Monday 30 June 2008

Interactive Linux Kernel map & Presentations

Interactive Linux kernel map

Create beautiful presentations, access them from anywhere, and share them with the world. With 280 Slides, there's no software to download and nothing to pay for – and when you're done building your presentation you can share it any way you like.

Friday 27 June 2008

Traffic shaping scripts

http://slashdot.org/~IBitOBear/journal/

TCP Shaper Script

[ 0 Comments | #205883 ]

Thursday June 26, @08:32PM

#!/bin/bash ### BEGIN INIT INFO # Provides: shaper # Required-Start: firewall # Required-Stop: firewall # Default-Start: S # Default-Stop: 0 6 # Short-Description: Shape traffic on interfaces. ### END INIT INFO # init script written by shane at knowplace dot org # this script only creates the qdiscs and classes required for shaping, it # does NOT create the necessary filters # modified by Rob White rwhite at pobox dot com # mostly to take the link speed as an argument INTERFACE='eth1' declare -i INTERFACE_SPEED=768 declare -i BURST=1200 declare -i CBURST=1500 rc_done=" done" rc_failed=" failed" declare -i CEILING=$((INTERFACE_SPEED * 98 / 100)) declare -i COUNTER declare -ai WEIGHT=(2 2 2 2 2) declare -i SLOTS=${#WEIGHT[@]} declare -i AGGREGATE=0 for ((COUNTER=0; COUNTER<SLOTS; ++COUNTER)) do AGGREGATE=$((AGGREGATE+WEIGHT[COUNTER])) done AGGREGATE=$((AGGREGATE+1)) declare -ai SHARE declare -i USED=0 for ((COUNTER=0; COUNTER<SLOTS; ++COUNTER)) do USED=$(( USED + (SHARE[$COUNTER]=(CEILING * ${WEIGHT[$COUNTER]} / AGGREGATE)) )) done SHARE[$COUNTER]=$(( INTERFACE_SPEED - USED)) declare -i BURST_CEILING=$((CEILING * 100 / 100)) #declare -i BURST_CEILING=$CEILING return=$rc_done TC='/sbin/tc' tc_reset () { # Reset everything to a known state (cleared) $TC qdisc del dev $INTERFACE root 2> /dev/null > /dev/null } tc_status () { echo "[qdisc - $INTERFACE]" $TC -s qdisc show dev $INTERFACE echo "------------------------" echo echo "[class - $INTERFACE]" $TC -s class show dev $INTERFACE } tc_showfilter () { echo "[filter - $INTERFACE]" $TC -s filter show dev $INTERFACE } case "$1" in start) echo -n "Starting traffic shaping" tc_reset U320="$TC filter add dev $INTERFACE protocol ip parent 1:0 prio 0 u32" # # dev eth0 - creating qdiscs & classes # $TC qdisc add dev $INTERFACE root handle 1: htb default $((${#SHARE[@]}+1))0 $TC class \ add dev $INTERFACE \ parent 1: classid 1:1 \ htb rate ${CEILING}kbps \ ceil ${BURST_CEILING}kbps \ ${BURST:+burst ${BURST}b} \ ${CBURST:+cburst ${CBURST}b} for ((COUNTER=0; COUNTER < (${SLOTS} + 1); ++COUNTER)) do HANDLE=$((COUNTER+1))0 $TC class \ add dev $INTERFACE \ parent 1:1 classid 1:$HANDLE \ htb rate ${SHARE[$COUNTER]}kbps \ ceil ${BURST_CEILING}kbps \ ${BURST:+burst ${BURST}b} \ ${CBURST:+cburst ${CBURST}b} \ prio $COUNTER $TC qdisc \ add dev $INTERFACE \ parent 1:$HANDLE \ handle $HANDLE: \ sfq perturb 6 done tc_status ;; stop) echo -n "Stopping traffic shaper" tc_reset || return=$rc_failed echo -e "$return" ;; restart|reload) $0 stop && $0 start || return=$rc_failed ;; stats|status) tc_status ;; filter) tc_showfilter ;; *) echo "Usage: $0 {start|stop|restart|stats|filter}" exit 1 esac test "$return" = "$rc_done" || exit 1

Firewall Script

[ 0 Comments | #205881 ]

