Directly on an ESX Host: If you have a stand-alone ESX Server running version 8.x, Log in via the web console > Select ‘Host’ > Actions > Services > Enable Secure Shell (SSH).
Via vSphere/vCenter: If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacentres’ view > Select the Host > Configure > Services > Locate SSH > Start.
Enable SSH Permanently: Some people don’t want this enabled for security reasons, and in production that makes sense, but on my test network I always have SSH enabled. from the same screen as above with SSH selected > Edit Start-up Policy > Select ‘Start an stop with host” > OK.
VMware Enable SSH 6.5
If you have a stand-alone ESX Server running version 6.5, it’s a lot easier to enable ESX access. Select ‘Host’ > Actions > Service > Enable Secure Shell (SSH). Note: You can also enable the direct console access here.
If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacenters’ view > Select the Host > Configure > Security Profile > Scroll down to ‘Services’ > Edit.
Locate ‘SSH > Start > OK.
Once enabled you will see the following warning on the hosts summary page, however, in version 6.5 you can suppress this error.
VMware Enable SSH ESX 5
ESX 5 has a built in firewall, which can have SSH opened in the VI clients, or just as with version 4.1.0 you can enable SSH Locally from the console from troubleshooting options.
Enable Remotely
1. Log into the host with the VI client > Select the host > Configuration > Security Profile > Properties.
2. Locate SSH Server > Tick it > Options > You can either manually start it or set it to start automatically.
3. You will see the following warning to “retrieve” the firewall settings (because you have just changed them) > Select Yes.
Note: Having it running will still cause the “Configuration Issues – SSH for the host has been enabled” nag screen on the summary tab of the host.
VMware Enable SSH ESX 4.0.1
Starting with version 4.0.1 you can enable SSH access from the server console.
1. Go to the normal ESX console > Press F2 > Log in >Troubleshooting Options.
2. Select “Enable Remote Tech support” toggle on and off with {enter} if you want to SSH in the server remotely using PuTTy for example > If you want to log on directly at the console choose “Enable Local Tech Support”.
3. Note: Having it running will still cause the “Configuration Issues – Remote Tech support Mode (SSH) for the host {hostname} has been enabled” nag screen on the summary tab of the host.
Grant SSH Access to ESX 4.0.0 and earlier
1. Go to the normal ESXi console.
2. Press ALT+F1 > the screen will change > Type unsupported {enter} > Note: Nothing will appear on the screen till you hit {enter} > Type in the root password and press {enter}.
3. You now need to edit a config file, the only editor we have is vi (sorry) issue the following command,
[box]vi /etc/inetd.conf[/box]
4. The vi editor will open the file, use the arrow keys to move down to the line that says,
[box]#ssh stream tcp nowait root…[/box]
Press I on the keyboard (that puts the vi editor into insert mode) and delete the hash “#” mark from the beginning of the line.
5 Then, to save the changes press {Esc} > type in :wq {Enter} (that’s write the changes and quit if you’re interested).
6. Enter the following command.
[box]
cat /var/run/inetd.pid
[/box]
It will provide you with a number, (in the example below its 4983, yours will be different).
7. Issue the following command.
[box]
kill -HUP {the number you got from above}
[/box]
8. To get back to the usual ESXi screen and exit command line press ALT+F2.
9. You can now connect with an SSH client like Putty.
Related Articles, References, Credits, or External Links
Recently I was building a lab for testing load balancing, and needed some web servers, I could have built three Windows servers, but I wanted to run them in EVE-NG, so they had to be as light as I could make them. I chose TinyCore Linux, (I know there are smaller options, but it’s light enough for me to run, and work with).
The problem occurs when you reboot the TinyCore host, it (by default) reverts back to its vanilla state, (that’s not strictly true, a couple of folders are persistent).
So I had to build a server that would let me SFTP some web content into it and allow me to reboot it without losing the web content, settings, and IP address.
Step 1: Configure TinyCore IP & Web Server
This is a two step procedure, firstly I’m going to give it a static IP.
cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start
[/box]
Now create a basic web page, (index.html) which you can update later. Setup the website, then copy that file to a location that will be persistent (you will see why later).
