Rsync synchronisation

A wrapper around rsync that mirrors a source into a destination while preserving as much file metadata as rsync can carry.

# Mirror SRC into DST. --delete removes files from DST that no longer exist
# in SRC, so add -n (dry run) to the flags to preview a new pair of paths first.
brsync() {
    if [[ -z "$2" ]]; then
        echo "usage: brsync <src> <dst>" >&2
        return 255
    fi

    local SOURCE="$1"
    local DEST="$2"

    # -v verbose, -r recursive, -l keep symlinks, -H keep hard links, -p permissions,
    # -E executability, -A ACLs, -X extended attributes, -o owner, -g group, -t mtimes,
    # -z compress in transit, -D devices and special files
    # (-A, -X, -o and -g need root on the receiving side to be fully honoured)
    rsync -vrlHpEAXogtzD --delete "$SOURCE" "$DEST"
}

Iptables default firewall

This default configuration script drops every packet whose source address is in an ipset set (here "countryblock"); the set must exist before the script runs, otherwise the "-m set" rule is refused.

#!/usr/bin/env bash
#####################################
# automatic firewall script
# author antlas
#####################################
PORT_SSH=64762
IPSET_NAME="countryblock"

######################
# Flushing all rules
######################
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -X

################################
# Setting default filter policy
################################
# The last -P for a chain wins: OUTPUT is left at ACCEPT here. Switch it to
# DROP only once the OUTPUT rules below cover everything the host needs.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

######################################
# Allow unlimited traffic on loopback
######################################
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

################
# Allow ping
################
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

###################################
# Do not break current connections
###################################
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

############
# Allow SSH
############
iptables -A INPUT -p tcp --dport "$PORT_SSH" -m state --state NEW,ESTABLISHED,RELATED -s 0.0.0.0/0 -j ACCEPT

#############
# drop ipset
#############
# -I puts this rule first, so listed sources are dropped before any ACCEPT
# above can match. The set must already exist (see "Manage ipset sets");
# iptables refuses the rule otherwise.
iptables -I INPUT -m set --match-set "$IPSET_NAME" src -j DROP

###################
# Allow http/https
###################
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -s 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -s 0.0.0.0/0 -j ACCEPT

#####################
# Allow DNS outbound
#####################
# Only relevant once the OUTPUT policy is DROP. Most DNS is UDP, so both rules are needed.
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

Manage ipset sets

  • Create a set
    $ ipset create "$IPSET_NAME" hash:net
  • Add an entry
    $ ipset add "$IPSET_NAME" "$IP"
  • Delete an entry
    $ ipset del "$IPSET_NAME" "$IP"
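Refreshing a whole block list with these commands, a flush followed by one add per entry, leaves a window in which the set is empty and the DROP rule of the firewall script matches nothing. The following is an added example, not part of these notes: a POSIX sh function that turns a text file of IPv4 addresses or CIDRs into an `ipset restore` batch which fills a temporary set and then swaps it into place atomically, so the live set is never empty. The set name countryblock and the list-file format (one entry per line, `#` starts a comment) are assumptions.

```shell
#!/bin/sh
# Added example: print an `ipset restore` batch for set $1 from list file $2.
# The entries go into "<set>_tmp"; `swap` exchanges the two sets in one kernel
# operation, after which the temporary set (holding the old content) is destroyed.
# Assumed list format: one IPv4 address or CIDR per line, '#' starts a comment.
gen_ipset_batch() {
    set_name="$1"
    list_file="$2"
    tmp_set="${set_name}_tmp"

    printf 'create %s hash:net\n' "$set_name"   # ignored by "ipset -exist" if it already exists
    printf 'create %s hash:net\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"              # clear leftovers from an interrupted run

    while IFS= read -r line || [ -n "$line" ]; do
        # strip the comment part and all whitespace
        entry=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        if [ -z "$entry" ]; then
            continue
        fi
        # coarse syntax check (dotted quad with optional /prefix); ipset rejects out-of-range values
        if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            printf 'add %s %s\n' "$tmp_set" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done < "$list_file"

    printf 'swap %s %s\n' "$tmp_set" "$set_name"   # atomic: old content moves to tmp
    printf 'destroy %s\n' "$tmp_set"
}

# Usage (as root), list file path assumed:
#   gen_ipset_batch countryblock /etc/countryblock.txt | ipset -exist restore
```

The `-exist` option makes the duplicate `create` harmless on a set that is already referenced by iptables. Set contents live in kernel memory only, so dump them with `ipset save` and load them back at boot before the firewall script runs.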

Network connection overview

The commands below assume a Debian-based Linux distribution.

Using Socket Stats

Printing all established TCP connections on a host.

 $ ss -t state established

Docker containers case

Printing all established TCP and UDP connections of each running docker container (needs root, since nsenter enters the container's network namespace).

print_docker_connections() {
    local name pid
    # `docker ps` without -a lists running containers only, so there is
    # nothing to filter out and no header line to skip
    for name in $(docker ps --format '{{.Names}}'); do
        echo "__ $name __"
        pid=$(docker inspect -f '{{.State.Pid}}' "$name")
        # run ss inside the container's network namespace
        nsenter -t "$pid" -n ss -tu state established | tr -s " "
    done
}

Using Network Manager

On a desktop system, nmcli helps a lot to quickly print network information.

# show all connections
nmcli con show

# show a specific connection details
nmcli con show $UUID

# show all devices
nmcli device

# terse view
nmcli -t device

# pretty view
nmcli -p device

# print relative info from device
# fields available are : GENERAL,CAPABILITIES,INTERFACE-FLAGS,WIFI-PROPERTIES,AP,WIRED-PROPERTIES,WIMAX-PROPERTIES,NSP,IP4,DHCP4,IP6,DHCP6,BOND,TEAM,BRIDGE,VLAN,BLUETOOTH,CONNECTIONS
nmcli -p -f IP4  device show $DEVICE
nmcli -f DHCP4 device show $DEVICE

Fail2ban

Two operations come up again and again: unbanning a false positive and checking what the jails are doing.

# show the status (banned count, banned addresses) of every active jail
ftb() {
    local jail
    # the last line of `fail2ban-client status` reads "`- Jail list:	sshd, nginx"
    for jail in $(sudo fail2ban-client status | sed -n 's/^.*Jail list:[[:space:]]*//p' | tr ',' ' '); do
        sudo fail2ban-client status "$jail"
    done
}

# unban an address from every jail (fail2ban >= 0.10)
fail2ban-client unban $IP

TCPDump

# -t: no timestamps, -X: hex and ASCII dump of each packet (add -n to skip name resolution)
tcpdump -tX host X.X.X.X
tcpdump -tX port Y
tcpdump -tX host X.X.X.X and port Y

Snort

Sniffer mode

# print out the TCP/IP packet headers to the screen (i.e. sniffer mode)
snort -v

# also show the application data in transit
snort -vd

# more descriptive display (adds the data link layer headers)
snort -vde

Logger mode

# log packets to ./log (the directory must exist), with 192.168.1.0/24 as the home network
snort -dev -l ./log -h 192.168.1.0/24

# binary mode
snort -l ./log -b

# reading
snort -dv -r packet.log
# filtering when reading
snort -dvr packet.log icmp

Nmap

Linked to the TCP three-way handshake:

  • SYN packet: requests, or confirms, the synchronisation of a connection.
  • ACK packet: confirms receipt of a SYN packet.
  • RST packet: signals that the connection attempt should be discarded.

# host
nmap 10.0.0.1

# subnet ping scan (-sP is the legacy spelling of -sn)
nmap -sP 10.0.0.0/24

# host port
nmap 10.0.0.1 -p 1024

# host port range
nmap 10.0.0.1 -p 1024-2024

# TCP SYN scan
nmap -sS 10.0.0.0/24

# TCP connect() scan
nmap -sT 10.0.0.0/24

# TCP Ack scan
nmap -sA 10.0.0.0/24

# TCP Xmas scan
nmap -sX 10.0.0.0/24

# UDP scan
nmap -sU 10.0.0.0/24

# TCP null scan
nmap -sN 10.0.0.0/24

# TCP Fin scan
nmap -sF 10.0.0.0/24

# os detection
# Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match.
nmap -O --osscan-guess 10.0.0.1