How to disable weak SSH cipher in CentOS 7 - encryption

I am running CentOS 7.9 (server edition)
I have been searching online for some help on how to disable weak SSH ciphers. However, I do not seem to be able to fix the issue. Qualys scans keep reporting weak ciphers in the SSH service. I followed some recommendations (i.e. https://www.thegeekdiary.com/how-to-disable-weak-cipher-and-insecure-hmac-algorithms-in-ssh-services-for-centos-rhel-6-and-7/) online without any luck.
Here is what my /etc/ssh/sshd_config looks like:
# Addresses Qualys QID 38739 Deprecated SSH Cryptographic Settings (CentOS 6)
## Changed this line:
##ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
## to this line:
ciphers aes128-ctr,aes192-ctr,aes256-ctr
Thank you for your help.

Step 1:
Open the file below and uncomment the line shown:
vi /etc/sysconfig/sshd
Uncomment
CRYPTO_POLICY=
Step 2:
Open the file below and append the following lines at the end of the file:
vi /etc/ssh/sshd_config
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Step 3:
systemctl restart sshd
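An added example, not part of the question or the answer above, that checks whether an sshd configuration still lists algorithms a scanner would flag. The deny-list patterns, the constructed sample configs and the function names (audit_algos, audit_sshd_config) are this example's own assumptions; the hardened sample reuses the three lines from Step 2. A POSIX shell script:

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for deprecated algorithms.
# This is not code from the answer above; the deny-list patterns and the
# sample configs below are constructed for illustration.

# Extended-regex patterns for algorithm names generally treated as deprecated:
# CBC-mode and legacy ciphers, MD5/SHA-1/truncated-tag MACs, SHA-1 and
# group1 key exchange. Adjust them to the policy your scanner enforces.
WEAK_CIPHERS='cbc|arcfour|3des|blowfish|cast128'
WEAK_MACS='md5|sha1|-96|ripemd|umac-64'
WEAK_KEX='sha1|group1-'

# audit_algos KEYWORD PATTERN FILE
# Reads the first effective (non-comment) KEYWORD line, splits its
# comma-separated value and prints "KEYWORD weak: NAME" for each match.
# Returns 0 when nothing weak is listed, 1 otherwise.
audit_algos() {
    keyword=$1; pattern=$2; file=$3
    found=0
    # sshd keywords are case-insensitive and sshd uses the first occurrence;
    # commented-out lines are skipped and trailing comments dropped.
    line=$(grep -i -E "^[[:space:]]*${keyword}[[:space:]]" "$file" \
           | head -n 1 | sed 's/#.*//')
    if [ -z "$line" ]; then
        echo "$keyword not set: built-in defaults apply"
        return 0
    fi
    # Strip the keyword, then split the value on commas (one name per line).
    algos=$(printf '%s\n' "$line" \
            | sed -E 's/^[[:space:]]*[[:alpha:]]+[[:space:]]+//' | tr ',' '\n')
    for a in $algos; do
        if printf '%s\n' "$a" | grep -q -i -E "$pattern"; then
            echo "$keyword weak: $a"
            found=1
        fi
    done
    return $found
}

# audit_sshd_config FILE -> 0 if ciphers, MACs and KEX are all clean.
audit_sshd_config() {
    rc=0
    audit_algos Ciphers       "$WEAK_CIPHERS" "$1" || rc=1
    audit_algos MACs          "$WEAK_MACS"    "$1" || rc=1
    audit_algos KexAlgorithms "$WEAK_KEX"     "$1" || rc=1
    return $rc
}

# Constructed sample: the hardened lines from the answer above.
sample_hardened_config() {
    cat <<'EOF'
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOF
}

# Constructed sample: a config that still lists deprecated algorithms.
sample_weak_config() {
    cat <<'EOF'
# commented-out lines are ignored, as sshd would ignore them
#Ciphers aes128-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1,hmac-md5-96
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
EOF
}

# Demo on the weak sample. On a real host, point audit_sshd_config at
# /etc/ssh/sshd_config or at a file holding the output of `sshd -T`.
tmp=$(mktemp)
sample_weak_config > "$tmp"
audit_sshd_config "$tmp" || echo "deprecated algorithms still configured"
rm -f "$tmp"
```

On the host itself, run the audit against /etc/ssh/sshd_config and also against the output of `sudo sshd -T` saved to a file: `sshd -T` prints the values sshd actually uses after parsing the whole configuration, which is the list a scanner sees, so a clean file combined with a dirty `sshd -T` result means the setting is being overridden elsewhere (sshd keeps the first occurrence of a keyword it reads, and a Match block can set its own). `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` list what the installed OpenSSH build supports at all, which is useful when a name in the hardened list is rejected at restart.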

Related

Wsrep MariaDB Crash Thread pointer: 0x0

Cluster is constantly crashing.
Sometimes it works stable for 2 days. Sometimes five minutes after 2 servers stand.
server.cnf was tested with different parameters. The result did not change
When the setup is not installed, the single server is running without problems.
Clean installation several times.
iptables stop
selinux disable
yum repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
Centos 6.9 64bit
yum install MariaDB-server MariaDB-client
Error Log
/var/lib/mysql/maria1.err
180305 16:17:03 [ERROR] mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.
Server version: 10.1.31-MariaDB
key_buffer_size=134217728
read_buffer_size=131072
max_used_connections=5
max_threads=153
thread_count=2
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467163 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
Thread pointer: 0x0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x0 thread_stack 0x48400
/etc/my.cnf.d/server.cnf
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#
# this is read by the standalone daemon and embedded servers
[server]
# this is only for the mysqld standalone daemon
[mysqld]
bind-address=0.0.0.0
skip-name-resolve
#
# * Galera-related settings
#
[galera]
# Mandatory settings
wsrep_on=ON
wsrep_provider=/usr/lib64/galera/libgalera_smm.so
wsrep_cluster_address="gcomm://10.1.1.11,10.1.1.12"
wsrep_cluster_name='galera_cluster'
wsrep_node_address='10.1.1.11'
wsrep_node_name='maria1'
wsrep_sst_method=rsync
wsrep_sst_auth=sst_user:!!PassWordSs!!
binlog_format=row
default_storage_engine=InnoDB
innodb_autoinc_lock_mode=2
#
# Allow server to accept connections on all interfaces.
#
#bind-address=0.0.0.0
#
# Optional setting
#wsrep_slave_threads=1
#innodb_flush_log_at_trx_commit=0
# this is only for embedded server
[embedded]
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# This group is only read by MariaDB-10.1 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-10.1]
Test DB structure
Please report this crash to MariaDB bug tracker

How to force mac os x server 5.2 to use TLS 1.2 only

I have a Mac running OS X Server 5.2 and due to company policy I need to force the server to use TLS 1.2 only and turn off TLS 1 and TLS 1.2.
I have edited the conf files in /Library/Server/Web/Config/apache2/sites to SSLProtocol -all +TLSv1.2 but it still allows connections with tls1 and tls1.2.
Does anybody know how to enforce TLS 1.2 connections only?
Thanks!
If that is an option, update your Server app. Starting with Server version 5.3, support for TLS 1 and TLS 1.1 has been disabled by default, so this solution would be simple and effective.
If you cannot update for some reason, you will have to remove these protocols in /Library/Server/Web/config/proxy/apache_serviceproxy.conf, and possibly in /library/server/web/config/apache2/httpd.conf. Also note that I have found that you have to restart macOS in order to restart the proxy server (it is not sufficient to issue sudo serveradmin stop/start web). This seems to be unnecessary - see my update below!
Update
It looks like there is a bug in Apache that can prevent the above setting from working as expected. It seems that, if there are ciphers active that are not allowed any more in TLS 1.2, the older TLS versions remain available despite the setting in SSLProtocol. These older cipher suites need to be deactivated as well.
Therefore, use this recommended configuration:
SSLProtocol -all +TLSv1.2
SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
SSLHonorCipherOrder on
Besides that, it looks like it's enough to update /Library/Server/Web/config/proxy/apache_serviceproxy.conf, as SSL/TLS is handled by the proxy process only. To restart the proxy use
$ sudo launchctl unload -w /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.serviceproxy.plist
$ sudo launchctl load -w /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.serviceproxy.plist
A server restart is not required.
There might be multiple occurrences in the configuration. I replaced them all, which may or may not be necessary.

MPICH2 gethostbyname failed

I don't understand the error message. What I am trying to do is run an MPICH2 application after installing mpich2 version 1.4 or 1.5 to /opt/mpich2 (both versions failed with the same error). My MPI application was compiled with 1.3, but I am able to run it with MPI 1.4 on another workstation. I am testing it on Ubuntu 12.04.
Fatal error in PMPI_Init_thread: Other MPI error, error stack:
MPIR_Init_thread(467)..............:
MPID_Init(177).....................: channel initialization failed
MPIDI_CH3_Init(70).................:
MPID_nem_init(319).................:
MPID_nem_tcp_init(171).............:
MPID_nem_tcp_get_business_card(418):
MPID_nem_tcp_init(377).............: gethostbyname failed, localhost (errno 3)
Solution for macOS
I stumbled upon this issue on macOS 10.12.1.
The solution is to add 127.0.0.1 computername.local to /etc/hosts. Your file will look more or less like this:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
127.0.0.1 computername.local
255.255.255.255 broadcasthost
::1 localhost
You can change/check your computer's name if you go to System Preferences > Sharing > Computer Name.
What worked for me was the following:
Make sure your hostname is the same for 1 and 2 below:
1. terminal hostname
2. "/etc/hosts" hostname
So if you type cat /etc/hosts in terminal it should look like:
// 127.0.0.1 my_hostname
My hostname was not the same for 1 and 2 for me. Once I changed them to match then my mpi program would execute.
To change your terminal hostname type the following:
sudo scutil --set HostName my_new_host_name
To change your /etc/hosts hostname type the following:
sudo nano /etc/hosts
and then add the line
127.0.0.1 my_new_hostname
This error indicates that there's a problem resolving localhost. Check your /etc/hosts file, make certain that you have localhost correctly defined here, it should be pointing to 127.0.0.1. Try using ssh to connect to localhost, make sure that works as well.
Although the question is different, the answer is probably the same one I gave some time ago for OpenMPI:
gethostname() function missing in openMPI
The MPI portable solution is to use MPI_Get_processor_name()
Adding -host localhost to the command line solved this for me. Suggested in https://github.com/pmodels/mpich/issues/4710#issuecomment-661933489
e.g.
mpiexec -host localhost -np 4 ./testExecutable
Maybe your /dev/shm is full, try to clean it.

Unable to execute MPICH2 on multiple machines on ubuntu 12.04 (HYDU_sock_connect issue)

I am facing difficulty in executing an MPI program on two machines. The OS is Ubuntu 12.04 and the MPI implementation is MPICH2.
ssh is working fine:
root@ubuntu:/home# ssh 192.168.1.9
root@gpuguy's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.8.0-29-generic i686)
* Documentation: https://help.ubuntu.com/
131 packages can be updated.
67 updates are security updates.
Last login: Thu Oct 24 17:36:25 2013 from ubuntu.local
root@gpuguy:~#
But when I run my MPI programs it fails:
root@ubuntu:/home# mpiexec -f hosts.cfg -n 4 hello
root@192.168.1.9's password:
[proxy:0:0@gpuguy] HYDU_sock_connect (./utils/sock/sock.c:171): unable to get host address for ubuntu (1)
[proxy:0:0@gpuguy] main (./pm/pmiserv/pmip.c:209): unable to connect to server ubuntu at port 42104 (check for firewalls!)
I have already disabled the firewall on both machines, which is why I can ssh successfully. But how do I solve this issue?
My MPI code runs successfully on a single machine.
For MPICH (or any MPI implementation) to work, you need to have passwordless SSH set up. I should also mention that you really shouldn't have to be logged in as root to make this work. It's generally a very bad idea to be logged in as root all of the time.
In the /etc/hosts file, add the IP address of each server and its hostname.
You should do this for all the servers.
For example:
10.10.0.5 server1
10.10.0.6 server2
10.10.0.7 server3
Also check that /etc/hosts uses a space, not a tab (\t), to separate the IP address from the hostname.
This is wrong:
10.10.0.5 \t server1
This is correct:
10.10.0.5 server1
Be careful not to delete or modify existing lines in /etc/hosts; only add new lines at the end of the file.
Also, you do not need to disable the firewall to fix this issue.
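Both MPICH questions above (the gethostbyname failure and the HYDU_sock_connect failure) come down to whether the launcher can resolve localhost and the node's own hostname from /etc/hosts. The following is an added example, not code from either question or its answers, that checks a hosts file for the conditions the answers mention: localhost mapping to 127.0.0.1, the node's hostname having an entry, and entries separated by spaces rather than tabs. The function names (hosts_lookup, hosts_tab_lines, check_hosts) and the sample entries are constructed for illustration:

```shell
#!/bin/sh
# Added example: check that a hosts file gives MPICH the names it looks up.
# Not code from the answers above; the sample entries below are constructed.

# hosts_lookup FILE NAME -> prints the address of the first entry that lists
# NAME (as canonical name or alias); prints nothing if there is none.
# Comments are stripped first; fields may be separated by spaces or tabs.
hosts_lookup() {
    sed 's/#.*//' "$1" | awk -v name="$2" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# hosts_tab_lines FILE -> prints (with line numbers) the entries that use a
# tab as separator, which the answer above reports as tripping up MPICH.
hosts_tab_lines() {
    sed 's/#.*//' "$1" | grep -n "$(printf '\t')" || true
}

# check_hosts FILE HOSTNAME -> 0 when localhost maps to 127.0.0.1, HOSTNAME
# has an entry and no entry is tab-separated; otherwise prints the problems
# and returns 1. Note that hosts_lookup takes the first matching entry, so an
# IPv6 "::1 localhost" line placed before the IPv4 one is reported here.
check_hosts() {
    file=$1; name=$2; rc=0
    lo=$(hosts_lookup "$file" localhost)
    if [ "$lo" != "127.0.0.1" ]; then
        echo "localhost should map to 127.0.0.1 (found: ${lo:-no entry})"
        rc=1
    fi
    own=$(hosts_lookup "$file" "$name")
    if [ -z "$own" ]; then
        echo "no entry for hostname '$name'"
        rc=1
    else
        echo "$name -> $own"
    fi
    tabs=$(hosts_tab_lines "$file")
    if [ -n "$tabs" ]; then
        echo "tab-separated entries (use spaces instead):"
        echo "$tabs"
        rc=1
    fi
    return $rc
}

# Demo on a constructed file containing the tab mistake from the answer above.
# On a real node run: check_hosts /etc/hosts "$(hostname)"
demo=$(mktemp)
printf '127.0.0.1 localhost\n::1 localhost\n10.10.0.5\tserver1\n10.10.0.6 server2\n' > "$demo"
check_hosts "$demo" server1 || echo "hosts file needs attention"
rm -f "$demo"
```

Run it on every node in the hosts file used by mpiexec, passing each node's own hostname, since the launcher on one machine connects back to the name the other machine reports for itself.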

virsh console hangs at the escape character "^]"

I am trying to kickstart a newly built VM. I am stuck with the following.
I want to start with a console so that I can enter the username and other info for this VM:
@vmhost02 ~]$ sudo virsh start --console testengine
Domain testengine started
Connected to domain testengine
Escape character is ^]
It hangs there and doesn't respond to any keys except "^]".
Let me know if you need more information for any ideas...
Thanks very much.
1)
You can try to edit /etc/default/grub in the guest, and make sure you have:
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"
Then execute:
# update-grub
# reboot
2)
If that does not work, try to replace quiet with console=ttyS0 in GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="... console=ttyS0"
Then again:
# update-grub
# reboot
3)
You may still need to try:
# systemctl enable serial-getty@ttyS0.service
# systemctl start serial-getty@ttyS0.service
# reboot
You would need to define a tty to be used as a virtual console. If you have access to your VM using VNC or SSH, create the following file:
vi /etc/init/ttyS0.conf
The content should be something like
start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]
respawn
exec /sbin/getty -L 38400 ttyS0 vt102 # This is your term type vt102
Save these settings and subsequently from your host machine
virsh destroy [vm-name]; service libvirtd stop; service libvirtd start; virsh start [vm-name]
I'm doing a stop/start of libvirt here because it sometimes tends not to send a SIGTERM to libvirt.
Finally try
virsh console [vm-name]
Maybe simpler than val0x00ff's solution: add console=ttyS0 at the end of the kernel lines in the VM's /boot/grub2/grub.cfg (this does not seem to be done by default):
(vm)$> grubby --update-kernel=ALL --args="console=ttyS0"
(vm)$> reboot
Then virsh console shall work as expected.
