
Networking - page 4

This category covers posts related to networking in general.

How To Enable SSH on VMware ESXi 5 / 5.5 / 6 & All Other Versions

Many necessary administrative functions on ESXi require SSH access. For example, offline bundles, third-party management utilities, backup utilities, and many other tasks require you to log in to the ESXi console, either via SSH or physically. This post will guide you through the process of enabling the SSH service and opening up the firewall to allow access. This process works on all versions of ESXi, including the newer versions such as 5, 5.5, and 6. Let's get started.

Enabling SSH on an ESXi host

There are two steps involved in getting SSH access set up on an ESXi host.

  • Enabling the SSH service
  • Opening port 22 (SSH port) on the firewall

First, log in to the VMware vSphere Client. You can log in directly to the host or to a vSphere server; it doesn't matter. Select the host in the left panel, then navigate to Configuration > Security Profile. Once you are there, click the Properties option to the right of Services.


Now, select SSH, then Options.


Click Here To Read The Entire Post!

How To Enable SNMP On ESXi 5 / 5.5 / 6 For Remote Monitoring

SNMP isn't exactly new technology, but it's pretty reliable and just about every monitoring system out there supports it. There are definitely more in-depth monitoring solutions for ESXi out there, but if you are looking for a quick and dirty way to monitor an ESXi host from a platform you already have, SNMP will do the trick. This post describes how to set up SNMP on ESXi 5, 5.5, and 6. I'm fairly certain it will work on older versions of ESXi as well, but I have not tested that theory.

How to enable SNMP on ESXi 5 / 5.5 / 6

There are a few steps involved in getting SNMP functional on ESXi. They go something like this.

  • Set the SNMP community string
  • Enable the SNMP service
  • Add necessary firewall rules
  • Enable the added firewall rule
  • Restart the SNMP daemon

It's a pretty straightforward process. Let's get started. First, you need to connect to your ESXi host via SSH. If you don't know how to do this, click here to read my post on how to enable SSH on ESXi. After logging in to your ESXi host via SSH, run the following commands.

#  esxcli system snmp set --communities YOUR_STRING
#  esxcli system snmp set --enable true

You will need to change YOUR_STRING to the name of your SNMP community. Many times this is PUBLIC or PRIVATE, but I suggest you use something different and unique for security purposes: with SNMP v1/v2c the community string is the only credential protecting your monitoring data.


Next, we need to add a firewall rule to allow the SNMP inbound port, and then enable it.

Click Here To Read The Entire Tutorial!

Step By Step Guide On How To Create A Site To Site VPN With PFsense Using OpenVPN With A Pre Shared Key

PFsense is one of the greatest Open Source packages out there. It is an extremely reliable, enterprise-grade routing platform. For me, it has been incredibly useful in virtualized scenarios. A common usage scenario for me goes like this. Someone wants to deploy a single ESXi host to a datacenter for backup, as a web server, mail server, spam filter, and/or various other tasks. One network interface on the server connects directly to the datacenter network. This NIC is assigned to a network on the ESXi host named "WAN." Another network (vswitch) is created on the ESXi host called "Internal Network." A pfsense virtual machine is created with two NICs, one assigned to WAN and one assigned to Internal Network. This pfsense virtual machine takes care of all routing and firewall functions for each virtual machine set up on the ESXi host. PFsense can handle multiple WAN IP addresses, firewall functionality and NAT capability. It provides all the mechanisms needed to give access to, and lock down, all virtual machines on the ESXi host. This is just an example.

This step-by-step how-to will help you create a site-to-site VPN on any virtual machine or physical machine running pfsense. The steps are the same for both. This assumes you have pfsense running on each end of the VPN. My particular scenario has pfsense running on a virtual machine at a datacenter, and another running on my home network. My goal is to allow access to the private network at the datacenter from my home network. So let's get started.

How To Setup A Site To Site VPN On PFsense

First thing's first. Here is the addressing scheme of both of my pfsense routers and their subnets. I have substituted my public WAN IP addresses for security.

Router A (set up as OpenVPN server, located at datacenter)

  • WAN IP Address: 74.51.1.1
  • LAN IP Address: 10.0.0.1
  • LAN Subnet: 10.0.0.0/8

Router B (set up as OpenVPN client, located at home)

  • WAN IP Address: 108.50.10.5
  • LAN IP Address: 192.168.1.1
  • LAN Subnet: 192.168.1.0/24

One side will be configured as a client, and the other as a server. It doesn’t really matter which is which, but if you are connecting more than two sites, it would probably be a good idea to put the “server” on the fastest, most reliable connection. In my scenario, that would be the system at the datacenter. The pfsense documentation recommends shared key mode for site to site VPNs, unless there are more than 6 sites.

Click Here To Read The Entire Tutorial!

How To Install & Configure Fail2Ban On Ubuntu 14.04 LTS To Block Brute Force Attacks Against SSH and Apache Web Server

As you've probably heard me say before, if you have a public-facing Linux server, meaning one with one or more open or forwarded ports, Fail2Ban absolutely must be installed. Fail2Ban monitors log files for excessive login attempts, also called brute force attacks. They are extremely commonplace on the internet. I have never had a public-facing server that has gone more than a few days without some hacker trying to brute force it. These attacks go like this. Someone writes a script, or uses a program, that reads a bunch of possible usernames from a text file containing nothing but millions of usernames. There is also a text file with millions of passwords. The script will attempt to go through all username and password combinations until it finds one that can log in successfully. Obviously, if you get a hundred or more failed login attempts from one IP address, nothing good will ever come from that IP, so it's pretty safe to assume it should be blocked, at least for some period of time.

Fail2Ban does precisely this. It constantly watches any log file you tell it to watch, and when a certain number of failed login attempts are logged from an IP address, Fail2Ban will automatically create an iptables rule to block all traffic from that IP address for a given period of time. Because brute force attacks take a long, long time, blocking one early on pretty much eliminates the possibility of a successful attack. In my experience, SSH is the most common service/port for brute force attacks, with FTP and POP3 (email) coming in second and third. It's a no-brainer to set up Fail2Ban to automatically block attacks. It gives you much needed protection and security for your servers. So, here we go.
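To make the mechanism concrete, here is a small Python model of what Fail2Ban does for sshd, added here as an illustration and not code from the original post or from the Fail2Ban project. It runs over constructed auth.log lines (hostname, PIDs and addresses are made up) and reports which address crossed the threshold within the time window, along with the kind of iptables rule Fail2Ban would insert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format Ubuntu 14.04 writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
May 19 11:10:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
May 19 11:10:03 srv sshd[2103]: Failed password for root from 203.0.113.7 port 51824 ssh2
May 19 11:10:04 srv sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51826 ssh2
May 19 11:10:06 srv sshd[2107]: Failed password for root from 203.0.113.7 port 51828 ssh2
May 19 11:10:09 srv sshd[2109]: Failed password for root from 203.0.113.7 port 51830 ssh2
May 19 11:12:30 srv sshd[2120]: Failed password for alice from 198.51.100.20 port 40100 ssh2
May 19 11:12:45 srv sshd[2122]: Accepted password for alice from 198.51.100.20 port 40102 ssh2
"""

# One failed-password line for any user (valid or invalid), in the spirit of the sshd filter.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts: str, year: int = 2015) -> datetime:
    """Syslog timestamps carry no year, so one is assumed (the post is from 2015)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text: str, maxretry: int = 5, findtime: int = 600, bantime: int = 600):
    """Return {ip: ban_expiry} for IPs with >= maxretry failures inside findtime seconds."""
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue               # successful logins and unrelated lines are ignored
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        window = [t for t in failures[ip] if when - t <= timedelta(seconds=findtime)]
        window.append(when)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = when + timedelta(seconds=bantime)
    return bans

def iptables_rule(ip: str) -> str:
    """The kind of rule Fail2Ban inserts for a banned address."""
    return f"iptables -I INPUT -s {ip} -j DROP"

if __name__ == "__main__":
    for ip, expiry in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"{iptables_rule(ip)}   # banned until {expiry:%H:%M:%S}")
```

The thresholds mirror the `maxretry`, `findtime` and `bantime` settings you will meet in jail.conf; the single failure from 198.51.100.20 followed by a successful login never reaches the threshold.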

How to Install Fail2Ban on Ubuntu 14.04 LTS (Trusty)

First and foremost, let’s make sure apt is updated.

#  sudo apt-get update

Now we can install Fail2Ban. Since there is already a package in the Ubuntu repositories, we will use that to install it.

#  sudo apt-get install fail2ban

Surprisingly, that's all you need to do to install it. You do, however, need to edit the main configuration file for Fail2Ban, which is jail.conf. Let's go ahead and open it up with nano and take a look.

#  sudo nano /etc/fail2ban/jail.conf

Click Here To Read The Entire Tutorial

How To Disable Firewalld and Get Old School IPTables Back In CentOS 7 and RHEL 7

When CentOS 7 was released, it was quickly obvious that CentOS and Red Hat had switched over to firewalld for firewall control. Although its syntax is a bit easier to work with than iptables, some software out there has issues with it, such as Docker. Some people just prefer to stick with the standard iptables syntax because it is what they know and what they are comfortable with. So, if you have CentOS 7 or RHEL 7 installed and want the old iptables back, this guide is for you.

First thing's first: mask firewalld so it cannot be started again.

#  systemctl mask firewalld

Now, let's stop firewalld.

#  systemctl stop firewalld

It would be a good idea to go ahead and make sure that firewalld is masked and inactive, so let's do just that.

#  systemctl status firewalld

firewalld.service
   Loaded: masked (/dev/null)
   Active: inactive (dead)

Click Here to Read The Entire Tutorial!

How to Run Bandwidth Speed Tests From the Linux Command Line With Speedtest.net

Believe it or not, there is a way to use Speedtest.net's speed test service from a Linux command line. Usually, one would fire up a web browser, go to Speedtest.net and let the Flash utility load. Obviously, this is impossible from a command line. If you have a cloud instance or virtual private server (VPS), you don't have a GUI or a web browser. So, here is how to run an Internet speed test from the Linux command line.

To achieve this, there is a package called speedtest-cli. It is a Python-based utility that has more or less the same functionality as the GUI. When run with defaults, it will locate the closest server, run a download test, then an upload test, and display the results when it's finished. You can do this by running:

#  wget -O - https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py | python

After the script downloads and runs, you’ll see something like this:

Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from AT&T U-verse (108.238.104.79)...
Selecting best server based on latency...
Hosted by TekLinks (Birmingham, AL) [103.61 km]: 30.383 ms
Testing download speed........................................
Download: 98.96 Mbit/s
Testing upload speed..................................................
Upload: 56.06 Mbit/s

Personally, I like to select a specific server from a specific location when I run a speed test. I've found that the closest server isn't always the fastest. Just because a speed test server is located a couple hundred miles from you, it does not mean the path to it is direct, and it doesn't mean their connection is fast enough to saturate your own. Not to worry, you can also select a server to your liking. There are two ways to approach this. You can either install the speedtest-cli package using your package manager, or you can download the script manually. I'll cover both.

To install the speedtest-cli package on Ubuntu:

#  sudo apt-get install speedtest-cli

After installing the package, you can simply run:

#  speedtest-cli

Now, if you’re using a distribution other than Ubuntu, or do not wish to install the package, you can simply download the script. To do that, do the following:

#  wget https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py

#  chmod +x speedtest_cli.py

The chmod command gives execute permission to the file, which is required to run it. Once you have downloaded the script, you can run it like this:

#  ./speedtest_cli.py

There are quite a few options you can use with the script. I'll go over the few that I have used. First up is --share. This option gives you a web link to share your speed test results with others. You've probably seen the little PNG result boxes before.


So to get a nice automatically generated results picture like this, just run this command:

#  ./speedtest_cli.py --share

or

#  speedtest-cli --share

It will run the speed test like normal, but the very last line will have a link to your results. Now, like I was saying earlier, I like to specify the server the speed test runs against. To do that, you first need to know the ID of the server you want to use. To get a list of available speed test servers and their IDs, run this command:

#  ./speedtest_cli.py --list | more

or

#  speedtest-cli --list | more

My favorite server's ID is 3595, so I'll use it in my example. Once you have the ID of the server you want to use, all you need to do is specify it with the --server option. Be sure to swap out 3595 with the ID of your preferred server. Like this:

#  ./speedtest_cli.py --server 3595

or

#  speedtest-cli --server 3595

There are some other pretty cool options available if you want to play around some more. You can display values in bytes instead of bits, use the URL of a Speedtest Mini server, and even select the source IP you want to bind to. If you want to check out the other options available, run this command:

#  ./speedtest_cli.py --help

or

#  speedtest-cli --help

That’s all there is to it. If you run into any troubles feel free to ask for help in the comments below. Thanks!

IP Address, CIDR Notation, ICMP, and Prefix Cheat Sheet

I’ve used this as a reference many times over the years. Keep this page bookmarked for reference.

Netmask          Netmask (binary)                     CIDR  Notes
_____________________________________________________________________________
255.255.255.255  11111111.11111111.11111111.11111111  /32   Host (single addr)
255.255.255.254  11111111.11111111.11111111.11111110  /31   Unusable
255.255.255.252  11111111.11111111.11111111.11111100  /30     2 usable
255.255.255.248  11111111.11111111.11111111.11111000  /29     6 usable
255.255.255.240  11111111.11111111.11111111.11110000  /28    14 usable
255.255.255.224  11111111.11111111.11111111.11100000  /27    30 usable
255.255.255.192  11111111.11111111.11111111.11000000  /26    62 usable
255.255.255.128  11111111.11111111.11111111.10000000  /25   126 usable
255.255.255.0    11111111.11111111.11111111.00000000  /24   "Class C", 254 usable

255.255.254.0    11111111.11111111.11111110.00000000  /23     2 Class C's
255.255.252.0    11111111.11111111.11111100.00000000  /22     4 Class C's
255.255.248.0    11111111.11111111.11111000.00000000  /21     8 Class C's
255.255.240.0    11111111.11111111.11110000.00000000  /20    16 Class C's
255.255.224.0    11111111.11111111.11100000.00000000  /19    32 Class C's
255.255.192.0    11111111.11111111.11000000.00000000  /18    64 Class C's
255.255.128.0    11111111.11111111.10000000.00000000  /17   128 Class C's
255.255.0.0      11111111.11111111.00000000.00000000  /16   "Class B"

255.254.0.0      11111111.11111110.00000000.00000000  /15     2 Class B's
255.252.0.0      11111111.11111100.00000000.00000000  /14     4 Class B's
255.248.0.0      11111111.11111000.00000000.00000000  /13     8 Class B's
255.240.0.0      11111111.11110000.00000000.00000000  /12    16 Class B's
255.224.0.0      11111111.11100000.00000000.00000000  /11    32 Class B's
255.192.0.0      11111111.11000000.00000000.00000000  /10    64 Class B's
255.128.0.0      11111111.10000000.00000000.00000000  /9    128 Class B's
255.0.0.0        11111111.00000000.00000000.00000000  /8    "Class A"

254.0.0.0        11111110.00000000.00000000.00000000  /7
252.0.0.0        11111100.00000000.00000000.00000000  /6
248.0.0.0        11111000.00000000.00000000.00000000  /5
240.0.0.0        11110000.00000000.00000000.00000000  /4
224.0.0.0        11100000.00000000.00000000.00000000  /3
192.0.0.0        11000000.00000000.00000000.00000000  /2
128.0.0.0        10000000.00000000.00000000.00000000  /1
0.0.0.0          00000000.00000000.00000000.00000000  /0    Entire IP space

Click here to see the rest!
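For the cases the cheat sheet above does not list, here is an added Python helper (not part of the original cheat sheet) that derives any row of the table from a prefix length or a dotted netmask, counts usable hosts the way the table does (network and broadcast reserved, /32 a single host, /31 listed as unusable), and rejects non-contiguous masks such as 255.0.255.0, which a cheat sheet lookup would silently accept.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def netmask_from_prefix(prefix: int) -> str:
    """Dotted-quad netmask for a prefix length 0..32 (e.g. 24 -> 255.255.255.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    bits = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return str(ipaddress.IPv4Address(bits))

def prefix_from_netmask(mask: str) -> int:
    """Prefix length for a dotted-quad mask; rejects masks whose 1-bits are not contiguous."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return prefix

def binary_mask(mask: str) -> str:
    """The mask rendered as the dotted binary column of the table."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))

def usable_hosts(prefix: int) -> int:
    """Usable host addresses, counted as the table counts them."""
    if prefix == 32:
        return 1            # a single host address
    if prefix == 31:
        return 0            # listed as unusable in the table
    return 2 ** (32 - prefix) - 2   # minus network and broadcast addresses

def cheat_sheet_row(prefix: int) -> str:
    """One line in the same layout as the table above."""
    mask = netmask_from_prefix(prefix)
    return f"{mask:<16} {binary_mask(mask)}  /{prefix:<3} {usable_hosts(prefix):>10} usable"

if __name__ == "__main__":
    for p in range(32, 0, -1):
        print(cheat_sheet_row(p))
```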