Sunday, January 21, 2018

Detecting DNS flood using dns-flood-detector

You need to install dns-flood-detector
# apt-get install dns-flood-detector

dns-flood-detector will give you warning in dmesg something like:
[1309426.142779] TCP: request_sock_TCP: Possible SYN flooding on port 53. Sending cookies.  Check SNMP counters.

To show where it is come from
# /etc/init<dot>d/dns-flood-detector status
* dns-flood-detector<dot>service - LSB: start and stop the dns-flood-detector daemon
   Loaded: loaded (/etc/init<dot>d/dns-flood-detector; generated; vendor preset: enabled)
   Active: active (running) since Fri 2018-01-05 14:25:46 WIB; 2 weeks 1 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 2 (limit: 4915)
   CGroup: /system<dot>slice/dns-flood-detector<dot>service
           `-475 /usr/bin/dns-flood-detector -d -v -v -t5 -w3
Jan 20 18:09:20 mars dns_flood_detector[475]: source [66<dot>220<dot>156<dot>144] - 3 tc…AA]
Jan 20 18:09:23 mars dns_flood_detector[475]: source [173<dot>252<dot>90<dot>118] - 3 tc…AA]
Warning: Journal has been rotated since unit was started<dot> Log output is incomplete or unavailable<dot>
Hint: Some lines were ellipsized, use -l to show in full<dot>

or
# service dns-flood-detector status
* dns-flood-detector<dot>service - LSB: start and stop the dns-flood-dete
ctor daemon
   Loaded: loaded (/etc/init<dot>d/dns-flood-detector; generated; vendor preset: ena
bled)
   Active: active (running) since Fri 2018-01-05 14:25:46 WIB; 2 week
s 1 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 2 (limit: 4915)
   CGroup: /system<dot>slice/dns-flood-detector<dot>service
           `-475 /usr/bin/dns-flood-detector -d -v -v -t5 -w3
Jan 20 18:09:20 mars dns_flood_detector[475]: source [66<dot>220<dot>156<dot>144] -
3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Jan 20 18:09:23 mars dns_flood_detector[475]: source [173<dot>252<dot>90<dot>118] -
3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Warning: Journal has been rotated since unit was started<dot> Log output is incomple
te or unavailable<dot>

Lets we find out who they are
# whois 66<dot>220<dot>156<dot>144
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www<dot>arin<dot>net/whois_tou<dot>html
#
# If you see inaccuracies in the results, please report at
# https://www<dot>arin<dot>net/public/whoisinaccuracy/index<dot>xhtml
#
#
# The following results may also be obtained via:
# https://whois<dot>arin<dot>net/rest/nets;q=66<dot>220<dot>156<dot>144?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       66<dot>220<dot>144<dot>0 - 66<dot>220<dot>159<dot>255
CIDR:           66<dot>220<dot>144<dot>0/20
NetName:        TFBNET3
NetHandle:      NET-66-220-144-0-1
Parent:         NET66 (NET-66-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS32934
Organization:   Facebook, Inc<dot> (THEFA-3)
RegDate:        2009-02-13
Updated:        2012-02-24
Ref:            https://whois<dot>arin<dot>net/rest/net/NET-66-220-144-0-1
...

and
# whois 173<dot>252<dot>90<dot>118
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www<dot>arin<dot>net/whois_tou<dot>html
#
# If you see inaccuracies in the results, please report at
# https://www<dot>arin<dot>net/public/whoisinaccuracy/index<dot>xhtml
#
#
# The following results may also be obtained via:
# https://whois<dot>arin<dot>net/rest/nets;q=173<dot>252<dot>90<dot>118?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       173<dot>252<dot>64<dot>0 - 173<dot>252<dot>127<dot>255
CIDR:           173<dot>252<dot>64<dot>0/18
NetName:        FACEBOOK-INC
NetHandle:      NET-173-252-64-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS32934
Organization:   Facebook, Inc<dot> (THEFA-3)
RegDate:        2011-02-28
Updated:        2012-02-24
Ref:            https://whois<dot>arin<dot>net/rest/net/NET-173-252-64-0-1

Ops they are Facebook.inc :D

Lets we block it
# ipset add mynetrules 66<dot>220<dot>156<dot>144
# ipset add mynetrules 173<dot>252<dot>90<dot>118
# iptables -L | grep mynetrules
DROP       all  --  anywhere             anywhere             match-set mynetrules src

