Credential Stuffing

dalescott.net is a regular target for credential stuffing penetration attacks. I took a closer look at last night's attempted login IDs. By its appearance, “1234” and “m” must be popular with sysadmins as quick login IDs (but not for me ;-)).

1234
aaron
account
adam
adm
admin
administrateur
administrator
apache
asteriskftp
auction
backup
boss
centos
cisco
connect
console
contact
cop
demo
D-Link
ems
fax
ftp
ftpuser
guest
helpdesk
info
installer
jenkins
kelly
kobayashi
lock
logout
lpa
lpd
luanvandiemcao
luckup
lucky
m
mailman
mailtest
manager
marketing
monitor
msf_user
nagios
network
new
office
openfiler
oracle
password
pi
PlcmSpIp
post
postfix
postgres
remote
report
sales
scan
scanner
sconsole
software
spam
squid
sue
support
svn
sync
synopass
system
tamaichi
test
test01
testuser
tomcat
ubnt
ubuntu
uftp
unknown
unlock
uploader
url
user
uucp
vagrant
vmail
vpn
webmaster
wordpress
www-data
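
A list like the one above can be pulled straight from the authentication log. The following is an added example, not part of the original post: it assumes the attempts were made against sshd and logged in OpenSSH's "Invalid user NAME from ADDR port N" format, and the sample lines, addresses and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes sshd logs rejected
# login IDs as "Invalid user NAME from ADDR port N" (OpenSSH format).

# Constructed sample lines using RFC 5737 documentation addresses.
sample_log() {
cat <<'EOF'
Nov  3 02:14:07 www sshd[4101]: Invalid user admin from 192.0.2.10 port 40112
Nov  3 02:14:09 www sshd[4103]: Invalid user 1234 from 192.0.2.10 port 40140
Nov  3 02:14:12 www sshd[4105]: Invalid user admin from 192.0.2.10 port 40171
Nov  3 02:14:12 www sshd[4105]: Failed password for invalid user admin from 192.0.2.10 port 40171 ssh2
Nov  3 02:14:20 www sshd[4107]: Invalid user m from 192.0.2.10 port 40230
Nov  3 02:14:26 www sshd[4109]: Invalid user ubnt from 192.0.2.10 port 40288
Nov  3 02:15:31 www sshd[4110]: Invalid user pi from 198.51.100.7 port 51822
Nov  3 02:15:40 www sshd[4112]: Accepted publickey for dale from 203.0.113.5 port 50022 ssh2
Nov  3 02:16:02 www sshd[4120]: Invalid user admin from 198.51.100.7 port 51901
Nov  3 02:16:05 www sshd[4122]: Invalid user  from 198.51.100.7 port 51950
EOF
}

# Emit "ADDR<TAB>LOGIN_ID" for every "Invalid user" line on stdin.
extract_attempts() {
    awk '
    /sshd\[[0-9]+\]: Invalid user / {
        s = substr($0, index($0, "]: Invalid user ") + 16)
        # Anchor on the trailing " from ADDR [port N]" so a login ID that
        # itself contains " from " cannot shift the parse.
        if (!match(s, / from [0-9A-Fa-f.:]+( port [0-9]+)?$/)) next
        id = substr(s, 1, RSTART - 1)
        if (id == "") id = "(empty)"
        split(substr(s, RSTART + 6), f, " ")
        printf "%s\t%s\n", f[1], id
    }'
}

# "COUNT LOGIN_ID", most frequently tried first.
top_ids() {
    extract_attempts | cut -f2 | LC_ALL=C sort | uniq -c |
        LC_ALL=C sort -k1,1nr -k2 | sed 's/^ *//'
}

# "DISTINCT_IDS ADDR": sources cycling through many different login IDs.
ids_per_source() {
    extract_attempts | LC_ALL=C sort -u | cut -f1 | uniq -c |
        LC_ALL=C sort -k1,1nr -k2 | sed 's/^ *//'
}

sample_log | top_ids
sample_log | ids_per_source
```

Against a real log, feed the file on stdin instead of the sample, for example `top_ids < /var/log/auth.log`. The paired "Failed password for invalid user" lines are skipped on purpose so each attempt is counted once.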

Install ERPNext on FreeBSD 11.2 using VirtualBox

Search for other ERPNext-related posts. You may also visit the demo on dalescott.net.

The simplest way to “install” ERPNext on FreeBSD is to run the virtual machine image provided by the ERPNext project in VirtualBox.

The ERPNext project provides the Easy Install script for bare-metal installation, but it has a number of Linux dependencies and will not work on FreeBSD without changes. Happily, the project also provides a fully configured virtual machine (based on Ubuntu Linux).

It may also be possible to use bhyve, the BSD hypervisor, with the virtual image, but the OVF file must first be converted to bhyve’s raw format.

Install VirtualBox

Install the virtualbox-ose-nox11 package for running headless virtual machines.

% sudo pkg install virtualbox-ose-nox11

The VirtualBox kernel module (virtualbox-ose-kmod) will also be installed, but it must be recompiled from source and reinstalled. Otherwise, at the very least, the system will crash at the next reboot once it has been configured to load the kernel module at boot.

Update the ports collection to prepare for compiling the kernel module. 

# portsnap fetch update

If the ports collection has not been installed, install it.

# portsnap fetch extract

The FreeBSD sources are required to compile the kernel module. If not already installed, install the FreeBSD sources.

% fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.2-RELEASE/src.txz
% sudo tar -C / -xzvf src.txz

Compile and install the virtualbox-ose-kmod port. Make will first refuse to install the module because it is already installed (recall it was installed as a dependency of virtualbox-ose-nox11). De-install the virtualbox-ose-kmod package, then re-install the newly compiled version.

% cd /usr/ports/emulators/virtualbox-ose-kmod
% sudo make
% sudo make install
% sudo make deinstall
% sudo make reinstall

Perform post-install configuration.

1) edit /boot/loader.conf to load the vboxdrv kernel module at boot,

# vi /boot/loader.conf
...
vboxdrv_load="YES"

2) increase AIO limits by editing /etc/sysctl.conf (my server is using AIO; for more information, refer to the virtualbox-ose-nox11 pkg-message).

vfs.aio.max_buf_aio=8192
vfs.aio.max_aio_queue_per_proc=65536
vfs.aio.max_aio_per_proc=8192
vfs.aio.max_aio_queue=65536

Reboot the system to load the kernel module (or load it manually).

Make a mental note before doing an OS update to first edit /boot/loader.conf to not load the module. Otherwise the system will likely crash when next rebooted.

The user that VirtualBox runs as must be a member of the vboxusers group. For simplicity, I’ll run VirtualBox using my own username, although best practice would be to create a dedicated user.

# pw groupmod vboxusers -m dale

Edit /etc/rc.conf to run vboxwebsrv (the VirtualBox web interface daemon) using the provided startup script installed in /usr/local/etc/rc.d/,

% sudo vi /etc/rc.conf

vboxwebsrv_enable="YES"
vboxwebsrv_user="dale"

and finally start the vboxwebsrv service.

% sudo service vboxwebsrv start
% sudo service vboxwebsrv status

The vboxmanage CLI utility can be used to manage virtual machines, but I will be using phpVirtualBox, which provides a familiar GUI.

Install phpVirtualBox

phpVirtualBox can be installed from the FreeBSD ports collection but it currently has a dependency on PHP 7.1 while I have PHP 7.2. I installed phpVirtualBox manually to avoid pkg attempting to revert my PHP install to 7.1, and have not encountered any issues.

Download the latest release from the phpVirtualBox GitHub project. Follow the instructions in the README.md file and on the wiki. Extract the project to /usr/local/www, and edit the configuration.

# vi /usr/local/www/phpvirtualbox/config.php

var $username = 'dale';
var $password = 'dale_login_password';

Configure the webserver to serve phpVirtualBox. I’m using the basic Apache 2.4 HTTP server package. I added a virtual host definition to /usr/local/etc/apache24/extra/httpd-vhosts.conf to serve phpVirtualBox as phpvirtualbox.dalescott.net.

<VirtualHost phpvirtualbox.dalescott.net>
  DocumentRoot "/usr/local/www/phpvirtualbox"
  <Directory "/usr/local/www/phpvirtualbox">
    Options None
    # Apache 2.4 access control (the 2.2-style Allow/Order directives are not needed)
    Require all granted
  </Directory>
</VirtualHost>

Change the default phpVirtualBox login password to something secure after logging in for the first time.

“Install” ERPNext

Download the desired ERPNext Virtual Machine image (*.ova).

% cd ~/downloads
% wget http://build.erpnext.com/ERPNext-Production.ova

Using phpVirtualBox, create a new VM by importing the downloaded ERPNext-Production.ova Virtual Image file (File/Import). The OVF includes port forwarding rules to forward client port 80 to host port 8080 (for serving ERPNext) and a rule to forward ssh from client port 22 to host port 3022 (for system administration).

Start the VM and then log in to ERPNext from a browser (e.g. www.dalescott.net:8080) using the default credentials. The new site wizard will run and lead you through ERPNext configuration. Use a secure password when defining the initial (admin) user, and the wizard will delete the initial Administrator user (with default password) when complete.

Once logged into ERPNext, set up email processing so that users will receive notifications outside of ERPNext. This will be valuable for understanding and appreciating ERPNext’s significant social aspect. You will also want to change the system login (i.e. ssh) password for the “frappe” user to something secure (or disable password authentication entirely in favor of key-based authentication).

Cheers,
Dale

 

Use newsyslog to rotate Apache log file on FreeBSD

I recently needed to review the Apache httpd error log file on my server (/var/log/httpd-error.log), and had to scroll through 95,000 lines before getting to the part of interest. The server was rebooted only a month earlier, which shows how fast the Apache log file grows even on a server with relatively low demand.

To make Apache’s log files more manageable, I configured them to roll every week using the FreeBSD standard newsyslog utility, which is run from cron (see /etc/crontab).

Instead of editing the newsyslog config file (/etc/newsyslog.conf) directly, create a secondary configuration file specifically to rotate Apache logs. The end of the newsyslog master configuration file reads any secondary config files,

...
<include> /etc/newsyslog.conf.d/[!.]*.conf
<include> /usr/local/etc/newsyslog.conf.d/[!.]*.conf

and secondary configuration files will not be affected by upgrades to newsyslog.

First create a directory for the Apache newsyslog configuration file. Since Apache is third-party software, create the /usr/local/etc/newsyslog.conf.d directory.

% sudo mkdir -p /usr/local/etc/newsyslog.conf.d

and then create the config file:

% sudo vi /usr/local/etc/newsyslog.conf.d/apache.conf

# Apache
# [logfile name] [owner:group] [mode] [count] [size] [when] [flags] [path to pid file] [signal]
/var/log/httpd-access.log www:www 640 9 * $W1D4 J /var/run/httpd.pid 30
/var/log/httpd-error.log  www:www 640 9 * $W1D4 J /var/run/httpd.pid 30

This will roll the access and error log files every Monday at 4am (system time). A total of 9 weekly archives will be kept (providing up to 10 weeks of logs counting the current log), and log file archives will be compressed using bzip2. The file mode is consistent with other system logs, but could be made more restrictive if desired. A SIGUSR1 signal (30) is sent to Apache to perform a graceful restart after rolling the log file.
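
The mode field decides who can read the current and rotated logs. As an added example (not from the original post), this script parses newsyslog entries, allowing for the optional owner:group field, and lists any whose mode grants read access to "other"; it assumes the owner:group form with a colon, and the third sample entry and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): list newsyslog entries whose
# mode lets users outside the owner and group read the log.

# Constructed sample; the third entry omits the optional owner:group field.
sample_conf() {
cat <<'EOF'
# [logfile name] [owner:group] [mode] [count] [size] [when] [flags] [pid file] [signal]
/var/log/httpd-access.log www:www 640 9 * $W1D4 J /var/run/httpd.pid 30
/var/log/httpd-error.log  www:www 640 9 * $W1D4 J /var/run/httpd.pid 30
/var/log/example-app.log          644 5 100 *   J
<include> /usr/local/etc/newsyslog.conf.d/[!.]*.conf
EOF
}

# Print "LOGFILE MODE OWNER" for each entry readable by "other".
world_readable_logs() {
    awk '
    /^[ \t]*(#|$)/ || /^[ \t]*<include>/ { next }   # comments, blanks, includes
    {
        i = 2; owner = "(default)"
        if ($i ~ /:/) { owner = $i; i++ }           # owner:group is optional
        mode = $i
        if (mode !~ /^[0-7]+$/) next                # not a parsable entry
        other = substr(mode, length(mode), 1) + 0   # last octal digit = "other" bits
        if (other >= 4) print $1, mode, owner       # 4 is the read bit
    }'
}

sample_conf | world_readable_logs
```

Run it over the real files with `cat /etc/newsyslog.conf /usr/local/etc/newsyslog.conf.d/*.conf | world_readable_logs`.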

For more information, see the System Logging section of the FreeBSD Manual and man pages for newsyslog and newsyslog.conf.

To read a compressed log file, uncompress the file and pipe to less:

% sudo bzcat httpd-error.log.0.bz2 | less

or use the simpler:

% sudo bzless httpd-error.log.0.bz2

Cheers!

FreeBSD on a BBG

Here’s the situation after installing FreeBSD on my BBG (BeagleBone Green), using an image published by the raspBSD project. No custom configuration or installing additional software has been done, although I have updated the package database. There’s more information on the install in a previous post.

For background, a BeagleBone Green (BBG) has a TI Sitara AM335x (1GHz ARM Cortex-A8) with 512MB DDR3 and 4GB eMMC (primary boot device), a micro SD socket (alternate boot device and additional storage), two USB connectors (one client and one host), ethernet, two Grove 4-pin connectors and two 46-pin 2×23 0.100″ pin headers with GPIO, SPI, I2C and other signals. 

Identification & Disk Use

Active Processes

I have two remote ssh sessions open.

Memory use