SSH using public key authentication to IOS

23 Monday Jan 2017

Tags

ip domain-name router.fakrul.com
!
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!
username fakrul privilege 15 secret R@nDomp@$$worD!
!
ip ssh pubkey-chain
 username fakrul
 key-string
 ! copy the entire public key as appears in the cat id_rsa.pub including the ssh-rsa and username@hostname.
 exit
 exit
!
ip ssh server algorithm authentication publickey !enable key based authentication only
!
line vty 0 4
transport input ssh
privilege level 15

Install Cisco IOS XRv in GNS3

09 Friday Dec 2016

Posted by fakrul in My Work, Uncategorized

≈ Leave a comment

Tags

cisco, gns3, ios xrv, Virtual Box, virtualization

Software / Application:

VirtualBox (https://www.virtualbox.org/)
GNS3 (https://www.gns3.com/)

We also need Cisco IOS XRv Router image. For lab we use iosxrv-demo-6.0.0.vmdk which is free to use. The only limitation is it has AAA hardcoded users & rate limit of 2 Mbps. For full features please check the following link:

http://www.cisco.com/en/US/docs/ios_xr_sw/ios_xrv/install_config/b_xrvr_432_chapter_01.html

To download the image please visit https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=Cisco-IOS-XRv. You need Cisco CCO account.

STEP 1: IOS XRV WORKING ON VIRTUALBOX

1. Create a new VM

v-1

2. For the VM please choose:

Name: xrv-1
Type: Other
Version: Other/Unknown (64-bit)

Continue reading →

Sign expiring zone (DNSSEC)

14 Monday Nov 2016

Posted by fakrul in My Work

≈ Leave a comment

Tags

DNSSEC

Following script will check the expiry of RRSIG and if it’s expiring within 7 days; it will sign your zone again.

#!/bin/bash

declare -i expire_date declare -i currert_date declare -i d1 declare -i diff

expire_date="$(date +%s -d $(dig +short fakrul.com +dnssec SOA | awk '$2 == 7 { print $0}' | cut -d' ' -f5 | cut -c1-8))" echo "Expire date: $expire_date" #expire_date="$(dig +short fakrul.com +dnssec SOA | awk '$2 == 7 { print $0}' | cut -d' ' -f5 | cut -c1-8)" currert_date="$(date +%s)" echo "Current date: $currert_date"

diff=$((expire_date-currert_date))/86400 echo "Days to expire: $diff"

if [ "$diff" -gt "7" ] then echo "RRSIG will not expiring within one week. No need to sign the zone" else echo "RRSIG will expire next week. Sign DNS Zone......" sudo ldns-signzone /etc/nsd/ZONES/fakrul.com.zone /etc/nsd/KSK/Kfakrul.com.+007+22704 /etc/nsd/ZSK/Kfakrul.com.+007+04664 -f /etc/nsd/SIGNED/fakrul.com.zone.signed echo "Reload NSD......" /etc/init.d/nsd reload fi

Enable IPv6 in OpenVPN

08 Tuesday Nov 2016

Posted by fakrul in My Work, Tutorial

≈ Leave a comment

Tags

IPv6, OpenVPN

In my earlier post (OpenVPN in Ubuntu 14.04) I have gone through the steps to install OpenVPN in Ubuntu; that was only for IPv4. To enable IPv6 in OpenVPN do the followings:

OpenVPN Server IP : 2001:df2:ee00:ee00::10/64

2001:df2:ee00:abcd::/64 has been routed to the OpenVPN server host. That mean users connected via OpenVPN will get one prefix from 2001:df2:ee00:abcd::/64 block.

Step 1: We need to edit OpenVPN configuration file and enable IPv6 tunnel service

vi /etc/openvpn/server.conf

Add the following :

server-ipv6 2001:0df2:ee00:abcd::/64 tun-ipv6 push tun-ipv6 ifconfig-ipv6 2001:0df2:ee00:abcd::1 2001:0df2:ee00:abcd::2 push "route-ipv6 2001:0df2:ee00:ee00::2/64" push "route-ipv6 2000::/3"

Step 2: Enable IPv6 forwarding:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Step 3: Reload OpenVPN Service

/etc/init.d/openvpn restart

Try connect your OpenVPN client. Test the IPv6 reachablity by accessing http://test-ipv6.com/

Note:
1. To make IPv6 forwarding persistent remember, in /etc/sysctl.conf uncomment:
net.ipv6.conf.all.forwarding = 1

2. Make sure that you route 2001:df2:ee00:abcd::/64 to you OpenVPN Server. I have done this from my cisco router

ipv6 route 2001:df2:ee00:abcd::/64 2001:df2:ee00:ee00::10

NSD with DNSSEC (Forward & Reverse DNS)

01 Tuesday Nov 2016

Posted by fakrul in Education, My Work

≈ Leave a comment

Tags

DNS, DNSSEC, NSD

In previous two blogs (1st part & 2nd part) I explain how to setup NSD as primary DNS server and BIND as secondary. Now let’s see how can we implement DNSEC with it.

1. You can put all the key in single folder; but for better understanding I put necessary information in 4 folders:
ZONES: All zone files, SIGNED: All signed zone files, ZSK: All ZSK keys, KSK: All KSK Keys
sudo mkdir /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK

2. Time to install ldns, a NLnet Labs’ project:
sudo apt-get install ldnsutils

3. Create ZSK /etc/nsd/ZSK
cd /etc/nsd/ZSK sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 ssh.com.bd

Create KSK
cd /etc/nsd/KSK sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k ssh.com.bd

ldns-keygen will create 3 files: a .key file with the public DNSKEY, a .private file with the private keydata and a .ds with the DS record of the DNSKEY record.

4. Edit /etc/nsd/nsd.conf to change the path for the signed zones:
zonesdir: "/etc/nsd/SIGNED"

more changes:

zone: name: “ssh.com.bd” zonefile: “ssh.com.bd.zone.signed”

5. Now use the ldns-signzone command to sign ssh.com.bd and to create a new file ready for DNSSEC queries.

sudo ldns-signzone /etc/nsd/ZONES/ssh.com.bd.zone \ /etc/nsd/KSK/Kssh.com.bd.+007+22704 \ /etc/nsd/ZSK/Kssh.com.bd.+007+04664 \ -f /etc/nsd/SIGNED/ssh.com.bd.zone.signed

This will create a signed zone file under /etc/nsd/SIGNED folder.

Continue reading →