|
#ls
0_hfile_469_1.doc phpsyslogng-2.6.tar.gz ssh-fake phpsyslogng-2.6(2).tar.gz prilozenie_1_4.doc Tablitsa_1_1.xls |
#vi ssh-fake
|
#man socat
|
#man socat
|
#man socat
|
#man socat |less
#cp ssh-fake ssh-fake.1
================================================== [root@linux3:user]# apt-get install john Reading package lists... Done Building dependency tree... Done Package john is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source E: Package john has no installation candidate |
#vi ssh-fake
8c8 < ( sleep 6 ; echo $password ) | socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' --- > socat - EXEC "( sleep 6 ; echo $password ) | socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d'" |
#./ssh-fake
Password: 2007/06/21 12:45:30 socat[6639] E exactly 2 addresses required (there are 3); use option "-h" for help |
#vi ssh-fake
8c8 < socat - EXEC "( sleep 6 ; echo $password ) | socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d'" --- > socat - EXEC:"( sleep 6 ; echo $password ) | socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d'" |
#./ssh-fake
[root@linux3:user]# apt-get install john Reading package lists... Done Building dependency tree... Done Package john is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source E: Package john has no installation candidate Password: 2007/06/21 12:45:48 socat[6662] E parseopts(): unknown option "ctty | sed '1" |
#vi ssh-fake
8c8 < socat - EXEC:"( sleep 6 ; echo $password ) | socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d'" --- > ( sleep 6 ; echo $password ; while read line ; do echo $line done) | socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' |
#./ssh-fake
Password: ./ssh-fake: line 8: syntax error near unexpected token `)' ./ssh-fake: line 8: `( sleep 6 ; echo $password ; while read line ; do echo $line done) | socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d'' |
#ssh user@192.168.15.254
user@sky:~$ exit logout Connection to 192.168.15.254 closed. |
#dig @bigmir.net ns
[root@linux3:user]# apt-get install john Reading package lists... Done Building dependency tree... Done Package john is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source E: Package john has no installation candidate bash: dig: command not found |
#vi ssh-fake
8c8 < ( sleep 6 ; echo $password ; while read line ; do echo $line done) | socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' --- > ( sleep 6 ; echo $password ; while read line ; do echo $line; done;) | socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' |
#./ssh-fake
Last login: Thu Jun 21 16:37:40 2007 from 192.168.15.201 Linux linux3 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the indZLO.ZLO.ZLOl files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. l3-agent is already running: pid=5705; pidfile=/root/.lilalo/l3-agent.pid |
#vi ssh-fake
8c8 < ( sleep 6 ; echo $password ; while read line ; do echo $line; done;) | socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' --- > ( sleep 6 ; echo $password ; cat )| socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' |
#./ssh-fake
Last login: Thu Jun 21 17:11:03 2007 from 192.168.15.201 Linux linux3 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the indZLO.ZLO.ZLOl files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. l3-agent is already running: pid=5705; pidfile=/root/.lilalo/l3-agent.pid ls |
#vi ssh-fake
8c8 < ( sleep 6 ; echo $password ; cat )| socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' --- > ( sleep 6 ; echo $password ; )| socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' |
#ifconfig
eth0 Link encap:Ethernet HWaddr 00:04:75:75:46:B1 inet6 addr: fe80::204:75ff:fe75:46b1/64 Scope:Link UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:65055 errors:0 dropped:0 overruns:0 frame:0 TX packets:56376 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:28430190 (27.1 MiB) TX bytes:6256967 (5.9 MiB) Interrupt:169 Base address:0x2c00 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:1351 errors:0 dropped:0 overruns:0 frame:0 TX packets:1351 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:300469 (293.4 KiB) TX bytes:300469 (293.4 KiB) |
$screen -x
$screen -x
|
#ifdown eth0
There is already a pid file /var/run/dhclient.eth0.pid with pid 2798 killed old client process, removed PID file Internet Systems Consortium DHCP Client V3.0.4 Copyright 2004-2006 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ Listening on LPF/eth0/00:04:75:75:46:b1 Sending on LPF/eth0/00:04:75:75:46:b1 Sending on Socket/fallback DHCPRELEASE on eth0 to 192.168.15.254 port 67 send_packet: Network is unreachable send_packet: please consult README file regarding broadcast address. |
#ifup eth0
