Oracle XE not binding on IP4 port 1521 - database

I have Oracle 11g XE installed on Ubuntu 12.4 and am having difficulty getting Oracle to bind on a TCP port. The IPv6 binding seems to be fine but not the IPv4 one (tcp 0.0.0.0:1521).
Here is the oracle-xe status:
root@pearBox:~# /etc/init.d/oracle-xe status
LSNRCTL for Linux: Version 11.2.0.2.0 - Production on 06-JUN-2013 15:08:34
Copyright (c) 1991, 2011, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC_FOR_XE)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 11.2.0.2.0 - Production
Start Date 06-JUN-2013 15:06:42
Uptime 0 days 0 hr. 1 min. 52 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Default Service XE
Listener Parameter File /u01/app/oracle/product/11.2.0/xe/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/pearBox/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC_FOR_XE)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=pearBox)(PORT=1521)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=pearBox)(PORT=8080))(Presentation=HTTP)(Session=RAW))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "XE" has 1 instance(s).
Instance "XE", status READY, has 1 handler(s) for this service...
Service "XEXDB" has 1 instance(s).
Instance "XE", status READY, has 1 handler(s) for this service...
The command completed successfully
Netstat results:
root@pearBox:~# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 914/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1859/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 608/sshd
tcp6 0 0 :::22447 :::* LISTEN 1757/xe_d000_XE
tcp6 0 0 :::8080 :::* LISTEN 1655/tnslsnr
tcp6 0 0 :::1521 :::* LISTEN 1655/tnslsnr
tcp6 0 0 :::22 :::* LISTEN 608/sshd
And the listener configuration:
root@pearBox:~# cat /u01/app/oracle/product/11.2.0/xe/network/admin/listener.ora
# listener.ora Network Configuration File:
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = PLSExtProc)
(ORACLE_HOME = /u01/app/oracle/product/11.2.0/xe)
(PROGRAM = extproc)
)
)
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
(ADDRESS = (PROTOCOL = TCP)(HOST = pearBox)(PORT = 1521))
)
)
DEFAULT_SERVICE_LISTENER = (XE)
I changed the hostname to "HOST = 127.0.0.1" and it is binding on localhost, but I am not able to access the Oracle instance from the network!
root@pearBox:~# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 914/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1859/apache2
tcp 0 0 127.0.0.1:1521 0.0.0.0:* LISTEN 2339/tnslsnr
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 608/sshd
tcp6 0 0 :::21121 :::* LISTEN 2443/xe_d000_XE
tcp6 0 0 :::22
I would appreciate it if you could help get this issue resolved.

Just found this post, I had the same issue. It was the result of changing my hostname post-installation. I was able to remedy the situation by updating the hostname in both:
/u01/app/oracle/product/11.2.0/xe/network/admin/tnsnames.ora
and
/u01/app/oracle/product/11.2.0/xe/network/admin/listener.ora

I would suggest taking a look at the firewall rules -> https://help.ubuntu.com/12.04/serverguide/firewall.html

Changing the hostname worked for me as I found a mismatch by checking:
uname -a
listener log : log.xml
/etc/hosts
I added the full host name with the domain
I appreciate the help; I had been searching internet posts for a week before I found this reference.
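The two answers above both come down to the same check: the HOST in the TCP ADDRESS of listener.ora must resolve to the address you expect, and a default Ubuntu install maps the short hostname to 127.0.1.1 in /etc/hosts. The following script is an added example, not code from the question or the answers: it pulls the TCP HOST entries out of a listener.ora fragment and reports how a given /etc/hosts file would resolve each one. The listener.ora and both /etc/hosts files are constructed samples (the 192.168.1.20 LAN address is assumed); it only models /etc/hosts, not DNS.

```python
import ipaddress
import re

# Constructed listener.ora fragment modelled on the one in the question.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC_FOR_XE))
      (ADDRESS = (PROTOCOL = TCP)(HOST = pearBox)(PORT = 1521))
    )
  )
"""

# Constructed /etc/hosts files. The first maps the short hostname only to the
# loopback address 127.0.1.1, which is what a default Ubuntu install writes; the
# second maps it to the machine's LAN address (an assumed value).
SAMPLE_HOSTS_LOOPBACK_ONLY = """
127.0.0.1   localhost
127.0.1.1   pearBox
"""
SAMPLE_HOSTS_LAN = """
127.0.0.1     localhost
192.168.1.20  pearBox.example.lan pearBox
"""

TCP_HOST_RE = re.compile(
    r"\(\s*PROTOCOL\s*=\s*TCP\s*\)\s*\(\s*HOST\s*=\s*([^)\s]+)\s*\)", re.IGNORECASE)


def tcp_hosts(listener_ora):
    """HOST value of every TCP ADDRESS entry in listener.ora, in file order."""
    return TCP_HOST_RE.findall(listener_ora)


def hosts_table(hosts_text):
    """Parse /etc/hosts into {name (lower-case): [addresses]}; comments are ignored."""
    table = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def classify_listener_hosts(listener_ora, hosts_text):
    """For each TCP HOST entry, report how /etc/hosts would resolve it:
    'unresolvable'  - no /etc/hosts entry (resolution falls through to DNS)
    'loopback-only' - every address is 127/8 or ::1, so the listener can only
                      bind to a loopback address
    'reachable'     - at least one non-loopback address
    """
    table = hosts_table(hosts_text)
    verdicts = {}
    for host in tcp_hosts(listener_ora):
        try:
            ipaddress.ip_address(host)   # HOST may be a literal address
            addrs = [host]
        except ValueError:
            addrs = table.get(host.lower(), [])
        if not addrs:
            verdicts[host] = "unresolvable"
        elif all(ipaddress.ip_address(a).is_loopback for a in addrs):
            verdicts[host] = "loopback-only"
        else:
            verdicts[host] = "reachable"
    return verdicts


if __name__ == "__main__":
    for label, hosts in (("loopback-only hosts file", SAMPLE_HOSTS_LOOPBACK_ONLY),
                         ("LAN hosts file", SAMPLE_HOSTS_LAN)):
        print(label, classify_listener_hosts(SAMPLE_LISTENER_ORA, hosts))
```

Run it against the real files by reading them in place of the samples; a "loopback-only" verdict for the listener's HOST is the mismatch the answers describe, and "unresolvable" means the listener will depend on whatever DNS returns for that name.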

Related

Keepalived - VIP on device different from one where VRRP instance configured

I have 2 VMs with Linux and keepalived installed. Their hostnames are master and slave. Each VM has 2 network interfaces configured for different subnets:
master:
eth1 - 192.168.1.101/24
eth2 - 192.168.56.101/24
slave:
eth1 - 192.168.1.102/24
eth2 - 192.168.56.102/24
On each node I configured one vrrp_instance using interface eth1:
vrrp_instance VI_1 {
...
interface eth1
...
}
And I assigned one VIP for each subnet - one per interface:
vrrp_instance VI_1 {
...
virtual_ipaddress {
192.168.1.250/32 dev eth1 label eth1:vip0
192.168.56.250/32 dev eth2 label eth2:vip0
}
...
}
So, whole configs are:
master:
vrrp_instance VI_1 {
state MASTER
interface eth1
virtual_router_id 1
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass HURRDURR
}
virtual_ipaddress {
192.168.1.250/32 dev eth1 label eth1:vip0
192.168.56.250/32 dev eth2 label eth2:vip0
}
}
slave:
vrrp_instance VI_1 {
state BACKUP
interface eth1
virtual_router_id 1
priority 99
advert_int 1
authentication {
auth_type PASS
auth_pass HURRDURR
}
virtual_ipaddress {
192.168.1.250/32 dev eth1 label eth1:vip0
192.168.56.250/32 dev eth2 label eth2:vip0
}
}
A question: could someone please tell me if there are pitfalls with such a setup (on condition that VRRP multicast is allowed on the interface specified in the option interface <interface name>)?
As far as I understood, the option interface <interface name> is used only for communication between the keepalived instances; in fact, it specifies which interface keepalived will use to send the multicast traffic that negotiates which node should be the leader at the moment. It should not affect the configured VIPs (on condition that I configured them properly).
I realized at least one pitfall of such a configuration. In case of network problems with interface eth2 on the master server, the VIP assigned on eth1 will not be moved to the slave, because the VRRP instance communicates over the network on eth1 of both servers.
Therefore I think that such a configuration is not recommended. A VIP should be assigned to the same interface on which its VRRP instance is configured.
Correct configuration:
master:
vrrp_instance VI_1 {
state MASTER
interface eth1
virtual_router_id 1
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass HURRDURR
}
virtual_ipaddress {
192.168.1.250/32 dev eth1 label eth1:vip0
}
}
vrrp_instance VI_2 {
state MASTER
interface eth2
virtual_router_id 2
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass HURRDURR
}
virtual_ipaddress {
192.168.56.250/32 dev eth2 label eth2:vip0
}
}
slave:
vrrp_instance VI_1 {
state BACKUP
interface eth1
virtual_router_id 1
priority 99
advert_int 1
authentication {
auth_type PASS
auth_pass HURRDURR
}
virtual_ipaddress {
192.168.1.250/32 dev eth1 label eth1:vip0
}
}
vrrp_instance VI_2 {
state BACKUP
interface eth2
virtual_router_id 2
priority 99
advert_int 1
authentication {
auth_type PASS
auth_pass HURRDURR
}
virtual_ipaddress {
192.168.56.250/32 dev eth2 label eth2:vip0
}
}
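The pitfall described above is easy to lint for: every VIP whose `dev` differs from its instance's `interface` depends on an interface the VRRP instance is not watching. The script below is an added example, not part of the question or the answer; it parses `vrrp_instance` blocks from a keepalived.conf and lists such VIPs. Both configs are constructed from the ones in the thread, and it assumes the keepalived default that a VIP without `dev` is placed on the instance interface.

```python
import re

# Constructed keepalived.conf reproducing the questioned layout: one VRRP instance
# on eth1 that also carries a VIP on eth2.
SAMPLE_MIXED = """
vrrp_instance VI_1 {
    state MASTER
    interface eth1
    virtual_router_id 1
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass HURRDURR
    }
    virtual_ipaddress {
        192.168.1.250/32 dev eth1 label eth1:vip0
        192.168.56.250/32 dev eth2 label eth2:vip0
    }
}
"""

# Constructed config with the layout the answer recommends: one instance per interface.
SAMPLE_SPLIT = """
vrrp_instance VI_1 {
    state MASTER
    interface eth1
    virtual_router_id 1
    priority 100
    virtual_ipaddress {
        192.168.1.250/32 dev eth1 label eth1:vip0
    }
}
vrrp_instance VI_2 {
    state MASTER
    interface eth2
    virtual_router_id 2
    priority 100
    virtual_ipaddress {
        192.168.56.250/32          # no 'dev': keepalived puts it on the instance interface
    }
}
"""

INSTANCE_RE = re.compile(r"vrrp_instance\s+(\S+)\s*\{")


def parse_instances(conf):
    """[{name, interface, vips: [(address, dev or None)]}] for each vrrp_instance block."""
    instances, current, depth, in_vips = [], None, 0, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = INSTANCE_RE.match(line)
        if m:
            current = {"name": m.group(1), "interface": None, "vips": []}
            instances.append(current)
            depth, in_vips = 1, False
            continue
        if current is None:
            continue
        if line.endswith("{"):                      # nested block (authentication, virtual_ipaddress, ...)
            depth += 1
            in_vips = line.startswith("virtual_ipaddress")
        elif line == "}":
            depth -= 1
            in_vips = False
            if depth == 0:
                current = None
        elif in_vips:
            toks = line.split()
            dev = toks[toks.index("dev") + 1] if "dev" in toks else None
            current["vips"].append((toks[0], dev))
        elif depth == 1 and line.startswith("interface "):
            current["interface"] = line.split()[1]
    return instances


def cross_interface_vips(conf):
    """(instance, vip, device) for every VIP that lands on an interface other than the
    one its VRRP instance exchanges advertisements on. With instances configured as
    in the thread, a failure of that other interface does not trigger a failover."""
    findings = []
    for inst in parse_instances(conf):
        for vip, dev in inst["vips"]:
            dev = dev or inst["interface"]          # keepalived default for a VIP without 'dev'
            if dev != inst["interface"]:
                findings.append((inst["name"], vip, dev))
    return findings


if __name__ == "__main__":
    print("mixed:", cross_interface_vips(SAMPLE_MIXED))
    print("split:", cross_interface_vips(SAMPLE_SPLIT))
```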

Trying Wireguard + Suricata + Nftables IPS project, some problems

I'm working on a project aimed at building a public VPN that passes through a Suricata IPS filter. I'm using WireGuard VPN and Suricata in IPS mode with nftables.
I managed to block IPS test traffic from the host (the server) to and from the internet; also the VPN is working, routing all traffic from clients to the internet through the server.
But the problem is that this traffic is not detected by the Suricata engine. I cannot find the appropriate nftables rule for this.
I have this nftables.conf file (some ingress filtering rules that I also have for bad traffic are not shown in this sample, to save space):
table inet firewall {
# Sets are dictionaries and maps of ports, addresses etc.
# These can then easily be used in the rules.
# Sets can be named whatever you like.
# TCP ports to allow, here we add ssh, http and https.
set tcp_accepted {
# The "inet_service" are for tcp/udp ports and "flags interval" allows to set intervals, see the mosh ports below.
type inet_service; flags interval;
elements = {
22, 8080
}
}
# UDP ports to allow, here we add ports for WireGuard and mosh.
set udp_accepted {
type inet_service; flags interval;
elements = {
19869
}
}
# The first chain, can be named anything you like.
chain incoming {
# This line set what traffic the chain will handle, the priority and default policy.
# The priority comes in when you in another table have a chain set to "hook input" and want to specify in what order they should run.
# Use a semicolon to separate multiple commands on one row.
type filter hook input priority 0; policy drop;
# Drop invalid packets.
ct state invalid drop
# Drop non-SYN packets.
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
# Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second burst 5 packets drop
# OBS! Rules with "limit" need to be put before rules accepting "established" connections.
# Allow all incoming established and related traffic.
ct state established,related accept
# Allow loopback.
# Interfaces can be set with "iif" or "iifname" (oif/oifname). If the interface can come and go use "iifname", otherwise use "iif" since it performs better.
iif lo accept
# Allow certain inbound ICMP types (ping, traceroute).
# With these allowed you are a good network citizen.
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
# Without the nd-* ones ipv6 will not work.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# Allow needed tcp and udp ports.
iifname $wan tcp dport @tcp_accepted ct state new accept
iifname $wan udp dport @udp_accepted ct state new accept
# Allow WireGuard clients to access DNS and services.
iifname $vpn udp dport 53 ct state new accept
iifname $vpn tcp dport @tcp_accepted ct state new accept
iifname $vpn udp dport @udp_accepted ct state new accept
# Allow VPN clients to communicate with each other. (disabled)
# iifname $vpn oifname $vpn ct state new accept
}
chain forwarding {
type filter hook forward priority 0; policy drop;
# Drop invalid packets.
ct state invalid drop
# Forward all established and related traffic.
ct state established,related accept
# Forward WireGuard traffic.
# Allow WireGuard traffic to access the internet via wan.
iifname $vpn oifname $wan ct state new accept
}
chain outgoing {
type filter hook output priority 0; policy drop;
# I believe settings "policy accept" would be the same but I prefer explicit rules.
# Drop invalid packets.
ct state invalid drop
# Allow all other outgoing traffic.
# For some reason ipv6 ICMP needs to be explicitly allowed here.
ip6 nexthdr ipv6-icmp accept
ct state new,established,related accept
}
chain IPS_input {
type filter hook input priority 10; policy drop;
counter queue num 0 bypass
counter drop
}
chain IPS_output {
type filter hook output priority 10; policy drop;
counter queue num 1 bypass
counter drop
}
}
# Separate table for hook pre- and postrouting.
# If using kernel 5.2 or later you can replace "ip" with "inet" to also filter IPv6 traffic.
table inet router {
# With kernel 4.17 or earlier both need to be set even when one is empty.
chain prerouting {
type nat hook prerouting priority -100;
}
chain postrouting {
type nat hook postrouting priority 100;
# Masquerade WireGuard traffic.
# All WireGuard traffic will look like it comes from the servers IP address.
oifname $wan ip saddr $vpn_net masquerade
}
}
Suricata is launched with this (queued):
suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1
Any idea?
thanks for your time!
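One thing worth checking against the ruleset above: the only `queue num` rules sit in chains hooked on `input` and `output`, and a packet that the server merely routes (VPN client to internet) traverses the `prerouting`, `forward` and `postrouting` hooks, never `input` or `output`. The script below is an added example, not code from the question; it parses a ruleset for base chains with queue rules and reports, per traffic kind, whether any hook on that kind's path hands packets to userspace. The rulesets are constructed (a cut-down copy of the question's hook layout, and the same layout plus an assumed forward-hook chain using queue number 2); whether a forward-hook queue alone resolves the poster's setup is not something the thread confirms.

```python
import re

# Constructed ruleset with the same hook layout as the question's nftables.conf:
# packets go to Suricata (queue num 0/1) only from input- and output-hook chains.
SAMPLE_INPUT_OUTPUT_ONLY = """
table inet firewall {
    chain incoming {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
    }
    chain forwarding {
        type filter hook forward priority 0; policy drop;
        iifname "wg0" oifname "eth0" ct state new accept
    }
    chain IPS_input {
        type filter hook input priority 10; policy drop;
        counter queue num 0 bypass
    }
    chain IPS_output {
        type filter hook output priority 10; policy drop;
        counter queue num 1 bypass
    }
}
"""

# Same ruleset plus a forward-hook chain that queues packets. Queue number 2 is an
# assumed value; Suricata would have to be started with a matching -q 2.
SAMPLE_WITH_FORWARD_QUEUE = SAMPLE_INPUT_OUTPUT_ONLY.replace(
    "    chain IPS_output {",
    "    chain IPS_forward {\n"
    "        type filter hook forward priority 10; policy drop;\n"
    "        counter queue num 2 bypass\n"
    "    }\n"
    "    chain IPS_output {")

# Netfilter hook traversal for the three kinds of traffic a VPN gateway sees.
HOOK_PATHS = {
    "to-host":   ("prerouting", "input"),
    "from-host": ("output", "postrouting"),
    "routed":    ("prerouting", "forward", "postrouting"),
}

CHAIN_RE = re.compile(r"chain\s+\S+\s*\{(.*?)\n\s*\}", re.S)   # chain bodies have no nested blocks
HOOK_RE = re.compile(r"type\s+\w+\s+hook\s+(\w+)")
QUEUE_RE = re.compile(r"\bqueue\s+num\s+(\d+)")


def queued_hooks(ruleset):
    """{hook: [queue numbers]} for every base chain that contains a 'queue num' rule."""
    queued = {}
    for body in CHAIN_RE.findall(ruleset):
        hook = HOOK_RE.search(body)
        if not hook:                 # regular (non-base) chain: no hook
            continue
        for num in QUEUE_RE.findall(body):
            queued.setdefault(hook.group(1), []).append(int(num))
    return queued


def traffic_seen_by_ips(ruleset):
    """True for each traffic kind whose hook path contains at least one queuing chain."""
    queued = queued_hooks(ruleset)
    return {kind: any(hook in queued for hook in path) for kind, path in HOOK_PATHS.items()}


if __name__ == "__main__":
    print("input/output only:", traffic_seen_by_ips(SAMPLE_INPUT_OUTPUT_ONLY))
    print("with forward queue:", traffic_seen_by_ips(SAMPLE_WITH_FORWARD_QUEUE))
```

The `bypass` flag on the queue rules in the question means packets are accepted rather than dropped when no program is listening on that queue number, so a queue number mismatch between nftables and `suricata -q` shows up as traffic that silently passes uninspected; the per-hook listing above makes the numbers visible next to the hook they serve.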

Nagios doesn't send services alert

I use Nagios Core 4.4.6. I want Nagios to send service email notifications.
I've already used notify-host-by-email and now want to use notify-service-by-email.
If I use 'Send custom service notification' it succeeds. But auto-alerts don't work.
templates.cfg
define contact {
name generic-contact ; The name of this contact template
service_notification_period 24x7 ; service notifications can be sent anytime
host_notification_period 24x7 ; host notifications can be sent anytime
service_notification_options w,u,c,r,f,s ; send notifications for all service states,$
host_notification_options d,u,r,f,s ; send notifications for all host states, fl$
service_notification_commands notify-service-by-email ; send service notifications via email
host_notification_commands notify-host-by-email ; send host notifications via email
register 0 ; DON'T REGISTER THIS DEFINITION - ITS NOT A$
}
define host {
name generic-host ; The name of this host template
notifications_enabled 1 ; Host notifications are enabled
event_handler_enabled 1 ; Host event handler is enabled
flap_detection_enabled 0 ; Flap detection is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program r$
retain_nonstatus_information 1 ; Retain non-status information across progr$
notification_period 24x7 ; Send host notifications at any time
register 0 ; DON'T REGISTER THIS DEFINITION - ITS NOT A$
}
define host {
name linux-server ; The name of this host template
use generic-host ; This template inherits other values from t$
check_period 24x7 ; By default, Linux hosts are checked round $
check_interval 5 ; Actively check the host every 5 minutes
retry_interval 1 ; Schedule host check retries at 1 minute in$
max_check_attempts 10 ; Check each Linux host 10 times (max)
check_command check-host-alive ; Default command to check Linux hosts
notification_period workhours ; Linux admins hate to be woken up, so we on$
; Note that the notification_period variable$
; the value that is inherited from the gener$
notification_interval 120 ; Resend notifications every 2 hours
notification_options d,u,r ; Only send notifications for specific host $
contact_groups admins ; Notifications get sent to the admins by de$
register 0 ; DON'T REGISTER THIS DEFINITION - ITS NOT A$
}
define service {
name generic-service ; The 'name' of thi$
active_checks_enabled 1 ; Active service ch$
passive_checks_enabled 1 ; Passive service c$
parallelize_check 1 ; Active service ch$
obsess_over_service 1 ; We should obsess $
check_freshness 0 ; Default is to NOT$
notifications_enabled 1 ; Service notificat$
event_handler_enabled 1 ; Service event han$
flap_detection_enabled 1 ; Flap detection is$
process_perf_data 1 ; Process performan$
retain_status_information 1 ; Retain status inf$
retain_nonstatus_information 1 ; Retain non-status$
is_volatile 0 ; The service is no$
check_period 24x7 ; The service can b$
max_check_attempts 3 ; Re-check the serv$
check_interval 10 ; Check the service$
retry_interval 2 ; Re-check the serv$
contact_groups admins ; Notifications get$
notification_options w,u,c,r ; Send notification$
notification_interval 60 ; Re-notify about s$
notification_period 24x7 ; Notifications can$
register 0 ; DON'T REGISTER TH$
}
# Local service definition template
# This is NOT a real service, just a template!
define service {
name local-service ; The name of this $
use generic-service ; Inherit default v$
max_check_attempts 4 ; Re-check the serv$
check_interval 5 ; Check the service$
retry_interval 1 ; Re-check the serv$
register 0 ; DONT REGISTER THI$
}
test_server.cfg
define host {
use linux-server
host_name test_server
alias test_server
address 111.111.111.11 ; sample address
notification_interval 5
notification_period 24x7
}
define service {
use local-service ; Name of service template to use
host_name test_server
service_description PING
check_command check_ping!100.0,20%!500.0,60%
}
define service {
use local-service ; Name of service template to use
host_name test_server
service_description SSH
check_command check_ssh
notification_interval 5
}
define service {
use local-service ; Name of service template to use
host_name test_server
service_description HTTP
check_command check_http
notification_interval 5
}
contacts.cfg
define contact {
contact_name nagiosadmin ; Short name of user
use generic-contact ; Inherit default values from generic-contact templa$
alias Nagios Admin ; Full name of user
email gmail@gmail.com ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ****$
}
define contactgroup {
contactgroup_name admins
alias Nagios Administrators
members nagiosadmin
}
How can I force nagios to send notification about services alerts?

Nagios doesn't Trigger Continuous Alerts

I have set up Nagios on one of my VMs.
I receive the first alert when a service is Critical. But I do not receive the subsequent alerts/emails.
Host template config
define host {
name host-template
alias Default server template
check_command check_dummy!0!!!!!!!
max_check_attempts 10
check_interval 5
retry_interval 1
check_period 24x7
event_handler notify-host-by-email
event_handler_enabled 1
process_perf_data 1
contacts user1
notification_interval 10
notification_period 24x7
first_notification_delay 0
notification_options d,u,s,
notifications_enabled 1
_LTERM_LOAD_C 10
_LTERM_LOAD_W 5
_USED_MEM_C 30
_USED_MEM_W 20
_USED_SPACE_C 40
_USED_SPACE_W 30
register 0
}
Host config:
define host {
host_name aaaaa
use bbbbb
alias DEV
display_name DEV
address 11.111.111.111
_KEY xx
_SERVERPORT xx:8082
_SERVERPORTLFAT xx:443
_URL xx:8082
_USER test01
register 1
}
notification_interval is enabled but still i don't see any notifications.
I'm unsure if there is anything that is overriding it.
Because of this:
max_check_attempts 10
Nagios will try 10 more times before sending you a notification. Try commenting it out and check again.
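Both Nagios questions above turn on the same timing rules: a non-OK result puts a service in a SOFT state, it is re-checked every `retry_interval` minutes, the state becomes HARD only after `max_check_attempts` consecutive non-OK results, the first notification goes out at that point (subject to `notification_options`, `notifications_enabled` and `first_notification_delay`), and repeats every `notification_interval` minutes (0 means notify once). The simulator below is an added example, not code from either question or from Nagios itself; it replays a list of check results against those settings and returns the minute and kind of every notification. It is a simplified model (no downtime, flap detection, escalations or notification periods) and the configurations fed to it are constructed from the values in the two threads.

```python
from dataclasses import dataclass

# Service state -> letter used in notification_options (host states use d,u,r instead).
STATE_CODES = {"OK": "r", "WARNING": "w", "UNKNOWN": "u", "CRITICAL": "c"}


@dataclass
class ServiceConfig:
    max_check_attempts: int          # consecutive non-OK results before the state becomes HARD
    check_interval: int              # minutes between checks in a HARD state
    retry_interval: int              # minutes between re-checks in a SOFT state
    notification_interval: int       # minutes between repeat notifications; 0 = notify once
    first_notification_delay: int = 0
    notification_options: tuple = ("w", "u", "c", "r")
    notifications_enabled: bool = True


def simulate(cfg, results):
    """Replay check results ("OK", "WARNING", "UNKNOWN", "CRITICAL") starting at
    minute 0 and return [(minute, message)] for each notification that would be sent.
    Simplified model: no downtime, flap detection, escalations or notification periods."""
    t = 0
    state, state_type, attempt = "OK", "HARD", 1
    hard_since = last_notify = None
    events = []
    for result in results:
        if result == "OK":
            # Recovery is only announced for a HARD problem that was actually notified.
            if (state != "OK" and state_type == "HARD" and last_notify is not None
                    and "r" in cfg.notification_options):
                events.append((t, "RECOVERY"))
            state, state_type, attempt = "OK", "HARD", 1
            hard_since = last_notify = None
            t += cfg.check_interval
            continue

        if state_type == "HARD" and state != "OK":
            if state != result:          # e.g. WARNING -> CRITICAL: a fresh notification is due
                last_notify = None
            state = result
        else:
            attempt = 1 if state == "OK" else attempt + 1
            state = result
            if attempt >= cfg.max_check_attempts:
                state_type, hard_since, attempt = "HARD", t, 1
            else:
                state_type = "SOFT"      # keep retrying; nothing is sent yet

        if state_type == "HARD":
            due = last_notify is None or (
                cfg.notification_interval > 0 and t - last_notify >= cfg.notification_interval)
            if (cfg.notifications_enabled
                    and STATE_CODES[state] in cfg.notification_options
                    and t - hard_since >= cfg.first_notification_delay
                    and due):
                events.append((t, f"PROBLEM {state}"))
                last_notify = t
        t += cfg.retry_interval if state_type == "SOFT" else cfg.check_interval
    return events


# Constructed configs taken from the values in the two threads.
HOST_TEMPLATE_LIKE = ServiceConfig(max_check_attempts=10, check_interval=5,
                                   retry_interval=1, notification_interval=10)
LOCAL_SERVICE_SSH = ServiceConfig(max_check_attempts=4, check_interval=5,
                                  retry_interval=1, notification_interval=5)

if __name__ == "__main__":
    print(simulate(HOST_TEMPLATE_LIKE, ["CRITICAL"] * 15))
    print(simulate(LOCAL_SERVICE_SSH, ["CRITICAL"] * 4 + ["OK"]))
```

With `max_check_attempts 10` and `retry_interval 1` the first notification only appears at minute 9, and because later checks run every `check_interval` minutes, repeats land on the first check at or after `notification_interval` has elapsed rather than exactly on the interval.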

Kerberos Join Active Directory Domain Failure (uBuntu)

I am trying to join Active Directory with Samba 4 on Ubuntu 12.04.05.
When I run host -t SRV _kerberos._udp.test.sg I get the error:
Host _kerberos._udp.test.sg not found: 3(NXDOMAIN)
meanwhile
$# host -t SRV _ldap._tcp.test.sg
_ldap._tcp.test.sg has SRV record 0 0 389 4ecapsvsg6.test.sg.
$# host -t A 4ECAPSVSG6.test.sg
4ECAPSVSG6.test.sg has address 10.153.64.5
My /etc/samba/smb.conf:
# Global parameters
[global]
workgroup = TEST
realm = TEST.SG
netbios name = 4ECAPSVSG6
server role = active directory domain controller
dns forwarder = 10.153.64.5
security = ads
use kerberos keytab = true
password server = 4ecapsvsg6.test.sg
allow dns updates = nonsecure and secure
bind interfaces only = no
server services = +smb -s3fs
dcerpc endpoint servers = +winreg +srvsvc
passdb backend = samba4
server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
My /etc/krb5.conf:
[libdefaults]
default_realm = TEST.SG
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
4ECAP.SG = {
kdc = 4ecapsvsg6.test.sg:88
admin_server = 4ecapsvsg6.test.sg:749
default_domain = test.sg
}
[domain_realm]
.test.sg = TEST.SG
test.sg = TEST.SG
[login]
krb4_convert = true
krb4_get_tickets = false
My /etc/hosts:
127.0.0.1 localhost
127.0.1.1 4ecapsvsg6
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.153.64.5 4ecapsvsg6.test.sg 4ecapsvsg6
What is the solution? Without it I cannot join the domain with the command:
sudo net ads join
which fails with an error like
Failed to join domain: failed to lookup DC info for domain 'TEST' over rpc: Logon failure
I did kinit administrator and klist; the result:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SG
Valid starting Expires Service principal
26/03/2015 14:29:04 27/03/2015 00:29:04 krbtgt/TEST.SG@TEST.SG
renew until 27/03/2015 14:29:00
Meanwhile, I include my /etc/resolv.conf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.153.64.5
search test.sg
domain test.sg
After googling for the past week, luckily I found this site: http://edoceo.com/howto/samba4
It turns out I need to edit my dnsmasq configuration (/etc/dnsmasq.conf)
and add these lines:
srv-host=_kerberos._tcp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._tcp.dc._msdcs.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._udp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kpasswd._tcp.test.sg,4ecapsvsg6.test.sg,464
srv-host=_kpasswd._udp.test.sg,4ecapsvsg6.test.sg,464
and disable Bind9 (which is installed along with Samba4 by default).
Now the problem is gone :)
Only one problem remains: how to connect to AD (which I'll open another thread for).
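The NXDOMAIN in the question and the srv-host lines in the answer are two sides of one check: the SRV names a Kerberos/AD client queries under the domain must all exist, point at the domain controller, and carry the right port (88 for the KDC, 464 for kpasswd, 389 for LDAP). The script below is an added example, not code from the thread; it parses dnsmasq `srv-host=` lines and audits them against that list. The sample config is constructed from the answer's five lines plus an `_ldap._tcp` line, which the question showed already resolving through the DC's DNS and is included only so the sample is complete on its own.

```python
import re

# Constructed /etc/dnsmasq.conf fragment: the answer's five srv-host lines plus an
# _ldap._tcp line (already served by the DC's DNS in the question; added for completeness).
SAMPLE_DNSMASQ = """\
srv-host=_kerberos._tcp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._tcp.dc._msdcs.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._udp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kpasswd._tcp.test.sg,4ecapsvsg6.test.sg,464
srv-host=_kpasswd._udp.test.sg,4ecapsvsg6.test.sg,464
srv-host=_ldap._tcp.test.sg,4ecapsvsg6.test.sg,389
"""

# SRV names a Kerberos/AD client queries under the realm's DNS domain, with the
# port each service is expected on (KDC 88, kpasswd 464, LDAP 389).
EXPECTED_SRV = {
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
}

# dnsmasq syntax: srv-host=<name>,<target>,<port>[,<priority>[,<weight>]]
SRV_HOST_RE = re.compile(r"^srv-host=([^,]+)(?:,([^,]*))?(?:,(\d+))?")


def parse_srv_hosts(conf):
    """{name: [(target, port)]} for every srv-host line; names and targets lower-cased,
    trailing dots stripped, missing port recorded as 0."""
    records = {}
    for line in conf.splitlines():
        m = SRV_HOST_RE.match(line.strip())
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        target = (m.group(2) or "").lower().rstrip(".")
        port = int(m.group(3) or 0)
        records.setdefault(name, []).append((target, port))
    return records


def audit_srv(conf, dns_domain, dc_fqdn):
    """List problems with the SRV records for dns_domain: missing names, unexpected
    ports, or a target other than the domain controller dc_fqdn."""
    records = parse_srv_hosts(conf)
    dc = dc_fqdn.lower().rstrip(".")
    problems = []
    for prefix, port in EXPECTED_SRV.items():
        name = f"{prefix}.{dns_domain}".lower()
        entries = records.get(name)
        if not entries:
            problems.append(f"missing {name}")        # a client would see NXDOMAIN here
            continue
        for target, p in entries:
            if p != port:
                problems.append(f"{name}: port {p}, expected {port}")
            if target != dc:
                problems.append(f"{name}: target {target} is not {dc}")
    return problems


if __name__ == "__main__":
    print(audit_srv(SAMPLE_DNSMASQ, "test.sg", "4ecapsvsg6.test.sg"))
    without_udp = SAMPLE_DNSMASQ.replace(
        "srv-host=_kerberos._udp.test.sg,4ecapsvsg6.test.sg,88\n", "")
    print(audit_srv(without_udp, "test.sg", "4ecapsvsg6.test.sg"))
```

Dropping the `_kerberos._udp` line reproduces the exact name that returned NXDOMAIN in the question; after the config is loaded, `host -t SRV` against each name in EXPECTED_SRV is the corresponding live check.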
