The Mac OSX IPSEC VPN client setup via "System preferences" only supports IPSEC/XAUTH and IPSEC/L2TP both of which give you a different IP address for your tunnel interface. System preferences on the backend uses Racoon so it is possible via the command line to setup a pure IPSEC connection.

In my previous post i described how to configure a Strongswan server for use with Mac OSX, Ipad, Iphone clients. For the sake of brevity i will not repeat that in this post.

This scenario assumes you are connected to a lan 10.128.1.0/24 and your IP address is 10.128.1.2 and you are connecting to a remote network 192.168.1.0/24 protected by an IPSEC VPN running Strongswan on a gateway with a dynamic address being resolved via dynamic DNS. IPSEC Authentication is done using Certificates.

Configuration

Client configuration.

Edit /etc/racoon/racoon.conf and add the following to the bottom.

include "/opt/local/etc/cmdline-ipsec.conf" ;

Create a configuration template file /opt/local/etc/cmdline-ipsec.conf.tmpl. I am using a template because the remote side has a dynamic ip address and racoon does not support DNS names only IP addresses, a custom script resolves the hostname and then generates an updated racoon configuration from this template file with the resolved IP address.

remote %SERVERIP% {
        exchange_mode main;
        ca_type x509 "/opt/local/etc/pki/cacert.pem";
        certificate_type x509 "/opt/local/etc/pki/example.pem" "/opt/local/etc/pki/example.key.pem";
        proposal_check obey;
        mode_cfg off;
        dpd_delay 360;
        nat_traversal on;
        my_identifier asn1dn;
        ike_frag on;
        script "/opt/local/bin/phase1-up.sh" phase1_up;
        script "/opt/local/bin/phase1-down.sh" phase1_down;
        lifetime time 24 hour;
        passive off;
        proposal {
                encryption_algorithm aes256;
                hash_algorithm sha512;
                authentication_method rsasig;
                dh_group 2;
       }
}

sainfo anonymous {
        lifetime time 24 hour;
        pfs_group modp2048;
        encryption_algorithm aes256;
        authentication_algorithm hmac_sha1, hmac_sha256, hmac_sha512;
        compression_algorithm deflate ;
}

Create the phase1 up script /opt/local/bin/phase1-up.sh

#!/bin/sh

#
# sa-up.sh local configuration for a new SA
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/opt/local/bin:/opt/local/sbin
MYIP=10.128.1.2
PROTECTEDNET=192.168.1.0/24

echo $@
echo "LOCAL_ADDR = ${LOCAL_ADDR}"
echo "LOCAL_PORT = ${LOCAL_PORT}"
echo "REMOTE_ADDR = ${REMOTE_ADDR}"
echo "REMOTE_PORT = ${REMOTE_PORT}"

LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"

echo "
spdadd ${MYIP}/32[any] ${PROTECTEDNET}[any] any
       -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd ${PROTECTEDNET} ${MYIP}[any] any
       -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
" | setkey -c

Create the phase1 down script /opt/local/bin/phase1-down.sh

#!/bin/sh

#
# sa-down.sh local remove SA
#

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
MYIP=10.128.1.2
PROTECTEDNET=192.168.1.0/24

echo $@
echo "LOCAL_ADDR = ${LOCAL_ADDR}"
echo "LOCAL_PORT = ${LOCAL_PORT}"
echo "REMOTE_ADDR = ${REMOTE_ADDR}"
echo "REMOTE_PORT = ${REMOTE_PORT}"

LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"

echo "
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp; 
spddelete ${MYIP}/32[any] ${PROTECTEDNET}[any] any
        -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spddelete ${PROTECTEDNET}[any] ${MYIP}[any] any
        -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
" | setkey -c

