Security :: Possible To Map Httpd Sealert To Its Access Log?

Apr 20, 2009

One of our web servers has recently logged many instances of the same message: "setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files /boot (boot_t). For complete SELinux messages. run sealert -l e143c369-a72d-453e-84fe-6b62b7f05c5f". This looks suspicious. We'd like to map these sealerts to the httpd access log to see if there is any malicious activity. We added a '%P' option to the Apache combined LogFormat so the httpd process id is logged too. Then we grepped all the Apache access logs using the pid from the above sealert -l output. There are not many of them, so we can test them one by one.

Shockingly, none of the accesses served by the specified pid reproduce the same sealert.

The server was installed as CentOS 5 (x86_64) and upgraded to 5.3 two days ago. The main components are as follows:

Is there any other way we can try to find out the real access which triggered these alerts? The sealert -l output is attached.


Fedora Security :: Cannot Use The Sealert Browser On Remote Machine?

Mar 5, 2010

I have an F11 box serving XDMCP. I log into the machine remotely with Xming. As far as I can tell, all X clients work fine, EXCEPT for sealert. I get occasional SELinux alerts, but I cannot use the sealert browser on my remote machine. When I try to run the browser, I get this: sealert -V -b

2010-03-05 11:27:49,841 [dbus.proxies.ERROR] Introspect error on :1.61:/org/fedoraproject/Setroubleshootd: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus) 2010-03-05 11:27:49,842 [dbus.proxies.DEBUG] Executing introspect queue due to error 2010-03-05 11:27:49,842 [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.ServiceUnknown: The name :1.61 was not provided by any .service files

I see the bug at [URL], but it does not mention the browser, nor does it say what the fix/workaround is. I'm going to stab in the dark and start relabeling things, but does anyone know what's really wrong?


Security :: Disable SELinux Security On Httpd

Jul 13, 2010

I am learning SELinux from LinuxCBT and I'm stuck at one place. The video is on RHEL 4 (so tell me if things have changed since, because I can't find anything related) and shows how to disable SELinux security on httpd. First, I don't know the difference between initrc_t and unconfined_t; and second, I don't know if something is wrong or if everything is all right.


Fedora :: Sealert Crashes On F14

Jul 19, 2011

Every time sealert is triggered, I get this problem. I have looked everywhere for the required report module. Where can I get it from?

Opps, sealert hit an error!
Traceback (most recent call last):
File "/usr/bin/sealert", line 692, in <module>
run_as_dbus_service(username)

[Code]....


General :: Selinux - Ftpd And Httpd Need To Access The Same Directory?

Jun 17, 2011

What if two programs, say ftpd and httpd, need to access the same directory? Is there any way to set the context type of that directory to both httpd_t and ftpd_t? What do you do in a case like this?


Fedora Security :: SELinux Prevents Httpd From Reading Homes - Intrusion Attempt?

Aug 30, 2010

The following security alert made me check my httpd.conf:

Code:
Summary:

SELinux is preventing the http daemon from reading users' home directories. Detailed Description: SELinux has denied the http daemon access to users' home directories. Someone is attempting to access your home directories via your http daemon. If you have not setup httpd to share home directories, this probably signals an intrusion attempt.

Even though in httpd.conf there is a line that reads

Code:
LoadModule userdir_module modules/mod_userdir.so

in the same conf file, access to home dirs is disabled:

Code:
<IfModule mod_userdir.c>

[Code]....


CentOS 5 Server :: HTTPD - Forbidden, Don't Have Permission To Access /index.html?

Mar 3, 2010

Basically, I just installed a fresh version of CentOS 5.4 with Apache httpd installed automatically during the installation. The http daemon is running, and when navigating to localhost I get the CentOS Apache welcome page thingy. The problem is when I put an index.html file in /var/http/www and then try to navigate to localhost, I get a 403 Forbidden error.


Fedora Security :: Setting Up A Webserver And SELinux Keeps Stopping Httpd / Apache And Making It Fail

Jul 12, 2010

I am setting up a web server and SELinux keeps stopping httpd/Apache and making it fail. Everything works fine when SELinux is set to permissive, so I know it is SELinux causing the problem. I have all the Apache/httpd items allowed in the SELinux booleans and even added the line the troubleshooter told me to add, but the problem still persists. Here is what SELinux puts out:

[Code].....

several times and it does nothing. I have all the permissions set to Apache as owner and group and allow execution on all the files.


Fedora Installation :: Start The Service Of Httpd Error Message Displayed: Starting Httpd: (98)Address Already In Use ?

Sep 19, 2010

I have installed Fedora 13 on my system. The httpd server is also installed. When I tried to start the httpd service, the following error message was displayed: Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:80


Slackware :: Typo In As-installed /etc/httpd/httpd.conf?

