Wednesday, 29 October 2008

How To Set Up A Cisco Lab On Linux (CentOS 5.2)

Background

I recently decided to study for the Cisco CCSP certification. My main concern in the beginning was the fact that most of the lab simulation software that I found out there could only run on Windows, this was a problem for me given the fact that I do not own a windows computer.

After a quick search I found the wonderful Dynamips project that goes beyond what other simulators do by running actual Cisco IOS images, as well as the PEMU project which allows for running of Cisco PIX images. To integrate the various pieces of software and provide an interface for interaction with the devices I used dynagen.

Prerequisites

You will need Linux command line skills as well as working knowledge of Cisco IOS/PIX. Please NOTE that you will have to provide your own Cisco IOS/PIX images, do not send me any messages requesting images.

Software Installation

These instructions are based on Centos 5.2 but can easily be adapted for use on other Linux systems. Given the fact that we are using an rpm based system we will install all our packages as rpm's instead of source given the advantages of package management. All the above mentioned projects (Apart from pemu) have source rpm's which can be obtained and compiled. I obtained and compiled the source rpm's which you can download from my site, you can how ever obtain the source rpm's and compile on your own should you want to. I built my own rpm for PEMU which you can download.

The above rpms are signed using my key so you will be able verify them.

wget http://www.topdog-software.com/oss/roundcube/andrew_topdog-software.com_key.txt
rpm --import andrew_topdog-software.com_key.txt

Now on to the installation.

Dynamips

This is the main component that provides the Cisco IOS emulator as well as PEMU wrapper

rpm -Uvh http://www.topdog-software.com/oss/dynamips/dynamips-0.2.8RC2-1.i386.rpm

Dynagen

This is the interface to the dynamips software, it provides a simplified ini type configuration, frame-relay, built in switch, bridge as well as a management CLI.

rpm -Uvh http://www.topdog-software.com/oss/dynagen/dynagen-0.11.0-1.noarch.rpm

PEMU

This is the Cisco PIX / ASA emulator which allows you to run the PIX images.

rpm -Uvh http://www.topdog-software.com/oss/pemu/pemu-0.0.1-20070420.i386.rpm

Sample Lab

For our sample lab I will set up a LAB from the SNPA module as this will enable us to see both IOS and PIX in action. But first let's start the services:

service dynamips start
service pemu start

Extract the images as they will boot faster.

unzip snrs.bin
cp C3640-JK.BIN /var/lib/pemu/images/snrs.bin
unzip asa722-k8.bin
cp target/f1/pix /var/lib/pemu/images/pix

For this lab we will use this dynagen ini file so create a file /tmp/snpa.net with the following content:

autostart = false
model = 3640
ghostios = true
sparsemem = true
[localhost]
workingdir = /var/lib/pemu
[[3640]]
image = /var/lib/pemu/images/snrs.bin
#idlepc = 0x60ba8df4
[[router inside]]
# This router will be on the "inside" of the firewall
# Connect this router's e0/0 interface to fw1's e1 interface
e0/0 = fw1 e1
[[router outside]]
# This router will be on the "outside" of the firewall
# Connect this router's e0/0 interface to fw1's e0 interface
e0/0 = fw1 e0
[[ethsw s1]]
1 = access 1
# Bridge the below interface to allow fw1's e2 interface access to real networks
# e.g. for using ASDM from a PC to manage the firewall, change the interface to
# reflect your system
2 = access 1 NIO_gen_eth:eth1
[pemu localhost]
[[525]]
#for pix 7 & 8
serial = 0x1234568
key = 0xffffffff,0xffffffff,0xffffffff,0xffffffff
image = /var/lib/pemu/images/pix
[[fw fw1]]
# Connect the firewall's e2 interface to the virtual switch, which will bridge it
# to the real network
e2 = s1 1

Now that we have everything in place let's connect to the dynagen console and interact with our lab environment.

dynagen /tmp/snpa.net

You will be presented with the following prompt:

Reading configuration file...
Network successfully loaded
Dynagen management console for Dynamips and Pemuwrapper 0.11.0
Copyright (c) 2005-2007 Greg Anuzelli, contributions Pavel Skovajsa
=>

Let's look at the options that are available on the dynagen console, type the familier ? command

=> ?
Documented commands (type help ):
========================================
capture confreg cpuinfo export hist list py save show suspend
clear console end filter idlepc no reload send start telnet
conf copy exit help import push resume shell stop ver
=>

Let's list the devices available in our lab environment using the list command:

=> list
Name Type State Server Console
inside 3640 stopped localhost:7200 2000
outside 3640 stopped localhost:7200 2001
fw1 525 stopped localhost:10525 4000
s1 ETHSW always on localhost:7200 n/a
=>

Let's start the devices:

=> start outside
100-VM 'outside' started
=> start inside
100-VM 'inside' started
=> start fw1
100-PEMU 'fw1' started
=>

To improve performance of our devices, we set the idlepc values for the various devices:

=> idlepc get inside
Please wait while gathering statistics...
1: 0x605a39c8 [61]
2: 0x605a3a40 [25]
3: 0x604fd014 [78]
4: 0x604fd044 [64]
5: 0x6048daa0 [80]
6: 0x604fe168 [75]
* 7: 0x604fe584 [59]
8: 0x604fe734 [46]
9: 0x604fe75c [49]
Potentially better idlepc values marked with "*"
Enter the number of the idlepc value to apply [1-9] or ENTER for no change: 7

Repeat the above for all the devices you want to set idlepc values for.

Other sample labs

You can find other sample labs in the /usr/share/doc/dynagen-0.11.0/sample_labs directory.

Console Access

Okay we are up and running, but I bet you are asking well and good but how do I console in and begin working with the device? Each of the devices you started will provide you with console access on a port, to see which device is on which port use the list command in the dynagen console.