Create the custom start script /opt/local/sbin/start-vpn

#!/bin/bash
#
#
SERVERNAME="strongswan-example.dyndns.org"
SERVERIP=$(host $SERVERNAME|awk '{print $4}')
status=$(racoonctl show-sa isakmp|wc -l|awk '{print $1}')
if [ "$status" != "2" ]; then
   echo "Not connected, starting conn"
   sed -e "s:%SERVERIP%:${SERVERIP}:" \
   /opt/local/etc/cmdline-ipsec.conf.tmpl > /opt/local/etc/cmdline-ipsec.conf
   racoonctl reload-config
   racoonctl vpn-connect $SERVERIP
else
   racoonctl show-sa isakmp
   echo "Already connect, exiting"
fi

Make the script executable

chmod +x /opt/local/sbin/start-vpn

Server configuration

Update the ipsec.conf configuration from my previous post to add the following conn

conn rw
        leftcert=vpn.example.org.pem
        leftid=@vpn.example.org
        leftfirewall=yes
        right=%any
        rightsubnet=0.0.0.0/0
        rekey=yes

Testing

Open a command prompt and run the command, as root or using sudo.

start-vpn

You should be able to connect to hosts on the protected network (192.168.1.0/24)

To stop the connection run the command.

racoonctl vpn-disconnect strongswan-example.dyndns.org

Related articles

• IPSEC split tunneling VPN with Mac OSX and Strongswan 5 on Centos/RHEL 6
• Iphone/Ipad/Mac OSX IPSEC VPN with Strongswan 5 on Centos/RHEL 6

In my previous post i described how to setup an IPSEC VPN for use with Iphone, Ipad and Mac OSX IPSEC VPN clients.

This post describes how to enable split tunneling which is supported by the Mac OSX IPSEC client. Although split tunneling is considered insecure there are cases where it is ideal to run split tunnels.

The scenario for this post is that you are connected to a LAN (10.128.0.0/24) with internet access via a gateway on the LAN, you want to connect to a different network 192.168.1.0/24 which is only accessible via VPN, but you want to retain access to resources on the LAN while accessing the remote 192.168.1.0/24 network.

To follow this howto you need to have strongswan rpm with the attr-sql plugin enabled with a sqlite or mysql backed plugin enabled. The EPEL rpm does not support these features at the time of writing. You need to build your own custom strongswan rpm. You can download my spec file and use it to build yourself the rpm.

Installation

Install the rpm

rpm -Uvh strongswan-5.0.0-5.el6.x86_64.rpm

Configuration

Use the following configuration files, if you installation is new refer to my previous post on how to create the certificates

Create strongswan configuration

This strongswan configuration allows you to use both certificates and pre shared keys.

Add the username and password to /etc/strongswan/ipsec.secrets

andrew : XAUTH "5tr0ngp4ss0rd"

Add the preshared key to /etc/strongswan/ipsec.secrets

: PSK "very long pre shared key difficlult to guess"

Edit /etc/strongswan/ipsec.conf with the following content.

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        esp=aes256-sha256-modp2048,aes256-sha1!
        ike=aes256-sha1-modp1536,aes256-sha512-modp1024,aes256-sha1-modp1024!
        auto=add

conn rw-xauth
        leftcert=vpn.example.org.pem
        leftid=@vpn.example.org
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightauth=pubkey
        rightauth2=xauth
        rightsourceip=%vpnclients
        rekey=yes

conn rw-xauth-psk
        leftfirewall=yes
        leftauth=psk
        right=%any
        rightauth=psk
        rightauth2=xauth
        rightsourceip=%vpnclients
        rekey=yes

Add the attr-sql plugin configuration to /etc/strongswan/strongswan.conf

libhydra {
        plugins {
                attr-sql {
                        database = sqlite:///var/lib/strongswan/ipsec.db
                }
        }
}

Restart the service

Restart the service for the configurations to take effect.

service strongswan restart

Create sql attr Database

Create a sqlite database to store the pool information.

wget http://bit.ly/PyMe08
cat sqlite.sql | sqlite3 /var/lib/strongswan/ipsec.db

Create a database based pool

The pool will store the address range, the split tunnel network (192.168.1.0/24), dns server to assign and a banner.

strongswan pool --add vpnclients --start 192.168.2.0 --end 192.168.2.254 --timeout 48
strongswan pool --addattr dns --server 192.168.1.1 --pool vpnclients
strongswan pool --addattr unity_def_domain --string "example.org" --pool vpnclients
strongswan pool --addattr banner --string "example.org - all activity is monitored" --pool vpnclients
strongswan pool --addattr unity_split_include --subnet "192.168.1.0/255.255.255.0" --pool vpnclients

Testing

Configure your Mac OSX VPN client.

