4. Install and configure NTP server in Red Hat/Centos 7.5 Linux

NTP (Network Time Protocol) is a protocol which runs over UDP port 123. NTP synchronise clients’ time and date with a master server. Within Enterprise Networking environment, to provide a reliable time service, an NTP server should have a minimum NTP stratum of 5 or less.

Step 1: Install and configure NTP daemon

sudo yum install ntp

 

Step 2: Check and adjust time zone

  1. timedatectl
  2. timedatectl list-timezones <<<to list and find time zones
  3. timedatectl set-timezone Australia/Sydney

Step 3: Enable and start ntpd service

sudo systemctl enable ntpd

sudo systemctl start ntpd

 

Step 4: Check basic NTP functionality

ntpstat

date

ntpq –p

 

Step 5: Check NTP configuration under /etc/ntp.conf

more /etc/ntp.conf

Advertisements

3. Install and configure TFTP server in Red Hat/Centos 7.5 Linux

Step 1: Install, enable and start firewalld

sudo yum install firewalld

sudo systemctl enable firewalld <<<starts up firewall when system boots up

sudo systemctl start firewalld

 

Step 2: Punch a hole in firewalld to allow TFTP traffic.

 

firewall-cmd –permanent –zone=public –add-service=tftp

firewall-cmd –reload

iptables -I INPUT -p udp –dport 69 -j ACCEPT

 

Step 3: Install, enable and start TFTP server and client

sudo yum install xinetd tftp-server tftp

sudo systemctl enable xinetd tftp <<<starts up automatically on system boot-up

sudo systemctl start xinetd tftp

 

Step 4: We don’t want TFTP user to have root user permission. So let’s create a system account called tftpuser with no home directory and no login capability.

sudo useradd –no-create-home –s /sbin/nologin tftpuser

 

Step 4: Create a directory for TFTP Server use.

sudo mkdir –p /tftpdata

sudo chmod 777 /tftpdata

nano /tftpdata/demo1.txt

chown tftpuser:tftpuser –R /tftpdata

 

 

Step 5: Configure TFTP service using the following settings.

 

nano /etc/xinetd.d/tftp

222

Server_args notes:

-c = allows clients to connect and create files on the directory

-s = automatically change directory when client connect to TFTP server, to a specific directory in the configure file such as /tftpdata. A security feature.

-u = specifies the user as the owner of the directory /tftpdata

-p = Perform no additional permissions check

-U = Set-up Umask setting when client creates or pushes a new file

-v = Print some logging verbose when client connect to TFTP server.

 

Step 6: Edit file system start service for TFTP. Update [Service] > ‘ExecStart’line as below:

sudo nano /usr/lib/systemd/system/tftp.service

 

 

[Unit]

Description=Tftp Server

Requires=tftp.socket

Documentation=man:in.tftpd

 

[Service]

ExecStart=/usr/sbin/in.tftpd -c -v -u tftp -p -U 117 -s /tftpdata

StandardInput=socket

 

[Install]

Also=tftp.socket

 

Step 7: Reload the system daemon & TFTP services

 

sudo systemctl daemon-reload

sudo systemctl start xinetd

sudo systemctl enable xinetd

sudo systemctl start tftp

sudo systemctl enable tftp

 

 

Step 8: Check UDP port 69 is in listening mode

https://www.tecmint.com/20-netstat-commands-for-linux-network-management/

 

netstat -na | grep udp6

111

 

Use ‘netstat –lu’ for all UDP listening ports/services

222

Use ‘netstat –ap | grep tftp’ to check the service.

333

 

Check that firewall is allowing udp port 69.

netstat -tupan

netstat –tupan | grep 69

111

 

Step 9: Check connection and download a demo.txt file. Using another server/router/switch. Download a demo.txt from TFTP server.

 

  1. On TFTP server (192.168.47.135), create demo.txt file under tftpdata directory.

 

nano /tftpdata/demo.txt

222

 

  1. On another Linux host (IP: 192.168.47.131), download demo.txt file.

 

tftp 192.168.47.135

get demo.txt

 

333

 

Now verification has been completed and you have a working TFTP server.

