MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Technical Helps => Topic started by: prgs1971 on 2013-08-18, 17:34:03
-
From what I can see, but I may be wrong, the Kloxo-MR setup script that we run after installation doesn't execute:
[root@server]# mysql_secure_installation
Can any body confirm this?
-
What do you mean? Did you try running 'mysql_secure_installation'?
-
Yes, I have run it successfully.
[root@server]# mysql_secure_installation
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!
[root@server]#
-
When you set the root password manually, it's possible to have problems with certain parts of Kloxo-MR (usually webmail). You need to run 'sh /script/reset-mysql-root-password YOURPASSWORDHERE'.
-
Before I ran "mysql_secure_installation" I had run this script as advised in the Kloxo-MR admin, but the Kloxo-MR admin doesn't state that we need to input the password as plain text in front of the command as you have instructed now.
It is not good practice to input the password in plain text with the command... it will be saved in the command history.
-
Change 'YOURPASSWORDHERE' to whatever text you want. That's it!
-
I know what you mean, but that is not secure...
Input a password in plain text????
The script must ask for the password after it starts running ;) not like it is now, where you have to input the password in plain text...
-
I don't know what you mean by 'password in plain text'.
-
Inputting the password in plain text means that the password is visible (you can read the password) in the command line.
[root@server]# sh /script/reset-mysql-root-password YOURPASSWORDHERE
The secure mode would be something like this:
[root@server]# sh /script/reset-mysql-root-password
Enter password: // when you type the password here you will not see what you are typing
....
script execution
....
[root@server]#
-
Is it still dangerous when you input the password with only you in front of your PC monitor?
-
I say this because that command will be saved in the command line history.
I will look for that file and erase the entry after I run this command.
-
OK, 2 questions:
1. How do you access the 'command history', and who is able to access this history?
2. Did you try mysql_secure_installation and reset-mysql-root-password, and was your input recorded by the 'command history'?
-
To access the command history you just need to use your up and down arrow keys, or look at the content of the file ~/.bash_history
I ran
[root@server]# mysql_secure_installation
and after that I ran
[root@server]# reset-mysql-root-password YOURPASSWORDHERE
Now I am able to see the password by accessing the last inputs in the command line, using the arrow key "up".
To see the password in the file ~/.bash_history I need to exit from root and log in again.
[root@server]# exit
[root@server]# su -
[root@server]# vim ~/.bash_history
Now I can confirm that the password is visible in this file, and I erase this line from the file ;)
After I close and save the file I have to exit from root and log in again to confirm that reset-mysql-root-password YOURPASSWORDHERE is not accessible anymore from the command line history by using the arrow key "up" to walk through the last inputs we have entered in the command line.
OK.. I confess, I am paranoid about security 8-)
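The two points argued above, a prompt that hides the password instead of taking it as a command-line argument, and the manual search of ~/.bash_history for the leaked line, can both be done in a few shell functions. The block below is an added example written for this thread; it is not Kloxo-MR's /script/reset-mysql-root-password (whose source is not shown here) and the option-file approach, the function names and the grep patterns are my own choices. Besides ending up in ~/.bash_history, a password passed as an argument is visible to every local user in `ps` for as long as the command runs, which is why the helper passes it through a 0600 option file (a mechanism the real mysql and mysqladmin clients support via --defaults-extra-file) rather than through argv.

```shell
#!/bin/sh
# Added example (not Kloxo-MR's /script/reset-mysql-root-password, whose
# source is not shown in this thread): defensive helpers for the problem
# discussed above.
#  1. read_secret / write_client_cnf: take a password from a no-echo prompt
#     and hand it to the MySQL client through a 0600 option file, so it is
#     never an argv word (argv lands in ~/.bash_history and is visible to
#     every local user in `ps` while the command runs).
#  2. audit_history: scan a history file for lines that did pass a password
#     on the command line, the cleanup prgs1971 did by hand with vim.
set -eu

# read_secret PROMPT: read one line from stdin and print it. When stdin is a
# terminal, echo is switched off for the duration and restored afterwards
# (also on Ctrl-C); when stdin is a pipe, the line is read as-is.
read_secret() {
    if [ -t 0 ]; then
        printf '%s' "$1" >&2
        old_stty=$(stty -g)
        trap 'stty "$old_stty"' EXIT INT TERM
        stty -echo
        IFS= read -r secret
        stty "$old_stty"
        trap - EXIT INT TERM
        printf '\n' >&2
    else
        IFS= read -r secret
    fi
    printf '%s' "$secret"
}

# write_client_cnf PASSWORD: write a temporary MySQL option file readable only
# by the current user and print its path. mysql/mysqladmin load it with
# --defaults-extra-file=PATH, so no password reaches the command line.
# (Values containing '#' or ';' must be quoted in option files.)
# Delete the file as soon as the client call has finished.
write_client_cnf() {
    cnf=$(mktemp "${TMPDIR:-/tmp}/mysql-root.XXXXXX")
    chmod 600 "$cnf"
    printf '[client]\nuser=root\npassword=%s\n' "$1" > "$cnf"
    printf '%s' "$cnf"
}

# audit_history FILE: print (with line numbers) every history line that put a
# MySQL password on the command line: the thread's reset script with an
# argument, -pSECRET / --password= on the mysql tools, or
# 'mysqladmin ... password NEWPW'. A bare '-p' (interactive prompt) is not
# flagged. Exit status 1 means nothing was found.
audit_history() {
    grep -nE \
        -e 'reset-mysql-root-password[[:space:]]+[^[:space:]]' \
        -e '(mysql|mysqladmin|mysqldump)[[:space:]].*(-p[^[:space:]]|--password=)' \
        -e 'mysqladmin[[:space:]].*[[:space:]]password[[:space:]]+[^[:space:]]' \
        "$1"
}

# make_sample_history: a constructed ~/.bash_history stand-in for the demo;
# the passwords in it are made up.
make_sample_history() {
    hist=$(mktemp "${TMPDIR:-/tmp}/bash_history.XXXXXX")
    cat > "$hist" <<'EOF'
ls -la
sh /script/reset-mysql-root-password YOURPASSWORDHERE
mysql_secure_installation
mysql -u root -pS3cret! -e 'show databases'
mysqladmin -u root password NewPass
mysql -u root -p
EOF
    printf '%s' "$hist"
}

# Demo: audit the constructed history (three of the six lines are flagged).
sample=$(make_sample_history)
echo "Lines that leaked a password into shell history:"
audit_history "$sample"
rm -f "$sample"
```

For an interactive reset the caller would do `pw=$(read_secret 'New MySQL root password: ')`, then `cnf=$(write_client_cnf "$pw")`, run the client with `--defaults-extra-file="$cnf"` reading its SQL from stdin rather than from `-e`, and remove the file. If a one-off command with a secret argument cannot be avoided, bash keeps a command out of history when `HISTCONTROL=ignorespace` is set and the line starts with a space, which is less error-prone than editing ~/.bash_history afterwards; it does nothing about the `ps` exposure, which only the option-file route removes.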
-
I am not changing how the script works because I am not paranoid. I am concerned about security, but not to the point of being paranoid.
Sorry.
-
If you didn't select 'mod_php' (already removed from Kloxo-MR) and only you (as root/admin) are able to access ssh, there is no reason to worry about other people being able to access the bash history (because it's impossible).
-
With an increase of 1600% (one thousand six hundred percent) in hacker attacks in 2013, I started to get very concerned about the security of my VPS.
Now I look for every detail that can compromise security ;)
I will try to learn the language used in that script and I will change it myself.
I hope that it will not be too hard to prompt the user for input in this language.
I will post it when done ;)
-
I am not paranoid.
The VPS for this forum is not using a firewall (like iptables/CSF). Why? Because I think protection from nginx and lxguard is enough!
-
If you didn't select 'mod_php' (already removed from Kloxo-MR) and only you (as root/admin) are able to access ssh, there is no reason to worry about other people being able to access the bash history (because it's impossible).
I think that only with ssh access as root/admin, as you say, will it be possible to see that file, but I will take this precaution anyway.
Thank you very much for your help and advice ;)
-
Remember, someone trying to access your VPS via ssh/ftp/panel will be banned if they fail up to 20 times (depending on your setting).
Also, the SQL injection bug in Kloxo official is already fixed in Kloxo-MR.
-
Remember, someone trying to access your VPS via ssh/ftp/panel will be banned if they fail up to 20 times (depending on your setting)
I have it enabled, but without a firewall you can exceed the max attempts you have configured.
Lxguard reads the failed attempts from a log file and then blocks the IP...
I prefer to use iptables or CSF to have real-time blocking.
Also, the SQL injection bug in Kloxo official is already fixed in Kloxo-MR.
I was not aware of this one :(
-
SQL injection in Kloxo official is a critical issue because it makes it possible for someone external to access/take over your server after a successful login.
-
You mean a successful login to the Kloxo admin interface or the user interface?
-
With SQL injection, it is possible for someone to log in as 'admin' to the Kloxo official panel.