Bash for sending and receiving raw IP packets

I stumbled across this feature during my bachelor studies:

echo "Hello World" > /dev/tcp/127.0.0.1/5000
echo "Hello World" > /dev/udp/127.0.0.1/5000

You need to be root (obviously) and it's supported in the bash environment - but not on all systems. You can also cat from the ports and use DNS addresses. It's neat to just get a byte out :).

And if you need something more sophisticated, be sure to use the good old netcat ("nc").
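As an added example (my code, not from the original post): two small helpers around bash's /dev/tcp pseudo-device. tcp_probe answers "is this port reachable?" and tcp_exchange sends one payload and prints the peer's reply, which is the "get a byte out" use case above done both ways. Both need bash (dash and other POSIX shells treat /dev/tcp/... as an ordinary, non-existent path) and use coreutils' `timeout` when it is present, so a filtered port cannot hang the calling script. Host, port and payload are whatever you pass in.

```shell
# Run "$@" under a time limit of $1 seconds if `timeout` exists, else unbounded.
_bounded() {
    secs=$1; shift
    if command -v timeout >/dev/null 2>&1; then timeout "$secs" "$@"; else "$@"; fi
}

# tcp_probe HOST PORT [SECONDS] -> 0 if a TCP connect succeeds, non-zero otherwise.
# The connect happens in a child bash, so a failed `exec` redirection can never
# take the calling shell down with it; nothing is sent on the connection.
tcp_probe() {
    case $2 in ''|*[!0-9]*) echo "tcp_probe: bad port '$2'" >&2; return 2;; esac
    _bounded "${3:-3}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# tcp_exchange HOST PORT PAYLOAD [SECONDS] -> prints whatever the peer answers
# before it closes. printf %b expands \r\n escapes in the payload, so a
# line-based request fits in one argument, e.g.
#   tcp_exchange HOST 80 'HEAD / HTTP/1.0\r\nHost: HOST\r\n\r\n'
# If the peer never closes, the timeout ends the read (exit status 124).
tcp_exchange() {
    _bounded "${4:-3}" bash -c '
        exec 3<>"/dev/tcp/$0/$1" || exit 1   # $0 = host, $1 = port (see args below)
        printf "%b" "$2" >&3                 # write the request
        cat <&3                              # read until the peer closes or timeout fires
        exec 3>&-
    ' "$1" "$2" "$3" 2>/dev/null
}
```

Because /dev/tcp is a bash feature and not a real device node, the same redirection in a script run by /bin/sh on Debian or Ubuntu (dash) fails with "No such file or directory", which is the "not on all systems" caveat above.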

[Dell] T30 Intel AMT Blank Screen on Ubuntu Fix

The Dell T30 is an awesome little home server, packing a punch with the Xeon E3-1225 V5 - and being affordable at about 399 €. It also comes with Intel's Active Management Technology / AMT, which is an extension of the horrible Intel Management Engine (which was all over the place months ago when some genius figured out how to stop that man-in-the-middle-always-on chip with some simple commands) - but quite useful nonetheless. The good thing about it is that it acts like a DRAC (Dell) / ILOM (Sun) / IPMI (Supermicro) card - so it is a KVM (Keyboard Video Mouse, not the virtualization thingy this time, sorry ;)) extension which allows you to control the server via network as if you were plugged in directly.

There is an awesome guide from Christian on goNeuland, written in German, on how to set up that thing without the need to buy VNC Viewer Plus.

However, my Ubuntu instance came up as a blank screen after successfully connecting to the system. In the end, that turned out to be because Ubuntu had deactivated the graphics unit, as no monitor was attached.

Different solutions were talked about here, here and here.

In my case, the following helped:

1.) Open your grub config file, i.e. sudo vi /etc/default/grub

2.) Add nomodeset to your GRUB_CMDLINE_LINUX_DEFAULT line, so that it would read i.e. GRUB_CMDLINE_LINUX_DEFAULT="reboot=force bootdegraded=true nomodeset" (your parameters will vary!)

3.) Save and close the file

4.) Update grub via sudo update-grub

And after a quick reboot, everything worked out :)!
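As an added example (my code, not from the original post): an idempotent version of steps 1 to 4. add_grub_param appends a kernel parameter to GRUB_CMDLINE_LINUX_DEFAULT only if it is not already there as a whole word, so re-running it after an upgrade cannot pile up duplicate "nomodeset" entries, and it leaves GRUB_CMDLINE_LINUX and every other line alone. It edits whatever file you name (the real one is /etc/default/grub) with GNU sed; update-grub is only called when you pass --apply.

```shell
# add_grub_param FILE PARAM
# PARAM is a plain kernel parameter such as nomodeset (no "/" or "&" in it).
add_grub_param() {
    file=$1 param=$2
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        # line missing entirely: create it with just our parameter
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$param" >> "$file"
    elif grep -Eq "^GRUB_CMDLINE_LINUX_DEFAULT=\"([^\"]* )?$param( [^\"]*)?\"" "$file"; then
        # already present as a whole word inside the quotes: nothing to do
        return 0
    elif grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=""' "$file"; then
        # empty value: insert without a leading space
        sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"\"/GRUB_CMDLINE_LINUX_DEFAULT=\"$param\"/" "$file"
    else
        # keep whatever is already inside the quotes and append ours
        sed -i "s/^\(GRUB_CMDLINE_LINUX_DEFAULT=\"[^\"]*\)\"/\1 $param\"/" "$file"
    fi
}

# real run (step 4 included): sudo sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    add_grub_param /etc/default/grub nomodeset && update-grub
fi
```

The whole-word check matters: a naive `grep nomodeset` would also match an unrelated parameter that merely contains the string, and a blind append would double the entry every time the script runs.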

[Dell] PowerConnect 2824 Switch

The Dell PowerConnect 2824 is an oldie but goldie 24 port Gigabit managed switch (with ports 23/24 being shared ports like on the Cisco 3560 PoE 8 - which have Gigabit copper ports as well as SFP ports - but you can only use one at a time :)).

You can get them for about 80 € delivered on eBay as used products; they are quality-wise very good and have a reasonable (although ugly) web interface as well as SNMP and the usual stuff. They can work as a managed or unmanaged switch, which can be switched via the "Mode" button on the front (holding it for less than 7 seconds during operation switches the mode, longer than that -> reset).

To clean a newly acquired switch:

  • Connect to the serial port via null modem cable, 9600, 8, None - the usual
  • Power-cycle the switch
  • An "Autoboot in 2 seconds" prompt will show up. Press ESC during that time to enter a special menu
  • Enter 2 for "Erase flash file" and enter config to delete the config file. Press ESC to exit and boot
  • You will see that the switch boots in unmanaged mode, and the "Managed" LED will turn off. Now press the Mode button for about 5 seconds, and it will turn to managed mode
  • You can now set up the switch via the serial console, or just wait 60 seconds for it to start up with the default values: 192.168.2.1 as HTTP interface and admin as username - no password

The latest firmware for this switch, 1.0.0.45, A07 (more exactly Software Version 1.0.0.45 / Boot Version 1.0.0.13), can be downloaded here: http://www.dell.com/support/home/us/en/04/product-support/product/powerconnect-2824/drivers - you can update this firmware via TFTP or the web interface; you will find the option under System -> File Management -> File Download and need to switch to "Download via HTTP" to upload the firmware files (Boot Code = rfb, Software Image = ros) via the web interface, then reboot / reset the switch (System -> General -> Reset).

One word of advice if you want to use this system with VLANs - which works a treat: Switch -> VLAN -> VLAN Membership. Choose your VLAN ID, give it a name and then click the ports in the switch picture to set them to the correct mode. A plain grey field means nothing, T means the VLAN comes on this port as VLAN tagged, U means untagged.

To put this into perspective: grey - no connection, U - this port can directly be connected to a PC or other equipment and gets the VLAN as native / vanilla LAN on its port, T - it is tagged and good for transporting multiple VLANs, i.e. trunks.

Trunk config would look like this, e.g. for port 3 of the switch. With 3 VLANs, I would go to my native VLAN 1 and set it to U, VLAN 2 to T and VLAN 3 to T. From then on, I have VLAN 1 as native VLAN on the port and 2 and 3 tagged - and with that a nice little trunk to e.g. my server.

Configuration-wise, the switch has some sensible defaults like Rapid Spanning Tree on all ports and Green Ethernet enabled. You should maybe remove all community strings from SNMP and disable it if you are not going to use it, and set a secure password. Other than that, good to go :)!

[Freifunk] Upgrade Virtual Freifunk Router on VMWare ESXi 6.5

As I mentioned earlier, I use a virtual Freifunk router as part of my mobile infrastructure / server. With this little VM, I can actually run a big-area Freifunk network with lots of users without having to invest in new TP-Link access points: I am running the VM, outputting the Freifunk LAN to a designated VLAN and using old spare access points as dumb "media converters" (LAN to WiFi ;)).

But, as I only use this appliance every now and then for different kinds of conventions and conferences, I need to upgrade the appliance manually to get it straight to the latest version without waiting or reinstalling (and dropping the VPN key...).

Actually, that is quite simple in VMware: just go to the terminal of said VM and get started. Well. Ok, stop! Before you do that, just remember: you're on a VM. You have no excuse at all for not making a backup - so just shut down your VM, make a snapshot, then turn it back on - and get started. Better safe than sorry ;)!

First, we're going to install wget with SSL support:

opkg update
opkg install wget

Then we need to find the latest version of our Freifunk firmware - as a sysupgrade package. I used gluon-fftr-0.8.4-x86-vmware.vmdk to install the VM, so I need an x86-generic-sysupgrade.img.gz :). I found that thing here: https://github.com/freifunktrier/firmware_store/tree/master/firmware/stable/sysupgrade . However, please bear in mind to use the image from YOUR Freifunk provider ;). Try to download the image, get to the "RAW FILE" link on GitHub and use it to download the file to your VM:

cd /tmp
wget -O sysupgrade.img.gz  https://github.com/freifunktrier/firmware_store/blob/master/firmware/stable/sysupgrade/gluon-fftr-0.8.6+jenk_tackin-x86-generic-sysupgrade.img.gz?raw=true

After that, apply the upgrade and reboot:

sysupgrade -v /tmp/sysupgrade.img.gz
reboot
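As an added example (my code, not from the original post and not a Freifunk project tool): the same download-then-sysupgrade flow, but with two checks in between that I would not skip on a box that meshes into a public network. verify_image first confirms the file is an intact gzip stream (a truncated wget leaves a half-written .img.gz behind) and then compares its SHA-256 against a digest you obtained out of band, e.g. from your Freifunk team's firmware store. The URL and EXPECTED_SHA256 are placeholders; the test below builds its own small gzip file, so no real digest from the page is involved. Everything used (wget, gzip, sha256sum, cut) is in BusyBox on Gluon/OpenWrt as well as in coreutils.

```shell
# verify_image FILE EXPECTED_SHA256 -> 0 only if FILE is valid gzip AND its
# SHA-256 matches; prints the reason on stderr otherwise.
verify_image() {
    file=$1 expected=$2
    gzip -t "$file" 2>/dev/null || { echo "not a valid gzip stream: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "digest mismatch: got $actual, wanted $expected" >&2; return 1; }
}

# fetch_and_upgrade URL EXPECTED_SHA256
# Downloads to /tmp (RAM on Gluon, gone after the reboot), verifies, and only
# then hands the image to sysupgrade, which reboots the router on success.
fetch_and_upgrade() {
    url=$1 expected=$2 img=/tmp/sysupgrade.img.gz
    wget -O "$img" "$url" || { echo "download failed" >&2; return 1; }
    verify_image "$img" "$expected" || { rm -f "$img"; return 1; }
    sysupgrade -v "$img"
}

# usage (placeholders, not real values):
#   fetch_and_upgrade 'https://.../x86-generic-sysupgrade.img.gz?raw=true' EXPECTED_SHA256
```

The digest has to come from somewhere other than the download itself (the firmware store listing, a signed release note, your Freifunk team); checking a hash you fetched over the same connection only proves the transfer was not corrupted, not that you got the image they published.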

And that's it :)!

Thanks a lot again to Freifunk Trier for supporting my project :).

[Ubuntu / Proxmox] Hosting NFSv3 Server on Ubuntu for Proxmox Server

So, yesterday evening y0sh came to me with the following problem: "I got a real nice Proxmox server with loads of CPU and RAM - and nearly no storage left. And I got a small little Atom server with loads of storage - but not very useful as a VM host - and yes, they are within the same network". Ok, so: let's create an NFSv3 server on the Atom system and mount it as disk storage within Proxmox 🙂

# Atom Server (Ubuntu)
# Install NFS v3 Server
sudo apt-get install nfs-kernel-server rpcbind
# Create Shared Directories
sudo mkdir -p /var/nfsshare
sudo chmod -R 777 /var/nfsshare
# Configure Server
sudo vi /etc/exports
# Insert the line into exports, with the IP Address of your NFS Client / Proxmox Server
/var/nfsshare 192.168.1.111(rw,sync,no_root_squash)
# save and exit, fine tuning:
sudo vi /etc/default/nfs-kernel-server
# change the line RPCMOUNTDOPTS to
RPCMOUNTDOPTS="--manage-gids --no-nfs-version 4"
# to use nfs v3 ...
# reload the nfs exports...
sudo exportfs -r
# ...or restart the server
sudo /etc/init.d/nfs-kernel-server restart
# show all shared directories
sudo exportfs -v

# Mount NFS in Proxmox
Go to Datacenter, Storage, Add, NFS
IP:
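As an added example (my code, not from the original post): a small lint for /etc/exports that flags the two settings most often regretted later, exports to every host ("*" or an empty host field, which NFS also reads as "everyone") and no_root_squash, which lets root on the client act as root on the exported tree. Run against the exports line above it reports the no_root_squash entry, so you see at a glance that the share is wide open to whoever holds root on 192.168.1.111 (which is exactly what Proxmox needs, but it should be a conscious decision). The sample exports file in the test is constructed for the demonstration.

```shell
# audit_exports FILE -> prints one finding per line, returns the number of
# findings (0 means clean). Understands the usual "/path host(opts) host(opts)"
# layout and skips blank and comment lines.
audit_exports() {
    n=0
    set -f    # the host field may be "*": keep it literal instead of globbing the cwd
    while read -r path specs; do
        case $path in ''|\#*) continue;; esac
        for spec in $specs; do
            host=${spec%%\(*}                      # part before "("
            opts=${spec#*\(}; opts=${opts%\)}      # part between "(" and ")"
            [ "$spec" = "$host" ] && opts=""       # no parentheses at all: default options
            if [ -z "$host" ] || [ "$host" = "*" ]; then
                echo "$path: exported to every host ($spec)"; n=$((n+1))
            fi
            case ",$opts," in
                *,no_root_squash,*) echo "$path: no_root_squash for ${host:-everyone}"; n=$((n+1));;
            esac
        done
    done < "$1"
    set +f
    return $n
}

# real run: audit_exports /etc/exports
```

The "(rw)" written with a space after the path is a classic typo worth knowing: `/srv (rw)` is not "no host", it is every host with rw, which is why an empty host field is flagged as well.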

[Freifunk] Virtual Freifunk Router on VMWare ESXi 4.1

This post was planned a LONG TIME ago, however - due to the fact that I could not get it working back in 2015 (see: https://github.com/freifunk-gluon/gluon/issues/496) - it had been delayed. However, as I have the need to get Freifunk working as a VM on a central ESXi server - I tried it again - and it worked! Basic instructions to get it working can be found here in German: https://www.it-kl.eu/2015/08/gluon-x86-unter-vmware/

I have the following equipment: an ESXi 4.1 server with multiple NICs.
Start by getting the right image from your Freifunk team. I got gluon-fftr-0.8.4-x86-vmware.vmdk from the firmware store of my trusted guys from FFTR (https://github.com/freifunktrier/firmware_store/tree/master/firmware/stable/factory [ Trier 0.8.4 is gluon 2016.1.6-3-g9300421, it's just 2016.1.6 + ee597c6 + Webinterface-color-patches ] )
After that, create a new VM on your VMware ESXi server. Choose a user-defined configuration, "Other" OS and "Other (32-Bit)" version. I gave the VM 1 vCPU and 512 MB of RAM - but you can choose as you like. After that, you need to create two network devices / NICs. I chose two E1000 ones, gave the first interface the Freifunk LAN and added the second interface to my common WAN (IMPORTANT!). Do not create an HDD at this point.
After the creation of the VM, upload your vmdk file to the VM's folder, edit the VM and choose the uploaded VMDK as hard drive.

On your ESXi server, go to Configuration, Network and edit your vSwitch. Allow Promiscuous Mode, MAC Address Changes and Forged Transmits.

After that, go to Configuration, Software, Advanced Settings - to the "Net" section and change Net.ReversePathFwdCheckPromisc to 1 (thanks to FFS-Roland for helping out! :))

After that, you can start up your VM. You should get DHCP on your FFLAN port - something like a 192.168.1.x address. Go to 192.168.1.1 in your browser, give your router a name, enable Mesh VPN (important!) and maybe change the bandwidth settings. Save and mail your VPN key to your Freifunk team. In some hours, you should be good to go (the key added to their system - and after a quick reboot of your VM, you should be live :))

Thanks a lot to Draco and Ranlvor from Freifunk Trier for their tremendous help :)!

Cisco Prime Infrastructure 3.1 Cheat Sheet

A little cheat sheet for myself. All commands can be used via SSH or shell:

Show Config: show run
Show Inventory: show inventory (Shows e.g. how many CPUs and how much RAM are installed. This normally matches the sizing of the Cisco Prime version, e.g. 8 vCPUs and 16 GB RAM -> Express Plus type)

Show status of prime: ncs status

Backup OS and Application: backup PI311 repository defaultRepo
Backup Application only: backup PI311appOnly repository defaultRepo application NCS

Activate OS Shell: shell

Locations of different files
defaultRepo: /localdisk/defaultRepo
Config: /storedconfig
License Files: /opt/CSCOlumos/licenses

To transfer the backup files to a safe place, just use scp :).

[Ubuntu] Radsecproxy for secure RADIUS over WAN

Chances are you're going to need RADIUS auth over WAN - because your RADIUS and identity management is hosted in the security of your corp's local datacenter... but the client (i.e. a network switch) is somewhere over the rainbow WAN. You *could* just pipe the RADIUS traffic over the internet - but there be dragons: RADIUS communication is unencrypted. So... just no.

Enter radsecproxy: radsecproxy is - as the name implies - a RADIUS proxy which needs to be installed on both servers (the local one in your company, from now on called SERVER, and the remote one with the switch attached, from now on called CLIENT) - and encrypts the communication between both parts (i.e. over the WAN) via TLS.

1.) Install radsecproxy on the Server ( sudo apt-get install radsecproxy )
2.) Create a CA with generate-CA.sh (in /etc/radsecproxy/) [ https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh - please change keybits to 4096 bits, thanks! ]
3.) Create certs (server, client) with generate-client.sh (in /etc/radsecproxy/) [ at the end of this post, http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt - please change keybits to 4096 bits as well! 🙂 ]
4.) Configure /etc/radsecproxy.conf [UPPERCASE words are constants which you need to change]

# Master config file for radsecproxy
sourceTLS IPADDR_OF_SERVER
listenTLS IPADDR_OF_SERVER:2083

LogLevel 3
LogDestination file:///var/log/radsecproxy/radsecproxy.log

LoopPrevention on

tls default {
CACertificateFile /etc/radsecproxy/ca.crt
CertificateFile /etc/radsecproxy/SERVER_NAME_FQDN.crt
CertificateKeyFile /etc/radsecproxy/SERVER_NAME_FQDN.key
}

client CLIENT_NAME {
host IPADDR_OF_CLIENT
type tls
certificatenamecheck off
secret PW_OF_CLIENT_RADSEC
}

server SERVER_NAME_auth {
host IPADDR_OF_SERVER:1812
type udp
StatusServer on
secret PW_OF_SERVER_FOR_RADIUS
}

server SERVER_NAME_acct {
host IPADDR_OF_SERVER:1813
type udp
StatusServer on
secret PW_OF_SERVER_FOR_RADIUS
}

realm * {
server SERVER_NAME_auth
accountingserver SERVER_NAME_acct
}

# example config for localhost, rejecting all users
client 127.0.0.1 {
type udp
secret TEST_SECRET
}

realm * {
replymessage "User unknown"
}

5.) sudo service radsecproxy restart

6.) Install radsecproxy on Client ( sudo apt-get install radsecproxy )
7.) Copy client cert and ca.crt to Client /etc/radsecproxy
8.) Configure /etc/radsecproxy.conf [UPPERCASE words are constants which you need to change]

#sourceUDP 127.0.0.1
sourceUDP IPADDR_OF_CLIENT
listenUDP *:1812
listenUDP *:1813

LogLevel 3
LogDestination file:///var/log/radsecproxy/radsecproxy.log

LoopPrevention on

tls default {
CACertificateFile /etc/radsecproxy/ca.crt
CertificateFile /etc/radsecproxy/CLIENT_NAME_FQDN.crt
CertificateKeyFile /etc/radsecproxy/CLIENT_NAME_FQDN.key
}

client CLIENT_NAME {
#host 127.0.0.1
host IPADDR_OF_CLIENT
type udp
secret CLIENT_RADIUS_SECRET
}

client SWITCH_NAME {
host SWITCH_IP
type udp
secret SWITCH_RADIUS_SECRET
}

server SERVER_NAME {
certificatenamecheck off
host IPADDR_OF_SERVER
type tls
StatusServer on
secret PW_OF_CLIENT_RADSEC
}

realm * {
server SERVER_NAME
accountingserver SERVER_NAME
}

# example config for localhost, rejecting all users
client 127.0.0.1 {
type udp
secret TEST_SECRET
}

realm * {
replymessage "User unknown"
}

9.) sudo service radsecproxy restart
10.) If you now point your switches to the CLIENT_IP with the correct credentials, the requests should go via radsecproxy to your main RADIUS server and authentication should work. Please pay attention that on your CLIENT side no radiusd daemon is allowed to run, as it would block the ports needed for radsecproxy / RADIUS. Make use of the radsecproxy log files to see whether the two radsecproxy instances connect and talk to each other :).

[Ubuntu] Freeradius: Improve Uptime

As a network admin, you're going to have at least one FreeRADIUS running, mostly for 802.1X authentication. At my place the problem arose that the service was down too often - for different reasons.

1.) Logrotate
If you're using logrotate, you should check out /etc/logrotate.d/freeradius:

/var/log/freeradius/*.log {
weekly
rotate 52
compress
delaycompress
notifempty
missingok
postrotate
invoke-rc.d freeradius reload >/dev/null 2>&1 || true
endscript
}

Logrotate restarts FreeRADIUS via reload after it has swapped the logs, which often results in a crash or race condition (FreeRADIUS does not shut down fast enough, and the restarting process thinks there is already one running process - and both terminate). So to change that, you should stop the process, wait, and start it again.

/var/log/freeradius/*.log {
weekly
rotate 52
compress
delaycompress
notifempty
missingok
postrotate
invoke-rc.d freeradius stop >/dev/null 2>&1 || true
sleep 5
invoke-rc.d freeradius start >/dev/null 2>&1 || true
endscript
}
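As an added example (my code, not from the original post): the postrotate above pauses a fixed five seconds between stop and start. A fixed sleep is a guess at how long the shutdown takes, so the race is narrowed but not closed. The helper below instead waits until the pid from FreeRADIUS's pidfile has actually gone away (bounded by a timeout) and refuses to start a second copy while the old one is still alive. The invoke-rc.d calls and the pidfile path are the ones the post uses; the function names are mine.

```shell
PIDFILE=/var/run/freeradius/freeradius.pid

# wait_for_exit PID TIMEOUT_SECONDS -> 0 once the process is gone, 1 on timeout.
# kill -0 only checks existence; it sends no signal.
wait_for_exit() {
    pid=$1 deadline=$(( $(date +%s) + $2 ))
    while kill -0 "$pid" 2>/dev/null; do
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 1
    done
    return 0
}

# restart_freeradius -> stop, wait for the old pid to disappear, then start.
# Returns start's exit status, or 1 if the old daemon refused to die in time.
restart_freeradius() {
    pid=$(cat "$PIDFILE" 2>/dev/null || true)
    invoke-rc.d freeradius stop >/dev/null 2>&1 || true
    if [ -n "$pid" ] && ! wait_for_exit "$pid" 30; then
        echo "freeradius pid $pid still alive after 30s, not starting a second copy" >&2
        return 1
    fi
    invoke-rc.d freeradius start >/dev/null 2>&1
}

# In logrotate, the postrotate block then becomes a single call to this script:
#   postrotate
#       /usr/local/sbin/restart-freeradius.sh >/dev/null 2>&1 || true
#   endscript
```

If the daemon is not running at all, there is no pid to wait for and the script simply starts it, which is the behaviour you want when logrotate fires right after a crash.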

2.) Monit
monit is a monitoring program which checks whether a service is still running.
Install via: sudo apt-get install monit
Configure:

vi /etc/monit/conf.d/freeradius

check process freeradius with pidfile "/var/run/freeradius/freeradius.pid"
start program "/etc/init.d/freeradius start"
stop program "/etc/init.d/freeradius stop"
if failed host 127.0.0.1 port 1812 type udp protocol radius secret RADIUSSECRET then alert
if failed host 127.0.0.1 port 1813 type udp protocol radius secret RADIUSSECRET then alert
if 5 restarts within 5 cycles then timeout

sudo service monit restart

You should change RADIUSSECRET to the one of your FreeRADIUS.