[box]
cd /usr/local/httpd/bin
sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
sudo vi index.html {ENTER SOME TEXT TO TEST, AND SAVE}
sudo mkdir /mnt/sda1/wwwsite/
sudo cp /usr/local/httpd/bin/index.html /mnt/sda1/wwwsite/index.html
[/box]
At this point, (if you want) you can use your favourite SFTP client, (I recommend FileZilla or WinSCP) and copy in some live web content to /mnt/sda1/wwwsite/ But ensure the home/landing page is still index.html though!
Step 2: Make TinyCore Settings ‘Persistent’
There may be better ways to do this, this just worked for me, and made sense! There’s a shell script that is executed as the TinyCore machine boots (bootlocal.sh) so if you edit that file and put in the commands to configure the IP, copy the website files from the permanent mount folder, start the web server, then start SSH and TFTP, you end up with a server doing what you want, every time the server boots.
[box]
sudo vi /opt/bootlocal.sh
ADD THE FOLLOWING TO THE BOTTOM OF THE FILE;
sudo ifconfig eth0 192.168.100.110 netmask 255.255.255.0
sudo route add default gw 192.168.100.1
cp /mnt/sda1/wwwsite/index.html /usr/local/httpd/bin/index.html
cd /usr/local/httpd/bin/
Sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start
[/box]
Save and exit the file, then finally BACKUP THE CHANGES with the following command;
[box]
filetool.sh -b
[/box]
Related Articles, References, Credits, or External Links
I was doing some site tidying this week, usually If I don’t know what something is I leave it alone, but I was on a mission! I had a bunch of files/folders in the root of my website, that, a) I didn’t know what they were doing, and b) wanted to delete.
As it turns out these folders are needed for FrontPage and FrontPage Extensions. I CAN simply delete them, but since my web host provides me with cPanel access to the website, I can simply disable the extensions there, and this removes all the junk for me. (I don’t intend to use FrontPage).
A while back I uploaded a run through on how to deploy GRE tunnels and protect those tunnels with IPsec. That point-to-point GRE tunnel is a good solution, but if you have a lot of sites it’s not a solution that scales very well. Yes you can have 2147483647 tunnel interfaces, but good luck manually configuring all those tunnels and even if you did, if you want each of your remote sites to talk to each other you have all those tunnels to configure as well.
To address that we have DMVPN, rather than a point-to-point GRE tunnel it uses multipoint GRE that can have more than two endpoints. In fact it acts like a ‘network overlay’ that joins all the sites together. It is typically deployed in a hub-and-spoke configuration where one router (the hub) sits at the center and each remote site (spoke) joins the multipoint GRE, tunnels back to the hub. The magic part is, if one spoke needs to speak to another spoke, this is done by building a dynamic tunnel between them ‘on the fly’.
Below is the the network topology I’m going to use;
I have a main site that will be the ‘Hub Site’ and at that site MainSiteRTR will be the NHS router. The remaining three hub sites will act as ‘spokes’, so my ‘network overlay’ will be 192.168.1.0/24.
Solution
Configure DMVPN Hub (NHS) Router
Before I start, all the sites are pre-configured as per figure1 above, all the routers can see each other via EIGRP.
1. To begin the setup looks very much like a standard GRE tunnel, but we define a source but no destination (we don’t need to, because we specify tunnel mode gre multipoint). There are two commands for the NHRP setup, ‘ip nhrp map multicast dynamic‘ lets EIGRP information propagate to the ‘spokes’. And ‘ip nhrp network-id 1’ creates a group ID for the DMVPN group. All the spokes will need to share this ID to form tunnels with this NHS Router.<.p>
[box]
MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#interface Tunnel0
MainSiteRTR(config-if)# ip address 192.168.0.1 255.255.255.0
MainSiteRTR(config-if)# ip nhrp map multicast dynamic
MainSiteRTR(config-if)# ip nhrp network-id 1
MainSiteRTR(config-if)# tunnel source 1.1.1.1
MainSiteRTR(config-if)# tunnel mode gre multipoint
*Mar 1 00:02:31.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
MainSiteRTR(config-if)#exit
*Mar 1 00:02:41.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
MainSiteRTR(config)#
[/box]
Configure the Branch ‘Spoke’ Routers
2. There are a few differences here, first ‘ip nhrp map 192.168.0.1 1.1.1.1’ tells the branch router to map the 192.168.0.2 private IPpermanently to the 1.1.1.1 public address. ‘ip nhrp map multicast 1.1.1.1’ tells the router to relay ALL its multicast traffic back to the hub router. ‘ip nhrp nhs 192.168.0.1’ tells the spoke router where the hub router is.
[box]
Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#interface Tunnel0
Branch1(config-if)# ip address 192.168.0.2 255.255.255.0
Branch1(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch1(config-if)# ip nhrp map multicast 1.1.1.1
Branch1(config-if)# ip nhrp network-id 1
Branch1(config-if)# ip nhrp nhs 192.168.0.1
Branch1(config-if)# tunnel source 2.2.2.1
Branch1(config-if)# tunnel mode gre multipoint
*Mar 1 00:07:28.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch1(config-if)#exit
*Mar 1 00:07:38.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch1(config)#
[/box]
3. Then configure each branch router the same, (apart from the tunnel source and the endpoint IP).
[box]
Branch 2 Router Config
Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#interface Tunnel0
Branch2(config-if)# ip address 192.168.0.3 255.255.255.0
Branch2(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch2(config-if)# ip nhrp map multicast 1.1.1.1
Branch2(config-if)# ip nhrp network-id 1
Branch2(config-if)# ip nhrp nhs 192.168.0.1
Branch2(config-if)# tunnel source 3.3.3.1
Branch2(config-if)# tunnel mode gre multipoint
Branch2(config-if)# exit
*Mar 1 00:09:32.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch2(config)#
Branch 3 Router Config
Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#interface Tunnel0
Branch3(config-if)# ip address 192.168.0.4 255.255.255.0
Branch3(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch3(config-if)# ip nhrp map multicast 1.1.1.1
Branch3(config-if)# ip nhrp network-id 1
Branch3(config-if)# ip nhrp nhs 192.168.0.1
Branch3(config-if)# tunnel source 4.4.4.1
Branch3(config-if)# tunnel mode gre multipoint
Branch3(config-if)# exit
*Mar 1 00:11:05.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch3(config)#
*Mar 1 00:11:15.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch3(config)#
[/box]
Verifying and Testing the DMVPN Setup
4. On the main site;
[box]
MainSiteRTR#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Hub, NHRP Peers:3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 2.2.2.1 192.168.0.2 UP never D
1 3.3.3.1 192.168.0.3 UP never D
1 4.4.4.1 192.168.0.4 UP never D
[/box]
5. On a branch site (Note: There is only one tunnel to the Main Site);
[box]
Branch1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 1.1.1.1 192.168.0.1 UP 00:08:24 S
[/box]
6. But if from the same branch site you ping another branch site, it will dynamically build a tunnel to that site also. (Note: The S denotes static, and the D denotes dynamic).
[box]
Branch1#ping 192.168.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/60/108 ms
Branch1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel0, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 1.1.1.1 192.168.0.1 UP 00:08:52 S
1 4.4.4.1 192.168.0.4 UP never D
[/box]
Protect and Encrypt the Tunnel(s) with IPSEC
7. BE AWARE the traffic traveling over these tunnels is still being sent in cleartext, it’s simply been ‘encapsulated’ with GRE. To rectify that we can protect the tunnels with IPSEC.
[box]
MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#crypto isakmp policy 10
MainSiteRTR(config-isakmp)# authentication pre-share
MainSiteRTR(config-isakmp)# encryption aes
MainSiteRTR(config-isakmp)# group 2
MainSiteRTR(config-isakmp)# hash sha
MainSiteRTR(config-isakmp)# crypto isakmp key Sh@reds3cret address 2.2.2.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 3.3.3.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 4.4.4.1
MainSiteRTR(config)# crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
MainSiteRTR(cfg-crypto-trans)# crypto ipsec profile PF-PNL
MainSiteRTR(ipsec-profile)# set transform-set TFS-PNL
MainSiteRTR(ipsec-profile)# interface Tunnel0
MainSiteRTR(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:25:34.055: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
MainSiteRTR(config-if)# exit
MainSiteRTR(config)#
[/box]