So as we see the inside router can be consoled to on port 2000 so let's go ahead and check it out.

telnet localhost 2000

The first time you should be presented with the following screen:

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
Connected to Dynamips VM "inside" (ID 0, type c3600) - Console port

% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]:

Next let's connect to the PIX console:

telnet localhost 4000

Press enter and you should be presented with the following screen:

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
pixfirewall>

GUI version

For those who prefer using a GUI to setup the labs, you can take a look at the GNS project, I have not used it personally as I prefer using the command line.

Acknowledgements

Thanks to the developers of these helpful projects; please consider making donations to these projects if you can.

Use Zebra to set up a Linux BGP/OSPF router

With GNU Zebra, your Linux box can act as a router supporting TCP/IP protocols such as RIPv1, RIPv2, RIPng, OSPFv2, OSPFv3, BGP-4, and BGP-4+. I’m going to show you how to install, configure, and use Zebra to turn a Linux box into an OSPF and BGP router.

zebralogo.jpg

Building an advanced router
If you have set up a Linux box as a firewall, you have already built a simple Linux router. However, we’re going to look at using Linux to build an advanced router that can communicate using dynamic routing protocols. These protocols allow routers to speak to each other and share information of paths through a network. This is incredibly important in large networks (such as the Internet), where static routing is impractical.

For example, even with route summarization (where only the largest possible block is advertised), a single Border Gateway Protocol (BGP) routing table still contains over 100,000 entries. The sheer number of entries, combined with the rate of change, makes static route assignment impossible. The need for dynamic routing protocols is obvious, even with networks smaller than the Internet, such as large corporate networks.

While BGP, an External Gateway Protocol (EGP), is the workhorse of the Internet, others are better suited for use on smaller internetworks. The Open Shortest Path First (OSPF) protocol is an Internal Gateway Protocol (IGP) and is one of the most widely used. GNU Zebra is an open source software package that allows you to run BGP and/or OSPF on Linux.

Installing Zebra
You can download the latest source version of Zebra from Zebra.org. Distribution-specific packages are also available from a number of sources, including Redhat and Debian. If you’re installing from source, you will find that the standard installation procedure is applicable. Simply extract the package and run:
./configure

make

make install

The configuration script will detect what IP stacks are installed on your system and automatically configure support for them. In today’s environment, this will most likely mean just IPv4, but IPv6 users will be pleased to know that Zebra will detect and support it as well.

Once you have installed the program, it may be necessary to add some lines to /etc/services. Zebra’s daemons operate on their own virtual terminal lines (VTYs), so your system needs to know what they are. Here are the lines you should add:
zebrasrv 2600/tcp # zebra service

zebra 2601/tcp # zebra vty

ripd 2602/tcp # RIPd vty

ripngd 2603/tcp # RIPngd vty

ospfd 2604/tcp # OSPFd vty

bgpd 2605/tcp # BGPd vty

ospf6d 2606/tcp # OSPF6d vty

Configuring Zebra
If you’re familiar with the Cisco IOS, you shouldn’t have any problems getting Zebra up and running in a short amount of time. Each of Zebra’s daemons uses a separate VTY to allow dynamic configuration through a Telnet session. So, if you need to configure OSPF, simply Telnet to port 2604 on the Linux box. To modify the kernel’s routing table or to configure redistribution between routing protocols, you should Telnet to port 2601. This is the Zebra daemon, which acts as a kernel manager handling communication between the other daemons and the system itself.

Let’s take a look at how we would get OSPF and BGP up and running on a test server. Zebra’s daemons use plain text files to store their configurations. For our OSPF/BGP router there will be three files used: zebra.conf, ospfd.conf, and bgpd.conf. The zebra.conf file, for instance, will look something like this:
! Zebra configuration saved from vty

! 2002/02/28 01:46:12

!

hostname LinuxRouter

password zebra

enable password z3bRa

log file /var/log/zebra/zebra.log

!

interface eth0

description Interface to External Network

ip address 10.0.0.1/24

!

interface eth1

description Interface to Internal Network

ip address 192.168.66.1/24

The exclamation points serve as comment markers or spacers. The rest of the configuration should be more or less self-explanatory. There are a number of different types of network interfaces (Ethernet, ISDN, etc.), and Zebra can use any that are recognized by the Linux kernel.

Subnet masking is done with network bits (e.g., /24) as opposed to the full mask, which in this case would be 255.255.255.0. Also note that there are two passwords, one for user mode and one for privileged mode. This is useful for providing access to nonadministrators, and it’s critical if you are creating a route server or looking glass. Any BGP admin will tell you that looking glasses are a key to troubleshooting routing issues, as they allow you to view routes as seen from an outside AS’s point of view. (AS stands for Autonomous System—basically, a group of devices under the same policy or administration.) BGP routing is done by AS numbers, which are registered numbers controlled by the American Registry for Internet Numbers (ARIN). For more on BGP, read “How to use BGP to achieve Internet redundancy.”

The next step is to start the necessary programs. You can do this with the following commands:
/usr/sbin/zebra –dk

/usr/sbin/ospfd –d

/usr/sbin/bgpd –d

In the first command, we start zebra, the daemon that will actually update the kernel’s routing table. The –dk tells the program to run as a daemon (the d), basically keeping it in the background. The k is an additional option that tells Zebra to keep any routes that are already configured on the box. This is useful if you are testing Zebra and do not want to wipe out your routing table accidentally. Normally, routes and interfaces are configured with a combination of the ifconfig and route commands. Zebra is a complete replacement for this form of route management.

Setting up OSPF
Now that the necessary services are running, Telnet to port 2604 on the local machine to begin the OSPF configuration. Enter privileged mode by typing enable (just as you would in the Cisco IOS) and then enter the privileged mode password. Next, configuration mode is accessed with the configuration terminal command. Zebra will also accept abbreviations in keeping with its similarity to Cisco. Also accepted are the list and ? entries, which provide a menu of possible commands and a short explanation.

You will also be pleased to see that tab completion is supported. This is a nice feature, especially if you are accustomed to using it. Next, we will need to tell the daemon what networks are going to be advertised via OSPF, along with the associated area. OSPF supports multiple areas to provide scalability. Enter the OSPF configuration by typing router ospf and then network 192.168.66.0/24 area 0. This tells the router that we are going to use OSPF to advertise the 192.168.66.0 network with a subnet mask of 255.255.255.0.

