Stuff I'm Up To

Technical Ramblings

vSphere SSH failed to connect to host — November 17, 2017

vSphere SSH failed to connect to host

When trying to apply patches to one of our ESXi 6.0 hosts I found I couldn’t connect to it using ssh. Stopping and starting SSH from vCenter didn’t work. Neither did disabling/enabling from the DCUI.

From my client I’d see:

ssh_exchange_identification: Connection closed by remote host

So then I resorted to checking out the server from the console. First make sure I stopped SSH from either of the GUI’s.

Use ALT-F1 at the DCUI and logon to the host using your root account.

Then I tried to start sshd as a daemon using:

# /usr/lib/vmware/openssh/bin/sshd -D

Which reported errors Unsupported option running and Unsupported option PrintLastLog

So I editted my /etc/ssh/sshd_config file. Don’t know what caused it. But it was just a # missing from the first line. I guess I must have spannered it at some point when editing it to disable some ciphers. But the good news is using this method I can at least get some clear output from sshd -D to tell me why it wasn’t starting properly.

# running from inetd
# Port 2200
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

UsePrivilegeSeparation no

SyslogFacility auth
LogLevel info

PermitRootLogin yes

PrintMotd yes
PrintLastLog no

TCPKeepAlive yes

X11Forwarding no

...

So just to be safe I checked the other hosts and copied an sshd_config from one of the known good ones.

Advertisements
Monitor Security Flow — November 15, 2017

Monitor Security Flow

We stream the Juniper SRX logs out to our syslog server and that seems to work quite well. It is reliant upon us having the relevant log setting in the rules.

So for rules where we allow we can log the data at session-close

...
    then {
        permit;
        log {
            session-close;
        }
    }

But in our Deny All rules we log the session-init – because a denied session never gets closed (it’s never opened). So the session-init just logs the attempt.

...
    then {
        deny;
        log {
            session-init;
        }
    }

But what if we’re missing some rule logging, or are a bit unsure if packets coming in are actually coming in or not? That where monitor security flow comes in handy.

At the cli on the SRX you need to setup and activate the security flow, the filters to apply and the file to log to. In this example we’re going to capture packets from a specific ip address on a particular interface.

Create a named filter called ‘myfilter’ and then create a file to log into.

> monitor security flow filter interface reth0 source-prefix 192.168.56.10 myfilter
> monitor security flow file size 10240 securityflow.log

Then you can start and stop the monitor as you need. Then look at the content of the file.

> monitor security flow start
> monitor security flow stop
> show log securityflow.log

View the current status of your monitor

> show monitor security flow

Monitor security flow session status: Active
Monitor security flow trace file: /var/log/securityflow.log
Monitor security flow filters: 1
  Name: myfilter
    Status: Active
    Source: 192.168.56.10/32 (port 0~65535)
    Destination: 0.0.0.0/0 (port 0~65535)
    Logical system: root-logical-system
    Interface: reth0.0

Copy the log file to another system if you want to analyse it further

> file copy /var/log/securityflow.log scp://user@server.domain.local:~/

After stopping your monitor, you can then tidy up removing your file and filter using

> file delete /var/log/securityflow.log
> clear monitor security flow filter myfilter

 

Horizon View Client v4.6.0 —

Horizon View Client v4.6.0

I decided to upgrade my VMware Horizon View client today. It still has the same kind of issues as detailed here: https://warlord0blog.wordpress.com/2016/10/21/vmware-horizon-client-for-linux/

This time around my problems were with libgstreamer components. Even though I ensured they were installed the libraries were a different version that required by the client.

Specifically required:

  • libgstapp-0.10.so.0
  • libgstbase-0.10.so.0
  • libgstreamer-0.10.so.0

On my Debian Stretch install I had 1.0 versions.

So a quick fix by linking these made the scan issues go away.

$ cd /usr/lib/x86_64-linux-gnu
$ sudo ln -s libgstapp-1.0.so.0 libgstapp-0.10.so.0
$ sudo ln -s libgstbase-1.0.so.0 libgstbase-0.10.so.0
$ sudo ln -s libgstreamer-1.0.so.0 libgstreamer-0.10.so.0

Continue reading

Java Keystore Management — November 14, 2017

Java Keystore Management

keystore20explorer_256x256In the process of getting a new queue management system installed I discovered they’re using HTTP and not HTTPS. As part of out security process I had to recommend they change this to a HTTPS/SSL encrypted portal as it uses a logon process that would otherwise be in clear text.

The product is based on Wildfly and Java so they are progressing the deployment use Java keystores (JKS) and certificates. But as they pointed me to their installation guide I discovered they recommend the use of Keystore Explorer for managing the Java certificates.

So I downloaded it and have to say I’m impressed. It makes life so much easier when trying to manage certificates from Windows CA’s, OpenSSL and JKS. Definitely a valuable addition to my tool box. As it’s written in Java it’s available for Windows, Linux and fruit based systems.

Link: http://keystore-explorer.org/

Systemd and systemctl services — November 1, 2017

Systemd and systemctl services

I know it’st all that new, but not something I’ve spent much time working with. Previously using init.d to enable/disable systems services. Today I remove a program from my system and purged the config files. But it left behind a service in a failed condition. Of course it failed. I just removed all the files and config.

Using systemctl I could see my magicbox service still there and failed.

