Graylog2 ssh stream rules - graylog2

I have been given the task of setting up a new stream that catches all failed ssh logins. I have never used Graylog before and I am really bad at regex.
I have figured out that you need to create a new stream, make it so that all the failed ssh login messages get caught in that stream, and then make an alarm on that.

You can create a stream, just as an example; let us call it
SSH accepted/failed
Then create a rule where you enter
field : messages
type : match regular expression
value for failed: Failed password for.+ from .+
and then create a new rule for the same stream with the value : Accepted password for.+ from .+
Then you will have a stream that collects Failed and Accepted logins for your SSH.
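Added example (not from the original answer): the two rule values above applied to constructed sshd messages in Python, assuming the stream rule is evaluated as an unanchored regex search. It goes one step beyond the answer by extracting the source address with a stricter, end-anchored pattern (FAILED_DETAIL and the function names are assumptions made here) so failures can be counted per source for the alarm.

```python
import re
from collections import Counter

# Stream rule values quoted from the answer above.
FAILED_RULE = re.compile(r"Failed password for.+ from .+")
ACCEPTED_RULE = re.compile(r"Accepted password for.+ from .+")

# Assumption: stricter pattern added for this example. It is anchored to the
# end of the line because the user name in the message is chosen by the client.
FAILED_DETAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>.+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)

# Constructed sshd messages (documentation address ranges), not real log data.
SAMPLE = [
    "Failed password for root from 203.0.113.9 port 51122 ssh2",
    "Failed password for invalid user admin from 203.0.113.9 port 51130 ssh2",
    "Failed password for invalid user x from 192.0.2.1 from 203.0.113.9 port 51140 ssh2",
    "Accepted password for alice from 198.51.100.7 port 40022 ssh2",
    "Accepted publickey for bob from 198.51.100.8 port 40100 ssh2: ED25519 SHA256:<fingerprint>",
    "Invalid user admin from 203.0.113.9 port 51130",
    "Connection closed by authenticating user root 203.0.113.9 port 51150 [preauth]",
]

def route(message):
    """Return which stream rule a message matches: 'failed', 'accepted' or None."""
    if FAILED_RULE.search(message):
        return "failed"
    if ACCEPTED_RULE.search(message):
        return "accepted"
    return None

def failures_by_source(messages):
    """Count failed password attempts per source address."""
    counts = Counter()
    for msg in messages:
        m = FAILED_DETAIL.search(msg)
        if m:
            counts[m.group("ip")] += 1
    return counts

def sources_over_threshold(messages, threshold):
    """Source addresses with at least `threshold` failed password attempts."""
    return sorted(ip for ip, n in failures_by_source(messages).items() if n >= threshold)

if __name__ == "__main__":
    for msg in SAMPLE:
        print(f"{route(msg)!s:8} {msg}")
    print(sources_over_threshold(SAMPLE, 3))
```

The publickey login and the "Invalid user" and "[preauth]" lines match neither rule, so a stream built only from these two values does not see them.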

Related

Let subprocess.check_output timeout when there is a user prompt

I have a Python script that uses scp to transfer some files to other remote hosts.
import subprocess

try:
    out = subprocess.check_output(
        ["scp", "filename.txt", "user1@host1:/home/user1/"],
        stderr=subprocess.STDOUT, timeout=15)
    print(out)
except subprocess.TimeoutExpired as e:
    print(e.output)
    # Handle hostkey verification error
Now sometimes it's possible that the remote server isn't authenticated and part of the known hosts file, in which case the script just stays forever in a waiting state for user input with Are you sure you want to continue connecting (yes/no/[fingerprint])?
What I want is to be able to catch this scenario, so I can handle host key verification.
I tried adding a timeout and catching the exception, but instead of timing out it still stays in the user prompt state.

Problem connecting Snowflake to DataFactory

Upon using the DataFactory Connector to Snowflake, I consistently get the error message below. Does anyone have any idea how to fix this?
I am using an Azure-managed Integration Runtime.
ERROR [HY000] [Microsoft][Snowflake] (4) REST request for URL
https://xxxxxxx.east-us-2.azure.snowflakecomputing.com.snowflakecomputing.com:443/session/v1/login-request?requestId=2fb149b1-5f57-47ad-a471-8a8db718336c&request_guid=25dcec4f-f680-4f18-b018-363084843708&databaseName=DEMO_DB&warehouse=COMPUTE_WH failed: CURLerror (curl_easy_perform() failed) - code=60 msg='SSL peer
certificate or SSH remote key was not OK'.
ERROR [HY000] [Microsoft][Snowflake] (4) REST request for URL
https://xxxxxxx.east-us-2.azure.snowflakecomputing.com.snowflakecomputing.com:443/session/v1/login-request?requestId=2fb149b1-5f57-47ad-a471-8a8db718336c&request_guid=25dcec4f-f680-4f18-b018-363084843708&databaseName=DEMO_DB&warehouse=COMPUTE_WH failed: CURLerror (curl_easy_perform() failed) - code=60 msg='SSL peer
certificate or SSH remote key was not OK'.
Activity ID: 376547c0-6604-454d-b881-544cb6e7811a.
Probably not a good idea, from a security perspective, to leave your account id visible like this.
Anyway, the issue is probably that you have mis-configured your connection as snowflake.com is repeated: ...snowflakecomputing.com.snowflakecomputing.com

How to type the credentials manually in Parallel-SSH or Paramiko

I am trying to create a script that will run commands over my 1000 Cisco devices.
The device model is: Cisco Sx220 Series Switch Software, Version 1.1.4.1
The issue is that there is some kind of strange behavior for some of those Cisco devices.
When I try to log in with regular SSH (PuTTY) with the correct credentials, we first get 'Authentication Failure', and after 1 second I get the User Password prompt again; typing the same credentials again gives me a successful login.
The problem is that when I try to connect using my script (which uses ParallelSSHClient), the connection drops after getting the authentication failure message, and I am not able to enter the credentials again since it gets the exception and terminates the program.
I am looking for a way to enter those credentials manually by connecting to the machine, getting the Authentication Failure message and ignoring it, recognizing that the current prompt has User or Password on screen, and then sending them manually.
I looked for this kind of procedure everywhere, but without any luck.
Does ParallelSSHClient have this feature?
If Paramiko has it, I am willing to move to Paramiko.
Thanks :)
from pssh.clients import ParallelSSHClient

try:
    client = ParallelSSHClient(hosts=ip_list, user=user, password=password)
except Exception as err:
    print("There was an issue with connecting to the machine")
command_output = client.run_command(command)
Here is the actual error that I am getting:
pssh.exceptions.AuthenticationException: ('Authentication error while connecting to %s:%s - %s', '172.31.255.10', 22, AuthenticationException('Password authentication failed',))

I can't get AMQP publish and subscribe to run with Node JS v6 and mqlight v2.0 from IBM MQ v9.0.1.0

I am trying to get the example snippet below to publish and subscribe, but I can't get it to run with Node JS 6 and mqlight v2.0
https://www.npmjs.com/package/mqlight?cm_mc_uid=47189062138014548006442&cm_mc_sid_50200000=1490060435
// Receive:
var mqlight = require('mqlight');
var recvClient = mqlight.createClient({service: 'amqp://user:user@localhost:5672'});
recvClient.on('started', function() {
  recvClient.subscribe('/TEST/#','sub1');
  recvClient.on('message', function(data, delivery) {
    console.log(data);
  });
});
// Send:
var sendClient = mqlight.createClient({service: 'amqp://user:user@localhost:5672'});
sendClient.on('started', function() {
  sendClient.send('TEST');
});
I run the sample code for mqlight 2.0 with Node JS v6:
$node mqlight_sample.js
events.js:160
throw er; // Unhandled 'error' event
^
SecurityError: AMQXR0100E: A connection from 172.17.0.1 was not authorized.
at lookupError (/media/Data/mqlight/node_modules/mqlight/mqlight.js:1034:11)
at AMQPClient.<anonymous> (/media/anonim/Data/mqlight/node_modules/mqlight/mqlight.js:1925:13)
at emitOne (events.js:96:13)
at AMQPClient.emit (events.js:188:7)
at Connection.<anonymous> (/media/anonim/Data/mqlight/node_modules/amqp10/lib/amqp_client.js:388:10)
at emitOne (events.js:96:13)
at Connection.emit (events.js:188:7)
at Connection._processCloseFrame (/media/anonim/Data/mqlight/node_modules/amqp10/lib/connection.js:495:10)
at Connection._receiveAny (/media/anonim/Data/mqlight/node_modules/amqp10/lib/connection.js:423:12)
at Connection._receiveData (/media/anonim/Data/mqlight/node_modules/amqp10/lib/connection.js:357:8)
at NetTransport.<anonymous> (/media/anonim/Data/mqlight/node_modules/amqp10/lib/connection.js:515:38)
at emitOne (events.js:96:13)
at NetTransport.emit (events.js:188:7)
at Socket.<anonymous> (/media/anonim/Data/mqlight/node_modules/amqp10/lib/transport/net_transport.js:26:49)
at emitOne (events.js:96:13)
at Socket.emit (events.js:188:7)
This is the error log from the MQ server:
# tail -100f /var/mqm/qmgrs/QM1/errors/amqp_0.log
3/31/17 19:14:44.115 AMQXR0041E: A connection was not authorized for channel SYSTEM.DEF.AMQP received from 172.17.0.1. MQRC 2035 MQRC_NOT_AUTHORIZED
3/31/17 19:14:45.142 AMQXR0041E: A connection was not authorized for channel SYSTEM.DEF.AMQP received from 172.17.0.1. MQRC 2035 MQRC_NOT_AUTHORIZED
Actually, authentication for AMQP is enabled; if CONNAUTH and CHCKCLNT required are changed to disabled, I can connect with Node JS 6.
START SERVICE(SYSTEM.AMQP.SERVICE)
SET CHLAUTH(SYSTEM.DEF.AMQP) TYPE(BLOCKUSER) USERLIST('nobody')
SET CHLAUTH(SYSTEM.DEF.AMQP) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL) CHCKCLNT(REQUIRED)
REFRESH SECURITY TYPE(CONNAUTH)
START CHANNEL(SYSTEM.DEF.AMQP)
DISPLAY CHSTATUS(SYSTEM.DEF.AMQP) CHLTYPE(AMQP)
Below is the error log from /var/mqm/qmgrs/QM1/errors/AMQERR01.LOG:
04/02/17 07:10:16 - Process(587.6) User(mqm) Program(java)
Host(770e29171038) Installation(Installation1)
VRMF(9.0.1.0) QMgr(QM1)
AMQ5534: User ID 'user' authentication failed
EXPLANATION:
The user ID and password supplied by the 'AMQP' program could not be
authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
----- amqzfuca.c : 4486 -------------------------------------------------------
04/02/17 07:10:16 - Process(587.6) User(mqm) Program(java)
Host(770e29171038) Installation(Installation1)
VRMF(9.0.1.0) QMgr(QM1)
AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.
EXPLANATION:
The user ID 'user' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'USE.OS' with CHCKCLNT(REQDADM).
This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.
Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.
If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call.
To avoid the authentication check, you can amend the authentication
configuration of the queue manager connection, but you should generally not
allow unauthenticated remote access.
-------------------------------------------------------------------------------
04/02/17 07:10:17 - Process(587.6) User(mqm) Program(java)
Host(770e29171038) Installation(Installation1)
VRMF(9.0.1.0) QMgr(QM1)
AMQ5534: User ID 'user' authentication failed
EXPLANATION:
The user ID and password supplied by the 'AMQP' program could not be
authenticated.
Additional information: 'N/A'.
ACTION:
Ensure that the correct user ID and password are provided by the application.
Ensure that the authentication repository is correctly configured. Look at
previous error messages for any additional information.
----- amqzfuca.c : 4486 -------------------------------------------------------
04/02/17 07:10:17 - Process(587.6) User(mqm) Program(java)
Host(770e29171038) Installation(Installation1)
VRMF(9.0.1.0) QMgr(QM1)
AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.
EXPLANATION:
The user ID 'user' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'USE.OS' with CHCKCLNT(REQDADM).
This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.
Ensure that a password is specified by the client application and that the
password is correct for the user ID. The authentication configuration of the
queue manager connection determines the user ID repository. For example, the
local operating system user database or an LDAP server.
If the CHCKCLNT setting is OPTIONAL, the authentication check can be avoided by
not passing a user ID across the channel. For example, by omitting the MQCSP
structure from the client MQCONNX API call.
To avoid the authentication check, you can amend the authentication
configuration of the queue manager connection, but you should generally not
allow unauthenticated remote access.
-------------------------------------------------------------------------------
SASL flow has been changed within the new Node JS client version. The new SASL flow is currently not supported by the IBM AMQP server. The AMQP server thinks that at this moment it should already have enough data for authentication and authorization of the client user. However, because of the change in the new Node JS client, the rest of the required data has not yet been sent when the server tries to authenticate the client. This is why the logs show that only the user 'mqm' has been set and no password supplied to the QMgr. Thus causing an authorization error APAR IT20283
In reviewing the error logs from the queue manager it appears that MQ is not able to authenticate the user being passed to the AMQP channel via the mqlight_sample.js program.
Please try the following two commands and note the output:
echo 'goodpassword' | /opt/mqm/bin/security/amqoamax user ; echo $?
echo 'badpassword' | /opt/mqm/bin/security/amqoamax user ; echo $?
OP noted the output was 0 and 1 for the above commands. This means that MQ can properly authenticate the UserId "user" with a correct password since it returns 0.
Next please create a normal SVRCONN channel on the queue manager and try the following sample program, this would again rule out MQ and CONNAUTH being an issue.
echo 'goodpassword' | amqscnxc -x 'localhost(5672)' -c SVRCONN.CHANNEL -u user QM1; echo $?
The output if good should look like this:
Sample AMQSCNXC start
Connecting to queue manager QM1
using the server connection channel SVRCONN.CHANNEL
on connection name localhost(5672).
Enter password: Connection established to queue manager QM1
Sample AMQSCNXC end
0
If it fails, the output should look like this:
Sample AMQSCNXC start
Connecting to queue manager QM1
using the server connection channel SVRCONN.CHANNEL
on connection name localhost(5672).
Enter password: MQCONNX ended with reason code 2035
243
If the above test is also successful then please verify that the mqlight_sample.js has the same user and goodpassword values that worked with the two tests.
If you find that the UserID and password are correct, then it would appear that the amqp program is not passing the password correctly and someone else with more AMQP knowledge would need to help.
Update 2017-04-28
OP @dhaavhincy has posted a new answer that per IBM the issue was a result of the SASL flow in Node JS v6 being changed and incompatible with IBM MQ AMQP. IBM has provided that this will be fixed via APAR IT20283 which has not been published to the web.
Update 2017-06-20
APAR IT20283 was published to the web around May 22nd.
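Added example, not part of the original posts or of IBM's tooling: a small Python parser for the AMQERR01.LOG layout quoted in the question, pairing each AMQ5534 failure with the AMQ5542 entry that names the CHCKCLNT mode and AUTHINFO object in force. The function names are hypothetical and the record layout is inferred only from the entries shown on this page.

```python
import re

# Abbreviated copy of two AMQERR01.LOG entries quoted in the question above.
SAMPLE_LOG = """\
04/02/17 07:10:16 - Process(587.6) User(mqm) Program(java)
Host(770e29171038) Installation(Installation1)
VRMF(9.0.1.0) QMgr(QM1)
AMQ5534: User ID 'user' authentication failed
----- amqzfuca.c : 4486 -------------------------------------------------------
04/02/17 07:10:16 - Process(587.6) User(mqm) Program(java)
Host(770e29171038) Installation(Installation1)
VRMF(9.0.1.0) QMgr(QM1)
AMQ5542: The failed authentication check was caused by the queue manager
CONNAUTH CHCKCLNT(REQDADM) configuration.
EXPLANATION:
The user ID 'user' and its password were checked because the queue manager
connection authority (CONNAUTH) configuration refers to an authentication
information (AUTHINFO) object named 'USE.OS' with CHCKCLNT(REQDADM).
-------------------------------------------------------------------------------
"""

ATTR = re.compile(r"(\w+)\(([^)]*)\)")  # Process(587.6), QMgr(QM1), ...

def parse_entries(text):
    """Split the log on its dashed separator lines into structured entries."""
    entries = []
    for block in re.split(r"(?m)^-{5}.*$", text):
        lines = block.strip().splitlines()
        start = next((i for i, l in enumerate(lines) if re.match(r"AMQ\d{4}", l)), 0)
        if start == 0:  # empty block, or no message line after the header
            continue
        body = " ".join(lines[start:])
        entries.append({"time": lines[0].split(" - ")[0], "id": body.split(":")[0],
                        "attrs": dict(ATTR.findall(" ".join(lines[:start]))),
                        "body": body})
    return entries

def auth_failures(text):
    """Attach the AMQ5542 explanation (CHCKCLNT mode, AUTHINFO) to each AMQ5534."""
    found = []
    for e in parse_entries(text):
        if e["id"] == "AMQ5534":
            user = re.search(r"User ID '([^']*)'", e["body"])
            found.append({"time": e["time"], "qmgr": e["attrs"].get("QMgr"),
                          "user": user.group(1) if user else None})
        elif e["id"] == "AMQ5542" and found:
            mode = re.search(r"CHCKCLNT\((\w+)\)", e["body"])
            obj = re.search(r"object named '([^']*)'", e["body"])
            found[-1]["chckclnt"] = mode.group(1) if mode else None
            found[-1]["authinfo"] = obj.group(1) if obj else None
    return found

if __name__ == "__main__":
    print(auth_failures(SAMPLE_LOG))
```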

NodeJS. Child_process.spawn. Handle process' input prompt

I'm currently working on my web interface for git. Accessing git itself by child_process.spawn. Everything is fine while there is simple "command -> response" mechanism, but I cannot understand what should I do with command prompts (git fetch asks for password for example). Hypothetically there is some event fired, but I don't know what to listen to. All I see is "git_user@myserver's password: _" in command line where node.js process itself is running.
It would be great to redirect this request into my web application, but is it even possible?
I've tried to listen on message, data, pipe, end, close, readable at all streams (stdout, stdin, stderr), but no one fires on password prompt.
Here is my working solution (without mentioned experiments):
var spawn=require("child_process").spawn;
var out="";
var err="";
var proc=spawn(exe,cmd);
proc.on("exit",function(exitCode){
});
proc.stdout.on("data",function(data){
  out+=data;
});
proc.stderr.on("data",function(data){
  err+=data;
});
proc.on("close",function(code){
  if(!code)func(out);
  else return errHandler(err);
});
Can you please help me with my investigations?
UPDATE
Current situation: on my GIT web interface there is a button "FETCH" (as an example, for simple "git fetch"). When I press it, http request is generated and being sent to node.js server created by http.createServer(callback).listen(8080). callback function receives my request and creates child_process.spawn('git',['-C','path/to/local/repo','fetch']). All this time I see only loading screen on my web interface, but if I switch to command line window where node script is running I will see a password prompt. Now let's pretend that I can't switch window to console, because I work remotely.
I want to see password prompt on my web interface. It would be very easy to achieve if, for instance, child_process would emit some event on child.stdin (or somewhere else) when prompting for user input. In that case I would send string "Come on, dude, git wants to know your password! Enter it here: _______" back to web client (by response.end(str)), and will keep on waiting for the next http connection with client response, containing desired password. Then simply child.stdin.write(pass) it to git process.
Is this solution possible? Or something NOT involving command line with parent process.
UPDATE2
Just tried to attach listeners to all possible events described in official documentation: stdout and stderr (readable, data, end, close, error), stdin (drain, finish, pipe, unpipe, error), child (message, exit, close, disconnect, message).
Tried the same listeners on process.stdout, process.stderr after piping git streams to it.
Nothing fires on password request...
The main reason why your code won't work is because you only find out what happened with your Git process after it has executed.
The major reason to use spawn is because the spawned process can be configured, and stdout and stderr are Readable streams in the parent process.
I just tried this code out and it worked pretty good. Here is an example of spawning a process to perform a git push. However, as you may know git will ask you for username and password.
var spawn = require('child_process').spawn;
var git = spawn('git', ['push', 'origin', 'master']);
git.stderr.on('data', function(data) {
  // do something with it
});
git.stderr.pipe(process.stderr);
git.stdout.pipe(process.stdout);
Make a local git repo and setup things so that you can do the above push command. However, you can really do any git command.
Copy this into a file called git_process.js.
Run with node git_process.js
Don't know if this would help but I found the only way to intercept the prompts from child processes was to set the detached option to true when you spawn a new child process.
Like you I couldn't find any info on prompts from child process in node on the interwebs. One would suspect it should go to stdout and then you would have to write to stdin. If I remember correctly you may find the prompt being sent to stderr.
It's a bit amazing to me that others haven't had this problem. Maybe we're just doing it wrong.