In this example, we are also going to make interface eth0 a passive interface so that routing updates will not be sent out of it. This is important for testing purposes when other routers in that direction may be listening. You can do this with the command passive-interface eth0. Once you have made your changes, exit out of configuration mode by typing end and then save it with the write file command. Here is a snapshot of what this will look like:
labrat:~# telnet 0 2604

Trying 0.0.0.0…

Connected to 0.

Escape character is ‘^]’.

Hello, this is zebra (version 0.84b)

Copyright 1996-2000 Kunihiro Ishiguro

User Access Verification

Password:

ospfd> enable

Password:

ospfd# configure terminal

ospfd(config)# router ospf

ospfd(config-router)# network 192.168.66.0/24 area 0

ospfd(config-router)# passive-interface eth0

ospfd(config-router)# end

ospfd# write file

Configuration saved to /etc/zebra/ospfd.conf

Remember that for OSPF or BGP to operate over an interface, that interface needs to be up. To manually bring up an interface, log in to port 2601 and execute a no shut command on the appropriate interface.

Setting up BGP
BGP is configured in much the same way as OSPF. To begin, open a Telnet session to port 2605. After executing configure terminal, enter BGP configuration mode by typing router bgp . As mentioned previously, BGP uses AS numbers to establish neighbor relationships and route traffic. In our test environment, we will be using a private AS number, which can range from 64512 to 65534. The networks to be advertised by BGP are then installed with the network command. There are no trailing area options in BGP, so our command would be network 192.168.66.0/24. Unlike OSPF, BGP neighbors need to be statically assigned. You do this as follows: neighbor remote-as . Here is an example of what this will look like:
labrat:~# telnet 0 2605

Trying 0.0.0.0…

Connected to 0.

Escape character is ‘^]’.

Hello, this is zebra (version 0.84b)

Copyright 1996-2000 Kunihiro Ishiguro

User Access Verification

Password:

bgpd> enable

Password:

bgpd# configure terminal

bgpd(config)# router bgp 65530

bgpd(config-router)# network 192.168.66.0/24

bgpd(config-router)# neighbor 10.0.0.5 remote-as 65531

bgpd(config-router)# end

bgpd# write file

Configuration saved to /etc/zebra/bgpd.conf

With both OSPF and BGP, there are a great number of options—enough to be outside the scope of this article. I recommend doing a little studying about each protocol prior to working with it in a production environment. The GNU Zebra documentation can also help in this regard.

Summary
Networking includes a variety of options for routing traffic. When it comes to routers, many hardware options are available, but they can be expensive—reason enough to look at turning a Linux system into a fully functional router. The Zebra suite of routing daemons makes this a possibility. With support for IPv4, IPv6, and a wide variety of protocols, Zebra can address all your routing needs. It also takes advantage of the experience and knowledge that many admins have already gained in working with Cisco IOS-based routers.

Friday, 24 October 2008

Emacs Help

Introduction

Emacs is perhaps world's most powerful text editor.you can do lot's of stuff using emacs in a very powerful way.I will just try to list out few tasks that you can accomplish with help of emacs:

  • Editing text files
  • Programming
  • Searching and replacing patterns in a text file
  • Checking mail
  • Reading news
  • Listening to Songs
  • Executing commands
  • Can also work as a file manager
Environment

When you start emacs(using command emacs &)..you can see a menu bar on the top of the emacs window,a tool bar just below the menu bar.And then most of the remaining space is occupied by the editing buffer(where actual editing is performed).You can see a scroll bar in the left side of window.

Another thing that you will observe that at the end of editing buffer there exists some sort of seperator..and below it exists another small area.

Well this area is very important..
Seperator is called ---> Modeline
Area below is called ---> Message Area
Commands typed by you will be echoed in the message area, as well as response from emacs and messages from emacs will be also shown there.

Commands Conventions

All of the emacs commands are basically in the form of some special key bindings.These key bindings may initially appear a bit daunting but are very convenient. Usually all of the emacs commands start with either with control or alt key.Rest of the printable characters are sent to the editing buffer and are not considered as command.

For Example:
To open a new file:
ctrl-x,ctrl-f
To undo changes:
ctrl-x,u
To browse through info pages:
alt-x-info
ctrl-x,ctrl-f:
Press x and f key respectively while ctrl key is pressed.br> ctrl-x,u:
Press x while ctrl key is pressed and now leave ctrl key(as well as x)and press u.br> alt-x-info:
press x while alt key is pressed and now leave alt(as well as x) and type info manually in the message area.br> -:
One impotant thing is all the hyphen's are used for illustration purpose only. They are not to be included in commands.

Commands

Here i will try to give all the essential commands with help of which you can easily work with emacs. One thing you should keep in mind is that you need not to remember all the commands. You can work with emacs very easily using a limited list of commands. The method to enter the command has been explained in the earlier section.

ctrl-x,ctrl-f:
To open a new/existing file.when you press this command you can see a message ">


ctrl-x,ctrl-s:
To write the file to disk(or in other words to save the file.)


ctrl-x,ctrl-c:
To quit emacs.If you have any running processes(let us say shell) or any unsaved buffer it will ask you either to save the changes or discard them and then quit emacs.

ctrl-a:
Go to the beginning of line.

ctrl-e:
Go to the end of line.

ctrl-p:
Go to previous line.

ctrl-n:
Go to next line.

ctrl-home:
Go to the beginning of buffer.

ctrl-end:
Go to the end of buffer.

ctrl-k:
Kill line. This command will kill one line starting from current cursor position.

ctrl-f:
Move one character forward.

ctrl-b:
Move one char backward.

ctrl-w:
To write the existing buffer with a different file name.

alt-d:
To delete one word to the right of cursor.

alt-f:
To move one word forward.

alt-b:
to move one word backward.

