I have an Ubuntu guest on Windows host and it uses CNTLM to authorize in the intranet NTLM proxy. The problem is CNTLM just passes the name of the requested server and doesn't do domain searching with resolv.conf or /etc/hosts. Nslookup, dig etc work fine, but curl, firefox and other apps that use proxy simply get 504 Unknown Host from the proxy.
Let's say I have "com" added to "search" in resolve.conf and when I do:
"nslookup google", "dig +search google" it all works, but when I do "curl google", it fails with 504.
Is there any way to make CNTLM use the domain searching?
This is a really basic question but I somehow can't figure it out:
I am using netcat to get HTTP response from a website. Example:
request="GET / HTTP/1.1"
echo -ne $request | nc 127.0.0.1 80
If the website requires authentication I can send a POST request and include user/pass in form-data.
But how about apache password protected directories? Let's say this is in my apache.conf:
<Directory "/var/www/html/">
...
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/htpasswd/.htpasswd"
Require valid-user
</Directory>
When I visit 127.0.0.1, I get prompted for user/pass. Browser shows request as "stalled". After I provide my credentials, request is finished. If I inspect request headers, I can't find my credentials or any other form data there.
My question is: how are these credentials sent? How can I send them using netcat utility?
p.s.: I am not dead set on using netcat, if there is another command line utility that can achive this in a simple way, that's also great.
They are sent in a Authorization header, encoded in base64 (Wireshark auto-decodes them for you if you expand the header).
You can specify the username and password easily using curl:
curl --user name:password localhost
You can see how it works by using -v to see the headers, for example:
curl -sv --user name:password localhost
In the header output you will see a line like this:
> Authorization: Basic bmFtZTpwYXNzd29yZA==
Try to use CURL insted of netcat
I'm trying to make LDAP setup using CentOS based OpenLDAP server and MCP Linux based PAM LDAP client.
Without SSL, I'm able to get the user authenticated successfully.
But with SSL('ssl start_tls' in /etc/pam_ldap.conf), I'm unable to get the user authenticated. When I did packet capture at server, I do not see client's HELLO packet.
Also, I'm not interested in server/client certificate verification hence at server I had 'TLSVerifyClient never' and at client I used 'TLS_REQCERT never' in /etc/openldap/ldap.conf(in addition to 'tls_checkpeer no' in /etc/pam_ldap.conf)
With CentOS based PAM LDAP client and with the same client configuration, I'm able to get the user authenticated successfully with the same server.
Can anyone tell me, in which cases SSL client doesn't send 'HELLO' packet ?
Here you go with logs at server:
...
connection_read(13): checking for input on id=1005
tls_read: want=3, got=0
TLS: error: accept - force handshake failure: errno 11 - moznss error -5938
TLS: can't accept: TLS error -5938:Encountered end of file.
connection_read(13): TLS accept failure error=-1 id=1005, closing
connection_closing: readying conn=1005 sd=13 for close
....
BTW, I'm trying to connect to client using SSH.
Also, if I use 'openssl s_client -connect my-domain.com:636 -showcerts -state -CAfile /etc/pki/tls/certs/cacert.pem' command at CLIENT, it is sending Client hello packet and is returing the server certificates
Thanks,
Sravani
From 'strace ldapsearch ....' log, I see that
open("/usr/lib/libsoftokn3.so", O_RDONLY) = -1 ENOENT (No such file or directory)
I'll try to get this library for MCP Linux and give it a try again.
Thanks all for your support
As i have enabled default-ssl site in my ubuntu linux server. When I load the site with Google Chrome I get this error:
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
With Firefox:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
As i have check log file of apache2. Which say suhosin-path mod_ssl
[Fri Apr 04 16:29:33 2014] [notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 mod_perl/2.0.5 Perl/v5.14.2 configured -- resuming normal operations
FYI,
when i run command "apachectl -S" i get this error
/usr/sbin/apachectl: 87: ulimit: error setting limit (Operation not permitted)
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 127.0.1.1 (/etc/apache2/sites-enabled/default-ssl:2)
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default:1)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default:1)
Syntax OK
if i run "apachectl configtest"
/usr/sbin/apachectl: 87: ulimit: error setting limit (Operation not permitted)
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Syntax OK
EDIT 1
I am getting below error also
Invalid method in request \x16\x03\x01
Please help me.
It looks like you are setting up an HTTP server on port 443, e.g on a port usually used for HTTPS (HTTP wrapped inside a SSL connection). The Invalid method in request \x16\x03\x01 you get on the server side is the start of the SSL handshake of from the client. And because the client does not get the expected answer back from the server it complains.
I don't know what your intention with this setup is, but
if you want to use only HTTP keep the listener on port 80 and remove the one on port 443
if you want to set up HTTPS you need certificates etc (there is enough documentation out there)
Ok, Here is the solution.
As my domain (example.com) is configured for port forwarding and It was mapping to my Local server
To Access my local server through example.com
It was like this:
http://example.com:1234/project_name
and i was configuring my local server for https
which was accessible as
https://192.168.**.***/project_name
But it was giving error (Invalid method in request \x16\x03\x01) for below url
https://example.com:1234/project_name
Because example.com was not configured for ssl.
