This post shows how to configure a TACACS+ server for system authentication in Juniper SRX with open source tac_plus software.

Brocade IronStack configuration
aaa authentication web-server default local
aaa authentication login default tacacs+ enable local
aaa authentication login privilege-mode
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
tacacs-server host 10.14.14.55
tacacs-server host 10.18.15.145
tacacs-server key NASKEYHERE
tacacs-server timeout 10
ip tacacs source-interface ve 998

reference: http://www1.brocade.com/downloads/documents/html_product_manuals/FI_ICX6650_07500_SCG/wwhelp/wwhimpl/common/html/wwhelp.htm#context=Security-converted&file=FI_Security.03.6.html

This post shows how to configure a TACACS+ server for system authentication in Juniper Netscreen SSG with open source tac_plus software.

Juniper Netscreen SSG Configuration
set auth-server TACACS id 1
set auth-server TACACS server-name 192.168.1.100
set auth-server TACACS backup1 192.168.1.200 (optional)
set auth-server TACACS account-type admin
set auth-server TACACS type tacacs
set auth-server TACACS tacacs secret Tacacssecret1
set auth-server TACACS tacacs port 49
set admin auth server TACACS
set admin auth remote primary
set admin auth remote root
set admin privilege get-external

tac_plus configuration
key = Tacacssecret1
group = netscreen
{
service = netscreen
{
vsys = root
privilege = root
}
}
user = nmsns {
default service = permit
login = file /etc/passwd
member = netscreen
}

This post shows how to configure a TACACS+ server for system authentication in Juniper SRX with open source tac_plus software.

Juniper SRX configuration
Connect to SRX and enter configure mode
[email protected]% cli
{primary:node1}
[email protected]> configure
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode{primary:node1}[edit]
[email protected]#

Add a new TACACS+ server and set its IP address.
[email protected]#set tacplus-server address 172.16.98.24

Specify the shared secret (password) of the TACACS+ server.
[email protected]#set tacplus-server 172.16.98.24 secret Tacacssecret1

Specify the device’s loopback address as the source address.
[email protected]#set tacplus-server 172.16.98.24 source-address 10.0.0.1

Set for single connection authentication
[email protected]#set tacplus-server 172.16.98.24 single-connection

Set authentication order
[email protected]# set system authentication-order tacplus
[email protected]# set system authentication-order password

Set accounting logging
[email protected]# set system accounting events login
[email protected]#set system accounting events change-log
[email protected]#set system accounting events interactive-commands
[email protected]#set system accounting destination tacplus

Verify configuration
[email protected]# show system tacplus-server
[email protected]# show system accounting

tac_plus configuration
key = Tacacssecret1
group = srx {
service = junos-exec
{
local-user-name = root
}
}

user = srxadmin {
default service = permit
login = file /etc/passwd
member = srx
}

Incoming search terms:

  • how to add tacacs to junos
  • tacacs accounting
  • tacacs logs juniper

The purpose of the tutorial is to setup an ads blocking using Bind9 DNS Server. Tutorial is divided into 2 section: Setup Pixelserv and Setup AdBlock script for Bind9.
adblock

1. Setup Pixelserv

Pixelserv is a super minimal webserver, it’s one and only purpose is serving a 1×1 pixel transparent gif file. We will redirect web requests, for adverts, to our pixelserv (running in the same bind9 server).

Install Pixelserv

cd /usr/local/bin/
curl http://proxytunnel.sourceforge.net/files/pixelserv.pl.txt > pixelserv
chmod 755 pixelserv

We now need a simple init script for starting/stopping pixelserv, as /etc/init.d/pixelserv.

#! /bin/sh
# /etc/init.d/pixelserv
#
# Carry out specific functions when asked to by the system
case "$1" in
start)
echo "Starting pixelserv "
/usr/local/bin/pixelserv &
;;
stop)
echo "Stopping script pixelserv"
killall pixelserv
;;
*)
echo "Usage: /etc/init.d/pixelserv {start|stop}"
exit 1
;;
esac

exit 0
chmod 755 /etc/init.d/pixelserv

Add pixelserv to startup

update-rc.d pixelserv defaults

Run pixelserv

/etc/init.d/pixelserv start

bind9

2. AdBlock for Bind9

Create new file, /etc/bind/update.sh

curl "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=bindconfig&showintro=0&mimetype=plaintext" | sed 's/null.zone.file/\/etc\/bind\/nullzonefile.txt/g' > ad-blacklist

