How do I match the Host IP address from this line in Fail2Ban - linux

Happy New Year all!
So, I've been having some trouble matching the host IP of an attacker when using Fail2Ban to read my FreeSwitch log file. Please pardon me if this is the wrong forum for this, but I couldn't think of anywhere else to post this.
Here's the log line:
2017-01-01 10:44:08.717205 [DEBUG] sofia.c:9746 sofia/external/1001@105.121.25.131 receiving invite from 217.79.182.240:5080 version: 1.6.13 -21-e755b43 64bit
This was my first attempt:
\[DEBUG\] sofia.c:\d+ ...................@\d+.\d+.\d+.\d+ receiving invite from <HOST>$:\d+
This was my second attempt (simplifying the first):
\[.*@\d+.\d+.\d+.\d+ receiving invite from <HOST>$
My problem is, I'm having a hard time stripping out the IP address from the Port# in this string: 217.79.182.240:5080 so that it is passed to the <HOST> variable. My understanding of REGEX composition has hit a roadblock and could use the combined expertise of others on this forum, thanks.

This is what worked for me (in case someone else runs into this problem):
.*@\d+.\d+.\d+.\d+ receiving invite from <HOST>.*$
Thanks to DigiDaz from the FusionPBX IRC Channel for assisting me with this.
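As an added check that is not part of the thread, the shell snippet below runs the three expressions from the question against the log line with sed, standing in for Fail2Ban's "<HOST>" substitution with a plain IPv4 token (the real Fail2Ban expansion is broader, but it likewise never includes the ":" that starts the port, which is why "<HOST>$" cannot match 217.79.182.240:5080 while "<HOST>.*$" does). The log line, the function name and the sed-based emulation are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread: run Fail2Ban-style failregexes against
# the FreeSWITCH log line with sed, to show why "<HOST>$" misses when a port
# follows the address and why "<HOST>.*$" matches.
# Assumptions: <HOST> is stood in for by a plain IPv4 token and \d by [0-9];
# Fail2Ban's real <HOST> expansion (Python re) is broader, but it likewise
# never swallows the ':' that starts the port.

# Constructed sample, modelled on the line quoted in the question.
LOGLINE='2017-01-01 10:44:08.717205 [DEBUG] sofia.c:9746 sofia/external/1001@105.121.25.131 receiving invite from 217.79.182.240:5080 version: 1.6.13 -21-e755b43 64bit'

# extract_host FAILREGEX LINE: print what <HOST> captured, nothing on no match.
extract_host() {
  # rewrite the Fail2Ban syntax into an ERE that sed understands
  pat=$(printf '%s' "$1" | sed -e 's/<HOST>/([0-9.]+)/' -e 's/\\d/[0-9]/g' -e 's/^\^//')
  # wrap the expression so the whole line is replaced by group 1 alone
  printf '%s\n' "$2" | sed -nE "s/^.*${pat}.*$/\1/p"
}

# The three expressions from the thread: two attempts that fail, one that works.
ATTEMPT1='\[DEBUG\] sofia.c:\d+ ...................@\d+.\d+.\d+.\d+ receiving invite from <HOST>$:\d+'
ATTEMPT2='\[.*@\d+.\d+.\d+.\d+ receiving invite from <HOST>$'
WORKING='.*@\d+.\d+.\d+.\d+ receiving invite from <HOST>.*$'

for rx in "$ATTEMPT1" "$ATTEMPT2" "$WORKING"; do
  host=$(extract_host "$rx" "$LOGLINE")
  printf '%s\n   -> %s\n' "$rx" "${host:-(no match)}"
done
```

Only the last expression prints 217.79.182.240; the two anchored attempts print "(no match)" because nothing in the address token can consume the ":5080" that sits between the host and the end of the line.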

Related

IMS DB command from Master Console does not work

Good morning,
Commands from the master console are apparently not processed by IMS11. "/DIS A" for example returns nothing to the operator master console. The name of the IMS system is IVP1. I also tried IVP1DIS A and no results.
In IMS1110.PROCLIB(DFSPBIV1) the parms are:
CMDMCS=Y,
CRC=/,
IMSID=IVP1,
There are 4 IMS jobs running
JOBNAMEs : IMS11RL1, IMS11CR1, IMS11DL1 and IMS11RC1
I appreciate any help.
Thank you.
The results from the SDSF command execution:
I found the solution.
After IMS starts up, there will be a message like "*30 DFS810A IMS READY 22311/2128438 IMS11CR1.IMS11CR1 IVP1".
If you want to send commands to IMS, just Reply to it. For example: R 30,/DIS A
Thank you very much for your support.

Linux bash script to get own internet IP address

I know I've gotten quite rusty when it comes to bash coding, especially the more elaborate trickery needed for the awk or sed parts.
I do have a script that logs the IP address currently in use for the interwebs.
It gets that by using either wget -qO - URL or lynx -dump URL.
The easiest one was a site that only returned the IP address in plain text and nothing else. Unfortunately that site no longer exists.
The code was simple as can be:
IP=$(wget -qO - http://cfaj.freeshell.org/ipaddr.cgi)
But alas! Using the code returns nothing because the site is gone, as lynx can tell us:
$ lynx -dump http://cfaj.freeshell.org/ipaddr.cgi
Looking up cfaj.freeshell.org
Unable to locate remote host cfaj.freeshell.org.
Alert!: Unable to connect to remote host.
lynx: Can't access startfile http://cfaj.freeshell.org/ipaddr.cgi
Some other sites I used to retrieve for the same purpose no longer work either.
And the one I want to use is a German-language one, not that I care one way or the other, it could be in Greek or Mandarin for all I care. I want only to have the IP address itself extracted, but like I said, my coding skills got rusty.
Here is the relevant area of what lynx -dump returns
[33]powered by
Ihre IP-Adresse lautet:
178.24.x.x
Ihre IPv6-Adresse lautet:
Ihre System-Informationen:
when running it as follows:
lynx -dump https://www.wieistmeineip.de/
Now, I need either awk or sed to find the 178.24.x.x part. (I know it can be done with Python or Perl as well, but neither is part of the standard setup of my Linux, while awk and sed are.)
Since the script is there to extract the IP address, one needs to do the following either via sed or awk:
Search for "Ihre IP-Adresse lautet:"
Skip the next line.
Skip the whitespace at the beginning
Only return what is left of that line (without the lf at the end).
In the above example (which shows only the relevant part of the lynx dump; the whole dump is much larger, but everything above and below is irrelevant) it would be "178.24.x.x" that should be returned.
Any help greatly appreciated to get my log-ip script back into working order.
Currently I have collected some other working URLs that report back one's own internet IP. Any of these can also be used, but the area around the reported IP will differ from the above example. These are:
https://meineipinfo.de/
http://www.wie-ist-meine-ip.net/
https://www.dein-ip-check.de/
https://whatismyipaddress.com/
https://www.whatismyip.org/
https://www.whatismyip.net/
https://mxtoolbox.com/whatismyip/
https://www.whatismyip.org/my-ip-address
https://meineipadresse.de/
Even duckduckgo returns the IP address when e.g. asked this: https://duckduckgo.com/?q=ip+address&ia=answer
At least I know of no way of getting one's own IP address when using the internet without retrieving an outside URL that reports that very IP address back to me.
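Here is an added shell example, not from the thread, that carries out the four steps above with awk and, alternatively, with sed, and then checks that the result really is a dotted quad before it is logged. The lynx dump it parses is constructed to mirror the fragment quoted above, with a TEST-NET address in place of the masked one, and the function names are mine; both extractors also tolerate a blank line between the marker and the address.

```sh
#!/bin/sh
# Added example, not from the thread: extract the IPv4 address from a
# "lynx -dump" of wieistmeineip.de with awk (or sed) and validate it before
# logging. The dump is constructed, with a TEST-NET address in place of the
# masked one; live use would be: lynx -dump https://www.wieistmeineip.de/ | extract_ip_awk
DUMP='   [33]powered by

   Ihre IP-Adresse lautet:
        203.0.113.7

   Ihre IPv6-Adresse lautet:

   Ihre System-Informationen:'
# awk: after the marker line, print the first non-blank line with its
# leading whitespace removed, then stop (a blank line in between is skipped).
extract_ip_awk() {
  awk '/Ihre IP-Adresse lautet:/ { found = 1; next }
       found && NF { sub(/^[[:space:]]+/, ""); print; exit }'
}

# sed: same logic; "n" loads the next line, blank lines loop back to :next.
extract_ip_sed() {
  sed -nE '/Ihre IP-Adresse lautet:/ {
:next
n
/^[[:space:]]*$/ b next
s/^[[:space:]]+//
p
q
}'
}

# Accept only a dotted quad of 0-255 octets: if the page layout changes or a
# tampered response comes back, the script must not log arbitrary text as an IP.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 && $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      for (i = 1; i <= 4; i++) if ($i > 255) exit 1
      exit 0 }
    { exit 1 }'
}

# ip_from_dump: the full pipeline on the constructed dump; prints the address
# and returns 0 on success, prints nothing and returns 1 otherwise.
ip_from_dump() {
  ip=$(printf '%s\n' "$DUMP" | extract_ip_awk)
  valid_ipv4 "$ip" && printf '%s\n' "$ip"
}
ip_from_dump
```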
You can do:
wget -O - v4.ident.me 2>/dev/null && echo
So, if you have a VM in some cloud provider you can solve this easily. I wrote a small Go app that echoes back an HTTP request. For instance:
$ curl 167.99.63.182:8888
Method ->
GET
Protocol ->
HTTP/1.1
Headers ->
User-Agent: [curl/7.54.0]
Accept: [*/*]
Content length (in Bytes) ->
0
Remote address ->
179.XXXXX
Payload
####################
####################
Where the remote address is the address the app received, hence your IP.
And in case you are wondering, yes, 167.99.63.182 is the IP of the server and you can curl it right now and check it. I am disclosing the IP since I have been bombarded by brute-force attacks for as long as I can remember anyway, and the machine does not have anything worth breaking into.
Not exactly without relying on external services, but you could use dig to reach out to the resolver at opendns.com:
dig +short myip.opendns.com @resolver1.opendns.com
I think this is easier to integrate to a script.

Chef - looking for a better way to find the last octet of an IP address.

I'd like to know what would be the best way to populate a Chef attribute in a cookbook with the last octet of the IP address.
Here is how I do it now. It seems to work; however, I'd like to know how I can improve it.
default['application']['host_ip'] = node['network']['interfaces']['eth0']['addresses'].keys[1]
default['application']['app_id'] = node['application']['host_ip'].split('.')[-1]
Thanks!
That looks fine. You might want some error handling since this will crash if there isn't an eth0, but that's up to you. You could also use node['ipaddress'] which is the IP on the default interface.

postfix problems with pattern in virtual file

We are trying to forward all emails to a specific email address. I think everything is set up okay, such as 'main.cf' and 'virtual-regexp' files. If we put the following in the 'virtual' file, the forwarding works correctly:
@ourmail.com mainid@ourmail.com
However, if we try to use the following in 'virtual' to send ALL email to the ID, it ignores it and sends it to the original user:
(.*) mainid@ourmail.com
We got the idea for the above from the following question and answer:
postfix 2.9.6.1 forward all mail to an external mail address
Any ideas why the pattern '(.*)' doesn't work? We've tried so many different patterns that our heads are starting to spin.
We solved the issue.
You need to complete the steps listed in the link above. But, in addition, you need to comment out the following lines in main.cf (if they are there) before restarting the postfix process:
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/virtual

X3270 Connection and Programming

I'm looking at using an X3270 terminal emulator. I have looked over the source material at http://x3270.bgp.nu/ and still don't see how to start using the tool or configure it.
I'm wondering how I can open a terminal and connect. Another question is how I could integrate this into a Python program?
Edit:
Here is a snippet:
em = Emulator()
em.connect(ip)
em.send_string('*user name*')
em.exec_command('Tab')
em.send_string('*user password*')
em.send_enter()
em.send_enter()
em.wait_for_field()
em.save_screen("{0}screenshot".format(*path*))
Looking at the saved screen, I see that the cursor hasn't moved. I can move the cursor using
em.move_to(7,53)
but after that I don't get any text sent through. Any ideas?
Here's what I do; it works 100% of the time:
from py3270 import *
import sys, os
host = "%s" % sys.argv[1].upper()
try:
e = Emulator()
e.connect(host)
e.wait_for_field()
except WaitError:
print "py3270.connect(%s) failed" % (host)
sys.exit(1)
print "--- connection made to %s ---" % (host)
If you haven't got a network connection to your host, that wait_for_field() call is going to wait for a full 120 seconds. No matter what I do, I don't seem to be able to affect the length of that timeout.
But your user doesn't have to wait that long, just have him kill your script with a KeyboardInterrupt. Hopefully, your user will grow accustomed to success equaling the display of that "--- connection made ..." message so he'll know he's in trouble when/if the host doesn't respond.
And that's a point I need to make: you don't connect to a terminal (as you described), rather you connect to a host. That host can be either a VTAM connection or some kind of LPAR, usually TSO or z/VM, sometimes CICS or IMS, that VTAM will take you to. Each kind of host has differing prompts & screen content you might need to test for, and sometimes those contents are different depending on whose system you're trying to connect to. Your script becomes the "terminal", depending on what you want to show your user.
What you need to do next depends on what kind of system you're trying to talk to. Through VTAM? (Need to select a VTAM application first?) To z/VM? TSO? Are you logging on or DIALing? What's the next keystroke/field you have to use when you're working with a graphic x3270/c3270 terminal? You need to know that in order to choose your next command.
Good luck!
Please read my comment above first - it would be helpful to have more detail as to what you need to do.
After considering that, have you looked at the py3270 package at https://pypi.python.org/pypi/py3270/0.1.5? The summary says it talks to x3270.