Tag Archives: security

How to capture network traffic using tcpdump on a Linux machine

Posted on by
Reply

To capture network traffic using tcpdump on a Linux machine and analyze it in Wireshark, follow these steps:

  1. Install Wireshark: If Wireshark is not already installed on your Linux machine, you can install it using your package manager. For example, on Debian-based systems (like Ubuntu), you can use:sudo apt-get update sudo apt-get install wireshark Make sure you have appropriate permissions to run Wireshark or use it with sudo.
  2. Capture network traffic with tcpdump: Run tcpdump to capture the network traffic. For example, to capture all traffic on interface eth0 and save it to a file named capture.pcap:sudo tcpdump -i eth0 -w capture.pcap Replace eth0 with the name of your network interface, which you can find using the ifconfig command.
  3. Stop tcpdump: Once you’ve captured enough traffic, stop tcpdump by pressing Ctrl+C.
  4. Transfer the capture file to your local machine (optional): If you’re running Wireshark on a different machine, you’ll need to transfer the capture file (capture.pcap) from the Linux machine to your local machine. You can use utilities like scp (secure copy) or rsync for this purpose.
  5. Open the capture file in Wireshark: Launch Wireshark on your local machine and open the capture file (capture.pcap) that you created using tcpdump.wireshark capture.pcap Alternatively, you can open Wireshark first and then use the GUI to open the capture file.
  6. Analyze the captured traffic: In Wireshark, you can analyze the captured packets, apply filters, view packet details, and perform various other network analysis tasks.

By following these steps, you can capture network traffic using tcpdump on a Linux machine and analyze it in Wireshark for troubleshooting, security analysis, or network debugging purposes. Remember to use tcpdump with appropriate permissions (e.g., sudo) to capture traffic on privileged ports or interfaces.

Linux: traceroute command

Posted on by
Reply

The traceroute command in Linux is a network diagnostic tool used to trace the path that an Internet Protocol (IP) packet takes from the local machine to a specified destination host. It does this by sending a series of packets with increasing Time-To-Live (TTL) values, starting from 1.

Here’s how the traceroute command works and what information it provides:

  1. Sending packets with TTL: The traceroute command sends UDP packets (by default) or ICMP Echo Request packets towards the destination IP address with TTL set to 1. When a router receives a packet with TTL of 1, it decrements the TTL by 1 and if it reaches zero, it sends back an ICMP “Time Exceeded” message to the sender. This message indicates that the packet has expired.
  2. Analyzing ICMP Time Exceeded messages: traceroute captures these ICMP Time Exceeded messages and uses them to determine the route the packet took to reach the destination. Each router along the path responds with an ICMP Time Exceeded message, indicating its presence.
  3. Incrementing TTL: traceroute then sends another set of packets with TTL set to 2, and so on, until the packets finally reach the destination. Each time, it records the IP address and round-trip time (RTT) of the intermediate routers.
  4. Displaying the route: Once traceroute receives a response from the destination or reaches its maximum number of hops, it displays the route taken by the packets along with the round-trip time for each hop.
  5. Identifying delays: By analyzing the round-trip times, traceroute can identify network delays at each hop, helping to diagnose network performance issues.
  6. Options: The traceroute command supports various options to customize its behavior. For example, you can specify the maximum number of hops (-m option), the type of packets to send (-I for ICMP or -U for UDP), and the interval between packets (-i option).

Example usage:

traceroute google.com

This command would trace the route to google.com, showing the IP addresses of each hop along the way and the round-trip time for each hop.

traceroute is a valuable tool for network troubleshooting, allowing administrators to identify network routing issues, locate bottlenecks, and analyze network performance between two hosts.

Linux: display World Wide Port Names (WWPNs)

Posted on by
Reply

To display World Wide Port Names (WWPNs) and other information about Fibre Channel (FC) adapters on a Linux system, you can use various commands depending on the tools available on your system. Here are a few common methods:

  1. Using lsscsi and sg_map commands:This method requires the lsscsi and sg_map utilities, which are commonly available on many Linux distributions.sudo lsscsi -g This command lists SCSI devices, including Fibre Channel adapters. Note down the device corresponding to your Fibre Channel adapter.Then, use sg_map to map SCSI generic (sg) device names to WWPNs:sudo sg_map -i This command will show the mapping of SCSI generic devices to WWPNs and other information.
  2. Using systool:On systems with sysfs support, you can use the systool command to display information about Fibre Channel adapters:sudo systool -c fc_host -v This command lists information about Fibre Channel host adapters, including WWPNs and other details.
  3. Using fcinfo (For systems with Emulex HBAs):If you’re using Emulex HBAs, you can use the fcinfo command:sudo fcinfo <adapter_name> Replace <adapter_name> with the name of your Fibre Channel adapter (e.g., lpfc0). This command will display detailed information about the adapter, including WWPNs.
  4. Using scli (For systems with QLogic HBAs):If you’re using QLogic HBAs, you can use the scli command:sudo scli -p <port_number> -g Replace <port_number> with the port number of your Fibre Channel adapter (e.g., 0). This command will display detailed information about the HBA, including WWPNs.

