AI, ML, Development + Cisco Learning Blog Learning about Machine Learning, Artificial Intelligence, related devlopment topics and formerly Routing and Switching, Datacenter, Security and other topics, CCIE #23664, Frank Wagner

19. Dezember 2008

NTP security as in RFC 958/1305

Filed under: IP and IOS Features,services — ocsic @ 13:42

When devices should be synced, it’s time to configure ntp with sources, servers and clients/peers.

Every cisco router can act as the ntp master.

ntp master 1

is just everything you need to configure the router as an ntp source. The router will use 127.127.7.1 address as the local source for ntp updates. This is a reference clock for the NTP protocol to be used as the source of time. This is mostly a radio clock or some other kind of clock sometimes even attached directly to the router.

R1#show ntp associations detail
127.127.7.1 configured, our_master, sane, valid, stratum 0

As of IOS 12.1 there are two reference clock drivers for ntp:

R1(config-line)#ntp refclock ?
telecom-solutions Telecom Solutions GPS

When devices should be synced, it’s time to configure ntp with sources, servers and clients/peers.

Every cisco router can act as the ntp master (here with stratum 1).

ntp master 1

is just everything you need to configure the router as an ntp source. The router will use 127.127.7.1 address as the local source for ntp updates. This is a reference clock for the NTP protocol to ne used as the source of time. This is mostly a radio clock or some other kind of clock sometimes even attached directly to the router.

R1#show ntp associations detail
127.127.7.1 configured, our_master, sane, valid, stratum 1

As of IOS 12.1 there are two reference clock drivers for ntp:

R1(config-line)#ntp refclock ?
telecom-solutions Telecom Solutions GPS
trimble Trimble Navigation TSIP Protocol

So it’s possible to have an external clock hooked up to the aux port. Trimble has a „Acutimeâ„¢ Gold GPS Smart Antenna“ with an RS422 port. Don’t know if it’s still possible to use this antenna with the 7200.

So if you use the 127.127.7.1, the local ntp timer, as the master with

ntp master 1

you can also configure the stratum for this clock. In the hierarchal ntp model, where server and clients distribute time to another, the stratum value will give information on how far the original clock is away. Stratum 0 is a real time source, like an external gps or dcf77 receiver. Stratum 1 is normaly a host which uses it’s local clock as a time source, like the „ntp master“ command does. Every client in between adds a stratum and inaccuracy with about 10-100 ms. So the higher stratum values indicate a better time source regarding accuracy.

Access to the NTP service is controlled with the

„ntp access-group“

command.

ntp access-group knows the following options (from the documentation).

The access group options are scanned in the following order, from least restrictive to most restrictive:

1. peer—Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.

2. serve—Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.

3. serve-only—Allows only time requests from a system whose address passes the access list criteria.

4. query-only—Allows only NTP control queries from a system whose address passes the access list criteria.

If you want to update from a local router (software) clock, you have to include the 127.127.7.1 address in the access-list statement also.

ntp master 1

ntp access-group peer 10

access-list 10 permit 127.127.7.1

Otherwise the local clock will not be able to synchronize.

If you want to get time from a remote server 1.1.1.1 and allow only 2.2.2.2 to get time from you:

ntp server 1.1.1.1

ntp access-group peer 1

access-list 1 permit 2.2.2.2

Source:

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/dtrimble.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_tech_note09186a008015bb3a.shtml

http://en.wikipedia.org/wiki/Network_Time_Protocol

http://www.ntp.org

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1034942

29. November 2008

How to receive logging/traps with Linux from your dynamips with syslog-ng/snmptrapd

Filed under: Allgemein,IP and IOS Features,services — ocsic @ 20:06

What are traps and informs and is it possible to have a NMS (Network Managment System) on your Linux box to receive those messages? Cisco Works is also NMS, you might try this also, it’s possible to install it under VMWare, i had some trouble with 3.1 on Windows 2003 Server Enterprise SP2 though. Complaining always about not enough space on drive c:, however i expanded the disc to have more than 25GB of free space. Still no success. So i got to the point, where i dropped LMS and tried to use already present programs on my Linux box. Would like to see LMS also on my VMWare maybe later.