Make it executable

chmod +x update.sh

Execute update.sh to download adservers file

./update.sh

Verify file content, make sure the path is changed from:

zone "24pm-affiliation.com" { type master; notify no; file "null.zone.file"; }; to zone "24pm-affiliation.com" { type master; notify no; file "/etc/bind/nullzonefile.txt"; };

Create adblock zone file, we named it as nullzonefile.txt

$TTL    86400   ; one day  
@       IN      SOA     ads.example.com. hostmaster.example.com. (
               2014090102
                    28800
                     7200
                   864000
                    86400 )          
                NS      my.dns.server.org          
                A       $YOUR_DNS_SERVER_IP 
@       IN      A       $YOUR_DNS_SERVER_IP
*       IN      A       $YOUR_DNS_SERVER_IP

Reload bind9 configuration

rndc reload

Test your DNS Server

dig @localhost 24pm-affiliation.com

Should returned your own server ip address.

Reference:
https://charlieharvey.org.uk/page/adblocking_with_bind_apache
The Best Ad Blocking Method
http://box.matto.nl/dnsadblok.html
http://www.deer-run.com/~hal/sysadmin/dns-advert.html

Using BIND to reduce ad server content

Incoming search terms:

  • bind9 block ads
  • ad block DNS ipv6 server
  • ad blocking with your own dns
  • adblock bind hosts
  • bind adblock
  • ipv6 dns server adblock

This article will guide you step by step to get Bind DNS running.

Install Dependencies:

[email protected]:~# apt-get update
[email protected]:~# apt-get upgrade
[email protected]:~# apt-get install build-essential openssl libssl-dev libdb5.1-dev

Download Bind:

[email protected]:~# wget ftp://ftp.isc.org/isc/bind9/9.9.7/bind-9.9.7.tar.gz

Unpack Bind:

[email protected]:~# tar zxvf bind-9.9.7.tar.gz

Configure and then compile Bind9 source pre:

[email protected]:~# fakeroot ./configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var --enable-threads --enable-largefile --with-libtool --enable-shared --enable-static --with-openssl=/usr  --with-gnu-ld --with-dlz-postgres=no --with-dlz-mysql=no --with-dlz-bdb=yes --with-dlz-filesystem=yes  --with-dlz-stub=yes  CFLAGS=-fno-strict-aliasing --enable-rrl --enable-newstats

If compile success, you will see below screen:

========================================================================
Configuration summary:
------------------------------------------------------------------------
Optional features enabled:
Multiprocessing support (--enable-threads)
Response Rate Limiting (--enable-rrl)
New statistics (--enable-newstats)
Print backtrace on crash (--enable-backtrace)
Use symbol table for backtrace, named only (--enable-symtable)
Dynamically loadable zone (DLZ) drivers:
Berkeley DB (--with-dlz-bdb)
Filesystem (--with-dlz-filesystem)
Stub (--with-dlz-stub)

Features disabled or unavailable on this platform:
GSS-API (--with-gssapi)
PKCS#11/Cryptoki support (--with-pkcs11)
Allow 'fixed' rrset-order (--enable-fixed-rrset)
Automated Testing Framework (--with-atf)
XML statistics (--with-libxml2)
========================================================================

Compile and install bind9:

[email protected]:~# make install

Last step, we need to manually create the /var/cache/bind directory:

[email protected]:~# mkdir /var/cache/bind

Start the service:

[email protected]:~# sudo /etc/init.d bind9 start

Hopefully, bind9 will start just fine.

Explanation:

Tell Bind9 to utilize DLZ (Dynamically Loadable Zones) using BDB.

