To disable root login over the network, do the following:
1. Edit the file /etc/ssh/sshd_config.
2. Find the line PermitRootLogin no.
3. Uncomment the line.
4. Similarly, you can control other options as well.
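As an added example (not part of the original post), the following shell script makes the edit described above on a constructed copy of sshd_config, and reads back the value sshd will actually use. It assumes the file has no Match blocks, so the first uncommented occurrence of a keyword is the one sshd honours; that is why it also comments out any later active duplicate instead of leaving two PermitRootLogin lines behind.

```shell
#!/bin/sh
# Added example, not from the original post: set PermitRootLogin in an
# sshd_config copy idempotently and read back the effective value.
# Assumption: no Match blocks, so the first uncommented keyword line wins.

# Prints the value sshd would use for keyword $2 in file $1 (first active match).
effective_sshd_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Sets keyword $2 to value $3 in file $1: the first occurrence (commented or
# not) is rewritten, any later active occurrence is commented out so it cannot
# take precedence, and the keyword is appended if the file never mentioned it.
set_sshd_value() {
    file="$1"; key="$2"; val="$3"; tmp="$1.tmp.$$"
    awk -v key="$key" -v val="$val" '
        {
            k = $1; sub(/^#/, "", k)
            if (tolower(k) == tolower(key) && $1 ~ /^#?[A-Za-z]/) {
                if (!done) { print key " " val; done = 1 }
                else if ($1 ~ /^#/) { print }
                else { print "#" $0 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample sshd_config (not taken from any real host).
CFG=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$CFG"
echo "before: '$(effective_sshd_value "$CFG" PermitRootLogin)'"   # empty: sshd default applies
set_sshd_value "$CFG" PermitRootLogin no
echo "after:  '$(effective_sshd_value "$CFG" PermitRootLogin)'"
```

After changing the real /etc/ssh/sshd_config, run `sshd -t` to check the file parses before reloading the daemon, and keep an existing session open until a fresh login succeeds.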
Thursday, January 20, 2011
Monday, January 17, 2011
Intel's new AES-NI instruction set
Intel has introduced six new instructions for AES encryption. These instructions are supported in hardware by the processor itself. The instructions AESENC, AESENCLAST, AESDEC, and AESDECLAST support the AES encryption and decryption operations; the instructions AESIMC and AESKEYGENASSIST support AES key expansion. Using these instructions, your encryption throughput may increase significantly. I tested AES-NI for IPsec throughput between two gateways (one a Linux box, the other a Fortigate 3016B firewall) over a 1 Gbps link using ipsec-tools 0.7.3.
System requirements:
Presently it is supported on 64-bit machines only.
Linux kernel 2.6.31 or above is required.
Without IPsec, throughput came to around 900 Mbps.
With IPsec (without AES-NI), throughput came to around 500 Mbps.
With IPsec (with AES-NI), throughput came to around 800 Mbps.
So I got a throughput improvement of about 1.6 times in my case. These results may vary depending on your applications and operating systems, but one thing is sure: your throughput will increase.
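The following shell script is an added example, not part of the original post: it checks a Linux host against the two requirements listed above (64-bit, kernel 2.6.31 or newer) and whether the CPU advertises the AES-NI feature, which shows up as the `aes` flag in /proc/cpuinfo and is what the kernel's aesni_intel module requires. The two cpuinfo fragments in the script are constructed samples; the live report reuses the same functions on the real file.

```shell
#!/bin/sh
# Added example, not from the original post: does this host meet the AES-NI
# requirements (64-bit, Linux kernel >= 2.6.31) and does the CPU have AES-NI?
# Constructed cpuinfo samples are used to show the flag check deterministically.

# Returns 0 when version string $2 (as printed by uname -r) is at least $1.
# Compares dotted numeric fields; suffixes such as "-5-amd64" count as zero.
kernel_at_least() {
    awk -v want="$1" -v have="$2" 'BEGIN {
        n = split(want, w, "."); split(have, h, "[.-]")
        for (i = 1; i <= n; i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# Prints yes when a cpuinfo-style file lists the "aes" CPU flag (the CPUID
# feature the kernel's aesni_intel module requires), otherwise no.
cpu_has_aes_flag() {
    if grep -Eq '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Constructed cpuinfo fragments: one CPU with the flag, one without.
SAMPLE_WITH=$(mktemp); SAMPLE_WITHOUT=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu vme sse4_2 aes avx\n' > "$SAMPLE_WITH"
printf 'processor\t: 0\nflags\t\t: fpu vme sse4_2 avx\n' > "$SAMPLE_WITHOUT"

# Live report for the host this runs on (kernel check is Linux-specific).
aesni_host_report() {
    case "$(uname -m)" in
        x86_64|amd64) echo "arch: 64-bit ok" ;;
        *) echo "arch: $(uname -m) (the post's AES-NI support is 64-bit only)" ;;
    esac
    if kernel_at_least 2.6.31 "$(uname -r)"; then
        echo "kernel: $(uname -r) ok"
    else
        echo "kernel: $(uname -r) older than 2.6.31"
    fi
    if [ -r /proc/cpuinfo ]; then
        echo "cpu aes flag: $(cpu_has_aes_flag /proc/cpuinfo)"
    else
        echo "cpu aes flag: unknown (no /proc/cpuinfo on this system)"
    fi
}

echo "sample with flag:    $(cpu_has_aes_flag "$SAMPLE_WITH")"
echo "sample without flag: $(cpu_has_aes_flag "$SAMPLE_WITHOUT")"
aesni_host_report
```

To see the difference on a host that passes the check, compare `openssl speed aes-128-cbc` (OpenSSL's plain C implementation) with `openssl speed -evp aes-128-cbc` (the EVP path, which uses AES-NI when the CPU has it); the gap is the same effect the IPsec numbers above show.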
Monday, January 3, 2011
Quagga installation guide
Follow these steps.
1. I used FreeBSD as the OS; Quagga works on Linux as well.
2. On FreeBSD, go to the port directory and run the command "make install clean".
3. If a source file is missing (for example, the machine is not directly connected to the internet), download the files elsewhere and put them in the ports distfiles folder.
4. Once Quagga is installed you need two configuration files somewhere on the system (default location /usr/local/etc/quagga/).
5. The first one, ospfd.conf, should have the following configuration:
! -*- ospf -*-
!
! OSPFd sample configuration file
!
!
hostname ospfd
password zebra
enable password zebra
!
router ospf
redistribute connected
network 192.168.1.0/24 area 0
network 10.10.11.0/24 area 11
log stdout
6. The second one, zebra.conf, should have the following configuration:
! -*- zebra -*-
!
! zebra sample configuration file
!
! $Id: zebra.conf.sample,v 1.1.1.1 2002/12/13 20:15:30 paul Exp $
!
hostname Router
password zebra
enable password zebra
!
! Interface's description.
!
!interface lo
! description test of desc.
!
!interface sit0
! multicast
!
! Static default route sample.
!
!ip route 0.0.0.0/0 203.181.89.241
!
!log file zebra.log
7. Once you are done with all of this, put the following lines in rc.conf so that Quagga starts at boot:
quagga_enable="YES"
quagga_flags="-d"
quagga_daemons="zebra ospfd"
router_enable="NO"
watchquagga_enable="YES"
watchquagga_flags="-dz -R '/usr/local/etc/rc.d/quagga restart' zebra ospfd"
8. watchquagga is a supporting daemon that keeps watching Quagga; if a Quagga process terminates, it restarts Quagga. Cool, isn't it?
9. For more detail visit the following URL:
http://openmaniak.com/quagga.php
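As an added example (not part of the original post), the shell script below sanity-checks the setup from steps 5 to 7 before the first boot: it reads the daemon list from the quagga_daemons line of rc.conf, confirms each daemon has a config file in the config directory, and flags any config that still carries the sample vty password "zebra" from the templates above, since that password grants telnet access to the daemon's command line. The rc.conf and config files it checks are constructed copies written to a scratch directory; paths and the assumption that each daemon reads <confdir>/<daemon>.conf are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-boot sanity check for the
# Quagga setup described above. Assumptions: daemons come from quagga_daemons in
# rc.conf, each daemon reads <confdir>/<daemon>.conf, and "zebra" is the sample
# vty password that should never survive into a real router.

# Prints the daemon names from the quagga_daemons="..." line of an rc.conf.
quagga_daemons_from_rc() {
    sed -n 's/^quagga_daemons="\(.*\)"/\1/p' "$1"
}

# Returns 0 when every listed daemon has a config file and none still uses the
# sample password; prints one line per finding. $1 = rc.conf, $2 = config dir.
check_quagga_setup() {
    rc="$1"; confdir="$2"; findings=0
    for d in $(quagga_daemons_from_rc "$rc"); do
        f="$confdir/$d.conf"
        if [ ! -f "$f" ]; then
            echo "MISSING: $f is listed in quagga_daemons but absent"
            findings=1
            continue
        fi
        if grep -Eq '^(enable )?password zebra$' "$f"; then
            echo "WEAK: $f still uses the sample password 'zebra'"
            findings=1
        fi
    done
    return $findings
}

# Constructed sample input mirroring the post: rc.conf plus the two configs.
DEMO=$(mktemp -d)
cat > "$DEMO/rc.conf" <<'EOF'
quagga_enable="YES"
quagga_flags="-d"
quagga_daemons="zebra ospfd"
router_enable="NO"
watchquagga_enable="YES"
watchquagga_flags="-dz -R '/usr/local/etc/rc.d/quagga restart' zebra ospfd"
EOF
cat > "$DEMO/ospfd.conf" <<'EOF'
hostname ospfd
password zebra
enable password zebra
router ospf
 redistribute connected
 network 192.168.1.0/24 area 0
log stdout
EOF
cat > "$DEMO/zebra.conf" <<'EOF'
hostname Router
password REPLACE-WITH-A-REAL-VTY-PASSWORD
enable password REPLACE-WITH-A-REAL-ENABLE-PASSWORD
EOF

# Prints "pass" or "fail" for the sample; ospfd.conf still has the sample password.
demo_result() {
    if check_quagga_setup "$DEMO/rc.conf" "$DEMO"; then echo pass; else echo fail; fi
}
demo_result
```

Run it as `check_quagga_setup /etc/rc.conf /usr/local/etc/quagga` on the real box; a non-zero exit means at least one daemon would either fail to start or come up with the sample password.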
Open Source Router/Firewall
There are a number of open source routers/firewalls available.
1. Vyatta:- It is based on the XORP routing software architecture. It is a very good open source router/firewall; you need less than 30 minutes to make a router or firewall out of any i386-based machine. Configuration is very simple. It also has a GUI running over HTTPS. I have not tested its GUI thoroughly, but the command-line configuration is very good and self-explanatory. You may try the live CD to get a feel for it.
2. XORP:- It is a Linux-based routing software architecture. I have not tested it.
3. pfSense:- It is a FreeBSD-based open source software architecture. Mainly it is used as a firewall, but it also supports OSPF. It is a fork of m0n0wall.
4. ZEBRA:- It is mainly a UNIX-based routing software architecture. Quagga is a fork of ZEBRA and more popular than Zebra.
Open Source Routers/Firewalls
Nowadays hardware is getting cheaper day by day. In this scenario, it is the software that costs us more. Open source routing software is very good in this context, so let us analyze the pros and cons of open source routers.
Pros:-
1. First of all it is free. You need to spend nothing except time to make a router/firewall.
2. For small and medium business enterprises it is like a boon, since it costs very little.
3. Source code is available for almost all open source routers/firewalls. You can audit and scrutinize your router/firewall, and you can tweak the code as per your needs.
4. Nowadays most open source routers come with a GUI, so they are very easy to configure.
Cons:-
1. For networks requiring high throughput it may not be a viable solution.
2. Hardware configuration should be checked before installation.
3. It requires more management skill in comparison to some branded routers or firewalls.
Monday, October 18, 2010
Certificate-based IPsec VPN in FreeBSD
Here I am considering ESP IPsec with certificate-based authentication between two peers.
1. Use the following command to generate the private key and certificate request:
openssl req -new -nodes -out req.pem -keyout cert.pem
Here cert.pem is the private key and req.pem is the certificate request.
2. Get this certificate request signed by some certificate authority (CA) using the following command:
openssl x509 -req -days 365 -in certs/req.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -outform PEM -out certs/mycert.pem
3. Now put both your certificate and the CA's public certificate in the directory specified in racoon.conf, and create the hash-named link with the following command:
ln -s CA.crt `openssl x509 -noout -hash -in CA.crt`.0
4. Start racoon.
Ref: http://www.fefe.de/racoon.txt
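The following shell script is an added example, not part of the original post: it walks steps 1 to 3 end to end with a throw-away CA in a scratch directory, installs the CA certificate under its subject-hash name as step 3 does, and then verifies the peer certificate against that directory the same way OpenSSL (and therefore racoon) looks up an issuer. It also shows the failure mode the hash link exists to prevent: the same CA file copied into a directory without the link is not found. All names (demo-ca, peer1.example.test, the file names) are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: throw-away CA, peer certificate
# issued from a CSR, hash-named CA link as racoon's certificate lookup needs,
# then a chain check. Names are made up; everything lives in a scratch dir.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to demonstrate"; exit 0; }

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Demo CA: a self-signed root (in the post this is whoever signs your request).
openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 -subj "/CN=demo-ca" \
    -keyout cakey.pem -out cacert.pem >/dev/null 2>&1

# Step 1: peer private key and certificate request.
openssl req -new -nodes -newkey rsa:2048 -subj "/CN=peer1.example.test" \
    -keyout peer1.key -out req.pem >/dev/null 2>&1

# Step 2: the CA signs the request.
openssl x509 -req -days 365 -in req.pem -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -outform PEM -out mycert.pem >/dev/null 2>&1

# Step 3: install the CA certificate as CA.crt plus a <subject-hash>.0 link,
# which is how OpenSSL finds an issuer in a certificate directory.
install_ca_by_hash() {
    dir="$1"; ca="$2"
    mkdir -p "$dir"
    cp "$ca" "$dir/CA.crt"
    ln -sf CA.crt "$dir/$(openssl x509 -noout -hash -in "$ca").0"
}

# Prints ok when certificate $2 chains to a CA found in directory $1, else fail.
verify_peer_cert() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

install_ca_by_hash "$WORK/certs" cacert.pem
echo "with hash link:    $(verify_peer_cert "$WORK/certs" mycert.pem)"

# The same CA file copied without the hash link is not found by the lookup.
mkdir -p "$WORK/nolink" && cp cacert.pem "$WORK/nolink/CA.crt"
echo "without hash link: $(verify_peer_cert "$WORK/nolink" mycert.pem)"
```

Running `openssl verify -CApath <dir> mycert.pem` against the directory named in racoon.conf is a quick way to confirm the link is right before starting racoon; an "unable to get local issuer certificate" error there means the daemon will reject the peer for the same reason.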
Wednesday, October 13, 2010
How to install a package in FreeBSD
1. Usually FreeBSD provides a port for most packages, so first search for the port using the following command:
whereis <package name>
This will print something like /usr/ports/.....
Now change to that directory and run:
make install clean
For removing: make deinstall clean
If the package tarball is already in /usr/ports/distfiles/ then fine, you are done; otherwise FreeBSD will try to connect to the internet. If you are not connected to the internet, just download the package manually (note the version number required) and put it in /usr/ports/distfiles.
2. If no port is available for the desired package, use the following command:
pkg_add <package name>
For removing: pkg_delete <package name>
Good luck.