Saturday, 27 June 2015

Install and configure TACACS+ (tac_plus) and FreeRADIUS on CentOS 6, for administrator login/command authorization on a network device (an A10 load balancer in this example)


1) Download the tac_plus RPM for your architecture (here the nux build for EL6 x86_64) and install it. Import the repository's GPG signing key first (`rpm --import <keyfile>`) so rpm can verify the package: the `NOKEY` warning in the output below means the signature was NOT checked, which is exactly the supply-chain gap you do not want on an authentication server.
[root@www ~]#rpm -ivh tac_plus-4.0.4.26-1.el6.nux.x86_64.rpm
warning: tac_plus-4.0.4.26-1.el6.nux.x86_64.rpm: Header V4 RSA/SHA1 Signature, k                                                            ey ID 85c6cd8a: NOKEY
Preparing...                ########################################### [100%]
        package tac_plus-4.0.4.26-1.el6.nux.x86_64 is already installed


2) Edit config file

[root@www ~]# vi /etc/tac_plus.conf
# NOTE(review): this file holds the TACACS+ shared key and (see user joe) a
# cleartext login password, so it must not be world-readable - check its mode
# and keep it 0600, owned by the account tac_plus runs as.
#
# Shared secret used to obfuscate the TACACS+ packet body between this server
# and every device that talks to it; it must be the same value as the
# "tacacs-server host ... secret ..." configured on the A10. "MYKEY" is a
# placeholder - use a long random value, not a word.
key = "MYKEY"
# Every authentication/authorization/accounting record is appended here; this
# is the audit trail of who ran which command on the device.
accounting file = /var/log/tac.acct
# authentication users not appearing elsewhere via
# the file /etc/passwd
#default authentication = file /etc/passwd

# Source ACL, attached to the sysadmin group below with "acl = default":
# members of that group are only accepted when the request comes from a
# device whose address matches one of the permit regexes.
# NOTE(review): the pattern is a regular expression and looks unanchored, so it
# presumably also matches 10.255.160.70-79; anchor it as ^10\.255\.160\.7$ if
# only the single host should be accepted - confirm with the tac_plus version in use.
acl = default   {
                #permit = 192\.168\.0\.
                permit = 10\.255\.160\.7     <<<<< this is the IP I was to allow
}

# Example of host-specific configuration:
# Settings for one device (the A10): the login prompt it shows and its enable
# password. "des" is a crypt(3) DES hash produced by tac_pwd: only the first 8
# characters of the password are used and the hash is cheap to brute-force, so
# treat the hash itself as a secret. The same hash (hence the same password)
# is used again for $enab15$ at the bottom of this file.
host = 10.255.160.7 {
        prompt = "Enter your Unix username and password, Username: "
        # Enable password for the router, generate a new one with tac_pwd
        enable = des xb5MO66xiT93Q  <<<< des + password generated with tac_pwd
}

# Group that is allowed to do most configuration on all interfaces etc.
# Members authenticate through PAM (the server's own accounts), only from the
# devices allowed by acl "default", land directly in privilege level 15 and
# are then limited to the commands listed below. Commands that are not listed
# are denied when the device sends them for authorization (unless a user
# overrides that with "default service = permit", as testuser does).
group = sysadmin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd:
        #login = file /etc/passwd
        # or authenticated via PAM:
        login = PAM
        acl = default

        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router
        service = exec {
                priv-lvl = 15
        }
        # Each "cmd" block lists, as regexes, the argument strings that are
        # permitted after that command verb.
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit .*
        }
        # intended to limit interface configuration to Ethernet ports
        cmd = interface {
                permit FastEthernet.*
                permit GigabitEthernet.*
        }
        cmd =  switchport  {
                permit "access vlan.*"
                permit "trunk encapsulation.*"
                permit "mode.*"
                permit "trunk allowed vlan.*"
        }
        cmd = description {
                permit .*
        }

        # intended to allow "no shutdown" and nothing else under "no"
        cmd = no {
                permit shutdown
        }

}

# NOTE(review): "login = cleartext" stores joe's password in plain text in
# this file; prefer "login = PAM" (as fred uses) or a tac_pwd hash.
# "member = admin" names a group that is not defined anywhere in this config;
# define "group = admin { ... }" or switch back to sysadmin, otherwise joe's
# authorization and command restrictions are presumably undefined.
user = joe {
        login = cleartext MYpassword  <<<< to put pwd in cleartext in config use "cleartext"
        #member = sysadmin
        member = admin
}

# "default service = permit" authorizes EVERY service and command for this
# user regardless of any cmd lists - full, unrestricted access. Keep it for
# lab testing only and remove it afterwards. (Same undefined "admin" group as joe.)
user = testuser {
        default service = permit
        login = PAM
        member = admin
}

# Normal operator: PAM login, restricted by the sysadmin command lists above.
user = fred {
        login = PAM
        member = sysadmin
}

# User account configured for use with "rancid"
# Read-mostly account for the config-backup tool: priv 15, but only show,
# exit, dir and "write term" are permitted. NOTE(review): its login line is
# commented out and no "default authentication" is enabled, so as shown this
# account presumably cannot authenticate at all - generate a hash with tac_pwd
# and uncomment the line before relying on it.
user = rancid {
        # Generate a new password with tac_pwd
        #login = des LXUxLCkFhGpwA

        service = exec {
                priv-lvl = 15
        }

        cmd = show { permit .* }
        cmd = exit { permit .* }
        cmd = dir { permit .* }
        cmd = write { permit term }
}

# Global enable level 15 password, generate a new one with tac_pwd
# Applies to any device without a host-specific "enable"; here it is the same
# DES hash as the 10.255.160.7 host block, i.e. one shared enable password.
user = $enab15$ {
        login = des xb5MO66xiT93Q
}

# Fallback for usernames not listed above (disabled): it would authenticate
# any PAM account on this server. Leave it disabled unless every local account
# is meant to reach the device.
#user = DEFAULT {
#       login = PAM
#member = default
#}

***** AX config (A10 load balancer, TACACS+). The `secret` on the tacacs-server line must be the same value as `key` in /etc/tac_plus.conf (the A10 shows it here in its own encrypted form). `authentication type tacplus local` makes the local user database the fallback - on most platforms only when the TACACS+ server is unreachable, not when it rejects a login (confirm in the ACOS docs) - so the local admin password still has to be strong. `accounting commands 15 stop-only tacplus` is what produces the per-command trail in /var/log/tac.acct on the server.
authorization commands 15 method tacplus
authentication type tacplus local
authentication console type tacplus local
authentication login privilege-mode
accounting exec start-stop tacplus
accounting commands 15 stop-only tacplus
tacacs-server host 10.255.161.55 secret secret-encrypted CtFNhJOqYs08EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn port 49 timeout 12


[root@www ~]# ssh joe@10.255.160.7
Password:
Last login: Sun Jun 21 03:11:07 2015 from 10.255.161.55

ACOS System is ready now.

[type ? for help]

AX02#
******************************** FREERADIUS *****************************
[root@www ~]# ls freeradius-*
freeradius-2.1.12-6.el6.x86_64.rpm
freeradius-mysql-2.1.12-6.el6.x86_64.rpm
freeradius-utils-2.1.12-6.el6.x86_64.rpm
[root@www ~]#

[root@www ~]# rpm -ivh freeradius-*
Preparing...                ########################################### [100%]
   1:freeradius             ########################################### [ 33%]
   2:freeradius-mysql       ########################################### [ 67%]
   3:freeradius-utils       ########################################### [100%]

[root@www ~]# service radiusd restart
Stopping radiusd:                                          [  OK  ]
Starting radiusd:                                          [  OK  ]

3) Check that radiusd is listening. UDP 1812 is authentication and 1813 accounting; the stock config binds them on 0.0.0.0 (every interface), so restrict the `listen` sections in /etc/raddb/radiusd.conf to the management address and firewall UDP 1812/1813 so that only the NAS (10.255.160.7) can reach them. RADIUS only hides User-Password, with an MD5 construction keyed by the shared secret; everything else in the packet is plaintext.
[root@www ~]# netstat -nulp | grep radiu
udp        0      0 0.0.0.0:44946               0.0.0.0:*                               19995/radiusd
udp        0      0 0.0.0.0:1812                0.0.0.0:*                               19995/radiusd
udp        0      0 0.0.0.0:1813                0.0.0.0:*                               19995/radiusd
udp        0      0 0.0.0.0:1814                0.0.0.0:*                               19995/radiusd
udp        0      0 127.0.0.1:18120             0.0.0.0:*                               19995/radiusd

**** Adding a user to /etc/raddb/users. `Cleartext-Password` stores the password in plain text in that file - acceptable for a one-off test, but for real accounts use PAM, a `Crypt-Password`, or the freeradius-mysql backend installed above, pick something other than "password", and keep the file readable by the radiusd user only.
[root@www ~]# vi /etc/raddb/users
#"John Doe"     Cleartext-Password := "hello"
siaka Cleartext-Password := "password"

**** testing server connectivity
[root@www ~]# radtest siaka password localhost 1812 testing123
Sending Access-Request of id 4 to 127.0.0.1 port 1812
        User-Name = "siaka"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=4, length=20 (a reply of any kind is the good sign: radiusd is up and the localhost secret matched - with a wrong secret the Message-Authenticator check would make the server drop the request and radtest would time out. The Reject itself most likely means radiusd was not restarted after the users file was edited; once it is, a correct password should return Access-Accept, and `radiusd -X` shows the reason for any further rejects)

**** Adding the NAS as a client. The `secret` is all that authenticates the NAS to the server and it keys the User-Password obfuscation, so replace `testing123` (the well-known FreeRADIUS example secret) with a long random string and configure the identical value on the A10 (`radius-server host ... secret ...`). Listing the client by its exact IP, as done here, is the right scope - avoid wide netmasks.
[root@www ~]# vi /etc/raddb/clients.conf
client 10.255.160.7 {
        secret          = testing123
}

[root@www ~]# service radiusd restart
Stopping radiusd:                                          [  OK  ]
Starting radiusd:                                          [  OK  ]
[root@www ~]#


******* A10 box config
AX02(config)#radius-server host 10.255.161.55 secret testing123
AX02(config)#authentication type radius local
AX02(config)#accounting exec start-stop radius

******* test time
Last login: Sun Jun 21 20:50:23 2015 from 10.200.2.150

ACOS System is ready now.

[type ? for help]

AX02#


******* on A10 box
AX02#sh radius-server
Radius server              : 10.255.161.55
contact start              : 2
contact failed             : 0
authentication success     : 1
authentication failed      : 0
authorization success      : 1


****************************** other resources
https://networklessons.com/linux/how-to-install-tacacs-on-linux-centos/

Thursday, 25 June 2015

Socket Programming (python)





******** client.py
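#!/usr/bin/python
"""Interactive TCP client for the server.py demo.

Usage: client.py HOST PORT

Reads lines from the terminal, sends each one to HOST:PORT and prints the
reply, until the user types "bye". Python 2 (print statement / raw_input).
"""

# socket for the TCP connection, sys for argv and exit codes
import socket
import sys


def main():
    # Check the arguments up front instead of dying with IndexError/ValueError
    if len(sys.argv) != 3:
        sys.stderr.write("usage: %s HOST PORT\n" % sys.argv[0])
        sys.exit(2)
    host = sys.argv[1]
    try:
        port = int(sys.argv[2])
    except ValueError:
        sys.stderr.write("PORT must be an integer\n")
        sys.exit(2)
    print "host is", host
    print "port is", port

    # named 'sock', not 'socket': rebinding the module name (as the original
    # did) hides the socket module for the rest of the script
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    try:
        line = raw_input("user>")
        while line != "bye":
            if line == "":
                # send("") writes nothing, so the original then blocked forever
                # in recv(); just prompt again
                line = raw_input("user>")
                continue
            # sendall() retries until every byte is written; send() may stop short
            sock.sendall(line)
            # one recv() per request is a demo simplification: TCP is a stream,
            # so a long reply could arrive in more than one piece
            reply = sock.recv(65535)
            if reply == "":
                # an empty read means the server closed the connection
                print "server closed the connection"
                break
            print reply
            line = raw_input("user>")
    finally:
        sock.close()


if __name__ == "__main__":
    main()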


******** server.py
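#!/usr/bin/python
"""Single-client "remote command" demo server for client.py.

Listens on localhost:12000, accepts ONE connection, runs every line it
receives as a shell command and sends the output back; "bye" (or the client
hanging up) ends the session and the program. Python 2 only: the 'commands'
module was removed in Python 3 (subprocess.check_output is the replacement).

SECURITY WARNING: commands.getoutput() passes the raw bytes from the network
straight to /bin/sh. Anything that can connect to this port runs arbitrary
commands as the user who started the server, with no authentication. Binding
to the loopback address is the only thing limiting that: do not change the
bind address to a routable interface, and do not reuse this pattern outside a
socket-programming exercise.
"""

import socket
import sys
import commands

# bind address of the listener: loopback only, on purpose (see warning above)
SERVER = ("localhost", 12000)
# largest single read; matches the client's recv size
BUFSIZE = 65535


def serve(conn):
    """Serve one connected client until it sends "bye" or disconnects."""
    print "conn accepted"
    while True:
        data = conn.recv(BUFSIZE)
        if data == "":
            # empty read: the peer closed its end. The original fell through
            # here and spun forever, re-sending the last result on every pass.
            print "client disconnected"
            return
        print "data received"
        if data == "bye":
            # reply with a placeholder so a client waiting in recv() does not hang
            conn.sendall(" ")
            return
        # !!! untrusted network input executed by the shell - see module docstring
        result = commands.getoutput(data)
        print "printing result:", result
        print "sending result"
        # sendall("") transmits nothing and would leave the client blocked in
        # recv(), so always send at least one byte
        conn.sendall(result if result != "" else " ")
        print "result sent"


def main():
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # allow an immediate restart while the previous connection is in TIME_WAIT
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(SERVER)
    listener.listen(5)
    conn, client_addr = listener.accept()
    try:
        serve(conn)
    finally:
        # the original wrote 'conn.close' / 'socket.close' without (), which
        # only references the methods and never closes anything
        conn.close()
        listener.close()


if __name__ == "__main__":
    main()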

******** result
siakas-MacBook-Pro:PYTHON siaka$ ./client.py localhost 12000
host is localhost
port is 12000
user>ls -lh
total 56
-rwxr-xr-x  1 siaka  staff   534B Jun 14 05:54 client.py
-rwxr-xr-x  1 siaka  staff   1.2K Jun 14 03:46 client2.py
-rwxr-xr-x  1 siaka  staff    86B Jun 14 04:01 cmd.py
-rwxr-xr-x  1 siaka  staff   154B Jun 14 03:39 getargs.py
-rwxr-xr-x  1 siaka  staff   594B Jun 13 20:47 python.py
-rwxr-xr-x  1 siaka  staff   1.5K Jun 14 03:45 serv1.py
-rwxr-xr-x  1 siaka  staff   703B Jun 14 05:56 server.py
user>touch file{1..10}

user>ls -lh
total 56
-rwxr-xr-x  1 siaka  staff   534B Jun 14 05:54 client.py
-rwxr-xr-x  1 siaka  staff   1.2K Jun 14 03:46 client2.py
-rwxr-xr-x  1 siaka  staff    86B Jun 14 04:01 cmd.py
-rw-r--r--  1 siaka  staff     0B Jun 14 18:29 file1
-rw-r--r--  1 siaka  staff     0B Jun 14 18:29 file10
-rw-r--r--  1 siaka  staff     0B Jun 14 18:29 file2
-rw-r--r--  1 siaka  staff     0B Jun 14 18:29 file3
-rw-r--r--  1 siaka  staff     0B Jun 14 18:29 file4
-rw-r--r--  1 siaka  staff     0B Jun 14 18:29 file5
-rw-r--r--  1 siaka  staff     0B Jun 14 18:29 file6
-rw-r--r--  1 siaka  staff     0B Jun 14 18:29 file7
-rw-r--r--  1 siaka  staff     0B Jun 14 18:29 file8
-rw-r--r--  1 siaka  staff     0B Jun 14 18:29 file9
-rwxr-xr-x  1 siaka  staff   154B Jun 14 03:39 getargs.py
-rwxr-xr-x  1 siaka  staff   594B Jun 13 20:47 python.py
-rwxr-xr-x  1 siaka  staff   1.5K Jun 14 03:45 serv1.py
-rwxr-xr-x  1 siaka  staff   703B Jun 14 05:56 server.py
user>bye

siakas-MacBook-Pro:PYTHON siaka$ 



Monday, 15 June 2015

wireshark filters

You can find the filter keyword for any field by expanding the protocol in the packet-details pane and clicking on the field: its filter name is shown in parentheses in the status bar at the bottom of the Wireshark window.



**** Layer 1
frame.encap_type == 1   # frame encapsulation type
frame.number == 35    # frame number
frame.len == 1058     # frame length


**** Layer 2
eth.dst == 00:1f:a0:02:66:29   
eth.addr == 00:1f:a0:02:66:29  # matches the address in EITHER the source or the destination field (broader than eth.dst)
eth.type == 0x0800    #  ethernet type

*** Layer 3
ip.version == 4 # ip version 4 or 6
ip.hdr_len == 20 # ip header length
ip.dsfield == 0
ip.dsfield.dscp == 0x00
ip.dsfield.ecn == 0x00
ip.len == 1044
ip.id == 0x123   # ip identification
ip.flags == 0x00   # ip flags
ip.flags.rb == 0   # reserved bit (must be zero)
ip.flags.df == 0   # don't fragment bit
ip.flags.mf == 0  # more fragment bit
ip.frag_offset == 0
ip.ttl == 64
ip.proto == 6
ip.checksum == 0xaaa1
ip.src == 10.10.10.10
ip.dst == 10.10.10.10


*** Layer 4
tcp.flags.ack == 1  # tcp ack flag set to 1
tcp.hdr_len == 20   # tcp header length of 20bytes
tcp.ack == 1        # acknowledgment number equal to 1 (relative numbering, as Wireshark displays it by default)
tcp.len == 1004     # tcp segment length
tcp.dstport == 22616
tcp.srcport == 10000 

*** Layer 7
* payload 
data.data == XXXX 
* payload length
data.len == 1004