Configure SNMPv3 on Netgear GS728TP

Intro

The documentation provided by Netgear about SNMPv3 is fairly incomplete.  The GS728TP is only supposed to be managed using its web interface.  In one of my previous posts, I showed that there is actually a decently powerful CLI hidden from the average consumer.  This is one of the big differences between “Smart Managed” and “Fully Managed” switches.

Why SNMPv3?

SNMPv3 allows for the secure collection of monitoring data.  With previous iterations of SNMP (1, 2c), all traffic was unencrypted.  You can read more on the SNMP Wikipedia page.

Settings

The settings that Netgear advertises are located under System > SNMP > SNMPv3 > User Configuration. Most of the settings are represented here, but there is no mention of the Authentication Password. What confused me was the fact that didn’t say what the Authentication Password (authPassword) was.

I was eventually able to figure out that the authPassword shared the same password needed to log in to the switch.  What a terrible implementation.  Unable to find any solutions to this online, I consulted some of the other manuals I used to figure out the SSH configuration.

The Better Solution

Here are instructions to create an additional SNMP user using the command line, allowing you to keep your switch’s login password secret.

For the purposes of this post, I will be using the following settings:
Username: myuser
Group: default (I picked this because its what group the admin user is in)
Authentication Protocol: SHA, and key: secretauthkey
Privacy Protocol: DES, key: secretprivkey

  1. Connect to the command line of the switch
  2. Get a printout of the current snmp users using show snmp users. You should see your login password next to Auth.
  3. Add a new snmp user
    1. Enter configuration mode by typing configure
    2. Create the new user using:
      snmp-server user myuser default v3 auth sha secretauthkey priv secretprivkey
    3. You can also restrict the switch to only listen to requests from a particular IP address using remote at the end of the previous command. Use “?” to see details.
  4. Exit configuration mode using exit
  5. Verify proper settings using show snmp users

Remember, you can always send a question mark (?) to have the switch show any available documentation.

Posted in WPPC Networking Project | 1 Comment

Time for a New Dotfile Setup

Time for a New Dotfile Setup

Currently, I have all my dotfiles hosted in a private repo on Github. Unfortunately, the way I have them setup is not very straightforward, and since it has sensitive information in it, I haven’t been able to make it public. I know I could sanitize it, but I’m sure there are better ways to handle dotfiles out there.

I’ve pondered writing my own setup, but I’ve also found some pretty solid setups on Github. One in particular by skwp is very extensive.  He refers to is as YADR, or Yet Another Dotfile Repo. According to the repo, he’s been working on it since 2011 and it really shows.  I’m going to fork it and test it for a week or so.

Installation

The YADR repository is setup to be installed on Mac OS, however, I plan to run it on Linux — specifically Ubuntu 16.04.  I will also try it on Centos 7 as we run RHEL and Centos at work.  I’ll also try to post any hiccups encountered with using Terminator.

I found this web page that talks about changes that need to be made for YADR’s repo to work on Linux.  It was posted back in 2014, so I don’t know if the information is still current. So far I know I had to do most of the things he outlined in the After installing YADR section (setting Terminator background, fonts).

Missing prereqs

Maybe I overlooked it, but I think there were some prerequisites that skwp assumed you had installed.  While the script did a lot, I don’t think it checked if zsh was installed — I had to install it manually. Also, ruby and rake might not be installed on your distro.

To be continued

I will be adding more to this soon…

 

Posted in Linux | Leave a comment

Osiris Ransomware Removal from Google Drive

Intro

A few months ago a friend contacted me about ransomware that infected his parents’ desktop computer. This particular ransomware was a variant of Locky named Osiris. In addition to encrypting the files, it scrambled the filenames making it impossible to identify files.

Fortunately for them, they had fairly recent backups of most of their files. Unfortunately, they didn’t have backups of files in their Google Drive. All hope was not lost, however. While Google Drive doesn’t have a restore entire account to a previous state in time feature, they do keep a revision history for each of your files. Thankfully we verified that the files did, in fact, have previous versions containing the unencrypted and originally named files.

Automating the Removal

Now that we knew remediation was possible, we needed to find a way to automate the recovery of hundreds of files. Luckily I found a repository on Github with a script that Catalysts wrote to do this process. The only problem was that it was written for a different variant of ransomware.

After making some modifications, I was able to get it to work! Because the malware scrambled the original filename, I had to add logic to retrieve the original filename from its revision history.

You can find my fork of the repository here.

Posted in Uncategorized | Leave a comment

Part 2: Updating DDNS on EdgeRouter Lite Using Crontab

Since my first post on this subject, I found a better way of doing it.

