David Ramsden – Network engineer, general geek, petrol + drum and bass head
26Jul/16

Reviving an Acer Aspire One ZG5 Netbook

I was given an Acer Aspire One ZG5 (A110) and asked to try to update it. There were a few problems with it. Firstly, it was running Ubuntu 12.04 but the upgrade to Precise Pangolin had broken and wasn't easily recoverable. Secondly, the battery appeared to be dead and wouldn't charge. In addition I also found that a BIOS password ("user" and "supervisor") had been set but the password wasn't known.

A Modern OS

When the Aspire One first came out there was a wide range of Operating Systems to choose from. It was capable of running Windows XP, various Linux flavours, FreeBSD and even OS X. A lot of customised Linux distributions started to appear, designed specifically for netbooks. However, fast forward a few years and Windows XP is dead and a lot of the Linux distributions for netbooks are no longer actively developed and have fallen behind the times.

Wikipedia has a page dedicated to comparisons of netbook-orientated Linux distributions. Most of these are no longer actively developed, apart from a few. First I tried Lubuntu but after installing successfully, found it would get stuck booting and I didn't have the inclination to troubleshoot it.

Next I tried Manjaro Netbook Edition, a community developed flavour of Manjaro Linux. This can be downloaded here. Specifically I downloaded the latest and greatest 32-bit version (direct link to ISO). Since the Aspire One doesn't have a CD/DVD drive, I used UNetBootin to create a bootable USB thumbdrive from the ISO, booted, installed and rebooted successfully.

After logging in for the first time I was prompted to install the linux-netbook-manjaro package and palemoon-atom package. The former is a Linux kernel optimised for netbooks and the latter is an optimised version of the Palemoon browser.

I found that the package manager was extremely slow to download anything. This turned out to be because the mirror list had selected a location in South Africa first. The Manjaro wiki has some handy pacman tips to resolve this.

I was then able to perform an upgrade to the latest Manjaro release, 16.06.1 (Daniella), released 11th June 2016. So finally the Aspire One had a modern and fully functional OS, including sound, wireless, webcam etc. I also installed the Flash player plugin for Palemoon (although testing BBC iPlayer is slow with sound and video out of sync), AbiWord and Skype.

Battery and BIOS

As mentioned, the other issue was the battery. It wouldn't charge. This was either because the battery was dead or there was something wrong with the charging circuitry. But one clue was after I had installed Manjaro Linux, the battery was reported as "unknown". Maybe clearing the BIOS settings and/or re-flashing the BIOS would help.

As I pressed F2 to enter the BIOS setup I was prompted for a user password. Unfortunately no one knew what this was. My first thought was to remove the CMOS battery but after a quick Google, taking the Aspire One apart was a little too much trouble.

Introducing Hiren's Boot CD. I downloaded the ISO and again used UNetBootin to create a bootable USB thumbdrive. However, after booting from it I found the boot menu was broken. To fix this I had to copy the isolinux.cfg file found inside the HBCD directory on the USB thumbdrive to the root of the USB thumbdrive, replacing the syslinux.cfg file. In one of the menus is a bunch of BIOS/CMOS tools and one of those tools can dump the plaintext strings found in the CMOS. Here, I was able to find the "user" and "supervisor" BIOS passwords.

Now that I had access to the BIOS I tried loading the default settings. Unfortunately this didn't resolve the battery issue. So next was to try flashing the BIOS. Enter the SNID (found on the underside of the Aspire One) into Acer's download and support site to get the latest BIOS download. The problem here is that the BIOS update utility is geared towards Windows users.

Acer do have a help page covering updating the BIOS on the A110 or A115 models, which involves copying some files to a FAT32 formatted USB thumbdrive, holding Fn+Esc and powering on the netbook, which should initiate the BIOS upgrade. But I found this didn't work (all the right lights flashed but nothing actually happened).

The easiest (and probably safest) way to update the BIOS is to again use UNetBootin to create a bootable USB thumbdrive of FreeDOS. After that, copy the DOS folder from the Acer BIOS update download to the root of the USB thumbdrive and boot the netbook into FreeDOS. Change to the C: drive (this will be the USB thumbdrive) and then change directory into the DOS folder. Run the batch file to start the BIOS upgrade.

Success. BIOS upgraded and as a bonus, the battery started charging and did hold charge too.

29Mar/16

Disabling WordPress XML-RPC and banning offenders with fail2ban

This isn't something new. SANS ISC reported on this 2 years ago. The bad guys love anything that can be used in a reflection DoS and the WordPress XML-RPC functionality is a prime candidate. There are various ways to disable it, through WordPress plugins for example, or by hacking away at code. All of these are fine if you're in control over what gets installed on the web server. In a shared hosting environment you've got to rely on your users.

Running Apache, you can disable XML-RPC globally, and simply, with the following:

The configuration should be placed as part of the global Apache configuration. When any file called xmlrpc.php is requested, on any vhost, from an IP address not listed by the Require ip line, an Error 403 Forbidden will be served instead. This configuration should ensure that WordPress plugins like Jetpack continue to work.

I've seen a few examples where even after doing this the bad guys still continuously request xmlrpc.php even though they're being served a 403 error. To further protect the web server, fail2ban can be deployed.

Firstly create a filter definition:

Then create the jail:

Now when someone requests xmlrpc.php 3 times within the defined findtime their IP address will be blocked.

29Mar/16

Cisco two armed VPN concentrator and default route

Take the following scenario:

  • You have a hub site.
  • Branch (spoke) sites connect to the hub with a L2L IPsec tunnel.
  • All traffic must traverse the tunnel (no local breakout to the Internet).
  • At the hub, your VPN concentrator is separate from your firewall and runs in two-armed mode, where one interface is outside the firewall (public) to terminate the incoming tunnels and another interface is within a DMZ. As such no NAT is configured on the concentrator, since the firewall will be doing this along with routing and filtering traffic.

The VPN concentrator will have its default gateway pointing out of the public interface. This becomes a problem when you're tunnelling all traffic from the spokes over the L2L tunnel, especially for traffic destined to the Internet which should go via the hub site's central firewall.

On a Cisco ASA two default gateways can be specified. One for non-tunneled traffic and one for traffic exiting from a tunnel.

In the example above, any traffic exiting from a tunnel on the inside interface and not matching another route, will be routed towards 192.168.0.1. Without this the traffic would be routed towards 111.222.333.444.

If a device running IOS is being used the same can be achieved using a route-map to match the traffic exiting the tunnel and then setting the next hop IP.
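The ASA side of this, as an added configuration example that is not the post's own config: the public-facing default route for the concentrator's own and non-tunneled traffic, and the tunneled default route that sends decrypted spoke traffic towards the hub firewall. Interface names "outside" and "inside" are assumed, and the addresses are the post's placeholders (111.222.333.444 is not a valid address; substitute the real public next hop).

```text
! Added example, not the post's configuration. Interface names assumed;
! 111.222.333.444 is the post's placeholder, not a valid address.
!
! Default route for non-tunneled traffic: the concentrator's own traffic
! and anything that did not arrive through an IPsec tunnel.
route outside 0.0.0.0 0.0.0.0 111.222.333.444 1
!
! Default route for traffic exiting a tunnel. The "tunneled" keyword makes
! decrypted spoke traffic with no more specific route go to the hub firewall
! on the DMZ side (192.168.0.1) instead of back out of the public interface.
route inside 0.0.0.0 0.0.0.0 192.168.0.1 1 tunneled
```

Only one tunneled default route can exist on an ASA, and it applies to all tunnels, so every spoke's Internet-bound traffic lands on the central firewall as the post intends.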

21Mar/16

Banning repeat offenders with fail2ban

More and more I see fail2ban banning the same hosts repeatedly. One way to tackle this could be to increase the ban time but you could also have fail2ban monitor itself to find "repeat offenders" and then ban them for an extended period of time.

Firstly, create a filter definition:

This will be used against the fail2ban log and will find any hosts that have been unbanned. We don't want to monitor hosts that have been banned because, er, they're already banned. We also want to ignore any log entries that are generated by the jail itself.

Next edit jail.local to add a new jail:

This jail will monitor the /var/log/fail2ban.log file and use the repeat-offender filter that was defined earlier. If 3 unbans are seen within 5 hours, the host will be banned for 48 hours. You could adjust the banaction to use the route action which may give some performance benefits on a very busy server.
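The counting both jails perform (the xmlrpc.php jail from the post above and this repeat-offender jail), as an added Python example that is not the posts' fail2ban configuration. It applies fail2ban's findtime/maxretry test to constructed Apache and fail2ban log lines; maxretry is 3 as in both posts, the 5-hour window is from this post, and the 600-second findtime for the xmlrpc.php jail is an assumption since the post does not give one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log line where a 403 was served for xmlrpc.php on any vhost.
XMLRPC_403 = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) \S*/xmlrpc\.php\S* [^"]*" 403 ')
# fail2ban log line for an Unban by any jail other than the repeat-offender jail itself.
UNBAN = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s*\[\d+\]: '
    r'NOTICE\s+\[(?!repeat-offender\])[^\]]+\] Unban (?P<ip>\S+)$')
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"
F2B_TS = "%Y-%m-%d %H:%M:%S"

def offenders(lines, pattern, ts_format, findtime, maxretry=3):
    """IPs with at least `maxretry` matching events inside any window of
    `findtime` seconds: the same test fail2ban's findtime/maxretry applies."""
    events = defaultdict(list)
    for line in lines:
        m = pattern.match(line)
        if m:
            events[m["ip"]].append(datetime.strptime(m["ts"], ts_format))
    banned = []
    for ip, times in events.items():
        times.sort()
        window = timedelta(seconds=findtime)
        if any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1)):
            banned.append(ip)
    return sorted(banned)

# Constructed sample logs (RFC 5737 addresses), not captured from a real server.
APACHE_SAMPLE = [
    '203.0.113.5 - - [29/Mar/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Mar/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Mar/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Mar/2016:10:05:00 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 425 "-" "Jetpack"',
    '198.51.100.9 - - [29/Mar/2016:10:06:00 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.47"',
]
F2B_SAMPLE = [
    '2016-03-21 09:00:00,100 fail2ban.actions [1234]: NOTICE [sshd] Unban 192.0.2.10',
    '2016-03-21 11:00:00,100 fail2ban.actions [1234]: NOTICE [sshd] Unban 192.0.2.10',
    '2016-03-21 13:30:00,100 fail2ban.actions [1234]: NOTICE [apache-xmlrpc] Unban 192.0.2.10',
    '2016-03-21 09:10:00,100 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.20',
    '2016-03-21 09:20:00,100 fail2ban.actions [1234]: NOTICE [repeat-offender] Unban 192.0.2.20',
    '2016-03-21 10:20:00,100 fail2ban.actions [1234]: NOTICE [sshd] Unban 192.0.2.20',
]

def xmlrpc_offenders(lines=APACHE_SAMPLE, findtime=600):   # findtime assumed; post gives none
    return offenders(lines, XMLRPC_403, APACHE_TS, findtime)

def repeat_offenders(lines=F2B_SAMPLE, findtime=5 * 3600):  # 3 unbans in 5 hours, per the post
    return offenders(lines, UNBAN, F2B_TS, findtime)
```

In the samples only 203.0.113.5 trips the xmlrpc.php jail (the Jetpack request got a 200 and is ignored) and only 192.0.2.10 is a repeat offender, because the Ban line and the repeat-offender jail's own Unban for 192.0.2.20 are excluded.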

10Oct/15

DHCP Option 43 generator for Cisco Lightweight APs

I got lazy after having to create a load of DHCP scopes for Cisco Lightweight Access Points, each requiring Option 43 in TLV format. And now you can be lazy too.

Save the following as a HTML file and open in your favorite browser. In the text area enter your WLC IP addresses one per line and hit submit. This will generate the hex string to use in DHCP Option 43. Alternatively I've also put the code into jsfiddle here.
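The same TLV encoding as an added Python example (not the post's HTML/JavaScript generator): sub-option type 0xF1, a one-byte length of 4 times the number of controllers, then each WLC management address as four raw bytes. The sample addresses are constructed.

```python
# Added example, not the post's generator: Cisco lightweight AP Option 43 in TLV form.
import ipaddress

WLC_TYPE = 0xF1  # sub-option type Cisco lightweight APs look for

def option43_hex(wlc_addresses):
    """Return the Option 43 hex string for a list of WLC IPv4 addresses.
    Raises ValueError on a malformed address, an empty list or too many entries."""
    addrs = [ipaddress.IPv4Address(a.strip()) for a in wlc_addresses if a.strip()]
    if not addrs:
        raise ValueError("at least one WLC address is required")
    payload = b"".join(a.packed for a in addrs)  # 4 bytes per controller
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([WLC_TYPE, len(payload)]).hex() + payload.hex()

def option43_from_text(text):
    """Accept the post's text-area style input: one address per line."""
    return option43_hex(text.splitlines())

def decode_option43(hex_string):
    """Reverse the encoding, as a sanity check on a value before it goes into a scope."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2 or raw[0] != WLC_TYPE or raw[1] != len(raw) - 2 or raw[1] % 4:
        raise ValueError("not a well-formed Cisco WLC Option 43 value")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, len(raw), 4)]

if __name__ == "__main__":
    # Constructed sample: two controllers.
    print(option43_from_text("192.168.10.5\n192.168.10.6"))  # f108c0a80a05c0a80a06
```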


19May/15

loadbalancer.org – Linux feedback agent

I've been working with some loadbalancer.org appliances recently, load balancing traffic over MySQL and Apache servers running Linux. The load balancer supports a feedback agent where it can query the real server to gauge how utilised it is based on, for example, CPU load and then distribute the request to the real server that should perform the best.

Over on the loadbalancer.org blog is an article about the feedback agent and how to implement it for Linux servers. The shell script suggested is:

Although this does give you a 1 second average CPU, it's a bit too accurate and doesn't give much headroom. If the CPU suddenly spiked very quickly and then returned to normal the load balancer wouldn't know this. And indeed watching the real server weighting change on the load balancer vs what top is reporting confirms this. The weighting on a real server can drastically jump up and down.

A better feedback agent script is:

This will take a 3 second average reading and then report back the overall average. This prevents the real server weighting on the load balancer from fluctuating so much. Change the NUM_CHECKS variable to take more or less readings as required.
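The same smoothing as an added Python example, not the loadbalancer.org script from the post: NUM_CHECKS consecutive readings are taken from /proc/stat, the idle percentage between each pair is averaged, and the result is printed as "NN%". That output format and the use of /proc/stat rather than top are assumptions; the pure functions can be checked on constructed readings.

```python
# Added example, not the post's script: feedback agent averaging NUM_CHECKS readings.
import time

NUM_CHECKS = 3   # readings to average, as in the post
INTERVAL = 1.0   # seconds between readings

def parse_cpu_line(line):
    """Return (idle_jiffies, total_jiffies) from the aggregate 'cpu' line of /proc/stat."""
    fields = [int(x) for x in line.split()[1:]]
    idle = fields[3] + (fields[4] if len(fields) > 4 else 0)  # idle + iowait
    return idle, sum(fields)

def idle_percent(before, after):
    """Idle CPU percentage between two (idle, total) readings."""
    d_idle = after[0] - before[0]
    d_total = after[1] - before[1]
    if d_total <= 0:
        return 100.0
    return 100.0 * d_idle / d_total

def average_idle(readings):
    """Mean idle percentage over consecutive readings, which smooths short spikes."""
    pcts = [idle_percent(a, b) for a, b in zip(readings, readings[1:])]
    return sum(pcts) / len(pcts)

def feedback_value(readings):
    """Integer percentage to report: idle CPU, i.e. spare capacity, clamped to 0-100."""
    return max(0, min(100, round(average_idle(readings))))

def read_proc_stat():
    with open("/proc/stat") as f:
        return parse_cpu_line(f.readline())

if __name__ == "__main__":
    samples = [read_proc_stat()]
    for _ in range(NUM_CHECKS):
        time.sleep(INTERVAL)
        samples.append(read_proc_stat())
    print(f"{feedback_value(samples)}%")
```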

7Feb/15

Cisco VSS, domain ID and virtual MAC addresses

The other weekend I connected a L2 circuit between two sites. At both ends were Cisco 6500 Catalyst switches running VSS. The interfaces they connected to were configured as L3 and EIGRP was run between the two sites to share routes. But as soon as they were connected the neighbors started flapping.

Troubleshooting started and as always you start at the lowest OSI layer and work up. Bingo! The issue was at Layer 2 as I could see ARP was incomplete on both sides for the neighbor addresses. Checking the MAC address for the interface the L2 circuit was connected to at site A and the MAC address for the interface the L2 circuit was connected to at site B showed the same MAC. How could this happen?

As mentioned in the first sentence, both ends had Cisco 6500 Catalyst switches running VSS. One of the first things you do when configuring VSS is to set the switch virtual domain ID. Cisco recommend that you enable virtual MAC addresses (mac-address use-virtual) under the switch virtual domain. I'll explain why Cisco recommend this option. When the first switch comes up, VSS uses the MAC address pool from that member and uses that pool across all L3 interfaces. This MAC address pool is maintained by VSS when one (and only one) switch is reloaded. But if the entire VSS is reloaded and the other switch happens to come up first, the MAC address pool will change. This shouldn't be a huge deal, but if there are any other devices out there that are ignoring gratuitous ARP they will require manual intervention to get them working, which will cause further service disruption.

Hence Cisco recommend using mac-address use-virtual under the switch virtual domain ID. This ensures the same MAC address pool is used at all times. No exceptions. But the switch virtual domain ID is significant in determining the virtual MAC address pool. It's used in the formula to calculate this pool. As per the Cisco documentation:

The MAC address range reserved for the VSS is derived from a reserved pool of addresses with the domain ID encoded in the leading 6 bits of the last octet and trailing 2 bits of the previous octet of the mac-address. The last two bits of the first octet is allocated for protocol mac-address which is derived by adding the protocol ID (0 to 3) to the router MAC address.

When I checked both switches I found they both had a switch virtual domain ID of 10. Therefore the virtual MAC addresses on the L3 interfaces were both 0008.e3ff.fc28. We can use the formula to check this:

6th octet (28) to binary: 00101000
Remove trailing 2 bits: 001010
001010 (bin) to decimal: 10

But what are the options for fixing the problem where the MAC addresses are the same on both sides?

  1. On one side, under the L3 interface use mac-address H.H.H.H
  2. Change the switch virtual domain ID on one VSS - Possible to do but requires a complete outage as a VSS reload is required.
  3. Remove mac-address use-virtual from the switch virtual domain ID - Not recommended as discussed previously.

Option 1 seems like the most viable option but how do you guarantee the MAC address you manually assign is unique? Will there be issues in the future? If we pick an arbitrary number between 1 and 255 (switch virtual domain ?) we can then use the formula to calculate a "safe" MAC address as long as no one in the future connects a VSS with this arbitrary number as the switch virtual domain ID. I decided to choose 99.

Virtual MAC address with domain ID 10: 0008.e3ff.fc28
Last two octets (fc28) hex to binary: 1111110000101000
99 (dec) to binary: 01100011
Insert 01100011 after leading 6 bits and before trailing 2 bits: 1111110110001100
1111110110001100 (bin) to hex: fd8c

Hence if a switch virtual domain ID of 99 was used the virtual MAC address assigned to a L3 interface would be 0008.e3ff.fd8c.
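The two derivations above turned into code, as an added Python example that is not from the post: it encodes a domain ID (and protocol ID) into the virtual MAC and decodes it back, and flags two interfaces whose VSS pairs share a domain ID. The bit layout follows the Cisco description quoted above; the fixed upper bits (0008.e3ff and the leading 111111 of the fifth octet) are taken from the addresses in the post, not from Cisco documentation.

```python
# Added example, not from the post. Upper bits of BASE come from the post's observed MAC.
BASE = bytes.fromhex("0008e3fffc00")  # pool with domain ID and protocol ID bits zeroed

def cisco_format(mac):
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def parse_mac(text):
    return bytes.fromhex(text.replace(".", "").replace(":", ""))

def vss_virtual_mac(domain_id, protocol_id=0):
    """Virtual MAC the VSS would use for the given switch virtual domain and protocol IDs.
    Domain ID: high 2 bits in the trailing 2 bits of octet 5, low 6 bits in the
    leading 6 bits of octet 6. Protocol ID (0-3): trailing 2 bits of octet 6."""
    if not 1 <= domain_id <= 255 or not 0 <= protocol_id <= 3:
        raise ValueError("domain ID must be 1-255 and protocol ID 0-3")
    mac = bytearray(BASE)
    mac[4] = (mac[4] & 0xFC) | (domain_id >> 6)        # high 2 bits of the domain ID
    mac[5] = ((domain_id & 0x3F) << 2) | protocol_id   # low 6 bits + protocol ID
    return cisco_format(bytes(mac))

def vss_domain_id(mac_text):
    """Recover the switch virtual domain ID from a virtual MAC (the post's first check)."""
    mac = parse_mac(mac_text)
    return ((mac[4] & 0x03) << 6) | (mac[5] >> 2)

def domain_conflict(mac_a, mac_b):
    """True when two L3 interfaces collide because both VSS pairs use the same domain ID."""
    return vss_domain_id(mac_a) == vss_domain_id(mac_b)

if __name__ == "__main__":
    print(vss_virtual_mac(10))   # 0008.e3ff.fc28, what both sites had
    print(vss_virtual_mac(99))   # 0008.e3ff.fd8c, the post's chosen replacement
    print(vss_domain_id("0008.e3ff.fd8c"))  # 99
```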

Problem solved. It was just unfortunate that the switch virtual domain ID happened to be the same. No one ever saw the two sites needing to be connected this way. If you're deploying VSS in your organisation, work smart and use unique switch virtual domain IDs everywhere. If you happen to connect to a 3rd party first check if they're using VSS and if they are, check what they have as their switch virtual domain ID. If there's a conflict someone will need to manually set a MAC address on an interface.

29Dec/14

Root shell on DrayTek AP 800

The DrayTek AP 800 is a 2.4 GHz 802.11n Access Point with the ability to make it dual band, 2.4 GHz and 5 GHz, with an optional USB dongle. It supports multi-SSID with VLAN tagging, built in RADIUS server, per-SSID/station bandwidth control and can act as a bridge, repeater etc.

As with all of these SOHO products it's built on Linux. Which means somewhere there is a root shell lurking.

The DrayTek AP 800 has telnet enabled out of the box. Establish a telnet connection and login as the admin user. You'll be dropped into a restricted busybox shell. To make it slightly less restrictive type rddebug. This will let you use commands such as ps and echo.

Now spawn telnetd on a different port and invoke a full shell, with:

Telnet to the AP on port 2323 to be dropped into a root shell.

This will likely also work with the AP 900 and the 2860 series. Leave a comment if you've tried it.

25Oct/14

Show me the config!

Back in the days before stacks and VSS, doing a "show run" to look at something was easy. You pressed space a few times to page through the output and found the section you were interested in. Now when you've got a stack of several switches or switch running VSS with hundreds of interfaces you'll be pressing space forever and a day paging through the config.

In IOS you can pipe output to a selection of commands to filter it. Much like redirecting output using a pipe in UNIX or even PowerShell.

Say for example you want to see the static routes in the running-config:

As with the above, regular expressions are acceptable too!

This is all well and good for commands such as "ip route" or "ntp" for example but what if you want to check an EIGRP config?

Oh. This isn't what we were expecting. This is because the EIGRP config is a section. Thankfully you can pipe to the "section" command:

Much easier than "sh run" and then paging through the output until you find what you're after.

And finally, if you're in configuration mode and want to check something with show, ping etc and don't want to have to drop back to priv exec mode, prefix your command with "do":


13Oct/14

Cisco Crypto ACLs – Do they really need to match?

When starting out with IPsec tunnels it seems to be a common misconception that the crypto ACL, sometimes referred to as the encryption domain or the interesting traffic, must match 100% or be mirrored at both peers or the tunnel won't come up. This isn't strictly true. Whilst the ISAKMP phase 1 and IPsec phase 2 proposals must match, the crypto ACL can be different.

Assume that at the local peer traffic to be encrypted originates from 10.0.0.0/24 and is destined for 192.168.0.0/24. The crypto ACL would be:

But what about the following?

IPsec phase 2 can still be established even though the crypto ACL isn't mirrored at the local and remote peer. The local peer specifies 10.0.0.0/24 but the remote peer specifies 10.0.0.0/8. In this scenario IPsec phase 2 can only be initiated from the peer that has the larger subnet. This is true for both Cisco ASA and IOS.

And in the example above, in the local peer's ACL there's a deny ACE but none on the remote peer's ACL. In this scenario any traffic originating on the local peer from 10.0.0.0/24 destined to 192.168.0.200/32 won't traverse the tunnel. The device (ASA or IOS router) will look at the next crypto map in the sequence and try to match traffic there. If no crypto maps are found it'll flow unencrypted out of the egress interface.

Obviously be careful with mismatching subnets and using deny ACEs in the crypto ACL because you may end up with traffic trying to enter the wrong tunnel and other strange things happening.
