Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

FreeBSD Jails

Written by Arnaud

We will use ezjail, which makes creating and managing jails easier :

pkg install ezjail
ezjail-admin install

service ezjail start

Create your first jail and connect to it (we will NAT the jail in this example):

ezjail-admin create myjailname 'lo1|10.11.12.1'
ezjail-admin start myjailname
ezjail-admin list
ezjail-admin console myjailname

Allow raw sockets (needed for ping, but not recommended: it lets root inside the jail craft arbitrary IP packets, e.g. for spoofing or scanning, which is part of what the jail is meant to prevent) by editing /usr/local/etc/ezjail/myjailname, then restart the jail for the parameter to apply:

export jail_myjailname_parameters="allow.raw_sockets=1"

Enable services in the jail skeleton (/usr/jails/newjail is the template copied for every jail created afterwards; an existing jail has its own /usr/jails/myjailname/etc/rc.conf). Note the quoting: without it the shell strips the double quotes before they reach the file :

echo 'sshd_enable="YES"' >> /usr/jails/newjail/etc/rc.conf

Enable NAT and port redirection in /etc/pf.conf (these are translation rules only: PF passes whatever it is not told to block, so add filter rules after them if the host is exposed):

ext_if = "em0"
int_if = "lo1"
rdr on $ext_if proto udp to port 1194 -> 10.11.12.1 port 1194
nat on $ext_if from $int_if:network -> ($ext_if)

Start PF, then check and load the ruleset (pfctl -vf prints the parsed rules while loading them; with -n instead it only parses the file, which is the safe way to test a change on a remote box) :

service pf onestart
pfctl -vf /etc/pf.conf
pfctl -e

Enable everything at startup in /etc/rc.conf (lo1 must exist before the jail can be attached to it, hence the cloned interface; gateway_enable turns on IP forwarding, which the NAT needs) :

cloned_interfaces="lo1"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
ezjail_enable="YES"


more about PF : https://www.freebsd.org/doc/handbook/firewalls-pf.html

more about ezjail : https://www.freebsd.org/doc/handbook/jails-ezjail.html
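A complete ruleset for this setup, as an added example that is not part of the original post: the two translation rules above are kept, and filter rules are added so that from outside only the redirected jail port and the host's own SSH are reachable. The interface names and the jail address are the post's; the admin source network, the host SSH port (22) and the explicit `keep state` are assumptions. Generate the file, read it, parse it with `pfctl -nf` before loading it, and keep the session you are typing in alive until the new rules have proven they still let you in.

```sh
#!/bin/sh
# Added example (not from the original post): emit a complete /etc/pf.conf for
# the NATed-jail setup WITH filter rules. The post's two lines are translation
# rules only; PF passes everything it is not told to block, so once pf is
# enabled with just those lines the host is wide open.
# Assumed values: host SSH on tcp/22, jail service on udp/1194, admin network
# passed as 6th argument (defaults to "any").

jail_pf_conf() {   # usage: jail_pf_conf <ext_if> <int_if> <jail_ip> <proto> <port> [admin_net]
    ext_if=$1 int_if=$2 jail_ip=$3 proto=$4 port=$5 admin_net=${6:-any}
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
jail_ip = "$jail_ip"

set skip on lo0

# translation rules come before filter rules in this PF syntax (FreeBSD 10)
rdr on \$ext_if proto $proto to port $port -> \$jail_ip port $port
nat on \$ext_if from \$int_if:network -> (\$ext_if)

# default deny inbound on the external interface, allow what the host initiates
block in on \$ext_if
pass out on \$ext_if keep state

# keep the admin path open BEFORE enabling pf (3am lockout insurance)
pass in on \$ext_if proto tcp from $admin_net to (\$ext_if) port 22 keep state

# the redirected service: after rdr the packet is already addressed to the jail
pass in on \$ext_if proto $proto to \$jail_ip port $port keep state

# host <-> jail traffic on the loopback clone
pass on \$int_if
EOF
}

# Demo with the post's values and an assumed admin network
jail_pf_conf em0 lo1 10.11.12.1 udp 1194 192.0.2.0/24
```

Redirect the output to /etc/pf.conf only after `pfctl -nf` accepts it; if you lose the box anyway, the rollback is `pfctl -d` from the console, which disables PF entirely.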

Classified in : UNIX

FreeBSD Basics

Written by Arnaud

If you install FreeBSD 10 on Proxmox, you MUST set the CPU type to qemu64 or it won't boot (the installer runs fine, the installed system does not!)

If you chose to install ssh and ntp, check that they are enabled in /etc/rc.conf :

sshd_enable="YES"
ntpd_enable="YES"

Remember to modify these lines in /etc/ntp.conf so that your server cannot be abused as a reflector in an NTP (DDoS) amplification attack :

#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
#
# Alternatively, the following rules would block all unauthorized access.
restrict default ignore
restrict -6 default ignore

then "service ntpd restart". Two caveats: the stock lines you just commented out already carried noquery, which refuses the mode 6/7 control queries (monlist) that the amplification abuses; and with "restrict default ignore" ntpd also drops the replies of your upstream time servers, so every server you configure needs its own restrict line that permits it (the comment block in the stock FreeBSD ntp.conf says exactly this). Check afterwards that the clock still synchronises.

  • To allow root login over ssh with keys only (no password authentication), edit /etc/ssh/sshd_config :

PermitRootLogin  yes
PasswordAuthentication no

and "service sshd restart". Three things to check before that restart: your public key must already be in /root/.ssh/authorized_keys, or you lock yourself out of a box that no longer takes passwords; sshd honours the FIRST occurrence of a keyword, so no earlier, uncommented PasswordAuthentication line may be left in the file; and on FreeBSD (UsePAM is on) the ChallengeResponseAuthentication keyword must be set to no as well, otherwise the keyboard-interactive prompt still accepts the password. If root should never be able to use a password even when password authentication is turned back on, "PermitRootLogin without-password" (renamed prohibit-password in OpenSSH 7.0) is the tighter choice.
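An added example, not from the original post, that checks what sshd will actually enforce. It reads the first uncommented occurrence of a keyword the way sshd does, treats a missing PasswordAuthentication or ChallengeResponseAuthentication as the OpenSSH default of yes, and rewrites the file so that a setting is stated exactly once. The sample sshd_config is constructed for the demo; the function names and the assumption that the file uses "Keyword value" lines and has no Match block are mine.

```sh
#!/bin/sh
# Added example (not from the original post): find out what sshd will ACTUALLY
# enforce, and rewrite the file so that each setting is stated once.
# sshd takes the FIRST uncommented occurrence of a keyword; appending
# "PasswordAuthentication no" below an earlier "PasswordAuthentication yes"
# changes nothing. Assumptions: "Keyword value" lines separated by whitespace
# (no "Keyword=value" form) and no Match block (sshd_set appends to the end of
# the file, which would land inside a Match block if there were one).

sshd_effective() {   # usage: sshd_effective <sshd_config> <Keyword>  -> value or ""
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
        tolower($1) == "match" { exit }                # global section ends at the first Match
        tolower($1) == tolower(key) { print $2; exit } # first occurrence wins
    ' "$1"
}

# Exit 0 only when no password can be typed at all: both PasswordAuthentication
# and ChallengeResponseAuthentication must be "no" (with UsePAM the latter still
# prompts for the password via keyboard-interactive). Absent keywords take the
# OpenSSH defaults, which are "yes" for both.
sshd_audit() {   # usage: sshd_audit <sshd_config>
    pw=$(sshd_effective "$1" PasswordAuthentication);           : "${pw:=yes}"
    cra=$(sshd_effective "$1" ChallengeResponseAuthentication); : "${cra:=yes}"
    root=$(sshd_effective "$1" PermitRootLogin);                : "${root:=default}"
    echo "PermitRootLogin=$root PasswordAuthentication=$pw ChallengeResponseAuthentication=$cra"
    [ "$pw" = no ] && [ "$cra" = no ]
}

# Comment out every earlier copy of <Keyword>, then append "<Keyword> <value>",
# so the new value is both the first and the only uncommented occurrence.
sshd_set() {   # usage: sshd_set <sshd_config> <Keyword> <value>
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print "#" $0; next }
        { print }
    ' "$1" > "$1.tmp" && printf '%s %s\n' "$2" "$3" >> "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample: the post's two lines were appended to a file that already
# carried an uncommented "PasswordAuthentication yes" further up.
make_sample() {   # usage: make_sample  -> path of a temporary config
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# sshd_config sample, constructed for this example
Port 22
PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server

PermitRootLogin  yes
PasswordAuthentication no
EOF
    echo "$f"
}

# Demo: show the trap, then fix it.
cfg=$(make_sample)
sshd_audit "$cfg" || echo "NOT key-only: the earlier 'yes' wins"
sshd_set "$cfg" PasswordAuthentication no
sshd_set "$cfg" ChallengeResponseAuthentication no
sshd_audit "$cfg" && echo "key-only now"
rm -f "$cfg"
```

Run `sshd_audit /etc/ssh/sshd_config` before the restart; if it prints anything other than two "no" values, the box still takes passwords whatever the last line of the file says.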

  • Update the system:

freebsd-update fetch
freebsd-update install

  • Search for and install new software with PKGNG (binary packages):

pkg search tcpdump
pkg install tcpdump

 

  • Check installed packages and get details on a specific one  :

pkg info
pkg info tcpdump

  • Check for updates and upgrade packages :

pkg update
pkg version
pkg upgrade

(more about packages install and ports : https://www.freebsd.org/doc/handbook/ports-finding-applications.html )

  • View partitions list and type :

gpart show

  • See free memory (RAM) in MB :

pkg install freecolor
freecolor -o -m

 

 

To use the BSD ports, first fetch and extract the tree (the first two commands are for the first run only; afterwards a single "portsnap fetch update" brings it up to date) :

portsnap fetch
portsnap extract
portsnap fetch update

Find a port (if you know the name) :

# whereis nmap
nmap: /usr/ports/security/nmap

If you don't know the exact name, you can search :

# cd /usr/ports
# make search name=lsof

Compile & install  (if the file pkg-message exists, you should read it!) :

cd /usr/ports/security/nmap
make install clean

or simply install a port with portmaster :

pkg install portmaster
portmaster -d sysutils/password-store

update all your ports :

portmaster -a

Classified in : UNIX

SSH configuration for Brocade MLX

Written by Arnaud

Enable SSH

crypto key generate rsa modulus 2048
write mem
sync-standby

 

Disable SSH

This is definitely a bad idea!
The "best" way to disable ssh is to remove the host keys :

crypto key zeroize

Also, you should disable telnet (it is not enabled by default, unlike on Cisco!) :

no telnet server

 

Add a public key to log in without password

You have to convert your public key by hand into the SSH2 (RFC 4716) block format : 

cat .ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA88pt28yU5jq4KZQ88nKsl2iYMhxatRv742Ak52c8/qIqivw+Drs9/r4ggnjCBrQ8+nycmc3Qe
DsAa7ci3bXUYebYHAuNbOF9QKJst2SquFSGUu5kGGDxNhdiYdVVuqH/DEzXN+CXaLexykSPfe/YpHRhHVK4Zhv1Vbr8pmLTtaOBep
dCUE+s9anqzDHRIfm6b/3XJSLlXx95mi4Yj/0BEM6SYHzsAr0jhlfvbA84HZpzQBrEi7dHrylm6UDtPXSWkZq3Ki+rMED6ZUUjWVL
O0YuVq5NJi9EkgbVSbhK+hr9BndLOpl0jUrjxHT4mtz7p+RTM5Wm3G7AB54LzNhxHWQ== afenioux@franceix.net

becomes :

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "afenioux@franceix.net"
AAAAB3NzaC1yc2EAAAABIwAAAQEA88pt28yU5jq4KZQ88nKsl2iYMhxatRv742Ak52c8/qIqivw+Drs9/r4ggnjCBrQ8+nycmc3Qe
DsAa7ci3bXUYebYHAuNbOF9QKJst2SquFSGUu5kGGDxNhdiYdVVuqH/DEzXN+CXaLexykSPfe/YpHRhHVK4Zhv1Vbr8pmLTtaOBep
dCUE+s9anqzDHRIfm6b/3XJSLlXx95mi4Yj/0BEM6SYHzsAr0jhlfvbA84HZpzQBrEi7dHrylm6UDtPXSWkZq3Ki+rMED6ZUUjWVL
O0YuVq5NJi9EkgbVSbhK+hr9BndLOpl0jUrjxHT4mtz7p+RTM5Wm3G7AB54LzNhxHWQ==
---- END SSH2 PUBLIC KEY ----

You have to put ALL the allowed public keys in the same file: loading it replaces the existing list, so any key missing from the file is deleted! The file is fetched over TFTP, which has no authentication or integrity protection, so verify the loaded keys afterwards (see "sh ip client-pub-key" below) before closing the session that still works.

ip ssh pub-key-file tftp 10.10.10.10 pkeys.txt
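An added example, not part of the original post, that does the conversion above for a whole authorized_keys-style file at once, so that every allowed key ends up in the one file the switch loads (OpenSSH's own `ssh-keygen -e -f ~/.ssh/id_rsa.pub` produces the same format for a single key). The key material in the demo is constructed filler, not a real key; which key types the MLX accepts depends on its software version, the post uses RSA.

```sh
#!/bin/sh
# Added example (not from the original post): convert OpenSSH public-key lines
# ("ssh-rsa AAAA... comment") into the SSH2 / RFC 4716 block format shown above,
# for all keys of an authorized_keys-style file, into ONE output file.
# Assumption: any "ssh-*" or "ecdsa-sha2-*" type is converted; whether the
# switch accepts non-RSA keys is not something this script knows.

to_rfc4716() {   # usage: to_rfc4716 [authorized_keys ...]   (stdin if no file)
    awk '
        NF < 2 || $1 ~ /^#/ { next }                    # comments, blank and junk lines
        $1 ~ /^(ssh-|ecdsa-sha2-)/ {
            print "---- BEGIN SSH2 PUBLIC KEY ----"
            if (NF >= 3) {                               # comment = everything after the blob
                c = $3
                for (i = 4; i <= NF; i++) c = c " " $i
                print "Comment: \"" c "\""
            }
            b = $2
            while (length(b) > 70) {                     # RFC 4716: body lines of at most 72 chars
                print substr(b, 1, 70)
                b = substr(b, 71)
            }
            print b
            print "---- END SSH2 PUBLIC KEY ----"
        }
    ' "$@"
}

# Count the keys in a converted file: compare with "sh ip client-pub-key" after
# the TFTP load; a key that did not make it means somebody is locked out.
rfc4716_count() {   # usage: rfc4716_count [file]   (stdin if no file)
    grep -c '^---- BEGIN SSH2 PUBLIC KEY ----$' "$@"
}

# Demo with a constructed 150-character filler blob (NOT a real key)
demo_key="ssh-rsa $(awk 'BEGIN { for (i = 0; i < 150; i++) printf "A" }') admin@example.net"
printf '%s\n' "$demo_key" | to_rfc4716
```

Typical use: `to_rfc4716 ~/.ssh/authorized_keys > pkeys.txt`, then `rfc4716_count pkeys.txt` and compare that number with what the switch shows once loaded.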

Remove all the clients keys :

 ip ssh pub-key remove

 

ACL on SSH

access-list 22 permit host 192.0.2.1
access-list 22 permit 10.10.0.0/16
ssh access-group 22

and of course do not forget IPv6 :

ipv6 access-list acl-ssh-in
  permit ipv6 2001:db8::/32 any
exit
ssh access-group ipv6 acl-ssh-in

 

 

About SSH

see active connections :

sh ip ssh

see the parameters : 

sh ip ssh config

list of authorized (public) keys :

sh ip client-pub-key

SCP

SCP is enabled by default... just use it!

Classified in : MISC

Super SCP

Written by Arnaud

I use this script to scp files as root to the remote server, so that I don't need to type "root@".
e.g. : arnaud@local:~$ ./scp file srv:/root
 
#!/bin/bash
# Wrapper around scp: prepend "root@" to whichever argument names the remote side.
#   ./scp file1 file2 srv:/root     -> scp -r file1 file2 root@srv:/root
#   ./scp srv:/root/file .          -> scp -r root@srv:/root/file .
# Arguments are passed through as an array, so paths containing spaces survive.
set -eu
if [ "$#" -lt 2 ]; then
        echo "usage: $0 source... target" >&2
        exit 1
fi
last="${!#}"
if [[ "$last" == *:* ]]; then
        # the last argument is the remote target: pop it from "$@"
        scp -r "${@:1:$#-1}" "root@$last"
else
        # otherwise the first argument is the remote source: shift it off "$@"
        src="$1"
        shift
        scp -r "root@$src" "$@"
fi
Classified in : UNIX

Linux and routing tables

Written by Arnaud

To give a second interface its own default gateway: in this example the host has two interfaces and I want one default gateway per IP (the second interface has IP 10.10.10.10, its gateway is 10.10.10.1). Packets sourced from 10.10.10.10 are then looked up in table 100 instead of the main table, so replies leave through the interface they arrived on :

ip route add default via 10.10.10.1 table 100
ip rule add from 10.10.10.10 table 100

ip rule list
ip route list table local
ip route list table 100

source & more : http://lartc.org/howto/lartc.rpdb.html
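An added example, not from the original post, that wraps the two commands above into something you can preview before running it on a remote host (a wrong ip rule on the only working interface is a lockout). The addresses are the post's; the interface name (eth1), the /24 prefix length and the purely numeric table are assumptions. It also installs the connected route in table 100, as the LARTC page does, so that traffic from 10.10.10.10 to its own subnet is not sent to the gateway, and it adds the rule only if it is not already present.

```sh
#!/bin/sh
# Added example (not from the original post): source-based policy routing for a
# second interface, generated as a list of ip(8) commands so it can be reviewed
# (dry run) and re-applied without creating duplicates.
# Assumed values: eth1 with 10.10.10.10/24, gateway 10.10.10.1, table 100.

# Network address of <ipv4>/<prefixlen>, pure POSIX sh arithmetic.
subnet_of() {   # usage: subnet_of <ipv4> <prefixlen>  -> e.g. 10.10.10.0
    ip=$1 plen=$2
    a=${ip%%.*}; ip=${ip#*.}
    b=${ip%%.*}; ip=${ip#*.}
    c=${ip%%.*}; d=${ip#*.}
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    n=$(( n & mask ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# The commands that give <ip> on <iface> its own default gateway in <table>.
# "replace" makes the routes idempotent; the rule is guarded by a lookup in
# "ip rule show" because a second identical rule would shadow nothing but
# confuse the next person reading the table.
policy_route_cmds() {   # usage: policy_route_cmds <iface> <ip> <prefixlen> <gw> <table>
    net=$(subnet_of "$2" "$3")
    cat <<EOF
ip route replace $net/$3 dev $1 src $2 table $5
ip route replace default via $4 dev $1 table $5
ip rule show | grep -q "from $2 lookup $5" || ip rule add from $2 table $5
EOF
}

# Demo (prints the commands; pipe into sh to apply)
policy_route_cmds eth1 10.10.10.10 24 10.10.10.1 100
```

Review the output, then `policy_route_cmds eth1 10.10.10.10 24 10.10.10.1 100 | sh -x`, and check with the three `ip ... list` commands above. The rules live in the kernel only: they are gone after a reboot, so persist them in your distribution's network configuration.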

Classified in : UNIX

Switch CAM, TCAM and SDM

Written by Arnaud

Cisco Catalyst switches use CAM and TCAM to store MAC addresses, ACL and QoS tables in order to switch at wire speed: they are ASIC-backed memories that search their entire content in one operation.

The CAM (Content Addressable Memory) stores MAC addresses with their VLAN and port assignments. During a lookup, the CAM returns the address where the data is stored (the inverse of regular RAM). It is used on L2 switches.
The TCAM (Ternary Content Addressable Memory) is used on L3 switches to store the routing table (it also stores ACL and QoS information). Its "ternary" bits (0, 1, don't care) let an entry match a prefix with a mask: the lookup key is network and mask, and the result is the next hop, or the action (permit or deny) for an ACL.

Very well explained and detailed post : https://supportforums.cisco.com/document/60831/cam-vs-tcam

To see the CAM contents and usage (these commands were used on a 3750):

show mac address-table dynamic
show mac address-table count

To see TCAM usage :

show platform tcam utilization 

To see routes that couldn't be inserted into the TCAM :

show platform ip unicast counts

To view the number of route entries for each protocol :

show ip route summary

 

If you find a high number of prefixes not in the TCAM together with a high TCAM usage, consider changing the SDM (Switch Database Management) template.

To see the currently used SDM :

show sdm prefer

To see the details of another SDM template (here the one that splits the TCAM between IPv4 and IPv6 routes) :

show sdm prefer dual-ipv4-and-ipv6 routing

To apply a new SDM template (it only takes effect after a reload, so save the configuration first and do it in a maintenance window) :

conf t
 sdm prefer dual-ipv4-and-ipv6 routing
end
reload

In the worst case, when the TCAM is full, the prefixes that did not fit are no longer forwarded in hardware (CEF) but by the CPU; to see the CPU usage :

show processes cpu history

CEF (Cisco Express Forwarding) is a forwarding model in which all routing information is put into the FIB (Forwarding Information Base). The FIB stores the IP routing information (prefixes and next hops); in addition to the FIB, CEF uses adjacency tables to store the Layer 2 addressing information.


Source : http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/... and http://www.ciscopress.com/articles/article.asp?p=425816&seqNum=2

Classified in : cisco

dBm / mW and DWDM

Written by Arnaud

In this post: dBm/mW equivalence, approximate link budget versus range (km), and the DWDM C-band channel wavelengths and frequencies.

 20dBm = 100mW
 10dBm = 10mW
  3dBm ≈ 2mW
  0dBm = 1mW
 -3dBm ≈ 0,5mW
-10dBm = 0,1mW
-20dBm = 0,01mW

Do not trust the advertised distance: do the math yourself, adding the attenuation of your fibre, splices and connectors, and check that it fits in the optic's budget :

10dB     2/10km  LR
13dB     15km
16/24dB  40km    ER
26/28dB  80km    ZR
32dB     120km
37dB     160km


DWDM C-band channels (ITU 100 GHz grid):

Channel  Lambda (nm)  Freq (THz)
C72      1520,25      197,20
C71      1521,02      197,10
C70      1521,79      197,00
C69      1522,56      196,90
C68      1523,34      196,80
C67      1524,11      196,70
C66      1524,89      196,60
C65      1525,66      196,50
C64      1526,44      196,40
C63      1527,22      196,30
C62      1527,99      196,20
C61      1528,77      196,10
C60      1529,55      196,00
C59      1530,33      195,90
C58      1531,12      195,80
C57      1531,90      195,70
C56      1532,68      195,60
C55      1533,47      195,50
C54      1534,25      195,40
C53      1535,04      195,30
C52      1535,82      195,20
C51      1536,61      195,10
C50      1537,40      195,00
C49      1538,19      194,90
C48      1538,98      194,80
C47      1539,77      194,70
C46      1540,56      194,60
C45      1541,35      194,50
C44      1542,14      194,40
C43      1542,94      194,30
C42      1543,73      194,20
C41      1544,53      194,10
C40      1545,32      194,00
C39      1546,12      193,90
C38      1546,92      193,80
C37      1547,72      193,70
C36      1548,51      193,60
C35      1549,32      193,50
C34      1550,12      193,40
C33      1550,92      193,30
C32      1551,72      193,20
C31      1552,52      193,10
C30      1553,33      193,00
C29      1554,13      192,90
C28      1554,94      192,80
C27      1555,75      192,70
C26      1556,55      192,60
C25      1557,36      192,50
C24      1558,17      192,40
C23      1558,98      192,30
C22      1559,79      192,20
C21      1560,61      192,10
C20      1561,42      192,00
C19      1562,23      191,90
C18      1563,05      191,80
C17      1563,86      191,70
C16      1564,68      191,60
C15      1565,50      191,50
C14      1566,31      191,40
C13      1567,13      191,30
C12      1567,95      191,20
C11      1568,77      191,10
C10      1569,59      191,00
C09      1570,42      190,90
C08      1571,24      190,80
C07      1572,06      190,70
C06      1572,89      190,60
C05      1573,71      190,50
C04      1574,54      190,40
C03      1575,37      190,30
C02      1576,20      190,20
C01      1577,03      190,10
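The arithmetic behind the three tables of this post, as an added example that is not part of the original: dBm to mW and back, the link-budget check the text asks for, and the ITU C-band grid the channel table is derived from (100 GHz spacing, f = 190.0 + 0.1 × channel THz, λ = c / f). The per-km and per-connector loss figures in the demo are assumed planning values, not measurements.

```sh
#!/bin/sh
# Added example (not from the original post): recompute the post's tables
# instead of reading them. Assumed planning figures for the demo: 0.25 dB/km
# fibre loss at 1550 nm and 0.5 dB per connector.

dbm_to_mw() {   # usage: dbm_to_mw <dBm>      P(mW) = 10^(dBm/10)
    awk -v d="$1" 'BEGIN { printf "%.2f\n", 10 ^ (d / 10) }'
}

mw_to_dbm() {   # usage: mw_to_dbm <mW>       P(dBm) = 10 * log10(mW)
    awk -v p="$1" 'BEGIN { printf "%.2f\n", 10 * log(p) / log(10) }'
}

# Link budget: what the optic can lose (e.g. 16 dB for the 40 km ER line in
# the table) minus fibre and connector losses. A negative margin means the
# link will not come up, whatever km figure the datasheet prints.
link_margin() {   # usage: link_margin <budget_dB> <km> <dB_per_km> <n_connectors> <dB_per_connector>
    awk -v b="$1" -v km="$2" -v a="$3" -v n="$4" -v c="$5" \
        'BEGIN { printf "%.2f\n", b - (km * a + n * c) }'
}

# ITU C-band grid, 100 GHz spacing: f(THz) = 190.0 + 0.1 * channel;
# lambda(nm) = c / f, with c = 299792.458 so that THz in gives nm out.
dwdm_channel() {   # usage: dwdm_channel <channel 1..72>  -> "<THz> <nm>"
    awk -v ch="$1" 'BEGIN { f = 190.0 + 0.1 * ch; printf "%.2f %.2f\n", f, 299792.458 / f }'
}

# Demo: an ER optic (16 dB budget) over 40 km with 4 connectors
echo "20 dBm = $(dbm_to_mw 20) mW, 0.5 mW = $(mw_to_dbm 0.5) dBm"
echo "ER over 40 km: margin $(link_margin 16 40 0.25 4 0.5) dB"
echo "C11: $(dwdm_channel 11) (THz nm)"
```

`dwdm_channel 11` gives 191.10 THz and 1568.77 nm, which is how the C11 row above can be checked. The 4 dB left in the demo is what remains for splices, ageing and the patch panel somebody adds later; plan for at least 3 dB of margin.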

 

Classified in : MISC