Configure SSH v2 in Cisco IOS

Set the device’s hostname
hostname hercules

Set the device’s membership to a domain. Generating an RSA key requires a domain name.
ip domain-name routers.eltonoverip.com

Check to see if SSH is already running
show ip ssh

Generate an RSA key
crypto key generate rsa

You will get something like the following:


hercules(config)#crypto key generate rsa
The name for the keys will be hercules.routers.eltonoverip.com
Choose the size of key modules in the range of 360 to 4096 for your
General Purpose Keys.  Choosing a key modulus greater than 512 may take a few minutes

How many bits in the modulus [512]: 2048
%Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

hercules(config)#

If you skipped the ip domain-name whateverdomain.com, you will get the following:
% Please define a domain-name first.

Or you could do a more specific command
crypto key generate rsa general-keys modulus 2048


hercules(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: hercules.eltonoverip.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

*Apr 12 05:12:36.775: %SSH-5-ENABLED: SSH 2.0 has been enabled

At this point, when you check the output of show ip ssh and it shows version 1.99, that means that it is supports or run both versions 1 and 2. Note that 1.99 is not an actual version but a method to identify backwards compatibility.

http://en.wikipedia.org/wiki/Secure_Shell#Version_1.99

To run only version 2
ip ssh version 2

Set up a local user
username elton privilege 15 secret cisco

Few more commands


line vty 0 4
  login local

Allow only SSH
transport input ssh

Allow both SSH and telnet
transport input ssh telnet

Few ways to verify

Check if the SSH service is running on the device
show ip ssh

Check who are logged in
who

Check the SSH port
show control-plane host open-ports


hercules#show control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN

Check active TCP sessions. These are not TCP traffic through the router but those terminated at this router.
show tcp


hercules#show tcp

tty194, virtual tty from host Achilles
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: 10.42.21.109, Local port: 22
Foreign host: 10.42.21.81, Foreign port: 2326
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x1838E4):
Timer          Starts    Wakeups            Next
Retrans            13          0             0x0
TimeWait            0          0             0x0
AckHold             9          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss: 1184651233  snduna: 1184653125  sndnxt: 1184653125     sndwnd:  17104
irs: 3330383746  rcvnxt: 3330385707  rcvwnd:       3800  delrcvwnd:    328

SRTT: 247 ms, RTTO: 663 ms, RTV: 416 ms, KRTT: 0 ms
minRTT: 4 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: passive open, active open
Option Flags: 0x1000000
IP Precedence value : 6

TCB is waiting for TCP Process (55)

Datagrams (max data segment is 1460 bytes):
Rcvd: 20 (out of order: 0), with data: 12, total data bytes: 1960
Sent: 17 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 14, total data bytes: 1891
 Packets received in fast path: 0, fast processed: 0, slow path: 0
 fast lock acquisition failures: 0, slow path: 0
hercules#
Filed under: Cisco, IOS

Cleaning your Apt

My 16 GB Ubuntu partition has ran of out space. Disk usage analyzer claims that /var/cache/apt is using 669 MB. Time to clean it up my apt with apt-get clean! Basically, apt-get clean removes .deb packages that apt caches when you install or update programs.

elton@laptop:/var/cache$ du -hs
 du: cannot read directory `./ldconfig': Permission denied
 du: cannot read directory `./lightdm/dmrc': Permission denied
 743M .
 elton@laptop:/var/cache$ sudo !!
 sudo du -hs
 743M .
 elton@laptop:/var/cache$ sudo apt-get clean
 elton@laptop:/var/cache$ sudo du -hs
 105M

A few other options:

apt-get autoclean
to remove partial packages from the system
apt-get autoremove to remove packages installed as dependencies after the original package is removed

Filed under: Debian, Linux, Ubuntu

SNMPd in Ubuntu/Debian

Install the SNMP daemon.

aptitude install snmpd

To check which version of SNMP daemon that was installed, run the following

aptitude show snmpd

Make a backup of the original SNMP daemon configuration file.

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf_ORIGINAL

Modify the SNMP daemon configuration file

vim /etc/snmp/snmpd.conf

The above command should also create the same file, if the configuration file does not exist. Append the following lines. Adjust the values to the SNMP community string that you use. This assumes SNMP version 2


rocommunity public
syslocation "Your Location"
syscontact admin@domain.com

Modify the /etc/default/snmpd file. Duplicate the the following line then uncomment it (the original line). You always want to make a copy of the original line.

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid'

Append the following to the duplicate line. Basically, point to the SNMP configuration file.

-c /etc/snmp/snmpd.conf'

It should look like the following:

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'

Two ways to restart the snmpd service

service restart snmpd

or

/etc/init.d/snmpd restart

While you poll the machine, run this on the server to check the status

tcpdump -i eth0 "src or dst [ip address of SNMP polling server]"

Filed under: Debian, Linux, Ubuntu

Check loaded Jabber XML configuration

Simply browse to http://CUCM-IP-address:6970/jabber-config.xml

Remember that TFTP files are not configuration changes to the configuration database replicated by the publisher to the subscriber. Likely, your publisher or the server you are checking is not a TFTP server. You need to upload jabber-config.xml to all TFTP servers.

