Tuesday, August 22, 2017

find the most recently modified file in a directory and display its contents.

  this is all i want to do today. just this.  
   
 cat "$(ls -lt $(find "$PWD" -type f) | awk '{print $9}' | head -1)"  
 (awk's $9 is the filename column of ls -l, so this breaks on file names containing spaces)  
   
 gross. the output is too long.  
   
 tail -n 10 "$(ls -lt $(find "$PWD" -type f) | awk '{print $9}' | head -1)"  

Monday, August 21, 2017

Configuring NFS under Linux for Firewall control

because this is still an issue 15 years later from:
https://web.archive.org/web/20140906175220/http://www.lowth.com/LinWiz/nfs_help.html

Configuring NFS under Linux for Firewall control

By: Chris Lowth <chris@lowth.com>
Date: April 25th 2003

Looking for Iptables configuration assistance?

If you have been directed to this page because you are searching for general assistance in configuring IPTABLES, then click here to try "LinWiz", an on-line IPtables configurator that does the hard work for you. Answer a few simple questions and LinWiz will generate your IPtables rules file for you to download.

Platforms

This document has been written with reference to RedHat 7.x and 8.x systems but is appropriate for other Linux distributions. The author warmly invites comments, corrections and (in particular) news of using this approach on other Linuxes.

Follow-up contributions.

I have received numerous mails since writing this article, some of which include more information which may be of general use. Thanks to the authors for permission to reproduce their comments here.

Introduction.

When setting up IPTABLES firewalling for Linux systems running the NFS service (network file system), you hit the problem that some of the TCP/IP and UDP ports used by components of the service are randomly generated as part of the “SunRPC” mechanism.
This document is part of the LinWiz tool kit, and describes how to set up NFS in such a way that meaningful firewall rules can be applied to the system.

The LinWiz toolkit.

LinWiz is a free-to-use on-line Linux IPTables configuration wizard, designed for novices and experts alike. LinWiz presents a simple, single-page questionnaire for you to fill in, and then generates a personalised iptables configuration file for download onto the Linux server, firewall or router/gateway.
Click here to use this software on line.

Viewing the used ports.

On a system that is up and running with the NFS service active, the ports used by the components of the service can be listed using the command “rpcinfo -p”. The output will look something like this...
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32814  status
    100024    1   tcp  33024  status
    100011    1   udp    670  rquotad
    100011    2   udp    670  rquotad
    100011    1   tcp    673  rquotad
    100011    2   tcp    673  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32816  nlockmgr
    100021    3   udp  32816  nlockmgr
    100021    4   udp  32816  nlockmgr
    100005    1   udp  32818  mountd
    100005    1   tcp  33025  mountd
    100005    2   udp  32818  mountd
    100005    2   tcp  33025  mountd
    100005    3   udp  32818  mountd
    100005    3   tcp  33025  mountd
This listing shows the IP ports for the various versions of the service in the 4th column. If you view this listing on different systems (or even after rebooting the same one) you may well find that the port numbers are different – this is a real problem when configuring firewalls, which tend to assume that known port numbers are used for the services being configured.

Setting up NFS to use fixed IP ports.

To make it possible to configure a firewall that controls NFS, it is useful to be able to “tie” down the ports used by these services to fixed values. Luckily this is possible in RedHat Linux versions 7 and 8 (and, I suspect, other Linux distributions), although the methods for setting these port numbers are different for each of the daemons.
The following table lists the NFS daemons and summarises the relevant information for them. The sections that follow give more detail.
Daemon Name    RPM                 Standard Port  Suggested Port  What to Change
portmap        portmap             111            111             Nothing
rpc.statd      nfs-utils           Random         4000            Edit /etc/init.d/nfslock
rpc.nfsd       nfs-utils           2049           2049            Nothing
rpc.lockd      nfs-utils & kernel  Random         4001            Edit /etc/modules.conf
rpc.mountd     nfs-utils           Random         4002            Create or edit /etc/sysconfig/nfs
rpc.rquotad    quota               Random         4003            Install "quota" package version 3.08 or later
                                                                  and edit /etc/rpc and /etc/services

Portmapper [Standard port: 111]

The portmapper is implemented by the “portmap” program which is part of the “portmap” RPM package. The service uses port 111 on both the TCP and UDP protocols.
Portmapper provides the mapping between application names and IP ports, and is therefore analogous to the /etc/services file except that it relates to RPC programs only.
Firewall rules that refer to portmapper should refer to TCP/IP and UDP packets on port 111.

Status [Random port. Suggestion: 4000]

The rpc.statd server implements the NSM (Network Status Monitor) RPC protocol. This service is somewhat misnamed, since it doesn't actually provide active monitoring as one might suspect; instead, NSM implements a reboot notification service. It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots.
The rpc.statd program is part of the “nfs-utils” RPM package.
While rpc.statd is normally allocated a random port number by the portmapper, it is possible to configure a fixed port number by supplying the “-p” command line option when the program is launched. This can be done as follows ..
Edit the file /etc/init.d/nfslock and change the “start()” procedure to add “-p” and a port number to the line “daemon rpc.statd”. The changed procedure looks like this (the changed line is the “daemon rpc.statd -p 4000” one)..
start() {
        # Start daemons.
        if [ "$USERLAND_LOCKD" ]; then
          echo -n $"Starting NFS locking: "
          daemon rpc.lockd
          echo
        fi
        echo -n $"Starting NFS statd: "
        daemon rpc.statd -p 4000
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/nfslock
        return $RETVAL
}
Once the above change has been made, firewall rules should refer to TCP/IP and UDP packets on the chosen port. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).

NFS Daemon [Standard port: 2049]

The rpc.nfsd program implements the user level part of the NFS service. The main functionality is handled by the nfsd.o kernel module; the user space program merely starts the specified number of kernel threads.
The rpc.nfsd program normally listens on port number 2049, so firewall rules can be created to refer to that port (unless it is changed from the default value). (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).

NFS Lock Manager [Random port. Suggestion: 4001]

The NFS lock manager is a kernel module. It implements the NLM (NFS Lock Manager) part of the NFS subsystem, used for handling file and resource locks of various types. This component is sometimes referred to as "rpc.lockd", and shows up in the output of rpcinfo as "nlockmgr" (hey, consistency would only make life boring!).
On systems where the lock manager is implemented as a loadable module the port number used is set at module load time, and so is configured by adding (or editing) a line in the /etc/modules.conf file, as follows..
     options lockd nlm_udpport=4001 nlm_tcpport=4001
This sets the udp and tcp/ip port numbers. Conventionally, these two numbers should be set to the same value.
If your system has the lockd code compiled into the main kernel binary rather than as a loadable module, then the settings in modules.conf won't work. You need to add the parameters "lockd.udpport=4001 lockd.tcpport=4001" to the kernel command line in the lilo or grub configuration instead.
Note on Linux kernel versions before 2.4.12: the handling of these parameters was introduced in Linux kernel version 2.4.11. But since 2.4.11 is flagged as a "don't use" release, you should verify that your system has kernel 2.4.12 or later installed in order for this to work. Use the command "uname -a" to see the kernel version you are running.
To fix the port used by the NFS Lock Manager, add a line (as above) to /etc/modules.conf or lilo.conf (or grub.conf) as appropriate, and configure the firewall to manage the port number selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).

mountd [Random port. Suggestion: 4002]

The rpc.mountd program implements the NFS mount protocol. When receiving a MOUNT request from an NFS client, it checks the request against the list of currently exported file systems. If the client is permitted to mount the file system, rpc.mountd obtains a file handle for the requested directory and returns it to the client.
While rpc.mountd is normally allocated a random port number by the portmapper, it is possible to configure a fixed port number by supplying the “-p” command line option when the program is launched. This can be done by editing or creating the file /etc/sysconfig/nfs and adding the following line..
     MOUNTD_PORT=4002
Once this edit has been made, configure the firewall to manage the port number selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).

rquotad [Random port. Suggestion: 4003]

rquotad is an rpc(3N) server which returns quotas for a user of a local filesystem which is mounted by a remote machine over NFS. It also allows setting of quotas on NFS-mounted filesystems. The results are used by quota(1) to display user quotas for remote filesystems and by edquota(8) to set quotas on remote filesystems. The rquotad daemon is normally started at boot time from the system startup scripts.

There are two versions of rpc.rquotad that are commonly used with linux systems, one is part of the nfs utilities, and the other comes bundled with the "quota" package. RedHat 7.x and 8.x use the "quota" package - sadly, the version they use does not have any built-in mechanism for tying down the port. Happily - version 3.08 of the quota tools package DOES allow this.

The home page of the linuxquota project is at: http://sourceforge.net/projects/linuxquota. To obtain the software, visit the site, download the sources and build them on your platform. If you have RedHat 8.0, then you can download the RPMs from my web site, and install.
To use this package to update the existing one..
  • First verify that your system is not already running "quota" version 3.08 or later (RedHat may have provided the up-to-date version since this document was written).
  • Download the quota rpm from my web site.
  • Install in "update" mode by using the command: rpm -Uhv quota-3.08-1.rpm
Once the updated "quota" package is installed, you can "fix" the port used by rpc.rquotad as follows..
  • Check that the following line is present in the file /etc/rpc. It should be there, but if it isn't, then add it yourself. NB: the number "100011" is NOT the port number but the fixed RPC program number - it is important that you don't change it.
    • rquotad 100011 rquotaprog quota rquota
  • Add (or modify) the following two lines to the /etc/services file (replacing the number 4003 with the port number you want rpc.rquotad to listen on).
    • rquotad 4003/tcp
    • rquotad 4003/udp
Once these changes have been made, configure the firewall to manage the port numbers selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).
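An added example, not part of the article above: a small Python check that parses the "rpcinfo -p" listing shown earlier, reports which daemons are still sitting on random ports instead of the pinned values from the table, and prints the matching iptables ACCEPT rules. The client range 192.168.1.0/24 is a placeholder.

```python
import re
from collections import defaultdict

# Ports the article suggests pinning each daemon to (portmapper and nfs
# are already fixed; the other four are the randomly allocated ones).
PINNED = {"portmapper": 111, "status": 4000, "nfs": 2049,
          "nlockmgr": 4001, "mountd": 4002, "rquotad": 4003}

# Abridged copy of the 'rpcinfo -p' listing from the article, before pinning.
RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32814  status
    100024    1   tcp  33024  status
    100011    1   udp    670  rquotad
    100003    2   udp   2049  nfs
    100021    1   udp  32816  nlockmgr
    100005    1   udp  32818  mountd
    100005    1   tcp  33025  mountd
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

def parse_rpcinfo(text):
    """Map service name -> set of (proto, port) from 'rpcinfo -p' output."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:                        # the header line does not match
            _prog, _vers, proto, port, name = m.groups()
            ports[name].add((proto, int(port)))
    return dict(ports)

def unpinned(ports, expected=PINNED):
    """Services still listening somewhere other than their pinned port."""
    return sorted(name for name, pairs in ports.items()
                  if any(port != expected.get(name) for _, port in pairs))

def iptables_rules(expected=PINNED, clients="192.168.1.0/24"):
    """ACCEPT rules for the pinned ports, limited to the NFS client range
    (placeholder range; substitute your own)."""
    rules = []
    for name, port in sorted(expected.items(), key=lambda kv: kv[1]):
        for proto in ("tcp", "udp"):
            rules.append(f"iptables -A INPUT -s {clients} -p {proto} --dport {port} "
                         f"-m comment --comment {name} -j ACCEPT")
    return rules

if __name__ == "__main__":
    listing = parse_rpcinfo(RPCINFO)
    print("still on random ports:", ", ".join(unpinned(listing)) or "none")
    print("\n".join(iptables_rules()))
```

Run it against a live "rpcinfo -p" after the edits above: an empty "still on random ports" list means the firewall rules can safely refer to the fixed numbers.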

who is talking to my microsoft windows dns server?

 who is talking to my ms dns server?  
   
 turn on debug logging on the server. we want incoming client requests.  
 your logs will be here: c:\Windows\System32\dns\   
   
 since we're doing our work on a linux box...  
   
 $ sudo mount -t cifs -o username=myname,password=mypass\!,domain=hell.hades.com //thedamned/C$ /tmp/amount/  
   
 copy the log.  
   
 $ cp /tmp/amount/Windows/System32/dns/dns.log ~  
   
 remove everything except for the ip addresses. sort the results and   
 remove all duplicate entries. write to file for further processing.  
   
 $ cat dns.log | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -nu >> pithyresolv  
   
 ip addresses are fine? since names are even more useful,  
 create the following bash script, getresolv.sh:  
   
   
 #!/bin/bash  
   
 while read -r line  
 do  
   dig -x "$line" +short >> resolved  
 done  
   
   
 feed the list into the script:  
   
 $ ./getresolv.sh < pithyresolv  
 $ cat resolved | mailx me@hell  
   
 there. sliced, diced, and emailed.  
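An added example, not part of the post: a Python version of the same triage that parses the Windows DNS debug log directly. It keeps only incoming ("Rcv") packets, counts requests per client, sorts clients as IP addresses (sort -n only looks at the first octet, so 10.1.2.30 lands before 10.1.2.4), and decodes the length-prefixed (3)www(7)example(3)com(0) name notation. The log lines are constructed, not a real capture.

```python
import ipaddress
import re
from collections import Counter

# Constructed Windows DNS debug-log lines (not a real capture). "Rcv" lines
# are requests arriving from clients; "Snd" lines are the server's replies.
SAMPLE_LOG = """\
8/21/2017 9:15:02 AM 0A3C PACKET  00000000028C3E50 UDP Rcv 10.1.2.30        4f2a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/21/2017 9:15:02 AM 0A3C PACKET  00000000028C3E50 UDP Snd 10.1.2.30        4f2a R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
8/21/2017 9:15:07 AM 0A3C PACKET  00000000028C4120 UDP Rcv 10.1.2.4         91c0   Q [0001   D   NOERROR] AAAA   (6)update(5)hades(3)com(0)
8/21/2017 9:15:09 AM 0A3C PACKET  00000000028C4360 TCP Rcv 10.1.2.30        0b77   Q [0001   D   NOERROR] A      (4)host(5)hades(3)com(0)
8/21/2017 9:15:11 AM 0A3C PACKET  00000000028C4580 UDP Rcv 192.168.0.9      3e11   Q [0001   D   NOERROR] PTR    (2)30(1)2(1)1(2)10(7)in-addr(4)arpa(0)
"""

# proto, direction, remote IP, transaction id, optional "R" (response),
# "Q" (standard query), [flags], query type, wire-format name.
PKT = re.compile(
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<xid>[0-9a-f]+)\s+(?P<resp>R)?\s*(?P<op>Q)\s+\[[^\]]*\]\s+"
    r"(?P<qtype>\w+)\s+(?P<qname>\S+)")

def decode_name(wire):
    """'(3)www(7)example(3)com(0)' -> 'www.example.com'."""
    return ".".join(lab for _n, lab in re.findall(r"\((\d+)\)([^(]*)", wire) if lab)

def parse_line(line):
    """One log line -> dict of fields, or None for lines that are not packets."""
    m = PKT.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["qname"] = decode_name(rec["qname"])
    return rec

def incoming(log):
    """Only packets received from clients."""
    return [r for r in map(parse_line, log.splitlines()) if r and r["dir"] == "Rcv"]

def client_summary(log):
    """[(client, n_requests)] ordered as addresses, not as 'sort -n' strings."""
    counts = Counter(r["ip"] for r in incoming(log))
    return [(str(ip), n) for ip, n in sorted(counts.items())]

def names_queried_by(log, client):
    """Distinct names one client asked for, which is what the reverse lookups lack."""
    want = ipaddress.ip_address(client)
    return sorted({r["qname"] for r in incoming(log) if r["ip"] == want})
```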
   
   

Thursday, August 3, 2017

make redhat use centos repos

 [root@satan ~]# yum install traceroute  
 Loaded plugins: rhnplugin, security  
 This system is not registered with RHN.  
 RHN support will be disabled.  
 Setting up Install Process  
 No package traceroute available.  
 Nothing to do 
 
 [root@satan ~]#  

 well flock.  

 [root@satan ~]# cat /etc/redhat-release  

 RedHat Enterprise Crap 6.crap  

 yes. redhat. not centos. let's use centos for yum, shall we?  

 [root@satan ~]# vi /etc/yum.repos.d/centos.repo  

 [centos]  
 name=CentOS $releasever - $basearch  
 baseurl=http://ftp.heanet.ie/pub/centos/6/os/$basearch/  
 enabled=1  
 gpgcheck=0  

 nb: in the baseurl, put 5 or 6 after centos/ depending on the major version of RHEL. also, gpgcheck=0 means yum won't verify package signatures from this repo.  

 [root@satan ~]# yum install traceroute 

 stuff happens...
    

Tuesday, July 25, 2017

before you go crazy check dnstracer

 # dnstracer -v old-releases.ubuntu.com  

don't forget the -v

 Tracing to old-releases.ubuntu.com[a] via 127.0.0.1, maximum of 3 retries  
 127.0.0.1 (127.0.0.1) IP HEADER  
 - Destination address: 127.0.0.1  
 DNS HEADER (send)  
 - Identifier:      0x3808  
 - Flags:        0x00 (Q )  
 - Opcode:        0 (Standard query)  
 - Return code:     0 (No error)  
 - Number questions:   1  
 - Number answer RR:   0  
 - Number authority RR: 0  
 - Number additional RR: 0  
 QUESTIONS (send)  
 - Queryname:      (12)old-releases(6)ubuntu(3)com  
 - Type:         1 (A)  
 - Class:        1 (Internet)  
 DNS HEADER (recv)  
 - Identifier:      0x3808  
 - Flags:        0x8080 (R RA )  
 - Opcode:        0 (Standard query)  
 - Return code:     0 (No error)  
 - Number questions:   1  
 - Number answer RR:   0  
 - Number authority RR: 4  
 - Number additional RR: 0  
 QUESTIONS (recv)  
 - Queryname:      (12)old-releases(6)ubuntu(3)com  
 - Type:         1 (A)  
 - Class:        1 (Internet)  
 AUTHORITY RR  
 - Domainname:      (6)ubuntu(3)com  
 - Type:         2 (NS)  
 - Class:        1 (Internet)  
 - TTL:         25923 (7h12m3s)  
 - Resource length:   6  
 - Resource data:    (3)ns1(3)p27(6)dynect(3)net  
 AUTHORITY RR  
 - Domainname:      (6)ubuntu(3)com  
 - Type:         2 (NS)  
 - Class:        1 (Internet)  
 - TTL:         25923 (7h12m3s)  
 - Resource length:   6  
 - Resource data:    (3)ns3(3)p27(6)dynect(3)net  
 AUTHORITY RR  
 - Domainname:      (6)ubuntu(3)com  
 - Type:         2 (NS)  
 - Class:        1 (Internet)  
 - TTL:         25923 (7h12m3s)  
 - Resource length:   6  
 - Resource data:    (3)ns4(3)p27(6)dynect(3)net  
 AUTHORITY RR  
 - Domainname:      (6)ubuntu(3)com  
 - Type:         2 (NS)  
 - Class:        1 (Internet)  
 - TTL:         25923 (7h12m3s)  
 - Resource length:   20  
 - Resource data:    (3)ns2(3)p27(6)dynect(3)net  
   
  |\___ ns1.p27.dynect.net [ubuntu.com] (No IP address)  
  |\___ ns3.p27.dynect.net [ubuntu.com] (No IP address)  
  |\___ ns4.p27.dynect.net [ubuntu.com] (No IP address)  
  \___ ns2.p27.dynect.net [ubuntu.com] (No IP address)  
   
   

Thursday, July 20, 2017

discover axis webcams when you're clueless

 AXIS cameras have a severe remote compromise bug. I guess the cameras need to be found and patched. But, you know, I don’t recall where they’re at.  
 Let’s find them.  
   
 I do not remember, off the top of my head, all the subnets around. Happily, I'm in a mixed shop and Active Directory Sites and Services tells me what subnets are which. Cool.  
   
 On an AD controller, run PowerShell and enable script execution.  
   
 > Set-ExecutionPolicy RemoteSigned  
   
 Run the following script:  
   
 [cmdletbinding()]  
 param()  
   
 $Sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites  
 $obj = @()  
 foreach ($Site in $Sites) {  
   foreach ($sub in $Site.Subnets) {  
     $obj += New-Object -Type PSObject -Property @{  
       "site"   = $Site.Name  
       "subnet" = $sub.Name  
     }  
   }  
 }  
 $obj | Export-Csv 'ADsites.csv' -NoType  
   
 The csv output shows:  
   
 "subnet","site"  
 "6.6.66.0/24","HELL"  
 "6.7.67.0/24","PANDEMONIUM"  
 "6.8.68.0/24","HELLS-GATE"  
   
 AXIS cameras have the following ports open by default:  
 TCP 21,80,554,49152  
   
 We can use nmap to discover and filter hosts that have the above:  
 $ nmap -p 21,80,554,49152 10.97.232.* -oG - | grep open | awk '!/closed/ && !/filtered/' >> axis  
   
 However, scanning UPnP port 49152 is unreliable. We could then narrow the ports, but we would be left with a guessing game as to whether or not the system is an Axis camera.  
   
 Luckily, Axis cameras all have a banner on FTP 21. It is either Axis or AXIS. This works better:  
 $ nmap -sS -sV -p 21 -n -Pn --script banner IPRANGE/CIDR -oG - | grep -i axis >> axis  
   
 To scan all the ranges, all we need to do is create a file and feed it the CIDR notated networks. I'm only concerned about my isolated networks, HELL and HELLS-GATE:  
   
   
 $ vi axis.subnet  
   
 6.6.66.0/24  
 6.8.68.0/24  
   
 Now, the completed command would be:  
   
 $ nmap -sS -sV -p 21 -n -Pn --script banner -iL axis.subnet -oG - | grep -i axis >> axis  
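An added example, not from the post: parsing the -oG output structurally instead of piping it through grep -i axis, which also keeps the "# Nmap ... -iL axis.subnet" comment line and any unrelated banner that happens to contain "axis". The sample output below is constructed to look like what the scan above produces.

```python
import re

# Constructed nmap grepable (-oG) output for the FTP-banner scan above.
SAMPLE_OG = """\
# Nmap 7.40 scan initiated Thu Jul 20 10:00:00 2017 as: nmap -sS -sV -p 21 -n -Pn --script banner -iL axis.subnet -oG -
Host: 6.6.66.10 ()\tStatus: Up
Host: 6.6.66.10 ()\tPorts: 21/open/tcp//ftp//Axis Network Camera ftpd/
Host: 6.6.66.11 ()\tStatus: Up
Host: 6.6.66.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/
Host: 6.8.68.5 ()\tPorts: 21/closed/tcp//ftp///
Host: 6.8.68.7 ()\tPorts: 21/open/tcp//ftp//AXIS Q1615 Network Camera ftpd/\tIgnored State: filtered (0)
# Nmap done at Thu Jul 20 10:01:00 2017 -- 512 IP addresses (4 hosts up) scanned in 60.00 seconds
"""

# "Host: <ip> (<name>)<TAB>Ports: <entries>" ; a further TAB starts another field.
HOST = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\([^)]*\)\s+Ports:\s+(?P<ports>[^\t]+)")

def parse_og(text):
    """Return (ip, port, state, service, version) for every port entry in -oG text."""
    rows = []
    for line in text.splitlines():
        m = HOST.match(line)
        if not m:                     # comment lines and 'Status: Up' lines
            continue
        for entry in m.group("ports").split(", "):
            # field order: port/state/proto/owner/service/rpc/version/
            f = entry.split("/")
            rows.append((m.group("ip"), int(f[0]), f[1], f[4], f[6]))
    return rows

def ip_key(ip):
    return tuple(int(o) for o in ip.split("."))

def axis_hosts(text):
    """Hosts whose open FTP port reports an Axis/AXIS version string."""
    return sorted({ip for ip, port, state, _svc, ver in parse_og(text)
                   if port == 21 and state == "open" and "axis" in ver.lower()},
                  key=ip_key)

def naive_grep(text):
    """What 'grep -i axis' keeps: every matching line, the comment included."""
    return [ln for ln in text.splitlines() if "axis" in ln.lower()]
```

The host list from axis_hosts() is the patch list; naive_grep() shows the extra line the grep pipeline would have dragged into the "axis" file.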

Wednesday, July 19, 2017

discover axis webcams

i'm just going to leave this here.

 nmap -sS -sV -p 21 -n -Pn --script banner -iL subnet.list -oG - | grep -i Axis > axis