Thursday June 26, @08:32PM

#!/bin/bash -e ### BEGIN INIT INFO # Provides: firewall # Required-Start: networking # Required-Stop: networking # Default-Start: S # Default-Stop: 0 6 # Short-Description: Secures interfaces. ### END INIT INFO ################################################################################# # # IPTABLES Firewall v 0.86 # by shadow999@firemail.de # # Small parts from http://members.optusnet.com.au/~technion/ # and some tutorials # # This script is intended to setup a masquerading firewall based on # the IPTABLES (Net)filter-machanism of Linux 2.3.15+ # Syslogging matches fireparse for graphical output (see http://www.fireparse.com) # # Normally this script will work 'out-of-the-box', but you should adapt it to # your own needs (At least you should set the correct default interfaces # --> see Default-Interfaces section) # # Comments, suggestions, etc. are welcome # # Usage on your own risk ;) # # Syntax to invoke script: firewall (start|stop|restart|status) EXTIF INTIF # Example: "firewall start eth1 eth0" # ################################################################################# # # Version History: # # 0.86: Added a few comments # # 0.85: Various re-arrangements # Added TCP-SYN-flood protection # Added separate logging of pingfloods # Added automatic detection of parameters on internal interface # Made flooding-parameters variable # # 0.84: Added special ICMP-Filtering # # 0.83: Added ICMP-logging-chain # Some minor changes # # 0.82: Reorganized parts of the script # Added special user-chains # # 0.80: Altered logging strings to match fireparse # # 0.78: Added many comments # Completed flushing of tables (missing -X) # # 0.75: Added automatic detection of IP-address, gateway, etc of external interface # # 0.7: Added new logging-chains # # 0.65: Added special sanity checks for TCP-Flags # Silently filter out SMB-traffic # Removed unclean-checks (according to some docs still unstable) # # 0.6: Major redesign of whole script, divided into chain-sections # # 0.5: Adopted parts of firewall-script from http://members.optusnet.com.au/~technion/ # Minor changes # # ######################################################################################## # This is the location of the iptables command IPTABLES="/sbin/iptables" case "$1" in stop) echo "Shutting down firewall..." $IPTABLES -F $IPTABLES -F -t mangle $IPTABLES -F -t nat $IPTABLES -X $IPTABLES -X -t mangle $IPTABLES -X -t nat $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT echo "...done" ;; status) echo $"Table: filter" $IPTABLES --list echo $"Table: nat" $IPTABLES -t nat --list echo $"Table: mangle" $IPTABLES -t mangle --list ;; restart|reload) $0 stop $0 start ;; start) echo "Starting Firewall..." echo "" ##--------------------------Begin Firewall---------------------------------## #----Default-Interfaces-----# ## Default external interface (used, if EXTIF isn't specified on command line) DEFAULT_EXTIF="eth1" ## Default internal interface (used, if INTIF isn't specified on command line) DEFAULT_INTIF="eth0" #----Special Variables-----# # IP Mask for all IP addresses UNIVERSE="0.0.0.0/0" # Specification of the high unprivileged IP ports. UNPRIVPORTS="1024:65535" # Specification of X Window System (TCP) ports. XWINPORTS="6000:6063" # Ports for IRC-Connection-Tracking IRCPORTS="6665,6666,6667,6668,1024,1025,1026,1027" #-----Port-Forwarding Variables-----# #For port-forwarding to an internal host, define a variable with the appropriate #internal IP-Address here and take a look at the port-forwarding sections in the FORWARD + #PREROUTING-chain: #These are examples, uncomment to activate #IP for forwarded Battlecom-traffic #BATTLECOMIP="192.168.0.5" #Bittorrent Computer BITTORRENT=192.168.10.10 BITTPORT=57981 MONOTONE=192.168.10.10 MONOTONEPORT=4691 #Vonage VONAGEIP=192.168.10.6 VONAGEPORTS=10000:20000 #Blizzard Downloader BLIZZARD_DEST=192.168.10.95 BLIZZARD_PORTS=3724,6112,6881:6999 #BLIZZARD_PORTS=3724 #IP for forwarded HTTP-traffic HTTPIP="192.168.10.250" #----Flood Variables-----# # Overall Limit for TCP-SYN-Flood detection TCPSYNLIMIT="5/s" # Burst Limit for TCP-SYN-Flood detection TCPSYNLIMITBURST="10" # Overall Limit for Loggging in Logging-Chains LOGLIMIT="2/s" # Burst Limit for Logging in Logging-Chains LOGLIMITBURST="10" # Overall Limit for Ping-Flood-Detection PINGLIMIT="5/s" # Burst Limit for Ping-Flood-Detection PINGLIMITBURST="10" #----Automatically determine infos about involved interfaces-----# ### External Interface: ## Get external interface from command-line ## If no interface is specified then set $DEFAULT_EXTIF as EXTIF if [ "x$2" != "x" ]; then EXTIF=$2 else EXTIF=$DEFAULT_EXTIF fi echo External Interface: $EXTIF ## Determine external IP EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`" if [ "$EXTIP" = '' ]; then echo "Aborting: Unable to determine the IP-address of $EXTIF !" exit 1 fi echo External IP: $EXTIP ## Determine external gateway EXTGW=`route -n | grep '0.0.0.0' | grep -A 4 UG | awk '{ print $2}'` echo Default GW: $EXTGW echo " --- " ### Internal Interface: ## Get internal interface from command-line ## If no interface is specified then set $DEFAULT_INTIF as INTIF if [ "x$3" != "x" ]; then INTIF=$3 else INTIF=$DEFAULT_INTIF fi echo Internal Interface: $INTIF ## Determine internal IP INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`" if [ "$INTIP" = '' ]; then echo "Aborting: Unable to determine the IP-address of $INTIF !" exit 1 fi echo Internal IP: $INTIP ## Determine internal netmask INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`" echo Internal Netmask: $INTMASK ## Determine network address of the internal network INTLAN=$INTIP'/'23 echo Internal LAN: $INTLAN echo "" #----Load IPTABLES-modules-----# #Insert modules- should be done automatically if needed #If the IRC-modules are available, uncomment them below echo "Loading IPTABLES modules" dmesg -n 1 #Kill copyright display on module load /sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_nat_ftp /sbin/modprobe ip_conntrack_irc ports=$IRCPORTS /sbin/modprobe ip_nat_irc ports=$IRCPORTS dmesg -n 6 echo " --- " #----Clear/Reset all chains-----# #Clear all IPTABLES-chains #Flush everything, start from scratch $IPTABLES -F $IPTABLES -F -t mangle $IPTABLES -F -t nat $IPTABLES -X $IPTABLES -X -t mangle $IPTABLES -X -t nat #Set default policies to DROP $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP #----Set network sysctl options-----# echo "Setting sysctl options" #Enable forwarding in kernel echo 1 > /proc/sys/net/ipv4/ip_forward #Disabling IP Spoofing attacks. echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter echo 1 > /proc/sys/net/ipv4/conf/${EXTIF}/rp_filter #Don't respond to broadcast pings (Smurf-Amplifier-Protection) echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #Block source routing echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route #Kill timestamps echo 0 > /proc/sys/net/ipv4/tcp_timestamps #Enable SYN Cookies echo 1 > /proc/sys/net/ipv4/tcp_syncookies #Kill redirects echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects #Enable bad error message protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses #Log martians (packets with impossible addresses) echo 1 > /proc/sys/net/ipv4/conf/all/log_martians #Set out local port range echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range #Reduce DoS'ing ability by reducing timeouts echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time echo 1 > /proc/sys/net/ipv4/tcp_window_scaling echo 1 > /proc/sys/net/ipv4/tcp_sack echo 1 > /proc/sys/net/ipv4/tcp_timestamps #Ignore icmp echo (ping) broadcast events echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo " --- " echo "Creating user-chains" #----Create logging chains-----# ##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding ##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com) #Invalid packets (not ESTABLISHED,RELATED or NEW) $IPTABLES -N LINVALID $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=INVALID:1 a=DROP " $IPTABLES -A LINVALID -j DROP #TCP-Packets with one ore more bad flags $IPTABLES -N LBADFLAG $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=BADFLAG:1 a=DROP " $IPTABLES -A LBADFLAG -j DROP #Logging of connection attempts on special ports (Trojan portscans, special services, etc.) $IPTABLES -N LSPECIALPORT $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=SPECIALPORT:1 a=DROP " $IPTABLES -A LSPECIALPORT -j DROP #Logging of possible TCP-SYN-Floods $IPTABLES -N LSYNFLOOD $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=SYNFLOOD:1 a=DROP " $IPTABLES -A LSYNFLOOD -j DROP #Logging of possible Ping-Floods $IPTABLES -N LPINGFLOOD $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=PINGFLOOD:1 a=DROP " $IPTABLES -A LPINGFLOOD -j DROP #All other dropped packets $IPTABLES -N LDROP $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=TCP:1 a=DROP " $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=UDP:2 a=DROP " $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=ICMP:3 a=DROP " $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=FRAGMENT:4 a=DROP " $IPTABLES -A LDROP -j DROP #All other rejected packets $IPTABLES -N LREJECT $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=TCP:1 a=REJECT " $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=UDP:2 a=REJECT " $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=ICMP:3 a=REJECT " $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=FRAGMENT:4 a=REJECT " $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable $IPTABLES -A LREJECT -j REJECT #----Create Accept-Chains-----# #TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in $IPTABLES -N TCPACCEPT $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT #----Create special User-Chains-----# #CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan) $IPTABLES -N CHECKBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG #FILTERING FOR SPECIAL PORTS #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs) #SMB-Traffic $IPTABLES -N SMB $IPTABLES -A SMB -p tcp --dport 137 -j DROP $IPTABLES -A SMB -p tcp --dport 138 -j DROP $IPTABLES -A SMB -p tcp --dport 139 -j DROP $IPTABLES -A SMB -p tcp --dport 445 -j DROP $IPTABLES -A SMB -p udp --dport 137 -j DROP $IPTABLES -A SMB -p udp --dport 138 -j DROP $IPTABLES -A SMB -p udp --dport 139 -j DROP $IPTABLES -A SMB -p udp --dport 445 -j DROP $IPTABLES -A SMB -p tcp --sport 137 -j DROP $IPTABLES -A SMB -p tcp --sport 138 -j DROP $IPTABLES -A SMB -p tcp --sport 139 -j DROP $IPTABLES -A SMB -p tcp --sport 445 -j DROP $IPTABLES -A SMB -p udp --sport 137 -j DROP $IPTABLES -A SMB -p udp --sport 138 -j DROP $IPTABLES -A SMB -p udp --sport 139 -j DROP $IPTABLES -A SMB -p udp --sport 445 -j DROP #Inbound Special Ports $IPTABLES -N SPECIALPORTS #Deepthroat Scan $IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT #Subseven Scan $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT $IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT $IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT #Netbus Scan $IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT #Back Orifice scan $IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT #X-Win $IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT #Hack'a'Tack 2000 $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT #ICMP/TRACEROUTE FILTERING #Inbound ICMP/Traceroute $IPTABLES -N ICMPINBOUND #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT # $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP #Block ICMP-address-mask (can help to prevent OS-fingerprinting) $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP #Allow all other ICMP in $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT #Outbound ICMP/Traceroute $IPTABLES -N ICMPOUTBOUND #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP #Block ICMP-TTL-Expired #MS Traceroute (MS uses ICMP instead of UDp for tracert) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP #Block ICMP-Parameter-Problem $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP #Block ICMP-address-mask (can help to prevent OS-fingerprinting) $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP ##Accept all other ICMP going out $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT ######## # Throttle SSH connections by host # to prevent brute force attacks ######## $IPTABLES --new-chain SSHTHROTTLE $IPTABLES --flush SSHTHROTTLE $IPTABLES --append SSHTHROTTLE --match recent --name