Wednesday, November 26, 2008

Installing GNS3 Latest on Mandriva 2008.1

1. Get the code from http://code.gns3.net/hgwebdir.cgi/gns3-devel/summary
2. Extract it into your home folder.
3. Run `sudo python setup.py install` — this assumes all dependencies have already been installed. Note that it executes the freshly downloaded setup.py as root, so only do this with code fetched from the project's own repository.
4. Copy the pemu folder to /usr/local/.
5. Then set the preferences.

Latest has been installed.

Monday, November 10, 2008

Cisco PIX, VPN config example

Cisco link


Cisco Router and PIX VPN Configuration Example list at Cisco.com

DHCPD - sample conf file

/etc/dhcpd.conf for DHCP Server - Centos 4.5


#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
#
# Serves 192.168.253.0/24: dynamic leases from .3 to .100, default gateway
# .254, the two ISP resolvers plus a local one, and three hosts pinned to
# fixed addresses by MAC.
ddns-update-style interim;
ignore client-updates;

default-lease-time 600;
max-lease-time 7200;
subnet 192.168.253.0 netmask 255.255.255.0 {
option routers 192.168.253.254;
option subnet-mask 255.255.255.0;
option domain-name-servers 203.115.130.40 , 203.115.130.42 , 192.168.254.10;
range 192.168.253.3 192.168.253.100;
# Windows xp Machine 1
# NOTE(review): this fixed-address is in 192.168.254.0/24, not in the
# 192.168.253.0/24 subnet declared above, so a client on this segment
# would be handed an address it cannot use with the .253.254 router.
# Verify whether 192.168.253.101 was meant.
host jagapewks002 {
hardware ethernet 00:0c:29:3c:b7:4c;
fixed-address 192.168.254.101;
}
}
# xp pc2
# NOTE(review): same 192.168.254.x vs 192.168.253.0/24 mismatch as above.
host xppx2 {
hardware ethernet 00:0b:29:3a:a4:7c;
fixed-address 192.168.254.102;
}
#Mandriva Desktop
# Outside the dynamic range; this is also the host the gateway script
# below forwards inbound port 80 to.
host mandriva-desktop {
hardware ethernet 00:15:6a:cF:5E:21;
fixed-address 192.168.253.1;
}

IPTABLES - sample

I used this in my test internet gateway.


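#!/bin/bash
# Firewall and NAT for a small test Internet gateway.
#
#   $INTERNET (ppp0)  untrusted side, the PPP link
#   $LAN      (eth0)  trusted side, 192.168.253.0/24
#
# The ruleset is flushed and rebuilt from scratch, so run this as root and
# do not interrupt it: the INPUT/OUTPUT policies are ACCEPT, which leaves
# the box open between the flush and the DROP rules below.
# NOTE(review): nothing here enables IP forwarding (net.ipv4.ip_forward);
# it is assumed to be switched on elsewhere.
ipt="iptables"
mod="/sbin/modprobe"
INTERNET="ppp0"
LAN="eth0"
LAN_NET="192.168.253.0/24"
WEB_HOST="192.168.253.1"   # LAN host that receives inbound port 80

# Public address of the PPP link, taken from old-style ifconfig output
# ("inet addr:A.B.C.D ...").  Empty when the link is down; the port-80
# DNAT below is then skipped instead of handing iptables an empty -d.
public_ip=$(ifconfig "$INTERNET" 2>/dev/null | grep inet | gawk '{print $2}' | cut -d: -f2)

# Kernel modules: filter/nat/mangle tables, connection tracking, and the
# FTP/IRC helpers.
$mod ip_tables
$mod iptable_filter
$mod iptable_nat
$mod ip_conntrack
$mod iptable_mangle
$mod ipt_MASQUERADE
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc

# Start from an empty ruleset: flush every table and delete custom chains.
for table in filter nat mangle; do
  $ipt -t "$table" -F
  $ipt -t "$table" -X
done

#--- INPUT: traffic addressed to the gateway itself -----------------------
# The policy stays ACCEPT as in the original; protection of the box comes
# from the explicit DROP rules, so order matters (first match wins).
$ipt -P INPUT ACCEPT
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

# Services deliberately exposed on the Internet side.  These must precede
# the catch-all SYN drop below; placed after it (as they originally were)
# they could never match a new connection.
$ipt -A INPUT -i "$INTERNET" -p tcp -m tcp --dport 8910 -j ACCEPT
$ipt -A INPUT -i "$INTERNET" -p tcp -m tcp --dport 8999 -j ACCEPT

# Remote hosts trusted to reach anything on the gateway.
# NOTE(review): a hostname is resolved once, when the rule is loaded, to
# whatever address the resolver returns at that moment -- use a fixed
# address if this rule is meant to be trustworthy.
$ipt -A INPUT -i "$INTERNET" -s checkip.dyndns.com -j ACCEPT
$ipt -A INPUT -i "$INTERNET" -s 124.107.2.226 -j ACCEPT
$ipt -A INPUT -i "$INTERNET" -s 125.212.34.154 -j ACCEPT

# ISP resolvers, udp and tcp 53.  NOTE(review): these match packets *to*
# port 53 on the gateway; DNS replies carry 53 as the *source* port, so
# confirm this is what was intended.
for dns in 203.115.130.40 203.115.130.42; do
  $ipt -A INPUT -i "$INTERNET" -s "$dns" -p udp -m udp --dport 53 -j ACCEPT
  $ipt -A INPUT -i "$INTERNET" -s "$dns" -p tcp -m tcp --dport 53 -j ACCEPT
done

# Everything else from the Internet: no privileged ports, no new TCP
# connections, no ping.  LOG is non-terminating, so it has to come before
# the DROP (the original logged after dropping and never wrote anything);
# rate-limited so a scan cannot flood the log.
$ipt -A INPUT -i "$INTERNET" -p udp -m udp --dport 0:1023 \
  -m limit --limit 3/second --limit-burst 5 -j LOG --log-prefix "DROP-UDP "
$ipt -A INPUT -i "$INTERNET" -p tcp -m tcp --dport 0:1023 -j DROP
$ipt -A INPUT -i "$INTERNET" -p udp -m udp --dport 0:1023 -j DROP
$ipt -A INPUT -i "$INTERNET" -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
$ipt -A INPUT -i "$INTERNET" -p icmp -m icmp --icmp-type 8 -j DROP

# NTP and DNS from any other interface (the Internet side never gets here
# for these ports because of the privileged-port drops above).
$ipt -A INPUT -p udp -m udp --dport 123 -j ACCEPT
$ipt -A INPUT -p udp -m udp --dport 53 -j ACCEPT

# Whatever reaches the end of INPUT from a real interface is logged.
# This is not a drop: with policy ACCEPT the packet is still delivered,
# so the prefix no longer claims "DROP" (the original did).
$ipt -A INPUT ! -i lo -m limit --limit 3/second --limit-burst 5 \
  -j LOG --log-prefix "INPUT-POLICY "

#--- OUTPUT: traffic from the gateway itself ------------------------------
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# The upper bound was 63335 in the original, a typo for the last port.
$ipt -A OUTPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT

#--- FORWARD: LAN <-> Internet through the gateway ------------------------
# Default DROP.  The LAN may open connections outward, replies may come
# back, and the only thing reachable from outside is the port-80 DNAT.
# (The original had policy ACCEPT *and* accepted NEW connections from the
# Internet into the LAN, i.e. it forwarded everything in both directions.)
$ipt -P FORWARD DROP
$ipt -A FORWARD -i "$LAN" -o "$INTERNET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i "$INTERNET" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i "$INTERNET" -o "$LAN" -p tcp -m tcp -d "$WEB_HOST" --dport 80 -j ACCEPT

#--- NAT --------------------------------------------------------------------
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT
# Masquerade everything leaving on the PPP link (its address may change).
$ipt -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE

# Inbound port 80 on the public address goes to $WEB_HOST.
if [ -n "$public_ip" ]; then
  $ipt -t nat -A PREROUTING -i "$INTERNET" -d "$public_ip" -p tcp -m tcp --dport 80 \
    -j DNAT --to-destination "${WEB_HOST}:80"
else
  echo "$0: no IPv4 address on $INTERNET; port-80 DNAT not installed" >&2
fi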

Friday, October 31, 2008

X11VNC at Fedora 8

I have a machine that needs to be accessed over VNC on its existing X session. x11vnc is not in the default Fedora 8 repositories, but it is available from the Dries repository, so I installed it from there by hand.

here's my config.

1. First, I created a password for authentication.


# Prompts for the VNC password and writes it to the given file.  Keep that
# file readable by its owner only -- it is the sole credential for the session.
x11vnc -storepasswd /home/user/.vnc/passwd


2. Now ready to run x11vnc

# Share the existing display :0 using the password file above, keep serving
# after the first client disconnects (-forever) and detach (-bg).
# NOTE(review): no -localhost is given, so presumably it listens on every
# interface; add -localhost and reach it through an ssh tunnel if it must
# not be exposed on the network.
x11vnc -rfbauth /home/user/.vnc/passwd -display :0 -forever -bg


That's it — I can now connect over VNC. Of course, make sure iptables lets you reach the port. Bear in mind that the VNC password exchange is weak and the session itself is not encrypted, so if the machine is reachable from anything but a trusted network, run x11vnc with -localhost and connect through an SSH tunnel instead of opening the port.

Tuesday, October 21, 2008

Nagios NDO Module - Remote mysqld

I'm installing the ndo2db module on my Nagios server, and the MySQL server has to live on a separate machine because of the load on the Nagios host itself. The configuration is below.

Portion of nagios.cfg

#nagios.cfg
#portion for ndo broker module config
# Loads ndomod as an event broker module; ndomod reads its own settings
# from the config_file given on the broker_module line.
# Controls what (if any) data gets sent to the event broker.
event_broker_options=-1
#event_broker_options=0
# This directive is used to specify an event broker module that should
#broker_module=/somewhere/module1.o
#broker_module=/somewhere/module2.o arg1 arg2=3 debug=0
broker_module=/usr/bin/ndomod.o config_file=/etc/nagios/ndomod.cfg


ndo2db.cfg


#ndo2db.cfg
# ndo2db daemon: receives event data from ndomod over TCP and writes it to
# a MySQL server on another host (10.254.1.47).
ndo2db_user=nagios
ndo2db_group=nagios
# TCP listener on tcp_port (socket_name is presumably ignored for
# socket_type=tcp).  NOTE(review): nothing in this file configures any
# authentication for that listener -- make sure 5668 is reachable only from
# ndomod on this host (ndomod.cfg sends to 127.0.0.1), e.g. firewall it on
# every other interface.
socket_type=tcp
socket_name=/var/log/nagios/ndo.sock
tcp_port=5668
# Remote database.  db_pass is stored here in clear text: keep this file
# readable by the nagios user only, and use something other than the
# placeholder shown on this page.
db_servertype=mysql
db_host=10.254.1.47
db_port=3306
db_name=nagios
db_prefix=nagios_
db_user=nagiosuser
db_pass=nagiospass
# Age limits for pruning stored records (apparently minutes: 1440 = one
# day, 10080 = one week).
max_timedevents_age=1440
max_systemcommands_age=10080
max_servicechecks_age=10080
max_hostchecks_age=10080
max_eventhandlers_age=44640
# Debug output -- leave at 0 once it works; the file can grow to
# max_debug_file_size bytes.
debug_level=2
debug_verbosity=2
debug_file=/var/log/nagios/ndo2db.debug
max_debug_file_size=1000000


and ndomod.cfg


# ndomod broker module: ships Nagios event data to the local ndo2db
# listener (127.0.0.1:5668, matching tcp_port in ndo2db.cfg).
instance_name=default
output_type=tcpsocket
output=127.0.0.1
tcp_port=5668
# Local spooling and reconnect behaviour, presumably used while ndo2db
# cannot be reached -- TODO confirm against the ndoutils docs.
output_buffer_items=5000
buffer_file=/var/log/nagios/ndomod.tmp
file_rotation_interval=14400
file_rotation_timeout=60
reconnect_interval=15
reconnect_warning_interval=15
# -1 here mirrors event_broker_options=-1 in nagios.cfg.
data_processing_options=-1
config_output_options=2


Other details:

Note: the installdb script inside the db folder of the extracted ndo2db source has to be run against the remote database, with the same settings as ndo2db.cfg:
db = nagios
db_user = nagiosuser
db_pass = nagiospass (a placeholder — use a real password; it is stored in clear text in ndo2db.cfg)
db_host = 10.254.1.47
#

Then login to mysql as privilege user

mysql -u root -p


create database nagios;
-- creating nagios db at 10.254.1.47 (the db_host used everywhere else on
-- this page; the original note said 10.10.1.47, which matches nothing here)
-- Scoped to the Nagios server's address (10.254.1.15) only, which is the
-- right thing; note the password typed here also ends up in ~/.mysql_history.
grant all privileges on nagios.* to 'nagiosuser'@'10.254.1.15' identified by 'nagiospass'; -- this gives access to database
#

# Creates the ndo tables in the remote nagios database.
# NOTE(review): -u nagios does not match the 'nagiosuser' account granted
# above -- verify which one exists.  The password is also passed on the
# command line, so it is visible in ps output and in the shell history.
./installdb -u nagios -p nagiospass -h 10.254.1.47 -d nagios -- install tables at nagiosdb

Installing now tables entries at db from 10.254.1.15 to 10.254.1.47

Monday, October 20, 2008

GNS3 LAB - AAA Tacacs on Linux

Still a very basic setup: a TACACS+ server on my desktop, connected through a GNS3 cloud object to the inside interface of the PIX firewall in the lab.



PIX Running config


pixfirewall# sh run


: Saved
:
PIX Version 8.0(2)
!
! GNS3 lab PIX.  inside = 192.168.254.0/24 with the TACACS+ server at .1,
! outside = 200.200.200.0/24.  Telnet logins are authenticated against
! TACACS+; enable is checked locally; enable and every command are
! accounted to TACACS+.  No command authorization is configured.
!
hostname pixfirewall
! NOTE(review): "enable password" and "passwd" below carry the same hash,
! which looks like the PIX factory default -- presumably nothing was set for
! this lab.  Set a real enable password before reusing this config.
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging enable
logging buffered informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! One-to-one translation pair between 192.168.254.1 (inside) and
! 200.200.200.10 (outside).  No access-list permits traffic in from the
! outside, so the outside->inside direction presumably stays unreachable
! until one is added.
static (outside,inside) 192.168.254.1 200.200.200.10 netmask 255.255.255.255
static (inside,outside) 200.200.200.10 192.168.254.1 netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server tacacs-linux protocol tacacs+
max-failed-attempts 4
aaa-server tacacs-linux host 192.168.254.1
! Shared secret; must match "key = cisco" in /etc/tac_plus.conf on the server.
! NOTE(review): a dictionary word, and it is published on this page.
key cisco
! NOTE(review): no LOCAL fallback on the telnet line -- if 192.168.254.1 is
! down, the serial console is presumably the only way in (no ssh hosts are
! defined below).
aaa authentication telnet console tacacs-linux
aaa accounting enable console tacacs-linux
aaa accounting command tacacs-linux
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
! Management: clear-text telnet, allowed only from the TACACS+ host on the
! inside; no ssh hosts are permitted.
telnet 192.168.254.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:21ca8ebca2ec428118bb83aa6c57a4ba
: end


Config for Tacac_plus on my Mandriva Box /etc/tac_plus.conf


#/etc/tac_plus.conf
# Shared secret; must be the same string as "key cisco" under the PIX
# aaa-server definition.  NOTE(review): a dictionary word, and it is now
# published on this page -- change it, and keep this file readable by root
# only, since it holds the key in clear text.
key = cisco

# Use /etc/shadow file to do authentication
# NOTE(review): the comment says /etc/shadow but the file named below is
# /etc/passwd.  On a system with shadowed passwords only the "ohbet" entry
# (login = file /etc/shadow) has hashes to check against -- verify that
# other accounts really authenticate, as the text below claims.

default authentication = file /etc/passwd

#Access logs

#access log = /var/log/tac_plus/%Y/%m/%d.access


# Where is the accounting records to go
# Every command the PIX accounts ends up here (see the tail -f output below).

accounting file = /var/log/tac_acc.log
logging = local6
#accounting file = "|exec /usr/bin/logger"
#All services are allowed..
# Any authenticated account gets every service; there is no per-command
# authorization here, and the PIX only sends accounting, so anyone who
# also knows the enable password is a full administrator.

user = DEFAULT {
default service = permit
}



# Profiles for user accounts

user = ohbet {
default service = permit
login = file /etc/shadow
}


So every account in /etc/passwd can log in, and after entering the enable password the session has privilege level 15. Note that nothing restricts commands — the PIX only does accounting (there is no aaa authorization command line) and tac_plus permits every service — so anyone who knows the enable password is a full administrator.


Some accounting records captured while making configuration changes; each entry shows the PIX address, the user field (enable_15 here), the source address of the telnet session and the exact command:


tail -f /var/log/tac_acc.log


Tue Oct 7 14:35:32 2008 192.168.254.254 enable_15 0 0.0.0.0 stop task_id=1 cmd=aaa accounting command TACACS service=shell elapsed_time=0
Tue Oct 7 14:37:08 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=2 cmd=configure terminal service=shell elapsed_time=0
Tue Oct 7 14:37:36 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=3 cmd=access-list in_nameif_outside rem "ACL from outside" service=shell elapsed_time=0
Tue Oct 21 09:12:57 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=1 cmd=aaa accounting command tacacs-linux service=shell elapsed_time=0
Tue Oct 21 09:13:07 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=2 cmd=write memory service=shell elapsed_time=0
Tue Oct 21 09:14:08 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=3 cmd=configure terminal service=shell elapsed_time=0
Tue Oct 21 09:14:40 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=4 cmd=static (outside,inside) 192.168.254.1 200.200.200.10 netmask 255.255.255.255 service=shell elapsed_time=0
Tue Oct 21 09:15:07 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=5 cmd=static (inside,outside) 200.200.200.10 192.168.254.1 netmask 255.255.255.255 service=shell elapsed_time=0
Tue Oct 21 09:15:12 2008 192.168.254.254 enable_15 23 192.168.254.1 stop task_id=6 cmd=write memory service=shell elapsed_time=0