
loc2log

Friday, 2017-11-24

When I logged into one of my DigitalOcean server instances via ssh I was shocked to discover almost half a million unsuccessful login attempts. That was definitely a cracking attempt in progress, and I must confess my setup was not the strongest. So here are the remedy options:

  1. Just in case: make sure you have a non-ssh way of accessing your server console. DigitalOcean provides its own console for each Droplet. To get there: click on your Droplet, then Access, then the big green button "Launch Console". Once you are on your box via the non-ssh console (VNC), you are free to experiment, because you no longer depend on ssh as your only lifeline.

    Now, from the VNC terminal, logged in as root, you may stop sshd; an attacker can't brute-force a service which is not running (the sudo below is redundant when you are already root, but harmless):
    sudo service sshd stop - DO NOT RUN THIS COMMAND UNLESS YOU HAVE NON-SSH ACCESS.

  2. If the attack targets a particular user name, disable password access for that user (better: for everyone), make it key-only, and limit the number of authentication attempts per connection.

    Better yet, create a new user with a less trivial name for future access, so it has less chance of being in the attacker's dictionary, and stop exposing root to ssh at all.

    Edit /etc/ssh/sshd_config accordingly; the directives that matter are PasswordAuthentication no, PubkeyAuthentication yes, PermitRootLogin no, MaxAuthTries 3 and AllowUsers with your new user name. Run sshd -t to syntax-check the file before restarting, and keep your console session open until a fresh key-based login has succeeded, so a mistake does not lock you out.

  3. To slow them down you may also rate-limit new ssh connections in the firewall, e.g. with the iptables recent module. The rule set below drops new connections from a source once it has opened 4 of them within 120 seconds. Two caveats: the counter is per source address, so a distributed attack spread over many addresses stays under the threshold, and the rules apply to you too, so add an ACCEPT rule for your own address ahead of the recent rules if you tend to open several sessions in quick succession.

    # sample configuration for iptables service (/etc/sysconfig/iptables format)
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # chain that rate-limited sources land in; DROP (no reset) wastes the attacker's time
    -N SSHATTACK
    -A SSHATTACK -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    # record every new ssh connection per source address ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set
    # ... and divert the source to SSHATTACK once it has opened 4 within 120 seconds
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
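Before deciding which account names to lock down (step 2) and which sources to throttle or drop (step 3), it helps to count the failures sshd has already logged. The script below is an added example, not part of the original post: it parses /var/log/secure-style lines (Debian's /var/log/auth.log has the same format) and prints the attacked accounts, the noisiest sources, and ready-to-review DROP rules. The log lines are constructed for the demo; the host name "droplet", the addresses and the accounts are made up.

```shell
#!/bin/sh
# Added example (not from the original post): summarize sshd password failures
# so you know which accounts are targeted and which sources to block.
# On a real box: sudo cat /var/log/secure | failed_by_user

# failed_by_user: "count user" per attacked account, most attacked first.
# sshd logs "Failed password for invalid user NAME from IP" when the account
# does not exist and "Failed password for NAME from IP" when it does; the
# second kind tells you which real accounts must go key-only.
failed_by_user() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { u = $(i + 1); if (u == "invalid") u = $(i + 3); break }
            n[u]++
         }
         END { for (u in n) print n[u], u }' | sort -rn
}

# failed_by_source: "count ip" per source address, noisiest first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# drop_rules THRESHOLD: print (do not run) an iptables DROP for every source
# with at least THRESHOLD failures. Review the list and make sure your own
# address is not on it; unlike the recent-module rules above these are static
# and have to be removed by hand.
drop_rules() {
    failed_by_source | awk -v t="$1" '$1 >= t {
        print "iptables -I INPUT -s " $2 " -p tcp --dport 22 -j DROP" }'
}

# Constructed sample: three attempts on root and one on "admin" from one host,
# "admin" and "oracle" from another, plus one legitimate key-based login.
SAMPLE_LOG=$(cat <<'EOF'
Jan 30 10:01:02 droplet sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 30 10:01:04 droplet sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 30 10:01:05 droplet sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jan 30 10:01:09 droplet sshd[1237]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan 30 10:01:12 droplet sshd[1238]: Failed password for root from 203.0.113.5 port 51260 ssh2
Jan 30 10:02:00 droplet sshd[1239]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Jan 30 10:02:30 droplet sshd[1240]: Failed password for invalid user oracle from 198.51.100.7 port 40010 ssh2
EOF
)

printf '%s\n' "$SAMPLE_LOG" | failed_by_user      # 3 root / 2 admin / 1 oracle
printf '%s\n' "$SAMPLE_LOG" | failed_by_source    # 4 203.0.113.5 / 2 198.51.100.7
printf '%s\n' "$SAMPLE_LOG" | drop_rules 4        # one rule, for 203.0.113.5
```

The "invalid user" split matters: names that sshd rejects as non-existent only tell you the attacker's dictionary, while failures against real accounts (root here) are the ones that justify PasswordAuthentication no and PermitRootLogin no right away.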

Useful links:

  • http://serverfault.com/questions/275669/ssh-sshd-how-do-i-set-max-login-attempts
  • http://serverfault.com/questions/470287/how-to-enable-iptables-instead-of-firewalld-services-on-rhel-7-and-fedora-18
Views: 9 | Added by: ep | Date: 2017-01-30 | Comments (0)

I have a CentOS 7.0 iso attached as the CD/DVD in VMware, and wanted to use the image as the source for installing rpms on my VMware instance. It turned out to be quite easy:
  1. Even though the iso is attached as the CD/DVD of the virtual machine and is "inserted", you still have to mount it inside CentOS:
    sudo mount -t iso9660 /dev/sr0 /mnt
  2. Now create a repo file in /etc/yum.repos.d/, e.g. with sudo vi /etc/yum.repos.d/CentOS-Media.repo. Keep signature checking on: the iso ships the CentOS signing key at its root, so there is no reason to trust a local path more than a mirror. Also consider enabled=0 plus yum --enablerepo=CentOS-Media install ..., otherwise yum complains on every run while the iso is not mounted (that is how the stock CentOS-Media.repo is configured):
    [CentOS-Media]
    name=CentOS-Media
    baseurl=file:///mnt/
    enabled=1
    # verify package signatures against the key shipped at the root of the iso
    gpgcheck=1
    gpgkey=file:///mnt/RPM-GPG-KEY-CentOS-7
    
  3. You may have to clean all the caches to make sure the new repo is picked up properly:
    sudo yum clean all
  4. That is pretty much it; yum will now pick up your "CD/DVD" iso just like the other repositories. Confirm with yum repolist that CentOS-Media shows up, and that a test install reports packages coming from it.

Views: 174 | Added by: ep | Date: 2017-01-29 | Comments (0)

Recently I was debugging quite a convoluted bunch of daemons. It was an integration task with the goal of setting proper permissions on the temporary files they use. I had to know which daemon was trying to access a certain file, and which user and group memberships were active for that daemon. There are a bunch of ways to check what is accessing a file on Linux. The audit subsystem seemed the most suitable, as I did not know the exact timing of the access events.

To get things going I had to hook up a non-core repo on my CentOS 6.8 machine. Then install audit with:

sudo yum install audit

Then start the daemon:

sudo service auditd start

Check that the audit daemon is actually running:

sudo service auditd status

Add the watch rule (auditctl needs root):

sudo auditctl -w /path/to/my/file -p rawx

The -w parameter sets which file or directory to watch. If a directory is given, the directory and all files and sub-directories in it are watched. Two caveats: the watch tracks the inode, so if a daemon replaces the file (writes a temp name, then renames over it) the new file is not covered unless the watch is on the directory; and rules added with auditctl are gone after a reboot unless you also put them in /etc/audit/audit.rules. Adding -k somekey to the rule tags the events, so you can later pull them out with ausearch -k somekey.

The -p parameter selects what exactly to monitor. I threw in all of it: r for read, w for write, x for execute, a for attribute change (ownership, permissions, timestamps; this is not "append").

The output goes to /var/log/audit/audit.log. Rather than reading it raw, use ausearch -f /path/to/my/file -i: it groups the SYSCALL and PATH records of one event and translates the numeric uid/gid/syscall fields into names.

Interestingly enough, there were no access events for that file until I cut the access permissions down to just execute and set ownership to root:root. The idea was to provoke an access error, as I knew the file was going to be read or written. Then auditd logged an event of interest, so I could see which process tried to access the file, and the daemon's UID and GID among other info.
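What such an event looks like in the raw log, and how the answer (process, UID, GID, result) is pulled out of it, is shown by the added example below; it is not from the original post. Each event is one SYSCALL record followed by PATH records, tied together by the serial in msg=audit(TIMESTAMP:SERIAL). ausearch -f FILE -i does this matching for you; the function makes the join explicit. The audit records are constructed for the demo, with made-up uids, pids, paths and the daemon name "mydaemon".

```shell
#!/bin/sh
# Added example (not from the original post): join SYSCALL and PATH audit
# records by serial to answer "which process, as which uid/gid, touched FILE".

# audit_file_access FILE: read audit.log on stdin, print one line per event
# whose PATH record names FILE: serial, credentials, process and syscall result.
audit_file_access() {
    awk -v target="$1" '
        # value of " key=value" in a record, quotes stripped; the leading space
        # keeps "uid=" from matching inside "auid=", "euid=" or "fsuid="
        function field(rec, key,   m) {
            if (match(rec, " " key "=[^ ]*")) {
                m = substr(rec, RSTART, RLENGTH)
                sub("^ " key "=", "", m); gsub(/"/, "", m)
                return m
            }
            return ""
        }
        # the SERIAL part of msg=audit(TIMESTAMP:SERIAL)
        function serial(rec,   m) {
            if (match(rec, /audit\([0-9.]+:[0-9]+\)/)) {
                m = substr(rec, RSTART, RLENGTH)
                sub(/.*:/, "", m); sub(/\)/, "", m)
                return m
            }
            return ""
        }
        $1 == "type=SYSCALL" { sc[serial($0)] = $0 }
        $1 == "type=PATH" && field($0, "name") == target {
            s = serial($0); ev = sc[s]
            if (ev == "") next
            # exit=-13 is EACCES: the refused access that the tightened
            # permissions were meant to provoke
            printf "%s uid=%s gid=%s euid=%s egid=%s pid=%s comm=%s exe=%s success=%s exit=%s\n",
                s, field(ev, "uid"), field(ev, "gid"), field(ev, "euid"), field(ev, "egid"),
                field(ev, "pid"), field(ev, "comm"), field(ev, "exe"),
                field(ev, "success"), field(ev, "exit")
            delete sc[s]
        }'
}

# Constructed records: event 456 is the daemon being refused (EACCES) on the
# watched file; event 457 is an unrelated successful open by crond.
SAMPLE_AUDIT=$(cat <<'EOF'
type=SYSCALL msg=audit(1481600000.101:456): arch=c000003e syscall=2 success=no exit=-13 a0=7f1 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=2345 auid=4294967295 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="mydaemon" exe="/usr/sbin/mydaemon" key=(null)
type=CWD msg=audit(1481600000.101:456):  cwd="/"
type=PATH msg=audit(1481600000.101:456): item=0 name="/var/tmp/my.lock" inode=1311 dev=fd:01 mode=0100100 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1481600000.205:457): arch=c000003e syscall=2 success=yes exit=3 a0=7f2 a1=0 a2=0 a3=0 items=1 ppid=1 pid=1800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
type=CWD msg=audit(1481600000.205:457):  cwd="/"
type=PATH msg=audit(1481600000.205:457): item=0 name="/etc/crontab" inode=2002 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
EOF
)

# On a real box: sudo audit_file_access /path/to/my/file < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | audit_file_access /var/tmp/my.lock
```

The uid/euid pair is the piece that matters for a permissions bug: a daemon that drops privileges shows uid=0 with a lower euid, and it is the euid (plus egid and supplementary groups) that the kernel checked when it returned EACCES.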

Another method would have been inotify, e.g. the inotifywait command line utility from the inotify-tools package (incron is a separate cron-style trigger daemon built on the same mechanism). Note that inotify tells you that a file was touched, not which process or user did it; that is the audit subsystem's advantage here. Will try it some other time. And last but not least, all that goodness is available from kernel 2.6 and up; you may be out of luck if you are running an older kernel.

Views: 133 | Added by: ep | Date: 2016-12-13 | Comments (0)

You may have to find out details on an existing AWS security group with ansible. For example, the ansible rds module requires the security group ID to be provided. So how would you create an RDS instance if you have just the name of the group? Of course you can hardcode the id, or provide it via the command line, but that may be quite cumbersome and not practical. You may also grab the group facts when you create the security group within the ansible playbook (with "register:" on the spot), but if the group was already created by someone else that is not an option. In the end, you may submit a feature request for the ansible rds module to implement the security group hookup the same way it is done for ansible ec2, or implement it yourself and submit it to ansible. To my surprise I did not find a way to find a security group id by its name in ansible 2.2.0.0 out of the box. Fortunately there is an easy way around, thanks to Henrique Rodrigues (github.com/Sodki) and 2 other authors who came up with the same idea and implementations at quite the same time.

To gather security group facts in AWS with ansible 2.2.0.0 you will need to

1. Create library/ dir in your playbook root (same level as your inventory/, roles/ and whatever else you have there)

mkdir library

2. Download the ec2_group_facts module from the development branch. Since this is code you are about to run with your AWS credentials, read it before using it, and prefer pinning the URL to a specific commit of the repository over the moving devel branch, so what you reviewed is what keeps running:

cd library/
wget https://raw.githubusercontent.com/ansible/ansible-modules-extras/devel/cloud/amazon/ec2_group_facts.py

3. Use it in your playbook or role tasks to gather all available facts on the security groups satisfying your search criteria. I had to get a security group id by name. To accomplish that I did (note that the module parameters region and filters are nested under ec2_group_facts, and the vpc-id filter is what keeps a name match unambiguous, since group names are only unique within a VPC):

- name: Gather security group facts
  ec2_group_facts:
    region: "{{ your_aws_region }}"
    filters:
      vpc-id: "{{ your_vpc_id }}"
      group_name: "{{ security_group_name_to_gather_facts_for }}"
  register: sg_facts

# a typo in the name yields an empty list, and security_groups[0] would then
# fail with a cryptic error; fail loudly instead
- name: Ensure exactly one security group matched
  assert:
    that: sg_facts.security_groups | length == 1

- debug: var=sg_facts
- debug: var=sg_facts.security_groups[0].group_id

More detail on AWS security groups gathering ansible module can be found here: https://github.com/ansible/ansible-modules-extras/blob/devel/cloud/amazon/ec2_group_facts.py. The module is not in the official deliverable yet at the time of writing, but I am sure it will be included into the official release pretty soon and it worked for me.

Views: 941 | Added by: ep | Date: 2016-11-29 | Comments (0)

The most well-known web ads network is Google AdSense. They pay per click, bid-based. Your site must be 6 months old. The content shall be original and of good quality with straightforward links. There should be enough content for ad context lock-on. Also, there were rumors that a site must have no less than 20 unique visitors per day, but I don't see anything like that in the official Google AdSense Webmaster quality guidelines nor in Eligibility to participate in AdSense. Here is a great write-up: Get Google Adsense Approval within 3 days – Top 12 Working Strategies. Among other things it mentions hooking up Google Analytics before you apply and accumulating some stats; that is definitely a great idea. Note: if you change tax residency between countries, for example from the USA to Canada or back, you will have to cancel your existing account and re-apply fresh for a new one. Given the increasing difficulty of getting approved for AdSense, let's look at the alternatives:

Propeller Ads - UK-based advertising network, said to work best for Australia, Canada, New Zealand, UK and USA. Straightforward registration and automatic approval make it very attractive for beginners. But hold on, it is not all roses; I've got 2 bummers:

  1. You can't use banners if your site has less than 10k visitors per day; you are simply not allowed to continue with this selection once you are admitted to the Propeller Ads program. So you have to resort to pop-unders and/or direct links. Even though you are allowed to add a direct links channel, those are intended for sites with more than 500 unique visitors per 24 hours.
  2. Payouts - PayPal is not supported. You get your passively earned money via ePayments, EPESE, Payoneer MasterCard, Payoneer Global Bank Transfer, wire transfer in EUR/USD, or Webmoney Z.

Adsterra Network - supposed to pay per view, along with other models. The dirtiest ads, like pop-unders and interstitials, yield the most money. The network requires an Alexa Rank below 1M. So don't waste your time there if you have a niche/regional site which is not aimed at webmaster/SEO specialists with the Alexa toolbar installed, or you don't want to pay for Alexa "certified" ranks.

media.net - They are a gateway to the Yahoo! Bing Network Contextual Ads program. As for acceptance terms: content shall be unique and of good quality, and relevant to prospective advertisers. Traffic shall be "reasonable", that is, enough to make you $100. Unofficially you have to have no less than 3000 unique visitors per month; that is the minimum threshold to get accepted. They may check your compliance from time to time. There are known cases of bans for low-quality traffic just before payout. See their Program Guidelines for the full set of acceptance and ban reasons.

buysellads.com - an ad marketplace, more involving in terms of managing and interacting with advertisers than AdSense. They take 25% off your deal and they are tough on approvals. If you've been rejected by AdSense, there is a high chance you'll be rejected by BuySellAds.

Pocket Cents - they have an ad revenue model and network marketing. I am worried that their site does not seem to have been updated since 2013. For ads they pay a fixed rate per click (at the time of writing they give $0.15 net out of $0.25 gross CPC). You may also act as their "agent" and provide referrals. Each referral will add 10% of their monthly advertising budget to your account.

Adblade - They position themselves as "premium publisher's first choice". Their Publisher FAQ explicitly says that a site shall have 500,000 page views per month to be considered.

adMarketplace - Search advertising. They seem to work with big publishers. There is no submission form nor admittance criteria.

intellilinks.com - ad and affiliate program. Ads are served as links in your content. Requires a server-side script install (PHP, WordPress plugin).

Participating in affiliate programs, like Rakuten LinkShare, is also worth exploring. Entry conditions seem not as strict as for the ad networks. On the other hand, you are getting paid for sales instead of impressions. That means income is less certain than with the usual ad network, though it may in turn be higher than plain impression/click rates. You've got the idea :-)

Rakuten LinkShare. Founded in 1996, Rakuten LinkShare is one of the oldest affiliate networks still in existence today. They do require your tax information (SSN) upfront. Publisher membership is free.

Amazon Affiliate Program. You may convert your commission to money, or get an Amazon gift card. There is a catch though. Their Associates Program Operating Agreement states: "If you have not earned any advertising fees in the 3 years prior to any given calendar month, then on the first day of that calendar month we may charge you an account maintenance fee that will be deducted from your unpaid accrued advertising fees. That account maintenance fee will be the lesser of $10 or the amount of unpaid accrued advertising fees in your account." I read it as: if you are out of luck getting income from Amazon, then your membership is not free, and you have to pay Amazon to maintain your membership as a publisher.

Useful Resources:

Top 15 High Paying Google AdSense Alternatives In 2016

http://www.adswiki.net/ - most current updates of ad scene

http://monetizepros.com/reviews/ad-networks/ - quick ratings of ad networks, affiliate programs and more

Views: 331 | Added by: ep | Date: 2016-11-27 | Comments (0)

ssh warnings can be extremely annoying, especially when you call ssh from scripts. To disable messages like:

Warning: Permanently added 'remote_host' (RSA) to the list of known hosts.

You can use the LogLevel config parameter with the value ERROR, which can be set right on the ssh command line. Here is the usual example of a perfectly quiet command to be executed from bash, Perl, Python scripts and the like (BatchMode=yes makes ssh fail instead of prompting when the key is not accepted):

ssh -o LogLevel=error -o BatchMode=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no remote_host command

This is quiet because it never verifies the server at all: with the known-hosts file pointed at /dev/null and strict checking off, ssh accepts whatever key the network presents, so anyone who can redirect the connection can impersonate remote_host and read the command, its output and any forwarded credentials. Flipping only StrictHostKeyChecking to yes does not fix it, it just makes every connection fail: with strict checking ssh refuses hosts whose key is not already in the file, and /dev/null never contains it. The secure form keeps strict checking and points at a file that already holds the host's key; the path below is a placeholder, seed the file once with ssh-keyscan and compare the fingerprint with the one obtained out of band (DigitalOcean's console, the provider's metadata, or whoever set the host up):

ssh -o LogLevel=error -o BatchMode=yes -o UserKnownHostsFile=/path/to/pinned_known_hosts -o StrictHostKeyChecking=yes remote_host command

That -o LogLevel=error leaves just the normal command output and ssh error messages on the console. With the host key pinned, the "Permanently added" warning never appears anyway, since nothing is being added.
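Putting the quiet-but-verified form into a wrapper, as an added example that is not part of the original post: it keeps a dedicated known_hosts file for scripts and refuses to connect unless the host already has an entry there, so a typo'd or not-yet-pinned host fails closed instead of silently trusting the network. File paths, host names and the key blob in the sample file are placeholders, not real hosts or keys.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive ssh that stays
# quiet without giving up host-key verification.

# host_is_pinned FILE HOST: exit 0 if FILE has an (unhashed) entry for HOST.
# Entries look like "host1,192.0.2.10 ssh-ed25519 AAAA..."; for hashed files
# (HashKnownHosts yes) use: ssh-keygen -F HOST -f FILE
host_is_pinned() {
    file=$1; host=$2
    [ -r "$file" ] || return 1
    awk -v h="$host" '
        $0 ~ /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) found = 1
        }
        END { exit (found ? 0 : 1) }' "$file"
}

# build_ssh_cmd FILE HOST CMD...: print the ssh command line that pins the host.
build_ssh_cmd() {
    file=$1; host=$2; shift 2
    printf 'ssh -o LogLevel=error -o BatchMode=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes %s' "$file" "$host"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# ssh_pinned FILE HOST CMD...: run the command, or fail before touching the network.
ssh_pinned() {
    file=$1; host=$2; shift 2
    if ! host_is_pinned "$file" "$host"; then
        printf 'refusing to connect: %s is not pinned in %s\n' "$host" "$file" >&2
        printf 'pin it once, then compare the fingerprint out of band:\n' >&2
        printf '  ssh-keyscan -t ed25519 %s >> %s && ssh-keygen -l -f %s\n' "$host" "$file" "$file" >&2
        return 1
    fi
    ssh -o LogLevel=error -o BatchMode=yes \
        -o UserKnownHostsFile="$file" -o StrictHostKeyChecking=yes "$host" "$@"
}

# Constructed known_hosts for the demo; the key blob is not a real key.
PINNED=$(mktemp)
cat > "$PINNED" <<'EOF'
# pinned hosts for deployment scripts
remote_host,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLE
bastion.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLE
EOF

build_ssh_cmd "$PINNED" remote_host uptime
ssh_pinned "$PINNED" unknown_host uptime || echo "blocked before any network contact"
```

The one-time ssh-keyscan step is trust-on-first-use, which is why the wrapper prints the fingerprint afterwards: until you have compared it with a value obtained through another channel, a pinned key only guarantees that later connections reach the same server as the first one.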

Views: 177 | Added by: ep | Date: 2016-11-25 | Comments (0)

When updating a package via rpm or yum, you may see the old package's scriptlets breaking the install of the new one. Assume my-app-0.1 is installed on the system and my-app-0.2 is the update. Here is the order in which the scriptlets run when we execute rpm -U my-app-0.2.rpm or yum update my-app:

install: %pre(my-app-0.2)
install: %post(my-app-0.2)
erase: %postun(my-app-0.1) - surprise! a blast from the past :-)

I did not have a script in the %preun stanza of the rpm I was troubleshooting (it would have run between the new %post and the erase of 0.1), but you should be able to debug your case with rpm -vvv -U my-app-0.2.rpm. The standard guard is the scriptlet argument: rpm passes the number of instances of the package that will remain after the step as $1, so in %preun and %postun it is 0 on a real erase and 1 on an upgrade (in %pre and %post it is 1 on first install and 2 on upgrade). Cleanup that must not run on upgrade belongs inside if [ "$1" -eq 0 ]; an unguarded rm in the old package's %postun wipes whatever the new package's %post just created.
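The guard in action, as an added example that is not from the original post: the guarded and unguarded %postun bodies are written as shell functions and run with the argument rpm passes on upgrade, against a scratch directory standing in for the state the new package's %post has written. The path /var/lib/my-app and the package name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): why %postun must look at $1.
# rpm passes the number of package instances left after the step: for
# %preun/%postun that is 1 during an upgrade (the new version stays) and 0
# on removal; for %pre/%post it is 1 on first install and 2 on upgrade.
#
# In a spec file the guarded scriptlet reads:
#   %postun
#   if [ "$1" -eq 0 ]; then
#       rm -rf /var/lib/my-app   # only on erase, never on upgrade
#   fi

# postun_my_app INSTANCES_LEFT STATE_DIR: the guarded %postun body as a function,
# so both cases can be exercised without building a package.
postun_my_app() {
    left=$1; state=$2
    case "$left" in
        0) rm -rf "$state"; echo "erase: removed $state" ;;
        *) echo "upgrade: kept $state" ;;          # the new version still owns it
    esac
}

# postun_unguarded: what the 0.1 package in the story effectively did.
postun_unguarded() {
    rm -rf "$2"
}

# demo_upgrade SCRIPTLET: simulate "rpm -U my-app-0.2.rpm" over an installed
# 0.1. The new %post has written state, then the old %postun runs with $1 = 1.
# Prints "survived" or "destroyed" for the new package's file.
demo_upgrade() {
    scriptlet=$1
    dir=$(mktemp -d)
    mkdir -p "$dir/var/lib/my-app"
    echo "written by my-app-0.2 %post" > "$dir/var/lib/my-app/config"
    "$scriptlet" 1 "$dir/var/lib/my-app" >/dev/null
    if [ -f "$dir/var/lib/my-app/config" ]; then r=survived; else r=destroyed; fi
    rm -rf "$dir"
    echo "$r"
}

echo "guarded %postun on upgrade:   $(demo_upgrade postun_my_app)"    # survived
echo "unguarded %postun on upgrade: $(demo_upgrade postun_unguarded)" # destroyed
```

The same argument check belongs in %preun (stop and disable a service only when $1 is 0; on upgrade the new %post will restart it) and, mirrored, in %post (run first-install setup only when $1 is 1).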

Views: 177 | Added by: ep | Date: 2016-10-28 | Comments (0)
