Using IPTables with Dynamic IP hostnames like dyndns.org

Whenever IPTables has a hostname in a rule it looks up the hostname’s IP address and uses that instead of the actual hostname – so it’s stuck with the IP until the next time IPTables is flushed/restarted. Here’s a quick little python script to stick in a crontab which checks the IP of your dynamic IP hostname (free ones provided by dyndns.org) and will restart iptables if it catches a change in your hostname. The script was made for CentOS so should work on Red Hat based distributions – if you don’t have an /etc/init.d/iptables file you’ll have to modify the reload iptables command in the source. Viewable Source After Jump

I just set this up as root and in root’s crontab.

Download Source

Continue reading

Bash Script: Confirm domains in your DNS Bind server are still pointed at your address (haven’t moved to other DNS)

Here’s a quick script I wrote last year which I forgot about until today. I thought I should share it since it works fairly well with some modifications – it could be refined/improved quite a bit; I’m not the best bash/shell scripter. Be prepared to get your hands dirty with mods if you want to use this. Here’s a quick run down & description of what’s going on.

The script’s input is the bind9 file containing all zone entries you want to confirm are pointed to your server, I suggest making a copy – not working with any live configs. The script will run an lookup using `host -t ns` on google’s DNS server to find out what the outside world thinks the domains’ name servers are; I tried `whois` in the past but it was too unreliable due to timeouts & limits on the number of calls per minute. Then it checks the results of that host lookup against the hostnames, all capitalized hostnames, and IP addresses of your DNS servers (3 in my case). If any one of the DNS servers matches than we know the domain is still using our DNS. The other options are 1) it doesn’t find any DNS servers that are ours 2) it finds the phrase ‘not found’ which host returns if the domain is expired or there are no ‘NS’ type records in DNS. The script echos to shell what DNS servers match as it runs, but it only logs the DNS servers that don’t have any matches (so they can be removed by automation or manually later).

With the zone-audit.log output I then can remove the domains that aren’t using our DNS since they’re no longer in use. Please leave feedback in the comments if you think of a good improvement.

Code after the jump or Here
Continue reading

Using fail2ban to open back door ports in your iptables [Port Knocking]

The opposite of fail2ban would probably be called auth2allow (authenticate to allow) or fail2allow – but that’s not necessary because fail2ban’s configs can be customized to do exactly what I’m talking about. What am I talking about you ask? Basically what I’ve done and am about to explain how to do is setup fail2ban to look for a successful login on a FTP to allow the authenticated IP to get access to another port that isn’t as secure as FTP so is usually 100% black listed in IPTables. It’s just a hack of a security mechanism to allow your self or others into places securely through obscure means. Like most security it’s not perfect but it seems pretty solid in my mind.

If someone can authenticate on the FTP (could even be anonymous ftp, but I’d recommend using a special username you want to specifically grant access) then fail2ban triggers an ALLOW command for their IP on some port (or all ports), for example SSH (22) or apache https (443) with a private site on it that you want to keep private and totally hidden from the internet at large. This concept could really apply to anything. Any command IPTables can run can be triggered through something fail2ban sees in a log file basically, the possibilities are endless. In my example I’ll use https, port 443, but in real life I’m using an obscure port number and the program running on it that is not very secure by default.

So here are my slightly modified configuration files for setting up a custom fail2ban service that does the opposite of what fail2ban typically does.

Continue reading

GNUmp3d init.d with PIDs for running multiple instances of GNUmp3d

I made some modifications to my original gnump3d init.d script when I needed more than one instance of GNUmp3d running (for multiple folders completely separated). I still haven’t quite figured out how to get the tag database to work for my second GNUmp3d instance, if anyone can help please leave a comment. Here’s the script and some brief instructions:

Continue reading

MRTG Indexmaker Interface + Description

I like to have interfaces and description, not one or the other. So I do this. Use your favorite editor to open indexmaker: vi /usr/bin/indexmaker

Find this part:

for ($$opt{section}) {
#    ...Skip ahead to descr...
            /^descr(iption)?$/ &&
              do{
                  $section = "No Description for $item";
                  $$rcfg{setenv}{$item} =~ /MRTG_INT_DESCR="(.+?)"/  #"
                        and $section = $1;
                  $$rcfg{pagetop}{$item} =~
                          m,&lt;td>Description:&lt;/td&gt;\s*&lt;td&gt;\Q$section\E\s*([^&lt; ][^&gt;]+?)</td>,i
                        and $section = $1;
                  last;
              };

The first `and $section = $1;` is a catch all to assign the interface name if there’s no description. The second one overwrites it, replacing the int name if it does find a description. So all you need to do is modify the second instance of `and $section = $1;` to:

and $section = $section . " - " . $1;

And your MRTG index is infinitely improved!

Setting up my HDTV HTPC with xUbuntu 8.10

Here my chronicle of fixes and tasks I had to go through while setting up my HDTV HTPC / home server.

I upgraded from an older xUbuntu to xUbuntu 8.10 64-bit and the first thing I had to do is restore the windows file share where I backed up configurations, samba shares, and my Adaptec SATA Raid 1210SA. Then I had to conquer ATI’s proprietary drivers and restore my previous install’s server functionality. Next time I’ll be finishing up the HTPC portion by configuring my TV Tuner with mythTV and installing Boxee as well – and maybe integrating the two together if possible.
Continue reading