Wednesday, April 29, 2009

How to check/repair (fsck) filesystem after crash or power-outage

At some point your system will crash and you need to perform a manual repair of your file system. A typical situation would be power loss while you are working on the system. You reboot and the system stops and indicates you must perform a manual repair of the system using fsck.

fsck (file system consistency check) is a command used to check a filesystem for consistency errors and repair them on Linux filesystems. This tool is important for maintaining data integrity, so it should be run regularly, especially after an unforeseen reboot (crash, power-outage).

Usage: fsck [-sACVRTNP] [-t fs-optlist] [filesystem] [fs-specific-options]

Filesystem can be either a device's name (e.g. /dev/hda) or its mount point. fsck run with no options will check all devices in /etc/fstab. It might be necessary to run fsck from single-user mode.

Note: You need to be "root" to use any of the commands mentioned below.

* Take system down to runlevel one: # init 1

* Unmount file system, for example if it is /home (/dev/sda2) file system then type command:
# umount /home OR # umount /dev/sda2

* Now run fsck on the partition: # fsck /dev/sda2

* Specify the file system type using -t option: # fsck -t ext3 /dev/sda2 OR # fsck.ext3 /dev/sda2

fsck will check the file system and ask which problems should be fixed or corrected. If you don't want to type y every time, you can pass the -y option to fsck: # fsck -y /dev/sda2

Please note that if any files are recovered, fsck places them in the /home/lost+found directory.

* Once fsck has finished, remount the file system: # mount /home

Read man page of fsck for more information.
Make sure you replace /dev/sda2 with your actual device name.
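
The procedure above as one guarded sequence, added here as an example and not part of the original post: it refuses to run on a filesystem that is still mounted and makes a read-only pass (fsck -n) before any repair. The function names and the optional mounts-file argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.

# mounted_at TARGET [MOUNTS]
# TARGET is a device name or a mount point. Prints "device mountpoint" and
# returns 0 if TARGET appears in the mounts table (default /proc/mounts).
mounted_at() {
    awk -v t="$1" '
        $1 == t || $2 == t { print $1, $2; found = 1 }
        END { exit !found }
    ' "${2:-/proc/mounts}"
}

# check_then_repair DEVICE [MOUNTS]
# Returns 2 without touching DEVICE if it is mounted. Otherwise runs a
# read-only check and starts the interactive repair only if that check
# reports errors.
check_then_repair() {
    dev=$1
    if where=$(mounted_at "$dev" "${2:-/proc/mounts}"); then
        echo "refusing to check: $where is mounted, umount it first" >&2
        return 2
    fi
    # -n (e2fsck): open the filesystem read-only, answer "no" to every question
    if fsck -n "$dev"; then
        echo "$dev is clean, nothing to repair" >&2
        return 0
    fi
    echo "read-only pass found problems on $dev, starting repair" >&2
    fsck "$dev"
}

# Usage (as root, from runlevel 1):  check_then_repair /dev/sda2
```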

Sunday, April 19, 2009

Overall Sendmail Security

1. File and directory permissions

It is imperative that Sendmail's binaries and configuration files have appropriate permissions. Weak permissions on files and directories can easily result in system compromise. For instance:

Everyone who has write access to your sendmail.cf can use the program form of the F command combined with setting the DefaultUser to 0:0 to cause sendmail to execute an arbitrary script as root. If that script happens to make one of your installed shells (or a copy of a shell in /tmp, for instance) a setuid binary, anyone with local access can get root access.

Attackers may also exploit group-writable .forward and :include: files to gain system access as the file owner.

Protecting the aliases file alone is not sufficient as that is merely a source file to generate the alias database, a db3(3) format file called aliases.db in /etc/mail.

Improper directory ownership can result in root-owned files being overwritten or directory owners being replaced.

To help prevent these situations, sendmail will check the permissions of all sendmail-related binaries, configuration files, and directories on the system. You can force an audit with the following command:

% sudo sendmail -v -d44.4 -bv postmaster


Observe the output closely and ensure your system does not fall prey to weak permissions. Once you have solidified the desired permissions on your system, you may want to employ some combination of file immutability and permissions auditing software like Tripwire, Osiris, or mtree(8).
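
A small audit of the files named in this section, added here as an example and not part of the original post or of sendmail itself: it reports sendmail.cf, aliases, aliases.db, every :include: target named in aliases, and each user's .forward whenever group or other can write to them. The /etc/mail and /home layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Paths are parameters so the
# audit can be run against a copy of the configuration.

# Print each argument that exists and is group- or world-writable.
loose_perms() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        # -H: judge the target of a symlink, not the link itself
        find -H "$p" -prune \( -perm -020 -o -perm -002 \) -print
    done
}

# Print the file named by every :include: entry in an aliases file.
include_targets() {
    [ -r "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" |
        grep -o ':include:[^,"[:space:]]*' | sed 's/^:include://'
}

# audit_sendmail_perms MAILDIR HOMEROOT
# Prints one path per finding and returns 1 if there is any finding.
audit_sendmail_perms() {
    maildir=$1
    homes=$2
    findings=$(
        loose_perms "$maildir" "$maildir/sendmail.cf" \
            "$maildir/aliases" "$maildir/aliases.db"
        include_targets "$maildir/aliases" | while IFS= read -r inc; do
            loose_perms "$inc"
        done
        for fwd in "$homes"/*/.forward; do
            loose_perms "$fwd"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage:  audit_sendmail_perms /etc/mail /home
```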

2. Beware recipient programs

Most sendmail configuration files, including .forward files, :include: mailing lists, aliases, and the sendmail.cf configuration file itself, support the execution of arbitrary programs. We mentioned earlier that .forward and :include: mailing list files are parsed and acted upon in the user context. If you've been diligent, these files will be writable only by the owner, ensuring that the execution of programs is intentional. If you've not been careful, users could easily start running programs as other users.

Still, just the fact that these files point to arbitrary programs means you've got another problem to deal with. All of these programs have suddenly become a part of your mail system, and you'll have to audit them, too. Be especially wary of the aliases file: sendmail will take actions on this file in the daemon user context.

You might want to consider restricting users from passing incoming mail to programs by ensuring their shell as specified in the passwd files is not in /etc/shells. You may still allow login by specifying a valid shell that is not in /etc/shells: you could, perhaps, create a /bin/allow-login shell, which is a copy of /bin/tcsh, and ensure /bin/allow-login is not listed in /etc/shells.
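
To see which accounts the /etc/shells restriction would still leave able to pass mail to programs, the following added example (not part of the original post) compares the shell field of a passwd file with the shells list. The function name and the sample accounts in the comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).

# mail_program_users PASSWD SHELLS
# Prints "user shell" for every account whose login shell is listed in
# SHELLS. An account with an empty shell field falls back to the system
# default shell, so it is reported as "(empty)" for review.
mail_program_users() {
    awk -F: '
        FILENAME == ARGV[1] {           # first file: the shells list
            sub(/#.*/, "")              # drop comments
            gsub(/[ \t]/, "")           # drop stray whitespace
            if ($0 != "") listed[$0] = 1
            next
        }
        /^#/ || NF < 7 { next }         # skip comments and malformed lines
        $7 == ""       { print $1, "(empty)"; next }
        ($7 in listed) { print $1, $7 }
    ' "$2" "$1"
}

# Usage:  mail_program_users /etc/passwd /etc/shells
# With /bin/allow-login left out of /etc/shells as described above, an
# account using it can log in but does not appear in this output.
```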

Thursday, April 16, 2009

What is PacketFence?

PacketFence is a Free and Open Source network access control (NAC) system. PacketFence is actively maintained and has been deployed in numerous large-scale institutions over the past years. It can be used to effectively secure networks - from small to very large heterogeneous networks. PacketFence has been deployed in production environments where thousands of users are involved. Among the different markets are:

* banks
* colleges and universities
* engineering companies
* manufacturing businesses
* school boards (K-12)

If your network is a breeding ground for worms, PacketFence is for you. If you have no idea who connects to your network and who owns a particular computer, PacketFence is for you. If you have no way of mapping a network policy violation to a user, PacketFence is for you.

Thursday, April 9, 2009

Encrypt-Decrypt file using OpenSSL

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

To encrypt a file:

$ openssl des3 -salt -in file.log -out file.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:

The above will prompt for a password, or you can put it in with a -k option, assuming you’re on a trusted server.

To decrypt:

$ openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
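
The -k form puts the password on the command line, where other local users can read it from the process list. This added example (not part of the original post) reads the passphrase from an owner-only file with -pass file: instead; it also swaps des3 for aes-256-cbc with -pbkdf2, which assumes OpenSSL 1.1.1 or later. The function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post).

# new_passfile PATH: write a random passphrase that only the owner can read.
new_passfile() {
    ( umask 077 && openssl rand -base64 32 > "$1" ) && chmod 600 "$1"
}

# encrypt_file IN OUT PASSFILE
# The passphrase is read from PASSFILE, so it never appears in argv.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file IN OUT PASSFILE
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}

# has_salt_header FILE: true if FILE starts with the "Salted__" magic that
# openssl enc writes before the 8-byte salt when -salt is in effect.
has_salt_header() {
    [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "Salted__" ]
}

# Usage:
#   new_passfile /root/backup.pass
#   encrypt_file file.log file.enc /root/backup.pass
#   decrypt_file file.enc file.txt /root/backup.pass
```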

Tuesday, April 7, 2009

Nmap



- supports many techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles
- used to scan huge networks of hundreds of thousands of machines
- supports most operating systems, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX
- easy to start out
- available for free, comes with full source code that you may modify
- comprehensive and up-to-date man pages & tutorials
- has won numerous awards

Thursday, April 2, 2009

OpenSSL 1.0.0 beta 1 Released!

After many, many years of 0.9 status, the OpenSSL team has finally released a beta of version 1.0 of their software: Please download and test them as soon as possible. This new OpenSSL version incorporates 107 documented changes and bugfixes to the toolkit.

OpenSSL version 1.0.0 Beta 1
============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The first beta is now released.
The beta release is available for download via HTTP and FTP from the
following master locations (the various FTP mirrors you can find under
http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The file names of the beta are:

o openssl-1.0.0-beta1.tar.gz
MD5 checksum: 49f265d9dd8dc011788b34768f63313e
SHA1 checksum: 89b4490b6091b496042b5fe9a2c8a9015326e446

The checksums were calculated using the following command:

openssl md5 < openssl-1.0.0-beta1.tar.gz
openssl sha1 < openssl-1.0.0-beta1.tar.gz

Please download and test them as soon as possible. This new OpenSSL
version incorporates 107 documented changes and bugfixes to the
toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

Reports and patches should be sent to openssl-bugs@openssl.org.
Discussions around the development of OpenSSL should be sent to
openssl-dev@openssl.org. Anything else should go to
openssl-users@openssl.org.

The best way, at least on Unix, to create a report is to do the
following after configuration:

make report

That will do a few basic checks of the compiler and bc, then build
and run the tests. The result will appear on screen and in the file
"testlog". Please read the report before sending it to us. There
may be problems that we can't solve for you, like missing programs.

Oh and to those who have noticed the date... the joke is that it
isn't a joke.

Yours,
The OpenSSL Project Team...

Wednesday, April 1, 2009

How to Check and repair mysql tables

mysqlcheck is the command line program to check and repair mysql tables.
It performs the same functions as the check table and repair table query statements.

Examples:
# mysqlcheck bugs
This checks all of the tables in the bugs database.

# mysqlcheck bugs flags groups
This checks the flags and groups tables in the bugs database.

Using the --repair option you can repair tables using the same syntax as above.

Options to mysqlcheck to just check a table are:

--check-only-changed    Same as “check table changed” query
--extended              Same as “check table extended” query
--fast                  Same as “check table fast” query
--medium-check          Same as “check table medium” query
--quick                 Same as “check table quick” query

Options to mysqlcheck to repair a table are:

--repair                Same as “repair table” query
--repair --extended     Same as “repair table extended” query
--repair --quick        Same as “repair table quick” query
--repair --use-frm      Same as “repair table use_frm” query