Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Search - "rhel"
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜
Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.
First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.
Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.
Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.
Dealing with attacks and getting hacked.
Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.
linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)
How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!
One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)
Dealing with different kinds of attacks:
Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.
So yah, hereby :P38
I hate asking for help on here as this place is mostly not intended for that but fuck it for now, I need help on this one!
Installing Arch isn't working for me. Installing any other Linux system (debian or RHEL based) works great.
I've seen some things online about EFI files and so on but I honestly don't understand what that stuff is (about).
Today I fucking learnt that RHEL is no longer an open source operating system in the full meaning of the terms starting from 8 onward as it shifts toward being a binary only distribution.
What does this mean? Historically in RHEL you could install packages that would allow you to compile software that would use the system libraries.
Now you can't. These packages are being taken away and no longer provided.
If you wanted an operating system you could develop on or build software on well you need something other than RHEL.
The OS is now crippled. There's a bunch of things you used to be able to do where as now you have to pay for a support contract.25
Autodesk + Linux is such a goddamn clusterfuck.
Firstly, they only release RPM builds for Maya, and say that they officially support RHEL and CentOS only.
No support for Debian, Arch, etc. What. The. Fuck.
Fine. Okay. Corporate policy. I can live with that. I use alien to convert the RPMs to DEBs on my ZorinOS installation and then found a script which does the installation for me. Cool.
Installs with a few library fuckups. Okay, no problem. I added the missing library versions (ancient libpng and libtiff). I run it. It throws up with some error involving licensing.
Upon searching it seems that Maya 20-fucking-17 can't handle the "new" consistent device naming system (the one which renames eth0 to enp1s0 or whatever). WHAT THE FUCK. Okay. Found a way to disable that. No effect. It's doing the equivalent of a boot loop with the same error.
Wow. This is the leading player in 3D content creation software :/
(As an aside, I did try to install Fedora 28 but it keeps failing with a TPM error. Yay for Linux distro quirks).1
Decided to install new CentOS to prepare for Red Hat exams.
a) had to disable VirtualBox Audio and USB otherwise it got stuck during boot (lvm2 masking did not help)
b) First command - "dnf update". Crashed in middle of the process and completely screwed dnf/yum (TWICE!). Went through just fine when executed from runlevel 3.
So far it held up to the name Enterprise Linux because this is the exact out of box clusterfuck I would expect from a corporate.4
Just like JS frameworks, everyone is trying to reinvent the wheel with an OS, now more than ever. Some give it a better tread, but things are hardly ever adopted by the end-user, unless proven to be a leader.
This is where Windows and macOS excel.
I have a love/hate relationship with Ubuntu, and use CentOS 7 for my servers (so I can get genuine, hands-on Debian/RHEL experience) but honestly, it ends there for me - which, again, is close to lightyears away from what the average person would use outside of our industry's cliche.
However, just like JS frameworks, there's a reason that each one exists; to fill a gap the others don't. This is where it gets a bit personal to me, and reflects a habitual mistake made by the human race, in general.
If we simply worked together towards setting true standards based on non-competitive collaboration - we'd be happier, positive, and much more productive.
Being forced to migrate an application written to to run on Solaris 9, which uses Sun ONE Webserver, Netscape LDAP Server and Cold fusion and migrate it to RHEL 7.3 ppc64le before the 3rd of January (I was only told about the project this morning), and I'm told I *have* to use the exact same technologies and versions. I'm on leave for Xmas from the 22 until the 5th of Jan. I know exactly where they can put their arbitrary management deadlines.2
Discovered this dumb backdoor into http://tutorialspoint.com/codinggro... months ago (June 2019). It's in Project>Compilation Options
It lets you execute any command on their server. I found a lot out:
The system is Red Hat based (Fedora/CentOS/RHEL)
It uses Linux kernel 3.20
It has 251GB of RAM
It has an 800GB HDD
Its IP is 172.17.0.2
Its main username is cg
It uses systemd init9
FML. Just when I finally managed to dual boot win10 and centos, only to just read the news of RHEL change its focus and shift to make me a beta user into Centos Stream. Time to distro hop to Arch.7
So for the past one month I'm working on an enhancement in a product coded in C++ and shell script, running on RHEL. After toiling away for almost 10 hours/day for a month, the enhacement is ready. Coded, tested, documented. Ready to ship.
The client is supposed to recieve the update as a drop. 1 day before the drop is scheduled to be released to Quality Control, I fire an overnight build on the build machine, update the change request ticket, update other related tickets, inform QC of the drop to be released tomorrow. On the D-day, I package the drop using the company's painfully arduous method. Everything is ready by the evening, and the drop is good to go.
At 7pm (one hour before the drop is to be released), Jack fucking Jack-o-lantern (one of the top most exec in the company) tells me that the default value of the parameter introduced in the enhancement, needs to be changed from 86400 to 1500. HALF AN HOUR BEFORE THE DROP IS TO BE RELAEASED!
Now here I am, changing the value in over 25 files, followed by firing an overnight build, followed by sanity testing, change specific testing, followed by drop packaging, followed by inform QC that the drop will be delayed.
All because fucking jack-o-lantern wanted to change the fucking default value.
