## Build RPM as per
# Do this elsewhere, you don't want dev tools on a box you're trying to secure.  ;) 
# Also note, the repo has moved, so you need to adjust the git path:

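# Install the google-authenticator RPM built above onto the target host.
# EPEL is needed for the qrencode packages (presumably used to draw the
# enrolment QR code in the terminal — confirm against the RPM's deps).
sudo yum install epel-release -y
sudo yum install qrencode qrencode-devel qrencode-libs
# Install the RPM by an explicit local path so yum resolves it as a file
# rather than as a package name to look up in the enabled repositories.
# NOTE(review): a locally built RPM is normally unsigned; with gpgcheck=1
# in yum.conf this step will refuse it until the package is signed or
# --nogpgcheck is passed. Verify the file's checksum against the build host
# before installing it on a box you are trying to harden.
sudo yum install ./google-authenticator-1.03-1.el7.centos.x86_64.rpm
# Per-user enrolment: run this as the account being enrolled, not via sudo
# (the generated secret presumably lands in that user's home — confirm).
google-authenticator  #per-user setup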


This is a CentOS-themed /etc/issue with hooks that update the IP address and OS release on ifup/ifdown. My motivation was that I was tired of logging into an otherwise headless box just to find its IP so that I could SSH to it.

The file actually contains control characters to do the color in the text. The easiest way to preserve that is to clone this gist and run the script with sudo, which will copy the file and set the SELinux context on it.

Keybase proof

I hereby claim:

  • I am jeffgeiger on github.
  • I am jeffgeiger on keybase.
  • I have a public key whose fingerprint is 3EE0 89DC 9EA2 CB58 703C 658F 67F2 38AC C74F 83F8

To claim this, I am signing this object:

#Clean out old marvel indexes, only keeping the current index.
for i in $(curl -sSL http://localhost:9200/_stats/indexes\?pretty\=1 | grep marvel | grep -Ev 'es-data|kibana' | grep -vF "$(date +%m.%d)" | awk '{print $1}' | sed 's/\"//g' 2>/dev/null); do
curl -sSL -XDELETE$i > /dev/null 2>&1
#Delete Logstash indexes from 60 days ago.
curl -sSL -XDELETE "$(date -d '60 days ago' +%Y.%m.%d)" 2>&1
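# Ask an external "what is my IP" service for the current public address.
# NOTE(review): the service URL was lost from this copy of the gist and must
# be restored on the curl line before use. Fixed here: stderr went to
# /dev/nulll (typo) — run as root that silently creates a regular file
# /dev/nulll instead of discarding curl's diagnostics.
CURRENTIP=$(curl 2>/dev/null)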
if [[ $CURRENTIP != $(cat /tmp/ipdata) ]]; then
echo "CHANGE: $CURRENTIP - $(date) FROM: $(cat /tmp/ipdata)"
/usr/sbin/ez-ipupdate -c /etc/ez-ipupdate/default.conf -a $CURRENTIP
echo $CURRENTIP > /tmp/ipdata
curl -Lk -XPOST -d "apikey=xxxxxxxxxxxxxxxxxx&priority=-2&application=Labs&event=IP%20Change&description=New%20IP%3A%20${CURRENTIP}"
curl -A "DDUpdater - Dynamic DNS Updater - 0.0.1" -u ''
echo "ALL GOOD - $(date) - $CURRENTIP"


These changes should keep snort and bro working together in ROCK. I've tested it on 3 production instances and it's held up for almost 2 weeks.

Create the dir for old snort logs
mkdir /data/snort/OLD

Add the (content below)
vim /usr/local/bin/ # Insert content
chmod +x /usr/local/bin/

#Silliness abounds
# Reset the terminal foreground colour (SGR "0;39") without a trailing newline.
nocolor() {
  printf '\033[0;39m'
}
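# Screensaver-style loop: paints a random-colour "⬤" every 0.1–0.6 s and now
# and then backs up to erase the last few cells. Runs until interrupted.
# Changes from the one-liner: loop state is local (it no longer leaks
# `first`/`second`/`PAUSE` into the calling shell), the never-used PAUSE
# value is dropped, and printf replaces the non-portable `echo -en`.
dots() {
  local bold colour
  clear
  while :; do
    bold=$(( RANDOM % 2 ))          # 0 = normal, 1 = bold attribute
    colour=$(( RANDOM % 6 + 1 ))    # foreground colours 31–36
    printf '\033[%d;3%dm⬤ ' "$bold" "$colour"
    sleep ".${colour}"              # pause length is tied to the colour, as before
    # RANDOM is 0–32767, so roughly one iteration in three rubs out the tail
    if (( RANDOM > 22000 )); then
      printf '\b\b\b\b \b\b\b\b'
    fi
  done
}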
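# Screensaver-style loop: paints a random arrow glyph in a random colour every
# 0.1–0.6 s and now and then backs up to erase the last few cells. Runs until
# interrupted. Changes from the one-liner: the glyph table and loop state are
# local (no more `ARROWS`/`first`/`second`/`PAUSE` leaking into the caller),
# the never-used PAUSE value is dropped, and printf replaces `echo -en`.
arrows() {
  local -a glyphs=(⬅ ⬆ ⬇)
  local bold colour pick
  clear
  while :; do
    pick=$(( RANDOM % ${#glyphs[@]} ))
    bold=$(( RANDOM % 2 ))          # 0 = normal, 1 = bold attribute
    colour=$(( RANDOM % 6 + 1 ))    # foreground colours 31–36
    printf '\033[%d;3%dm%s ' "$bold" "$colour" "${glyphs[pick]}"
    sleep ".${colour}"              # pause length is tied to the colour, as before
    # RANDOM is 0–32767, so roughly one iteration in three rubs out the tail
    if (( RANDOM > 22000 )); then
      printf '\b\b\b\b \b\b\b\b'
    fi
  done
}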
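# Poll a host every 5 s, printing its round-trip time or a failure marker.
#   $1 - host name or IP to ping (required). Runs until interrupted.
# Fixes over the one-liner: the host is required and quoted (an empty or
# space-containing $1 previously handed ping a malformed argument list), the
# pipeline's own status drives the branch instead of a trailing `$?`, and the
# RTT is sliced out with parameter expansion rather than an echo|awk pipe.
ping_check() {
  local host=${1:?usage: ping_check HOST}
  local reply rtt
  while :; do
    if reply=$(ping -c1 "$host" | grep "bytes from"); then
      rtt=${reply##*=}   # text after the last '=', e.g. "0.045 ms"
      printf '👍 %s\n' "$rtt"
    else
      printf '💩 NO CONNECTION\n'
    fi
    sleep 5
  done
}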
*/5 * * * * /usr/local/bin/ >> /var/log/ipupdate.log 2>&1
# Run the AIDE integrity check, keeping the full report in a file while
# testing only for the "Looks okay" verdict. Absent `pipefail`, the status
# left in $? is grep's, so the caller's check fires only when AIDE did not
# report a clean tree.
# Deliberately `> /dev/null` rather than `grep -q`: -q exits on the first
# match, and tee could then be killed by SIGPIPE before the report is fully
# written, truncating the copy that gets mailed out.
# NOTE(review): /tmp/aide-daily.out is a fixed, predictable path written by
# a privileged cron job; a pre-existing file or symlink planted there by
# another local user would be followed/overwritten, and the report (a list of
# changed system files) is created with the job's default umask. Prefer a
# root-only directory or mktemp for this file.
/usr/sbin/aide --check 2>&1 | tee /tmp/aide-daily.out | /bin/grep "Looks okay" > /dev/null
if [[ $? -ne 0 ]]; then
LOGDATE=$(date +%s)
cat /tmp/aide-daily.out > /tmp/aide_mail.$LOGDATE
echo -e "\n\n=============\nLOGIN INFO\n=============\n" >> /tmp/aide_mail.$LOGDATE
/bin/last -ax -n 25 >> /tmp/aide_mail.$LOGDATE
cat /tmp/aide_mail.$LOGDATE | mail -s "[ALERT] $(hostname -f) AIDE report"