Just a small post with the instructions on upgrading Splunk on Ubuntu Linux.
First download the Splunk update. The Splunk website also gives you the wget command, which you can use directly on the Linux commandline.
Posts filed under Linux
Configuring Syslog-ng on Ubuntu
Syslog-ng is a replacement for the default syslog daemons you get with most Linux distributions. The advantage of syslog-ng is that the configuration is easier to understand, and it gives the sys-admin numerous advantages. Especially in complex environments.
Let's say we have a RADIUS environment which is able to send authentication and accounting information through syslog to external devices. And let's assume that a relevant part of this syslog information is needed by a department within a large cooperation.
Installing syslog-ng (on Ubuntu) is done by the following command:
# sudo apt-get install syslog-ng
Through the use of syslog-ng we can store, and/or forward syslog information based on the following (but not limited to):
- source IP address
- destination IP address
- syslog level
- content in the original syslog message by using regular expressions.
All this can be configured in the /etc/syslog-ng/syslog-ng.conf file.
Wireshark on Ubuntu 10.10
Last week, I acquired a small netbook @ work for testing purposes (HP Mini 5103). You don't want to know how handy a second laptop is when you're testing authentication environments.
For flexibility purposes I installed a dual-boot with Microsoft Windows 7 Enterprise and Ubuntu Linux v10.10 from a USB Flashdrive (1, 2), erasing all the preinstalled HP/McAfee crap. This all worked like a charm, up to the installtion of Wireshark in Ubuntu. Starting the sniffer application resulted in an empty list of network adapters. No network adapters mean no capturing capabilities.
This was probably related to the lack of rights while starting the application. Running it from the terminal with sudo resulted in some weird error regarding a display-thingy (which is still the main reason why Linux isn't penetrating the desktop market).
While searching the Interwebs, I found the following solution. Which, after some alterations to the commands, the following worked for me;
In a terminal session, execute these commands:
sudo addgroup –quiet –system wireshark (this command simply didn't work in my case)
sudo chown root:wireshark /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
usermod -a -G wireshark <my user name>
Reconfigure the Wireshark Common package and answer ‘Yes’ to the question ‘Should non-superusers be able to capture packets?
sudo dpkg-reconfigure wireshark-common (I needed to add the sudo part on this command)
After rebooting the laptop, Wireshark started normally with all the network interfaces available for capturing traffic.
UPDATE: I did a reinstall of the OS, and this time Wireshark started 'properly' from the Terminal application by typing (without the quotes) 'sudo wireshark'.
Vanishing HD Space on Popcorn Hour
Sometimes you think you're mind is playing tricks on you. I have that sometimes. E.g. I have a Popcorn Hour (Networked Media Tank) which holds movies and series I watch. Bits and Bytes come and go on that machine. Thing you've seen are deleted, and replaced by new content. But over the 'years' it seemed to hold less and less content. Oke, movies have increased in size (10-20GB per movie is nothing nowadays). So I didn't really think much of it....
Until I started transporting the content with Transmit instead of FileZilla. Transmit was configured to show even the hidden files, and hidden files it showed. I found 4 hidden temporary pureftp-upload files of almost 32GB each. The timestamps on those files differed from late last year to a couple of months back
.pureftpd-upload-<some random string>
The problem was that I couldn't remove them from the Popcorn, but I really wanted my 120GD of free space back. Turned out that the FTP daemon on the Popcorn was locking these files. Reboot of the popcorn didn't help.
The way to remove them was to stop the FTP daemon on the Popcorn in the menu, and access the device through SMB (or another protocol you can use), and make sure that you can see hidden files.
Select the files and press delete, and they should be gone. After that you can re-enable the FTP service if you like.
Installing & Configuring CentOS 5.4 (Day 2)
Oké. Day 2. After the successful installation and configuration of CentOS with Adobe Coldfusion, I needed to install MySQL as a database. So, I started the virtual machine, and found out why Linux will (probably) never cut it as a common desktop environment.
;)
X11 - No DesktopYesterday I (properly) shutdown the system (which had the GNOME Desktop), and today it started with some back to the 60's desktop. Every icon gone. All that I'm left with was a terminal window, clock, and a FireFox window. This environment is the basic X11 desktop.
Adobe Coldfusion 9 on CentOS 5.4 (x64)
A while back I figured out how to install Adobe (could have been Macromedia back then) Coldfusion MX on an Ubuntu linux server. This config still runs as it should, but in the mean time several things have changed in the world of software. I've been leaning towards Centos 5.4, and Adobe released Coldfusion 9 somewhere in 2009. These two 'events' made me decide to combine the two.
