Sunday, December 7, 2008

looking for missing data in a partition

# grep -a -B10 -A100 -i fibonacci /dev/hda2 > fibonacci.out
a. searches the raw partition /dev/hda2 for the string "fibonacci"; the string came from a deleted file, so it can only be found in the raw blocks, not through the file system.
b. write fibonacci.out to a different file system (another partition, a USB disk, an NFS mount), never to /dev/hda2 itself: any new write to that partition can reuse the very blocks that still hold the deleted data. If you can, remount it read-only first (mount -o remount,ro /dev/hda2).

-a treat the binary device as text (without it grep only reports "Binary file matches")
-BN print N lines of context before each match
-AN print N lines of context after each match
-i case-insensitive match

use The Sleuth Kit (TSK) to recover deleted files

1. install The Sleuth Kit; a plain 'make' will do
2. make sure /usr/local/sleuthkit/bin is in your PATH before running the commands below
3. image the disk or partition and work on the image, not on the live device:
dd if=/dev/disk-or-partition bs=1024 of=nameofimagefile conv=noerror,sync
(noerror keeps dd going past unreadable sectors; sync pads each short read with zeros so that block offsets in the image still match the original, which the block arithmetic below depends on)

The Sleuth Kit is good at recovering text files

a. use TSK's dls command to extract all of the unallocated space from the disk image into a single file; searching that file instead of the whole image is much faster, since only blocks that can hold deleted data are scanned. (TSK 3.x renamed the block tools: dls is now blkls, dcalc is blkcalc and dcat is blkcat.)

# dls hd5_image_etc_files_deleted.img > dls_output.dls

b. use the standard strings command to list every text string in that file together with its decimal byte offset (-t d)
# strings -t d dls_output.dls > dls_output.dls.str

c. use grep to search for a string that identifies the file you're looking for (here the root entry of a deleted /etc/passwd)
grep ":0:0" dls_output.dls.str
131698688 root:x:0:0

d. divide the byte offset by the file system block size (4096 by default for ext2/ext3; confirm with 'fsstat image' or 'tune2fs -l /dev/hda2') to get the block number inside the dls output
echo "131698688/4096" | bc
32153

e. map that unallocated-space block number back to the block address in the original image (-u tells dcalc the input is a dls address)
dcalc -u 32153 hd5_image_etc_files_deleted.img

f. dump that block from the image, redirecting to a file to save it; if the file was larger than one block, dump the neighbouring blocks as well
dcat hd5_image_etc_files_deleted.img <block number printed by dcalc> [> filename]


g. another tool is Foremost (
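The offset-to-block arithmetic used above (strings -t d, divide by the block size, dcalc, dcat), done with plain grep and dd on a raw image, as an added example that is not part of the original post. It builds its own constructed 64 KiB image with a planted string so it runs anywhere; BLOCK_SIZE, the function names and the planted text are this example's own choices, not anything from the page.

```shell
#!/bin/sh
# Added example (not from the original post): the byte-offset to block
# arithmetic behind the strings -t d / bc / dcalc / dcat steps, done on a raw
# image with grep and dd only. The image built by make_test_image is a
# constructed 64 KiB file, not a real partition dump.

BLOCK_SIZE=4096   # ext2/ext3 default; confirm with 'fsstat image' or 'tune2fs -l /dev/hda2'

# Print "byte-offset block-number" for each match of $2 in image $1.
# grep -a treats the binary image as text, -b prints the byte offset and -o
# makes that offset refer to the match itself rather than to the start of the
# (possibly megabytes long) "line" the match sits in.
find_string_blocks() {
    img=$1
    pat=$2
    grep -a -b -o -i -- "$pat" "$img" | while IFS=: read -r off _rest; do
        printf '%s %s\n' "$off" $((off / BLOCK_SIZE))
    done
}

# Copy block $2 of image $1 to stdout: the raw-image equivalent of dcat.
# Use it as "extract_block img 32153 > /mnt/usb/recovered.bin", i.e. redirect
# to another file system, never back onto the disk being examined.
extract_block() {
    dd if="$1" bs="$BLOCK_SIZE" skip="$2" count=1 2>/dev/null
}

# Build the constructed test image: 16 zero blocks with a fake remnant of a
# deleted file planted 96 bytes into block 2, so that the word "Fibonacci"
# lands at absolute byte offset 8292.
make_test_image() {
    img=$1
    dd if=/dev/zero of="$img" bs="$BLOCK_SIZE" count=16 2>/dev/null
    printf 'The Fibonacci series: 1 1 2 3 5 8 13 21\n' |
        dd of="$img" bs=1 seek=$((2 * BLOCK_SIZE + 96)) conv=notrunc 2>/dev/null
}

# Stand-alone run: build the image, locate the string, pull the block out.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_image "$tmp/test.img"
    find_string_blocks "$tmp/test.img" fibonacci      # prints: 8292 2
    extract_block "$tmp/test.img" 2 | grep -a -o 'The Fibonacci series: [0-9 ]*'
    rm -rf "$tmp"
fi
```

Run it with the single argument demo. When you search the raw image (as the grep on /dev/hda2 does), the quotient is the block number directly; it is only when you search the dls output that the extra dcalc step is needed to map the unallocated-space block back to its address in the original image.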

Wednesday, October 29, 2008

use Nikto for Web server security testing

Tuesday, May 27, 2008

scp stalls through a firewall while ssh works fine

  • someone says:
I have seen similar effects by several reasons:
- disallow icmp and mtu mismatch between networks (e.g. different
networks with then ethernet).
- Split routes
- firewall timeouts
- auto negotiation
Stalled "scp" session
Symptom: When "scp"ing huge files (> 4GB) between hosts, the transfer stalls forever at random instants. It even happens with ftp/rsync. Two reasons may contribute to this problem:
1. Since scp greedily grabs as much bandwidth of the network as possible when it transfers files, any delay caused by the network switch or the SuSE firewall can easily make the TCP connection stall.
For this reason, the solution is to limit the bandwidth quota for scp as below:
username@localhost> scp -l 2000 SOURCE DESTINATION # The option "-l 2000" limits the bandwidth to 2000 Kbit/s, which is safe and fast enough.
2. It is due to the Linux SACK implementation problem for
both 2.4 and 2.6 when the TCP window is > 20 MB. Linux
takes such long time to locate the SACKed packet that
a TCP timeout is easily reached and CWND goes back to
the first packet when there are too many packets in flight
and a SACK event is invoked.
Please refer to the following links for information about
It might work to restrict the TCP buffer size to about 12 MB. However,
the total throughput is limited. The better solution may be:
username@localhost> su # Enter the root password
append "net.ipv4.tcp_sack=0" to /etc/sysctl.conf
username@localhost> sysctl -p
or
username@localhost> su # Enter the root password
username@localhost> echo 0 > /proc/sys/net/ipv4/tcp_sack
or
username@localhost> su # Enter the root password
username@localhost> sysctl -w net.ipv4.tcp_sack=0
With this configuration, the SSH transfer of a huge file will stall occasionally for short periods of less than 1 second and then recover automatically. That means the simple cumulative acknowledgement scheme of TCP is robust enough.
FYI: There are many other suggestions on the internet as listed below (unfortunately, none of them worked on my machine):
1. Eliminating all the DROP rules for port 22 inside the iptables.
2. Turning off SuSEfirewall2.
3. Limiting the bandwidth by:
username@localhost> scp -l 2000
4. Changing the MTU of NIC by:
username@localhost> ifconfig eth0 mtu xxx
5. Increasing the queue for transmission by
username@localhost> ifconfig eth0 txqueuelen 2000
6. Tuning TCP performance by
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
7. Turning off the buggy TCP segmentation offload by
username@localhost> ethtool -K eth0 tso off
8. Compressing the files being transferred by
username@localhost> scp -C
9. Using pipe and std io to avoid possible "scp" huge file
limitation by
username@localhost> cat localfile | ssh ravana cat ">" remotefile
username@localhost> tar cf - . | ssh ravana tar xvpf -
10. Clamping MSS by
username@localhost> iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

====for my company, I used the following over a 2M leased line link

scp -l 1500 VMware-server-1.0.5-80187.i386.rpm

Tuesday, May 6, 2008

setup tcptraceroute under CentOS 5

  • download tcptraceroute from
  • install the libpcap packages on CentOS 5 using yum
#yum install libpcap*
including the libpcap-devel package, so that the pcap.h header is available for 'make'
  • install the libnet package
# yum install libnet (without *)
  • run 'ldconfig -v' before compiling tcptraceroute, so the freshly installed libraries are found
  • compile tcptraceroute
# ./configure;make;make install
  • done

Thursday, April 10, 2008

setup sudosh and swatch on Linux server

  • purpose:
assuming the root password is locked away in a safe, a normal user like 'jephe' can only become root via 'sudo sudosh'; from then on everything typed and displayed in the session is recorded and can be replayed later with sudosh-replay.

  • install sudosh
download it from the DAG repository (search for 'DAG sudosh') so that 'yum install sudosh' works on CentOS 5; on RHEL 5 run 'yum install sudosh' after registering with RHN using the command 'rhnreg_ks --proxy=http://x.y.z.k:port --username=user1 --password=pass1'
  • put the following in /etc/sudoers (edit it with visudo)
jephe ALL=/usr/bin/sudosh
  • initialize the sudosh session log directory by running 'sudosh -i'; the permissions should look like this:
[root@jephe ~]# ls -ld /var/log/sudosh
drwx-wx-wx 2 root root 4096 Apr 10 15:37 /var/log/sudosh

  • install swatch to scan /var/log/secure in real time and alert on su, sudo and console root logins
1. installing swatch rpm using the same method as sudosh
2. put the following to /etc/swatch.conf
[root@jephe ~]# more /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- server sudo alert! ---

watchfor /su:.*/
mail root,subject=--- server su alert! ---

watchfor /login: ROOT LOGIN.*/
mail root,subject=--- server console login alert! ---
3. set the root alias in /etc/aliases, then run 'newaliases'; for environments without a DNS server, tell sendmail to resolve hosts from /etc/hosts via /etc/mail/service.switch
[root@jephe ~]# cd /etc/mail
[root@jephe mail]# more service.switch
hosts files
4. put the following to /etc/rc.local
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
5. add the following postrotate block to /etc/logrotate.d/syslog, so that swatch is restarted after rotation (swatch runs 'tail -n 0 -f', which keeps following the rotated-away file, so it goes blind once /var/log/secure is rotated)
[root@jephe logrotate.d]# more syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/ 2> /dev/null` 2> /dev/null || true

        ##added by Jephe####
        kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
        sleep 5
        /usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
    endscript
}
6. put the following in /usr/local/sbin/restartsw (for restarting swatch by hand)
[root@db7 logrotate.d]# more /usr/local/sbin/restartsw
#!/bin/sh
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 2
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon

  • configuring sendmail to masquerade in a non-DNS environment (changes to sendmail.mc: relay everything through the host 'mailrelay' and rewrite the sender domain so the alert mail is deliverable)
[root@db7 mail]# diff
> define(`SMART_HOST',`mailrelay')dnl
> dnl EXPOSED_USER(`root')dnl
> FEATURE(masquerade_envelope)dnl
> FEATURE(masquerade_entire_domain)dnl
> MASQUERADE_DOMAIN(localhost)dnl
> MASQUERADE_DOMAIN(localhost.localdomain)dnl

note: assuming the server hostname is , swatch would normally send out email using , which is a non-existent domain, but is valid, so we masquerade it to . EXPOSED_USER(`root') is commented out so that mail from root is masqueraded as well.

setup osiris for Windows

  • purpose: to record system user/group changes and changes to the Windows directory and any other directories you choose.
  • how it works: on Windows osiris runs as an agent; the management tool and the daemon reside on the Linux server. Configure it on the Linux server after installing the agent on Windows. It then takes a baseline database of the host and compares against it every 24 hours by default, sending an email alert for any change.
  • install it on Windows
if you install it through a Terminal Services session, it installs to the wrong place (under that user's profile instead of the Windows directory).
1. after installing, copy the c:\Documents and Settings\sysmgr\windows\osiris directory to c:\win2k03
2. copy c:\Documents and Settings\sysmgr\windows\osiris to c:\win2k03\system32
3. start the osiris service again

note: if you encounter an error saying "error writing to file osimessage.dll", you can rename c:\windows\system32\osimessage.dll first
  • osiris on Linux
1. ./configure;make;make install
2. open tcp ports 2265 and 2266 in the iptables host firewall
3. open the same two ports on any firewall between the agent and the server
4. on the server, configure the management console
# osiris
# log in with username and password
# add-host
accept the defaults all the way, except for the email alert part, where you answer (y,y,n,y)

copy the configuration file to the Windows server to be monitored, then
start-scan servername
list-db servername

Wednesday, April 9, 2008

setup Snare for Windows for centralized system log

  • download Snare for Windows
  • after installing, access it at http://localhost:6161
  • go to 'network configuration' and enter the remote Linux syslog-ng server IP under 'Destination Snare Server address', and the 'Destination Port', which is 514 for syslog-ng
  • go to 'remote control' to set a password
  • next time, log in with the username/password pair 'snare' / the password you gave

Thursday, March 6, 2008

setup Snort on CentOS 5

  1. follow the documentation on
  2. certain things to take note of:
  • selinux
vi /etc/selinux/config, set SELINUX=disabled, then reboot (the blunt fix; the audit2allow approach in the snmptrapd post further down keeps SELinux enforcing)
  • yum -y update, and you might want to add 'export http_proxy=' to /etc/profile
  • oinkmaster
log in to the snort website as a registered user, go to Rules - Download Rules; from there you will learn how to get the oinkmaster code for automatic rule downloads as a registered user.

after setting up the oinkmaster cronjob script, you might want to add a root cronjob to restart snort as well, so that the rules downloaded by oinkmaster are actually loaded by snort

crontab -l -u snort
30 5 * * * export http_proxy=; /usr/bin/ -C /etc/oinkmaster.conf -C /etc/autodisable.conf -b /etc/snort/backup > /tmp/snort.cron 2>&1 ;sync;sync;sync;sleep 15; (";echo "Subject: snort rules daily update";echo "";cat /tmp/snort.cron) | /usr/sbin/sendmail -f

  • pear config-show
use 'pear config-set http_proxy ' to set the proxy, then run 'pear install xxxxx'
  • perl -MCPAN -e shell
install Net::RawIP (or 'force install Net::RawIP' if its tests fail)
  • barnyard
download it from
./configure --enable-mysql;make;make install
use the following configuration for /etc/snort/barnyard.conf
config localtime
config hostname: localhost
config interface: eth1
output alert_fast
output log_dump
output log_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full

you only need to create bylog.waldo once; after that, barnyard updates it automatically.

here is the init script for barnyard (the listing as posted had lost its variable assignments and case labels; the values below follow the barnyard.conf and snort.conf settings on this page, and gen-msg.map / sid-msg.map are the map files shipped with snort, so adjust the paths to your install):
#!/bin/bash
#
# barnyard      Start/stop the Barnyard output spooler for Snort
#
# chkconfig: 2345 99 82
# description: Starts and stops Barnyard
# config: /etc/snort/barnyard.conf
# processname: barnyard

# Source function library
. /etc/rc.d/init.d/functions

# program name
BASE=barnyard

# program options (adjust to your install)
CONF=/etc/snort/barnyard.conf         # barnyard.conf shown above
GEN_MAP=/etc/snort/gen-msg.map        # generator id -> name map shipped with snort
SID_MAP=/etc/snort/sid-msg.map        # signature id -> message map shipped with snort
LOG_DIR=/var/log/snort                # where snort writes its unified output
LOG_FILE=snort.log                    # log_unified filename from snort.conf below
WALDO_FILE=/var/log/snort/bylog.waldo # bookmark file, created once by hand
DAEMON=-D                             # run in the background

RETVAL=0

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# See how we were called.
case "$1" in
  start)
        if [ -n "`/sbin/pidof $BASE`" ]; then
            echo -n $"$BASE: already running"
            echo ""
            exit $RETVAL
        fi
        echo -n "Starting Barnyard service: "
        /usr/local/bin/$BASE -c $CONF -g $GEN_MAP -s $SID_MAP -d $LOG_DIR -f $LOG_FILE -w $WALDO_FILE $DAEMON
        sleep 1
        action "" /sbin/pidof $BASE
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/barnyard
        ;;
  stop)
        echo -n "Shutting down Barnyard service: "
        killproc /usr/local/bin/$BASE
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/barnyard
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  status)
        status $BASE
        RETVAL=$?
        ;;
  *)
        echo "Usage: barnyard {start|stop|restart|reload|status}"
        exit 1
esac

exit $RETVAL
  • snort.conf
output alert_syslog: LOG_LOCAL1
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

change the interface to eth1 in the /etc/init.d/snort script

cronjob for snort:
50 5 * * * /sbin/service snort restart 2>&1 > /tmp/snortrestart.cron;sleep 5;(echo "";echo "Subject:snort daily restart";echo "";cat /tmp/snortrestart.cron)| /usr/sbin/sendmail -f

  • swatch
more /etc/swatch.conf:
watchfor /snort.*Priority.* -> .*/
mail,subject=--- Sensor1 Snort Alert! ---

  • syslog
add the following to /etc/logrotate.d/syslog (same trick as in the sudosh post: restart swatch after rotation, because its 'tail -f' keeps following the rotated-away file)
/var/log/snortalert {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/ 2> /dev/null` 2> /dev/null || true
        kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
        sleep 5
        /usr/bin/swatch -c /etc/swatch.conf -t /var/log/snortalert --daemon
    endscript
}
and make syslog write the snort alerts (sent via alert_syslog: LOG_LOCAL1 above) to that file:
grep snort /etc/syslog.conf
local1.* /var/log/snortalert

  • /etc/rc.local
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/snortalert --daemon

  • sendmail
masquerade to
a. change the DS line to DS[] , which is the smtp server
b. put the following in /etc/mail/
then go to /etc/mail/ and comment out C{E} root

  • conclusion
snort runs with rules updated daily by oinkmaster, which requires a snort restart; swatch watches /var/log/snortalert and sends out email notifications, but must be restarted after each syslog rotation; barnyard records the snort alerts into the MySQL database.
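The swatch rules from the sudosh/swatch post above (su, sudo and console root login in /var/log/secure) and the one in this post (/snort.*Priority.* -> .*/ on /var/log/snortalert), re-implemented in awk so the patterns can be exercised on sample lines before swatch is started as a daemon. This is an added example, not code from the original posts or from swatch: the function names, the priority threshold and every log line are this example's own constructions (local rule SIDs, documentation IP ranges), not real events.

```shell
#!/bin/sh
# Added example, not part of the original posts: the /etc/swatch.conf rules
# from the sudosh/swatch post and from the Snort post, re-implemented in awk
# so the patterns can be checked on sample lines. All log lines below are
# constructed for this example; none are real events.

SAMPLE_SECURE='Apr 10 15:40:01 jephe sshd[2231]: Accepted password for jephe from 192.0.2.10 port 51034 ssh2
Apr 10 15:40:12 jephe sudo:    jephe : TTY=pts/0 ; PWD=/home/jephe ; USER=root ; COMMAND=/usr/bin/sudosh
Apr 10 15:41:03 jephe su: pam_unix(su-l:session): session opened for user root by jephe(uid=500)
Apr 10 15:42:55 jephe login: ROOT LOGIN ON tty1'

SAMPLE_SNORT='Mar  6 10:15:02 sensor1 snort[2873]: [1:1000001:1] LOCAL inbound SQL probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.5:3344 -> 198.51.100.7:1433
Mar  6 10:15:09 sensor1 snort[2873]: [1:1000002:1] LOCAL SNMP walk [Classification: Attempted Information Leak] [Priority: 3]: {UDP} 192.0.2.7:3121 -> 198.51.100.9:161'

# secure_events: one "TYPE detail" line per event the three swatch rules would
# mail about; the detail (user, command, tty) is what you would want in the
# subject line instead of the fixed "--- server sudo alert! ---".
secure_events() {
    awk '
    /sudo:.*COMMAND=/ {                       # watchfor /sudo:.*/
        u = $0; sub(/.*sudo:[ \t]+/, "", u); sub(/[ \t].*/, "", u)
        c = $0; sub(/.*COMMAND=/, "", c)
        print "SUDO " u " " c; next
    }
    /su:.*session opened for user root by / { # watchfor /su:.*/
        u = $0; sub(/.*by /, "", u); sub(/\(.*/, "", u)
        print "SU " u; next
    }
    /login: ROOT LOGIN ON / {                 # watchfor /login: ROOT LOGIN.*/
        t = $0; sub(/.*ROOT LOGIN ON /, "", t)
        print "CONSOLE_ROOT_LOGIN " t; next
    }'
}

# snort_events: the Snort swatch rule with a priority threshold ($1, default 2).
# The rule as written mails once per alert line, so one noisy priority-3
# signature floods the mailbox and buries the priority-1 events.
snort_events() {
    awk -v pri_max="${1:-2}" '
    /snort.*Priority.* -> / {
        sid = $0; sub(/.*\[[0-9]+:/, "", sid); sub(/:.*/, "", sid)
        pri = $0; sub(/.*\[Priority: /, "", pri); sub(/\].*/, "", pri)
        split($0, ends, " -> ")               # ends[2] is the destination
        n = split(ends[1], w, " ")            # last word before " -> " is the source
        if (pri + 0 <= pri_max)
            print "SNORT sid=" sid " priority=" pri " " w[n] " -> " ends[2]
    }'
}

# Stand-alone run: feed the constructed samples through both rule sets.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SECURE" | secure_events
    printf '%s\n' "$SAMPLE_SNORT" | snort_events 2
fi
```

Run it with the single argument demo. The sshd line produces nothing, the sudo line yields the user and command, and with the default threshold only the priority-2 Snort alert is reported; raising the threshold to 3 reports both.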

Friday, January 11, 2008

enable snmptrapd to work with selinux under Fedora Core 3

Purpose: make the HP iLO send SNMP traps to a trap server running snmptrapd, which then sends out email through the traptoemail handler.

  1. enable snmptrapd to work with selinux first
  • download selinux-policy-targeted-sources-1.17.30-2.19.noarch.rpm and install it with rpm -ivh; after that, run the following commands
[root@mail policy]# pwd
[root@mail policy]# dmesg | audit2allow
allow snmpd_t bin_t:dir { search };
allow snmpd_t device_t:sock_file { write };
allow snmpd_t snmpd_t:fifo_file { write };

then put the above lines into /etc/selinux/targeted/src/policy/domains/misc/local.te and, still in the policy folder, run 'make load'
finally, restart the snmptrapd service before sending a test snmp alert from the iLO web interface.

2. how to forward snmp traps to email?
[root@mail snmp]# more /etc/snmp/snmptrapd.conf
traphandle default /usr/bin/perl /usr/bin/traptoemail -s localhost -f youremailaddress

You can put multiple traphandle lines in snmptrapd.conf (one per trap OID, with 'default' as the catch-all)

3. go to iLO - Administration - SNMP/Insight Manager Settings, enable the SNMP iLO Alert, enter your snmp trap server IP address, and send a test alert now.