Categories
Linux

Creating a file based swap

First create a file named "swapfile" with dd, using /dev/zero as the input file and "swapfile" as the output file.
The block size (bs) is 1 gig and the count is 1, so dd writes a single 1 GB file of zeros.

Create the file:

dd if=/dev/zero of=swapfile bs=1G count=1

Then restrict its permissions so only root can read or write it:

chmod 600 swapfile

Format it:

mkswap swapfile

And turn it on!:

swapon swapfile
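The same four steps as a script with the checks you want before enabling swap on a production box (added here; this is not the post's own script): it refuses to overwrite an existing file, creates the file under a restrictive umask, verifies the mode is 0600 before mkswap, confirms the area shows up in /proc/swaps after swapon, and prints the /etc/fstab line that makes the swap survive a reboot. The path, size and function names are our assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: file-backed swap with checks.
# Privileged steps only run when SWAPFILE_CREATE is set, e.g.
#   sudo SWAPFILE_CREATE=/swapfile SWAPFILE_GB=1 sh swapfile.sh
set -eu

# Return 0 when the file mode is exactly 0600. A world-readable swap file lets
# any local user read whatever memory pages were swapped out, which is why the
# post chmods it to 600 before mkswap.
swapfile_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ]
}

# Build the /etc/fstab entry for a swap file; fstab needs an absolute path.
swap_fstab_line() {
    case $1 in
        /*) printf '%s none swap sw 0 0\n' "$1" ;;
        *)  echo "swap_fstab_line: need an absolute path, got '$1'" >&2; return 1 ;;
    esac
}

# Create, format and enable the swap file (needs root). dd from /dev/zero
# writes real blocks; sparse files are not usable as swap.
create_swapfile() {
    file=$1
    size_gb=${2:-1}
    if [ -e "$file" ]; then
        echo "refusing to overwrite existing $file" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/zero of="$file" bs=1G count="$size_gb" )
    chmod 600 "$file"
    swapfile_mode_ok "$file" || { echo "$file is not mode 0600" >&2; return 1; }
    mkswap "$file"
    swapon "$file"
    # Verify the kernel actually picked it up.
    awk -v f="$file" 'NR > 1 && $1 == f { found = 1 } END { exit !found }' /proc/swaps \
        || { echo "$file not listed in /proc/swaps" >&2; return 1; }
    echo "Swap active. To keep it across reboots, append this line to /etc/fstab:"
    swap_fstab_line "$file"
}

if [ -n "${SWAPFILE_CREATE:-}" ]; then
    create_swapfile "$SWAPFILE_CREATE" "${SWAPFILE_GB:-1}"
fi
```

The checks are split into small functions so they can be reused from other scripts; swapon itself only warns about insecure permissions, it does not refuse them, so the mode check before mkswap is the one that actually stops a mistake.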

Categories
Windows

Replace Notepad with Notepad2

I find that Notepad2 from www.flos-freeware.ch is a vast improvement on the Notepad that ships with Windows.

But as usual MS has made it very difficult to replace any system file, so here’s a quick and easy way to replace your regular Notepad with Notepad2.

  1. First download Notepad2 and extract it.
  2. Rename notepad2.exe to notepad.exe
  3. Open Explorer and navigate to %systemroot%\ServicePackFiles\I386
  4. Rename notepad.exe in that folder to notepad.exe.old and copy the new notepad.exe into it
  5. Do the same for %systemroot%\system32\dllcache and %systemroot%\system32

You will need to ensure that you have "Display contents of system folders" and "Show hidden files and folders" checked and "Hide protected operating system files" unchecked.

When you make the switch you may get a pop-up warning you that some system files may be changed; just cancel and you’re good to go.

Categories
Windows

Easy way to get Display Names from a list of UserIDs from AD

This is a quick one-line command that I created to return a list of Display Names when all I had was UserIDs.

It’s a simple DSQUERY command piped into a DSGET to return the Display Name and SAMID of each user. Have a look at the DSGET command to see all the different attributes it can return for you.

First you need a text file with UserIDs, one per line. Then open a command prompt in the directory containing the text file and run this command; don’t forget to change USERID.TXT to the name of your text file:

FOR /F %i in (userid.txt) DO DSQUERY user -samid %i | DSGET user -display -samid >> displayname.txt

You’ll now find a text file in that directory named displayname.txt with all your Display Names.

Categories
Linux

Quick and simple iptables gateway setup

This is just a simple open setup with a blanket DROP on eth0. I am using it as a simple gateway for my VMware "Host-Only" network to get out to the real world, without allowing traffic back in that wasn't requested.

First off make sure you turn on forwarding in the /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Then run sysctl -p, which loads the file and echoes each setting it applied:

sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

Then here is the ruleset that I am currently using:

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 1:65535 -j DROP
/sbin/iptables -A INPUT -i eth0 -p udp -s 0/0 -d 0/0 --dport 1:65535 -j DROP

This allows ssh back in on the outside interface but blocks everything else, while still allowing internal traffic to flow out freely…

Save the iptables commands into a file and execute the file to apply the rules. On a Red Hat-based system you can then run iptables-save > /etc/sysconfig/iptables, after which the "service iptables start" / "service iptables stop" commands will start and stop the firewall for future use.
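Two things a reviewer would flag in the ruleset above: there is no state-matching rule, so replies to connections the gateway itself opens over eth0 (DNS lookups, package updates, outbound ssh) arrive on eth0 with an ephemeral destination port and are dropped by the 1:65535 rules; and the FORWARD chain is left at policy ACCEPT, so anything routed to this host in either direction is forwarded. The script below (added here, not the post's ruleset) generates a stateful version of the same NAT gateway. The WAN interface eth0 is from the post; the internal interface name vmnet1 is an assumption, as are the function and variable names. It only prints the iptables commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example, not the post's ruleset: stateful NAT gateway rules.
# Review with:  gateway_rules eth0 vmnet1
# Apply with:   GATEWAY_APPLY=1 WAN=eth0 LAN=vmnet1 sh gateway.sh
set -eu

# Print the ruleset for a WAN interface, a LAN (Host-Only) interface and an
# optional iptables path. Nothing is executed here.
gateway_rules() {
    wan=$1
    lan=$2
    ipt=${3:-/sbin/iptables}
    cat <<EOF
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
# Default deny on INPUT and FORWARD; traffic the gateway itself sends stays open.
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -A INPUT -i lo -j ACCEPT
# Replies to sessions the gateway opened come back on $wan and would hit the
# DROP policy without this state rule.
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management ssh from the outside, as in the post.
$ipt -A INPUT -i $wan -p tcp --dport 22 -j ACCEPT
# The Host-Only side is trusted to talk to the gateway.
$ipt -A INPUT -i $lan -j ACCEPT
# Forward only LAN->WAN plus the replies; nothing new is forwarded from $wan.
$ipt -A FORWARD -i $lan -o $wan -j ACCEPT
$ipt -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

if [ -n "${GATEWAY_APPLY:-}" ]; then
    gateway_rules "${WAN:-eth0}" "${LAN:-vmnet1}" | sh
fi
```

Because the default policies are now DROP, the explicit 1:65535 DROP rules from the post are no longer needed, and the state rule on FORWARD is what lets the masqueraded replies reach the Host-Only machines while new inbound connections to them are refused.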

Categories
Linux

Audit a file on rhel5 with auditd

Obviously you would need the audit package installed…

Let's say I wanted to audit "test.file" for read, write, execute, and access:

auditctl -w /root/test.file -k test-file -p rwxa

-w: adds a "watch" rule on the given path
-k: the key you can use to filter the audit logs on
-p: the permissions (access types) you would like to audit

If you would like this to be a permanent rule, then you must add it to /etc/audit/audit.rules in the following format:

-w /root/test.file -k test-file -p rwxa

Now we can take a look at the rules:

auditctl -l

LIST_RULES: exit,always watch=/root/test.file perm=rwxa key=test-file

Now I am going to add some text to test.file and see what the audit says. I run the ausearch tool to find this out:

ausearch -k test-file
or
ausearch -f test.file

Here are the results:

----
time->Thu May  1 15:04:33 2008
type=PATH msg=audit(1209679473.817:1252): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679473.817:1252):  cwd="/root"
type=SYSCALL msg=audit(1209679473.817:1252): arch=c000003e syscall=191 success=no exit=-61 a0=7fff2baf6ba0 a1=3872404d67 a2=0 a3=0 items=1 ppid=16271 pid=16881 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
----
time->Thu May  1 15:04:33 2008
type=PATH msg=audit(1209679473.817:1253): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679473.817:1253):  cwd="/root"
type=SYSCALL msg=audit(1209679473.817:1253): arch=c000003e syscall=191 success=no exit=-61 a0=7fff2baf6ba0 a1=3872404d38 a2=0 a3=0 items=1 ppid=16271 pid=16881 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
----
time->Thu May  1 15:04:39 2008
type=PATH msg=audit(1209679479.812:1254): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679479.812:1254):  cwd="/root"
type=SYSCALL msg=audit(1209679479.812:1254): arch=c000003e syscall=2 success=yes exit=3 a0=1d6cb910 a1=0 a2=0 a3=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:39 2008
type=PATH msg=audit(1209679479.813:1255): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679479.813:1255):  cwd="/root"
type=SYSCALL msg=audit(1209679479.813:1255): arch=c000003e syscall=89 success=no exit=-22 a0=7fff0814a7f0 a1=7fff0814abf0 a2=3ff a3=1 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1256): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.992:1256):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1256): arch=c000003e syscall=191 success=no exit=-61 a0=1d6cb910 a1=3872404d67 a2=7fff0814aff0 a3=84 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1258): item=3 name="test.file~" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1258): item=2 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1258): item=1  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1258): item=0  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.992:1258):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1258): arch=c000003e syscall=82 success=yes exit=0 a0=1d6cb910 a1=1d6f6d80 a2=2 a3=1 items=4 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1260): item=1 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1260): item=0  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.992:1260):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1260): arch=c000003e syscall=2 success=yes exit=3 a0=1d6cb910 a1=241 a2=1a4 a3=0 items=2 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.996:1261): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.996:1261):  cwd="/root"
type=SYSCALL msg=audit(1209679485.996:1261): arch=c000003e syscall=90 success=yes exit=0 a0=1d6cb910 a1=81a4 a2=0 a3=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.997:1262): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.997:1262):  cwd="/root"
type=SYSCALL msg=audit(1209679485.997:1262): arch=c000003e syscall=188 success=yes exit=0 a0=1d6cb910 a1=3872404d67 a2=1d6f6da0 a3=1c items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"

Also aureport will give us a report of activity:

Summary Report
======================
Range of time in logs: 05/01/2008 15:04:33.817 - 05/01/2008 15:04:45.997
Selected time for report: 05/01/2008 15:04:33 - 05/01/2008 15:04:45.997
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 1
Number of terminals: 1
Number of host names: 0
Number of executables: 2
Number of files: 3
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 4
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 2
Number of events: 9
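Reading the raw records is the hard part of working with auditd, so here is a small triage filter (added here; it is not part of the post or of the audit package) that turns the ausearch output above into one line per SYSCALL record: serial, program, syscall name and outcome. The syscall numbers are the x86_64 ones (arch=c000003e in the records), and only the numbers that appear in the post's output are mapped. Run over the records above it shows that the four "failed syscalls" aureport counted are benign: 191 is getxattr returning -61 (ENODATA), which is ls asking for a security context the file does not have, and 89 is readlink returning -22 (EINVAL) because test.file is not a symlink. It also shows why the inode changes from 84869203 to 84869202 mid-way: vi renamed the original to test.file~ (syscall 82), created a fresh test.file (syscall 2), then restored its mode and extended attributes (90 and 188), and the path watch kept matching the new inode. The embedded sample is abbreviated from the post's ausearch output (the a0..a3 and group-id fields are dropped).

```shell
#!/bin/sh
# Added example, not from the original post: triage filter for audit records.
# Usage on a live system:  ausearch -k test-file | sh -c '. ./triage.sh; audit_triage'
set -eu

# x86_64 syscall numbers seen in the post's output; anything else is printed raw.
syscall_name() {
    case $1 in
        2)   echo open ;;
        82)  echo rename ;;
        89)  echo readlink ;;
        90)  echo chmod ;;
        188) echo setxattr ;;
        191) echo getxattr ;;
        *)   echo "syscall_$1" ;;
    esac
}

# stdin: raw audit records.  stdout: "<serial> <comm> <syscall> success=<y/n> exit=<rc>"
# PATH and CWD records are skipped; they only add context to the SYSCALL record.
audit_triage() {
    awk '
        $1 == "type=SYSCALL" {
            # serial is the number after the colon in msg=audit(ts:serial):
            match($2, /:[0-9]+\)/)
            serial = substr($2, RSTART + 1, RLENGTH - 2)
            split("", f)
            for (i = 3; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
            gsub(/"/, "", f["comm"])
            print serial, f["comm"], f["syscall"], f["success"], f["exit"]
        }' | while read -r serial comm nr ok rc; do
            echo "$serial $comm $(syscall_name "$nr") success=$ok exit=$rc"
        done
}

# Counters that can be cross-checked against aureport's summary.
audit_event_count()  { audit_triage | awk 'END { print NR }'; }
audit_failed_count() { audit_triage | awk '$4 == "success=no" { n++ } END { print n + 0 }'; }
audit_exe_count()    { audit_triage | awk '{ seen[$2] = 1 } END { n = 0; for (k in seen) n++; print n }'; }

# Sample records abbreviated from the post's ausearch output.
AUDIT_SAMPLE=$(cat <<'EOF'
type=PATH msg=audit(1209679473.817:1252): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679473.817:1252):  cwd="/root"
type=SYSCALL msg=audit(1209679473.817:1252): arch=c000003e syscall=191 success=no exit=-61 items=1 ppid=16271 pid=16881 auid=0 uid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
type=SYSCALL msg=audit(1209679473.817:1253): arch=c000003e syscall=191 success=no exit=-61 items=1 ppid=16271 pid=16881 auid=0 uid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
type=SYSCALL msg=audit(1209679479.812:1254): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=16271 pid=16882 auid=0 uid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
type=SYSCALL msg=audit(1209679479.813:1255): arch=c000003e syscall=89 success=no exit=-22 items=1 ppid=16271 pid=16882 auid=0 uid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
type=SYSCALL msg=audit(1209679485.992:1256): arch=c000003e syscall=191 success=no exit=-61 items=1 ppid=16271 pid=16882 auid=0 uid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
type=SYSCALL msg=audit(1209679485.992:1258): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=16271 pid=16882 auid=0 uid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
type=SYSCALL msg=audit(1209679485.992:1260): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=16271 pid=16882 auid=0 uid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
type=SYSCALL msg=audit(1209679485.996:1261): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
type=SYSCALL msg=audit(1209679485.997:1262): arch=c000003e syscall=188 success=yes exit=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
EOF
)

# Demo on the embedded sample; pipe real ausearch output into audit_triage instead.
printf '%s\n' "$AUDIT_SAMPLE" | audit_triage
```

The counters reproduce three of the aureport figures above (9 events, 4 failed syscalls, 2 executables), which is a quick way to confirm a filter is seeing the same records the report did before you start drawing conclusions from it.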


Categories
Linux

Enabling ftps on vsftpd

First you must generate an SSL certificate:

openssl req -new -x509 -nodes -out ftps.pem -keyout ftps.pem

Copy the ssl certificate to your vsftpd directory:

cp ftps.pem /etc/vsftpd

Add the following to vsftpd.conf:

ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ftps.pem
force_local_data_ssl=NO

*Note: FTPS will only work with authenticated users, i.e. users with a valid account, not anonymous users.
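Two points worth tightening in the setup above: the openssl command writes the private key and the certificate into the same world-readable file, and force_local_data_ssl=NO means that once a user has logged in over TLS the file transfers themselves can still go in the clear. The script below (added here, not the post's or vsftpd's own code) generates the key into a separate root-only file and emits a vsftpd.conf block that encrypts both logins and data. File names, the certificate lifetime and the function names are assumptions; the vsftpd option names are the ones documented in vsftpd.conf(5) for the 2.x releases of the post's era.

```shell
#!/bin/sh
# Added example, not from the original post: FTPS certificate and config.
# Usage:  gen_ftps_cert /etc/vsftpd && ftps_conf /etc/vsftpd >> /etc/vsftpd/vsftpd.conf
set -eu

# Key and certificate in separate files: the key is readable by root only,
# the certificate can stay world-readable. Lifetime and subject are constructed.
gen_ftps_cert() {
    dir=${1:-/etc/vsftpd}
    cn=${FTPS_CN:-$(hostname)}
    ( umask 077 && openssl req -new -x509 -nodes -days 365 \
        -subj "/CN=$cn" -keyout "$dir/ftps.key" -out "$dir/ftps.pem" )
    chmod 600 "$dir/ftps.key"
    chmod 644 "$dir/ftps.pem"
    # Show what was issued so the expiry date ends up in the change record.
    openssl x509 -in "$dir/ftps.pem" -noout -subject -dates
}

# Print the TLS settings for vsftpd.conf. Compared with the post:
#   rsa_private_key_file points at the separate key file,
#   force_local_data_ssl=YES encrypts the data connection too,
#   force_local_logins_ssl=YES refuses plaintext logins for local users.
ftps_conf() {
    dir=${1:-/etc/vsftpd}
    cat <<EOF
ssl_enable=YES
rsa_cert_file=$dir/ftps.pem
rsa_private_key_file=$dir/ftps.key
# Encrypt both the login and the data connection for local users.
force_local_logins_ssl=YES
force_local_data_ssl=YES
# Anonymous users get no TLS, matching the post's note that FTPS is for real accounts.
allow_anon_ssl=NO
# Legacy protocol versions off; TLS on.
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
EOF
}
```

With force_local_data_ssl=YES an FTP client that negotiated TLS for the control channel but then tries a plaintext data connection is refused, which is what you want on a server where the whole point of enabling FTPS was to keep the file contents off the wire.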

Categories
General

Welcome to Technical411.info | Introduction

My friend Rod and I were thinking that after being in the IT industry for almost a decade, we needed to start keeping a repository of all the technical information that we have come across and/or figured out.

I’m sure many of you IT people out there have recovered from an issue but then a month, 6 months, a year later you came across the same issue but couldn’t remember how you solved the problem.

This is why we decided to start up our blog repository. We will try to update this blog whenever we come across one of those issues, so that not only do we have a place to store the information, but perhaps it may help other IT people solve theirs.

Bear with us as we experiment with different blog formats and get this site going.

If you’d like any information on myself or Rod feel free to send us an email at info@technical411.info.

Mike