2. Install and configure SFTP server in Red Hat/Centos 7.5 Linux

Step 1: Create a SFTP user with password

sudo adduser sftpuser

sudo passwd password

 

Step 2: Create Directory for File Transfer

 

  1. sudo mkdir –p /var/sftp/sftpdata

 

[root@localhost /]# find . -name “sftpdata”

find: ‘./run/user/1000/gvfs’: Permission denied

./var/sftp/sftpdata

 

  1. Make the root user as the owner of this directory.

sudo chown root:root /var/sftp

 

  1. Grant write permission to the root user and read permission to other users.

sudo chmod 755 /var/sftp

 

  1. Modify the owner of sftpdata to be the user access.

sudo chown sftpdata:sftpdata /var/sftp/sftpdata

 

Step 3: Restrict Directory Access

 

  1. open sshd_config file

 

sudo nano /etc/ssh/sshd_config

 

  1. Add the following to the end of the file.

Match User sftpuser

ForceCommand internal-sftp

PasswordAuthentication yes

ChrootDirectory /var/sftp

PermitTunnel no

AllowAgentForwarding no

AllowTcpForwarding no

X11Forwarding no

 

  1. Restart sshd to apply change

sudo systemctl restart sshd

 

Step 4: Verification via SSH connection

 

ssh sftpuser@192.168.47.135

 

The SSH connection gets closed as expected.

333

 

sftp sftpuser@192.168.47.135

You can connect via sftp and now download and manage files as below.

111

Now the ssh access has been restricted successfully and the sftpuser can only upload and manage his/her file via SFTP only.

1. Install and configure FTP server in Red Hat/Centos 7.5 Linux

Step 1: Install vsftpd (very secure FTP daemon) package.

yum install -y vsftpd ftp

 

Step 2: Enable FTP on firewall

firewall-cmd –permanent –zone=public –add-service=ftp
firewall-cmd –reload

 

Step 3: to automatically start FTP Server when server powers on.

  1. enable vsftpd service.

systemctl enable vsftpd.service

2. Checking the status of ftp server

systemctl status vsftpd.service

 

Step 4: Configure vsftpd package. Edit /etc/vsftpd/vsftpd.conf

nano /etc/vsftpd/vsftpd.conf

 

  1. Change the line which contain anonymous_enable=NO to anonymous_enable=YES. This will give permit any one to access FTP server with authentication. If this setting is changed to ‘NO’, then users must use their login and password to access files from their home directory. [Note: For our use, I am keeping this setting as YES, so each user has to log in access their own files]
  2. local_enable=YES
    c. write_enable=YES
  3. Add the following to the end of the file.

#ADDED BY BC

allow_writeable_chroot=YES

pasv_enable=Yes

pasv_min_port=40000

pasv_max_port=40100

 

Step 5: Start FTP Server
systemctl start vsftpd.service

 

Step 6: Verification. Create a file under ‘var/ftp/pub’. Use a web browser to access the file.

[root@localhost /]# find . -name “pub”

find: ‘./run/user/1000/gvfs’: Permission denied

./var/ftp/pub

[root@localhost /]# cd var/ftp/pub

[root@localhost pub]# nano ftppubfile1.txt

 

If anonymous_enable=YES, ./var/ftp/pub Directory will be used.

111

If anonymous_enable=NO, users have to login with their credentials to access files.

222

Chasing Packets in GNS3 & Production Environment, Part 1: Capturing packets using built-in Live Wireshark Capture in GNS3 1.4.4

Why do you want to do this lab?

You can capture any interesting packets and analyse for your learning purpose, analyzing packet captures can give you the real inside of how the packets are working on the devices and on different segments of the network. Simply reading the books and learn about how packets work behind the scenes is a little like trying to learn something as if you are three wise monkeys (see no evil, hear no evil, speak no evil).

On the real production, you can use other methods to capture interesting packets. Some examples are IOS Embedded Packet capture and tee off the configuration to a TFTP server, use a sniffer using spanning port or remote spanning port. Also, use more advanced method of Cisco NAM (Network Analyzer).

In this part, I will quickly show you how to whiz up a simple lab and capture some packets on GNS3 and Wireshark live capture within, GNS3. In the next section, I will demonstrate IOS Embedded Packet capture and teeing off to a TFTP server. Lastly, I will demonstrate packet capturing using spanning port and remote span.

Prerequisite 1: GNS3 1.4.4 pre-installed on Windows PC/laptop

Prerequisite 2: IOU VM ova deployed and integrated with GNS3

Prerequisite 3: Familiar with VMware workstation and Windows loopback configuration

 

Topology:

aaa1

Step 1: Add devices as below and make all connections. When you add the devices, your GNS3 topology will look like this. Remember to use dummy switches to make connection between your virtual machines and your host PC loopback to your IOU switches.

aaa2.png

Step 2: Configure your routers and switches similar to the configuration found in  the attached zip file.

r1

r2

sw1

sw2

 

Step 3: Capture packets using various link positions

aaa3

aaa4

If you run into the following error, you will have to go to GNS3 setting and update the path of Wireshark.

aaa5

=> Error: SW3: Could not start the packet capture reader: [WinError 2] The system cannot find the file specified: None

Changing path in GSN3 preferences:

C:\Program Files\Wireshark\wireshark.exe” ==> C:\Program Files (x86)\Wireshark\wireshark.exe

 

Step 4: Wireshark will open automatically and start capturing all the traffic on the link you have selected.

e.g.) TCP/IP packet capture example

aaa6.png

e.g.) Voice packet capture using soft phones (On virtual machines) between two work stations and CUCM.

aaa7

Now you can set up any server and clients and study how TCP/IP, UDP work behind the scenes. Jump straight in and try to enjoy your study!

 

Note: This lab can be completed on a single PC, Save Electricity, save Money, save Time, SAVE THE PLANET.

 

 

 

Notes on Cisco QoS: Clearing the fog – Part 2. Quality issues

Quality of Service

QOS = Method of giving priority to some specific traffic as moving over the network.

The basic aim of QoS is to have a consistent and predictable performance on your network.

 

1 qos intro

General characteristics of today’s Converged Network:

  • Small voice packet compete with bursty data packets, many different applications are using network as services
  • Critical traffic must get priority over less critical traffic, without QoS, default behavior is First In First Out (FIFO)
  • Voice and video traffics are time-sensitive
  • Outages are not acceptable

 

Converged Network Quality issues:

  • Lack of Bandwidth
  • Packet Loss
  • Delay
  • Jitter

 

Bandwidth

2 Bandwidth Measure.png

  • Maximum available bandwidth is the slowest link on the traffic paths
  • On the same physical links (traffic paths), multiple flows compete for the same bandwidth, multiple applications sharing the same bandwidth
  • Lack of bandwidth causes performance degradation on network applications

 

 

Packet Loss

3 Tail Drop due to Queue Congestion

Packet loss due to Tail Drop: Queue only can so much packets and once it is full and more packets arrive at the tail end of the queue before the queue is emptied (due to link congestion etc.), the packets will be dropped, and this behavior is called ‘Tail Drop’. If the tail drop occurs to the time sensitive traffics such as voice and video, the effects are immediately felt by the users on the flow. If this happens to data traffic, it may interrupt file transfer and corrupt the file.

 

 

Delay

4 Types of Delay

  • Processing Delay – time taken by router to process packets from an input interface and put them into the output queue of output interface
  • Queuing Delay – time a packet resides in the output queue of a router
  • Serialization Delay – time taken to place bits on the wire
  • Propagation Delay – time taken for packets to cross links from one end to the other end

 

 

Jitter

5 Jitter

  • Packets from a source will reach a destination with different delay times
  • Congestion on the network will cause jitter
  • Congestion can occur at a router interface/Service Provider network if the circuits are not properly provisioned