Ulogd-viz, visualize iptables / netfilter / ufw logs

I have iptables on a couple of different Linux hosts. There are a number of tools that allow you to centralize the logs of different hosts (and services) but they often focus on some form of alert management. I need something that allows me to gather the logs from different hosts, put them all in one central database and then generate some statistics on this data.

Iptables logs to the local syslogger but ulogd allowsRead more.

Install ModSecurity on Ubuntu (from source)

ModSecurity is an embeddable web application firewall or WAF. It can be installed as part of your existing web server infrastructure.

ModSecurity is available as a package for different Linux distributions but these versions are often outdated. I installed ModSecurity from source on Ubuntu 12.0.4 LTS.

Start by downloading the source tarball from the ModSecurity website. The full code is available via GitHub and the links to the tarballs are available from the home page.

Read more.

Different shell types: interactive, non-interactive, login

Shells control how you interact with your computer systems. I always switch between the Bourne shell (sh), Korn shell (ksh) and Bourne-Again shell (bash) but there are numerous others.

There are three types of shells

a login shell; an interactive shell; a non-interactive shell.

The type of shell defines what set of features you can use. Choosing the type of shell is important to achieve your goal(s).

A login shell is the shell that isRead more.

HTTP POST from PHP

Sometimes it can be useful to do a HTTP GET or HTTP POST request from a PHP script. I used to use curl to do this but there’s a ‘cleaner’ way to do this.

For reference, this is how to do the HTTP POST request in curl from PHP

The PEAR – PHP Extension and Application Repository contains a number of useful reusable PHP components.

The component we are going to use is HTTP_Request2. YouRead more.

NMAP Open Service Scan – Open resolver test

From the CERT.be website : Open DNS resolvers are frequently being abused to conduct efficient DDoS attacks towards websites, infrastructure and services..

You can detect open resolvers on your network with a vulnerability information management tool (for example Qualys), via the Open Resolver Project or manually with an nmap command.

Keeping track of the different output files becomes more difficult if you have to do this often. I wrote a script that imports the nmapRead more.

tiny Web Url Scanner

For a new project I needed a tool that could scan a web server for the http status code of different URLs and have the results listed in a easily parseable result. The URLs are typical Linux resources (f.e. the password file, the hostname, services file, …) that could lead to disclosing sensitive system information.

There are already a number of tools that can achieve this but none really provided the output that I needed.Read more.

Catch all web script

It can sometimes be useful to have a script that captures all the HTTP requests and that logs these requests to a file. The PHP script below works for me. I use this script in combination with the htaccess file to catch all web page requests and redirect them to one file.

The .htaccess file :

The apache config for the virtual host is straightforward.

Harvesting Facebook, Twitter and other web service accounts

This post demonstrates how relatively easy it is to setup a system that harvests user credentials (username and password) for different web services (Facebook, Twitter, Yahoo).

For this exercise we’ll use two machines :

An end-user laptop or desktop with a browser; Kali Linux with a number of pentesting tools. The Kali Linux machine needs at least one network interface with internet connection.

The exercise scenario involves three major steps :

HaveRead more.

The Linux password file, /etc/passwd

The /etc/passwd file stores crucial information which is required during login on Linux systems.

A line in /etc/passwd is one entry for a user account. The fields are separated by a colon (:).

The format is as follows (note that for the purpose of formatting the display, the line is split. A real /etc/passwd file would have all the data on one line).

If the password field (2) contains an X then the encryptedRead more.

Nmap scan through TOR

TOR (https://www.torproject.org/) is a great project if you want to take care of your privacy. You can use TOR to proxy your nmap scans making it very difficult for the scanned network to find the source.

First check that you have TOR installed. It should be listening on a local network port tcp/9050.

You also need to install a package called proxychains that will proxy all the traffic through TOR. Proxychains has its configuration fileRead more.