Remove a Windows Service

Remove a Windows Service

Get Social!

windows-logoYou can easily remove a Windows service from the Windows registry using a simple command prompt command called SC.

SC is the command line utility which interacts with the Windows Service Controller and can be used to manage services on either a remote or local Windows machine.

You will need to find the name of the service you would like to remove before you can issue the SC command to remove it. You can either use the Windows Service console or the sc query command to find the name of a service.

Click the Start menu and type in Services and click the Windows Services console in the list. Find your service by name and double click it to see the Properties window. The service name can be seen at the top of the form. The below example shows the Skype Updater service.

services-skype-properties

To use the sc query command to find your service name, open up a command prompt and type the below command.

sc query

Find the SERVICE_NAME attribute of your required service.

Once you have the service name, you will need to stop the service before you can delete it. Issue the sc stop command followed by the service name. The below example show how to stop the SkypeUpdate service.

sc stop SkypeUpdate

Finally, you can issue the sc delete command to remove the service.

sc remove SkypeUpdate

Set up Fail2ban for Proxmox Web GUI

Get Social!

fail2ban_logoFail2ban is an application that scans log files in real time and bans malicious IP addresses based on a set of rules and filters you can set.

For this blog post, we’re going to look at capturing invalid login attempts to the Proxmox Web GUI and ban any IP addresses from accessing the Web GUI if they fail to authenticate 3 times from the same IP address.

Fail2ban is made up of three main component parts:

  • Filter – a Filter is a pattern or regular expression that we wish to search for in the log files. In our case, we want to search for the words ‘authentication failure’ in the log because that’s what the pvedaemon writes when a failed login attempt occurs.
  • Action – an Action is what we’ll do if the filter is found. What we need to do is ban any IP address where the filter is triggered 3 times.
  • Jail – a Jail in Fail2ban is the glue that holds it all together – this ties a Filter, together with an Action and the relevant log file.

Install Fail2ban

Installing Fail2ban on Debian/ Proxmox is as easy as it gets – just use the apt package manager.

apt-get install fail2ban

Fail2ban is mostly Python, so it’ll need to be installed on the system or apt-get  will install it as a dependency.

Note: by default Fail2ban will enable itself on SSH connections, blocking invalid IPs after 6 invalid attempts. 

Configure Fail2ban for the Proxmox Web GUI

There are several steps to setting up Fail2ban. As mentioned earlier in the post, we want to ban any users IP address from accessing the Proxmox Web GUI if they have failed to authenticate 3 times. We shouldn’t block them indefinitely because it may be a simple password issue that they can resolve with the account administrator. We’ll configure Fail2ban to ban failed attempts for an hour.

Because banning a user after 3 invalid attempts is a fairly basic thing in the world of Fail2ban, we won’t need to create an Action as listed above. We’ll need to create a Jail and a Filter.

The Jail

A Jail in Fail2ban is the core configuration that  combines a Filter, an Action (although this may be default Fail2ban behaviour) and a log file.

The default configuration for Fail2ban is found in /etc/fail2ban/jail.conf and contains many predefined entries for common processes such as FTP and Apache. We shouldn’t edit this file directly when adding new entries, instead, we should create the below file which will be used to override the default jail.conf.

vi /etc/fail2ban/jail.local

Add the following (this file may not already exist):

[proxmox-web-gui]
enabled  = true
port     = http,https,8006
filter   = proxmox-web-gui
logpath  = /var/log/daemon.log
maxretry = 3
bantime = 3600

The above entry has set a ruleset name of proxmox-web-gui, and the following:

  • enabled – this simply states that this ruleset is active.
  • port – set sthe port that any bans should act on
  • filter – this sets the file name of the filter that we’ll use to detect any login failures. More about this in the next section.
  • logpath – the name or pattern (for example /var/log/apache/*.log) of the log to monitor for the failed logins. This is the file that the above filter will work on.
  • maxretry – this is how many times should the filter detect a problem before starting the ban.
  • bantime – this is how long, in minutes, that the ban be in effect for.

