Tag: Linux

Bash shell script to query a domain name using dig without the any flag

How do I get all of the DNS records for a domain using the dig command in only “Answer Section” (+answer) format? The command should return A, MX, NS, TXT, SOA and CNAME records.

Normally using the “any” flag, we would get all of this information at once, however, when attempting to run a dig command with the ‘any’ switch, we do not get the DNS records we want:

dig jasoncoltrin.com any

The above command returns an answer section with only: “RFC8428” “”

According to chatgpt, this means that the ‘any’ query type is not guaranteed to return all the records for a given name, and some DNS servers may choose to return an empty answer instead. This is done to improve the performance and security of the DNS system.

Still, I want to have a single command to get the most information at once, and the following command does so, however, writing the command is impractical:

dig +noall +answer +multi jasoncoltrin.com A jasoncoltrin.com MX jasoncoltrin.com NS jasoncoltrin.com TXT jasoncoltrin.com SOA jasoncoltrin.com CNAME

I also tried the following with no luck:

dig +noall +answer jasoncoltrin.com A,MX,NS,TXT

This only returned the A records.

So instead, we can use a bash script to create a $domain variable, and have the script use the ‘read’ command to prompt us for the domain name:

#!/bin/bash

read -p "Enter the domain name: " domain

dig +noall +answer +multi $domain A $domain MX $domain NS $domain TXT $domain SOA $domain CNAME

To write the script, do the following:

vi digdomain.sh

(insert) > copy/paste script > (Escape) > :wq

Then make the script executable with the command:

chmod +x digdomain.sh

Run the command using the ./ prefix:

./digdomain.sh

When we run the script, we’re prompted for the domain name, then the result is most of the information we want in an easy-to-read format:

jason@ubuntu0:~$ ./digdomain.sh
Enter the domain name: jasoncoltrin.com
jasoncoltrin.com.       118 IN A 172.67.196.181
jasoncoltrin.com.       118 IN A 104.21.44.69
jasoncoltrin.com.       1854 IN MX 10 mailstore1.secureserver.net.
jasoncoltrin.com.       1854 IN MX 0 smtp.secureserver.net.
jasoncoltrin.com.       5652 IN NS daisy.ns.cloudflare.com.
jasoncoltrin.com.       5652 IN NS lee.ns.cloudflare.com.
jasoncoltrin.com.       300 IN TXT "Currently located in a black hole\" \"Likely to be eaten by a grue"
jasoncoltrin.com.       300 IN TXT "google-site-verification=key"
jasoncoltrin.com.       300 IN TXT "google-site-verification=key"
jasoncoltrin.com.       2052 IN SOA daisy.ns.cloudflare.com. dns.cloudflare.com. (
                                2305113011 ; serial
                                10000      ; refresh (2 hours 46 minutes 40 seconds)
                                2400       ; retry (40 minutes)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )

This made me happy because I had forgotten about my easter egg TXT record. 🙂

Ubuntu Linux Server setup guide – Setup ssh, keygen, brew, and ssh-copy-id on Mac OS X

 

 

iTerm on OS X
ssh config file in iTerm on OS X

What follows is a ubuntu/linux server setup guide that can be used to configure, 1. A new linux server and 2. setup an OS X workstation to easily connect to your linux servers with preshared keys.

  • Build the server on Hyperv, then setup your initial account during the Ubuntu LTS 14.04.2 setup.
  • Log in as the initial user and add accounts as necessary:
    • “sudo su -“ – this does a sudo and copies root path and all environmental variables
    • useradd -m -s /bin/bash jcoltrin
    • passwd jcoltrin
    • vi /etc/sudoers
      • (end of file) add line: jcoltrin ALL=NOPASSWD: ALL
    • su jcoltrin – make sure you can su.
    • sudo su – this sequence has allowed you to sudo without having to type in your password.
    • Just a note: modifying /etc/group – putting users in here is the wrong way of adding sudoers – no granular control – users here will be required to enter their password when doing sudo.
  • ctrl+l clears screen
  • Add static IP address and dns-nameservers to /etc/network/interfaces
    • Get the name of your network interface with command:
    • ifconfig -a

      In my case, the network interface name is ens33. So to make my ens33 interface a static interface, I configure the /etc/network/interface with the text editor vi. The first interface is lo, which is the loopback interface. The line ‘auto ens33’ is necessary because it is used to start the interface when the system boots.

