funzoneq
Nerdstuff
138 posts
I hoard stuff on the interwebz. Feel free to do the same.
funzoneq 3 months ago
Juniper BNG debugging commands
show subscribers
show subscribers summary
show subscribers detail
show subscribers vlan-id 29 stacked-vlan-id 22 extensive
show subscribers user-name vallejo.ps1:22-29 extensive
Show incoming DHCP traffic
monitor traffic interface ps1 no-resolve size 1500
Restarting services
restart dhcp-service
restart general-authentication-service
restart smg-service
Enable debug logging
set system processes general-authentication-service traceoptions file RADIUS.log
set system processes general-authentication-service traceoptions file size 100m
set system processes general-authentication-service traceoptions file files 3
set system processes general-authentication-service traceoptions flag all
set system processes smg-service traceoptions file SMGD.log
set system processes smg-service traceoptions file size 100m
set system processes smg-service traceoptions file files 3
set system processes smg-service traceoptions level all
set system processes smg-service traceoptions flag all
set system processes dhcp-service traceoptions file DHCP.log
set system processes dhcp-service traceoptions file size 100m
set system processes dhcp-service traceoptions file files 3
set system processes dhcp-service traceoptions level all
set system processes dhcp-service traceoptions flag all
set system processes dhcp-service traceoptions flag interface
set system processes dhcp-service traceoptions flag auth
set system processes dhcp-service traceoptions flag flow
set system processes dhcp-service traceoptions flag general
Search per log file
grep "ERR:" /var/log/SMGD.log
tail -f /var/log/RADIUS.log
All logs
show shmlog entries logname all | last 500
Show radius traffic with attributes
tshark -nVi eth0 port 1812
funzoneq 5 years ago
Zero Touch Provisioning for Cisco
When provisioning Cisco switches with Kea, you need to create a custom vivso-suboption and create a tftp-server-name option with code 150. This works with Kea >= 1.6.0.
For those who don't know Kea yet: It's an open source DHCP server that is API driven and highly customizable.
Here is a config snippet. I hope it helps somebody out.
// Kea supports vendor options (see Section 7.2.10) and allows users
// to define their own custom options (see Section 7.2.9).
"option-def": [
    {
        "name": "cisco-tftp-server-name",
        "code": 150,
        "type": "ipv4-address"
    },
    {
        "name": "cisco-image-file-name",
        "code": 5,
        "space": "vendor-9",
        "type": "string",
        "record-types": "",
        "array": false
    }
],
"client-classes": [
    {
        "name": "Cisco_3560CX",
        "test": "substring(option[60].hex,0,12) == 'ciscopnp'",
        "option-data": [
            { "name": "boot-file-name", "data": "config/cisco_3560cx.conf" },
            { "name": "cisco-tftp-server-name", "data": "172.28.202.27" },
            { "name": "vivso-suboptions", "data": "9" },
            {
                "name": "cisco-image-file-name",
                "space": "vendor-9",
                "data": "images/c3560cx-universalk9-mz.152-4.E8.bin",
                "always-send": true
            }
        ]
    }
],
"subnet4": [
    {
        // "name": "ZTP VLAN 100",
        "option-data": [
            { "name": "routers", "data": "172.16.0.1" },
            { "name": "domain-name-servers", "data": "8.8.8.8, 4.2.2.2" },
            { "name": "tftp-server-name", "data": "172.16.0.2" }
        ],
        "pools": [{"pool": "172.16.0.20 - 172.16.0.254"}],
        "reservations": [],
        "subnet": "172.16.0.0/24",
        "relay": { "ip-addresses": [ "172.16.0.3" ] }
    }
]
funzoneq 5 years ago
How to: Zero Touch Provisioning (ZTP) for Juniper with Kea DHCP server
When doing Zero Touch Provisioning (ZTP) for Juniper with Kea, you have to create some special vivso-suboptions. You need Kea >= 1.6.0 for this.
For those who don't know Kea yet: It's an open source DHCP server that is API driven and highly customizable.
Here is a config snippet. I hope it helps somebody out.
// Kea supports vendor options (see Section 7.2.10) and allows users
// to define their own custom options (see Section 7.2.9).
"option-def": [
    { "name": "image-file-name", "code": 0, "space": "ZTP", "type": "string", "record-types": "", "array": false },
    { "name": "config-file-name", "code": 1, "space": "ZTP", "type": "string", "record-types": "", "array": false },
    { "name": "image-file-type", "code": 2, "space": "ZTP", "type": "string", "record-types": "", "array": false },
    { "name": "transfer-mode", "code": 3, "space": "ZTP", "type": "string", "record-types": "", "array": false },
    { "name": "alt-image-file-name", "code": 4, "space": "ZTP", "type": "string", "record-types": "", "array": false },
    { "name": "http-port", "code": 5, "space": "ZTP", "type": "string", "record-types": "", "array": false },
    { "name": "ftp-timeout", "code": 7, "space": "ZTP", "type": "string", "record-types": "", "array": false }
],
"client-classes": [
    {
        "name": "juniper_ex2300",
        "test": "substring(option[60].hex,0,14) == 'Juniper-ex2300'",
        // Option 43 carries the "ZTP" space as encapsulated sub-options.
        "option-def": [
            { "name": "vendor-encapsulated-options", "code": 43, "type": "empty", "encapsulate": "ZTP" }
        ],
        "option-data": [
            { "name": "config-file-name", "space": "ZTP", "data": "config/default-ex2300.conf" },
            { "name": "image-file-name", "space": "ZTP", "data": "images/junos-arm-32-19.4R1.10.tgz" },
            { "name": "transfer-mode", "space": "ZTP", "data": "http" },
            { "name": "vendor-encapsulated-options" }
        ]
    }
],
"subnet4": [
    {
        // "name": "ZTP VLAN 100",
        "option-data": [
            { "name": "routers", "data": "172.16.0.1" },
            { "name": "domain-name-servers", "data": "8.8.8.8, 4.2.2.2" },
            { "name": "tftp-server-name", "data": "172.16.0.2" }
        ],
        "pools": [{"pool": "172.16.0.20 - 172.16.0.254"}],
        "reservations": [],
        "subnet": "172.16.0.0/24",
        "relay": { "ip-addresses": [ "172.16.0.3" ] }
    }
]
Other ZTP tricks for Juniper can be found in our open source repository.
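Added example (not from the original posts or from the Kea project): a decoder for the vendor payloads that the Juniper snippet above (option 43) and the Cisco snippet before it (option 125) hand out, with a check of an observed option 43 against the values the Kea class is meant to send. It assumes one-byte code and one-byte length sub-options; the function names, the `EXPECTED` table, the `images/unknown.tgz` value and the sample payloads are constructed for illustration.

```python
import struct

JUNIPER_ZTP = {0: "image-file-name", 1: "config-file-name", 2: "image-file-type", 3: "transfer-mode",
               4: "alt-image-file-name", 5: "http-port", 7: "ftp-timeout"}  # "ZTP" space codes above
CLEARTEXT = {"tftp", "ftp", "http"}  # no transport integrity or server authentication

def tlv(code: int, text: str) -> bytes:  # one sub-option: code, length, value
    raw = text.encode("ascii")
    return bytes([code, len(raw)]) + raw

def parse_tlv(data: bytes) -> dict:
    """Decode a run of code/length/value sub-options (the option 43 payload)."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"sub-option at offset {i} is truncated")
        code, length = data[i], data[i + 1]
        out[code] = data[i + 2:i + 2 + length].decode("ascii", "replace")
        i += 2 + length
    return out

def parse_vivso(data: bytes) -> dict:
    """Decode option 125 (RFC 3925): 4-byte enterprise id, 1-byte length, sub-options."""
    out, i = {}, 0
    while i < len(data):
        if i + 5 > len(data) or i + 5 + data[i + 4] > len(data):
            raise ValueError(f"enterprise block at offset {i} is truncated")
        enterprise, length = struct.unpack_from("!IB", data, i)
        out[enterprise] = parse_tlv(data[i + 5:i + 5 + length])
        i += 5 + length
    return out

def audit_juniper(opt43: bytes, expected: dict) -> list:
    """Compare an observed option 43 payload with what the Kea class should send."""
    got = {JUNIPER_ZTP.get(c, str(c)): v for c, v in parse_tlv(opt43).items()}
    findings = [f"{k}: offered {got.get(k)!r}, expected {v!r}"
                for k, v in expected.items() if got.get(k) != v]
    findings += [f"unexpected sub-option {k}={v!r}" for k, v in got.items() if k not in expected]
    if got.get("transfer-mode") in CLEARTEXT:
        findings.append(f"transfer-mode {got['transfer-mode']!r} is cleartext (no integrity or server authentication)")
    return findings

# Constructed sample payloads; file names are the ones used in the two configs above.
EXPECTED = {"image-file-name": "images/junos-arm-32-19.4R1.10.tgz",
            "config-file-name": "config/default-ex2300.conf", "transfer-mode": "http"}
GOOD_43 = tlv(0, EXPECTED["image-file-name"]) + tlv(1, EXPECTED["config-file-name"]) + tlv(3, "http")
ROGUE_43 = tlv(0, "images/unknown.tgz") + tlv(1, EXPECTED["config-file-name"]) + tlv(3, "http")
_cisco = tlv(5, "images/c3560cx-universalk9-mz.152-4.E8.bin")
CISCO_125 = struct.pack("!IB", 9, len(_cisco)) + _cisco
```

Feed it the raw option bytes from a packet capture of the DHCP offer: a mismatch against `EXPECTED` means the switch was answered by something other than the intended Kea class.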
funzoneq 7 years ago
Enabling serial console redirecting on Supermicro with EFI
Go to the BIOS:
Advanced -> Serial Port Console Redirection -> COM1 -> Console Redirection: Enabled
IPMI -> BMC Network Configuration: Update Static or DHCP
Edit /etc/default/grub:
GRUB_TERMINAL="console serial"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb"
GRUB_CMDLINE_LINUX_DEFAULT="console=tty1 console=ttyS1,115200"
Create a new grub.cfg file for EFI:
grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
Start ttyS1 with Systemd:
systemctl enable serial-getty@ttyS1.service
Reboot the system:
sudo reboot
Activate SOL via ipmitool:
#!/bin/bash
# Usage: pass the BMC hostname or IP address as the first argument.
ipmitool -H "$1" -I lanplus -U ADMIN sol activate
funzoneq 10 years ago
Replacing Logstash with Heka
I'm playing with Heka (v0.9.0) to replace logstash + logstash forwarder. Logstash adds way too much overhead to perform well. So far, Heka has been very lean and configurable. But there are not enough how-tos online. So I'm starting with this example that I use.
It reads /var/log/auth.log and /var/log/syslog, decodes them using the rsyslog format, encodes them to logstash format and sends them to Elasticsearch.
Pro-tip: run Elasticsearch behind an SSL proxy to ship logs securely. Just change server to https://elasticsearch.example.com:9201 or whatever port you are running your SSL proxy on.
https://hekad.readthedocs.org/en/latest/config/inputs/logstreamer.html
https://hekad.readthedocs.org/en/latest/config/decoders/rsyslog.html
https://hekad.readthedocs.org/en/latest/config/encoders/eslogstashv0.html
https://hekad.readthedocs.org/en/latest/config/outputs/elasticsearch.html
https://hekad.readthedocs.org/en/latest/config/encoders/rst.html
[AuthlogInput]
type = 'LogstreamerInput'
log_directory = '/var/log'
file_match = 'auth\.log'
decoder = 'RsyslogDecoder'

[SyslogInput]
type = 'LogstreamerInput'
log_directory = '/var/log'
file_match = 'syslog'
decoder = 'RsyslogDecoder'

[RsyslogDecoder]
type = "SandboxDecoder"
filename = "lua_decoders/rsyslog.lua"

[RsyslogDecoder.config]
type = "RSYSLOG_TraditionalFileFormat"
template = '%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n'
tz = "UTC"

[ESLogstashV0Encoder]
es_index_from_timestamp = true
type_name = "%{Type}"

[ElasticSearchOutput]
message_matcher = "Logger != 'hekad'"
server = "http://elasticsearch.example.org:9200"
encoder = "ESLogstashV0Encoder"

#[RstEncoder]

#[debug]
#type = "LogOutput"
#encoder = "ESLogstashV0Encoder" or encoder = "RstEncoder"
#message_matcher = "Logger != 'hekad'"
funzoneq 10 years ago
Update dell service tag
Reminder to self:
http://linux.dell.com/repo/community/ubuntu/
smbios-sys-info --service-tag --set=7AB3YX1
funzoneq 11 years ago
Hi Arnoud, for a school project I am looking for the same kind of setup that you had with you on DWDD. In that episode you showed how easily you can see data from laptops that were connected to your network. Could you perhaps tell me how you did that? I look forward to hearing from you, Remco de Bont,
Hi Remco,
The tool I used is called driftnet and can be found on most Linux distributions. If you search for "linux man in the middle" you will get a lot of results that can help you on your way.
I also want to point out that eavesdropping on internet traffic without the explicit permission of your 'target' is not allowed and is punishable under the computer intrusion (computervredebreuk) legislation.
That said, it is a fun demo to show how vulnerable internet users are. You do have to point out what users can do to protect themselves against this kind of man-in-the-middle attack, for example by using SSL or a VPN solution.
Arnoud
funzoneq 11 years ago
Today's the day. The day you help save the internet from being ruined.
Ready?
Yes, you are, and we're ready to help you.
(Long story short: The FCC is about to make a critical decision as to whether or not internet service providers have to treat all traffic equally. If they choose wrong, then the internet where anyone could start a website for any reason at all, the internet that's been so momentous, funny, weird, and surprising—that internet could cease to exist. Here's your chance to preserve a beautiful thing.)
funzoneq 11 years ago
Ahhh science!
funzoneq 11 years ago
Chef's special rocking the stage (turn off your audio).
funzoneq 11 years ago
More pics: here
funzoneq 12 years ago
Setting up butterfly labs bitcoin miner with CentOS on BFGminer
Modprobe the serial driver
sudo /sbin/modprobe ftdi_sio vendor=0x403 product=0x6014
Make it load on boot
sudo -i
cat << 'EOF' > /etc/sysconfig/modules/ftdi_sio.modules
#!/bin/sh
# Load ftdi_sio with the device's vendor/product IDs if it is not loaded yet.
/sbin/lsmod | grep ^ftdi_sio > /dev/null
if [ $? -eq 1 ]
then
    exec /sbin/modprobe ftdi_sio vendor=0x403 product=0x6014 >/dev/null 2>&1
fi
EOF
Needs to be executable
sudo chmod +x /etc/sysconfig/modules/ftdi_sio.modules
Add the repository for BFGMiner
sudo -i
cat << 'EOF' > /etc/yum.repos.d/bfgminer.repo
[bfgminer]
name=bfgminer for RHEL 6 and clones - $basearch - Base
baseurl=http://vps.us.freshway.biz/CentOS-6-Production-x86_64/RPMS.bfgminer/
failovermethod=priority
enabled=1
# gpgcheck=0 disables package signature verification for this repository
gpgcheck=0
EOF
Install BFGMiner
sudo yum -y install bfgminer screen
Add your (mining) user to the dialout group to get access to usb serial devices.
sudo usermod -a -G dialout $(whoami)
Copy the default config and edit it.
cp /usr/share/doc/bfgminer/example.conf ~/bfgminer.conf
Add pools and settings.
vi ~/bfgminer.conf
Start your bfgminer in a screen
screen bfgminer -c ~/bfgminer.conf
Profit.
funzoneq 12 years ago
Looks like a hard problem.
funzoneq 12 years ago
Replacing Dropbox with BitTorrent Sync (for 1password)
I use 1password for managing all my passwords.
I need to be able to access these passwords on all platforms (mac/phone/tablet/pc).
And I need to be able to keep these passwords in sync across these devices.
The 1password app natively supports Dropbox, so I have been using that for a year or so.
But the thought of having my sensitive information on a third party service like Dropbox bugged me. 1password stores my passwords in an encrypted format, but I don't want it to be available to "third parties" at all.
So I set out to find an alternative. Preferably one that doesn't include a cloud storage provider.
My first consideration was to run my ownCloud somewhere, but I already run a bunch of infrastructure, and I really don't want to manage more.
The thing is: my 1password file only changes once a day or so. So running a service full time, to only manage a once-a-day sync, is a bit excessive.
My next option was to hack something using rsync and push out a change to my devices once every so often. But I travel a lot, and my mobile phones / tablets don't have a static IP and/or are behind NAT/Firewall. All these things can be overcome, but it would become a pretty hacky project.
Then I came across BitTorrent Sync. It uses the BitTorrent protocol to sync my files, without requiring central storage or a cloud provider. And it has support for all the platforms I require. I decided to try it out.
I started by installing BitTorrent Sync on my Mac and phone. I created a folder to sync called "BTSync" and copied my 1Password.agilekeychain in there.
Now it's time to couple my devices. Open BitTorrent Sync ->
Ctrl + Click (right click) the folder you want to sync ->
Connect Mobile Device -> Full access
On your android device, choose add folder, scan the QR code and you are set! Just wait a little while for your keychain to propagate. When that is done, it is time to point the 1password app where to go.
Open the 1Password app on Android -> Press the ... in the right bottom corner -> More -> Update Sync Settings ->
SD Card -> Select the directory that you called "BTSync" -> Select the 1Password.agilekeychain ->
Set Data File Location. And you are good to go! Cloudless, synced 1password keychains!