:
#
# Check for login failures in the syslog...
#
#   check_log /var/log/messages ./check_log.badlogins.old "LOGIN FAILURE"
#
# Check for port scan alerts generated by Psionic's PortSentry software...
#
#   check_log /var/log/message ./check_log.portscan.old "attackalert"
#

-------------------
Agent/Client Configuration check_log for JBoss EAP 6 Standalone
-------------------

The standard log file for JBoss EAP 6 running in standalone mode is

# ll /var/log/jbossas/standalone/server.log

First, pay attention to the third note in the check_log header (each service needs its own "old" file) and create a new "old" log file for check_log.

# touch /var/log/jbossas/standalone/server.log.check_log

# chmod 640 /var/log/jbossas/standalone/*

In the NRPE configuration file we see that there is a configuration directory for NRPE

# cat /etc/nagios/nrpe.cfg
...
# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).

include_dir=/etc/nrpe.d/

And there we will put our command for the check_log plugin.

# vi /etc/nrpe.d/check_jboss_log.cfg
command[check_jboss_log]=/usr/lib64/nagios/plugins/check_log -F /var/log/jbossas/standalone/server.log \
-O /var/log/jbossas/standalone/server.log.check_log -q "WARN"

Finally, restart the nrpe daemon to make the new configuration take effect.

# service nrpe restart
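To make the behaviour described in the plugin header concrete (first run initialises, later runs diff against the saved copy and report only new matches, each exactly once), here is an added shell reimplementation of the core logic. It is not the Nagios plugin's own code and not part of the notes; it keeps the plugin's documented "(x) last_match" output and the Nagios exit-code convention (0 OK, 2 CRITICAL, 3 UNKNOWN when the log file is missing). The log lines are constructed, and temp files stand in for the JBoss server.log and the server.log.check_log "old" file configured above. It also shows why note 3 matters: the saved copy is rewritten on every run, so two services sharing one old file would hide each other's matches.

```shell
#!/bin/sh
# Added example (not the Nagios plugin's code): a minimal check_log.
# Usage: check_log_lite LOG_FILE OLD_LOG_FILE PATTERN
# Exit codes follow the Nagios convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
check_log_lite() {
    cl_log=$1; cl_old=$2; cl_pat=$3

    if [ ! -f "$cl_log" ]; then
        echo "Log check error: $cl_log does not exist"
        return 3
    fi

    # First run: save a baseline copy and report nothing.
    if [ ! -f "$cl_old" ]; then
        cp "$cl_log" "$cl_old"
        echo "Log check data initialized"
        return 0
    fi

    # Lines added since the baseline: the "> " lines of diff(old, current).
    cl_new=$(diff "$cl_old" "$cl_log" | sed -n 's/^> //p')
    cl_count=$(printf '%s\n' "$cl_new" | grep -c -- "$cl_pat" || true)

    # Refresh the baseline now, so each match is reported exactly once.
    # This is why every service needs its own OLD_LOG_FILE (note 3 above).
    cp "$cl_log" "$cl_old"

    if [ "$cl_count" -eq 0 ]; then
        echo "Log check ok - 0 pattern matches found"
        return 0
    fi
    cl_last=$(printf '%s\n' "$cl_new" | grep -- "$cl_pat" | tail -n 1)
    echo "($cl_count) $cl_last"
    return 2
}

# demo_run ARGS...: run one check and show its exit code without aborting
# the script if the check is CRITICAL.
demo_run() {
    s=0; check_log_lite "$@" || s=$?
    echo "exit=$s"
}

# --- demo on constructed log lines (temp files stand in for server.log) ---
DEMO_LOG=$(mktemp)
DEMO_OLD="$DEMO_LOG.check_log"; rm -f "$DEMO_OLD"
printf '%s\n' '10:00:00 INFO  [org.jboss.as] server started' > "$DEMO_LOG"
demo_run "$DEMO_LOG" "$DEMO_OLD" WARN          # initialises the baseline
printf '%s\n' '10:00:05 WARN  [org.jboss.as.pool] pool exhausted' \
              '10:00:06 WARN  [org.jboss.as.pool] retrying' >> "$DEMO_LOG"
demo_run "$DEMO_LOG" "$DEMO_OLD" WARN          # CRITICAL: (2) ...retrying
demo_run "$DEMO_LOG" "$DEMO_OLD" WARN          # OK again: nothing new
```

The third run returning OK is the "recovery" that note 2 in the header tells you to stop Nagios notifying about.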



http://mgrepl.fedorapeople.org/Blog/nagios.html

-------------------
Server Configuration
-------------------

# vi /etc/nagios/conf.d/virtual1.example.com.cfg

Block Cipher (Encryption) Cheat Sheet

Block Cipher
INPUT:  a plaintext block and a key
OUTPUT: a ciphertext block of the same length

  • A block cipher can be inverted (decrypted) with the key
  • Even if you know the plaintext and ciphertext it should be hard to recover the key

Bad, do not use         Good, do use
---------------         ------------
DES                     AES
3DES                    Also OK, if AES is not available:
your own algorithm        CAST (in PGP)
                          Twofish, Blowfish

SSL/TLS Attacks

Padding oracles in CBC mode

  • Vaudenay 2002
  • Boneh/Brumley 2003
  • BEAST 2011
  • Lucky13 2013
  • POODLE 2014
  • Lucky Microseconds 2015

RSA PKCS1-1.5

  • Bleichenbacher 1998
  • Jager 2015
  • DROWN 2016

MD5 & SHA1

  • CA forgery attack 2008
  • SLOTH 2016

Compression

  • CRIME 2012
  • BREACH 2013

Renegotiation

  • Marsh Ray Attack 2009
  • Renegotiation DoS 2011
  • 3Shake 2014

Export-grade ciphers

  • FREAK 2014
  • LogJam and WeakDH 2015
  • Sweet32 2016

Other

  • RC4 2013
  • Nonce reuse 2016