Friday, October 28, 2011

Advanced Linux Networking Tools

Some of the more common tools for advanced networking include: tcpdump, netstat, wireshark, and tshark.

A previous article covered Basic Linux Networking Tools.

Discover Switch Information

Now for the advanced stuff. We use tcpdump to capture a single frame and write it to the file pkt.cap, then use tshark to decode that file.

How to identify the switch or router the Linux host is connected to, using the Cisco Discovery Protocol (CDP) announcements it sends.

# tcpdump -nvi eth0 -c 1 -s 1500 -w pkt.cap ether proto 0xaa and ether dst 01:00:0c:cc:cc:cc and ether[20] == 0x20 and ether[21] == 0x00
# tshark -V -r pkt.cap

The filter keeps only frames sent to the Cisco multicast address 01:00:0c:cc:cc:cc whose SNAP protocol ID (frame bytes 20 and 21) is 0x2000, which is CDP. Because of -c 1, tcpdump waits until the next CDP announcement arrives (Cisco devices send one every 60 seconds by default) and then exits. Running both commands together produces output like this:

# tcpdump -nvi eth0 -c 1 -s 1500 -w pkt.cap ether proto 0xaa and ether dst 01:00:0c:cc:cc:cc and ether[20] == 0x20 and ether[21] == 0x00; tshark -V -r pkt.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
1 packets captured
1 packets received by filter
0 packets dropped by kernel
Running as user "root" and group "root". This could be dangerous.
Frame 1 (416 bytes on wire, 416 bytes captured)
Arrival Time: Aug 26, 2011 12:49:00.909559000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 416 bytes
Capture Length: 416 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:cdp:data]
IEEE 802.3 Ethernet
Destination: CDP/VTP/DTP/PAgP/UDLD (01:00:0c:cc:cc:cc)
Address: CDP/VTP/DTP/PAgP/UDLD (01:00:0c:cc:cc:cc)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:27:0c:b0:5d:87 (00:27:0c:b0:5d:87)
Address: 00:27:0c:b0:5d:87 (00:27:0c:b0:5d:87)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 402
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Cisco (0x00000c)
PID: CDP (0x2000)
Cisco Discovery Protocol
Version: 2
TTL: 180 seconds
Checksum: 0xde0a [correct]
[Good: True]
[Bad : False]
Device ID: example-lab-switch.example.com
Type: Device ID (0x0001)
Length: 33
Device ID: example-lab-switch.example.com
Software Version
Type: Software version (0x0005)
Length: 190
Software Version: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 09-Mar-09 18:10 by gereddy
Platform: cisco WS-C2960G-24TC-L
Type: Platform (0x0006)
Length: 26
Platform: cisco WS-C2960G-24TC-L
Addresses
Type: Addresses (0x0002)
Length: 17
Number of addresses: 1
IP address: 10.10.5.7
Protocol type: NLPID
Protocol length: 1
Protocol: IP
Address length: 4
IP address: 10.10.5.7
Port ID: GigabitEthernet0/7
Type: Port ID (0x0003)
Length: 22
Sent through Interface: GigabitEthernet0/7
Capabilities
Type: Capabilities (0x0004)
Length: 8
Capabilities: 0x00000028
.... .... .... .... .... .... .... ...0 = Not a Router
.... .... .... .... .... .... .... ..0. = Not a Transparent Bridge
.... .... .... .... .... .... .... .0.. = Not a Source Route Bridge
.... .... .... .... .... .... .... 1... = Is a Switch
.... .... .... .... .... .... ...0 .... = Not a Host
.... .... .... .... .... .... ..1. .... = Is IGMP capable
.... .... .... .... .... .... .0.. .... = Not a Repeater
Protocol Hello: Cluster Management
Type: Protocol Hello (0x0008)
Length: 36
OUI: 0x00000C (Cisco)
Protocol ID: 0x0112 (Cluster Management)
Cluster Master IP: 0.0.0.0
UNKNOWN (IP?): 0xFFFFFFFF (255.255.255.255)
Version?: 0x01
Sub Version?: 0x02
Status?: 0x21
UNKNOWN: 0xFF
Cluster Commander MAC: 00:00:00:00:00:00
Switch's MAC: 00:27:0c:b0:5d:80
UNKNOWN: 0xFF
Management VLAN: 0
VTP Management Domain:
Type: VTP Management Domain (0x0009)
Length: 4
VTP Management Domain:
Native VLAN: 205
Type: Native VLAN (0x000a)
Length: 6
Native VLAN: 205
Duplex: Full
Type: Duplex (0x000b)
Length: 5
Duplex: Full
Trust Bitmap: 0x00
Type: Trust Bitmap (0x0012)
Length: 5
Trust Bitmap: 00
Untrusted port CoS: 0x00
Type: Untrusted Port CoS (0x0013)
Length: 5
Untrusted port CoS: 00
Management Addresses
Type: Management Address (0x0016)
Length: 17
Number of addresses: 1
IP address: 10.10.5.7
Protocol type: NLPID
Protocol length: 1
Protocol: IP
Address length: 4
IP address: 10.10.5.7
Power Available: 0 mW, 4294967295 mW
Type: Power Available (0x001a)
Length: 16
Request-ID: 0
Management-ID: 1
Power Available: 0 mW
Power Available: 4294967295 mW
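As an added illustration (not part of the original post), the Python script below decodes the same fields tshark prints above from a raw frame: it applies the same LLC/SNAP test as the tcpdump filter (frame bytes 14 to 21, where ether[20]/ether[21] hold the PID 0x2000) and then walks the CDP TLVs, stopping on a malformed length instead of reading past the buffer. The frame it parses is constructed inside the script (the hostname, 10.10.5.7, GigabitEthernet0/7 and VLAN 205 mirror the capture above); the CDP checksum is left at zero in that sample and is reported but not verified.

```python
import socket
import struct

CDP_DST = bytes.fromhex("01000ccccccc")             # the multicast destination in the tcpdump filter above
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")  # LLC aa aa 03, Cisco OUI, PID 0x2000: frame bytes 14..21
TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
             0x0006: "Platform", 0x000a: "Native VLAN", 0x000b: "Duplex"}

def parse_addresses(value):
    """Addresses TLV: 4-byte count, then (proto type, proto len, proto, addr len, addr) records."""
    addrs, off = [], 4
    for _ in range(struct.unpack("!I", value[:4])[0]):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        raw = value[off + 4 + plen:off + 4 + plen + alen]
        off += 4 + plen + alen
        # NLPID (type 1) value 0xcc with a 4-byte address is IPv4; anything else is shown as hex
        addrs.append(socket.inet_ntoa(raw) if ptype == 1 and proto == b"\xcc" and alen == 4 else raw.hex())
    return addrs
def parse_cdp_frame(frame):
    """Dict of CDP fields from a raw 802.3 frame, or None if the frame is not CDP."""
    if len(frame) < 26 or frame[:6] != CDP_DST or frame[14:22] != SNAP_CDP:
        return None  # same test as "ether dst 01:00:0c:cc:cc:cc and ether[20] == 0x20 and ether[21] == 0x00"
    cdp = frame[22:]
    info = dict(zip(("Version", "TTL", "Checksum"), struct.unpack("!BBH", cdp[:4])))
    off = 4
    while off + 4 <= len(cdp):
        ttype, tlen = struct.unpack("!HH", cdp[off:off + 4])
        if tlen < 4 or off + tlen > len(cdp):
            break  # malformed or truncated TLV length: stop instead of reading past the buffer
        value, off = cdp[off + 4:off + tlen], off + tlen
        name = TLV_NAMES.get(ttype, "TLV 0x%04x" % ttype)
        if ttype == 0x0002:
            info[name] = parse_addresses(value)
        elif ttype in (0x000a, 0x000b):  # Native VLAN (2 bytes) and Duplex (1 byte, 1 = full) are integers
            info[name] = int.from_bytes(value, "big")
        else:
            info[name] = value.decode("ascii", "replace")
    return info
def tlv(ttype, value):
    return struct.pack("!HH", ttype, 4 + len(value)) + value
def build_sample_frame():
    """Constructed CDP announcement (not the page's capture): switch 10.10.5.7, port Gi0/7, native VLAN 205."""
    addr = bytes([1, 1, 0xcc]) + struct.pack("!H", 4) + socket.inet_aton("10.10.5.7")
    body = (tlv(0x0001, b"example-lab-switch.example.com") + tlv(0x0002, struct.pack("!I", 1) + addr)
            + tlv(0x0003, b"GigabitEthernet0/7") + tlv(0x000a, struct.pack("!H", 205)) + tlv(0x000b, b"\x01"))
    cdp = struct.pack("!BBH", 2, 180, 0) + body  # version 2, TTL 180 s; checksum left 0 in this sample
    return CDP_DST + bytes.fromhex("00270cb05d87") + struct.pack("!H", len(SNAP_CDP) + len(cdp)) + SNAP_CDP + cdp
```

To use it on a real capture, read the first frame out of pkt.cap with a pcap library and pass its bytes to parse_cdp_frame.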


Netstat

Another valuable tool is netstat.

netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

To find out which port a service, such as sshd, is listening on, use something like this:


# netstat -alp |grep ssh

tcp 0 0 *:ssh *:* LISTEN 3002/sshd

unix 2 [ ACC ] STREAM LISTENING 27251 4387/ssh-agent /tmp/ssh-tOqWgf4348/agent.4348


Note that some of these commands require root privileges. If you are not logged in as root, prefix the command with sudo. Also, most of the utilities are found in /sbin or /usr/sbin.



Network Drivers

Another advanced topic is network drivers. The last time I checked, http://tldp.org/HOWTO/Ethernet-HOWTO.html discussed /etc/modules.conf, but in newer Red Hat variants the file has changed to /etc/modprobe.conf or /etc/modprobe.d/modprobe.conf.dist. Any of those files should contain basically the same information:

alias eth0 module_name
options module_name option1=value1 option2=value2 ...

It may look something like this:

alias eth0 e1000

or

alias eth0 tg3

depending on the type of network card or module that is installed on the system.

Other Advanced Networking Topics

There are more topics to be covered, such as how to configure multiple NICs, how to use network configuration utilities, other tools such as nmap, and configuration for other Linux distributions.

For more advanced networking tips, check out http://tldp.org/HOWTO/Adv-Routing-HOWTO

For more basic networking info, see this article: http://systemnotesorg.blogspot.com/2011/08/basic-linux-networking-tools.html

Thursday, October 27, 2011

Free AntiVirus and AntiSpyware Software


Computers running Windows seem to have virus and spyware problems quite often. When fixing other people's computers, I have found these free options to be very useful.

Free Windows Anti Virus Software

ClamWin Free Antivirus
http://www.clamwin.com

ClamWin is a Free Antivirus program for Microsoft Windows 7 / Vista / XP / Me / 2000 / 98 and Windows Server 2008 and 2003.

avast! Free Antivirus
http://www.avast.com


Free Anti-Adware / Anti-Spyware Information


Some of this Windows software is offered as a free version, with an option to upgrade. Generally, the free version is enough to clean any problems, but has to be run manually.

Ad-Aware – check for updates, and run occasionally
http://www.lavasoftusa.com

Spy Bot Search and Destroy
http://www.safer-networking.org

Malwarebytes
http://www.malwarebytes.org

Malwarebytes Anti-Malware is often the best tool to remove fake anti-virus software.

Super Anti Spyware
http://www.superantispyware.com

Super Anti Spyware: Remove spyware, NOT just the easy ones!



More adware stuff here: http://www.cexx.org

I have found this site to be an excellent resource, with information on computer security: http://www.selectrealsecurity.com


Behavioral Advertising Opt Out

Have you noticed that certain types of ads appear after you visited a particular website? That is called Behavioral Advertising, and is usually done by storing cookies on your computer.


The Network Advertising Initiative offers the ability to opt out. Go to their website and select opt out.

http://www.networkadvertising.org

You may be surprised at how many active cookies you have.

Another place to opt out:
http://tellapart.com/other/faqs

I am not a big fan of the opt-out idea, as it has the potential to give information to precisely the people you don't want to give it to. It's like calling a telemarketing company and saying, "Here's my phone number, please don't call me." The scammers can still use the do not call list to pretend they are a charity. I would rather not be on a list. By the way, there is an article on how to defeat telemarketers on the systemnotes.org blog.

Web Browser Security

Browsers also have options to clear the cache and history, but you may not want to clear all history and cookies, since they can make browsing your favorite sites easier. You may have to opt out again after clearing cookies.

Check for the latest Add-ons or Plugins for your browser.  For example, in Firefox, select Add-ons, and search for some of these terms:  "Do Not Track", privacy, block, security, ad, virus, etc.  There are lots of good options available.

Other Notes

People generally think of viruses when a computer starts acting strange or running slower, but there are all kinds of bad programs known as malware. These include worms, trojans, rootkits, rogues, dialers, spyware, viruses, etc. It may be useful to search the internet for those terms when attempting to clean a computer. Your computer may be used to store someone else's illegally copied files.

There are plenty of other software options, but many do not offer a fully functional free version. Free trials are not as good, in my opinion. Some of the major anti-virus publishers offer free scanning tools as well, so it can be helpful to check their sites for the latest offers.

Remember, when all else fails, you can always re-install Windows. Or better yet, upgrade to Linux :-).

Sysadmin Notes:  Systems Administrators are usually familiar with resources for securing systems and networks they are responsible for, but software is updated frequently, so it is good to have sources to check for updates.  One of my favorite sources for Open Source software has been sourceforge.net, but use caution, since anyone can upload software.

Security Software Resources

http://insecure.org - nmap, and network security

Be careful with this site, as malware seems to show up occasionally:
http://sourceforge.net/directory/security-utilities

For example:
I'm not sure about the next one, since McAfee SiteAdvisor gave a warning that it may be a dangerous site:  YAC - Yet Another Cleaner http://www.yac.mx

"YAC: The World's Fastest & Lightest PC Cleaner
Fast, Easy to use PC cleaning software.  Clean junk files, privacy files, potential adware, and malicious plugins."