    • 
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens33
iface ens33 inet static
        address 10.0.10.151
        netmask 255.255.255.0
        gateway 10.0.10.254
        dns-nameservers 8.8.8.8 8.8.4.4

       

  • apt-get:
    • apt-get update – checks online for updates
    • apt-get upgrade – installs updates and security patches
    • apt-get dist-upgrade – note: make sure /boot dir is not more than 80% full. If it’s full it may have old kernel upgrades so google ubuntu clean old kernels.
    • reboot
Setup ssh, keygen, brew, and ssh-copy-id on Mac OS X

Now we need to establish a secure and easy connection from our mac to the new server. On our Mac issue the commands:

  • Install iTerm on your Mac. Configure to your liking, but it’s a good idea to set, in the Terminal settings, the scroll-back limit to either 99,999 or unlimited. Now in our new iTerminal, issue the command: ssh-keygen – this generates both public and private keys in our .ssh directory in our home directory.
    • Install HomeBrew on your Mac in order to get unix tools installed on your mac:
      • Make sure your account on your Mac is an administrator by going into System Preferences → Users and Groups → (unlock) → Select Account → checkmark Allow user to administer this computer.
      • First install XCode, then open a terminal again and paste in the command for installing homebrew from http://brew.sh
      • ruby -e “$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)“
      • Install homebrew as it prompts, and run brew doctor so that we know we’re ready to install homebrew
      • brew install nmap ssh-copy-id wget htop ccze – this installs the linux tools we want on our mac
  • ssh-copy-id jcoltrin@serverIPaddress (password) – this copies our public key into the server we connected to. Now we can log into the servers from our mac terminal without having to type in the password.
    • Also on the mac we want to make it easy to ssh into, for example, server.domain.com.
    • vi .ssh/config
    • Line 1: host server
    • Line 2: hostname server.domain.com
    • Line 3: User jcoltrin
    • Line 4: KeepAlive yes
    • ctrl+wq!
    • The result should look like the following:

jcmbp:.ssh jcoltrin$ cat config

Host	    server
    Hostname server.domain.com
    User jcoltrin
    KeepAlive yes
    ServerAliveInterval 15

Host    myAmazonAWS1
    Hostname jasoncoltrin.com
    user ubuntu
    IdentityFile ~/.ssh/jasoncoltrin_keypair1.pem
    KeepAlive yes  
    ServerAliveInterval 15
  • ssh server – now we are able to issue this command and get in immediately without having to enter a password and also we can run sudo commands without having to enter our password again. As you can see in the config file above, we can also copy our .pem files into our .ssh directory and have config point to them so that we can easily ssh into our amazon AWS servers as well.
  • If we will be running websites, we now want to install virtualmin. Go to http://www.virtualmin.com/download.html#gpl and follow instructions here for downloading install.sh
Adding a new remote Administrative User’s ssh keys to a Linux Server

useradd -m -s /bin/bash newadmin1
mkdir ~newadmin1/.ssh
echo ssh-dss ****key data***..xxblahblahACBAM……kpucyrGw== [email protected] » ~newadmin1/.ssh/authorized_keys
chown -R newadmin1:newadmin1 ~newadmin1/.ssh
chmod 700 ~newadmin1/.ssh
chmod 600 ~newadmin1/.ssh/authorized_keys

vi /etc/sudoers

newadmin1 ALL=NOPASSWD: ALL

While this guide is not meant to be a comprehensive step-by-step guide, it should provide you with enough to setup an OS X workstation with pre-shared keys, and copy those keys to your new server. Working with iTerm and pre-shared keys, I think, is vastly superior to Putty on Windows. I hope this guide helps a few admins become more efficient and versatile working on OS X and linux.

 

linux iptables intro and basic network information

Introduction iptables – the standard linux firewall

iptables is a standard firewall built into common Linux distributions such as ubuntu, debian, and centOS.

First, packets are logical containers of data representing the flow of data. Protocols are languages and sets of rules used by network devices to send and/or receive data. Ports are numerical representations of protocols and are common throughout TCP/IP networking. Registered ports are those from 0 through 49151. IANA maintains the official list of both ranges.The dynamic or private ports are those from 49152 through 65535. One common use for ephemeral ports are used by servers to continue communications with a client that initially connected to one of the server’s well-known service listening ports. Here is a list of about 250 well-known ports.

iptables drops network packets when those packets meet a certain set of pre-defined CHAINS of rules stored in the computer’s memory. The chains can be placed in different binding orders and they organize the firewall.

A packet, or a datagram, is a unit of a series of bits that forms a container that can be examined, routed, dropped, and filtered in regards to it’s headers, source, destination, and content.

