A self note. List of private address ranges
- Class A: 10.0. 0.0 to 10.255. 255.255.
- Class B: 172.16. 0.0 to 172.31. 255.255.
- Class C: 192.168. 0.0 to 192.168. 255.255.
Networking
HOW TO : Query varnishlogs to show backend server
Command parameters for varnishlog to view the backend server that is processing the request. In this particular case, I wanted to see the request URL and backend server for any responses with HTTP code 401 (unauthorized access)
sudo varnishlog -i BackendOpen,BereqURL -q "BerespStatus == 401"
HOW TO : Check websockets using curl
Found this good article by Mark Huot regarding using curl to check websocket servers at http://www.thenerdary.net/post/24889968081/debugging-websockets-with-curl
curl -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Host: echo.websocket.org" -H "Origin: http://www.websocket.org" http://echo.websocket.org
HOW TO : Query varnishlogs for requests with 404 responses
varnishlog, one of the tools provided with varnish cache, uses VSL Query Expressions (https://www.varnish-cache.org/docs/trunk/reference/vsl-query.html) to provide some powerful insights into the requests and responses.
Here is a how you can use varnishlog to show all client requests that are ending up with a 404 response.
sudo varnishlog -g request -i ReqURL -q "BerespStatus != 200"
Technically, this particular query shows all client requests with a response other than 200.
Breaking down the commands
-g request : shows all entries related to the request
-i ReqURL : forces varnishlog to only display the Requesting URL
-q “BerespStatus != 200” : query filter to only match non 200 responses. Note that the query has to be enclosed in “”.
HOW TO : Enable wildcard domains in Squid
We were trying to modify some ACL (access control lists) in squid to allow traffic to certain websites. Instead of adding each individual hostnames in a domain, we wanted to add all traffic to a certain domain.
Document on the interwebs is old or not clear on how to achieve this.
After some trial and error, here is what works
say you want to allow all traffic to the google.com domain, you create a access list using dstdomain like below
acl name_of_acl dstdomain .google.comThe “.” before the domain name acts as a wildcard
Then you use the acl to allow http access to it like below
http_access allow name_of_aclHOW TO : Configure tcpdump to rotate capture files based on size
quick note for self. If you are capturing traffic using tcpdump, you can rotate the capture files based on size
[code]sudo tcpdump -i INTERFACE_TO_CAPTURE_TRAFFIC_ON -C 10 -s0 -W NO_OF_FILES_TO_ROTATE_THROUGH -w /PATH_TO_CAPTURE_FILE [/code]
explanation of the options used
-i : specify the interface you want to capture the traffic on. If not specified, tcpdump will listen on the lowest numbered interface. i.e. eth0
-C : specify the size of the file multiplied by 1000000 bytes. In this example, the file created would be 10000000 bytes. Or ~9.8MB
-s : specify the packet length to capture. 0 (zero) tells tcpdump to capture the entire packet
-W : specify the number of files to rotate through once the files size specified in -C is reached. The files keep rotating throughout the capture
-w : Specify the path to the capture file. tcpdump appends an integer to the end of the file based on the number of files it has to rotate through.
HOW TO : Restrict access to proxied content in Apache
If you are using the mod_proxy feature in Apache to forward requests for certain content to a backend server, but want to restrict access to that content to clients originating from certain IP addresses, you can use the location feature in Apache.
The Location directive limits the scope of the enclosed directives by URL. This is very similar to the Directory directive, but the difference is that you can put controls based on the URL rather than the location of the content.
In this example, I am forwarding content destined to https://kudithipudi.org/testLocation to an internal server at http://127.0.0.1:8080/testLocation. I am going to use the Location directive to restrict access to just requests originating from IP Address 10.10.10.10
[code]
<Location /testLocation>
Order Deny,Allow
Deny from all
Allow from 10.10.10.10
</Location>
ProxyPass /testLocation http://127.0.0.1:8080/testLocation
ProxyPassReverse /testLocation http://127.0.0.1:8080/testLocation [/code]
HOW TO : Use openssl client to check for PCI compliant SSL ciphers
Simple one liner to check if your web server is using strong ciphers
[code]
openssl s_client -cipher LOW -host SERVER_NAME -port 443 [/code]
Brilliant use of DNS
I was listening to this week’s edition of Steve Gibson’s Security Now podcast and Steve talked about a unique way of using DNS. His spintrite application uses DNS to check for the latest version of the application. Most applications use http to check version information. This might pose a problem in environments with proxy servers. DNS traffic on the other hand is generally allowed in most environments. He says his application does a DNS lookup for something like application.version.grc.com and the “IP” address that is returned denotes the major and minor versions of the code. And depending on the response, the application will prompt with a “need to update” message.
Brilliant!!!
Here’s a more technical post way back from 2006 by Jan-Piet Mens on the same subject
http://jpmens.net/pages/checking-current-application-or-data-versions-using-dns/
HOW TO : Capture all traffic to and from a host using tcpdump
Quick one liner for capturing traffic destined to and arriving from a host (IP address) using tcpdump and writing it to a file for analyzing later on
[code]tcpdump -s0 host x.x.x.x -w destination.pcap [/code]