Tuesday, 15 October 2024

How to check for open ports on Linux

Checking for open ports is among the first steps to secure your device. Listening services may be the entrance for attackers who may exploit service vulnerabilities to gain access or disrupt a system. 

A listening service or listening port is an open port with an application waiting for a client to connect (e.g an FTP server waiting for an FTP client) There is not sense in keeping a web server running if you aren’t serving a website, nor to keep the port 22 open if you don’t use ssh. 

This tutorial shows how to check for open ports both remotely and locally and how to close them.

How to check for open ports on Linux locally

The command netstat is present on all computer OS (Operating Systems) to monitor network connections. The following command uses netstat to show all listening ports using the TCP protocol:

netstat -lt

Where:
netstat: calls the program.
-l: lists listening ports.
-t: specifies TCP protocol.

The output is friendly, well ordered in columns showing the protocol, received and sent packets, local and remote IP addresses and the port state.

If you change the TCP protocol for UDP the result, at least on Linux, will display only open ports without specifying the state because contrary to the TCP protocol, the UDP protocol is stateless.

netstat -lu

You can avoid specifying protocols and use only the option -l or –listen to get information on all ports listening independently of the protocol:

netstat --listen

The option above will display information for TCP, UDP and Unix socket protocols.

All examples above show how to print information on listening ports without established connections. The following command shows how to display listening ports and established connections:

netstat -vatn

Where:
netstat: calls the program
-v: verbosity
-a: shows active connections.
-t: shows tcp connections
-n: shows ports in numerical value

Let’s say you identified a suspicious process in your system and you want to check associated ports to it. You can use the command lsof used to list open files associated to processes.

lsof -i 4 -a -p <Process-Numer>

In the next example I will check the process 19327:

lsof -i 4 -a -p 19327

Where:
lsof: calls the program
-i: lists files interacting with the internet, the option 4 instructs to print only IPv4, option 6 is available for IPv6.
-a: instructs the output to be ANDed.
-p: Specify the PID number of the process you want to check.

As you see the process is associated with the listening smtp port.

How to check for open ports on Linux remotely

If you want to detect ports on a remote system the most widely used tool is Nmap (Network Mapper). The following example shows a single port scan against Linuxhint.com:

nmap linuxhint.com

The output is ordered in 3 columns showing the port, the port state and the service listening behind the port.

Not shown: 988 closed ports
PORT           STATE         SERVICE
22/tcp         open          ssh
25/tcp         open          smtp
80/tcp         open          http
161/tcp        filtered      snmp
443/tcp        open          https
1666/tcp       filtered      netview-aix-6
1723/tcp       filtered      pptp
6666/tcp       filtered      irc
6667/tcp       filtered      irc
6668/tcp       filtered      irc
6669/tcp       filtered      irc
9100/tcp       filtered      jetdirect
By default, nmap scans the most common 1000 ports only. If you want Nmap to scan all ports run:

nmap -p- linuxhint.com
At the Related Articles section of this tutorial, you can find additional tutorials on Nmap to scan ports and targets with many additional options.

Removing services on Debian 10 buster

Additionally to firewall rules to keep your ports blocked removing unnecessary services is recommended. Under Debian 10 Buster this can be achieved with apt.
The following example shows how to remove the Apache 2 service using apt:

apt remove apache2

If requested press Y to end the removal.

How to close open ports on Linux using UFW


If you find open ports you don’t need to be open the easiest solution is to close it using UFW (Uncomplicated Firewall)

There are two ways to block a port, by using the option deny and with the option reject, the difference is the reject instruction will inform the second side the connection was rejected.

To block the port 22 using the rule deny just run:

ufw deny 22

To block the port 22 using the rule reject just run:

ufw reject 22


On the Related Articles section at the end of this tutorial, you can find a good tutorial on Uncomplicated Firewall.