Dec 24, 2010

I'm new to Apache configuration, so I could be misunderstanding, but shouldn't the characters highlighted in red below be removed?

Code:


CentOS 5 :: Httpd: Could Not Open Configuration File /etc/httpd/conf/httpd.conf: No Such File

Nov 9, 2009

Accidentally I did something wrong with my server and now the httpd folder is missing. I need it to set up my mail server. Can anyone help me with what I can do without reinstalling my CentOS? Here is the error msg:

[root@mydomain etc]# service httpd stop
Stopping httpd: [FAILED]
[root@mydomain etc]# service httpd restart

[code]....


Server :: Reverse Proxy - With HTTPD Httpd-2.2.3-29.el5

Jul 30, 2010

We are using this URL on our testing box, and this IP is the reverse proxy IP (10.192.64.52).

Without the reverse proxy, the URL is working fine:

http://10.192.16.77/akc-qa/arsys/ser...TS000000001430

But with the reverse proxy it's putting an escape [%25] in between %3a:

[url]

Is it possible to write a rewrite rule to bypass escape [NE] for this particular URL?


Fedora Security :: Why Is Httpd Allowed To Start Bound To Port That's Not Explicitly Allowed?

May 28, 2010

While reading some papers on securing Apache with SELinux, I tried to bind httpd to port 3000, expecting to be blocked by SELinux, since TCP port 3000 isn't on the http_port_t list. However, I was able to start the service...

I'm pretty sure SELinux is enforcing. Also, if I bind httpd to TCP 81, SELinux denies the start of the service, as expected! Did I miss something? Why is httpd allowed to start bound to a port that's not explicitly allowed?


Security :: The File Was Located Under /dev/ And Named "httpd" Totally Blank?

Sep 6, 2010

I am currently having a security issue due to an uninvited intrusion that happened a few days ago. I've been checking the server for any possible backdoor but I could not find any. Anyway, I've finally found a weird SSH login logger which will log the "id & password" of any successful SSH connection (scary). The file was located under /dev/ and named "httpd". I'm totally blank now. I don't know where to start troubleshooting.


CentOS 5 Server :: Httpd Running Very Slow "/var/lock/subsys/httpd': No Space Left On Device"?

Jun 10, 2011

Running CentOS 5 x64. Today my httpd is running very slowly and I can't find a fix. I've looked all over different forums.

When starting httpd I get the message: /var/lock/subsys/httpd': No space left on device. I checked that directory above and there is no file called httpd. I tried rebooting the server.

Can't do updates too:
[root@u15438957 ~]# yum update
Loaded plugins: fastestmirror, priorities
rpmdb: unable to join the environment

[Code]...


Security :: URL (Not URI) In Apache Access Log?

Mar 6, 2010

I happened to be looking at my Apache-2.2.8 log on an Ubuntu LTS 8.04.4 system, and noticed a few lines like this:
Code:
61.160.212.242 - - [06/Mar/2010:07:04:41 -0800] "GET http://218.30.115.246/ HTTP/1.1" 200 295 "-" "-"
61.160.212.242 - - [06/Mar/2010:07:05:29 -0800] "GET http://218.30.115.246/ HTTP/1.1" 200 295 "-" "-"
xxx.xxx.xxx.xxx - - [06/Mar/2010:07:56:15 -0800] "GET http://218.30.115.246/ HTTP/1.1" 400 290 "-" "-"

(The third line is me telnetting to the server and trying to issue the same request. Note that I got a 400 error response, while the guy coming from 61.160.212.242 got 200s. Also, if you just open the http://218.30.114.246/ URL, you get back "hello" (nothing else, just 5 characters).) I'm presently putting together a bootable CD with chkrootkit to run on the machine. (I found a thread that mentioned in passing that this was related to PHP, which I have running on that Apache server, but my Google-fu isn't strong enough to track down the original thread.) (After checking with chkrootkit: nothing unusual found.)


Fedora Security :: Access To VDS Blockage?

Apr 2, 2010

I use PuTTY and plink through SSH to support some processes on my VDS (Fedora 7) at GoDaddy. When I log in with plink frequently (once per 10 seconds for just a few minutes a day), the server blocks my access everywhere (SFTP, HTTP, control panel) for about 10 minutes and then resumes. Customer Support told me they do not have any blocker, but I see that my IP is blocked for these 10 minutes; meanwhile I can access everything there from another address.


Ubuntu Security :: Disable The SSH Key Access?

Jun 15, 2010

I currently have a user on my Ubuntu server that I want to block completely from login. I know right now they log in with SSH keys, so they don't need to enter their SSH password. Can anyone tell me how to remove the SSH key login for their username and the root user (which I believe they use too) and block SSH access altogether? I will then just change the root SSH password. I'm terrified they will do some harm, so I need them blocked out ASAP.