Internet Systems Consortium DHCP Client V3.0.4 Copyright 2004-2006 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ Listening on LPF/eth0/00:04:75:75:46:b1 Sending on LPF/eth0/00:04:75:75:46:b1 Sending on Socket/fallback DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6 DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 10 DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 21 DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 18 DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 No DHCPOFFERS received. No working leases in persistent database - sleeping. |
#ifup eth0
ifup: interface eth0 already configured |
#ifconfig
eth0 Link encap:Ethernet HWaddr 00:04:75:75:46:B1 UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:65055 errors:0 dropped:0 overruns:0 frame:0 TX packets:56376 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:28430190 (27.1 MiB) TX bytes:6256967 (5.9 MiB) Interrupt:169 Base address:0x2c00 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:1351 errors:0 dropped:0 overruns:0 frame:0 TX packets:1351 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:300469 (293.4 KiB) TX bytes:300469 (293.4 KiB) |
#ifconfig
eth0 Link encap:Ethernet HWaddr 00:04:75:75:46:B1 inet6 addr: fe80::204:75ff:fe75:46b1/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:65055 errors:0 dropped:0 overruns:0 frame:0 TX packets:56379 errors:0 dropped:0 overruns:0 carrier:3 collisions:0 txqueuelen:1000 RX bytes:28430190 (27.1 MiB) TX bytes:6257205 (5.9 MiB) Interrupt:169 Base address:0x2c00 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:1351 errors:0 dropped:0 overruns:0 frame:0 TX packets:1351 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:300469 (293.4 KiB) TX bytes:300469 (293.4 KiB) |
#ifdown eth0
There is already a pid file /var/run/dhclient.eth0.pid with pid 8257 killed old client process, removed PID file Internet Systems Consortium DHCP Client V3.0.4 Copyright 2004-2006 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ Listening on LPF/eth0/00:04:75:75:46:b1 Sending on LPF/eth0/00:04:75:75:46:b1 Sending on Socket/fallback DHCPRELEASE on eth0 to 192.168.15.254 port 67 send_packet: Network is unreachable send_packet: please consult README file regarding broadcast address. |
#ifup eth0
Internet Systems Consortium DHCP Client V3.0.4 Copyright 2004-2006 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ Listening on LPF/eth0/00:04:75:75:46:b1 Sending on LPF/eth0/00:04:75:75:46:b1 Sending on Socket/fallback DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 DHCPOFFER from 192.168.15.254 DHCPREQUEST on eth0 to 255.255.255.255 port 67 DHCPACK from 192.168.15.254 bound to 192.168.15.201 -- renewal in 283 seconds. |
#ifconfig
eth0 Link encap:Ethernet HWaddr 00:04:75:75:46:B1 inet addr:192.168.15.201 Bcast:192.168.15.255 Mask:255.255.255.0 inet6 addr: fe80::204:75ff:fe75:46b1/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:65060 errors:0 dropped:0 overruns:0 frame:0 TX packets:56389 errors:0 dropped:0 overruns:0 carrier:5 collisions:0 txqueuelen:1000 RX bytes:28431056 (27.1 MiB) TX bytes:6258499 (5.9 MiB) Interrupt:169 Base address:0x2c00 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:1351 errors:0 dropped:0 overruns:0 frame:0 TX packets:1351 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:300469 (293.4 KiB) TX bytes:300469 (293.4 KiB) |
#ssh linux3
root@linux3's password: |
#ls
0_hfile_469_1.doc phpsyslogng-2.6.tar.gz ssh-fake Tablitsa_1_1.xls phpsyslogng-2.6(2).tar.gz prilozenie_1_4.doc ssh-fake.1 |
#vi ssh-fake
|
#man socat
|
#man socat |less
#vi ssh-fake
|
#vi ssh-fake
8c8,9 < ( sleep 6 ; echo $password ; )| socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' --- > #( sleep 6 ; echo $password ; )| socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' > ( sleep 6 ; echo $password ; socat EXEC:'cat ',setsid,pty,ctty - )| socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' |
#./ssh-fake
Password: Last login: Fri Jun 22 09:33:39 2007 from 192.168.15.254 Linux linux3 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the indZLO.ZLO.ZLOl files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. l3-agent is already running: pid=4349; pidfile=/root/.lilalo/l3-agent.pid ls |
#vi ssh-fake
|
#vi ssh-fake
#vi ssh-fake
9c9 < ( sleep 6 ; echo $password ; socat EXEC:'cat ',setsid,pty,ctty - )| socat - EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' --- > ( sleep 6 ; echo $password ; )| socat PTY EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' |
#./ssh-fake
Password: |
#vi ssh-fake
|
#vi ssh-fake
9c9 < ( sleep 6 ; echo $password ; )| socat PTY EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' --- > ( sleep 6 ; echo $password ; )| socat PTY,openpty EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' |
#./ssh-fake
Password: |
#vi ssh-fake
9c9,10 < ( sleep 6 ; echo $password ; )| socat PTY,openpty EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' --- > socat PTY,openpty,link=/tmp/pty0 EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' & > sleep 6; echo $password >/tmp/pty0 |
