Logrotate failing for apache logs
I've just rebuilt my server and now it appears that logrotate is failing for apache:

    wolverine:/var/log# logrotate /etc/logrotate.d/apache
    error running shared postrotate script for /var/log/apache/*.log

I've run the above command through strace and it looks like logrotate creates a file in /tmp and writes out a shell script to restart apache. I've tried recreating the script by hand and executing it from the command line, and it appears to work (echo $? displays 0). So what could be wrong?

Relevant part of strace's output:

    open("/tmp/logrotate.97X4bM", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 3
    fchmod(3, 0700) = 0
    write(3, "#!/bin/sh\n\n", 11) = 11
    write(3, "\n\t\t/etc/init.d/apache reload /"..., 41) = 41
    close(3) = 0
    rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0
    rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    fork() = 15909
    wait4(15909, [WIFEXITED(s) && WEXITSTATUS(s) == 1], 0, NULL) = 15909
    rt_sigaction(SIGINT, {SIG_DFL}, NULL, 8) = 0
    rt_sigaction(SIGQUIT, {SIG_DFL}, NULL, 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    --- SIGCHLD (Child exited) ---
    unlink("/tmp/logrotate.97X4bM") = 0
    write(2, "error running shared postrotate "..., 66error running shared postrotate script for /var/log/apache/*.log
    ) = 66

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
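The strace above shows what actually decides the outcome: logrotate writes the stanza into a temp file, runs it, and prints the error whenever the child's exit status is non-zero (here WEXITSTATUS == 1). Testing the same commands from an interactive shell proves little, because the environment differs. The following is an added example, not logrotate's code and not from the thread; it reproduces the sequence visible in the trace (temp file 0600 then 0700, "#!/bin/sh" written first, the body after it, run, unlink) so a postrotate stanza can be exercised under the same conditions. The minimal PATH-only environment and the sample config fragment are assumptions, and the reload command in it is a constructed stand-in for the one truncated in the strace output.

```python
"""Run a postrotate stanza the way the strace in this thread shows logrotate
running it, and report the exit status logrotate would act on.

Added example for illustration; not logrotate's code and not part of the
original thread.  The minimal environment is an assumption: it mimics a
cron run, which is usually what differs from a manual test in a shell.
"""
import os
import subprocess
import tempfile
from typing import Dict, Optional, Tuple

# Assumed cron-like environment: no interactive PATH, no shell aliases.
MINIMAL_ENV: Dict[str, str] = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}


def extract_postrotate(config_text: str) -> str:
    """Return the body between 'postrotate' and 'endscript', which is what
    logrotate copies into the temporary script."""
    body = []
    inside = False
    for line in config_text.splitlines():
        word = line.strip()
        if word == "postrotate":
            inside = True
        elif word == "endscript":
            inside = False
        elif inside:
            body.append(line)
    return "\n".join(body) + "\n"


def run_postrotate(body: str, env: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
    """Execute *body* as logrotate would and return (exit status, stderr).

    Any non-zero status is what makes logrotate print
    'error running shared postrotate script'.
    """
    # mkstemp opens with O_CREAT|O_EXCL and mode 0600, like open() in the trace.
    fd, path = tempfile.mkstemp(prefix="logrotate.", dir="/tmp")
    try:
        os.fchmod(fd, 0o700)                      # fchmod(3, 0700)
        with os.fdopen(fd, "w") as script:
            script.write("#!/bin/sh\n\n")         # first write() in the trace
            script.write(body)                    # second write(): the stanza
        # logrotate relies on the shebang; invoking /bin/sh explicitly gives
        # the same result and also works when /tmp is mounted noexec.
        proc = subprocess.run(
            ["/bin/sh", path],
            env=MINIMAL_ENV if env is None else env,
            capture_output=True,
            text=True,
        )
        return proc.returncode, proc.stderr
    finally:
        os.unlink(path)                           # unlink() at the end of the trace


# Constructed config fragment: the real reload command in the thread is cut
# off in the strace output, so this line is only a stand-in.
SAMPLE_CONFIG = """\
/var/log/apache/*.log {
        weekly
        missingok
        sharedscripts
        postrotate
                /etc/init.d/apache reload > /dev/null
        endscript
}
"""

if __name__ == "__main__":
    status, err = run_postrotate(extract_postrotate(SAMPLE_CONFIG))
    print(f"postrotate exit status: {status}")
    if err:
        print("stderr from the script:\n" + err, end="")
```

Feed it the stanza from /etc/logrotate.d/apache and compare the returned status with the 0 seen from the interactive shell; a difference points at the environment or the init script's own behaviour when run non-interactively.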
Sorry, wrong list. Please ignore - Re: Logrotate failing for apache logs
Malcolm Ferguson wrote:
> [snip]

Sorry, wrong list. I meant to send to debian-user.

Malc
[OT] Release cycle - was Re: My machine was hacked - possibly via sshd?
David Pastern wrote:
> On Wed, 2005-03-30 at 20:34 +1000, Matthew Palmer wrote:
>> You're not the first person to observe that woody's getting a bit long in the tooth. We're working on a new release, and no amount of aimless commentary on the symptom is going to solve the problems.
> I know. Firstly though, it's not aimless, it's absolutely valid. Just because you don't like to hear something doesn't mean it's not valid. The only way to fix a problem is for everyone to discuss it, and that means the users and not just the developers.

I completely agree that this needs to be discussed, but is a Debian security list the right forum? It's clear that Debian is used for different purposes and one size might not fit all. Personally I like long release cycles. I can't stand constantly tinkering with my systems. I've got better things to do with my time, such as using it for its intended purpose or having time to do other things.

Malc
My machine was hacked - possibly via sshd?
All,

My machine was cracked on Thursday evening. I'm trying to understand how it happened so that it doesn't go down again.

Machine was running Debian 3.0 and was behind a NAT box with ports forwarded for SMTP, HTTP and SSH. It hadn't been rebooted for 430 days. I was using a 2.4 kernel with MPPE built in.

Early on the 25th, my logcheck emails indicated increasing messages in syslog concerning failed login attempts against ssh. At some point though I see ssh authentication failures for valid user names - how? Somehow they were being enumerated in the hack attempt, and I think that one person had a weak password. Finally I see an attempt to load net-pf-14 and other modprobe errors. At some point there are also messages about the ethernet card entering promiscuous mode.

When I logged on I discovered two outgoing connections to port ircd on the foreign hosts, and something listening on port 48744 TCP. No PID associated with them. I also discovered that a bunch of binaries were failing: gzip seg faulted; man couldn't load any man pages; any commands caused new messages to appear in the syslog concerning kernel modules loading and eth0 going into promisc mode. I'm guessing (maybe I read it somewhere in a log) that a packet sniffer was running.

So what can I do to prevent it? My best guess is that ssh failed, but this is based on the log messages. Exim or Apache could have been the point of failure too though. Seeing as it was so long since I rebooted, perhaps the exploit was coupled with a kernel vulnerability. Any thoughts? I was up to date on all security patches. My kernel came from:

    deb http://www.vanadac.com/~dajhorn/projects/debian-pptp woody main

Somehow the usernames were enumerated and a weak password was discovered. There must have then been a local elevation of privileges attack at which point it was definitely all over.

I've rebuilt the machine. The biggest changes so far have been partitioning. I no longer have a single partition, but about 10, including read-only ones for /usr and /boot. I'm also running the Debian stock 2.4.18-1-586tsc kernel (I don't need to create PPTP tunnels anymore). I have Exim up and running and exposed to the internet. I need to open up ssh to external connections too soon, and of course I will be reinstalling Apache within a week.

Sample logcheck messages:

    Mar 25 01:24:19 erin-and-malc sshd[23707]: Did not receive identification string from 193.170.65.132
    Mar 25 01:31:02 erin-and-malc sshd[23661]: Did not receive identification string from 203.228.120.102
    Mar 25 02:23:12 erin-and-malc PAM_unix[24756]: authentication failure; (uid=0) - backup for ssh service
    Mar 25 02:23:14 erin-and-malc sshd[24756]: Failed password for backup from 193.170.65.132 port 4128 ssh2
    Mar 25 02:24:24 erin-and-malc PAM_unix[24884]: authentication failure; (uid=0) - erin for ssh service
    Mar 25 02:24:26 erin-and-malc sshd[24884]: Failed password for erin from 193.170.65.132 port 5776 ssh2
    Mar 25 02:40:57 erin-and-malc sshd[26053]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(17.red-82-158-1.user.auna.net) failed
    Mar 25 02:40:57 erin-and-malc sshd[26053]: refused connect from 82.158.1.17
    Mar 25 02:43:53 erin-and-malc kernel: request_module[net-pf-14]: waitpid(26279,...) failed, errno 512
    Mar 25 02:43:55 erin-and-malc kernel: request_module[net-pf-14]: waitpid(26284,...) failed, errno 512

There are hundreds of these:

    Mar 25 02:40:48 erin-and-malc sshd[26038]: Could not reverse map address 193.170.65.132.
    Mar 25 02:40:50 erin-and-malc sshd[26040]: Could not reverse map address 193.170.65.132.
    Mar 25 02:40:52 erin-and-malc sshd[26042]: Could not reverse map address 193.170.65.132.
    Mar 25 02:40:53 erin-and-malc sshd[26044]: Could not reverse map address 193.170.65.132.
    Mar 25 02:40:55 erin-and-malc sshd[26046]: Could not reverse map address 193.170.65.132.

Access gained to a normal user:

    Mar 25 02:44:03 erin-and-malc newgrp[26309]: user `steve' switched to group `steve'
    Mar 25 02:47:42 erin-and-malc PAM_unix[26416]: Password for steve was changed

And finally:

    Possible Security Violations
    =-=-=-=-=-=-=-=-=-=
    Mar 25 04:05:18 erin-and-malc kernel: request_module[ppp0]: fork failed, errno 1

    Unusual System Events
    =-=-=-=-=-=-=-=-=-=-=
    Mar 25 04:05:14 erin-and-malc modprobe: modprobe: Can't locate module ppp0
    Mar 25 04:05:18 erin-and-malc kernel: request_module[ppp0]: fork failed, errno 1
    Mar 25 05:02:04 erin-and-malc kernel: eth0: Promiscuous mode enabled.
    Mar 25 05:05:13 erin-and-malc kernel: eth0: Promiscuous mode enabled.
Re: My machine was hacked - possibly via sshd?
Mark Foster wrote:
> Malcolm Ferguson wrote:
>> My machine was cracked on Thursday evening. I'm trying to understand how it happened so that it doesn't go down again.
> Sounds to me like you know exactly how it happened - ssh user enumeration won the jackpot.

Thanks: you got me thinking. I see exactly what happened now. A dictionary attack via ssh found user 'steve' with a weak password. The auth.log shows this user login and su to root. Perhaps a local exploit?

Summary:

    Mar 25 02:42:48 erin-and-malc sshd[26185]: Accepted password for steve from 193.170.65.146 port 27310 ssh2
    Mar 25 02:42:48 erin-and-malc PAM_unix[26197]: (ssh) session opened for user steve by (uid=1008)
    Mar 25 02:44:03 erin-and-malc newgrp[26309]: user `steve' switched to group `steve'
    Mar 25 02:44:52 erin-and-malc PAM_unix[25314]: (ssh) session closed for user steve
    Mar 25 02:44:52 erin-and-malc sshd[25314]: PAM pam_putenv: delete non-existent entry; MAIL
    Mar 25 02:46:52 erin-and-malc su[26394]: + pts/1 root-root
    Mar 25 02:46:52 erin-and-malc PAM_unix[26394]: (su) session opened for user root by steve(uid=0)
    Mar 25 02:47:42 erin-and-malc PAM_unix[26416]: Password for steve was changed
    Mar 25 02:52:31 erin-and-malc su[26534]: + ttyp0 root-steve
    Mar 25 02:52:31 erin-and-malc PAM_unix[26534]: (su) session opened for user steve by (uid=0)
    Mar 25 02:52:43 erin-and-malc PAM_unix[26197]: (ssh) session closed for user steve
    Mar 25 02:52:43 erin-and-malc sshd[26197]: PAM pam_putenv: delete non-existent entry; MAIL
    etc..
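The two messages above between them contain the whole chain: repeated failed passwords from 193.170.65.132, an accepted password for steve from 193.170.65.146, a su to root, a password change and eth0 going promiscuous. The following is an added example, not from the thread, of the detection logic that would have raised each of those steps from the logcheck output rather than leaving them to be read by hand. The log lines are copied from the messages above except the one marked constructed; the failure threshold and the /24 correlation between the guessing host and the host that logged in are assumptions made for illustration.

```python
"""Spot the intrusion pattern described in this thread in auth/syslog lines:
an ssh password dictionary attack, a successful login from the same network,
su to root, a password change and the interface going promiscuous.

Added example, not part of the original thread.  Threshold and /24
correlation are assumptions.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (category, detail)

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
ROOT_SESSION = re.compile(r"\(su\) session opened for user root by (\w+)")
PASSWD_CHANGED = re.compile(r"Password for (\S+) was changed")
PROMISC = re.compile(r"kernel: (\S+): Promiscuous mode enabled")
REQUEST_MODULE = re.compile(r"kernel: request_module\[([^\]]+)\]")

FAIL_THRESHOLD = 3  # assumption: failures from one source before calling it a dictionary attack


def slash24(ip: str) -> str:
    """Network key used to tie the guessing host to the login host (assumption)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def analyse(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    failures: Counter = Counter()                   # failed logins per source IP
    tried: Dict[str, Set[str]] = defaultdict(set)   # user names guessed per source IP
    attacking_nets: Set[str] = set()

    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            tried[ip].add(user)
            if failures[ip] == FAIL_THRESHOLD:
                attacking_nets.add(slash24(ip))
                findings.append(("bruteforce",
                                 f"{ip}: {FAIL_THRESHOLD} failed ssh logins, users tried: "
                                 + ", ".join(sorted(tried[ip]))))
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            if slash24(ip) in attacking_nets:
                findings.append(("login_after_bruteforce",
                                 f"{user} logged in from {ip}, same network as the guessing host"))
            continue
        m = REQUEST_MODULE.search(line)
        if m:
            findings.append(("module_load", f"kernel request_module for {m.group(1)}"))
            continue
        m = ROOT_SESSION.search(line)
        if m:
            findings.append(("root_session", f"{m.group(1)} became root via su"))
            continue
        m = PASSWD_CHANGED.search(line)
        if m:
            findings.append(("password_change", f"password for {m.group(1)} changed"))
            continue
        m = PROMISC.search(line)
        if m:
            findings.append(("promisc", f"{m.group(1)} entered promiscuous mode (sniffer?)"))
    return findings


# Lines from the thread, in time order, plus one constructed line.
SAMPLE_LOG = [
    "Mar 25 02:23:14 erin-and-malc sshd[24756]: Failed password for backup from 193.170.65.132 port 4128 ssh2",
    "Mar 25 02:24:26 erin-and-malc sshd[24884]: Failed password for erin from 193.170.65.132 port 5776 ssh2",
    # constructed: the thread says steve's password was guessed but shows no failed attempt for him
    "Mar 25 02:30:10 erin-and-malc sshd[25102]: Failed password for steve from 193.170.65.132 port 6120 ssh2",
    "Mar 25 02:42:48 erin-and-malc sshd[26185]: Accepted password for steve from 193.170.65.146 port 27310 ssh2",
    "Mar 25 02:42:48 erin-and-malc PAM_unix[26197]: (ssh) session opened for user steve by (uid=1008)",
    "Mar 25 02:43:53 erin-and-malc kernel: request_module[net-pf-14]: waitpid(26279,...) failed, errno 512",
    "Mar 25 02:46:52 erin-and-malc su[26394]: + pts/1 root-root",
    "Mar 25 02:46:52 erin-and-malc PAM_unix[26394]: (su) session opened for user root by steve(uid=0)",
    "Mar 25 02:47:42 erin-and-malc PAM_unix[26416]: Password for steve was changed",
    "Mar 25 05:02:04 erin-and-malc kernel: eth0: Promiscuous mode enabled.",
]

if __name__ == "__main__":
    for category, detail in analyse(SAMPLE_LOG):
        print(f"{category:24s} {detail}")
```

Run against a full auth.log plus syslog the order of findings is the timeline itself; a single "login_after_bruteforce" followed by "root_session" from the same user is the point at which the box should have been pulled off the network.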
Re: My machine was hacked - possibly via sshd?
Thanks for all the feedback everybody. It looks like an ssh dictionary attack discovered a weak password, followed by a local root exploit against an out-of-date kernel. From now on I will be sticking with an official Debian stable one.

Alvin, I made a tar of the filesystem and put it on another machine before I rebuilt. Hence I've been able to revisit the logs. It's a closed case though: I don't have the time to figure out what changed etc. I certainly haven't got the time to go and break the kneecaps of the script kiddies who did this. A very good lesson for me.

I'm curious though about your statements telling me that everything I have is old and that I should be using new versions. This makes me ask: what is the point of Debian stable? Everything but the kernel was a Debian stable package with all the latest security patches.

With your suggestions and those from others, I have some more ideas about how to harden this machine. I've also been looking (again) at the Securing Debian Manual, but I think some of it is out of date (written for Debian 2.2???).

Malc

Alvin Oga wrote:
> hi ya malcolm
> [snip]
Re: passwords and crypt?
Mike Dresser wrote:
> On Fri, 30 Nov 2001, Roger Keays wrote:
>> I'm not sure if this is common knowledge or not, but I have just noticed the effects of having the first two letters of your password the same as the first two in your login name... You can use any extension of your password!! e.g., on my Woody box I added a user called 'ron' and his password was 'roniosko'. He could log in with 'ronioskos', 'ronioskoasdfasd' and so forth!
> All the ones you tried are all over 8 letters, I bet? My guess is you're using DES. DES only allows up to 8 letter passwords. Check your /etc/pam.d, look at login and passwd in there. If you add a md5 at the end of the line that handles passwords, this will enable md5, which allows longer passwords. This is backwards compatible in that your existing passwords will still work. Once you change it or add another user, it will use md5.

Interesting. I'm running Debian 2.2r2 (dist-upgraded to testing). I selected MD5 for my passwords during installation. However, it seems that it has defaulted my passwords to 8 characters too. From /etc/pam.d/passwd (login is the same):

    password required pam_unix.so nullok obscure min=4 max=8 md5
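Two things in this exchange are worth checking on a box rather than assuming: which hash scheme each account's entry in /etc/shadow actually uses (an account keeps its DES hash until the password is next changed, even after md5 is turned on in /etc/pam.d), and which hash option the pam_unix line selects. The following is an added example, not from the thread; the shadow-style lines are constructed with made-up hash strings, so only their format matters, and the "before" pam line is a constructed counterpart to the one quoted above. Traditional DES crypt is recognised by the 13-character hash with no "$" prefix; the bcrypt limit of 72 bytes is included for completeness and is a property of that algorithm, not something from the thread.

```python
"""Audit which password hashing scheme each account uses, and which scheme a
pam_unix line selects.  Traditional DES crypt only checks the first 8
characters of the password, which is the behaviour the thread diagnoses.

Added example, not part of the original thread.  Hash values below are
constructed and meaningless.
"""
import re
from typing import Dict, List, Optional, Tuple

# 13 characters from the crypt alphabet and no '$' prefix: traditional DES crypt.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

# prefix -> (scheme name, significant password characters, None meaning all)
SCHEMES: Dict[str, Tuple[str, Optional[int]]] = {
    "$1$": ("md5crypt", None),
    "$2a$": ("bcrypt", 72), "$2b$": ("bcrypt", 72), "$2y$": ("bcrypt", 72),
    "$5$": ("sha256crypt", None),
    "$6$": ("sha512crypt", None),
    "$y$": ("yescrypt", None),
    "$gy$": ("gost-yescrypt", None),
}


def classify_hash(field: str) -> Dict[str, object]:
    """Describe the password field (second field) of a shadow entry."""
    if field == "":
        return {"scheme": "none", "locked": False, "significant_chars": 0}
    if field[0] in "!*":
        return {"scheme": "locked", "locked": True, "significant_chars": None}
    if DES_HASH.match(field):
        return {"scheme": "descrypt", "locked": False, "significant_chars": 8}
    for prefix, (name, limit) in SCHEMES.items():
        if field.startswith(prefix):
            return {"scheme": name, "locked": False, "significant_chars": limit}
    return {"scheme": "unknown", "locked": False, "significant_chars": None}


def audit_shadow(lines: List[str]) -> List[Dict[str, object]]:
    """One record per account, with a note for entries that need attention."""
    report = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        info = classify_hash(field)
        note = ""
        if info["scheme"] == "descrypt":
            note = "DES crypt: only the first 8 password characters are checked; force a password change"
        elif info["scheme"] == "none":
            note = "empty password field"
        report.append({"user": user, **info, "note": note})
    return report


def pam_unix_hash_option(line: str) -> str:
    """Which hashing option a 'password ... pam_unix.so ...' line selects.
    With none of the known options present, pam_unix falls back to DES crypt."""
    if "pam_unix.so" not in line:
        raise ValueError("not a pam_unix line")
    options = line.split("pam_unix.so", 1)[1].split()
    for name in ("yescrypt", "gost_yescrypt", "sha512", "sha256", "blowfish", "bigcrypt", "md5"):
        if name in options:
            return name
    return "des"


# Constructed shadow-style lines; the hash strings are made up.
SAMPLE_SHADOW = [
    "ron:Gf8nOvTtWxYz2:11656:0:99999:7:::",                         # DES-style, 13 chars
    "malc:$1$saltsalt$abcdefghijklmnopqrstuv:11656:0:99999:7:::",   # md5crypt
    "svc:$6$saltsalt$" + "A" * 86 + ":11656:0:99999:7:::",          # sha512crypt
    "nobody:*:11656:0:99999:7:::",                                  # locked
    "guest::11656:0:99999:7:::",                                    # no password at all
]
PAM_LINE_BEFORE = "password required pam_unix.so nullok obscure min=4 max=8"      # constructed
PAM_LINE_AFTER = "password required pam_unix.so nullok obscure min=4 max=8 md5"   # from the thread

if __name__ == "__main__":
    for rec in audit_shadow(SAMPLE_SHADOW):
        print(f"{rec['user']:8s} {rec['scheme']:14s} {rec['note']}")
    print("pam_unix selects:", pam_unix_hash_option(PAM_LINE_AFTER))
```

Running audit_shadow over the real /etc/shadow (as root) lists exactly which accounts are still on DES and therefore still accept any extension of their first 8 characters, whatever /etc/pam.d now says.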
Re: Where should I start from ?
John DOE wrote:
> Have to code the application in C ( I would prefer visual basic since it is sometimes hard to tell a professor that this code does it in C especially if you are in Turkey ) or C++ and of course on GNU Debian Linux.

I'm a bit confused by this statement. First, what's Turkey got to do with the price of sausages? Second, either you have a very poor professor, or your coding and communication skills are very poor. I would lean in favour of the latter... if he/she's asked for it in C, then they probably understand it, or their teaching assistants do. With proper design documents, cleanly designed code, and comments in the code with good function/variable names, there shouldn't be an issue. Perhaps you've left it to the last minute and don't have time to do it yourself, hence you're here asking for other people to help you do it. Sorry if I seem unsympathetic!

I personally would start at www.google.com and groups.google.com. There is tons of information out there to look through. Is that enough help for you?