Installing Cacti for network monitoring

2016.09.25

Short form install instructions for Debian-based Linuxes:

 apt-get install cacti

You may be prompted to install Apache and MySQL if you don’t have them installed.

You will be prompted to select the webserver for which Cacti should be configured; select the appropriate one. If MySQL is being installed, you’ll then be prompted to set the MySQL ‘root’ user password.

The next prompt will be:

 The cacti package must have a database installed and configured before it can be used. 
 This can be optionally handled with dbconfig-common.
 Configure database for cacti with dbconfig-common?

Select yes and then enter the MySQL ‘root’ password when prompted. This will create the MySQL db and db user for cacti. You’ll be prompted for a password to set for that db user:

 Please provide a password for cacti to register with the database server. If left blank, a random password will be generated.
 MySQL application password for cacti:

Put a password in and then open your browser to http://$_the_server_you_installed_cacti_on/cacti ($_the_server_you_installed_cacti_on is either the FQDN or IP address of the server), select New Installation and click next: http://i.imgur.com/yI4sfm1.png

Configure the options and paths. If any paths are not filled in, run “which” on the command line of the server you’re installing on and it will give you the full path:

 $ which php
 /usr/bin/php

If it’s not installed, install it with apt-get.

Log in with the username admin and password admin and you will be prompted to change the password.

Short form install for Redhat-based distributions:

Install the required packages:

 yum install httpd httpd-devel mysql mysql-server php-mysql php-pear php-common php-gd php-devel php php-mbstring php-cli php-snmp net-snmp-utils net-snmp-libs rrdtool

MariaDB can be used instead of MySQL if you’ve already transitioned to it from mysql.

Start the www, db and snmp services:

 systemctl start httpd.service
 systemctl start mariadb.service
 systemctl start snmpd.service

and enable the services to autostart (chkconfig if you’re on older systems):

 systemctl enable httpd.service
 systemctl enable mariadb.service
 systemctl enable snmpd.service

Create a cacti database in your mysql:

 # mysql -u root -p -e 'create database cacti'

Create a cacti user with password ‘12345whatacoincidence’:

 # mysql -u root -p
 mysql> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY '12345whatacoincidence';
 mysql> FLUSH privileges;
 mysql> \q

Installing cacti is made easier if you have the EPEL repo enabled, because then it’s just:

 yum install cacti

More info on EPEL repo: http://www.tecmint.com/how-to-enable-epel-repository-for-rhel-centos-6-5/

The other (slightly more finicky) method is the tried and true compile-it-yourself method: http://www.cacti.net/download_cacti.php

In any case, when you have it installed, you’ll want to import the cacti tables from cacti.sql, so first, find ‘cacti.sql’:

 # rpm -ql cacti | grep cacti.sql

and then (assuming it told you the file is in “/opt/cacti/cacti-0.8.7d/cacti.sql”,) import the file:

 # mysql -u cacti -p cacti < /opt/cacti/cacti-0.8.7d/cacti.sql

Then you will need to edit your /etc/cacti/db.php file, using your actual values:

 $database_type = "mysql";
 $database_default = "cacti";
 $database_hostname = "localhost";
 $database_username = "cacti";
 $database_password = "12345whatacoincidence";
 $database_port = "3306";

Update your httpd config (probably /etc/httpd/conf.d/cacti.conf) to allow traffic to your cacti site and then restart httpd (or set up .htpasswd for that directory).

Edit the file /etc/cron.d/cacti to uncomment the cacti line.

Finally, open your browser to http://$_the_server_you_installed_cacti_on/cacti ($_the_server_you_installed_cacti_on is either the FQDN or IP address of the server), select New Installation and click Next: http://i.imgur.com/yI4sfm1.png


Configure the options and paths. If any paths are not filled in, run “which” on the command line of the server you’re installing on and it will give you the full path. If it’s not installed, install it with yum:

 $ which php
 /usr/bin/php

Log in with the username admin and password admin and you will be prompted to change the password.

Installing Cacti in Windows

If you have a WAMP install (because no one will give you a nickel to get a real computer), then you can still install cacti: http://myconfigure.blogspot.com/2013/02/the-easiest-way-to-install-cacti-on.html

Followup

  1. log in to cacti and set up your systems/switches/routers/firewalls to be monitored
  2. install and configure Network Weathermap and tell it to use your cacti (or mrtg etc) data so you can get a nice realtime(-ish) graph of your speeds and feeds.
  3. install and configure the thold plugin to alert you if the systems you’re monitoring are dropping below a particular threshold


Categories : HowTo  Networking

MACSec Redux

2016.09.15

Good ol’ MACSec.

First, I posted a quick and dirty notes-for-myself, MACSec how-to for Juniper.

Then, I posted a similar MACSec howto for Cisco. So here’s a miscellany of different macsec implementations.

Let’s say you want to run your own router, because your Layer 8 & 9 specialists mandate it: here’s MACSec on Linux.

Here’s a guy who did cisco-switch-to-cisco-switch macsec over an mpls link between a cisco and juniper router (because macsec works at layer 1 and thus you need to fake layer 1 via MPLS). So that’s a thing.

Here’s the Extreme Network’s MACSec implementation:

set macsec port mka enable tg.1.1
set macsec pre-shared-key port tg.1.1 ckn foo cak passphrase bar

HP switches macsec config

Brocade MACSec details and also a Brocade sample config of MACSec.

Cisco MACSec Notes

2015.11.05

A while back I did notes for MACSec on Juniper devices, and here’s the Cisco equivalent of the 802.1AE (“MAC Sec”) implementation.

  1. Your Cisco device needs to be running either an IP Base or IP Services image. MACSec is not happening otherwise.
  2. switch# cts credentials id trustsec password mypassword
  3. en then, conf t, then int Gig1/1 (or whatever)
  4. switch(config-if)# cts man
    % Enabling macsec on Gi1/1 (may take a few seconds)…
    switch(config-if-cts-manual)#no propagate sgt
    switch(config-if-cts-manual)#sap pmk abc123 mode-list gcm-encrypt
    switch(config-if-cts-manual)#no shut

Where abc123 is your shared secret. I believe this is analogous to Juniper’s cak. You can do this to aggregated links (“port-channel” for you Cisco folks) but you have to do it before you aggregate the trunks together into a single logical interface. E.g., do this on Gig1/1 and Gig1/2 and then create int Port-channel1 (channel-group 1 mode on in the interface config)

Notes:

mode-list options are:

  • gcm-encrypt (authentication and encryption)
  • gmac (auth, no encrypt)
  • null (encapsulation only; no auth, no encryption)


Gotchas:

  • to use 802.1x (cts dot1x) as opposed to cts man above, you have to enable 802.1x globally on each device.
  • if you select gcm as the sap mode, you need an additional macsec license from cisco (as well as the ipbase or ipservices image/license). if you select gcm without the license, the interface goes into link-down state.

Debugging:

show cts credentials

show macsec summary

show macsec interface

show authentication sessions interface gigabitethernet1/1


Additional reading:

The actual Cisco doc (this is for a cat4500 but translates well most places) http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/swmacsec.html (here’s one for 3750/3560)

http://www.petenetlive.com/KB/Article/0001000.htm

http://www.virtualpackets.com/cisco-trustsec-switch-to-switch-link-security-manual-mode/


Xwindows and Windows

2015.06.19

Exceed is the best. Unfortunately, it is pricey: http://connectivity.opentext.com/buy-online.aspx

Your other options are:

MobaXterm: in free and pay versions, pretty simple to install/setup and use.

Xming: free (old version) or pay (current version), also pretty simple to use.

Cygwin/X: complicated, kludgey and you should probably avoid it.


http://stackoverflow.com/questions/40453/what-is-a-good-and-free-x-server-for-windows


Inconvenient Message Detection

2015.03.02

via http://topchicksdigengineeringguys.blogspot.com/2015/03/the-inconvenient-message-detection-imd.html

Steganography that requires computing effort. Steganography is the idea of hiding data in the unimportant bits of an image. This is an old idea. The new twist is that with ‘Inconvenient Message Detection’ (IMD) that data can only be found if the decoder does an amount of computational work that’s decided by the encoder.

Let’s look at how this solved our problem: If some people use IMD, it makes every image suspect. When a mass-observer wants to see what communication is going on, they must use compute power to check every image. Furthermore, because the compute effort needed to find an image is set by the encoder, it is uncertain to the mass-observer; they never know for certain if they’ve worked hard enough. By contrast, the intended recipient of a message presumably got the single datum that a message exists in some public image and will put in as much compute effort as is needed to find the data in that single image. Having every image on the internet be a potential carrier of secrets makes the mass observation of communication meta-data expensive and uncertain.

Furthermore, even an individual under direct observation can increase their protection with IMD. An individual may own thousands of images of which only one contains a secret. Until the secret is found by an observer, the individual has plausible deniability of the secret’s existence. The observer may even give up before spending the necessary compute effort to find it. This increases their resistance to coercion.

Automatically reverting configuration mistakes in JunOS and IOS

2015.01.09

The old joke goes: I don’t make mistakes. I thought I did once, but I was wrong.

But here’s how to save yourself from mistakes when configuring a JunOS or IOS device:

JUNOS is easy, “commit check”, “commit confirmed” and the handy “rollback”. Frankly, if you’re on a JUNOS device, you should already know about these.

But how to do the same on IOS? Cisco’s configurations happen as soon as you hit enter on the config, right?

Here’s how:

  • The brute force method: “reload in 5”. Write your proposed changes in notepad++ (or notepad.exe if you insist). Log in to the device that you’re going to change, and before you do any of your changes, run “reload in 5”. Then, make your changes. If you did something boneheaded that will disable the device or your connection to it, the device will reload from its start-config in 5 minutes, effectively erasing your running-config.

Of course, if this is a shared device, you’ve taken everyone offline for the time it takes the device to reboot. Or maybe you don’t want your config saved to start-config as a security measure*. So what do you do in order to prevent a reboot and still maintain the ability to revert a recently made change? Ah, you’ll be wanting the somewhat more sophisticated method 2:

  • First, turn on archive:

cisco-router#configure terminal
cisco-router(config)#archive

then configure a path for where it’ll be stored and save that:

cisco-router(config-archive)#path usbflash0:backup-config
cisco-router(config-archive)#end
cisco-router#write mem

Now you should be able to use “configure terminal revert time 5” which is IOS’ functional equivalent of JUNOS’ “commit confirmed 5”:

cisco-router#conf t revert time 5

Here it will tell you that your config is being backed up to where you told it to and that the config will be rolled back in 5 minutes. So make your changes:

cisco-router(config)#int gig 0/0
cisco-router(config-if)# shutdown

If everything is good, “configure confirm” to keep the change:

cisco-router(config-if)#configure confirm

For the truly worried, use both methods: “reload in 10” and “revert in 5”. If the revert doesn’t work, the reload will (this will still take down the router, but hey…)

Categories : HowTo  Networking  Security

Configuring cacti for 1-minute polling

2014.10.24

Trickier than it sounds, just because there’s lots of moving parts. Here is a handy guide that gets all the notes right: http://www.tolaris.com/2013/07/09/cacti-and-1-minute-polling/

Categories : HowTo

Juniper MACSec Notes

2014.10.16

MACSec is kind of neat (TL;DR for the impatient: layer-1 crypto on links).

Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.

MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.

CLI config:

#create an association:
set security macsec connectivity-association ca1

#choose a mode (static cak recommended — see here for why)
set security macsec connectivity-association ca1 security-mode static-cak

#ckn needs to be a 64-digit number in hex, but any empty space is padded w/ 0’s
set security macsec connectivity-association ca1 pre-shared-key ckn deadbeef99

#cak needs to be a 32-digit number in hex, but any empty space is padded w/ 0’s
set security macsec connectivity-association ca1 pre-shared-key cak deadbeef11

# set to 255 to make it “less likely” to be chosen as key server, 0 for “more likely”
set security macsec connectivity-association ca1 mka key-server-priority 0

# set to 6000 for high-traffic environment. default to 2000.
set security macsec connectivity-association ca1 mka transmit-interval 6000

#this leaves headers unencrypted for troubleshooting, set to 0 for full encryption, set to 50 for unencrypted ipv6 headers
set security macsec connectivity-association ca1 offset 30

# replay protection, set to 0 to enforce all packets coming in order
set security macsec connectivity-association ca1 replay-protect replay-window-size 5

# exclude a protocol
set security macsec connectivity-association ca1 exclude-protocol lldp

#enable macsec
set security macsec interfaces xe-0/1/0 connectivity-association ca1
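The ckn and cak lines above (and the Cisco `sap pmk` value the Cisco notes call analogous) accept short values that the device pads with zeros, and the padding adds nothing an attacker has to guess. Here is an added Python helper, my own example and not Juniper's code or the blog's, that validates and pads key material the way the page describes, reports how many bits were actually chosen, and generates full-length random values instead. Assumptions not stated on the page: the padding is appended on the right (trailing zeros), and the hex digits are case-insensitive.

```python
import re
import secrets

# Lengths stated on the page: CKN up to 64 hex digits, CAK 32 hex digits.
CKN_HEX_DIGITS = 64
CAK_HEX_DIGITS = 32


def pad_hex(value: str, width: int) -> str:
    """Validate a hex string and zero-pad it to `width` digits.

    Assumption (not stated on the page): padding goes on the right,
    so 'deadbeef11' becomes 'deadbeef11' followed by 22 zeros.
    """
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError("key material must be hexadecimal digits only")
    if len(value) > width:
        raise ValueError(f"value is {len(value)} hex digits, maximum is {width}")
    return value.ljust(width, "0")


def supplied_key_bits(value: str) -> int:
    """Bits of key material the operator actually chose (4 per hex digit).
    The zero padding is public, so it does not add to this number."""
    return 4 * len(value.strip())


def generate_ckn() -> str:
    """Random full-length CKN: 64 hex digits from 32 random bytes."""
    return secrets.token_hex(CKN_HEX_DIGITS // 2)


def generate_cak() -> str:
    """Random full-length CAK: 32 hex digits from 16 random bytes (a 128-bit key)."""
    return secrets.token_hex(CAK_HEX_DIGITS // 2)


def junos_psk_config(ca_name: str, ckn: str, cak: str) -> list:
    """Emit the two 'set ... pre-shared-key' lines from the page with padded key material."""
    base = f"set security macsec connectivity-association {ca_name} pre-shared-key"
    return [
        f"{base} ckn {pad_hex(ckn, CKN_HEX_DIGITS)}",
        f"{base} cak {pad_hex(cak, CAK_HEX_DIGITS)}",
    ]


if __name__ == "__main__":
    # The page's short example values, as the device would store them after padding.
    for line in junos_psk_config("ca1", "deadbeef99", "deadbeef11"):
        print(line)
    print("bits actually chosen for the page's cak:", supplied_key_bits("deadbeef11"))
    # Full-length random values for a real deployment.
    for line in junos_psk_config("ca1", generate_ckn(), generate_cak()):
        print(line)
```

The page's `deadbeef11` is fine for a lab, but it is 40 chosen bits padded out to a 128-bit field; `generate_cak()` fills the whole field from the OS random source.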

Troubleshooting:
show security macsec statistics interface xe-0/1/0 detail

additional reading:
http://www.juniper.net/techpubs/en_US/junos13.2/topics/concept/macsec.html
http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/command-summary/show-security-macsec-statistics.html
(Cisco version: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf)


There’s a Cisco version of this here: http://david.piniella.net/2015/11/cisco-macsec-notes/

Categories : HowTo  Networking  Security

Linux / Unix / VMS equivalencies

2014.10.02

So you’re dumped in Brazil (VMS) and all you speak is English (Windows) and Spanish (Linux), how do you get by?

A universal translator, of course: http://bhami.com/rosetta.html

VMS

There’s also a VMS to Unix cheat-sheet: http://www.physnet.uni-hamburg.de/physnet/vms-unix-commands.html

and another: https://www.mpp.mpg.de/~huber/vmsdoc/unix_vms_cmd_xref.html

setting security/ownership in VMS: http://labs.hoffmanlabs.com/node/1806

tiny gotchas that you might not expect:

  • case insensitive
  • no
  • VMS has no set mount points, so you have to explicitly state which disk is being referenced in a command:
$ create/directory [.tmp]
$ copy dsa0: [.tmp]x.tmp
$ copy dsa0: [.tmp]y.tmp
$ copy dsa0: [.tmp]z.tmp

This creates a directory, .tmp, and three files inside it, x.tmp, y.tmp, z.tmp.

AIX

AIX Cheat-sheet: http://bigcalm.tripod.com/aix/handycommands.htm

AIX Cheat-sheet: http://www.tablespace.net/quicksheet/aix-quicksheet.pdf [PDF]

AIX Cheat-sheet: http://www.vmexplore.com/aix-commands-cheat-sheet/

AIX documentation: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp 

AIX Admin’s blog, full of AIX tips and tricks: http://nixys.fr/blog/?tag=aix (I haven’t used it but it’s the type of quick and to-the-point howto that I find most useful.)

a text file cheat-sheet — quick and dirty, no-nonsense: http://www.pimpworks.org/ibm/aix.txt


SOLARIS

The biggest caveat when going to Solaris from Linux is that a lot of the tools you expect are missing (i.e., not installed by default) or different (i.e., you’re expecting GNU versions). The easiest way to deal with it is to install the GNU tools and put them in your path. That said, Solaris 10 is less of a PITA than older versions (9, 8…, or heaven forfend: SunOS).

Here is a fast and dirty “why doesn’t this work / how do I do this?” for Solaris: http://sysunconfig.net/unixtips/solaris.html

IBM redbooks, learn it, love it: http://www.redbooks.ibm.com/redbooks/pdfs/sg247186.pdf [PDF]

Lesser Known Solaris Features: http://www.c0t0d0s0.org/pages/lksfbook.html



IPSec Site-to-Site between a Palo Alto firewall and Cisco Router

2014.09.26

Palo Alto side:

1. create a tunnel interface:

Network Tab > Interfaces > Tunnels
new tunnel: name it, assign it to a Virtual Router (cisco parlance: VRF) and Security Zone

2. create IKE phase 1: (cisco calls it isakmp)

Network > Network Profiles > IKE Crypto
create a new profile, name it: assign a DH Group, authentication, encryption and lifetime (DH group 2, sha1, aes128, 1 day)

3. create IKE phase 2: (cisco: “transform set”)

Network > Network Profiles > IPSec Crypto
Create a new profile
DH group (pfs/no-pfs)
encryption
authentication

4. specify peer:

Network > Network Profiles > IKE Gateway
name it, interface, peer type, peer IP, pre-shared key, exchange mode, define which IKE Crypto profile (phase2)

5. Add an IPSec Tunnel:

Network > IPSec Tunnels

General Tab:
Add tunnel, name it, choose which tunnel interface to use
Autokey (since they’re defined in your gateway/phase1/phase2)
Choose gateway
choose IPSec Crypto Profile (phase2)

Proxy ID tab:
add the IP address/network

Cisco router side:

1. Configure Phase-1 (“isakmp”)

# conf t
(config)# crypto isakmp policy 1
(config-isakmp)# authentication pre-share
(config-isakmp)# encrypt aes128
(config-isakmp)# hash sha1
(config-isakmp)# group 2
(config-isakmp)# lifetime 86400
(config-isakmp)# exit
(config)# crypto isakmp key <<key>> address <<peer address>>

Change <<key>> to your preshared key and <<peer address>> to the other system’s IP address (e.g. the public address on the interface of the palo alto FW)

NB: note that the ISAKMP Phase 1 policy is defined globally. So if you have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when your router tries to negotiate a VPN tunnel with each site it will send all five policies and use the first match that is accepted by both ends.

2. configure phase-2 (“transform-set”, ACLs, crypto map)

2a. set an ACL to match the traffic that will be encrypted in the tunnel:

The format is:
(access-list ### permit ip <<source-network>> <<source-netmask>> <<destination-network>> <<destination-netmask>>)
example:

(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

NB: If you’re NAT’ing outbound traffic, you need to disable NAT for the traffic that you want encrypted through the tunnel; deny via ACL, like so:

(config)# ip nat inside source list 100 interface fastethernet0/2 overload
(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
(config)# access-list 100 permit ip 10.0.0.0 0.255.255.255 any

The deny applies specifically to traffic from 10./8 to 192.168.1./24 and then permits 10./8 going anywhere else.
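Because an ACL is evaluated top-down and the first match wins, the order of that deny and permit is what keeps tunnel traffic out of NAT. Here is an added Python model of IOS wildcard-mask matching and first-match evaluation, my own example rather than anything from the page or Cisco, run over the two lists above with constructed sample flows. One deliberate difference from the page: it numbers the NAT list 101, since the page reuses 100 for both the crypto map's `match address` list and the NAT list, and a `permit 10/8 any` entry in the crypto ACL would also select all of 10/8's traffic for encryption.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def _take_addr(tokens: list) -> tuple:
    """Consume 'any' or 'NETWORK WILDCARD' from the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny ip SRC SRCWC DST DSTWC' (extended ACL, ip only)."""
    parts = line.split()
    if parts[0] != "access-list" or parts[2] not in ("permit", "deny") or parts[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, rest = _take_addr(parts[4:])
    dst, rest = _take_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in: {line}")
    return {"acl": parts[1], "action": parts[2], "src": src, "dst": dst}


def evaluate(acl_lines: list, src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"


# The page's crypto-map match list (what gets encrypted).
CRYPTO_ACL = [
    "access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255",
]

# The page's NAT exemption list, renumbered 101 here (assumption, see lead-in).
NAT_ACL = [
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 10.0.0.0 0.255.255.255 any",
]


def handle_flow(src: str, dst: str) -> dict:
    """What the router does with a flow: encrypt if the crypto ACL permits it,
    translate if the NAT ACL permits it."""
    return {
        "encrypt": evaluate(CRYPTO_ACL, src, dst) == "permit",
        "nat": evaluate(NAT_ACL, src, dst) == "permit",
    }


if __name__ == "__main__":
    # Constructed sample flows.
    for src, dst in [("10.1.2.3", "192.168.1.10"), ("10.1.2.3", "203.0.113.9"), ("172.16.0.5", "192.168.1.10")]:
        print(src, "->", dst, handle_flow(src, dst))
    # Same two NAT entries in the wrong order: the tunnel traffic now gets translated.
    print("reversed NAT list:", evaluate(list(reversed(NAT_ACL)), "10.1.2.3", "192.168.1.10"))
```

The reversed-order line is the failure mode to watch for: with the permit first, the 10/8 to 192.168.1/24 flow is translated before the crypto map sees it, its source address no longer matches ACL 100, and it leaves the router in the clear instead of through the tunnel.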

2b. set the transform set (aka phase 2)

(config)# crypto ipsec transform-set IPSECSET esp-sha-hmac esp-aes
(cfg-crypto-trans)# exit

2c. set the crypto map to tie the elements together:

(config)# crypto map IPSECMAP 1 ipsec-isakmp
(config-crypto-map)# set transform-set IPSECSET
(config-crypto-map)# set peer <<peer address>>
(config-crypto-map)# match address 100
(config-crypto-map)# exit

3. Apply the crypto map to your outbound interface:

(config)# interface FastEthernet0/2
(config-if)# crypto map IPSECMAP

And you’re done.

useful commands:

show crypto isakmp policy
show crypto isakmp
show crypto isakmp detail
show crypto ipsec transform-set — shows you phase 2
show crypto map — shows the complete crypto map
show crypto ipsec sa — shows how many packets are encrypted/decrypted/going through the tunnel

Categories : HowTo