lost and found ( for me ? )

install FreeNX 4.2 on Ubuntu 14.04

download the deb package from https://www.nomachine.com and install it.
# dpkg -i nomachine_4.2.25_1_amd64.deb

Unity is a little bit slow via remote desktop, so install gnome-session-fallback to use a lightweight session instead of Unity.
# apt-get install gnome-session-fallback

reboot the OS
# reboot

Connect to the Ubuntu machine from the NX client.
You will see the login screen.
Select GNOME Flashback (Metacity) and then log on to Ubuntu.



dnstop

about dnstop

I am looking for ways to identify domain names which are used for a DNS DDoS like the one below.

Src IP : spoofed IPs
FQDN : <random string>.www.foo.com
QPS per FQDN: very few

22:45:36.162809 IP 192.168.30.136.42344 > 192.168.30.254.53: 21282 A? a774.www.foo.com. (34)
22:45:36.231295 IP 192.168.30.136.57178 > 192.168.30.254.53: 22703 A? a775.www.foo.com. (34)
22:45:36.303128 IP 192.168.30.136.21903 > 192.168.30.254.53: 34912 A? a776.www.foo.com. (34)
22:45:36.367110 IP 192.168.30.136.33021 > 192.168.30.254.53: 10937 A? a777.www.foo.com. (34)
22:45:36.431912 IP 192.168.30.136.64286 > 192.168.30.254.53: 28269 A? a778.www.foo.com. (34)

I think we could relatively easily notice the attack by monitoring the number of nxdomain, servfail or recursive-clients, but it sometimes takes time to identify the domains that need to be blocked to stop the attack.

I think that dnstop's "-l" option would help identify the domain names being used for the attack.
# apt-get install dnstop

# dnstop eth0 -l 4

-l option
    -l level
            keep counts on names up to level domain name levels.

            For example, with -l 2 (the default), dnstop will keep two
            tables: one with top-level domain names, and another with second-
            level domain names.  Increasing the level provides more details,
            but also requires more memory and CPU.

-l 4
the query count of each FQDN is very small, so nothing stands out at this level.
Query Name           Count      %
---------------- --------- ------
a590.www.foo.com         2    1.5
a589.www.foo.com         2    1.5
a588.www.foo.com         2    1.5
a587.www.foo.com         2    1.5
a586.www.foo.com         2    1.5
a585.www.foo.com         2    1.5
a584.www.foo.com         2    1.5
a583.www.foo.com         2    1.5
a582.www.foo.com         2    1.5
a581.www.foo.com         2    1.5

-l 3.
www.foo.com accounts for 100% of the queries, so the <random>.www.foo.com names are the ones being used for the DDoS.
Query Name      Count      %
----------- --------- ------
www.foo.com       990  100.0

dnstop can output statistics from a pcap file.
# dnstop -l 4 a.cap


docker : remote API part 1

Here are samples of the docker remote API.

Reference
https://docs.docker.com/reference/api/docker_remote_api_v1.12/
http://blog.trifork.com/2013/12/24/docker-from-a-distance-the-remote-api/

root@ubuntu:~# docker version
Client version: 0.9.1
Go version (client): go1.2.1
Git commit (client): 3600720
Server version: 0.9.1
Git commit (server): 3600720
Go version (server): go1.2.1
Last stable version: 1.0.0, please update docker

root@ubuntu:~# tail -1 /etc/lsb-release ;uname -ri
DISTRIB_DESCRIPTION="Ubuntu 14.04 LTS"
3.13.0-29-generic x86_64

[ enable remote API ]

edit the /etc/default/docker.io file to allow the remote API via TCP 4243. Note that DOCKER_OPTS below uses plain tcp:// listeners with no TLS, so the listener on 192.168.11.100:4243 is unauthenticated and must only be reachable from trusted hosts.
root@ubuntu:~# grep -i ^docker_opt /etc/default/docker.io
DOCKER_OPTS="-dns 8.8.8.8 -dns 8.8.4.4 -H tcp://192.168.11.100:4243 -H tcp://127.0.0.1:4243 -H unix:///var/run/docker.sock"

restart docker.io
root@ubuntu:~# service docker.io restart
docker.io stop/waiting
docker.io start/running, process 7392

confirm that TCP 4243 is listening for the API.
root@ubuntu:~# lsof -ni:4243
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
docker.io 7394 root    4u  IPv4 337042      0t0  TCP 192.168.11.100:4243 (LISTEN)
docker.io 7394 root    6u  IPv4 337043      0t0  TCP 127.0.0.1:4243 (LISTEN)

[ list images ]

list images via API.
root@ubuntu:~# curl http://127.0.0.1:4243/images/json
[{"Created":1401930645,"Id":"e314931015bd259897b87925c7756c33235ae3a7a28eb4accf83169a5b862a5d","ParentId":"6ead103d9a346cb820f9dae4c240b65f58f895ca14d9b723b34756a5f31bda07","RepoTags":["ubuntu:12.10","ubuntu:quantal"],"Size":70975635,"VirtualSize":172159231}
,{"Created":1401930619,"Id":"145762641db9777df69f59d82db6bb6470aaecf8d10205bc8c65bc895b0e8542","ParentId":"2b039c0143640b24f5f6623ef89e316d63388fffcfdcee584a7ddec335c6b0da","RepoTags":["ubuntu:13.10","ubuntu:saucy"],"Size":73916791,"VirtualSize":180213803}

sample python scripts
# cat -n list_images.py
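#!/usr/bin/env python

###
# list images
#
# Queries the Docker remote API for the image list.  The daemon in this
# setup is configured with plain tcp:// listeners and no TLS (see
# DOCKER_OPTS), so requests carry no authentication; this script only
# ever talks to the loopback listener.
###

import requests

url = 'http://127.0.0.1:4243/images/json'

# Seconds to wait for the daemon before giving up instead of hanging forever.
TIMEOUT = 10


def list_images():
    """Return the decoded JSON list of images from GET /images/json.

    Raises:
        requests.HTTPError: if the daemon answers with a non-2xx status.
        requests.RequestException: on connection failure or timeout.
    """
    resp = requests.get(url=url, timeout=TIMEOUT)
    # Fail loudly on an error status instead of trying to decode an error body.
    resp.raise_for_status()
    return resp.json()


if __name__ == '__main__':
    # Single-argument print() works the same on Python 2 and 3.
    for image in list_images():
        print(image['RepoTags'])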

the output of this script will look like this.
# python list_images.py
[u'ubuntu:12.10', u'ubuntu:quantal']
[u'ubuntu:13.10', u'ubuntu:saucy']
[u'ubuntu:14.04', u'ubuntu:latest', u'ubuntu:trusty']
[u'ubuntu:raring', u'ubuntu:13.04']
[u'ubuntu:12.04', u'ubuntu:precise']
[u'ubuntu:10.04', u'ubuntu:lucid']
[u'shipyard/shipyard:latest']
[u'shipyard/deploy:latest']
[u'shipyard/db:latest']
[u'shipyard/lb:latest']
[u'shipyard/router:latest']
[u'shipyard/redis:latest']
[u'ehazlett/py-helloworld:latest']

[ list containers ]

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
cdd38ff9aacf        ubuntu:14.04        /bin/bash           9 minutes ago       Up 9 minutes                            trusting_pasteur    

curl
# curl http://127.0.0.1:4243/containers/json
[{"Command":"/bin/bash ","Created":1402840031,"Id":"cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112","Image":"ubuntu:14.04","Names":["/trusting_pasteur"],"Ports":[],"Status":"Up 8 minutes"}
]hattori@ubuntu:~$

python
# cat -n list_containers.py
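#!/usr/bin/env python

###
# list containers
#
# Queries the Docker remote API for the running containers.  The daemon in
# this setup is configured with plain tcp:// listeners and no TLS (see
# DOCKER_OPTS), so requests carry no authentication; this script only ever
# talks to the loopback listener.
###

import requests

url = 'http://127.0.0.1:4243/containers/json'

# Seconds to wait for the daemon before giving up instead of hanging forever.
TIMEOUT = 10


def list_containers():
    """Return the decoded JSON list of containers from GET /containers/json.

    Raises:
        requests.HTTPError: if the daemon answers with a non-2xx status.
        requests.RequestException: on connection failure or timeout.
    """
    resp = requests.get(url=url, timeout=TIMEOUT)
    # Fail loudly on an error status instead of trying to decode an error body.
    resp.raise_for_status()
    return resp.json()


if __name__ == '__main__':
    # One line per container: id, status, image, command (space separated,
    # same layout as the original Python 2 print statement).
    for container in list_containers():
        print("%s %s %s %s" % (container['Id'], container['Status'],
                               container['Image'], container['Command']))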

# python list_containers.py
cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112 Up 20 minutes ubuntu:14.04 /bin/bash

[ inspect containers ]

# docker inspect cdd38ff9aacf
[{
   "ID": "cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112",
   "Created": "2014-06-15T13:47:11.410060094Z",
   "Path": "/bin/bash",
   "Args": [],
   "Config": {
       "Hostname": "cdd38ff9aacf",
       "Domainname": "",
       "User": "",
       "Memory": 0,
       "MemorySwap": 0,
       "CpuShares": 0,
       "AttachStdin": true,
       "AttachStdout": true,
       "AttachStderr": true,
       "PortSpecs": null,
       "ExposedPorts": null,
       "Tty": true,
       "OpenStdin": true,
       "StdinOnce": true,
       "Env": [
           "HOME=/",
           "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
       ],
       "Cmd": [
           "/bin/bash"
       ],
       "Dns": null,
       "Image": "ubuntu",
       "Volumes": null,
       "VolumesFrom": "",
       "WorkingDir": "",
       "Entrypoint": null,
       "NetworkDisabled": false,
       "OnBuild": null
   },
   "State": {
       "Running": true,
       "Pid": 5042,
       "ExitCode": 0,
       "StartedAt": "2014-06-15T13:47:11.719576446Z",
       "FinishedAt": "0001-01-01T00:00:00Z",
       "Ghost": false
   },
   "Image": "ad892dd21d607a1458a722598a2e4d93015c4507abcd0ebfc16a43d4d1b41520",
   "NetworkSettings": {
       "IPAddress": "172.17.0.2",
       "IPPrefixLen": 16,
       "Gateway": "172.17.42.1",
       "Bridge": "docker0",
       "PortMapping": null,
       "Ports": {}
   },
   "ResolvConfPath": "/var/lib/docker/containers/cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112/resolv.conf",
   "HostnamePath": "/var/lib/docker/containers/cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112/hostname",
   "HostsPath": "/var/lib/docker/containers/cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112/hosts",
   "Name": "/trusting_pasteur",
   "Driver": "aufs",
   "ExecDriver": "native-0.1",
   "Volumes": {},
   "VolumesRW": {},
   "HostConfig": {
       "Binds": null,
       "ContainerIDFile": "",
       "LxcConf": [],
       "Privileged": false,
       "PortBindings": {},
       "Links": null,
       "PublishAllPorts": false
   }

curl
# curl http://127.0.0.1:4243/containers/cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112/json

python
# cat -n inspect_containers.py
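#!/usr/bin/env python

###
# inspect containers
#
# Lists the running containers and dumps the inspect document of each one.
# The daemon in this setup is configured with plain tcp:// listeners and no
# TLS (see DOCKER_OPTS), so requests carry no authentication; this script
# only ever talks to the loopback listener.
###

import requests

url = 'http://127.0.0.1:4243/containers/json'

# Seconds to wait for the daemon before giving up instead of hanging forever.
TIMEOUT = 10


def list_containers():
    """Return the decoded JSON list of containers from GET /containers/json.

    Raises:
        requests.HTTPError: if the daemon answers with a non-2xx status.
        requests.RequestException: on connection failure or timeout.
    """
    resp = requests.get(url=url, timeout=TIMEOUT)
    resp.raise_for_status()
    return resp.json()


def inspect_containers(id):
    """Return the inspect document for one container (GET /containers/<id>/json).

    Args:
        id: container id as found in the 'Id' field of list_containers()
            entries.  It is inserted into the request path verbatim, so only
            pass values obtained from the daemon itself.

    Raises:
        requests.HTTPError: if the daemon answers with a non-2xx status.
        requests.RequestException: on connection failure or timeout.
    """
    # Distinct local name so the module-level list URL is not shadowed.
    container_url = 'http://127.0.0.1:4243/containers/%s/json' % id
    resp = requests.get(url=container_url, timeout=TIMEOUT)
    resp.raise_for_status()
    return resp.json()


if __name__ == '__main__':
    containers = list_containers()
    print("%d containers are running\n" % len(containers))
    for container in containers:
        details = inspect_containers(container['Id'])
        print("inspect %s\n" % container['Id'])
        # "key value" per line, matching the original Python 2 output layout.
        for key, value in details.items():
            print("%s %s" % (key, value))
        print("---\n")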


# python inspect_containers.py
2 containers are running

inspect c47c2e92a7c131b9b9a7220c194018f52138eaca039412cbbb1bd37f0f817053

HostsPath /var/lib/docker/containers/c47c2e92a7c131b9b9a7220c194018f52138eaca039412cbbb1bd37f0f817053/hosts
Created 2014-06-15T14:23:51.429094278Z
Image ad892dd21d607a1458a722598a2e4d93015c4507abcd0ebfc16a43d4d1b41520
Args []
Driver aufs
HostConfig {u'PortBindings': {}, u'Links': None, u'LxcConf': [], u'ContainerIDFile': u'', u'Binds': None, u'PublishAllPorts': False, u'Privileged': False}
VolumesRW {}
State {u'Ghost': False, u'Pid': 6461, u'Running': True, u'FinishedAt': u'0001-01-01T00:00:00Z', u'StartedAt': u'2014-06-15T14:23:51.528104763Z', u'ExitCode': 0}
ExecDriver native-0.1
ResolvConfPath /var/lib/docker/containers/c47c2e92a7c131b9b9a7220c194018f52138eaca039412cbbb1bd37f0f817053/resolv.conf
Volumes {}
Path /bin/bash
HostnamePath /var/lib/docker/containers/c47c2e92a7c131b9b9a7220c194018f52138eaca039412cbbb1bd37f0f817053/hostname
Config {u'Env': [u'HOME=/', u'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'], u'Hostname': u'c47c2e92a7c1', u'Dns': None, u'Entrypoint': None, u'PortSpecs': None, u'Memory': 0, u'OnBuild': None, u'OpenStdin': True, u'User': u'', u'AttachStderr': True, u'AttachStdout': True, u'NetworkDisabled': False, u'StdinOnce': True, u'Cmd': [u'/bin/bash'], u'WorkingDir': u'', u'AttachStdin': True, u'Volumes': None, u'MemorySwap': 0, u'VolumesFrom': u'', u'Tty': True, u'CpuShares': 0, u'Domainname': u'', u'Image': u'ubuntu', u'ExposedPorts': None}
ID c47c2e92a7c131b9b9a7220c194018f52138eaca039412cbbb1bd37f0f817053
NetworkSettings {u'Bridge': u'docker0', u'PortMapping': None, u'Gateway': u'172.17.42.1', u'IPPrefixLen': 16, u'IPAddress': u'172.17.0.3', u'Ports': {}}
Name /cranky_albattani
---

inspect cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112

HostsPath /var/lib/docker/containers/cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112/hosts
Created 2014-06-15T13:47:11.410060094Z
Image ad892dd21d607a1458a722598a2e4d93015c4507abcd0ebfc16a43d4d1b41520
Args []
Driver aufs
HostConfig {u'PortBindings': {}, u'Links': None, u'LxcConf': [], u'ContainerIDFile': u'', u'Binds': None, u'PublishAllPorts': False, u'Privileged': False}
VolumesRW {}
State {u'Ghost': False, u'Pid': 5042, u'Running': True, u'FinishedAt': u'0001-01-01T00:00:00Z', u'StartedAt': u'2014-06-15T13:47:11.719576446Z', u'ExitCode': 0}
ExecDriver native-0.1
ResolvConfPath /var/lib/docker/containers/cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112/resolv.conf
Volumes {}
Path /bin/bash
HostnamePath /var/lib/docker/containers/cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112/hostname
Config {u'Env': [u'HOME=/', u'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'], u'Hostname': u'cdd38ff9aacf', u'Dns': None, u'Entrypoint': None, u'PortSpecs': None, u'Memory': 0, u'OnBuild': None, u'OpenStdin': True, u'User': u'', u'AttachStderr': True, u'AttachStdout': True, u'NetworkDisabled': False, u'StdinOnce': True, u'Cmd': [u'/bin/bash'], u'WorkingDir': u'', u'AttachStdin': True, u'Volumes': None, u'MemorySwap': 0, u'VolumesFrom': u'', u'Tty': True, u'CpuShares': 0, u'Domainname': u'', u'Image': u'ubuntu', u'ExposedPorts': None}
ID cdd38ff9aacfe89a73b4fdef0e4c84679d18d2bff90c49a4d72c7a1f5fdb4112
NetworkSettings {u'Bridge': u'docker0', u'PortMapping': None, u'Gateway': u'172.17.42.1', u'IPPrefixLen': 16, u'IPAddress': u'172.17.0.2', u'Ports': {}}
Name /trusting_pasteur
---