SSHD mm_request_send: write: Broken pipe

You are attempting to log in to a Linux machine (probably CentOS) and your SSH sessions are disconnected instantly.

/var/log/secure shows various Signal 15 crashes and this error:

mm_request_send:  write:  Broken pipe

Your box has been hacked. Format and reinstall.

Be sure to run "yum update" at frequent intervals to keep your servers/VMs up to date!


Connect Error (2000) mysqld cannot connect to MySQL 4.1+ using old authentication ERROR 2049 (HY000): Connection using old (pre-4.1.1) authentication protocol refused

You are receiving these errors:

Connect Error (2000) mysqld cannot connect to MySQL 4.1+ using old authentication
ERROR 1275 (HY000): Server is running in --secure-auth mode, but 'dbname'@'localhost' has a password in the old format; please change the password to the new format
ERROR 2049 (HY000): Connection using old (pre-4.1.1) authentication protocol refused (client option 'secure_auth' enabled)
ERROR 1372 (HY000): Password hash should be a 16-digit hexadecimal number

The server is enforcing new-format passwords (secure_auth), but this account's stored hash is still in the old 16-digit format; meanwhile your database is effectively offline and you are going crazy. Reset the password in the new format and pin the account to the native plugin:

UPDATE mysql.user SET Password = PASSWORD('cheese') WHERE User = 'test' AND Host = 'localhost';
UPDATE mysql.user SET plugin = 'mysql_native_password' WHERE User = 'test' AND Host = 'localhost';
flush privileges;
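Before running the UPDATE above it helps to know which accounts are actually affected. The following shell helpers are an added example, not part of the original post: they classify a stored hash by its format (old hashes are 16 hex digits, 4.1+ hashes are a '*' followed by 40 hex digits) and list the accounts that still carry an old one. The sample rows are constructed, not real hashes; the tab-separated input shape assumed is what `mysql -N -e "SELECT User, Host, Password FROM mysql.user"` prints.

```shell
#!/bin/sh
# Added example (not from the original post): find the accounts whose stored
# hash is still in the pre-4.1.1 format, which is what the errors above complain
# about. Old hashes are 16 hex digits; 4.1+ hashes are '*' plus 40 hex digits.

# Classify one hash string: prints old | new | empty | unknown.
hash_format() {
    h="$1"
    if [ -z "$h" ]; then
        echo empty
    elif printf '%s\n' "$h" | grep -Eq '^[0-9A-Fa-f]{16}$'; then
        echo old
    elif printf '%s\n' "$h" | grep -Eq '^\*[0-9A-Fa-f]{40}$'; then
        echo new
    else
        echo unknown
    fi
}

# Read tab-separated "User<TAB>Host<TAB>Password" rows on stdin (the shape of
#   mysql -N -e "SELECT User, Host, Password FROM mysql.user")
# and print User@Host for every account still using an old-format hash.
old_format_accounts() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r user host pw; do
        if [ "$(hash_format "$pw")" = old ]; then
            printf '%s@%s\n' "$user" "$host"
        fi
    done
    return 0
}

# Print the statements the post uses to convert one account, ready to paste
# into the mysql client (the new password is whatever you pass as $3).
fix_statements() {
    user="$1"; host="$2"; newpw="$3"
    printf "UPDATE mysql.user SET Password = PASSWORD('%s') WHERE User = '%s' AND Host = '%s';\n" "$newpw" "$user" "$host"
    printf "UPDATE mysql.user SET plugin = 'mysql_native_password' WHERE User = '%s' AND Host = '%s';\n" "$user" "$host"
    echo "FLUSH PRIVILEGES;"
}

# Constructed sample rows (not real hashes): root is fine, test is old-format,
# app has no password at all.
SAMPLE_USERS="$(printf 'root\tlocalhost\t*0123456789ABCDEF0123456789ABCDEF01234567\ntest\tlocalhost\t0123456789abcdef\napp\t10.0.0.5\t\n')"

# Usage: list the offenders and print the conversion SQL for each.
printf '%s\n' "$SAMPLE_USERS" | old_format_accounts | while IFS=@ read -r u h; do
    echo "-- $u@$h still has an old-format hash; run:"
    fix_statements "$u" "$h" 'cheese'
done
```

On a real server replace the sample with the output of the `mysql -N -e` query. Note that MySQL 5.7 and later renamed the `Password` column to `authentication_string`, so the query and the UPDATE need that column name there.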

CentOS / RHEL horrible disk performance with SSD

noop is essentially a first-in first-out (FIFO) queue with no extra logic.

Each virtual machine can stop worrying about the disk, instead passing I/O requests along to the hypervisor to make a better decision about overall performance.

Add "elevator=noop" to the kernel parameters in your boot loader's configuration in /etc/grub.conf

`echo noop > /sys/block/${DEVICE}/queue/scheduler`.

Set the default in your kernel config for all VM kernels you roll, with `CONFIG_DEFAULT_IOSCHED="anticipatory"`.
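The runtime `echo noop > .../scheduler` step is easy to get wrong when the kernel does not offer noop for a device or the device is already on it. The helpers below are an added example, not from the original post: they parse the scheduler line the kernel exposes (the active scheduler is the bracketed token, e.g. `noop anticipatory [deadline] cfq`), confirm the requested scheduler is offered, and only then write it. The device name `sda` in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): the kernel reports the schedulers a
# device offers in /sys/block/<dev>/queue/scheduler as one line with the active
# one in brackets, e.g. "noop anticipatory [deadline] cfq". These helpers parse
# that line and switch a device to noop at runtime only when needed.

# Print the bracketed (active) scheduler from a scheduler line.
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)].*/\1/p'
}

# Return 0 if SCHED ($1) appears anywhere in the line ($2), bracketed or not.
scheduler_available() {
    for tok in $2; do
        tok="${tok#\[}"
        tok="${tok%]}"
        if [ "$tok" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# Switch DEVICE ($1, e.g. sda) to SCHED ($2). Exit status: 0 if SCHED is active
# afterwards, 2 if the device has no scheduler file, 3 if the kernel does not
# offer SCHED for it (a kernel built without CONFIG_IOSCHED_NOOP, for instance).
set_scheduler() {
    dev="$1"; sched="$2"
    f="/sys/block/$dev/queue/scheduler"
    if [ ! -r "$f" ]; then
        echo "no scheduler file for $dev" >&2
        return 2
    fi
    line="$(cat "$f")"
    if ! scheduler_available "$sched" "$line"; then
        echo "$sched is not offered for $dev: $line" >&2
        return 3
    fi
    if [ "$(active_scheduler "$line")" = "$sched" ]; then
        return 0        # already set, nothing to write
    fi
    echo "$sched" > "$f"
    [ "$(active_scheduler "$(cat "$f")")" = "$sched" ]
}

# Usage (as root, on a real host; "sda" is an assumed device name):
#   set_scheduler sda noop && echo "sda now on noop"
```

The write is skipped when the scheduler is already active, so the function is safe to call from a boot script on every start; the grub `elevator=noop` parameter remains the persistent setting.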


IPTABLES Tidbits

List off all the rules in order. This helps to see if an allow is overriding one of your denies:

iptables -nvL --line-numbers
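Reading that listing by eye gets tedious on a long chain. The script below is an added example, not from the original post: it scans `iptables -nvL --line-numbers` output and reports any rule whose target differs from an earlier rule in the same chain matching the same protocol and destination port, which is exactly the "allow overriding a deny" case (the earlier rule wins, and the packet counter on the later rule usually stays at 0). The rule set is constructed for the demo, and the check only compares ports, so overlapping source/destination ranges still need a human look.

```shell
#!/bin/sh
# Added example (not from the original post): scan the output of
#   iptables -nvL --line-numbers
# for a later rule on the same chain/protocol/port whose target differs from an
# earlier one. The earlier rule wins, so the later one is (at least partly) dead.

shadowed_rules() {
    # stdin: iptables -nvL --line-numbers output
    awk '
        /^Chain /   { chain = $2; next }   # new chain header
        /^num /     { next }               # column header
        NF == 0     { next }               # blank line between chains
        {
            num = $1; target = $4; proto = $5; dpt = ""
            # the destination-port match sits in the options after the 10 fixed columns
            for (i = 11; i <= NF; i++) if ($i ~ /^dpt:/) dpt = $i
            if (dpt == "") next
            key = chain SUBSEP proto SUBSEP dpt
            if ((key in first) && first_target[key] != target)
                printf "%s: rule %s %s %s %s comes after rule %s %s on the same port (%s pkts hit it)\n",
                       chain, num, target, proto, dpt, first[key], first_target[key], $2
            if (!(key in first)) { first[key] = num; first_target[key] = target }
        }'
}

# Constructed listing: rule 3 (DROP from 10/8 to port 22) can never fire because
# rule 2 already accepts port 22 from anywhere; rule 5 is likewise dead behind rule 4.
SAMPLE_RULES="$(cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      100  6000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        0     0 DROP       tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22
4        5   300 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
5        0     0 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:3306

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
)"

# Usage on a real host: iptables -nvL --line-numbers | shadowed_rules
printf '%s\n' "$SAMPLE_RULES" | shadowed_rules
```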

Reject or Drop?

Drop means to drop everything at the interface and give no response. Best for port probes and the like.

Reject responds to the source. Best practices for TCP/IP

VMware Virtual Machine Hosting

Setup NIS + Red Hat + CentOS + Linux


The following describes a procedure to set up the NIS network name service under Red Hat Linux. It is geared toward a small installation with only one domain, but it should be fairly evident how to add more NIS domains. The NIS domain name has nothing to do with any DNS naming convention being used.

In these examples, the following conventions are used:
NIS domain: "internal"
Code or configuration file data: bold
Root prompt on NIS master server: master#
Root prompt on NIS client host: client#
Setting up a NIS master server:

yum install yp-tools ypbind ypserv portmap ntp

Set up the "ntpd" service or otherwise make sure the host's clock is synchronized.
ntpdate pool.ntp.org
chkconfig ntpd on
/etc/init.d/ntpd start

Edit /etc/yp.conf:

domain internal server ip.of.nis.server

Edit /etc/ypserv.conf:

[The below settings are, by default, activated in CentOS config]
dns: no
files: 30
xfr_check_port: yes
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port

Edit /etc/sysconfig/network:

NISDOMAIN="internal"

Set NIS domain name:

master# domainname internal
master# ypdomainname internal

Create file /var/yp/securenets:

host 127.0.0.1
255.255.255.0 10.0.0.0

Make sure the "portmap" service is running:

master# service portmap start
master# chkconfig portmap on

Edit File: /etc/nsswitch.conf

passwd: files nis
shadow: files nis
group: files nis

Start ypserv service:

master# service ypserv start

Check that it's listening:

master# rpcinfo -u localhost ypserv

You should see:

program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting

Initialize the NIS maps:

master# /usr/lib/yp/ypinit -m

When prompted, enter the local hostname, press Ctrl-D to end the server list, answer y, and let it finish.

Start up ypbind, yppasswdd, ypxfrd:

master# service ypbind start
master# service yppasswdd start
master# service ypxfrd start

Set YP services to run on boot-up:

master# chkconfig ypserv on
master# chkconfig ypbind on
master# chkconfig yppasswdd on
master# chkconfig ypxfrd on

NIS client host setup

Required packages: yp-tools ypbind portmap

Edit /etc/sysconfig/network:

NISDOMAIN=internal

Edit /etc/yp.conf:

domain internal server ip.of.master.server

Edit /etc/hosts:

ip.of.master.server hostname.domain hostname

Set NIS domain-name:

client# domainname internal
client# ypdomainname internal

Edit /etc/nsswitch.conf:

passwd: files nis
shadow: files nis
group: files nis

Make sure the portmap service is running:

client# service portmap start
client# chkconfig portmap on

The /etc/hosts.allow file will need rules allowing access from localhost and the NIS master server.

Start ypbind service:

client# service ypbind start
client# chkconfig ypbind on

Test it out:

client# rpcinfo -u localhost ypbind
client# ypcat passwd
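Because `ypcat passwd` hands password hashes to any host that securenets lets in, it is worth checking the files this procedure edits before starting the services. The script below is an added example, not from the original post, and the three checks are my baseline rather than the post's: /var/yp/securenets must not contain a 0.0.0.0 netmask (which would admit every host), /etc/yp.conf must name a server for the domain, and /etc/nsswitch.conf must list nis for passwd, shadow and group. The file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check the files the procedure above
# edits before bringing ypserv/ypbind up. What it checks is an assumed baseline:
# securenets must not open the maps to every host (a 0.0.0.0 netmask), yp.conf
# must name a server for the NIS domain, and nsswitch.conf must list nis for
# passwd, shadow and group. The file contents in demo_nis_checks are constructed.

# securenets lines are "host A.B.C.D" or "NETMASK NETWORK"; '#' starts a comment.
# Prints any line whose netmask is 0.0.0.0 (matches every host); status 0 if found.
securenets_allows_all() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '$1 == "0.0.0.0" { print; found = 1 } END { exit !found }'
}

# Prints the server configured for DOMAIN ($2) in a yp.conf ($1); empty if none.
yp_conf_server() {
    awk -v d="$2" '$1 == "domain" && $2 == d && $3 == "server" { print $4 }' "$1"
}

# Status 0 only if passwd, shadow and group all list nis in nsswitch.conf ($1).
nsswitch_uses_nis() {
    for db in passwd shadow group; do
        grep -Eq "^$db:.*[[:space:]]nis([[:space:]]|\$)" "$1" || return 1
    done
    return 0
}

# Runs all three checks; prints one PASS/FAIL line each, returns 0 only if all pass.
# Usage: check_nis_setup DOMAIN /var/yp/securenets /etc/yp.conf /etc/nsswitch.conf
check_nis_setup() {
    domain="$1"; securenets="$2"; ypconf="$3"; nsswitch="$4"; rc=0
    if bad="$(securenets_allows_all "$securenets")"; then
        echo "FAIL securenets exposes the maps to any host: $bad"; rc=1
    else
        echo "PASS securenets restricts clients"
    fi
    server="$(yp_conf_server "$ypconf" "$domain")"
    if [ -n "$server" ]; then
        echo "PASS yp.conf points domain $domain at $server"
    else
        echo "FAIL yp.conf has no server line for domain $domain"; rc=1
    fi
    if nsswitch_uses_nis "$nsswitch"; then
        echo "PASS nsswitch.conf consults nis for passwd, shadow and group"
    else
        echo "FAIL nsswitch.conf does not list nis for passwd, shadow and group"; rc=1
    fi
    return $rc
}

# Demo on constructed files; the permissive securenets deliberately fails.
demo_nis_checks() {
    tmp="$(mktemp -d)"
    printf 'host 127.0.0.1\n# anything in 10.0.0.0/24\n255.255.255.0 10.0.0.0\n' > "$tmp/securenets.ok"
    printf '0.0.0.0 0.0.0.0\n' > "$tmp/securenets.bad"
    printf 'domain internal server 10.0.0.2\n' > "$tmp/yp.conf"
    printf 'passwd: files nis\nshadow: files nis\ngroup: files nis\nhosts: files dns\n' > "$tmp/nsswitch.conf"
    check_nis_setup internal "$tmp/securenets.ok" "$tmp/yp.conf" "$tmp/nsswitch.conf" || true
    check_nis_setup internal "$tmp/securenets.bad" "$tmp/yp.conf" "$tmp/nsswitch.conf" || true
    rm -rf "$tmp"
}

demo_nis_checks
```

On a real master run `check_nis_setup internal /var/yp/securenets /etc/yp.conf /etc/nsswitch.conf`; on a client the securenets argument can be any file that has no 0.0.0.0 line, since clients do not ship one.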

Unknown HZ value! (##) Assume 100

You’ve been hacked.

How to clean a Hacked CentOS / LINUX Machine

yum install chkrootkit

Run chkrootkit to find INFECTED files

You will need to delete, manually, each of these files.

The files' attributes will have been changed to stump the average user.

You will need to use: chattr

This command will free most files: chattr -suSadAc

For the ones that can not be deleted after the above, try: chattr -i

Files commonly targeted: top ps find netstat ifconfig

Once the files are deleted, reinstall the files using YUM:

yum reinstall procps openssh-server openssl psmisc findutils fileutils util-linux net-tools textutils sysklogd

Additional things:

1. sshd will be renamed to sshd0 in /usr/sbin/
2. the hacker has most likely added an entry to the bottom of: /etc/rc.d/rc.sysinit
———
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
———

Remove it: chattr -suSadAc /usr/sbin/xntps ; rm -f /usr/sbin/xntps

3. Re-run chkrootkit until the machine is clean
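The steps above are easier to follow with a worklist. The script below is an added example, not from the original post: it pulls the INFECTED entries out of chkrootkit's output, maps each binary to the CentOS package that owns it (only for binaries whose package I am certain of), prints the chattr/rm sequence from the post for each, and greps an rc.sysinit-style file for the xntps entry. It assumes chkrootkit's per-binary lines look like ``Checking `ps'... INFECTED``; the sample output and the /usr/bin paths in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): turn a chkrootkit run and the
# rc.sysinit check above into a worklist. Assumes chkrootkit's per-binary lines
# look like "Checking `ps'... INFECTED"; the binary-to-package map covers only
# binaries whose CentOS package is certain. The sample output is constructed.

# stdin: chkrootkit output -> one flagged binary name per line
infected_binaries() {
    sed -n "s/^Checking \`\([^']*\)'\.\.\. INFECTED.*/\1/p"
}

# Map a binary to the package to hand to "yum reinstall"; empty if unknown.
package_for() {
    case "$1" in
        ps|top)                       echo procps ;;
        find|xargs)                   echo findutils ;;
        netstat|ifconfig|route|arp)   echo net-tools ;;
        ls|cp|mv|rm|ln|du|df|date)    echo coreutils ;;
        killall|pstree|fuser)         echo psmisc ;;
        sshd)                         echo openssh-server ;;
        *)                            echo "" ;;
    esac
}

# stdin: chkrootkit output -> sorted, de-duplicated package list for yum reinstall
packages_to_reinstall() {
    infected_binaries | while read -r b; do package_for "$b"; done | grep -v '^$' | sort -u
}

# Print the removal steps from the post for one binary PATH ($1), without running them.
cleanup_commands() {
    printf 'chattr -suSadAc %s\n' "$1"
    printf 'chattr -i %s\n' "$1"
    printf 'rm -f %s\n' "$1"
}

# Numbered lines in an rc.sysinit-style file ($1) that reference the bogus xntps "NTP daemon".
rc_sysinit_xntps_lines() {
    grep -ni 'xntps' "$1"
}

SAMPLE_CHKROOTKIT="$(cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `ps'... INFECTED
Checking `top'... INFECTED
Checking `netstat'... INFECTED
Checking `find'... not infected
EOF
)"

# Usage with a real run:  chkrootkit | packages_to_reinstall
printf '%s\n' "$SAMPLE_CHKROOTKIT" | infected_binaries | while read -r b; do
    echo "# $b flagged; free and remove it, then reinstall $(package_for "$b"):"
    cleanup_commands "/usr/bin/$b"   # path assumed for the demo; locate the real one on the box
done
echo "yum reinstall $(printf '%s\n' "$SAMPLE_CHKROOTKIT" | packages_to_reinstall | tr '\n' ' ')"
```

The commands are printed rather than executed on purpose: review the list, then run `chattr`/`rm` by hand and finish with the single `yum reinstall` line, re-running chkrootkit afterwards as step 3 says.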


CentOS: Alias IP Ranges


cd /etc/sysconfig/network-scripts

Quick and easy range of ips:

Add this file: ifcfg-eth0-range0

Contents:

IPADDR_START=11.xxx.xxx.xxx
IPADDR_END=11.xxx.xxx.xxx
CLONENUM_START=0

If you want to add another range:

Add this file: ifcfg-eth0-range1

IPADDR_START=10.xxx.xxx.xxx
IPADDR_END=10.xxx.xxx.xxx
CLONENUM_START=11

Pay close attention to CLONENUM_START. In the second range file it must be higher than the number of IPs added in range0. For instance, if range0 covered 10.10.10.1 through 10.10.10.10, that is 10 IPs, so CLONENUM_START in the second range file would be 11.
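Counting the addresses by hand is where this goes wrong once a range crosses an octet boundary. The helpers below are an added example, not from the original post: they convert the dotted quads to integers, count the addresses in a range, and compute the lowest CLONENUM_START the next file can use. The aliases are named eth0:CLONENUM_START, eth0:CLONENUM_START+1 and so on, one per address, so range0 with CLONENUM_START=0 and 10 addresses uses eth0:0 through eth0:9 and the next file may start at 10; the 11 the text picks leaves one unused number, which is harmless. The demo writes to a temporary directory, not to /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example (not from the original post): compute how many addresses a
# range file covers and where the next file's CLONENUM_START has to begin.
# ifup-aliases names the aliases eth0:CLONENUM_START, eth0:CLONENUM_START+1, ...,
# one per address, so a second file may not reuse those numbers.

# Dotted quad -> integer (plain arithmetic, so it runs in any POSIX sh).
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
    }
}

# Number of addresses from START ($1) to END ($2) inclusive; 0 if END precedes START.
range_size() {
    s=$(ip_to_int "$1"); e=$(ip_to_int "$2")
    if [ "$e" -ge "$s" ]; then
        echo $(( e - s + 1 ))
    else
        echo 0
    fi
}

# Lowest CLONENUM_START a following range file can use without colliding:
#   next_clonenum CLONENUM_START IPADDR_START IPADDR_END
next_clonenum() {
    echo $(( $1 + $(range_size "$2" "$3") ))
}

# Write ifcfg-eth0-rangeN in DIR ($1) with index N ($2); prints the path.
#   write_range_file DIR N CLONENUM_START IPADDR_START IPADDR_END
write_range_file() {
    f="$1/ifcfg-eth0-range$2"
    printf 'IPADDR_START=%s\nIPADDR_END=%s\nCLONENUM_START=%s\n' "$4" "$5" "$3" > "$f"
    echo "$f"
}

# Demo with the post's example range, written to a temp dir rather than
# /etc/sysconfig/network-scripts; the second range's addresses are constructed.
demo_ranges() {
    d="$(mktemp -d)"
    write_range_file "$d" 0 0 10.10.10.1 10.10.10.10 >/dev/null
    n=$(next_clonenum 0 10.10.10.1 10.10.10.10)
    echo "range0 covers $(range_size 10.10.10.1 10.10.10.10) addresses (eth0:0 .. eth0:$((n - 1)))"
    echo "range1 must use CLONENUM_START=$n or higher"
    write_range_file "$d" 1 "$n" 10.10.20.1 10.10.20.5 >/dev/null
    cat "$d/ifcfg-eth0-range1"
    rm -rf "$d"
}

demo_ranges
```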
