XpressLearn Home

Two Factor Authentication for Linux Console and ssh Logins

This article will describe how to set up two-factor authentication for a Debian-based Linux machine. The solution works for both console and remote (ssh) logins. When moving a Linux host to two-factor authentication there are actually a couple of options; I will briefly explain both and why one was chosen over the other in this particular example. Before getting to that, a brief mention of the type of two-factor authentication server being used.

RSA Authentication Manager provides an authentication mechanism built around a “token” – either hardware (e.g. a keyfob) or software (an application that provides the same functionality as a keyfob). A hardware or software token is assigned to an individual and generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the token’s factory-encoded random key (known as the “seed”). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased.

In this example, I am using RSA Authentication Manager 6.1, which is running on a purpose-built appliance that uses Windows 2003 Server with the RSA server software installed. This particular solution includes Funk Software’s Steel Belted Radius, which provides a RADIUS authentication front end into RSA. At the time of this writing, this appliance and software version is approaching end of life and has since been replaced with Authentication Manager 7.1. In the appliance version of 7.1 (known as Authentication Manager 3.0), the operating system has moved to Linux with Authentication Manager 7.1 loaded on top of it. Version 7.1/3.0 also includes a RADIUS server that can be used by RADIUS clients needing two-factor authentication.

DIY Checkpoint Firewall Log Analysis

In the world of firewall administration, one very common problem is that a host behind a firewall has more access than was intended. This occurs mainly because of ‘loosely defined’ rules that happen to ‘catch’ unintended traffic and inadvertently allow it to pass. I was recently given the task of reducing access for a set of hosts behind a CheckPoint firewall that had a 1000-rule policy installed, with logging turned on for every rule (including the cleanup rule). My point in describing the environment is that it can quickly become overwhelming to fire up Tracker and begin piecing access information together, especially across multiple days. To get started, the first order of business was to find all the rules this group of hosts was using, which had to be known before the required ‘bare bones’ access could be implemented.

Before I go any further, it must be stated that commercial packages exist that can do this type of analysis for you. These programs usually import CheckPoint logs into a larger data source and then run various reports against it. While those packages are extremely valuable to the firewall administrator, they are often cost prohibitive for the company they work for. My aim here is to share a Do It Yourself, bare bones, just-get-it-done alternative to buying these costly software packages.

Un-brick a network appliance

It is not uncommon for a software upgrade on a network appliance type of device to fail. Hopefully the failure doesn’t render the hardware useless and allows the operation to be retried. However, there are times when an upgrade fails and the device no longer functions at all. This article uses a specific example to carry you through steps that can be applied to any appliance-like device.

First, a few details regarding the example scenario:

A previous upgrade to an IP-enabled KVM switch was causing issues with its normal operation. There were issues both with local use through a directly attached keyboard/monitor/mouse and with remote use through the viewer plugin. After my co-workers had complained enough, I decided it was time to downgrade the software to the previously running code, which did not have all the issues that were currently happening. Using the management software for the KVM, I downgraded 7 of 8 devices successfully. One device failed during the procedure and subsequently stopped responding on the network.

Reset Windows Server Administrator password

I have a lab setup with a few Windows machines, including a domain controller, whose password I can never seem to remember. After reading over some different options, this is by far the easiest method to reset the Administrator password, and it does not require any third-party software – only a Windows Server 2008 install disk.

First, shut the running machine down. Luckily my lab was running in a virtual environment and the guest that needed the password reset had the VMware tools installed. I opened a console window to the VM and, in the viewer, selected VM from the menu bar, then Power, then Restart Guest (Ctrl+R). Obviously, if this is a physical machine or a virtual machine without the tools installed, you may have to shut it down / power it off not so gracefully. However, at this point – if you can’t log in to the machine – what else can you do? :-)

Make sure your boot order is set up properly in the BIOS so that the machine will attempt to boot from CD/DVD before the hard drive. Once this is correctly set, be sure to press a key to boot from the DVD while the message telling you to do so is shown.

