Saturday, 5 October 2013

Crete Partitions larger than 2TB


Crete Partitions larger than 2TB


Create a partition on Linux using parted and labelling it with gpt

1.dmesage |grep sd
2.parted /dev/sdb
3.(parted) mklabel gpt
4.(parted) unit TB
5.(parted) mkpart primary 0.00 4.95TB
6.(parted) print
7.(parted) quit
8.mkfs.ext4 /dev/sdb1

9.vi /etc/fstab (add)
   /dev/sdb1 /local ext4 defaults 1 2

 

Add New Volume

1. Added physical disks
2. Created RAID 1 Volume
3. umount /local/
5. # vgdisplay
6. dmesg | grep sd

      sd 0:0:0:2: [sdb] 1172058032 512-byte logical blocks: (600 GB/558 GiB)
7. # pvcreate /dev/sdb
8. # pvdisplaycheck if it has been created
 
"/dev/sdb" is a new physical volume of "558.88 GiB"
  --- NEW Physical volume ---
  PV Name               /dev/sdb
  VG Name
  PV Size               558.88 GiB
  Allocatable           NO
  PE Size               0
  Total PE              0
  Free PE               0
  Allocated PE          0
  PV UUID               SX1ekz-o4Aj-5yXO-QbIF-AdPw-L3Iq-kewNFQ

9. find out the existing name for the existing volume group: 
# vg_local

# vgdisplay

 10. vgcreate vg_local600 /dev/sdb

 
11. check if group has been created:
#  vgdisplay | grep 600
12. lvcreate -L 550G -n lv0_local600 vg_local600

 

13. Find the File system type:
# cat /etc/fstab | grep ext = ext4

 14. Create file system
mkfs.ext4 /dev/vg_local600/lv0_local600


15. # mount new file system
mount /dev/vg_local600/lv0_local600 /local

Monday, 30 September 2013

Penetration Test results (interpreting results) Open-Filtered Ports


Penetration Test results (interpreting results) Open-Filtered Ports

 

Recently we had a penetration test done. I am not going to mention company names here, I’ll write just about the results.

 

I asked them to check out Public IPs and all services which face the Internet, I also asked them to check our WIFI and finally our internal office Windows domain.

 

I knew there were many problems and potentially many holes. I have inherited this network and I don’t think things were set with security in mind. But something also important to note is; if the any company is not willing to participate and embrace security there is very little which can be done, directories and all managers at the top need to accept security as an important step. Security is not for preventing anyone from working, but to give companies a degree of digital/online stability. Knowing where the holes are surely is better than not knowing; at least you won’t be caught by surprises.

 

The test took around three days and literally the only information I provided was the public IP addresses.

 

Port 445 Open-Filtered

One thing in specific I want to talk about is; our office firewall has been diagnosed with port 445 (SMB) Open-Filtered.

I asked the security team which did the pen test and they said; “if the port is filtered, it does mean it is open. Maybe nothing is listening but the port is definitively opened”.

 

This is a serious discovery and it needs a full investigation. My boss and Operations pushed me to dig this out and get it sorted.

 

Action Plan

Review the firewall configuration thoroughly and check any references to port 445.

Disabled all unnecessary rules and checked open ports once again with nmap. Once again, this time I could verify myself, the result was Port 445 Open-Filtered. I could not believe it.

I could not find anywhere in the firewall a rule which explicitly opened, forward, or NATTED port 445.

 

I downloaded a program called Nipper see: https://www.titania-security.com/, exported the configuration from the firewall, parsed the config and I did not find any indication port 445 was actually opened.

 

Block Port 445

I decided to explicitly create a rule to block port 445. Rule in place, once again I used nmap to check for open ports and, once again for my surprise, nmap showed port 445 Open-Filtered.

 

There is no way port 445 was open! I decided to Google and I vaguely remember this, something to do with ISPs filtering port 445.

In 2004 there was an outbreak of a virus which propagated itself through exploiting port 445 (SMB). This is how Microsoft Windows for communicate with each other on a network and access shares.