#./ssh-fake
Password: |
#fg
bash: fg: current: no such job |
#jobs
|
#vi ssh-fake
9,10c9 < socat PTY,openpty,link=/tmp/pty0 EXEC:'ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' & < sleep 6; echo $password >/tmp/pty0 --- > socat - EXEC:'( sleep 6 ; echo $password ; )| ssh root@linux3.unix.nt',setsid,pty,ctty | sed '1,1d' |
#./ssh-fake
Password: 2007/06/22 06:29:43 socat[9220] E execvp("(", ...): No such file or directory |
#vi ssh-fake
|
#nc n7.ZLO.ZLO.ZLO 25
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ... ~ ~ ~ ~ ~ "ssh-fake" 10 lines, 273 characters written [root@linux2:~]# nc n7.ZLO.ZLO.ZLO 25 n7.ZLO.ZLO.ZLO: forward host lookup failed: Unknown host [root@linux2:~]# nc n7.um n7.ZLO.ZLO.ZLO: forward host lookup failed: Unknown host |
#ssh user@linux3
user@linux3's password: Linux linux3 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the indZLO.ZLO.ZLOl files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have mail. Last login: Fri Jun 22 09:51:02 2007 from linux1.local l3-agent is already running: pid=4519; pidfile=/home/user/.lilalo/l3-agent.pid |
#nc n7.ZLO.ZLO.ZLO 25
501 5.1.7 Bad sender address syntax MAIL FROM: staska@ZLO.ZLO.ZLO 501 5.1.7 Bad sender address syntax quit 221 2.0.0 Bye [root@linux2:~]# 220 n7.ZLO.ZLO.ZLO ESMTP Ready hello ZLO.ZLO.ZLO 502 5.5.2 Error: command not recognized mail to: ivans@ZLO.ZLO.ZLO ... exit 502 5.5.2 Error: command not recognized by 502 5.5.2 Error: command not recognized mail from: staska@ZLO.ZLO.ZLO 501 5.1.7 Bad sender address syntax MAIL FROM: staska@ZLO.ZLO.ZLO 501 5.1.7 Bad sender address syntax quit 221 2.0.0 Bye |
#nc n7.ZLO.ZLO.ZLO 25
502 5.5.2 Error: command not recognized bye 502 5.5.2 Error: command not recognized exit 502 5.5.2 Error: command not recognized by 502 5.5.2 Error: command not recognized mail from: staska@ZLO.ZLO.ZLO 501 5.1.7 Bad sender address syntax MAIL FROM: staska@ZLO.ZLO.ZLO ... helo ZLO.ZLO.ZLO 250 n7.ZLO.ZLO.ZLO mail from: staska@noc.ZLO.ZLO.ZLO 501 5.1.7 Bad sender address syntax [root@linux2:~]# 220 n7.ZLO.ZLO.ZLO ESMTP Ready helo ZLO.ZLO.ZLO 250 n7.ZLO.ZLO.ZLO mail from: staska@noc.ZLO.ZLO.ZLO 501 5.1.7 Bad sender address syntax |
#iptables -L
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
250 2.1.0 Ok 554 5.7.1 <ikravchuk@ZLO.ZLO.ZLO>: Relay access denied 554 5.5.1 Error: no valid recipients [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 220 n7.ZLO.ZLO.ZLO ESMTP Ready 250 n7.ZLO.ZLO.ZLO 250 2.1.0 Ok 250 2.1.5 Ok 354 End data with <CR><LF>.<CR><LF> From: Pavel Pavlovsky ... 250 2.0.0 Ok: queued as 74FB982BC3 500 5.5.2 Error: bad syntax quit 221 2.0.0 Bye [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 [root@linux3:~]# [root@linux3:~]# [root@linux3:~]# #http://google.com/trends?q=postfix%2C+sendmail%2C+qmail%2C+exim [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo D [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 |
#iptables -A INPUT -p tcp --syn -j DROP
|
#iptables -L
354 End data with <CR><LF>.<CR><LF> From: Pavel Pavlovsky You're hacked!<>? . 250 2.0.0 Ok: queued as 74FB982BC3 500 5.5.2 Error: bad syntax quit 221 2.0.0 Bye [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 [root@linux3:~]# ... [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo D [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
#iptables -A INPUT -p tcp --flags SYN/SYN -j DROP
![]() 554 5.5.1 Error: no valid recipients [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 220 n7.ZLO.ZLO.ZLO ESMTP Ready 250 n7.ZLO.ZLO.ZLO 250 2.1.0 Ok 250 2.1.5 Ok 354 End data with <CR><LF>.<CR><LF> From: Pavel Pavlovsky You're hacked!<>? . ... quit 221 2.0.0 Bye [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 [root@linux3:~]# [root@linux3:~]# [root@linux3:~]# #http://google.com/trends?q=postfix%2C+sendmail%2C+qmail%2C+exim [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo D [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 iptables v1.3.6: Unknown arg `--flags' Try `iptables -h' or 'iptables --help' for more information. |
#man iptables
|
#iptables -A INPUT -p tcp --tcp-flags SYN/SYN -j DROP
![]() 554 5.5.1 Error: no valid recipients [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 220 n7.ZLO.ZLO.ZLO ESMTP Ready 250 n7.ZLO.ZLO.ZLO 250 2.1.0 Ok 250 2.1.5 Ok 354 End data with <CR><LF>.<CR><LF> From: Pavel Pavlovsky You're hacked!<>? . ... quit 221 2.0.0 Bye [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 [root@linux3:~]# [root@linux3:~]# [root@linux3:~]# #http://google.com/trends?q=postfix%2C+sendmail%2C+qmail%2C+exim [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo D [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 iptables v1.3.6: --tcp-flags requires two args. Try `iptables -h' or 'iptables --help' for more information. |
#iptables -A INPUT -p tcp --tcp-flags SYN SYN -j DROP