alt-a:
To move one sentence backward. But in this case cursor doesn't stop at the blank lines.

alt-e:
To move one sentence forward.

alt-x-shell:
To start shell from emacs.

ctrl-x,b:
To switch to buffer. This command ask the name of the buffer you want to switch.

ctrl-x,ctrl-b:
List all the existing buffers.

alt-x-man:
This command Will ask for what command you want to see manual pages. Thus a message related to it will appear in the message area.

alt-x-info:
To browse through info pages.

alt-x-w3m:
To check mail

alt-x-mpg123:
To start play mp3 songs from emacs. This packages doesn't come by default on the Red Hat releases, so you have to download a package called mpg123.el.

alt-x-TAB:
By pressing this command you can see the list of available commands in emacs.

alt-x-ispell:
To start spell checking from emacs.

ctrl-/:
To undo your last set of changes.

alt-x-set-background-color:
To change the background color of emacs buffer.

Now many of the commands has been described below and a description of how to bind keys with these commands is also given below.

Ispell

You can check spelling of a buffer using the command `alt-x-ispell-buffer`. You can use 'r' to enter a mis-spelled word for yourself.
'a': emacs will accept the word as correct for present session.
'A': emacs will accept the word as correct for all session.
spacebar: ignore the error.
ctrl-r: enter in to recursive editing.

Flyspell

Can be also used for spelling checking..thus in this mode the spelling of the word will be checked on the fly and highlighted if there is an error. So either you can edit the word yourself or else left click on the word and let emacs suggest options.

Completing The Text From Another Part of the Buffer

Let's say you are editing a text file and you are typing several words lot's of times then you can use this thing. We can use keystroke "alt-/" to auto complete a word that you have typed before.

Some Very Important Keystrokes for Moving Around

alt-e: to end of the paragraph.
alt-a: to the beginning of the paragraph.
alt-}: to move forward one paragraph
alt-{: backward one paragraph.
alt-<: go to the beginning of buffer alt->: go to the end of buffer

Customization of Emacs

Emacs can be very easily customized this is one of the reasons it is such a powerful editor.If you try command "alt-set-background-color" then you will find that you can change the background color of the current face. But the settings won't be saved thus next time you will start emacs your changes will be lost. Emacs reads a file called $HOME_DIR/.emacs(~/.emacs) on startup. By editing this file you can customize emacs very easily and your changes will saved. Here i am giving contents of my .emacs file. By looking at the comments itself you can guess what is the function of that line. Even of you don't, relax and simply use it for the time being. Just simply copy following lines and paste it to a file called .emacs(if something is already there in that file then you make sure it should be deleted).

Sample .emacs File

;; Set up the keyboard so the delete key on both the regular keyboard
;; and the keypad delete the character under the cursor and to the right
;; under X, instead of the default, backspace behavior.
(global-set-key [delete] 'delete-char)
(global-set-key [kp-delete] 'delete-char)

;; turn on font-lock mode
(global-font-lock-mode t)

;; enable visual feedback on selections
(setq-default transient-mark-mode t)

;; always end a file with a newline
(setq require-final-newline t)

;; stop at the end of the file, not just add lines
(setq next-line-add-newlines nil)

;;to display time
(display-time)

;;to set the cursor color
(set-cursor-color "red")

;;to set the font
(set-frame-font "-*-fixedsysttf-*-*-*-*-15-*-*-*-*-*-*-*")

;;to set foreground color to white
(set-foreground-color "white")

;;to set background color to black
(set-background-color "black")

;;to manage the geometric size of initial window.
(setq initial-frame-alist '((width . 87) (height . 42)))

;;set the keybinding so that you can use f4 for goto line
(global-set-key [f4] 'goto-line)
;;set the keybinding so that f3 will start the shell
(global-set-key [f3] 'shell)
;;set the keybinding so that f5 will start query replace
(global-set-key [f5] 'query-replace)
(global-set-key [f6] 'switch-to-buffer)
(global-set-key [f7] 'hippie-expand)
(global-set-key [f8] 'ispell)

(setq load-path (cons "/home/hemant/elisp" load-path))

(when window-system
;; enable wheelmouse support by default
(mwheel-install)
;; use extended compound-text coding for X clipboard
(set-selection-coding-system 'compound-text-with-extensions))
(autoload 'mpg123 "mpg123" "A Front-end to mpg123" t)



(custom-set-variables
;; custom-set-variables was added by Custom -- don't edit or cut/paste it!
;; Your init file should contain only one such instance.
'(auto-save-default nil)
'(backup-directory-alist (quote (("." . "/home/hemant/backup"))))
'(default-frame-alist (quote ((tool-bar-lines . 1) (menu-bar-lines . 1) (width . 87) (height . 42)))))
(custom-set-faces
;; custom-set-faces was added by Custom -- don't edit or cut/paste it!
;; Your init file should contain only one such instance.
'(font-lock-comment-face ((((class color) (background dark)) (:foreground "chocolate1" :slant italic :family "-*-lucida-medium-r-*-*-14-*-*-*-*-*-*-*"))))
'(fringe ((((class color) (background dark)) (:background "grey10" :width ultra-condensed))))
'(scroll-bar ((t (:background "Dark slate gray")))))
Miscellaneous Commands

Some keystrokes set by me:
f4: goto line //go to some line
f3: to start shell
f5: to start query replace
f6: switch to buffer //switch to different open buffer
f7: hippie expand //auto completion even from other buffer.
f8: to start spell check

Customizing key bindings in emacs:
Put following lines in to your .emacs file and those keystrokes will work for you as well.

(global-set-key [f4] 'goto-line)
(global-set-key [f3] 'shell)
(global-set-key [f5] 'query-replace)
(global-set-key [f6] 'switch-to-buffer)
(global-set-key [f7] 'hippie-expand)
(global-set-key [f8] 'ispell)

Commands Helpfull During Programming

1.to jump to newline automatically after termination of an statement:
ctrl-c,ctrl-a: enables addition of newline.

