Scripting – Page 3 – Tech.It.2.Me

Put your Mac to sleep via e-mail

You’re at work, with no remote control access/capability to your Mac at home, brown-outs are occurring, and you forgot to plug it into a power strip due to some unknown reason last night. What do you do? Well, read on…

With some preparation, you can take advantage of Apple’s Mail‘s rules feature to run an AppleScript on a filtered message next time. Here’s how:

Type this script using the Script Editor:

tell application “Finder”

display dialog “This computer will go to sleep in 1 minute.” buttons {“Sleep”, “Cancel”} default button 2 giving up after 60

sleep

end tell

Save the file somewhere. I suggest Documents/Scripts (create the folder if it doesn’t exist and start saving all your useful scripts in here).
Open up Apple Mail and navigate to Preferences > Rules > Add Rules.
Copy and setup the following rules based on the screenshot below:

Fig. 1.1 – Apple Mail’s Add Rule window

Apply the changes and minimize Apple Mail.
That’s it! All you have to do now is send yourself an e-mail with “Sleep My Mac” as the subject with the message of “Go to sleep” from anywhere.

One caveat: For this to work, Apple Mail will need to be running (minimized is fine).

Hopefully, you find this tip helpful and empowering. Now back to work! =0)

Windows PowerShell script to check for specific hotfix

I was asked by our IT department to write something that would check if a specific Windows Update hotfix was installed on a number of servers (they gave me list), and they wanted it ASAP.

So, I thought, hmm…this is the perfect opportunity to give Microsoft’s new scripting tool, Windows PowerShell, a try. I tip my hat to Microsoft for creating this tool – it was about time – since something like this has been in need to combat the “last mile” in the IT world.

It shouldn’t take more than 5 minutes to write this script, but being familiar with the .NET Framework is sort of a prerequisite:

# Get content
$computers = get-content c:\computers.txt

# Get all the info using WMI
$results = get-wmiobject -class “Win32_QuickFixEngineering” -namespace “root\CIMV2” -computername $computers

# Loop through $results and look for a match then output to screen
foreach ($objItem in $results)
{
    if ($objItem.HotFixID -match “KB932168”)
    {
        write-host $objItem.CSName
        write-host “Hotfix KB932168 installed”
        write-host
    }
}

To use it:

1. Copy-and-paste this into notepad and save it as scriptname.ps1.

2. Set the execution policy, as Microsoft intentionally set it up like *nix scripts (right on!) wherein you need to chmod it, like so: Set-ExecutionPolicy Unrestricted.

Note: There are different execution policies, such as “AllSigned.” Google it if you want to know more about it.

3. Run it from the powershell by typing .\scriptname.ps1.

4. That’s it! Now wait for the results.

This script, unfortunately, will only print out the servers that have the specific “KB932168” (read: an example) hotfix installed. I could’ve expanded the script to output a list of servers that didn’t have it and output it to a text file using the Out-File cmdlet, but, at the end, it served its purpose and got the results our IT department needed.

BTW, this script will work on Win2k3, XP, Win2k, and Win98 – but the corresponding .NET Framework (version 2.0 is good; version 3.0 is already out) must be installed on the target machine. Also, know that the Windows PowerShell only works on Windows.

Hope this helps! =0)

Password-Protecting your pages with .htaccess

If you develop websites or adminster them, you’ve probably been asked or required to password-protect parts of a website.

So, to help you out, here’s a quick how-to in Apache using .htaccess:

Open a terminal window and navigate to the folder or page(s) you’d like to add a password requirement.
Once there, type the following: htpasswd -c .htpasswd username. BTW, you can name .htpasswd to another name (something that is hard to guess is preferable).
Enter the password you’d like to associate with the username (from above). This will create the user and an encrypted password.
Next, create the .htaccess file by typing: vi .htaccess, and add the following in the .htaccess file:

To protect a folder

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName “Your Secret Folder”
Require valid-user

To protect a page

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName “Your Secret Page”
<Files “yourpage.html”>
Require valid-user
</Files>

Note: You can use a different name for .htpasswd so it’s harder for a hacker to figure it out.

5. Type :wq! to save and exit.

6. For better security, perform a chmod on .htaccess, like so: chmod 644 .htaccess.

As you can see, the steps above are pretty straight-forward. Also as an FYI, Apache blocks any requests for anything that start with “.ht”.

That’s basically it, I hope this post helps you out. =0)

iptables script

I’ve been running Fedora Core 1 for about, hmm…5 years(?) on my little ‘ole work-horse server, but this reliable/stable OS has started showing its age. Repository issues, keeping software and everything else up-to-date. Ugh. =0(

I was initially sold on installing RHEL ES 4 (I had the disks already), but my server had problems with the “transferring image to install…” phase. So, I took it as a sign to stick with Fedora, which I was happy about since I’m used to it. More importantly, however, it was an opportunity to try out the new Fedora Core release.

