blog.witalis.net

clear ip nat selectively

admin — Sun, 12 May 2013 14:01:33 +0000

On cisco router device you can clear all ip nat translations once doing:

Router#clear ip nat translation *

but when you try remove only one translation you have to write long command i.e.

Router#clear ip nat translation udp inside     outside

which also cannot be easy cut and past from show command result. Fortunetly in cisco device there is a TCL shell, activated by:

Router#tclsh

Sample script to clear ip nat selectively:

proc clearnat {x} {
set result [exec {sh ip nat translation}]
set data [split $result "\n"]

foreach item $data {

    if {[string match *$x* $item]} {
        set wordList [regexp -all -inline {\S+} $item]
        set proto [ lindex $wordList 0 ]
        set insglob [ lindex $wordList 1 ]
        regsub -all ":" $insglob " " insglob
        set inslocal [ lindex $wordList 2 ]
        regsub -all ":" $inslocal " " inslocal
        set outlocal [ lindex $wordList 3 ]
        regsub -all ":" $outlocal " " outlocal
        set outglob [ lindex $wordList 4 ]
        regsub -all ":" $outglob " " outglob
        clear ip nat translation $proto inside $insglob $inslocal outside $outlocal $outglob
    }

}

}

Paste it in tclsh and fire up with:

Router(tcl)#clearnat

For me it was first met of tcl scripting, so it isn’t written optimally. TCL script looks pretty odd to my previous scripting experience ;)

hidepid capabilities of procfs

admin — Wed, 01 May 2013 11:39:19 +0000

RHEL 5.9 introduces new feature which allow to hide some sensitive information about process activity to non-root users. Release notes about new RHEL version doesn’t tell us too much:

Restricting Access to /proc//
The hidepid= and gid= mount options have been added to procfs to allow
restricting of access to /proc// directories.

more technical information about this patch is on

http://www.openwall.com/lists/kernel-hardening/2011/11/15/3

how it looks like in practice:

# mount  | grep ^proc
proc on /proc type proc (rw)

# mount -o remount,hidepid=1 /proc
$ ps ax
  PID TTY      STAT   TIME COMMAND
 2054 pts/0    S      0:00 -bash
 2084 pts/0    R+     0:00 ps ax
$ ls -ld /proc/[0-9]*
dr-xr-xr-x 6 root       root         0 May  1 13:29 /proc/1
dr-xr-xr-x 6 root       root         0 May  1 13:29 /proc/10
$ ls -l /proc/[0-9]*
ls: /proc/1: Operation not permitted
ls: /proc/10: Operation not permitted
...

# mount -o remount,hidepid=2 /proc
$ ps ax
  PID TTY      STAT   TIME COMMAND
 2189 pts/0    S      0:00 -bash
 2218 pts/0    R+     0:00 ps ax
$ ls -ld /proc/[0-9]*
dr-xr-xr-x 6 w.duranek domain users 0 May  1 13:31 /proc/2189
$ id
uid=10000(w.duranek) gid=10(wheel)

# mount -o remount,hidepid=2,gid=10  /proc
$ ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:03 init [3]
    2 ?        S<     0:00 [migration/0]
    3 ?        SN     0:00 [ksoftirqd/0]
...

Scan for new hard disk

admin — Wed, 01 May 2013 11:01:24 +0000

Useful especially in virtual environment to discover hot-added hard disk i.e.:

echo "- - -" > /sys/class/scsi_host/host2/scan

LinuxCon Europe 2012

admin — Tue, 13 Nov 2012 19:19:12 +0000

Lots of interesting post conference materials:

http://events.linuxfoundation.org/events/linuxcon-europe/slides

Perfect nagios plugin ?

admin — Sat, 10 Nov 2012 15:59:24 +0000

How should look like almost perfect nagios plugin ? Look at

http://folk.uio.no/trondham/software/check_openmanage.html

Trusted Path Execution – reduce attack vector

admin — Sat, 10 Nov 2012 15:53:54 +0000

TPE is a feature presented in Grsecurity, which denies users from executing programs that are not owned by root. This approach eliminates some parts of self uploaded exploits by users. Using Grsecurity force us to prepare custom – mainly non-distribution kernel. Nowadays TPE is prepared as separate linux kernel module, which isn’t complicated to test, deploy in supported linux distribution (RHEL/Centos,Ubuntu). Moreover when you using TPE-LKM you get some extra features like hiding processes which doesn’t belong to user or hide from seeing linux kernel module list. Howto prepare, install and configure this module is pretty straightforward [2]. Configuration is provided by sysctl variables described in [1]. Some of TPM-LKM extra features is duplicated by RHEL kernel extensions presented in 6.3 (hidepid parameter) [3], which also add dmesg_restrict feature [4].

[1] https://github.com/cormander/tpe-lkm

[2] https://github.com/cormander/tpe-lkm/blob/master/INSTALL

[3] https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.3_Release_Notes/index.html

[4] https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.3_Technical_Notes/index.html

Apache HTTP Server 2.4 – error logging

admin — Tue, 10 Jul 2012 16:13:32 +0000

Apache 2.4 was introduces couple months ago. Comprehensive list of changes doesn’t contain pretty useful enhancement of error logs, now it includes AH mark before each log entry. So you can easy extract and collect what kind of errors were logged. List of errors: http://wiki.apache.org/httpd/ListOfErrors

Monitoring HTTP on-the-fly

admin — Sun, 13 May 2012 12:01:20 +0000

On my day to day work sometimes I have to discover what request are really pushed to my web servers without digging into access logs. So I found some handy tools.

console ready:

http://justniffer.sourceforge.net/ – pretty nice multi purpose sniffer with http support
http://dumpsterventures.com/jason/httpry/ – packet sniffer for http traffic
http://www.wireshark.org/docs/man-pages/tshark.html - comes from wireshark tool
http://www.circlemud.org/jelson/software/tcpflow/ - multi purpose sniffer with convenient file store format
http://www.rhythm.cx/~steve/devel/tcptrack/ - it is not a sniffer, but it shows us source,amount, tcp state of traffic
http://www.tcpdump.org/ - of course

gui ready:

http://www.wireshark.org/ - with remote capture http://wiki.wireshark.org/CaptureSetup#Step_5:_Capture_traffic_using_a_remote_machine

gui but with capturing http traffic from end user perspective:

http://www.fiddler2.com/fiddler2/
https://addons.mozilla.org/pl/firefox/addon/live-http-headers/
http://getfirebug.com/network
and much more…

Are you Red Hat enterprise ready ?

admin — Sun, 13 May 2012 11:14:05 +0000

Easy to find out just try to download one of the free evaluation copy of RHEL. I’m definitely not ready:

We noticed that your Red Hat Login uses a personal email address. We’re sorry, but users must have an enterprise or business email address to obtain product evaluations.

Proof of the absurd.

Collect data about working system

admin — Sun, 15 Apr 2012 10:35:53 +0000

Pretty simple task get information about particular system, answer read documentation about it. But what if there is no documentation or it’s outdated. One of the solution is to write down some outputs of basic commands, the second solution is to use dedicated software.

The first one which I would recommend is cfg2html [1] it generates pretty nice looking output in html about collected data. It covers vast amount of services running on unix based operating system. It’s a good start point for doing maintenance job, because you know what was before.

The second one is sos. It’s a software bundled in RHEL and its derivates distros, mainly used to help support team to resolve your problems. You can collect data about particular service:

# sosreport -o ssh

or choose all plugins which covers whole operating system. Report it’s placed in /tmp directory.

[1] http://cfg2html.com/