Thursday, December 30, 2010

limit traffic Vyatta

การ limit traffic การใช้งานของ Vyatta

shaper = outbound
limiter = inbound

ตัวอย่าง

set traffic-policy limiter 15m default bandwidth '15mbit'
set traffic-policy shaper 20m default bandwidth '20mbit'

commit

set interfaces ethernet eth0 traffic-policy in '15m'
set interfaces ethernet eth0 traffic-policy out '20m'

commit

ตรวจสอบ config

ruamit@core-bkk01# show traffic-policy limiter
15m {
default {
bandwidth 15mbit
}
}
[edit]
ruamit@core-bkk01# show traffic-policy shaper
20m {
default {
bandwidth 20mbit
}
}
[edit]
ruamit@core-bkk01# show interfaces ethernet eth0
address 192.168.1.100/24
address 172.16.0.1/24
hw-id 00:1c:23:00:69:4b
traffic-policy {
in 15m
out 20m
}


การตรวจสอบว่าตรงหรือไม่อาจจะต้องใช้ program STG เพื่อจับ traffic หรือลง iptraf เพื่อ monitor traffic อีกที เนื่องจากกรณี show interface จะไม่บอก bitrate ที่วิ่ง จะแสดงเฉพาะ packet เนื่องจากเป็น base linux

Wednesday, December 29, 2010

port forward on Juniper SRX with ADSL

ตัวอย่างการ set port forward สำหรับ adsl เช่น remote เข้ามาที่ wan pp0.0 port 23 ให้ forward ไปที่ 172.16.0.99 port 23



set security nat destination pool telnet-host address 172.16.0.99/32
set security nat destination pool telnet-host address port 23
set security nat destination rule-set nat-static from interface pp0.0
set security nat destination rule-set nat-static rule port-forword match destination-address 0.0.0.0/0
set security nat destination rule-set nat-static rule port-forword match destination-port 23
set security nat destination rule-set nat-static rule port-forword then destination-nat pool telnet-host


หมายเหตุ
destination-address 0.0.0.0/0 เนื่องจาก adsl เป็น dynamic ip จึงไม่สามารถระบุ ip ที่แน่นอนได้ จึงระบุเป็น class ใหญ่

อย่าลืม allow zone policy ด้วยน่ะครับ

set security policies from-zone untrust to-zone trust policy port-fwd match source-address any
set security policies from-zone untrust to-zone trust policy port-fwd match destination-address ip_172.16.0.99
set security policies from-zone untrust to-zone trust policy port-fwd match application junos-telnet
set security policies from-zone untrust to-zone trust policy port-fwd then permit




Tuesday, December 28, 2010

Juniper and TACACS+

config บน Juniper เพื่อคุยกับ tacacs+ server

set system authentication-order tacplus
set system authentication-order password

set system tacplus-server 192.168.26.4 port 49
set system tacplus-server 192.168.26.4 secret "$9$G-Uqf3nC0BEz3A0O1rlxNds4ZjHmQ39"
set system tacplus-server 192.168.26.4 single-connection

set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus



account สำหรับ tacacs+ คุยกับ router

set system login user view full-name TACACS_ACCOUNT_OPERATOR
set system login user view uid 2002
set system login user view class operator

set system login user admin full-name TACACS_ACCOUNT_ADMIN
set system login user admin uid 2001
set system login user admin class super-user



ตัวอย่าง config บน tacacs+ server เพื่อคุยกับ juniper หมายเหตุ version tacacs+ F4.0.4.19 บน linux

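# Group Account
# local-user-name maps the TACACS+ login onto the local Junos user of the
# same name (the "set system login user admin|view" statements above).
group = admin {
    default service = permit
    service = junos-exec {
        local-user-name = admin
        allow-commands = "all"
    }
}
# The admin group must be closed before the next group starts; otherwise
# "viewer" is nested inside "admin" and the file does not parse as intended.
group = viewer {
    default service = deny
    service = junos-exec {
        local-user-name = view
        # Regex of operational commands this group may not run. No trailing
        # "|": an empty alternative matches every command and would deny all.
        deny-commands = "clear|request|restart"
    }
}


#user admin
# Passwords are stored in cleartext in this file, so the file must stay
# readable by root only.
user = nmc {
    login = cleartext "nmc1234"
    member = admin
}

#user operator
user = test01 {
    login = cleartext "test1234"
    member = viewer
}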

PPPOE on Juniper SRX

การ set PPPoE บน juniper SRX

interface ge-0/0/1 ผมเลือกเป็น uplink เชื่อมกับ modem โดยให้ modem เป็น bridge

set interfaces ge-0/0/1 description PPPOE_INTERFACE
set interfaces ge-0/0/1 unit 0 encapsulation ppp-over-ether

กำหนด profile ppp และ interface ppp เพื่อเชื่อมต่อกับ DSLAM

set access profile ppp authentication-order password

set interfaces pp0 unit 0 description PPP_TO_TRUE_ADSL
set interfaces pp0 unit 0 ppp-options pap access-profile ppp
set interfaces pp0 unit 0 ppp-options pap local-name "adslaccout@truehisp"
set interfaces pp0 unit 0 ppp-options pap local-password "$9$P5T3CA0EclFnEy"
set interfaces pp0 unit 0 ppp-options pap passive

set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/1.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 30
set interfaces pp0 unit 0 pppoe-options client

set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet no-redirects
set interfaces pp0 unit 0 family inet negotiate-address

เปิด ping กับ telnet สำหรับ ทดสอบและ remote หรือจะ on service ssh ก็ได้ตามสะดวก แต่ว่า WAN อยู่ใน zone untrust น่ะครับ

set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ping


หลัง config เสร็จ interface pp0.0 ได้รับ IP แต่ทำไม default route ไม่มา แก้ไขโดย กำหนด default route

set routing-options static route 0.0.0.0/0 next-hop pp0.0

หลังจากปรับ เสร็จ พบว่า เปิดเว็บไม่ได้บางเว็บ งง สิหล่ะงานนี้ แก้ไขโดย ปรับ tcp adjust mss สูตร mtu ลบ header 40 byte

set security flow tcp-mss all-tcp mss 1452


ตัวอย่าง show config บางส่วนข้างต้น


test@srx# show interface ge-0/0/1
description PPPOE_INTERFACE;
unit 0 {
encapsulation ppp-over-ether;
}
}

test@srx# show interface pp0
unit 0 {
description PPP_TO_TRUE_ADSL;
ppp-options {
pap {
access-profile ppp;
local-name "adslaccout@truehisp";
local-password "$9$P5T3CA0EclFnEy"; ## SECRET-DATA
passive;
}
}
pppoe-options {
underlying-interface ge-0/0/1.0;
auto-reconnect 30;
client;
}
family inet {
mtu 1492;
no-redirects;
negotiate-address;
}
}
}


test@srx# show security-zone untrust
screen untrust-screen;
interfaces {
pp0.0 {
host-inbound-traffic {
system-services {
ssh;
ping;
}
}
}
}
}


test@srx# show routing-options
static {
route 0.0.0.0/0 {
next-hop pp0.0;
}
}
}


test@srx# show security flow
tcp-mss {
all-tcp {
mss 1452;
}
}

Zone policy Vyatta

zone policy ของ Vyatta คล้ายๆ กับของ juniper SRX แฮะ 555


ruamit@vyatta# show zone-policy
zone DMZ {
interface eth3
}
zone local {
default-action drop
from trust {
firewall {
name from_internal
}
}
from untrust {
firewall {
name to-router
}
}
local-zone
}
zone trust {
default-action drop
description LAN_interface
interface eth2
}
zone untrust {
default-action drop
description WAN
from trust {
firewall {
name tcp-out
}
}
interface eth0
}
[edit]

Sunday, December 26, 2010

Vyatta PPPOE VPN and NAT with firewall protect wan

PPPOE interface WAN to internet


set interfaces ethernet eth0 address '192.168.1.100/24'

set interfaces ethernet eth0 duplex 'auto'

set interfaces ethernet eth0 hw-id '00:1c:23:00:69:4b'

set interfaces ethernet eth0 pppoe 0 default-route 'auto'

set interfaces ethernet eth0 pppoe 0 mtu '1492'

set interfaces ethernet eth0 pppoe 0 name-server 'auto'

set interfaces ethernet eth0 pppoe 0 password 'admintest'

set interfaces ethernet eth0 pppoe 0 user-id 'testpppoe@truehisp'




ruamit@vyatta# show interfaces

ethernet eth0 {

address 192.168.1.100/24

hw-id 00:1c:23:00:69:4b

pppoe 0 {

default-route auto

password admintest

user-id testpppoe@truehisp

}



NAT


set service nat rule 2 outbound-interface 'pppoe0'

set service nat rule 2 source address '172.16.0.0/24'

set service nat rule 2 type 'masquerade'

set service nat rule 20 description 'Port-Forword-PPTP_1723'

set service nat rule 20 destination port '1723'

set service nat rule 20 inbound-interface 'pppoe0'

set service nat rule 20 inside-address address '172.16.0.1'

set service nat rule 20 inside-address port '1723'

set service nat rule 20 protocol 'tcp_udp'

set service nat rule 20 type 'destination'


ruamit@vyatta# show service nat

nat {

rule 2 {

description NAT_POOL

outbound-interface pppoe0

source {

address 172.16.0.0/24

}

type masquerade

}

rule 20 {

description Port-Forword-PPTP_1723

destination {

port 1723

}

inbound-interface pppoe0

inside-address {

address 172.16.0.1

port 1723

}

protocol tcp_udp

type destination

}

}




Limit Bandwidth

set traffic-policy shaper 10m default bandwidth 10mbit

set traffic-policy limiter 5m default bandwidth 5mbit

set interfaces ethernet eth1 traffic-policy out 10m

set interfaces ethernet eth1 traffic-policy in 5m

ruamit@vyatta# show traffic-policy

limiter 5m {

default {

bandwidth 5mbit

}

}

shaper 10m {

default {

bandwidth 10mbit

}

}

[edit]


ruamit@vyatta# show interfaces ethernet eth1

address 172.16.0.1/24

description internal_network

hw-id 00:0c:29:00:9e:07

traffic-policy {

in 5m

out 10m

}

[edit]

ruamit@vyatta#





VPN PPTP


set vpn pptp remote-access authentication local-users username vyattaadmin password 'cisco123'

set vpn pptp remote-access authentication mode 'local'

set vpn pptp remote-access client-ip-pool start '172.16.0.100'

set vpn pptp remote-access client-ip-pool stop '172.16.0.110'

set vpn pptp remote-access dns-servers server-1 '203.144.207.49'

set vpn pptp remote-access outside-address '172.16.0.1'


ruamit@vyatta# show vpn

pptp {

remote-access {

authentication {

local-users {

username vyattaadmin {

password cisco123

}

}

mode local

}

client-ip-pool {

start 172.16.0.100

stop 172.16.0.110

}

dns-servers {

server-1 203.144.207.49

}

outside-address 172.16.0.1

}

}

}



set snmp


set service snmp community public authorization 'ro'

set service snmp community public client 172.16.0.100


ruamit@vyatta# show service snmp

snmp {

community public {

authorization ro

client 172.16.0.100

}




telnet ssh

ruamit@vyatta# set service telnet

ruamit@vyatta# set service ssh



login


set system login user nmc authentication plaintext-password nmc1234

set system login user nmc level 'operator'

set system login user ruamit authentication plaintext-password admin1234

set system login user ruamit level 'admin'



ruamit@vyatta# show system login

user nmc {

authentication {

encrypted-password $1$uaLO3jod$Dnzwb7CeYPvviNnjZTNgV0

plaintext-password ""

}

level operator

}

user ruamit {

authentication {

encrypted-password $1$KeWhiX1f$s2bnIdWba6bYDT8X8eVEa0

plaintext-password ""

}

}




NTP & timezone


set system time-zone 'Asia/Bangkok'

set system ntp-server 'time.navy.mi.th'

set system name-server '8.8.8.8'

set system name-server '8.8.4.4'



webproxy (only cache no filter)


set service webproxy cache-size '200'

set service webproxy default-port '8080'

set service webproxy 'disable-access-log'

set service webproxy listen-address '172.16.0.1'


ruamit@vyatta# show service webproxy

cache-size 200

default-port 8080

disable-access-log

listen-address 172.16.0.1 {

}




dynamic dns

set service dns dynamic interface pppoe0 service dyndns host-name 'ssl-vpn.dyndns-ip.com'

set service dns dynamic interface pppoe0 service dyndns login 'abcsd'

set service dns dynamic interface pppoe0 service dyndns password 'xxxxxx'


ruamit@vyatta# show service dns

dynamic {

interface pppoe0 {

service dyndns {

host-name ssl-vpn.dyndns-ip.com

login adscd

password xxxxx

}

}

}




firewall filter on wan PPPOE


set firewall name to-external default-action 'accept'

set firewall name to-external rule 1 action 'drop'

set firewall name to-external rule 1 destination port '600-65535'

set firewall name to-external rule 1 protocol 'udp'

set firewall name to-external rule 1 source address '0.0.0.0/0'

set firewall name to-external rule 2 action 'drop'

set firewall name to-external rule 2 destination port '135,137-139,445'

set firewall name to-external rule 2 protocol 'tcp_udp'

set firewall name to-router default-action 'drop'

set firewall name to-router rule 1 action 'accept'

set firewall name to-router rule 1 destination port '22'

set firewall name to-router rule 1 protocol 'tcp'

set firewall name to-router rule 1 source address '117.121.208.0/24'

set firewall name to-router rule 2 action 'accept'

set firewall name to-router rule 2 description 'SSH'

set firewall name to-router rule 2 destination address '0.0.0.0/0'

set firewall name to-router rule 2 protocol 'icmp'

set firewall name to-router rule 2 source address '0.0.0.0/0'

set firewall name to-router rule 3 action 'accept'

set firewall name to-router rule 3 log 'disable'

set firewall name to-router rule 3 protocol 'all'

set firewall name to-router rule 3 state established 'enable'

set firewall name to-router rule 3 state invalid 'disable'

set firewall name to-router rule 3 state new 'disable'

set firewall name to-router rule 3 state related 'enable'

set firewall name to-router rule 4 action 'accept'

set firewall name to-router rule 4 description 'SNMP'

set firewall name to-router rule 4 destination port '161-162'

set firewall name to-router rule 4 protocol 'udp'

set firewall name to-router rule 4 source address '0.0.0.0/0'

set firewall name to-router rule 5 action 'accept'

set firewall name to-router rule 5 description 'PPTP'

set firewall name to-router rule 5 destination port '1723'

set firewall name to-router rule 5 protocol 'tcp_udp'

set interfaces ethernet eth0 pppoe 0 firewall local name 'to-router'

set interfaces ethernet eth0 pppoe 0 firewall out name 'to-external'


ruamit@vyatta# show firewall

name to-external {

default-action accept

rule 1 {

action drop

destination {

port 600-65535

}

protocol udp

source {

address 0.0.0.0/0

}

}

rule 2 {

action drop

destination {

port 135,137-139,445

}

protocol tcp_udp

}

}

name to-router {

rule 1 {

action accept

destination {

port 22

}

protocol tcp

source {

address 117.121.208.0/24

}

}

rule 2 {

action accept

description SSH

destination {

address 0.0.0.0/0

}

protocol icmp

source {

address 0.0.0.0/0

}

}

rule 3 {

action accept

log disable

protocol all

state {

established enable

invalid disable

new disable

related enable

}

}

rule 4 {

action accept

description SNMP

destination {

port 161-162

}

protocol udp

source {

address 0.0.0.0/0

}

}

rule 5 {

action accept

description PPTP

destination {

port 1723

}

protocol tcp_udp

}

}

send-redirects disable

syn-cookies disable

}


ruamit@vyatta# show interfaces ethernet eth0

address 192.168.1.100/24

hw-id 00:1c:23:00:69:4b

pppoe 0 {

default-route auto

firewall {

local {

name to-router

}

out {

name to-external

}

}

password admintest

user-id testpppoe@truehisp

}




Tuesday, October 19, 2010

How to install snmpd service for Ubuntu 10.04

How to install snmpd service for Ubuntu 10.04


root@localhost:~# apt-get install snmpd

then edit the snmpd defaults so it listens on all interfaces instead of only 127.0.0.1, using

root@localhost:~# vi /etc/default/snmpd
change line

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'

to

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'

edit snmpd config

root@localhost:~# vi /etc/snmp/snmpd.conf
from line

# sec.name source community
com2sec paranoid default public
#com2sec readonly default public
#com2sec readwrite default private

####
# Second, map the security names into group names:

# sec.model sec.name
group MyROSystem v1 paranoid
group MyROSystem v2c paranoid
group MyROSystem usm paranoid
group MyROGroup v1 readonly
group MyROGroup v2c readonly
group MyROGroup usm readonly
group MyRWGroup v1 readwrite
group MyRWGroup v2c readwrite
group MyRWGroup usm readwrite



To
Example allowing localhost and hosts in 192.168.0.0/24 read-only access to snmpd on this server


# sec.name source community
#com2sec paranoid default public
com2sec readonly 127.0.0.1/32 public
com2sec readonly 192.168.0.0/24 public
#com2sec readwrite default private

####
# Second, map the security names into group names:

# sec.model sec.name
#group MyROSystem v1 paranoid
#group MyROSystem v2c paranoid
#group MyROSystem usm paranoid
group MyROGroup v1 readonly
group MyROGroup v2c readonly
group MyROGroup usm readonly
#group MyRWGroup v1 readwrite
#group MyRWGroup v2c readwrite
#group MyRWGroup usm readwrite


save config and restart service

root@localhost:~# /etc/init.d/snmpd restart

check snmp binding address

root@localhost:~# netstat -tuanp |grep :161
udp 0 0 0.0.0.0:161 0.0.0.0:* 26696/snmpd
root@localhost:~#


test snmp config

root@localhost:~# snmpwalk -v1 -c public 127.0.0.1 system
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost 2.6.35-22-generic #34-Ubuntu SMP Thu Oct 7 14:15:41 UTC 2010 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (5788) 0:00:57.88
SNMPv2-MIB::sysContact.0 = STRING: Root (configure /etc/snmp/snmpd.local.conf)
SNMPv2-MIB::sysName.0 = STRING: localhost
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (configure /etc/snmp/snmpd.local.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (2) 0:00:00.02
root@localhost:~#

Have fun with Ubuntu Linux

Saturday, October 09, 2010

service SSH on Cisco router

วันนี้ยังไม่ง่วงเลย มาเขียนการเปิดใช้งาน service ssh บน cisco

แรกสุดก็ต้องเช็คว่า IOS ของ router รองรับ ssh version ไหนบ้าง เช่น 1 หรือ 2 หรือว่าไม่รองรับเลยโดยใช้คำสั่ง

cisco#sh ip ssh

หากตอบมา error แสดงว่าไม่รองรับ
หากตอบมาเป็น version 1.5 แสดงว่ารองรับเฉพาะ version 1
หากตอบมาเป็น version 1.99 แสดงว่าสามารถเปิด SSH version 2 ได้

ต่อมาขั้นตอนการ เปิดใช้งาน service ip ssh

1. กำหนด domain name บน router ตัวอย่าง
cisco(config)#ip domain-name cisco.com

2. generate RSA key เพื่อให้ router เปิด service ssh เช่น

cisco(config)#crypto key generate rsa

หลังจาก enter ก็จะขึ้นถามจำนวน key bit แนะนำเป็น 1024 กำลังดี

3. เปิด line VTY บน router ให้รับเฉพาะ SSH เช่น

cisco(line-vty)#transport input ssh

เป็นอันว่าเสร็จ

แต่ทั้งนี้ทั้งนั้น แนะนำควรมี access-class in เพื่อ filter ip ที่สามารถเข้ามาอีกครั้ง เพื่อความปลอดภัย
เช่น allow ip 8.8.8.8 port 22 ให้เข้า router ได้ IP เดียว

cisco(config)#access-list 101 permit tcp host 8.8.8.8 any eq 22
cisco(line-vty)#access-class 101 in

Friday, October 08, 2010

การใช้ command line สำหรับ ufw firewall

การใช้ command line สำหรับ ufw firewall

เปิดใช้งาน

root@localhost:~# ufw enable
Firewall is active and enabled on system startup
root@localhost:~#


ปิดใช้งาน
root@localhost:~# ufw disable
Firewall stopped and disabled on system startup
root@localhost:~#

ปรับ policy inbound เป็น deny
root@localhost:~# ufw default deny
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
root@localhost:~#

เพิ่ม policy inbound เป็น IP

root@localhost:~# ufw allow in from 8.8.8.8 to any
Rule added
root@localhost:~#

กำหนด inbound เป็น port
root@localhost:~# ufw allow in proto tcp from any to any port 22
root@localhost:~# ufw allow in proto udp from any to any port 53

กำหนด outbound บาง port
root@localhost:~# ufw allow out proto udp from any to any port 53
root@localhost:~# ufw allow out proto tcp from any to any port 22,22,23,25,80,110,443
root@localhost:~# ufw deny out from any to any

insert policy กรณีมีอยู่แล้ว
แรกสุดต้องเช็ค ลำดับของ policy
root@localhost:~# ufw status numbered
Status: active

To Action From
-- ------ ----
[ 1] Anywhere ALLOW IN 8.8.8.8
[ 2] 22/tcp ALLOW IN Anywhere
[ 3] 53/udp ALLOW IN Anywhere
[ 4] 53/udp ALLOW OUT Anywhere (out)
[ 5] 161:162/udp ALLOW OUT Anywhere (out)
[ 6] 20,21,22,22,23,25,80,110,443/tcp ALLOW OUT Anywhere (out)
[ 7] Anywhere DENY OUT Anywhere (out)

เพิ่ม policy
root@localhost:~# ufw insert 7 allow out proto tcp from any to any port 1024:65535

ตรวจสอบ policy

root@localhost:~# ufw status numbered
Status: active

To Action From
-- ------ ----
[ 1] Anywhere ALLOW IN 8.8.8.8
[ 2] 22/tcp ALLOW IN Anywhere
[ 3] 53/udp ALLOW IN Anywhere
[ 4] 53/udp ALLOW OUT Anywhere (out)
[ 5] 161:162/udp ALLOW OUT Anywhere (out)
[ 6] 20,21,22,22,23,25,80,110,443/tcp ALLOW OUT Anywhere (out)
[ 7] 1024:65535/tcp ALLOW OUT Anywhere (out)
[ 8] Anywhere DENY OUT Anywhere (out)

Monday, July 05, 2010

remove IPV6 ubuntu 10.04

remove IPV6 ubuntu 10.04


It's easy to do. eiei


root@ubuntu10:~#echo "#disable ipv6" | sudo tee -a /etc/sysctl.conf
root@ubuntu10:~#echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
root@ubuntu10:~#echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
root@ubuntu10:~#echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf

and the last command applies the settings without a reboot

root@ubuntu10:~#sysctl -p

Check with ifconfig, ip a and ip r that no IPv6 addresses or routes remain

Tacacs Installation

Tacacs installation and setting

Download file จาก site shrubbery.net
root@ubuntu10:~# wget -q ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.19.tar.gz

แตก file tacacs ที่ download มา
root@ubuntu10:~# tar zxvf tacacs+-F4.0.4.19.tar.gz
...
root@ubuntu10:~# cd tacacs+-F4.0.4.19


install packages ที่จำเป็นสำหรับ compile และ install tacacs

root@ubuntu10:~/tacacs+-F4.0.4.19#apt-get install flex bison libwrap0-dev gcc make libc6-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
...

config tacacs ก่อนติดตั้ง

root@ubuntu10:~/tacacs+-F4.0.4.19# ./configure --prefix /opt/tac-plus --with-acctfile=/var/log/tac_acc.log --with-logfile=/var/log/tac_plus.log --quiet

root@ubuntu10:~/tacacs+-F4.0.4.19# make install
...

ตรวจสอบ file หลัง install

root@ubuntu10:~/tacacs+-F4.0.4.19# ls -al /opt/tac-plus/bin/
total 276
drwxr-xr-x 2 root root 4096 2010-06-02 18:22 .
drwxr-xr-x 6 root root 4096 2010-06-02 18:22 ..
-rwxr-xr-x 1 root root 261484 2010-06-02 18:22 tac_plus
-rwxr-xr-x 1 root root 12264 2010-06-02 18:22 tac_pwd
root@ubuntu10:~/tacacs+-F4.0.4.19#

หลังจากติดตั้งอย่าลืม ldconfig
root@ubuntu10:~/tacacs+-F4.0.4.19#ldconfig


root@ubuntu10:~/tacacs+-F4.0.4.19# netstat -l 2>&1 | grep tac
tcp 0 0 *:tacacs *:* LISTEN
root@ubuntu10:~/tacacs+-F4.0.4.19#

สร้าง script file สำหรับ run tacacs
root@ubuntu10:~/tacacs+-F4.0.4.19#vi /opt/tac-plus/bin/tac_plus.sh
#!/bin/sh
# Wrapper used by /etc/init.d/tac_plus to launch the daemon with its
# configuration file. tac_plus detaches from the terminal on its own
# (its -G option is what would keep it in the foreground).
/opt/tac-plus/bin/tac_plus -C /etc/tac_plus.conf

กำหนด permission
root@ubuntu10:~/tacacs+-F4.0.4.19#chmod 755 /opt/tac-plus/bin/tac_plus.sh



สร้าง script สำหรับ start/stop program

root@ubuntu10:~/tacacs+-F4.0.4.19# vi /etc/init.d/tac_plus
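#!/bin/sh
# Start/stop the TACACS+ daemon (tac_plus) installed under /opt/tac-plus.
# Installed as /etc/init.d/tac_plus. "start" goes through the tac_plus.sh
# wrapper so the daemon is launched with -C /etc/tac_plus.conf; "stop" and
# "reload" address the tac_plus binary itself.
DAEMON=/opt/tac-plus/bin/tac_plus
WRAPPER=/opt/tac-plus/bin/tac_plus.sh

# Nothing to do if tac_plus was never installed.
test -f "$DAEMON" || exit 0

case "$1" in
start)
  # printf instead of "echo -n": /bin/sh on Ubuntu is dash, whose builtin
  # echo has no -n option and would print a literal "-n".
  printf 'Starting TACACS+ Daemon: tac_plus'
  start-stop-daemon --start --quiet --exec "$WRAPPER"
  echo "."
  ;;
stop)
  printf 'Stopping TACACS+ Daemon: tac_plus'
  start-stop-daemon --stop --quiet --exec "$DAEMON"
  echo "."
  ;;
restart)
  printf 'Restarting TACACS+ Daemon: tac_plus'
  # --retry waits for the old process to exit before the new one is
  # started, so the new daemon does not fail to bind its listening port
  # while the old one is still shutting down.
  start-stop-daemon --stop --quiet --retry 5 --exec "$DAEMON"
  start-stop-daemon --start --quiet --exec "$WRAPPER"
  echo "."
  ;;
reload)
  # SIGUSR1 is the signal this setup relies on to make tac_plus re-read
  # its configuration file.
  printf 'Reloading TACACS+ Configuration: tac_plus'
  start-stop-daemon --stop --signal USR1 --quiet --exec "$DAEMON"
  echo "."
  ;;
*)
  # Usage text names the script by its installed path (tac_plus, not tacacs).
  echo "Usage: /etc/init.d/tac_plus start|stop|restart|reload"
  exit 1
  ;;
esac
exit 0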


กำหนด permission
root@ubuntu10:~/tacacs+-F4.0.4.19# chmod 755 /etc/init.d/tac_plus

สร้าง link สำหรับ auto start program
root@ubuntu10:~/tacacs+-F4.0.4.19# ln -s ../init.d/tac_plus /etc/rc2.d/S92tac_plus
root@ubuntu10:~/tacacs+-F4.0.4.19# ln -s ../init.d/tac_plus /etc/rc3.d/S92tac_plus


สร้าง file config ของ tacacs
root@ubuntu10:~/tacacs+-F4.0.4.19# touch /etc/tac_plus.conf

กำหนด permission
root@ubuntu10:~/tacacs+-F4.0.4.19# chmod 600 /etc/tac_plus.conf


แก้ไข config file สำหรับ tacacs โดยสามารถ copy file ไปใช้งานได้เลย

root@ubuntu10:~/tacacs+-F4.0.4.19# vi /etc/tac_plus.conf
# /etc/tac_plus.conf -- shared key, accounting log, groups and users.
# Keep this file readable only by root: it holds the shared key and
# cleartext passwords.
# key: must match the "tacacs-server key" / tacplus-server secret on each client
key = telnethost
# Daemon-Log --> /var/log/tac_plus.log
# Logging of priv-15 commands
accounting file = /var/log/tac_acc.log

#enable account default: password used for "enable" when a user has no
#per-user enable password; stored in cleartext here
user = $enable$ {
login = cleartext "cisco"
}
# Group Account
# admin: everything permitted; exec sessions still start at priv-lvl 1,
# higher privilege is reached through enable
group = admin {
default service = permit
service = exec {
priv-lvl = 1
}
service = junos-exec {
allow-commands = "all"
}
}


# user: everything denied unless one of the cmd blocks below permits it
group = user {
default service = deny
service = exec {
priv-lvl = 1
}
cmd = show {
permit .*
}
cmd = ping {
permit .*
}
cmd = traceroute {
permit .*
}
cmd = logout {
permit .*
}
# only "configure terminal" is allowed; every other configure form is denied
cmd = configure {
permit "terminal"
deny .*
}
# the ip / no / interface regexes appear to limit this group to the
# flow-related forms of these commands -- verify against the intended set
cmd = ip {
permit "route-cache flow |flow ingress |flow egress "
}
cmd = interface {
permit "FastEthernet|Multilink|BVI|Serial|GigabitEthernet|Vlan"
}
cmd = no {
permit "route-cache flow |flow ingress |flow egress "
}
# NOTE(review): telnet with any argument lets this restricted group open
# sessions from the router to other hosts -- confirm that is intended
cmd = telnet {
permit .*
}
cmd = clear {
permit "arp|counter|nat"
deny .*
}
cmd = do {
# "couter" looks like a typo for "counter" -- verify
permit "run|sh|couter"
}
}

# DES-hashed login/enable passwords (tac_pwd from the install can produce them)
user = admindes {
login = des J6bHZh48sXJ3E
enable = des VC8o2ox/i5xMY
member = admin
}
# user group user
user = user {
login = cleartext "user"
member = user
}



ในส่วนของการสั่ง start/stop/restart program ทำได้ดังนี้

root@ubuntu10:~# /etc/init.d/tac_plus start

root@ubuntu10:~# /etc/init.d/tac_plus stop

root@ubuntu10:~# /etc/init.d/tac_plus restart


ตัวอย่าง config สำหรับ router

! Router-side AAA template for the tac_plus server configured above.
aaa new-model
!
! Method list "TACACS": ask the TACACS+ servers first and fall back to the
! local user database only when no server answers (not when one rejects).
!
aaa authentication login TACACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
! Fill in the server address and the key; the key must equal "key = ..."
! in /etc/tac_plus.conf.
tacacs-server host
tacacs-server directed-request
tacacs-server key
!
line con 0
exec-timeout 15 0
login authentication TACACS
! NOTE(review): aux 0 is not bound to the TACACS list, so it uses the
! default login method, which this template does not define -- confirm
line aux 0
line vty 0 4
exec-timeout 15 0
login authentication TACACS


Template for CatOS
#authentication
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication login tacacs disable http
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs disable http
!
#tacacs+
set tacacs server *TACACS server IP* primary
set tacacs attempts 2
set tacacs directedrequest enable
set tacacs key *TACACS server key*
set tacacs timeout 5

Juniper set statements:
set system authentication-order [ tacplus password ]
set system tacplus-server secret ""
set system tacplus-server source-address
set system accounting events [ login change-log interactive-commands]
set system accounting destination tacplus
# local user, when TACACS+ fails
set system login user fallback_user uid 2000
set system login user fallback_user class superuser
set system login user fallback_user authentication encrypted-password ""
# user remote must exist. Otherwise tacacs auth won't work.
set system login user remote full-name tacacs_user
set system login user remote uid 9999
set system login user remote class super-user
Hierarchical:
system {
authentication-order [ tacplus password ];
tacplus-server {
{
secret "";
source-address ;
}
}
accounting {
events [ login change-log interactive-commands ];
destination {
tacplus;
}
}
login {
user fallback_user {
uid 2000;
class superuser;
authentication {
encrypted-password "";
}
}
user remote {
full-name tacacs_user;
uid 9999;
class super-user;
}
}
}

========================


#ตัวอย่าง log file ใน /var/log/tac_plus.log

Thu Mar 5 23:27:35 2009 [11865]: session.peerip is 192.168.222.250
Thu Mar 5 23:27:35 2009 [11912]: connect from gate [192.168.222.250]
Thu Mar 5 23:27:40 2009 [11912]: login query for 'net_adm' tty0 from gate rejected
Thu Mar 5 23:27:40 2009 [11912]: login failure: net_adm gate (192.168.222.250) tty0
Thu Mar 5 23:27:42 2009 [11865]: session.peerip is 192.168.222.250
Thu Mar 5 23:27:42 2009 [11913]: connect from gate [192.168.222.250]
Thu Mar 5 23:27:49 2009 [11913]: login query for 'net_admin' tty0 from gate accepted
Thu Mar 5 23:27:49 2009 [11865]: session.peerip is 192.168.222.250
Thu Mar 5 23:27:49 2009 [11914]: connect from gate [192.168.222.250]
Thu Mar 5 23:27:52 2009 [11865]: session.peerip is 192.168.222.250
Thu Mar 5 23:27:52 2009 [11915]: connect from gate [192.168.222.250]
Thu Mar 5 23:27:53 2009 [11915]: enable query for 'net_admin' tty0 from gate accepted

#ตัวอย่าง log account /var/log/tac_acc.log

Thu Mar 5 23:36:18 2009 gate net_admin tty0 async start task_id=24 timezone=UTC service=shell
Thu Mar 5 23:36:41 2009 gate net_admin tty0 async stop task_id=24 timezone=UTC service=shell priv-lvl=15 cmd=configure terminal
Thu Mar 5 23:36:54 2009 gate net_admin tty0 async stop task_id=25 timezone=UTC service=shell priv-lvl=15 cmd=logging buffered
Thu Mar 5 23:37:07 2009 gate net_admin tty0 async stop task_id=24 timezone=UTC service=shell disc-cause=1 disc-cause-ext=9 pre-session-time=19 elapsed_time=49 stop_time=1014975481

Command line parameters
debian:/opt/tac-plus/bin# /opt/tac-plus/bin/tac_plus
Usage: tac_plus -C [-GghiLPstv] [-B ] [-d ] [-l ] [-p ] [-u ]
-G stay in foreground; do not detach from the tty
-g single thread mode
-h display this message
-i inetd mode
-L lookup peer addresses for logs
-P parse the configuration file and exit
-s refuse SENDPASS
-t also log to /dev/console
-v display version information

Debug values
8 authorisation debugging
16 authentication debugging
32 password file processing debugging
64 accounting debugging
128 config file parsing & lookup
256 packet transmission/reception
512 encryption/decryption
1024 MD5 hash algorithm debugging
2048 very low level encryption/decryption
--> 248 = 128 + 64 + 32 + 16 + 8