<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0">
  <channel>
    <title>The I.T. Machine Inc.</title>
    <link>http://www.theitmachine.com/</link>
    <description></description>
    <!-- optional tags -->
    <language>en-us</language>           <!-- valid language goes here -->
    <generator>Nucleus CMS v3.24</generator>
    <copyright>©</copyright>             <!-- Copyright notice -->
    <category>Weblog</category>
    <docs>http://backend.userland.com/rss</docs>
    <image>
      <url>http://www.theitmachine.com//nucleus/nucleus2.gif</url>
      <title>The I.T. Machine Inc.</title>
      <link>http://www.theitmachine.com/</link>
    </image>
    <item>
 <title><![CDATA[*sniff, sniff* What's that I smell, CrapWare?]]></title>
 <link>http://www.theitmachine.com/index.php?itemid=15</link>
<description><![CDATA[Why write something original when someone else already did, that's what I always say. Machines are loaded for bear (that's a technical term) with all manner of junk we (mostly) invite onto our computers. And the question people always have for me is, 'how did I get that?' Often, they follow with 'Don't I have antivirus software installed?' To them I say, 'Leave me alone, I'm Googling Justin Bieber to figure out who/what he/that is!'<br />
<br />
But after I calm down and they give me a twenty, I tell them, no matter what you do, you're pretty much hosed. The fact is, you probably did it to yourself, although that is nothing to be ashamed of. Some sites you just need to visit to get the pop-up, and they come up fast, so you may even accidentally click on a naughty bit. Or, you get duped into thinking it is really from your antivirus, or from Windows itself.<br />
<br />
Well, Bob Sullivan posted a nice piece on his top 5 internet scams recently. If it is still up, check out his blog <a href="http://redtape.msnbc.com/2010/03/most-people-think-theyll-never-fall-for-a-scam-in-fact-that-frame-of-mind-is-precisely-what-con-artists-look-for-those-who.html?Gt1=43001">here</a>.<br />
<br />
If the link is broken, here are my two favorite parts:<br />
<br />
<b>Fake or "rogue" anti-virus software</b><br />
<i>We've all seen the pop-ups: "Your computer is infected! Get help now!" <br />
If you've ever clicked through such an ad (really, a hijacking), you know that the price for freedom is $20 or $30 a month.  At first, the ads were clunky and the threats idle. But now, many pop-ups are perfect replicas of windows you would see from Windows or an antivirus product. Some sites actually employ so-called ransomware, which disables your PC until you pay up or disinfect it with a strong antivirus product. That's why consumers forked over hundreds of millions of dollars to fake antivirus distributors in 2009, according to the Federal Trade Commission. <br />
<br />
Your best bet?  Make a plan now.  This is the one scam that just about anyone can fall for.  The best protection of all is to back up your important files, so the day your computer is hacked, your digital life won't be on the line.  It's also important to have a fire extinguisher nearby.  A second PC or laptop is often your best help when disaster strikes.  Many viruses disable Internet access, so you'll need a second computer to research your infection and download disinfectant software.  Have a flash drive nearby, too, so you can move the inoculation from one computer to the other.<br />
<br />
Meanwhile, if you aren't paying for antivirus software, at least employ one of the popular free products like AVG or Windows Defender</i><br />
<b>Becoming a bot</b><br />
<i>You may not know it, but your computer might be a criminal.  Botnets -- armies of hijacked home computers that send out spam or commit other crimes -- remain the biggest headache for security professionals. The various botnets ebb and flow in size, but at any given time, tens of millions of computers on the Web are under the influence of a criminal. No one thinks it's their PC, of course, but look at the odds. If one estimate claiming 100 million infections is accurate, then about one out of every 20 computers in the world is infected.  In other words, someone in your extended family is aiding and abetting a spammer.<br />
<br />
How can this be? Victims typically don’t notice the criminal activity.  Cyberthieves can easily use your machine without leaving a trace or slowing down your PC performance. They do not deposit e-mails in your sent items folder. Instead of sending 1 million e-mails from your machine, they send one e-mail every hour from 1 million infected machines.<br />
<br />
Any honest antivirus company will tell you that there is so much new malicious software created every day that the good guys simply can't keep up. The Web is jammed full of e-mails and Web sites that can turn your home computer into a bot. Your PC could very easily be safe today but at risk tomorrow. That's why it's so important to keep your computer's security tools up to date. But you shouldn't assume that this will keep you 100 percent safe. Avoid the Web's seedier side, and don't let the kids download illegal music or games, a main source of infections. And always keep on the lookout for strange programs, files or surprising hiccups from your machine. </i><br />
<br />
<br />
Now, the thing to note in the second one is the part about antivirus companies not keeping up. It's true. And when you find one that is best, most likely in 6 months to a year, it won't be any more. And the bots are tricky. Qwest keeps shutting down a client of ours, and we have run full tests with Symantec Antivirus, MalwareBytes and ComboFix on every machine and find nothing. Sure, any geek can say 'whu-hay! that's crappy software and you should be using blahblahblah...' but that's not very helpful, now, is it? For this client, being a non-profit meant getting Symantec for like $50 for their whole server environment - too good to pass up. It is not realistic to say that what is likely the market leader is not good enough, even if it's true. I.T. guys can hardly keep up with which products work which week and how well, much less your average business owner.<br />
<br />
So what is the take-away?<br />
<br />
Get smart. You have to pay more attention to your computer if you want to avoid this stuff. Know what antivirus you have, so you are not fooled by the fakery. Buy your kids an Xbox - it's cheaper than cleaning off your PC. Honestly, I would keep kids off your PC for anything but homework until they can afford to FIX the computer you are likely going to give them. Seriously. Teach them that responsibility early. Clicking on the link their idiot friend sent them will be less appealing if they think about having to fork over $150 or more to have a decent technician remove their crapware.<br />
<br />
I have to get back to work now, but I thought Bob's blog post was too good not to reproduce without his consent.<br />
<br />
<br />
<br />
]]></description>
 <category>General</category>
<comments>http://www.theitmachine.com/index.php?itemid=15</comments>
 <pubDate>Fri, 26 Mar 2010 16:11:36 -0500</pubDate>
</item><item>
 <title><![CDATA[SharePoint Folder Copying]]></title>
 <link>http://www.theitmachine.com/index.php?itemid=14</link>
<description><![CDATA[Well. Until I start my SharePoint For Admins Who Hate Book-Learnin' blog, I guess I will port this here so's I don't forget what I did.<br />
<br />
My client had me set up a basic FTP-Replacement-Style SharePoint site for one of their clients. Easy. Just created a bunch of Document Libraries in a basic site and away we went. End user contacts me with the question, 'how do I copy my 24 subfolders to my 155 patient folders?' That was a good question. I did not create templates, as I had no idea what the end structure would dictate, and I am not inclined to spend too much time planning out this site, which is needed right away, and is simply a way for multiple groups to get to some PDF files.<br />
<br />
So, I figured, let's just use Explorer View to copy and paste into the other folders. Sure enough, that worked. Sort of. The folders all showed up, but in the Hierarchical view that we prefer, over in the left column, I saw no little + sign to expand the folder structure. Hmmpf. That + sign is one of the reasons I like the Hierarchical view to begin with.<br />
<br />
Logged out, back in, as different user - nothing. So I tried saving the whole DocLib (which in this case was really more than I wanted) as a template and then using it for a new DocLib. That put back the little + signs. So I thought about it, and figured now I would have to give the end users even more rights than I already had given them, and teach them how to use templates.<br />
<br />
This was not excellent.<br />
<br />
I did some quick looking on the electronic inter-webs, and found not so much, mainly because I could not figure out a decent set of search criteria.<br />
<br />
But then I remembered that, when converting a project that lives on a traditional server file structure, I use Explorer View to drag entire file structures over, so I thought, let's try that.<br />
<br />
And sure enough, that worked. So here it is, for any odd soul who ends up here at a blog I update every eon:<br />
<br />
1. Create the proper subfolder structure in SharePoint one time (assuming you do not have a structure built on your computer or network already).<br />
2. Switch to Explorer View, and copy all folders, and then paste them into some temporary location on your desktop.<br />
3. Select all the files in that temporary location and copy them.<br />
4. Move to the next location in SharePoint that needs the subfolder structure making sure you are still in Explorer View, then paste them back.<br />
5. When you switch back to your normal view, the + signs will be there.<br />
<br />
When I instructed the end user on this procedure, I had them open the temporary folder next to the IE window running SharePoint so they could just drag and drop. Come to think of it, I never really actually used cut and paste - I only did the drag and drop, but I assume cut and paste would work as well.<br />
<br />
This seems odd to me that it works in such a way, but it is actually not all that hard to do this, and allows for creating desired structures "offline" as it were, and then dragging things into SharePoint.<br />
<br />
I know that there is likely a more SharePointy way of doing this using command lines and templates and whatnot, as well as a whole community of nerds who will say that the whole point of SharePoint is to get rid of traditional file storage structures, but I don't care. This needed to be quick because of the immediacy of the need. And for those "flat-file-structure" nerds... get real. You are most likely the kind of I.T. people that regular folks dislike.<br />
<br />
Nick Burns, I'm talking about you...]]></description>
 <category>General</category>
<comments>http://www.theitmachine.com/index.php?itemid=14</comments>
 <pubDate>Fri, 22 Jan 2010 12:40:10 -0600</pubDate>
</item><item>
 <title><![CDATA[Careful Clicking]]></title>
 <link>http://www.theitmachine.com/index.php?itemid=13</link>
<description><![CDATA[Apparently, it's malware season.<br />
<br />
Here is a tip for anyone out there: don't say yes to anything, ever. Well, that might be a little harsh, but it will help you avoid some headaches. Today, we had about three clients who seem to have gotten themselves some Internet Security 2010 action, and that's not great.<br />
<br />
I think a key for everyone is to know what products they have installed that relate to all things virus-y. So, if you have Norton, never say yes to anything but Norton. Same for AVG, McAfee, TrendMicro, Kaspersky, etc., etc.<br />
<br />
Also, be careful of the Windows Security Center. I actually tell that thing to never alert anyone about anything, as some of the most prevalent malware spoofs the look of this legit Windows control panel and causes all sorts of trouble, getting people to think they are unprotected and whatnot.<br />
<br />
And because it is kind of my 'thing,' I also want to put a word out there about buying comprehensive antivirus/antimalware/antirootkit/antispyware/antimycomputerbootsinlessthan60minutes: No matter what you have installed to 'protect' yourself, the best way is to have a little knowledge. When you take time to understand what your computer is doing, and what is installed on it, you can avoid almost all spyware and malware. Certainly, some can find its way to your computer in a sort of drive-by way, but for the most part, it is you who installs it on your machine. Yes, likely unintentionally as a result of evil malicious trickery, but it is likely you who put it there.<br />
<br />
Be careful out there. And, if you like history, go out and buy a new computer, load a copy of Norton Anti-Everything, and feel the equivalent power of a good old 486DX2 running the newest WordPerfect. Feel the burn!]]></description>
 <category>General</category>
<comments>http://www.theitmachine.com/index.php?itemid=13</comments>
 <pubDate>Fri, 15 Jan 2010 16:59:31 -0600</pubDate>
</item><item>
 <title><![CDATA[Deactivating Adobe Products]]></title>
 <link>http://www.theitmachine.com/index.php?itemid=12</link>
<description><![CDATA[I have noticed that, when I go to deactivate an Adobe product in preparation for moving to a new computer, the option to deactivate is grayed out. Specifically, I am usually trying to deactivate Acrobat Pro 8, but I have noticed this with at least one other Adobe product.<br />
<br />
Well, it would seem that you have to just let Acrobat sit open for a minute or two, and then the option is available. Since I usually am booting the machine one last time just to deactivate Acrobat, I have never waited the seemingly long minute it takes before a couple days ago. At first I thought, maybe I had to have it check for updates or something to "wake it up." But no, you just need to wait about 60 seconds.<br />
<br />
How about that?]]></description>
 <category>General</category>
<comments>http://www.theitmachine.com/index.php?itemid=12</comments>
 <pubDate>Tue, 24 Nov 2009 15:40:56 -0600</pubDate>
</item><item>
 <title><![CDATA[Near-Line SAS drives]]></title>
 <link>http://www.theitmachine.com/index.php?itemid=11</link>
<description><![CDATA[<i>So I'm pricing a new server for the first time since the Dow Jones lost six hundred million points and I had to put off retirement until just before the Y3K bug gets fixed, and I go to start adding my hard drives. Then I see some words I did not see the last time I did this. What in von Neumann's ghost is a "Near Line SAS" drive, and should I buy a bunch of them for my client?<br />
<br />
A quick search of Google turned up the following article, which is just so super-terrific that I am not only going to link to it, but just cut and paste it right <a href="http://storageadvisors.adaptec.com/2006/11/02/seagates-definition-of-nearline-drives/">here</a>, because this is the Internet and there are no rules.<br />
<br />
It does not really compare performance, but it does a good job of placing it right in between SATA and SAS, which I guess I already knew based on price, but it was nice to read some facts and all.<br />
<br />
-Mike</i><br />
<br />
<b>Seagate’s definition of nearline drives</b><br />
Posted in <a href="http://storageadvisors.adaptec.com/category/storage-interconnects-raid/">Storage Interconnects & RAID</a>, <a href="http://storageadvisors.adaptec.com/category/tom-treadway/">Advisor - Tom </a>by Tom Treadway <br />
<br />
A few days ago I sat through an SNW session presented by the venerable Scotsman Willis Whittington of Seagate. He even had a “beam me up Scotty” joke. A great time was had by all.  <br />
<br />
Willis went through a good comparison of desktop drives and enterprise drives. I think a lot of these differences are well understood, but just for some quick background: ATA has historically been used in the desktop and SCSI/FC in the enterprise. Recently the ATA interface has migrated to SATA and SCSI has migrated to SAS. Desktop drives are big (capacity-wise), cheap and fail often. Enterprise drives are smaller, expensive and fail less often. That’s a gross over-simplification, but I think it works.<br />
<br />
(BTW, those characteristics have nothing to do with the drive interface. They’re just arbitrary differences created by the drive industry. But enough about that…)<br />
<br />
I’m not going to bore you with another discussion of the differences in desktop and enterprise drives. Instead, I will bore you with a discussion of a new type of drive called “nearline”. These nearline drives have actually been around for a year or two, but their actual definition has been debatable. I think everyone would agree that nearline drives have the low cost and high capacity of desktop drives but with the higher reliability of enterprise drives. They’re typically used for storing large amounts of data that doesn’t have to be as fast as the local enterprise drives but does need to be reliable and always online.<br />
<br />
Well, Willis presented a very good overview of how Seagate’s nearline drives are different from their desktop and enterprise drives. Of course other vendors are free to choose their own definition of nearline drives. But I like Seagate’s definition.<br />
<br />
The first difference that jumps out is the Mean Time Before Failure (MTBF), or the total lifetime of an average drive. Note that the MTBF of a drive comes from the manufacturer and the numbers have somewhat of a marketing slant to them, so take them with a small grain of salt.<br />
<br />
Desktop drives are spec’ed to have an MTBF of 0.6MHours while enterprise drives are spec’ed to have 1.6MHours. Note that the desktop MTBF is not for a 24×7 duty cycle like enterprise. Desktop typically has a duty cycle of 8×5, or something similar. Nearline drives are somewhere in the middle at 1.2MHours.<br />
<br />
The next difference is Rotational Vibration (RV) tolerance, or the tolerance of the drive to external vibration from other drives in the cabinet. RV is measured in radians/sec, but don’t bother trying to understand what that means. All that matters is that bigger numbers are better than smaller numbers.<br />
<br />
So a desktop drive is spec’ed to run up to 6 rad/s, while an enterprise drive is spec’ed for up to 20 rad/s and often much higher. So what the heck does that mean?<br />
<br />
Assume that a drive with no external vibration will run at 100% of its spec’ed performance. In the Seagate world of desktop drives that same drive will run at 80% performance if presented with an RV of 6 rad/s. It’s interesting to note that there is a quick drop-off beyond the rated 6 rad/s, with a desktop drive getting 10% performance at 20 rad/s.<br />
<br />
In comparison, an enterprise drive gets 100% performance at 0 rad/s and 99% at 20 rad/s. There’s hardly any dropoff. In fact, the enterprise performance only drops to around 95% at 60 rad/s.<br />
<br />
Of course the purpose of this post is to talk about nearline drives, and they are rated at 12.5 rad/s – again somewhere in between desktop and enterprise.<br />
<br />
The next difference in desktop and enterprise is the amount of data protection (or error correction) in the datapath. Desktop drives have next to none, while enterprise drives have various types of protection including IOEDC. IOEDC is used to protect the data in the drive buffer via parity or ECC. This enterprise feature has been incorporated into nearline drives.<br />
<br />
Error recovery is probably the most well known feature of nearline drives. Typically a desktop drive is used in a solitary, non-RAID environment. Often this drive contains the only copies of your mother-in-law’s Orlando vacation photos, and you better not lose them! So a desktop drive will do whatever it takes to recover data. This can mean 30-60 seconds of retries. For a home user, that’s no big deal – just sit there and wait.<br />
<br />
But if these drives are used behind RAID controllers, the controller will probably give up long before the drive – typically closer to the 10-15 seconds that are common on enterprise drives. Since nearline drives are often used in large disk farms that contain critical data it’s common to use them with RAID controllers. Therefore nearline drives have error recovery timeouts similar to enterprise drives.<br />
<br />
Workload management is a new feature that is typically found only in nearline drives. These drives are often used in very densely packed disk farms where heat can be a major problem. So nearline drives will detect a specific temperature threshold and will enter a mode where every write command is turned into a read-after-write command. This simply means that after every host write the drive will read the data back to make sure it was written correctly.<br />
<br />
This read-after-write does two things. First, it interjects a full disk rotation delay (4-8ms) into every host write. Since seeks are the major cause of heat, this delay significantly reduces temperature. A second benefit is that write data often becomes corrupted in high temp conditions, and the read-after-write will verify that the data was written correctly. If not, it’s re-written.<br />
<br />
Next there’s the issue of power management. Desktop drives aren’t accessed as often, and therefore automatically spin down to save power and reduce noise. Enterprise drives have a much higher duty cycle and can’t typically be spun down, unless they’re spun down by command from the RAID controller or OS. Unexpected delays due to spin-up can cause undesirable latencies in accessing data.<br />
<br />
So nearline drives do something in between. They power down certain circuitry but they don’t actually spin down the drive. This circuitry can be re-powered in almost unnoticeable timeframes.<br />
<br />
Microcode download is important with enterprise drives. SCSI, SAS and FC drives have always had well-known commands for flashing new code to the drives. Enterprise drive users always expect the utmost in reliability, and unfortunately this is often achieved by upgrading the drive firmware.<br />
<br />
On the other hand, expectations are low for desktop drives and therefore it’s very rare for anyone to upgrade the firmware. If a drive doesn’t work it’s easier to throw it away and buy a new one. These drives are practically free compared to the price of an enterprise drive.<br />
<br />
Nearline drives are used in a manner more similar to enterprise drives, therefore they need the firmware download capability. And since there are often so many of these drives in the disk farm, it’s impractical to flash and reboot them one at a time. Therefore nearline drives typically support a feature where the new microcode image is staged to a reserved section of the disk, and is then read and flashed during the next restart. This allows all of the drives (dozens or hundreds, perhaps) to be flashed in unison.<br />
<br />
Lastly, there’s the Write Same command. This is a command used by RAID controllers to more efficiently initialize an array – for example writing all zeros to the drives. Again, nearline drives are often used in arrays so this is a useful command.<br />
<br />
So, that’s the story of nearline – at least according to Seagate. But it’s a good story, and I buy it. Of course when you’re looking at other vendors’ nearline drives not all of these features may exist. But they’re probably pretty close.<br />
<br />
Enjoy,<br />
TT <br />
<br />
<br />
]]></description>
 <category>General</category>
<comments>http://www.theitmachine.com/index.php?itemid=11</comments>
 <pubDate>Mon, 2 Nov 2009 14:13:53 -0600</pubDate>
</item><item>
 <title><![CDATA[Laptop Longevity, or, I Should Start Backing Up My Data, Eh?]]></title>
 <link>http://www.theitmachine.com/index.php?itemid=10</link>
<description><![CDATA[If you buy a laptop today, expect it to last for about two years. Unfortunately, the way it will die is that the hard drive will fry in some way or another.<br />
<br />
That means backing up your data is more important now than it has been in the past. Way back in 2001 or 2002, we met with the folks at Ontrack Data Recovery about a partnership of sorts. We even toured their facility. Thing was, we never needed their services.<br />
<br />
That was then. Since January, I have had three systems needing their disaster recovery service. Only two ended up using the service, at the DISCOUNTED cost of around $1500. And in one case, that was not for total data recovery - some stuff was irretrievable.<br />
<br />
In addition, we have had maybe 4 more systems that needed our help, which ends up costing only about $300, which is still more than you want to have to pay to get data that was available just the day before.<br />
<br />
Reason? I expect that hard drive manufacturers are shaving quality in order to meet our own price expectations, as well as their own profit margins. It was not so long ago that Dell said they were not interested in the sub-$1000 PC arena. I would not be surprised if the bulk of their business is now close to the sub-$500 computer.<br />
<br />
And I have to tell you, that HAS to come at a cost. Yes there is economy of scale, but you know they have to push their vendors to get better pricing, and cut costs wherever they can. We see evidence of this all over the place - systems now come in DOA, which has not happened in years. CD drives fail at an alarming rate. Internal cables are unplugged on brand new systems.<br />
<br />
But, there is no more serious issue than the quality of hard drives, because that is where your data lives, and that is what you are likely choosing NOT to back up very regularly if at all. Digital cameras allow us to take more pictures than any human has ever needed, but we store them on devices apparently made of aluminum foil and rarely back them up. Might as well skip even buying the camera.<br />
<br />
Everyone needs to stop and think, 'if my computer was hit by a bus tomorrow, would I care about what was on it?' If the answer is "YES," then it is time to start thinking about the insurance of having a backup process that works. Now. Tick tick tick tick tick....]]></description>
 <category>General</category>
<comments>http://www.theitmachine.com/index.php?itemid=10</comments>
 <pubDate>Wed, 29 Jul 2009 14:22:30 -0500</pubDate>
</item><item>
 <title><![CDATA[Password Complexity]]></title>
 <link>http://www.theitmachine.com/index.php?itemid=9</link>
<description><![CDATA[If you are going to use the same password over and over for all your online logins, make sure the password is weird enough that it cannot be easily guessed. We at The I.T. Machine, being humans like most people, don't always heed our own advice.<br />
<br />
A number of years ago, we came up with a combination username and password that we could use at almost any site. We did this so that if one of us needed access to a tech site that the other one had set up, we would already know the credentials. And it was great - many a time I would get to a site that I needed to log in to use, and I would never have to wonder what either of us entered way back when the account was set up.<br />
<br />
The problem came when I used the same credentials to set up a PayPal account that I needed in order to buy an old microprocessor off eBay. I only used it once, and that was about two years ago.<br />
<br />
Then, about two months ago, I got up on a Sunday morning to find I had made three online purchases while I slept! PayPal froze my account right away, thankfully, and after about two hours, I had filled out the forms saying they were not legit. Within the next several weeks, PayPal reversed all the charges and credited my credit card account. They did a great job.<br />
<br />
However, I was now stuck with a whole bunch of spam, as the perp began using my credentials to sign up for all sorts of non-legit crud. Kind of stupid, being that he had no access to my email, which is where all the communications were going, so I was able to sign into all the skeezy sites and pull the email off the lists. I did relatively well, but still get a bit more spam than I used to. (Someone REALLY wants me to be a part of the Avandia lawsuit.)<br />
<br />
Then, about two weeks ago, eBay itself said they found someone trying to buy something as me. They saw it as fishy, and the transaction never even happened. I was able to figure out that the attempted purchase originated from an IP address out of Chicago. They even went in and requested a password change to my account. Again, eBay did a good job of preventing the fraud, and I was able to jump through a minimum of hoops to secure my account again.<br />
<br />
So, it was really my own fault for picking a combination of username and password that was too easy to guess. In my case, it had nothing to do with personal info or anything; it was that the password and username were similar enough to be easy to guess.<br />
<br />
Clearly, I have changed this since the incident, but now I really should go back to ALL the places we set up using the insecure credentials, and that is not an easy task.<br />
<br />
The moral of the story is, don't blow off experts that tell you to use passwords that are complex, especially when money is involved. The moral for us is, don't think we are above taking our own advice!<br />
<br />
Mike K]]></description>
 <category>General</category>
<comments>http://www.theitmachine.com/index.php?itemid=9</comments>
 <pubDate>Wed, 29 Jul 2009 14:02:56 -0500</pubDate>
</item><item>
 <title><![CDATA[SSHD Brute force attacks, Invalid User From in log files]]></title>
 <link>http://www.theitmachine.com/index.php?itemid=6</link>
<description><![CDATA[SSHD (the SSH daemon) is a secure way for Unix/Linux/SCO and similar boxes to handle remote consoles and port forwarding. Over the last few months sshd has been host to a flood of brute force attempts by script kiddies around the world.<br />
<br />
In the attack, the script tries common username/password combinations to find open accounts and thus gain access. Irritating, and a security problem that needs to be resolved.<br />
<br />
Digging around I found two methods to deal with this: one scans the log files for invalid login attempts and blocks the offending host altogether (via /etc/hosts.deny), the other uses firewall rules to rate-limit connection attempts. I use both, and this is how you do it.<br />
If your machine is not a firewall you'll need to use option 1, the log scanner. The script I stole from here: http://mandrake.vmlinuz.ca/bin/view/Main/SSH<br />
<br />
I modified it to work with my Gentoo Box, that script is below:<br />
<br />
#!/bin/sh<br />
cd /usr/local/sbin || exit 1<br />
# Remove old file entries (-f so a missing file on the first run is not an error)<br />
rm -f ./sshd_block/block.txt<br />
rm -f ./sshd_block/new_block.txt<br />
# Parse the auth log and extract the sshd "Invalid user" lines<br />
grep sshd /var/log/auth.log | grep Invalid > ./sshd_block/block.txt<br />
# Cut only the IP addresses out of that file: print the word after "from".<br />
# A fixed field number breaks on single-digit days ("Mar  2"), which syslog pads with two spaces.<br />
awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' ./sshd_block/block.txt | sort -u > ./sshd_block/new_block.txt<br />
# Add the addresses from new_block.txt to /etc/hosts.deny<br />
target=`cat /usr/local/sbin/sshd_block/new_block.txt`<br />
for i in $target; do<br />
        echo "ALL:$i" >> /etc/hosts.deny<br />
done<br />
# Remove duplicate entries from /etc/hosts.deny<br />
sort -u /etc/hosts.deny > /etc/hosts.deny.new<br />
mv /etc/hosts.deny.new /etc/hosts.deny<br />
<br />
For this to work you need to create a directory,<br />
mkdir /usr/local/sbin/sshd_block<br />
<br />
put the script in /usr/local/sbin, make it executable, and run it manually or create a crontab entry.  For example I run this script every 2 minutes so my crontab looks like:<br />
<br />
*/2 * * * * /usr/local/sbin/sshd_blocker   <br />
<br />
(Note the script is called sshd_blocker)<br />
<br />
That's all well and good: any service that checks /etc/hosts.deny will then refuse the offending IP address.  That means sshd built against libwrap, or anything started through tcpd from inetd/xinetd.  Newer OpenSSH releases (6.7 and later) dropped tcp_wrappers support, so check with "ldd $(which sshd) | grep libwrap" before relying on this.<br />
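Added example, not the post's sshd_blocker: a stricter version of the log-scanning step that pulls the address out of each "Invalid user" line with a pattern instead of a fixed field number, skips an allowlisted local network, and only emits hosts.deny entries that are not already present.  The log lines, the 10.0.2.0/24 allowlist and the deny-file contents are constructed for the example.<br />

```shell
#!/bin/sh
# Added example, not the original sshd_blocker: pull the source address out of
# sshd "Invalid user" lines by pattern, skip allowlisted networks, and emit only
# hosts.deny entries that are not already present.

# Constructed sample log lines (hosts and addresses are made up).
SAMPLE_LOG='Oct  9 21:00:01 gw sshd[1234]: Invalid user admin from 203.0.113.5
Oct  9 21:00:02 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4221 ssh2
Oct  9 21:00:05 gw sshd[1240]: Invalid user oracle from 203.0.113.5
Oct 10 08:15:09 gw sshd[1251]: Invalid user test from 198.51.100.7 port 51022
Oct 10 08:16:00 gw sshd[1260]: Accepted publickey for bob from 192.0.2.10 port 50000 ssh2
Oct 10 08:17:00 gw sshd[1270]: Invalid user backup from 10.0.2.50'

# Assumption: the 10.0.2.0/24 LAN must never end up in hosts.deny.
ALLOW_RE='^10\.0\.2\.'

# Unique source addresses from "Invalid user ... from <ip>" lines on stdin.
# A pattern is used rather than a field number because the day-of-month
# padding in syslog timestamps shifts the field count between lines.
extract_invalid_ips() {
    sed -n 's/.*sshd\[[0-9]*\]: Invalid user .* from \([0-9.]*\).*/\1/p' | sort -u
}

# Remove allowlisted addresses (grep exits 1 when nothing is left; that is fine).
drop_allowlisted() {
    grep -Ev "$ALLOW_RE" || true
}

# Print "sshd: <ip>" for each address on stdin not already in the deny file.
# "sshd:" rather than "ALL:" so only the attacked service is affected.
new_deny_entries() {
    deny_file=$1
    while read -r ip; do
        [ -n "$ip" ] || continue
        grep -qxF "sshd: $ip" "$deny_file" 2>/dev/null || echo "sshd: $ip"
    done
}

# Whole pipeline: log on stdin, current deny file as the argument.
deny_entries_from_log() {
    extract_invalid_ips | drop_allowlisted | new_deny_entries "$1"
}
```

Run it as "deny_entries_from_log /etc/hosts.deny < /var/log/auth.log > /tmp/new_deny" and append /tmp/new_deny to /etc/hosts.deny; writing into the file while the loop is still grepping it only produces harmless duplicates, but a temp file keeps it clean.<br />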
<br />
The second method I run on my firewall.  The additional rules track, per source address, how many new SSH connections have arrived; once an address has made 5 attempts within 600 seconds, further attempts from it are logged and dropped until fewer than 5 of its recorded attempts fall inside that window.  Both numbers are adjustable via --hitcount and --seconds.  Because the rules sit in the nat PREROUTING chain, which only sees the first packet of each connection, the count is of connection attempts rather than packets.<br />
<br />
Each SSH entry in your firewall script needs to look like this:<br />
<br />
Assumptions:  We are forwarding SSH to an internal host<br />
$IPE1 is a variable name for the external IP that is listening for SSH connections<br />
10.0.2.100 is the internal host that is the target for the SSH forward.<br />
<br />
#Log a rejected IP attempt<br />
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $IPE1 --dport 22 -m recent --rcheck --hitcount 5 --seconds 600 -j LOG --log-prefix "SSH attack: "<br />
#Drop a connection from a bad IP<br />
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $IPE1 --dport 22 -m recent --rcheck --hitcount 5 --seconds 600 -j DROP<br />
#Let a good connection pass (and record the attempt for the two rules above)<br />
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d $IPE1 --dport 22 -m recent --set -j DNAT --to-destination 10.0.2.100:22<br />
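Added example, not from the post: a small simulation of what the "-m recent --rcheck --seconds 600 --hitcount 5" rules above decide for a constructed stream of connection attempts, using the same window and hit count.  It also shows the one variation a practitioner usually wants to know about: with --rcheck (as in the post) the drop rule does not record the dropped attempt, so a blocked host that keeps hammering is let back in once its five recorded hits age out; with --update on the drop rule the dropped attempt is recorded too, so the block lasts until the host stays quiet.  Timestamps and addresses are made up.<br />

```shell
#!/bin/sh
# Added example, not from the post: simulate what the "-m recent --rcheck
# --seconds 600 --hitcount 5" rules decide for a stream of new SSH connections,
# so the window and hit count can be sanity-checked before going live.

# Constructed input, "<epoch seconds> <source ip>", one line per new connection
# (nat PREROUTING only sees a connection's first packet, so a line is one attempt).
SAMPLE_CONNS='1000 203.0.113.5
1010 203.0.113.5
1020 203.0.113.5
1030 203.0.113.5
1040 203.0.113.5
1050 203.0.113.5
1100 192.0.2.10
1600 203.0.113.5
1700 203.0.113.5'

# simulate_recent MODE WINDOW HITS  < connections
# MODE "rcheck" is what the post uses: only connections that reach the --set
# rule are recorded, a dropped attempt is not.  MODE "update" models swapping
# --rcheck for --update on the drop rule, which records the dropped attempt too.
# Prints "<ts> <ip> ALLOW|DROP" per input line.
simulate_recent() {
    awk -v mode="$1" -v window="$2" -v hits="$3" '
    # number of recorded attempts from ip that are younger than the window
    function recent_hits(ip, ts,    n, i) {
        n = 0
        for (i = 1; i <= cnt[ip]; i++)
            if (ts - seen[ip, i] < window) n++
        return n
    }
    {
        ts = $1; ip = $2
        if (recent_hits(ip, ts) >= hits) {
            if (mode == "update") seen[ip, ++cnt[ip]] = ts
            print ts, ip, "DROP"
        } else {
            seen[ip, ++cnt[ip]] = ts       # the --set rule records it
            print ts, ip, "ALLOW"
        }
    }'
}

# Number of dropped connections from IP under MODE with the post's 600 s / 5 hits.
dropped_count() {
    printf '%s\n' "$SAMPLE_CONNS" | simulate_recent "$1" 600 5 \
        | grep -c -- " $2 DROP"'$' || true
}
```

In the rcheck run the attacker is dropped once (the sixth attempt at 1050) and is allowed again at 1600, because the five recorded hits are then older than 600 seconds; in the update run the dropped attempt at 1050 was recorded as well, so the attempt at 1600 still sees five hits in the window and is dropped too.  Naming the list (--name SSH on all three rules) keeps it separate from the DEFAULT list if you add recent-based rules for other services later.<br />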
<br />
Hope this helps; again, this is only needed if you are offering SSH to the internet as a whole.  Disabling password authentication (key-only logins) and limiting which IPs can connect in the first place are the more secure ways to protect this service; the blockers above only cut down the noise and the brute-force window.  Running SSH on another port also goes a long way toward reducing the number of attempts, though that is obscurity rather than security.<br />
<br />
If you are having trouble with the above methods please contact us and we can help you out.]]></description>
 <category>General</category>
<comments>http://www.theitmachine.com/index.php?itemid=6</comments>
 <pubDate>Sun, 9 Oct 2005 21:39:56 -0500</pubDate>
</item><item>
 <title><![CDATA[Linux OSPF Zebra IPSec iptables Netfilter]]></title>
 <link>http://www.theitmachine.com/index.php?itemid=5</link>
<description><![CDATA[How to create an open-source OSPF router<br />
<br />
Recently I got the opportunity to help construct a wide-spanning multi-node VPN network.  The setup has a primary OSPF network running over a 10 Mbit connection to each of the seven offices.   The part I got to help build is the backup system, which consists of Linux boxes on T1s, DSL, cable routers, or whatever broadband connection is available in the given market.<br />
<br />
The objective was to create multiple fail over routers to various nodes so in the event of a failure on the 10 megabit line there would be a seamless transition to the linux/broadband setup.<br />
<br />
I'll include sample config files to help those setting this up for themselves.  First things first, get yourself a working Linux box.  I use Slackware for these setups because I can strip it down to a clean running system, it's actively updated and I am just used to it.  Be sure you have the following installed:<br />
<br />
--Tools Needed <br />
<br />
iproute2 (the ip command)<br />
iptables<br />
ip_gre (GRE tunnel support in your kernel config; I use the 2.6 series)<br />
strongswan (your IPsec package)<br />
zebra (the routing suite: the zebra daemon handles the kernel routes and ospfd handles OSPF)<br />
<br />
--Assumptions<br />
<br />
We have two firewalls, both Linux, set up the same way.  One is SIDEA, the other is SIDEB.  You can have as many sides as you want.  <br />
SIDEA is 1.1.1.1 (its ISP next hop is 1.1.1.2)<br />
SIDEB is 2.2.2.1 (its ISP next hop is 2.2.2.2); these are the addresses used in the ipsec.conf and GRE script below<br />
<br />
Behind SIDEA and SIDEB is a network and on that network our firewalls may or may not be the default gateway.<br />
<br />
The firewalls also may have more than one external interface that can load balance.  But the ip route statements to do that are beyond this document.  Contact me if you need help there.<br />
<br />
The internal networks or LAN networks for the firewalls can be any IP setup you like.  However each firewall will be given a unique /32 address, in this sample 10.10.10.X/32.  This IP is the GRE tunnel endpoint and the OSPF router-id, and is what zebra uses to pass routing information between firewalls.<br />
<br />
--Build a Tunnel<br />
<br />
Once your firewall/routers are up and can ping the electronic-interweb you need to start connecting them.   <br />
<br />
We tunnel traffic between the firewalls to provide security and encryption.  The ipsec.conf entry I use for either side is:<br />
<br />
conn sidea-sideb<br />
        left=1.1.1.1<br />
        leftnexthop=1.1.1.2<br />
        right=2.2.2.1<br />
        rightnexthop=2.2.2.2<br />
        keyingtries=%forever<br />
        compress=yes<br />
        type=transport<br />
        auth=esp<br />
        authby=secret<br />
        auto=start<br />
<br />
The type=transport directive is important: the GRE tunnel supplies the IP-in-IP part, so ESP only needs to protect the GRE packets travelling between the two firewall addresses.  compress=yes (IPComp) is there just to help.  authby=secret means the pre-shared key for the pair goes in ipsec.secrets.<br />
<br />
It is important to note that when we do this MTU size can quickly become a problem: ESP and GRE both add headers, so the tunnel interface must be given an MTU well below the 1500 bytes of the physical link (see the GRE script below).<br />
<br />
Once the tunnel is up you should be able to ping from the firewall on sidea to the firewall on sideb.   The traffic should be tunneled and encrypted.<br />
<br />
--Create a GRE Tunnel to carry OSPF Hellos<br />
<br />
Next we need to provide a transport for OSPF, we'll do this with GRE.   <br />
<br />
For each tunnel I have a separate GRE script.  I use variable names in the bash script to help me keep the configs clean:<br />
<br />
--<br />
echo "Setting my GREname and GRE ip"<br />
#Make sure the ip_gre module is loaded<br />
modprobe ip_gre<br />
<br />
echo "Setting my Constant"<br />
#This is the IP I set for each node to identify a neighbor in OSPF.<br />
#Each node gets a unique /32 ip; this one is SIDEA's.<br />
GREIP=10.10.10.2<br />
#IPE2 is taken from my firewall script: the REAL external address of this<br />
#box (SIDEA here).  Set it explicitly if this script runs on its own.<br />
IPE2=${IPE2:-1.1.1.1}<br />
<br />
##############<br />
echo "Building Tunnel to sideb"<br />
GRENAME=sideb<br />
REMOTEIP=2.2.2.1<br />
GREREMOTE=10.10.10.3<br />
<br />
echo $GRENAME " - " $GREIP " - " $REMOTEIP " - " $GREREMOTE<br />
<br />
#Delete any current tunnel with GRENAME (ignore the error if there is none)<br />
ip tunnel del $GRENAME 2>/dev/null<br />
#Make the tunnel between the two REAL external addresses<br />
ip tunnel add $GRENAME mode gre remote $REMOTEIP local $IPE2 ttl 255<br />
#LIMIT MTU (GRE plus ESP headers must fit inside the external MTU set below)<br />
ip link set $GRENAME mtu 1350<br />
#Bring it up and allow multicast (OSPF Hellos go to 224.0.0.5)<br />
ip link set $GRENAME up multicast on<br />
#Create our neighbor IP and specify the node on the other side of the tunnel<br />
ip addr add $GREIP/32 peer $GREREMOTE/32 dev $GRENAME<br />
<br />
<br />
#############<br />
#MTU problems happen, it's best to just limit them <br />
#on the external interfaces on the firewalls<br />
echo "Setting External MTU to 1420"<br />
ip link set eth1 mtu 1420<br />
<br />
----<br />
Our tunnel is up and you should be able to ping the 10.10.10.X ip on the other side.   If so, we are doing good.<br />
 <br />
If not, play around with IPSEC and your firewall rules.<br />
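Added example, not the post's script: the per-node tunnel build done as a loop over a peer table, with the tunnel MTU derived from the ESP transport-mode overhead rather than picked by hand.  The addresses, peer names, the cipher parameters (3DES-CBC with an 8-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV) and the IP variable are assumptions; set IP=echo to print the commands instead of running them.<br />

```shell
#!/bin/sh
# Added example, not the post's script: build one GRE tunnel per peer from a
# table, with the tunnel MTU derived from the ESP transport-mode overhead
# instead of a guessed constant.  Names, addresses and cipher parameters are
# assumptions matching the SIDEA/SIDEB layout in the post.

IP=${IP:-ip}            # set IP=echo to print the commands instead of running them
LOCAL_EXT=1.1.1.1       # this box's real external address (SIDEA; $IPE2 in the post)
LOCAL_GRE=10.10.10.2    # this box's OSPF /32

# Peer table: "<tunnel name> <peer external ip> <peer gre /32>" (constructed)
PEERS='sideb 2.2.2.1 10.10.10.3
sidec 3.3.3.1 10.10.10.4'

# Largest inner IP packet that fits in OUTER bytes when carried as GRE inside
# ESP transport mode.  Overhead: outer IPv4 header (20), ESP SPI + sequence (8),
# IV, padding up to the cipher block size, pad-length + next-header (2), ICV,
# and the 4-byte GRE header.  IPComp (compress=yes) adds its own header to
# packets it compresses and is not accounted for here.
gre_over_esp_mtu() {
    outer=$1 ivlen=$2 icvlen=$3 block=$4
    avail=$((outer - 20 - 8 - ivlen - icvlen))
    avail=$((avail - avail % block))    # payload + pad + 2 must be block aligned
    echo $((avail - 2 - 4))
}

# (Re)create one GRE tunnel and give it its /32 endpoint addresses.
build_tunnel() {
    name=$1 remote=$2 remote_gre=$3 mtu=$4
    "$IP" tunnel del "$name" 2>/dev/null || true
    "$IP" tunnel add "$name" mode gre remote "$remote" local "$LOCAL_EXT" ttl 255
    "$IP" link set "$name" mtu "$mtu"
    "$IP" link set "$name" up multicast on
    "$IP" addr add "$LOCAL_GRE/32" peer "$remote_gre/32" dev "$name"
}

# Build every tunnel in the peer table with one computed MTU.
build_all() {
    # 3DES-CBC (8-byte IV, 8-byte block) with HMAC-SHA1-96 (12-byte ICV), assumed
    mtu=$(gre_over_esp_mtu 1500 8 12 8)
    printf '%s\n' "$PEERS" | while read -r name remote remote_gre; do
        [ -n "$name" ] || continue
        build_tunnel "$name" "$remote" "$remote_gre" "$mtu"
    done
}

case "${1:-}" in
    apply) build_all ;;
esac
```

Run it as root with "apply" to build the tunnels.  At a 1500-byte external MTU the function gives 1442 for 3DES/SHA1 and 1434 for AES-128-CBC/SHA1 (16-byte IV and block); the post's 1350 sits comfortably under both, which is the right side to err on when the external link itself may have a reduced MTU.<br />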
<br />
--Getting ZEBRA to start and running<br />
You Cisco types will probably drive Zebra through its vty (telnet localhost 2604 for ospfd; zebra itself listens on 2601).  I just modify the conf files in /usr/local/etc.  Whichever way you go, the vtys ship with the password "zebra": change it, and make sure those ports are not reachable from outside.<br />
Here is zebra.conf :<br />
<br />
! -*- zebra -*-<br />
!<br />
! zebra sample configuration file<br />
!<br />
! $Id: zebra.conf.sample,v 1.14 1999/02/19 17:26:38 developer Exp $<br />
!<br />
hostname sideBrouter<br />
! change these defaults: the vty password is all that stands between<br />
! whoever can reach port 2601 and your routing table<br />
password zebra<br />
enable password zebra<br />
!<br />
! Interface's description.<br />
!<br />
!interface lo<br />
! description test of desc.<br />
!<br />
!interface sit0<br />
! multicast<br />
! if you have a layer three switch on the LANside make Zebra listen there.<br />
! remember this is a backup route, if this is your primary route<br />
! then you can probably skip this.  But why?<br />
interface eth0<br />
!<br />
interface eth1<br />
!<br />
interface eth2<br />
!Make sure we are running on our GRE interface <br />
interface sidea<br />
!<br />
!log file /var/log/zebra/zebra.log<br />
!<br />
line vty<br />
!<br />
!log file zebra.log<br />
<br />
--OSPF: now the configuration file for ospfd.conf<br />
!<br />
! Zebra configuration saved from vty<br />
!   2005/09/26 21:19:46<br />
!<br />
hostname sideBzebra<br />
! default vty password, change it (ospfd listens on port 2604)<br />
password zebra<br />
log stdout<br />
!<br />
!<br />
!<br />
interface eth0<br />
!<br />
interface lo<br />
!<br />
interface eth1<br />
!<br />
interface gre0<br />
!<br />
interface sidea<br />
!again make sure you specify the GRE tunnel<br />
!make sure you have an entry for every GRE tunnel you got<br />
!there can be more than one.<br />
!OSPF authentication is off here; that is tolerable only because the<br />
!GRE tunnel itself rides inside the IPsec tunnel.<br />
 ip ospf authentication null<br />
 ip ospf cost 50<br />
!<br />
router ospf<br />
! this router's own GRE /32 (10.10.10.3 is SIDEB's)<br />
 ospf router-id 10.10.10.3<br />
! tell OSPF to talk to sidea's router (10.10.10.2 in the GRE script above)<br />
 neighbor 10.10.10.2<br />
!Tell OSPF what routes to distribute<br />
 redistribute kernel<br />
 redistribute connected<br />
!interfaces with addresses inside these prefixes take part in OSPF area 0<br />
 network 10.0.0.0/8 area 0.0.0.0<br />
 network 10.10.20.3/32 area 0.0.0.0<br />
!<br />
!<br />
!log stdout<br />
log file /var/log/zebra/ospfd.log<br />
!<br />
line vty<br />
<br />
<br />
--  That's about it.   <br />
<br />
Remember to create a separate IPsec connection and GRE tunnel for each node.  Specify each neighbor a given OSPF router needs to talk to in the configs.  Specify each GRE interface name that applies.   <br />
<br />
Modify the scripts for each side accordingly.   I have given you a base layout  and some tweaking will need to be done on each side.<br />
<br />
-- Testing<br />
<br />
Remember, the Linux side is a backup to a much faster 10 Mbit setup.  In our testing we started an FTP of a 500 MB file.  Per the default routes the traffic went over the 10 Mbit link.  We then pulled the plug on that link.  After a 12 second pause the transfer continued uninterrupted.  We then plugged the link back in.  There was another 12 second pause and the transfer again continued back over the faster route.<br />
<br />
Yay us.<br />
<br />
I am positive the above can be done better, if you have suggestions and comments I would be honored to hear them.<br />
<br />
]]></description>
 <category>General</category>
<comments>http://www.theitmachine.com/index.php?itemid=5</comments>
 <pubDate>Thu, 6 Oct 2005 12:55:11 -0500</pubDate>
</item><item>
 <title><![CDATA[Firewalls Defined]]></title>
 <link>http://www.theitmachine.com/index.php?itemid=4</link>
<description><![CDATA[This is an article I found that does a decent job of explaining the differences in the many types of firewalls out there. While it is technical in nature, it is not that hard to read if you have some familiarity with the technology. We will always help our clients choose the right type of firewall for their needs, but for those of you who want to know why we make our recommendations, check out the full document.<br />
<a href="http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf">NIST Firewall Guidelines</a>]]></description>
 <category>General</category>
<comments>http://www.theitmachine.com/index.php?itemid=4</comments>
 <pubDate>Fri, 13 May 2005 15:08:40 -0500</pubDate>
</item>
  </channel>
</rss>