Thiago Gomes thiagomgo

💜
  • Brazil
View GitHub Profile
@NiceGuyIT
NiceGuyIT / README.md
Last active October 28, 2024 08:16
nginx JSON to Filebeat to Logstash to Elasticsearch

Intro

This is an example configuration to have nginx output JSON logs to make it easier for Logstash processing. I was trying to get nginx > Filebeat > Logstash > ES working and it wasn't until I connected Filebeat directly to Elasticsearch that I saw the expected data. Google led me to ingest-convert.sh and I realized filebeat setup works for Filebeat > ES but not Filebeat > Logstash > ES. This is because Logstash does not use ingest pipelines by default. You have to enable them in the elasticsearch output block.

Having nginx log JSON in the format required for Elasticsearch means there's very little processing (i.e. grok) to be done in Logstash. nginx can only output JSON for access logs; the error_log format cannot be changed.

Extra fields are output and not used by the Kibana dashboards. I included them in case they might be useful. Since they are not declared in the filebeat setup, their default is "string" when yo

### KERNEL TUNING ###
# Increase size of file handles and inode cache
fs.file-max = 2097152
# Do less swapping
vm.swappiness = 10
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2
@AysadKozanoglu
AysadKozanoglu / capture Passwords tcpdump.md
Created February 12, 2019 13:33
get plain passwords with tcpdump

Capture SMTP Email

tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

Extract HTTP Passwords in POST Requests

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

Capture FTP Credentials and Commands

@AysadKozanoglu
AysadKozanoglu / wp.config.php
Created May 30, 2019 19:25
Disable admin-ajax on the front-end of WordPress sites and cache the resulting 404.
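<?php
// Serve a cacheable 404 for admin-ajax.php requests that do not come from wp-admin.
// The Referer header is client-supplied, so this only reduces front-end load; it is not an access control.
$referer = $_SERVER['HTTP_REFERER'] ?? ''; // the header may be absent
if (
    strpos( $referer, 'wp-admin' ) === false &&
    strpos( $_SERVER['REQUEST_URI'], 'admin-ajax.php' ) !== false
) {
    header( 'Cache-Control: max-age=30000, must-revalidate' );
    header( 'Expires: ' . gmdate( 'D, d M Y H:i:s', strtotime( '+5000 minutes' ) ) . ' GMT' );
    header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s', strtotime( '-5000 minutes' ) ) . ' GMT' );
    header( $_SERVER["SERVER_PROTOCOL"] . " 404 Not Found" );
    die;
}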