Thursday, 28 February 2013

Setup a Redhat Kickstart Server

During the Data Centre project, I had to install and configure quite a few Linux servers, and to make my life easier I configured a Red Hat kickstart server.
What this server does is allow you to automate the installation of multiple servers and replicate the same configuration as many times as you need. This will make your life much easier.

If you get your kickstart server right, in the end you will need to make very few changes on the individual servers, which reduces both support time and manual errors.

The first thing is to install a Linux server. It can be CentOS or Red Hat. I'll use CentOS so I don't need to buy a Red Hat license.

I am going to describe first how to set up a kickstart server using Apache, so that clients are installed over HTTP.

Once the server is fully up and running:

Necessary Software:
  • Apache (httpd package)
  • nfs-utils-lib
  • nfs-utils
  • nfs-utils-lib-devel
Step by Step
1. Create an Apache Virtual Host (replace 172.16.180.222 with your server's IP address wherever it appears)
# vi /etc/httpd/conf.d/kickstart.conf
NameVirtualHost 172.16.180.222
<VirtualHost 172.16.180.222>
        ServerName 172.16.180.222
        DocumentRoot /var/www/data/
</VirtualHost>
<Directory /var/www/data/install>
   Options +Indexes
   AllowOverride AuthConfig
   order allow,deny
   allow from all
</Directory>


2. Restart Apache
# service httpd restart

3. Create kickstart folder structure
# mkdir -p /var/www/data/install/RPM
# mkdir -p /var/www/data/source
# mkdir -p /var/www/data/ISO
4. Download Centos iso image
# cd /var/www/data/ISO
# wget http://mirrors.coreix.net/centos/6.3/isos/x86_64/CentOS-6.3-x86_64-bin-DVD1.iso

5. Mount the Centos ISO image
# mount -o loop /var/www/data/ISO/CentOS-6.3-x86_64-bin-DVD1.iso /var/www/data/source

Note: to make the mount permanent, you need to edit /etc/fstab
# vi /etc/fstab
and add the line below (the ISO path and mount point must match the mount command above):
/var/www/data/ISO/CentOS-6.3-x86_64-bin-DVD1.iso /var/www/data/source iso9660 loop,ro 0 0
6. Create the Kickstart script:
# vi /var/www/data/install/ks.cfg
add the lines below

# Kickstart generated by Renato de Oliveira
install
url --url=http://172.16.180.222/install/
lang en_US.UTF-8
keyboard uk
network --device eth0 --bootproto dhcp
rootpw --iscrypted u09u0ojhu0uujoh9y
firewall --disabled
authconfig --enableshadow --enablemd5
selinux --disabled
timezone --utc Europe/London
bootloader --location=mbr --driveorder=sda
clearpart --all --drives=sda

part /boot --fstype ext3 --size=150
part swap --size=10000


part pv.01 --size=15000
volgroup vg_root pv.01
logvol  /  --vgname=vg_root  --size=12000  --name=lv0_root

part pv.02 --size=120000
volgroup vg_local pv.02
logvol /local --vgname=vg_local --size=110000 --name=lv0_local

part pv.03 --size=5000
volgroup vg_afscache pv.03
logvol /local/afs.cache --vgname=vg_afscache --size=4000 --name=lv0_afscache

part pv.04 --size=5000
volgroup vg_log pv.04
logvol /var/log --vgname=vg_log --size=4000 --name=lv0_log

part pv.05 --size=5000
volgroup vg_lvvartmp pv.05
logvol /var/tmp --vgname=vg_lvvartmp --size=4000 --name=lv0_vartmp

part pv.06 --size=5000
volgroup vg_lvtmp pv.06
logvol /tmp --vgname=vg_lvtmp --size=4000 --name=lv0_tmp


%packages
@core

@ X Window System
@ Desktop
@ Sound and Video

bzip2
bash
wget
%end

%post
# Turn services off
chkconfig  --level 2345 atd off
chkconfig  --level 2345 bluetooth off
chkconfig  --level 2345 cups off
chkconfig  --level 2345 gpm off
chkconfig  --level 2345 ip6tables off
chkconfig  --level 2345 postfix off
chkconfig --level 2345 NetworkManager off
chkconfig --level 2345 iptables off
chkconfig --level 2345 avahi-daemon off
chkconfig --level 2345 mcelogd off

# Turn necessary services on
chkconfig --level 2345 smb on
chkconfig --level 2345 nslcd on
chkconfig --level 2345 ntpd on
chkconfig --level 2345 postfix on
%end


Note: Save the file and you are almost ready.

I am assuming we will install Red Hat on a physical server.

7. Write the ISO image to DVD media.

8. Boot the server to be installed from the DVD you just created.
At the boot prompt type:
linux ks=http://172.16.180.222/install/ks.cfg

That should give you a fully installed server.

If you want to customise the kickstart further, there are many more options you can use to automate the install.
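Before a ks.cfg like the one above goes onto the web server, it is worth checking it for two things: a directive that would break the install (the url line needs --url=) and settings that weaken every host built from it (firewall and SELinux disabled, md5 password hashing, a root password that is not a real crypt(3) hash). The script below is an added example, not part of the original post: it parses the command section of a kickstart file and reports those points. The sample file mirrors the post's directives; the hardened variant and its $6$ value are constructed placeholders, not a real hash. Remember that everything under /var/www/data/install, including the root password hash in ks.cfg, is readable by any host that can reach the web server, which is one more reason to keep that hash sha512-crypt rather than md5.

```python
import re

# Constructed sample, modelled on the ks.cfg in the post (not the author's file);
# the rootpw value is the post's placeholder string.
SAMPLE_KS = """\
# Kickstart generated by Renato de Oliveira
install
url --url=http://172.16.180.222/install/
lang en_US.UTF-8
keyboard uk
network --device eth0 --bootproto dhcp
rootpw --iscrypted u09u0ojhu0uujoh9y
firewall --disabled
authconfig --enableshadow --enablemd5
selinux --disabled
timezone --utc Europe/London
bootloader --location=mbr --driveorder=sda
clearpart --all --drives=sda
%packages
@core
%end
"""

# Hardened variant of the same file. The $6$ value only has the *shape* of a
# sha512-crypt string; it is a constructed placeholder, not a real hash.
HARDENED_KS = (
    SAMPLE_KS
    .replace("rootpw --iscrypted u09u0ojhu0uujoh9y",
             "rootpw --iscrypted $6$constructed$" + "A" * 86)
    .replace("firewall --disabled", "firewall --enabled --service=ssh")
    .replace("authconfig --enableshadow --enablemd5",
             "authconfig --enableshadow --passalgo=sha512")
    .replace("selinux --disabled", "selinux --enforcing")
)

# crypt(3) modular formats: $1$ md5-crypt, $5$ sha256-crypt, $6$ sha512-crypt
CRYPT_RE = re.compile(r"^\$(?P<id>[156])\$[^$]{1,16}\$[./0-9A-Za-z]+$")


def parse_commands(text):
    """Return (name, args) for each directive in the command section, i.e.
    everything before the first %packages/%pre/%post line."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("%"):
            break
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        cmds.append((name, args))
    return cmds


def audit_kickstart(text):
    """Return (directive, message) findings for settings that would break the
    install or weaken every host built from this file."""
    findings = []
    for name, args in parse_commands(text):
        if name == "url" and not any(a.startswith("--url=") for a in args):
            findings.append(("url", "missing --url=<location>; anaconda will not find the install tree"))
        elif name == "rootpw":
            if "--iscrypted" not in args:
                findings.append(("rootpw", "plaintext root password in a file served over HTTP"))
            else:
                m = CRYPT_RE.match(args[-1])
                if not m:
                    findings.append(("rootpw", "value is not a crypt(3) hash ($1$/$5$/$6$); root login will not work"))
                elif m.group("id") == "1":
                    findings.append(("rootpw", "md5-crypt hash; regenerate it as sha512-crypt ($6$)"))
        elif name == "firewall" and "--disabled" in args:
            findings.append(("firewall", "iptables disabled on every installed host"))
        elif name == "selinux" and "--disabled" in args:
            findings.append(("selinux", "SELinux disabled; prefer --enforcing or at least --permissive"))
        elif name == "authconfig":
            if "--enablemd5" in args or "--passalgo=sha512" not in args:
                findings.append(("authconfig", "local password hashing is not sha512; use --passalgo=sha512"))
    return findings


if __name__ == "__main__":
    for directive, message in audit_kickstart(SAMPLE_KS):
        print(f"{directive}: {message}")
    print("hardened file findings:", audit_kickstart(HARDENED_KS))
```

Run it against the real ks.cfg by reading the file into audit_kickstart; an empty list is the goal before the file is published under the Apache DocumentRoot.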
 


by Renato de Oliveira

Wednesday, 27 February 2013

Memories

memories
a distant thought in the head
It no longer even seems it really happened
Everything becomes so dim,
Fading away little by little
It almost seems to have disappeared
They are small differences
That grow over time
What was insignificant
often becomes a torment
A river that was narrow
That suddenly widens
or just a small flaw
That grows into hardships
A memory
a written page
whose words time swaps and whose context it changes
Everything is so distant
What was joyful becomes sad
What was sad becomes joyful
It is like a story being rewritten
the past joys
the sorrows lived
Many things change shape
No form seems fixed
The shadows come to life
Life disappears into the shadows
I close my eyes
and many things pass by
at an incredible speed
Many things I no longer even remember
many tears
some laughs
but one thought is constant
What is the meaning of what was lived?
Fights, meetings and reunions
Hurts, wounds and scars
I no longer even know what hurts
Or whether it is only a sensation
still alive in my brain
Things I said
Things I heard
Things I said without meaning to
To hurt and cause pain
Silences I listened to
distance I felt
Wounds that not even time erases
Lives I don't even know if I lived
The word that was not spoken
The gesture that was not made
The mouth that did not stay silent
it would have been better to have missed the turn
A thought, a memory
An idea, a sensation
An image, a sound
Was the past life lived
Or simply dreamed
Are they not just pages of a book
That have already been turned
Is the plot at the beginning
or at the end
Time changes things
sometimes it leaves no sign at all
and everything keeps transforming
for better or for worse
Life keeps adjusting
In a way so slow it doesn't even seem to change
Suddenly you look back
And everything has moved
Renato de Oliveira

Tuesday, 26 February 2013

Setting up an iPsec Site to Site VPN Juniper SRX

I have been tasked with setting up another site-to-site IPsec VPN. We need to connect to a partner and I had to get it sorted.

The first step: whenever we need to connect to a third-party company, they will almost certainly provide us with a VPN form, which we need to complete.
The form will request various pieces of information, such as:
  • Public IP address
  • Firewall used (make and model)
  • Private IPs or subnets which need access through the VPN

Once you have completed the form and sent it back, you will probably receive the VPN parameters. Sometimes the form to be completed already includes the VPN parameters.

I am going to describe the VPN setup with a fictitious third-party company name.

VPN Parameters
Company Name: LivingUK
Phase 1
Auth method - Pre Shared Key
Encrypt - aes128
Hash - sha1
DH Group - group2
Lifetime in seconds - 36400

Phase 2
Encrypt - aes128
Hash - sha1
Lifetime in seconds - 36400

You have to match the above parameters with the equivalent Junos parameters (most of the time your peer will not be a Juniper):

Phase 1
Proposal
Authentication Algorithm: sha1
Authentication method: pre-shared-keys
Description: "LivingUK P1"
DH Group: group2
Encryption Algorithm: aes-128-cbc
Lifetime seconds: 3600

IKE Policy
Mode: main

IKE Gateway
Policy: "PolicyName"

Setup Phase I

set interfaces st0 unit 30 description "Tunnel Name"
Create a Phase I Proposal
set security ike proposal "VPNPartner P1 Name" description "VPN Partner Name"
set security ike proposal "VPNPartner P1 Name" authentication-method pre-shared-keys
set security ike proposal "VPNPartner P1 Name" dh-group group2
set security ike proposal "VPNPartner P1 Name" authentication-algorithm sha1
set security ike proposal "VPNPartner P1 Name" encryption-algorithm aes-128-cbc

set security ike proposal "VPNPartner P1 Name" lifetime-seconds 86400

set security ike policy "IKEPolicyName" mode main
set security ike policy "IKEPolicyName" proposals "VPNPartner P1 Name"
set security ike policy "IKEPolicyName" pre-shared-key ascii-text "Your VPN Key"

set security ike gateway "IkeGatewayVPN" ike-policy "IKEPolicyName"
set security ike gateway "IkeGatewayVPN" address "Peer IP Address"
set security ike gateway "IkeGatewayVPN" external-interface reth0.0


Setup Phase II
set security ipsec proposal "IPSEC VPNPartner P2 Name" description "PhaseII"
set security ipsec proposal "IPSEC VPNPartner P2 Name" protocol esp
set security ipsec proposal "IPSEC VPNPartner P2 Name" authentication-algorithm hmac-sha1-96
set security ipsec proposal "IPSEC VPNPartner P2 Name" encryption-algorithm aes-128-cbc
set security ipsec proposal "IPSEC VPNPartner P2 Name" lifetime-seconds 28800

set security ipsec policy "IpsecPolicyP2" description "Ipsec P2 Policy"
set security ipsec policy "IpsecPolicyP2" perfect-forward-secrecy keys group2
set security ipsec policy "IpsecPolicyP2" proposals "IPSEC VPNPartner P2 Name"


set security ipsec vpn "VPNNameAK" bind-interface st0.30
set security ipsec vpn "VPNNameAK" ike gateway "IkeGatewayVPN"
set security ipsec vpn "VPNNameAK" ike proxy-identity local <Local IP or subnet to be used as ID>
set security ipsec vpn "VPNNameAK" ike proxy-identity remote <Remote IP or subnet to be used as ID>
set security ipsec vpn "VPNNameAK" ike ipsec-policy "IpsecPolicyP2"
set security ipsec vpn "VPNNameAK" establish-tunnels immediately


set security nat source rule-set LANOut rule "NATRuleName" match source-address <Local IP or subnet to be matched>
set security nat source rule-set LANOut rule "NATRuleName" match destination-address <Remote IP to be matched>
set security nat source rule-set LANOut rule "NATRuleName" then source-nat off


Note: This is not finished yet. I still need to explain each parameter used in this configuration.
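The part that goes wrong most often with a partner VPN is the translation from the words on the form to the Junos keywords, and a single parameter (lifetime, DH group, hash) that differs between the two sides. The Python below is an added example, not the post's or Juniper's code: it maps a form like the one above onto the proposal values the SRX must carry, diffs them against what is configured, and renders the same set-command structure the post uses. The form values, object names, reth0.0, unit 30 and the peer address are constructed; the pre-shared key is left as a placeholder.

```python
# Partner-form vocabulary -> Junos keyword. Extend as new forms arrive.
IKE_ENC = {"aes128": "aes-128-cbc", "aes256": "aes-256-cbc", "3des": "3des-cbc"}
IKE_AUTH = {"sha1": "sha1", "sha256": "sha-256", "md5": "md5"}
IPSEC_AUTH = {"sha1": "hmac-sha1-96", "sha256": "hmac-sha-256-128", "md5": "hmac-md5-96"}
DH_GROUP = {"group2": "group2", "group5": "group5", "group14": "group14"}

# Constructed partner form, laid out like the one in the post.
PARTNER_FORM = {
    "phase1": {"auth": "Pre Shared Key", "encrypt": "aes128", "hash": "sha1",
               "dh": "group2", "lifetime": 86400},
    "phase2": {"encrypt": "aes128", "hash": "sha1", "pfs": "group2", "lifetime": 28800},
}


def required_junos(form):
    """Map the form's phase 1 / phase 2 wording onto Junos proposal parameters."""
    p1, p2 = form["phase1"], form["phase2"]
    return {
        "ike": {
            "authentication-method": "pre-shared-keys",
            "dh-group": DH_GROUP[p1["dh"].lower()],
            "authentication-algorithm": IKE_AUTH[p1["hash"].lower()],
            "encryption-algorithm": IKE_ENC[p1["encrypt"].lower()],
            "lifetime-seconds": int(p1["lifetime"]),
        },
        "ipsec": {
            "protocol": "esp",
            "authentication-algorithm": IPSEC_AUTH[p2["hash"].lower()],
            "encryption-algorithm": IKE_ENC[p2["encrypt"].lower()],
            "lifetime-seconds": int(p2["lifetime"]),
            "perfect-forward-secrecy": DH_GROUP[p2["pfs"].lower()],
        },
    }


def mismatches(configured, required):
    """Return [(phase, parameter, configured, required)] for every difference.
    Empty means both phases should negotiate; otherwise it names the parameter
    to fix before going back to the partner."""
    out = []
    for phase in ("ike", "ipsec"):
        for key, want in required[phase].items():
            have = configured.get(phase, {}).get(key)
            if have != want:
                out.append((phase, key, have, want))
    return out


def junos_set_commands(req, p1="VPNPartner P1", p2="VPNPartner P2", ike_policy="IKEPolicyName",
                       gateway="IkeGatewayVPN", ipsec_policy="IpsecPolicyP2", vpn="VPNNameAK",
                       peer="<Peer IP Address>", ext_if="reth0.0", unit=30):
    """Render the set commands in the order the post uses, from the required values."""
    ike, ipsec = req["ike"], req["ipsec"]
    cmds = [f'set interfaces st0 unit {unit} description "{vpn}"']
    for key in ("authentication-method", "dh-group", "authentication-algorithm",
                "encryption-algorithm", "lifetime-seconds"):
        cmds.append(f'set security ike proposal "{p1}" {key} {ike[key]}')
    cmds += [
        f'set security ike policy "{ike_policy}" mode main',
        f'set security ike policy "{ike_policy}" proposals "{p1}"',
        f'set security ike policy "{ike_policy}" pre-shared-key ascii-text "<Your VPN Key>"',
        f'set security ike gateway "{gateway}" ike-policy "{ike_policy}"',
        f'set security ike gateway "{gateway}" address {peer}',
        f'set security ike gateway "{gateway}" external-interface {ext_if}',
    ]
    for key in ("protocol", "authentication-algorithm", "encryption-algorithm", "lifetime-seconds"):
        cmds.append(f'set security ipsec proposal "{p2}" {key} {ipsec[key]}')
    cmds += [
        f'set security ipsec policy "{ipsec_policy}" perfect-forward-secrecy keys {ipsec["perfect-forward-secrecy"]}',
        f'set security ipsec policy "{ipsec_policy}" proposals "{p2}"',
        f'set security ipsec vpn "{vpn}" bind-interface st0.{unit}',
        f'set security ipsec vpn "{vpn}" ike gateway "{gateway}"',
        f'set security ipsec vpn "{vpn}" ike ipsec-policy "{ipsec_policy}"',
        f'set security ipsec vpn "{vpn}" establish-tunnels immediately',
    ]
    return cmds


if __name__ == "__main__":
    req = required_junos(PARTNER_FORM)
    # Constructed "what is on the box": phase 1 lifetime left at 3600 by mistake.
    configured = {"ike": dict(req["ike"], **{"lifetime-seconds": 3600}), "ipsec": dict(req["ipsec"])}
    for m in mismatches(configured, req):
        print("MISMATCH", m)
    print("\n".join(junos_set_commands(req)))
```

The proxy-identity and NAT-exemption lines are deliberately not generated: they depend on the subnets agreed with the partner and are better typed from the form than templated.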

Tuesday, 19 February 2013

Implementing MimeCast as business continuity solution

I have been tasked with implementing Mimecast to comply with some internal needs and some external regulations.

Let me give you a brief idea of the reasons we will be using Mimecast.

1. We need to have a business continuity plan for our mail system (Exchange)
2. We must keep our emails for 7 years
3. We must keep backups off site
4. We must be able to access all our emails from anywhere
5. We must be able to provide full reports on emails sent and received
6. Track email deletion through the system

The list above is only a short list of our requirements, and Mimecast seems to meet most if not all of them, and many more.

I am not going to give you a lot of detail about Mimecast and how it works; I am only going to give you details on how I implemented it for the company I work for.

I will be detailing all the steps I took in order to get it fully up and working.

Monday, 18 February 2013

Installing and configuring Nagios NRPE from source


Install and configure Nagios NRPE and the NRPE plugins

Before you start, install these dependencies (development packages):

zlib-devel
libsepol-devel
libselinux-devel
keyutils-libs-devel
e2fsprogs-devel
krb5-devel
openssl-devel

# cd /usr/local

# wget -O nrpe-2.14.tar.gz 'http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.14/nrpe-2.14.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fnagios%2Ffiles%2Fnrpe-2.x%2Fnrpe-2.14%2F&ts=1361216535&use_mirror=garr'
Note: quote the URL so the shell does not treat the & as a background operator, and use -O so the file is saved under the name the next step expects.

# tar -zxvf nrpe-2.14.tar.gz

# cd nrpe-2.14


# ./configure --prefix=/usr/local/nagios


# make all

# adduser nagios

# mkdir /usr/local/nagios

# mkdir /usr/local/nagios/libexec

# mkdir /usr/local/nagios/share

# cp /usr/local/nrpe-2.14/src/nrpe /usr/local/nagios

# cp /usr/local/nrpe-2.14/src/check_nrpe /usr/local/nagios/libexec/

# cp /usr/local/nrpe-2.14/sample-config/nrpe.cfg /usr/local/nagios

# chown -R nagios: /usr/local/nagios

Add the line below to /etc/services on all servers to be monitored:
nrpe            5666/tcp                # NRPE



Modify /etc/xinetd.d/nrpe
Note: Do it on all servers and add the lines below:
# default: on
# description: NRPE
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = nagios
        server          = /usr/local/nagios/nrpe
        server_args     = -c /usr/local/nagios/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = <IPADDRESS of your Nagios Server>
}


# /etc/init.d/xinetd restart


# netstat -ant |grep 5666

Note: you should see output similar to the one below
tcp     0    0 0.0.0.0:5666       0.0.0.0:* LISTEN
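The only_from line in the xinetd stanza is what stops every host on the network from querying the agent, and the netstat line only confirms that something is listening, not who may connect. The Python below is an added example, not from the post or the Nagios project: it parses a stanza like the one above, reports the settings a defender wants right before port 5666 is reachable (only_from restricted to the Nagios server, the nagios user, --inetd present, not disabled), and picks the NRPE listener out of a netstat -ant line. The stanza, the 192.0.2.10 server address and the netstat line are constructed samples.

```python
import re

# Constructed xinetd stanza, in the shape of the one in the post, with the
# placeholder replaced by an example Nagios server address.
XINETD_NRPE = """\
# default: on
# description: NRPE
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = nagios
        server          = /usr/local/nagios/nrpe
        server_args     = -c /usr/local/nagios/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 192.0.2.10
}
"""

# Constructed `netstat -ant` line in the form the post shows.
NETSTAT_LINE = "tcp     0    0 0.0.0.0:5666       0.0.0.0:* LISTEN"


def parse_xinetd_service(text):
    """Parse one xinetd service stanza into {attribute: value}.
    '+=' appends to an existing value; '#' starts a comment."""
    attrs = {}
    in_body = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("service "):
            attrs["service"] = line.split(None, 1)[1]
        elif line == "{":
            in_body = True
        elif line == "}":
            break
        elif in_body:
            m = re.match(r"(\w+)\s*(\+?=)\s*(.*)$", line)
            if m:
                key, op, value = m.groups()
                if op == "+=":
                    attrs[key] = (attrs.get(key, "") + " " + value).strip()
                else:
                    attrs[key] = value
    return attrs


def check_nrpe_stanza(attrs, nagios_server):
    """Return the problems to fix before exposing the agent; empty means OK."""
    problems = []
    if attrs.get("disable", "no") != "no":
        problems.append("service disabled")
    if attrs.get("user") != "nagios":
        problems.append("nrpe should run as the unprivileged nagios user")
    if "--inetd" not in attrs.get("server_args", ""):
        problems.append("server_args must include --inetd under xinetd")
    only_from = attrs.get("only_from", "").split()
    if not only_from:
        problems.append("only_from missing: any host can query NRPE")
    elif nagios_server not in only_from:
        problems.append(f"only_from does not include the Nagios server {nagios_server}")
    return problems


def listener_from_netstat(line, port=5666):
    """From a netstat -ant line, return (local_address, state) if it is the
    listener on the given port, else None."""
    parts = line.split()
    if len(parts) >= 6 and parts[0].startswith("tcp") and parts[3].endswith(f":{port}"):
        return parts[3], parts[5]
    return None


if __name__ == "__main__":
    stanza = parse_xinetd_service(XINETD_NRPE)
    print("problems:", check_nrpe_stanza(stanza, "192.0.2.10"))
    print("listener:", listener_from_netstat(NETSTAT_LINE))
```

On a real host, read /etc/xinetd.d/nrpe into parse_xinetd_service and pass the address of your Nagios server; 0.0.0.0:5666 in the listener result means the socket is bound on all interfaces, so only_from is the control that limits who can reach it.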

Installing Nagios NRPE plugins

# cd /usr/local

# wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.16.tar.gz

# tar -zxvf nagios-plugins-1.4.16.tar.gz

# cd nagios-plugins-1.4.16

# ./configure --prefix=/usr/local/nagios

# make all

# make install

NOTE: All plugins will be compiled and copied to /usr/local/nagios/libexec/

# chown nagios: -R /usr/local/nagios/libexec/

I will be writing about how to install and configure the Nagios server in the next posts.

Something I would like to draw your attention to: once you have compiled the NRPE addon, you can simply tar the whole /usr/local/nagios folder and copy it to the remaining servers.

# tar -cvf nagios.tar /usr/local/nagios

by Renato


Configuring Juniper SRX (some commands)

How to save config to a File:
root@fw-name# save <config-11-21-10-version-1>

How to restart Firewall
root@srx100-01> request system reboot

How to display systems alarms 
root@srx100-01> show system alarms

How to set System hostname
root@srx100-01# set system host-name <hostname>

How to set the system domain name on Juniper SRX
admin@srx100-01# set system domain-name <domainname>

How to set the nameserver or resolvers for your SRX
admin@srx100-01# set system name-server <IP Nameserver>

How to set root password
root@srx100-01# set system root-authentication plain-text-password

How to create a user on Juniper SRX
root@srx100-01# set system login user <username> class super-user

How to set the new user's password on Juniper
root@srx100-01# set system login user renato authentication plain-text-password

How to create a readonly user on SRX
admin@srx100-01# set system login user readonly class read-only

How to display the Junos version
root@srx100-01# show version

How to set Time Zone
root@srx100-01# set system time-zone Europe/London

How to set Date and Time
root@srx100-01> set date 201302170917.32

Note: The command above can be explained as follows:
2013 (year), 02 (month), 17 (day of month), 0917.32 (09:17:32am - nine o'clock, seventeen minutes and thirty two seconds a.m)

How to set Juniper to sync date and time from NTP server
root@srx100-01> set date ntp <NTPSERVER>

How to setup 2 NTP servers and have one as a preferred one
root@srx100-01# set system ntp server <NTPSERVER> version 4 prefer
root@srx100-01# set system ntp server <NTPSERVER> version 4

How to setup NTP server at boot time
root@srx100-01# set system ntp boot-server <NTPSERVER>

How to show the NTP servers configured on Juniper
root@srx100-01# show system ntp

How to show NTP status 
root@srx100-01> show ntp status

How to show the Uptime for a Juniper firewall
root@srx100-01> show system uptime | match current

How to troubleshoot NTP problems
root@srx100-01> show log messages | match ntp

Some Cisco CCNA Notes


Some CCNA Notes (I will be retaking my CCNA soon)

switch>                               user mode (user EXEC)
switch> enable                        enters privileged mode (switch#)
switch# configure terminal            enters global configuration mode (switch(config)#)
switch(config)# interface fastethernet 0/1    (or: int fa0/1) enters interface configuration mode (switch(config-if)#)
[end] goes back to privileged mode
[exit] goes back to privileged mode (from global configuration mode; from a sub-mode it goes back one level)

<Ctrl>+Z goes back to privileged mode

Set Name:
hostname <name>

Set IP (on interface VLAN1):
switch>enable
switch#config t
switch(config)#interface vlan 1
switch(config-if)#ip address 192.168.10.100 255.255.255.0
switch# show interface vlan 1

Note: whenever you see an interface that is administratively down, it is logically down and needs to be brought up:

switch>enable
switch#config t
switch(config)#interface vlan 1
switch(config-if)#no shutdown

VLAN 1 is not the same as interface VLAN1. VLAN 1 is the default VLAN which all Ethernet ports on the switch belong to by default.
Interface VLAN1 is a virtual interface which allows you to assign an IP address.

Setup Default Gateway
from global configuration mode:
switch(config)# ip default-gateway 192.168.10.1

Save Config:
copy running-config startup-config
NVRAM - Non-Volatile RAM (where the startup-config is kept)

Setup Password
switch>enable
switch#configure terminal
switch(config)#enable password <password>
Note: this password is stored unencrypted

Setup encrypted password
switch>enable
switch#configure terminal
switch(config)#enable secret <password>

Setup password for console mode
switch>enable
switch#configure terminal
switch(config)#line console 0
switch(config-line)# password <password>
switch(config-line)# login
switch(config-line)# line vty 0 4
switch(config-line)# password <password>
switch(config-line)# service password-encryption
Note: the level 7 encoding (service password-encryption) on Cisco is very easily crackable
http://www.ifm.net.nz/cookbooks/passwordcracker.html

Setting the Banner:
switch(config)#banner motd # TEXT #

Setting up SSH
switch>enable
switch#configure terminal
switch(config)#username <renato> password <password>
switch(config)#ip domain-name <domain>

Generate SSH keys
switch>enable
switch#configure terminal
switch(config)#crypto key generate rsa <ENTER>
(when asked for the size of the key modulus, enter 1024)
switch(config)#ip ssh version 2
switch(config)#line vty 0 4
switch(config-line)#transport input ssh
<Ctrl> + Z
switch#

Setup Port security
switch>enable
switch#configure terminal
switch(config)#interface fastethernet <port>   (i.e. 0/5)
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 1
switch(config-if)#switchport port-security violation restrict
switch(config-if)#switchport port-security mac-address <MAC ADDRESS>   (or: switchport port-security mac-address sticky)
switch# show ip interface brief
switch# terminal monitor
switch# show mac address-table
switch# show port-security interface fastEthernet <port>   (i.e. 0/5)
switch# show port-security

Configure a Range of Ports
switch>enable
switch#config terminal
switch(config)#interface range fastEthernet 0/2 - 24
switch(config-if-range)# switchport port-security

Troubleshooting Switches
switch# terminal monitor
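The notes above come down to a handful of checks that can be run against a saved running-config: enable secret rather than enable password, no type 7 strings (the reversible encoding service password-encryption produces), vty lines that accept ssh only, and port security on every access port. The Python below is an added example, not part of the original notes: it splits an IOS config into top-level lines and their indented children and reports those points. Both configs are constructed, and the PLACEHOLDER strings stand in for real hashes.

```python
import re

# Constructed running-config reflecting the commands in these notes, with the
# weaknesses the notes warn about left in. PLACEHOLDER values are not real hashes.
WEAK_CONFIG = """\
hostname switch01
enable password cisco
service password-encryption
ip domain-name example.test
ip ssh version 2
username renato password 7 PLACEHOLDERTYPE7
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface FastEthernet0/6
 switchport mode access
!
line con 0
 password 7 PLACEHOLDERTYPE7
 login
line vty 0 4
 password 7 PLACEHOLDERTYPE7
 login
 transport input ssh
"""

# The same switch after applying the notes' recommendations (also constructed).
HARDENED_CONFIG = """\
hostname switch01
enable secret 5 PLACEHOLDERTYPE5
ip domain-name example.test
ip ssh version 2
username renato secret 5 PLACEHOLDERTYPE5
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
line vty 0 4
 login local
 transport input ssh
"""


def parse_sections(text):
    """Split a config into (top-level line, [indented child lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(stripped)
        else:
            sections.append((stripped, []))
    return sections


def audit_ios(text):
    """Return (category, detail) findings; empty means the config follows the notes."""
    findings = []
    sections = parse_sections(text)
    tops = [t for t, _ in sections]
    if any(t.startswith("enable password") for t in tops) and not any(t.startswith("enable secret") for t in tops):
        findings.append(("enable", "enable password set without enable secret"))
    if "ip ssh version 2" not in tops:
        findings.append(("ssh", "ip ssh version 2 not configured"))
    for top, children in sections:
        for line in [top] + children:
            if re.search(r"\bpassword 7 \S+", line):
                findings.append(("type7", line if line == top else f"{top}: {line}"))
        if top.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(("vty", f"{top}: transport input is not restricted to ssh"))
        if (top.startswith("interface ") and "switchport mode access" in children
                and "switchport port-security" not in children):
            findings.append(("port-security", top.split(None, 1)[1]))
    return findings


if __name__ == "__main__":
    for category, detail in audit_ios(WEAK_CONFIG):
        print(f"{category}: {detail}")
    print("hardened findings:", audit_ios(HARDENED_CONFIG))
```

Feed it the output of show running-config saved to a file; the type7 findings are the lines to re-enter as secret (username ... secret, enable secret) rather than password, since service password-encryption only obscures them.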

Sunday, 17 February 2013

How to troubleshoot traffic flowing through your SRX

I have been managing two SRX clusters for the past 2 years.
I am so happy I bought these devices: they are so reliable, so feature rich, flexible and great fun to set up. Another very important point is that Juniper's support is amazingly good.

One of the great options built into the Juniper SRX is the ability to monitor traffic coming IN and going OUT of your device; one very handy debugging tool is 'traceoptions'.

If you have a communication problem (hosts not able to communicate with one another, a VPN which is not routing through the correct interface, NAT not happening and you are not sure why), you can set up 'traceoptions' and it will capture the traffic as it traverses your firewall and help you pinpoint the problem.

I was setting up an IPsec VPN to another location, and it was not working. The traffic was not going through the tunnel. I was really getting nowhere and making no progress with the configuration.
Then I read about 'traceoptions', and once I understood it and set it up, I could easily figure out what was going on. The traffic intended to go through the tunnel and be routed to the st0 interface was going through the reth3 interface.

I am going to show you how to set up a simple traceoptions monitor to help you troubleshoot many communication problems.

The way I approach it: first identify the source and destination IPs of the hosts you are having trouble with.
In my case my private source IP is 192.168.1.5 and my destination public IP is 8.8.8.8

How to set up traceoptions for isolating traffic problems
admin@srx100-01# set security flow traceoptions file flow-trace
admin@srx100-01# set security flow traceoptions flag basic-datapath
admin@srx100-01# set security flow traceoptions packet-filter f0 source-prefix 192.168.1.5/32
admin@srx100-01# set security flow traceoptions packet-filter f0 destination-prefix 8.8.8.8/32
admin@srx100-01# show | compare   (displays the lines which will be added to your config)
admin@srx100-01# commit and-quit   (commits the changes and exits configuration mode)
admin@srx100-01> show configuration security flow traceoptions
admin@srx100-01> show configuration security flow
admin@srx100-01> show log flow-trace

Don't forget to delete the 'traceoptions' once you have identified and solved the problem.
Deleting is very easy: all you have to do is replace the word 'set' with 'delete', see below:

How to delete traceoptions from your SRX

admin@srx100-01# delete security flow traceoptions file flow-trace
admin@srx100-01# delete security flow traceoptions flag basic-datapath
admin@srx100-01# delete security flow traceoptions packet-filter f0 source-prefix 192.168.1.5/32
admin@srx100-01# delete security flow traceoptions packet-filter f0 destination-prefix 8.8.8.8/32
admin@srx100-01#  commit
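A trace that is forgotten keeps writing to flow-trace on the routing engine, so it pays to script both halves of this: build the four set commands from a source and destination, derive the delete commands from them, and scan a `show configuration | display set` dump for any traceoptions still present. The Python below is an added example, not the post's code; the display-set dump is constructed, and the function accepts networks as well as single hosts (a bare host becomes /32, as in the post).

```python
import ipaddress


def traceoptions_set(src, dst, filename="flow-trace", filt="f0"):
    """Return the set commands for a flow trace limited to src -> dst.
    Hosts or networks are accepted; a bare host is written as /32."""
    src_net = ipaddress.ip_network(src, strict=False)
    dst_net = ipaddress.ip_network(dst, strict=False)
    base = "set security flow traceoptions"
    return [
        f"{base} file {filename}",
        f"{base} flag basic-datapath",
        f"{base} packet-filter {filt} source-prefix {src_net.with_prefixlen}",
        f"{base} packet-filter {filt} destination-prefix {dst_net.with_prefixlen}",
    ]


def traceoptions_delete(set_lines):
    """The post's rule: the delete commands are the set commands with 'set' replaced."""
    return [line.replace("set ", "delete ", 1) for line in set_lines if line.startswith("set ")]


def lingering_traceoptions(display_set_output):
    """Return traceoptions lines still present in a display-set dump, so a trace
    is not left running (and filling /var/log) after the problem is solved."""
    return [line.strip() for line in display_set_output.splitlines()
            if line.strip().startswith("set ") and " traceoptions " in line]


# Constructed dump in the form of `show configuration | display set`.
SAMPLE_DISPLAY_SET = """\
set security flow traceoptions file flow-trace
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter f0 source-prefix 192.168.1.5/32
set security flow traceoptions packet-filter f0 destination-prefix 8.8.8.8/32
set security ipsec vpn "VPNNameAK" bind-interface st0.30
"""


if __name__ == "__main__":
    print("\n".join(traceoptions_set("192.168.1.5", "8.8.8.8")))
    left = lingering_traceoptions(SAMPLE_DISPLAY_SET)
    print("still configured:", len(left))
    print("\n".join(traceoptions_delete(left)))
```

Pasting the output of traceoptions_delete(lingering_traceoptions(dump)) into configuration mode followed by commit removes exactly what is there, whichever filter names were used.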

That is it folks. I hope this will help you in troubleshooting your next problems.

By Renato Oliveira




Saturday, 16 February 2013

How to replace a broken node in a Juniper SRX HA cluster

A couple of weeks ago, one of our Juniper SRXs failed. Just as well I had invested the money and time in setting up an HA cluster.
I think these devices are very robust, and it was a big surprise to find this device completely failed for apparently no reason.
There were no lights on the front panel and no access via the console; I had to pull its plug out and even so it did not come back alive.

The replacement is very easy. I logged a call with Juniper and received the replacement SRX the following day.
One thing I would like to point out: Juniper support so far has been fantastic, and their engineers' knowledge is high level. I am very happy not only to use Juniper's devices but also to recommend them.

Replacement How To

1. Check the OS version on your existing one:
   root@srx100-01# show version (hit ENTER)
   ## Last changed: 2013-02-16 05:13:37 GMT
   version 11.2R4.3;

2. Connect your SRX to your laptop or PC via the console port using the console cable.

3. Power the Juniper replacement on and check its version:
   root@srx100-01# show version (hit ENTER)
   Note: both nodes must be running the same OS version.

4. I am going to assume both devices are on the same OS version.
   Note: I'll write another How To later about how to upgrade the OS on a Juniper SRX.

5. Delete the configuration on your replacement device:
   root@srx100-01# delete (hit ENTER)
   Note: this command will delete the whole configuration and leave your device blank

6. Set the root password:
   root@srx100-01# set system root-authentication plain-text-password (hit ENTER)

7. Commit the changes:
   root@srx100-01# commit

8. The following steps will require some knowledge of your existing cluster and how it is set up:
   * Cluster-id (ID)
   * Node number (No.)

9. Once you have your cluster ID and the node number at hand, type in the following command:
   root@srx100-01> set chassis cluster cluster-id 1 node 0 reboot
   Note: the command above will set your new Juniper to be part of cluster 1 as node 0, then it will reboot.

10. Log in to the existing Juniper SRX and save the configuration file to /root
    root@srx100-01# save config_Juniper_SRX

11. Copy the config file config_Juniper_SRX to the new SRX.
    Note: You can use a USB memory stick to transfer the file.

12. Once you have copied the file config_Juniper_SRX to /root, run the following command:
    root@srx100-01# load override /root/config_Juniper_SRX

13. Commit the changes
    root@srx100-01# commit
    root@srx100-01> show configuration | display set
    Note: I always compare both devices and make sure the config is the same.

14. root@srx100-01# exit

15. Halt the system with the command below:
    root@srx100-01> request system halt

16. Connect the fabric and control ports

17. Power your new SRX on

18. Once the new firewall has booted, check the cluster status:
    root@srx100-01> show chassis cluster status
    root@srx100-01> show chassis fpc pic-status

19. Check if there are any alarms on your new SRX:
    root@srx100-01> show system alarms


Note: There might be two minor alarms, I will talk about that in the next posts.

Your cluster should be fully online and operating well by now.

By Renato


Friday, 15 February 2013

IT projects I have successfully worked on and completed

I started working for my current company one year and six months ago.
I was brought in to be a Linux Systems Administrator and help in building two Data Centers, to be used as primary and backup. Things changed, and I became project manager, IT manager, Systems Administrator and implementer.

The idea was to bring in house all services which had been hosted by different companies in the US.

My first task was to identify what was being hosted and where, and to try to copy as many parts of the system as I could and replicate them.

I successfully identified all the necessary systems and components which composed the system. I interviewed some of the developers and many other people to gather information.

I had a very limited time frame to complete the whole project; in fact I had less than a year to identify all components of the system, understand how they were set up, identify how they were being used, usage, bottlenecks, and start to plan it.
Here is a list of equipment I had to identify, buy and work with to build the system from scratch.

  • Firewalls (Juniper SRX) x 2 HA cluster
  • File Server (NetApp 3240) x 2 Cluster
  • Switches (Cisco 3750) x 5 Stack
  • Physical servers (HP DL580s and DL380s) x 20
  • Remote access (Citrix XenApp 6.5) x 12
  • Virtualization  (VMware vSphere 5.0) x 4
  • Linux Redhat 6.2 x 20 between Virtuals and Physicals
  • Windows 2008 R2 x 20 mostly Virtuals
  • Virtual Server backup (Veeam 6)
  • Integrate Linux authentication to Active Directory using LDAP
  • Many different types of VPNs and leased lines to connect to different companies
  • Monitoring system (using Nagios and Cacti)
Once I had identified all the equipment and sourced suppliers, I started to think about the network topology:
the best way to organise the whole system and make sure security was kept at a high level.

I will be posting about each section of the system and specifying the configuration for each part of the layer, in detail.

Part one (1)

I will be writing next about the Firewall project.


by Renato Oliveira

Recover Juniper SRX Lost root Password


How to reset a forgotten root password on a Juniper SRX security Gateway
I am going to write about something which does not happen very often, but if it does, it is good to have the right information at hand.
I was trying to replace a broken Juniper SRX 240, which is set up in an HA cluster. I received the replacement in the office and set the root password.
I took the firewall to the Data Center, placed it in the rack, powered it on, and to my surprise I could not access it.
I tried all the passwords I could remember, and various combinations, but I was not lucky that day.
It is frustrating; most of the time I am organised and I take note of my passwords in my password manager, but this time I was in a hurry. I had loads to do and had to go back to the office.
After 30 minutes of trying various passwords I gave up and decided to try and break in.
In fact it was easier than I thought, and I thought of documenting it and sharing my experience, or bad experience, with everyone.
The first thing is to connect your device via the serial port to your laptop.
1.  Connect your Juniper firewall console port to your PC or laptop serial port.
2.  Power off your Juniper firewall by pressing the power button at the front.
3.  I use PuTTY to console to the firewall; you can use any console program.
4.  Power on your Juniper firewall.
5.  You will see your Juniper booting and loads of messages will scroll on your screen.
6.  Press <spacebar> as soon as the boot messages start to scroll.
7.  You will see a prompt similar to this one: loader>
8.  At the prompt, type in: boot -s (hit ENTER)
9.  You will see the following message:
    Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery (hit ENTER)
10. Enter the CLI by typing: root@srx100-01% cli (hit ENTER)
11. Go to configuration mode: root@srx100-01> configure
12. The prompt changes to: root@srx100-01#
13. Set the new root password:
    root@srx100-01# set system root-authentication plain-text-password (hit ENTER)
    New password: newrootpassword
    Retype new password: newrootpassword
14. At the command prompt, type:
    root@srx100-01# commit (hit ENTER)
15. Exit configuration mode:
    root@srx100-01# exit (hit ENTER)
16. Reboot your Juniper firewall with the following command:
    root@srx100-01> request system reboot
That is it folks. I hope this never happens to you, but if it does, you now know what to do.
by Renato de Oliveira