Thursday, July 21, 2011

netstat oneliner: list the ports that are listening

A really quick one tonight. It will be nice to actually have some time soon to expound more on these things as this semester winds down (and maybe only one more to finish the Masters!)

Sometimes I want to konw what ports are listening on a server. I can use this information to help troubleshoot a non-working inbound connection or I can use this to make sure that specific ports are NOT listening. Run the below as root or using sudo:

netstat -an | grep -i listen     or    netstat -an | grep "LISTEN"

This command can, like every unix command I can think of tonight, can be used/piped with other commands, such as awk in order to clean-up/format the output.

Tuesday, July 19, 2011

ps oneliner: search for a specific running process

Have you ever wanted to verify/search for a running process? Or, have you ever wanted to see if you had multiple counts of the same process, possibly indicating orphans or hung processes?

It's rather easy! As an example, assuming you are logged in as root or su'd, and looking for snort:

ps -ef | grep -v grep | grep snort

The "grep -v grep" command will invert the selection for lines matching "grep" it will print ONLY lines that do not contain "grep". Why is this important?'s not. However, the grep command is a process itself so if you have one running snort process, you will get two lines returned:
- the line containing the actual results for the real snort process
- the line containing the grep action(s)

So, assuming that you have only snort running, and running only once, this command would return one line, showing the snort process information (including startup arguments...yay!)

But what if you need to count how many processes? Add the -c switch to the final pipe to grep:

ps -ef | grep -v grep | grep -c snort

This will return an integer value of the number of processes containing snort in the return of the ps command.
It's important to note that this DOES count/show EVERY line of the ps output that contains "snort". This could, if you were running other programs that integrated with snort parts, such as Barnyard, count/show more than one line.

 There is a lot more fun that could be had with this. For example, you could search for more than one process, use awk to strip their PIDs, and then find the difference of the two....a quick way to see if one of a group of automatically started programs might be have hung after the other one(s) restarted.

Don't forget these helpful notes too:
grep -i
||              ...logical OR operator...look for this OR that
&&          ...logical AND operator....must match BOTH
     --cat filename1 | grep something1 | grep something2 inherently a logical AND operation

Sunday, July 17, 2011

grep oneliner: get the line you want and its neighbors

Grep is great for printing out a line (or multiple lines) that match a given value. However, I have found it sometimes helpful to search large files, especially log files, at get the line I want plus a few before and after.

If I want to find errors in the /var/log/messages file and I know the line will contain the word "ERROR", I can use the below to get all the lines matching (case-sensitive in this example) as well as 3 before and 3 after.

grep ERROR -B 3 -A 3 /var/log/messages

Friday, July 15, 2011

Book Review Pending for ACM: Spyware and Adware

In a few weeks, I think, I am going to have my third book review published in an ACM journal. Yay! While I would prefer to have time to actually do research and write something a little more substantial than a review, I do find the reviews to be a fun and enjoyable experience, as well as a learning one.

This most recent review for SIGACT was actually for a relatively smaller book (less than 200 pages). The book itself is called Spyware and Adware by John Aycock. I am going to withhold any in depth comments, but I will say that this is a book that could be useful for one of the largest ranges of people I can think of for a technical book. It's also part of a bigger series by Springer.

alias oneliner: make yum installs a little faster

I should preface this with: I KNOW that alias is a oneliner command by its very nature. :-)  But sometimes it's just fun to pass on even the little commands. dw

Ever get tired of entering:

yum install WhatIWant

then having to enter y or no to confirm. Or worse, being reminded by the system that you need to be root and then having to:

sudo yum install WhatIWant

An easy thing to do in the bash shell is to use an alias. If you want permanent aliases, you can easily create these as well by creating the ~/.bash_aliases file, which will then run at start up. The file should have one row per alias command, exactly the same way you  would enter the below on the command line:

alias myyumi='sudo yum -y install'

After running this command, I am now able to enter the below to install something and have the YES option assumed. The two side notes here are:
1) You must be in the sudoers file to execute this alias
2) If you do not have NOPASSWD set in the sudoers file then you WILL have to enter your password prior to the yum process starting.

