September 25

IP TO ASN MAPPING

For example, to enable the verbose mode (all flags) one would use:

$ whois -h whois.cymru.com " -v 216.90.108.31 2005-12-25 13:23:01 GMT"

AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | Info                    | AS Name
23028   | 216.90.108.31    | 216.90.108.0/24     | US | arin     | 1998-09-25 | 2005-12-25 13:23:01 GMT | TEAMCYMRU - SAUNET

You may also query for some basic AS information directly:

$ whois -h whois.cymru.com " -v AS23028"

AS      | CC | Registry | Allocated  | AS Name
23028   | US | arin     | 2002-01-04 | TEAMCYMRU - SAUNET

We recommend using the GNU version of netcat, not nc (nc has been known to cause buffering problems with our server and will not always return the full output for larger IP lists). GNU netcat can be downloaded from http://netcat.sourceforge.net. This is the same as gnetcat in FreeBSD ports.
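The pipe-delimited reply shown above is easy to turn into records for enriching logs. The following is an added example (not Team Cymru's code or part of the original post) that parses such a reply, treats the NA fields returned for unrouted addresses as missing, checks that each IP really falls inside the prefix it was mapped to, and builds the begin/verbose/end request body Team Cymru documents for bulk netcat queries (not shown on this page); the sample reply is constructed from the output above.

```python
import ipaddress

# Constructed sample: the verbose whois.cymru.com output shown above, plus one
# extra record for an address with no BGP route (the server returns "NA" fields).
SAMPLE_RESPONSE = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | Info                    | AS Name
23028   | 216.90.108.31    | 216.90.108.0/24     | US | arin     | 1998-09-25 | 2005-12-25 13:23:01 GMT | TEAMCYMRU - SAUNET
NA      | 10.0.0.5         | NA                  | NA | NA       | NA         | 2005-12-25 13:23:01 GMT | NA
"""


def build_bulk_request(ips):
    """Body to pipe into netcat for a bulk lookup: 'begin', 'verbose', one IP per
    line, 'end' (Team Cymru's documented bulk interface; not shown on this page)."""
    return "begin\nverbose\n" + "".join(ip + "\n" for ip in ips) + "end\n"


def parse_cymru(text):
    """Parse the pipe-delimited reply into dicts keyed by the header names.

    'NA' becomes None. The AS Name column is last and may itself contain '|',
    so data lines are split at most len(header) - 1 times."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    records = []
    for ln in lines[1:]:
        fields = [f.strip() for f in ln.split("|", len(header) - 1)]
        if len(fields) != len(header):
            raise ValueError(f"malformed record: {ln!r}")
        records.append({h: (None if f == "NA" else f) for h, f in zip(header, fields)})
    return records


def prefix_covers_ip(rec):
    """Consistency check: the queried IP must lie inside the returned BGP prefix.
    False for unrouted ('NA') answers, so callers never enrich on a bogus match."""
    if rec["BGP Prefix"] is None:
        return False
    return ipaddress.ip_address(rec["IP"]) in ipaddress.ip_network(rec["BGP Prefix"], strict=False)


def label_by_ip(records):
    """Map each IP to a short 'AS<number> <name>' label suitable for log enrichment,
    or 'unrouted/NA' where Team Cymru has no route for it."""
    labels = {}
    for rec in records:
        if rec["AS"] is None or not prefix_covers_ip(rec):
            labels[rec["IP"]] = "unrouted/NA"
        else:
            labels[rec["IP"]] = f"AS{rec['AS']} {rec['AS Name']}"
    return labels


if __name__ == "__main__":
    for ip, label in label_by_ip(parse_cymru(SAMPLE_RESPONSE)).items():
        print(f"{ip:16} {label}")
```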

Links:

https://asn.cymru.com/

https://www.ultratools.com/tools/asnInfoResult?domainName=8.8.8.8

Category: NETWORKING, TOOLS | Comments are disabled on IP TO ASN MAPPING
February 27

How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)

If you want to set up an account on your system that will be used only to transfer files (and not to ssh to the system), you should set up an SFTP chroot jail as explained in this article.

In a typical sftp scenario (when chroot sftp is not set up), if you use sftp, you can see root's files as shown below.

If you want to give sftp access on your system to outside vendors to transfer files, you should not use standard sftp. Instead, you should set up a chroot SFTP jail as explained below.

Non-Chroot SFTP Environment

In the following example (a typical sftp environment), john can sftp to the system, view the /etc folder and download files from there.

# sftp john@thegeekstuff.com
john@thegeekstuff's password:
sftp> pwd
Remote working directory: /home/john

sftp> ls
projects  john.txt documents 

sftp> cd /etc
sftp> ls -l passwd
-rw-r--r--    0 0        0            3750 Dec 29 23:09 passwd

sftp> get passwd
Fetching /etc/passwd to passwd
/etc/passwd     100% 3750     3.7KB/s   00:00

Chroot SFTP Environment

In the following example, john can sftp to the system, and view only the directory that you've designated for john to perform sftp (i.e. /incoming).

When john tries to perform 'cd /etc', it will give an error message. Since SFTP is set up in a chroot environment, john cannot view any other files on the system.

# sftp john@thegeekstuff.com
john@thegeekstuff's password:
sftp> pwd
Remote working directory: /home/john

sftp> ls
sftp> cd /etc
Couldn't canonicalise: No such file or directory

Now that you know what a chroot SFTP environment is, let us see how to set it up.

1. Create a New Group

Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.

# groupadd sftpusers

2. Create Users (or Modify Existing User)

Let us say you want to create a user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.

The following command creates guestuser, assigns this user to the sftpusers group, makes /incoming the home directory, and sets /sbin/nologin as the shell (which will not allow the user to ssh in and get shell access).

# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
# passwd guestuser

Verify that the user got created properly.

# grep guestuser /etc/passwd
guestuser:x:500:500::/incoming:/sbin/nologin

If you want to modify an existing user, make him an SFTP-only user and put him in the chroot sftp jail, do the following:

# usermod -g sftpusers -d /incoming -s /sbin/nologin john

On a related note, if you have to transfer files from Windows to Linux, use any one of the sftp clients mentioned in this top 7 sftp client list.

3. Setup sftp-server Subsystem in sshd_config

You should instruct sshd to use internal-sftp for sftp (instead of the default sftp-server).

Modify the /etc/ssh/sshd_config file and comment out the following line:

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Next, add the following line to the /etc/ssh/sshd_config file:

Subsystem       sftp    internal-sftp

# grep sftp /etc/ssh/sshd_config
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

4. Specify Chroot Directory for a Group

You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config:

# tail /etc/ssh/sshd_config
Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp

In the above:

  • Match Group sftpusers – This indicates that the following lines will be applied only to users who belong to the group sftpusers.
  • ChrootDirectory /sftp/%u – This is the path that will be used for the chroot after the user is authenticated. %u indicates the user name. So, for john, this will be /sftp/john.
  • ForceCommand internal-sftp – This forces the execution of internal-sftp and ignores any commands that are mentioned in the ~/.ssh/rc file.

5. Create sftp Home Directory

Since we've specified /sftp as the ChrootDirectory above, create this directory (which is the equivalent of your typical /home directory).

# mkdir /sftp

Now, under /sftp, create the individual directories for the users who are part of the sftpusers group, i.e. the users who will be allowed only to perform sftp and will be in the chroot environment.

# mkdir /sftp/guestuser

So, /sftp/guestuser is equivalent to / for guestuser. When guestuser connects over sftp and performs "cd /", they'll see only the content of the directories under "/sftp/guestuser" (and not the real / of the system). This is the power of the chroot.

So, under this directory /sftp/guestuser, create any subdirectories that you would like the user to see. For example, create an incoming directory where users can sftp their files.

# mkdir /sftp/guestuser/incoming

6. Setup Appropriate Permission

For chroot to work properly, you need to make sure appropriate permissions are set on the directories you just created above.

Set the ownership to the user, and the group to the sftpusers group, as shown below.

# chown guestuser:sftpusers /sftp/guestuser/incoming

The permission will look like the following for the incoming directory.

# ls -ld /sftp/guestuser/incoming
drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming

The permission will look like the following for the /sftp/guestuser directory

# ls -ld /sftp/guestuser
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser

# ls -ld /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
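sshd only honours ChrootDirectory when every directory in the path, all the way up to /, is owned by root and writable by nobody else; the listings above meet that, and otherwise sshd refuses the login and logs a "bad ownership or modes for chroot directory" error. Below is an added check (not from the article) that audits that chain; GOOD_CHAIN and BAD_CHAIN are constructed from the listings above, and collect() reads a real path from the live system when one is given.

```python
import os
import stat
from collections import namedtuple

# One path component: who owns it and its full st_mode (type bits included).
Entry = namedtuple("Entry", "path uid gid mode")

# Constructed from the listings above: /sftp/guestuser and /sftp are root:root 0755.
GOOD_CHAIN = [
    Entry("/sftp/guestuser", 0, 0, stat.S_IFDIR | 0o755),
    Entry("/sftp", 0, 0, stat.S_IFDIR | 0o755),
    Entry("/", 0, 0, stat.S_IFDIR | 0o755),
]

# Constructed failure case: the chroot root was chown'ed to guestuser (uid 500 from
# the /etc/passwd line above) and /sftp was made group-writable. sshd rejects both.
BAD_CHAIN = [
    Entry("/sftp/guestuser", 500, 500, stat.S_IFDIR | 0o755),
    Entry("/sftp", 0, 0, stat.S_IFDIR | 0o775),
    Entry("/", 0, 0, stat.S_IFDIR | 0o755),
]


def chain_to_root(path):
    """Return path and every ancestor up to '/', innermost first."""
    path = os.path.abspath(path)
    chain = [path]
    while os.path.dirname(path) != path:
        path = os.path.dirname(path)
        chain.append(path)
    return chain


def collect(path):
    """Stat every component of a real ChrootDirectory on the live system.
    lstat is used on purpose: a symlinked component is reported as not a directory."""
    out = []
    for p in chain_to_root(path):
        st = os.lstat(p)
        out.append(Entry(p, st.st_uid, st.st_gid, st.st_mode))
    return out


def audit(entries):
    """Apply sshd's ChrootDirectory rules to each component and return the
    violations; an empty list means the chroot will be accepted."""
    problems = []
    for e in entries:
        if not stat.S_ISDIR(e.mode):
            problems.append(f"{e.path}: not a directory")
        if e.uid != 0:
            problems.append(f"{e.path}: owned by uid {e.uid}, must be root")
        if e.mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{e.path}: group/world writable (mode {stat.S_IMODE(e.mode):04o})")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python3 this_script.py /sftp/guestuser   (defaults to the built-in sample)
    entries = collect(sys.argv[1]) if len(sys.argv) > 1 else GOOD_CHAIN
    for line in audit(entries) or ["ok: every component is root-owned and not group/world writable"]:
        print(line)
```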

7. Restart sshd and Test Chroot SFTP

Restart sshd:

# service sshd restart

Test the chroot sftp environment. As you see below, when guestuser does sftp and does "cd /", they'll only see the incoming directory.

# sftp guestuser@thegeekstuff.com
guestuser@thegeekstuff's password:

sftp> pwd
Remote working directory: /incoming

sftp> cd /
sftp> ls
incoming

When guestuser transfers any files to the /incoming directory over sftp, they will actually be located under the /sftp/guestuser/incoming directory on the system.

Category: TOOLS | Comments are disabled on How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)
February 6

Debian – List of installed packages

To list all installed packages, we use the following command:

dpkg --get-selections

This tool also makes it possible to export the list of installed packages:

dpkg --get-selections > mis_paquetes

We can then install them on another machine. First, load the list obtained above:

dpkg --set-selections < mis_paquetes

Then install the list:

apt-get dselect-upgrade



## Update dpkg's database of known packages
# avail=`mktemp`
# apt-cache dumpavail > "$avail"
# dpkg --merge-avail "$avail"
# rm -f "$avail"
## Update dpkg's selections
# dpkg --set-selections < pkg-list
## Ask apt-get to install the selected packages
# apt-get dselect-upgrade

The command dpkg -l lists the installed packages with more information. However, it cannot be used to install a list of packages.

Category: TOOLS | Comments are disabled on Debian – List of installed packages
December 11

Lynis – A nice little tool for auditing your system

Hello folks,

First of all, I'd like to apologise for not having done much today, but with Ubuntu Gnome 13.04 officially out in the wild, I had to rebuild myself a fresh new little lab for the next six months! A mandatory reinstall session, followed by a McDonald's to patch the beast back up!

That said, I'm picking up the pen again and inaugurating this brand-new session to tell you about a neat little audit tool that goes by the sweet name of Lynis. You'll see, it's pretty impressive.

Lynis is a small tool used from the command line, but don't worry, it doesn't require any specific knowledge to use. Where some knowledge will come in handy, on the other hand, is in analysing the results the beast returns after auditing your system.

As you may have gathered, Lynis is not strictly speaking a pentest tool (which is what one might expect when talking about an audit).

Its purpose is to check, via a scan, almost all of your system's settings, then give you a complete summary and display suggestions that will let you act on its weak points.

It will analyse a whole range of parameters, including among others:

  • Boot loaders and startup services
  • Kernel configuration, loaded modules, running modules
  • Memory and processes
  • Users and groups
  • Mount points and the root file system
  • NFS and BIND services
  • Software updates and repositories
  • Iptables rules and SELinux configuration
  • Apache and nginx web servers
  • SSH configuration
  • The root password, MySQL and LDAP services
  • PHP options
  • crontab / cron and ATD options
  • The NTP daemon
  • SSL certificate expiry
  • The presence of malware
  • Home directories

And it makes the coffee. Oh no, sorry, not that (maybe in a future update).

In any case, the list of checks Lynis performs is really impressive.

If that appeals to you, you'll be glad to learn that the beast is available by default in the Debian and Ubuntu repositories. To install it on Ubuntu 13.04, for example, simply enter the following command.

sudo apt-get install lynis

Once the beast is on your machine, you can launch it by entering this in your terminal:

sudo lynis -c

or

sudo lynis --check-all

You should then arrive at a welcome screen that looks like this (click to enlarge):

At this stage, all you have left to do is chain the tests together using the "Enter" key. Wait each time for them to run properly; some tests will take longer than others.

I've put together a small gallery showing you the different tests in pictures:

Once the audit is finished, you can either view the suggestions from the terminal,

or consult the "Lynis.log" file, which logically should be found in /var/log/.

It's then up to you to draw the right conclusions and fix what's wrong on your system 🙂

NB: You can run Lynis so that it doesn't ask you for confirmation between each test, using the following command:

sudo lynis -c -Q

I really found this little tool pretty good.

Of course not everything is covered, and there will certainly be quite a few other tests to do for a complete audit, but Lynis is a good starting point.

I didn't mention it because they're unofficial packages, but there are RPM packages available for using Lynis on Fedora or openSUSE.

Have fun.

Category: TOOLS | Comments are disabled on Lynis – A nice little tool for auditing your system
December 11

WGET

The wget utility is the best option for downloading files from the internet. wget can handle pretty much all complex download situations, including large file downloads, recursive downloads, non-interactive downloads, multiple file downloads, etc.

In this article, let us review how to use wget for various download scenarios using 15 awesome wget examples.

1. Download Single File with wget

The following example downloads a single file from internet and stores in the current directory.

$ wget http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2

While downloading it will show a progress bar with the following information:

  • Percentage of download completion (e.g. 31% as shown below)
  • Total amount of bytes downloaded so far (for e.g. 1,213,592 bytes as shown below)
  • Current download speed (for e.g. 68.2K/s as shown below)
  • Remaining time to download (for e.g. eta 34 seconds as shown below)

Download in progress:

$ wget http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2
Saving to: `strx25-0.9.2.1.tar.bz2.1'

31% [=================> 1,213,592   68.2K/s  eta 34s

Download completed:

$ wget http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2
Saving to: `strx25-0.9.2.1.tar.bz2'

100%[======================>] 3,852,374   76.8K/s   in 55s    

2009-09-25 11:15:30 (68.7 KB/s) - `strx25-0.9.2.1.tar.bz2' saved [3852374/3852374]

2. Download and Store With a Different File name Using wget -O

By default wget will pick the filename from the last word after the last forward slash, which may not always be appropriate.

Wrong: the following example will download and store the file with the name download_script.php?src_id=7701

$ wget http://www.vim.org/scripts/download_script.php?src_id=7701

Even though the downloaded file is in zip format, it will get stored under the name shown below.

$ ls
download_script.php?src_id=7701

Correct: To correct this issue, we can specify the output file name using the -O option:

$ wget -O taglist.zip http://www.vim.org/scripts/download_script.php?src_id=7701

3. Specify Download Speed / Download Rate Using wget --limit-rate

While executing wget, by default it will try to occupy the full available bandwidth. This might not be acceptable when you are downloading huge files on production servers. To avoid that, we can limit the download speed using --limit-rate as shown below.

In the following example, the download speed is limited to 200k:

$ wget --limit-rate=200k http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2

4. Continue the Incomplete Download Using wget -c

Restart a download that got stopped in the middle using the wget -c option as shown below.

$ wget -c http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2

This is very helpful when you have initiated a very big file download which got interrupted in the middle. Instead of starting the whole download again, you can resume from where it got interrupted using option -c.

Note: If a download is stopped in the middle and you restart it without the option -c, wget will automatically append .1 to the filename, since a file with the previous name already exists. If a file with .1 already exists, it will download the file with .2 at the end.

5. Download in the Background Using wget -b

For a huge download, put the download in the background using the wget option -b as shown below.

$ wget -b http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2
Continuing in background, pid 1984.
Output will be written to `wget-log'.

It will initiate the download and give the shell prompt back to you. You can always check the status of the download using tail -f as shown below.

$ tail -f wget-log
Saving to: `strx25-0.9.2.1.tar.bz2.4'

     0K .......... .......... .......... .......... ..........  1% 65.5K 57s
    50K .......... .......... .......... .......... ..........  2% 85.9K 49s
   100K .......... .......... .......... .......... ..........  3% 83.3K 47s
   150K .......... .......... .......... .......... ..........  5% 86.6K 45s
   200K .......... .......... .......... .......... ..........  6% 33.9K 56s
   250K .......... .......... .......... .......... ..........  7%  182M 46s
   300K .......... .......... .......... .......... ..........  9% 57.9K 47s

Also, make sure to review our previous multitail article on how to use tail command effectively to view multiple files.

6. Mask User Agent and Display wget like Browser Using wget --user-agent

Some websites can block your download by identifying that the user agent is not a browser. You can mask the user agent using the --user-agent option and make wget look like a browser as shown below.

$ wget --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3" URL-TO-DOWNLOAD

7. Test Download URL Using wget --spider

When you are going to do a scheduled download, you should check beforehand whether the download will happen fine at the scheduled time. To do so, copy the line exactly from the schedule, and then add the --spider option to check.

$ wget --spider DOWNLOAD-URL

If the URL given is correct, it will say

$ wget --spider download-url
Spider mode enabled. Check if remote file exists.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

This ensures that the download will succeed at the scheduled time. But when you give a wrong URL, you will get the following error.

$ wget --spider download-url
Spider mode enabled. Check if remote file exists.
HTTP request sent, awaiting response... 404 Not Found
Remote file does not exist -- broken link!!!

You can use the spider option in the following scenarios:

  • Check before scheduling a download.
  • Monitor whether a website is available at certain intervals.
  • Check a list of pages from your bookmarks, and find out which pages still exist.

8. Increase Total Number of Retry Attempts Using wget --tries

If the internet connection has problems, and the download file is large, there is a chance of failures in the download. By default wget retries 20 times to make the download successful.

If needed, you can increase the retry attempts using the --tries option as shown below.

$ wget --tries=75 DOWNLOAD-URL

9. Download Multiple Files / URLs Using Wget -i

First, store all the download files or URLs in a text file as:

$ cat > download-file-list.txt
URL1
URL2
URL3
URL4

Next, give the download-file-list.txt as argument to wget using -i option as shown below.

$ wget -i download-file-list.txt

10. Download a Full Website Using wget --mirror

Following is the command line you want to execute when you want to download a full website and make it available for local viewing.

$ wget --mirror -p --convert-links -P ./LOCAL-DIR WEBSITE-URL

  • --mirror : turn on options suitable for mirroring.
  • -p : download all files that are necessary to properly display a given HTML page.
  • --convert-links : after the download, convert the links in the document for local viewing.
  • -P ./LOCAL-DIR : save all the files and directories to the specified directory.

11. Reject Certain File Types while Downloading Using wget --reject

If you have found a website which is useful, but don't want to download its images, you can specify the following.

$ wget --reject=gif WEBSITE-TO-BE-DOWNLOADED

12. Log messages to a log file instead of stderr Using wget -o

Use this when you want the log to be redirected to a log file instead of the terminal.

$ wget -o download.log DOWNLOAD-URL

13. Quit Downloading When it Exceeds Certain Size Using wget -Q

When you want to stop the download once it crosses 5 MB, you can use the following wget command line.

$ wget -Q5m -i FILE-WHICH-HAS-URLS

Note: This quota does not take effect when you download a single URL. That is, irrespective of the quota size, everything will get downloaded when you specify a single file. This quota is applicable only for recursive downloads.

14. Download Only Certain File Types Using wget -r -A

You can use this in the following situations:

  • Download all images from a website
  • Download all videos from a website
  • Download all PDF files from a website

$ wget -r -A.pdf http://url-to-webpage-with-pdfs/

15. FTP Download With wget

You can use wget to perform FTP download as shown below.

Anonymous FTP download using Wget

$ wget ftp-url

FTP download using wget with username and password authentication.

$ wget --ftp-user=USERNAME --ftp-password=PASSWORD DOWNLOAD-URL


Category: TOOLS | Comments are disabled on WGET