Cover V08, I05
Article
New Messages

Please send letters via email to saletter@mfi.com.
From: Phil Macias (pmacias@kenan.com)

I downloaded the syslog monitoring script from your site and gave it a go. It was nice, but I wanted to colorize key words and not the entire line. I hacked the script to do this, but found that it was highly processor-intensive.

I wrote a new script, enclosed below, that not only is faster but allows colorization of Perl regular expressions.

I run it on a Linux box. I have symlinks of all my logs in /root/LOGS/.

#!/usr/local/bin/perl

## by phil macias
## 10/7/98
##
## Colorize the matched text (not the whole line) for each pattern below in
## the combined output of tail -f over every log under /root/LOGS/.  Keys are
## Perl regular expressions, matched case-insensitively; values are ANSI SGR
## sequences without the leading ESC, which is added (with a trailing ESC[0m
## reset) around the matched text.

use strict;
use warnings;

my %hash = (
         ## system
         "su "                 => "[41;31;1m",
         "kernel"              => "[41;31;1m",

         ## DNS
         "named"               => "[44;36;1m",
         "Err/TO"              => "[44;36;1m",

         ## sendmail
         "sendmail"            => "[40;36;1m",
         "stat=Deferred"       => "[40;36;1m",
         "dead.letter"         => "[40;36;1m",
         "return to sender"    => "[40;36;1m",

         ## web
         "GET"                 => "[40;32;1m",

         ## ip addresses
         '\d+\.\d+\.\d+\.\d+'  => "[40;33;1m",
         );

## Follow every log at once; -v prefixes each change of file with "==> name <==".
open(LOGGER, "tail -v -n1 -f /root/LOGS/* |")
    or die "cannot run tail: $!";

while (<LOGGER>)
  {
   foreach my $h (keys %hash)
     {
      ## The match is case-insensitive, so the substitution must be too
      ## (otherwise a line that matched /$h/i can fail to be colorized).
      if (/$h/i)
        {
         s/($h)/\033$hash{$h}$1\033[0m/i;
        }
     }
   print;
  }

Thank you.

From: Timothy Best (tbest@us.ibm.com)

On page 55 of the March 1999 issue, there are two errors. The article defines the $\ as the input record separator. It is in fact the output record separator in Perl. This is reflected a few lines down by the:

$/="";

Also, I believe there is an error a few lines below where the syntax is listed as:

$="/n/n";

This is an illegal operation in Perl as the $= is a special variable. I believe the author intended to once again refer to the input record separator, thus making the line:

$/="\n\n";

Just trying to help.

From: Keith R. Jarvis (kjarvis@iss.net)

On January 4th, 1999 on the public BUGTRAQ mailing list, the following message was posted at:

http://www.netspace.org/cgi-bin/wa?A2=ind9901a&L=bugtraq&F=&S=&P=4998

Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>

From: "Jan B. Koum" <jkb@BEST.COM>

Subject: January Sys Admin EY script DoS bug.

Let's make it short. Sys Admin (www.samag.com - btw, their DNS is broken. Isn't it ironic that they can't get their own systems running, yet they teach others how) magazine published a script in the Jan. 1999 issue which, after you run it as root, tells you stuff about your system. Here are some parts of this script:

    set HOSTNAME=`hostname`
    set basedir=/tmp/eyscan
    set OUTPUT=${basedir}/ey-${HOSTNAME}.out
After that, output like ls -l /etc/passwd is sent to $OUTFILE.

So, you know that your admin runs lame scripts as root and what do you do?

    % mkdir /tmp/eyscan
    % ln -s /etc/passwd /tmp/eyscan/ey-`hostname`.out
After an admin runs the script, he is toasted. A point to this story:

    o  set basedir=/root or /var/run ..
Yan
I am wondering if Sys Admin magazine will be making an official statement in regard to this post or providing a fix for the mentioned script. I do not wish to misrepresent your organization in any of our products or information. Thank you in advance.

Keith, thank you for bringing this to our attention. The author says for extra security, change the variable:

set basedir=/tmp/eyscan

to:

set basedir=/root
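The problem in the BUGTRAQ post is a predictable file name in a world-writable directory: any local user can plant a symlink there before root runs the script, and root's redirection then follows the link. Moving basedir out of /tmp removes the shared directory; the script below is an added example (not the magazine's eyscan script) of the two remaining guards a report writer should have, a fresh private directory from mktemp -d and a refusal to write over anything that already exists at the path, using the shell's noclobber mode so a link dropped between the check and the open still fails. The function names, the eyscan.XXXXXX template and the report contents are assumptions; the self-check plants a link to a scratch "victim" file standing in for /etc/passwd.

```shell
#!/bin/sh
# Added example, not the eyscan script from the magazine. Shows how the report
# file should be created so that a pre-planted symlink at a predictable path
# cannot redirect root's output. Names and the report body are assumptions.

# Create a fresh, unpredictable, mode-0700 directory instead of a fixed
# /tmp/eyscan; nobody else can have pre-created a link inside it.
make_private_dir() {
    mktemp -d "${TMPDIR:-/tmp}/eyscan.XXXXXX"
}

# Write the report to $1/ey-<host>.out. Refuses if anything (file, directory
# or symlink) is already there, then opens with noclobber (set -C), which the
# shell implements with O_CREAT|O_EXCL semantics when the path does not exist,
# so a link that appears after the check makes the redirection fail instead of
# truncating the link target. Prints the report path on success, returns 1 on
# refusal. The body stands in for the original's "ls -l /etc/passwd" output.
write_report() {
    outdir=$1
    outfile="$outdir/ey-$(uname -n).out"

    if [ -e "$outfile" ] || [ -L "$outfile" ]; then
        echo "refusing to write: $outfile already exists" >&2
        return 1
    fi

    (
        set -C
        { uname -a; date; } > "$outfile"
    ) || return 1

    echo "$outfile"
}

# Self-check: a planted link must be refused (both by the explicit check and
# by noclobber on its own) and its target left untouched, while a private
# directory must accept the report. Returns 0 if all of that holds.
self_check() {
    scratch=$(mktemp -d) || return 1
    name="ey-$(uname -n).out"
    : > "$scratch/victim"                          # constructed stand-in target
    ln -s "$scratch/victim" "$scratch/$name"        # the link from the post
    bad=0

    if write_report "$scratch" 2>/dev/null; then bad=1; fi
    if ( set -C; echo clobber > "$scratch/$name" ) 2>/dev/null; then bad=1; fi
    if [ -s "$scratch/victim" ]; then bad=1; fi

    dir=$(make_private_dir) || bad=1
    report=$(write_report "$dir") || bad=1
    if [ ! -s "$report" ]; then bad=1; fi

    rm -rf "$scratch"
    if [ -n "$dir" ]; then rm -rf "$dir"; fi
    return $bad
}

if [ "${1:-}" = "check" ]; then
    self_check && echo "symlink guard holds"
fi
```

Run it as `sh script.sh check`. The explicit existence test is what reports the problem to the operator; noclobber is the layer that closes the window between that test and the open, which is why the self-check exercises it separately.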

From: The Book Home (thebook@hammer.thebook.com)

I am currently reading your Anti-Spam articles and wanted to share our method of creating and using the access database.

Unless you have installed the Berkeley DB package, makemap hash does not work correctly. One obvious solution is to install the Berkeley package. The other is to configure the sendmail.cf for the dbm database format.

When building the sendmail.cf file, you add the following line to use the access database:

FEATURE(access_db)

This would use the hash format, alternately, you can use:

FEATURE(access_db, dbm -o /etc/mail/access)

to specify a dbm file.

We keep our spammers list in /etc/mail/spammer.txt, so then you can just create the /etc/mail/access database file using makemap:

makemap dbm /etc/mail/access < /etc/mail/spammer.txt

This is an alternative method for those without Berkeley DB who would rather not go through installing another package.

Thanks for the input. Good alternative.
REB
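The letter gives the makemap command but not the shape of spammer.txt, which is where most access-map mistakes happen: each entry is a key, a TAB, and an action (OK, RELAY, REJECT, DISCARD, or a custom 5xx reply), and a space instead of the tab silently produces a useless map. The script below is an added example, not the letter writer's setup: it lints the list before building the map, and calls makemap dbm exactly as the letter does only when makemap is installed. The sample entries (using example and documentation addresses), file names and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the letter: lint a sendmail access list before
# handing it to makemap, then build the dbm map. Sample data is constructed.

# Validate one line of the access file. Blank lines and comments pass.
# Otherwise the line must be <key><TAB><action>, where the action is one of
# OK, RELAY, REJECT, DISCARD, or a 5xx SMTP reply such as "550 No spam".
check_access_line() {
    line=$1
    case $line in
        ''|'#'*) return 0 ;;
    esac
    tab=$(printf '\t')
    case $line in
        *"$tab"*) ;;
        *) return 1 ;;                         # space-separated: makemap would misparse
    esac
    key=${line%%"$tab"*}
    action=${line#*"$tab"}
    action=${action#"${action%%[! ]*}"}        # drop blanks after the tab
    [ -n "$key" ] || return 1
    case $action in
        OK|RELAY|REJECT|DISCARD) return 0 ;;
        5[0-9][0-9]' '?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate a whole file; reports each bad line with its number on stderr
# and returns 1 if any line failed.
check_access_file() {
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        check_access_line "$line" || { echo "$1:$n: bad entry: $line" >&2; rc=1; }
    done < "$1"
    return $rc
}

# Build the dbm map (producing access.dir and access.pag) as in the letter,
# but only after the list passes the check and only if makemap is present.
build_access_map() {
    src=$1
    dst=$2
    check_access_file "$src" || return 1
    if ! command -v makemap >/dev/null 2>&1; then
        echo "makemap not installed on this host; skipping build" >&2
        return 0
    fi
    makemap dbm "$dst" < "$src"
}

# Constructed sample list in the tab-separated format makemap expects.
write_sample_list() {
    printf '%s\t%s\n' \
        'spam.example'       'REJECT' \
        'bulk.example'       '550 We do not accept mail from this domain' \
        'junk@mail.example'  'DISCARD' \
        'partner.example'    'OK' \
        '192.0.2'            'RELAY' > "$1"
}

if [ "${1:-}" = "demo" ]; then
    list=$(mktemp)
    write_sample_list "$list"
    build_access_map "$list" "${2:-/etc/mail/access}" && echo "list is well-formed"
    rm -f "$list"
fi
```

Run as `sh script.sh demo /tmp/access` to build a map somewhere harmless first; point the second argument at /etc/mail/access once the list is known to be clean.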