
Tunneling sessions via Plink

August 25th, 2010

Plink stands for PuTTY Link and is a command-line connection tool similar to Unix ssh. As a networking consultant I often need to support customers from remote locations. Access to their networking equipment is usually blocked from unknown locations, but sometimes direct access to a device such as the company firewall is allowed from a known location. An example of such a known location is the public IP space of my company's headquarters.

But how can I support somebody when I am not at my company's headquarters? Most Unix people already know the answer to that question: SSH (Secure Shell) tunneling.

To create an SSH tunnel you need an SSH server and an SSH client. Most Unix servers can act as SSH servers by installing OpenSSH, and there are plenty of SSH server applications for Windows as well. I configure and place the SSH server at my headquarters. Since the SSH server sits in my company's "allowed" public IP space, it can connect directly to the customer's equipment, provided the customer permits it.

The SSH tunnel turns my company's SSH server into a jump host: a relay in the middle that I control. I open an SSH session to the server and configure the client to forward certain localhost connections from my laptop through the tunnel; the SSH server then opens a new connection to the final destination and relays the traffic.

An example is accessing a Cisco ASA firewall via ASDM from my laptop. First I create the SSH tunnel to my company's SSH server and tell the client to forward connections to localhost port TCP/1234 through the tunnel, where the SSH server forwards them to the customer's firewall on port TCP/443. As far as the customer's firewall is concerned, the ASDM session from my laptop originates from my company's public IP space, which is allowed, so ASDM works even when I am at a completely different location.

I use Windows 7 on my laptop, so for SSH tunneling I need a third-party application. I always use Plink, which I copy to the C:\Windows\system32 directory so I can run it from any command prompt (any directory on your PATH will do). Plink accepts the parameters shown below:

PuTTY Link: command-line connection utility
Release 0.60
Usage: plink [options] [user@]host [command]
       ("host" can also be a PuTTY saved session name)
Options:
  -V        print version information and exit
  -pgpfp    print PGP key fingerprints and exit
  -v        show verbose messages
  -load sessname  Load settings from saved session
  -ssh -telnet -rlogin -raw
            force use of a particular protocol
  -P port   connect to specified port
  -l user   connect with specified username
  -batch    disable all interactive prompts
The following options only apply to SSH connections:
  -pw passw login with specified password
  -D [listen-IP:]listen-port
            Dynamic SOCKS-based port forwarding
  -L [listen-IP:]listen-port:host:port
            Forward local port to remote address
  -R [listen-IP:]listen-port:host:port
            Forward remote port to local address
  -X -x     enable / disable X11 forwarding
  -A -a     enable / disable agent forwarding
  -t -T     enable / disable pty allocation
  -1 -2     force use of particular protocol version
  -4 -6     force use of IPv4 or IPv6
  -C        enable compression
  -i key    private key file for authentication
  -noagent  disable use of Pageant
  -agent    enable use of Pageant
  -m file   read remote command(s) from file
  -s        remote command is an SSH subsystem (SSH-2 only)
  -N        don't start a shell/command (SSH-2 only)
  -nc host:port
            open tunnel in place of session (SSH-2 only)

The best way to use Plink is to create a batch file that you can run from the command line. Mine looks like this:

@echo off
REM -x -a -T: no X11 forwarding, no agent forwarding, no pty; -C: compression; -noagent: do not use Pageant
REM -L listen-IP:listen-port:host:port: listen on the laptop, let the SSH server connect to host:port
plink.exe -v -x -a -T -C -noagent -ssh -L 127.0.0.1:1234:80.101.152.38:443 <username>@<IP SSH server>

The command opens an SSH connection to <IP SSH server> as user <username>. The -x, -a and -T switches disable X11 forwarding, agent forwarding and pty allocation, none of which the tunnel needs; -C enables compression and -noagent keeps Plink from using Pageant. Every connection from my laptop to 127.0.0.1 on TCP/1234 is forwarded by the SSH server to the remote IP address 80.101.152.38 on TCP/443. Keep the listen address at 127.0.0.1: a forward bound to your laptop's LAN address (or to 0.0.0.0) lets other machines on your network ride your tunnel, and your credentials, to the customer's firewall. You can add more forwards by adding another -L option, like shown below.

@echo off
plink.exe -v -x -a -T -C -noagent -ssh -L 127.0.0.1:1234:80.101.152.38:443 -L 127.0.0.1:1235:1.1.1.1:22 <username>@<IP SSH server>

After executing the batch file you are prompted for the credentials of the SSH server. On the very first connection Plink also shows the server's host key fingerprint and asks whether to trust it; compare it with the fingerprint you noted on the server itself before answering, because that prompt is the only thing standing between you and a spoofed jump host. After that you are ready to go: start ASDM or another application and connect to localhost on port TCP/1234 or TCP/1235 (the local listen ports, not 443 or 22, which are the ports on the far side). The traffic is forwarded through the SSH tunnel and from the SSH server to the final destination. If you only need the tunnel and no shell on the SSH server, add -N to the command line.
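To make the forwarding rule concrete, here is an added Python 3 example, not code from this post and not part of Plink, that does on the laptop side what one -L entry does: parse [listen-IP:]listen-port:host:port, listen on that address, and relay each accepted connection to host:port. The SSH layer is left out, so the relay connects to the target directly instead of asking the SSH server to; an in-process echo server stands in for the customer's device, and all addresses, ports, the request payload and the function names are my own constructions. The loopback check mirrors the listen address used in the batch file: a forward bound to anything other than 127.0.0.1 exposes your tunnel to the whole LAN, so the code makes that an explicit opt-in rather than a typo.

```python
# Added example: plink -L on the laptop side as a plain TCP relay. Real plink
# carries the relay inside the SSH session and lets the SSH server make the last
# hop; here SSH is skipped and the relay connects to the target directly. Python 3.
import socket
import threading

LOOPBACK = ("127.0.0.1", "localhost")  # bindable without opt-in (IPv4 only)

def parse_forward(spec, default_listen_ip="127.0.0.1"):
    """Split a -L argument into (listen_ip, listen_port, host, port); as with
    plink, a missing listen-IP means loopback. IPv6 literals are not handled."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = [default_listen_ip] + parts
    if len(parts) != 4:
        raise ValueError("expected [listen-IP:]listen-port:host:port, got %r" % spec)
    listen_ip, listen_port, host, port = parts
    return listen_ip, int(listen_port), host, int(port)

def _pump(src, dst):
    """Copy bytes src -> dst until src signals EOF, then pass the EOF on."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _relay(client, target):
    """Serve one accepted client: open the upstream leg and pump both ways."""
    with client, socket.create_connection(target) as upstream:
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()

def _listener(ip, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((ip, port))  # port 0 picks a free port
    s.listen(8)
    return s

def _serve(lsock, handler):
    """Accept in the background until lsock is shut down; one thread per client."""
    def loop():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

def stop_listener(lsock):
    """Wake the accept loop (shutdown) and release the port (close)."""
    try:
        lsock.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    lsock.close()

def start_forward(spec, allow_non_loopback=False):
    """Start one -L listener; returns (listening socket, bound port). A forward
    bound to 0.0.0.0 or the LAN address lets every machine on the network ride
    your SSH credentials to the far end, so that needs an explicit opt-in."""
    listen_ip, listen_port, host, port = parse_forward(spec)
    if listen_ip not in LOOPBACK and not allow_non_loopback:
        raise ValueError("refusing to expose the tunnel on %s" % listen_ip)
    lsock = _listener(listen_ip, listen_port)
    _serve(lsock, lambda conn: _relay(conn, (host, port)))
    return lsock, lsock.getsockname()[1]

def start_echo_server():
    """Stand-in for the customer's device (constructed): echoes what it receives."""
    def echo(conn):
        with conn:
            for data in iter(lambda: conn.recv(4096), b""):
                conn.sendall(data)
    srv = _listener("127.0.0.1", 0)
    _serve(srv, echo)
    return srv, srv.getsockname()[1]

def send_through(port, payload):
    """Connect to the local listener, send payload, return everything echoed back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))

def round_trip(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Echo server as the far end, a -L forward in front of it, one request through."""
    srv, target_port = start_echo_server()
    fwd, local_port = start_forward("127.0.0.1:0:127.0.0.1:%d" % target_port)
    try:
        return send_through(local_port, payload)
    finally:
        stop_listener(fwd)
        stop_listener(srv)
```

Call round_trip() to watch a request enter the local listener and come back from the far end, and start_forward("0.0.0.0:1234:...") to see the guard refuse it. With real Plink that guard is simply the listen-IP you type: keep it at 127.0.0.1 unless you deliberately want to share the tunnel.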

Of course you need some preparation to use this solution, such as installing the SSH server and publishing it to the internet. You also need outbound SSH access from the remote location, otherwise you cannot create the tunnel.

Since you are publishing a server to the internet, it is important to strip that server down. Make sure no unnecessary or vulnerable services are running and keep the server patched. Prefer key-based authentication over passwords and add a second factor, such as one-time passwords. Also limit what the tunnel may reach: on OpenSSH the sshd_config directives AllowTcpForwarding and PermitOpen restrict port forwarding to the destinations you actually support, so a compromised account on the jump host cannot be turned into a relay to arbitrary hosts. That way you know you have a secure environment for reaching the assets at the final destination.

In the end you have a secure way to support your customers or to reach other resources on the internet or on your internal network.

Cacti – Superlinks not working

August 18th, 2010

After upgrading Cacti as described in the previous post (Upgrade Cacti 0.8.x), the Superlinks plugin stopped working correctly. When opening a Superlinks tab I got a blank page in Google Chrome, or half a page in Internet Explorer and Opera, like shown below.

(screenshot: superlinks-cacti, the half-rendered Superlinks tab)

After some Googling I found the solution on a Cacti forum. The fix is a small change to the file superlinks.php, shown below.

Replace

print '<iframe src="' . $page['contentfile'] . '" width="100%" height="100%" frameborder="0"></iframe>';

by

print '<iframe id="frame" src="' . $page['contentfile'] . '" width="100%" height="100%" frameborder="0"></iframe>';
print "<script type='text/javascript'>
function resizeIframe() {
    // viewport height: window.innerHeight on Firefox (the forum version read
    // innerWidth here, a typo), documentElement.clientHeight on IE
    var height = window.innerHeight;
    if (document.documentElement.clientHeight) {
        height = document.documentElement.clientHeight;
    }
    // fill the page below the frame's own top edge, leaving 72px for the footer
    var frame = document.getElementById('frame');
    frame.style.height = parseInt(height - frame.offsetTop - 72) + 'px';
}
document.getElementById('frame').onload = resizeIframe;
window.onresize = resizeIframe;
</script>";

Superlinks is working fine again after applying the change.

Upgrade Cacti 0.8.x

August 18th, 2010

A lot of people use the CactiEZ virtual appliance to get a running Cacti environment. The latest CactiEZ appliance (CactiEZ v0.6) ships Cacti v0.8.7c with Plugin Architecture 2.2, while the latest stable release is Cacti v0.8.7g with Plugin Architecture 2.8.

I always have trouble upgrading Cacti, because it takes multiple steps and you must not forget any of them. This post lists the steps for upgrading to the latest version of Cacti.

I always start by changing the default behaviour of the cp command. On the appliance cp is aliased to cp -i, which makes it interactive: before every overwrite it asks for confirmation, like shown below.

cp: overwrite `/var/www/html/docs/html/data_input_methods.html'?

Change this by deleting or commenting out the cp alias in /root/.bashrc, then log out and log in again. If you would rather leave the alias in place, prefix the command with a backslash (\cp ...) to bypass the alias for that one invocation; note that cp -f does not cancel -i, so the -f in the copy commands below is not enough on its own.

Now we are ready to upgrade Cacti. Let’s go.

1. First back up the current Cacti database (add -u and -p if the MySQL server does not accept your login without credentials);

mysqldump -l --add-drop-table cacti > cacti_sql_backup

2. Backup your current Cacti html directory;

mv /var/www/html /var/www/html.bak

3. Copy the new tarball to the target system and extract the tarball;

tar zxvf cacti-0.8.7g.tar.gz

4. Move the extracted directory into place as the new Cacti root (html no longer exists after step 2, so mv renames the directory instead of placing it inside);

mv /root/cacti-0.8.7g/ /var/www/html/

5. Edit include/config.php to include the correct database credentials and default session name;

$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cactiuser";
$database_password = "cactiuser";
$database_port = "3306";

#$cacti_session_name = "CactiMadeEZ";

6. Copy the *.rrd files, scripts and XML files from the old Cacti directory;

cp /var/www/html.bak/rra/* /var/www/html/rra/.
cp -rfv /var/www/html.bak/scripts/* /var/www/html/scripts/
cp -rfv /var/www/html.bak/resource/* /var/www/html/resource/

7. Set the appropriate owner and permissions;

chown -R apache:apache /var/www/html

8. Go to the Cacti website and follow the on-screen instructions to upgrade the database;

9. Copy and extract the plugin architecture tarball, copy .diff file to the Cacti root directory and apply the patch;

tar zxvf cacti-plugin-0.8.7g-PA-v2.8.tar.gz
cp /root/cacti-plugin-arch/cacti-plugin-0.8.7g-PA-v2.8.diff /var/www/html/.
cd /var/www/html
patch -p1 -N < cacti-plugin-0.8.7g-PA-v2.8.diff

10. Change the file include/global.php to include the correct database credentials, default session name and the plugin list;

/* Default database settings */
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cactiuser";
$database_password = "cactiuser";
$database_port = "3306";

/* Default session name - Session name must contain alpha characters */
$cacti_session_name = "CactiMadeEZ";

$plugins = array();
$plugins[] = 'settings';
<..>
$plugins[] = 'superlinks';

11. Copy the old plugins directory;

cp -rfv /var/www/html.bak/plugins/* /var/www/html/plugins/.

12. Go to Configuration – Plugin Management to install / enable your plugins. Install / enable the plugin loginmod to get your customized login page back.

Now the upgrade is ready and you are set to experience your freshly upgraded CactiEZ appliance.
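Before html.bak is deleted it is worth confirming that the copy in step 6 and the credential edits in steps 5 and 10 did not lose anything. The Python 3 script below is an added example, not part of this post or of Cacti: it compares the rra/, scripts/ and resource/ trees of the old and new installation file by file (by SHA-256) and reports every $database_* or $cacti_session_name setting whose value differs between two config files. The default paths are the ones used in the steps above; the function names are mine, and the tree that demo() builds in a temporary directory is constructed sample data. The appliance's own Python is probably too old for it, so run it from a workstation after copying both trees over, or after installing python3.

```python
# Added example: post-copy check for the Cacti upgrade, not code from the post
# or from Cacti. Python 3; paths default to the ones used in the upgrade steps.
import hashlib
import os
import re
import shutil
import tempfile

CARRY_OVER_DIRS = ("rra", "scripts", "resource")
# Matches lines such as   $database_password = "cactiuser";   (commented-out
# lines, e.g. #$cacti_session_name = "...", are deliberately ignored).
SETTING_RE = re.compile(
    r'^\s*\$(database_\w+|cacti_session_name)\s*=\s*["\']([^"\']*)["\']\s*;', re.M)


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_trees(old_root="/var/www/html.bak", new_root="/var/www/html",
                  subdirs=CARRY_OVER_DIRS):
    """Return (missing, changed): paths relative to old_root that are absent
    from new_root, or present there with different content."""
    missing, changed = [], []
    for sub in subdirs:
        base = os.path.join(old_root, sub)
        if not os.path.isdir(base):
            continue
        for dirpath, _, files in os.walk(base):
            for name in files:
                src = os.path.join(dirpath, name)
                rel = os.path.relpath(src, old_root)
                dst = os.path.join(new_root, rel)
                if not os.path.isfile(dst):
                    missing.append(rel)
                elif _digest(src) != _digest(dst):
                    changed.append(rel)
    return sorted(missing), sorted(changed)


def read_settings(path):
    """$database_* and $cacti_session_name assignments in a Cacti config file."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return dict(SETTING_RE.findall(f.read()))


def config_drift(old_cfg, new_cfg):
    """{setting: (old value, new value)} for every setting not carried over intact."""
    old, new = read_settings(old_cfg), read_settings(new_cfg)
    return {k: (v, new.get(k)) for k, v in old.items() if new.get(k) != v}


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: the copy skipped resource/, one script was edited in
    the new tree, and the new config.php carries a different DB password."""
    root = tempfile.mkdtemp(prefix="cacti-check-")
    try:
        old, new = os.path.join(root, "html.bak"), os.path.join(root, "html")
        _write(old, "rra/localhost_load_1min_5.rrd", b"\x00rrd-data")
        _write(old, "scripts/ss_host_disk.php", b"<?php // original\n")
        _write(old, "resource/snmp_queries/interface.xml", b"<interface/>\n")
        _write(new, "rra/localhost_load_1min_5.rrd", b"\x00rrd-data")
        _write(new, "scripts/ss_host_disk.php", b"<?php // edited\n")
        _write(old, "include/config.php",
               b'$database_username = "cactiuser";\n$database_password = "cactiuser";\n'
               b'#$cacti_session_name = "CactiMadeEZ";\n')
        _write(new, "include/config.php",
               b'$database_username = "cactiuser";\n$database_password = "changeme";\n')
        missing, changed = compare_trees(old, new)
        drift = config_drift(os.path.join(old, "include/config.php"),
                             os.path.join(new, "include/config.php"))
        return missing, changed, drift
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

On a real upgrade call compare_trees() with no arguments and config_drift("/var/www/html.bak/include/config.php", "/var/www/html/include/config.php"); an empty missing list for rra/ is the thing to insist on, since those files are the graph history and cannot be regenerated.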

STP successor – CiscoNL

August 16th, 2010

I just watched an online video on the CiscoNL Technology site about the successor to Spanning Tree Protocol in the near future. The video can be found here (language: Dutch).

Cisco Virtual Com

July 28th, 2010

It took some time, but Cisco has started to migrate from the blue RJ-45 based console cable to a USB based console cable. The latest routers and switches come with both types of connection, or only with the USB connection, like the new IBM blade switches.

The picture below shows the console ports on a Cisco 2921 router.

(photo: 28072010035)

Sorry for the bad quality, I guess I will never be a good paparazzo. You can see the USB and the RJ-45 connection. To use the USB connection you need to install the Cisco Virtual Com software, which can be downloaded from the Cisco Download Center, like shown below.

(screenshot: Cisco_USBconsole_download)

The installation process for Windows based workstations is
