What is the difference between snort rules and snort local rules ?
sudo nano /etc/snort/rules
sudo nano /etc/snort/rules/local.rules
Which one I should use for writing snort rules ?
If you are writing your own, use local.rules
The official ruleset from Snort.org is the place to get the rest.
Related
Today, I install ubuntu 16.04 in my machine.
When I boot the system, I can not get the IP address from DHCP server.
The network interface is renamed to enp2s0 from eth0.
I only get the IP address after run command:
$ sudo ethtool -s enp2s0 autoneg off speed 100
I try to add this command in init script (/etc/rc.local) but it does not work after I reboot system.
So, from now, when my machine is booted, I always need to add the above command mannually to get IP address.
Could anyone help me to solve this problem?
Thanks in advance.
Best Regards,
Since you're using ubuntu, use command line and execute the following:
$ sudo crontab -e
and add your script that you want to execute upon restarts by adding this at the end:
#reboot ethtool -s enp2s0 autoneg off speed 100
Hope this helps.
systemd considers both "rc.local" and "crontabs" to be "legacy". It has replacements for both. However, Ubuntu 16.04 supports both concepts.
I think your issue is that now rc.local is run before the network is fully online, causing your command to fail.
Look at /lib/systemd/system/rc.local.service to see how systemd is running your rc.local file. In particular note that the line After=network.target.
Try creating this file:
/etc/systemd/systemd/rc.local.service.d/10-wait-for-network.conf
Add these lines to it:
[Unit]
After=network-online.target
Then reboot and see if that works for you.
References:
Force services to wait for the network to be configured
Using systemd Drop-In units
Also, in the future SO is not the best place for systemd questions. Consider http://askubuntu.com for Ubuntu question instead.
I'll also add that the behavior change you found might be considered a bug in how Ubuntu emulates rc.local support with systemd. If the proposed fix works, perhaps Ubuntu shoudl change the rc.local replacement to load after network-online instead of network.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 years ago.
Improve this question
I installed CentOS 7 with minimal configuration (os + dev tools). I am trying to open 80 port for httpd service, but something wrong with my iptables service ... what's wrong with it? What am I doing wrong?
# ifconfig/sbin/service iptables save
bash: ifconfig/sbin/service: No such file or directory
# /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
# sudo service iptables status
Redirecting to /bin/systemctl status iptables.service
iptables.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
# /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
# sudo service iptables start
Redirecting to /bin/systemctl start iptables.service
Failed to issue method call: Unit iptables.service failed to load: No such file or directory.
With RHEL 7 / CentOS 7, firewalld was introduced to manage iptables. IMHO, firewalld is more suited for workstations than for server environments.
It is possible to go back to a more classic iptables setup. First, stop and mask the firewalld service:
systemctl stop firewalld
systemctl mask firewalld
Then, install the iptables-services package:
yum install iptables-services
Enable the service at boot-time:
systemctl enable iptables
Managing the service
systemctl [stop|start|restart] iptables
Saving your firewall rules can be done as follows:
service iptables save
or
/usr/libexec/iptables/iptables.init save
RHEL and CentOS 7 use firewall-cmd instead of iptables. You should use that kind of command:
# add ssh port as permanent opened port
firewall-cmd --zone=public --add-port=22/tcp --permanent
Then, you can reload rules to be sure that everything is ok
firewall-cmd --reload
This is better than using iptable-save, espacially if you plan to use lxc or docker containers. Launching docker services will add some rules that iptable-save command will prompt. If you save the result, you will have a lot of rules that should NOT be saved. Because docker containers can change them ip addresses at next reboot.
Firewall-cmd with permanent option is better for that.
Check "man firewall-cmd" or check the official firewalld docs to see options. There are a lot of options to check zones, configuration, how it works... man page is really complete.
I strongly recommand to not use iptables-service since Centos 7
I had the problem that rebooting wouldn't start iptables.
This fixed it:
yum install iptables-services
systemctl mask firewalld
systemctl enable iptables
systemctl enable ip6tables
systemctl stop firewalld
systemctl start iptables
systemctl start ip6tables
Try the following command iptables-save.
I modified the /etc/sysconfig/ip6tables-config file changing:
IP6TABLES_SAVE_ON_STOP="no"
To:
IP6TABLES_SAVE_ON_STOP="yes"
And this:
IP6TABLES_SAVE_ON_RESTART="no"
To:
IP6TABLES_SAVE_ON_RESTART="yes"
This seemed to save the changes I made using the iptables commands through a reboot.
