
Showing posts with label Security. Show all posts

Monday, May 8, 2023

Configure logrotate to not delete log files after rotation

copy: Make a copy of the log file, but don’t change the original at all.
copytruncate: Truncate the original log file in place after creating a copy.

An example: /etc/logrotate.d/mds
/var/log/mds/mds-app-*.log {
    daily
    copytruncate
    rotate 30
    dateext
    missingok
    notifempty
    sharedscripts
}
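Added example, not from the original post: a small shell demo that emulates what copytruncate does versus a rename-based rotation, so you can see why the original file "is not deleted" and what that means for a process that keeps its log open. All paths are created under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: emulate what logrotate's
# "copytruncate" does versus a rename-based rotation, and show why a
# process that keeps its log file open behaves differently under each.
# All paths are created under a temporary directory for this demo.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# copytruncate: copy the contents out, then empty the ORIGINAL in place.
# The inode never changes, so a writer holding the file open keeps
# logging into the same file. (logrotate warns that lines written in the
# tiny window between the copy and the truncate are lost.)
rotate_copytruncate() {
    cp "$1" "$1.1"
    : > "$1"
}

# rename-based rotation (what you get without copy/copytruncate): the old
# file is moved aside and a fresh one created. The writer still holds the
# OLD inode open, so unless it is told to reopen (e.g. a HUP from a
# postrotate script) it keeps writing into the rotated file.
rotate_rename() {
    mv "$1" "$1.1"
    : > "$1"
}

# Rotate with the given style ($1 = copytruncate | rename) while a writer
# keeps the log open on fd 3, then report where the post-rotation line went.
demo() {
    dir=$(mktemp -d)
    log="$dir/app.log"
    echo "line before rotation" > "$log"
    before=$(inode_of "$log")
    exec 3>>"$log"                  # writer opens the log once (O_APPEND)
    "rotate_$1" "$log"
    echo "line after rotation" >&3  # writer logs again through the same fd
    exec 3>&-
    after=$(inode_of "$log")
    if [ "$before" = "$after" ] && grep -q "after rotation" "$log"; then
        result="same-inode,live-file-has-new-line"
    else
        result="new-inode,live-file-empty"
    fi
    rm -rf "$dir"
    echo "$result"
}
```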

Monday, April 25, 2022

How to block incoming Russian IP addresses in the iptables by user defined chain

Too many attacks and scans were hitting the server, so I blocked all incoming Russian IP addresses in iptables.

  1. Generate the ACL list from https://www.countryipblocks.net/acl.php. It gave me a total of 24,445 lines of IP address ranges at the time.
  2. Replace the iptables string in the generated list with the user-defined chain:
     iptables
     by
     iptables -A chain-Russian-Block
  3. Run the commands to create the chain, fill it, and hook it into INPUT:
     iptables -N chain-Russian-Block
     ...
     iptables -A chain-Russian-Block -s 2.56.24.0/23 -j DROP
     iptables -A chain-Russian-Block -s 2.56.26.0/23 -j DROP
     iptables -A chain-Russian-Block -s 2.56.88.0/22 -j DROP
     ...
     iptables -A INPUT -j chain-Russian-Block
  4. Check the total number of rules in the chain:
     # iptables -S chain-Russian-Block | wc -l
     24,445
  5. Save it so it survives a reboot:
     service netfilter-persistent save
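As an added example (not part of the original post), a generator that turns a downloaded ACL list into the chain above, validating every CIDR before it is emitted so a malformed or truncated line never reaches the firewall; the sample list is constructed, the chain name is the post's.

```shell
#!/bin/sh
# Added example, not from the original post: turn a country ACL list
# (one CIDR per line, as downloaded from countryipblocks.net) into the
# user-defined chain above, validating every line first so a stray or
# malformed entry never reaches the firewall. The sample list is constructed.

# Accept only dotted-quad/prefix CIDRs with in-range octets.
is_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    for o in $(echo "${1%/*}" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Emit the commands: create the chain, one DROP per prefix, then hook the
# chain into INPUT. Invalid lines are reported on stderr and skipped.
gen_block_chain() {   # $1 = ACL file, $2 = chain name
    echo "iptables -N $2"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(echo "$line" | tr -d '[:space:]')   # also strips CR from CRLF downloads
        [ -z "$line" ] && continue
        case "$line" in '#'*) continue ;; esac
        if is_cidr "$line"; then
            echo "iptables -A $2 -s $line -j DROP"
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done < "$1"
    echo "iptables -A INPUT -j $2"
}

# The "wc -l" check from the post: how many DROP rules the chain will hold.
count_drop_rules() { gen_block_chain "$1" "$2" 2>/dev/null | grep -c -- '-j DROP'; }

SAMPLE_ACL=$(mktemp)
cat > "$SAMPLE_ACL" <<'EOF'
# constructed sample list, not the real download
2.56.24.0/23
2.56.26.0/23
2.56.88.0/22
300.1.1.0/24
not-an-address
EOF
```

Pipe the output into sh once it looks right; note that 24,445 separate rules are evaluated linearly for every incoming packet, so on a busy server the usual approach is one ipset of type hash:net referenced by a single rule.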

Monday, February 8, 2021

VMware vSphere Hypervisor ESXi Intel NUC homelab service settings

After rebuilding the homelab ESXi on the Intel NUC I checked the services configuration and turned off these services:
lbtd: Load-Based Teaming Daemon. There is only 1 NIC on the NUC (I disabled WiFi in the NUC BIOS).
vpxa: VMware vCenter Agent. I do not connect my ESXi to any vCenter.
slpd: Skyline Health Diagnostics CIM Server. The NUC does not support it, and turning it off also skips the CIM security issue.
TSM-SSH: SSH service.
Have a nice day.

Sunday, March 10, 2019

How to reset check_mk admin password

My Windows 10 laptop just crashed after the latest Intel patch upgrade.

I forgot to save the admin password on one of the latest check_mk sites I built. Switch to the site user and look at the htpasswd file:

su - mysite
cd etc
OMD[mysite]:~/etc$ ls -l htpasswd

Example, check_mk version 1.4:
lambert:!$1$042926$lmAEb.P5TAi0sZfiGyWHX.
omdadmin:M29dfyFjgy5iA

check_mk version 1.5:
automation:$1$857531$PzhNz/zMdQv8xGu68EZhD.
cmkadmin:$1$386620$Xe5mZKwrPRlzx0BvZCJM8.

Set a new password for user omdadmin:
htpasswd htpasswd omdadmin
New password:
Re-type new password:

You should be good! Have a nice day!
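Added example, not from the original post: an audit of the site's htpasswd file that reports each user's hash scheme and lock state, using the entries listed above as its sample. It assumes the Checkmk convention of a leading "!" marking a locked user.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OMD/Checkmk htpasswd
# file and report, per user, the hash scheme in use and whether the account
# is locked (assumes Checkmk's convention of a leading "!" for locked users).
# The sample entries are the ones shown in the post.

# Classify one hash string by its format.
hash_scheme() {
    h=$1
    case "$h" in
        '$1$'*)        echo "md5-crypt" ;;
        '$apr1$'*)     echo "apr1-md5" ;;
        '$5$'*)        echo "sha256-crypt" ;;
        '$6$'*)        echo "sha512-crypt" ;;
        '$2'[aby]'$'*) echo "bcrypt" ;;
        '{SHA}'*)      echo "sha1-base64" ;;
        # a bare 13-character string is traditional DES crypt (2-char salt)
        *) if [ "${#h}" -eq 13 ]; then echo "des-crypt"; else echo "unknown"; fi ;;
    esac
}

# Print "user scheme locked|active" for every entry in the file.
audit_htpasswd() {
    while IFS=: read -r user hash; do
        [ -z "$user" ] && continue
        state=active
        case "$hash" in '!'*) state=locked; hash=${hash#!} ;; esac
        echo "$user $(hash_scheme "$hash") $state"
    done < "$1"
}

# Users still on DES crypt: it truncates passwords to 8 characters and is
# trivially brute-forced, so these are the accounts to reset first.
weak_users() { audit_htpasswd "$1" | awk '$2 == "des-crypt" {print $1}'; }

SAMPLE_HTPASSWD=$(mktemp)
cat > "$SAMPLE_HTPASSWD" <<'EOF'
lambert:!$1$042926$lmAEb.P5TAi0sZfiGyWHX.
omdadmin:M29dfyFjgy5iA
cmkadmin:$1$386620$Xe5mZKwrPRlzx0BvZCJM8.
EOF
```

Run it as the site user against ~/etc/htpasswd; the 1.4 listing above is a good illustration, since omdadmin there is still on DES crypt while the 1.5 site already uses MD5 crypt.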

Wednesday, October 22, 2014

CentOS 7 How to secure SSH service

I haven't had any time to play with CentOS 7 since it launched.

Here are my steps to setup the SSH service on CentOS 7:

1. sudo (become root)

2. Configure SSH to disable remote root login
vi /etc/ssh/sshd_config

PermitRootLogin no

3. Configure SSH to listen on a bigger random port
Most port scanning tools start from the low port numbers: 1, 2, 3 ... 20, 21, 22, 23 ... 10000.
To make "my friends'" work a little bit harder, simply give SSH a high random port number like 44022.
vi /etc/ssh/sshd_config

Port 44022

4. Tell SELinux to pick up the new port
semanage port -a -t ssh_port_t -p tcp 44022

5. Update firewalld to allow the new port
vi /usr/lib/firewalld/services/ssh.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="44022"/>
</service>

Now restart the sshd and firewalld daemons:
# systemctl restart sshd.service
# firewall-cmd --reload


Reference: http://wiki.centos.org/HowTos/Network/SecuringSSH
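Added example, not part of the original post: a check of what sshd will actually use for PermitRootLogin and Port after the edits above. sshd takes the first value it reads for a keyword, so a line appended below a stock "Port 22" changes nothing; the sshd_config used here is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report the value sshd will
# actually apply for a keyword. sshd uses the FIRST occurrence of a keyword
# (and settings after a "Match" block are conditional), so an edit appended
# at the bottom of sshd_config silently does nothing when the keyword already
# appears higher up. The config file below is constructed.

# Print the effective global value of keyword $2 in file $1, or "default"
# when the file does not set it before the first Match block.
sshd_effective() {
    awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }            # stop at the global section end
        tolower($1) == key && !found { found = 1; print $2 }
        END { if (!found) print "default" }
    ' "$1"
}

# Verify the two settings from the post: root login off, and the listening
# port equal to the one SELinux and firewalld were told about ($2).
audit_sshd() {   # $1 = config file, $2 = port opened in SELinux/firewalld
    root=$(sshd_effective "$1" PermitRootLogin)
    port=$(sshd_effective "$1" Port)
    [ "$port" = "default" ] && port=22
    problems=""
    [ "$root" = "no" ] || problems="$problems root-login-$root"
    [ "$port" = "$2" ] || problems="$problems port-$port-not-$2"
    problems=${problems# }
    echo "${problems:-ok}"
}

SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
# constructed sshd_config: the stock "Port 22" line was left in place
#PermitRootLogin yes
Port 22
PermitRootLogin no
Match User backup
    PermitRootLogin yes
Port 44022
EOF
```

On the host itself `sshd -T` prints the fully resolved configuration. Also keep in mind that service files under /usr/lib/firewalld are replaced on package updates, so the edited ssh.xml belongs in /etc/firewalld/services/, which takes precedence.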


Wednesday, May 22, 2013

How to protect your web site by iptables on CentOS RHEL OEL


# First clean out all rules
iptables -F
iptables -X

# By default I drop all traffic
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Only allow ssh and web
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --sport 80 -j ACCEPT

# Allow lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Save the config so it survives reboot, then restart the service to see how it works.
service iptables save
service iptables restart


Safer if you have a static IP:


-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s [My Static IP]/32 -d [Server IP]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s [Server IP]/32 -d [My Static IP]/32 -p tcp -m tcp --sport 22 -j ACCEPT


Safer if you only talk to another server:


-A INPUT -s [Another Server]/32 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d [Another Server]/32 -p tcp -m tcp --dport 80 -j ACCEPT


If you want to allow SSH from another subnet:


-A INPUT -s 192.168.244.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -d 192.168.244.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT


Enable DNS:

iptables -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT


Enable yum:

iptables -A OUTPUT -m tcp -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
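Added example (not the post's own ruleset): the static-IP variant above, together with the DNS and yum rules, rewritten as a stateful iptables-restore file. Tracking ESTABLISHED,RELATED traffic replaces the per-port OUTPUT --sport rules and lets DNS and yum replies back in without opening inbound ports; the admin address is a parameter (203.0.113.10 below is a documentation address, not a real host).

```shell
#!/bin/sh
# Added example, not from the original post: the web-server policy above
# (default DROP, port 80 open to all, SSH only from one admin address, DNS
# and yum allowed out) as a stateful iptables-restore file. The admin IP
# and SSH port are parameters; no real addresses are used.

valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# $1 = admin static IP, $2 = SSH port. Output goes to
#   iptables-restore < rules   (or /etc/sysconfig/iptables on CentOS/RHEL)
gen_web_rules() {
    valid_ipv4 "$1" || { echo "bad admin IP: $1" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to connections we already know about
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new connections in: web to everyone, SSH only from the admin host
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $1/32 -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT
# new connections out: DNS lookups and package updates (yum) only
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check: exactly two rules may admit NEW inbound connections.
count_new_inbound() { gen_web_rules "$1" "$2" | grep -c '^-A INPUT .*NEW'; }
```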