Target:

Install iSCSI Utils if not available

Edit targets.conf

vi /etc/tgt/targets.conf

Paste the configuration below, change target name based on your needs

backing-store /dev/sdc1 
initiator-address 172.100.100.2 
# add more initiators if you need 
#initiator-address 172.50.50.2 
#incominguser username password

Enable tgtd service

chkconfig tgtd on

Start the service

service tgtd start

Note: If you don’t want any volume group to be automatically recognized by the operating system of the target, please filter the volume group to be seen on boot.
Edit /etc/lvm/lvm.conf and add this global_filter

global_filter = [ "a|^/dev/sdc1$|", "r/.*/" ]

The post Shared LVM iSCSI Server and Client configuration for CentOS appeared first on VeriTeknik.

The first step of the configuration is on the nameserver, BIND on our case.

Create the relevant reverse DNS file on /var/named/rev and then edit the file:

cd /var/named/rev
touch 123.234.12
vim 123.234.12

The file contents should be like the following:

$TTL 3D
@       IN      SOA     ns1.rackdc.com. postmaster.rackdc.com. (
                        2018112201   ; Serial, todays date + todays serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                                ; Created on http://root0.net 2005-10-27
                 NS             ns1.rackdc.com.
                 NS		ns2.rackdc.com.
                 
$ORIGIN 12.234.123.in-addr.arpa.


12		PTR		rackdc.com.

After configuring this file with correct details, edit the file /etc/named.conf to include the file you’ve just created.

vim /etc/named.conf

Add the following line in the file:

zone "12.234.123.in-addr.arpa" { notify yes; type master; file "/var/named/rev/123.234.12";allow-query { any; };};

Finally, restart the DNS service.

service named restart

It is important to complete this step before creating an object in RIPE.

The post How to add reverse DNS delegation for RIPE appeared first on VeriTeknik.

First thing to do is, create an access-list based on your requirements:

conf t
ip access-list extended HTTP_TEST
	permit tcp any any eq www
end

Now on the enable mode “type en” type the following to create your capture related to the access-list you created

monitor capture buffer HTTP_BUFFER
monitor capture buffer HTTP_BUFFER filter access-list HTTP_TEST

Select the desired interface you want your capture to collect packets

monitor capture point ip cef HTTP_POINT GigabitEthernet0/2 both

Now start collecting packets

monitor capture point associate HTTP_POINT HTTP_BUFFER

monitor capture point start HTTP_POINT

Type “sh monitor capture buffer all parameters” to get if a packet collected or not

Capture buffer HTTP_BUFFER (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 5
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : HTTP_POINT, Status : Inactive
Configuration:
monitor capture buffer HTTP_BUFFER 
monitor capture point associate HTTP_POINT HTTP_BUFFER
monitor capture buffer HTTP_BUFFER filter access-list HTTP_TEST

don’t forget to stop the capture with the command:

monitor capture point stop HTTP_POINT

to export the packets type the following and don’t forget to delete the capture buffer, install a tftp server to your client and change the IP below to your client’s IP address.

monitor capture buffer HTTP_BUFFER export tftp://192.168.1.2/HTTP.pcap
!and delete the capture buffer
no monitor capture buffer HTTP_BUFFER

and as a summary of the commands all together:

conf t
ip access-list extended HTTP_TEST
	permit tcp any any eq http
end

monitor capture buffer HTTP_BUFFER
monitor capture buffer HTTP_BUFFER filter access-list HTTP_TEST


monitor capture point ip cef HTTP_POINT GigabitEthernet0/2 both

monitor capture point associate HTTP_POINT HTTP_BUFFER

monitor capture point start HTTP_POINT

sh monitor capture buffer all parameters

monitor capture point stop HTTP_POINT

monitor capture buffer HTTP_BUFFER export tftp://192.168.1.2/HTTP2.pcap

no monitor capture buffer HTTP_BUFFER

show monitor capture buffer HTTP_BUFFER dump

The post Finally Cisco Routers to have a packet capture mechanism appeared first on VeriTeknik.

To check the active zones:

[root@rh7 ~]# firewall-cmd --get-active-zones
public
  interfaces: enp1s0f0

To get available service names:

[root@rh7 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

If the service you want to enable listed with the command above, you don’t have to write explicit port number, to allow a service permanently:

[root@rh7 ~]# firewall-cmd --zone=public --add-service=https --permanent
success

If the desired service is not available such as POP3 use the following command:

[root@rh7 ~]# firewall-cmd --zone=public --add-port=110/tcp --permanent
success

When you finish adding/removing rules, apply them with the command:

[root@rh7 ~]# firewall-cmd --reload
success

To check the services enabled on the zone public:

[root@rh7 ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: enp1s0f0
  sources: 
  services: dhcpv6-client http https imaps pop3s smtp ssh
  ports: 7071/tcp 110/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

The post CentOS 7 Firewall Sheet appeared first on VeriTeknik.

