Sunday, April 25, 2010

How to : Quagga Routing Suite

Quagga is routing software that runs on Linux and is based on the Zebra router; the last Zebra release was in 2005. Quagga can act as your open-source BGPv4+, OSPFv2, OSPFv3 and RIP router on a Linux system with kernel 2.4 or higher. The best part is that you can own a Cisco IOS look-alike router for less than RM5K !! Strongly recommended for your personal study and experimental use.

A few daemons make up this router :

  • zebra - routing manager
  • ospfd - implementing OSPFv2
  • ripd - implementing RIP v1 and v2
  • ospf6d - implementing OSPFv3 (IPv6)
  • ripngd - implementing RIPng (IPv6)
  • bgpd - implementing BGPv4+ (including address family support for multicast and IPv6)

Download the package from the Quagga website, or install it with your package manager :

#apt-get install quagga

Here are some good tips on configuring Quagga on Debian/Kubuntu once the package installation is complete.

To start/stop/restart Quagga service

#/etc/init.d/quagga <start|stop|restart>

To enable/disable the daemons:

#vim /etc/quagga/daemons

zebra=yes
bgpd=no
ospfd=yes
ospf6d=no
ripd=no
ripngd=no

To create configuration files

First, you must create a configuration file for each daemon, even if it does not exist yet; each daemon is associated with its own configuration file. For example :

    • zebra – zebra.conf
    • ospfd – ospfd.conf
    • bgpd – bgpd.conf

Copy the sample configuration files from /usr/share/doc/quagga/examples/ to /etc/quagga/ :

#cp /usr/share/doc/quagga/examples/zebra.conf.sample /etc/quagga/zebra.conf
#cp /usr/share/doc/quagga/examples/ospfd.conf.sample /etc/quagga/ospfd.conf
#cp /usr/share/doc/quagga/examples/bgpd.conf.sample /etc/quagga/bgpd.conf

Add a password to each of the newly copied files. Append with >> rather than > so the copied sample is kept (a single > would replace the whole file with one password line). Note that a password typed on the command line also ends up in your shell history :

# echo 'password YourPassHere' >> /etc/quagga/bgpd.conf
# echo 'password YourPassHere' >> /etc/quagga/ospfd.conf
# echo 'password YourPassHere' >> /etc/quagga/zebra.conf

Always make sure the file permissions are correct; the owner and group may differ depending on your machine and its permission settings :

#chown quagga:quaggavty /etc/quagga/*.conf
#chmod 640 /etc/quagga/*.conf

Then restart Quagga.
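As an added example (not part of the original post), here are the copy / password / permission steps above as one shell function that refuses to clobber an existing config and drops any 'password' line carried over from the sample before adding yours. QUAGGA_DIR and EXAMPLES_DIR are assumed variables so it can be tried in a scratch directory; the password argument mirrors the post's echo, so it still lands in the shell history.

```shell
# Added example, not Quagga's own tooling. Defaults match the Debian paths in
# the post; override QUAGGA_DIR / EXAMPLES_DIR to run it in a scratch directory.
QUAGGA_DIR=${QUAGGA_DIR:-/etc/quagga}
EXAMPLES_DIR=${EXAMPLES_DIR:-/usr/share/doc/quagga/examples}

# install_conf <daemon> <vty-password>
# Copies <daemon>.conf.sample into place with the given VTY password.
# Returns 1 if the sample is missing or the target config already exists.
install_conf() {
    local d=$1 pw=$2 src dst
    src="$EXAMPLES_DIR/$d.conf.sample"
    dst="$QUAGGA_DIR/$d.conf"
    [ -f "$src" ] || { echo "missing sample: $src" >&2; return 1; }
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing $dst" >&2; return 1
    fi
    # Subshell keeps the restrictive umask local; the file is born 0640, so
    # the sample's default password is never world-readable, even briefly.
    ( umask 027
      { grep -v '^password ' "$src" || true     # drop the sample's password
        printf 'password %s\n' "$pw"; } > "$dst" )
    # chown only makes sense on a real install, as root, with the quagga user.
    if [ "$(id -u)" = 0 ] && id quagga >/dev/null 2>&1; then
        chown quagga:quaggavty "$dst"
    fi
    chmod 640 "$dst"
}

# conf_is_private <file>: 0 if the mode is 640 or stricter, 1 otherwise.
conf_is_private() {
    local mode
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in 640|600|440|400) return 0 ;; *) return 1 ;; esac
}
```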

debian.conf Configuration Guide

By default, the Quagga daemons listen only on the loopback interface 127.0.0.1, each on its own port (bgpd, ospfd and zebra respectively), and cannot be reached remotely. For example, the bgpd daemon uses port 2605, which means you can reach the BGP router with the following command :

#telnet localhost 2605

If you want to access the Quagga routers remotely from a specific IP address, you need to modify the /etc/quagga/debian.conf file.

If you want your OSPF router to listen on the loopback interface and on 10.10.10.1, the configuration will look like this :

ospfd_options=" --daemon -A 127.0.0.1 10.10.10.1"

(Note that only one bind address can be passed to -A.)

If you wish to let your BGP router be accessed on the IP addresses of all interfaces, the configuration will be as below :

*For security reasons, I recommend you do not allow this.

bgpd_options=" --daemon"

Restart the Quagga services for the change to take effect.
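Added example, not part of the original post: a check that reads a debian.conf-style file and reports every daemon whose VTY is not pinned to loopback, i.e. the bare "--daemon" case warned about above. It assumes the Debian layout of one <daemon>_options="..." line per daemon and the short -A form (or --vty_addr=<addr>) used on this page.

```shell
# Added example, not Quagga's own tooling.
# audit_vty_bind <file>: prints one status line per <daemon>_options entry and
# returns 0 only if every daemon is bound to 127.0.0.1 or ::1.
audit_vty_bind() {
    local file=$1 rc=0 line name opts addr
    while IFS= read -r line; do
        case "$line" in
            \#*|"")      continue ;;      # comment or blank line
            *_options=*) ;;               # e.g. bgpd_options=" --daemon"
            *)           continue ;;      # e.g. vtysh_enable=yes
        esac
        name=${line%%_options=*}
        opts=$(printf '%s' "${line#*_options=}" | tr -d '"')
        # "-A <addr>" as in the post, or the long form --vty_addr=<addr>.
        # Neither present means the VTY listens on every interface.
        addr=""
        case " $opts " in
            *" -A "*)         addr=${opts#*" -A "};       addr=${addr%%" "*} ;;
            *" --vty_addr="*) addr=${opts#*"--vty_addr="}; addr=${addr%%" "*} ;;
        esac
        if [ "$addr" = 127.0.0.1 ] || [ "$addr" = ::1 ]; then
            echo "$name: loopback-only ($addr)"
        elif [ -z "$addr" ]; then
            echo "$name: EXPOSED, no -A so the VTY listens on all interfaces"; rc=1
        else
            echo "$name: EXPOSED, VTY bound to $addr"; rc=1
        fi
    done < "$file"
    return $rc
}
```

Run it as `audit_vty_bind /etc/quagga/debian.conf` after editing the file and before restarting the services.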

How to configure VTYSH, an integrated shell for Quagga

For instance, if you wish to access your BGP router :

#telnet localhost 2605

If you find it impractical or troublesome to telnet into the zebra, ospf and bgp routers separately, you can enable VTYSH. It provides a single interface to access and save the configuration, and it looks like your Cisco router!

To use this feature, create the configuration by copying the sample :

#cp /usr/share/doc/quagga/examples/vtysh.conf.sample /etc/quagga/vtysh.conf

Then edit the configuration /etc/quagga/vtysh.conf; here is the sample configuration :

!
! Sample
!
! service integrated-vtysh-config
hostname quagga-router
username root nopassword
!

In the sample above, “service integrated-vtysh-config” is commented out and therefore disabled, so the configuration is saved separately into the file of each protocol you have changed. The example below shows what happens when the OSPF and BGP router configurations are changed and saved :

#vtysh
quagga-router#write
Configuration saved to /etc/quagga/ospfd.conf
Configuration saved to /etc/quagga/bgpd.conf

If you have enabled “service integrated-vtysh-config” in the config, the configuration is saved into a single file instead, /etc/quagga/quagga.conf. With this setting, quagga.conf is read first, followed by each protocol's own file (i.e. ospfd.conf) when you telnet into it. My recommendation is to leave this feature disabled for easier maintenance and to avoid confusion.

#vtysh
quagga-router#write
Configuration saved to /etc/quagga/quagga.conf

Make sure you have enabled “vtysh_enable=yes” settings in the /etc/quagga/debian.conf.

In addition, it’s recommended to add “VTYSH_PAGER=more” to your /etc/environment file; otherwise you will be annoyed by the blinking “END” in the bottom-left corner, which requires you to type “q” to continue.

On some machines adding it there has no effect; in that case you need to put it in /home/username/.profile instead.

Ensure the file permissions are correct and restart the Quagga service :

#chown quagga:quaggavty /etc/quagga/*.conf
#chmod 640 /etc/quagga/*.conf
#/etc/init.d/quagga restart

Additional Info, IP Forwarding

By default, Linux does not allow IP forwarding between interfaces. Enable it with the following command (this setting is lost at reboot; to make it persistent, set net.ipv4.ip_forward=1 in /etc/sysctl.conf) :

#echo "1" > /proc/sys/net/ipv4/ip_forward

Tuesday, April 20, 2010

How to change date/time in Ubuntu?

Linux always has two clocks: the Hardware Clock and the System Clock. The Hardware Clock is also known as the CMOS Clock or Real-Time Clock (RTC). The System Clock is the software clock used by Linux.

When the system boots, it reads the time/date from the Hardware Clock and sets the System Clock from it. The System Clock is often not accurate and will drift, especially under heavy hardware load when too many processes are running. There are only two ways to ensure the clock is accurate according to NTP: either reboot your system or perform a manual synchronization.


To check your current date & time

root:/home# date
Tue Apr 20 07:45:44 PDT 2010

To change the system software clock manually

root:/home# date 042022462010.00
Tue Apr 20 22:46:00 PDT 2010

Format : date <MMDDHHmmYYYY.ss>

To check whether your system time zone is configured correctly

( Only perform these steps if time/date is NOT CRITICAL on your system; otherwise skip this step )

root:/home# /etc/network/if-up.d/ntpdate
root:/home# date
Tue Apr 20 07:50:41 PDT 2010

If, as here, the time zone is not configured properly, go to /usr/share/zoneinfo and select the most appropriate region as in the following step

To change the system time zone

root:/home# ln -sf /usr/share/zoneinfo/Asia/Kuala_Lumpur /etc/localtime

To synchronize with NTP using rdate

The time server can be any public NTP server that complies with RFC 868

root:/home# /usr/bin/rdate -s time-a.nist.gov

To set your hardware clock time and verify

root:/home# /sbin/hwclock --show
Tue 20 Apr 2010 03:59:03 PM MYT  -0.987237 seconds
root:/home# /sbin/hwclock --systohc
root:/home# /sbin/hwclock --show
Tue 20 Apr 2010 10:58:26 PM MYT  -0.782410 seconds
root:/home# /etc/network/if-up.d/ntpdate

Reference : man page for hwclock

A Cesium Atomic Clock maintains an accuracy of 10^-9 seconds per day!!

Monday, April 5, 2010

Good Password Practices

The recommendations outlined here are based solely on my current understanding and knowledge; they are not claimed to be comprehensive or necessarily correct.


A password is a secret word or phrase known only to restricted users or groups that is used for authentication: to prove an identity and to grant access.

Password policy, or password security, varies from organization to organization. Many policies require a minimum length, typically 8 characters, and some also impose a combination of upper and lower case alphanumeric and special characters, i.e. @#$^. Some also prohibit words found in a dictionary or the user’s personal information, e.g. D.O.B. or Identity Card No. (NRIC). Stricter administrators may also prohibit users from using their login username or real name as the password.

In addition, some policies require users to change their password periodically, e.g. every 60 days. In my own experience, such a policy often makes users unable to remember their password, or leads them to create weaker passwords because they cannot come up with many different ones, or even encourages them to write their password down! My own recommendation is that, rather than a frequent password change policy, the administrator should insist that users create a strong password in the first place.

According to some unofficial statistics, about 20% of users use very simple or “easy-to-guess” passwords, e.g. “password”, date of birth, “123456”, “secret”, their city name, the last 4 digits of their NRIC, etc.

Here’s the password hacking time based on an ordinary user’s workstation :

(image: Password Hacking)

If the hacker were to use a powerful workstation, it may be faster by up to 1000 times!!!

Here’re some good practices :

  1. Always use a strong password.
  2. Do not share or reveal the password to anyone.
  3. Never share a computer account if possible.
  4. Never use the same password for more than one account, or at least group them by category.
  5. Never write down the password.
  6. Never communicate your password over SMS, telephone, email or even instant messaging.
  7. Always log off the account and clear the cache.
  8. Immediately change the password once there is any suspicion that it may have been compromised.
  9. Never use the same password for the OS password, application password and account password.
  10. Make sure it is not easy to guess.

What’s a strong password ?

  • At least 8 characters.
  • Combination of upper and lower case alphanumeric characters.
  • Use special characters e.g. @#%$^ if possible.
  • Never use a dictionary word.
  • Never use your special numbers e.g. date of birth, identity card number etc.
  • Never use an easily guessed word based on your personal information e.g. your dog’s name, car number plate etc.
  • Use a Random Password Generator.
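Added example, not part of the original post: a small shell checker for the criteria listed above (length, character classes, dictionary words, personal numbers, username). The BLOCKLIST is a constructed stand-in for a real dictionary, and the six-digit-run rule is my approximation of the date-of-birth / ID-number rule.

```shell
# Added example for a local self-check of a candidate password.
# BLOCKLIST is a constructed mini dictionary; a real check would load a word
# list and the user's personal details (name, D.O.B., NRIC) from a file.
BLOCKLIST="password secret 123456 qwerty letmein welcome"

# check_password <password> [username]
# Returns 0 if every rule passes; otherwise prints the failed rules to stderr
# and returns 1. The password is taken as an argument only for illustration;
# it is visible in process listings and shell history that way.
check_password() {
    local pw=$1 user=${2:-} fails="" lower luser w
    [ ${#pw} -ge 8 ]                               || fails="$fails length<8"
    printf '%s' "$pw" | grep -q '[A-Z]'            || fails="$fails no-upper"
    printf '%s' "$pw" | grep -q '[a-z]'            || fails="$fails no-lower"
    printf '%s' "$pw" | grep -q '[0-9]'            || fails="$fails no-digit"
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]'     || fails="$fails no-special"
    # Six or more consecutive digits look like a date of birth or an ID number.
    if printf '%s' "$pw" | grep -Eq '[0-9]{6,}'; then fails="$fails digit-run"; fi
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for w in $BLOCKLIST; do
        case "$lower" in *"$w"*) fails="$fails contains-$w" ;; esac
    done
    if [ -n "$user" ]; then
        luser=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
        case "$lower" in *"$luser"*) fails="$fails contains-username" ;; esac
    fi
    if [ -n "$fails" ]; then
        echo "weak password:$fails" >&2
        return 1
    fi
    return 0
}
```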

Saturday, April 3, 2010

Cannot open the Outlook window?!!!

outlook

It shocked me when I first got this message pop-up when trying to start my Microsoft Office Outlook 2007!!! Especially after I had tried several times and even rebooted my laptop… it still showed the same message…. Damm!! I must have lost all my emails… I tried to “google” around, and none of the suggested resolutions, especially from the Microsoft support website, really helped…

Reminder: Always backup a copy of all PST files, and running at your own risks!

The solution is very simple: just execute the following command in your “Run..” dialog

outlook.exe /resetnavpane

This command simply clears and regenerates the Navigation Pane for the current profile.