Before I continue, I must warn you that the Coldfusion installer is still broken..... So there's some manipulation of code involved.
Since the new 'server' is going to run in a virtual environment I started in a VMWare Workstation. This way I could make snapshots of my progress. This made it easier to start from scratch. The problem with Linux and me is that I tend to reinstall the OS when things go haywire. So VMWare is a safe way out in this case.
Why Linux Won't Work
.... for me at this moment (and probably for most others).
I'm still in the fase of migrating my Windows server to a more 'reliable' Operating System. The new server should cover the following basic functionalities:
- Filesharing (either via Samba or NFS)
- Webserver with PHP and Coldfusion
- SSH server
- RADIUS Server
- Central user database (e.g. an LDAP server)
- a NZB downloader of some sort
- etc.
Up till now I've tried several Linux distros (Ubuntu 7, Ubuntu 8, and CentOS 5), and none of them are that easy to configure.
It seems that NFS isn't that easy to configure, since Apple OSX requires some special features (standards anyone??). Especially when you want some sort of user authentication. Just do a search on Linux, NFS and Apple OSX.
So after NFS didn't really work, I tried SMB for filesharing. While CentOS has some GUI to configure the shares, it lacks the interface of permissions for users...
You create users within the Linux environment, and if you wanna connect to a Samba share you need to configure additional users (in a different userdatabase).
This can be done by synchronization, but you need to do some scripting etc.
So far I've managed to install a working SSH server (with x509 authentication) and a Webserver.
When I compare this with Windows.... Well, there's no real comparison. Windows has a real central user database (not talking about the Active Directory here, but the local user database). And every service I need can talk to this database, and every service recognizes this database. No need to start 'hacking' some configuration files to make it work.
Well, as long as there's no new (read:better) interface of configuring those services and combining them with a shared user database ....
LINUX >> /dev/null
Recommendations can be left in the comments (if there are any)......
Undocumented Coldfusion Ports
After running 'chkrootkit' on one of my Ubuntu server at work, I got a responds:
Checking `bindshell'... INFECTED (PORTS: 4000)
A message which started a 'mild' shiver across my back, because the rootkit checker just reported that one of the processes on the server could be compromised.
First I took the server of the network. Just to make sure. After that I searched the Internet for a possible explaination. Nothing substancionally. until I found the following command to see what is occupying the port.
sudo netstat -e -p -n -a | grep 4000
This gave me the following result:
udp6 0 0 :::4000 :::*
65534 13886 4739/coldfusion8
So it seems that Adobe Coldfusion is using this port. But this can't be found in any of the official Adobe Coldfusion documentation. There are some (blog)posts related to this, but nothing more.
OpenSSH Vulnerabilities
It seems that public key authentication isn't as save as you might have thought. That is if you're using a Debian based OpenSSH solution. This package can be found in many Linux distributions like;
- Debian (duh ;) )
- Ubuntu
- Kubuntu
- etc.
The problem is that the random number generator (which is of vital importance in generating key-pairs) isn't as random as you might think. It seems that there are only about 30.000 combinations in this specific generator. This leaves the door wide open for brute-force attacks.
So, the first you must do is update your OpenSSH software, and generate new keypairs for all devices / users which might have keys which were generated with the vulnerable OpenSSH software. Softwarepackages depending on OpenSSH are;
- OpenVPN
- DNSSEC
- OpenSSH
- Certificates used in TLS connections
- etc.
Adobe Coldfusion MX on Ubuntu Server
Ever since I went 'Apple', the urge of moving away from Microsoft Windows operating systems is getting bigger and bigger. A couple of weeks ago I installed a two Ubuntu servers (v7.x) at work. Mainly for testing , and educational purposes.
The installation went extremely smooth on old Compaq ML370 server hardware. So, as a test I tried to install Adobe Coldfusion MX (Coldfusion 8 ) on the Ubuntu server (with Apache, and MySQL).
There are several postings on the Internet suggesting that it should be possible. Even though Ubuntu isn't on the supported platforms list for Adobe Coldfusion MX.
The installation went extremely smooth on old Compaq ML370 server hardware. So, as a test I tried to install Adobe Coldfusion MX (Coldfusion 8 ) on the Ubuntu server (with Apache, and MySQL).
There are several postings on the Internet suggesting that it should be possible. Even though Ubuntu isn't on the supported platforms list for Adobe Coldfusion MX.