03-30-2017 12:09 PM - edited 03-12-2019 06:20 AM
My employer's Sourcefire appliance is no longer under maintenance and it won't be ever again. The device is still in production and will be for several months. I cannot authenticate using the web GUI but I can SSH to it. How do I create a user ID from the console or make the admin account function through the web interface? I can't find a good command set online or get support due to the unrenewed support.
03-30-2017 12:55 PM
The admin account should work, by default, in the UI, unless the password was changed in the UI but the one in the shell is still the one with which you can log in.
Provide me with the output of:
ls /usr/local/sf/bin/*.pl
03-30-2017 02:21 PM
/usr/local/sf/bin/ActionQueueScrape.pl
/usr/local/sf/bin/CreateDEConfigFiles.pl
/usr/local/sf/bin/DBCheck.pl
/usr/local/sf/bin/DeleteDEConfigFiles.pl
/usr/local/sf/bin/FS_Check.pl
/usr/local/sf/bin/OptimizeTables.pl
/usr/local/sf/bin/ProxyConsumer.pl
/usr/local/sf/bin/Pruner.pl
/usr/local/sf/bin/Syncd.pl
/usr/local/sf/bin/TSS_Daemon.pl
/usr/local/sf/bin/add_manager.pl
/usr/local/sf/bin/alter_merge.pl
/usr/local/sf/bin/cache_tool.pl
/usr/local/sf/bin/change_partition_interval.pl
/usr/local/sf/bin/check_for_lb_nat.pl
/usr/local/sf/bin/check_merge.pl
/usr/local/sf/bin/check_sfd_shutdown.pl
/usr/local/sf/bin/check_uuid.pl
/usr/local/sf/bin/choose-snort.pl
/usr/local/sf/bin/clear_opsec_module_rules.pl
/usr/local/sf/bin/create_default_de.pl
/usr/local/sf/bin/de_info.pl
/usr/local/sf/bin/diagnose_and_repair_users.pl
/usr/local/sf/bin/exec_perl.pl
/usr/local/sf/bin/failopen_pair.pl
/usr/local/sf/bin/fpcollect.pl
/usr/local/sf/bin/gethardware.pl
/usr/local/sf/bin/gethostipbyname.pl
/usr/local/sf/bin/hw-detect.pl
/usr/local/sf/bin/ids_event_db_info.pl
/usr/local/sf/bin/install_rule.pl
/usr/local/sf/bin/install_seu.pl
/usr/local/sf/bin/install_update.pl
/usr/local/sf/bin/ips_policy_apply.pl
/usr/local/sf/bin/ips_profile.pl
/usr/local/sf/bin/is_space_available.pl
/usr/local/sf/bin/load_inline_category.pl
/usr/local/sf/bin/manage_estreamer.pl
/usr/local/sf/bin/manage_procs.pl
/usr/local/sf/bin/manage_pruning.pl
/usr/local/sf/bin/merge_stats.pl
/usr/local/sf/bin/ntpd.pl
/usr/local/sf/bin/package_info.pl
/usr/local/sf/bin/purge_data.pl
/usr/local/sf/bin/register_appliance.pl
/usr/local/sf/bin/remove_managers.pl
/usr/local/sf/bin/remove_peer.pl
/usr/local/sf/bin/repair_table.pl
/usr/local/sf/bin/repair_users.pl
/usr/local/sf/bin/restore_events.pl
/usr/local/sf/bin/rotate_stats.pl
/usr/local/sf/bin/run_hm.pl
/usr/local/sf/bin/run_query.pl
/usr/local/sf/bin/run_task.pl
/usr/local/sf/bin/schedule_wrapper.pl
/usr/local/sf/bin/set_external.pl
/usr/local/sf/bin/sf-backup-inator.pl
/usr/local/sf/bin/sf-backup.pl
/usr/local/sf/bin/sf-restore-backup.pl
/usr/local/sf/bin/sf-rsd-mount.pl
/usr/local/sf/bin/sf-rsd-umount.pl
/usr/local/sf/bin/sf-rsd-upload-backup.pl
/usr/local/sf/bin/sf_crontab_edit.pl
/usr/local/sf/bin/sf_troubleshoot.pl
/usr/local/sf/bin/sfcli.pl
/usr/local/sf/bin/sfd_stats.pl
/usr/local/sf/bin/sftunnel_status.pl
/usr/local/sf/bin/sort_upgrades.pl
/usr/local/sf/bin/system-settings.pl
/usr/local/sf/bin/transaction_tool.pl
/usr/local/sf/bin/uimp.pl
/usr/local/sf/bin/update_snort_memory.pl
/usr/local/sf/bin/usertool.pl
/usr/local/sf/bin/vjdbc.pl
/usr/local/sf/bin/write_ntpd_conf.pl
03-31-2017 02:44 AM
Try with:
/usr/local/sf/bin/usertool.pl -p "admin Your_New_Password"
Replace Your_New_Password with your desired password. You can use the script to add new users, as well.
03-31-2017 07:28 AM
Tried to make a new user. I got this.
admin@anb-sf01:~$ /usr/local/sf/bin/usertool.pl -p anbank ******
-bash: /usr/local/sf/bin/usertool.pl: Permission denied
I didn't try to edit the current admin because I don't want to lock myself out. But I am authenticated as admin in the SSH console. Why would I get denied permission if I am admin in SSH?
03-31-2017 07:36 AM
Because it is Linux, and it has nothing to do with the admin permissions, but with Linux's handling of permissions.
Just issue: sudo su - (don't omit the hyphen), type the admin password again and then reissue the usertool command.
Also, on -p use the double quotes, like: -p "user password"
03-31-2017 08:39 AM
admin@anb-sf01:~$ sudo su - admin &22m8a#9s8Je
[1] 30031
-bash: 22m8a#9s8Je: command not found
admin@anb-sf01:~$ sudo su -admin &22m8a#9s8Je
[2] 30045
-bash: 22m8a#9s8Je: command not found
[1]+ Stopped sudo su - admin
admin@anb-sf01:~$ sudo su -admin &22m8a#9s8Je
[3] 30053
-bash: 22m8a#9s8Je: command not found
[2]+ Stopped sudo su -admin
admin@anb-sf01:~$ /usr/local/sf/bin/usertool.pl -p "anbank #######"
-bash: /usr/local/sf/bin/usertool.pl: Permission denied
[3]+ Stopped sudo su -admin
admin@anb-sf01:~$ /usr/local/sf/bin/usertool.pl -p "anbank #######"
-bash: /usr/local/sf/bin/usertool.pl: Permission denied
admin@anb-sf01:~$
Tried this too:
admin@anb-sf01:~$ sudo su - admin
Password:
admin@anb-sf01:~$ /usr/local/sf/bin/usertool.pl -p "anbank #######"
-su: /usr/local/sf/bin/usertool.pl: Permission denied
03-31-2017 08:54 AM
Try this:
sudo su
usertool.pl -p "anbank #######"
The first command will change you to the root user (not admin, which does not have root privilege). Then you should be able to run commands requiring root privilege.
03-31-2017 08:57 AM
admin@anb-sf01:~$ sudo su
Password:
root@anb-sf01:/var/home/admin# /usr/local/sf/bin/usertool.pl -p "anbank ######"
Could not load user anbank $VAR1 = bless( {
'-file' => '/usr/local/sf/lib/perl/5.10.1/SF/EOHandler.pm',
'-text' => 'loadObject: No UUID Provided - /usr/local/sf/lib/perl/5.10.1/SF/Permission.pm in sub SF::Permission::__ANON__ at line 537',
'-line' => 757,
'-package' => 'SF::EOHandler'
}, 'Error::Simple' );
No user specified. at /usr/local/sf/lib/perl/5.10.1/SF/UserPreferences.pm line 40.
No user named anbank at /usr/local/sf/lib/perl/5.10.1/SF/Auth.pm line 1998.
03-31-2017 09:16 AM
You're almost there. User anbank does not currently exist. That's why the tool isn't letting you change the password.
You need to reset the password for user admin. Once you do that, you should be able to use the admin username and new password to access the Web UI.
Also, I believe it should be single quotes. See the following technote that applies in your case:
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118631-technote-firesight-00.html#anc4
It states the following:
In order to reset the password of an admin user that is used to access the web interface, complete these steps:
Caution: Note the use of single quotes. The use of double quotes does not allow the password to be set properly.
admin@FireSIGHT:~$ sudo usertool.pl -p 'admin <password>'
Note: Replace <password> with the desired password.
For example, if you want to change the password of the admin user from Sourcefire (old password) to Firepower (new password), then enter the command as shown here:
admin@FireSIGHT:~$ sudo usertool.pl -p 'admin Firepower'
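Why the quoting style matters here, as an added example that is not part of the thread or of the technote: the shell rewrites parts of a double-quoted argument before the tool ever receives it, while a single-quoted argument arrives unchanged. The password `Pa$#word&1` and the helper names `argv_of`, `sq_quote` and `reset_cmd` are constructed for illustration; the script only prints strings and never runs usertool.pl.

```shell
#!/bin/sh
# Added example with constructed values; nothing here invokes usertool.pl.

# argv_of: print every argument exactly as a program would receive it.
argv_of() {
    for a in "$@"; do printf '[%s]\n' "$a"; done
}

# Double quotes: the shell still expands $..., so "$#" becomes the
# argument count (0 here) and the password the tool sees is not the
# one that was typed.
double_quoted() { argv_of "admin Pa$#word&1"; }   # -> [admin Pa0word&1]

# Single quotes: every character is literal.
single_quoted() { argv_of 'admin Pa$#word&1'; }   # -> [admin Pa$#word&1]

# sq_quote: wrap any string in single quotes, rewriting each embedded
# single quote as '\'' so the result survives being pasted into a shell.
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# reset_cmd USER PASSWORD: print (do not run) the command line in the
# form quoted from the technote, with the -p argument safely quoted.
reset_cmd() {
    printf 'sudo usertool.pl -p %s\n' "$(sq_quote "$1 $2")"
}

# Demo on the constructed password.
double_quoted
single_quoted
reset_cmd admin 'Pa$#word&1'
```

Left unquoted, as in the earlier `sudo su - admin &...` attempts, `&` ends the command and sends it to the background, which is why bash reported the rest of the line as a command it could not find.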
03-31-2017 09:31 AM
Thank you both so much!!! I am in. You guys rock.
03-31-2017 09:40 AM
You're welcome.
Please mark your question as answered. Doing so encourages participation and helps others searching for answers.