Sunday, December 7, 2008

looking for the missing data in partition

# grep -a -B10 -A100 -i fibonacci /dev/hda2 > fabonacci.out
a. searching string fibonacci in partition /dev/hda2, it was in a deleted file.
b. you need a few Mbytes free on the partition while running this command

-a treat device as a series of ASCII characters
-BN before N line
-AN after N line
-i not case-sensitive

use Sleuth kit to recover deleted files

1. install Sleuth , just make will do
2. making sure /usr/local/sleuthkit/bin is in your path before running the following command
3. dd if=/dev/disk-or-partition bs=1024 of=nameofimagefile conv=noerror

Sleuth is great for recoving text files

a. use TSK's dls command to extract all of the unallocated space froom the disk image into a single file, which expedites the process of searching for the file that you've deleted.

# dls hd5_image_etc_files_deleted.img > dls_output.dls

b. use standard strings command to search for all text strings in the output file
# strings -t d dls_output.dls > dls_output.dls.str

c. use grep to search for a string that identifies the file you're looking for
grep ":0:0" dls_output.dls.str
131698688 root:x:0:0

d. divide the above number by block size of file system (4096 for ext2/ext3 file system)
echo "131698688/4096" | bc

e. dcalc -u 32153 hd5_image_etc_filess_deleted.img

f. dcat hd5_image_etc_files_deleted.img [> filename]


g. another tools is Foremost (

Wednesday, October 29, 2008

use Nikto for Web server security test

Tuesday, May 27, 2008

scp stalled through firewall, ssh no problem

  • someone says:
I have seen similar effects by several reasons:
- disallow icmp and mtu mismatch between networks (e.g. different
networks with then ethernet).
- Split routes
- firewall timeouts
- auto negotiation
Stalled "scp" session
Symptom: When "scp" huge files (> 4GB) between hosts, it stalls forever at random instants. It even happens with ftp/rsync. Two reasons may attribute to this problem:
1. Since scp greedyly grabs as much bandwidth of the network as possible when it transfers files, any delay caused by the network switch or the SuSE firewall can easily make the TCP connection stalled.
For this reason, the solution is to limit the bandwidth quota for scp as below:
username@localhost> scp -l 2000 SOURCE DESTINATION # The option "-l 2000" limits the bandwidth up to 2000 Kbit/s which is safe and fast enough.
2. It is due to the Linux SACK implementation problem for
both 2.4 and 2.6 when the TCP window is > 20 MB. Linux
takes such long time to locate the SACKed packet that
a TCP timeout is easily reached and CWND goes back to
the first packet when there are too many packets in flight
and a SACK event is invoked.
Please refer to the following links for information about
It might be working to restrict the TCP buffer size to about 12 MB. However,
the total throughput is limited. The better solution may be:
username@localhost> su # Enter the root password
append "net.ipv4.tcp_sack=0" to /etc/sysctl.conf
username@localhost> sysctl -p
username@localhost> su # Enter the root password
username@localhost> cat 0 > /proc/sys/net/ipv4/tcp_sack
username@localhost> su # Enter the root password
username@localhost> sysctl -w net.ipv4.tcp_sack=0
With this configuration, the SSH transfer of huge-sized file will stall occasionally with every short period of less than 1 second and then recover automatically. That means the simple cumulative acknowledgement scheme of TCP is robust enough.
FYI: There are many other suggestions through the internet as listed below (unfortunately, non of them worked on my machine):
1. Eliminating all the DROP rules for port 22 inside the iptables.
2. Turning off SuSEfirewall2.
3. Limiting the bandwidth by:
username@localhost> scp -l 2000
4. Changing the MTU of NIC by:
username@localhost> ifconfig eth0 mtu xxx
5. Increasing the queue for transmission by
username@localhost> ifconfig eth0 txqueuelen 2000
6. Tuning TCP performance by
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
7. Turning off the buggy TCP segmentation offload by
username@localhost> ethtool -K eth0 tso off
8. Compressing the files being transfered by
username@localhost> scp -C
9. Using pipe and std io to avoid possible "scp" huge file
limitation by
username@localhost> cat localfile | ssh ravana cat ">" remotefile
username@localhost> tar cf - . | ssh ravana tar xvpf -
10. Clamping MSS by
username@localhost> iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"

