Ryan's Adventures in Programming

Nautilus Google Docs Uploader

Wednesday, April 16th, 2008

Right click, upload to Google.

I have been slightly interested in python for a while, but just never got around to actually writing anything. Not that I am enough of a programmer to be particularly swayed by one language over another - but the path of least resistance for writing plugins and such for the Linux desktop seems to be python. This was a simple project that taught me some basics, and since there isn’t a nicely developed perl module for the Google API I went on with python.

Let’s say you just made a little spreadsheet in OpenOffice

[screenshot: OpenOffice spreadsheet]

Now you want to share that amazingly complex spreadsheet with your lawyer on Google Docs

[screenshot: upload]

Now it’s up there…

[screenshot: Google Docs]

and you can edit and share with friends

[screenshot: Google Docs editing]

Nautilus, the Gnome file manager, lets you drop scripts of your choosing into ~/.gnome2/nautilus-scripts/. When you run the script on a file through the right-click menu the file name gets passed to the script. I knew this was possible, and have played around with OS X folder actions before, but I have to say that in practice this is a lot easier than AppleScript to me.

Grab the python script yourself, download and install the gdata python API, edit the file to have your own username/password, and right-click your way to uploading fun. Disclaimer: this is just a quick and dirty thing, do not expect it to be good.



Arpwatch

Friday, August 24th, 2007

To wrap up script week, I’d like to talk a little bit about arpwatch. Continuing on the theme of half-baked ideas, this was one that I was rather excited about as an entry level network engineer, but the complete lack of interest kinda took the wind out of my sails.

Here is the gist. From my experiences I’ve never seen the use of NAC, 802.1x, or even simple switch port security. I have to assume that many corporations remain blind to what devices are hard connecting to their local network. Each ethernet device has a universally unique burned-in address. It gladly shoots frames with this address out to the network as it attempts to get a dynamic address, or in response to another machine’s request. Arpwatch just sits there and listens for new devices, and creates a log entry when there is a new one.

To me it just stands to reason that a security conscious company would be interested in what mac addresses have been seen on the network, when they were first seen, what VLANs they’ve been on… especially when it is so simple. If you ask a branch office or campus LAN administrator what new mac addresses have shown up on the network TODAY, they simply cannot tell you.

So I thought it’d be a great idea to just set up a linux box with a trunk port to the corporate switches. This would be able to sniff for every ARP on the network and keep an inventory of hardware addresses. Since syslogs are a little lame, I made a database where this information was stored. You could run reports like “show me all devices that first appeared on the network on either VLAN 50 or VLAN 60 between October 10th and 16th which had 3Com network cards”. I also created scripts to use snmp to grab the dynamic cam table from Cisco switches. The idea here is to be able to tie those hardware addresses back into the cam tables to tell us which port and switch the machine had connected. This seems rather obvious to me, and somewhat simple to implement.

I seem to have trouble not with coding or implementing these things, but with marketing. As certain as I was that this is great information to have, there seemed to be no interest. I’ve not seen any other tool attempting to do the same thing.

Oh well, another ill-fated script. Here is some code. I don’t even know if I have all the pieces to this one. I certainly don’t have the database schema.

This one does the parsing and importing of arpwatch logs.
This one does the grabbing of data from switches.

This is really old, so is not exactly “good” but I still think the idea is worthwhile.
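The log-parsing half of the idea, rebuilt as an added example (not the original script, whose source is no longer linked): arpwatch syslog lines are parsed into a SQLite table keyed on MAC and VLAN, so you can answer "what showed up on VLAN 50 or 60 this week" and also surface the "changed ethernet address" / "flip flop" events that mean an IP suddenly has a new owner. The log lines are constructed in the shape of arpwatch's output; the VLAN is taken from the sub-interface name (eth0.50) on the trunk.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample lines in the shape of arpwatch's syslog output.
# MACs are unpadded the way arpwatch prints them; eth0.50 = VLAN 50 on the trunk.
SAMPLE_LOG = """\
Oct 10 08:01:12 sniffer arpwatch: new station 10.50.0.21 0:1:2:aa:bb:cc eth0.50
Oct 12 09:15:40 sniffer arpwatch: new station 10.60.0.7 0:50:4:11:22:33 eth0.60
Oct 12 09:15:41 sniffer arpwatch: new activity 10.50.0.21 0:1:2:aa:bb:cc eth0.50
Oct 14 17:02:03 sniffer arpwatch: changed ethernet address 10.50.0.1 0:1:2:aa:bb:cc (0:c:29:de:ad:1) eth0.50
Oct 20 11:00:00 sniffer arpwatch: new station 10.50.0.99 0:1:2:de:ad:3 eth0.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ arpwatch: "
    r"(?P<event>new station|new activity|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]+)(?: \((?P<old>[0-9a-f:]+)\))? (?P<iface>\S+)$"
)

def norm_mac(mac):
    # Store the canonical zero-padded form so OUI prefix searches work
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE station (mac TEXT, vlan TEXT, ip TEXT, "
               "first_seen TEXT, PRIMARY KEY (mac, vlan))")
    return db

def ingest(db, text, year):
    """Load log lines; returns (ip, old_mac, new_mac, vlan) for address changes."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an arpwatch station event
        mac, iface = norm_mac(m["mac"]), m["iface"]
        vlan = iface.split(".", 1)[1] if "." in iface else "untagged"
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").isoformat(" ")
        # First sighting wins; later activity for the same MAC/VLAN is ignored
        db.execute("INSERT OR IGNORE INTO station VALUES (?,?,?,?)", (mac, vlan, m["ip"], when))
        if m["event"] in ("changed ethernet address", "flip flop"):
            alerts.append((m["ip"], norm_mac(m["old"]), mac, vlan))
    db.commit()
    return alerts

def first_seen(db, start, end, vlans, oui=None):
    """Stations first seen in [start, end] on the given VLANs, optionally by OUI prefix."""
    q = ("SELECT mac, vlan, ip FROM station WHERE first_seen BETWEEN ? AND ? "
         f"AND vlan IN ({','.join('?' * len(vlans))})")
    rows = db.execute(q, [start, end, *vlans]).fetchall()
    return [r for r in rows if oui is None or r[0].startswith(oui)]
```

The `alerts` list is the part worth feeding to a pager: the sample shows 10.50.0.1 (a gateway-looking address) suddenly answering from the MAC of an ordinary station on the same VLAN.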



DNS Web Interface

Thursday, August 23rd, 2007

A long time ago I had searched around for a tool that would let you update DNS through a web interface. There were a few commercial products that wanted to run their own database - but nothing that just made existing DNS infrastructure easier. Sometimes it just doesn’t make sense to have folks editing files with vim and hoping that there are no mistakes. I know I am often guilty of adding a forward entry without a reverse too. This was my attempt to solve this problem - and to automate some things that were being done manually. I say make the computers do the work.

This package is a collection of perl CGIs that use Net::DNS to dynamically update DNS. Now in theory this could be any name server, but this was only tested with BIND. You will need to enable dynamic updates to these zones for this to work. You could add in security as well. Here is what it provides:

  • Forward and reverse entries created (and removed) with one simple form - type, click, done
  • TACACS+ authentication of users
  • Audit trail of all entries
  • New records show up instantly - no need to rndc reload or any of that jazz
  • Search tool to look through a zone for an existing record
  • Advanced configuration tool that can allow you to add/delete records such as NS, MX, or TXT

There was also an automated piece to this that would automatically discover and create entries. That was not at all generic so I have not included it. It would be trivial to add your own script to pull from an ordering database or scan the network to find new devices - go nuts.
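The "forward and reverse with one form" piece, as an added example in Python rather than the package's own perl: it derives the reverse zone and PTR owner from the address and builds the paired add/delete operations (the same shape a Net::DNS::Update carries as one rr_add or rr_del per zone), and a second helper finds forward records that never got their reverse, which is the mistake the post admits to. The zone names and records are constructed; sending the update to a server is left to whatever DNS client you use.

```python
import ipaddress

def reverse_zone(ip, prefixlen=24):
    # in-addr.arpa zone for a classful /8, /16 or /24 reverse delegation
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    if net.version != 4 or prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 reverse zones handled here")
    kept = str(net.network_address).split(".")[: prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"

def plan_update(action, fqdn, ip, forward_zone, prefixlen=24):
    """Return the paired forward+reverse operations as (zone, op, owner, type, rdata).
    One tuple per zone; refuses names outside the zone so a form cannot inject
    records into some other zone the server also allows updates for."""
    if action not in ("add", "delete"):
        raise ValueError("action must be add or delete")
    fqdn, forward_zone = fqdn.rstrip(".").lower(), forward_zone.rstrip(".").lower()
    if not fqdn.endswith("." + forward_zone):
        raise ValueError(f"{fqdn} is not inside {forward_zone}")
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    op = "rr_add" if action == "add" else "rr_del"
    return [
        (forward_zone, op, fqdn + ".", "A", str(addr)),
        (reverse_zone(ip, prefixlen), op, addr.reverse_pointer + ".", "PTR", fqdn + "."),
    ]

def find_orphans(a_records, ptr_records):
    """A records with no matching PTR, and PTRs with no matching A.
    Inputs: {owner_fqdn: ip} and {ip: target_fqdn}, names lowercased, one A per name."""
    missing_ptr = sorted(n for n, ip in a_records.items() if ptr_records.get(ip) != n)
    missing_a = sorted(ip for ip, n in ptr_records.items() if a_records.get(n) != ip)
    return missing_ptr, missing_a
```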

That’s all for now. Comment if you find this useful.



Some Less Impressive Scripts

Wednesday, August 22nd, 2007

Ok, so most of the scripts I have are of the disposable variety. Someone may still find them useful.

Here is one that loops through the tacacs+ config file for folks whose password is going to expire soon, then sends out an email to them telling them to update their password. This is generic and could be used for your blossoming spam business I suppose.

Ok, so let’s say you’ve got some Riverstone load-balancers and you’re moving over to F5 LTMs… here is a script that may or may not work for you to create a bigip.conf file. Oh, and since Riverstone kinda sucks and it can be difficult to remove load-balance groups without botching the config, here is a command line tool to give you a copy-and-paste template that should work. Oh, and let’s say you want to build a graphviz drawing of your multiple sites of Riverstone load-balancers, you could use my little program to create a .dot file to visualize it.

Here is a really lame command line tool that asks you some information about how much your net worth is, what you think your savings rate, growth rate, and inflation rate will be… then it asks you how much money you’d like to retire and it tells you when you can retire. It’s kinda silly, you could do the same thing in a few minutes with MS Excel.

So let’s say you are like I used to be and you have your own personal LDAP directory for storing your contacts in - you know, because people do that. And then let’s say that you have a server that runs spamassassin to block spam and you want to make sure to automatically whitelist anybody who is in your LDAP directory. Here is a script that can do that. Again, this is just disposable perl.

Logging into Cisco routers with telnet and changing a few things can be easy. Here you go.

Ok, that’s all for now. More tomorrow.



Firewall Configs for your Manager - pix2xls

Tuesday, August 21st, 2007

If you’ve got Cisco Pix 7 firewalls and you’d like to have an easy to read spreadsheet to give an auditor, show your manager, or bring to firewall review meetings then this is a good tool for you (download here). Alternatively, if you are a firewall administrator and have a tough time figuring out if you need to add a new object-group or if you have one you can reuse, this can be a useful program. Pix has names, service groups, network objects, port ranges, network ranges… sometimes it’s just kooky trying to figure that all out on the command line. Here are the bullet points -

  • goes through a repository of configs and puts all the firewall rules into a nice spreadsheet with a tab for each firewall
  • for each rule, it actually shows you the hostnames and IPs of each group member
  • for service groups, it looks in /etc/services for the name of the service rather than just listing the port
  • descriptions of each group are put into those little cell note things, so you can just hover over to see more details
  • disabled rules show as grayed out
  • it actually works (unlike other cpan modules I tried to use to parse pix)

This program I actually like because it does a whole lot in a fairly easy to understand way. There is potential here beyond writing a spreadsheet. All of the rules are broken out into a decent data structure, so it would be simple to use this as a starting point for writing a script to convert your ruleset to Netscreen or something. To use the spreadsheet features this will require the Spreadsheet::WriteExcel module, but if you just want to parse pix it’s plain old perl.

As a quick offshoot of this script I made this script that uses List::Compare to look at the differences between firewalls in two sites. It also shows lists of unused names and unused object groups for cleanup purposes.

A feature that I started implementing was the ability to do rule shading detection. Let’s say rule one is deny any any and rule two is permit any any - clearly rule one makes any subsequent rule useless and misleading. You Check Point people or fwbuilder folks have had this for a long time - but as far as I know in the Check Point and Netscreen world it seems like there is no such function. Alas I never finished that part.
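The unfinished shadowing check, as an added example that is not part of pix2xls: it works on rules whose object-groups and names have already been expanded to networks and port ranges (the data structure the post says the parser builds), and reports each rule that an earlier enabled rule fully covers. A covered rule with the opposite action is "shadowed" (it looks like it does something but never matches); with the same action it is merely "redundant". It goes one step beyond the deny-any/permit-any case by checking protocol, both address sides and the port range; a rule hidden only by the union of several earlier rules is deliberately not flagged.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (matches everything), "tcp", "udp", "icmp"
    src: str                    # CIDR network or "any"
    dst: str
    ports: tuple = (0, 65535)   # inclusive destination port range
    enabled: bool = True        # inactive rules never shadow and are not reported

ANY = ipaddress.ip_network("0.0.0.0/0")

def net(s):
    return ANY if s == "any" else ipaddress.ip_network(s, strict=False)

def covers(a, b):
    """True when every packet rule b could match is already matched by rule a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    src_ok = net(b.src).subnet_of(net(a.src))
    dst_ok = net(b.dst).subnet_of(net(a.dst))
    ports_ok = a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
    return proto_ok and src_ok and dst_ok and ports_ok

def shadowed(rules):
    """Return (rule_index, covering_index, kind) for rules that can never be hit.
    Only the first covering rule is reported; rules hidden by a union of several
    earlier rules are not detected (that needs range splitting)."""
    hits = []
    active = [(i, r) for i, r in enumerate(rules) if r.enabled]
    for pos, (i, r) in enumerate(active):
        for j, earlier in active[:pos]:
            if covers(earlier, r):
                kind = "redundant" if earlier.action == r.action else "shadowed"
                hits.append((i, j, kind))
                break
    return hits
```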

If you use this please drop a comment and let me know.



Tacacs+ Web Interface

Monday, August 20th, 2007

In the past few years since I began writing perl I have collected a little arsenal of half-baked programs that have never really been exposed to the world, probably because I was too lazy to clean them up. I decided that I would use this week to expose some of the programs that I have written over the years. For the most part I worked on these until they worked rather than until they were done correctly, but they may serve as a starting point for someone else looking to do the same thing.

The first program on the list (download here) is a little web interface to the open source tacacs+ AAA server from shrubbery.net. The Cisco SecureACS server can be fine, but if you need regular expression support in ACLs or a way of automating entries it may not be the tool for you. That said, editing a flat config file can be problematic for some folks. This was my quick solution.

This is just a series of CGI scripts that allows the user to admin the tacacs+ server without learning vi. It includes the ability to add users, delete users, administrative password resets, show configuration, and test authentication. When a user’s password is near expiration they can log in and change it. Passwords are checked against the aspell dictionary to make sure that they’re not a simple word (yeah, there is room for much more improvement here).

There are also a couple little bonus scripts, one useful and one for fun. The tac2rad.pl script is for tying the shrubbery tacacs+ user database in with a freeradius server with the MySQL back-end. It copies the users and passwords over to MySQL from tacacs+. The second, crack.pl, was just for my own learning experience. It scours the config file for des encrypted passwords and cracks them if they’re simple dictionary words… which I somehow thought would be difficult… it is not.

I don’t maintain these or fix them, but if they’re useful to you drop me a comment and let me know.



Handbrake for Linux

Wednesday, June 28th, 2006

Well, I managed a while back to compile Handbrake for Ubuntu (Dapper Drake). It was a pain and I’m not sure many other people have it, so here is a binary if you’re interested.

I’ve also been working on a GTK front-end using the uber-easy zenity. It’s not very good yet, but it’s a start.