First, let’s set up the PF table which will control the traffic. Add the following to your /etc/pf.conf :

# add time block table
table <time_block> { } persist

Next, create a PF rule which block traffic for all entries in the time_block table:

# block all CIDR addresses in the time block table
block in quick log from <time_block> to any

Since the time_block table is still empty, no traffic is actually blocked.

The last thing to implement, is periodically manipulating the time_block table. This could be done by creating two cronjobs:

1. allow traffic at the beginning of “business hours”
2. block traffic at the end of “business hours”

crontab -e
# Allow traffic
0 7 * * * /usr/local/scripts/allow_employees.sh > /dev/null 2>&1
# Block traffic
0 17 * * * /usr/local/scripts/block_employees.sh > /dev/null 2>&1


The allow_employees.sh script will allow certain network ranges by ensuring those are removed from the time_block table:

#!/bin/sh

/sbin/pfctl -Td -t time_block 10.1.0.0/24
/sbin/pfctl -Td -t time_block 10.2.0.0/24

The block_employees.sh script will do the exact opposite: it will add ranges to the time_block table so that their network access will be blocked by the firewall:

#!/bin/sh

/sbin/pfctl -Ta -t time_block 10.1.0.0/24
/sbin/pfctl -Ta -t time_block 10.2.0.0/24

Finally deploy your new PF rules (first test them!)

pfctl -nf /etc/pf.conf
pfctl -f /etc/pf.conf

The zone files provided by https://ipdeny.com/ need to be stored locally. A simple way to achieve this is by having a cronjob downloading those periodically (for instance once per day):

#!/bin/sh

# download the latest country zone files
curl -s https://www.ipdeny.com/ipblocks/data/countries/ru.zone > /etc/ru.zone
curl -s https://www.ipdeny.com/ipblocks/data/countries/cn.zone > /etc/cn.zone


We store them directly to /etc in the above example.

In the /etc/pf.conf, first add a table based on the files you have generated with the above statements:

# add a bad hosts table based on local disk text files
# one CIDR per line
table <badhosts> persist file "/etc/ru.zone" file "/etc/cn.zone"

In the above example, we have created a table called badhosts based on two local files.

Finally we need some rules which actually blocks from and to these network ranges, an example PF block rule could be:

# block bad IP addresses
block from <badhosts> to any
block from any to <badhosts>

On a Debian/Ubuntu Linux host, install the ‘gnupg’ package.

# apt-get install gnupg

After installation, generate a PGP/GnuPG key using the ‘gpg’ command and go through the questions:

# gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
*snip*

Once your key has been generated, you are ready to start using it.

In this example, MySQL backups will be created using the ‘mysqldump’ command. The output of that command will be compressed using ‘gzip’, since the ‘mysqldump’ generates plain text output.

The ‘gpg’ command takes two arguments:

1. –encrypt : to define that we will encrypting the output coming STDOUT
2. -r user@domain.com : this parameter defines the key that will be used for the encryption

When we put all these commands together:

$ mysqldump --all-databases -uroot -psecret \
 | gzip - \
 | gpg --encrypt -r user@domain.com >mysql_dump_sql.bkp

The above example could be used in a cronjob to have daily backups.

http://superuser.com/questions/283863/force-finder-to-log-in-as-guest-to-a-smb-share/300382#300382

When working in a UNIX/Linux/MacOSX environment, the command is often used to execute some tasks. The default shell in the Terminal.app (MacOSX) and in most other terminals, is the Bourne Again Shell aka bash.

Bash is intended to be a conformant implementation of the Shell and Utilities portion of the IEEE POSIX specification. Bash also incorporates useful features from the Korn and C shells (ksh and csh).

Screen is a full-screen text-based window manager with VT100/ANSI terminal emulation. It has the ability to detach shell sessions, which is extremely useful for executing remote processes or executing processes that should be terminated after log out or termination of the shell process itself.

my ~/.bashrc

First we start off with configuration the Bash configuration file, which is located at ~/.bashrc for the current user or at /etc/bashrc.bashrc for system-wide configurations.

Most users will just edit their own bashrc file.
The options defined in this file, have comments above them so I won’t re-explain them.

