Mosquitto dynamic security does not allow to insert clients or roles - docker

Hi everyone I've been trying to use mosquitto dynamic security plugin, the broker is running in a docker container, and so far everything seems to work as expected I can generate de file dynamic-secutiry.json for that I used the following command mosquitto_ctrl dynsec init path/to/dynamic-security.json user and after that, I set the password as user, so managed to open the file and make sure that it was created right, and indeed it was. However, when I try to modify the file like adding a new client for instance I got the following message Connection error: Not authorized in order to add new clients I've been something like this mosquitto_ctrl -u user -P user dynsec createRole rolepizza and then I'm getting this:
That's the dynamic-security.json
Finally my mosquitto.conf
I've been following this tutorials:
https://www.youtube.com/watch?v=QvRBtRH2mN0
http://www.steves-internet-guide.com/understanding-mosquitto-dynamic-security-plugin/
I'd appreciate it if someone could tell me what I've been doing wrong. Thanks in advance

As hashed out in the comments, the problem was most likely a lack of write permissions on dynamic-security.json file due to creating it as root.
Mosquitto will normally drop root permissions on startup, so all config/log files should be writable by a none privileged user (you can set the user in the mosquitto.conf file.

Related

fail2ban won't start using nextcloud.log with jail

I have nextcloud installed and working fine in a docker but want to have fail2ban monitor the log files for brute force attempts. I know nextcloud has it's own baked in but it just throttles the log in attempts and I would like to all out ban them (I also have this problem with other containers as well). The docker-compose is set to create the nextcloud.log file to /mnt/nextcloud/log/nextcloud.log. I followed this guide to create the jail
https://www.c-rieger.de/nextcloud-installation-guide-ubuntu/#c06
Fail2ban is running on the host machine however, fail2ban fails to start with:
[447]: ERROR Failed during configuration: Have not found any log file for nextcloud jail
[447]: ERROR Async configuration of server failed
Thinking it was simply a permission issue, I chowned everything to root and tried to start again but still the service won't start. What am I doing wrong?
Thanks for the help!
The docker-compose is set to create the nextcloud.log file to /mnt/nextcloud/log/nextcloud.log
Be sure this file really exists and your jail.local has correct entry logpath:
[nextcloud]
...
logpath = /mnt/nextcloud/log/nextcloud.log
You can also check resulting config using dump:
fail2ban-client -d | grep 'nextcloud.*logpath'
But I'm still not sure the error message you provide was throwed by fail2ban, because its error messages look different, see https://github.com/fail2ban/fail2ban/commit/27947407bc7910f0f50972113218ebc73c4a22c7
It should be something like:
-have not found a log file for nextcloud log
+Have not found any log file for nextcloud jail

Neo4j: Can't log in: Neo.ClientError.Security.Unauthorized: The client is unauthorized due to authentication failure

When I do :server connect with neo4j and neo4j I get Neo.ClientError.Security.Unauthorized: The client is unauthorized due to authentication failure..
I tried uncommenting the line dbms.security.auth_enabled=false in /etc/neo4j/neo4j.conf and restarting, but it still asks me to log in and still denies the login.
I can get in with /usr/bin/cypher-shell -u neo4j -p neo4j
I tried /usr/bin/neo4j-admin set-initial-password secret but it says command failed: The specified user 'neo4j' already exists.
I tried sudo rm /var/lib/neo4j/data/dbms/auth and restarting, but it gives the same result.
ubuntu 16.04
Installed with sudo apt-get install neo4j=1:3.5.0
I had the same problem. I tried to set the initial password and it said The specified user 'neo4j' already exists. I had thought I had set the initial password earlier via the command line, but it didn't take because there were special characters in the password string.
What ended up working for me was opening up the Neo4j Browser and it prompted me for a password. I entered 'neo4j' and then it gave me the option to set a new password through the browser. Once I did that, it worked.
If you need to turn off auth_enabled to test something, make sure to remember to restart the server. sudo neo4j restart It can also take a few minutes to restart, so make sure it's fully up and running first. (And then, of course, don't forget to turn auth_enabled back on again.)
It also took me a few tries to get the configuration correct in the conf file at /etc/neo4j/neo4j.conf
I set dbms.connectors.default_listen_address=0.0.0.0
And dbms.connectors.default_advertised_address=your.webdomain.com
Also, this guide helped me with setting up a certificate for the neo4j browser endpoint. https://medium.com/neo4j/getting-certificates-for-neo4j-with-letsencrypt-a8d05c415bbd
I faced the issue with the initial setup. Kept getting the same unauthorised message. The issue with me was I was trying to access it in firefox. Tried in Chrome and it worked and prompted me to change my password. Found one issue stating this:
< connecting to Neo4j browser through Firefox >
I disabled/uncomment authenitication in /etc/neo4j/neo4j.conf
To disable authentication, uncomment this line
dbms.security.auth_enabled=false
it worked for me.
Make sure to comment it back when you are done for security purposes

