Archive for the “Linux” Category
Posted by: Buzz in Linux
ESP Ghostscript 815.02: Unrecoverable error, exit code 255
I got this issue today on CentOS 5.4 x64 while investigating images that were not being scaled when processing a specific PDF. The solution, unfortunately, is to build ghostscript and imagemagick from the latest sources.
wget http://ghostscript.com/releases/ghostscript-8.71.tar.gz
wget http://image_magick.veidrodis.com/image_magick/ImageMagick-6.6.3-0.tar.gz
Unpack, configure, make && make install
To fix compatibility with pear imagick
ln -s /usr/local/lib/libMagickCore.so /usr/lib64/libMagick.so.10
ln -s /usr/local/lib/libMagickWand.so /usr/lib64/libWand.so.10
ln -s /usr/local/bin/gs /usr/bin/gs
Tags: 255, exit, ghostscript, image, imagick, magic, unrecoverable
No Comments »
Posted by: Buzz in Linux, hacking
Most of the time when I review our log watches each morning I become enraged at the number of automated attacks, but ever so occasionally I find one that frankly intrigues me.
Today is just such an occasion: I have had multiple brute force login attempts, and the ingenious part is that this attack has been designed to bypass tools such as fail2ban, blockhosts etc. This is how:
- Attack is launched from
- has PTR set for
- Failed login attempts record due to reverse lookup
- There is no A record, attacker maintains their own nameservers for the
- fail2ban notes failed logins, attempts to resolve to an IP but fails, due to missing A record
- Attacker can continue brute force attempts unhindered by being banned
I am still reading into how to counter this and will update this post as I figure out how to work around it; it's a very sneaky and frankly quite clever method of working around most automated blacklisting/banning tools.
Update 1:
One method I am trialing is the "log target" feature of iptables, in an attempt to match login failure times to the iptables log; I'll post back with results.
iptables -A INPUT -p tcp --dport ftp -j LOG
Outputs
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47423 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=45370 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=46896 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:01 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=63 TOS=0x00 PREC=0x00 TTL=55 ID=38502 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul 23 11:46:02 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=32551 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:02 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=59735 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:04 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=66 TOS=0x00 PREC=0x00 TTL=55 ID=23116 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul 23 11:46:07 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecting ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40246 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Update 2: Defeating the hack
Now granted this would be a lot worse had the attacking IP been dynamic; fortunately in this case it's not.
# sort before counting: uniq -c only merges adjacent identical lines
grep kernel /var/log/messages | awk '{print $9}' | sed 's/SRC=//' | sort | uniq -c | sort -rn
390 173.XXX.XXX.XXX
4 195.XXX.XXX.XXX
IPs have been masked to prevent anyone complaining or threatening legal action (again) for inferring you should block their IP / network range ... and me firing off the obligatory "Well if you policed your own network I wouldn't have to post this now would I" email.
Maybe I am just being cynical in my "old" age ...
Anyhow, as you may have guessed, I'm black-holing the IP with the 390 connection entries.
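As an added example (not code from the original post), the Update 1 idea carried through in Python: pair each failed login in the service log, which only carries the attacker's PTR name, with the iptables LOG entries that hit the FTP port in the seconds before it, so the real source IP surfaces even though the name never resolves to an A record. The log lines, hostnames and IPs are constructed samples; the 10-second window, the `FAIL LOGIN` marker and the 2010 year are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

YEAR = 2010  # syslog stamps carry no year; assumed for the constructed samples below
# Constructed sample data in the shape the post shows: iptables LOG lines from
# /var/log/messages, and a service log whose failed logins carry only the PTR name.
KERNEL_LOG = """\
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=3865 DPT=21 SYN URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=3865 DPT=21 ACK URGP=0
Jul 23 11:46:01 132 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=3865 DPT=21 ACK PSH URGP=0
Jul 23 11:46:30 132 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=51022 DPT=21 SYN URGP=0
Jul 23 11:50:00 132 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=51030 DPT=80 SYN URGP=0
"""
FTP_LOG = """\
Jul 23 11:46:02 132 ftpd: FAIL LOGIN: Client "ptr-only.attacker.example"
Jul 23 11:46:03 132 ftpd: FAIL LOGIN: Client "ptr-only.attacker.example"
Jul 23 11:46:31 132 ftpd: FAIL LOGIN: Client "legit-box.example"
"""

SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")
SRC_RE = re.compile(r"\bSRC=(\S+)")
DPT_RE = re.compile(r"\bDPT=(\d+)")

def syslog_time(line):
    """Parse the leading 'Jul 23 11:45:57' stamp into a datetime."""
    stamp = SYSLOG_TS.match(line).group(1)
    return datetime.strptime("%d %s" % (YEAR, stamp), "%Y %b %d %H:%M:%S")

def kernel_packets(kernel_log, port):
    """Yield (time, src_ip) for iptables LOG lines whose DPT is the service port."""
    for line in kernel_log.splitlines():
        dpt = DPT_RE.search(line)
        if " kernel: " in line and dpt and int(dpt.group(1)) == port:
            yield syslog_time(line), SRC_RE.search(line).group(1)

def failure_times(service_log, marker="FAIL LOGIN"):
    """Timestamps of failed logins; the hostname in the line is useless without an A record."""
    return [syslog_time(l) for l in service_log.splitlines() if marker in l]

def correlate(kernel_log, service_log, port=21, window=10):
    """Per source IP, count the failed logins preceded (within `window` seconds) by
    packets from that IP to the service port. All packets are matched, not just SYNs,
    because one connection can carry many attempts (note the constant SPT in the post)."""
    packets = list(kernel_packets(kernel_log, port))
    hits = Counter()
    for failed_at in failure_times(service_log):
        since = failed_at - timedelta(seconds=window)
        hits.update({src for when, src in packets if since <= when <= failed_at})
    return hits

if __name__ == "__main__":
    for ip, count in correlate(KERNEL_LOG, FTP_LOG).most_common():
        print("%4d failed logins correlated with SRC=%s" % (count, ip))
```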
Thanks
Being as I spoke to a load of people during the course of this I really cannot remember who contributed what to this solution, so I'll just have to thank you all; let me know if you want a crediting link.
Tags: brute, dissecting, fail2ban, force, hack
1 Comment »
Posted by: Buzz in Linux
This is something I have wanted to get working for some time now, and thanks to James P for passing me a note that as of OpenSSH 4.4 you can in fact add command line args to the Subsystem configuration, which when combined with the (I assume new) logging functionality of the sftp-server allows you to finally log what is occurring during an sftp session.
Note: Requires OpenSSH >= 4.4
Replace the Subsystem line in your /etc/ssh/sshd_config with
Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL5 -l INFO
Add the following to /etc/syslog.conf
#sftp logging
local5.* /var/log/sftpd.log
Restart the sshd and syslog services, try an sftp upload and review the logs at /var/log/sftpd.log
Tags: logging, sftp, ssh, sshd
No Comments »
Posted by: Buzz in Linux
Ever wanted / needed HTTPD or another service to run with a raised thread priority?
Well, you have a couple of options: add additional lines to the /etc/init.d script to change the nice level on startup, or, if you only need to do this on a temporary basis without restarting the service but need every thread to have a raised priority, you can use a bash script.
#!/bin/bash
# Nice value to apply (the original used 20). Note that a HIGHER nice value gives a
# LOWER priority and the kernel clamps to -20..19; to actually raise priority pass a
# negative value, which requires root.
NICE=${1:-20}
PIDS=$(ps aux | grep httpd | grep -v 'grep' | awk '{print $2}')
for PID in $PIDS
do
    renice "$NICE" -p "$PID"
done
You can renice between -20 and +20; depending on your requirements you can use this script in a cron job to raise/lower priorities, and change httpd for whatever service you want to change the thread priority for.
Ever needed to check files were being accessed / written to?
For this one you’re going to need the inotify-tools package, specifically the inotifywait binary.
inotifywait -m --timefmt "[%a %b %d %H:%M:%S %Y]" --format "%T [%e] %f" -r /folder/to/watch
An example usage is to ensure that caching is working correctly and that cache files are being used in place of processing PHP files, simply change “/folder/to/watch” to be your cache folder, and refresh a few pages.
All being well you’ll get an output similar to the following:
(root@132 BUZZ1) # /usr/local/bin/inotifywait -m --timefmt "[%a %b %d %H:%M:%S %Y]" --format "%T [%e] %f" -r /path/to/saiweb/wp-content/cache/supercache/*
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
[Thu Jul 15 20:59:37 2010] [OPEN] index.html
[Thu Jul 15 20:59:37 2010] [CLOSE_NOWRITE,CLOSE] index.html
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] security
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] vsftpd-chrooting-without-the-headache-allowing-shared-directories
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] vsftpd-chrooting-without-the-headache-allowing-shared-directories
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] the-zen-of-secured-shared-hosting-part-1
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] the-zen-of-secured-shared-hosting-part-1
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] php-security-considerations
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] php-security-considerations
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] antivirus-xp-2008-removal
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] antivirus-xp-2008-removal
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] suphplookupexception
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] suphplookupexception
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR] honeypotting-for-viruses-statement-of-fees-200809
[Thu Jul 15 21:00:08 2010] [OPEN,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] honeypotting-for-viruses-statement-of-fees-200809
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR] security
[Thu Jul 15 21:00:08 2010] [CLOSE_NOWRITE,CLOSE,ISDIR]
As can be seen the re-write rules are redirecting users to the cached files/folders; in the example above I have used my wp-supercache folder.
Ever needed to quickly get the memory usage of all threads for a service?
You have two options for this: a single line
ps -Ao rsz,comm,pid | grep <process name>
or a bash function you can place in your ~/.bashrc
function appmem(){
    if [ -z "$1" ]; then
        echo "appmem <string to filter>"
        echo "i.e. appmem httpd"
    else
        # rsz = resident size in KB, comm = command name, pid = process id
        ps -Ao rsz,comm,pid | grep "$1"
    fi
}
You can then call this (after logging back in again to load the .bashrc up) using appmem <string to filter>;
replacing <string to filter> with httpd, for instance, will give you an output similar to the following:
8032 httpd 6207
33080 httpd 13828
8552 httpd 14095
28952 httpd 14102
8540 httpd 14103
30848 httpd 16741
31296 httpd 16832
30452 httpd 18439
31044 httpd 19996
30968 httpd 23287
30356 httpd 23300
25636 httpd 24553
29712 httpd 24771
25588 httpd 24777
31632 httpd 24778
25608 httpd 24796
29716 httpd 24812
28152 httpd 24813
31684 httpd 31291
This shows memory in kilobytes, command and process id; you can see here I currently have 3mb/pid for each httpd process (due to my optimizations; I highly recommend you read parts 1-3).
Dump mysql data and compress on the fly
mysqldump -h <host> -u <user> -p <dbname> | bzip2 -c7 > /path/to/dump.sql.bz2
Self explanatory that one: it pipes the output from mysqldump through bzip2 (which has better compression than gzip) and dumps it out to a file; if you _really_ need a gzipped file just replace bzip2 with gzip in the line above.
Ever needed a selection of passwords generated?
For this one you can use secpwgen
function pwgen(){
    # secpwgen prints the password followed by an ENTROPY line; keep the password column
    for (( i=0; i<=10; i++ )); do
        pwd=$(secpwgen -Aadhs 10 2>&1 | grep ENTROPY | awk '{print $1}')
        echo "$i: $pwd"
    done
}
Plant this in your ~/.bashrc for a callable function that will generate a selection of 10 secure passwords, handy when you're fed up of 1337'ifying everything.
example output:
0: 4>&B.\2R+--
1: )`WREEGZP{
2: ^)3"=F==|?0
3: ?1/|;;GF-2
4: [..///_([=AZ
5: }^%RC~U8//L
6: \//VNTQ[)->
7: @HE5@3)A%?
8: )|1C[BSIT*
9: C[//X^W<$G1
10: EOQ#Y%NI>-
Modify the “-Aadhs” args to your taste.
This concludes Volume 1 and a very long post, please contribute your one liners / helper scripts via the comments.
Cheers
buzz
Tags: bash, handy, lhol, liners, Linux, one, scripts
2 Comments »
Posted by: Buzz in Linux, mySQL
I've no idea to this day why my bash script would not work with a CSV export from mysql by simply using mysql -e "SQL COMMAND HERE".
So I had to come up with a workaround quickly.
This led to using expect; scripting in this method can be used for numerous purposes, and I am currently in the process of writing a few test scripts using tcl and this package for pop, imap and smtp testing.
#!/usr/bin/expect -f
set DB "<database>"
set USER "<user>"
set PASS "<password>"
spawn mysql -u $USER -p $DB
match_max 100000
# mysql prompts "Enter password: "; matching the tail avoids depending on the exact wording
expect -exact "assword: "
send -- "$PASS\r"
# Braces stop Tcl substituting the \n, so MySQL sees it. Without the FIELDS/LINES
# clauses INTO OUTFILE writes tab-separated data, not CSV.
set SQL {SELECT * INTO OUTFILE '/tmp/csvfile.csv' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' FROM table}
expect -exact "mysql> "
send -- "$SQL;\r"
expect -exact "mysql> "
# was: sent -- "exit;/r" (typo in the command name and in the line ending)
send -- "exit;\r"
expect eof
Pretty simple really once you have the hang of it: you tell it what to expect and what to reply with. There are more advanced methods going on from here, including conditional sends based on the response.
I’ll be covering those soon.
Tags: csv, expect, mySQL, tcl
No Comments »
Posted by: Buzz in Linux
Strangely I've had some people reporting issues with being prompted for a username and password when accessing files on svn.saiweb.co.uk.
It would appear that in mod_dav_svn-1.4.2-4.el5_3.1 this directive: AuthzSVNNoAuthWhenAnonymousAllowed
now defaults to OFF. Well, that was a p.i.t.a. trying to track down, having never seen that directive in ANY of the documentation ...
Anyway, pass this on to others facing the same issue.
Tags: AuthzSVNNoAuthWhenAnonymousAllowed, broken, fubar, fucked, mod_authz_svn, mod_dav_svn, svn, wtf
No Comments »
Posted by: Buzz in Linux
The default install of vi is very basic, and being as I spend a lot of my time in there I find syntax highlighting invaluable; to get this however you will need the vim-enhanced package.
So run the following to install this package and set up an alias for vi.
yum install vim-enhanced
echo "alias vi='/usr/bin/vim'" >> ~/.bashrc
echo "syntax on" >> ~/.vimrc
alias vi='/usr/bin/vim'
And you're done.
Tags: CentOS, highlight, rhel, syntax, vi, vim-enhanced
No Comments »
Posted by: Buzz in Linux
Following on from the python bindings post I found myself with a real problem:
the netsnmp bindings I could not for the life of me get to take the Red Hat cluster MIB files, so what did that leave me with? Walking the entire parent cluster OID, manually matching the returned OIDs to their MIB names based on the value returned, as I couldn't find a decent MIB browser or script to convert them ...
At any rate, here is a subset of OIDs for polling the Red Hat cluster service using snmp; please note that there are more OIDs but these vary with your cluster config.
Python code:
# Enterprise OID of the Red Hat cluster MIB; each entry below is a suffix of it
rhc_oid = '.1.3.6.1.4.1.2312.8'
data_oids = {
    'rhcMIBVersion': '.1.1',
    'rhcClusterName': '.2.1',
    'rhcClusterStatusCode': '.2.2',
    'rhcClusterStatusDesc': '.2.3',
    'rhcClusterVotesNeededForQuorum': '.2.4',
    'rhcClusterVotes': '.2.5',
    'rhcClusterQuorate': '.2.6',
    'rhcClusterNodesNum': '.2.7',
    'rhcClusterNodesNames': '.2.8',
    'rhcClusterAvailNodesNum': '.2.9',
    'rhcClusterAvailNodesNames': '.2.10',
    'rhcClusterUnavailNodesNum': '.2.11',
    'rhcClusterUnavailNodesNames': '.2.12',
    'rhcClusterServicesNum': '.2.13',
    'rhcClusterServicesNames': '.2.14',
    'rhcClusterRunningServicesNum': '.2.15',
    'rhcClusterRunningServicesNames': '.2.16',
    'rhcClusterStoppedServicesNum': '.2.17',
    'rhcClusterStoppedServicesNames': '.2.18',
    'rhcClusterFailedServicesNum': '.2.19',
    'rhcClusterFailedServicesNames': '.2.20'}
# Print the MIB name next to its full OID (print() so this runs on Python 3 as well)
for item, suffix in data_oids.items():
    oid = '%s%s' % (rhc_oid, suffix)
    print(item, oid)
Tags: oid, python, redhat, snmp
No Comments »
Posted by: Buzz in Linux, python
Following on from Linux – Generating file manifests and then checking them I was always getting the same questions ...
How long left on the manifest Buzz?
How long left on the verification Buzz?
And I HATE having to turn around and say ... I don't know ...
The problem with the usual command line method is that it gives no indication of progress, and by extension no indication that it is in fact running and not 'hung' ...
As such I have now added the 'manifest' command set to the Sysadmin toolset.
The manifest command takes two data types. The first is a folder path from which to build the file manifest; the manifest itself is also compatible with the "md5sum --check" function.
The second is the path to the manifest itself, in which case the manifest command will verify each file against its entry in the manifest.
At each point the command gives you an indication of its current status; however this does come at a small cost: the script has no concept of the size of your console and as such will always render out the same number of characters, meaning if your console is not wide enough it will not render correctly. In the videos I have the console on a high resolution monitor; as can be seen, each video itself is 900 pixels wide.
This process is CPU intensive (20-45% on one core of an Intel Core2Duo 2.8GHz) and uses around 140KB of memory.
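An added example, not the sysadmin toolset's own code, of what the manifest command set described above does: build an `md5sum --check` compatible manifest from a folder, verify a folder against one, and draw a fixed-width progress bar on stderr while doing so. The bar width, the 64 KB read block and the function names are assumptions.

```python
import hashlib
import os
import sys

BLOCK = 64 * 1024  # read files in blocks so large files are never loaded whole

def md5_file(path):
    """Hex MD5 of a file, read in blocks."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            digest.update(block)
    return digest.hexdigest()

def progress(done, total, width=40):
    """Fixed-width bar on stderr; like the post's tool it assumes the console is wide enough."""
    filled = width * done // max(total, 1)
    sys.stderr.write("\r[%s%s] %d/%d" % ("#" * filled, "." * (width - filled), done, total))
    sys.stderr.flush()

def build_manifest(folder, out_path):
    """Write 'md5  relative/path' lines, the format 'md5sum --check' reads. Returns file count."""
    out_abs = os.path.abspath(out_path)
    files = sorted(os.path.join(d, n) for d, _, names in os.walk(folder) for n in names
                   if os.path.abspath(os.path.join(d, n)) != out_abs)  # never hash ourselves
    with open(out_path, "w") as out:
        for i, path in enumerate(files, 1):
            out.write("%s  %s\n" % (md5_file(path), os.path.relpath(path, folder)))
            progress(i, len(files))
    sys.stderr.write("\n")
    return len(files)

def verify_manifest(manifest_path, folder):
    """Check every entry; returns (ok, failed) lists of relative paths.
    Missing files count as failed, the same way md5sum --check reports them."""
    with open(manifest_path) as m:
        entries = [line.rstrip("\n").split("  ", 1) for line in m if line.strip()]
    ok, failed = [], []
    for i, (digest, rel) in enumerate(entries, 1):
        path = os.path.join(folder, rel)
        if os.path.isfile(path) and md5_file(path) == digest:
            ok.append(rel)
        else:
            failed.append(rel)
        progress(i, len(entries))
    sys.stderr.write("\n")
    return ok, failed

if __name__ == "__main__":  # usage: manifest.py <folder>  |  manifest.py <manifest> <folder>
    if len(sys.argv) == 2:
        print("%d files hashed" % build_manifest(sys.argv[1], "MANIFEST.md5"))
    else:
        good, bad = verify_manifest(sys.argv[1], sys.argv[2])
        print("%d OK, %d FAILED" % (len(good), len(bad)))
```

Paths in the manifest are relative to the folder, so run `md5sum --check MANIFEST.md5` from inside that folder.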
Tags: cli, indication, indicator, Linux, manifest, md5, progress, python, sysadmin
No Comments »
Posted by: Buzz in Linux
I had a major issue with the iconv functionality of the sysadmin toolset, namely due to rushed coding.
When loading a file to be re-encoded the entire file was loaded into the buffer, encoded as a whole and written out to the new file; this of course meant the memory usage was roughly double the size of the file to be converted, plus any overheads to do with the encoding itself.
Today I needed to convert a 1.3GB SQL file; needless to say the script was crashing out with a memory error.
As such I have now completely re-written the function: it now processes the file in 1kb 'chunks', moving the load to the CPU. This process is now very CPU intensive but the memory overhead is minimal (during testing it processed the 1.3GB file using 113kb of memory!!!).
Also I have now added BOM (Byte order mark) detection.
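An added example, not the toolset's own code, of the chunked re-encoding with BOM detection described above: the file is decoded and re-encoded one chunk at a time through incremental codecs, so memory stays bounded and a multi-byte character split across two chunks (the failure mode a naive chunked `bytes.decode()` hits) is carried over correctly. The 1 KB chunk default follows the post; the function and argument names are assumptions.

```python
import codecs

CHUNK = 1024  # the post's tool works in 1 KB chunks; memory use is bounded by this

# BOM signatures checked longest first, so UTF-32 LE (FF FE 00 00) is not mistaken
# for UTF-16 LE (FF FE). The BOM itself is stripped and never re-emitted.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]

def detect_bom(head):
    """Return (encoding, bom_length) for a recognised BOM at the start of head, else (None, 0)."""
    for bom, enc in BOMS:
        if head.startswith(bom):
            return enc, len(bom)
    return None, 0

def convert(src_path, dst_path, src_encoding, dst_encoding="utf-8", chunk=CHUNK):
    """Re-encode src_path into dst_path one chunk at a time.
    A BOM on the input overrides src_encoding. The incremental decoder keeps any
    partial multi-byte sequence at the end of a chunk and completes it with the
    next one, so chunk boundaries never corrupt characters.
    Returns the source encoding actually used."""
    encoder = codecs.getincrementalencoder(dst_encoding)()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        head = src.read(max(chunk, 4))        # enough bytes to see any BOM
        enc, skip = detect_bom(head)
        decoder = codecs.getincrementaldecoder(enc or src_encoding)()
        data = head[skip:]
        while data:
            dst.write(encoder.encode(decoder.decode(data)))
            data = src.read(chunk)
        # final=True makes a truncated trailing sequence raise instead of vanishing
        dst.write(encoder.encode(decoder.decode(b"", final=True), final=True))
    return enc or src_encoding

if __name__ == "__main__":
    import sys  # usage: convert.py <in> <out> <source encoding> [target encoding]
    print("decoded as", convert(*sys.argv[1:5]))
```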
Tags: BOM, charset, conversion, iconv, python
No Comments »