Case: On the core switch you notice the traffic on some VLAN or interface spiking to 100 Mb/s and staying there, and you don't have adequate network management tools to help you.
Steps:
1. Clear the interface counters
#clear counters
2. Check the traffic on each interface and find the one carrying the abnormal traffic
#show interfaces stats
The interface with the largest "in" count and the interface with the largest "out" count are the two ends of the suspicious flow.
3. Check whether that interface connects to a downstream switch
#show cdp neighbors
If it does, log in to that switch and repeat steps 1, 2 and 3, working your way down until you reach the end of the chain.
4. When you reach the last-hop interface, look up the MAC and IP on that port
#show mac-address-table
Check the MAC address table and confirm that the MAC address 0001.0260.5d6b is learned on that interface.
#show arp | include 0001.0260.5d6b
Look up the IP address that corresponds to that MAC; if the edge switch doesn't have it, check on the core switch.
5. Once you have the IP you can deal with it right away; the cruder method is to walk to the switch and see which device is plugged into that port.
Thursday, August 21, 2008
Thursday, August 14, 2008
Using Linux to build a log server for network device logs
Purpose: Network devices usually have a very small log buffer, so keeping the logs on the device itself is a bad idea. When a device has a problem, the important entries have often already been overwritten because the buffer is so small, or the device dies and takes its logs with it, so the cause can't be found. That's why network devices usually come with a syslog function that lets you send the logs to a log server; here's a quick demonstration.
Environment: RHEL 5 (any other Linux with a syslog service works too) + PIX 525 firewall
Prerequisites: you need configuration rights on both the Linux box and the firewall, and the network path must be open, especially Firewall --> Log Server (udp 514); syslog uses UDP port 514
Setup steps:
1. Configure syslog on the Linux server
vi /etc/sysconfig/syslog
Change SYSLOGD_OPTIONS="-m 0"
to SYSLOGD_OPTIONS="-r -x -m 0"
Note: -r allows remote hosts to write messages, -x disables DNS lookups
vi /etc/syslog.conf
Add: local4.* /var/log/pix.log
Note: this stores every log from local4 (the PIX default is local4, which is facility 20 on the PIX) in /var/log/pix.log. Also change the messages line to
*.info;mail,authpriv,cron,local4.none /var/log/messages
(so that local4 is not written to messages as well)
2. To keep the log file from growing too large, configure log rotation (see man logrotate for details)
vi /etc/logrotate.conf
#PIX Firewall log
/var/log/pix.log {
    daily
    create
    rotate 10
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
Note: for details see http://linux.vbird.org/linux_basic/0570syslog.php
3. Restart the syslog service:
service syslog restart
4. Configure the PIX
pix(config)# logging on
pix(config)# logging host 192.168.1.1 <-- the IP of the Linux log server goes here
pix(config)# logging trap 4
pix(config)# logging facility 20
pix(config)# exit
pix# wri mem
Supplement:
Log levels:
1: Alerts
2: Critical
3: Errors
4: Warnings
5: Notifications
6: Informational
7: Debugging
Local to facility mapping:
local 0 = Logging Facility 16
local 1 = Logging Facility 17
local 2 = Logging Facility 18
local 3 = Logging Facility 19
local 4 = Logging Facility 20
local 5 = Logging Facility 21
local 6 = Logging Facility 22
local 7 = Logging Facility 23
Or configure it through PDM
Enter your log server's IP in the IP Address field
★Debugging: if it still doesn't work, test it as follows
1. On the PIX, check whether the configuration is correct:
pix# show logging
Syslog logging: enabled
Facility: 20
Trap logging: level warnings
Logging to inside 192.168.1.1
This verifies the syslog configuration
2. On the log server, check whether UDP port 514 is listening
linux# netstat -an | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*
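A third check that is not in the original post: send a hand-built syslog datagram to the log server with the same facility and severity the PIX uses (local4 = facility 20, trap level 4 = warnings) and watch for it in /var/log/pix.log. This is an added example, not the author's code; LOG_SERVER assumes the 192.168.1.1 address used above.

```python
"""Send a test syslog message to the log server configured above.

Added example, not part of the original post. It builds an RFC 3164 style
message from the facility/severity numbers the post lists (local4 = facility
20, severity 4 = warnings), so a line should appear in /var/log/pix.log if
syslogd accepts remote messages (-r) and the local4.* rule is in place.
LOG_SERVER is an assumption; replace it with your server's IP.
"""
import socket
import time

LOG_SERVER = "192.168.1.1"   # assumption: the log server IP from the post
SYSLOG_PORT = 514            # syslog over UDP, as in the post

# local0..local7 map to facility 16..23 (the table from the post)
LOCAL_TO_FACILITY = {n: 16 + n for n in range(8)}

# PIX trap levels from the post
SEVERITY = {
    "alerts": 1, "critical": 2, "errors": 3, "warnings": 4,
    "notifications": 5, "informational": 6, "debugging": 7,
}


def pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23, severity 0..7")
    return facility * 8 + severity


def decode_pri(value: int) -> tuple:
    """Split a PRI back into (facility, severity); handy when reading raw packets."""
    return value // 8, value % 8


def build_message(local_n: int, level: str, hostname: str, text: str) -> bytes:
    """Build '<PRI>Mmm dd hh:mm:ss host text', the format syslogd expects."""
    facility = LOCAL_TO_FACILITY[local_n]
    header = time.strftime("%b %d %H:%M:%S", time.localtime())
    line = f"<{pri(facility, SEVERITY[level])}>{header} {hostname} {text}"
    return line.encode("ascii")


def send_test(local_n: int = 4, level: str = "warnings", server: str = LOG_SERVER) -> int:
    """Send one UDP datagram; returns the number of bytes sent."""
    msg = build_message(local_n, level, "pix-test", "syslog test from log-server setup")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(msg, (server, SYSLOG_PORT))


if __name__ == "__main__":
    print("sent", send_test(), "bytes; now check: tail -f /var/log/pix.log")
```

If the datagram arrives but nothing is written, the syslog.conf rule or the -r option is the problem; if netstat shows 514 listening and the line never arrives, look at the path between firewall and server.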
Tuesday, July 8, 2008
Managing AD from Windows XP with MMC 3.0
Purpose: manage AD, DHCP, DNS, WINS and so on from Windows XP without connecting to each server
Environment: Windows XP Professional SP3
Prerequisites: log in as Domain Administrator, or with an account that has Domain Admin rights
Steps:
1. Get a Windows 2003 Server CD and run ADMINPAK.MSI from the I386 directory on the CD
2. Start >> Run >> mmc
3. File >> Add/Remove Snap-in
4. Add the snap-ins you want, e.g. Active Directory Users and Computers, DHCP, DNS...
PS. Windows XP Professional SP2 needs one patch downloaded and installed before it has MMC 3.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=61FC1C66-06F2-463C-82A2-CF20902FFAE0&displaylang=en
Monday, July 7, 2008
Blocking a specific IP with an ACL on the core switch
Case: a host at the US headquarters kept opening large numbers of connections to the Taiwan branch database, overloading the production DB; the production line could not use ERP, and production and shipping across the whole plant came to a halt.
Immediate, temporary fix: block that specific IP on the core switch right away
Environment: the US headquarters comes in over an E1 leased line on core switch 4510 interface g7/32
Simple configuration:
4510(config)# access-list 10 deny 10.15.32.35
4510(config)# access-list 10 permit any
4510(config)# interface g7/32
4510(config-if)# ip access-group 10 in
After this, 10.15.32.35 is blocked and no other IP is affected.
ps. A core switch is not a firewall, so please don't use it as one; it puts a heavy load on the core switch. Once the problem is resolved, remove the ACL again to keep the core switch stable.
Wednesday, May 21, 2008
Enabling the FTP server built into Linux (gssftp)
# vi /etc/xinetd.d/gssftp
Change disable=yes to no, and remove the -a from server_args = -l -a (-a makes ftpd insist on Kerberos authentication; without it, ordinary username/password logins are accepted), as follows:
service ftp
{
    disable = no
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/kerberos/sbin/ftpd
    server_args = -l
    log_on_failure += USERID
}
Save and restart xinetd
# /etc/rc.d/init.d/xinetd restart
Friday, April 25, 2008
Snort installation steps
Purpose: Snort is an IDS; I installed it to detect abnormal behaviour inside the company network, whether it comes from hackers, viruses, trojans or users.
OS: Linux RedHat FC 8
Software: Snort v2.8.1 + Barnyard v0.2.0 + BASE v1.3.9
★Start the Apache service
# chkconfig httpd on
# service httpd start
Then open http://yourhostip/ in a browser
★Install the required packages
# yum -y install mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++ libpcap-devel php php-pear yum-utils
If you want to update every package on the system, run yum -y update; it's a lot.
★Create the installation folder
# cd /root
# mkdir snortinstall
# cd snortinstall
★Snort install
# wget http://snort.org/dl/current/snort-2.8.1.tar.gz
# tar -zxvf snort-2.8.1.tar.gz
# cd snort-2.8.1
# ./configure --with-mysql --enable-dynamicplugin
# make
# make install
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort
# cd /root/snortinstall/snort-2.8.1/etc/
# cp * /etc/snort
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
# cd /root/snortinstall
Go to http://www.snort.org and register
Once registered you can download: Sourcefire VRT Certified Rules (registered user release)
Click to download snortrules-snapshot-2.8.tar.gz
After downloading, transfer the file to /root/snortinstall on the Snort server
# tar -zxvf snortrules-snapshot-2.8.tar.gz
# cd /root/snortinstall/rules
# cp * /etc/snort/rules
# vi /etc/snort/snort.conf
Change the following:
var HOME_NET 10.0.0.0/8 (HOME_NET: the internal network)
var EXTERNAL_NET !$HOME_NET (EXTERNAL_NET: the external network; with this setting anything not internal is external)
var RULE_PATH /etc/snort/rules
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
Save
# cd /etc/rc.d/init.d
# wget http://internetsecurityguru.com/snortinit/snort
# chmod 755 snort
# chkconfig snort on
★Set up MySQL
# chkconfig mysqld on
# service mysqld start
# mysql
mysql> set password for root@localhost=password('snort');
mysql> create database snort;
mysql> grant insert,select on root.* to snort@localhost;
mysql> set password for snort@localhost=password('snort');
mysql> grant create,insert,select,delete,update on snort.* to snort@localhost;
mysql> grant create,insert,select,delete,update on snort.* to snort;
mysql> exit
★Barnyard install
# cd /root/snortinstall
# wget http://snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
# tar -zxvf barnyard-0.2.0.tar.gz
# cd barnyard-0.2.0
# ./configure --enable-mysql
# make
# make install
# cd /root/snortinstall/barnyard-0.2.0/etc/
# cp barnyard.conf /etc/snort
# vi /etc/snort/barnyard.conf
Change the following:
config daemon
config hostname: ATT1IDS
config interface: eth0
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password snort
output log_acid_db: mysql, database snort, server localhost, user root, password snort, detail full
Save, then start snort to test it
# snort -c /etc/snort/snort.conf
If it stops at "Not Using PCAP_FRAMES" and stays there, it is working; press Ctrl+C to stop it
# ls -l /var/log/snort
There should be two files, something like:
snort.alert.1209025984
snort.log.1209025984
# cd /etc/rc.d/init.d
# wget http://www.internetsecurityguru.com/barnyard
# chmod 755 barnyard
# chkconfig barnyard on
# service barnyard start
★BASE install
# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
# cd /root/snortinstall
# wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb504a.tgz
# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz
# cd /var/www
# tar -zxvf /root/snortinstall/adodb504a.tgz
# mv adodb5 adodb
# cd /var/www/html
# tar -zxvf /root/snortinstall/base-1.3.9.tar.gz
# mv base-1.3.9 base
# cd /var/www/html/base
# cp base_conf.php.dist base_conf.php
# vi base_conf.php
Change the following:
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "password_from_snort_conf";
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB
Save
# service snort start
Open https://YourHostIP/base in IE to test
Click the "setup page" link
Click the "Create BASE AG" button
If it succeeds you get a string of red success messages
Go to the "Main page" to check
Snort installation complete!
★Securing the BASE directory:
# mkdir /var/www/passwords
# /usr/bin/htpasswd -c /var/www/passwords/passwords admin
This creates an account named admin and prompts you for its password
# vi /etc/httpd/conf/httpd.conf
Find this block:
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
Add the following block for /var/www/html/base:
<Directory "/var/www/html/base">
    AuthType Basic
    AuthName "SnortIDS"
    AuthUserFile /var/www/passwords/passwords
    Require user admin
</Directory>
Save, then restart Apache
# service httpd restart
★Set up e-mail alarm notification (optional)
# vi /etc/aliases
Change the following (enter the administrator's mailbox):
# Person who should get root's mail
root: me@mydomain.com
Save and run newaliases
# newaliases
(vi /usr/share/logwatch/default.conf/logwatch.conf to change the reporting level of the mails)
★NTOP install (not yet tested)
# yum install ntop
★Two-NIC setup
sniffing interface: eth0
management interface: eth1
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
Change the following:
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0D:60:A8:9D:1D
ONBOOT=yes
TYPE=Ethernet
# vi /etc/sysconfig/network-scripts/ifcfg-eth1
Change the following:
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
HWADDR=00:04:75:83:fe:62
TYPE=Ethernet
HOSTNAME=ATT1IDS.att.amkor.com
IPADDR=10.1.1.50
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=yes
GATEWAY=10.1.1.254
IPV6INIT=no
Monday, April 21, 2008
Handling an IP conflict
The thing a network admin hates most is a user who sets a static IP by hand and collides with a DHCP client; such users naturally have to be tracked down and dealt with.
★Symptom of an IP conflict: the DHCP client's network connection works intermittently
(DHCP client MAC address: 00-11-25-4B-96-F8)
(DHCP client IP address: 10.1.1.99)
★How to confirm: check the core switch ARP table (mind the format, and use lowercase)
Core#show arp | include 10.1.1.99
Internet 10.1.1.99 7 0800.3712.f2ad ARPA Vlan36
The MAC recorded for that IP differs from the DHCP client's MAC, so the IP conflict is confirmed
★Helper: a MAC address lookup website will tell you which vendor made the NIC with that MAC, which helps guess the brand of the machine.
MAC address lookup (http://www.coffer.com/mac_find/)
★Finding it (the beast):
Step 1: start tracing from the core switch
Core>show mac-address-table address 0800.3712.f2ad
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
36 0800.3712.f2ad dynamic ip,ipx,other GigabitEthernet4/1
Step 2: the source is G4/1; check whether G4/1 leads to a network device:
Core>show cdp neighbors
SWITCH3524-2 Gig 4/1 129 T S WS-C3524-X Gig0/1
This tells us the source comes in from a 3524 on its G0/1
Step 3: connect to that 3524 and keep tracing the same way as steps 1-2, working downwards until the source is no longer a switch
Step 4: if your company tracks users by port you can identify it now; if not, go to the equipment room, find which wall-jack number that port is cabled to, use the cabling map to find the user's seat, and go warn them.
Step 5: if your wall-jack numbering is unreliable or nonexistent and there's no way to find it in the sea of cables in the equipment room, then... you can make them come to you: unplug the cable, shut the port down, or lock the port to a MAC, and they will come looking for you.
Step 6: once the conflict is resolved, the stale ARP entry stays in the core switch's ARP table for a while; to clear that wrong entry immediately:
Core#clear ip arp 10.1.1.99
(Be careful not to clear the entire ARP table on the core switch; that causes a momentary network-wide outage)
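The two lookups above, and step 4 of the traffic-tracing post at the top of this page, both come down to reading 'show arp' and 'show mac-address-table' output and matching a MAC against what you expected. The following is an added example, not the author's code: it parses pasted output of those two IOS commands, decides whether the IP is in conflict, and returns the port the offending MAC is learned on. The sample output is constructed from the lines shown in this post.

```python
"""Confirm an IP conflict from 'show arp' output and locate the offending MAC
in 'show mac-address-table' output. Added example, not from the original post;
the sample command output below is constructed from the post's own lines.
"""
import re

# constructed sample: what 'show arp | include 10.1.1.99' printed on the core switch
ARP_OUTPUT = """\
Internet  10.1.1.99               7   0800.3712.f2ad  ARPA   Vlan36
"""

# constructed sample: what 'show mac-address-table address 0800.3712.f2ad' printed
MAC_TABLE_OUTPUT = """\
 vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
   36  0800.3712.f2ad   dynamic ip,ipx,other           GigabitEthernet4/1
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)", re.M)

MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<protocols>\S+)\s+(?P<port>\S+)\s*$", re.M)


def normalize_mac(mac: str) -> str:
    """Turn '00-11-25-4B-96-F8' or '00:11:25:4b:96:f8' into IOS style 'xxxx.xxxx.xxxx'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_arp(output: str) -> dict:
    """Map IP -> (mac, interface) from 'show arp' output."""
    return {m["ip"]: (m["mac"], m["intf"]) for m in ARP_LINE.finditer(output)}


def parse_mac_table(output: str) -> dict:
    """Map MAC -> (vlan, port) from 'show mac-address-table' output; header lines don't match."""
    return {m["mac"]: (int(m["vlan"]), m["port"]) for m in MAC_LINE.finditer(output)}


def check_conflict(client_ip: str, client_mac: str, arp_output: str) -> dict:
    """Compare the MAC the switch holds for client_ip with the client's real MAC."""
    arp = parse_arp(arp_output)
    if client_ip not in arp:
        return {"status": "no-arp-entry", "ip": client_ip}
    seen_mac, intf = arp[client_ip]
    expected = normalize_mac(client_mac)
    if seen_mac == expected:
        return {"status": "ok", "ip": client_ip, "mac": seen_mac, "interface": intf}
    return {"status": "conflict", "ip": client_ip, "expected_mac": expected,
            "intruder_mac": seen_mac, "interface": intf}


def locate_mac(mac: str, mac_table_output: str):
    """Return (vlan, port) where the MAC is learned, or None if it is not in the table."""
    return parse_mac_table(mac_table_output).get(normalize_mac(mac))


if __name__ == "__main__":
    result = check_conflict("10.1.1.99", "00-11-25-4B-96-F8", ARP_OUTPUT)
    print(result)
    if result["status"] == "conflict":
        # next hop of the trace: if this port shows up in 'show cdp neighbors', repeat there
        print("learned on:", locate_mac(result["intruder_mac"], MAC_TABLE_OUTPUT))
```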
Tuesday, April 15, 2008
Ntop 3.3 installation steps
Why build Ntop: this tool monitors network traffic by IP address and TCP/UDP port, so you can quickly find where a network slowdown is coming from. It's an essential tool for a network administrator, and... it costs nothing.
Where to put it: wherever you want to see the packets; usually between the LAN and the Internet, or between branch offices. You can also mirror the traffic of any port on the core switch to it as needed, which is very convenient.
Version: Ntop 3.3
OS: Linux Fedora Core 8 (needs two NICs, monitor & management)
Installation steps:
(reference: http://forum.icst.org.tw/phpBB2/viewtopic.php?p=47187&sid=5c8f8f7004d72113238af02ee28657e5)
wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.2.27.tar.gz
# Don't use libtool-2.2.2.tar.gz; the ntop make will fail
wget http://ftp.gnu.org/gnu/libtool/libtool-1.5.tar.gz
wget http://ftp.gnu.org/gnu/automake/automake-1.9.6.tar.gz
wget http://ftp.gnu.org/gnu/autoconf/autoconf-2.62.tar.gz
# rrdtool needs libpcap-devel libpng-devel libart_lgpl-devel zlib-devel freetype-devel
# ntop needs libtool, automake, autoconf, gcc-c++, gdbm-devel; automake needs autoconf
yum -y install gcc gcc-c++ httpd gdbm-devel libpcap-devel libpng-devel libart_lgpl-devel zlib-devel freetype-devel
tar -zvxf rrdtool-1.2.27.tar.gz
cd rrdtool-1.2.27
./configure
make
make install
cd ..
ln -s /usr/local/rrdtool-1.2.27/bin/rrdtool /usr/local/bin/rrdtool
ln -s /usr/local/rrdtool-1.2.27 /usr/local/rrdtool
tar -zxvf libtool-1.5.tar.gz
cd libtool-1.5
./configure
make
make install
cd ..
tar -zxvf autoconf-2.62.tar.gz
cd autoconf-2.62
./configure
make
make install
cd ..
tar -zxvf automake-1.9.6.tar.gz
cd automake-1.9.6
./configure
make
make install
cd ..
tar -zxvf ntop-3.3.tar.gz
cd ntop-3.3
./autogen.sh
make
make install
mkdir /usr/local/var/ntop/rrd
service httpd restart
chkconfig httpd on
ntop -A
http://YourHostIP:3000/
You should see the ntop page
Then on the core switch (Cisco 4510) mirror the packets to the Ntop server's monitor port:
3/1 PROXY
3/2 Firewall
3/48 NTOP
monitor session 1 source interface Gi3/1 , Gi3/2
monitor session 1 destination interface Gi3/48
Tuesday, April 1, 2008
ASA firewall access rules for VPN clients
★Cisco IPSec VPN client:
Default IPSec/UDP:
UDP port 500
UDP port 4500
★PPTP (Point-to-Point Tunneling Protocol) VPN client:
TCP port 1723
IP protocol 47 (GRE)
Security Policy >> Service Policy Rules >> edit Global Policy >> Rule Actions >> Protocol Inspection >> tick PPTP and that's it
Monday, March 31, 2008
How to check EIGRP routing
>show ip route eigrp (shows the EIGRP routing table)
192.91.75.0/24 is variably subnetted, 2 subnets, 2 masks
D EX 192.91.75.0/26 [170/188672] via 10.185.200.2, 6d02h, Vlan200
## the route 192.91.75.0/26 was learned from 10.185.200.2
>show ip eigrp topology 192.91.75.0/26 (shows the EIGRP topology table for 192.91.75.0/26)
## one of the lines reads "Originating router is 135.42.63.2", meaning the route should have been originated by that router
Thursday, March 13, 2008
Configuring ntpd on AIX
#vi /etc/rc.tcpip (change it so ntp starts at boot)
start /usr/sbin/xntpd "$src_running" (remove the leading # and ntp will start at boot)
#vi /etc/ntp.conf
server 10.31.10.54 (add this line; the host will sync its clock from 10.31.10.54)
#startsrc -s xntpd (start xntpd by hand)
How to check the ntp version:
#ntpq
ntp> version
3.4 (means ntp version 3.4)
Logging users out after 300 seconds idle
#/usr/sbin/utmpd [interval] (the default interval is 300 seconds)
#vi /etc/inittab and add utmpd:2:respawn:/usr/sbin/utmpd
What to do when a filesystem won't umount
#fuser -u /dev/lv00 (shows which users and processes are using /dev/lv00)
#fuser -k /dev/lv00 (kills every user or process using /dev/lv00)
Checking system information on an AIX server
CPU: #lsdev -C | grep proc, then #lsattr -El proc0 (check proc0, proc1, proc2...)
Memory: #lscfg -vp | grep mem to see how many RAM modules there are, then #lsattr -El mem0 (check mem0, mem1, mem2...)
HDD: #lsdev -Cc disk (check disk number & type), #lsattr -El hdisk0 | grep size (check disk size)
OS: #oslevel -r
kernel: #uname -v
Machine type: #uname -i
NICs: #lsdev -Cc if, #lsdev -Cc adapter
PCI: #lsdev -Cc adapter
Devices: #lsdev -C | more
IO: #iostat
Hardware: #lscfg -vp
Installing the Windows Server 2003 Active Directory management tools on Windows XP
1. OS: Windows XP Professional SP2
2. Join the XP machine to the domain
3. Log in with an account that has Domain Admin rights
4. Insert the Windows Server 2003 CD and run "Adminpak.msi" from I386
5. The AD management tools then appear under Administrative Tools
6. You can also add the AD management tools through MMC
Tuesday, March 11, 2008
Using DOS commands to find and delete specific files
Sometimes a PC or server gets infected and an infected file is dropped into every folder; when there are hundreds of thousands of them, searching in Explorer, selecting all and deleting just hangs and never finishes. A few simple DOS commands do the job.
Save the following lines as a .bat or .cmd file and run it; it deletes every Virus.eml on C:, D: and E: (the pipe between echo and FOR is restored here; the blog stripped the symbol):
DIR /S/B C:\Virus.eml >> virus.txt
DIR /S/B D:\Virus.eml >> virus.txt
DIR /S/B E:\Virus.eml >> virus.txt
echo Y | FOR /F "tokens=1,* delims=: " %%j in (virus.txt) do del "%%j:%%k"
SNMP MIB OID reference
★Cisco CPU load:
☆Cisco IOS Software releases prior to 12.0(3)T
5-minute CPU average: avgBusy5 (.1.3.6.1.4.1.9.2.1.58)
1-minute CPU average: avgBusy1 (.1.3.6.1.4.1.9.2.1.57)
5-second CPU average: busyPer (.1.3.6.1.4.1.9.2.1.56)
☆Cisco IOS Software releases later than 12.0(3)T and prior to 12.2(3.5)
5-minute CPU average: cpmCPUTotal5min (.1.3.6.1.4.1.9.9.109.1.1.1.1.5)
1-minute CPU average: cpmCPUTotal1min (.1.3.6.1.4.1.9.9.109.1.1.1.1.4)
5-second CPU average: cpmCPUTotal5sec (.1.3.6.1.4.1.9.9.109.1.1.1.1.3)
☆Cisco IOS Software releases 12.2(3.5) or later
5-minute CPU average: cpmCPUTotal5minRev (.1.3.6.1.4.1.9.9.109.1.1.1.1.8)
1-minute CPU average: cpmCPUTotal1minRev (.1.3.6.1.4.1.9.9.109.1.1.1.1.7)
5-second CPU average: cpmCPUTotal5secRev (.1.3.6.1.4.1.9.9.109.1.1.1.1.6)
★Netscreen:
☆Netscreen 5200 CPU load: (.1.3.6.1.4.1.3224.16.1.2.0)
☆Netscreen concurrent sessions: (1.3.6.1.4.1.3224.16.3.2.0)
Sunday, March 9, 2008
Backing up Cisco running-config automatically
Server OS: Linux Server
Necessary Tools: TFTP, TCL (install TFTP and TCL on the Linux server)
Necessary Scripts: shell script, expect script
Three-part script concept: main script (backup.sh) --> reads the device list (list.txt) --> runs the TFTP interaction script (tftp.sh)
Once written, add it to a cron job and the backup runs automatically.
backup.sh (fill in the required parameters; the passwords are in cleartext, so be careful)
----------------------------------------------------------------------
#!/bin/sh
#filename: backup.sh
#purpose: Backup router & switch running-config
#Variable setting
TOPDIR=/angus/bkconfig
TFTPSERVER=10.10.1.32
TFTPDIR=/tftpboot
BACKUPDIR=/backup
TODAY=`date +%Y%m%d`
#USERNAME
USERNAME1=MISBK
#Password
PASSWORD1=12345
PASSWORD2=67890
#MAIN
# read the device list from TOPDIR so the script also works when cron runs it from another directory
exec 3<$TOPDIR/list.txt
while read LINE <&3 ; do
HOSTNAME=`echo $LINE|cut -d"," -f1`
HOSTIP=`echo $LINE|cut -d"," -f2`
# the TFTP server only writes into an existing, writable file
touch $TFTPDIR/$HOSTNAME.$TODAY
chmod 766 $TFTPDIR/$HOSTNAME.$TODAY
$TOPDIR/tftp.sh $HOSTNAME.$TODAY $HOSTIP $USERNAME1 $PASSWORD1 $PASSWORD2 $TFTPSERVER
# move the finished copy out of the TFTP directory into the backup store
mv $TFTPDIR/$HOSTNAME.$TODAY $BACKUPDIR/$HOSTNAME.$TODAY
done
list.txt (the device list, one "Hostname,IP" per line)
----------------------------------------------------------------------
HK-1F-COR2970-1,10.1.1.248
HK-1F-COR2970-2,10.1.1.247
HK-1F-COR3725-1,10.1.1.2
HK-1F-COR4507-1,10.1.1.253
HK-1F-COR4507-2,10.1.1.252
tftp.sh (simulates a user running the tftp copy command on the switch)
----------------------------------------------------------------------
#!/usr/local/bin/expect
#filename: tftp.sh
#purpose: telnet and tftp the running-config to TFTP server
set FILENAME [lindex $argv 0]
set HOSTIP [lindex $argv 1]
set USERNAME [lindex $argv 2]
set PASSWORD [lindex $argv 3]
set ENPASSWORD [lindex $argv 4]
set TFTPSERVER [lindex $argv 5]
log_user 0
#telnet
spawn /usr/kerberos/bin/telnet $HOSTIP
#Interact
expect "Username:"
send "$USERNAME\r"
expect "Password:"
send "$PASSWORD\r"
expect ">"
send "enable\r"
expect "Password:"
send "$ENPASSWORD\r"
expect "#"
send "copy running-config tftp\r"
expect "]"
send "$TFTPSERVER\r"
expect "]"
send "$FILENAME\r"
expect "#"
send "exit\r"
expect eof
#end
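Once the cron job has been running for a while, the next thing you want from these backups is to know when a running-config changed between two days. The following is an added example, not part of the original post: it reads the HOSTNAME.YYYYMMDD files backup.sh leaves in BACKUPDIR, compares the two newest copies per device, and reports the difference while ignoring lines Cisco rewrites on every copy. BACKUP_DIR is an assumption matching the post's BACKUPDIR=/backup; the configs in the test are constructed.

```python
"""Compare the two most recent running-config backups of each device.

Added example, not from the original post. Files are expected to be named
HOSTNAME.YYYYMMDD as backup.sh above produces; BACKUP_DIR is an assumption
matching BACKUPDIR=/backup in that script.
"""
import difflib
import os
import re
from collections import defaultdict

BACKUP_DIR = "/backup"   # assumption: BACKUPDIR from backup.sh

FILENAME = re.compile(r"^(?P<host>.+)\.(?P<date>\d{8})$")

# lines that change on every 'copy running-config' without a real config change
VOLATILE = (
    re.compile(r"^! Last configuration change"),
    re.compile(r"^! NVRAM config last updated"),
    re.compile(r"^ntp clock-period "),
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration"),
)


def group_backups(filenames):
    """Map host -> sorted list of dates (YYYYMMDD sorts correctly as text)."""
    groups = defaultdict(list)
    for name in filenames:
        m = FILENAME.match(name)
        if m:
            groups[m["host"]].append(m["date"])
    return {host: sorted(dates) for host, dates in groups.items()}


def latest_pair(dates):
    """Return (older, newer) for the two most recent backups, or None if fewer than two."""
    return (dates[-2], dates[-1]) if len(dates) >= 2 else None


def clean_config(text: str) -> list:
    """Drop volatile lines and trailing whitespace so only real changes show up."""
    lines = []
    for line in text.splitlines():
        line = line.rstrip()
        if any(p.match(line) for p in VOLATILE):
            continue
        lines.append(line)
    return lines


def config_diff(old_text: str, new_text: str, label: str = "config") -> list:
    """Unified diff (list of lines) between two cleaned configs; empty if identical."""
    return list(difflib.unified_diff(
        clean_config(old_text), clean_config(new_text),
        fromfile=f"{label}.old", tofile=f"{label}.new", lineterm="", n=2))


def changed_hosts(backup_dir: str) -> dict:
    """Host -> diff lines for every host whose two latest backups differ."""
    report = {}
    for host, dates in group_backups(os.listdir(backup_dir)).items():
        pair = latest_pair(dates)
        if pair is None:
            continue
        with open(os.path.join(backup_dir, f"{host}.{pair[0]}")) as f:
            old = f.read()
        with open(os.path.join(backup_dir, f"{host}.{pair[1]}")) as f:
            new = f.read()
        diff = config_diff(old, new, host)
        if diff:
            report[host] = diff
    return report


if __name__ == "__main__":
    for host, diff in changed_hosts(BACKUP_DIR).items():
        print(f"=== {host} changed ===")
        print("\n".join(diff))
```

Run it from the same cron job right after backup.sh and mail the output; an unexpected change to a line such as "transport input" or an access-list is worth a look the same day.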