Dig command examples

The dig utility is very handy for troubleshooting name resolution issues or to find out information about an IP or a domain name. Here are some useful command examples.

Lookup for a domain

# dig google.com

; <<>> DiG 9.3.4-P1.2 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24311
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 217 IN A 216.58.209.238

;; Query time: 0 msec
;; SERVER: 62.210.64.50#53(62.210.64.50)
;; WHEN: Tue Oct 25 11:10:01 2016
;; MSG SIZE rcvd: 44

Lookup for a specific record

You can specify the record type using the appropriate prefix:

# dig <prefix> google.com
  • A for A records
  • MX for MX records
  • NS for NameServer records
  • CNAME for cname records
  • TXT for SPF, DKIM and everything that goes inside TXT records

Short answer

If you want just the answer without any comments, you can use the +short option:

# dig A google.com +short
216.58.209.238

You can also enable or disable each output section using the appropriate parameters. For example, to get only the ANSWER SECTION:

# dig A google.com +noall +answer
google.com.             299     IN      A       74.125.140.139
google.com.             299     IN      A       74.125.140.101
google.com.             299     IN      A       74.125.140.100
google.com.             299     IN      A       74.125.140.138
google.com.             299     IN      A       74.125.140.113
google.com.             299     IN      A       74.125.140.102

Use a Specific DNS server

To test the answer from a specific DNS server you can use the @ parameter:

# dig A @8.8.8.8 google.com

; <<>> DiG 9.3.4-P1.2 <<>> A @8.8.8.8 google.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28263
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 299 IN A 74.125.140.100
google.com. 299 IN A 74.125.140.113
google.com. 299 IN A 74.125.140.138
google.com. 299 IN A 74.125.140.139
google.com. 299 IN A 74.125.140.102
google.com. 299 IN A 74.125.140.101

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct 25 11:15:23 2016
;; MSG SIZE rcvd: 124

Reverse lookup

You can check the PTR records by doing a reverse lookup:

# dig -x 91.189.94.40

; <<>> DiG 9.3.4-P1.2 <<>> -x 91.189.94.40
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21503
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;40.94.189.91.in-addr.arpa. IN PTR

;; ANSWER SECTION:
40.94.189.91.in-addr.arpa. 3600 IN PTR ovinnik.canonical.com.

;; AUTHORITY SECTION:
94.189.91.in-addr.arpa. 3600 IN NS ns1.canonical.com.
94.189.91.in-addr.arpa. 3600 IN NS ns2.canonical.com.
94.189.91.in-addr.arpa. 3600 IN NS ns3.canonical.com.

;; Query time: 15 msec
;; SERVER: 62.210.64.50#53(62.210.64.50)
;; WHEN: Tue Oct 25 11:43:36 2016
;; MSG SIZE rcvd: 132
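The forward and reverse lookups above can be combined into a forward-confirmed reverse DNS (FCrDNS) check: the PTR name returned for an address should itself resolve back to that address, otherwise the PTR is not trustworthy (anyone controlling the in-addr.arpa zone can publish any name). The script below is an added example, not part of the original page; fcrdns_check assumes dig is installed and a resolver is reachable, while fcrdns_match is pure string comparison and runs offline.

```sh
#!/bin/sh
# Added example (not from the original page): forward-confirmed reverse DNS
# built from "dig -x IP +short" and "dig A NAME +short".
set -eu

# ptr_name IP: first PTR name for IP, trailing dot stripped (empty if none).
ptr_name() {
    dig -x "$1" +short | head -n 1 | sed 's/\.$//'
}

# a_records NAME: A records for NAME, one per line; CNAME lines that +short
# also prints are filtered out by only keeping dotted-quad answers.
a_records() {
    dig A "$1" +short | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# fcrdns_match IP ADDRLIST: 0 if IP is one of the newline-separated addresses
# in ADDRLIST, 1 otherwise. -F keeps the dots in IP from acting as wildcards,
# -x requires a whole-line match so 91.189.94.4 never matches 91.189.94.40.
fcrdns_match() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# fcrdns_check IP: print "IP -> name -> ok|MISMATCH" and return 0 only on ok.
fcrdns_check() {
    name=$(ptr_name "$1")
    if [ -z "$name" ]; then
        echo "$1 -> (no PTR record)"
        return 1
    fi
    if fcrdns_match "$1" "$(a_records "$name")"; then
        echo "$1 -> $name -> ok"
    else
        echo "$1 -> $name -> MISMATCH"
        return 1
    fi
}

# Usage: sh fcrdns.sh 91.189.94.40 [more IPs...]  (needs network access)
for ip in "$@"; do
    fcrdns_check "$ip" || true
done
```

A mismatch is not always an attack: many hosts legitimately have a PTR whose forward name points elsewhere. The check is useful as one input when deciding how much to trust a name seen in a log, not as a block decision on its own.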

Automatic reboot after kernel panic

Yep, Linux can do that! By default this feature is disabled in most distributions. To enable it, edit the /etc/sysctl.conf file and add the following lines:

kernel.panic = 1
kernel.panic_on_oops = 1

Now a kernel panic or an oops will automatically trigger a hardware reboot (the value of kernel.panic is the delay in seconds before the reboot). Don’t forget to run sysctl -p so the new values are taken into account immediately.

Optimize rdesktop connections

By default rdesktop tries to give you the best image quality, which is fine on a LAN but inappropriate in other cases. Using a few options you can change this behaviour:

  • -x m select the "modem" experience (no wallpaper, theming or menu animations)
  • -m do not send mouse motion events
  • -z enable compression
  • -r sound:off disable sound
  • -P enable persistent bitmap caching

So now I use the following command (-f for full screen, -0 to attach to the console session):

rdesktop -u username -f -m -z -x m -P -r sound:off -0 myip

Remove CTRL-M characters

One annoying thing with text files is that files created on DOS/Windows machines have different line endings than files created on Unix/Linux. DOS uses carriage return plus line feed (\r\n) as a line ending, whereas Unix uses just line feed (\n). So you end up with a lot of stray CTRL-M characters. To get rid of them you can:

Use sed

sed -e 's/\r$//' filename > newfilename

GNU sed understands \r; with other sed implementations, type a literal CTRL-M in place of \r (CTRL-V then CTRL-M, as described below for vi).

Use vi

Inside vi [in ESC mode] type: :%s/^M//g
To enter ^M, type CTRL-V, then CTRL-M (hold down the CTRL key then press V and M in succession).

Use dos2unix

dos2unix filename
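The following script is an added example, not part of the original page: it detects how many lines of a file still carry a CR LF ending and strips the carriage returns with portable sed/grep (a literal CR is built with printf, so it does not depend on GNU sed's \r escape). The sample file is constructed inline.

```sh
#!/bin/sh
# Added example (not from the original page): count and strip CRLF endings.
set -eu

CR=$(printf '\r')   # a literal carriage return, usable inside grep/sed patterns

# count_crlf FILE: print how many lines of FILE end with CR LF.
count_crlf() {
    # grep -c exits 1 when nothing matches but still prints 0; not an error here.
    grep -c "${CR}\$" "$1" || true
}

# strip_cr IN OUT: copy IN to OUT with the trailing CR removed from every line.
# Lines that already end in a bare LF are left untouched, unlike "tr -d '\r'",
# which would also delete carriage returns in the middle of a line.
strip_cr() {
    sed "s/${CR}\$//" "$1" > "$2"
}

# demo_crlf_fix: convert a constructed DOS-style file and verify the result.
# Returns 0 when the CRLF count drops from 2 to 0.
demo_crlf_fix() {
    tmp=$(mktemp -d)
    printf 'line one\r\nline two\r\nalready unix\n' > "$tmp/dos.txt"   # constructed input
    before=$(count_crlf "$tmp/dos.txt")
    strip_cr "$tmp/dos.txt" "$tmp/unix.txt"
    after=$(count_crlf "$tmp/unix.txt")
    echo "CRLF lines before: $before, after: $after"
    rm -rf "$tmp"
    [ "$before" -eq 2 ] && [ "$after" -eq 0 ]
}

demo_crlf_fix
```

count_crlf is handy before committing scripts or config files to a repository: a CR at the end of a shebang line ("#!/bin/sh\r") makes the kernel look for an interpreter named "sh\r" and the script fails with a confusing "not found".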

IP Forwarding

In order to use a Linux host as a router/firewall, you first need to enable IP forwarding:

# sysctl -w net.ipv4.ip_forward=1

To make the change permanent, insert or edit the following line in /etc/sysctl.conf:

net.ipv4.ip_forward = 1
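Both this section and the kernel panic section above amount to the same edit: make sure a given key in a sysctl.conf-style file carries the wanted value, without adding a duplicate line when the key is already there (the last line wins, so duplicates make the effective setting hard to read). The script below is an added example, not part of the original page; it edits a constructed copy of the file, so no privileges are needed, while loading the result (sysctl -p FILE) still needs root. Remember that once ip_forward is on, the host relays packets between all of its interfaces, so the FORWARD chain should have rules in place before the setting is applied.

```sh
#!/bin/sh
# Added example (not from the original page): idempotent "KEY = VALUE" editing
# for sysctl.conf-style files, shown with the settings from the text.
set -eu

# escape_key KEY: regex-escape the dots so "net.ipv4.ip_forward" does not
# also match a line such as "net_ipv4_ip_forward".
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# get_sysctl FILE KEY: print the value of the last "KEY = value" line, or nothing.
get_sysctl() {
    k=$(escape_key "$2")
    sed -n "s/^[[:space:]]*${k}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# set_sysctl FILE KEY VALUE: rewrite every existing KEY line, or append one.
set_sysctl() {
    k=$(escape_key "$2")
    if grep -q "^[[:space:]]*${k}[[:space:]]*=" "$1"; then
        tmp=$(mktemp)
        sed "s/^[[:space:]]*${k}[[:space:]]*=.*/$2 = $3/" "$1" > "$tmp"
        cat "$tmp" > "$1"   # write back in place to keep the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# demo_sysctl: apply the three settings from the text to a constructed copy
# of /etc/sysctl.conf and show the result.
demo_sysctl() {
    f=$(mktemp)
    printf '# constructed copy of /etc/sysctl.conf\nnet.ipv4.ip_forward = 0\n' > "$f"
    set_sysctl "$f" net.ipv4.ip_forward 1
    set_sysctl "$f" kernel.panic 1
    set_sysctl "$f" kernel.panic_on_oops 1
    cat "$f"
    # As root, "sysctl -p $f" would load these values immediately.
    rm -f "$f"
}

demo_sysctl
```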

[Apache] Basic tips for security

Debian’s default apache.conf is quite good, but there are some parameters I like to redefine in order to improve security a little:

Disable apache signature

ServerSignature Off
ServerTokens Prod

Disable HTTP trace request

TraceEnable Off

Disable Unnecessary Modules

Look for lines that begin with LoadModule. To disable a module, comment out its line. Here are some modules that are typically enabled by default but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.
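A quick way to confirm the three settings above and spot the listed modules is to audit the configuration file itself. The script below is an added example, not part of the original page: it checks the last (effective) occurrence of each directive, case-insensitively as Apache does, and lists enabled LoadModule lines whose identifier belongs to the "often not needed" list (in LoadModule lines mod_status appears as status_module, and so on). It runs on a constructed sample; point it at /etc/apache2/apache2.conf (path assumed) to audit a real file, bearing in mind that directives split across Include files are not followed.

```sh
#!/bin/sh
# Added example (not from the original page): audit hardening directives and
# optional modules in a single Apache configuration file.
set -eu

# check_directive FILE NAME EXPECTED: print "ok", "missing" or "wrong:<value>"
# for the last occurrence of NAME in FILE (later directives override earlier ones).
check_directive() {
    value=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}')
    if [ -z "$value" ]; then
        echo "missing"
    elif [ "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" = \
           "$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')" ]; then
        echo "ok"
    else
        echo "wrong:$value"
    fi
}

# list_risky_modules FILE: print the module identifiers of enabled (uncommented)
# LoadModule lines that belong to the list given in the text.
list_risky_modules() {
    grep -i "^[[:space:]]*LoadModule[[:space:]]" "$1" \
        | awk '$2 ~ /^(imap|include|info|userdir|status|cgi|autoindex)_module$/ {print $2}'
}

# demo_apache_audit: run both checks against a constructed config fragment.
demo_apache_audit() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# constructed sample, not a real Debian apache2.conf
ServerSignature On
ServerTokens Full
LoadModule status_module /usr/lib/apache2/modules/mod_status.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
#LoadModule cgi_module /usr/lib/apache2/modules/mod_cgi.so
EOF
    for d in "ServerSignature Off" "ServerTokens Prod" "TraceEnable Off"; do
        set -- $d
        echo "$1: $(check_directive "$conf" "$1" "$2")"
    done
    echo "risky modules enabled: $(list_risky_modules "$conf" | tr '\n' ' ')"
    rm -f "$conf"
}

demo_apache_audit
```

On the sample this reports ServerSignature as wrong, ServerTokens as wrong, TraceEnable as missing (Apache's default for TraceEnable is On, so "missing" is a finding, not a pass) and status_module as the one risky module still loaded.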

Block the DFind scanner

DFind is a vulnerability scanner, and a real pain in the ***, as it pollutes your Apache log with lines such as this:

84.145.78.74 [16/Oct/2008:18:12:34] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400

How to get rid of this junk ?
The Apache return code is 400, which means the request syntax is invalid. Looking in the error log we see this:

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23)

As the request is invalid, it’s useless to try to block it with a rewrite rule or a mod_security pattern.

The best solution is to block it before it reaches the HTTP server, using iptables, like this:

iptables -I INPUT -d <your_server_ip> -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
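Once the rule is in place, the access log is the easiest place to confirm it works: new hits should stop. The script below is an added example, not part of the original page; it counts scanner requests per source address in an access log, using the same fixed string the iptables rule matches, and runs on constructed log lines in the format shown above. Note that the string match only looks at plaintext in the first 70 bytes of the payload (--to 70), so the same request arriving over HTTPS on port 443 is not caught by it and would still show up in the log.

```sh
#!/bin/sh
# Added example (not from the original page): summarise DFind scanner hits
# per source address from an Apache access log.
set -eu

DFIND_MARK='GET /w00tw00t.at.ISC.SANS.'   # same fixed string as the iptables rule

# dfind_hits LOG: print "IP COUNT" lines, busiest source first.
dfind_hits() {
    grep -F "$DFIND_MARK" "$1" | awk '{print $1}' | sort | uniq -c \
        | sort -rn | awk '{print $2, $1}'
}

# dfind_total LOG: print the total number of scanner requests in LOG
# (grep -c prints 0 and exits 1 when there are none; that is not an error here).
dfind_total() {
    grep -cF "$DFIND_MARK" "$1" || true
}

# demo_dfind: run both functions over a constructed log (three scans from two
# addresses plus one legitimate request).
demo_dfind() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
84.145.78.74 [16/Oct/2008:18:12:34] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400
84.145.78.74 [16/Oct/2008:18:12:35] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400
203.0.113.9 [16/Oct/2008:18:20:01] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400
198.51.100.5 [16/Oct/2008:18:21:10] "GET /index.html HTTP/1.1" 200
EOF
    echo "scanner requests: $(dfind_total "$log")"
    dfind_hits "$log"
    rm -f "$log"
}

demo_dfind
```

Run it as "sh dfind_hits.sh" for the demo, or call dfind_hits /var/log/apache2/access.log (path assumed) from another script to feed a blocklist or a dashboard.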

Restore a machine from a backup

It is very easy under GNU/Linux to restore a system from a full rsync backup. Just follow this procedure:

  • Boot on a liveCD
  • In case of hard-drive change, partition the new HDD using parted
  • Create a temporary directory and mount the root partition of your HDD inside it (/dev/sdb1 in this example):
mkdir /mnt/root_hdd
mount -t ext3 /dev/sdb1 /mnt/root_hdd
  • Restore data from your backup:
rsync -av --numeric-ids --delete --exclude='/proc' --exclude='/sys' /media/<mybackup>/ /mnt/root_hdd/

Data on the root partition will be overwritten, and files that are not in the backup will be deleted.

Now, in case of a disk change, we also need to take care of the boot loader:

  • Install grub:
mount --bind /proc /mnt/root_hdd/proc
mount --bind /dev /mnt/root_hdd/dev
mount --bind /sys /mnt/root_hdd/sys
chroot /mnt/root_hdd
grub-install /dev/sdb1

That’s all, reboot and enjoy.

Active FTP vs passive FTP

Active and passive are the two modes that FTP can run in. FTP is kind of a weird protocol because it uses two ports: one for the command channel (by default TCP 21) and one for the actual data transfer (TCP 20). It’s a nifty way of sending commands to the server without having to wait for the current data transfer to finish, but it makes things pretty difficult when there is NAT and a firewall in the way.

Active mode

In active mode the client connects from a random unprivileged port (N > 1023) to the server’s command port (TCP 21). Then the client starts listening on port N+1 and sends the FTP command PORT N+1 to the server. The server then connects “back” to the client’s specified data port from its local data port (TCP 20).

If both hosts are on the same network, this mode works great. If you have a firewall and/or a router in the way, that’s a different story. To the firewall/router it appears that an outside host is initiating a connection to an “internal” client, which is generally forbidden. And even if it weren’t forbidden, a router doing NAT has no idea which host it should forward the connection to.

Passive mode

In passive mode the client is responsible for initiating both connections to the server, which solves the firewall/router filtering problem. It works like this: when opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). Then it contacts the server on port TCP 21, but instead of issuing a PORT N+1 command it uses the PASV command. In response the server opens a random unprivileged port (P > 1023) and sends the port number back to the client. Then the client initiates the second connection from its second port (N+1) to the server’s specified data port (P).

Which mode should I use?

Short answer: passive mode. There are three reasons for that:

  • pretty much everybody is doing NAT
  • many people use their web browser as an FTP client, and browsers only support passive mode
  • It’s true that passive mode opens up a whole new range of problems on the server side, but you are on the server side 😉

Further Reading and sources