08 Feb 12

Firewall Testing and Monitoring

This page describes how to set up a firewall monitoring script. It sends out an email if it detects a malfunction in the firewall configuration. This type of monitoring is important to ensure your firewall is properly configured; it also helps catch inadvertent firewall misconfiguration and alerts the administrator in the case of break-in attempts.

The solution is to use nmap to scan the ports from a remote machine on the internet.

Requirements

  1. FreeBSD
  2. Root access
  3. A working firewall
  4. Another machine outside the firewall

Install and Configure

cd /usr/ports/security/nmap
make install clean
rehash
nmap --version

The following script monitors ports 22, 110 and 80 and sends out an email if it detects that any of them is open.

#!/bin/sh

# Sends an email only when there is a hole in the firewall.
# grep exits 0 only if nmap reported at least one monitored port as open.

OUT=$(mktemp) || exit 1

/usr/local/bin/nmap -Pn -p 22,110,80 yourhostname.com | grep open > "$OUT"

if [ $? -eq 0 ] ; then
    mailx -s "firewall misconfiguration" youremail@youremailhost.com < "$OUT"
fi
rm -f "$OUT"

Save the script as /home/yourusername/bin/checkFirewall.sh, make it executable (chmod +x), and enter the following into your crontab:
vi /etc/crontab

# check firewall every 30 minutes.
*/30 * * * * yourusername /home/yourusername/bin/checkFirewall.sh

Test

Test the script by opening up a port in your firewall. Wait for the script to run, and verify that you get the alert email.
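As an added example (not part of the original post), the following script generalizes the check above: instead of alerting whenever a port is open, it compares nmap's grepable output (-oG -) against an allowlist of ports that are supposed to be reachable and reports a deviation in either direction, so a web server's port 80 does not page you every half hour while a port that should be closed does. The hostname, mail address and the embedded scan output are constructed placeholders, not captured from a real scan.

```shell
#!/bin/sh
# Added example, not from the original post: check nmap's grepable output
# (nmap -oG -) against an allowlist of ports that are meant to be open.

# Ports that policy says must be reachable from the internet (placeholder).
EXPECTED_OPEN="22 80"

# Constructed sample of what "nmap -Pn -p 22,80,110 -oG - host" prints when
# all three ports answer; in this sample 110 is the hole.
SAMPLE_SCAN='# Nmap scan initiated as: nmap -Pn -p 22,80,110 -oG - yourhostname.com
Host: 192.0.2.10 (yourhostname.com)	Status: Up
Host: 192.0.2.10 (yourhostname.com)	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 110/open/tcp//pop3///
# Nmap done -- 1 IP address (1 host up) scanned in 0.20 seconds'

# check_ports "ALLOWLIST": reads grepable nmap output on stdin and prints one
# line per deviation. Returns 1 if any deviation was found, 0 otherwise.
check_ports() {
    expected=$1
    # The Host line carries "Ports: 22/open/tcp//ssh///, ..."; split the list
    # on commas and keep the port number of every entry in state "open".
    open=$(sed -n 's/^Host:.*Ports: //p' | tr ',' '\n' |
           sed -n 's@^ *\([0-9][0-9]*\)/open/.*@\1@p' | tr '\n' ' ')
    rc=0
    for p in $open; do
        case " $expected " in
            *" $p "*) ;;
            *) echo "ALERT: port $p is open but not in the allowlist"; rc=1 ;;
        esac
    done
    for p in $expected; do
        case " $open " in
            *" $p "*) ;;
            *) echo "ALERT: port $p should be open but is not"; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on the constructed sample: reports the unexpected port 110.
printf '%s\n' "$SAMPLE_SCAN" | check_ports "$EXPECTED_OPEN" ||
    echo "firewall deviates from policy"

# Real use from cron, e.g. "checkFirewall.sh yourhostname.com": scan, and
# mail the report only when it is non-empty, as the post's script does.
if [ -n "${1:-}" ]; then
    REPORT=$(mktemp) || exit 1
    /usr/local/bin/nmap -Pn -p 22,80,110 -oG - "$1" | check_ports "$EXPECTED_OPEN" > "$REPORT"
    [ -s "$REPORT" ] && mailx -s "firewall deviation on $1" youremail@youremailhost.com < "$REPORT"
    rm -f "$REPORT"
fi
```

Because the allowlist is compared in both directions, the same cron job also tells you when a service that should be reachable has gone silent, which is usually the first sign of a firewall rule applied too broadly.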

05 Feb 12

Convert Java Properties to Shell Environment Variables

This page describes how to convert java properties to shell environment
variables.

It is helpful to allow shell scripts to share project configuration files with
java programs.

Requirements

  • Unix or Cygwin
  • Bourne shell or Bash

The following script converts key=value pairs into environment variables: it replaces the . in keys with _ and single-quotes the values so they can be used as shell variables.

vi makeconfig.sh

#!/bin/sh
#
# This script is responsible for generating the setEnv.sh script
# based on the information inside env.properties

# run this file after updating env.properties

if [ $# -ne 1 ] || [ ! -f "$1" ] ; then
    echo "usage: "
    echo "    $0 [property file] > setEnv.sh"
    printf '\nExiting.\n'
    exit 1
fi

# temporary files; mktemp avoids clobbering a fixed name in the home directory
TMPFILE=$(mktemp) || exit 1
TMPFILE2=$(mktemp) || exit 1
trap 'rm -f "$TMPFILE" "$TMPFILE2"' EXIT

echo "#!/bin/sh"

# drop comment lines and blank lines
grep -v "^#" "$1" | sed -e '/^$/d' > "$TMPFILE"

# escape the keys and values so they are shell friendly: dots in keys become
# underscores, values are single-quoted with any embedded ' rewritten as '"'"'

while IFS= read -r curline; do
    key=$(printf '%s\n' "$curline" | cut -d= -f1 | tr '.' '_')
    # -f2- keeps everything after the first '=', so values may contain '='
    value=$(printf '%s\n' "$curline" | cut -d= -f2- | sed "s/'/'\"'\"'/g")
    printf "%s='%s'\n" "$key" "$value" >> "$TMPFILE2"
done < "$TMPFILE"

while IFS= read -r curline; do
    echo "export $curline"
done < "$TMPFILE2"

env.properties

# Main Environment Config file
# remember to run bin/makeconfig.sh after editing this file.

testspace=test space
testsinglequote=test'one'two'three
testdoublequote=test"one"two"three
testdollar=testing$one$two$three
testsingledouble=single'quote'double"quote"

Run the script

The following generates the setEnv.sh shell script.

chmod +x makeconfig.sh test.sh
./makeconfig.sh env.properties > setEnv.sh
./test.sh

The following imports the script and outputs a few tests to the console.

vi test.sh

#!/bin/sh

# setEnv.sh is generated into the current directory by makeconfig.sh
. ./setEnv.sh

echo "$testspace"
echo "$testsinglequote"
echo "$testdoublequote"
echo "$testdollar"
echo "$testsingledouble"

The output should look something like this…

test space
test'one'two'three
test"one"two"three
testing$one$two$three
single'quote'double"quote"
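As an added example (not the post's own script), the following function does the same conversion and then verifies the round trip by loading the generated export lines back into the shell. It differs from the script above in three ways: a value is split at the first = only, so values such as JDBC URLs may contain =; a key that is not a valid shell identifier after the dot-to-underscore rewrite is skipped rather than written into a line that would be executed when the output is sourced; and no temporary files are used. The property names and values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: convert Java-style properties to
# "export KEY='value'" lines and verify the round trip.

# Constructed sample env.properties (keys and values are made up).
SAMPLE_PROPS=$(cat <<'EOF'
# Main Environment Config file
db.host=localhost
jdbc.url=jdbc:mysql://localhost/db?useSSL=true
greeting=it's a $test, "quoted"
bad-key=never exported
EOF
)

# props_to_exports: reads key=value lines on stdin, prints export lines.
props_to_exports() {
    grep -v '^#' | sed '/^[[:space:]]*$/d' | while IFS= read -r line; do
        key=${line%%=*}                 # text before the first "="
        value=${line#*=}                # everything after the first "="
        key=$(printf '%s\n' "$key" | tr '.' '_')
        # Only identifiers may become variables; anything else could smuggle
        # shell syntax into the generated file that is later sourced.
        case $key in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "skipping key that is not a shell identifier: $key" >&2
                continue ;;
        esac
        # Inside single quotes only the single quote itself is special: close
        # the string, add a double-quoted quote, and reopen it.
        value=$(printf '%s\n' "$value" | sed "s/'/'\"'\"'/g")
        printf "export %s='%s'\n" "$key" "$value"
    done
}

# Demonstration: generate the export lines, load them into this shell, and
# print the values back; they equal the originals byte for byte.
eval "$(printf '%s\n' "$SAMPLE_PROPS" | props_to_exports)"
printf '%s\n' "$db_host" "$jdbc_url" "$greeting"
```

The identifier check matters because the generated file is sourced with `.`: a property file is configuration, and anything it can put on an `export` line runs with the privileges of whatever script sources it.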

16 Jan 12

UPS configuration on FreeBSD 8.2

This page describes the process of configuring an APC Back-UPS Uninterruptible Power Supply (UPS) on FreeBSD.

Hardware/Software

  • APC Back-UPS BX1000G
  • FreeBSD port: apcupsd 3.14.8_2
  • FreeBSD 8.2
  • USB connection cable to the UPS

Installation

 
cd /usr/ports/sysutils/apcupsd
make config

  ┌────────────────────────────────────────────────────────────────────┐
  │                   Options for apcupsd 3.14.8_2                     │  
  │ ┌────────────────────────────────────────────────────────────────┐ │  
  │ │[ ] APCSMART_DRV  Compile APC SmartUPS serial driver            │ │  
  │ │[X] APCDUMB_DRV   Compile dumb UPS driver                       │ │  
  │ │[ ] CLIENT_ONLY   Only NIS client (no network server or drivers)│ │  
  │ │[ ] CGI           Compile with CGI programms to show status     │ │  
  │ │[X] PCNET_DRV     Compile PowerChute Network Shutdown driver    │ │  
  │ │[X] USB           Compile with USB Support driver               │ │  
  │ │[ ] SNMP_DRV      Compile with SNMP driver                      │ │  
  │ │[ ] SNMP_DRV_OLD  Compile with old SNMP driver                  │ │  
  │ │[ ] TCP_WRAPPERS  Compile with TCP_WRAPPERS support             │ │  
  │ │[ ] TEST_DRV      Compile TEST driver                           │ │  
  │ │[ ] GAPCMON       Build GTK GUI front-end                       │ │  
  │ │                                                                │ │  
  │ │                                                                │ │  
  │ │                                                                │ │  
  │ │                                                                │ │  
  ├─└────────────────────────────────────────────────────────────────┘─┤  
  │                       [  OK  ]       Cancel                        │  
  └────────────────────────────────────────────────────────────────────┘  


make install clean

Configuration

The following are the changes to my configuration file in diff format.

diff -u /usr/local/etc/apcupsd/apcupsd.conf.sample /usr/local/etc/apcupsd/apcupsd.conf

 
--- /usr/local/etc/apcupsd/apcupsd.conf.sample	2012-01-16 00:47:17.000000000 -0500
+++ /usr/local/etc/apcupsd/apcupsd.conf	2012-01-16 00:52:10.000000000 -0500
@@ -26,7 +26,7 @@
 #     940-1524C, 940-0024G, 940-0095A, 940-0095B,
 #     940-0095C, M-04-02-2000
 #
-UPSCABLE smart
+UPSCABLE usb
 
 # To get apcupsd to work, in addition to defining the cable
 # above, you must also define a UPSTYPE, which corresponds to
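Review bot: the `UPSCABLE usb` value set here only takes effect together with `UPSTYPE usb` in the next hunk, and the comment block directly above this line still documents only the serial cable part numbers; a one-line comment noting that `usb` is the value for the USB cable support selected in the port's build options would save the next reader a search through the sample file.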
@@ -73,8 +73,8 @@
 #                            passphrase are the credentials for which the card 
 #                            has been configured.
 #
-UPSTYPE apcsmart
-DEVICE /dev/usv
+UPSTYPE usb
+#DEVICE /dev/usv
 
 # POLLTIME <int>
 #   Interval (in seconds) at which apcupsd polls the UPS for status. This
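Review bot: commenting out `DEVICE /dev/usv` instead of giving a device path leaves apcupsd to auto-detect the USB UPS, which is the intended setting for `UPSTYPE usb`; say so in a comment next to the `#DEVICE` line so a later reader does not "fix" it by putting a device node back. The `TIMEOUT 60` change used for the shutdown test later on this page is rightly absent from this diff, since it is meant to be reverted after testing.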

Start-up Configuration

vi /etc/rc.conf

apcupsd_enable="YES"

Start services

Manually start all services (or reboot):

/usr/local/etc/rc.d/apcupsd start

Check UPS Status

apcaccess status

The output should look something like this…

APC      : 001,037,0944
DATE     : 2012-01-16 00:56:22 -0500  
HOSTNAME : prod.xxxx.com
VERSION  : 3.14.8 (16 January 2010) freebsd
UPSNAME  : prod.xxxx.com
CABLE    : USB Cable
MODEL    : Back-UPS BX1000G 
UPSMODE  : Stand Alone
STARTTIME: 2012-01-16 00:54:18 -0500  
STATUS   : ONLINE 
LINEV    : 123.0 Volts
LOADPCT  :  31.0 Percent Load Capacity
BCHARGE  : 100.0 Percent
TIMELEFT :  26.9 Minutes
MBATTCHG : 5 Percent
MINTIMEL : 3 Minutes
MAXTIME  : 0 Seconds
SENSE    : Medium
LOTRANS  : 088.0 Volts
HITRANS  : 139.0 Volts
ALARMDEL : Always
BATTV    : 27.2 Volts
LASTXFER : No transfers since turnon
NUMXFERS : 0
TONBATT  : 0 seconds
CUMONBATT: 0 seconds
XOFFBATT : N/A
SELFTEST : NO
STATFLAG : 0x07000008 Status Flag
MANDATE  : 2011-10-02
SERIALNO : 3B1140X37672  
BATTDATE : 2011-10-02
NOMINV   : 120 Volts
NOMBATTV :  24.0 Volts
NOMPOWER : 600 Watts
FIRMWARE : 869.L2 .D USB FW:L2
APCMODEL : Back-UPS BX1000G 
END APC  : 2012-01-16 00:56:24 -0500  

Testing the UPS

Testing the UPS involves actually pulling the cord and observing the system gracefully shut down.

Procedure

  1. Edit /usr/local/etc/apcupsd/apcupsd.conf and set TIMEOUT 60. This makes the system shut down 60 seconds after the power is cut; testing this way avoids wearing down the battery.
  2. Restart the daemon (/usr/local/etc/rc.d/apcupsd restart).
  3. Pull the plug; 60 seconds later the system should initiate the shutdown.
  4. Restore the power to the system. After the system comes back, look for clues of a successful shutdown. On my server, after the system comes back, I look at /var/messages and the MySQL logs, since they indicate when they have been shut down successfully. Compare the output with the output of previous shutdowns.

Here is the output of my test:

After pulling the cord I got the following message on the console.

Broadcast Message from xxx@prod.xxxx.com                               
        (no tty) at 11:29 EST...                                               
                                                                               
Power failure. Running on UPS batteries.    

A minute later:

Broadcast Message from xxxx@prod.xxxx.com                               
        (no tty) at 11:30 EST...                                               
                                                                               
UPS battery runtime limit exceeded. Doing shutdown.                            
                                                                               
                                                                               
Broadcast Message from xxxx@prod.xxxx.com                               
        (no tty) at 11:30 EST...                                               
                                                                               
Beginning Shutdown Sequence                                                                               
                                                                               
*** FINAL System shutdown message from xxxx@prod.xxxx.com ***         
System going down IMMEDIATELY                                                  
                                                                               
apcupsd initiated shutdown

After the system came back I got the following in /var/messages:

Jan 16 11:29:09 prod apcupsd[3062]: Power failure.
Jan 16 11:29:15 prod apcupsd[3062]: Running on UPS batteries.
Jan 16 11:30:16 prod apcupsd[3062]: Reached run time limit on batteries.
Jan 16 11:30:16 prod apcupsd[3062]: Initiating system shutdown!
Jan 16 11:30:16 prod apcupsd[3062]: User logins prohibited
Jan 16 11:30:16 prod apcupsd[3062]: Attempting to kill the UPS power!
Jan 16 11:30:16 prod shutdown: halt by xxxx: apcupsd initiated shutdown
Jan 16 11:30:25 prod squid[1375]: Squid Parent: child process 1377 exited with status 0
Jan 16 11:30:32 prod apcupsd[3062]: apcupsd exiting, signal 15
Jan 16 11:30:32 prod apcupsd[3062]: apcupsd shutdown succeeded
Jan 16 11:30:33 prod syslogd: exiting on signal 15

Looks like everything is in order… After your test is complete, don’t forget to restore the TIMEOUT value to the original.

Leave a small note below with the make and model of your UPS and version of FreeBSD to let me know it worked for you!

Thanks.

References:

This page is a variation of a page originally written by Julien Gabel back in 2006: http://blog.thilelli.net/post/2006/07/09/Configuring-an-APC-Back-UPS-RS-800VA

02 Dec 11

sudo on ubuntu without password

The following tip lets you run the sudo command on Ubuntu without being asked for a password. This actually came in handy because I needed to run a command from a non-interactive shell script. It wasn’t working because the script was expecting the user to enter the root password.

I know there probably is a better solution to running commands that require root from shell scripts but for now this will do.

sudo vi /etc/sudoers

Add the following line to the bottom of the file. (replace username with your own)

username ALL=(ALL) NOPASSWD: ALL

Please comment below if you know of a better way.
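As an added example (not from the post), here is the narrower form of the same trick: a rule that grants passwordless sudo for one specific command rather than `NOPASSWD: ALL`, built by a small function that insists on an absolute command path (sudoers matches commands by full path) and installed as a drop-in file only after `visudo -c` accepts it. The user name `deploy`, the command and the file name are placeholders; Ubuntu's default sudoers includes the /etc/sudoers.d directory.

```shell
#!/bin/sh
# Added example, not from the original post: instead of "NOPASSWD: ALL",
# build a sudoers rule that grants passwordless sudo for exactly one command,
# and syntax-check it with visudo before it is installed. The user "deploy"
# and the command are placeholders.

# nopasswd_rule USER /ABSOLUTE/COMMAND [ARGS...]
# Prints one sudoers line. sudoers matches the command by absolute path, so a
# bare command name is rejected: it would never match, or would match
# whichever binary of that name sits first on the invoking user's PATH.
nopasswd_rule() {
    user=$1; shift
    case $1 in
        /*) ;;
        *)  echo "refusing non-absolute command path: $1" >&2; return 1 ;;
    esac
    [ -x "$1" ] || echo "warning: $1 is not an executable file on this host" >&2
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$*"
}

# install_rule FILE USER /ABSOLUTE/COMMAND [ARGS...]
# Writes the rule to FILE with the mode sudo expects and validates it with
# "visudo -c -f"; a rejected file is removed so it can never be included.
install_rule() {
    file=$1; shift
    nopasswd_rule "$@" > "$file" || { rm -f "$file"; return 1; }
    chmod 0440 "$file"
    visudo -c -f "$file" || { rm -f "$file"; return 1; }
}

# The post's rule, for comparison: any command, as any user, without a password.
#   username ALL=(ALL) NOPASSWD: ALL
# The scoped rule produced here:
nopasswd_rule deploy /usr/sbin/service nginx reload
# To install it (as root):
#   install_rule /etc/sudoers.d/deploy-nginx deploy /usr/sbin/service nginx reload
```

The script that needed root then runs just that one command through sudo; everything else it does still runs as the unprivileged user, which is what limits the damage if the script itself is ever subverted.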

01 Dec 11

Fake SMTP Server

The following page just contains a link to a nice Fake SMTP server that can be used to test email client software. The server does not send out any email. It just presents an interface for client software to connect and post email messages.

The original JavaWorld Article describing this project is posted here.

The project has since been forked and a newer version of the software is available here: SMTP server Git Hub Repository URL

The SMTP server is also a good baseline from which to start:

  1. a new project that implements your own custom protocol.
  2. to learn about server side multi-threading
  3. to implement a server using Java

The older, original version of the project is hosted at the following URL:

http://quintanasoft.com/dumbster/

30 Nov 11

Configuring TCSH with command line search on Ubuntu

Ubuntu lacks the rich command line search functionality present in FreeBSD tcsh shell. This page describes how to get that back by installing and configuring tcsh on Ubuntu.

Background

tcsh is a pretty good shell. If you log in to the root account on FreeBSD you will notice that the command history search is pretty powerful. The following are the instructions for getting the shell configured on Ubuntu.

Procedure

  1. The first step is to install tcsh. (Google for the instructions on how to get this installed) Based on my experience the command is: sudo apt-get install tcsh
  2. At this moment I would keep one terminal screen open to make sure you don’t lock yourself out.
  3. Next we will modify/create a /etc/csh.cshrc file.
  4. # /etc/csh.cshrc: system-wide .cshrc file for csh(1) and tcsh(1)
    
    if ($?tcsh && $?prompt) then
    
            bindkey "\e[1~" beginning-of-line # Home
            bindkey "\e[7~" beginning-of-line # Home rxvt
            bindkey "\e[2~" overwrite-mode    # Ins
            bindkey "\e[3~" delete-char       # Delete
            bindkey "\e[4~" end-of-line       # End
            bindkey "\e[8~" end-of-line       # End rxvt
    
            bindkey "^W" backward-delete-word
            bindkey -k up history-search-backward
            bindkey -k down history-search-forward
    
            set autoexpand
            set autolist
            set prompt = '[%B%m%b] %B%~%b%# '
    endif
    

  5. Next we change the login shell for a test user on your system.
  6. Login to the box using that test user and you should be able to see the difference.

Let me know if it worked for you by entering a comment below.

Thanks!

27 Nov 11

Uninstalling Leaf Ports

This page describes the process of uninstalling ports that have no other ports depending on them. Such ports are called leaves. This is the first place to start when analysing the system to remove software that is no longer used as a dependency for anything else.

Requirements

  • FreeBSD box with access to root account

Procedure

A nice tool to help automate this task is available from the ports-mgmt/pkg_cutleaves port.

Install the software and read the man page.

The typical options I use when using this port are:

-g – generate or merge exclude list when complete
-R – auto prune newly created leaves
-x – tells the program to use the exclude file.

Exclude file is kept here: /usr/local/etc/pkg_leaves.exclude

If I just want the program to list the leaves, I use

-l – list leaves only.

26 Nov 11

Displaying Perl Program Usage Information

This page shows how to validate Perl program arguments, print command line usage, and generate a man page. It is also a good starting point for a blank Perl template.

The Program

The following program is annotated with the POD tokens that let the Pod::Usage module provide the features listed above.

#!/usr/bin/perl -w

use Getopt::Long;
use Pod::Usage;

my $man = 0;
my $help = 0;
## Parse options and print usage if there is a syntax error,
## or if usage was explicitly requested.
GetOptions('help|?' => \$help, man => \$man) or pod2usage(2);
pod2usage(1) if $help;
pod2usage(-verbose => 2) if $man;

## If no arguments were given, then allow STDIN to be used only
## if it's not connected to a terminal (otherwise print usage)
pod2usage("$0: No files given.") if ((@ARGV == 0) && (-t STDIN));
__END__

=head1 NAME

sample - Using GetOpt::Long and Pod::Usage

=head1 SYNOPSIS

sample [options] [file ...]

=head1 OPTIONS

=over 8

=item B<-help>

Print a brief help message and exits.

=item B<-man>

Prints the manual page and exits.

=back

=head1 DESCRIPTION

B<This program> will read the given input file(s) and do something
useful with the contents thereof.

=cut

Parameter Validation

./test.pl

Print Help Information

./test.pl -help

PERL Doc

If you have perldoc installed on your system, type:

./test.pl -man

or

perldoc -T test.pl

The following is what the output looks like.

TEST(1)               User Contributed Perl Documentation              TEST(1)



NAME
       sample - Using GetOpt::Long and Pod::Usage

SYNOPSIS
       sample [options] [file ...]

OPTIONS
       -help   Print a brief help message and exits.

       -man    Prints the manual page and exits.

DESCRIPTION
       This program will read the given input file(s) and do something useful
       with the contents thereof.



perl v5.10.1                      2011-11-26                           TEST(1)

24 Nov 11

Installing a Fake DNS Server

This page describes the process of installing DNSHijacker on your FreeBSD machine so that it can respond to requests with a specified answer.

Background

Faking DNS responses can be handy when creating a walled garden, blocking pop-ups, or doing IT information security analysis.

Process

The DNS Hijacker application is available as a port.

cd /usr/ports/dns/dnshijacker
make install clean
rehash

The following command line will run the DNS server and respond with 127.0.0.1 to all DNS queries. Specify -z to run it as a daemon.

dnshijacker -d 127.0.0.1 -i lo0

The answers are static. They can be specified as a command line argument or in a tab-delimited file.

Run a test query using dig:

virtual# dig @localhost ftp.freebsd.org
; <<>> DiG 9.6.-ESV-R3 <<>> @localhost ftp.freebsd.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37226
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.freebsd.org.		IN	A

;; ANSWER SECTION:
ftp.freebsd.org.	0	IN	A	127.0.0.1

;; Query time: 204 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 23 21:37:49 2011
;; MSG SIZE  rcvd: 64

12 Nov 11

Mysql Backup and Restore procedures

This page describes techniques for backing up and restoring data in a MySQL database. It starts with a simple scenario for backing up data on an inactive or read-only database and moves on to more advanced examples of backing up data on an active database.

For the purposes of this example we will use a MySQL database located on a FreeBSD system. However, these procedures should work fine for databases located on Windows (using Cygwin) as well.

Backup Types

  1. Text format backups: made with the mysqldump command. They create a text file with all the commands necessary for re-creating the database. This type of backup can be done while the server is running, but in read-only mode.
  2. Binary format backups: made with standard archival tools such as cp, tar and gzip. These backups are more compact and quicker to make. This type of operation requires that the server be shut down.

Text Backup

Step 1 is to make the server read-only:

FLUSH TABLES WITH READ LOCK;
SET GLOBAL read_only = ON;

Create the backup using the following command:

mysqldump --all-databases | gzip > output.txt.gz

To make the server read-write issue the following commands.

SET GLOBAL read_only = OFF;
UNLOCK TABLES;

Binary Backups

Binary backups require that you shut down the MySQL server. To shut down the MySQL server on FreeBSD, issue the following command:

/usr/local/etc/rc.d/mysql-server stop

Once the server is stopped you can copy the complete database over to another disk or tape. Once the copy is complete you can start the database server by issuing the following command:

/usr/local/etc/rc.d/mysql-server start
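As an added example (not from the post), the following script turns the binary backup above into a round trip that can be verified: it stops the server, refuses to copy if a pid file shows mysqld is still running, archives the data directory, records a checksum, restarts the server, and on restore checks the archive against that checksum before replacing the data directory. The stop and start commands default to the FreeBSD rc script used in the post but can be passed in, which is how the demonstration runs against a scratch directory with no server present; the directory and file names are placeholders. One note on the text backup: FLUSH TABLES WITH READ LOCK belongs to the client session that issued it and is released when that session disconnects, so that lock must stay held in one session while mysqldump runs in another; stopping the server, as below, needs no such coordination.

```shell
#!/bin/sh
# Added example, not from the original post: binary backup and restore of a
# MySQL data directory as a verifiable round trip. Paths are placeholders.

MYSQL_STOP="/usr/local/etc/rc.d/mysql-server stop"
MYSQL_START="/usr/local/etc/rc.d/mysql-server start"

# backup_datadir DATADIR ARCHIVE [STOP_CMD] [START_CMD]
# Stops the server, archives DATADIR into ARCHIVE (tar.gz) and writes a
# checksum beside it, then starts the server again even if tar failed.
backup_datadir() {
    datadir=$1; archive=$2; stop=${3:-$MYSQL_STOP}; start=${4:-$MYSQL_START}
    $stop || return 1
    # A copy taken while mysqld still has the files open is not a consistent
    # backup, so refuse if a pid file is still present in the data directory.
    for pidfile in "$datadir"/*.pid; do
        if [ -e "$pidfile" ]; then
            echo "server still running ($pidfile present), aborting" >&2
            $start; return 1
        fi
    done
    tar -C "$(dirname "$datadir")" -czf "$archive" "$(basename "$datadir")"
    rc=$?
    $start
    [ $rc -eq 0 ] || return 1
    cksum < "$archive" > "$archive.cksum"
}

# restore_datadir DATADIR ARCHIVE [STOP_CMD] [START_CMD]
# Verifies the archive against the checksum recorded at backup time, then
# replaces DATADIR with the archived copy and starts the server.
restore_datadir() {
    datadir=$1; archive=$2; stop=${3:-$MYSQL_STOP}; start=${4:-$MYSQL_START}
    if [ "$(cksum < "$archive")" != "$(cat "$archive.cksum")" ]; then
        echo "checksum mismatch: $archive is not the file that was backed up" >&2
        return 1
    fi
    $stop || return 1
    rm -rf "$datadir"
    tar -C "$(dirname "$datadir")" -xzf "$archive" || return 1
    $start
}

# Demonstration on a scratch directory with "true" standing in for the rc
# script: back up, destroy the data directory, restore, and read it back.
SCRATCH=$(mktemp -d) || exit 1
mkdir -p "$SCRATCH/mysql/shop"
echo "constructed table data" > "$SCRATCH/mysql/shop/orders.MYD"
backup_datadir "$SCRATCH/mysql" "$SCRATCH/mysql-backup.tgz" true true
rm -rf "$SCRATCH/mysql"
restore_datadir "$SCRATCH/mysql" "$SCRATCH/mysql-backup.tgz" true true
cat "$SCRATCH/mysql/shop/orders.MYD"
rm -rf "$SCRATCH"
```

The checksum file is a cheap guard against restoring a truncated or altered copy off tape; a backup that has never been restored is only a hypothesis, so run the round trip against a copy before relying on it.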

Backing up data on an active or live database

This type of backup is more challenging since we will be performing a backup on a database that is actively being used. To get this done, review the following tutorial on setting up MySQL data replication.

Once replication is set up, all that needs to be done is to shut down the slave server, perform the backup on its data, and bring the server back up. The slave server will sync with the master and get all the updates it missed while the backup was taking place.