Type on your asterisk:

asterisk -rvvvvv

and check sip peers:

sip show peers

Now you should see the extension as UNKNOWN, if this is the case for you apply these steps on your Cisco IOS:

conf t
no ip nat service sip udp port 5060
exit
clear ip nat translation

To see the results, simply type:

sh ip nat translations

Have fun!

The post SIP NAT on Cisco IOS stop working appeared first on VeriTeknik.

Let’s say you have two networks,
192.168.80.128/25
192.168.90.128/25

This means your gateways are 192.168.80.129, 192.168.90.129 and you have these IP addresses respectively : 192.168.80.130-254, 192.168.90.130-254

Lets assign the 192.168.80.x IP’s to eth0 and 90.x to eth1.
Then we’ll have to edit our /etc/network/interfaces file accordingly:

auto lo
iface lo inet loopback

auto eth0 eth0:1 eth1 eth1:1

iface eth0 inet static
    address 192.168.80.130
    netmask 255.255.255.128
    gateway 192.168.80.129

iface eth0:1 inet static
    address 192.168.80.131
    netmask 255.255.255.128

iface eth1 inet static
    address 192.168.90.130
    netmask 255.255.255.128

iface eth1:1 inet static
    address 192.168.90.131
    netmask 255.255.255.128

post-up ip route add default via 192.168.90.129 dev eth1 table 101

As you can see, we did not specify any gateways for other devices than eth0. This is because, we will route the 192.168.90.x IP addresses through 192.168.90.129 but the system will not know it as a default gateway. That’s why we added the last line to interfaces, we tell to route 192.168.90.129 using table 101. Well, you’ll say “We haven’t defined that table yet, what’s this 101?”, that’s true, normally you have to define it in your shell, but we’ll add it to our rc.local so that it will be there all the time (after a reboot).

In order to achieve this, we add the following line to /etc/rc.local (add it before the “exit 0”)

ip rule add from 192.168.90.128/25 lookup 101

Now write the ip rule to your shell too (so you won’t need a reboot) then restart your networking service.

/etc/init.d/networking stop && /etc/init.d/networking start

Here you go, route -n will show you only one gateway, yet you’ll be able to use both IP classes on both devices. So technically we did not add two gateways, but we’re using both of them.

Don’t forget that we only added 4 IP’s here, if you want to add all of them in the block, you better write a script to generate it.

Ok you don’t have to cry about it, below is a Python script I wrote for you, edit it accordingly 🙂

#/usr/bin/python

#ip generator script - plugged.in

IP_c1 = 80
IP_c2 = 90

print "auto lo"
print "iface lo inet loopback"

print "auto eth0"
print "iface eth0 inet static"
print "\taddress 192.168.%i.130" % IP_c1
print "\tnetmask 255.255.255.128"
print "\tgateway 192.168.%i.129" % IP_c1

print "auto %s %s" % (" ".join(["eth0:%i" % i for i in range(1,124)])," ".join(["eth1:%i" % i for i in range(1,128)]))

for c in [IP_c1,IP_c2] :
    if c == IP_c1 :
        for i in range(131,255) :
            print "iface eth0:%i inet static" % (i-130)
            print "\taddress 192.168.%i.%i" % (c,i)
            print "\tnetmask 255.255.255.128"
    else :
        for i in range(130,255) :
            print "iface eth1:%i inet static" % (i-129)
            print "\taddress 192.168.%i.%i" % (c,i)
            print "\tnetmask 255.255.255.128"

print "post-up ip route add default via 192.168.90.129 dev eth1 table 101"

The post Add Multiple Gateways to Multiple NICs on Ubuntu Server appeared first on VeriTeknik.

Edit the file /etc/postfix/master.cf

It probably looks like this

# =============================================================
    # service type  private unpriv  chroot  wakeup  maxproc command
    #               (yes)   (yes)   (yes)   (never) (100)
    # =============================================================
    smtp      inet  n       -       -       -       -       smtpd

Change it to

# =============================================================
    # service type  private unpriv  chroot  wakeup  maxproc command
    #               (yes)   (yes)   (yes)   (never) (100)
    # =============================================================
    smtp      inet  n       -       n       -       -       smtpd

Now restart and reload the postfix mail server and you’re good to go.