Choose the method that best fits your system configuration and the tools available. These commands should provide you with the necessary information about WWPNs and other details of your Fibre Channel adapters on Linux.

Linux: Using lsblk and smartctl to display hard disk overall-health self-assessment

Posted on by
Reply

root@debian01:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 476.9G 0 disk
├─nvme0n1p1 259:1 0 512M 0 part /boot/efi
├─nvme0n1p2 259:2 0 488M 0 part /boot
└─nvme0n1p3 259:3 0 476G 0 part
└─nvme0n1p3_crypt 254:0 0 475.9G 0 crypt
├─debian01–vg-root 254:1 0 23.3G 0 lvm /
├─debian01–vg-var 254:2 0 9.3G 0 lvm /var
├─debian01–vg-swap_1 254:3 0 976M 0 lvm
├─debian01–vg-tmp 254:4 0 1.9G 0 lvm /tmp
└─debian01–vg-home 254:5 0 440.5G 0 lvm /home

root@debian01:~# smartctl -a –test=long /dev/nvme0n1
smartctl 7.3 2022-02-28 r5338 [x86_64-linux-6.1.0-18-amd64] (local build)
Copyright (C) 2002-22, Bruce Allen, Christian Franke, http://www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Number: SAMSUNG MZ9LQ512HBLU-00B00
Serial Number: S7DANXMW102944
Firmware Version: FXM7601Q
PCI Vendor/Subsystem ID: 0x144d
IEEE OUI Identifier: 0x002538
Total NVM Capacity: 512,110,190,592 [512 GB]
Unallocated NVM Capacity: 0
Controller ID: 5
NVMe Version: 1.4
Number of Namespaces: 1
Namespace 1 Size/Capacity: 512,110,190,592 [512 GB]
Namespace 1 Utilization: 61,558,759,424 [61.5 GB]
Namespace 1 Formatted LBA Size: 512
Namespace 1 IEEE EUI-64: 002538 d130ba314d
Local Time is: Mon Mar 18 11:42:24 2024 CST
Firmware Updates (0x16): 3 Slots, no Reset required
Optional Admin Commands (0x0017): Security Format Frmw_DL Self_Test
Optional NVM Commands (0x005f): Comp Wr_Unc DS_Mngmt Wr_Zero Sav/Sel_Feat Timestmp
Log Page Attributes (0x1e): Cmd_Eff_Lg Ext_Get_Lg Telmtry_Lg Pers_Ev_Lg
Maximum Data Transfer Size: 512 Pages
Warning Comp. Temp. Threshold: 83 Celsius
Critical Comp. Temp. Threshold: 85 Celsius
Namespace 1 Features (0x10): NP_Fields

Supported Power States
St Op Max Active Idle RL RT WL WT Ent_Lat Ex_Lat
0 + 5.12W – – 0 0 0 0 0 0
1 + 3.59W – – 1 1 1 1 0 0
2 + 2.92W – – 2 2 2 2 0 500
3 – 0.0500W – – 3 3 3 3 210 1200
4 – 0.0050W – – 4 4 4 4 1000 9000

Supported LBA Sizes (NSID 0x1)
Id Fmt Data Metadt Rel_Perf
0 + 512 0 0

=== START OF SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

SMART/Health Information (NVMe Log 0x02)
Critical Warning: 0x00
Temperature: 51 Celsius
Available Spare: 100%
Available Spare Threshold: 50%
Percentage Used: 0%
Data Units Read: 181,599 [92.9 GB]
Data Units Written: 1,857,619 [951 GB]
Host Read Commands: 1,898,681
Host Write Commands: 48,222,637
Controller Busy Time: 238
Power Cycles: 75
Power On Hours: 52
Unsafe Shutdowns: 61
Media and Data Integrity Errors: 0
Error Information Log Entries: 0
Warning Comp. Temperature Time: 153
Critical Comp. Temperature Time: 3
Temperature Sensor 1: 51 Celsius
Thermal Temp. 1 Transition Count: 1236
Thermal Temp. 2 Transition Count: 1014
Thermal Temp. 1 Total Time: 2672
Thermal Temp. 2 Total Time: 12386

