I have two servers, a production server and a monitoring server. On the monitoring server I have Graylog2 installed (version 2.3.2).
Before I passed the logs between the two servers in UDP. With this config:
Production server side
/etc/rsyslog.d/60-graylog.conf:
*.* #monitoring.logMonitoringdomainName:514;RSYSLOG_SyslogProtocol23Format
Monitoring server side:
ufw allow 514/udp
systemctl restart rsyslog
And Graylog was running well. But now I would like to pass the logs between the two servers using TLS. My certificates are generated with letsencrypt. With this config:
Production server side
apt-get -y install rsyslog-gnutls
/etc/rsyslog.d/60-graylog.conf:
$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/letsencrypt/live/domainName/fullchain.pem
$DefaultNetstreamDriverCertFile /etc/letsencrypt/live/domainName/cert.pem
$DefaultNetstreamDriverKeyFile /etc/letsencrypt/live/domainName/privkey.pem
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.$logMonitoring
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 10514 # start up listener at port 10514
*.* ##monitoring.logMonitoringdomainName:514;RSYSLOG_SyslogProtocol23Format
ufw allow 514/tcp
systemctl restart rsyslog
Monitoring server side:
ufw allow 514/tcp
systemctl restart rsyslog
Graylog TCP input :
allow_override_date:
true
bind_address:
0.0.0.0
expand_structured_data:
false
force_rdns:
false
max_message_size:
2097152
override_source:
<empty>
port:
514
recv_buffer_size:
1048576
store_full_message:
false
tcp_keepalive:
false
tls_cert_file:
/home/gspohu/TLS_LOG/cert.pem
tls_client_auth:
disabled
tls_client_auth_cert_file:
<empty>
tls_enable:
true
tls_key_file:
/home/gspohu/TLS_LOG/privkey.pem
tls_key_password:
********
use_null_delimiter:
false
But I don't understand how to set the graylog input, watever I try in input config, graylog can't read the logs, besides I'm not sure of my TLS configuration. Could you guide me through the configuration ?
Thank you to take time to read me,
Related
I am using the following Haproxy configuration to pass SSH connections to the backend servers.
global
log 127.0.0.1 local0
daemon
maxconn 2048
defaults
log global
timeout connect 500000ms
timeout client 86400s
timeout server 86400s
listen stats
bind :1936
mode http
stats enable
stats realm Haproxy\ Statistics
stats uri /
frontend front-ssh-servers
mode tcp
option tcplog
bind *:22
default_backend back-ssh-servers
timeout client 8h
backend back-ssh-servers
mode tcp
balance leastconn
stick-table type ip size 1m expire 8h
stick on src
server server1 X.X.X.X:22 check send-proxy
server server2 X.X.X.X:22 check send-proxy
server server3 X.X.X.X:22 backup send-proxy
The idea of adding send-proxy was to capture the actual client IP in the backend SSH servers. However, with send-proxy or send-proxy-v2, the connections are not reaching the destination backend SSH servers. Without the send-proxy option, the connections are reaching the backend SSH servers.
The Haproxy version is 1.8. Haproxy logs show the below.
2023-02-09T10:27:59-08:00 127.0.0.1 haproxy[3190902]: X.X.X.X:36730 [09/Feb/2023:10:27:59.175] front-ssh-servers back-ssh-servers/X.X.X.X 1/0/8 21 SD 2/1/0/0/0 0/0
The termination code is "SD". I read that proxy protocol also needs to be enabled at the backend hosts. Appreciate any help on how to achieve this for SSH connections. My backend hosts are running OpenSSH_7.4p1.
