Block network traffic based on UID / User and GID / Group

I just found out that you can apply different IPTables rules based on UID and GID.

Just check that your kernel / iptables supports the module:

iptables -m owner --help

Which should print, near the bottom, something like:

owner match options:
[!] --uid-owner userid[-userid]      Match local UID
[!] --gid-owner groupid[-groupid]    Match local GID
[!] --socket-exists                  Match if socket exists

Then make a rule as required. E.g. user ‘cm’ gets their web traffic transparently proxied via Squid (note that the OUTPUT chain only accepts an output interface, -o, not -i):

iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 80 -m owner --uid-owner cm -j DNAT --to 127.0.0.1:3128

Pretty cool!
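The same owner match also works the other way round, as a least-privilege egress policy for one service account. The script below is an added example, not code from the original post: the account name svc-backup, the destination 192.0.2.10:873 and the interface eth0 are placeholders. It prints the rules rather than applying them blindly, so they can be reviewed first, and it checks for the owner module the same way the post does.

```shell
#!/bin/sh
# Added example (not from the original post): a least-privilege egress policy
# for one local account, built on the same "-m owner --uid-owner" match.
# The account "svc-backup", the allowed destination 192.0.2.10:873 and the
# interface "eth0" are placeholders chosen for this example.
#
# Caveat: the owner match is only valid in the OUTPUT and POSTROUTING chains,
# because a socket owner is only known for locally generated packets. It
# never matches forwarded traffic from other hosts or containers.

# Does this kernel/iptables build provide the owner match at all?
check_owner_match() {
    iptables -m owner --help 2>/dev/null | grep -q -- '--uid-owner'
}

# Print (rather than run) the rules for one account, so they can be reviewed
# or diffed before being applied. Arguments: user, dest IP, dest TCP port,
# optional outgoing interface.
gen_rules() {
    user="$1"; dest_ip="$2"; dest_port="$3"; iface="${4:-eth0}"
    # One dedicated chain per account keeps the policy readable and flushable.
    chain="EGRESS_$(printf '%s' "$user" | tr 'a-z' 'A-Z' | sed 's/-/_/g')"

    echo "iptables -N $chain"
    # Everything this UID sends out through $iface is judged in its own chain.
    echo "iptables -A OUTPUT -o $iface -m owner --uid-owner $user -j $chain"
    # Replies to connections already accepted, then DNS, then the one
    # service the account legitimately needs.
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A $chain -p udp --dport 53 -j ACCEPT"
    echo "iptables -A $chain -p tcp -d $dest_ip --dport $dest_port -m conntrack --ctstate NEW -j ACCEPT"
    # Rate-limited log line first, so an account reaching for anywhere else
    # shows up in the kernel log, then a clean reject.
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"egress-deny $user: \""
    echo "iptables -A $chain -j REJECT --reject-with icmp-admin-prohibited"
}

# Usage: sh egress.sh apply USER DEST_IP DEST_PORT [IFACE]
# Without "apply" nothing is executed; gen_rules alone just prints.
case "${1:-}" in
    apply)
        check_owner_match || { echo "iptables owner match not available" >&2; exit 1; }
        shift
        gen_rules "$@" | sh -e
        ;;
esac
```

Because the match is on the UID, root and every other account are unaffected by the chain; to review what would be applied, run gen_rules svc-backup 192.0.2.10 873 on its own and read the output before piping it into sh -e.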

Fast development of Grok / Logstash extractions and fields

I had the fun times of trying to write grok rules in a particular way, along with a complicated pipeline. I got tired of pushing the rules and restarting Logstash; there had to be a better way!

This is what I ended up doing on my development system:

wget https://artifacts.elastic.co/downloads/logstash/logstash-6.3.1.rpm
yum localinstall logstash-6.3.1.rpm 

Create your pipeline in: /etc/logstash/conf.d/

Create the following example files:

/tmp/input.txt:

2018-07-16T01:53:28.716258+00:00 acme-host1 sshd[12522]: Disconnected from 8.8.8.8 port 37972

000-file-in.conf:

input {
    file {
        path => [ "/tmp/input.txt" ]
        start_position => "beginning"
        type => "test"
        add_field => { "sourcetype" => "test" }
        sincedb_path => "/dev/null"
    }
}

25-filter.conf:

filter {
    if [type] == "test" {
        grok {
            # Capture the ISO8601 timestamp so the date filter below has a field
            # to work on; the rest of the line replaces the original message.
            match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:logsource} %{SYSLOGPROG}?: %{GREEDYDATA:message}" }
            overwrite => [ "message" ]
            add_tag => [ "p25vls" ]
        }

        date {
            locale => "en"
            # The sample line in /tmp/input.txt is ISO8601; the "MMM dd" forms
            # cover classic syslog timestamps.
            match => [ "timestamp", "ISO8601", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
            timezone => "UTC"
        }
    }
}

999-output.conf:

output {
    stdout { codec => rubydebug }
}

Run:

/usr/share/logstash/bin/logstash -r -f /etc/logstash/conf.d/

Give it a minute to start up (it's Java, after all).

Now, in a second window, modify your pipeline (or just 25-filter.conf, etc.) and save it.

You should see Logstash reprocess the data from ‘/tmp/input.txt’.

Happy iterative development :-)
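Once the loop above has the grok pattern looking right, the next step is to stop eyeballing rubydebug output and assert on it. The script below is an added example, not part of the original post: it wraps the same 25-filter.conf in a stdin input and a json_lines output, pushes one constructed log line through, and checks that the fields you expect were extracted. The logstash binary path is the one used in the post; LS_BIN and the sample line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a non-interactive regression
# check for the grok filter. It runs one constructed log line through the
# filter file via a stdin input and asserts that the expected fields were
# actually extracted. Assumes the 25-filter.conf from the post and the
# logstash binary path used there (override with LS_BIN).

LS_BIN="${LS_BIN:-/usr/share/logstash/bin/logstash}"

# Wrap a filter file in a stdin input and a json_lines output, so each event
# comes out as one JSON object per line that is easy to grep.
build_pipeline() {
    filter_file="$1"
    printf 'input { stdin { type => "test" } }\n'
    cat "$filter_file"
    printf 'output { stdout { codec => json_lines } }\n'
}

# Run one line through the pipeline. --path.data points at a scratch dir so
# this can run next to the long-lived logstash from the post; only the JSON
# event lines (those starting with "{") are kept.
run_one() {
    filter_file="$1"; line="$2"
    scratch=$(mktemp -d)
    printf '%s\n' "$line" |
        "$LS_BIN" -e "$(build_pipeline "$filter_file")" --path.data "$scratch" --log.level error 2>/dev/null |
        grep '^{'
    rm -rf "$scratch"
}

# Assert that a field came out with the expected (string) value.
expect_field() {
    json="$1"; field="$2"; value="$3"
    if printf '%s\n' "$json" | grep -q "\"$field\":\"$value\""; then
        echo "ok   $field=$value"
    else
        echo "FAIL $field expected $value" >&2
        return 1
    fi
}

# Usage: sh grok-check.sh /etc/logstash/conf.d/25-filter.conf
if [ $# -gt 0 ]; then
    # Constructed sample line (same shape as the post's /tmp/input.txt).
    sample='2018-07-16T01:53:28.716258+00:00 acme-host1 sshd[12522]: Disconnected from 8.8.8.8 port 37972'
    event=$(run_one "$1" "$sample")
    expect_field "$event" logsource acme-host1
    expect_field "$event" program sshd
    expect_field "$event" pid 12522
fi
```

Because grok captures everything as strings unless you tell it otherwise, pid is matched as "12522" with quotes; a non-zero exit from expect_field is what you want a CI job to fail on after someone edits the pattern.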

The minimum firewall ports for a Windows domain controller and Linux server

In order for a Linux (client) box to communicate with, and perform NTLM auth against, a Windows domain controller through a restrictive firewall, you need the following ports opened at a minimum:

udp 53 (DNS)
tcp/udp 88 (Kerberos)
tcp/udp 135 (RPC endpoint mapper)
tcp 139 (NetBIOS session service)
tcp 389 (LDAP)
tcp 445 (SMB)
tcp/udp 464 (Kerberos password change)
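Before blaming the domain join or the NTLM exchange itself, it is worth confirming from the Linux side that the firewall really passes those ports. The script below is an added example, not from the original post: it attempts a TCP connect to each TCP port in the list with a timeout and reports which are blocked. dc01.example.com is a placeholder. UDP is connectionless, so the UDP entries (53, 88, 135, 464) cannot be verified with a plain connect; those need a real query, such as an nslookup against the DC for UDP 53.

```shell
#!/bin/sh
# Added example (not from the original post): verify from the Linux client
# that the TCP ports in the list above are reachable through the firewall.
# "dc01.example.com" is a placeholder. UDP ports (53, 88, 135, 464) are not
# checked here because a bare connect says nothing about UDP; use a real
# query (e.g. nslookup against the DC) for those.

# The TCP ports from the list, one per line.
tcp_ports() {
    printf '%s\n' 88 135 139 389 445 464
}

# Try a TCP connect with a timeout. bash's /dev/tcp does the connect without
# needing nc or nmap; timeout(1) keeps a silently dropped SYN from hanging.
# Returns 0 if the port accepted the connection.
tcp_open() {
    host="$1"; port="$2"; secs="${3:-3}"
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Check every TCP port against one host, print a line per port, and return
# the number of ports that were NOT reachable (0 means all open).
check_dc() {
    host="$1"; failed=0
    for p in $(tcp_ports); do
        if tcp_open "$host" "$p"; then
            echo "open    tcp/$p $host"
        else
            echo "BLOCKED tcp/$p $host"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh dc-ports.sh dc01.example.com
if [ $# -gt 0 ]; then
    check_dc "$1"
fi
```

A "BLOCKED" line for a port that is open on the DC itself points at the firewall (or a dropped SYN on the path); a connect that succeeds only proves the port is reachable, not that the service behind it is healthy.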

Check SSL certificate expiry via shell script

openssl s_client -servername NAME -connect HOST:PORT </dev/null 2>/dev/null | openssl x509 -noout -dates

(The </dev/null closes the connection as soon as the handshake is done, so the command does not sit waiting on stdin when run from a script.)
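To make the one-liner useful from cron or a monitoring job, it needs to decide, not just print dates. The script below is an added example, not from the original post: it fetches the leaf certificate the same way, lets openssl's own -checkend do the date arithmetic (so nothing depends on date(1) parsing the notAfter string), and exits non-zero when any endpoint is inside the warning window or already expired. The hostnames in the usage line are placeholders and the window defaults to 30 days.

```shell
#!/bin/sh
# Added example (not from the original post): the one-liner above turned
# into a check that exits non-zero when a certificate is inside a warning
# window, so it can run from cron or a monitoring job. Hostnames in the
# usage line are placeholders; the warning window defaults to 30 days.

# Fetch the leaf certificate that HOST:PORT presents for server name NAME,
# as PEM on stdout. </dev/null closes s_client right after the handshake.
fetch_cert() {
    host="$1"; port="${2:-443}"; name="${3:-$1}"
    openssl s_client -servername "$name" -connect "$host:$port" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Exit 0 if the PEM certificate on stdin is still valid DAYS days from now,
# 1 if it expires sooner (or already has). openssl does the date arithmetic.
valid_for_days() {
    openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# Report one endpoint. Returns 0 (OK), 1 (warning or expired), 2 (no cert).
check_cert_expiry() {
    host="$1"; port="${2:-443}"; warn_days="${3:-30}"
    pem=$(fetch_cert "$host" "$port") || {
        echo "UNKNOWN  $host:$port no certificate retrieved" >&2; return 2; }
    enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
    if printf '%s\n' "$pem" | valid_for_days "$warn_days"; then
        echo "OK       $host:$port $enddate"
    elif printf '%s\n' "$pem" | valid_for_days 0; then
        echo "WARNING  $host:$port expires within $warn_days days ($enddate)"; return 1
    else
        echo "EXPIRED  $host:$port ($enddate)"; return 1
    fi
}

# Usage: sh cert-check.sh www.example.com:443 mail.example.com:993
# Exit status is non-zero if any endpoint is in warning or expired.
if [ $# -gt 0 ]; then
    rc=0
    for target in "$@"; do
        host="${target%%:*}"
        case "$target" in *:*) port="${target##*:}" ;; *) port=443 ;; esac
        check_cert_expiry "$host" "$port" 30 || rc=1
    done
    exit "$rc"
fi
```

Note that s_client only shows the certificate for the name you pass with -servername, so a host serving several names under SNI needs one check per name.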

Password generator for memorable passwords

Like any good paranoid netizen I use a password manager to create unique passwords for each website. The problem I have with unique passwords is that if you need to remember one for any period of time (even 20 seconds) while you type it somewhere (because copy and paste is not supported for some reason), it’s nearly impossible to do so!

I have also cracked my fair share of passwords in this day and age, and know the password patterns / rules used to build an extended wordlist from how people create passwords, e.g. YourPetName2017. So what do we need? We need dictionary words, completely random, at least four of them, with a separator plus numbers and symbols. A site that applies exactly this methodology is: https://xkpasswd.net/s/

So I ask you which is easier to remember for 20 seconds:
?02-dollar-space-french-25? OR shegh3xohzu4ahjaekiik%eiqu#u

Oh and bookmark that website! :-)
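For anyone who would rather generate these offline, the script below is an added example, not the post's or xkpasswd's own code. It produces passphrases in the shape shown above (a padding symbol, two digits, random dictionary words joined by one separator, two more digits, the symbol again) from any one-word-per-line wordlist, draws its randomness from /dev/urandom, and prints the entropy you actually get against an attacker who already knows the structure, which is the honest figure given the pattern-based wordlists the post describes. The wordlist path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post, and not xkpasswd's own code):
# a generator for passphrases shaped like "?02-dollar-space-french-25?",
# plus an entropy estimate that assumes the attacker knows the structure.
# Assumes a one-word-per-line wordlist; the path in the usage line is a
# placeholder.

SEPS='-_.:'          # candidate separators (4)
SYMS='!?%#@&*+='     # candidate padding symbols (9)

# Uniform integer in [0, N) drawn from /dev/urandom. Modulo bias is
# negligible because N is tiny compared with 2^32.
rand_below() {
    r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( r % $1 ))
}

# Pick one character of a set at random.
pick_char() {
    printf '%s' "$1" | cut -c "$(( $(rand_below ${#1}) + 1 ))"
}

# Keep only plain lowercase words of 4 to 8 letters (drops "Aaron's" etc.).
usable_words() {
    grep -E '^[a-z]{4,8}$' "$1"
}

# Pick one line of FILE (which has COUNT lines) at random.
pick_word() {
    sed -n "$(( $(rand_below "$2") + 1 ))p" "$1"
}

# gen_passphrase WORDLIST [NWORDS]  (default 4 words)
gen_passphrase() {
    wordfile="$1"; nwords="${2:-4}"
    list=$(mktemp)
    usable_words "$wordfile" > "$list"
    total=$(grep -c . "$list")
    if [ "$total" -eq 0 ]; then
        echo "no usable words in $wordfile" >&2; rm -f "$list"; return 1
    fi
    sep=$(pick_char "$SEPS"); sym=$(pick_char "$SYMS")
    words=""; i=0
    while [ "$i" -lt "$nwords" ]; do
        words="${words}$(pick_word "$list" "$total")${sep}"
        i=$((i + 1))
    done
    rm -f "$list"
    printf '%s%02d%s%s%02d%s\n' "$sym" "$(rand_below 100)" "$sep" "$words" "$(rand_below 100)" "$sym"
}

# entropy_bits WORDLIST_SIZE NWORDS: bits of entropy when the attacker knows
# the exact structure (NWORDS words + 4 digits + 1 symbol + 1 separator).
# A blind character-level brute force would face far more, but the post's
# point is that attackers use patterns, so this is the number to trust.
entropy_bits() {
    awk -v W="$1" -v n="$2" 'BEGIN {
        l2 = log(2)
        bits = n * log(W) / l2 + 4 * log(10) / l2 + log(9) / l2 + log(4) / l2
        printf "%.0f\n", bits
    }'
}

# Usage: sh passphrase.sh /usr/share/dict/words 4
if [ $# -gt 0 ]; then
    pw=$(gen_passphrase "$1" "${2:-4}")
    printf '%s  (~%s bits against a structure-aware attacker)\n' "$pw" \
        "$(entropy_bits "$(usable_words "$1" | grep -c .)" "${2:-4}")"
fi
```

With a typical system dictionary (tens of thousands of usable words) four words alone contribute around 60 bits, so the digits and symbols mostly serve to satisfy complexity rules rather than to add strength; adding a fifth word buys more than adding more padding.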