Visual Studio run Docker project issue

I have a strange situation, if I run a Docker project in Visual Studio 2017 I get an error saying: Cannot start service webapplication1: error while creating mount source path '/host_mnt/c/Users/MyUser/vsdbg/vs2017u5': mkdir /host_mnt/c/Users/MyUser/vsdbg/vs2017u5: permission denied
But, if I run the same project with the command docker-compose up -d it works.
It cannot be a permission issue only for Visual Studio.
I just had the same problem - found the solution at https://github.com/docker/for-win/issues/897
Basically, the problem is access to C:\Users\user\vsdbg - not to think too much I gave R/W access for Everyone to this one and C:\Users\user\.nuget, just in case, and it worked like a charm :)
For me absolutely nothing worked, including giving full rights to only the vsdbg and .nuget folders.
My setup is as follows:
I have a primary account called "User" onto which I'm currently
logged in and do my development work
I have a user called "DockerDiskSharing" with full admin rights,
which I intend to use for Docker to run with
What did the trick for me was:
I opened a command prompt with admin rights and added the DockerDiskSharing user to the docker-users group by running
net localgroups docker-users DockerDiskSharing /add
I went to Docker -> Settings -> Shared Drives, I clicked "Reset credentials" and added the DockerDiskSharing user's credentials. I ticked C drive (my main partition) and the D drive (where my project is located)
I opened a command prompt with admin rights and gave full access permissions to the entire Users/User folder by running:
icacls "C:\Users\User" /q /c /t /grant docker-users:F
Still unsure which folders in particular it needs permissions to read/write to though from Users/User...
For other readers getting here which have a forced setup where their primary windows user can't be local admin:
That doesn't work!
After trying out different workarounds, I gave up. Note that I have a local service account which is local admin. If you don't have that, and are not a local admin, I guess you're screwed.
So:
I reset my Docker shared drive, mounted it again with my primary windows credentials
I added my primary user to the local administrators group
And now it works :)

PSEXEC - Elevated Command prompt

Sorry if this has been asked a hundred times, I'm sure it might have been, but my searching skills don't seem to be finding the answer to my particular question today :(
I'm trying to execute a command on a server, from a domain user account, who has all the correct rights to perform the given action. I know this because if I login to the server under the admin account and then open the command prompt using 'Run as different User', specifying the login details of the domain user account, I can perform the relevant section of the below command successfully.
However, when I try running ("c:\NaviTest\psexec.exe" "\HOSTNAME" "c:\path to\server-command.exe" "arguments") from a command prompt on their host computer I get the 'Access Denied' message back.
If I launch the command prompt as administrator and change the syntax of the command as follows (where username is the logged in user and password is their password);
"c:\NaviTest\psexec.exe" -u username -p password "\\HOSTNAME" "c:\path to\server-command.exe" "arguments"
All works.
I know from this that its not running 'server-command.exe' the command that is causing the issue, its getting the connection to server using PSEXEC which seems to be failing unless the command prompt is being run in Elevated mode.
My question (as I haven't actually asked on yet!), is can PSEXEC work from the command prompt without having to be run administratively?
I'm trying to execute this as part of a much larger script, if I can't make it work without administrative privileges its not going to work.
Found the answer to this.......
https://serverfault.com/questions/280482/how-to-use-psexec-without-admin-privileges-on-target-machine
Basically, the user account executing the PSEXEC command needs local administrative rights on the destination host.
Adam
This might cause due to prevailing issue.
psexcec will start a service(windows) in end point .
check this
Run this as admin and will proceed without issues

