This post shows how to configure a TACACS+ server for system authentication in Juniper SRX with open source tac_plus software.

Brocade IronStack configuration
aaa authentication web-server default local
aaa authentication login default tacacs+ enable local
aaa authentication login privilege-mode
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
tacacs-server host
tacacs-server host
tacacs-server key NASKEYHERE
tacacs-server timeout 10
ip tacacs source-interface ve 998


Incoming search terms:

  • https://rndc box com/shared/static/ndhbqk7wa97kiodf1hevcl9q221qy3ji pd

This post shows how to configure a TACACS+ server for system authentication in Juniper Netscreen SSG with open source tac_plus software.

Juniper Netscreen SSG Configuration
set auth-server TACACS id 1
set auth-server TACACS server-name
set auth-server TACACS backup1 (optional)
set auth-server TACACS account-type admin
set auth-server TACACS type tacacs
set auth-server TACACS tacacs secret Tacacssecret1
set auth-server TACACS tacacs port 49
set admin auth server TACACS
set admin auth remote primary
set admin auth remote root
set admin privilege get-external

tac_plus configuration
key = Tacacssecret1
group = netscreen
service = netscreen
vsys = root
privilege = root
user = nmsns {
default service = permit
login = file /etc/passwd
member = netscreen

This post shows how to configure a TACACS+ server for system authentication in Juniper SRX with open source tac_plus software.

Juniper SRX configuration
Connect to SRX and enter configure mode
[email protected]% cli
[email protected]> configure
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode{primary:node1}[edit]
[email protected]#

Add a new TACACS+ server and set its IP address.
[email protected]#set tacplus-server address

Specify the shared secret (password) of the TACACS+ server.
[email protected]#set tacplus-server secret Tacacssecret1

Specify the device’s loopback address as the source address.
[email protected]#set tacplus-server source-address

Set for single connection authentication
[email protected]#set tacplus-server single-connection

Set authentication order
[email protected]# set system authentication-order tacplus
[email protected]# set system authentication-order password

Set accounting logging
[email protected]# set system accounting events login
[email protected]#set system accounting events change-log
[email protected]#set system accounting events interactive-commands
[email protected]#set system accounting destination tacplus

Verify configuration
[email protected]# show system tacplus-server
[email protected]# show system accounting

tac_plus configuration
key = Tacacssecret1
group = srx {
service = junos-exec
local-user-name = root

user = srxadmin {
default service = permit
login = file /etc/passwd
member = srx

Incoming search terms:

  • tac_plus juniper

The purpose of the tutorial is to setup an ads blocking using Bind9 DNS Server. Tutorial is divided into 2 section: Setup Pixelserv and Setup AdBlock script for Bind9.

1. Setup Pixelserv

Pixelserv is a super minimal webserver, it’s one and only purpose is serving a 1×1 pixel transparent gif file. We will redirect web requests, for adverts, to our pixelserv (running in the same bind9 server).

Install Pixelserv

cd /usr/local/bin/
curl > pixelserv
chmod 755 pixelserv

We now need a simple init script for starting/stopping pixelserv, as /etc/init.d/pixelserv.

#! /bin/sh
# /etc/init.d/pixelserv
# Carry out specific functions when asked to by the system
case "$1" in
echo "Starting pixelserv "
/usr/local/bin/pixelserv &
echo "Stopping script pixelserv"
killall pixelserv
echo "Usage: /etc/init.d/pixelserv {start|stop}"
exit 1

exit 0
chmod 755 /etc/init.d/pixelserv

Add pixelserv to startup

update-rc.d pixelserv defaults

Run pixelserv

/etc/init.d/pixelserv start


2. AdBlock for Bind9

Create new file, /etc/bind/

curl "" | sed 's/\/etc\/bind\/nullzonefile.txt/g' > ad-blacklist

Make it executable

chmod +x

Execute to download adservers file


Verify file content, make sure the path is changed from:

zone "" { type master; notify no; file ""; }; to zone "" { type master; notify no; file "/etc/bind/nullzonefile.txt"; };

Create adblock zone file, we named it as nullzonefile.txt

$TTL    86400   ; one day  
@       IN      SOA (
                    86400 )          
                A       $YOUR_DNS_SERVER_IP 
@       IN      A       $YOUR_DNS_SERVER_IP
*       IN      A       $YOUR_DNS_SERVER_IP

Reload bind9 configuration

rndc reload

Test your DNS Server

dig @localhost

Should returned your own server ip address.

The Best Ad Blocking Method

Using BIND to reduce ad server content

Incoming search terms:

  • bind9 block ads
  • adblock dns server image
  • adblocking dns
  • adblock dns ip address
  • adblock with bind9
  • dns bind adblock

This article will guide you step by step to get Bind DNS running.