# define your local timezone
export TZ='Europe/Brussels'

# If not running interactively, don't do anything
[ -z "$PS1" ] && return

# don't put duplicate lines in the history. See bash(1) for more options
export HISTCONTROL=ignoredups
# ... and ignore same sucessive entries.
export HISTCONTROL=ignoreboth

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# define all aliases in a separate file
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# turn on bash completion, must be installed separately
if [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi

# define some colors which will be used in PS1 and PS2
BLUE="[�33[0;34m]"
LIGHT_GRAY="[�33[0;37m]"
GREEN="[�33[0;32m]"
LIGHT_BLUE="[�33[1;34m]"
LIGHT_CYAN="[�33[1;36m]"
YELLOW="[�33[1;33m]"
WHITE="[�33[1;37m]"
RED="[�33[0;31m]"
NO_COLOUR="[�33[0m]"

# if this shell was started in the screen command, use a different PS1 prompt
if [[ $TERM =~ screen ]] ; then
    PS1="${GREEN}.oO( $BLUEh $GREEN|$BLUE w $GREEN)Oo"'[�33k][�33\]'".$NO_COLOUR "
else
    PS1="${GREEN}.oO( $BLUEh $GREEN|$BLUE w $GREEN)Oo.$NO_COLOUR "
fi
PS2="$GREEN.oO($NO_COLOUR "

This local bashrc file enables some default settings and creates a fancy bash prompt in colour. (See screenshot)

Next we’ll set up the Screen configuration file.

my ~/.screenrc

The following Screen configuration file sets some options that I find useful. These options included:

• no splash screen at startup
• no visual bell
• a customized status bar at the bottom of the screen
• a huge scrollback buffer
• updated window names, based on the current command
• UTF8 encoding

The file will be saved in the user home directory, at ~/.screenrc

# some default settings
startup_message off
vbell off
msgwait 1
defutf8 on
compacthist on

# Monitor windows
defmonitor on
activity ""

# Turns off alternate screen switching in xterms,
# so that text in screen will go into the xterm's scrollback buffer:
termcapinfo xterm* ti@:te@
altscreen on

# Enable 256 color terminal
attrcolor b ".I"
termcapinfo xterm 'Co#256:AB=E[48;5;%dm:AF=E[38;5;%dm'
defbce "on"

# Log 10000 lines
defscrollback 50000

backtick 2 60 60 echo $USERNAME

screen 0

shelltitle '. |bash'
hardstatus alwayslastline '%{= .y}.oO(%{= .b}%2`@%H%{= .y})Oo. %{= .b}%{+} %= %-w %{= .yb} %n:[%t] %{= db} %+w %{= .y}time: [%c]'

bindkey -k k2 screen                                    # F2  | Create new window
bindkey -k k3 prev                                      # F3  | Previous Window
bindkey -k k4 next                                      # F4  | Next Window
register r "^a:source $HOME/.screenrc^M"                #     | Goes with F5 definition
bindkey -k k5 process r                                 # F5  | Reload profile
bindkey -k k6 detach                                    # F6  | Detach from this session
bindkey -k k7 copy                                      # F7  | Enter copy/scrollback mode
register t "^aA^aa^k^h"                                 #     | Goes with the F8 definition
bindkey -k k8 process t                                 # F8  | Re-title a window

In order to have updated window names, it is important that the above Bash configuration regarding the PS1 variable, has been enabled. If not, then there will be no updated window names!

This configuration file was used to create the following screenshot:

References

Some options were taken out of the Byobu configuration file, others were found on the Interweb.

So I started gathering information, reading articles and fiddling my own IPtables firewall script.

Eventually over the years, the script quite big and is still easy to maintain.

The script itself has quite a lot of comments and should explain itself.

