Databases, Systems & Networks

Source: Daniel Miessler

• Key Options
• Getting Information About the Network
• User Information
• Commands and Processes
• Files and Directories
• Advanced

lsof is the sysadmin/security über-tool. I use it most for getting network connection related information from a system, but that’s just the beginning for this powerful and too-little-known application. The tool is aptly called lsof because it “lists open files“. And remember, in UNIX just about everything (including a network socket) is a file.

Interestingly, lsof is also the Linux/Unix command with the most switches. It has so many it has to use both minuses and pluses.

usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]]
 [-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]

As you can see, lsof has a truly staggering number of options. You can use it to get information about devices on your system, what a given user is touching at any given point, or even what files or network connectivity a process is using.

Lire la suite…

Using iptables to list filtering rules is OK. Running this command in a shell loop can help but it needs that you write a shell script.

Another convenient way is to use the watch command:

watch --interval 0 'iptables -nvL'

or

sudo watch --interval 0 'iptables -nvL'

depending on whether you’re logged as super-user or not.

This will show a permanent iptables -L with a refresh interval that can be specified:

watch --interval 0 'iptables -nvL'

will refresh every second.

Typical output will be:

Every 10,0s: iptables -nvL                                                                                         Tue Nov  3 16:35:19 2015

Chain INPUT (policy DROP 44001 packets, 2444K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   160 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
  11M 1770M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 107K 6878K ACCEPT     tcp  --  *      *       78.193.xx.xx         0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       195.154.xx.xx        0.0.0.0/0
 231K   14M ACCEPT     tcp  --  *      *       213.36.xx.xx         0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       195.154.xx.xx        0.0.0.0/0
    2    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:548
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
 1475  139K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  134  9600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
  110  6563 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:943
 136K 9529K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
 1423 85360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4949
    3   120 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:873 state NEW,ESTABLISHED
   24  1910 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:162
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:119
    2    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3000
  156  7584 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
 2952  177K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       172.27.xx.xx/24      0.0.0.0/0
    0     0 ACCEPT     tcp  --  as0t0  *       0.0.0.0/0            0.0.0.0/0
    3   192 ACCEPT     tcp  --  as0t1  *       0.0.0.0/0            0.0.0.0/0

Dans un réseau ethernet relié par un concentrateur (ou hub), chaque machines reçoit tous les paquets qui circulent sur le réseau. En fonctionnement normal, les cartes réseau ne réceptionnent que les paquets qui leur sont destinés, mais on peut faire en sorte qu’elles transmettent tous les paquets au système et les inspecter avec tcpdump.

Les hubs sont de moins en moins utilisés. Ils sont généralement remplacés par des commutateurs (ou switch) qui savent déterminer (en fonction de l’adresses MAC) sur quel câble il faut envoyer un paquet. Les machines ne reçoivent donc généralement que les paquets qui leur sont destinés.

L’utilitaire tcpdump permet d’inspecter les paquets qui sont reçus et transmis par une carte réseau.

Filtrage

Il est possible de sélectionner les paquets à “écouter” en fonction d’expressions. Ainsi, ne seront affichées / traitées que les informations pour lesquelles le résultat de l’expression est vérifié. Une expression est composée de primitives et d’opérateurs logiques.

Une primitive est un identifiant précédé de mots clés qui indiquent le type de l’identifiant. Par exemple la primitive src port 21 contient les éléments suivants :

• le mot clé src qui indique que l’identifiant ne porte que sur la source du paquet
• le mot clé port qui indique que l’identifiant est le port du paquet
• l’identifiant 21

La primitive correspond donc au port source 21.

Lire la suite…

Source: nixCRAFT

You need to use the sudo command which is use to execute a command as another user. It allows a permitted user to execute a command as the superuser or another user, as specified in the /etc/sudoers (config file that defines or list of who can run what) file. The sudo command allows users to do tasks on a Linux system as another user.

sudo command

sudo is more more secure than su command. By default it logs sudo usage, command and arguments in /var/log/secure (Red Hat/Fedora / CentOS Linux) or /var/log/auth.log (Ubuntu / Debian Linux).

If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default. Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (15 minutes unless overridden in sudoers).

/etc/sudoers Syntax

Following is general syntax used by /etc/sudoers file:

USER HOSTNAME=COMMAND

Where,

• USER: Name of normal user
• HOSTNAME: Where command is allowed to run. It is the hostname of the system where this rule applies. sudo is designed so you can use one sudoers file on all of your systems. This space allows you to set per-host rules.
• COMMAND: A simple filename allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify “” to indicate that the command may only be run without command line arguments.

Lire la suite…

Source: nixCraft

I have a backup sync program on local server. I have an ssh password less login set up, and I can run commands on an external server in bash script doing:

ssh root@server2 "sync; sync; /sbin/shutdown -h now"

How do I run multiple commands in bash on a remote Unix or Linux server? What is the best Way to SSH in and Run various unix commands in bash?

There are various ways to run multiple commands on a remote Unix server. The syntax is as follows:

Simple bash syntax to run multiple commands on remote machine

Simply run command2 if command1 successful on a remote host called foo
$ ssh bar@foo "command1 && command2"
Run date and hostname commands:
$ ssh user@host "date && hostname"
You can run sudo command as follows on a remote box called server1.cyberciti.biz:
$ ssh -t vivek@server1.dbsysnet.com "sudo /sbin/shutdown -h now"
And, finally:
$ ssh root@server1.dbsysnet.com "sync && sync && /sbin/shutdown -h now"

Lire la suite…