I have NRPE daemon process running under xinetd on amazon ec2 instance and nagios server on my local machine.
The check_nrpe -H [amazon public IP] gives this error:
CHECK_NRPE: Error - Could not complete SSL handshake.
Both Nrpe are same versions. Both are compiled with this option:
./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/i386-linux-gnu/
"allowed host" entry contains my local IP address.
What could be the possible reason of this error now??
If you are running nrpe as a service, make sure you have this line in your nrpe.cfg on the client side:
# example 192. IP, yours will probably differ
allowed_hosts=127.0.0.1,192.168.1.100
You say that is done, however, if you are running nrpe under xinetd, make sure to edit the only_from directive in the file /etc/xinetd.d/nrpe.
Don't forget to restart the xinetd service:
service xinetd restart
To check if you have access to it at all attempt a simple telnet on the address:port, a ping or traceroute to see where it is blocking.
telnet IP port
ping IP
traceroute -p $port IP
Also check on the target server that the nrpe daemon is working properly.
netstat -at | grep nrpe
You also need to check the versions of OpenSSL installed on both servers, as I have seen this break checks on occasion with the SSL handshake!
check your /var/sys/system.log . In my case, it turned out my monitored IP was set to something else than the one I set in nrpe.cfg file. I don't know the cause of this change, though.
#jgritty was right.
you should edit nrpe.cfg and nrpe config files to allow your master nagios server's access:
vim /usr/local/nagios/etc/nrpe.cf
allowed_hosts=127.0.0.1,172.16.16.150
and
vim /etc/xinetd.d/nrpe
only_from= 127.0.0.1 172.16.16.150
That's somewhat of a catch-all error message for NRPE. Check your firewall rules and make sure that port is open. Also try disabling SELinux and seeing if that lets the connection through. It's likely not an SSL issue, but just an issue with the connection being refused.
It looks like you are running your Nagios server in a virtual machine on a host-only network. If this is so, this would stop any external access. Ensure that you have a NAT or Bridged Network available.
So many answers, none of them hit the reason why I ran into this issue.
It turns out that nagios has terrible cross-version support and this was caused by me having a version 2 "client" (machine being monitored) and a version 3 "server" (monitoring machine).
Once I upgraded the client to version 3, the problem went away and I could do a check_nrpe -H [client IP] without issues.
Note that I am not sure if client/server are the right terms with nagios, as in the case of an NRPE call, the server is really the machine being called, but I digress.
Make sure that you have restarted the Nagios Client Plugin as well.
I'm running nrpe using the xinetd service.
Make sure also (in addition to the above basic steps) that your nagios user is authenticating properly. In my case:
Jun 6 15:05:52 gse2 xinetd[33237]: **Unknown user: nagios**<br>[file=/etc/xinetd.d/nrpe] [line=9]
Jun 6 15:05:52 gse2 xinetd[33237]: Error parsing attribute user - DISABLING
SERVICE [file=/etc/xinetd.d/nrpe] [line=9]
Jun 6 15:05:52 gse2 xinetd[33237]: **Unknown group: nagios**<br>[file=/etc/xinetd.d/nrpe] [line=10]
Jun 6 15:05:52 gse2 xinetd[33237]: Error parsing attribute group - DISABLING
SERVICE [file=/etc/xinetd.d/nrpe] [line=10]
Jun 6 15:05:52 gse2 xinetd[33237]: Service nrpe missing attribute user - DISABLING
Was showing in the /var/log messages.
It escaped me at first, but then I did a check on ypbind service and found it was not started.
After starting ypbind, nagios user and group was authenticating properly, the error went away.
some edge cases restarting nagios-nrpe-server doesn't help, due to the fact that process was not killed or it was not properly restarted.
just kill it manually then, and start.
SSL handshake error msg.Beside the allow_host you should assign.
your nagios server is in a local lan with C type ip address such as 192.168.xxxx
when the target monitored server feedback the ssl msg to your local nagios server,the message should first comes to your public IP of your line,the message cannot across the public IP into your nagios server which ip is an internal one.
you need NAT to guide the SSL message from target server to inner nagios server.
Or you better use "GET" method which just get monitor message from the nagios client side,such as SNMP to fulfill the remote monitor of local resource of linux servers.
SSL need feedback in double direction.
Best Regards
For me setting the following in /etc/nagios/nrpe.cfg on Client worked:
dont_blame_nrpe=1
It's and ubuntu 16.04 machine.
For other possible problems, I recommend looking at nrpe logs. Here is good article for configuring logs.
If you are running Debian 9 then there is a known issue regarding this problem, caused by OpenSSL dropping support for the method NRPE uses to initiate anonymous SSL connections.
The issue seems to be fixed but the fix hasn't made it into the official packages, yet.
Currently there seems to be no secure work-around.
check configuration in /etc/xinetd.d/nrpe and verify the server IP. If it is showing only_from = 127.0.0.1 change it with Server IP .