Using an editor or the cat command, write a script that uses a variable. Note that this script uses the bash shell on LINUX, but you can also use the ksh shell with UNIX.
1) Set a value for the variable first using typeset then check it using set.
** Note that it doesn't recognize the hi variable. This is because the variable is local to the shell in which it was defined. When this script is executed, a new shell is started that is outside your local shell. **
4) Add execute privilege to the script file and run it as a command from the current directory.
Below are the simple steps to write a simple shell script in Linux machine. Before this I don't have any experience to write a script. Thanks to HP's Virtual Lab. Its really make my day ;-)
2) Using an editor or the cat command, write a korn or bash script that:
* Comments what the script will do. * Shows your current directory. * Shows who is currently logged on. * Prints the current date and time.
[root@vmpc_rh804 root]#cat > myscript #! /bin/bash # # This script shows current directory # then shows who is on the system # then prints the date and time # pwd who date Ctrl/D
3) Run the script by calling up the shell interpreter.
In this tip we are going to learn about nmap, an open source network scanner that is ideal for network troubleshooting, scanning, and auditing. The tool can be used to identify devices on the network as well as the services running on the particular devices. Additionally, advanced information such as operating systems in use, particular services (name and version), and network filters and firewalls can be identified.
The identification of services with nmap is achieved through its fingerprint database that currently contains 5,000+ fingerprints. This database is supported by the community by allowing submission of known fingerprints.
Nmap as an inventory tool One of the common applications of nmap is to generate basic inventory reports. This is useful for network maps, renewal of maintenance agreements on network devices and nodes, and to identify rogue, unauthorized, or forgotten devices. The basic scan for an inventory makes use of a ping scan. For example, the following scan shows the host available on the 192.168.1.0/24 network. The -sP tells nmap to do a ping scan, and the -n says to not do name resolution.
nmap -sP -n 192.168.1.0/24 Starting Nmap 4.76 (http://nmap.org) at 2009-05-14 10:18 CDT Host 192.168.1.1 appears to be up. MAC Address: 00:18:3A:A4:43:BA (Westell Technologies) Host 192.168.1.2 appears to be up. Host 192.168.1.3 appears to be up. MAC Address: 00:17:EE:01:95:19 (Motorola CHS) Host 192.168.1.4 appears to be up. MAC Address: 00:16:CB:A3:27:E4 (Apple Computer) Host 192.168.1.5 appears to be up. MAC Address: 00:1E:52:7D:84:7E (Apple) Nmap done: 256 IP addresses (5 hosts up) scanned in 2.17 seconds
This ping scan is quite useful for building inventories quickly. It can also be the building blocks of more sophisticated scripts and programs to validate adds and changes to the network. For example, the following command reports the new host (192.168.1.5) on the network from two daily scans output to text files:
diff monday.scan tuesday.scan | grep "> Host" > Host 192.168.1.5 appears to be up.
Host-specific inventory To look at a particular host to determine services running, you can use nmap. For example, let's take a closer look at the 192.168.1.5 that appears to have been turned up sometime after the Monday scan but before the Tuesday scan:
nmap -n 192.168.1.5 Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-14 12:44 CDT Interesting ports on 192.168.1.5: Not shown: 984 closed ports PORT STATE SERVICE 22/tcp open ssh 88/tcp open kerberos-sec 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 515/tcp open printer 548/tcp open afp 631/tcp open ipp 1021/tcp open unknown 1022/tcp open unknown 1023/tcp open netvenuechat 2049/tcp open nfs 3300/tcp open unknown 5900/tcp open vnc 20221/tcp open unknown 20222/tcp open unknown MAC Address: 00:16:CB:A3:27:E4 (Apple Computer) Nmap done: 1 IP address (1 host up) scanned in 10.46 seconds It appears to be a Unix based system based upon ssh, but the identification of the MAC address makes the system most likely an Apple Mac computer. But, a closer look using nmap's service and version detection, more information can be gleaned. The -sV parameter is used for this:
mb3:~ root# nmap -n -sV 192.168.1.5 Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-14 12:47 CDT Interesting ports on 192.168.1.5: Not shown: 984 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.1 (protocol 1.99) 88/tcp open kerberos-sec Mac OS X kerberos-sec 111/tcp open rpcbind 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 515/tcp open printer 548/tcp open afp? 631/tcp open ipp CUPS 1.3 1021/tcp open rpcbind 1022/tcp open rpcbind 1023/tcp open rpcbind 2049/tcp open rpcbind 3300/tcp open unknown? 5900/tcp open vnc VNC (protocol 3.8) 20221/tcp open unknown? 20222/tcp open unknown? 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : SF-Port548-TCP:V=4.76%I=7%D=5/14%Time=4A0C5929%P=i386-apple-darwin9.4.0%r( SF:SSLSessionReq,172,"\x01\x03\0\0Q\xec\xff\xff\0\0\x01b\0\0\0\0\0\x18\0\" AD9 SF:6FA5112ED039C\0\x04mini"); MAC Address: 00:16:CB:A3:27:E4 (Apple Computer) Service Info: OS: Mac OS X Host script results: | Discover OS Version over NetBIOS and SMB: Unix |_ Discover system time over SMB: 2009-05-14 12:49:02 UTC-5 Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 119.68 seconds
Now the administrator knows that it is Mac OS X, and that it is being used for Windows file sharing using Samba, that it is most likely sharing printers via CUPS, and that the system is configured for remote management with virtual network computing (VNC).
