Shared resource and point of failure - iis

We need to add high availability to our web application, so I am considering load balancing (Application Request Routing in IIS). Here is my setup:
Server 01: This is where the ARR is installed with two nodes (02 and 03).
Server 02: This is the node 02 in Server 01.
Server 03: This is the node 03 in Server 01.
Assuming I have set it up correctly, question 1: I need to make sure that Server 01 is up all the time to achieve the high availability feature. If I did not have ARR and hosted my web application directly on Server 01, I would also need to make sure it is up all the time. What is the difference?
Question 2: I have a folder on the web server that my users upload files to. That folder is available on both Server 02 and 03. If a file is saved on 02 but the request for that file goes to 03, it will not be able to find it. How do I share the resources between 02 and 03?

Since we are only looking for high availability, we will host the web application on Server 01 and have a cluster (Server 02), so when Server 01 is down, Server 02 will take over. Regarding sharing the resources (folder), we will have a designated file server that both Server 01 and Server 02 point to.

HEX query automation

I have a control board installed on a remote digital signage totem.
The card is connected via RS232 to an IP adapter to which I can connect remotely.
I need to send it HEX commands every hour, get the answers and act according to them
(for example, the command for the door status is "AE 04 04 0A" and the answer is "{EF}{04}{04}{01}"; the last digit is 1=open, 0=closed).
I would like to take the answers and get them into my Zabbix monitoring system for alerts, e.g. if the door is open or the temperature is high.
Can you point me to a platform that can run this kind of automation?
It's surely doable, but it depends on the details of the "IP adapter which I can connect remotely":
Is it an HTTP gateway where you post your authentication and commands? Then use an HTTP item.
Is it a simple socket with no auth, just IP->RS232? Then a simple telnet/nc script called via Zabbix with a system.run is the way to go.
Is the interaction more complex, i.e. telnet, then authenticate, then subcommand1 and so on? A system.run as well, but calling a more complex script, like expect or pexpect.
In the simplest case, assuming a socket on host 1.2.3.4 and port 23 that just accepts input:
echo 'AE 04 04 0A' | nc -N 1.2.3.4 23 | perl -lne 'print $1 if /(?:\{\w\w\}){3}\{(\w\w)\}/'
This will send the hex command AE 04 04 0A to the device, then print the fourth portion of the result: so if the result string is {EF}{04}{04}{01}, the command will return 01
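The same exchange as a small Python poller, added here as an example that is not the answerer's nc/perl one-liner and not part of the original thread. The thread does not say whether the adapter wants the four raw bytes or the ASCII text "AE 04 04 0A", so the encoder sends raw bytes by default and the text line with text=True; the reply is parsed in the {EF}{04}{04}{01} form from the question. The fake device at the bottom is constructed so the script runs stand-alone; the real host and port are assumptions you pass on the command line.

```python
"""Poll an RS232-over-IP adapter with a hex status command and parse the reply.

Added example (not from the thread). Sends raw bytes by default; text=True sends
the ASCII line instead. Replies are expected as {XX}{XX}{XX}{VV}, VV = value.
"""
import re
import socket
import socketserver
import sys
import threading

DOOR_STATUS_CMD = "AE 04 04 0A"                      # from the question
# Three {XX} fields, then the status field we care about.
REPLY_RE = re.compile(rb"(?:\{[0-9A-Fa-f]{2}\}){3}\{([0-9A-Fa-f]{2})\}")


def encode_command(hex_text, text=False):
    """'AE 04 04 0A' -> b'\\xae\\x04\\x04\\x0a', or the ASCII line when text=True."""
    if text:
        return (hex_text + "\r\n").encode("ascii")
    return bytes.fromhex(hex_text)


def parse_reply(reply):
    """Return the fourth {XX} field of a reply as an int, or None if absent."""
    m = REPLY_RE.search(reply)
    return int(m.group(1), 16) if m else None


def query(host, port, hex_cmd=DOOR_STATUS_CMD, timeout=5.0, text=False):
    """Send one command, read until a complete reply arrives, return its value.

    None means no usable reply (timeout, connection closed, garbled data); the
    Zabbix side should treat that as 'unknown', not as 'closed'.
    """
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(encode_command(hex_cmd, text))
            while parse_reply(buf) is None:
                chunk = s.recv(256)
                if not chunk:                # device hung up before answering
                    break
                buf += chunk
    except OSError:                          # includes socket.timeout
        return None
    return parse_reply(buf)


class _FakeDevice(socketserver.BaseRequestHandler):
    """Constructed stand-in for the adapter: door 'open' (01) for the known command."""

    def handle(self):
        data = self.request.recv(64)
        if data == encode_command(DOOR_STATUS_CMD):
            self.request.sendall(b"{EF}{04}{04}{01}")
        else:
            self.request.sendall(b"{EF}{04}{04}{FF}")   # unknown command


def start_fake_device():
    """Listen on a random loopback port; returns the server (call .shutdown())."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeDevice)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    # From a Zabbix UserParameter: door_status.py <host> <port>
    # With no arguments, talk to the constructed fake device instead.
    if len(sys.argv) == 3:
        value = query(sys.argv[1], int(sys.argv[2]))
    else:
        srv = start_fake_device()
        value = query(*srv.server_address)
        srv.shutdown()
    print(-1 if value is None else value)   # 1 = open, 0 = closed, -1 = unknown
```

Wire it up as a UserParameter (or system.run) that returns the printed integer, and alert on 1 for the door and on -1 for "the totem stopped answering", which is a different fault from "closed".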

PCI vulnerability discovered during scan. How to prevent disclosing Web Server software version sent in HTTP response header. port 8172

We scanned our website for vulnerabilities and received the message shown below.
We used Clover Security to scan the Azure Web App site.
We have already implemented the solution in web.config shared on the Internet and by Microsoft on these websites:
https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/
https://learn.microsoft.com/en-us/answers/questions/28434/azure-app-service-how-to-block-msdeployaxd-on-port.html
As discussed in the last URL, I have also re-created a new resource group, app service plan and app service and redeployed in a different US location, but the error still shows on re-scan.
Any suggestion on how to fix this would be greatly appreciated.
Thank you in advance.
Error message provided (our IP has been x'd out):
Category Web Application
CVE -
CVSS base score 5.0
Description Web Server Information Disclosure
Host xx.xx.xxx.xx
Threat -
Impact -
Solution -
PCI compliant No
PCI details -
Reason The vulnerability is not included in the NVD.
PCI details medium
Port 8172 / tcp
Host name No registered hostname
Host OS Windows Vista / Windows 2008 / Windows 7 / Windows 2012 / Windows Vista / Windows 2008 / Windows 7 / Windows 2012
Result
url: https://xx.xx.xxx.xx:8172/
comment: Web Server Information Disclosure detected at PORT : 8172
matched: HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Thu, 23 Jun 2022 08:20:52 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
CVSS Base Score 5.0 - - AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Score 4.3 - E:POC/RL:W/RC:C
Severity 2
Category Web Application
CVE ID
Vendor Reference
Bugtraq ID
Date Updated Jun 1, 2022
Threat The target application discloses the Web Server software version via the "Server:" token sent in HTTP response header.
QID Detection Logic:
This QID sends a GET request to the target application and determines the Web Server version disclosed in the "Server:" token.
Impact Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes.
Solution Customers are advised to modify the HTTP response header of the target application to not disclose detailed information about the underlying web server. Server implementers are encouraged to make this field a configurable option.
You need to raise this as a false positive, as the failing scan is for port 8172. This is part of Azure's services infrastructure and isn't removable or editable. You might also get false positives for ports 455 and 454 on the same IP address. When you create the false-positive claim, you need to let your PCI scan provider know that these ports are not accessible to, nor for use by, the general public. You will also need to "confirm" that there is no CHD (cardholder data) being transmitted through those ports/services.
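To back the false-positive claim with evidence, it helps to run the scanner's own detection logic (a GET and a look at the Server: token) against each port on the address and tabulate which ports are the application and which are platform. The script below is an added example, not from the thread, Microsoft or the scan vendor; the port roles come from the answer above and the sample address is an assumption. Certificate verification is switched off deliberately: the scanner reached the site by bare IP, and nothing beyond a GET / is ever sent.

```python
"""Per-port 'Server:' header check for an App Service address.

Added example (not from the thread). Reproduces the QID detection logic above
(GET /, read the Server: token) so you can show which ports still disclose a
version and who owns each port.
"""
import socket
import ssl

# Who owns the port, per the answer above.
PORT_ROLE = {
    80: "application (plain)",
    443: "application (TLS)",
    454: "Azure App Service platform",
    455: "Azure App Service platform",
    8172: "Azure App Service platform (Web Deploy)",
}


def status_line(raw):
    """First line of a raw HTTP response, e.g. 'HTTP/1.1 404 Not Found'."""
    return raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")


def server_header(raw):
    """Value of the Server: header in a raw HTTP response, or None if absent."""
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def fetch(host, port, use_tls=True, timeout=5.0):
    """GET / on host:port and return the raw response (status line, headers, body)."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # fingerprinting by IP; never send data like this
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def classify(port, raw):
    """One report row: (port, owner, status line, Server header, discloses version?)."""
    server = server_header(raw)
    discloses = bool(server) and any(ch.isdigit() for ch in server)   # 'Microsoft-IIS/10.0'
    return (port, PORT_ROLE.get(port, "unknown"), status_line(raw), server, discloses)


def report(host, ports=(80, 443, 454, 455, 8172)):
    """Probe each port; connection errors become a row rather than an exception."""
    rows = []
    for port in ports:
        try:
            rows.append(classify(port, fetch(host, port, use_tls=(port != 80))))
        except OSError as exc:
            rows.append((port, PORT_ROLE.get(port, "unknown"), f"error: {exc}", None, False))
    return rows


if __name__ == "__main__":
    for row in report("203.0.113.10"):    # assumed address; use your App Service IP
        print(*row, sep="\t")
```

Expect 443 to come back with no version once the web.config change is live, and 8172 to keep returning "Microsoft-IIS/10.0" exactly as the scan shows; that pairing is what the ASV needs to see.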

MarkLogic - XDMP-HOSTOFFLINE: Host is offline or not responding

MarkLogic 9.0.9
Deployed in Azure with Managed Disk
While setting up a new MarkLogic cluster, we are facing an issue with 2 server nodes, as below:
This host is down. The following error occurred while trying to contact it:
XDMP-HOSTOFFLINE: Host is offline or not responding
Host <HostName>
Online Disconnected
While looking at error log, I got this line
2020-05-06 05:22:28.832 Warning: A valid hostname is required for proper functioning of MarkLogic Server: SVC-SOCHN: Socket hostname error: getaddrinfo .reddog.microsoft.com: Name or service not known (where as it should connect to )
I found a knowledge base article published in April 2020:
https://help.marklogic.com/Knowledgebase/Article/View/svc-sochn-warning-during-start-up-on-aws
Based on this article, I do not find any file under the /etc/ or /var/local folders as mentioned in the article.
I am not sure if it is because of this that I am not able to open the MarkLogic Admin Interface (port 8001).
It seems that somewhere in the MarkLogic configuration this name is there, but which one is the question.
Please find below the screen from the host within the MarkLogic interface. In this case, the disconnected status is for 01 & 03,
whereas I can access the Admin Interface of 01, so I am wondering.
After discussing the same issue with the infra team, they found an issue with DNS resolution, as the full DNS name was not set as the hostname within MarkLogic.
i.e. ml-01 was set as the hostname instead of ml-01.abc.com, and then, as MarkLogic was in Azure, it added ml.01.reddog.microsoft.com automatically.
So outside MarkLogic we were able to ping the server with the full name.
After the change in DNS resolution, I was able to add the ML server nodes to the cluster.
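The check the thread ended up doing by hand, as an added example that is not from the thread or from MarkLogic: every name registered as a cluster host must be fully qualified and must resolve from every node, otherwise the resolver appends its search domain (here ".reddog.microsoft.com") and the host shows as Disconnected. The node names in the main block are assumptions; run it on each node with the host names from the Admin Interface.

```python
"""DNS pre-flight for cluster host names (added example, not MarkLogic's code)."""
import socket


def is_fqdn(name):
    """'ml-01.abc.com' -> True; 'ml-01' -> False (short names get a search domain appended)."""
    name = name.strip().rstrip(".")
    return "." in name and all(name.split("."))


def resolve(name):
    """Addresses the resolver returns for name (empty set if it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def local_names():
    """(short host name, what the resolver thinks this node's FQDN is)."""
    return socket.gethostname(), socket.getfqdn()


def check_node(name, check_reverse=True):
    """Problems with one configured node name, as a list of strings (empty = OK)."""
    problems = []
    if not is_fqdn(name):
        problems.append("not fully qualified: the resolver will append a search domain")
    addrs = resolve(name)
    if not addrs:
        problems.append("does not resolve from this node")
    if check_reverse:
        for addr in sorted(addrs):
            try:
                back = socket.gethostbyaddr(addr)[0]
            except (socket.herror, socket.gaierror):
                continue      # no PTR record; not fatal for MarkLogic but worth knowing
            if back.lower().rstrip(".") != name.lower().rstrip("."):
                problems.append(f"reverse lookup of {addr} gives {back!r}")
    return problems


def check_cluster(names, check_reverse=True):
    """Map each configured name to its problems; names mapped to [] are fine."""
    return {name: check_node(name, check_reverse) for name in names}


if __name__ == "__main__":
    short, fqdn = local_names()
    print(f"this node: hostname={short!r} fqdn={fqdn!r}")
    # Assumed names; replace with the host names from the Admin Interface.
    for name, problems in check_cluster(["ml-01", "ml-02.abc.com", "ml-03.abc.com"]).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

A host configured as "ml-01" fails the first check on every node, which is exactly the thread's symptom; the node's own fqdn line tells you what name to register instead.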

enabling SSL - IIS proxying weblogic server

I've enabled SSL on an IIS server (running on Windows 2003) using the steps mentioned here:
http://www.techpaste.com/2012/01/steps-configure-ssl-iis-windows-2003-server/
It looks like SSL is enabled properly because when I hit:
http://hostname.myhost
I get following in browser:
The page must be viewed over a secure channel The page you are trying
to access is secured with Secure Sockets Layer (SSL).
Please try the following:
Type https:// at the beginning of the address you are attempting to reach and press ENTER.
I was using this IIS as a proxy to my WebLogic server. All my configuration was working over HTTP (http://hostname.myhost/myapp/test.jsp).
However when I tried (HTTPS):
https://myhost/myapp/test.jsp
It doesn't work. I get following in browser:
The connection was interrupted
After googling, I found that I'll need to enable HTTPS on WebLogic and establish trust between the IIS plugin and WebLogic.
URL - http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/isapi.html#100382
Section: Using SSL with the Microsoft Internet Information Server Plug-In
I enabled HTTPS on weblogic by checking 'SSL Listen Port Enabled'.
Using keytool and a java command, I also generated a pem file from the der file of the corresponding certificate in DemoTrust.jks.
I added following two keys to iisproxy.ini file:
SecureProxy=ON
TrustedCAFile=c:/mycert.pem
However when I access https://hostname.myhost/myapp/test.jsp, I still get same error in browser.
In iisforward.log I see following:
Fri Aug 02 14:52:29 2013 load properties from: C:\Inetpub\WLS_IIS_Plugin\iisproxy.ini
Fri Aug 02 14:52:29 2013 WLForwardPath: /
Fri Aug 02 14:54:36 2013 TerminateFilter...
I don't see any log in iisproxy.log.
Could anyone please suggest where I am wrong?
Thanks.
Reset IIS once.
Before resetting IIS, make sure of the following:
You have enabled the SSL port in the WebLogic console and opened that port in that server's firewall; otherwise it won't allow any outside/remote communication via that port.
You have to bind an IP address and port in IIS for SSL communication, and you must specify SecureProxy=ON in iisproxy.ini (the cert must be physically located where iisproxy.ini specifies, e.g. c:/mycert.pem).
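The checks in that answer, scripted, as an added example that is not from the thread or from Oracle's plug-in: SecureProxy must be ON, TrustedCAFile must name a PEM file that exists on the IIS host, and the WebLogic SSL listen port must be reachable and present a certificate that chains to that file. iisproxy.ini is read as flat key=value lines, which is all the example needs; the sample ini text and the host "wls01" are assumptions.

```python
"""Pre-flight for the IIS -> WebLogic SSL proxy (added example, not Oracle's code)."""
import os
import socket
import ssl
import sys


def parse_iisproxy_ini(text):
    """Flat key=value lines; '#' starts a comment. Keys are case-sensitive here."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def pem_has_certificate(text):
    """True if the file holds at least one PEM certificate block (not DER)."""
    return "-----BEGIN CERTIFICATE-----" in text and "-----END CERTIFICATE-----" in text


def config_problems(cfg, file_exists=os.path.isfile):
    """Static checks that need no network. file_exists is injectable for tests."""
    problems = []
    if cfg.get("SecureProxy", "OFF").upper() != "ON":
        problems.append("SecureProxy is not ON")
    ca = cfg.get("TrustedCAFile")
    if not ca:
        problems.append("TrustedCAFile not set")
    elif not file_exists(ca):
        problems.append(f"TrustedCAFile {ca} not found on this host")
    if not (cfg.get("WebLogicHost") or cfg.get("WebLogicCluster")):
        problems.append("neither WebLogicHost nor WebLogicCluster set")
    if not cfg.get("WebLogicPort") and not cfg.get("WebLogicCluster"):
        problems.append("WebLogicPort not set (must be the SSL listen port, 7002 by default)")
    return problems


def tls_probe(host, port, cafile, timeout=5.0):
    """Do what the plug-in does: TLS to WebLogic's SSL port, trusting only cafile.

    Connection refused or a timeout means the SSL port is off or firewalled; an
    ssl.SSLCertVerificationError means the PEM file does not sign the
    certificate WebLogic presents. Returns the peer certificate's subject.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, int(port)), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


def check(ini_path):
    """Static problems first, then the handshake once the config is sane."""
    with open(ini_path, encoding="ascii", errors="replace") as fh:
        cfg = parse_iisproxy_ini(fh.read())
    problems = config_problems(cfg)
    if problems:
        return problems
    with open(cfg["TrustedCAFile"], encoding="ascii", errors="replace") as fh:
        if not pem_has_certificate(fh.read()):
            return [f"{cfg['TrustedCAFile']} holds no PEM block; export with keytool -exportcert -rfc"]
    host, port = cfg.get("WebLogicHost"), cfg.get("WebLogicPort")
    if not host:                                  # WebLogicCluster=host:port,host:port
        host, port = cfg["WebLogicCluster"].split(",")[0].split(":")
    try:
        subject = tls_probe(host, port, cfg["TrustedCAFile"])
    except ssl.SSLError as exc:
        return [f"TLS handshake to {host}:{port} failed: {exc}"]
    except OSError as exc:
        return [f"cannot reach {host}:{port}: {exc}"]
    return [f"OK, WebLogic presented {subject}"]


if __name__ == "__main__":
    # Assumed path; point it at the ini the plug-in logs as 'load properties from'.
    print("\n".join(check(sys.argv[1] if len(sys.argv) > 1 else r"C:\Inetpub\WLS_IIS_Plugin\iisproxy.ini")))
```

Run it on the IIS box itself, since that is where the file path and the firewall rules are judged; a handshake that fails on a hostname mismatch means the certificate's CN does not match the WebLogicHost value the plug-in connects to.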

Testing that a website is using Kerberos authentication

How do you go about checking that an IIS website is successfully using Kerberos and not falling back on NTLM?
One way I found to test in code that you are using Kerberos is that the HTTP_AUTHORIZATION header for NTLM always starts with the following:
Negotiate TlRMTVNTUA
If the header doesn't start with that text, then the browser is authenticating using Kerberos.
Fiddler2 will indicate if the authentication header is NTLM vs Kerberos.
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
60 82 13 7B 06 06 2B 06 01 05 05 02 A0 82 13 6F `.{..+..... .o
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
A1 81 A0 30 81 9D A0 03 0A 01 00 A1 0B 06 09 2A ¡ 0 ....¡...*
The easiest way that I can think of is to use Wireshark to watch the network packets and verify that your IIS server is requesting Kerberos tickets from your DC.
You can check the security log in the event viewer of the web server.
You can also launch KerbTray on the client machine and check if it's using the correct SPN. Kerbtray is available here (don't worry, it's not Win2000 only).
I use the security log in the event viewer to check, as someone already mentioned. Here is a successful Kerberos auth:
Successful Network Logon:
User Name: {Username here}
Domain: {Domain name here}
Logon ID: (0x0,0x########)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {########-####-####-####-############}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Well, Negotiate can also be Kerberos, because it is a wrapper over Kerberos and NTLM. Like the other guys said, Wireshark (or Network Monitor) and the Security event log will not cheat you.
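Decoding the header itself, as an added example that is not code from any of the answers above. It goes beyond the "TlRMTVNTUA" prefix test: that prefix only catches a raw NTLMSSP blob in the Negotiate header, while a client can also send an SPNEGO NegTokenInit whose mechTypes list starts with the NTLMSSP OID (also a fallback), or one starting with the Kerberos OIDs (the "60 82 13 7B 06 06 2B 06 01 05 05 02 A0 ..." bytes in the Fiddler output); the server's WWW-Authenticate reply is a NegTokenResp whose supportedMech names the mechanism actually used (the "A1 81 A0 30 81 9D A0 03 0A 01 00 A1 0B 06 09 2A ..." bytes). The OIDs are the standard ones; the DER walk handles only the single-byte tags SPNEGO uses; the tokens built at the bottom are constructed for tests and contain no real ticket.

```python
"""Classify an HTTP Negotiate token: Kerberos or NTLM (added example)."""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")              # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")          # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")       # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}


def read_tlv(buf, pos):
    """(tag, value, next_pos) for the DER TLV at buf[pos]; long-form lengths OK."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def mech_name(oid):
    return OID_NAMES.get(oid, "oid:" + oid.hex())


def classify_token(token):
    """'ntlm', 'spnego:<mech>', 'spnego-resp:<mech>', 'gss:<mech>' or 'unknown'."""
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"                          # bare NTLMSSP, not even SPNEGO-wrapped
    if not token:
        return "unknown"
    if token[0] == 0x60:                       # InitialContextToken (client request)
        _, body, _ = read_tlv(token, 0)
        _, oid, pos = read_tlv(body, 0)        # thisMech
        if oid != SPNEGO_OID:
            return "gss:" + mech_name(oid)     # e.g. a bare Kerberos GSS token
        _, neg_init, _ = read_tlv(body, pos)   # [0] NegTokenInit
        _, fields, _ = read_tlv(neg_init, 0)   # SEQUENCE
        pos = 0
        while pos < len(fields):
            tag, value, pos = read_tlv(fields, pos)
            if tag == 0xA0:                    # [0] mechTypes: first = what mechToken holds
                _, mech_list, _ = read_tlv(value, 0)
                _, first, _ = read_tlv(mech_list, 0)
                return "spnego:" + mech_name(first)
        return "spnego:unknown"
    if token[0] == 0xA1:                       # NegTokenResp (server reply)
        _, seq, _ = read_tlv(token, 0)
        _, fields, _ = read_tlv(seq, 0)        # SEQUENCE
        pos = 0
        while pos < len(fields):
            tag, value, pos = read_tlv(fields, pos)
            if tag == 0xA1:                    # [1] supportedMech
                _, oid, _ = read_tlv(value, 0)
                return "spnego-resp:" + mech_name(oid)
        return "spnego-resp:unknown"
    return "unknown"


def classify_header(value):
    """Classify an Authorization or WWW-Authenticate header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return scheme.lower() or "none"        # 'ntlm', 'basic', ...
    if not b64:
        return "negotiate-challenge"           # bare 'WWW-Authenticate: Negotiate'
    return classify_token(base64.b64decode(b64))


def header_for(scheme, token):
    """Build the header value a client/server would send for a token."""
    return scheme + " " + base64.b64encode(token).decode("ascii")


# ---- constructed tokens for the tests; no real ticket inside ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def build_neg_token_init(mech_oids, mech_token):
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    return der(0x60, der(0x06, SPNEGO_OID)
               + der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))))


def build_neg_token_resp(mech_oid, state=0x00):        # 0x00 = accept-completed
    return der(0xA1, der(0x30, der(0xA0, der(0x0A, bytes([state])))
                         + der(0xA1, der(0x06, mech_oid))))
```

Only "spnego:krb5", "spnego:ms-krb5" (Windows lists the Microsoft Kerberos OID first) and "gss:krb5" mean a ticket went over the wire; "ntlm" and "spnego:ntlmssp" both mean the client fell back, and the second of those is the case the prefix test misses. The server-side "spnego-resp:<mech>" is the authoritative answer for which mechanism completed.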