The Filter

Now that we have specified the log file to look in we need to specify how to find the event we need to look for. For our example, Proxmox writes a specific string each time a failed login occurs which looks like the belew:

authentication failure; rhost=10.10.10.10 [email protected] msg=no such user ('[email protected]')

Our Filter, therefore, needs to look for this text and pull out the IP address.

Create a Filter file called proxmox-web-gui.conf in /etc/fail2ban/filter.d/.

vi /etc/fail2ban/filter.d/proxmox-web-gui.conf

Add the following:

[Definition]
failregex = pvedaemon\[[0-9]+\]: authentication failure; rhost=<HOST> user=.* msg=.*

This will match the text that Proxmox writes to the daemon.log file when a failed login is detected. It’s got a Fail2ban specific keyword <HOST> which is what’s used to indicate to Fail2ban where the offending IP address is in the log entry. Fail2ban can then block this IP address as indicated in our Jail file.

Testing Fail2ban Filters

Fail2ban provides a nice little utility to test your Filter definitions to make sure they are working as you intend. First things first – we need an entry in our log file for an invalid login attempt. Go to your Proxmox Web GUI and enter some invalid login credentials.

The command to use is fail2ban-regex which has two parameters; the log file location and the Filter location.

fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox-web-gui.conf

An example of the output is below. The text Success, the total number of match is 1 states that there is one match in the log for our pattern in the proxmox-web-gui.conf file.

fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox-web-gui.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/proxmox-web-gui.conf
Use log file   : /var/log/daemon.log


Results
=======

Failregex
|- Regular expressions:
|  [1] pvedaemon\[[0-9]+\]: authentication failure; rhost=<HOST> user=.* msg=.*
|
`- Number of matches:
   [1] 1 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    10.27.4.98 (Fri May 29 12:31:14 2015)

Date template hits:
770 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 1

However, look at the above section 'Running tests' which could contain important
information.

Restart fail2ban for the new Jail to be loaded.

service fail2ban restart

To check your new Jail has been loaded, run the following command and look for the proxmox-web-gui Jail name next to Jail List.

fail2ban-client -v status
INFO   Using socket file /var/run/fail2ban/fail2ban.sock
Status
|- Number of jail:      2
`- Jail list:           ssh, proxmox-web-gui

Try to log into the Proxmox Web GUI with an incorrect user 3 and see your IP address appear in the Currently banned section.

fail2ban-client -v status proxmox-web-gui
INFO   Using socket file /var/run/fail2ban/fail2ban.sock
Status for the jail: proxmox-web-gui
|- filter
|  |- File list:        /var/log/daemon.log
|  |- Currently failed: 0
|  `- Total failed:     3
`- action
   |- Currently banned: 1
   |  `- IP list:       10.10.10.10
   `- Total banned:     1

 


Add a package to startup on Debian/ Ubuntu/ Red Hat/ CentOS

Get Social!

Linux penguin Most versions and distributions of Linux today have a start up manager application to easily set which programs are started when your Linux machine boots up. There are two distinct flavours of start up applications and a manual method for distributions without this feature installed.

Using a terminal and the command chkconfig on CentOS, Red Hat and Oracle Enterprise Linux; and update-rc.d on Debian and Ubuntu you can control which packages are available as services and which packages start with your computer.

Run Level

Before looking at the commands used to control startup services in Linux, it’s important to understand when a program should be running in relation to the current operating system state. For example, you probably don’t want your Apache service being started before you have networking.

Linux has the concept or a runlevel which dictates the state of the operating system as a number between 0 and 6 inclusive.

See my post on runlevels to understand when your application or service should be asked to start.

Start up with Red Hat, CentOS and Oracle Enterprise Linux

Controlling startup services in Linux distributions such as Red Hat Enterprise Linux (RHEL), CentOS and Oracle Enterprise Linux (OEL) is done using the chkconfig command.

See my chkconfig cheat sheet for more information on controlling startup services on RHEL based Linux.

