Ossec ar.conf issue

Submitted by eth00 on

While setting up a new OSSEC cluster I encountered the following error when trying to restart OSSEC on the client server using /var/ossec/bin/agent_control for agent 001:

ossec-execd(1103): ERROR: Unable to open file '/var/ossec/etc/shared/ar.conf'.
ossec-execd(1311): ERROR: Invalid command name 'restart-ossec0' provided.

The issue is the ownership of the ar.conf file. By default OSSEC installs it owned root:root, but it needs to be root:ossec so the ossec user can read it.

#chown root:ossec /var/ossec/etc/shared/ar.conf

Linksys 0-day Exploit

Submitted by eth00 on

Security researchers at DefenseCode uncovered a 0-day exploit in the Linksys firmware. They have only tested it on the WRT54GL but believe other models will also be vulnerable. At the moment only the researchers appear to have the exploit code. Per DefenseCode's vulnerability disclosure policy, they are going to release the full details of the attack on January 25th.

0-Day in Java 1.7

Submitted by eth00 on

A new exploit in java has been made public, details can be found here: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-d...

It appears the exploit has been around for some time, as two different exploit kits already include it. At the moment the only fix is to disable Java. If you need Java, I would suggest running it in a separate browser used only for that purpose, ideally inside a virtual machine.

Libvirtd starting problems

Submitted by eth00 on

The following error was encountered while trying to get libvirtd running:

libvirt version: 0.9.10, package: 21.el6_3.1 (CentOS BuildSystem , 2012-07-03-16:15:49, c6b8.bsys.dev.centos.org)
error : virNetServerMDNSStart:460 : internal error Failed to create mDNS client: Daemon not running

Note that I had to check /var/log/libvirt/libvirt.log, as service libvirtd start looked fine; a restart was failing at the stop step.

The issue comes from avahi not running. Go ahead and install it and get messagebus running via:

Plesk 0 day exploit

Submitted by eth00 on

If you are running Parallels Plesk control panel (both linux and windows) check out this article: http://krebsonsecurity.com/2012/07/plesk-0day-for-sale-as-thousands-of-s...

Parallels reports that patching helps, but some administrators are reporting that even patched servers may be vulnerable to this exploit. The most common attack seems to be uploading an iframe that is then used to distribute malware to people browsing the site.

Welcome to the new page!

Submitted by eth00 on

Well, it's about that time... time for a new page! I have done a complete revamp of the backend and have everything up to the latest and greatest versions. The last few years have gone by in the blink of an eye; now, after changing jobs, I have a bit more time and plan to use some of it to rejuvenate the site.

Enjoy your visit! =-)

-John
"eth00"

Icinga-web install problem

Submitted by eth00 on

This is the error I got when trying to install icinga-web on a CentOS 5 server.

[Wed May 25 20:54:02 2011] [fatal] Uncaught AppKitPHPError: PHP Error mkdir() [function.mkdir]: File exists (/usr/local/icinga-web/app/cache/config/compile.xml_development__033d402eaeb08f42e4e3d5f8474e444805e2c7c6.php:1327) (/usr/local/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:20)


Ossec start problems

Submitted by eth00 on

The following is an error encountered after setting up ossec as an agent:

ossec-agentd: INFO: Trying to connect to server (10.0.0.2:1514).
ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.0.2'.

Make sure that the OSSEC server is running, that no firewall is blocking UDP port 1514 between the agent and the server, and that the server IP configured on the agent is correct.

OSSEC start problem due to keys

Submitted by eth00 on

The following is an error I got after starting ossec as an agent that is supposed to connect back to a central server:


#/var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
Started ossec-execd...
ossec-agentd(1402): ERROR: Authentication key file '/var/ossec/etc/client.keys' not found.
ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
ossec-agentd(4109): ERROR: Unable to start without auth keys. Exiting.

Suhosin Memory_limit

Submitted by eth00 on

This is an error that is generally observed in the server's messages log (even though it is related to PHP):

suhosin[32269]: ALERT - script tried to increase memory_limit to 536870912 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '/home/user/file.php', line 5)

The solution is to raise the memory_limit in the php.ini.

Suhosin POST Variable limit

Submitted by eth00 on

This is an error that I received while working on a server that has suhosin.

suhosin[35486]: ALERT - configured POST variable limit exceeded - dropped variable 'check_agentID[63]' (attacker '10.0.02', file '/home/user/public_html/somefile.php')

The solution was simple and just required allowing more request/POST variables in Suhosin. Add the following; the php_admin_value form shown belongs in the Apache configuration (httpd.conf or a vhost block), while in php.ini the same two settings are written without the php_admin_value prefix:

php_admin_value suhosin.request.max_vars 500
php_admin_value suhosin.post.max_vars 500

Mailserver Hostname

Submitted by eth00 on

Here is an error that is seemingly simple but has a few more than just the obvious answers.

sendmail[4980]: p9JHuBGv004978: to=, ctladdr= (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=120427, relay=mx1.domain.com. [10.0.0.2], dsn=5.6.0, stat=Data format error
sendmail[4980]: p9JHuBGv004978: p9JHuBGv004980: DSN: Data format error

NotifyClamd error

Submitted by eth00 on

Here is an error I encountered in the messages log related to clam.

ERROR: NotifyClamd: No communication socket specified in /etc/clamd.conf
ERROR: Can't send to clamd: Socket operation on non-socket

If clamd is supposed to be running on your system, then the issue is with clamd itself: check that it is running and that a socket (LocalSocket or TCPSocket) is configured in /etc/clamd.conf. If you do not run clamd, you need to disable NotifyClamd in /etc/freshclam.conf.

Kernel EDAC errors

Submitted by eth00 on

Below are some errors that are appearing in /var/log/messages on a server:

kernel: EDAC MC0: CE page 0x4eea2, offset 0xe80, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xc80, grain 128, syndrome 0x23, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xf00, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xc80, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xd80, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xc00, grain 128, syndrome 0x23, row 0, channel 0, label "": i3000 CE

kernel: EDAC MC0: CE page 0x4eea2, offset 0xe80, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xf00, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
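As an added example (not code from the original post), here is a small parser that reads EDAC lines in the format above and aggregates them per memory-controller slot (mc, row, channel), so that repeated correctable errors at one location can be turned into a replace-the-DIMM decision instead of being ignored in the log. The sample log is constructed from the lines quoted above, and the ce_threshold value is an assumed operational policy, not anything the kernel defines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the eight lines quoted above, as they appear in /var/log/messages.
SAMPLE_LOG = """\
kernel: EDAC MC0: CE page 0x4eea2, offset 0xe80, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xc80, grain 128, syndrome 0x23, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xf00, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xc80, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xd80, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xc00, grain 128, syndrome 0x23, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xe80, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
kernel: EDAC MC0: CE page 0x4eea2, offset 0xf00, grain 128, syndrome 0x8f, row 0, channel 0, label "": i3000 CE
"""
# One EDAC memory-controller event (CE = corrected error, UE = uncorrected error).
EDAC_RE = re.compile(
    r'EDAC MC(?P<mc>\d+): (?P<kind>CE|UE) page (?P<page>0x[0-9a-f]+), '
    r'offset (?P<offset>0x[0-9a-f]+), grain (?P<grain>\d+), '
    r'syndrome (?P<syndrome>0x[0-9a-f]+), row (?P<row>\d+), channel (?P<channel>\d+)')

def _num(v):  # hex fields -> int, decimal fields -> int, everything else unchanged
    return int(v, 16) if v.startswith("0x") else int(v) if v.isdigit() else v

def parse_edac(text):
    """Return one dict per EDAC line; non-EDAC lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EDAC_RE.search(line)
        if m:
            events.append({k: _num(v) for k, v in m.groupdict().items()})
    return events

def summarize(events, ce_threshold=5):
    """Group events per (mc, row, channel) DIMM slot and decide whether it needs
    attention. ce_threshold is an assumed operational policy, not a kernel value."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["mc"], e["row"], e["channel"])].append(e)
    report = {}
    for slot, evs in groups.items():
        ce = sum(e["kind"] == "CE" for e in evs)
        ue = sum(e["kind"] == "UE" for e in evs)
        report[slot] = {
            "ce": ce, "ue": ue,
            "pages": sorted({hex(e["page"]) for e in evs}),
            "syndromes": dict(Counter(hex(e["syndrome"]) for e in evs)),
            # Any uncorrected error, or repeated CEs in one slot, means replace the DIMM.
            "action": "replace" if ue or ce >= ce_threshold else "watch",
        }
    return report
```

Run against the lines above, every event lands in slot (0, 0, 0) on a single page with one dominant syndrome, which points at one physical location on one DIMM rather than scattered noise.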

