Category Archives: linux

use lfd to scan logfiles for custom auth failures

Two examples:

/var/log/mail.log
scan for SMTP auth failures like:

Jul 14 08:34:54 ns1 postfix/smtpd[20888]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

/var/log/auth.log
scan for Dovecot IMAP login failures like:

Jul 14 08:34:05 ns1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=contact rhost=xx.xx.xx.xx

In /etc/csf/csf.conf define:

CUSTOM1_LOG = "/var/log/mail.log"
CUSTOM2_LOG = "/var/log/auth.log"

In /etc/csf/regex.custom.pm add:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    # fields: message, offending IP, rule name, failures before blocking, ports to block, block time in seconds
    return ("Failed SASL login from",$1,"mysaslmatch","5","list of ports to block this IP","14400");
}

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ auth:\ pam_unix\(dovecot:auth\): authentication failure; .* rhost\=(\d+\.\d+\.\d+\.\d+)/)) {
    return ("Failed dovecot auth login from",$1,"dovecot_auth_match","5","list of ports to block this IP","14400");
}
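Before dropping a pattern into regex.custom.pm it is worth confirming that it matches the lines you mean and nothing else, and that capture group 1 really is the client IP lfd will block. The following is an added example, not part of the original post or of csf/lfd: it runs the two patterns above (copied unchanged; Ruby's regex engine behaves the same as Perl's for these constructs) against constructed log lines modelled on the two samples, using TEST-NET documentation addresses, since the `xx.xx.xx.xx` placeholders in the samples would not satisfy `\d+`. The `classify` helper mirrors the hook's return list and its per-logfile guard, so a Dovecot line landing in mail.log does not fire the Dovecot rule.

```ruby
# Added example, not from the original post or from csf/lfd. Ruby stands in
# for Perl here; the two patterns are copied verbatim from regex.custom.pm.
CONFIG = { "CUSTOM1_LOG" => "/var/log/mail.log", "CUSTOM2_LOG" => "/var/log/auth.log" }

SASL_FAIL    = /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/
DOVECOT_FAIL = /^\S+\s+\d+\s+\S+ \S+ auth:\ pam_unix\(dovecot:auth\): authentication failure; .* rhost\=(\d+\.\d+\.\d+\.\d+)/

# Mirrors the regex.custom.pm hook: the same 6-field list lfd expects
# (message, IP, rule name, failures before blocking, ports, block seconds),
# or nil when the line does not belong to this log or does not match.
def classify(lgfile, line, config = CONFIG)
  if lgfile == config["CUSTOM1_LOG"] && (m = SASL_FAIL.match(line))
    return ["Failed SASL login from", m[1], "mysaslmatch", "5", "list of ports to block this IP", "14400"]
  end
  if lgfile == config["CUSTOM2_LOG"] && (m = DOVECOT_FAIL.match(line))
    return ["Failed dovecot auth login from", m[1], "dovecot_auth_match", "5", "list of ports to block this IP", "14400"]
  end
  nil
end

# Constructed sample lines (TEST-NET addresses), modelled on the post's two examples.
SAMPLE_SASL    = "Jul 14 08:34:54 ns1 postfix/smtpd[20888]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"
SAMPLE_PLAIN   = "Jul 14 08:36:01 ns1 postfix/smtpd[20890]: warning: unknown[192.0.2.11]: SASL PLAIN authentication failed: authentication failure"
SAMPLE_DOVECOT = "Jul 14 08:34:05 ns1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=contact rhost=198.51.100.7"
SAMPLE_CONNECT = "Jul 14 08:35:00 ns1 postfix/smtpd[20888]: connect from unknown[192.0.2.10]"

if __FILE__ == $0
  [[CONFIG["CUSTOM1_LOG"], SAMPLE_SASL],
   [CONFIG["CUSTOM1_LOG"], SAMPLE_PLAIN],
   [CONFIG["CUSTOM2_LOG"], SAMPLE_DOVECOT],
   [CONFIG["CUSTOM1_LOG"], SAMPLE_DOVECOT],   # right pattern, wrong log: must not fire
   [CONFIG["CUSTOM1_LOG"], SAMPLE_CONNECT]].each do |file, line|
    puts "#{file}: #{classify(file, line).inspect}"
  end
end
```

The `[A-Z]*?` group is what lets one pattern cover both `SASL LOGIN` and `SASL PLAIN` failures; a plain `connect from` line with the same bracketed IP is correctly ignored.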

automated patching against SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

Suppose you have a server with multiple rubies, rvms, gemsets, etc…

Manually finding and patching all affected activerecord-gems would be pretty cumbersome.

The following script does the job for you:

#!/usr/bin/env ruby

SEARCH_DIR = "/" # by default search the entire filesystem
ACTIVERECORD_GEM_VERSIONS = ['2.3', '3.0', '3.1', '3.2']
PATCHES = {
  '2.3' => 'https://bugzilla.redhat.com/attachment.cgi?id=672189',
  '3.0' => 'https://bugzilla.redhat.com/attachment.cgi?id=672190',
  '3.1' => 'https://bugzilla.redhat.com/attachment.cgi?id=672191',
  '3.2' => 'https://bugzilla.redhat.com/attachment.cgi?id=672192',
}
# Patches are downloaded into, and applied from, the directory holding this script,
# so the script works no matter which directory it is started from.
PATCH_DIR = File.expand_path(File.dirname(__FILE__))

# 1. Find all activerecord 2.3.x, 3.0.x, 3.1.x, 3.2.x gems on this machine
gem_paths = {}
puts "Searching for activerecord gems inside #{SEARCH_DIR} ... "
ACTIVERECORD_GEM_VERSIONS.each do |version|
  gem_paths[version] = `find '#{SEARCH_DIR}' -path '*/gems/activerecord*' -name 'activerecord-#{version}.*' -type d`.split("\n")
  puts "Found the following activerecord gems for version #{version}:"
  puts gem_paths[version]
end

# 2. Download the 4 patches
puts "Downloading the patches ... "
ACTIVERECORD_GEM_VERSIONS.each do |version|
  # --no-check-certificate disables TLS certificate verification for the download (as in the original script)
  system("wget", "-O", "#{PATCH_DIR}/patch-#{version}.patch", "--no-check-certificate", PATCHES[version])
end
puts " ... done"

# 3. Apply the patches
ACTIVERECORD_GEM_VERSIONS.each do |version|
  gem_paths[version].each do |gem|
    puts "--------------------------\nApplying patch for gem #{gem}"
    # -t: batch mode (ask no questions), -N: skip hunks that are already applied, -p2: strip two leading path components
    puts `cd '#{gem}' && patch -tN -p2 < '#{PATCH_DIR}/patch-#{version}.patch'`
  end
end

This script searches for affected activerecord gems, downloads the required patches and applies them to each gem individually.

You might need to run it as root, and it could take a while searching your entire filesystem...
If you know where all your gems are located, narrow the search by changing
SEARCH_DIR = "/your-gem-repository"

Tested on Linux and FreeBSD.

SSL certs from STARTSSL – for nginx

Follow all necessary steps until StartSSL gives you the ssl.key, then strip its passphrase (so nginx can start unattended):

openssl rsa -in ssl.key -out ssl.key

Follow the further steps until StartSSL gives you the ssl.crt.
Download StartSSL’s root CA and class 1 intermediate server CA certificates:
http://www.startssl.com/certs/ca.pem
http://www.startssl.com/certs/sub.class1.server.ca.pem

Now create a unified certificate:

cat ssl.crt sub.class1.server.ca.pem ca.pem > ssl-unified.crt

Upload the files ssl.key and ssl-unified.crt to the server.
Do not forget to chmod 600 ssl.key (it is no longer encrypted).
In your nginx ssl vhost include:

ssl on;
ssl_certificate /path/to/ssl-unified.crt;
ssl_certificate_key /path/to/ssl.key;
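The order of the `cat` above matters: nginx reads `ssl_certificate` top to bottom and expects the server (leaf) certificate first, then the intermediate, then the root; a bundle in any other order produces a file that looks fine but fails TLS handshakes. As an added example (not from the original post, StartSSL or nginx), the Ruby below builds the unified bundle the same way and checks both the chain order and that the passphrase-less key is not group- or world-readable. The PEM bodies are constructed placeholders, not real certificates.

```ruby
# Added example, not from the original post or from nginx/StartSSL.
require "tempfile"

PEM_BLOCK = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Constructed stand-in for a PEM certificate; real ones carry base64 DER between the markers.
def fake_cert(label)
  "-----BEGIN CERTIFICATE-----\n#{label}\n-----END CERTIFICATE-----"
end

LEAF         = fake_cert("SERVER-CERT-PLACEHOLDER")          # ssl.crt
INTERMEDIATE = fake_cert("SUB-CLASS1-SERVER-CA-PLACEHOLDER")  # sub.class1.server.ca.pem
ROOT         = fake_cert("STARTCOM-ROOT-CA-PLACEHOLDER")      # ca.pem

# Same thing as: cat ssl.crt sub.class1.server.ca.pem ca.pem > ssl-unified.crt
def unified_bundle(*certs)
  certs.map(&:strip).join("\n") + "\n"
end

# Returns a list of problems; an empty list means nginx gets the chain in the order it expects.
def chain_problems(bundle, leaf:, intermediate:, root:)
  blocks = bundle.scan(PEM_BLOCK)
  problems = []
  problems << "expected 3 certificates, found #{blocks.size}" unless blocks.size == 3
  problems << "server certificate must be the first block" unless blocks.first == leaf.strip
  problems << "intermediate CA must come right after the server certificate" unless blocks[1] == intermediate.strip
  problems << "root CA must be the last block" unless blocks.last == root.strip
  problems
end

# chmod 600 ssl.key: the decrypted key must carry no group or other permission bits.
def key_permissions_ok?(path)
  (File.stat(path).mode & 0o077).zero?
end

if __FILE__ == $0
  good = unified_bundle(LEAF, INTERMEDIATE, ROOT)
  bad  = unified_bundle(ROOT, INTERMEDIATE, LEAF)   # what a wrong cat order produces
  puts "correct order: #{chain_problems(good, leaf: LEAF, intermediate: INTERMEDIATE, root: ROOT).inspect}"
  puts "reversed order: #{chain_problems(bad, leaf: LEAF, intermediate: INTERMEDIATE, root: ROOT).inspect}"
end
```

Run against the real files, `chain_problems` only needs the three PEM texts read from disk; the Tempfile require is there so the permission check can be exercised on a scratch file.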

Getting rid of mailway spam

An extremely persistent spammer is mailway.

At least at present it uses the mailing service of the company Adnet Telecom: http://www.facebook.com/AdNetTelecom
Despite several reports to abuse@adnettelecom.ro (the address Adnet themselves give on their Facebook page), the spam kept coming.

So, if you want to get rid of the mailway shit – at least for the moment – you have to block the IP range of the mailing service they use.
From analysing the last few dozen spam messages received, this range appears to be: 37.43.130.1/24

th_mailformplus voodoo with allowedReferers and email_redirect

We maintain a typo3-site which is available under several domains – since it’s not our server we do not 100% understand the network/domain forwarding, etc… architecture there. It seems relatively voodoo to me.

However we installed the th_mailformplus for a real simple form.

If called from one domain – it worked perfectly and after successfully sending the email we were forwarded to the “thank you”-page we specified (email_redirect page ID).

If called from the other domain – the mail was not sent and instead of being redirected correctly the TEMPLATE_SUBMITTED_OK-subpart of the template was rendered. I repeat: the TEMPLATE_SUBMITTED_OK-subpart. Once again TEMPLATE_SUBMITTED_OK contains SUBMITTED_OK … submitted ok – yeah right. Pretty stupid behaviour in my opinion…

The solution was simple, add both domains to the allowedReferers. Now it’s working.

simple and smart surveillance with low budget webcams

Let’s say you want to monitor a room and have a running Linux machine (in our case Ubuntu) with a webcam attached.

Problems that could appear:

  • Recording continuously for a long period can result in extremely large video files, especially when uncompressed, and a pretty high CPU usage.
  • In the case above you would have to compress and “logrotate” your video streams periodically.
  • Maybe you do not want to record anything at all if nothing happens.

Our solution:

$ sudo apt-get install webcam

Use the following configuration file (webcam.conf):

[grab]
device = /dev/video0
text = "my office %Y-%m-%d %H:%M:%S"
infofile = filename
fg_red = 255
fg_green = 255
fg_blue = 255
width = 320
height = 240
delay = 5
wait = 0
rotate = 0
top = 0
left = 0
bottom = -1
right = -1
quality = 80
trigger = 175
once = 0
archive = take %Y-%m-%d %H:%M:%S

[ftp]
dir = /path/to/images/temp
file = webcam_l.jpeg
tmp = uploading_l.jpeg
passive = 0
debug = 0
auto = 0
local = 1
ssh = 0

And now run:

$ webcam webcam.conf &

Now you will get a JPG image from your webcam (quality = 80) every 5 seconds (delay = 5), but only if something changed. The “something changed” condition is set by trigger = 175: an image is only written when it differs enough from the previous one.
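To make the trigger idea concrete, here is an added example (not part of the original post and not the webcam tool's own code) of a change-gated capture loop: frames are flat arrays of grayscale pixels, and a frame is only "saved" when its mean absolute difference from the last saved frame exceeds a threshold. The exact metric the webcam tool computes behind `trigger` is not documented in the post, so this metric and its scale are an assumption for illustration; the point it shows is the same, namely that sensor noise stays below a sensible threshold while a real change in the scene clears it, and that a threshold set too low fires on noise.

```ruby
# Added example, not from the original post or the webcam tool. The
# mean-absolute-difference metric is an assumption chosen for illustration.

# Mean absolute per-pixel difference between two same-sized grayscale frames.
def frame_difference(previous, current)
  raise ArgumentError, "frames differ in size" unless previous.size == current.size
  previous.zip(current).sum { |a, b| (a - b).abs }.fdiv(current.size)
end

class MotionGate
  attr_reader :saved

  def initialize(threshold)
    @threshold = threshold
    @reference = nil   # the last frame that was actually saved
    @saved = []        # indices of the frames that were saved
  end

  # Returns true when this frame should be written to disk; the first frame always is.
  def offer(frame, index)
    if @reference.nil? || frame_difference(@reference, frame) > @threshold
      @reference = frame
      @saved << index
      return true
    end
    false
  end
end

# Constructed 320x240 frames: an empty grey room, the same room with a little
# sensor jitter, then a bright object entering and staying.
def simulate(threshold)
  empty_room = Array.new(320 * 240, 40)
  noisy_room = empty_room.map.with_index { |v, i| i % 3 == 0 ? v + 2 : v }
  occupied   = empty_room.dup
  (0...(320 * 240)).step(2) { |i| occupied[i] = 220 }
  frames = [empty_room, noisy_room, noisy_room, occupied, occupied]

  gate = MotionGate.new(threshold)
  frames.each_with_index { |frame, i| gate.offer(frame, i) }
  gate.saved
end

if __FILE__ == $0
  puts "threshold 10  -> frames saved: #{simulate(10).inspect}"   # noise ignored, arrival saved
  puts "threshold 0.5 -> frames saved: #{simulate(0.5).inspect}"  # noise also triggers a save
end
```

With the threshold at 10 only the first frame and the arrival (frame 3) are saved; at 0.5 the jitter in frame 1 is saved too, which is the "record everything" problem the trigger setting is meant to avoid.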

monitor file and send alert mail on change/modify

For various reasons it can be very useful to be alerted to changes of some specific file (for instance a database error log).

Using inotify-tools I wrote a script that monitors a file and sends alerts to an email address if that file is changed:

#!/bin/sh
#
# Monitor file $1 for changes
# Send an alert email to $2 if file $1 changes
# usage: file_change_mail_alert.sh /var/log/messages your.name@domain.com
#

if [ -z "$2" ]; then
    echo "Usage: file_change_mail_alert.sh <file> <email>"
    exit 1
fi

# exit if an inotifywait for this file is already running
if [ "$(ps aux | grep inotifywait | grep -v grep | grep -c "$1")" -gt 0 ]; then
    echo "A process monitoring the file $1 is already running: $(ps aux | grep inotifywait | grep -v grep | grep "$1")"
    exit 1
fi

# check that inotifywait is installed (POSIX form; the original used the bash-only 'type -P ... &>/dev/null')
command -v inotifywait >/dev/null 2>&1 || { echo "Error: This script requires inotifywait (http://wiki.github.com/rvoicilas/inotify-tools/) .... apt-get install inotify-tools ... " >&2; exit 1; }

# check that the file exists
if [ -f "$1" ]; then
    echo "Monitoring file $1 for changes - sending alerts to $2"
    # block until the file is modified, then mail its last five lines
    while inotifywait -e modify "$1"; do
        sleep 1
        changes="$(tail -n5 "$1")"
        echo "The following change occurred in the file $1 : $changes" | mail -s "Change in $1" "$2"
    done
else
    echo "Error: File $1 not found"
fi

This script can be started at server startup like this:
/path/to/file_change_mail_alert.sh /var/log/something.log your.email@domain.ro

Or put it in the crontab – once a day (it will exit if it detects that another instance of “itself” is already running):
0 6 * * * /path/to/file_change_mail_alert.sh /var/log/something.log your.email@domain.ro