Jack Hacks

List user open sockets on cPanel server

Jack — Fri, 16 Mar 2007 22:41:47 GMT

As simple as this:

lsof -n -u^65534,^`cat /etc/passwd | awk -F':' '{if($3 < 32000) print $3}' | xargs | sed -e 's/ /,\^/g'` -i | awk '{if ($2 ~ /[0-9]*/) print $3, $1}' | sort | uniq -c | sort -n

The awk part is for excluding the system users ids < 32000.

How to extract SYN packets with tcpdump

Jack — Wed, 21 Feb 2007 21:36:17 GMT

tcpdump
# tcpdump -ne dst port 80 and 'tcp[13] & 2 == 2'
This way effectively filtering only SYN packets on port 80.

# tcpdump -c 30000 -ne dst port 80 and 'tcp[13] & 2 == 2' | awk '{print $11}' | cut -d. -f1|sort | uniq -c | sort -n
Dumping 30K packets,cutting the first octet from the IPs and sorting by number of packets originating from this A class net.

A bit more complicated:
# for i in `tcpdump -c 30000 -ne dst port 80 and 'tcp[13] & 2 == 2' | awk '{print $11} | cut -d. -f1|sort | uniq -c | awk '{if ($1 > 4000) print $2}'`; do \ iptables -I INPUT -s $i.0.0.0/8 -j DROP; \ done
Dumping 30K packets and if more than 4000 packets originate from the same A class net - block the net via iptables.

WPA for Ubuntu

Jack — Sat, 17 Feb 2007 22:59:03 GMT

It is a bit tricky (took me almost two days :), but basically this is the procedure:

- configure your wireless card
(using ndiswrapper is described in another article)
in case your wifi card is identified as wlan0 add the following to /etc/network/interfaces


auto wlan0
iface wlan0 inet dhcp
pre-up wpa_supplicant -Bw -Dwext -iwlan0 -c/etc/wpa_supplicant.conf
post-down killall -q wpa_supplicant

- install and configure wpasupplicant
# apt-get install wpasupplicant

create /etc/wpa_supplicant.conf with simular content


network={
  ssid="testwlan"
  psk="7cHBV294H_something_long_and complicate"
  scan_ssid=1
  key_mgmt=WPA-PSK
  proto=WPA
  pairwise=CCMP TKIP
  group=CCMP TKIP
}

This would automatically engage/shutdown wpasupplicant on up/down of the wlan0 interface.
Works nice for me :)

Make BASH update your terminal window title after logon

Jack — Sat, 17 Feb 2007 22:48:21 GMT

~/.bash_profile

This code would do the trick:


if [ "$TERM" = "xterm" ] ; then
    export PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}\007"'
else
    unset PROMPT_COMMAND
fi

After logon the terminal title would be updated in the form 'jack@server' and after logout the old value will be restored.

FreeBSD rc.firewall fix for blacklisted ip support

Jack — Sat, 17 Feb 2007 22:27:31 GMT

/etc/rc.firewall

Add this code at the end of the set_loopback function:


        if [ -f "${banned_ips}" ]; then
                for i in `cat ${banned_ips} | grep -vE "^#"`; do
                        echo ${fwcmd} add deny ip from ${i} to me
                done
        fi

This expects a variable banned_ips to be defined in rc.conf and to point to a file containing list (one per line) of blacklisted IPs/NETs in the form:


192.168.1.0/24
10.2.2.2
# This is a comment

Firewall rules would be up on the next reboot or after running /etc/netstart.

This is more a way to preserve blocked IPs/NETs across the reboots.