• Launch System preferences then select Network > + > Interface > VPN > VPN Type > Cisco IPSEC > Create

Set the Fields

Description      Strongswan-IPSEC
Server           vpn.example.org
Account          andrew
Password         5tr0ngp4ss0rd
Use Certificate  ON
Certificate      name.example.org

Now when you connect, you will remain connected to your LAN as well as the remote network 10.128.0.0/24 if you run netstat -rn you will see the 10.128.0.0/24 network being routed via the tunnel interface.

Related articles

• Iphone/Ipad/Mac OSX IPSEC VPN with Strongswan 5 on Centos/RHEL 6
• Mac OSX IPSEC VPN via command line using builtin Racoon client

This howto describes setting up an IPSEC VPN for use with the Iphone, Ipad and Mac OSX VPN clients on Centos/RHEL 6. I am using the 5.x branch of Strongswan which is now the mainline actively maintained branch. At the time of writing the 5.x EPEL package was only available in the testing repo.

The configuration should work both with NAT and without NAT on both sides, if you are NATing on the server side make sure your forward UDP 500 and 4500 to the machine running strongswan.

This howto uses example.org and 192.168.1.0/24 and 192.168.2.0/24 networks for illustration purposes, you need to change these to suit your own setup.

Install

To access the EPEL packages you need to enable the EPEL repo. You are then able to install the strongswan package.

yum install --enablerepo=epel-testing strongswan

Create the required configuration directories

mkdir -p /etc/strongswan/ipsec.d/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private}

Configuration

Create a CA

For RSA authentication you need to setup a CA which will issue the certificates to be used by the server and the clients.

cd /etc/pki/tls/misc
./CA -newca
echo 00 > /etc/pki/CA/crlnumber
openssl ca -gencrl -out /etc/pki/CA/crl.pem

Install to strongswan directories

ln -s /etc/pki/CA/cacert.pem /etc/strongswan/ipsec.d/cacerts/
ln -s /etc/pki/CA/crl.pem /etc/strongswan/ipsec.d/crls/

Create the server certificate

Apple clients require that the servers certificate subjectAltName attribute contain either the server IP address or server DNS name. To ensure the server certificate contains the subjectAltName attribute edit the openssl.cnf and set it under the [ usr_cert ] section

For DNS name set it to

subjectAltName=DNS:vpn.example.org

For IP address set it to

subjectAltName=IP:192.168.1.1

Now generate and sign the server certitifcate

./CA -newreq
./CA -sign

Install to strongswan directories.

mv newcert.pem /etc/strongswan/ipsec.d/certs/vpn.example.org.pem
mv newkey.pem /etc/strongswan/ipsec.d/private/vpn.example.org.key

Add the private key password to /etc/strongswan/ipsec.secrets

: RSA vpn.example.org.key "p4ssw0rd"

Create the client certificate

This is the certificate that will be used by you VPN clients ie Ipad/Iphone, edit the openssl.cnf and comment out the subjectAltName attribute setting.

Now generate and sign the client certificate, do this for all the clients you expect to use.

./CA -newreq
./CA -sign
openssl pkcs12 -export -in ipad.example.org.pem -inkey ipad.example.org.key \
 -certfile /etc/pki/CA/cacert.pem -out ipad.p12

You now need to import the CA certificate and the client p12 certificate on to the device. You need to download the Iphone configuration utility and use it to import the certificates to your device.

Add the username and password to /etc/strongswan/ipsec.secrets

andrew : XAUTH "5tr0ngp4ss0rd"

Create strongswan configuration

Edit /etc/strongswan/ipsec.conf with the following content.