The packet is organized into different fields. It is typically 32bits and contains different data objects which contain mac address source/destination, and IP address source/destination. Cyclical redundancy checks (CRCs) are used to check the values of a packet before they are sent. When the datagrams reach their destination a checksum is attained and checked against the CRC field. In TCP, if the two match then the datagram is marked as successfully sent. If it is different, the source is notified that the packet is bad and will need to be resent.

Datagrams on a wired network really just represent electrons (ethernet) or pulses of light and radio waves that modulate in frequency and amplitude in optical transmissions.

CSMA/CD is used to manage collisions and prevents simultaneous transmission of data on both wired and wireless networks.

Layer 3 of the OSI model is where routers route packets to different vlans and subnets based on their field values using static routes and dynamic protocols such as RIP and OSPF. Layer 2 switches create connections between nodes with addresses in their MAC tables through Application Specific Integrated Circuit (ASICs).

Services running on a server rely on field data in each datagram. The traffic is organized by standard protocols that are bound to specific ports. Each port is represented by a number and are filtered by opening or closing the ports to accept or drop packets whole field data matches that port.

Like other firewalls, iptables manages ports on a NIC where packets can enter, pass, or exit. Ports can be opened, listen, or closed for each service or kind of traffic that will be allowed. Other ports are closed for traffic to be denied.

Chains are sets of rules that manage network traffic by opening or closing ports that can be applied or bound to a Network Interface in a particular order.

There are three kinds of CHAINS:

  1. INPUT – packets coming into the PC.
  2. OUTPUT – packets leaving out our PC.
  3. FORWARD – packets that pass through the PC if it’s multi-homed and being used as a router.

Here are common iptables switches used in chains:

  • -s = source address
  • -d = destination address
  • -p = protocol
  • -j = action
  • -P = specify default policy for a chain
  • -D = delete a rule for a chain
  • -R = replace a rule for a chain
  • -F = remove all rules for specified chain.
  • -L = list all chain rules
  • -A = add/append a rule to the end of a chain

Rules are used to define and manage the traffic you want to ALLOW first in iptables. Then you add the last rule, or the catch-all rule at the bottom of these rules. The last rule blocks all other traffic not previously allowed.

Example of a rule applied to the INPUT chain:

  1. Allow HTTP traffic for an Apache2 web server on port 80 on the interface named eth0:

iptables -A INPUT -j ACCEPT -p tcp –destination-port 80 -i eth0

2. Allow FTP packets for the VSFTPD daemon/service on port 21:

iptables -A INPUT -j ACCEPT -p tcp –destination-port 21 -i eth0

3. Allow SSH traffic for Secure Shell connections on port 22:

iptables -A INPUT -j ACCEPT -p tcp –destination-port 22 -i eth0

4. Apply a CATCH-ALL rule:

iptables -A INPUT -j DROP -p tcp -i eth0

*Note – catch-all rules must be entered and applied LAST.

You can define your own iptables chains as well as view the built-in chains present. Many users will define their own iptables rules in a shell script that is run automatically at boot.

 

Usage of suid and sgid in linux

So when it comes to certain files and executable scripts, as a linux admin you may want to allow certain users to run these scripts with elevated privileges.

setuid and setgid allow you to grant limited elevated privileges (root) without having to add the users to the sudoers file.

Similar to chmod, where you indicate where you want to set the user id bit, you can set the permissions with 4, 2 and 1: suid = 4 sgid = 2 stickybit = 1

To do a suid:

$chmod 4777 script  – would give you permissions of

-rwsrwxrwx 1 jason jason

to do sgid use:

$chmod 2777 script – would give you

-rwxrwsrwx 1 jason jason

by using $chmod 6777 script – you would get

-rwsrwsrwx 1 jason jason

For setting back to normal you would use

$chmod 0777 script

SGID is often used with folders for example

$mkdir groupFolder

#chmod 2775 groupFolder

would give you:

-drwxrwsr-x 2 jason jason

when you set groupid on the folder, anyone that adds a file to that folder, the group ownership of the file will receive the group ownership of that folder.

If you have a file that is suid, and is malicious, you can find files on your system that have the suid and/or sgid bit set:

find .  -perm +6000

find .  -perm +2000

find .  -perm +4000

You should occasionally look for these files so you know which files and/or folders are automatically setting permissions.

ESXi 5.1 – Setting up an Ubuntu Server as a SAMBA Domain Controller

If you want to run a domain controller on your network but don’t have access to a Windows Server license, you can use SAMBA, the free open-source software, and VirtualBox, the free virtualization software. We’ll describe the procedure for setting up a virtual server using VirtualBox and netboot.xyz iPXE and move on to setting up your domain controller with SAMBA.

Read more here:

Set up Ubuntu as a domain controller with SAMBA on VirtualBox