Error Information (NVMe Log 0x01, 16 of 64 entries)
No Errors Logged

root@debian01:~#

Linux: How to replace a bad disk on a Linux RAID configuration

Posted on by
Reply

Replacing a failed disk in a Linux RAID configuration involves several steps to ensure that the array remains operational and data integrity is maintained. Below is a step-by-step guide on how to replace a bad disk in a Linux RAID configuration using the mdadm utility:

  1. Identify the Failed Disk:
    • Use the mdadm --detail /dev/mdX command to display detailed information about the RAID array.
    • Look for the state of each device in the array to identify the failed disk.
    • Note the device name (e.g., /dev/sdX) of the failed disk.
  2. Prepare the New Disk:
    • Insert the new disk into the system and ensure it is recognized by the operating system.
    • Partition the new disk using a partitioning tool like fdisk or parted. Create a Linux RAID (type FD) partition on the new disk.
  3. Add the New Disk to the RAID Array:
    • Use the mdadm --manage /dev/mdX --add /dev/sdX1 command to add the new disk to the RAID array.
    • Replace /dev/mdX with the name of your RAID array and /dev/sdX1 with the partition name of the new disk.
    • This command starts the process of rebuilding the RAID array onto the new disk.
  4. Monitor the Rebuild Process:
    • Monitor the rebuild process using the mdadm --detail /dev/mdX command.
    • Check the progress and status of the rebuild operation to ensure it completes successfully.
    • The rebuild process may take some time depending on the size of the RAID array and the performance of the disks.
  5. Verify RAID Array Status:
    • After the rebuild process completes, verify the status of the RAID array using the mdadm --detail /dev/mdX command.
    • Ensure that all devices in the array are in the “active sync” state and that there are no errors or warnings.
  6. Update Configuration Files:
    • Update configuration files such as /etc/mdadm/mdadm.conf to ensure that the new disk is recognized and configured correctly in the RAID array.
  7. Perform Testing and Verification:
    • Perform thorough testing to ensure that the RAID array is functioning correctly and that data integrity is maintained.
    • Test read and write operations on the array to verify its performance and reliability.
  8. Optional: Remove the Failed Disk:
    • Once the rebuild process is complete and the RAID array is fully operational, you can optionally remove the failed disk from the array using the mdadm --manage /dev/mdX --remove /dev/sdX1 command.
    • This step is optional but can help clean up the configuration and remove any references to the failed disk.

By following these steps, you can safely replace a bad disk in a Linux RAID configuration using the mdadm utility while maintaining data integrity and ensuring the continued operation of the RAID array.

Linux: Troubleshooting network connectivity issues

Posted on by
Reply

Troubleshooting network connectivity issues in Linux involves identifying and diagnosing the root cause of the problem by checking various network components and configurations. Here’s a systematic approach to troubleshoot network connectivity issues in Linux:

  1. Check Physical Connections:
    • Ensure that all network cables are securely connected, and network interfaces (Ethernet, Wi-Fi) are properly seated in their respective ports.
  2. Verify Network Interface Status:
    • Use the ip or ifconfig command to check the status of network interfaces.ip addr show orcssCopy codeifconfig -a
    • Ensure that the network interface is up (UP state) and has an IP address assigned.
  3. Check IP Configuration:
    • Use the ip or ifconfig command to verify the IP address, subnet mask, gateway, and DNS server settings of the network interface.
    • Ensure that the IP configuration is correct and matches the network configuration of your environment.
  4. Verify DNS Resolution:
    • Use the ping command to test DNS resolution by pinging a domain name.ping example.com
    • If DNS resolution fails, check the /etc/resolv.conf file for correct DNS server configurations and try using alternative DNS servers.
  5. Test Local Network Connectivity:
    • Use the ping command to test connectivity to other devices on the local network by pinging their IP addresses.ping <IP_address>
    • If local pings fail, check the network configuration of the local device, including IP address, subnet mask, and gateway settings.
  6. Check Firewall Settings:
    • Disable the firewall temporarily using the appropriate command for your firewall software (e.g., ufw disable for Uncomplicated Firewall).
    • If network connectivity improves after disabling the firewall, adjust firewall rules to allow necessary network traffic.
  7. Inspect Routing Table:
    • Use the ip route command to view the routing table and ensure that the default gateway is configured correctly.ip route show
    • If necessary, add or modify routing entries using the ip route add command.
  8. Check Network Services:
    • Verify that essential network services (such as DHCP client, network manager, and DNS resolver) are running using the systemctl command.systemctl status NetworkManager systemctl status systemd-resolved
    • Restart or troubleshoot network services as needed.
  9. Review System Logs:
    • Check system logs (e.g., /var/log/syslog, /var/log/messages) for any network-related errors or warnings that may provide clues about the issue.bashCopy codetail -n 50 /var/log/syslog
  10. Test Connectivity to External Resources:
    • Use the ping or traceroute command to test connectivity to external servers and websites.ping google.com traceroute google.com
    • If external pings or traceroutes fail, check for network issues outside your local network, such as ISP problems or internet service disruptions.

