5 Minute Guides

Sniffing Traffic From A Remote Machine With Wireshark

It can be a pain to read tcpdump output on the fly when all you have is SSH access. The usual way is to write the capture to a file, copy it over and have Wireshark read and analyse it afterwards.

There is another way: have tcpdump write the capture to standard output and pipe it over ssh straight into Wireshark on your local machine for real-time analysis. Be warned that this can eat significant bandwidth if the machine you are sniffing has high network utilisation. This is the command for sniffing all the remote traffic on eth0 (replace <remotehost> with the machine you are capturing on):

ssh root@<remotehost> "tcpdump -i eth0 -s 1500 -U -w - not port 22" | wireshark -k -i -

The "not port 22" filter matters: the capture itself travels over the SSH session, so without it every packet Wireshark receives is captured again and the stream snowballs. -U makes tcpdump flush each packet instead of buffering, so Wireshark shows it as it arrives; -k tells Wireshark to start capturing immediately and -i - to read from standard input. You can add further capture filters to the tcpdump command to reduce the data sent over the network. There are other ways to do this, but I think this is the simplest and most straightforward way to get work done.
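A small wrapper around the same pipeline, added here as an example rather than taken from the original post. It parameterises host, interface and SSH port, composes the capture filter so the SSH session carrying the capture is excluded, and asks tcpdump to flush per packet (-U) and skip name lookups (-n) so no DNS traffic is generated and captured on top. The address 192.0.2.10 in the comment is a placeholder.

```shell
#!/bin/sh
# remote-capture.sh: stream a tcpdump capture from a remote host into local
# Wireshark. Added example, not the original post's one-liner. Assumes ssh as
# root to the remote host, tcpdump there and wireshark here; host, interface
# and ssh port are parameters, and 192.0.2.10 below is a placeholder address.

# Build the tcpdump command that runs on the remote side.
#   $1 = interface, $2 = ssh port to exclude (default 22), $3 = optional extra BPF filter
# The capture itself rides over ssh, so without "not port N" every packet that
# reaches Wireshark is captured again and the stream snowballs.
build_remote_cmd() {
    iface=$1
    ssh_port=${2:-22}
    extra=$3
    filter="not port $ssh_port"
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    # -n: no name lookups (they would create DNS traffic that gets captured too)
    # -U: flush each packet to the pipe instead of buffering
    # -w -: write pcap to stdout; the filter is single-quoted for the remote shell
    printf "tcpdump -n -i %s -s 1500 -U -w - '%s'\n" "$iface" "$filter"
}

# Usage: remote_capture host iface [ssh_port] [extra_filter]
remote_capture() {
    host=$1
    cmd=$(build_remote_cmd "$2" "$3" "$4")
    ssh -p "${3:-22}" "root@$host" "$cmd" | wireshark -k -i -
}

# Example: ./remote-capture.sh 192.0.2.10 eth0 22 'tcp port 80'
if [ "$#" -ge 2 ]; then
    remote_capture "$@"
fi
```

The filter drops everything on the ssh port, not only your own session; narrow it to something like not (host <your-ip> and port 22) if other ssh traffic to that box is what you want to see.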



Hunting Down The Rogue Process

A friend sought my help to look at a server that had been compromised. Each time after rebooting, there was a process running that connected to IRC networks and started a DDoS.

So which process is wreaking the havoc?

A few commands will tell.

# lsof -i :6667 - This finds the pid of the process making the network connection. In this case it is port 6667, the usual IRC port (add -nP to skip name lookups, and -t to print only the pids).

# lsof -p <pid> - Take the pid from the previous command and list every file that process has open; the txt line is the executable and cwd its working directory (lsof -p is more precise than lsof | grep <pid>, which also matches unrelated lines that happen to contain those digits). If the binary has already been deleted from disk, readlink /proc/<pid>/exe still shows where it was. Do not rush into killing the process first. Find the files, copy them somewhere safe, chown them to root and chmod them to 600, then proceed to kill. If you rush into killing the process, you might end up not being able to find the files the cracker planted on your machine until the next time it happens. The files are usually stored in some obscure location (/tmp, /var/tmp and /dev/shm are favourites, often as dot-directories). Keeping the files lets you do some forensics to determine the extent of the damage.

A lot of PHP scripts have loopholes that allow crackers to upload and execute malicious scripts. Be very careful when running PHP scripts. Always ensure they are current and updated. Make sure the permissions are limited. Also hunt for the directories the apache user can write to and change the permissions accordingly; a directory that is both writable by apache and served as PHP is exactly what these uploads need. These actions will not make your server entirely safe, but they do make things slightly more difficult for bad things to happen.
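The same hunt, scripted, as an added example (not the original post's commands). The lsof output is a constructed sample in lsof's normal column layout; the rogue binary deliberately calls itself httpd, and the pid, paths and addresses are made up for illustration. The live commands the functions would wrap are listed in the comments at the end.

```shell
#!/bin/sh
# hunt-rogue.sh: find the process behind an IRC connection and preserve what it
# runs before killing it. Added example, not the original post's commands.
# The lsof output below is constructed sample data in lsof's standard column
# layout; on a real box feed the functions live command output instead.

# Constructed sample of `lsof -nP -i :6667` (the rogue binary calls itself httpd).
SAMPLE_LSOF_I='COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   2314 apache    3u  IPv4  31337      0t0  TCP 10.0.0.5:41022->198.51.100.7:6667 (ESTABLISHED)'

# Constructed sample of `lsof -p 2314`: cwd is the working directory, txt the executable.
SAMPLE_LSOF_P='COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
httpd   2314 apache  cwd    DIR    8,1     4096 1310722 /var/tmp/.x
httpd   2314 apache  txt    REG    8,1   612345 1310725 /var/tmp/.x/httpd
httpd   2314 apache    3u  IPv4  31337      0t0     TCP 10.0.0.5:41022->198.51.100.7:6667 (ESTABLISHED)'

# PIDs with a socket on the port: skip the header, print column 2, one per line.
pids_from_lsof() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $2 }' | sort -u
}

# Files worth preserving: the executable (txt) and the working directory (cwd).
# Matching on the FD column avoids `lsof | grep <pid>`, which also hits any
# other line that happens to contain the digits of the pid.
planted_paths() {
    printf '%s\n' "$1" | awk '$4 == "txt" || $4 == "cwd" { print $4, $NF }'
}

# Copy a file into an evidence directory keeping its timestamps, lock the copy
# down, and record a checksum so the copy can be tied back to what actually ran.
preserve_file() {
    src=$1; evidence=$2
    mkdir -p "$evidence"
    cp -p "$src" "$evidence/"
    chmod 600 "$evidence/$(basename "$src")"
    cksum "$evidence/$(basename "$src")" >> "$evidence/MANIFEST"
}

# Live procedure (commented out so the script can be read and tested offline):
#   for pid in $(lsof -nP -t -i :6667); do
#       readlink "/proc/$pid/exe"            # still works if the binary was unlinked
#       planted_paths "$(lsof -p "$pid")"
#   done
#   preserve_file /var/tmp/.x/httpd /root/evidence-$(date +%F)
#   kill -9 "$pid"
```

Copy first, then restrict, then kill: once the process is gone, an unlinked binary can no longer be read back through /proc, and a cron or rc entry that restarts it is easier to spot while you still know the path to look for.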


389 Directory Server – “disallow_pw_change_aci”

Another addition to my own F(#$)king M(anual). I recently updated my 389 Directory Server and encountered a permission error when changing passwords. In my ACI list there is this “disallow_pw_change_aci”, which doesn’t allow users to change their passwords. The first thing I had missed after the upgrade was to run setup-ds.pl -u, so I did that immediately. It still didn’t work when I tried a password change on the machine I had upgraded. My setup is a pair of DS servers running multimaster replication. It turns out that both machines have to be updated with the setup-ds.pl -u script for the password change to work.

Hope this helps anyone else encountering this error.


Solaris Zone Administration – Changing IP Address

I had to get my hands dirty recently to migrate some Solaris boxes. While I’m not totally unfamiliar with Solaris zones, the commands slipped my mind since I don’t use them on a day to day basis.

zonecfg -z zonename
select net address=x.x.x.x (where x.x.x.x is the current address)
set address=y.y.y.y (where y.y.y.y is the new address)
end
verify
commit
exit

That’s it. The new address takes effect the next time the zone boots (zoneadm -z zonename reboot); zonecfg -z zonename info net shows what was committed. Another quick reference and addition to my own F(**king)M(anual).


OpenSSL Certificate Format Conversion

I have been working on SSL/TLS on my 389 Directory Server lately. That in turn requires me to dive slightly deeper into OpenSSL.

Here are a few useful commands to convert between the different certificate formats. Source: https://www.sslshopper.com/ssl-converter.html

A note on file names: .cer, .crt and .pem are only naming conventions. A file is either PEM (base64 text between -----BEGIN and -----END lines) or DER (binary ASN.1), and the -inform/-outform options below are what actually tell openssl which is which, so look at the file (head -c 10 file) before choosing a command.

OpenSSL Convert PEM

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

OpenSSL Convert PFX

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

-nodes writes the private key out unencrypted, so the output file contains the key as well as the certificate and CA chain; despite the .cer name it is a PEM bundle. Protect it (chmod 600, outside any web root), or drop -nodes to have openssl re-encrypt the key under a passphrase you supply.
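An added example, not from the original post or the sslshopper page: a small script that tells PEM from DER by looking at the bytes, guesses whether a DER blob is a certificate, a PKCS#7 bundle or a PKCS#12 file from the first element inside the outer SEQUENCE, and does the PEM/DER conversion without openssl to show that it is only base64 plus header lines. The DER inputs it builds are constructed stand-ins with the right outer shape, not real certificates.

```shell
#!/bin/sh
# certfmt.sh: identify a certificate file's encoding before picking an openssl
# conversion command. Added example, not from the original post. The DER
# samples built by make_samples are constructed stand-ins with the same outer
# ASN.1 shape as the real formats; they are not real certificates.

# PEM is base64 DER between BEGIN/END lines, wrapped at 64 columns.
der_to_pem() {   # $1 = DER file, $2 = PEM label (CERTIFICATE, PKCS7, ...); PEM on stdout
    printf '%s\n' "-----BEGIN $2-----"
    base64 "$1" | tr -d '\n' |
        awk '{ while (length($0) > 64) { print substr($0, 1, 64); $0 = substr($0, 65) } print }'
    printf '%s\n' "-----END $2-----"
}

pem_to_der() {   # $1 = PEM file; DER on stdout
    grep -v -- '^-----' "$1" | base64 -d
}

# Classify a file. For DER, the tag of the first element inside the outer
# SEQUENCE separates the three container formats:
#   30 SEQUENCE -> X.509 certificate (tbsCertificate)
#   02 INTEGER  -> PKCS#12 (version 3)
#   06 OID      -> PKCS#7 (contentType)
cert_format() {
    if head -c 10 "$1" | grep -q -- '^-----BEGIN'; then
        printf 'PEM %s\n' "$(sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1")"
        return 0
    fi
    set -- $(od -An -tx1 -N8 "$1")         # first bytes as hex, one per argument
    [ "$1" = "30" ] || { echo "unknown (not PEM, no leading SEQUENCE)"; return 1; }
    case "$2" in                           # DER length encoding decides where the inner tag sits
        81) inner=$4 ;;                    # long form, one length byte
        82) inner=$5 ;;                    # long form, two length bytes (typical certificate)
        83) inner=$6 ;;
        8*) echo "unknown (unsupported length encoding)"; return 1 ;;
        *)  inner=$3 ;;                    # short form, length below 128
    esac
    case "$inner" in
        30) echo "DER X.509 certificate" ;;
        02) echo "DER PKCS#12" ;;
        06) echo "DER PKCS#7" ;;
        *)  echo "DER (unrecognised content)" ;;
    esac
}

# Constructed samples: an outer SEQUENCE with the right first inner tag, nothing more.
make_samples() {   # $1 = directory to write into
    printf '\060\010\060\003\002\001\005\002\001\007' > "$1/cert.der"   # SEQUENCE { SEQUENCE { 5 }, 7 }
    printf '\060\003\002\001\003' > "$1/bundle.p12"                      # SEQUENCE { INTEGER 3 }
    der_to_pem "$1/cert.der" CERTIFICATE > "$1/cert.pem"
}
```

Run cert_format on a file and you know which -inform to pass; the PEM branch also reports the label, which tells a PKCS7 bundle apart from a single CERTIFICATE without opening the file.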


LDAP Authentication for SSH in Red Hat Enterprise Linux

Prerequisite: a working LDAP server with the right schemas. (I will go into setting up a Red Hat Directory Server another day.)

On the Red Hat Enterprise Linux ‘client’:

authconfig \
--enablemkhomedir --enableldap \
--enableldapauth --ldapserver=<myldapserver> \
--ldapbasedn=<myldapbasedn> --updateall

“--enablemkhomedir” : This auto-creates the home directory for users who have never logged in to the system before. In the background it is actually pam_mkhomedir doing the real work. For this to work, the LDAP server must return a valid homeDirectory attribute for the user (part of the posixAccount schema).

“--enableldap” : Tells the system to get user information via LDAP, i.e. getent passwd <user> will fetch the entry from LDAP (this is the nsswitch.conf side).

“--enableldapauth” : Tells PAM to authenticate against LDAP, which means the user’s password is sent to the server in a simple bind. Add --enableldaptls (with the CA certificate installed on the client) or point --ldapserver at an ldaps:// URL so that bind does not cross the network in the clear.

The rest of the command line options are self explanatory. One command to solve the entire problem instead of meddling with pam, nsswitch.conf etc.


IPhone Tethering – Use and Abuse!

This is the geeky sequel to my last Linux to iPhone tethering episode, where we use and abuse the iPhone tethering function.

Some background: I’m one of those people who contracted (and got stuck) with the 50GB SingTel Mobile Broadband plan before the days of the 12GB iPhone plan. My usage was about 4GB per month, so none of the plans was suitable for me at that time.

Anyway, that aside. For some reason my team had to work in a place where we had no internet access while we were building the network for high speed internet access. What irony! The only systems engineer in the team (me) decided that I had a lot of data to spare, so here we go... use and abuse!

Configuration is simple. First you have to set up tethering as per my previous post on iPhone tethering. Once you are done with that, do the following steps. And again, it’s a 5 minute quick hack.

1. vi linux-router.sh

2. Paste the following into the shell script

#!/bin/bash
# wlan0 is the inside interface (the team's WiFi), bnep0 the outside (iPhone over bluetooth)
/sbin/ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
# without this the kernel drops forwarded packets no matter what iptables says
/sbin/sysctl -w net.ipv4.ip_forward=1
# hide the team behind the laptop's bnep0 address
/sbin/iptables -t nat -A POSTROUTING -o bnep0 -j MASQUERADE
# allow replies back in, and anything from the inside out
/sbin/iptables -A FORWARD -i bnep0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i wlan0 -o bnep0 -j ACCEPT

3. Save the file.
4. chmod 700 linux-router.sh
5. ./linux-router.sh
6. Done!

My colleagues are connected to a WiFi router, hence the use of wlan0 as the “inside” interface. bnep0 is the “outside” interface, connected to the iPhone via bluetooth. All the machines point to my laptop as the gateway, which bears the IP address 192.168.0.1, and all of them are NAT’d out of the outside interface. Note that nothing in the script restricts what the clients can do or what reaches the laptop itself on bnep0; that is fine for a team you trust, less so for an open hotspot.

I have 2Mbps on my plan. Good enough for the team to check email and do some simple web browsing for information.

There are other things you can do, like transparent proxying, so that you save a bit of bandwidth.

Leave a comment if you have any questions on the configurations. Have fun!


Linux to IPhone Tethering In 5 Mins

Tethering from a mobile phone is not new to me. I started from the days of having to script the ppp chat scripts to wvdial to finally having Network Manager recognizing my mobile phone as a 3G modem.

The iPhone is new. I have been reading about tethering on Linux since I bought it. Painful ways: jailbreak, run a proxy, etc.

Linux didn’t recognize the iPhone as a modem when I plugged it in via USB, so it’s bluetooth only for now. I tried tethering on my Mac first. With bluetooth, I found that tethering actually happens over PAN (Personal Area Network). That should work with Linux, and so it did.

These are steps for me to get tethering on Debian in 5 mins.

1. Run “sudo aptitude -y install blueman” in Debian.

2. Logout and login again. This is for the dbus and stuff to react correctly when you turn on your bluetooth later on.

3. Turn on your bluetooth or insert your USB bluetooth dongle. A bluetooth icon should appear in your system tray or whatever you call it in Gnome. That’s Blueman.

4. Discover and add your IPhone in Blueman

5. Turn on Internet Tethering under “Settings -> General -> Network”. Choose Bluetooth.

6. Go back to your Blueman, click on it and you should see your IPhone. Right click on your IPhone and select “Network Access Point”

7. And you are done!

That’s it! Simple right? No hacking, no jailbreak!

Do drop me a comment if anything’s unclear. The same solution should work with any of the modern distros like Fedora and Ubuntu.


SCIM in Debian Lenny for Chinese Input

I have to struggle with this whenever I have a new Debian installation. SCIM does not work out of the box in Debian, so there are some minor configurations to do. But I failed to note them down anywhere, just happily relying on Google.

So yet again, I have a new Debian Lenny installation on my new notebook. And the same story again: I had to search all over Google for the instructions to make it work. So this time round I decided to note it down here so that I can “Read My Own F$#king Manual” next time, as well as for the benefit of others.

Step 1:

Install the fonts

aptitude install ttf-arphic-bkai00mp ttf-arphic-uming ttf-arphic-gkai00mp ttf-arphic-bsmi00lp ttf-arphic-gbsn00lp ttf-arphic-ukai xfonts-intl-chinese unifont ttf-unifont

Step 2:

Install all the scim related packages

aptitude install scim-pinyin uim-pinyin scim-uim scim-chinese scim-tables-zh

Step 3:

im-switch -c

Select scim and save.

Step 4:

Restart your session by logging out and logging in again.

SCIM should work after that.


Copyright © 1996-2010 YiBi's Life|Live Log. All rights reserved.