Notes

My .emacs file assumes you have fixedsys and lucida fonts installed.(though lucida comes with any standard installation of GNU/Linux..fixedsys won't be installed on your system.Also i have created a directory called ~/elisp where additional elisp packages are stored ,so you must have a directory of that name.Now if you don't have fixedsys and any packages that has to be stored in ~/elisp better remove those lines).Another important thing..by default emacs creates backup of files while editing and saves it in current directory with prefix ~.But i have customized emacs so that all the backup files will redirected to ~/backup directory.So you should also create a directory called ~/backup.

Setting Up .htaccess

htaccess can be used in co-ordination with the Apache web server to password protect certain files and directories on your web server.

This document assumes that you have Apache already set up and running correctly. If this is not the case please visit http://www.linuxhelp.ca/guides/apache/ for help with installing and configuring Apache.

For my own sanity I'm going to assume that you followed the Apache Setup Guide on our site and that you have apache installed at /usr/local/apache and your HTML documents are located in /usr/local/apache/htdocs. Now let's say you have a directory called admin in /usr/local/apache/htdocs and you would like to password protect it and give certain users access. The first thing you need to do is open up your httpd.conf file and find the section that looks similar to this:


Options FollowSymLinks
AllowOverride None

Once you've found the similar lines in your httpd.conf you can add the following section underneath it:


AllowOverride AuthConfig
Options Indexes FollowSymLinks Includes
Order allow,deny
Allow from all

Once you've added the new section, save the httpd.conf file and restart apache. You can normally do this by running killall -HUP httpd as root. Now that the admin directory is properly configured for htaccess you'll need to set up the .htaccess and .htpassword files.

Change into the directory you want to protect (for this guide we are using /usr/local/apache/htdocs/admin) and create a file called .htaccess. To do this you can run touch .htaccess in the directory. Now open up the file with a text editor (nano, pico, vi, joe etc) and enter in the following lines:

AuthUserFile /usr/local/apache/htdocs/admin/.htpasswd
AuthName "Authorization Required"
AuthType Basic
require valid-user

The AuthUserFile directive containts the path to the password file that users will be authenticated against.

AuthName is the message that will appear on the login prompt. The default is Authorization Required but you can change this to whatever you like.

AuthType selects the type of user authentication that will be used. You can leave this as Basic

require let's all the valid users in the .htpasswd file access the directory.

Once your .htaccess file is set up, save and exit the file. You must now create the .htpasswd file. To do this you can use the htpasswd program that comes Apache. If you followed the Apache Guide, htpasswd should be located in /usr/local/apache/bin. If not you can run updatedb as root and then type locate htpasswd to find it.

To create the initial .htpasswd file you must use the -c flag. As root run:

htpasswd -c /usr/local/apache/htdocs/admin/.htpasswd username

Don't forget to change the directory .htpasswd will be located in. The above is set up for securing /usr/local/apache/htdocs/admin. As well change username to whatever username you want to use to log in. It will then prompt you for a password. The next time you add a user you can drop the -c flag since it is only used for the inital creation of the file.

If you haven't already restarted your Apache web server now is the time to do so. Once that has been taken care of, open up a web browser and try to access http://www.yourdomain.com/admin/ and see if it prompts you for a password. If something goes wrong check the Apache error log file.

Thursday, 23 October 2008

Run remote commands on a Cisco router from your PC

Can you go to a Windows command prompt and run a command on your router? Usually, you would have to Telnet or SSH to the router first to run the command, right?

While this approach works, you can also run router commands without leaving the Windows command prompt, which can come in handy for scripting and automating router management. Let’s take a closer look.

What is remote shell (rsh)?

Remote shell (rsh) is a command-line program commonly found in UNIX and Linux systems. Using rsh, you can remotely execute command-line programs on a remote system. This could be another UNIX or Linux system, or it could be a Cisco router or switch. Rsh was part of the BSB UNIX operating system and included with rcp (remote copy) and rlogin (remote login).

While most Linux administrators are already familiar with rsh, some Windows administrators might not be. In fact, Windows XP and Windows Server 2003 both include rsh. Figure A shows a screenshot of using rsh at the command prompt.

Figure A

Figure A

However, when working with rsh, it’s important to remember that rsh is insecure — it does not encrypt the communications between the remote device and the system. You should always configure rsh as securely as possible on the router by locking down the IP address of the management machine and the username.

However, even when taking such precautions, rsh is still very insecure compared to SSH. It’s a good idea to use rsh only on a protected, secured, internal network. (By the way, if you’re allowing rsh through a firewall, it uses TCP port 514.)

How do I configure rsh on my router?

To be able to run a command on a Windows PC, have it go to the router, execute the command, and then return the output to you, all you need to do is enter two commands. Let’s walk through the process.

First, you need to enable the remote shell services on the router. The Cisco IOS calls the remote shell service ip rcmd. To enable this service, enter the following command when in Global Configuration Mode:

Router(config)# ip rcmd rsh-enable

Second, you need to configure the permissions for your workstation and your user to be able to perform these remote shell commands. Here’s an example of this command:

Router(config)# ip rcmd remote-host root 192.168.1.45 ddavis enable

Let’s take a closer look at this command. The ip rcmd remote-host part is required. Next, you enter the local username on this router of the user that the remote shell will log in under when it runs commands. In this case, we used the local user root.

Next, 192.168.1.45 is the IP address of the management workstation that we want to allow to execute these remote shell commands — in other words, the IP address of the PC. Next, you see my local Windows username: ddavis. In this case, that’s the name of the user logged into the Windows XP machine as well as the user who will be executing the rsh command in Windows. If I were running a batch job script that executed the Windows rsh command, I would need to enter the Windows username of the user that the batch job was running under.

Finally, the command contains the enable keyword. This allows the remote shell user access to enable the mode on the router. I could take this a step further and specify the level of access allowed (i.e., levels 1 through 15).

Keep in mind that these two commands assume you already have the router configured and you already have a local user called root. If you don’t have a root user, you can use the following command to do so:

Router(config)# username root privilege 15 password C1sCo!

