Afenioux's Blog page - 3am; darkness; Maintenance window closing. Safety net: rollback.

FreeBSD Basics

Written by Arnaud 10 february 2015 no comments

If you choose to Install FreeBSD 10 on Proxmox, you MUST set CPU to QEMU64 or it won't boot (yes, it will be ok for install, but not for boot!)

If you choosed to install ssh and ntp, check they are enabled in /etc/rc.conf :

sshd_enable="YES"
ntpd_enable="YES"

remember to modify theses lines in /etc/ntp.conf to avoid beeing a bot in a DDoS amplification attack :

#restrict default kod nomodify notrap nopeer noquery #restrict -6 default kod nomodify notrap nopeer noquery # # Alternatively, the following rules would block all unauthorized access. restrict default ignore restrict -6 default ignore

and "service ntpd restart"

To allow root login in ssh and disable password authentication, edit /etc/ssh/sshd_config :

PermitRootLogin yes PasswordAuthentication no

and "service sshd restart"

Update the system:

freebsd-update fetch
freebsd-update install

Search and Install new software with PKGNG (binary):

pkg search tcpdump pkg install tcpdump

Check installed packages and get details on a specific one :

pkg info pkg info tcpdump

Check for update and upgrade packages :

pkg update pkg version pkg upgrade

(more about packages install and ports : https://www.freebsd.org/doc/handbook/ports-finding-applications.html )

View partitions list and type :

gpart show

See free memory (RAM) in MB :

pkg install freecolor freecolor -o -m

To use the BSD ports, first fetch and extract the list :

portsnap fetch
portsnap extract
portsnap fetch update

Find a port (if you know the name) :

#whereis nmap
nmap: /usr/ports/security/nmap

If you dont know the exact name, you can search :

# cd /usr/ports
# make search name=lsof

Compile & install (if the file pkg-message exists, you should read it!) :

cd /usr/ports/security/nmap
make install clean

or simply install a port with portmaster :

pkg install portmaster
portmaster -d sysutils/password-store

update all your ports :

portmaster -a

SSH configuration for Brocade MLX

Written by Arnaud 16 january 2015 no comments

Enable SSH

crypto key generate rsa modulus 2048
write mem
sync-standby

Disable SSH

This is definitely a bad idea!
The "best" to disable ssh, is to remove the host keys :

crypto key zeroize

Aha, you should disable telnet (but it's not enableb by default,unlike cisco!) :

no telnet server

Add a public key to log in without password

You have to "convert" manually your public key :

cat .ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA88pt28yU5jq4KZQ88nKsl2iYMhxatRv742Ak52c8/qIqivw+Drs9/r4ggnjCBrQ8+nycmc3Qe
DsAa7ci3bXUYebYHAuNbOF9QKJst2SquFSGUu5kGGDxNhdiYdVVuqH/DEzXN+CXaLexykSPfe/YpHRhHVK4Zhv1Vbr8pmLTtaOBep
dCUE+s9anqzDHRIfm6b/3XJSLlXx95mi4Yj/0BEM6SYHzsAr0jhlfvbA84HZpzQBrEi7dHrylm6UDtPXSWkZq3Ki+rMED6ZUUjWVL
O0YuVq5NJi9EkgbVSbhK+hr9BndLOpl0jUrjxHT4mtz7p+RTM5Wm3G7AB54LzNhxHWQ== afenioux@franceix.net

becomes :

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "afenioux@franceix.net"
AAAAB3NzaC1yc2EAAAABIwAAAQEA88pt28yU5jq4KZQ88nKsl2iYMhxatRv742Ak52c8/qIqivw+Drs9/r4ggnjCBrQ8+nycmc3Qe
DsAa7ci3bXUYebYHAuNbOF9QKJst2SquFSGUu5kGGDxNhdiYdVVuqH/DEzXN+CXaLexykSPfe/YpHRhHVK4Zhv1Vbr8pmLTtaOBep
dCUE+s9anqzDHRIfm6b/3XJSLlXx95mi4Yj/0BEM6SYHzsAr0jhlfvbA84HZpzQBrEi7dHrylm6UDtPXSWkZq3Ki+rMED6ZUUjWVL
O0YuVq5NJi9EkgbVSbhK+hr9BndLOpl0jUrjxHT4mtz7p+RTM5Wm3G7AB54LzNhxHWQ==
---- END SSH2 PUBLIC KEY ----