250 2.1.0 Ok 554 5.7.1 <ikravchuk@ZLO.ZLO.ZLO>: Relay access denied 554 5.5.1 Error: no valid recipients [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 220 n7.ZLO.ZLO.ZLO ESMTP Ready 250 n7.ZLO.ZLO.ZLO 250 2.1.0 Ok 250 2.1.5 Ok 354 End data with <CR><LF>.<CR><LF> From: Pavel Pavlovsky ... 250 2.0.0 Ok: queued as 74FB982BC3 500 5.5.2 Error: bad syntax quit 221 2.0.0 Bye [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 [root@linux3:~]# [root@linux3:~]# [root@linux3:~]# #http://google.com/trends?q=postfix%2C+sendmail%2C+qmail%2C+exim [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo D [root@linux3:~]# (sleep 1; echo HELO mail2.techexpZLO.ZLO.ZLO ; sleep 1 ; echo 'MAIL FROM: <ikravchuk@ZLO.ZLO.ZLO>'; sleep 1; echo 'RCPT TO: <ikravchuk@ZLO.ZLO.ZLO>' ; sleep 1; echo DATA ; cat ) | nc n7.ZLO.ZLO.ZLO 25 |
#iptables -L
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN DROP tcp -- anywhere anywhere tcp flags:SYN/SYN Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
#iptables -D INPUT 3
|
#nc ZLO.ZLO.ZLO 80
GET / HTTP/1.1 400 Bad Request ( The data is invalid. ) Via: 1.1 MEDUSA Connection: close Proxy-Connection: close Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Content-Length: 3997 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> ... <LI id=L_default_13>Date: 22.06.2007 9:41:28 <LI id=L_default_14>Server: medusa.tech.inc <LI id=L_default_15>Source: proxy </UL> </TD> </TR> </TBODY> </TABLE> </BODY> </HTML> |
#iptables -D INPUT 3
iptables: Index of deletion too big |
#iptables -L
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
#w
08:42:48 up 1 day, 2:40, 5 users, load average: 0.02, 0.12, 0.14 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root tty1 - Thu06 26:32 0.04s 0.03s /bin/login -- user tty2 - Thu06 2:59 1.61s 0.01s /bin/login -- root tty3 - Thu06 21:36 0.14s 0.01s /bin/login -- root pts/3 :0.0 Thu08 0.00s 2.05s 0.04s script -f -q /root/.lilalo//1839824856246384740-1182428544.script user pts/5 192.168.15.200 06:04 0.00s 0.37s 0.27s script -f -q /home/user/.lilalo//69752173202049421-1182506673.script |
#iptables -t nat -L
target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@linux2:~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ... Chain OUTPUT (policy ACCEPT) --------------------------------------------------------------------------------------------------------------------------------------------- target prot opt source destination -------------------------------------------------------------------------------- [root@linux2:~]# Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
#iptables -L
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
#iptables -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
l3-agent is already running: pid=2379; pidfile=/root/.lilalo/l3-agent.pid [root@linux2:~]# [root@linux2:~]# [root@linux2:~]# [root@linux2:~]# [root@linux2:~]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination ... target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) --------------------------------------------------------------------------------------------------------------------------------------------- target prot opt source destination -------------------------------------------------------------------------------- [root@linux2:~]# iptables -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset [root@linux2:~]# |
#iptables -D INPUT 2
[root@linux2:~]# [root@linux2:~]# [root@linux2:~]# [root@linux2:~]# [root@linux2:~]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) ... ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) --------------------------------------------------------------------------------------------------------------------------------------------- target prot opt source destination -------------------------------------------------------------------------------- [root@linux2:~]# iptables -A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset [root@linux2:~]# iptables -D INPUT 2 [root@linux2:~]# |
#man iptables
|
#iptables -A INPUT -m conntrack --cstate ESTABLISHED -j ACCEPT
![]() The transfered bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink [!] --connbytes from:[to] if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.less than TO bytes/packets. --connbytes-dir [original|reply|both] which packets to consider --connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. ... Examples: # allow 2 telnet connections per client host # you can also match the other way around: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This moiptables v1.3.6: Unknown arg `--cstate'ssociated with a connection (which can be set using the CONNMARK target below). Try `iptables -h' or 'iptables --help' for more information. |
#iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
