Software – Page 2 – Milan's blog

Adaptive DDOS IDS firewall

We had a task to build a simple solution for DDOS protection on the learning phase of attack. Main goals were:

To build it fast: We chose Ubuntu … as everything needed is compiled and build in.
Minimum network intervention: We opted for L2/L3 bridge with iptables integration which we plugged between our autonomous system (AS) and internet.
Auto learning offenders: Using honeypot service to distinguish non-legitimate connections. Log source IP address and drop packet with iptables. Using suricata ids to additionally analyze client requests.
Auto block offenders: Using fail2ban to pars logs generated by iptables and suricata and temporary disable all connections from offending sources.
Have some connection limit capabilities: Again we used iptables with connlimit and conntrack modules activated.

Continue reading “Adaptive DDOS IDS firewall”

OpenWrt mass configure simple script

#!/bin/bash
cmd=". /etc/profile; $1; exit;"
echo $cmd

for i in 1 2 4 7 9 10 11
do
 ssh -i /root/.ssh/id_rsa 192.168.98.$i $cmd </dev/null

done

#!/bin/bash

cmd=". /etc/profile; $1; exit;"

echo $cmd

for i in 1 2 4 7 9 10 11

ssh -i /root/.ssh/id_rsa 192.168.98.$i $cmd </dev/null

done

sh remote_exec.sh  "uci set wireless.@wifi-device[0].isolate=1"
sh remote_exec.sh  "logread -l 1000|grep bc:cf:cc:74:d0:11"

1 2	sh remote_exec.sh "uci set wireless.@wifi-device[0].isolate=1" sh remote_exec.sh "logread -l 1000\|grep bc:cf:cc:74:d0:11"

How to remove duplicated VMs in VMM console

Move machine to another hyper-v host via Failover Cluster Manager Console
Get ID of duplicated VM

PowerShell

Get-SCVirtualMachine -Name "VMName" |fl id,vmid, virtualmachinestate, hostname

1

Get-SCVirtualMachine -Name "VMName" |fl id,vmid, virtualmachinestate, hostname
Double check working and duplicated machine

PowerShell

get-vm -id "ID" | fl id,vmid, virtualmachinestate, hostname

1

get-vm -id "ID" | fl id,vmid, virtualmachinestate, hostname
Delete duplicated VM configuration

PowerShell

get-vm -id "ID" |Remove-SCVirtualMachine -Force

1

get-vm -id "ID" |Remove-SCVirtualMachine -Force

Note the -Force option! You are risking to delete your data If you do NOT put -Force.

Exchange mailbox statistics in MB

Get-Mailbox -ignoredefaultscope|Get-MailboxStatistics| select DisplayName,MailboxGuid, Database, StorageLimitStatus,itemcount,LastLogonTime , @{expression = {$_.TotalItemSize.Value.ToMB()}; label="TotalItemSizeMB"},@{expression = {$_.TotalDeletedItemSize.Value.ToMB()}; label="TotalDeletedItemSizeMB"}|export-csv C:\tmp\export.csv -encoding Unicode

Get-Mailbox -ignoredefaultscope|Get-MailboxStatistics| select DisplayName,MailboxGuid, Database, StorageLimitStatus,itemcount,LastLogonTime , @{expression = {$_.TotalItemSize.Value.ToMB()}; label="TotalItemSizeMB"},@{expression = {$_.TotalDeletedItemSize.Value.ToMB()}; label="TotalDeletedItemSizeMB"}|export-csv C:\tmp\export.csv -encoding Unicode

Openvpn on OpenWRT does not start

with error:

Sat Mar 14 20:48:43 2015 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.0.254:1194: Cannot assign requested address

1	Sat Mar 14 20:48:43 2015 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.0.254:1194: Cannot assign requested address

try to add to /etc/rc.local:

sleep 10s
/etc/init.d/openvpn start

1 2	sleep 10s /etc/init.d/openvpn start

Daewoo Lanos SRS/Airbag test

What you will need:
1. K-Line adapter connected to pin ” J”
2. Chevrolet Explorer 1.7 (free to use)

Procedure overview:
1. Get (or solder) a K-Line adapter.
2. Download Chevrolet Explorer (CE).
3. Connect to ALDL pins:Ground, +12V, J.
4. Turn on ignition. Do not start engine.
4. Start CE, set up COM Port, test adapter.
5. Double click “SRS” button (in orange).
6. Read Errors, clear errors.
7. Remove car key for 10 seconds.
8. Turn on ignition again.

