"MMC cannot create the snap in "
- by hossam-khalili
hello
i have windows SBS 2008 R2 when i try to open console manager or event viewer i got this message "MMC cannot create the snap in"
can anyone help me
thanks
Search Results
Search found 25503 results on 1021 pages for 'browser security'.
Page 199/1021 | < Previous Page | 195 196 197 198 199 200 201 202 203 204 205 206 | Next Page >
-
-
Linux installation analysis
- by blunders
"Ending company IT Admin relationship" has a good checklist for taking over an existing IT system, but I'm wondering as it relates to Linux: What is the most effective way to assess the scope of existing custom configurations, installs, scripts, etc done? Is there any software that will check if the kernel, system files, etc mirror the default files for the version installed? At this point I don't know what distro of Linux the server (though using Netcraft I do know the server appears to be Linux) -- so it's possible without knowing that information that this would be a hard question to answer.Read the article
-
OSSIM - Snort/OSSEC/Nagios Logging Config Question
- by Eric
Quick n00b OSSIM question. I've looked around but haven't found exactly what I'm looking for. I currently have a Nagios, OSSEC, Nessus, and Snort server and I want to keep those servers active but just ship the logs to the OSSIM server and have it do the correlating and graphing. Can that be done? Everything I've seen is putting the various software functions actually on the OSSIM box but I don't want to do that. I'm running CentOS on all of the systems. Thanks.Read the article
-
Snort network instruction Mac OS X
- by Rasatavohary
I'm trying to learn network intrusion detection. When I try to launch Snort, in IDS mode, I get this message (I'm running Mac OS X): Initializing Network Interface en1 ERROR: OpenPcap() FSM compilation failed: syntax error PCAP command: snort Fatal Error, Quitting.. How can I fix this problem?Read the article
-
Blocking a distributed, consistent spam attack? Could it be something more serious?
- by mattmcmanus
I will do my best to try and explain this as it's strange and confusing to me. I posted a little while ago about a sustained spike in mysql queries on a VPS I had recently setup. It turned out to be a single post on a site I was developmenting. The post had over 30,000 spam comments! Since the site was one I was slowly building I hadn't configured the anti-spam comment software yet. I've since deleted the particular post which has given the server a break but the post's url keeps on getting hit. The frustrating thing is every hit is from a different IP. How do I even start to block/prevent this? Is this even something I need to worry about? Here are some more specific details about my setup, just to give some context: Ubuntu 8.10 server with ufw setup The site I'm building is in Drupal which now has Mollom setup for spam control. It wasn't configured before. The requests happen inconsistently. Sometimes it's every couple seconds and other times it's a an or so between hits. However it's been going on pretty much constantly like that for over a week. Here is a sample of my apache access log from the last 15 minutes just for the page in question: dev.domain-name.com:80 97.87.97.169 - - [28/Mar/2010:06:47:40 +0000] "POST http://dev.domain-name.com/comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 202.149.24.193 - - [28/Mar/2010:06:50:37 +0000] "POST /comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 193.106.92.77 - - [28/Mar/2010:06:50:39 +0000] "POST /comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 194.85.136.187 - - [28/Mar/2010:06:52:03 +0000] "POST /comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 220.255.7.13 - - [28/Mar/2010:06:52:14 +0000] "POST /comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 195.70.55.151 - - [28/Mar/2010:06:53:41 +0000] "POST /comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 71.91.4.31 - - [28/Mar/2010:06:56:07 +0000] "POST http://dev.domain-name.com/comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 98.209.203.170 - - [28/Mar/2010:06:56:10 +0000] "POST http://dev.domain-name.com/comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 24.255.137.159 - - [28/Mar/2010:06:56:19 +0000] "POST http://dev.domain-name.com/comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 77.242.20.18 - - [28/Mar/2010:07:00:15 +0000] "POST /comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 94.75.215.42 - - [28/Mar/2010:07:01:34 +0000] "POST /comment/reply/3 HTTP/1.0" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 89.115.2.128 - - [28/Mar/2010:07:03:20 +0000] "POST /comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 75.65.230.252 - - [28/Mar/2010:07:05:05 +0000] "POST http://dev.domain-name.com/comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 206.251.255.61 - - [28/Mar/2010:07:06:46 +0000] "POST /comment/reply/3 HTTP/1.0" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" dev.domain-name.com:80 213.194.120.14 - - [28/Mar/2010:07:07:22 +0000] "POST /comment/reply/3 HTTP/1.1" 404 5895 "http://dev.domain-name.com/blog/2009/11/23/another" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" I understand this is an open ended question, but any help or insight you could give would be much appreciated.Read the article
-
Why does my Belkin wireless router has eMule port open?
