Table of contents
Testing UDP network flows
See also remplacer_telnet_nc_sous_linux
telnet is handy, but it only works for TCP
!! UDP is not a connection-oriented protocol
Netcat is your friend
$ nc -zvu 127.0.0.1 1-65535
Connection to 127.0.0.1 111 port [udp/*] succeeded!
Connection to 127.0.0.1 161 port [udp/*] succeeded!
Connection to 127.0.0.1 897 port [udp/*] succeeded!
Connection to 127.0.0.1 1900 port [udp/*] succeeded!
Connection to 127.0.0.1 2086 port [udp/*] succeeded!
Connection to 127.0.0.1 5353 port [udp/*] succeeded!
Connection to 127.0.0.1 32964 port [udp/*] succeeded!
Connection to 127.0.0.1 34578 port [udp/*] succeeded!
Connection to 127.0.0.1 37878 port [udp/*] succeeded!
$ nc -uvz serveur 1-162
serveur [172.17.39.87] 162 (snmp-trap) open
serveur [172.17.39.87] 123 (ntp) open
serveur [172.17.39.87] 67 (bootps) open
Otherwise there is Nmap
Netcat - binding to a NIC
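Why nc -zvu reports ports as open that nothing listens on: with UDP the only negative evidence a prober ever gets is an ICMP port-unreachable message from the target, so silence (a firewall dropping the datagram, or a service that does not answer an empty probe) looks exactly like an open port. The Python below is an added example, not code from the page; it reproduces the nc -zu logic on a connected UDP socket (Linux reports the ICMP error as ECONNREFUSED) but keeps three distinct verdicts. The UDP services and ports it uses on 127.0.0.1 are constructed for the demo.

```python
"""UDP probing the way `nc -zu` does it, with the three honest outcomes.

Added example, not from the page. Only an ICMP port-unreachable (type 3,
code 3) proves a port closed; only an application reply proves it open;
silence means "open|filtered" and nothing more.
"""
import socket
import threading


def probe_udp(host, port, payload=b"\x00", timeout=1.0):
    """Return 'open', 'closed' or 'open|filtered' for host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors are reported
        try:
            s.send(payload)
            s.recv(1024)  # a datagram came back: something is listening
            return "open"
        except ConnectionRefusedError:  # ICMP port unreachable was received
            return "closed"
        except socket.timeout:  # no reply and no ICMP error: cannot tell
            return "open|filtered"


def scan_udp(host, ports, timeout=0.3):
    """Probe several ports; like `nc -zvu host 1-65535` but keeps all three states."""
    return {p: probe_udp(host, p, timeout=timeout) for p in ports}


def _udp_service(reply):
    """Constructed UDP service on 127.0.0.1: echoes (reply=True) or stays silent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.1)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(1024)
            except socket.timeout:
                continue
            if reply:
                srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def demo():
    """Probe an echoing service, a silent one, and a port nobody listens on."""
    echo_port, stop_echo = _udp_service(reply=True)
    silent_port, stop_silent = _udp_service(reply=False)
    # a port that was just released is (almost certainly) closed
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    result = scan_udp("127.0.0.1", [echo_port, silent_port, closed_port])
    stop_echo.set()
    stop_silent.set()
    return {"echo": result[echo_port], "silent": result[silent_port],
            "closed": result[closed_port]}


if __name__ == "__main__":
    print(demo())
```

The silent service is the case that matters in practice: nc prints "succeeded!" for it, because nc only treats an ICMP error as failure. Against a host behind a firewall that drops UDP, every port will look that way.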
nc -lnp 3306 192.168.200.62
$ ss -tln | grep 3306
LISTEN 0 1 192.168.200.62:3306 0.0.0.0:*
unixsock - Unix domain sockets
echo -e "GET /containers/omsa82-snmp/stats HTTP/1.0\r\n\r\n" | nc -U /var/run/docker.sock
Other
Bandwidth:
- bwm-ng
- iperf
cat /sys/class/net/eth0/statistics/tx_bytes
# awk '/^Udp:/ { print $5 }' /proc/1565/net/snmp
OutDatagrams
208064
Info
# cat /sys/class/net/eth0/duplex
full
# cat /sys/class/net/eth0/speed
1000
# cat /sys/class/net/eth0/address
08:00:27:56:10:6a
Hot backup of your system with Mondorescue
Installation
/etc/apt/sources.list.d/mondo.list
deb ftp://ftp.mondorescue.org//debian 7 contrib
deb-src ftp://ftp.mondorescue.org//debian 7 contrib
Usage
Example command-line backup
# mondoarchive -OV -i -N -g -d /var/backup -T /var/tmp -S /var/tmp -E "/var/lib/mysql|/var/backup|/var/webapps" -s 4480m -p $HOSTNAME
# mondoarchive -k /boot/vmlinuz-$(uname -r) -OV -i -N -g -d /backup -T /tmp -S /tmp -E "/home|/media|/var/cache|/var/tmp|/run|/mnt" -s 4480m -p $HOSTNAME
Other
i-want-my-lvm
/sbin/lvmdiskscan
/sbin/lvm
i=2
LVM version >= 2.0 found.
Just before you extrapolate mountlist to include RAID partitions, extrapolate it to include the following LVM drives and partitions:-
>>>>> /dev/sda5
To get started, type:-
(insmod dm-mod)
(insmod dm_mod)
# lvm vgchange -an
# echo y | lvm pvcreate -ff /dev/sda5
# lvm vgscan
Create and activate the VG's (volume groups).
# lvm vgcreate root-vg -l 0 -p 0 -s 4.00m /dev/sda5
# lvm vgchange -a y root-vg
Finally, create the LV's (logical volumes).
# lvm lvcreate -L 4096m -r auto -n lv_root root-vg
# lvm lvcreate -L 1024m -r auto -n lv_swap root-vg
# lvm lvcreate -L 10240m -r auto -n lv_home root-vg
# lvm lvcreate -L 3072m -r auto -n lv_tmp root-vg
# lvm lvcreate -L 6144m -r auto -n lv_usr root-vg
# lvm lvcreate -L 6144m -r auto -n lv_var root-vg
# lvm lvcreate -L 12288m -r auto -n lv_opt root-vg
# lvm vgscan
Now you may format the LV's:-
(mkfs -t foo /dev/root-vg/lv_root or something like that)
(mkfs -t foo /dev/root-vg/lv_swap or something like that)
(mkfs -t foo /dev/root-vg/lv_home or something like that)
(mkfs -t foo /dev/root-vg/lv_tmp or something like that)
(mkfs -t foo /dev/root-vg/lv_usr or something like that)
(mkfs -t foo /dev/root-vg/lv_var or something like that)
(mkfs -t foo /dev/root-vg/lv_opt or something like that)
Finally, to shut down and delete the volumes, do this:-
(lvm lvremove -f /dev/root-vg/lv_root)
(lvm lvremove -f /dev/root-vg/lv_swap)
(lvm lvremove -f /dev/root-vg/lv_home)
(lvm lvremove -f /dev/root-vg/lv_tmp)
(lvm lvremove -f /dev/root-vg/lv_usr)
(lvm lvremove -f /dev/root-vg/lv_var)
(lvm lvremove -f /dev/root-vg/lv_opt)
(lvm vgchange -a n root-vg)
(lvm vgremove root-vg)
(rmmod dm-mod & rmmod dm_mod & )
Ansible AWS - Cloud
See: Why Ansible is not a good choice for building your AWS infrastructure
~/.boto
[Credentials]
aws_access_key_id = 01234ABC
aws_secret_access_key = 01234ABC

[Boto]
debug = 0
proxy = 192.168.56.1
proxy_port = 3128
#ec2_region_name = us-east-2
#ec2_region_endpoint = ec2.us-east-2.amazonaws.com
~/.aws/credentials
[default]
aws_access_key_id = 01234ABC
aws_secret_access_key = 01234ABC
~/.aws/config
[default]
#region = us-west-2
region = us-east-2
output = table
pb.yml
#!/usr/bin/env ansible-playbook
---
- name: Configure new server
  hosts: localhost
  vars:
    ansible_python_interpreter: /usr/bin/python3
  roles:
    - aws
roles/aws/tasks/main.yml
---
- ec2_instance:
    name: "test-ansible"
    key_name: "jean@vmdeb1"
    #vpc_subnet_id: subnet-5ca1ab1e
    instance_type: t2.micro
    #security_group: default
    security_group: 'sg-018f964b5b82d2361'
    network:
      assign_public_ip: true
    image_id: ami-05829248ffee66250
  register: new_ec2_instance
- name: DEBUG
  debug: var=new_ec2_instance.instances[0].network_interfaces[0].association.public_ip
iptables firewall on OpenWrt, IPv4
Note: iptables has now been replaced by nftables
See also:
- OPNsense
For ICMP see http://www.oregontechsupport.com/articles/icmp.txt
TODO: copy to git
#!/bin/sh
#
# rc.icmp   Advanced ICMP Filtering with iptables
#
# Version Hx: $Id: rc.icmp,v 1.00 2003/01/28 09:04:10 david Exp $
#             $Id: rc.icmp,v 1.01 2013/09/07 16:59:38 david Exp $
#
################################################################
#                                                              #
# Internet Control Message Protocol (ICMP), documented in RFC  #
# 792, is a required protocol tightly integrated with IP. ICMP #
# messages, delivered in IP packets, are used for out-of-band  #
# messages related to network operation or misoperation. Since #
# ICMP relies on IP, packet delivery is unreliable (as         #
# opposed to TCP).                                             #
#                                                              #
# ICMP functions typically include:                            #
# - Announce network errors                                    #
# - Announce network congestion (source quench)                #
# - Assist troubleshooting (ping)                              #
# - Announce timeouts (traceroute)                             #
#                                                              #
# Be cautious; blocking ICMP can have unpredictable results.   #
# You may find that your TCP/IP connectivity may break.        #
#                                                              #
# A good resource for ICMP filtering can be found at:          #
# www.oregontechsupport.com/articles/ICMP_Scanning_v3.0.pdf    #
#                                                              #
# Netfilter (iptables) can implement the ICMP Extension by     #
# name (e.g., "host unreachable"), numeric type (e.g., "3"),   #
# or a numeric type and code separated by a "/" (e.g., "3/3"). #
################################################################

################################################################
# ICMP echo-reply (type 0)                                     #
#                                                              #
# Ping scanning is typically used to determine which hosts on  #
# a network are up. Typically this is done by sending ICMP     #
# ECHO request packets to the target host.                     #
################################################################
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT

################################################################
# ICMP types 1-2 are unassigned                                #
################################################################

################################################################
# ICMP destination-unreachable (type 3)                        #
#                                                              #
# Filtering "fragmentation-needed" traffic is a BAD idea.      #
#                                                              #
# Codes                                                        #
#  0 network-unreachable                                       #
#  1 host-unreachable                                          #
#  2 protocol-unreachable                                      #
#  3 port-unreachable                                          #
#  4 fragmentation-needed                                      #
#  5 source-route-failed                                       #
#  6 network-unknown                                           #
#  7 host-unknown                                              #
#  8 Source Host Isolated                                      #
#  9 network-prohibited                                        #
# 10 host-prohibited                                           #
# 11 TOS-network-unreachable                                   #
# 12 TOS-host-unreachable                                      #
# 13 communication-prohibited [RFC1812]                        #
# 14 host-precedence-violation [RFC1812]                       #
# 15 precedence-cutoff [RFC1812]                               #
################################################################
iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT

################################################################
# ICMP Source Quench (type 4)                                  #
#                                                              #
# This is detailed in RFC 792. Filtering this type of          #
# traffic is generally considered a BAD idea.                  #
################################################################
iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT

################################################################
# ICMP Redirect (type 5)                                       #
#                                                              #
# Codes                                                        #
# 0 Redirect Datagram for the Network (or subnet)              #
# 1 Redirect Datagram for the Host                             #
# 2 Redirect Datagram for the Type of Service and Network      #
# 3 Redirect Datagram for the Type of Service and Host         #
################################################################
if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    echo " Kernel ignores all ICMP redirects"
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
fi

################################################################
# ICMP Alternate Host Address (type 6)                         #
# ICMP Unassigned (type 7)                                     #
################################################################

################################################################
# ICMP Echo Request (type 8)                                   #
################################################################
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: "
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
    echo " Kernel answers ICMP Echo requests"
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
fi

################################################################
# Prevention: Smurf IP Denial-of-Service Attacks               #
#                                                              #
# See http://www.cert.org/advisories/CA-1998-01.html           #
################################################################
if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo " Kernel ignores ICMP Echo requests sent to broadcast/multicast addresses"
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

################################################################
# ICMP Router Advertisement (type 9)                           #
# ICMP Router Solicitation (type 10)                           #
#                                                              #
# These are described in RFC 1256.                             #
################################################################

################################################################
# ICMP Time Exceeded (type 11)                                 #
#                                                              #
# Codes                                                        #
# 0 Time to Live exceeded in Transit                           #
# 1 Fragment Reassembly Time Exceeded                          #
################################################################
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT

################################################################
# ICMP Parameter Problem (type 12)                             #
#                                                              #
# Codes                                                        #
# 0 Pointer indicates the error                                #
# 1 Missing a Required Option [RFC1108]                        #
# 2 Bad Length                                                 #
################################################################
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT

################################################################
# ICMP Timestamp (type 13)                                     #
# ICMP Timestamp Reply (type 14)                               #
# ICMP Information Request (type 15)                           #
# ICMP Information Reply (type 16)                             #
# ICMP Address Mask Request (type 17)                          #
# ICMP Address Mask Reply (type 18)                            #
# ICMP Reserved (types 19-29)                                  #
# ICMP Traceroute (type 30)                                    #
# ICMP Datagram Conversion Error (type 31)                     #
################################################################

################################################################
# ICMP bogus error responses                                   #
#                                                              #
# Sometimes you will come across routers that send out invalid #
# responses to broadcast frames. This is a violation of RFC    #
# 1122, "Requirements for Internet Hosts -- Communication      #
# Layers". As a result, these events are logged by the kernel. #
# To avoid filling up your logfile with unnecessary clutter,   #
# you can tell the kernel not to issue these warnings.         #
################################################################
if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo " Kernel ignores bogus responses to broadcast frames"
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi

################################################################
# ICMP Catch-all                                               #
#                                                              #
# There are many more ICMP types than this, but most aren't    #
# implemented in large-scale (yet). We can safely say that     #
# anything not specifically allowed above should be blocked.   #
################################################################
iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: "
iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: "
iptables -A FORWARD -p icmp -m limit -j LOG --log-prefix "ICMP/FWD: "
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP
iptables -A FORWARD -p icmp -j DROP

################################################################
# This document was lovingly handcrafted on a Dell Latitude    #
# C400 laptop running Slackware Linux 8.1, in case anyone      #
# asks.                                                        #
################################################################
# This work is licensed under a Creative
# Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License,
# available at http://creativecommons.org/licenses/by-nc-nd/3.0/
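What the LOG rules in that script actually leave behind, and how to read it back: the rate-limited echo-request rule tags kernel log lines with "ICMP/in/8 Excessive: " and the catch-all rules with "ICMP/IN: ", "ICMP/OUT: " and "ICMP/FWD: ", each followed by the usual IN=/OUT=/SRC=/DST=/PROTO= fields plus TYPE= and CODE= for ICMP. The Python below is an added example, not part of rc.icmp; it parses those lines, reports which sources kept pinging above the 2/s limit, and counts which ICMP types reached the final DROP. The log lines are constructed with RFC 5737 documentation addresses.

```python
"""Parse iptables LOG lines produced by the rc.icmp rules (added example).

Sample lines are constructed; the prefixes are the ones rc.icmp uses.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Sep  7 16:59:38 gw kernel: [ 4242.000001] ICMP/in/8 Excessive: IN=eth0 OUT= MAC=08:00:27:56:10:6a:52:54:00:12:34:56:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Sep  7 16:59:38 gw kernel: [ 4242.100001] ICMP/in/8 Excessive: IN=eth0 OUT= MAC=08:00:27:56:10:6a:52:54:00:12:34:56:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2
Sep  7 16:59:38 gw kernel: [ 4242.200001] ICMP/in/8 Excessive: IN=eth0 OUT= MAC=08:00:27:56:10:6a:52:54:00:12:34:56:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=3
Sep  7 16:59:39 gw kernel: [ 4243.000001] ICMP/in/8 Excessive: IN=eth0 OUT= MAC=08:00:27:56:10:6a:52:54:00:12:34:57:08:00 SRC=192.0.2.20 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=17 SEQ=1
Sep  7 16:59:40 gw kernel: [ 4244.000001] ICMP/IN: IN=eth0 OUT= MAC=08:00:27:56:10:6a:52:54:00:12:34:58:08:00 SRC=192.0.2.30 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=7 PROTO=ICMP TYPE=13 CODE=0 ID=9 SEQ=0
Sep  7 16:59:40 gw kernel: [ 4244.500001] ICMP/IN: IN=eth0 OUT= MAC=08:00:27:56:10:6a:52:54:00:12:34:58:08:00 SRC=192.0.2.30 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=8 PROTO=ICMP TYPE=13 CODE=0 ID=9 SEQ=1
Sep  7 16:59:41 gw kernel: [ 4245.000001] ICMP/OUT: IN= OUT=eth0 SRC=198.51.100.1 DST=192.0.2.40 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=ICMP TYPE=17 CODE=0 ID=3 SEQ=0
Sep  7 16:59:41 gw sshd[1234]: Accepted publickey for jean from 192.0.2.50 port 50222 ssh2
"""

# "kernel:", optional "[ uptime]" stamp, the --log-prefix, then the IN= field block
NF_LINE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(?P<prefix>[^=]*?)\s*IN=(?P<fields>.*)$")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_line(line):
    """Return a dict for an iptables LOG line, or None for any other line."""
    m = NF_LINE.search(line)
    if not m:
        return None
    # two ID= fields exist (IP header, then ICMP); the later one wins, neither is used here
    fields = dict(FIELD.findall("IN=" + m.group("fields")))
    rec = {"prefix": m.group("prefix").strip(),
           "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
           "src": fields.get("SRC"), "dst": fields.get("DST"),
           "proto": fields.get("PROTO")}
    if rec["proto"] == "ICMP":
        rec["type"] = int(fields["TYPE"])
        rec["code"] = int(fields["CODE"])
    return rec


def excessive_ping_sources(lines, threshold):
    """Sources hit by the 'ICMP/in/8 Excessive:' rule at least `threshold` times,
    i.e. hosts that kept sending echo requests faster than the 2/s limit."""
    hits = Counter(r["src"] for r in map(parse_netfilter_line, lines)
                   if r and r["prefix"] == "ICMP/in/8 Excessive:")
    return {src: n for src, n in hits.items() if n >= threshold}


def catch_all_drops(lines):
    """Count (chain prefix, ICMP type) for packets that fell through to the final DROP rules."""
    chains = ("ICMP/IN:", "ICMP/OUT:", "ICMP/FWD:")
    return Counter((r["prefix"], r["type"]) for r in map(parse_netfilter_line, lines)
                   if r and r["prefix"] in chains and r.get("type") is not None)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("excessive pingers:", excessive_ping_sources(lines, 2))
    print("catch-all drops:", catch_all_drops(lines))
```

Note that the catch-all LOG rules carry -m limit with its defaults, so in a real flood the counts are a floor, not the true packet count; the echo-request LOG rule has no limit and logs every dropped ping.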
DRAFT Oops, I made a blunder
Screw-up example 1
chown -R oracle:dba /
How to recover from it (by tuning the ctime and mtime bounds with the values you can find using the stat command):
For the record: the difference between CTIME (change time) and MTIME (modification time). See also man ls [--time={atime,access,use,ctime,status}]
$ cat foo
Hello, World
Updates atime (access time), but not ctime (change time) nor mtime (modification time)
chmod 777 foo
Updates ctime but neither atime nor mtime, because the file itself is not modified, only its metadata (permissions)
echo "Goodbye, World!" > foo
Updates ctime and mtime but not atime.
Reference machine
find / ! -wholename "/proc/*" -type f -fprintf jbset_f.sh "chown %u:%g \"%p\" \n"
find / ! -wholename "/proc/*" -type d -fprintf jbset_d.sh "chown %u:%g \"%p\" \n"
find / ! -wholename "/proc/*" -type l -fprintf jbset_l.sh "chown -h %u:%g \"%p\" \n"
find / ! -wholename "/proc/*" ! -type d -a ! -type f -a ! -type l -fprintf jbset_o.sh "chown %u:%g \"%p\" \n"
find / ! -wholename "/proc/*" -type f -perm /u+s -fprintf jbset_suid.sh "chmod %m \"%p\" \n"
find / ! -wholename "/proc/*" -type f -perm /g+s -fprintf jbset_guid.sh "chmod %m \"%p\" \n"
Machine to fix
bash jbset_f.sh 2>jbset_f.err
bash jbset_d.sh 2>jbset_d.err
bash jbset_l.sh 2>jbset_l.err
bash jbset_o.sh 2>jbset_o.err
Restore the SUID and SGID bits.
bash jbset_suid.sh 2>jbset_suid.err
bash jbset_guid.sh 2>jbset_guid.err
Take a quick look at the logs
cat *.err |grep -v "No such file or directory"
Remaining files to fix
find / -ctime -1 -mtime +2 -user oracle -group dba
Make root the owner of the remaining files
find / -ctime -1 -mtime +2 -user oracle -group dba -type f ! -iname "*oracle*" ! -iwholename "*oracle*" -print0 | xargs -0 chown root:root
find / -ctime -1 -mtime +2 -user oracle -group dba -type d ! -iname "*oracle*" ! -iwholename "*oracle*" -print0 | xargs -0 chown root:root
find / -ctime -1 -mtime +2 -user oracle -group dba -type l ! -iname "*oracle*" ! -iwholename "*oracle*" -print0 | xargs -0 chown -h root:root
Take a look:
find / -user oracle -group dba |grep -iv oracle
A reboot is needed for the char/block/socket devices under /proc, /dev and /sys.
You will (perhaps) have to set the Oracle permissions back as originally intended.
Screw-up example 2
chmod -R 777 /etc
How to recover from it (generate the chmod list on a reference machine whose /etc still has its original permissions, then run /tmp/liste.ksh on the damaged one):
find /etc/ ! -type l ! -type d -exec ls -l {} \; | awk '{ u=substr($1,2,3); gsub("-","",u); g=substr($1,5,3); gsub("-","",g); o=substr($1,8,3); gsub("-","",o); print "chmod u="u",g="g",o="o,$NF }' > /tmp/liste.ksh
find /etc/ -type d -exec ls -ld {} \; | awk '{ u=substr($1,2,3); gsub("-","",u); g=substr($1,5,3); gsub("-","",g); o=substr($1,8,3); gsub("-","",o); print "chmod u="u",g="g",o="o,$NF }' >> /tmp/liste.ksh
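The three recipes above (the ctime/mtime distinction, the jbset_*.sh ownership restore and the /etc mode restore) can be done with one small Python script, given here as an added example that is not from the page. It records uid, gid and permission bits with os.lstat, so SUID/SGID/sticky bits and paths containing spaces or quotes survive (the ls -l | awk version breaks on both, and turns a setuid-without-execute "S" into an invalid chmod), restores them with chown -h / chmod semantics, emits the equivalent shell script with safe quoting, and lists files whose inode changed recently while their content did not, the equivalent of find -ctime -1 -mtime +2. The temporary tree in demo() is constructed; on a real system you would run snapshot() on the reference machine, carry the result over as JSON, and run restore() as root on the damaged one, leaving /proc, /sys, /dev and /run to the reboot.

```python
"""Snapshot and restore ownership/modes; spot metadata-only changes.

Added example, not from the page. Mirrors jbset_*.sh and /tmp/liste.ksh
with os.lstat instead of parsing ls output.
"""
import os
import shlex
import stat
import tempfile
import time

PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")  # recreated at boot; never restore these


def snapshot(root, exclude=PSEUDO_FS):
    """Map path (relative to root) -> uid, gid, permission bits, symlink flag."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if any(dirpath == e or dirpath.startswith(e + "/") for e in exclude):
            dirnames[:] = []  # prune the excluded subtree
            continue
        paths = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        # symlinks to directories sit in dirnames but are never visited as dirpath
        paths += [os.path.join(dirpath, d) for d in dirnames
                  if os.path.islink(os.path.join(dirpath, d))]
        for p in paths:
            st = os.lstat(p)
            entries[os.path.relpath(p, root)] = {
                "uid": st.st_uid, "gid": st.st_gid,
                "mode": stat.S_IMODE(st.st_mode),  # keeps 4000/2000/1000 bits
                "link": stat.S_ISLNK(st.st_mode)}
    return entries


def restore(root, entries):
    """Apply a snapshot; returns how many owners/modes changed and how many paths were missing."""
    done = {"owner": 0, "mode": 0, "missing": 0}
    for rel, want in entries.items():
        p = os.path.join(root, rel)
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            done["missing"] += 1
            continue
        if (st.st_uid, st.st_gid) != (want["uid"], want["gid"]):
            os.lchown(p, want["uid"], want["gid"])  # like chown -h: never follow symlinks
            done["owner"] += 1
        if not want["link"] and stat.S_IMODE(st.st_mode) != want["mode"]:
            os.chmod(p, want["mode"])  # symlink modes cannot be set on Linux
            done["mode"] += 1
    return done


def to_shell(root, entries):
    """The jbset_*.sh idea with safe quoting: one chown (and chmod) per path."""
    lines = []
    for rel, e in entries.items():
        q = shlex.quote(os.path.normpath(os.path.join(root, rel)))
        lines.append(f"chown {'-h ' if e['link'] else ''}{e['uid']}:{e['gid']} {q}")
        if not e["link"]:
            lines.append(f"chmod {e['mode']:o} {q}")
    return "\n".join(lines)


def metadata_only_changes(root, ctime_within=86400, mtime_older=2 * 86400):
    """Like `find -ctime -1 -mtime +2`: inode changed recently, content did not."""
    now = time.time()
    hits = []
    for rel in snapshot(root, exclude=()):
        st = os.lstat(os.path.join(root, rel))
        if st.st_ctime >= now - ctime_within and st.st_mtime < now - mtime_older:
            hits.append(rel)
    return sorted(hits)


def demo():
    """Constructed tree: snapshot it, wreck it like `chmod -R 777`, restore it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        old = os.path.join(root, "etc", "old conf")  # space in the name on purpose
        with open(old, "w") as f:
            f.write("x")
        os.chmod(old, 0o640)
        three_days = time.time() - 3 * 86400
        os.utime(old, (three_days, three_days))  # content "untouched" for days
        tool = os.path.join(root, "etc", "tool")
        open(tool, "w").close()
        os.chmod(tool, 0o4750)  # a SUID bit that must survive the round trip
        os.symlink("old conf", os.path.join(root, "etc", "link"))
        before = snapshot(root, exclude=())
        for rel, e in before.items():  # the blunder: chmod -R 777 (clears SUID too)
            if not e["link"]:
                os.chmod(os.path.join(root, rel), 0o777)
        done = restore(root, before)
        after = snapshot(root, exclude=())
        return {"restored_ok": after == before,
                "suid_kept": after["etc/tool"]["mode"] == 0o4750,
                "changed": done,
                "metadata_only": metadata_only_changes(root),
                "quoted": "'etc/old conf'" in to_shell(".", before)}


if __name__ == "__main__":
    print(demo())
```

The metadata_only_changes() window is the same heuristic as the page's find: a chown or chmod bumps ctime without touching mtime, so "ctime within a day, mtime older than two" picks out exactly the files the blunder touched and nothing that was legitimately written since.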
