This is a short page related to what clients are asking for and how it is translated in the company.
Author: bogdan
Change SSH Port On CentOS 7
Edit the sshd configuration and set the new port:
sudo vi /etc/ssh/sshd_config
Port 9922
With SELinux enforcing, sshd may only bind to ports labelled ssh_port_t, so the new port has to be added to the policy first (semanage comes with policycoreutils-python):
sudo yum -y install policycoreutils-python
sudo semanage port -a -t ssh_port_t -p tcp 9922
Open the port in firewalld and restart sshd:
sudo firewall-cmd --permanent --zone=public --add-port=9922/tcp
sudo firewall-cmd --reload
sudo systemctl restart sshd.service
Check that sshd listens on the new port, and test a fresh login from a second terminal before closing the current session (if something went wrong you still have a way in):
ss -tlpn | grep ssh
ssh user@192.168.0.1 -p 9922
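The same change as a script, added here as an example and not part of the original notes: set_sshd_port edits the Port directive idempotently (the manual vi step above), get_sshd_port reads the effective value back, and apply_ssh_port runs the CentOS 7 steps in order with a syntax check before sshd is restarted. apply_ssh_port is not called automatically; the file path and port are arguments, and the semanage -m fallback assumes that "port already defined" is the only reason -a would fail.

```shell
#!/bin/sh
# Added example: idempotent "Port" change for sshd_config plus the
# CentOS 7 apply steps from the notes above. Not from the original page.

# set_sshd_port FILE PORT
# Removes every existing Port line (commented or not) and appends one
# "Port PORT" line, so running it twice never leaves two Port directives.
set_sshd_port() {
    file=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "set_sshd_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: port out of range" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # drop old Port lines; grep exits 1 if nothing is left, which is fine
    grep -Ev '^[[:space:]]*#?[[:space:]]*Port[[:space:]]' "$file" > "$tmp" || true
    printf 'Port %s\n' "$port" >> "$tmp"
    # write back through the existing inode so mode, owner and SELinux
    # label of sshd_config are preserved (mv would replace them)
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_sshd_port FILE
# Prints the effective port: the last uncommented Port line, or 22.
get_sshd_port() {
    awk '$1 == "Port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# apply_ssh_port PORT
# The full procedure, to be run as root on CentOS 7. Keep the current SSH
# session open until a login on the new port has been verified.
apply_ssh_port() {
    port=$1
    set_sshd_port /etc/ssh/sshd_config "$port" || return 1
    sshd -t || return 1                  # refuse to restart on a broken config
    # -a fails when the port is already defined in the policy; fall back to -m
    # (assumption: that is the only reason -a fails here)
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port" || return 1
    firewall-cmd --permanent --add-port="$port"/tcp || return 1
    firewall-cmd --reload || return 1
    systemctl restart sshd.service || return 1
    ss -tlpn | grep -w "$port"           # sshd should now be listed on PORT
}
```

Run apply_ssh_port 9922 as root on the host; the other two functions work on any copy of the file, which is how they can be tried out safely first.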
Details here:
CentOS 7 / RHEL 7 : change OpenSSH port number ( SELINUX enabled )
create MySQL database for WordPress
mysql -u root -p
(enter the root password at the prompt; passing it as -pxxx leaves it in the shell history and visible in the process list)
CREATE DATABASE yyy;
CREATE USER zzz@localhost IDENTIFIED BY 'zzz';
GRANT ALL PRIVILEGES ON yyy.* TO zzz@localhost;
FLUSH PRIVILEGES;
exit
yyy and zzz are placeholders for the database name, the user and its password; pick a strong password that is not the user name. The IDENTIFIED BY clause belongs to CREATE USER; repeating it on GRANT is redundant here and is rejected by MySQL 8.
Thanks to:
https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-on-centos-7
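The same setup as a script, added here as an example (not from the notes or the linked guide): wp_db_sql builds the statements with a grant limited to what WordPress uses on its own database instead of ALL PRIVILEGES, and wp_db_create generates the password and feeds the SQL to mysql so that no password ever appears on a command line. yyy and zzz are the notes' placeholders; the privilege list is this example's choice.

```shell
#!/bin/sh
# Added example (not from the original notes or the linked guide): build the
# WordPress database/user SQL with a generated password and a reduced grant,
# and feed it to mysql without putting any password on the command line.

# wp_db_sql DB USER PASSWORD
# Prints the statements to run as the MySQL root user. Names are restricted
# to [A-Za-z0-9_] and the password may not contain ' or \ so nothing can
# break out of the quoting in the heredoc below.
wp_db_sql() {
    db=$1; user=$2; pass=$3
    [ -n "$db" ] && [ -n "$user" ] || { echo "wp_db_sql: empty name" >&2; return 1; }
    case "$db$user" in
        *[!A-Za-z0-9_]*) echo "wp_db_sql: names must be [A-Za-z0-9_]" >&2; return 1 ;;
    esac
    case $pass in
        ''|*"'"*|*\\*) echo "wp_db_sql: bad password" >&2; return 1 ;;
    esac
    # The notes grant ALL PRIVILEGES; data rights cover day-to-day use and
    # the schema rights cover core updates and plugins. The grant stays
    # scoped to this one database either way.
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES
    ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# wp_db_create DB USER
# Generates a 24-character alphanumeric password, runs the SQL through
# mysql (the root password is asked for on the terminal, so it shows up in
# neither ps nor the shell history) and prints the value for wp-config.php.
wp_db_create() {
    pass=$(openssl rand -base64 36 | tr -dc 'A-Za-z0-9' | cut -c1-24)
    sql=$(wp_db_sql "$1" "$2" "$pass") || return 1
    printf '%s\n' "$sql" | mysql -u root -p || return 1
    echo "DB_PASSWORD for wp-config.php: $pass"
}
```

wp_db_create yyy zzz on the host creates the database and prints the generated password once; put it into wp-config.php and do not keep it in the shell history.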
DenyHosts: Remove / Delete an IP address
Step # 1: Stop DenyHosts
# /etc/init.d/denyhosts stop
Step # 2: Remove Your IP From /etc/hosts.deny
# vi /etc/hosts.deny
Delete your IP address. Save and close the file.
Step # 3: Remove Your IP From the DenyHosts data directory
This is WORK_DIR in /etc/denyhosts.conf: /usr/share/denyhosts/data on this install, /var/lib/denyhosts on others.
# cd /usr/share/denyhosts/data
Edit the following files with vi and remove the lines containing the IP address. Match the whole address (1.2.3.4 is also a substring of 1.2.3.45). Save each file.
hosts
hosts-restricted
hosts-root
hosts-valid
users-hosts
If you have a static IP address, add it to the allowed-hosts file. Any IP address in this file will not be blocked (consider it a whitelist):
# echo '1.2.3.4' >> allowed-hosts
Step # 4: Start DenyHosts
# /etc/init.d/denyhosts start
Allow an IP permanently (tcp_wrappers consults /etc/hosts.allow before /etc/hosts.deny, so a match here wins):
nano /etc/hosts.allow
add the line:
sshd: Your_IP
check the logs:
tail -f /var/log/secure
And if you want to remove a banned IP address from DenyHosts on an install that keeps its data in /var/lib/denyhosts:
# /etc/init.d/denyhosts stop
Then edit the following files to remove the banned IP address completely:
# nano /etc/hosts.deny
# nano /var/lib/denyhosts/hosts
# nano /var/lib/denyhosts/hosts-restricted
# nano /var/lib/denyhosts/hosts-root
# nano /var/lib/denyhosts/hosts-valid
# nano /var/lib/denyhosts/users-hosts
Start DenyHosts:
# /etc/init.d/denyhosts start
Use grep to find every file that still mentions an IP:
# cd /var/lib/denyhosts
# grep wanted_IP *
thanks to:
http://www.cyberciti.biz/faq/linux-unix-delete-remove-ip-address-that-denyhosts-blocked/
http://www.unixmen.com/install-configure-denyhost-centos/
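The unban procedure from both recipes above as a script, added as an example that is not from the notes or the linked articles. It matches the address as a whole token, so unbanning 1.2.3.4 leaves 1.2.3.45 and 11.2.3.4 alone, and takes the data directory as an argument because it differs between installs (WORK_DIR in /etc/denyhosts.conf). The file list is the one from the notes.

```shell
#!/bin/sh
# Added example (not from the notes or the linked articles): remove an IP
# address from every place DenyHosts records it, matching the address as a
# whole token so that 1.2.3.4 does not also unban 1.2.3.45 or 11.2.3.4.
# DenyHosts keeps its data in WORK_DIR from /etc/denyhosts.conf, which is
# /usr/share/denyhosts/data on some installs and /var/lib/denyhosts on others.

# _dh_pattern IP: extended regex matching IP only as a whole dotted token
_dh_pattern() {
    printf '(^|[^0-9])%s([^0-9]|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# denyhosts_is_banned IP WORKDIR DENYFILE: exit 0 if IP is listed anywhere
denyhosts_is_banned() {
    pat=$(_dh_pattern "$1")
    set -- "$3" "$2/hosts" "$2/hosts-restricted" "$2/hosts-root" \
           "$2/hosts-valid" "$2/users-hosts"
    for f in "$@"; do
        [ -f "$f" ] && grep -Eq "$pat" "$f" && return 0
    done
    return 1
}

# denyhosts_unban IP WORKDIR DENYFILE: delete every line mentioning IP
denyhosts_unban() {
    pat=$(_dh_pattern "$1")
    set -- "$3" "$2/hosts" "$2/hosts-restricted" "$2/hosts-root" \
           "$2/hosts-valid" "$2/users-hosts"
    for f in "$@"; do
        [ -f "$f" ] || continue
        tmp=$(mktemp) || return 1
        grep -Ev "$pat" "$f" > "$tmp" || true   # grep exits 1 when nothing remains
        cat "$tmp" > "$f"                        # keep the file's inode and mode
        rm -f "$tmp"
    done
}

# denyhosts_allow IP WORKDIR: whitelist IP in allowed-hosts, once
denyhosts_allow() {
    f=$2/allowed-hosts
    [ -f "$f" ] && grep -Eq "$(_dh_pattern "$1")" "$f" && return 0
    printf '%s\n' "$1" >> "$f"
}

# Typical use on the host itself (run as root, DenyHosts stopped meanwhile):
#   workdir=$(sed -n 's/^[[:space:]]*WORK_DIR[[:space:]]*=[[:space:]]*//p' /etc/denyhosts.conf)
#   service denyhosts stop
#   denyhosts_unban 1.2.3.4 "$workdir" /etc/hosts.deny
#   denyhosts_allow 1.2.3.4 "$workdir"
#   service denyhosts start
```

Stopping DenyHosts before editing matters: it rewrites these files from memory, so edits made while it runs can be undone on the next sync.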
remove teamviewer and change MAC
1. uninstall: 'Start' -> 'Settings' -> 'Control Panel'
2. Click on Start -> Run -> type %appdata% -> delete the TeamViewer folder, and also delete "C:\Program Files\TeamViewer"
3. Delete the registry keys HKCU\Software\TeamViewer and HKLM\Software\TeamViewer
4. Change the MAC Address: http://www.irongeek.com/i.php?page=security/changemac
5. Clean your systems registry – you can use a free registry cleaner for this purpose- http://www.techbuzz.in/how-can-i-clean-my-computer-registry-for-free.php
6. Install a fresh copy of Teamviewer. Select the ‘Personal Use’ option.
Thanks to:
http://www.techbuzz.in/how-to-reinstall-teamviewer-after-it-has-expired.php
http://www.irongeek.com/i.php?page=security/changemac
SQLSTATE[08004] [1040] Too many connections in drupal_is_denied()
Restart the MySQL server:
# service mysqld restart
This only clears the symptom. If it comes back, check the max_connections limit and which clients are holding connections open.
Configuring a VNC Server
# yum -y install tigervnc-server
tigervnc is client and tigervnc-server is server.
Specify settings for a specific user:
# useradd lisa
# passwd lisa
# cd /usr/lib/systemd/system
# cp vncserver@.service vncserver@\:2.service
The backslash only escapes the colon for the shell; the file is named vncserver@:2.service, and the instance name ":2" is what %i expands to inside the unit, i.e. the display number. DO NOT use display 0, the service cannot start on it. (A copy placed in /etc/systemd/system instead of /usr/lib/systemd/system is safe from package updates.)
Modify the content of vncserver@\:2.service:
# vi vncserver@\:2.service
Replace <USER> with lisa in the two lines:
ExecStart=/sbin/runuser -l lisa -c "/usr/bin/vncserver %i"
PIDFile=/home/lisa/.vnc/%H%i.pid
Reload the unit files:
# systemctl daemon-reload
Before starting the session, set the VNC password for that user; this is done as the user:
# su - lisa
# vncpasswd
# exit
start the server (the instance name must match the unit file, so :2 here):
# systemctl start vncserver@\:2
check the status:
# systemctl status vncserver@\:2
Set up the firewall. firewalld blocks incoming connections by default; outgoing traffic is not affected.
# firewall-cmd --permanent --add-service vnc-server
# firewall-cmd --reload
Note that the VNC password is limited to 8 characters and VNC traffic is not encrypted, so opening the vnc-server ports is only acceptable on a trusted LAN; otherwise keep VNC on localhost and reach it through an SSH tunnel.
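The unit file above, generated and hardened, as an added example that is not from the notes: vnc_unit prints a per-user unit adapted from the CentOS 7 vncserver@.service template with Xvnc bound to loopback (-localhost is a TigerVNC/Xvnc option that vncserver passes through), and vnc_install writes it under /etc/systemd/system and starts it. The user lisa and display :2 come from the notes; the display range check and the ss verification are this example's additions.

```shell
#!/bin/sh
# Added example, not from the notes: generate the per-user unit with VNC
# bound to loopback only. The VNC password is at most 8 characters and the
# protocol is unencrypted, so the display is reached through an SSH tunnel
# instead of opening 590x on the firewall. Adapted from the CentOS 7
# vncserver@.service template; -localhost is passed on to Xvnc.

# vnc_unit USER DISPLAY: print the unit file for vncserver@:DISPLAY.service
vnc_unit() {
    user=$1; display=$2
    case $display in
        ''|0*|*[!0-9]*) echo "vnc_unit: display must be 1..99" >&2; return 1 ;;
    esac
    [ "$display" -le 99 ] || { echo "vnc_unit: display must be 1..99" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || { echo "vnc_unit: no such user $user" >&2; return 1; }
    cat <<EOF
[Unit]
Description=Remote desktop service (VNC) for $user on display :$display
After=syslog.target network.target

[Service]
Type=forking
# clean up a stale lock/socket for this display before starting
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
# -localhost: Xvnc listens on 127.0.0.1 only; clients come in over SSH
ExecStart=/sbin/runuser -l $user -c "/usr/bin/vncserver %i -localhost"
PIDFile=/home/$user/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target
EOF
}

# vnc_install USER DISPLAY (root, on the real host): write the unit under
# /etc/systemd/system, where package updates do not overwrite it, and start it.
vnc_install() {
    unit="/etc/systemd/system/vncserver@:$2.service"
    vnc_unit "$1" "$2" > "$unit" || { rm -f "$unit"; return 1; }
    systemctl daemon-reload || return 1
    systemctl enable "vncserver@:$2.service" || return 1
    systemctl start "vncserver@:$2.service" || return 1
    ss -tlpn | grep Xvnc            # should show 127.0.0.1:59NN only, no 0.0.0.0
}
```

With this unit the vnc-server firewall service is not needed. Display :2 listens on port 5902 on loopback; from the client, with the SSH port from the first section, run ssh -L 5902:127.0.0.1:5902 -p 9922 lisa@server and point the viewer at 127.0.0.1:5902.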
Firewalld
Configure firewalld or iptables.
# systemctl status firewalld
# systemctl start firewalld
# systemctl enable firewalld
There are two front ends for firewalld:
# firewall-cmd or firewall-config
Concepts: zones and services.
Get the zones:
# firewall-cmd --get-zones
Get the default zone:
# firewall-cmd --get-default-zone
The default zone is set with --set-default-zone.
A service is a name associated with one or more ports and protocols.
Custom services go into /etc/firewalld/services.
The default services shipped with firewalld are in:
/usr/lib/firewalld/services
Check high-availability.xml there: a service is a collection of ports.
Add the service:
# firewall-cmd --zone=home --add-service=high-availability
check the configuration for the current zone:
# firewall-cmd --list-all
This change persists only until reload or reboot. To save the changes, use --permanent (which does not touch the running configuration until a reload):
# firewall-cmd --permanent --zone=home --add-service=high-availability
If the command line is awkward, there is a GUI, firewall-config.
Select the zone > click the zone > check the Permanent configuration.
# firewall-cmd --get-default-zone
# firewall-cmd --set-default-zone=dmz
add services:
# firewall-cmd --permanent --add-service=ssh
# firewall-cmd --permanent --add-service=ntp
# firewall-cmd --permanent --add-service=ftp
Check which service names are available:
# firewall-cmd --get-services
# firewall-cmd --permanent --add-service=vnc-server
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=dns
Check:
# firewall-cmd --list-all
Reload the settings so the permanent changes take effect (firewall-cmd --reload does the same without dropping the runtime state):
# systemctl restart firewalld
You can also type:
# firewall-config
to check the configuration.
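Two helpers for the service definitions described above, added as an example that is not from the notes: firewalld_service_ports lists what a service XML file actually opens (the check to run before adding a name like high-availability to a zone), and firewalld_custom_service writes a definition for the alternate SSH port from the first section. The service name ssh-9922 is this example's choice; the sample XML in the test is constructed after the layout of the shipped files.

```shell
#!/bin/sh
# Added example, not from the notes: inspect what a firewalld service
# definition opens before adding it to a zone, and write a custom service
# for the alternate SSH port from the first section. Custom definitions
# live in /etc/firewalld/services and take precedence over the copies
# shipped in /usr/lib/firewalld/services.

# firewalld_service_ports FILE
# Prints one "proto/port" line per <port .../> element, in file order,
# whichever order the two attributes appear in.
firewalld_service_ports() {
    grep -o '<port [^>]*/>' "$1" | while read -r tag; do
        proto=$(printf '%s' "$tag" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s' "$tag" | sed -n 's/.* port="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$proto" "$port"
    done
}

# firewalld_custom_service NAME SHORT PROTO PORT
# Prints a service definition. Save it as /etc/firewalld/services/NAME.xml,
# run firewall-cmd --reload so firewalld picks it up, then
# firewall-cmd --permanent --add-service=NAME and reload again.
firewalld_custom_service() {
    name=$1; short=$2; proto=$3; port=$4
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "firewalld_custom_service: bad name" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp) ;;
        *) echo "firewalld_custom_service: proto must be tcp or udp" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "firewalld_custom_service: port must be numeric" >&2; return 1 ;;
    esac
    case $short in
        *'<'*|*'>'*|*'&'*|*'"'*) echo "firewalld_custom_service: bad text" >&2; return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$short</short>
  <description>$short ($proto/$port). Custom definition, not shipped with firewalld.</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# On the CentOS 7 host:
#   firewalld_service_ports /usr/lib/firewalld/services/high-availability.xml
#   firewalld_custom_service ssh-9922 "SSH on 9922" tcp 9922 \
#       > /etc/firewalld/services/ssh-9922.xml
#   firewall-cmd --reload
#   firewall-cmd --permanent --add-service=ssh-9922 && firewall-cmd --reload
```

A named service is easier to audit in firewall-cmd --list-all than a bare --add-port, which is the reason to define one for the moved SSH port rather than opening 9922/tcp anonymously.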
Configuring SELinux for Apache
I want to use a new document root with a file.
Change the Apache configuration:
# mkdir /web
# cd /web
# vi index.html
# vi /etc/httpd/conf/httpd.conf
I'm creating another DocumentRoot.
DocumentRoot "/web"
And a matching Directory block for the files (the <Directory> tags were lost when the notes were copied):
<Directory "/web">
    AllowOverride None
    Require all granted
</Directory>
Also check the settings of the existing Directory blocks.
Restart apache:
# systemctl restart httpd
If it does not restart, try to start it.
I have my new document root and want to use it:
# elinks http://localhost
It is still the default home page: httpd was not allowed to read /web. Check audit.log for AVC records and /var/log/messages.
Click details in the GUI troubleshooter.
I can't use the SEAlert.
The audit log is the only reliable source:
# grep AVC /var/log/audit/audit.log
This is clear: a directory created directly under / gets the default_t type, and httpd_t has no rule allowing it to read default_t files.
Set it correctly, by giving /web the httpd_sys_content_t type:
# man semanage
Check the line with semanage-fcontext, and on that man page:
# man semanage-fcontext
there is an example at the end for exactly this case, a new document root.
Now paste it, adapted to /web, and run restorecon on the directory so the new label is applied on disk.
Check it with ls -Z.
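The step the notes leave to the man page, written out as an added example that is not from the notes: selinux_relabel_docroot records the directory as httpd_sys_content_t with the same semanage fcontext form the semanage-fcontext man page shows for a new document root, then runs restorecon, with guards against a relative path or relabelling / by accident. DRY_RUN=1 prints the commands instead of running them, which is how it can be exercised off the host; the semanage -m fallback assumes an existing rule is the only reason -a fails, and selinux_docroot_ok assumes the CentOS 7 ls -Z column layout.

```shell
#!/bin/sh
# Added example, not from the notes: the missing semanage/restorecon step
# for the new /web document root, with the checks that stop it from
# relabelling the wrong tree. Set DRY_RUN=1 to print the commands instead
# of running them (the default runs them and needs root on the SELinux host).

# _run CMD...: execute, or just print when DRY_RUN=1
_run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# selinux_relabel_docroot DIR [TYPE]
# Records DIR and everything below it as TYPE (default httpd_sys_content_t,
# the type httpd_t may read) in the file-context database, then applies the
# labels on disk. semanage only edits the policy database; nothing on the
# file system changes until restorecon runs.
selinux_relabel_docroot() {
    dir=$1
    type=${2:-httpd_sys_content_t}
    case $dir in
        /*) ;;
        *)  echo "selinux_relabel_docroot: need an absolute path" >&2; return 1 ;;
    esac
    dir=${dir%/}                       # "/web/" -> "/web"
    if [ -z "$dir" ]; then
        echo "selinux_relabel_docroot: refusing to relabel /" >&2
        return 1
    fi
    case $type in
        *_t) ;;
        *)  echo "selinux_relabel_docroot: '$type' is not a type name" >&2; return 1 ;;
    esac
    # -a fails if a rule for this path exists already; -m then modifies it
    # (assumption: that is the only reason -a fails)
    _run semanage fcontext -a -t "$type" "${dir}(/.*)?" 2>/dev/null \
        || _run semanage fcontext -m -t "$type" "${dir}(/.*)?" || return 1
    _run restorecon -R -v "$dir"
}

# selinux_docroot_ok DIR TYPE: exit 0 when every entry under DIR carries TYPE.
# Assumes the CentOS 7 ls -Z layout, where the context is the fourth field.
selinux_docroot_ok() {
    ls -RZ "$1" | awk -v t=":$2:" \
        '$4 ~ /:/ && index($4, t) == 0 { bad = 1 } END { exit bad }'
}

# On the host, as root:
#   selinux_relabel_docroot /web && selinux_docroot_ok /web httpd_sys_content_t
```

restorecon -v lists every file whose label it changed, so an empty listing after a relabel means the file-context rule did not match the path; check the regex with semanage fcontext -l before touching the policy again.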
SELinux Modes and Policy
SELinux mode: /etc/sysconfig/selinux
Three modes are available: disabled, permissive, enforcing. Switching to or from disabled needs a reboot.
Between enforcing and permissive you can switch at runtime:
# getenforce
# setenforce Enforcing
# setenforce Permissive
By default it should be Enforcing all the time.
Set context:
# ls -Z - see the context.
A context has 3 parts that matter here (followed by the MLS level):
User part is first, for advanced configuration.
Role part - also for advanced configuration.
Type part - this is what controls access to files, directories and ports.
All processes have a context.
Ports have a context as well:
# netstat -Ztulpen
Access is granted when the policy has a rule matching the process context with the file or port context.
Booleans are switches that enable/disable parts of the policy:
# getsebool -a
# getsebool -a | grep ftp
SELinux Labels and Booleans managing context
Show the current context of the httpd processes:
# ps Zaux | grep httpd
For httpd it is httpd_t.
The default document root for httpd is /var/www/.
Here I can see that the context is set up correctly.
In the policy there is a rule saying that the httpd_t SOURCE context is allowed to access the TARGET context httpd_sys_content_t.
If something is wrong, for example a script on the server that reads from the /tmp directory, SELinux will not allow it because the files have the wrong context, tmp_t.
Set context:
# semanage --help
Arguments: fcontext, boolean, port
For file context:
# man semanage
On this page there are subpages for the other subfunctions:
# man semanage-fcontext
At the end of this man page there is an example. Just copy/paste the example and modify it as needed.
semanage writes the rule to the policy's file-context database, not to the file system. To apply it to the files, run:
# restorecon -R -v /web
This utility is also the one to check with when something is not going OK, because -v reports every label it changed.
# restorecon -R -v /etc - restores the whole directory tree.
# semanage fcontext -l - display all file contexts on the system.
# yum provides '*/sepolicy' - find which package provides the sepolicy tool, because it is not installed by default.
Install the policy development tools:
# yum -y install policycoreutils-devel
Now I have to run:
# sepolicy manpage -a
This generates the man pages for all services covered by the SELinux policy.
Update the man database:
# mandb
Check all pages with _selinux in the description:
# man -k _selinux
And now for httpd:
# man -k _selinux | grep httpd
and there is httpd_selinux.
By default the generated pages land in /tmp and must be moved into the man tree:
# cd /tmp
# mv * /usr/share/man/man8
(mv * moves everything in /tmp, so do this only on a freshly cleaned /tmp, or generate the pages straight into the man tree instead:)
# sepolicy manpage -a -p /usr/share/man/man8
Update the man page index:
# mandb
Now use the httpd_selinux man page.
Using booleans
# getsebool -a - show all booleans on the system.
# getsebool -a | grep ftp
Let users access their home directory over FTP:
# setsebool ftp_home_dir on
This does not survive a reboot.
Check it:
# semanage boolean -l | grep ftp
Make it persistent:
# setsebool -P ftp_home_dir on
-P is for PERSISTENT
Analyzing SELinux Log Files
Check the troubleshoot packages:
# yum list installed | grep setroubleshoot
The packages must be installed.
Check that auditd is started:
# systemctl status auditd
Analyze the audit log:
# grep AVC /var/log/audit/audit.log
All SELinux denial records have the type AVC.
denied { getattr } is the permission that was denied to the vsftpd server.
Check the SOURCE context and the TARGET context, which are not the same.
Conclusion: vsftpd does not have the SELinux permissions to access audio_home_t target files.
Either relabel the files or allow ftpd to access them with the appropriate boolean.
Check /var/log/messages for additional information.
"sealert" is the word to search for. Copy the sealert command it gives.
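The grep-and-read step above, for both the Apache case (httpd on the new /web) and the vsftpd case, as an added example that is not from the notes: avc_summary reduces each AVC record to the fields the notes say to look at (the denied permission, the process, the source and target types and the object), and avc_top counts denials per source/target pair so a noisy log can be triaged without sealert. The lines in avc_sample are constructed to match the audit.log record format; the pids, inodes, timestamps and file names are made up.

```shell
#!/bin/sh
# Added example, not from the notes: pull the useful fields out of AVC
# records so a batch of denials can be triaged without sealert. The sample
# log lines in avc_sample are constructed to match the audit.log format and
# correspond to the two cases on this page (vsftpd on a home directory,
# httpd on the new /web document root); pids, inodes and names are made up.

avc_sample() {
    cat <<'EOF'
type=SYSCALL msg=audit(1431599734.105:1234): arch=c000003e syscall=4 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC msg=audit(1431599734.105:1234): avc:  denied  { getattr } for  pid=2165 comm="vsftpd" path="/home/lisa/Music/song.mp3" dev="dm-0" ino=1234 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:audio_home_t:s0 tclass=file
type=AVC msg=audit(1431600001.222:1240): avc:  denied  { read } for  pid=3045 comm="httpd" name="index.html" dev="dm-0" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1431600001.230:1241): avc:  denied  { getattr } for  pid=3045 comm="httpd" path="/web/index.html" dev="dm-0" ino=9876 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
EOF
}

# avc_summary FILE
# One line per AVC record: "comm source_type -> target_type {perms} class object"
avc_summary() {
    grep '^type=AVC ' "$1" | awk '
    {
        perm = comm = obj = s = t = cls = ""
        # the denied permissions sit between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "path" || k == "name") obj = v
            else if (k == "scontext") s = v
            else if (k == "tcontext") t = v
            else if (k == "tclass") cls = v
        }
        # user:role:type:level -> keep the type, the part the policy rules use
        split(s, sp, ":"); split(t, tp, ":")
        printf "%s %s -> %s {%s} %s %s\n", comm, sp[3], tp[3], perm, cls, obj
    }'
}

# avc_top FILE: denials counted per "source_type target_type", most first
avc_top() {
    avc_summary "$1" | awk '{ print $2, $4 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2, $3 }'
}

# On the host: avc_top /var/log/audit/audit.log, then avc_summary for the
# pair at the top. A target type that is not what the service is meant to
# read (default_t under /web, here) points at a relabel; a correct target
# type with a denial points at a boolean.
```

The source/target pair is the whole decision: httpd_t denied on default_t is the relabel case from the Apache section, while ftpd_t denied on a home-directory type is the case the ftp_home_dir boolean exists for.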