Start up with Debian and Ubuntu

Debian and Ubuntu based Linux distributions use the command update-rc.d to control which services are started during machine boot.

For details of controlling such services, see my update-rc.d cheat sheet.

Start up for manually setting the start up services

For operating systems that are not managed by an application, such as upstart on Ubuntu, you will need to manually add the /etc/init.d/ start up script to the /etc/rc.local file.

The /etc/rc.local file contains a reference to all the services which are required on machine boot.

Run the below echo command to add a manual start up application. The application name must be the same as the /etc/init.d/ file which must exist.

echo "network" >> /etc/rc.local

To remove a service, edit the /etc/rc.local file and manually remove the service name.

vi /etc/rc.local

update-rc.d Cheat Sheet

Get Social!

Linux penguinDebian and Ubuntu use the service command to control services and update-rc.d for adding and removing services from start up. Using the service command we can start, stop, restart and display all available services. With update-rc.d we can add and remove services and add them to the Ubuntu/ Debian start up scripts. As Linux operating systems have multiple states, or runlevels, you need to make sure you add any new services to the correct runlevels. For example, you would not want to start a web service application before starting networking.

See my post on runlevels for more information about runlevels in Linux..

What services are available for startup?

Use the status-all switch to list all services which are registered with the OS and issues them a status command. You will then get one of the following displayed next to each service:

  • [ + ] – Services with this sign are currently running.
  • [ – ] – Services with this sign are not currently running..
  • [ ? ] – Services that do not have a status switch.
service --status-all

Sample output:

service --status-all
 [ ? ] acpid
 [ - ] apparmor
 [ ? ] apport
 [ ? ] atd
 [ - ] bootlogd
 [ ? ] console-setup
 [ ? ] cron
 [ ? ] dbus
 [ ? ] dmesg
 [ ? ] dns-clean
 [ ? ] friendly-recovery
 [ ? ] glusterfs-server
 [ - ] grub-common
 [ ? ] gssd
 [ ? ] hostname
 [ ? ] hwclock
 [ ? ] hwclock-save
 [ ? ] idmapd
 [ ? ] irqbalance
 [ ? ] killprocs
 [ ? ] module-init-tools
 [ ? ] network-interface
 [ ? ] network-interface-container
 [ ? ] network-interface-security
 [ ? ] networking
 [ ? ] ondemand
 [ ? ] passwd
 [ ? ] plymouth
 [ ? ] plymouth-log
 [ ? ] plymouth-ready
 [ ? ] plymouth-splash
 [ ? ] plymouth-stop
 [ ? ] plymouth-upstart-bridge
 [ ? ] portmap
 [ ? ] portmap-wait
 [ ? ] pppd-dns
 [ ? ] procps
 [ ? ] rc.local
 [ ? ] resolvconf
 [ ? ] rpcbind-boot
 [ - ] rsync
 [ ? ] rsyslog
 [ ? ] screen-cleanup
 [ ? ] sendsigs
 [ ? ] setvtrgb
 [ + ] ssh
 [ ? ] statd
 [ ? ] statd-mounting
 [ - ] stop-bootlogd
 [ - ] stop-bootlogd-single
 [ ? ] sudo
 [ ? ] udev
 [ ? ] udev-fallback-graphics
 [ ? ] udev-finish
 [ ? ] udevmonitor
 [ ? ] udevtrigger
 [ ? ] ufw
 [ ? ] umountfs
 [ ? ] umountnfs.sh
 [ ? ] umountroot
 [ - ] unattended-upgrades
 [ - ] urandom
 [ ? ] whoopsie

Start a service

Starting a service is done using the command service followed by the service name and the command to start the service.

service apache2 start

Stop a service

Use the stop keyword with service to stop a service.

service apache2 stop

Check the status of a service

Each service has a status, usually running or not running. Some services, such as network, may have a different output and output more information on the service.

service apache2 status

Remove a service

Use the remove keyword with update-rc.d to remove the service start up command for an application. You will need to use the -f switch if the applications /etc/init.d start up file exists.

update-rc.d -f apache2 remove

 Add a service

Adding a service to Ubuntu or Debian is done with the update-rc.d command. You can specify which runlevels to start and stop the new service or accept the defaults. The init.d file will be added to the relevent rc.d startup folders.

 update-rc.d apache2 defaults

Setting Start and Kill priority

If you need more control over when your service is asked to start and stop, you may need to set the start and kill (S and K) values.

