Clear Cisco VTY via SNMP

In this lazy IT world it often happens that somebody forgets to log out from a device. If all VTY lines are busy, you will not be able to log into the device anymore; you'll get the following output back:

telnet kcorp_lab_r1
Trying 10.210.8.51...
telnet: Unable to connect to remote host: Connection refused

This error message can mean different things:

  • telnet is not enabled
  • your IP has been filtered by an ACL
  • all VTY lines are full

Then what can we do?
If we could connect to the device earlier, it's almost 100% sure that it's a VTY issue: all lines are busy.

Here is the solution! If we have a read/write SNMP community configured on the device, we can use our SNMP server to clear the line.

Check the line types

snmpwalk -v 2c -c <RO community> <destination_ip> 1.3.6.1.4.1.9.2.9.2.1.2

The results of the command will display all lines on the device.

Integer values:

1 = unknown
2 = console
3 = terminal
4 = line-printer
5 = virtual-terminal
6 = auxiliary

Example:

SNMPv2-SMI::enterprises.9.2.9.2.1.2.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.2.9.2.1.2.1 = INTEGER: 6
SNMPv2-SMI::enterprises.9.2.9.2.1.2.2 = INTEGER: 5
SNMPv2-SMI::enterprises.9.2.9.2.1.2.3 = INTEGER: 5
SNMPv2-SMI::enterprises.9.2.9.2.1.2.4 = INTEGER: 5
SNMPv2-SMI::enterprises.9.2.9.2.1.2.5 = INTEGER: 5
SNMPv2-SMI::enterprises.9.2.9.2.1.2.6 = INTEGER: 5

Check to see if these lines are active.

snmpwalk -v 2c -c <RO community> <destination_ip> 1.3.6.1.4.1.9.2.9.2.1.1

The results of the command will display the status of the lines.

Integer values:

0 = Idle Line
1 = Active Line

Example:

SNMPv2-SMI::enterprises.9.2.9.2.1.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.2.9.2.1.1.1 = INTEGER: 0
SNMPv2-SMI::enterprises.9.2.9.2.1.1.2 = INTEGER: 1
SNMPv2-SMI::enterprises.9.2.9.2.1.1.3 = INTEGER: 1
SNMPv2-SMI::enterprises.9.2.9.2.1.1.4 = INTEGER: 1
SNMPv2-SMI::enterprises.9.2.9.2.1.1.5 = INTEGER: 1
SNMPv2-SMI::enterprises.9.2.9.2.1.1.6 = INTEGER: 1

Pick one of the active VTY lines and clear it (the last argument is the line index, 2 in this example):

snmpset -v2c -c <R/W community> <destination_ip> .1.3.6.1.4.1.9.2.9.10.0 integer 2

Example (walking the line status again shows that line 2 is now idle):

SNMPv2-SMI::enterprises.9.2.9.2.1.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.2.9.2.1.1.1 = INTEGER: 0
SNMPv2-SMI::enterprises.9.2.9.2.1.1.2 = INTEGER: 0
SNMPv2-SMI::enterprises.9.2.9.2.1.1.3 = INTEGER: 1
SNMPv2-SMI::enterprises.9.2.9.2.1.1.4 = INTEGER: 1
SNMPv2-SMI::enterprises.9.2.9.2.1.1.5 = INTEGER: 1
SNMPv2-SMI::enterprises.9.2.9.2.1.1.6 = INTEGER: 1

After that, you'll be able to log in to the router/switch.

If you have no RW community configured on your router, the last solution is to set up a console connection to the router, or just reboot the device if that's possible.
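
As an added example (not part of the original post), the following Python script does the same three steps programmatically: it parses the two snmpwalk outputs, joins them by line index to find the VTYs that are active, and builds the snmpset that clears one of them. The walk output embedded in it is constructed to mirror the sample above; the host 10.210.8.51 is the one from the post and RW_COMMUNITY is a placeholder.

```python
"""Find the active VTY lines from the two OLD-CISCO-TS-MIB walks shown above.

Added example, not part of the original post. SAMPLE_* below is constructed
to mirror the post's walk output; the OIDs are the ones the post uses.
"""
import re
import subprocess
from typing import Dict, List

LINE_TYPE_OID = "1.3.6.1.4.1.9.2.9.2.1.2"    # line type, 5 = virtual-terminal
LINE_ACTIVE_OID = "1.3.6.1.4.1.9.2.9.2.1.1"  # line status, 1 = active
CLEAR_LINE_OID = ".1.3.6.1.4.1.9.2.9.10.0"   # set to a line index to clear it

# One walk line looks like: SNMPv2-SMI::enterprises.9.2.9.2.1.2.3 = INTEGER: 5
WALK_RE = re.compile(r"\.(\d+)\s*=\s*INTEGER:\s*(\d+)\s*$")

SAMPLE_TYPES = "\n".join(
    f"SNMPv2-SMI::enterprises.9.2.9.2.1.2.{i} = INTEGER: {t}"
    for i, t in enumerate([2, 6, 5, 5, 5, 5, 5]))          # console, aux, 5 VTYs
SAMPLE_ACTIVE = "\n".join(
    f"SNMPv2-SMI::enterprises.9.2.9.2.1.1.{i} = INTEGER: {a}"
    for i, a in enumerate([0, 0, 1, 1, 1, 1, 1]))          # every VTY busy


def parse_walk(output: str) -> Dict[int, int]:
    """Map the last OID sub-identifier (the line index) to its INTEGER value."""
    table: Dict[int, int] = {}
    for raw in output.splitlines():
        m = WALK_RE.search(raw.strip())
        if m:
            table[int(m.group(1))] = int(m.group(2))
    return table


def active_vty_lines(type_walk: str, active_walk: str) -> List[int]:
    """Indexes of lines that are virtual terminals (type 5) AND active (1)."""
    types = parse_walk(type_walk)
    active = parse_walk(active_walk)
    return sorted(i for i, t in types.items() if t == 5 and active.get(i) == 1)


def clear_command(host: str, rw_community: str, line: int) -> List[str]:
    """snmpset argv that clears one VTY line; refuses the console (index 0)."""
    if line <= 0:
        raise ValueError("refusing to clear line 0 (console) or a bad index")
    return ["snmpset", "-v2c", "-c", rw_community, host,
            CLEAR_LINE_OID, "integer", str(line)]


def walk(host: str, ro_community: str, oid: str) -> str:
    """Run net-snmp's snmpwalk against a live device (not used by the sample)."""
    proc = subprocess.run(["snmpwalk", "-v2c", "-c", ro_community, host, oid],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    busy = active_vty_lines(SAMPLE_TYPES, SAMPLE_ACTIVE)
    print("active VTY lines:", busy)                        # [2, 3, 4, 5, 6]
    # The RW community can clear any line, so keep it ACL-restricted; pick
    # the lowest busy VTY, as the post does with line 2.
    if busy:
        print(" ".join(clear_command("10.210.8.51", "RW_COMMUNITY", busy[0])))
```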

Install Exim4 on a Raspberry Pi to use a Google account

First create a new Gmail account for the server, then follow the instructions below.

Install the daemon:

apt-get install exim4

After installing exim4 we need to configure it. This is done by the following command:

dpkg-reconfigure exim4-config

A blue screen should appear and we have to answer a few questions:

  • Mail server type: “mail sent by smarthost; received via SMTP or fetchmail”
  • System mail name: Set to the hostname
  • IPs should be allowed by the server: I prefer to delete the IPv6 section and leave 127.0.0.1 in it.
  • Other destinations for which mail is accepted: hostname
  • Machines to relay mail for: Leave empty
  • IP address or host name of outgoing smarthost: smtp.gmail.com::587
  • Hide local mail name in outgoing mail: No
  • Keep number of DNS-queries minimal: No
  • Delivery method: Select: “Maildir format in home directory”
  • Split configuration into small files: No

If we answered all questions correctly, we need to open /etc/exim4/passwd.client and add the next three lines at the end of the file.

gmail-smtp.l.google.com:<new_mail>@gmail.com:<passwd>
*.google.com:<new_mail>@gmail.com:<passwd>
smtp.gmail.com:<new_mail>@gmail.com:<passwd>

Then update the exim4 config and restart the daemon:

update-exim4.conf
service exim4 restart

Cosmetics

To make exim4 100% ready, we also have to edit the /etc/aliases file. These aliases are used by some system processes, like cron.

# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: <your local user name>
<your local user name>: <your-mail-address>@example.com

So now, if you would like to send a mail to your own mailbox, you just need to type the following:

echo "test" | mail -s "Testmail" root

And that’s all! 🙂

Install lightweight torrent server for Raspberry Pi

Hello and welcome,

This is a short instruction on how to set up Deluge Web on your RPi / Linux machine, and then a client for an Android mobile.

Install the server:

Before downloading deluge, we need to create a user to run it as:

mkdir <download directory>
adduser --disabled-password --system --home <download directory> --group deluge

Then we can go ahead and download the Deluge:

apt-get install deluged deluge-webui

Run as boot process

We need an init.d script to make the deluge daemon run during the boot process.
Luckily we don't need to write the script on our own, because it's already created:

vi /etc/default/deluge-daemon

Inside it, we’ll paste the following:

# Deluged config file
# The init.d script will run if this var is not empty.
DELUGED_USER="deluge"
RUN_AT_STARTUP="YES"

Save the file, and create an init.d script:

sudo nano /etc/init.d/deluge-daemon

Paste the script from here.

Make it executable and update the boot process:

sudo chmod a+x /etc/init.d/deluge-daemon
sudo update-rc.d deluge-daemon defaults

As a final touch, you should reboot the machine, and then your pretty new torrent server will be reachable via port 8112:

[Image: Deluge log-in screen]

Please change the default password, which is "deluge".

If you want Apache to proxy the connection (so the server is reachable through Apache at something like example.com/deluge instead of directly on port 8112), you need to set that up.
First, issue the following commands:

a2enmod proxy
a2enmod proxy_html
a2enmod proxy_http
a2enmod headers

Install this package:

apt-get install libapache2-mod-proxy-html

Then edit the file /etc/apache2/sites-enabled/default-ssl.conf:

ProxyPass /deluge/ http://127.0.0.1:8112/
<Location /deluge/>
        ProxyPassReverse /
        ProxyPassReverseCookiePath / /deluge/
        Order allow,deny
        Allow from all
</Location>

NOTE: You need to have https server enabled within apache2. To do this please read this article.

Install the client on Android:

From the Google Play Store you should download the following app:

Once that's done, we should add a new server:

Juniper initial configuration

Good afternoon,

I'd like to show you how to get the basic setup done on your brand new Juniper device. This tutorial can also be useful if you would like to enable TACACS+ or NTP on your device. So let's get started:

Go to configuration mode

configure

Set up the hostname

set system host-name <Device_name>

Set the root authentication. plain-text-password means you have to type the new password; the device will encrypt it and put an MD5 hash in the config file. If you would like to use the "encrypted-password" option, you have to paste the hash itself.

set system root-authentication plain-text-password

Enable telnet

set system services telnet connection-limit 4 rate-limit 100

Or enable SSH + disable root login for remote connections:

set system services ssh root-login deny
set system services ssh protocol-version 2

Set up syslog to a remote host – only the lvl5 messages will be sent to the server:

set system syslog user * any emergency
set system syslog host <Server_IP> any info
set system syslog host <Server_IP> source-address <Source_int_IP>

Set up the timezone and the NTP service – in the case of Juniper, the clock is synced with the server only if the difference between the server time and our local time is small, so I prefer to use the boot-server option:

set system time-zone Europe/Berlin
set date 201412081115.00
set system ntp boot-server <Server_IP>

Set up a local user to get access if the central authentication is not working

set system login user l_user authentication plain-text-password
set system login user l_user class super-user

Enable tacacs+

set system authentication-order tacplus
set system tacplus-server <Server_IP> secret mykey source-address <Loopback>

Create the three-level class hierarchy

set system login class admin idle-timeout 30
set system login class admin permissions all
set system login class advanced idle-timeout 30
set system login class advanced permissions [ access admin clear configure firewall interface network routing secret security snmp system trace view view-configuration ]
set system login class rookie idle-timeout 30
set system login class rookie permissions [ access firewall interface network routing secret security snmp system trace view ]

Assign the roles to the user templates

set system login user rookie full-name "User for 1st lvl"
set system login user rookie uid 100
set system login user rookie class rookie
set system login user advanced full-name "User for 2nd lvl"
set system login user advanced uid 101
set system login user advanced class advanced
set system login user admin full-name "User for 3rd lvl"
set system login user admin uid 102
set system login user admin class admin

And finally, commit the changes

commit

And now, if we set up the proper layer 2 and layer 3 encapsulation and the proper routing, we can reach the Juniper device, get logs, and NTP will be synced.

Change the default Crontab editor on Debian

Hi all,

This will be a short instruction on how to use the best editor (vi) to edit the crontab on Debian.

Only a simple command:

update-alternatives --config editor

Example:

root@server ~# update-alternatives --config editor
There are 4 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path               Priority   Status
------------------------------------------------------------
* 0            /bin/nano           40        auto mode
  1            /bin/ed            -100       manual mode
  2            /bin/nano           40        manual mode
  3            /usr/bin/mcedit     25        manual mode
  4            /usr/bin/vim.tiny   10        manual mode

Press enter to keep the current choice[*], or type selection number: 4
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/editor (editor) in manual mode

apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName

Hi there,

When I faced this issue for the first time, I had to search the internet for too much time. There are several "solutions", but for me only this one was working:

echo ServerName $HOSTNAME > /etc/apache2/conf.d/fqdn

To check the result:

root@freya /var/log # more /etc/apache2/conf.d/fqdn
ServerName freya

Regular expressions in different languages/platforms

Bash:

Operator Effect
. Matches any single character.
? The preceding item is optional and will be matched, at most, once.
* The preceding item will be matched zero or more times.
+ The preceding item will be matched one or more times.
{N} The preceding item is matched exactly N times.
{N,} The preceding item is matched N or more times.
{N,M} The preceding item is matched at least N times, but not more than M times.
- Represents the range if it's not first or last in a list or the ending point of a range in a list.
^ Matches the empty string at the beginning of a line; also represents the characters not in the range of a list.
$ Matches the empty string at the end of a line.
\b Matches the empty string at the edge of a word.
\B Matches the empty string provided it’s not at the edge of a word.
\< Match the empty string at the beginning of word.
\> Match the empty string at the end of word.

* Matches any string, including the null string (empty string)
? Matches any single character
X Matches the character X which can be any character that has no special meaning
\X Matches the character X, where the character’s special meaning is taken away using the backslash
\\ Matches a backslash
[…] Defines a pattern bracket expression (see below). Matches any of the enclosed characters at this position.

[XYZ] The “normal” bracket expression, matching either X, Y or Z
[X-Z] A range expression: Matching all the characters from X to Z (whatever that means in your current locale, it depends how the characters are sorted!)
[[:class:]] Matches all the characters defined by a POSIX® character class: alnum, alpha, ascii, blank, cntrl, digit, graph, lower, print, punct, space, upper, word and xdigit
[^…] A negating expression: It matches all the characters that are not in the bracket expression
[!…] Equivalent to [^…]
[]…] or [-…] Used to include the characters ] and – into the set, they need to be the first characters after the opening bracket
[=C=] Matches any character that is equivalent to the collation weight of C (current locale!)
[[.SYMBOL.]] Matches the collating symbol SYMBOL

Cisco:

. Matches any single character. Examples: 0.0 matches 0x0 and 020; t..t matches strings such as test, text, and tart
\ Matches the character following the backslash. Also matches (escapes) special characters. Examples: 172\.1\.. matches 172.1.10.10 but not 172.12.0.0; \. allows a period to be matched as a period
[ ] Matches the characters or a range of characters separated by a hyphen, within left and right square brackets. Example: [02468a-z] matches 0, 4, and w, but not 1, 9, or K
^ Matches the character or null string at the beginning of an input string. Example: ^123 matches 1234, but not 01234
? Matches zero or one occurrence of the pattern. (Precede the question mark with the Ctrl-V sequence to prevent it from being interpreted as a help command.) Example: ba?b matches bb and bab
$ Matches the character or null string at the end of an input string. Example: 123$ matches 0123, but not 1234
* Matches zero or more sequences of the character preceding the asterisk. Also acts as a wildcard for matching any number of characters. Examples: 5* matches any occurrence of the number 5, including none; 18\..* matches the characters 18. and any characters that follow 18.
+ Matches one or more sequences of the character preceding the plus sign. Example: 8+ requires there to be at least one number 8 in the string to be matched
() [] Nest characters for matching. Separate endpoints of a range with a dash (-). Examples: (17)* matches any number of the two-character string 17; ([A-Za-z][0-9])+ matches one or more instances of letter-digit pairs: b8 and W4, as examples
| Concatenates constructs. Matches one of the characters or character patterns on either side of the vertical bar. Example: A(B|C)D matches ABD and ACD, but not AD, ABCD, ABBD, or ACCD
_ Replaces a long regular expression list by matching a comma (,), left brace ({), right brace (}), the beginning of the input string, the end of the input string, or a space. Example: the characters _1300_ can match any of the following strings:

^1300$
^1300space
space1300
{1300,
,1300,
{1300}
,1300,

Perl:

^ beginning of string
$ end of string
. any character except newline
* match 0 or more times
+ match 1 or more times
? match 0 or 1 times; or: shortest match
| alternative
( ) grouping; “storing”
[ ] set of characters
{ } repetition modifier
\ quote or special
\t tab
\n newline
\r return (CR)
\xhh character with hex. code hh
\b “word” boundary
\B not a “word” boundary
\w matches any single character classified as a “word” character (alphanumeric or “_”)
\W matches any non-“word” character
\s matches any whitespace character (space, tab, newline)
\S matches any non-whitespace character
\d matches any digit character, equiv. to [0-9]
\D matches any non-digit character
[characters] matches any of the characters in the sequence
[x-y] matches any of the characters from x to y (inclusively) in the ASCII code
[\-] matches the hyphen character “-”
[\n] matches the newline; other single character denotations with \ apply normally, too
[^something] matches any character except those that [something] denotes; that is, immediately after the leading “[”, the circumflex “^” means “not” applied to all of the rest

Expect:

a A y 6 % @ Letters, digits and many special characters match exactly
\$ \^ \+ \\ \? Precede other special characters with a \ to cancel their regex special meaning
\n \t \r Literal new line, tab, return
\cJ \cG Control codes
\xa3 Hex codes for any character
^ Starts with
$ Ends with
[aAeEiou] any character listed from [ to ]
[^aAeEiou] any character except aAeEio or u
[a-fA-F0-9] any hex character (0 to 9 or a to f)
. any character at all (not new line in some circumstances)
[[:space:]] any space character (space \n \r or \t)
[[:alpha:]] any letter
[[:digit:]] any digit
[^[:space:]] any character that is NOT a space
+ 1 or more (“some”)
* 0 or more (“perhaps some”)
? 0 or 1 (“perhaps a”)
{4} exactly 4
{4,} 4 or more
{4,8} between 4 and 8
| either, or
( ) group for count and save to variable
(?: ) group for count but do not save

Grep:

. Matches any single character.
? The preceding item is optional and will be matched, at most, once.
* The preceding item will be matched zero or more times.
+ The preceding item will be matched one or more times.
{N} The preceding item is matched exactly N times.
{N,} The preceding item is matched N or more times.
{N,M} The preceding item is matched at least N times, but not more than M times.
- Represents the range if it's not first or last in a list or the ending point of a range in a list.
^ Matches the empty string at the beginning of a line; also represents the characters not in the range of a list.
$ Matches the empty string at the end of a line.
\b Matches the empty string at the edge of a word.
\B Matches the empty string provided it’s not at the edge of a word.
\< Match the empty string at the beginning of word.
\> Match the empty string at the end of word.

Juniper:

^ Matches the beginning of the input string. Alternatively, when used as the first character within brackets, [^ ], matches any number except the ones specified within the brackets.
$ Matches the end of the input string.
. Matches any single character, including white space.
* Matches 0 or more sequences of the immediately previous character or pattern.
+ Matches 1 or more sequences of the immediately previous character or pattern.
? Matches 0 or 1 sequence of the immediately previous character or pattern.
() Specifies patterns for multiple use when followed by one of the multiplier metacharacters: asterisk *, plus sign +, or question mark ?
[ ] Matches any enclosed character; specifies a range of single characters.
– (hyphen) Used within brackets to specify a range of AS or community numbers.
_ (underscore) Matches a ^, a $, a comma, a space, a {, or a }. Placed on either side of a string to specify a literal and disallow substring matching. Numerals enclosed by underscores can be preceded or followed by any of the characters listed above.
| Matches characters on either side of the metacharacter; logical OR.
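
Both the Cisco and the Juniper tables above describe the underscore as "comma, brace, start of string, end of string, or a space", which is what makes _1300_ match an AS number exactly while a bare 1300 would also match 11300 or 13001. As an added example (not from the original page), this Python helper rewrites that platform-specific metacharacter into an equivalent standard regex group and checks the strings listed under the Cisco table; the only assumption is that AS paths are written space-separated, as both platforms display them.

```python
"""Expand the Cisco/Junos AS-path '_' metacharacter into a plain regex.

Added example, not part of the original page. Both platforms read '_' as
"comma, {, }, start of string, end of string, or a space"; Python's re has
no such shorthand, so '_' is rewritten to an equivalent non-capturing group.
"""
import re

# Everything '_' may stand for, as one alternation.
UNDERSCORE = r"(?:^|$|[,{} ])"


def expand_underscore(as_path_regex: str) -> str:
    """Replace each unescaped '_' with UNDERSCORE; escapes such as \\. pass through."""
    out = []
    i = 0
    while i < len(as_path_regex):
        ch = as_path_regex[i]
        if ch == "\\" and i + 1 < len(as_path_regex):
            out.append(as_path_regex[i:i + 2])   # escaped char is kept verbatim
            i += 2
            continue
        out.append(UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)


def matches(as_path_regex: str, as_path: str) -> bool:
    """True when the expanded regex matches somewhere in the AS-path string."""
    return re.search(expand_underscore(as_path_regex), as_path) is not None


if __name__ == "__main__":
    # The strings the page lists for _1300_, plus two that only a bare
    # '1300' (no underscores) would wrongly match.
    for s in ["1300", "1300 65000", "65000 1300", "{1300,", ",1300,", "{1300}",
              "11300", "13001"]:
        print(f"_1300_ vs {s!r}: {matches('_1300_', s)}")
```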

Route distances Juniper/Cisco

Cisco:

Route Source                                                                   AD
Connected Interfaces                                                            0
Static Routes                                                                   1
Enhanced Interior Gateway Routing Protocol (EIGRP) Summary Routes               5
External Border Gateway Protocol (eBGP) Routes                                 20
Internal Enhanced Interior Gateway Routing Protocol (EIGRP) Routes             90
Open Shortest Path First (OSPF) Internal and External Routes                  110
Intermediate System-Intermediate System (IS-IS) Internal and External Routes  115
Routing Information Protocol (RIP) Routes                                     120
Exterior Gateway Protocol (EGP) Routes                                        140
On Demand Routing (ODR) Routes                                                160
External Enhanced Interior Gateway Routing Protocol (EIGRP) Routes            170
Internal Border Gateway Protocol (iBGP) Routes                                200
Unreachable or Unknown Routes                                                 255

Juniper:

Route Source                        Preference
Directly connected network                   0
System routes                                4
Static                                       5
MPLS                                         7
LDF                                          8
LDP                                          9
OSPF internal route                         10
IS-IS Level 1 internal route                15
IS-IS Level 2 internal route                18
Default                                     20
Redirects                                   30
Kernel                                      40
SNMP                                        50
Router Discovery                            55
RIP                                        100
RIPng                                      100
PIM                                        105
DVMRP                                      110
Routes to interfaces that are down         120
Aggregate                                  130
OSPF AS external routes                    150
IS-IS Level 1 external route               160
IS-IS Level 2 external route               165
BGP                                        170
MSDP                                       175

Avoid Raspberry Pi SD card corruption

Hi,

I think this topic is a well-known problem to everyone who has ever tried to use an RPi for a longer period of time.

So the truth is, there is no 100% sure way to avoid SD card corruption if we are using the card in writable mode.
And of course we are not using it read-only, because we have to delete/install packages, enable features, etc.

Step 1 – The most important option is to mount the BOOT partition read-only, because we don't need to edit it very often.

root@server ~ # more /etc/fstab
proc            /proc           proc    defaults          0       0
/dev/mmcblk0p5  /boot           vfat    ro,defaults       0       2

Step 2 – disable swapping (as root):

dphys-swapfile swapoff
dphys-swapfile uninstall
update-rc.d dphys-swapfile remove

We need to do that to limit writes to the SD card, which reduces the risk of the card being accessed when a power flap occurs.

And fsck will be our best friend:

Check device status

tune2fs -l /dev/XXX

Set the maximum mount count; when this count is reached, fsck will run

tune2fs -c <Number_of_mounts> /dev/<Device>

Set the check interval in days.

tune2fs -i <Day>d /dev/<Device>

And finally make sure we’ve set the FSCKFIX value to YES:

root@xxxx ~ # more /etc/default/rcS | grep FSCK
FSCKFIX=yes

Example:

# logged in as root
tune2fs -c 3 /dev/mmcblk0p3
tune2fs -c 3 /dev/mmcblk0p6
tune2fs -i 30d /dev/mmcblk0p3
tune2fs -i 30d /dev/mmcblk0p6
root@server ~ # tune2fs -l /dev/mmcblk0p3
tune2fs 1.42.5 (29-Jul-2012)
Filesystem volume name:   SETTINGS
Last mounted on:          /settings
Filesystem UUID:          xxxx
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent flex_bg sparse_super huge_file uninit_bg dir_nlink extra_isize
Filesystem flags:         unsigned_directory_hash
Default mount options:    user_xattr acl
Filesystem state:         clean
Errors behavior:          Continue
Filesystem OS type:       Linux
...
Last write time:          Fri Oct 17 19:52:04 2014
Mount count:              6
Maximum mount count:      1
Last checked:             Thu Jan  1 01:00:13 1970
Check interval:           2592000 (1 month)
Next check after:         Sat Jan 31 01:00:13 1970
...
Journal backup:           inode blocks
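
As an added example (not the post's own tooling), this Python script parses the fields shown in the tune2fs -l listing above and reports why a check is due: the mount count against the maximum, and the last-checked time against the check interval. The embedded listing is constructed to mirror the post's sample, where a mount count of 6 against a maximum of 1 already means fsck will run at the next boot.

```python
"""Read 'tune2fs -l' output and say whether a forced fsck is due.

Added example, not part of the original post. SAMPLE is constructed to mirror
the post's listing: mount count 6 against a maximum of 1, last checked in
1970 with a 30-day interval, so both triggers fire.
"""
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE = """\
tune2fs 1.42.5 (29-Jul-2012)
Filesystem volume name:   SETTINGS
Filesystem state:         clean
Last write time:          Fri Oct 17 19:52:04 2014
Mount count:              6
Maximum mount count:      1
Last checked:             Thu Jan  1 01:00:13 1970
Check interval:           2592000 (1 month)
Next check after:         Sat Jan 31 01:00:13 1970
"""

TUNE2FS_TIME = "%a %b %d %H:%M:%S %Y"   # strptime tolerates the double space


def parse_tune2fs(text: str) -> Dict[str, str]:
    """Split 'Key:  value' lines into a dict; the version banner has no colon."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def fsck_due(text: str, now_iso: str) -> List[str]:
    """Reasons a check is due at now_iso (ISO 8601); an empty list means none."""
    f = parse_tune2fs(text)
    now = datetime.fromisoformat(now_iso)
    reasons: List[str] = []
    if f.get("Filesystem state") != "clean":
        reasons.append(f"state is {f.get('Filesystem state')!r}")
    mounts = int(f.get("Mount count", "0"))
    max_mounts = int(f.get("Maximum mount count", "-1"))   # -1 disables the check
    if max_mounts > 0 and mounts >= max_mounts:
        reasons.append(f"mount count {mounts} reached maximum {max_mounts}")
    interval = int(f.get("Check interval", "0").split()[0])  # seconds, 0 = off
    if interval > 0 and "Last checked" in f:
        last = datetime.strptime(f["Last checked"], TUNE2FS_TIME)
        if now >= last + timedelta(seconds=interval):
            reasons.append(f"last checked {last:%Y-%m-%d}, interval expired")
    return reasons


if __name__ == "__main__":
    for r in fsck_due(SAMPLE, "2014-10-17T20:00:00"):
        print("fsck due:", r)
```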

If you see something strange in the output, you need to run fsck to check and repair the errors. If it's a non-system drive, you just need to unmount it and run fsck (as root):

umount /dev/<Device>
fsck -y /dev/<Device>

If it's, for example, the /dev/root partition, you have to create the forcefsck file in the root directory and reboot the device. During the reboot it will correct the file system errors. Be patient, it can take a long time!

touch /forcefsck
reboot

Another method is the shutdown command with the -F option. It forces an fsck run during the reboot:

shutdown -rF now

+1 advice: Be careful with the munin daemon. It blew up my RPi lots of times, because it generates so many log files and runs the CPU at ~100% every 5 minutes. If it's really necessary to use it, try to tune the timers and minimize the number of plugins.

+1 advice: Be careful when you choose an SD card for your RPi device. Lots of cards are not compatible with the RPi. I've tried many cards in the past; now I'm using a TDK class 10 32G SD card. With that card it looks stable now.