0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Archive for the ‘utility’ Category

System Event Monitoring with Prosody and jablog.rb

leave a comment »

The tl;dr version of this post is:

It turns out to be super handy to be able to monitor your logs (and send commands) via XMPP. To do so, here is a simple setup.

  • apt-get install prosody (Tested on ubuntu 10.04.2 LTS)
  • configure a VirtualHost for your domain in the config file /etc/prosody/ (see: http://www.0x0e.org/x/prosody.ctl.lua)
  • set up srv records, (use this generator: http://www.jms1.net/jabberd2/srv.shtml)
  • create 2 accounts – prosodyctl adduser user@domain && prosodyctl addusser minion@domain (one for you, one for your bot/minion)
  • install ruby / gem install xmpp4r, add a sigs.txt and configure the script with jabber/ syslog-ng
  • configure syslog-ng (and make it report to the jablog.rb script)

… And the backstory / howto:

Just got done setting up an internal jabber server on my domain. Why you might ask? You’re not that popular that you need your own chat server are you? Definitely not. But there’s a lot of crap going on in a network, even a small one, for you to benefit from on-demand notifications. An internal jabber server is a great way to implement this.

To be fair, the idea and the code for the log monitoring daemon is blatently stolen. I discovered it when attempting to connect to a friend’s server, and he immediately pinged me to ask what i was doing (for the record, not malicious, just remote-mounting a drive. :p). Paraphrasing:

Me: “How did you see me doing that?” (Thinking he was tail -f’ing his logs)
Him: “Oh I monitor logs & route certain events through XMPP”
Me: “Neat!”
Him: “Check it out –> jablog.rb

Okay, well, now i need a jabber server.

So, naturally, if you’re like me, you take the first google link and run w/ it.

$sudo apt-get install jabberd

Fail, and fail hard. Jabberd, the original Jabber implementation, is a pain to set up.

Okay, let’s scrap that and try again.

Ejabberd. “Oh neat, Erlang!” you might say. — Wrong again. I wasn’t able to get this set up an configured in any sort of easy way. :/ Possibly due to leftover cruft from jabberd. Here’s the link just for the record.

…more searching, and came across this server called Prosody. Hmm, this looks really trivial, and it’s in apt already. Exactly what I’m looking for.

$ apt-cache search prosody
prosody - Lightweight Jabber/XMPP server written in Lua



$ apt-get install prosody
...
 * Starting Prosody XMPP Server prosody [ OK ]

Now, just configure w/ a host (toss these lines to the top of the config file /etc/prosody/prosody.cfg.lua) - or see the full config.

Host "0x0e.local"
	enabled = "true"

See the full config here:

And set up your srv records in bind for your host named jabber and domain named 0x0e.local (or use this awesome generator):

_jabber._tcp.0x0e.local.       IN SRV   0 0 5269   jabber.
_xmpp-server._tcp.0x0e.local.  IN SRV   0 0 5269   jabber.
_xmpp-client._tcp.0x0e.local.  IN SRV   0 0 5222   jabber.

Then add a couple users / passwords and you're all set:

 $prosodyctl adduser jcran@0x0e.local
 $prosodyctl adduser jablog@0x0e.local

More info on account control here. Other, more specialized config info can be found here.

Getting the script going is as installing ruby (you probably already have it) and the xmpp4r gem (you probably don't)

$sudo apt-get install ruby ## consider using RVM, but this is system-wide for syslog
$sudo gem install xmpp4r

Add a sigs.txt file with a few lines you'd like to be notified of (wouldn't you want to be notified if  "oh noes!" is printed in the logs?):

error
failed
segfault
oh noes!