Put the IPtables configuration in the traditional file and it will be loaded after boot:
/etc/sysconfig/iptables
Last month I tried to configure iptables on a LXC VM container, but every time after reboot the iptables configuration was not automatically loaded.
The only way for me to get it working was by running the following command:
yum -y install iptables-services; systemctl disable firewalld; systemctl mask firewalld; service iptables restart; service iptables save
And to add, you should also be able to do the same for ip6tables after running the systemctl mask firewalld command:
systemctl start ip6tables.service
systemctl enable ip6tables.service
If you do so, and you're using fail2ban, you will need to enable the proper filters/actions:
Put the following lines in /etc/fail2ban/jail.d/sshd.local
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 5
bantime = 86400
Enable and start fail2ban:
systemctl enable fail2ban
systemctl start fail2ban
Reference: http://blog.iopsl.com/fail2ban-on-centos-7-to-protect-ssh-part-ii/
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I'm using Ubuntu 11.10 and I manually configure DNS servers in /etc/resolv.conf but it gets somehow overwritten after I reboot. How can I prevent this?
Thanks.
As you can read in the header of resolv.conf :
Dynamic resolv.conf file for glibc resolver generated by resolvconf
So, the resolv.conf is generated, if you want to keep the resolvconf configuration after reboot, you will have to edit /etc/resolvconf/resolv.conf.d/base. In that file, put in your info as you would in resolv.conf.
nameserver 8.8.8.8
Then regenerate resolv.conf with resolvconf:
sudo resolvconf -u
After reading other answers, I still needed something different for the following reasons:
I'm not using resolvconf, just plain /etc/resolv.conf.
Using chattr +i to lock down resolv.conf seems too hacky. I need Puppet to be free to make changes when necessary.
The best solution I found overrides the default behavior of dhclient using its documented hooks.
Create a new file at /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate with the following contents:
#!/bin/sh
make_resolv_conf() {
:
}
Then make the file executable:
chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
Now when dhclient runs -- either on reboot or when you manually run sudo ifdown -a ; sudo ifup -a -- it loads this script nodnsupdate. This script overrides an internal function called make_resolv_conf() that would normally overwrite resolv.conf and instead does nothing.
This worked for me on Ubuntu 12.04.
I figure that the NetworkManager is overwriting the /etc/resolv.conf file. In my case it was the order in which my DNS servers were listed was something I wanted to change. You can do that through the NetworkManager by editing your connection IP4V settings.
You have DHCP client doing this. Follow these instructions to override that.
I use the following line :
chattr +i /etc/resolv.conf
to undo use :
chattr -i /etc/resolv.conf
Let me know if it worked...
NetworkManager can be configured to use manually entered IPv4 configuration, or get from DHCP IP/netmask/router only - in such a case it should not change /etc/resolv.conf
However, one may want have his own settings in the /etc/resolv.conf - like nameserver or domain to search; I just need a domain and I did by adding a file /etc/NetworkManager/dispatcher.d/99my_fix containing:
#!/bin/bash
rc=/etc/resolv.conf; le="search my.domain"
grep -q domain $rc && ! grep -q "$le" $rc && echo "$le" >> $rc
Of course I chmod-ed +x it. The NetworkManager invokes it after setting the /etc/resolv.conf and my script fixes it if nesessary; the first grep detects that network is up, the second that the fix was not applied - they both are necessary for the fix to be applied.
I had the same problem and I edited my `/etc/dhcp/dhclient.conf' file by adding domain-name and domain-name-servers
supersede domain-name "local.com";
supersede domain-name-servers 192.168.56.103;
192.168.56.103 is my vm running bind9 and my domain name is local.com
and I have removed the same from request section as well.
If the network interfaces for your server instance is controlled by DHCP, the dhclient program will overwrite your /etc/resolv.conf file whenever the networking service is restarted.
You can fix the issue by editing the "/etc/dhcp/dhclient.conf" file and adding supersede statements for domain-name, domain-search and domain-name-servers as follows:
supersede domain-name "mydomain.com";
supersede domain-search "mydomain.com"
supersede domain-name-servers 8.8.8.8;
In this particular case the name server is located at "8.8.8.8" and the domain name is "mydomain.com". Substitute your particular information.
Note that each line is terminated by a semi-colon and the domain name is enclosed in double quotes.
I want to store --password-file option that comes with rsync. I don't want to use ssh public_private key encryption. I have tried this command:
rsync -avz --progress --password-file=pass.txt source destination
This says:
The --password-file option may only be used when accessing an rsync daemon.