How to close open ports on Linux using iptables

While UFW is the easiest way to manage ports, it is a frontend for Iptables.
The following example shows how to reject connections to the port 22 using iptables:

iptables -I INPUT -p tcp --dport 22 -j REJECT

The rule above instructs to reject all tcp incoming (INPUT) connections to destination port (dport) 22. Being rejected the source will be informed the connection was rejected.

The following rule just drops all packets without informing the source the connection was rejected:


iptables -A INPUT -p tcp --dport 22 -j DROP

I hope you found this brief tutorial useful. Keep following LinuxHint for additional updates and tips on Linux and Networking.

Tuesday, 8 October 2024

Terraform Build Azure Infrastructure

These are the links for us to use to build infrastructure on Azure


Git - Repositories

More links to investigate and learn to Build Terraform on Azure

Working on K8 Identity Management.

The configuration change is ready to be pushed into AWS - please guys let me know when you are ready for me to start pushing this into Dev cluster, then test/access the outcome.. If we are happy with it, then propose a rollout/push into PROD.


Using kubeconfig files


There are three main ways to point kubectl at your kubeconfig files:

1 - The --kubeconfig flag


You can pass a flag on every kubectl command that you run.  This flag will force kubectl to read from the kubeconfig file that you specify.  You can only use one kubeconfig file this way.  Also, you can only specify one instance of this flag on the command line.  This way is a little cumbersome as you have to type this for every kubectl command.

2 - The KUBECONFIG environment variable


You can also set a special environment variable named KUBECONFIG.  The value of this variable points at the kubeconfig file that you would like to use.  This variable can be pointed at multiple kubeconfig files, if you wish.  Just make sure to separate the files with colons (on Linux & Mac) or semi-colons (on Windows).  If you specify multiple kubeconfigs this way, then kubectl will merge them all into one config and use that merged version.

3 - The default config file


By default, the kubectl command-line tool will look for a kubeconfig file simply named config (no file extension) in the .kube directory of the user's profile:

  • Linux:
  • $HOME/.kube/config
  • Windows:
  • %USERPROFILE%\.kube\config
This is the easiest method to use, in my opinion.  Simply place a file in the correct directory, and kubectl will automatically pick it up and use it.

Some useful kubectl commands


#show the full contents of your kubeconfig file
kubectl config view

#show the value of the current-context line of your kubeconfig file
kubectl config current-context

#show all of the Users currently defined in your kubeconfig file
kubectl config get-users

#show all of the Clusters currently defined in your kubeconfig file
kubectl config get-clusters

#show all of the Contexts currently defined in your kubeconfig file
kubectl config get-contexts


kubectl Cheat Sheet

This page contains a list of commonly used kubectl commands and flags.

Kubectl autocomplete

BASH

source <(kubectl completion bash) # setup autocomplete in bash into the current shell, bash-completion package should be installed first.
echo "source <(kubectl completion bash)" >> ~/.bashrc # add autocomplete permanently to your bash shell.
You can also use a shorthand alias for kubectl that also works with completion:

alias k=kubectl
complete -F __start_kubectl k

ZSH

source <(kubectl completion zsh) # setup autocomplete in zsh into the current shell
echo "[[ $commands[kubectl] ]] && source <(kubectl completion zsh)" >> ~/.zshrc # add autocomplete permanently to your zsh shell

Kubectl context and configuration

Set which Kubernetes cluster kubectl communicates with and modifies configuration information. See Authenticating Across Clusters with kubeconfig documentation for detailed config file information.

kubectl config view # Show Merged kubeconfig settings.


# use multiple kubeconfig files at the same time and view merged config
KUBECONFIG=~/.kube/config:~/.kube/kubconfig2


kubectl config view


# get the password for the e2e user
kubectl config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}'


kubectl config view -o jsonpath='{.users[].name}' # display the first user
kubectl config view -o jsonpath='{.users[*].name}' # get a list of users
kubectl config get-contexts # display list of contexts
kubectl config current-context # display the current-context
kubectl config use-context my-cluster-name # set the default context to my-cluster-name


# add a new user to your kubeconf that supports basic auth
kubectl config set-credentials kubeuser/foo.kubernetes.com --username=kubeuser --password=kubepassword


# permanently save the namespace for all subsequent kubectl commands in that context.
kubectl config set-context --current --namespace=ggckad-s2


# set a context utilizing a specific username and namespace.
kubectl config set-context gce --user=cluster-admin --namespace=foo \
&& kubectl config use-context gce


kubectl config unset users.foo # delete user foo

Kubectl apply

Apply manages applications through files defining Kubernetes resources. It creates and updates resources in a cluster by running kubectl apply. This is the recommended way of managing Kubernetes applications on production. See Kubectl Book.