First make sure you have connectivity to the outside world from your dynamips. Here is a link to an more detailed description http://blog.sazza.de/?p=355. In short you need a local interface that can be bridged. You create a bridged interface and setup this with IP adressing. I use a VMWare interface for this bridged interface. Here is my script:

ifconfig vmnet7 0.0.0.0
ifconfig vmnet7 down
brctl addbr br0
ifconfig br0 10.0.0.1 netmask 255.255.255.0
brctl addif br0 vmnet7
brctl addif br0 tap0
ifconfig br0 up
ifconfig tap0 up
ifconfig vmnet7 up
The tap0 is created from your dynamips.net file. Is use Router1’s secound FastEthernt Interface:

[[Router R1]]
model = 3725
console = 2001
autostart = False
slot2 = NM-1FE-TX
slot1 = NM-4T
F0/0 = SW1 F1/1
F0/1 = NIO_tap:tap0
Now i can use R1 F0/1 for connections to the outside world.

Check your syslog-ng configuration file, to enable a socket your syslog server listens to port 514/udp:

/etc/syslog-ng/syslog-ng.conf

source src {
#
# include internal syslog-ng messages
# note: the internal() soure is required!
#
internal();

#
# the default log socket for local logging:
#
unix-dgram(„/dev/log“);

#
# uncomment to process log messages from network:
#
udp(ip(„0.0.0.0“) port(514));
};

Then restart your syslog daemon by issuing „/ect/init.d/syslog restart“. Make sure you can see the socket listening with

hostname:/usr/share/snmp/mibs # netstat -lun
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:162 0.0.0.0:*
udp 6624 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:69 0.0.0.0:*

You might want do add port 514/tcp for syslog also listening to tcp logging messages. You can also log from your cisco router to any tcp port with:

R2(config)# logging host 10.0.0.1 transport tcp port 514

After this your system is able to recieve syslog messages und will log it into /var/log/messages for example. Check with „tail -f /var/log/messages“. Configure logging from a router with:

R2(config)# logging host 10.0.0.1

and produce some logging messages.

Next make sure that your local firewall does not block logging packets to your host.

You need at least ports:

514/udp

514/tcp

162/udp

At this point on your linux box start your

# snmptrapd -fa

You should have net-snmp-5.x.x installed (check with „rpm -qa | grep net-snmp“). This daemon also needs some kind of access configuration:

cat /etc/snmp/snmptrapd.conf

authCommunity log,execute,net CISCO
logoption f /var/log/snmptrapd.log
logoption s 2

/etc/snmp/snmpd.conf

mibs +ALL

Where CISCO is your community string. This is for SNMP v1 and v2c.

But you might want to download a list of MIBS from cisco first, to have snmptrapd support all kinds of cisco mibs. You can download them from ftp://ftp.cisco.com/pub/mibs/v1/v1.tar.gz and ftp://ftp.cisco.com/pub/mibs/v2/v2.tar.gz.

Just copy them to /usr/share/snmp/mibs (find out your mibs directory with „net-snmp-config –snmpconfpath“, where mibs should be a subdirectory, under your path for example /usr/share/snmp).

You should now be able to receive those mibs in your logfile /var/log/snmptrapd.log.

for example:

Nov 29 17:19:12 hostname snmptrapd[5824]: 10.0.0.2: Enterprise Specific Trap (.1) Uptime: 0:26:44.80, SNMPv2-SMI::enterprises.9.9.43.1.1.6.1.3.18 = INTEGER: 1, SNMPv2-SMI::enterprises.9.9.43.1.1.6.1.4.18 = INTEGER: 2, SNMPv2-SMI::enterprises.9.9.43.1.1.6.1.5.18 = INTEGER: 3

Or do an snmpwalk:

# snmpwalk -v2c -c CISCO 10.0.0.2

Reload your Cisco router with snmpset:

First enable system-reload:

snmp-server community CISCO RW
snmp-server system-shutdown

Then set the router ro reload (note dynamips router instance will crash, since reloading the router is only supported by dynagen console):

snmpset -c CISCO -v 2c 155.1.0.2  .1.3.6.1.4.1.9.2.9.9.0 i 2

Source:

http://www.net-snmp.org/wiki/index.php/TUT:Configuring_snmptrapd

http://www.net-snmp.org/wiki/index.php/TUT:Configuring_snmptrapd_to_receive_SNMPv3_notifications

http://www.net-snmp.org/wiki/index.php/TUT:Configuring_snmptrapd_to_parse_MIBS_from_3rd_party_Vendors

http://www.net-snmp.org/wiki/index.php/TUT:Using_and_loading_MIBS

http://tools.cisco.com/ITDIT/MIBS/servlet/index

15. Oktober 2006

FTP passive and active mode

Filed under: Security,services — ocsic @ 10:45

FTP supports two tranfer mode. With the first active mode, the client initiates the connection to the server on port 21 and the server then binds his on port 20 and opens  a connection to a port above  1023 to the client.

While using passive FTP both connections are established from the client to port tcp 21 and 20 to the  server.

FTP connections

Powered by WordPress