The Certified Geek

November 23, 2009

Caveats in Deploying Open Wifi Network

Deploying an open wireless network for public users can be a pain if you don’t know what is coming. Here are the things I have learned (the hard way) when deploying such a network.

Space the access points effectively: use twice the effective range of one AP as the distance between them
- Use the recommended channel spacing (channels 1, 6 and 11, i.e. 2412 MHz, 2437 MHz and 2462 MHz)

Minimize (or even remove) the security settings on the switch interfaces where the APs connect
- Port-security (particularly on Cisco IOS) is good, but consider which settings are appropriate, as many MAC addresses will be seen on the same port
- A user roaming with the same IP across different APs can trigger port-security violations (overlapping AP coverage causes this)
- DHCP snooping should be activated with care, as it can block valid DHCP requests arriving in numbers from the access points

Consider that not only laptops connect to the network; you now have to account for mobile devices too!
- These can easily exhaust all DHCP leases in a single day (think how many users have iPhones, Blackberries, and any other phone with WiFi capability)

I recommend shortening the DHCP server lease time to somewhere between 10 and 30 minutes.
- This releases IP addresses back to the DHCP pool very quickly, but increases the amount of DHCP broadcast traffic
- Plan for multiple IP address ranges in the design once you have estimated the number of concurrent users in the wireless area

November 10, 2009

Nagios Installation Whoops!

While installing Nagios, you might encounter this error message in the web interface:
(screenshot: Nagios web interface error)

The recommended troubleshooting steps in the documentation are rather vague and not straightforward. Here are direct steps to check what is causing the errors in a Nagios installation.

1) Make sure Nagios is running in the background

# ps ax | grep nagios
6722 ? Ssl 0:14 /usr/local/nagios/bin/nagios -d /usr/local/nagios/etc/nagios.cfg

If it is not running, execute the command

# /usr/local/nagios/bin/nagios -d /usr/local/nagios/etc/nagios.cfg

Since I use Debian, I executed this command,

# /etc/init.d/nagios start

2) Execute pre-flight check commands to check the configuration file

# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
...snipped...
Total Warnings: 0
Total Errors: 0

Things look okay - No serious problems were detected during the pre-flight check

The output should give you indications of any problems in the configuration file

3) Lastly, check the Nagios log, which is normally located at /usr/local/nagios/var/nagios.log (use the tail command if the log file is very long)

From these steps, you can properly diagnose the problem and correct it (if ever :) )
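The three checks above bundled into one script, as an added example that is not part of the original post. The paths are the defaults the post uses (override them through the environment if yours differ), and the log-line format it expects is the "[epoch] Error: ..." style Nagios writes.

```shell
#!/bin/sh
# Added example: run the three Nagios checks from the post in one go.
# Paths are the post's defaults; export NAGIOS_BIN/NAGIOS_CFG/NAGIOS_LOG to override.
NAGIOS_BIN="${NAGIOS_BIN:-/usr/local/nagios/bin/nagios}"
NAGIOS_CFG="${NAGIOS_CFG:-/usr/local/nagios/etc/nagios.cfg}"
NAGIOS_LOG="${NAGIOS_LOG:-/usr/local/nagios/var/nagios.log}"

# Step 1: is the daemon up? Match its full command line rather than the word
# "nagios", which the post's "ps ax | grep nagios" also finds in the grep itself.
nagios_running() {
    pgrep -f "$NAGIOS_BIN -d" >/dev/null 2>&1
}

# Pull the error count out of pre-flight output supplied on stdin.
# Prints 0 when the summary line is missing (nagios aborted before printing it).
preflight_error_count() {
    awk '/^Total Errors:/ { n = $3 } END { print n + 0 }'
}

# Step 2: run the pre-flight check; succeed only when it reports zero errors.
# A missing binary is reported as a failure, not silently treated as "clean".
nagios_preflight() {
    [ -x "$NAGIOS_BIN" ] || { echo "no executable at $NAGIOS_BIN" >&2; return 2; }
    errors=$("$NAGIOS_BIN" -v "$NAGIOS_CFG" 2>&1 | preflight_error_count)
    [ "$errors" -eq 0 ]
}

# Step 3 helper: keep only the lines of a nagios.log stream that the daemon
# flagged. Lines look like "[1258933800] Error: ...", so match after the timestamp.
log_problem_lines() {
    grep -E '^\[[0-9]+\] (Error|Warning):'
}

# Runs all three checks and prints a one-line verdict for each.
nagios_doctor() {
    if nagios_running; then echo "daemon: running"; else echo "daemon: NOT running (see step 1)"; fi
    if nagios_preflight; then echo "config: pre-flight clean"; else echo "config: pre-flight reported errors"; fi
    echo "log: most recent problems in $NAGIOS_LOG"
    tail -n 200 "$NAGIOS_LOG" 2>/dev/null | log_problem_lines | tail -n 5
}
```

Source the file and call nagios_doctor on the Nagios host; the helper functions can also be used on their own against saved output.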

October 28, 2009

Cisco Quickie: Locating a Cisco Access Point physically using flashing LED

Imagine you have a number of Cisco Wireless Access Points, say 10 spread across your office functioning as a wireless mesh. You need to replace an access point (AP) that is causing problems on the wireless infrastructure. However, you currently don’t have any documentation on which APs are mounted where on the ceiling, and there is no proper labelling either. So, how would you determine which physical device it is?

Cisco IOS has a command that makes the LEDs of the AP blink so it can be picked out from the pack.

ap#led flash ?
<1-3600> number of sec to flash
disable stop flashing the LEDs

ap#sh led flash
LED Flash is disabled

ap#led flash
ap#sh led flash
LED Flash is enabled

With this command, you can physically locate the APs from the ceiling.

September 24, 2009

Iptables loop script for Samba

Sometimes Linux administrators/owners want to restrict access to a Samba server to specific IP addresses, since user authentication is not enabled (for some reason). Here is a bash script that uses iptables in a loop to allow only specific hosts.


#!/bin/bash
# Define the interface where Samba listens
IF_INT=eth0
# Define the list of hosts allowed to connect to the server, separated by spaces; note the /32 subnet
HOSTS="192.168.1.100/32 192.168.1.200/32 192.168.1.201/32"

# This is the FOR loop: one ACCEPT rule per allowed host and per SMB/NetBIOS port
for SOURCE in $HOSTS
do
  iptables -A INPUT -i $IF_INT -s $SOURCE -p tcp --dport 445 -j ACCEPT
  iptables -A INPUT -i $IF_INT -s $SOURCE -p tcp --dport 139 -j ACCEPT
  iptables -A INPUT -i $IF_INT -s $SOURCE -p udp --dport 137 -j ACCEPT
  iptables -A INPUT -i $IF_INT -s $SOURCE -p udp --dport 138 -j ACCEPT
done

# Everything else that reaches the Samba ports is dropped. Without these two rules the
# ACCEPT rules above restrict nothing when the INPUT chain's default policy is ACCEPT.
iptables -A INPUT -i $IF_INT -p tcp -m multiport --dports 139,445 -j DROP
iptables -A INPUT -i $IF_INT -p udp -m multiport --dports 137,138 -j DROP

Add this to your existing iptables script and you’re good to go.

September 14, 2009

Sudo and Environment Variables

I have always been scratching my head whenever I use sudo and the environment variables (env) keep changing. In my case, I have learned there are two ways to keep/preserve the environment, or retain some of it, when moving into a privileged account (sudo -s).

First method, run

# sudo -s -E

where the -E parameter is meant to preserve the environment (the sudoers policy has to allow this: with env_reset in effect and no SETENV tag for the user, sudo refuses to preserve the environment).

Second method, save all the necessary variables in the current user’s (not root’s) shell profile (for bash that is ~/.bashrc) by exporting them there.

# vi ~/.bashrc
export param1=value1
export param2=value2
#

That’s all to it.

October 13, 2008

Cisco Quickie: Promoting a switch into a master in switch stack

Filed under: Cisco Quickie

In a normal switch stack of Cisco Catalyst 3750 (several switches connected with each other functioning as one virtual switch), one switch will make itself the master switch (the one which controls the operations of the stack). In order to make the switch elect itself as master, it needs to have the highest priority number.

Here we have a switch with a priority of “1”

Switch#show switch
Switch#  Role    Mac Address     Priority  Version  State
----------------------------------------------------------
*1       Master  0023.344b.de80  1         0        Ready

We need to increase its priority number in order to force it to become the master when it joins the switch stack

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#switch 1 ?
priority Set the priority of the specified switch
provision Configure Switch provision / offline config
renumber Renumber the specified switch number

Switch(config)#switch 1 priority ?
<1-15> Switch Priority

Switch(config)#switch 1 priority 15
Changing the Switch Priority of Switch Number 1 to 15
Do you want to continue?[confirm]
New Priority has been set successfully

From here, we can check the switch status and see the priority set to “15”

Switch#sh switch
Switch/Stack Mac Address : 0023.344b.de80
                                           H/W       Current
Switch#  Role    Mac Address     Priority  Version   State
----------------------------------------------------------
*1       Master  0023.344b.de80  15        0         Ready

When this switch joins a switch stack, it will elect itself as the stack master (check the Master LED after booting). Note that a switch stack can hold at most 9 switches, so a priority of 15 should be more than enough. The only remaining problem is if somebody sets another switch to priority 15 as well; we will look at that later :)

June 24, 2008

How to brick a Cisco Wireless (AP1131AG) A.K.A Downgrading from lightweight mode to autonomous mode

It has been a while since I managed to write anything new, given the new work I am currently dealing with, but here is the first post for this year :)

We just bought some Cisco Wireless Access Points (model 1131AG), but unfortunately these are already in lightweight mode. In this mode you need a Wireless LAN Controller to use them. There is documentation on how to upgrade an autonomous Cisco Aironet Access Point to lightweight mode, but only a small section discusses reversing the process. This post discusses how I managed to brick, errm, reverse the process, which is not recommended by Cisco.

1. Download the appropriate Cisco IOS image from the Cisco website (you need a valid Cisco account to do this :) )

For this I downloaded c1130-rcvk9w8-tar.124-10b.JA3

2. Install a TFTP service (I recommend the free SolarWinds TFTP server)

3. Rename the image to c1130-k9w7-tar.default and place it in the TFTP root directory

4. Change the IP address of the TFTP server to any address between 10.0.0.2 and 10.0.0.30 (I used 10.0.0.2 on the laptop where the TFTP service is running)

5. Connect the access point to the same switch the TFTP server is connected to. Note: ensure there is no DHCP service running on this device.

6. Press the mode button of the access point while plugging in the power (wait about 20-25 seconds). Wait for one of the LEDs to turn RED (one of them becomes amber first), then release the mode button.

If everything goes well, the process will take around 10 to 15 minutes.
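Steps 2 to 4 done on a Linux host instead of the Windows TFTP server the post used, as an added example that is not from the original post. It assumes a TFTP daemon (tftpd-hpa or similar) already serves the directory passed as the second argument; the expected filename and the 10.0.0.2-10.0.0.30 address range are the ones given in the steps above.

```shell
#!/bin/sh
# Added example: stage the recovery image for the AP's mode-button TFTP download.
# Assumes a TFTP daemon serves the target directory (tftpd-hpa is one option).
RECOVERY_NAME="c1130-k9w7-tar.default"   # filename the AP requests (from the post)
RANGE_FIRST="10.0.0.2"                   # addresses the AP probes, inclusive
RANGE_LAST="10.0.0.30"

# Dotted quad -> integer, so the range check is a numeric comparison.
# Prints nothing for anything that is not four octets in 0..255.
ip_to_int() {
    echo "$1" | awk -F. 'NF == 4 && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
        print (($1 * 256 + $2) * 256 + $3) * 256 + $4 }'
}

# True when $1 is an address the AP will actually try to fetch the image from.
# A server outside this range is the usual reason the download never starts.
ip_in_recovery_range() {
    ip=$(ip_to_int "$1"); lo=$(ip_to_int "$RANGE_FIRST"); hi=$(ip_to_int "$RANGE_LAST")
    [ -n "$ip" ] && [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# Copy the downloaded image into the TFTP root under the name the AP expects,
# readable by the daemon. Refuses when the source is missing, so a typo does not
# leave an older image in place under the expected name.
stage_ap_image() {
    src="$1"; tftp_dir="$2"
    [ -f "$src" ] || { echo "image not found: $src" >&2; return 1; }
    [ -d "$tftp_dir" ] || { echo "no TFTP directory: $tftp_dir" >&2; return 1; }
    cp "$src" "$tftp_dir/$RECOVERY_NAME" && chmod 0644 "$tftp_dir/$RECOVERY_NAME"
}

# Step 4 check plus step 3 in one call: stage_recovery <image> <tftp_dir> <server_ip>
stage_recovery() {
    ip_in_recovery_range "$3" || { echo "$3 is outside $RANGE_FIRST-$RANGE_LAST" >&2; return 1; }
    stage_ap_image "$1" "$2"
}
```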

Here are the screenshots from the console of the access point, the sniffer on my laptop and the TFTP server activity.

In the end, the access point can operate in autonomous mode with a full-fledged IOS that lets it function stand-alone.

Enjoy!

November 2, 2007

Hackvertor

While updating my knowledge of security tools, I managed to stumble upon this “Hackvertor”. It kind of sounds like a convertor, in more of a hacker term.

For you guys to appreciate this, you should first try doing this challenge from The Spanner manually. Then watch this video to appreciate how it is done with Hackvertor. Enjoy!

(embedded video: Hackvertor)

October 31, 2007

Free Cisco Webcasts

Interested in watching FREE webcasts from Cisco? Check out these featured webcasts from them. I know some of you might be put off since these are vendor-centric webcasts, but we can’t deny Cisco has been, and will be, around setting the trends in networking and security…. well, for the latter part I might think twice :D

October 30, 2007

Remote Desktop support without the hassle

Ever wondered how to provide remote desktop support to one of your non-techie friends who has a problem using their computer? If they are directly connected to the Internet, meaning they have a public IP address assigned to them, this should be a cinch. We have Windows Remote Desktop and a plethora of VNC programs to support this.

But what if they are connected to an internal network where private addresses are used and their traffic is NATted before reaching the Internet? There are also some ISPs out there still putting users in private address space. How do you go about supporting them when they need your help? Their network administrator, as well as the security guys, would not allow any special treatment so these machines can be accessed from the Internet. Now we have a bit of a problem.

But not long ago, programs were developed to address these concerns. Without disturbing the current infrastructure, clients can be remotely accessed and controlled by users outside the network. One particular program I have recently used and liked is Teamviewer.

One good thing about this program is that it is free for non-commercial use, meaning normal users like you and I can use it to provide free remote desktop sharing. Downloading and installing the program is fairly straightforward. It also has a light version called Teamviewer Quick Support, which does not require any installation and can be run to let a supporter connect to the user’s desktop.

Once the program is installed, running it shows you the main interface:

(screenshot: Teamviewer main interface)

On the main interface, one can see the “Your Details” section, which has the ID and the (numeric) password. These are the credentials that must be sent to the person who is to take remote control of this machine; they can be sent via IM or a voice call. The Teamviewer mode below it explains the type of access allowed for the remote user. Also on the main interface is the “Partner Details” section, used to enter the ID of the remote client to connect to when this host acts as the machine that initiates the connection. Nifty, ain’t it :D

One thing people should notice about why this program works even from inside an internal network is a small program called DynGate that runs in the background. It is responsible for the connectivity of the remote desktop session. It only requires outbound access on port 80 to an external IP address, which is normally allowed for every host that needs Internet access. Using the program tcpview, we can see how the program connects to the Internet.

(screenshot: tcpview showing the DynGate connection)

They state in their terms that once the connection is established between the hosts, the line is secured using an encrypted channel and Teamviewer’s systems cannot decipher this traffic. Some people will raise security and privacy concerns about this. However, since it is free and you only use it on certain occasions, it is not an issue for me. I would just terminate the program once done.