diginc » code

Using IPTables with Dynamic IP hostnames like dyndns.org

diginc — Wed, 26 May 2010 15:51:42 +0000

Whenever IPTables has a hostname in a rule it looks up the hostname’s IP address and uses that instead of the actual hostname – so it’s stuck with the IP until the next time IPTables is flushed/restarted. Here’s a quick little python script to stick in a crontab which checks the IP of your dynamic IP hostname (free ones provided by dyndns.org) and will restart iptables if it catches a change in your hostname. The script was made for CentOS so should work on Red Hat based distributions – if you don’t have an /etc/init.d/iptables file you’ll have to modify the reload iptables command in the source. Viewable Source After Jump

I just set this up as root and in root’s crontab.

Download Source

Source:

#!/usr/bin/python
 
import os
 
def gettextoutput(cmd):
    """Return (status, output) of executing cmd in a shell."""
    pipe = os.popen('{ ' + cmd + '; } 2>&1', 'r')
    pipe = os.popen(cmd + ' 2>&1', 'r')
    text = pipe.read()
    if text[-1:] == '\n': text = text[:-1]
    return text
 
home_dyndns = "example.dyndns.org"
log_dyndns = "./new_home_ip_check.log"
last_dyndns = gettextoutput("cat " + log_dyndns)
cur_dyndns = gettextoutput("host " + home_dyndns)
 
print "Log: "+ last_dyndns
print "Cur: "+ cur_dyndns
 
if last_dyndns == cur_dyndns:
    print "IPs match, no restart necessary"
else:
    print "Updating last IP with current"
    os.system("echo '" + cur_dyndns + "' > " + log_dyndns)
    print "Restarting iptables to update"
    os.system("/etc/init.d/iptables restart")

Output looks like:

Log: example.dyndns.org has address 114.76.37.112
Cur: example.dyndns.org has address 114.76.37.112
IPs match, no restart necessary
 
Log: example.dyndns.org has address 114.76.37.113
Cur: example.dyndns.org has address 114.76.37.112
Updating last IP with current
Restarting iptables to update
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

Bash Script: Confirm domains in your DNS Bind server are still pointed at your address (haven’t moved to other DNS)

diginc — Fri, 07 May 2010 16:02:13 +0000

Here’s a quick script I wrote last year which I forgot about until today. I thought I should share it since it works fairly well with some modifications – it could be refined/improved quite a bit; I’m not the best bash/shell scripter. Be prepared to get your hands dirty with mods if you want to use this. Here’s a quick run down & description of what’s going on.

The script’s input is the bind9 file containing all zone entries you want to confirm are pointed to your server, I suggest making a copy – not working with any live configs. The script will run an lookup using `host -t ns` on google’s DNS server to find out what the outside world thinks the domains’ name servers are; I tried `whois` in the past but it was too unreliable due to timeouts & limits on the number of calls per minute. Then it checks the results of that host lookup against the hostnames, all capitalized hostnames, and IP addresses of your DNS servers (3 in my case). If any one of the DNS servers matches than we know the domain is still using our DNS. The other options are 1) it doesn’t find any DNS servers that are ours 2) it finds the phrase ‘not found’ which host returns if the domain is expired or there are no ‘NS’ type records in DNS. The script echos to shell what DNS servers match as it runs, but it only logs the DNS servers that don’t have any matches (so they can be removed by automation or manually later).

With the zone-audit.log output I then can remove the domains that aren’t using our DNS since they’re no longer in use. Please leave feedback in the comments if you think of a good improvement.

Code after the jump or Here

#!/bin/bash
#
 
domains=`sed -n 's/^zone\s*\"\([^\"]*\)\"\s* {[^\r]*/\1/p' /root/confirm-dns-zones/named.master`
date > /root/confirm-dns-zones/zone-audit.log
 
for i in $domains
do
  echo "Checking $i"
  domain_ns=`host -t ns $i 8.8.8.8 | grep "$i"`
  echo $domain_ns
 
  if [[ $domain_ns =~ 'NS1.EXAMPLE' || $domain_ns =~ 'ns1.example' || $domain_ns =~ '4.3.2.1' ]]; then
    echo "$i contains DNS1 (4.3.2.1)"
    match_dns1=TRUE
  else
    #echo "DNS1 NOT FOUND"
    match_dns1=FALSE
  fi;
 
  if [[ $domain_ns =~ 'NS2.EXAMPLE' || $domain_ns =~ 'ns2.example' || $domain_ns =~ '4.3.2.2' ]]; then
    echo "$i contains DNS2 (4.3.2.2)"
    match_dns2=TRUE
  else
    #echo "DNS2 NOT FOUND"
    match_dns2=FALSE
  fi;
 
  if [[ $domain_ns =~ 'NS3.EXAMPLE' || $domain_ns =~ 'ns3.example' || $domain_ns =~ '4.3.2.3' ]]; then
    echo "$i contains DNS3 (4.3.2.3)"
    match_dns3=TRUE
  else
    #echo "DNS3 NOT FOUND"
    match_dns3=FALSE
  fi;
 
  if [[ $match_dns1 == FALSE && $match_dns2 == FALSE && $match_dns3 == FALSE ]]; then
   echo "* ERROR: $i - None of our DNS found for this domain using 8.8.8.8"
   echo $i >> /root/confirm-dns-zones/zone-audit.log
  fi;
 
  if [[ $domain_ns =~ 'not found' ]]; then
    echo "* Possible script error or missing DNS / Expired domain"
    echo "* ERROR: $i - Possible script error or missing DNS / Expired domain" >> /root/confirm-dns-zones/zone-audit.log
  fi 
 
  echo
  echo "----------------"
  echo
  sleep 1
done

Encrypt forms’ passwords before submitting with jquery

diginc — Wed, 05 May 2010 19:49:07 +0000

If a site’s login/registration isn’t encrypted using SSL why would you risk sending a user’s password in plain text to the form’s processing script? Because you didn’t know any better and didn’t read this how-to, that’s why. With today’s average computer and connection speed adding a little encryption and downloading small library (in addition to jquery’s 76k or so) isn’t a big deal. Here’s how I’m encrypting a password before form submission:

Browser/Client side password encryption example
Download Source