# grep -a -B10 -A100 -i fibonacci /dev/hda2 > fabonacci.out
note:
a. searching for the string fibonacci in partition /dev/hda2; it was in a deleted file.
b. you need a few Mbytes free on the partition while running this command (writing the output onto the partition being searched can overwrite the very blocks you are trying to recover, so send it to a different filesystem whenever you can)
-a treat the raw device as text instead of skipping it as a binary file
-B N print N lines of context before each match
-A N print N lines of context after each match
-i case-insensitive match
Sunday, December 7, 2008
use Sleuth Kit to recover deleted files
1. install Sleuth Kit; a plain make will do
2. make sure /usr/local/sleuthkit/bin is in your PATH before running the following commands
3. dd if=/dev/disk-or-partition bs=1024 of=nameofimagefile conv=noerror
Sleuth Kit is great for recovering text files
a. use TSK's dls command to extract all of the unallocated space from the disk image into a single file, which speeds up the search for the file you deleted.
# dls hd5_image_etc_files_deleted.img > dls_output.dls
b. use the standard strings command to list all text strings in the output file together with their decimal byte offsets (-t d)
# strings -t d dls_output.dls > dls_output.dls.str
c. use grep to search for a string that identifies the file you're looking for
grep ":0:0" dls_output.dls.str
131698688 root:x:0:0
.....
d. divide the offset above by the block size of the file system (4096 for ext2/ext3) to get the block number within the dls output
echo "131698688/4096" | bc
32153
e. dcalc -u 32153 hd5_image_etc_files_deleted.img (maps that dls unit address back to the block address in the original image)
f. dcat hd5_image_etc_files_deleted.img <block address printed by dcalc> [> filename]
root:x:0.0...
bin:x:1:1
.....
....
g. another tool is Foremost (http://foremost.sf.net)
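Added worked example, not from the original post and not Sleuth Kit code: the same raw-byte string search as the grep -a command above and the offset-to-block arithmetic and block dump of steps b through f, done in Python over a constructed toy image. Because the search runs directly on the image rather than on a dls output file, the dcalc -u mapping step is not needed here; the constructed passwd fragment, image layout and block size are assumptions.

```python
import re

BLOCK_SIZE = 4096  # ext2/ext3 block size used on this page

def build_sample_image():
    """Construct a toy 'disk image': eight zero-filled blocks with a passwd
    fragment buried inside block 5, standing in for unallocated space.
    (Constructed data, not a real image.)"""
    passwd = b"root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"
    image = bytearray(BLOCK_SIZE * 8)
    start = 5 * BLOCK_SIZE + 100          # 100 bytes into block 5
    image[start:start + len(passwd)] = passwd
    return bytes(image)

def find_strings(image, pattern, min_len=4):
    """Emulate 'strings -t d | grep pattern': yield (decimal offset, string)
    for every printable run of at least min_len bytes that matches pattern."""
    printable = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in printable.finditer(image):
        if re.search(pattern, m.group()):
            yield m.start(), m.group().decode("ascii")

def offset_to_block(offset, block_size=BLOCK_SIZE):
    """Step d: byte offset -> block number, i.e. 'echo offset/4096 | bc'.
    On a dls output file this block number would still need 'dcalc -u'
    to be mapped to the original image; here we search the image itself."""
    return offset // block_size

def dcat(image, block, block_size=BLOCK_SIZE):
    """Step f: return the raw contents of one block, like 'dcat image block'."""
    return image[block * block_size:(block + 1) * block_size]

if __name__ == "__main__":
    img = build_sample_image()
    for off, s in find_strings(img, rb":0:0"):
        blk = offset_to_block(off)
        print(f"{off} {s} -> block {blk}")
        print(dcat(img, blk).strip(b"\x00").decode())
```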
Wednesday, October 29, 2008
Tuesday, May 27, 2008
scp stalled through firewall, ssh no problem
- someone says:
- disallow icmp and mtu mismatch between networks (e.g. different networks with then ethernet).
- Split routes
- firewall timeouts
- auto negotiation
========
Stalled "scp" session
Symptom: When copying huge files (> 4GB) between hosts with "scp", it stalls forever at random instants. It even happens with ftp/rsync. Two reasons may contribute to this problem:
1. Since scp greedily grabs as much bandwidth of the network as possible when it transfers files, any delay caused by the network switch or the SuSE firewall can easily make the TCP connection stall.
For this reason, the solution is to limit the bandwidth quota for scp as below:
username@localhost> scp -l 2000 SOURCE DESTINATION # The option "-l 2000" limits the bandwidth up to 2000 Kbit/s which is safe and fast enough.
2. It is due to the Linux SACK implementation problem for both 2.4 and 2.6 when the TCP window is > 20 MB. Linux takes such a long time to locate the SACKed packet that a TCP timeout is easily reached and CWND goes back to the first packet when there are too many packets in flight and a SACK event is invoked.
Please refer to the following links for information about SACK:
http://www.ietf.org/rfc/rfc2018.txt
http://www.ietf.org/rfc/rfc1072.txt
It might work to restrict the TCP buffer size to about 12 MB. However, the total throughput is limited. The better solution may be:
username@localhost> su # Enter the root password
append "net.ipv4.tcp_sack=0" to /etc/sysctl.conf
username@localhost> sysctl -p
Or
username@localhost> su # Enter the root password
username@localhost> echo 0 > /proc/sys/net/ipv4/tcp_sack
Or
username@localhost> su # Enter the root password
username@localhost> sysctl -w net.ipv4.tcp_sack=0
With this configuration, the SSH transfer of a huge file will still stall occasionally for very short periods of less than 1 second and then recover automatically. That means the simple cumulative acknowledgement scheme of TCP is robust enough.
FYI: There are many other suggestions on the internet, as listed below (unfortunately, none of them worked on my machine):
1. Eliminating all the DROP rules for port 22 inside the iptables.
2. Turning off SuSEfirewall2.
3. Limiting the bandwidth by:
username@localhost> scp -l 2000
4. Changing the MTU of NIC by:
username@localhost> ifconfig eth0 mtu xxx
5. Increasing the queue for transmission by
username@localhost> ifconfig eth0 txqueuelen 2000
6. Tuning TCP performance by
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.core.netdev_max_backlog=2500
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_timestamps=0
7. Turning off the buggy TCP segmentation offload by
username@localhost> ethtool -K eth0 tso off
8. Compressing the files being transfered by
username@localhost> scp -C
9. Using pipe and std io to avoid possible "scp" huge file
limitation by
username@localhost> cat localfile | ssh ravana cat ">" remotefile
Or
username@localhost> tar cf - . | ssh ravana tar xvpf -
10. Clamping MSS by
username@localhost> iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
====for my company, I used the following over a 2M leased line link
scp -l 1500 VMware-server-1.0.5-80187.i386.rpm 1.2.3.4:/tmp
Tuesday, May 6, 2008
setup tcptraceroute under CentOS 5
- download tcptraceroute from http://michael.toren.net/code/tcptraceroute/
- install the libpcap package on CentOS 5 using yum, including the libpcap-devel package so that the pcap header is available for 'make'
- install the libnet package
- run 'ldconfig -v' before compiling tcptraceroute
- compile tcptraceroute
- done
Thursday, April 10, 2008
setup sudosh and swatch on Linux server
- purpose:
- install sudosh
- put the following to /etc/sudoers
- initialize the sudosh log folder by running 'sudosh -i'; the permissions should look like this:
drwx-wx-wx 2 root root 4096 Apr 10 15:37 /var/log/sudosh
- install swatch to scan /var/log/secure in real time and monitor 'su, sudo and console root login'
2. put the following to /etc/swatch.conf
[root@jephe ~]# more /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- server sudo alert! ---
watchfor /su:.*/
mail root,subject=--- server su alert! ---
watchfor /login: ROOT LOGIN.*/
mail root,subject=--- server console login alert! ---
3. set a root alias in /etc/aliases, then run 'newaliases'; for environments that have no DNS server, use /etc/mail/service.switch:
[root@jephe ~]# cd /etc/mail
[root@jephe mail]# more service.switch
hosts files
4. put the following to /etc/rc.local
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
5. put the following to /etc/logrotate.d/syslog
[root@jephe logrotate.d]# more syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
##added by Jephe####
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 5
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
###end#####
endscript
}
6. put the following to /usr/local/sbin/restartsw (for restarting swatch)
[root@db7 logrotate.d]# more /usr/local/sbin/restartsw
#!/bin/sh
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 2
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
- configuring sendmail.mc to masquerade in a non-DNS environment (diff of the old and new sendmail.mc):
39a40
> define(`SMART_HOST',`mailrelay')dnl
103c104
<> dnl EXPOSED_USER(`root')dnl
160c161
<> MASQUERADE_AS(`newdomain.com')dnl
164c165
<> FEATURE(masquerade_envelope)dnl
168c169
<> FEATURE(masquerade_entire_domain)dnl
170,172c171,173
<> MASQUERADE_DOMAIN(localhost)dnl
> MASQUERADE_DOMAIN(localhost.localdomain)dnl
> MASQUERADE_DOMAIN(domain.com)dnl
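Review bot: the `<` and `>` direction markers of the 103c104 through 170,172c171,173 hunks have been run together as `<>`, so the before and after side of each change cannot be told apart; regenerate the diff (diff -u is clearest) so a reader can see that the EXPOSED_USER(`root') line stays disabled with dnl, which is what lets root's mail be masqueraded at all. Also, SMART_HOST is the bare name `mailrelay`; in the non-DNS setup described above that name has to be resolvable from /etc/hosts, which the `hosts files` service.switch entry earlier provides.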
note: assuming the server hostname is jephe.domain.com, swatch would normally send email as root@jephe.domain.com, which is a non-existent domain; newdomain.com is valid, so we masquerade it to root@newdomain.com.
setup osiris for Windows
- purpose: for recording down system user/group changes and Windows directory and any other directories changes.
- how it works: on Windows, osiris is the agent; the management tool and daemon reside on the Linux server. You configure it on the Linux server after installing the software on Windows. It then generates a baseline database, compares against it every 24 hours by default, and sends an email alert for any changes.
- install it on Windows
Solution:
1. after installing , copy c:\document and settings\sysmgr\windows\osiris directory to c:\win2k03
2. copy c:\documents and setting\sysmgr\windows\osiris to c:\win2k03\system32
3. startup osiris service again
note: if you encounter an error saying "error writing to file osimessage.dll", you can rename c:\windows\system32\osimessage.dll first
- osiris on Linux
2. enable tcp port 2265 and 2266 for iptables host firewall
3. enable in-between firewall ports too for above 2 ports
4. on server, configure management console
# osiris
# login as username and password
# add-host
accept the defaults all the way, except for the email alert part, where you choose (y,y,n,y)
copy the configuration file to the Windows server to be monitored
start-scan servername
list-db servername
Wednesday, April 9, 2008
setup Snare for Windows for centralized system log
- download snare for Windows
- after install, access it using http://localhost:6161
- go to 'network configuration' and enter the remote Linux syslog-ng server IP under 'Destination Snare Server address', and the 'Destination Port' (514 for syslog-ng)
- go to 'remote control' to set a password
- access it next time with the username/password pair 'snare' / the password you gave
Thursday, March 6, 2008
setup Snort on CentOS 5
- follow the documentation on www.internetsecurityguru.com
- certain things to take note as follow:
- selinux
- yum -y update, and you might want to add 'export http_proxy=http://10.0.0.252:8080' to /etc/profile
- oinkmaster
after setting up the oinkmaster cronjob script, you might want to add a cronjob to restart snort itself as well, so that the rules oinkmaster downloads are actually loaded by snort
crontab -l -u snort
30 5 * * * export http_proxy=http://1.2.3.4:8080; /usr/bin/oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -b /etc/snort/backup > /tmp/snort.cron 2>&1 ;sync;sync;sync;sleep 15; (echo "From: snort@domain.com";echo "Subject: snort rules daily update";echo "";cat /tmp/snort.cron) | /usr/sbin/sendmail -f snort@domain.com jephe@domain.com
- pear config-show
- perl -MCPAN -e shell
- barnyard
./configure --enable-mysql;make;make install
use the following configuration for /etc/snort/barnyard.conf
config localtime
config hostname: localhost
config interface: eth1
output alert_fast
output log_dump
output log_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full
you only need to modify bylog.waldo once, after that, barnyard will update it automatically.
here is the init script for barnyard:
--------------------
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops Barnyard
#
# config: /etc/snort/barnyard.conf
# processname: barnyard

# Source function library
. /etc/rc.d/init.d/functions

# program name
BASE=barnyard

# program options
CONF="/etc/snort/barnyard.conf"
GEN_MAP="/etc/snort/gen-msg.map"
SID_MAP="/etc/snort/sid-msg.map"
LOG_DIR="/var/log/snort"
LOG_FILE="snort.log"
WALDO_FILE="/var/log/snort/bylog.waldo"
DAEMON="-D"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
    if [ -n "`/sbin/pidof $BASE`" ]; then
        echo -n $"$BASE: already running"
        echo ""
        exit $RETVAL
    fi
    echo -n "Starting Barnyard service: "
    /usr/local/bin/$BASE -c $CONF -g $GEN_MAP -s $SID_MAP -d $LOG_DIR -f $LOG_FILE -w $WALDO_FILE $DAEMON
    sleep 1
    action "" /sbin/pidof $BASE
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/barnyard
    ;;
  stop)
    echo -n "Shutting down Barnyard service: "
    killproc /usr/local/bin/$BASE
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/barnyard
    ;;
  restart|reload)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  status)
    status $BASE
    RETVAL=$?
    ;;
  *)
    # usage message names this script's own daemon, not snort
    echo "Usage: $BASE {start|stop|restart|reload|status}"
    exit 1
esac

exit $RETVAL
--------------------------
- snort.conf
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
change the interface to eth1 in the /etc/init.d/snort script
cronjob for snort (note the redirect order: stdout to the file first, then stderr onto it):
50 5 * * * /sbin/service snort restart > /tmp/snortrestart.cron 2>&1;sleep 5;(echo "From:sensor1@domain.com";echo "Subject:snort daily restart";echo "";cat /tmp/snortrestart.cron)| /usr/sbin/sendmail -f snort@domain.com jephe@domain.com
- swatch
watchfor /snort.*Priority.* -> .*/
mail jephe@domain.com:wu@domain.com,subject=--- Sensor1 Snort Alert! ---
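Added example, not part of the original post and not swatch's own code: a small Python emulation of the watchfor/mail rule pairs from this swatch fragment and from the earlier /var/log/secure swatch.conf, run over constructed log lines to show which line raises which alert subject. The log lines, the snort alert format and the conf text are constructed samples, not real output.

```python
import re

# Constructed swatch.conf fragment in the same watchfor/mail shape as on this page.
SWATCH_CONF = """\
watchfor /sudo:.*/
mail root,subject=--- server sudo alert! ---
watchfor /su:.*/
mail root,subject=--- server su alert! ---
watchfor /login: ROOT LOGIN.*/
mail root,subject=--- server console login alert! ---
watchfor /snort.*Priority.* -> .*/
mail jephe@domain.com:wu@domain.com,subject=--- Sensor1 Snort Alert! ---
"""

# Constructed sample lines from /var/log/secure and /var/log/snortalert (not real output).
SAMPLE_LOG = [
    "Apr 10 15:40:01 jephe sudo:  alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash",
    "Apr 10 15:41:12 jephe su: pam_unix(su:session): session opened for user root by bob(uid=500)",
    "Apr 10 15:42:30 jephe login: ROOT LOGIN ON tty1",
    "Apr 10 15:43:00 jephe sshd[2211]: Accepted password for carol from 10.0.0.5 port 51234 ssh2",
    "Mar  6 03:12:44 sensor1 snort: [1:2003:8] ET POLICY Test [Priority: 2] {TCP} 10.0.0.9:4444 -> 10.0.0.2:80",
]

def parse_swatch_conf(text):
    """Turn 'watchfor /re/' followed by 'mail rcpts,subject=...' into
    (compiled_regex, recipient_list, subject) rules."""
    rules, pattern = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("watchfor /") and line.endswith("/"):
            pattern = re.compile(line[len("watchfor /"):-1])
        elif line.startswith("mail ") and pattern is not None:
            recipients, _, subject = line[len("mail "):].partition(",subject=")
            rules.append((pattern, recipients.split(":"), subject))
            pattern = None
    return rules

def scan(log_lines, rules):
    """Return one (subject, recipients, line) per rule hit, like swatch's mail action."""
    alerts = []
    for line in log_lines:
        for pattern, recipients, subject in rules:
            if pattern.search(line):
                alerts.append((subject, recipients, line))
    return alerts

if __name__ == "__main__":
    for subject, rcpts, line in scan(SAMPLE_LOG, parse_swatch_conf(SWATCH_CONF)):
        print(f"{subject} -> {','.join(rcpts)}: {line}")
```

The plain sshd login on the fourth sample line matches none of the rules, which is the gap the console-login rule does not cover.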
- syslog
/var/log/snortalert {
daily
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 5
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/snortalert --daemon
endscript
}
grep snort /etc/syslog.conf
local1.* /var/log/snortalert
- /etc/rc.local
- sendmail
a. change the DS line to DS[1.2.3.5], the SMTP relay server
b. put the following into /etc/mail/sendmail.mc (the m4 macro names are case-sensitive)
MASQUERADE_AS(`domain.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.domain)dnl
then go to /etc/mail/sendmail.cf and comment out the C{E}root line
- conclusion
Friday, January 11, 2008
enable snmptrapd to work with selinux under Fedora Core 3
Purpose: make the HP ILO send SNMP traps to a trap server running snmptrapd, which in turn sends out email through the traptoemail handler.
- enable snmptrapd to work with selinux first
- download selinux-policy-targeted-sources-1.17.30-2.19.noarch.rpm and install it with rpm -ivh; after that, run the following commands
cd /etc/selinux/targeted/src/policy
[root@mail policy]# dmesg | audit2allow
allow snmpd_t bin_t:dir { search };
allow snmpd_t device_t:sock_file { write };
allow snmpd_t snmpd_t:fifo_file { write };
then put the above lines into /etc/selinux/targeted/src/policy/domains/misc/local.te; after that, in the policy folder, run 'make load'
finally, restart the snmptrapd service before sending a test SNMP alert from the ILO web interface.
2. how to set up snmptrap to email?
[root@mail snmp]# more /etc/snmp/snmptrapd.conf
traphandle default /usr/bin/perl /usr/bin/traptoemail -s localhost -f hpsnmptrap@yourdomain.com youremailaddress
You can put multiple traphandle lines in snmptrapd.conf
3. go to ILO - Administration - SNMP/Insight Manager Settings to enable SNMP ILO Alert, enter your snmp trap server IP address, and send a test alert.