You have to put ALL the allowed public keys in the same file, they will be deleted otherwise!

ip ssh pub-key-file tftp 10.10.10.10 pkeys.txt

Remove all the clients keys :

 ip ssh pub-key remove

ACL on SSH

access-list 22 permit host 192.0.2.1
access-list 22 permit 10.10.0.0/16
ssh access-group 22

and obviously we think to l'IPv6

ipv6 access-list acl-ssh-in
  permit ipv6 2001:db8::/32 any
exit
ssh access-group ipv6 acl-ssh-in

About SSH

see actives connections :

sh ip ssh

see parameters :

sh ip ssh config

list of authorized (public) keys :

sh ip client-pub-key

SCP

SCP is enable by default... just use it!

presentation at NetSecure Day 2014

Written by Arnaud 08 december 2014 no comments

This is the presentation I made (in french) for the #NetSecureDay 2014 conference (http://www.netsecure-day.fr/) the 4th december.

The presentation is more about "How is made Internet" than pure security...

http://www.afenioux.fr/doc/presentations/NSD-2014.pdf

Super SCP

Written by Arnaud 18 september 2014 no comments

I use this script to scp files as root to the distant server, so that I don't need to type "root@"

eg : arnaud@local:~$./scp file srv:/root

#!/bin/bash

# we check the last argument

if [ `echo ${!#} | grep ":"` ] ; then

# we pop $@

# sed s,a,b is same as sed s/a/b

# but no need to escape / :-)

list=$(echo $@ | sed s,\ ${!#},,)

scp -r $list root@${!#}

else

# we unshift $@

list=$(echo $@ | sed s,$1\ ,,)

scp -r root@$1 $list

fi

Linux and routing tables

Written by Arnaud 12 september 2014 no comments

To add another default gateway to a dedicated interface, in this example I want 2 interfaces and one default GW for each IP (my 2nd interface has IP 10.10.10.10)

ip route add default via 10.10.10.1 table 100
ip rule add from 10.10.10.10 table 100

ip rule list
ip route list table local
ip route list table 100

source & more : http://lartc.org/howto/lartc.rpdb.html

Switch CAM, TCAM and SDM

Written by Arnaud 20 august 2014 no comments

Cisco Catalyst switches use CAM and TCAM to store MAC addresses, ACL, QoS tables in order to have wire-speed switching : they are ASICs and search the entire memory in one operation.

The CAM (Content Addressable Memory) stores MAC addresses, VLAN and ports assignments. During a lookup, the CAM returns the address where the data is stored (the inverse of regular RAM). It is used on L2 swich.
The TCAM (Ternary Content Addressable Memory) is used on L3 switch to store the routing table (it is also used to store ACL and QoS information). During the lookup, keys are network and mask and result can be next-hop or action (permit or deny) for ACL.

Very well explained and detailed post : https://supportforums.cisco.com/document/60831/cam-vs-tcam

To see CAM and CAM usage (Theses commands were used on a 3750):

show mac address-table dynamic
show mac address-table count

To see TCAM usage :

show platform tcam utilization

To see routes that could'nt be inserted into TCAM :

show platform ip unicast counts

To view the number of route entries for each protocol :

show ip route summary

If you find a high number of prefixes not in TCAM, and a high TCAM usage, you should considering changing the SDM (switch database management) template.

To see the currently used SDM :

show sdm prefer

To see anoter SDM template :

show sdm prefer dual-ipv4-and-ipv6 routing

To apply a new sdm :

conf t

sdm prefer dual-ipv4-and-ipv6 routing

reload

In the worst case when the TCAM is full, "ip cef" is desactivated and switching is done by CPU,
to see CPU usage :

show processes cpu history

CEF (Cisco Express Forwarding) is a forwarding model in which all routing information is put into the FIB (forwarding information base). The FIB is used to store IP routing information (prefixes and next-hop), in addition to the FIB, CEF uses adjacency tables to store Layer 2 addressing information.

Source : http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/... and http://www.ciscopress.com/articles/article.asp?p=425816&seqNum=2

dBm / mW and DWDM

Written by Arnaud 07 august 2014 no comments

You will learn in this ticket : dBm/mW equivalence, Appx Attenuation/range (km), DWDM Channels length and Freq:

20dBm = 100mW

10dBm = 10mW

3dBm = 2mW

0dBm = 1mW

-3dBm = 0,5mW

-10dBm = 0,1mW

-20dBm = 0,01mW

do not trust distance, you should make your math (adding attenuation of your links/connectors):
10dB 2/10km LR
13dB 15km
16/24dB 40km ER
26/28dB 80km ZR
32db 120km
37dB 160km


Channel		      Lamda (nm) Freq (Thz)
72   (DWDM Channel C72)	1520,25	197,20
71   (DWDM Channel C71)	1521,02	197,10
70   (DWDM Channel C70)	1521,79	197,00
69   (DWDM Channel C69)	1522,56	196,90
68   (DWDM Channel C68)	1523,34	196,80
67   (DWDM Channel C67)	1524,11	196,70
66   (DWDM Channel C66)	1524,89	196,60
65   (DWDM Channel C65)	1525,66	196,50
64   (DWDM Channel C64)	1526,44	196,40
63   (DWDM Channel C63)	1527,22	196,30
62   (DWDM Channel C62)	1527,99	196,20
61   (DWDM Channel C61)	1528,77	196,10
60   (DWDM Channel C60)	1529,55	196,00
59   (DWDM Channel C59)	1530,33	195,90
58   (DWDM Channel C58)	1531,12	195,80
57   (DWDM Channel C57)	1531,90	195,70
56   (DWDM Channel C56)	1532,68	195,60
55   (DWDM Channel C55)	1533,47	195,50
54   (DWDM Channel C54)	1534,25	195,40
53   (DWDM Channel C53)	1535,04	195,30
52   (DWDM Channel C52)	1535,82	195,20
51   (DWDM Channel C51)	1536,61	195,10
50   (DWDM Channel C50)	1537,4	195,00
49   (DWDM Channel C49)	1538,19	194,90
48   (DWDM Channel C48)	1538,98	194,80
47   (DWDM Channel C47)	1539,77	194,70
46   (DWDM Channel C46)	1540,56	194,60
45   (DWDM Channel C45)	1541,35	194,50
44   (DWDM Channel C44)	1542,14	194,40
43   (DWDM Channel C43)	1542,94	194,30
42   (DWDM Channel C42)	1543,73	194,20
41   (DWDM Channel C41)	1544,53	194,10
40   (DWDM Channel C40)	1545,32	194,00
39   (DWDM Channel C39)	1546,12	193,90
38   (DWDM Channel C38)	1546,92	193,80
37   (DWDM Channel C37)	1547,72	193,70
36   (DWDM Channel C36)	1548,51	193,60
35   (DWDM Channel C35)	1549,32	193,50
34   (DWDM Channel C34)	1550,12	193,40
33   (DWDM Channel C33)	1550,92	193,30
32   (DWDM Channel C32)	1551,72	193,20
31   (DWDM Channel C31)	1552,52	193,10
30   (DWDM Channel C30)	1553,33	193,00
29   (DWDM Channel C29)	1554,13	192,90
28   (DWDM Channel C28)	1554,94	192,80
27   (DWDM Channel C27)	1555,75	192,70
26   (DWDM Channel C26)	1556,55	192,60
25   (DWDM Channel C25)	1557,36	192,50
24   (DWDM Channel C24)	1558,17	192,40
23   (DWDM Channel C23)	1558,98	192,30
22   (DWDM Channel C22)	1559,79	192,20
21   (DWDM Channel C21)	1560,61	192,10
20   (DWDM Channel C20)	1561,42	192,00
19   (DWDM Channel C19)	1562,23	191,90
18   (DWDM Channel C18)	1563,05	191,80
17   (DWDM Channel C17)	1563,86	191,70
16   (DWDM Channel C16)	1564,68	191,60
15   (DWDM Channel C15)	1565,50	191,50
14   (DWDM Channel C14)	1566,31	191,40
13   (DWDM Channel C13)	1567,13	191,30
12   (DWDM Channel C12)	1567,95	191,20
11   (DWDM Channel C11)	1568,67	191,10
10   (DWDM Channel C10)	1569,59	191,00
9   (DWDM Channel C09)	1570,42	190,90
8   (DWDM Channel C08)	1571,24	190,80
7   (DWDM Channel C07)	1572,06	190,70
6   (DWDM Channel C06)	1572,89	190,60
5   (DWDM Channel C05)	1573,71	190,50
4   (DWDM Channel C04)	1574,54	190,40
3   (DWDM Channel C03)	1575,37	190,30
2   (DWDM Channel C02)	1576,20	190,20
1   (DWDM Channel C01)	1577,03	190,10

