24th January 2010
J65nko
Administrator
1.5 The 'patchcreate' script

Code:
     1  #!/bin/sh
     2  # $Id: Patchcreate.xml,v 1.6 2010/01/24 14:11:53 j65nko Exp $
     3  
     4  EDIT=/usr/bin/vi
     5  PATCHSCRIPT=_patcher
     6  
     7  mkdir -p ORIG 
     8  mkdir -p NEW
     9  
    10  # -- file name specified?
    11  if [ $# -ne 1 ] ; then
    12     echo $0 ERROR: No file name specified!
    13     exit 1
    14  fi 
    15  
    16  # -- specified file exists?
    17  if [ -f $1 -o -f ORIG/$1 ] ; then 
    18      echo Ok, found file $1
    19  else
    20      echo $0 ERROR file "$1" does not exist!
    21      exit 1
    22  fi    
    23  
    24  if [ -f ORIG/$1 ]; then
    25      echo Good, found original $1 in directory ORIG
    26  else
    27       echo Saving copy of $1 in directory ORIG 
    28       cp -p $1 ORIG/$1
    29  fi
    30  
    31  ls -l ORIG/$1
    32  
    33  if [ -f NEW/$1 ]; then
    34      echo Good, found  $1 in directory NEW
    35      ls -l NEW/$1
    36  else
    37      echo Copy original $1 to directory NEW for editing 
    38      cp -p ORIG/$1 NEW/$1
    39      ls -l NEW/$1
    40  fi
    41  
    42  # exit
    43  
    44  printf "\nPress Enter to edit $1" ; read X
    45  
    46  $EDIT NEW/$1
    47  
    48  # ------- create patch script with the patch in-line
    49  
    50  cat <<END > ${PATCHSCRIPT}
    51  # ----------------------------------------------------------
    52  echo
    53  echo --- patch script for: $1 --- BEGIN
    54  
    55  # ---  edit the following line if needed
    56  FILE=./$1
    57  
    58  patch -b -p0 \${FILE} <<END_OF_PATCH
    59  $(diff -u ORIG/${1} NEW/${1})
    60  $(echo 'END_OF_PATCH')
    61  
    62  echo  --- patch script for: $1 --- END
    63  END
    64  
    65  echo "Copying original ORIG/$1 back to current dir to test <${PATCHSCRIPT}>" 
    66  cp -p ORIG/$1 .
    67  ls -l $1 ${PATCHSCRIPT}
Keep the unmodified file in 'ORIG', and the file to be changed, or already modified, in 'NEW'. At the end (lines 65-67), copy the original to the current directory for testing.

The actual work, creating a here document to be used by 'patch', is done in lines 58-60. The complete script generation starts on line 50 and ends on line 63, and is done with another here document.

As dessert, the next section shows the effect of this 'sshd_config' patch.


1.6 Comparison of 'sshd' before and after patching

Before the patch:

Code:
$ netstat -a -f inet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0     48  vintrax.ssh            hercules.47094         ESTABLISHED
tcp          0      0  localhost.submissi     *.*                    LISTEN
tcp          0      0  localhost.smtp         *.*                    LISTEN
tcp          0      0  *.ssh                  *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  vintrax.4599           virtueledoos.nl.ntp   
udp          0      0  vintrax.13835          ntp2.hro.nl.ntp       
udp          0      0  vintrax.43599          ntp.mediamatic.n.ntp  
udp          0      0  *.syslog               *.*                   

$ netstat -a -f inet6
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6         0      0  localhost.submissi     *.*                    LISTEN
tcp6         0      0  localhost.smtp         *.*                    LISTEN
tcp6         0      0  *.ssh                  *.*                    LISTEN

After the patch and stopping and restarting 'sshd':

Code:
$ netstat -af inet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0     48  vintrax.ssh            hercules.33562         ESTABLISHED
tcp          0      0  vintrax.ssh            *.*                    LISTEN
tcp          0      0  localhost.submissi     *.*                    LISTEN
tcp          0      0  localhost.smtp         *.*                    LISTEN

$ netstat -af inet6
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6         0      0  localhost.submissi     *.*                    LISTEN
tcp6         0      0  localhost.smtp         *.*                    LISTEN
Instead of LISTENing on all IPv4 addresses (*.ssh), 'sshd' will now restrict itself to the 192.168.222.244 'vintrax' IP address. It also stopped LISTENing on all IPv6 addresses (*.ssh).

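The nested here-document technique of 'patchcreate', as an added example that is not the post's script: it generates the self-contained patch script and then verifies it by applying it to a fresh copy of the original and comparing the result with NEW. Unlike the post's version it quotes the inner delimiter, so '$' or backquotes inside the patch text are not expanded by the shell when the generated script runs, and it refuses to generate a script when ORIG and NEW are identical. It assumes POSIX sh with diff, patch, cmp and mktemp on PATH; the sshd_config lines are constructed, and the address is the one the post's netstat output shows for 'vintrax'.

```shell
# Added example, not the forum post's script: build a self-contained patch
# script from ORIG/<file> and NEW/<file>, then prove it works by applying it
# to a fresh copy of the original and comparing the result with NEW/<file>.
# Assumes POSIX sh with diff(1), patch(1), cmp(1) and mktemp(1) on PATH.

# make_patcher WORKDIR FILE OUT: write the patch script to OUT (absolute path).
# Fails when a file is missing or when ORIG and NEW are identical.
make_patcher() {
    w=$1; f=$2; out=$3
    [ -f "$w/ORIG/$f" ] && [ -f "$w/NEW/$f" ] || return 1
    if diff -u "$w/ORIG/$f" "$w/NEW/$f" >/dev/null; then
        echo "ERROR: ORIG/$f and NEW/$f do not differ, nothing to patch" >&2
        return 1
    fi
    # The outer here document (END) builds the script, the inner one carries
    # the unified diff. \$FILE is escaped so it expands when the generated
    # script runs; the inner delimiter is quoted so patch text is never expanded.
    cat <<END > "$out"
#!/bin/sh
echo "--- patch script for: $f --- BEGIN"
FILE=./$f
patch -b -p0 "\$FILE" <<'END_OF_PATCH'
$(cd "$w" && diff -u "ORIG/$f" "NEW/$f")
END_OF_PATCH
echo "--- patch script for: $f --- END"
END
}

# verify_patcher WORKDIR FILE OUT: apply OUT to a copy of ORIG/FILE in a
# scratch directory; succeed only if the result is byte-identical to NEW/FILE.
verify_patcher() {
    w=$1; f=$2; out=$3; rc=1
    t=$(mktemp -d) || return 1
    cp -p "$w/ORIG/$f" "$t/$f"
    if (cd "$t" && sh "$out" >/dev/null) && cmp -s "$t/$f" "$w/NEW/$f"; then rc=0; fi
    rm -rf "$t"; return $rc
}

# demo: constructed sshd_config before/after restricting ListenAddress to the
# address the post's netstat output shows for 'vintrax'. Returns 0 on success.
demo() {
    w=$(mktemp -d) || return 1; rc=1
    mkdir -p "$w/ORIG" "$w/NEW"
    printf '#Port 22\n#ListenAddress 0.0.0.0\n#ListenAddress ::\n' > "$w/ORIG/sshd_config"
    printf '#Port 22\nListenAddress 192.168.222.244\n#ListenAddress ::\n' > "$w/NEW/sshd_config"
    if make_patcher "$w" sshd_config "$w/_patcher" &&
       verify_patcher "$w" sshd_config "$w/_patcher"; then rc=0; fi
    rm -rf "$w"; return $rc
}
```

Running `demo` in a shell that has sourced the file exercises both the generator and the verification; the generated script can then be shipped on its own, exactly like '_patcher'.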