How do I use rsh from my Windows workstation?

Once you’ve configured the above commands, you can easily run a remote shell command from the Windows command prompt. Figure B offers an example.

Figure B

Figure B

Here’s the actual command I used:

Z: rsh Router1 -l root sh ver

Here’s how the command works:

  • The hostname is the first thing specified (in this case, Router1).
  • Next, I used -l (i.e., the letter L) to specify the remote username that I will use to log in. (Keep in mind that I still have to be user ddavis on the local Windows PC for the security to work. Also, I have to come from the IP address that I’ve specified — in other words, this wouldn’t work from another workstation.)
  • Finally, specify the command. In this case, I ran the show version command (or sh ver).

What can I do with the rsh command?

In addition to using the show version command, you can also run the show running-configuration (sh run) command or any other privileged level command. Here are some more examples:

  • show ip interface brief
  • show ip route
  • show ip ospf neighbors
  • show ip bgp summary
  • show log

What you can’t do is run a Global Configuration Mode command, such as enabling an interface or configuring an IP address. This usually limits you to the show commands.

However, one very useful thing you could do is copy your current configuration to a TFTP server and do it inside a script initiated on the Windows server. For example, you would use the copy running-configuration tftp:/1.1.1.1 command.

What else can I do with remote commands?

If you check out the Cisco IOS documentation that covers remote commands, you’ll find that there are a number of options you can use with the remote shell commands. One of the latest features in the Cisco IOS is that you can authenticate incoming rsh and rcp commands using a Cisco IOS access control list.

One of the more interesting variations is that you can use remote copy (rcp). So, I could copy a file using the Windows rcp command from my PC to the router or from the router to the PC — without ever using TFTP or FTP. (You can enable rcp with the ip rcmd rcp-enable command.

Conclusion

The remote shell (rsh or rcmd) commands can be very useful for remotely administering your router. This is especially true if you want to create a Linux or Windows script that goes out to all routers on your network and performs some show command.

Wednesday, 22 October 2008

Installing a VPN with OpenVPN

Introduction

With OpenVPN, it is easy to set up a virtual private network between Windows clients using a dialup connection and a Linux server. The clients can do ftp and telnet securely and Windows clients can securely browse the intranet running Samba.

This document describes how to set up OpenVPN between a host computer running Linux and remote Windows clients. The Linux host acts as a secure gateway to the intranet, which consists of a number of Windows computers and Linux machines running Samba. Both ends of the link receive virtual IP addresses. OpenVPN is much easier to set up than OpenSWAN. The downside is that OpenVPN does not prevent unencrypted traffic from flowing along the connection. To block this, OpenVPN must be used with a firewall to throw away the unwanted packets.

As with OpenSwan, it's essential to watch the traffic with tcpdump at every step. If set up incorrectly, a VPN may allow your computers to communicate without actually encrypting a single byte. Remember, being able to ping from both sides does not necessarily mean your VPN is working!

What is a VPN

Here's the blurb I give to our end users:

A VPN (virtual private network) is client/server software that allows you to connect securely to a remote network from anywhere, including over a modem or a broadband connection. Our VPN will allow you to browse computers on the network as if you were at work. You can drag files from your computer at work to your home PC, send email through our server, and everything else you can do at work. This lets you do work at home at night, on weekends, and on holidays as if you were in the office 24 hours a day, working continuously!

Our VPN gateway is named "endive". Once you are connected to endive, you will have complete access to our internal network. However, all your communications will be encrypted so that hackers on your remote network can't read any of your information. Access to our network is controlled by a certificate, which is a special encryption code that is different for each user. No one else can access our VPN unless they have a valid certificate. If you lose your computer, or someone steals your certificate, please let me know and I will give you a new one.

Installation on server

  1. Install openssl, lzo, and pam if you don't have it already. If you're building your own RPM, you may also need openssl-devel, lzo-devel, and pam-devel.
  2. Configure openssl if desired by editing the file
    /usr/share/ssl/openssl.cnf  
  3. If necessary, install the lzo real-time data compression library (liblzo.a) from http://oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz
    ./configure
    
    make
    make check
    make test
    su
    make install
  4. Install OpenVPN on the linux server.
    tar -xzvf openvpn-2.0.2.tar.gz
    
    cd openvpn-2.0.2
    ./configure
    make
    su
    make install

Installation on client

Click on openvpn-2.0.2-install.exe and click "Next" to begin the installation. After installing, reboot the computer. OpenVPN will install itself in C:\Program Files\OpenVPN and create a directory there called "config". The Windows version of OpenVPN will only run on W2K or later. Normally, you must have administrator privileges to install or run OpenVPN (but there are ways around this).

Create Keys on Server

Generate keys for the server and for each client manually using SSL. Version 2 of OpenVPN includes some scripts that make this easier. If you use SuSE Linux Enterprise server, it is also possible to use PKCS #12 formatted key files created by YaST2 (see "pkcs12" directive in OpenVPN man page).

  1. Edit the vars file and replace KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL with local values. Then source the vars file and create a master certificate and key for the CA (certificate authority) on the server.
    cd easy-rsa
    
    vi vars
    . ./vars
    ./clean-all
    ./build-ca
    For "common name" enter the hostname of the server, e.g., "diphtheria".
  2. Create certificate and key for the server.
    ./build-key-server server
  3. Create keys for your clients
    ./build-key ensit
    
    ./build-key siraj
    If you want the keys to be password-protected, use ./build-key-pass instead. Make sure the common name is different for each client, otherwise clients will bump each other off. Hmmm ... on second thought....
  4. Generate Diffie-Hellman parameters
    ./build-dh 
  5. Copy the client key and certificate and the CA certificate to the client's computer, or give it to the client Computer By using winscp or Flopy or any other way.