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        auto=add

conn rw-xauth
        leftcert=vpn.example.org.pem
        leftid=@vpn.example.org
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightauth=pubkey
        rightauth2=xauth
        rightsourceip=192.168.2.0/24

The above setup assumes the network behind the vpn is 192.168.1.0/24 and virtual IP addresses will be assigned to VPN clients from the 192.168.2.0/24 network block.

Enable packet forwarding

If your system is not setup for packet forwarding enable it.

echo 1 > /proc/sys/net/ipv4/ip_forward

Edit /etc/sysctl.conf and set

net.ipv4.ip_forward = 1

Testing

Start strongswan.

service strongswan start

Check /var/log/messages and /var/log/secure for any errors.

Ipad configuration

• Launch Settings then select General > Network > VPN > Add VPN Configuration
• Toggle VPN type to IPSec

Set the Fields

Description      Strongswan-IPSEC
Server           vpn.example.org
Account          andrew
Password         5tr0ngp4ss0rd
Use Certificate  ON
Certificate      ipad.example.org

A VPN connection should now be possible by toggling VPN to ON under Settings > VPN.

Related articles

• IPSEC split tunneling VPN with Mac OSX and Strongswan 5 on Centos/RHEL 6
• Mac OSX IPSEC VPN via command line using builtin Racoon client

Home page

• https://launchpad.net/pygpgme

Use

PyGPGME is a Python module that lets you sign, verify, encrypt and decrypt messages using the OpenPGP format.

Installation

You need the GPGME library and header files installed to successfully install PyGPGME

pip install PyGPGME

Usage

The documentation for this package is almost non existent i hope my examples will be able to help at least with getting users started

Creating a key

This is similar to running the following command:

gpg --gen-key

import os
import gpgme

key_params = """
<GnupgKeyParms format="internal">
Key-Type: RSA
Key-Length: 2048
Name-Real: Jaja of Opobo
Name-Email: jaja@example.com
Expire-Date: 0
Passphrase: secret
</GnupgKeyParms>
"""

# create custom gpg directory
gpghome = os.path.expanduser('~/gpghome')
if not os.path.exists(gpghome):
    os.mkdir(gpghome, 0700)

# set the environment to custom gpg directory
os.environ['GNUPGHOME'] = gpghome
# create a blank configuration file
with open(os.path.join(gpghome, 'gpg.conf'), 'wv') as handle:
    handle.write('')

# create a context
ctx = gpgme.Context()
# create the key using key_params
result = ctx.genkey(key_params)
# get the key
key = ctx.get_key(result.fpr, True)
[uid] = key.uids
# print key name and email
print uid.name, uid.email

Exporting a key

This is similar to running the following command:

gpg --export [UID]

import os
import gpgme
from io import BytesIO

# set the environment to custom gpg directory
gpghome = os.path.expanduser('~/gpghome')
os.environ['GNUPGHOME'] = gpghome

# create a context
ctx = gpgme.Context()
ctx.armor = True
keydata = BytesIO()
[key] = ctx.keylist()
ctx.export(key.subkeys[0].keyid, keydata)
print keydata.getvalue()

Importing a key

This is similar to running the following command:

gpg --import [Filename]

import os
import gpgme
import urllib2

# set the environment to custom gpg directory
gpghome = os.path.expanduser('~/gpghome')
os.environ['GNUPGHOME'] = gpghome

# create a context
ctx = gpgme.Context()
# Download a public key
handle = urllib2.urlopen('http://repo.baruwa.org/RPM-GPG-KEY-BARUWA')
# Import the key
_ = ctx.import_(handle)
# Get key and print out keyID
key = ctx.get_key('4BA17AC7')
print "Imported key ID: ", key.uids[0].uid

Delete a key

This is similar to running the following command:

gpg --delete-key UID

import os
import gpgme

# set the environment to custom gpg directory
gpghome = os.path.expanduser('~/gpghome')
os.environ['GNUPGHOME'] = gpghome