- by Jeremy Powell
I have a Belkin F6D4230-4 v1 router. When I port scan it with nmap I get the following: $ sudo nmap -sS -A -T5 192.168.2.1 -p- Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-17 11:40 CDT Interesting ports on 192.168.2.1: Not shown: 65532 closed ports PORT STATE SERVICE VERSION 80/tcp open http Belkin 2307 wifi router http config (IP_SHARER httpd 1.0) |_ html-title: '+i1+' 4661/tcp filtered unknown 4662/tcp filtered edonkey MAC Address: 00:22:75:5D:52:D8 (Belkin International) Device type: WAP|broadband router|firewall|printer|specialized|webcam Running (JUST GUESSING) : Linksys embedded (95%), TRENDnet embedded (95%), Netgear embedded (92%), Canon embedded (89%), On Time RTOS (89%), Symantec embedded (89%), D-Link embedded (86%), Polycom embedded (85%) Aggressive OS guesses: Linksys WRT54GC or TRENDnet TEW-431BRP wireless broadband router (95%), TRENDnet TW100-BRF114 broadband router (95%), Netgear FR114P ProSafe VPN firewall (92%), Canon PIXMA MX850 printer (89%), On Time RTOS (89%), Symantec Firewall/VPN 100 (89%), D-Link DI-714P+ wireless broadband router (86%), Polycom ViewStation video conferencing system (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Device: WAP OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 21.57 seconds Why are the 4461 and 4462 ports open? This is a basic, out-of-the-box installation.Read the article
-
Novell eDirectory—How can I aggregate account lockout events?
- by bshacklett
I'm seeing an account become locked out pretty frequently and I wanted to pull an aggregated log together of all of the lockout events so I could get a better idea of what times it's occurring. Normally I'd do this with EventCombMT.exe, but I'm in a Novell environment at the moment. Is there a Novell equivalent to Microsoft's ALTools or another diagnostic utility I could use to help aggregate lockout events into an easy to read log file?Read the article
-
Isolating VMware virtual machines from the network
- by jetboy
I have: VMware Workstation 7 running on a Windows 7 box (with a single NIC), with multiple virtual machines running a range of OSs. The host box is connected to a WRT54G router running Tomato firmware. The router is acting as a wireless bridge to another WRT54G that's wired to my broadband modem. I can access the VMs externally via VNC using VMware's Remote Display. Over time I've had these running: a. Using NAT networking (single IP) with port forwarding on the router and a custom port in VMware for each VM. b. Using bridged networking with static IPs assigned to each VM via MAC address, and port forwarding on the router to each IP running with standard ports. Either way, the host box, and other physical machines on the network are accessible from the VMs. Is there a way to isolate the VMs from the rest of the network, but still maintain internet access and remote VNC to the VMs?Read the article
-
linux passwords in configuration files
- by user33124
Some programs on linux that use configuration files, want me to enter my password in plain text in one of their configuration files. For example newsbeauter, the rss reader wants me to enter my google account password in a ~/.newsbeauter/config if I want to read google reader feeds. Mutt also sort of wants a password in a text file, but gives an option of entering it on every login. Is there any secure workaround to storing a password in a config file like that (eg for newsbeauter)? I was thinking of running the app as root, but that doesn't seem right. Or somehow creating and deleting the file everytime I use the app. Any ideas?Read the article
-
how to protect telnet access to smtp port 25?