for Windows XP.
  1. smb: \> cd "Program Files\OpenVPN\config"
    
    put ensit.key (the key)
    put ca.crt (the CA certificate)
    put ensit.crt (the certificate)
    exit
  2. Copy the keys to /etc/openvpn/keys
    su
    
    cd easy-rsa/keys
    mkdir /etc/openvpn/keys
    cp * /etc/openvpn/keys

Adjust Firewall and Server Access Rules

  1. Open ports 1194/UDP (the new, official OpenVPN port) and 5000/UDP (the old OpenVPN port) in your firewall for both directions.
  2. Temporarily modify the ``hosts allow'' line in the /etc/samba/smb.conf file on the VPN server with a line that allows the IP range specified by OpenVPN to connect.
      hosts allow = 10.1.0.0/255.255.255.0
    and restart smbd and nmbd. Notice that this address should be non-routable.
  3. Edit your /etc/hosts.allow file on the server to allow the 10.1.0.0/24 network to have access.
      ALL : LOCAL  10.1.0.    
  4. Make sure you can connect to the VPN port by typing
     telnet my-vpn-server 1194
    It should say "Connection refused", not "No route to host".

Configure the server

  1. Copy a sample-config-files/server.conf to ./server.conf. Note that default port is now 1194. Port 1194/UDP must be opened on the firewall in both directions.

    Set the virtual IP address range to a private range that is not currently used by your network. A private address is in the range
    10.0.0.0 - 10.255.255.255
    
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255
    Also, IP addresses in the range of 169.254.0.0 -169.254.255.255 are reserved for Automatic Private IP Addressing, which is used by Windows. Since these addresses aren't part of your network, you will also have to set up NAT on the server. Use "dev tun" unless you are using bridging (but see below). More options are needed if the client has their own network that needs access.

    Here is an almost-minimal server.conf file:
    port 1194
    
    proto udp
    dev tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt # THIS IS THE LOCATION OF CERTIFICATE
    key /etc/openvpn/keys/server.key # This file should be kept secret
    dh /etc/openvpn/keys/dh1024.pem # THIS IS THE LOCATION OF CERTIFICATE
    client-to-client # To allow clients to see each other
    server 10.1.0.0 255.255.255.0 # Set to virtual network and subnet mask
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    cipher AES-128-CBC # AES
    comp-lzo
    persist-key
    persist-tun
    user nobody
    group nobody
    status openvpn-status.log
    verb 3
    When "server" is set to 10.1.0.0 255.255.255.0, the server will listen on that subnet and take 10.1.0.1 as its virtual IP address.
  2. Make sure tun/tap driver is configured.
    ls -l /dev/net/tun
    
    crw------- 1 root root 10, 200 Mar 23 2002 /dev/net/tun
    If not, activate CONFIG_TUN=y in your kernel configuration, recompile your kernel, and reboot into new kernel. It should create the device node automatically. If not, type
    mknod /dev/net/tun c 10 200
  3. Enable IPv4 IP forwarding on the Linux server:
    echo 1 > /proc/sys/net/ipv4/ip_forward    
    This needs to be done every time the computer reboots. If you are using modules, put modprobe tun in the startup script as well.

Configure the Windows client

In C:\Program Files\OpenVPN\, copy sample-config\client.ovpn to config\client.ovpn and edit it with Notepad to make it consistent with server.conf.

Here is an almost-minimal client.conf file for "bruce":

client

dev tun
proto udp
remote carbon 1194 # use real name or IP address of the server
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert bruce.crt
key bruce.key
cipher AES-128-CBC # AES
comp-lzo
verb 3
For other options, see the OpenVPN2.0-HOWTO.

For Windows XP, you may have to manually disable the firewall for the tap adapter.

Start server and test the connection

  1. Start server:
    su
    
    ./openvpn server.conf
  2. On Windows client, right click on client.ovpn. A console window will open and messages should appear on both computers indicating glorious success, or not.
    vpn screenshot

    vpn screenshot
    Client console window of OpenVPN in glorious success mode.

    Open a DOS box and ping the virtual IP address of the swerver
     ping 10.1.0.1
    If you later decide to remove the VPN, click on ``Add/remove hardware'' in the Control Panel and select ``Uninstall a device.'' If you do this, it is necessary to reinstall OpenVPN and reboot before it will work again. To stop the VPN, you can use the Task Mangler or press F4 in the OpenVPN console. Pressing F2 shows connection statistics.
  3. Test the connections in both directions by pinging to all four addresses:
       ping 10.1.0.1
    
    ping 10.1.0.3
    ping 192.168.100.1
    ping 192.168.100.4
    All pings should still work. This behavior is different from most other VPNs, such as OpenSwan.
  4. Click on "My Network Places" on the client and type \\10.1.0.1 in the address box. You should see a list of Samba shares.
    vpn screenshot
    Screen shot of the software actually working, sort of

  5. Start tcpdump -n on the server and observe the traffic when the client sends a ping or initiates a telnet or ftp session. Both telnet and ftp should still work.
    C:\vpn>ftp 10.1.0.1
    
    Connected to 10.1.0.1.
    ...
    All packets in both directions should be on port 1194/UDP. However, if the client uses the Windows browser, the server will also send some traffic on ports 137. The only way to stop this is by blocking it with a firewall. In most cases, it is sufficient to block the users using the "hosts allow" command in smb.conf, for example:
    hosts allow = 10.1.0.0/255.255.255.0
    which will prevent unauthenticated users from connecting. They should get a message like this:

    <span class=vpn screenshot">

  6. Check the routing table on the server
    Before starting OpenVPN:
    route
    
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.100.0 * 255.255.255.0 U 0 0 0 eth0
    After:
    route
    
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.1.0.2 * 255.255.255.255 UH 0 0 0 tun0
    192.168.100.0 * 255.255.255.0 U 0 0 0 eth0
    10.1.0.0 10.1.0.2 255.255.255.0 UG 0 0 0 tun0

PART 2 - Real World Setup

With this setup, we could also connect to 10.1.0.1 (the VPN server) over a commercial 64k dialup from our ISP. However, tcpdump showed that Windows browsing packets were going around the VPN (i.e., not through port 1194) and were being dropped by the server. To fix this, all that was necessary was to make some minor configuration changes and activate NAT on the VPN server. Now we could get to the Samba servers in the intranet behind VPN server and browse their shares by typing something like "\\diphtheria" in Explorer on the Windows PC named Cholera.

