1. A tool for easily changing passwords on remote Windows hosts:
https://www.itefix.no/i2/chwinpw
Chwinpw is a small command line utility that can securely change passwords on windows machines. By periodic password maintenance of your vital accounts, chwinpw can help you to enforce a higher degree of security in your environment. Chwinpw can notify a service about a password change of its service account, and has the ability of password reset (change without supplying the old password) on local machines. Chwinpw can be run from a logon script or from a central location. It is also possible to instruct chwinpw to make bulk changes.
NB! I KNOW the encryption key and the scrambling logic used in chwinpw. If you are comfortable with that, then go ahead.
Usage
Supported platforms: NT/2000/XP/2003.
Chwinpw has two operation modes :
Mode | Description |
encryption | Since chwinpw is a command line utility and deals with passwords, it is obvious that password information must be encrypted before use. Chwinpw in encryption mode uses TEA encryption algorithm and some scrambling, and produces a command with encrypted passwords for changing passwords securely. |
set | By default, Chwinpw in this mode decrypts passwords from command line and performs password change. This command can be generated automatically from chwinpw in encryption mode and can be used in logon scripts or can be activated from a central location. It is also possible to specify plain passwords by using --plain switch. |
Example 1:
chwinpw -c encrypt -u testuser -n T1e3s5t% -o plainpw -m testnode
produces following output :
Command to set password :
You can use this command to change testuser's password on machine testnode.
Example 2:
chwinpw -c set --plain --new password1 --old password2 --user testuser --machine testnode --Service MyService
You can use this command to change testuser's password on machine testnode and notify service MyService for password change.
Example 3:
chwinpw -c encrypt -u test -n test123
produces following output :
Command to set password :
CHWINPW -c set --user test --machine local-machine --new t1IgxqICBj8
You can use this command to reset test's password on the local machine.
Command Syntax
Argument | Description |
--command, -c | Instructs chwinpw what to do. Can be encrypt or set (required). |
--user, -u | (Local) user account for password change (required). |
--newpwd, -n | New password (required) |
--oldpwd, -o | Old password (required for remote, optional for local). |
--machine, -m | Machine name. You can also specify a domain name here. A leading @ causes machine names to be read from a file for bulk changes (one machine per line). |
--service, -s | Name of the service to be notified about password change. |
--plain, -p | Use plain passwords instead of encrypted ones |
Exit codes
Chwinpw produces the following exit codes upon completion:
- 0 - successful completion
- 1 - usage error
- 2 - system error
License
This package comes with following terms of licensing:
Component | Licensing | In short |
chwinpw | Free to use (MIT License) |
2. A tool for generating random passwords:
https://www.itefix.no/i2/ipwdgen
NAME
ipwdgen - generate passwords (pronounceable if you wish)
ipwdgen [--mode mode] [--length password length] [--count number of passwords] [--numspec number/special char count] [--capital capital letter count] [--base64] [--help]
ipwdgen is yet another password generator, capable of generating secure random pronounceable passwords. It uses the Crypt::GeneratePassword module.
--mode mode
Specify password generation mode. Three modes are supported:
- chars - generates a completely random password (Default mode).
- word - generates a random pronounceable word.
- word3 - generates a random trigram.
--length password length
Specify the length of the password(s) to be generated. Default is 8.
--count number of passwords
Specify the number of passwords to be generated. Default is 1.
--numspec number/special char count
Specify the maximum number of numbers/special characters in the generated passwords. The default is 0.
--capital capital letter count
Specify the maximum number of capital letters in the generated passwords. The default is 0.
--base64
Print the passwords as BASE64-encoded as well.
--help
Produces a help message.
ipwdgen
Generates an 8-char password with lowercase letters.
ipwdgen --mode word --len 10
Generates a 10-char pronounceable password.
ipwdgen --length 12 --numspec 3 --capital 3 --count 10 --base64
Generates 10 pieces of 12-char passwords containing 1-3 numbers/specials and 1-3 capitals. BASE64-encoded passwords will also be printed at the same line.
Tevfik Karagulle http://www.itefix.no
Perl module Crypt::GeneratePassword http://search.cpan.org/dist/Crypt-GeneratePassword/lib/Crypt/GeneratePassword.pm
This program is distributed under the Artistic License. http://www.opensource.org/licenses/artistic-license.php
Version 1.0, August 2008
3. A user-friendly SNMP trap console
https://www.itefix.no/i2/vutrapcon
NAME
vutrapcon - A very descriptive and user friendly SNMP Trap Console
SYNOPSIS
vutrapcon [options]
DESCRIPTION
vutrapcon is an SNMP trap console. It monitors incoming traps, searches installed MIBs for descriptions and generates a very detailed and user friendly mail notification. vutrapcon is based on components from Net-Snmp.
Mail notification parameters can be configured from the command line or via configuration file vutrapcon.conf in the same directory as vutrapcon.
vutrapcon expects that MIBs are installed in the mibs-subdirectory.
OPTIONS
Use quotes for values containing spaces.
Mail server name / address. Notifications will be sent to this server for distribution.
Sender mail address. Corresponds to From-field in the mail message.
Comma-separated list of mail addresses for receivers. Corresponds to To-field in the mail message.
Shows this message.
The current version of vutrapcon is NOT designed for high-performance. However, that may change in the future.
4. A service account password maintenance tool
https://www.itefix.no/i2/isvcpwd
NAME
isvcpwd - Service Account Password Maintenance
SYNOPSIS
isvcpwd --account account[,account] ... [[--account ... ] ... ] [[--password password[,password] ... ] ... ] [[--filter filterspec[,filterspec] ... ] ... ] [--domain domain] [--verbose] [--help]
DESCRIPTION
It is a general practice to use dedicated accounts for network-aware services in windows environments. However, some of those accounts may have elevated privileges and their passwords tend to be static over time, thus creating a security risk. isvcpwd may help you to locate service accounts domain-wide and let you notify them about password changes. You can run it from a central location, allowing you to perform periodic password maintenance in an easy way. It is also possible to filter target machines based on name or ip-addresses/networks.
OPTIONS
--account account[,account]
This option specifies service accounts to check. You can specify several comma separated accounts for one --account option, as well as several --account options. At least one is required.
--password password[,password]
This option specifies new passwords of service accounts. You can specify several comma separated passwords for one --password option, as well as several --password options. Optional. If specified, there must be a one-to-one correspondence between accounts and passwords specified.
--filter filterspec[,filterspec]
Specify filters to select target machines. A filterspec consists of three fields: filter name, operator and value. You can specify several comma separated filters for one --filter option, as well as several --filter options. Defaults to all machines if no filter is defined. List of filters available:
--domain domain
Specify the domain to select machines from. Optional. Local machine is assumed if not specified.
--verbose
Increases output verbosity for debugging.
--help
Produces a help message.
EXAMPLES
Lists all services run by the accounts matching SvcDHCP on the local machine (case sensitive).
Enumerates all servers in the domain mydomain, finds all services run by the account(s) matching SvcDHCP or SvcDB, and notifies them about new passwords password1 and password2 respectively.
Enumerates all servers in the domain mydomain, selects servers with the names matching sqlserv and the ip-addresses matching 10.10.10, finds all services run by account(s) matching SvcSQL and notifies them about the new password password1.
AUTHOR
Tevfik Karagulle http://www.itefix.no
This program is distributed under the Artistic License. http://www.opensource.org/licenses/artistic-license.php
Version 1.1, December 2008
CHANGELOG
5. A maintenance tool for keeping Windows file systems tidy
File Policy Enforcer allows server administrators to create and enforce file policies for their Windows systems. A file policy ensures that file resources are used according to specified rules, keeping file usage compliant with regulations and avoiding system outages due to lack of resources.
- Multiple policies
- Policy targets can be directories or Active Directory containers from which users' home directories and mail addresses are extracted.
- File count, size and/or extensions as selection criteria
- Warning notification or file removal as policy actions
- Flexible definition of time periods and time/date values
- E-mail notifications and templates with scan codes
- Wild card based exclusion of files
- Persistent storage to resume operations
- Installs as a service and available all the time
- Configurable via a simple set of parameters in a configuration file
Policy | Definition in the configuration file |
Check home directories of users in the Active Directory container "OU=MyUsers,DC=MyDomain,DC=com" for multi media content every sunday and saturday in february, april, september and november. Randomize start time between 8 and 16 hours. Send the user a notification immediately, wait two weeks before sending a second warning and wait one more week before removing files and notifying user. | [General] [Policy MULTIMEDIA-HOMEDIR] |
Check the directory C:\MyApp\Logs for files three times a day (1am, 9am, 5pm) during the summer season, once a day otherwise (1 am). Randomize start time between 40 and 50 minutes. Remove files older than one day if the total size of the files exceeds 1 GB. Notify the admin. | [General] [Policy MyApp-Logs] |
How to install File Policy Enforcer?
Supported platforms are Windows 2000/XP/2003/Vista/2008/7.
- Run the installer.
- Accept the license agreement if you agree.
- Specify an installation location.
- Installation starts.
File Policy Enforcer
License
Component | Version | Licensing | In short |
File Policy Enforcer | 1.2.0 | BSD License | Free to use |
Copyright (c) 2009-2012, ITEFIX Consulting & Software
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
2. Redistributions in binary form must reproduce the above copyright notice,
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The views and conclusions contained in the software and documentation are those
of the authors and should not be interpreted as representing official policies,
either expressed or implied, of the FreeBSD Project.
Uninstallation
Run Uninstall
6. A Windows-based anti-spam tool
https://www.itefix.no/i2/wrbldnsd
Wrbldnsd is a Windows-based anti-spam solution that serves DNSBL zones locally. It is a packaging of rbldnsd, rsync, ssh and cygwin. You can use wrbldnsd to mirror DNSBL zone files locally, eliminating latency problems in larger environments and significantly reducing the time spent filtering email.
Rbldnsd is a small and fast DNS daemon which is especially engineered for serving DNSBL zones.
Installation
Supported platforms : Windows 2000/XP/2003/Vista/2008/7.
Wrbldnsd comes as a ZIP file containing an NSIS installer. Simply unzip your downloaded copy and run the package "wrbldnsd_x.x_Installer.exe" :
- Accept License agreement.
- Specify an installation location.
- Specify a service account.
- Specify IP-address and port number which rbldnsd will listen to, and the list of zone:dataset mappings
- Installation starts. By clicking 'Details' button, you can get more detailed information about installation. Check if everything seems ok.
You may check wrbldnsd forum if you experience problems.
You're DONE! Wrbldnsd is installed and the rbldnsd portion is activated as a service.
License/Version
This package contains components with different terms of licensing:
Component | Version | Licensing | In short | |
Rbldnsd | 0.996b | Free to use (GPL) | ||
Cygwin and GNU tools | 1.7.7 | Free to use (GPL mostly) | ||
Rsync | 3.0.6 | Free to use (GPL) | ||
Wrbldnsd (the rest) | 3.0.1 | Free to use (MIT-license) |
7. A tool for collecting system logs
https://www.itefix.no/i2/logrepserver
Logrep is a secure multi-platform framework for the collection, extraction, and presentation of information from various log files. It features HTML reports, multi dimensional analysis, overview pages, SSH communication, and graphs, and supports over 30 popular systems including Snort, Squid, Postfix, Apache, Sendmail, syslog, ipchains, iptables, NT event logs, Firewall-1, wtmp, xferlog, Oracle listener and Pix.
I am interested in enhancing logrep with new log file formats. Please send me log file segments (2-3000 lines) if you would like to see logrep supporting your log files.
Logrepserver - Linux Server Setup
Requirements
OPENSSH client, PERL 5.6 or 5.8, gd library with png support.
Normally, they are part of a standard Linux distribution.
Installation
- Download RPM package for Logrep server.
- Install package : rpm --install package name
Logrep is installed with following directory structure:
/usr/local/logrep - logrep installation files
/etc/logrep - logrep configuration files
/etc/init.d/logrepd - Logrep daemon script
/var/log/logrep - Logrep activity log directory
/var/logrep - Logrep data directory for log files and reports
- Configure Logrep configuration file /etc/logrep/logrep.conf as needed. Currently, there is no other documentation than the file itself.
- Create setup packages for your clients and configure them.
- Start Logrep server for the first time: /etc/init.d/logrepd start
Logrepserver - Windows Server Setup
Requirements
Standard PERL distribution.
Installation
- Download and unzip ZIP file containing Installer executable.
- Run the installation package. You can specify a new directory during installation. Monitoring the installation process can be done by clicking Details button. If everything seems ok, then Logrep is installed and configured as a service.
- Configure Logrep configuration file Installation directory\etc\logrep.conf as needed. Currently, there is no other documentation than the file itself.
- Create setup packages for your clients and configure them.
- By default, the LogrepServer service is configured with LocalSystem as logon account. Due to some complications caused by ssh public key authentication, however, it is necessary to configure this service with the current user as logon account. A better solution will appear in future versions, I hope.
- Start Logrep server for the first time: net start LogrepServer
Logrepserver - Linux Client Setup
Requirements
Logrep Server 1.4.x is installed on your server. OPENSSH server on client. Normally, it is a part of a standard Linux distribution.
Installation
- Create a client setup package on your server :
perl bin/logrep-admin.pl --makeclient linux
(Assuming that you run this command from logrep inst.directory on linux)
This command creates a tar file containing a shell script and public key file for ssh authentication.
- Transfer this tar file to a temporary directory on your linux client(s). Extract contents of the tar archive.
- Run the following commands :
cd tar created directory
source install.sh
This script generates a local logrep user and a home directory, copies public key for ssh authentication and sets ownership and permissions. NB! install.sh contains password information. Please remove tar created directory and tar archive itself after a successful setup.
- Establish an ssh session on your server :
bin\util\bin\ssh -l logrep -i etc/logrep.key "client ip/name" echo EVERYTHING SEEMS OK!
(Assuming that you run this command from logrep inst.directory and with default configuration values on windows)
You get a question about the authenticity of your client. Answer yes to add your client permanently to the list of known hosts. Your client setup is done successfully if you get the message "EVERYTHING SEEMS OK!" without any further prompting.
Logrepserver - Windows Client Setup
Requirements
Logrep Server 1.4.x is installed on your server.
COPSSH. You don't need to activate any user. Logrep does this job itself.
Installation
- Create a client setup package on your server :
perl bin\logrep-admin.pl --makeclient windows
(Assuming that you run this command from logrep inst.directory on windows)
This command creates a tar file containing a shell script and public key file for ssh authentication.
- Transfer this tar file to "COPSSH inst.directory\tmp" directory on your windows client(s). Extract contents of the tar archive.
- Start an interactive BASH shell session from copSSH start menu and run the following commands :
cd /tmp/tar created directory
source install.sh
This script generates a local logrep user and a home directory, copies public key for ssh authentication and sets ownership and permissions. NB! install.sh contains password information. Please remove tar created directory and tar archive itself after a successful setup.
- Establish an ssh session on your server :
bin\util\bin\ssh -l logrep -i etc/logrep.key "client ip/name" echo EVERYTHING SEEMS OK!
(Assuming that you run this command from logrep inst.directory and with default configuration values on windows)
You get a question about the authenticity of your client. Answer yes to add your client permanently to the list of known hosts. Your client setup is done successfully if you get the message "EVERYTHING SEEMS OK!" without any further prompting.
Logrep sees log files as logical blocks containing attributes. Mostly, one block corresponds to one line. However, there are some exceptions, like postfix and sendmail files with multi-line blocks, and syslogs with "last message repeated" lines that contain many blocks in one single line.
Logrep parsing modules extract attributes from each block and populate multi dimensional data structures for further analysis and reporting.
Composite attributes
As of version 1.4.3, Logrep supports composite attributes. With this feature you can combine several basic attributes into a composite attribute for logrep analysis. For example, combined attribute 'month.day' can give you trend analysis spanning several months. Another example can be "from.to.result", giving a one-step overview of transfer results from one source to a destination.
Currently, only concatenation operator (.) is supported.
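How blocks and composite attributes fit together, as an added Python example that is not logrep's own (Perl) code: it expands syslog "last message repeated N times" lines into N blocks and counts blocks per composite attribute. The attribute names (month, day, host, program) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input (not real log data): classic BSD-syslog lines,
# including the "last message repeated N times" form the text mentions.
SAMPLE_SYSLOG = """\
Jan 30 23:58:01 gw1 sshd[411]: Failed password for root from 192.0.2.10 port 4022 ssh2
Jan 30 23:58:09 gw1 last message repeated 3 times
Jan 31 00:02:44 gw1 sshd[411]: Accepted publickey for logrep from 192.0.2.20 port 5100 ssh2
Feb  1 08:15:00 web2 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Feb  1 08:15:30 web2 last message repeated 2 times
this line is not syslog and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<rest>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d{1,6}) times?$")
PROG_RE = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[\d+\])?:\s*(?P<message>.*)$")
MAX_REPEAT = 10000  # cap expansion so a hostile line cannot exhaust memory


def parse_blocks(text):
    """Yield one attribute dict per logical block (not per physical line)."""
    previous = {}  # last real block seen, keyed by host
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        base = {k: m.group(k) for k in ("month", "day", "time", "host")}
        rep = REPEAT_RE.match(m.group("rest"))
        if rep:
            prev = previous.get(base["host"])
            if prev is None:
                continue  # nothing earlier from this host to repeat
            for _ in range(min(int(rep.group(1)), MAX_REPEAT)):
                # Repeated content, but with the repeat line's timestamp.
                yield {**prev, **base}
            continue
        p = PROG_RE.match(m.group("rest"))
        if not p:
            continue
        block = {**base, "program": p.group("program"),
                 "message": p.group("message")}
        previous[base["host"]] = block
        yield block


def composite(block, spec):
    """Build a composite attribute such as 'month.day' by concatenation."""
    return ".".join(block[name] for name in spec.split("."))


def count_by(text, spec):
    """Count blocks per value of a basic or composite attribute."""
    return Counter(composite(b, spec) for b in parse_blocks(text))


if __name__ == "__main__":
    for spec in ("month.day", "host.program"):
        print(spec, dict(count_by(SAMPLE_SYSLOG, spec)))
```

Counting per block rather than per line matters for reporting: the two "repeated" lines above stand for five events that a line-based count would miss.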
Supported systems and attributes
The current version of logrep can analyze log files with 31 different formats. The table below lists the available attributes by system:
8. A lightweight tool for collecting system logs
https://www.itefix.no/i2/logreplight
LogrepLight is a downsized version of logrep, allowing you to analyze logfiles you already have on your PC. It contains a GUI and logrep parsing modules.
Requirements
Binary versions for Windows and Linux have no requirements. They are ready to run.
Source version of logrep requires perl 5.6/5.8 and modules Tk, GD, GD::Graph, GD::TextUtil and Storable.
Installation
Windows
- Download and unzip ZIP file containing Logrep light Installer executable.
- Run the installation package. You can specify a new directory during installation. Monitoring the installation process can be done by clicking Details button.
Linux
- Download tar.gz file for Logrep light.
- Install package : tar xvzf tar.gz file wherever you want.
Usage
Binary versions: logreplight [options]
Source version: perl logreplight.pl [options]
(Assuming that you run this command from logrep light inst. directory)
9. A backup tool for Windows
https://www.itefix.no/i2/hardbackup
hardBackup is a powerful solution for disk-based backup on windows systems. By utilizing well proven open source technologies like Dirvish, Rsync, Openssh
- keep several images of backup in a rotating scheme
- represent identical files in different images by one single physical copy
- transfer only changes in files via secure channels
Dirvish
Installation
Supported platforms:
hardBackup comes as a zip archive containing a Nullsoft Installer package. Unzip downloaded file and run hardBackup_x.x.x_Installer.exe :
- Click Next at Welcome-page
- View license agreement.
- Specify an installation location.
- Installation starts. By clicking 'Details' button, you can get more detailed information about installation. Check if everything seems ok.
- At the end of the installation, hardBackup gives you some information about usage.
You're DONE! hardBackup is installed on your machine.
Usage
You should first customize the master configuration file available from the start menu. Master configuration allows you to specify:
- where you want to store your backups
- naming scheme for backup images
- how to store logs
- how to store search indexes
- exclude patterns
- when backup images will expire
- backup vaults to run
Customizable parameters in the master configuration are not limited to those listed above. Consult Dirvish Configuration from the start menu for a complete list.
You can now define your backup vaults. A vault is simply a directory within the root of the backup directory specified in the master configuration. Existence of a vault is determined by a dirvish subdirectory containing a file named default.conf. It allows you to specify:
- target host
- local directory/rsync module that will be backed up
Customizable parameters in the vault configuration are not limited to those listed above. You can override almost every master configuration value here. Consult Dirvish Configuration for a complete list. A vault example and vault related instructions are available from the start menu.
The third step is to activate your hardBackup environment. A batch file (hardbackup.cmd) is created for that purpose. It processes vaults according to your configuration, removes expired images and creates new ones. You can simply schedule it as a windows task.
License/Version
This package contains components with following terms of licensing:
Component | Version | Licensing | In short | |
Dirvish | 1.2.1 | Free to use (OSL v2) | ||
Rsync | 3.0.7 | Free to use (GPL) | ||
Cygwin and GNU tools | 1.7.7 | Free to use (GPL mostly) | ||
OpenSSH | 5.6p | Free to use (BSD) | ||
OpenSSL | 0.9.8o | Free to use (BSD) | ||
hardBackup | 2.0.0 | Free to use (OSL v2) |
Uninstallation
This one is easy too:
- Make sure that no backup clients are connected.
- Choose Uninstall hardBackup from Start menu. Again, you can monitor uninstallation process by clicking 'Details' button.
Let me emphasize that I play a very small role in this big game :-) I would like to thank all the people that make dirvish+rsync+openssh+cygwin a powerful, flexible and secure solution for rotating disk-based network backups.
10. Some Nagios plugins
Windows event check plugin:
Windows service check plugin:
Ping tool: check_winping - Nagios ping check plugin for Windows systems
Rsync check plugin:
Windows process check plugin:
check_tslicense - NRPE check plugin for Microsoft Terminal Services Licensing
Processor, disk and memory check plugin: check_pdm - NRPE check plugin for processor, disk and memory on Windows
Oracle check plugin:
Windows file/directory check plugin: check_winfile - NRPE check plugin for Windows files/directories
Dell server hardware check plugin: