TFTP server on Debian

Setting up a TFTP server in Linux is easy. In this example I am using Debian, and we are going to install HPA’s TFTP server (tftpd-hpa).

Before installing anything, you should always check whether related packages are already installed. The example below uses aptitude to find out whether packages have been installed, and it looks like I have tftpd installed, marked with the “i” indicator.


root@tftp-server:~# aptitude search tftpd
p   atftpd                                                                      - advanced TFTP server
p   libnet-tftpd-perl                                                           - Perl extension for Trivial File Transfer Protocol Server
p   tftpd                                                                       - Trivial file transfer protocol server
i   tftpd-hpa                                                                   - HPA's tftp server

Another way is to check the /etc and /etc/default directories for anything related to TFTP. Next, check whether a tftp-related service is running. If one is, stop the service so you can uninstall it.


root@tftp-server:~# ps aux | grep tftp
root 4390 0.0 0.3 7832 884 pts/0 S+ 20:39 0:00 grep tftp

Tftpd did not work for me so I’m going to remove it.


root@tftp-server:~# aptitude remove tftpd
The following packages will be REMOVED:
libfile-copy-recursive-perl{u} openbsd-inetd{u} tftpd update-inetd{u}
0 packages upgraded, 0 newly installed, 4 to remove and 30 not upgraded.
Need to get 0 B of archives. After unpacking 302 kB will be freed.
Do you want to continue? [Y/n/?] Y
(Reading database ... 38720 files and directories currently installed.)
Removing tftpd ...
Removing openbsd-inetd ...
[ ok ] Stopping internet superserver: inetd.
Removing update-inetd ...
Removing libfile-copy-recursive-perl ...
Processing triggers for man-db ...

Let’s proceed with the install.


root@tftp-server:~# apt-get install tftpd-hpa
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  pxelinux
The following NEW packages will be installed:
  tftpd-hpa
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 50.7 kB of archives.
After this operation, 145 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ jessie/main tftpd-hpa amd64 5.2+20140608-3                                                                                        [50.7 kB]
Fetched 50.7 kB in 0s (403 kB/s)
Preconfiguring packages ...
Selecting previously unselected package tftpd-hpa.
(Reading database ... 31430 files and directories currently installed.)
Preparing to unpack .../tftpd-hpa_5.2+20140608-3_amd64.deb ...
Unpacking tftpd-hpa (5.2+20140608-3) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u5) ...
Setting up tftpd-hpa (5.2+20140608-3) ...
Processing triggers for systemd (215-17+deb8u5) ...
root@tftp-server:~# 

Check if the directory /srv/tftp is created. It should look like this:


root@tftp-server:~# ls -al /srv/
total 12
drwxr-xr-x  3 root root    4096 Nov 11 12:04 .
drwxr-xr-x 22 root root    4096 Nov  9 13:03 ..
drwxr-xr-x  2 root nogroup 4096 Nov 11 12:04 tftp
root@tftp-server:~#

If the /srv/tftp directory does not exist, or it exists but does not have the right permissions, follow these steps.

If /srv/tftp does not exist, create the TFTP root directory for your TFTP server:


root@tftp-server:~# cd /srv
root@tftp-server:~# mkdir tftp

Adjust the permissions for the new directory. Open it for everyone.

root@tftp-server:~# chmod 777 /srv/tftp

I was logged in as root when I created the directory and when I installed the package, so the owner is root by default. Change the owner of the directory to nobody.


root@tftp-server:/srv# chown nobody:nogroup tftp
root@tftp-server:/srv# ls -al
total 12
drwxr-xr-x  3 root   root    4096 Nov 11 12:04 .
drwxr-xr-x 22 root   root    4096 Nov  9 13:03 ..
drwxrwxrwx  2 nobody nogroup 4096 Nov 11 12:28 tftp

Verify that the TFTP service is running.


root@tftp-server:~# ps aux | grep tftp
root 5847 0.0 0.0 14860 148 ? Ss 20:39 0:00 /usr/sbin/in.tftpd --listen --user tftp --address 0.0.0.0:69 --secure /var/lib/tftpboot
root 5877 0.0 0.3 7832 880 pts/0 S+ 20:41 0:00 grep tftp
root@tftp-server:/etc/default# service tftpd-hpa
Usage: /etc/init.d/tftpd-hpa {start|stop|restart|force-reload|status}
root@tftp-server:~# service tftpd-hpa status
[ ok ] in.tftpd is running.

The installation of tftpd-hpa created a configuration file located in /etc/default.

To allow uploads of new files to the TFTP server, adjust the configuration file /etc/default/tftpd-hpa: add -c to TFTP_OPTIONS and set TFTP_DIRECTORY to the directory you created earlier. The configuration should look like this:


# /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure -c"

Restarting is done with service tftpd-hpa restart.


root@tftp-server:~# service tftpd-hpa restart
[ ok ] Restarting HPA's tftpd: in.tftpd.

Check the status again:


root@tftp-server:/etc/default# service tftpd-hpa status
● tftpd-hpa.service - LSB: HPA's tftp server
   Loaded: loaded (/etc/init.d/tftpd-hpa)
   Active: active (running) since Fri 2016-11-11 12:14:57 CST; 28s ago
  Process: 3466 ExecStop=/etc/init.d/tftpd-hpa stop (code=exited, status=0/SUCCESS)
  Process: 3471 ExecStart=/etc/init.d/tftpd-hpa start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/tftpd-hpa.service
           └─3477 /usr/sbin/in.tftpd --listen --user tftp --address 0.0.0.0:69 --secure -c /srv/tftp

Nov 11 12:14:57 tftp-server tftpd-hpa[3471]: Starting HPA's tftpd: in.tftpd.
Nov 11 12:14:57 tftp-server systemd[1]: Started LSB: HPA's tftp server.
root@tftp-server:/etc/default#
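The steps above (create the root, set its ownership and mode, write /etc/default/tftpd-hpa, then verify) collected into one script. This is an added example, not code from the original post or from the tftpd-hpa package; it differs from the post in one respect: instead of chmod 777 with a nobody owner, it gives the directory mode 0755 owned by the account named in TFTP_USERNAME, which is enough for in.tftpd to write uploads while other local users can only read. The post’s 777 works only because the directory is then writable by every local account. The ROOT_PREFIX variable is an assumed knob so the steps can be rehearsed under a temporary directory; set ROOT_PREFIX='' to apply them to the live system as root. Uploads are enabled with --create, the long form of the post’s -c.

```bash
#!/bin/bash
# Added example (not from the original post): prepare the TFTP root and the
# /etc/default/tftpd-hpa file, and check the root before starting the service.

# Render the defaults file. --secure chroots in.tftpd into TFTP_DIRECTORY;
# --create (long form of -c) lets clients upload files that do not exist yet.
# Arguments: tftp root directory, and "yes" to allow uploads.
render_tftpd_defaults() {
  root="$1"
  opts="--secure"
  [ "${2:-no}" = "yes" ] && opts="$opts --create"
  printf '# /etc/default/tftpd-hpa\n'
  printf 'TFTP_USERNAME="tftp"\n'
  printf 'TFTP_DIRECTORY="%s"\n' "$root"
  printf 'TFTP_ADDRESS="0.0.0.0:69"\n'
  printf 'TFTP_OPTIONS="%s"\n' "$opts"
}

# Create the root owned by the account in.tftpd runs as (TFTP_USERNAME), mode 0755:
# the daemon can write uploads, everyone else can only read.
setup_tftp_root() {
  dir="$1"; owner="${2:-tftp}"
  mkdir -p "$dir"
  chmod 0755 "$dir"
  # chown needs root; when rehearsing as an ordinary user the step is skipped
  chown "$owner" "$dir" 2>/dev/null || true
}

# Octal mode of a directory (GNU stat first, BSD stat as fallback)
dir_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Pre-start check: the root must exist and must not be world-writable, otherwise
# any client on the network can fill the disk or replace the images served.
# Returns 0 when acceptable, 1 when missing, 2 when too open.
check_tftp_root() {
  dir="$1"
  [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
  mode=$(dir_mode "$dir")
  case "$mode" in
    *[2367]) echo "world-writable: $dir ($mode)"; return 2 ;;
  esac
  echo "ok: $dir ($mode)"
}

# Rehearse under a temporary prefix unless ROOT_PREFIX is set (ROOT_PREFIX='' = live system)
PREFIX="${ROOT_PREFIX-$(mktemp -d)}"
setup_tftp_root "$PREFIX/srv/tftp" tftp
check_tftp_root "$PREFIX/srv/tftp"
mkdir -p "$PREFIX/etc/default"
render_tftpd_defaults /srv/tftp yes > "$PREFIX/etc/default/tftpd-hpa"
echo "defaults written to $PREFIX/etc/default/tftpd-hpa"
```

After running it on the live system, `service tftpd-hpa restart` picks up the new defaults, and `check_tftp_root /srv/tftp` can be rerun at any time to catch a directory that was later opened up with chmod 777.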

Most of your questions can be answered by checking the manual:

root@tftpd-server:~# man tftpd

If you are using iptables for your firewall, you will need to allow TFTP through it. The following is a simple example:


IPTABLES=/sbin/iptables

# Load the connection-tracking helper for TFTP, so the data transfer (which the
# server sends from a fresh ephemeral UDP port) is tracked as part of the request.
# On kernels older than 2.6.20 the module was called ip_conntrack_tftp.
modprobe nf_conntrack_tftp

# TFTP runs over UDP only: accept requests to port 69 from the 192.168.1.0/24 network
$IPTABLES -A INPUT -s 192.168.1.0/24 -p udp --dport 69 -j ACCEPT

# Accept the tracked data packets that belong to those requests
$IPTABLES -A INPUT -s 192.168.1.0/24 -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Try it out by creating a test.txt file and checking that you can download it from your Cisco router and, for example, upload the router’s IOS image.

TCP header compression on a Cisco router

TCP header compression compresses the TCP headers of packets crossing a link to save bandwidth on that link. However, it comes at a cost in processor time on the router (added delay on top of the serialization delay).

Condition: it must be configured on both ends of the link, so that one side compresses the headers and the other decompresses them.

cisco_router1(config)# interface serial0/1
cisco_router1(config-if)# ip address 172.16.10.1 255.255.255.252
cisco_router1(config-if)# ip tcp header-compression

cisco_router2(config)# interface serial0/0/1
cisco_router2(config-if)# ip address 172.16.10.2 255.255.255.252
cisco_router2(config-if)# ip tcp header-compression

cisco_router1# show ip tcp header-compression

cisco_router2# show ip tcp header-compression

efficiency improvement factor = (bytes saved + bytes sent) / (bytes sent)


Check Debian version

There are a few ways to check which version of Debian, or of a Debian-based Linux (Ubuntu, etc.), you are using.

cat /etc/debian_version

cat /etc/issue

lsb_release -a

The following file may not be available:
cat /etc/lsb-release

The output will look like this:

root@unknown_server:~# cat /etc/debian_version
7.5

root@unknown_server:~# cat /etc/issue
Debian GNU/Linux 7 \n \l

root@unknown_server:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.5 (wheezy)
Release:        7.5
Codename:       wheezy
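The same checks as a single function that tries the sources in the order shown above and falls back when a file is absent, so it also works on systems without lsb-release. This is an added example, not part of the original post; the optional root argument is an assumption introduced here so the function can be pointed at a constructed /etc tree or a mounted image instead of the running system.

```bash
#!/bin/sh
# Added example (not from the original post): report the Debian release by
# reading the files the post checks by hand, in order of preference.
# Argument: optional alternate root (default: the running system).
debian_version() {
  root="${1:-}"
  if [ -r "$root/etc/debian_version" ]; then
    # "7.5" on a stable release; testing/unstable carry a codename such as "bookworm/sid"
    cat "$root/etc/debian_version"
  elif [ -r "$root/etc/lsb-release" ]; then
    # Optional on Debian, common on Ubuntu: DISTRIB_RELEASE=7.5
    sed -n 's/^DISTRIB_RELEASE=//p' "$root/etc/lsb-release"
  elif [ -r "$root/etc/issue" ]; then
    # "Debian GNU/Linux 7 \n \l" carries only the major release number
    sed -n 's#^Debian GNU/Linux \([0-9][0-9.]*\).*#\1#p' "$root/etc/issue"
  else
    return 1
  fi
}

# Usage: on the running system
debian_version || echo "no Debian release information found"
```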

Disconnect SSH session on a Cisco ASA


asa# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username
2   192.168.35.6    2.0     IN   aes256-cbc sha1     SessionStarted   elton
                            OUT  aes256-cbc sha1     SessionStarted   elton
3   204.16.58.6     2.0     IN   aes256-cbc sha1     SessionStarted   admin
                            OUT  aes256-cbc sha1     SessionStarted   admin


Notice SIDs 2 and 3. Session ID 3 belongs to the one logged in as admin. Let’s drop the hammer.


asa# ssh disconnect 3

Verify.


asa# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username
2   192.168.35.6    2.0     IN   aes256-cbc sha1     SessionStarted   elton
                            OUT  aes256-cbc sha1     SessionStarted   elton

asa# show logging
Oct 03 2014 11:22:00: %ASA-5-111008: User 'enable_15' executed the 'ssh disconnect 3' command.
Oct 03 2014 11:22:00: %ASA-5-111010: User 'enable_15',running 'CLI' from IP 199.48.158.6, executed 'ssh disconnect 3'
Oct 03 2014 11:22:00: %ASA-5-611103: User logged out: Uname: admin

Yeah, fuck that guy. If that wasn’t anyone you know, time to change your passwords.
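A review step for the situation above: rather than eyeballing the table, list the sessions whose client address is outside the management networks you expect, so the SID to hand to `ssh disconnect` comes from a rule instead of a glance. This is an added example, not part of the original post; the session table inside it is constructed to mirror the output shown above, and the allowed-prefix list is a convention introduced here. It generalises the single case in the post to any number of allowed prefixes.

```bash
#!/bin/sh
# Added example (not from the original post): flag SSH sessions on an ASA whose
# client IP is outside the allowed management prefixes.

# Constructed copy of the "show ssh sessions" output shown in the post
SSH_SESSIONS='SID Client IP       Version Mode Encryption Hmac     State            Username
2   192.168.35.6    2.0     IN   aes256-cbc sha1     SessionStarted   elton
                            OUT  aes256-cbc sha1     SessionStarted   elton
3   204.16.58.6     2.0     IN   aes256-cbc sha1     SessionStarted   admin
                            OUT  aes256-cbc sha1     SessionStarted   admin'

# Each session has an IN and an OUT row; only the IN row starts with the numeric
# SID and carries the client IP, so only that row is examined. Prefixes are plain
# string matches on the dotted address and must end with a dot ("192.168.35.", not
# "192.168.3", which would also cover 192.168.36.x). Prints "SID IP username" for
# every session that matches none of the prefixes.
# Arguments: session table text, space-separated list of allowed prefixes.
foreign_ssh_sessions() {
  sessions="$1"; allowed="$2"
  printf '%s\n' "$sessions" | awk -v allow="$allowed" '
    BEGIN { n = split(allow, ok, " ") }
    $1 ~ /^[0-9]+$/ && $4 == "IN" {
      hit = 0
      for (i = 1; i <= n; i++) if (index($2, ok[i]) == 1) hit = 1
      if (!hit) print $1, $2, $NF
    }'
}

# Usage: feed the saved output of "show ssh sessions" and your management prefixes
foreign_ssh_sessions "$SSH_SESSIONS" "192.168.35."
```

With the table from the post this prints `3 204.16.58.6 admin`, the session that was disconnected above; a session from the management network produces no output. Run it against a fresh `show ssh sessions` capture rather than the sample embedded here.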

Call Forward All “Your call cannot be completed as dialed.” in Call Manager

Consider the scenario:
Long distance route pattern is 9.1[2-9]XX[2-9]XXXXXX
User has a Cisco IP Phone 7975 and wants to divert or forward all incoming calls to a mobile number.
The IP phone is configured with a CSS that has access to long distance calls.
IP phone’s line configuration has CSS set to

Problem: When the user attempts to set up CFwdAll, after dialing 9 then 1, it immediately yields “Your call cannot be completed as dialed.”

Troubleshooting: Updated the line configuration to a CSS that can access long distance calls.
Result: Still not able to set up CFwdAll.

Resolution:
Under System, go to Service Parameters and select your server.
For Service, select Cisco Call Manager (Active) from the drop-down menu.
Scroll down to Clusterwide Parameters (Feature – Forward).
By default, the CFA CSS Activation Policy is set to With Configured CSS. Change that to With Activating Device/Line CSS.

Explanation: Excerpt from https://supportforums.cisco.com/discussion/11948691/callfwdall-activating-deviceline-css
Three possible values exist for this option:

  • Use System Default
  • With Configured CSS
  • With Activating Device/Line CSS

If you select the With Configured CSS option, the Forward All Calling Search Space that is explicitly configured in the Directory Number Configuration window controls the forward all activation and call forwarding. If the Forward All Calling Search Space is set to None, no CSS gets configured for Forward All. A forward all activation attempt to any directory number with a partition will fail. No change in the Forward All Calling Search Space and Secondary Calling Search Space for Forward All occurs during the forward all activation.

If you prefer to utilize the combination of the Directory Number Calling Search Space and Device Calling Search Space without explicitly configuring a Forward All Calling Search Space, select With Activating Device/Line CSS for the Calling Search Space Activation Policy. With this option, when Forward All is activated from the phone, the Forward All Calling Search Space and Secondary Calling Search Space for Forward All automatically gets populated with the Directory Number Calling Search Space and Device Calling Search Space for the activating device.

With this configuration (Calling Search Space Activation Policy set to With Activating Device/Line), if the Forward All Calling Search Space is set to None, when forward all is activated through the phone, the combination of Directory Number Calling Search Space and activating Device Calling Search Space gets used to verify the forward all attempt.

If you configure the Calling Search Space Activation Policy to Use System Default, then the CFA CSS Activation Policy cluster-wide service parameter determines which Forward All Calling Search space will be used. If the CFA CSS Activation Policy service parameter gets set to With Configured CSS, then Forward All Calling Search Space and Secondary Calling Search Space for Forward All will be used for Call Forwarding. If CFA CSS Activation Policy service parameter gets set to With Activating Device/Line CSS, then Forward All Calling Search Space and Secondary Calling Search Space for Forward All will be automatically populated with the Directory Number Calling Search Space and Device Calling Search Space for the activating device.


Call Manager LDAP new user ID not synced

Recently I changed a user ID in Microsoft Active Directory and performed a full sync, but the old user ID was not updated. I noticed that the full sync completed within 5 seconds. With both LDAP synchronization and LDAP authentication set in Call Manager, a user will not be able to log in to Extension Mobility.

To fix the issue:

Navigate to Cisco Unified Serviceability
Under Tools, select Control Center - Feature Services
Under Directory Services, select the Cisco DirSync radio button and click restart.

Navigate back to Cisco Unified CM Administration
Under LDAP, LDAP Directory, select your server and click Perform Full Sync Now
You should notice that the synchronization process takes a bit longer this time; the Cancel Sync Process button is available while it runs.
After the sync process is complete, check if the new user ID is reflected.

If this issue affects Cisco Unified Presence, the service that you need to restart is the Cisco UP Sync Agent.

Requirements for installing VMware Tools on Linux guests

If you’re running a Linux guest OS with a desktop environment (X Window System) in ESXi or Workstation, it is beneficial to install VMware Tools.

A minimal Linux installation with no desktop environment does not get all the benefits of VMware Tools, simply because there is no X Window System installed. Most of the time you just SSH into the Linux guest, and your client or terminal, such as PuTTY, has the features you need.

However, if you do need it, you need the following installed before running vmware-install.pl:

gcc
make
linux-headers-$(uname -r)

Installation: VMware Tools for Linux Guests