The documentation provided by Netgear about SNMPv3 is fairly incomplete. The GS728TP is only supposed to be managed using its web interface. In one of my previous posts, I showed that there is actually a decently powerful CLI hidden from the average consumer. This is one of the big differences between “Smart Managed” and “Fully Managed” switches.
Why SNMPv3?
SNMPv3 allows for the secure collection of monitoring data. With previous iterations of SNMP (1, 2c), all traffic was unencrypted. You can read more on the SNMP Wikipedia page.
Settings
The settings that Netgear advertises are located under System > SNMP > SNMPv3 > User Configuration. Most of the settings are represented here, but there is no mention of the Authentication Password. What confused me was the fact that didn’t say what the Authentication Password (authPassword) was.
I was eventually able to figure out that the authPassword shared the same password needed to log in to the switch. What a terrible implementation. Unable to find any solutions to this online, I consulted some of the other manuals I used to figure out the SSH configuration.
The Better Solution
Here are instructions to create an additional SNMP user using the command line, allowing you to keep your switch’s login password secret.
For the purposes of this post, I will be using the following settings:
Username: myuser
Group: default (I picked this because its what group the admin user is in)
Authentication Protocol: SHA, and key: secretauthkey
Privacy Protocol: DES, key: secretprivkey
Connect to the command line of the switch
Get a printout of the current snmp users using show snmp users. You should see your login password next to Auth.
Add a new snmp user
Enter configuration mode by typing configure
Create the new user using: snmp-server user myuser default v3 auth sha secretauthkey priv secretprivkey
You can also restrict the switch to only listen to requests from a particular IP address using remote at the end of the previous command. Use “?” to see details.
Exit configuration mode using exit
Verify proper settings using show snmp users
Remember, you can always send a question mark (?) to have the switch show any available documentation.
Currently, I have all my dotfiles hosted in a private repo on Github. Unfortunately, the way I have them setup is not very straightforward, and since it has sensitive information in it, I haven’t been able to make it public. I know I could sanitize it, but I’m sure there are better ways to handle dotfiles out there.
I’ve pondered writing my own setup, but I’ve also found some pretty solid setups on Github. One in particular by skwp is very extensive. He refers to is as YADR, or Yet Another Dotfile Repo. According to the repo, he’s been working on it since 2011 and it really shows. I’m going to fork it and test it for a week or so.
Installation
The YADR repository is setup to be installed on Mac OS, however, I plan to run it on Linux — specifically Ubuntu 16.04. I will also try it on Centos 7 as we run RHEL and Centos at work. I’ll also try to post any hiccups encountered with using Terminator.
I found this web page that talks about changes that need to be made for YADR’s repo to work on Linux. It was posted back in 2014, so I don’t know if the information is still current. So far I know I had to do most of the things he outlined in the After installing YADR section (setting Terminator background, fonts).
Missing prereqs
Maybe I overlooked it, but I think there were some prerequisites that skwp assumed you had installed. While the script did a lot, I don’t think it checked if zsh was installed — I had to install it manually. Also, ruby and rake might not be installed on your distro.
A few months ago a friend contacted me about ransomware that infected his parents’ desktop computer. This particular ransomware was a variant of Locky named Osiris. In addition to encrypting the files, it scrambled the filenames making it impossible to identify files.
Fortunately for them, they had fairly recent backups of most of their files. Unfortunately, they didn’t have backups of files in their Google Drive. All hope was not lost, however. While Google Drive doesn’t have a restore entire account to a previous state in time feature, they do keep a revision history for each of your files. Thankfully we verified that the files did, in fact, have previous versions containing the unencrypted and originally named files.
Automating the Removal
Now that we knew remediation was possible, we needed to find a way to automate the recovery of hundreds of files. Luckily I found a repository on Github with a script that Catalysts wrote to do this process. The only problem was that it was written for a different variant of ransomware.
