Archivo
Build Slim Docker Images
It’s possible to build slim Docker images using Multi-Stage Build.
https://docs.docker.com/develop/develop-images/multistage-build/
https://pythonspeed.com/articles/multi-stage-docker-python
https://medium.com/capital-one-tech/multi-stage-builds-and-dockerfile-b5866d9e2f84
SACK Panic – CVE-2019-11477 – Multiple TCP-based remote denial of service
Se ha detectado una nueva vulnerabilidad en Linux
https://access.redhat.com/security/vulnerabilities/tcpsack
Red Hat ha liberado un script para ver si nuestors sistemas están afectados:
https://access.redhat.com/sites/default/files/cve-2019-11477–2019-06-17-1629.sh
Para mitigar la vulnerabilidad podemos aplicar alguno de los siguientes parches:
Option #1
Disable selective acknowledgments system wide for all newly established TCP connections.
# echo 0 > /proc/sys/net/ipv4/tcp_sack
or
# sysctl -w net.ipv4.tcp_sack=0
This option will disable selective acknowledgements but will likely increase the bandwidth required to correctly complete streams when errors occur.
To make this option persist across reboots, create a file in /etc/sysctl.d/ such as /etc/sysctl.d/99-tcpsack.conf - with content:
# CVE-2019-11477 & CVE-2019-11478
net.ipv4.tcp_sack=0
Option #2 Mitigates CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479 by preventing new connections made with low MSS sizes.
The default firewall configuration on Red Hat Enterprise Linux 7 and 8 is firewalld. To prevent new connections with low MSS sizes using firewalld use the commands.
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
# firewall-cmd --reload
# firewall-cmd --permanent --direct --get-all-rules
This firewall-cmd command will remain persistent through system reboots.
If using the traditional iptables firewalling method on any version of Red Hat Enterprise Linux, iptables equivalent command is:
# iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
# ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
# iptables -nL -v
# ip6tables -nL -v
Instalamos las dependencias del Playbook para poder configurar las reglas de IPTABLES permanentemente:
mkdir -p ~/.ansible/plugins/modules
wget -O ~/.ansible/plugins/modules/iptables_raw.py https://raw.githubusercontent.com
/Nordeus/ansible_iptables_raw/master/iptables_raw.py
Playbook de Ansible para mitigarlo:
--
- name: Configure CVE-2019-11477 rule
hosts: all
tasks:
- name: "IPTABLES_RAW | Secure CVE-2019-11477"
iptables_raw:
name: "CVE-2019-11477"
rules: '-A INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP'
Saber versión Oracle WebLogic
Para saber la versión de Oracle Weblogic, debemos ejecutar el siguiente comando
java -cp /u01/app/oracle/fmw/wlserver_12.2/wlserver/server/lib/weblogic.jar weblogic.version
Información extraida de:
https://onlineappsdba.com/index.php/2011/04/28/how-to-find-oracle-weblogic-server-version/
Cambiar SID Windows Server 2012
Si realizamos el clonado de un servidor Windows, y no queremos pasarle un sysprep, podemos ejecutar los siguientes comandos para cambiar el SID.
net stop wuauserv
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
reg Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIDValidation /f
net start wuauserv
wuauclt.exe /resetauthorization /detectnow
pause
Verificar compresión gzip web
Es posible verificar si un sitio web tiene habilitada la compresión “gzip”, para ello podemos hacerlo con el siguiente comando:
curl -vvvvv -I -sH 'Accept-encoding: gzip' www.google.es
La respuesta de esto, será algo similar a lo siguiente, en caso de contener la cabecera “Content-Encoding: gzip”, el servidor nos estará devolviendo el contenido comprimido.