So, I tried using:
rsync -avz --progress --password-file=pass.txt source destination rsyncd --daemon
But this return various errors like unknown options. Is my sytanx correct? How do I setup rsync daemon in my Debian machine.
That is correct,
--password-file is only applicable when connecting to a rsync daemon.
You probably haven't set it in the daemon itself though, the password you set and the one you use during that call must match.
Edit /etc/rsyncd.secrets, and set the owner/group of that file to root:root with world reading permissions.
#/etc/rsyncd.secrets
root:YourSecretestPassword
To connect to a rsync daemon, use a double colon followed by the module name, and the file or folder to synchronize (instead of a colon when using SSH),
RSYNC_PASSWORD="YourSecretestPassword"; rsync -rtv user#remotehost::module/source/ destination/
NOTE:
this implies abdicating SSH encryption, though the password itself is not sent across the network in plain text, your data is ...
this is already insecure as is, never as the the same password as any of your users account.
For a better understanding of its inner workings (how to give specific IPs/processes the ability to upload to specified areas of the filesystem without the need for a user account): http://transamrit.net/docs/rsync/
After trying a while, I got this to work. Since Im copying from my live server (and routers data) to my local server in my laptop as backup user no problem with password been unencrypted, its secured wired on my laptop at home. First you need to install sshpass if Centos with yum install sshpass then create a user backup and assign a temp password. I listed the -p option in case your ssh port is different than default.
sshpass -p 'password' rsync -vaurP -e 'ssh -p 2222' backup#???.your.ip.???:/somedir/public_data/temp/ /your/localdata/temp
Understand SSH RSA is a better permanente alternative and all that, but this is a quick alternative to backup and restore on the go. It works if you are not too concern about security but more concern about your data been backup locally as in an emergency o data recovery. Your user backup password you can change it once the backup is completed. Its a lot faster to setup when your servers change IPs, users, and its in constant modifications (as routers change config and non static IPs, also when routers are not local and you are backing up clients servers locally, where you dont have always access to do SSH. Some of my clients dont even have SSH installed and they dont want to hassle with creating public keys. On some servers only where you have access on a temporary basis. By the way, if you want to do the restore, just reverse the case. Dont need change much, from the same command shell you can do it reversing the order of target and source directories, and creating another backup user with same temp password on the target. After finish, you delete the backup user or change its passwords on target and/or source servers. You can protect even further, as I have done, replacing the password for a one line file using a bash script for multi server environment. Alternative is to use the -f option so the password does not show in the bash history -f "/path/to/passwordfile" Regards
NOTE: If you want to update only modified files then you should use this parameters -h -v -r -P -t as described here https://unix.stackexchange.com/questions/67539/how-to-rsync-only-new-files
rsync -arv -e \
"sshpass -f '/your/pass.txt' ssh -o StrictHostKeyChecking=no" \
--progress /your/source id#IP:/your/destination
Maybe you have to install "sshpass" if you not.
Puppet writes logging by default to syslog. Why is that? Most software write to some separate logfile. I checked the documentation and there is a mention that you can write to a log file but there was a mention that "This is generally not used." Is it a bad idea?
What is the typical setup for following the puppet logging? Using grep on the /var/log/messages file?
Since your mentioned syslog, I assume you were talking about Debian-like Linux.
Actually there is no need to write your own log facility. Customizing /etc/default/puppet is enough.
# Startup options
DAEMON_OPTS="--logdest /var/log/puppet/puppet.log"
/etc/default/puppet is sourced by /etc/init.d/puppet, so the options you added here will be executed when puppet service is started.
Docs about --logdest options : https://docs.puppetlabs.com/references/3.3.1/man/apply.html#OPTIONS
BTW, the deb package puppet provides for Debian(or Ubuntu) even includes a logrotate configuration file for /var/log/puppet, I don't know why this option is not default.
/var/log/puppet/*log {
missingok
sharedscripts
create 0644 puppet puppet
compress
rotate 4
postrotate
pkill -USR2 -u puppet -f 'puppet master' || true
[ -e /etc/init.d/puppet ] && /etc/init.d/puppet reload > /dev/null 2>&1 || true
endscript
}
We are using puppet-dashboard for this purpose. It will give you a good overview on the environment, what is failing and what is working. And which servers have stopped checking in.
Its easy to setup, checkout http://puppetlabs.com/puppet/related-projects/dashboard/
If you want to log to a different file, you can use the syslogfacility configuration option in puppet ( http://docs.puppetlabs.com/references/stable/configuration.html#syslogfacility ), and configure syslog to log it to a different file.