RE: Fog Server vulnerable

@george1421 said in Fog Server vulnerable:

sshd

Thank you very much @george1421. I will update apache and openssl to see how it goes.

We are not using fog clients or https so I’m not so worry about TLS 1.0. I couldn’t get https to work when we configured FOG in the past so I gave up on it. We only have one storage node and it’s on the same server.

You are right. We had a compliance audit. I will ask the security team to see if they can make an exemption on the ftp part.

Thanks again for your help.

Hello all,

I hope y’all stay safe and well.

My institution recently did a pen test a found a few vulnerabilities on the FOG server:

Vulnerable version of product HTTPD found – Apache HTTPD 2.4.6
Vulnerable version of component OpenSSL found – OpenSSL 1.0.2k-fips
Configuration item ftp.plaintext.authentication set to ‘true’
Insecure MAC algorithms in use: hmac-sha1,hmac-md5
Negotiated with the following insecure cipher suites:
* TLS 1.0 ciphers

If I manually upgrade APACHE and OpenSSL to the latest versions 2.4.52 and 3.0 respectively, would this break FOG in any way? I’m using FOG Version 1.5.8 on Enterprise Linux Server release 7.9 (Maipo).
Does openSSL version 3.0 resolve Insecure MAC algorithms and insecure cipher issues? How do I go about fixing ftp plaintext authentication issue?

Thank you.

@george1421 Just tried a download using FOS 1.5.7 v0.2.89. Legacy mode was at 11GB/m vs EUFI was at 2.2GB/m

@george1421 It is b0.3.13. It might not be partclone after all. I did some more tests. Downloading using UEFI mode is much slower than legacy mode. Legacy mode is at 6GB/minutes or more vs UEFI mode never go pass 2.8GB/minutes.

Upload speeds on both modes are about the same (5GB/min).

Hello All,

I got exited and upgraded my server from 1.5.7 to 1.5.8 and ran into a few issues.

Download speeds became very very slow from different subnets/images/computer models. We usually get around 5GB/min on a bad day to 12GB/min on a good day. Look like we are capped at 2 - 2.8 GB/minute consistently now. Sometimes it went down to under a GB. However, uploading speeds remain the same which is over 5GB/minutes. I’ve tried different inits as suggested in here but it didn’t help.

This is not an issue but i’m curious. On the web UI at the login window it says Latest Version:1.5.7, Latest Development Version:1.5.7.120 and on FOG Configuration page says “You’re running the latest alpha-branch version: 1.5.7.958”. Should all be 1.5.8 or later?

@george1421 built-in nic can upload/download image just fine. I’m not sure of how to get MAC address from firmware bios on a Mac.

@george1421 I took that MAC address and registered. Both nics picked up IP addresses correctly in FOS linux.
I happen to find another Mac Mini and FOS linux does report a different MAC address than from OS. Weird.

@george1421 running /sbin/udhcpc -i enp126s0u2 --now shows correct assigned IP
/sbin/udhcpc -i enp1s0 --now has no IP assign (MAC address needs to be registered in our database for DHCP to assign an IP)

running lspci -nn |grep -i net shows

01:00.0 Ethernet controller [0200]: Device [1d6a:07b1] (rev 02)
03:00.0 Network controller [0280]: Broadcom Limited Device [14e4:4464] (rev 03)

@Sebastian-Roth said in Mac Mini with T2 chip:

Please download the latest inits (64 bit, 32 bit) and make sure you update your grub.conf file to use ramdisk_size=275000!!

I downloaded the new inits and set ramdisk_size to 275000. Then scheduled a new upload. It went to partclone screen and attempt to upload. it lasted for about 3 seconds and went to 100% and goes to update database (sorry I didn’t have a chance to take a picture) and trying to reboot the systems went to this screen Fixing recursive fault but reboot is needed! https://forums.fogproject.org/topic/14073/mac-mini-with-t2-chip/16#

@george1421 ip addr show lists network adapters as enp126s0u2 (USB-c to ethernet adapter), enp1s0, and lo. enp1s0 MAC address is not the same as reported in Mac OS or BootCamp for Ethernet adapter nor it’s the same as Wifi MAC address.
lsusb does show ID for USB-C multimedia adapter: Bus 001 Device 004: ID 05ac:1461

@george1421

Keyboard and mouse works on both T2 and T2b.

@george1421 Yes. I want to be able to use built-in ethernet card (and usb-c to vga adapter if possible).
Yes. 5.3.4 with T2 paches worked through HDMI and I was able to upload/download image correctly.

@george1421 Downloaded successfully but with error below. Rebooted the machine and tested both Mac OS and BootCamp partitions. Everything’s working fine. Thanks a million @george1421 & @Sebastian-Roth

I tried T2b kernel. USB-C to vga adapter still does not work (screen went power saving). Built-in ethernet are not able to get an IP from DHCP.

@george1421 Uploaded successfully but getting the error below. I’m downloading it now and will report back.

@george1421 Thank you. I will try it out once i’m done testing this.
It’s at 71% now and still going strong. Uploading speed is 6.66GB/min.

I used USB-c ethernet cable instead and it went to uploading image screen. It’s currently uploading now. I will let you know how it goes.

@Sebastian-Roth Apparently, it does not like usb-c to vga adapter. I connected to another monitor through DVI and saw a lot more. I went to a place where it’s trying to connect to fog server x.x.x/fog//index.php but failed to get an IP from DHCP through enp1s0 interface. I noticed it uses Atheros driver (00:13s) instead of Aquantia AQtion (Ethernet maker for this mini Mac).
My apologize for the out of focus and shaky hands. You might need to download it to be able to read the text.
https://s.amsu.ng/f8cHjL2HeJON (fixed)

@george1421 Yes. Secure boot is disabled (Mac won’t allow to boot to external device if it’s enable). I tried the new kernel and it gets a bit further. Kernel log level has been set to 7. Where does the log write to? I can’t seem to find it anywhere.
I noticed there are more errors before it gets to USB fog menu (wrong efi file?)
Video: https://s.amsu.ng/JWcj5VGc5USN

@Sebastian-Roth When the screen goes to power saving mode, machine is still on. It does not response to mouse or keyboard.

@Sebastian-Roth Video will get deleted after 24hrs: https://s.amsu.ng/1ILdNtSJa0xN

Does anyone have any luck backing up Mac Mini with T2 chip (Macmini 8,1 2018, Boot room: 1037.60.58.0.0, iBridge: 17.16.12551.0.0,0) or anything alike? CloneZilla doesn’t load at all. FOG USB drive with latest kernel got to

loading the kernel 
loading the virtual hard drive
booting kernel....

then the screen went dark without doing anything.

Thanks all. You are right. LDAP uses plain text password. I had ‘&’ symbol in the password and that breaks it. I set up a test RHEL server and was able to make it work by removing ‘&’ symbol. My “controlled” server however is till not working. No error in /var/log/php-fpm/www-error.log. Apache detected when I tried to login. Re-installing -php-ldap but no go. Does anyone know how to debug it? Thanks!