#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start/stop firewall script from hell
### END INIT INFO


# Description: Simple firewall script
# Author: Johnny Morano 
# Version: 0.04
# Usage:
#    ./firewall.sh 


#---------#
# History #
#---------#
 
# 0.01 .... Initial release, based on http://iptables-tutorial.frozentux.net/iptables-tutorial.html
# 0.02 .... Added more security by reading http://www.brandonhutchinson.com/iptables_fw.html
# 0.03 .... Added even more shit thanks to http://danieldegraaf.afraid.org/info/iptables/examples
# 0.04 .... Using ULOGD now for traffic accounting (inspired by http://tumbleweed.org.za/2008/04/02/bandwidth-accounting-ulogd)
# 0.05 .... Loading modules through modprobe

#---------------#
# Configuration #
#---------------#

IPTABLES=/sbin/iptables
SYSCTL=/sbin/sysctl
MODPROBE=/sbin/modprobe

#----------------#
# Initialization #
#----------------#

echo 
echo "    #---------------------------#"
echo "    # Firewall Script From Hell #"
echo "    #---------------------------#"
echo "                 by Johnny Morano"
echo

#
# Module loading
#
echo "Preload IP-Tables modules..."
$MODPROBE ip_tables
$MODPROBE iptable_nat
$MODPROBE iptable_mangle
$MODPROBE iptable_filter
$MODPROBE ipt_REJECT
$MODPROBE ipt_ULOG
$MODPROBE nf_nat
$MODPROBE nf_conntrack
$MODPROBE nf_conntrack_ipv4
$MODPROBE nf_conntrack_ftp

#
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
#
echo "Enable network security settings..."
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#
# Drop source routed packets
#
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#
# Enable TCP SYN cookie protection from SYN floods
#
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#
# Don't accept ICMP redirect messages
#
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#
# Don't send ICMP redirect messages
#
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

#
# Enable source address spoofing protection
#
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

#
# Log packets with impossible source addresses
#
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#
# Disable some ICMP settings that can be insecure
# Some of these were already disabled by the above echo statements
#
echo "Disable some ICMP settings..."
$SYSCTL -q -w net.ipv4.icmp_ignore_bogus_error_responses=1
$SYSCTL -q -w net.ipv4.icmp_echo_ignore_all=0
$SYSCTL -q -w net.ipv4.icmp_echo_ignore_broadcasts=1
$SYSCTL -q -w net.ipv4.icmp_ratelimit=1000

echo "Enable some extra network security..."
$SYSCTL -q -w net.ipv4.conf.all.accept_redirects=0
$SYSCTL -q -w net.ipv4.conf.all.accept_source_route=0
$SYSCTL -q -w net.ipv4.conf.all.rp_filter=1
$SYSCTL -q -w net.ipv4.conf.all.log_martians=1
$SYSCTL -q -w net.netfilter.nf_conntrack_acct=1

#
# Prevent SYN flood
#
$SYSCTL -q -w net.ipv4.tcp_syncookies=1

#
# Don't accept TCP connections unless we were here for their establishment
#
if [ -e /proc/sys/net/netfilter/ ]; then
        $SYSCTL -q -w net.netfilter.nf_conntrack_tcp_loose=1
else
        $SYSCTL -q -w net.ipv4.ip_conntrack_tcp_loose=1
fi
 
#
# Create policies and flush chains, then delete rules
#
echo "Creating default policies..."
$IPTABLES -P INPUT ACCEPT  
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP  

echo "Flushing and deleting chains..."
for type in filter mangle nat; do
        echo "- Flushing, deleting and zeroing chains for $type"
        $IPTABLES -t $type -F
        $IPTABLES -t $type -X
        $IPTABLES -t $type -Z
done

# 
# Accounting stuff
#
echo "Creating accounting chains"
$IPTABLES -t mangle -N incoming
$IPTABLES -t mangle -N outgoing
$IPTABLES -t mangle -F incoming
$IPTABLES -t mangle -F outgoing

#$IPTABLES -t mangle -A incoming -p tcp --dport 80  -m comment --comment  "Incoming http TCP connections"
#$IPTABLES -t mangle -A incoming -p tcp --dport 443 -m comment --comment  "Incoming http/ssl TCP connections"
#$IPTABLES -t mangle -A incoming -p tcp --dport 22  -m comment --comment  "Incoming ssh TCP connections"
#$IPTABLES -t mangle -A incoming -p tcp --dport 21  -m comment --comment  "Incoming ftp TCP connections"
#$IPTABLES -t mangle -A incoming -p tcp --dport 25  -m comment --comment  "Incoming smtp TCP connections"
$IPTABLES -t mangle -A incoming -p tcp -m comment --comment  "Incoming TCP connections"