# create a context
ctx = gpgme.Context()
# Get the public key we just imported
key = ctx.get_key('4BA17AC7')
# Delete the key
ctx.delete(key)

Sign and verify text

This is similar to running the following commands:

gpg -s (or --sign) [Data]
gpg [--verify] [Data]

import os
import gpgme
from io import BytesIO

# set the environment to custom gpg directory
gpghome = os.path.expanduser('~/gpghome')
os.environ['GNUPGHOME'] = gpghome
# allow our passphrase callback to work
del os.environ['GPG_AGENT_INFO']

# passphrase callback function
def passphrase_cb(uid_hint, passphrase_info, prev_was_bad, fd):
    "pass phrase callback"
    os.write(fd, b'secret\\n')

# create a context
ctx = gpgme.Context()
ctx.armor = True
[key] = ctx.keylist()
ctx.signers = [key]
ctx.passphrase_cb = passphrase_cb

# sign the data
plaintext = BytesIO(b'Text to be signed\\n')
signature = BytesIO()
signed = ctx.sign(plaintext, signature, gpgme.SIG_MODE_DETACH)

# rewind files
_ = signature.seek(0)
_ = plaintext.seek(0)

# Verify signature
sigs = ctx.verify(signature, plaintext, None)
if sigs[0].fpr == key.subkeys[0].fpr:
    print "Signature verified"
    print sigs[0].fpr, key.subkeys[0].fpr
else:
    print "Signature verification failed"

Encrypt and Decrypt text

This is similar to running the following commands:

gpg -e Recipient [Data]
gpg [-d] [Data]

import os
import gpgme
from io import BytesIO

# set the environment to custom gpg directory
gpghome = os.path.expanduser('~/gpghome')
os.environ['GNUPGHOME'] = gpghome
# allow our passphrase callback to work
del os.environ['GPG_AGENT_INFO']

recipient_params = """
<GnupgKeyParms format="internal">
Key-Type: RSA
Key-Length: 2048
Name-Real: Nana of itsikiri
Name-Email: nana@example.com
Expire-Date: 0
Passphrase: secret
</GnupgKeyParms>
"""

# passphrase callback function
def passphrase_cb(uid_hint, passphrase_info, prev_was_bad, fd):
    "pass phrase callback"
    os.write(fd, b'secret\\n')

# create a context
ctx = gpgme.Context()
ctx.armor = True
# create a recipient's key
result = ctx.genkey(recipient_params)
recipient = ctx.get_key(result.fpr, True)

plaintext = BytesIO(b'Very Secret text\\n')
ciphertext = BytesIO()
ctx.encrypt([recipient], gpgme.ENCRYPT_ALWAYS_TRUST, plaintext, ciphertext)

# rewind files
_ = ciphertext.seek(0)
_ = plaintext = BytesIO()
ctx.passphrase_cb = passphrase_cb
ctx.decrypt(ciphertext, plaintext)
print "The decrypted text is: ", plaintext.getvalue()

List keys

This is similar to running the following command:

gpg --list-keys

import os
import gpgme

# set the environment to custom gpg directory
gpghome = os.path.expanduser('~/gpghome')
os.environ['GNUPGHOME'] = gpghome

# create a context
ctx = gpgme.Context()
# iterate key list
for key in ctx.keylist():
    for uid in key.uids:
        print uid.uid

List secret keys

This is similar to running the following command:

gpg --list-secret-keys

import os
import gpgme

# set the environment to custom gpg directory
gpghome = os.path.expanduser('~/gpghome')
os.environ['GNUPGHOME'] = gpghome

# create a context
ctx = gpgme.Context()
# iterate secret key list
for key in ctx.keylist(None, True):
    for uid in key.uids:
        print uid.uid

And there is more.

For more GPG operations you can perform look at the API

import gpgme
help(gpgme)

Home page

• http://hewgill.com/pydkim/

Use

The pydkim module is a Python module that implements DKIM (DomainKeys Identified Mail) email signing and verification.