If it does exist when you check in OS Administration > Software Upgrades > TFTP File Management, then you need to restart Cisco Tftp for the change to take effect.

Check the installation and configuration guide for more information:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_7/JABW_BK_C4C679C9_00_cisco-jabber-for-windows-97.pdf

Filed under: Cisco, Unified Communications

TFTP server on Debian

Setting up a TFTP server in Linux is easy. In this case example, I am using Debian. We’re going to install HPA’s TFTP server.

Before installing anything, you should always check if there are existing packages installed. The example below uses aptitude to find out if packages have been installed and it looks like I have tftpd installed with the “i” indicator.


root@tftp-server:~# aptitude search tftpd
p   atftpd                                                                      - advanced TFTP server
p   libnet-tftpd-perl                                                           - Perl extension for Trivial File Transfer Protocol Server
p   tftpd                                                                       - Trivial file transfer protocol server
i   tftpd-hpa                                                                   - HPA's tftp server

Another way is checking the /etc and /etc/default directory if there is anything related to TFTP. Next, check if you have a service related to tftp that is running. If you do, stop the service so you can uninstall it.


root@tftp-server:~# ps aux | grep tftp
root 4390 0.0 0.3 7832 884 pts/0 S+ 20:39 0:00 grep tftp

Tftpd did not work for me so I’m going to remove it.


root@tftp-server:~# aptitude remove tftpd
The following packages will be REMOVED:
libfile-copy-recursive-perl{u} openbsd-inetd{u} tftpd update-inetd{u}
0 packages upgraded, 0 newly installed, 4 to remove and 30 not upgraded.
Need to get 0 B of archives. After unpacking 302 kB will be freed.
Do you want to continue? [Y/n/?] Y
(Reading database ... 38720 files and directories currently installed.)
Removing tftpd ...
Removing openbsd-inetd ...
[ ok ] Stopping internet superserver: inetd.
Removing update-inetd ...
Removing libfile-copy-recursive-perl ...
Processing triggers for man-db ...

Let’s proceed with the install.


root@tftp-server:~# apt-get install tftpd-hpa
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  pxelinux
The following NEW packages will be installed:
  tftpd-hpa
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 50.7 kB of archives.
After this operation, 145 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ jessie/main tftpd-hpa amd64 5.2+20140608-3                                                                                        [50.7 kB]
Fetched 50.7 kB in 0s (403 kB/s)
Preconfiguring packages ...
Selecting previously unselected package tftpd-hpa.
(Reading database ... 31430 files and directories currently installed.)
Preparing to unpack .../tftpd-hpa_5.2+20140608-3_amd64.deb ...
Unpacking tftpd-hpa (5.2+20140608-3) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u5) ...
Setting up tftpd-hpa (5.2+20140608-3) ...
Processing triggers for systemd (215-17+deb8u5) ...
root@tftp-server:~# 

Check if the directory /srv/tftp is created. It should look like this:


root@tftp-server:~# ls -al /srv/
total 12
drwxr-xr-x  3 root root    4096 Nov 11 12:04 .
drwxr-xr-x 22 root root    4096 Nov  9 13:03 ..
drwxr-xr-x  2 root nogroup 4096 Nov 11 12:04 tftp
root@tftp-server:~#

If /srv/tftp directory does not exist or if it does but not does not have the right permissions, you can follow these steps

If /srv/tftp does not exist, create the TFTP root directory for your TFTP server


root@tftp-server:~# cd /srv
root@tftp-server:~# mkdir tftp

Adjust the permissions for the new directory. Open it for everyone.

root@tftp-server:~# chmod 777 /srv/tftp

I’m logged in as root when I created the directory or when I installed the package. This makes the owner root by default. Change the owner of the directory to nobody.


root@tftp-server:/srv# chown nobody:nogroup tftp
root@tftp-server:/srv# ls -al
total 12
drwxr-xr-x  3 root   root    4096 Nov 11 12:04 .
drwxr-xr-x 22 root   root    4096 Nov  9 13:03 ..
drwxrwxrwx  2 nobody nogroup 4096 Nov 11 12:28 tftp

Verify if the TFTP service is running.


root@tftp-server:~# ps aux | grep tftp
root 5847 0.0 0.0 14860 148 ? Ss 20:39 0:00 /usr/sbin/in.tftpd --listen --user tftp --address 0.0.0.0:69 --secure /var/lib/tftpboot
root 5877 0.0 0.3 7832 880 pts/0 S+ 20:41 0:00 grep tftp
root@tftp-server:/etc/default# service tftpd-hpa
Usage: /etc/init.d/tftpd-hpa {start|stop|restart|force-reload|status}
root@tftp-server:~t# service tftpd-hpa status
[ ok ] in.tftpd is running.