For a given runlevel, you may have several services starting. For example, you may have apache2 and mysql both starting on runlevel 3. Ideally, you’d want mysql to start before apache2 and shutdown after apache2. In this case we need to give mysql the priority in startup, but apache2 the priority in shutdown.

When starting, the lower the number, the earlier it will start. A start priority of 10 will start before a priority of 20. When killing, it’s the opposite. A higher number will be killed before a lower number.

To set the start and kill priority we simply add them to the above update-rc.d command with the start priority first, followed by the kill priority.

update-rc.d apache2 defaults [START] [KILL]

The below command will start mysql first, then apache2. On shutdown, the kill will be the reverse of the start with apache2 being killed first and mysql second.

update-rc.d apache2 defaults 90 90
update-rc.d mysql defaults 10 10

Because, in our example, both start and kill priorities are the same we can shorted the command to just

update-rc.d apache2 defaults 90
update-rc.d mysql defaults 10

Manually set the RunLevel to Start and Kill a service

You can manually specify the Linux RunLevel that the system must be in to Start and Kill your service. See my other blog post for more information on RunLevels.

To extend the above example, we can specify exactly which RunLevel apache2 will be started and stopped.

update-rc.d apache2 start 10 2 3 4 5 . stop 90 0 1 6 .

apache2 will be started (as long as it isn’t already) when the system enters RunLevel 234 or 5 with a priority of 10. It will then be asked to stop when the system enters RunLevel 01 or 6 with a priority of 90.

Let me know in the comments if you think anything is missing.


chkconfig Cheat Sheet

Get Social!

Linux penguinControlling startup services in Linux distributions such as Red Hat Enterprise Linux (RHEL), CentOS and Oracle Enterprise Linux (OEL) can be done using a Gnome GUI or a command line utility. The command line utility is called chkconfig and can list existing, add new or remove services from the operating systems startup list.

As Linux operating systems have multiple states, or runlevels, you need to make sure you add any new services to the correct runlevels. For example, you would not want to start a web service application before starting networking. See my post on runlevels.

What services are available for startup?

Use the –list switch to see your existing services and when they should be running.

chkconfig --list

An example output is below. This shows all of the machine runlevels and what the state of the service will be.

chkconfig --list

Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration.

modules_dep 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:off 3:on 4:off 5:off 6:off

In this example, there are three services available. netconsole is not available at any runlevels and is therefore never started automatically, network is available only in runlevel 3 and modules_dep is available in runlevel 2 and runlevel 3.

You could also use the example below to detail the runlevels of a single service only.

chkconfig network --list

Add a new service with chkconfig

Adding a new service is  easily done with the below command. The below example shows the service network being enabled to start at the next machine boot.

chkconfig network on

Use the –level switch to enable the service at specific runlevels. Use the below example to enable the service at runlevel 3.

chkconfig network on --level 3

Remove a service with chkconfig

Removing an existing service is done with the below command. The below example shows the service network being disabled from automatic start.

chkconfig network off

Use the –level switch to remove the service from specific runlevels. Use the below example to disable the service at runlevel 3.

chkconfig network off --level 3

Start a service

Starting a service is done using the command service followed by the service name and the command to start the service.

service network start

Stop a service

Use the stop keyword with service to stop a service.

service network stop

Check the status of a service

Each service has a status, usually running or not running. Some services, such as network, may have a different output and output more information on the service.

service network status

 

Let me know in the comments if you think anything is missing.


Visit our advertisers

Quick Poll

Do you use GlusterFS in your workplace?

Visit our advertisers