$IPTABLES -t mangle -A incoming -p udp -m comment --comment  "Incoming UDP connections"
$IPTABLES -t mangle -A incoming -p icmp -m comment --comment "Incoming ICMP connections"

$IPTABLES -t mangle -A outgoing -p tcp -m comment --comment  "Outgoing TCP connections"
$IPTABLES -t mangle -A outgoing -p udp -m comment --comment  "Outgoing UDP connections"
$IPTABLES -t mangle -A outgoing -p icmp -m comment --comment "Outgoing ICMP connections"

echo "Adding accounting to PRE- and POSTROUTING"
$IPTABLES -t mangle -A PREROUTING -i eth0 -j incoming
$IPTABLES -t mangle -A POSTROUTING -o eth0 -j outgoing

#
# Create a LOGDROP chain to log and drop packets
#
echo "Creating LOGDROP chain..."
$IPTABLES -N LOGDROP
$IPTABLES -F LOGDROP
#$IPTABLES -A LOGDROP -j LOG --log-prefix "firewall dropped packet: " --log-tcp-options --log-ip-options --log-uid -m limit --limit 2/sec
$IPTABLES -A LOGDROP -j ULOG --ulog-prefix "FIREWALL DROPPED" --ulog-nlgroup 1
$IPTABLES -A LOGDROP -p tcp -j REJECT --reject-with tcp-reset -m comment --comment "Reject TCP connections with tcp-reset"
$IPTABLES -A LOGDROP -p udp -j REJECT --reject-with icmp-port-unreachable -m comment --comment "Reject UDP connections with icmp-port-unreachable"
$IPTABLES -A LOGDROP -j DROP

#
# Create TCP_CHAIN chain
#
for CHAIN in TCP_CHAIN BAD_TCP TCP_SLOWLORIS ICMP_CHAIN UDP_CHAIN ; do
        echo "Creating chain $CHAIN..."
        $IPTABLES -N $CHAIN
        $IPTABLES -F $CHAIN
done

#----------------#
# Firewall rules #
#----------------#
#

#
# allow localhost services
#
echo "Accept localhost connections..."
$IPTABLES -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

#
#
# Allow network connections which have already been established (started by host) and related to your connection.
# FTP requires this as it may use various ports in support of the file transfer.)
#
echo "Set up established state..."
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow established incoming connections"
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow established outgoing connections"

#
# Block Fragments
#
echo "Drop Fragments on INPUT"
$IPTABLES -A INPUT -f -j LOGDROP -m comment --comment "Fragments Packets"

#
# Block bad TCP stuff
#
echo "Drop bad TCP packets (portscans, spoofing, ...)"
$IPTABLES -A BAD_TCP -p tcp ! --syn -m state --state NEW -j LOGDROP -m comment  --comment "Drop Sync"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags ALL ALL -j LOGDROP -m comment           --comment "XMAS Scan"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags ALL NONE -j LOGDROP  -m comment         --comment  "NULL Scan"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOGDROP -m comment --comment "Merry XMAS Scan"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags ALL FIN,URG,PSH -j LOGDROP -m comment   --comment "NMAP XMAS Scan"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags ALL PSH,ACK -m state --state RELATED -j LOGDROP -m comment --comment "Drop ALL PSH,ACK state RELATED"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags ALL SYN,ACK,PSH -j LOGDROP -m comment   --comment "Drop ALL SYN,ACK,PSH"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags ALL SYN,PSH -j LOGDROP -m comment       --comment "Drop ALL SYN,PSH"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP -m comment   --comment "SYN/RST Scan"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags RST,FIN RST,FIN -j LOGDROP -m comment   --comment "RST/FIN Scan"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags SYN,URG SYN,URG -j LOGDROP -m comment   --comment "SYN/URG Scan"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset -m comment --comment "SYN/ACK Attack"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGDROP  -m comment  --comment  "SYN/FIN Scan"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags SYN,ACK NONE -j LOGDROP -m comment      --comment "Drop SYN,ACK NONE"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags ACK,FIN FIN -j LOGDROP -m comment       --comment "Drop ACK,FIN FIN"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags ACK,PSH PSH -j LOGDROP -m comment       --comment "Drop ACK,PSH PSH"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags ACK,URG URG -j LOGDROP -m comment       --comment "Drop ACK,URG URG"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags FIN,ACK FIN -j LOGDROP  -m comment      --comment  "Fin Packets Scan"
$IPTABLES -A BAD_TCP -p tcp --tcp-flags FIN,RST FIN,RST -j LOGDROP -m comment   --comment "Drop FIN,RST FIN,RST"

