In my Mac OS, With fluentd I'm trying to read tcp events and write it to local directory.
Below is the td-agent.conf that I have created to open TCP port and writing to local.
<!-- td-agent.conf-->
<source>
#type tcp
#log_level "trace"
tag "tcp.events"
port 2201
bind "0.0.0.0"
delimiter "\\n"
<parse>
#type "regexp"
expression "/^(?<field1>\\d+):(?<field2>\\w+)$/"
</parse>
</source>
<match tcp.events>
#type file
path "/Users/logs/outputlog"
<buffer time>
path "/Users/logs/outputlog"
</buffer>
</match>
To test, I was sending the tcp packages to the port (2201) using tools like telnet and netcat. But the terminal don't return after connecting to the ports. It stays there with out any response.
Checked the verbose of telnet / netcat. No luck.
I expect TCP to connect and get the data logged in fluentd logs. But connection is getting established to the port but data is not written into log or the control of tcp connection is not returned back to terminal.
Add the following to your conf file.
<source>
#type forward
port 24224
bind 0.0.0.0
</source>
https://docs.fluentd.org/input/forward
Related
Background
I have a strange use-case where my VPN cannot be on any of the private subnets, but, also cannot use a TAP interface. The machine will be moving through different subnets, and requires access to the entire private address space by design. A single blocked IP would be considered a failure of design.
So, these are all off limits:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
In searching for a solution, I came across RFC 5735, which defines:
192.0.2.0/24 TEST-NET-1
198.51.100.0/24 TEST-NET-2
203.0.113.0/24 TEST-NET-3
As:
For use in documentation and example code. It is often used in conjunction with domain names
example.com or example.net in vendor and protocol documentation. As described in [RFC5737], addresses within this block do not legitimately appear on the public Internet and can be used without any coordination with IANA or an Internet registry.
Which, was a "Jackpot" moment for me and my use case.
Config
I configured an OpenVPN server as such:
local 0.0.0.0
port 443
proto tcp
dev tun
topology subnet
server 203.0.113.0 255.255.255.0 # TEST-NET-3 RFC 5735
push "route 203.0.113.0 255.255.255.0"
...[Snip]...
With Client:
client
nobind
dev tun
proto tcp
...[Snip]...
And ufw rules:
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 203.0.113.0/24 -o ens160 -j MASQUERADE
COMMIT
However, upon running I get /sbin/ip route add 203.0.113.0/24 via 203.0.113.1 RTNETLINK answers: File exists in the error logs. While the VPN completes the rest of its connection successfully.
No connection
Running the following commands:
Server: sudo python3 -m http.server 80
Client: curl -X GET / 203.0.113.1
Results in:
curl: (28) Failed to connect to 203.0.113.1 port 80: Connection timed out
I have tried:
/sbin/ip route replace 203.0.113.0/24 dev tun 0 on client and server.
/sbin/ip route change 203.0.113.0/24 dev tun 0 on client and server.
Adding route 203.0.113.0 255.255.255.0 to the server.
Adding push "route 203.0.113.0 255.255.255.0 127.0.0.1" to server
And none of it seems to work.
Does anyone have any idea how I can force the client to push this traffic over the VPN to my server, instead of to the public IP?
This does actually work!
Just dont forget to allow connections within your firewall. I fixed my config with:
sudo ufw allow in on tun0
However, 198.18.0.0/15 and 100.64.0.0/10 defined as Benchmarking and Shared address space respectively, may be more appropriate choices, since being able to forward TEST-NET addresses may be considered a bug.
Currently, I am trying to create a TCP Reset Attack on 3 docker containers: Attacker, Host01, Host02. My goal is trying to attack the TCP connection between Host01 and Host02 and the end result would be the TCP connection breaks when executing the TCP reset attack.
Here is my code:
My procedure of testing is that: First, I run the code below in Attacker container. Then, on the Host02, I execute "nc -lvp 1337 -e /bin/bash" and on Host01, I execute "nc 192.168.124.20 1337". The source IP is 192.168.124.10 and the destination is 192.168.124.20. Source port is 40967 and the destination port is 1337.
I didn't know why when the script ran, the TCP connection between Host01 and Host02 did not break since I could still enter some commands from Host01.
I used Wireshark to check if that RST packet was sent and actually it was sent(the red line):
Please help me on this, Huy Nguyen.
I am going to do a time sync for my server.
Tried portqry to the time server with below results:
C:\PortQryV2>portqry -n "time server" -e 123 -p both
Querying target system called:
"time server"
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 123 (unknown service): NOT LISTENING
UDP port 123 (ntp service): LISTENING or FILTERED
UDP port 123 (ntp service): LISTENING or FILTERED
I am not sure if the port is available for time sync or not.
But our team has confirmed that no firewall should be blocking that.
It is not showing "LISTENING" because it is a UDP port?
LISTENING or FILTERED simply means Portqry does not get a response from the port specified.
The problem should be at
Failed to resolve IP address to name
resolve the hostname and try again.
I tried on a PC which is not going to do the time syn.
It can resolve the hostname but got the same result for UDP query:
C:\PortQryV2>portqry -n "IP Address" -e 123 -p both
Querying target system called:
"IP Address"
Attempting to resolve IP address to a name...
IP address resolved to xxx.corp.com
querying...
TCP port 123 (unknown service): NOT LISTENING
UDP port 123 (ntp service): LISTENING or FILTERED
Is there a way to bind Kibana to more than one IP address using kibana's config file: kibana.yml?
Right now, if I modify the line
server.host: "127.0.0.1"
to
server.host: ["127.0.0.1","123.45.67.89"]
which is valid YML, I get an error.
Is there any way to accomplish this from within Kibana or do I need to do it through a proxy/nginx?
Try 0.0.0.0 if you want kibana to be available on real ip and localhost at the same time.
Install ngrok from https://ngrok.com/, then from your command line type:
ngrok http 5601
Ngrok will create a tunnel to the server and provide you with a url from which you can access your kibana UI.
If you need to acceess the ngrok and the 4040 port is closed on the server then do the same
ngrok http 4040
I am using Oracle VirtualBox on Windows. I've setup NAT and forwarded ports.
When some forwarded ports are accidentally conflicting with host machine's ones, no errors are shown and all forwarded ports are failing.
Is there any possibility to detect those conflicting ports? I have used VBoxManage tool and there are neither output messages, nor verbose mode for startvm command.
Thanks
I would recommend using a combination of netstat and VBoxManage and parse the output. You can easily replace the findstr command with grep on non-Windows hosts.
First, I would get a listing of NAT ports on the VM in question. The VBoxManage showvminfo command will output a bunch of info about the configuration which you can filter to look for just the NAT rules. You will want to look for the host port and protocol fields in the output (and possibly host ip if configured) as that is what you will be looking to see if it is already in use.
C:\>vboxmanage showvminfo Linux | findstr Rule
NIC 1 Rule(0): protocol=tcp, host ip=, host port=2222, guest ip=, guest port=22
Second, using the info from above I know I need to check if anything is listening on port TCP port 2222, so I can use the netstat command to show me all the listening sockets, filtered by my criteria:
C:\>netstat -an | findstr LISTENING | findstr TCP | findstr 2222
Proto Local Address Foreign Address State
TCP 0.0.0.0:2222 0.0.0.0:0 LISTENING
Because my guest is already running I can see that it has already grabbed a connection on TCP 2222. If you don't get any output then nothing is listening on that specific port and you are safe to start your VM.