 

Because of this outbreak Firewall vendors decided it was a good approach to just filter this port, instead of blocking it. This is because by blocking it the firewall has to use more CPU and memory.

 

So finally I got to the bottom and I understand the real result. Port 445 was actually being filtered at a higher level by our ISP, which is good.

 

So if you come across ports being Open-filtered, I would recommend the following:

1.    Review your firewall configuration

2.    Check with your ISP

3.    Get in touch with your Firewall vendor and ask them to clarify it for you

 

Some links for you to research


 


 

By Renato Oliveira

How to compress on the fly with maximum compression (Linux)

How to compress on the fly with maximum compression

for example

# tar cvf - /etc | gzip -c -9 > etc.tar.gz

Explain what the command above is doing.

TAR - Command to pack files and directories into a single package.
CVF are flags passed to the tar command to: Create, Verbose, File
/ETC is the folder to be tarred-up
| (Pipe) symbol to pass result to another command
GZIP is a compressing tool
-C flag to compress
-9 is a flag to use maximum compression
> this symbol is used to redirect output to a file, in this case "etc.tar.gz"

I hope this will be helpful to you and the explanation makes sense.

by Renato de Oliveira

Red Hat CDRom repository

How to setup a local repository to fetch packages from CDRom

Sometimes you want to install a package and want the dependencies to be resolved automatically. If you don't have a server which can be used as a repository. You can use your media or install CD as a repository.

# mkdir /media/cdrom
# mount /dev/cdrom /media/cdrom
# vi /etc/yum.repos.d/cdrom-repo


Now type in the following text and save the file:

 [cdrom-repo]
 name=CDRom-Repo
 baseurl=file:"///media/cdrom/"
 enabled=1
 gpgcheck=0


# yum repolist

Melado de Branco

Melado de Branco

Hoje eu acordei
Olhei pela janela
Vi tudo melado de branco
Tudo parecia adormecido
Tudo parecia, calmo e tranquilo
O chao, as arvores, o ceu
Tudo tava pintado de branco
a visao e diferente da realidade
Onde a Natureza se acalma
e tempo passa de vagar
Cada animal se agasalha
e se prepara pra descansar
As arvores perdem as folhas
pra nao desperdicar energia
O sol diz um oi timidamente
desaparece rapidamente
e a noite toma conta do dia
Animais se agasalham
Se escondem e se preparam
para mais um ciclo da vida
Vida que nos seguimos num ritmo differente
Um passo acelerado
Pensamento apressado
Muitas vezes atormentado
Pela rapidez do progresso
esquecemos a natureza
Ignoramos a beleza
Ignoramos o nosso ciclo
e apressamos o passo
Nem sabemos aonde vamos
Ou onde queremos chegar
Carros, transito, bozinas
Trabalho, estress, vida!
Vida?! O que e vida?
Sera a natureza melada
e pintada de branco
Com seu ciclo calmo
e seu passo lento
Ou essa modernidade
Com pressa de chegar a nenhum lugar
essa obssessao de ter
de possuir
De sair por ai
Ver o que nao se conhece
Quando nao se conhece a si mesmo
Tudo ta melado de branco
sao dois mundos
Sao tao desiguais
Um cultiva o caaos
o outro cultiva a paz
Eu queria ta melado de branco
Como as arvores la fora
queria seguir o ciclo da vida
e me sentir em harmonia com a natureza

A young Linux consultant on the Newspaper



 
Back in 1998 I migrated around 100 NT servers and workstations to Linux. This was a big achievement in my career, but it was just 2 years away of moving to England.
It was on first page of  IT news of major papers in my city, see below:

Set-UP a LAB with Juniper SRX


Set-UP a LAB with Juniper SRX
Recently I had to setup a Lab environment and our Firewall is a Juniper SRX 240.
These devices have 16 Giga Bit Interfaces and believe it or not you can set each interface with its own IP and in a completely separate network. I think it is great!
 

In my LAB I am using an SRX100 which comes with 8 Fast Ethernet Interfaces. This is a very good, cheap and reliable device for branch offices and also very suitable or LAB environment.