Install Dependencies:

[email protected]:~# apt-get update
[email protected]:~# apt-get upgrade
[email protected]:~# apt-get install build-essential openssl libssl-dev libdb5.1-dev

Download Bind:

[email protected]:~# wget

Unpack Bind:

[email protected]:~# tar zxvf bind-9.9.7.tar.gz

Configure and then compile Bind9 source pre:

[email protected]:~# fakeroot ./configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var --enable-threads --enable-largefile --with-libtool --enable-shared --enable-static --with-openssl=/usr  --with-gnu-ld --with-dlz-postgres=no --with-dlz-mysql=no --with-dlz-bdb=yes --with-dlz-filesystem=yes  --with-dlz-stub=yes  CFLAGS=-fno-strict-aliasing --enable-rrl --enable-newstats

If compile success, you will see below screen:

Configuration summary:
Optional features enabled:
Multiprocessing support (--enable-threads)
Response Rate Limiting (--enable-rrl)
New statistics (--enable-newstats)
Print backtrace on crash (--enable-backtrace)
Use symbol table for backtrace, named only (--enable-symtable)
Dynamically loadable zone (DLZ) drivers:
Berkeley DB (--with-dlz-bdb)
Filesystem (--with-dlz-filesystem)
Stub (--with-dlz-stub)

Features disabled or unavailable on this platform:
GSS-API (--with-gssapi)
PKCS#11/Cryptoki support (--with-pkcs11)
Allow 'fixed' rrset-order (--enable-fixed-rrset)
Automated Testing Framework (--with-atf)
XML statistics (--with-libxml2)

Compile and install bind9:

[email protected]:~# make install

Last step, we need to manually create the /var/cache/bind directory:

[email protected]:~# mkdir /var/cache/bind

Start the service:

[email protected]:~# sudo /etc/init.d bind9 start

Hopefully, bind9 will start just fine.


Tell Bind9 to utilize DLZ (Dynamically Loadable Zones) using BDB.


Enable Response Rate Limiting, to limit DNS answer and help mitigate DNS amplification attacks



Option 1 – Quick and Dirty

You can quickly turn on logging by typing in the following into the server shell:

rndc querylog

Then you can follow the information in the standard syslog.

tail -f /var/log/syslog

You should see output like the following letting you know that queries are now logged:

Sep 14 22:23:20 ns01.companya.local named[7896]: query logging is now on

<h3>Option 2 – Full and Stored Logs</h3>
If you want to store full logs that you can go back to at a later date you’ll need to make some changes to the BIND configuration.

Logon to your shell as usual, and type the following:
nano /etc/bind/named.conf

Put in the following code at the bottom:

logging {
channel query.log {
file “/var/log/query.log”;
severity debug 3;
category queries { query.log; };

Now we need to create the log:

touch /var/log/query.log

Make it writable by the BIND process:

chown named.named /var/log/query.log

Give BIND a reboot:

service bind9 restart

And now you should be able to follow the queries as any other log:

tail -f /var/log/query.log


Incoming search terms:

  • bind log result of queries


Connect to xbian using ssh

Default username xbian password raspberry

Perform package update and upgrade

[email protected]:/home/xbian#apt-get update
[email protected]:/home/xbian#apt-get upgrade –y

Install xbian optimized transmission binary

[email protected]:/home/xbian#apt-get install -y -o Dpkg::Options::=”–force-confdef” -o Dpkg::Options::=”–force-confold” xbian-package-transmission


1. Default download location is at /home/xbian
2. Access webui via http://xbianip:9091
3. Default webui login admin password raspberry

It seems that Ubuntu/Debian (or perhaps other distros as well) prefer IPv6 DNS records instead of IPv4 when applicable and some times this results in loss of connectivity or similar problems.
I ran into this issue today while trying to update an old VPS with apt-get/aptitude. Specifically, was being resolved in an unreachable IPv6 address and I had to wait some minutes for timeout every time.
Fortunately, there is an easy fix for this; you just have to edit the file located at: /etc/gai.conf which is the configuration for getaddrinfo(). There you have to uncomment line ~54 which reads: “precedence ::ffff:0:0/96 100″, and you are all set! (assuming that every other option is commented out by default as in my case).



What is SSL Cipher Suite?
A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol

Below bash script gets a list of supported cipher suites from OpenSSL and tries to connect using each one. If the handshake is successful, it prints YES. If the handshake isn’t successful, it prints NO, followed by the OpenSSL error text.

#!/usr/bin/env bash

# OpenSSL requires the port number.
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
  echo YES
  if [[ "$result" =~ ":error:" ]] ; then
    error=$(echo -n $result | cut -d':' -f6)
    echo NO \($error\)
    echo $result
sleep $DELAY

Here’s sample output showing 3 unsupported ciphers, and 1 supported cipher:

[@linux ~]$ ./test_ciphers
Obtaining cipher list from OpenSSL 0.9.8k 25 Mar 2009.
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-SHA...YES


Posted in OS.


Received error “Could not bind UDP syslog input to address /, Failed to bind to: /, Address already in use” when adding log input using UDP 514 (default syslog port).


In UNIX/LINUX, assigned port 1024 and below require root privilege. Either you run graylog2 as root (not recommended) or follow below workaround.


1. Create new Syslog UDP inputs and listen to any port (ex: 5514).
2. Manipulate traffic using iptable:
iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 514 -j REDIRECT --to-ports 5514

Incoming search terms:

  • graylog Syslog UDP faild
  • syslog udp 514