====for my company, I used the following over 2M lease line link

scp -l 1500 VMware-server-1.0.5-80187.i386.rpm

Tuesday, May 6, 2008

setup tcptraceroute under CentOS 5

  • download tcptraceroute from
  • install libpcap package on CentOS 5 using yum
#yum install libpcap*
including libpcap-devel package so that libpcap.h can be used for 'make'
  • install libnet package
# yum install libnet (without *)
  • run 'ldconfig -v' before compiling tcproute
  • compile tcproute
# ./configure;make;make install
  • done

Thursday, April 10, 2008

setup sudosh and swatch on Linux server

  • purpose:
assuming root password is locked in safebox, normal user like 'jephe' can only use 'sudo sudosh' to become root, after that, everything will be recorded and can be replayed later.

  • install sudosh
download it from DAG website(search google for 'DAG sudosh') for using 'yum install sudosh' from CentOS 5 or run 'yum install sudosh' from RHEL 5 after registering with RHN using command 'rhnreg_ks --proxy=http://x.y.z.k:port --username=user1 --password=pass1
  • put the folllowing to /etc/sudoers
jephe ALL=/usr/bin/sudosh
  • initialize sudo folder by running 'sudosh -i', the permission should be like this:
[root@jephe ~]# ls -ld /var/log/sudosh
drwx-wx-wx 2 root root 4096 Apr 10 15:37 /var/log/sudosh

  • install swatch to realtime scan /var/log/secure to monitor 'su, sudo and console root login'
1. installing swatch rpm using the same method as sudosh
2. put the following to /etc/swatch.conf
[root@jephe ~]# more /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- server sudo alert! ---

watchfor /su:.*/
mail root,subject=--- server su alert! ---

watchfor /login: ROOT LOGIN.*/
mail root,subject=--- server console login alert! ---
3. set root alias in /etc/alias, then run 'newaliases', for those environment that doesn't have DNS server, using /etc/mail/service.switch
[root@jephe ~]# cd /etc/mail
[root@jephe mail]# more service.switch
hosts files
4. put the following to /etc/rc.local
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
5. put the following to /etc/logrotate.d/syslog
[root@jephe logrotate.d]# more syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
/bin/kill -HUP `cat /var/run/ 2> /dev/null` 2> /dev/null || true

##added by Jephe####
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 5
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
6. put the following to /usr/local/sbin/restartsw (for restarting swatch)
[root@db7 logrotate.d]# more /usr/local/sbin/restartsw
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 2
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon

  • configuring to masquerade in non-dns environment
[root@db7 mail]# diff
> define(`SMART_HOST',`mailrelay')dnl
<> dnl EXPOSED_USER(`root')dnl
<> FEATURE(masquerade_envelope)dnl
<> FEATURE(masquerade_entire_domain)dnl
<> MASQUERADE_DOMAIN(localhost)dnl
> MASQUERADE_DOMAIN(localhost.localdomain)dnl

note: assuming server hostname is, so swatch will send out email using normally, which is not-exist domain, but is valid, so we masquerade it to

setup osiris for Windows

  • purpose: for recording down system user/group changes and Windows directory and any other directories changes.
  • how it works: osiris on Windows is agent, the management tool and daemon are residing on Linux server. You need to configure it on Linux sever after installing software on Windows. Then it will generate a base database for comparing every 24 hours by default, then send out email alert for any changes
  • install it on Windows
if you are installing it through terminal service, it will install to wrong place.
1. after installing , copy c:\document and settings\sysmgr\windows\osiris directory to c:\win2k03
2. copy c:\documents and setting\sysmgr\windows\osiris to c:\win2k03\system32
3. startup osiris service again

note: if you encounter error saying "error writing to file osimessage.dll", u can rename c:\windows\system32\osimessage.dll first
  • osiris on Linux
1. ./configure;make;make install
2. enable tcp port 2265 and 2266 for iptables host firewall
3. enable in-between firewall ports too for above 2 ports
4. on server, configure management console
# osiris
# login as username and password
# add-host
all the way to default, except for email alert part choose (y,y,n,y)

copy configuration file to the windows server name to be monitored
start-scan servername
list-db servername