
About This Project

A website dedicated to the ins and outs of running a server.


Resources for researching IP Addresses, and other things

In my job, we have lots of organizations that abuse the free services we provide.  I try to identify them and ask them politely to stop, before just blocking them.  In doing this, I've found several free resources that have been helpful in identifying network owners and contacts.

UIC - time, MAC, IP, speed test, whois, your info, character code tables/conversion, encode/decode, color codes.  Thanks to my friend Darren for letting me know about this one!

Internet Storm Center - They provide reports on IP addresses, including Country Code, ASN, AS Name, Whois info and abuse PoC.  With DShield, you can see whether the IP has been reported, how frequently, the first report, the last report, etc.  I start here.

BGPView - I found this useful for finding a PoC for a network that ISC didn't have.

IPduh - very basic interface, but quite a bit of information and possible actions.

UPDATE:
I'm going to add the MAC Address research items here; there aren't enough of them at the moment for a separate page.

Wireshark OUI Lookup Tool - The Wireshark OUI lookup tool provides an easy way to look up OUIs and other MAC address prefixes.

Didn't list your favorite?  Email me and let me know yours!

network

Logwatch conf files

Logwatch is a great tool, until you want to change the default or do something different than how the basic install is configured.

Then the location of the conf files can be quite confusing.  Here are the basics you (and I) have to remember:

  • Default conf files are in /usr/share/logwatch
  • Other conf files and local changes to default conf files should be placed in /etc/logwatch/conf
  • /etc/cron.daily/0logwatch (YMMV) overrides all of the above, because options passed on its command line (especially the mail or file output option) take precedence over the conf files...

linux

rsyslogd to a commercial cloud SIEM with encryption

rsyslog can be used to log locally and send the logs to a remote server.  Doing that while encrypting the traffic is a bit more challenging.

Kristian Reese has a wonderful guide here: https://kristianreese.com/2019/07/11/How-to-configure-rsyslog-7-4-9-with-TLS/

It gave me the basics, but my situation was going to a cloud commercial SIEM, and I couldn't generate the CA and the keys.

linux


What's Hogging the Disk Space?

To "find" files greater than 1024k and "sort" by largest size first:

find / -mount -size +1024k -type f -exec ls -la {} \; | sort -rnb -k 5 | more

To find directories that are consuming large amount of space (with files) and sort by largest first:

du -x / | sort -rnb | more

To see how much space is being used in a specific directory:

du -sh /var/logs

After all the cleanup the disk space still wasn't freed, because a process was still holding a deleted file open.  I used this command to identify the processes holding open deleted files:

sudo /usr/sbin/lsof | grep deleted
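The same check done by walking /proc/<pid>/fd directly, for hosts where lsof is not installed, as an added example that is not from the original post; the function names, the tab-separated output format and the size total are my own choices.

```sh
#!/bin/sh
# Report files that were unlinked but are still held open by a process, i.e.
# space that "rm" did not give back because the inode is still referenced.
# Output: one line per open descriptor, <pid>\t<bytes>\t<original path>.
# Only descriptors the caller may read are visible; run as root for a full view.
find_deleted_open() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                pid=${fd#/proc/}
                pid=${pid%%/*}
                # stat -L follows the magic link to the still-live inode,
                # so the size reported is the space actually held.
                bytes=$(stat -Lc %s "$fd" 2>/dev/null) || bytes=0
                printf '%s\t%s\t%s\n' "$pid" "$bytes" "${target% (deleted)}"
                ;;
        esac
    done
}

# Sum of bytes that would be released once the holding processes close the
# files or exit. A file opened through several descriptors is counted once
# per descriptor, so treat the figure as an upper bound.
deleted_open_total() {
    find_deleted_open | awk -F'\t' '{ s += $2 } END { printf "%d\n", s }'
}
```

Pipe the output through `sort -t "$(printf '\t')" -k2 -rn | head` to see the biggest offenders first; restarting or signalling the listed PID (as the service's own reload mechanism allows) is what actually frees the space.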

disk volume, linux