host is not allowed to connect to this mysql server — Resolved

Written by kammo on November 5th, 2008

When setting up a new mysql server, if you want to manage it from another machine, you will have to grant that machine access. If you don’t, you may get an error that says: “host is not allowed to connect to this mysql server”. This is how you fix it:

Log in to mysql on the mysql server:

[root@mysql-server nss]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 118
Server version: 5.0.45 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Grant permissions for root to connect to this server from your management machine. You can replace hostname with the IP Address if you’d like.
mysql> GRANT ALL PRIVILEGES ON *.* TO root@'hostname' IDENTIFIED BY 'root-passwd-goes-here';
Query OK, 0 rows affected (0.00 sec)

We’re all done so exit:
mysql> exit
Bye
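The GRANT above hands the management host full control of every database as root, and the password is typed into the statement itself. As an added example that is not part of this post, the Python script below parses GRANT statements of the form used here and lists the broad-access conditions each one creates, so you can review grants before running them. The second sample statement, its snort account and the 10.0.0.5 address are constructed to show what a narrower grant looks like.

```python
import re

# Matches the GRANT form used in the post:
#   GRANT <privs> ON <scope> TO user@'host' [IDENTIFIED BY '...'];
# The user part may be bare or quoted; the host part is usually quoted.
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'?(?P<user>[^'@\s]+)'?@'?(?P<host>[^'\s]+)'?",
    re.IGNORECASE,
)
PASSWORD_RE = re.compile(r"IDENTIFIED\s+BY\s+'[^']*'", re.IGNORECASE)

# Host values that only permit connections from the server itself.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_grant(stmt):
    """Extract privileges, scope, user and host from one GRANT statement."""
    m = GRANT_RE.search(stmt)
    if not m:
        raise ValueError("not a GRANT statement: %r" % stmt)
    return {
        "privs": m.group("privs").strip().upper(),
        "scope": m.group("scope"),
        "user": m.group("user"),
        "host": m.group("host"),
    }


def audit_grant(stmt):
    """Return (parsed grant, list of broad-access findings) for one statement."""
    g = parse_grant(stmt)
    findings = []
    if g["privs"].startswith("ALL") and g["scope"] == "*.*":
        findings.append("ALL PRIVILEGES on every database (*.*)")
    if g["user"] == "root" and g["host"] not in LOCAL_HOSTS:
        findings.append("root may connect from a remote host (%s)" % g["host"])
    if "%" in g["host"]:
        findings.append("host contains a wildcard (%s)" % g["host"])
    if PASSWORD_RE.search(stmt):
        findings.append("password is embedded in the statement (5.0-era mysql "
                        "clients record typed statements in ~/.mysql_history)")
    return g, findings


# Constructed sample statements: the post's grant, and a narrower one for a
# hypothetical 'snort' account limited to one database and one address.
EXAMPLES = [
    "GRANT ALL PRIVILEGES ON *.* TO root@'hostname' IDENTIFIED BY 'root-passwd-goes-here' ;",
    "GRANT SELECT, INSERT ON snort.* TO 'snort'@'10.0.0.5' IDENTIFIED BY 'snort-passwd';",
]

if __name__ == "__main__":
    for stmt in EXAMPLES:
        g, findings = audit_grant(stmt)
        print("%s@%s on %s:" % (g["user"], g["host"], g["scope"]))
        for f in findings or ["no broad-access findings"]:
            print("  -", f)
```

Run it as-is to see the three findings for the post's grant and the single (password) finding for the narrower one; feed it the output of SHOW GRANTS to review an existing server.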

Linux User Accounting Tools

Written by kammo on October 30th, 2008

Here is a list of commands you can use to get data about user logins:

who Shows a listing of currently logged-in users.
w Shows who is logged on and what they are doing.
last Shows a list of last logged-in users, including login time, logout time, login IP address, etc.
lastb Same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.
lastlog This command reports data maintained in /var/log/lastlog, which is a record of the last time a user logged in.
ac Prints out the connect time in hours on a per-user basis or daily basis etc. This command reads /var/log/wtmp.

dump-utmp Converts raw data from /var/run/utmp or /var/log/wtmp into ASCII-parsable format.
Also check the /var/log/messages, /var/log/secure, and /var/log/syslog files.
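The utmp, wtmp and btmp files that last, lastb and dump-utmp read share one binary record format. As an added example that is not part of this post, the Python script below unpacks that format (the glibc struct utmp layout on x86_64 Linux, 384 bytes per record, which is an assumption about the platform), reconstructs login sessions the way last does by pairing each login with the logout on the same tty, and counts failed attempts per user and source the way lastb reads /var/log/btmp. The records it processes are constructed inside the script rather than read from a live system; pass the bytes of /var/log/wtmp or /var/log/btmp to parse_utmp to use it for real.

```python
import struct
import time
from collections import defaultdict

# glibc struct utmp on x86_64 Linux, little-endian, 384 bytes (assumed layout):
#   short ut_type; 2 pad; int ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; short e_termination, e_exit;
#   int ut_session; int tv_sec, tv_usec; int ut_addr_v6[4]; char unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type values from <utmp.h>
EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME = 0, 1, 2, 3, 4
INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS, ACCOUNTING = 5, 6, 7, 8, 9


def _cstr(field):
    """Decode a NUL-padded fixed-width C string."""
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Split a utmp/wtmp/btmp byte buffer into record dicts (a trailing partial record is ignored)."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "id": _cstr(f[3]), "user": _cstr(f[4]),
                        "host": _cstr(f[5]), "time": f[9]})  # f[9] is tv_sec
    return records


def sessions(records):
    """Pair USER_PROCESS logins with the DEAD_PROCESS on the same tty, like last(1)."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append({"user": login["user"], "line": login["line"], "host": login["host"],
                        "login": login["time"], "logout": r["time"],
                        "duration": r["time"] - login["time"]})
    for login in open_by_line.values():  # no logout record yet: still logged in
        out.append({"user": login["user"], "line": login["line"], "host": login["host"],
                    "login": login["time"], "logout": None, "duration": None})
    return out


def failed_logins(records):
    """Count records per (user, host); every record in /var/log/btmp is a failed attempt."""
    counts = defaultdict(int)
    for r in records:
        if r["user"]:
            counts[(r["user"], r["host"])] += 1
    return dict(counts)


def make_record(ut_type, pid, line, ident, user, host, tv_sec):
    """Pack one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


T0 = 1225324800  # 2008-10-30 00:00:00 UTC, chosen to match the post date
# Constructed wtmp: a boot, a console login that ends, and an SSH session still open.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "~~", "reboot", "2.6.18", T0),
    make_record(USER_PROCESS, 2001, "tty1", "1", "kammo", "", T0 + 60),
    make_record(USER_PROCESS, 2002, "pts/0", "ts/0", "kammo", "10.0.0.7", T0 + 120),
    make_record(DEAD_PROCESS, 2001, "tty1", "1", "", "", T0 + 600),
])
# Constructed btmp: three failed SSH attempts (sshd records these with line "ssh:notty").
SAMPLE_BTMP = b"".join([
    make_record(LOGIN_PROCESS, 3001, "ssh:notty", "", "root", "192.0.2.10", T0 + 200),
    make_record(LOGIN_PROCESS, 3002, "ssh:notty", "", "root", "192.0.2.10", T0 + 205),
    make_record(LOGIN_PROCESS, 3003, "ssh:notty", "", "oracle", "192.0.2.10", T0 + 210),
])

if __name__ == "__main__":
    for s in sessions(parse_utmp(SAMPLE_WTMP)):
        end = "still logged in" if s["logout"] is None else time.strftime(
            "%H:%M", time.gmtime(s["logout"]))
        print("%-8s %-8s %-12s %s - %s" % (s["user"], s["line"], s["host"] or "console",
              time.strftime("%b %d %H:%M", time.gmtime(s["login"])), end))
    for (user, host), n in sorted(failed_logins(parse_utmp(SAMPLE_BTMP)).items()):
        print("%d failed attempt(s) for %s from %s" % (n, user, host))
```

The session pairing is keyed on the tty because that is how last correlates records; a DEAD_PROCESS carries no user name, only the line that was released.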

Displaying Login Banners

Written by kammo on October 30th, 2008

It is prudent to place a legal banner on login screens on all servers for legal reasons and to potentially deter intruders among other things. Consult legal counsel for the content of the banner.

Restricting Direct Login Access for System and Shared Accounts

Written by kammo on October 30th, 2008

On an audited production system it is very important to know who switched to which system or shared account. Therefore it is prudent to restrict direct logins for all system and shared accounts where more than one individual knows the password. All users should do a direct login using their own account and then switch to the system or shared account. (If you are just interested in restricting direct root SSH logins, see Securing SSH.)
However, there are situations where you have to allow direct logins for system or shared accounts. For example, within an Oracle RAC cluster you have to enable direct ssh logins for oracle. But in such an environment you have to protect the whole cluster as a single entity against incoming ssh connections, i.e. direct oracle logins should not work if you come from a node that is not part of the cluster. In the following example I will show how to achieve this goal as well.
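To verify this policy on an audited system, the su and sshd lines in /var/log/secure are the record to check: su logs who switched to which account, and sshd's "Accepted" lines record every direct login and the address it came from. The Python script below is an added example, not part of this post. It parses both line types in the pam_unix/syslog format RHEL 5 writes, reports each switch into a shared account, and flags direct logins to shared or system accounts from addresses outside the cluster network. The log lines, the account list and the 10.0.0.0/24 cluster network are constructed for the example.

```python
import ipaddress
import re

# su via PAM: "su: pam_unix(su-l:session): session opened for user oracle by kammo(uid=500)"
SU_RE = re.compile(
    r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): session opened for user "
    r"(?P<target>\S+) by (?P<actor>[^(\s]+)\(uid=(?P<uid>\d+)\)")
# sshd: "sshd[4221]: Accepted publickey for oracle from 10.0.0.2 port 51234 ssh2"
SSH_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
# syslog prefix: timestamp and host name
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ")


def parse_secure(lines):
    """Turn su and sshd 'Accepted' lines from /var/log/secure into event dicts."""
    events = []
    for line in lines:
        head = TS_RE.match(line)
        base = {"ts": head.group("ts"), "node": head.group("host")} if head else {}
        m = SU_RE.search(line)
        if m:
            events.append(dict(base, kind="su", actor=m.group("actor"),
                               target=m.group("target"), uid=int(m.group("uid"))))
            continue
        m = SSH_RE.search(line)
        if m:
            events.append(dict(base, kind="ssh", user=m.group("user"),
                               src=m.group("src"), method=m.group("method")))
    return events


def audit_logins(events, shared_accounts, allowed_nets):
    """Return (switches into shared accounts, direct logins that break the policy)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    switches, violations = [], []
    for e in events:
        if e["kind"] == "su" and e["target"] in shared_accounts:
            switches.append((e["actor"], e["target"]))
        elif e["kind"] == "ssh" and e["user"] in shared_accounts:
            try:
                inside = any(ipaddress.ip_address(e["src"]) in n for n in nets)
            except ValueError:  # a host name rather than an address: treat as outside
                inside = False
            if not inside:
                violations.append(e)
    return switches, violations


# Constructed sample: the shared accounts, the cluster network, and three log lines.
SHARED_ACCOUNTS = {"oracle", "root"}
CLUSTER_NETS = ["10.0.0.0/24"]
SAMPLE_SECURE = [
    "Oct 30 10:15:02 db1 su: pam_unix(su-l:session): session opened for user oracle by kammo(uid=500)",
    "Oct 30 10:20:44 db1 sshd[4221]: Accepted publickey for oracle from 10.0.0.2 port 51234 ssh2",
    "Oct 30 10:21:03 db1 sshd[4230]: Accepted password for root from 192.0.2.10 port 40000 ssh2",
]

if __name__ == "__main__":
    switches, violations = audit_logins(parse_secure(SAMPLE_SECURE),
                                        SHARED_ACCOUNTS, CLUSTER_NETS)
    for actor, target in switches:
        print("switch: %s -> %s" % (actor, target))
    for v in violations:
        print("VIOLATION: direct %s login as %s from %s at %s on %s"
              % (v["method"], v["user"], v["src"], v["ts"], v["node"]))
```

The oracle login from the cluster node 10.0.0.2 passes, the root login from 192.0.2.10 is reported, and the su line gives you the individual (kammo) behind the shared account.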

Brute Force Wordlists

Written by kammo on October 30th, 2008

Here are some links to a few good wordlists for dictionary attacks. While I have never been hugely successful using brute-force attempts, sometimes it’s good to try. You never know what you’ll find.

Adult Wordlist 1kb(r)(u)
http://www.0daymedia.net/p/files/id/267

Large English Wordlist 154kb (r) 520kb
http://www.0daymedia.net/p/files/id/269

Misc Wordlist 167kb (r) 467kb (u)
http://www.0daymedia.net/p/files/id/270

1337 Mini Wordlist 4mb (r) 23mb (u)
http://www.0daymedia.net/p/files/id/268

1337 Full Wordlist 16mb (r) 78mb (u)
http://www.0daymedia.net/p/files/id/271

245 mb wordlist 22mb (r) 245mb (u)
http://www.0daymedia.net/p/files/id/273

2 gig wordlist 80mb (r) 2gb (u)
http://www.theargon.com/achilles/wordli … stver2.zip

Milw0rm Cracked Passes list:
http://milw0rm.com/mil-dic.php

Huge archive of wordlists
http://www.theargon.com/achilles/wordlists/

Common Passwords and Accounts
http://packetstormsecurity.nl/Crackers/wordlists/

Phreak Wordlists
http://www.phreak.org/html/wordlists.shtml

Fix for vmmon compile error with VMWare Server and Ubuntu

Written by kammo on September 3rd, 2008

Problem: include/asm/bitops_32.h:9:2: error: #error only <linux/bitops.h> can be included directly, and the vmmon-only compile fails

Solution: change line 74 in the vmmon-only source file to read: #include "linux/bitops.h"

Steps:

  1. cd /usr/lib/vmware/modules/source
  2. cp vmmon.tar vmmon.tar.orig
  3. sudo tar xvf vmmon.tar
  4. cd vmmon-only/include/
  5. sudo vi vcpuset.h
  6. change line 74 from: #include "asm/bitops.h" to: #include "linux/bitops.h"
  7. cd ../..
  8. rm vmmon.tar
  9. sudo tar cvf vmmon.tar vmmon-only/
  10. sudo rm -rf vmmon-only/
  11. sudo vmware-config.pl

That’s it, the compile will work now and vmware should be usable as normal.

Snort Install Guide for Red Hat Enterprise Linux 5 to log to MySQL Database

Written by kammo on August 3rd, 2008

This guide is intended for users who are using Red Hat Enterprise Linux 5, but this should work fine, or be rather easy to follow and adapt, for users using earlier versions of RHEL or other Red Hat based distributions such as CentOS and Fedora.

Pre-requisites: You need to have a MySQL database setup for Snort to log to. See my guide, Create MySQL Database for Snort, on how to setup the MySQL Database.

A non-bloated snort.conf that logs to mysql

Written by kammo on August 1st, 2008

You can use this config as a starting point for your Snort configuration. Note that you will need to change the MySql variable… You should see it if you scroll down some. Also comment out or add any rules that you may or may not have. A good source for rules would be http://www.snort.org, or google for bleeding-edge rules. I personally use a combination of the two rulesets.

Create MySQL Database for Snort

Written by kammo on August 1st, 2008

In this topic we will be creating a database for snort to use to log its alerts to. This is Part One in a series of installing snort with a MySQL backend.

Spying on the console

Written by kammo on July 31st, 2008

Some software prints error messages to the console that may not necessarily show up on your SSH session. Using the vcs devices can let you examine these. From within an SSH session, run the following command on a remote server:

# tail -f /dev/vcs1

Type Ctrl+c to stop.

This will show you what is on the first console. You can also look at the other virtual terminals using 2, 3, etc. If a user is typing on the remote system, you’ll be able to see what he typed.

This doesn’t show you what is being typed via ssh terminals, only what is being typed on the physical console itself.

In most data farms, using a remote terminal server, KVM, or even Serial Over LAN is the best way to view this information; it also provides the additional benefit of out-of-band viewing capabilities. Using the vcs device provides a fast in-band method that may be able to save you some time from going to the machine room and looking at the console.
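The /dev/vcsN devices return the raw character contents of virtual console N; the matching /dev/vcsaN devices add a four-byte header (lines, columns, cursor x, cursor y) and an attribute byte after every character, which makes a snapshot self-describing. Because the screen buffer is a fixed-size block that is overwritten in place rather than appended to, comparing two snapshots shows what changed more reliably than tail -f. The Python script below is an added example, not part of this post: it decodes both layouts and reports the rows that differ between two snapshots. The screen contents are constructed in the script; on a real system you would read the bytes from /dev/vcsa1, which needs root or tty-group access, and whoever has that access sees everything on the console, so the device deserves the same protection as the console itself. The cp437 code page is an assumption about the console font.

```python
import struct

# /dev/vcsaN layout: 4 unsigned bytes (lines, cols, cursor x, cursor y), then one
# (character, attribute) byte pair per screen cell, row by row.  /dev/vcsN holds the
# same cells without the header and without attribute bytes.
VCSA_HEADER = struct.Struct("4B")
CONSOLE_CODEC = "cp437"  # assumed: the default VGA text-mode code page


def decode_vcsa(buf):
    """Decode a /dev/vcsaN snapshot into rows of text plus the cursor position."""
    lines, cols, x, y = VCSA_HEADER.unpack_from(buf, 0)
    cells = buf[VCSA_HEADER.size:VCSA_HEADER.size + lines * cols * 2]
    if len(cells) != lines * cols * 2:
        raise ValueError("truncated vcsa buffer")
    chars, attrs = cells[0::2], cells[1::2]
    rows = [chars[r * cols:(r + 1) * cols].decode(CONSOLE_CODEC).rstrip()
            for r in range(lines)]
    return {"lines": lines, "cols": cols, "cursor": (x, y), "rows": rows, "attrs": attrs}


def decode_vcs(buf, cols):
    """Decode a /dev/vcsN snapshot (no header, no attributes) given the column count."""
    return [buf[i:i + cols].decode(CONSOLE_CODEC).rstrip() for i in range(0, len(buf), cols)]


def changed_rows(before, after):
    """Rows whose text differs between two decoded snapshots, as (row index, new text)."""
    return [(i, new) for i, (old, new) in enumerate(zip(before["rows"], after["rows"]))
            if old != new]


def make_vcsa(rows, cols, cursor, attr=0x07):
    """Build a vcsa-format buffer; used here only to construct sample screens."""
    out = bytearray(VCSA_HEADER.pack(len(rows), cols, cursor[0], cursor[1]))
    for row in rows:
        for ch in row.ljust(cols)[:cols].encode(CONSOLE_CODEC):
            out += bytes((ch, attr))  # 0x07: light grey on black
    return bytes(out)


# Constructed 3x24 console snapshots: a login prompt, then a failed-login message.
SNAP1 = make_vcsa(["server login: kammo", "Password:", ""], 24, (9, 1))
SNAP2 = make_vcsa(["server login: kammo", "Password:", "Login incorrect"], 24, (0, 2))

if __name__ == "__main__":
    before, after = decode_vcsa(SNAP1), decode_vcsa(SNAP2)
    print("cursor at column %d, row %d" % after["cursor"])
    for row in after["rows"]:
        print("|" + row.ljust(after["cols"]) + "|")
    for i, text in changed_rows(before, after):
        print("row %d changed: %r" % (i, text))
```

Reading the device twice a second and printing changed_rows gives a console view that behaves like the in-band method the post describes, without the gaps tail -f leaves when the kernel rewrites the same cells.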