Using nmap for security While nmap is quite useful for administrators as shown above, it is also quite powerful for security audits. For example, many companies do not allow Web servers to be run on user networks (i.e. networks where user computers and laptops are connected). nmap can easily be used to identify all the systems with Web services running on the well known ports of 80 and 443 with:
nmap -n -p 80,443 192.168.1.0/24 | egrep "ports|open" Interesting ports on 192.168.1.1: 80/tcp open http 443/tcp open https Interesting ports on 192.168.1.2: Interesting ports on 192.168.1.3: Interesting ports on 192.168.1.4: Interesting ports on 192.168.1.5:
Another useful feature is identifying particular versions to determine if systems are vulnerable to an announced vulnerability. For example, let's assume the Samba team has announced a security issue with a particular version of Samba, and you need to identify all your Samba versions. The following reports the Samba versions:
nmap -n -sV -p 139 192.168.1.0/24 | egrep "ports|139" Interesting ports on 192.168.1.1: 139/tcp closed netbios-ssn Interesting ports on 192.168.1.2: 139/tcp closed netbios-ssn Interesting ports on 192.168.1.3: 139/tcp filtered netbios-ssn Interesting ports on 192.168.1.4: 139/tcp open netbios-ssn Samba smbd 3.2 (workgroup: HQ) Interesting ports on 192.168.1.5: 139/tcp open netbios-ssn Samba smbd 2.1 (workgroup: REMOTE) Interesting ports on 192.168.1.15: 139/tcp open netbios-ssn Samba smbd 3.2 (workgroup: WORKGROUP)
This tip has shown how nmap can be used for network inventory scans (-sP), more thorough inventory and auditing, and security scans to identify unauthorized services as well as assist in security vulnerability assessments. nmap is a good tool to have readily available...combine it with grep or egrep and it becomes a powerful reporting tool.
#deb cdrom:[Ubuntu-Server 8.10 _Intrepid Ibex_ - Release amd64 (20081028.1)]/ intrepid main restricted # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to # newer versions of the distribution.
deb http://my.archive.ubuntu.com/ubuntu/ intrepid main restricted deb-src http://my.archive.ubuntu.com/ubuntu/ intrepid main restricted
## Major bug fix updates produced after the final release of the ## distribution. deb http://my.archive.ubuntu.com/ubuntu/ intrepid-updates main restricted deb-src http://my.archive.ubuntu.com/ubuntu/ intrepid-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team. Also, please note that software in universe WILL NOT receive any ## review or updates from the Ubuntu security team. deb http://my.archive.ubuntu.com/ubuntu/ intrepid universe deb-src http://my.archive.ubuntu.com/ubuntu/ intrepid universe deb http://my.archive.ubuntu.com/ubuntu/ intrepid-updates universe deb-src http://my.archive.ubuntu.com/ubuntu/ intrepid-updates universe
## OpenNMS deb http://debian.opennms.org stable main deb-src http://debian.opennms.org stable main
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team, and may not be under a free licence. Please satisfy yourself as to ## your rights to use the software. Also, please note that software in ## multiverse WILL NOT receive any review or updates from the Ubuntu ## security team. deb http://my.archive.ubuntu.com/ubuntu/ intrepid multiverse deb-src http://my.archive.ubuntu.com/ubuntu/ intrepid multiverse deb http://my.archive.ubuntu.com/ubuntu/ intrepid-updates multiverse deb-src http://my.archive.ubuntu.com/ubuntu/ intrepid-updates multiverse
## Uncomment the following two lines to add software from the 'backports' ## repository. ## N.B. software from this repository may not have been tested as ## extensively as that contained in the main release, although it includes ## newer versions of some applications which may provide useful features. ## Also, please note that software in backports WILL NOT receive any review ## or updates from the Ubuntu security team. # deb http://my.archive.ubuntu.com/ubuntu/ intrepid-backports main restricted universe multiverse # deb-src http://my.archive.ubuntu.com/ubuntu/ intrepid-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's ## 