Update (fsaua) doesn't work on my Linux servers
Hi,
On my Linux Ubuntu 14.04.5 LTS (yes, it's old and no longer maintained, but it is the system required by one of our provider - shame on these guys!).
There are information about versions:
- Ubuntu 14.04.5 LTS
- F-Secure Linux Security 11.10 build 68
- F-Secure Firewall Daemon 11.10 build 68
- F-Secure Integrity Checker 11.10 build 68
- F-Secure On-Access Scanning Daemon 11.10 build 68
- F-Secure Management Agent 4.75 build 79
I'm using PSB managed installation. I follow this installation procedure:
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
sudo bash fsls-11.10.68 --auto psb fspsbs=http://psb1-smi-bw.sp.f-secure.com/ keycode=XXXX-XXXX-XXXX-XXXX-XXXX
/opt/f-secure/fsav/sbin/fschooser
# ( “f”<enter> <enter> )
sudo /etc/init.d/fsma restart
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
Note: on the following trace, the system is up to date because cron job perform regularly a manual update.
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
wget http://download.f-secure.com/latest/fsdbupdate9.run
/opt/f-secure/fssp/bin/dbupdate /tmp/fsdbupdate9.run
/etc/init.d/fsma restart
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
Communication with PSB is working: PSB says me that the DB is not uptodate, I run manual update, and PSB remove the warning.
fsaua is running:
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
gw01:~$ ps auxf | grep fsaua
fsaua 32086 0.0 0.5 3887372 61172 ? Ss May08 0:18 /opt/f-secure/fsaua/bin/fsaua
fsaua 32245 0.0 0.0 3472 3024 ? Ss May08 0:06 /opt/f-secure/fsaua/bin/fsaua
fsaua 32252 0.0 0.0 3360396 3076 ? Ss May08 0:06 /opt/f-secure/fsaua/bin/fsaua
fsaua 32499 0.0 0.0 3560 3072 ? Ss May08 0:06 /opt/f-secure/fsaua/bin/fsaua
fsaua 12463 0.0 0.0 3644 3056 ? Ss 11:26 0:03 /opt/f-secure/fsaua/bin/fsaua
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
Using tcpdump, I validate periodic communication between fsaua and F-Secure servers: (I dont join the capture because our licence-key is contained in the excanged base64 data). There is an extract of the communication:
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
10:18:02.955783 IP 172.16.254.2.51500 > 13.249.8.8.80: Flags [P.], seq 1:891, ack 1, win 229, options [nop,nop,TS val 3530629646 ecr 494125792], length 890: HTTP: POST /8/MRQ HTTP/1.1
10:18:02.957486 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [.], ack 891, win 121, options [nop,nop,TS val 494125792 ecr 3530629646], length 0
10:18:02.978374 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [P.], seq 1:1813, ack 891, win 121, options [nop,nop,TS val 494125794 ecr 3530629646], length 1812: HTTP: HTTP/1.1 200 OK
10:18:02.978435 IP 172.16.254.2.51500 > 13.249.8.8.80: Flags [.], ack 1813, win 257, options [nop,nop,TS val 3530629651 ecr 494125794], length 0
10:18:02.979491 IP 172.16.254.2.51500 > 13.249.8.8.80: Flags [P.], seq 891:2502, ack 1813, win 257, options [nop,nop,TS val 3530629652 ecr 494125794], length 1611: HTTP: POST /8/MRQ HTTP/1.1
10:18:02.981243 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [.], ack 2502, win 133, options [nop,nop,TS val 494125794 ecr 3530629652], length 0
10:18:03.002392 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [P.], seq 1813:3615, ack 2502, win 133, options [nop,nop,TS val 494125796 ecr 3530629652], length 1802: HTTP: HTTP/1.1 200 OK
10:18:03.002436 IP 172.16.254.2.51500 > 13.249.8.8.80: Flags [.], ack 3615, win 285, options [nop,nop,TS val 3530629657 ecr 494125796], length 0
10:18:03.003547 IP 172.16.254.2.51500 > 13.249.8.8.80: Flags [P.], seq 2502:4113, ack 3615, win 285, options [nop,nop,TS val 3530629658 ecr 494125796], length 1611: HTTP: POST /8/MRQ HTTP/1.1
10:18:03.005309 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [.], ack 4113, win 146, options [nop,nop,TS val 494125796 ecr 3530629658], length 0
10:18:03.027454 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [P.], seq 3615:4712, ack 4113, win 146, options [nop,nop,TS val 494125799 ecr 3530629658], length 1097: HTTP: HTTP/1.1 200 OK
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
The fsaua logs contain ONLY lines with content similar to the following.
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
Mon May 11 07:55:11 2020(2): Connecting to http://psb1-smi-bw.sp.f-secure.com/ (no BW proxy, no HTTP proxy)...
Mon May 11 07:55:11 2020(2): Update check completed successfully. No updates are available.
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
My logs are from Apr 12 2020, to May 13 2020. I remove "no update" indication. The remaining logs line doesn't contains any update confirmation.
No update during 30 days, this is not possible. During this 30 days, I count 1265 attemps of update with always the result "No updates are available."
I join at the end of this post:
- "fsauatool -g" report
- full listing of /var/opt/f-secure/fsaua directory
Someone has any idea ?
Answers
-
Hi Thierry
Check the connectivity status when the issue is reproduced by running the following commands on Terminal:
ping x-bw.sp.f-secure.com
nslookup x-bw.sp.f-secure.com
curl -v http://x-bw.sp.f-secure.com
Depending on your cluster 'x' denotes:
EMEA (PSB1)
America (PSB2)
APAC (PSB3)
EMEA2 (PSB4)
EMEA3 (EUSMI)
If the connection is working fine (HTTP response code is "200 OK"), then run the database reset with following the instructions below:
Run the following command in the host installed with F-Secure Linux Security.