I have met the two conditions above and run the alias command. Now I can run:

myyumy WhatIWant

and WhatIWant should install without any further interaction on my part (not accounting for any possible dependency hells that is).

A note on the nameing of my alias:
- I like to use 'my' at the start of aliases as a matter of personal preference....because I made it. :-)
- The 'yum' in the middle should be easy to grasp: it's a representation of the root command, in this case yum. If it was a command like system-config-network then I would use 'snc'
- The 'y' at the end is the parameter(s) I am including in the aliases. Metacharacters can be used in aliases too. So if I wanted to run the system-config-network aliased and in the background I would create the alias like:

alias mysnc&='system-config-network &'

Thursday, July 14, 2011

sed onliner: append a new line of text to a file

Missed a few days this week, but I think that it's okay to blame the homework and my birthday. I already posted one sed onliner dealing with the replacing of text. This one should append a new line to after a line that matches a sed script expression:


sed '/FINDME/ a\
The new line we are adding` fileToEdit.conf

The -i switch can be added to make this edit occur "in-place" (homework for the interested reader).
The new line is added after EVERY line matching the expression, in this case FINDME. I might get around to adding a part two to this, where you can append after only a single specific line, regardless of multiple matches. One way to do this would be with the ";" operator. However, I am getting back to my review assignment for school. Maybe tomorrow I will do this, or some Perl (yeah!)

Monday, July 11, 2011

tar oneliner: backup to a network location

tar is a pretty straightforward and handy tool that anyone administering anything on a *nix box should learn. If I don't have a typo, the below one liner will create a system backup, excluding the named directories and send it via SSH to a remote server, where the .tar file will be written. Errors are redirected ( 2> ) to a log file in /var/log/backups (assuming you have this directory and it has the appropriate permissions.
One last note: if you don't run this as root, you won't get a complete (if any) archive created.

Command (the line break is only formatting on here. This command can be entered on one line.
tar cvpj --exclude=/dev/* --exclude=/sys/* --exclude=/tmp/* / 2> /var/log/backups/`date +%d%M%Y`_Backup.log | ssh yourserver "cat > /home/backups/`date +%d%M%Y`_Backup.tar"

c - create backup tar
v - list files being tarred
p - maintain file perms
j - use bzip2 (slower but deeper compression) / can use z instead which is gzip
g - could be added to this string of commands in order to create incremental backups
--exclude=   exclude some directory. The trailing * will stop tar from creating an empty copy of the excluded directory.
ssh - should be self-explanatory

To schedule this, you can use at or create a new cron entry such as:
10 * * * 1,3,5 /usr/bin/backup
were /usr/bin/backup is a script containing the above tar command and the command should run at 12:10 am on Monday, Wednesday, and Friday (days 1, 3, and 5 of the week)

Sunday, July 10, 2011

ngrep oneliner: look for a domain name in DNS traffic

ngrep is a pretty useful tool and should be useful to any network security work. It is NOT the same as tcpdump, in case anyone was wondering. I may be a little off in my explanation tonight, but ngrep does something so much better than tcpdump: searches for regex's.

So, to search for a hostname, as a whole word, in DNS traffic in an already captured traffic file:

ngrep -w 'somehost' -I /stored/mypcaps.pcap port 53

Saturday, July 9, 2011

mtr oneliner: better than tracert sometimes

Another really quick on since I have two research papers to start .
A good tool for testing network link(s) is mtr. Check out the man page on your favorite linux machine or on the net.


or, to use only IPv4 and skip DNS resolution on each hop:
mtr 4 --no-dns

or, if you want to do the same thing but see how fast you can get into trouble at work or home:
mtr 4 --no-dns

Friday, July 8, 2011

netstat oneliner: what process are associated with what ports

Ever wanted to know what ports are open and what process is using these ports? Run the below as root and you should have your answer.

netstat -tlnp

Thursday, July 7, 2011

awk oneliner - remove all extra whitespace from file

Remove all extra whitespaces from each line of a file. Basically, a trim on both ends and all but one space between fields is removed:

awk '{ $1=$1; print }'

Yup...another very hard one to write. :-) But useful in formating. This could be combined with another awk to replace each single space between fields with a delimeter of your choice.

