Thursday, 29 September 2016

Understanding OSPF stub, NSSA, totally stub and totally NSSA's

Stub Areas: OSPF makes use of stub areas to control the advertisement of routes into an area - it does this by designating a stub interface on an ABR (Area Border Router). By doing this you are able to suppress external route advertisements through the ABR (keeping LSA flooding to a minimum); otherwise the routing table could get very large. Instead of advertising the external routes, the ABR will advertise itself as a default route. For...

HAProxy Remote Desktop Services Example Configuration

The below configuration load balances between two RDS servers - one used for untrusted clients (defined in untrustedservers.lst) and another for trusted clients (defined in trustedservers.lst) - anything else attempting to connect to the RDS server is rejected.

    frontend localnodes
        bind *:3389
        mode tcp
        default_backend restricted
        timeout client          1h
        option tcpka
        acl trustedclients src -f /etc/haproxy/trustedservers.lst
        acl untrustedclients...

What is SPF and how to set it up for your domain

SPF (Sender Policy Framework) is an anti-spoofing system that provides a way for the administrator of a domain to authorize mail servers that can send mail on behalf of the domain. The list of authorized hosts / mail servers is published as TXT records in the domain's DNS zone. For example, if mail server 123.456.789.123 sends mail on behalf of domain.com and the mail server that receives the email is able to perform an SPF lookup on domain.com, it will verify that 123.456.789.123 is present within the authorized hosts - if it is not it will...

Friday, 23 September 2016

Enabling access to legacy public folders from Exchange Online

This topic, although there is a lot of information available, can be quite overwhelming given the many potential scenarios and the sheer amount of documentation available. This post is a quick summary of the steps I performed to provide access for Exchange Online users (who were part of a hybrid Exchange setup) to an on-premises Exchange 2010 (SP3) organization. In my experience, after I completed the initial hybrid wizard when first setting up the hybrid environment, I found that users within Exchange Online did not have any access to public...

Thursday, 22 September 2016

RDP re-connection / disconnection events when running behind haproxy

In my case clients were being disconnected during RDP sessions and, although this appeared to be random, sometimes there was a noticeable pattern, e.g. a disconnection occurs every x minutes - which led me to believe that the problem might be related to server / client configuration (e.g. keep alive / timeout issues). This kind of issue could also be related to problems such as an unreliable network connection somewhere between the backend server. We should firstly verify whether RDP server keep alive / timeout configuration is set up as needed on the...

Thursday, 1 September 2016

Anti-DDoS Setup for IPTables and Linux Kernel (CentOS 7)

Forenote: This article is for my reference - full credit goes to the source found here: https://javapipe.com/iptables-ddos-protection. The below has been tested on CentOS 7 - although different OSes / kernel versions might not be completely compatible with everything below.

Kernel Tweaks:

    kernel.printk = 4 4 1 7
    kernel.panic = 10
    kernel.sysrq = 0
    kernel.shmmax = 4294967296
    kernel.shmall = 4194304
    kernel.core_uses_pid = 1
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    vm.swappiness = 20
    vm.dirty_ratio = 80
    vm.dirty_background_ratio = 5
    fs.file-max...

Protection against SYN Flooding with SYNPROXY

The problem: SYN flood attacks (while quite unsophisticated in nature) can be devastating to systems that do not have the relevant protection mechanisms in place - the basic premise behind a SYN flood attack is to exhaust the connection state table with invalid (or partially established) handshakes from (more often than not) spoofed sources. For example A synproxy is a mechanism for protection against SYN flooding and is built into (or rather, implemented in) many popular firewalls like iptables / pfsense (pf) and so on. The basic principle of a...