Stuff I'm Up To

Technical Ramblings

Mysql Broken After Apt Upgrade — January 18, 2018

Mysql Broken After Apt Upgrade

My local install of mysql-community-server decided to fail today after applying some updates. I’m running Debian buster/sid so these kind of things are to be expected. But this was a totally new one to me.

Mysql failed to start so the update wouldn’t install.

Unpacking mysql-community-server (5.7.21-1debian9) ...
Setting up mysql-community-client (5.7.21-1debian9) ...
Setting up mysql-client (5.7.21-1debian9) ...
Processing triggers for systemd (236-3) ...
Processing triggers for man-db (2.7.6.1-4) ...
Setting up mysql-community-server (5.7.21-1debian9) ...
Job for mysql.service failed because the control process exited with error code.
See "systemctl status mysql.service" and "journalctl -xe" for details.
invoke-rc.d: initscript mysql, action "start" failed.
● mysql.service - MySQL Community Server
   Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2018-01-18 08:54:36 GMT; 9ms ago
  Process: 11123 ExecStart=/usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mysqld.pid ^[[0;1;31m(code=exited, status=1/FAILURE)^[[0m
  Process: 11088 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
dpkg: error processing package mysql-community-server (--configure):
 installed mysql-community-server package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 mysql-community-server
Log ended: 2018-01-18  08:54:36

Then in my syslog file I saw lots of activity constantly trying to start and failing.

Continue reading

Advertisements
Microsoft Azure and Juniper SRX — January 12, 2018

Microsoft Azure and Juniper SRX

We’re getting on the Microsoft Office 366 and band wagon. I’m not a Microsoft fan, and think it’s overpriced for the functionality we’ll actually use. This means we need to setup an IPSec VPN between the Juniper SRX and Azure.

Microsoft have a Github page with not just guidance, but specific configuration examples to help do this. Not just with Juniper, but a range of firewalls.

https://github.com/Azure/Azure-vpn-config-samples

We’ve got some consultants in setting up the Azure side of the VPN and once I got into the portal I laughed at how much they were charging for turning on the VPN feature and setting a private key – that’s it! There’s very little control to be able to do anything else and if you want logs to see why things aren’t going to plan, you’d better rely on your own device for that.

After a couple of hours they’d written some PowerShell to gather some information that was stale because we’d already moved on past that particular error.

But that said, the Azure side just works. Get your device side right and do your debugging from there and let Azure sit and just do it’s thing. You have to assume that Azure just works.

Continue reading

Java Keystore Management — November 14, 2017

Java Keystore Management

keystore20explorer_256x256In the process of getting a new queue management system installed I discovered they’re using HTTP and not HTTPS. As part of out security process I had to recommend they change this to a HTTPS/SSL encrypted portal as it uses a logon process that would otherwise be in clear text.

The product is based on Wildfly and Java so they are progressing the deployment use Java keystores (JKS) and certificates. But as they pointed me to their installation guide I discovered they recommend the use of Keystore Explorer for managing the Java certificates.

So I downloaded it and have to say I’m impressed. It makes life so much easier when trying to manage certificates from Windows CA’s, OpenSSL and JKS. Definitely a valuable addition to my tool box. As it’s written in Java it’s available for Windows, Linux and fruit based systems.

Link: http://keystore-explorer.org/

Windows, Apache 2.4 and OpenSSL — September 22, 2017

Windows, Apache 2.4 and OpenSSL

In order to make Apache 2.4.27 compliant it needs the later version of OpenSSL v1.1.0. To get this you need to install the VC15 version. The VC11 etc. do not include the later OpenSSL and fail because they are compiled with v1.0.2

  Banner           : Apache/2.4.27 (Win64) OpenSSL/1.0.2l
  Reported version : 1.0.2l
  Fixed version    : 1.1.0

This is detailed in the 16 June 2017 change log, but is repeated here as a reminder to install vcredist_x64 for VC++ 2017 which is linked on the downloads page on Apache Lounge.

References

https://www.apachelounge.com/download/

https://www.apachelounge.com/Changelog-2.4.html

Apache 2.4 TRACE – Nessus plugin 11213 — September 21, 2017

Apache 2.4 TRACE – Nessus plugin 11213

Googling for how to close the vulnerability for the TRACE method on Apache 2.4 results in lots of responses that just use a rewrite rule to respond with a permission denied message.  Even the Nessus plugin output lists the rewrite fix. Nessus doesn’t use this for it’s scans, it carries out a HTTP call for OPTIONS and relies on the server telling it what methods are available.

RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Whilst the rewrite rule may be a valid mitigation on Apache servers, the actual vulnerability warning won’t be removed from Nessus’ results.

If you’re using Apache 2.4 then there is a config TraceEnable directive that you should use to simply turn off the TRACE method.

Continue reading

SMB Insecurely Configured Service — August 17, 2017

SMB Insecurely Configured Service

For the first time today I ran into Nessus plugin ID 44676.

It highlighted an “insecurely configured Windows service”. This related to a Service Discretionary Access Control List (DACL), which is a whole bag of new to me.

The guidance shows how you can use the command line to show the DACL for the service it reported the issue with.

The following service has insecure group permissions:

Bacway Windows Service (BacwayService) :
– Authenticated Users: DC

More information is given here: https://support.microsoft.com/en-us/help/914392/best-practices-and-guidance-for-writers-of-service-discretionary-acces

Continue reading

Windows Update KB4034681 (August Monthly Rollup) — August 9, 2017

Windows Update KB4034681 (August Monthly Rollup)

Four hours of swearing at servers, kicking switches and rebooting printers and terminals and all because of a Windows Update.

Our entire network uses 802.1X authentication with certificates and this morning I arrived in the office to find all the Teradici terminals and network printers were failing to authenticate properly.

We hadn’t changed anything in the NPS policies so has a certificate expired? The errors in the event logs were constant

Event ID 36887 – A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 42.

Continue reading

SRX SSH Ciphers, Algorithms & Key Exchange — July 31, 2017

SRX SSH Ciphers, Algorithms & Key Exchange

When doing a Nessus scan for the first time on the new SRX320 cluster it highlighted some weaknesses in the SSH protocol. This was due to arcfour, cbc and hmac being enabled by default.

So to remedy this we need to set the acceptable levels of ciphers etc.

Using the CLI a simple change to the config for the SSH service is required, under system services ssh.

# edit system services ssh
# set ciphers [ aes256-ctr "aes256-gcm@openssh.com" "chacha20-poly1305@openssh.com" ];
# set macs [ hmac-sha2-256 "hmac-sha2-256-etm@openssh.com" hmac-sha2-512 "hmac-sha2-512-etm@openssh.com" ];
# set key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 group-exchange-sha2 ]

Commit the changes and rescan and all is good.

Continue reading

JunOS SRX too clever for it’s own good! — July 28, 2017

JunOS SRX too clever for it’s own good!

Today the planned migration from a Juniper ScreenOS SSG to a JunOS SRX didn’t quite go as smoothly as I’d have liked.

We spent many hours last night and this morning trying to figure out why numerous services that worked fine through the SSG firewall failed through the SRX. This despite me having triple checked the rule sets matched exactly from one system to the other.

We ended up making changes to connected systems to resolve the problems as workarounds but this was far from ideal. The eventual culprit turned out to be a default feature that is enabled on the SRX within the default application junos-dns-udp.

Continue reading

Squid Kerberos Nightmare — July 25, 2017

Squid Kerberos Nightmare

What a terrible sequence of events we suffered today. Took quite a bit of head scratching, log reading and plenty of Google fu to resolve.

We use Squid with an LDAP and authenticated lookup to establish if a user is a member of an AD group to allow them through the proxy. For some very strange reason the authentication and lookup began failing today.

Continue reading

Fail2ban – Quick Reference — July 20, 2017
Juniper HA Woes — July 6, 2017

Juniper HA Woes

I spent quite some time messing around with a pair of Juniper SRX320’s trying to get the HA clustering setup. The documentation seems pretty straight forward, but I kept tripping over one fatal flaw.

Initially I configured HA using the J-Web interface and it configured successfully. I made some changes, set things up to test and then decided I didn’t like the direction I was taking and wanted to factory reset the devices.

The reset seemed pretty straight forward but then everything went wrong when I tried to follow the Command Line instructions for setting up an Active/Passive configuration. Every time I put the two systems into cluster mode and set the cluster ID and node the secondary node (node 1) always showed as lost and disabled.

Continue reading