The transfered bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink [!] --connbytes from:[to] if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.less than TO bytes/packets. --connbytes-dir [original|reply|both] which packets to consider --connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. ... group hosts using mask Examples: # allow 2 telnet connections per client host # you can also match the other way around: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). |
#iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
The transfered bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink [!] --connbytes from:[to] if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.less than TO bytes/packets. --connbytes-dir [original|reply|both] which packets to consider --connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. ... group hosts using mask Examples: # allow 2 telnet connections per client host # you can also match the other way around: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). |
#lynx -dump ya.ru/
#apt-get install lynx
Reading package lists... Done Building dependency tree... Done The following NEW packages will be installed: lynx 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 1859kB of archives. After unpacking 4678kB of additional disk space will be used. Get:1 http://debian.ZLO.ZLO.ZLO etch/main lynx 2.8.5-2sarge2.2 [1859kB] Fetched 1859kB in 0s (5873kB/s) Selecting previously deselected package lynx. (Reading database ... 22479 files and directories currently installed.) Unpacking lynx (from .../lynx_2.8.5-2sarge2.2_i386.deb) ... Setting up lynx (2.8.5-2sarge2.2) ... |
#iptables -L
so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... conn[!] --connlimit-above n Allows match if the number of existing tcp connections is (not) above ner per client IP address (or address block). --connlimit-mask bits group hosts using mask Examples: # allow 2 telnet connections per client host ... This moChain INPUT (policy ACCEPT)mark field associated with a connection (which can be set using the CONNMARK target below). target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh REJECT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN reject-with tcp-reset ACCEPT 0 -- anywhere anywhere ctstate ESTABLISHED REJECT tcp -- anywhere anywhere reject-with tcp-reset Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
#iptables -D INPUT 2
The transfered bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink [!] --connbytes from:[to] if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.less than TO bytes/packets. --connbytes-dir [original|reply|both] which packets to consider --connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. ... group hosts using mask Examples: # allow 2 telnet connections per client host # you can also match the other way around: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). |
#iptables -L
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT 0 -- anywhere anywhere ctstate ESTABLISHED REJECT tcp -- anywhere anywhere reject-with tcp-reset Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
#iptables -L
whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... conn[!] --connlimit-above n Allows match if the number of existing tcp connections is (not) above ner per client IP address (or address block). --connlimit-mask bits group hosts using mask Examples: ... conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT 0 -- anywhere anywhere ctstate ESTABLISHED REJECT tcp -- anywhere anywhere reject-with tcp-reset Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination |
#cat /proc/net/ip_conntrack
[!] --connbytes from:[to] if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.less than TO bytes/packets. --connbytes-dir [original|reply|both] which packets to consider --connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... ... iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below).
tcp 6 431785 ESTABLISHED src=192.168.15.201 dst=192.168.15.200 sport=43655 dport=514 packets=6 bytes=820 src=192.168.15.200 dst=192.168.15.201 sport=514 dport=43655 packets=6 bytes=312 [ASSURED] mark=0 use=1 tcp 6 43 TIME_WAIT src=192.168.15.201 dst=194.150.93.78 sport=39723 dport=18030 packets=6 bytes=2730 src=194.150.93.78 dst=192.168.15.201 sport=18030 dport=39723 packets=4 bytes=216 [ASSURED] mark=0 use=1 tcp 6 11 TIME_WAIT src=192.168.15.201 dst=194.150.93.78 sport=39722 dport=18030 packets=7 bytes=3793 src=194.150.93.78 dst=192.168.15.201 sport=18030 dport=39722 packets=5 bytes=268 [ASSURED] mark=0 use=1 tcp 6 431999 ESTABLISHED src=192.168.15.200 dst=192.168.15.201 sport=22 dport=59148 packets=865 bytes=205412 src=192.168.15.201 dst=192.168.15.200 sport=59148 dport=22 packets=867 bytes=45612 [ASSURED] mark=0 use=1 tcp 6 431391 ESTABLISHED src=192.168.15.201 dst=192.168.15.200 sport=22 dport=51601 packets=40 bytes=9208 src=192.168.15.200 dst=192.168.15.201 sport=51601 dport=22 packets=52 bytes=3616 [ASSURED] mark=0 use=1 udp 17 103 src=192.168.15.201 dst=192.168.15.254 sport=32880 dport=53 packets=28 bytes=1678 src=192.168.15.254 dst=192.168.15.201 sport=53 dport=32880 packets=27 bytes=4681 [ASSURED] mark=0 use=1 |