Setting up Interface - Separate Network on Juniper SRX
I decided to use the interface fe-0/0/3 which is free, so we need to check if there is any existing configuration already applied to that specific interface.
To configure a Giga Bit interface you will need to replace fe-0/0/3 with ge-0/0/3 for example.
 

Check existing config
admin@srx100-01# run show configuration | display set | match fe-0/0/3
 

You should see the following output:
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all
 

Delete existing configuration
delete interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
delete interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
delete security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
delete security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all

 

Save Config
admin@srx100-01# commit

 
Check interface config once more
admin@srx100-01# run show configuration | display set | match fe-0/0/3


You should see the following output:
set interfaces fe-0/0/3 unit 0 family ethernet-switching
set security zones security-zone trust interfaces fe-0/0/3.0


Delete the config once more
admin@srx100-01# delete interfaces fe-0/0/3 unit 0 family ethernet-switching
admin@srx100-01# delete security zones security-zone trust interfaces fe-0/0/3.0
 

Save Config
admin@srx100-01# commit

Check the config for once more
admin@srx100-01# run show configuration | display set | match fe-0/0/3
 

You should see the following output:
set interfaces fe-0/0/3 unit 0
 

Delete the config once more
admin@srx100-01# delete interfaces fe-0/0/3 unit 0


Save config
admin@srx100-01# commit

Finally let’s config our Interface for our LAB

Set an IP for the Interface
admin@srx100-01# set interfaces fe-0/0/3 unit 0 family inet address 192.168.20.1/24

Set a Security ZONE for the Interface

Set a security ZONE called LAB
set security zones security-zone LAB interfaces fe-0/0/3.0
admin@srx100-01# set security zones security-zone LAB interfaces fe-0/0/3.0

Create Security POLICY to allow Internet Access or any other ZONE you need access
set security policies from-zone LAB to-zone untrust policy LABPol match source-address any
set security policies from-zone LAB to-zone untrust policy LABPol match destination-address any
set security policies from-zone LAB to-zone untrust policy LABPol match application any
set security policies from-zone LAB to-zone untrust policy LABPol then permit

Create a NAT Policy to allow Access from Zone LAB to Untrust

set security nat source rule-set LABNatOut from zone LAB
set security nat source rule-set LABNatOut to zone untrust
set security nat source rule-set LABNatOut rule LABNatrule match source-address 0.0.0.0/0
set security nat source rule-set LABNatOut rule LABNatrule match destination-address 0.0.0.0/0
set security nat source rule-set LABNatOut rule LABNatrule then source-nat interface

Save config
admin@srx100-01# commit

Once the configuration has been commited, you are ready to start using it. You can plug a server directly to the new Interface you have just set-up or plug it to a switch, to give you more available ports.

Just set any server or PC connected to with any IP within the same range 192.168.20.0/24, the gateway will be 192.168.20.1.

 

That is it you should have a brand new isolated network within your Juniper SRX.

 

 

Monday, 20 May 2013

How to setup a DHCP server on a Juniper SRX

Today I am going to write about how to turn your Juniper SRX onto a DHCP server. It is quite easy and quick.



root@srx100-01> configure
Entering configuration mode
[edit]

root@srx100-01# set system services dhcp router 192.168.1.1
root@srx100-01#set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
root@srx100-01#set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
root@srx100-01#set system services dhcp propagate-settings fe-0/0/0.0
root@srx100-01#set interfaces fe-0/0/0 unit 0 family inet dhcp
root@srx100-01#set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp

Saturday, 18 May 2013

Setting up Bind DNS for your Network (Red Hat/Centos)

I just bought a new domain for me and I am going through the process of setting up my own DNS server. I want to share with you the experience and also the knowledge.


Package Requirements
bind
bind-libs
bind-utils

Install all packages

[root@centos63 named]yum install bind bind-libs bind-utils -y

Make sure Bind starts at boot time
[root@centos63 named]#  chkconfig --level 2345 named on
Note: On Red Hat based systems Bind damon is called named.