Note: All steps require root privileges.
# /etc/init.d/fsma stop
# /etc/init.d/fsaua stop
# ps - efl | grep fsupdated (check the running status of fsupdated process)
# kill <PID of remaining fsupdated process> (If there is any remaining one, kill it)
# rm - rf / var / opt / f - secure / fsaua / data / content / *
# /etc/init.d/fsaua start
# /etc/init.d/fsma start
This will force F-Secure Automatic Update Agent (AUA) to download again all database packages.
0 -
Hi, thanks for the answer. In summary:
- I'm in France, I use psb1
- Tests seems ok
- Stop, delete file and restart were done
- The fsaua doesn't download anything. The directory /var/opt/f-secure/fsaua/data/content/ remain empty, and it is no longer filled by fsaua.
gw01:~$ ping psb1-bw.sp.f-secure.com
PING drca3sse5qkfd.cloudfront.net (13.224.58.19) 56(84) bytes of data.
64 bytes from server-13-224-58-19.cdg50.r.cloudfront.net (13.224.58.19): icmp_seq=1 ttl=246 time=1.16 ms
---------------------------------------------
gw01:~$ nslookup psb1-bw.sp.f-secure.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
psb1-bw.sp.f-secure.com canonical name = drca3sse5qkfd.cloudfront.net.
Name: drca3sse5qkfd.cloudfront.net
Address: 13.224.58.3
Name: drca3sse5qkfd.cloudfront.net
Address: 13.224.58.19
Name: drca3sse5qkfd.cloudfront.net
Address: 13.224.58.98
Name: drca3sse5qkfd.cloudfront.net
Address: 13.224.58.50
---------------------------------------------
gw01:~$ curl -v http://psb1-bw.sp.f-secure.com
* Rebuilt URL to: http://psb1-bw.sp.f-secure.com/
* Hostname was NOT found in DNS cache
* Trying 13.224.58.98...
* Connected to psb1-bw.sp.f-secure.com (13.224.58.98) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: psb1-bw.sp.f-secure.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 92
< Connection: keep-alive
< Date: Fri, 15 May 2020 07:46:17 GMT
* Server Apache is not blacklisted
< Server: Apache
< X-Via: ip-10-112-15-28
< X-Cache: Hit from cloudfront
< Via: 1.1 50fe359d704e2db97a226367d34cf076.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: CDG50-C1
< X-Amz-Cf-Id: 29y6OfdvKjXMlFhbbMClLX18YHlnC30t3UZMk8w98qHqhXEoPm9A1w==
< Age: 2
<
F-Secure Automatic Update Server. Unauthorized access is monitored and strictly forbidden.
* Connection #0 to host psb1-bw.sp.f-secure.com left intact
---------------------------------------------
gw01:~$ sudo /etc/init.d/fsma stop
Stopping FSMA modules
Stopping F-Secure clstate update Daemon () as root
Stopping F-Secure Alert Database Handler Daemon (/opt/f-secure/fsav/libexec/fsadhd.stop) as fsma
Stopping F-Secure FSAV On-Access Scanner Daemon (/opt/f-secure/fsav/libexec/fsoasd.stop) as root
Stopping F-Secure Database Update Daemon () as root
Stopping F-Secure FSAV Web UI (/opt/f-secure/fsav/tomcat/bin/fs-shutdown.sh -force) as root
Stopping F-Secure FSAV PostgreSQL daemon (/opt/f-secure/common/postgresql/bin/shutdown.sh) as fsma
Stopping F-Secure Management Agent
---------------------------------------------
gw01:~$ sudo /etc/init.d/fsaua stop
Shutting down F-Secure Automatic Update Agent: done
---------------------------------------------
gw01:~$ ps -efl | grep fsupdated
0 S thierry 12372 11692 0 80 0 - 3515 pipe_w 09:49 pts/2 00:00:00 grep --color=auto fsupdated
---------------------------------------------
gw01:~$ sudo rm -rf /var/opt/f-secure/fsaua/data/content/*
---------------------------------------------
gw01:~$ sudo /etc/init.d/fsaua start
Starting F-Secure Automatic Update Agent: done
---------------------------------------------
gw01:~$ sudo /etc/init.d/fsma start
Starting F-Secure Management Agent (running as fsma user)
Starting FSMA modules
Starting F-Secure clstate update Daemon (/opt/f-secure/fssp/bin/clstate_updated.rc start) as root
Starting F-Secure Alert Database Handler Daemon (/opt/f-secure/fsav/sbin/fsadhd) as fsma
Starting F-Secure FSAV Policy Manager Daemon (/opt/f-secure/fsav/bin/fsavpmd) as root
Starting F-Secure Firewall Daemon (/opt/f-secure/fsav/bin/fsfwd.run) as root
Starting F-Secure FSAV License Alerter (/opt/f-secure/fsav/libexec/fslmalerter) as root
Starting F-Secure FSAV On-Access Scanner Daemon (/opt/f-secure/fsav/sbin/fsoasd) as root
Starting F-Secure FSAV Status Daemon (/opt/f-secure/fsav/bin/fstatusd) as root
Starting F-Secure Database Update Daemon (/opt/f-secure/fssp/libexec/fsupdated.rc start) as root
Starting F-Secure FSAV Web UI (/opt/f-secure/fsav/tomcat/bin/fs-catalina.sh start) as root
Starting F-Secure FSAV PostgreSQL daemon (/opt/f-secure/common/postgresql/bin/startup.sh) as fsma
---------------------------------------------
gw01:~$ sudo ls -l /var/opt/f-secure/fsaua/data/content/
total 0
0