Non-privileged, non-root, user to start or restart webserver server such as nginx without root or sudo

I'm using capistrano to deploy a rails web app. I want to give the deploy user on the webserver as few privileges as I can. I was able to do everything I need to do as a non-privileged user except restart the webserver.
I'm doing this on an ubuntu server, but this problem is not specific to my use case (rails, capistrano, deployment), and I've seen a lot of approaches to this problem that seem to involve poor security practices. Wondering whether others can vet my solution and advise whether it's secure?
First, not necessary, but I have no idea why /etc/init.d/nginx would need any (even read) access by other users. If they need to read it, make them become root (by sudo or other means), so I:
chmod 750 /etc/init.d/nginx
Since the ownership is owner root, group root (or can be set such with chown root:root /etc/init.d/nginx) only root, or a user properly sudo'ed, can read, change or run /etc/init.d/nginx, and I'm not going to give my deploy user any such broad rights. Instead, I'm only going to give the deploy user the specific sudo right to run the control script /etc/init.d/nginx. They will not be able to run an editor to edit it, because they will only have the ability to execute that script. That means that if a someone gets access to my box as the deploy user, they can restart and stop, etc, the nginx process, but they cannot do more, like change the script to do lots of other, evil things.
Specifically, I'm doing this:
visudo
visudo is a specific tool used to edit the sudoers file, and you have to have sudoer privileges to access it.
Using visudo, I add:
# Give deploy the right to control nginx
deploy ALL=NOPASSWD: /etc/init.d/nginx
Check the sudo man page, but as I understand this, the first column is the user being given the sudo rights, in this case, “deploy”. The ALL gives deploy access from all types of terminals/logins (for example, over ssh). The end, /etc/init.d/nginx, ONLY gives the deploy user root access to run /etc/init.d/nginx (and in this case, the NOPASSWD means without a password, which I need for an unattended deployment). The deploy user cannot edit the script to make it evil, they would need FULL sudo access to do that. In fact, no one can unless they have root access, in which case there's a bigger problem. (I tested that the user deploy could not edit the script after doing this, and so should you!)
What do you folks think? Does this work? Are there better ways to do this? My question is similar to this and this, but provides more explanation than I found there, sorry if it's too duplicative, if so, I'll delete it, though I'm also asking for different approaches.
The best practice is to use /etc/sudoers.d/myuser
The /etc/sudoers.d/ folder can contain multiple files that allow users to call stuff using sudo without being root.
The file usually contains a user and a list of commands that the user can run without having to specify a password. Such as
sudo service nginx restart
Note that we are running the command using sudo. Without the sudo the sudoers.d/myuser file will never be used.
An example of such a file is
myuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart
This will allow the myuser user to call all start, stop and restart for the nginx service.
You could add another line with another service or continue to append them to the comma separated list, for more items to control.
Also make shure you have run the command below to secure things
chmod 0440 /etc/sudoers.d/myuser
This is also the way I start and stop services my own created upstart scripts that live in /etc/init
It can be worth checking that out if you want to be able to run your own services easily.
Instructions:
In all commands, replace myuser with the name of your user that you want to use to start, restart, and stop nginx without sudo.
Open sudoers file for your user:
$ sudo visudo -f /etc/sudoers.d/myuser
Editor will open. There you paste the following line:
$ myusername ALL=(ALL) NOPASSWD: /usr/sbin/service nginx start,/usr/sbin/service nginx stop,/usr/sbin/service nginx restart
Save by hitting ctrl+o. It will ask where you want to save, simply press enter to confirm the default. Then exit out of the editor with ctrl+x.

Resources