Creating objects

Kubernetes manifests can be defined in YAML or JSON. The file extensions .yaml, .yml, and .json can be used.

kubectl apply -f ./my-manifest.yaml # create resource(s)
kubectl apply -f ./my1.yaml -f ./my2.yaml # create from multiple files
kubectl apply -f ./dir # create resource(s) in all manifest files in dir
kubectl apply -f https://git.io/vPieo # create resource(s) from url
kubectl create deployment nginx --image=nginx # start a single instance of nginx


# create a Job which prints "Hello World"
kubectl create job hello --image=busybox -- echo "Hello World"


# create a CronJob that prints "Hello World" every minute
kubectl create cronjob hello --image=busybox --schedule="*/1 * * * *" -- echo "Hello World"


kubectl explain pods # get the documentation for pod manifests


# Create multiple YAML objects from stdin
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: busybox-sleep
spec:
containers:
- name: busybox
image: busybox
args:
- sleep
- "1000000"
---
apiVersion: v1
kind: Pod
metadata:
name: busybox-sleep-less
spec:
containers:
- name: busybox
image: busybox
args:
- sleep
- "1000"
EOF


# Create a secret with several keys
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
password: $(echo -n "s33msi4" | base64 -w0)
username: $(echo -n "jane" | base64 -w0)
EOF

Viewing, finding resources

# Get commands with basic output
kubectl get services # List all services in the namespace
kubectl get pods --all-namespaces # List all pods in all namespaces
kubectl get pods -o wide # List all pods in the current namespace, with more details
kubectl get deployment my-dep # List a particular deployment
kubectl get pods # List all pods in the namespace
kubectl get pod my-pod -o yaml # Get a pod's YAML


# Describe commands with verbose output
kubectl describe nodes my-node
kubectl describe pods my-pod


# List Services Sorted by Name
kubectl get services --sort-by=.metadata.name


# List pods Sorted by Restart Count
kubectl get pods --sort-by='.status.containerStatuses[0].restartCount'


# List PersistentVolumes sorted by capacity
kubectl get pv --sort-by=.spec.capacity.storage


# Get the version label of all pods with label app=cassandra
kubectl get pods --selector=app=cassandra -o \
jsonpath='{.items[*].metadata.labels.version}'


# Retrieve the value of a key with dots, e.g. 'ca.crt'
kubectl get configmap myconfig \
-o jsonpath='{.data.ca\.crt}'


# Get all worker nodes (use a selector to exclude results that have a label
# named 'node-role.kubernetes.io/master')
kubectl get node --selector='!node-role.kubernetes.io/master'


# Get all running pods in the namespace
kubectl get pods --field-selector=status.phase=Running


# Get ExternalIPs of all nodes
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'


# List Names of Pods that belong to Particular RC
# "jq" command useful for transformations that are too complex for jsonpath, it can be found at https://stedolan.github.io/jq/
sel=${$(kubectl get rc my-rc --output=json | jq -j '.spec.selector | to_entries | .[] | "\(.key)=\(.value),"')%?}
echo $(kubectl get pods --selector=$sel --output=jsonpath={.items..metadata.name})


# Show labels for all pods (or any other Kubernetes object that supports labelling)
kubectl get pods --show-labels


# Check which nodes are ready
JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}' \
&& kubectl get nodes -o jsonpath="$JSONPATH" | grep "Ready=True"


# Output decoded secrets without external tools
kubectl get secret my-secret -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}'