There is a feature called task-scheduler, which seems to be a wrapper for cron. The benefit to using it, however, is that your commands get saved in /config which ensures that they get copied over during firmware upgrades.

As usual, Ubiquiti’s community forums were very helpful in figuring this out. This post got me started.

These commands should be all you need to setup the task-scheduler similarly to how I had cron setup in the first post.

configure
set system task-scheduler task ddnsupdate
set system task-scheduler task ddnsupdate crontab-spec '0 20 * * 0'
set system task-scheduler task ddnsupdate executable path '/config/scripts/'
commit
save

That’s it!

Bonus

If you noticed earlier, I moved the actual ddnsupdate script to /config/scripts/ which ensures that it gets copied after a firmware upgrade.

Also, you can check that those commands actually created the cronjob in /etc/cron.d/vyatta-crontab

### Added by /opt/vyatta/sbin/vyatta-update-crontab.pl ###
0 20 * * 0 root /config/scripts/ddnsupdate
Posted in WPPC Networking Project | Tagged , | 3 Comments

Breaking Into My Own VMs

Intro

Recently I found myself locked out of a VM that I have hosted using KVM. Unfortunately, I could no longer remember my account’s password, and I hadn’t saved it in my password locker.

The VM (domain) is running Ubuntu Xenial 16.04.1, and the image type is a qcow2. KVM is running on Debian Jessie 8.6.

Mounting the VMs Image

After searching for someone with a similar problem, I found this page which got me started.

Important: Be sure that your VM (domain) is shutdown before proceeding. (Follow steps 2-4 on that guide)

Once I got to step 6, I realized that they were using .img images instead of qcow2. Next, I found this page which showed me how to mount a qcow2 image to my host. Not knowing exactly how my images were set up, I started following the guide from the 4th paragraph “To mount qcow2 images …”

Here’s an example of the commands I ran

modprobe nbd max_part=63
qemu-nbd -c /dev/nbd0 <path to qcow2 image>
mkdir -p /mnt/image
mount /dev/nbd0p1 /mnt/image

Once I got to the next paragraph which talked about LVM, none of the commands worked, and I realized I wasn’t using LVM. At this point, I tried browsing to /mnt/image/ and saw that it had, in fact, mounted the image properly.

Editing /etc/shadow

So I went back to the original guide I found. Step 13 shows how to edit /etc/shadow to remove an account’s password.

Basically just remove the encrypted password. You can read more about /etc/password on this nixCraft page.

Example:
Old:

root:$8$gbwrd7.g/:5345:0:99999:7:::

New:

root::5345:0:99999:7:::

Important: To allow you to SSH into the machine, you’ll either need to go into /etc/ssh/sshd_config and enable empty passwords, or copy a public key into the user’s ~/.ssh/authorized_keys file. (I chose the latter.)

Unmount and cleanup

Now it’s time to unmount the disk from the system and qemu-nbd. To do that, run these two commands. In the second guide that I linked to, they mention running killall qemu-nbd instead of qemu-nbd -d /dev/nbd0. I don’t think that’s a good idea. Someone in the comments mentioned using the qemu-nbd -d command, which seems to properly disconnect the image.

umount /mnt/image 
qemu-nbd -d /dev/nbd0

Start the VM and Set a New Password

You can now start the VM using virsh start <domainname>

Once you are logged in, you can use the passwd command with no arguments to set a password for your account.

Posted in Linux | Tagged , , , , | Leave a comment

Updating DDNS on EdgeRouter Lite Using Crontab

Backstory

Earlier this summer when I was working more on the new church networking equipment, I decided that they needed a hostname for external access. Since their website is hosted somewhere else, there’d been no need for a real domain name to point at the router.

Currently, I am using No-IP’s free Dynamic DNS (DDNS). The inconvenience of No-IP is that they require you to update or refresh your hostname every month to keep them from expiring. There are a number of different ways to do that, but in this case, I wanted my EdgeRouter Lite to update No-IP with my current external IP address.

Configuring ERLite for No-IP

As of firmware 1.8.5, the ERLite natively supports No-IP, and I configured it from the command line as follows:

configure
set service dns dynamic interface eth0 service noip host-name **myhostnane.com**
set service dns dynamic interface eth0 service noip login **mynoipemail**
set service dns dynamic interface eth0 service noip password **mynoippassword**
set service dns dynamic interface eth0 service noip protocol noip
commit
save
exit

See this page for more details. (Note that the page is old, and doesn’t show noip as a protocol, but per this forum post, it’s available in firmware 1.8.5 and later)

The Problem

To my surprise, however, the ERLite does not send an update to the DDNS provider unless the external IP address changes. (See the last paragraph of this page) While we don’t have a static IP address from our ISP, it doesn’t tend to change. So this was becoming a problem.