After making some modifications, I was able to get it to work! Because the malware scrambled the original filename, I had to add logic to retrieve the original filename from its revision history.
Since my first post on this subject, I found a better way of doing it.
There is a feature called task-scheduler, which seems to be a wrapper for cron. The benefit to using it, however, is that your commands get saved in /config which ensures that they get copied over during firmware upgrades.
As usual, Ubiquiti’s community forums were very helpful in figuring this out. This post got me started.
These commands should be all you need to setup the task-scheduler similarly to how I had cron setup in the first post.
configure
set system task-scheduler task ddnsupdate
set system task-scheduler task ddnsupdate crontab-spec '0 20 * * 0'
set system task-scheduler task ddnsupdate executable path '/config/scripts/'
commit
save
That’s it!
Bonus
If you noticed earlier, I moved the actual ddnsupdate script to /config/scripts/ which ensures that it gets copied after a firmware upgrade.
Also, you can check that those commands actually created the cronjob in /etc/cron.d/vyatta-crontab
Recently I found myself locked out of a VM that I have hosted using KVM. Unfortunately, I could no longer remember my account’s password, and I hadn’t saved it in my password locker.
The VM (domain) is running Ubuntu Xenial 16.04.1, and the image type is a qcow2. KVM is running on Debian Jessie 8.6.
Mounting the VMs Image
After searching for someone with a similar problem, I found this page which got me started.
Important: Be sure that your VM (domain) is shutdown before proceeding. (Follow steps 2-4 on that guide)
Once I got to step 6, I realized that they were using .img images instead of qcow2. Next, I found this page which showed me how to mount a qcow2 image to my host. Not knowing exactly how my images were set up, I started following the guide from the 4th paragraph “To mount qcow2 images …”
Here’s an example of the commands I ran
modprobe nbd max_part=63
qemu-nbd -c /dev/nbd0 <path to qcow2 image>
mkdir -p /mnt/image
mount /dev/nbd0p1 /mnt/image
Once I got to the next paragraph which talked about LVM, none of the commands worked, and I realized I wasn’t using LVM. At this point, I tried browsing to /mnt/image/ and saw that it had, in fact, mounted the image properly.
Editing /etc/shadow
So I went back to the original guide I found. Step 13 shows how to edit /etc/shadow to remove an account’s password.
Basically just remove the encrypted password. You can read more about /etc/password on this nixCraft page.
Example:
Old:
root:$8$gbwrd7.g/:5345:0:99999:7:::
New:
root::5345:0:99999:7:::
Important: To allow you to SSH into the machine, you’ll either need to go into /etc/ssh/sshd_config and enable empty passwords, or copy a public key into the user’s ~/.ssh/authorized_keys file. (I chose the latter.)
Unmount and cleanup
Now it’s time to unmount the disk from the system and qemu-nbd. To do that, run these two commands. In the second guide that I linked to, they mention running killall qemu-nbd instead of qemu-nbd -d /dev/nbd0. I don’t think that’s a good idea. Someone in the comments mentioned using the qemu-nbd -d command, which seems to properly disconnect the image.
umount /mnt/image
qemu-nbd -d /dev/nbd0
Start the VM and Set a New Password
You can now start the VM using virsh start <domainname>
Once you are logged in, you can use the passwd command with no arguments to set a password for your account.
Earlier this summer when I was working more on the new church networking equipment, I decided that they needed a hostname for external access. Since their website is hosted somewhere else, there’d been no need for a real domain name to point at the router.
Currently, I am using No-IP’s free Dynamic DNS (DDNS). The inconvenience of No-IP is that they require you to update or refresh your hostname every month to keep them from expiring. There are a number of different ways to do that, but in this case, I wanted my EdgeRouter Lite to update No-IP with my current external IP address.