--with-dlz-postgres=no
--with-dlz-mysql=no
--with-dlz-bdb=yes
--with-dlz-filesystem=yes

Enable Response Rate Limiting, to limit DNS answer and help mitigate DNS amplification attacks

--enable-rrl

Readings:
https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
https://nlnet.nl/project/bind-dlz/200205-sane/paper.html
http://bind-dlz.sourceforge.net/

Incoming search terms:

  • Bind dlz mysql configuration
  • debian bind9
  • enable-largefile bind

Option 1 – Quick and Dirty

You can quickly turn on logging by typing in the following into the server shell:

rndc querylog

Then you can follow the information in the standard syslog.

tail -f /var/log/syslog

You should see output like the following letting you know that queries are now logged:

Sep 14 22:23:20 ns01.companya.local named[7896]: query logging is now on

<h3>Option 2 – Full and Stored Logs</h3>
If you want to store full logs that you can go back to at a later date you’ll need to make some changes to the BIND configuration.

Logon to your shell as usual, and type the following:
nano /etc/bind/named.conf

Put in the following code at the bottom:

logging {
channel query.log {
file “/var/log/query.log”;
severity debug 3;
};
category queries { query.log; };
};

Now we need to create the log:

touch /var/log/query.log

Make it writable by the BIND process:

chown named.named /var/log/query.log

Give BIND a reboot:

service bind9 restart

And now you should be able to follow the queries as any other log:

tail -f /var/log/query.log

References:
http://www.gypthecat.com/how-to-log-bind-queries-on-ubuntu-12-10
http://linuxmantra.com/2011/04/logging-bind-queries.html

Incoming search terms:

  • logging { channel querylog{
  • named queries log

0805_transmission_587

Connect to xbian using ssh

Default username xbian password raspberry

Perform package update and upgrade

[email protected]:/home/xbian#apt-get update
[email protected]:/home/xbian#apt-get upgrade –y

Install xbian optimized transmission binary

[email protected]:/home/xbian#apt-get install -y -o Dpkg::Options::=”–force-confdef” -o Dpkg::Options::=”–force-confold” xbian-package-transmission

Notes:

1. Default download location is at /home/xbian
2. Access webui via http://xbianip:9091
3. Default webui login admin password raspberry

It seems that Ubuntu/Debian (or perhaps other distros as well) prefer IPv6 DNS records instead of IPv4 when applicable and some times this results in loss of connectivity or similar problems.
I ran into this issue today while trying to update an old VPS with apt-get/aptitude. Specifically, security.ubuntu.com was being resolved in an unreachable IPv6 address and I had to wait some minutes for timeout every time.
Fortunately, there is an easy fix for this; you just have to edit the file located at: /etc/gai.conf which is the configuration for getaddrinfo(). There you have to uncomment line ~54 which reads: “precedence ::ffff:0:0/96 100″, and you are all set! (assuming that every other option is commented out by default as in my case).

gai

Reference: http://bruteforce.gr/make-apt-get-use-ipv4-instead-ipv6.html

What is SSL Cipher Suite?
A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol

Below bash script gets a list of supported cipher suites from OpenSSL and tries to connect using each one. If the handshake is successful, it prints YES. If the handshake isn’t successful, it prints NO, followed by the OpenSSL error text.

#!/usr/bin/env bash

# OpenSSL requires the port number.
SERVER=192.168.1.11:443
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
  echo YES
else
  if [[ "$result" =~ ":error:" ]] ; then
    error=$(echo -n $result | cut -d':' -f6)
    echo NO \($error\)
  else
    echo UNKNOWN RESPONSE
    echo $result
  fi
fi
sleep $DELAY
done

Here’s sample output showing 3 unsupported ciphers, and 1 supported cipher:


[@linux ~]$ ./test_ciphers
Obtaining cipher list from OpenSSL 0.9.8k 25 Mar 2009.
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-SHA...YES

Reference:
http://en.wikipedia.org/wiki/Cipher_suite
http://superuser.com/questions/109213/is-there-a-tool-that-can-test-what-ssl-tls-cipher-suites-a-particular-website-of
https://www.ssllabs.com/ssltest/index.html

Posted in OS.

Problem

Received error “Could not bind UDP syslog input to address /0.0.0.0:514, Failed to bind to: /0.0.0.0:514, Address already in use” when adding log input using UDP 514 (default syslog port).

Explanation

In UNIX/LINUX, assigned port 1024 and below require root privilege. Either you run graylog2 as root (not recommended) or follow below workaround.

Solution

1. Create new Syslog UDP inputs and listen to any port (ex: 5514).
2. Manipulate traffic using iptable:
iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 514 -j REDIRECT --to-ports 5514

Incoming search terms:

  • graylog input failed to bind