By following these steps and systematically checking network components and configurations, you can effectively troubleshoot and resolve network connectivity issues in Linux.

MTTR Definition

Posted on by
Reply

MTTR stands for Mean Time To Recovery. It is a key performance indicator (KPI) used to measure the average time it takes to restore a service or system to normal operation after a failure or incident occurs. MTTR is an important metric in incident management and is used to assess the efficiency of an organization’s response and resolution processes.

The formula to calculate MTTR is:

MTTR = Total Downtime / Number of Incidents

Where:

  • Total Downtime: The cumulative duration of time during which a service or system was unavailable or degraded due to incidents.
  • Number of Incidents: The total number of incidents that occurred during a specific period.

For example, if a service experiences three incidents in a month, with respective downtime durations of 2 hours, 3 hours, and 4 hours, the total downtime would be 2 + 3 + 4 = 9 hours. If we divide this total downtime by the number of incidents (3), we would get an MTTR of 3 hours.

A lower MTTR indicates that incidents are being resolved quickly, minimizing the impact on users and the business. Organizations strive to continuously reduce their MTTR by improving incident detection, response, and resolution processes, implementing automation, and investing in proactive monitoring and preventive measures. By reducing MTTR, organizations can improve service reliability, minimize downtime, and enhance overall customer satisfaction.

DevSecOps Overview

Posted on by
Reply

DevSecOps is an approach to software development and IT operations that integrates security practices and principles throughout the entire software development lifecycle (SDLC), from planning and coding to testing, deployment, and operations. It extends the principles of DevOps (Development + Operations) to include security, aiming to build security into every stage of the development and delivery process rather than treating it as an afterthought.

Key aspects of DevSecOps include:

  1. Shift Left: DevSecOps emphasizes shifting security practices and considerations to the left, meaning integrating security into the earliest stages of the development process. This includes incorporating security requirements into initial planning, design, and coding phases.
  2. Automation: Automation is a fundamental aspect of DevSecOps, enabling security processes such as vulnerability scanning, code analysis, configuration management, and compliance checks to be integrated seamlessly into development and deployment pipelines. Automated security tests and checks are performed continuously throughout the SDLC, allowing for rapid detection and remediation of security vulnerabilities.
  3. Culture and Collaboration: DevSecOps promotes a culture of collaboration and shared responsibility among development, operations, and security teams. It encourages open communication, knowledge sharing, and collaboration to ensure that security considerations are addressed effectively across all teams.
  4. Continuous Security Monitoring: DevSecOps advocates for continuous monitoring of applications, infrastructure, and environments to detect and respond to security threats in real-time. This includes monitoring for suspicious activities, unauthorized access, configuration drift, and other security-related events.
  5. Compliance and Governance: DevSecOps integrates compliance and governance requirements into the development process, ensuring that applications and systems adhere to relevant security standards, regulations, and industry best practices. Compliance checks are automated and performed continuously to maintain security and regulatory compliance.
  6. Security as Code: DevSecOps promotes the concept of “security as code,” where security policies, configurations, and controls are defined and managed using code and version-controlled repositories. This enables security to be treated as an integral part of infrastructure and application development, with security controls defined programmatically and deployed alongside application code.

Overall, DevSecOps aims to improve the security posture of software systems by embedding security practices and principles into every aspect of the development and delivery process. By integrating security into DevOps workflows, organizations can build more secure, resilient, and compliant software while maintaining agility and speed of delivery.