Configuring ERLite for No-IP
As of firmware 1.8.5, the ERLite natively supports No-IP, and I configured it from the command line as follows:
configure
set service dns dynamic interface eth0 service noip host-name **myhostnane.com**
set service dns dynamic interface eth0 service noip login **mynoipemail**
set service dns dynamic interface eth0 service noip password **mynoippassword**
set service dns dynamic interface eth0 service noip protocol noip
commit
save
exit
See this page for more details. (Note that the page is old, and doesn’t show noip as a protocol, but per this forum post, it’s available in firmware 1.8.5 and later)
The Problem
To my surprise, however, the ERLite does not send an update to the DDNS provider unless the external IP address changes. (See the last paragraph of this page) While we don’t have a static IP address from our ISP, it doesn’t tend to change. So this was becoming a problem.
Ever since I set this up, I’ve been getting emails every month saying “Your hostname is expiring, click here to renew”. The would always catch me at a busy moment, but I’d click the button and promptly forget about it.
Today was the day that I was finally going to solve this issue.
A Solution
I knew that the No-IP configuration in the ERLite was correct, because if I clicked the Force Update button from the web interface, or issued update dns dynamic interface eth0 from the CLI, No-IP would show it as being refreshed. (If you go to No-IP’s website, you can see the last time that your hostname was refreshed.)
Now I just needed to find a way to script this.
Being a small Linux box, the ERLite has cron functionality. If I could just add the above command to root’s crontab, this would be an easy fix. I tried that, but it didn’t work. At the time I didn’t realize that the update command was actually alias update='_vyatta_op_run update. After some more digging, I found that this pointed to this Perl script:
My first reaction was to add this to root’s crontab, and it worked! But I wasn’t satisfied. I am usually a little leery of bypassing wrappers that are written by the devs.
The Better Solution
I then stumbled on this page on How to Run Operational Mode Command From Scripts. This was exactly what I was looking for. The vyatta-op-cmd-wrapper is what I needed to be able to properly call the update dns dynamic interface eth0.
Here is the script I now have called from root’s crontab.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Note that this is also why my original attempts at just adding update dns dynamic interface eth0 to root’s crontab failed.
Bonus Tidbits
Here are a couple commands I found useful for troubleshooting.
$ show dns dynamic status
interface : eth0
ip address : XXX.XXX.XXX.XXX
host-name : myhostname.ddns.net
last update : Sat Nov 5 15:13:05 2016
update-status: good
This one shows the ERLite’s configuration for the DDNS provider.
$ configure
# show service dns dynamic
interface eth0 {
service noip {
host-name **myhostnane.com**
login **mynoipemail**
password **mynoippassword**
protocol noip
}
}
A friend asked me if it was possible to sync a particular folder he had on Google Drive to a network drive. Apparently, the official Google Drive client only allows you to sync to NTFS partitions, and the network drive was a samba mounted ZFS share. Upon researching, I found conflicting info. Some people said symbolic links worked, and others said to use hard links or even NTFS junctions.
Here’s what I ended up doing. I wouldn’t be surprised if there’s a better way, but this worked for me.
Install Google Drive
You’ll need to install the Google Drive application if you haven’t done so already. If you only want to download one folder (like me), be sure to uncheck all the other folders in the sync options.
For this example, I will assume two things:
The network drive is mounted to Z:\
Google Drive was set to sync to the default path of C:\Users\<username>\Google Drive
Create the link
Open a command prompt as administrator. We will be using the mklink command to create a directory symbolic link. The basic syntax for this is as follows: <link> is where it is going to put the new link, and <target> is the destination of the link, or in this case the folder on the network drive.
Be sure you don’t have a folder named “DownloadThisFolder” in your Google Drive
Ensure that <NetworkFolder> already exists
Use quotes around paths that include spaces
Move Files Into Link
Once the link is created, it should show up on the Google Drive web interface as a folder. From the web interface, move whatever folder you want to download into the newly created folder. You should start to see Google Drive sync down the contents to your local network drive.
