Hardening SNMP on Debian

Hardening SNMP on Debian by disabling SNMP v1 and v2c, and configuring SNMP v3.

Modify /etc/snmp/snmpd.conf

First we’ll want to open up the /etc/snmp/snmpd.conf file and comment out all lines that begin with

  • rocommunity
  • view
  • rouser authPriv (this may be the last line by default; we don’t need it)

Alternatively, you can copy and paste the following sed commands instead of manually editing the file.

sudo sed -i 's/^rocommunity/# rocommunity/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^view/# view/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^rouser authPriv/# rouser authPriv/g' /etc/snmp/snmpd.conf

Create SNMP v3 User

We can create an SNMP v3 user with the following command. It will prompt you for the username and the authentication and privacy passphrases.

sudo net-snmp-create-v3-user -ro -a SHA-512 -x AES

You may receive an error about not being able to touch /snmp/snmpd.conf. I am not sure why Debian is attempting to create that file. Take the “rouser snmpuser” line the command prints and add it to the end of the /etc/snmp/snmpd.conf config.

Debian SNMP Error

Now we can start SNMPD

sudo systemctl start snmpd

Troubleshooting

My created user is not working! This could result from two different issues.

  1. It appears that Debian/SNMP doesn’t like passphrases with special characters. You can try using a different passphrase, or escape the special characters in the “/var/lib/snmp/snmpd.conf” file before starting SNMPD.
  2. The user didn’t get added to /etc/snmp/snmpd.conf. To fix this, add “rouser snmpuser” (change snmpuser to your SNMP username) to the bottom of the config file.

Access Denied “You don’t have permission to access …”

Sometimes you can get the following error while trying to access some sites.

Access Denied while trying to access website

It looks like these errors come from Akamai or other CDNs.

Why is Akamai blocking me?

https://myakamai.force.com/customers/s/article/Why-is-Akamai-blocking-me

Why is Akamai blocking me? Part 2 & 3

https://community.akamai.com/customers/s/article/Why-is-Akamai-Blocking-Me-Part-2-Penetration-Testers-Bug-Bounty-Hunters-and-Security-Researchers

https://community.akamai.com/customers/s/article/Why-is-Akamai-Blocking-Me-Part-3-Partners-Performing-Web-Scraping-Activity

Client Reputation Lookup

https://www.akamai.com/us/en/clientrep-lookup/

Akamai says they don’t block you themselves, but the site can use Akamai tools and policies that block you. To resolve the issue, contact the website owner, ask to be unblocked, and see if you can get more details.

You can try doing a whois on the website domain to find the contact email.

Hardening SNMP on CentOS/RedHat/Fedora Etc.

These steps should be similar across Red Hat type distros.

Before we proceed, let’s stop SNMP

sudo systemctl stop snmpd

Disable SNMP Versions 1 and 2c

First we are going to disable SNMP v1 and v2c

You can manually edit the /etc/snmp/snmpd.conf file and comment out or delete every line starting with com2sec, group, or access. Or you can run the following sed commands to change it for you.

sudo sed -i 's/^com2sec/# com2sec/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^group/# group/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^access/# access/g' /etc/snmp/snmpd.conf

https://serverfault.com/questions/376688/how-to-disable-version-1-and-version-2c-in-snmpd
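An added example (not from the original post) that covers both the Debian and the Red Hat sections: it audits an snmpd.conf for the v1/v2c directives listed in those sections, reports whether only v3 access is left, and can comment the legacy lines out the way the sed commands do. It assumes GNU sed and adds the rw/IPv6 variants of the same directives (rwcommunity, rocommunity6, com2sec6), which the post does not mention.

```shell
#!/bin/sh
# Added example, not from the original post. snmp_legacy_directives lists
# every active line that grants SNMP v1/v2c community access,
# snmp_v1v2c_disabled succeeds only when none are left, and
# snmp_disable_v1v2c comments them out like the sed commands above.
# Directive names are those the two sections name plus their rw/IPv6
# variants (rwcommunity, rocommunity6, com2sec6). Assumes GNU sed.

LEGACY='rocommunity6?|rwcommunity6?|com2sec6?|group|access|view'

# Print active (uncommented) legacy directives with line numbers.
# Exit status is grep's: 0 if any were found, 1 if none.
snmp_legacy_directives() {
    grep -nE "^[[:space:]]*($LEGACY)[[:space:]]" "${1:-/etc/snmp/snmpd.conf}"
}

# 0 when only v3 access (rouser/createUser) remains, 1 otherwise.
snmp_v1v2c_disabled() {
    if snmp_legacy_directives "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Comment out (not delete) the legacy lines, keeping a .bak copy for review.
snmp_disable_v1v2c() {
    sed -i.bak -E "s/^([[:space:]]*)($LEGACY)([[:space:]])/\1# \2\3/" \
        "${1:-/etc/snmp/snmpd.conf}"
}
```

Run snmp_v1v2c_disabled before starting snmpd again; a non-zero exit means a community-based directive is still active.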

Create SNMP Version 3 User

Follow the prompts to create a SNMP v3 user.

sudo net-snmp-create-v3-user -ro -a SHA -x AES

Start SNMP

sudo systemctl start snmpd

You should be good to go.

If you are running a firewall, you will need to allow an exception for SNMP, UDP port 161. You may also need to allow an SELinux exception. Check out the last portion of both these articles.

Allowing SNMP Through Firewall

Fresh Install of Ubuntu Server Doesn’t use all Disk Space

For some reason Ubuntu Server didn’t use all the available disk space during installation. Thankfully this is an easy fix.

sudo lvextend --resizefs -l +100%FREE ubuntu-vg/ubuntu-lv

If the volume group or logical volume is named differently, you will need to change the name in the above command. You can use “sudo pvdisplay” and “sudo lvdisplay” to show details about your volumes.

https://unix.stackexchange.com/questions/664486/lvm-root-partition-only-uses-half-the-volume-size

SFTP Server – Configure Folder to be used by two users

Bob is the company’s local Linux administrator. He has been tasked with creating a secure shared SFTP folder so members of the R&D department can securely collaborate on “The New Project”.

Bob immediately recognizes a potential difficulty. If Steve and John are working on a prototype, how will John be able to edit Steve’s file if the user permissions are set to only allow John to read?

Bob first goes to the break room to locate a coffee mug.

After consulting Google and the man pages for sftp, sftp-server, sshd_config and sshd, he found out what he needed to do.

  1. Create directory for the share
  2. Create a user group
  3. Create the individual users and add them to the user group
  4. Modify the sshd_config
  5. Restart the SSHD service and verify that it works

Create Directory for SFTP Share Directory

First Bob needed a directory to hold the R&D files.

mkdir -p /sftp/rdshare
mkdir /sftp/rdshare/files/
chmod 755 /sftp/rdshare

For some reason, he ran into issues with the folder getting set to 775 permissions, which caused login failures. Manually changing it to 755 fixed that issue.

Create User Group

Now Bob needs a user group to add everyone to.

sudo groupadd rdsftp

Now on to creating the users. Since we are just using the accounts for SFTP, we are setting the nologin option. None of these users will be able to use ssh to log on to the server.

sudo useradd -g rdsftp -s /sbin/nologin -M sftpadmin
sudo passwd sftpadmin

Repeat for John, Steve, Jill, etc…

Use the sftpadmin user as an “admin” user and change the ownership of the shared files directory (the chroot directory itself, /sftp/rdshare, stays owned by root)

sudo chown -R sftpadmin:rdsftp /sftp/rdshare/files

Modify sshd_config file

There are a couple things that need to be changed in the sshd_config file to make this all work.

sudo vi /etc/ssh/sshd_config

At the bottom of the file, Bob adds

# R&D SFTP share settings
# ChrootDirectory chroots the users into this directory.
# ForceCommand's -u sets the umask; needed so users have write permissions for all files.
# (sshd does not accept trailing comments on a directive line, so they go on their own lines.)
Match Group rdsftp
        ChrootDirectory /sftp/rdshare/
        ForceCommand internal-sftp -u 0002

This will chroot all the users into the /sftp/rdshare directory, which makes /sftp/rdshare the users’ / directory.

The -u umask option is the secret for getting all the users to manage all the files. Without it, John would not be able to update Steve’s inventory file.

Restart services and test

Now we can restart the ssh server

sudo systemctl restart sshd

Then verify that john can log in.

sftp john@localhost

Any existing sessions will need to be terminated for the changes to take effect.
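Two checks for the setup above, as an added example that is not Bob’s or the original post’s code: check_chroot_path verifies the rule sshd enforces on ChrootDirectory (every path component root-owned and not group/other writable, which is why 775 broke logins and 755 fixed them), and mode_with_umask shows what the -u 0002 in the ForceCommand buys. It assumes GNU stat (Linux) and uses the post’s /sftp/rdshare path without creating it.

```shell
#!/bin/sh
# Added example, not from the original post.
# 1. check_chroot_path: sshd refuses the chroot unless every component of
#    the path, from / down to the chroot directory, is owned by root and is
#    not writable by group or others (this is the 775 vs 755 issue above).
# 2. mode_with_umask: with "internal-sftp -u 0002" a new file lands as 664
#    (group-writable, so John can edit Steve's file); the default 0022 gives 644.
# Assumes GNU stat (Linux).

# Pure check on owner uid and octal mode so it can be tested without root.
chroot_component_ok() {
    uid="$1"; mode="$2"
    [ "$uid" -eq 0 ] || return 1               # must be owned by root
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1  # no group/other write bit
    return 0
}

# Walk /sftp/rdshare -> /sftp -> / and report every offending component.
check_chroot_path() {
    target="${1:-/sftp/rdshare}"
    rc=0
    d="$target"
    while :; do
        if ! chroot_component_ok "$(stat -c %u "$d")" "$(stat -c %a "$d")"; then
            printf 'not chroot-safe: %s (owner %s, mode %s)\n' "$d" \
                "$(stat -c %U "$d")" "$(stat -c %a "$d")"
            rc=1
        fi
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    return $rc
}

# Create a file under the given umask and print its resulting octal mode,
# e.g. mode_with_umask 0002 -> 664, mode_with_umask 0022 -> 644.
mode_with_umask() {
    f=$(mktemp -u)                  # constructed temp path, created below
    ( umask "$1"; : > "$f" )
    stat -c %a "$f"
    rm -f "$f"
}
```

Run check_chroot_path on the server after creating the share; any line it prints is a directory sshd will reject, and the user’s login will fail with a closed connection.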

Further reading.

https://askubuntu.com/questions/982123/multiple-owner-of-same-folder
https://www.tothenew.com/blog/how-to-set-up-shared-folderrepository-between-two-or-more-users-on-linux/
https://medium.com/linuxstories/linux-how-to-setup-an-sftp-server-37e6fb91649b
https://linuxandevops.wordpress.com/2017/07/30/ssh-scp-sftp-connections-and-file-permissions-part-2/

How to Send an Email using Telnet

We’ll be using telnet to connect to a mail server and send ourselves an email.

The commands to enter are HELO, MAIL FROM, RCPT TO, DATA, the message itself, the lone “.” that ends it, and QUIT; the lines beginning with a three-digit code are the server’s replies.

[bob@linux ~]$ telnet mail.website.com 25
Trying mail.website.com...
Connected to mail.website.com.
Escape character is '^]'.
220-mail.website.com ESMTP Exim 4.85 #2 Mon, 09 May 2022 22:12:59 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.
HELO domainto.sendfrom.com
250 mail.website.com Hello domainto.sendfrom.com [192.168.1.2]
MAIL FROM: <bob@incredigeek.com>
250 OK
RCPT TO: <bob@incredigeek.com>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Subject: Test Message

This is a test

.
250 OK id=5a1g7i-1347MT-1p
QUIT
221 mail.website.com closing connection
Connection closed by foreign host.
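The same dialogue as the telnet session, scripted, as an added example that is not part of the original post. Server replies are read from stdin and client commands are written to stdout, so the functions send nothing themselves: they can be fed a captured transcript for testing or wired to a real connection. It also handles two details the manual session glosses over: multi-line replies such as the “220-” greeting, and dot-stuffing of body lines that start with “.”. The host and addresses are the post’s.

```shell
#!/bin/sh
# Added example, not from the original post: a scripted SMTP client that
# reads server replies on stdin and writes its commands to stdout.

# Read one SMTP reply. "220-..." lines continue it, "220 ..." ends it.
# Succeed only if the final code equals the expected one.
smtp_expect() {
    want="$1"
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}                       # strip CRLF's CR
        case "$line" in
            [0-9][0-9][0-9]-*) continue ;;       # continuation line
            [0-9][0-9][0-9]" "*)                 # final line of the reply
                if [ "${line%% *}" = "$want" ]; then return 0; else return 1; fi ;;
            *) return 1 ;;                       # not an SMTP reply line
        esac
    done
    return 1                                     # EOF before a final line
}

# Dot-stuff body lines (RFC 5321 section 4.5.2) so a line beginning with "."
# is not taken by the server as the end-of-data marker.
smtp_stuff() { sed 's/^\./../'; }

# Run the dialogue shown above. Returns 1 at the first unexpected reply.
smtp_session() {
    helo="$1"; from="$2"; to="$3"; subject="$4"; body="$5"
    smtp_expect 220 || return 1
    printf 'HELO %s\r\n' "$helo";          smtp_expect 250 || return 1
    printf 'MAIL FROM:<%s>\r\n' "$from";   smtp_expect 250 || return 1
    printf 'RCPT TO:<%s>\r\n' "$to";       smtp_expect 250 || return 1
    printf 'DATA\r\n';                     smtp_expect 354 || return 1
    printf 'Subject: %s\r\n\r\n' "$subject"
    printf '%s\n' "$body" | smtp_stuff | awk '{ printf "%s\r\n", $0 }'
    printf '.\r\n';                        smtp_expect 250 || return 1
    printf 'QUIT\r\n';                     smtp_expect 221 || return 1
}

# Example call matching the session above (server replies come from stdin):
# smtp_session domainto.sendfrom.com bob@incredigeek.com bob@incredigeek.com \
#     'Test Message' 'This is a test'
```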

Further links to read

https://github.com/maildev/maildev/issues/212

Bob lost sudo access on Fedora

Bob has a computer running Fedora. When he installed Fedora he didn’t set up the root password and locked the root account. That is best practice. Right? Then one day he goes to upgrade to the latest version of Fedora and types in

sudo dnf update

and is greeted with

bob is not in the sudoers file. This incident will be reported.

What happened? I had access before. Bob thinks to himself. Seems like I am not in the wheel group anymore. Bob, being a smart person, decides to attempt recovery mode. He’ll boot up and just re-add his user to the wheel group.

Recovery mode starts up and then fails due to the root account being locked. What?!

Bob then starts talking to himself, as he is in need of some expert advice. What other options do I have? I know! He runs to find his handy dandy Live Fedora pen drive, plugs it in and boots up into a live version of Fedora. Now I can mount and access the main drive.

But wait, I can’t run “usermod -G wheel bob” because that will only affect the Live System. I could chroot into the drive. That would require mounting some extra mount points. Is there a faster way? We could maybe edit the /etc/group and add “wheel:x:10:bob”. That should add bob back to the wheel group. Right?

Wait, what about the sudoers file? We are normally supposed to use the “sudo visudo” command to modify it. Let’s check the file and see if we can just manually edit it.

$ stat -c "%n %a" /etc/sudoers
/etc/sudoers 440
$
Permissions on /etc/sudoers file

Hmm, okay, I am going to need to change permissions to save the file. Let’s chmod it to 644 temporarily.

$ sudo chmod 644 /etc/sudoers 

Alright now I should be able to edit it.

$ sudo vi /etc/sudoers

Okay, now I need to explicitly give myself permission to use sudo. Where is that line? Ah-ha!

root    ALL=(ALL)       ALL

Let’s duplicate that with yy and p, and replace root with my username.

root    ALL=(ALL)       ALL
bob     ALL=(ALL)       ALL

Save that with Esc, then :wq and Enter.

Now change the file permissions back

sudo chmod 400 /etc/sudoers

Reboot the system, then log in and test sudo.

$ sudo whoami 
root

Success!

Bob, satisfied that the problem is resolved, rewards himself by getting a sandwich.

sudo make me a sandwich

https://docs.fedoraproject.org/en-US/quick-docs/root-account-locked/
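Two helpers for the recovery above, as an added example that is not from the original post: group_add_member edits an /etc/group file the way the “wheel:x:10:bob” idea Bob considered does (keeping existing members and never adding a user twice), and sudoers_perms_ok confirms /etc/sudoers is back to root-owned 0440 or 0400 before rebooting. The mount point /mnt used by check_mounted_sudoers is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Meant to be run from the live
# system with the installed root filesystem mounted (ROOTFS, assumed /mnt).

# group_add_member <group-file> <group> <user>: print the file with <user>
# added to <group>'s member list; unchanged if already a member.
group_add_member() {
    awk -F: -v g="$2" -v u="$3" 'BEGIN { OFS = ":" }
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print; next }
            $4 = ($4 == "" ? u : $4 "," u)
        }
        { print }' "$1"
}

# sudoers_perms_ok <owner-uid> <octal-mode>: 0 only if root-owned and
# mode 0440 or 0400, the state the post restores with "chmod 400".
sudoers_perms_ok() {
    [ "$1" -eq 0 ] || return 1
    case "$2" in 440|400|0440|0400) return 0 ;; *) return 1 ;; esac
}

# Check the mounted system's sudoers: permissions first, then syntax with
# "visudo -c -f" when visudo is available (it is on Fedora).
check_mounted_sudoers() {
    f="${1:-/mnt}/etc/sudoers"
    sudoers_perms_ok "$(stat -c %u "$f")" "$(stat -c %a "$f")" || return 1
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$f" >/dev/null || return 1
    fi
    return 0
}
```

Run check_mounted_sudoers before rebooting: a syntax error or wrong mode in /etc/sudoers would lock sudo out again, this time for everyone.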

Add directory to path in Linux

Adding a directory to your path is really easy.

The following command adds ~/script_folder to our PATH. Once run, we’ll be able to call any script in the script folder as if it were a system utility.

PATH="$HOME/script_folder/:$PATH"

If you would like to always be able to call any file in your scripts folder, add the above command to your ~/.bashrc file.

You may need to restart your session for it to work.

Fix Peertube youtube-dl not Downloading

The issue was not being able to import a video into Peertube using a URL.

Peertube was set up to use youtube-dl, which is in /var/www/peertube/storage/bin/youtube-dl. Further investigation showed that Peertube calls it with python.

For example

python youtube-dl video-to-download

Usually python refers to Python 2, whereas python3 refers to Python 3.

We can create a symlink so that python = python3

sudo ln -s /usr/bin/python3 /usr/bin/python

This way when Peertube runs python, it technically will run it with python3.

Note you will probably run into issues if you do have Python 2 installed and need it. In my case, python was not installed and didn’t reference anything.
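The symlink step with the guard the last paragraph describes, as an added example that is not from the original post: it only creates the python -> python3 link when nothing named python already exists in the bin directory, so an installed Python 2 is never clobbered. The bin directory defaults to /usr/bin; passing another directory is an assumption made for testing.

```shell
#!/bin/sh
# Added example, not from the original post: create "python" as a symlink to
# "python3", but refuse if "python" already exists (possibly a real Python 2).
# link_python_to_python3 [bindir]   (bindir defaults to /usr/bin)
link_python_to_python3() {
    bindir="${1:-/usr/bin}"
    # -L catches a dangling symlink that -e would miss.
    if [ -e "$bindir/python" ] || [ -L "$bindir/python" ]; then
        printf '%s already exists (-> %s); leaving it alone\n' \
            "$bindir/python" "$(readlink -f "$bindir/python")" >&2
        return 1
    fi
    if [ ! -x "$bindir/python3" ]; then
        printf 'no executable python3 in %s\n' "$bindir" >&2
        return 1
    fi
    ln -s "$bindir/python3" "$bindir/python"
}
```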