Ever since I set this up, I’ve been getting emails every month saying “Your hostname is expiring, click here to renew”. The would always catch me at a busy moment, but I’d click the button and promptly forget about it.

Today was the day that I was finally going to solve this issue.

A Solution

I knew that the No-IP configuration in the ERLite was correct, because if I clicked the Force Update button from the web interface, or issued update dns dynamic interface eth0 from the CLI, No-IP would show it as being refreshed. (If you go to No-IP’s website, you can see the last time that your hostname was refreshed.)

Now I just needed to find a way to script this.

Being a small Linux box, the ERLite has cron functionality. If I could just add the above command to root’s crontab, this would be an easy fix. I tried that, but it didn’t work. At the time I didn’t realize that the update command was actually alias update='_vyatta_op_run update. After some more digging, I found that this pointed to this Perl script:

sudo /opt/vyatta/bin/sudo-users/vyatta-op-dynamic-dns.pl --update-ddns --interface "$IFNAME"

My first reaction was to add this to root’s crontab, and it worked! But I wasn’t satisfied. I am usually a little leery of bypassing wrappers that are written by the devs.

The Better Solution

I then stumbled on this page on How to Run Operational Mode Command From Scripts. This was exactly what I was looking for. The vyatta-op-cmd-wrapper is what I needed to be able to properly call the update dns dynamic interface eth0.

Here is the script I now have called from root’s crontab.


#!/bin/bash
# Author: Hans Guthrie
# Date: 11/5/2016
# Purpose: Updates dynamic dns (ddns) on eth0.
# This is needed because our current ddns supplier, noip, expires your hostname after 28 days of inactivity.
# Surprisingly there's no better way to accomplish this than to use a cron job.
# Takes advantage of the operational command wrapper that is documented here:
# https://help.ubnt.com/hc/en-us/articles/204976164-EdgeMAX-How-to-run-operational-mode-command-from-scripts-
# Load the operational command environment variables
run=/opt/vyatta/bin/vyatta-op-cmd-wrapper
# Update the ddns on eth0
$run update dns dynamic interface eth0

view raw

ddnsupdate

hosted with ❤ by GitHub

Note that this is also why my original attempts at just adding update dns dynamic interface eth0 to root’s crontab failed.

Bonus Tidbits

Here are a couple commands I found useful for troubleshooting.

$ show dns dynamic status
  interface : eth0
  ip address : XXX.XXX.XXX.XXX
  host-name : myhostname.ddns.net
  last update : Sat Nov 5 15:13:05 2016
  update-status: good

This one shows the ERLite’s configuration for the DDNS provider.

$ configure
# show service dns dynamic
  interface eth0 {
      service noip {
          host-name **myhostnane.com**
          login **mynoipemail**
          password **mynoippassword**
          protocol noip
      }
  }
Posted in WPPC Networking Project | Tagged , | 3 Comments

Syncing Google Drive Folder to a Network Drive on Windows

Intro

A friend asked me if it was possible to sync a particular folder he had on Google Drive to a network drive.  Apparently, the official Google Drive client only allows you to sync to NTFS partitions, and the network drive was a samba mounted ZFS share.  Upon researching, I found conflicting info. Some people said symbolic links worked, and others said to use hard links or even NTFS junctions.

Here’s what I ended up doing. I wouldn’t be surprised if there’s a better way, but this worked for me.

Install Google Drive

You’ll need to install the Google Drive application if you haven’t done so already. If you only want to download one folder (like me), be sure to uncheck all the other folders in the sync options.

For this example, I will assume two things:

  • The network drive is mounted to Z:\
  • Google Drive was set to sync to the default path of C:\Users\<username>\Google Drive

Create the link

Open a command prompt as administrator. We will be using the mklink command to create a directory symbolic link.  The basic syntax for this is as follows: <link> is where it is going to put the new link, and <target> is the destination of the link, or in this case the folder on the network drive.

mklink /D <link> <target>

Here’s an example of the command I used:

mklink /D  "C:\Users\<username>\Google Drive\DownloadThisFolder" Z:\<NetworkFolder>

Notes:

  • Be sure you don’t have a folder named “DownloadThisFolder” in your Google Drive
  • Ensure that <NetworkFolder> already exists
  • Use quotes around paths that include spaces

Move Files Into Link

Once the link is created, it should show up on the Google Drive web interface as a folder. From the web interface, move whatever folder you want to download into the newly created folder.  You should start to see Google Drive sync down the contents to your local network drive.