#sysctl -a | grep ip_conntrack
error: "Success" reading key "dev.parport.parport0.autoprobe0" error: "Success" reading key "dev.parport.parport0.autoprobe" error: "Operation not permitted" reading key "net.ipv6.route.flush" error: "Operation not permitted" reading key "net.ipv4.route.flush" net.ipv4.ip_conntrack_max = 32752 net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3 net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0 net.ipv4.netfilter.ip_conntrack_tcp_loose = 3 net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300 net.ipv4.netfilter.ip_conntrack_log_invalid = 0 ... net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30 net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60 net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120 net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000 net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60 net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120 net.ipv4.netfilter.ip_conntrack_checksum = 1 net.ipv4.netfilter.ip_conntrack_buckets = 4094 net.ipv4.netfilter.ip_conntrack_count = 7 net.ipv4.netfilter.ip_conntrack_max = 32752 |
#history
491 man iptables 492 iptables -A INPUT -p tcp --tcp-flags SYN/SYN -j DROP 493 iptables -A INPUT -p tcp --tcp-flags SYN SYN -j DROP 494 iptables -L 495 iptables -D INPUT 3 496 nc ZLO.ZLO.ZLO 80 497 iptables -D INPUT 3 498 iptables -L 499 w 500 iptables -t nat -L ... 507 iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset 508 lynx -dump ya.ru/ 509 apt-get install lynx 510 iptables -L 511 iptables -D INPUT 2 512 iptables -L 513 iptables -L 514 cat /proc/net/ip_conntrack 515 sysctl -a | grep ip_conntrack 516 history |
#lsmod | grep ipt
if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.less than TO bytes/packets. --connbytes-dir [original|reply|both] which packets to consider --connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... conn[!] --connlimit-above n ... # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). ipt_REJECT 5248 1 iptable_nat 7044 0 ip_nat 16876 1 iptable_nat ip_conntrack 49088 3 xt_conntrack,iptable_nat,ip_nat iptable_filter 3104 1 ip_tables 13028 2 iptable_nat,iptable_filter x_tables 13316 5 xt_conntrack,ipt_REJECT,iptable_nat,xt_tcpudp,ip_tables |
#http://www.juniper.net/products_and_services/firewall_slash_ipsec_vpn/netscreen_5_series/index.html
The transfered bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink [!] --connbytes from:[to] if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.less than TO bytes/packets. --connbytes-dir [original|reply|both] which packets to consider --connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. ... group hosts using mask Examples: # allow 2 telnet connections per client host # you can also match the other way around: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). bash: http://www.juniper.net/products_and_services/firewall_slash_ipsec_vpn/netscreen_5_series/index.html: No such file or directory |
##http://www.juniper.net/products_and_services/firewall_slash_ipsec_vpn/netscreen_5_series/index.html
The transfered bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink [!] --connbytes from:[to] if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.less than TO bytes/packets. --connbytes-dir [original|reply|both] which packets to consider --connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. ... group hosts using mask Examples: # allow 2 telnet connections per client host # you can also match the other way around: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). |
#apt-get scanlogd
The transfered bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink [!] --connbytes from:[to] if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.less than TO bytes/packets. --connbytes-dir [original|reply|both] which packets to consider --connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. ... group hosts using mask Examples: # allow 2 telnet connections per client host # you can also match the other way around: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). E: Invalid operation scanlogd |
#apt-get install scanlogd
group hosts using mask Examples: # allow 2 telnet connections per client host # you can also match the other way around: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). Reading package lists... Done ... Get:1 http://debian.ZLO.ZLO.ZLO etch/main scanlogd 2.2.5-2 [19.2kB] Fetched 19.2kB in 0s (92.1kB/s) Selecting previously deselected package scanlogd. (Reading database ... 22562 files and directories currently installed.) Unpacking scanlogd (from .../scanlogd_2.2.5-2_i386.deb) ... Setting up scanlogd (2.2.5-2) ... Adding system user `scanlogd' (UID 104) ... Adding new user `scanlogd' (UID 104) with group `nogroup' ... Creating home directory `/home/scanlogd' ... Starting scanlogd: scanlogd. |
