Add comments to IPTables firewall rules
Instead of just documenting the IPTables configuration file eg: /etc/sysconfig/iptables with comments (#’s) you can also input comments as part of the ruleset itself. So when you perform iptables -L -v -n you get the following output:
root@server070:[~]: iptables -L -v -n Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 64M 4727M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 5 474 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 202K 27M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 16 880 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 137M 38G ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 /* Syslog traffic */ 28 1664 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:514 /* Syslog traffic */ 41067 2050K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9997 /* Universal Forwarder traffic */ 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089 /* Splunk SSL traffic */ 47 2564 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 /* Splunk web interface */ 14135 1313K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: ' 218K 21M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
All that you need to do use the following example in your configuration file:
root@server070:[~]: cat /etc/sysconfig/iptables *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p udp -m udp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT -A INPUT -p tcp -m tcp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT -A INPUT -p tcp -m tcp --dport 9997 -m comment --comment "Universal Forwarder traffic" -j ACCEPT -A INPUT -p tcp -m tcp --dport 8089 -m comment --comment "Splunk SSL traffic" -j ACCEPT -A INPUT -p tcp -m tcp --dport 8000 -m comment --comment "Splunk web interface" -j ACCEPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
Happy commenting!
How to block malicious VBA documents and spreadsheets with spam assassin or amavisd
Monitoring our net streams for SMTP traffic, I have a particular Splunk alert configured to alert when a spam campaign in underway. It’s quite interesting to see what tricks spammers try and how long some campaigns last.
Something that has caught my attention is the increased use of unsolicited “invoice” and “order” emails which get sent with .doc documents attached. Reviewing the documents nearly all of them contain malicious VB scripting usually set to auto run, which downloads and tries to execute binaries.
Now I have created a number of spam assassin rules to block these types of emails (invoices with .doc files attached) but it’s a cat and mouse game, and you can’t be too generic as you may block legitimate email. What I can block ruthlessly is documents and spreadsheets which contain autorun VB scripting.
Here is how to do it:
Create the following file on your amavisd server at the location “/usr/local/bin/detectvba.pl”
#!/usr/bin/perl -w # technion@lolware.net # Detects vba macros containing blacklisted strings. # https://github.com/technion/maia_mailguard/blob/master/scripts/detectvba.pl # Mods by www.cammckenzie.com # # Suggested amavisd/maiad.conf config: # ['Detect-VBA', # '/usr/local/bin/detectvba.pl', "{}", # [0], qr/INFECTED/, qr/\bINFECTED (.+)\b/m ], # use strict; my $sigtool = '/usr/bin/sigtool'; #Clamav sigtool path if ($#ARGV != 0) { print "Please supply directory to scan\n"; exit 0; } #Sanity check directory my $dir = $ARGV[0]; if ($dir !~ /^[a-z0-9A-Z\/-]+$/) { print "Invalid directory passed\n"; exit 0; } opendir DIR, $dir or die "Cannot open dir $dir: $!"; my @files = readdir DIR; foreach my $file (@files) { next if $file =~ /^\.$/; next if $file =~ /^\.\.$/; my $scan = `$sigtool --vba="$dir/$file"`; if ($scan =~ /autoopen/i ) { print "Scanning $file: INFECTED VBA\n"; exit 1; } else { print "Scanning $file: OK\n"; } } closedir DIR; exit 0;
Then in amavisd.conf (/etc/amavisd/amavisd.conf on CentOS) modify the section “@av_scanners” and insert as a primary scanner the following stanza:
['Detect-VBA', '/usr/loca/bin/detectvba.pl', "{}", [0], qr/INFECTED/, qr/\bINFECTED (.+)\b/m ],
Then after that just restart your amavisd service and you should see, it finds Detect-VBA as a primary scanner, test it by sending yourself a malicious macro document lol.
Download the raw howto here, so that special characters are intact as FlatPress has a habit of removing them….https://www.cammcken … assin-or-amavisd.txt
How to mount dd images under Linux
For a raw filesystem try:
fdisk -l harddrive.img mount -o ro,loop,offset=xxxxxxxxx harddrive.img /mnt/loop
or for filesystems with volume groups etc try:
losetup /dev/loop0 disk.img kpartx -a /dev/loop0
Then to mount the first partition:
mount /dev/mapper/loop0p1 /mnt
Or to activate the volume group then mount the logical volume:
vgscan vgchange -ay vg mount /dev/vg/lv /mnt
Hope that helps.
Stop Nagios going into /var/log/messages on CentOS 7
It seems that Nagios is logging in two places on my CentOS 7 build.
Once in /var/log/nagios/nagios.log and also in /var/log/messages.
Considering I like my builds nice and tidy and don’t want contamination of my log files, I needed to filter out Nagios using rsyslog.
Because rsyslog processes it’s rules in order, we need to insert the following rule
# Stop nagios going into messages - it already has a log if $programname == 'nagios' then stop
before:
# Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages
Then restart rsyslogd!
Enable Apache’s inbuilt chroot functionality
This works on all versions of Apache webserver greater than 2.2.10.
I’ll presume you have a current working version of Apache serving files from /var/www/
mkdir -p /chroot/var/
Required for PHP5 compatibility:
mkdir -p /chroot/var/lib/php5 chown root:www-data /chroot/var/lib/php5 chmod 770 /chroot/var/lib/php5 cp /etc/localtime /chroot/etc/localtime cp -R /usr/share/zoneinfo /chroot/usr/share/zoneinfo cp -R /usr/share/apache2 /chroot/usr/share/apache2
mv /var/www /chroot/var/
To help with compatibility and user / sysadmin expectations
ln -s /chroot/var/www /var/www
Enable Apache’s in-built chroot (Debian)
echo "ChrootDir /chroot" > /etc/apache2/conf.d/chroot
Enable Apache’s in-built chroot (Redhat/CentOS/Fedora)
echo "ChrootDir /chroot" >> /etc/httpd/conf/httpd.conf semanage fcontext -a -t httpd_sys_content_t “/chroot/var/www(/.*)?”
service apache2 restart
Now test your damn website! Logfiles are your friend for troubleshooting any bugs :-)