Tag Archives: ssh

How to access HP’s ILO remote console via SSH


This will be a quick reminder for myself on how you can access the remote console via SSH on HP blade servers and standalone servers 🙂

1. Connect to the iLO using SSH, whether with PuTTY (Windows) or Terminal (Mac OS X or Linux), with the super or admin user and password.
ssh [email protected]_address

[[email protected] ~]$ ssh 10.2.0.21 -l Administrator
Administrator@10.2.0.21's password: 
User:Administrator logged-in to ILO----n.(10.2.0.21)
iLO 2 Standard Blade Edition 2.25 at 16:36:26 Apr 14 2014
Server Name: vMX-Bay1
Server Power: On

hpiLO-> 

2. Now that you are logged in to the iLO, you can connect to the server's remote console using either the TEXTCONS or the VSP command.

TEXTCONS

TEXTCONS is short for text console. When I used TEXTCONS, I got this output: "Monitor is in graphics mode or an unsupported text mode."

hpiLO-> TEXTCONS

Starting text console.
Press 'ESC (' to return to the CLI Session.

hpiLO-> 

Monitor is in graphics mode or an unsupported text mode.

From some quick reading, it appears that some OSes do not support access using TEXTCONS, which is no help for me; however, this is one way!

VSP

VSP is the Virtual Serial Port. As the name suggests, it is a virtual port that behaves the same as if you had connected a serial cable to the server. This worked a treat for me, so I am happy now 😀

hpiLO-> VSP

Starting virtual serial port.
Press 'ESC (' to return to the CLI Session.

hpiLO-> Virtual Serial Port active: IO=0x03F8 INT=4

Ubuntu 14.04.2 LTS lab13 ttyS0

lab13 login: 

Job done 🙂

Other CLI commands available:

HP CLI Commands:

POWER    : Control server power.
UID      : Control Unit-ID light.
NMI      : Generate an NMI.
VM       : Virtual media commands.
VSP      : Invoke virtual serial port.
VSP LOG  : Invoke virtual serial port data logging.
TEXTCONS : Invoke Remote Text Console on supported platforms.
NOTE
It is important to note as well that there are some OSes that don’t support TEXTCONS or VSP. I had installed ESXi 6 on the blade and, although it didn’t give me an error, I wasn’t able to get any output. So this can be a little hit and miss at times. It's something I probably should look into, but when I have some time in the future!

Useful tcpdump Commands


Tcpdump is a network debugging tool that runs from the command line. It allows the user to intercept and display TCP/UDP/IP and other packets being transmitted or received over a network to which the computer is attached. Running tcpdump by itself will begin recording traffic that is seen on the wire, printing the output to the screen.

I found this list by @r_paranoid on their website Rationally Paranoid. It is a very useful set of tcpdump commands that can assist with troubleshooting and/or when a packet capture is needed.

See the list of interfaces on which tcpdump can listen:

tcpdump -D

Listen on interface eth0:

tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):

tcpdump -i any

Be verbose while capturing packets:

tcpdump -v

Be more verbose while capturing packets:

tcpdump -vv

Be very verbose while capturing packets:

tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:

tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:

tcpdump -v -XX

Be less verbose (than the default) while capturing packets:

tcpdump -q

Limit the capture to 100 packets:

tcpdump -c 100

Record the packet capture to a file called capture.cap:

tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:

tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:

tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:

tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):

tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

tcpdump -v icmp

Capture any ARP packets:

tcpdump -v arp

Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

tcpdump -s 500

Capture all bytes of data within the packet:

tcpdump -s 0

Additionally, cyberciti.biz has a great man page on tcpdump commands.


Clearing IDLE TTY Sessions in Junos


This is going to be a quick post on how you can forcibly disconnect idle and/or other users by using their PID or TTY session.

This is very useful when you have too many concurrent connections (normally when you are having some issue), or when, because of the dodgy connections you get from time to time, your terminal gets timed out in the middle of configuring and you have to reconnect, only to be greeted with:

[[email protected] ~]$ ssh 10.1.0.243
Password:
--- JUNOS 14.1X53-D25.2 built 2015-04-01 01:53:36 UTC
{master:0}
[email protected]> edit 
Entering configuration mode
Users currently editing the configuration:
  marquk01 terminal p0 (pid 41263) on since 2015-05-04 11:22:50 UTC, idle 02:01:13
      {master:0}[edit firewall]
  marquk01 terminal p1 (pid 41306) on since 2015-05-04 12:02:30 UTC, idle 01:16:58
      {master:0}[edit]

If you’re like me and find this annoying, there is a simple way of first showing all the current concurrent sessions on the device and then disconnecting them.

To show all the user sessions that are on the switch, you can run the command show system users no-resolve:

[email protected]> show system users no-resolve 
fpc0:
--------------------------------------------------------------------------
 1:26PM  up 33 days,  6:56, 3 users, load averages: 0.00, 0.01, 0.00
USER     TTY      FROM                              LOGIN@  IDLE WHAT
marquk01 p0       10.1.0.17                        11:22AM  2:03 -cli (cli)    
marquk01 p1       10.1.0.17                        12:02PM  1:19 -cli (cli)    
marquk01 p2       10.1.0.17                        1:24PM      - -cli (cli)

This command provides information on:

  • Connected Users
  • TTY session
  • IP address each user has connected from
  • Login Times
  • Idle Timer
  • User’s method of remote access

We can see that I have 3 sessions currently but only one is active, as 2 connections have IDLE times.

To clear the two sessions, we can use either the TTY session number shown in the output or the process ID (pid).

To clear by the TTY session, I needed to run the command request system logout terminal {TTY session} to disconnect the first idle session.

[email protected]> request system logout terminal p0
{master:0}
[email protected]> show system users no-resolve         
fpc0:
--------------------------------------------------------------------------
 1:27PM  up 33 days,  6:57, 2 users, load averages: 0.23, 0.06, 0.02
USER     TTY      FROM                              LOGIN@  IDLE WHAT
marquk01 p1       10.1.0.17                        12:02PM  1:19 -cli (cli)    
marquk01 p2       10.1.0.17                        1:24PM      - -cli (cli)

The other method would be to clear the user’s pid number. You can find their pid either in Operational mode, by using the TTY session number and running the command show system processes | match {TTY session} (you will need to look for the pid of the mgd process), or in Configuration mode, by running the command status:

[email protected]> show system processes | match p1 
41299  ??  Is     0:00.17 sshd: [email protected] (sshd)
41306  ??  Is     0:00.06 mgd: (mgd) (marquk01)/dev/ttyp1 (mgd)
41307  p1  Ss+    0:00.47 -cli (cli)

{master:0}
[email protected]> edit 
Entering configuration mode

{master:0}[edit]
[email protected]# status 
  marquk01 terminal p1 (pid 41306) on since 2015-05-04 12:02:30 UTC, idle 01:20:58
      {master:0}[edit]

Once I found the pid number, I ran the command request system logout pid {pid number} to disconnect the second idle session.

[email protected]> request system logout pid 41306

{master:0}
[email protected]> show system users no-resolve       
fpc0:
--------------------------------------------------------------------------
 1:32PM  up 33 days,  7:02, 1 user, load averages: 0.00, 0.02, 0.00
USER     TTY      FROM                              LOGIN@  IDLE WHAT
marquk01 p2       10.1.0.17                        1:24PM      - -cli (cli)

And that’s how you clear idle TTY connections in Junos 🙂
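
The procedure above, scripted as an added example (not part of the original post): it parses show system users no-resolve output, picks the sessions idle for at least a threshold, and renders the matching request system logout terminal commands. The function names, the min_idle and keep_tty parameters, and the assumed IDLE formats ('-', minutes, H:MM, Ndays) are assumptions of this example; the sample output is constructed from the listing above.

```python
import re

# Constructed sample, modelled on the "show system users no-resolve" output above.
SAMPLE = """\
fpc0:
--------------------------------------------------------------------------
 1:26PM  up 33 days,  6:56, 3 users, load averages: 0.00, 0.01, 0.00
USER     TTY      FROM                              LOGIN@  IDLE WHAT
marquk01 p0       10.1.0.17                        11:22AM  2:03 -cli (cli)
marquk01 p1       10.1.0.17                        12:02PM  1:19 -cli (cli)
marquk01 p2       10.1.0.17                        1:24PM      - -cli (cli)
"""

def idle_minutes(field):
    """IDLE column to minutes. Assumed formats: '-', 'MM', 'H:MM', 'Ndays'."""
    if field == "-":
        return 0  # no idle time: the session is active
    days = re.fullmatch(r"(\d+)days?", field)
    if days:
        return int(days.group(1)) * 24 * 60
    if ":" in field:
        hours, minutes = field.split(":")
        return int(hours) * 60 + int(minutes)
    return int(field)

def idle_sessions(output, min_idle=60, keep_tty=None):
    """Return (user, tty, idle_minutes) for sessions idle >= min_idle minutes."""
    found = []
    for line in output.splitlines():
        cols = line.split()
        # Session rows look like: USER TTY FROM LOGIN@ IDLE WHAT...
        if len(cols) < 6 or not re.fullmatch(r"[a-z]+\d+", cols[1]):
            continue  # banner, separator, uptime or header line
        user, tty, idle = cols[0], cols[1], idle_minutes(cols[4])
        if tty != keep_tty and idle >= min_idle:
            found.append((user, tty, idle))
    return found

def logout_commands(output, **kwargs):
    """Render the page's 'request system logout terminal' command per session."""
    return ["request system logout terminal %s" % tty
            for _user, tty, _idle in idle_sessions(output, **kwargs)]

if __name__ == "__main__":
    for command in logout_commands(SAMPLE, min_idle=60):
        print(command)
```

Pass keep_tty with your own TTY so the script never proposes logging out the session you are working in.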


SSH login with 2-Factor Authentication


During the holiday time, I was discussing with a mate ways I could make my server more secure, and he said why don’t I have 2-Factor Authentication. Of course, I dismissed him as a crazy man saying you can do that on SSH! When I actually looked, I saw it could be done, and it is commonplace to have it done as well. I found a super page that explains how 2-Factor Authentication all works! With this in mind, this post will show how you can enable 2-Factor Authentication on an SSH server.

As always, I’ll be using Ubuntu 14.04 LTS. Because I use Google Authenticator for other things, I was happy to see that you can install Google Authenticator’s time-based one-time password (TOTP) module via the apt-get repository. To install 2-factor authentication with Google Authenticator, we’ll need the open-source Google Authenticator PAM module. PAM stands for Pluggable Authentication Modules, which provide dynamic authentication support for applications and services on a Linux system. Essentially, it’s a way to easily plug different forms of authentication into a Linux system.

Firstly, you will need to have Google Authenticator or another authenticator app installed on your phone before doing anything. Personally I use Google’s Authenticator, available for iOS from the App Store and for Android from Google Play. Microsoft has its own Authenticator app for Windows Phones.

With the Authenticator installed on your phone, next you will need to install the Google package. You will need root and/or sudo access to the server to install libpam-google-authenticator with apt-get:

sudo apt-get install libpam-google-authenticator

With the module installed, you can set up your users with their OTP token. Run the google-authenticator utility; once run, you will be asked a series of questions that you can answer however is best for your environment.

[email protected]:~$ google-authenticator 

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DXYC73MOQV7SMPOSJ
Your new secret key is: XYC73MOQV7SMPOSJ
Your verification code is 194186
Your emergency scratch codes are:
  28140794
  43020525
  41649070
  99131075
  14555358

Do you want me to update your "/home/marquk01/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
[email protected]:~$ 
Important Notes
You will need to keep the emergency scratch codes safe, just in case you lose access or have an issue with your OTP token. Your secret key will be used by the Authenticator app to generate your verification codes. The secret key and scratch codes are saved in the .google_authenticator file in your home directory, so protect that file as you would a password. You can either manually enter the code or scan the QR code that is generated on the CLI with your phone. This is what you should expect to see when you run the google-authenticator utility. Once that has been done, you should get something like this on your app.

Next we will need to activate Google Authenticator within the sshd daemon. Firstly, edit the /etc/pam.d/sshd file and add the following lines:

[email protected]:~$ sudo nano /etc/pam.d/sshd 
{...}
# To allow Google Authenticator for 2 factor authentication 
auth required pam_google_authenticator.so

Then you will need to edit the /etc/ssh/sshd_config file. Look for ChallengeResponseAuthentication and ensure that it is set to yes:

[email protected]:~$ sudo nano /etc/ssh/sshd_config 
{...}
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

The full files should look something like this: sshd and sshd_config.

Now we need to restart the sshd daemon.

[email protected]:~$ sudo service ssh restart

Now that the ssh daemon has been restarted, when you try to ssh back onto the server you will be asked for your password and the OTP verification code:

[[email protected] ~]$ ssh 10.1.0.137
Password: 
Verification code: 

It also worked with Secure Copy Protocol (SCP), which allows you to transfer files via Secure Shell (SSH):

[[email protected] ~]$ scp bird.conf.oringial [email protected]:/home/marquk01
Password: 
Verification code: 
bird.conf.oringial                            100% 6222     6.1KB/s   00:00
NOTES
ALL users will need to be configured for 2-factor authentication before editing the ssh daemon. When I tried this the first time, I assumed it was enabled per user, only to find out my main account was locked out… #GenuisAtWork! In addition, if you have key-based authentication, it will supersede 2-Factor Authentication, which will be ignored.

Installing and Configuring OpenSSH


Made the fantastic error of not installing OpenSSH, when creating a new VM for test… Genius at work!!!

This will be a quick post on how you install and enable ssh on Ubuntu, so let's get started!

Installing OpenSSH Server

As this is a fresh install, your user should have sudo permission. You will need to install the OpenSSH package, which is easily available from the Ubuntu repositories. You can use the following command:

sudo apt-get install openssh-server

Or you can run the command

sudo tasksel

This will give you the screen below and you can select SSH server or whatever defined package you like (I just learnt this myself!!)

Screenshot 2015-07-31 09.52.12

Configuring OpenSSH

Now that the package has been installed, we will need to edit the config file. First create a backup of the original file, just in case something goes terribly wrong; it will make for an easier rollback!

sudo cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config_backup

Now let’s make the magic happen 😀

sudo nano /etc/ssh/sshd_config

The first thing to consider is changing the port that your SSH server listens on. By default SSH servers listen on port 22, and as this is the default, everyone will know what port to attack if they want to illegally access your machine. By changing this to a non-standard port you will be securing your server from kiddie scripts and bots that only probe port 22; a port scan will still find the service, so treat this as noise reduction alongside the settings below.

# What ports, IPs and protocols we listen for
Port 2222

Next you will want to disable SSH access for the root user. As root is the super user, if your root password gets hacked, you will be screwed royally! So with that in mind, we need to look for PermitRootLogin and set this to no to stop anyone from logging in as root.

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

Finally, you can list specific users that you want to have SSH access to your server. By adding this line to the end of the sshd_config file, only the listed users will be allowed to log in:

AllowUsers bob bill jack millie

Once you are happy with everything, you can save and exit the file. You will need to restart the daemon for the changes to take effect. Use the following to restart SSH:

sudo service ssh restart

Job done 😀
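
A check for the sshd_config settings changed in this post and in the 2-Factor post above, as an added example (not part of the original posts): it reads the file the way sshd does, where the first value for a keyword wins, and reports when root login, the user allow-list or the verification-code path is not as intended. The function names and sample configs are constructed for this example, and the AuthenticationMethods check assumes an OpenSSH version that supports that keyword.

```python
def parse_sshd_config(text):
    """Map lower-cased keyword -> value for the global section."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # Match blocks are conditional; audit global scope only
        # sshd uses the first value obtained for a keyword, so keep that one.
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return findings for the settings changed on this page."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups restriction")
    if s.get("challengeresponseauthentication", "").lower() != "yes":
        findings.append("ChallengeResponseAuthentication is not explicitly 'yes'")
    methods = s.get("authenticationmethods")
    if methods is None:
        if s.get("pubkeyauthentication", "yes").lower() != "no":
            findings.append("public-key logins skip the verification code")
    else:
        for alternative in methods.split():
            names = [m.split(":")[0] for m in alternative.split(",")]
            if "keyboard-interactive" not in names:
                findings.append("AuthenticationMethods '%s' skips the code" % alternative)
    return findings

# Constructed samples; the first mirrors the settings shown on this page.
PAGE_STYLE = """\
Port 2222
PermitRootLogin no
ChallengeResponseAuthentication yes
AllowUsers bob bill jack millie
"""
KEY_AND_CODE = PAGE_STYLE + "AuthenticationMethods publickey,keyboard-interactive\n"
LATE_OVERRIDE = """\
PermitRootLogin yes
ChallengeResponseAuthentication no
# Appended later, but the earlier PermitRootLogin line still wins.
PermitRootLogin no
"""

if __name__ == "__main__":
    for name in ("PAGE_STYLE", "KEY_AND_CODE", "LATE_OVERRIDE"):
        print(name, audit(globals()[name]))
```

The KEY_AND_CODE sample shows one way to close the gap noted in the 2-Factor post: with AuthenticationMethods publickey,keyboard-interactive a key alone no longer completes the login.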