[root@mail ~]# /etc/init.d/postfix restart
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
[root@mail ~]# /etc/init.d/postfix reload
Reloading postfix:                                         [  OK  ]

The post Fix Incoming Mail Delay With Postfix appeared first on VeriTeknik.

First of all, check that you DO have another ip address on another interface at the server. Either by ifconfig or anything else.

To change the outgoing IP on a postfix mail server, edit the file /etc/postfix/master.cf

Find this part in the file,

smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=

You should modify it to look like below

smtp      unix  -       -       -       -       -       smtp
        -o smtp_bind_address=192.168.1.1
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o smtp_bind_address=192.168.1.1
        -o smtp_fallback_relay=

Of course, change the IP address 192.168.1.1 to whatever your secondary IP is.

Then restart and reload the postfix server.

[root@mail ~]# /etc/init.d/postfix restart
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
[root@mail ~]# /etc/init.d/postfix reload
Reloading postfix:                                         [  OK  ]

That’s it!

The post Change Outgoing IP of Postfix Mail Server appeared first on VeriTeknik.

Finally we have found a solution to stop DNS Amplification Attacks using pfsense with snort.

The below codes are extracted from raw IP data, as a sample, you may check what we had done for ripe.net query:

0x0000: 4500 0042 6142 4000 7911 e7c3 9a23 a00b E..BaB@.y....#..
0x0010: 5e67 200f 0035 0035 002e 0000 03b8 0100 ^g...5.5........
0x0020: 0001 0000 0000 0001 0472 6970 6503 6e65 .........ripe.ne
0x0030: 7400 00ff 0001 0000 2910 0000 0080 0000 t.......).......
0x0040: 0000 ..

Use the code below to stop DNS Amplification attacks, you can paste the code to snort interface Advanced configuration pass through section:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS ripe.net UDP"; content:"|01 04 72 69 70 65 03 6e 65 74 00|";classtype:attempted-dos;sid:4000003;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS isc.org UDP"; content:"|01 03 69 73 63 03 6f 72 67|";classtype:attempted-dos;sid:4000003;)

The code is tested to have minimal overhead.

Please post your comment if you need additional DNS Amplification Attack rules.

The post Snort rules for isc.org and ripe.net DNS Amplification Attacks appeared first on VeriTeknik.

First of all, there are a couple of ways to edit the iptables infrastructure. One way is to use the /sbin/iptables binary file to append each line, or you can directly edit the /etc/sysconfig/iptables file.

There is basically no difference between the two methods, adding “THIS LINE” to the /etc/sysconfig/iptables file is the same thing by running the “/sbin/iptables THIS LINE” command. Just keep in mind that rules in iptables are respective, which means each rule is done in a chain order, the third line is only executed after the second line.

By default, when you install a CentOS system, the iptables will only allow connections to the 22nd port which is for obvious reasons : not to block your ssh connections. But if you change the ssh server port, or run httpd service, mail service or any other service, the default iptables rules will all incoming and outgoing connections.

The default settings a pretty much like this.

# Firewall configuration written by system-config-firewall
 # Manual customization of this file is not recommended.
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT

Let’s say you install apache (or equivalent) on your server, then iptables will keep blocking 80 and 443 ports. To make them available, we have to add them to the ACCEPT chain before the REJECTION.

-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
 -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Let’s say you want to block out a specific IP address, for any port, then you can add such line,

-A INPUT -s 192.168.16.29 -j DROP

If you’d like to log the access attempts of this IP address, before the DROP line you can add,

-A INPUT -s 192.168.16.29 -m limit --limit 2/min -j LOG --log-prefix "STAY AWAY! "

This line will log any attempt from the IP address 192.168.16.29 but will limit the logs. It will log any similar connection type as only two lines per minute, this way your log file won’t fill out the whole hdd. Also the “STAY AWAY!” will be on the log line, so that you can easily grep the relevant line from the log file. Don’t confuse this as a message, the line “STAY AWAY!” will NOT be sent to the blocked IP or anything, it will just be logged.

At the end our iptables file will be like this

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.16.29 -m limit --limit 2/min -j LOG --log-prefix "STAY AWAY! "
-A INPUT -s 192.168.16.29 -j DROP
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The post Firewall Settings With IpTables on CentOS and RedHat appeared first on VeriTeknik.