Category Archives: linux

use lfd to scan logfiles for custom auth failures

2 examples:

scan for smtp auth failures like

Jul 14 08:34:54 ns1 postfix/smtpd[20888]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

scan for dovecot imap login failures like

Jul 14 08:34:05 ns1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=contact rhost=xx.xx.xx.xx

in /etc/csf/csf.conf define

CUSTOM1_LOG = "/var/log/mail.log"
CUSTOM2_LOG = "/var/log/auth.log"

in /etc/csf/

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","list of ports to block this IP","14400");

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ auth:\ pam_unix\(dovecot:auth\): authentication failure; .* rhost\=(\d+\.\d+\.\d+\.\d+)/)) {
return ("Failed dovecot auth login from",$1,"dovecot_auth_match","5","list of ports to block this IP","14400");

automated patching against SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

Suppose you have a server with multiple rubies, rvms, gemsets, etc…

Manually finding and patching all affected activerecord-gems would be pretty cumbersome.

The following script does the job for you:

#!/usr/bin/env ruby

SEARCH_DIR = "/" # by default search the entire filesystem
ACTIVERECORD_GEM_VERSIONS = ['2.3','3.0','3.1','3.2']
'2.3' => '',
'3.0' => '',
'3.1' => '',
'3.2' => '',

#1. Find all activerecord 2.3.x, 3.0.x, 3.1.x, 3.2.x gems on this machine
gem_paths = {}
puts "Searching for activerecord gems inside #{SEARCH_DIR} ... "
gem_paths[version] = `find #{SEARCH_DIR} -path '*/gems/activerecord*' -name 'activerecord-#{version}.*' -type d`.split("\n")
puts "Found the following activerecord gems for version #{version}:"
puts gem_paths[version]

#2. Download the 4 patches here
puts "Downloading the patches ... "
`wget -O patch-#{version}.patch --no-check-certificate #{PATCHES[version]}`
puts " ... done"

#3. Apply the patches
gem_paths[version].each do |gem|
puts "--------------------------\nApplying patch for gem #{gem}"
puts `cd '#{gem}'; patch -tN -p2 < '#{File.expand_path(File.dirname(__FILE__))+"/patch-"+version+".patch"}'` end end

This script searches for affected activerecord gems, downloads the required patches and applies them individually.

You might need to run it as root, and it could take a while searching your entire filesystem...
If you know where all your gems are located change the
SEARCH_DIR = "/yougemrepository"

Tested on linux, freebsd

SSL certs from STARTSSL – for nginx

Follow all necessary stept until Startssl gives you the ssl.key

openssl rsa -in ssl.key -out ssl.key

Follow further stepts until Startssl gives you the ssl.crt
Download StartSSL’s root CA and class 1 intermediate server CA certificates:

Now create a unified certificate:

cat ssl.crt ca.pem > ssl-unified.crt

Upload the files ssl.key and ssl-unified.crt to the server
Do not forget to chmod 600 ssl.key
In your nginx ssl vhost include:

ssl on;
ssl_certificate /path/to/ssl-unified.crt;
ssl_certificate_key /path/to/ssl.key;

scapati de spamul de la mailway

Un spammer extrem de insistent este mailway.

Cel putin in prezent se foloseste de serviciul de mailing al firmei Adnet Telecom:
In pofida mai multor raportari la a celor de la adnet chiar pe pagina de facebook) spamurile au continuat sa vina.

Deci, daca vrei sa scapi de mailway shit – cel putin pe moment – trebuie sa blochezi rangeul de IPuri al serviciului de mailing care il folosesc.
Din analiza ultimelor catorva zeci de spamuri primite acest range pare a fi:

th_mailformplus voodoo with allowedReferers and email_redirect

We maintain a typo3-site which is available under several domains – since it’s not our server we do not 100% understand the network/domain forwarding, etc… arhitecture there. It seems relatively voodoo to me

However we installed the th_mailformplus for a real simple form.

If called from one domain – it worked perfectly and after successfully sending the email we were forwarded to the “thank you”-page we specified(email_redirect-pageID).

If called from the other domain – the mail was not sent and instead of being redirected correctly the TEMPLATE_SUBMITTED_OK-subpart of the template was rendered. I repeat: the TEMPLATE_SUBMITTED_OK-subpart. Once again TEMPLATE_SUBMITTED_OK contains SUBMITTED_OK … subitted ok – yeah right. Pretty stupid behaviour in my opinion…

The solution was simple, add both domains to the allowedReferers. Now it’s working.

simple and smart surveillance with low budget webcams

Let’s say you want to monitor a room and have a running linux machine(in our case ubuntu) with a webcam attached.

Problems that could appear:

  • Recording continuously for a long period can result in extremely large video files, especially when uncompressed, and a pretty high CPU usage.
  • In the case above you would have to compress and “logrotate” your video streams periodically
  • Maybe you do not want to record anything if nothing happens

Our solution:

$ sudo apt-get install webcam

use the following configuration file (webcam.conf)

device = /dev/video0
text = "my office %Y-%m-%d %H:%M:%S"
infofile = filename
fg_red = 255
fg_green = 255
fg_blue = 255
width = 320
height = 240
delay = 5
wait = 0
rotate = 0
top = 0
left = 0
bottom = -1
right = -1
quality = 80
trigger = 175
once = 0
archive = take %Y-%m-%d %H:%M:%S

dir = /path/to/images/temp
file = webcam_l.jpeg
tmp = uploading_l.jpeg
passive = 0
debug = 0
auto = 0
local = 1
ssh = 0

And now run

$ webcam webcam.conf &

Now you will get a JPG image from your webcam (quality = 80) every 5 seconds (delay = 5) but only if something changed. The “something changed”-condition is given by the setting trigger = 175.

monitor file and send alert mail on change/modify

For some reasons it can be very useful to be alerted on some specific file changes (for instance a database error log).

Using inotify-tools I wrote a script that can monitor a file sending alerts to an email address if that file is changed:

# Monitor file $1 for changes
# Send an alert emai to $2 if file $1 changes
# usage: /var/log/messages

if [ -z "$2" ]; then
echo "Usage: "
exit 1

#if a inotifywait for this file is already running
if [ $(ps aux | grep inotifywait | grep -c "$1" ) -gt '0' ]; then
echo "A process monitoring the file $1 is already running: $(ps aux | grep inotifywait | grep "$1" )";
exit 1;

#if inotifywait exists
type -P inotifywait &>/dev/null || { echo "Error: This script requires inotifywait( .... apt-get install inotify-tools ... " >&2; exit 1; }

#if the file exists
if [ -f $1 ]; then

echo "Monitoring file $1 for changes - sending alerts to $2"

while inotifywait -e modify $1; do
sleep 1
changes="$(tail -n5 $1)"
echo "The following change occured in the file $1 : $changes" | mail -s "Change in $1" $2
echo "Error: File $1 not found"

This script can be started on server startup like this:
/path/to/ /var/log/something.log

Or put in in the crontab – once a day (it will exit if it detects that another instance of “itself” is already running)
0 6 * * * /path/to/ /var/log/something.log