Closing an open file handle

Recently, I needed to close a file that was open via a network share on a server containing user home directories. This particular file was a temporary Excel file opened from a user workstation. These files are easily identifiable; in this case the name was ~$Weekly Sales Report.xlsx. The Office suite of programs creates a temporary file with the same file name prefixed by the ‘~$’ characters, and that file contains the logon name of the person who opened the document first. This temporary file is called the “owner file” and is used to prevent more than one network user from opening the same document in read/write mode at the same time. When this file exists and a second user goes to open the same document, they will see a message similar to the following:

This file is already opened by (user name). Would you like to make a copy of this file for your use?

The reason I needed to close this file was that I was running robocopy to mirror a directory from one drive to another. Robocopy detected the file in use and would stall for 30 seconds, then retry the copy. Since I didn’t specify how many times to retry, the default was one million times. How’s that for bringing a 450GB copy operation to a standstill! Since this job was over 50 percent complete, I didn’t want to start it over – so the question was: how do I close this file in use?

Backup network configurations with free tools

Anyone who manages a network will benefit from having a plan in place to back up network device configurations. Switches, routers, load balancers, firewalls, and VPN devices all contain configurations that should have copies stored off the device itself. This provides a backup in case the device fails and needs to be replaced or, more commonly, a misconfiguration is made on a device and you need to go back to where you started from.

In this example, we will use a very nice tool called Expect. Expect has traditionally been run on Unix variants, but has also been ported to Windows. ActiveState, the company known for Perl on the Windows platform, also offers Tcl for Windows, which includes Expect. This particular article covers the program running on the Linux platform, with the possibility of revisiting at a later date to explore whether the same processes can be run on Windows.

Windows Unidentified network

There are things that bug me from time to time when setting up a new system, in regard to how software is implemented. I’m sure this is common for other people in similar situations; most of the time it is just easier to ignore whatever the issue is, especially if it is just ‘cosmetic’. This particular issue falls somewhere between cosmetic and possibly problematic, but I would prefer it to be gone, nonetheless…

The issue I’m speaking about concerns Windows Vista/7/2008 Server and the ‘Unidentified network’. Before we dive into fixing the unidentified network categorization, a little explanation of how the process works: the Windows operating system wants to classify each active network interface in order to determine what category to place the adapter in. Inside the Control Panel, click Network and Internet, then click View network status and tasks. In the default view, this brings you to the ‘Network and Sharing Center’. Inside the section ‘View your active networks’, each connected network interface is displayed.

Each network interface is then categorized as Public, Private, or Domain. Once the interface is automatically assigned to one of these categories, certain rules are applied. The rules relate to the Windows Firewall, Network Discovery, and Network Sharing.

Deploy syslog agent for centralized Windows logging

Eventlog to Syslog, originally developed by Curtis Smith at Purdue University, is a very small and efficient program that takes Windows event logs and forwards them as syslog messages to a syslog server. Its last modification was made by Sherwin Faria of Rochester Institute of Technology. The current version at the time of this writing is 4.4, revised November 29, 2010. The project is now available to all and is hosted at code.google.com.

Since there is both a 32-bit and a 64-bit version of this service, I have put together a little deployment script that determines the target architecture and then deploys the appropriate client.

Network Design Series I

The intent of this series is to carry you through an entire network design. By creating a scenario and documenting the process of designing a network for a fictitious company, I hope to share some knowledge along the way.

Let’s get started:

An insurance company in TN named qwikPolicy has decided to open its doors for business and has secured services to design a network for the business. They have provided a business plan that includes where and how the business will be operated.

Network Design Series II

In the previous article, we defined some general parameters around which the network will be designed. The first thing we will do is figure out our WAN connectivity.

WAN

After reviewing multiple telecom provider offerings, the decision is made to enter into an agreement with bellX. bellX will provide a private MPLS cloud for the wide area network requirements. Ninety-two offices will have T1 access into the bellX MPLS cloud with a 512kb port speed. Memphis, which is the only claims combination office without datacenter space, will have a full 1.5mb port speed. The other two combination office/datacenters will have T3 access with the full 45mb port speed.

With a decision made on how the offices will be connected together, now we can start working on the overall design. Here are a few points that need to be considered during the design phase.

The first thing needed is to sketch out a high-level design drawing. Visio can be used to quickly sketch a high-level drawing, and it can also be used later to expand that high-level drawing into a detailed design drawing. The following is a high-level diagram of the datacenter networking: