We had to enable SNMP on a XenServer today. I’d never even logged onto one, but it turns out that, much like ESX, it’s just a Linux server. At least the good folk at Citrix included nano on there, so I didn’t have to struggle with the vi editor!
Solution
First, from the web console, ensure that SSH access is enabled: Remote Services Configuration > Enable/Disable Remote Shell.
SSH into the host and execute the following commands to start the SNMP daemon, take a backup of the config file, and finally edit the ‘live’ config file.
You can delete EVERYTHING (at the beginning of the file press CTRL+6 to set the mark, then press ALT+Shift+T (or ALT+T) to cut the text away). Then type in;
[box]
rocommunity {SNMP-String} {IP address or range with /{bits}}
i.e.
rocommunity public 192.168.1.0/24
[/box]
Save and Exit (CTRL+X > ‘Y’ > {Enter}). Now you need to edit the firewall on the host (iptables) to allow the IP addresses of your SNMP collector(s).
[box]
nano /etc/sysconfig/iptables
[/box]
At the bottom (usually) you will see a deny for ICMP; put an entry for each collector BEFORE that in the following format;
Save and Exit (CTRL+X > ‘Y’ > {Enter}). Then restart iptables and the SNMP daemon.
[box]
service iptables restart
service snmpd restart
[/box]
If you are polling it through a firewall you can test it locally using this piece of freeware. (I use this to test, but remember to add the local IP you are testing from to the snmpd config and to iptables!)
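The ‘rocommunity {SNMP-String} {IP address or range}’ line above is the whole access control for SNMP v1/v2c, so it is worth checking that every community line actually carries a source restriction. This is an added example, not code from the article: a small audit of an snmpd.conf that flags a missing or all-matching source, a read-write community, and the well-known ‘public’/‘private’ strings. The sample config is constructed.

```python
# Added example (not from the original article): audit an snmpd.conf for
# community lines whose source restriction is missing or too broad. The
# article's line format is: rocommunity {SNMP-String} {IP address or range}.
import ipaddress

DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")
WELL_KNOWN = {"public", "private"}

def audit_snmpd_conf(text):
    """Return [(line_no, finding), ...] for community lines worth fixing."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()        # drop comments, tokenize
        if not parts or parts[0].lower() not in DIRECTIVES:
            continue
        if len(parts) < 2:
            findings.append((n, "community string missing"))
            continue
        directive, community = parts[0].lower(), parts[1]
        source = parts[2] if len(parts) > 2 else "default"   # snmpd default = any host
        if source == "-V":                          # a view with no source given
            source = "default"
        if directive.startswith("rw"):
            findings.append((n, "read-write community exposed"))
        if community.lower() in WELL_KNOWN:
            findings.append((n, "well-known community string '%s'" % community))
        if source == "default":
            findings.append((n, "no source restriction: any host may poll"))
            continue
        try:
            if ipaddress.ip_network(source, strict=False).prefixlen == 0:
                findings.append((n, "source %s matches every address" % source))
        except ValueError:
            # snmpd also accepts hostnames; they cannot be size-checked here
            findings.append((n, "source '%s' is not a CIDR; verify it" % source))
    return findings

# Constructed sample: the article's form of line first, then two bad ones
SAMPLE_SNMPD_CONF = """\
# collector on the management LAN, restricted as the article does
rocommunity monitor 192.168.1.0/24
rocommunity public
rwcommunity private 0.0.0.0/0
"""
```

Run it against the real file with `audit_snmpd_conf(open("/etc/snmp/snmpd.conf").read())`; an empty list means every community line is restricted to a specific range.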
Related Articles, References, Credits, or External Links
While moving my DNS records from my old hosting company, I finally got round to pointing my domain name server records at my own server. I then saw my web traffic nose dive! Some troubleshooting steps later I realised I could not connect to my server on TCP port 53 (use an online port scanner to test yours).
Solution
Allow Access to DNS BIND From Remote Clients
1. Firstly let’s make sure that the firewall is not blocking DNS (Note: I’m using iptables).
[box]iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
service iptables save
service iptables restart[/box]
2. Still mine refused to work! I had to edit the named.conf file.
[box] nano /etc/named.conf[/box]
3. Mine was set to only respond to 127.0.0.1, and only return localhost.
I was a little perturbed to find out the firewall on my CentOS web server was wide open today. My server setup notes yielded no clues, so it was time to put my ‘Linux Head’ on and fix it.
Solution
1. Connect to the server via console or SSH. As I’m going to change the iptables config file, let’s back it up (always assume you are going to smash something!)
2. I have a VPS, so I’m usually logged on via SSH. To avoid locking myself out I’m going to change the default policy to allow (yes, in my current scenario that’s a moot point, but it’s good practice). Then I can flush the current rules without kicking myself out.
[box]iptables -P INPUT ACCEPT
iptables -F[/box]
3. Then allow packets destined to Loopback (127.0.0.1), some processes on the server rely on this, and expect it to be open.
[box] iptables -A INPUT -i lo -j ACCEPT [/box]
4. Allow packets that were not initiated by the server, but are already established or related to an established connection.
[box] iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT[/box]
5. Allow in the ports you require (your requirements may differ).
[box]iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 12345 -j ACCEPT[/box]
6. To allow your server to respond to pings (if required);
[box]iptables -A INPUT -p icmp -j ACCEPT
[/box]
7. Drop all other traffic, and set the forwarding table to also drop all traffic. Then I’m going to allow all outbound ports from the server.
[box]iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT[/box]
8. TEST EVERYTHING! Then save the changes, to make them persistent.
[box] /sbin/service iptables save[/box]
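Step 8 says TEST EVERYTHING; one part of that is checking the saved ruleset has the shape steps 3 to 7 build (loopback and ESTABLISHED,RELATED accepted, only explicit ports open, INPUT and FORWARD policies DROP, and SSH still allowed before the policy flips to DROP). This is an added example, not code from the article: it audits a listing in the form `iptables -S` prints. Both listings are constructed.

```python
# Added example (not from the original article): sanity-check a ruleset in the
# form printed by `iptables -S` against what the article's steps produce:
# loopback and ESTABLISHED,RELATED accepted, explicit port allowances, and
# default policies INPUT DROP / FORWARD DROP, with SSH still reachable.
import re
PORT_RULE = re.compile(r"^-A INPUT -p (tcp|udp) .*--dport (\d+) -j ACCEPT$")
STATE_RULE = re.compile(r"^-A INPUT -m (?:state --state|conntrack --ctstate) (\S+) -j ACCEPT$")

def audit_ruleset(rules_text):
    """Return (problems, open_ports) for an `iptables -S` style listing."""
    problems, open_ports, policies = [], [], {}
    seen_lo = seen_state = False
    for raw in rules_text.splitlines():
        line = raw.strip()
        if line.startswith("-P "):                  # chain default policy
            _, chain, target = line.split()
            policies[chain] = target
        elif line == "-A INPUT -i lo -j ACCEPT":    # article step 3
            seen_lo = True
        elif STATE_RULE.match(line):                # article step 4
            states = set(STATE_RULE.match(line).group(1).split(","))
            # iptables may print the states in either order, so compare as a set
            seen_state = seen_state or {"ESTABLISHED", "RELATED"} <= states
        elif PORT_RULE.match(line):                 # article step 5
            proto, port = PORT_RULE.match(line).groups()
            open_ports.append((proto, int(port)))
    if not seen_lo:
        problems.append("loopback (-i lo) not accepted; local services may break")
    if not seen_state:
        problems.append("no ESTABLISHED,RELATED rule; replies to outbound traffic are dropped")
    for chain in ("INPUT", "FORWARD"):              # article step 7
        if policies.get(chain) != "DROP":
            problems.append("%s policy is %s, expected DROP" % (chain, policies.get(chain, "unset")))
    if policies.get("INPUT") == "DROP" and ("tcp", 22) not in open_ports:
        problems.append("INPUT DROP without a tcp/22 rule: SSH lockout")
    return problems, open_ports

# Constructed listing matching the article's final ruleset (port list trimmed)
HARDENED = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
"""
# Constructed listing for the 'wide open' state the article starts from
WIDE_OPEN = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
```

On a live host feed it the output of `iptables -S INPUT` plus the policy lines from `iptables -S`; an empty problems list and the expected port list is the state you want to save.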
Show iptables Settings
[box] iptables -L -v[/box]
Start/Stop and Restart the iptables Service
[box]service iptables stop
service iptables start
service iptables restart[/box]
I needed to back up a Cisco firewall, and perform an upgrade remotely, despite my best efforts to use the ASDM and update via http, I had to go ‘old school’ and bring up a TFTP server on one of my CentOS Linux servers.
Solution
1. Log onto the server and install the xinetd TFTP Server. Execute the following command and follow the on-screen prompts.
[box]Using username “root”.
Last login: Thu Aug 7 17:58:10 2014 from midd-8.cable.virginm.net
[root@Web-Test ~]# yum install tftp tftp-server xinetd[/box]
2. Now you need to edit the config file. Here I’m using nano, but you could use vi as well.
[box]
# default: off
# description: The tftp server serves files using the trivial file transfer
# protocol. The tftp protocol is often used to boot diskless
# workstations, download configuration files to network-aware printers,
# and to start the installation process for some operating systems.
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /var/lib/tftpboot
disable = yes
per_source = 11
cps = 100 2
flags = IPv4
}
[/box]
4. Edit the file and save it, so it looks like this;
[box]
# default: off
# description: The tftp server serves files using the trivial file transfer
# protocol. The tftp protocol is often used to boot diskless
# workstations, download configuration files to network-aware printers,
# and to start the installation process for some operating systems.
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -c -s /var/lib/tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}
[/box]
Note: if you run SELinux you may also need to execute the following command: ‘setsebool -P tftp_anon_write 1’.
WARNING: This enables anonymous access to the TFTP root folder. If your server is public facing and not firewalled, then I would suggest you do what I do: stop and start the service manually, and only open the firewall for TFTP when you need to use it (see below).
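The edit above changes two things that matter: ‘disable = no’ turns the service on, and the added ‘-c’ in server_args lets any client create new files in /var/lib/tftpboot (which is what the warning is about). This is an added example, not code from the article: a parser for an xinetd service stanza plus a check that reports exactly that exposure. The stanza text is a constructed, trimmed copy of the edited file.

```python
# Added example (not from the original article): parse an xinetd service stanza
# like the article's tftp one and report the exposure the WARNING describes:
# the service enabled (disable = no) with in.tftpd's -c flag, which lets
# unauthenticated clients create files in the TFTP root.
import shlex

def parse_xinetd_stanza(text):
    """Return (service_name, {attribute: value}) for one `service name { ... }` block."""
    name, attrs, inside = None, {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # xinetd comments start with #
        if not line:
            continue
        if line.startswith("service ") and not inside:
            name = line.split(None, 1)[1]
        elif line == "{":
            inside = True
        elif line == "}":
            break
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return name, attrs

def assess_tftp(attrs):
    """List what an enabled tftp stanza exposes; empty list means disabled."""
    if attrs.get("disable", "no").lower() != "no":   # absent 'disable' = enabled
        return []
    args = shlex.split(attrs.get("server_args", ""))
    findings = ["tftp enabled on udp/69 (open the firewall only while in use)"]
    if "-c" in args or "--create" in args:
        findings.append("anonymous upload: clients may create new files in the TFTP root")
    if "-s" not in args and "--secure" not in args:
        findings.append("no -s/--secure: paths are not confined to the TFTP root")
    if attrs.get("user") == "root":
        findings.append("in.tftpd runs as root")
    return findings

# Constructed, trimmed copy of the article's edited /etc/xinetd.d/tftp (path assumed)
EDITED_STANZA = """\
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -c -s /var/lib/tftpboot
disable = no
}
"""
```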
6. If you use iptables as a firewall, you will need to open the TFTP port (UDP Port 69).
10. I could SSH into the server and change to the /var/lib/tftpboot directory and see the file. But I’ve got WinSCP installed so I can view the backup with that.
11. Let’s see if we can copy a file off the TFTP server back to the firewall.
[box]
Petes-ASA# copy tftp flash
Address or name of remote host []? 123.123.123.123