• Apt-Get HTTP Proxy — One-Liner

    I have a few Debian servers that are behind a firewall and they don’t have direct access to the internet. “Protected Servers”. I occasionally have to update their packages via a web proxy in the DMZ. I know there are countless ways to do this, but I wanted a one-liner that I can use without having to modify the apt-get application or my host’s default proxy settings.
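    A one-liner of the kind the post describes, written here as an added example and not the author's own command: the proxy is passed on the command line for a single apt-get run, so neither /etc/apt/apt.conf nor the host's environment is touched. The proxy host and port (proxy.dmz.example:3128) are placeholders.

```bash
# Added example: apt-get through an HTTP proxy for one invocation only.
# Assumes a Squid-style proxy reachable from the protected server as
# proxy.dmz.example:3128 (placeholder). Nothing is written to /etc/apt/apt.conf
# or the environment, so the host's default (no proxy) behaviour is untouched.

apt_via_proxy() {
    proxy="$1"
    shift
    # Acquire::http::Proxy expects a URL; catch a bare host:port early
    # instead of letting apt fail with a less obvious error.
    case "$proxy" in
        http://*|https://*) ;;
        *)
            echo "apt_via_proxy: proxy must be an http:// or https:// URL, got '$proxy'" >&2
            return 2
            ;;
    esac
    # -o sets the option for this run only. Both the http and https acquire
    # methods are pointed at the proxy so mirrors on either scheme work.
    # Passing it as an apt option rather than as http_proxy= also survives
    # sudo, whose default env_reset strips proxy variables from the environment.
    sudo apt-get \
        -o Acquire::http::Proxy="$proxy" \
        -o Acquire::https::Proxy="$proxy" \
        "$@"
}

# Usage from the protected server:
#   apt_via_proxy http://proxy.dmz.example:3128 update
#   apt_via_proxy http://proxy.dmz.example:3128 -y upgrade
```

    apt verifies the Release/InRelease signatures itself, so a proxy you do not fully control can at worst serve stale indexes (bounded by the Valid-Until field), not modified packages. The https option only matters if any of your sources use https.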

    Hope this helps someone else, cheers!

  • Linux HP Proliant SNMP Agent setup

    I wanted to put together a quick post on configuring the hp-snmp-agent and hp-health agents on HP Proliant servers using Linux. I stumbled across the need for this while working on a project to implement Icinga to monitor server hardware via SNMP.

    First things first, check that you are running a compatible HP ProLiant G series. The current stable release of both hp-snmp-agent and hp-health only works with G5 and newer. This is important to keep in mind because I ran into this issue when trying to install both agents on a G4 ProLiant. The dpkg install would fail because it cannot start the hp-health agent under a G4 ProLiant. I am installing the agents on top of Debian 7.

        1. Let’s download the packages; check http://downloads.linux.hp.com/SDR/repo/mcp/debian/pool/non-free/ for the latest versions.
        2. You will need snmp, snmpd, and some other library files before installing the packages.
        3. Now install the two (2) agents. Start with hp-health first, then install hp-snmp-agent (hp-snmp-agent depends on hp-health, which is why the order matters).
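    The three steps above as one script, added here as an example and not taken from the post. It refuses to run on anything older than G5 (the failure the post describes) by reading the product name from DMI, then installs in the order given. The .deb file names are whatever you downloaded from the SDR pool and are passed in as arguments; the hp-health and hp-snmp-agents package and service names are assumed from HP's Debian repository.

```bash
# Added example: pre-flight generation check plus the install order from the
# steps above. Package file names come from the HP SDR pool and are passed
# in; the service names hp-health / hp-snmp-agents are assumed.

# Extract the generation number from a ProLiant product string such as
# "ProLiant DL380 G5" or "ProLiant DL360 Gen8". Prints nothing when no
# generation token is present.
proliant_generation() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]G\(en\)\{0,1\}\([0-9][0-9]*\).*/\2/p'
}

# hp-health (and therefore hp-snmp-agents) will not start on anything older than G5.
supported_generation() {
    gen=$(proliant_generation "$1")
    [ -n "$gen" ] && [ "$gen" -ge 5 ]
}

install_hp_agents() {
    health_deb="$1"
    snmp_deb="$2"
    product=$(dmidecode -s system-product-name 2>/dev/null || true)
    if ! supported_generation "$product"; then
        echo "refusing to install: '$product' is not a G5 or newer ProLiant" >&2
        return 1
    fi
    # Step 2: snmpd plus the net-snmp client tools the agents rely on.
    apt-get install -y snmp snmpd
    # Step 3: hp-health first, then hp-snmp-agents. If dpkg stops on a missing
    # library, apt-get -f pulls it in and finishes the configure step.
    dpkg -i "$health_deb" || apt-get install -f -y
    dpkg -i "$snmp_deb"   || apt-get install -f -y
    service hp-health status
    service hp-snmp-agents status
}

# Run as root on the target:
#   sh hp-agents.sh install /tmp/hp-health_*.deb /tmp/hp-snmp-agents_*.deb
if [ "${1:-}" = "install" ]; then
    shift
    install_hp_agents "$@"
fi
```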

    [Read More…]

  • What is an IPsec Site-to-Site VPN?

    What is IPsec?

    Most of the time when we are trying to establish site-to-site or LAN-to-LAN connectivity between two independent parties over an untrusted medium we rely on IPsec. Internet Protocol Security (IPsec) is an open standard suite of protocols used to authenticate and encrypt the IP packets of a connection. This provides data-origin authentication, data integrity and data confidentiality. IPsec can be used in a variety of ways: to secure host-to-host communication, network-to-network communication, or host-to-network (remote access). The most common type is network-to-network. An argument can be made that host-to-host is the same as network-to-network with /32s (i.e. 192.168.1.1/32 to 192.168.255.1/32). Anyway!

    IPsec allows us to form a secure virtual communication link over an untrusted medium such as the internet to allow LAN-to-LAN communication. Sound familiar? VPN anyone? For instance, if CompanyA with the 192.168.1.0/24 address space and CompanyB with the 172.16.1.0/24 address space require hosts on each of their networks to talk to one another, this can be accomplished with an IPsec tunnel. Hosts at CompanyA traverse the IPsec tunnel to CompanyB, which appears to them to be nothing more than another routed LAN. It’s a cheap and easy way to create this linked infrastructure without the need to buy or lay down physically dedicated cabling. Why not piggyback on an already existing insecure circuit and make it secure with IPsec!!

    Phase 1 and Phase 2 ???

    “Phase 1” — Before IPsec can even begin to send your data, the two peers negotiate and agree on how to create and secure the connection. The negotiation is performed by Internet Key Exchange (IKE). IKEv1 is a hybrid of three earlier key-management designs: ISAKMP supplies the framework and message formats, Oakley the key-exchange modes, and SKEME parts of the key-derivation method. They are components of IKE rather than alternatives you choose between, which is why Cisco labels the Phase 1 policy “ISAKMP”. Phase 1 does two things: first the peers agree on how to protect the negotiation itself (encryption and hash algorithms, Diffie-Hellman group, lifetime), then each endpoint authenticates the other (pre-shared key or certificates) to form a trust relationship. This all happens bidirectionally. Once both of those have completed we have successfully formed an IKE Security Association (SA) that maintains this trust. IKE uses the Diffie-Hellman key exchange to establish shared secret keying material between the two ends. After this secure channel is set up it is used in the next phase to negotiate the IPsec SAs, creatively called “Phase 2”. Keep in mind that a single Phase 1 SA can house multiple IPsec SAs! Perfect Forward Secrecy (PFS) does not change that; it makes each IPsec SA perform its own fresh Diffie-Hellman exchange instead of deriving its keys from the Phase 1 keying material, so that if the Phase 1 keys (or one IPsec SA’s keys) are ever compromised, the traffic of the other IPsec SAs under that Phase 1 SA is not exposed. Did I lose you? 🙂

    “Phase 2” — IKE is used to negotiate the IPsec SAs and how the data traffic should be protected. In this Security Association (SA), the actual networks at each end of the tunnel (the traffic selectors, a crypto ACL on Cisco gear) must be agreed upon and must mirror each other. If they do not, Phase 2 will never come up because the SAs are in mismatch (the classic “proxy ID mismatch”). Furthermore, in Phase 2 a Transform Set is agreed upon. The Transform Set is the method by which packets will be encrypted and transmitted out the tunnel interface: the protocol (ESP or AH), the encryption and integrity algorithms, and the mode. How should we transform the packets through the tunnel? Without PFS, the Phase 2 keys are derived from the keying material exchanged in Phase 1. If PFS is used, a fresh Diffie-Hellman exchange is performed and the keys are derived independently of Phase 1. The cost is time on every rekey; the benefit is that a single key compromise does not compromise all IPsec SAs. Keep in mind that Phase 2 must complete at both ends, and that IPsec SAs are unidirectional, so a pair is established for each tunnel. If the opposing side does not hold the matching SA it won’t know how to decrypt the data!!

    So in summary: IKE is used to protect Phase 1 and negotiate Phase 2, and IPsec (ESP or AH) is used to send the packets. If you want to understand these steps further, I recommend reading this overview. It is a great explanation. Also, if you haven’t already, bookmark PacketLife.net!!

    Tunnel vs Transport ??

    The difference between Tunnel and Transport mode: in Tunnel mode the complete original IP packet, header included, is encapsulated and protected, and a new outer IP header (gateway to gateway) is added; in Transport mode the original IP header is kept in the clear and only the IP payload, i.e. the TCP/UDP header and data, is protected. A site-to-site VPN uses Tunnel mode, because the gateways rather than the end hosts are the IPsec endpoints.
    (Diagram: tunnel vs. transport mode packet layout, from amaranten.com: http://www.amaranten.com/support/user%20guide/image146.gif)

    The Design:

    Openswan U2.6.37/K3.2.0-4-amd64 with NetKey support connecting to a Cisco ASA 5505 running version 9.1(3). I include the versioning because I read a lot of articles where the version of Openswan matters tremendously, and it also seems to influence what types of issues you might run into. The version I am running uses a fairly new feature called NetKey. From my research, this was introduced to make configuring an IPsec tunnel easier and to not require recompiling the Linux kernel.
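    To tie the Phase 1 / Phase 2 discussion to the design above, here is an added example (not the author's configuration) that writes the Openswan side of the CompanyA to CompanyB tunnel and checks that the traffic selectors on the two sides mirror each other, the mismatch that keeps Phase 2 from ever coming up. Gateway addresses (203.0.113.1, 198.51.100.1), algorithms, DH group and lifetimes are assumptions: each must match the ASA's isakmp policy, transform set and crypto ACL exactly.

```bash
# Added example: Openswan conn stanza for the CompanyA <-> CompanyB tunnel,
# plus a selector mirror check. Addresses, algorithms and lifetimes are
# assumptions that must match the Cisco ASA side.

# Print a conn stanza for /etc/ipsec.d/<name>.conf.
write_openswan_conn() {
    name="$1"; local_ip="$2"; local_net="$3"; remote_ip="$4"; remote_net="$5"
    cat <<EOF
conn $name
# Phase 1 (IKE SA): protect the negotiation, then authenticate each peer.
# ike= is enc-hash;DHgroup and must equal the ASA "crypto isakmp policy".
    keyexchange=ike
    ikev2=no
    authby=secret
    ike=aes256-sha1;modp1024
    ikelifetime=24h
# Phase 2 (IPsec SA): the transform set, renegotiated per child SA.
# pfs=yes forces a fresh DH exchange per child SA; the ASA crypto map
# then needs "set pfs group2" (modp1024) to match.
    type=tunnel
    phase2=esp
    phase2alg=aes256-sha1;modp1024
    pfs=yes
    keylife=8h
# Traffic selectors: mirror the ASA crypto ACL exactly or Phase 2 never comes up.
    left=$local_ip
    leftsubnet=$local_net
    right=$remote_ip
    rightsubnet=$remote_net
    auto=start
EOF
}

# Our left/right must be their right/left. Run this against the values
# configured on the ASA before loading the conn.
selectors_mirror() {
    our_local="$1"; our_remote="$2"; their_local="$3"; their_remote="$4"
    [ "$our_local" = "$their_remote" ] && [ "$our_remote" = "$their_local" ]
}

# Usage on the Openswan gateway:
#   write_openswan_conn companyA-companyB 203.0.113.1 192.168.1.0/24 198.51.100.1 172.16.1.0/24 \
#       > /etc/ipsec.d/companyA-companyB.conf
#   ipsec auto --add companyA-companyB && ipsec auto --up companyA-companyB
```

    The matching pre-shared key goes in /etc/ipsec.secrets as `203.0.113.1 198.51.100.1 : PSK "..."`, and the `config setup` section of ipsec.conf needs `protostack=netkey` for the stack the design above uses; `ipsec verify` confirms NetKey is in use and `ipsec auto --status` shows which phase a failing tunnel is stuck in.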
    [Read More…]

  • Reset ethX naming for Ubuntu/Debian

    I stumbled across this issue a long time ago and it is still present today. Adding or removing NICs from a Linux box, or even replacing them, renumbers or messes with the numbering of each NIC. For example, if you have 1 NIC and add a second, sometimes they won’t show up as eth0 and eth1; they will show up as eth0 and rename1. Or sometimes your original eth0 will be renamed to rename1 and the new NIC will be named eth0 when added. Yikes! Talk about confusion.

    It appears that this naming information is stored in /etc/udev/rules.d/70-persistent-net.rules, one line per NIC, keyed on the MAC address.

    So if you want to reset the numbering completely, delete this file and reboot! udev regenerates it on boot and you have clean eth# numbering again. Be aware that the new order is whatever the kernel enumerates, so on a remote box a NIC can come back under a different name than before.

    NOTE: You can also edit this file rather than deleting it, pinning each MAC address to the name you want.
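    Rather than deleting the file, the MAC-to-name mapping can be written out explicitly. The following is an added example, not from the original post; it emits rule lines in the format udev's persistent-net generator uses on Debian/Ubuntu of that era and refuses malformed MAC addresses or non-ethN names, so a typo does not silently leave a NIC unnamed. The MACs in the usage line are placeholders.

```bash
# Added example: pin NIC names to MAC addresses in 70-persistent-net.rules.
# Rule layout follows udev's persistent-net generator; MACs are placeholders.

RULES=/etc/udev/rules.d/70-persistent-net.rules

lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# Emit one rule line for MAC -> name. Fails on anything that is not six
# colon-separated hex bytes or a name of the form ethN.
udev_net_rule() {
    mac=$(lower "$1")   # sysfs reports lowercase and udev compares literally
    name="$2"
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo "udev_net_rule: '$1' is not a MAC address" >&2
        return 2
    fi
    case "$name" in
        eth[0-9]|eth[0-9][0-9]) ;;
        *) echo "udev_net_rule: '$name' is not an ethN name" >&2; return 2 ;;
    esac
    printf 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="%s", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="%s"\n' "$mac" "$name"
}

# Rewrite the rules file from name=mac pairs, keeping a copy of the old one:
#   pin_nic_names eth0=00:11:22:33:44:55 eth1=66:77:88:99:aa:bb
pin_nic_names() {
    tmp=$(mktemp)
    for pair in "$@"; do
        name=${pair%%=*}
        mac=${pair#*=}
        udev_net_rule "$mac" "$name" >>"$tmp" || { rm -f "$tmp"; return 2; }
    done
    if [ -f "$RULES" ]; then
        cp "$RULES" "$RULES.bak.$(date +%s)"   # the old file is the only record of the old mapping
    fi
    mv "$tmp" "$RULES"
    echo "wrote $RULES; reboot to apply" >&2
}

# To list the MAC of each present interface for the pairs above:
#   for d in /sys/class/net/eth*; do echo "$(basename "$d")=$(cat "$d/address")"; done
```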

  • Resetting Windows Administrator and the Linux Root passwords with Pictures!!

    Resetting the Windows administrator’s password or the Linux root account password is a common troubleshooting practice when faced with systems infected with malware, data corruption, and system recoveries. This article does not promote malicious use, but instead stresses the point that an account password does not protect your data.
    In principle, passwords are stored locally, and anything stored locally can be obtained and modified by whoever has physical access to the disk. For example, a hard drive can be removed and added to a different computer already running its own OS. That drive will now show up as a secondary (“slave”) drive and its contents are easily accessible. The only thing that actually protects data at rest against this is full-disk encryption. The following tutorial does not use any third-party tools, and relies only on the original media used to install the OS.

    [Read More…]

  • Linux Fibre Channel SCSI Target using SCST

    Fibre Channel (also spelled Fiber Channel) is another way to present SCSI devices over a network medium, using a completely different protocol suite than the one in my previous article on iSCSI. Fibre Channel typically delivers SCSI commands with higher throughput and lower latency than iSCSI. The fundamental difference between the two is that iSCSI uses the TCP/IP protocol suite to deliver SCSI messages, and Fibre Channel uses its own Fibre Channel protocol stack. This means that you will need network equipment that is Fibre Channel capable, such as Fibre Channel switches and Fibre Channel HBAs (the counterpart of TCP/IP NICs). For the purposes of this article I will not go into how Fibre Channel works, or how it delivers SCSI messages to and from SCSI initiators and SCSI targets. This article will step through how to turn a Linux machine into a Fibre Channel SCSI target. There are a few things you will need to even attempt this:

    • A Linux machine running kernel 3.2+
    • SCST and scstadmin (see the steps below)
    • A separate machine that will act as the Fibre Channel initiator; this can be another Linux machine, an ESX host, etc.
    • Two (2) Fibre Channel HBAs, one installed in each machine, each with at least one physical port (its own WWPN)
    • An OM2 or OM3 multi-mode fibre cable with connectors matching the HBAs
    • Enough disk space to create a virtual disk so we may present it as a LUN
    • And lastly, some excitement!! You are about to enter the new world of Fibre Channel!!
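    Added example (not the post's own configuration) of the scst.conf a scstadmin-managed target needs for the setup above: one file-backed virtual disk exported as LUN 0, visible only to the initiator WWN placed in a security GROUP, which is how LUN masking is done on the target itself (switch zoning is the other layer). The qla2x00t driver name, the WWNs and the image path are assumptions; the target's own WWN comes from /sys/class/fc_host/host*/port_name on the target machine.

```bash
# Added example: scst.conf for one FC target, one file-backed LUN, one
# permitted initiator. Driver name, WWNs and paths are assumptions.

lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# Fibre Channel WWNs are 64 bits, written as eight colon-separated hex bytes.
valid_wwn() {
    printf '%s\n' "$(lower "$1")" | grep -Eq '^([0-9a-f]{2}:){7}[0-9a-f]{2}$'
}

# write_scst_conf TARGET_WWN INITIATOR_WWN IMAGE_PATH  -> scst.conf on stdout
write_scst_conf() {
    tgt=$(lower "$1"); ini=$(lower "$2"); image="$3"
    if ! valid_wwn "$tgt" || ! valid_wwn "$ini"; then
        echo "write_scst_conf: bad WWN" >&2
        return 2
    fi
    cat <<EOF
# Backing store: a plain file on the target presented as one SCSI disk.
HANDLER vdisk_fileio {
    DEVICE disk01 {
        filename $image
    }
}

TARGET_DRIVER qla2x00t {
    TARGET $tgt {
        enabled 1
        # No LUN at target level, so an initiator that is not in a GROUP
        # logs in and sees no disks at all. Access control is the GROUP below.
        GROUP initiator_esx01 {
            INITIATOR $ini
            LUN 0 disk01
        }
    }
}
EOF
}

# Usage on the target machine:
#   dd if=/dev/zero of=/srv/scst/disk01.img bs=1M count=0 seek=20480   # 20 GiB sparse file
#   write_scst_conf 21:00:00:24:ff:00:00:01 21:00:00:24:ff:00:00:02 /srv/scst/disk01.img > /etc/scst.conf
#   scstadmin -config /etc/scst.conf
```

    With this layout, adding a second host means adding a second GROUP (or a second INITIATOR line in the same group if both may share the LUN); a LUN line placed directly under TARGET would instead be exposed to every initiator that logs in.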

    [Read More…]

  • The BIGIP F5 Alternative using HAProxy and keepalived — Part 2

    Okay we’re back!! Welcome to Part 2. If you’ve read my last post in this high availability and load balancing series (Part 1) you understand the need for HAProxy to complete our setup. If you recall, I am looking for an alternative solution to the BIG-IP F5 LTM products. These products provide both high-availability failover via a floating IP between LTMs, and load balancing of requests to service endpoints. In the previous post we managed to tackle the former and provide high availability, but not the load balancing part.

    To complete this alternative we now add HAProxy into our setup.
    [Read More…]

  • The BIGIP F5 Alternative using HAProxy and keepalived — Part 1

    I come from a strong BIG-IP F5 background and wanted to explore alternatives to their LTM product line. BIG-IP F5 LTMs are their high-availability and load-balancing network products, see here. They are primarily used as a means to mitigate infrastructure failure across server clusters. This is done by use of a floating IP address that is shared between two independent devices, in this case LTMs. One LTM is always active and responds to requests for this floating IP from client devices. In the event of a device failure, the secondary LTM will sense this via a variety of means and take over as the active LTM. This essentially is how high availability, or failover, is maintained from an infrastructure connectivity perspective. The second piece to these devices is their load-balancing functionality. Load balancing has many forms; in this case we are talking about network service load balancing (pretty much layer 4 and above). This allows more intelligence in the distribution of requests to a server farm or cluster.

    Now as I stated previously, I was looking into alternative solutions and I came across a piece of free (GPL) software called keepalived which seemed to do exactly what I needed. Remember there are two pieces I wanted to fulfil as an alternative solution to LTM: it has to be able to maintain network failover (seamlessly) and provide load balancing for service endpoints. Also, surprisingly, much of the configuration syntax in keepalived.conf looks very similar to the F5 LTM bigip.conf file.
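    For both Part 1 (the floating IP) and Part 2 (tracking HAProxy so the VIP moves when the balancer itself dies), an added example that is not the author's configuration: it renders keepalived.conf for one node and checks, using keepalived's own priority arithmetic, that the chosen script weight is large enough to force a failover. Node addresses (10.0.0.11 and 10.0.0.12), the VIP 10.0.0.10/24, eth0, VRID 51 and the priorities are assumptions.

```bash
# Added example, not the author's configuration: one node's keepalived.conf
# plus a pre-flight check on VRRP priority arithmetic. Addresses, interface,
# VRID and priorities are placeholders.

# keepalived's rule for a vrrp_script: a negative weight is subtracted from
# the priority while the check fails; a positive weight is added while it
# passes. The node with the higher effective priority holds the VIP.
effective_priority() {
    base="$1"; weight="$2"; check_ok="$3"   # check_ok: 1 when the script exits 0
    if [ "$weight" -lt 0 ]; then
        if [ "$check_ok" = 1 ]; then echo "$base"; else echo $((base + weight)); fi
    else
        if [ "$check_ok" = 1 ]; then echo $((base + weight)); else echo "$base"; fi
    fi
}

# Does the BACKUP win once haproxy dies on the MASTER? A weight smaller than
# the priority gap leaves the VIP on a node whose balancer is down.
weight_forces_failover() {
    master_prio="$1"; backup_prio="$2"; weight="$3"
    [ "$(effective_priority "$master_prio" "$weight" 0)" -lt \
      "$(effective_priority "$backup_prio" "$weight" 1)" ]
}

# write_keepalived_conf STATE PRIORITY SELF_IP PEER_IP VIP/PREFIX IFACE
write_keepalived_conf() {
    state="$1"; prio="$2"; self="$3"; peer="$4"; vip="$5"; iface="$6"
    cat <<EOF
# Part 2: the VIP should follow a working balancer, not merely a live node.
vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    state $state
    interface $iface
    virtual_router_id 51
    priority $prio
    advert_int 1
    # Advertise to the peer only instead of multicasting to the segment.
    # VRRP's own auth_pass is a cleartext password that only stops accidental
    # cross-talk; restrict IP protocol 112 to $peer at the host firewall instead.
    unicast_src_ip $self
    unicast_peer {
        $peer
    }
    virtual_ipaddress {
        $vip dev $iface
    }
    track_script {
        chk_haproxy
    }
}
EOF
}

# Usage:
#   node A:  write_keepalived_conf MASTER 101 10.0.0.11 10.0.0.12 10.0.0.10/24 eth0 > /etc/keepalived/keepalived.conf
#   node B:  write_keepalived_conf BACKUP 100 10.0.0.12 10.0.0.11 10.0.0.10/24 eth0 > /etc/keepalived/keepalived.conf
```

    With priorities 101 and 100 and weight -20, a dead haproxy drops the master to 81 and the VIP moves; with weight -1 both nodes tie at 100 and the result is left to VRRP's tie-break, which is not what you want. For the HAProxy side of Part 2, set `net.ipv4.ip_nonlocal_bind=1` on both nodes so haproxy can bind the VIP before the node actually holds it, and consider a stricter check than `killall -0` (an HTTP probe against a local frontend) so a wedged but running haproxy also triggers failover.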
    [Read More…]

  • MRTG in Minutes!

    MRTG is one of those tools every network engineer has on their toolbelt. MRTG graphs network activity trends for a wide range of devices. It uses SNMP to poll a host for its interface counters and statistics. It can be used with routers, switches, Linux hosts, etc.

    I’m going to run MRTG against a Linux router (running iptables), an HP PowerConnect switch, a Cisco router, and an ESXi host. Anyway… let’s get started.
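    As an added example (not from the post), the cfgmaker/indexmaker run for a list of devices like the ones above, wrapped so that it refuses the default public/private community strings and pins the SNMP version in the target spec. The community string, paths and addresses are placeholders.

```bash
# Added example: build /etc/mrtg/mrtg.cfg for several devices with cfgmaker.
# Community string, addresses and paths are placeholders.

# cfgmaker target syntax: community@host[:port[:timeout[:retries[:backoff[:version]]]]]
# Version is pinned so a device that also answers v1 is not silently polled
# with the weaker protocol. Default communities are refused outright.
mrtg_target() {
    community="$1"; host="$2"; version="${3:-2}"
    case "$community" in
        public|private|"")
            echo "mrtg_target: refusing default/empty community for $host" >&2
            return 2
            ;;
    esac
    printf '%s@%s:::::%s\n' "$community" "$host" "$version"
}

# build_mrtg_cfg COMMUNITY HOST...  (the same read-only community on every device)
build_mrtg_cfg() {
    community="$1"; shift
    targets=""
    for h in "$@"; do
        t=$(mrtg_target "$community" "$h") || return 2
        targets="$targets $t"
    done
    # $targets is split into one argument per device on purpose.
    cfgmaker --global "WorkDir: /var/www/mrtg" \
             --global "Options[_]: bits,growright" \
             --global "RunAsDaemon: Yes" \
             --global "Interval: 5" \
             --output /etc/mrtg/mrtg.cfg \
             $targets
    indexmaker --output /var/www/mrtg/index.html /etc/mrtg/mrtg.cfg
}

# Usage:
#   build_mrtg_cfg 'r0-only-c0mmunity' 192.168.1.1 192.168.1.2 192.168.1.10
```

    On the Linux router, net-snmp's snmpd.conf should grant that community read-only and only to the MRTG host, e.g. `rocommunity r0-only-c0mmunity 192.168.1.50`; SNMPv2c sends the community in cleartext, so it is an access token for whoever can sniff or guess it, nothing more.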

    [Read More…]

  • Linux dd Operations

    I recently was helping a friend with some computer trouble, which resulted in me first creating a full disk image backup using “dd”. I’ve done this before, years ago, but I wanted to add some of the common dd backup/restore methods to my notepad. There are so many articles online on how to use dd to do a full disk backup and restore it. I will be using similar methods.

    dd Terms

    • if — input file: a device (/dev/sda), a file, a CD, etc.
    • of — output file: a device, a file, a CD, etc.
    • bs — block size: how many bytes dd reads and writes per operation.
    • noerror — a conv= flag: continue after read errors. Pair it with sync so each failed read is padded with zeros and the offsets in the image still line up with the disk.
    • readom — CD/DVD to ISO utility (from cdrkit).
    • mount — Linux command to mount file-systems, including a partition inside an image via a loop device.
    • gzip/gunzip — compression utility which helps to reduce the size of images created with dd (gzip compresses, gunzip decompresses).
    • md5sum — a checksum utility to ensure integrity when moving large image files. It catches accidental corruption only; if an image passes through hands you do not trust, use sha256sum instead.
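    The terms above put together, as an added example rather than the post's own commands: image with dd through gzip, record a checksum, and verify it before restoring. The functions accept ordinary files as well as devices, so the procedure can be rehearsed on a scratch file before it is run against a real disk. Paths are placeholders.

```bash
# Added example: dd image -> gzip -> checksum -> verify -> restore.
# Works on files as well as block devices; paths below are placeholders.

# image_disk SRC DEST.gz [BS]  -> writes DEST.gz and DEST.gz.sha256
image_disk() {
    src="$1"; dest="$2"; bs="${3:-4M}"
    # conv=noerror,sync keeps going past unreadable sectors and pads each short
    # read with zeros, so offsets in the image still match the disk. The image
    # is therefore rounded up to a multiple of bs; on a failing disk use bs=512
    # so that only the bad sector itself is blanked.
    dd if="$src" bs="$bs" conv=noerror,sync 2>/dev/null | gzip -c > "$dest" || return 1
    # sha256 rather than md5: md5 catches corruption but not tampering.
    ( cd "$(dirname "$dest")" && sha256sum "$(basename "$dest")" ) > "$dest.sha256"
}

# verify_image DEST.gz  -> 0 if the checksum recorded at imaging time still matches
verify_image() {
    dest="$1"
    ( cd "$(dirname "$dest")" && sha256sum -c --status "$(basename "$dest").sha256" )
}

# restore_image DEST.gz TARGET [BS]  -> refuses to write a corrupted image
restore_image() {
    src_gz="$1"; target="$2"; bs="${3:-4M}"
    if ! verify_image "$src_gz"; then
        echo "restore_image: checksum mismatch, refusing to write $target" >&2
        return 1
    fi
    gunzip -c "$src_gz" | dd of="$target" bs="$bs" 2>/dev/null
}

# Usage, from a live CD with the disk unmounted:
#   image_disk   /dev/sda /mnt/backup/sda.img.gz
#   verify_image /mnt/backup/sda.img.gz
#   restore_image /mnt/backup/sda.img.gz /dev/sda
```

    A restore onto the identical disk may end with a "No space left on device" message because of the padding described in the comment; the data is complete. To read a single partition out of an uncompressed image, mount it through a loop device with the partition's byte offset, e.g. `mount -o loop,ro,offset=$((2048*512)) sda.img /mnt` for a partition starting at sector 2048.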

    [Read More…]