ssh_throttle --seconds $(( 3600 * 18)) --update -j DROP $IPTABLES --append SSHTHROTTLE --match limit --limit 3/hour -j RETURN $IPTABLES --append SSHTHROTTLE --match recent --name ssh_throttle --set -j DROP #----End User-Chains-----# echo " --- " #----Start Ruleset-----# echo "Implementing firewall rules..." ################# ## INPUT-Chain ## (everything that is addressed to the firewall itself) ################# ##GENERAL Filtering # Kill INVALID packets (not ESTABLISHED, RELATED or NEW) $IPTABLES -A INPUT -m state --state INVALID -j LINVALID # Check TCP-Packets for Bad Flags $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG ##Packets FROM FIREWALL-BOX ITSELF #Local IF $IPTABLES -A INPUT -i lo -j ACCEPT # #Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter) $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT ##Packets FROM INTERNAL NET ##Allow unlimited traffic from internal network using legit addresses to firewall-box ##If protection from the internal interface is needed, alter it $IPTABLES -A INPUT -i ! $EXTIF -s $INTLAN -j ACCEPT #Allow Local DHCP Service Nonsense $IPTABLES -I INPUT -i ! $EXTIF -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT #Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should be already catched by rp_filter) $IPTABLES -A INPUT -s $INTLAN -j LREJECT ##Packets FROM EXTERNAL NET ## DHCP Server on ISP's Site $IPTABLES -I INPUT -i $EXTIF -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 67 --dport 68 -j ACCEPT if [ -f /var/lib/dhcp3/dhclient.${EXTIF}.leases ]; then DHCPSID=$(grep dhcp-server-identifier /var/lib/dhcp3/dhclient.${EXTIF}.leases | tail --lines=1 | sed --expression='s;.* $[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$.*;\1;') echo $IPTABLES -I INPUT -i $EXTIF -p udp --sport 67 --dport 68 --source "$DHCPSID" -j ACCEPT $IPTABLES -I INPUT -i $EXTIF -p udp --sport 67 --dport 68 --source "$DHCPSID" -j ACCEPT fi ##ICMP & Traceroute filtering #Filter ICMP $IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND #Block UDP-Traceroute $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP ##Silent Drops/Rejects (Things we don't want in our logs) #Drop all SMB-Traffic $IPTABLES -A INPUT -i $EXTIF -j SMB #Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection) $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset ##Public services running ON FIREWALL-BOX (comment out to activate): # ftp-data #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT # ftp #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT # ssh $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j TCPACCEPT $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 --syn -j SSHTHROTTLE $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 --match state --state NEW -j TCPACCEPT #telnet #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT # smtp #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j TCPACCEPT # DNS $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT $IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT # http # $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT # https #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT # POP-3 #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT ##Separate logging of special portscans/connection attempts $IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS ##Allow ESTABLISHED/RELATED connections in $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT ##Catch all rule $IPTABLES -A INPUT -j LDROP ################## ## Output-Chain ## (everything that comes directly from the Firewall-Box) ################## ##Packets TO FIREWALL-BOX ITSELF #Local IF $IPTABLES -A OUTPUT -o lo -j ACCEPT ##Packets TO INTERNAL NET #Allow unlimited traffic to internal network using legit addresses $IPTABLES -A OUTPUT -o ! $EXTIF -d $INTLAN -j ACCEPT ##Packets TO EXTERNAL NET ##NTP $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport ntp --dport ntp -j ACCEPT ##ICMP & Traceroute $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND ##Silent Drops/Rejects (Things we don't want in our logs) #SMB $IPTABLES -A OUTPUT -o $EXTIF -j SMB #Ident $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset ##Public services running ON FIREWALL-BOX (comment out to activate): # ftp-data #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 20 -j ACCEPT # ftp #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 21 -j ACCEPT # ssh $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 8193 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #telnet #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT # smtp #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT # DNS $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT # http #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT # https #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT # POP-3 #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT # DHCP Server on ISP's Site $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 68 --dport 67 --source 0.0.0.0 --destination 255.255.255.255 -j ACCEPT if [ -f /etc/dhcpc/dhcpcd-${EXTIF}.info ]; then DHCPSID=$(grep DHCPSID /etc/dhcpc/dhcpcd-${EXTIF}.info | awk -F= '{print $2}') $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 68 --dport 67 --destination $DHCPSID -j ACCEPT fi # DHCP Server inside Firewall Box $IPTABLES -A OUTPUT -o ! $EXTIF -p udp --sport 67 --dport 68 -j ACCEPT ##Accept all tcp/udp traffic on unprivileged ports going out $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT ##Catch all rule $IPTABLES -A OUTPUT -j LDROP #################### ## FORWARD-Chain ## (everything that passes the firewall) #################### ##GENERAL Filtering # optimal forwarding rates $IPTABLES -A FORWARD -i ! $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -m state --state NEW -j ACCEPT #Kill invalid packets (not ESTABLISHED, RELATED or NEW) $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID # Check TCP-Packets for Bad Flags $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG # Bad Broadcasting $IPTABLES -A FORWARD -d 255.255.255.255 -j DROP $IPTABLES -A FORWARD -d 192.168.10.0 -j DROP $IPTABLES -A FORWARD -d 192.168.11.0 -j DROP # Spoofing $IPTABLES -A FORWARD -i $EXTIF -s 192.168.10.0/23 -j LDROP ##Silent Drops/Rejects (Things we don't want in our logs) #SMB $IPTABLES -A FORWARD -o $EXTIF -j SMB $IPTABLES -A FORWARD -p tcp -m multiport --destination-ports 137,138,139,445 -j DROP $IPTABLES -A FORWARD -p udp -m multiport --destination-ports 137,138,139,445 -j DROP ##Filtering FROM INTERNAL NET ##Special Drops/Rejects # - To be done - ##Filter for some Trojans communicating to outside # - To be done - ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING) #HTTP-Forwarding #$IPTABLES -A FORWARD -o $EXTIF -s $HTTPIP -p tcp --sport 80 -j ACCEPT ##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT ##Allow non-external nets to talk to each other, q.v. wireless to wired "internal" networks $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p tcp -m multiport --destination-ports ssh,sunrpc,snmp,snmptrap,631,940,943,946,949 -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p udp -m multiport --destination-ports ssh,sunrpc,snmp,snmptrap,631,940,943,946,949 -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p tcp -m multiport --destination-ports $UNPRIVPORTS -j ACCEPT $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p udp -m multiport --destination-ports $UNPRIVPORTS -j ACCEPT ##Filtering FROM EXTERNAL NET ##Silent Drops/Rejects (Things we don't want in our logs) #SMB Handled Above #$IPTABLES -A FORWARD -i $EXTIF -j SMB ##Allow replies coming in $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -m state --state RELATED -j ACCEPT ##Port-Forwarding [inbound] (--> Also see chain PREROUTING) #HTTP-Forwarding $IPTABLES -A FORWARD -i $EXTIF -p tcp -d $HTTPIP --dport 80 -j ACCEPT #Battlecom-Forwarding #$IPTABLES -A FORWARD -p tcp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT #$IPTABLES -A FORWARD -p udp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT #$IPTABLES -A FORWARD -p tcp --dport 47624 -i $EXTIF -d $BATTLECOMIP -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport $BITTPORT -i $EXTIF -d $BITTORRENT -j ACCEPT $IPTABLES -A FORWARD -p udp --dport $BITTPORT -i $EXTIF -d $BITTORRENT -j ACCEPT $IPTABLES -A FORWARD -p tcp --dport $MONOTONEPORT -i $EXTIF -d $MONOTONE -j ACCEPT $IPTABLES -A FORWARD -p udp --dport $VONAGEPORTS -i $EXTIF -d $VONAGEIP -j ACCEPT $IPTABLES -A FORWARD -p tcp --match multiport --destination-ports $BLIZZARD_PORTS -i $EXTIF -d $BLIZZARD_DEST -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -d $BLIZZARD_DEST -p tcp --match multiport --destination-ports $BLIZZARD_PORTS --match state --state NEW -j ACCEPT ##Catch all rule/Deny every other forwarding $IPTABLES -A FORWARD -j LDROP ################ ## PREROUTING ## ################ ##Port-Forwarding (--> Also see chain FORWARD) ##NTP $IPTABLES -A PREROUTING -t nat -i ! $EXTIF -p udp --destination-port ntp -j REDIRECT ##HTTP $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp -d $EXTIP --dport 80 -j DNAT --to $HTTPIP ##Battlecom #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 47624 -i $EXTIF -j DNAT --to $BATTLECOMIP:47624 $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port $BITTPORT -i $EXTIF -j DNAT --to $BITTORRENT:$BITTPORT $IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port $BITTPORT -i $EXTIF -j DNAT --to $BITTORRENT:$BITTPORT ##Monotone $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port $MONOTONEPORT -i $EXTIF -j DNAT --to $MONOTONE:$MONOTONEPORT ##Vonage $IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port $VONAGEPORTS -i $EXTIF -j DNAT --to $VONAGEIP ##Blizzard $IPTABLES -t nat -A PREROUTING --destination $EXTIP --in-interface $EXTIF -p tcp --tcp-flags SYN,ACK,FIN,RST SYN --match multiport --destination-ports $BLIZZARD_PORTS -j DNAT --to $BLIZZARD_DEST ################### ## POSTROUTING ## ################### #Masquerade from Internal Net to External Net $IPTABLES -A POSTROUTING -t nat --out-interface $EXTIF -j SNAT --to-source $EXTIP # Initial Shape Classifier # gIive "overhead" packets highest priority $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -j CLASSIFY --set-class 1:60 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK -m length --length 40:68 -m state --state ESTABLISHED,RELATED -j CLASSIFY --set-class 1:10 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:10 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j CLASSIFY --set-class 1:10 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:10 #$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --set-class 1:10 #$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --set-class 1:10 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL FIN -j CLASSIFY --set-class 1:10 # interactive SSH traffic and UDP gaming $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p udp -j CLASSIFY --set-class 1:20 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF --source $VONAGEIP -p udp -j RETURN $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p udp -j CLASSIFY --set-class 1:30 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20 # interactive mail or web traffic $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -m multiport --dport http,pop2,pop3,imap,https,imaps -j CLASSIFY --set-class 1:30 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -m multiport --sport http,pop2,pop3,imap,https,imaps -j CLASSIFY --set-class 1:30 # dns lookups $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport domain -j CLASSIFY --set-class 1:30 # ICMP $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p icmp -m length --length 28:1500 -m limit --limit 2/s --limit-burst 5 -j CLASSIFY --set-class 1:40 # bulk traffic $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport ssh -m length --length 101: -j CLASSIFY --set-class 1:50 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport ssh -m length --length 101: -j CLASSIFY --set-class 1:50 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport 25 -j CLASSIFY --set-class 1:50 $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport 6667 -j CLASSIFY --set-class 1:50 ip6tables -P FORWARD DROP #------End Ruleset------# echo "...done" echo "" echo "--> IPTABLES firewall loaded/activated <--" ##--------------------------------End Firewall---------------------------------## ;; *) echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF" exit 1 esac exit 0

