Monthly Archives: July 2015

Installing and Configuring OpenSSH


Made the fantastic error of not installing OpenSSH when creating a new VM for test… Genius at work!!!

This will be a quick post on how you install and enable SSH on Ubuntu, so let's get started!

Installing OpenSSH Server

As this is a fresh install, your user should have sudo permission. You will need to install the OpenSSH package, which is easily available from the Ubuntu repositories. You can use the following command:

sudo apt-get install openssh-server

Or you can run the command

sudo tasksel

This will open a package selection screen where you can select SSH server or whatever defined package you like (I just learnt this myself!!)

Configuring OpenSSH

Now that the package has been installed, we will need to edit the config file. First create a backup of the original file, just in case something goes terribly wrong; it will make for an easier rollback!

sudo cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config_backup

Now let's make the magic happen 😀

sudo nano /etc/ssh/sshd_config

The first thing to consider is changing the port that your SSH server listens on. By default SSH servers listen on port 22, and as this is the default everyone will know what port to attack if they want to illegally access your machine. By changing this to a non-standard port you will be protecting your server from most script kiddies and bots that only probe the default port; it will not hide the service from anyone who scans all ports.

# What ports, IPs and protocols we listen for
Port 2222

Next you will want to disable SSH access for the root user. As root is the super user, if your root password gets hacked, you will be screwed royally! So with that in mind, we need to look for PermitRootLogin and set it to no, which stops anyone from logging in as root over SSH.

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

Finally, you can list the specific users that you want to have SSH access to your server. By adding this line to the end of the sshd_config file, you will allow only the selected users:

AllowUsers bob bill jack millie

Once you are happy with everything, you can save and exit the file. You will need to restart the daemon for the changes to take effect. Use the following to restart SSH:

sudo service ssh restart
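The three settings above only take effect if sshd reads them as global settings. The following is an added example, not part of the original post: it reports the global value sshd would use for a keyword, run against a constructed config in which the hardening lines were appended after a Match block. The `effective` and `sample_config` names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print the global value sshd would use for one keyword.
# For most keywords sshd keeps the first value it reads, and lines after a
# "Match" line belong to that block, so a line appended to the end of the
# file is not always a global setting. Assumes "Keyword value" syntax.
effective() {   # usage: effective KEYWORD < sshd_config
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    BEGIN { multi["port"] = 1; multi["allowusers"] = 1 }  # may repeat
    /^[ \t]*#/ || NF == 0  { next }    # comments and blank lines
    tolower($1) == "match" { exit }    # the global section ends here
    tolower($1) == want {
      $1 = ""; sub(/^ +/, "")
      out = (out == "" ? "" : out " ") $0
      if (!(want in multi)) exit       # first occurrence wins
    }
    END { if (out != "") print out }
  '
}

# Constructed sample, not the file from the post: root login is enabled near
# the top, and the hardening lines were appended after an existing Match block.
sample_config() {
  cat <<'EOF'
Port 2222
PermitRootLogin yes
StrictModes yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
PermitRootLogin no
AllowUsers bob bill jack millie
EOF
}

for kw in Port PermitRootLogin AllowUsers; do
  printf '%s: %s\n' "$kw" "$(sample_config | effective "$kw")"
done
```

On a real host, `sudo sshd -t` checks the file for syntax errors before the restart, and `sudo sshd -T` prints the settings the daemon will actually apply.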

Job done 😀


Junos Space Password Recovery


Annoyingly, I have created this post as the Junos Space instance we have at work (after a reboot) has made an executive decision not to like the "Super user" password anymore, in turn locking me out of the Web GUI… Joyasm :s

However, I will make this into a positive and I'll show how you can reset your super, admin and maintenance user passwords. As long as you don't forget your admin password you will be able to make all changes via the CLI.

Note
The Junos Space node we have is clustered and is a virtual machine on an ESX host. For the physical Junos Space JA1500 or JA2500, from what I've read it should work the same.

Change admin password

You can change the admin password via the CLI option 1

Welcome to the Junos Space network settings utility.

Initializing, please wait

Junos Space Settings Menu

1> Change Password
2> Change Network Settings
3> Change Time Options
4> Retrieve Logs
5> Security
6> Expand VM Drive Size
7> (Debug) run shell

A> Apply changes
Q> Quit
R> Redraw Menu

Choice [1-7,AQR]:

Change Super user password

You are able to reset the super password back to the factory default juniper123 by changing the mysql database. You will need to access the "run shell" (option 7) and run the command below:

mysql -u jboss -pnetscreen build_db

Once you have run this command you get this output:

# mysql -u jboss -pnetscreen build_db
Warning: Using a password on the command line interface can be insecure.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 225
Server version: 5.6.20-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition (Commercial)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Now that we are into mysql, we can reset the "super" password back to the default of juniper123:

mysql> update USER set password="ok89Nva6qHxytSHsP8AeLg==" where name="super";
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Having updated the password, we can exit mysql and you should be able to log onto

To update the maintenance mode password

You will need to update the htpasswd file with the new password for the "maintenance" user:

htpasswd -sb /var/www/maintenance/maintPW maintenance password

Once this has been run, you will see this output:

# htpasswd -sb /var/www/maintenance/maintPW maintenance password123
Updating password for user maintenance

Hopefully you should be good to go with logging back into your node. If not you will probably have to raise a JTAC case!


Configuring SNMPv3


This page will show how you would configure SNMPv3 on Cisco and Juniper network devices.

Cisco IOS

You need to create a group, select the version of SNMP and whether you want to add USM (User-based Security Model), aka the security level. Once the group has been created, we will need to create a user, associate the user with the newly created group and set the authentication password and privacy password.

Cisco Security Levels
noAuthNoPriv: There is no authentication password requested and the communications between the agent and the server are not encrypted. The SNMP process just requests an authorized username string match.
authNoPriv: Password authentication is requested, using either MD5 or SHA hashing, however no encryption is used for communications between the devices.
authPriv: Authentication is the same as authNoPriv, however communications between the SNMP process and the logging server are encrypted.

On Cisco IOS, it's quite simple to get SNMPv3 configured:

Switch(config)#snmp-server group test1 v3 priv
Switch(config)#snmp-server user test1 test1 v3 auth sha test1234 priv aes 128 test1234

Now that the v3 user has been created, we can run an snmpwalk to make sure it is working as expected:

~$ snmpwalk -v3 -u test1 -l authPriv -a SHA -A test1234 -x AES -X test1234 172.31.184.140
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 01-May-08 15:42 by antonino
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.516
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (582733) 1:37:07.33
SNMPv2-MIB::sysContact.0 = STRING: "Write a comment :D"
SNMPv2-MIB::sysName.0 = STRING: Switch.lab.co
SNMPv2-MIB::sysLocation.0 = STRING: "The Lab in Space"
SNMPv2-MIB::sysServices.0 = INTEGER: 6
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

Juniper Junos

With Junos, you will need to create your user, create your security-group, set the security-model and assign a user. Once you have the group created and confirmed, you will be able to set the privileges for each of the groups by assigning the MIB views.

Security model levels
Any: Any security model
USM: SNMPv3 security model
v1: SNMPv1 security model
v2c: SNMPv2c security model

Security level
None: Provides no authentication and no encryption.
Authentication: Provides authentication but no encryption.
Privacy: Provides authentication and encryption.

MIB views
Notify-view: the group user is informed of MIB updates
Read-view: the group user can see the MIB updates
Write-view: the group user can make changes to the MIB updates.

The configuration looks more complex on Junos than on IOS, however it's quite straightforward:

set snmp name "This a test for snmpwalk example :p"
set snmp location "The Lab in Space"
set snmp contact "Write a comment :D"
set snmp v3 usm local-engine user test1 authentication-sha authentication-password test1234
set snmp v3 usm local-engine user test1 privacy-aes128 privacy-password test1234
set snmp v3 vacm security-to-group security-model usm security-name test1 group view-all
set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy read-view view-all
set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy notify-view view-all
set snmp view view-all oid .1 include

As before, we can run an snmpwalk to make sure it is working as expected:

~$ snmpwalk -v3 -u test1 -l authPriv -a SHA -A test1234 -x AES -X test1234 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458338855) 53 days, 1:09:48.55
SNMPv2-MIB::sysContact.0 = STRING: Write a comment :D
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

With SNMPv3 available, you should be using v3 for the additional security it provides. You do have the option to configure SNMPv3 without user authentication and encryption (noAuthNoPriv), but it is kind of pointless to use SNMPv3 with no authentication or encryption. There could be situations where you will need user authentication but not encryption (authNoPriv), however in most cases you will use both.
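The security levels described above can be checked mechanically. The following is an added example, not part of the original post: it scans Junos "set snmp" lines and reports anything weaker than USM with the privacy level. Treating MD5 and DES as below policy is an assumption of this example, and the function names and the second sample are made up for illustration.

```shell
#!/bin/sh
# Added example: flag Junos "set snmp" lines weaker than SNMPv3 authPriv.
# Reads configuration on stdin and prints one finding per line.
audit_snmp() {
  awk '
    # v1/v2c community strings: no per-user auth, nothing encrypted
    $1 == "set" && $2 == "snmp" && $3 == "community" {
      print "community-string access: " $4
    }
    # USM users whose auth or privacy algorithm is absent or dated
    /v3 usm local-engine user/ && /authentication-(none|md5)/ {
      print "weak authentication for user " $7 ": " $8
    }
    /v3 usm local-engine user/ && /privacy-(none|des)/ {
      print "weak privacy for user " $7 ": " $8
    }
    # VACM access entries: model must be usm and level must be privacy
    /v3 vacm access group/ {
      model = ""; level = ""
      for (i = 1; i < NF; i++) {
        if ($i == "security-model") model = $(i + 1)
        if ($i == "security-level") level = $(i + 1)
      }
      if (model != "usm")     print "group " $7 " accepts security-model " model
      if (level != "privacy") print "group " $7 " allows security-level " level
    }
  '
}

# Sample 1: SNMPv3 lines as configured in the post above
page_config() {
  cat <<'EOF'
set snmp v3 usm local-engine user test1 authentication-sha authentication-password test1234
set snmp v3 usm local-engine user test1 privacy-aes128 privacy-password test1234
set snmp v3 vacm security-to-group security-model usm security-name test1 group view-all
set snmp v3 vacm access group view-all default-context-prefix security-model usm security-level privacy read-view view-all
EOF
}
# Sample 2: constructed weak settings (hypothetical names and values)
weak_config() {
  cat <<'EOF'
set snmp community public authorization read-only
set snmp v3 usm local-engine user legacy authentication-md5 authentication-password example-pass
set snmp v3 usm local-engine user legacy privacy-none
set snmp v3 vacm access group ops default-context-prefix security-model usm security-level authentication read-view view-all
set snmp v3 vacm access group old default-context-prefix security-model v2c security-level none read-view view-all
EOF
}

page_config | audit_snmp
weak_config | audit_snmp
```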


How to Snmpwalk on Ubuntu 14.04LTS


You will need sudo or root privileges to install the following packages:

snmpd 
snmp

Once these have been installed, you will have the following commands available to you:

~$ snmp
snmp-bridge-mib  snmpconf         snmpget          snmpset          snmptranslate    snmpvacm
snmpbulkget      snmpd            snmpgetnext      snmpstatus       snmptrap         snmpwalk
snmpbulkwalk     snmpdelta        snmpinform       snmptable        snmptrapd        
snmpcheck        snmpdf           snmpnetstat      snmptest         snmpusm

Snmpwalk is a useful command for collecting information from network devices running SNMP agents. Depending on the version of SNMP, you will need to use one of the following commands:

SNMPv1

snmpwalk -v1 -c{ community-name } ip_address

snmpwalk -v 1 -ctest-lab 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458062064) 53 days, 0:23:40.64
SNMPv2-MIB::sysContact.0 = STRING: Write a comment :D
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

SNMPv2

snmpwalk -v2c -c{ community-name } ip_address

snmpwalk -v2c -ctest-lab 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458070509) 53 days, 0:25:05.09
SNMPv2-MIB::sysContact.0 = STRING: Write a comment :D
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

SNMPv3

snmpwalk -v 3 -u { username } -l { noAuthNoPriv|authNoPriv|authPriv } -a { MD5|SHA } -A { authentication-password } -x { DES|AES } -X { privacy-password } ip_address

snmpwalk -v3 -u test -l authPriv -a SHA -A test-lab -x AES -X test-lab 10.1.0.201
SNMPv2-MIB::sysDescr.0 = STRING: Juniper Networks, Inc. srx220h2 internet router, kernel JUNOS 12.1X44-D45.2 #0: 2015-01-12 14:20:16 UTC     [email protected]:/volume/build/junos/12.1/service/12.1X44-D45.2/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel Build date: 2015-01-12 15:4
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.58
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (458338855) 53 days, 1:09:48.55
SNMPv2-MIB::sysContact.0 = STRING: Write a comment :D
SNMPv2-MIB::sysName.0 = STRING: This a test for snmpwalk example :p
SNMPv2-MIB::sysLocation.0 = STRING: The Lab in Space
SNMPv2-MIB::sysServices.0 = INTEGER: 4

Checking ISO and/or File Images via CLI


If you have downloaded an ISO or image and you want to check that the image/ISO hasn't been tampered with or corrupted, Ubuntu has MD5 and SHA hash checkers pre-installed within the OS.

For MD5 checking you will use md5sum

md5sum path/to/image

/tmp$ md5sum ubuntu-14.04.2-server-amd64.iso
83aabd8dcf1e8f469f3c72fff2375195  ubuntu-14.04.2-server-amd64.iso

For SHA checking, you will use one of the below (depending on the hash type):

~$ sha
sha1sum       sha256sum     sha512sum     shasum        
sha224sum     sha384sum     shadowconfig

sha1sum path/to/image

/tmp$ sha1sum ubuntu-14.04.2-server-amd64.iso
3bfa6eac84d527380d0cc52db9092cde127f161e  ubuntu-14.04.2-server-amd64.iso

You can then check the md5/sha hashes against the known correct hash values. If they match (which these do), you are good to go, knowing you have a legit version! 😀
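The comparison against the known values can be scripted instead of done by eye. The following is an added example, not part of the original post: it looks up a file in a published checksum list and reports a match, a mismatch or a missing entry. It uses sha256sum, one of the tools listed above, rather than MD5 or SHA-1, for which practical collision attacks exist; the `verify_image` name and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a download against a published SHA-256 checksum list.
# Return codes: 0 = match, 1 = mismatch, 2 = file not in the list.
# Assumes file names without spaces.
verify_image() {   # usage: verify_image FILE SUMS_FILE
  name=$(basename "$1")
  # list lines look like "<hash>  <name>" or "<hash> *<name>" (binary mode)
  want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$2")
  if [ -z "$want" ]; then
    echo "$name: not listed in $2" >&2
    return 2
  fi
  got=$(sha256sum "$1" | awk '{ print $1 }')
  if [ "$got" != "$want" ]; then
    echo "$name: MISMATCH, expected $want got $got" >&2
    return 1
  fi
  echo "$name: OK"
}

# Constructed demo: a small stand-in file plays the ISO, and a list generated
# from it plays the publisher's SHA256SUMS.
demo() {
  dir=$(mktemp -d)
  printf 'constructed stand-in for an ISO image\n' > "$dir/image.iso"
  ( cd "$dir" && sha256sum image.iso > SHA256SUMS )
  verify_image "$dir/image.iso" "$dir/SHA256SUMS" || echo "exit code $?"
  printf 'x' >> "$dir/image.iso"          # one extra byte, as after corruption
  verify_image "$dir/image.iso" "$dir/SHA256SUMS" || echo "exit code $?"
  rm -rf "$dir"
}
demo
```

The result is only as trustworthy as the checksum list, so fetch the list from the publisher over a trusted channel rather than from the same mirror as the image.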