#ps aux | grep scanlogd
scanlogd 10454 0.0 0.0 1784 236 ? Ss 09:08 0:00 /usr/sbin/scanlogd root 10469 0.0 0.1 2852 708 pts/6 R+ 09:09 0:00 grep scanlogd |
#tail /var/log/messages
--connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... conn[!] --connlimit-above n Allows match if the number of existing tcp connections is (not) above ner per client IP address (or address block). --connlimit-mask bits group hosts using mask ... This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). Jun 22 08:22:56 192.168.15.200/192.168.15.200 Jun 22 08:22:56 192.168.15.200/192.168.15.200 Jun 22 08:22:56 192.168.15.200/192.168.15.200 : Jun 22 08:22:56 192.168.15.200/192.168.15.200 4æ Jun 22 08:22:56 192.168.15.200/192.168.15.200 Jun 22 08:23:01 192.168.15.200/192.168.15.200 (CONNECT_DATA=(COMMAND=version)) Jun 22 08:31:21 s_all@linux2 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team Jun 22 08:45:39 s_all@linux2 kernel: Netfilter messages via NETLINK v0.30. Jun 22 08:45:39 s_all@linux2 kernel: ip_conntrack version 2.4 (4094 buckets, 32752 max) - 224 bytes per conntrack Jun 22 08:56:25 s_all@linux2 kernel: process `sysctl' is using deprecated sysctl (syscall) net.ipv6.neigh.eth0.base_reachable_time; Use net.ipv6.neigh.eth0.base_reachable_time_ms instead. |
#tail /var/log/daemon.log
--connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... conn[!] --connlimit-above n Allows match if the number of existing tcp connections is (not) above ner per client IP address (or address block). --connlimit-mask bits group hosts using mask ... This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). Jun 22 08:56:08 s_all@linux2 dhclient: bound to 192.168.15.201 -- renewal in 255 seconds. Jun 22 09:00:23 s_all@linux2 dhclient: DHCPREQUEST on eth0 to 192.168.15.254 port 67 Jun 22 09:00:23 s_all@linux2 dhclient: DHCPACK from 192.168.15.254 Jun 22 09:00:23 s_all@linux2 dhclient: bound to 192.168.15.201 -- renewal in 255 seconds. Jun 22 09:04:38 s_all@linux2 dhclient: DHCPREQUEST on eth0 to 192.168.15.254 port 67 Jun 22 09:04:38 s_all@linux2 dhclient: DHCPACK from 192.168.15.254 Jun 22 09:04:38 s_all@linux2 dhclient: bound to 192.168.15.201 -- renewal in 232 seconds. Jun 22 09:08:30 s_all@linux2 dhclient: DHCPREQUEST on eth0 to 192.168.15.254 port 67 Jun 22 09:08:30 s_all@linux2 dhclient: DHCPACK from 192.168.15.254 Jun 22 09:08:30 s_all@linux2 dhclient: bound to 192.168.15.201 -- renewal in 290 seconds. |
#iptables -F
|
#tail /var/log/daemon.log
--connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... conn[!] --connlimit-above n Allows match if the number of existing tcp connections is (not) above ner per client IP address (or address block). --connlimit-mask bits group hosts using mask ... This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below). Jun 22 09:00:23 s_all@linux2 dhclient: DHCPREQUEST on eth0 to 192.168.15.254 port 67 Jun 22 09:00:23 s_all@linux2 dhclient: DHCPACK from 192.168.15.254 Jun 22 09:00:23 s_all@linux2 dhclient: bound to 192.168.15.201 -- renewal in 255 seconds. Jun 22 09:04:38 s_all@linux2 dhclient: DHCPREQUEST on eth0 to 192.168.15.254 port 67 Jun 22 09:04:38 s_all@linux2 dhclient: DHCPACK from 192.168.15.254 Jun 22 09:04:38 s_all@linux2 dhclient: bound to 192.168.15.201 -- renewal in 232 seconds. Jun 22 09:08:30 s_all@linux2 dhclient: DHCPREQUEST on eth0 to 192.168.15.254 port 67 Jun 22 09:08:30 s_all@linux2 dhclient: DHCPACK from 192.168.15.254 Jun 22 09:08:30 s_all@linux2 dhclient: bound to 192.168.15.201 -- renewal in 290 seconds. Jun 22 13:09:33 s_all@linux2 scanlogd: 192.168.15.200:51994 to 192.168.15.201 ports 443, 1723, 21, 80, 22, 3389, 23, 554, ..., fSrpauxy, TOS 00 @09:09:33 |
#tail -f /var/log/daemon.log
Jun 22 13:10:31 s_all@linux2 scanlogd: 1.2.3.4:53196 to 192.168.15.201 ports 256, 25, 554, 636, 113, 389, ..., fSrpauxy, TOS 00 @13:10:31 Jun 22 13:10:31 s_all@linux2 scanlogd: 5.6.7.8:53196 to 192.168.15.201 ports 256, 25, 554, 636, 113, 389, ..., fSrpauxy, TOS 00 @13:10:31 Jun 22 13:10:31 s_all@linux2 scanlogd: 9.10.11.12:53196 to 192.168.15.201 ports 256, 25, 554, 636, 113, 389, ..., fSrpauxy, TOS 00 @13:10:31 Jun 22 13:10:31 s_all@linux2 scanlogd: 13.14.15.16:53196 to 192.168.15.201 ports 256, 25, 554, 636, 113, 389, ..., fSrpauxy, TOS 00 @13:10:31 Jun 22 13:10:31 s_all@linux2 scanlogd: 192.168.15.200:53196 to 192.168.15.201 ports 256, 25, 554, 636, 113, 389, ..., fSrpauxy, TOS 00 @13:10:31 Jun 22 13:10:31 s_all@linux2 scanlogd: More possible port scans follow Jun 22 09:13:20 s_all@linux2 dhclient: DHCPREQUEST on eth0 to 192.168.15.254 port 67 Jun 22 09:13:20 s_all@linux2 dhclient: DHCPACK from 192.168.15.254 Jun 22 09:13:20 s_all@linux2 dhclient: bound to 192.168.15.201 -- renewal in 285 seconds. 