- by Michael Mao
Hi all: Please consider the following: 192-168-1-106:~ michael$ telnet <remote_server_ip> 25 Trying <remote_server_ip>... Connected to li*****.linode.com. Escape character is '^]'. 220 mindinscription.net ESMTP Postfix (Ubuntu) quit 221 2.0.0 Bye Connection closed by foreign host. Is this very bad? how to protect port 25 from malicious attackers? I've already set up a firewall, but not very sure what to do in this case. Basically I'd like to use this server to only send emails as alert messages, not receiving any external emails. Many thanks to the help in advance.Read the article
-
Solr error; JNDI not configured for solr; Anybody know what this means?
- by Camran
I am installing solr on my VPS (Ubuntu 9.10) via PuTTY. First, I thought about installing Solr with Tomcat, but then after installing tomcat, I changed my mind and went for the Jetty which comes with Solr. Now that I have setup everything on my Server, and try to start the "start.jar" file, I get some errors... Here is some text from the log file: 2010-05-29 00:22:42.074::INFO: jetty-6.1.3 2010-05-29 00:22:42.134::INFO: Extract jar:file:/var/www/webapps/solr.war!/ to /var/www/work/Jetty_0_0_0_0_8983_solr.war__solr__k1kf17/webapp May 29, 2010 12:22:42 AM org.apache.solr.core.SolrResourceLoader locateSolrHome INFO: JNDI not configured for solr (NoInitialContextEx) May 29, 2010 12:22:42 AM org.apache.solr.core.SolrResourceLoader locateSolrHome INFO: solr home defaulted to 'solr/' (could not find system property or JNDI) May 29, 2010 12:22:42 AM org.apache.solr.core.SolrResourceLoader <init> INFO: Solr home set to 'solr/' May 29, 2010 12:22:42 AM org.apache.solr.servlet.SolrDispatchFilter init INFO: SolrDispatchFilter.init() May 29, 2010 12:22:42 AM org.apache.solr.core.SolrResourceLoader locateSolrHome INFO: JNDI not configured for solr (NoInitialContextEx) May 29, 2010 12:22:42 AM org.apache.solr.core.SolrResourceLoader locateSolrHome INFO: solr home defaulted to 'solr/' (could not find system property or JNDI) May 29, 2010 12:22:42 AM org.apache.solr.core.CoreContainer$Initializer initialize INFO: looking for solr.xml: /var/www/solr/solr.xml May 29, 2010 12:22:42 AM org.apache.solr.core.SolrResourceLoader <init> INFO: Solr home set to 'solr/' Anybody know what this is? ThanksRead the article
-
How can I provide secure web content to mobile devices that can't access an intranet?
- by evanmcd
I'm working with a client on development web content for their intranet. We want users to be able to access a version of the content on their mobile devices, but most of them don't have the VPN capability to get on to their intranet. I'm wondering if anyone has had experience with this and can recommend a solution. One other thing to consider is that the content is not mission critically secure. If someone outside the company gained access to it, it would not represent a major issue, only a minor annoyance. Thanks for any advice.Read the article
-
Restrict IPMI access on Dell BMC and iDRAC to an allowed IP range
- by edgester
I'm trying to secure the iDRAC's and BMC's on some of my Dell servers (R210, R410, R510). I want to restrict access to IPMI commands to only a few IP addresses. I've successfully restricted access to the iDrac using the instructions from http://support.dell.com/support/edocs/software/smdrac3/idrac/idrac10mono/en/ug/html/racugc2d.htm#wp1181529 , but the IP restrictions do not affect IPMI. A separate management network is not practical at this time because of lack or ports and some Dell BMC's don't offer a separate port. I'm told by my networking group that our switches don't support trunking, so using the vlan tagging is not an option either. Is there a way restrict the IPMI access to a list of allowed addresses? FYI, for various reasons, I have a mix of Dell servers with BMC's, iDrac Express and iDrac enterprise management features.Read the article
-
How to securely generate memorable passwords?
- by Tim
Whenever I need new passwords I use some tools to generate those, preferable memorable passwords, but I've been wondering how secure this might actually be. Using The xkcd random number generator is probably pretty bad, cat /dev/random is probably pretty good, but generating memorable passwords seems a bit more tricky. Whenever a program generates a memorable password, it only uses a subset of the total password space available, and it is not clear to me how big this space is. Of course a long password should help in this case, but if the `memorable' part of the program is too predictable, your passwords are not very good in the end. TL;DR: how secure are memorable password generators, given the fact that `memorable' passwords are a subset of total password space? Some tools I know of: pwgen -- seems ok, but passwords are not too memorable Mac Password Assistant - generates memorable passwords but it is unclear to me how this works.Read the article
-
How to remove strict RSA key checking in SSH and what's the problem here?
