syslogd modify $msg freebsd - freebsd

I have a simple issue to ask, let me put you in context first.
I am setting up an rsyslog server (CentOS 7) in order to gather (actually receive) many syslogd (FreeBSD (pfSense) default) messages from distributed devices.
Everything works as expected, but I cannot identify WHO sent the syslog messages, as many of the distributed devices work on public dynamic IPs.
Then the point is:
Is there any chance to modify the syslogd conf file to prepend some character in, for instance, the MSG field? Any field actually, for that would solve my problem, as I should only have to set some stuff like
"if $msg contains blabla then HELL YEAH!"
Thank you in advance!

To identify the sender, you have a few options: you can either set up VPN tunnels from each machine, so that they use a static VPN address, or use a DNS service and track them by name. In rsyslog, reverse lookups are enabled by default, so they would just show up by assigned name.
I don't think you can rewrite messages in rsyslog, but syslog-ng has filters and rewrite rules that would do what you want.

Related

How do I convert a lot of IP addresses to URLs in Python? Is this possible?

I have a .csv file with a bunch of IP addresses. I am looking for a way to run a script to import the file and convert them to URLs and maybe export them to another .csv or something similar. Is this possible? How would I do this? Admittedly, I am a novice when it comes to python. I have done enough research to know that a call to sockets is involved, but that's where the trail ends. I don't know where to go from there. Any and all help is greatly appreciated. Thank you in advance.
You cannot convert them to specific URLs, but I guess you want to get the domain names. This is called Reverse DNS Lookup.
You can run the command nslookup <IP-ADDRESS> and get the domain name (besides other info).
Example:
nslookup 75.126.153.206
However, this does not guarantee that only that domain is associated with that IP. This is due to load balancers, and you will get the load balancer's domain name as a result most of the time. To avoid that you can try to do a Reverse IP Lookup. This will provide you all the domains associated with that IP address (online example https://hackertarget.com/reverse-ip-lookup).
Besides that, detecting the protocol (http/s, ftp) is another story. You have to scan the targets for specific ports like 80 (http), 443 (https), 21 (ftp) etc. to verify the services they run. Again, this does not guarantee that a service is definitively running on default ports (web servers, for example, often run on 8080 or some other port). To avoid that you may need to scan for a wider range of ports and detect their services, which will be far more time consuming, and you may get into trouble by getting your IP banned, since somewhere this may be considered illegal.
Anyway, for port scanning I suggest you take a look at Nmap (https://nmap.org/)
import requests

def ip_to_url(ip):
    # Request http://<ip> with a short timeout and return the final URL after
    # redirects. This only works when a web server answers on port 80 and
    # redirects to its canonical hostname; it is not a DNS (PTR) lookup.
    try:
        return requests.get(f'http://{ip}', timeout=1).url
    except requests.RequestException:
        return 'not found'

print(ip_to_url('142.250.189.238'))
Output
http://www.google.com/
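The answer describes Reverse DNS Lookup through the socket API, and the rsyslog answer in the first thread relies on the same reverse lookups to name log senders. The following is an added example (not code from either answer) that reads a CSV column of addresses, performs the PTR lookup with socket.gethostbyaddr, and writes a new column. Because a PTR record is set by whoever controls the reverse zone, the example also includes a forward-confirmed reverse DNS (FCrDNS) check before the name is trusted for anything like log attribution. The resolver functions are injectable, so the sample below runs offline against a constructed lookup table (SAMPLE_CSV, FAKE_PTR and fake_reverse are all constructed for the example).

```python
"""Reverse-DNS a CSV column of IP addresses and forward-confirm the result."""
import csv
import io
import ipaddress
import socket
from typing import Callable, List, Optional

# Constructed sample input standing in for the questioner's .csv file.
SAMPLE_CSV = """ip,first_seen
8.8.8.8,2024-01-01
192.0.2.1,2024-01-02
not-an-ip,2024-01-03
"""

# Constructed PTR table so the example runs without network access.
FAKE_PTR = {"8.8.8.8": "dns.google", "192.0.2.1": "host.example.net"}


def fake_reverse(ip: str) -> str:
    """Stand-in for socket.gethostbyaddr: raise herror like a missing PTR record."""
    if ip in FAKE_PTR:
        return FAKE_PTR[ip]
    raise socket.herror(1, "Unknown host")


def reverse_lookup(ip: str, resolver: Optional[Callable[[str], str]] = None) -> Optional[str]:
    """Return the PTR name for ip, or None if ip is invalid or has no PTR record.

    resolver defaults to the real socket call; pass fake_reverse to stay offline.
    """
    if resolver is None:
        resolver = lambda a: socket.gethostbyaddr(a)[0]
    try:
        ipaddress.ip_address(ip)  # reject garbage before it reaches the resolver
    except ValueError:
        return None
    try:
        return resolver(ip)
    except (socket.herror, socket.gaierror, OSError):
        return None


def forward_confirmed(ip: str, name: str,
                      forward: Optional[Callable[[str], List[str]]] = None) -> bool:
    """FCrDNS: only trust the PTR name if it resolves back to the same address."""
    if forward is None:
        def forward(host):
            return [r[4][0] for r in socket.getaddrinfo(host, None)]
    try:
        return ip in forward(name)
    except (socket.gaierror, OSError):
        return False


def convert_csv(text: str, column: str = "ip",
                resolver: Optional[Callable[[str], str]] = None) -> str:
    """Read CSV text and append a 'hostname' column (PTR name or 'not found')."""
    reader = csv.DictReader(io.StringIO(text))
    fields = list(reader.fieldnames or []) + ["hostname"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        name = reverse_lookup(row[column], resolver)
        row["hostname"] = name if name is not None else "not found"
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Offline demonstration with the constructed resolver; drop the resolver
    # argument to use the real socket.gethostbyaddr on your own file.
    print(convert_csv(SAMPLE_CSV, resolver=fake_reverse), end="")
```

For a real file, read it with open() and pass the contents to convert_csv without the resolver argument; invalid rows and addresses without a PTR record come back as "not found" rather than aborting the run.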

Restricts daemons to open certain ports on linux

I want to restrict the daemons from opening certain ports, and I wish to achieve it at kernel level.
I came across an idea, i.e. to write my own bind function and then redirect to the original bind function. But the user can bypass this by invoking the system call. Any suggestions?
Just a thought:
there's a chance that 'iptables' could do the work for you.
Using 'iptables' you can define a rule which will deny outgoing traffic from a port.
This solution may work for you if you can identify the daemon's traffic according to iptables options. It will not work for you if you can only identify the daemon's traffic according to its process id.

How to select a static port number for a custom app?

We've got a custom application that needs to serve requests on its own port number. We really don't care what the number is, although we'll stick to that port after we decide. How do I select a number which is least likely to conflict with other applications or services that are running on the user's system?
Are there any rules or standards we should follow?
A clarification: once we pick a port, we need to stick with it. Can't use a dynamic one. We're building a custom SFTP server and we'll have to tell our customers what port it's running on.
For a static application, consider checking /etc/services to find a port that will not collide with anything else you are using and isn't in common use elsewhere.
$ tail /etc/services
nimspooler 48001/udp # Nimbus Spooler
nimhub 48002/tcp # Nimbus Hub
nimhub 48002/udp # Nimbus Hub
nimgtw 48003/tcp # Nimbus Gateway
nimgtw 48003/udp # Nimbus Gateway
com-bardac-dw 48556/tcp # com-bardac-dw
com-bardac-dw 48556/udp # com-bardac-dw
iqobject 48619/tcp # iqobject
iqobject 48619/udp # iqobject
If you can't predict the exact kind of environment your application is going to run in, just don't bother with this. Pick any number over 1024 and also make it configurable so the user can change it in case of conflict with another service/application.
Of course you can still avoid very common ports like 8080 (alternative HTTP) or 3128 (proxies like squid), 1666 (perforce), etc. You can check a comprehensive list of known ports here, or take a look at /etc/services.
If you don't care about the port number, and don't mind that it changes every time your program is run, simply don't bind the port before you listen on it (or bind with port 0, if you want to bind a specific IP address). In both cases, you're telling the OS to pick a free port for you.
After you begin listening, use getsockname to find out which port was picked. You can write it to a file, display it on the screen, have a child inherit it via fork, etc.
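The two answers above give a procedure: check /etc/services for a candidate, make the port configurable, or bind with port 0 and read the kernel's choice back with getsockname. The following added example (not code from any answer) puts those steps into Python. It keeps the socket open after the bind-to-0 call rather than closing it and re-binding later, since a closed port can be taken by another process in between; the port_is_bindable probe has the same time-of-check/time-of-use limit, so it is a startup sanity check, not a substitute for handling EADDRINUSE at the real bind. The host, candidate list and function names are choices made for this example.

```python
"""Pick or validate a listening port the way the answers describe."""
import socket
from typing import Iterable, Optional, Tuple


def listen_on_free_port(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind to port 0 so the kernel assigns an unused port, listen, and report it.

    The open socket is returned with the port so the caller keeps ownership;
    releasing it and binding again later would race with other processes.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(5)
    port = sock.getsockname()[1]  # the port the OS actually chose
    return sock, port


def port_is_bindable(port: int, host: str = "127.0.0.1") -> bool:
    """Snapshot check: can a configured static port be bound right now?"""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return True
    except OSError:  # EADDRINUSE, EACCES for privileged ports, etc.
        return False
    finally:
        probe.close()


def registered_service(port: int, proto: str = "tcp") -> Optional[str]:
    """Service name from the local services database (/etc/services on Unix),
    or None when the port is unregistered or the database is absent."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return None


def choose_static_port(candidates: Iterable[int], host: str = "127.0.0.1") -> Optional[int]:
    """First candidate above 1024 that is unregistered locally and bindable now."""
    for port in candidates:
        if port <= 1024:
            continue  # privileged range: needs root and is heavily registered
        if registered_service(port) is None and port_is_bindable(port, host):
            return port
    return None


if __name__ == "__main__":
    sock, port = listen_on_free_port()
    print("kernel chose port", port, "registered as", registered_service(port))
    sock.close()
    # Constructed candidate list for a configurable static port.
    print("static candidate:", choose_static_port([8080, 3128, 48619, 45917]))
```

Pairing this with a configurable setting covers the conflict case the second answer raises: ship a default chosen with choose_static_port, let the operator override it, and fail loudly at startup when port_is_bindable reports the configured value is already taken.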
If you want a unique port number for your application, you need to request an assignment from IANA, who maintain the Service Name and Transport Protocol Port Number Registry for the IETF. /etc/services and other secondary records are populated from the IANA registry.
Please do not simply pick a number and ship your application (as mentioned in another answer), because sooner or later, IANA will assign the port you're squatting on to an incoming request, which can lead to conflicts for your application and the unaware assignee.

Query DNS in Ubuntu

I use two DNS servers a public one (8.8.8.8)
and a local one (192.168.1.20)
In Ubuntu, if I write both DNSs (192.168.1.20, 8.8.8.8),
it will always query the first until the first is down, and only then will it start querying the second.
And of course I have to make the local one point again to 8.8.8.8.
Like this I have almost no problems; I can resolve local addresses and also public ones,
but when I'm out of the office, that's where all the problems start.
Having the local DNS first makes Ubuntu check for it every single time it needs to resolve.
So I end up switching the priority of the DNS (8.8.8.8, 192.168.1.20) every time I change my location.
This is not the case if I was using windows. It somehow sends to both DNSs at once or something of that sort.
Is there a way to avoid changing the DNS for every location?
Ubuntu also must query each server in /etc/resolv.conf if there is no answer from the first server.
Give an output of 'dig google.com' please
You wrote 'until the first is down'...
The system of course will connect to other servers ONLY if it has no response from the first one!!
The servers are listed in order of preference.
Not an answer but a possible work around.
Are you able to use different network interfaces for each network?
If so you can specify different "dns-nameservers" in the "/etc/network/interfaces" file.

Can't send to MSMQ with 2 DNS names

We're having an issue with sending an MSMQ message to the second DNS name on a server. If we send to the IP for that same server, we're fine, but that's not where we are going architecturally. Any ideas as to why MSMQ would care about which name it receives?
Server Information:
The physical server load-int-01, has a second IP and DNS name associated with it.
First IP/DNS: load-int-01, with IP 10.0.10.10
Second IP/DNS: load-intv, with IP 10.0.10.20
Queue Path Formats Used:
FormatName:DIRECT=OS:load-int-01\private$\MyQueue → Works Fine
FormatName:DIRECT=OS:load-intv\private$\MyQueue → Returns the error…
The queue does not exist or you do not have sufficient permissions to perform this operation
We have also tried using the IP addresses instead, and both sets of IPs work fine.
FormatName:DIRECT=TCP:10.0.10.10\private$\MyQueue → Works Fine
FormatName:DIRECT=TCP:10.0.10.20\private$\MyQueue → Works Fine
We just got off the phone with Microsoft. This is a limitation of MSMQ. You cannot receive on queues with a DNS name different from the server NETBIOS name. You can SEND to queues with an alternate DNS name provided you use the two registry keys mentioned above, OptionalNames and IgnoreOSNameValidation.
Back to virtual IPs for us, or we might keep the virtual name for the sending connection strings (with the reg settings) and use .\ for the receiving server name... that works.
Thanks for the help.
From:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;899611
By default, Message Queuing verifies the message that it receives to determine whether the message is intended for the local computer. If the message is not intended for the local computer, the message is rejected.
So follow the section on "IgnoreOSNameValidation" in this article and I hope it will help.
Very frustrating. I'm trying to migrate some MSMQ targets (web services) and I guess I will have to configure them to use virtual IPs, and migrate the virtual IPs, since migrating the NetBIOS name will be a mission.
MSMQ should be re-christened MSMQ-1982, since it appears to predate the invention of a cunning and useful abstraction layer called "DNS" in 1983.
I had the same issue and got it working. The trick for me was after setting the IgnoreOSNameValidation registry key, you have to restart the Message Queuing service.
I know this is an old post, but it comes up in Google when searching for a solution to this issue.
This did work for me:
FormatName:DIRECT=TCP:HOST.TLD\PRIVATE$\MyQueue
Note that this uses TCP instead of OS. This is the relevant documentation:
Non-transactional messaging by using Direct=TCP: This configuration functions without any particular configuration changes.