Facebook Twitter
Linkedin LJ
Git Instagram
IPv6
31 post tagged

linux

Simple fail2ban log file parcer

I have written simple fail2ban log file parcer in Golang that finds banned IPs, makes a struct with date, time and IP and a map with IP as a key and count as a value. I am thinking of nmapping the values I’ve got and making a report out of them.

package main

import (
    "bufio"
    "fmt"
    "regexp"
    "os"
)


type record struct {
  day string
  time string
  ip string
}

type ip struct {
    ip string
    count int
}

// Checking most calls for errors.
// This helper will streamline our error checks below.
func check(e error) {
    if e != nil {
        panic(e)
    }
}

//reading file to array of lines

func readLines(path string) ([]string, error) {
  file, err := os.Open(path)
  check(err)
  defer file.Close()



  var lines []string
  scanner := bufio.NewScanner(file)
  for scanner.Scan() {
    lines = append(lines, scanner.Text())
  }
  return lines, scanner.Err()
}


func main() {

lines, err := readLines("./fail2ban.log")

  var log_records []record

if err != nil {
    fmt.Println("readLines: %s", err)
  }

//date
  dr, _ := regexp.Compile("[0-9]{4}-[0-9]{2}-[0-9]{2}")
//time
  tr, _ := regexp.Compile("[0-9]{2}:[0-9]{2}\\:[0-9]{2},[0-9]{3}")
//IPv4 address
  ir, _ := regexp.Compile("(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$")
//"Ban"
br, _ := regexp.Compile("Ban")
ip_map := make(map[string]int)

var j int
j = 0

for i, line := range lines {
  if (br.MatchString(line) == true){
    var tmp record
    log_records = append (log_records, tmp)
    log_records[j].day = dr.FindString(line)
    log_records[j].time = tr.FindString(line)
    log_records[j].ip = ir.FindString(line)
//count unique IPs
    ip_map[log_records[j].ip]++
    fmt.Println("Log line:     ",i)
    fmt.Println("Date:         ",log_records[j].day)
    fmt.Println("Time:         ",log_records[j].time)
    fmt.Println("IP address:   ",log_records[j].ip)
    fmt.Println("Count:        ",ip_map[log_records[j].ip])
    fmt.Println("")
    j++
}


}

//pring map of IPs
fmt.Println(ip_map)

}
Apr 18   golang   IT   linux   security

Google Accounts engine problem and Gnome 3

I have login.keychain corrupted in my Gnome 3 enabled workplace due to the recent Google Accounts engine problem. For some reason it has become completely unusable, Gnome Keychain was unable to unlock it, Google Chrome stopped loading sites, goa-daemon died (as usual) and Evolution has stopped getting mail.

Goog Friday morning frustration.

Feb 24   gnome   google   IT   linux

OOM-killer fun

Recently I had installed RHEL 7 FreeIPA test lab on my workplace. I have made virtual host with default 1GB RAM, installed the system, enrolled it into the IPA domain OK, then tried ipa-replica-install. Turns out that 1GB is not enough and OOM-killer tries to solve the problem by killing processes that ipa-replica-install had spawned. Surprisingly turns out that for some reason the script is not detecting errors caused and you have strangely configured replica as the result.

Feb 23   IT   linux

AD + SSSD

If you have host in the AD with the SSSD then your root user can be any user from the domain. So

%groupname ALL=(ALL) NOPASSWD:ALL

would actually give permissions to all users from the “groupname” to become any AD user they want, and if they’re SSH’ng the localhost then, they would have Kerberos ticket as well. It is not actually that evident, but Active Directory is an identity provider, so if you are superuser on the host – you can be AD user on the host.

Feb 15   IT   linux   sssd

Debugging IDM

One of the most frequent cases I have is that “sometimes” and “somewhere” user is not getting authenticated. Trying to SSH to the host works for some users not always, “id username” returns errors sometimes – it’s all the same problem in the environment with LDAP replication. It does not actually matter what kind of the LDAP server or domain controller is being used, always check:

  1. enable debug log on the client. If the client is SSSD, add “debug_level = 9” to the /etc/sssd/sssd.conf and then restart it. Invalidate it’s cache if possible.
  2. repeat the test so you would see the error.
  3. collect the log file from the client. You would see what server it has queried to get the information.
  4. check server’s log. Most likely there is no requested information on this LDAP instance due to replication issues.

This would help to identify and fix the problem.

