
Tuesday, December 27, 2011

changes in CentOS logrotate archive naming convention

It looks like the archive naming scheme used by logrotate has changed from CentOS5 to CentOS6.  If you do any CentOS scripting against rotated logs, this may affect you.  The CentOS5 logrotate simply added a ".n" to the filename, where "n" is a number.  For example:

[root@mail01-01 ~]# ls -latrh /var/log/messages*
-rw------- 1 root root 4.5M Dec 23 04:11 /var/log/messages.5.gz
-rw------- 1 root root 4.8M Dec 24 04:10 /var/log/messages.4.gz
-rw------- 1 root root 4.4M Dec 25 04:09 /var/log/messages.3.gz
-rw------- 1 root root 4.4M Dec 26 04:08 /var/log/messages.2.gz
-rw------- 1 root root 4.5M Dec 27 04:09 /var/log/messages.1.gz
-rw------- 1 root root  17M Dec 27 08:50 /var/log/messages


In CentOS6, the file name is appended with the date it was rotated.  For example:

[root@radius1 radius]# ls -latrh /var/log/messages*
-rw-------. 1 root root 2.1K Dec  4 03:45 /var/log/messages-20111204
-rw-------. 1 root root 1.8K Dec 11 03:11 /var/log/messages-20111211
-rw-------. 1 root root  33K Dec 18 03:23 /var/log/messages-20111218
-rw-------. 1 root root  438 Dec 25 03:29 /var/log/messages-20111225
-rw-------. 1 root root  281 Dec 25 21:50 /var/log/messages


This is more efficient, to be sure, as the old method renamed every archived file to make room for the newest one (messages.1.gz to messages.2.gz, messages.2.gz to messages.3.gz, and so on).  It may, however, break scripts that look for the ".n" pattern.
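As an added example (not from the original post), here is a small sh function that lists a log's archives oldest-first under either convention, so a script does not have to care which naming scheme logrotate used on a given box:

```shell
#!/bin/sh
# Added example, not from the original post: list a log's rotated archives
# oldest-first regardless of which naming scheme logrotate used, so a script
# written for CentOS 5 keeps working after a CentOS 6 upgrade.
#   CentOS 5:  messages.1.gz ... messages.5.gz    (larger n = older)
#   CentOS 6:  messages-20111204 ...              (earlier date = older)
rotated_logs() {
    log=$1
    # ".n" archives: tag each with its n, sort n descending, drop the tag.
    for f in "$log".[0-9]*; do
        [ -e "$f" ] || continue                 # glob matched nothing
        n=${f#"$log".}; n=${n%.gz}
        case $n in *[!0-9]*) continue ;; esac   # e.g. messages.1.old
        printf '%s %s\n' "$n" "$f"
    done | sort -k1,1nr | cut -d' ' -f2-
    # "-YYYYMMDD" archives: lexical order of the date is chronological order.
    for f in "$log"-[0-9]*; do
        [ -e "$f" ] || continue
        d=${f#"$log"-}; d=${d%.gz}
        case $d in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s\n' "$f" ;;
        esac
    done | sort
}

# Oldest archive, the usual candidate for "purge everything before this".
oldest_rotated() {
    rotated_logs "$1" | head -n 1
}

# usage: sh thisfile.sh /var/log/messages
[ $# -gt 0 ] && rotated_logs "$1"
```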

Tuesday, September 20, 2011

Displaying interface descriptions in SNMP traps using SNMPTT's PREEXEC function

I collect snmp traps via snmptrapd which then hands them off to snmptt. Upon receipt of an interface down/up trap (.1.3.6.1.6.3.1.1.5.3, for example) snmptt then runs a quick snmpget request (unfortunately using SNMPv1 at the moment) to the reporting host to pull the description for the given interface like so:
EVENT ciscoConfigManEventDN .1.3.6.1.6.3.1.1.5.3 "Status Events" Normal
# use snmpget to fetch the interface description and save it as $p1, to be used in the FORMAT line.
PREEXEC /usr/bin/snmpget -v 1 -t 2 -Ovq -c snmptt $aA ifAlias.$1
FORMAT Link DOWN $2 - $p1
# OPTIONAL: do not process this event for VI interfaces (like PPPoE interfaces)
MATCH $2:!(Virtual-Access)
MATCH $2:!(Multilink)
MATCH MODE=and
#
EXEC /root/bin/sendemail.sh high traps@mydomain.com "ALERT-$s-$R-$Fz" "Agent $A at $aA reports $Fz$FnTrap $e:$D$Fn"


Note that I've created a special SNMP VIEW and community on our routers which allow access only to the ifXEntry subtree (the table that holds ifAlias), like so:
snmp-server view snmptt ifXEntry.* included
! note that ACL99 includes my snmp NMS only!
snmp-server community snmptt view snmptt RO 99

Monday, June 27, 2011

BackupPC client quickstart with improved security

To embellish and improve upon http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided I've been using the following procedure:


  1.  Add the 'mybackuppc' user to the machine that is being backed up.  I avoid using "backuppc" as the username so that a dictionary attack on common usernames is less likely to hit it. Then create an SSH key pair on the client as the 'mybackuppc' user (do not enter a passphrase):
    useradd mybackuppc -c "Backup User"
    su - mybackuppc
    ssh-keygen -t rsa
    exit

  2. Add the 'mybackuppc' user to the client's sudoers file using visudo to give the user sudo rights as follows:
    mybackuppc ALL=(ALL) NOPASSWD: /usr/bin/rsync --server *
    Defaults:mybackuppc !requiretty




  3. Copy the 'backuppc' user's public key from the backup server (/var/lib/backuppc/.ssh/id_rsa.pub) to the mybackuppc user's authorized_keys file on the client (/home/mybackuppc/.ssh/authorized_keys).


  4. SSH from the BackupPC server to the client once as the backuppc user (su - backuppc; ssh -l mybackuppc $host) to get the client's RSA host key fingerprint into the backup server's /var/lib/backuppc/.ssh/known_hosts file:
    bash-3.2$ /usr/bin/ssh -l mybackuppc client-host
    The authenticity of host 'client-host (x.x.x.x)' can't be established.
    RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'client-host, x.x.x.x' (RSA) to the list of known hosts.
    [mybackuppc@client-host ~]$ exit
    logout

    Connection to client-host closed.


  5. Use the BackupPC web interface to add a new host. Notice in the comments at the bottom of the page that you can easily copy an existing host, or just add one from scratch with the defaults. You don't have to use a valid name resolvable via DNS if you make sure the name is in /etc/hosts on the backup server. Alternatively, you could create a config file on the backup server in /etc/BackupPC/pc/ and then add the host to the /etc/BackupPC/hosts file.


  6. Use the BackupPC server's web interface to initiate a full backup of the new client machine.
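As an added check (not part of the original procedure), the two functions below verify the client side of steps 2 and 3: that the backup user's sudo grant is exactly the restricted rsync --server rule and nothing broader, and that the .ssh directory and authorized_keys file have modes sshd will accept. The user name, sudoers path and home directory are parameters so the check can be pointed at a real host or at constructed sample files:

```shell
#!/bin/sh
# Added example, not part of the original post: post-setup checks for the
# BackupPC client. $1 is the backup user, $2 a sudoers file (or fragment).
sudo_rule_ok() {
    user=$1
    file=$2
    # The only grant we want to see for this user (step 2 of the procedure).
    want="$user ALL=(ALL) NOPASSWD: /usr/bin/rsync --server *"
    # Non-comment rule lines that start with the user name.
    rules=$(grep -E "^[[:space:]]*$user[[:space:]]" "$file" 2>/dev/null || true)
    [ -n "$rules" ] || return 1      # no rule at all: backups would just fail
    # Any line for the user that is not exactly the rsync rule is too broad
    # (NOPASSWD: ALL, extra commands, a different binary, ...).
    bad=$(printf '%s\n' "$rules" | grep -v -x -F "$want" | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ]
}

# Step 3 follow-up: with StrictModes (the default) sshd ignores authorized_keys
# when the .ssh directory or the file is group/world accessible. $1 is the
# backup user's home directory.
ssh_dir_ok() {
    home=$1
    [ -n "$(find "$home/.ssh" -maxdepth 0 -type d ! -perm /077 2>/dev/null)" ] &&
    [ -n "$(find "$home/.ssh/authorized_keys" -maxdepth 0 -type f ! -perm /077 2>/dev/null)" ]
}

# usage: sh thisfile.sh mybackuppc /etc/sudoers /home/mybackuppc
if [ $# -eq 3 ]; then
    sudo_rule_ok "$1" "$2" && echo "sudo rule OK" || echo "sudo rule NOT restricted"
    ssh_dir_ok "$3"        && echo "ssh perms OK" || echo "ssh perms too open"
fi
```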


Site to Site VPN Worksheet

Periodically I find myself working with another party to establish a LAN to LAN, or Site to Site, IPSEC VPN tunnel and there are various parameters which must be agreed upon.  I have found that exchanging a VPN worksheet ahead of time helps both parties think through the process better and speeds up the VPN configuration.  This is preferable under all scenarios, but especially when one or more parties are paying by the hour to have someone configure it for them.  Feel free to download, alter and use it as you see fit:

https://docs.google.com/leaf?id=0Bw0IToZ5AnXTMjAzMzJiYmEtOWRjOC00OTY0LTg4ZjUtYzk4ZTk4MjViNTEx&hl=en_US&authkey=CMbmnecO

Cisco ASA Remote Access VPN for IPSEC client

Here's a basic template for Remote Access VPN using the Cisco IPSEC VPN client. It includes a pool for address assignment, an ACL that gives remote clients access to a few RDP servers, and a PPPoE dialer for the WAN interface. The ISAKMP policy below (pre-shared key, 3DES, SHA-1, DH group 2) reflects what that client supported at the time; current ASA releases also offer AES and stronger DH groups.

interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 description OUTSIDE
 nameif outside
 security-level 0
 ip address pppoe setroute
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group network remoteVPNGroup
 network-object 172.16.0.0 255.255.255.0
object-group network insideNetworks
 network-object 10.0.0.0 255.255.255.0
object-group network RDP-Servers
 network-object host 10.0.0.6
 network-object host 10.0.0.14
 !
access-list inside_nat0_outbound extended permit ip object-group RDP-Servers object-group remoteVPNGroup
!
ip local pool RAGenPool 172.16.0.2-172.16.0.30 mask 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
!
crypto isakmp policy n
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
!
group-policy RAGeneral internal
group-policy RAGeneral attributes
 vpn-tunnel-protocol IPSec
 group-lock value RAGeneral
 split-tunnel-policy tunnelall
 address-pools value RAGenPool
 !
username testuser password ************** encrypted
username testuser attributes
 vpn-group-policy RAGeneral
 group-lock value RAGeneral
username superadmin password ********** encrypted privilege 15
!
tunnel-group RAGeneral type ipsec-ra
tunnel-group RAGeneral general-attributes
 address-pool RAGenPool
 default-group-policy RAGeneral
tunnel-group RAGeneral ipsec-attributes
 pre-shared-key * 
!
vpdn group PPPOE-WAN request dialout pppoe
vpdn group PPPOE-WAN localname my_ppp_username
vpdn group PPPOE-WAN ppp authentication pap
vpdn username my_ppp_username password *********
 

Tuesday, April 19, 2011

My Thunderbird Plugins

  • DisplayQuota
  • Enigmail
  • Lightning
  • Provider for Google Calendar
  • Sieve

Tuesday, March 22, 2011

Handy BASH one-liners

Please excuse the mess:

  • remove blanks and comments: egrep -v "#|^$" filename
  • for f in *.dist; do cp $f `basename $f .dist`; done
  • tcpdump -c 20 -i br0.52 'tcp port 3389 and host 216.177.x.x'
  • tcpdump -n host 192.168.5.9 and port 53 -c 10
  • list backups from three days ago: ls /backup/*`date -d '-3 day' +'%Y-%m-%d'`  ## %Y, not %G (%G is the ISO week-based year and differs around New Year)
  • find -type f -print0 | xargs -0 grep -liwZ "search_string" | xargs -0 rm -f
  • flush every ARP entry: arp -n | tail -n +2 | awk '{printf "arp -d %s\n",$1}' | sh
  • recursive FTP mget: wget -r -nH ftp://ftp.remotehost.example.com
  • iptables -t nat -I POSTROUTING 8 -s 192.168.112.0/255.255.255.0 -o eth0 -j SNAT --to-source 10.10.224.6
  • iptables -L -n -t nat --line-numbers
  • feed XARGS variables for more complex statements : grep -o -e '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' /var/log/maillog| sort | uniq | sort -nr | xargs -I '{}' grep '{}' /var/log/fail2ban.log
  • grep 'cat\|dog' ## find file matches lines containing the word "cat" or the word "dog"
  • find top email addresses in logs: tail -n 10000 /var/log/maillog | grep 'postfix\/smtp' | grep from= | awk '/from=/{for (i=1;i<=NF;i++) {if ( $i ~ /[[:alpha:]]@[[:alpha:]]/ ) {print tolower($i)}}}' | sed -n 's/from\=//p' | sort | uniq -c | sort -nr
  • awk '{print $2 ":" (strftime("%D-%T", $2)) " " $4}'
  • awk '{print substr($1,4),"@",$2,$3}' ./times.txt
  • awk -F, '{if ($5 > 0 || $13==1) print $(NF-1)}' ## if fifth field is >0 OR thirteenth field equals 1 then print second-to-last field (note == for comparison; a single = would assign)
  • awk '/Monday/{print substr($1,4),"@",$2,$3}' ./times.txt
  • find /home/ -name '.snapshot' -prune -o -name '*' -type d -fprintf ./fprint.txt '%U\t%G\t%p\n'
  • find . -name nopo\* #finds files in current directory that begin in "nopo"
  • find files modified w/in the last 24 hours but skip the rra directory or any file containing rra in the name: find ./ -name 'rra' -prune -o -mtime 0 -ls
  • find /data/backup/ -mtime +10 -and -name 'tccu-server-*.tar.gz*' -exec rm {} \;
  • find . -path './mail/*' -prune -o -mtime +120 -ls
  • find /var/log/ -name 'maillog*' | xargs ls -tr | xargs zgrep -h mydomainname
  • postqueue -p |grep -P '^[0-9A-F]+' | sed 's/*//g' | awk '{print $1}' | postsuper -d -

Monday, February 21, 2011

Log cron output to syslog

# With this order, the script's stdout is appended to /var/log/messages, but stderr still goes to cron mail
* * * * * root /root/bin/cron-test  2>&1 >> /var/log/messages
# this order sends both stdout and stderr to /var/log/messages
* * * * * root /root/bin/cron-test  >> /var/log/messages 2>&1
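The two crontab lines differ only in redirection order, and the order matters because the shell applies redirections left to right. The added example below (not from the original post) runs both orders against a constructed stand-in for /root/bin/cron-test so the difference is visible, and adds a variant that goes through logger, which is what actually hands the output to syslog:

```shell
#!/bin/sh
# Added example, not from the original post. cron_test is a constructed
# stand-in for /root/bin/cron-test (the real script is not on this page):
# one line on stdout, one on stderr.
cron_test() {
    echo "cron-test: normal output"
    echo "cron-test: error output" >&2
}

# Crontab line 1:  cron-test 2>&1 >> /var/log/messages
# "2>&1" first points stderr at wherever stdout goes *right now* (under cron,
# the pipe that becomes mail); only then does ">> file" move stdout. So stdout
# lands in the file and stderr is still mailed.
log_stdout_only() {
    cron_test 2>&1 >> "$1"
}

# Crontab line 2:  cron-test >> /var/log/messages 2>&1
# stdout is moved to the file first, then stderr is pointed at that same
# descriptor, so both streams end up in the file.
log_both() {
    cron_test >> "$1" 2>&1
}

# Variant that really goes through syslog (not in the original post): logger
# tags and timestamps each line like any other syslog message, and the file
# stays under syslogd's control instead of being appended to directly.
log_via_syslog() {
    cron_test 2>&1 | logger -t cron-test
}

# Number of lines a variant wrote to its file (used to compare the two orders).
lines_in() {
    wc -l < "$1" | tr -d ' '
}
```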

Tuesday, February 1, 2011

Hard = wrong

Sometimes, when things seem harder than they should be, it's because I'm doing it wrong.