# List all Secrets currently in use by a pod
kubectl get pods -o json | jq '.items[].spec.containers[].env[]?.valueFrom.secretKeyRef.name' | grep -v null | sort | uniq


# List all containerIDs of initContainer of all pods
# Helpful when cleaning up stopped containers, while avoiding removal of initContainers.
kubectl get pods --all-namespaces -o jsonpath='{range .items[*].status.initContainerStatuses[*]}{.containerID}{"\n"}{end}' | cut -d/ -f3


# List Events sorted by timestamp
kubectl get events --sort-by=.metadata.creationTimestamp


# Compares the current state of the cluster against the state that the cluster would be in if the manifest was applied.
kubectl diff -f ./my-manifest.yaml


# Produce a period-delimited tree of all keys returned for nodes
# Helpful when locating a key within a complex nested JSON structure
kubectl get nodes -o json | jq -c 'path(..)|[.[]|tostring]|join(".")'


# Produce a period-delimited tree of all keys returned for pods, etc
kubectl get pods -o json | jq -c 'path(..)|[.[]|tostring]|join(".")'


# Produce ENV for all pods, assuming you have a default container for the pods, default namespace and the `env` command is supported.
# Helpful when running any supported command across all pods, not just `env`
for pod in $(kubectl get po --output=jsonpath={.items..metadata.name}); do echo $pod && kubectl exec -it $pod -- env; done

Updating resources

kubectl set image deployment/frontend www=image:v2 # Rolling update "www" containers of "frontend" deployment, updating the image
kubectl rollout history deployment/frontend # Check the history of deployments including the revision
kubectl rollout undo deployment/frontend # Rollback to the previous deployment
kubectl rollout undo deployment/frontend --to-revision=2 # Rollback to a specific revision
kubectl rollout status -w deployment/frontend # Watch rolling update status of "frontend" deployment until completion
kubectl rollout restart deployment/frontend # Rolling restart of the "frontend" deployment




cat pod.json | kubectl replace -f - # Replace a pod based on the JSON passed into std


# Force replace, delete and then re-create the resource. Will cause a service outage.
kubectl replace --force -f ./pod.json


# Create a service for a replicated nginx, which serves on port 80 and connects to the containers on port 8000
kubectl expose rc nginx --port=80 --target-port=8000


# Update a single-container pod's image version (tag) to v4
kubectl get pod mypod -o yaml | sed 's/\(image: myimage\):.*$/\1:v4/' | kubectl replace -f -


kubectl label pods my-pod new-label=awesome # Add a Label
kubectl annotate pods my-pod icon-url=http://goo.gl/XXBTWq # Add an annotation
kubectl autoscale deployment foo --min=2 --max=10 # Auto scale a deployment "foo"

Patching resources

# Partially update a node
kubectl patch node k8s-node-1 -p '{"spec":{"unschedulable":true}}'


# Update a container's image; spec.containers[*].name is required because it's a merge key
kubectl patch pod valid-pod -p '{"spec":{"containers":[{"name":"kubernetes-serve-hostname","image":"new image"}]}}'


# Update a container's image using a json patch with positional arrays
kubectl patch pod valid-pod --type='json' -p='[{"op": "replace", "path": "/spec/containers/0/image", "value":"new image"}]'


# Disable a deployment livenessProbe using a json patch with positional arrays
kubectl patch deployment valid-deployment --type json -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/livenessProbe"}]'


# Add a new element to a positional array
kubectl patch sa default --type='json' -p='[{"op": "add", "path": "/secrets/1", "value": {"name": "whatever" } }]'

Editing resources

Edit any API resource in your preferred editor.

kubectl edit svc/docker-registry # Edit the service named docker-registry
KUBE_EDITOR="nano" kubectl edit svc/docker-registry # Use an alternative editor