#
# Add BAD_TCP chain as 1st rule to TCP_CHAIN
# 
$IPTABLES -A TCP_CHAIN -j BAD_TCP
 
# ICMP rules
# Allow ping and traceroute
#
echo "Allow ping and traceroute..."
$IPTABLES -A ICMP_CHAIN -p icmp -s 0/0 --icmp-type 8 -j ACCEPT -m comment --comment "Allow ICMP ping"
$IPTABLES -A ICMP_CHAIN -p icmp -s 0/0 --icmp-type 11 -j ACCEPT -m comment --comment "Allow ICMP traceroute"


##
## Disable port-scans (part 1)
## 
#echo "Disable portscans..."
#$IPTABLES -A INPUT -m recent --update --hitcount 16 --name portscanblock --seconds 3600 -j LOGDROP
#$IPTABLES -A INPUT -m recent --name portscanblock --set -m tcp -p tcp --tcp-flags ! SYN,RST,ACK,FIN SYN -j LOGDROP

#
# Prevents more than 2 SSH connections per minute, to slow down SSH scans
# Allow connections to SSH server, but only allow 2 connections from one IP
#
echo "Allow only 2 SSH connections /minute and not more than 4 connections in total..."
$IPTABLES -A TCP_CHAIN -p tcp -m tcp --dport 22 -m recent --update --hitcount 2 --seconds 60 --name sshsin -j LOGDROP -m comment --comment "Drop SSH connection if more than 2 in 60 secs"
$IPTABLES -A TCP_CHAIN -p tcp --syn --dport 22 -m connlimit --connlimit-mask 32 --connlimit-above 4 -j LOGDROP -m comment --comment "Don't allow more than 4 connections"
$IPTABLES -A TCP_CHAIN -p tcp -m tcp --syn --dport 22 -m recent --set --name sshsin -j ACCEPT -m comment --comment "Allow TCP connections to ssh"

#
# Allow traffic to webserver
#
echo "Allow web traffic..."
# Small defense against slowloris
$IPTABLES -A TCP_CHAIN -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j LOGDROP -m comment --comment "Allow only 20 connections per IP to port 80"
# This chain will be provisioned from /root/bin/block_slowloris_attacks.sh
$IPTABLES -A TCP_CHAIN -p tcp --dport 80 -j TCP_SLOWLORIS

$IPTABLES -A TCP_CHAIN -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow TCP connections to http"
$IPTABLES -A TCP_CHAIN -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow TCP connections to https"

#$IPTABLES -A TCP_CHAIN -p tcp --dport 6000 -j ACCEPT -m comment --comment "Allow TCP connections to X11"
#$IPTABLES -A TCP_CHAIN -p udp --dport 6000 -j ACCEPT -m comment --comment "Allow UDP connections to X11"

#
# Allow traffic to mail platform
#
echo "Allow mail traffic..."
$IPTABLES -A TCP_CHAIN -p tcp --dport  25 -j ACCEPT -m comment --comment "Allow TCP connections to smtp"
$IPTABLES -A TCP_CHAIN -p tcp --dport 110 -j ACCEPT -m comment --comment "Allow TCP connections to pop3"
$IPTABLES -A TCP_CHAIN -p tcp --dport 143 -j ACCEPT -m comment --comment "Allow TCP connections to imap"
$IPTABLES -A TCP_CHAIN -p tcp --dport 465 -j ACCEPT -m comment --comment "Allow TCP connections to smtps"
$IPTABLES -A TCP_CHAIN -p tcp --dport 993 -j ACCEPT -m comment --comment "Allow TCP connections to imaps"
$IPTABLES -A TCP_CHAIN -p tcp --dport 995 -j ACCEPT -m comment --comment "Allow TCP connections to pop3s"