Configuring Bind
My domain name is e-networks.co.uk and this is domain I will use as an example.
The Server IP address will be: 192.168.1.34
Configure /etc/named.cof

[root@centos63 named]# cd /etc
[root@centos63 named]# mv named.conf named.back


##################################################################################################
[root@centos63 named]# vi named.conf
Note: Add the lines below

# This file is the main config for e-networks.co.uk domain
options {
        listen-on { 192.168.1.34; };  //Change it to your servers IP address
        version "This is not a public Server";
        directory "/var/named";
        pid-file "/var/run/named/pid";
        hostname "centos63.e-networks.co.uk"; //Change it to your Servers name and domain
        notify yes;

        forward first; // the default
        fetch-glue no; // only fetches requested records, not everything

// DNS server for your ISP, its IP address should be set below,
// This will make you resolution faster by using its cache.

        forwarders {
                194.168.4.100;  // this IP is for NTL resolver 1 (change it to your ISP Nameserver)
                194.168.8.100;  // This IP is for NTL resolver 2 (change it to your ISP Nameserver)
        };

        /*
         * Uncomment the line below if you or the name servers are behind a firewall
         */
        // query-source address * port 53;

        /*
         * If running in a chroot, you will need to specify a different
         * folder to save the dump files.
         */

        // dump-file "s/named_dump.db";
// SORT LIST
  sortlist { { localhost; localnets; };
             { localnets; };
  };
};


// SECONDARY ZONES
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.

zone "." {
        type hint;
        file "named.root";
};

zone "e-networks.co.uk" { // change it to your domain name
        type master;
        allow-update { 192.168.1.0/24; }; // change it to your IP range or any server you wish to allow updates
        allow-transfer { 192.168.1.0/24; }; // change it to your IP range or any server you wish to allow transfers
        notify yes;
        file "e-networks.co.uk"; // change it to you domain name
};

zone "localhost"  {
        type master;
        file "named.localhost";
        allow-transfer { localhost; };
        notify no;
};


# reverse zones
zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};

zone "1.168.192.in-addr.arpa" { // Change it to to match your network or range assigned to you
        type master;
        file "1.168.192.in-addr.arpa"; // Change it to to match your network or range assigned to you
        allow-update { 192.168.1.0/24; }; // change it to your IP range or any server you wish to allow updates
        allow-transfer { 192.168.1.0/24; }; // change it to your IP range or any server you wish to allow transfers
};


###################################################################################

[root@centos63 named]# cd /var/named
[root@centos63 named]# mv named.localhost named.localhost.bak


[root@centos63 named]# vi e-network.co.uk
Note: Add the lines below


$TTL 3600

e-networks.co.uk. IN SOA centos63.e-networks.co.uk. root.centos63.e-networks.co.uk. (
                        2013051801      ; Serial YYYYMMDDnn
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL

; DNS Servers
@       IN NS           centos63.e-networks.co.uk.

; Machine Names
localhost       IN A    127.0.0.1
centos63        IN A    192.168.1.34
; mail server (use this if you have a mail server running)
mail            IN A    192.168.1.34
@               IN A    192.168.1.34

; Aliases (use this if you have a web server here, www.e-networks.co.uk.)
www             IN CNAME        @

; MX Record (use this if you have a mail server running)
@               IN MX   10      mail.e-networks.co.uk.


#########################################################################################
[root@centos63 named]# vi named.localhost
Note: Add the lines below

$ORIGIN localhost.
$TTL 6h
@   IN  SOA localhost. postmaster.localhost. (
            1   ; serial
            3600    ; refresh
            1800    ; retry
            604800  ; expiration
            3600 )  ; minimum
    IN  NS  localhost.
    IN  A       127.0.0.1

##########################################################################################
[root@centos63 named]# vi localhost.rev
Note: Add the lines below

$TTL    3600
@       IN      SOA     centos63.e-networks.co.uk. root.centos63.e-networks.co.uk.  (
                                2013051801      ; Serial YYYYMMDDnn
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      centos63.e-networks.co.uk.
1       IN      PTR     localhost.e-networks.co.uk.