I am currently trying to keep watch of my systems certificates to make sure I get alerting 30 days before expiring. As an example I took google.com and monitoring its certificates. Looking at monitrc file I have added this:
check host google.com with address google.com
if failed
port 443
protocol https
with ssl options {verify: enable}
certificate valid > 1095 days
then alert
When I restart monit I get the error there is no service called google.com
When setting up new monit config or change/edit current config, should reload first to make sure monit reinitializing the daemon
Reproduce issue
# Edit monit config
root#home:~# vim /etc/monit/conf-enabled/test
# Restart right way will fail
root#home:~# monit restart all
There is no service named "google.com"
# Logs
[CEST Sep 12 19:16:29] info : 'home' trying to restart
[CEST Sep 12 19:16:29] info : 'home' restart action done
[CEST Sep 12 19:17:09] info : 'home' restart on user request
[CEST Sep 12 19:17:09] error : HttpRequest: error -- client [::1]: HTTP/1.0 400 There is no service named "google.com"
[CEST Sep 12 19:17:09] error : There is no service named "google.com"
Solution
# Edit monit config
root#home:~# vim /etc/monit/conf-enabled/test
# Reload to reinitialize monit
root#home:~# monit reload
Reinitializing monit daemon
root#home:~# monit status
Monit 5.25.2 uptime: 24m
Remote Host 'google.com'
status OK
monitoring status Monitored
monitoring mode active
on reboot start
port response time 878.069 ms to google.com:443 type TCP/IP using TLS (certificate valid for 69 days) protocol HTTP
data collected Thu, 12 Sep 2019 19:24:06
you can also run periodic tests with a software like Overseer, and receive notifications using a Notify17 notification template (see the sample recipe).
You could use a test rule like:
https://myurl.com/path must run https
Or
https://myurl.com/path must run ssl
These rules evaluate if a website is reachable over SSL and if the certificate will expire soon (you can see more options in the source code).
P.S. To have an easy start with Overseer, you can check out the Kubernetes deployment example.
I have installed RabbitMQ on Ubuntu 14.04 and I am unable to connect to the RabbitMQ server from other computers on the network.
There are no problems connecting to the server from the machine where RabbitMQ is installed, only from other computers on the network.
This page states that "By default, RabbitMQ will listen on port 5672 on all available interfaces".
When trying to connect from another serverusing pika in python, I get the following error:
ERROR:pika.adapters.base_connection:Socket Error: 104
ERROR:pika.adapters.base_connection:Socket closed while authenticating indicating a probable authentication error
I've added a new user with permissions set_permissions newuser ".*" ".*" ".*" and have tried the URI authentication method however I still receive the same error.
I also can't connect to RabbitMQ management from other computers on the network but can access it on the local pc.
Also, by checking open ports, I can see the following:
tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 1122/beam.smp
tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 1122/beam.smp
tcp6 0 0 :::5672 :::* LISTEN 1122/beam.smp
I am using the python code from RabbitMQ's tutorials:
import pika
connection = pika.BlockingConnection(pika.ConnectionParameters(host='AAA.AAA.AAA.AAA'))
channel = connection.channel()
channel.queue_declare(queue='hello')
channel.basic_publish(exchange='',routing_key='hello',body='Hello World!')
print(" [x] Sent 'Hello World!'")
connection.close()
What am I missing?
The code in question doesn't supply a username or password. You'll likely need to update your connection parameters to include those
credentials = pika.PlainCredentials('guest', 'guest')
parameters = pika.ConnectionParameters('rabbit-server1', 5672, '/', credentials)
connection = pika.BlockingConnection(parameters)
Check the docs for pika, for more info: http://pika.readthedocs.org/en/0.10.0/modules/parameters.html?highlight=connectionParameters
Also, check to ensure you have a valid username and password. the "guest" username / password may not be enabled on your server
By default, RabbitMQ accepts connections for the guest user from localhost only. This is explained in the documentation about access control.
To allow connections for the guest user from remote hosts, you need to change the loopback_users configuration parameter (usually in /etc/rabbitmq/rabbitmq.config on Unix):
[
{rabbit, [
{loopback_users, []}
]}
].
You can read more about this parameter in the configuration documentation.