GOOD FOR YOU FUCKING JACK.2
Linux is great - to tinker, to pull in all your FOSS, mess around...
But it's so fucked up, if you actually build and maintain a product on it, i.e. try to distribute s.th. in binary for money even. It's just not intended. If you offer your code for free, you can always say: "Ah, just compile it yourself. You might need these 29 dependencies, of which 2 are not even checked by configure, oops, and now it crashes, maybe in that qt library version, you picked there's still a bug?.. you know, it worked on my machine, sorry."
But if you sell it, it better install and run! And even if you target only the main distros of all that fragmented Linuverse - let's say, Debian, Ubuntu, RHEL, CentOS, Fedora, and if you're in Germany OpenSuSE and SLES, you'll start to see the crap of work you're up with. What you could try is to orchestrate a docker fleet with one container per distro, where you take the oldest version you still support compile a newer gcc there (to at least have C++11) and all your third party libs and then hope the resulting binary runs on all the newer versions of that distro, too.
(You could even be so brave as to try to pick a deb and rpm distro to build for all other distros.)
But ABI incompatibility can still bite you. For instance we once had the insane case, that our GUI would no longer start just by switching the Window-Manager to KDE.8
A heads up for all you java people: this took me fucking hours to figure out https://access.redhat.com/solutions... latest kernel patch on rhel 5+ has fucked the JVM, using -Xss2m made it work on rhel 5. Looks to have been caused by a security fix for stack gaurd.
2 weeks into my industrial placement year during University I was tasked with writing a rhel .rpm file to install our software.
Within this script contained rm -rf ... you can see where this is going, right?
Well this command was meant to delete a local usr/bin folder during the cleanup, and it did! But I must have accidentally changed something, and instead of staying local, it bounced to /. Goodbye usr/bin. Goodbye 2 weeks worth of progress. Hello angry infrastructure team...1
Okay, so because my desktop has an APU (AMD A8-3850) and a dedicated GPU (AMD R9 380) in it, and i'm finally getting a (small, probably 240GB because budget) SSD for it, what Linux distro should I use? I'm planning on doing libvirt passthrough for Windows using my APU because fuck running it as a main anymore, it breaks too often. As far as I can tell, my options are as such, family-wise:
- Debian kernel: amdgpu doesn't like that I have an APU and GPU and refuses to see a screen (yes, even after all the Xorg configs and xrandr bullshit and kernel flags and...)
- RHEL: a lot of Red Hat-based distros (mainly Fedora) have packages that are broken out-of-repo and out-of-box recently, but maybe it'll like my hardware? (It's been a few Fedora releases since I last tried it, is this fixed? CentOS has such old packages that it's not even worth bothering with for my needs.)
- Arch kernel: go fuck yourself, i don't wanna take 1000 hours to get it running for a week, nor would the updates be any better than Windows' current problem (or even more so, as slightly more often than not Windows' broken updates just add annoyances and don't hose the system.)
did I miss any?29
Yoo fellow devs... And sysAdmins??
We're tasked with migrating our apps from current HP UX server to RHEL...
Most of our apps run on Tomcat 7 and weblogic...
We also have Oracle DB Enterprise Edition...
Just wondering if any of you out there from the stone age have done this recently... Any tips.. Warnings... Advice on the matter??
You know you have to deal with annoying things when you take on a guard duty role and yes, we signed up for it because of the mullah.
However, you also want to do this with a reliable and robust monitoring and alerting systemthat you can depend on! And no i am not going to advertise a product for this... What i will tell you is which one to avoid.
Meet Quest "Foglight" ... It does EVERYTHING! It monitors, it alerts, it does trend watching it does fancy shmancy graphics, it does reporting, it is very extendable... WAUW, right! right?
Well, if you were stuck somewhere in 2005-2010 maybe... But this fucklight is cutting short on EVERYTHING
Today , i got called up at 3:30 in the morning (i am typing this after the incident) because this shit of a system has "HIgh Availability" by basically letting the FMS server suck each others jaggons and hope it somehow respons. This is a sort of keepalived thing, but on proprietary java tech..
Oh, yes, it's written on java and... yes.. Java 6
This means that, effectively we are running RHEL5 machines (yes, RHEL 5!!!) because something more modern in place? nope.
I have no idea anymore what i am ranting about, i'm tired, i'm tired of this shit, i'm tired of getting called up just because of some dude has been cussing up a sales representative, sucked each others jaggons and pushed the federal goverment with a shit solution for almost a decade now.
Fuck Quest software, because did you really think you would get enterprise level support for an enterprise product which you payed enterprise euro's for it? You are so naive, how cute...
And consequently : Fuck Dell and Good job Dell.. For purchasing quest software, mess around with it, and then dump it back to the market... Srsly Dell , you were like me when i had this hot ass chick as a girlfriend but later seemed to be too crazy to justifiably tolerate compared to her hotness. Dump it like it's trump.
Oh, and, wauw! Foglight graced us with a successful startup process after .. what.. 6 times restarting? In 2 hours... With 12 CPU's and 128 GB ram and .... oh fuck this you don't deserve such resources.4
Which is better; Ubuntu or Fedora? I'm debating moving to Fedora as a daily driver but information online is a bit all over the place.5