Thursday, August 18, 2016

Sed one-liners

I may occasionally publish small notes on clever commands I learn about.  Putting it here helps me store knowledge that my shoddy personal data management practices might otherwise lose...  One such note is a one-line sed command to print out the Linux interface(s) which handles the default route:
sed -n 's/\(^[^\t]*\)\t00000000.*/\1/p' /proc/net/route
An explanation, from left to right: Don't print each line (-n), prepare for a substitution ('s/), look for a string of non-tab characters at the beginning of the line (^[^\t]*) while saving the results (the \( and \) parts surrounding that), followed by a single tab and a string of eight 0s (\t00000000), followed by anything to gobble up the rest of the line (.*), then substitute it all with the non-tabs string saved earlier (/\1/), and print it (p').  The eight 0s represent the default route of 0.0.0.0/0.

To be really specific the eight 0s specify a route for a network of undetermined size starting at 0.0.0.0.  For the true default route, I should also check for a mask of 00000000, as OpenVPN sometimes adds two net routes (0.0.0.0/1 and 128.0.0.0/1) to avoid the need to replace the existing default route.  This command will find anything starting at 0.0.0.0 as a default route, which may or may not be what you want...  In reality, since 0.0.0.0/8 is reserved, if a route starts at zero, it's pretty defaulty anyway..

Labels: , ,

Friday, July 1, 2016

Forcing SaltStack to "knock harder"

I really like the "knocking harder" technique I developed.  I haven't seen it mentioned in any other places, and it effectively gives the protected service a smart layer of obscurity with minimal effort and complexity.

I also like SaltStack as a remote configuration and management tool.  It connects over two ports, and I was looking for a way to use my technique on this service.  Salt uses ports 4505 and 4506, where 4506 is first to connect and has several short-lived connections as well as a long-lasting session, and 4505 has a single long-lasting session.

I wanted to protect the first connection by requiring multiple SYN packets (a "hard knock"), but then allow connections to both ports with no delay as long as there's continuous traffic and sessions between them.  To that end, I've come up with the following patch to ufw's after.rules file.

Labels: , , , ,