Dropbox 16 – Dropbox Server (Logging)

We can fix a lot of issues by modifying our dynamic configuration files, but not if we don’t know what the problem is. Did the client give us the wrong gateway? Did they forget to enable our credentials on their proxy? Or, did we fat-finger the static IP?

We’ll log a good deal of information to the USB so the client can just pull it off and email it to us. Some of the information might be considered a bit sensitive, though, so we’ll go ahead and encrypt it at the source. Bear in mind that a symmetric passphrase has to sit on the drop box itself, so the encryption protects the file on the USB and in the client’s mailbox, not against anyone who already has root on the box; if that matters, encrypt to your own public key instead (gpg -e -r) so only the public key ever leaves your hands.

One optional step is the DNS “exfiltration”. The Dropbox Server asks ipecho.net for its external IP, obfuscates it into a DNS-safe label (digits become letters, dots become hyphens), and then looks up a non-existent FQDN built from that label under our relay’s domain. The query reaches the authoritative server for that domain, usually by way of the client’s recursive resolver, so the source address in our DNS log is the resolver’s rather than the drop box’s; that is why the external IP has to ride in the name itself. Once we recover it from the query log we can block all traffic to the HAProxy except for the source addresses of our Dropbox Servers. The client should provide this information, but it isn’t always correct…

Create a directory on the USB drive for the logs.

mkdir /media/root/USB/logs

Dump whatever you find useful, but here’s what I did.

vi/vim/nano /root/scripts/dumplogs.sh

#!/bin/bash
# Values in <angle brackets> are placeholders for your deployment.
HOST=dbox-01
SN=01
DOMAIN=<FQDN of Dropbox Relay>
RELAYIP=<IP of Dropbox Relay>
PASSPHRASE=<PASSPHRASE>
LOGDIR=/root/logs
USB=/media/root/USB/logs
NOW=$(date +"%Y%m%d%H%M")
LOG=$LOGDIR/$HOST.$NOW.log

# External IP as the Internet sees it, obfuscated into a DNS-safe label
# (digits become letters, dots become hyphens) so it can ride in a query name.
EXTIP=$(curl -s ipecho.net/plain)
OBIP=$(echo "$EXTIP" | tr '0123456789.' 'steadouync-')
INTIP=$(hostname -I)
FQDN="$OBIP-$SN.$DOMAIN"

mkdir -p "$LOGDIR"
sep() { echo "------------------------------------------------------------------------------" >> "$LOG"; }
# section "<title>" <command...>: a titled block holding the command's stdout and stderr
section() {
    echo "$1" >> "$LOG"
    sep
    shift
    "$@" >> "$LOG" 2>&1
    sep
}

echo "$HOST $NOW Logs" >> "$LOG"
sep
echo "External IP: $EXTIP" >> "$LOG"
echo "Internal IP: $INTIP" >> "$LOG"
sep
section "nmcli device show" /usr/bin/nmcli device show
section "nslookup $FQDN" /usr/bin/nslookup "$FQDN"        # the DNS beacon
section "nslookup $DOMAIN" /usr/bin/nslookup "$DOMAIN"
section "netstat -plant" /bin/netstat -plant
section "systemctl status --no-pager" /bin/systemctl status --no-pager
section "journalctl -b --no-pager" /bin/journalctl -b --no-pager
section "traceroute $RELAYIP" /usr/bin/traceroute "$RELAYIP"

# Symmetric encryption with the stored passphrase. GnuPG 2.1 and later ignore
# --passphrase unless --batch and --pinentry-mode loopback are also given.
gpg --yes --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" -c "$LOG"
cp "$LOG.gpg" "$USB"

Make it executable.

chmod 700 /root/scripts/dumplogs.sh

Add it to launcher.sh

vi/vim/nano /root/scripts/launcher.sh

#!/bin/bash
sleep 60
/root/scripts/auth.sh
sleep 5
/root/scripts/netset.sh
sleep 10
/root/scripts/connection.sh
sleep 5
/root/scripts/dumplogs.sh

Reverse the obfuscated IP address with the following script.

vi/vim/nano /root/scripts/deobip.sh

#!/bin/bash
echo "Enter obfuscated IP address followed by [ENTER]:"
read OBIP
# If the whole label was pasted, drop the trailing "-NN" serial first.
OBIP=${OBIP%-[0-9][0-9]}
# Inverse of the mapping in dumplogs.sh: letters back to digits, hyphens back to dots.
echo "$OBIP" | tr 'steadouync-' '0123456789.'

Make it executable.

chmod 700 /root/scripts/deobip.sh
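The beacon described above, plus the relay-side half the post doesn’t show, as an added example that is not from the original post: encode_beacon builds the same name dumplogs.sh looks up, decode_beacon rejects anything that isn’t a beacon under our domain and recovers the external IP and serial, and beacon_allowlist pulls the beacons out of a resolver query log so the result can feed the HAProxy allow list. The domain relay.example, the addresses (RFC 5737 documentation ranges), the BIND-style log lines and the function names are all constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the original post. relay.example, the
# addresses and SAMPLE_LOG below are constructed; the log follows the
# BIND "query: NAME IN TYPE" shape, which is an assumption about your resolver.

OB_FROM='0123456789.'
OB_TO='steadouync-'

# encode_beacon IP SERIAL DOMAIN
# Same mapping as dumplogs.sh: digits to letters, dots to hyphens,
# then "-<serial>.<domain>" appended.
encode_beacon() {
    obip=$(printf '%s' "$1" | tr "$OB_FROM" "$OB_TO")
    printf '%s-%s.%s\n' "$obip" "$2" "$3"
}

# decode_beacon NAME DOMAIN
# Prints "<ip> <serial>" for a beacon name under DOMAIN; returns 1 for
# ordinary lookups, other domains, bad characters or a malformed address.
decode_beacon() {
    name=${1%.}                         # drop the trailing dot BIND logs
    domain=$2
    case "$name" in
        *."$domain") ;;
        *) return 1 ;;
    esac
    label=${name%."$domain"}
    serial=${label##*-}
    obip=${label%-*}
    case "$obip" in                     # only the obfuscation alphabet allowed
        ''|*[!steadouync-]*) return 1 ;;
    esac
    case "$serial" in                   # serial must be digits
        ''|*[!0-9]*) return 1 ;;
    esac
    ip=$(printf '%s' "$obip" | tr "$OB_TO" "$OB_FROM")
    case "$ip" in                       # exactly four non-empty dotted groups
        *.*.*.*.*|*..*|.*|*.) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$ip" "$serial"
}

# beacon_allowlist DOMAIN < resolver-log
# Extracts the queried name from each "query: NAME IN TYPE" line, decodes
# the beacons and prints one "ip serial" per drop box, deduplicated.
beacon_allowlist() {
    sed -n 's/.*query: \([^ ]*\) IN .*/\1/p' |
    while IFS= read -r qname; do
        decode_beacon "$qname" "$1" || true
    done |
    sort -u
}

# Constructed query log. Note the source addresses (192.0.2.53, 192.0.2.77)
# are the client's resolvers, not the drop boxes, which is why the IP is in the name.
SAMPLE_LOG='client @0x7f3a4c0d8e10 192.0.2.53#41953 (esa-s-tta-o-01.relay.example): query: esa-s-tta-o-01.relay.example IN A -E(0)DC (192.0.2.1)
client @0x7f3a4c0d8e10 192.0.2.53#41960 (www.relay.example): query: www.relay.example IN A -E(0)DC (192.0.2.1)
client @0x7f3a4c0d8e10 192.0.2.77#50012 (tcn-ot-tss-ea-02.relay.example): query: tcn-ot-tss-ea-02.relay.example IN A -E(0)DC (192.0.2.1)
client @0x7f3a4c0d8e10 192.0.2.53#41977 (esa-s-tta-o-01.relay.example): query: esa-s-tta-o-01.relay.example IN AAAA -E(0)DC (192.0.2.1)'

# Stand-alone run: the beacon dbox-01 would send, then the allow list
# recovered from the constructed log.
encode_beacon 203.0.113.5 01 relay.example
printf '%s\n' "$SAMPLE_LOG" | beacon_allowlist relay.example
```

The decoder is deliberately strict: anything that is not the obfuscation alphabet followed by a numeric serial under our domain is dropped, so a stray lookup against the relay’s zone can’t end up in the allow list. The same beacon seen twice (A and AAAA above) collapses to one entry.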