##########################################################################################
[root@centos63 named]# vi 1.168.192.in-addr.arpa
Note: Add the lines below

$TTL    3600
@       IN      SOA     centos63.e-networks.co.uk. root.centos63.e-networks.co.uk.  (
                                2013051801      ; Serial YYYYMMDDnn
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      centos63.e-networks.co.uk.
1       IN      PTR     centos63.e-networks.co.uk.

##########################################################################################
[root@centos63 named]# vi named.root
Note: Add the lines below

# This is the named.root file for all Root Name Servers

.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90

;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803f:235
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30

J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
;
; operated by ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
;
; operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
; End of File


##########################################################################################
Reminder:
1. Change the forwarders
2. Change the line: "listen on"
3. Change the line "hostname"
4. Change the zone "e-networks"
5. Change the line "Allow updates"
6. Change the line "Allow transfers"
7. Change the line "1.168.192.in-addr.arpa"
8. Change the line "Allow updates"
9. Change the line "Allow transfers"

Remember when Creating the files to represent the zones, make sure you also change the names
to suit your environment.

Review the whole configuration and double check for typos and names.

Starting DNS

[root@centos63 named]# service named start
Note: If the named service does not start check for errors on /var/log/messages

[root@centos63 named]# tail /var/log/messages

Check if the named service is running
[root@centos63 named]# ps -eaf | grep named
named     1061     1  0 07:49 ?        00:00:00 /usr/sbin/named -u named
root      1471  1415  0 08:23 pts/0    00:00:00 grep named


Last Note
When you start the named service for the first type the script will try and generate the rndc.key for your server. This will take some time.

I hope you enjoy folks
by Renato de Oliveira

Thursday, 16 May 2013

Data Center Design (A new Look)

I have Built a New Data Centre for the company I work for and I am going to give you some insight on the design and the cool look I gave to it.

I had literally 2 months to build a whole new Data Centre, but even with the time constraints I manage to deliver it on time and it is not only beautiful, but it has great features and as far as I am concerned ticks all the boxes.

Some of the requirements to meet:
  1. It must look presenteable to customers
  2. It must have space for growth
  3. It must have the cooling capacity for existing heating load and future growth
  4. It must have the power capacity for existing load and future growth

See some picture below:

Below you can see the front is all glass pannels, there are seven Server Racks in total. At the front  of the racks you can see there are three glass panels on the floor, and under the each pannel there is a light which is remote controlled and changes colours (it is currently in blue).
On each side of the room we have a 14Kwatts Air-con at the back we have a heat extraction system, to extract the heat generated by all the servers.

Below you can see I have used a 20KVA UPS for holding the servers, and there is a by-bass just in case we need to maintain the UPS.
I have a smaller UPS 10KVA for Comms equipment, the air-cons are also UPS protected.

 
The comms racks at at the back and they host all switches, patch pannels and firewalls.
The links between the server cabinets and the patch pannels are two looms of 24 CAT6a cables for each rack, one at the top and another at the bottom.
 
I paid a lot of attention to the detail, functionality and also to easy of maintenance.
I'll take some pictures of the patch pannel to show you another time.
 
If you need help with your Data Center or Server Room, I can help you with ideas.
 
Renato Oliveira
 


Wednesday, 15 May 2013

Setting up DFS (Distributed File System) on Windows 2008 R2

I think DFS is one of the best product Microsoft has. The possibilities are just imense.
If you need a global, distributed file system with high availibility DFS is for you. You can share a folder and make it high available across the WAN. It is simple to set up, easy to use and very quick to replicate.

Today I am going to show you how to set it up. I am going to have a text version and once I have a bit more time I will give you a screenshot version.

I have two Windows 2008 R2 servers, one as my domain controller and a second one just as a member server.

You will need to install DFS Role on two servers, otherwise you won't be able to configure it.

Installing DFS (Follow these steps on both Servers)
  1. Click on [Start]
  2. Click on "Administrative Tools"
  3. Click on "Server Manager"
  4. Click on "Roles"
  5. Click on "Add Roles"
  6. Click on <Next>
  7. Select "File Services" then click on <Next>
  8. Click on <Next> once again
  9. Tick the boxes:
    • File Server
    • Distributed File System
    • DFS Namespace
    • DFS Replication
  10. After selecting the options above, click on <Next>
  11. Select "Create a namespace later" and click <Next>
  12. Click "Intall"
  13. Once the installation has been complete, click on <Close>
Follow the steps above on both servers ti host the DFS role. Once this is done we can move on to configure it.