Posted in Windows | Tagged , , | Leave a comment

Enable SSH on Netgear GS728TP

When I got the GS728TP I was fairly surprised that Netgear claimed the only way to configure it was through their web management interface.  While the web interface is fine for basic configuration, it is slow and freezes if you don’t let the page load completely before clicking. I was not satisfied with this being the only configuration option and luckily found an alternative.

  1. Enable Telnet
    In the manual, Netgear mentions that you can enable telnet “for diagnostic purposes.” To do this, go to Maintenance > Troubleshooting > Remote Diagnostics.
  2. Login
    Once you have telnet enabled, connect to it using your favorite telnet client. (Putty works great on Windows). The password is whatever you use to login to the web interface.
    Username: admin
    Password: <web interface password> (default: password)
  3. Enter Configuration Mode
    Once you are logged in, you will be at a command prompt with the name of your switch followed by # symbol.
    Type config to enter configuration mode.
  4. Enable SSH
    Type ip ssh server to enable ssh access. When you press enter, it will save the configuration immediately, and you will see something like
    27-Jan-2016 16:16:41 %COPY-N-LOGGINGFILECOPYSTOP: stop log messages related to file copy operations
    27-Jan-2016 16:16:43 %COPY-N-LOGGINGFILECOPY: start log messages related to file copy operations

    Wait for this to finish before issuing another command.
  5. Enable Password Auth
    Next, enable password authentication by typing ip ssh password-auth. Again, you will see messages while it saves the configuration.
  6. Change SSH Port (optional)
    You can optionally change the SSH port by typing ip ssh port <port number>.
  7. Change SSH Timeout
    You can view and change the SSH timeout (as well as other options) from the command line. Enter config mode and then type line ssh. The prompt will now show (config-line)#. Type do show line ssh to view the current configuration, and you’ll see that by default the SSH timeout is 10 minutes. You can increase it to 60 minutes with exec-timeout 60.

If you want to setup public key authentication, you can try following this guide I found. I have not verified that this works on the GS728TP, but I suspect that it would.

Posted in WPPC Networking Project | Tagged , , | 17 Comments

Upgrading Church Network

Overview

Recently I’ve been spending a lot of time upgrading the network at the church I attend. Our existing network consists of a simple router and a few access points.  Anyone who has access to the WiFi has access to our wired church computers, copier, etc.  We want to separate guests/members from our private network.  In the mean time, we are continuing to use our existing setup until the new system is ready. We are not a huge church, and don’t have unlimited funds.

I plan to have multiple VLANs and subnets.  New WiFi access points will be powered with PoE, and capable of SSID-to-VLAN tagging.

Hardware

A few months ago, after quite a lot of research, we purchased a Netgear GS728TP and two EnGenius EAP600 access points. Originally I was going to use pfSense as a firewall and router, but after using a Ubiquiti EdgeRouter Lite at home and considering power consumption, I opted to purchase one for this application.

Network Configuration

The VLANs and subnets we plan to have are shown in the table.

VLANDescriptionSubnet
10Admin/Infrastructure/Management192.168.10.0/23
20Wired Computers192.168.20.0/23
30Guest WiFi192.168.30.0/23
40Separate, Internal Group192.168.40.0/23
50VPN192.168.50.0/24

Currently I have the ERLite configured with this configuration. It has a dhcp server for each subnet and is set to masquerade traffic from all VLANs to the WAN. (I don’t think this is how I should have it setup.)  I want VLANs 30 and 40 to be configured the same, and to only have internet access, and do not want clients to be able to see each other. As you can see from the config, VLAN 10 has access to all the other VLANs, but none of the other VLANs can access any hosts outside of their VLAN. I also plan to configure it to block hosts on VLAN 30 and 40 from communicating with other hosts even within their VLAN.
Note: VLAN 40 is not a network that we plan to normally have active. The idea is that we can enable unencrypted access if we have a conference or election day at the church and will have many temporary users.

The GS728TP is connected to the ERLite on port 23, and passed traffic tagged with the four VLANs to the WiFi APs. The raw configuration for it is here.

Things that I am still trying to get figured out:

  • Potentially improve the design of the existing firewall rules
  • Block hosts from communicating with other hosts inside their VLAN/subnet
  • Allow DNS resolving from Admin VLAN to other VLANs/subnets
  • Port forwarding to specific hosts. I have been unable to successfully setup port forwarding to any hosts.

I will add more detail to this, but this is the basic overview.  None of this is set in stone, and I welcome any suggestions/ideas/improvements you may have!

 

Posted in WPPC Networking Project | 5 Comments

First Post!

Hello anyone who is reading my blog. I plan to use this to share things that I’m working on, or other technological stuff that I find interesting.

Posted in Uncategorized | Leave a comment