Apply a filter which reads all traffic apart from DNS and TCP using tcpdump - packet

I tried these commands:
1. tcpdump -r bpf-pcap.pcapng -w op2.txt proto not dns and not tcp
2. tcpdump -r bpf-pcap.pcapng -w op2.txt proto not dns and tcp
None of these are correct. I also checked the manual page but couldn't find what's wrong.
What have I missed?

I think you want:
tcpdump -r bpf-pcap.pcapng -w op2.pcap not port 53 and not tcp
Note -w doesn't write a text file but a binary file with the raw packets.
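To make the accepted filter concrete, here is an added example (not part of the original question or answer) that writes a small classic pcap from constructed packets and then applies a Python equivalent of the pcap-filter expression `not port 53 and not tcp`. pcap-filter has no `dns` keyword, which is why the `proto not dns` attempts fail to parse; DNS is selected by port, and `port 53` matches TCP or UDP with source or destination port 53. The packets, addresses and MAC bytes below are constructed; the capture is classic pcap, whereas the question's file is pcapng, which libpcap also reads.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap format, what tcpdump -w writes
LINKTYPE_ETHERNET = 1
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def build_packet(proto: int, l4: bytes,
                 src=b"\xc0\xa8\x01\x0a", dst=b"\xc0\xa8\x01\x01") -> bytes:
    """Ethernet + IPv4 framing around a ready-made L4 segment (constructed data)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"   # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + l4

def udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp_syn(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def icmp_echo() -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)

def write_pcap(packets) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(data: bytes):
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse(pkt: bytes):
    """(ip_proto, sport, dport); ports are None unless the packet is TCP or UDP."""
    if struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
        return None, None, None
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[14 + 9]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        return proto, sport, dport
    return proto, None, None

def not_port53_and_not_tcp(pkt: bytes) -> bool:
    """Python equivalent of the pcap-filter expression 'not port 53 and not tcp'.
    'port 53' means TCP-or-UDP with source OR destination port 53, so DNS over
    TCP is dropped by both halves of the expression."""
    proto, sport, dport = parse(pkt)
    return proto != IPPROTO_TCP and 53 not in (sport, dport)

def filter_pcap(data: bytes, keep) -> list:
    return [pkt for pkt in read_pcap(data) if keep(pkt)]

def demo():
    capture = write_pcap([
        build_packet(IPPROTO_UDP, udp(51234, 53, b"\x12\x34\x01\x00")),  # DNS query
        build_packet(IPPROTO_TCP, tcp_syn(51235, 80)),                   # HTTP SYN
        build_packet(IPPROTO_TCP, tcp_syn(51236, 53)),                   # DNS over TCP
        build_packet(IPPROTO_ICMP, icmp_echo()),                         # ping
        build_packet(IPPROTO_UDP, udp(123, 123)),                        # NTP
    ])
    return [parse(pkt) for pkt in filter_pcap(capture, not_port53_and_not_tcp)]
```

Only the ICMP echo and the NTP datagram survive; both DNS packets and the HTTP SYN are gone. With the real tool, `tcpdump -d 'not port 53 and not tcp'` prints the compiled BPF program for the expression, which is the quickest way to confirm a filter parses the way you think it does before running it over a large capture.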

How to change the Rundeck web interface port from 4440 to 80

I'm trying to use Rundeck on Ubuntu 14.04.
How do I change the web interface port from 4440 (default) to 80?
The port number seems to be referred to in various config locations (including /etc/rundeck/profile and /etc/rundeck/framework.properties) but changing these had no effect for me and I can't find a specific section in the documentation on changing the web port.
Use a proxy pass with either Apache or Nginx. It's a solution.
You need to modify these files from 4440 to 80:
framework.properties
profile
rundeck-config.properties
But you will get the following Java exception when trying to run on 80:
java.net.SocketException: Permission denied
Hence an Apache or Nginx proxy pass is the working solution.
You can use two iptables rules:
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 4440
iptables -I INPUT -p tcp --dport 4440 -j ACCEPT

What ports do I need to leave open for kinit to work?

I'm trying to set up a client machine so that only kinit traffic works. So far, my rules look like
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -s 192.168.1.130 -p tcp -m tcp --sport kerberos -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.130 -p udp -m udp --sport kerberos -j ACCEPT
-A OUTPUT -i eth0 -d 192.168.1.130 -p tcp -m tcp --dport kerberos -j ACCEPT
-A OUTPUT -i eth0 -d 192.168.1.130 -p udp -m udp --dport kerberos -j ACCEPT
With this as-is, when I run "kinit remuser", I keep getting the error
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
If I run
iptables -P INPUT ACCEPT
then "kinit remuser" works as expected. And after that first success, if I run
iptables -P INPUT DROP
it still keeps working.
I've tried using wireshark to see what I'm initially disallowing. It seems arp related, but I can't consistently see that... and I thought iptables wasn't supposed to mess with arp. I'm not seeing anything missing with "arp -n" or "ip -s neigh".
I've got the client and server configured correctly enough to work, but I'm still too new to this stuff to know what other ports I need to allow to get this working. If anyone can give me some tips I'd appreciate it.
UPDATE
Although my adapter claimed to be in promiscuous mode, it wasn't. I ended up running wireshark on the server, and saw no other port numbers needed. To verify that, I updated the rules to include
-A INPUT -s 192.168.1.130 -j ACCEPT
and as the successful kinit wireshark capture suggested, it didn't help. It's only when I open up all INPUTs that it works.
Thanks.
Hector
Kerberos is generally UDP by default. I'm not that familiar with iptables, but while the port number on the server is defined, the port number on the client is entirely random. So any IP-based filter has to allow incoming UDP packets with arbitrary client port numbers.
Similarly on the outgoing side, you need to be able to send packets with arbitrary udp ports on the client side. For kinit you only need the kerberos port, but changing passwords, etc, you will also need the kadmin ports.
Having said all that and making my best guess at what the ip tables rules mean, I think that's what you've implemented. However, you also need access to DNS srv records or a working krb5.conf.
http://wiki.unixh4cks.com/index.php/Using_DNS_SRV_records_to_find_Kerberos_realm_servers
It may be that kinit starts working when you allow incoming DNS record lookups. This would also explain why it continues to work after the first connection, as it is likely that the DNS record is cached on the system. Is the server listed in your krb5.conf also in your /etc/hosts file? If not, that would explain the behaviour.
Thinking about this a bit more, what exactly do you expect to do with this ticket after you get it? The whole point of kerberos is to implement security on an open network by securing the endpoints, not by implementing firewalls.
I got it. And perhaps this only applies to me or anyone else using a HW VPN. An ICMP type 3 packet needed to be received from the gateway for the krb5 transaction to continue. My co-workers who are testing something similar on a work network aren't seeing this issue, so we'll need to figure out what's special in my case and whether it applies to other things.
The hardest part of all this was finding a wired adapter that truly supports promiscuous mode.
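As an added illustration of why a default-DROP ruleset like the one in this question breaks things it never mentions, here is a toy evaluator for iptables-save style rules (example code, not iptables and not part of the original thread). It implements only first-match semantics for the options this ruleset uses, treats `-i` and `-o` alike as "the packet's interface" (real iptables only accepts `-o` in OUTPUT), and uses a constructed service table instead of /etc/services. The client and gateway addresses 192.168.1.50 and 192.168.1.1 are assumed; only the KDC address comes from the post. It then asks what happens to the four flows a kinit actually depends on: the AS-REQ, the AS-REP, a DNS reply, and the ICMP type 3 message the asker eventually found missing.

```python
import ipaddress

# Constructed stand-in for /etc/services, enough for the rules in this thread.
SERVICES = {"kerberos": 88, "domain": 53, "kpasswd": 464}

def port_number(token: str) -> int:
    return SERVICES[token] if token in SERVICES else int(token)

def parse_rules(text: str):
    """Parse iptables-save style text into chain policies and an ordered rule list.
    Only the options used in this thread are understood."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                      # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks, rule, i = line.split(), {}, 0
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt == "-A":
                rule["chain"] = arg
            elif opt in ("-i", "-o"):                 # toy: both mean "the interface"
                rule["iface"] = arg
            elif opt in ("-s", "-d"):
                rule[opt] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt in ("--sport", "--dport"):
                rule[opt] = port_number(arg)
            elif opt == "-j":
                rule["target"] = arg
            elif opt != "-m":                         # "-m tcp"/"-m udp" only load the match
                raise ValueError("unsupported option %r" % opt)
            i += 2
        rules.append(rule)
    return policies, rules

def matches(rule: dict, pkt: dict) -> bool:
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[key]) not in rule[opt]:
            return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    for opt, key in (("--sport", "sport"), ("--dport", "dport")):
        if opt in rule and rule[opt] != pkt.get(key):
            return False
    return True

def verdict(policies: dict, rules: list, pkt: dict) -> str:
    """First matching rule in the packet's chain wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule["chain"] == pkt["chain"] and matches(rule, pkt):
            return rule["target"]
    return policies[pkt["chain"]]

# The ruleset from the question, verbatim.
RULESET = """\
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -s 192.168.1.130 -p tcp -m tcp --sport kerberos -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.130 -p udp -m udp --sport kerberos -j ACCEPT
-A OUTPUT -i eth0 -d 192.168.1.130 -p tcp -m tcp --dport kerberos -j ACCEPT
-A OUTPUT -i eth0 -d 192.168.1.130 -p udp -m udp --dport kerberos -j ACCEPT
"""

def demo() -> dict:
    policies, rules = parse_rules(RULESET)
    kdc, client, gateway = "192.168.1.130", "192.168.1.50", "192.168.1.1"  # client/gateway assumed
    flows = {
        "AS-REQ to KDC (udp/88)":
            dict(chain="OUTPUT", iface="eth0", src=client, dst=kdc, proto="udp", sport=40001, dport=88),
        "AS-REP from KDC (udp/88)":
            dict(chain="INPUT", iface="eth0", src=kdc, dst=client, proto="udp", sport=88, dport=40001),
        "DNS SRV reply from resolver (udp/53)":
            dict(chain="INPUT", iface="eth0", src=gateway, dst=client, proto="udp", sport=53, dport=40002),
        "ICMP type 3 from gateway":
            dict(chain="INPUT", iface="eth0", src=gateway, dst=client, proto="icmp"),
    }
    return {name: verdict(policies, rules, pkt) for name, pkt in flows.items()}
```

The Kerberos exchange itself is accepted in both directions, which is why the rules look right on paper; the DNS reply and the ICMP error both fall through to the INPUT DROP policy. The usual way to close that gap without enumerating every reply is a stateful rule early in INPUT, `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, which admits replies to flows the host started and the ICMP errors the kernel associates with them, plus an explicit allow for the resolver on udp/tcp 53 if name lookups are needed.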

Can't connect to memcached server on localhost, how to debug?

I'm running memcached, but can't connect. How should I start to debug this? Something appears to be stopping me connecting.
ps -elf | grep memcached
0 S lee 10744 529 0 80 0 - 30529 ep_pol 03:36 pts/22 00:00:00 /usr/bin/memcached -m 512 -p 11211 -u nobody -l 127.0.0.1
(Memcached is definitely running)
But when I try to telnet in, I get a timeout.
telnet 127.0.0.1 11211
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection timed out
Any advice would be appreciated.
Ensure that the local loopback network interface is running. It sounds like you're using a Unix system, so I would recommend running /sbin/ifconfig to see if a section labeled lo with the IP address (labeled as the inet addr) 127.0.0.1 is up and running. If not, run ifdown lo then ifup lo; this should get it going. Read your /etc/hosts file to make sure that localhost or your machine's name is bound to 127.0.0.1. And if your machine is using ipchains or iptables, ensure that those are configured to let traffic pass to 127.0.0.1 from 127.0.0.1.
These things are all fine 99% of the time, but being unable to connect to localhost is indeed odd, so a sanity check is in order.
Make sure you don't have any firewall enabled. In my case I found the following entries for iptables:
target prot opt source destination
ACCEPT tcp -- example.com.internal anywhere tcp dpt:11211
ACCEPT udp -- example.com.internal anywhere udp dpt:11211
DROP tcp -- anywhere anywhere tcp dpt:11211
DROP udp -- anywhere anywhere udp dpt:11211
They allow connections only from example.com.internal and deny them from anywhere else, including localhost. To fix that I added a specific rule for localhost:
ACCEPT tcp -- localhost anywhere tcp dpt:11211
ACCEPT udp -- localhost anywhere udp dpt:11211

How do I see if memcached is already running on my chosen port?

I am having some problems with memcached and one idea I am having is that perhaps it is already running on the port I am trying to run it on, started by some other user on our network. Is there a way to tell what memcached ports are currently in use?
To see if it is running you could also try telnetting into the port:
telnet localhost 11211
If this works you will see the following (telling you that the given port is open):
Connected to localhost.
Escape character is '^]'.
Now if memcached IS running you can see some basic stats by issuing the given command:
stats
If this fails you will know that memcached is not running.
Try
netstat -ap | grep TheChosenPort#
and see if anything is listening on those TCP or UDP ports.
netstat
In Linux, check via netstat, e.g.
$ sudo netstat -nap | grep memcached
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 5067/memcached
ps
Use ps to filter the processes:
$ ps wuax | grep memcache
497 5067 0.0 1.3 384824 53928 ? Ssl Apr11 1:28 memcached -d -p 11211 -u memcached -m 64 -c 1024 -P /var/run/memcached/memcached.pid -l 127.0.0.1
The port can be found next to -p, e.g. -p 11211. If the port hasn't been specified, the default is 11211.
Bash
You can send stats command to the given port and see if the memcached responds, e.g.
exec 3<>/dev/tcp/localhost/11211; printf "stats\nquit\n" >&3; cat <&3
Telnet
Use telnet to connect to the host and run stats (as above), e.g.
$ telnet localhost 11211
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
stats
STAT pid 23669
STAT uptime 433859
Then hit Ctrl-] and Ctrl-D to finish.
Use the following command
ps -U user | grep -v grep | grep memcached
You can check memcached status
service memcached status
You will see a line like this at the bottom:
└─1560 /usr/bin/memcached -vv -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid
The -p 11211 is what port it's running on.
If you're asking this question, it sounds like you're running a really old version. If you did this on a recent version, you'd see this:
% ./memcached
failed to listen on TCP port 11211: Address already in use
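The two memcached threads above ask the same two things in different words: is anything listening on the port, and if so, is it really memcached and why can't I reach it. Here is an added example (not from either thread) that folds the telnet and /dev/tcp checks into one probe and, more usefully, distinguishes the outcomes the firewall question turns on: a connection refused means nothing is listening (a RST came back), a timeout means packets are being silently dropped, which on loopback almost always means an iptables DROP rule or a downed lo, not a missing daemon. A tiny constructed stand-in server speaks just enough of the memcached text protocol for the example to run offline; the stats values it returns are made up.

```python
import errno
import socket
import threading

def probe_memcached(host: str, port: int, timeout: float = 3.0):
    """Connect to host:port and classify the outcome the way a firewall debugger wants:
      'refused'  a RST came back: nothing is listening there (or an iptables REJECT)
      'timeout'  nothing came back at all: an iptables DROP, a dead 'lo', or a black hole
      'open'     connected; the 'stats' reply is parsed into a dict as well
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout", {}
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "refused", {}
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno)), {}
    with sock:
        sock.sendall(b"stats\r\nquit\r\n")
        stats = {}
        for raw in sock.makefile("rb"):
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if line == "END":
                break
            parts = line.split(" ", 2)
            if len(parts) == 3 and parts[0] == "STAT":
                stats[parts[1]] = parts[2]
    return "open", stats

def start_fake_memcached(stats: dict) -> int:
    """Constructed stand-in for a memcached listener so the probe runs offline.
    Understands only 'stats' and 'quit'; binds loopback like memcached -l 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            for raw in conn.makefile("rb"):
                cmd = raw.strip()
                if cmd == b"stats":
                    body = b"".join(b"STAT %s %s\r\n" % (k.encode(), v.encode())
                                    for k, v in stats.items())
                    conn.sendall(body + b"END\r\n")
                elif cmd == b"quit":
                    break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port() -> int:
    """A loopback port nothing listens on (bound briefly, then released)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def demo() -> dict:
    live = start_fake_memcached({"pid": "23669", "uptime": "433859", "curr_connections": "1"})
    return {
        "listening": probe_memcached("127.0.0.1", live),
        "nothing_there": probe_memcached("127.0.0.1", unused_port()),
    }
```

Point `probe_memcached` at 127.0.0.1:11211 on the affected host: an `open` result with a populated dict confirms both that a listener exists and that it is memcached (or something speaking its protocol), `refused` sends you back to ps and netstat, and `timeout` sends you to iptables -L -n and the state of lo. The `-l 127.0.0.1` in the question's command line is the setting you want to keep: memcached has no authentication, and an instance reachable on all interfaces (especially with its UDP port enabled) is both an open data store and a well-known amplification vector.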

Why does my Perl server fail to bind to port 80?

I copied the following script and ran it to have it listen on port 80. But netstat doesn't show port 80. Why does netstat not show it, or is the Perl script not correct?
#!/usr/bin/perl -w
use Socket;
use IO::Handle;
$port=80;
$host='localhost';
$packhost=inet_aton($host);
$address=sockaddr_in($port,$packhost);
socket(SERVER,AF_INET,SOCK_STREAM,getprotobyname('tcp'));
bind(SERVER,$address);
listen(SERVER,10);
while( 1 ) {
next unless (accept(CLIENT,SERVER));
CLIENT->autoflush(1);
$msg_out="WHAT DO YOU WANT?\n";
send(CLIENT,$msg_out,0);
close CLIENT;
}
close SERVER;
exit 1;
What platform are you on? How are you invoking netstat?
On Windows XP, after running the script with admin privileges, netstat -a gives me:
TCP aardvarkvi:http aardvarkvi:0 LISTENING
Binding to ports below 1024 requires root privileges on *nix systems. Since you do not (or, shall I say, code you seem to have blindly copied does not) check the return values of various calls, you would not know if they failed.
In general, you should not have to use Socket.pm. Stick with IO::Socket and avoid blindly copying code without knowing what it does.
You might also want to look into HTTP::Daemon.
It's likely that netstat is replacing the numeric port number by the name from /etc/services. For example:
~, 503> netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:svn *:* LISTEN
One thing that you can do is grep netstat's output to find all sockets where it's listening:
netstat -a | grep LISTEN | grep tcp
You can also tell netstat to show numeric addresses rather than doing a hostname or services lookup (and there's another option where you can limit just port numbers; do man netstat):
netstat -an | grep LISTEN | grep tcp
Sorry, my fault: when I ran netstat, I didn't use the -a option. With netstat -a, it does show that port.
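The answer's central point, that an unchecked bind() hides the failure it is about to cause, deserves a worked version, and the same EACCES is what surfaces as java.net.SocketException: Permission denied in the Rundeck thread above. Here it is as an added example in Python rather than Perl, to keep one language for the examples on this page; it is not the asker's script nor the Perl module code the answer recommends. The assumptions: loopback is up, port 0 asks the kernel for a free port, and port 80 is privileged on the host (in a container with ip_unprivileged_port_start=0, or as root, the bind simply succeeds).

```python
import errno
import socket

def try_bind(port: int, host: str = "127.0.0.1"):
    """Bind and listen on a TCP port, and say what happened instead of silently
    carrying on the way the unchecked bind()/listen() in the Perl script do.
    Returns (status, port, sock); sock is only set when status is 'ok'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        sock.listen(10)
    except PermissionError:                 # EACCES: port < 1024 without root / CAP_NET_BIND_SERVICE
        sock.close()
        return "permission_denied", port, None
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:   # something else already owns the port
            return "in_use", port, None
        raise
    return "ok", sock.getsockname()[1], sock

def service_name(port: int) -> str:
    """What netstat -a prints without -n: the /etc/services name when one is known."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return str(port)

def demo() -> dict:
    status, port, listener = try_bind(0)        # port 0: the kernel picks a free one
    second, _, dup = try_bind(port)             # same port again while the first still listens
    low, _, privileged = try_bind(80)           # 'permission_denied' unless root or capability
    for s in (listener, dup, privileged):
        if s is not None:
            s.close()
    return {"ephemeral": status, "same_port_again": second,
            "port_80": low, "port_80_as_netstat_shows_it": service_name(80)}
```

In the Perl script the equivalent fix is `bind(SERVER, $address) or die "bind: $!";` and the same for `socket` and `listen`, so a non-root run stops with "Permission denied" instead of looping on a socket that was never bound. For a service that genuinely has to own port 80 without running as root, the options are a reverse proxy in front of it, as the Rundeck answers suggest, or granting the binary CAP_NET_BIND_SERVICE. The last entry in the result shows why the asker's listener was not obvious in netstat output: without -n, port 80 is printed as http.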