* Rebuilt URL to: www.google.es/ * Trying 172.217.16.227... * TCP_NODELAY set * Connected to www.google.es (172.217.16.227) port 80 (#0) > HEAD / HTTP/1.1 > Host: www.google.es > User-Agent: curl/7.52.1 > Accept: */* > Accept-encoding: gzip > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Date: Fri, 23 Mar 2018 10:31:44 GMT Date: Fri, 23 Mar 2018 10:31:44 GMT < Expires: -1 Expires: -1 < Cache-Control: private, max-age=0 Cache-Control: private, max-age=0 < Content-Type: text/html; charset=ISO-8859-1 Content-Type: text/html; charset=ISO-8859-1 < P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." < Content-Encoding: gzip Content-Encoding: gzip < Server: gws Server: gws < Content-Length: 4923 Content-Length: 4923 < X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; mode=block < X-Frame-Options: SAMEORIGIN X-Frame-Options: SAMEORIGIN < Set-Cookie: 1P_JAR=2018-03-23-10; expires=Sun, 22-Apr-2018 10:31:44 GMT; path=/; domain=.google.es Set-Cookie: 1P_JAR=2018-03-23-10; expires=Sun, 22-Apr-2018 10:31:44 GMT; path=/; domain=.google.es < Set-Cookie: NID=126=p4t5o6qZv1P2VCYc75WPs434Am1rxviq11T6lKP5mTt0uidrRNxWEuP0RdypnpTu5qNqyOn_xf01VKOBauMEtXRlvpQLA1qh1kIYBfRGva9R1-4sfAlT2Ts5mEku5-cS; expires=Sat, 22-Sep-2018 10:31:44 GMT; path=/; domain=.google.es; HttpOnly Set-Cookie: NID=126=p4t5o6qZv1P2VCYc75WPs434Am1rxviq11T6lKP5mTt0uidrRNxWEuP0RdypnpTu5qNqyOn_xf01VKOBauMEtXRlvpQLA1qh1kIYBfRGva9R1-4sfAlT2Ts5mEku5-cS; expires=Sat, 22-Sep-2018 10:31:44 GMT; path=/; domain=.google.es; HttpOnly < * Curl_http_done: called premature == 0 * Connection #0 to host www.google.es left intact
Compilar scripts python
Es posible que en algún momento nos interese compilar un script de python para que no lo modifique nadie, eso es posible ejecutando el siguiente comando:
# python -m py_compile launcher.py elastic_api.py
Esto nos generará el directorio “__pycache__”
Para usar los scripts, lo haremos de la siguiente manera:
# cd __pycache__/ # mv elastic_api.cpython-35.pyc elastic_api.pyc # mv launcher.cpython-35.pyc launcher.pyc # python launcher.pyc
Limpiar errores idmap samba
Es posible que si hacemos un remaping de UID/GIDs en Samba cuando obtenemos los usuarios de un AD, nos quede la BBDD tdb con algunas entradas erroneas.
# net idmap check
check database: /var/lib/samba/winbindd_idmap.tdb
Invalid record: "store test"
Invalid record: "transaction test"
[...]
Invalid mapping: "GID 1641\00" -> "S-1-5-21-329436275-369539378-859735618-4554\00"
("GID 2141\00" <- "S-1-5-21-329436275-369539378-859735618-4554\00")
Invalid mapping: "UID 1599\00" -> "S-1-5-21-329436275-369539378-859735618-2410\00"
("UID 2163\00" <- "S-1-5-21-329436275-369539378-859735618-2410\00")
uid hwm: 54298
gid hwm: 47533
mappings: 897
other: 3
invalid records: 2
missing links: 0
invalid links: 770
0 changes:
Si intentamos conectarnos a la bbdd y limpiar las entradas, nos dará un error y no podremos.
Para solucionar el problema, lo podemos hacer de la siguiente forma.
SAVEIFS=$IFS
IFS=$(echo -en "\n\b")
for id in $(net idmap check|grep -i ^"invalid mapping" | cut -d"\"" -f 2);do
tdbtool /var/lib/samba/winbindd_idmap.tdb delete "${id}"
done
IFS=$SAVEIFS
Una vez eliminadas las entradas invalidas, podremos lanzar el comando, y veremos que está todo correcto.
# net idmap check check database: /var/lib/samba/winbindd_idmap.tdb Invalid record: "store test" Invalid record: "transaction test" uid hwm: 54298 gid hwm: 47533 mappings: 897 other: 3 invalid records: 2 missing links: 0 invalid links: 0 0 changes:
Para consultar más información al respecto sobre las BBDD TDB:
https://www.ibm.com/developerworks/library/l-lpic3-310-3/index.html
Solucionar problema de bloqueo de ficheros en OwnCloud
Configuramos OwnCloud en modo mantenimiento agregando la siguiente línea al fichero de configuración.
