Securing Your Server With A Host-based Intrusion Detection Compatibility Question

Discussion in 'HOWTO-Related Questions' started by giganet, Mar 23, 2009.

  1. giganet

    giganet New Member

    Hello Group..

    I just wanted to validate to some degree the compatibility of the following Tutorial/Software installation with Ubuntu 7.10...

    http://howtoforge.com/intrusion_detection_with_ossec_hids
    Securing Your Server With A Host-based Intrusion Detection System

    Thank you

    Best Regards
     
  2. falko

    falko Super Moderator Howtoforge Staff

    I haven't tested it on Ubuntu 7.10, but I don't see why it shouldn't work. :)
     
  3. giganet

    giganet New Member

    Thank you Falko...

    I have installed OSSEC successfully onto my Ubuntu 6.06 and all seems good.

    This is the box on which ISPConfig failed after running the ISPConfig upgrade via CLI, and now MySQL is not running/inaccessible.
    OSSEC does send reports as follows which I feel is due to MySQL's status:

    Code:
    OSSEC HIDS Notification.
    2009 Mar 25 14:09:17
     
    Received From: giganetwireless->/var/log/auth.log
    Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
    Portion of the log(s):
     
    Mar 25 14:09:17 giganetwireless getty[9043]: ttyS1: ioctl: Input/output error
     
     
     
     --END OF NOTIFICATION
    
    Does my assumption seem to be on target considering the error above?

    Thank you Falko

    Best Regards
     
  5. falko

    falko Super Moderator Howtoforge Staff

    I'm not sure what the error means. Have you tried to restart MySQL? Are there any MySQL errors in the syslog?
     
  6. giganet

    giganet New Member

    Hi Falko

    I can run '/etc/init.d/mysql restart' and no complaints are returned by the server.

    However if I attempt to log into MySQL I receive the following:
    Code:
    root@giganetwireless:/etc# mysql -u root -p
    bash: mysql: command not found
    
    As if MySQL is non-existent...

    Likewise when I run 'tail -f /var/log/syslog' or even 'cat /var/lost/syslog'
    there is no data populating 'syslog' whatsoever :confused:

    This particular server is tapped for drive space, as you pointed out to me after I ran an upgrade to ISPConfig via CLI earlier this week, after which ISPConfig became inaccessible.

    I am waiting on a 1TB drive for this server then I will start fresh.
    The weird thing is that everything that relies on MySQL, such as E-Mail, functions without a hitch.

    Thanks Falko
    Have a great day.

    Best Regards
     
  7. falko

    falko Super Moderator Howtoforge Staff

    Did you install the MySQL client package?
     
  8. giganet

    giganet New Member

    Hi Falko

    I am sure that the mysql-client package was installed originally, but to be sure I ran 'apt-get install mysql-client'

    system reply:
    Code:
    Reading package lists... Done
    Building dependency tree... Done
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    Since you only requested a single operation it is extremely likely that
    the package is simply not installable and a bug report against
    that package should be filed.
    The following information may help to resolve the situation:
    The following packages have unmet dependencies:
      mysql-client: Depends: mysql-client-5.1 but it is not going to be installed
    E: Broken packages
     
    
    I accessed '/etc/mysql' and opened 'debian.cnf' it's contents do show client settings...

    Code:
    # Automatically generated for Debian scripts. DO NOT TOUCH!
    [client]
    host     = localhost
    user     = debian-sys-maint
    password = Nhguuhdre35XXB
    socket   = /var/run/mysqld/mysqld.sock
    [mysql_upgrade]
    host     = localhost
    user     = debian-sys-maint
    password = Nhguuhdre35XXB
    socket   = /var/run/mysqld/mysqld.sock
     
    
    I mangled the password just for safety in this post.

    Thank you Falko

    Best Regards
     
  9. falko

    falko Super Moderator Howtoforge Staff

    What's in /etc/apt/sources.list?
     
  10. giganet

    giganet New Member

    Hi Falko, Thank you for the reply and sorry for the long delay of answer.

    The contents of '/etc/apt/sources.list'

    Code:
    #
    # deb cdrom:[Ubuntu-Server 6.06.1 _Dapper Drake_ - Release i386 (20060807.1)]/ dapper main restricted
    # deb cdrom:[Ubuntu-Server 6.06.1 _Dapper Drake_ - Release i386 (20060807.1)]/ dapper main restricted
    deb http://us.archive.ubuntu.com/ubuntu/ dapper main restricted
    deb-src http://us.archive.ubuntu.com/ubuntu/ dapper main restricted
    
    ## MySQL Update links provided by Falko Timme HowToForge.com (projectfarm.org).
    ## Add to /etc/apt/sources.list, run apt-get update and then apt-get install mysql
    deb http://packages.dotdeb.org stable all
    deb-src http://packages.dotdeb.org stable all
    ## Major bug fix updates produced after the final release of the
    ## distribution.
    deb http://us.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
    deb-src http://us.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
    ## Uncomment the following two lines to add software from the 'universe'
    ## repository.
    ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
    ## team, and may not be under a free licence. Please satisfy yourself as to
    ## your rights to use the software. Also, please note that software in
    ## universe WILL NOT receive any review or updates from the Ubuntu security
    ## team.
    deb http://us.archive.ubuntu.com/ubuntu/ dapper universe
    deb-src http://us.archive.ubuntu.com/ubuntu/ dapper universe
    ## Uncomment the following two lines to add software from the 'backports'
    ## repository.
    ## N.B. software from this repository may not have been tested as
    ## extensively as that contained in the main release, although it includes
    ## newer versions of some applications which may provide useful features.
    ## Also, please note that software in backports WILL NOT receive any review
    ## or updates from the Ubuntu security team.
    deb http://us.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
    deb-src http://us.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
    
    deb http://security.ubuntu.com/ubuntu dapper-security main restricted
    deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted
    deb http://security.ubuntu.com/ubuntu dapper-security universe
    deb-src http://security.ubuntu.com/ubuntu dapper-security universe
     
    
    Have a great day

    Best Regards
     
  11. falko

    falko Super Moderator Howtoforge Staff

    I think the problem could be caused by the dotdeb.org repository. Can you remove it and try to install the MySQL client again?
     
  12. giganet

    giganet New Member

    Hi Falko

    OK after I removed the 'dotdeb' lines from sources.list I ran:

    'apt-get update'
    'apt-get upgrade'

    Then I re-installed mysql-client.

    After this things did progress forward.
    I am now able to 'stop' & 'start' MySQL.

    When I try to log onto mysql via CLI I receive the following:

    Code:
    ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
    
    Likewise if I attempt to log into ISPConfig I receive the following:

    Code:
     
    Warning: mysql_connect() [function.mysql-connect]: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) in /home/admispconfig/ispconfig/lib/classes/ispconfig_db_mysql.lib.php on line 77
     
    Warning: mysql_connect() [function.mysql-connect]: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) in /home/admispconfig/ispconfig/lib/classes/ispconfig_db_mysql.lib.php on line 77
     
    Warning: Cannot modify header information - headers already sent by (output started at /home/admispconfig/ispconfig/lib/classes/ispconfig_db_mysql.lib.php:77) in /home/admispconfig/ispconfig/web/login/login.php on line 62
    

    I ran this command: 'find / -name mysql.sock'

    RESULTS:
    Code:
    /var/lib/mysql/mysql.sock
    
    And this command: 'find / -name mysql'

    RESULTS:
    Code:
    /var/lib/mysql
    /var/lib/mysql/mysql
    /var/log/mysql
    /etc/init.d/mysql
    /etc/mysql
    /usr/bin/mysql
    /usr/include/mysql
    /usr/lib/perl5/auto/DBD/mysql
    /usr/lib/perl5/DBD/mysql
    
    my.cnf contents

    Code:
    # The MySQL database server configuration file.
    #
    # You can copy this to one of:
    # - "/etc/mysql/my.cnf" to set global options,
    # - "~/.my.cnf" to set user-specific options.
    #
    # One can use all long options that the program supports.
    # Run program with --help to get a list of available options and with
    # --print-defaults to see which it would actually understand and use.
    #
    # For explanations see
    # http://dev.mysql.com/doc/mysql/en/server-system-variables.html
    # This will be passed to all mysql clients
    # It has been reported that passwords should be enclosed with ticks/quotes
    # escpecially if they contain "#" chars...
    # Remember to edit /etc/mysql/debian.cnf when changing the socket location.
    [client]
    port            = 3306
    socket          = /var/run/mysqld/mysqld.sock
    # Here is entries for some specific programs
    # The following values assume you have at least 32M ram
    # This was formally known as [safe_mysqld]. Both versions are currently parsed.
    [mysqld_safe]
    socket          = /var/run/mysqld/mysqld.sock
    nice            = 0
    [mysqld]
    #
    # * Basic Settings
    #
    user            = mysql
    pid-file        = /var/run/mysqld/mysqld.pid
    socket          = /var/run/mysqld/mysqld.sock
    port            = 3306
    basedir         = /usr
    datadir         = /var/lib/mysql
    tmpdir          = /tmp
    language        = /usr/share/mysql/english
    skip-external-locking
    #
    # localhost which is more compatible and is not less secure.
    bind-address            = 127.0.0.1
    #
    # * Fine Tuning
    #
    key_buffer              = 16M
    max_allowed_packet      = 16M
    thread_stack            = 128K
    thread_cache_size       = 8
    #max_connections        = 100
    #table_cache            = 64
    #thread_concurrency     = 10
    #
    # * Query Cache Configuration
    #
    query_cache_limit       = 1M
    query_cache_size        = 16M
    #
    # * Logging and Replication
    #
    # Both location gets rotated by the cronjob.
    # Be aware that this log type is a performance killer.
    #log            = /var/log/mysql/mysql.log
    #
    # Error logging goes to syslog. This is a Debian improvement :)
    #
    # Here you can see queries with especially long duration
    #log_slow_queries       = /var/log/mysql/mysql-slow.log
    #long_query_time = 2
    #log-queries-not-using-indexes
    #
    # The following can be used as easy to replay backup logs or for replication.
    # note: if you are setting up a replication slave, see README.Debian about
    #       other settings you may need to change.
    #server-id              = 1
    log_bin                 = /var/log/mysql/mysql-bin.log
    # WARNING: Using expire_logs_days without bin_log crashes the server! See README.Debian!
    expire_logs_days        = 10
    max_binlog_size         = 100M
    #binlog_do_db           = include_database_name
    #binlog_ignore_db       = include_database_name
    #
    # * BerkeleyDB
    #
    # Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
    skip-bdb
    #
    # * InnoDB
    #
    # InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
    # Read the manual for more InnoDB related options. There are many!
    # You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
    #skip-innodb
    #
    # * Security Features
    #
    # Read the manual, too, if you want chroot!
    # chroot = /var/lib/mysql/
    #
    # For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
    #
    # ssl-ca=/etc/mysql/cacert.pem
    # ssl-cert=/etc/mysql/server-cert.pem
    # ssl-key=/etc/mysql/server-key.pem
     
    [mysqldump]
    quick
    quote-names
    max_allowed_packet      = 16M
    [mysql]
    #no-auto-rehash # faster start of mysql but no tab completition
    [isamchk]
    key_buffer              = 16M
    #
    # * NDB Cluster
    #
    # See /usr/share/doc/mysql-server-*/README.Debian for more information.
    #
    # The following configuration is read by the NDB Data Nodes (ndbd processes)
    # not from the NDB Management Nodes (ndb_mgmd processes).
    #
    # [MYSQL_CLUSTER]
    # ndb-connectstring=127.0.0.1
     
    #
    # * IMPORTANT: Additional settings that can override those from this file!
    #
    !includedir /etc/mysql/conf.d/
    

    'netstat -tap' Returns:

    Code:
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 localhost.localdo:39882 *:*                     LISTEN     4942/hpiod
    tcp        0      0 *:54000                 *:*                     LISTEN     22539/sshd
    tcp        0      0 *:81                    *:*                     LISTEN     5766/ispconfig_http
    tcp        0      0 *:ftp                   *:*                     LISTEN     5615/proftpd: (acce
    tcp        0      0 mail.giganetwire:domain *:*                     LISTEN     4906/named
    tcp        0      0 giganetwireless.:domain *:*                     LISTEN     4906/named
    tcp        0      0 localhost.locald:domain *:*                     LISTEN     4906/named
    tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN     4994/cupsd
    tcp        0      0 *:smtp                  *:*                     LISTEN     5384/master
    tcp        0      0 localhost.localdoma:953 *:*                     LISTEN     4906/named
    tcp        0    296 giganetwireless.c:54000 65.197.209.10:59895     ESTABLISHED12329/sshd: leela [
    tcp6       0      0 *:imaps                 *:*                     LISTEN     5083/couriertcpd
    tcp6       0      0 *:pop3s                 *:*                     LISTEN     5124/couriertcpd
    tcp6       0      0 *:pop3                  *:*                     LISTEN     5101/couriertcpd
    tcp6       0      0 *:imap2                 *:*                     LISTEN     5060/couriertcpd
    tcp6       0      0 *:www                   *:*                     LISTEN     13471/apache2
    tcp6       0      0 *:smtp                  *:*                     LISTEN     5384/master
    tcp6       0      0 ::1%134723248:953       *:*                     LISTEN     4906/named
    tcp6       0      0 *:https                 *:*                     LISTEN     13471/apache2
     
    
    Shouldn't I see 'mysqld' running? :confused:


    Thanking you in advance Falko
    Best Regards
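The exchange above boils down to one question: the client looks for the socket at the path in /etc/mysql/my.cnf, `find` turned up a socket under /var/lib/mysql instead, and no mysqld appears in `netstat -tap`. The script below is an added example, not code from the thread or from the MySQL/Debian packaging: it reads the `socket=` value out of each relevant section of my.cnf and debian.cnf, reports any disagreement between them, and checks whether a Unix socket actually exists at the configured path. The two option files it parses are constructed samples written to a temp directory (the debian.cnf password is a placeholder); point `MY_CNF` and `DEBIAN_CNF` at the real files to run it on a server.

```shell
#!/bin/sh
# Added example (not from the original thread): reconcile the socket path that
# the MySQL client, mysqld_safe and mysqld read from my.cnf/debian.cnf, then
# check whether that socket exists. File contents below are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MY_CNF="$WORK/my.cnf"          # assumption: stands in for /etc/mysql/my.cnf
DEBIAN_CNF="$WORK/debian.cnf"  # assumption: stands in for /etc/mysql/debian.cnf

# Constructed sample resembling the Debian/Ubuntu defaults quoted in the thread.
cat >"$MY_CNF" <<'EOF'
[client]
port            = 3306
socket          = /var/run/mysqld/mysqld.sock
[mysqld_safe]
socket          = /var/run/mysqld/mysqld.sock
nice            = 0
[mysqld]
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
datadir         = /var/lib/mysql
EOF

# Constructed sample of a debian.cnf whose socket has drifted from my.cnf.
cat >"$DEBIAN_CNF" <<'EOF'
[client]
host     = localhost
user     = debian-sys-maint
password = PLACEHOLDER
socket   = /var/lib/mysql/mysql.sock
EOF

# cnf_value FILE SECTION KEY: print KEY's value inside [SECTION] of an
# ini-style MySQL option file ("key = value" form; comments ignored;
# first match wins; prints nothing when the section or key is absent).
cnf_value() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/  { insec = ($1 == want); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# sockets_consistent FILE...: return 0 when every socket= value found in the
# [client], [mysqld_safe] and [mysqld] sections of the given files agrees.
sockets_consistent() {
    first=""
    for f in "$@"; do
        for sec in client mysqld_safe mysqld; do
            s=$(cnf_value "$f" "$sec" socket)
            [ -z "$s" ] && continue
            if [ -z "$first" ]; then
                first=$s
            elif [ "$s" != "$first" ]; then
                echo "socket mismatch: $f [$sec] uses $s, expected $first" >&2
                return 1
            fi
        done
    done
    return 0
}

# socket_status PATH: 0 if a Unix socket exists at PATH, 1 otherwise. A
# missing socket with no mysqld process is the state ERROR 2002 (2)
# describes: the client looks in the right place but nothing listens there.
socket_status() {
    if [ -S "$1" ]; then
        echo "socket present: $1"
        return 0
    fi
    if pgrep -x mysqld >/dev/null 2>&1; then running=yes; else running=no; fi
    echo "no socket at $1 (mysqld process running: $running)" >&2
    return 1
}

# Demo run on the constructed files.
sockets_consistent "$MY_CNF" "$DEBIAN_CNF" || echo "fix the option files before restarting mysqld"
socket_status "$(cnf_value "$MY_CNF" client socket)" || true
```

Run it against the real files before trusting `/etc/init.d/mysql restart`: the init script in the thread returned silently while `ps aux | grep mysql` showed no server, so a clean exit from the script is not evidence that mysqld is up. When the socket is missing and the process is absent, the next stop is mysqld's own error output (on Debian-derived systems it goes to syslog, as the my.cnf comment says) and free space under /var/lib/mysql and /tmp, since the poster had already noted the disk was full.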
     
  13. falko

    falko Super Moderator Howtoforge Staff

    What's the output of
    Code:
    ps aux | grep mysql
    ? I guess there's still an old instance running; if it is, try to stop it and start MySQL again.
     
  14. giganet

    giganet New Member

    Hi Falko thanks for the reply


    The output of 'ps aux | grep mysql'

    Code:
    root     30369  0.0  0.0   2876   804 pts/0    S+   07:58   0:00 grep mysql
    
    I tried stopping mysql '/etc/init.d/mysql/stop' then re-started mysql, but when I attempt to log into mysql via CLI it still returns the same error...

    Best Regards
     
  15. falko

    falko Super Moderator Howtoforge Staff

    What's in /etc/init.d/mysql? Maybe that script is using another my.cnf?
     
  16. giganet

    giganet New Member

    Thanks for the reply Falko

    I opened /etc/init.d/mysql and the following lines are pointing back to the correct my.cnf within the correct dir.
    Code:
    SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
    CONF=/etc/mysql/my.cnf
    MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
    
    Puzzling situation

    Best Regards
     
  17. falko

    falko Super Moderator Howtoforge Staff

    Can you try to restart MySQL?
    Code:
    /etc/init.d/mysql restart
    Do you see any error messages? What's the output of
    Code:
    netstat -tap
    then?
     
  18. giganet

    giganet New Member

    Hi Falko thanks for the reply...

    I ran '/etc/init.d/mysql restart' and no errors are displayed the system just returns to the command line as if all went well.

    Here is the output of 'netstat -tap'
    Code:
    root@giganetwireless:/etc/postfix# netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 localhost.localdo:39882 *:*                     LISTEN     4942/hpiod
    tcp        0      0 *:54000                 *:*                     LISTEN     22539/sshd
    tcp        0      0 *:81                    *:*                     LISTEN     5766/ispconfig_http
    tcp        0      0 *:ftp                   *:*                     LISTEN     5615/proftpd: (acce
    tcp        0      0 mail.giganetwire:domain *:*                     LISTEN     4906/named
    tcp        0      0 giganetwireless.:domain *:*                     LISTEN     4906/named
    tcp        0      0 localhost.locald:domain *:*                     LISTEN     4906/named
    tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN     4994/cupsd
    tcp        0      0 *:smtp                  *:*                     LISTEN     5384/master
    tcp        0      0 localhost.localdoma:953 *:*                     LISTEN     4906/named
    tcp        0      0 giganetwireless.c:36487 giganetwireless.co:smtp TIME_WAIT  -
    tcp        0    148 giganetwireless.c:54000 65.197.209.10:60160     ESTABLISHED1164/sshd: leela [p
    tcp6       0      0 *:imaps                 *:*                     LISTEN     5083/couriertcpd
    tcp6       0      0 *:pop3s                 *:*                     LISTEN     5124/couriertcpd
    tcp6       0      0 *:pop3                  *:*                     LISTEN     5101/couriertcpd
    tcp6       0      0 *:imap2                 *:*                     LISTEN     5060/couriertcpd
    tcp6       0      0 *:www                   *:*                     LISTEN     13471/apache2
    tcp6       0      0 *:smtp                  *:*                     LISTEN     5384/master
    tcp6       0      0 ::1%134723248:953       *:*                     LISTEN     4906/named
    tcp6       0      0 *:https                 *:*                     LISTEN     13471/apache2
    tcp6       0      0 giganetwireless.com:www crawl-15.cuill.co:45102 TIME_WAIT  -

    Best Regards
     
  19. falko

    falko Super Moderator Howtoforge Staff

    Still not running. Are there any MySQL errors in /var/log/syslog when you try to restart MySQL?
     
  20. giganet

    giganet New Member

    Hi Falko thank you for the reply...

    New Information: I have found that when OSSEC sends notices as below:
    Code:
    OSSEC HIDS Notification.
    2009 Apr 08 21:01:47
    
    Received From: giganetwireless->/var/log/auth.log
    Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
    Portion of the log(s):
    
    Apr  8 21:01:46 giganetwireless getty[9018]: ttyS1: ioctl: Input/output error
    
    
    
     --END OF NOTIFICATION
    I have just found that at the same time OSSEC sends error notices that I am also receiving a system message as follows:
    Code:
    Warning: service mysqld not running (server: giganetwireless.com)!
    
    Message generated at April 8, 2009, 21:30.
    Out of curiosity I took a look at '/var/log/auth.log' a few sample lines below:
    Code:
    Apr  8 21:39:01 giganetwireless CRON[11616]: (pam_unix) session opened for user root by (uid=0)
    Apr  8 21:39:01 giganetwireless CRON[11616]: (pam_unix) session closed for user root
    Apr  8 21:40:37 giganetwireless getty[11703]: ttyS1: ioctl: Input/output error
    Apr  8 21:40:47 giganetwireless getty[11710]: ttyS1: ioctl: Input/output error
    

    I restarted mysql '/etc/init.d/mysql restart' and then ran 'tail -f /var/log/syslog' and all I see in there are mail type messages, nothing pertaining to MySQL though.

    Best Regards
     
    Last edited: Apr 9, 2009
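The notifications quoted in this thread (posts 3 and 20) all come from OSSEC rule 1002, the level-2 catch-all that fires on generic error words, and the line it quotes each time is written by getty, not by mysqld. The following script is an added example, not part of the thread or of OSSEC: it parses an OSSEC e-mail notification into its fields (rule id, level, agent, source log, description, quoted log line), extracts the program name from the quoted syslog line, and applies a minimum-level filter. The notification text is a constructed sample laid out like the ones posted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): structured parsing of an
# OSSEC HIDS e-mail notification. SAMPLE_ALERT is a constructed sample in
# the same layout as the notifications quoted in the thread.

SAMPLE_ALERT='OSSEC HIDS Notification.
2009 Apr 08 21:01:47

Received From: giganetwireless->/var/log/auth.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr  8 21:01:46 giganetwireless getty[9018]: ttyS1: ioctl: Input/output error



 --END OF NOTIFICATION'

# ossec_field ALERT NAME: print one field of the notification. NAME is one of
# rule, level, agent, logfile, desc, logline (first quoted log line).
ossec_field() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^Received From: / {
            split($3, parts, "->")          # agent->path/to/logfile
            agent = parts[1]; logfile = parts[2]
        }
        /^Rule: / {
            rule = $2                       # "Rule: 1002 fired (level 2) -> ..."
            level = $5; sub(/\)/, "", level)
            desc = $0; sub(/^[^"]*"/, "", desc); sub(/"$/, "", desc)
        }
        /^Portion of the log/ { inlog = 1; next }
        inlog && NF && !/^ --END OF NOTIFICATION/ && logline == "" { logline = $0 }
        END {
            if      (name == "rule")    print rule
            else if (name == "level")   print level
            else if (name == "agent")   print agent
            else if (name == "logfile") print logfile
            else if (name == "desc")    print desc
            else if (name == "logline") print logline
        }
    '
}

# log_program LINE: the syslog program name from a line such as
# "Apr  8 21:01:46 host getty[9018]: ttyS1: ioctl: ..." (here: getty).
# This is the field that says which daemon an alert really came from.
log_program() {
    printf '%s\n' "$1" | sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]+ [^ ]+ ([^:[]+).*/\1/'
}

# ossec_at_least ALERT MIN: return 0 when the alert level is MIN or higher.
# Rule 1002 is level 2, so a threshold of 3 drops this class of noise.
ossec_at_least() {
    lvl=$(ossec_field "$1" level)
    [ -n "$lvl" ] && [ "$lvl" -ge "$2" ]
}

# Demo run on the constructed sample.
line=$(ossec_field "$SAMPLE_ALERT" logline)
printf 'rule=%s level=%s agent=%s log=%s program=%s\n' \
    "$(ossec_field "$SAMPLE_ALERT" rule)"  "$(ossec_field "$SAMPLE_ALERT" level)" \
    "$(ossec_field "$SAMPLE_ALERT" agent)" "$(ossec_field "$SAMPLE_ALERT" logfile)" \
    "$(log_program "$line")"
ossec_at_least "$SAMPLE_ALERT" 3 || echo "below threshold 3: would not be mailed"
```

Feeding each notification through `log_program` is the quick way to test the kind of assumption made in post 3: an alert whose quoted line belongs to getty says nothing about mysqld, whichever service happens to be down at the same time. The "service mysqld not running" warning in post 20 is a separate monitor's message and should be correlated on its own timestamp. For the noise itself, OSSEC's own knob is `email_alert_level` in ossec.conf, which is what the level filter here imitates; raising it above 2 keeps rule 1002 out of the inbox without touching the rule set.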
