### Logstash Grok Pattern for Bind9 input using Filebeat
%{BIND9_TIMESTAMP:timestamp}%{SPACE}%{LOGLEVEL:loglevel}:%{SPACE}client%{SPACE}%{IP:clientip}#%{POSINT:clientport}%{SPACE}\(%{DATA:query}\):%{SPACE}view%{SPACE}internal:%{SPACE}query:%{SPACE}%{DATA:query2} %{DATA:queryclass} %{DATA:querytype} %{DATA:queryflag} \(%{IP:dnsip}\)
####
grok {
  # BIND9_TIMESTAMP is not in the stock grok pattern set; define it in a file under patterns_dir,
  # e.g. "BIND9_TIMESTAMP %{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}" to match "29-Mar-2019 10:15:42.123".
  # Caveats: the view name is hard-coded to "internal", and BIND 9.11+ writes a client pointer
  # ("client @0x7f... 192.0.2.10#54321") that this pattern does not allow for, so those lines
  # are tagged _grokparsefailure instead of being parsed.
  match => {
    "message" => [ "%{BIND9_TIMESTAMP:timestamp}%{SPACE}%{LOGLEVEL:loglevel}:%{SPACE}client%{SPACE}%{IP:clientip}#%{POSINT:clientport}%{SPACE}\(%{DATA:query}\):%{SPACE}view%{SPACE}internal:%{SPACE}query:%{SPACE}%{DATA:query2} %{DATA:queryclass} %{DATA:querytype} %{DATA:queryflag} \(%{IP:dnsip}\)" ]
  }
}
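Added example, not code from the gist: a Python equivalent of the grok pattern above, run over constructed BIND query-log lines. It goes slightly beyond the original pattern by accepting the client pointer that BIND 9.11+ prints and by capturing the view name instead of fixing it to `internal`; it counts lines that Logstash would tag `_grokparsefailure`, and it does a parent-domain lookup against a small constructed blocklist of the kind the page's translate-filter dictionaries hold (the translate filter itself only does exact-key matches).

```python
import re
from ipaddress import ip_address

# Regex equivalent of the grok pattern, with two generalisations that are my
# additions, not part of the original: the optional "@0x..." client pointer
# (BIND 9.11+) and a captured view name instead of the literal "internal".
QUERY_LOG_RE = re.compile(
    r"^(?P<timestamp>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<loglevel>[A-Za-z]+):\s+"
    r"client\s+(?:@0x[0-9a-fA-F]+\s+)?"
    r"(?P<clientip>[0-9A-Fa-f.:]+)#(?P<clientport>[1-9][0-9]*)\s+"
    r"\((?P<query>[^)]*)\):\s+"
    r"(?:view\s+(?P<view>\S+):\s+)?"
    r"query:\s+(?P<query2>\S+)\s+(?P<queryclass>\S+)\s+(?P<querytype>\S+)\s+"
    r"(?P<queryflag>\S+)\s+\((?P<dnsip>[0-9A-Fa-f.:]+)\)\s*$"
)

# Constructed sample lines (not real traffic): a plain 9.10-style line, a 9.11+
# line with the client pointer, an IPv6 client, and a non-query line.
SAMPLE_LINES = [
    "29-Mar-2019 10:15:42.123 info: client 192.0.2.10#54321 (www.example.com): "
    "view internal: query: www.example.com IN A +E(0)K (192.0.2.53)",
    "29-Mar-2019 10:15:43.001 info: client @0x7f1e5c0cb620 192.0.2.11#40000 "
    "(cdn.bad.example.net): view internal: query: cdn.bad.example.net IN AAAA - (192.0.2.53)",
    "29-Mar-2019 10:15:44.500 info: client 2001:db8::1#33000 (example.org): "
    "view external: query: example.org IN MX +T (2001:db8::53)",
    "29-Mar-2019 10:15:45.000 info: zone example.com/IN: loaded serial 2019032901",
]

# Constructed stand-in for a translate-filter dictionary (domain -> category).
BLOCKLIST = {"bad.example.net": "malware", "tracker.example.org": "ads"}


def parse_query_log(line):
    """Return the grok-style field dict for one query-log line, or None on no match."""
    m = QUERY_LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    try:  # the grok IP pattern only accepts real addresses; enforce the same here
        ip_address(fields["clientip"])
        ip_address(fields["dnsip"])
    except ValueError:
        return None
    fields["clientport"] = int(fields["clientport"])
    return fields


def parse_lines(lines):
    """Parse many lines; the failure count is what Logstash would tag _grokparsefailure."""
    events, failures = [], 0
    for line in lines:
        event = parse_query_log(line)
        if event is None:
            failures += 1
        else:
            events.append(event)
    return events, failures


def lookup_domain(qname, blocklist):
    """Exact match first, then each parent domain down to (but excluding) the bare TLD."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None


def flagged_events(lines=SAMPLE_LINES, blocklist=BLOCKLIST):
    """(client ip, queried name, category) for every parsed query that hits the list."""
    events, _ = parse_lines(lines)
    hits = []
    for event in events:
        hit = lookup_domain(event["query"], blocklist)
        if hit:
            hits.append((event["clientip"], event["query"], hit[1]))
    return hits


if __name__ == "__main__":
    parsed, failed = parse_lines(SAMPLE_LINES)
    print(f"parsed {len(parsed)} query events, {failed} parse failure(s)")
    for client, name, category in flagged_events():
        print(f"ALERT client {client} asked for {name} ({category})")
```

The parse-failure count is worth watching in production: a BIND upgrade that adds the client pointer, or a channel that starts printing the category, silently turns every line into `_grokparsefailure` rather than producing wrong fields.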
#!/bin/sh
# origin https://gist.github.com/erlepereira/c11f4f7a3f60cd2071e79018e895fc8a
# Output is a Logstash translate-filter dictionary in YAML, one line per host, e.g.
#   "www.google.com": "known search engine"
# Choose a list from https://github.com/StevenBlack/hosts
#HOSTS_RAW=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
##### https://raw.githubusercontent.com/StevenBlack/hosts/master/data/malwaredomainlist.com/hosts
### The first file must be written with > (truncate) and every later one appended with >>,
### otherwise each list overwrites the previous one.
##### first file
# This Logstash input is only for DNS Bind9. Filebeat on the Bind9 server reads the query log files and sends them to this port.
#### https://www.redpill-linpro.com/sysadvent/2015/12/15/rpz-malware-detection.html
#### For Bind9 RPZ log
#### TODO: set tags: [filebeat1] in Filebeat and remove tags => from the Logstash input.
#### 29032019
input {
  beats {
    id => "server-filebeat-input"
    # port is cut off in this preview; 5044 is assumed, the Beats default used elsewhere on this page
    port => 5044
    # Without ssl => true plus a certificate and key, query logs cross the network in cleartext;
    # enable TLS on any input that is reached from another host.
  }
}
#!/bin/bash
# convert shallalist.tar.gz into logstash yml
# http://www.shallalist.de/categories.html
# Harisfazillah Jamel 30032019
# wget -c http://www.shallalist.de/Downloads/shallalist.tar.gz
# make sure it is unpacked in the same directory as this script (it extracts to BL/<category>/domains).
# The first line is a dummy entry written with > so the file starts fresh; everything else appends with >>.
echo "localhost: localhost" > /etc/logstash/malware2.yml
find BL/ -name 'domains' -print0 |
while IFS= read -r -d $'\0' line; do
  # The preview ends here. For each BL/<category>/domains file the loop has to append
  # one "domain": "category" line per entry to /etc/logstash/malware2.yml.
  :
done
Ansible script for hardening: two files, play.yml and requirements.yml
These Ansible steps harden a MariaDB server
1) ansible-galaxy install -r requirements.yml
2) ansible-playbook play.yml
#### start of requirements.yml
#### ansible-galaxy install -r requirements.yml
# HAProxy for Elastic Beats and Logstash
# Date: 13 May 2019
# 1) Example haproxy.cfg that listens for Filebeat or other Beats on port 5044/tcp
#    and load-balances to 2 Logstash servers.
#    Beats hold one long-lived TCP connection, so a TCP proxy balances connections, not events;
#    set output.logstash.ttl in Filebeat so connections are periodically re-established and spread out.
#    Keep mode tcp (TLS passthrough to Logstash) or terminate TLS on HAProxy; never plain TCP across hosts.
# https://www.haproxy.com/blog/introduction-to-haproxy-logging/
# Read the article above for the syslog configuration to listen on port 514,
# or change the log config to
---
###
# Elasticsearch Rolling restart using Ansible
###
##
## Why is this needed?
##
#
# Even if you use a serial setting to limit the number of nodes processed at one
#!/bin/bash
# convert shallalist.tar.gz into csv
# http://www.shallalist.de/categories.html
# Harisfazillah Jamel 30032019
# wget -c http://www.shallalist.de/Downloads/shallalist.tar.gz
# https://www.squidblacklist.org/downloads/dg-malicious.acl (put it in BL/malware and rename the file to domains)
# The first line is a dummy entry written with > so the file starts fresh; everything else appends with >>.
echo "\"localhost\",localhost" > malware3.tmp
find BL/ -name 'domains' -print0 |
while IFS= read -r -d $'\0' line; do
  # The preview ends here. For each BL/<category>/domains file the loop has to append
  # one "domain",category line per entry to malware3.tmp.
  :
done
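Added example, not code from any of these gists: a Python version of what the hosts-to-YAML script, the shallalist-to-YAML script and the shallalist-to-CSV script above each do in shell, combined into one dictionary builder for the Logstash translate filter. It reads hosts-file lines and a `BL/<category>/domains` tree (both constructed here in a temporary directory, so it runs offline), drops the loopback names that hosts files always carry, de-duplicates case-insensitively so the YAML never contains duplicate keys, and emits either the YAML or the CSV form the translate filter accepts. The category labels `hosts-malware` and the sample domains are made up for the example.

```python
import csv
import io
import json
import os
import tempfile

# Names hosts files map to 127.0.0.1 / 0.0.0.0 / ::1 for their own purposes; not threats.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
               "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}


def _clean(name):
    return name.strip().lower().rstrip(".")


def parse_hosts(text, category):
    """hosts-file lines ("0.0.0.0 bad.example") -> {domain: category}; first entry wins."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop full-line and trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                             # blank, or an address with no names
        for name in parts[1:]:                   # one line may list several names
            name = _clean(name)
            if name and name not in LOCAL_NAMES:
                entries.setdefault(name, category)
    return entries


def parse_shalla_tree(root):
    """BL/<category>[/<sub>]/domains -> {domain: "category[/sub]"}; first entry wins."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                          # deterministic walk, so first-wins is reproducible
        if "domains" not in filenames:
            continue
        category = os.path.relpath(dirpath, root).replace(os.sep, "/")
        with open(os.path.join(dirpath, "domains"), encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                name = _clean(raw)
                if name and not name.startswith("#"):
                    entries.setdefault(name, category)
    return entries


def merge(*sources):
    """Combine dictionaries; the earlier source keeps a domain it shares with a later one."""
    merged = {}
    for src in sources:
        for key, value in src.items():
            merged.setdefault(key, value)
    return merged


def to_translate_yaml(entries):
    # json.dumps yields double-quoted scalars that YAML accepts verbatim, so a key
    # containing ':' or '"' cannot break the dictionary the way raw sed output can.
    return "".join(f"{json.dumps(k)}: {json.dumps(v)}\n" for k, v in sorted(entries.items()))


def to_translate_csv(entries):
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for key, value in sorted(entries.items()):
        writer.writerow([key, value])
    return buf.getvalue()


# Constructed sample in hosts-file format (not the real StevenBlack list).
HOSTS_SAMPLE = """\
# constructed sample
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 malware.example.net   # trailing comment
0.0.0.0 ads.example.org tracker.example.org
0.0.0.0 Malware.Example.NET
"""

# Constructed stand-in for the unpacked BL/ tree: relative dir -> domains file body.
SHALLA_SAMPLE = {
    "malware": "malware.example.net\nphish.example.com\n",
    "hobby/games-online": "games.example.org\n# comment line\n",
}


def build_sample():
    """Materialise the sample tree in a temp dir and return the merged dictionary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "BL")
        for category, body in SHALLA_SAMPLE.items():
            os.makedirs(os.path.join(root, category))
            with open(os.path.join(root, category, "domains"), "w", encoding="utf-8") as fh:
                fh.write(body)
        return merge(parse_hosts(HOSTS_SAMPLE, "hosts-malware"), parse_shalla_tree(root))


if __name__ == "__main__":
    print(to_translate_yaml(build_sample()), end="")
```

Write the YAML to the path the page uses (`/etc/logstash/malware2.yml`) and point a `translate { field => "query" destination => "threat_category" dictionary_path => "/etc/logstash/malware2.yml" }` filter at it; remember that translate matches the field value exactly, so a query for `www.malware.example.net` will not hit an entry for `malware.example.net` unless the list includes the subdomain.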
### Thanks to Amir Haris Ahmad, Localhost Sdn Bhd,
### for allowing me to use their test servers on Digital Ocean,
### and to his team for sharing their experience and views.
###
### So that I could test brute-force attack logging to syslog with fail2ban
###
### The server has fail2ban installed and SSH is open on port 22.
### SSH does not allow password authentication, only key (digital certificate) login.
###
### Filebeat is used to collect the logs.