Jun 22 13:15:04 s_all@linux2 scanlogd: 213.156.70.224:55938 to 192.168.15.201 ports 1723, 256, 53, 443, 636, 554, 22, ..., fSrpauxy, TOS 00 @13:15:04 Jun 22 13:15:04 s_all@linux2 scanlogd: 62.244.0.193:55938 to 192.168.15.201 ports 1723, 256, 53, 443, 636, 554, 22, ..., fSrpauxy, TOS 00 @13:15:04 Jun 22 13:15:04 s_all@linux2 scanlogd: 88.81.240.35:55938 to 192.168.15.201 ports 1723, 256, 53, 443, 636, 554, 22, ..., fSrpauxy, TOS 00 @13:15:04 Jun 22 13:15:04 s_all@linux2 scanlogd: 195.34.200.251:55938 to 192.168.15.201 ports 1723, 256, 53, 443, 636, 554, 22, ..., fSrpauxy, TOS 00 @13:15:04 Jun 22 13:15:04 s_all@linux2 scanlogd: 193.19.240.84:55938 to 192.168.15.201 ports 1723, 256, 53, 443, 636, 554, 22, ..., fSrpauxy, TOS 00 @13:15:04 Jun 22 13:15:04 s_all@linux2 scanlogd: More possible port scans follow Jun 22 09:18:05 s_all@linux2 dhclient: DHCPREQUEST on eth0 to 192.168.15.254 port 67 Jun 22 09:18:05 s_all@linux2 dhclient: DHCPACK from 192.168.15.254 Jun 22 09:18:05 s_all@linux2 dhclient: bound to 192.168.15.201 -- renewal in 278 seconds. |
[!] --connbytes from:[to] if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.less than TO bytes/packets. --connbytes-dir [original|reply|both] which packets to consider --connbytes-mode [packets|bytes|avgpkt] whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example Example: HTTP), the average packet size will be about half of theZLO.ZLO.ZLOl data packets. iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ... conn[!] --connlimit-above n Allows match if the number of existing tcp connections is (not) above ner per client IP address (or address block). --connlimit-mask bits group hosts using mask Examples: # allow 2 telnet connections per client host # you can also match the other way around: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT # limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT conn--mark value[/mask] This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below).
tcp 6 431785 ESTABLISHED src=192.168.15.201 dst=192.168.15.200 sport=43655 dport=514 packets=6 bytes=820 src=192.168.15.200 dst=192.168.15.201 sport=514 dport=43655 packets=6 bytes=312 [ASSURED] mark=0 use=1 tcp 6 43 TIME_WAIT src=192.168.15.201 dst=194.150.93.78 sport=39723 dport=18030 packets=6 bytes=2730 src=194.150.93.78 dst=192.168.15.201 sport=18030 dport=39723 packets=4 bytes=216 [ASSURED] mark=0 use=1 tcp 6 11 TIME_WAIT src=192.168.15.201 dst=194.150.93.78 sport=39722 dport=18030 packets=7 bytes=3793 src=194.150.93.78 dst=192.168.15.201 sport=18030 dport=39722 packets=5 bytes=268 [ASSURED] mark=0 use=1 tcp 6 431999 ESTABLISHED src=192.168.15.200 dst=192.168.15.201 sport=22 dport=59148 packets=865 bytes=205412 src=192.168.15.201 dst=192.168.15.200 sport=59148 dport=22 packets=867 bytes=45612 [ASSURED] mark=0 use=1 tcp 6 431391 ESTABLISHED src=192.168.15.201 dst=192.168.15.200 sport=22 dport=51601 packets=40 bytes=9208 src=192.168.15.200 dst=192.168.15.201 sport=51601 dport=22 packets=52 bytes=3616 [ASSURED] mark=0 use=1 udp 17 103 src=192.168.15.201 dst=192.168.15.254 sport=32880 dport=53 packets=28 bytes=1678 src=192.168.15.254 dst=192.168.15.201 sport=53 dport=32880 packets=27 bytes=4681 [ASSURED] mark=0 use=1
Время первой команды журнала | 19:38:37 2007- 6-21 |
Время последней команды журнала | 16:20:56 2007- 6-22 |
Количество командных строк в журнале | 101 |
Процент команд с ненулевым кодом завершения, % | 11.88 |
Процент синтаксически неверно набранных команд, % | 5.94 |
Суммарное время работы с терминалом *, час | 2.93 |
Количество командных строк в единицу времени, команда/мин | 0.57 |