Configuring DFS Role and Namespace
  1. Click on [Start]
  2. Click on "Administrative Tools"
  3. Click on "DFS Management"
  4. Click on "Replication"
  5. Click on "New Replication Group..."
  6. Select the option "Replication Group for data collection" and click on <Next>
  7. Within the field "Name of replication group" type a descriptive name i.e: MyReplication
  8. Within the field "Domain" type in your Windows domain name i.e: linuxad.int
  9. Click on <Next>
  10. Type in the destination server name i.e.: dfsrep01.linuxad.int
    1. Note: Remember that the DFS role needs to be installed on the destination server.
    2. Replace the server name with the name of your source server.
  11. Click on <Next>
  12. On "Replicated Folders" screen, click on [Add...]
  13. Choose the folder you wish to replicate for example: "C:\Data", then click on [OK]
  14. Click on <Next>
  15. Type in the destination Server Name i.e: dfsrep02.linuxad.int
    1. Note: Remember that the DFS role needs to be installed on the destination server.
    2. Replace the server name with the name of your source server.
  16. Click on <Next>
  17. Choose the destination foder for the replication data for example: "C:\Data", then click on <Next>
  18. Click on "Replicate Continuously using the specified bandwidth".
  19. Leave it in [Full] and click <Next>
  20. Click on [Create]
  21. then click on [OK]

This will give you a full DFS system with two servers, source and destination fully working.
There are some extra details, which need configuring, I will describe them later, keep posted.

by Renato Oliveira

Saturday, 4 May 2013

Retaking CCNA


Studying for CCNA

OSI Model

7 Layers (7 - Application, 6 - Presentation, 5 - Session, 4 - Transport, 3 - Network, 2 - Data Link, 1 - Physical)

 
Differences between HUB and Switch

HUB = 1 Single Collision Domain

HUB = 1 Single Broadcast domain

HUB = Half Duplex

HUB = Works at the Physical layer of the OSI model, sends signals

 
Switches = each port is a separate collision domain

Switches = have a single Broadcast domain if no VLANs are configured

Switches = Full Duplex

Switches uses ASICS chips allows

Switches = Creates a CAM (Content Accessible Memory) table where all MAC addresses is stored

Switches work at the Data Link Layer of the OSI model sends phases
 

Type of Communications

Unicast = One to one communication between source and destination

Broadcast = A communication which is sent to all devices connected to a Network segment

Multicast = A communication which is sent to a group of devices

 
ARP (Address Resolution Protocol) = Broadcast message


Connecting to switch to configure

Open putty

Click on "Serial"

Connection Settings

Baud Rate = 9600

Data Bits: 8

Parity: none

Stop bit: 1

Flo Control: none

 
Cisco Command modes:

User EXEC mode - Switch - > (BAsic mode)

Enable - Privileged EXEC mode - switch# (Full access)

Config terminal - Global Configuration Mode – Switch (config)# (Full Configuration Mode)

 
Configure Cisco Switch

Setup switch name:

# hostname switch1

 
Set Switch's IP address for Management

You need to setup the IP for the default VLAN, or VLAN interface 1

# interface vlan 1

# ip address 192.168.1.1 255.255.255.0

# no shutdown

 
Setup default gateway at Global Config Mode

# ip default-gateway 192.168.1.1
 

Saving Configuration

# copy running-config startup-config


How to show the version of IOS running

# show version

Protecting User Privileged mode

Note: this is not secure

# enable password cisco123
# enable secret cisco1234

Note: this password is encrypted within the configuration file

If you have enable password and enable secret, enable secret will override enable password

If you have enable password set, just remove it with

# no enable password

Password protect your Console mode

# line console 0

# password cisco123

# login


Set password for telnet

# line vty 0 4

# login

# password cisco123

# service password-encryption (to encrypt all passwords)

 
Setting up a Login banner

# banner motd C

#################

Private

################# C

 

Setup SSH

# username renato password cisco1234

# ip domain-name e-networks4real.co.uk

# crypto key generate rsa 1024

# ip ssh version 2

# line vty 0 4

# transport input ssh

 

Port Security

How many devices can be plugged onto each port? If anyone plugs a different device port is disabled

# Show ip interface brief

 

How to show all messages displayed on the terminal

# Terminal monitor

 

MAC address security

# switchport mode access

# switchport port-security

# switchport port-security maximum 1

# switchport port-security violation

 

# interface  fastEthernet 0

# show port-security interface fastethernet <port>

 

Duplex mismatch

# interface fastethernet 0/2

# speed 100

# duplex full

 

Fixing console text wrapping

# line console 0

# logging synchronous

# line vty 0 4

# logging synchronous

 

Setting IDLE time

# line console 0

# exec-timeout 30 0

# line vty  0 4

# exec-timeout 30 0

 

 

Fixing Domain resolution annoying problem

# no ip domain-lookup

 

Troubleshooting Cisco Switches

# Show ip interface brief

 

# show interface fastEthernet 0/2

tx load = Sending data

rx load = receiving data

5 min input rate

5 min output rate

 

High level of broadcast is considered to be 20%

Runt is a packet considered to be too small

Late collision means the cable length is greater than 100M

Check for duplex mismatch

 

# show run

 

Type of Wireless Networks

PAN - Personal Area Network

LAN - Local Area Network

MAN - Metropolitan Area Network

WAN - Wide Area Network

 

Wireless is shared and Half-Duplex

The more people connected the less Bandwidth available

Uses Unlicensed BANDS of Radio Frequency (RF)

WIFI operates at the Physical and Data Link layer of OSI model

WIFI uses CSMA/CA (Carrier Sense Multiple Access/Collision Avoidence

Interference is a problem and causes connectivity issues

 

WIFI Frequencies

·         900MHZ Range - 902 - 928

·         2.4-6GHz Range - 2.400 - 2.483

·         5-gGHz Range - 5.150 to 5350

 

The lower Frequency the bigger is the range but the bandwidth is also low

Higher frequency supports higher data rate

 

WiFi Standards

802.11B 1999

Up to 11Mbps

2.45GHz

Three channels

 

 

802.11A  1999

Up to 54Mbps

5.8GHz

12 - 23 Channels

 

802.11G 2003

54Mbps

2.4GHz

Three channels

 

802.11N

100+Mbps using MIMO and multiple antenas

 

WIFI Channels

Range of Frequencies

The channel defines a section of the 2.4GHz range of frequency

If AP are in the same channel they will cause conflict and

802.11B 3 Clean Channels

 

802.11A up to 23 Channels considered Clean or not overlapping

 

300Feet without obstructions on the way

 

ITU-R

IEEE

WI-FI Alliance

 

WIFI Security

Remember it is an open door to the world

 
Recommendations

Authentication

Encryption

Intrusion Prevention System

 
Pre-shared key WEP (Use the same key)

Pre-shared keys WPA1 using encryption methot called TKIP

WPA and 802.1x Authentication (standard to request username and



Password or pass-through to a server for checking the credentials)

WPA2 (802.11I) and 802.1x
 

SSID (Service Set Identifier)

* Multiple SSIDs

* Used for public

* used for internal or private

 

RF 10-15% overlaps in your frequency area

Repeaters should have around 50%

 

BSS Basic Service Set (Roaming with service drop)

ESS Extended Service Set (Roaming without service loss)

 
Setting up redundant links

We need to use spanning tree protocol
 

Ports

Well known ports are 1-1023
 

A socket is a combination of an IP address plus a port number:

192.168.20.22:80
 

Clients use ramdon ports above 1024 as their source ports for example:

192.168.33:55667

 
Important Port Numbers

20: FTP

21: FTP

22: SSH

23: TELNET

25: SMTP

53: DNS

80: HTTP

110: POP3

443: HTTPS

69: TFTP