Detailed Trustix Install via PXE

In a previous post, I summarized an experience with a newfound love – Trustix. Today, I’ll try and detail how to go through this install.

First, there is a special 30 meg network-based installation ISO image for 3.0 in the download area called trustix-3.0-net.i586.iso. It includes the PXEboot support files. However, if you download this file – there is still more you need – specifically pxelinux.0 from the syslinux package. To make things simpler, I have assembled everything needed, all in the proper directory structure. It can be downloaded from here.


Minimal Secure Linux Install using Trustix

It finally dawned on me the other day – that instead of trying to install what most distributions call a minimal install (500+ Meg) and then trying to figure out what all I can remove afterwards, how about starting with a distribution that truly is minimal and then adding only what I need afterwards.

I started out looking at several projects that mainly built everything from scratch – such as LFS. Finally, I found mention of a distribution called Trustix, which seemed to address the minimalist approach – but at the same time keeping it simple.


Folding@Home Project

If I came home and told my wife that I started ‘folding’ today – she would ask me why I don’t do it at home. I had never heard of ‘Folding’ before recently discovering it on hackaday.  However, it looked very interesting so I began investigating.

What is Folding?

Folding@home is a distributed client computing effort by Stanford University intended to help understand how proteins assemble or “fold.” Exactly how proteins assemble themselves is a mystery, and why proteins sometimes fold improperly or “misfold” is also not fully understood. Many serious diseases are related to the misfolding of proteins, such as Alzheimer’s, Parkinson’s disease, Cystic Fibrosis, Mad Cow Disease, and several forms of cancer. By donating your CPU’s spare cycles, you are contributing to an effort to understand how proteins fold, which is the first step to understanding how basic proteins work and how we might treat these diseases. When you are not using your computer, the processor will run simulations of different proteins and the way they assemble to better help scientists understand why they do what they do.


ssh access to a rack full of Cisco equipment

What a waste: pictured below is a rack almost completely full of Cisco equipment that hardly ever gets used. The original intent was to use it for CCIE study, which by the way it has all the equipment needed for, but it is currently not being used. SSH access is available to this rack from the internet. If you are interested in using it, please send me an email and I’ll get you set up.

Current Hardware:

(2) Cisco 3550-12G switches running Enterprise/Layer 3 Software
Cisco 2950 switch
Cisco 3550PWR Switch
Cisco 3750 Switch running Enterprise/Layer 3 Software
Cisco 3640 for Terminal Server + Frame Relay Switch
Cisco 3640 used as distribution site router
Cisco 2621 Router
Cisco 2500 Routers
Cisco 1600 Routers

Cisco CCIE CCNP CCNA study rack Rack full of Cisco equipment


Low-Buck Memory Upgrade for Cisco Pix 515

If you have a Cisco PIX 515 and want to upgrade to the new 7.0 software, you are required to upgrade memory first. By default, the pix comes with 64Mb memory unless you buy a unit after the 7.0 software became generally available. What I am about to describe is by no means a recommendation on how to upgrade your pix – it just makes for good reading. :>)

Now that the disclaimer is out of the way, here is how I got my hardware prepped for the software upgrade in less than 20 minutes at a cost of $0.
First, I removed a 128Mb SDRAM memory module out of a recently decommissioned Dell GXi desktop computer and headed to the testlab. The PIX is a 515E model, but I believe the memory is the same in the original 515.

I backed up the configuration before I pulled the box out of the rack (very important). Once on the bench, it is time to remove the cover.

Cisco PIX 515E about to be upgraded

The easiest way to get the cover off is to remove the top two screws from each rack mount bracket and then remove the four screws located on the rear of the top cover. Then press down on the top cover and push/slide it back (toward the rear of the unit) until a gap in the front of the top cover is exposed. Once the gap is made, the cover will lift straight up.

Removing the Cover from Cisco PIX 515E

This PIX had two 32Mb memory modules installed, so I removed both of them…

Cisco PIX 515E with original 64Mb memory

The new memory module went into the first memory slot which is the leftmost memory slot if you are looking down at the chassis from the front of the firewall. In this picture taken from the side, it would be the rear slot.

Cisco PIX 515E with new 128Mb memory module installed

Now, it’s time to put the cover back on – re-install into the rack and power up.

Here is the output at bootup after the memory has been installed…


CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
128 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10
00 11 00 14E4 5823 Co-Processor 11
00 13 00 8086 B154 PCI-to-PCI Bridge
01 04 00 8086 1229 Ethernet 11
01 05 00 8086 1229 Ethernet 10
01 06 00 8086 1229 Ethernet 9
01 07 00 8086 1229 Ethernet 5

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-515E
System Flash=E******* @ 0xfff00000
Use BREAK or ESC to interrupt flash boot. Use SPACE to begin flash boot immediately. Flash boot in 10 seconds.
Reading 1962496 bytes of image from flash. ####
128MB RAM
mcwa i82559 Ethernet at irq 11 MAC: ****.****.****
mcwa i82559 Ethernet at irq 10 MAC: ****.****.****
mcwa i82559 Ethernet at irq 11 MAC: ****.****.****
mcwa i82559 Ethernet at irq 10 MAC: ****.****.****
mcwa i82559 Ethernet at irq 9 MAC: ****.****.****
mcwa i82559 Ethernet at irq 5 MAC: ****.****.****
System Flash=E******* @ 0xfff00000
BIOS Flash=am******* @ 0xd8000
Crypto5823 (revision 0x1)

-----------------------------------------------------------------------
                             ||        ||
                             ||        ||
                            ||||      ||||
                        ..:||||||:..:||||||:..
                       c i s c o S y s t e m s
                      Private Internet eXchange
-----------------------------------------------------------------------
Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(4)
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

****************************** Warning *******************************
Compliance with U.S. Export Laws and Regulations - Encryption.

This product performs encryption and is regulated for export
by the U.S. Government.

This product is not authorized for use by persons located
outside the United States and Canada that do not have prior
approval from Cisco Systems, Inc. or the U.S. Government.

This product may not be exported outside the U.S. and Canada
either by physical or electronic means without PRIOR approval
of Cisco Systems, Inc. or the U.S. Government.

Persons outside the U.S. and Canada may not re-export, resell
or transfer this product by either physical or electronic means
without prior approval of Cisco Systems, Inc. or the U.S.
Government.
******************************* Warning *******************************

Copyright (c) 1996-2003 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

outside interface address added to PAT pool

Cryptochecksum(unchanged): ******** ******** ******** ********
Type help or '?' for a list of available commands.

pixlab> en

Username: cisco
Password: *****

pixlab# sh ver

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Fri 02-Jul-04 00:07 by morlee

pixlab up 37 secs

Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E******** @ 0x300, 16MB
BIOS Flash AM******* @ 0x********, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is ****.****.****, irq 10
1: ethernet1: address is ****.****.****, irq 11
2: ethernet2: address is ****.****.****, irq 11
3: ethernet3: address is ****.****.****, irq 10
4: ethernet4: address is ****.****.****, irq 9
5: ethernet5: address is ****.****.****, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: ********* (0x********)
Running Activation Key: 0x******** 0x******** 0x******** 0x********
Configuration has not been modified since last system restart.

pixlab#

Cool, it worked. Part two of this story will be the actual software upgrade. Enjoy…


CentOS 4 Security Assessment

In the last article, I went through the basic installation of CentOS 4.2 using the single Server Install CD. Since this machine was to be used on the internal network and I didn’t really want the performance overhead of a host-based firewall – I decided to not enable the firewall during the installation. Note: by default the firewall is enabled – so some of what I am about to disclose wouldn’t apply if the firewall was turned on.

My approach will be to disable anything unnecessary and continue to run without the firewall enabled. Actually, it is good practice to disable unused services that might have been installed and enabled during a default installation. This is regardless of whether or not the firewall is enabled.

So, right after the OS installation – I went over and fired up a new session on a Nessus box. I configured it to scan a single host – which was the CentOS box. All the available plugins were enabled and safe checking was turned off. The result was three warnings that came back in the Nessus report:


Installing CentOS 4

I am writing this as a series. This particular article will discuss just the operating system installation. I will follow with some add-on articles that deal with setting up a centralized log host.

The server used in this project is a Dell 1650 with (2) PIII 1.2 Processors and 2G of RAM. Disk configuration is (3) 18G SCSI drives attached to a RAID controller in a RAID 0 configuration – which gives me approx 50G of formatted space. I expect not to have enough space for my purposes – so I’m not sure how I will address that yet…

I am doing installation via booting from the CentOS Server Installation CD. Here are the steps I followed:


Automate modifying SNMP strings on Windows computers

In this world of auditing and compliance, if you don’t have policies documented to change anything that is remotely related to a system password on a regular basis – I would highly encourage you to give it serious consideration.

Let’s say you have a bunch of Windows Servers in your Data Center running the SNMP service. Let’s also say that they are running the *gulp* default community strings. It is definitely time to change them.

This script will help you automate this process. Once you change them all once – the hard part is over, now that you know all the management systems that need to change when the community strings change. Hopefully, this process is documented after your first time and can be set up to change them on a regular interval (I would recommend every 3 – 6 months).

Installing additional packages after a minimal Fedora Core Installation

Since my ‘Core’ installation document was getting pretty big, I decided to create a second document listing additional applications that may be needed for your particular use. The intent here is to show how to install just what is needed for any one application. So, by using the minimal install of Fedora plus any specific package installations contained in this document – you should have a pretty lean and mean system. Each set of instructions is listed under a category, making it easier to find and figure out what you need.

General

    Compile Support

Many applications do not come ‘packaged’ to where they can be installed via yum or RPM. The application author will provide the source code and give instructions on how to compile on your machine. If you install the development tools during the initial Linux installation, it will add several hundred Mb’s of data – most of it not needed for basic compiles. Here is all you need for the most commonly used C and C++ compiler on *UNIX.

At a shell prompt, we will install gcc via yum by using the following command:

yum -y install gcc

and

yum -y install gcc-c++

    CPAN support

CPAN is a very nice platform built on Perl that allows you to automatically download, compile, and install various Perl modules that you may want to use with your system. Think of CPAN as yum for Perl – very nice! The first time you invoke the CPAN shell, it will ask you to configure it – which can be messy if you try and go through all the options and set each one. I’ll point out the important ones to cut down on the headaches. First, invoke the shell:

perl -MCPAN -e "shell"

The first thing you will see is a prompt asking if you’re ready for manual configuration. Regardless of your thoughts here, answer yes and hit Enter.
The first question will ask if it can create a working directory, which is used to hold temporary and working files – along with any files it may cache. By default it will want to create a .cpan directory under your home directory (probably /root/.cpan). To be tidy, you can specify your tmp directory structure by answering the question with:

/tmp/.cpan

and press Enter.
- Next question: Cache size and build directory – leave the default, so just hit Enter
- Next question: Perform cache scanning – leave the default (atstart), so just hit Enter
- Next question: Cache metadata – leave the default (yes), so just hit Enter
- Next question: Your terminal expects ISO-8859-1 – leave the default(yes), so just hit Enter
- Next question: File to save your history – leave the default, so just hit Enter
- Next question: Number of lines to save – leave the default [100], so just hit Enter
- Next question: Policy on building prerequisites – I prefer to just let it do it without asking, so type follow and press Enter
- Next question: Where is your gzip program – leave the default, so just hit Enter
- Next question: Where is your tar program – leave the default, so just hit Enter
- Next question: Where is your unzip program – leave the default, so just hit Enter
- Next question: Where is your make program – leave the default, so just hit Enter
- Next question: Where is your links program – leave the default, so just hit Enter (you may not have this installed)
- Next question: Where is your wget program – leave the default, so just hit Enter
- Next question: Where is your ncftpget program – leave the default, so just hit Enter (you may not have this installed)
- Next question: Where is your ncftp program – leave the default, so just hit Enter (you may not have this installed)
- Next question: Where is your ftp program – leave the default, so just hit Enter
- Next question: Where is your gpg program – leave the default, so just hit Enter
- Next question: What is your favorite pager program? – leave the default, so just hit Enter
- Next question: What is your favorite shell? – leave the default, so just hit Enter
- Next question: Big paragraph asking for additional parameters to pass – leave default (leave blank), so just hit Enter
- Next question: Parameters for the ‘make’ command – leave the default, so just hit Enter
- Next question: Parameters for the ‘make install’ command – leave the default, so just hit Enter
- Next question: Timeout for inactivity during Makefile.PL – leave the default, so just hit Enter
- Next question: Your ftp_proxy – If you use a proxy server to get to the Internet, enter it here and then press Enter
- Next question: Your http_proxy – If you use a proxy server to get to the Internet, enter it here and then press Enter
- Next question: Your no_proxy – If you use a proxy server to get to the Internet, enter it here and then press Enter
- Next question: Select your continent – Enter the appropriate number and press Enter
- Next question: Select your country – Enter the appropriate number and press Enter
- Next question: Select URLs (to download from) – Enter 1 2, and press Enter
- Next question: Enter additional URL – press Enter
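
Added example (not part of the original post): the CPAN shell in this walkthrough runs as root and /tmp is world-writable, so whichever working directory is given at the first prompt should be a real directory owned by the invoking user and not writable by anyone else. The function names `cpan_home_is_safe` and `prepare_cpan_home` are made up for this example, and it assumes a shell such as bash or dash whose `test` supports `-O`.

```shell
#!/bin/sh
# Added example: vet a directory before handing it to the CPAN shell as its
# working directory. Function names and messages are illustrative only.

# Returns 0 when DIR is a real directory (not a symlink), owned by the user
# running the check, and not writable by group or others.
cpan_home_is_safe() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "unsafe: $dir is a symbolic link" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "unsafe: $dir is not a directory" >&2
        return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "unsafe: $dir is owned by another user" >&2
        return 1
    fi
    # -prune stops find from descending; -perm -020 / -002 match a
    # group-writable or world-writable directory.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "unsafe: $dir is writable by group or others" >&2
        return 1
    fi
    return 0
}

# Create the directory privately if nothing exists at that path yet, then
# vet it. mkdir is used without -p, so a path that appears in the meantime
# makes it fail rather than being silently adopted.
prepare_cpan_home() {
    dir=$1
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        (umask 077 && mkdir "$dir") || return 1
    fi
    cpan_home_is_safe "$dir"
}
```

Run `prepare_cpan_home` on the intended directory before starting `perl -MCPAN -e "shell"`, and give the CPAN prompt that path only if the function returns 0.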

 

Now, let’s give CPAN an update for itself. At the cpan> enter:

install Bundle::CPAN

After the install, you will be returned to the CPAN prompt. If you want to look at all the modules available to install on your system, type m and press Enter. Be sure to have your scrollback buffer set pretty high :)

If you see something you want to install – use install blah::blah at the cpan> prompt.


SolarWinds Evaluation

I was recently asked to evaluate the SolarWinds products, specifically Orion Performance Monitor and the Network Management Tools (Engineer’s Edition). Below is my experience:
