
Wednesday, October 9, 2013

Blocking DNS requests with iptables

iptables -I INPUT 1 -p udp -m udp --dport 53 -m string --hex-string "|333032353904696e666f|" --algo kmp --from 30 --to 65535 -m comment --comment "drop 30259.info" -j DROP

Unfortunately that string has to be given in hex (the domain name as it appears on the wire), so you'll need to run a tcpdump to extract the hex-encoded domain name, like so:
[bob@host01 ~]# tcpdump -nnX -c 10 -s 0 -l port 53 
05:18:53.307390 IP nnn.nnn.nnn.nnn.32825 > xxx.xxx.xxx.xxx.53:  7117+ [1au] ANY? 30259.info. (51)
        0x0000:  4500 004f 0000 4000 3f11 df23 cd86 d638  E..O..@.?..#...8
        0x0010:  d8b1 e009 8039 0035 003b 34c9 1bcd 0100  .....9.5.;4.....
        0x0020:  0001 0000 0000 0001 0533 3032 3539 0469  .........30259.i
        0x0030:  6e66 6f00 00ff 0001 0000 2910 0000 0000  nfo.......).....
        0x0040:  0000 0c50 fa00 0800 0120 000b 5dfb ed    ...P........]..

Notice that this happens to be QTYPE 255, a request for all records (all cached records, that is, not an AXFR zone transfer, which is type 252). I don't know whether this QTYPE is useful in the real world or just a vector for attack. You can view all queries with QTYPE=255 with:
tcpdump -c 10 -s 0 -l port 53 and ether[len - 3] == 0xff
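As an added example (not code from the original post), the Python below builds the wire-format hex for a domain directly instead of reading it out of a capture, parses the question from the packet transcribed from the tcpdump dump above, and checks both the iptables pattern and the `ether[len - 3]` filter against it. The `--from` offset is assumed here to count from the start of the IP packet.

```python
def dns_wire_name(domain: str) -> bytes:
    """DNS wire format: each label prefixed by its length byte, terminated by 0x00."""
    out = b""
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def hex_string_for(domain: str) -> str:
    """--hex-string for the whole name, length prefix and terminator included."""
    return "|" + dns_wire_name(domain).hex() + "|"

# The 79-byte IP packet transcribed from the post's `tcpdump -nnX` output above.
IP_PACKET = bytes.fromhex(
    "4500004f000040003f11df23cd86d638d8b1e00980390035003b34c91bcd0100"
    "00010000000000010533303235390469"
    "6e666f0000ff00010000291000000000"
    "00000c50fa0008000120000b5dfbed"
)
DNS_PAYLOAD = IP_PACKET[28:]  # skip 20-byte IP header + 8-byte UDP header

def parse_question(payload: bytes) -> tuple:
    """Return (qname, qtype, arcount) of a single-question DNS message."""
    qdcount = int.from_bytes(payload[4:6], "big")
    arcount = int.from_bytes(payload[10:12], "big")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while payload[pos] != 0:
        length = payload[pos]
        if length >= 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = int.from_bytes(payload[pos + 1:pos + 3], "big")
    return ".".join(labels), qtype, arcount

def rule_matches(ip_packet: bytes, hex_string: str, offset: int = 30) -> bool:
    """Mirror `-m string --from 30`: pattern at or after byte `offset` of the IP
    packet (assumed here to be where the kernel string match starts counting)."""
    return bytes.fromhex(hex_string.strip("|")) in ip_packet[offset:]

def tail_filter_matches(ip_packet: bytes) -> bool:
    """Mirror `ether[len - 3] == 0xff`: only true when nothing, such as the EDNS
    OPT record in this capture, follows the question section."""
    return ip_packet[-3] == 0xFF
```

The post's shorter pattern, which omits the leading length byte and the trailing zero, also matches longer names such as 30259.info.example, and the tail filter misses this very capture because of its EDNS OPT record.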

Tuesday, December 27, 2011

changes in CentOS logrotate archive naming convention

It looks like the archive naming scheme used by logrotated has changed from CentOS5 to CentOS6. If you do any CentOS scripting, this may affect you. The CentOS5 logrotated simply added a ".n" to the filename, where "n" is a number. For example:

[root@mail01-01 ~]# ls -latrh /var/log/messages*
-rw------- 1 root root 4.5M Dec 23 04:11 /var/log/messages.5.gz
-rw------- 1 root root 4.8M Dec 24 04:10 /var/log/messages.4.gz
-rw------- 1 root root 4.4M Dec 25 04:09 /var/log/messages.3.gz
-rw------- 1 root root 4.4M Dec 26 04:08 /var/log/messages.2.gz
-rw------- 1 root root 4.5M Dec 27 04:09 /var/log/messages.1.gz
-rw------- 1 root root  17M Dec 27 08:50 /var/log/messages


In CentOS6, the date of rotation is appended to the file name instead. For example:

[root@radius1 radius]# ls -latrh /var/log/messages*
-rw-------. 1 root root 2.1K Dec  4 03:45 /var/log/messages-20111204
-rw-------. 1 root root 1.8K Dec 11 03:11 /var/log/messages-20111211
-rw-------. 1 root root  33K Dec 18 03:23 /var/log/messages-20111218
-rw-------. 1 root root  438 Dec 25 03:29 /var/log/messages-20111225
-rw-------. 1 root root  281 Dec 25 21:50 /var/log/messages


This is more efficient, to be sure, as the old method had to rename every archived file to make room for the newest one (messages.1.gz to messages.2.gz, messages.2.gz to messages.3.gz, and so on). It may, however, break scripts that look for the ".n" pattern.

Tuesday, March 22, 2011

Handy BASH one-liners

Please excuse the mess:

  • remove blanks and comments: egrep -v "#|^$" filename
  • strip the .dist suffix from every file: for f in *.dist; do cp "$f" "$(basename "$f" .dist)"; done
  • tcpdump -c 20 -i br0.52 'tcp port 3389 and host 216.177.x.x'
  • tcpdump -n host 192.168.5.9 and port 53 -c 10
  • list backups stamped three days ago: ls /backup/*$(date -d '-3 day' +'%G-%m-%d')
  • delete every file containing a word (whole word, case-insensitive): find -type f -print0 | xargs -0 grep -liwZ "search_string" | xargs -0 rm -f
  • flush the ARP cache: arp -n | tail -n +2 | awk '{printf "arp -d %s\n",$1}' | sh
  • recursive FTP mget: wget -r -nH ftp://ftp.remotehost.example.com
  • iptables -t nat -I POSTROUTING 8 -s 192.168.112.0/255.255.255.0 -o eth0 -j SNAT --to-source 10.10.224.6
  • iptables -L -n -t nat --line-numbers
  • feed xargs variables for more complex statements: grep -o -e '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' /var/log/maillog | sort | uniq | sort -nr | xargs -I '{}' grep '{}' /var/log/fail2ban.log
  • grep 'cat\|dog' ## find lines containing the word "cat" or the word "dog"
  • find top email addresses in logs: tail -n 10000 /var/log/maillog | grep 'postfix\/smtp' | grep from= | awk '/from=/{for (i=1;i<=NF;i++) {if ( $i ~ /[[:alpha:]]@[[:alpha:]]/ ) {print tolower($i)}}}' | sed -n 's/from\=//p' | sort | uniq -c | sort -nr
  • awk '{print $2 ":" (strftime("%D-%T", $2)) " " $4}' ## gawk: render the epoch timestamp in field 2 as a date
  • awk '{print substr($1,4),"@",$2,$3}' ./times.txt
  • awk -F, '{if ($5 > 0 || $13 == 1) print $(NF-1)}' ## if fifth field is >0 OR thirteenth field equals 1 then print second-to-last field (== compares; a single = would assign)
  • awk '/Monday/{print substr($1,4),"@",$2,$3}' ./times.txt
  • find /home/ -name '.snapshot' -prune -o -name '*' -type d -fprintf ./fprint.txt '%U\t%G\t%p\n'
  • find . -name 'nopo*' # finds files in the current directory whose names begin with "nopo"
  • find files modified w/in the last 24 hours but skip the rra directory or any file containing rra in the name: find ./ -name 'rra' -prune -o -mtime 0 -ls
  • find /data/backup/ -mtime +10 -and -name 'tccu-server-*.tar.gz*' -exec rm {} \;
  • find . -path './mail/*' -prune -o -mtime +120 -ls
  • find /var/log/ -name 'maillog*' | xargs ls -tr | xargs zgrep -h mydomainname
  • delete every message in the postfix queue: postqueue -p | grep -P '^[0-9A-F]+' | sed 's/*//g' | awk '{print $1}' | postsuper -d -

Wednesday, December 30, 2009

Iptables comments

When working as a team, sharing information is critical. Nothing beats inline comments for this, as programmers and *nix admins will appreciate. For years I've been frustrated with the lack of comments in our *nix iptables files. What is this rule? Who put this here? Is it still valid? One could put helpful comments in the /etc/sysconfig/iptables file, but they'd be overwritten if anyone ran "iptables-save" or "service iptables save" (the latter being a recent and pleasant discovery).

Like most things *nix, the answer has been there all along; I just never looked in the right place for it. Strangely, I found this one in the man page for iptables. Fancy that! Simply add an additional packet matching module, in this case the comment module, to your rule definition. Rules and caveats:

  • It can be anywhere in the rule _before_ the -j or "jump" bit.
  • It is limited to 245 characters.
  • There is only one directive used by the comment module: --comment "..."
  • Remember to wrap your comment in _double_ quotes.


[root@localhost]#iptables -I INPUT 1 -d 10.10.10.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "This is a comment" -j ACCEPT


results in:
[root@localhost]#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.10.10.0/24 anywhere state NEW tcp dpt:ssh /* this is a comment */

Remember to run "service iptables save". Enjoy!

Thursday, November 19, 2009

Schedule BASH commands

Much like Cisco IOS's "at" command, BASH supports a command-line scheduler.  This is handy when a cron job is just too much trouble:

echo "/path/to/script" | at 22:00

or

echo "/path/to/script" | at now +1 hour

Wednesday, November 18, 2009

Recursively Search & Replace with grep and sed

The following tidbit recursively searches the current directory for files containing a string and replaces the string, in place, with a new string:

grep -rlZ original . | xargs -0 sed -i 's/original/replacement/g'

By default sed and vi replace only the first instance of a string on a line. The /g flag ensures that every instance on every line is replaced.