I just found out that you can apply different IPTables rules based on UID and GID.

Just check that your kernel / iptables supports the module:

iptables -m owner --help

Which should output near the bottom like:

owner match options:
[!] --uid-owner userid[-userid]      Match local UID
[!] --gid-owner groupid[-groupid]    Match local GID
[!] --socket-exists                  Match if socket exists

Then make a rule as required. Eg. User ‘cm’ gets their web traffic transparently proxied via Squid.

iptables -m owner --uid-owner cm -t nat -A OUTPUT -i eth0 -p tcp --dport 80 -j DNAT --to 127.0.0.1:3128

Pretty cool!

I had the fun times of trying to write grok rules in a particular way along with a complicated pipeline. I got tried of pushing the rules and restarting logstash, there had to be a better way!

This is want I ended up doing on my development system:

wget https://artifacts.elastic.co/downloads/logstash/logstash-6.3.1.rpm
yum localinstall logstash-6.3.1.rpm 

Create your pipeline in: /etc/logstash/conf.d/

Create the following example files:

/tmp/input.txt:

2018-07-16T01:53:28.716258+00:00 acme-host1 sshd[12522]: Disconnected from 8.8.8.8 port 37972

000-file-in.conf:

input {
    file {
	path => [ "/tmp/input.txt" ]
	start_position => beginning
	type => "test"
	add_field => { "sourcetype" => "test" }
	sincedb_path => "/dev/null"
    }
}

25-filter.conf:

filter {
    if [type] == "test" {
        grok {
            match => { "message" => "%{TIMESTAMP_ISO8601} %{SYSLOGHOST:logsource} %{SYSLOGPROG}?: %{GREEDYDATA:message}" }
            overwrite => [ "message" ]
            add_tag => [ "p25vls" ]
        }
    
        date {
            locale => "en"
            match => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"  ]
            timezone => "UTC"
        }
    }
}

999-output.conf:

output {
    stdout { codec => rubydebug }
}

Run:

/usr/share/logstash/bin/logstash -r -f /etc/logstash/conf.d/

Give it a minute, because well Java

Now in a second window, modify you pipeline (or file 25-filter.conf etc), save it.

You should see Logstash reprocess the data from ‘/tmp/input.txt’

Happy iterational development :-)

In order for a Linux (client) box to communicate with (and perform NTLM auth) a Windows domain controller through a restrictive firewall you would need the following ports opened at a minimum:

udp 53
tcp/udp 88
tcp/udp 135
tcp 139
tcp 389
tcp 445
tcp/udp 464

openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates

Like any good paranoid netizen I use a password manager to create unique passwords for each website, the problem that I have with unique passwords is that if you need to remember them for any period of time (even 20 seconds) while you type the password somewhere (because copy and paste is not supported for some reason) then it’s nearly impossible to do so!

I have also cracked my fair share of passwords in this day and age and know the passwords patterns / rules used to create an extended wordlist based on how people create passwords, eg. YourPetName2017. So what do we need? We need dictionary words, completely random, at least four of them and with a space separator plus numbers and symbols. So by utilising this methodology we get the website: https://xkpasswd.net/s/

So I ask you which is easier to remember for 20 seconds:
?02-dollar-space-french-25? OR shegh3xohzu4ahjaekiik%eiqu#u

Oh and bookmark that website! :-)