Splunk: How to enable Splunk SSO - splunk

I have Splunk and am trying to enable Splunk SSO instead of normal authentication. My configuration is as follows:
In /opt/splunk/etc/system/local/server.conf
[general]
trustedIP = 192.168.1.208
serverName = Splunk_Core_02
pass4SymmKey = $7$RRvdYDdIlj4P2geQdtHluTRb7OfvZhTFTZGJ7z5JiZAkJ6Q1at6j0Q==
sessionTimeout = 30s
[sslConfig]
sslPassword = $7$m6pB5a0PWFg64VlNZGgunhGElO3qLiAc6NrhfLO+tpX2jR7WC7qm1Q==
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
quota = MAX
slaves = *
stack_id = download-trial
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[license]
active_group = Enterprise
[diskUsage]
minFreeSpace = 1024
[lmpool:test_splunk]
quota = MAX
slaves = *
stack_id = enterprise
In /opt/splunk/etc/system/local/web.conf
[settings]
#SSO
SSOMode = permissive
trustedIP = 192.168.1.208,192.168.2.15,127.0.0.1
remoteUser = REMOTE-USER
#tools.proxy.on = False
root_endpoint = /splunk
#SSL
enableSplunkWebSSL = 0
httpport = 8000
mgmtHostPort = 127.0.0.1:8089
appServerPorts = 8065
splunkdConnectionTimeout = 30
enableSplunkWebClientNetloc = False
# SSL certificate files.
privKeyPath = $SPLUNK_HOME/etc/auth/splunkweb/privkey.pem
serverCert = $SPLUNK_HOME/etc/auth/splunkweb/cert.pem
...
When I open the http://192.168.1.208:8000/debug/sso page, I see that SSO is not enabled. What's wrong with my configuration?

Several pieces of documentation say that in server.conf the trustedIP is 127.0.0.1, but none of them mention that only 127.0.0.1 is eligible to enable/activate SSO. So do not configure another IP address instead of 127.0.0.1.
And in server.conf (/opt/splunk/etc/system/local/) you can only configure one trustedIP, and it is 127.0.0.1.

https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/ConfigureSplunkSSO
Have you restarted splunk after making these changes?
In /opt/splunk/etc/system/local/web.conf,
remoteUser = REMOTE-USER is more likely to be REMOTE_USER
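As an added illustration (not Splunk's code and not from any of the posts above), a small model of the trust decision that the web.conf settings in the question control: the identity header is only honoured for requests arriving from a trustedIP, the behaviour for other clients depends on SSOMode, and the header name must match remoteUser exactly (REMOTE-USER and REMOTE_USER, as noted above, are different header names). All values are constructed from the question.

```python
import ipaddress

# The [settings] values from the poster's web.conf as a constructed dict. remoteUser is
# set to REMOTE_USER, the form suggested in the answer; the post itself had REMOTE-USER.
WEB_CONF = {
    "SSOMode": "permissive",
    "trustedIP": "192.168.1.208,192.168.2.15,127.0.0.1",
    "remoteUser": "REMOTE_USER",
}


def trusted_ips(conf):
    """web.conf accepts a comma-separated list of proxy addresses."""
    return {ipaddress.ip_address(v.strip()) for v in conf["trustedIP"].split(",") if v.strip()}


def header_value(headers, name):
    """HTTP header names are case-insensitive, but '-' and '_' are different characters,
    so a REMOTE-USER header never satisfies remoteUser = REMOTE_USER."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def sso_decision(client_ip, headers, conf=WEB_CONF):
    """Return (outcome, reason) for one request to Splunk Web, following the web.conf
    documentation: the identity header is used only when the request comes from a
    trustedIP (the authenticating proxy); any other client gets the normal login page
    in permissive mode and is refused in strict mode, whatever headers it sends."""
    mode = conf.get("SSOMode", "strict").lower()
    name = conf.get("remoteUser", "REMOTE_USER")
    user = header_value(headers, name)
    if ipaddress.ip_address(client_ip) not in trusted_ips(conf):
        if mode == "strict":
            return ("REFUSED", "strict mode: request not from a trustedIP, header ignored")
        return ("LOGIN_PAGE", "permissive mode: untrusted client, header ignored, normal login")
    if not user:
        return ("NO_IDENTITY", f"trusted proxy but no {name} header present")
    return ("SSO_LOGIN", f"identity {user!r} taken from trusted proxy {client_ip}")


if __name__ == "__main__":
    for ip, hdrs in [("192.168.1.208", {"REMOTE_USER": "alice"}),
                     ("10.0.0.5", {"REMOTE_USER": "admin"}),        # forged header, untrusted source
                     ("192.168.1.208", {"REMOTE-USER": "alice"})]:  # wrong header spelling
        print(ip, hdrs, "->", sso_decision(ip, hdrs))
```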

You have to use SAML. I am using SAML for SSO. You need to contact your IT guy and he will provide you with the IDP file; upload it and share your Splunk connection file with him. You can download it from the same window. Go to Users -> Authentication Method > SAML. Once everything is in place, you have to create groups in AD and do the same thing in Splunk under the SAML configuration. Let me know if you need more details.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/HowSAMLSSOworks

Related

InfluxDB refuses connection from telegraf when changing from HTTP to HTTPS

On my CentOS 7 server, I have set up Telegraf and InfluxDB. InfluxDB successfully receives data from Telegraf and stores it in the database. But when I reconfigure both services to use HTTPS, I see the following error in Telegraf's logs:
Dec 29 15:13:11 localhost.localdomain telegraf[31779]: 2020-12-29T13:13:11Z E! [outputs.influxdb] When writing to [https://127.0.0.1:8086]: Post "https://127.0.0.1:8086/write?db=GRAFANA": dial tcp 127.0.0.1:8086: connect: connection refused
Dec 29 15:13:11 localhost.localdomain telegraf[31779]: 2020-12-29T13:13:11Z E! [agent] Error writing to outputs.influxdb: could not write any address
InfluxDB doesn't show any errors in its logs.
Below is my telegraf.conf file:
[agent]
hostname = "local"
flush_interval = "15s"
interval = "15s"
# Input Plugins
[[inputs.cpu]]
percpu = true
totalcpu = true
collect_cpu_time = false
report_active = false
[[inputs.disk]]
ignore_fs = ["tmpfs", "devtmpfs", "devfs"]
[[inputs.io]]
[[inputs.mem]]
[[inputs.net]]
[[inputs.system]]
[[inputs.swap]]
[[inputs.netstat]]
[[inputs.processes]]
[[inputs.kernel]]
# Output Plugin InfluxDB
[[outputs.influxdb]]
database = "GRAFANA"
urls = [ "https://127.0.0.1:8086" ]
insecure_skip_verify = true
username = "telegrafuser"
password = "metricsmetricsmetricsmetrics"
And this is the uncommented [http] section of the influxdb.conf
# Determines whether HTTP endpoint is enabled.
enabled = false
# Determines whether the Flux query endpoint is enabled.
flux-enabled = true
# The bind address used by the HTTP service.
bind-address = ":8086"
# Determines whether user authentication is enabled over HTTP/HTTPS.
auth-enabled = false
# Determines whether HTTPS is enabled.
https-enabled = true
# The SSL certificate to use when HTTPS is enabled.
https-certificate = "/etc/ssl/server-cert.pem"
# Use a separate private key location.
https-private-key = "/etc/ssl/server-key.pem"
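An added check, not part of the original question: it reads the [http] section quoted above and the [[outputs.influxdb]] block from telegraf.conf with a minimal key = value parser and reports the settings that explain a refused connection or weaken the setup. The sample text is constructed from the question's values (password replaced); in InfluxDB 1.x the [http] enabled key controls the whole HTTP service, HTTPS included.

```python
import re

# Constructed sample built from the [http] section quoted in the question; a second
# section is included only to show that the parser stops at section boundaries.
INFLUXDB_CONF = """
[meta]
  dir = "/var/lib/influxdb/meta"

[http]
  # Determines whether HTTP endpoint is enabled.
  enabled = false
  flux-enabled = true
  bind-address = ":8086"
  auth-enabled = false
  https-enabled = true
  https-certificate = "/etc/ssl/server-cert.pem"
  https-private-key = "/etc/ssl/server-key.pem"
"""

# The [[outputs.influxdb]] block from the question's telegraf.conf (constructed password).
TELEGRAF_CONF = """
[[outputs.influxdb]]
  database = "GRAFANA"
  urls = [ "https://127.0.0.1:8086" ]
  insecure_skip_verify = true
  username = "telegrafuser"
  password = "constructed-placeholder"
"""

# key = value with a quoted string, a one-line array, or a bare token as the value
_KV = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*("[^"]*"|\[[^\]]*\]|[^#\s]+)')


def parse_section(text, section):
    """Return the key = value pairs of one [section] or [[section]] as a dict.
    Deliberately minimal: flat scalars and one-line arrays, which is all these files use."""
    values, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):                      # section header
            inside = stripped.strip("[]").strip() == section
            continue
        match = _KV.match(line) if inside else None       # comment and blank lines fail to match
        if not match:
            continue
        key, raw = match.group(1), match.group(2)
        if raw in ("true", "false"):
            values[key] = raw == "true"
        elif raw.startswith('"'):
            values[key] = raw[1:-1]
        elif raw.startswith("["):
            values[key] = [s.strip().strip('"') for s in raw[1:-1].split(",") if s.strip()]
        else:
            values[key] = raw
    return values


def audit(influx_http, telegraf_out):
    """Findings as (severity, setting, explanation), most severe first."""
    findings = []
    if influx_http.get("enabled") is False:
        findings.append(("CRITICAL", "enabled = false",
                         "the HTTP service is not started at all, HTTPS included, so nothing listens on "
                         + influx_http.get("bind-address", ":8086") + " and clients get 'connection refused'"))
    if influx_http.get("https-enabled") is not True:
        findings.append(("HIGH", "https-enabled", "credentials and metrics travel in cleartext"))
    if influx_http.get("auth-enabled") is not True:
        findings.append(("HIGH", "auth-enabled = false",
                         "the username/password Telegraf sends are never checked; anyone reaching the port can write and query"))
    if telegraf_out.get("insecure_skip_verify") is True:
        findings.append(("MEDIUM", "insecure_skip_verify = true",
                         "Telegraf accepts any server certificate, so TLS provides no server authentication"))
    return findings
```

Once [http] enabled is true, re-run the audit: the remaining HIGH and MEDIUM findings are what a reviewer would want fixed before calling the HTTPS migration done.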

What's the use of the [runners.docker] section in config.toml for use case with docker machine?

Reading the documentation on autoscaling, I can't figure out the role of the [runners.docker] section when using docker+machine as the executor:
[runners.docker]
image = "ruby:2.1" # The default image used for builds is 'ruby:2.1'
In the executors documentation it says:
docker+machine : like docker, but uses auto-scaled docker machines -
this requires the presence of [runners.docker] and [runners.machine]
I get that I have to define this [runners.docker] section to be able to use the [runners.machine] section, but what is the aim of this [runners.docker]?
I can't find how to configure it, as I don't understand why to use it.
Our gitlab-runner runs on a vSphere VM and is configured to scale using the docker+machine executor with MachineDriver set to vmwarevsphere. All works nicely, but I would like to fully understand the configuration file.
Here is our "censored with stars" config.toml file with the [runners.docker] section I can't understand (note that the guy who wrote it left the company, so I can't ask him):
[[runners]]
name = "gitlab-runner"
limit = 6
output_limit = 102400
url = "http://gitlab.**************.lan"
token = "*******************"
executor = "docker+machine"
[runners.docker]
tls_verify = false
image = "docker:latest"
dns = ["*.*.*.*"]
privileged = true
disable_cache = false
volumes = ["/etc/localtime:/etc/localtime:ro", "/var/run/docker.sock:/var/run/docker.sock", "/etc/docker/certs.d:/etc/docker/certs.d", "/cache:/cache", "/builds:/builds"]
cache_dir = "cache"
shm_size = 0
[runners.cache]
Type = "s3"
ServerAddress = "*.*.*.*"
AccessKey = "*****************"
SecretKey = "*****************"
BucketName = "runner"
Insecure = true
[runners.machine]
IdleCount = 4
MaxBuilds = 10
IdleTime = 3600
MachineDriver = "vmwarevsphere"
MachineName = "gitlab-runner-pool-1-%s"
MachineOptions = ["vmwarevsphere-username=************", "vmwarevsphere-password=*****************", "vmwarevsphere-vcenter=*.*.*.*", "vmwarevsphere-datastore=*********", "vmwarevsphere-memory-size=3096", "vmwarevsphere-disk-size=40960", "vmwarevsphere-cpu-count=3", "vmwarevsphere-network=*****************", "vmwarevsphere-datacenter=**************", "vmwarevsphere-hostsystem=*******************", "engine-storage-driver=overlay2", "engine-insecure-registry=**************", "engine-insecure-registry=*******************"]
OffPeakPeriods = ["* * 0-8,21-23 * * mon-fri *", "* * * * * sat,sun *"]
OffPeakTimezone = "Local"
OffPeakIdleCount = 1
OffPeakIdleTime = 600
The [runners.machine] section defines how to start and provision your runner machines, the [runners.docker] section then defines how to configure the runner on that machine.
Docker-machine on its own only does the following (as you can read here):
"Docker Machine is a tool that lets you install Docker Engine on virtual hosts, and manage the hosts with docker-machine commands."
So this does nothing with the GitLab runner; you still need to configure the runner after that, and that's where the [runners.docker] section comes into play, because the runner needs to know what default image to use, what volumes to mount, etc.

postfix check the From address field matches the authenticated username or other valid aliases in LDAP

We have an internet facing MX server whereby all users authenticate their outgoing connection to submit emails via port 587. This MX server routes incoming mail for our domain to an internal postfix smtp server which then delivers mail to local imap servers.
The internal Postfix SMTP server uses LDAP, alias_maps = ldap:/etc/postfix/ldap-aliases.cf, to look up which IMAP server a user's mailbox resides on.
There is a postfix option...
reject_sender_login_mismatch
that can be mapped...
smtpd_sender_login_maps = ldap:/etc/postfix/smtpd_sender_login.cf
However, I get the following error:
Jul 4 11:23:26 smtp-1.domain1.com postfix/smtpd[31530]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
No users authenticate to the internal postfix smtp server - all it does is route emails from the MX server. I believe the reason I see the warning "no SASL support" is because postfix doesn't handle the authentication as it's taken care of by the MX server.
postconf -n
alias_database = hash:/etc/aliases
alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
mydomain = domain1.com
myhostname = smtp-1.domain1.com
mynetworks = xxx.xxx.192.0/21, xxx.62.52.0/22, 10.0.0.0/8, xxx.16.0.0/12, xxx.168.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
unknown_local_recipient_reject_code = 550
However, with a different config, "smtpd_sender_restrictions = reject_unverified_sender":
If the "envelope From field" contains an invalid forged address, the following is logged, which is great for stopping unknown email addresses being forged, but doesn't help if it's forged with a known email address.
NOQUEUE: reject: RCPT from mx.domain1.com[xxx.xxx.192.130]: 450 4.1.7 : Sender address rejected: unverified address: unknown user: "hejem"; from= to= proto=ESMTP helo=
-bash-4.1$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mx3.$mydomain, mx1.$mydomain, mx2.$mydomain
mydomain = domain1.com
myhostname = smtp-1.domain1.com
mynetworks = xxx.xxx.xxx.0/21, xxx.xxx.xxx.0/22, xxx.0.0.0/xxx, xxx.xxx.0.0/12, xxx.xxx.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sender_restrictions = reject_unverified_sender
What I want to achieve is for my local internal Postfix to check the "envelope From field" to ensure it hasn't been spoofed, by knowing the sending user's username and looking up their assigned "From" aliases in LDAP; if it doesn't match, i.e. they're spoofing, then reject the mail.
Any advice how to implement this check in postfix?
Thanks
Firstly, it is not considered good practice to activate reject_unverified_sender in Postfix services. If you want to prevent mails being sent from non-existing addresses in your domain, you should prefer reject_unlisted_sender.
You cannot be sure of spoofing of existing mail addresses without activating an authentication (SASL) mechanism on the Postfix service. Thus, to prevent spoofing of existing addresses:
Make sure that smtpd_sender_login_maps is properly configured.
Activate SASL authentication on postfix
Configure reject_authenticated_sender_login_mismatch or reject_sender_login_mismatch depending on your preference.
Further reading (from the Postfix SASL documentation):
Envelope sender address authorization
By default an SMTP client may specify any envelope sender address in the MAIL FROM command. That is because the Postfix SMTP server only knows the remote SMTP client hostname and IP address, but not the user who controls the remote SMTP client.
This changes the moment an SMTP client uses SASL authentication. Now, the Postfix SMTP server knows who the sender is. Given a table of envelope sender addresses and SASL login names, the Postfix SMTP server can decide if the SASL authenticated client is allowed to use a particular envelope sender address:
/etc/postfix/main.cf:
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_recipient_restrictions =
...
reject_sender_login_mismatch
permit_sasl_authenticated
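An added model (not from the answer or from the Postfix source) of the decision the three restrictions above make, following postconf(5): the smtpd_sender_login_maps table, the local-domain set and the login names are constructed stand-ins for the LDAP lookup in the question, and the "no SASL support" case reproduces what the asker's log line reports.

```python
# Constructed stand-in for the smtpd_sender_login_maps table (the post uses an LDAP
# lookup, the quoted documentation a hash: table). Sender address -> owning SASL logins.
SENDER_LOGIN_MAP = {
    "alice@domain1.com": ["alice"],
    "sales@domain1.com": ["alice", "bob"],   # shared alias with two owners
    "carol": ["carol"],                      # bare-user key, consulted for local domains only
    "@partner.example": ["partner-relay"],   # whole-domain entry
}
# Domains treated as $myorigin / $mydestination from the post, simplified to a set.
LOCAL_DOMAINS = {"domain1.com", "smtp-1.domain1.com"}


def lookup_owners(sender):
    """postconf(5) search order for smtpd_sender_login_maps: user@domain first,
    the bare user only when the domain is local, @domain last; first hit wins."""
    user, _, domain = sender.lower().rpartition("@")
    keys = [f"{user}@{domain}"] + ([user] if domain in LOCAL_DOMAINS else []) + [f"@{domain}"]
    for key in keys:
        if key in SENDER_LOGIN_MAP:
            return SENDER_LOGIN_MAP[key]
    return None


def sender_login_check(sender, sasl_login=None, sasl_enabled=True,
                       restriction="reject_sender_login_mismatch"):
    """Return (action, reason) for one MAIL FROM. sasl_login is the authenticated
    login name, or None for a client that did not authenticate."""
    if not sasl_enabled:
        # What the asker's log shows: without SASL support smtpd ignores the restriction.
        return ("IGNORED", f"warning: restriction `{restriction}' ignored: no SASL support")
    check_authed = restriction in ("reject_sender_login_mismatch",
                                   "reject_authenticated_sender_login_mismatch")
    check_unauthed = restriction in ("reject_sender_login_mismatch",
                                     "reject_unauthenticated_sender_login_mismatch")
    owners = lookup_owners(sender)
    if sasl_login is not None:
        # Authenticated client: the login must be listed as an owner. An address with no
        # entry at all is rejected too, so users can only send as addresses mapped to them.
        if check_authed and (owners is None or sasl_login.lower() not in owners):
            return ("REJECT", f"553 5.7.1 <{sender}>: Sender address rejected: not owned by user {sasl_login}")
    elif check_unauthed and owners is not None:
        # Unauthenticated client using an address that belongs to someone.
        return ("REJECT", f"553 5.7.1 <{sender}>: Sender address rejected: not logged in")
    return ("DUNNO", "restriction does not apply; the remaining smtpd_sender_restrictions decide")
```

The DUNNO outcome is why the documentation puts permit_sasl_authenticated after reject_sender_login_mismatch: the mismatch check only ever rejects, and something later must permit.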

Different smarthosts for different domains with different credentials

Hello, I have two (or maybe more later) domains:
domain1
domain2
I want to configure Exim (cPanel) to use SendGrid's or Mailgun's SMTP servers; currently I'm trying with this config in Exim:
**Section: TRANSPORTSTART**
domain1_smtp:
driver = smtp
hosts = smtp.mailgun.org
hosts_require_auth = smtp.mailgun.org
hosts_require_tls = smtp.mailgun.org
domain2_smtp:
driver = smtp
hosts = smtp.mailgun.org
hosts_require_auth = smtp.mailgun.org
hosts_require_tls = smtp.mailgun.org
**Section: AUTH**
domain1_login:
driver = plaintext
public_name = LOGIN
client_send = : postmaster@mg.domain1.com : password
domain2_login:
driver = plaintext
public_name = LOGIN1
client_send = : postmaster@mg.domain2.com : password
**Section: PREROUTER**
send_via_domain1:
driver = manualroute
domains = ! +local_domains
senders = *@domain1.cm
transport = domain1_smtp
route_list = "* smtp.mailgun.org::2525 byname"
host_find_failed = defer
send_via_domain2:
driver = manualroute
domains = ! +local_domains
senders = *@domain2.com
transport = domain2_smtp
route_list = "* smtp.mailgun.org::2525 byname"
host_find_failed = defer
When I'm sending email from user@domain1.com, I'm getting messages delivered by postmaster@mg.domain1.com, and when I'm sending from user@domain2.com, I'm also getting messages delivered by postmaster@mg.domain1.com.
I want to have a smarthost for every domain with different credentials. Thanks
I have this setup (VPS + WHM/cPanel + Exim + Mailgun) and, after doing some online research, I found a few helpful websites on this topic and managed to come up with the correct configuration. Below are the solutions that I'm currently using on my VPS; I hope they help you as well. They should solve your "via" problem and might solve the intermittent "550 5.7.1 Relaying denied" error from Mailgun as well:
Go to the "Exim Configuration Editor" in WHM. Choose "Advanced Editor" and insert the configuration below:
Section: AUTH
mailgun_login:
driver = plaintext
public_name = LOGIN
hide client_send = ": ${extract{login}{${lookup{$sender_address_domain}lsearch{/etc/exim_mailgun}{$value}fail}}} : ${extract{password}{${lookup{$sender_address_domain}lsearch{/etc/exim_mailgun}{$value}fail}}}"
Section: ROUTERSTART
mailgun:
driver = manualroute
domains = ! +local_domains
transport = mailgun_transport
route_list = "* smtp.mailgun.org::587 byname"
host_find_failed = defer
no_more
Section: TRANSPORTSTART
mailgun_transport:
driver = smtp
hosts = smtp.mailgun.org
hosts_require_auth = smtp.mailgun.org
hosts_require_tls = smtp.mailgun.org
Then create a file named /etc/exim_mailgun with content similar to the structure below (replace the values with the verified login credentials of your Mailgun domains):
domain1.com: login=postmaster@mg.domain1.com password=abcdefghi
domain2.com: login=postmaster@mg.domain2.com password=jklmnopqr

Configuring MantisBT to send emails using GMail

I am new to Mantis Bug Tracker and I want to enable email notifications after registering a new account.
Well, I installed MantisBT correctly without any problem on my local computer; I already changed the admin's password and removed the admin folder from the directory. After this I signed up for a new account, and a confirmation message was displayed saying that I need to verify my registration via email. My problem is that no verification message was sent to my email. According to one of the tutorials I found, I first need to configure my config_inc.php. After the installation, the initial content of my config_inc.php was:
<?php
$g_hostname = 'localhost';
$g_db_username = '<myUser>';
$g_db_password = '<myPass>';
$g_database_name = 'bugtracker';
$g_db_type = 'mysql';
?>
So I changed it to the following (I am using my Gmail account here):
<?php
$g_hostname = 'localhost';
$g_db_username = '<myUser>';
$g_db_password = '<myPass>';
$g_database_name = 'bugtracker';
$g_db_type = 'mysql';
$g_allow_signup = ON;
$g_allow_anonymous_login = OFF;
$g_anonymous_account = '';
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_smtp_host = 'smtp.gmail.com';
$g_smtp_username = '<myUser@gmail.com>';
$g_smtp_password = '<myPass>';
$g_administrator_email = '<myUser@gmail.com>';
$g_webmaster_email = '<myUser@gmail.com>';
$g_from_name = 'Mantis Bug Tracker';
$g_from_email = '<myUser@gmail.com>';
$g_return_path_email = '<myUser@gmail.com>';
$g_email_receive_own = OFF;
$g_email_send_using_cronjob = OFF;
$g_allow_file_upload = ON;
$g_file_upload_method = DATABASE;
$g_absolute_path_default_upload_folder = '';
$g_max_file_size = 5000000;
$g_preview_attachments_inline_max_size = 256 * 1024;
$g_allowed_files = '';
$g_disallowed_files = '';
$g_window_title = 'MantisBT';
$g_logo_image = 'images/mantis_logo.gif';
$g_favicon_image = 'images/favicon.ico';
$g_show_realname = OFF;
$g_show_user_realname_threshold = NOBODY;
$g_default_home_page = 'my_view_page.php';
?>
I overwrote my config_inc.php with this one and then registered for a new account. After submitting the information, an error occurred saying:
Fatal error: Call to undefined method SMTP::getError() in < myDirectory >\mantis\library\phpmailer\class.phpmailer.php on line 1910.
And now I'm stuck; please help me with this, as I need to set up my email notifications. I was just creating accounts, but I cannot use them because I need to verify them.
Please let me know if I need to modify some of the related files and what the steps are.
Thanks for the help!
According to a posting on the MantisBT forums, these are working settings for GMail:
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_smtp_host = 'smtp.gmail.com';
$g_smtp_username = 'username@gmail.com';
$g_smtp_password = 'yourpassword';
$g_smtp_connection_mode = 'ssl';
$g_smtp_port = 465;
Something to add about GMail. These settings are correct but GMail has instituted some new security that will still prevent email from being sent from Mantis or any other mailer using the SMTP connector.
In order to do this with GMail, you must "Allow less secure apps to access accounts". In GMail admin, there is a setting to allow users to control access from "less secure apps," which must be turned on, and then the user account used to send mail must turn on access from "less secure apps." The link above provides the information on how to configure this.
The frustrating thing is everything will appear to work fine but no emails are sent. There is no error indication from the SMTP server. However, the user account used to send mail may receive an email from GMail indicating someone is trying to access the account. I spent hours trying to track this down.
If anyone still faces an issue or error during configuration, add a log level so that you can drill down into the problem further. The settings below worked for me. A detailed explanation is written here.
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_smtp_host = 'smtp.gmail.com';
$g_smtp_port = '465';
$g_smtp_connection_mode = 'ssl';
$g_smtp_username = 'letzdotesting@gmail.com';
$g_smtp_password = 'xxxxx';
$g_administrator_email = 'letzdotesting@gmail.com';
$g_webmaster_email = 'letzdotesting@gmail.com';
$g_from_email = 'letzdotesting@gmail.com';
$g_return_path_email = 'letzdotesting@gmail.com';
$g_default_timezone = 'UTC';
$g_log_level = LOG_EMAIL | LOG_EMAIL_RECIPIENT;
$g_log_destination = 'file:C:\mantisbt.log';
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_smtp_host = 'smtp.gmail.com';
$g_smtp_username = 'username'; // without @gmail.com
$g_smtp_password = 'password';
$g_smtp_connection_mode = 'ssl';
$g_smtp_port = 465;
It works for me.
2017 update (MantisBT 2.3.0) Please follow the steps below:
[1] IF YOU'RE USING DOCKER
Access the docker instance running the command below:
docker exec -it {docker-id} bash
[2] INSIDE MANTISBT SERVER
If you don't have any editor:
# sudo apt-get update
# apt-get install vim
create a log file:
# touch /var/log/mantisbt.log
# cd /var/log/
# chmod 777 mantisbt.log
[3] EDITING MANTISBT CONFIGURATION
# vim /var/www/html/config/config_inc.php
add the following content to the file opened in the earlier step:
$g_phpMailer_method = PHPMAILER_METHOD_SMTP;
$g_administrator_email = 'your-admin-email@gmail.com';
$g_webmaster_email = 'your-webmaster-email@gmail.com';
$g_return_path_email = 'your-return-email@gmail.com';
$g_from_email = 'your-from-email@gmail.com';
$g_smtp_host = 'smtp.gmail.com';
$g_smtp_port = 465;
$g_smtp_connection_mode = 'ssl';
$g_smtp_username = 'username';
$g_smtp_password = 'password';
$g_log_level = LOG_EMAIL | LOG_EMAIL_RECIPIENT;
$g_log_destination = 'file:/var/log/mantisbt.log';
$g_validate_email = OFF;
[4] EDITING GMAIL CONFIGURATION
You need to do this in order to allow MantisBT authentication:
Access the following URL:
https://myaccount.google.com
Navigate to the Sign-in & Security menu-item under menu-tree.
Check the "Allow less secure apps" option and set it to true.
You're good to go!
Tested and running with these configurations. =]
My issue was solved by updating ca certificates.
I am using XAMPP, with PHP 7.2 on Windows Server 2012.
Although the link below provides the details, I mention the relevant part here too:
Updating CA certificates
To update your CA certificates, make sure your operating system is fully up to date - CA certs are usually updated via OS updates. Alternatively, you can download the latest CA cert file from curl, install it somewhere accessible (for example /etc/ssl/cacert.pem) and point at it from the openssl.cafile and curl.cainfo directives in your php.ini file (this location will vary according to your OS and PHP config; where you need to put it is beyond the scope of PHPMailer!):
openssl.cafile = /etc/ssl/cacert.pem
curl.cainfo = /etc/ssl/cacert.pem
https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting#updating-ca-certificates