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

Although DKIM is implemented in most MTA's, in some cases you have a setup where you do not want to run and manage an SMTP server yourself say for example if your Python application uses Amazon SES to send out email. So you can use pydkim within your email generation code to sign your messages before passing them to SES.

Installation

pip install pydkim

Usage

The package provides a command line interface as well as a Python Class.

Python Class

Sign a message

from email.message import Message

from dkim import sign

body = """Hi There,

This is a simple message that will be signed by pydkim

--The signer
"""
# compose a simple message
msg = Message()
msg['From'] = 'Sender <sender@topdog-software.com>'
msg['To'] = 'Recipient <recipient@example.com>'
msg['Subject'] = 'Test message'
msg.set_payload(body)

# sign the message
private_key = open('default.pem').read()
headers = ['To', 'From', 'Subject']
email = msg.as_string()
sig = sign(email, 'default', 'topdog-software.com', private_key, include_headers=headers)
print sig, email

Output:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
 d=topdog-software.com; i=@topdog-software.com; q=dns/txt; s=default;
 t=1336488625; h=From : To : Subject;
 bh=skd2vA1wrCEzamCzKOvVKCaVhhpP1ihoQgGldgTSVUE=; b=vGQgSjJxkTZe+NZZl
lqszgxGshTcixlcfFos+XpLnAj1fnhA5SuBASoB4dVQUlVW76U5s9Dn1zSSsKH
6bCahl4oPqZaE5t6Ke5wpGwA+cBWZRrSuDDD/L8g9nYi04SVb+lMF9mJyQCeZj
pBtMomaOvGF8GNXsiKTFZR9RDv0wWw=
From: Sender <sender@topdog-software.com>
To: Recipient <recipient@example.com>
Subject: Test message

Hi There,

This is a simple message that will be signed by pydkim

--The signer

Verify a message (I use the same message signed above)

from dkim import verify

if verify(open('email.txt').read()):
    print "Email verified successfully"

True

Command line

Sign a message

dkimsign.py selector domain privatekeyfile [identity]

Verify a message

cat email.txt | dkimverify.py
echo $?

And there is more.

For details of the API please refer to the documentation. Happy DKIMing

Home page

• http://www.dnspython.org/

Use

dnspython is a DNS toolkit for Python. It supports almost all record types. It can be used for queries, zone transfers, and dynamic updates. It supports TSIG authenticated messages and EDNS0.

dnspython provides both high and low level access to DNS. The high level classes perform queries for data of a given name, type, and class, and return an answer set. The low level classes allow direct manipulation of DNS zones, messages, names, and records.

Installation

pip install dnspython

Usage

Lookup DNS records (A, AAAA, MX, NS)

A Records

import dns.resolver
answers = dns.resolver.query('topdog.za.net', 'A')
for rdata in answers:
    print rdata.address

AAAA Records

import dns.resolver
answers = dns.resolver.query('topdog.za.net', 'AAAA')
for rdata in answers:
    print rdata.address

MX Records

import dns.resolver
answers = dns.resolver.query('topdog.za.net', 'MX')
for rdata in answers:
    print 'host', rdata.exchange, 'has preference', rdata.preference

NS Records

import dns.resolver
answers = dns.resolver.query('topdog.za.net', 'NS')
for rdata in answers:
    print rdata.to_text()

Transfer a Zone from a server.

import dns.zone
import dns.query
zone = dns.zone.from_xfr(dns.query.xfr('174.136.108.83', 'topdog.za.net'))
print "*" * 10, "A records", "*" * 10
for (name, ttl, rdata) in zone.iterate_rdatas('A'):
    print name, "with TTL", ttl, "points to", rdata
print "*" * 10, "MX records", "*" * 10
for (name, ttl, rdata) in zone.iterate_rdatas('MX'):
    print name, "with TTL", ttl, "points to", rdata
print "*" * 10, "NS records", "*" * 10
for (name, ttl, rdata) in zone.iterate_rdatas('NS'):
    print name, "with TTL", ttl, "points to", rdata