Tuesday 24 June 2008

Deki Wiki & Anti-patterns

Deki Wiki Overview

MindTouch Deki Wiki is a free open source wiki and application platform for communities and enterprises. Deki Wiki is an easy to use and sophisticated wiki for authoring, aggregating, organizing, and sharing content. Deki Wiki is also a platform for creating collaborative applications, or adding wiki capabilities to existing applications.

Anti-pattern

Friday 20 June 2008

google tools

Custom Search Engine

Have a website or collection of sites you'd like to search over? With Custom Search Engine, you can harness the power of Google to create a search engine tailored to your needs.

Create a search engine tailored to your needs

Include one website, multiple websites, or specific webpages
Host the search box and results on your own website
Customize the colors and branding to match your existing webpages
Learn more with our featured examples, developer documentation, and FAQs

Website Optimiser

Increase your site's conversion rate

Website Optimiser, Google's free website testing and optimisation tool, allows you to increase the value of your existing websites and traffic without spending a penny. Using Website Optimiser to test and optimise site content and design, you can quickly and easily increase revenue and ROI, whether you're new to marketing or an expert.

Google Send to Phone

Introduction

Google Send to Phone for Firefox is an extension that enables you to send short text messages of web page content to your mobile phone. For example, you might text message yourself a phone number, an address, or directions that you find on the Web.

Thursday 19 June 2008

Two ways to do XSLT processing on Linux

use xsltproc system command
use Python:

  from Ft.Xml import InputSource
    from Ft.Xml.Xslt.Processor import Processor

    document = InputSource.DefaultFactory.fromUri(xmlfile)
    stylesheet = InputSource.DefaultFactory.fromUri(xsltfile)
     # there's also a fromString() method
    
    processor = Processor()
    processor.appendStylesheet(stylesheet)
    result = processor.run(document)

Open source developers conference 2008 - Sydney Australia

http://www.osdc.com.au/2008/index.html

Monday 16 June 2008

The NSW Enterprise Workshop

The Enterprise Workshop program

4 month part-time program
Run primarily outside business hours
Two programs are offered each year – March to July & July to November
~65 hrs of face-to-face sessions plus ~15 hrs of interactive online sessions via the Workshop blogging site (for participants only).

The program begins with face-to-face sessions in which senior business people provide instruction and advice on the essential elements of contemporary business practice.

Subsequently, participants work as a member of a small project team under the guidance of a mentor to analyse and prepare marketing, operations and financial plans to either:

improve the performance of an existing business; or
evaluate the commercial potential and plan the introduction of a new business.

The program structure follows a well-established formula solidly based on practical 'hands-on' business experience. It is 'real-world' learning - not academic or theoretical!

Costs $4000 for individual

Underhanded C contest & Simple directmedia layer

Underhanded C contest

Introduction

We hereby announce our fourth annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil.

Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.

As of June 12, the 2008 Underhanded C Contest is officially underway. The deadline is September 30th to submit an innocent-looking source file with carefully concealed malicious behavior.

Simple DirectMedia Layer is a cross-platform multimedia library designed to provide low level access to audio, keyboard, mouse, joystick, 3D hardware via OpenGL, and 2D video framebuffer. It is used by MPEG playback software, emulators, and many popular games, including the award winning Linux port of "Civilization: Call To Power."

SDL supports Linux, Windows, Windows CE, BeOS, MacOS, Mac OS X, FreeBSD, NetBSD, OpenBSD, BSD/OS, Solaris, IRIX, and QNX. The code contains support for AmigaOS, Dreamcast, Atari, AIX, OSF/Tru64, RISC OS, SymbianOS, and OS/2, but these are not officially supported.

