Thursday, 13 November 2014

2014-11-13 Replacing the CSS11506 certificate

### Suspend Service ###
config term

service backend-server 171
suspend
service backend-server 172
suspend
service backend-server 175
suspend

service backend-server 176
suspend

service SSL_Front_1
suspend
service SSL_Front_2
suspend

exit

### Suspend ssl-proxy-list ###
config term

ssl-proxy-list TCBank_PDC_Branch_ssl-accel
suspend

exit

### Use FTP to upload cert_fcrbrn_2014.cer and cert_fcrbrn_2014.pem ###
### Check for, and if needed create, ftp-record leslie-ftp ###
ftp-record leslie-ftp 172.17.1.27 anonymous des-password tcbank

copy ssl ftp leslie-ftp import cert_fcrbrn_2014.cer PEM "password"
copy ssl ftp leslie-ftp import cert_fcrbrn_2014.pem PEM "password"
See below for how cert.cer and cert.pem are produced.


### First run the following rsakey and rsacert removal steps ###
###config term
###
###ssl-proxy-list TCBank_PDC_Branch_ssl-accel

no ssl-server 21 rsakey cert_fcrbrn_withrsa
no ssl-server 21 rsacert cert_fcrbrn_cert

CSS11506(config)# no ssl associate cert cert_fcrbrn_cert
CSS11506(config)# no ssl associate rsakey cert_fcrbrn_withrsa


### Then import the RSA certificate and key pair ###
ssl associate cert cert_fcrbrn_cert cert_fcrbrn_2011.cer
ssl associate rsakey cert_fcrbrn_withrsa cert_fcrbrn_2011.pem

### Then configure the following under ssl-proxy-list TCBank_PDC_Branch_ssl-accel ###
ssl-server 21 rsakey cert_fcrbrn_withrsa
ssl-server 21 rsacert cert_fcrbrn_cert

### Active ssl-proxy-list ###
config term
ssl-proxy-list TCBank_PDC_Branch_ssl-accel
active
exit

### Active service & SSL_Front_1 & 2 ###
service backend-server 171
active
service backend-server 172
active
service backend-server 175
active

service backend-server 176
active

service SSL_Front_1
active
service SSL_Front_2
active

Converting a certificate to .pem & .cer files

Converting a certificate .pfx file to .pem & .cer files

1. Download OpenSSL

2. Install OpenSSL
Win64OpenSSL-1_0_1j.exe

3. Run the commands
Produce the PEM, CER and key files from one pfx:
openssl pkcs12 -in Brn.pfx -nodes -out server.pem
openssl rsa -in server.pem -out server.key
openssl x509 -in server.pem -out server.cer


======================================================

PEM Format
It is the most common format that Certificate Authorities issue certificates in. It contains the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.
Several PEM certificates and even the Private key can be included in one file, one below the other. But most platforms (eg: Apache) expect the certificates and Private key to be in separate files.
> They are Base64 encoded ASCII files
> They have extensions such as .pem, .crt, .cer, .key
> Apache and similar servers use PEM format certificates

DER Format
It is a binary form of the ASCII PEM format certificate. All types of Certificates & Private Keys can be encoded in DER format.
> They are binary format files
> They have extensions .cer & .der
> DER is typically used on the Java platform

P7B/PKCS#7
They contain "-----BEGIN PKCS7-----" & "-----END PKCS7-----" statements. It can contain only Certificates & Chain certificates but not the Private key.
> They are Base64 encoded ASCII files
> They have extensions .p7b, .p7c
> Several platforms support it, eg: Windows OS, Java Tomcat

PFX/PKCS#12
They are used for storing the Server certificate, any Intermediate certificates & Private key in one encryptable file.
> They are binary format files
> They have extensions .pfx, .p12
> Typically used on Windows OS to import and export certificates and Private keys

Converting Certificates between different Formats

PEM
Convert PEM to DER
$ openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B
$ openssl crl2pkcs7 -nocrl -certfile certificate.cer -certfile CAcert.cer -out certificate.p7b

Convert PEM to PFX
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt

DER
Convert DER to PEM
$ openssl x509 -inform der -in certificate.cer -out certificate.pem

P7B
Convert P7B to PEM
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
$ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer

PFX
Convert PFX to PEM
$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

NOTE: While converting PFX to PEM format, openssl will put all the Certificates and the Private Key into a single file. You will need to open the file in a text editor and copy each Certificate & the Private Key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CAcert.cer and privateKey.key respectively.

Extracting the private key from PEM
Method 1 -- use openssl
$ openssl x509 -in server.pem -out server.cer

Method 2 --
      2.1 Install the .pfx file
      2.2 Open Certificate -> Details -> Copy to File
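The NOTE above, like step 3 of the .pfx conversion, leaves you with one file from openssl pkcs12 that has to be split by hand. As an added example (not from the original post), the following Python performs that split: it keeps only the BEGIN/END blocks, skips the Bag Attributes, subject= and issuer= lines openssl writes between them, and names the parts as the NOTE does. SAMPLE is constructed placeholder text, not real certificate or key material.

```python
import re

# One PEM block; the backreference makes the END label match the BEGIN label,
# and re.S lets "." span the base64 lines in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)

def split_pem(text):
    """Return (certs, keys); Bag Attributes / subject= / issuer= lines are skipped."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label, block = m.group(1), m.group(0) + "\n"
        if label.endswith("PRIVATE KEY"):
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
    return certs, keys

def name_parts(text):
    """Map blocks to the NOTE's file names: first cert -> certificate.cer,
    remaining chain certs -> CAcert.cer, the key -> privateKey.key."""
    certs, keys = split_pem(text)
    if not certs or len(keys) != 1:
        raise ValueError("expected >=1 certificate and exactly 1 private key")
    files = {"certificate.cer": certs[0], "privateKey.key": keys[0]}
    if len(certs) > 1:
        files["CAcert.cer"] = "".join(certs[1:])
    return files

# Constructed stand-in for "openssl pkcs12 -nodes" output; not real key material.
SAMPLE = """Bag Attributes
    localKeyID: 01 02 03
subject=/CN=branch.example.invalid
-----BEGIN CERTIFICATE-----
MIIBserverCERTplaceholder==
-----END CERTIFICATE-----
subject=/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBcaCERTplaceholder==
-----END CERTIFICATE-----
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
MIIEkeyPLACEHOLDER==
-----END RSA PRIVATE KEY-----
"""
```

When writing privateKey.key to disk, create it with mode 0600: because of -nodes it is unencrypted.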



Friday, 3 October 2014

Cisco 2811 Router Branch Qos


1.
ip access-list extended acl_BranchQos
 10 permit ip host 192.168.1.50 any
 11 permit ip host 192.168.1.52 any
 12 permit ip host 192.168.91.50 any
 13 permit ip host 192.168.1.60 any
 20 permit ip host 192.168.1.166 any
 21 permit ip host 192.168.91.166 any
 22 permit ip host 172.16.127.166 any
 remark "(10-Antivirus),(20-FileServer)"

2.
class-map match-all classmap_BranchQos
 match access-group name acl_BranchQos

3.
policy-map policymap_BranchQos
 class classmap_BranchQos
   police cir 1000000
     conform-action transmit
     exceed-action drop
     violate-action drop

4.
interface FastEthernet0/0
 service-policy input policymap_BranchQos

Tuesday, 23 September 2014

FortiGate Firewall Debug command

config vdom
edit i-Pass_VDOM

Method 1
diagnose sniffer packet any 'host 192.168.102.19'

Method 2
diag debug flow filter clear
diag debug flow filter addr 192.168.90.23
diag debug flow show console enable
diag debug flow trace start 20
diag debug enable

Wednesday, 13 August 2014

【Cisco EEM】Shutdown ISDN at Daily 18:00

Use a Cisco EEM applet to shut down the ISDN interface BRI0/0/0 automatically, Monday through Friday.

=====================Cisco Router 1841 Configure=====================
event manager applet ShutdownISDN
 event timer cron name MonFri cron-entry "0 18 * * 1-5"
 action 1 cli command "enable"
 action 2 cli command "config term"
 action 3 cli command "interface bri0/0/0"
 action 4 cli command "shutdown"
 action 5 cli command "end"
 action 6 syslog msg "Shutdown BRI0/0/0 at 18:00"
!

=====================Show EEM policy registered=====================
TCB2NCCC#show event manager policy registered

No.  Class   Type    Event Type          Trap  Time Registered           Name
1    applet  system  timer cron          Off   Wed Aug 13 15:28:41 2014  ShutdownISDN
 name {MonFri} cron entry {0 18 * * 1-5}
 action 1 cli command "enable"
 action 2 cli command "config term"
 action 3 cli command "interface bri0/0/0"
 action 4 cli command "shutdown"
 action 5 cli command "end"
 action 6 syslog msg "Shutdown BRI0/0/0 at 18:00"


Tuesday, 5 August 2014

【Cacti】Importing a template fails with Error: XML: Hash version does not exist.

When a Cacti template exported from a newer version is imported into an older version, the import fails with Error: XML: Hash version does not exist.
The fix is to edit the relevant hash values inside the XML.

Below is some explanation of the Cacti XML hash:


Take the following example:

0018258d1c9487a6c58dd804f4a012007664
The first 2 digits are the type of the template.
The next 4 digits are the Cacti version it was created on.
The next 32 digits are a random number.

"0.8.4"  => "0000",    
"0.8.5"  => "0001",    
"0.8.5a" => "0002",    
"0.8.6"  => "0003",    
"0.8.6a" => "0004",    
"0.8.6b" => "0005",    
"0.8.6c" => "0006",    
"0.8.6d" => "0007",    
"0.8.6e" => "0008",    
"0.8.6f" => "0009",    
"0.8.6g" => "0010",    
"0.8.6h" => "0011",    
"0.8.6i" => "0012",    
"0.8.6j" => "0013",    
"0.8.7"  => "0014",    
"0.8.7a" => "0015",    
"0.8.7b" => "0016",    
"0.8.7c" => "0017",    
"0.8.7d" => "0018"   
"0.8.7e" => "0019"   

For the example above, this template was exported with Cacti 0.8.7d. 

So when you need to import a template from a newer Cacti, you only have to change the version field inside the hash.
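As an added example (not from the original post), the following Python applies the layout described above, 2 digits of type, 4 of version code and 32 of random data, to parse a hash and re-stamp its version code before importing into an older Cacti. The random digits are the post's example; the type code "00", the hash_-prefixed XML sample and the assumption that exports use hash_<hash> both as element names and as references are constructed for this example.

```python
import re

# Hash layout as the post describes it: 2-digit template type, 4-digit Cacti
# version code, then 32 hex digits of random data (38 hex digits in total).
HASH_RE = re.compile(r"^([0-9a-f]{2})([0-9a-f]{4})([0-9a-f]{32})$")

# Version-code table from the post.
VERSION_CODES = {
    "0.8.4": "0000", "0.8.5": "0001", "0.8.5a": "0002", "0.8.6": "0003",
    "0.8.6a": "0004", "0.8.6b": "0005", "0.8.6c": "0006", "0.8.6d": "0007",
    "0.8.6e": "0008", "0.8.6f": "0009", "0.8.6g": "0010", "0.8.6h": "0011",
    "0.8.6i": "0012", "0.8.6j": "0013", "0.8.7": "0014", "0.8.7a": "0015",
    "0.8.7b": "0016", "0.8.7c": "0017", "0.8.7d": "0018", "0.8.7e": "0019",
}
CODE_TO_VERSION = {code: ver for ver, code in VERSION_CODES.items()}

def parse_hash(h):
    """Split a Cacti hash into its type code, version code and random part."""
    m = HASH_RE.match(h.lower())
    if not m:
        raise ValueError("not a 38-digit Cacti hash: %r" % h)
    type_code, version_code, random_part = m.groups()
    return {"type": type_code, "version_code": version_code,
            "version": CODE_TO_VERSION.get(version_code), "random": random_part}

def rewrite_hash(h, target_version):
    """Return the same hash stamped with the code of target_version."""
    p = parse_hash(h)
    return p["type"] + VERSION_CODES[target_version] + p["random"]

def rewrite_template(xml_text, target_version):
    """Rewrite every hash_<38 hex digits> token in an exported template.
    Assumption: the export uses hash_<hash> as element names and references."""
    def repl(m):
        return "hash_" + rewrite_hash(m.group(1), target_version)
    return re.sub(r"hash_([0-9a-fA-F]{38})", repl, xml_text)

# Constructed: the post's random digits, type code 00, version 0018 (0.8.7d).
EXAMPLE_HASH = "00" + "0018" + "258d1c9487a6c58dd804f4a012007664"
SAMPLE_XML = ("<cacti><hash_%s><name>Demo</name>"
              "<graph_template>hash_%s</graph_template></hash_%s></cacti>"
              % (EXAMPLE_HASH, EXAMPLE_HASH, EXAMPLE_HASH))
```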

【Thecus N16000Pro】rSyslog



###   ps | grep rsyslog ###

# ps | grep rsyslog
11595 root      311m S    /raid/data/module/rSyslog/system/sbin/rsyslogd -x -c5


###   cat /raid/data/module/rSyslog/system/etc/rsyslog-user.conf   ###

##
## User configuration managed through the web UI
##
## Create a share or use an existing share and replace /PATH/TO/SHARE with the actual path
## to the share. If the share resides on the master RAID the path would be
## "/raid/data/SHARENMAME" with SHARENAME being the name of the share.
##
## !!! Avoid spaces in the share name !!!
##
## The following modules are pre-loaded from the main configuration file:
##
##     immark
##     imuxsock
##     imklog
##

### COMMENT OUT OR REMOVE THE LINE BELOW WHEN YOU FINISHED CONFIGURATION ###
#NotYetConfigured
if $source == 'TP-N16000PRO' and $syslogseverity <= '6' then /raid/data/log/messages
# Log anything (except mail) of level info or higher. Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none                -/raid/data/log/messages

# The authpriv file has restricted access.
authpriv.*                                               /raid/data/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/raid/data/log/maillog

# Log cron stuff
cron.*                                                  -/raid/data/log/cron

## ######### Receiving Messages from Remote Hosts ##########
## TCP Syslog Server: provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514 # start up TCP listener at port 514

## UDP Syslog Server: provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514 # start a UDP syslog server at standard port 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$AllowedSender UDP, 127.0.0.1, 10.90.90.245/32, 10.90.90.210/32, 192.168.90.254/32, 10.172.26.244/32, 192.168.14.252/32, 172.16.127.244/32, 10.211.0.88, 10.211.0.89, 10.211.0.250

$template tpe-asa5550,"/raid/data/syslog/tpe-asa5550/tpe-asa5550-%$YEAR%%$MONTH%%$DAY%.log"
if $fromhost-ip == '10.90.90.245' then -?tpe-asa5550

$template tpe-F800,"/raid/data/syslog/tpe-F800/tpe-F800-%$YEAR%%$MONTH%%$DAY%.log"
if $fromhost-ip == '10.90.90.210' then -?tpe-F800

$template tpe-E8500,"/raid/data/syslog/tpe-E8500/tpe-E8500-%$YEAR%%$MONTH%%$DAY%.log"
if $fromhost-ip == '192.168.90.254' then -?tpe-E8500

$template tpe-E2400,"/raid/data/syslog/tpe-E2400/tpe-E2400-%$YEAR%%$MONTH%%$DAY%.log"
if $fromhost-ip == '10.172.26.244' then -?tpe-E2400

$template tpe-014pix,"/raid/data/syslog/tpe-014pix/tpe-014pix-%$YEAR%%$MONTH%%$DAY%.log"
if $fromhost-ip == '192.168.14.252' then -?tpe-014pix

$template tpe-hqpix,"/raid/data/syslog/tpe-hqpix/tpe-hqpix-%$YEAR%%$MONTH%%$DAY%.log"
if $fromhost-ip == '172.16.127.244' then -?tpe-hqpix

$template tpe-4506-01,"/raid/data/syslog/tpe-4506-01/tpe-4506-01-%$YEAR%%$MONTH%%$DAY%.log"
if $fromhost-ip == '10.211.0.88' then -?tpe-4506-01

$template tpe-4506-02,"/raid/data/syslog/tpe-4506-02/tpe-4506-02-%$YEAR%%$MONTH%%$DAY%.log"
if $fromhost-ip == '10.211.0.89' then -?tpe-4506-02

$template tpe-7609,"/raid/data/syslog/tpe-7609/tpe-7609-%$YEAR%%$MONTH%%$DAY%.log"
if $fromhost-ip == '10.211.0.250' then -?tpe-7609

【Thecus N16000Pro】/raid/data/log/dailytar.sh




cat dailytar.sh
#!/bin/sh
# Archive each finished per-device log file: checksum it, tar it together with
# its checksum, remove the originals, then checksum the archive.
# BASE is the directory the rsyslog templates above write to.
BASE=/raid/data/syslog
for dev in tpe-asa5550 tpe-F800 tpe-E8500 tpe-E2400 tpe-hqpix tpe-014pix tpe-4506-01 tpe-4506-02 tpe-7609; do
    cd "$BASE/$dev" || continue
    # only files not written to in the last minute, handled one at a time so
    # several matching files are not joined into a single name
    find . -mmin +1 -type f -name '*.log' | while read -r fname; do
        md5sum "$fname" > "$fname.md5"
        tar -zcvf "$fname.tar.gz" "$fname" "$fname.md5" --remove-files
        md5sum "$fname.tar.gz" > "$fname.tar.gz.md5"
    done
done



Monday, 28 July 2014

Linux Command


TP-N16000PRO:/# uname -mrs
Linux 3.4.45 x86_64

Monday, 12 May 2014

【QoS】Bandwidth QoS For 7613/7609/2811

For OPC example
=======================================================
mls qos                (Enable QoS feature in Global mode)

ip access-list extended OPC_ACL                (Define OPC packets)
   permit ip host 10.91.1.185 host 10.90.90.185
   permit ip host 10.91.1.186 host 10.90.90.186

class-map match-all OPC
   match access-group name OPC_ACL

policy-map QOS-OPC
   class OPC
   police 25000000 conform-action transmit

interface Gi11/11 (interface to 4506)
   service-policy output QOS-OPC

Sunday, 2 March 2014

Saturday, 1 March 2014

2014/02/28 -- Camping at 沙庫斯, Lushan, Nantou: Day 2

Day 2, 07:09

Everyone is still fast asleep.

The campground owner opened up his own vegetable garden for us to use as a "Happy Farm".

Collecting dead branches so we can "light a fire" in the evening to keep warm and bake pizza.

The tent became the kids' playground.

According to the only boy in the photo: the mermaid game is so boring!!!!

Wood-sawing camp: it turns out everyone is especially fond of manual labour once they are outdoors.

Walking the Mahepo trail to Lushan Old Street (4 km in total).

Guess what is being grown here?

Keep going! Lushan Old Street is already in sight.

Did you guess right? The crop here is cabbage.

This fork is the trap: turning left and heading downhill is the wrong way.

So sorry, Gillian, I got the focus wrong.

We finally finished the 4 km mountain trail and reached Lushan Old Street.

Seeing this suspension bridge should bring back everyone's memories of Lushan.

Why are there no photos of the way back? Because 強哥 was busy boosting the local economy on the old street, and to avoid an overloaded walk back we had to phone the campground for help. Thanks to Maggie for acting as the rescue team on that bumpy mountain road.

丫凱's dashing dating-profile photo.

丫霖 gets one too.

Pizza dough in the making. Yes, you read that right: you can still eat pizza while camping. Are we here to experience nature, or the food?

Time flies; the scene switches to [dinner]......... still eating?

Can anyone spot what is going on in this photo?

The answer: [傳佑's family has arrived & 強哥 has gained a few badges of manhood]

Today happens to be 傳佑's birthday, and holding a birthday party deep in the mountain forest is a pretty good experience too.