Then modify a few lines of the script to point to the right accounts:

@host = `hostname`.strip
@mine = "jablog@0x0e.local/#{@host}"    # Change this to your user/pass/server
@pass = "SECRETZ"                    # Set a password here
@targ = "jcran@0x0e.local/jcran"     # Change this to your jabber ID

Now just configure your IM client to talk XMPP to the server (just point it at the domain, the client should read the SRV records & do the right thing):

pidgin config

Configuration in Pidgin

 

 

 

 

 

 

 

 

 

To complete the setup, you'll want to install syslog-ng and place the jablog.rb script & sigs in /usr/sbin/:

# apt-get install syslog-ng
# cp jablog /usr/sbin
# cp sigs.txt /usr/sbin

Test this by running the script as root:

# ruby jablog.rb

You should see the script initialize in your im client if everything's configured properly.

Now, you just need to configure syslog-ng to run the script:

destination jabber {
program("/usr/sbin/jablog.rb");
};

log {     source(s_all);
destination(jabber);
};

One thing you may run into is that syslog-ng may exit immediately, and keep attempting to run the jablog.rb file. If this happens, double-check your ruby config (make sure the syslog-ng user has access to the ruby environ (ie, not in your user's rvm environment).

Once it's configured properly, restart syslog-ng and you should see the script initialize in your IM client.

Note that I didn't specify how to configure SSL here, but you can definitely do that. See the docs. Special thanks to quine who pointed out you don't need to specify a connect server, the SRV records take care of that.

Take the recipe / script, rinse and repeat on all your servers, and let me know if you make any improvements.

Also, if you end up running the jabber server on one network, and need access to it from another, dnsmasq is super handy. See this blog.

Advertisements

Written by jcran

March 22, 2011 at 3:27 AM

searching ruby source code

with one comment

contributing to open source? need to search & understand ruby code faster? This bash function should save you some time. I use it atleast 50-60 times a day.

Stick this in your .bashrc:

function rgrep() {
   find -L . -type f -name \*.rb -exec grep -n -i -H --color "$1" {} \;
}

Use like: $ rgrep “something”

Written by jcran

July 19, 2010 at 4:21 PM

Posted in utility

Tagged with , , , ,

10 min project hosting & sharing

with one comment

Need a simple way to backup (and share) local files & scripts? Yeah yeah, another svn/websvn howto – but my brain sucks, and i forget this stuff if i don’t write it down…

The only prereqs to this quick howto are that you have an ubuntu box and you know a thing or two about subversion. Preferably a shellhost – I use slicehost and i’ve heard great things about linode.com.

I use svn for many of my projects, and for my toolkit. Tonight i needed to quickly and securely share a few files from that toolkit, so i stuck websvn on a host, and configured htaccess authentication. Total time? 10 min. Here’s the setup.

(Yes, i know the cool kids are all on git now)

  • Create subversion repository in /var/svn
cd /var/svn
svnadmin create repository
  • install apache / websvn (apt-get install)
$apt-get install apache2 websvn
  • Configure websvn – this is handled with the debian package, so when you’re done, your config (/etc/websvn/svn_deb_conf.inc) should look like this
<?php
// please edit /etc/websvn/config.php
// or use dpkg-reconfigure websvn
$config->parentPath("/var/svn/");
$config->addRepository("repository", "file:///var/svn/repository");
$config->setEnscriptPath("/usr/bin");
$config->setSedPath("/bin");
$config->useEnscript();
?>
  • Create htpasswd file
$htpasswd -c -s /var/svn/htaccess testuser
  • Configure htpasswd in apache config (/etc/websvn/apache.conf)
# Configuration for websvn using php4.
Alias /websvn /usr/share/websvn
<Directory /usr/share/websvn>
DirectoryIndex index.php
Options FollowSymLinks
Order allow,deny
Allow from all
AuthType Basic
AuthName "Subversion Repository"
Require valid-user
AuthUserFile /var/svn/htaccess
<IfModule mod_php4.c>
php_flag magic_quotes_gpc Off
php_flag track_vars On
</IfModule>
</Directory>
  • Restart Apache and you’re done.
$/etc/init.d/apache2 restart

Written by jcran

July 13, 2010 at 6:01 AM

Posted in howto, utility