SDL is written in C, but works with C++ natively, and has bindings to several other languages, including Ada, C#, D, Eiffel, Erlang, Euphoria, Guile, Haskell, Java, Lisp, Lua, ML, Objective C, Pascal, Perl, PHP, Pike, Pliant, Python, Ruby, Smalltalk, and Tcl.

SDL is distributed under GNU LGPL version 2. This license allows you to use SDL freely in commercial programs as long as you link with the dynamic library.

SDL_image 1.2

Friday 13 June 2008

Cool comments

http://www.codinghorror.com/blog/archives/001130.html
Programming is all about knowing when to boil the orange sponge donkey across the phillipines with an orangutang gorilla crossed with a ham sandwich to the fourth power of twelve across the nile with an awful headache from the previous night when all of alfred's naughty jalapeno peppers frog-marched the nordic elves across the loom-lined geronimo induced swamp donkey over and above the fortran fortified kilomanjaro fence past the meticulously crafted anti disgusting sponge cake scenario where all the hats doth quoteth the milk which is not unlike the super werewolf from the infinite realm of ninja-step. it's hard to define, really.

Thursday 12 June 2008

Python matplotlib and web severs

http://www.answermysearches.com/index.php/making-dynamic-charts-and-graphs-for-your-webpage/135/
http://matplotlib.sourceforge.net/
Requires Python 2.4

NTP scripts

http://www.david-taylor.myby.co.uk/ntp/NTPandMRTG.txt

People have asked how I get the NTP statistics plotted by
MRTG.  Well I got the idea from Piotr Trojanek who had the 
 following code for Unix:

#!/bin/sh

ntpq -c rv \
	|tail -n 1 \
	|sed 's/[a-z=,]//g' \
	|mawk '{printf "%d\n%d\n",
	int(($1 > 0) ? $1 : -$1),
	int(($2 > 0) ? $2 : -$2)}'
 
ntpdc -c sysstats \
	|mawk '{TOTSEC = $3;
		H = int(TOTSEC/3600);
		TOTSEC -= H*3600;
		M = int(TOTSEC/60);
		TOTSEC -= M*60;
		printf "%02d:%02d:%02d\n", H, M, TOTSEC;
		exit 0}'
 echo "ntp_host"

as the command to be run from MRTG, but as I am running 
Windows, I substituted a Perl script for the Unix script.
The first step is to get MRTG to take its data from a 
command line rather than an SNMP query.  You do this by 
 placing the command to run in back-quotes as the argument
to an MRTG "Target" statement.  Then you need to write the
command or script to write the four values MRTG is expecting 
to standard output.
 ---------------------------------------------------------------


Extract from mrtg.cfg
---------------------------------------------------------------

Target[odin_ntp]: `perl GetNTP.pl odin`
MaxBytes[odin_ntp]: 200
 MaxBytes2[odin_ntp]: 200
Unscaled[odin_ntp]: dwmy
Timezone[odin_ntp]: GMT
Title[odin_ntp]: NTP statistics for Odin - offset from NTP
Options[odin_ntp]: integer, gauge, nopercent, growright
YLegend[odin_ntp]: offset+100 ms
 ShortLegend[odin_ntp]: ms
LegendI[odin_ntp]: 
LegendO[odin_ntp]: offset:&nbsp;
Legend1[odin_ntp]: n/a
Legend2[odin_ntp]: time offset in ms, with 100ms offset added to ensure it's positive!
PageTop[odin_ntp]: <H1>NTP -- PC Odin</H1>
 

Perl script run to manipulate NTPQ output - file: GetNTP.pl
-----------------------------------------------------------

$ntp_str = `ntpq -c rv $ARGV[0]`;
$val = (split(/\,/,$ntp_str))[20];
$val =~ s/offset=//i;
 $val = int ($val + 100);
if ($val < 0) {
  $val = 0;
}
print "0\n";
print "$val\n";
print "0\n";
print "0\n";


-----------------------------------------------------------
 Update 2004-Mar-13:

Thanks to Jim O'Boyle, who mentioned that I could use parameter-passing from 
the mrtg.cfg to avoid hard-coding the node name into GetNTP.pl.  The version 
above includes his update.
 
Thanks, Jim!


-----------------------------------------------------------
Update 2006-Jul-10:

In February, I added a simple stratum 1 server, and added a different version
of the Perl script to cover the more limited range of +/-20 microseconds 
 (displayed as 0..40us).  By July, the GPS was failing more often (tree leaf 
growth?), so I modified the script to limit on both positive and negative
excursions (as without the GPS the server could be hundreds of microseconds
 out).

$ntp_str = `ntpq -c rv $ARGV[0]`;
$val = (split(/\,/,$ntp_str))[20];
$val =~ s/offset=//i;
$val = 1000.0 * $val;	# convert to microseconds
$report = int ($val + 20);
if ($report < 0) {
  $report = 0;
 }
if ($report > 40) {
  $report = 40;
}
print "0\n";
print "$report\n";
print "0\n";
print "0\n";


Thanks, Jim!

Friday 6 June 2008

Itrade - system written in python

http://itrade.sourceforge.net/snaps.htm

ProfitPy is a set of libraries and tools for the development, testing, and execution of automated trading systems.

