Friday, November 15, 2024

Install Zabbix 2.4.6 on a Raspberry Pi 2

First, note that the original instructions I followed to get this going were written in 2015, when MySQL 5.5 or 5.7 was the latest. My attempt is in 2024 and MySQL 8 is what I'm working with. I'm putting this as the first thing you read because I am able to get Zabbix installed, BUT it's not compatible with MySQL 8, so nothing really works after you log into the Zabbix interface. Supposedly the person at https://blog.fawcs.info/2015/09/zabbix-onf-raspberry-pi-2/ was able to get MySQL 5 for ARM processors installed, but I'm having a hard time figuring out if ARM was supported back then. Something is weird. Still, I'm documenting my process to get it installed. If you know how to get MySQL 5 instead of 8 during the install, please let me know.

Now, this is basically a dump of my notes during the install. Don't expect it to be a line-by-line walkthrough of exactly what you need to do/change/type/etc.

# ##########################
# This is the basic information of my server
# ##########################

# uname -a
# Linux Pi-Zabbix 5.4.0-1069-raspi #79-Ubuntu SMP PREEMPT Thu Aug 18 18:18:46 UTC 2022 armv7l armv7l armv7l GNU/Linux

# cat /etc/*elea*
# DISTRIB_ID=Ubuntu
# DISTRIB_RELEASE=20.04
# DISTRIB_CODENAME=focal
# DISTRIB_DESCRIPTION="Ubuntu 20.04.6 LTS"
# NAME="Ubuntu"
# VERSION="20.04.6 LTS (Focal Fossa)"
# ID=ubuntu
# ID_LIKE=debian
# PRETTY_NAME="Ubuntu 20.04.6 LTS"
# VERSION_ID="20.04"
# VERSION_CODENAME=focal
# UBUNTU_CODENAME=focal

# ##########################
# NOTE: it's possible locations change with versions (very likely!) so /etc/php/7.4/ and similar references may not be the same as your system in the future!
# ##########################

# Download the installation software from:
# http://downloads.sourceforge.net/project/zabbix/ZABBIX%20Latest%20Stable/2.4.6/zabbix-2.4.6.tar.gz
# Transfer the gz file to the Raspberry Pi 2 putting it in the /opt folder.
# Become root or use sudo in front of each of these commands

sudo su
groupadd zabbix
useradd -g zabbix zabbix
passwd zabbix

# Install dependencies
apt-get install make apache2 libapache2-mod-php php-mysql mysql-server mysql-common libiksemel-dev libiksemel-utils libxml2-dev libxml2-utils libxml2 snmp libsnmp-dev libsnmp-perl libssh2-1-dev libssh2-1 libcurl4 libghc-curl-dev libmysql++-dev php-gd php-bcmath php-mbstring php-xml -y
# The mysql-utilities package may be needed but is not available natively (I'll see about coming back to this)

# Verify mysql is running
service mysql status

# Verify you are in the zabbix installation directory (example: /opt/zabbix-2.4.6)

# Run the installation/configure of Zabbix
./configure --enable-server --enable-agent --with-mysql --with-libxml2 --with-net-snmp --with-ssh2 --with-libcurl
# --with-jabber was removed as it created an error during the configure.  It's optional as it's a feature of Zabbix that allows users to send notifications via Jabber.

# Complete the install; note there could be many warnings about "<sys/sysctl.h> header" which are ok to ignore.
# Warning: This could take a very long time.
make install

# Copy init scripts
cp /opt/zabbix-2.4.6/misc/init.d/debian/* /etc/init.d/

# Setup the web pages
mkdir /var/www/zabbix/
cp -r /opt/zabbix-2.4.6/frontends/php/* /var/www/zabbix/
chown -R www-data:www-data /var/www/zabbix/

# Create the database
# Note: the IDENTIFIED BY value in single quotes below is the password.
mysql -uroot -p
create database zabbix character set utf8 collate utf8_bin;
CREATE USER 'zabbix'@'localhost' IDENTIFIED BY 'zabbix';
grant all privileges on zabbix.* to zabbix@localhost;
set global log_bin_trust_function_creators = 1;
quit;

# Import the SQL data for the database
# Note: this utilizes the default password from above
# Warning: This could take a very long time.
mysql -uzabbix -pzabbix zabbix < /opt/zabbix-2.4.6/database/mysql/schema.sql
mysql -uzabbix -pzabbix zabbix < /opt/zabbix-2.4.6/database/mysql/images.sql
mysql -uzabbix -pzabbix zabbix < /opt/zabbix-2.4.6/database/mysql/data.sql

# Verify database installation
mysql
show databases;
#+--------------------+
#| Database           |
#+--------------------+
#| information_schema |
#| mysql              |
#| performance_schema |
#| sys                |
#| zabbix             |
#+--------------------+
use zabbix;
show tables;
select * from users;
quit;

# Prepare file system folders
mkdir -p /var/log/zabbix
chown -R zabbix:zabbix /var/log/zabbix/
mkdir -p /var/zabbix/alertscripts
mkdir -p /var/zabbix/externalscripts
chown -R zabbix:zabbix /var/zabbix/
mkdir /var/www/html/zabbix
cd /opt/zabbix-2.4.6/frontends/php
cp -a . /var/www/html/zabbix/
chown -R www-data:www-data /var/www/html/zabbix
chmod +x /var/www/html/zabbix/conf/


# Adjust the config file to match below lines (change password if different than default)
nano /usr/local/etc/zabbix_server.conf

LogFile=/var/log/zabbix/zabbix_server.log
DBUser=zabbix
DBPassword=zabbix
AlertScriptsPath=/var/zabbix/alertscripts
ExternalScripts=/var/zabbix/externalscripts

# Adjust the php settings
nano /etc/php/7.4/apache2/php.ini

post_max_size = 16M
max_execution_time = 300
max_input_time = 300
date.timezone = 

# Bypass a version check as the newer PHP versions take care of this issue but the UI errors
nano /var/www/html/zabbix/include/classes/setup/CFrontendSetup.php
# #################
# Original Code:
// check for deprecated PHP 5.6.0 option 'always_populate_raw_post_data'
if (version_compare(PHP_VERSION, '5.6', '>=')) {
         $result[] = $this->checkPhpAlwaysPopulateRawPostData();
# After making the change:
// check for deprecated PHP 5.6.0 option 'always_populate_raw_post_data'
if (version_compare(PHP_VERSION, '7.5', '>=')) {
         $result[] = $this->checkPhpAlwaysPopulateRawPostData();
# ##################


nano /var/www/html/zabbix/include/func.inc.php
# ##################
# Original Code:
function str2mem($val) {
        $val = trim($val);
        $last = strtolower(substr($val, -1));

        switch ($last) {
                case 'g':
                        $val *= 1024;
                        /* falls through */
                case 'm':
                        $val *= 1024;
                        /* falls through */
                case 'k':
                        $val *= 1024;
        }

        return $val;
}
# After making the change:
function str2mem($val) {
        $val = trim($val);
        $last = strtolower(substr($val, -1));

        // Strip the unit suffix so the arithmetic below works on a plain numeric
        // string; newer PHP versions complain about "128M" * 1024. Only strip it
        // when there actually is a suffix, otherwise "128" would become "12".
        if (in_array($last, ['g', 'm', 'k'], true)) {
                $val = substr_replace($val, "", -1);
        }

        switch ($last) {
                case 'g':
                        $val *= 1024;
                        /* falls through */
                case 'm':
                        $val *= 1024;
                        /* falls through */
                case 'k':
                        $val *= 1024;
        }

        return $val;
}
# ##################

# ##########################
# Create startup file for the server
# Note: this will get it going on boot but needs improvement for functioning with other commands.
# ##########################

nano /etc/systemd/system/zabbix-server.service

[Unit]
Description=zabbix-server
[Service]
Type=forking
ExecStart=/etc/init.d/zabbix-server start
[Install]
WantedBy=multi-user.target

# Create startup file for the agent
# Note: this will get it going on boot but needs improvement for functioning with other commands.
nano /etc/systemd/system/zabbix-agent.service

[Unit]
Description=zabbix-agent
[Service]
Type=forking
ExecStart=/etc/init.d/zabbix-agent start
[Install]
WantedBy=multi-user.target

# Set permissions on the startup files
chmod 644 /etc/systemd/system/zabbix-*


# Temporarily move the control scripts
mv /etc/init.d/zabbix-* /.

# Setup the services
systemctl daemon-reload
systemctl enable zabbix-server zabbix-agent apache2

# Move files back to their original location
mv /zabbix-* /etc/init.d/.
systemctl restart zabbix-server zabbix-agent apache2

# Open Zabbix UI web page
# The default URL for Zabbix UI when using Apache web server is http://host/zabbix
# The default user/password is Admin/zabbix


# ##########################
# This is where I played around with uninstalling MySQL 8 and trying to get 5.7
# It wouldn't pull 5.7 due to no ARM support
# ##########################

sudo systemctl stop mysql
sudo apt autoremove
sudo apt autoclean

wget https://dev.mysql.com/get/mysql-apt-config_0.8.12-1_all.deb

sudo dpkg -i mysql-apt-config_0.8.12-1_all.deb

In the prompt, choose Ubuntu Bionic and click OK.

The next prompt shows MySQL 8.0 chosen by default. Choose the first option and click OK.

In the next prompt, select MySQL 5.7 server and click OK.

The next prompt selects MySQL 5.7 by default. Choose the last option, Ok, and click OK.


gpg --keyserver repo.mysql.com --recv-keys B7B3B788A8D3785C

gpg --export --armor B7B3B788A8D3785C | sudo apt-key add -

sudo apt-get update 

sudo apt-cache policy mysql-server

Friday, January 24, 2020

Security+ Topic - Penetration Testing Authorization

At some point in an IT administrator's career they do a little dabbling in penetration testing of systems that they have access to. Sometimes these tests start as a simple check of vulnerabilities on their own system, and sometimes it ends up being a test against the company's production servers simply because they are curious. What most of these casual or introductory penetration testers do not take into account is that some of those tests could cause a server to stop responding. If the administrator is working against a lab environment or a couple of servers that are not in production, this is usually not a big deal: a simple reboot and things are back up and running. Things get a bit messier when the same thing happens against the production environment. The owners of a company do not usually take kindly to their production servers going offline.

Let's talk about using a test lab for a moment. Generally speaking, a company will have enough resources for an IT administrator to set up a test lab. Some will have a fully virtualized environment in which the administrator can simply spin up a few virtual machines in a separate VLAN to do their testing. On the other end of the spectrum is a tight-budget IT department with scrutinized purchases. No matter where you are on the spectrum, there is still room for making sure that your penetration testing does not initially happen on production systems. The reason for these environments is pre-planning with regard to getting authorization for penetration testing on production systems. If you were to go to your management with an idea of penetration testing your production environment and they asked you what the impact would be, the only realistic answer would be that you do not know. Management would not take kindly to that uncertainty, and if the servers did go down because you took them offline, you would be the one getting fired.

Doing testing within a lab environment gives you leverage for completing tests in a production environment. Each company's server setup is unique, and the tests in your lab environment must match that environment as closely as possible. After the tests have been completed in the lab environment, with proof of what may or may not happen, you can go to management with a plan for the production environment. Sometimes you may find that a certain vulnerability test identifies an issue in the lab environment and a simple patch corrects the issue. After applying the patch in the lab and verifying functionality, it can then be pushed to the production environment. Once this is completed, a plan can be presented to management for a specific vulnerability test in which you confirm the patch is in place and that the correction is working properly. A lot of what this boils down to is making sure you have permission. Without permission, when something goes wrong it is you who takes the brunt of management's response. With an outlined plan for what you would like to do and how it is going to be implemented, management can sign off on the process, which frees you from repercussions if something happens. Making sure you have all your documentation in place and a plan for what is happening is key to correct authorization.

Wednesday, January 15, 2020

Security+ Topic - Dictionary Cryptographic Attack

How effective is a Dictionary Cryptographic Attack?  Seriously, how many people really use the word password as their password?  Well according to Wikipedia, password was in the number four spot for 2019 and in the number two spot for the previous 6 years!  That is really amazing and goes to show just how effective a dictionary attack can be even though IT administrators have been enforcing strong passwords for a very long time.  It really is no wonder so many accounts get compromised just based off a dictionary attack.

If we stick with only the alpha-numeric passwords from the 2019 Wikipedia list, these simple passwords are crazy easy to defeat.  password, iloveyou, admin, lovely, welcome, princess, and dragon top their list.  If these are the top of the list then we can only imagine what other words are commonly used but not quite enough to make the list.  Granted, there are other mitigation techniques for this type of attack, such as a limit on the number of attempts, restricting the source of logins, or up-to-date blacklists, to name a few.  This still doesn't excuse the use of extremely weak passwords based on the dictionary.

I've posted in the past about tools you could use which have dictionaries built in and are able to speed through them in their attempts to log into the account.  On top of that, rainbow tables already include most (if not all) of the dictionary and can match a simple dictionary password extremely fast.  In reality we have to take into consideration the default passwords on customer devices such as DSL modems, cable modems, SoHo routers, and switches, to name a few.  These are most likely the biggest culprits of these easy dictionary passwords.  Still, when you weed those out of the list, there are plenty of other simple dictionary passwords in use.

What it really boils down to is the fight between "ease of use" and "secure environment".  Why do people use simple dictionary passwords?  They are simple to use.  I've seen a meme that says "I changed all my passwords to incorrect so whenever I forget it will tell me that my password is incorrect".  There is always some truth in every joke, and this joke really has application to why a dictionary attack works.  Just last week I went to log into a bank and couldn't remember my password.  I tried to reset it but it told me that I couldn't re-use a password that I had previously used.  What happened is that I was forced to change my password so many times that I didn't even know my own password and was forced to use a password I would never remember.  Hence the introduction of simple passwords born from frustration.

End users will almost always use the simplest password that they can come up with.  If their favorite childhood book is "The Cow Jumped Over the Moon" and they have a fond memory of it, their password is now "thecowjumpedoverthemoon".  The point that I would like taken away from this is to make sure to use a secure password that will be much less vulnerable to a dictionary attack while still maintaining ease of use.  Enforce a password policy that lets the user have a password they can remember, such as "thec0wjump$dOVERthem00n", without making your organization vulnerable to a dictionary attack. Aka, not that password.
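As an added example (not from the post), here is the kind of policy check the blacklist mitigation mentioned above needs in order to be useful: it reverses common leetspeak substitutions and case changes before comparing against a wordlist, then measures how much of the result is still made of dictionary words, since attacker wordlists apply exactly those "mangling rules" to every base word. The wordlist (the 2019 entries quoted above plus the words of the nursery-rhyme phrase), the 0.8 coverage threshold and the 12-character minimum are constructed for this example.

```python
"""Dictionary-aware password policy check.

Attackers run every wordlist entry through "mangling rules" (case flips, o->0,
s->$, e->3 ...), so a blacklist comparing raw strings misses "P@ssw0rd". This
check undoes the common substitutions first, then measures how much of what is
left is made of dictionary words.
"""
import re

# Constructed sample wordlist: the 2019 entries named above plus a few everyday
# words. A real policy would load a large wordlist file here instead.
WORDLIST = {
    "password", "iloveyou", "admin", "lovely", "welcome", "princess", "dragon",
    "the", "cow", "jumps", "jumped", "over", "moon",
}
# Leetspeak substitutions to reverse before comparing against the wordlist.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a"})
MAX_DICTIONARY_FRACTION = 0.8  # thresholds chosen for this example
MIN_LENGTH = 12

def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions and drop whatever is not a letter."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))

def dictionary_coverage(base: str, words: set) -> float:
    """Fraction of base covered by non-overlapping dictionary words (length >= 3).
    Dynamic programme: best[i] is the most letters coverable within base[:i]."""
    n = len(base)
    best = [0] * (n + 1)
    for end in range(1, n + 1):
        best[end] = best[end - 1]        # leave letter end-1 uncovered
        for start in range(0, end - 2):  # candidate words of length >= 3
            if base[start:end] in words:
                best[end] = max(best[end], best[start] + end - start)
    return best[n] / n if n else 0.0

def check_password(password: str, words: set = WORDLIST) -> tuple:
    """Return (accepted, reason) for a candidate password under this policy."""
    base = normalize(password)
    if base in words:
        return False, f"normalizes to dictionary word {base!r}"
    cov = dictionary_coverage(base, words)
    if cov > MAX_DICTIONARY_FRACTION:
        return False, f"{cov:.0%} dictionary words once substitutions are undone"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"
```

Running `check_password("thec0wjump$dOVERthem00n")` rejects it because 22 of the 23 normalized letters are dictionary words, which is the weakness an exact-match blacklist would not see.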