'partner' repository. This software is not part of Ubuntu, but is ## offered by Canonical and the respective vendors as a service to Ubuntu ## users. # deb http://archive.canonical.com/ubuntu intrepid partner # deb-src http://archive.canonical.com/ubuntu intrepid partner
# Line commented out by installer because it failed to verify: #deb http://security.ubuntu.com/ubuntu intrepid-security main restricted # Line commented out by installer because it failed to verify: #deb-src http://security.ubuntu.com/ubuntu intrepid-security main restricted # Line commented out by installer because it failed to verify: #deb http://security.ubuntu.com/ubuntu intrepid-security universe # Line commented out by installer because it failed to verify: #deb-src http://security.ubuntu.com/ubuntu intrepid-security universe # Line commented out by installer because it failed to verify: #deb http://security.ubuntu.com/ubuntu intrepid-security multiverse # Line commented out by installer because it failed to verify: #deb-src http://security.ubuntu.com/ubuntu intrepid-security multiverse
I want to using nmap in my Ubuntu server but I found that nmap is not installed yet.
root@ubuntu:~# nmap
The program 'nmap' is currently not installed. You can install it by typing:
So, to install nmap just type the below command. It is extremely simple and easy :)
type this command : apt-get install nmap -bash: nmap: command not found
root@ubuntu:~# apt-get install nmap ** nmap will be installed and the below process will be shown Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
nmap
0 upgraded, 1 newly installed, 0 to remove and 46 not upgraded.
Need to get 1080kB of archives.
After this operation, 3789kB of additional disk space will be used.
Get:1 http://my.archive.ubuntu.com intrepid/main nmap 4.62-1ubuntu1 [1080kB]
Fetched 1080kB in 20s (52.4kB/s)
Selecting previously deselected package nmap.
(Reading database ... 53517 files and directories currently installed.)
Unpacking nmap (from .../nmap_4.62-1ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up nmap (4.62-1ubuntu1) ...
taddaaaaaaa...!!!! Nmap is installed..Yeaaaaa
root@ubuntu:~# nmap
Nmap 4.62 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL : Input from list of hosts/networks
-iR : Choose random targets
--exclude : Exclude hosts/networks
--excludefile : Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers : Specify custom DNS servers
--system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags : Customize TCP scan flags
-sI : Idle scan
-sO: IP protocol scan
-b : FTP bounce scan
--traceroute: Trace hop path to each host
--reason: Display the reason a port is in a particular state
PORT SPECIFICATION AND SCAN ORDER:
-p : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports : Scan most common ports
--port-ratio : Scan ports more common than SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity : Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=safe,intrusive
--script=: is a comma separated list of
directories, script-files or script-categories
--script-args=: provide arguments to scripts
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take
LogFormat=4 change to this value from default “ 1 ”
# If analyzing mail log, enter here the domain name of mail server.
# Example: "myintranetserver"
# Example: "www.domain.com"
# Example: "ftp.domain.com"
# Example: "domain.com"
#
SiteDomain="lbjt" make sure this is value is entered
# Example: "/var/lib/awstats"
# Example: "../data"
# Example: "C:/awstats_data_dir"
# Default: "."(means same directory as awstats.pl)
#
DirData="/var/www/awstats" change to this from the default “/var/lib/awstats”
Step 4
awstats@ubuntu:/var/www/awstats/tools$ type sudo /var/www/awstats/wwwroot/cgi-bin/awstats.pl config=lbjt -update
Create/Update database for config "/etc/awstats/awstats.lbjt.conf" by AWStats version 6.9 (build 1.925)
From data in log file "/var/log/apache2/lbjt.skali.my-access_log"...
Phase 1 : First bypass old records, searching new record...
Searching new records from beginning of log file...
Phase 2 : Now process new records (Flush history on disk after 20000 hosts)...
Jumped lines in file: 0
Parsed lines in file: 1788
Found 0 dropped records,
Found 0 corrupted records,
Found 0 old records,
Found 1788 new qualified records.
awstats@ubuntu:/var/www/awstats/tools$
Step 5
Open browser using Internet Explorer or Mozilla FireFox. At the URL address type the below address;
http://192.168.19.50/awstats/awstats.pl?config=lbjt and the web page as below will be displayed and your awstats configuration is successful. Replace the lbjt name with other website profile. Let say if you are creating a profile for Bank Rakyat, then type, bankrakyat after config= (eg; config=bankrakyat) and so on for other profile.
I have searching on the Internet how to setup a my Ubuntu (8.04) machine as a firewall and I finally found a step that I need to do. Lokkit, yeah this is the firewall that I think suitable. What I need to do is to download it first to my Ubuntu machine, install and configure it as I need.
rootubuntu@myubuntu-vbox:~$ sudo apt-get install lokkit<---- type this command [sudo] password for rootubuntu: type the root password, after that the below details will be displayed during the installation. (see below) Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: ipmasq Recommended packages: gnome-lokkit The following NEW packages will be installed: lokkit 0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded. Need to get 128kB of archives. After this operation, 811kB of additional disk space will be used. Get:1 http://my.archive.ubuntu.com hardy/universe lokkit 0.50.22-7.1ubuntu2 [128kB] Fetched 128kB in 6s (20.6kB/s) Selecting previously deselected package lokkit. (Reading database ... 138076 files and directories currently installed.) Unpacking lokkit (from .../lokkit_0.50.22-7.1ubuntu2_i386.deb) ... Setting up lokkit (0.50.22-7.1ubuntu2) ... You must use lokkit or gnome-lokkit to configure the firewall. -end of installation-
After installation of Lokkit is finished enter below command to run Lokkit rootubuntu@myubuntu-vbox:~$ lokkit <---- type this command
ERROR - You must be root to run lokkit.why I got this message? because I'm not run it as a root. use sudo
rootubuntu@myubuntu-vbox:~$ whoami rootubuntu rootubuntu@myubuntu-vbox:~$ sudo lokkit [sudo] password for rootubuntu: type the root password, then the Lokkit window will be pop-up as below.
Oppsss, I got this error message when I tried to edit the SSL certificate in XAMPP on my application server. Honestly, it makes me panic! Know what, I can't running the Apache services. When I tried to run the command it shows an error like this
[root@pknp ~]# /opt/lampp/lampp start Starting XAMPP for Linux 1.5.3a... XAMPP: Starting Apache with SSL (and PHP5)... XAMPP: Error 1! Couldn't start Apache! XAMPP: Starting diagnose... XAMPP: Sorry, I've no idea what's going wrong. XAMPP: Please contact our forum http://www.apachefriends.org/f/
I'm searching on the Internet and exactly I've found it from XAMPP website. It said that I need to type the below command:
[root@mybox ~]#tail -2 /opt/lampp/logs/error_log and then it shows what is the type of error
[root@pknp ~]# tail -2 /opt/lampp/logs/error_log [Sun Oct 07 10:11:52 2007] [error] Unable to configure RSA server private key [Sun Oct 07 10:11:52 2007] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
As I expect earlier, it is caused by the SSL editing. I didn't know how this thing happen. Maybe there is some misconfigration or the XAMPP version compatibility. When i write this post, I'm using XAMPP for Linux 1.5.3awhile the new version is available, XAMPP Linux 1.6.3b. After a few attempt to start the Apache in XAMPP is fail, I was thinking how stupid am I not backup the original certificates files. Now the things come worst. But, I was thinking, Hey, I've got another server (database) that also using XAMPP. Why not I copy that certificate file in that server and replace it back to the original state of my application server. Fortunately, I still didn't make any configuration to that database server. So, I just copy the files (server.crt and server.key) and replace it to on my application server. The I tried to restart the XAMPP back and YESSS!!!! It back on track again. So, the moral is, please BACKUP your original file first before you are going to edit it. If not, then it will become a nightmare for you. :-P
I have added a plugins for my webmail (Squirrelmail). It is Secure Login plugins. This plugins enables a secure HTTPS/SSL-encrypted connection for my SquirrelMail login page. So, it can secure my email access. As I'm using Apache in XAMPP, the generated SSL certificate are using the default setting. When I view the certificate, it show's a default XAMPP Apache setting like below :
Issued To Common Name (CN) localhost Organization (O) Apache Friends Organization Unit (OU) Serial Number 00
Issued By Common Name (CN) localhost Organization (O) Apache Friends Organization Unit (OU)
So, to create my own self-signed SSL certificate, I need to edit the certain file make a few tuning. So that, the certificate will be no longer using a default XAMPP setting.
1. Open a terminal/console at local or do it remotely through SSH access
2. The first thing that need to do is, create a RSA Private Key by using the below command.
Generating RSA private key, 1024 bit long modulus .........................................................++++++ ........++++++ e is 65537 (0x10001) Enter PEM pass phrase: enter the desired pass phrase Verifying password - Enter PEM pass phrase: same as a above
3. The next step is to create a Certificate Signing Request (CSR). CSR is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. User will be prompt to enter an information that related to CSR certificate. To create a CSR, enter the below command. [root@mybox ~]#openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:type your 2 letter country code State or Province Name (full name) [Berkshire]:type your state or province name Locality Name (eg, city) [Newbury]:type your city name Organization Name (eg, company) [My Company Ltd]:type your company name Organizational Unit Name (eg, section) []:type your department Common Name (eg, your name or your server's hostname) []:type your server hostname Email Address []:type your email address Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:type your password An optional company name []:type your company name
4. The next step is to remove the passphrase key. It is because if you enable the passphrase, Apache will ask for the pass-phrase each time the web server is started. It will be a problem if the server is restarted as the user always need to type the passphrase. The below command will remove the passphrase.
5. To generating a Self-Signed Certificate, enter the below command. As this certificate is not verified by Certificate Authority such as Thawte or Verisign, your browser will notice an error inform you that the signing certificate authority is unknown and not trusted. Bear in mind that this is self-signed certificate. So, you should ignore that error message.
6. Installing the Private Key and Certificate is simple. All you need to do is to know where are your XAMPP Apache directory. I assume that, we are using the default XAMPP directory, /opt/lampp. So, copy the two below files, ssl.crt and ssl.key to the XAMPP directory.
[root@mybox ~]#cp server.crt /opt/lampp/etc/ssl.crt [root@mybox ~]#cp server.key /opt/lampp/etc/ssl.key/server.key When you are being asked to overwritten the file, just type yes and hit Enter.
7. Restart Apache and test to access your site. Check the certificate and make sure the information that you have insert is correct.
8. Finish! Your configuration is done. Good luck :-)
Purpose System Administrators are often on the front lines of computer security. This guide aims to support System Administrators in finding indications of a system compromise.
What to use this sheet for On a periodic basis (daily, weekly, or each time you logon to a system you manage,) run through these quick steps to look for anomalous behavior that might be caused by a computer intrusion. Each of these commands runs locally on a system. This sheet is split into these sections: • Unusual Processes • Unusual Files • Unusual Network Usage • Unusual Scheduled Tasks • Unusual Accounts • Unusual Log Entries • Additional Supporting Tools
• Unusual Processes Look for running processes: # ps –aux Get familiar with “normal” processes for the machine. Look for unusual processes. Focus on processes with root (UID 0) privileges. If you spot a process that is unfamiliar, investigate unusual processes, getting more detail using: # lsof –p [pid] This command shows all files and ports used by the running process.
• Unusual Files Look for unusual SUID root files: # find / -uid 0 –perm -4000 –print Requires knowledge of normal SUID files Look for unusual large files (greater than 10 MegaBytes): # find / -size +10000k –print Requires knowledge of normal large files Look for files named with dots and spaces: (“...”, “.. “, “. “, and “ “) # find / -name “...“ –print # find / -name “.. “ –print # find / -name “. “ –print
On a Linux machine with RPM installed (RedHat, Mandrake, etc.), run the RPM tool to verify packages # rpm –Va Checks size, MD5 sum, permissions, type, owner, and group of each file with information from RPM database Output includes: S – File size differs M – Mode differs (permissions) 5 – MD5 sum differs D – Device number mismatch L – readLink path mismatch U – user ownership differs G – group ownership differs T – modification time differs Pay special attention to changes associated with items in /sbin, /bin, /usr/sbin, and /usr/bin
• Unusual Network Usage Look for promiscuous mode, which might indicate a sniffer: # ip link | grep PROMISC Note that ifconfig doesn’t work reliably for detecting promiscuous mode on Linux kernel 2.4
Look for unusual port listeners: # lsof –i # netstat –nap Need to know which TCP and UDP ports are normally listening on your system and look for deviations from the norm
Look for unusual ARP entries, mapping IP address to MAC addresses that aren’t correct for the LAN: # arp –a Requires detailed knowledge of what is supposed to be on the LAN
• Unusual Scheduled Tasks Look for cron jobs scheduled by root and any other UID 0 accounts: # crontab –u root –l Look for unusual system-wide cron jobs: # cat /etc/crontab
• Unusual Accounts Look in /etc/passwd for new accounts, especially with UID 0 or GID 0 # less /etc/passwd # grep :0: /etc/passwd Normal accounts will be there, but look for new, unexpected accounts
• Unusual Log Entries Look through your system log files for suspicious events, including: Promiscuous mode “entered promiscuous mode” Large number of authentication or login failures from either local or remote access tools (e.g., telnetd, sshd, etc.) Remote Procedure Call (rpc) programs with a log entry that includes a large number (> 20) strange characters (-^PM-^PM-^PM-^PM- ^PM-^PM-^PM-^PM) For web servers: Large number of Apache logs saying “error”
• Additional Supporting Tools The following tools are often not built into Linux operating system, but can be used to analyze its security status in more detail. Each is available for free download at the listed web site. Chkrootkit looks for anomalies on systems introduced by user-mode and kernel-mode RootKits www.chkrootkit.org - free Tripwire looks for changes to critical system files www.tripwire.org - free for Linux for noncommercial use AIDE looks for changes to critical system files http://www.cs.tut.fi/~rammer/aide.html
I'm having a problem to access to my desktop using GUI. So, I decided to use command in console. I would like to share with people especially newbies how to configure Linux network using a command prompt based on my experience.
