IPS False positives caused by Vuln scanner


Is there a way to whitelist or suppress alarms for “Network and Host Exploit Mitigation and Compliance Events” based on the source AND destination IP address? We have whitelisted our vulnerability scanner IP addresses in SEPM, however there are some servers running JAVA services that “reflect” the request to their loopback IP address. When the scan occurs, we receive alerts where the scan appears to originate from the scanned IP and is destined to the loopback “127.0.0.1”.

We could suppress the alarms by whitelisting the specific IP addresses, however if they become compromised and start attacking other hosts we will not see it. If we could whitelist the specific source and destination pair, the specific activity would be omitted without blinding us to everything that originates from that host.

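As an added illustration of the source/destination-pair idea in this post (example code written here, not part of the post and not modelling SEPM's own rule engine), the Python below evaluates constructed exploit-mitigation events against a source-only allowlist and against a pair allowlist, and lists the events the source-only approach would hide:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the original post): the vulnerability
# scanner range, and the one (source, destination) pair that is expected noise,
# a Java service on 10.0.5.21 "reflecting" scanner probes to its own loopback.
SCANNER_NETS = [ip_network("10.0.99.0/28")]
PAIR_ALLOWLIST = {("10.0.5.21", "127.0.0.1")}


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    signature: str


def is_scanner(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in SCANNER_NETS)


def suppressed_by_source(ev: Event) -> bool:
    """Source-only allowlist: scanner ranges plus every host that appears as a
    source in the pair list. This silences everything those hosts ever do."""
    allowed_sources = {src for src, _ in PAIR_ALLOWLIST}
    return is_scanner(ev.src) or ev.src in allowed_sources


def suppressed_by_pair(ev: Event) -> bool:
    """Pair allowlist: scanner ranges are still suppressed outright, but the
    scanned host is only suppressed toward the destination it is known to
    reflect to."""
    return is_scanner(ev.src) or (ev.src, ev.dst) in PAIR_ALLOWLIST


def remaining_alarms(events, policy):
    """Events that still raise an alarm under the given suppression policy."""
    return [ev for ev in events if not policy(ev)]


def blind_spot(events):
    """Events a source-only allowlist hides but a pair allowlist still reports:
    the 'compromised host attacks someone else' case described in the post."""
    return [ev for ev in events
            if suppressed_by_source(ev) and not suppressed_by_pair(ev)]


# Constructed events: one scan window plus one later anomaly.
SAMPLE_EVENTS = [
    Event("10.0.99.5", "10.0.5.21", "scanner probe against Java service"),
    Event("10.0.5.21", "127.0.0.1", "probe reflected to loopback"),          # expected noise
    Event("10.0.5.21", "10.0.7.40", "scanned host probing another server"),  # must stay visible
    Event("10.0.8.8", "10.0.5.21", "unrelated host probing Java service"),
]

if __name__ == "__main__":
    for ev in remaining_alarms(SAMPLE_EVENTS, suppressed_by_pair):
        print(f"ALERT {ev.src} -> {ev.dst}: {ev.signature}")
    for ev in blind_spot(SAMPLE_EVENTS):
        print(f"HIDDEN by source-only allowlist: {ev.src} -> {ev.dst}")
```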


Firewall rules “host” logic


Hello.

I’ve already found https://support.symantec.com/us/en/article.howto80715.html, but I still have a small question left.

I want to create a firewall rule which will allow specific traffic only if (local IP) and (local MAC) match specific values.

Following the mentioned article, “The hosts that you define on either side of the connection (between the source and the destination)” use an OR condition, and “Selected hosts” use an AND condition.

That’s fine to understand if we are talking about matching only IP addresses, for example (we take any IP from the “Local” block, any IP from the “Remote” block, and connect them with an AND statement).

But, in my case, both my conditions (local IP and local MAC) are on the same side – does it mean that only “OR” is possible? Is there any way I can connect both these rules with “AND”?



Sophos Anti-virus for Linux: Linux endpoint not reporting as registering to Central though the MCS.log file and config file show that it has registered.

A Linux endpoint is not reporting as registering to the Cloud though the MCS.log file and config file show that it has registered. The following error may be seen if the Linux machine is not registered in the DNS A records or hosts file so the lookup against itself fails:

subprocess.CalledProcessError: Command '['hostname', '-f']' returned non-zero exit status 1

This is probably due to a name resolution issue when the endpoint is trying to register itself to the Cloud. During this process two DNS queries are performed from the EP: one for the AWS cloud server, the other for the Linux machine itself.

The lookup process is as follows:

  1. DNS lookup from EP for AWS cloud
  2. Once IP address is identified by DNS lookup, TLSv1 session to AWS cloud is made. (typically ‘Server Hello’ is communicated.)
  3. DNS lookup for the Linux machine itself.
  4. Once the lookup for itself is successful, the next TLSv1 session with AWS cloud is made. (typically ‘Client Hello’ is communicated.)

When this error is seen the Linux machine is not registered in the DNS A records or hosts file so the lookup against itself fails.


Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Once a record for the Linux machine has been created on the DNS server, registration with Sophos Central should proceed. Alternatively, the hosts file can be updated by adding the machine name of the Linux machine itself.



Monitoring File Changes


I have a requirement to try and monitor changes to a file. The file in this instance is the “HOSTS” file for any machine on the network (this is c:\windows\system32\drivers\etc\hosts). This is to simulate a bad actor modifying a HOSTS file to redirect traffic elsewhere. Symantec A&DC has a pre-built rule that works fine if the file is done from the local machine. As I discovered today, if a bad actor modified a file from a remote location (for example accessing the UNC path of a device on the network) this doesn’t work. Is there a way to detect this? It seems a little short-sighted to monitor a file but not be able to monitor the file if the change was done remotely. To illustrate this point a bit more clearly:

Workstation 1 has a monitored file (HOSTS) ==> Local Admin logged into (or running administratively) on Workstation 1 and modifies HOSTS file ==> SEP A&DC will detect and log this event

Workstation 1 has a monitored file (HOSTS) ==> Administrator on Workstation X or Server X (using administrator privileges) accesses UNC path of Workstation 1 and modifies HOSTS file ==> SEP A&DC does not detect or log this event.

Is this something that is able to be worked around or should this be configured through something like File Integrity?



7007242: Unable to start postgres service

This document (7007242) is provided subject to the disclaimer at the end of this document.

Environment

Novell Data Synchronizer

SUSE Linux Enterprise Server 11

Situation

Unable to start postgres service.
ERROR: "Starting PostgreSQL could not start server" while starting postgres.
"rcpostgresql status" output shows the service as unused.
ps -aux | grep sql | grep -v grep does not show postgres running.

Resolution

Troubleshooting Steps / Resolution:
  1. Edit /var/lib/pgsql/data/postgresql.conf.
  2. Change "silent_mode = on" to "silent_mode = off". This provides more information about why it is failing.
  3. Start postgresql by typing "rcpostgresql start" and pressing Enter.
  4. Check whether the following error is received. If yes, follow the steps listed below the error.

    2010-11-22 19:15:45 MST WARNING: could not create listen socket for "localhost"
    2010-11-22 19:15:45 MST FATAL: could not create any TCP/IP sockets

  • Edit /etc/hosts.
  • Make sure the following line exists at the very top. If not, add it before other statements.

    127.0.0.1 localhost

  • Edit /var/lib/pgsql/data/pg_hba.conf.
  • Make sure the following lines exist in the file. These lines are from a DataSync server; some lines may differ if this is not a DataSync server.

    local all postgres ident sameuser
    host all postgres 127.0.0.1/32 ident sameuser
    host all postgres ::1/128 ident sameuser
    local datasync all md5
    host datasync all 127.0.0.1/32 md5
    host datasync all ::1/128 md5
    local postgres datasync_user md5
    host postgres datasync_user 127.0.0.1/32 md5
    host postgres datasync_user ::1/128 md5
    local mobility all md5
    host mobility all 127.0.0.1/32 md5
    host mobility all ::1/128 md5

  • Restart the server.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


The SSO Server could not be found

Article Number: 484514 Article Version: 2 Article Type: Break Fix



NetWorker 8.2.2

– The VBA is correctly configured, no errors during VBA configuration (https://vba:8543/ebr-configure), all checks passed.

– When connecting to the VBA from vCenter, the following message appears:

“Could not connect to the requested EBR Appliance. The SSO Server could not be found”


There may be several hostnames assigned to the vCenter host, not all of which are resolvable by DNS.

For example:

//ipconfig
Host Name . . . . . . . . . . . . . . . .: server01vp
Primary Dns Suffix . . . . . . . . .: DAINFRA.ger.DE
Node Type . . . . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . .: int.ger.rz
                                      ger.rz

Make sure all of these names can be resolved from the VBA. If not, add them to /etc/hosts on the VBA:

//VBA
#cat /etc/hosts
10.10.10.10 server01vp.DAINFRA.ger.DE server01vp.int.ger.rz server01vp.ger.rz


VNX: NFS issue due to DNS resolution

Article Number: 483305 Article Version: 3 Article Type: Break Fix



VNX1 Series, VNX2 Series

Loss of access to an NFS export when a host is added to or removed from the host access list for that export.

All hosts were running either Red Hat or CentOS.

When there is a large list of hosts in the access list for an export, and those hosts are entered using Fully Qualified Domain Names (FQDN) instead of IP addresses, DNS resolution timeouts can occur, causing loss of access to the export for all the hosts in the list.

This loss of access has been reported to last between 5 and 10 minutes for an export list of 167 hosts, 3 of which had no DNS resolution.

The issue started when the customer deleted retired hosts from the DNS configuration.

It is recommended to try this solution on a test file system before applying it to a production file system.

Check DNS resolution for each host in the export list. This can be done using the “server_ping” command or, more practically, using “ping” from the Control Station if the Data Movers and the Control Station have the same DNS server configured.

Remove the hosts that fail DNS resolution from the export access list. Then check, by adding or removing a host from the list, whether access is still lost.


Physical host collecting stops after 7 days

Article Number: 502895 Article Version: 3 Article Type: Break Fix



ViPR SRM 4.0.2

Physical hosts collected by the Generic-RSC service stop collecting data after 7 days of the service being up. After seven days the service still shows as running and the logs still show only the issues seen at startup, yet data is no longer being updated for those hosts.

Customer had to restart the service to begin active collection again.

No issues with Memory, File Space, Task Failure, Server Connection Failure, etc…

Overall health of the environment looked good.

Health report did not show any heap issues.

Upon inspection we see that the time for completing collection goes up gradually during the course of the week after startup:

Completed collecting configuration GENERIC-SCRIPTS for context <hostname> in 298432 msec
...
Completed collecting configuration GENERIC-SCRIPTS for context <hostname> in 1520425 msec
Completed collecting configuration GENERIC-SCRIPTS for context <hostname> in 1624644 msec
Completed collecting configuration GENERIC-SCRIPTS for context <hostname> in 1701052 msec

Inspection of the SP setup for Generic-RSC revealed that there were 270 hosts discovered on one generic-rsc instance. The Java Heap was set to Default of 2GB and had the default 5 Threads.
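An added example (written here, not part of the original article or of ViPR SRM) that turns the observation above into a check: it parses collector-manager lines of the form quoted, groups them per context, and flags contexts whose collection time grows run after run or exceeds the polling period. The polling interval is a parameter with an assumed default, not a product value, and the log excerpt is constructed around the figures in the article:

```python
import re

# Matches the collector-manager log format quoted in the article.
LINE_RE = re.compile(
    r"Completed collecting configuration (?P<group>\S+) "
    r"for context (?P<ctx>\S+) in (?P<msec>\d+) msec"
)


def collection_times(lines):
    """Yield (group, context, milliseconds) for every matching log line, in order."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("group"), m.group("ctx"), int(m.group("msec"))


def creeping_collections(lines, poll_interval_s=3600, growth_factor=2.0):
    """Return {(group, ctx): reason} for contexts whose collection time is creeping up.

    A context is flagged when a run takes longer than the polling interval
    (poll_interval_s is an assumed value, not a product default), or when its
    times are strictly increasing and the last run took at least growth_factor
    times the first one."""
    series = {}
    for group, ctx, ms in collection_times(lines):
        series.setdefault((group, ctx), []).append(ms)

    findings = {}
    for key, times in series.items():
        if len(times) < 2:
            continue
        monotonic = all(b > a for a, b in zip(times, times[1:]))
        grew = times[-1] >= growth_factor * times[0]
        if times[-1] >= poll_interval_s * 1000:
            findings[key] = (f"last run {times[-1]} ms exceeds "
                             f"{poll_interval_s}s polling interval")
        elif monotonic and grew:
            findings[key] = (f"collection time grew from {times[0]} to "
                             f"{times[-1]} ms over {len(times)} runs")
    return findings


# Constructed log excerpt: host01 carries the figures quoted in the article,
# host02 is a stable context added for contrast, plus one non-matching line.
SAMPLE_LOG = """\
Completed collecting configuration GENERIC-SCRIPTS for context host02.example.test in 120431 msec
Completed collecting configuration GENERIC-SCRIPTS for context host01.example.test in 298432 msec
Completed collecting configuration GENERIC-SCRIPTS for context host02.example.test in 118902 msec
Completed collecting configuration GENERIC-SCRIPTS for context host01.example.test in 1520425 msec
Completed collecting configuration GENERIC-SCRIPTS for context host01.example.test in 1624644 msec
Completed collecting configuration GENERIC-SCRIPTS for context host02.example.test in 121077 msec
Completed collecting configuration GENERIC-SCRIPTS for context host01.example.test in 1701052 msec
Some unrelated collector-manager line that the parser must ignore
""".splitlines()

if __name__ == "__main__":
    for (group, ctx), reason in creeping_collections(SAMPLE_LOG).items():
        print(f"{group} / {ctx}: {reason}")
```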

The Generic Host sizing guidelines from the Performance and Scalability guidelines were used as the reference.


Customer set the Java Heap to 4GB and set the Threads to 20 on the collector.

To change the thread count:

In Centralized Management, click SolutionPacks on the left side of the screen.

Under Other components, find the Generic-RSC SP for CollectorX, click the edit symbol, open the last section, change the threads, then click Reconfigure.


To change the Java Heap for the Generic-RSC collector manager:

In Centralized Management, click collector SV65515 under Physical Overview.

Under Services, click Generic-RSC.

Then click the Configure Service button.


After performing these configuration changes the collection stabilized. Further review noted that there was no day to day increase in collecting times.



7021821: Troubleshooting Reflection X Advantage Domain Connections

There are many reasons why a connection attempt may fail. After a failure occurs, a related message is shown in the bottom of the X Manager for Domains user-interface that may help identify the problem. For example:

Use the guidelines in the sections below to troubleshoot the failed connection. This note is organized into the following troubleshooting topics:

Additional detail regarding the problem may be available in log files created by both the X Manager for Domains and the Reflection X Advantage domain controller. For more information, see the Logging section below.

Network Firewall

Note: Beginning in Reflection X Advantage 4.0, predefined ports are used. If your environment has a network firewall, you need to upgrade to 4.0.

A network firewall cannot be running between any Reflection X Advantage 3.x or earlier domain nodes, including those running the X Manager for Domains and those running a Reflection X Advantage domain controller. This is because in domain mode, Reflection X Advantage uses random, ephemeral ports for communication between all of its components. If a network firewall is running, you may see one of the following messages:

  • “Failed to establish bidirectional communication with the domain controller.”

This message appears when the Reflection X Advantage domain controller cannot connect to the X Manager for Domains.

  • “Failed to connect to host <hostname>.”

This message appears when the X Manager for Domains cannot connect to the Reflection X Advantage domain controller. Besides checking for a firewall, ensure that the RX Service is running on the Reflection X Advantage domain controller.

Resolution: Upgrade to Reflection X Advantage 4.0 or disable the network firewall between the Reflection X Advantage domain nodes.

Note: Personal firewalls can be used if they work at the application level, as the Microsoft Windows Firewall does. For information about configuring Reflection X Advantage for use with the Windows Firewall, see Technical Note 2240.

Network Address Translation

Note: Beginning in version 4.0, you can configure Reflection X Advantage to work in a NAT environment.

Network Address Translation (NAT) must not exist between nodes running Reflection X Advantage 3.x or earlier. This is because Reflection X Advantage components provide IP address information to other Reflection components for communication, which would not be updated by the NAT tables. You may see the following error message:

“Failed to establish bidirectional communication with the domain controller.”

Resolution: Upgrade to Reflection X Advantage 4.0 or disable the Network Address Translation between nodes that run Reflection X Advantage.

Logging into a Reflection X Domain

When the X Manager for Domains is launched, the following login window displays.


User name and password fields

The input required depends on how the applicable Reflection X Advantage domain controller was set up. Multiple authentication mechanisms are supported and the default mechanism varies based on operating system.

For example, if the domain controller is running on a UNIX or Linux operating system, Pluggable Authentication Modules (PAM) is the default authentication mechanism, so your UNIX or Linux user name and password would likely be required. If the domain controller is running on a Windows operating system, Windows Domain (or Windows local) is the default authentication mechanism, so your Windows domain (or Windows local) credentials would likely be required. There are other authentication mechanisms as well, such as LDAP. If you are unsure which credentials to use, check with the domain administrator.

Domain field

The name or IP address of the host running the Reflection X Advantage domain controller should be entered here.

Note: Do not enter your Windows domain in this field.

Resolution: Follow these examples.

Example 1: Logging into a Reflection X Advantage domain controller running on a UNIX host


Example 2: Logging into a Reflection X Advantage domain controller running on a Windows host


Windows Domain and Local Authentications

When Reflection X Advantage is installed on a Windows operating system and a Reflection X Advantage domain controller is created, the default authentication mechanism is a Windows domain. The Windows domain configured by default will depend on how the Windows session was logged into before installing Reflection X Advantage.

For example, if the Windows session was logged into with a user from a domain (such as ‘attachmate’), the domain configured by the Reflection X Advantage domain controller will be ‘attachmate’. If the Windows session was logged into with an account local to the Windows machine, and the PC name is ‘rxa-dc.attachmate.com’, the domain configured by the Reflection X Advantage domain controller will be ‘RXA-DC’.

Understanding which domain has been configured for a Reflection X Advantage domain controller on Windows enables users to input the appropriate credentials.

Resolution: If you are unsure which domain has been configured, check with the host or Reflection X Advantage administrator.

Mixing Versions of Reflection X Advantage

All components in a Reflection X Advantage domain must be running the same version. If attempting to use the X Manager for Domains to log into a Reflection X Advantage domain running a different version, then you may see the following message:

“Version mismatch: Local version=<build number>, Remote version=<build number>.”

Resolution: Upgrade the earlier version of Reflection X Advantage to match the newer installation.

Machines with Multiple Network Adapters

If the Reflection X Advantage domain controller has more than one network adapter, there is a chance the wrong one may be utilized by the domain controller. The correct adapter can be configured by editing the rxs.conf file on the domain controller. In that file, there will be a few entries like the following:

wrapper.java.additional.1=<keyword=value>

wrapper.java.additional.2=<keyword=value>

wrapper.java.additional.3=<keyword=value>

Resolution: Add another entry, using the next number in sequence, and the keyword and value combination below:

wrapper.java.additional.4=-Djava.rmi.server.hostname=<IP address of correct network adapter>

After making this change, restart the RX service.

Domains on Linux

Note: The information in this section does not apply to version 4.0 or higher.

When you try to log on to a Reflection X Advantage domain, you receive a “Permission Denied,” “Failed to connect to domain,” or “Domain communication error” message.

Machines used with Reflection X Advantage must have a host name that is resolvable either through DNS or by an entry in a hosts file. Some Linux distributions place an entry in /etc/hosts that maps the machine’s host name to an address in the local loopback space (127.0.0.2 or 127.0.1.1, for example); using a local loopback address causes communication issues in Reflection X Advantage.

Resolution: Upgrade to Reflection X Advantage version 4.0, or remove entries in /etc/hosts that map the host name to a local loopback address, or add an entry containing the machine’s true IP address and host name to the hosts file.
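Three notes on this page come down to the same /etc/hosts hygiene: the Sophos Linux endpoint fails to register when `hostname -f` cannot resolve the machine's own name, the PostgreSQL note requires `127.0.0.1 localhost` as the first entry, and this Reflection X Advantage 3.x section requires the host name not to live only on a loopback address. The following added Python (example code written here, not from any of these vendors) parses hosts-file content and reports all three conditions; the sample files and the host name rxnode01 are constructed:

```python
import ipaddress

LOCALHOST_V4 = ipaddress.ip_address("127.0.0.1")


def parse_hosts(text):
    """Parse /etc/hosts content into [(address, [names...]), ...] in file order.
    Comments and blank lines are skipped; lines whose first field is not an IP
    address are ignored rather than treated as fatal."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((addr, fields[1:]))
    return entries


def addresses_for(entries, name):
    """Every address a name maps to; host names are matched case-insensitively."""
    wanted = name.lower()
    return [addr for addr, names in entries if wanted in (n.lower() for n in names)]


def check_hosts(text, hostname, fqdn, require_non_loopback=True):
    """Return a list of findings; an empty list means the file passes.

    Checks, in order:
      1. the first entry is '127.0.0.1 localhost' (PostgreSQL listen-socket note);
      2. the short name and the FQDN both resolve (otherwise `hostname -f` fails,
         which is the Sophos Central registration symptom);
      3. with require_non_loopback, the machine's own names have at least one
         non-loopback address (Reflection X Advantage 3.x domains on Linux)."""
    findings = []
    entries = parse_hosts(text)

    if not entries or entries[0][0] != LOCALHOST_V4 or "localhost" not in entries[0][1]:
        findings.append("first entry is not '127.0.0.1 localhost'")

    for name in (hostname, fqdn):
        addrs = addresses_for(entries, name)
        if not addrs:
            findings.append(f"{name} does not resolve via the hosts file")
        elif require_non_loopback and all(a.is_loopback for a in addrs):
            listed = ", ".join(str(a) for a in addrs)
            findings.append(f"{name} maps only to loopback ({listed})")
    return findings


# Constructed sample files (addresses from the documentation range 192.0.2.0/24).
DISTRO_DEFAULT = """\
127.0.0.1   localhost
127.0.1.1   rxnode01.example.test rxnode01   # distribution default: own name on loopback
::1         localhost ip6-localhost ip6-loopback
"""

CORRECTED = """\
127.0.0.1   localhost
192.0.2.15  rxnode01.example.test rxnode01   # the machine's real address
::1         localhost ip6-localhost ip6-loopback
"""

WRONG_ORDER = """\
::1         localhost
192.0.2.15  rxnode01.example.test
"""

if __name__ == "__main__":
    samples = [("distro default", DISTRO_DEFAULT), ("corrected", CORRECTED),
               ("wrong order", WRONG_ORDER)]
    for label, text in samples:
        print(label, check_hosts(text, "rxnode01", "rxnode01.example.test") or ["ok"])
```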

Connections to Domain Nodes

You may be able to log into the domain, but when you try to start a session, a message like the following displays:

Failed to connect to node:127.0.0.2:22002

This message may display if there is a firewall blocking access to the node, or if there is a problem resolving the IP address (for example, in a NAT environment). If the problem is due to an incorrect or unusable IP address, starting in version 4.0, an alternate address can be configured as a fallback. The alternate address can be created using the rxsconfig command line utility or the X Administrative Console.

Request Technical Support

If you have worked through this technical note and are still unable to connect, contact Attachmate Technical Support. For information about contacting Attachmate technical support, see http://support.attachmate.com/contact/.

If you are asked to send in a log file, follow the steps below.

Logging

Logs are generated for the X Manager for Domains, the Reflection X Advantage domain controller, and the Reflection X Advantage domain nodes. See the log locations below, along with information about how to increase logging if needed.

Note: All log files in version 3.0 and earlier are named output.txt. Beginning with version 4.0, logging information has been broken down into a larger number of files, each with a descriptive name such as “xmanager.log” and “domain.log”.

X Manager for Domains:

Windows: %USERPROFILE%\attachmate\rx\logs

UNIX: ~/attachmate/rx/logs

Reflection X Advantage domain controller:

Windows: %ALLUSERSPROFILE%\attachmate\rx\logs

UNIX: /opt/rxadvantage/logs

Sometimes a higher level of logging is required than what is provided by default. You can enable debug logging by using the file provided here for download from the Attachmate Download Library: log.xml.

To use the log.xml file, follow the steps below.

  1. Download and save the file into the appropriate directory on each system running Reflection X Advantage for which you want to increase debugging.

Windows – Reflection X Advantage standalone installation:

C:\Program Files\Attachmate\Reflection X Advantage

Windows – Installed with Reflection X 2011:

C:\Program Files\Attachmate\Reflection

UNIX: /opt/rxadvantage

  2. Edit this file entry to specify the location and name for the debug log:

<param name="file" value="path/file_name"/>

Windows Example:

<param name="file" value="c:/path/rxa.log"/>

UNIX Example:

<param name="file" value="path/rxa.log"/>

  3. Restart the X Manager for Domains and the RX Service on the domain controller so that the new logging takes effect.

Note: All Reflection X Advantage logging will be redirected to the files specified. Once the debug log has been taken or the connection problem resolved, we recommend you remove the log.xml file and restart the appropriate Reflection X Advantage component(s).

Uploading

To upload the log file, see https://upload.attachmate.com/.


7022650: AUTOYAST how to modify autoyast file on the fly.

—snip—

<ask>
  <title>Customize the automatic installation</title>
  <dialog config:type="integer">1</dialog>
  <element config:type="integer">1</element>
  <!-- remove direct assignment and use script instead
  <pathlist config:type="list">
    <path>networking,dns,hostname</path>
  </pathlist>
  -->
  <question>Enter Hostname (server name)</question>
  <stage>initial</stage>
  <default>linux</default>
  <script>
    <feedback config:type="boolean">true</feedback>
    <rerun_on_error config:type="boolean">true</rerun_on_error>
    <environment config:type="boolean">true</environment>
    <debug config:type="boolean">true</debug>
    <filename>my-host.sh</filename>
    <source>
<![CDATA[
#!/bin/bash
# $VAL holds the value entered in the ask dialog.
HOSTNAME=$VAL
# Replace the placeholder and delete the whole <ask-list> block from the
# profile, writing the result to modified.xml.
sed -e "s/%%HOSTNAME%%/$HOSTNAME/g" \
    -e "/^\s*<ask-list/,/ask-list>$/d" \
    /tmp/profile/autoinst.xml > /tmp/profile/modified.xml
]]>
    </source>
  </script>
</ask>
…
<dns>
  <dhcp_hostname config:type="boolean">true</dhcp_hostname>
  <domain>example.suse.de</domain>
  <hostname>%%HOSTNAME%%</hostname>

—snap—

“%%HOSTNAME%%” is used as a placeholder within the XML, to be filled in with the answer to the ask.

$HOSTNAME is assigned from $VAL (the value entered in the dialog) and used by the sed command to replace the placeholder and create modified.xml.

To process two or more asks you need to run a script for each.

Note: in shell parameter expansion, # and ## strip from the left end (beginning) of the string, % and %% from the right end.

Another example with several asks:

….

<ask-list config:type="list">
  <!-- BEGIN Dialog 20 - Network -->
  <ask>
    <title>Customize your network settings</title>
    <dialog config:type="integer">20</dialog>
    <element config:type="integer">1</element>
    <width config:type="integer">70</width>
    <height config:type="integer">20</height>
    <help><![CDATA[
<p><b>Hostname</b><br>Enter a hostname without the domain part.</p>
]]></help>
    <pathlist config:type="list">
      <path>networking,dns,hostname</path>
    </pathlist>
    <file>/tmp/may_q_hostname</file>
    <question>Hostname</question>
    <stage>initial</stage>
    <default>linuxbox</default>
    <script>
      <filename>my_host.sh</filename>
      <rerun_on_error config:type="boolean">true</rerun_on_error>
      <environment config:type="boolean">true</environment>
      <source><![CDATA[
# First ask: substitute the hostname into a fresh copy of the profile.
HOSTNAME=$VAL
sed -e "s/%%HOSTNAME%%/$HOSTNAME/g" \
    /tmp/profile/autoinst.xml > /tmp/profile/modified.xml
]]></source>
      <debug config:type="boolean">false</debug>
      <feedback config:type="boolean">true</feedback>
    </script>
  </ask>

  <ask>
    <dialog config:type="integer">30</dialog>
    <element config:type="integer">1</element>
    <help><![CDATA[
<p><b>Network Domain</b><br>Enter the domain for your network.</p>
]]></help>
    <pathlist config:type="list">
      <path>networking,dns,domain</path>
    </pathlist>
    <file>/tmp/may_q_dnsdomain</file>
    <question>Network Domain</question>
    <stage>initial</stage>
    <default>example.com</default>
    <script>
      <filename>my_host.sh</filename>
      <rerun_on_error config:type="boolean">true</rerun_on_error>
      <environment config:type="boolean">true</environment>
      <source><![CDATA[
# Subsequent asks edit modified.xml in place.
DOMAIN=$VAL
sed -i -e "s/%%DOMAIN%%/$DOMAIN/g" \
    /tmp/profile/modified.xml
]]></source>
      <debug config:type="boolean">false</debug>
      <feedback config:type="boolean">true</feedback>
    </script>
  </ask>

  <ask>
    <dialog config:type="integer">30</dialog>
    <element config:type="integer">2</element>
    <help><![CDATA[
<p><b>IP Address</b><br>Enter a free IP address for this host.</p>
]]></help>
    <pathlist config:type="list">
      <path>networking,interfaces,3,ipaddr</path>
    </pathlist>
    <file>/tmp/may_q_ip_addr</file>
    <question>IP Address</question>
    <stage>initial</stage>
    <default>10.0.0.20</default>
    <script>
      <filename>my_ip.sh</filename>
      <rerun_on_error config:type="boolean">true</rerun_on_error>
      <environment config:type="boolean">true</environment>
      <source><![CDATA[
# Last ask: substitute the address, then delete the whole <ask-list> block
# from the modified profile.
IPADDR=$VAL
sed -i -e "s/%%IPADDR%%/$IPADDR/g" \
    -e "/^\s*<ask-list/,/ask-list>$/d" \
    /tmp/profile/modified.xml
]]></source>
      <debug config:type="boolean">false</debug>
      <feedback config:type="boolean">true</feedback>
    </script>
  </ask>

</ask-list>

…..

<host>
  <hosts config:type="list">
    <hosts_entry>
      <host_address>127.0.0.1</host_address>
      <names config:type="list">
        <name>localhost</name>
      </names>
    </hosts_entry>
    <hosts_entry>
      <host_address>%%IPADDR%%</host_address>
      <names config:type="list">
        <name>%%HOSTNAME%%.%%DOMAIN%% %%HOSTNAME%%</name>
      </names>
    </hosts_entry>
    <hosts_entry>
      <host_address>::1</host_address>
      <names config:type="list">
        <name>localhost ipv6-localhost ipv6-loopback</name>
      </names>
    </hosts_entry>
    <hosts_entry>
      <host_address>fe00::0</host_address>
      <names config:type="list">
        <name>ipv6-localnet</name>
      </names>
    </hosts_entry>
    <hosts_entry>
      <host_address>ff00::0</host_address>
      <names config:type="list">
        <name>ipv6-mcastprefix</name>
      </names>
    </hosts_entry>
    <hosts_entry>
      <host_address>ff02::1</host_address>
      <names config:type="list">
        <name>ipv6-allnodes</name>
      </names>
    </hosts_entry>
    <hosts_entry>
      <host_address>ff02::2</host_address>
      <names config:type="list">
        <name>ipv6-allrouters</name>
      </names>
    </hosts_entry>
    <hosts_entry>
      <host_address>ff02::3</host_address>
      <names config:type="list">
        <name>ipv6-allhosts</name>
      </names>
    </hosts_entry>
  </hosts>
</host>
