The PyMongo distribution contains the tools for talking to a MongoDB database from Python. It ships its own bson module, so a separately installed bson package from PyPI, or Ubuntu's python-bson and python-gridfs packages, conflict with it (typically surfacing as import errors). Remove them and reinstall PyMongo:
sudo pip uninstall pymongo
sudo pip uninstall bson
sudo apt-get remove python-bson
sudo apt-get remove python-gridfs
sudo pip install pymongo -U
Conpot is a low-interaction, server-side Industrial Control Systems (ICS) honeypot whose goal is to collect intelligence about the motives and methods of adversaries targeting industrial control systems.
For more information, see the Conpot project page at https://github.com/glastopf/conpot.
First, edit your apt sources list and add the line below (this is for Ubuntu 12.04 "precise"; snmp-mibs-downloader lives in the multiverse component):
nano /etc/apt/sources.list
deb http://us.archive.ubuntu.com/ubuntu precise main multiverse
After that, update your OS:
sudo apt-get update
Then, install required dependencies:
sudo apt-get install libsmi2ldbl snmp-mibs-downloader python-dev libevent-dev libxslt1-dev libxml2-dev sqlite sqlite3 git
Some dependencies need to be installed via pip. Note that this installs them into the system Python as root; a virtualenv keeps them apart from the distro's own packages:
pip install --upgrade gevent pysnmp lxml bottle jinja2 beautifulsoup4 requests sphinx libtaxii xlrd crc16
Install modbus-tk (a Python library for building Modbus masters and slaves, which Conpot uses for its Modbus service):
cd /opt
git clone https://github.com/glastopf/modbus-tk.git
cd modbus-tk
python setup.py build
python setup.py install
Install Conpot:
cd /opt
git clone https://github.com/glastopf/conpot.git
cd conpot
python setup.py build
python setup.py install
Finished! The next step is to run Conpot:
$ conpot
Conpot is now listening on these ports (HTTP, S7comm, Modbus and SNMP respectively):
$ netstat -lnput | grep python
tcp 0 0 0.0.0.0:102 0.0.0.0:* LISTEN 62822/python
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 62822/python
tcp 0 0 0.0.0.0:502 0.0.0.0:* LISTEN 62822/python
udp 0 0 0.0.0.0:161 0.0.0.0:* 62822/python
Make sure none of those ports is already in use by another service (an existing web server on 80 or snmpd on 161 are the usual collisions), or Conpot will fail to bind. Note that it binds on 0.0.0.0: run the honeypot on a host that is meant to be exposed and is kept apart from production systems.
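A quick pre-flight check for the port clash mentioned above, as an added example (not part of the original post or of the Conpot project): it reads the output of `netstat -lnput` on stdin and reports every Conpot port that something else already holds. The netstat listing embedded below is constructed for the demonstration, not a capture; the port list is the one shown in the netstat output above.

```shell
#!/bin/sh
# Added example: report which of Conpot's ports are already bound.
# Usage:  netstat -lnput | conpot_ports_free && conpot
# Assumes the netstat column layout shown above (net-tools on Linux).

# Ports Conpot bound in the listing above: HTTP, S7comm, Modbus, SNMP.
CONPOT_PORTS="tcp/80 tcp/102 tcp/502 udp/161"

# conpot_port_conflicts: stdin = netstat -lnput output;
# stdout = one "proto/port PID/program" line per Conpot port already in use.
conpot_port_conflicts() {
    awk -v want="$CONPOT_PORTS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        # Header lines start with "Active"/"Proto"; data rows with tcp, tcp6, udp, udp6.
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            port = $4; sub(/.*:/, "", port)      # "0.0.0.0:80" or ":::80" -> "80"
            key = proto "/" port
            # PID/Program is the last column for tcp (7 cols) and udp (6 cols) alike.
            if (key in need) print key " " $NF
        }' | sort -u
}

# conpot_ports_free: exit 0 when nothing conflicts, else print the conflicts
# on stderr and exit 1 (so it can gate the start of conpot with &&).
conpot_ports_free() {
    conflicts=$(conpot_port_conflicts)
    [ -z "$conflicts" ] || { printf '%s\n' "$conflicts" >&2; return 1; }
}

# Constructed sample of `netstat -lnput` output (not a real capture): a web
# server on 80 and snmpd on 161 would both collide with Conpot; sshd would not.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      1234/apache2
udp        0      0 0.0.0.0:161             0.0.0.0:*                           990/snmpd'

# Demonstration on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_NETSTAT" | conpot_ports_free || echo "resolve the conflicts above before starting conpot"
```

The real run is `netstat -lnput | conpot_ports_free && conpot`; on a host where netstat is gone in favour of `ss`, the column layout differs and the awk field numbers need adjusting.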
Recently I purchased a Comodo PositiveSSL certificate for one of my websites. Since this was my first experience installing an SSL certificate on Apache, I wrote this article so that anyone can follow these steps, and also as a personal note.
First, tell Apache to do name-based virtual hosting on port 443 as well, by adding this line to ports.conf:
NameVirtualHost *:443
So the ports.conf will look something like this (the Listen 443 line is what actually opens the port; without it the vhost below is never reached):
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>
On Apache 2.4 the NameVirtualHost lines are no longer needed (they only log a warning), but the Listen lines still are. Then, in the vhost for the site, add the SSL directives:
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/crt/www_your_domainname_org.crt
    SSLCertificateKeyFile /etc/ssl/crt/private.key
    SSLCACertificatePath /etc/ssl/crt/
    SSLCACertificateFile /etc/ssl/crt/www_your_domainname_org.cer
    # ServerName, DocumentRoot and the rest of the vhost go here as usual
</VirtualHost>
SSLCertificateFile
This is the actual SSL certificate. Comodo names it after your domain, e.g. www_your_domainname_org.crt. Copy the file into the directory /etc/ssl/crt/ and make sure the vhost file points to it.
SSLCertificateKeyFile
When you generated the CSR to send to the commercial SSL issuer you also produced a private key file. Move it into the same folder as the certificate if it is not there already and point the SSLCertificateKeyFile line in your vhost at it. This key is the one real secret in the whole setup: keep it owned by root with mode 0600, and never paste it into the issuer's web form or a support ticket (they only ever need the CSR).
SSLCACertificateFile
Comodo sends a zip file with three individual CRT files in it, and you need to combine two of them into one file. Ignore the file named after your domain (that is the certificate from the first step) and focus on the other two. They have to be concatenated in a specific order: the intermediate CA certificate first, then the root, so that each certificate is followed by the one that signed it. Strictly speaking the root does not need to be served at all, since clients must already trust it, but including it is harmless. Note that the directive Apache documents for the server's own chain is SSLCertificateChainFile (Apache 2.2) or, from 2.4.8 on, simply appending the intermediate certificates after the server certificate in SSLCertificateFile; SSLCACertificateFile is documented for verifying client certificates, and the configuration above relies on mod_ssl completing the server chain from it. If an SSL checker reports an incomplete chain, move the bundle to SSLCertificateChainFile.
Run this command to generate a file that matches your vhost config, remembering to change the file names to whatever the SSL issuer has given you:
cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > www_your_domainname_org.cer
Then enable mod_ssl (if it is not already enabled) and restart Apache. Running a configuration test first avoids a restart that leaves the site down on a typo:
sudo a2enmod ssl
sudo service apache2 restart
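Before restarting Apache it is worth checking that the private key really belongs to the certificate and that the bundle is in the order described above, because a mismatch only shows up as a failed restart or a browser warning. The script below is an added example, not part of the original post or of Comodo's instructions; it assumes the openssl command-line tool is installed, all file names are placeholders, and make_demo_pki builds a throwaway root, intermediate and leaf purely so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example: sanity-check certificate, key and CA bundle before use.
# Assumes the openssl CLI; file names are placeholders for your own.

# key_matches_cert CERT KEY: true when KEY is the private key behind CERT.
# Compares the public keys, so it works for RSA and EC alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# chain_is_ordered BUNDLE: true when every certificate in BUNDLE is issued by
# the one after it, i.e. intermediate(s) first and the root last, which is
# what `cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt` produces.
chain_is_ordered() {
    dir=$(mktemp -d) || return 1
    # Split the PEM bundle into 1.pem, 2.pem, ... in order of appearance.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (d "/" n ".pem") }' "$1"
    count=$(ls "$dir" | wc -l | tr -d ' ')
    ok=0
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$dir/$i.pem" | sed 's/^issuer=//')
        subject=$(openssl x509 -noout -subject -in "$dir/$((i + 1)).pem" | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || ok=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$ok"
}

# leaf_verifies LEAF BUNDLE ROOT: full path validation, the way a client does it.
leaf_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# make_demo_pki DIR: build a throwaway root -> intermediate -> leaf chain so the
# checks above can run offline. Nothing here is a real Comodo certificate.
make_demo_pki() {
    d="$1"; mkdir -p "$d" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null || return 1
    done
    openssl req -x509 -new -key "$d/root.key" -subj "/CN=Demo Root" -days 1 -out "$d/root.crt" || return 1
    openssl req -new -key "$d/int.key" -subj "/CN=Demo Intermediate" -out "$d/int.csr" || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 1 -out "$d/int.crt" 2>/dev/null || return 1
    openssl req -new -key "$d/leaf.key" -subj "/CN=www.example.org" -out "$d/leaf.csr" || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 1 -out "$d/leaf.crt" 2>/dev/null || return 1
    cat "$d/int.crt" "$d/root.crt" > "$d/bundle.cer"   # intermediate first, root last
}
```

On the real files the calls are `key_matches_cert www_your_domainname_org.crt private.key`, `chain_is_ordered www_your_domainname_org.cer` and `leaf_verifies www_your_domainname_org.crt www_your_domainname_org.cer AddTrustExternalCARoot.crt`; any one of them returning non-zero is worth fixing before touching Apache.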
To change your MySQL root password, first connect to the server from a terminal:
mysql -u root -p
In my case, my root password is null/empty (just press Enter at the prompt). So I need to set a new MySQL root password.
After logging in to mysql, enter these commands, replacing NewStrongPassword with the password you actually want:
use mysql;
UPDATE user SET password=PASSWORD('NewStrongPassword') WHERE User='root';
flush privileges;
This is the MySQL 5.5/5.6 way. On MySQL 5.7 and later the column is called authentication_string and the PASSWORD() function has been removed, so there you set the password with the ALTER USER statement instead.
If you try to ssh to your server and get this error:
no hostkey alg
the server has no usable host keys (usually the /etc/ssh/ssh_host_* files are missing or unreadable, for example on a cloned image where they were deleted). Regenerate them on the server:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
then restart the ssh service. Two caveats: OpenSSH 7.0 and later no longer accept DSA host keys by default, so the RSA key (or an Ed25519 one) is what clients will actually use; and new host keys mean new fingerprints, so every client that knew the old server will see a "host key has changed" warning on its next connection and needs its known_hosts entry updated.
First, get the MySQL installer from https://dev.mysql.com/downloads/mysql/#downloads
I ran the following command to get MySQL 5.6.14 (32-bit):
wget -O mysql-5.6.14.deb https://dev.mysql.com/get/Downloads/MySQL-5.6/mysql-5.6.14-debian6.0-i686.deb/from/http://cdn.mysql.com/
Compare the package's checksum with the one published on the download page before installing it as root.
Install the dependency:
sudo apt-get install libaio1
Then install MySQL 5.6.14:
sudo dpkg -i mysql-5.6.14.deb
Backup your MySQL 5.5 data
You will need this only if you are upgrading.
cd ~
mkdir backup && cd backup
mysqldump -A --events > alldb.sql
cp -pr /etc/mysql config
service mysql stop
cp -pr /var/lib/mysql/ data
(Add -u root -p to the mysqldump command if root has a password.) This backup folder now holds the config, a logical dump and the raw data directory in case anything goes wrong. If everything goes well you will not need it, but keep it until the new server has been running for a while, and keep it readable only by root, since it contains all your data and the password hashes.
Remove MySQL 5.5 Packages
sudo apt-get remove mysql-common mysql-server-5.5 mysql-server-core-5.5 mysql-client-5.5 mysql-client-core-5.5
sudo apt-get autoremove
Setup MySQL 5.6 Startup Script
cp /opt/mysql/server-5.6/support-files/mysql.server /etc/init.d/mysql.server
update-rc.d -f mysql remove
update-rc.d mysql.server defaults
Update environment
sudo nano /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/opt/mysql/server-5.6/bin"
source /etc/environment
Confirm changes
Run this command:
which mysql
Should show:
/opt/mysql/server-5.6/bin/mysql
Update mysql config file
sudo nano /etc/mysql/my.cnf
basedir = /opt/mysql/server-5.6
lc-messages-dir = /opt/mysql/server-5.6/share
Start MySQL 5.6
It's time to start the new MySQL:
service mysql.server start
If the server fails to start on a 64-bit host, install the 32-bit compatibility libraries (this is a 32-bit build of MySQL); php5-mysql is only needed if PHP on this box talks to the database:
sudo apt-get install ia32-libs php5-mysql
Then try to start it again.
Final Step
If you are upgrading from MySQL 5.5, run:
mysql_upgrade -u root -p
Otherwise, for a fresh install, initialise the data directory:
/opt/mysql/server-5.6/scripts/mysql_install_db --user=mysql --datadir=/var/lib/mysql
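The backup step above is the one place where a silent failure hurts: mysqldump can stop half-way (lost connection, full disk, wrong password) and still leave a plausible-looking file, which you only discover when the restore is missing tables. The script below is an added example, not part of the original post: it performs the same backup but refuses to stop MySQL unless the dump ends with mysqldump's own completion marker. It assumes mysqldump can log in as root (add -u root -p, or a ~/.my.cnf, otherwise) and the Debian paths used above; the sample dump files in the usage are constructed.

```shell
#!/bin/sh
# Added example: the backup step with a completeness check on the dump.
# Assumes mysqldump credentials are available and the Debian layout
# (/etc/mysql for config, /var/lib/mysql for data).

# dump_is_complete FILE: mysqldump writes "-- Dump completed on <date>" as its
# last line only when it finished without error. A dump cut short has no such
# line, and restoring from it silently loses everything after the cut.
dump_is_complete() {
    [ -s "$1" ] && tail -n 1 "$1" | grep -q '^-- Dump completed'
}

# backup_mysql [DIR]: dump all databases (plus events, routines, triggers),
# then copy the config and, with the server stopped, the raw data directory.
# Prints the backup directory on success; leaves the server running on failure.
backup_mysql() {
    dest="${1:-$HOME/backup/mysql-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$dest" || return 1
    mysqldump --all-databases --events --routines --triggers > "$dest/alldb.sql" \
        || { echo "mysqldump failed, leaving server running" >&2; return 1; }
    dump_is_complete "$dest/alldb.sql" \
        || { echo "dump is incomplete, leaving server running" >&2; return 1; }
    cp -pr /etc/mysql "$dest/config" || return 1
    service mysql stop || return 1
    cp -pr /var/lib/mysql "$dest/data" || return 1
    chmod -R go-rwx "$dest"   # the dump holds password hashes and all your data
    echo "$dest"
}
```

Run `backup_mysql` as root right before the "Remove MySQL 5.5 Packages" step; it prints the directory it wrote, and a non-zero exit means the old server is still up and nothing has been removed.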
Enjoy. 🙂
Recently I tried playing around with an Amazon EC2 server. After subscribing and setting up the instance, AWS gives you a private key file (a .pem) for SSH access instead of a password.
When I tried to log in, I got this error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0440 for 'xxx.pem' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: xxx.pem
Password:
ssh refuses to use a private key that other users on your machine can read (here the group bit was set), and then falls back to password authentication, which EC2 instances do not accept; that is the Password: prompt that never works. To fix this, make the key readable by you alone:
chmod 0400 xxx.pem
xxx.pem is your private key file. After that, try logging in again, passing the key with ssh's -i option. Should be fine. 🙂
If you want to find out how big your databases are in MySQL, run these queries in the mysql console. The figures come from information_schema and are estimates (for InnoDB they are approximate and exclude the undo and binary logs), but good enough for a quick overview.
If you want the output in MB:
mysql> SELECT table_schema "database", sum(data_length + index_length)/1024/1024 "size in MB" FROM information_schema.TABLES GROUP BY table_schema;
If you want the output in GB:
mysql> SELECT table_schema "database", sum(data_length + index_length)/1024/1024/1024 "size in GB" FROM information_schema.TABLES GROUP BY table_schema;
If you want to view a specific database's size in GB:
mysql> SELECT table_schema "database", sum(data_length + index_length)/1024/1024/1024 "size in GB" FROM information_schema.TABLES WHERE table_schema='test3' GROUP BY table_schema;
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.
ClamAV can also be used to look for malicious code, e.g. a web shell, that has been uploaded to your server. Here I show how to install ClamAV on Ubuntu Server 12.04.
Step 1. Install ClamAV on Ubuntu Server
root@gh0st:~# apt-get install clamav
Step 2: Update the antivirus database
root@gh0st:~# freshclam
Step 3: Scan your Ubuntu Server for viruses. Without a path argument clamscan scans the current directory, so the run below, started from /root, only covered the root user's home (12 files). To hunt for web shells, point it at the upload and web directories (e.g. /var/www) and add --infected to list only the hits. Bear in mind that ClamAV only knows the web shells that have signatures, so a clean scan is not proof of a clean server.
root@gh0st:~# clamscan --recursive=yes --cross-fs=yes
/root/vpstest.sh: OK
/root/.php_history: OK
/root/.nano_history: OK
/root/.goaccessrc: OK
/root/.rnd: OK
/root/.bashrc: OK
/root/.viminfo: OK
/root/.ircmotd: Empty file
/root/.mysql_history: OK
/root/test.sh: OK
/root/.profile: OK
/root/.bash_history: OK
/root/bench.sh: OK
———– SCAN SUMMARY ———–
Known viruses: 2533901
Engine version: 0.97.8
Scanned directories: 1
Scanned files: 12
Infected files: 0
Data scanned: 0.11 MB
Data read: 0.05 MB (ratio 1.93:1)
Time: 4.765 sec (0 m 4 s)
One day you may find a bunch of requests in a short period of time with an unusual and suspicious user agent in your web server's logs, something like Made by ZmEu @ WhiteHat Team - http://www.whitehat.ro or just ZmEu, and the requests may come from Russia or China. Search for it and you will find that ZmEu is a bot that tries to find vulnerable phpMyAdmin installations (it usually looks for the phpmyadmin/scripts/setup.php file) and other web applications.
It is an automated scan: the bot walks a list of likely paths for phpMyAdmin's setup script and other PHP administration tools, looking for an installation it can attack through the URL. This is how the logs looked:
Log from nginx access.log (requests for the w00tw00t marker):
root@gh0st:~# grep -r w00t /var/log/nginx/*
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
Another view of the same nginx access.log, everything sent with the ZmEu user agent:
root@gh0st:~# grep -r ZmEu /var/log/nginx/*
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /pma/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /admin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:31 +0800] "GET /db/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:31 +0800] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:31 +0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:31 +0800] "GET /mysql/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:32 +0800] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:32 +0800] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:32 +0800] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:32 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:33 +0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:33 +0800] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:33 +0800] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:33 +0800] "GET /pma/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:34 +0800] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:34 +0800] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:34 +0800] "GET /web/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:34 +0800] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:35 +0800] "GET /websql/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
Dayuumm. Some clown ran into my server with this so-called script. You scan my server, I block you for a long time. Here I share how to mitigate this attack.
First, we install fail2ban on the server. For those who don't know it, fail2ban is more advanced than DenyHosts, since it extends log monitoring beyond SSH to other services including Apache, nginx, Courier, FTP and more.
Fail2ban scans log files and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on.
Fail2ban is generally used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action can be configured as well.
So, to install it, open up your terminal and type:
sudo apt-get install fail2ban
After that, create a new filter file called w00tw00t.conf in /etc/fail2ban/filter.d/:
nano /etc/fail2ban/filter.d/w00tw00t.conf
Put this in the file. <HOST> is fail2ban's placeholder for the client address it will ban, and the pattern matches the w00tw00t request line seen in the logs above (the regex did not survive on the page as published; this one is reconstructed from those log lines):
[Definition]
# Match the "GET /w00tw00t.at.<anything>" probe from any client; <HOST> captures the IP to ban.
failregex = ^<HOST> -.*"GET \/w00tw00t\.at\..*"
ignoreregex =
Edit the /etc/fail2ban/jail.conf file (or, better, put your additions in /etc/fail2ban/jail.local, which has the same syntax, is read after jail.conf and is not overwritten on package upgrades):
nano /etc/fail2ban/jail.conf
At the end of the file, add this jail. The second action line is a continuation of the first and must be indented, and the name= parameter keeps this jail's iptables chain and e-mail subject distinct from the ssh jail's (drop the sendmail-whois line if the box has no working sendmail):
[w00tw00t-scans]
enabled = true
action = iptables-allports[name=w00tw00t]
         sendmail-whois[name=w00tw00t, dest=root, sender=fail2ban@localhost]
filter = w00tw00t
##### set the log path ######
logpath = /var/log/nginx/access.log
maxretry = 1
###### ban for 24 hours ######
bantime = 86400
Restart fail2ban service:
/etc/init.d/fail2ban restart
Check fail2ban client status:
root@gh0st:~# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: w00tw00t-scans, ssh
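To see what the filter logic would catch before trusting the jail with live bans, here is an added example (not part of the original post or of fail2ban): the same pattern, written as a grep regex with a plain IPv4 capture in place of <HOST>, run over a few constructed nginx log lines to list the addresses that would be banned. It goes one step beyond the post's jail by also matching the scripts/setup.php probes from the second log excerpt. The two probing addresses come from the excerpt above; 198.51.100.9 and 203.0.113.7 are documentation addresses added for the demonstration.

```shell
#!/bin/sh
# Added example: dry-run the w00tw00t (and setup.php) match over an access log
# and print the client IPs fail2ban would ban. IPv4 only; fail2ban's <HOST>
# also matches hostnames and IPv6 addresses.

# Anchored at line start like the failregex: client IP, " - ", then anything
# up to a GET for /w00tw00t.at.<anything>.
W00T_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3} - .*"GET /w00tw00t\.at\.'

# Beyond the post's jail: the same bot probes for phpMyAdmin's setup script
# under many directory names, so match scripts/setup.php at any depth.
PMA_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3} - .*"GET /[^" ]*scripts/setup\.php'

# offenders REGEX: log lines on stdin -> each matching client IP once, sorted.
offenders() {
    grep -E "$1" | awk '{ print $1 }' | sort -u
}

w00tw00t_offenders() { offenders "$W00T_RE"; }
pma_probe_offenders() { offenders "$PMA_RE"; }

# Constructed sample log (not a capture): the two probing hosts from the excerpt
# above, one extra host that only probes setup.php, and one ordinary visitor.
SAMPLE_LOG='93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
198.51.100.9 - - [23/Jul/2013:10:55:01 +0800] "GET /pma/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
203.0.113.7 - - [23/Jul/2013:11:00:00 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# Demonstration on the constructed sample when run directly.
echo "w00tw00t scanners:";    printf '%s\n' "$SAMPLE_LOG" | w00tw00t_offenders
echo "setup.php probers:";    printf '%s\n' "$SAMPLE_LOG" | pma_probe_offenders
```

For the real filter file, fail2ban ships its own dry-run tool: `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/w00tw00t.conf` reports how many lines matched and which addresses were extracted, which is the quickest way to confirm the failregex before restarting the service.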
credit to:
http://sharadchhetri.com/2013/06/27/protect-from-w00tw00t-at-blackhats-romanian-anti-sec/
http://myatus.com/p/blocking-w00tw00t-scans/