Thursday, 27 October 2016

Installing Foreman on CentOS 7 / Debian 8

Foreman provides a feature-rich frontend for Puppet that allows you to easily deploy, manage and monitor your Puppet infrastructure. Note: It is highly recommended that you use the official Puppet packages from the official Puppet repository when using it in conjunction with Foreman. So - let's first add the Foreman repository with: yum install epel-release http://yum.theforeman.org/releases/1.7/el7/x86_64/foreman-release.rpm yum -y install foreman-installer or for Debian 8: echo "deb http://deb.theforeman.org/ jessie 1.13" > /etc/apt/sources.list.d/foreman.list echo...

Tuesday, 25 October 2016

Locking down a linux system with the help of Puppet

Puppet, as well as being a great deployment tool, is brilliant for ensuring that your system's configuration is as it should be. When working with Linux (well, any operating system really) I like to create a security baseline that acts as an applied standard across the organization. I am going to base the core configuration on the following modules (while ensuring that the configuration is compatible with the vast majority of Linux distributions): puppet module install hardening-ssh_hardening puppet module install hardening-os_hardening puppet module install puppetlabs-accounts puppet...

Monday, 24 October 2016

Quickstart: Installing and configuring puppet on CentOS 7 / RHEL

For the Puppet master we will need a VM with at least 8GB of RAM, 80GB of disk and 2 vCPUs. The topology will comprise two nodes - MASTERNODE (the Puppet server) and CLIENTNODE (the Puppet client). Firstly we should ensure that NTP is configured on both the client and server. We'll now install the official Puppet repository: sudo rpm -Uvh https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm yum install puppetserver puppetdb puppetdb-termini sudo systemctl enable puppet sudo systemctl start puppetserver We should then set...

Wednesday, 19 October 2016

Retrieving the top requesting hosts from the nginx access logs

We will firstly inspect the log format: tail -f /var/log/nginx/access.log.1 89.248.160.154 - - [18/Oct/2016:21:58:38 +0000] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-" 89.248.160.154 - - [18/Oct/2016:21:58:38 +0000] "GET //myadmin/scripts/setup.php HTTP/1.1" 301 178 "-" "-" Fortunately apache has a standardized format so we can parse the logs pretty easily - we will firstly use a regex to extract the requester IP from the log file (note the '^' is present to ensure we don't pick up an IP anywhere else in the line, e.g. within the requested URL): grep...

Tuesday, 18 October 2016

Customer - ISP BGP Lab (Removing private ASN's)

For this lab we will have a customer site (ASN 16500) that connects to an ISP over BGP. The customer has an inner core consisting of 3 routers (R1, R2 and R3) running OSPF as an IGP. The customer's edge has a border router that is running BGP and will peer with the ISP's router R5. The goal here is to ensure that when clients within the core network attempt to access the internet they will be directed towards our edge router and in turn the ISP's...

Monday, 17 October 2016

Tip: Debugging with 'debug ip packet'

The 'debug ip packet' command is a brilliant way to help diagnose problems with traffic traversing the router - although there are a few drawbacks - one being that only packets that are switched using process switching (i.e. switched with the help of the CPU) will be visible in the 'debug ip packet' output - other switching mechanisms like Fast Switching and CEF will not. We can use 'no ip route-cache' within interface mode to force packets to be switched with process switching - although note that this can have an adverse effect...

Friday, 14 October 2016

Simple eBGP / iBGP Topology

In this topology we will have two service providers (Customer 1,2) who have their own ASN. Each customer has connectivity to a single ISP (ISP1,2.) In order for one customer to reach the other, packets must be routed over eBGP - hence traversing ISP 1 and 2's ASNs over BGP. So we'll start by configuring eBGP between R2 (ASN 100) and R3 (ASN 100): R3> enable conf t int e0/1 ip address 10.254.0.1 255.255.255.252 no shutdown router bgp 200 neighbor...

Monday, 10 October 2016

firewalld / firewall-cmd quick start

We should firstly ensure that the service is running with: firewall-cmd --state We want to ensure any newly added interfaces will automatically be blocked before we explicitly define who can access them: firewall-cmd --set-default-zone=block and then configure our interface zones: firewall-cmd --permanent --zone=public --change-interface=eno333333 firewall-cmd --permanent --zone=internal --change-interface=eno222222 We must also define the 'ZONE' variable within our interface config: vi /etc/sysconfig/network-scripts/ifcfg-eno333333 and...

Friday, 7 October 2016

iBGP: Full mesh requirement

When implementing iBGP in your AS you are required to create a full mesh topology - that is - all routers need to be logically connected to every other device in the AS via a neighbor peer relationship - hence requiring you to set up individual peering sessions between them all. The reasoning behind this is that while eBGP (or routing between AS's) uses the AS_PATH field to avoid loops - by rejecting an advertised route if the AS_PATH contains its own AS number - iBGP does not modify this field and hence can't detect loops. For example: Let's say we...

BGP (Border Gateway Protocol) Summary

(e)BGP is a type of EGP (Exterior Gateway Protocol) - in fact the only one in use today - and is used to provide routing information across the internet (across AS's), as opposed to an IGP (Interior Gateway Protocol) such as EIGRP or OSPF that provides routing information across nodes in a single AS (Autonomous System). One of the fundamental differences between BGP and other routing protocols such as EIGRP, OSPF etc. is that both parties (routers)...

Wednesday, 5 October 2016

Setting up JunOS 12.1 (Olive) with GNS3

For this setup I am presuming you have already installed GNS3. We will need to firstly ensure VirtualBox (https://www.virtualbox.org/wiki/Downloads) is installed and that you have downloaded the JunOS virtual appliance: https://drive.google.com/open?id=0BzJE2w8IRXVvX0U1Y0lSdndMWVk Note: The above must not be used for commercial purposes at all - as well as being outdated, it is not supported at all by Juniper and should be used for development and testing purposes only. From VirtualBox we do a: File >> Import Appliance, specifying our...

Route redistribution with OSPF and EIGRP

Route redistribution is simply the process of sharing information between two or more routing protocols - since by design OSPF and EIGRP (RIP etc.) are not compatible with each other - for example OSPF uses cost as a metric, while EIGRP uses K-values. For this lab we will be redistributing routing information across an EIGRP and OSPF domain - we will be using the previous lab here as a starting point, with the addition of an EIGRP domain of which...

Tuesday, 4 October 2016

OSPF Route Summarization

Route summarization - as the name suggests - allows you to summarize a group of networks by specifying a single prefix - for example if we had the following subnets: 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 we could summarize them as: 192.168.0.0/22 Route summarization in OSPF can only be performed on the ABR or ASBR - this is because the LSDB (Link State Database) must be exactly the same on all routers within the area. Note:...

Route Filtering with OSPF

Route filtering allows us to prevent routes from being distributed between other routers in our domain / area. One important thing to note about OSPF is that normal routers within their area are unaware of where inter-area networks reside (i.e. the topology of the other areas) and instead simply reference the area's ABR - for example, in the topology above if we look at Router1's OSPF database: do show ip ospf database ...    ...

Monday, 3 October 2016

Setting up OSPF Virtual Links

When setting up OSPF it is required that all areas (i.e. ABRs) are connected to the backbone area (0) - in some more complex topologies there might be (planned) areas that do not have a direct link to the backbone area - this is where virtual links come into play - they provide a way for these areas to tunnel through an adjacent area to the backbone area. In the (simplified) diagram above we can clearly see that although Area 1 has a direct...

Distance Vector, Link State, Split horizon and Poison Reverse Explained

Distance Vector routing boils down to two factors - the distance (metric) of the destination and the vector (the direction it takes to get there). Unlike link-state routing, distance vector only exchanges routing information between its directly connected neighbors. This means that although a router knows from which neighbor a route was learnt, it does not know where that neighbor learnt the route from - so the router itself will not have a hierarchical view of other subnets and only knows which link / neighbor to use to get to that network. Examples...