# vim config/config.php 'maintenance' => true,
Borramos los locks de la table “oc_file_locks”
# mysql -u root -p owncloud DELETE FROM oc_file_locks WHERE 1;
Deshabilitamos el modo mantenimiento de OwnCloud dehaciendo el primer paso.
Red Hat Summit 2017
La Red Hat Summit fue hace poco, y nos ha dejado cosas muy interesantes 😉
Canal de Youtube de la Red Hat summit
Algunas presentaciones
- the Red Hat security roadmap,
- the Red Hat Ceph storage roadmap,
- the Red Hat CloudForms roadmap,
- the Red Hat Cloud Suite roadmap,
- the Red Hat Virtualization and KVM roadmaps,
- the Red Hat JBOSS BPM roadmap,
- Lessons learned with microservices,
- Developing real time intelligent applications with in-memory data management,
- The new OS model coming with Kubernetes and Docker,
- Hyper-Converged Infrastructure in OpenStack,
- Heterogeneous Memory Management,
- OpenShift for Operations,
- Reactive programming with Vert.x,
- Monitoring Java application performance using Thermostat,
- High availability for Red Hat Virtualization Manager,
- Demystifying systemd,
- JBoss AMQ 7,
- Utilizing persistent memory to improve database performance,
- Identity Management and Compliance in OpenShift,
- Choosing the right storage for your OpenStack cloud,
- DevSecOps the open source way,
- Node.js for building modern applications,
- Flexible, software-defined networking infrastructure,
- Common sense approaches to cloud security,
- Tuning Red Hat products for databases,
- Performance analysis and tuning of Red Hat Enterprise Linux,
- Building a fast and scalable architecture for SKY TV Video Encoding with Openshift Container Platform and Red Hat Gluster Storage,
- Security Enhanced Linux for mere Mortals,
- Red Hat Satellite Power User Tips and Tricks,
- HA Clustering with Red Hat Enterprise Linux 7.
Solucionar error “errno 111” al iniciar NFS
Es posible que nos encontremos el siguiente error al iniciar el servicio NFS.
# systemctl status nfs-server nfs-server.service - NFS server and services Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; disabled) Active: failed (Result: exit-code) since Tue 2017-05-02 17:42:54 CEST; 5s ago Process: 4005 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=1/FAILURE) Process: 4004 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS) Main PID: 4005 (code=exited, status=1/FAILURE) May 02 17:42:54 server systemd[1]: Starting NFS server and services... May 02 17:42:54 server rpc.nfsd[4005]: rpc.nfsd: writing fd to kernel failed: errno 111 (Connection refused) May 02 17:42:54 server rpc.nfsd[4005]: rpc.nfsd: unable to set any sockets for nfsd May 02 17:42:54 server systemd[1]: nfs-server.service: main process exited, code=exited, status=1/FAILURE May 02 17:42:54 server systemd[1]: Failed to start NFS server and services. May 02 17:42:54 server systemd[1]: Unit nfs-server.service entered failed state.
Para solucionar el error, deshabilitamos la versión NFS v2 y v3, de esta manera podemos solucionar el error al realizar el export.
# rpc.nfsd -d -N 2 -N 3 rpc.nfsd: Checking netconfig for visible protocols. rpc.nfsd: Enabling inet udp. rpc.nfsd: Enabling inet tcp. rpc.nfsd: Enabling inet6 udp. rpc.nfsd: Enabling inet6 tcp. rpc.nfsd: knfsd is currently down rpc.nfsd: Writing version string to kernel: -2 -3 +4 rpc.nfsd: Creating inet TCP socket. rpc.nfsd: Creating inet UDP socket. rpc.nfsd: Creating inet6 TCP socket. rpc.nfsd: Creating inet6 UDP socket.
Una vez iniciado, podemos verificar que versiones de NFS estamos exportando.
# cat /proc/fs/nfsd/versions -2 -3 +4 +4.1 -4.2