That said, be careful: this user created by default, with a weak known password, has admin priviledges. So changing this configuration parameter like this must be done only on a trusted network.
I am trying to configure haproxy 1.5 on Ubuntu 3.2.0-91-generic as a TLS proxy for plain TCP traffic to a non-TLS server running on the same machine. The local non-TLS server is running on port 9501, and I want haproxy to listen on port 9500, decrypting incoming TLS connections on that port and forwarding the unencrypted TCP traffic to the server on port 9501. I'm doing all this on 172.28.11.94, which is a local intranet address that's bound to my eth0 interface. My haproxy config looks like this:
listen rtt 172.28.11.94:9500
mode tcp
bind 172.28.11.94:9500 ssl crt /etc/haproxy/cert.pem
option tcplog
server rks 172.28.11.94:9501
haproxy reports that this is valid:
dlobron#bos-lpjbb:/etc/haproxy$ sudo haproxy -f haproxy.cfg -V -c
Configuration file is valid
But when I run haproxy, I get an error:
dlobron#bos-lpjbb:/etc/haproxy$ sudo haproxy -f haproxy.cfg -V
Available polling systems :
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 2 (1 usable), will use poll.
Using poll() as the polling mechanism.
[ALERT] 011/114700 (6149) : Starting proxy rtt: cannot bind socket [172.28.11.94:9500]
I verified that my local non-TLS server on port 9501 is fine:
dlobron#bos-lpjbb:/etc/haproxy$ telnet 172.28.11.94 9501
Trying 172.28.11.94...
Connected to bos-lpjbb (172.28.11.94).
Escape character is '^]'.
203 WELCOME
The warning about select() not working is a little strange, but it seems like it's falling back to poll(), which should be fine. But I can't figure out why it can't bind to port 9500 when I run it as root, as I'm doing here. Any help would be much appreciated!
The very helpful guys on the HAProxy mailing list pointed out my problem: the first line of my server stanza is:
listen rtt 172.28.11.94:9500
This is telling HAProxy to bind to 172.28.11.94:9500, and then the "bind" line in my config file is telling it to bind a second time to that same point - hence the error. I changed the first line of the stanza to just:
listen rtt
and it's now fine.
I followed the steps in http://nil.uniza.sk/sip/installing-and-configuring-restund-stunturn-server to set up a restund server.
When I test it by stun, the result is
STUN client version 0.96
Primary: Blocked or could not reach STUN server
Return value is 0x00001c
Attached the config file
#
# restund.conf
#
# core
daemon yes
debug yes
realm myrealm
syncinterval 600
udp_listen 192.168.1.25:3478
#udp_listen 1.2.3.4:3478
udp_sockbuf_size 524288
tcp_listen 192.168.1.25:3478
#tcp_listen 1.2.3.4:3478
# modules
module_path /usr/local/lib/restund/modules
module stat.so
module binding.so
#module auth.so
module turn.so
#module mysql_ser.so
module syslog.so
module status.so
# auth
auth_nonce_expiry 3600
# turn
turn_max_allocations 512
turn_max_lifetime 600
turn_relay_addr 192.168.1.25
#turn_relay_addr6 ::1
# mysql
#mysql_host localhost
#mysql_user ser
#mysql_pass heslo
#mysql_db ser
#mysql_ser 0
# syslog
syslog_facility 24
# status
#status_udp_addr 127.0.0.1
#status_udp_port 33000
status_http_addr 192.168.1.25
status_http_port 8080
Any suggestion? Thanks in advance.
It looks like you are hosting your STUN/TURN server from behind a NAT. I'm guessing that from the looks of your conf file that lists 192.168.1.25 as the listening port. If your client is from the outside of your NAT, make sure you have the proper port forwarding setup.
Otherwise, the most common case for this problem is that the host server has a firewall rule that blocks incoming traffic by default. Check your firewall settings (iptables) on the host box as appropriate.