Standard Process for Restoring IPtables at Boot?

04/03/2024 Categories: Réseau

Source: Ubuntu Tutorials

I got to thinking about something the other day when I rebuilt my webserver using Debian 5.0. How does Debian/Ubuntu standardize on reloading the iptables rules at boot time?

I know that Red Hat and its variants use the /etc/sysconfig/iptables file as a save and restore point, and there is an init script, iptables, that starts at boot prior to the network script, but is there a similar standard on Debian/Ubuntu?

The solution I’ve come up with (and I’m very curious to hear what others have done) is the following:

First, I manually enter my base iptables rules…

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 17.88.115.150/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 111.70.51.51/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 16.10.111.177/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable
...etc, etc.

*(ip addresses have been scrambled to protect their identity)

I then run:

iptables-save > /etc/default/iptables

From this point forward I manually update my ruleset by editing the file directly with a text editor.

To reload these rules at boot-time I have added a line to my /etc/network/interfaces configuration as follows:

auto eth0
iface eth0 inet static
address foo
netmask bar
gateway baz
dns-search domain.tld
dns-nameservers foo
pre-up iptables-restore < /etc/default/iptables

That last line tells the machine that, before you activate these network settings, run iptables-restore and read from the file /etc/default/iptables.  This seems to work well enough so far, but I’m still curious what others have done.  Do you simply write an init script on your own and maintain the ruleset within that file?  Do you use a file similar to what I’ve done, but source it via an init script?  I’m curious, as there does not seem to be a standard that I’m aware of.
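As an added example, not code from the original post: a small script that generates the ruleset in the iptables-save format the post restores, and checks the file before a pre-up line is pointed at it. The check is worth having because ifupdown refuses to configure the interface when a pre-up command fails, so a typo in the file leaves eth0 down rather than unfiltered, while a file that loads fine but has the SSH allow rule after the catch-all reject locks you out of the box. The example uses the conntrack match in place of the older state match and emits IPv4 rules only: ip6tables-restore needs its own file, and the interfaces stanza above filters nothing on IPv6. On current Debian and Ubuntu the iptables-persistent package standardizes exactly this arrangement, restoring /etc/iptables/rules.v4 and rules.v6 from the netfilter-persistent service, and the file format is the same. Addresses, the output path and the function names below are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a ruleset in the
# iptables-save format that iptables-restore reads, following the pattern
# the post uses (loopback, established traffic, SSH from a short allow-list,
# reject everything else), and sanity-checks the file before it is ever
# pointed at by a pre-up line. Addresses, paths and function names here
# are placeholders chosen for the example.

# Emit a complete *filter table for IPv4.
# $1: space-separated list of source addresses allowed to open SSH.
gen_ruleset() {
    allow="$1"
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for src in $allow; do
        printf '%s\n' "-A INPUT -s $src -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-host-unreachable' \
        'COMMIT'
}

# Structural checks on a saved ruleset. They catch the edits that either
# lock the admin out (SSH allow placed after the catch-all reject, loopback
# not accepted) or make iptables-restore fail outright (missing COMMIT), in
# which case the chains keep whatever was loaded before, i.e. nothing at boot.
check_ruleset() {
    f="$1"
    grep -q '^\*filter$' "$f" || { echo "$f: no *filter table" >&2; return 1; }
    grep -q '^COMMIT$' "$f"   || { echo "$f: missing COMMIT" >&2; return 1; }
    grep -q -- '-i lo -j ACCEPT' "$f" || { echo "$f: loopback not accepted" >&2; return 1; }
    awk '/^-A INPUT -j (REJECT|DROP)/ { if (!catch) catch = NR }
         /--dport 22/ && /-j ACCEPT/   { if (!ssh)   ssh   = NR }
         END { exit !(ssh && (!catch || ssh < catch)) }' "$f" \
        || { echo "$f: no SSH allow rule ahead of the catch-all reject" >&2; return 1; }
}

# Optional kernel-side parse: iptables-restore --test builds the ruleset
# without committing it. Needs root and a netfilter-capable kernel, so it is
# kept separate from the pure-text checks above.
kernel_check() {
    iptables-restore --test "$1"
}

# Usage (IPv4 only; ip6tables needs its own file, since e.g. the reject type
# differs): sh gen-rules.sh 192.0.2.10/32 198.51.100.7/32 > /etc/iptables/rules.v4
if [ "$#" -gt 0 ]; then
    gen_ruleset "$*"
fi
```

Run check_ruleset on the file every time it is hand-edited, and only then let the pre-up line (or netfilter-persistent) load it; the same two functions work unchanged for an ip6tables file apart from the reject type.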


Delete files by creation date

04/03/2024 Categories: Système

source: http://ubuntuforums.org/showthread.php?t=625132
On the command line, you can use the “find” command to select certain files, and then use its “-exec” action to run some other command on each of them. If the command is “rm”, the files that are found are deleted. So, for example:

Code:
 find -mmin +4 -exec rm {} +

will delete anything in the current directory (and its sub-directories) whose modification time is more than 4 minutes in the past: “-mmin +4” selects entries modified more than 4 minutes ago, and GNU find searches “.” when no starting point is given. There are related tests such as “-mtime”, which counts in days instead of minutes; a “+” or “-” in front of the number selects entries older or newer than that age, and a bare number means exactly that age. Two things the example leaves out: despite the title, find cannot select on creation date, because Unix file systems traditionally expose only modification, access and inode-change times; and without “-type f” the match also includes directories, which rm will refuse to remove (and which ls will list the contents of). For a more complete explanation of all the options, see the manual page:
http://unixhelp.ed.ac.uk/CGI/man-cgi?find

Be careful when using the rm command! It’s usually a good idea to test your command first, before using it. So, for instance, use something like:

Code:
 find -mmin +4 -exec ls {} +

which will just list the files that you are selecting for. If the list looks right, then you can switch the “ls” to “rm” in the command and it will delete the files.
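The list-first, delete-second workflow above, wrapped in a function as an added example (not from the forum post): the selection is restricted to regular files so that directories are never handed to rm, the age is validated, and the same find expression is used for both the dry run and the deletion, so what you reviewed is exactly what gets removed. The directory, age and function name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the forum post. Wraps the find/-exec idiom in a
# function with a list-first, delete-second workflow, limited to regular
# files so that directories are never handed to rm. Directory and age are
# arguments; the names here are chosen for the example.

# prune_older_than DIR MINUTES [delete]
# Without the third argument, prints the regular files under DIR whose
# modification time is more than MINUTES minutes in the past. With "delete"
# as the third argument, removes exactly that set. find has no portable
# creation-time test, so -mmin and -mtime look at mtime, not birth time.
prune_older_than() {
    dir="$1"
    mins="$2"
    mode="${3:-list}"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    case "$mins" in
        ''|*[!0-9]*) echo "minutes must be a non-negative integer: $mins" >&2; return 2 ;;
    esac
    if [ "$mode" = delete ]; then
        # -exec ... {} + batches many paths into one rm call, as in the post.
        find "$dir" -type f -mmin "+$mins" -exec rm -f -- {} +
    else
        find "$dir" -type f -mmin "+$mins" -print
    fi
}

# Usage: sh prune.sh /var/tmp/uploads 60          # review the list first
#        sh prune.sh /var/tmp/uploads 60 delete   # then remove it
if [ "$#" -ge 2 ]; then
    prune_older_than "$@"
fi
```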


Disable creation of .AppleDouble files on Mac OS X

03/03/2024 Categories: Logiciel

Because files on a Mac can carry multiple forks, the AppleDouble trick (the ._ files) preserves the data of those forks on file systems that cannot store them natively, so Mac OS X needs them in order to operate on such files.

However, most of these files are created when the same volume is mounted through AFP rather than SMB/CIFS or NFS. In that case, the AFP server may have configuration options for dealing with the AppleDouble files (see, for instance, this blog post).

To get rid of AppleDouble files, you can use the dot_clean command on a Mac:

dot_clean --keep=dotbar /Volumes/mounted_smb_volume

where mounted_smb_volume would be the name of the mounted volume, and --keep=dotbar tells dot_clean to prefer the data in the ._ file over the native file's attributes when both exist. Read more…


Filtering ssh connections

03/03/2024 Categories: Réseau

SSH gatekeeper

If you run a server with ssh enabled, it will not be long before you see messages like these in /var/log/auth.log:

...
Mar 11 12:48:21 serv sshd[12956]: Failed password for invalid user root from 64.71.148.162 port 47270 ssh2
Mar 11 15:45:04 serv sshd[6954]: Did not receive identification string from 210.21.30.72
Mar 11 15:46:48 serv sshd[7041]: Did not receive identification string from 81.93.188.5
Mar 11 15:47:50 serv sshd[7106]: User root from 210.21.30.72 not allowed because none of user's groups are listed in AllowGroups
Mar 11 15:47:50 serv sshd[7106]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.21.30.72  user=root
Mar 11 15:47:52 serv sshd[7106]: Failed password for invalid user root from 210.21.30.72 port 54346 ssh2
Mar 11 15:49:33 serv sshd[7241]: User root from 81.93.188.5 not allowed because none of user's groups are listed in AllowGroups
Mar 11 15:49:33 serv sshd[7241]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.93.188.5  user=root
Mar 11 15:49:35 serv sshd[7241]: Failed password for invalid user root from 81.93.188.5 port 44663 ssh2
Mar 12 00:51:18 serv sshd[22229]: User root from host.ongamemarketing.com not allowed because none of user's groups are listed in AllowGroups
Mar 12 00:51:18 serv sshd[22229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.ongamemarketing.com  user=root
Mar 12 00:51:20 serv sshd[22229]: Failed password for invalid user root from 174.133.12.130 port 48089 ssh2
Mar 12 00:51:22 serv sshd[22236]: User root from host.ongamemarketing.com not allowed because none of user's groups are listed in AllowGroups
Mar 12 00:51:22 serv sshd[22236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.ongamemarketing.com  user=root
Mar 12 00:51:24 serv sshd[22236]: Failed password for invalid user root from 174.133.12.130 port 48521 ssh2
Mar 12 01:47:10 serv sshd[30827]: Did not receive identification string from 114.200.199.144
Mar 12 01:53:17 serv sshd[31227]: Invalid user staff from 114.200.199.144
Mar 12 01:53:17 serv sshd[31227]: pam_unix(sshd:auth): check pass; user unknown
Mar 12 01:53:17 serv sshd[31227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.200.199.144
Mar 12 01:53:19 serv sshd[31227]: Failed password for invalid user staff from 114.200.199.144 port 35343 ssh2
Mar 12 01:53:27 serv sshd[31234]: Invalid user sales from 114.200.199.144
...

You need to be able to connect over ssh from the local network and from outside, but you want to limit the risks. There are several solutions, which can be combined: Read more…
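One of the usual responses to the log noise above, a fail2ban-style tally of repeat offenders in auth.log, as an added example that is not part of the original post. The sample log lines are constructed for the example in the format sshd writes, using addresses from the documentation ranges; the function names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: a fail2ban-style tally of
# repeat offenders in auth.log. The sample log lines below are constructed
# for the example, with addresses from the documentation ranges; the
# function names are placeholders.

# Constructed sample in the format sshd writes to /var/log/auth.log.
sample_log() {
    cat <<'EOF'
Mar 11 12:48:21 serv sshd[12956]: Failed password for invalid user root from 192.0.2.10 port 47270 ssh2
Mar 11 12:48:25 serv sshd[12958]: Failed password for invalid user admin from 192.0.2.10 port 47281 ssh2
Mar 11 12:48:29 serv sshd[12960]: Invalid user staff from 192.0.2.10
Mar 11 12:48:29 serv sshd[12960]: pam_unix(sshd:auth): check pass; user unknown
Mar 11 12:48:31 serv sshd[12960]: Failed password for invalid user staff from 192.0.2.10 port 47290 ssh2
Mar 11 12:50:02 serv sshd[13001]: Did not receive identification string from 198.51.100.7
Mar 11 12:51:14 serv sshd[13020]: Failed password for invalid user root from 198.51.100.7 port 50110 ssh2
Mar 11 12:52:40 serv sshd[13044]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2
Mar 11 12:53:01 serv sshd[13050]: Failed password for alice from 203.0.113.5 port 51030 ssh2
Mar 11 12:54:00 serv sshd[13060]: Failed password for invalid user root from host.example.net port 40000 ssh2
EOF
}

# ssh_offenders LOGFILE [THRESHOLD]
# Prints "count address" for every source with at least THRESHOLD (default 3)
# failed logins, invalid-user attempts or bare connection probes, most active
# first. Hostnames (sshd logs them when UseDNS is on) are skipped: only a
# literal IPv4 address can go into a firewall rule without a lookup.
ssh_offenders() {
    awk -v min="${2:-3}" '
        /sshd\[[0-9]+]: (Failed password|Invalid user|Did not receive identification string)/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
            if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[src]++
        }
        END { for (s in n) if (n[s] >= min) printf "%d %s\n", n[s], s }
    ' "$1" | sort -rn
}

# ssh_block_rules LOGFILE [THRESHOLD]
# Turns the tally into iptables commands, inserted at the top of INPUT so
# they take precedence over any SSH allow rule further down. Printed, not
# executed: review the list before running it.
ssh_block_rules() {
    ssh_offenders "$1" "$2" | while read -r count addr; do
        printf '%s\n' "iptables -I INPUT -s $addr/32 -p tcp --dport 22 -j DROP   # $count attempts"
    done
}

# Usage: sh offenders.sh /var/log/auth.log 5
if [ "$#" -ge 1 ]; then
    ssh_block_rules "$@"
fi
```

The tally deliberately counts "Did not receive identification string" lines too: a source that opens the port without speaking SSH is scanning, and on a host where admin access comes from a few fixed addresses there is no reason to let it keep trying.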


par2 – PAR 2.0 compatible file verification and repair tool

02/03/2024 Categories: Logiciel

Source: Ubuntu manuals

raring (1) par2.1.gz
Provided by: par2_0.4-11build1_i386 

NAME
par2 – PAR 2.0 compatible file verification and repair tool.

SYNOPSIS
 par2 c(reate) [options] <par2 file> [files]
 par2 v(erify) [options] <par2 file> [files]
 par2 r(epair) [options] <par2 file> [files]

Or:

 par2create [options] <par2 file> [files]
 par2verify [options] <par2 file> [files]
 par2repair [options] <par2 file> [files]

DESCRIPTION

par2 is a program for creating and using PAR2 files to detect damage in
data files and repair them if necessary. It can be used with any kind
of file. Read more…