Scaling resources

kubectl scale --replicas=3 rs/foo # Scale a replicaset named 'foo' to 3
kubectl scale --replicas=3 -f foo.yaml # Scale a resource specified in "foo.yaml" to 3
kubectl scale --current-replicas=2 --replicas=3 deployment/mysql # If the deployment named mysql's current size is 2, scale mysql to 3
kubectl scale --replicas=5 rc/foo rc/bar rc/baz # Scale multiple replication controllers

Deleting resources

kubectl delete -f ./pod.json # Delete a pod using the type and name specified in pod.json
kubectl delete pod unwanted --now # Delete a pod with no grace period
kubectl delete pod,service baz foo # Delete pods and services with same names "baz" and "foo"
kubectl delete pods,services -l name=myLabel # Delete pods and services with label name=myLabel
kubectl -n my-ns delete pod,svc --all # Delete all pods and services in namespace my-ns,
# Delete all pods matching the awk pattern1 or pattern2
kubectl get pods -n mynamespace --no-headers=true | awk '/pattern1|pattern2/{print $1}' | xargs kubectl delete -n mynamespace pod

Interacting with running Pods

kubectl logs my-pod # dump pod logs (stdout)
kubectl logs -l name=myLabel # dump pod logs, with label name=myLabel (stdout)
kubectl logs my-pod --previous # dump pod logs (stdout) for a previous instantiation of a container
kubectl logs my-pod -c my-container # dump pod container logs (stdout, multi-container case)
kubectl logs -l name=myLabel -c my-container # dump pod logs, with label name=myLabel (stdout)
kubectl logs my-pod -c my-container --previous # dump pod container logs (stdout, multi-container case) for a previous instantiation of a container
kubectl logs -f my-pod # stream pod logs (stdout)
kubectl logs -f my-pod -c my-container # stream pod container logs (stdout, multi-container case)
kubectl logs -f -l name=myLabel --all-containers # stream all pods logs with label name=myLabel (stdout)
kubectl run -i --tty busybox --image=busybox -- sh # Run pod as interactive shell
kubectl run nginx --image=nginx -n mynamespace # Start a single instance of nginx pod in the namespace of mynamespace
kubectl run nginx --image=nginx # Run pod nginx and write its spec into a file called pod.yaml
--dry-run=client -o yaml > pod.yaml


kubectl attach my-pod -i # Attach to Running Container
kubectl port-forward my-pod 5000:6000 # Listen on port 5000 on the local machine and forward to port 6000 on my-pod
kubectl exec my-pod -- ls / # Run command in existing pod (1 container case)
kubectl exec --stdin --tty my-pod -- /bin/sh # Interactive shell access to a running pod (1 container case)
kubectl exec my-pod -c my-container -- ls / # Run command in existing pod (multi-container case)
kubectl top pod POD_NAME --containers # Show metrics for a given pod and its containers
kubectl top pod POD_NAME --sort-by=cpu # Show metrics for a given pod and sort it by 'cpu' or 'memory'

Copy files and directories to and from containers

kubectl cp /tmp/foo_dir my-pod:/tmp/bar_dir # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the current namespace
kubectl cp /tmp/foo my-pod:/tmp/bar -c my-container # Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
kubectl cp /tmp/foo my-namespace/my-pod:/tmp/bar # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace my-namespace
kubectl cp my-namespace/my-pod:/tmp/foo /tmp/bar # Copy /tmp/foo from a remote pod to /tmp/bar locally

Note:kubectl cprequires that the 'tar' binary is present in your container image. If 'tar' is not present,kubectl cpwill fail. For advanced use cases, such as symlinks, wildcard expansion or file mode preservation consider using kubectl exec.

tar cf - /tmp/foo | kubectl exec -i -n my-namespace my-pod -- tar xf - -C /tmp/bar # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace my-namespace
kubectl exec -n my-namespace my-pod -- tar cf - /tmp/foo | tar xf - -C /tmp/bar # Copy /tmp/foo from a remote pod to /tmp/bar locally

Interacting with Deployments and Services

kubectl logs deploy/my-deployment # dump Pod logs for a Deployment (single-container case)
kubectl logs deploy/my-deployment -c my-container # dump Pod logs for a Deployment (multi-container case)


kubectl port-forward svc/my-service 5000 # listen on local port 5000 and forward to port 5000 on Service backend
kubectl port-forward svc/my-service 5000:my-service-port # listen on local port 5000 and forward to Service target port with name <my-service-port>


kubectl port-forward deploy/my-deployment 5000:6000 # listen on local port 5000 and forward to port 6000 on a Pod created by <my-deployment>
kubectl exec deploy/my-deployment -- ls # run command in first Pod and first container in Deployment (single- or multi-container cases)

Interacting with Nodes and cluster

kubectl cordon my-node # Mark my-node as unschedulable
kubectl drain my-node # Drain my-node in preparation for maintenance
kubectl uncordon my-node # Mark my-node as schedulable
kubectl top node my-node # Show metrics for a given node
kubectl cluster-info # Display addresses of the master and services
kubectl cluster-info dump # Dump current cluster state to stdout
kubectl cluster-info dump --output-directory=/path/to/cluster-state # Dump current cluster state to /path/to/cluster-state


# If a taint with that key and effect already exists, its value is replaced as specified.
kubectl taint nodes foo dedicated=special-user:NoSchedule

Resource types

List all supported resource types along with their shortnames, API group, whether they are namespaced, and Kind:

kubectl api-resources

Other operations for exploring API resources:

kubectl api-resources --namespaced=true # All namespaced resources
kubectl api-resources --namespaced=false # All non-namespaced resources
kubectl api-resources -o name # All resources with simple output (only the resource name)
kubectl api-resources -o wide # All resources with expanded (aka "wide") output
kubectl api-resources --verbs=list,get # All resources that support the "list" and "get" request verbs
kubectl api-resources --api-group=extensions # All resources in the "extensions" API group

Formatting output

To output details to your terminal window in a specific format, add the -o(or --output) flag to a supported kubectlcommand.

Output formatDescription
-o=custom-columns=<spec>Print a table using a comma separated list of custom columns
-o=custom-columns-file=<filename>Print a table using the custom columns template in the <filename>file
-o=jsonOutput a JSON formatted API object
-o=jsonpath=<template>Print the fields defined in a jsonpathexpression
-o=jsonpath-file=<filename>Print the fields defined by the jsonpathexpression in the <filename>file
-o=namePrint only the resource name and nothing else
-o=wideOutput in the plain-text format with any additional information, and for pods, the node name is included
-o=yamlOutput a YAML formatted API object
Examples using -o=custom-columns:

# All images running in a cluster
kubectl get pods -A -o=custom-columns='DATA:spec.containers[*].image'


# All images running in namespace: default, grouped by Pod
kubectl get pods --namespace default --output=custom-columns="NAME:.metadata.name,IMAGE:.spec.containers[*].image"


# All images excluding "k8s.gcr.io/coredns:1.6.2"
kubectl get pods -A -o=custom-columns='DATA:spec.containers[?(@.image!="k8s.gcr.io/coredns:1.6.2")].image'


# All fields under metadata regardless of name
kubectl get pods -A -o=custom-columns='DATA:metadata.*'
More examples in the kubectl reference documentation.

Kubectl output verbosity and debugging

Kubectl verbosity is controlled with the -vor --vflags followed by an integer representing the log level. General Kubernetes logging conventions and the associated log levels are described here.

VerbosityDescription
--v=0Generally useful for this to alwaysbe visible to a cluster operator.
--v=1A reasonable default log level if you don't want verbosity.
--v=2Useful steady state information about the service and important log messages that may correlate to significant changes in the system. This is the recommended default log level for most systems.
--v=3Extended information about changes.
--v=4Debug level verbosity.
--v=5Trace level verbosity.
--v=6Display requested resources.
--v=7Display HTTP request headers.
--v=8Display HTTP request contents.
--v=9Display HTTP request contents without truncation of contents.

How to check for open ports on Linux

Checking for open ports is among the first steps to secure your device. Listening services may be the entrance for attackers who may exploit...