22 September 2020

SSH account for uploading files only (SFTP)

SFTP setup in /etc/ssh/sshd_config (the Match block goes after the global settings, since it applies to every line that follows it):

    Subsystem sftp internal-sftp
    Match Group sftpusers
        PasswordAuthentication yes
        ChrootDirectory /srv/sftponly
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

Adding the sftp group:
    groupadd sftpusers

Creating the SFTP-only account (no login shell):
    useradd -d /srv/sftponly -g sftpusers -s /bin/false sftpuser
    passwd sftpuser

Restart openssh:
    /etc/init.d/ssh restart

Setting permissions on the chroot directory (sshd requires it, and every parent, to be owned by root and not writable by group or others):
chown root:root /srv ; chown root:root /srv/sftponly ; chmod 755 /srv ; chmod 755 /srv/sftponly

Making a public (upload-only) directory, mode 333 so the user can write into it but not list or read it:
mkdir /srv/sftponly/public
chown sftpuser:sftpusers /srv/sftponly/public/
chmod 333 /srv/sftponly/public/
ls -ld /srv/sftponly/public/
d-wx-wx-wx 2 sftpuser sftpusers 4096 Oct 15 14:51 /srv/sftponly/public/
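An added check, not part of the original notes: before restarting sshd, audit the layout built above. sshd refuses a ChrootDirectory unless every path component is owned by root and is not writable by group or others, and the upload directory is meant to be write-only (mode 333). The script audits a real path when run as root; its demo() builds a throwaway copy of the same layout in a temp dir (owned by the current user, so expected_owner_uid is passed explicitly) and is the only part that runs here.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example, not from the original notes: audit /srv, /srv/sftponly and
# the write-only upload directory for the conditions sshd and the notes need.


def _components(path, top):
    """Yield path and each of its parents, stopping at `top` (inclusive)."""
    current = path
    while True:
        yield current
        if current == top or current.parent == current:
            return
        current = current.parent


def audit_chroot(chroot, top="/", upload_subdir="public",
                 upload_mode=0o333, expected_owner_uid=0):
    """Return a list of problems; an empty list means the layout is acceptable."""
    problems = []
    chroot = Path(chroot).resolve()
    top = Path(top).resolve()
    for component in _components(chroot, top):
        st = component.stat()
        if st.st_uid != expected_owner_uid:
            problems.append(f"{component}: owned by uid {st.st_uid}, "
                            f"expected uid {expected_owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{component}: writable by group or others")
    upload = chroot / upload_subdir
    if not upload.is_dir():
        problems.append(f"{upload}: upload directory missing")
    else:
        mode = stat.S_IMODE(upload.stat().st_mode)
        if mode != upload_mode:
            problems.append(f"{upload}: mode {mode:o}, expected {upload_mode:o}")
    return problems


def demo():
    """Build a constructed copy of the layout in a temp dir (not a real server)
    and audit it once as configured above and once with a group-writable chroot."""
    with tempfile.TemporaryDirectory() as tmp:
        top = Path(tmp)
        chroot = top / "sftponly"
        public = chroot / "public"
        public.mkdir(parents=True)
        # mkdir honours the umask, so set the modes explicitly.
        os.chmod(top, 0o755)
        os.chmod(chroot, 0o755)
        os.chmod(public, 0o333)
        me = os.getuid()  # the temp tree is owned by us, not by root
        good = audit_chroot(chroot, top=top, expected_owner_uid=me)
        os.chmod(chroot, 0o775)  # group-writable chroot: sshd would refuse it
        bad = audit_chroot(chroot, top=top, expected_owner_uid=me)
        os.chmod(public, 0o755)  # so the temp dir can be cleaned up
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("as configured:", good or "OK")
    print("group-writable chroot:", bad)
```

On the real host run `audit_chroot("/srv/sftponly")` as root with the defaults; anything it reports is something sshd will also complain about (the "bad ownership or modes for chroot directory" error in the auth log).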



Ref:

https://www.unix.com/unix-for-advanced-and-expert-users/238265-sftp-resticting-only-uploading-file.html

21 September 2020

Install winlogbeat

# Test the Winlogbeat configuration
winlogbeat.exe test config -c winlogbeat.yml -e





If you want to send to Logstash instead of directly to Elasticsearch, change the output section of winlogbeat.yml (only one output may be enabled at a time, so the Elasticsearch output must stay commented out, and `hosts` must be indented under the output it belongs to):
...
...

#output.elasticsearch:
  # Array of hosts to connect to.
  # hosts: ["localhost:9200"]

...
...

output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

...
...




Install/Uninstall Service:
# Install Service
.\install-service-winlogbeat.ps1

# Uninstall Service
.\uninstall-service-winlogbeat.ps1

Join or Leave AD domain via command line

Join Domain:

netdom join %computername% /domain:vdom /reboot /UserD:user /PasswordD:* /Force


Leave Domain:

netdom remove %computername% /domain:vdom /reboot /UserD:user /PasswordD:* /Force



Ref:

- https://www.dell.com/support/article/en-my/how10118/joining-and-removing-a-server-from-an-active-directory-domain-using-netdom-exe?lang=en
- https://serverfault.com/questions/412263/command-to-remove-computer-from-non-existant-domain



17 September 2020

Logstash: custom index template

1) create the template JSON

vim elasticsearch-template_v00005.json
{
  "index_patterns": "logstash_v00005-*",
  "settings": {
    "index": {
      "refresh_interval": "10s",
      "number_of_shards": 1,
      "number_of_replicas": 0
    }
  }
}


2) import the template and check

$ curl -XPUT -H 'Content-Type: application/json' 'http://localhost:9200/_template/logstash_v00005?pretty' -d@elasticsearch-template_v00005.json
{
  "acknowledged" : true
}

and check:

$ curl -XGET 'http://localhost:9200/_template/logstash_v00005?pretty'
{
  "logstash_v00005" : {
    "order" : 0,
    "index_patterns" : [
      "logstash_v00005-*"
    ],
    "settings" : {
      "index" : {
        "number_of_shards" : "1",
        "number_of_replicas" : "0",
        "refresh_interval" : "10s"
      }
    },
    "mappings" : { },
    "aliases" : { }
  }
}


3) set the Logstash output config

cat /etc/logstash/conf.d/98-elasticsearch-output.conf
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => true
    template_overwrite => true

    template => '/etc/logstash/elasticsearch-template_v00005.json'
    template_name => 'logstash_v00005'
    index => 'logstash_v00005-%{+YYYY.MM.dd}'
  }
  stdout { codec => rubydebug }
}


Last, don't forget to restart Logstash.
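An added check, not from the original notes: the usual reason a custom template "does nothing" is that its index_patterns does not match the index name Logstash actually writes, or that the file on disk drifted from what Elasticsearch stores. This script renders the `index` setting from step 3 for a given day, checks it against the template from step 1, and compares the local file with the GET _template output from step 2 (both embedded here as copies of the page's JSON; note Elasticsearch returns the patterns as a list and the numeric settings as strings, so both are normalised before comparing).

```python
import fnmatch
import json
from datetime import date

# Added example, not from the original notes. The two JSON documents below are
# copies of what the notes show for step 1 (file) and step 2 (ES response).
TEMPLATE_FILE_JSON = """{
  "index_patterns": "logstash_v00005-*",
  "settings": {
    "index": {
      "refresh_interval": "10s",
      "number_of_shards": 1,
      "number_of_replicas": 0
    }
  }
}"""

ES_RESPONSE_JSON = """{
  "logstash_v00005": {
    "order": 0,
    "index_patterns": ["logstash_v00005-*"],
    "settings": {"index": {"number_of_shards": "1", "number_of_replicas": "0",
                           "refresh_interval": "10s"}},
    "mappings": {},
    "aliases": {}
  }
}"""

LOGSTASH_INDEX_SETTING = "logstash_v00005-%{+YYYY.MM.dd}"


def render_index_name(index_setting, day):
    """Expand the Logstash %{+YYYY.MM.dd} date pattern (the only one handled here)."""
    return index_setting.replace("%{+YYYY.MM.dd}", day.strftime("%Y.%m.%d"))


def template_patterns(template):
    """index_patterns may be a string or a list; normalise to a list."""
    patterns = template["index_patterns"]
    return [patterns] if isinstance(patterns, str) else list(patterns)


def template_matches(template, index_name):
    """True if the template would be applied to an index with this name."""
    return any(fnmatch.fnmatchcase(index_name, p) for p in template_patterns(template))


def _flat_settings(settings, prefix=""):
    """Flatten {"index": {"a": 1}} to {"index.a": "1"} so both forms compare equal."""
    out = {}
    for key, value in settings.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(_flat_settings(value, name + "."))
        else:
            out[name] = str(value)
    return out


def diff_with_elasticsearch(local_template, es_response, template_name):
    """Return human-readable differences between the local file and what ES stores."""
    stored = es_response.get(template_name)
    if stored is None:
        return [f"template {template_name!r} is not present in Elasticsearch"]
    diffs = []
    if sorted(template_patterns(local_template)) != sorted(template_patterns(stored)):
        diffs.append("index_patterns differ")
    local = _flat_settings(local_template.get("settings", {}))
    remote = _flat_settings(stored.get("settings", {}))
    for key in sorted(set(local) | set(remote)):
        if local.get(key) != remote.get(key):
            diffs.append(f"settings.{key}: local={local.get(key)} stored={remote.get(key)}")
    return diffs


def check_page_example(day=date(2020, 9, 17)):
    """Run all checks against the notes' own template, index setting and ES output."""
    template = json.loads(TEMPLATE_FILE_JSON)
    name = render_index_name(LOGSTASH_INDEX_SETTING, day)
    return {
        "index_name": name,
        "matches": template_matches(template, name),
        # a misnamed index (e.g. the default "logstash-...") must not match
        "wrong_name_matches": template_matches(template, "logstash-2020.09.17"),
        "diffs": diff_with_elasticsearch(template, json.loads(ES_RESPONSE_JSON),
                                         "logstash_v00005"),
    }


if __name__ == "__main__":
    print(json.dumps(check_page_example(), indent=2))
```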


Ref: https://github.com/elastic/logstash/issues/10687

09 September 2020

Windows version, OS_build



ref:  https://docs.microsoft.com/en-us/windows/release-information/



08 September 2020

Windows share folders

1) net share (lists the shares on the local machine)

2) $ at the end (e.g. C$):
     - is an administrative share,
     - hidden,
     - needs membership in the local Administrators security group.


3) fsmgmt.msc (Shared Folders MMC snap-in)


4) Default shares
    - DriveLetter$ (e.g. C$)
    - ADMIN$   (C:\Windows)
    - IPC$
    - NETLOGON   (on DC only)
    - SYSVOL     (on DC only)



5) EVENT LOG

a) 5142 - success: file share created (network share object added)

b) 4657 - registry value was modified; shares are stored under
     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Shares


c) 5144 - success: file share deleted (network share object removed)


d) 5140 - success: file share accessed (network share object accessed)
     - logged once per session; the Windows 10 default session timeout is 15 minutes.

e) 5145 - successful file share file/folder operations (detailed file share)
     - needs the 'Object Access -> Detailed File Share' audit subcategory enabled



03 September 2020

Sandbox: VM image preparation

A sandbox normally needs a clean snapshot of the VM image.

If you are using qemu/kvm, this is how to create the snapshot:


1) run the guest and make sure everything works
    - network ok:
        - can reach the internet,
        - can communicate with the sandbox manager (can ping the sandbox manager),
        - the sandbox manager can ping the VM image
    - agent already running


2) create the snapshot:
     $ virsh snapshot-create-as --domain <vm_image> --name <snapshot_name>

3) to verify your snapshot is working
   - shut down the guest
          $ virsh shutdown <vm_image>
          or: virsh destroy <vm_image>

   - revert to the snapshot
          $ virsh snapshot-revert <vm_image> <snapshot_name>






01 September 2020

Elastic: check a timed-out task

Sometimes a task takes a very long time to complete, such as reindexing a big index, and the HTTP request times out.

The task is not terminated; it keeps running in the background. How to check/list these background tasks?


1) list all tasks

GET _tasks?actions=indices*reindex
{
  "query": {
    "match_all": {}
  }
}

This will return something like this:

      "tasks" : {
        "kxXru-l2R92uy63iVzUYww:2365783289" : {
          "node" : "kxXru-l2R92uy63iVzUYww",
          "id" : 2365783289,
          "type" : "transport",
          "action" : "indices:data/write/reindex",
          "start_time_in_millis" : 1598930492885,
          "running_time_in_nanos" : 35909231518,
          "cancellable" : true,
          "headers" : { }
        }
      }


2) see the task details
GET _tasks/kxXru-l2R92uy63iVzUYww:2365783289
{
  "query": {
    "match_all": {}
  }
}

This will return:
{
  "completed" : false,
  "task" : {
    "node" : "kxXru-l2R92uy63iVzUYww",
    "id" : 2365783289,
    "type" : "transport",
    "action" : "indices:data/write/reindex",
    "status" : {
      "total" : 346450,
      "updated" : 0,
      "created" : 262000,
      "deleted" : 0,
      "batches" : 263,
      "version_conflicts" : 0,
      "noops" : 0,
      "retries" : {
        "bulk" : 0,
        "search" : 0
      },
      "throttled_millis" : 0,
      "requests_per_second" : -1.0,
      "throttled_until_millis" : 0
    },
    "description" : "reindex from [my-event-b086cd38-fde3-4d0b-8403-154942d42a9f-2020-07-*] to [my-event-b086cd38-fde3-4d0b-8403-154942d42a9f-2020-07][_doc]",
    "start_time_in_millis" : 1598930492885,
    "running_time_in_nanos" : 261954757922,
    "cancellable" : true,
    "headers" : { }
  }
}
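An added helper, not from the original notes: rather than reading the raw _tasks JSON, flatten the list response into task ids with their running time, and turn the status counters of one reindex task into progress and a rough ETA (done/total and done per second). The embedded documents are copies of the two responses above; the list response is wrapped in the nodes map that GET _tasks actually returns (the notes show only the inner "tasks" block). Whether to stop a task with POST _tasks/<id>/_cancel is a separate decision; the "cancellable" flag just says it is possible.

```python
import json

# Added example, not from the original notes. Copies of the page's two responses;
# the first is wrapped in the nodes -> <node id> -> tasks structure of GET _tasks.
TASK_LIST_JSON = """{
  "nodes": {
    "kxXru-l2R92uy63iVzUYww": {
      "tasks": {
        "kxXru-l2R92uy63iVzUYww:2365783289": {
          "node": "kxXru-l2R92uy63iVzUYww",
          "id": 2365783289,
          "type": "transport",
          "action": "indices:data/write/reindex",
          "start_time_in_millis": 1598930492885,
          "running_time_in_nanos": 35909231518,
          "cancellable": true,
          "headers": {}
        }
      }
    }
  }
}"""

TASK_DETAIL_JSON = """{
  "completed": false,
  "task": {
    "node": "kxXru-l2R92uy63iVzUYww",
    "id": 2365783289,
    "type": "transport",
    "action": "indices:data/write/reindex",
    "status": {"total": 346450, "updated": 0, "created": 262000, "deleted": 0,
               "batches": 263, "version_conflicts": 0, "noops": 0,
               "retries": {"bulk": 0, "search": 0}, "throttled_millis": 0,
               "requests_per_second": -1.0, "throttled_until_millis": 0},
    "start_time_in_millis": 1598930492885,
    "running_time_in_nanos": 261954757922,
    "cancellable": true,
    "headers": {}
  }
}"""


def running_seconds(task):
    return task["running_time_in_nanos"] / 1e9


def list_tasks(response):
    """Flatten a GET _tasks response (nodes -> tasks) into sorted (task_id, task) pairs."""
    tasks = {}
    if "nodes" in response:
        for node in response["nodes"].values():
            tasks.update(node.get("tasks", {}))
    else:  # tolerate a bare {"tasks": {...}} block, as pasted in the notes
        tasks.update(response.get("tasks", {}))
    return sorted(tasks.items())


def long_running(response, threshold_seconds):
    """(task_id, seconds, cancellable) for tasks running longer than the threshold."""
    return [(tid, round(running_seconds(t), 1), t.get("cancellable", False))
            for tid, t in list_tasks(response)
            if running_seconds(t) > threshold_seconds]


def summarize_task(doc):
    """Progress of one task from GET _tasks/<id>; counters missing from status count as 0."""
    task = doc["task"]
    status = task.get("status", {})
    total = status.get("total", 0)
    done = sum(status.get(k, 0) for k in ("created", "updated", "deleted", "noops"))
    secs = running_seconds(task)
    rate = done / secs if secs else 0.0
    return {
        "completed": doc.get("completed", False),
        "action": task["action"],
        "done": done,
        "total": total,
        "percent": round(100.0 * done / total, 1) if total else None,
        "running_seconds": round(secs, 1),
        "eta_seconds": round((total - done) / rate) if rate else None,
        "cancellable": task.get("cancellable", False),
        "version_conflicts": status.get("version_conflicts", 0),
    }


def page_example(threshold_seconds=30):
    """Run both helpers over the notes' own responses."""
    return (long_running(json.loads(TASK_LIST_JSON), threshold_seconds),
            summarize_task(json.loads(TASK_DETAIL_JSON)))


if __name__ == "__main__":
    slow, summary = page_example()
    print("long-running:", slow)
    print(json.dumps(summary, indent=2))
```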