- by setatakahashi
I have a Linux server that whenever I connect it shows me the message that changed the SSH host key: $ ssh root@host1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 93:a2:1b:1c:5f:3e:68:47:bf:79:56:52:f0:ec:03:6b. Please contact your system administrator. Add correct host key in /home/emerson/.ssh/known_hosts to get rid of this message. Offending key in /home/emerson/.ssh/known_hosts:377 RSA host key for host1 has changed and you have requested strict checking. Host key verification failed. It keeps me for a very few seconds logged in and then it closes the connection. host1:~/.ssh # Read from remote host host1: Connection reset by peer Connection to host1 closed. Does anyone know what's happening and what I could do to solve this problem?Read the article
-
How do I grant a database role execute permissions on a schema? What am I doing wrong?
- by Lewray
I am using SQL Server 2008 Express edition. I have created a Login , User, Role and Schema. I have mapped the user to the login, and assigned the role to the user. The schema contains a number of tables and stored procedures. I would like the Role to have execute permissions on the entire schema. I have tried granting execute permission through management studio and through entering the command in a query window. GRANT EXEC ON SCHEMA::schema_name TO role_name But When I connect to the database using SQL management studio (as the login I have created) firstly I cannot see the stored procedures, but more importantly I get a permission denied error when attempting to run them. The stored procedure in question does nothing except select data from a table within the same schema. I have tried creating the stored procedure with and without the line: WITH EXECUTE AS OWNER This doesn't make any difference. I suspect that I have made an error when creating my schema, or there is an ownership issue somewhere, but I am really struggling to get something working. The only way I have successfully managed to execute the stored procedures is by granting control permissions to the role as well as execute, but I don't believe this is the correct, secure way to proceed. Any suggestions/comments would be really appreciated. Thanks.Read the article
-
IPFW not locking people out
- by Cole
I've had some brute-forcing of my ssh connection recently, so I got fail2ban to hopefully prevent that. I set it up, and started testing it out by giving wrong passwords on my computer. (I have physical access to the server if I need to unblock myself) However, it never stops me from entering passwords. I see in /var/log/fail2ban.log that fail2ban kicked in and banned me, and there's a ipfw entry for my IP, but I'm not locked out. I've changed the configuration around, and then tried just using the ipfw command myself, but nothing seems to lock me out. I've tried the following blocks: 65300 deny tcp from 10.0.1.30 to any in 65400 deny ip from 10.0.1.30 to any 65500 deny tcp from 10.0.1.30 to any My firewall setup has a "allow ip from any to any" rule after these though, maybe that's the problem? I'm using Mac OS 10.6 (stock ipfw, it doesn't seem to have a --version flag) Thanks in advance.Read the article
-
Apache error_log showing which command output
- by Unai Rodriguez
Apache's error_log shows lines like the following: --- snip --- which: no ruby in (/sbin:/usr/sbin:/bin:/usr/bin) which: no locate in (/sbin:/usr/sbin:/bin:/usr/bin) which: no suidperl in (/sbin:/usr/sbin:/bin:/usr/bin) which: no get in (/sbin:/usr/sbin:/bin:/usr/bin) which: no fetch in (/sbin:/usr/sbin:/bin:/usr/bin) which: no links in (/sbin:/usr/sbin:/bin:/usr/bin) which: no lynx in (/sbin:/usr/sbin:/bin:/usr/bin) which: no lwp-mirror in (/sbin:/usr/sbin:/bin:/usr/bin) which: no lwp-download in (/sbin:/usr/sbin:/bin:/usr/bin) which: no kav in (/sbin:/usr/sbin:/bin:/usr/bin) --- end --- The architecture is: Internet - Load Balancer - Varnish - Apache There are several web servers behind the load balancer and I have checked at least one of them with rkhunter (link) and couldn't find anything suspicious. Versions: CentOS 5.7 Varnish 2.1.5 Apache 2.2.3 PHP 5.2.17 Does this mean that someone has executed the command which through Apache? How can that happen? Thank you so much.Read the article
-
How to remove Ahnlab policy agent?
