Friday, October 8, 2010

A Few Handy Built-Ins

Anyone who's worked with Linux knows it's a great operating system (whichever of the many flavors you run). Not only is it stable and secure, but it makes good use of hardware with low overhead, which makes it fast as well. Another really nice thing about an open source OS is the constant addition of utilities that make life easier for both the admin of the box and the user.
Here are a few of my favorites for those new to Linux...

watch: watch allows you to re-execute a program over and over and output to the screen. It's very handy for watching for changes to a directory, waiting for a service to start, or monitoring connections. For example, let's say you run a service on port 8000 and you want to watch for any connections to that port. You could do that by running "netstat -an | grep 8000", or better yet, "netstat -an | grep 8000 | grep EST". That takes the output of netstat, which shows network connectivity, statistics and such, pipes it through grep to keep only the lines that contain 8000 (the port you wish to monitor), then filters those down to the lines that contain upper-case EST. That shows the connections in the ESTABLISHED state.
That's great, but what if you were watching for connections over an hour's time span? watch works great for this. watch takes a -n parameter, which is the number of seconds between executions. The default is 2 seconds. If we wanted updates as quickly as possible, we would run:
watch -n 1 'netstat -an | grep 8000 | grep EST'
Every second, watch reruns the netstat pipeline and shows you the results, clearing the screen between each iteration.
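The filter the post hands to watch, wrapped in a couple of shell functions so it can be checked against a constructed netstat -an sample instead of a live socket. This is an added example, not code from the original post; the sample output and the ":PORT " anchoring (which stops port 8000 from also matching 18000 or a foreign port that happens to end in 8000) are my assumptions about netstat's column layout.

```shell
#!/bin/sh
# Added example (not from the original post). On a real box the live command is:
#   watch -n 1 'netstat -an | grep 8000 | grep EST'
# Here the same filter is a function that reads netstat-style lines from stdin.

# Constructed 'netstat -an' output: one listener, two ESTABLISHED connections on
# 8000, one on 18000 (must not match), one on 22, and one TIME_WAIT on 8000.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:8000         198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:8000         198.51.100.8:51300      ESTABLISHED
tcp        0      0 192.0.2.10:18000        198.51.100.9:40000      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:40001      ESTABLISHED
tcp        0      0 192.0.2.10:8000         198.51.100.9:40002      TIME_WAIT'

# established_on PORT : print the ESTABLISHED connections whose local port is
# PORT. ":PORT " (port followed by a space) keeps 18000 from matching 8000,
# which the post's bare 'grep 8000' would not.
established_on() {
    grep ":$1 " | grep EST
}

# count_established PORT : how many such connections there are right now; this
# is the number you would chart over the hour the post talks about.
count_established() {
    established_on "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample (a live run would pipe 'netstat -an' instead).
printf '%s\n' "$SAMPLE_NETSTAT" | established_on 8000
printf 'established on 8000: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | count_established 8000)"
```

On a live system, replace the printf of the sample with netstat -an and wrap the pipeline in watch -n 1 exactly as the post shows; the functions only make the filter easy to test.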

lokkit: lokkit is a command line utility (it used to be ncurses GUI based) for modifying the iptables firewall. It's very simple to quickly open up a port with lokkit (I'd recommend making a copy of the iptables file, found in /etc/sysconfig, first). If you want to open port 21 to all inbound traffic, you'd run "lokkit -p 21:tcp". Viewing your firewall tables by running "iptables -L" should then show:
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
You can also disable and enable the firewall, open ports by service name, add trusted interfaces, add custom rules and add and remove modules.
Just make sure you back up before making changes, and be careful modifying iptables remotely, whether with lokkit or by hand, because a mistake can lock you out when the firewall restarts.
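The backup-first habit the post recommends, plus a check that the rule lokkit added is really in iptables -L output, as an added example that is not part of the original post. Paths are passed in as arguments so the functions can be exercised on a scratch file; on a RHEL-family box the real source is /etc/sysconfig/iptables. The iptables -L excerpt is constructed from the line the post shows, and the scheduled-restore pattern in the comment is a common admin practice I added, not something the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): back up the firewall config before
# a lokkit change and verify the resulting rule from 'iptables -L' output.

# backup_config SRC DESTDIR : copy SRC into DESTDIR with a timestamp suffix and
# print the backup path. Returns non-zero if SRC is missing or the copy fails.
backup_config() {
    src="$1"; destdir="$2"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    mkdir -p "$destdir" || return 1
    dest="$destdir/$(basename "$src").$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dest" || return 1
    printf '%s\n' "$dest"
}

# port_open PORT : read 'iptables -L' output on stdin and succeed only if an
# ACCEPT rule for tcp dpt:PORT is present. Plain 'iptables -L' resolves ports
# to /etc/services names (21 shows as ftp); use 'iptables -L -n' and a number
# if you would rather match numerically.
port_open() {
    awk -v p="dpt:$1" '
        $1 == "ACCEPT" && $2 == "tcp" && $NF == p { found = 1 }
        END { exit !found }'
}

# Constructed 'iptables -L' excerpt as it would look after 'lokkit -p 21:tcp'.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Remote-change guard (shown as a comment, not executed here): before running
# lokkit over ssh, schedule a restore of the backup and cancel it once you have
# confirmed you can still get in. If the new rules cut you off, the restore
# brings the old ones back on its own.
#   backup=$(backup_config /etc/sysconfig/iptables /root/fw-backups)
#   ( sleep 300 && iptables-restore < "$backup" ) &    # then: lokkit -p 21:tcp
#   kill %1                                             # once access is verified

# Demo on the constructed rules.
printf '%s\n' "$SAMPLE_RULES" | port_open ftp  && echo "ftp (21/tcp) is open"
printf '%s\n' "$SAMPLE_RULES" | port_open 8000 || echo "8000/tcp is not open"
```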

ntsysv: ntsysv is an ncurses GUI that lets you enable or disable services at startup, the equivalent of using the chkconfig command. chkconfig is more granular, since you can specify the runlevel you want, but if you're unfamiliar with Linux, ntsysv is helpful until you get up to speed. Just invoke the command with no parameters and you'll be presented with a list of all the available services. Each has a box beside it that can be checked to enable it. Use the arrow keys to scroll down and back up, and hit the space bar to toggle a service on or off.
Yes, there are X apps that do the same thing with a nice GUI, but if you're working on NetSec boxes, a lot of the time you won't have X installed (or shouldn't). Do you really want a GUI, with the myriad of apps it pulls in that could each have security flaws, installed on your IDS or packet auditor?
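The audit that sits behind ntsysv and chkconfig, as an added example that is not from the original post: list which services start at a given runlevel and flag any that are not on a short allow-list, which is the check you would run on a headless IDS box. The chkconfig --list sample below is constructed (the name-then-0:off ... 6:off columns are the real format), and the service names and the allow-list are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). On a live SysV box you would pipe
# the real command in instead of the sample:
#   chkconfig --list | enabled_at 3

# Constructed 'chkconfig --list' output for a small sensor box.
SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
snort           0:off   1:off   2:off   3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# enabled_at LEVEL : names of the services that start at runlevel LEVEL, one per
# line, read from chkconfig --list style lines on stdin.
enabled_at() {
    awk -v want="$1:on" '{ for (i = 2; i <= NF; i++) if ($i == want) print $1 }'
}

# unexpected_at LEVEL ALLOWED... : services enabled at LEVEL that are not among
# the ALLOWED names; prints nothing when everything is accounted for.
unexpected_at() {
    level="$1"; shift
    allowed=" $* "
    enabled_at "$level" | while read -r svc; do
        case "$allowed" in
            *" $svc "*) ;;                  # on the allow-list, fine
            *) printf '%s\n' "$svc" ;;      # enabled but not expected: review it
        esac
    done
}

# Demo: a text-only sensor should not be starting a print spooler at runlevel 3.
echo "Enabled at runlevel 3:"
printf '%s\n' "$SAMPLE_CHKCONFIG" | enabled_at 3
echo "Not on the allow-list (sshd snort iptables):"
printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_at 3 sshd snort iptables
```

Anything unexpected_at prints is a candidate for chkconfig --level 3 off (or unchecking it in ntsysv), which is the same decision the post makes about X.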