Generate reverse names

import dns.reversename
print dns.reversename.from_address('174.136.108.83')

Perform a Dynamic record update (example from documentation modified)

import dns.query
import dns.tsigkeyring
import dns.update
import sys

if __name__ == '__main__':
    keyring = dns.tsigkeyring.from_text({
        'host-example.' : 'XXXXXXXXXXXXXXXXXXXXXX=='
    })
    # Replace an A record
    update = dns.update.Update('example.com', keyring=keyring)
    update.replace('host', 300, 'a', sys.argv[1])
    response = dns.query.tcp(update, '10.0.0.1')

And there is more

There is more that can be done using this package please refer to the documentation.

Home page

• https://github.com/haypo/python-ipy/

Use

The IP class allows a comfortable parsing and handling for most notations in use for IPv4 and IPv6 addresses and networks. It was greatly inspired by RIPE's Perl module NET::IP's interface but doesn't share the implementation.

Installation

pip install IPy

Usage

Print IP addresses in an IP range

from IPy import IP
network = IP('192.168.0.0/30')
for ip in network:
    print ip

Output:

192.168.0.0
192.168.0.1
192.168.0.2
192.168.0.3

Generate Reverse names for reverse lookup/PTR records

from IPy import IP
network = IP('192.168.0.0/30')
for ip in network:
    print ip.reverseName()

from IPy import IP
network = IP('192.168.0.0/30').reverseNames()
for ip in network:
    print ip

Output:

0.0.168.192.in-addr.arpa.
1.0.168.192.in-addr.arpa.
2.0.168.192.in-addr.arpa.
3.0.168.192.in-addr.arpa.

Check IP version:

from IPy import IP
print IP('192.168.0.0/30').version()
print IP('::1').version()

Output:

4
6

Get network prefixes

from IPy import IP
print IP('192.168.0.0/30')
print IP('192.168.0.0/255.255.255.252')
print IP('192.168.0.0-192.168.0.3)

Output:

192.168.0.0/30
192.168.0.0/30
192.168.0.0/30

Get the broadcast address

from IPy import IP
print IP('192.168.0.0/30').broadcast()

Output:

192.168.0.3

Get the network mask

from IPy import IP
print IP('192.168.0.0/30').netmask()

Output:

255.255.255.252

Check if an IP address is within a network

from IPy import IP
'192.168.0.1' in IP('192.168.0.0/30')

Check a network type LOOPBACK, PRIVATE, PUBLIC, RESERVED

from IPy import IP
print IP('192.168.0.1').iptype()

Output:

PRIVATE

And there is more

There is more that can be done using this package please refer to the documentation or run.

import IPy
help(IPy)

Home page

• http://xael.org/norman/python/pyclamd/

Use

pyClamd is a python interface to Clamd (Clamav daemon). By using pyClamd, you can add virus detection capabilities to your python software in an efficient and easy way.

pyClamd may be used by a closed source product, as it does not link with the GPL licensed libclamav.

Installation

This package is not available on the cheeseshop (PYPI) so you need to install it by downloading the module.

wget http://xael.org/norman/python/pyclamd/pyclamd.py
mv pyclamd.py $(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")/

Usage

pyClamd supports connections to clamd using both TCP and UNIX sockets.

TCP

import pyclamd
pyclamd.init_network_socket('localhost', 3310)
print pyclamd.version()

Output:

ClamAV 0.97.4/14869/Tue May  1 22:38:26 2012

Unix socket

import pyclamd
pyclamd.init_unix_socket('/tmp/clamd.socket')
print pyclamd.version()

Output:

ClamAV 0.97.4/14869/Tue May  1 22:38:26 2012

Scan files

import pyclamd
pyclamd.init_unix_socket('/tmp/clamd.socket')
pyclamd.contscan_file('/tmp')

Scan and stop if virus detected

import pyclamd
pyclamd.init_unix_socket('/tmp/clamd.socket')
pyclamd.scan_file('/tmp')