- by R.K.
Anybody know how to remove the Ahnlab Policy agent? I was forced to install it so that I could connect to the campus network when I visited Korea. Now that I'm home, I would like to remove it. However, it resists all uninstallation efforts. It gives me an Access is denied error whenever I try to stop the service. Used AppRemover too, to no avail. Tried removing it in safe mode but it doesn't work either. Does anybody know of a solution short of booting up a Linux distro and deleting the Ahnlab files with it?Read the article
-
monitoring a /21 for potential bad guys with snort and port mirroring
- by Adeodatus
Hi all, I want/need to start monitoring our network a bit better. Its an odd network in that it comprises 2 /22 public IPs and a slew of private admin IPs. I do have one point in the network where it all comes together and I can turn on port mirroring on the catalyst. From that port, I'd like to turn up a box running various utilities. Snort is high on my list but it'd be nice to also get some networking statistics with something like Netflow. So, what are peoeple's thoughts. I can turn up a box needed for this with a bit of ease. We have the hardware available. What should I run? I'd love to know what kind of nasty things are potentially going on but I'd also like to see statistics on what people are doing on the network so I can better tweak our systems to handle it better and improve performance. I'm open so please, give me some ideas to go along with what I've got.Read the article
-
Custom fail2ban Filter for phpMyadmin bruteforce attempts
- by Michael Robinson
In my quest to block excessive failed phpMyAdmin login attempts with fail2ban, I've created a script that logs said failed attempts to a file: /var/log/phpmyadmin_auth.log Custom log The format of the /var/log/phpmyadmin_auth.log file is: phpMyadmin login failed with username: root; ip: 192.168.1.50; url: http://somedomain.com/phpmyadmin/index.php phpMyadmin login failed with username: ; ip: 192.168.1.50; url: http://192.168.1.48/phpmyadmin/index.php Custom filter [Definition] # Count all bans in the logfile failregex = phpMyadmin login failed with username: .*; ip: <HOST>; phpMyAdmin jail [phpmyadmin] enabled = true port = http,https filter = phpmyadmin action = sendmail-whois[name=HTTP] logpath = /var/log/phpmyadmin_auth.log maxretry = 6 The fail2ban log contains: 2012-10-04 10:52:22,756 fail2ban.server : INFO Stopping all jails 2012-10-04 10:52:23,091 fail2ban.jail : INFO Jail 'ssh-iptables' stopped 2012-10-04 10:52:23,866 fail2ban.jail : INFO Jail 'fail2ban' stopped 2012-10-04 10:52:23,994 fail2ban.jail : INFO Jail 'ssh' stopped 2012-10-04 10:52:23,994 fail2ban.server : INFO Exiting Fail2ban 2012-10-04 10:52:24,253 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6 2012-10-04 10:52:24,253 fail2ban.jail : INFO Creating new jail 'ssh' 2012-10-04 10:52:24,253 fail2ban.jail : INFO Jail 'ssh' uses poller 2012-10-04 10:52:24,260 fail2ban.filter : INFO Added logfile = /var/log/auth.log 2012-10-04 10:52:24,260 fail2ban.filter : INFO Set maxRetry = 6 2012-10-04 10:52:24,261 fail2ban.filter : INFO Set findtime = 600 2012-10-04 10:52:24,261 fail2ban.actions: INFO Set banTime = 600 2012-10-04 10:52:24,279 fail2ban.jail : INFO Creating new jail 'ssh-iptables' 2012-10-04 10:52:24,279 fail2ban.jail : INFO Jail 'ssh-iptables' uses poller 2012-10-04 10:52:24,279 fail2ban.filter : INFO Added logfile = /var/log/auth.log 2012-10-04 10:52:24,280 fail2ban.filter : INFO Set maxRetry = 5 2012-10-04 10:52:24,280 fail2ban.filter : INFO Set findtime = 600 2012-10-04 10:52:24,280 fail2ban.actions: INFO Set banTime = 600 2012-10-04 10:52:24,287 fail2ban.jail : INFO Creating new jail 'fail2ban' 2012-10-04 10:52:24,287 fail2ban.jail : INFO Jail 'fail2ban' uses poller 2012-10-04 10:52:24,287 fail2ban.filter : INFO Added logfile = /var/log/fail2ban.log 2012-10-04 10:52:24,287 fail2ban.filter : INFO Set maxRetry = 3 2012-10-04 10:52:24,288 fail2ban.filter : INFO Set findtime = 604800 2012-10-04 10:52:24,288 fail2ban.actions: INFO Set banTime = 604800 2012-10-04 10:52:24,292 fail2ban.jail : INFO Jail 'ssh' started 2012-10-04 10:52:24,293 fail2ban.jail : INFO Jail 'ssh-iptables' started 2012-10-04 10:52:24,297 fail2ban.jail : INFO Jail 'fail2ban' started When I issue: sudo service fail2ban restart fail2ban emails me to say ssh has restarted, but