Archive for the ‘Open Source’ Category
Thursday, August 23rd, 2007
A long time ago I had searched around for a tool that would let you update DNS through a web interface. There were a few commercial products that wanted to run their own database – but nothing that just made existing DNS infrastructure easier. Sometimes it just doesn’t make sense to have folks editing files with vim and hoping that there are no mistakes. I know I am often guilty of adding a forward entry without a reverse too. This was my attempt to solve this problem – and to automate some things that were being done manually. I say make the computers do the work.
This package is a collection of Perl CGIs that use Net::DNS to dynamically update DNS. In theory this could be any name server, but it was only tested with BIND. You will need to enable dynamic updates on these zones for this to work. You could add in security as well. Here is what it provides:
- Forward and reverse entries created (and removed) with one simple form – type, click, done
- TACACS+ authentication of users
- Audit trail of all entries
- New records show up instantly – no need to rndc reload or any of that jazz
- Search tool to look through a zone for an existing record
- Advanced configuration tool that can allow you to add/delete records such as NS, MX, or TXT
There was also an automated piece to this that would automatically discover and create entries. That was not at all generic so I have not included it. It would be trivial to add your own script to pull from an ordering database or scan the network to find new devices – go nuts.
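As an added example (not code from the package described above), here is the forward-plus-reverse update the form performs, done with Net::DNS::Update, signed with TSIG as one way to add the security mentioned, and guarded by an nxrrset prerequisite so an existing A record is never silently clobbered. The server address, zones, key name and key material are assumed placeholders.

```perl
#!/usr/bin/perl
# Added example, not the package's own code: forward A plus reverse PTR via
# Net::DNS dynamic update, TSIG-signed, with an nxrrset prerequisite so an
# existing A record is never clobbered. Server, zones, key name and key
# material below are assumed placeholders.
use strict;
use warnings;
use Net::DNS;

my $server  = '192.0.2.53';      # assumed: BIND server authoritative for both zones
my $keyname = 'webdns-key';      # assumed TSIG key name (allow-update { key ...; } in BIND)
my $keydata = 'PLACEHOLDER_BASE64_TSIG_SECRET';  # assumed; load from a protected file in practice
# Build the in-addr.arpa owner name for a dotted-quad IPv4 address.
sub ptr_name {
    my ($ip) = @_;
    my @o = $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
        or die "bad IPv4 address: $ip\n";
    return join('.', reverse @o) . '.in-addr.arpa';
}
# Send one signed update packet for $zone; returns the server's rcode string.
sub send_update {
    my ($zone, @ops) = @_;
    my $update = Net::DNS::Update->new($zone);
    $update->push(@ops);
    $update->sign_tsig($keyname, $keydata);
    my $res   = Net::DNS::Resolver->new(nameservers => [$server]);
    my $reply = $res->send($update)
        or die "no reply from $server: " . $res->errorstring . "\n";
    return $reply->header->rcode;
}
# Add A and PTR for one host and write an audit line; returns both rcodes.
# The PTR is only sent if the forward update succeeded, so the two stay in step.
sub add_host {
    my ($fqdn, $zone, $ip, $ttl) = @_;
    $ttl ||= 3600;
    my $ptr = ptr_name($ip);
    (my $revzone = $ptr) =~ s/^\d+\.//;   # assumes a /24 reverse zone
    my $fwd = send_update($zone,
        prerequisite => nxrrset("$fqdn. A"),
        update       => rr_add("$fqdn. $ttl A $ip"));
    my $rev = $fwd eq 'NOERROR'
        ? send_update($revzone, update => rr_add("$ptr. $ttl PTR $fqdn."))
        : 'SKIPPED';
    my $who = $ENV{REMOTE_USER} || 'unknown';   # user as set by the CGI auth layer
    print STDERR scalar(localtime), " $who add $fqdn $ip fwd=$fwd rev=$rev\n";
    return ($fwd, $rev);
}

my ($fwd, $rev) = add_host('host1.example.com', 'example.com', '192.0.2.10');
exit(($fwd eq 'NOERROR' && $rev eq 'NOERROR') ? 0 : 1);
```

A YXRRSET rcode on the forward update means the name already had an A record and nothing was changed, which is the failure you want to see rather than a quietly overwritten host.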
That’s all for now. Comment if you find this useful.
Posted in Open Source, Programs | Comments Off
Wednesday, August 22nd, 2007
Ok, so most of the scripts I have are of the disposable variety. Someone may still find them useful.
Here is one that loops through the TACACS+ config file looking for folks whose password is going to expire soon, then sends out an email telling them to update their password. This is generic and could be used for your blossoming spam business I suppose.
Ok, so let's say you've got some Riverstone load-balancers and you're moving over to F5 LTMs… here is a script that may or may not work for you to create a bigip.conf file. Oh, and since Riverstone kinda sucks and it can be difficult to remove load-balance groups without botching the config, here is a command line tool to give you a copy-and-paste template that should work. Oh, and let's say you want to build a graphviz drawing of your multiple sites of Riverstone load-balancers, you could use my little program to create a .dot file to visualize it.
Here is a really lame command line tool that asks you some information about what your net worth is and what you think your savings rate, growth rate, and inflation rate will be… then it asks you how much money you'd like to retire with and it tells you when you can retire. It's kinda silly; you could do the same thing in a few minutes with MS Excel.
So let's say you are like I used to be and you have your own personal LDAP directory for storing your contacts in – you know, because people do that. And then let's say that you have a server that runs spamassassin to block spam and you want to automatically whitelist anybody who is in your LDAP directory. Here is a script that can do that. Again, this is just disposable Perl.
Logging into Cisco routers with telnet and changing a few things can be easy. Here you go.
Ok, that’s all for now. More tomorrow.
Tuesday, August 21st, 2007
If you have got Cisco Pix 7 firewalls and you'd like to have an easy-to-read spreadsheet to give an auditor, show your manager, or bring to firewall review meetings, then this is a good tool for you. Alternatively, if you are a firewall administrator and have a tough time figuring out whether you need to add a new object-group or whether you already have one you can reuse, this can be a useful program. Pix has names, service groups, network objects, port ranges, network ranges… sometimes it's just kooky trying to figure all that out on the command line. Here are the bullet points:
- goes through a repository of configs and puts all the firewall rules into a nice spreadsheet with a tab for each firewall
- for each rule, it actually shows you the hostnames and IPs of each group member
- for service groups, it looks in /etc/services for the name of the service rather than just listing the port
- descriptions of each group are put into those little cell note things, so you can just hover over to see more details
- disabled rules show as grayed out
- it actually works (unlike other CPAN modules I tried to use to parse Pix)
This program I actually like because it does a whole lot in a fairly easy to understand way. There is potential here beyond writing a spreadsheet. All of the rules are broken out into a decent data structure, so it would be simple to use this as a starting point for writing a script to convert your ruleset to Netscreen or something. The spreadsheet features require the Spreadsheet::WriteExcel module, but if you just want to parse Pix it's plain old Perl.
As a quick offshoot of this script I made another script that uses List::Compare to look at the differences between the firewalls in two sites. It also shows lists of unused names and unused object groups for cleanup purposes.
A feature that I started implementing was the ability to do rule shading detection. Let's say rule one is deny any any and rule two is permit any any – clearly rule one makes any subsequent rule useless and misleading. You Check Point people or fwbuilder folks have had this for a long time – but as far as I know in the Check Point and Netscreen world it seems like there is no such function. Alas, I never finished that part.
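As an added example (not part of the spreadsheet tool), here is the first-match shading check described above run over a few constructed Pix-style access-list lines: a later rule is dead if some earlier rule already covers its protocol, source, destination and port, whatever the action. Only the any / host forms and eq PORT are modelled; mask containment is left out.

```perl
#!/usr/bin/perl
# Added example, not the spreadsheet tool's code: rule shading detection over
# constructed PIX-style access-list lines. Only "any" / "host a.b.c.d" and
# "eq PORT" are modelled; subnet/mask containment is left out for brevity.
use strict;
use warnings;

# Constructed sample ACL: rule 3 is shaded by rule 1 (its traffic is already
# permitted); rule 5 is shaded by rule 4 (deny ip any any hides everything after it).
my @acl = (
  'access-list outside_in permit tcp any host 192.0.2.10 eq 443',
  'access-list outside_in permit tcp any host 192.0.2.11 eq 25',
  'access-list outside_in permit tcp host 198.51.100.7 host 192.0.2.10 eq 443',
  'access-list outside_in deny ip any any',
  'access-list outside_in permit tcp any host 192.0.2.12 eq 80',
);

# Parse one line into the five fields that decide whether a packet matches.
sub parse_rule {
  my ($line) = @_;
  my ($name, $action, $proto, $src, $dst, $port) = $line =~
    /^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(any|host \S+)\s+(any|host \S+)(?:\s+eq\s+(\S+))?\s*$/
    or die "unparsed rule: $line\n";
  return { name => $name, action => $action, proto => $proto,
           src => $src, dst => $dst, port => defined $port ? $port : 'any' };
}

# Does every field of the earlier rule cover the later rule? "ip" covers any
# protocol and "any" covers any address or port; otherwise fields must match.
sub covers {
  my ($early, $late) = @_;
  return 0 unless $early->{proto} eq 'ip' || $early->{proto} eq $late->{proto};
  for my $f (qw(src dst port)) {
    return 0 unless $early->{$f} eq 'any' || $early->{$f} eq $late->{$f};
  }
  return 1;
}

# Return [later_index, earlier_index] pairs (1-based) for every shaded rule,
# reporting the first earlier rule that makes it unreachable.
sub find_shaded {
  my @rules = map { parse_rule($_) } @_;
  my @shaded;
  for my $j (1 .. $#rules) {
    for my $i (0 .. $j - 1) {
      if (covers($rules[$i], $rules[$j])) { push @shaded, [$j + 1, $i + 1]; last; }
    }
  }
  return @shaded;
}

printf "rule %d is never reached: shaded by rule %d\n", @$_ for find_shaded(@acl);
```

On the sample above this reports rule 3 shaded by rule 1 and rule 5 shaded by rule 4; the same covers() test, with address containment added, is what a full implementation would run across each tab of the spreadsheet.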
If you use this please drop a comment and let me know.