Archive for July, 2004
SSH scanning
It’s a weekend, I know, but I can’t resist checking on Maui and opapa.
I was checking the logs on opapa when I noticed login failures using accounts like ‘test’ and ‘user’. Hmmm… These aren’t standard Linux accounts. And no one else has SSH privileges on opapa. So I checked and did a whois on the culprit host. Traced it back to an ISP in Korea. Something’s afoot.
Turns out this incident is similar to those happening worldwide. In the security mailing lists I subscribe to, similar incidents have been cropping up. The recommended solution was to harden SSH.
Already done that: no root logins. But that’s not enough. Would have to implement RSA key logins. And notify the Boss, too.
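As an added illustration, not code from the original post: a small bash script that covers both halves of this entry from the defender's side. The first part summarises failed sshd logins by source address and lists the non-existent account names that were tried (the ‘test’ and ‘user’ pattern above); the second checks an sshd_config for the hardening mentioned, root logins off and key-only logins. The log lines, config snippets, user name and addresses are constructed samples, and the config check assumes a POSIX awk and the plain "Keyword value" form of sshd_config lines.

```shell
#!/bin/bash
# Added example, not from the original post. Constructed auth log lines
# and sshd_config snippets; addresses are from the 192.0.2.0/24
# documentation range and the user name is made up.
set -e

# Constructed auth log excerpt in the OpenSSH log format of the period.
SAMPLE_AUTH_LOG='Jul 24 03:12:01 opapa sshd[2201]: Failed password for illegal user test from 192.0.2.77 port 3456 ssh2
Jul 24 03:12:04 opapa sshd[2203]: Failed password for illegal user user from 192.0.2.77 port 3457 ssh2
Jul 24 03:12:09 opapa sshd[2205]: Failed password for illegal user guest from 192.0.2.77 port 3458 ssh2
Jul 24 03:13:11 opapa sshd[2209]: Failed password for root from 192.0.2.77 port 3460 ssh2
Jul 24 08:02:30 opapa sshd[2301]: Accepted publickey for ian from 192.0.2.10 port 40122 ssh2
Jul 24 08:05:02 opapa sshd[2305]: Failed password for illegal user test from 192.0.2.91 port 1122 ssh2'

# Print "count source" for each source address with failed logins, busiest first.
failed_by_source() {  # $1 = log text
    printf '%s\n' "$1" \
        | awk '/Failed password for/ {
                   for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
               }
               END { for (s in n) print n[s], s }' \
        | sort -rn
}

# Print the distinct account names tried that do not exist on the host.
# OpenSSH of the time logged "illegal user"; later versions say "invalid user".
invalid_accounts() {  # $1 = log text
    printf '%s\n' "$1" \
        | awk '/Failed password for (illegal|invalid) user/ {
                   for (i = 1; i <= NF; i++) if ($i == "user") { print $(i+1); break }
               }' \
        | sort -u
}

# Constructed sshd_config snippets: the state described in the post (root
# logins already off) and the hardened target (password logins off, keys on).
CONFIG_BEFORE='# sshd_config
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes'
CONFIG_AFTER='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Value of a keyword as sshd reads it: the first non-comment occurrence wins
# and keyword matching is case-insensitive. Handles "Keyword value" lines only.
sshd_value() {  # $1 = config text, $2 = keyword
    printf '%s\n' "$1" \
        | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
              '$1 !~ /^#/ && tolower($1) == k { print $2; exit }'
}

# Report each recommended setting that is missing or wrong; an unset keyword
# counts as not hardened. Returns 0 only when all three are as expected.
check_sshd_hardening() {  # $1 = config text
    local cfg="$1" bad=0 pair kw want got
    for pair in PermitRootLogin:no PasswordAuthentication:no PubkeyAuthentication:yes
    do
        kw=${pair%%:*}
        want=${pair##*:}
        got=$(sshd_value "$cfg" "$kw")
        if [ "$got" != "$want" ]
        then
            echo "$kw is '${got:-unset}', expected '$want'"
            bad=1
        fi
    done
    return "$bad"
}

demo() {
    echo "Failed logins by source:"
    failed_by_source "$SAMPLE_AUTH_LOG"
    echo "Non-existent accounts tried: $(invalid_accounts "$SAMPLE_AUTH_LOG" | tr '\n' ' ')"
    echo "Current config:"
    check_sshd_hardening "$CONFIG_BEFORE" || true
    echo "Hardened config:"
    check_sshd_hardening "$CONFIG_AFTER" && echo "all recommended settings present"
}
demo
```

To run it against a real log, replace the constructed text with `"$(cat /var/log/auth.log)"` or whatever file the distribution's syslog sends sshd messages to; the two awk filters key only on the "Failed password for ... from ..." wording, so they are indifferent to the date and host fields in front of it.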
Shorter cut
With *nix, there’s always a better way. As I was browsing the mailing lists, I came across an interesting thread about piping the output of find to tar through xargs.
for...in...`seq... code block.
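The find-to-tar-through-xargs idea from that thread, written out as an added example (not the thread's code and not from the original post): it archives the ddMMYYYY-ddMMYYYY report directories described in the Managing SARG entry on this page with no date arithmetic at all, and shows the two details the pattern needs to stay correct, null-delimited names and append mode. It assumes GNU find, xargs, tar and gzip; the report directories it creates are constructed samples.

```shell
#!/bin/bash
# Added example (not from the original post): archive SARG report
# directories with find | xargs | tar instead of a for/seq loop.
# Assumes GNU find, xargs, tar and gzip; the directory names are
# constructed to match the ddMMYYYY-ddMMYYYY layout the post describes.
set -e

# Create a scratch tree of constructed sample report directories.
# One name contains a space, to show why null-delimited piping matters.
make_sample_reports() {
    local base="$1" d
    for d in 26072004 27072004 28072004; do
        mkdir -p "$base/${d}-${d}"
        printf '<html>constructed report %s</html>\n' "$d" > "$base/${d}-${d}/index.html"
    done
    mkdir -p "$base/old reports"
    printf '<html>old</html>\n' > "$base/old reports/index.html"
}

# Archive every directory directly under $1 whose name matches glob $2
# into $1/$3.tar.gz, and print that path.
archive_dirs() {
    local base="$1" pattern="$2" name="$3"
    (
        cd "$base"
        rm -f "${name}.tar" "${name}.tar.gz"
        # Start from an empty archive so tar -r (append) always has a file to append to.
        tar -cf "${name}.tar" -T /dev/null
        # -print0 / -0: names with spaces or newlines survive the pipe.
        # tar -r (append) rather than -c: if xargs splits a long list into
        # several tar runs, -c would overwrite the archive each time.
        # xargs -r: do not run tar at all when find matched nothing.
        find . -mindepth 1 -maxdepth 1 -type d -name "$pattern" -print0 \
            | xargs -0 -r tar -rf "${name}.tar"
        gzip -9 "${name}.tar"
    )
    echo "$base/${name}.tar.gz"
}

# Count top-level directories stored in an archive (entries like ./X/).
count_dirs() {  # $1 = archive path
    tar -tzf "$1" | grep -c '^\./[^/]*/$'
}

# Succeed if an exact member path is present in the archive.
has_member() {  # $1 = archive path, $2 = member path
    tar -tzf "$1" | grep -qxF "$2"
}

demo() {
    local work month all
    work=$(mktemp -d)
    make_sample_reports "$work"
    month=$(archive_dirs "$work" '*072004-*072004' 'july2004')
    all=$(archive_dirs "$work" '*' 'everything')
    echo "July archive holds $(count_dirs "$month") report directories"
    echo "Unfiltered archive holds $(count_dirs "$all") directories"
    rm -rf "$work"
}
demo
```

The glob passed to -name does the job that the day/month/year arguments and the seq loop do in the script further down the page; `'*072004-*072004'` selects a whole month, and a narrower pattern selects a single day.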
Routine admin tasks
SARG is running smoothly on Maui, spewing out HTML reports like clockwork.
Since Maui doesn’t have a web server, I had to download the SARG reports to my workstation for viewing, but not before tarring and gzipping these huge files first. (See my coredump entry.)
Noticed a few anomalous user accesses on weekends from user accounts that are supposedly not present during those times. Hmm… Sharing of passwords? Would have to take that up with the Boss.
I would have wanted to correlate user IDs with IP addresses. Problem is, the proxy resides in the DMZ, and all traffic from the LAN is NATted in the firewall. Solution: place the proxy behind the firewall, in the LAN segment.
Installed Mandrake 9.2 on my workstation. Not to my liking. Went back to booting from the Damn Small Linux CD.
Managing SARG
One of my tasks in my new job is to monitor network usage, including internet access. The workplace implements Webmin authentication for the Squid proxy, i.e., users have to give their usernames and passwords before being allowed to access the internet.
Lately, though, there have been reports of password-sharing and visiting of banned (read: pr0n and warez) sites. Monitoring was limited to user authentication, so in this case it wasn’t enough. SARG to the rescue. I configured SARG to generate daily, weekly and monthly reports. I was surprised, though, at the sizes of the files it generated. Besides, I had no way of displaying the reports because the proxy server did not have a web server, or even a browser. I also did not have physical access to the server, only SSH. SARG was configured to output the daily reports to my home directory. From there, I could view individual HTML files, but after a while this became cumbersome. So I thought: why not write a script to compress the outputs and have the gzip’d files mailed to me? Hence, this script:
#!/bin/bash
#
# This script compresses daily reports
# generated by SARG.
# Created 28 July 2004 by iandexter[at]gmail[dot]com
#
# Program paths
TAR=/bin/tar
GZIP=/bin/gzip

# Require all four arguments.
if [ $# -ne 4 ]
then
    echo "Usage: $0 first_day last_day month year" >&2
    exit 1
fi

# I have to tar the files in their respective
# directories first so the paths
# from the SARG-generated "index.html" are preserved.
echo "Compressing sarg.daily reports..."

# Get the input dates from the command line. Swap the days
# if they were given in the wrong order.
first_day=$1
last_day=$2
month=$3
year=$4

# This is specific to my configuration: the output
# directories are in the form,
# ddMMYYYY-ddMMYYYY
if [ "$first_day" -gt "$last_day" ]
then
    tmp=$first_day
    first_day=$last_day
    last_day=$tmp
fi

# Run through the dates
for i in `seq $first_day 1 $last_day`
do
    tar_file=${i}${month}${year}
    dir=${tar_file}-${tar_file}
    # Tar the directory, then gzip the finished archive. (Piping tar's
    # output into gzip here raced gzip against a half-written tar file;
    # running them in sequence produces ${tar_file}.tar.gz reliably.)
    $TAR -cf "${tar_file}.tar" "${dir}/" && $GZIP -9 "${tar_file}.tar"
done
echo "Done."
(chmod u+x the script.)
Ready to get stolen
Here’s an update on the antipixel-type buttons I posted here: they’re now part of gtmcknight.com’s “More buttons to steal”. W00t! So go ahead, steal them already.