These are how to block class C
Jan 21 10:11:31 mars dns_flood_detector[475]: source [173<dot>252<dot>124<dot>119] - 3 t…AA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173<dot>252<dot>124<dot>125] - 3 t…AA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173<dot>252<dot>124<dot>126] - 3 t…AA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173<dot>252<dot>124<dot>123] - 3 t…AA]

Jan 21 10:11:34 mars dns_flood_detector[475]: source [173<dot>252<dot>124<dot>124] - 3 t…AA]

Just check one of them
# whois 173<dot>252<dot>124<dot>124
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www<dot>arin<dot>net/whois_tou<dot>html
#
# If you see inaccuracies in the results, please report at
# https://www<dot>arin<dot>net/public/whoisinaccuracy/index<dot>xhtml
#
#
# The following results may also be obtained via:
# https://whois<dot>arin<dot>net/rest/nets;q=173<dot>252<dot>124<dot>124?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       173<dot>252<dot>64<dot>0 - 173<dot>252<dot>127<dot>255
CIDR:           173<dot>252<dot>64<dot>0/18
NetName:        FACEBOOK-INC
NetHandle:      NET-173-252-64-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS32934
Organization:   Facebook, Inc<dot> (THEFA-3)
RegDate:        2011-02-28
Updated:        2012-02-24
Ref:            https://whois<dot>arin<dot>net/rest/net/NET-173-252-64-0-1

Lets we block it
# ipset add mynetrules 173<dot>252<dot>124<dot>0/24



Friday, January 12, 2018

Using incron to monitor/watch a directory/folder

Requirement:
  • kernel 2.6.13 or later
Note:
  • "Note: It is important to know that incron is not recursive, so you need to manually add all sub-directories you want it to watch"
  • "There are two categories of tables: system tables (with root privileges) and user tables (with user privileges)."
  • "Each user has their own table, and commands in any given incrontab will be executed as the user who owns the incrontab. System users (such as apache, postfix, nobody etc.) may have their own incrontab."
  • "Please remember that the same path may occur only once per table (otherwise only the first occurrence takes effect and an error message is emitted to the system log)."
Installation
# apt-get install incron

General use
<path> <mask> <command>

<mask>
IN_ACCESS File was accessed (read) (*)
IN_ATTRIB Metadata changed (permissions, timestamps, extended attributes, etc.) (*)
IN_CLOSE_WRITE File opened for writing was closed (*)
IN_CLOSE_NOWRITE File not opened for writing was closed (*)
IN_CREATE File/directory created in watched directory (*)
IN_DELETE File/directory deleted from watched directory (*)
IN_DELETE_SELF Watched file/directory was itself deleted
IN_MODIFY File was modified (*)
IN_MOVE_SELF Watched file/directory was itself moved
IN_MOVED_FROM File moved out of watched directory (*)
IN_MOVED_TO File moved into watched directory (*)
IN_OPEN File was opened (*)
Special Events
IN_ALL_EVENTS Combines all of the above events
IN_DONT_FOLLOW Don't dereference pathname if it is a symbolic link
IN_ONESHOT Monitor pathname for only one event
IN_ONLYDIR Only watch pathname if it is a directory
Wildcard Event
IN_NO_LOOP Disable monitoring of events until the current event is handled completely (until its child process exits – avoids infinite loops)

Wildcards
$$ dollar sign
$@ watched filesystem path (see above)
$# event-related file name
$% event flags (textually)
$& event flags (numerically)

Add/edit user
# vi /etc/incron.allow
myuser

Status incron
# service incron status
* incron.service - file system events scheduler
   Loaded: loaded (/lib/systemd/system/incron.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-01-12 07:44:06 WIB; 33min ago
  Process: 7935 ExecStart=/usr/sbin/incrond (code=exited, status=0/SUCCESS)
 Main PID: 7936 (incrond)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/incron.service
           `-7936 /usr/sbin/incrond

Test using user myuser

Create folder testincron under directory /home/myuser
$ mkdir testincron
$ ls /home/myuser/testincron

Create script to log change in testincron directory
$ vi testincron.sh
#!/bin/bash
echo "wildcard test: $1 $2 $3 $4 $5" >> /home/myuser/myincron.log