Wednesday, July 6, 2011

passwd oneliner - Locked user account listing

A quick one to get a list of user accounts that are locked out:

passwd -S -a | awk '/LK/{print $1}'

Pretty straightforward but must be run as root.

Sunday, July 3, 2011

grep oneliner: search for a value recursively

Ever forget exactly which file you had placed some particular code in and really wanted to find it quick. Here's a grep oneliner to do just that. In this example, I am looking for "#define MAX_VALUE" in a directory containing many source files and sub-directories.
grep -R --include "*.c" "#define MAX_VALUE" .

Note: the "." indicates the current directory in Linux. If your files are in a different tree, just replace the "." with that tree's root location. For example, if you wanted to look /usr/bin/local/:

grep -R --include "*.c" "#define MAX_VALUE" /usr/bin/local

Saturday, July 2, 2011

for oneliner - make backups in a directory

Create a backup copy of all filenames of a specific extension:
for f in *.c; do cp $f $f.c.backup; done
This will find all "c" files in the current directory you are in and then make a copy of them, appending ".backup" to the end of the original filename.

Simple, and maybe overused....yet so nice to use sometimes when pushing around a lot of files.

Friday, July 1, 2011

sed oneliner - replace text in file

One liner for use inside of a script where a line, or part of a line, or a file needs to be changed:

Suppose that we are passing the name of a file to edit to this script as the first parameter

OLDVARIABLE="the old variable"
NEWVARIABLE="the new variable"

This will do an in place (-i) edit of the file passed to the sed script (the first parameter $1). The sed script itself will do a substitution (s) of the first instance of OLDVARIABLE with the value of NEWVARIABLE. If you wanted to do this at every instance, add (g) to the end of the sed script /g"
The double qoutes around the sed script are not a typo...they are there because I am using variables instead of text or regex.
And that's my oneliner for today...snuck it right in before midnight.

July Gifts

My birthday is this month and I realized that not only am I getting a little older but it's been some time since I really posted on here. So, amidst a book review I am working on, family, school, an IEEE standard, and hopefully fishing, I have decided to try something new....but not really unique.
For the month of July, I want to try to post some useful oneliner script or small code block that I find helpful. I think I am going to start with some sed or awk love....but there are probably 8 billion of those on the net. I will think about while I dream of packets, beer, babes, and the beach. LOL

Updated my certs --- GSNA and MCTS

This last week I reviewed and sat the GSNA and the MS70-643 (which I was certain that I would fail). I ended up falling asleep in the GSNA and passing with 86%. Next time it'll be above 90% though. I was surprised at the 70-643. I took it cold a few months ago and bombed it...I think my score was just under 500. That was my first ever MS test experience and for some reason I thought the CISSP experience was more pleasant. In any event, I earned an 890 on that exam.
I had initially bought the vouchers (a 2-pack) for my previous job. However, I don't really need any MS certs now for where I am (Back in packet analysis heaven!!!!!). I do have another voucher out of the pack I bought, so I'll have to se that one. After that, maybe the full MCITP.
But I want to really look into is the SANS GSE or Cyber Guardian programs, the GREM, GCIH, and GCFA. Those sound like fun. Some linux ones would be cool too.
I realize that I like the certs. Not for my resume or my wall...but for my own sense of accomplishment. I mean let's face it, only the person sitting the exam knows for sure how much knowledge they had and how much brain-dump help that they had in passing. I like to learn new things, and expanding my skillset and then proving to ME that I learned something....I like that!!!

I even made a picture: