Install/Update OSSIM/OSSEC agent (AlmaLinux 8.6 or CentOS)

This is an update to the previous CentOS installation of OSSEC 3.6 (here: https://cheesefather.com/2020/06/install-ossim-ossec-agent-centos-7/), updating it to 3.7. You need one more library installed before OSSEC can update:

dnf -y install systemd-devel
wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
tar xzf 3.7.0.tar.gz
cd ossec-hids-3.7.0/
./install.sh

Or to install from scratch, just change the first command and add the other requirements: dnf -y install […]

Install PHP 7.4 on CentOS 8

This is surprisingly simple if you don’t want to mess around with multiple versions and just switch to 7.4. Run as root:

# dnf -y module reset php
# dnf -y module install php:7.4

Then in my installation a few pecl modules needed to be reinstalled (zip needs the extra step below): # pecl uninstall imagick […]

VPS Benchmarks: Amazon EC2 and Lightsail, Azure, DigitalOcean, Google, Hostworld, Linode, OVH, UpCloud, VPSServer, VPS.net, Vultr

I recently needed to have a look at moving some services to a different VPS provider for redundancy so I decided to benchmark my options to compare them. The plan selected was whichever had 16GB of RAM (though Google is 15GB). The selected datacenter was always London (Azure only says UK South). The fastest storage […]

Install OSSIM/OSSEC agent (CentOS 7)

I couldn’t find proper instructions on doing this anywhere so here are mine: In your OSSIM portal go to Environment -> Assets & Groups -> Add Assets and enter the name/IP of the asset you want to add. On the agent run:

yum -y install libevent-devel pcre2-devel openssl-devel
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar xzf 3.6.0.tar.gz
cd ossec-hids-3.6.0/
./install.sh

…select the defaults […]

Postfix ban failed logins script

Fail2ban hasn’t been working for me, I still have people running brute force attacks on my Postfix server, so I thought I’d rig up something myself. This consists of a bash script that identifies multiple failures and bans them, run on cron every 10 minutes. It checks for both smtp and pop/imap login failures. #!/bin/sh […]

Linode Xen to KVM upgrade breaks quotas

On a Linode Virtualmin CentOS 6 the upgrade from Xen to KVM breaks quotas with the following error: repquota: Cannot stat() mounted device /dev/root: No such file or directory The issue is that the symbolic link /dev/root is linking to /dev/xvda which has been replaced by /dev/sda so the symlink just needs to be replaced: […]

Fix nss-softokn rpm/yum issue in CentOS 6

The recent update to nss-softokn breaks rpm/yum updates in CentOS 6. To restore functionality run these commands:

For 64-bit:

# wget http://mirror.centos.org/centos/6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm
# rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv
# cd lib64
# cp libfreeblpriv3.* /lib64
# yum update

For 32-bit:

# wget http://mirror.centos.org/centos/6/updates/i386/Packages/nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm
# rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm | cpio -idmv
# cd lib
# cp libfreeblpriv3.* […]

WordPress Distributed Botnet Attack Blocker

After the recent global distributed botnet attack on WordPress installations that took down servers and broke into admin accounts, I thought I’d write a plugin to prevent it happening again. Distributed botnet attacks can come from multiple IP addresses and locations at the same time, so conventional IP-based lockouts are not effective (e.g. those found […]

Dovecot brute-force blocking with fail2ban

If you are getting any brute force attacks to your dovecot imap/pop3 server, install fail2ban to block the offenders. This works on CentOS 5.7. For other distributions, see the relevant websites. Firstly, install fail2ban. You should have the rpmforge repo from my previous post. Enable it first to install fail2ban:

# cd /etc/yum.repos.d/
# vi […]