I receive no such email about my phpmyadmin jail. Repeated failed logins to phpMyAdmin does not cause an email to be sent. Have I missed some critical setup? Is my filter's regular expression wrong? Update: added changes from default installation Starting with a clean fail2ban installation: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local Change email address to my own, action to: action = %(action_mwl)s Append the following to jail.local [phpmyadmin] enabled = true port = http,https filter = phpmyadmin action = sendmail-whois[name=HTTP] logpath = /var/log/phpmyadmin_auth.log maxretry = 4 Add the following to /etc/fail2ban/filter.d/phpmyadmin.conf # phpmyadmin configuration file # # Author: Michael Robinson # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # # Count all bans in the logfile failregex = phpMyadmin login failed with username: .*; ip: <HOST>; # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # # Ignore our own bans, to keep our counts exact. # In your config, name your jail 'fail2ban', or change this line! ignoreregex = Restart fail2ban sudo service fail2ban restart PS: I like eggsRead the article
-
Create restricted user on Debian server
- by James Willson
I want to create a user account for each of the key programs installed on my debian server. For example, for the following programs: Tomcat Nginx Supervisor PostgreSQL This seems to be recommended based on my reading online. However, I want to restrict these user accounts as much as possible, so that they dont have a shell login, dont have access to the other programs and are as limited as possible but still functional. Would anyone mind telling me how this could be achieved? My reading so far suggests this: echo "/usr/sbin/nologin" >> /etc/shells useradd -s /usr/sbin/nologin tomcat But I think there may be a more complete way of doing it. EDIT: I'm using debian squeezeRead the article
-
How to avoid apache2 revealing hidden directory and/or file structure
- by matnagel
When someone fetches a denied URL that exists, he gets: Forbidden You don't have permission to access /admin/admin.php on this server. Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch Server When someone goes to a URL that does not exist he will get: Not Found The requested URL /notexisting/notthere.php was not found on this server. Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch Server This way someone can find out information about the directory structure in an area, that is actually not open to the public. Is this true? If I were paranoid, what could I do? Just curious.Read the article
-
How to restrict file system when logged into terminal services
- by pghcpa
What I need to accomplish: With one login, when user is physically in the building I need them to see everything. When they are using terminal services with same login they should not be able to see the file system on the network. I can lock down the PC running terminal services as that is its only use. Details: Windows/2003 Server with terminal services. One login for a user (e.g., johndoe). When johndoe logs into the network at his desk in the office, he can see the network files according to group policy. When johndoe logs into terminal services from outside the building, we do not want to allow him see the network. Using 2x to do a published app, but that app has a "feature" that allows user to see network. Published application on termina services (only) is a document management system that is tied to windows login, so I can't give them two logins. With one login, when they are in the building I need them to see everything. When they are using terminal services they should not be able to see the network. I can lock down the PC running terminal services as that is its only use.Read the article
-
Auditing events 4656 and 4658 on Windows folder on Server 2008
- by PCurd
During an overnight system state backup we are seeing thousands of success audit events (4656, 4658) on the folder c:\windows\servicing, system32 and others in the windows folder. We use file success auditing on some files so I can't disable it but this deluge is filling up the logs and making reporting tricky. What is the harm of changing the auditing settings on the windows folder? What are the recommended settings to put on the files for those people doing system state backups? Thanks,Read the article
