Archive for the ‘Networking’ Category

squid max file descriptor – problem and fix

June 29, 2010

Symptoms:
Squid (2.6) stops responding once the number of concurrent connections reaches a certain level.

More symptoms:
Lines like the one below start to appear in /var/log/squid/cache.log:
WARNING! Your cache is running out of filedescriptors

Reason:
Squid's default maximum number of file descriptors is 1024, which can be verified with
/usr/sbin/squidclient -h squid_host_or_ip -p squid_port mgr:info | grep descrip
or
/usr/sbin/squidclient mgr:info | grep descrip
if Squid runs on localhost on the default port.
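
As an added illustration (not from the original post), here is a small Python monitor that parses the mgr:info output the commands above produce and flags when descriptor usage crosses a threshold, so the condition can be caught before the cache.log warning appears. The mgr:info text below is a constructed sample whose field labels follow Squid 2.x; the numbers and the 80% threshold are assumptions.

```python
#!/usr/bin/env python3
import re
import subprocess
import sys

# Constructed, abbreviated sample of "squidclient mgr:info" output.
# Field labels follow Squid 2.x; the numbers are made up for this example.
SAMPLE_MGR_INFO = """\
Squid Object Cache: Version 2.6.STABLE21
File descriptor usage for squid:
	Maximum number of file descriptors:   1024
	Largest file desc currently in use:    987
	Number of file desc currently in use:  961
	Files queued for open:                   0
	Available number of file descriptors:   63
	Reserved number of file descriptors:   100
	Store Disk files open:                   4
"""

FD_FIELDS = {
    "maximum": re.compile(r"Maximum number of file descriptors:\s+(\d+)"),
    "in_use": re.compile(r"Number of file desc currently in use:\s+(\d+)"),
    "available": re.compile(r"Available number of file descriptors:\s+(\d+)"),
}


def parse_fd_usage(text):
    """Return {'maximum', 'in_use', 'available'} as ints parsed from mgr:info text.

    A missing field raises ValueError instead of silently reporting 0, so a
    broken squidclient call cannot masquerade as a healthy cache."""
    result = {}
    for name, pattern in FD_FIELDS.items():
        m = pattern.search(text)
        if not m:
            raise ValueError("field not found in mgr:info output: %s" % name)
        result[name] = int(m.group(1))
    return result


def fd_check(usage, warn_pct=80):
    """Return (status, message); status is 'OK' or 'WARNING'.

    warn_pct (an assumed default) is the percentage of the maximum in use
    at which the check starts warning."""
    pct = 100.0 * usage["in_use"] / usage["maximum"]
    status = "WARNING" if pct >= warn_pct else "OK"
    msg = "%s: %d of %d file descriptors in use (%.1f%%), %d available" % (
        status, usage["in_use"], usage["maximum"], pct, usage["available"])
    return status, msg


if __name__ == "__main__":
    # Without arguments, query the local Squid as the commands above do;
    # "--sample" runs the check against the constructed text instead.
    if "--sample" in sys.argv[1:]:
        text = SAMPLE_MGR_INFO
    else:
        text = subprocess.run(["/usr/sbin/squidclient", "mgr:info"],
                              stdout=subprocess.PIPE, universal_newlines=True,
                              check=True).stdout
    status, msg = fd_check(parse_fd_usage(text))
    print(msg)
    sys.exit(0 if status == "OK" else 1)
```

Run it from cron or a monitoring agent; the non-zero exit on WARNING is what a monitoring system can key on, and the parsed numbers are also the ones to compare before and after raising the limit as described in the linked fixes.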

The fix:
http://blog.nazmi.web.id/2007/06/20/squid-warning-your-cache-is-running-out-of-filedescriptors/comment-page-1/#comment-2828
http://paulgoscicki.com/archives/2007/01/squid-warning-your-cache-is-running-out-of-filedescriptors/

OS tested:

CentOS

Categories: Networking, web_proxy

Stop ftp brute force attacks using simple bash script

July 1, 2009

On one of the servers I manage I've noticed a lot of failed FTP login attempts recently (the server runs NcFTPd). The pattern of login failures is straightforward, so I'm using tail -f combined with grep to monitor /var/log/messages in real time and add the offending IPs to /etc/hosts.deny as soon as an attack is detected. It's also a good idea to lower the maximum number of login failures allowed (the threshold) in NcFTPd. This script has been tested on OpenSuSE but should run with little or no modification on other Linux systems. Here's the code; don't forget to change the admin's email address.

#!/bin/bash
DEBUG=0
LOG=/var/log/messages

ACTION() {
    DENY=/etc/hosts.deny
    ADMIN=change_to_admin@email.address
    DAEMON=ALL   # change ALL to NcFTPd to block FTP access only
    while read -r line; do
        # skip empty input: an empty grep pattern would match every line of $DENY
        [ -z "$line" ] && continue
        # -F: match the address literally (dots are not regex wildcards)
        # -x: whole line, so 1.2.3.4 does not count as already present for 1.2.3.45
        if ! grep -qFx -- "$DAEMON:$line" "$DENY"; then
            if [ "$DEBUG" = 1 ]; then
                echo "will append $line to $DENY"
            else
                echo "$DAEMON:$line" >> "$DENY"
                [ -n "$ADMIN" ] && echo "$line" | \
                    mail -s "ftp attacks $(hostname -f): action taken" "$ADMIN"
            fi
        fi
    done
}

# with spaces and ';' as field separators, field 11 of the syslog line is the
# client address that follows "Too many login failures from"
tail -f "$LOG" | while read -r line; do
    echo "$line" | grep "Too many login failures from" | \
        awk 'BEGIN{FS="[ ;]+"} {print $11}' | ACTION
done &
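
The same detection in Python, as an added example that is not part of the original post: it extracts the address from the same "Too many login failures from" messages, discards anything that does not parse as an IP address (so a malformed log line can never be written into hosts.deny), skips internal networks so a misbehaving LAN host cannot lock out the office, and checks hosts.deny for a whole-address match rather than a substring (a plain grep for 203.0.113.4 also matches 203.0.113.45). The log lines, the hosts.deny contents and the exempt networks are all constructed for the example.

```python
import ipaddress
import re

# Constructed syslog lines in the shape the bash script above greps for
# (standard syslog prefix, then the NcFTPd message). Addresses are from the
# documentation ranges; one line carries a deliberately invalid address.
SAMPLE_LOG = """\
Jul  1 10:14:02 ftp1 ncftpd[2231]: Too many login failures from 203.0.113.45; closing connection.
Jul  1 10:14:09 ftp1 ncftpd[2240]: user admin logged in from 192.0.2.10
Jul  1 10:15:41 ftp1 ncftpd[2251]: Too many login failures from 203.0.113.45; closing connection.
Jul  1 10:16:03 ftp1 ncftpd[2260]: Too many login failures from 198.51.100.7; closing connection.
Jul  1 10:16:30 ftp1 ncftpd[2262]: Too many login failures from 10.0.0.5; closing connection.
Jul  1 10:17:12 ftp1 ncftpd[2270]: Too many login failures from 999.1.1.1; closing connection.
"""

# Constructed current hosts.deny. "203.0.113.4" is a prefix of "203.0.113.45":
# a substring grep would wrongly treat the second address as already denied.
SAMPLE_HOSTS_DENY = """\
# /etc/hosts.deny
ALL:203.0.113.4
"""

# Only address characters are captured, so the match stops at the ';'.
FAILURE_RE = re.compile(r"Too many login failures from ([0-9A-Fa-f.:]+)")

# Assumed exempt networks (RFC 1918); adjust to the site's own address plan.
DEFAULT_EXEMPT = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def offending_ips(log_text, exempt_networks=DEFAULT_EXEMPT):
    """Return the set of ip_address objects the log flags, minus exempt networks
    and anything that does not parse as an address."""
    exempt = [ipaddress.ip_network(n) for n in exempt_networks]
    found = set()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # garbage where an address should be: never write it to hosts.deny
        if any(ip in net for net in exempt):
            continue
        found.add(ip)
    return found


def denied_hosts(hosts_deny_text):
    """Parse 'daemon_list : client_list' lines of hosts.deny into the set of
    client strings already present (comments and blank lines ignored)."""
    denied = set()
    for line in hosts_deny_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        _daemons, clients = line.split(":", 1)
        denied.update(c for c in re.split(r"[,\s]+", clients.strip()) if c)
    return denied


def new_deny_lines(log_text, hosts_deny_text, daemon="ALL"):
    """Return the hosts.deny lines to append, sorted, for addresses not yet
    present. Comparison is by whole address, not substring."""
    already = denied_hosts(hosts_deny_text)
    fresh = [ip for ip in offending_ips(log_text) if str(ip) not in already]
    fresh.sort(key=lambda a: (a.version, int(a)))
    return ["%s:%s" % (daemon, ip) for ip in fresh]


if __name__ == "__main__":
    for entry in new_deny_lines(SAMPLE_LOG, SAMPLE_HOSTS_DENY):
        print(entry)
```

In a deployment the two sample strings would be replaced by the lines arriving from tail -f and the current contents of /etc/hosts.deny, and the returned lines appended to the file; keeping the decision logic in pure functions is what makes it testable before it is allowed to touch the access control file.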

myping.py

June 28, 2009

A ping script using Python threads. Examples of usage:

myping.py -n 192.168.1 -s 10 -e 150
  Scans 192.168.1.10 – 192.168.1.150
myping.py -n 172.16.0 -g
  Scans 172.16.0.0/24 subnet and returns active hosts only

[ direct link: http://rc3.fileave.com/myping.py.txt ]

#!/usr/bin/env python3
import re
import subprocess
import sys
import time
from threading import Thread

DEBUG = False


class pingtest(Thread):
    # captures the reply count from ping's summary line, e.g. "2 packets transmitted, 2 received"
    lifeline = re.compile(r"(\d+) received")

    def __init__(self, ip):
        Thread.__init__(self)
        self.ip = ip
        # -1 means the summary line was never seen (ping missing or failed);
        # otherwise it is the number of replies received (0, 1 or 2)
        self.status = -1

    def run(self):
        # argument list instead of a shell command string, so an address read
        # from a file can never be interpreted as shell syntax;
        # -q quiet, -c 2 two probes, -w 3 overall deadline in seconds (Linux ping)
        proc = subprocess.Popen(["ping", "-q", "-c", "2", "-w", "3", self.ip],
                                stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                                universal_newlines=True)
        for line in proc.stdout:
            igot = pingtest.lifeline.findall(line)
            if igot:
                self.status = int(igot[0])
        proc.wait()


def usage():
    print('''\
    usage 1:
    myping.py -n network_adr [ -s start -e end -g ]
    for example: myping -n 192.168.1 -s 10 -e 150

    usage 2:
    myping.py -f ip_list_file [ -g ]
    ''')


if __name__ == "__main__":
    if len(sys.argv) < 2:
        usage()
        sys.exit()
    import getopt
    try:
        opts, args = getopt.getopt(sys.argv[1:], 'n:s:e:f:hg')
    except getopt.GetoptError as err:
        usage()
        print(str(err))
        sys.exit(1)

    # variables initialize:
    S = 1
    E = 254
    N = ''
    FILE = ''
    GOODONLY = False
    for o, a in opts:
        if DEBUG:
            print(o)
        if o == '-h':
            usage()
            sys.exit(0)
        elif o == '-g':
            GOODONLY = True
        elif o == '-n':
            N = a
        elif o == '-s':
            try:
                S = int(a)
            except ValueError:
                print("int argument expected")
        elif o == '-e':
            try:
                E = int(a)
            except ValueError:
                print("int argument expected")
        elif o == '-f':
            FILE = a
        else:
            assert False, "unhandled option"

    if len(N) > 0 and len(FILE) > 0:
        usage()
        print("Please do not specify -n and -f at the same time")
        sys.exit(1)
    elif len(N) == 0 and len(FILE) == 0:
        usage()
        print("Please specify option -n or -f")
        sys.exit(1)

    pinglist = []
    report = ("No response", "Partial Response", "Alive")
    print("***ping started: " + time.ctime())
    if len(N) > 0:
        # E + 1 so that the end address given with -e is scanned as well
        for host in range(S, E + 1):
            ip = N + '.' + str(host)
            current = pingtest(ip)
            pinglist.append(current)
            current.start()
    else:
        try:
            with open(FILE) as f:
                for ip in f:
                    ip = ip.strip()
                    if not ip:
                        continue  # blank line: ping with no target would just error
                    current = pingtest(ip)
                    pinglist.append(current)
                    current.start()
        except IOError as err:
            print(str(err))
    for pingle in pinglist:
        pingle.join()
        # status -1 must not index report: report[-1] would claim the host is "Alive"
        verdict = report[pingle.status] if pingle.status >= 0 else "Unknown (no ping output)"
        if GOODONLY and pingle.status != 2:
            continue
        print("Status from ", pingle.ip, ": ", verdict)
    print("***ping finished: " + time.ctime())


If you have fping installed, you can achieve similar results with the following Perl one-liner:

perl -e 'for (1..254) { print "192.168.1.$_\n" }' | fping -a -q 2>/dev/null

Categories: Networking, Programming, python