Make script to run
$ chmod u+x testincron.sh

Ereate/edit incrontab
$ incrontab -e
/home/myuser/testincron IN_ALL_EVENTS /home/myuser/testincron.sh $$ $@ $# $% $&

Create and delete example.txt in directory /home/myuser/testincron and see the log file
$ touch /home/myuser/testincron/example.txt
$ rm /home/myuser/testincron/example.txt
$ cat /home/myuser/myincron.log
   wildcard test: $ /home/myuser/testincron example.txt IN_CREATE 256
   wildcard test: $ /home/myuser/testincron example.txt IN_OPEN 32
   wildcard test: $ /home/myuser/testincron example.txt IN_ATTRIB 4
   wildcard test: $ /home/myuser/testincron example.txt IN_CLOSE_WRITE 8
   wildcard test: $ /home/myuser/testincron  IN_OPEN,IN_ISDIR 1073741856
   wildcard test: $ /home/myuser/testincron  IN_ACCESS,IN_ISDIR 1073741825
   wildcard test: $ /home/myuser/testincron  IN_CLOSE_NOWRITE,IN_ISDIR 1073741840
   wildcard test: $ /home/myuser/testincron example.txt IN_DELETE 512

To display date in yyyymmdd hh:mm:ss edit testincron.sh:
$ vi testincron.sh
#!/bin/bash
echo "$(date +%Y%m%d' '%H:%M:%S): $1 $2 $3 $4 $5" >> /home/myuser/myincron.log

References:
  • http://www.linux-magazine.com/Issues/2014/158/Monitoring-with-incron
  • https://linux.die.net/man/5/incrontab
  • https://www.linux.com/learn/how-use-incron-monitor-important-files-and-folders
  • https://www.garron.me/en/linux/use-incron-rsync-dropbox-backup.html

Friday, January 5, 2018

Debian Stretch: Install Genymotion

Requirement: VirtualBox 5.0.28

To install Genymotion:
  1. Download genymotion from https://www.genymotion.com/ (you need account to access download page).
    $ ./Downloads/genymotion-2.11.0-linux_x64.bin
    Installing for current user only. To install for all users, restart this installer as root.

    Installing to folder [/home/username/genymotion]. Are you sure [y/n] ? y


    - Trying to find VirtualBox toolset .................... OK (Valid version of VirtualBox found: 4.3.36_Debianr105129)
    - Extracting files .....................................
    OK (Extract into: [/home/username/genymotion])
    - Installing launcher icon ............................. OK

    Installation done successfully.

    You can now use these tools from [/home/username/genymotion]:
     - genymotion
     - genymotion-shell
     - gmtool

  2. To run genymotion
    $ ./genymotion/genymotion
    Logging activities to file: /home/dedetok/.Genymobile/genymotion.log

Note: You don't need root access to run genymotion.

References:
  • https://www.genymotion.com/

Debian Stretch: install virtual box from virtualbox.org repository

These are steps to install virtualbox from virtualbox.org repository:
  1. Add virtualbox.org repository into system:
    # echo 'deb http://download.virtualbox.org/virtualbox/debian stretch contrib' > /etc/apt/sources.list.d/virtualbox.list
  2. Download and install virtualbox.org key
    # wget https://www.virtualbox.org/download/oracle_vbox_2016.asc
    # apt-key add oracle_vbox_2016.asc
  3. Update your system
    # apt-get update
  4. Install latest virtualbox (currently version 5.2)
    # apt-get install virtualbox-5.2



References:
  • https://wiki.debian.org/VirtualBox

Windows 10: entering windows repair mode

On my pc, windows 10 update often cause my PC to unstable (application error and system not responded after update).

This note, as my personal guide to enter windows repair mode.

To enter windows repair mode, do these steps:
  1. At window 10 login screen, hold shift button and click Power -> Restart.
  2. Next screen choose Troubleshoot and Advanced Options.
  3. There are some option to choose depend on what we want to repair:
    1. Command prompt (my favorite)
    2. Startup Setting
    3. Startup repair 
    4. others
  4. Then restart your windows, it will start your windows in repair mode.

For common troubleshooting do these sequence:
  1. sfc /scannow
  2. chkdsk c: /f
You may need to have handy windows update troubleshooter from micro soft site https://support.microsoft.com/en-ca/help/4027322/windows-update-troubleshooter