When I got the GS728TP I was fairly surprised that Netgear claimed the only way to configure it was through their web management interface. While the web interface is fine for basic configuration, it is slow and freezes if you don’t let the page load completely before clicking. I was not satisfied with this being the only configuration option and luckily found an alternative.
Login
Once you have telnet enabled, connect to it using your favorite telnet client. (Putty works great on Windows). The password is whatever you use to login to the web interface.
Username: admin
Password: <web interface password> (default: password)
Enter Configuration Mode
Once you are logged in, you will be at a command prompt with the name of your switch followed by # symbol.
Type config to enter configuration mode.
Enable SSH
Type ip ssh server to enable ssh access. When you press enter, it will save the configuration immediately, and you will see something like 27-Jan-2016 16:16:41 %COPY-N-LOGGINGFILECOPYSTOP: stop log messages related to file copy operations
27-Jan-2016 16:16:43 %COPY-N-LOGGINGFILECOPY: start log messages related to file copy operations
Wait for this to finish before issuing another command.
Enable Password Auth
Next, enable password authentication by typing ip ssh password-auth. Again, you will see messages while it saves the configuration.
Change SSH Port (optional)
You can optionally change the SSH port by typing ip ssh port <port number>.
Change SSH Timeout You can view and change the SSH timeout (as well as other options) from the command line. Enter config mode and then type line ssh. The prompt will now show (config-line)#. Type do show line ssh to view the current configuration, and you’ll see that by default the SSH timeout is 10 minutes. You can increase it to 60 minutes with exec-timeout 60.
If you want to setup public key authentication, you can try following this guide I found. I have not verified that this works on the GS728TP, but I suspect that it would.
Recently I’ve been spending a lot of time upgrading the network at the church I attend. Our existing network consists of a simple router and a few access points. Anyone who has access to the WiFi has access to our wired church computers, copier, etc. We want to separate guests/members from our private network. In the mean time, we are continuing to use our existing setup until the new system is ready. We are not a huge church, and don’t have unlimited funds.
I plan to have multiple VLANs and subnets. New WiFi access points will be powered with PoE, and capable of SSID-to-VLAN tagging.
Hardware
A few months ago, after quite a lot of research, we purchased a Netgear GS728TP and two EnGenius EAP600 access points. Originally I was going to use pfSense as a firewall and router, but after using a Ubiquiti EdgeRouter Lite at home and considering power consumption, I opted to purchase one for this application.
Network Configuration
The VLANs and subnets we plan to have are shown in the table.
VLAN
Description
Subnet
10
Admin/Infrastructure/Management
192.168.10.0/23
20
Wired Computers
192.168.20.0/23
30
Guest WiFi
192.168.30.0/23
40
Separate, Internal Group
192.168.40.0/23
50
VPN
192.168.50.0/24
Currently I have the ERLite configured with this configuration. It has a dhcp server for each subnet and is set to masquerade traffic from all VLANs to the WAN. (I don’t think this is how I should have it setup.) I want VLANs 30 and 40 to be configured the same, and to only have internet access, and do not want clients to be able to see each other. As you can see from the config, VLAN 10 has access to all the other VLANs, but none of the other VLANs can access any hosts outside of their VLAN. I also plan to configure it to block hosts on VLAN 30 and 40 from communicating with other hosts even within their VLAN. Note: VLAN 40 is not a network that we plan to normally have active. The idea is that we can enable unencrypted access if we have a conference or election day at the church and will have many temporary users.
The GS728TP is connected to the ERLite on port 23, and passed traffic tagged with the four VLANs to the WiFi APs. The raw configuration for it is here.
Things that I am still trying to get figured out:
Potentially improve the design of the existing firewall rules
Block hosts from communicating with other hosts inside their VLAN/subnet
Allow DNS resolving from Admin VLAN to other VLANs/subnets
Port forwarding to specific hosts. I have been unable to successfully setup port forwarding to any hosts.
I will add more detail to this, but this is the basic overview. None of this is set in stone, and I welcome any suggestions/ideas/improvements you may have!
