Posts tagged ‘software’

Fun with hping3

I was bored so decided to play with hping3 a bit tonight.

[jlgaddis@bertram:~]$ sudo hping3 --udp -p 10000 --destport 10000 --flood 192.168.1.12
HPING 192.168.1.12 (eth0 192.168.1.12): udp mode set, 28 headers + 1400 data bytes
hping in flood mode, no replies will be shown

I have the same thing running on 192.168.1.12 as well, so the traffic is “bi-directional”.

c1811# sh int fa7 | in put\ rate
  5 minute input rate 96657000 bits/sec, 8404 packets/sec
  5 minute output rate 93537000 bits/sec, 11389 packets/sec

HP: “It seems that you have discovered an anomaly.”

-----Original Message-----
From: PCC-Americas
Sent: Friday, December 19, 2008 5:22 PM
To: Jeremy L. Gaddis
Subject: RE: en-us: Possible bug in K.13.45 (5400zl series)?

Dear Jeremy,

Thank you for contacting HP ProCurve Networking.

It seems that you have discovered an anomaly.  We would like to
investigate this for you.  At your convenience, would you mind
collecting the textual output of the command, "show tech all" as
issued within the CLI of the switch?  Please follow-up the text
capture by again issuing the "show ip igmp config" command.

We will work with our engineers to reproduce this issue, and
identify its root cause.

Thank you very much for contacting HP ProCurve Networking Support.
We hope to hear from you soon.

Sincerely,
Linda
HP ProCurve Networking

Here’s what I was seeing (serial numbers of my installed GBICs “sanitized”). This was on an HP ProCurve 5406zl:

SWITCH# show ip igmp config

 IGMP Service

                       IGMP     Forward with   Querier  Querier
  VLAN ID VLAN Name    Enabled  High Priority  Allowed  Interval
  ------- ------------ -------- -------------- -------- ---------
  1       DEFAULT_VLAN No       No             Yes      125
  2       VLAN2        No       No             Yes      125
  14      VLAN14       No       No             Yes      125
  16      VLAN16       No       No             Yes      125
  20      VLAN20       No       No             Yes      125
  30      VLAN30       No       No             Yes      125
  31      VLAN31       No       No             Yes      125
  32      VLAN32       No       No             Yes      125
  36      VLAN36       No       No             Yes      125
  38      VLAN38       No       No             Yes      125
  41      VLAN41       No       No             Yes      125
  42      VLAN42       No       No             Yes      125
  43      VLAN43       No       No             Yes      125
  64      VLAN64       No       No             Yes      125
        GBIC 1 (  Port A1): J4858C               XXXX2EK3W9
        GBIC 2 (  Port A2): J4858C               XXXX2EK3X4
        GBIC 3 (  Port A3): J4858C               XXXX2EK1Z2
        GBIC 4 (  Port A5): J4858C               XXXX2EK1RT
        GBIC 5 (  Port A7): J4858C               XXXX2EK2G4
        GBIC 6 (  Port A9): J4858C               XXXX2EK3FM
        GBIC 7 ( Port A11): J4858C               XXXX2EK3WD
        GBIC 8 ( Port A13): J4858C               XXXX2EK2NF
        GBIC 9 ( Port A14): J4858C               XXXX2EK4YD
        GBIC 10 ( Port A15): J4858C               XXXX2EK1HG
        GBIC 11 ( Port A16): J4858C               XXXX2EK5HA
        GBIC 12 ( Port A17): J4858C               XXXX2EK2CG
        GBIC 13 ( Port A18): J4858C               XXXX2EK2GH
        GBIC 14 ( Port A20): J4858C               XXXX2EK1RP
        GBIC 15 ( Port A21): J4859C               XXXX0EL04Y
        GBIC 16 ( Port A22): J4859C               XXXX0EL06W
        GBIC 17 ( Port A23): J4859C               XXXX4EL053
        GBIC 18 ( Port A24): J4859C               XXXX4EL02X
  78      VLAN78       No       No             Yes      125
  79      VLAN79       No       No             Yes      125
  80      VLAN80       No       No             Yes      125
  94      VLAN94       No       No             Yes      125
  96      VLAN96       No       No             Yes      125
  101     VLAN101      No       No             Yes      125
  110     VLAN110      No       No             Yes      125
  112     VLAN112      No       No             Yes      125
  128     VLAN128      No       No             Yes      125
  172     VLAN172      No       No             Yes      125
  192     VLAN192      No       No             Yes      125
  202     VLAN202      No       No             Yes      125
  4011    VLAN4011     No       No             Yes      125
  4012    VLAN4012     No       No             Yes      125
  4030    VLAN4030     No       No             Yes      125
  4040    VLAN4040     No       No             Yes      125
  4050    VLAN4050     No       No             Yes      125
  4060    VLAN4060     No       No             Yes      125
  4070    VLAN4070     No       No             Yes      125

Geez, an “anomaly”? Ya think? =)

rpmdb: Lock table is out of available locker entries

This morning, I received an e-mail from a cronjob on one of my production RHEL 5.2 servers:

From: Cron Daemon
To: Jeremy L. Gaddis
Cc:
Subject: Cron <root@SERVERNAME> run-parts /etc/cron.weekly

/etc/cron.weekly/makewhatis.cron:

rpmdb: Lock table is out of available locker entries
rpmdb: Unknown locker ID: b4a0
error: db4 error(22) from db->close: Invalid argument
error: cannot open Pubkeys index using db3 - Cannot allocate memory (12)

...

There were probably a couple hundred errors in that e-mail. I also received an e-mail from our RHN Satellite Server letting me know that this particular server had failed to check in. Logging in, I saw that, indeed, it had not been checking in with our satellite.

So, what to do? Google, of course! Fortunately, major over at Racker Hacker encountered this same issue about a year and a half ago and has already provided the fix for us:

[root@SERVERNAME ~]# tar cvzf rpmdb-backup.tar.gz /var/lib/rpm
[root@SERVERNAME ~]# rm /var/lib/rpm/__db.00*
[root@SERVERNAME ~]# rpm --rebuilddb
[root@SERVERNAME ~]# rpm -qa | sort # to make sure everything's okay

I wanted to verify that the cronjob would now successfully execute, so I invoked it manually:

[root@SERVERNAME ~]# sh /etc/cron.weekly/makewhatis.cron
[root@SERVERNAME ~]#

Success! It also seemed like a good time to go ahead and install the updates that were missing so I took care of those using yum.
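The same recovery wrapped in a shell function, as an added example (not from the original post): it refuses to proceed without a readable backup, deletes only the __db.* environment files, rebuilds, and then runs the query that had been failing. The directory argument and the RPM_BIN variable are assumptions added so the function can be tried against a scratch copy; with no arguments it acts on /var/lib/rpm with the system rpm.

```shell
#!/bin/sh
# rpmdb_recover: the backup / remove __db.* / --rebuilddb / verify sequence
# from the post, with a verified backup first and a sanity check afterwards.
# Added example, not from the original post. The directory argument and the
# RPM_BIN variable are assumed knobs; both default to the real paths.
set -u

rpmdb_recover() {
    dir="${1:-/var/lib/rpm}"
    backup="${2:-$PWD/rpmdb-backup-$(date +%Y%m%d%H%M%S).tar.gz}"
    rpm="${RPM_BIN:-rpm}"

    [ -f "$dir/Packages" ] || { echo "no Packages file in $dir" >&2; return 1; }

    # 1. Back up the whole directory and confirm the archive is readable
    #    before touching anything.
    tar czf "$backup" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    tar tzf "$backup" >/dev/null || { echo "backup unreadable" >&2; return 1; }

    # 2. Remove only the Berkeley DB environment files (__db.001, ...). They
    #    hold the lock/region tables that ran out of locker entries; the
    #    package data in Packages and the index files are left alone.
    rm -f "$dir"/__db.0*

    # 3. Rebuild the indexes from Packages.
    "$rpm" --dbpath "$dir" --rebuilddb || return 1

    # 4. Sanity check: the query that blew up in the cron mail must work
    #    again and list at least one package.
    count=$("$rpm" --dbpath "$dir" -qa | wc -l | tr -d ' ')
    [ "$count" -gt 0 ] || { echo "rpm -qa returned nothing" >&2; return 1; }
    echo "rebuilt $dir ($count packages); backup at $backup"
}
```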

Many thanks to major at Racker Hacker for the fix!

Installing the Vista Telnet Client

Today, once again, I got annoyed by someone complaining about Microsoft “not including” a telnet client with Windows Vista, so here I am.

Most people will simply use another telnet client: PuTTY, TeraTerm Pro, or — my personal favorite — SecureCRT. The truth is, however, Microsoft actually did include a telnet client with Windows Vista. The problem is that it simply is not installed by default. Below is a step-by-step guide detailing how to install it:

  • Start by opening up the Control Panel by clicking the Start button, then “Control Panel”.
  • Once in the control panel, click on “Programs”.
  • Under “Programs and Features”, click on “Turn Windows features on or off”.
  • If you get a “User Account Control” popup asking for your permission, click “Continue”.
  • In the “Windows Features” window that appears, scroll down and click the checkbox next to “Telnet client”.
  • Click the “OK” button.
  • Windows will then make you wait a random period of time while it installs the telnet client.
  • Close the “Control Panel” window.

At this point, you can open up a command prompt (click “Start”, “All Programs”, “Accessories”, and “Command Prompt”) and start the telnet client by typing in “telnet” and pressing the Enter key.

See, wasn’t that simple!?

Programmers vs. the Universe

  • “Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning.” –Unknown

I have no idea where this quote originated; if you do, let me know so that I can give proper credit.

VMware Converter 4.0 Standalone Beta

From an e-mail I received Tuesday:

Hello Jeremy,

Thank you for your interest in VMware beta programs. Our upcoming release of VMware Converter 4.0 Standalone product includes many exciting enhancements that our customers have been requesting including P2V support for Linux and Win 2K8 sources, hot cloning enhancements as well as workflow automation enhancements. We are certain you will find participation in this beta program a valuable experience. We are looking forward to working closely with you during this beta program.

As part of this beta, we request you to extensively test several areas of feature enhancements including P2V support for Linux and Win 2K8 sources, hot cloning enhancements as well as workflow automation enhancements. Your active participation in this beta program is critical. We appreciate and value your efforts to install upon downloading the software and actively provide us with your valuable product feedback.

I’m just about (in the next week or so) to attempt to P2V a Red Hat Enterprise Linux 4 host over to ESX, so maybe I’ll give the new 4.0 beta a shot. Anyone used it yet, especially to P2V Linux hosts? I am, of course, interested in hearing feedback on it.

Configuring FreeRADIUS to support Cisco AAA Clients

In this demonstration, we’re going to install FreeRADIUS onto a CentOS 5.2 server and configure it to support AAA on Cisco devices.

“FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. It is also widely used in the academic community, including eduroam. The server is fast, feature-rich, modular, and scalable.” –FreeRADIUS home page

I’ve been using FreeRADIUS in production for a few years now, mostly to support wireless users. One of the benefits of FreeRADIUS — besides being open source, of course — is the number of backends one can use for authentication:

“If a password is not available locally for some reason, the server can pass the authentication to another system such as LDAP, PAM, Unix (/etc/passwd), Kerberos, Active Directory, or RADIUS server via RADIUS proxying. Local programs (e.g. CGI scripts) can also be used to authenticate users via shell scripts or any other method. Perl or Python scripts can be pre-loaded into the server, which significantly lowers the cost of running such programs.”

Powerful, huh? Indeed.

For this demonstration, I’m installing a new CentOS 5.2 virtual machine on my MacBook under VMware Fusion. Installing the operating system, however, is beyond the scope of this document. Also, we’ll just be using the local system database for now — we’ll save SQL and LDAP (perhaps even Active Directory) authentication for later. After we get FreeRADIUS up and running, we’ll set up a user account and then configure a Cisco router to use RADIUS for authentication.

Let’s begin with installing FreeRADIUS by running (as root) the following command:

[root@bertram ~]# yum -y install freeradius

“yum” should have gone out, grabbed the appropriate packages and dependencies, and installed them. If the end of your output looks like this, you’re all set:

Complete!
[root@bertram ~]#

Because FreeRADIUS will need to use the local system database for authentication, we need to set ‘user = root’ and ‘group = root’ in radiusd.conf. This is easy enough: just open up /etc/raddb/radiusd.conf and change the lines that read “user = radiusd” and “group = radiusd” to “user = root” and “group = root”, respectively. Note that this (running our daemons as root) is almost always something we want to avoid. Using other authentication backends, such as SQL or LDAP, would not require this change and would allow the FreeRADIUS service to run under the default “radiusd” unprivileged account.

Next, we need to let FreeRADIUS know about our NAS — in this case, our Cisco router. For the sake of this demonstration, our router (R1) will have IP address 192.168.1.201. We’ll also need a shared secret that the router and RADIUS server use. Let’s use the ever popular “SECRET_KEY”. Add the following to the end of /etc/raddb/clients.conf:

client 192.168.1.201 {
        secret = SECRET_KEY
        shortname = R1
        nastype = cisco
}

Then, on the FreeRADIUS side, we need to create a user account in the local user database that we’ll use for actually authenticating to R1. Nothing special here, just creating a new user account and setting the password. I’ve passed the plain-text password into “passwd” via stdin so that you can see it. Normally, we wouldn’t do that — just run “passwd cisco” and enter the password when prompted:

[root@bertram ~]# /usr/sbin/useradd cisco
[root@bertram ~]# echo secret | passwd --stdin cisco
Changing password for user cisco.
passwd: all authentication tokens updated successfully.
[root@bertram ~]#

We now have a local user named “cisco” with a password of “secret” that we’ll use when it comes time to authenticate to R1. Before we can do that, however, we must let FreeRADIUS know about the user. Append the following to /etc/raddb/users:

cisco   Auth-Type := System
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

This notifies FreeRADIUS of a local user account named “cisco”. Using the “cisco-avpair” attribute in this manner allows us to automatically assign privilege level 15 to the user, removing the requirement for the user to issue “enable” (and the enable secret) in order to gain elevated access.

Let’s get started configuring R1. I’m going to assume that you’re starting from a default configuration. The first thing we want to do is create a “fallback” user account (on the router itself) that we can use to authenticate if, for some reason, connectivity to the RADIUS server is lost. Let’s create a user named “admin” with a password of “letmein”:

R1(config)#username admin privilege 15 secret letmein

Under normal circumstances, we’ll never use this local account — only when the RADIUS server is unavailable.

Next, I need to configure the interface on R1 and verify that we can ping the RADIUS server. Assuming you already have your router up and running, you can likely skip this step:

R1(config)#interface fastethernet 3/0
R1(config-if)#ip address 192.168.1.201 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Mar  1 00:10:14.635: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
*Mar  1 00:10:15.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
R1(config-if)#do ping 192.168.1.51

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.51, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/11/24 ms
R1(config-if)#

Excellent, all set! Let’s start configuring R1 for AAA:

R1(config)#aaa new-model
R1(config)#radius-server host 192.168.1.51 auth-port 1812 acct-port 1813 key SECRET_KEY

AAA should now be enabled on R1. Note that we provided the IP address of the RADIUS server as well as the shared secret we configured in FreeRADIUS earlier. In addition, we must specify the “auth-port” and “acct-port” used by FreeRADIUS, as these are different from Cisco’s defaults (1645 and 1646). Let’s configure authentication:

R1(config)#aaa authentication login default group radius local
R1(config)#line vty 0 4
R1(config-line)#login authentication default
R1(config-line)#line con 0
R1(config-line)#login authentication default

Here, we’ve told R1 to use RADIUS for authentication and to fall back to the local user database if the RADIUS server is not available. We don’t want to DoS ourselves!

The following command will allow the user to run an “exec” shell when logging into the router:

R1(config)#aaa authorization exec default group radius if-authenticated

Last, but not least, we want accounting (the final “A” in “AAA”):

R1(config)#aaa accounting exec default start-stop group radius
R1(config)#aaa accounting system default start-stop group radius

That should be enough to allow us to log in with the local (Linux) system account “cisco” that we created earlier. Let’s give it a shot:

macbook:~ jlgaddis$ telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.


User Access Verification

Username: cisco
Password:

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  administratively down down
Ethernet0/1                unassigned      YES unset  administratively down down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Serial1/0                  unassigned      YES unset  administratively down down
Serial1/1                  unassigned      YES unset  administratively down down
Serial1/2                  unassigned      YES unset  administratively down down
Serial1/3                  unassigned      YES unset  administratively down down
FastEthernet3/0            192.168.1.201   YES manual up                    up
R1#exit
Connection closed by foreign host.
macbook:~ jlgaddis$

Success! We’ve installed FreeRADIUS, added a local user account, set up the NAS client (R1) and configured it to authenticate against the RADIUS server. Let’s take a look at what was logged by FreeRADIUS:

[root@bertram ~]# cat /var/log/radius/radacct/192.168.1.201/detail-20081119
Wed Nov 19 00:24:47 2008
        Acct-Session-Id = "00000005"
        User-Name = "cisco"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port = 130
        NAS-Port-Id = "tty130"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.1.49"
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 192.168.1.201
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.1.201
        Acct-Unique-Session-Id = "31b757fca2145e79"
        Timestamp = 1227072287

Wed Nov 19 00:25:14 2008
        Acct-Session-Id = "00000005"
        User-Name = "cisco"
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = User-Request
        Acct-Session-Time = 27
        Acct-Status-Type = Stop
        NAS-Port = 130
        NAS-Port-Id = "tty130"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.1.49"
        Service-Type = NAS-Prompt-User
        NAS-IP-Address = 192.168.1.201
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.1.201
        Acct-Unique-Session-Id = "31b757fca2145e79"
        Timestamp = 1227072314

[root@bertram ~]#
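As an added example (not part of the original post), a small Python parser for the detail file shown above: it pairs each Start with its Stop by NAS address and Acct-Session-Id, checks that the elapsed Timestamps agree with the router-reported Acct-Session-Time, and lists sessions that started but never stopped, which is what you want when reviewing who logged into R1 and when. The sample records are constructed from the ones above, with a third, unterminated session added.

```python
"""Pair Start/Stop records from a FreeRADIUS 'detail' accounting file."""
import re

# Constructed sample, trimmed from the detail-20081119 records above, plus a
# third record (session 00000006) that has a Start but no matching Stop.
SAMPLE_DETAIL = """\
Wed Nov 19 00:24:47 2008
\tAcct-Session-Id = "00000005"
\tUser-Name = "cisco"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "192.168.1.49"
\tNAS-IP-Address = 192.168.1.201
\tTimestamp = 1227072287

Wed Nov 19 00:25:14 2008
\tAcct-Session-Id = "00000005"
\tUser-Name = "cisco"
\tAcct-Terminate-Cause = User-Request
\tAcct-Session-Time = 27
\tAcct-Status-Type = Stop
\tCalling-Station-Id = "192.168.1.49"
\tNAS-IP-Address = 192.168.1.201
\tTimestamp = 1227072314

Wed Nov 19 00:30:00 2008
\tAcct-Session-Id = "00000006"
\tUser-Name = "cisco"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "192.168.1.49"
\tNAS-IP-Address = 192.168.1.201
\tTimestamp = 1227072600
"""
# One attribute line: leading whitespace, name, '=', optionally quoted value.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')


def parse_detail(text):
    """Yield one dict per record; the timestamp header is kept as '_header'."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"_header": lines[0]}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        yield rec


def pair_sessions(records):
    """Match Stops to Starts by (NAS-IP-Address, Acct-Session-Id); return
    (closed, open_) where open_ holds Starts that never received a Stop."""
    starts, closed = {}, []
    for rec in records:
        key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            starts[key] = rec
        elif status == "Stop" and key in starts:
            start = starts.pop(key)
            # Wall-clock duration from the two Timestamps, cross-checked
            # against the Acct-Session-Time the NAS itself reported.
            duration = int(rec["Timestamp"]) - int(start["Timestamp"])
            closed.append({"user": rec.get("User-Name"), "nas": key[0],
                           "from": rec.get("Calling-Station-Id"),
                           "cause": rec.get("Acct-Terminate-Cause"),
                           "duration": duration, "consistent":
                           duration == int(rec.get("Acct-Session-Time", -1))})
    return closed, list(starts.values())
```

Pass open(path).read() of a real detail file to parse_detail() in place of the sample; a Start without a Stop can mean a session still open, or accounting packets that never reached the server.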

If there’s interest, I may expand on this later to include huntgroups, multiple RADIUS servers, using MySQL for accounting, or even throw some LDAP and/or Active Directory authentication into the mix. If you’re interested, please leave a comment below!

Upgrading DD-WRT on the Buffalo WHR-G125

While browsing through my archives tonight, my thoughts went back to the reliable little Buffalo WHR-G125 router/access point over in the corner. Back in January, I wrote about having issues with my MacBook’s wireless and upgrading to — at the time — the latest version of DD-WRT to see if it would help with the issues.

Many months have passed since then and the wireless issues have gone away. Unfortunately, I don’t really remember when they went away, so I’m not sure whether it had anything to do with the firmware upgrade or not.

Regardless, I browsed over to the DD-WRT site again to see if there was newer firmware available. There was, so I decided to upgrade. Upgrading to the latest version was really easy:

[jlgaddis@cleveland ~]$ ssh root@ap
root@ap's password:
root@router:~# cd /tmp
root@router:/tmp# wget http://tinyurl.com/5qv69u
root@router:/tmp# write dd-wrt.v24_vpn_generic.bin linux

At this point, we have a few minutes to kill. The flash memory isn’t the fastest in the world, and it’ll take a bit to save the file to flash. Once it’s done and our prompt has come back, we just need to reboot.

root@router:/tmp# reboot

Give the router a minute or two to reboot, and we should be able to log in again:

[jlgaddis@cleveland ~]$ ssh root@ap
DD-WRT v24 vpn (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
root@ap's password:
==========================================================

 ____  ___    __        ______ _____         ____  _  _
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || |
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_|

                       DD-WRT v24
                   http://www.dd-wrt.com

==========================================================


BusyBox v1.11.1 (2008-07-27 16:20:53 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@router:~# exit
Connection to ap closed.
[jlgaddis@cleveland ~]$

mccain campaign laptop stolen

computer world is reporting that:

a laptop containing “strategic information” was stolen from a campaign field office of presidential contender John McCain.

The laptop contained “strategic information for the [Republican party] on how we are going to reach out to people in the Kansas City area.”

i guess they’ve never heard of pgp or whole disk encryption, in general, both of which i use and recommend.


trainsignal’s ccnp video course

iman jalali, director of sales and support at trainsignal, was nice enough to send me a free copy of their ccnp video course.

the ccnp certification training package, according to the website, contains over 50 hours of training for the bsci, bcmsn, ont, and iscw exams for the ccnp certification.

the videos are led by chris bryant, ccie, who never misses an opportunity to try to get you to visit his own website (link intentionally missing), where he sells his own training products as well. i don’t particularly care for him, but i’ll try not to let that bias my opinion of trainsignal’s course as a whole. i hope to “review” it here soon.