Juniper basics

Written by Arnaud 07 august 2014 no comments

First step is to read these "day one" free books : http://www.juniper.net/us/en/community/junos/training-certification/day-...

I choosed Configuring Junos Basics, and Junos for IOS Engineers.

I've also followed http://www.x83.net/first-steps-configuring-juniper-routers/ and

http://www.firstdigest.com/2012/06/juniper-first-steps-after-power-on-th...

Now, let's get a Switch! for my first try I had 2 QFX5100 : https://twitter.com/afenioux/status/496269731171946497

The default login is "root" and there is no password, once logged in, type "cli" to enter into the Juniper CLI.

Show status and desc of the interfaces :
show interfaces descriptions

Enter "config mode" :

edit

Show binding with agregated ethernet interface (PortChannel), we use "run" in edit mode (like a cisco "do"):

run show interfaces terse

Show config in indented mode

show configuration

Show config as you would type it:

show configuration | display set

You can double pipe and use match (cisco "include"):

show configuration | display set | match interface

Set a description to an interface, and show its config:
edit interface xe-0/3/6 set description "my INT description" show

Shutdown an interface (you are not obliged to edit into the interface mode):
set interfaces xe-0/3/2 disable

See you modifications before commiting:
show | compare

Apply your configuration changes
commit

Apply you configuration, and schedule a rollback (by default) in 10 min :
commit confirmed

Check your config before commit (or confirm commit after a "commit confirmed"):
commit check

See the configuration history:

show system commit

"deactivate" comment the config, good for tests, delete is delete :

deactivate system syslog

delete system syslog

Activate SSH to login, and set an IP on the managment interface (with a default route) :

set system services ssh

set interfaces vme unit 0 family inet address 192.168.1.100/24

set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1

Show random (but usefull) tips:

help tip cli

List the Serial numbers and the type of all components (SFP / FPC (LineCard) / PFE (Switch Fabric)/ PS...):
show chassis hardware

Show optical level and power information of an optic:
show interfaces diagnostics optics xe-0/2/3

Start a shell (with your id or as root)
start shell start shell user root

Show all log (but only last lines) :
show log messages | last

enable/disable debuging (caution!) in is example we "tail" the messages logs :
monitor start messages monitor stop messages

Watch interface statistics in live :
monitor interface xe-0/3/6