3. Install and configure TFTP server in Red Hat/CentOS 7.5 Linux

Step 1: Install, enable and start firewalld

sudo yum install firewalld

sudo systemctl enable firewalld <<<starts up firewall when system boots up

sudo systemctl start firewalld

 

Step 2: Punch a hole in firewalld to allow TFTP traffic.

firewall-cmd --permanent --zone=public --add-service=tftp

firewall-cmd --reload

The iptables rule below is what older guides use. It is not needed when firewalld manages the rule set, and it does not survive a reboot or a firewalld reload, so rely on the firewall-cmd rule above:

iptables -I INPUT -p udp --dport 69 -j ACCEPT

TFTP has no authentication at all, so limit the opening to the network that actually needs it. A rich rule restricted to the management subnet (192.168.47.0/24 here; substitute your own) is better than the blanket service entry:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.47.0/24" service name="tftp" accept'

 

Step 3: Install, enable and start the TFTP server and client

sudo yum install xinetd tftp-server tftp

sudo systemctl enable xinetd tftp <<<start automatically at boot

sudo systemctl start xinetd tftp

Note: on CentOS 7 the tftp-server package ships its own systemd units (tftp.socket and tftp.service), so xinetd is only needed if you run in.tftpd through /etc/xinetd.d/tftp as in Step 5. In this write-up the systemd unit edited in Step 6 is what answers on the port. If /etc/xinetd.d/tftp is set to disable = no and tftp.socket is also active, both try to bind UDP port 69; pick one.

 

Step 4: We don't want the TFTP daemon to run with root permissions, so create a system account called tftpuser with no home directory and no login shell, and a directory for the TFTP server to serve from.

sudo useradd -r --no-create-home -s /sbin/nologin tftpuser

sudo mkdir -p /tftpdata

sudo chmod 755 /tftpdata

nano /tftpdata/demo1.txt

chown tftpuser:tftpuser -R /tftpdata

The daemon runs as tftpuser (the -u option in Step 6) and owns the directory, so 755 is enough even for uploads; a world-writable (777) directory would let any local account plant files that TFTP clients then fetch.

 

 

Step 5: Configure the TFTP service. If you run in.tftpd under xinetd, the options go on the server_args line of its xinetd file; the same options go on the ExecStart line of the systemd unit in Step 6.

nano /etc/xinetd.d/tftp

Server_args notes:

-c = allow clients to create new files in the directory (uploads); without it, clients can only read files or overwrite ones that already exist

-s = change into the given directory (here /tftpdata) and chroot to it when a client connects, so clients cannot request paths outside it. A security feature.

-u = the user in.tftpd drops privileges to after it starts; it should own /tftpdata and must not be root

-p = perform no additional permission checks beyond the normal file-system access controls

-U = umask applied when a client creates a new file; 117 yields mode 0660. Without -U the daemon's default umask is 0, so uploads are created 0666 (anyone can read or overwrite them)

-v = print more logging when a client connects

 

Step 6: Edit the systemd service for TFTP. Update the ExecStart line under [Service] as below. The -u value must match the account created in Step 4 (the original used -u tftp, an account this procedure never creates; in.tftpd exits if the -u user does not exist).

sudo nano /usr/lib/systemd/system/tftp.service

[Unit]
Description=Tftp Server
Requires=tftp.socket
Documentation=man:in.tftpd

[Service]
ExecStart=/usr/sbin/in.tftpd -c -v -u tftpuser -p -U 117 -s /tftpdata
StandardInput=socket

[Install]
Also=tftp.socket

A yum update of tftp-server overwrites files under /usr/lib/systemd/system. To keep the change, put the same [Service] section in a drop-in instead (sudo systemctl edit tftp writes /etc/systemd/system/tftp.service.d/override.conf). In a drop-in, ExecStart must first be cleared with an empty ExecStart= line before the new value.

 

Step 7: Reload systemd and restart the TFTP service so the new ExecStart is used

sudo systemctl daemon-reload

sudo systemctl restart tftp.socket tftp.service

sudo systemctl enable tftp.socket

If you went the xinetd route instead, restart xinetd after editing /etc/xinetd.d/tftp:

sudo systemctl restart xinetd

sudo systemctl enable xinetd

 

 

Step 8: Check that UDP port 69 is listening

(netstat reference: https://www.tecmint.com/20-netstat-commands-for-linux-network-management/)

netstat -na | grep udp6

Use 'netstat -lu' for all listening UDP ports/services.

Use 'netstat -lunp | grep 69' to see which process owns the port (the systemd socket unit shows as systemd, the xinetd route as xinetd).

netstat comes from the deprecated net-tools package; the equivalent on CentOS 7 is 'ss -lunp | grep :69'.

Check that the firewall is allowing UDP port 69. netstat only shows the listener, not the firewall, so ask firewalld directly:

firewall-cmd --zone=public --list-services

firewall-cmd --zone=public --query-service=tftp

netstat -tupan | grep 69

 

Step 9: Check the connection by downloading a demo.txt file from another server, router or switch.

1. On the TFTP server (192.168.47.135), create demo.txt under the tftpdata directory.

nano /tftpdata/demo.txt

2. On another Linux host (IP: 192.168.47.131), download demo.txt.

tftp 192.168.47.135

get demo.txt

quit

Now verification has been completed and you have a working TFTP server. Remember that anyone who can reach UDP 69 can read every file under /tftpdata and, with -c, upload into it, so treat the directory as public: keep only the boot images and configs that must be served there.
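An added check, not part of the original post: the script below reads the ExecStart line of tftp.service (or a drop-in) and reports whether the in.tftpd options from Steps 5 and 6 give the protection described there: a -s chroot directory, a non-root -u user, a -U umask whenever -c uploads are allowed, and a warning for -p. It is plain text processing, so it runs without systemd or in.tftpd installed; the rules it enforces are my own policy choices, and the unit file path is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the original post: audit the in.tftpd options on
# the ExecStart line of a tftp.service unit. Pure text processing, so it
# needs neither systemd nor in.tftpd. Usage: sh audit_tftp.sh <unit-file>

# Mode of a file that "in.tftpd -c" creates under a given umask: the daemon
# creates uploads 0666 and the kernel clears the umask bits.
mode_from_umask() {
    printf '%04o\n' $(( 0666 & ~(0$1) ))
}

# Print one finding per line; return 1 when the unit violates the policy.
audit_tftp_unit() {
    local unitfile="$1" args rc=0 root="" user="" umask="" create=0 permissive=0
    args=$(sed -n 's/^ExecStart=[^[:space:]]*in\.tftpd[[:space:]]*//p' "$unitfile")
    if [ -z "$args" ]; then
        echo "FAIL: no ExecStart line running in.tftpd in $unitfile"
        return 1
    fi
    set -- $args            # split the options into positional parameters
    while [ $# -gt 0 ]; do
        case "$1" in
            -s|--secure)     root="$2"; shift ;;
            -u|--user)       user="$2"; shift ;;
            -U|--umask)      umask="$2"; shift ;;
            -c|--create)     create=1 ;;
            -p|--permissive) permissive=1 ;;
        esac
        shift
    done
    if [ -z "$root" ]; then
        echo "FAIL: no -s, clients are not confined to a TFTP root directory"; rc=1
    fi
    case "$user" in
        "")   echo "FAIL: no -u, daemon keeps its built-in default user"; rc=1 ;;
        root) echo "FAIL: -u root, files would be read and written as root"; rc=1 ;;
    esac
    if [ "$create" = 1 ] && [ -z "$umask" ]; then
        echo "FAIL: -c without -U, uploads would be created 0666 (anyone can overwrite them)"; rc=1
    elif [ "$create" = 1 ]; then
        echo "INFO: uploads are created with mode $(mode_from_umask "$umask")"
    fi
    if [ "$permissive" = 1 ]; then
        echo "WARN: -p disables in.tftpd's own permission checks; only file-system permissions apply"
    fi
    [ "$rc" = 0 ] && echo "OK: $root is served as user $user"
    return "$rc"
}

# Run directly with the unit (or drop-in) path as the only argument.
if [ $# -ge 1 ]; then
    audit_tftp_unit "$1"
fi
```

Run it as sh audit_tftp.sh /usr/lib/systemd/system/tftp.service after Step 6 and again after any package update; a non-zero exit means the unit no longer carries the hardened settings.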


2. Install and configure SFTP server in Red Hat/CentOS 7.5 Linux

Step 1: Create an SFTP user with a password

sudo adduser sftpuser

sudo passwd sftpuser

 

Step 2: Create the directory for file transfer

1. Create the chroot directory and a writable sub-directory inside it.

sudo mkdir -p /var/sftp/sftpdata

[root@localhost /]# find . -name "sftpdata"

find: './run/user/1000/gvfs': Permission denied

./var/sftp/sftpdata

2. Make root the owner of the chroot directory. sshd refuses a ChrootDirectory (and every directory above it) that is not owned by root or that is writable by group or others, and logs "bad ownership or modes for chroot directory".

sudo chown root:root /var/sftp

3. Give root write permission and everyone else read and traverse only.

sudo chmod 755 /var/sftp

4. Make the SFTP user the owner of sftpdata, the only place inside the chroot the user can write (the original had chown sftpdata:sftpdata, which is the directory name, not the account).

sudo chown sftpuser:sftpuser /var/sftp/sftpdata

 

Step 3: Restrict directory access

1. Open sshd_config

sudo nano /etc/ssh/sshd_config

2. Add the following to the end of the file. It must stay at the end: every directive after a Match line belongs to that Match block until the next Match, so no global setting may follow it.

Match User sftpuser
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

3. Check the syntax and restart sshd to apply the change. Keep an existing SSH session open while you do this so a typo cannot lock you out.

sudo sshd -t

sudo systemctl restart sshd

 

Step 4: Verification via SSH connection

ssh sftpuser@192.168.47.135

The SSH connection gets closed as expected, because ForceCommand internal-sftp gives the user no shell.

sftp sftpuser@192.168.47.135

You can connect via sftp and download and manage files as below. Inside the session the user sees / (which is /var/sftp on the server) and can only write under /sftpdata.

Now shell access has been restricted successfully and sftpuser can only upload and manage files via SFTP.
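An added check, not part of the original post: sshd will not chroot a user into /var/sftp unless that directory and every directory above it is owned by root and not writable by group or others; if the chown/chmod in Step 2 are missed, the login fails and /var/log/secure shows "bad ownership or modes for chroot directory component". The script below reproduces that test and also confirms that the writable sub-directory belongs to the SFTP user. It assumes GNU stat as shipped with CentOS 7; the path and user names are arguments.

```shell
#!/bin/sh
# Added example, not from the original post: check a ChrootDirectory path
# the way sshd does before it chroots an SFTP user. sshd requires the chroot
# directory and every directory above it, up to /, to be owned by root and
# not writable by group or others; otherwise the login fails and sshd logs
# "bad ownership or modes for chroot directory component".
# Assumption: GNU stat as on CentOS 7.
# Usage: sh check_chroot.sh /var/sftp sftpdata sftpuser

# dir_safe <uid> <octal mode>  -> 0 if sshd would accept this component
dir_safe() {
    [ "$1" = 0 ] || return 1              # must be owned by root
    [ $(( 0$2 & 022 )) -eq 0 ]            # no group-write, no other-write
}

# chroot_path_ok <dir>  -> checks <dir> and each parent up to /
chroot_path_ok() {
    local dir="$1" uid mode
    while :; do
        uid=$(stat -c '%u' "$dir" 2>/dev/null) || { echo "FAIL: $dir does not exist"; return 1; }
        mode=$(stat -c '%a' "$dir")
        if ! dir_safe "$uid" "$mode"; then
            echo "FAIL: $dir is uid $uid mode $mode; sshd needs root-owned and not group/world writable"
            return 1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    echo "OK: every component of $1 is root-owned and not group/world writable"
}

# upload_dir_ok <dir> <user>  -> the writable area inside the chroot must
# belong to the SFTP user, which is why it is a sub-directory, not the chroot
upload_dir_ok() {
    local owner
    owner=$(stat -c '%U' "$1" 2>/dev/null) || { echo "FAIL: $1 does not exist"; return 1; }
    if [ "$owner" != "$2" ]; then
        echo "FAIL: $1 is owned by $owner, expected $2"; return 1
    fi
    echo "OK: $1 is owned by $2"
}

# Run directly: <chroot dir> <writable sub-directory name> <sftp user>
if [ $# -eq 3 ]; then
    chroot_path_ok "$1" && upload_dir_ok "$1/$2" "$3"
fi
```

Note that the rule applies to the parents too: a chroot placed under /tmp or under a user's home directory fails the check because those directories are world-writable or user-owned, which is why the post uses /var/sftp.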

Python: Installing netmiko (paramiko) on Windows 10 PC for automation

To write a script and automate your infrastructure devices over SSH/Telnet, Python uses paramiko (netmiko builds on it). On Linux/macOS it is easy to install, or the module is already included as a package. On Windows the module installation is more cumbersome. I found a few articles on Google attempting to do this, but the examples given were as clear as mud. Here are the precise steps for the installation and some troubleshooting URLs for your convenience. 🙂

1. Install Python (https://www.python.org/downloads/).

2. Install Anaconda (https://store.continuum.io/cshop/anaconda/).

3. From the Anaconda Prompt (shell), run "conda install paramiko".

4. From the Anaconda Prompt (shell), run "pip install scp".

5. Install Git for Windows (https://www.git-scm.com/downloads).

6. From a Git Bash window, clone netmiko with "git clone https://github.com/ktbyers/netmiko".

7. If the install fails right after cloning (the "Unable to install Netmiko in windows after it cloned" problem linked below), Git Bash cannot find python. Define the path for Python from the Git Bash window:

bchoi@AUD-4D1KYF2 MINGW32 /h/netmiko (develop)

$ export PATH=$PATH:/C/Users/bchoi/AppData/Local/Programs/Python/Python36-32

8. cd into the netmiko directory and run “python setup.py install”.

bchoi@AUD-4D1KYF2 MINGW32 /h/netmiko (develop)

$ python setup.py install

End result: you can now use paramiko (and netmiko) on your Windows PC!

Note: netmiko is also published on PyPI, so "pip install netmiko" from the Anaconda Prompt installs a released version together with paramiko and scp, without running setup.py from an unpinned develop checkout; the manual clone is only needed if you want the development branch.

Tip 1: To display the Windows 10 Roaming folder:

https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_files-insiderplat_pc/windows-10-roaming-folder/6c99ffdc-90d5-4d1d-8ab1-b4f448ecc8ee?auth=1

Unable to install Netmiko in windows after it cloned:

https://stackoverflow.com/questions/47726184/unable-to-install-netmiko-in-windows-after-it-cloned

 

Cisco APE’s TIP: Configuring a Cisco Router as an Authoritative NTP Server

Why does NTP matter to your network?

It is all about time precision and every system in your infrastructure running on the same time; log correlation, certificate validity and authentication protocols all depend on it. Network Time Protocol (NTP) is a critical service for all IP devices. Servers and network devices need to synchronize with a reliable time source such as an NTP server.

 

Real-life scenario:

Scenario: A client was using a Windows Server 2012 machine running the Windows Time service (W32Time) as their only NTP server. That is not a full NTP implementation, and although the Cisco devices had been pointed at it, the IOS devices would not synchronize with it. Cisco recommends a Linux or IOS-based device to provide NTP to the other devices. This is a real-life scenario from my client's network.

 

 

Pre-task: Synchronize the hardware clock to the software clock

Why? Most Cisco routers have two clocks: a battery-backed hardware clock, a.k.a. the 'calendar', and a software clock, the '(software) clock' in the IOS CLI. The calendar keeps time across reloads; the software clock is what IOS and NTP actually use while the router is running, and the two drift apart.

 

Step 1: Check the software clock and the hardware clock:

R1#show clock

12:57:03.186 AEDST Fri Dec 11 2015

 

R1#show calendar

12:44:30 AEDST Fri Dec 11 2015

 

As you can see, there is more than 12 minutes of drift (12 minutes 33 seconds) between the software and hardware clocks.

 

 

Step 2: Now synchronize the hardware time to the software time.

R1#conf t

R1(config)#ntp update-calendar

Note: ntp update-calendar makes IOS write the software clock to the calendar periodically, but only while the software clock is NTP-synchronized (which it is once ntp master is configured below). For an immediate one-off copy, the exec command clock update-calendar writes the software clock to the calendar right away.

 

Step 3: Now check the time synchronization:

R1#show clock

12:59:31.88 AEDST Fri Dec 11 2015

R1#show calendar

12:59:31 AEDST Fri Dec 11 2015

 

Excellent! Now both software and hardware clocks showing the same time. You are ready to configure your IOS as NTP server.

Note: if you don't use 'ntp update-calendar', NTP on the router still works, because it serves the software clock ('show clock'); only the calendar would keep drifting.

 

 

Task: Configure your router (R1) as an Authoritative NTP Server

 

Step 1: Check NTP source interface

R1# show run | begin interface Loopback0

interface Loopback0

ip address 10.10.10.1 255.255.255.255

 

 

Step 2: Actual configuration to make the router an NTP server

R1# conf t

R1(config)#ntp master 2          <<<I am leaving stratum 1 for atomic clocks. The router uses its own internal clock (reference ID 127.127.1.1) as its time source and serves clients as stratum 2.

R1(config)#ntp source Loopback0  <<<Send NTP from Loopback0's address (10.10.10.1), which stays up whichever physical interface a client arrives on

Note: ntp server takes the IP address or hostname of an upstream server, so a router that is ntp master needs no ntp server line of its own, and 'ntp server loopback 0' is not an accepted form of the command. The Loopback0 address becomes the server address through ntp source on R1 and ntp server 10.10.10.1 on the clients.

Optional commands:

R1(config)#clock timezone <name> <hours-offset> [minutes-offset]

NTP is unauthenticated unless you configure it, so on a production network add ntp authentication-key / ntp trusted-key / ntp authenticate on R1 and its clients, and ntp access-group serve-only <acl> on R1 so only your own devices can use it as a time source.

 

 

Step 3: Use R1's time on another device (R2). Synchronize R2's clock with R1 over NTP.

R2# conf t

R2(config)#ntp server 10.10.10.1  <<<10.10.10.1 is the IP of R1's Loopback0

 

Step 4: Wait 1-5 minutes and run show clock on both routers for verification.

R1#show clock

13:09:30.77 AEDST Fri Dec 11 2015

R2#show clock

13:09:30.77 AEDST Fri Dec 11 2015

 

 

Useful commands:

show ntp status        <<<"Clock is synchronized, stratum N, reference is ..." when all is well

show ntp associations  <<<the peer marked * is the one the router is synchronized to
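An added example, not part of the original post: once several devices point at R1, the verification in Step 4 is worth scripting. The functions below take the text of 'show ntp status' (as collected from a device, for instance over SSH with netmiko from the post above) and succeed only when the clock is synchronized at or below a chosen stratum, and they compute the drift between two IOS time fields as in the pre-task. The two IOS message formats assumed are given in the comments; the stratum limit of 4 is my own default.

```shell
#!/bin/sh
# Added example, not from the original post: decide from 'show ntp status'
# output (collected from a device, e.g. over SSH) whether the router is
# synchronized at an acceptable stratum, and measure the drift between
# 'show clock' and 'show calendar' timestamps as in the pre-task.
# Assumed IOS formats for the first line of 'show ntp status':
#   Clock is synchronized, stratum 3, reference is 10.10.10.1
#   Clock is unsynchronized, stratum 16, no reference clock
# Usage: sh ntp_check.sh <file containing 'show ntp status' output>

# ntp_ok "<show ntp status text>" [max-stratum]
# Prints a one-line verdict; returns 0 only when synchronized at or below
# the stratum limit (default 4), 1 otherwise, 2 if the text is unrecognised.
ntp_ok() {
    local text="$1" max="${2:-4}" first state stratum
    first=$(printf '%s\n' "$text" | sed -n '1p')
    state=$(printf '%s\n' "$first" | sed -n 's/^Clock is \([a-z]*\), stratum \([0-9]*\),.*/\1/p')
    stratum=$(printf '%s\n' "$first" | sed -n 's/^Clock is \([a-z]*\), stratum \([0-9]*\),.*/\2/p')
    if [ -z "$state" ] || [ -z "$stratum" ]; then
        echo "UNKNOWN: could not parse: $first"
        return 2
    fi
    if [ "$state" != synchronized ]; then
        echo "FAIL: clock is $state (stratum $stratum); do not use as a time source"
        return 1
    fi
    if [ "$stratum" -gt "$max" ]; then
        echo "FAIL: synchronized but stratum $stratum exceeds limit $max"
        return 1
    fi
    echo "OK: synchronized at stratum $stratum"
}

# hms_to_seconds <HH:MM:SS[.fff]>  -> seconds since midnight, as printed by
# 'show clock' (12:57:03.186) and 'show calendar' (12:44:30)
hms_to_seconds() {
    local t="${1%%.*}" h m s rest
    h="${t%%:*}"; rest="${t#*:}"
    m="${rest%%:*}"; s="${rest#*:}"
    h="${h#0}"; m="${m#0}"; s="${s#0}"       # drop a leading zero (08 -> 8)
    h="${h:-0}"; m="${m:-0}"; s="${s:-0}"    # 00 -> 0
    echo $(( h * 3600 + m * 60 + s ))
}

# clock_drift_seconds <time1> <time2>  -> absolute difference in seconds
clock_drift_seconds() {
    local a b
    a=$(hms_to_seconds "$1")
    b=$(hms_to_seconds "$2")
    if [ "$a" -ge "$b" ]; then echo $(( a - b )); else echo $(( b - a )); fi
}

# Run directly with a file holding the 'show ntp status' output.
if [ $# -eq 1 ]; then
    ntp_ok "$(cat "$1")"
fi
```

Applied to the pre-task output above, clock_drift_seconds 12:57:03.186 12:44:30 gives 753 seconds; an unsynchronized router reports stratum 16, which the check rejects regardless of the limit.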

Cisco Collaboration 101-3: download MoH file from CUCM TFTP server

When you administer Cisco CUCM, you often need to locate a file and download it from a CUCM server, particularly from the CUCM TFTP and MoH servers.

OK, first, here is an example of the 'file get' command downloading an XML file from a CUCM TFTP server. Note how it works: CUCM pushes the file out to an SFTP server that you provide, so you need an SFTP server reachable from CUCM (such as the one set up in the SFTP post above). The first connection shows that server's host-key fingerprint; compare it with the fingerprint of the SFTP server's real host key before answering yes, because a wrong key means the file (and the SFTP password you type) would go to whatever machine is answering on that IP.

admin:file get tftp /WLANDefault.xml
Please wait while the system is gathering files info …done.
Sub-directories were not traversed.
Number of files affected: 1
Total size in Bytes: 21768
Total size in Kbytes: 21.257812
Would you like to proceed [y/n]? y
SFTP server IP: 10.168.46.2
SFTP server port [22]:
User ID: administrator
Password: ********

Download directory: /

The authenticity of host ‘192168.46.2 (192168.46.2 )’ can’t be established.
RSA key fingerprint is 08:39:1b:80:c5:e4:c1:60:de:5c:5b:3a:7d:be:8a:ae.
Are you sure you want to continue connecting (yes/no)? yes
.
Transfer completed.
admin:
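An added check, not part of the original post: the 'file get' dialogue above accepts the SFTP server's host key on the operator's say-so. The script below computes, from the SFTP server's own public host key file, the same MD5 fingerprint format CUCM prints (the MD5 of the base64-decoded key blob as colon-separated hex), so the value shown at the prompt can be compared with the real one before typing yes. The key file path and the fingerprint to compare are arguments.

```shell
#!/bin/sh
# Added example, not from the original post: compute the MD5 host-key
# fingerprint that the CUCM 'file get' prompt displays, from the SFTP
# server's public host key, so you can compare before answering "yes".
# OpenSSH's MD5 fingerprint is the MD5 of the raw (base64-decoded) key blob
# written as colon-separated hex pairs. Assumption: the key is a one-line
# OpenSSH public key ("ssh-rsa AAAA... comment"), e.g. the contents of
# /etc/ssh/ssh_host_rsa_key.pub on the SFTP server.

# md5_fingerprint "<public key line>"  ->  xx:xx:...:xx (lower case)
md5_fingerprint() {
    local blob
    blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# fingerprint_matches "<public key line>" "<fingerprint shown by CUCM>"
# Accepts upper or lower case and an optional "MD5:" prefix (as printed by
# newer ssh-keygen); returns 0 only on an exact match.
fingerprint_matches() {
    local shown
    shown=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/^md5://')
    [ "$(md5_fingerprint "$1")" = "$shown" ]
}

# Usage: sh check_fp.sh /etc/ssh/ssh_host_rsa_key.pub 08:39:1b:...:ae
if [ $# -eq 2 ]; then
    if fingerprint_matches "$(cat "$1")" "$2"; then
        echo "MATCH: the prompt shows the real host key; safe to answer yes"
    else
        echo "MISMATCH: expected $(md5_fingerprint "$(cat "$1")"); do not continue"
        exit 1
    fi
fi
```

On the SFTP host, ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub prints the same value. Also note that the transcript above logs in as administrator; a dedicated, chrooted account such as the sftpuser from the SFTP post is the better target for exports.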

=====================================================================

Now here is a list of ‘file list’ command sets.

admin:file list
file list activelog
file list inactivelog
file list install
file list license
file list partBsalog
file list salog
file list tftp

We have to snoop around to locate the MoH files, which are hidden under the "activelog /mohprep" folder:

admin:file list activelog /*
<dir> audit
<dir> car_db
<dir> ccm_db
<dir> cm
<dir> core
<dir> dp_db
<dir> installed_options
<dir> mgetty
<dir> mohprep
<dir> patches
<dir> platform
<dir> sa
<dir> syslog
<dir> tomcat
dir count = 14, file count = 0
admin:file list activelog mohprep /*
CiscoMOHSourceReport.xml SampleAudioSource.alaw.wav
SampleAudioSource.g729.wav SampleAudioSource.ulaw.wav
SampleAudioSource.wb.wav SampleAudioSource.xml
SilenceAudioSource.alaw.wav SilenceAudioSource.g729.wav
SilenceAudioSource.ulaw.wav SilenceAudioSource.wb.wav
SilenceAudioSource.xml
dir count = 0, file count = 11
admin:file list activelog syslog ?
Syntax:
file list activelog file-spec [options]
file-spec mandatory file to view
options optional page|detail|reverse|[date|size]

Let’s also look at what is under active syslog folder:

admin:file list activelog syslog /*
AlternateSyslog CiscoSyslog
CiscoSyslog.1 CiscoSyslog.2
CiscoSyslog.3 CiscoSyslog.4
boot.log boot.log.ori
cron cron.1
cron.2 maillog
messages messages.1
messages.2 messages.3
messages.4 messages.ori
notify.sh.log ntp_start.sh.log
ntp_validate_servers.sh.log ntpd.log
sd_ntp.log secure
secure.1 secure.2
secure.3 secure.4
secure.ori setkeysdetails.sh.log
spooler
dir count = 0, file count = 3

======================================================================

Now if you found what you are looking for in an active MoH folder, go ahead and run “file get activelog /mohprep/[name of your MoH file]”:

admin:file get activelog /mohprep/ECM-MOH-Bunnings-Aug-2015.ulaw.wav
Please wait while the system is gathering files info …done.
Sub-directories were not traversed.
Number of files affected: 1
Total size in Bytes: 1728822
Total size in Kbytes: 1688.3027
Would you like to proceed [y/n]? y
SFTP server IP: 10.171.217.110
SFTP server port [22]:
User ID: cisco
Password: *********

Download directory: /

.
Transfer completed.

======================================================================
admin:file list activelog /mohprep/SampleAudioSource-test.ulaw.wav
SampleAudioSource-test.ulaw.wav
dir count = 0, file count = 1
admin:file get activelog /mohprep/SampleAudioSource-test.ulaw.wav
Please wait while the system is gathering files info …done.
Sub-directories were not traversed.
Number of files affected: 1
Total size in Bytes: 2702728
Total size in Kbytes: 2639.3828
Would you like to proceed [y/n]? n
Files transfer cancelled.
admin:file get activelog /mohprep/SampleAudioSource -test.ulaw.wav
Invalid command, a dash character must be preceded by an alphanumeric character

admin:file get activelog /mohprep/SampleAudioSource test.ulaw.wav
Missing file-spec or invalid command option specified.
Valid options: [reltime|abstime][match][compress]
admin:

The issue with the space seems to match defect CSCsr43052: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr43052

Yo Gabba Gabba Cool Tricks 1: Backup your data on failing OS (Windows/Linux)

One of my colleagues at work asked me whether I could help him back up/recover some data (72.6 GB on a 320 GB HDD) from a laptop running Windows 7 which held very important data: his cousin's tax return documents. He described the symptom as "The laptop will not boot up properly due to Windows boot-up file corruption or some sort, also the hard disk cannot be recognized when connected via a SATA to USB converter or SATA to motherboard as a second HDD. The HDD wasn't completely dead and the platters were spinning."

Unfortunately, the hard disk was 320 GB in size but had only a single partition, so both OS and data resided on the same partition. I tried my usual tricks on both Windows and Linux and the damn HDD could not be detected, hence I was unable to back up any data from this failed hard disk. Then a little bit of googling pointed me to this URL: http://www.sevenforums.com/tutorials/256518-peppermint-live-cd-dvd-usb-create-emergency-backup.html. Wow, what a cool way to recover your data! This backup method can be used for both Windows and Linux data recovery. Thanks to the author who documented the recovery process; it worked like magic on the first go!

Step 1: Find an old USB flash drive

*I am using an old 2GB USB drive 🙂

Step 2: Download the OS from the following site:

http://peppermintos.com/

*The 32-bit OS will do the job just fine; do not bother with the 64-bit OS. Check the ISO against the checksum published on the download page before writing it to the stick: a live OS you boot with full access to the disk is exactly the kind of image you want to be sure is genuine.

Step 3: Download the Rufus bootable USB maker from the following link and make a bootable USB using the above two:

https://rufus.akeo.ie/

Step 4: Boot Peppermint OS from the USB itself in live mode, connect an external USB storage device and start backing up/recovering the data. Mount the failing disk read-only if you can, so the recovery does not write anything to it.

Keep your bootable USB handy at all times and have fun!