db.osoal.org.nz


WTF is up with the ntp defaults on Cisco?

Thursday, 27th February 2014

So, it turns out that configuring an ntp peer (or server) on a Cisco router enables an ntp server that is open on every interface the router has.

The only valid excuse I can come up with for this is that the defaults were chosen so long ago that the internet was a much nicer place.

So how do we fix this up?

There isn't a nice knob that says 'Don't serve client requests to anyone' ( which is screaming out to be the default ). So, short of ACLs applied directly to interfaces, we have to fake it with what there is.

You can apply ACLs to the ntp service for four classes of ntp traffic: peer, serve, serve-only and query-only. This isn't as useful as it sounds: as soon as any class has an ACL, every class without one defaults to deny, so if you lock down the query class you also have to put in an ACL that permits the NTP servers you have configured to talk to you, or the router stops synchronising. The ACL you use has the usual implicit deny at the end, so permitting only your servers in the peer class shuts everyone else out of every class.

Depending on what version of IOS you have, you may only be able to configure numbered access lists on your ntp service. The configuration that should work on anything running an old version of IOS as long as you are only doing IPv4 is the following:

ip access-list standard 99
permit 202.21.137.10
permit 202.21.136.66
permit 202.21.136.67

ntp access-group peer 99

If you have IOS 15.3 or newer and IPv6 configured you want something like the following:

ip access-list standard v4-ntp-servers
permit 202.21.137.10
permit 202.21.136.66
permit 202.21.136.67

ipv6 access-list v6-ntp-servers
permit 2001:4428:0:13::10
permit 2001:4428:0:6::66
permit 2001:4428:0:6::67

ntp access-group ipv4 peer v4-ntp-servers
ntp access-group ipv6 peer v6-ntp-servers
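As an added example (not from the post and not a Cisco tool), the Python below audits a saved IOS config in the form shown above for the failure modes the post describes: ntp sources with no access-group at all, an access-group ACL that permits every host, and a configured server that the peer class ACL would block so the router silently stops syncing. It handles only the simple ACL forms used here (bare address, `host`, IPv4 address plus wildcard, prefix/length, `any`, and the legacy `access-list 99 permit ...` form), assumes ntp sources are IP literals rather than hostnames, and assumes IPv4 and IPv6 access-groups are independent of each other. The two sample configs are constructed, using the addresses from the post.

```python
import ipaddress
import re

# Constructed sample configs (not from a real router), using the post's addresses.
# HARDENED is the post's IPv4+IPv6 fix; EXPOSED leaves IPv6 at the open default,
# omits one server from the peer ACL and adds a serve-only class that lets anyone in.
HARDENED = """\
ip access-list standard v4-ntp-servers
 permit 202.21.137.10
!
ipv6 access-list v6-ntp-servers
 permit 2001:4428:0:13::10
!
ntp access-group ipv4 peer v4-ntp-servers
ntp access-group ipv6 peer v6-ntp-servers
ntp server 202.21.137.10
ntp server 2001:4428:0:13::10
"""
EXPOSED = """\
ip access-list standard v4-ntp-servers
 permit 202.21.136.66
!
access-list 99 permit any
ntp access-group ipv4 peer v4-ntp-servers
ntp access-group ipv4 serve-only 99
ntp server 202.21.137.10
ntp server 2001:4428:0:13::10
"""


def parse(config):
    """Return (ntp sources, {(af, class): acl name}, {acl name: [(action, target)]})."""
    sources, groups, acls, current = [], {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None                        # a top-level command ends an ACL block
        s = line.strip()
        if not s or s.startswith("!"):
            continue
        if m := re.match(r"(?:ip|ipv6) access-list (?:standard )?(\S+)$", s):
            current = m.group(1)
            acls.setdefault(current, [])
        elif m := re.match(r"access-list (\d+) (permit|deny) (.+)$", s):   # legacy numbered form
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif current and (m := re.match(r"(permit|deny) (.+)$", s)):
            acls[current].append((m.group(1), m.group(2)))
        elif m := re.match(r"ntp (?:server|peer) (\S+)", s):
            sources.append(m.group(1))
        elif m := re.match(r"ntp access-group (?:(ipv4|ipv6) )?(\S+) (\S+)", s):
            groups[(m.group(1) or "ipv4", m.group(2))] = m.group(3)      # no family keyword = IPv4
    return sources, groups, acls


def entry_network(target, version):
    """One ACL target as a network: 'any', 'host A', 'A WILDCARD', 'A' or 'PREFIX/LEN'."""
    parts = target.split()
    try:
        if parts[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
        if parts[0] == "host":
            return ipaddress.ip_network(parts[1])
        if len(parts) == 2:                       # IOS wildcard mask is an inverted netmask
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(parts[1])) ^ 0xFFFFFFFF)
            return ipaddress.ip_network(f"{parts[0]}/{mask}", strict=False)
        return ipaddress.ip_network(parts[0], strict=False)
    except ValueError:
        return None                               # other family or unsupported syntax


def acl_permits(entries, addr):
    """First match wins; no match is the implicit deny at the end of every IOS ACL."""
    ip = ipaddress.ip_address(addr)
    for action, target in entries:
        net = entry_network(target, ip.version)
        if net is not None and net.version == ip.version and ip in net:
            return action == "permit"
    return False


def audit(config):
    """Findings about NTP exposure; an empty list means only the configured sources get in."""
    sources, groups, acls = parse(config)
    findings = []
    for af, version in (("ipv4", 4), ("ipv6", 6)):
        srcs = [s for s in sources if ipaddress.ip_address(s).version == version]
        classes = {c: n for (a, c), n in groups.items() if a == af}
        if srcs and not classes:
            # Assumption: access-groups are per family, so IPv4 ACLs do nothing for IPv6.
            findings.append(f"{af}: ntp sources configured but no {af} ntp access-group; "
                            f"nothing restricts {af} clients")
            continue
        for cls, name in classes.items():
            if name not in acls:
                findings.append(f"{af}: access-group {cls} references undefined ACL {name}")
            elif any(a == "permit" and getattr(entry_network(t, version), "prefixlen", 1) == 0
                     for a, t in acls[name]):
                findings.append(f"{af}: {cls} ACL {name} permits every host")
        peer = acls.get(classes.get("peer"), [])
        for s in srcs:
            if not acl_permits(peer, s):
                findings.append(f"{af}: {s} is not permitted by the peer class ACL; "
                                f"the router will not synchronise to it")
    return findings
```

Running `audit(HARDENED)` returns no findings; `audit(EXPOSED)` reports the open serve-only class, the missing server in the peer ACL and the unrestricted IPv6 side. Whatever the audit says, confirm on the box afterwards with `show ntp associations` that the configured servers are still reachable, since a peer ACL that drops your own servers fails quietly.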

Speaking of defaults

Friday, 11th October 2013

I just recently noticed that I set up the page layout ( a heap of years ago ) on this site so it could fit full screen on a browser running 800x600.

I hope no poor sod still browses the web in 800x600 anymore, but if they do I expect they are doing it on a phone or other such limited platform that deals with that okay.

I put in a few quick adjustments to the css so it is at least set up for 1024 pixels wide less a margin of safety and did a new logo backing png. I guess if I really felt like doing some work I would do something that scales nicely with screen size. I really can't be bothered though and I reckon it is always going to look dorky maximised on a 2560x1440 desktop unless there is a heap of horizontal stuff that all scales nicely too.

Getting manufacture dates from cisco serial numbers

Tuesday, 8th October 2013

I've just added a javascript utility that gets the manufacture date from a Cisco serial number and prints it out.

It turns out that it is in plain view other than the offset in the year value. The format is described in the text above the decoder, so you can write your own or do it in your head if you like to remember trivia like that.
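The format description the post refers to sits above the site's decoder and is not reproduced on this page. As an added example (not the site's JavaScript), the Python below assumes the commonly documented layout, LLLYYWWSSSS: a three-character site code, a two-digit year stored as an offset from 1996, a two-digit week, then a four-character sequence. The sample serial is constructed; if the site's own description differs, follow it.

```python
import datetime
import re

# Assumed layout (not reproduced on this page): LLL site code, YY = year - 1996,
# WW = week of that year, SSSS = sequence.  11 characters in total.
SERIAL_RE = re.compile(r"^([A-Z]{3})(\d{2})(\d{2})([A-Z0-9]{4})$")
YEAR_OFFSET = 1996


def decode_serial(serial):
    """Return site, year, week, sequence and the approximate Monday of that week."""
    m = SERIAL_RE.match(serial.strip().upper())
    if not m:
        raise ValueError(f"not an 11-character Cisco serial: {serial!r}")
    site, yy, ww, seq = m.groups()
    year, week = YEAR_OFFSET + int(yy), int(ww)
    if not 1 <= week <= 53:
        raise ValueError(f"week {week} out of range in {serial!r}")
    # Cisco's week numbering is not guaranteed to be ISO 8601, so the date is approximate.
    try:
        monday = datetime.date.fromisocalendar(year, week, 1)
    except ValueError:
        monday = None          # week 53 in a year that only has 52 ISO weeks
    return {"site": site, "year": year, "week": week, "sequence": seq,
            "approx_week_start": monday}


# Constructed serial, not a real device: FOC + 12 + 34 + X5YZ -> 2008, week 34.
SAMPLE = decode_serial("FOC1234X5YZ")
```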

Brute force for the win

Friday, 4th October 2013

If you are going to try to brute force passwords over ssh you should probably try better usernames than ferlac and gyurushop.

I wish I had logs of what sort of password ferlac and gyurushop would have.

Oct 4 14:56:15 wombat sshd[12240]: input_userauth_request: invalid user ferlac [preauth]
Oct 4 14:56:15 wombat sshd[12240]: pam_unix(sshd:auth): check pass; user unknown
Oct 4 14:56:15 wombat sshd[12240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=134.75.32.6
Oct 4 14:56:17 wombat sshd[12240]: Failed password for invalid user ferlac from 134.75.32.6 port 38348 ssh2
Oct 4 14:56:17 wombat sshd[12240]: Received disconnect from 134.75.32.6: 11: Bye Bye [preauth]
Oct 4 14:59:19 wombat sshd[12271]: Invalid user gyurushop from 222.36.0.48
Oct 4 14:59:19 wombat sshd[12271]: input_userauth_request: invalid user gyurushop [preauth]
Oct 4 14:59:19 wombat sshd[12271]: pam_unix(sshd:auth): check pass; user unknown
Oct 4 14:59:19 wombat sshd[12271]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.48
Oct 4 14:59:21 wombat sshd[12271]: Failed password for invalid user gyurushop from 222.36.0.48 port 58955 ssh2
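As an added example (not from the post), a small triage script over the sshd lines above: it pulls the username, source host and whether the account even exists out of the `Failed password` and `Invalid user` lines, and lists the sources that only ever guessed accounts that do not exist, which is the signature of a pure brute-force run. The input is the post's own log lines plus one constructed line for an existing account (`deploy` from a documentation-range address) so the two cases can be told apart.

```python
import re
from collections import defaultdict

# Input: the lines quoted in the post, plus one constructed line (192.0.2.5, user
# "deploy") for a failed login to an account that does exist.
LOG = """\
Oct 4 14:56:15 wombat sshd[12240]: input_userauth_request: invalid user ferlac [preauth]
Oct 4 14:56:15 wombat sshd[12240]: pam_unix(sshd:auth): check pass; user unknown
Oct 4 14:56:15 wombat sshd[12240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=134.75.32.6
Oct 4 14:56:17 wombat sshd[12240]: Failed password for invalid user ferlac from 134.75.32.6 port 38348 ssh2
Oct 4 14:56:17 wombat sshd[12240]: Received disconnect from 134.75.32.6: 11: Bye Bye [preauth]
Oct 4 14:59:19 wombat sshd[12271]: Invalid user gyurushop from 222.36.0.48
Oct 4 14:59:19 wombat sshd[12271]: input_userauth_request: invalid user gyurushop [preauth]
Oct 4 14:59:19 wombat sshd[12271]: pam_unix(sshd:auth): check pass; user unknown
Oct 4 14:59:19 wombat sshd[12271]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.48
Oct 4 14:59:21 wombat sshd[12271]: Failed password for invalid user gyurushop from 222.36.0.48 port 58955 ssh2
Oct 4 15:02:03 wombat sshd[12290]: Failed password for deploy from 192.0.2.5 port 40112 ssh2
"""

# "invalid user " is only present when the account does not exist on the box.
FAILED = re.compile(r"sshd\[(\d+)\]: Failed password for (invalid user )?(\S+) from (\S+) port (\d+)")
INVALID = re.compile(r"sshd\[(\d+)\]: Invalid user (\S+) from (\S+)")


def summarise(log):
    """Per source host: usernames tried, which of them do not exist, and failure count."""
    stats = defaultdict(lambda: {"users": set(), "invalid_users": set(), "failures": 0})
    for line in log.splitlines():
        if m := FAILED.search(line):
            _pid, invalid, user, host, _port = m.groups()
            rec = stats[host]
            rec["users"].add(user)
            rec["failures"] += 1
            if invalid:
                rec["invalid_users"].add(user)
        elif m := INVALID.search(line):
            _pid, user, host = m.groups()
            stats[host]["invalid_users"].add(user)
    return dict(stats)


def candidates_for_block(stats, min_failures=1):
    """Hosts whose every attempt was against a non-existent account: guessing, not a typo."""
    return sorted(host for host, rec in stats.items()
                  if rec["failures"] >= min_failures
                  and rec["users"] and rec["users"] <= rec["invalid_users"])
```

On these lines both 134.75.32.6 and 222.36.0.48 come out as block candidates while 192.0.2.5 does not; raise `min_failures` before feeding the result to a firewall so a single mistyped username from a real user never gets someone locked out.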

Defaults chosen for another era

Tuesday, 1st October 2013

I had to set up squid last week for a reverse proxy type arrangement and I was pretty amazed to see that the default config file that comes with ubuntu still has the same example memory and disk cache entries that were probably around when I first set it up in the late 90's on Slackware.

eg.

cache_mem 100 MB

cache_dir ufs /var/spool/squid3 100 16 256

100 MB may have been a lot of memory way back when, but for the box I was using last week 28 GB was a bit more like it. As a practical issue I was left wondering if the cache_dir entry was actually in GB and had to look it up.

Makes me wonder if everyone uses varnish or some other such new shiny these days and if there is some kind of beautiful symmetry around dinosaurs such as me using old dinosaur software like squid.

Google Adsense over SSL

Wednesday, 18th September 2013

It looks like Google have started offering adsense ads over an SSL transport in the last few days, so I've made the relatively minor change to take advantage of it.

With the scary warnings and other messages taken care of plus me finding the smaller wide format text ads I think I'm happy enough to leave them on the site.

What has happened here?

Tuesday, 17th September 2013

Some poor misguided firewall / router / voodoo packet forwarding apparatus has decided to let this packet out:

*mangle DROP: IN=eth0 OUT= MAC=00:14:85:17:09:8e:00:23:5e:7c:ba:1b:08:00 SRC=0.0.0.0 DST=202.21.137.10 LEN=76 TOS=0x00 PREC=0x00 TTL=251 ID=19777 PROTO=UDP SPT=65535 DPT=123 LEN=56

There's a heap of drops in the logs for rfc1918 addresses, but 0.0.0.0 is a new one.
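As an added example (not from the post), the Python below parses netfilter LOG lines in the `prefix: KEY=VAL ...` form shown above and classifies the source address against the ranges that should never turn up as a source on a public interface: 0.0.0.0/8 (which covers this packet), the rfc1918 ranges the log is already full of, loopback, link-local, shared address space and the multicast/reserved block. The first line is the one from the post; the other two are constructed.

```python
import ipaddress

# Source ranges that have no business arriving from the outside world.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                        # "this" network, incl. 0.0.0.0
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # rfc1918
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
    "100.64.0.0/10",                                    # shared address space, rfc6598
    "224.0.0.0/3",                                      # multicast, class E, broadcast
)]

# Line 1 is the one quoted in the post; lines 2 and 3 are constructed for contrast.
PAGE_LINE = ("*mangle DROP: IN=eth0 OUT= MAC=00:14:85:17:09:8e:00:23:5e:7c:ba:1b:08:00 "
             "SRC=0.0.0.0 DST=202.21.137.10 LEN=76 TOS=0x00 PREC=0x00 TTL=251 ID=19777 "
             "PROTO=UDP SPT=65535 DPT=123 LEN=56")
RFC1918_LINE = ("*mangle DROP: IN=eth0 OUT= SRC=10.1.2.3 DST=202.21.137.10 LEN=76 "
                "TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=UDP SPT=123 DPT=123 LEN=56")
NORMAL_LINE = ("*mangle DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=202.21.137.10 LEN=76 "
               "TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=40000 DPT=123 LEN=56")


def parse_netfilter(line):
    """Split a LOG line into its KEY=VAL fields; the first LEN (IP header) wins over the UDP one."""
    prefix, sep, rest = line.partition(": ")
    if not sep:                      # no log prefix configured on this rule
        prefix, rest = "", line
    fields = {"_prefix": prefix}
    for tok in rest.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields.setdefault(key, val)   # keeps "OUT=" as an empty string
    return fields


def source_bogon(fields):
    """Return the bogon range the SRC falls in, or None for a routable source."""
    src = ipaddress.ip_address(fields["SRC"])
    for net in BOGONS:
        if src.version == net.version and src in net:
            return str(net)
    return None


def triage(lines):
    """(SRC, DPT, matching bogon range) for each line whose source is unroutable."""
    out = []
    for line in lines:
        f = parse_netfilter(line)
        hit = source_bogon(f)
        if hit:
            out.append((f["SRC"], f.get("DPT"), hit))
    return out
```

Source 0.0.0.0 to UDP/123 with source port 65535 and a 56-byte UDP length is the shape of an NTP client request from a host that has no address yet, which is why a leaky upstream filter is the most likely explanation; the `_prefix` field lets you key the counts on which rule dropped it.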

Trying to route on a Cisco ASA

Thursday, 12th September 2013

NAT, NAT sausage egg and NAT, that's not got much NAT in it.


© 2009 Lincoln Reid <lincoln@osoal.org.nz>