Wednesday, October 26, 2016

LogAnalyzer Delete Records

LogAnalyzer really is a nice piece of open source software;
using it to collect and analyse syslog messages is about as simple and practical as it gets!

Official site
http://loganalyzer.adiscon.com/

Demo
http://loganalyzer-demo.adiscon.com/

This time, though, what I want to do is delete the old records from before 2015. The official wiki explains it as follows:

http://wiki.rsyslog.com/index.php/LogAnalyzer_Delete_Records

.....


Samples

All samples assume that the data to be deleted is contained in logstream 2.

Delete all data
  php maintenance.php cleardata 2 all

Delete all data older than 1 hour
  php maintenance.php cleardata 2 olderthan 3600

Some typical values are
60 - one minute
3,600 - one hour
86400 - one day
2592000 - 30 days, roughly one month

Delete all data before 2008-11-18
  php maintenance.php cleardata 2 date 11 18 2008
....


In short, the maintenance.php script does the job. One thing to watch: the wiki samples above spell the operation cleardata, but the script itself names it cleandata, and that is the form that worked for me below.

maintenance.php (excerpt from the script below; it carries the usage samples too)

The ID can be looked up in the web interface.


// --- BEGIN Custom Code
        //Additional Includes
        include($gl_root_path . 'include/functions_debugoutput.php');

        // Run into Commandline part now!
        /* Only run if we are in command line mode
        *
        *       Possible Operation Types:
        *       cleandata               =       If you want to clear data from a logstream source, you can use this operation type.
        *                                               Be careful using this option, any deletion process cannot be undone!
        *                                               Sample 1: Delete all data in the logstream with id 2
        *                                                       php maintenance.php cleandata 2 all
        *                                               Sample 2: Delete all data older than 60 seconds in the logstream with id 2
        *                                                       php maintenance.php cleandata 2 olderthan 60
        *                                               Sample 3: Delete all data before 2008-11-18 in the logstream with id 2
        *                                                       php maintenance.php cleandata 2 date 11 18 2008
        *
        */


How to find the ID is illustrated below (the official site explains it as well): it is the numeric ID shown next to each source in the Sources list of the web admin interface.


The script lives in the cron directory:

[root@cacti cron]# pwd
/var/www/html/loganalyzer/cron

[root@cacti cron]# ls -la
total 36
drwxr-xr-x  2 root root 4096 Oct 27 11:39 .
drwxr-xr-x 14 root root 4096 Oct 27 10:35 ..
-rw-r--r--  1 root root 7551 May 17  2013 cmdreportgen.php
-rw-r--r--  1 root root   31 May 17  2013 .htaccess
-rw-r--r--  1 root root   68 May 17  2013 maintenance.bat
-rw-r--r--  1 root root 7251 May 17  2013 maintenance.php
-rw-r--r--  1 root root   89 May 17  2013 maintenance.sh
[root@cacti cron]#

Let's do it:

[root@cacti cron]# php maintenance.php cleandata 1 date 1 1 2015 
Num. Facility . Debug Message
1. Information. CleanData. Cleaning data for logstream source 'My Syslog Source'.
2. Information. CleanData. Successfully connected and found '3203148' rows in the logstream source.
3. Information. CleanData. Performing deletion of data entries older then '2015-01-01'.
4. Information. CleanData. Successfully Deleted '446346' rows in the logstream source.'
[root@cacti cron]# 
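Because a cleandata run cannot be undone, I want to know how many rows it will hit before I type the real command. The following Python script is an added example, not part of LogAnalyzer or of this post: it accepts the same three argument forms as maintenance.php (all / olderthan SECONDS / date MONTH DAY YEAR), turns them into a cutoff on SystemEvents.ReceivedAt, and counts the rows in scope before deleting anything. An in-memory SQLite table with constructed rows stands in for the real MySQL Syslog database; the table and column names follow rsyslog's SystemEvents schema, and the "row exactly at the cutoff is kept" behaviour matches the "older than 2015-01-01" wording of the tool's own output.

```python
"""Dry-run companion to LogAnalyzer's `maintenance.php cleandata`.

Added example, not part of LogAnalyzer or the original post. It accepts the
same three argument forms (all / olderthan SECONDS / date MONTH DAY YEAR),
turns them into a cutoff on SystemEvents.ReceivedAt, and reports how many rows
are in scope before anything is deleted, because the deletion itself cannot be
undone. An in-memory SQLite table with constructed rows stands in for the real
MySQL `Syslog` database; the table and column names follow rsyslog's schema.
"""
import sqlite3
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"   # ReceivedAt is compared as text in this format


def cutoff_from_args(args, now=None):
    """Map maintenance.php-style arguments to a cutoff datetime.

    Returns None for 'all'; otherwise rows with ReceivedAt < cutoff are in scope.
    """
    now = now or datetime.now()
    mode = args[0]
    if mode == "all":
        return None
    if mode == "olderthan":
        return now - timedelta(seconds=int(args[1]))
    if mode == "date":                       # month day year, as in the wiki
        month, day, year = (int(x) for x in args[1:4])
        return datetime(year, month, day)
    raise ValueError("unknown cleandata mode: %r" % mode)


def in_scope_clause(cutoff):
    """WHERE clause plus parameters selecting the rows a run would delete."""
    if cutoff is None:
        return "", ()
    return " WHERE ReceivedAt < ?", (cutoff.strftime(DATE_FMT),)


def count_in_scope(conn, cutoff):
    where, params = in_scope_clause(cutoff)
    return conn.execute("SELECT COUNT(*) FROM SystemEvents" + where,
                        params).fetchone()[0]


def delete_in_scope(conn, cutoff):
    """Perform the deletion and return the number of rows removed."""
    where, params = in_scope_clause(cutoff)
    removed = conn.execute("DELETE FROM SystemEvents" + where, params).rowcount
    conn.commit()
    return removed


def make_sample_db():
    """Constructed stand-in for the Syslog database: seven events, four of
    them received before 2015-01-01 (a row exactly at the cutoff is kept)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SystemEvents (ID INTEGER PRIMARY KEY, "
                 "ReceivedAt TEXT, Message TEXT)")
    rows = [("2014-03-01 08:00:00", "old 1"), ("2014-07-15 12:30:00", "old 2"),
            ("2014-12-31 23:59:59", "old 3"), ("2014-12-31 23:59:59", "old 4"),
            ("2015-01-01 00:00:00", "kept: at cutoff"),
            ("2016-10-26 09:00:00", "kept: recent"),
            ("2016-10-27 11:39:00", "kept: recent")]
    conn.executemany("INSERT INTO SystemEvents (ReceivedAt, Message) "
                     "VALUES (?, ?)", rows)
    conn.commit()
    return conn


def run(conn, args, dry_run=True, now=None):
    """Report like maintenance.php does; delete only when dry_run is False."""
    cutoff = cutoff_from_args(args, now)
    total = count_in_scope(conn, None)
    scoped = count_in_scope(conn, cutoff)
    print("Found %d rows; %d in scope for 'cleandata %s'%s"
          % (total, scoped, " ".join(args), " (dry run)" if dry_run else ""))
    return scoped if dry_run else delete_in_scope(conn, cutoff)


if __name__ == "__main__":
    db = make_sample_db()
    run(db, ["date", "1", "1", "2015"])                   # 4 of 7, nothing deleted
    run(db, ["date", "1", "1", "2015"], dry_run=False)    # deletes those 4
    run(db, ["olderthan", "86400"], now=datetime(2016, 10, 27, 12, 0))  # 2 of 3
```

Against the real database the same count is a single query, `SELECT COUNT(*) FROM SystemEvents WHERE ReceivedAt < '2015-01-01'`, run through the mysql client before calling maintenance.php; the script above just makes the argument-to-cutoff mapping explicit and keeps the check and the deletion apart. Take a mysqldump of the Syslog database first in any case.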


Then run mysqlcheck to check (-c), analyze (-a), optimize (-o) and repair (-r) the MySQL database and give back the disk space freed by the deleted rows. This only reclaims space for tables that keep their own data files (MyISAM, or InnoDB with innodb_file_per_table); InnoDB tables living in the shared ibdata1 tablespace do not shrink on disk, which is why ibdata1 is unchanged in the before/after listing further down. Optimizing rebuilds each table and, on MyISAM, holds a table lock while doing so, so pick a quiet time.

[root@cacti cron]# mysqlcheck -a -c  -o -r Syslog 
Syslog.SystemEvents                                OK
Syslog.SystemEventsProperties                      OK
Syslog.logcon_charts                               OK
Syslog.logcon_config                               OK
Syslog.logcon_dbmappings                           OK
Syslog.logcon_fields                               OK
Syslog.logcon_groupmembers                         OK
Syslog.logcon_groups                               OK
Syslog.logcon_savedreports                         OK
Syslog.logcon_searches                             OK
Syslog.logcon_sources                              OK
Syslog.logcon_users                                OK
Syslog.logcon_views                                OK
[root@cacti cron]#

Before and after:
(before)
[root@cacti cron]# du /var/lib/mysql/* -hs 
51M /var/lib/mysql/cacti
10M /var/lib/mysql/ibdata1
5.0M /var/lib/mysql/ib_logfile0
5.0M /var/lib/mysql/ib_logfile1
1000K /var/lib/mysql/mysql
0 /var/lib/mysql/mysql.sock
656M /var/lib/mysql/Syslog
4.0K /var/lib/mysql/test

(after)
[root@cacti cron]# du /var/lib/mysql/* -hs 
51M /var/lib/mysql/cacti
10M /var/lib/mysql/ibdata1
5.0M /var/lib/mysql/ib_logfile0
5.0M /var/lib/mysql/ib_logfile1
1000K /var/lib/mysql/mysql
0 /var/lib/mysql/mysql.sock
446M /var/lib/mysql/Syslog
4.0K /var/lib/mysql/test
[root@cacti cron]#

Done.

Wednesday, October 19, 2016

Apache: disable the RC4 cipher and stop using the SSLv3 and TLSv1.0 protocols


Background reading

Yesterday a colleague asked me how to disable the RC4 cipher in Apache,
so I tidied up this short note for anyone who needs it.


The widely used RC4 cipher can now be broken quickly; researchers urge everyone to stop using it
http://www.ithome.com.tw/news/97445


Google finds an SSL 3.0 flaw: beware the POODLE attack!
http://www.ithome.com.tw/news/91571

The TLS protocol isn't safe either; enterprises must carefully review internal vulnerabilities
http://www.ithome.com.tw/promotion/93094

TL;DR --> do not use insecure ciphers or protocols


#vi /etc/httpd/conf.d/ssl.conf ( CentOS 6 / httpd 2.2 default file location )


Original: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Checking for RC4 with nmap gives:

[root@bbb conf.d]# nmap --script ssl-cert,ssl-enum-ciphers -p 443  127.0.0.1 | grep RC4
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA

Hit --> RC4 is in use (the same three RC4 suites are listed once under each protocol version the server offers)....

===========

Change it to:

SSLHonorCipherOrder on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

Scan again and the RC4 suites are gone (the grep returns nothing):

[root@bbb conf.d]# nmap --script ssl-cert,ssl-enum-ciphers -p 443  127.0.0.1 | grep RC4

Look at the host's SSL details once more and you can see that the insecure SSLv3 protocol is still offered:

[root@bbb conf.d]# nmap --script ssl-cert,ssl-enum-ciphers -p 443  127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2016-10-19 15:48 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=aaa/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=aaa/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-04-08 02:58:19
| Not valid after:  2016-04-07 02:58:19
| MD5:   de0e fdf1 11c0 f3e4 2cc2 3b0b 8e9e 6b9a
|_SHA-1: fc10 b6c3 b1e8 695c 19f4 78a2 3e5d 58f6 6a69 a9f5
| ssl-enum-ciphers:
|   SSLv3
|     Ciphers (2)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.0
|     Ciphers (2)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.1
|     Ciphers (2)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (8)
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds



Still a hit --> SSLv3 and TLSv1.0 are offered


==============

So edit ssl.conf once more and change the protocol declaration so that only TLS 1.1 and 1.2 are used (this needs an httpd/OpenSSL build that supports them; the scan that follows confirms this CentOS 6 host does):

#SSLProtocol all -SSLv2
SSLProtocol -all +TLSv1.1 +TLSv1.2


Verify again: SSLv3 and TLSv1.0 are no longer offered...


[root@bbb conf.d]# nmap --script ssl-cert,ssl-enum-ciphers -p 443  127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2016-10-19 16:10 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000028s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=aaa/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=aaa/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-04-08 02:58:19
| Not valid after:  2016-04-07 02:58:19
| MD5:   de0e fdf1 11c0 f3e4 2cc2 3b0b 8e9e 6b9a
|_SHA-1: fc10 b6c3 b1e8 695c 19f4 78a2 3e5d 58f6 6a69 a9f5
| ssl-enum-ciphers:
|   TLSv1.1
|     Ciphers (2)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (8)
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds



This should be a lot better now.... Run a vulnerability scanner or penetration-testing tool against it to see whether anything else turns up??? Two things the nmap output above already shows: the certificate is self-signed (Subject and Issuer are identical) and it expired on 2016-04-07, months before this scan was run, so renewing it belongs on the same to-do list.
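Reading the nmap output by eye is fine for one host; for more than one it pays to parse it. The Python script below is an added example, not part of this post and not an nmap or Apache component. It parses the Nmap 5.51 ssl-cert/ssl-enum-ciphers layout shown above into {protocol: [suites]} plus the certificate fields, and reports what a hardening pass should not leave behind: SSLv2/SSLv3/TLSv1.0, RC4/MD5 and similar suites, and a certificate that is self-signed or already expired at scan time. The three inputs are constructed in the script from the scans in this post; the one labelled RC4_CONFIG_SCAN is a reconstruction of the original-config state from the grep output, not a scan that appears on the page. Trailing colons and grades, as later nmap versions print them, are tolerated by the parser.

```python
"""Policy check over `nmap --script ssl-cert,ssl-enum-ciphers` output.

Added example, not part of the original post and not an nmap or Apache
component. It parses the Nmap 5.51 report layout and lists what a hardening
pass should not leave behind: legacy protocol versions, RC4/MD5 and similar
suites, and a certificate that is self-signed or already expired at scan time.
All inputs are constructed in this file from the scans in the post.
"""
import re
from datetime import datetime

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}
# Substrings marking a suite as weak: RC4 and MD5 (the point of the post) plus
# NULL/EXPORT/anonymous/DES suites any scanner would also report.
WEAK_SUITE_MARKERS = ("_RC4_", "_MD5", "_NULL_", "_EXPORT", "_anon_", "DES_")


def parse_scan(text):
    """Return scan time, certificate fields and {protocol: [suite names]}."""
    scan = {"scanned_at": None, "subject": "", "issuer": "", "not_after": None,
            "protocols": {}}
    protocol = section = None
    for raw in text.splitlines():
        m = re.match(r"Starting Nmap .* at (\d{4}-\d{2}-\d{2} \d{2}:\d{2})", raw)
        if m:
            scan["scanned_at"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            continue
        if not raw.startswith("|"):
            continue
        line = raw[2:] if raw.startswith("|_") else raw[1:]   # drop the gutter
        body, indent = line.strip(), len(line) - len(line.lstrip())
        if body.startswith("ssl-cert: Subject:"):
            scan["subject"] = body.split("Subject:", 1)[1].strip()
        elif body.startswith("Issuer:"):
            scan["issuer"] = body.split(":", 1)[1].strip()
        elif body.startswith("Not valid after:"):
            scan["not_after"] = datetime.strptime(
                body.split(":", 1)[1].strip(), "%Y-%m-%d %H:%M:%S")
        elif indent == 3:                  # protocol header, e.g. "   SSLv3"
            protocol = body.rstrip(":")
            scan["protocols"][protocol] = []
        elif indent == 5:                  # "Ciphers (n)" / "Compressors (n)"
            section = body.split()[0].rstrip(":").lower()
        elif indent == 7 and protocol and section == "ciphers":
            scan["protocols"][protocol].append(body.split()[0])  # name only
    return scan


def check_policy(scan):
    """Return human-readable findings; an empty list means the scan passes."""
    findings = []
    for proto, suites in scan["protocols"].items():
        if proto in LEGACY_PROTOCOLS:
            findings.append("legacy protocol offered: %s" % proto)
        for suite in suites:
            if any(marker in suite for marker in WEAK_SUITE_MARKERS):
                findings.append("weak suite under %s: %s" % (proto, suite))
    if scan["subject"] and scan["subject"] == scan["issuer"]:
        findings.append("certificate is self-signed")
    if scan["not_after"] and scan["scanned_at"] and scan["not_after"] < scan["scanned_at"]:
        findings.append("certificate expired on %s" % scan["not_after"].date())
    return findings


# Constructed test data. Certificate lines are copied from the post's scans and
# _section renders protocol blocks in the same layout. RC4_CONFIG_SCAN is a
# reconstruction of the original-config state from the RC4 grep, not a real scan.
_HEADER = """Starting Nmap 5.51 ( http://nmap.org ) at 2016-10-19 15:48 CST
443/tcp open  https
| ssl-cert: Subject: commonName=aaa/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=aaa/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid after:  2016-04-07 02:58:19
|_SHA-1: fc10 b6c3 b1e8 695c 19f4 78a2 3e5d 58f6 6a69 a9f5
| ssl-enum-ciphers:
"""


def _section(proto, suites):
    lines = ["|   %s" % proto, "|     Ciphers (%d)" % len(suites)]
    lines += ["|       %s" % s for s in suites]
    lines += ["|     Compressors (1)", "|       uncompressed"]
    return "\n".join(lines) + "\n"


AES_CBC = ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]
AES_GCM = ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
RC4 = ["TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA"]

RC4_CONFIG_SCAN = _HEADER + _section("TLSv1.0", RC4 + AES_CBC)
CIPHER_FIXED_SCAN = (_HEADER + "".join(_section(p, AES_CBC) for p in ("SSLv3", "TLSv1.0", "TLSv1.1"))
                     + _section("TLSv1.2", AES_CBC + AES_GCM))
PROTOCOL_FIXED_SCAN = _HEADER + _section("TLSv1.1", AES_CBC) + _section("TLSv1.2", AES_CBC + AES_GCM)

if __name__ == "__main__":
    for name, text in (("RC4 config", RC4_CONFIG_SCAN), ("after cipher change", CIPHER_FIXED_SCAN),
                       ("after protocol change", PROTOCOL_FIXED_SCAN)):
        print(name, check_policy(parse_scan(text)))
```

Feed it a saved scan with `check_policy(parse_scan(open("scan.txt").read()))`. On the post's final scan it reports no protocol or suite findings but still flags the self-signed, expired certificate, which is exactly the item the protocol and cipher changes did not address.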


References
https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)
http://serverfault.com/questions/314858/how-to-enable-tls-1-1-and-1-2-with-openssl-and-apache

External test site for a public FQDN

https://www.ssllabs.com/ssltest