Python - Generating Sparkline Graphs For Stock Pricing

http://coreygoldberg.blogspot.com/2008/06/python-generating-sparkline-graphs-for.html

Thursday, June 5, 2008

Python - Generating Sparkline Graphs For Stock Pricing

In a previous post, I introduced the new historical stock pricing function in the ystockquote.py module.

Here is an interesting use of the module to create sparklines of historical stock pricing for a given stock.

To generate the sparklines, I use Grig Gheorghiu's Sparkplot Python module (which uses Matplotlib for graphing).

This module expects a file named data.txt, which contains lines of data to be graphed. All you need to do is generate a data file with the pricing data, and the Sparkplot module will take care of the rest.

To generate the data, I use a script like this:

 import ystockquote

ticker = 'GOOG'
start = '20080101'
end = '20080523'

data = ystockquote.get_historical_prices(ticker, start, end)

closing_prices = [x[4] for x in data][1:]
 closing_prices.reverse()

fh = open('data.txt', 'w')
for closing_price in closing_prices:
    fh.write(closing_price + '\n')
fh.close()

Now that you have the data.txt file setup, you can call the Sparkplot script via the command line to generate the sparkline image:

 python sparkplot.py --label_first --lable_last

*Note: The Sparkplot module needs Matplotlib installed.

The sparkline output is an image (png) like this:

Posted by Corey Goldberg at 9:32 AM

Fully Automated Nagios Linux distribution

FAN (Fully Automated Nagios)

FAN (Fully Automated Nagios) aims to provide a CD based on CentOS in order to simplify installation of Nagios and other Nagios tools. Tools installed by FAN are: Linux, MySQL, Nagios, Nagios Plugins, NaReTo, NagVis, Centreon, Net-SNMP and NDOUtils. Version 0.3 was recently released.

Wednesday 4 June 2008

Big databases

Welcome to HBase!

HBase is the Hadoop database. Its an open-source, distributed, column-oriented store modeled after the Google paper, Bigtable: A Distributed Storeage System for Structured Data by Chang et al. Just as Bigtable leverages the distributed data storage provided by the Google File System, HBase provides Bigtable-like capabilities on top of Hadoop.

HBase's goal is the hosting of very large tables -- billions of rows X millions of columns -- atop clusters of commodity hardward. Try it if your plans for a data store run to big.

http://tomictech.com/blog/?p=9

What is sharding?

While working at Auction Watch, Dathan got the idea to solve their scaling problems by creating a database server for a group of users and running those servers on cheap Linux boxes. In this scheme the data for User A is stored on one server and the data for User B is stored on another server. It's a federated model. Groups of 500K users are stored together in what are called shards.

Tuesday 3 June 2008

Goosh google shell and Meow - Twitter on Google App. Engine

goosh.org - the unofficial google shell.

This google-interface behaves similar to a unix-shell.
You type commands and the results are shown on this page.

goosh is written by Stefan Grothkopp it is NOT an official google product!

appengine vs twitter

Eric Moritz

So Glenn Franxman was opining this afternoon about how twitter is going to reach a point where they're going to grow to big and need to make money somehow. He said that they're either going to have to throw ads everywhere or hope to be aquired.

He thinks that they're like every startup in web 2.0 where they're hoping to be aquired by Google.

I said to him, "Why would Google aquire them? I could write twitter on google app engine in like 30 minutes."

Well it took me two hours to shoehorn Django into GAE and about an hour to get a working prototype. It's far from complete, but it works. I still have to integrate textmarks to enable SMS i/o, add following and replies, but it works.

You can view the app at http://meow.appspot.com/ and you can checkout the code at https://code.launchpad.net/~ericmoritz/+junk/meow

Monday 2 June 2008

C++ website toolkit

Wt (pronounced 'witty') is a C++ library and application server for developing and deploying web applications. It is not a 'framework', which enforces a way of programming, but a library.
A web application developed with Wt is written in only one compiled language (C++), from which the library generates the necessary HTML/XHTML, Javascript, CGI, SVG/VML/Canvas and AJAX code. The responsibility of writing secure and browser-portable web applications is handled by Wt. For example, if available, Wt will maximally use JavaScript and AJAX, but applications developed using Wt will also function correctly when AJAX is not available, or when JavaScript is disabled, reverting to a plain HTML/CGI mechanism for communication between browser and server.

Uses

Ext JS 2.0

Ext JS is a cross-browser JavaScript library for building rich internet applications.

Wt: A Web Toolkit

Writing web applications using a C++ GUI programming style

http://www.webtoolkit.eu/wt/hello.C

Monday 30 June 2008

Friday 27 June 2008

TCP Shaper Script

Firewall Script

Tuesday 24 June 2008

Friday 20 June 2008

Website Optimiser

Increase your site's conversion rate

Introduction

Thursday 19 June 2008

Monday 16 June 2008

Introduction

Friday 13 June 2008

Thursday 12 June 2008

Friday 6 June 2008

Thursday, June 5, 2008

Wednesday 4 June 2008

Welcome to HBase!

What is sharding?

Tuesday 3 June 2008

Eric Moritz

Monday 2 June 2008

Wt: A Web Toolkit

tim's shared items

Blog Archive

About Me