Source: Daniel Miessler

lsof is the sysadmin/security über-tool. I use it most for getting network connection related information from a system, but that’s just the beginning for this powerful and too-little-known application. The tool is aptly called lsof because it “lists open files”. And remember, in UNIX just about everything (including a network socket) is a file.
Interestingly, lsof is also the Linux/Unix command with the most switches. It has so many it has to use both minuses and pluses.
usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]]
[-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
As you can see, lsof has a truly staggering number of options. You can use it to get information about devices on your system, what a given user is touching at any given point, or even what files or network connectivity a process is using.
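As an added example (not code from Daniel Miessler's post), the Python below parses the machine-readable output of lsof's -F switch, visible in the usage line above, and lists the TCP sockets in LISTEN state. The sample output is constructed, not captured from a real host.

```python
# Constructed sample of `lsof -n -P -i -F pcfPnT` output (not from a real host). With -F,
# lsof prints one field per line (letter + value); 'p' opens a process record, 'f' a file.
SAMPLE = """p812
csshd
f3
PTCP
n*:22
TST=LISTEN
p1440
cpython3
f5
PTCP
n127.0.0.1:8000
TST=LISTEN
f6
PTCP
n10.0.0.5:51234->93.184.216.34:443
TST=ESTABLISHED
"""

def parse_lsof_fields(text):
    """Yield one dict per file record, carrying the owning process's pid and command."""
    proc, rec = {}, None
    for line in text.splitlines():
        key, value = line[0], line[1:]
        if key == "p":                      # process id
            proc = {"pid": int(value)}
        elif key == "c":                    # command name
            proc["command"] = value
        elif key == "f":                    # file descriptor: starts a new record
            if rec is not None:
                yield rec
            rec = dict(proc, fd=value)
        elif key == "P":                    # protocol (TCP, UDP)
            rec["proto"] = value
        elif key == "n":                    # name, e.g. local:port->remote:port
            rec["name"] = value
        elif key == "T":                    # TCP/TPI info such as ST=LISTEN, QR=0
            k, v = value.split("=", 1)
            rec["T" + k] = v
    if rec is not None:
        yield rec

def listening_tcp(text):
    """(pid, command, bound address) for every TCP socket in LISTEN state."""
    return sorted((r["pid"], r["command"], r["name"])
                  for r in parse_lsof_fields(text)
                  if r.get("proto") == "TCP" and r.get("TST") == "LISTEN")
```

Feed it the real thing with `lsof -n -P -i -F pcfPnT` to get a quick inventory of what is listening and which process owns it.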
Read more…
Using iptables to list filtering rules is fine. Running the command in a shell loop can help, but that requires writing a shell script.
Another convenient way is to use the watch command:
watch --interval 0 'iptables -nvL'
or
sudo watch --interval 0 'iptables -nvL'
depending on whether you are logged in as the super-user or not.
This will show a permanent iptables -L with a refresh interval that can be specified:
watch --interval 0 'iptables -nvL'
will refresh every second.
Typical output will be:
Every 10,0s: iptables -nvL Tue Nov 3 16:35:19 2015
Chain INPUT (policy DROP 44001 packets, 2444K bytes)
pkts bytes target prot opt in out source destination
3 160 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
11M 1770M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
107K 6878K ACCEPT tcp -- * * 78.193.xx.xx 0.0.0.0/0
0 0 ACCEPT tcp -- * * 195.154.xx.xx 0.0.0.0/0
231K 14M ACCEPT tcp -- * * 213.36.xx.xx 0.0.0.0/0
0 0 ACCEPT tcp -- * * 195.154.xx.xx 0.0.0.0/0
2 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:548
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
1475 139K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
134 9600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
110 6563 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:943
136K 9529K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
1423 85360 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4949
3 120 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873 state NEW,ESTABLISHED
24 1910 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:161
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:162
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:119
2 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3000
156 7584 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
2952 177K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 172.27.xx.xx/24 0.0.0.0/0
0 0 ACCEPT tcp -- as0t0 * 0.0.0.0/0 0.0.0.0/0
3 192 ACCEPT tcp -- as0t1 * 0.0.0.0/0 0.0.0.0/0
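Where watch only lets you eyeball the counters changing, the following added Python (not part of the original post) compares two `iptables -nvL` snapshots in the layout shown above and reports the rules and chain policies whose packet counters grew. Both snapshots are constructed, not taken from the host above.

```python
import re

# Constructed `iptables -nvL` snapshot in the layout shown above (not taken from a real
# host); AFTER is the same snapshot a few seconds later with two counters advanced.
BEFORE = """Chain INPUT (policy DROP 44001 packets, 2444K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   160 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
  11M 1770M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3000

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
AFTER = BEFORE.replace("44001 packets", "44007 packets").replace(
    "    3   160 fail2ban-ssh", "   15   800 fail2ban-ssh")

SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def counter(text):
    """Convert a counter such as '1770M' to an int (iptables abbreviates with K/M/G)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    return int(m.group(1)) * SUFFIX[m.group(2)]

def parse_counters(output):
    """Map (chain, rule index) -> (packets, rule text); the chain policy uses key 'policy'."""
    rules, chain, idx = {}, None, 0
    for line in output.splitlines():
        m = re.match(r"Chain (\S+) \((.*)\)", line)
        if m:                                   # chain header; user chains show '(N references)'
            chain, idx = m.group(1), 0
            p = re.match(r"policy (\S+) (\S+) packets", m.group(2))
            if p:
                rules[(chain, "policy")] = (counter(p.group(2)), "policy " + p.group(1))
            continue
        f = line.split()
        if len(f) < 9 or f[0] == "pkts":        # blank separator or column header
            continue
        rules[(chain, idx)] = (counter(f[0]), " ".join(f[2:]))
        idx += 1
    return rules

def rules_with_hits(before, after):
    """Rules and policies whose packet counter grew between the two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return [(c, k, a[c, k][0] - b[c, k][0], a[c, k][1])
            for (c, k) in a if (c, k) in b and a[c, k][0] > b[c, k][0]]
```

Rules are keyed by position within their chain, so a rule inserted between two snapshots shifts the indexes; compare snapshots taken without ruleset changes in between.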
On an Ethernet network connected through a hub (concentrateur), every machine receives all the packets travelling on the network. In normal operation, network cards only accept the packets addressed to them, but they can be made to pass every packet up to the system so it can be inspected with tcpdump.
Hubs are used less and less. They are generally replaced by switches (commutateurs), which know (based on the MAC address) which cable a packet must be sent on. Machines therefore generally only receive the packets addressed to them.
The tcpdump utility lets you inspect the packets received and transmitted by a network card.
Filtering
The packets to “listen” to can be selected with expressions: only the packets for which the expression evaluates to true are displayed / processed. An expression is made up of primitives and logical operators.
A primitive is an identifier preceded by keywords that indicate the identifier's type. For example, the primitive src port 21 contains the following elements:
- the keyword src, which indicates that the identifier applies only to the source of the packet
- the keyword port, which indicates that the identifier is the packet's port
- the identifier 21
The primitive therefore matches source port 21.
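As an added illustration (not from the original article), this Python evaluates tcpdump-style filter expressions built from the primitives described above (host and port with an optional src/dst qualifier, plus the tcp/udp/icmp protocol keywords) combined with not, and, or, against constructed packet records. It is a simplified model of the filter semantics, not tcpdump's own filter compiler.

```python
# Constructed packet records (not captured traffic) carrying the fields the
# primitives refer to; this is a simplified model of tcpdump's filter semantics.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 21, "dst": "10.0.0.9", "dport": 40001},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 40001, "dst": "10.0.0.5", "dport": 21},
    {"proto": "udp", "src": "10.0.0.5", "sport": 53, "dst": "10.0.0.9", "dport": 5353},
    {"proto": "icmp", "src": "10.0.0.7", "sport": None, "dst": "10.0.0.5", "dport": None},
]

def primitive(tokens, i):
    """Parse one primitive (e.g. 'src port 21') at tokens[i]; return (predicate, next i)."""
    qual = None
    if tokens[i] in ("src", "dst"):              # optional qualifier: which side of the packet
        qual, i = tokens[i], i + 1
    kw = tokens[i]
    if kw in ("tcp", "udp", "icmp"):             # protocol keyword needs no identifier
        return (lambda p, k=kw: p["proto"] == k), i + 1
    ident = tokens[i + 1]                        # the identifier: an address or a port number
    sides = {"src": ["src"], "dst": ["dst"], None: ["src", "dst"]}[qual]
    if kw == "host":
        return (lambda p, s=sides, v=ident: any(p[x] == v for x in s)), i + 2
    if kw == "port":                             # 'src' -> 'sport', 'dst' -> 'dport'
        return (lambda p, s=sides, v=int(ident): any(p[x[0] + "port"] == v for x in s)), i + 2
    raise ValueError("unknown primitive keyword: " + kw)

def factor(tokens, i):                           # 'not' binds tightest
    if tokens[i] == "not":
        f, i = factor(tokens, i + 1)
        return (lambda p: not f(p)), i
    return primitive(tokens, i)

def term(tokens, i):                             # 'and' binds tighter than 'or'
    f, i = factor(tokens, i)
    while i < len(tokens) and tokens[i] in ("and", "&&"):
        g, i = factor(tokens, i + 1)
        f = (lambda p, a=f, b=g: a(p) and b(p))
    return f, i

def expr(tokens, i):
    f, i = term(tokens, i)
    while i < len(tokens) and tokens[i] in ("or", "||"):
        g, i = term(tokens, i + 1)
        f = (lambda p, a=f, b=g: a(p) or b(p))
    return f, i

def matching(expression, packets):
    tokens = expression.split()
    pred, i = expr(tokens, 0)
    if i != len(tokens):
        raise ValueError("could not parse: " + " ".join(tokens[i:]))
    return [p for p in packets if pred(p)]
```

matching("src port 21", PACKETS) keeps only the first record, exactly as the article's primitive describes; without the src qualifier the second record (destination port 21) matches as well.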
Read more…
Source: nixCRAFT
You need to use the sudo command, which is used to execute a command as another user. It allows a permitted user to execute a command as the superuser or another user, as specified in the /etc/sudoers file (the configuration file that defines who can run what). In short, the sudo command allows users to do tasks on a Linux system as another user.
sudo command
sudo is more secure than the su command. By default it logs sudo usage, command and arguments in /var/log/secure (Red Hat / Fedora / CentOS Linux) or /var/log/auth.log (Ubuntu / Debian Linux).
If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default. Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (15 minutes unless overridden in sudoers).
/etc/sudoers Syntax
The general syntax used by the /etc/sudoers file is:
USER HOSTNAME=COMMAND
Where,
- USER: Name of normal user
- HOSTNAME: Where command is allowed to run. It is the hostname of the system where this rule applies. sudo is designed so you can use one sudoers file on all of your systems. This space allows you to set per-host rules.
- COMMAND: A simple filename allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run without command line arguments.
Read more…
Source: nixCraft
I have a backup sync program on a local server. I have passwordless ssh login set up, and I can run commands on an external server in a bash script by doing:
ssh root@server2 "sync; sync; /sbin/shutdown -h now"
How do I run multiple commands in bash on a remote Unix or Linux server? What is the best way to SSH in and run various Unix commands in bash?
There are various ways to run multiple commands on a remote Unix server. The syntax is as follows:
Simple bash syntax to run multiple commands on remote machine
Simply run command2 if command1 is successful on a remote host called foo:
$ ssh bar@foo "command1 && command2"
Run date and hostname commands:
$ ssh user@host "date && hostname"
You can run a sudo command as follows on a remote box called server1.cyberciti.biz:
$ ssh -t vivek@server1.dbsysnet.com "sudo /sbin/shutdown -h now"
And, finally:
$ ssh root@server1.dbsysnet.com "sync && sync && /sbin/shutdown -h now"
Read more…