Wednesday, November 23, 2011

iptables, oh no you didn't..

Being a systems administrator for a large number of linux systems that are primarily web and email servers, I get to see a lot of attacks on different services.

One of our boxes (A) was brought down by another box belonging to the same client (B).  A was running httpd and B was running sendmail.  After examining the logs and determining that B was the culprit, an examination of the logs on B showed a particular IP with a large number of simultaneous connections.  His vector was a dictionary/name email blast against the domain; once he hit a valid user, he would try to authenticate as that user via another dictionary attack.  This was spawning a large number of sendmail processes that ended up slowing down the box considerably.

Performing a whois on the IP address showed us that the hacker was operating from another country that most likely was not a customer of our client.  
whois X.X.X.X
In order to keep the box and network alive, we decided to block the IP address on the machine's firewall.  We didn't want the block to survive a reboot, in case it was a DHCP address that might be legitimate in the future, but we could insert the IP address inline, which blocks it until iptables is restarted.  If this IP comes through again in the future, we would add it to /etc/sysconfig/iptables and reload the configuration.

This one-liner will keep any traffic from the 'bad' address from doing anything further on this box:
iptables -I INPUT -s X.X.X.X -j DROP
The -I inserts the rule at the head of the INPUT chain, ahead of any ACCEPT rules, so as soon as you hit enter no new packet from that address gets through.  The sendmail children it has already spawned will hang on until they time out, since their replies never arrive, but no new ones start.  If you realize you typed in the wrong IP address, and you want to remove the inline rule you just created, change the -I to a -D like this:
iptables -D INPUT -s X.X.X.X -j DROP
If you wanted to block this IP permanently, add this line to /etc/sysconfig/iptables:
-A INPUT -s X.X.X.X -j DROP
Note that -A appends, so in the saved file the line has to sit above the ACCEPT rule for port 25 (and above the catch-all REJECT at the bottom of the stock RHEL ruleset); placed below them it never matches.  Then reload the rules with 'service iptables restart' and confirm with 'iptables -L INPUT -n' that the DROP appears before the ACCEPTs.
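It helps to have the offending address come out of the log rather than from eyeballing it.  The following is an added example, not part of the original post: it counts connections per relay= address in a sendmail maillog and prints the one-liner from above for any address over a threshold, leaving it to the operator to run a whois and then the block.  The log lines, the host name mx1, the addresses and the threshold are all constructed for the demo and only approximate sendmail's log format; adjust the grep pattern to your own logs.

```shell
#!/bin/bash
# Added example (not from the original post): pick out source IPs hammering
# sendmail and print the iptables one-liner for each.  The maillog lines below
# are CONSTRUCTED and only approximate sendmail's format.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Nov 23 03:14:01 mx1 sendmail[4101]: pAN8E1aa004101: ruleset=check_rcpt, arg1=<alice@example.com>, relay=[203.0.113.45], reject=550 5.1.1 <alice@example.com>... User unknown
Nov 23 03:14:01 mx1 sendmail[4102]: pAN8E1ab004102: ruleset=check_rcpt, arg1=<bob@example.com>, relay=[203.0.113.45], reject=550 5.1.1 <bob@example.com>... User unknown
Nov 23 03:14:02 mx1 sendmail[4103]: pAN8E2ac004103: from=<x@attacker.invalid>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[203.0.113.45]
Nov 23 03:14:02 mx1 sendmail[4104]: AUTH failure (LOGIN): authentication failure (-1) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.45]
Nov 23 03:14:03 mx1 sendmail[4105]: AUTH failure (LOGIN): authentication failure (-1) SASL(-13): authentication failure: checkpass failed, relay=[203.0.113.45]
Nov 23 03:14:05 mx1 sendmail[4106]: pAN8E5ad004106: from=<carol@example.net>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [198.51.100.7]
Nov 23 03:14:09 mx1 sendmail[4107]: pAN8E9ae004107: from=<dave@example.org>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.200]
EOF

# relay_counts FILE: print "COUNT IP" for every relay=[...] address, busiest first.
# The IP is always the bracketed part, whether or not a hostname precedes it.
relay_counts() {
    grep -o 'relay=[^,]*\[[0-9.]*\]' "$1" \
      | sed 's/.*\[\([0-9.]*\)\].*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# block_cmds THRESHOLD FILE: print the iptables one-liner for each IP that
# shows up more than THRESHOLD times.  It prints rather than runs the commands
# so the operator can whois each address before dropping it.
block_cmds() {
    local threshold=$1
    relay_counts "$2" \
      | awk -v t="$threshold" '$1 > t {print "iptables -I INPUT -s " $2 " -j DROP"}'
}

relay_counts "$SAMPLE"
block_cmds 3 "$SAMPLE"
```

On the constructed sample only 203.0.113.45 crosses the threshold, so one DROP line comes out; the two single-connection senders are left alone.  Pipe the output into sh once you have checked it, or adjust the threshold to the normal connection rate of the box.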

Tuesday, November 22, 2011

I BASHed the terminal and sed 's/ex...'

Like MySQL, BASH scripting is something I've always done frequently, but very light as far as complexity and depth.

Batching commands is easy, but now I'm coming into a new phase of my career where scripting is crucial to the day-to-day operations.  I'm finding help in the form of co-workers and tldp.org.  The following is a sanitized version of the check and insert I was asked to create.  It turns on fasttcp on CentOS/RHEL and, when the box is running the "2.6.18-238.9.1.el5.fsl_2.0.2.1" kernel, adds 'kernel*' to yum's exclude list so a yum update can't replace that kernel.

So we need to:
a) Check the running kernel for one particular build.
      i. (if it matches) Insert 'kernel*' into the exclude= line of yum.conf
     ii. Report whether yum.conf was modified or not.
b) download and install fasttcp
c) chkconfig the service on

I'm a total noob at scripting, so I made sure I didn't break anything on the system; I created the script as a non-root user and copied the yum.conf to that user's home folder with a unique name.

cp /etc/yum.conf /home/dave/dave-practice-yum.conf

First, the beginning of any (good) shell script is the shebang line naming the interpreter the script runs under.  I'm from BSD most recently, so #!/bin/sh is what I would generally use, but now that I'm a CentOS guy at my new job, #!/bin/bash is the shell for me.


#!/bin/bash

Defining variables: I need to find out if the kernel is the mystical kernel that isn't supposed to get updated, so I'll establish the KRNL variable.  I'm also going to insert 'kernel*' into the 'exclude=' line of the yum.conf if it is a match, so I will also define the EXCL variable to make sure I'm not over-writing an already-established 'exclude='.  The grep is anchored on ^exclude= so a commented-out '#exclude=' line doesn't count.

KRNL=$(uname -r)
EXCL=$(grep "^exclude=" dave-practice-yum.conf | cut -d= -f2)

Now we write in the actual check with an IF statement:

# Quote both sides so an empty EXCL still gives test a string to look at.
if [ "$KRNL" = "2.6.18-238.9.1.el5.fsl_2.0.2.1" ]
then
        if [ -z "$EXCL" ]
        then
                # Assumes an exclude= line exists; with no such line sed changes nothing.
                sed -i 's/^exclude=/exclude=kernel*/' dave-practice-yum.conf
                echo "yum.conf modified."
        else
                sed -i '/^exclude=/s/$/,kernel*/' dave-practice-yum.conf
                echo "yum.conf modified."
        fi
else
        echo "No modification to yum.conf"
fi

The else in the nested condition is pretty ugly.  I didn't want to over-write if there were already any excludes, so I appended 'kernel*' to the 'exclude=' if nothing was present; if there is something present on the exclude line when the script runs, it will simply put a ',kernel*'.  This works, but if 'kernel*' is already there, it will be repeated.

Then we download the package from the internal repository, unpack it straight into /, and chkconfig the service on (in this case FASTTCP).  Note what that line does: whatever the web server hands back is written into the root filesystem as root, over plain http, with -q hiding any error.  For anything beyond a lab box, fetch the tarball to a file, check its sha256sum against a known value, list it with 'tar tf' to see where it will write, and only then extract.

# wget lives in /usr/bin on CentOS/RHEL; this unpacks the tarball directly into /.
/usr/bin/wget -qO - http://server/files/fasttcp/ftcp_rc.tar | tar xf - -C /
/sbin/chkconfig --add fasttcp
/sbin/chkconfig --level 2345 fasttcp on
/etc/init.d/fasttcp start

Remarkably, this script works; thanks in large part to my co-workers, and James in particular.  Below, find the script in its entirety (without blogspot formatting).

#!/bin/bash
KRNL=$(uname -r)
# Anchor on ^exclude= so a commented-out "#exclude=" line is not picked up.
EXCL=$(grep "^exclude=" dave-practice-yum.conf | cut -d= -f2)
# Quote both sides so an empty EXCL still gives test a string to look at.
if [ "$KRNL" = "2.6.18-238.9.1.el5.fsl_2.0.2.1" ]
then
        if [ -z "$EXCL" ]
        then
                # Assumes an exclude= line exists; with no such line sed changes nothing.
                sed -i 's/^exclude=/exclude=kernel*/' dave-practice-yum.conf
                echo "yum.conf modified."
        else
                sed -i '/^exclude=/s/$/,kernel*/' dave-practice-yum.conf
                echo "yum.conf modified."
        fi
else
        echo "No modification to yum.conf"
fi
# wget lives in /usr/bin on CentOS/RHEL; this unpacks the tarball directly into /.
/usr/bin/wget -qO - http://server/files/fasttcp/ftcp_rc.tar | tar xf - -C /
/sbin/chkconfig --add fasttcp
/sbin/chkconfig --level 2345 fasttcp on
/etc/init.d/fasttcp start
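An idempotent version of the yum.conf check, added here as an example; it is not the post's script.  It covers the cases the script above does not: a yum.conf with no exclude= line at all, and a second run on a box where kernel* is already excluded (the repetition mentioned above), while still only pinning when the running kernel matches.  The sample yum.conf fragments, the PINNED_KERNEL constant and the helper names are constructed for the demo; it assumes GNU sed (sed -i and the one-line 'a' command), which is what CentOS ships, and it uses a space rather than a comma as the separator since yum's list options accept either.

```shell
#!/bin/bash
# Added example (not the post's script): idempotent insert of a pattern into
# the exclude= line of a yum.conf.  Sample configs below are CONSTRUCTED.

PINNED_KERNEL="2.6.18-238.9.1.el5.fsl_2.0.2.1"   # the build yum must not replace

# has_exclude FILE PATTERN: succeed if PATTERN is already in the exclude= list.
# The list may be comma- or space-separated, so split on both.
has_exclude() {
    grep -E '^exclude=' "$1" | sed 's/^exclude=//' | tr ', ' '\n\n' | grep -qxF "$2"
}

# add_exclude FILE PATTERN: add PATTERN to exclude= under [main] if it is not
# there yet.  Prints "modified" or "unchanged" so a caller can report it.
add_exclude() {
    local file=$1 pat=$2
    if has_exclude "$file" "$pat"; then
        echo "unchanged"; return 0
    fi
    if grep -qE '^exclude=[[:space:]]*$' "$file"; then      # exclude= with nothing after it
        sed -i "s|^exclude=.*|exclude=$pat|" "$file"
    elif grep -qE '^exclude=' "$file"; then                  # existing non-empty list
        sed -i "/^exclude=/s|\$| $pat|" "$file"
    else                                                     # no exclude= line at all
        sed -i "/^\[main\]/a exclude=$pat" "$file"
    fi
    echo "modified"
}

# pin_kernel FILE RUNNING_KERNEL: pin only when we are on the special build.
pin_kernel() {
    if [ "$2" = "$PINNED_KERNEL" ]; then
        add_exclude "$1" 'kernel*'
    else
        echo "unchanged"
    fi
}

# Three constructed yum.conf variants: empty exclude=, a populated one, none.
T=$(mktemp -d)
trap 'rm -rf "$T"' EXIT
printf '[main]\ncachedir=/var/cache/yum\nexclude=\ngpgcheck=1\n' > "$T/empty.conf"
printf '[main]\nexclude=php* httpd\ngpgcheck=1\n'               > "$T/list.conf"
printf '[main]\ngpgcheck=1\n'                                   > "$T/none.conf"

for f in empty list none; do
    printf '%s: %s -> ' "$f" "$(pin_kernel "$T/$f.conf" "$PINNED_KERNEL")"
    grep '^exclude=' "$T/$f.conf"
done
pin_kernel "$T/list.conf" "$PINNED_KERNEL"       # second run: unchanged
pin_kernel "$T/none.conf" "2.6.18-308.el5"       # other kernel: unchanged
```

To use it on a real box, call pin_kernel /etc/yum.conf "$(uname -r)" as root; running it twice is safe, which is the property the original script lacks.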