Ubuntu Security :: UPR Does Not Access HDD - Where To Get Swap

Mar 1, 2011

I am using Lucid Lynx 10.04r1 on my:
Pentium D 3.0GHz
512 RAM
[URL]
UPR does not access the HDD, so from where am I getting Swap 245.3 MB in my System Monitor? Not only that, it even uses it.


Ubuntu Security :: Which App Is Trying To Access My Keychain

Jun 14, 2011

I am used to, on starting Ubuntu on my Netbook, being prompted with a password challenge to open my Keychain required to authenticate against the WPA enabled WiFi network.

Now, I've recently installed Ubuntu on a desktop PC, along with some dev tools (Code::Blocks etc.), but it gives me a keychain access challenge about 4 times on startup. I can't seem to figure out which app is trying to (get my permission to) access my keychain, and for what purpose.

(By contrast: on my Mac, when an application tries to open the keychain, the application, its certificate, and the search data of the matching key that will be accessed are all displayed, making it much easier to determine which app is being naughty.) How do I do similar diagnostics with Natty?

When I cancel these requests, nothing "breaks".


Security :: Block Access To Mysql?

Feb 18, 2011

What's the best way in CentOS to block a user from accessing MySQL? I don't want him to be able to run the mysql command, so just putting passwords up in MySQL is not good enough. MySQL is running as user=mysql, and I added the user to a different group, but he is still able to access MySQL by typing in the command.

How can I block this command from being available to this user?


Security :: Fake IP To Access Content?

Jun 17, 2010

I am traveling outside the US and trying to watch Netflix from my computer. However, it is blocked in my region. Is there a way to fake the IP address so it looks like I am viewing the content from the US?


Security :: How To Enable Passphrase For Access Via Ssh?

Apr 21, 2011

How can I enable a passphrase along with the password for login via SSH? That is, whenever I log in from server A to server B via SSH, it should ask me for a password and then a passphrase to allow me access.
OR
Can we have multiple passwords to log in via SSH? My basic need is to have 2 levels of password.


Security :: Only Allow Root Ssh Access To The Server?

Feb 17, 2010

When creating 10 Samba users I also created Linux users. I do not want these Samba users to be able to use PuTTY, WinSCP etc. to access the server.

Do you know how I can restrict ssh access to specific users?


Security :: Users Can Access Each Other's Files?

Mar 26, 2011

I just realized that I can access other users' files and they can access my files simply by using the console to navigate the file system. It's not that big a deal, I am the only one using the computer, but this seems like something is not configured correctly. Should each user be able to look at and modify each other's files by default? (On Xubuntu 10)


Security :: Viewing SSH Access In Fedora?

Jul 8, 2010

How can I display the IP addresses that have accessed my Fedora machine via SSH? In particular, I want to know if they logged in and what they may have done while logged in.


Fedora Security :: MLS - Categories And Access To Files?

Apr 7, 2010

I have 2 users, carol and carol2, and 2 files in /: filea and fileb. I want carol to have access only to filea and carol2 only to fileb. I need to do this with MLS (range). I don't want to do this with levels, because the user that is higher has access to both files. How do I do that?


Fedora Security :: Any Way To Block IP Address Access?

Jul 27, 2011

I recently set up a web server at home, using a non-standard port, due to my ISP blocking 80. I just checked my log files, and I see a TON of entries indicating that a file was not found: "proxy-1.php", "proxyheader.php", etc. I do not have these files, nor do I intend to have them as part of my website. I did a whois lookup by IP address for several of these, and they all seem to come from an ISP in China. Is there a way to BLOCK any IP address outside the US (that is somewhat simple to do)?


Ubuntu Security :: Access Partition From Another Machine?

Jan 18, 2010

I have installed an Ubuntu server and it is running OK. Before making it a production server, I want to make sure that if one day the OS gets corrupted accidentally, I can still access the users' files on the hard disk.

I burned a Ubuntu desktop live CD, and booted it with this machine. There are 2 hard disks on the server, both could be mounted automatically. However, I can only access some folders like lost+found.

The questions are:

1. How can I access the other folders, given I have the root password of the server?

2. Is there a way to access all folders without knowing the users + passwords?


Ubuntu Security :: How To Remote Access Home PC

Jan 29, 2010

How can I remotely access my PC at home from work, on a different PC that has access to the INTERNET? What software shall I install on my PC at home? I want to be able to install software on my PC at home from my work place. My home PC has Ubuntu Linux: 2.6.31-17-generic #54-Ubuntu SMP Thu Dec 10 17:01:44 UTC 2009 x86_64 GNU/Linux

Copyrights 2005-15 www.BigResource.com, All rights reserved