So with tools in hand, I backed up all my scripts and website files and installed Fedora Core 6 last night. It took about 4 hours to install and configure – in fact, I started a “how-to” on my wiki, just in case I have to do it all over again.

OK, so enough of the rambling. This post is, after all, about iptables (hats off to to the netfilter.org guys/gals and thanks to Dan Farino for helping out with this). BTW, I had to disable the security firewall on Fedora to have more control over the firewall.

Steps to take:

Open up a terminal
cd /usr/local/src
mkdir iptables
vi iptables
Copy and paste the script below
chmod 777 scriptname
./scriptname

Verify no errors occurred, then once done, type the following:

tail -f /var/log/messages

From this point, watch for some interesting stuff. =0)

Simple enough, huh? Hopefully, you can make use of this script to build your personal *nix firewall. Take care.

Make sure /proc/sys/net/ipv4/p_forward is ‘1’ and both ip_conntrack_ftp & ip_nat_ftp modules are loaded (use modprobe modulename).

#————————————————-#

# flush and delete chains
iptables -F
iptables -X
iptables -t nat -F

# default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -t nat –policy PREROUTING ACCEPT
iptables -t nat –policy POSTROUTING ACCEPT
iptables -t nat –policy OUTPUT ACCEPT

# new user-defined chains
iptables -N tcp-state-flags
iptables -N fragments
iptables -N spoof
iptables -N syn-flood

iptables -N log-tcp-state
iptables -N log-drop-spoof

iptables -N log-input-accept

iptables -N log-input-drop
iptables -N log-fwd-drop

#————————————————-#

# input rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ! eth0 -j ACCEPT
iptables -A INPUT -p tcp -j tcp-state-flags
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -f -j fragments
iptables -A INPUT -m state –state NEW -j spoof
iptables -A INPUT -p tcp –dport 80 -m state –state NEW -j ACCEPT
iptables -A INPUT -j log-input-drop

# forward rules
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j log-fwd-drop

# output rules
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state –state INVALID -j DROP

#————————————————-#

# tcp-state-flags rules
iptables -A tcp-state-flags -p tcp –tcp-flags ALL NONE -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags SYN,FIN SYN,FIN -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags SYN,RST SYN,RST -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags FIN,RST FIN,RST -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags ACK,FIN FIN -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags ACK,PSH PSH -j log-tcp-state
iptables -A tcp-state-flags -p tcp –tcp-flags ACK,URG URG -j log-tcp-state

# fragments rules
iptables -A fragments -f -j LOG –log-level info –log-prefix “___ipt:fragment___: “
iptables -A fragments -f -j DROP

# spoof rules
iptables -A spoof -s 127.0.0.0/8 -j log-drop-spoof
iptables -A spoof -s 10.0.0.0/8 -j log-drop-spoof
iptables -A spoof -s 255.255.255.255 -j log-drop-spoof
iptables -A spoof -s 0.0.0.0/8 -j log-drop-spoof
iptables -A spoof -s 169.254.0.0/16 -j log-drop-spoof
iptables -A spoof -s 172.16.0.0/12 -j log-drop-spoof
iptables -A spoof -s 192.0.2.0/24 -j log-drop-spoof
iptables -A spoof -s 192.168.0.0/16 -j log-drop-spoof
iptables -A spoof -s 224.0.0.0/4 -j log-drop-spoof
iptables -A spoof -s 248.0.0.0/5 -j log-drop-spoof
iptables -A spoof -s 240.0.0.0/5 -j log-drop-spoof

# syn-flood rules
iptables -A syn-flood -m limit –limit 1/s –limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG –log-level info –log-prefix “___ipt-fw:syn-flood___: “
iptables -A syn-flood -j DROP

# log-tcp-state rules
iptables -A log-tcp-state -j LOG –log-level info –log-prefix “___ipt:invalid-tcp-flag___: “
iptables -A log-tcp-state -j DROP

# log-drop-spoof rules
iptables -A log-drop-spoof -j LOG –log-level info –log-prefix “___ipt:spoof,mcast___: “
iptables -A log-drop-spoof -j DROP

# log-input-accept rules
iptables -A log-input-accept -j LOG –log-level info –log-prefix “___ipt:input-accept___: “
iptables -A log-input-accept -j ACCEPT

# log-input-drop
iptables -A log-input-drop -j LOG –log-level info –log-prefix “___ipt:input-drop___: “
iptables -A log-input-drop -j DROP

# log-fwd-drop
iptables -A log-fwd-drop -j LOG –log-level info –log-prefix “___ipt:fwd-drop___: “
iptables -A log-fwd-drop -j DROP

#————————————————-#

# postrouting
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#————————————————-#

# activate rules
iptables-save
iptables-save > /etc/sysconfig/iptables
service iptables restart

#————————————————-#