Ping server to check if still alive

import pyclamd
pyclamd.init_unix_socket('/tmp/clamd.socket')
pyclamd.ping()

Scan a stream

import pyclamd
pyclamd.init_unix_socket('/tmp/clamd.socket')
mystring = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
pyclamd.scan_stream(mystring)

Output:

{'stream': 'Eicar-Test-Signature'}

Reload clamd

import pyclamd
pyclamd.init_unix_socket('/tmp/clamd.socket')
pyclamd.reload()

Output:

'RELOADING'

Shutdown clamd

import pyclamd
pyclamd.init_unix_socket('/tmp/clamd.socket')
pyclamd.shutdown()

The module raises various exceptions that you will need to catch, please refer to the documentation for details.

Home page

• http://alastairs-place.net/projects/pwtools/

Use

pwtools is a Python package that provides the ability to generate passwords, and also allows you to test them to ensure that they are reasonably secure.

The algorithms used were borrowed from the Openwall Project’s passwdqc project, but have been re-implemented in Python for increased portability.

Installation

This package is not available on the cheeseshop (PYPI) so you need to install it from the Mercurial repository.

pip install hg+http://alastairs-place.net/hg/pwtools

Usage

Generate a strong password:

from pwtools import PasswordGenerator
pwgen = PasswordGenerator()
pwgen.generate()

Output:

'amaze*Period&Thirst'

Check password strength:

from pwtools import PasswordChecker
pwchecker = PasswordChecker('/usr/share/dict/words')
pwchecker.checkPassword('password')
pwchecker.checkPassword('zxcvbnm')
pwchecker.checkPassword('123456abcdef')
pwchecker.checkPassword('m1ll10n')
pwchecker.checkPassword('amaze*Period&Thirst')

Output:

'too simple (not enough different kinds of character)'
'too simple (not enough different kinds of character)'
'based on a common sequence of characters'
'too simple (not enough different kinds of character)'
False

Home page

• http://slimit.org/

Use

SlimIt is a JavaScript minifier written in Python. It compiles JavaScript into more compact code so that it downloads and runs faster.

SlimIt also provides a library that includes a JavaScript parser, lexer, pretty printer and a tree visitor.

Installation

pip install slimit

Usage

The package provides a command line interface as well as Python functions.

Python functions

Minify Javascript

from slimit import minify
minified = minify(open('jquery-1.7.2.js').read(), mangle=True, mangle_toplevel=True)
print minified

Modify Javascript within Python and beautify it

This example is taken directly from the documentation. It modifies the counter variable changing it from "i" to "hello" and formats it in a more readable style.

from slimit.parser import Parser
from slimit.visitors import nodevisitor
from slimit import ast

parser = Parser()
tree = parser.parse('for(var i=0; i<10; i++) {var x=5+i;}')
for node in nodevisitor.visit(tree):
    if isinstance(node, ast.Identifier) and node.value == 'i':
        node.value = 'hello'
print tree.to_ecma()

Output:

for (var hello = 0; hello < 10; hello++) {
  var x = 5 + hello;
}

Command line

slimit --mangle < jquery-1.7.2.js > jquery-1.7.2.slimit.default.js

Performance

The performance is very good, most times it creates smaller files than the YUI compresser. I tested minifying Jquery using 3 javascript minification tools:

• jsmin
• yuicompressor
• slimit

The results are below.

-rw-r--r--  1 andrew  staff   247K Mar 21 21:46 jquery-1.7.2.js
-rw-r--r--  1 andrew  staff   138K Apr 30 08:26 jquery-1.7.2.jsmin.js
-rw-r--r--  1 andrew  staff    96K Apr 30 08:22 jquery-1.7.2.slimit.js
-rw-r--r--  1 andrew  staff   103K Apr 30 08:19 jquery-1.7.2.yui.js

And there is more

Slimit also exposes JavaScript parser and lexer functions which you can use within your code, please refer to the documentation for usage information.