
My take on Amazon Network Switches

There has been a rumour floating around lately that Amazon is going to introduce Ethernet switches. A move like this by Amazon would eventually challenge manufacturers like Cisco Systems. I came across a video from Packet Pushers where Greg Ferro talks about the possibilities and avenues Amazon could take to venture into the switching, or even the wider networking, arena.

As Greg stated, Amazon, or in this case AWS, already runs its own network on its own hardware and software, because it cannot maintain a profit margin while relying on another vendor. In the long run it is cheaper to run on hardware and software that you design, manufacture and manage yourself. Furthermore, it would be near impossible to run the biggest cloud architecture in the world with the network on another vendor's equipment. They most likely run their underlying network as a fabric controlled by software-defined networking (SDN) such as OpenFlow, with the rest of the architecture virtualized and controlled from the AWS console.


Setup Two Factor Authentication to Debian

It is always best to add two-factor authentication (2FA) to any access-control method. The following post will guide you through enabling 2FA in a Debian Linux environment.

It is assumed that password authentication will be used in conjunction with 2FA.

Install the Google Authenticator PAM module.

apt-get install libpam-google-authenticator

Edit /etc/pam.d/sshd and add the following line.

auth required pam_google_authenticator.so

Edit the file /etc/ssh/sshd_config and make sure the following options are enabled.

UsePAM yes
ChallengeResponseAuthentication yes

Run google-authenticator as the user account that will be logging in.

google-authenticator

Add the account to your Google Authenticator app and save the emergency codes.


Assigning /31 prefix address to interfaces

When it comes to subnetting, most people usually stop at /30. This gives a netmask of 255.255.255.252, resulting in two usable IP addresses along with one network and one broadcast address.

The /31 prefix was introduced in RFC 3021, which defines its use on point-to-point links. A point-to-point interface does not need a broadcast address, so there is no real need to assign a /30. On a /31 segment, both addresses are interpreted as host addresses.

The main advantage of a /31 prefix is that it limits the number of addresses required on a segment. A company that runs many point-to-point links on public IP addresses can therefore halve the address space those links consume.
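The /30-versus-/31 rule described above, worked through in Python as an added example (not from the original post); the 203.0.113.0/24 documentation range is a constructed sample, and the saving is generalised to any number of links.

```python
# Added example (not from the original post): classify the addresses in a /30
# and a /31 the way RFC 3021 does, and compute the saving across many links.
import ipaddress
from typing import Dict, List


def address_roles(cidr: str) -> Dict[str, str]:
    """Map every address in the prefix to its role.
    Classic rule: first = network, last = broadcast, the rest = hosts.
    RFC 3021 rule: a /31 (or IPv6 /127) has no broadcast, so both are hosts."""
    net = ipaddress.ip_network(cidr, strict=True)
    addrs = list(net)
    if net.prefixlen == net.max_prefixlen - 1:
        return {str(a): "host" for a in addrs}
    roles = {}
    for i, a in enumerate(addrs):
        if i == 0:
            roles[str(a)] = "network"
        elif i == len(addrs) - 1:
            roles[str(a)] = "broadcast"
        else:
            roles[str(a)] = "host"
    return roles


def usable_hosts(cidr: str) -> List[str]:
    """Addresses an interface may actually be assigned on this segment."""
    return [a for a, role in address_roles(cidr).items() if role == "host"]


def addresses_consumed(links: int, prefixlen: int) -> int:
    """Total IPv4 addresses burned by `links` point-to-point links of the given size."""
    return links * 2 ** (32 - prefixlen)


if __name__ == "__main__":
    for cidr in ("203.0.113.0/30", "203.0.113.4/31"):   # RFC 5737 documentation range
        print(cidr, address_roles(cidr))
    # 64 links: 256 addresses as /30s versus 128 as /31s, i.e. half the space saved
    print(addresses_consumed(64, 30), addresses_consumed(64, 31))
```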


Ubiquiti EdgeRouter Tunnelbroker IPv6 Configuration

This post will cover the IPv6 configuration on a Ubiquiti EdgeRouter ERPoE-5 running version 1.9.1. I will go through the whole process of setting up IPv6 connectivity using a Hurricane Electric 6in4 tunnel.

I will not be using the real IP addresses; however, the reader should be able to follow along and substitute their own configuration.

This is a home network, so a lot of aspects are not considered in the design!

Overview

  • There are three VLANs: Main (1), Guest (2) and Automation (3).
  • Since there is no native IPv6 support from my ISP, I am using a 6in4 Tunnel to get IPv6 working.
  • The EdgeRouter is the public facing device connected to a vDSL Modem via eth0.
  • The Ethernet interfaces eth1, eth2, eth3, eth4 are bridged via bridge interface br0.
  • Bridge interface br0 has the RFC 1918 address 192.168.1.124 assigned on VLAN 1, which is also used as the management IP.

Part 1

In this part, I will cover the tunnel creation. Head to Hurricane Electric (HE) at https://www.tunnelbroker.net and get yourself an IPv6 tunnel. I have used a /48 routed prefix for my configuration, which you can see below.


Exim Error: Exit R=virtual_aliases: No Such User Here

The following Exim mail server error was encountered while sending out mail. The error was originally experienced by the Gravity Forms WordPress plugin; however, I was able to reproduce it from the command line to rule out the plugin.

someone@domain.com R=virtual_aliases: No Such User Here

The debug message I received via Gravity Forms is the following. It confirms that the mail was passed from WordPress to the mail server.

2016-03-25 11:06:04.042599 - DEBUG --> GFCommon::send_email(): Result from wp_mail(): 1
2016-03-25 11:06:04.042748 - DEBUG --> GFCommon::send_email(): Mail was passed from WordPress to the mail server.
2016-03-25 11:06:04.153172 - DEBUG --> GFFormDisplay::handle_confirmation(): Sending confirmation.

Before I go any further, I would like to give some background information on domain.com, whose components are hosted as follows.


How to force APT/apt-get to use IPv4 instead of IPv6

Even though I am a big advocate of IPv6, I have come across Debian's APT / apt-get getting stuck with the following message. I believe it is due to an issue on the server concerning the FQDNs http.debian.net and security.debian.org. The easy fix is to force APT to use IPv4 instead of IPv6.

0% [Connecting to http.debian.net (2a01:4f8:151:555d::42)] [Connecting to security.debian.org (2610:148:1f10:3::73)]

echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4

Cisco VIRL: KVM acceleration is not available

Cisco VIRL sometimes throws the following error, stating that KVM acceleration is not available, when it runs as a guest on ESXi.

KVM acceleration is not available
INFO: Your CPU does not support KVM extensions
KVM acceleration can NOT be used

You can also run the kvm-ok command to find the status of KVM acceleration. The cause is a missing setting on the ESXi guest: the following parameter needs to be added to the VM's .VMX configuration file. Please make sure the VM is shut down before making the change.

vhv.enable = "TRUE"

You can also add this parameter to /etc/vmware/config on the host, but it is not imperative that you do so.

IANA ROOT DNS Object-Group

The following object-group contains the IANA root DNS servers (current at the time of writing) and can be used on Cisco ASA firewalls.

IANA Root DNS Servers (IPv4/IPv6)
object-group network IANA-ROOT-DNS
 description IANA Root DNS Servers (IPv4/IPv6)
 network-object host 198.41.0.4
 network-object host 2001:503:ba3e::2:30
 network-object host 192.228.79.201
 network-object host 2001:500:84::b
 network-object host 192.33.4.12
 network-object host 2001:500:2::c
 network-object host 199.7.91.13
 network-object host 2001:500:2d::d
 network-object host 192.203.230.10
 network-object host 192.5.5.241
 network-object host 2001:500:2f::f
 network-object host 192.112.36.4
 network-object host 128.63.2.53
 network-object host 2001:500:1::803f:235
 network-object host 192.36.148.17
 network-object host 2001:7fe::53
 network-object host 192.58.128.30
 network-object host 2001:503:c27::2:30
 network-object host 193.0.14.129
 network-object host 2001:7fd::1
 network-object host 199.7.83.42
 network-object host 2001:500:3::42
 network-object host 202.12.27.33
 network-object host 2001:dc3::35

Best Practice Access Control List Firewall Rules

When it comes to firewall rules, there are a number of things I follow as best practice. To start with, make sure you have all the necessary information in place before writing your firewall rules.

Ask yourself the following questions. If you don't have the answers, go back to the drawing board and gather all the necessary information.

  • Do you know all the ports that the firewall needs to permit?
  • Do you have all the IP/Subnet information?

Make the ACLs short and sweet

It is always best practice to avoid raw IP addresses in ACLs and refer to named objects instead.

  • Make sure that the ACLs are intuitive to anyone who is not familiar with your network.
  • You should be able to understand how the firewalling is done by reading the ACLs.