How to detect ftp connection - linux

I'm using vsftpd and I want to write a shell script that will detect a connection to my server and send me an email with information on who logged in and when.
I don't know where to start. Can someone point me in the right direction?
Thanks

Read the log.
http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/ref-guide/s1-ftp-vsftpd-conf.html
Enable the transfer log.
Read the file.
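As an added example (not part of the original answer), here is a small POSIX shell script that does what the answer describes: it reads vsftpd's log, pulls the user, client address and timestamp out of each login line, and mails each successful login to an administrator. The log lines below are constructed for the example and assume vsftpd's default (non-xferlog) log format; the recipient address and log path are assumptions.

```shell
#!/bin/sh
# Constructed sample in vsftpd's default log format (xferlog_std_format=NO).
SAMPLE_LOG='Tue Jan 10 12:34:56 2012 [pid 1234] [alice] OK LOGIN: Client "192.0.2.10"
Tue Jan 10 12:35:01 2012 [pid 1240] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Jan 10 12:35:09 2012 [pid 1234] [alice] OK DOWNLOAD: Client "192.0.2.10", "/home/alice/report.txt", 1024 bytes'

# login_summary: read log lines on stdin and print one line per login attempt:
#   STATUS USER CLIENT_IP TIMESTAMP
login_summary() {
    awk '
    / (OK|FAIL) LOGIN: Client "/ {
        # the timestamp is the first five fields, e.g. "Tue Jan 10 12:34:56 2012"
        ts = $1 " " $2 " " $3 " " $4 " " $5
        # the user name is the second bracketed field: "] [alice] "
        match($0, /\] \[[^]]*\] /)
        user = substr($0, RSTART + 3, RLENGTH - 5)
        status = ($0 ~ / OK LOGIN: /) ? "OK" : "FAIL"
        # the client address is quoted after "Client "
        match($0, /Client "[^"]*"/)
        ip = substr($0, RSTART + 8, RLENGTH - 9)
        print status, user, ip, ts
    }'
}

# failed_logins_by_ip: count FAIL LOGIN lines per client, useful for spotting
# password guessing against the server
failed_logins_by_ip() {
    login_summary | awk '$1 == "FAIL" { c[$3]++ } END { for (ip in c) print c[ip], ip }'
}

# notify_logins: send one email per successful login via mail(1)
# $1 = recipient address (assumed, e.g. admin@example.com)
notify_logins() {
    login_summary | while read -r status user ip ts; do
        [ "$status" = OK ] || continue
        printf 'vsftpd login: user %s from %s at %s\n' "$user" "$ip" "$ts" \
            | mail -s "FTP login: $user from $ip" "$1"
    done
}

# Live use (assumed log path): follow the log and alert on each new login.
#   tail -Fn0 /var/log/vsftpd.log | notify_logins admin@example.com
```

Running it against the constructed sample, `login_summary` reports the OK login for alice and the FAIL login for bob and ignores the download line; `failed_logins_by_ip` gives a quick view of which clients are failing repeatedly.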

I'm not familiar with vsftpd, but you could have your shell script look at the output of netstat to see if you've got any connections on port 21 (the default ftp port).

The most reliable way is using log analysis. If you use a tool like OSSEC (free and open source), it can run any scripts or generate email alerts when logins, logouts, failed logins, etc. happen.
link: http://www.ossec.net

The same applies to "fail2ban", though the purpose of this thing is something else (you guessed it).
J.

Related

WinSCP: The requested name is valid, but no data of the requested type was found. Connection failed

I'm supposed to access a server, but when I use WinSCP with FTP protocol to log in, I just get a warning that
The requested name is valid, but no data of the requested type was found.
Connection failed.
I really have very little experience with working remotely on servers, or even logging into them. What are my alternatives?
This is the WSANO_DATA error. Quoting Microsoft documentation:
The usual example for this is a host name-to-address translation attempt ... which uses the DNS (Domain Name Server). An MX record is returned but no A record—indicating the host itself exists, but is not directly reachable.
(This can possibly happen for newly registered domain names that are not fully set up yet.)
See:
https://learn.microsoft.com/en-us/windows/win32/winsock/windows-sockets-error-codes-2#WSANO_DATA or
https://winscp.net/eng/docs/message_name_no_data
It could have been a temporary issue. Also make sure you specify your hostname without the leading ftp:// (though the latest version of WinSCP will strip it automatically).
You can find a very nice discussion on the same issue with WinSCP here
You can also try FileZilla or PuTTY.
If you are typing your address like ftp://ftp.domain.com or things like that, remove the first part and just keep ftp.domain.com in your host address box.
You might want to consider PuTTY, which comes with a number of tools including a ssh client and a secure copy tool like WinSCP called pscp. Possibly even more valuable is the psftp client, which allows secure ftp to remote servers. PuTTY can be run from a usb drive, making it easy to carry with you to any computer, allowing you to remote into your server from all over the world.
You're probably using WinSCP to send or get files from/to the server, right? You might want to state that in your question. For that, you're probably better off with FileZilla. (You need the FileZilla client, not the Server)

How can I secure an emacs-server?

I'd like to ensure that only I can connect to an emacs server that I initialised. I frequently use machines that other people could be SSH'd into, and I don't see what's to stop them opening emacsclient and running M-x kill-emacs which would screw me over.
I looked at the documentation for emacsserver and emacsclient but couldn't find what I was looking for.
Is there a way to do this?
That happens out of the box, of course! The Emacs server creates a socket that only you can access (permissions 600 or 700, in a directory with permissions 600 for good measure).
It looks like you can specify server-socket-file for the server and server-socket-dir for emacsclient. Simply place the socket in a directory where only you have access and you should be set.

FTP configuration for WordPress

I've installed a WordPress instance on a Linux server, and I need to give it FTP access in order to install plugins and execute automatic backup/restores. I've just installed vsftpd, and started the service, but now what?
How do I figure out/set what the username/pass is?
Should I allow anonymous access?
Is the hostname just 'localhost'?
Any advice would be appreciated. I've never messed with FTP on Linux before. Thanks.
Your question is a little unclear because you don't specify what aspect of wordpress "wants" FTP access. If you got WP installed, you clearly have at least some access to the machine already. That said, I'll try to answer around that inclarity.
Your questions in order, then some general thoughts:
How do I figure out/set what the username/pass is?
Remember that the man page for a program is a good first stop. A good man page will also contain a FILES or "SEE ALSO" section near the bottom that will point you to relevant config files.
In this case, "man vsftpd" mentions /etc/vsftpd.conf, so you can then do "man vsftpd.conf" to get info on how to configure it.
VSFTPD is configurable, and can allow users to log in in several ways. In the man page, check out "guest_enable" and "guest_username", "local_enable" and "user_sub_token".
*The easiest route for your single user usage is probably configuring local_enable, then your username and password would be whatever it is in /etc/password.*
Should I allow anonymous access?
No. Since you're using this to admin your Wordpress, there's no reason anyone else should be using this FTP. VSFTPD has this off by default.
Is the hostname just 'localhost'?
Depends where you're coming from. 'localhost' maps back to the loopback, or the same physical machine you're on. So if you need to put ftp configuration information for Server A into a wordpress configuration file on Server A, then 'localhost' is perfectly acceptable. If you're trying to configure the pasv_addr_resolve/pasv_addr flag of VSFTPD, then no, you'll want to either pass in the fully qualified name of Server A (serverA.mydomain.com), or leave it off and rely on the IP address.
EDIT: I actually forgot the critical disclaimer to never send credentials over plain FTP. Plain old FTP (meaning not SFTP) sends your username and password in cleartext. I didn't install VSFTP and play with it, but you'll want to make sure that there is some form of encryption happening when you connect. Try hitting it with WinSCP (from windows) or sftp (from linux) to make sure you're getting an encrypted SFTP, rather than plaintext FTP.
Apologies if you already knew that ;)
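As an added example (not from the answer above or from the vsftpd project), here is a shell audit that checks a vsftpd.conf for the settings the answer talks about: anonymous access off, local users on, and encryption enforced. It writes a constructed "weak" config next to a constructed hardened one and reports every setting that is missing or unsafe. The keys used (anonymous_enable, local_enable, ssl_enable, force_local_logins_ssl, force_local_data_ssl, chroot_local_user) are real vsftpd.conf options; an unset key is reported as a finding because the compiled-in defaults differ between builds and distributions.

```shell
#!/bin/sh
# Two constructed configurations: the first is what a fresh, unedited setup
# often looks like, the second is the hardened form.
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# constructed example: anonymous access on, no TLS
anonymous_enable=YES
local_enable=YES
write_enable=YES
EOF
cat >"$HARDENED_CONF" <<'EOF'
# constructed example: local users only, TLS required for logins and data
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
EOF

# conf_value FILE KEY: print the last effective value of KEY (comments ignored)
conf_value() {
    sed -n 's/^[[:space:]]*'"$2"'=\(.*\)$/\1/p' "$1" | tail -n1 | tr -d '[:space:]'
}

# audit_vsftpd_conf FILE: print one line per unsafe or missing setting
audit_vsftpd_conf() {
    f=$1
    # key, required value, reason
    while read -r key want why; do
        have=$(conf_value "$f" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s=%s (have: %s): %s\n' "$key" "$want" "${have:-unset}" "$why"
        fi
    done <<'EOF'
anonymous_enable NO anonymous users can read (and with write_enable, write) files
local_enable YES local system accounts are the intended login method
ssl_enable YES without TLS the password crosses the network in cleartext
force_local_logins_ssl YES logins must not fall back to plaintext
force_local_data_ssl YES file contents must not cross the network in cleartext
chroot_local_user YES confine the FTP user to its home directory
EOF
}

# finding_count FILE: number of findings, for use in scripts
finding_count() {
    audit_vsftpd_conf "$1" | wc -l | tr -d ' '
}

# Usage on a real system (assumed path): audit_vsftpd_conf /etc/vsftpd.conf
```

The weak config produces five findings (ssl_enable, both force_* keys and chroot_local_user are unset, anonymous_enable is YES); the hardened one produces none. Note that `ssl_enable=YES` is FTPS, not SFTP, which matches the point in the answer that plain FTP must not carry credentials; SFTP would be a separate SSH-based service.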
You would probably get better answers on server fault.
That said:
vsftp should use your local users by default, and drop you in that user's home directory on login.
disable anonymous access if you don't need it, I don't think wordpress will care but your server will be safer.
yes, or 127.0.0.1, or your public IP if you think you might split the front and back end some day.
WordPress does not natively support SFTP. You can get around this two ways:
chmod permissions in the appropriate directories to allow the normal, automatic update to work correctly. This is the approach most certain to work, as long as it doesn't trip over any local security policies.
Try hacking it in yourself. There have been any number of threads on this at the WordPress.org forums. Here is a recent one which is also talking about non-standard ports. Here is an article about how to try to get it working on Debian Lenny (which also addresses the non-standard port issue).

Run command when connected to a specific wireless network

In my university there's a certain wlan network open for the students and employees. To use it, however, one must first log in via a website using your own username and password. This can also be done by submitting an http request with the right POST-data to the same website. I already have a shell script that does this but I'm still curious as to whether it would be possible to have this script run automagically every time my computer connects to the university wlan. Is it possible to do this in some semi-easy way?
I know that NetworkManager (which is used in Ubuntu) exposes a DBUS interface -- I would suspect there is an event for network connected / disconnected which you could use. Try checking the NetworkManager DBUS Interface spec.
If you've never worked with DBUS before, fear not, there are bindings for pretty much every language. I'm sure there's even a CLI client you could invoke from a shell script. This blog entry shows how to detect a new connection from NetworkManager with Python -- it might be a good starting point.
You might write a simple script that runs "iwconfig" and processes its output. If the name of the network is found (with Regex for example) you send a request.
I don't think you can trigger the script when you are actually connected to the network, but you can add it to CRON, so it is executed for example every ten seconds.
Here's a document you may find helpful: https://help.ubuntu.com/community/CronHowto
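As an added example that is not part of either answer above, here is a shell hook that combines the two suggestions: it extracts the ESSID from iwconfig output and runs the login script only when the interface has just come up on the target network. It is written in the shape NetworkManager expects for scripts in /etc/NetworkManager/dispatcher.d, which are invoked with the interface as the first argument and the action ("up", "down", ...) as the second; the SSID, the path of the questioner's login script, and the iwconfig sample are constructed assumptions. The same `should_login` check works unchanged from a cron job if the dispatcher route is not available.

```shell
#!/bin/sh
# Assumed location: /etc/NetworkManager/dispatcher.d/90-uni-login (mode 755, root-owned)
# NetworkManager calls it as: SCRIPT <interface> <action>
TARGET_SSID="UniversityWLAN"          # constructed placeholder for the campus SSID
LOGIN_SCRIPT="$HOME/bin/uni-login.sh" # assumed path of the existing login script
STATE_FILE="/tmp/uni-login.last"      # remembers the last SSID we logged in to

# Constructed iwconfig output for a connected interface.
SAMPLE_IWCONFIG='wlan0     IEEE 802.11  ESSID:"UniversityWLAN"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:11:22:33:44:55'

# current_essid: read iwconfig-style output on stdin, print the ESSID (or nothing)
current_essid() {
    sed -n 's/.*ESSID:"\([^"]*\)".*/\1/p' | head -n1
}

# should_login IFACE ACTION ESSID: succeed only for an "up" event on the target SSID
should_login() {
    action=$2
    essid=$3
    [ "$action" = up ] || return 1
    [ "$essid" = "$TARGET_SSID" ] || return 1
    return 0
}

# already_logged_in ESSID: succeed if the state file records a login to this SSID,
# so a cron-driven caller does not resubmit the form every run
already_logged_in() {
    [ -r "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$1" ]
}

run_login() {
    if [ -x "$LOGIN_SCRIPT" ]; then
        "$LOGIN_SCRIPT" && printf '%s\n' "$1" >"$STATE_FILE"
    else
        printf 'login script %s not found or not executable\n' "$LOGIN_SCRIPT" >&2
        return 1
    fi
}

main() {
    iface=$1
    action=$2
    # Dispatcher mode: NetworkManager sets CONNECTION_ID to the profile name,
    # which for Wi-Fi profiles normally equals the SSID; fall back to iwconfig.
    essid=${CONNECTION_ID:-$(iwconfig "$iface" 2>/dev/null | current_essid)}
    if [ "$action" = down ]; then
        rm -f "$STATE_FILE"
    elif should_login "$iface" "$action" "$essid" && ! already_logged_in "$essid"; then
        run_login "$essid"
    fi
}

# Run only when called with arguments (NetworkManager or cron); harmless when sourced.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

For the cron variant the answer describes, a one-line crontab entry can call the script as `uni-login-hook wlan0 up`; the state file keeps it from re-posting the credentials every ten seconds while still re-logging in after a disconnect.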

Using directory traversal attack to execute commands

Is there a way to execute commands using directory traversal attacks?
For instance, I access a server's etc/passwd file like this
http://server.com/..%01/..%01/..%01//etc/passwd
Is there a way to run a command instead? Like...
http://server.com/..%01/..%01/..%01//ls
..... and get an output?
To be clear here, I've found the vuln in our company's server. I'm looking to raise the risk level (or bonus points for me) by proving that it may give an attacker complete access to the system
Chroot on Linux is easily breakable (unlike FreeBSD). A better solution is to switch on SELinux and run Apache in a SELinux sandbox:
run_init /etc/init.d/httpd restart
Make sure you have mod_security installed and properly configured.
If you are able to view /etc/passwd as a result of the document root or access to Directory not correctly configured on the server, then the presence of this vulnerability does not automatically mean you can execute commands of your choice.
On the other hand, if you are able to view entries from /etc/passwd as a result of the web application using user input (filename) in calls such as popen, exec, system, shell_exec, or variants without adequate sanitization, then you may be able to execute arbitrary commands.
Unless the web server is utterly hideously programmed by someone with no idea what they're doing, trying to access ls using that (assuming it even works) would result in you seeing the contents of the ls binary, and nothing else.
Which is probably not very useful.
Yes it is possible (the first question) if the application is really really bad (in terms of security).
http://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
Edit#2: I have edited out my comments as they were deemed sarcastic and blunt. Ok now as more information came from gAMBOOKa about this, Apache with Fedora - which you should have put into the question - I would suggest:
Post to Apache forum, highlighting you're running latest version of Apache and running on Fedora and submit the exploit to them.
Post to Fedora's forum, again, highlighting you're running the latest version of Apache and submit the exploit to them.
It should be noted, include the httpd.conf to both of the sites when posting to their forums.
To minimize access to passwd files, look into running Apache in a sandbox/chrooted environment where any other files such as passwd are not visible outside of the sandbox/chrooted environment...have you a spare box lying around to experiment with it or even better use VMWARE to simulate the identical environment you are using for the Apache/Fedora - try get it to be IDENTICAL environment, and make the httpd server run within VMWare, and remotely access the Virtual machine to check if the exploit is still visible. Then chroot/sandbox it and re-run the exploit again...
Document the step-by-step to reproduce it and include a recommendation until a fix is found, meanwhile if there is minimal impact to the webserver running in sandbox/chrooted environment - push them to do so...
Hope this helps,
Best regards,
Tom.
If you already can view etc/passwd then the server must be poorly configured...
if you really want to execute commands then you need to know the php script running in the server whether there is any system() command so that you can pass commands through the url..
eg: url?command=ls
try to view the .htaccess files....it may do the trick..
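From the defender's side, the first practical step with a finding like the one in the question is to see how often such requests hit the server and whether any succeeded. As an added example (not from any of the answers above), here is a shell/awk filter that URL-decodes the request path of each access-log line and flags paths where ".." is followed by a slash, a backslash or a non-printable byte, which covers both plain `../` and encoded forms such as `..%01/` or `%2e%2e/`. The log lines are constructed in Combined Log Format; nothing here reproduces the request beyond what the question already shows.

```shell
#!/bin/sh
# Constructed Apache access-log sample: one normal request, two traversal
# attempts (one that succeeded with 200, one that got 404) and a false-positive
# candidate whose ".." is part of an ordinary file name.
SAMPLE_ACCESS_LOG='192.0.2.10 - - [10/Jan/2012:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2012:12:00:05 +0000] "GET /..%01/..%01/..%01//etc/passwd HTTP/1.1" 200 1844 "-" "curl/7.19"
198.51.100.7 - - [10/Jan/2012:12:00:09 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 210 "-" "curl/7.19"
203.0.113.5 - - [10/Jan/2012:12:01:00 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"'

# flag_traversal: read access-log lines on stdin; print "IP STATUS RAW_PATH" for
# every request whose decoded path contains a traversal sequence.
flag_traversal() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # urldecode: turn %XX escapes into bytes (single pass)
    function urldecode(s,    out, i, c, n) {
        out = ""
        n = length(s)
        for (i = 1; i <= n; i++) {
            c = substr(s, i, 1)
            if (c == "%" && i + 2 <= n && substr(s, i + 1, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hexval(substr(s, i + 1, 1)) * 16 + hexval(substr(s, i + 2, 1)))
                i += 2
            } else {
                out = out c
            }
        }
        return out
    }
    {
        # Combined Log Format: $1 client, $7 request path, $9 status
        ip = $1; path = $7; status = $9
        decoded = urldecode(path)
        # ".." followed by a separator or a control byte is a traversal attempt;
        # ".." inside a file name (release..notes.html) is not.
        if (decoded ~ /\.\.([\/\\]|[^[:print:]])/) {
            print ip, status, path
        }
    }'
}

# successful_traversals: only the flagged requests the server answered with 2xx,
# which are the ones that need immediate configuration review.
successful_traversals() {
    flag_traversal | awk '$2 ~ /^2/'
}

# Usage on a real system (assumed log path):
#   flag_traversal < /var/log/httpd/access_log
```

On the sample, the two requests from 198.51.100.7 are flagged and the `release..notes.html` request is not; `successful_traversals` narrows the list to the one that returned 200, which is the case the answers above say should be fixed by correcting the document root and Directory configuration (and, where available, confining the server with SELinux or mod_security) rather than treated as proof of command execution.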