As usual, I'm coming to office and entering the server room and login to the portal to check in for my attendance system. But all of the sudden, the server is restart!!!! Oh my god! I was accidentally press the Ctrl+Alt+Delete!!! What I have done? Than, I tried to fix the problem. The solution that I can do is I need to disable the Ctrl+Alt+Delete key. I'm afraid that if anyone that accidentally press that key than everything will be horror. To disable that key is quiet simple actually. Below are the steps that I have done.
1. Backup the original etc/inittab file and named it as a inittab.ori [root@localhost ~]# cp /etc/inittab /root/Desktop/backup/inittab.ori
2. Edit the original file in /etc/inittab [root@localhost ~]#vi /etc/inittab
3. Find the the # Trap CTRL-ALT-DELETE line You can see that there is a file that exactly look like this ca::ctrlaltdel:/sbin/shutdown -t3 -r now
4. Now edit that line such below ca:12345:ctrlaltdel:/bin/echo "CTRL-ALT-DEL is disabled"
5. Save the file that you have edit and quit from VI
6. In order to activate the changes, you need to run this command [root@localhost ~]# init q
7. After that to make sure it is effective or not, try to press the Ctrl+Alt+Del key. Your screen should appear "CTRL-ALT-DEL is disabled"
Kuantan, Pahang Darul Makmur yang amai dan permai, Malaysia
Born to this world as a human that created by HIM to be a khalifah on this world. Happy with my job now. Independent, that's the most precious thing that I had now.
Download The Open House Full Movie
-
[Download]*HD* The Open House
[image: The Open House]
[image: Watch The Open House Online Streaming]
The Open House (2018)
Release Date : 2018-01-19
G...
Redash RPM in COPR
-
Just a quick announcement post.
I've added a redash build in COPR.
To install:
dnf copr enable izhar/redash
dnf install redash
Configure your databa...
Interesting Projects
-
I'm keeping the list of tools as online bookmark here -
https://github.com/automayt/FlowPlotter
http://threatstream.github.io/mhn/
https://github.com/stra...
Continue my blogging
-
Whoaa..
After the long time and busy with lots of thing in my life.. I've decided
to resume my blog.. it's already 4 years.. it will filled up with mumblin...
New (not that new) Beginning part 1
-
Silent is the best policy. I think probably it’s been too quiet for this
blog. I guess it’s over 2 years since my last post? Hooo haa about quiting
my job,...
Google +1 Plus One MOSC2011 Official Blog
-
Google +1 Plus One MOSC2011 Official Blog
Help us promoting Malaysia Open Source Conference 2011 (MOSC2011) by Google
+1 our official blog. Visit our offic...
Mari2.. Bagaimana mahu baik pulih Grub2?? Begini...
-
Hari ni ak da hancurkan Grub2 aku dengan format windows lagi sekali. Ia
agak susah nak membaiki pasal tak banyak "how to" pasal recover balik Grub2
yang da...
Kembali Bergambar
-
Jangan salah paham dengan tajuk kat atas tu. pokcik nak maksudkan kembali
menggunakan kamera yang telah sekian lama bersemadi dalam DIY drybox tu.
Dah lama...
Posts