Feb 3   idm   IT   ldap   linux   sssd

Parsing sssd debug log

Lol, hope to add more in furure

grep -v "timed event" |grep -v "timer event"|grep -v "Requesting"|grep -v "SBUS"|grep -v "callback"|grep -v "dispatch"|grep -v "a sysbus message"|grep -v "No sub-attributes for" |grep -v "reusing cached connection" |grep -v "nesting:"|grep -v "sbus_remove_watch"|grep -v "be_client_destructor"|grep -v "sdap_process_result"|grep -v "Comparing LDAP with LDAP" |grep -v "Message type:"|grep -v "unenforced gpo skipped"
Jan 27   IT   linux   sssd

More .bashrc improvements

I need to see long path and host name. And not to lose command line space at the same time:

BOLD="\[$($TTY  && /usr/bin/tput bold)\]"
COLOR_BLACK="\[$($TTY  && /usr/bin/tput setaf 0)\]"
COLOR_RED="\[$($TTY  && /usr/bin/tput setaf 1)\]"
COLOR_GREEN="\[$($TTY  && /usr/bin/tput setaf 2)\]"
COLOR_YELLOW="\[$($TTY && /usr/bin/tput setaf 3)\]"
COLOR_BLUE="\[$($TTY  && /usr/bin/tput setaf 4)\]"
COLOR_MAGENTA="\[$($TTY  && /usr/bin/tput setaf 5)\]"
COLOR_CYAN="\[$($TTY  && /usr/bin/tput setaf 6)\]"
COLOR_WHITE="\[$($TTY  && /usr/bin/tput setaf 7)\]"
COLOR_GRAY="\[$($TTY  && /usr/bin/tput setaf 8)\]"
RESET="\[$($TTY  && /usr/bin/tput sgr0)\]"



function prompt_command  {     
    local TIMESTAMP="${BOLD}${COLOR_GRAY}\D{%d/%m %H:%M:%S}${RESET}"
    local CURPWD="${BOLD}${COLOR_BLUE}${PWD/#${HOME}/~}${RESET}"

    PS1="\n┌[${BOLD}\u@${COLOR_RED}\h${RESET}]─[${CURPWD}]\n"
    PS1=${PS1}"└─"${TIMESTAMP}${BOLD}"-> "

}

PROMPT_COMMAND=prompt_command
Jan 27   bash   IT   linux

Google group calendars in Evolution Mail

If your organization uses Google Apps as mail service but you are using Evolution, there is no evident way to view and edit shared group calendars until recent versions. To add group calendar you need:

  1. go to calendar settings on web
  2. Calendar Address: -> ID (somenting like example.com_1d32345331343234213832@resource.calendar.google.com)
  3. Evolution -> New Calendar -> Google
  4. User name -> this ID
  5. Auth with usual name-pass or other means you use (Kerberos, OTP) in the window appear.
  6. Allow Evolution to use the Google’s resources.
2017   desktop   IT   linux

DKIM=temperror

Recently I have checked my messages headers of the mail that comes from the andreybondarenko.com MX and found that Google shows that my DKIM signature is invalid:

Authentication-Results: mx.google.com; dkim=temperror (no key for
 signature) header.i=@andreybondarenko.com;

In the spam score section:

DKIM_SIGNED,T_DKIM_INVALID

However the header itself is present:

DKIM-Filter: OpenDKIM Filter v2.10.3 andreybondrenko.com CE25780BAC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=andreybondarenko.com; s=default; t=1483634085;
        bh=w00tuUhwty0/5n/YHiopiY3PpnqKT5BLK9l6TkDNUUk=;
        h=Subject:From:Reply-To:To:Date:From;
        b=J5qB5RF9lrOho1wBpLyLi5a6CwIHZK1sugCr2wpwnPKwEg76RFv2/y8xaiwquqftX
         VhTJH9NLJXcPdu8k8/zN/sc8P1RksNR9EvDw6k2YNEKoeMsKMGgyMC4kAAhcT31IgX
         eqnIqWxhVTVdjRqrqzNPn0wuBbGJgO2bwmFcVsy8=

I have found that it’s quite common configuration error of the OpenDKIM, the selector you choose to store key can be chosen randomly, but the TXT record should match /etc/opendkim.conf. In my case:

##  Defines the name of the selector to be used when signing messages.
Selector   default

But the DNS record:

[user@andreybondarenko ~]$ dig TXT mail._domainkey.andreybondarenko.com

;; ANSWER SECTION:
mail._domainkey.andreybondarenko.com. 1800 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdGRWtWPPZVIg0fy7Pr0+rsBsoL6Imt1GBE/QRd3X5Izv1iAJFUsOtea
f9TI9EO/YFwoLLahzuoZM1oUU4ED3fHlItEnqXCKQhX8Zripi7gfIO+DRFEhGuQtG6OIuA6+c3ivao7DTPk/IFqY7MG5M3wMvAfV+
eIBf1VjmajSwe3wIDAQAB"

Changing ‘Selector’ to ‘mail’ and restating opendkim (it’s faster then change DNS):

Authentication-Results: mx.google.com; dkim=pass
 header.i=@andreybondarenko.com;

In the spam score section:

DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU
2017   dkim   linux   mail   security
Ctrl + ↓ Earlier