Electric schematic:

Chevrolet Explorer:

Port setup:

Adapter test:

Airbag reset:

K-Line adapter schematic (can’t find original link):

Upcoming pfSense 2.2 CARP under Hyper-V

It seems that CARP under Hyper-V does not work.
There is a tension between pfSense developers and Key4ce member who seems to got it working.
In short if you need CARP in VM go to pfSense fork VirtualPF.

Postfix tips

Fast and dirty parsing of /var/log/mail.log.

#!/bin/bash
cat /var/log/mail.log|grep "> -> <"|awk '{print $1," "$2," "$3," "$13," "$15," "$17}'|tr -d ','|while read p; do
  mid=$(echo $p|awk '{print $6}')
  sender=$(echo $p|awk '{print $4}')
  if [ $sender != "Message-ID:" -a $sender != "->" ]
  then
        status=$(cat /var/log/mail.log|grep $mid |grep -Eo "status=\w+")
        echo $p $status
  fi
done

#!/bin/bash

cat /var/log/mail.log|grep "> -> <"|awk '{print $1," "$2," "$3," "$13," "$15," "$17}'|tr -d ','|while read p; do

mid=$(echo $p|awk '{print $6}')

sender=$(echo $p|awk '{print $4}')

if [ $sender != "Message-ID:" -a $sender != "->" ]

then

status=$(cat /var/log/mail.log|grep $mid |grep -Eo "status=\w+")

echo $p $status

done

It shows: date, sender, recipient, mail id, status

Oct 31 00:34:14 <noreplay@sender.com> <sibbbbl@icccon.bg> EBE5640D38 status=sent
Oct 31 00:34:24 <noreplay@sender.com> <sbbbbt@mariccc.org> 1396F40D39 status=sent
Oct 31 00:34:24 <noreplay@sender.com> <m.gbbbbieva@cccumen.bg> 3094940D3A status=sent
Oct 31 00:34:33 <noreplay@sender.com> <fibbbbi@dicccr.bg> 3957640D3B status=sent
Oct 31 00:34:34 <noreplay@sender.com> <sbbbbtli@mccc.bg> 47FE840D3C status=sent
Oct 31 00:34:43 <noreplay@sender.com> <bbbbitly@maccc.bg> 61C3440D3D status=sent
Oct 31 00:34:44 <noreplay@sender.com> <sitobbbbsi@maccc.bg> 724F340D3E status=sent

Oct 31 00:34:14 <noreplay@sender.com> <sibbbbl@icccon.bg> EBE5640D38 status=sent

Oct 31 00:34:24 <noreplay@sender.com> <sbbbbt@mariccc.org> 1396F40D39 status=sent

Oct 31 00:34:24 <noreplay@sender.com> <m.gbbbbieva@cccumen.bg> 3094940D3A status=sent

Oct 31 00:34:33 <noreplay@sender.com> <fibbbbi@dicccr.bg> 3957640D3B status=sent

Oct 31 00:34:34 <noreplay@sender.com> <sbbbbtli@mccc.bg> 47FE840D3C status=sent

Oct 31 00:34:43 <noreplay@sender.com> <bbbbitly@maccc.bg> 61C3440D3D status=sent

Oct 31 00:34:44 <noreplay@sender.com> <sitobbbbsi@maccc.bg> 724F340D3E status=sent

Qmail abracadabras

Sent emails from: sender@example.com

cat ./var/log/qmail/smtpd/current |grep -i "rcpt: from <sender@example.com" |awk '{print $1" "$6 " "$7 " "$8 " " $9 " " $10}' |tai64nlocal > ../workresult/sender\@example.com-emails.txt

1	cat ./var/log/qmail/smtpd/current \|grep -i "rcpt: from <sender@example.com" \|awk '{print $1" "$6 " "$7 " "$8 " " $9 " " $10}' \|tai64nlocal > ../workresult/sender\@example.com-emails.txt

Sent emails from: 10.11.12.13

cat /var/log/qmail/smtpd/current|grep "CHKUSER relaying rcpt:" |tai64nlocal |more |awk '{print $9;}'|awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); ip = substr($0,RSTART,RLENGTH); print ip}'|grep -v "10.11.12.13"

1	cat /var/log/qmail/smtpd/current\|grep "CHKUSER relaying rcpt:" \|tai64nlocal \|more \|awk '{print $9;}'\|awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); ip = substr($0,RSTART,RLENGTH); print ip}'\|grep -v "10.11.12.13"

Category: Software