Azure: Data Management Tools

Posted on by
Reply

Microsoft Azure offers a comprehensive suite of data management tools and services to help organizations store, process, analyze, and visualize their data. Here are some key Azure data management tools and services:

  1. Azure SQL Database: Azure SQL Database is a fully managed relational database service that offers built-in high availability, automated backups, and intelligent performance optimization. It supports both single databases and elastic pools for managing multiple databases with varying resource requirements.
  2. Azure Cosmos DB: Azure Cosmos DB is a globally distributed, multi-model database service designed for building highly responsive and scalable applications. It supports multiple data models including document, key-value, graph, and column-family, and offers automatic scaling, low-latency reads and writes, and comprehensive SLAs.
  3. Azure Data Lake Storage: Azure Data Lake Storage is a scalable and secure data lake service that allows organizations to store and analyze massive amounts of structured and unstructured data. It offers integration with various analytics and AI services and supports hierarchical namespace for organizing data efficiently.
  4. Azure Synapse Analytics: Azure Synapse Analytics (formerly SQL Data Warehouse) is an analytics service that enables organizations to analyze large volumes of data using both serverless and provisioned resources. It provides integration with Apache Spark and SQL-based analytics for data exploration, transformation, and visualization.
  5. Azure HDInsight: Azure HDInsight is a fully managed Apache Hadoop, Spark, and other open-source big data analytics service in the cloud. It enables organizations to process and analyze large datasets using popular open-source frameworks and tools.
  6. Azure Data Factory: Azure Data Factory is a fully managed extract, transform, and load (ETL) service that allows organizations to create, schedule, and orchestrate data workflows at scale. It supports hybrid data integration, data movement, and data transformation across on-premises and cloud environments.
  7. Azure Stream Analytics: Azure Stream Analytics is a real-time event processing service that helps organizations analyze and react to streaming data in real-time. It supports both simple and complex event processing using SQL-like queries and integrates with various input and output sources.
  8. Azure Databricks: Azure Databricks is a fast, easy, and collaborative Apache Spark-based analytics platform that provides data engineering, data science, and machine learning capabilities. It enables organizations to build and deploy scalable analytics solutions using interactive notebooks and automated workflows.
  9. Azure Data Explorer: Azure Data Explorer is a fully managed data analytics service optimized for analyzing large volumes of telemetry data from IoT devices, applications, and other sources. It provides fast and interactive analytics with support for ad-hoc queries, streaming ingestion, and rich visualizations.

These are just a few examples of the data management tools and services available on Azure. Depending on specific requirements and use cases, organizations can leverage Azure’s comprehensive portfolio of data services to meet their data management needs.

Xen open-source hypervisor command line reference

Posted on by
Reply

Xen is a popular open-source hypervisor that allows for running multiple virtual machines on a single physical host. Here are some common command-line references for managing Xen:

  1. Starting and Stopping Xen:
    • xl create <config_file>: Start a virtual machine defined in the specified configuration file.
    • xl destroy <domain_name>: Forcefully shutdown a virtual machine.
    • xl shutdown <domain_name>: Gracefully shutdown a virtual machine.
    • xl list: List all running domains.
    • xl console <domain_name>: Connect to the console of a running virtual machine.
  2. Managing Virtual Machine Configurations:
    • xl list: List all virtual machines and their states.
    • xl info: Display information about the Xen hypervisor.
    • xl config-list: List all defined VM configurations.
    • xl config-edit <domain_name>: Edit the configuration file of a virtual machine.
    • xl save <domain_name> <state_file>: Save the state of a virtual machine to a file.
    • xl restore <state_file>: Restore a virtual machine from a saved state.
  3. Resource Management:
    • xl mem-set <domain_name> <memory_in_mb>: Set the memory allocation for a virtual machine.
    • xl vcpu-set <domain_name> <num_vcpus>: Set the number of virtual CPUs for a virtual machine.
  4. Networking:
    • Xen usually relies on Linux networking configuration for virtual networking. You can use brctl or ip commands for managing bridges and interfaces.
  5. Snapshot Management:
    • Xen doesn’t have built-in snapshot management like some other hypervisors. You can achieve similar functionality by saving the state of a VM and restoring it later.
  6. XenStore:
    • XenStore is a shared configuration database used by Xen. You can interact with it using the xenstore command. Example:perlCopy codexenstore-ls xenstore-read /local/domain/<domain_id>/memory/target
  7. Debugging and Troubleshooting:
    • xl dmesg: Display Xen hypervisor debug messages.
    • xl top: Display real-time information about the system’s virtualization.
    • xl debug-keys: Print the list of available debug key combinations.

These are some of the basic commands for managing Xen virtual machines and resources. For more detailed information and advanced usage, you can refer to the official documentation for Xen or consult the man pages for the xl command.