Road Warrior (Cholera) <-> Telephone <-> ISP <-> Internet <-> Router <-> VPN Server <-> Intranet <-> Windows PC (Diphtheria)
Running tracert on the Windows client tells you what's happening. In our real-world case, we have:
tracert 10.1.0.1  = 1 hop 1179 ms directly to the VPN server [10.1.0.1]

tracert 63.127.146.199 = 10 hops through various servers.
Packets sent to your intranet are taking the wrong path. The fix involves a lot of pushing and shoving. You also need to activate a NAT proxy service on the VPN gateway.

Changes on server:

  1. Install iptables(www.iptables.org) if necessary.
  2. In most Linux distributions, kernel iptables support is already enabled. If not, see "problems" below. Otherwise, on the gateway, enter the following commands:
          iptables -F
    
    iptables -F -t nat (gets rid of previous iptables entries)
    iptables -X

    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 63.127.146.199
    iptables -A FORWARD -j ACCEPT
    iptables -L -t nat (list all rules)
    Alternatively, just forward packets on the TUN interface as the manual recommends (I did not try this):
          iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
    The goal is to perform NAT proxying on the packets before they are sent out the eth0 interface. In this example, 65.198.102.199 is the static IP address of the VPN server. All packets coming in from the road warrior have their IP address rewritten before they leave the server so that their source address is that of the server.

    SNAT is used instead of MASQUERADE because the VPN gateway has a static IP address.
  3. Enable IPv4 IP forwarding on the Linux server:
    echo 1 > /proc/sys/net/ipv4/ip_forward    
  4. This should be put in /etc/rc.d/boot.local (or wherever) along with the iptables commands described earlier so they are automatically issued after a reboot.
  5. Add the following lines to server.conf on the server:
    # Advertise name server - change this number to your DNS server
    
    push "dhcp-option DNS 11.111.111.66"
    # Advertise WINS server - change this number to your WINS server
    push "dhcp-option WINS 11.111.111.196"
    push "redirect-gateway"
  6. Change from "tun" to "tap" in server.conf. With tun, the Windows browser packets try to bypass the VPN, using port 137. The server then rightfully rejects them (if they even reach the server). Because of stuff like this, it's critical to test the VPN with tcpdump to make sure it's actually encrypting all your packets. With the tap interface, browsing packets are sent through port 1194. There is no need to actually set up bridging on the server if you use NAT to rewrite the packets.

Changes on Windows client:

  1. Change from "tun" to "tap" in client.ovpn file.
  2. Right-click on the Local Area Connection icon for the TUN/TAP adapter and change the properties to "Enable NetBIOS over TCP/IP".

Results

For the skeptical, here is a screen dump of our intranet Samba server as seen from a Windows 2000 computer using OpenVPN. The Windows computer is connected over a dialup and has a dynamically-assigned IP address.
vpn screenshot

My work here is done.

Configuration files

Server configuration file (server.conf):

port 1194

proto udp
dev tap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.1.0.0 255.255.255.0
push "redirect-gateway"
client-to-client
keepalive 10 120
cipher AES-128-CBC # AES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 6
push "dhcp-option DNS 11.111.111.11" # add your own DNS server here
push "dhcp-option WINS 11.111.111.12" # add your own WINS server here

Windows client configuration file (client.ovpn):
client

dev tap
proto udp
remote 11.111.111.12 1194 # add real IP of your own openvpn server here
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cholera.crt
key cholera.key
cipher AES-128-CBC
comp-lzo
verb 3

Problems

  • TLS errors
    TLS Error: TLS key negotiation failed to occur within 60 seconds.
    
    TLS Error: TLS handshake failed
    This could mean your packets are being blocked by a firewall, your certificates on both ends don't match, or the IPs or subnet masks are wrong in your config files. A common problem is that users forget that Windows XP now comes with its own firewall enabled by default. Check to make sure Norton Security or some other security program is not running on the Windows client. It may be necessary to log out of Windows and login again before the changes take effect.
  • If your kernel does not support iptables, recompile and install a kernel on the gateway to include the following:
          CONFIG_PACKET
    
    CONFIG_NETFILTER
    CONFIG_IP_NF_CONNTRACK
    CONFIG_IP_NF_FTP
    CONFIG_IP_NF_IPTABLES
    CONFIG_IP_NF_IRC
    CONFIG_IP_NF_MATCH_LIMIT
    CONFIG_IP_NF_MATCH_MAC
    CONFIG_IP_NF_MATCH_MARK
    CONFIG_IP_NF_MATCH_MULTIPORT
    CONFIG_IP_NF_MATCH_TOS
    CONFIG_IP_NF_MATCH_TCPMSS
    CONFIG_IP_NF_MATCH_STATE
    CONFIG_IP_NF_MATCH_UNCLEAN
    CONFIG_IP_NF_MATCH_OWNER
    CONFIG_IP_NF_FILTER
    CONFIG_IP_NF_TARGET_REJECT
    CONFIG_IP_NF_TARGET_MIRROR
    CONFIG_IP_NF_NAT
    CONFIG_IP_NF_TARGET_MASQUERADE
    CONFIG_IP_NF_TARGET_REDIRECT
    CONFIG_IP_NF_TARGET_LOG
    CONFIG_IP_NF_TARGET_TCPMSS
    CONFIG_IP_NF_COMPAT_IPCHAINS
    CONFIG_IP_NF_COMPAT_IPFWADM


I get 1 error when i am configuring it.


Error ::


Certificate is to be
certified until Jun 3
16:09:50 2017 GMT (3650 days)

Sign the certificate? [y/n]:y

failed to update database
TXT_DB error number 2


Solution ::


The commonName for Certificate authority
and client certificate must not be the same.