$ systemctl status magicbox.service                                   
● magicbox.service - Magic Box process
   Loaded: loaded (/usr/lib/systemd/system/magicbox.service; enabled; ven
   Active: failed (Result: exit-code) since Wed 2017-11-01 13:36:57 GMT; 1min 9s
  Process: 839 ExecStart=/opt/magicbox/embedded/bin/start (code=exited, s
 Main PID: 839 (code=exited, status=203/EXEC)

Thankfully the clue is in the output. It tells me where the .service file is on the Loaded: line. So to tidy up I followed part of the guidance I found here:

https://superuser.com/questions/513159/how-to-remove-systemd-services

$ sudo systemctl disable [servicename]
$ sudo rm /etc/systemd/system/[servicename]
$ sudo systemctl daemon-reload
$ sudo systemctl reset-failed

But bear in mind that the service I want isn’t located there. It’s under /usr/lib/systemd/system so I needed to remove that file instead.

References

https://manpages.debian.org/jessie/systemd/systemd.unit.5.en.html – See table 1

https://medium.com/@johannes_gehrs/getting-started-with-systemd-on-debian-jessie-e024758ca63d

JunOS static-nat and proxy-arp — October 31, 2017

JunOS static-nat and proxy-arp

I’m still relatively new to this JunOS, even though it’s been installed for several months now. Today’s problem was not passing traffic through a new static-nat that I’d setup. I checked the config for static-nats that already existed and couldn’t see the problem.

I needed to look at how the static-nat gets presented on the interface. It’s no good having a NAT rule if you don’t actively acknowledge that you are active on that IP address on an interface. No proxy-arp means nothing gets passed to NAT because the IP doesn’t exist on the network.

To do this make sure you add a proxy-arp address on the interface that you want to access the IP address.

eg.

set security proxy-arp interface reth1.99 address 192.168.99.99/32

Then you’ll have a related rule entry in your security nat static rule-set stanza to handle the translation.

eg.

show rule MyRule   
match {
    destination-address 192.168.99.99/32;
}
then {
    static-nat {
        prefix {
            192.168.0.99/32;
        }
    }
}

 

Git – Version Control — October 13, 2017

Git – Version Control

We have a distinct lack of version control in the relatively small development team that manages one of our business applications. One of the main challenges isn’t really related to the developers, but to the vendor that connects remotely and “fixes” things without leaving any clue as to what has been changed.

So I came up with a sneaky plan to deploy Git onto the servers and manage the versions of configuration files used by the application. I can then capture any changes and roll back as necessary.

Continue reading

Tomcat log4j Errors — October 12, 2017

Tomcat log4j Errors

As I’ve been spending a lot of time with Tomcat these days I’ve tried to clear out the stderr log of error messages. One of the frustrating warnings I had to deal with was this:

log4j:WARN Continuable parsing error 208 and column 23
log4j:WARN The content of element type "log4j:configuration" must match "(renderer*,throwableRenderer?,appender*,plugin*,(category|logger)*,root?,(categoryFactory|loggerFactory)?)".

The log4j.xml file parsed correctly and was obviously working as we were seeing log output. But this error had me baffled for a while. I checked the syntax of the xml file, ensured it was sound structurally and couldn’t for the life of me spot the problem.

Turns out the order of the elements in the file is important and must match the order of the string listed above. We’d got some logger elements after the root element. A move of the root element below the logger elements and the error message went away.

 

Fun with NTP — October 4, 2017

Fun with NTP

One of our Debian servers had a large time discrepancy. Turned out NTP wasn’t installed or working.

After I installed ntp I still wasn’t seeing a time update. Probably because I was more than 30 minutes adrift. So I had to force an ntp update.

Install ntp and set the servers in the .conf to match your ntp servers.

$ sudo apt-get install ntp
$ sudo vi /etc/ntp.conf

Then force a time update

$ sudo systemctl stop ntp.service
$ sudo ntpd -gq
$ sudo systemctl start ntp.service

The ntpd may take a while before dropping you back to the prompt.

Forcing Tomcat to HTTPS — September 28, 2017

Forcing Tomcat to HTTPS

As our environment needs change more and more of our internal services are being forced to change to HTTPS.

Tomcat supports the deployment of services using HTTPS, but many of our vendors have taken the easy route and just use HTTP on the standard port 8080. This is now going to become a bit of a hurdle as we now need to advise clients of the change to HTTPS and the port change involved.

Securing Tomcat with valid certificates is the start of the journey and adding a connector using HTTPS is the first step. Then we need to make calls to the non-secure HTTP site redirect over to the HTTPS version.

Continue reading

Horizon Client Stealing my Mouse — September 27, 2017

Horizon Client Stealing my Mouse

On my Linux VMWare Horizon client (v4.5.0 5650368) it doesn’t seem to matter what choice I make about NOT Connecting USB Devices at Startup it still continued to take over my Logitech USB Receiver.

I’d have to use the keyboard and navigate the menu so I could get control of my mouse back. Thankfully I don’t have a Logitech keyboard that uses the same receiver.

It was an easy fix, but I don’t know why it does it. The permissions to the ~/.vmware folder and files all seem OK. IT’s an easy fix of just editing the file view-preferences and amending the line or lines as follows.

$ vi ~/.vmware/view-preferences
...
view.usbAutoConnectAtStartUp = "FALSE"
view.usbAutoConnectOnInsert = "FALSE"
...

 

Windows, Apache 2.4 and OpenSSL — September 22, 2017

Windows, Apache 2.4 and OpenSSL

In order to make Apache 2.4.27 compliant it needs the later version of OpenSSL v1.1.0. To get this you need to install the VC15 version. The VC11 etc. do not include the later OpenSSL and fail because they are compiled with v1.0.2

  Banner           : Apache/2.4.27 (Win64) OpenSSL/1.0.2l
  Reported version : 1.0.2l
  Fixed version    : 1.1.0

This is detailed in the 16 June 2017 change log, but is repeated here as a reminder to install vcredist_x64 for VC++ 2017 which is linked on the downloads page on Apache Lounge.

References

https://www.apachelounge.com/download/

https://www.apachelounge.com/Changelog-2.4.html