Network technologies and trends:


Sep 12 2009   7:34AM GMT

How to capture a text using PuTTY client?



Posted by: Yasir Irfan
PuTTY, Telnet, SSH, Telnet Client, Backup, running config, Startup config, Cisco Router, Cisco Switch, Cisco Tips, Cisco backup

 

PuTTY doesn’t need any introduction, as it is one of the most widely used remote console utilities. PuTTY is an SSH and Telnet client.

In day-to-day operational activities we Telnet or SSH to our Cisco routers or switches. At times we need to back up the running or startup config of a Cisco router or switch, and sometimes we need to capture the terminal session log for technical information. This can be done easily with the PuTTY client.

I will show you how to capture text using the PuTTY client.

Once you have established a remote session with a Cisco router or switch, follow these steps:

 

Step 1: Right-click on the menu bar and select “Change Settings”.

 

Step 2: Click Logging under the Session category.

 

Step 3: Then select “All session output”.

 

Step 4: Select the location using the Browse button, enter the desired file name and click Apply.

 

These steps create the log file in the specified location, and it will record everything you did in that particular Telnet or SSH session.
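A raw PuTTY session log is not yet a usable config backup: it carries PuTTY’s own header line, the IOS “ --More-- ” pager prompts together with the backspaces IOS sends to erase them, and the echoed prompts. The following Python script (an added example, not part of this post or of PuTTY) pulls the output of show running-config out of such a log and checks that the capture reached the final “end” line. The log text, the prompt name ITKE-Cisco# and the erase sequence after --More-- are constructed assumptions.

```python
import re

# Constructed sample of a PuTTY "All session output" log from a Cisco IOS
# session (not a real capture). The " --More-- " prompt is followed by the
# backspace/space/backspace sequence IOS uses to erase it on the terminal.
MORE_PROMPT = " --More-- " + "\x08" * 10 + " " * 10 + "\x08" * 10
SAMPLE_LOG = "\r\n".join([
    "=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2009.09.12 07:30:01 =~=~=~=~=~=~=~=~=~=~=~=",
    "ITKE-Cisco#show running-config",
    "Building configuration...",
    "",
    "Current configuration : 1234 bytes",
    "!",
    "version 12.4",
    "hostname ITKE-Cisco",
    "!",
    MORE_PROMPT + "interface FastEthernet0/0",
    " ip address 10.0.0.1 255.255.255.0",
    "!",
    "line vty 0 4",
    " transport input ssh",
    "!",
    "end",
    "",
    "ITKE-Cisco#exit",
])

PUTTY_HEADER_RE = re.compile(r"^=~=~.*PuTTY log.*$\n?", re.MULTILINE)
# Pager prompt plus the assumed erase sequence (backspaces, spaces, backspaces).
MORE_RE = re.compile(r" --More-- \x08* *\x08*")
SHOW_RUN_RE = re.compile(r"sh(ow)?\s+run(ning-config)?")


def clean_session_log(raw):
    """Normalise line endings and strip PuTTY and IOS terminal noise."""
    text = raw.replace("\r\n", "\n").replace("\r", "\n")
    text = PUTTY_HEADER_RE.sub("", text)
    return MORE_RE.sub("", text)


def extract_running_config(raw, prompt):
    """Return the text between the echoed 'show running-config' and the next
    device prompt, minus the 'Building configuration...' preamble."""
    lines = clean_session_log(raw).split("\n")
    start = None
    for i, line in enumerate(lines):
        if line.startswith(prompt) and SHOW_RUN_RE.fullmatch(line[len(prompt):].strip()):
            start = i + 1
            break
    if start is None:
        raise ValueError("no 'show running-config' output found in the log")
    body = []
    for line in lines[start:]:
        if line.startswith(prompt):      # next prompt ends the command output
            break
        body.append(line)
    # Drop the preamble: IOS configs begin with "!" or a "version" line.
    while body and not (body[0] == "!" or body[0].startswith("version ")):
        body.pop(0)
    while body and body[-1] == "":
        body.pop()
    if not body:
        raise ValueError("'show running-config' produced no output")
    return "\n".join(body) + "\n"


def is_complete(config):
    """IOS prints 'end' as the last line of a running-config; a capture that
    stops earlier was cut off (session closed, or pager left at --More--)."""
    lines = config.strip().splitlines()
    return (bool(lines) and lines[-1].strip() == "end"
            and any(l.startswith("version ") for l in lines))


if __name__ == "__main__":
    cfg = extract_running_config(SAMPLE_LOG, "ITKE-Cisco#")
    print(cfg)
    print("complete:", is_complete(cfg))
```

Before relying on a log as a backup, run it through is_complete: an idle-timeout or a closed window while the pager is waiting leaves a truncated file that looks fine at a glance. Setting terminal length 0 before show running-config avoids the pager prompts altogether.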

Sep 8 2009   9:45AM GMT

Remote Telnet useful tips!



Posted by: Yasir Irfan
Switches, Cisco, Cisco Tips, Cisco 3560, Cisco Learning, Network Troubleshooting, IOS commands, Cisco Routers, reload, Cisco Switch, Cisco Troubleshooting, Router Troubleshooting, Telnet, SSH

 

We all work remotely with Cisco routers and switches, and we often log in to make configuration changes. What if we misconfigure a live Cisco router or switch located at a remote site? We don’t enjoy the liberty of resetting the device unless we have control over its power distribution.

 

In this scenario the “reload” command proves to be very handy and useful. Just before making any changes to the configuration, we can use the “reload” command as demonstrated below.

 

ITKE-Cisco#reload in ?

Delay before reload (mmm or hhh:mm)

 

ITKE-Cisco#reload in 10

 

System configuration has been modified. Save? [yes/no]: no

Building configuration…

[OK]

Reload scheduled in 10 minutes by yasir on vty0 (10.0.0.5)

Proceed with reload? [confirm]

ITKE-Cisco#

ITKE-Cisco#

 

 

***

*** — SHUTDOWN in 0:05:00 —

***

 

The command demonstrated above will reload the device in 10 minutes. After issuing the “reload” command we can proceed with the configuration changes. If things go wrong and we lose connectivity to the device, we try again after 10 minutes: the device will have reloaded with the original startup configuration, which restores our connectivity to it.

 

Once we are sure the new configuration is working properly without any hassles, the “reload cancel” command is there to cancel the scheduled reload.

 

ITKE-Cisco#reload cancel

 

I find this command to be very handy and useful, especially when we have to Telnet or SSH to a remote Cisco router or switch.


Jun 15 2009   6:08AM GMT

Open Source Network Graphing Solution - VMware Cacti Built on FreeBSD UNIX



Posted by: Yasir Irfan
Cacti, VMware, Freebsd, UNIX, RRDTool, PHP, LAN, open source software, Perl, Apache, Net-SNMP, MySQL, OpenSSL, OpenSSH, GD, Ntop, Tripwire, VMware Cacti Appliance, VMware Appliance, Cacti Guide, Cacti Support, Download Cacti, Download Vmware Appliance

The other day I was searching Google for a Cacti upgrade, and while searching I came across this wonderful ready-to-use virtual appliance based on FreeBSD UNIX.

Briefly, Cacti is a complete network graphing solution designed to harness the power of RRDTool’s data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy-to-use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices.

The creator of this appliance, Ernie, did a great job by including a nice collection of pre-configured open source software, which includes the following:

    - FreeBSD UNIX v6.2 RELEASE built to Ernie’s specifications
    - PERL v5.8.8 and many carefully selected modules
    - PHP v5.2.4 that I custom compiled from source
    - Apache v2.2.6 that I custom compiled from source
    - Net-SNMP v5.4 that I custom compiled from source
    - MySQL v5.45 that I custom compiled from source
    - RRDTool v1.23 that I custom compiled from source via FreeBSD’s Ports
    - Cacti and many plugins
    - Various other key ingredients compiled from source with the help of the FreeBSD Ports Collection
        - OpenSSL
        - OpenSSH
        - GD
        - NTop
        - Tripwire
    And even more!

This VMware Cacti Appliance is really helpful and easy to install and manage. Moreover, you will find an illustrated installation guide as well. Download the VMware Cacti Appliance here.


Jul 13 2008   6:03AM GMT

Sample I.T. Security Policy - Internet Security



Posted by: Yasir Irfan
Networking, Security, Servers, Microsoft Windows, Linux, Switches, Cisco, Routers, Policies, Mobile, Internet Security, Network Documentation, Exchange, Network Documentation Policy, Network Policies

Finally we are completing this series; here we go with the last topic. It’s the Internet Security Policy, which is very important for any organization to have. I would welcome your comments, which may encourage me to come up with more interesting stuff.

 

 

INTERNET POLICY

 

“IS” CONSIDERED THE FOLLOWING:

1. Dedicate a firewall device. Don’t run other services on it, and disable all unnecessary service features that may be included in the firewall package.

2. Disallow all connection attempts to hosts inside the network. Allowing any inbound connections provides a mechanism that attackers may exploit, either to establish connections to Trojan horses or by exploiting bugs in service software.

3. Divide provided services using Internet tools into public services and private (organizational) services. Place the public services on an Internet site (or sites) external to the Internet firewall and provide the private services on an intranet site (or sites) on the protected LAN.

4. Do not rely upon packet filtering alone to protect the network.

5. Do not rely upon Windows ISA Server built-in filtering alone to protect the network.

6. Do not use simple packet filtering or packet-filtering services from the Internet service provider as a replacement for application-layer firewalls. They are not as secure.

7. Don’t rely solely on packet filters for security protection from the Internet. Drop all external routing protocol (EIGRP) updates bound for internal routers. No one outside the network should be transmitting RIP updates to internal routers.

8. Filter out and do not respond to ICMP redirect and echo (ping) messages.

9. Limit the number of external hosts allowed to connect through the firewall to the absolute minimum possible. Take measures (proxy servers, the firewall, or IP masquerading) to make sure the IP addresses of those hosts are difficult to determine.

10. Make sure there’s no way for a hacker to tell which firewall product is in use.

11. Never publish a list of user or employee names on the Web site. Publish job titles instead.

12. Reduce the number of connections to the Internet to the minimum number possible: one per campus. Many large organizations allow only a single link to the Internet at headquarters and then route all remote offices to that point using the same frame relay lines used to connect internal networks. Respond immediately to intrusion attempts when they are detected. Collect as much information about the attacker as possible. Use their IP domains to determine who the higher-level service providers are.

13. Set up the firewall to discard ICMP echo and ICMP redirect messages destined for interior hosts.

14. Unbind NetBIOS from all servers outside the firewall. Set the TCP/IP stacks on those machines to accept connection only on ports for services that machine specifically provides.

15. If there is only one connection to the Internet, hard-code that connection in the router connected to the service provider’s network. Use RIP, EIGRP, OSPF or other automated routing protocols to manage routing inside the network.

16. Do not allow SNMP to travel into or out of the network.

17. Use operating system software on Internet accessible machines that are not susceptible to the Ping of Death.

18. Configure the gateway not to pass Ping packets.

19. Install the latest version of the operating system software.

20. Log network activity and have the log software signal an alert when a SYN attack or an ICMP flood is in progress. Deny access to the computer or network that originates the attack, and take measures (such as calling or sending an e-mail message to the administrator of the offending network) to stop the malicious behavior.

21. Unbind NetBIOS from Internet-accessible network adapters. Allow only authorized hosts outside the network to connect to the DNS servers.

22. Configure the gateway or packet filter to discard all IP packets that use the source routing feature.

23. Disallow services for which there are no proxy servers.

24. Do not allow clear text-password authentication.

25. Do not use RIP or other automated routing protocols. Statically assign the routing tables and disable RIP updates unless the network is too large to manage manually. This makes the routers impervious to RIP-based denial-of-service or spoofing attacks.

26. Don’t allow dial-up connections to the Internet. Remove modems and all other uncontrolled network access devices. Disable free COM ports in the BIOS settings of client computers and password protect the BIOS to prevent users from overriding the security settings.

27. Drop all packets that are TCP source routed. Source routing is rarely used for legitimate purposes. Log all public access to servers, and check the logs often. Use alerting software to detect hacking attempts against the exposed machines.

28. Set up monitoring software that can alert on flood attacks against the network. Record the IP addresses of the source computers (assuming they look valid) and try to determine the source of the attacks so legal measures can be taken to stop the problem.

29. Set up your own firewall. Place Web and FTP servers outside it and mail servers on the inside. Pass only SMTP and POP3 traffic from external sources. Run no other services or software on mail, Web, FTP, or firewall servers.

30. Use a port scanner periodically (about once a month) from outside the network to check the status of the firewall, packet filter, and NetBIOS bindings. This is especially important when servers are maintained by more than one person or when retaining outsourced security services.

31. Use high-level proxies capable of stripping executable content like ActiveX and Java from Web pages.

32. Use IP masquerades to hide the identity of hosts inside the network.

33. Whenever possible, use proxy servers for all application protocols.

34. Use IP address assignment, in combination with an internal firewall and IP selection on servers, to further control and partition the access allowed to remote users.

35. Use a Web and FTP hosting service rather than computers on your own network to provide customers with information about the Organization. This puts the Web hosting agency at risk rather than your own network, and means no public services need to be provided from internal servers.

36. As part of security training, make sure users know to report all instances of denial of service, whether they seem important or not. If a specific denial of service can’t be correlated with known downtime or heavy usage, or if a large number of service denials occur in a short time, a siege may be in progress.

37. Great care must be taken when downloading information and files from the internet to safeguard against both malicious code and also inappropriate material.

38. Avoid using one of the smaller Internet service providers. Hackers frequently target them as potential employers because they often have less security awareness and may use UNIX computers, rather than dedicated machines, as gateways and firewalls, making spoof attacks easy to perpetrate. Ask the service provider if they perform background checks on technical service personnel, and reject those that say they do not.

39. Consider using the disconnected Internet security model if the services required by the users can be made available from a single machine.

40. Manually assign IP addresses if the Organization is a potential espionage target.

41. Apply the anti-spoofing filter.

42. Plans are to be prepared, maintained and regularly tested to ensure that damage done by possible external cyber crime attacks can be minimized and that restoration takes place as quickly as possible.

43. In order to reduce the incidence and possibility of internal attacks, access control standards and data classification standards are to be periodically reviewed and maintained at all times.

44. Contingency plans for a denial of service attack are to be maintained and periodically tested to ensure adequacy.

45. Procedures to deal with hoax virus warnings are to be implemented and maintained.

46. Antivirus software is to be deployed across all PCs, with regular virus definition updates and scanning across servers, PCs and laptop computers.

47. E-commerce processing systems including the e-commerce Web site(s) are to be designed with protection from malicious attack given the highest priority.

48. E-commerce related Web Site(s) and their associated systems are to be secured using a combination of technology to prevent and detect intrusion together with robust procedures using dual control, where manual interaction is required.

49. Personnel should understand the rights granted to them by the Organization in respect of privacy in personal e-mail transmitted across the Organization systems and networks. Human Resources Department should incorporate a suitable wording into employee contracts to ensure that this privacy issue is fully understood.

50. Confidential and sensitive information should not be transmitted by e-mail unless it is secured through encryption or other secure means.

51. E-mail should be considered as an insecure communications medium for the purposes of legal retention for record purposes. With the usage of digital signatures and encryption, reliance upon e-mail may soon be available; however, if in any doubt, treat e-mail as transient.

52. External e-mail messages should have appropriate signature footers and disclaimers appended (E-mail Signature File). A disclaimer is particularly important where, through a mis-key, the e-mail is sent to an inappropriate person. The disclaimer should confirm the confidential nature of the e-mail and request its deletion if the addressee is not, in fact, the intended recipient.

53. Personnel should not open e-mails or attached files without ensuring that the content appears genuine. If you are not expecting to receive the message or are not absolutely certain about its source do not open it.

54. Personnel should be familiar with general e-mail good practice, e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organizational value should, on the other hand, be regularly purged or deleted from your system.

55. Use standard TEXT (ASCII) messages where possible; these are both smaller (in terms of file size) and are less able to ‘hide’ executable code e.g. HTML based e-mails which can ‘run’ upon opening.

56. The sending of inappropriate messages should be prohibited including those which are sexually harassing or offensive to others on the grounds of race, religion or gender.


Jul 9 2008   12:03PM GMT

Open Source Network Gateway



Posted by: Yasir Irfan
Networking, Linux, VMware, Content Filtering, Open Source, Gateway, Spam Blocker, Protocol Control, Open VPN, Network Gateway, Untangle

In our organization Internet management was a big issue. Since we had no budget allocated to Internet management, I was worried: how should I control our Internet usage? I tried to convince the management to buy content filtering appliances, but unfortunately there was no budget, so our users had no controls and were enjoying the freedom of the Internet. I started looking for open source appliances and came across Untangle, which proved to be great for controlling our users (who were not happy). By installing this open source network gateway we managed to block most of the unwanted content, P2P applications and much more.

What is Untangle?

Untangle is a privately held company that provides an open source network gateway for small businesses. Untangle provides many gateway applications, such as blocking spam, blocking malware, web filtering, phishing protection, intrusion prevention, and more [1] on the Untangle Gateway Platform.

Untangle was founded in 2003 as Metavize, Inc. by John Irwin and Dirk Morris. Metavize officially launched in 2005 at Demo@15![3]. In 2006, Metavize raised a $10.5M series-A venture round from CMEA Ventures and Rustic Canyon Partners, named Bob Walters as CEO, and renamed to Untangle, Inc. In 2007, Untangle released the Untangle Gateway Platform as open source under the GPLv2 license. In 2007, Untangle also experienced significant growth and surpassed 100,000 users in 2,000 organizations.

Some of the features available with Untangle are as follows:

    - Spam Blocker
    - Spyware Blocker
    - Web Filter
    - Virus Blocker
    - Firewall
    - OpenVPN
    - Phish Blocker
    - Protocol Control
    - Intrusion Prevention
    - Attack Blocker
    - Router
    - Untangle Reports


 

Untangle can be installed easily on any PC and is ready to use. You can download Untangle from the following link: http://www.untangle.com/index.php?option=com_content&task=view&id=226&Itemid=739

The minimum hardware requirements to install Untangle are as follows:

Resource          Minimum    Recommended
CPU*              1.0 GHz    2.0 GHz
Memory            512 MB     1-2 GB
Hard Drive        20 GB      40 GB
Network cards     2          3 (for DMZ)

Untangle can also be installed on the VMware platform; follow this link for more details: http://wiki.untangle.com/index.php/Untangle_Virtual_Appliance_on_VMware

To learn about the supported configurations, see http://wiki.untangle.com/index.php/Introduction#Supported_Configurations

Further details can be found at the following links:

http://www.untangle.com/

http://wiki.untangle.com/index.php/Main_Page


Jul 5 2008   6:35AM GMT

Sample I.T Security Policy - Data Security



Posted by: Yasir Irfan
Networking, Security, Microsoft Windows, Linux, Switches, Routers, DataCenter, Data Security, Exchange, Backup, Network Documentation Policy, Network Policies

As we proceed, we have two more topics to cover to complete this Sample I.T. Security Policy; hopefully it will be good and useful to you all. I would like some comments, which may boost my morale to take up more interesting things in future. Here we are with Data Security.

DATA SECURITY

“IS” CONSIDERED THE FOLLOWING:

1. Create a strong backup and disaster recovery strategy and test backups regularly.
2. Create separate partitions for the Windows System files and the volume the server will share. Then don’t share the system boot partition, share only the empty volume created for file storage.
3. Implement strong permission-based security for all files stored on the server.
4. Never use the FAT file system on the hard disk of a Windows computer when security is a concern.
5. Remove default assignments to the everyone group.
6. Repair damaged drives in mirror or stripe sets as soon as possible.
7. Store backup tapes in a waterproof, flameproof safe in the server room. If tapes must be moved off site, be certain security measures are in place to prevent their being compromised while off site.
8. Use disk mirroring or duplexing for critical data. Use duplexing when possible.
9. Consider using hardware RAID, which is faster and is independent of the operating system.
10. Consider using a SAN for huge amounts of data.
11. If the server’s physical security could be compromised in any way, and the data on the disk warrants protection, use file system encryption.
12. Use file system encryption to protect sensitive data when operating system features are not effective (when the hard drive has been removed or the operating system has been replaced).
13. For extreme fault tolerance, consider using a third -party server replication system.
14. Access to information and documents is to be carefully controlled, ensuring that only authorized personnel may have access to sensitive information.
15. With poor or inadequate access control over your documents and files, information may be copied or modified by unauthorized persons, or become corrupted unintentionally or maliciously.
16. High risk systems require more stringent access control safeguards due to the confidentiality of the information they process and / or the purpose of the system, e.g. the funds transfer systems used by banks. Ideally, the operating systems for such systems should be hardened to further enhance security.
17. Properly mark proprietary and confidential documents. The confidential markings can be minimized if they are seen on routine documents. Mark only proprietary documents, not everything.
18. Track printouts from any computer. Have confidential and proprietary markings automatically put on every printed proprietary document.
19. Limit access to source code; limit physical access to documents.
20. Access to data and information is at the heart of every set of Information Security Policies. Inappropriate access to data may contravene Organization policy and infringe legal regulations.
21. The right to access systems and data is based upon identified and approved business needs and should be withdrawn when the need ceases.
22. Denying unauthorized persons access, both physical and logical, to the Organization’s systems is part of an effective Information Security process. Physical access to the data centre or computer room should always be restricted to authorized persons only.
23. However, data access goes beyond access to PCs and servers; it also includes access to written and printed information on the desks of personnel, notes pinned to notice boards, etc. Access to such information must also be controlled. Traditionally, door locks and keys ensured security; nowadays, even greater security can be provided by electronic keys and biometrics, with the additional benefit that they may also monitor and record access attempts.
24. Where users’ access rights and privileges are not documented, information security may be compromised.

Yasir
Personal Website: www.yasirirfan.com



Jun 21 2008   5:42AM GMT

What is SSH, and how can it be configured on a Cisco switch?



Posted by: Yasir Irfan
Networking, Security, Switches, Cisco, SSH, Network Documentation Policy

Secure Shell (SSH) - TCP Port 22

SSH stands for “Secure Shell”. SSH commonly uses port 22 to connect your computer to another computer on the Internet. It is most often used by network administrators as a remote login and remote control method for managing their business servers. Examples would be: your e-mail administrator needs to reboot the company e-mail server from his home, or your network administrator needs to reset your office password while she is away at a conference.

If remote access to a switch is necessary, then consider using SSH instead of Telnet. SSH provides encrypted remote connections. However, only IOS versions that include encryption support SSH, so the switch may need its IOS updated to gain SSH capability.

Before using SSH on the switch, the administrator must configure the switch with the following commands: hostname, ip domain-name, and crypto key generate rsa. The following example sets the hostname to Switch.

Switch(config)# hostname Switch
Refer to the previous subsection on DNS for an example using the ip domain-name command.

The crypto key generate rsa command depends on the hostname and ip domain-name commands. This crypto command generates a Rivest, Shamir, Adleman (RSA) key pair, which includes one public RSA key and one private RSA key. The following example shows this crypto command, including the two parameters that are prompted for: the name for the keys (e.g., switch.test.lab) and the size of the key modulus (e.g., 1024).

Switch(config)# crypto key generate rsa
The name for the keys will be: switch.test.lab
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may
take a few minutes.
How many bits in the modulus[512]? 1024
Generating RSA keys…. [OK].

To restrict SSH access to the switch, configure an extended access-list (e.g., 101) that allows only the administrators’ systems to make these connections, and apply this access-list to the virtual terminal lines. Allow only SSH connections to these lines by using the transport input ssh command. Set the privilege level to 0, and set the exec-timeout period to 9 minutes and 0 seconds so that idle connections to these lines are disconnected. Finally, use the login local command to enable local account checking at login, which will prompt for a username and a password.

The following commands show the example configuration for SSH on the virtual terminal lines.

Switch(config)# no access-list 101
Switch(config)# access-list 101 remark Permit SSH access from administrators’ systems
Switch(config)# access-list 101 permit tcp host 10.0.0.2 any eq 22 log
Switch(config)# access-list 101 permit tcp host 10.0.0.4 any eq 22 log
Switch(config)# access-list 101 deny ip any any log
Switch(config)# line vty 0 4
Switch(config-line)# access-class 101 in
Switch(config-line)# transport input ssh
Switch(config-line)# privilege level 0
Switch(config-line)# exec-timeout 9 0
Switch(config-line)# login local

The login local command cannot be used with AAA. Instead, use the login authentication command. Refer to the AAA section of this guide for more details.
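Once this hardening is in place, the thing that usually drifts is a second vty range (vty 5 15 on many platforms) left at defaults, or a later change that re-enables Telnet. The Python audit below is an added example, not part of this post or of Cisco IOS: it parses the line vty blocks of a saved running-config and reports any block that deviates from the settings described above (SSH-only transport, an access-class that references a defined access-list, an idle timeout, and login local or AAA). The configuration text it runs over is constructed for the example, with the hardened block from the post beside an unhardened one.

```python
import re

# Constructed running-config excerpt (not from a real device): the hardened
# vty block from the post next to an unhardened one for contrast.
SAMPLE_CONFIG = """\
!
hostname Switch
ip domain-name test.lab
!
access-list 101 remark Permit SSH access from administrators' systems
access-list 101 permit tcp host 10.0.0.2 any eq 22 log
access-list 101 permit tcp host 10.0.0.4 any eq 22 log
access-list 101 deny ip any any log
!
line vty 0 4
 access-class 101 in
 exec-timeout 9 0
 privilege level 0
 login local
 transport input ssh
line vty 5 15
 login
 transport input all
!
end
"""


def parse_vty_blocks(config):
    """Map each 'line vty ...' header to the indented commands beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None            # any unindented line ends the block
    return blocks


def defined_acls(config):
    """Numbers or names of the access-lists the config actually defines."""
    acls = set()
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) |ip access-list (?:standard|extended) (\S+)", line)
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def audit_vty_lines(config):
    """Return {vty block: [findings]}; an empty list means the block matches
    the hardening in the post."""
    acls = defined_acls(config)
    report = {}
    for name, cmds in parse_vty_blocks(config).items():
        findings = []
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append("no 'transport input' set; the platform default may allow telnet")
        elif transport[-1] != "transport input ssh":
            findings.append("'%s' allows cleartext protocols; expected 'transport input ssh'" % transport[-1])
        access = [c for c in cmds if c.startswith("access-class")]
        if not access:
            findings.append("no access-class: any source address may attempt to log in")
        else:
            m = re.match(r"access-class (\S+) in\b", access[-1])
            if not m or m.group(1) not in acls:
                findings.append("'%s' references an access-list that is not defined" % access[-1])
        timeout = [c for c in cmds if c.startswith("exec-timeout")]
        if not timeout:
            findings.append("no explicit exec-timeout on the line")
        elif timeout[-1] == "exec-timeout 0 0":
            findings.append("'exec-timeout 0 0' disables the idle timeout")
        if not any(c == "login local" or c.startswith("login authentication") for c in cmds):
            findings.append("login does not use local accounts or AAA")
        report[name] = findings
    return report


if __name__ == "__main__":
    for block, findings in audit_vty_lines(SAMPLE_CONFIG).items():
        print(block, "->", findings or "OK")
```

Running it over the sample reports vty 0 4 as clean and lists four findings for vty 5 15. Feed it the output of show running-config saved from a session log and it serves as a cheap periodic check that the access restriction has not been loosened.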

Free SSH Clients
List of free SSH servers and Clients

Yasir

Personal Website: www.yasirirfan.com



Jun 18 2008   1:28PM GMT

Introduction to Freeware Bandwidth Monitoring Software – Series 1



Posted by: Yasir Irfan
Networking, Cacti, Bandwidth monitoring

Cacti is one of the great freeware bandwidth monitoring tools that works with SNMP. It is an RRD-based tool which uses a MySQL server as its database and is completely driven by PHP.

What is Cacti?
Cacti is resource monitoring software which uses RRDtool to store data, and the data is used to create graphs. Cacti’s greatest strength is that it provides complex graphs easily. Cacti comes with a fast poller to collect data from different resources simultaneously and has many user management features. It is so user-friendly that even a layman can figure out how it works with little effort.

Why Cacti?
In a single sentence: “Cacti, because it’s easy”. Installing and using Cacti is a very simple task and does not require in-depth knowledge of networking or resource management. You can install and configure it in simple steps, which makes it ideal software for newbie network administrators. Nevertheless, it is so powerful and scalable that you can use it even in large networks with hundreds of devices.
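What the poller actually does with the SNMP data is worth seeing once, because it explains a classic Cacti graph artefact: a huge spike when a 32-bit interface counter wraps between two polls. The Python below is an added example, not Cacti or RRDtool code, and goes a little beyond the post: it turns successive ifInOctets samples into bits per second the way an RRDtool COUNTER data source does (allowing one wrap per interval), and checks whether a given polling interval is short enough for the link speed and counter width. All counter values and timestamps are constructed.

```python
# Added example (not Cacti code): SNMP octet counters to bandwidth, with
# counter-wrap handling. Sample values below are constructed.
COUNTER32_MAX = 2 ** 32


def counter_delta(prev, curr, max_value=COUNTER32_MAX):
    """Octets transferred between two samples of an SNMP Counter object,
    allowing for at most one wrap (the rule an RRDtool COUNTER DS applies)."""
    if not (0 <= prev < max_value and 0 <= curr < max_value):
        raise ValueError("counter sample outside the counter's range")
    if curr >= prev:
        return curr - prev
    return (max_value - prev) + curr       # counter wrapped once


def bits_per_second(samples, counter_bits=32):
    """samples: [(unix_time, ifInOctets), ...] in time order.
    Returns [(unix_time, bps), ...], one rate per polling interval."""
    max_value = 2 ** counter_bits
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        octets = counter_delta(c0, c1, max_value)
        rates.append((t1, octets * 8 / (t1 - t0)))
    return rates


def seconds_until_wrap(link_bps, counter_bits=32):
    """Worst-case time for a saturated link to wrap the octet counter."""
    return (2 ** counter_bits) * 8 / link_bps


def polling_interval_is_safe(link_bps, poll_seconds, counter_bits=32):
    """A poller can only account for one wrap per interval, so the interval
    must be shorter than the wrap time; otherwise the graph shows bogus
    spikes or drops and the 64-bit ifHCInOctets counters should be polled."""
    return poll_seconds < seconds_until_wrap(link_bps, counter_bits)


if __name__ == "__main__":
    # Constructed samples: a steady 100 kbit/s, then a wrap between polls.
    samples = [(0, 1000), (300, 3751000)]
    print(bits_per_second(samples))                   # [(300, 100000.0)]
    print(bits_per_second([(0, 4294960000), (300, 2000)]))
    for speed in (100_000_000, 1_000_000_000):
        print(speed, "bit/s, 5-min polling, 32-bit counters safe:",
              polling_interval_is_safe(speed, 300))
```

With Cacti’s default 5-minute polling, a 100 Mbit/s interface is within the 343-second wrap time of a 32-bit counter only just, and a gigabit interface is not; for those, select the 64-bit (ifHC) counters in the data template or poll more often.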

Installation
Cacti can be installed on many platforms such as Unix, Linux and Windows. I am concentrating on Windows XP. To install Cacti, download a fully integrated package from the following links: http://www.disorder.com/~bsod/cacti-0.8….
 http://files.davehope.co.uk/cacti/ (thanks to Rony and Dave Hope for hosting).
It’s pretty easy to install: make sure IIS is enabled and just follow the steps until you reach the final step, where you are supposed to make some modifications, which are attached with this post. Cacti Post Installation Instructions

Once you are done with the installation, log on to the local Cacti web page at
http://IP Address of the PC/cacti/index.php with the default username admin and password cactipw.

For Adding Devices and graphs access this link http://www.cacti.net/downloads/docs/html…

For further details, visit the Cacti forums and the Cacti web site:
http://forums.cacti.net
http://www.cacti.net/