#
# Allow traffic to FTP server
#
echo "Allow FTP traffic..."
$IPTABLES -A TCP_CHAIN -p tcp --dport 20 -j ACCEPT -m comment --comment "Allow TCP connections to ftp-data"
$IPTABLES -A TCP_CHAIN -p tcp --dport 21 -j ACCEPT -m comment --comment "Allow TCP connections to ftp"
$IPTABLES -A TCP_CHAIN -p tcp --dport 989 -j ACCEPT -m comment --comment "Allow TCP connections to ftps-data"
$IPTABLES -A TCP_CHAIN -p tcp --dport 990 -j ACCEPT -m comment --comment "Allow TCP connections to ftps"
$IPTABLES -A TCP_CHAIN -p tcp --dport 115 -j ACCEPT -m comment --comment "Allow TCP connections to sftp"
$IPTABLES -A INPUT -m helper --helper ftp -j ACCEPT


#
# Allow traffic to DNS server
#
echo "Allow FTP traffic..."
$IPTABLES -A TCP_CHAIN -p tcp --dport 53 -j ACCEPT -m comment --comment "Allow TCP connections to dns"
$IPTABLES -A UDP_CHAIN -p udp --dport 53 -j ACCEPT -m comment --comment "Allow UDP connections to dns"

#
# Allow traffic to database server (needed for replication)
#
echo "Allow MYSQL traffic..."
$IPTABLES -A TCP_CHAIN -p tcp --dport 3306 -s 88.198.65.228 -j ACCEPT -m comment --comment "Allow TCP connections to mysql"
$IPTABLES -A UDP_CHAIN -p udp --dport 3306 -s 88.198.65.228 -j ACCEPT -m comment --comment "Allow UDP connections to mysql"

#
# Allow traffic to NTP server
#
echo "Allow NTP traffic..."
$IPTABLES -A TCP_CHAIN -p tcp --dport 123 -j ACCEPT -m comment --comment "Allow TCP connections to ntp"
$IPTABLES -A UDP_CHAIN -p udp --dport 123 -j ACCEPT -m comment --comment "Allow UDP connections to ntp"

#
# Allow traffic to torrent
#
echo "Allow torrent traffic..."
$IPTABLES -A TCP_CHAIN -p tcp --dport 6959 -j ACCEPT -m comment --comment "Allow TCP connections to torrent"
$IPTABLES -A UDP_CHAIN -p udp --dport 6959 -j ACCEPT -m comment --comment "Allow UDP connections to torrent"

#
# Allow traffic to DCC
#
echo "Allow DCC traffic..."
$IPTABLES -A UDP_CHAIN -p udp --dport 6277 -j ACCEPT -m comment --comment "Allow UDP connections to DCC"

#
# Needed for portscan block (part 2)
#
#$IPTABLES -A INPUT -m recent --set --name portscanblock

#
# Allow the ICMP_CHAIN, TCP_CHAIN and UDP_CHAIN chains on INPUT
# 
echo "Add ICMP_, TCP_ and UDP_CHAIN to INPUT..."
$IPTABLES -A INPUT -p icmp -j ICMP_CHAIN
$IPTABLES -A INPUT -p tcp  -j TCP_CHAIN
$IPTABLES -A INPUT -p udp  -j UDP_CHAIN

#
# debugging and logging
#
echo "Log and drop everything else..."
$IPTABLES -p ALL -A INPUT -j LOGDROP -m comment --comment "Drop all packets"

The script should run as the root user (since it will be restarting services or processes), and can easily be configured as a cron job.

Let’s say you’ve saved your script in /root/bin/services_watchdog.pl, then the cronjob could look like:

# Check if main services are still running
*/5 * * * * /root/bin/services_watchdog.pl

This will check every 5 minutes if all required processes are running.