8. Then simply repeat on the branch routers, the only difference is the peer addresses.
[box]
Branch 1 Router Config
Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)# authentication pre-share
Branch1(config-isakmp)# encryption aes
Branch1(config-isakmp)# group 2
Branch1(config-isakmp)# hash sha
Branch1(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch1(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch1(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch1(ipsec-profile)# set transform-set TFS-PNL
Branch1(ipsec-profile)#interface Tunnel0
Branch1(config-if)# tunnel protection ipsec profile PF-PNL
Branch1(config-if)#exit
Branch1(config)#
*Mar 1 00:36:47.179: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch1(config)#
Branch 2 Router Config
Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#crypto isakmp policy 10
Branch2(config-isakmp)# authentication pre-share
Branch2(config-isakmp)# encryption aes
Branch2(config-isakmp)# group 2
Branch2(config-isakmp)# hash sha
Branch2(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch2(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch2(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch2(ipsec-profile)# set transform-set TFS-PNL
Branch2(ipsec-profile)#interface Tunnel0
Branch2(config-if)# tunnel protection ipsec profile PF-PNL
Branch2(config-if)#exit
Branch2(config)#
*Mar 1 00:37:57.239: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch2(config)#
Branch 3 Router Config
Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#crypto isakmp policy 10
Branch3(config-isakmp)# authentication pre-share
Branch3(config-isakmp)# encryption aes
Branch3(config-isakmp)# group 2
Branch3(config-isakmp)# hash sha
Branch3(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch3(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch3(ipsec-profile)# set transform-set TFS-PNL
Branch3(ipsec-profile)#interface Tunnel0
Branch3(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:39:10.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch3(config-if)#exit
[/box]
9. To test re-establish the tunnels, and this time you can see they are protected;
[box]
MainSiteRTR#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 3.3.3.1 QM_IDLE 1002 0 ACTIVE
1.1.1.1 4.4.4.1 QM_IDLE 1003 0 ACTIVE
1.1.1.1 2.2.2.1 QM_IDLE 1001 0 ACTIVE
Cisco ISE arms itself with a self generated certificate out of the box, (well the NFR appliance does anyway). To replace that cert with one signed by your own CA, this is the procedure. (Note: I’m using Microsoft Certificate Services on Server 2012 R2).
Solution
Step 1: Import the CA Certificate into ISE
Note: If you have a lot issuing servers it’s a good idea the repeat this procedure for EVERY issuing server you have in your PKI environment. Assuming you have an off-line root that would be every SubCA (to use Microsoft terminology). On my test network I only have one so that’s not a problem.
1. Connect to the web enrollment portal of your Certificate services folder > Download a CA Certificate, certificate chain, or CRL.
9. Again save it somewhere you can find it easily.
10. Open the PEM file you just created, and copy all the text to the clipboard.
11. Back at you web enrollment portal > Request a certificate.
12. Advanced certificate request.
13. Submit a certificate request by using…
14. Paste in your copied text (make sure no spaces get added to the end, this usually happens, be careful) > Set the template to Web Server (of your own template, if you are not using the default one) > Submit.
15. Select DER encoded > Download certificate > Save it with a name that is recognizable as the ISE appliance.
16. On the ISE web portal > Local Certificates > Add > Bind CA Signed Certificate.
17. Browse to the new cert > Select EAP and HTTPS > Submit.
18. Now remember to connect to the ISE appliance using its FQDN (you did remember to create a record in DNS for it didn’t you?)
At this point if you get an error either the URL is wrong, or you didn’t create a DNS record, or the machine you are on does not trust your issuing servers root certificate.</p?
Related Articles, References, Credits, or External Links
I’m fortunate enough that VMware gave me a free copy of VMware Workstation, but there’s nothing to stop you carrying out this procedure with the FREE VMware player.
BackTrack Linux is an operating system that is primarily used for security auditing, and penetration testing. I’m going to be playing with it a bit in the coming weeks, so I thought I’d at least document how to get it running.
Note: There is a bootable CD version available, if you would prefer to use that instead.
Solution
1. Head over to BackTrack and download your virtual machine files.
2. Once downloaded, extract the files to a folder on your computer.
3. Make sure the files have extracted.
4. From within VMware Workstation, File > Open.
5. Navigate to the .vmx file that’s in the files you extracted earlier > Open.
6. After a few seconds you should be able to power on the virtual machine.
7. Always select “I moved it” UNLESS you are going to run more than one, then choose “I Copied it”.
8. The default username is root and the default password is toor. You will then need to execute a startx command to bring up the GUI interface.
9. Job done, enjoy!
Related Articles, References, Credits, or External Links