16
Aug
sendmail log subject
LOCAL_CONFIG
Klog syslog
HSubject: $>+CheckSubject
LOCAL_RULESETS
SCheckSubject
R$*{TAB}$: $(log Subject: $1 $) $1
update thold_data a , graph_templates_graph b
SET a.name=b.title_cache
where a.graph_id=b.local_graph_id
https://github.com/Cacti/plugin_thold/releases6
Jul
apache mod_security
SecRule SCRIPT_BASENAME “\.php$” “id:999,chain,deny,msg:’%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} BLOCKIP= %{REMOTE_ADDR} ‘”
SecRule SCRIPT_UID “^48$” log
SecRule REQUEST_FILENAME “^/phpadmin/” “id:990,noauditlog,allow”
SecRule ARGS “@containsWord select” “id:998,log,pass,t:lowercase”
SecRule ARGS “@containsWord union” “id:997,log,pass,t:lowercase”
SecRule ARGS “@containsWord outfile” “id:996,log,pass,t:lowercase”
SecRule ARGS “@containsWord load_file” “id:995,log,pass,t:lowercase”
#SecRule REQUEST_HEADERS:User-Agent “MJ12bot” ”id:972,deny,log”
#SecRule REQUEST_HEADERS:User-Agent “bingbot” ”id:973,deny,log”
SecRule ARGS “login” “id:980,pass,msg:’%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} LOGINIP= %{REMOTE_ADDR} ‘”
[modsec-php48]
enabled = true
filter = modsec-php48
action = iptables-multiport[name=modsecPHP48, port="80,443", protocol=tcp]
modsec-php48-whois[name="ModSecBackdoor", dest="xxx@yahoo.com", sender=xxx@vixxxave.vn, sendername="Fail2Ban"]
logpath = /var/log/httpd/modsec_audit.log
maxretry = 1
findtime = 3600
bantime = 864000
vi modsec-php48.conf
[INCLUDES]
# Read common prefixes. If any customizations available — read them from
# common.local
before = common.conf
[Definition]
failregex = BLOCKIP= <HOST> “\]
ignoreregex =
vi whois-modsec-php48
actionban = printf %%b “Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
Date: `LC_TIME=C date -u +”%%a, %%d %%h %%Y %%T +0000″`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip>:\n
`tail -n 1000 /var/log/httpd/modsec_audit.log | grep <ip> | grep BLOCKIP`\n
`/usr/bin/whois <ip> || echo missing whois program`\n
Regards,\n
Fail2Ban” | /usr/sbin/sendmail -f <sender> <dest>
grep SSLCertificate /etc/httpd/conf.d/ssl.conf
openssl req -new -days 3650 -x509 -nodes -newkey rsa:2048 \-out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.keychmod 600 /etc/pki/tls/certs/server.crtchmod 600 /etc/pki/tls/private/server.key
19
May
sendmail authid counter
cat /var/log/maillog-20170514 | grep authid | cut -d ‘=’ -f 4 | sort | uniq -c | sort -nr
17
Mar
mysql clustering
wget http://dev.mysql.com/get/Downloads/MySQL-Cluster-7.3/MySQL-Cluster-gpl-7.3.5-1.el6.x86_64.rpm-bundle.tar
tar -xvf MySQL-Cluster-gpl-7.3.5-1.el6.x86_64.rpm-bundle.tar
yum groupinstall 'Development Tools'
yum remove mysql-libs
yum install libaio-devel
rpm -Uhv MySQL-Cluster-server-gpl-7.3.5-1.el6.x86_64.rpm
vi config.ini
#####################################
[NDBD DEFAULT] NoOfReplicas=1 DataDir= /opt/mysql-cluster [MYSQLD DEFAULT] [NDB_MGMD DEFAULT] [TCP DEFAULT] # Section for the cluster management node [NDB_MGMD] # IP address of the management node (this system) HostName=10.10.255.175 # Section for the storage nodes [NDBD] # IP address of the first storage node HostName=10.10.255.176 [NDBD] # IP address of the second storage node HostName=10.10.255.177 # one [MYSQLD] per storage node [MYSQLD] HostName=10.10.255.176 [MYSQLD] HostName=10.10.255.177 ~
################################################
ndb_mgmd -f /opt/mysql-cluster/config.ini
ndb_mgm
>show
>shutdown
datanote
vi /etc/my.cnf
[mysqld]
ndbcluster
# IP address of the cluster management node
ndb-connectstring=10.10.255.175:1186
default-storage-engine=ndbcluster
[mysql_cluster]
# IP address of the cluster management node
ndb-connectstring=10.10.255.175:1186
/etc/init.d/mysql start
cat /root/.mysql_secret
ndbd –initial
http://skillachie.com/2014/06/30/mysql-cluster-getting-started-redhatcentos-6/
https://www.howtoforge.com/loadbalanced_mysql_cluster_debian
bash-4.3$ cat .xbindkeysrc
“qdbus org.kde.screensaver /ScreenSaver org.freedesktop.ScreenSaver.Lock”
b:9
“xte ‘keydown Escape’ ‘keyup Escape’”
b:8
bash-4.3$
AuthType Basic AuthName "Auth Required" AuthUserFile /path/to/.htpasswd Require valid-user
Now adding the following below this will allow you to exclude directories and files
# Allow access to excluded diretories SetEnvIf Request_URI "path/to/excluded/directory/" allow SetEnvIf Request_URI "path/to/excluded/file" allow Order allow,deny Allow from env=allow Satisfy any
22
Nov
tcpdump
tcpdump -i eth0 -nnn -w pcap-%Y-%m-%d-%H-%M-%S.pcap -G 60
-C MB , -W num files, -G second
incomming TCP syn group by port
tcpdump -tttt -nn -r pcap-2016-11-22_10:42:32.pcap ‘tcp and dst 127.0.0.1 and tcp[13]=2′ | cut -f 6 -d ‘ ‘ | cut -f 5 -d ‘.’ | sort | uniq -c
incoming http syn group by source ip
tcpdump -tttt -nn -r pcap-2016-11-22_10:43:32.pcap ‘tcp and dst 127.0.0.1 and tcp[13]=2 and port 80′ | cut -f 4 -d ‘ ‘ | cut -f 1-4 -d ‘.’ | sort | uniq -c | sort -nr
Fin = 1
Syn = 2
Rst = 4
Psh = 8
Ack = 16
Ugent = 32
19
Oct
GSM modem linux
#dmesg
usb 2-2.1: new full speed USB device number 6 using uhci_hcd
usb 2-2.1: New USB device found, idVendor=067b, idProduct=2303
usb 2-2.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 2-2.1: Product: USB-Serial Controller
usb 2-2.1: Manufacturer: Prolific Technology Inc.
usb 2-2.1: configuration #1 chosen from 1 choice
pl2303 2-2.1:1.0: pl2303 converter detected
usb 2-2.1: pl2303 converter now attached to ttyUSB0
#stty -F /dev/ttyUSB0
speed 115200 baud; line = 0;
min = 1; time = 5;
ignbrk -brkint -icrnl -imaxbel
-opost -onlcr
-isig -icanon -iexten -echo -echoe -echok -echoctl -echoke
# stty -F /dev/ttyUSB0 115200
# setserial -a /dev/ttyUSB0