The script itself will start with:

#!/usr/bin/perl
use strict; use warnings;
use Proc::ProcessTable;

The script uses Proc::ProcessTable to retrieve a full process list.
The processes it should monitor, are easily defined in a hash:

my %services_table = (
        'MySQL' => {
                'cmd' => '/etc/init.d/mysql restart',
                're' => '/usr/sbin/mysqld --basedir=/usr',
        },
        'Postfix' => {
                'cmd' => '/etc/init.d/postfix restart',
                're' => '/usr/lib/postfix/master',
        },
# ...
);

The actual processing of the process list can be done in a minumum of lines:

my %nok_services = %services_table ;
my $services = join '|', map {$services_table{$_}->{'re'}} keys %services_table;

my $process_table = Proc::ProcessTable->new;

foreach my $process ( @{ $process_table->table } ) {
        if($process->cmndline =~ m/($services)/) {
                my $proc_name = (grep { $1 =~ m/Q$services_table{$_}->{'re'}E/} keys %services_table)[0];
                delete $nok_services{$proc_name}                                  if exists($nok_services{$proc_name});
                $services = join '|', map {$services_table{$_}->{'re'}}           keys %services_table;
        }
}

Finally, the script tries to restart the missing service and prints a log message:

foreach my $process (keys %nok_services) {
        print "$process NOT running! Restarting...n";
        system($nok_services{$process}->{'cmd'});
        if ($? == -1) {
                print "failed to execute: $!n";
        }
        elsif ($? & 127) {
                printf "child died with signal %d, %s coredumpn", ($? & 127),  ($? & 128) ? 'with':'without';
        }
        else {
                printf "child exited with value %dn", $? >> 8;
        }
}

And that’s all folks!

The process is actually fairly simple, and this should be practically the biggest reason to automate this process.
DCC will create a text file for every email it checks (whether you like it or not), in /var/dcc/log. The bottom of those files contain variables and HEX values which are required to white- or blacklist messages in the DCC server.

Example of a text file generated by DCC (such the bottom actually):

### end of message body ########################
unknown-->spam
dccifd  global-log  

X-DCC-musashi-Metrics: musashi.moretrix.com 32702; bulk Body=many Fuz1=many
        Fuz2=many
                            reported: 1 spam          checksum  server wlist
                       IP: e475b896 492c60fc efecb432 6e29e3c5
                 env_From: c339fff7 216652a7 36a8ffa4 692ca3c1
                     From: 21eadc86 d5fa588e 2de85418 e2e18829
          substitute helo: e34e261c 6c7e0450 454065a8 a19f7b6c          many
               Message-ID: 48f0f506 f391cb50 5c9a8033 ff5c6bbb
                 Received: 4683ff3f 121cf370 ffb45478 dad90632
                     Body: 9b8a1cda 67a889ba 5d78d440 3b27da17       1
                     Fuz1: 27c25f69 0894e8b9 b5efa920 959aef57       1
                     Fuz2: 84451221 40f95ad5 fe80b2ef a0d1e5fd       1
     substitute mail_host: 956f550f f8dadf7e 38637790 756f8240

result: reject

In most cases, black- or whitelist entries will be created based on the fields ‘Body’, ‘Fuz1’ or ‘Fuz2’ (or all three will be added), but it is also possible to create criteria based on ‘IP’, ‘From’, …

Quick Overview of the process:

1. Locate the correct text file in /var/dcc/log
2. Grab the fields you want to white- or blacklist
3. prefix these fields with either ‘many hex’ or ‘ok’
4. Add those fields to the corresponding file in /var/dcc

In my case, I’ve created a file called /var/dcc/blacklist_spam which is included from /var/dcc/whiteclnt

The script goes as follows:

#!/usr/bin/perl
use strict;
use warnings;

use Getopt::Long;

my $fields = 'Body,Fuz1,Fuz2';
my $result = GetOptions("fields=s", $fields);

my $criteria = @ARGV;

chdir '/var/dcc/log' or die "Kak: $!";
my @blacklist;
foreach my $crit (@{$criteria}){
        print "criteria: $critn";
        open my $grep, '-|', "grep -l '$crit' *" or die "Kak: $!";
        my @files = <$grep>;
        close $grep;

        foreach my $file (@files){
                $fields =~ s/,/|/g;
                open my $grep, '-|', "egrep '^ *($fields)' $file" or die "Kak: $!";
                my @hexes = <$grep>;
                close $grep;

                map { s/^s*/manythext/; s/((S+s*){7}).*/$1/; } @hexes;
                push @blacklist, @hexes
        }
}

open my $blacklist, '>>', '/var/dcc/blacklist_spam' or die "Kak: $!";
print {$blacklist} $_ foreach @blacklist;
close $blacklist;

print "Written " . scalar @blacklist . " to /var/dcc/blacklist_spamnn";

The criteria I use in order to search the emails is usually the Message-ID field, since this should be a unique identifier.

# dcc_block 20101008111306.31259.876787136.swift@email.addemar.com

• ps
• top
• htop

But most of the times, they will not give a correct view of what is really going on, and most of the times we want to see totals instead of individual processes with their resource consumption.

Since Perl is one of the default scripting languages on almost every UNIX/Linux flavour, we will use this language to create a script which will allow us to get general overview of how much an application is really using up (all childs processes, threads, …).

The script uses two functions:

• get_proc_list()
• print_sorted()

sub get_proc_list {
    my($ps_fields, $key) = @_;

    my $ps_cmd = "ps -T -e -o $ps_fields,$DEFAULT_FIELDS --sort $ps_fields";
    my @process_list = do {
        open my $cmd, '-|', $ps_cmd or die "Kak: $!n";
        <$cmd>;
    };

    my %top_res;
    foreach my $cmd (@process_list[1.. $#process_list]){
        $cmd =~ s/^s*//;
        $cmd =~ s/s*$//;
        my(@fields) = split /s+/, $cmd;

        $top_res{"$fields[-1]_$fields[-2]"}->{ "${ps_fields}_sum" } += $fields[0];
    }

    my @sorted_keys = sort { 
            $top_res{$b}->{"${ps_fields}_sum"} <=> $top_res{$a}->{"${ps_fields}_sum"} 
        } 
        keys %top_res;

    return (%top_res, @sorted_keys, "${ps_fields}_sum");
}

This function executes the ps command and will create a sum of the resource values per application and user. These values will be sorted in a descended way (highest will be first element in the list).

sub print_sorted {
    my($data, $sorted_keys, $sum_key, $limit) = @_;

    $limit ||= $#{$sorted_keys};

    my ($title) = ($sum_key =~ m/(.*?)_sum$/);

    print "====================[ TOP $limit OF $title ]======================n";
    foreach my $key ( @$sorted_keys[0..$limit] ) {
        my ($app, $user) = ( $key =~ /(.*?)_([^_]+)$/ );
    
        printf "%9.2ft%16st%16sn", $data->{$key}->{$sum_key}, $app, $user;
    }
    print "="x60, "nn";

}

This function will print out the data structures returned by get_proc_list().

We call these functions in one liner statements like:

print_sorted( get_proc_list('pcpu'), 20 );
print_sorted( get_proc_list('pmem'), 20 );
print_sorted( get_proc_list('rss'), 10 );

Sample output:

====================[ TOP 5 OF pcpu ]======================
     5.50	     firefox-bin	         dieterw
     2.90	          chrome	            phil
     2.60	            java	            dave
     2.50	 plugin-containe	             rob
     2.50	     firefox-bin	            dave
     2.40	     firefox-bin	             rob
============================================================

====================[ TOP 5 OF pmem ]======================
   375.10	            java	            dave
   346.00	            java	           fredv
    49.00	     firefox-bin	           fredv
    40.30	            java	         dieterw
    28.00	             exe	            phil
    19.20	 console-kit-dae	            root
============================================================

====================[ TOP 3 OF rss ]======================
123533296.00	            java	            dave
117568200.00	            java	           fredv
16021180.00	     firefox-bin	           fredv
14749020.00	            java	         dieterw
============================================================