I've installed fail2ban on my web hosting and it is monitoring WordPress login attempts through the access_log file. Once I configured fail2ban to filter wp logins with this regexp:
failregex = ^<HOST> .* "POST /wp-login.php
... the attack was changed to an IPv6 host. I read the fail2ban docs and noticed that there is no IPv6 support in fail2ban (yet). Then I applied this workaround:
fail2ban ipv6 support (in French)
As you can see in this tutorial, I created 2 new actions called iptables46* and I defined them in the jail.local in order to be executed when fail2ban detects the new regexp for ipv4 and ipv6 (changed in the patched python scripts).
I've checked fail2ban logs and it seems that it is detecting the ipv6 calls, but a warning is displayed before each filter detection:
2016-10-26 23:00:55,539 fail2ban.filter [24963]: WARNING Unable to find a corresponding IP address for 127.0.0.1/8: [Errno -2] Name or service not known
2016-10-26 23:00:55,540 fail2ban.filter [24963]: INFO [wp-auth] Found xxxx:xxxx:xxx::xxxx:xxx
(xxxx:xxxx:xxx::xxxx:xxx is the attacker host ipv6)
I've checked fail2ban status with: fail2ban-regex access_log /etc/fail2ban/filter.d/wp-auth.conf and there are a lot of results (regexp and the filter are ok), but the host is not blocked by iptables. I've checked ip6tables with:
ip6tables -S | grep f2b
and the results:
-A f2b-default -s 2002:5bc8:c41::5bc8:c41/128 -j REJECT --reject-with icmp6-port-unreachable
Also, if I check the status of the fail2ban filter with fail2ban-client status wp-auth:
Status for the jail: wp-auth
|- Filter
| |- Currently failed: 1
| |- Total failed: 93
| `- File list: /opt/wordpress/logs/access_log
`- Actions
|- Currently banned: 1
|- Total banned: 2
`- Banned IP list: xxxx:xxxx:xxx::xxxx:xxx
It seems that the ipv6 is not blocked because the host is still launching requests.
I don't know why the fail2ban log is displaying a WARNING (related to 127.0.0.1/8: [Errno -2]) if the created ip6tables rule is ok... I don't know why the host is not being blocked.
Any help will be appreciated.
The good news is that fail2ban recently released support for IPv6.
For Debian IPv6 servers I would recommend following this tutorial.
For CentOS IPv6 servers, I would recommend downloading it here and then executing these commands, replacing the version number accordingly:
tar xvfj fail2ban-0.11.0.tar.bz2
cd fail2ban-0.11.0
python setup.py install
Make sure a jail for sshd is enabled in /etc/fail2ban/jail.local, for example:
[sshd]
enabled=1
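To see how the question's failregex behaves once `<HOST>` matches both address families, here is an added example (not code from the question, the answer or fail2ban itself) that runs the WordPress login filter over constructed access_log lines and applies maxretry/findtime the way a jail does. The `HOST` pattern is a simplified stand-in for fail2ban's own `<HOST>` expansion, and all log lines and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (an assumption, not fail2ban's
# own regex): a dotted IPv4 quad or a hex/colon IPv6 literal.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+:[0-9a-fA-F:]*)"

# The question's failregex with <HOST> expanded; the timestamp is captured
# so that findtime can be applied.
FAILREGEX = re.compile(
    r"^" + HOST + r" .*\[(?P<ts>[^\]]+)\] \"POST /wp-login\.php"
)

def parse_ts(raw):
    # Apache combined-log timestamp, e.g. 26/Oct/2016:23:00:55 +0200
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")

def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {host: time_of_ban} for hosts that reach maxretry matches
    inside a sliding findtime window, mirroring jail semantics."""
    hits = defaultdict(list)
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        window = [t for t in hits[host] if ts - t <= findtime] + [ts]
        hits[host] = window
        if host not in banned and len(window) >= maxretry:
            banned[host] = ts
    return banned

def sample_log():
    """Constructed access_log lines: a burst of IPv6 login POSTs, a slower
    IPv4 client under the threshold, and an unrelated GET."""
    tmpl = ('{ip} - - [26/Oct/2016:23:{mm:02d}:{ss:02d} +0200] '
            '"{req} HTTP/1.1" 200 512 "-" "-"')
    lines = [tmpl.format(ip="2001:db8::1", mm=0, ss=s, req="POST /wp-login.php")
             for s in range(0, 50, 10)]
    lines += [tmpl.format(ip="203.0.113.7", mm=m, ss=0, req="POST /wp-login.php")
              for m in (0, 15, 30)]
    lines.append(tmpl.format(ip="198.51.100.9", mm=1, ss=0, req="GET /wp-login.php"))
    return lines
```

The IPv6 client is banned on its fifth POST within the window; the IPv4 client, spread over 30 minutes, never reaches maxretry.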
I want to set up 2 rabbitmq servers to work in cluster.
When trying to run
rabbitmqctl join_cluster rabbit@my_rabbit_1.my.domain.name on my_rabbit_1
I get unable to connect to epmd (port 4369) on my_rabbit_2.my.domain.name: nxdomain (non-existing domain)
I use rabbitmq:latest (debian), .erlang.cookie is the same, hosts resolve fine: I can ping both directions, nmap -6 -p 4369 my_rabbit_2.my.domain.nam returns 4369/tcp open epmd
EDIT:
tcpdump shows that while resolving the hostname, rabbit or epmd does not perform 2 types of DNS query (AAAA for IPv6 and A for IPv4) but only the IPv4 one, which fails repeatedly with nxdomain as there is no IPv4 address available. However, it does not try an AAAA DNS query, except when running a command like rabbitmq -n rabbit@local.machine.domain.name: then it runs the AAAA query and succeeds. Hence the problem. How do I solve that?
Finally found a solution that worked for me. The Erlang documentation says that -proto_dist specifies a protocol for Erlang distribution, which defaults to inet_tcp (TCP over IPv4). So in an IPv6-only environment you have to set the -proto_dist inet6_tcp flag for erl.
This can be done by adding the following lines to your rabbitmq-env.conf (see RabbitMQ configuration docs):
# For rabbitmq-server
RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-proto_dist inet6_tcp"
# For rabbitmqctl
RABBITMQ_CTL_ERL_ARGS="-proto_dist inet6_tcp"
Note that rabbitmqctl and rabbitmq-server use different erl settings: I was unable to create the cluster without the RABBITMQ_CTL_ERL_ARGS="-proto_dist inet6_tcp" setting when using rabbitmqctl join_cluster rabbit@host.in.my.domain. It should not be necessary in production mode. Also note that the RabbitMQ configuration docs advise against using this setting except for debugging.
unable to connect to epmd (port 4369) on my_rabbit_2.my.domain.name: nxdomain (non-existing domain)
This is an error raised when the rabbitmq server is running on a hostname other than what you think it is running on, or when the hostname doesn't resolve to what you think it does.
Amusingly enough I had this exact same issue last night when one instance in our cluster failed, came back on a new hostname, and somehow corrupted its internal authentication store etc.
Without the exact dns entries etc for your setup, all I can offer is general troubleshooting steps.
See this StackOverflow question for a resolution that may help you - in particular the answer by Kishor Pawar.
Are you sure you configured rabbitmq to listen on IPV6? Is there a reason you can't bind it to IPV4 as well on 127.0.0.1 for management operations?
I'm on CentOS 7. I'm running this command:
wget http://wordpress.org/latest.tar.gz
This is the returned output:
--2016-09-08 15:53:04-- http://wordpress.org/latest.tar.gz
Resolving wordpress.org (wordpress.org)... 66.155.40.250, 66.155.40.249
Connecting to wordpress.org (wordpress.org)|66.155.40.250|:80... failed: Network is unreachable.
Connecting to wordpress.org (wordpress.org)|66.155.40.249|:80... failed: Network is unreachable.
I'm not sure why that might be. I have access to my local network from my machine; I can install yum packages without issue.
EDIT
Result of ip route get 66.155.40.249
RTNETLINK answers: Network is unreachable
My /etc/sysconfig/network-scripts/ifcfg-eno16777736 after I edited it:
TYPE=Ethernet
BOOTPROTO="static"
IPADDR=192.168.2.100
NETMASK=255.255.255.0
NM_CONTROLLED=no
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=*random*
DEVICE=eno16777736
ONBOOT=yes
With the exception of my UUID... Specifically I added: bootproto, ipaddr, netmask, and nm_controlled.
This situation happens when no entry in the routing table has been found.
If you're using a laptop (with wifi and ethernet) this may happen if you dhclient -r from one interface, which can remove the default route.
Easy resolution:
make a new dhcp request (optionally release the current lease)
add the default route by hand: ip route add default via <<GW ip>>. If you have several interfaces, you may need to specify the output interface using ip route add default via <<GW ip>> dev <<devname>> instead.
I have a drupal 8 site on the same physical server as apache solr (5.2.1). Drupal 8 uses the search_api_solr contrib module, which uses Solarium (installed by composer) to talk to the solr server using the http api.
I have successfully installed solr and created a core. I can query the core using curl on the Linux command line, using various Linux users.
I can access the solr admin screen in a browser (over vpn with 192.168 ip or domain resolving to such) and view the core I created on the cli.
However, the drupal solr module cannot connect to the solr server core, and if I create an index using the drupal module, it throws a php error:
[error] Uncaught PHP Exception Solarium\Exception\HttpException: "Solr HTTP error: HTTP request failed, Failed to connect to 127.0.0.1: Permission denied" at modules/search_api_solr/vendor/solarium/solarium/library/Solarium/Core/Client/Adapter/Curl.php line 248
My url is like this: http://127.0.0.1:8983/solr/mycore
I get the same error for
http://192.168.254.78:8983/solr/mycore
or
http://127.0.0.1:8080/solr/mycore << different port!
Why should Solarium not be able to send http to a local ip?
Note that nothing is listening on 8080, so I suspect that this http failure has nothing to do with the solr server.
The problem turns out to be that SELinux on this CentOS6 machine is not allowing apache to talk to port 8983.
# setenforce 0
and our error goes away.
# setenforce 1
error is back
Check /var/log/audit.log.
This is what we saw:
type=AVC msg=audit(1457115397.149:224568): avc: denied { name_connect } for pid=4029 comm="httpd" dest=8983 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Notice scontext is httpd_t (apache)
And tcontext is port_t (a port)
Now by default apache can only listen on ports that are http_port_t
SO -- we check to see if our desired port "8983"
But first we need "semanage" which is provided by :
yum install policycoreutils-python
Now check for existing http_port_t's:
# semanage port -l | grep 'http_port_t'
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
Now let's add 8983
# semanage port -a -t http_port_t -p tcp 8983
And check again -- yup 8983 is there
# semanage port -l | grep 'http_port_t'
http_port_t tcp 8983, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
No more error with SELinux enforcing
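Triaging denials like the one above by hand gets error-prone once there are many of them, so here is an added example (not part of the answer) that parses AVC records from audit.log into their fields and turns a name_connect denial on a TCP port into the semanage command used above. The first record is the answer's own AVC line; the others are constructed, and the `httpd_can_network_connect_db` boolean mentioned in a comment is the standard targeted-policy boolean, not something from this page.

```python
import re

# Audit records: the first is the AVC line from the answer above, the second
# and third are constructed for illustration (values are made up).
SAMPLE_AVC = [
    'type=AVC msg=audit(1457115397.149:224568): avc: denied { name_connect } '
    'for pid=4029 comm="httpd" dest=8983 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1457115401.003:224570): avc: denied { name_connect } '
    'for pid=4029 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1457115397.149:224568): arch=c000003e syscall=42 '
    'success=no exit=-13',
]

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: "
    r"(?P<result>denied|granted) +\{ (?P<perms>[^}]+?) \} for (?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into a dict; non-AVC records yield None."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what the policy decides on
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def suggest_fix(rec, allowed_type="http_port_t"):
    """Turn a name_connect denial on a TCP port into a semanage command."""
    if (rec is None or rec["result"] != "denied"
            or rec.get("tclass") != "tcp_socket"
            or "name_connect" not in rec["perms"]):
        return None
    port = rec["dest"]
    if rec["target_type"] == "port_t":
        # Generic, unlabelled port: give it the type the domain may connect to
        return f"semanage port -a -t {allowed_type} -p tcp {port}"
    # The port already belongs to another service's type; -a would fail with
    # 'already defined' and relabelling would take it away from that service.
    # Flag for review (a boolean such as httpd_can_network_connect_db usually fits).
    return f"REVIEW: port {port} is {rec['target_type']}; prefer a boolean over relabelling"
```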
When I run jboss-cli.sh, I get this message.
[root bin]# sh jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect localhost
The controller is not available at localhost:9999
[disconnected /] connect
The controller is not available at localhost:9999
[disconnected /] connect localhost:9999
The controller is not available at localhost:9999
[disconnected /]
Also I have another installation of JBoss 5 GA. I hope that is not interfering, although it is totally shut down for now.
Native management interface is :9999 in standalone.sh
Please throw light on this issue.
EDITED
When I stop my service with "service jboss stop", I get this message:
[root# bin]# *** JBossAS process (7302) received KILL signal ***
grep: /var/run/jboss-as/jboss-as-standalone.pid: No such file or directory
I don't know how to check whether the server is listening on port 9999 or not.
Few more details
[root bin]# netstat -anp |grep 9999
tcp 0 0 127.0.0.1:9999 0.0.0.0:* LISTEN 7931/java
[root bin]# netstat -anp |grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 7931/java
The JBoss process id and the server id acquiring these ports are the same.
This question has two issues.
First, I have provided a debugging parameter in the startup script.
If you see 8787, that means you have provided a debugging argument somewhere.
Second, and the most important one: controller not available @localhost or @IPADDRESS.
Please check if you have used a port offset, as it increments all the ports by the number with which you have set the port offset.
Suppose port offset is 2
Then try connect localhost:10001, i.e. 9999+2.
On my production server it sometimes does not work with localhost, but works with the IP address.
Then try to access connect IPADDRESS:9999
OR
Then try to access connect 127.0.0.1:9999
Please check in the firewall whether port 9999 (or whatever it is with the port offset) is open; if the port is not open in the firewall it gives an error.
I asked this question 6 months back and the above checks have always solved the problem.
This is probably because you have changed your binding configuration and JBoss does not bind to 127.0.0.1.
In case your JBoss instance is not binding to 127.0.0.1, you may use the --controller option as follows:
./jboss-cli.sh --controller=YOUR_IP:9999
Use netstat -anp |grep 9999 to find out if port 9999 is in use and by which process id. You could also check the host.xml used by the controller to configure the proper native port.
In the host xml, you should find the default port:
<native-interface security-realm="ManagementRealm">
<socket interface="management" port="${jboss.management.native.port:9999}"/>
./jboss-cli.sh --controller=localhost:9999 --connect
You open the debug-port with jboss-cli.sh. Either you activated in jboss-cli.sh:
# Sample JPDA settings for remote socket debugging
# JAVA_OPTS="$JAVA_OPTS -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n"
or you set JAVA_OPTS with such an option in your environment. See
echo $JAVA_OPTS
I guess you did this for two jboss-processes, and you get a port-conflict. See
netstat -nap | grep 8787
I recently faced this issue and the root cause that I found was completely different from what is listed above. It is because for some other project I shifted to JDK 1.8 from 1.7. Boom! and the error started coming up... I took a hell of a lot of time figuring out why it was coming up before finally realizing I had changed my JDK version.
It might be because JBoss 7 doesn't work with 1.8, of which I have limited knowledge, but yes, this might prove useful for some cases.
I'm having trouble checking out a project via svn. I have a repository set up at svn://consideropen.com/home/consider/rvsubversion/project/trunk.
I have no problem checking out the project in NetBeans, but, when I ssh to another server (not the same server as the repository) and run
svn checkout svn://example.com/home/consider/rvsubversion/project/trunk
I get a connection refused error.
Why is this happening?
Possibly your server is behind a firewall that only permits certain ports through such as 22, 80, and 8080 for example. It might not permit the standard svn protocol port 3690 to pass through.
Try telnet consideropen.com 3690 and see if you get:
( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline svndiff1 absent-entries ) )
If you don't then you are blocked. Your other option would be to set up the repository using subversion with WebDAV. Then your server would be able to access it over port 80 which is usually open.
I recommend mastering nmap, a very powerful port scanning tool.
In your case it will be:
$ nmap -sT -r -n -vv -p80,8080 example.com
where -sT means a direct TCP connection, -sS means a SYN or silent scan
-vv - very verbose
-r - don't randomize ports
-n - don't make DNS resolve
-p{xxx} - ports to scan, different masks are supported, e.g. 80,8081-8088,8090
optional -P0 means don't ping a target host