Friday, March 12, 2021

HA with ExaBGP

The idea is simple: a convenient way to blackhole some prefixes (bogus, well-known C&C, spam, malicious, personally predefined, etc.).

I'm using Linux + exaBGP + a Python script to collect prefixes from a list of sources; exaBGP holds a BGP session with our two route reflectors and announces the generated list of prefixes with the blackhole community.

exaBGP is a Python application for interacting with BGP networks.

The list of prefixes is generated by generate_blacklists.py:

https://drive.google.com/file/d/1XgksQVcb2rpabv8OVCBkFabR6YuQpxV9

The configuration itself is pretty straightforward and self-explanatory.

1. To announce a single static route:

neighbor 192.168.0.1 {
    router-id 192.168.0.10;
    local-address 192.168.0.10;
    local-as 12345;
    peer-as 12345;

    ### optional
    ### hold-time 180;
    ### outgoing-ttl 1;
    ### capability {
    ###     multi-session;
    ### }

    family {
        ipv4 unicast;
    }
    static {
        route 10.0.0.1/32 next-hop self;
        route 10.0.0.0/24 origin IGP as-path [10 20 30 30 30] next-hop 192.168.2.1;
        route 172.10.0.0/22 next-hop 192.168.2.1 med 200 community [30303:30303] split /24;
        route 9.9.9.9/32 next-hop 192.168.2.1 extended-community [ target:120000L:123 origin:130000:1234 ];
    }
}

### Or:

announce {
    ipv4 {
        unicast 10.0.0.0/24 next-hop 192.168.2.1 local-preference 200 community 30303:30303;
    }
}

A direct API command (via exabgpcli; for a systemd unit see https://github.com/Exa-Networks/exabgp/blob/master/etc/systemd/exabgp.service):

announce route 10.0.0.0/24 origin IGP as-path [10 20 30 30 30] next-hop 192.168.2.1
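What the announcing side of this setup boils down to, as an added example (not the blog's generate_blacklists.py and not exabgp's own code): one refresh step parses a prefix feed, refuses anything broader than a /24 or /64 or inside an assumed protected block of our own, and prints only the announce/withdraw delta in the API syntax shown above. The 65535:666 BLACKHOLE community, the discard next-hops and both feeds are assumptions constructed for the example.

```python
import ipaddress

BLACKHOLE = "65535:666"                        # RFC 7999 BLACKHOLE community (assumed RR policy)
MIN_PREFIX_LEN = {4: 24, 6: 64}                # assumed guard: never blackhole anything broader
NEXT_HOP = {4: "192.0.2.1", 6: "2001:db8::1"}  # assumed discard next-hops, one per family


def parse_feed(text, protected=()):
    """Networks in a feed that are safe to blackhole: junk lines, prefixes broader
    than MIN_PREFIX_LEN and anything inside a protected block are skipped."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                                  # a bad feed line must not stop the run
        if net.prefixlen < MIN_PREFIX_LEN[net.version]:
            continue
        if any(p.version == net.version and net.subnet_of(p) for p in protected):
            continue
        nets.add(net)
    return nets


def api_commands(previous, current):
    """ExaBGP API lines: withdraw what left the feed, announce what is new."""
    cmds = [f"withdraw route {n} next-hop {NEXT_HOP[n.version]}"
            for n in sorted(previous - current, key=str)]
    cmds += [f"announce route {n} next-hop {NEXT_HOP[n.version]} community [{BLACKHOLE}]"
             for n in sorted(current - previous, key=str)]
    return cmds


def refresh(previous, feed_text, protected=()):
    """One cycle: parse the feed and write only the delta to ExaBGP on stdout."""
    current = parse_feed(feed_text, protected)
    for cmd in api_commands(previous, current):
        print(cmd, flush=True)   # ExaBGP reads our stdout line by line; never leave it buffered
    return current


# Constructed sample: two consecutive downloads of a feed (documentation ranges only).
FEED_OLD = "203.0.113.7\n203.0.113.0/24\n198.51.100.0/22\n10.0.0.0/8\nnot-an-ip\n2001:db8:bad:1::/64\n"
FEED_NEW = "203.0.113.7\n198.51.100.44/32\n2001:db8:bad:1::/64\n"
PROTECTED = [ipaddress.ip_network("198.51.100.0/24")]   # assumed: our own block, never blackholed

if __name__ == "__main__":
    state = refresh(set(), FEED_OLD, PROTECTED)   # first run announces every valid prefix
    state = refresh(state, FEED_NEW, PROTECTED)   # second run withdraws only 203.0.113.0/24
```

Started by exabgp as a process (run /path/to/the/script), it would replace the two constructed feeds with a periodic download; everything it prints is taken as an API command, so a malformed feed line must never reach stdout.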

2. Two servers; the preview VIP is assigned as a secondary IP; nginx listens on this "VIP"; if curl returns no output, the VIP stops being announced, i.e. no more incoming connections (ToDo: a more detailed explanation of the healthcheck and route announcement):

process service-nginx {
    run python3 -m exabgp healthcheck -s --name nginx --cmd "curl --fail --verbose --max-time 2 http://localhost" --start-ip 0;
    encoder text;
}

neighbor 192.168.0.1 {
    router-id 192.168.0.10;
    local-address 192.168.0.10;
    local-as 12345;
    peer-as 12345;

    api services {
        processes [ service-nginx ];
    }
}

ExaBGP can be used for DDoS protection (with NetFlow/syslog/monitoring), Internet watch interception, traffic engineering, server HA and any other SDN variation.


Some useful links:

https://github.com/Exa-Networks/exabgp

https://vincent.bernat.ch/en/blog/2013-exabgp-highavailability

https://thepacketgeek.com/exabgp/

Part 1 : https://www.dasblinkenlichten.com/working-with-exabgp-4/

Part 2: https://www.dasblinkenlichten.com/building-static-routes-with-exabgp/

https://blog.plessis.info/blog/2020/02/11/haproxy-exabgp.html

A simple example from the developer:

neighbor 192.168.127.128 {
    description "will flap a route until told otherwise";
    router-id 198.111.227.39;
    local-address 192.168.127.1;
    local-as 65533;
    peer-as 65533;
    ### add and remove routes when flap.sh prints
    ### flap.sh should produce output readable by ExaBGP,
    ### in proper ExaBGP API syntax
    process loving-flaps {
        run etc/processes/flap.sh;
    }
}

1 - take your favourite language: perl, python, lua, C, shell, french!
2 - create a forever loop
3 - print what you want to do ...
#!/bin/sh
# ignore Control C (INT instead of SIGINT: the portable POSIX signal name)
trap '' INT
### every echo below is one line in ExaBGP API syntax, read by ExaBGP from our stdout
while true
do
    echo "announce route 192.0.2.1 next-hop 10.0.0.1"
    sleep 10
    echo "withdraw route 192.0.2.1 next-hop 10.0.0.1"
    sleep 10
done

A real-life example:

neighbor 10.255.1.254 {
    router-id 10.255.42.1;
    local-as 65042;
    peer-as 65001;

    api services {
        processes [ watch-loghost, watch-mailhost ];
    }
}

process watch-loghost {
    encoder text;
    run python -m exabgp healthcheck --cmd "nc -z -w2 -u localhost 514" --no-syslog --label loghost --withdraw-on-down --ip 10.255.255.1/32;
}

process watch-mailhost {
    encoder text;
    run python -m exabgp healthcheck --cmd "nc -z -w2 localhost 25" --no-syslog --label mailhost --withdraw-on-down --ip 10.255.255.2/32;
}


Friday, December 18, 2020

Hyper-V nested virtualization (for EVE-NG, for example)

Run PowerShell as Administrator:

Set-VMProcessor -VMName "VirtualMachineName" -ExposeVirtualizationExtensions $True
VirtualMachineName is the name of the previously created VM on which we want to enable nested virtualization.

Wednesday, November 25, 2020

SWAKS - Linux CLI mail client

 SWAKS(1)                                                                   SWAKS                                                                  SWAKS(1)

NAME
       swaks - Swiss Army Knife SMTP, the all-purpose smtp transaction tester

DESCRIPTION
       swaks' primary design goal is to be a flexible, scriptable, transaction-oriented SMTP test tool.  It handles SMTP features and extensions such as
       TLS, authentication, and pipelining; multiple versions of the SMTP protocol including SMTP, ESMTP, and LMTP; and multiple transport methods
       including unix-domain sockets, internet-domain sockets, and pipes to spawned processes.  Options can be specified in environment variables,
       configuration files, and the command line allowing maximum configurability and ease of use for operators and scripters.

QUICK START
       Deliver a standard test email to user@example.com on port 25 of test-server.example.net:

        swaks --to user@example.com --server test-server.example.net

       Deliver a standard test email, requiring CRAM-MD5 authentication as user me@example.com.  An "X-Test" header will be added to the email body.  The
       authentication password will be prompted for.

        swaks --to user@example.com --from me@example.com --auth CRAM-MD5 --auth-user me@example.com --header-X-Test "test email"

       Test a virus scanner using EICAR in an attachment.  Don't show the message DATA part:

        swaks -t user@example.com --attach - --server test-server.example.com --suppress-data </path/to/eicar.txt

       Test a spam scanner using GTUBE in the body of an email, routed via the MX records for example.com:

        swaks --to user@example.com --body /path/to/gtube/file

       Deliver a standard test email to user@example.com using the LMTP protocol via a UNIX domain socket file:

        swaks --to user@example.com --socket /var/lda.sock --protocol LMTP

       Report all the recipients in a text file that are non-verifiable on a test server:

        for E in $(cat /path/to/email/file)
        do
            swaks --to "$E" --server test-server.example.com --quit-after RCPT --hide-all
            [ $? -ne 0 ] && echo "$E"
        done


Monday, August 17, 2020

ESXi 5/6 stuck on “Relocating modules and starting up the kernel…”

On some servers (SunFire, ProLiant), after installation and/or a reboot the server gets stuck in the state “Relocating modules and starting up the kernel…”.

To fix this we have to add a boot parameter to the ESXi kernel. To do this, reboot, and while ESXi is booting hit the Tab key. Then add the parameter “ignoreHeadless=TRUE” to disable the headless check.

To make ignoreHeadless=TRUE permanent across reboots, open the ESXi shell (locally or via SSH) and execute:

esxcfg-advcfg --set-kernel "TRUE" ignoreHeadless
Confirm by:
esxcfg-advcfg --get-kernel ignoreHeadless


Tuesday, July 28, 2020

traceroute/ping !H vs * (destination host unreachable)

traceroute -n 192.168.33.8
traceroute to 192.168.33.8 (194.134.33.8), 30 hops max, 60 byte packets
 1  192.168.199.1  0.128 ms  0.076 ms  0.086 ms
 2  192.168.161.122  0.391 ms  0.390 ms  0.280 ms
 3  192.168.161.114  0.283 ms  0.417 ms  0.407 ms
 4  192.168.161.191  0.571 ms  0.665 ms  0.757 ms
 5  192.168.100.4  0.747 ms  0.707 ms  0.381 ms
 6  192.168.96.4  0.848 ms  0.834 ms  0.563 ms
 7  192.168.96.4  3011.733 ms !H  3011.689 ms !H  3011.574 ms !H

The simple difference is that for an unreachable host, the last-hop router returns an ICMP destination unreachable response.
  • * means that your machine received no response.
  • !H means that your machine received the ICMP message "destination host unreachable" from the host indicated in the traceroute output.
  • Rarely, traceroute can also indicate other unreachable messages such as !N or !P (network or protocol unreachable), etc.
A machine normally sends "destination host unreachable" when it cannot send the IP packet to the network. This can happen when:
  • There is no route to the destination.
  • The next-hop IP address or the final IP address cannot be resolved to an L2 address (there is no ARP reply for the IP address).
Routers can be configured not to send the ICMP message, but you can also get * instead of !H when your request was silently dropped by an ACL or firewall policy. In security policies a silent drop is normal practice.
Whether a security policy drops the probe depends on the type of message sent by traceroute. Traditional Unix traceroute by default sends UDP packets to "unusual" ports like 33434, but it can use other methods too. Windows tracert sends ICMP echo requests.
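To make the distinction mechanical, an added example (not from the post) that classifies each hop line of traceroute -n output as replied, unreachable (with the !H/!N/!P reason) or silent; the sample is the post's output trimmed to two hops plus one constructed "* * *" hop for contrast.

```python
import re

# Exception codes traceroute appends after an RTT (the ones the post names).
CODES = {"!H": "host unreachable", "!N": "network unreachable", "!P": "protocol unreachable"}
HOP_RE = re.compile(r"^\s*(\d+)\s+(.+)$")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_hop(line):
    """Classify one hop line: replied, unreachable (router sent ICMP) or silent."""
    m = HOP_RE.match(line)
    if not m:
        return None                                   # header or unrelated output
    ttl, tokens = int(m.group(1)), m.group(2).split()
    addrs = [t for t in tokens if IPV4_RE.fullmatch(t)]   # -n output: bare addresses only
    codes = sorted({t for t in tokens if t in CODES})
    if codes:                                         # !H/!N/!P: an ICMP unreachable came back
        status = "unreachable: " + ", ".join(CODES[c] for c in codes)
    elif addrs:
        status = "replied"
    else:                                             # only '*': nothing came back at all
        status = "silent (filtered, rate-limited or ICMP disabled)"
    return {"ttl": ttl, "addr": addrs[0] if addrs else None, "status": status}


def parse_trace(output):
    """All hop lines of one traceroute run, in order; the header is skipped."""
    return [h for h in (parse_hop(l) for l in output.splitlines()) if h]


# The post's output (trimmed) plus one constructed '* * *' hop.
SAMPLE = """traceroute to 192.168.33.8 (192.168.33.8), 30 hops max, 60 byte packets
 1  192.168.199.1  0.128 ms  0.076 ms  0.086 ms
 2  * * *
 7  192.168.96.4  3011.733 ms !H  3011.689 ms !H  3011.574 ms !H
"""

if __name__ == "__main__":
    for hop in parse_trace(SAMPLE):
        print(hop)
```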

Tuesday, July 14, 2020

ASDM "this app can't run on your PC" - Windows 10

C:\Users\ivan.popov>ver
Microsoft Windows [Version 10.0.19041.329]
After installing the latest Java and trying to start Cisco ASDM:
Solution: change the target in the shortcut (right-click - Properties - Target) to:
C:\Windows\System32\wscript.exe invisible.vbs run.bat