The installation of tftpd-hpa created a configuration file located in /etc/default.

To allow upload of new files to the tftp-server, adjust the configuration file /etc/default/tftpd-hpa. Basically, insert -c into TFTP_OPTIONS and set the TFTP_DIRECTORY to point to the directory you created earlier. The configuration should look more like:


# /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure -c"

Restarting is done with service tftpd-hpa restart.


root@tftp-server:~# service tftpd-hpa restart
[ ok ] Restarting HPA's tftpd: in.tftpd.

Check the status again


root@tftp-server:/etc/default# service tftpd-hpa status
● tftpd-hpa.service - LSB: HPA's tftp server
   Loaded: loaded (/etc/init.d/tftpd-hpa)
   Active: active (running) since Fri 2016-11-11 12:14:57 CST; 28s ago
  Process: 3466 ExecStop=/etc/init.d/tftpd-hpa stop (code=exited, status=0/SUCCESS)
  Process: 3471 ExecStart=/etc/init.d/tftpd-hpa start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/tftpd-hpa.service
           └─3477 /usr/sbin/in.tftpd --listen --user tftp --address 0.0.0.0:69 --secure -c /srv/tftp

Nov 11 12:14:57 tftp-server tftpd-hpa[3471]: Starting HPA's tftpd: in.tftpd.
Nov 11 12:14:57 tftp-server systemd[1]: Started LSB: HPA's tftp server.
root@tftp-server:/etc/default#

Most of your questions can be answered by checking the manual

root@tftpd-server:~# man tftpd

If you are using iptables for your firewall, you will need to add support for TFTP. Following is a simple example


IPTABLES=/sbin/iptables

#Load the modules that support TFTP
modprobe ip_conntrack_tftp
modprobe  ip_conntrack_ftp

#Allow TFTP requests from 192.168.1.0/24 network
$IPTABLES -A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 69 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.1.0/24 -m tcp -p udp --dport 69 -j ACCEPT

Try testing by creating a test.txt file and see if you can download that from your Cisco router and upload its IOS image, for example.

Filed under: Debian, Linux, Ubuntu

TCP header compression on a Cisco router

TCP header compression is used to compress TCP headers in a network to save bandwidth on a link. However, TCP header compression comes at a cost in terms of processor time (delay/serialization delay).

Conditions: must be configured on both ends of the network to compress and decompress packets.

cisco_router1(config)# interface serial0/1
cisco_router1(config-if)# ip address 172.16.10.1 255.255.255.252
cisco_router1(config-if)# ip tcp header-compression

cisco_router2(config)# interface serial0/0/1
cisco_router2(config-if)# ip address 172.16.10.2 255.255.255.252
cisco_router2(config-if)# ip tcp header-compression

cisco_router1# show ip tcp header-compression

cisco_router2# show ip tcp header-compression

efficiency improvement factor = (bytes saved + bytes sent) / (bytes sent)

Filed under: Cisco, IOS, QoS

Check Debian version

There are a few ways to check what version of Debian or Debian-based Linux (Ubuntu, etc) that you are using.

cat /etc/debian_version

cat /etc/issue

lsb_release -a

This file may not be available.
cat /etc/lsb-release

Output will look like this

root@unknown_server:~# cat /etc/debian_version
7.5

root@unknown_server:~# cat /etc/issue
Debian GNU/Linux 7 \n \l

root@unknown_server:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.5 (wheezy)
Release:        7.5
Codename:       wheezy

Filed under: Debian, Linux

Disconnect SSH session on a Cisco ASA


asa# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username
2   192.168.35.6    2.0     IN   aes256-cbc sha1     SessionStarted   elton
                            OUT  aes256-cbc sha1     SessionStarted   elton
3   204.16.58.6     2.0     IN   aes256-cbc sha1     SessionStarted   admin
                            OUT  aes256-cbc sha1     SessionStarted   admin


Notice the SID 2 and 3. Session ID 3 belongs to the one logged in as admin. Let’s drop the hammer.


asa# ssh disconnect 3

Verify.


asa# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username
2   192.168.35.6    2.0     IN   aes256-cbc sha1     SessionStarted   elton
                            OUT  aes256-cbc sha1     SessionStarted   elton

asa# show logging
Oct 03 2014 11:22:00: %ASA-5-111008: User 'enable_15' executed the 'ssh disconnect 3' command.
Oct 03 2014 11:22:00: %ASA-5-111010: User 'enable_15',running 'CLI' from IP 199.48.158.6, executed 'ssh disconnect 3'
Oct 03 2014 11:22:00: %ASA-5-611103: User logged out: Uname: admin

Yeah, fuck that guy. If that wasn’t anyone you know, time to change your passwords.

Filed under: ASA, Cisco, Firewall