• Easy way to get Display name from list of UserID’s from AD

    This is a quick one-line command I put together to return a list of display names when all I had was user IDs.

    It's a simple DSQUERY piped into DSGET to return the display name and SAM account name (samid) of each user. Have a look at the DSGET help (dsget user /?) to see the other attributes it can return.

    First you need a text file with one user ID (samid) per line. Then open a command prompt in the directory that holds the file and run this command, changing USERID.TXT to the name of your file:
     

    FOR /F %i in (userid.txt) DO DSQUERY user -samid %i | DSGET user -display -samid >> displayname.txt

    You'll now find a text file in that directory named displayname.txt with a line per user holding the display name and the samid. Two things to watch: an ID that DSQUERY cannot find produces no result row, so the output only lines up with your input file if you keep the samid column; and if you paste the command into a .bat file, write %%i instead of %i.


  • Quick and simple iptables gateway setup

    This is a simple, mostly open setup with a drop on eth0. I use it as a gateway for my VMware "Host-Only" network to get out to the real world without allowing traffic back in that wasn't requested.

    First off, make sure forwarding is turned on in /etc/sysctl.conf:

    net.ipv4.ip_forward = 1

    Then run sysctl -p to load it. The command echoes every setting in the file, so you should see the forwarding line among the rest:

    sysctl -p
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 68719476736
    kernel.shmall = 4294967296

    Here is the ruleset I am currently using:

    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -t mangle -F

    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT
    /sbin/iptables -t nat -P OUTPUT ACCEPT
    /sbin/iptables -t mangle -P PREROUTING ACCEPT
    /sbin/iptables -t mangle -P OUTPUT ACCEPT

    /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    /sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 1:65535 -j DROP
    /sbin/iptables -A INPUT -i eth0 -p udp -s 0/0 -d 0/0 --dport 1:65535 -j DROP

    This allows SSH back in on the outside interface, blocks every other TCP and UDP port there, and still lets internal traffic flow out freely. Two caveats worth knowing: the two DROP rules only cover TCP and UDP, so ICMP and any other protocol arriving on eth0 still hits the INPUT policy of ACCEPT; and the FORWARD policy is ACCEPT in both directions, so "nothing back in that wasn't requested" rests on the NAT and on the host-only range not being routable from outside rather than on a stateful rule. A state match for ESTABLISHED,RELATED on INPUT and FORWARD would make that property explicit.

    Save the iptables commands into a file and execute it to apply the rules. On a Red Hat based system you can then run iptables-save > /etc/sysconfig/iptables, after which "service iptables start" / "service iptables stop" will load and unload the firewall for you in future.
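As an added example (not the ruleset from the post), here is a stateful version of the same host-only gateway: default-deny on INPUT and FORWARD, replies matched by connection state, SSH still allowed in from the outside, and the host-only subnet masqueraded behind eth0. The interface name vmnet1, the subnet 192.168.56.0/24 and the SSH port are assumptions and can be overridden through the environment. By default the script only prints the commands so they can be reviewed; set APPLY=1 and run it as root to apply them.

```shell
#!/bin/bash
# Added example, not the original post's ruleset: a stateful host-only gateway.
# Interface names, the LAN subnet and the SSH port are assumptions; override
# them via the environment (WAN_IF, LAN_IF, LAN_NET, SSH_PORT).
set -eu

WAN_IF="${WAN_IF:-eth0}"               # outside interface (as in the post)
LAN_IF="${LAN_IF:-vmnet1}"             # VMware host-only interface (assumption)
LAN_NET="${LAN_NET:-192.168.56.0/24}"  # host-only subnet (assumption)
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-/sbin/iptables}"

# Emit the ruleset, one command per line. Generating first and applying
# separately lets the rules be reviewed or diffed before they touch the kernel.
build_ruleset() {
    cat <<EOF
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
# Default-deny for the host and for forwarded traffic; outbound from the host is open.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Loopback, and replies to connections the host itself initiated.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from the outside; everything else on $WAN_IF (ICMP and other protocols
# included, which the original rules let through) falls to the DROP policy.
$IPT -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
# The host-only side may talk to the gateway itself.
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# Forward new connections only from LAN to WAN, and only replies back in.
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Hide the host-only network behind the gateway's outside address.
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Number of iptables commands the ruleset would run (comment lines excluded).
count_rules() {
    build_ruleset | grep -c "^$IPT "
}

# Dry run by default: print the commands. With APPLY=1, execute them (as root).
apply_ruleset() {
    if [ "${APPLY:-0}" = "1" ]; then
        build_ruleset | grep -v '^#' | sh -e
    else
        build_ruleset
    fi
}

apply_ruleset
```

Once applied, iptables-save > /etc/sysconfig/iptables persists it exactly as described above for the original rules.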


  • Audit a file on rhel5 with auditd

    Obviously you need the audit package installed and the auditd service running.

    Let's say I want to audit "test.file" for reads, writes, executes and attribute changes:

    auditctl -w /root/test.file -k test-file -p rwxa

    -w: adds a "watch" rule on the given path
    -k: the key you can later filter the audit logs on
    -p: the accesses to record: r (read), w (write), x (execute), a (attribute change)

    If you want the rule to survive a reboot, add it to /etc/audit/audit.rules in the following format:

    -w /root/test.file -k test-file -p rwxa

    Now we can look at the loaded rules:

    auditctl -l

    LIST_RULES: exit,always watch=/root/test.file perm=rwxa key=test-file

    Now I am going to add some text to test.file and see what the audit log says. ausearch finds the records, either by key or by file name:

    ausearch -k test-file
    or
    ausearch -f test.file

    Here are the results:

    ----
    time->Thu May  1 15:04:33 2008
    type=PATH msg=audit(1209679473.817:1252): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679473.817:1252):  cwd="/root"
    type=SYSCALL msg=audit(1209679473.817:1252): arch=c000003e syscall=191 success=no exit=-61 a0=7fff2baf6ba0 a1=3872404d67 a2=0 a3=0 items=1 ppid=16271 pid=16881 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
    ----
    time->Thu May  1 15:04:33 2008
    type=PATH msg=audit(1209679473.817:1253): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679473.817:1253):  cwd="/root"
    type=SYSCALL msg=audit(1209679473.817:1253): arch=c000003e syscall=191 success=no exit=-61 a0=7fff2baf6ba0 a1=3872404d38 a2=0 a3=0 items=1 ppid=16271 pid=16881 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
    ----
    time->Thu May  1 15:04:39 2008
    type=PATH msg=audit(1209679479.812:1254): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679479.812:1254):  cwd="/root"
    type=SYSCALL msg=audit(1209679479.812:1254): arch=c000003e syscall=2 success=yes exit=3 a0=1d6cb910 a1=0 a2=0 a3=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:39 2008
    type=PATH msg=audit(1209679479.813:1255): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679479.813:1255):  cwd="/root"
    type=SYSCALL msg=audit(1209679479.813:1255): arch=c000003e syscall=89 success=no exit=-22 a0=7fff0814a7f0 a1=7fff0814abf0 a2=3ff a3=1 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:45 2008
    type=PATH msg=audit(1209679485.992:1256): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679485.992:1256):  cwd="/root"
    type=SYSCALL msg=audit(1209679485.992:1256): arch=c000003e syscall=191 success=no exit=-61 a0=1d6cb910 a1=3872404d67 a2=7fff0814aff0 a3=84 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:45 2008
    type=PATH msg=audit(1209679485.992:1258): item=3 name="test.file~" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(1209679485.992:1258): item=2 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(1209679485.992:1258): item=1  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(1209679485.992:1258): item=0  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679485.992:1258):  cwd="/root"
    type=SYSCALL msg=audit(1209679485.992:1258): arch=c000003e syscall=82 success=yes exit=0 a0=1d6cb910 a1=1d6f6d80 a2=2 a3=1 items=4 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:45 2008
    type=PATH msg=audit(1209679485.992:1260): item=1 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(1209679485.992:1260): item=0  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679485.992:1260):  cwd="/root"
    type=SYSCALL msg=audit(1209679485.992:1260): arch=c000003e syscall=2 success=yes exit=3 a0=1d6cb910 a1=241 a2=1a4 a3=0 items=2 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:45 2008
    type=PATH msg=audit(1209679485.996:1261): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679485.996:1261):  cwd="/root"
    type=SYSCALL msg=audit(1209679485.996:1261): arch=c000003e syscall=90 success=yes exit=0 a0=1d6cb910 a1=81a4 a2=0 a3=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
    ----
    time->Thu May  1 15:04:45 2008
    type=PATH msg=audit(1209679485.997:1262): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1209679485.997:1262):  cwd="/root"
    type=SYSCALL msg=audit(1209679485.997:1262): arch=c000003e syscall=188 success=yes exit=0 a0=1d6cb910 a1=3872404d67 a2=1d6f6da0 a3=1c items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"

    Reading the records: arch=c000003e is x86_64, so the syscall numbers translate as 191 = getxattr, 2 = open, 89 = readlink, 82 = rename, 90 = chmod and 188 = setxattr; exit=-61 is ENODATA and exit=-22 is EINVAL. The first two events are ls probing extended attributes on the file (the key is logged even though the calls failed). Then vi opens the file, checks whether it is a symlink (readlink, EINVAL on a regular file), and saves by renaming test.file to test.file~ (event 1258 lists both names with the original inode 84869203), creating a fresh test.file with a new inode 84869202 (event 1260: a1=241 is O_WRONLY|O_CREAT|O_TRUNC and a2=1a4 is mode 0644), then restoring the mode with chmod and setting extended attributes with setxattr. Two things to take from this: the watch follows the path name, so it keeps logging after the editor has replaced the inode, and the old contents now live in test.file~ under the original inode, which a watch on test.file does not cover.

    aureport also gives a summary of the activity. With no options it prints this overview (here limited to the time window of the test); the four failed syscalls are the three getxattr calls and the readlink above:

    Summary Report
    ======================
    Range of time in logs: 05/01/2008 15:04:33.817 - 05/01/2008 15:04:45.997
    Selected time for report: 05/01/2008 15:04:33 - 05/01/2008 15:04:45.997
    Number of changes in configuration: 0
    Number of changes to accounts, groups, or roles: 0
    Number of logins: 0
    Number of failed logins: 0
    Number of authentications: 0
    Number of failed authentications: 0
    Number of users: 1
    Number of terminals: 1
    Number of host names: 0
    Number of executables: 2
    Number of files: 3
    Number of AVC’s: 0
    Number of MAC events: 0
    Number of failed syscalls: 4
    Number of anomaly events: 0
    Number of responses to anomaly events: 0
    Number of crypto events: 0
    Number of process IDs: 2
    Number of events: 9
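Added example, not part of the original post: a small script that reduces the raw records ausearch prints to one line per event, translates the x86_64 syscall numbers to names, lists the failed calls, and reports the point where the watched name started pointing at a different inode (the rename-and-recreate save seen above). SAMPLE is a constructed, trimmed copy of the records shown on this page; the syscall table only covers calls typical for such file watches, and the watched file name is an assumption you can override with WATCHED.

```shell
#!/bin/bash
# Added example, not part of the original post: summarise "ausearch -k <key>"
# output. SAMPLE is a constructed, trimmed copy of the records shown on the
# page; the syscall table is limited to calls typical for file watches.
set -eu

WATCHED="${WATCHED:-test.file}"   # the name= value of the watched file (assumption)

SAMPLE='----
time->Thu May  1 15:04:33 2008
type=PATH msg=audit(1209679473.817:1252): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=CWD msg=audit(1209679473.817:1252):  cwd="/root"
type=SYSCALL msg=audit(1209679473.817:1252): arch=c000003e syscall=191 success=no exit=-61 items=1 pid=16881 auid=0 uid=0 comm="ls" exe="/bin/ls" key="test-file"
----
time->Thu May  1 15:04:39 2008
type=PATH msg=audit(1209679479.812:1254): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1209679479.812:1254): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=16882 auid=0 uid=0 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1258): item=3 name="test.file~" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=PATH msg=audit(1209679485.992:1258): item=2 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1209679485.992:1258): arch=c000003e syscall=82 success=yes exit=0 items=4 pid=16882 auid=0 uid=0 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1260): item=1 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1209679485.992:1260): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=16882 auid=0 uid=0 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.996:1261): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1209679485.996:1261): arch=c000003e syscall=90 success=yes exit=0 items=1 pid=16882 auid=0 uid=0 comm="vi" exe="/bin/vi" key="test-file"'

# Read ausearch records on stdin; print "<serial> <syscall> <success> <exit> <comm> <inode>"
# per event, where <inode> is the watched file's inode in that event (or "-").
summarize_audit() {
    awk -v file="$WATCHED" '
    function field(line, key,    v) {           # value of "key=..." in one record
        if (match(" " line, " " key "=[^ ]*")) {
            v = substr(" " line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
            gsub(/"/, "", v)
            return v
        }
        return "-"
    }
    function serial(line,    id) {              # "audit(1209679473.817:1252):" -> "1252"
        id = field(line, "msg")
        sub(/^audit\([0-9.]*:/, "", id); sub(/\):$/, "", id)
        return id
    }
    BEGIN {                                     # x86_64 (arch=c000003e) syscall numbers
        n = split("0:read 1:write 2:open 3:close 82:rename 87:unlink 89:readlink 90:chmod 188:setxattr 191:getxattr 257:openat", t, " ")
        for (i = 1; i <= n; i++) { split(t[i], kv, ":"); name[kv[1]] = kv[2] }
    }
    /^type=PATH/    { if (field($0, "name") == file) inode[serial($0)] = field($0, "inode") }
    /^type=SYSCALL/ {
        id = serial($0); order[++count] = id; num = field($0, "syscall")
        summary[id] = (num in name ? name[num] : "syscall_" num) " " field($0, "success") " " field($0, "exit") " " field($0, "comm")
    }
    END { for (i = 1; i <= count; i++) { id = order[i]; print id, summary[id], (id in inode ? inode[id] : "-") } }'
}

# Only the events whose syscall failed (success=no).
failed_syscalls() { summarize_audit | awk '$3 == "no"'; }

# Report every event where the watched name now points at a different inode
# than in the previous event: the rename-and-recreate save pattern of editors.
inode_changes() {
    summarize_audit | awk '$6 != "-" {
        if (prev != "" && $6 != prev) print "inode " prev " -> " $6 " at event " $1 " (" $2 " by " $5 ")"
        prev = $6
    }'
}

# Stand-alone run over the constructed sample; on a real host pipe in
# "ausearch -k test-file" instead of the sample.
printf '%s\n' "$SAMPLE" | summarize_audit
printf '%s\n' "$SAMPLE" | inode_changes
```

On a live system, ausearch -k test-file | summarize_audit gives the per-event table, and the inode report is the quick way to tell an in-place write (same inode throughout) from an editor save that replaced the file.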

     


  • Enabling ftps on vsftpd

    First generate a self-signed certificate and key; with both -out and -keyout pointing at the same file they end up together in one PEM. As written the command takes OpenSSL's defaults for key size and validity (30 days for req -x509), so add -newkey rsa:2048 and a -days value unless you want a certificate that expires within the month:

    openssl req -new -x509 -nodes -out ftps.pem -keyout ftps.pem

    Copy the PEM into the vsftpd directory and restrict it to root only (mode 600), since it contains the private key:

    cp ftps.pem /etc/vsftpd

    Add the following to vsftpd.conf:

    ssl_enable=YES
    rsa_cert_file=/etc/vsftpd/ftps.pem
    force_local_data_ssl=NO

    *Note: with the default allow_anon_ssl=NO, SSL is only negotiated for local (authenticated) users; anonymous sessions stay in the clear. force_local_data_ssl=NO leaves the data connection unencrypted unless the client asks for it; logins are still forced over SSL because force_local_logins_ssl defaults to YES once ssl_enable is on. Set force_local_data_ssl=YES if file contents must be protected too.
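Added example, not from the original post: the three-line fragment above beside a hardened vsftpd.conf, and a small checker that reports the settings a reviewer would flag, using vsftpd's own defaults for options that are absent. The option names and defaults are vsftpd's; the file paths, the split key file and the weak/hardened pairing are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not from the original post: the post's vsftpd.conf fragment
# beside a hardened one, plus a checker for the settings a reviewer would flag.
# Option names and defaults are vsftpd's; paths and the pairing are assumptions.
set -eu

# Constructed copy of the fragment from the post (data channel left optional).
WEAK_CONF='ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ftps.pem
force_local_data_ssl=NO'

# Hardened variant: logins and data both forced over TLS, SSLv2/SSLv3 refused,
# anonymous sessions kept off SSL, private key in its own root-only file.
HARDENED_CONF='ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ftps.pem
rsa_private_key_file=/etc/vsftpd/ftps.key
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
allow_anon_ssl=NO'

# conf_get "<conf text>" <option> <default>: the option's last value, or the
# default (vsftpd's built-in one, which is what applies when the line is absent).
conf_get() {
    v="$(printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1)"
    printf '%s\n' "${v:-$3}"
}

# check_vsftpd_conf "<conf text>": one finding per line, nothing for a clean config.
check_vsftpd_conf() {
    conf="$1"
    if [ "$(conf_get "$conf" ssl_enable NO)" != "YES" ]; then
        echo "ssl_enable=NO: TLS is off, everything crosses in cleartext"
        return 0
    fi
    [ "$(conf_get "$conf" force_local_logins_ssl YES)" = "YES" ] || echo "force_local_logins_ssl=NO: passwords may cross in cleartext"
    [ "$(conf_get "$conf" force_local_data_ssl YES)" = "YES" ]   || echo "force_local_data_ssl=NO: file transfers may cross in cleartext"
    [ "$(conf_get "$conf" ssl_sslv2 NO)" = "NO" ]                 || echo "ssl_sslv2=YES: SSLv2 accepted"
    [ "$(conf_get "$conf" ssl_sslv3 NO)" = "NO" ]                 || echo "ssl_sslv3=YES: SSLv3 accepted"
    return 0
}

# key_exposed <file>: "exposed" if the PEM holding the private key is readable
# by group or others, "ok" otherwise. The file written by "openssl req -keyout"
# must be root-only; this is the check for it.
key_exposed() {
    if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo exposed
    else
        echo ok
    fi
}

echo "findings for the post's fragment:";  check_vsftpd_conf "$WEAK_CONF"
echo "findings for the hardened config:";  check_vsftpd_conf "$HARDENED_CONF"
```

To run the same checks against a live server, pass the file's contents: check_vsftpd_conf "$(cat /etc/vsftpd/vsftpd.conf)" and key_exposed /etc/vsftpd/ftps.pem.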


  • Welcome to Technical411.info | Introduction

    My friend Rod and I were thinking that, after being in the IT industry for almost a decade, we needed to start keeping a repository of all the technical information we have come across and/or figured out.

    I'm sure many of you IT people out there have recovered from an issue, only to come across the same issue a month, six months or a year later and not remember how you solved it.

    This is why we decided to start this blog repository. We will try to update it whenever we come across one of those issues, so that we have a place to store the information and perhaps it helps other IT people solve theirs.

    Bear with us as we experiment with different blog formats and get this site going.

    If you’d like any information on myself or Rod feel free to send us an email at info@technical411.info.

    Mike