Computer and IT knowledge - things to know
#view queue
postcat -q << queue-id >>
http://praxistipps.chip.de/windows-10-startmenue-geht-nicht-das-koennen-sie-tun_43348
You also have the option of repairing the Start menu via Windows PowerShell:
Press [Ctrl] + [Shift] + [Esc] to open Task Manager.
Click "More details" at the bottom left.
In the "Windows processes" section, look for the entry "Windows Explorer". Right-click it and select "End task" from the context menu.
In the Task Manager menu bar, click "File" and then "Run new task". Next, type "Powershell" (without quotes).
Enter this command in PowerShell (without the surrounding quotes): "Get-appxpackage -all *shellexperience* -packagetype bundle |% {add-appxpackage -register -disabledevelopmentmode ($_.installlocation + "\appxmetadata\appxbundlemanifest.xml")}"
After the process has finished, additionally enter: "Get-AppxPackage | % { Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppxManifest.xml" -verbose }"
In Task Manager, click "File" and then "Run new task". Enter "explorer.exe" (without quotes) and confirm with the OK button.
time echo "scale=1000; 4*a(1)" | bc -l
Word-Datei mit Passwort schützen
Depending on the Office version, the password setting may differ slightly from this description. If you use an older Office version, continue with the second paragraph.
Open the Word document you want to protect with a password.
Click "File" at the top left of the screen.
Under the menu item "Info" you will find the button "Protect Document".
Click it and select "Encrypt with Password" from the list below.
Now enter a password and click "OK". You have to repeat this step once more.
Save and close the file; the next time it is opened, the password must be entered.
Office 2007 and 2003: protect a Word file with a password
Office 2007: Click the Office button at the top left of the screen and, under "Prepare", select "Encrypt Document". Here too, enter your password twice and click "OK".
Office 2003: Click "Tools" in the menu bar at the top and select "Protect Document" roughly in the middle of the list. Here you can also set your password.
https://cirt.net/nikto2
found via: http://sectools.org/tag/web-scanners/
FreeIPA - Open Source identity management
readpst - convert PST (MS Outlook Personal Folders) files to mbox and other formats
ping 192.168.2.1 | perl -nle 'print scalar(localtime), " ", $_'
with file redirect:
ping 192.168.2.1 | perl -nle 'BEGIN {$|++} print scalar(localtime), " ", $_' >/tmp/log
recode iso-8859-1..UTF-8 test.html
file -i * (query the encoding)
put the following to: .vnc/xstartup
gnome-session &
gnome-panel &
screenshot program: http://www.screenpresso.com/de/
echo "ddd 1 test 12345 " | sed 's/[^0-9]//g'
http://tiddlywiki.com/ [ Andi says - the burner! ]
Network Kernel Parameters
These parameters were suggested by TIBCO to bring the network performance of a Linux machine to the maximum.
We have used these tuning parameters successfully to reduce retransmissions on heavily loaded machines. You will find similar tuning tips when searching for web-server optimization.
Parameter                      Red Hat Enterprise Linux Server 5.6 (Tikanga) value   proposal
net.core.rmem_max              131071                                                16777216
net.core.rmem_default          129024                                                -
net.core.wmem_max              131071                                                16777216
net.core.wmem_default          12902?                                                -
net.ipv4.tcp_rmem (3 values)   4096 87380 4194304                                    4096 87380 16777216
net.ipv4.tcp_wmem (3 values)   4096 16384 4194304                                    4096 65536 16777216
txqueuelen                     1000                                                  7000
net.core.netdev_max_backlog    1000                                                  30000
Performance data: missed/pkts and retrans/pkts are good quality indicators.
TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or
make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses
or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.
http://www.heise.de/download/testdisk.html
-> %Public%\Desktop
import os

# check whether a path is currently a mount point
mp = '/mount1'
if os.path.ismount(mp):
    print('{0} is mounted'.format(mp))
else:
    print('{0} is NOT mounted'.format(mp))
ps -ef | awk 'BEGIN{"hostname" | getline hstnm ; }; {print hstnm "\t" $0}'
Windows 7 PC: I would recommend removing the local profile once.
The profile itself is under C:\Users. Simply delete or rename it.
The profile entry in the registry may also need to be deleted, otherwise Windows will not create a new one. The entry is found here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Look through the entries there. One of them belongs to the user in question -- delete that one.
-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\profiles\<Profil>
3. Change the value "Category" as desired.
Public = 0
Private = 1
Work = 2
findstr /c:"my search string" xyz*.log
check_mk -v --debug <hostname>
cmk -vpn <hostname>
OPTIONS:
-v show what's going on
-p also show performance data (use with -v)
-n do not submit results to core, do not save counters
-N --nagios-config Outputs the Nagios configuration
pdsh.x86_64 : Parallel remote shell program
The Start menu entries of the currently logged-in user are found in the following folder:
Original Windows 7 path:
C:\Users\[Benutzername]\AppData\Roaming\Microsoft\Windows\Start Menu\
Path name in the German Windows 7 version:
C:\Benutzer\[Benutzername]\AppData\Roaming\Microsoft\Windows\Startmenü\
Path under Windows XP, 2000, 2003 (German):
C:\Dokumente und Einstellungen\[Benutzername]\Startmenü
The Start menu entries of all users are found in the following folder:
Original Windows 7 path:
C:\ProgramData\Microsoft\Windows\Start Menu\
Path name in the German Windows 7 version:
C:\ProgramData\Microsoft\Windows\Startmenü\
Path under Windows XP, 2000, 2003 (German):
C:\Dokumente und Einstellungen\AllUsers\Startmenü
It is faster with a handy keyboard shortcut. To insert the current date, simply press [Ctrl]+[.]. The current time is inserted with the key sequence [Ctrl]+[Shift]+[.].
diff -u
#backup
dd if=/dev/sdb of=/tmp/compact_flash_winxp-embedded.dd
#restore
dd if=/tmp/compact_flash_winxp-embedded.dd of=/dev/sdb
echo "MYFIRST_Bla_bla_bla_123" | grep -oP "^[^_]*"
MYFIRST
in directory: /etc/check_mk/rrds/
rrdtool dump xyz.rrd >dump.xml #dump the archive to XML
dump.xml #edit ... change GAUGE to COUNTER
rrdtool restore -f dump.xml xyz.rrd #restore the rrd archive
-> optionally also define a max value, e.g. 20000:
in the <ds> section: <max>2.0000000000e+04</max>
A suitable tool is the Spike Killer for Cacti Graphs version 1.1, see:
http://oss.oetiker.ch/rrdtool/pub/contrib/spikekill-1.1-1.txt
http://oss.oetiker.ch/rrdtool/pub/contrib/removespikes-20080226-mkn.tar.gz
Installed on the server:
/root/install/removespikes.php with symlink /etc/check_mk/rrds/removespikes.php
Calling the tool:
php /etc/check_mk/rrds/removespikes.php
Run an analysis of the RRD / dry run (-D):
php /root/install/removespikes.php -R=/etc/check_mk/rrds/myrrd.rrd -D
NOTE: Using RRDtool Version 1.4.5
NOTE: Creating XML file '/tmp/myrrd.dump.1082430277' from '/etc/check_mk/rrds/myrrd.rrd'
NOTE: Searching for Spikes in XML file '/tmp/myrrddump.1082430277'
Size DataSource CF Samples NonNan Avg StdDev MaxValue MinValue MaxStdDev MinStdDev StdKilled VarKilled StdDevAvg VarAvg
---------- --------------- ---------- ------- ------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
1 mins 1 AVERAGE 2880 2657 209509.79 127307.51 500900.16 1530 0 0 2657 0 0 209351.87
1 mins 2 AVERAGE 2880 2652 5.81 1.16 11.43 2.73 17.41 0 2652 0 0 5.8
5 mins 1 AVERAGE 2880 531 209572.01 126806.63 500304.83 2401.56 0 0 531 0 0 208784.81
5 mins 2 AVERAGE 2880 530 5.82 1.04 10.7 3.57 16.19 0 530 0 0 5.81
30 mins 1 AVERAGE 4320 88 208835.31 126307.82 488536.87 5197.31 0 0 88 0 0 204630.94
30 mins 2 AVERAGE 4320 88 5.84 0.72 8.05 4.1 13.03 0 88 0 0 5.82
6 hours 1 AVERAGE 5840 0 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
6 hours 2 AVERAGE 5840 0 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
1 mins 1 MAX 2880 2657 209509.79 127307.51 500900.16 1530 0 0 2657 0 0 209351.87
1 mins 2 MAX 2880 2652 5.81 1.16 11.43 2.73 17.41 0 2652 0 0 5.8
5 mins 1 MAX 2880 531 211308.28 127291.49 500900.16 2619.45 0 0 531 0 0 210530.73
5 mins 2 MAX 2880 530 6.2 1.16 11.43 3.75 17.77 0 530 0 0 6.18
30 mins 1 MAX 4320 88 214962.64 127600.81 500900.16 9952.85 0 0 88 0 0 210306.38
30 mins 2 MAX 4320 88 7.49 1.09 11.43 5.27 18.39 0 88 0 0 7.42
6 hours 1 MAX 5840 0 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
6 hours 2 MAX 5840 0 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
1 mins 1 MIN 2880 2657 209509.79 127307.51 500900.16 1530 0 0 2657 0 0 209351.87
1 mins 2 MIN 2880 2652 200.68 2694.89 48866.02 3.22 20000 0 2652 0 0 108.96
5 mins 1 MIN 2880 531 208244.05 127277.6 499411.83 1530 0 0 531 0 0 207453.4
5 mins 2 MIN 2880 530 5.45 1 10.21 3.22 15.41 0 530 0 0 5.44
30 mins 1 MIN 4320 88 196106.56 126782.38 483752.74 1530 0 0 88 0 0 191131.96
30 mins 2 MIN 4320 88 4.78 0.75 7.18 3.22 12.29 0 88 0 0 4.77
6 hours 1 MIN 5840 0 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
6 hours 2 MIN 5840 0 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A
-> the columns StdKilled and VarKilled show the potential hits; to correct the hits from VarKilled, the call would be:
php /root/install/removespikes.php -R=/etc/check_mk/rrds/myrrd.rrd -M=variance
Windows 2012 WinSxS folder
-> contains all components; they are hard-linked
Clean up the WinSXS folder from superseded components
You can remove any backup files created during the installation of a service pack by using the following command:
dism /online /cleanup-image /SPSuperseded
Note that after you execute that command you will no longer be able to uninstall the service pack.
To further cleanup any superseded components and reduce the size of the component store execute:
dism /online /cleanup-image /StartComponentCleanup
C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Windows SDK --> free compiler version
http://ta.speot.is/2012/04/09/visual-studio-2010-sp1-windows-sdk-7-1-install-order/
Create a shortcut .. then enter services.msc .. done
Computer Management shortcut on the desktop: compmgmt.msc
Call: wmic PROCESS
Get-ChildItem *.dat | Foreach-Object {Get-Content $_ | Out-String | Foreach-Object {$_.Replace("altes Haus","neues Schloß")} | Set-Content $_}
makeNagiosLogReadable.pl
#!/usr/bin/perl
# Replace the epoch timestamp at the start of each nagios.log line
# with a human-readable date; optional argument: path to the log file.
use strict;
use warnings;

my $file = (defined $ARGV[0] && $ARGV[0] ne '') ? $ARGV[0] : '/var/log/nagios/nagios.log';
open(my $in, '<', $file) or die "cannot read Nagios log file $file: $!";
while (my $line = <$in>) {
    chomp($line);
    if ($line =~ /^\[(\d+)\](.*)$/) {
        my ($epoch, $rest) = ($1, $2);
        my ($sec, $min, $hour, $mday, $mon, $year) = localtime($epoch);
        my $datum = sprintf "%02d.%02d.%04d %02d:%02d:%02d",
            $mday, $mon + 1, $year + 1900, $hour, $min, $sec;
        print "[$datum]$rest\n";
    } else {
        print "$line\n";
    }
}
close($in);
xmllint --noout <your-file.xml>
X:\Users\benutzer\AppData\Roaming\Microsoft\Windows\Start Menu
for the individual user
and
C:\ProgramData\Microsoft\Windows\Start Menu
deployment batch:
set host=hostname
mkdir \\%host%\d$\MSSQL_backup
copy mssql_backup_check.vbs "\\%host%\d$\Program Files (x86)\check_mk\plugins"
sc \\%host% stop "check_mk_agent"
sleep 5
sc \\%host% start "check_mk_agent"
-------------
rem @echo off
rem source path without quotes; the copy command quotes it itself
set src=d:\my_files\check.ps1
for /f "eol= tokens=1" %%i in (d:\my_files\deploy.lst) do copy /v /y "%src%" "\\%%i\d$\Program Files (x86)\check_mk\local\"
yum install perf.x86_64
figlet -- http://www.figlet.org/
Read user info: net user username /dom
If EGit is missing in your Eclipse installation, you can install it via the Eclipse Update Manager: Help > Install New Software. EGit can be installed from the following URL: http://download.eclipse.org/egit/updates
Packet Name: Eclipse EGIT
Set up a server under CentOS
http://www.makethenmakeinstall.com/2012/04/git-part-1-intro-to-git-setup-a-git-server-on-centos-and-create-a-new-project/
http://www.makethenmakeinstall.com/2012/05/git-part-2-interacting-with-your-project/
part1 - set up the server on CentOS
- yum install git
- mkdir /git
- cd /git
- mkdir git_projekt1.git
- cd git_projekt1.git
- git init --bare # this command will initialize the server side of your new repository and set up the required git files and 'infrastructure.'
- sc query state= all #show all services
- sc stop Check_MK_Agent / sc start Check_MK_Agent
clonezilla is a great backup software like acronis trueimage or the Aomei Backupper. Clonezilla is an open source solution.
link to clonezilla: https://clonezilla.org/
links to other backup and recovery software:
- https://www.handyrecovery.com/best-data-backup-and-recovery-tools/ (overview over several tools)
- http://redorescue.com/ (redorescue was called http://redobackup.org/ before!!)
UNetbootin, Universal Netboot Installer
http://sourceforge.net/projects/unetbootin/?source=recommended
#show listening windows processes
netstat -ano |findstr LISTEN
#show processes
tasklist |findstr putty
netstat -antpe
1.) >> Fix it from Microsoft
https://support.microsoft.com/de-de/kb/958012
2.) Configuring Outlook to Not Send Winmail.dat Attachments
Set the Global Properties to have Outlook by default send your email in Hypertext Markup Language (HTML):
Outlook 2007: Select Tools > Options > Email Format > Internet Options. Select Convert to HTML format.
Outlook 2010 and 2013: Select File > Options > Mail and then scroll to the bottom of the dialog. Select Convert to HTML format.
$ wget -O speedtest-cli https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py
$ chmod +x speedtest-cli
$ ./speedtest-cli
ntpserver: 0.de.pool.ntp.org
w32tm /query /status
w32tm /config /syncfromflags:manual /manualpeerlist:0.de.pool.ntp.org /update /reliable:yes
w32tm /config /syncfromflags:manual /manualpeerlist:ntp /update /reliable:yes
net stop w32time
net start w32time
WSO is a PHP shell backdoor that provides an interface for various remote operations. It can perform everything from remote code execution and bruteforcing of servers to providing server information, and more.
example: http://snipplr.com/view/70661/
http://www.exploit-db.com/search/?action=search&filter_description=Linux+Kernel+2.6.32
check-for-backdoors-in-php-scripts
- maldet
- clamav
- https://github.com/emposha/PHP-Shell-Detector --> http://shelldetector.com/
>> http://www.xyz.de/_temp/PHP-Shell-Detector-master/shelldetect.php
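The tools listed above scan PHP files for backdoor indicators. As an added example, not code from the page or from PHP-Shell-Detector, the following Python script shows the kind of indicator matching such a scanner does: obfuscated code fed to eval(), shell functions called directly on request parameters, request parameters used as a function name, and unusually long base64 blobs. The indicator names, regexes and sample PHP snippets are constructed here for illustration; any production scan should treat hits as leads to inspect, not as proof.

```python
import re
from pathlib import Path

# Indicator patterns (constructed for this example; not PHP-Shell-Detector's rule set).
INDICATORS = {
    # eval() applied to decoded/decompressed data: classic obfuscation wrapper
    "eval_of_decoded_input": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # shell execution function called directly on a request parameter
    "exec_of_request_param": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    # request parameter used as a callable: $_GET['x'](...)
    "dynamic_function_from_request": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    # very long base64 literal embedded in source
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_source(src):
    """Return the sorted list of indicator names that match a PHP source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def scan_tree(root, suffixes=(".php", ".phtml", ".php5")):
    """Walk a directory tree; return {relative_path: [indicators]} for files with hits."""
    root = Path(root)
    hits = {}
    for p in root.rglob("*"):
        if not (p.is_file() and p.suffix.lower() in suffixes):
            continue
        try:
            src = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip, do not abort the whole scan
        found = scan_source(src)
        if found:
            hits[str(p.relative_to(root))] = found
    return hits


# Constructed sample sources used to exercise the scanner.
BENIGN_SAMPLE = "<?php\n$name = htmlspecialchars($_GET['name'] ?? '');\necho 'Hello ' . $name;\n"
OBFUSCATED_SAMPLE = "<?php\neval(gzinflate(base64_decode('PLACEHOLDER')));\n"
LONG_B64_SAMPLE = "<?php\n$blob = '" + "A" * 240 + "';\n"

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE),
                       ("long blob", LONG_B64_SAMPLE)):
        print(f"{label}: {scan_source(src)}")
    # Example of a real run (path is an assumption): scan_tree("/var/www/html")
```

Run scan_tree() against the document root and review every hit by hand; legitimate code (minifiers, template caches, vendored libraries) also trips the long-base64 and eval patterns, which is why the page's tools combine such signatures with hash lists and manual review.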
lsof -s | awk '$5 == "REG"' | sort -n -r -k 7,7 | head -n 20
create a new empty disk ... then swap the "flat file" ..
as described here: http://vmwareworld.blogspot.de/2011/05/recreating-missing-virtual-machine-disk.html
vmkfstools -c 64424509440 -a lsisas1068 -d thin hdd1.vmdk
ftp file sync tool + more
For those that don't have vCenter or want to connect to a stand alone ESXi 5.5 host via the vSphere Client,
you'll need to ssh into the ESXi host and modify the following file: /etc/vmware/rhttpproxy/config.xml
Insert the following xml line into the appropriate section:
<vmacore>
...
<ssl>
...
<cipherList>ALL</cipherList>
...
</ssl>
...
</vmacore>
After saving your changes restart the service (note that ALL re-enables every cipher OpenSSL offers, including weak ones, so treat this as a workaround for the old client rather than a permanent setting):
/etc/init.d/rhttpproxy restart
This happens if the last 6 characters of this path, ..../ruthwoodtli.ch/httpdocs/ (end of $temp_path), is NOT "typo3/" for some reason.
You may have a strange server configuration. Or maybe you didn't set constant TYPO3_MOD_PATH in your module?
If you want to debug this issue, please edit typo3/init.php of your TYPO3 source and search for the die()
call right after this line (search for this text to find)...
if you comment that out you get:
[PATH_TRANSLATED] => /usr/bin/modsec-clamscan.pl
solution:
In the file init.php located in typo3 folder is a variable called $temp_path.
The code seems to be unable to enumerate the
correct path within a php file located in the same folder
(like alt_doc.php).
$temp_path = str_replace('\\','/',dirname(PATH_thisScript).'/');
So I changed it to the absolute path like that...and
it's working.
$temp_path = "/var/www/vhosts/domain.tld/httpdocs/typo3/";
in our case: $temp_path = "/var/www/web062/html/typo3/";
use Fcntl ':flock';
# single-instance guard: take a non-blocking exclusive lock on the script's own file;
# if another copy already holds it, exit quietly
open SELF, '<', $0 or die "cannot open $0: $!";
flock SELF, LOCK_EX | LOCK_NB or exit;
Linux Malware Detect v1.4.2
http://www.rfxn.com/projects/linux-malware-detect/
A "Last Changed" is no problem in TYPO3 and can easily be inserted.
## Last Changed [Begin]
lib.lastUpdated = TEXT
lib.lastUpdated.data = page:SYS_LASTCHANGED
lib.lastUpdated.strftime = %d-%m-%Y %H:%M
lib.lastUpdated.wrap = <p>Last Changed: |</p>
## Last Changed [End]
The TYPO3 e-mail sender address can be adjusted in localconf.php. The keys are:
$TYPO3_CONF_VARS['MAIL']['defaultMailFromAddress'] = 'me@example.com';
$TYPO3_CONF_VARS['MAIL']['defaultMailFromName'] = 'Der Absender der Mail';
[TS]# Shows the content of the sysfolder with PID 12 at the marker ###TEST###
page.10.marks.TEST = CONTENT
page.10.marks.TEST {
table = tt_content
select {
pidInList = 12
orderBy = sorting
where = colPos= 0
}
}
[/TS]
... or alternatively include element #58
### Left special content (opening hours) ##
linke_info = RECORDS
linke_info {
tables = tt_content
source = 58
}
C:\Users\benutzername\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
+ registry:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
http://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/
mail.add_x_header = On
mail.log = /tmp/phpmail.log
Your php.ini will be in /etc/php.ini if you are using a RedHat based distro (Centos, Fedora, etc) and in /etc/php5/apache/php.ini if you run a Debian derivative (Ubuntu, etc)
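Once mail.log is enabled, the question is which script is doing the sending. The following Python script, added here as an example and not part of the linked article, parses lines of the shape PHP writes to mail.log ("[date] mail() on [script:line]: To: address -- Headers: ..."), counts sends per script and flags scripts that send unusually often or live outside the directories where legitimate mailers are expected. The sample log lines, the threshold and the expected directory are constructed assumptions; Unix-style paths are assumed (the script part of the regex stops at the first colon).

```python
import re
from collections import Counter

# Line shape written by PHP when mail.log is set (paths without colons assumed).
MAIL_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>[^:\]]+):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+)(?: -- Headers: (?P<headers>.*))?$"
)

# Constructed sample log: one legitimate contact form and one script in an upload directory.
SAMPLE_LOG = """\
[17-Jun-2013 11:26:43] mail() on [/var/www/html/contact/send.php:44]: To: office@example.org -- Headers: From: web@example.org
[17-Jun-2013 11:27:01] mail() on [/var/www/html/uploads/img/cache.php:3]: To: aaa@example.net -- Headers: From: promo@example.com
[17-Jun-2013 11:27:01] mail() on [/var/www/html/uploads/img/cache.php:3]: To: bbb@example.net -- Headers: From: promo@example.com
[17-Jun-2013 11:27:02] mail() on [/var/www/html/uploads/img/cache.php:3]: To: ccc@example.net -- Headers: From: promo@example.com
garbage line that does not match the format
[17-Jun-2013 11:30:10] mail() on [/var/www/html/contact/send.php:44]: To: office@example.org
"""


def parse_mail_log(text):
    """Parse mail.log text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAIL_LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["line"] = int(entry["line"])
            entries.append(entry)
    return entries


def sends_per_script(entries):
    """Count mail() calls per originating script path."""
    return Counter(e["script"] for e in entries)


def suspicious_scripts(entries, threshold=3, expected_dirs=("/var/www/html/contact",)):
    """Flag scripts that sent at least `threshold` mails or sit outside the known mailer directories.

    Returns {script_path: [reasons]} for flagged scripts only.
    """
    flagged = {}
    for script, n in sends_per_script(entries).items():
        reasons = []
        if n >= threshold:
            reasons.append(f"{n} sends")
        if not script.startswith(expected_dirs):
            reasons.append("outside known mailer directories")
        if reasons:
            flagged[script] = reasons
    return flagged


if __name__ == "__main__":
    entries = parse_mail_log(SAMPLE_LOG)
    for script, reasons in suspicious_scripts(entries).items():
        print(f"{script}: {', '.join(reasons)}")
    # Real use (path is an assumption): parse_mail_log(open("/tmp/phpmail.log").read())
```

With mail.add_x_header also on, each outgoing message carries an X-PHP-Originating-Script header, so a sample from the mail queue can be matched against the flagged paths before the offending file is removed.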
- indexing alternative sourceforge software: docfetcher
- agent ransack: 64bit version! http://mythicsoft.com/agentransack/download
- http://sourceforge.net/projects/docsearcher/
--> http://www.copernic.com/en/products/desktop-search/index.html --> copernic
--> out of support tool: google desktop search
-> it is probably due to 64-bit Windows
-> Solution: Microsoft Office 2010 Filter Packs: http://www.microsoft.com/de-de/download/confirmation.aspx?id=17062
sbs 2008 susdb to clean it up: http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/6ba524ba-6cf4-48f3-bcf3-18469ce14552/
Connecting to the Windows Internal Database requires the use of a Named Pipes connection. The connection string you want is:
\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
powershell: tail -f
powershell -command "gc D:\Qt\log\log_dispatcherRcvNotEdi.txt -wait"
old-style menu etc.: Classic Shell (SourceForge)
1.) reboot switch, connect to the console port
2.) select Boot Profile: 0. Service OS Console
3.) the prompt ServiceOS login: appears >> now enter "admin"
4.) prompt SVOS> appears >> now enter "password" >> then enter the new admin password twice
5.) enter "boot"
hint: the default password of a cx switch is nothing (blank), just press enter
*) tested with Aruba CX 6100, Version PL. 10.11.1005
run the dump
tcpdump -l -i eth0 -n not port 22 -w tcpdump.dump
--> read in the data
ntop -m 192.168.2.0/24 -f tcpdump.dump
Get-MailboxStatistics -server <Servername> | sort TotalItemSize | FT DisplayName,TotalItemSize
google analytics:
anonymous approach:
############# GOOGLE ANALYTICS ############
page.headerData.50 = TEXT
page.headerData.50.value (
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-xxxxx']);
_gaq.push(['_gat._anonymizeIp']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
)
C:\Programme\OpenVPN\bin\openvpn-gui.exe --config_dir C:\Programme\OpenVPN\config\ --connect d12345_v2.ovpn
Since System Restore is also among the system programs, try:
Start/Run and
%SystemRoot%\System32\restore\rstrui.exe
---> or simply enter rstrui
apt-cache search nikto
nikto - web server security scanner
Here are the steps that I did to build the rpm:
1. installed Red Hat 5.7 / 64 bit server on our VMWARE test (IP 192.168.172.23 / name rhel5-mw-64)
2. installed the following rpms from the 5.7 image:
rpm-build-4.4.2.3-22.el5
elfutils-0.137-3.el5
elfutils-libs-0.137-3.el5
gcc-4.1.2-51.el5
3. download the tool "checkinstall" .. this is a great tool to build rpms
- http://asic-linux.com.mx/~izto/checkinstall/download.php
--> saved to /root/checkinstall-1.6.2.tar.gz
--> extract: tar -xvzf /root/checkinstall-1.6.2.tar.gz
--> cd /root/checkinstall-1.6.2
--> make
--> make install
--> command "checkinstall" is now available
4. download the perl module -> source files from http://search.cpan.org/~mshoyher/TacacsPlus-0.16/TacacsPlus.pm
--> saved to /root/TacacsPlus-0.16.tar.gz
--> extract: tar -xvzf /root/TacacsPlus-0.16.tar.gz
--> cd /root/TacacsPlus-0.16
--> generate the make file: perl Makefile.PL
--> use now the command "checkinstall"
check install parameters:
- Should I create a default set of package docs? [y]: n
- Slackware [S], RPM [R] or Debian [D]? R
- description. TacacsPlus Perl Module
--> done:
Done. The new package has been saved to
/usr/src/redhat/RPMS/x86_64/TacacsPlus-0.16-1.x86_64.rpm
You can install it in your system anytime using:
5. problem / warning when running checkinstall: ERROR: ld.so: object ‘/usr/local/lib64/installwatch.so’ from LD_PRELOAD cannot be preloaded: ignored.
Solution: The problem occurs because the loader can’t find the shared object file. The solution is very simple. Assuming that the installwatch.so is located in /usr/local/lib, just type the following commands:
echo "/usr/local/lib64" >/etc/ld.so.conf.d/installwatch.conf
ldconfig
ln -s /usr/local/lib/installwatch.so /usr/local/lib64/installwatch.so
file: /etc/yum.repos.d/local.repo
[localrepo]
name=Red Hat 5.7 - My Local Repo
baseurl=file:///mnt/iso/Server/
enabled=1
gpgcheck=0
#gpgkey=file:///path/to/you/RPM-GPG-KEY
test with "yum update"
http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html#resetting-permissions-unix
1. Stop mysqld and restart it with the --skip-grant-tables option. This enables anyone to connect without a password and with all privileges. Because this is insecure, you might want to use --skip-grant-tables in conjunction with --skip-networking to prevent remote clients from connecting.
2. Connect to the mysqld server with this command: mysql
3. mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
4. mysql> FLUSH PRIVILEGES;
http://www.thegeekstuff.com/2011/05/iozone-examples/
run with iozone -a
for example to 5.6:
Use the 5.6 repos from the vault in your yum configs:
http://vault.centos.org/5.6/
[base]
#name=CentOS-$releasever - Base
name=CentOS-5.6 - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
baseurl=http://vault.centos.org/5.6/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
usw....
egrep -v '(^$|^#)' /etc/proxychains.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 10.10.10.10 1080
socks5 11.11.11.11 1080
-> switch to English:
https://www-304.ibm.com/support/docview.wss?uid=swg21195484
-> in the shortcut: "C:\Program Files\IBM\SDP75\eclipse.exe" -nl en_US -product com.ibm.rational.rsa4ws.product.v75.ide
-> 4 KB sector technology --> format under Linux:
https://bbs.archlinux.org/viewtopic.php?id=99626
--> create filesystem with 4096 block size!!!
mkfs.ext3 -b 4096 /dev/hdd1
/opt/IBM/TDI/V6.1.1/ibmditk
http://technet.microsoft.com/de-de/library/bb125064%28EXCHG.65%29.aspx
chkdsk
sfc /scannow
watch cat /proc/mdstat
iozone: http://www.iozone.org/src/current/iozone-3-397.i386.rpm
dd measurement: dd if=/dev/zero of=/opt/vmware/test bs=200MB count=1 oflag=direct
rsync measurement: rsync --progress test test4
/install/blackbox-0.70.1-1.el5.rf.i386.rpm
cat /root/.vnc/xstartup ---> insert blackbox at the end
Optimizing NTFS
8.3 file names
Up to Win95, file names could contain only 8 characters plus 3 characters for the file extension (.doc, .xls, .pdf). Since Windows 95, file names up to 259 characters are possible, yet every file name is additionally stored in 8.3 format. Since this function slows the system down and is only needed when the files are used on old DOS computers (which surely nobody does any more), this unnecessary function can safely be switched off.
To do so, enter fsutil behavior set disable8dot3 1 on the command line and press Enter.
If network problems occur afterwards, the 8.3 format can be switched back on with fsutil behavior set disable8dot3 0.
File access times
NTFS stores for every file when it was last used - but this function is needed only very rarely. Opening a large folder of pictures, for example, causes many unnecessary write operations, because the last access time is stored for each file (thanks to the file preview). Switching this off can considerably extend the lifetime of solid-state drives in particular.
To switch off this unnecessary storing, enter fsutil behavior set disablelastaccess 1 on the command line. For the change to take effect, the PC must be restarted.
To switch the function back on if needed, enter fsutil behavior set disablelastaccess 0 on the command line.
download boot cd:
http://www.sysresccd.org/Main_Page
cd c:\windows\System32\config
chntpw -l SAM
chntpw -u username SAM
find archive* -type f -print0 |xargs -0 grep -i m720bz *
Instructions for integrating drivers:
http://www.nu2.nu/pebuilder/help/german/drivers.htm
mount /dev/scd0 /tmp/cdrom/
A prompt for the RSA II or Management Module user name and password should be displayed.
The RSA II or Management Module comes with a default user name of "USERID" and default password of "PASSW0RD" (0 = zero).
lightning -> calendar module
echo "halloe wie gehts 1 2 3 4" | awk '{sub(/$3[ \t]/,""); o=$1; for (i=2;i<NF;i++)o=sprintf("%s:%s",o,$i); printf("%s\n",o)}'
halloe:wie:gehts:1:2:3
echo "halloe wie gehts 1 2 3 4" | awk '{sub($3"[ \t]",""); gsub(FS,":"); print}'
halloe:wie:1:2:3:4
http://www.imagemagick.org/Usage/thumbnails/#shadow
find . |grep -i jpg | awk '{system("identify -ping \"" $0 "\"" )}' |more
convert DSC05005.JPG -resize 1024x1024 DSC05005.JPG
#resize all pictures
find . |grep -i jpg | awk '{system("convert \"" $0 "\" -resize 1000x1000 \""$0"\"")}'
tif -> jpg
find . |grep -i tif$ | awk {'print "convert \""$0"\" \""$0".jpg\""'}
bmp -> jpg
find . |grep -i bmp$ | awk {'print "convert \""$0"\" \""$0".jpg\""'}
search in google
perl site:experts-exchange.com
perl exception handling:
Trap exceptions using eval{ ... }; if($@) { ... }
perl hacks:
print out module version:
perl -MLWP -le'print $LWP::VERSION'
find out which modules are missing:
perl -MLWP::Protocol::https -le'print LWP::Protocol::https::Socket->can("new")'
"%ProgramFiles%\Outlook Express\msimn.exe"
start->run->conf
kickstarter - extension kickstarter
automaketemplate
quixplorer - file browser
spamshield -> spam protector, stable extension
wt_spamshield standard mailform protection: http://typo3.org/documentation/document-library/extension-manuals/wt_spamshield/0.6.1/view/1/5/#id2343767
cc_random_image - random images (rsr)
rgmediaimages ---> embed videos
sh_coinslider - jquery slider: http://typo3.org/extension-manuals/sh_coinslider/1.0.1/view/1/1/
t3s-headerslider: http://www.t3solution.de/ext/t3s-headerslider.html
perfectlightbox
miflowplayer -> extension to play videos, mp4 etc.
-> but with /url
miflowplayer/models/class.tx_miflowplayer_model_config.php line 51:
from: $config['video']['url'] = $this->url."uploads/".$this->extKeyPrefix."/".$config['video']['url'];
to: $config['video']['url'] ="/uploads/".$this->extKeyPrefix."/".$config['video']['url'];
debugging:
//debugging
$TYPO3_CONF_VARS['FE']['debug'] = '1';
$TYPO3_CONF_VARS['SYS']['sqlDebug'] = '1';
$TYPO3_CONF_VARS['SYS']['Debug'] = '1';
$TYPO3_CONF_VARS['SYS']['displayErrors'] = '1';
.align-left { text-align: left }
.align-right { text-align: right }
.align-center { text-align: center }
.align-justify { text-align: justify }
http://www.typo3.net/backendkonfiguration/frontend_konfiguration/#pageNotFound_handling
localconf.php
$TYPO3_CONF_VARS['FE']['pageNotFound_handling'] = '1';
$TYPO3_CONF_VARS['FE']['pageNotFound_handling_statheader'] = 'Status: 404 Not Found';
- problem: formatting is not passed through:
--> add a TypoScript statement for the single element:
plugin.tt_news.displaySingle.content_stdWrap.parseFunc < lib.parseFunc_RTE
--> putting this statement into the sub-template of the corresponding single page helped
plugin.tt_news {
# apply RTE formatting in the FE output
general_stdWrap.parseFunc < lib.parseFunc_RTE
}
metatags
page.meta{
keywords.field = keywords
keywords.ifEmpty (
typo3, backend
)
description.field = description
description.ifEmpty (
Eine Einführung in das TYPO3 Backend und Tutorials zum CMS TYPO3
)
robots = INDEX,FOLLOW
}
Netview:
To subscribe, e-mail: nv-l-subscribe@lists.tivoli.com
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com
*NOTE*
This is not an Official Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)
---------------------------------------------------------------------
An unofficial Netview list archive is also at http://www.vk.net/lists
topas
increase filesystem: chfs -a size=+128M /install -> but check first if there are free PP .. using command: lsvg datavg
lscfg -vp|grep -p Cabi
- init process -> executes rc.boot
- rc.boot 1 //param 1: configure base devices
- rc.boot 2 //param 2: activate rootvg
-> init from boot logical volume is replaced with init from rootvg
-> new init processes the /etc/inittab file
-> rc.boot 3 is running again
/etc/inittab
#example entry
netview:23:wait:/etc/netnmrc #Start netview
#modify start map ...
/usr/OV/app-defaults/OVw #startinit
/usr/OV/conf/ovsuf #daemons started by netview
AIX,Apache
/etc/apache/httpd.conf //settings
/usr/local/bin/apachectl //start/stop
/usr/local/share/apache/htdocs //Document Root Directory
/var/apache/log/error_log //standard log file
add Alias Directory
in file /etc/apache/httpd.conf
Alias /Nways "/usr/tmp/"
<Directory "/usr/tmp">
    # Indexes lets the browser list the directory contents
    Options Indexes MultiViews
    Order allow,deny
    Allow from all
</Directory>
-> Test this in Browser: 127.0.0.1/Nways should work after restarting httpd
#disable apache
comment out: Listen *.:80 & Port 80
#enable ssl
rpm -i mod_ssl-2.8.4-9.s390.rpm
#mod_proxy
#apache module -> forward https-requests to other http ports ...
<IfModule mod_proxy.c>
    # ProxyPass (reverse proxy) does not need forward proxying; leaving
    # ProxyRequests on would turn the server into an open proxy
    ProxyRequests Off
    ProxyPass /vdradmin http://192.168.0.x:8012/
    ProxyPassReverse /vdradmin http://192.168.0.x:8012/
</IfModule>
#ssl redirect
#added by mwendig, 03.12.2004
#redirect to ssl
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/cgi-bin/(.*)$ https://10.0.0.1/cgi-bin/$1 [L,R]
#apache suse
SuSEconfig --module apache
tcpdump -n not port 22
tcpdump -nn -n not port 22 and not port 3389
tcpdump -nn -n not port 22 and src host 10.0.0.1
#microsoft ip range (parentheses so that "or" binds before "and")
tcpdump -i eth0 'portrange 5061-5067 and (src net 52.112.0.0/14 or src net 52.120.0.0/14)'
#only mac-address xxx
tcpdump -i vlan6 -vv -e ether host d8:cb:8a:cc:a3:45
sniffing mail traffic: -> option -s0 is important so that packets are not truncated
tcpdump -l -i eth0 -n not port 22 -s0 -w sniff4.txt
call with: tcpdump -e -n -q -r filename //reading from file
tcpdump -w filename //write to file
tcpdump -l //line-buffered output (when piping into another command)
more example .. very good page: https://danielmiessler.com/study/tcpdump/
IBM 8239
useful Commands:
display tr_surrogate ...
display rmon log_data All //out errors ...
display stack //model, version
display network_map all_stations //which MAC addresses are there?
display port all
display management_interface all //own MAC address ...
display trap_log
unwrap data_io //insert the RI or RO connection into the ring
display wrap_points //status of the data interface
save //save configuration
<strg>+<r> repeat last command
<strg>+<f> go forward in command protocol
<strg>+<b> go backward in command protocol
Beaconing is typically caused by a faulty station NIC or a faulty
attachment cable. The DISPLAY PORT command helps to locate it.
RI/RO status: if the LED is not on -> something is wrong with the remote unit!
pop 109/tcp # postoffice
pop3 110/tcp # postoffice
pop stream tcp nowait root /usr/local/lib/popper popper -s
pop3 stream tcp nowait root /usr/local/lib/popper popper -s
popper was downloaded from www.bull.de for aix
-> find popper under: /usr/local/bin/popper.aix
you find documentation under /usr/local/lib/qpopper-2.2/...
restart inetd with kill -HUP <inetdpid>
under aix: refresh -s inetd
debugging: telnet to popper port -> startup banner -> user <name> .. pass <passwd>
export LD_PRELOAD=/usr/lib/libtsocks.so
=>package tsocks
=>http://tsocks.sourceforge.net/
compile result:
- libtsocks.so - the libtsocks library
- validateconf - a utility to verify the tsocks configuration file
- inspectsocks - a utility to determine the version of a socks server
- saveme - a statically linked utility to remove /etc/ld.so.preload
if it becomes corrupt
Configuration file: '/etc/tsocks.conf'
unset LD_PRELOAD
/usr/src/packages/RPMS/s390/tsocks-1.8-1.s390.rpm
local = 192.168.2.0/255.255.255.0
path {
server = 192.168.2.99
reaches = 12.13.14.0/255.255.255.0
}
ifconfig eth0 mtu 1450 #change mtu size on linux
netstat:
netstat --tcp -lp #see which applications are listening on which ports
netstat -a #show both listening and non-listening sockets
netstat -p #show the PID to which each socket belongs
netstat -s #display summary statistics for each protocol
netstat -p -l #show active internet sockets and their PIDs
netstat -i #show mtu size
#make the mtu change permanent:
/etc/sysctl.conf
man sysctl
compy.ww.tu-berlin.de/Howto-DE/
fetchmail -u username <name>
- password can be stored in .fetchmailrc under root home
- password can be stored in .netrc in the user directory
-> see in "man ftp" for .netrc
-> syntax in .netrc: machine <name> login <userid> password <password>
/usr/bin/vmstat 2 2 |tail -n 1 |awk '{print $4; print 100-$16}'
dstat -d -r --top-io-adv --top-bio-adv
echo bla |mailx -s <subject> <user>
uuencode mylogfile1.log mylogfile2.log |mailx -s logfiles xxx@zzzz.de
www.socks.nec.com/s5examples.html
smitty chlicense //increase the number of users allowed to log in
snmptrap testnode 0 agentnode 6 1 0 system.sysDescr.0 octetstring bla bla
another example:
#send snmp test trap to receiver 192.168.2.10 from host 192.168.2.99
snmptrap -v 1 -c public 192.168.2.10 .1.3.6.1 192.168.2.99 6 17 '' .1.3.6.1 s "test trap"
#use tcpdump to watch incoming snmptraps
tcpdump -i <your interface> -nn port 162
http://kbase.redhat.com/faq/FAQ_79_2561.shtm
Resolution: The new way to add static routes on Red Hat Enterprise Linux systems is to create a file
/etc/sysconfig/network-scripts/route-ethX where X corresponds to the network interface you wish to use
the alternate route(s). This file deals with three fields: GATEWAY, NETMASK, and ADDRESS. Each field
should have a number appended to it indicating what route it relates to. The example below shows two
static routes configured for the eth0 network interface.
/etc/sysconfig/network-scripts/route-eth0
GATEWAY0=10.10.0.1
NETMASK0=255.0.0.0
ADDRESS0=10.0.0.0
GATEWAY1=10.2.0.1
NETMASK1=255.255.0.0
ADDRESS1=192.168.0.0
default route: route add 0.0.0.0 10.10.10.99 0.0.0.0
bootinfo -P 0 -s hdisk2 #physical partition size of hdisk2
bootinfo -r #amount of real memory
bootinfo -m #machine model code
free -o
ps -eo pid,ppid,rss,vsize,pcpu,pmem,cmd -ww --sort=pmem
The top 10 monopolizing processes are better found by sorting on a numeric key:
ps -eo pcpu,pid,user,args | sort -k 1 -r -n | head -10
-pwdadm
-chpass #freeware password tool
/etc/rc.d/boot.local
vi :g/x/s//y/g #on every line matching x, replace x by y
->s/192.168.1.30/192.168.1.20/g #in one line
->%s/192.168.1.30/192.168.1.20/g #in whole file
:260,284s/10.0.6.162/newhostname/g #line 260-284
I want to replace a string with another string in several text files. I tried the following command, which I read from a Linux book, but it doesn't work. Can anyone give me some help?
perl -pi -e "s/search/replace/g;" *.txt
perl -pi -e "s/\/usr\/local\/mrtg\/web\//\/usr\/local\/mrtg\/web\/10.0.6.162\//g;" *.cfg
perl -pi -e "s/\/usr\/local\/mrtg\/web\//\/usr\/local\/mrtg\/web\/10.149.158.52\//g;" *.cfg
example: lslpp -f X11.Dt.lib
smitty->AIX System Backup&Recovery
/var/ifor/i4blt -ls //list license manager
/var/ifor/i4blt -ll //list installed licenses
/var/ifor/i4blt -d -v "'IBM Corporation'" -p "'Nways Mgr AIX SUite' 2.0.T" -t 1231233123 //delete license for product ...
du -s dir
ls -l |awk '{print $9}' | xargs du -s #for each directory
/etc/hosts and the hosts=local,bind in the /etc/netsvc.conf
find . |xargs -n 1 chmod 644 #chmod for many files
find . -mtime +15 |xargs rm #delete file that is older than 15 days old
/usr/bin/find /home/backup/ -mtime +30 -type f -exec /bin/rm {} \;
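The xargs one-liners above break on file names containing spaces, and "find . -mtime +15 | xargs rm" also hands directories to rm. The following added example (not from the original notes) wraps the age-based cleanup in a function with a dry-run mode and uses find's own "-exec ... {} +", which batches arguments like xargs but passes every file name intact; the directory and file names in the demo are constructed.

```shell
# Added example: delete files older than N days, safely.
# $1 = directory, $2 = age in days, $3 = "dry" to only list candidates.
#  - -type f: never pass directories to rm
#  - -exec rm -f -- {} +: batches arguments like xargs, but file names with
#    spaces or newlines survive because no text pipe is involved
purge_old_files() {
    dir=$1 days=$2 mode=${3:-delete}
    if [ "$mode" = dry ]; then
        find "$dir" -type f -mtime +"$days" -print
    else
        find "$dir" -type f -mtime +"$days" -exec rm -f -- {} +
    fi
}

# Demo on a constructed directory: one file back-dated to 2001, one fresh
# file in a subdirectory whose name contains a space. Prints
# "<dry-run candidates> <files left after purge>", i.e. "1 1".
demo_purge() {
    d=$(mktemp -d)
    mkdir "$d/keep dir"
    : > "$d/old file.log"
    : > "$d/keep dir/new file.log"
    touch -t 200101010000 "$d/old file.log"      # constructed: mtime 2001-01-01
    dry=$(purge_old_files "$d" 15 dry | grep -c .)
    purge_old_files "$d" 15
    left=$(find "$d" -type f | grep -c .)
    rm -rf "$d"
    echo "$dry $left"
}
```

Run the dry mode first from cron or by hand and read the list; only then switch to the deleting call.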
nice #run a process with adjusted priority
backup #create an archive
restore #read from an archive
format /dev/rfd0.18 #format a floppy disk
dtterm -C #title console
errclear 0 #clear errorlog
errpt #print error log
startsrc -s inetd -a "-d" #debug info for syslog
nc XYZ | gzip -dc | dd of=/dev/hda bs=64k
dd if=/dev/hda of=/dev/hdX bs=256k
cp -aX / /mnt/
remount: mount -n -o remount,rw /
reiserfsck /dev/hdXY --check
reiserfsck /dev/hdXY --rebuild-tree
reiserfsck /dev/hdXY --rebuild-sb
>> if you have to repair something you have to use command "--rebuild-tree", and you should check with "--check"
adding user xyz to group trusted:
gpasswd -a xyz trusted
#######################
#using netcat
#######################
#see open ports on target ..
echo QUIT | nc -v -w 5 target 20-250 500-600 5990-7000
Netcat can be used as a simple data transfer agent, and it doesn't really
matter which end is the listener and which end is the client -- input at one
side arrives at the other side as output. It is helpful to start the listener
at the receiving side with no timeout specified, and then give the sending side
a small timeout. That way the listener stays listening until you contact it,
and after data stops flowing the client will time out, shut down, and take the
listener with it. Unless the intervening network is fraught with problems,
this should be completely reliable, and you can always increase the timeout. A
typical example of something "rsh" is often used for: on one side,
nc -l -p 1234 | uncompress -c | tar xvfp -
and then on the other side
tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234
will transfer the contents of a directory from one machine to another, without
having to worry about .rhosts files, user accounts, or inetd configurations
at either end.
sample entry in /etc/inetd.conf:
pop3 stream tcp nowait root /usr/sbin/pop3d pop3d
The Tk Perl debugger can be found at: http://world.std.com/~aep/ptkdb/ .
It also requires the Perl-Tk module (http://www.cpan.org or http://www.rpmfind.net).
The debugger is started like this: perl -d:ptkdb rrd_test.pl.
fdisk /dev/hdd
talk 5 / network 0 / LE-services
MIB-OID: .1.3.6.1.2.1.17.2.3 #dot1dStpTimeSinceTopologyChange
http://dotnot.org/blog/archives/2005/09/09/quick-nfs-howto-for-centos/
NFS under linux:
#export directory /home/nfsshare
/home/nfsshare 10.0.0.1(rw,no_root_squash,insecure) 10.0.0.2(rw,no_root_squash)
-> import under AIX using smitty nfs
check:
rpcinfo -p
=> 100003 2 udp 2049 nfs
on client:
/etc/fstab
lnxsni01:/usr/local/uar /mnt/share nfs rsize=8192,wsize=8192,timeo=14,intr,soft,tcp 0 0
lnxsni01:/usr/local/uar /mnt/share nfs rsize=8192,wsize=8192,timeo=14,intr,soft
include vfat partition
mount /dev/hda7 /mnt/hda7 -o id=your-login,gid=users
or have something like this for it in /etc/fstab
/dev/hda7 /mnt/hda7 vfat user,uid=your-login,gid=users 1 0
/dev/hda7 /mnt/hda7 vfat defaults,umask=000 1 0
/dev/hdb /cdrom iso9660 ro,noauto,user,block=2048 0 0
sysrestore -Nn -f /dev/rmt1 -t Directory -vx '/usr/OV'
-> command: wpostemsg -r CRITICAL probe="test of tec functionality" smc_action XYZ
-> on Tivoli TEC Console the event should appear - if not there is a problem.
- CISCO: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_4_1/mib/mover.htm
- CISCO: http://www.cisco.com/univercd/cc/td/doc/product/fhubs/fh400/index.htm
- CISCO: using ftp-server:
ftp.cisco.com
cd /pub/mibs
get README #all available files
CISCO
- software: http://sj-webadv.cisco.com/cgi-bin/webisapi.dll?Session=489378,U=54295,ST=82,N=6,K=802,P=Z,Case=515
- Documentation FastHub 400: http://www.cisco.com/univercd/cc/td/doc/product/fhubs/fh400/index.htm
echo 1 >/proc/sys/net/ipv4
Action                    | IOS                                                     | CatOS (set)
--------------------------|---------------------------------------------------------|------------------------------------------------------------
passwords                 | enable password level 1 <pwd>                           | set password <cr>
                          | enable password level 15 <pwd>                          | set enablepass <cr>
hostname                  | hostname <name>                                         | set prompt <name>
IP address                | (config)# ip address <ip> <mask>                        | (ena) set interf sc0 <ip> <mask>
                          |                                                         | set interf sc0 <vlan>
port description          | (config-if)# description <string>                       | set port name x/x <string>
speed                     | n/a                                                     | set port speed x/x {10|100|auto}
duplex mode               | (config-if)# duplex {auto|full|full-flow-control|half}  | set port duplex x/x {full|half}
conf. VLANs               | n/a                                                     | set vlan <vlan#> x/x
conf. trunk               | (config-if)# trunk on <vlan-range>                      | set trunk x/x [on|off|desirable|auto|nonegotiate] [isl|dot1q|dot10|lane|negotiate]
clear VLANs from trunk    | n/a                                                     | clear trunk x/x <vlan-range>
choose VTP version        | n/a                                                     | set vtp v2 enable
VTP domain + mode         | n/a                                                     | set vtp domain <str> password <str>
                          |                                                         | set vtp domain <str> mode [clslt]
show VTP                  | show vtp                                                | show vtp statistics
                          |                                                         | show vtp domain
VTP pruning               |                                                         | set vtp pruneeligible <vlan_range>
                          |                                                         | clear vtp pruneeligible <vlan_range>
                          |                                                         | show trunk
enable STP                | (config)# spantree <vlan_list>                          | set spantree enable x/x
                          |                                                         | set spantree disable x/x
                          |                                                         | set spantree enable all
                          |                                                         | show spantree <vlan>
STP root bridge           |                                                         | set spantree root <vlans> ..
STP port cost             | (config-if)# spantree cost <xx>                         | set spantree portcost 2/1 <xx>
STP priority              | (config-if)# spantree priority <xxx>                    | set spantree portpri x/x <xx>
Multicast                 | (config)# ip multicast-routing                          |
                          | (config-if)# ip pim {dense-mode|sparse-mode|sparse-dense-mode} |
                          | show ip pim interface [<if>] [count]                    |
                          | show ip pim neighbor [<if>]                             |
                          | (config)# ip pim rp-address <ip#> [group-access-list-number] [override] |
                          | (config)# ip pim send-rp-announce x/x scope <#> group-list <ad#> |
                          | (config)# ip pim send-rp-discovery scope                |
                          | (config)# ip multicast <xx> threshold <xx>              |
                          | show ip mroute                                          |
                          | debug ip mpacket [detail] [add] [group]                 |
                          | (config)# ip igmp join-group <gr#>                      |
                          | (config)# ip igmp version {2|1}                         |
                          | show ip igmp interface                                  |
                          | (config)# ip cgmp                                       | set cgmp enable
                          |                                                         | set cgmp leave
                          |                                                         | show cgmp statistics [<vlan>]
                          |                                                         | show multicast group cgmp [<vlan>]
Channel                   | (config)# port-channel mode [on|off|des]                | show port capabilities x/x
                          |                                                         | set port channel x/x {on|off|auto|desirable}
portfast                  | (config)# spantree start-forwarding                     | set spantree portfast x/x enable
uplinkfast                | (config)# uplink-fast                                   | set spantree uplinkfast enable
                          | show uplink-fast                                        | show spantree uplinkfast
                          |                                                         | show uplinkfast statistics
backbonefast              |                                                         | set spantree backbonefast
IP routing on route proc. | (config)# ip routing                                    | n/a
                          | (config)# router <protocol>                             |
                          | (config-router)# network <#>                            |
VLAN interface on ext. RP | Router(config)# int eth 2/1.1                           | n/a
                          | (config)# encapsulation isl <vlan#>                     |
default gateway           | ip default-gateway <ip addr>                            | set ip route default <ip addr>
MLS                       | (config)# mls rp ip                                     | set mls flow [destination|destination-source ..]
                          | (config-if)# mls rp vlan-id <#>                         | set mls enable
                          | (config-if)# mls rp vtp-domain <str>                    | set mls agingtime <#>
                          | (config-if)# mls rp ip                                  | show mls
                          | show mls rp                                             | show mls entry ..
                          | show mls rp vtp-domain                                  |
                          | (config-if)# mls rp management-interface                |
                          | show mls rp interface                                   |
                          | (config-if)# mls rp ip input-acl                        |
                          | show mls entry                                          |
HSRP                      | (config-if)# standby <gr#> ip <ip#>                     |
                          | (config-if)# standby <gr#> priority <pr#>               |
                          | (config-if)# standby <gr#> preempt                      |
                          | (config-if)# standby <gr#> timers <hello> <hold>        |
                          | (config-if)# standby <gr#> track <if> <prio>            |
                          | debug standby                                           |
                          | show standby [<if>|<gr#>|brief]                         |
- Ethernetcard: http://www2.neweb.ne.jp/wd/fbm/3c556/
use 3c59x module
- modem
Lucent softmodem
http://lisas.de/~david/t21/download/ltmodem-5.78e-1.src.rpm
http://lisas.de/~david/t21/download/ltmodem-2.4.3-5.78e-1.i386.rpm
- sound
Sound worked right out of the box. But when I tried playing DVD, the sound was really choppy, lagging a lot ... pretty badly screwed up! (I used omi_gtk dvd player from
the Livid project).
So I decided to use ALSA drivers as reccomended by quite a few people. I downloaded ALSA 0.5.8, untar it, and switched to the directory. Run these commands :
- ./configure --with-cards=cs461x
- make
- make install
After this, you can find the modules on /lib/modules/(kernel version)/misc directory.
Then, add these lines to /etc/modules.conf file :
alias char-major-116 snd
alias char-major-14 soundcore
alias snd-card-0 snd-card-cs461x
alias sound-slot-0 snd-card-0
alias sound-service-0-0 snd-mixer-oss
alias sound-service-0-1 snd-seq-oss
alias sound-service-0-3 snd-pcm-oss
alias sound-service-0-12 snd-pcm-oss
- TokenRing: try ibmtr_cs.o
http://www.linuxtr.net/newhowto/Token-Ring.html
I have a Token Ring Auto 4/16 Credit Card Adaptor that works good with my SuSE setup. One major key to getting it to work was
having at least the 3.x.x series of PCMCIA card services loaded onto your machine. Additionally in your conf.modules file you'll need the
following verbage:
alias tr0 ibmtr_cs mmiobase=0xd6000 srambase=0xd8000 ringspeed=[16]|[4] sramsize=16 irq_list=9
/etc/pcmcia
-> config.opts
# Options for IBM Token Ring adapters
module "ibmtr_cs" opts "mmiobase=0xd000 ..." <- comment out
- PCI Devices
lspci -v
lspci -vv
- emergency boot (single-user, entered at the boot prompt)
linux init 1
- DHCP
dhclient
- ICA Client
/opt/Citrix/ICAClient
- Token Ring Card
To get the IBM Turbo tokenring 4/16 to work on a Thinkpad 770(9548) I did
the following.
Kernel 2.2.10
pcmcia-cs-3.0.13 And edit '/etc/pcmcia/config.opts' like this
#
# Local PCMCIA Configuration File
#
include port 0x100-0x4ff, port 0x1000-0x17ff
include memory 0xc0000-0xfffff
#
# Extra port range for IBM Token Ring
#
include port 0xa00-0xaff
#
# Resources we should not use, even if they appear to be available
#
# First built-in serial port
exclude irq 4
# Second built-in serial port
#exclude irq 3
# First built-in parallel port
exclude irq 7
module "ibmtr_cs" opts "m
use pump from redhat, should be working if installed ...
- Firewall logs
on management server:
- fw logswitch name
- del $FWDIR\log\name.log
- del $FWDIR\log\name.alog
- script for log files
@ECHO OFF
REM Edit below to modify fw directory
set FWDIR=C:\WINNT\FW
for /F "tokens=1-4 delims=/ " %%i in ('date /t') do (
set DayOfWeek=%%i
set Month=%%j
set Day=%%k
set Year=%%l
set Date=%%i %%j/%%k/%%l
)
cd \
cd %FWDIR%\log
ren fwd.log fwd.%Year%%Month%%Day%.log
ren fwui.log fwui.%Year%%Month%%Day%.log
ren mdq.log mdq.%Year%%Month%%Day%.log
ren sam.log sam.%Year%%Month%%Day%.log
ren aclientd.log aclientd.%Year%%Month%%Day%.log
ren aftpd.log aftpd.%Year%%Month%%Day%.log
ren ahttpd.log ahttpd.%Year%%Month%%Day%.log
ren arlogind.log arlogind.%Year%%Month%%Day%.log
ren asmtpd.log asmtpd.%Year%%Month%%Day%.log
rem atelnetd.log atelnetd.%Year%%Month%%Day%.log
..\bin\fw kill fwd
..\bin\fw d
-----
rc= &docommand("$FWEXE logexport -i $todaylog -o $MYLOG -n");
date | awk '{print $6"_"$3"_"$2"_fw.tar"}'
-> gives a filename like: 2001_8_May_fw.tar
set date:
date -s "11/20/2003 12:48:00"
date -s "12:48"
date -s "11/20/2003"
Then if you want to set the hardware(BIOS) clock so the system will keep the time when it reboots type:
clock -w
or
setclock
shell script:
#!/usr/bin/sh
filename=`date | awk '{print $6"_"$3"_"$2"_fw.tar"}'` #no spaces around "=" in a shell assignment
tar -cvf /home/backup/$filename /tmp/*.*
#put STDOUT together
( echo "please check the directory $CHECKDIR\n"; ls -l $CHECKDIR; )
cat austria.usernams |awk '{print tolower($1)}'
IDLEPOS=`eval /usr/bin/vmstat 1 1 | /usr/bin/awk '/ sy /{i=1; while (i<NF) {if ($i~/sy/) print i; i+=1}}'`
vmstat 1 5 | awk 'BEGIN{ID=0}; / id /{i=1; while (i<NF) {if (tolower($i)~/id/) {ID=i; printf("ID in column %s\n", ID)} ; i+=1}} ; /^ [0-9]+/{print $ID}'
at 10:00 /every:Mo,Di,Mi,Do,Fr "e:\test.cmd"
ps -ef |grep xclock |awk '{print $2}' |xargs kill
mypids=`ps uxw | grep ssh-agent | grep -v grep | awk '{print $2}'`
mypids=`ps $psopts 2>/dev/null | grep "[s]sh-agent" | awk '{print $2}'` > /dev/null 2>&1
cat hostlist |awk '{print $1 " 1"}' |xargs ping
#!/usr/bin/ksh -fx
rftpp 10.10.10.10 <<xxx 2>&1 | tee -a $0.log
prompt
verbose
mget *AVAIL*
bye
xxx
#for automatic authentication create a file ".netrc"
#start script one hour later, if failure
#(note: $? after a pipeline is the exit status of tee, not of the ftp command)
if [ $? -ne 0 ] ; then
at now next hour <<yyy
$0
yyy
fi
Perl
If you are behind a firewall, you may need to set the following
environment variables so that PPM will operate properly:
set HTTP_proxy=address:port [e.g. 192.0.0.1:8080]
set HTTP_proxy_user=username
set HTTP_proxy_pass=password
set HTTP_proxy_agent=agent [e.g. "Mozilla/5.0"]
Installing Modules:
set HTTP_proxy=http://proxy:80/ #windows
export http_proxy=http://proxy:80/ #unix
-> search tk
-> install "module name"
-> perl -MCPAN -eshell
LINUX
runsocks perl -MCPAN -eshell
-> o conf // see config
-> o conf ftpproxy proxy // modify ftp proxy
-> o conf commit // save config
-> o conf urllist push http://cpan.noris.de/
- man perldebug
- perl -d -e 42
commands in debug mode:
h #help
b [line] [condition] #set breakpoint
b [subname] [condition] #breakpoint to sub name
L #List breakpoints and actions
Perl timestamp
use Time::localtime;        # provides ctime()
open(INFILE, '<', $filename) or die "cannot open $filename: $!";
my ($dev, $ino, $mode, undef, undef, undef, undef, undef,
    $atime, $mtime, $ctime) = stat INFILE;
close(INFILE);
my $mdate = ctime($mtime);  # last modification
my $adate = ctime($atime);  # last access
my $cdate = ctime($ctime);  # last inode change
print "$filename:mtime:$mtime:$mdate\n";
print "$filename:atime:$atime:$adate\n";
print "$filename:ctime:$ctime:$cdate\n";
-> libgd.a was missing: download gd library e.g. http://www-frec.bull.com/download/aix432/gd-1.8.4.0.exe
-> for gd-1.8.4.0 you need:
- http://www-frec.bull.com/download/aix432/jpeg-6.0.2.0.exe
- http://www-frec.bull.com/download/aix432/freetype-1.3.1.0.exe
- http://www-frec.bull.com/download/aix432/xpm-3.4.11.0.exe
BASH
Prompt
[tux] $ export PS1="Hallo \u, bin in \w \$" #change the prompt
Hallo tux, bin in ~ $
And the prompt is already more personal.
As you can see, everything after a "\" has a special meaning; here is a small excerpt of the possibilities:
\$
Prompt character: $ for normal users and # for root
\!
Command number, think of history
\#
Command number within the current shell session
\d
Date
\h
Hostname (machine name)
\t
Current time in 24-hour format
\u
Username (user)
\w
Current directory
\W
Last component of the current directory
-> ~/.bashrc
export PS1="...."
---> export PS1="[\u@host04 \w]# "
place where ssh-keys are stored:
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
winscp:
place where ssh-keys are stored:
HKEY_CURRENT_USER\Software\Martin Prikryl
Solution: use "set paste" in vi, or make it the default in /etc/vim/vimrc ...
ssh -R 6010:localhost:6000 remotehost
-> export DISPLAY=localhost:10
remotehost:> ssh +x netview system
in .profile
DISPLAY=`who -mT |sed 's/ */ /g' |cut -d' ' -f7 | sed 's/(//'g | sed 's/)//'g`":0"
export DISPLAY
tty -s && ifconfig -a|awk '/^(en|eth|hsi)[0-9]+/{getline;"uname -n"|getline L; printf("\033]2;%s -- %s \007\n", $2,L);exit}'
tty -s && {
cat /etc/SuSE-release
# update putty terminal window header
HOST=$(ifconfig -a |awk -v U=$USER -v H=`uname -n` '/^(en|eth|hsi)[0-9]+/{getline;if ($2~/addr/){$2=substr($2,6)};printf("\033]2;%s@%s -- %s \007\n", U,$2,H) | "/bin/cat 1>&2";print $2; exit}')
export HOST
PS1='$USER@${HOST}:${PWD#$HOME/}$ '
}
vi
The standard full-screen editor available under Unix.
Using Command mode
ZZ - save file and exit
:q! - exit without save
:w - write buffer to disk
h (left) j (down) k (up) l (right)
ndw - delete n words (default for n = 1)
nx - delete n characters (default for n = 1)
ndd - delete n lines (default for n = 1)
- - go to start of previous line
^ - go to first non-blank character of current line
0 - go to first column of current line
$ - go to end of current line
nG - go to nth line of file (default for n = 1)
nyy - yank and save n lines
p - put down lines saved
Using INSERT MODE
<esc> - exit INSERT mode
i - enter INSERT mode ; insert to left of cursor
a - enter INSERT mode ; insert to right of cursor
A - enter INSERT mode ; add at end of current line
o - enter INSERT mode ; add a new line after current line
O - enter INSERT mode ; add a new line before current line
/<pat> - search from cursor down for pattern <pat>
?<pat> - search from cursor up for pattern <pat>
n - go to next occurrence of last pattern indicated
N - go to previous occurrence of last pattern indicated
date
displays the current date and time. (OPTIONAL)
Syntax:
date
date +<format>
<format> may contain the following
a abbreviated day (Sun to Sat)
d day of the month
D date in month/day/year format
h abbreviated month (Jan to Dec)
H hour (00 to 23)
j day of the year (001 to 366)
m month of the year (01 to 12)
M minutes (00-59)
r time in A.M./P.M. notation
y last two digits of year (00 to 99)
S seconds (00 to 59)
T time in hours:minutes:seconds format
w day of the week (0 to 7, Sun=0)
n newline
t tab
Example:
$ date
Wed Aug 7 10:44:34 MST 1991
$ date '+%a %t %h %t %y'
Tue Dec 93
$ date '+%d%t%D%t%H'
07 12/07/93 09
$ date '+%r%n%T'
09:35:16 AM
09:35:16
Serial Cable 2 Linux
-> /etc/inittab
-> S0:123:respawn:/sbin/agetty -L 9600 ttyS0
-> reboot
-> connect serial nullmodem cable to serial port
-> use HyperTerminal / Tera Term ....
-> login, enjoy hacking over serial ;-)
Network Time protocol: NTP
linux: ntpdate IP-address
linux packet: ntp-4.0.99k-15
#ntp time synchronization
30 1 * * * /usr/sbin/ntpdate ntp1.ptb.de
-----------------------------------------------
information from colleague F:
install ntp and put these 4 lines in /etc/ntp.conf
server xyz
multicastclient
driftfile /var/lib/ntp/drift/ntp.drift # path for drift file
logfile /var/log/ntp # alternate log file
-----------------------------------------------
#check difference
/usr/sbin/ntpq -c peers
ntp1.ptb.de
DE ptbtime1.ptb.de
DE ptbtime2.ptb.de
DE ntp0.fau.de
DE ntp1.fau.de
DE ntp2.fau.de
DE ntp3.fau.de
DE ntps1-0.cs.tu-berlin.de
DE ntps1-1.cs.tu-berlin.de
DE rustime01.rus.uni-stuttgart.de
net time /setsntp:"192.168.0.1"
net time /querysntp
Registry: see HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
update the time automatically:
net time \\w2ktsv /set /yes
program for windows:
http://home.att.net/~Tom.Horsley/ntptime.html#Download%20NTPTime
LINUX:
hwclock --systohc #set the system time from the hardware clock
AIX user settings
-> .profile ins Home
-> /etc/.kshrc
.kshrc
set -o emacs
if [ "${TERM:=vt100}" = "ibm3151" ]; then
alias _A=^P
alias _B=^N
alias _C=^F
alias _D=^B
alias _H=^A
alias _P=^D
alias _q=^E
else
alias __A=^P
alias __B=^N
alias __C=^F
alias __D=^B
alias __H=^A
alias __P=^D
alias __q=^E
fi
set -o vi
ESC - #previous command
ESC + #next command
ESC / #search
access control:
To protect a directory with user and password in Apache, 2 files must exist in that
directory: ("/home/httpd/htdocs/")
.htaccess
.htpasswd
to test whether .htaccess is honoured at all:
#Rewrite Test
ErrorDocument 404 http://www.google.de
-> then request an invalid page that does not exist
-> solution:
echo HOST.DOMAIN.com > /etc/hostname
/bin/hostname -F /etc/hostname
Contents of .htaccess:
AuthUserFile /home/httpd/htdocs/.htpasswd
AuthGroupFile /dev/null
AuthName TMT
AuthType Basic
<Limit GET>
require valid-user
</Limit>
After creating this file, go e.g. to:
"http://www.inch.com/commercial/web/server/apache/htpasswd.html"
The resulting entry then looks e.g. like this: TMTuser:rcyjBGYsfasdf0FOfs
Add this entry to the .htpasswd and save it.
The directory is now protected!
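The procedure above generates the password hash on a third-party web page, which means the plaintext password leaves the machine. The following added example (not from the original notes) produces the same kind of .htpasswd entry locally with openssl's Apache MD5 ("apr1") format, which mod_auth accepts, and replaces an existing entry for the user instead of appending a duplicate. User names, passwords and the file path in the demo are constructed.

```shell
# Added example: build and maintain .htpasswd entries locally.
# $1 = user, $2 = password; prints "user:$apr1$salt$hash" (Apache MD5 format).
make_htpasswd_entry() {
    command -v openssl >/dev/null || { echo "openssl not found" >&2; return 1; }
    # the password is fed on stdin, so it never appears in the process list
    digest=$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin) || return 1
    printf '%s:%s\n' "$1" "$digest"
}

# $1 = .htpasswd path, $2 = user, $3 = password.
# Removes any existing line for the user, appends the new entry, and keeps the
# file unreadable for "other" (the web server group still needs read access).
set_htpasswd_user() {
    file=$1 user=$2
    entry=$(make_htpasswd_entry "$user" "$3") || return 1
    tmp="$file.tmp"
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" > "$tmp" || true   # grep exits 1 when nothing is left
    else
        : > "$tmp"
    fi
    printf '%s\n' "$entry" >> "$tmp"
    mv "$tmp" "$file" && chmod 640 "$file"
}

# Demo on a constructed temporary file: setting the same user twice must leave
# one line for that user. Prints "<lines> <TMTuser lines>", i.e. "2 1".
demo_htpasswd() {
    f=$(mktemp)
    set_htpasswd_user "$f" TMTuser 'first-password'
    set_htpasswd_user "$f" TMTuser 'second-password'
    set_htpasswd_user "$f" webadmin 'other-password'
    lines=$(grep -c . "$f")
    users=$(grep -c '^TMTuser:' "$f")
    rm -f "$f"
    echo "$lines $users"
}
```

Basic authentication sends the password base64-encoded, not encrypted, so this is only as private as the transport; combine it with the SSL setup further down. The .htpasswd file itself is best kept outside the DocumentRoot, or Apache's default "<Files .ht*>" deny rule must stay in place so that the hashes cannot be fetched over HTTP.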
-> Problem: htaccess still does not work!
-> /etc/http/conf/httpd.conf
-> in the section:
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and / or disabled in that
# directory (and its subdirectories).
<Directory />
AuthAuthoritative Off
AuthName "TMT User"
AuthType Basic
AuthUserFile /home/httpd/htdocs/.htpasswd
Options FollowSymLinks
require valid-user
</Directory>
Load php module:
httpd.conf
LoadModule php4_module libexec/libphp4.so
AddModule mod_php4.c
AddType application/x-httpd-php .php
ssl mod_ssl
from http://www.apache-ssl.org/#FAQ
removing passphrase:
openssl rsa -in server.key -out server.pem
Now I've got my server installed, how do I create a test certificate?
Step one - create the key and request:
openssl req -new > new.cert.csr
Step two - remove the passphrase from the key (optional):
openssl rsa -in privkey.pem -out new.cert.key
Step three - convert request into signed cert:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
The Apache-SSL directives that you need to use the resulting cert are:
SSLCertificateFile /path/to/certs/new.cert.cert
SSLCertificateKeyFile /path/to/certs/new.cert.key
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
add user to group apache ..
chgrp apache apachectl
% chmod 4510 apachectl
% chmod 4510 httpd
The execution order is important. If you swap the command execution order you will lose the setuid bit.
Now if we look at the file we see:
% ls -l apachectl
-r-s--x--- 1 root apache 32 May 13 21:52 apachectl
MRTG under AIX
downloaded gcc from www.bull.de
-> install following AIX packets from AIX CDs
- bos.adt.base
- bos.adt.include
- bos.adt.debug
-> get mrtg source:
cd /usr/local/src
gunzip -c mrtg-2.9.17.tar.gz | tar xvf -
cd mrtg-2.9.17
./configure --prefix=/usr/local/mrtg-2
grep over several zipped files
unzip
find *.tar.Z | xargs zcat >out.temp
ls *.tar.Z |xargs zcat >out.temp
LINUX & NOTES
The most frequent question I get about Notes and Linux: If you are using
Windows NT, do not let WINE use your Windows NT directory as its "Windows"
directory (specified in wine.conf or wine.ini). Instead, point WINE at a Win95/98
directory or create a fake "Windows" directory and use that. If Lotus Notes complains
about missing DLLs, you can find the missing DLLs in the Lotus Notes installer
directories and put them in the Windows directory.
Howto (for systems that can dual-boot Linux and Win95/98/NT)
1.Boot into Win98/95/NT and install a copy of Lotus Notes client for Win32 on a
FAT or FAT32 drive partition.
2.If your notes.ini file is in your Windows directory, move it to your Notes executable
directory.
3.Boot into Linux and mount your FAT / FAT32 drive partitions. You may need to set
up entries in /etc/fstab for Linux to recognize and mount these partitions.
4.Verify that you have set up the X Window system and your window manager of
choice.
5.Download a copy of WINE (open-source Windows on UNIX) from
http://www.winehq.com/ WINE is evolving rapidly, each week brings new changes
and greater functionality, so it pays to stay current. WINE releases are named by
release date; releases before 981108 do not run Lotus Notes very well. You can
download binaries in .RPM format or download the source code and build it
yourself.
6.Create or edit the wine.ini file in your home directory. Make sure it includes
mappings for your Windows drives and that your Notes executable directory is on
the path. I run WINE as root (recommended!) so the file should be placed in
/root/wine.ini.
7.If you are using Windows NT, do not set your Windows NT system directory as the
Windows directory under WINE. WINE does not work well with the Windows NT
versions of system DLLs. Better to use an empty "Windows" directory instead.
8.Start the X Window system and your window manager
9.Start Lotus Notes using WINE. You can start 'notes.exe'. My DOS D: drive
partition is visible to linux as /mnt/windows, so: ./wine
/mnt/windows/Lotus/Notes/notes.exe
Second Address Book
Posted by js ha on 10.May.02 at 04:32 AM using a Web browser
Category: Domino Administrator -- General UseRelease: 5.0.4Platform: Windows NT
you may use 2 approaches.
1) Using Master Address Book ; See the Admin Help database!
2) - classic/simple concept - you should add parameter 'names=names,newly_created_addr_name' in server's notes.ini.
expired user ...> recertify with the admin tool,
then, very important, restart adminp (in the console):
tell adminp process all new
AIX - vmstat
-> install:
- It's in the perfagent.tools fileset on your AIX distribution.
- Look for bos.acct on the second installation disk.
-> #vmstat 2 20
> kthr memory page faults cpu
> ----- ----------- ------------------------ ------------ -----------
> r b avm fre re pi po fr sr cy in sy cs us sy id wa
> 0 2 81249 807 0 0 0 0 0 0 431 997 69 0 1 91 8
> 0 2 81249 800 0 1 0 0 0 0 482 2300 148 1 2 41 56
> 0 3 81249 783 0 0 0 0 0 0 507 727 203 0 3 6 91
> 0 2 81249 685 0 0 0 0 0 0 508 2588 102 1 2 68 29
> 0 2 81250 678 0 0 0 0 0 0 447 2393 138 1 1 86 11
> 0 2 81250 677 0 0 0 0 0 0 438 1594 89 0 1 94 4
> 0 2 81299 611 0 0 0 0 0 0 450 2658 129 1 2 88 9
> 0 2 81419 460 0 0 0 0 0 0 467 3099 162 2 3 79 16
>
Hi,
first look response, ( it's a long time I took AIX Perf & Tuning :-)
r = 0 : no jobs running, not so good
b = 2 : 2 jobs waiting I/O, not so good too
avm = 80K : 320 Mb of active Ram for jobs
fre = 800 : free slots ... not many
middle columns = 0 : no paging activity : good: no Ram shortage, no Disk I/O
in,sy,cs : device interrupts, system time, context switch, average load
us = 1 : doing nothing for you
sy = 2 : doing nothing for itself
idle = 90 : wasting CPU cycles
wa = 5-90 : waiting for slow devices to answer, should be network, since not
paging
-AIX: Installation
Base Install /w Trusted Computing Base
Add following:
*bos.acct 4.3.3.0 {needed for vmstat, iostat, etc.}
*bos.dosutil 4.3.3.0 {needed for dosread/doswrite of floppy disks}
*bos.net.tcp.server 4.3.3.0 {needed for tcpdump and iptrace}
*bos.sysmgmt.trace 4.3.3.0 {needed for trace command}
*bos.adt.syscalls 4.3.3.0 {needed for CP VPN-1/FW-1}
--<man pages: install if really necessary, not recommended>---
*bos.data 4.3.3.0 {needed for man pages}
*bos.txt.tfs 4.3.3.0 {txt formatting, needed for man pages}
System-mrtg:
Workdir: /some/path
Target[home.cpu]: `/usr/bin/awk '/cpu /{print $2+$3; print $2+$3+$4; print "quite some time"; print "home"}'</proc/stat`
Title[home.cpu]: Processor stats at home
PageTop[home.cpu]: <H1>Processor stats</H1>
MaxBytes[home.cpu]: 100
Unscaled[home.cpu]: ymwd
Options[home.cpu]: growright,nopercent
LegendI[home.cpu]: user:
LegendO[home.cpu]: total:
Ylegend[home.cpu]: %
ShortLegend[home.cpu]: %
Legend1[home.cpu]: Time spent in user mode
Legend2[home.cpu]: Time spent in user mode + time spent in system mode
Legend3[home.cpu]: Maximum occurrence of time spent in user mode
Legend4[home.cpu]: Maximum occurrence of (time spent in user mode + time spent in system mode)
under AIX:
->> vmstat under aix:
Target[home.cpu]: `/usr/bin/vmstat |tail -n 1 |awk '{print 100-$16; print $14}'`
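The vmstat one-liners on this page (the "print 100-$16" line earlier, the awk loops that search for the "sy"/"id" header position, and the MRTG Target just above) all depend on where a column sits, and that differs between AIX and Linux vmstat. The following added example (not from the original notes) locates the "id" and "fre"/"free" columns by header name and reports CPU busy percent and free memory from the last sample line, so the same function works for either layout; the two vmstat outputs embedded below are constructed samples in the AIX and Linux formats.

```shell
# Added example: read vmstat columns by header name, not by fixed position.
# Reads vmstat-style text on stdin and prints "<cpu busy %> <free memory>"
# taken from the last data line (the first line of "vmstat n m" is the
# since-boot average, so the last sample is the one worth reporting).
vmstat_cpu() {
    awk '
        # header line: the one that contains an "id" column; note positions once
        /(^| )id( |$)/ && !id {
            for (i = 1; i <= NF; i++) {
                if ($i == "id") id = i
                if ($i == "fre" || $i == "free") fre = i
            }
            next
        }
        # data lines start with a number; keep overwriting so the last one wins
        id && $1 ~ /^[0-9]+$/ { busy = 100 - $id; freemem = $fre }
        END { if (id) printf("%d %s\n", busy, freemem); else exit 1 }'
}

# Constructed AIX-style sample ("id" is column 16, "fre" column 4)
AIX_SAMPLE='kthr     memory             page              faults        cpu
----- ----------- ------------------------ ------------ -----------
 r  b   avm   fre  re  pi  po  fr   sr  cy  in   sy  cs us sy id wa
 0  2 81249   807   0   0   0   0    0   0 431  997  69  0  1 91  8
 0  2 81419   460   0   0   0   0    0   0 467 3099 162  2  3 79 16'

# Constructed Linux-style sample ("id" is column 15, "free" column 4)
LINUX_SAMPLE='procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 812345 123456 654321    0    0     5    12  210  380  3  1 95  1  0'

aix_demo()   { printf '%s\n' "$AIX_SAMPLE"   | vmstat_cpu; }   # prints "21 460"
linux_demo() { printf '%s\n' "$LINUX_SAMPLE" | vmstat_cpu; }   # prints "5 812345"
```

For a live reading, pipe real output in: "vmstat 2 3 | vmstat_cpu". The function exits non-zero when it finds no "id" header, so a changed vmstat format shows up as a failed check instead of a silently wrong graph.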
comp.dcom.net-analysis
comp.dcom.net-management
comp.dcom.lans.ethernet
comp.dcom.fax
comp.dcom.servers
comp.dcom.sys.cisco
comp.dcom.vpn
comp.doc.management
comp.groupware.lotus-notes.programmer
comp.groupware.lotus-notes.admin
comp.groupware.lotus-notes.misc
comp.groupware.lotus-notes.apps
comp.os.linux.networking
comp.protocols.snmp
comp.unix.aix
comp.unix.shell
comp.lang.perl.tk
Netview:
the command "ovtopofix -U" works wonders: it makes Netview update all symbols, i.e. => the symbol change
described in the file /usr/OV/conf/C/oid_to_sym takes effect ;-))))
see when a symbol changed: ovtopodump -l 4xxxx00011
8260: redbook gg244370
p. 47 Superuser Reset
8260 Multiprotocol Intelligent Switching Hub
MRTG - DISKSPACE script
#!/bin/sh
# Get diskspace and inode consumption for MRTG.
# by Jeff Liebermann 04/15/98
#
# usage: script_name Filesystem
# i.e. script_name /dev/root
#
# The format belched by df -v -i
# Mount Dir Filesystem blocks used free %used iused ifree %iused
# / /dev/root 1050000 972132 77868 93% 59872 71384 46%
# /stand /dev/boot 30000 16414 13586 55% 14 3746 1%
# /u /dev/u 600000 252560 347440 43% 4259 70741 6%
# /usr/spool /dev/news 184492 5830 178662 4% 8 23056 1%
#
# Grab last line of df -v -i and remove percent signs
drivel=`df -v -i $1 | tail -1 | tr -d %` # just one Filesystem
# Break apart into fields using IFS separators
set -- $drivel
# Print % diskspace used, % inodes used, filler, filler.
# The $6 and $9 are the 6th and 9th fields of the df output.
# printf is used because "echo" with "\n" escapes is not portable across shells.
printf '%s\n%s\n0\n0\n' "$6" "$9"
-----
# Part of mrtg.cfg
Target[rdf.1]: `dff.sh /dev/root`
Title[rdf.1]: Comix Disk Usage /dev/root
PageTop[rdf.1]: <H1>Comix Disk Usage /dev/root</H1>
Options[rdf.1]: growright, gauge, nopercent
MaxBytes[rdf.1]:100
Unscaled[rdf.1]: dwmy
YLegend[rdf.1]: % Used
ShortLegend[rdf.1]: %
Legend1[rdf.1]: Avg Percent Diskspace Used
Legend2[rdf.1]: Avg Percent Inodes Used
LegendI[rdf.1]: Diskspace
LegendO[rdf.1]: Inodes
MRTG Latency script
> I'm looking for scripts to measure latency in my IP network. Can someone
> help ?
Well, since you didn't specify an operating system, I'll assume
that you're following in my footsteps and doing battle with NT4
as a server. Note that the following requires that you use the
ping.exe supplied with Windoze 95/98 instead of the useless ping
supplied with NT4. See the MRTG stuff somewhere on:
http://www.lns.com
which is from where I stole the script. I also have a somewhat
different version for Linux (RH 7.1) but which I can't get to
as I managed to break SSH and can't grab it.
------------
# MRTGPING.PL
# Plagiarized by Jeff Liebermann from original by Tim Pozar.
# 09/14/00 First hack for NT4.
use strict;
use warnings;
# Target address comes from the command line; fall back to "NULL" when it is missing.
my $ipaddr = defined $ARGV[0] ? $ARGV[0] : "NULL";
my $numpings = 3;
if ($ipaddr eq "NULL"){
  print "Usage mrtgping.pl [ipaddress]\n";
  exit;
}
# Note that "ping95.exe" is the Windoze 95/98 version
# and not the useless ping supplied with NT4.
#
# Windoze ping will return...
# Minimum = 494ms, Maximum = 574ms, Average = 520ms
my $result = `ping95 -n $numpings $ipaddr | find /i "average" `;
# No "Average" line means the host did not answer: still hand MRTG its 4 lines.
if (!defined $result || $result !~ /average/i) {
  print "0\n0\n0\n$ipaddr\n";
  exit;
}
# Break result apart at the commas.
chomp($result);
my ($Mins,$Maxs,$Avgs) = split(/,/,$result);
# Break each value apart at the = sign.
my ($Mint,$min) = split(/=/,$Mins);
my ($Maxt,$max) = split(/=/,$Maxs);
my ($Avgt,$avg) = split(/=/,$Avgs);
# Remove the "ms" at the end.
my $min1 = substr($min,0,-2);
my $max1 = substr($max,0,-2);
my $avg1 = substr($avg,0,-2);
$min1 =~ s/ //g;
$max1 =~ s/ //g;
$avg1 =~ s/ //g;
# Belch results in 4 lines.
print "$avg1\n";
print "$max1\n";
print "0\n";
print "$ipaddr\n";
------------
If Perl is a bit of a heavy hammer, the following is what
I use on my SCO Unix OSR5 3.2v5.0.5 machines. The use of
the first ping return is intentional as I'm trying to plot
the latency of the Starband satellite flying cache, which
caches everything except the first packet.
#!/bin/sh
# by Jeff Liebermann 04/15/98
#
# Record ping times.
#
# Results of:
# ping -c 1 -s 1024 bloat
#
# PING bloat (192.168.111.30): 1024 data bytes
# 1032 bytes from bloat (192.168.111.30): icmp_seq=0 ttl=128 time=10 ms
#
# --- bloat ping statistics ---
# 1 packets transmitted, 1 packets received, 0% packet loss
# round-trip min/avg/max = 10/10/10 ms
# Really disgusting way to get rid of extra leading spaces
# by feeding it to a shell variable. Ugly at best.
#
# usage: whatever machine_name_or_ip
# i.e. whatever bloat.comix.santa-cruz.ca.us
#
retch=`ping -c 1 -s 1025 $1 | grep "time"` # extract line with ping time.
set -- $retch # break apart into fields using IFS separators
ping=`echo $8 | cut -c 6-` # field 8 is "time=xxx"; drop "time=" and keep xxx
echo $ping # ping time in ms
echo $ping # ping time in ms (same value for the second MRTG variable)
echo "0" # Filler
echo "0" # Filler
#
CPAN & AIX
enter CPAN shell: perl -MCPAN -eshell
use wget to fetch data
fetch ftp data from a site:
wget -r ftp://user:password@hostname
o conf init #-> regenerate CPAN init
http_proxy=http://proxy:80
-> urllist:
http://cpan.noris.de
http://perl.org
reload index #reload index if url has changed ...
cpan> i /TK/ #searches for Tk
install modulename
install a module into a specific directory:
perl Makefile.PL PREFIX=/home/user/test/lib_v5.8 (lib_v5.8 is the directory name - specify the full directory name)
make
make install
cat /etc/issue
Perl - Activestate
ppm #install CPAN packages
search mail
install Mail-Sender
crontab:
cygrunsrv -I cron -p /usr/sbin/cron -a -D
Cygwin - XServer for Windows ..
http://sources.redhat.com/cygwin/xfree/
-> install cygwin -> start the console, run the install script from the xserver sources ...
-> afterwards: add /usr/X11R6/bin to the PATH in /etc/profile
-> startx
-> grab X windows from a remote host: XWin -screen 0 800x600 -query 192.168.1.50 -from 192.168.1.10
german keyboard:
-> create .xinitrc: cp /etc/X11/xinit/xinitrc ./.xinitrc
-> setxkbmap de
#background color:
file .xinitrc
xsetroot -solid blue
# start some nice programs
setxkbmap de
twm &
xclock -geometry 50x50-1+1 &
xterm -geometry 80x50+494+51 &
xterm -geometry 80x20+494-0 &
xsetroot -solid blue
exec xterm -geometry 80x66+0+0 -name login
XWin.exe -screen 0 800 600 -fullscreen -depth 32 -refresh 85 -emulate3buttons 100 -nowinkill -unixkill
X-forwarding
SSH-> AIX: /usr/local/etc/sshd_config
-> X11Forwarding yes
start after reboot: -> /etc/rc.tcpip
-> /usr/local/sbin/sshd
FILE SYSTEM AIX
1.) create Logical Volume
smitty->System Storage Management->LVM->Logical Volumes->Add
->choose rootvg->enter name & Number of Logical Partitions (size)
(PP size: use the command lsvg rootvg)
2.) create Filesystem on Logical Volume
smitty->System Storage Management->File Systems ->Add
-> Journaled File System -> "Add on a Previously Defined Logical Volume!!!"
->choose Logical Volume name defined before
->enter mount point of file system
->mount automatically -> <YES>
go
3.) mount defined filesystem!!
evolution
CISCO
-> see debugging from vty's: terminal monitor
netflow: (http://net.doit.wisc.edu/~plonka/FlowScan/INSTALL.html)
->
First and foremost, to get useful flow information from your Cisco, you'll need to enable flow-switching on the appropriate ingress interfaces using this interface-level configuration statement:
ip route-cache flow
Also, I suggest that you export from your Cisco like this:
ip flow-export version 5 peer-as
ip flow-export destination 10.0.0.1 2055
Of course the IP address and port are determined by your cflowd.conf. To help ensure that flows are exported in a timely fashion, I suggest you also do this if your IOS version supports it:
ip flow-cache timeout active 1
Some IOS versions, e.g. 12.0(9), use this syntax instead:
ip flow-cache active-timeout 1
unless you've specified something such as downward-compatible-config 11.2.
Lastly, in complicated environments, choosing which particular interfaces should have ip route-cache flow enabled is somewhat difficult. For FlowScan, one usually wants it enabled for any interface that is an ingress point for traffic that is from inside to outside or vice-versa. You probably don't want flow-switching enabled for interfaces that carry policy-routed traffic, such as that being redirected transparently to a web cache. Otherwise, FlowScan could count the same traffic twice because of multiple flows being reported for what was essentially the same traffic making multiple passes through a border router. E.g. user-to-webcache, webcache-to-outside world (on behalf of that user).
charts using: http://www.caida.org/tools/utilities/graphing/
-> Graph.pm
$i =~ s/^\s+//; #remove leading whitespaces
$i =~ s/\s+$//; #remove ending whitespaces
use Storable qw(store retrieve );
print "write data to disk:";
store(\%typeHash, $file) or die "can't store hash\n";
print "\n\n open datastructure";
$href = retrieve($file);
CISCO
- see access lists: show ip interface
- cancel ping: <Ctrl> + <Shift> + <6>, then <x>
- RMA - return damaged machines
- BUG Toolkit -> see homepage
- proxy arp -> adapter in workstation gets information about new default-gateway
-> you should use HSRP instead!!
- see debug info on vty: terminal monitor
TOP N Port: CAT OS
- show top background
- show top report
- clear top #
-> get with mib: 1.3.6.1.4.1.9.5.1.20.2.1.4
rpm directory: /usr/src/packages/RPMS/s390/freeradius-1.0.0-1.s390.rpm
rpm -hiv --force --nodeps file.rpm #force it ;-)
rpm -q -a #list all install packages ..
rpm -qa --last #orders the package listing by install time so that the latest packages are at the top
rpm -q -p file.rpm #checks given rpm-files, see version number
rpm -q -p -i file.rpm #see information about given rpm-files
rpm -q -p -l file.rpm #listing of all files belonging to this package
rpm -q -l file.rpm #see files of installed .rpm file
rpm -q --requires file.rpm #-> shows packages/libs that are needed
rpm -q --provides file.rpm #-> shows packages/libs that will be installed by this package
rpm -Va #see missing files #verify ..
rpm -qf /usr/bin/smbmount #find out which package owns it
rpm -Fvh openssh*.rpm #Then, install the package using the following command to apply the update:
rpm -ba foobar-1.0.spec #building a rpm file
rpm -bb foobar-1.0.spec #building only binary rpm
- copy files specified in spec file to /usr/src/packages/BUILD
s390: stored under /usr/src/packages/RPMS/s390/
Use the command 'rpm/rpmbuild -ta dante-<version>.tar.gz' to build all rpm files.
rpm --rebuild src.rpm #make binary rpm => /usr/src/redhat
#force install of package from other architecture
rpm -iv --force --nodeps --ignorearch freeradius-IBM-bluegroup-1-14.s390.rpm
-> build "noarch" rpm
rpm -bb --target=noarch specfile
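"rpm -Va" above is the integrity check of the list; what it prints still has to be read. The following is an added example (not from these notes) that triages a verification report: it skips expected edits to config and documentation files and reports content, permission and missing-file findings. The report text is constructed sample input in the format rpm -V uses; live_triage() runs the real command.

```shell
#!/bin/sh
# Added example (not from the notes above): triage the output of "rpm -Va".
# Each line starts with a 9-position flag string: S size, M mode, 5 digest,
# D device, L link, U user, G group, T mtime, P capabilities ("." = unchanged,
# "?" = not checked), then an optional attribute marker (c config, d doc,
# g ghost, l license, r readme) and the path. Files that are gone print
# "missing" instead. SAMPLE_VERIFY is constructed sample input.

SAMPLE_VERIFY=$(cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libz.so.1
S.5....T.    /usr/bin/ps
missing     /usr/sbin/lsof
.M.......    /usr/bin/passwd
..5....T.  d /usr/share/doc/rpm/README
EOF
)

# triage_verify REPORT -> "MISSING path" or "SUSPECT path flags" for each line that matters
triage_verify() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print "MISSING " $NF; next }
        {
            flags  = $1
            marker = (NF == 3) ? $2 : ""
            path   = $NF
        }
        # edits to config, doc, licence and readme files are expected; skip them
        marker == "c" || marker == "d" || marker == "l" || marker == "r" { next }
        # a changed size or digest, or changed permissions, on anything else
        # (binaries, libraries) is what an integrity check is looking for
        substr(flags, 1, 1) == "S" || substr(flags, 3, 1) == "5" || substr(flags, 2, 1) == "M" {
            print "SUSPECT " path " " flags
        }'
}

# count_findings REPORT -> number of MISSING/SUSPECT lines
count_findings() {
    triage_verify "$1" | awk 'END { print NR }'
}

# live_triage -> run the real verification on this host (needs the rpm database)
live_triage() {
    triage_verify "$(rpm -Va 2>/dev/null)"
}
```

On the sample report this flags /usr/bin/ps (size and digest changed), /usr/bin/passwd (mode changed) and the missing /usr/sbin/lsof, and stays quiet about sshd_config. Keep in mind that rpm -V compares against the local rpm database; if that database is itself in doubt, verify against the original package file with rpm -Vp instead.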
apt-get -sy upgrade
apt-get clean #remove unused packages
apt-get autoclean #remove unused packages
#problem with apt-get update under ubuntu
-> resolution:
The fix is just to back up sources.list, delete everything in it and run "apt-get update".
After the update replace sources.list with the backup and run "apt-get update" again. You should not get the error then.
-> another resolution:
sudo apt-get update -o Acquire::http::No-Cache=True
or
sudo apt-get update -o Acquire::BrokenProxy=true
RPM update of libraries:
To add the new library to the shared library cache you have to run
ldconfig(8) as root. Additionally every program that is linked with
libmcrypt needs to be restarted. ldd(1) can be used to find out which
libraries are used by a program.
Another way to determine which process uses a shared library that
had been deleted is:
lsof -n 2>/dev/null | grep RPMDELETE | cut -d " " -f 1 | sort | uniq
lsof - list open files
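The lsof pipeline above answers "which processes still run old library code after an update". The block below is an added example (not from these notes) that does the same over lsof output and also handles the "(deleted)" marker lsof shows when the old file was unlinked rather than renamed. SAMPLE_LSOF is constructed sample output; live_check() runs it against the real lsof.

```shell
#!/bin/sh
# Added example (not from the notes above): list processes that still map a
# shared library whose file on disk has been replaced or removed, i.e. the
# processes that need a restart after a library update. lsof marks such
# mappings with "(deleted)"; rpm on some distributions renames the old file
# with a ";..." or RPMDELETE suffix instead. SAMPLE_LSOF is constructed input.

SAMPLE_LSOF=$(cat <<'EOF'
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
sshd       1203     root  mem    REG  253,0   163200  393521 /usr/lib64/libcrypto.so.1.1;5f3a1b2c (deleted)
sshd       1203     root  mem    REG  253,0  2156592  393010 /usr/lib64/libc-2.28.so
httpd      1510   apache  mem    REG  253,0   163200  393521 /usr/lib64/libcrypto.so.1.1;5f3a1b2c (deleted)
httpd      1510   apache  mem    REG  253,0    99200  401200 /usr/lib64/libz.so.1.2.11
postgres   1622 postgres  mem    REG  253,0   312000  410001 /usr/lib64/libpq.so.5;RPMDELETE
bash       1700     root  txt    REG  253,0  1150000  262300 /usr/bin/bash
EOF
)

# stale_lib_users LSOF_OUTPUT -> "COMMAND PID LIBRARY" for each mapped file that is gone on disk
stale_lib_users() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                              # header line
        $4 != "mem" && $4 != "txt" { next }           # only mapped code and libraries
        $NF == "(deleted)" { path = $(NF - 1); stale = 1 }
        $NF ~ /;(RPMDELETE|[0-9a-f]+)$/ { path = $NF; stale = 1 }
        stale { sub(/;.*$/, "", path); print $1, $2, path; stale = 0 }' |
    sort -u
}

# restart_candidates LSOF_OUTPUT -> distinct program names that need a restart
restart_candidates() {
    stale_lib_users "$1" | awk '{ print $1 }' | sort -u
}

# count_stale LSOF_OUTPUT -> number of stale mappings found
count_stale() {
    stale_lib_users "$1" | awk 'END { print NR }'
}

# live_check -> the same against this host (run as root to see every process)
live_check() {
    stale_lib_users "$(lsof -n 2>/dev/null)"
}
```

Run ldconfig first, as the text says, then restart everything restart_candidates lists; a process that keeps the old libcrypto mapped is still running the unpatched code however up to date the package database looks.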
AIX
lslpp -L |fgrep bos.compat #see software listings
If the Aventail SOCKS server does not forward the network packets as expected, the connection order may need to be changed.
To do that, check the Connect directory:
Aventail: change connection order
-> c:\Program Files\Aventail\Connect
-> SPMOD->Layered Service Providers: Aventail to top!
Crossover cable (pin mapping; pins 1, 2, 3 and 6 are swapped, 4, 5, 7, 8 stay):
1 <-> 3      TX+ (1) <-> (3) RX+
2 <-> 6      TX- (2) <-> (6) RX-
3 <-> 1      RX+ (3) <-> (1) TX+
4 <-> 4
5 <-> 5
6 <-> 2      RX- (6) <-> (2) TX-
7 <-> 7
8 <-> 8
Regular end:
|1|2|3|4|5|6|7|8|
 ^ ^ ^     ^
And at the crossover end:
|3|6|1|4|5|2|7|8|
 ^ ^ ^     ^
Health check guide: Cisco 6509 MSFC router (IOS based)
1) Password syntax - according to the rules - password on line con 0 and line vty ...
2) Timeout on telnet and console sessions (recommended: 15 min) - the default setting is 30 min (no "exec-timeout 0 0")
3) SNMP community - at least 14 characters - according to the rules - command "snmp-server community ..."
4) Business use notice - banner motd - must be configured - the company text goes here
5) syslog must be written out to a server ("logging <ip_of_server>"); we consider the default logging level "informational"
sufficient
6) IP source routing disabled - the statement "no ip source-route" must be in the config
7) Check the router's access list - the router should be reachable via telnet only from the management network
a) access-list 1 permit 10.10.10.0 x.x.x.x
b) line vty 0 4
access-class 1 in
Health check guide: Cisco 6509 switches (CatOS based)
1) Password syntax - according to the rules - not enforceable without TACACS - set the password via set password / set enablepass
2) Timeout on telnet and console sessions - probably not configurable on CatOS (no command found in the command reference)
3) SNMP community - at least 14 characters - according to the rules - read-write-all must be set like read-write
4) Business use notice - set banner motd - must be configured - the company text should be in here
5) syslog must be written out to a server ("set logging server <ip_of_server>", "set logging server enable");
the default logging level "informational" should be enough
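The two health-check lists above are meant to be walked by hand. As an added example (not part of these notes), the script below runs the IOS items that can be read from a saved "show running-config" (items 2 to 7) against a configuration file, and prints one FAIL line per finding. SAMPLE_CFG is a constructed weak configuration and HARDENED_CFG the same configuration with the findings fixed; neither is real device output. The script goes one step beyond the list with a check that an "enable password" (type 7, reversible) is not used without an "enable secret". The CatOS items use different syntax and are not covered.

```shell
#!/bin/sh
# Added example (not part of the notes above): check a saved IOS configuration
# ("show running-config" redirected to a file) against the IOS health-check list.
# SAMPLE_CFG and HARDENED_CFG are constructed sample configs, not device output.

SAMPLE_CFG=$(cat <<'EOF'
hostname msfc-demo
enable password 7 PLACEHOLDER_TYPE7
snmp-server community public RO
banner motd ^C
Authorized company use only.
^C
logging 10.10.10.50
ip source-route
access-list 1 permit 10.10.10.0 0.0.0.255
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 15 0
 access-class 1 in
EOF
)

HARDENED_CFG=$(cat <<'EOF'
hostname msfc-demo
enable secret 5 PLACEHOLDER_HASH
snmp-server community Lk9vQ2pX7mNz4rTb RO
banner motd ^C
Authorized company use only.
^C
logging 10.10.10.50
no ip source-route
access-list 1 permit 10.10.10.0 0.0.0.255
line con 0
 exec-timeout 15 0
line vty 0 4
 exec-timeout 15 0
 access-class 1 in
EOF
)

# audit_ios CONFIG_TEXT -> one "FAIL: ..." line per health-check item that is not met
audit_ios() {
    cfg=$1

    # 2) idle timeout: "exec-timeout 0 0" disables it on that line
    printf '%s\n' "$cfg" | grep -q '^ *exec-timeout 0 0' &&
        echo "FAIL: exec-timeout 0 0 found (idle timeout disabled on a line)"

    # 3) SNMP community strings must be at least 14 characters long
    printf '%s\n' "$cfg" |
        awk '$1 == "snmp-server" && $2 == "community" && length($3) < 14 {
                 print "FAIL: SNMP community \"" $3 "\" shorter than 14 characters" }'

    # 4) business-use notice
    printf '%s\n' "$cfg" | grep -q '^banner motd' ||
        echo "FAIL: no banner motd configured"

    # 5) syslog to a server
    printf '%s\n' "$cfg" | grep -Eq '^logging (host )?[0-9]' ||
        echo "FAIL: no syslog server (logging <ip>) configured"

    # 6) IP source routing must be disabled
    printf '%s\n' "$cfg" | grep -q '^no ip source-route' ||
        echo "FAIL: \"no ip source-route\" missing"

    # 7) the vty lines must carry an inbound access-class
    printf '%s\n' "$cfg" |
        awk '/^line vty/ { invty = 1; next }
             /^line / || /^!/ { invty = 0 }
             invty && /access-class [0-9]+ in/ { found = 1 }
             END { if (!found) print "FAIL: no \"access-class ... in\" on line vty" }'

    # beyond the list: "enable password" is type 7 (reversible); require "enable secret"
    if printf '%s\n' "$cfg" | grep -q '^enable password' &&
       ! printf '%s\n' "$cfg" | grep -q '^enable secret'; then
        echo "FAIL: enable password used without enable secret"
    fi
}

# count_fails CONFIG_TEXT -> number of FAIL lines
count_fails() {
    audit_ios "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}
```

Usage: audit_ios "$(cat running-config.txt)". The sample configuration yields four findings (console timeout disabled, short SNMP community, source routing not disabled, reversible enable password); the hardened one yields none.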
IOS:
ntp peer x.x.x.x prefer
ntp peer x.x.x.x
CAT OS:
set ntp timezone cet1
set ntp summertime eet
set ntp summertime enable
set ntp client enable
set ntp server x.x.x.x
export TERM=xterm-color
#vmstat
/usr/bin/vmstat 2 2 |tail -n 1 |awk '{print $3; print 100-$16}'
LDAP
#--> list of currently running requests - very useful!!
ldapsearch -s base -b cn=workers,cn=monitor -D cn=root -w pass objectclass=*
ldap samples:
get account status:
ldapsearch -h 10.10.10.10 -b dc=org,dc=com -D ... -s one -a never 'uid=mysuser' gecos pwdChangedTime pwdAccountLockedTime pwdExpirationWarned
Schema:
read out the schema:
ldapsearch -x -b cn=schema -s base objectclass=*
#synchronize directories
ldapdiff -b dc=org,dc=com -sh localhost -sp 389 -sD cn=root -sw xyz -ch ldap2 -cp 389 -cD cn=root -cw ? -v -a -F
mount -t smbfs -o username=xxxx,password=xxxx //test12/mnt /windows/test12
//servername/team /mnt/team smbfs credentials=/root/.smbpasswd,uid=ldapsupp,gid=ldapsupp,fmask=660,dmask=775,rw 0 0
kernel >2.6
mount -t cifs -o <username>,<password> //<servername>/<sharename> /mnt/point/
mount -t cifs -o credentials=/root/.smbpasswd //10.10.0.13/webbackup /opt/backup_server/
#######
# mount error(95)
#######
#if you get an error like: mount error(95): Operation not supported, it may help to use version 3 of the smb protocol!
mount -t cifs -o user=user1,password=pwd2,vers=3.0 //<servername>/<sharename> /mnt/point/
>>> in my case this was necessary for a mount from Debian 10 to a Qnap Discstation TS-231P after the Discstation was updated to version QTS 5.0.1.2194 (2022/10/22); before that the mount worked without version 3.0
smbclient -U Administrator -L w2ktsv
man -k #man pages keyword
lslpp -w /usr/local/bin/ssh
lslpp -f filesetname
xsetroot -solid blue
kornshell
set -o emacs
<CTRL> + <R> last command
<CTRL> + <R> one more back
or
<r> "last command" #repeat last command
Cisco Tacacs Settings ...
aaa new-model
aaa authentication login default group tacacs+ local
enable password 7 10481C1751161ABC
tacacs-server host 192.168.1.107 key testnetz
netstat -lnp
Linux disk performance
hdparm -v /dev/hdx #check settings
hdparm -t /dev/hdx #find out actual read speed
hdparm -d1 #set DMA mode
hdparm -c1 #set 32BIT Access
#hard disk standby time:
hdparm -Sx /dev/hda
example:
hdparm -S60 /dev/sdc
/dev/sdc:
setting standby to 60 (5 minutes)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
For servers, edit AutoShareServer with a REG_DWORD value of 0. For workstations,
edit AutoShareWks.
And of course you have to disable the shares yourself; without the key in the registry
the shares are active again next time.
I just want masquerading! Help!
This is what most people want. If you have a dynamically allocated IP PPP dialup (if
you don't know, you do have one), you simply want to tell your box that all packets
coming from your internal network should be made to look like they are coming from the
PPP dialup box.
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Note that you are not doing any packet filtering here: for that, see the Packet
Filtering HOWTO: `Mixing NAT and Packet Filtering'.
#transparent proxy with squid
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#inspect with: iptables -L -t nat
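The HOWTO text above points out that the three masquerading commands do no packet filtering at all: with ip_forward set to 1 and an ACCEPT policy on FORWARD, anything that reaches the box can be routed in either direction. The script below is an added example (not from the HOWTO or these notes) that puts the MASQUERADE rule together with a stateful FORWARD policy: established replies in, new connections only from the internal prefix out. The interface names ppp0/eth1, the prefix 192.168.1.0/24 and the file name nat.sh are assumptions; DRY_RUN=1 prints the commands instead of executing them so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not part of the NAT HOWTO text above): the MASQUERADE rule
# together with the stateful FORWARD filtering the HOWTO says is missing here.
# Interface names and the LAN prefix are assumptions for the example;
# DRY_RUN=1 prints each command instead of executing it, so the rule set can
# be reviewed before it is applied as root.

WAN=${WAN:-ppp0}                      # upstream / dialup interface (assumed)
LAN=${LAN:-eth1}                      # internal interface (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}    # internal prefix (constructed)

# run CMD ARGS... -> execute the command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_nat() {
    # 1) masquerade everything leaving through the WAN interface (as in the HOWTO)
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # 2) forwarding policy: drop by default, then allow only two directions
    run iptables -P FORWARD DROP
    #    replies to connections the LAN opened may come back in
    run iptables -A FORWARD -i "$WAN" -o "$LAN" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    #    new connections only from the internal prefix, out the WAN side
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    #    anything else that tried to cross is logged (rate-limited) before the DROP policy hits it
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # 3) enable forwarding only after the rules are in place
    run sysctl -w net.ipv4.ip_forward=1
}

# rule_count -> number of iptables commands setup_nat issues (from a dry run)
rule_count() {
    (DRY_RUN=1; setup_nat) | grep -c '^iptables'
}

# Usage (file name nat.sh assumed):
#   review:        DRY_RUN=1 sh -c '. ./nat.sh; setup_nat'
#   apply as root:           sh -c '. ./nat.sh; setup_nat'
```

Setting the forwarding bit last matters: between "echo 1 > ip_forward" and the first filter rule the box is an open router, so the order in the HOWTO (rule first, forwarding second) is kept here. The transparent-proxy REDIRECT rule above is unaffected, as it lives in the nat table's PREROUTING chain.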
AIX
-> detect new Hardware on AIX: cfgmgr
-> install latest software from cd-rom: cfgmgr -i /dev/cd0
-> firmware AIX:
lscfg -vp | grep alterable
#This command will produce a system configuration report similar to the following.
-> ROM Level.(non-alterable)...px010921 <== SvP FW level
-> ROM Level.(alterable).......SPX01264 <== System FW level
mysql : GRANT ALL PRIVILEGES ON *.* to user12@192.168.1.99 IDENTIFIED BY 'password'
mysql : GRANT ALL PRIVILEGES ON *.* to syslog@localhost IDENTIFIED BY 'syslog';
GRANT FILE ON *.* TO repl@"%" IDENTIFIED BY 'passwort';
-- creates a user named joey without any privileges --
CREATE USER 'joey'@'%' IDENTIFIED BY 'joey123';
-- gives all privileges to user 'joey' only on the database named 'joeys_db'
GRANT ALL ON joeys_db.* to joey;
-- gives the FILE privilege to joey (must use the global parameter --> *.*)
GRANT FILE ON *.* to joey;
-- show privileges granted to user 'joey'
SHOW GRANTS FOR joey;
-- drop/delete user 'joey'
DROP USER joey;
-- displays all users in the system
USE mysql;
SELECT * FROM user;
mysql dump:
mysqldump -u web1 --password=xxx usr_web1_1 >MYSQLFILENAME
mysqlrestore
mysql --user=web5 --password=xxx usr_web5_1 <MYSQLFILENAME
mysqlimport -d -u root -p xyz --local actual.csv --fields-terminated-by=';' --lines-terminated-by='\n' --ignore-lines=1
#birthdays in a given month (here month 11)
select * from actual where substring_index(substring_index(geburtsdatum,'-',2),'-',-1)=11 order by substring_index(geburtsdatum,'-',-1),substring_index(geburtsdatum,'-',1)
#young people
select * from actual where substring_index(geburtsdatum,'-',1)>1989 and substring_index(geburtsdatum,'-',1)<1994 and aktiv = 'TRUE' order by substring_index(geburtsdatum,'-',1), name
special-character problem, no ä, ö:
iconv -f encoding -t encoding inputfile
iconv -f latin1 -t ISO-8859-1 _actual_updates_date_changed.csv |grep Fr
Auerswald
The following settings must be made for the serial interface in the Control Panel of your Windows operating system:
b) Bits per second 9600, data bits 8, parity none, stop bits 1, protocol Xon / Xoff
c) If you use a serial printer connected directly to the system, the PC must not be connected in parallel with the printer.
d) The operating software of the individual systems has different PC requirements. The relevant notes are in the file "liesmich.txt" on the respective diskette.
e) No other device driver may access the serial interface. Check the settings of existing drivers, e.g. those of a connected modem. The mouse must not be operated on the serial interface to which the system is connected.
f) On some systems the operating software can be installed for both DOS and Windows. In that case, check the connection setup with both operating systems.
g) Under Windows, error messages such as "general protection fault" can occur. Fix this by copying the driver file "ctl3dv2.dll" from the CD into your Windows system directory. In that case, back up your original file under a different name.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs
-> start (4) ??
- log in as <admin> <lanplex>
- then, within 60 s, switch the power off and on again
or
login: 3comcso
password: RIP000
cat /etc/hosts | sort -t'.' -n -k1,1 -k2,2 -k3,3 -k4,4
checkpoint FW1
If you tried to install the policy from the management console and failed, log onto the console of 'gateway' and do a:
fw fetch control
If that fails, try the following:
Logon to the console of "gateway"
IMPORTANT: You are about to uninstall the security policy. This will probably stop existing connections through the firewall (depending on whether or not you allow FireWall-1 to control IP Forwarding) and will also expose your firewall to potential attack.
Unload the existing security policy:
fw unload localhost
From "control", load a new security policy:
fw load policy.pf gateway
############################################################
High availability VPN 4.1 SP2
-----------------------------
FW1 MM2 is master for Sleepy & Sneezy
MM1 offline
FWSTOP! (both MMs!)
MM2 + remote module 204.32.38.1 (Check Point Configuration!)
Security policy
network object VRRP_Multicast
IP 224.0.0.18/32
service object VRRP_Protocol
match: ip_p = 112
group HA_Firewall contains
sleepy + sneezy
-> in the policy, replace Sneezy with the group HA_Firewall
Add rules:
- HA_Firewall VRRP_Multicast VRRP_Protocol accept
- allow the NTP service (net_local to HA_Firewall)
- switch off MASQ / NAT hide
FW1 Voyager / interface
FWM
sleepy: eth-s4p1 10.10.10.1/24
sleepy-sync (enter hostname)
sneezy: eth-s4p1 10.10.10.2/24
sneezy-sync (enter hostname)
Voyager / NTP
sneezy: NTP on
Local Clock as Master
Peer Sleepy
(-> NTP server)
sleepy: NTP on
server sneezy
Voyager / Checkpoint Configuration
-> ! disable IFWD !
-> save
FW1 FWSTOP (both FWMs)
FWM echo "204.32.38.121" >$FWDIR/conf/masters
sneezy
echo "10.10.10.1" >$FWDIR/conf/sync.conf
FW PUTKEY -p abc123 10.10.10.1
sleepy
echo "10.10.10.2" >$FWDIR/conf/sync.conf
FW PUTKEY -p abc123 10.10.10.2
1. sneezy FWSTART
2. sleepy FWSTART
netstat
-> 2 connections established between "sneezy-sync" ..
tcpdump -i eth-s4p1
-> see data transfers of synchronisation
$FWDIR/log/fwd.elg #logging messages for synchronisation
Setting up "Monitored Circuit" using voyager
----------------------------------------
Voyager->Router Services->VRRP
Interface eth-s3p1c0:
- Monitored Circuit on
- Create Virtual Router: 204 (must be the same on the two fw!)
- Priority:
- sleepy: 95
- sneezy: 100
- Priority Delta:
- sleepy: 10
- sneezy: 10
- Monitored Interface:
- eth-s5p1c0
- Backup Address:
- sneezy: 204.32.38.254
- authentication: simple -> pw abc123
Interface eth-s5p1c0:
- Monitored Circuit on
- Create Virtual Router: 192 (must be the same on the two fw!)
- Priority:
- sleepy: 95
- sneezy: 100
- Priority Delta:
- sleepy: 10
- sneezy: 10
- Monitored Interface:
- eth-s3p1c0
- Backup Address:
- sneezy: 192.168.10.254
- authentication: simple -> pw abc123
-> master saves first!!
-> default routes on workstations to 204.32.38.254
ldap.conf must contain the entry DEREF FINDING or SEARCHING
syslog.conf: *.debug /dev/console
smitty alog: Change / Show Characteristics -> Alog TYPE: <console> -> size + filename ...
-> alog -o -f /var/adm/ras/conslog
Another option is to configure fetchmail so that the mails are handed directly to procmail, for example:
poll mail.provider.de protocol POP3 user asterix password adam mda111 "/usr/bin/procmail -d eva"
mail forwarding:
So, if Bob wanted to forward his mail to Mary and Joe, but also keep a copy of it, he could have a .forward that looks like this:
\bob,
mary@socrates.berkeley.edu,
joe@socrates.berkeley.edu
The backslash (" \ ") before Bob's address leaves a copy of the message in Bob's
account as well as forwards a copy of the message to Mary and Joe.
awk
#show systems in upload dir: alphabetically, unique (print instead of printf: a file name must not be used as a format string)
ls |awk -F '-' '{print $NF}' | sort -d -u
WINE-Settings:
- Basic
- Window Mode: Integration of Wine with X: Unmanaged!!
- Advanced
- Look & Feel: Specialized Wine options: turn on:
- Use X shared memory
- Double-buffered desktop
copy file MFC42.DLL to $HOME/.wine/fake_windows/windows/system32
VMWARE
IO-Tuning - http://vmfaq.com/entry/25/
/etc/vmware/config
MemTrimRate=0
sched.mem.pshare.enable = "FALSE"
mainMem.useNamedFile = "FALSE"
prefvmx.minVmMemPct = "100"
---------
server 2.0 command-line:
vmrun -T server -h https://192.168.0.5:8333/sdk -u root -p xxx suspend "[standard] /opt/vmware/server.vmx"
vmrun -T server -h https://localhost:8333/sdk -u root -p xyz start "[standard] iga_navigator/Red Hat Enterprise Linux 4.vmx"
#add a machine
vmrun -T server -h https://localhost:8333/sdk -u root -p xyz register "[standard] ipcop_mwendig/Other_Linux_2.6.x_kernel.vmx"
disable the https redirect:
/etc/vmware/hostd/proxy.xml
1. change "httpsWithRedirect" to "httpAndHttps"
2. restart
file-transfer to windows xp:
mount -t smbfs -o username=user,password=xyz //192.168.110.1/temp /tmp/wxp
08/2005:
vmware 4.5.2 on suse 9.3: links!!
with the vmware patch, compiling suddenly worked ;-))
http://www.vmware.com/community/thread.jspa?threadID=13817&filterOrder=DESC&tstart=0
http://www.linux-club.de/viewtopic.php?t=30855
-------------------------------------------------------
vmware - hangs problem
in vmx:
http://communities.vmware.com/thread/106917
#mwendig, added 20Feb2009, solves the hanging problem
mainMem.useNamedFile = "FALSE"
sched.mem.pshare.enable = "FALSE"
MemTrimRate = "0"
Installing VMware Tools from the Command Line with the RPM Installer
http://www.vmware.com/support/ws5/doc/ws_newguest_tools_linux.html
The first steps are performed on the host, within Workstation menus:
1. Power on the virtual machine.
2. After the guest operating system has started, prepare your virtual machine to install VMware Tools.
Choose VM > Install VMware Tools.
The remaining steps take place inside the virtual machine.
3. As root (su -), mount the VMware Tools virtual CD-ROM image, change to a working directory (for example, /tmp), uncompress the installer, then unmount the CD-ROM image.
Note: Some Linux distributions automatically mount CD-ROMs. If your distribution uses automounting, do not use the mount and umount commands below. You still must untar the VMware Tools installer to /tmp.
Some Linux distributions use different device names or organize the /dev directory differently. If your CD-ROM drive is not /dev/cdrom or if the mount point for a CD-ROM is not /mnt/cdrom, you must modify the following commands to reflect the conventions used by your distribution.
mount /dev/cdrom /mnt/cdrom
cd /tmp
Note: If you have a previous installation, delete the previous vmware-distrib directory before installing. The default location of this directory is
/tmp/vmware-tools-distrib.
4. At the command prompt, enter:
rpm -Uhv /mnt/cdrom/VMwareTools-5.0.0-<xxxx>.i386.rpm
umount /dev/cdrom
Where <xxxx> is the build/revision number of the VMware Workstation release.
Note: If you attempt to install an rpm installation over a tar installation — or the reverse — the installer detects the previous installation and must convert the installer database format before continuing.
5. Configure VMware Tools:
vmware-config-tools.pl
Respond to the questions the installer displays on the screen
change the owner of each directory to the user of the same name (e.g. home directories):
ls -l |awk '{print "chown -R " $9 " " $9}' >test.sh
cardmgr ident -> see cards detected ..
/etc/pcmcia/config #have to match cardmgr ident ..
this is how it works on a 770X:
=> /etc/sysconfig/pcmcia => change PCMCIA_SYSTEM="kernel" to "external"
IP Routing,
Enabling IP Routing
By default, IP routing is disabled. To enable IP routing, you must allow the computer to
forward IP packets it receives. This requires a change to the Windows 2000 system registry.
When you enable the Routing and Remote Access service for IP routing,
this registry entry is made automatically.
To enable IP routing
1. From the Start menu, click Run.
2. Type regedt32.exe or regedit.exe, and then click OK.
3. In a registry editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
4. Select the "IPEnableRouter" entry.
5. To enable IP routing for all network connections installed and used by this computer, assign a value of 1.
To do this in regedit.exe, right-click the entry, and then click Modify.
In regedt32.exe, click on the wanted entry, click on Edit, and then click on the appropriate menu choice.
6. Close the registry editor.
It is required to reboot Windows 2000 for this change to take effect.
I have used this in a configuration, where the Windows 2000 Professional system works
as a router between an Ethernet network and a USB-network.
3com trouble:
check the /usr/3Com/install/logs/ directory ....
df
3Com admin synnet
3Com read synnet
3Com write synnet
3Com monitor monitor
3Com manager manager
3Com security security
3Com_Office_Connect_5x0_ISDN_Routers n/a PASSWORD
3comCellPlex7000 tech tech
3comCoreBuilder7000/6000/3500/2500 debug synnet
3comCoreBuilder7000/6000/3500/2500 tech tech
3comHiPerARCv4.1.x adm <blank>
3ComLANplex2500 debug synnet
3ComLANplex2500 tech tech
3comLinkSwitch2000/2700 tech tech
3comSuperStackIISwitch 2200 debug
3comSuperStackIISwitch 2700 tech
AIX Maintenance ...
oslevel #actual version
oslevel -l 4.3.3. #older filesets ...
oslevel -g #list filesets at levels later than the maintenance level specified by the <level> parameter
How to Create a Startup Boot Disk for Windows XP
The day will come when some files required to start you computer will become corrupted and you won't be able to boot into Windows XP. This can be a heart-sinking event or just another day in the life of a computer user. How can you make it the latter and not the former? Create a Windows XP boot disk before disaster strikes! The boot disk will allow you to start the computer and boot into Windows XP and allow you to begin your troubleshooting. Just do the following to put together your boot disk:
Put a floppy disk into the floppy drive. Click Start and then click the Run command. Type cmd in the Open text box and click OK.
At the command prompt, type format a: and press [ENTER]. Follow the on screen instructions to format the disk.
Open Windows Explorer and go to the C:\ drive. Copy the NTLDR and the NTDETECT.COM files to the floppy disk.
Click Start and click the Run command. In the Open text box, type Notepad and press [ENTER]. In Notepad, enter the following information:
[boot loader]
timeout=30
Default= multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\windows="Windows XP"
These entries will work if you have a single disk with a single partition.
In Notepad, click File and then click the Save As command. In the File name text box, type "a:\boot.ini" (you must include the quotes). Click Save. Then close Notepad.
Test your boot disk. Restart the computer with the boot disk still in the floppy drive. You should be able to boot into Windows XP with no problems.
/etc/sysconfig/network-scripts
edit ifcfg-eth0 ...
db2top -d username
REDHAT Directory Server 4.1 installation
DB2 Installation:
When the LDAP server starts, the LDAP software connects to a local db2 instance (ldapdb2)
with a password authorization. To ensure this password will never expire and bring down the LDAP
service, some special conditions apply to the "ldapdb2" user:
pwdadm -f NOCHECK ldapdb2
chuser login=false ldapdb2
chuser rlogin=false ldapdb2
echo ldapdb2 >> /etc/ftpusers
echo "export DB2LOGINRESTRICTIONS=NONE" >> ~ldapdb2/.profile #DB2 v.8 >= FP5
echo "db2set DB2LOGINRESTRICTIONS=NONE" >> ~ldapdb2/.profile #DB2 v.8 >= FP5
ERROR:
[root@localhost udb72]# ./db2setup
./db2inst: error while loading shared libraries: libstdc++-libc6.1-1.so.2: cannot open shared object file
SOLUTION:
=> create softlink:
[root@localhost udb72]# ln -s /usr/lib/libstdc++-3-libc6.2-2-2.10.0.so /usr/lib/libstdc++-libc6.1-1.so.2
!!!!!
./db2setup works now!!!!
[root@localhost db2]# rpm -hiv db2engn71-7.1.0-40.i386.rpm
error: failed dependencies:
db2rte71 >= 7.1.0-40 is needed by db2engn71-7.1.0-40
[root@localhost db2]# rpm -hiv db2rte71-7.1.0-40.i386.rpm
error: failed dependencies:
db2cliv71 >= 7.1.0-40 is needed by db2rte71-7.1.0-40
db2cucs71 >= 7.1.0-40 is needed by db2rte71-7.1.0-40
[root@localhost db2]# rpm -hiv db2cliv71-7.1.0-40.i386.rpm [ok]
[root@localhost db2]# rpm -hiv db2cucs71-7.1.0-40.i386.rpm [ok]
[root@localhost db2]# rpm -hiv db2rte71-7.1.0-40.i386.rpm
Preparing... ########################################### [100%]
1:db2rte71 ########################################### [100%] [ok]
[root@localhost db2]# rpm -hiv db2engn71-7.1.0-40.i386.rpm
Preparing... ########################################### [100%]
1:db2engn71 ########################################### [100%] [ok]
#[db2 successfully installed]
[root@localhost ldap41_us]# rpm -hiv ldap-serverd-4.1-1.i386.rpm
Preparing... ########################################### [100%]
1:ldap-serverd ########################################### [100%] [ok]
#ldap successfully installed??
[root@localhost ldap41_us]# rpm -qa |grep ldap
ldap-clientd-4.1-1
ldap-serverd-4.1-1
ldap-dmtjavad-4.1-1
#[ok]
[GSKIT] installation
error#
[root@localhost gskit]# rpm -i gsk5bas-5.0-4.58.i386.rpm
error: failed dependencies:
libstdc++.so.2.9 is needed by gsk5bas-5.0-4.58
symlink to libstdc++.so.2.9
rpm -i gsk5bas-5.0-4.58.i386.rpm --nodeps
LDAP IBM directory server 4.1 & Redhat EAS3 problem
slapd: relocation error: /usr/ldap/lib/libutlsa.so: symbol errno, version GLIBC_2.0 not defined in file libc.so.6 with link time reference
-> solution: export LD_ASSUME_KERNEL=2.2.5
kill LDAP:
kill -9 $(cat /etc/slapd.pid)
kill all ldap instances:
ps -ef |grep slapd | awk '{ system("kill -9 " $2)}'
#ldap check db2 log:
/home/ldapdb2/sqllib/db2dump/db2diag.log
Short howto for emptying the replication queue:
Basically there are three steps to repeat until all queues are empty:
1.)
on the 5.1 master:
monitor the LDAP log file
tail -f /var/ldap/ibmslapd.log
Search for entries like:
07/14/2006 01:52:29 PM Error No such object occurred for replica 'CN=host111,IBM-REPLICASERVERID=53892fc0-b6bd-1028-999a-dd86930a4836,IBM-REPLICAGROUP=DEFAULT,dc=org,DC=COM': modify failed for entry 'UID=user1,DC=org,DC=COM' change ID 111111.
2.)
/root/bin/update2Replica.sh host111 uid=user1
=> copy the entry to the replica
3.)
/root/bin/skipReplicaEntry.sh host111 111111
=> skip the replica problem .. "delete the change ID" and trigger replication again
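As an added example (not part of the original notes), a small POSIX shell helper that pulls the replica host, entry RDN and change ID out of ibmslapd.log lines in the format shown above and prints the commands for steps 2 and 3. The script paths /root/bin/update2Replica.sh and /root/bin/skipReplicaEntry.sh are the ones named above, the second sample log line is constructed, and nothing is executed against the directory.

```shell
#!/bin/sh
# Added example: triage IBM Directory Server replication errors from ibmslapd.log
# and print the repair commands (steps 2 and 3 of the howto) instead of running them.

# parse_replica_error LINE
# Prints "<replica-host> <entry-rdn> <change-id>" for a matching error line,
# nothing for any other line. The RDN is passed on as it appears in the log
# (LDAP attribute names are case-insensitive, so UID=user1 equals uid=user1).
parse_replica_error() {
    printf '%s\n' "$1" | sed -n -E \
        "s/.*for replica 'CN=([^,']+),[^']*': .* failed for entry '([^,']+),[^']*' change ID ([0-9]+)\.?.*/\1 \2 \3/p"
}

# replica_repair_cmds < logfile
# Reads log lines on stdin; for every replication error emits the two commands
# to run on the 5.1 master: copy the entry to the replica, then skip the stuck change ID.
replica_repair_cmds() {
    while IFS= read -r line; do
        parsed=$(parse_replica_error "$line") || continue
        [ -n "$parsed" ] || continue
        set -- $parsed   # $1=replica host, $2=entry RDN, $3=change ID
        printf '/root/bin/update2Replica.sh %s %s\n' "$1" "$2"
        printf '/root/bin/skipReplicaEntry.sh %s %s\n' "$1" "$3"
    done
}

# Constructed sample log excerpt: the error line from the notes plus one unrelated line
# that must be ignored.
SAMPLE_LOG="07/14/2006 01:52:29 PM Error No such object occurred for replica 'CN=host111,IBM-REPLICASERVERID=53892fc0-b6bd-1028-999a-dd86930a4836,IBM-REPLICAGROUP=DEFAULT,dc=org,DC=COM': modify failed for entry 'UID=user1,DC=org,DC=COM' change ID 111111.
07/14/2006 01:52:30 PM Server started (constructed, non-matching line)."

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | replica_repair_cmds
fi
```

Run with `sh script.sh demo` to see the two commands for the sample line; feed `tail -f /var/ldap/ibmslapd.log` into replica_repair_cmds to get them live.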
ssh:
$ ssh root@192.168.1.1 -L 3000:10.0.0.1:22
$ ssh -R 3000:localhost:389 root@192.168.1.1
$ ssh -f -N -g #-f: background
#-N: no command to execute ...
#-g: disable the restriction, permitting any host to connect to locally forwarded ports ..
$ ssh root@localhost -p 3000
login without password from <originhost> to <destinationhost>
from <originhost>:
#generate keys
$ ssh-keygen -t dsa -f ~/.ssh/id_dsa -C "comment"
#id_dsa.pub is created ...
#To use the key on other hosts you will be connecting from, copy the ~/.ssh/id_dsa key to the other hosts:
$ scp ~/.ssh/id_dsa you@another-box:.ssh/
$ cat ~/.ssh/id_dsa.pub |ssh root@192.168.1.1 'cat - >> ~/.ssh/authorized_keys2'
or
$ cat ~/.ssh/id_dsa.pub |ssh root@192.168.1.1 'cat - >> ~/.ssh/authorized_keys'
Tracing / debugging
ldtrc on
slapd -h 65535
errors under /tmp/slapd.error ..
db2:
db2 "create db ldapdb2 on /home/ldapdb2 using codeset UTF-8 territory US"
#missing libraries for redhat ...:
compat-libstdc++-6.2-2.9.0.16.i386.rpm
pdksh-5.2.14-13.i386.rpm
ldap-dmtjavad-4.1-1.i386.rpm #for script ldapcfg
environment:
file: ~/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
BASH_ENV=$HOME/.bashrc
USERNAME="root"
export USERNAME BASH_ENV PATH
# The following three lines have been added by UDB DB2.
if [ -f /home/ldapdb2/sqllib/db2profile ]; then
. /home/ldapdb2/sqllib/db2profile
fi
DB2 Control Center under Linux:
db2cc
ldapcfg:
ldapcfg -l /home/ldapdb2 -o
ldapcfg -l /home/ldapdb/ -a ldapdb -w password -d ldapdb
!!!!
On SuSE 7.0 and Red Hat 7.2 on Linux for S/390 with kernel level 2.4.x, you
must download and install the compat-libstdc++-2.10.0-1.s390.rpm package. This
package contains compatibility Standard C++ libraries that allow older binaries
(created with old versions of compilers) to execute.
Even after this change, the ldapcfg, ldapucfg and ldapxcfg programs fail on
both SuSE 7.0 and Red Hat 7.2 systems. To correct the problem, edit the
/usr/ldap/bin/ldapcfg script to uncomment the following line by removing the
# in the first column of the line:
export LD_PRELOAD=/usr/lib/libstdc++-libc6.2-2.so.3
You must specify the absolute path of the library.
################
db2 setup a database instance manually
important directory for instance commands
/opt/IBM/db2/V8.1/instance
#list instances
./db2ilist
#create an DB2 instance
./db2icrt -a SERVER -p 50000 -s ESE -w 32 -u ldapdb2 ldapdb2
#setup autostart of instances
./db2iauto -on ldapdb2
#startup database
su - ldapdb2
db2start
#db2 registry files .. see instances etc.
/var/db2/global.reg
su - db2inst1 -c /opt/db2inst1/sqllib/adm/db2start
db2 init.d script (for stop / start):
#!/bin/sh
# chkconfig: 35 98 02
# description: Start and Stop IBM's db2 dbms.
# Set the path.
BASE=/opt/ibm/db2
VERSION=V9.1
INSTANCE=/opt/db2inst1
PATH=/sbin:/bin:/usr/bin:/usr/sbin
#Check we have the start and stop programs.
test -x $INSTANCE/sqllib/adm/db2start || exit 0
test -x $INSTANCE/sqllib/adm/db2stop || exit 0
test -x $BASE/$VERSION/bin/db2 || exit 0
case "$1" in
start)
echo -n 'Starting IBMdb2 daemons: '
su - db2inst1 -c $INSTANCE/sqllib/adm/db2start
echo
;;
stop)
# We first try twice to kill all existing applications.
# There really should be none most of the time.
echo 'Stopping IBMdb2 daemons: '
su - db2inst1 -c "$BASE/$VERSION/bin/db2 FORCE APPLICATION ALL"
sleep 2
su - db2inst1 -c "$BASE/$VERSION/bin/db2 FORCE APPLICATION ALL"
sleep 2
su - db2inst1 -c $INSTANCE/sqllib/adm/db2stop
echo
;;
reload|restart)
$0 stop
sleep 3
$0 start
;;
*)
echo "Usage: /etc/rc.d/init.d/IBMdb2 {start|stop|restart|reload}"
exit 1
esac
#-----------------------------------------------------------------------
# Exit successfully.
#-----------------------------------------------------------------------
exit 0
db2 commands:
db2 "connect to report user user1"
db2 select name from sysibm.systables #show systables
db2 select * from COMPINFO
db2 LIST DATABASE DIRECTORY #show cataloged databases
db2 list applications for database IBMSECW #show connected processes
db2 force application ( <enter here list of application-ids form previous command separated by commas>)
db2 force application "ALL"
db2 use database name
db2 list tables
db2 get dbm cfg ##get database manager configuration
db2log:
/opt/ldap/db2cli.log
select * from stddat where XEORF = 'X' Fetch First 5 Rows Only
ldapsearch:
ldapsearch -b dc=org,dc=com objectclass=* -h localhost -p 3000
ldapsearch -b dc=org,dc=com objectclass=*
ldapsearch -D cn=root -w ? -b dc=org,dc=com objectclass=*
ldapsearch -x -b dc=org,dc=com -D cn=root -w ? -s one "(uid=*)" "*" pwdlockedtime |more
#check if user is locked
ldapsearch -b dc=org,dc=com -D cn=root -w ? uid=myuser ibm-pwdIndividualPolicyDn pwdFailureTime pwdAccountLockedTime pwdReset pwdChangedTime ibm-pwdGroupPolicyDn
#see pw policy
ldapexop -D cn=root -w ? -op effectpwdpolicy -d uid=myuser,dc=org,dc=com
ldapsearch -D cn=root -w ? -b dc=org,dc=com -h localhost uid=* -s one filter=uid gecos
ldapsearch -D uid=user9,dc=org,dc=com -w test -b dc=org,dc=com uid=*
ldapsearch -D cn=root -w ? -b dc=org,dc=com -h localhost -p 3000 uid=myuser
ldapadd -D cn=root -w ? -h localhost -p 3000 -c -a -f allUsers.ldif
ldapadd -x -D cn=root -w ? -h myhost -p 3000 -c -a -f allUsers.ldif
ldapsearch -x -D cn=root -w ? -b "ou=myorg,dc=org,dc=com" -h localhost -p 3000 uid=myuser
ldapdelete:
cat todelete.dat |awk '{ print "ldapdelete -D cn=root -w ? \"" $2 "\""}' >todelete.sh
add " to line (at begin and end):
cat todelete | sed -e s/^/\"/ | sed -e s/$/\"/
dos2unix
sed -e 's/\r$//' file > newfile #strip the DOS carriage return at end of line
#Secure Way password attributes ...
ldapsearch -D cn=root -w ? -b dc=org,dc=com "(cn=myuser)" pwdreset pwdchangedtime pwd4out
stunnel -d 127.0.0.1:636 -r ldaphost1:636 -c -C 'DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5'
stunnel -D 7 -d localhost:3389 -r ldaphost1:636 -C EXP-RC4-MD5 -c
stunnel ##################################################
To build a new pem, execute the following OpenSSL command:
/usr/bin/openssl req -new -x509 -days 365 -nodes \
-config /usr/share/doc/packages/stunnel/stunnel.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
#modify
ldapmodify -x -D cn=root -w xxxx
dn: uid=user1,dc=org,dc=com
changetype: modify
replace: objectclass
objectclass: top
objectclass: account
objectclass: eAccount
objectclass: posixAccount
objectclass: shadowAccount
objectclass: ePasswordPolicy
#modify shadow max
ldapsearch -b dc=org,dc=com -s one uid=* shadowmax >shadowmax.ldif
shadowmax.ldif (one modify record per entry, each terminated with "-"):
dn: uid=user1,dc=org,dc=com
changetype: modify
replace: shadowmax
shadowmax: 90
-

dn: uid=user2,dc=org,dc=com
changetype: modify
replace: shadowmax
shadowmax: 90
-
ldapmodify -D cn=root -w xyz -f shadowmax.ldif
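As an added example (not the notes' own code), a shell function that converts the "uid=...,dc=org,dc=com" / "shadowmax=NN" lines that ldapsearch prints into a valid LDIF modify file for the ldapmodify call above; the sample search output is constructed.

```shell
#!/bin/sh
# Added example: build shadowmax.ldif from ldapsearch output.
# Input format (as printed by the IBM ldapsearch in the notes): a DN line without
# "dn:" prefix, followed by attribute=value lines. Output: RFC 2849 modify records.

# make_shadowmax_ldif NEW_VALUE < ldapsearch-output > shadowmax.ldif
# Rejects a non-numeric value up front, since every record would otherwise be
# rejected by the server one by one.
make_shadowmax_ldif() {
    case "${1:-}" in
        ''|*[!0-9]*) echo "usage: make_shadowmax_ldif <days>" >&2; return 1 ;;
    esac
    awk -v val="$1" '
        /^uid=/ {
            if (n++) print ""          # blank line separates LDIF change records
            print "dn: " $0
            print "changetype: modify"
            print "replace: shadowmax"
            print "shadowmax: " val
            print "-"                  # terminates the modification within the record
        }'
}

# Constructed sample of ldapsearch output (two entries with their current shadowmax).
SAMPLE_SEARCH="uid=user1,dc=org,dc=com
shadowmax=30
uid=user2,dc=org,dc=com
shadowmax=60"

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SEARCH" | make_shadowmax_ldif 90
fi
```

In practice: `ldapsearch -b dc=org,dc=com -s one uid=* shadowmax | make_shadowmax_ldif 90 > shadowmax.ldif` and then the ldapmodify call from the notes.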
for i in `ls`; do ls -l $i;done
- serial number: summary -> sc
- password: security -> pw
Do you ever have the need to exchange .exe or .mdb or other "unsafe" files over email and find that the built-in security within Outlook 2002 (XP) doesn't allow you to open them? You end up getting a warning within the title of your email that says "Outlook blocked access to the following potentially unsafe attachments: test.mdb."
While I don't advocate doing this for the rest of your organization, and I know you won't, being able to take control of your security settings makes it easier for many of us - admins and experienced computer users.
To do this, a tweak to the registry is needed -
Run Regedt32 (or regedit) and go to:
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security
Under that key, add a new value name called Level1Remove with data type REG_SZ. In the string editor, put in the extensions you want NOT to be blocked separated by a semicolon (;). e.g.
mdb;exe;
outlook express: backup
files are in:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{7D93BA21-0B53-4BB1-95CC-5EF3450D47EA}\Microsoft\Outlook Express
ending with .dbx
serial number rs6000 / aix
lscfg -pv sysplanar0
parse TEC events
=> on tec: wtdumprl -o DESC |more
compile c with ldap library:
gcc test.c -lldap !!!!
In use since 1995 and on a variety of accounts.
Out of the box type software and works on discovery of network. Easy to setup and configure.
Platform - NT or Unix (Sun or HP). No AIX.
If the network is large with many elements (ports, switches, routers etc), then best use Unix.
They have used in network of between 5K and 8K elements.
Reports can be setup for SM or technical staff.
Has web i/f.
Can perform network (WAN & LAN), server and application performance management.
Has real-time analysis.
Excellent backup support from reseller.
Have used for SLA reports.
Great success with linking tool to Helpdesk and ease of reporting/tracking/communication problems.
VitalAnalysis - response times.
VitalNet - network components.
VitalEvent - Threshold limits etc.
Many features the same as Concord.
GUI very good and has web i/f. Can be setup with many view for SM, technical, CIO.
Has agents on end stations for end-to-end analysis.
No realtime data - minimum of two hours delay. Lucent don't say it's realtime.
Sample times are minimum of one hour, so it's already averaged - slight disadvantage.
Lucent will send data from end station to server, whereas Concord will poll. Therefore, Concord server has more load.
Support not always quick and responsive.
snmpset bintec community interfaces.ifTable.ifEntry.ifAdminStatus.10001.7 i 2 #set ifAdminStatus to down(2); the "i 2" type/value pair is snmpset syntax, not snmpwalk
interfaces.ifTable.ifEntry.ifInOctets
interfaces.ifTable.ifEntry.ifLastChange
interfaces.ifTable.ifEntry.ifOperStatus
interfaces.ifTable.ifEntry.ifAdminStatus
interfaces.ifTable.ifEntry.ifInErrors
interfaces.ifTable.ifEntry.ifInUnknownProtos
interfaces.ifTable.ifEntry.ifOutOctets
interfaces.ifTable.ifEntry.ifOutDiscards
interfaces.ifTable.ifEntry.ifOutErrors
#*** CVS Info: *******************************************************\\\
# $Source: $Source$
# $Date: $Date$
# $Revision: $Revision$
# $Name: $Name$
# $State: $State$
# $Log: $Log$
# $Id: $Id$
#********************************************************************/\
###################
#
# CVSINFO
#
# $Revision$
#
# $Id$
#
# $Log$
#
# Version History:
# The version history is controlled by the cvs system. Modifications in this
# file without using the proper cvs procedures will result in a loss of the
# changes !!
##############################################################################
xwd -root |convert - -resize 100x100 test.jpg
-> file is stored under ~/.kde/share/apps/kabc/std.vcf
/etc/sysconfig/displaymanager
- DISPLAYMANAGER="kdm"
- DISPLAYMANAGER_REMOTE_ACCESS="yes"
- DISPLAYMANAGER_STARTS_XSERVER="yes"
in /etc/X11/xdm/xdm-config, "requestPort" is commented out!
/etc/X11/xdm/Xaccess #allow IPs
+ start xdm!
/etc/opt/kde3/share/config #interesting config files
# XDMCP access control file in the usual XDM-Xaccess format.
# Default is /opt/kde3/share/config/kdm/Xaccess
ping -l 1460 -f ip-address #don't fragment
xcopy /S /E /H g: e:\my_files
t-online:
The username consists of the line identifier (Anschlusskennung) + T-Online number + co-user number (Mitbenutzernummer)
dns: 194.25.2.129
Structure of the username for DSL: AnschlußkennungTeilnehmernummerMitbenutzerkennung@t-online.de
linux-backup
tar -tvf /dev/st0
tar -cvf /dev/st0 /home/mwendig/
mt -f /dev/st0 erase #delete tape
mt -f /dev/st0 rewind #rewind tape
mt -f /dev/st0 tell #Find out what block you are at with mt command:
mt -f /dev/st0 offline #unload the tape
mt -f /dev/st0 status #Display status information about the tape unit:
auth-file:
edit -> then postmap <file> #create a new db file
Make sure the following entries exist in /etc/postfix/main.cf, or add them:
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd
Mind the exact spelling: 'smtp' is not the same as 'smtpd'!
Now create the file /etc/postfix/saslpasswd with the following content:
destination.host.de username:password
destination.host.de will usually be the relay host you use. This instructs Postfix to deliver all mail transported via the specified host using SMTP-AUTH where possible. Any transport routes defined differently are handled as before.
Finally, generate the new map and reload the configuration:
postmap /etc/postfix/saslpasswd
rcpostfix reload
#postfix delete mail in queue
postsuper -d ID
see id with: sendmail -bp
rsync -av /src /dest
rsync -uav /src dest #update mode
rsync -uvzcae ssh /home/myuser/log_analysis user@lnxuar04:/home/myuser/log_analysis
/usr/bin/rsync -uvzca -e 'ssh -i /home/myuser/.ssh/id_rsa' -rtpvz --stats --sa
loganalysis
cat run_loganalysis.sh
#!/bin/sh
filename=`date | awk '{print $6"_"$3"_"$2"_logAnalysis.log"}'`
#echo $filename
/usr/local/bin/log_analysis -f /opt/conf/mw_log_analysis.conf -o /opt/web/log_analysis/$filename -m user\@mail.de
chmod 755 /opt/web/log_analysis/$filename
3ware sata raid
tw_cli #command line on linux
/c0 show all
/c0 Driver Version = 2.26.02.008
/c0 Model = 9550SXU-4LP
/c0 Available Memory = 112MB
/c0 Firmware Version = FE9X 3.04.01.011
/c0 Bios Version = BE9X 3.04.00.002
/c0 Boot Loader Version = BL9X 3.02.00.001
/c0 Serial Number = L320909A6450913
/c0 PCB Version = Rev 032
/c0 PCHIP Version = 1.60
/c0 ACHIP Version = 1.90
ps ax |grep D
PID TTY STAT TIME COMMAND
5438 ? Ss 0:00 smbd -D
5441 ? Ss 0:01 nmbd -D
5503 ? S 0:00 smbd -D
32141 pts/2 S+ 0:00 grep D
mdadm --query --detail /dev/md0
#!/usr/bin/perl
###############################################################################
#
# check-hugo-daily-export.pl
#
###############################################################################
use strict;
print "starting\n";
my $mailto='hugo1@gmail.com,hugo2@gmail.com';
my $default_fage=60*25; #fileage in minutes
my %files2check=(); # filename | fileage in minutes
$files2check{'/var/customers/webs/xyz/export/google_rss_feed_daily.xml'}= $default_fage;
$files2check{'/var/customers/webs/xyz/export/google_rss_feed_daily.error'}= $default_fage;
$files2check{'/var/customers/webs/xyzz/shop/export/google_rss_feed_daily.xml'}= $default_fage;
$files2check{'/var/customers/webs/xyzz/shop/export/google_rss_feed_daily.error'}= $default_fage;
$files2check{'/var/customers/webs/xyzz/shop/export/preisroboter.txt'}= $default_fage;
my $date =`date`;
chomp($date);
my $now = time(); # get current time
my $failed=0;
my $failedstr='';
print "---------------------------------------------------------\n";
print "date: $date - starting\n";
foreach my $fname( keys %files2check) {
print "checking file: $fname\n";
my @stats = stat($fname);
unless (@stats) {
# stat failed (file missing or unreadable): count it as a failed export as well,
# otherwise $stats[9] is undef and the age check silently passes
$failedstr.="file $fname does not exist or cannot be read\n";
$failed++;
next;
}
my $fage = int (($now-$stats[9]) / 60 ); #get fage minutes
#print "fage=$fage\n";
if ( $fage > $files2check{$fname} ){
$failedstr.="file $fname is too old ($fage min)\n";
$failed++;
}else{
print "file $fname was generated recently ($fage min) - everything is ok\n";
}
}
if ($failed > 0){
print "$failedstr\n";
system("echo \"$failedstr\" \| mailx -s \"Server Alarm - daily export not updated!\" $mailto ");
print "email was sent to $mailto!!\n";
}else{
print "everything is fine\n";
}
Solution:
remove "--chuid man" from file
example:
before:
start-stop-daemon --start --pidfile /dev/null --startas /usr/bin/mandb --oknodo --chuid man --iosched idle -- --no-purge --quiet
after:
start-stop-daemon --start --pidfile /dev/null --startas /usr/bin/mandb --oknodo --iosched idle -- --no-purge --quiet
>>to check if something was executed run:
[root@myhost ~]# systemctl status rc-local.service
rc-local.service - /etc/rc.d/rc.local Compatibility
Loaded: loaded (/usr/lib/systemd/system/rc-local.service; static; vendor preset: disabled)
Active: inactive (dead)
>>enabled service and set execute permissions
[root@myhost ~]# systemctl enable rc-local.service
[root@myhost ~]# chmod +x /etc/rc.d/rc.local
#after reboot
[root@myhost ~]# systemctl status rc-local.service
● rc-local.service - /etc/rc.d/rc.local Compatibility
Loaded: loaded (/usr/lib/systemd/system/rc-local.service; static; vendor preset: disabled)
Active: active (exited) since Mo 2017-01-09 16:32:30 CET; 26min ago
Process: 881 ExecStart=/etc/rc.d/rc.local start (code=exited, status=0/SUCCESS)
Jan 09 16:32:30 myhost systemd[1]: Starting /etc/rc.d/rc.local Compatibility...
Jan 09 16:32:30 myhost systemd[1]: Started /etc/rc.d/rc.local Compatibility.
If more than one authentication source is defined in a VPN configuration, the user is always authenticated against the default authentication source, which is normally the local Firebox database.
It is possible to specify the authentication source that should be used by putting the source in front of the user name, separated with a \:
radius\username #for radius as authentication source
-------------------
see more on the watchguard website: http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/mvpn/ssl/mvpn_ssl_client-install_c.html
Use a non-default authentication server
In the User name text box, type <authentication server>\<user name>.
Examples:
If RADIUS is the non-default server: radius\j_smith
If the Active Directory server ad1_example.com is the non-default server: ad1_example.com\j_smith
If Firebox-DB is the non-default authentication server: Firebox-DB\j_smith
if you have the $ dollar sign in a string and want to process it further in some cases you need to escape the dollar sign:
$pwd =~ s/\$/\\\$/g;
Bash script:
cat squidLogReadable.sh
#!/bin/bash
tail -f /var/log/squid/access.log | perl -p -e 's/^([0-9]*)/"[".localtime($1)."]"/e'
-----
if you want to get the logs in color, ccze could be interesting:
ccze - A robust, modular log coloriser
on debian:
apt-get install ccze
tail -f /var/log/squid/access.log | ccze -CA
bash script, that uploads a file to ftp server and gives back the success or failed status:
#!/bin/bash
cname=FTPuploadTest
host=192.168.1.1
user=user1
pass=pass1
echo "<<<check_mk>>>";
echo "Version: v1";
echo "<<<local>>>";
/usr/bin/ncftpput -u $user -p $pass $host . /home/test/test.cfg 1>/dev/null 2>&1
if [ $? -eq 0 ]
then
echo "0 $cname - FTP upload test to $host successful";
else
echo "2 $cname - FTP upload test to $host failed";
fi
perl - get year-month-day string
my($day, $month, $year)=(localtime)[3,4,5];
my $ymd = sprintf "%.4d-%.2d-%.2d", $year+1900, $month+1, $day;
output example: 2017-01-24
origin:
http://hawk.cis.vutbr.cz/~tpoder/GN3/HPCookBook/upload-hp
copy:
#!/usr/bin/perl
use Expect;
use IO::Tty;
$MORE = "-- MORE --, next page: Space, next line: Enter, quit: Control-C";
$EOF = "-- End of configuration file --";
# $DEBUG = 1;
($hostname,$username,$password) = @ARGV;
if ( ! length ($hostname) ) {
printf ("usage: upload-hp hostname [login [passwd]]\n");
exit;
}
$username = length ($username) ? $username : "admin";
$password = length ($password) ? $password : "admin";
$| = 0;
$ENV{'TERM'} = "xterm";
#&show_config (); exit;
open (config, "-|") || &show_config ();
#open (config, "smaz.mne");
# Switch configuration:
$begin = $end = 0;
$name = "unknown";
$image = "unknown";
while (<config>) {
# print if $DEBUG;
s/[\n\r]//g;
$begin = 1 if /^Startup configuration:/;
last if $begin;
}
$_ = <config>;
while (<config>) {
s/[\r\n]//g;
s/\33\[[0-9]+\;[0-9]+[a-zA-Z]//g;
s/\33\[[0-9][A-Z]//g;
# s/\33\[\?[0-9]+[a-zA-Z]//g;
s/\33E//g;
printf ("LINE: \"%s\"\n", $_) if $DEBUG;
s/$MORE//;
$end = 1 if /^Press any key when done.../;
$end = 1 if /$EOF/;
printf ("BYLO END %d!!!\n", $end) if $DEBUG;
last if $end;
if ( length == 0 ) {
$n++;
$end = 1 if $n > 1;
last if $end;
} else {
$n = 0;
}
if ( length == 80 ) {
$last = $_;
} else {
$oline = $last . $_;
$last = "";
# skip the access-list rules 20000 to 30000
if (! ($oline =~ / + (\d+) (deny|permit) ip [\d\.]{7,15} [\d\.]{7,15} [\d\.]{7,15} [\d\.]{7,15}/ && $1 > 20000 && $1 < 50000)) {
printf ("%s\n", $oline);
}
}
}
printf ("; End of configuration file for %s\n", $hostname) if $begin and $end;
while (<config>) {
print if $DEBUG;
}
sub show_config () {
$exp = new Expect;
# $exp->raw_pty(1);
# $exp->log_stdout(10);
$exp->spawn("ssh $username\@$hostname") or die "Cannot spawn ssh $username\@$hostname: $!\n";
$exp->expect(30, [ qr/login:/i, sub { $exp->send ("$username\n"); exp_continue; } ],
[ qr/name:/i, sub { $exp->send ("$username\n"); exp_continue; } ],
[ qr/password:/i, sub { $exp->send ("$password\n"); exp_continue; } ],
[ qr/to continue/i, sub { sleep(1); $exp->send(" "); exp_continue; } ],
[ qr/\> /i, sub { $exp->send("enable\n"); exp_continue; } ],
[ qr/# /i, sub { $ok = 1; } ]);
if ( $ok ) {
# $exp->send ("print \"show config\"\n");
$exp->send ("terminal length 1000\n");
$exp->expect ( 3, [ qr/# /i, sub { $exp->send("show config\n"); } ] );
$exp->expect (20, [ qr/Press any key when done.../i, sub { sleep(1); $exp->send(" "); exp_continue; } ],
[ qr/$MORE/i, sub { sleep(1); $exp->send(" "); exp_continue; } ],
[ qr/# /i, sub { printf ("%s\n", $EOF); $exp->send("\n logout\n"); } ] );
$exp->expect ( 5, [ qr/log out \[y\/n\]\?/i, sub { $exp->send ("y"); exp_continue; } ],
[ qr/configuration \[y\/n\/\^C\]?/i, sub { $exp->send ("n"); exp_continue; } ],
[ qr/connection closed/i, sub { $ok = 2; } ]);
}
$exp->soft_close();
exit;
}
http://nullhaus.com/2013/08/hp-port-troubles-part-1-monitoring/
turn on: fault-finder all action warn sensitivity high
to find port errors and more ..
HP ProCurve Switch Stack Firmware Update
1. save the config. (write memory)
2. save current software to secondary (copy flash flash secondary)
3. upload the new software to primary - it doesn't matter which way:
- via menu
- via web
- via tftp: copy tftp flash <ip-address> <remote-os-file> [<primary | secondary>]
3.1: verify image using "show flash"
4. reboot the stack (boot system flash primary)
Things to know:
- A "reboot" or "reload" (and the corresponding MIB) would cause only the commander to get rebooted.
A "boot system" would boot the entire stack
- uploading software to the commander will cause all members to have that software loaded as well
- scheduled stack reboot can be done via command job:
----> your-switch(config)# job reboot at 08:55 "boot system"
You can specify the default flash to boot from on the next boot by entering the
boot set-default flash command:
HP Switch(config)# boot set-default flash secondary
Booting from the default flash
Syntax: boot[system[flash | <primary | secondary> ]] [config FILENAME]
- system:Boots the switch. You can specify the flash image to boot from. When using
redundant management, boots both the active and standby management modules.
#reload command
This command boots the switch from the currently active flash image and
startup-config file. Because reload bypasses some subsystem self-tests, the switch
boots faster than if you use a boot command.
#schedule a reload:
- To schedule a reload in 15 minutes: HP Switch# reload after 15
- To schedule a reload in 3 hours: HP Switch# reload after 03:00
- To schedule a reload for the same day at 12:05: HP Switch# reload at 12:05
- To schedule a reload for some future date: HP Switch# reload at 12:05 01/01/2008
https://avm.de/service/fritzbox/fritzbox-7490/wissensdatenbank/publication/show/1339_FRITZ-Box-fuer-Betrieb-am-IP-basierten-Telekom-Anschluss-einrichten/
Set up telephony:
Set up phone numbers
Enter all phone numbers of the IP-based line in the FRITZ!Box as Internet numbers:
- In the FRITZ!Box user interface, click "Telefonie".
- In the "Telefonie" menu, click "Eigene Rufnummern".
- Click the "Neue Rufnummer" button.
- Enable the option "Internetrufnummer einrichten" and click "Weiter".
- Select "Telekom" from the drop-down list.
- Enter the Internet number (telephone number) in the corresponding input fields.
- If you have subsequently deactivated the Telekom service "My Login", disable the option "Standardeinstellung für die Anmeldung verwenden", enter your e-mail address (e.g. ihr-name@t-online.de) in the "E-Mail-Adresse" field and your web password in the "Passwort" field.
- Click "Weiter" and follow the instructions of the wizard.
Deactivate the conventional landline
Deactivate support for conventional landline connections (ISDN and analog) in the FRITZ!Box:
- In the FRITZ!Box user interface, click "Telefonie".
- In the "Telefonie" menu, click "Eigene Rufnummern".
- Click the "Anschlusseinstellungen" tab.
- Disable the setting "Festnetz aktiv".
- Click "Übernehmen" to save the settings.
Set up telephony devices and assign phone numbers
- In the FRITZ!Box user interface, click "Telefonie".
- In the "Telefonie" menu, click "Telefoniegeräte".
- Click the (Bearbeiten) button next to the telephony device in question.
- In the "Ausgehende Anrufe" drop-down list, select the number the device should use for outgoing calls.
- Specify which numbers the device should react to for incoming calls. You can select at most ten numbers (including the number used for outgoing calls).
- Click "OK" to save the settings.
------------------------------------------------------------------------------------
Note - SIP info - manual SIP settings
Internet number: your telephone number
E-mail address or username: with All-IP and My Login set to auto, simply enter "anonymous@t-online.de" here and no password
Password (web password) or password: your password (except for the user anonymous@t-online.de)
Registrar: tel.t-online.de
Proxy-Server: tel.t-online.de
STUN-Server: stun.t-online.de
Fritz.box address that always works: <http://169.254.1.1/>
/* every odd row should be grey*/
tr:nth-child(odd) { background-color: #dddddd; }
/*some width and color for the columns*/
td:nth-child(1) { width:340px; padding:2px;font-weight:bold; color: #6f0006;}
td:nth-child(2) { width:auto; padding:2px;}
td:nth-child(3) { width:auto; padding:2px;}
#important: use CSS styled content as rendering engine
#put the following to the Setup of the template to the site where the typo3 table is located:
tt_content.table{
20.innerStdWrap.parseFunc =< lib.parseFunc
20.innerStdWrap.htmlSpecialChars >
}
#see also: http://stackoverflow.com/questions/35014615/how-can-i-enable-html-rendering-for-typo3-7-tables
https://praegnanz.de/weblog/shopsysteme
Interesting shop systems:
- https://www.webedition.org/
IPSec tunnel: use key length of 32
tools:
- http://www.kurtm.net/wpa-pskgen/
if outlook is not starting:
- start using command: "outlook.exe /safe" in safe mode
- check the add-ons and disable them
Afterwards it worked in my case ;-)
watchguard DNS forwarder
ssh watchguard-ip -p 4118
check actual config: show ip dns
>> in configure mode:
enable:
WG(config)#ip dns forwarding enable
disable:
WG(config)#no ip dns forwarding enable
Problem: files cannot be uploaded
Solution: set parameters in .htaccess
php_value max_execution_time 1000
php_value max_input_time 1000
php_value post_max_size 100M
php_value upload_max_filesize 100M
(see also: https://wiki.typo3.org/How_to_upload_big_files )
on windows, use dhcploc.exe
>> https://gallery.technet.microsoft.com/DHCPLOC-Utility-34262d82
-----------------------------
on linux, you can use:
1.)
perl script https://sourceforge.net/projects/roguedetect/files/roguedetect/0.3/
(march 2017 >> problems getting it running on centos 7 >> error (tap) Can't get interface IP address at /usr/lib64/perl5/Net/RawIP.pm line 223.
2.) nmap script
https://nmap.org/nsedoc/scripts/broadcast-dhcp-discover.html
check a mailserver with nice little windows tool: http://znil.net/index.php?title=ZnilTools:Telnet_SMTP_Test_Tool
http://kb.parallels.com/de/115007
use Parallels Transporter Agent ...
http://www.cnwr.com/automating-veeam-with-powershell/
The powershell script:
# VM names separated by commas
$VMNames = "VM1", "VM1"
# vCenter name/IP
$HostName = "10.30.10.140"
# Directory that VM backups should go to
$Directory = "\\10.30.10.85\Veeam"
# Desired compression level, following compression level from Veeam (Optional)
$CompressionLevel = "4"
# Quiesce VM when taking snapshot (Optional; VMware Tools are required; Possible values: $True/$False)
$EnableQuiescence = $True
# Protect resulting backup with encryption key (Optional; $True/$False)
$EnableEncryption = $False
# Encryption Key (Optional; path to a secure string, C:\SecureString.txt)
$EncryptionKey = ""
# Retention settings (Optional; By default, VeeamZIP files are not removed and kept in the specified location for an indefinite period of time.
# Possible values: Never , Tonight, TomorrowNight, In3days, In1Week, In2Weeks, In1Month)
$Retention = "In3days"
# Email Settings
# Enable notification (Optional)
$EnableNotification = $True
# Email SMTP server
$SMTPServer = "smtp.smtp.com"
# Email FROM
$EmailFrom = "sender@cnwr.com"
# Email TO
$EmailTo = "recipient@cnwr.com"
# Email subject
$EmailSubject = "Veeam Backup Job"
# Email formatting
$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #54b948; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</style>"
##################################################################
# End User Defined Variables
##################################################################
#################### DO NOT MODIFY PAST THIS LINE ################
Asnp VeeamPSSnapin
$Server = Get-VBRServer -name $HostName
$mbody = @()
foreach ($VMName in $VMNames)
{
    $VM = Find-VBRViEntity -Name $VMName -Server $Server
    $ZIPSession = Start-VBRZip -Entity $VM -Folder $Directory -Compression $CompressionLevel -DisableQuiesce:(!$EnableQuiescence) -AutoDelete $Retention
    If ($EnableNotification)
    {
        $TaskSessions = $ZIPSession.GetTaskSessions()
        $FailedSessions = $TaskSessions | where {$_.status -eq "EWarning" -or $_.Status -eq "EFailed"}
        if ($FailedSessions -ne $Null)
        {
            $mbody = $mbody + ($ZIPSession | Select-Object @{n="Name";e={($_.name).Substring(0, $_.name.LastIndexOf("("))}} ,@{n="Start Time";e={$_.CreationTime}},@{n="End Time";e={$_.EndTime}},Result,@{n="Details";e={$FailedSessions.Title}})
        }
        Else
        {
            $mbody = $mbody + ($ZIPSession | Select-Object @{n="Name";e={($_.name).Substring(0, $_.name.LastIndexOf("("))}} ,@{n="Start Time";e={$_.CreationTime}},@{n="End Time";e={$_.EndTime}},Result,@{n="Details";e={($TaskSessions | sort creationtime -Descending | select -first 1).Title}})
        }
    }
}
If ($EnableNotification)
{
    $Message = New-Object System.Net.Mail.MailMessage $EmailFrom, $EmailTo
    $Message.Subject = $EmailSubject
    $Message.IsBodyHTML = $True
    $message.Body = $mbody | ConvertTo-Html -head $style | Out-String
    $SMTP = New-Object Net.Mail.SmtpClient($SMTPServer)
    $SMTP.Send($Message)
}
Chloë
CHLOË
on a keyboard with a numeric keypad (Windows):
ë = ALT + 137
Ë = ALT + 211
on mac os / apple:
>> press <alt>+u, then type a lowercase or an uppercase e
How to reset?
Reset button
The Reset button is accessible via a hole on the bottom of the MSM410 as identified below.
Insert a paper clip under the cable and into the reset button hole at the precise angle shown.
Press and quickly release the button to reset the MSM410. To reset the MSM410 to factory
defaults, press the button until the status lights blink three times, then release.
After reset:
https://192.168.1.1/ user admin/admin (these are the vendor defaults; change the password right after the reset, before the access point goes back on the network)
See also: https://www.manualslib.com/manual/857144/Hp-Procurve-Msm410.html?page=2#manual
for example J9854A Aruba 2530 24G PoE+ 2SFP+ Switch:
https://h10145.www1.hpe.com/downloads/SoftwareReleases.aspx?ProductNumber=J9854A
http://ncalculators.com/digital-computation/ip-address-hex-decimal-binary.htm
AIX gives out some messages in hex syntax .. http://www-01.ibm.com/support/docview.wss?uid=isg3T1024801
for example:
Note: errpt displays DUPLICATE IP ADDRESS in hex.
e.g. 0D54 8009 in hex is 13.84.128.9 in decimal.
https://technet.microsoft.com/de-de/sysinternals/bb897553.aspx
psexec \\targethost -u "domain\username" -p "password" -h cmd /c "\\fileserver\directory\check_mk_agent.msi" /quiet /norestart
>> caveat: a password given with -p is visible to everyone who can read the process list on the admin workstation and stays in the console history; omit -p and psexec prompts for it, or run psexec under an account that already has admin rights on the target and drop -u/-p entirely
#!/usr/bin/perl
###################################################################
#
# turnLightsOnbeforeSunset.pl
#
# uses module: install Astro::Sunrise
#
# get Latitude and Longitude from
# http://www.latlong.net/
# 72555, de:
# - latitude: 48.534733
# - longitude: 9.295337
#
# run as cron:
# 1,31 16,17,18,19,20,21,22,23,0 * * * /root/bin/turnLightsOnbeforeSunset.pl >>/var/log/turnLightsOnbeforeSunset.log 2>&1
#
###################################################################
use strict;
use warnings;
use Astro::Sunrise;

my $minbefore = 35;                        # switch on this many minutes before sunset
my $cmd_on    = '/root/bin/steckdose1on.sh';
my $cmd_off   = '/root/bin/steckdose1off.sh';
my $date      = `date`;
chomp($date);

# sun_set() returns "HH:MM" in local time; the arguments are longitude, latitude
my $sunset = sun_set(9.295337, 48.534733);
my ($sh, $sm) = split /:/, $sunset;
my $sunset_min = $sh * 60 + $sm;           # minutes since midnight

my @now = localtime();
my ($curhour, $curmin) = @now[2, 1];
my $cur_min = $curhour * 60 + $curmin;     # minutes since midnight; comparing HHMM strings
                                           # as numbers would break whenever the minute
                                           # is below 10 or the sum crosses a full hour
printf "%s sunset=%s, curtime=%02d:%02d\n", $date, $sunset, $curhour, $curmin;

if ($cur_min + $minbefore >= $sunset_min) {
    print "$date turn on the light\n";
    system($cmd_on);
}
if ($curhour < 1) {                        # the 00:01 / 00:31 cron runs switch it off again
    print "$date turn off the light\n";
    system($cmd_off);
}
in user view (Comware) just enter: screen-length disable (turns off the paging of long command output)
in most cases it is better not to use flowcontrol, see also this discussion:
https://community.hpe.com/t5/Switches-Hubs-and-Modems/When-to-use-Flow-Control/td-p/4337588
- uses Port TCP/UDP 5938
see also:
https://community.teamviewer.com/t5/Knowledge-Base/Which-ports-are-used-by-TeamViewer/ta-p/4139#toc-hId-678445090
these commands were used to clean up an Ubuntu 16 installation, removing X-Window related packages
- remove X11 and the components belonging to X11: apt-get purge libx11.* libqt.*
  (do a dry run first with apt-get -s purge libx11.* libqt.*; the pattern pulls in everything that depends on libx11, so check the list before confirming)
- sudo apt-get autoremove # uninstall packages that are no longer needed
- sudo apt-get autoclean # delete cached .deb files of packages that are no longer installed
#####################################################
#
# checkDomainAdmins.pl
#
# check_mk local check that uses the "net group" command to validate the
# number of users found in a group (e.g. to notice a new domain admin)
#
# needs perl .. recommendation is: http://strawberryperl.com/
#
# tested on a windows 2012 server
#
# (c) by m.wendig v2017-08
#
#####################################################
use Data::Dumper;
use strict;
use warnings;

my %group2check;
$group2check{'Domänen-Admins'} = 28;       # expected number of members
#$group2check{'other-group'} = 20;
#print Dumper(%group2check);

foreach my $group (keys %group2check) {
    my $startline     = 0;
    my $usercount     = 0;
    my $userline      = '';
    my $numberOfUsers = $group2check{$group};
    #print "checking group: $group\n";
    # choose the right code page because of the german special characters
    open(IN, "chcp 1252 & net group /dom \"$group\" 2>nul |") or die "cannot run net group: $!";
    while (<IN>) {
        chomp($_);
        my $line = $_;
        $line =~ s/^\s*//;
        $line =~ s/\s*$//;
        next if $line eq "";
        next if $line =~ /^Der Befehl wurde erfolgreich/;
        next if $line =~ /^The command completed successfully/;
        if ($startline) {
            # member names are printed in columns below the dashed line
            #print "$line\n";
            my @larr = split /\s+/, $line;
            #print Dumper(@larr);
            foreach my $elem (@larr) {
                $usercount++;
                $userline .= "$elem,";
            }
        }
        $startline = 1 if $line =~ /^-------------------------------------------------/;
    }
    close(IN);
    $group =~ s/ä/ae/g;                    # keep the check_mk service name plain ascii
    if ($numberOfUsers == $usercount) {
        print "0 group_$group member=$usercount number of found users: $usercount, names $userline\n";
    } else {
        print "2 group_$group member=$usercount number of found users: $usercount, error number should be $numberOfUsers!! $userline\n";
    }
}
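Counting members misses the case an attacker actually cares about: one admin removed and a different account added leaves the count unchanged. The following local check is an added example, not part of the original notes or of check_mk: it parses the same "net group" output but compares the member names against an allowlist and reports exactly which accounts were added or removed. EXPECTED and the sample output are constructed for the demo; the real "net group" call only happens in main().

```python
"""check_mk local check: compare group membership against an allowlist.

Added example, not part of the original notes. Unlike a pure head count it
reports *which* accounts were added or removed, so swapping one admin for
another (same count) is still caught. The expected member list and the sample
`net group` output are constructed for the demo; `net group` itself is only
called in main().
"""
import re
import subprocess

# hypothetical allowlist of who is supposed to be in the group
EXPECTED = {
    "Domänen-Admins": {"Administrator", "alice", "bob", "carol"},
}

# Constructed sample of `net group "Domänen-Admins" /domain` output (English
# Windows; a German one ends with "Der Befehl wurde erfolgreich ausgeführt.")
SAMPLE_OUTPUT = """\
Group name     Domänen-Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            alice                    mallory
carol
The command completed successfully.
"""


def parse_members(text):
    """Return the member names listed below the dashed separator."""
    members = set()
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith(("The command completed", "Der Befehl wurde erfolgreich")):
            break
        if in_members:
            # net group prints up to three names per line in fixed-width columns
            members.update(n for n in re.split(r"\s{2,}", line) if n)
    return members


def evaluate(group, text, expected=EXPECTED):
    """Return (state, line) in check_mk local-check form: 0=OK, 2=CRIT."""
    found = parse_members(text)
    want = expected[group]
    added, removed = sorted(found - want), sorted(want - found)
    safe = group.replace("ä", "ae").replace(" ", "_")
    if not added and not removed:
        return 0, f"0 group_{safe} member={len(found)} {len(found)} members as expected"
    details = []
    if added:
        details.append("unexpected: " + ",".join(added))
    if removed:
        details.append("missing: " + ",".join(removed))
    return 2, f"2 group_{safe} member={len(found)} " + "; ".join(details)


def run_net_group(group):
    """Query the domain controller; chcp 1252 keeps umlauts in the name intact."""
    out = subprocess.run(f'chcp 1252 >nul & net group "{group}" /domain',
                         shell=True, capture_output=True, text=True,
                         encoding="cp1252", check=False)
    return out.stdout


if __name__ == "__main__":
    for grp in EXPECTED:
        _, line = evaluate(grp, run_net_group(grp))
        print(line)
```

The allowlist lives in the script on purpose: if it were read from the domain itself an attacker with write access to the group could also adjust the baseline.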
>> just use mount --bind
example: show the directory /var/log/apache2 under the user home /home/loguser
1.) create the directory /home/loguser/show_apache2_log_dir
2.) mount the directory with the command:
mount --bind /var/log/apache2 /home/loguser/show_apache2_log_dir
>> to have the directory mounted after a reboot put the mount command into the startup file /etc/rc.local (or, cleaner, a line "/var/log/apache2 /home/loguser/show_apache2_log_dir none bind 0 0" in /etc/fstab)
>> a bind mount does not change permissions: loguser sees (and can write) exactly what the permissions on /var/log/apache2 allow; for a read-only view do a second step: mount -o remount,bind,ro /home/loguser/show_apache2_log_dir
sample in vhost:
#needs apache module proxy_http
ProxyPreserveHost On
ProxyRequests off
#ProxyRequests off keeps apache from acting as an open forward proxy; only the explicit ProxyPass mappings are proxied
ProxyPass /abfallkalender/ http://46.4.28.200:5000/abfallkalender/
ProxyPassReverse /abfallkalender/ http://46.4.28.200:5000/abfallkalender/
search for "windows 10 media creation tool"
>> you can download the iso image or create a bootable usb stick:
https://www.microsoft.com/de-de/software-download/windows10
when using rsnapshot there are a lot of hardlinks; to sync them (and keep them as hardlinks, option -H) you can use this command:
rsync -P -H --delete -uav /opt/hdds4c/ /tmp/hdds4cnew/
#more thorough (but slower) approach
use option -c, --checksum: skip based on checksum, not mod-time & size. Every file on both sides is read completely, so this is slower, not faster; it is only worth it when the timestamps cannot be trusted
rsync -P -H --delete -c --progress -uav /opt/hdds4c/ /tmp/hdds4cnew/
hint from this page: http://www.cryptobadger.com/2017/08/recent-ubuntu-patch-causing-issues-amd-17-x-drivers/
>>>>>>>>>>
1. Power down the rig and disconnect the risers to the GPUs.
2. Boot up the rig, login, and manually delete the old or suspect AMD GPU drivers, by issuing the command amdgpu-pro-uninstall
3. sudo apt update; sudo apt upgrade; sudo apt autoremove for the full Ubuntu cleanse This will also bring you up to 16.04.3, if you’re not there already.
4. Reboot
5. Login and install using the ./amdgpu-pro-install -compute command from the uncompressed AMD GPU driver file you want to use. (I’m on amdgpu-pro 17.30-465504.)
6. Power down and reconnect the risers to the GPUs.
7. Power up and hopefully your miner_launcher.sh will have you mining in no time.
This seems like a bother because it is. The AMD drivers are not that Ubuntu friendly. And the claymore software seems to take lots of low-level actions to enhance speed, perhaps at the expense of stability. But this ritual seems to be the most reliable way of keeping clean.
Always assume your mining rig could self-destruct at any time. Don’t keep any files only there if you would need them to rebuild. And keep notes on how to rebuild so you don’t have to repeat all the blind alleys you encountered on the first journey.
Good luck and happy mining!
use these shortcuts to take screenshots on macOS:
Cmd-Shift-3 : screenshot of the complete screen
Cmd-Shift-4 : screenshot of a chosen rectangle
Cmd-Shift-4, then Space : screenshot of a chosen window
>> the screenshot is afterwards on the desktop as a png picture
ls /sys/class/net/
>> shows which nics are there, e.g.:
br0 lo p5p1
>> p5p1 .. was not shown when running kernel 4.4.0-93
lspci -nnk | grep -iA3 net
>> shows the ethernet device and which driver is loaded
>> here no driver was loaded
>> when booting a later kernel, you see the module and the driver is loaded
kernel 4.4.0-96 contains the module (modinfo r8169):
>> /lib/modules/4.4.0-96-generic/kernel/drivers/net/ethernet/realtek/r8169.ko
>> solution: upgraded to 4.4.0-97 ;-))
(1)
when executing: /opt/amdgpu-pro/bin/clinfo
you get:
terminate called after throwing an instance of 'cl::Error'
what(): clGetPlatformIDs
Abgebrochen (Speicherabzug geschrieben) [= Aborted (core dumped)]
(2) using the command dmesg you see:
4.909396] [drm:amdgpu_init [amdgpu]] *ERROR* VGACON disables amdgpu kernel modesetting.
GRUB Boot: linux /boot/vmlinuz-4-4.0.97 -generic root=UUID=... ro nomodeset text
>> we need to remove nomodeset and text from the boot parameters,
after that clinfo was running fine
to configure this permanently, in the file /etc/default/grub:
#GRUB_CMDLINE_LINUX_DEFAULT="text"
GRUB_CMDLINE_LINUX_DEFAULT=""
#GRUB_CMDLINE_LINUX="nomodeset"
GRUB_CMDLINE_LINUX=""
>> after modifying this file you need to run "update-grub"
on windows use the <shift> key and <right mouse key>
C:\Windows\System32\LogFiles\Firewall
Windows Firewall with Advanced Security >> Logging (Protokollierung) >> switch it on here (dropped packets are not logged by default)
#wake on lan for the Intel NUCs (works with the latest Intel BIOS + driver under Windows 10)
inuc1: etherwake -i br0 94:c6:91:14:62:03
inuc2: etherwake -i br0 94:C6:91:14:68:2c
#shut down Windows 10 remotely
idea: use the samba-common package on linux and then the command "net rpc shutdown"
settings on Windows 10 to get it running:
problem 1: Connection failed: NT_STATUS_IO_TIMEOUT
solution : open windows firewall port 445 (SMB), for the linux machine only
problem 2: Could not initialise pipe winreg. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND
sc config RemoteRegistry start=auto
sc start RemoteRegistry
problem 3: you get the error WERR_CALL_NOT_IMPLEMENTED on linux
solution: registry editor
>> HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
>> create a DWORD named LocalAccountTokenFilterPolicy >> set its value to 1
>> caveat: this switches off the UAC remote restrictions for local administrator accounts, i.e. every local admin (and anyone who steals that account's hash) gets a full-privilege remote token; accept that only for a machine like this one, or use a domain account instead
execute the shutdown from linux
net rpc shutdown -f -t0 -S inuc1 -U user%password
net rpc shutdown -f -t0 -S inuc2 -U user%password
>> caveat: user%password on the command line ends up in the shell history and in "ps" output; use -U user (net prompts for the password) or put the credentials into a file with mode 600 and pass it with -A <file>
solution: set the AppArmor profile for tcpdump to complain mode instead of enforcing it:
aa-complain /usr/sbin/tcpdump
>> complain mode only logs the would-be denials (syslog / audit log) instead of blocking them; put the profile back with aa-enforce /usr/sbin/tcpdump once the capture (e.g. -w to a path the profile does not allow) is done
#https://automatetheboringstuff.com/chapter18/
#pip install pyscreenshot
#pip install pyautogui
#
#if you have all screenshots just print them to a pdf printer, like explained here:
#https://www.howtogeek.com/248462/how-to-combine-images-into-one-pdf-file-in-windows/
import os
import time
import pyautogui
import pyscreenshot as ImageGrab

if __name__ == '__main__':
    pyautogui.PAUSE = 1          # wait one second after every pyautogui call
    pyautogui.FAILSAFE = True    # moving the mouse into the top-left corner aborts the run
    # landscape: screen position of the "next page" control
    x = 1860
    y = 530
    # portrait (Hochformat)
    x = 1053
    y = 955
    os.makedirs('img', exist_ok=True)
    pyautogui.moveTo(x, y, duration=0.25)
    for i in range(1125):
        pyautogui.click(x, y, duration=0.25)    # turn to the next page
        #time.sleep(1)
        #im = ImageGrab.grab(bbox=(994, 90, 1708, 1000))   # X1, Y1, X2, Y2 (landscape)
        # portrait (Hochformat)
        im = ImageGrab.grab(bbox=(60, 305, 1026, 1600))    # X1, Y1, X2, Y2
        #time.sleep(1)
        im.save('img/screenshot_' + str(i) + '.png')
## Windows server (tested on 2012R2) - make it answer NTP requests
w32tm /config /reliable:yes
reg add HKLM\system\currentcontrolset\services\w32time\timeproviders\ntpserver /v enabled /t REG_DWORD /d 1 /f
net stop w32time
net start w32time
https://de.scribd.com/document/282413507/Kyocera-TA-3051ci-3551ci-4551ci-5551ci-Service-Manual-Rev-6
service manual:
https://de.scribd.com/doc/157672391/CS3050ci-3550ci-4550ci-5550ciENSMR1-pdf
passwords:
https://www.kyoceradocumentsolutions.de/index/serviceworld/technischer_support/geraetepasswoerter.html
Model 3051:
Command Center: Admin / Admin
System Menu: 3000 / 3000
(factory defaults; change them on every printer that is reachable from the network)
Files under: C:\Windows\SoftwareDistribution\
https://social.technet.microsoft.com/Forums/ie/en-US/d1816c14-f953-4068-b3f0-e49558fe0845/datastoreedb-file?forum=winserverfiles
For a complete cleaning (clearing also the whole update history):
1. net stop wuauserv
2. delete all files inside the C:\Windows\SoftwareDistribution\Download directory
3. delete DataStore.edb in C:\Windows\SoftwareDistribution\DataStore
4. net start wuauserv
>> solution: set the mtu size of the interface to a smaller value
C:\WINDOWS\system32>netsh interface ipv4 show subinterface
       MTU  MediaSenseState   Bytes In   Bytes Out  Interface
----------  ---------------  ---------  ----------  -------------
      1500                1  329087247    46687094  WLAN
      1500                5          0           0  LAN-Verbindung* 2
4294967295                1          0      270372  Loopback Pseudo-Interface 1
      1404                1     266411       76107  Hamachi
set the mtu to 1280:
>>>>> netsh interface ipv4 set subinterface Hamachi mtu=1280
>> to keep the setting after a reboot add "store=persistent":
netsh interface ipv4 set subinterface "$AdapterName" mtu=1280 store=persistent
ps: see also: https://aktuelles.computer-fuechse.com/294/unitymedia-vpn-probleme-ipv4-ipv6-geloest.htm
screen - terminal multiplexer
start a process that should run in its own screen session:
- screen -dmS <myscreensessionname> tail -f /var/log/messages
see which screen sessions are running:
- screen -list
resume a detached screen session:
- screen -r <myscreensessionname>
detach the session while it is active:
- <ctrl>+<a>, then <d>
when you get the error "Cannot open your terminal '/dev/pts/0' - please check":
- script /dev/null
for example you want to run two instances, one installed normally, the other installed as a portable firefox
>> the problem is that both instances use the same profile by default!!
solution:
- open a firefox >> about:profiles
- create a new profile, call it for example "portable"
- now create a "shortcut" for the portable firefox binary and add >> -no-remote -P "portable"
- for example: C:\tools\FirefoxPortable\FirefoxPortable.exe -no-remote -P "portable"
sample (Comware)
#create the mirroring group
mirroring-group 4 local
#select the port that you want to be monitored >> for example 1/0/1
mirroring-group 4 mirroring-port GigabitEthernet 1/0/1 both
#define the monitor port, where your notebook / wireshark is plugged in, e.g. 1/0/24
mirroring-group 4 monitor-port GigabitEthernet 1/0/24
Transceiver info
display transceiver diagnosis interface Ten-GigabitEthernet 1/0/49
Ten-GigabitEthernet1/0/49 transceiver diagnostic information:
Current diagnostic parameters:
Temp.(°C) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)
46 3.39 45.34 -0.99 -2.53
Alarm thresholds:
Temp.(°C) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)
High 73 3.80 88.00 3.50 3.50
Low -3 2.80 1.00 -8.00 -9.50
mibs:
hh3cTransceiver
VendorName
.1.3.6.1.4.1.25506.2.70.1.1.1.4 Name/OID: hh3cTransceiverVendorName.49; Value (OctetString): HPE
Distance
.1.3.6.1.4.1.25506.2.70.1.1.1.7 Name/OID: hh3cTransceiverTransferDistance.49; Value (Integer): 220 >> 220m
Cur TX power (dBm)
.1.3.6.1.4.1.25506.2.70.1.1.1.9 Name/OID: hh3cTransceiverCurTXPower.49; Value (Integer): -252
Indicating the current transmitted power.The unit is in hundredths of dBM. >> -2.52dBm
Cur RX power (dBm)
.1.3.6.1.4.1.25506.2.70.1.1.1.12 Name/OID: hh3cTransceiverCurRXPower.49; Value (Integer): -99
Indicating the current received power. The unit is in hundredths of dBM. >> -0.99dBm
Cur Temp °C
.1.3.6.1.4.1.25506.2.70.1.1.1.15 Name/OID: hh3cTransceiverTemperature.49; Value (Integer): 46
Indicating the current temperature. The unit is Celsius centigrade. >> 46°C
Cur Voltage (V)
.1.3.6.1.4.1.25506.2.70.1.1.1.16 Name/OID: hh3cTransceiverVoltage.49; Value (Integer): 339
Indicating the current voltage. The unit is in hundredths of V >> 3.39V
Cur Bias (mA)
.1.3.6.1.4.1.25506.2.70.1.1.1.17 Name/OID: hh3cTransceiverBiasCurrent.49; Value (Integer): 4534
Indicating the current bias electric current. The unit is in hundredths of mA >> 45.34mA
Alarm Temp High
.1.3.6.1.4.1.25506.2.70.1.1.1.18 Name/OID: hh3cTransceiverTempHiAlarm.49; Value (Integer): 73000 >> 73°C
Transceiver temperature high alarm threshold limit in thousandths of degrees Celsius.
As an example:49120 is 49.120 degrees Celsius.
Alarm Temp Low
.1.3.6.1.4.1.25506.2.70.1.1.1.19 Name/OID: hh3cTransceiverTempLoAlarm.49; Value (Integer): -3000 >> -3°C
Alarm Voltage High
.1.3.6.1.4.1.25506.2.70.1.1.1.22 Name/OID: hh3cTransceiverVccHiAlarm.49; Value (Integer): 37952 >> 3.80V
Transceiver VCC high alarm threshold limit in hundreds of microvolts.
As an example:32928 is 3.2928 volts. Returns zero if not supported on the transceiver.
Alarm Voltage Low
.1.3.6.1.4.1.25506.2.70.1.1.1.23 Name/OID: hh3cTransceiverVccLoAlarm.49; Value (Integer): 28048 >> 2.80V
Alarm Bias High
.1.3.6.1.4.1.25506.2.70.1.1.1.26 Name/OID: hh3cTransceiverBiasHiAlarm.49; Value (Integer): 88000 >> 88.00mA
Transceiver bias high alarm threshold limit in microamps
Alarm Bias Low
.1.3.6.1.4.1.25506.2.70.1.1.1.27 Name/OID: hh3cTransceiverBiasLoAlarm.50; Value (Integer): 1000 >> 1.00mA
!!dBm = 10 * log10(power / 1 mW); the power alarm thresholds below are in tenths of microwatts, so 10000 = 1 mW = 0 dBm
Alarm TX power dBM high
.1.3.6.1.4.1.25506.2.70.1.1.1.30 Name/OID: hh3cTransceiverPwrOutHiAlarm.49; Value (Integer): 22387
Transceiver transmit power high alarm threshold limit in tenths of microwatts.
As an example:10000 is 1 milliwatt.
Alarm TX power dBM low
.1.3.6.1.4.1.25506.2.70.1.1.1.31 Name/OID: hh3cTransceiverPwrOutLoAlarm.49; Value (Integer): 1122
Alarm RX power dBM high
.1.3.6.1.4.1.25506.2.70.1.1.1.34 Name/OID: hh3cTransceiverRcvPwrHiAlarm.49; Value (Integer): 22387
Alarm RX power dBM low
.1.3.6.1.4.1.25506.2.70.1.1.1.35 Name/OID: hh3cTransceiverRcvPwrLoAlarm.49; Value (Integer): 1585
TransceiverErrors
.1.3.6.1.4.1.25506.2.70.1.1.1.38 OctetString List with Errors
Bitmask indicating transceiver errors.
Transceiver information I/O error(0)
Transceiver information checksum error(1)
Transceiver type and port configuration mismatch(2)
Transceiver type not supported by port hardware(3)
WIS local fault(4)
Receive optical power fault(5)
PMA/PMD receiver local fault(6)
PCS receive local fault(7)
PHY XS receive local fault(8)
Laser bias current fault(9)
Laser temperature fault(10)
Laser output power fault(11)
TX fault(12)
PMA/PMD transmitter local fault(13)
PCS transmit local fault(14)
PHY XS Transmit Local Fault(15)
RX loss of signal(16)
Unused(17-31)
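The raw SNMP integers above are useless for alerting until every one is scaled into its own unit and compared with its own threshold pair, and the error object is a BITS value that has to be expanded bit by bit. The following decoder is an added example, not part of the original notes or of the HPE/H3C MIB: it takes the values listed for Ten-GigabitEthernet1/0/49 (embedded as constants instead of polled), converts them with the unit descriptions quoted above, evaluates the alarm windows and names the faults set in hh3cTransceiverErrors. The error octet strings in the test are constructed.

```python
"""Decode hh3cTransceiver SNMP values into engineering units and check alarms.

Added example, not part of the original notes. The raw values are the ones
listed above for Ten-GigabitEthernet1/0/49 (embedded here as constants, not
polled); the unit scalings follow the MIB descriptions quoted above.
"""
import math

# Raw integers as returned for index 49 (copied from the walk above)
RAW = {
    "CurTXPower": -252,      # hundredths of dBm
    "CurRXPower": -99,       # hundredths of dBm
    "Temperature": 46,       # degrees Celsius
    "Voltage": 339,          # hundredths of V
    "BiasCurrent": 4534,     # hundredths of mA
    "TempHiAlarm": 73000,    # thousandths of degrees Celsius
    "TempLoAlarm": -3000,
    "VccHiAlarm": 37952,     # hundreds of microvolts (1 unit = 100 uV)
    "VccLoAlarm": 28048,
    "BiasHiAlarm": 88000,    # microamps
    "BiasLoAlarm": 1000,
    "PwrOutHiAlarm": 22387,  # tenths of microwatts
    "PwrOutLoAlarm": 1122,
    "RcvPwrHiAlarm": 22387,
    "RcvPwrLoAlarm": 1585,
}

ERROR_BITS = [  # bit position -> meaning, from the hh3cTransceiverErrors list above
    "Transceiver information I/O error", "Transceiver information checksum error",
    "Transceiver type and port configuration mismatch",
    "Transceiver type not supported by port hardware", "WIS local fault",
    "Receive optical power fault", "PMA/PMD receiver local fault",
    "PCS receive local fault", "PHY XS receive local fault",
    "Laser bias current fault", "Laser temperature fault",
    "Laser output power fault", "TX fault", "PMA/PMD transmitter local fault",
    "PCS transmit local fault", "PHY XS Transmit Local Fault", "RX loss of signal",
]


def tenths_uw_to_dbm(value):
    """Power thresholds come in tenths of microwatts: dBm = 10*log10(P / 1 mW)."""
    milliwatts = value / 10_000.0        # 10000 units = 1 mW
    return 10.0 * math.log10(milliwatts)


def decode(raw):
    """Return current readings and alarm thresholds in engineering units."""
    return {
        "tx_dbm": raw["CurTXPower"] / 100.0,
        "rx_dbm": raw["CurRXPower"] / 100.0,
        "temp_c": float(raw["Temperature"]),
        "volt_v": raw["Voltage"] / 100.0,
        "bias_ma": raw["BiasCurrent"] / 100.0,
        "temp_hi": raw["TempHiAlarm"] / 1000.0,
        "temp_lo": raw["TempLoAlarm"] / 1000.0,
        "volt_hi": raw["VccHiAlarm"] / 10_000.0,   # 100 uV units -> V
        "volt_lo": raw["VccLoAlarm"] / 10_000.0,
        "bias_hi": raw["BiasHiAlarm"] / 1000.0,    # uA -> mA
        "bias_lo": raw["BiasLoAlarm"] / 1000.0,
        "tx_hi": tenths_uw_to_dbm(raw["PwrOutHiAlarm"]),
        "tx_lo": tenths_uw_to_dbm(raw["PwrOutLoAlarm"]),
        "rx_hi": tenths_uw_to_dbm(raw["RcvPwrHiAlarm"]),
        "rx_lo": tenths_uw_to_dbm(raw["RcvPwrLoAlarm"]),
    }


def alarms(values):
    """Names of the readings that lie outside their [lo, hi] alarm window."""
    out = []
    for name, lo, hi in (("tx_dbm", "tx_lo", "tx_hi"), ("rx_dbm", "rx_lo", "rx_hi"),
                         ("temp_c", "temp_lo", "temp_hi"),
                         ("volt_v", "volt_lo", "volt_hi"),
                         ("bias_ma", "bias_lo", "bias_hi")):
        if not values[lo] <= values[name] <= values[hi]:
            out.append(name)
    return out


def decode_errors(octets):
    """Expand the hh3cTransceiverErrors BITS octet string into fault names.
    Per the SNMP BITS convention bit 0 is the most significant bit of octet 0."""
    faults = []
    for bit, meaning in enumerate(ERROR_BITS):
        octet, pos = divmod(bit, 8)
        if octet < len(octets) and octets[octet] & (0x80 >> pos):
            faults.append(meaning)
    return faults
```

Note that the walk above already contains one surprise the code makes explicit: the high and low thresholds for TX and RX power are the same raw numbers for the high side (22387) but differ on the low side (1122 vs 1585), so a single shared window would alarm on the wrong link.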
##################################################################
#
# on IRF xx
#
##################################################################
a DHCP pool is configured / prepared:
dhcp server ip-pool vlan99
network 10.99.99.0 mask 255.255.255.0
address range 10.99.99.10 10.99.99.11
gateway-list 10.99.99.1
##################################################################
# activate (check first that the pool addresses are really unused)
##################################################################
interface Vlan-interface99
ip address 10.99.99.1 255.255.255.0
then issue the following command in the interface view:
dhcp server apply ip-pool vlan99
look at the DHCP clients:
disp dhcp server ip-in-use
IP address Client identifier/ Lease expiration Type
Hardware address
10.99.99.10 ...
##################################################################
# deactivate
##################################################################
interface Vlan-interface99
undo dhcp server apply ip-pool
in firefox: about:config
security.ssl.enable_ocsp_stapling;true >> set it to "false" and try again
(caveat: this switches off the check of stapled OCSP responses for every site; set it back to true once the misbehaving server has been fixed)
see also:
https://blog.pki.dfn.de/2015/03/mehr-privacy-fuer-den-nutzer-ocsp-stapling/
https://www.computerbase.de/forum/showthread.php?t=1683403
In the browser you see the message:
Exception printing is disabled by default for security reasons.
Error log record number xxxxxxxx
>> check the folder "var/report" of the web application for the error log file with that number (the details are kept out of the browser on purpose; do not enable exception printing on a production site)
1: yum install cpan
2: cpan install Net::SSH::Perl
see also: https://stackoverflow.com/questions/7011160/whats-does-the-perl-error-cant-locate-net-ssh-perl-pm-mean
FAN
hh3cDevMFanStatusTable, OID of this table: 1.3.6.1.4.1.25506.8.35.9.1.1
  hh3cDevMFanNum     (1.3.6.1.4.1.25506.8.35.9.1.1.1.1)  read-only  PDS: No
      This object is used to identify uniquely fans in device or fabric. Need confirm by products
  hh3cDevMFanStatus  (1.3.6.1.4.1.25506.8.35.9.1.1.1.2)  read-only  PDS: No
      Need confirm by products
POWER
hh3cDevMPowerStatusTable, OID of this table: 1.3.6.1.4.1.25506.8.35.9.1.2
  hh3cDevMPowerNum     (1.3.6.1.4.1.25506.8.35.9.1.2.1.1)  read-only  PDS: No
      This object is used to identify uniquely powers in device or fabric. Need confirm by products
  hh3cDevMPowerStatus  (1.3.6.1.4.1.25506.8.35.9.1.2.1.2)  read-only  PDS: No
      Need confirm by products
the model 305 for example just offers a special console connection:
There are 4 pins, if you look at the pins seen with the thinner tab at bottom:
PIN 1 - To GND on converter
PIN 2 - To RX on converter
PIN 3 - To TX on converter
PIN 4 - not connected
esxcfg-vswitch -l #show vswitch config
esxcfg-vmknic -l #list vmkernel interfaces - their ip and mac
esxcfg-nics -l #list physical interfaces
esxcli network nic stats get -n vmnic5 #see interface statistics
Performance test between two ESXi hosts with the iperf3 binary that ships with vSAN
>>
esxcli network firewall set --enabled false   # only for the duration of the test; re-enable afterwards with --enabled true
server:
/usr/lib/vmware/vsan/bin/iperf3.copy -s
network top - see network statistics
esxtop > pressing N will show network statistics
client:
/usr/lib/vmware/vsan/bin/iperf3.copy -c 192.168.2.10
software and documentation:
https://www.telekom.de/hilfe/geraete-zubehoer/telefone-und-anlagen/archiv/concept/t-concept-xi321
snmptable -v2c -c public 192.168.2.1 IF-MIB::ifTable
>> shows the interfaces in table format
#!/usr/bin/perl
# log sysUpTime and sysName of a device via snmpget (SNMPv2c: the community
# string travels in clear text, so only use it on a trusted management network)
use strict;
use warnings;

my $wg        = '192.168.1.1';
my $community = 'public';
my $date      = `date`;
chomp($date);
my $OID_sysUpTime = '1.3.6.1.2.1.1.3.0';
my $OID_sysName   = '1.3.6.1.2.1.1.5.0';
foreach my $oid ($OID_sysUpTime, $OID_sysName) {
    open(IN, "snmpget -v 2c -c $community $wg $oid |") or die "cannot run snmpget: $!";
    while (<IN>) { print "$date $1\n" if $_ =~ /= (.*)$/; }
    close(IN);
}
problem snmp service is not starting anymore
1) could be a bug / know problem
>> https://forum.qnapclub.de/thread/47395-snmp-will-nicht-mehr/
>> bug in version 4.3.4.0513 Build 20180315
2) see the error / the problem / troubleshooting
>> by running snmpd start command manual:
/usr/local/bin/snmpd -c /etc/config/snmpd.conf -p 161 -f -L o
error on subcontainer 'ia_addr' insert (-1)
Cannot find module (NAS-MIB): At line 0 in (none)
Cannot find module (IP-MIB): At line 0 in (none)
Cannot find module (IF-MIB): At line 0 in (none)
Cannot find module (TCP-MIB): At line 0 in (none)
Cannot find module (UDP-MIB): At line 0 in (none)
Cannot find module (HOST-RESOURCES-MIB): At line 0 in (none)
Cannot find module (SNMPv2-MIB): At line 0 in (none)
Cannot find module (SNMPv2-SMI): At line 0 in (none)
Cannot find module (NOTIFICATION-LOG-MIB): At line 0 in (none)
Cannot find module (DISMAN-EVENT-MIB): At line 0 in (none)
Cannot find module (DISMAN-SCHEDULE-MIB): At line 0 in (none)
Cannot find module (SNMP-TARGET-MIB): At line 0 in (none)
Cannot find module (NET-SNMP-AGENT-MIB): At line 0 in (none)
Cannot find module (HOST-RESOURCES-TYPES): At line 0 in (none)
Cannot find module (SNMP-MPD-MIB): At line 0 in (none)
Cannot find module (SNMP-USER-BASED-SM-MIB): At line 0 in (none)
Cannot find module (SNMP-FRAMEWORK-MIB): At line 0 in (none)
Cannot find module (SNMP-VIEW-BASED-ACM-MIB): At line 0 in (none)
Cannot find module (SNMP-COMMUNITY-MIB): At line 0 in (none)
Cannot find module (IPV6-ICMP-MIB): At line 0 in (none)
Cannot find module (IPV6-MIB): At line 0 in (none)
Cannot find module (IPV6-TCP-MIB): At line 0 in (none)
Cannot find module (IPV6-UDP-MIB): At line 0 in (none)
Cannot find module (IP-FORWARD-MIB): At line 0 in (none)
Cannot find module (SNMP-NOTIFICATION-MIB): At line 0 in (none)
Cannot find module (SNMPv2-TM): At line 0 in (none)
Cannot find module (NET-SNMP-VACM-MIB): At line 0 in (none)
Error opening specified endpoint "udp6:[::ffff:127.0.0.1]:161"
Server Exiting with code 1
problem: the message log shows a denial of service attack (caused by the monitoring sensor polling SNMP)
https://servereye.freshdesk.com/support/solutions/articles/14000079910-qnap-nas-meldet-dos-attacke-durch-den-sensor
setcfg SNMP EnableDetectDDoS FALSE
# /etc/init.d/snmp restart
>> this switches the SNMP DoS detection off completely; only do it after confirming that the "attacker" is your own monitoring host, otherwise lower the polling rate of the sensor instead
---
see the parameters on qnap system / console
>> file: /etc/config/uLinux.conf
>> section:
[SNMP]
Server Enable = TRUE
Service Enable = TRUE
Listen Port = 161
Trap Community = elbpublic
Event Mask 1 = 0
Trap Host 1 =
Event Mask 2 = 0
Trap Host 2 =
Event Mask 3 = 0
Trap Host 3 =
Version = 1
Auth Type = 0
Auth Protocol = 0
Priv Protocol = 0
User = test
Auth Key =
Priv Key =
https://humdi.net/vnstat/
vnStat is a console-based network traffic monitor for Linux and BSD that keeps a log of network traffic for the selected interface(s). It uses the network interface statistics provided by the kernel as information source. This means that vnStat won't actually be sniffing any traffic and also ensures light use of system resources.
>> solution
stop the automatic scheduled cleaning job
http://tipps4you.de/tipp-62-win7.html
# HTML5 Speedtest
> by Federico Dossena
> Version 4.5.5, April 25, 2018
> [https://github.com/adolfintel/speedtest/](https://github.com/adolfintel/speedtest/)
>> optimize things, when running this under ubuntu:
https://github.com/adolfintel/speedtest/issues/50
-----------------------------------------------------
########### Google Opt-Out
########### https://die-netzialisten.de/wordpress/google-analytics-um-einen-optout-link-ergaenzen/
########### in typo3 template
page.headerData.60 = TEXT
page.headerData.60.value (
<script type="text/javascript">// <![CDATA[
// Set to the same value as the web property used on the site
var gaProperty = 'UA-XXXX-Y';
// Disable tracking if the opt-out cookie exists.
var disableStr = 'ga-disable-' + gaProperty;
if (document.cookie.indexOf(disableStr + '=true') > -1) {
window[disableStr] = true;
}
// Opt-out function
function gaOptout() {
document.cookie = disableStr + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
window[disableStr] = true;
}
</script>
)
###########
## in the privacy policy page (Datenschutzerklärung)
<a onclick="alert('Google Analytics wurde deaktiviert');"
href="javascript:gaOptout()">Google Analytics deaktivieren</a>
- mwdemesrv01.no-ip.info.de
- mwc4qv41idgmwoyof8.myfritz.net.de (##44608##)
snmpwalk -v3 -l authPriv -u user1 -a SHA -A "pwd1" -x AES -X "pwd1" 192.168.1.1
(caveat: the -A / -X passphrases on the command line show up in "ps" and in the shell history; put defSecurityName, defAuthPassphrase and defPrivPassphrase into ~/.snmp/snmp.conf with mode 600 instead, and use two different passphrases for auth and priv)
=======================================================================================================================================
pethPsePortAdminEnable
.1.3.6.1.2.1.105.1.1.1.3
#show the PoE admin status of all ports
snmpbulkwalk -v3 -l authPriv -u user1 -a SHA -A "pwd1" -x AES -X "pwd1" 192.168.1.1 .1.3.6.1.2.1.105.1.1.1.3
possible values are:
1 (enable PoE on Port)
2 (disable PoE on Port)
#enable PoE on port 1 (index .1.1 = pethPsePortGroupIndex 1, pethPsePortIndex 1)
snmpset -v3 -l authPriv -u user1 -a SHA -A "pwd1" -x AES -X "pwd1" 192.168.1.1 SNMPv2-SMI::mib-2.105.1.1.1.3.1.1 i 1
#disable PoE on port 1
snmpset -v3 -l authPriv -u user1 -a SHA -A "pwd1" -x AES -X "pwd1" 192.168.1.1 SNMPv2-SMI::mib-2.105.1.1.1.3.1.1 i 2
=======================================================================================================================================
pethPsePortDetectionStatus
.1.3.6.1.2.1.105.1.1.1.6
snmpget -v3 -l authPriv -u user1 -a SHA -A "pwd1" -x AES -X "pwd1" 192.168.1.1 .1.3.6.1.2.1.105.1.1.1.6.1.1
possible values are:
1 (disabled)
2 (searching)
3 (delivering power)
4 (fault)
5 (testing)
6 (other fault)
DFS = Dynamic Frequency Selection
European regulation stating that weather and military radar have priority in the 5 GHz band. The access point regularly checks
whether such a source is active .. this check can take up to 10 minutes, during which the WLAN is unavailable / restricted.
In Germany this affects channels 52 to 64 and 100 to 140.
>> Workaround:
use the following 5 GHz channels: 36, 40, 44 and 48
when trying to connect to an old ssh server you get the message:
no matching cipher found. Their offer: des,3des-cbc
Solution (one-off, for this host only):
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc <ip>
------------------------
other option -> in the user ssh config file, scoped to that host with a Host block so the weak algorithms are not offered to anything else
example:
cat /root/.ssh/config
Host 192.168.1.100
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
-----------------------
globally, in the system-wide ssh config, something like this (re-enables the legacy algorithms for every connection, so prefer the per-host variant above):
#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
>> diffie-hellman-group1-sha1 (1024-bit group) and 3des-cbc are disabled by default in current OpenSSH because they are weak; treat them as a temporary bridge until the old device is updated or replaced
#!/usr/bin/perl
###############################################################################
#
# cleanUpPostfixQueue.pl
#
# deletes MAILER-DAEMON (bounce) messages that have been sitting in the
# postfix queue for more than one hour; only the time of day is compared,
# so a message older than a full day looks "fresh" again
#
# (c) s4c 2018-08
#
###############################################################################
use strict;
use warnings;

my $max_age = 3600;                 # seconds
my $now     = `date "+%H:%M:%S"`;
chomp($now);
my $now_s   = getSeconds($now);
#print "now: $now, $now_s\n";

open(my $in, '-|', '/usr/sbin/sendmail -bp') or die "cannot run sendmail -bp: $!";
my $counter = 0;
my $deleted = 0;
while (my $line = <$in>) {
    chomp($line);
    # match a queue entry line such as:
    # 3A3E16DC39CD     5474 Fri Aug 24 09:34:34  MAILER-DAEMON
    # a '*' (active) or '!' (on hold) may directly follow the queue id
    if ($line =~ /^([0-9A-Za-z]+)[*!]?\s+(\d+)\s+.*?(\d\d:\d\d:\d\d)\s+MAILER-DAEMON$/) {
        $counter++;
        my ($id, $size, $date) = ($1, $2, $3);
        my $date_s = getSeconds($date);
        my $diff   = $now_s - $date_s;
        $diff += 86400 if $diff < 0;    # the message arrived before midnight
        print "id=$id, size=$size, date=$date, diff=$diff.";
        if ($diff > $max_age) {
            print " deleting id $id.";
            # $id only contains characters matched by the regex above, so it is safe on the command line
            system("/usr/sbin/postsuper -d $id >/dev/null");
            $deleted++;
        }
        print "\n";
    }
}
close($in);
print "total: $counter, deleted: $deleted\n";

# "HH:MM:SS" -> seconds since midnight, -1 if the format does not match
sub getSeconds {
    my ($time) = @_;
    my $ret = -1;
    if ($time =~ /(\d\d):(\d\d):(\d\d)$/) {
        $ret = $3 + ($2 * 60) + ($1 * 3600);
    }
    return $ret;
}
#!/bin/bash
# findDoSVisitor
#
# useful if the CPU is very high .. find out the visitor which has the most
# connections on port 443 (the count is the first column, sorted ascending)
#
netstat -anp | grep ':443 ' | awk '{print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -nk 1
###########################
#!/bin/bash
# blockIPaddress.sh
#
# block an IP address from reaching port 443
# (the rule is inserted at the top of INPUT so an earlier ACCEPT cannot shadow it;
#  it is not persistent across reboots)
#
if [ -z "$1" ]
then
    echo "usage: blockIPaddress.sh <IP>"
    exit 1
fi
iptables -I INPUT -p tcp --dport 443 -i eth0 -s "$1" -j DROP
using wmi:
C:\> wmic /node:<TARGET-System> softwarefeature list brief /format:htable > soft.htm
while true; do cat /proc/cpuinfo |grep -i mhz; sleep 2; done
-------------------------
- procurve remote mirror
-------------------------
https://community.hpe.com/hpeb/attachments/hpeb/switching-a-series-forum/3662/1/Port%20mirroring.pdf
on destination switch / switch where analyzer is connected:
mirror endpoint ip < src-ip > < src-udp-port > < dst-ip > < port-# >
no mirror endpoint ip < src-ip > < src-udp-port > < dst-ip >
example: -destination switch is 192.168.2.250 > monitor port 24
-source switch is 192.168.2.233
mirror endpoint ip 192.168.2.233 7922 192.168.2.250 port 24
show monitor
on source switch / switch with traffic of interest:
Syntax: [no] mirror < 1 - 4 > [name < name-str >] remote ip < src-ip >< src-udp-port > < dst-ip >
example:
mirror 1 remote ip 192.168.2.233 7922 192.168.2.250
#add interface to monitor
interface 10 monitor all both mirror 1
there are several possibilities
example: remove openvpn from the runlevels
1) insserv --remove openvpn
2) remove the links manually under /etc/rcX.d/ (where X = 0..6)
DNS / Nameserver
Telekom:
Hannover: resolv-h.dtag.de 194.25.0.60 (IPv4) or 2003:56::53 (IPv6)
Frankfurt: resolv-f.dtag.de 194.25.0.68 (IPv4) or 2003:40:2000::53 (IPv6)
Leipzig: resolv-l.dtag.de 194.25.0.52 (IPv4) or 2003:40:4000::53 (IPv6)
problem: after cloning a 120 GB SSD to a 500 GB SSD, windows 10 does not start up any more
booting from the recovery cd + the command line command:
bootrec /rebuildbcd
didn't help to fix the issue
----
the following helped:
Type each command, then hit <Enter>:
bcdedit /export C:\bcd_save
c:
cd boot
attrib bcd -s -h -r
ren c:\boot\bcd bcd.save
bootrec /RebuildBcd
see also:
https://www.groovypost.com/howto/fix-windows-10-wont-boot-startup-repair-bootrec/
problem: Windows 10 startup takes very long (60 seconds or so)
solution: search for "EnableULPS" in the registry and set the value to "0"
reboot > the machine boots as it should (in a few seconds with an SSD)
if you want to understand the reason, there is an explanation in German:
https://www.pctipp.ch/tipps-tricks/kummerkasten/hardware/artikel/windows-10-so-loesen-sie-die-tempobremse-83139/?forcedesktop=1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
>> change
AllowCortana
to "0"
using random numbers
e.g. overwrite the whole disk /dev/sdb once:
sudo shred -vn 1 /dev/sdb
e.g. overwrite just the partition /dev/sdb3 once:
sudo shred -vn 1 /dev/sdb3
(caveat: on an SSD an overwrite does not reliably reach every cell because of wear levelling and over-provisioning; if the data must really be gone, use the drive's own secure-erase function, e.g. hdparm --security-erase for SATA or nvme format for NVMe, or encrypt the disk from the start and destroy the key)
great software if you have forgotten the Screen Time PIN for the kids' devices:
https://github.com/gwatts/pinfinder/blob/master/README.md
VeraCrypt can be seen as the "successor" of TrueCrypt: https://www.heise.de/download/product/veracrypt-95747
# reset the MySQL root password: start mysqld as OS user root with an init file
mysqld --init-file=/root/install/reset-mysql-pwd.sql --user=root
# content of reset-mysql-pwd.sql (delete the file afterwards, it holds the new password in clear text):
reset-mysql-pwd.sql
ALTER USER 'root'@'localhost' IDENTIFIED BY 'new-password';
How to mount QEMU's qcow2 partitions:
using the "network block device" (nbd) driver and the qemu-nbd tool
step 1: load the module
$ modprobe nbd max_part=8
step 2: make the image available as a block device (add --read-only when inspecting an image that must not be modified, e.g. for forensics)
$ qemu-nbd --connect=/dev/nbd0 /hdd-file.qcow2
step 3: list the available partitions with the command:
$ fdisk -l /dev/nbd0
step 4: mount the partition
$ mount /dev/nbd0p1 /tmp/mymountpoint/
>> if this step fails with the warning: mount: special device /dev/nbd0p1 does not exist
>> run the command: partx -a /dev/nbd0
>> and repeat step 4!
step 5: unmount the partition and disconnect the block device
$ umount /dev/nbd0p1
$ qemu-nbd --disconnect /dev/nbd0
- https://mtr.sh/
- https://lg.he.net/ Looking Glass from Hurricane Electric
# use case: a Linux system behind a firewall or DSL router connects to a cloud server and opens a reverse tunnel,
# so that someone can reach the system from the cloud server
# (access via SSH private/public key)
#
# - note on host key changes at the target host: the option -o UserKnownHostsFile=/dev/null keeps the port forwarding
#   working when the server presents a new host key (otherwise ssh refuses the connection).
#   Caveat: together with StrictHostKeyChecking=no this switches host-key verification off completely, so anyone who can
#   redirect the traffic can impersonate the cloud server; the safer way is a dedicated known_hosts file with the pinned key
#   that is updated deliberately when the key changes.
# cron jobs
*/5 * * * * /root/bin/checkSSH2Outside.sh >>/var/log/checkSSH2Outside.log
1 23 1 * * gzip -f /var/log/checkSSH2Outside.log >/dev/null
5 9,12,15,18,21,0 * * * /root/bin/killSSH.sh >/dev/null 2>/dev/null
#cat /root/bin/checkSSH2Outside.sh
#!/bin/bash
ts=$(date)
# count the running tunnel processes (the three grep patterns never all match a grep command itself)
num=$(ps -ef | grep ssh | grep mydomain | grep 17000 | wc -l)
echo "$ts Number of found ssh processes = $num."
if [ "$num" -ge 1 ] ; then
echo "$ts Processes to outside are already running."
else
echo "$ts No processes found >> starting"
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ServerAliveInterval=300 -N -p 10022 -R 17000:localhost:22 user@mydomain.de
fi
#/root/bin/killSSH.sh
# kills the tunnel so the cron job above starts a fresh one; the port must match the -R port used above (17000)
ps -ef | grep 17000 | grep ssh | awk '{ print $2 }' | xargs -r -n 1 kill
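An added example, not the original checkSSH2Outside.sh / killSSH.sh: the same reverse tunnel written so that host-key verification stays switched on (the server key is pinned in its own known_hosts file), ssh gives up and gets restarted by cron when the remote port is still occupied, and the tunnel is tracked through a pidfile instead of grepping ps. Host name, user, ports and file paths are assumptions taken over from the notes above.

```shell
#!/bin/bash
# Added example, not the original checkSSH2Outside.sh. Same reverse tunnel, but:
#  - host-key verification stays ON: the cloud server's key is pinned in its own
#    known_hosts file instead of being ignored (UserKnownHostsFile=/dev/null)
#  - ExitOnForwardFailure: ssh exits (and cron restarts it) if the remote port is
#    still held by a half-dead session, instead of staying up with no forwarding
#  - the tunnel process is tracked through a pidfile, not by grepping ps
# Host, user, ports and paths are assumptions; adjust them to your setup.
REMOTE_HOST=${REMOTE_HOST:-mydomain.de}
REMOTE_PORT=${REMOTE_PORT:-10022}
REMOTE_USER=${REMOTE_USER:-user}
REVERSE_PORT=${REVERSE_PORT:-17000}
KNOWN_HOSTS=${KNOWN_HOSTS:-/root/.ssh/known_hosts_tunnel}
PIDFILE=${PIDFILE:-/run/ssh-tunnel-$REVERSE_PORT.pid}

# One-time pinning, done interactively; compare the fingerprint with what the
# server itself reports (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub) first:
#   ssh-keyscan -p "$REMOTE_PORT" "$REMOTE_HOST" > "$KNOWN_HOSTS"
#   ssh-keygen -lf "$KNOWN_HOSTS"
# When the server key is changed on purpose, repeat these two lines. A key change
# nobody planned is exactly what StrictHostKeyChecking=yes is there to block.

# Run "$1" with the ssh argument list appended (keeps the options in one place).
ssh_argv() {
  local action=$1
  "$action" ssh \
    -o "UserKnownHostsFile=$KNOWN_HOSTS" \
    -o StrictHostKeyChecking=yes \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
    -N -p "$REMOTE_PORT" -R "$REVERSE_PORT:localhost:22" \
    "$REMOTE_USER@$REMOTE_HOST"
}

# The command line as one string, for the log and for checking the options.
tunnel_cmd() { ssh_argv echo; }

# Start the given command in the background and record its pid.
launch() { "$@" & echo $! > "$PIDFILE"; }

# 0 if the pidfile names a live ssh process; otherwise drop the stale file, return 1.
tunnel_running() {
  local pid
  [ -r "$PIDFILE" ] || return 1
  pid=$(cat "$PIDFILE")
  if [ -n "$pid" ] && [ -r "/proc/$pid/comm" ] && [ "$(cat "/proc/$pid/comm")" = ssh ]; then
    return 0
  fi
  rm -f "$PIDFILE"
  return 1
}

start_tunnel() {
  if tunnel_running; then
    echo "$(date) tunnel already running, pid $(cat "$PIDFILE")"
    return 0
  fi
  echo "$(date) starting: $(tunnel_cmd)"
  ssh_argv launch
}

stop_tunnel() {
  if tunnel_running; then kill "$(cat "$PIDFILE")"; fi
  rm -f "$PIDFILE"
}

# cron:  */5 * * * * /root/bin/tunnel.sh start >>/var/log/tunnel.log 2>&1
case "${1:-}" in
  start)  start_tunnel ;;
  stop)   stop_tunnel ;;
  status) if tunnel_running; then echo up; else echo down; fi ;;
esac
```

On the cloud server side, restrict the tunnel account to port forwarding only (for example `restrict,port-forwarding` in authorized_keys and a `Match User` block with `PermitOpen`/`PermitListen`), so a stolen client key cannot be used for anything else.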
the reverse DNS entry (PTR record) of a mail server should resolve to a DNS name that points straight back to the server's IP address (forward-confirmed reverse DNS) and that does not belong to a different domain, for example a generic virtual-server name like "vsrvh3233.providername.com".
you can validate the server IP / reverse DNS using:
https://bgp.he.net/ip/your-server-ip-here#_dns
Firefox error:
Blocked by Content Security Policy (CSP)
This page has a Content Security Policy that prevents it from being embedded in this way.
Firefox prevented this page from loading in this way because the page has a Content Security Policy that does not allow it.
Workaround:
about:config
>> set security.csp.enable to false
(caveat: this switches CSP off for every site in that profile and removes a browser-side mitigation against XSS and clickjacking; do it only temporarily, ideally in a separate test profile, and switch it back on afterwards)
Problem: after a VMware virtual server (Windows 2012) was switched from 1 Gbit to 10 Gbit it could no longer establish valid TCP sessions to some specific hosts
Solution: with Wireshark we found that the difference was the TCP ECN bit, which was set when using 10 Gbit
>> disable ECN on the virtual Windows machine:
netsh int tcp set global ecncapability=Disabled
>> check the Windows settings:
netsh int tcp show global
see also:
- https://de.wikipedia.org/wiki/Explicit_Congestion_Notification
- http://lifeofageekadmin.com/network-performance/
two cool tools
- WSUS offline https://www.heise.de/download/product/wsus-offline-update-ct-offline-update-38170
- Winfuture Update Pack https://winfuture.de/UpdatePack
coming soon
Apple installation from El Capitan does not work
>> solution >> disable WLAN and make sure to set the date to the year 2015,
the reason is that some of the installer's security certificates have expired
>> in the Terminal enter the command:
>> date 010106002015
(this sets the time to 06:00, 01.01.2015)
see also
https://communities.apple.com/de/thread/251082331
https://[device interface IP address]/sslvpn.html
https://[device interface IP address]:4100/sslvpn.html
https://[device host name]/sslvpn.html
https://[device host name]:4100/sslvpn.html
speedtest
- https://fast.com/de/
seems to be a Netflix service
many possibilities to generate CPU load:
#1 run "yes" loops, one per core (or per thread); in this case four for a 4-core CPU
yes >/dev/null & yes >/dev/null & yes >/dev/null & yes >/dev/null
video streaming server with a TRENDnet webcam
> connect to the camera via RTSP and make the stream available to a web browser
(note: ffserver was removed from FFmpeg with version 4.0; the ffmpeg 3.x package of Debian 9 still ships it)
steps to install:
(1)
debian 9:
install ffmpeg: apt-get install ffmpeg
(2)
stream configuration:
/etc/ffserver.conf
<Feed vogel.ffm>
File /tmp/vogel.ffm
FileMaxSize 5M
Launch ffmpeg -i "rtsp://<ip>/channel=1&stream=1.sdp?real_stream"
#Launch ffmpeg -i "rtsp://<ip>/channel=1&stream=1.sdp?sub_stream"
</Feed>
<Stream vogel.mjpg>
Feed vogel.ffm
Format mpjpeg
VideoBitRate 10000
VideoFrameRate 15
#VideoSize 800x450 // resolution of the converted stream
#VideoSize 320x320
#VideoSize hd1080
VideoSize hd720
#VideoSize 160x128
VideoIntraOnly
NoAudio
Strict -1
NoDefaults
</Stream>
(3)
start the server:
/usr/bin/ffserver
(4)
access the stream: http://85.214.97.152:8090/vogel.mjpg
(ffserver has no authentication: anyone who can reach port 8090 can watch the stream and read the camera's RTSP URL from the status page; restrict access with an "ACL allow" line in the <Stream> section or with a firewall rule)
---------
links:
tinyurl
https://tinyurl.com/Vogelzeit
http://85.214.97.152:8090/vogel.mjpg
https://www.loxwiki.eu/display/LOX/beliebige+Kamera+mittels+FFmpeg+einbinden
how to bookmark a custom page?
after you have created a config file like the example below, you can
bookmark the page via this link:
>> http://hostname/your-site/pnp4nagios/index.php/page?page=yoursitename.cfg
configuration files are under:
etc/pnp4nagios/pages/yoursitename.cfg
#
#
#
# Global Section
# use_regex [0|1]
# page_name < your page title >
# background_pdf <pdf file>
#
# the page block must be closed before the first graph block
define page {
use_regex 1
page_name my-report
}
#
# Define the first graph
#
define graph {
host_name ^switch-192.168.1.2
service_desc ^Interface.*001$
source 0 # OPTIONAL show only the first image
}
define graph {
host_name ^switch-192.168.1.3
service_desc ^Interface.*003$
source 0 # OPTIONAL show only the first image
}
Problem: after logging in to the switch you get the menu, not the CLI
Solution: go to the console and enter the following command:
setup default-logon cli
>> don't forget to "write memory"
If you need to move iTunes backups to another PC, this information may be useful:
- Windows 10 Microsoft Store iTunes app: C:\Users\wema\Apple\MobileSync\Backup
- other iTunes versions: C:\Users\wema\AppData\Roaming\Apple Computer\MobileSync\Backup
switch 5700:
the default is 10000 bytes and pass-through is enabled; you can verify this with the command:
display interface Ten-GigabitEthernet 1/0/9
>> The Maximum Frame Length is 10000
>> Allow jumbo frame to pass
the size can be changed with the command "jumboframe enable xxx"
Monitoring the ARP entries of an IP router:
- run snmpwalk to read the MIB table IP-MIB::ipNetToMediaPhysAddress
>> you get a list of the current IP addresses and their MAC addresses
The snmp command is (also works on Windows with the net-snmp tools):
snmpwalk -v 2c -c public 192.168.x.x IP-MIB::ipNetToMediaPhysAddress
or, by OID:
snmpwalk -v 2c -c public 192.168.x.x .1.3.6.1.2.1.4.22.1.2
(the community string "public" is the well-known default and travels in clear text with SNMPv2c; use a read-only community of your own, restrict it to the monitoring host, or better use SNMPv3 with authentication and privacy)
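An added example (not from the original notes) that turns the snmpwalk output into a normalised "ip mac" table and compares it with a saved baseline, so a changed MAC for a known address (ARP spoofing, a swapped device) or a new address is reported. The snmpwalk lines are constructed, and the community string and router address in the comment are placeholders.

```shell
#!/bin/bash
# Added example, not part of the original notes: turn the snmpwalk output of
# IP-MIB::ipNetToMediaPhysAddress into "ip mac" lines and diff them against a
# saved baseline, so a MAC that changes for a known IP (ARP spoofing, a swapped
# device) or a new IP shows up. The sample snmpwalk lines are constructed.
export LC_ALL=C   # join needs both inputs sorted in the same collation

# Normalise a MAC from snmpwalk: "0:11:22:33:44:55" or "00 50 56 AB CD EF "
# -> "00:11:22:33:44:55" (zero-padded, lower case).
norm_mac() {
  local out='' octet
  local IFS=': '
  for octet in $1; do
    out="$out$(printf '%02x' "0x$octet"):"
  done
  printf '%s\n' "${out%:}"
}

# stdin: snmpwalk output such as
#   IP-MIB::ipNetToMediaPhysAddress.3.192.168.1.1 = STRING: 0:11:22:33:44:55
#   IP-MIB::ipNetToMediaPhysAddress.3.192.168.1.30 = Hex-STRING: 00 50 56 AB CD EF
# stdout: sorted "ip mac" lines (the interface index in front of the IP is dropped)
parse_arp() {
  sed -nE 's/^.*ipNetToMediaPhysAddress\.[0-9]+\.([0-9.]+) = (Hex-)?STRING: (.*)$/\1 \3/p' \
    | while read -r ip mac; do
        printf '%s %s\n' "$ip" "$(norm_mac "$mac")"
      done | sort
}

# $1 baseline file, $2 current file (both produced by parse_arp).
# Prints NEW / GONE / CHANGED lines; prints nothing when the tables match.
arp_diff() {
  join -a1 -a2 -e MISSING -o 0,1.2,2.2 "$1" "$2" | awk '
    $2 == "MISSING" { print "NEW " $1 " " $3; next }
    $3 == "MISSING" { print "GONE " $1 " " $2; next }
    $2 != $3        { print "CHANGED " $1 " " $2 " -> " $3 }'
}

BASELINE=$(mktemp) CURRENT=$(mktemp)
# Constructed baseline (what the router answered yesterday)
printf '%s\n' \
  'IP-MIB::ipNetToMediaPhysAddress.3.192.168.1.1 = STRING: 0:11:22:33:44:55' \
  'IP-MIB::ipNetToMediaPhysAddress.3.192.168.1.20 = STRING: aa:bb:cc:dd:ee:1' \
  | parse_arp > "$BASELINE"
# Constructed current table: .20 changed its MAC, .30 is new
printf '%s\n' \
  'IP-MIB::ipNetToMediaPhysAddress.3.192.168.1.1 = STRING: 0:11:22:33:44:55' \
  'IP-MIB::ipNetToMediaPhysAddress.3.192.168.1.20 = STRING: de:ad:be:ef:0:1' \
  'IP-MIB::ipNetToMediaPhysAddress.3.192.168.1.30 = Hex-STRING: 00 50 56 AB CD EF ' \
  | parse_arp > "$CURRENT"
arp_diff "$BASELINE" "$CURRENT"
# Live use (community string and router address are placeholders):
#   snmpwalk -v 2c -c "$COMMUNITY" 192.168.x.x IP-MIB::ipNetToMediaPhysAddress | parse_arp > current.txt
#   arp_diff baseline.txt current.txt && echo "no change"
```

A CHANGED line for a server or gateway address is the interesting one: hosts that get their address from DHCP change MAC legitimately, so keep the baseline to static addresses or compare against the DHCP lease table as well.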
######
# Comware syslog format
# the unicom format uses the IP address instead of the hostname when a source VLAN is defined
change the syslog format:
info-center format unicom
info-center timestamp loghost no-year-date
info-center loghost source Vlan-interface5
info-center loghost 192.168.10.57
info-center loghost 192.168.10.61
had some trouble getting a Buffalo LinkStation 421 LS421DE up and running again after two new hard drives were installed
- problem with emergency mode
- problem deploying new firmware with the firmware updater tool >> message "partition not found"
solution
>> download firmware updater: https://www.buffalo-technology.com/de/productview/LS421DE
>> set a debug flag in: LSUpdater.ini
[Flags]
VersionCheck = 0
NoFormatting = 1
[SpecialFlags]
Debug=1
now start LS-Updater and right-click on the system menu >> there are the debug options!!
>> further steps are described in detail on this great page: http://www.herzig-net.de/prog/?page=unbrick_ls-wxl
- factory reset: press the character "q" while the switch is starting to access the boot menu.
In the boot menu select "11": Restore configuration to factory default,
then select "10": reset the system
- default user / password: the default user is admin, the default password is blank (nothing, just press Enter)
Windows command-line commands for the time zone:
- tzutil /l #list all available time zones (display name, followed by the ID on the next line)
- tzutil /g #show the current time zone ID
- tzutil /s "Central America Standard Time" #change the time zone; /s expects the ID shown by tzutil /l, not the display name
see also: http://woshub.com/how-to-set-timezone-from-command-prompt-in-windows/
########################################
# rsync / ssh jail for linux on centos
########################################
- create user backup01 and set its home directory to /home/backup01/jail_backup in /etc/passwd:
backup01:x:501:502:backup01:/home/backup01/jail_backup:/bin/bash
- create the jail directory (sshd requires every component of the ChrootDirectory path, /home/backup01 included, to be a root-owned directory that is not writable by group or others, otherwise the login fails with "bad ownership or modes for chroot directory")
mkdir /home/backup01/jail_backup
chown root:root /home/backup01
chown root:root /home/backup01/jail_backup
- create the backup directory inside the jail, owned by the user (the only place the user can write)
mkdir /home/backup01/jail_backup/backupdir1
chown backup01:backup01 /home/backup01/jail_backup/backupdir1
- changes in /etc/ssh/sshd_config:
Match User backup01
ChrootDirectory /home/backup01/jail_backup
AllowTcpForwarding no
X11Forwarding no
- restart ssh: /etc/init.d/sshd restart (CentOS 7: systemctl restart sshd)
- prepare the isolated environment for the user (a chroot needs its own copies of the shell, rsync and the libraries they use)
use the script setup.chroot.for.rsync.sh (get it from: https://tools.deltazero.cz/server/setup.chroot.for.rsync.sh ; read it before running it, it copies binaries into the jail as root)
>> run it from the directory /home/backup01/jail_backup/
- test the user:
ssh backup01@localhost
- test rsync (use -n for a dry run):
rsync -uvzca -n -e 'ssh' messages* backup01@localhost:backupdir1
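An added example (not from the original notes) that checks a ChrootDirectory path the way sshd does before it chroots: every component must be a directory owned by root and not writable by group or others. The directory names are only placeholders; the demo builds a throw-away tree with a deliberately wrong mode.

```shell
#!/bin/bash
# Added example, not part of the original notes: verify a ChrootDirectory path
# the way sshd does before it chroots. sshd refuses the login with
# "bad ownership or modes for chroot directory" unless every path component is a
# directory owned by root that is not writable by group or others. Directory
# names below are only placeholders.

check_chroot_path() {
  local path=$1 cur='' comp rc=0 owner mode
  case "$path" in
    /*) ;;
    *) echo "$path: ChrootDirectory must be an absolute path"; return 1 ;;
  esac
  local IFS=/
  for comp in $path; do
    [ -n "$comp" ] || continue
    cur="$cur/$comp"
    if [ ! -d "$cur" ]; then
      echo "$cur: not a directory"; rc=1; continue
    fi
    owner=$(stat -c %u "$cur")
    mode=$(stat -c %a "$cur")
    if [ "$owner" != 0 ]; then
      echo "$cur: owned by uid $owner, must be owned by root"; rc=1
    fi
    # 022 = group-write and other-write bits; sshd rejects either one
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      echo "$cur: mode $mode is group/world writable"; rc=1
    fi
  done
  return "$rc"
}

# Demo on a throw-away tree. The user's data directory may be user-owned and
# writable because it lives *inside* the jail and is not part of the checked path.
demo=$(mktemp -d)
mkdir -p "$demo/jail_backup/backupdir1"
chmod 775 "$demo/jail_backup"            # deliberately wrong: group-writable jail
if check_chroot_path "$demo/jail_backup"; then
  echo "sshd would accept this ChrootDirectory"
else
  echo "sshd would refuse this ChrootDirectory"
fi
rm -rf "$demo"
# Real use:  check_chroot_path /home/backup01/jail_backup
```

The demo also reports /tmp itself (mode 1777), which is the reason a jail placed under /tmp never works; run the function against the real path after the chown commands above and fix every line it prints before testing the login.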
Error message:
- Printer not activated - Error code -30
- Printer not activated - Error code -20
https://www.lexware.de/support/faq/produkt/kassenbuch/faq-beitrag/000018474-meldung-printer-not-activated-error-code-30-oder-20/
>> Solution: installing the PDF 6 driver fixed it (tested October 2020)
https://delta.lexware.de/sf_get_wmattachment.php?att=b270a0762ffc25bf8104fc9efe68b1
see document: https://support.hpe.com/hpesc/public/docDisplay?docId=a00094242en_us
problem: you get "duplicate ip address" when pinging through the gateway
solution: no ip icmp redirect
Cisco 200 Series Smart Switches
reboot / reset:
- just rebooting: press the reset button for < 10 seconds
factory default:
- with power on, press and hold the reset button > 10 seconds
default logon:
username = cisco
password = cisco
(change the default credentials before the switch is reachable from the production network)
default IP: 192.168.1.254 if there is no DHCP
firmware upgrade:
https://community.cisco.com/t5/small-business-switches/sg200-26-26-port-switch-firmware-upgrade/td-p/2768163
>> .rfb files are boot-code files; install them via TFTP!
MSSQL connection from a Linux server using ODBC.
installation for CentOS 7:
- yum install unixodbc freetds
- /etc/odbcinst.ini
[FreeTDS]
Driver=/usr/lib64/libtdsodbc.so.0
Setup=/usr/lib64/libtdsS.so.2
FileUsage=1
UsageCount=1
- /etc/odbc.ini for example:
[db01]
Driver=FreeTDS
Description=db01
Trace=No
Server=192.168.1.111
Port=1433
Database = Database1
- try the connection using: isql -v db01 dbuser <password>
(a password on the command line ends up in the shell history and the process list; for a real account put it in a protected config file or an environment variable instead)
- php example:
$conn = odbc_connect("Driver=FreeTDS;DSN=$dsn;Database=$database", $user, $pwd);
if (!$conn){
print '<h2> Error: Unable to connect to Database. </h2>';
}else{
$query = 'SELECT * from orders';
$result = odbc_exec($conn, $query);
while(odbc_fetch_row($result)){
$customer=utf8_encode(odbc_result($result, 1));
$title=utf8_encode(odbc_result($result, 2));
$customer_name=utf8_encode(odbc_result($result, 13));
$order_status1=utf8_encode(odbc_result($result, 14));
}
odbc_close($conn);
----------------------------------------
- see also https://zend18.zendesk.com/hc/en-us/articles/218197897-Configuring-a-Linux-Server-to-Connect-to-an-MSSQL-Database-Using-ODBC
validate Windows LDAP / Active Directory using checkmk:
since we use SSL / port 636 we set in /etc/openldap/ldap.conf:
TLS_REQCERT never
(this makes the client skip server certificate validation completely: whoever answers on port 636 receives the bind password. The better fix is to export the AD CA certificate and reference it with TLS_CACERT in ldap.conf, leaving TLS_REQCERT at its default "demand"; see the details of the TLS_REQCERT levels below)
run ldap test in command line:
/omd/versions/default/lib/nagios/plugins/check_ldaps -H 192.168.2.10 -b 'dc=company,dc=local' -D 'cn=my-bind-user,dc=company,dc=local' -P 'my password' -p 636 --ssl
>> result: LDAP OK - 0,020 seconds response time|time=0,020456s;;;0,000000
configure a rule in checkmk:
- Wato > Active checks > Check access to Ldap service:
Base DN: dc=company,dc=local
Authentication:
Bind DN: cn=my-bind-user,dc=company,dc=local
passwrd: my password
TCP Port: 636
Use LDAPS
Explicit hosts: my ldap server
>> this leads to the service check command: check_mk_active-ldap! -H $HOSTADDRESS$ -b 'dc=company,dc=local' -D 'cn=my-bind-user,dc=company,dc=local' -P 'my password' -p 636 --ssl
-----------------------------------------------------------------------------------------------------------
>> TLS_REQCERT in detail:
TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS
session, if any. The <level> can be specified as one of the
following keywords:
never The client will not request or check any server
certificate.
allow The server certificate is requested. If no certificate is
provided, the session proceeds normally. If a bad
certificate is provided, it will be ignored and the
session proceeds normally.
try The server certificate is requested. If no certificate is
provided, the session proceeds normally. If a bad
certificate is provided, the session is immediately
terminated.
demand | hard
These keywords are equivalent. The server certificate is
requested. If no certificate is provided, or a bad
certificate is provided, the session is immediately
terminated. This is the default setting.
LP 4235
https://www.triumph-adler.de/ta-de-de/produkte/produkte/produktdetails/katalog/drucksysteme/lp-4235-126910
>> download the driver
>> /Downloads/LinuxPackagesTA/LP 3235_LP 4235 series/64bit/EU/German$
>> LP3235.PPD
CUPS settings:
driver: LP 3235_LP 4235 (KPDL) (black and white, 2-sided printing)
connection: socket://192.168.178.2:9100
default settings: job-sheets=none, none media=iso_a4_210x297mm sides=two-sided-long-edge
problem: the popular mining software Claymore no longer works for mining Ethereum since the end of 2020;
there is no official solution from ethOS, but it is possible to use a third-party miner instead of the default ethminer, which
consumes more energy.
solution: install PhoenixMiner
1) get miner-manager from GitHub (a script from a third-party repository that runs as root on the rig: read it and pin the commit you reviewed instead of fetching master, then make it executable with chmod +x)
wget https://raw.githubusercontent.com/cynixx3/third-party-miner-installer-for-ethos/master/miner-manager
2) install the third-party miner
./miner-manager phoenixminer install
in your local.conf just update the "globalminer" setting to "phoenixminer"
Using the EthOS config:
globalminer phoenixminer
stratumproxy enabled
proxywallet 0xMYWALLET
proxypool1 eu1.ethermine.org:4444
poolpass1 x
see also:
https://www.reddit.com/r/EtherMining/comments/i2ifz3/teamredminer_on_ethos/
Problem: Network Traffic Analyzer (NTA) import problem - no data is shown in HPE Aruba Intelligent Management Center (IMC)
software version:
- iMC PLAT v7.3 (E0705P06)
- IMC NTA 7.3 (E0509) + SP1
-----------------
Analysis:
- validate with Wireshark that sFlow data is being received
- c:\Program Files\iMC\data\processorData\data
>> the directory shows that data is coming in, but the data is not processed!
- error found in the log file!
log file: c:\Program files\iMC\unba\log\processor.current-date
-----------------
Solution:
>> error: mysql error code=3948, error message=Loading local data is disabled; this must be enabled on both the client and server sides
solution:
in the MySQL my.ini:
[client]
local_infile=1
[mysql]
local_infile=1
[mysqld]
local_infile=1
>> stop IMC + restart the database
(local_infile allows LOAD DATA LOCAL, i.e. the server may request files from the client's file system; here client and server are the same IMC host, so keep the setting limited to this instance)
-----------------
other help: HPE IMC NTA/UBA Troubleshooting Guide
https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c05247038
ethos - change timezone
tested on ethOS 1.3.3: (ethOS Mining OS)
as user root:
cp -p /etc/timezone /etc/timezone.original
echo "Europe/Berlin" > /etc/timezone
cp -p /etc/localtime /etc/localtime.original
cp -p /usr/share/zoneinfo/Europe/Berlin /etc/localtime
>> check with command "date"
>> Fri Dec 4 21:06:59 CET 2020
how to see all DHCP requests and offers from the Linux command line:
tcpdump -pvn -i <interface> port 67 or port 68
(port 67 and port 68 also works for client/server exchanges, but misses relay-agent traffic, which goes from port 67 to port 67)
problem: nothing provides graphviz-gd needed by check-mk
solution: enable the PowerTools repository!
cat /etc/yum.repos.d/CentOS-Stream-PowerTools.repo
# CentOS-Stream-PowerTools.repo
#
# The mirrorlist system uses the connecting IP address of the client and the
# update status of each mirror to pick current mirrors that are geographically
# close to the client. You should use this for CentOS updates unless you are
# manually picking other mirrors.
#
# If the mirrorlist does not work for you, you can try the commented out
# baseurl line instead.
[powertools]
name=CentOS Stream $releasever - PowerTools
mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=PowerTools&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$stream/PowerTools/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
>> after that: yum install graphviz-gd
>> and install checkmk again
examples (TCP relays with socat; anyone who can reach the relay can reach the target, so combine them with a firewall rule or the range option below):
socat TCP-LISTEN:3389,fork TCP:192.168.2.15:3389 &
socat TCP-LISTEN:12000,fork TCP:192.168.2.15:6556 &
socat TCP-LISTEN:3389,fork TCP:192.168.2.135:3389
allow only a specific source to access the listening port:
socat tcp4-listen:4343,fork,su=nobody,range=10.100.100.10/32 TCP:localhost:4343
>> in the example above only 10.100.100.10 is allowed to connect to port 4343; su=nobody drops the root privileges once the socket is bound
problem:
JL075 and JL322A with OEM (third-party) transceivers on firmware 16.10.11 >> error message: "Unsupported Transceiver"
solution (configuration command):
allow-unsupported-transceiver
#stop mining, no restart
minestop && disallow
#start mining, always restart
minestart && allow
Problem: old FTP links on the NOXON website do not work
>> on http://www.my-noxon.net/ some links are not working and some links
lead to the TerraTec FTP server, which seems not to work (tested in December 2020).
Some links lead to https://www.terratec.de/page.php?page=/support/, which seems to be OK,
but where to find the NOXON software there? >> if you want to use the direct link, see the solution below
Solution: the new files seem to be here:
http://terratec.ultron.info/NOXON/
---------
problem: how to reboot a FRITZ!Box via script?
solution: by script
https://github.com/nicoh88/cron_fritzbox-reboot
version from 28 December 2017, tested successfully with a FRITZ!Box 6591 Cable (January 2020):
##################
# crontab entry
##################
#reboot fritz
50 4 * * 5 root /root/Scripts/cron_fritzbox-reboot.sh
##################
# Code from github
##################
#!/bin/bash
#######################################################
### Autor: Nico Hartung <nicohartung1@googlemail.com> #
#######################################################
# The script should work from FRITZ!OS 6.0 (2013) onwards, i.e. also for 6.8x and 6.9x
# This bash script uses the TR-064 protocol, not the WEBCM interface
# http://fritz.box:49000/tr64desc.xml
# https://wiki.fhem.de/wiki/FRITZBOX#TR-064
# https://avm.de/service/schnittstellen/
# Thanks to Dragonfly (https://homematic-forum.de/forum/viewtopic.php?t=27994)
###=========###
# Variables  #
###=========###
IPS="192.168.137.1
192.168.137.2
192.168.137.3"
FRITZUSER=""
FRITZPW="web-interface-password"   # stored in clear text: keep this script readable by root only (chmod 700)
###======###
# Script  #
###====###
location="/upnp/control/deviceconfig"
uri="urn:dslforum-org:service:DeviceConfig:1"
action='Reboot'
for IP in ${IPS}; do
curl -k -m 5 --anyauth -u "$FRITZUSER:$FRITZPW" http://$IP:49000$location -H 'Content-Type: text/xml; charset="utf-8"' -H "SoapAction:$uri#$action" -d "<?xml version='1.0' encoding='utf-8'?><s:Envelope s:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/' xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Body><u:$action xmlns:u='$uri'></u:$action></s:Body></s:Envelope>" -s > /dev/null
done
#!/bin/bash
###################################################################
#
# mountSMBgio.sh
#
# use gio mount to mount SMB shares in the user scope, and link
# the mounted path to a defined directory
#
# gio replaces the gvfs-mount tools and is used since Ubuntu 18.04 LTS.
# gio is also used in Linux Mint: https://linuxmint.com/
#
# GIO is the GLib input/output library (part of the GNOME platform)
#
# credentials need to be stored in the home directory in the file .smbcredentials
# (make it readable only by you: chmod 600 ~/.smbcredentials)
#
# format of file .smbcredentials (one item per line, read by gio from stdin):
# USER
# Active Directory domain / leave empty if there is no Active Directory
# PASSWORD
#
###################################################################
MOUNTDIR=~/mnt-photos
SMBSRV=storage1
SMBDIR=photos
# mount the share (gio reads user, domain and password from stdin)
gio mount "smb://$SMBSRV/$SMBDIR" < ~/.smbcredentials
# gvfs exposes the mount below /run/user/<uid>/gvfs/ (lower case). No backslashes
# before ':' and '=': inside double quotes bash keeps them literally, so an escaped
# path points to a directory that does not exist
DIR="/run/user/$UID/gvfs/smb-share:server=$SMBSRV,share=$SMBDIR"
#echo "$DIR"
# set the link to the mount point (-n: do not descend into an existing link, -f: replace it)
ln -sfn "$DIR" "$MOUNTDIR"
##helpful commands
#see gio mounts
#gio mount -l -i
nmap examples
- classic ping scan (ICMP echo): nmap -PE 192.168.178.*
- host discovery without a port scan: nmap -sn 192.168.178.0/24 (-sP is the old name of -sn; it is not a TCP scan)
(in the local subnet nmap uses ARP requests for discovery, which finds more systems than ICMP, because ARP cannot be filtered by a host firewall)
problem:
error message: cannot install on local hard drive
solution:
in a cmd window running as administrator run the following:
>> msiexec /i packagename.msi /q
#########################
# Huawei - Switches
#########################
!##### Enter System-View mode #####
system-view
!
!
!##### System Information #####
sysname "System-Name"
!
!
!###### OOBM ####
ip vpn-instance mgmt
description mgmt-vpn-instance
ipv4-family
quit
!
interface MEth0/0/0
ip binding vpn-instance mgmt
ip address 192.168.2.99 255.255.255.0
quit
!
ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.2.1
!
!##### User ####
aaa
!# security-enhance is the local-user security policy (password complexity, forced change of default passwords); disabling it is only acceptable in a lab
undo local-user policy security-enhance
local-user admin password irreversible-cipher my-password
local-user admin service-type ssh terminal
local-user admin level 3
stelnet server enable
ssh authentication-type default password
!
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
quit
!
user-interface console 0
authentication-mode aaa
quit
!
rsa local-key-pair create
!
!##### SNMP version 2 Configuration #####
!# SNMPv2c sends the community string in clear text; prefer SNMPv3 with authentication and privacy where the NMS supports it
snmp-agent
snmp-agent sys-info version v2c
snmp-agent sys-info location "Location"
snmp-agent sys-info contact my company
snmp-agent community read my-snmp-read
!# snmp-agent community write private
!
!
!##### Timezone & NTP Configuration #####
!# WARNING! Important for troubleshooting and correlating network incidents
undo ntp server disable
ntp unicast-server 192.168.2.1 vpn-instance mgmt
clock timezone CET add 01:00:00
clock daylight-saving-time CEST repeating 01:00 last Sun Mar 03:00 last Sun Oct 01:00
!
!
lldp enable
!
!
!##### Loop Protection #####
stp bpdu-protection
stp enable
stp root primary
!stp root secondary
interface range 25GE 1/0/1 to 25GE 1/0/47
stp edged-port enable
quit
interface range 25GE 2/0/1 to 25GE 2/0/47
stp edged-port enable
quit
!
!
!
!##### Exit System-View mode #####
commit
quit
save
ProLiant ML350 G6
ILO2: latest firmware (2021 - january): 2.33 from 03/20/2018
Integrated Lights-Out 2 supports Microsoft Internet Explorer version 7.0 or greater, Firefox version 1.9.1 or greater, and Mozilla version 1.6 or greater. Some functionality may not work and pages may not format correctly on other browser platforms. This browser platform reports it is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36"
>> for remote console use a windows xp machine ;-))
VMware support for this hardware
>> VMware ESXi 5.5 works and is supported (not 6.0 and above!)
- lynis, an auditing and rootkit scanner
apt-get install lynis > after that run the command: lynis audit system
- chkrootkit
apt-get install chkrootkit > run with: chkrootkit
- rkhunter - a Linux rootkit scanner
apt-get install rkhunter > run with: rkhunter -c (initialise its file-property database with rkhunter --propupd on a known-clean system first)
- clamav - open-source antivirus
apt-get install clamav > update the signatures with freshclam > clamscan -r -i <directory>
- zeroconf "standard"
- Wireshark mDNS filter: dns and udp.port eq 5353
- Windows commands (dns-sd.exe ships with Apple's Bonjour for Windows):
- dns-sd -B _airplay._tcp #browse for AirPlay devices in the local network (same VLAN)
- dns-sd -B _services._dns-sd._udp #list the service types announced in the local network (same VLAN)
- switching environment:
problem with different VLANs: the client cannot find the Apple TV
>> solution on the HPE switch: mdns gateway vlan 3,4,10
>> see also: https://www.youtube.com/watch?v=gMUnkp6Ao8o
HPE Switch Chromecast Gateway and Bonjour Gateway
Platforms: 2530, 2620, 2920, 3500, 3800, 3810, 5400, 5400R
- HPE switches have the Chromecast Gateway + Bonjour Gateway functionality since version KB.16.0.1.0004
>> Bonjour Gateway:
the mDNS gateway on the switch listens for Bonjour packets and forwards them to other subnets.
See also the HPE ArubaOS-Switch Multicast and Routing Guide of the switch
>> Chromecast Gateway:
Chromecast is Google's digital media player. It uses simple multicast (mDNS) for discovery,
so that other devices can find the Chromecast device.
The HPE switches support relaying this mDNS traffic between VLANs >>
See also the HPE ArubaOS-Switch Multicast and Routing Guide of the switch
find the category of an URL, for example: https://www.google.de
https://securityportal.watchguard.com/UrlCategory
Monitoring the Microsoft Exchange transport queues
---------------------------------------
-- Hint!! On the Windows side the perfmon counters (Windows performance registry, winperf) must be enabled, otherwise nothing is seen!
---------------------------------------
checkmk - windows agent version 1.6x
>> read the Microsoft Exchange MSExchangeTransport Queues counters as a checkmk service
>> - MSExchangeTransport Queues: msx_queues
#########################
# in file check_mk.user.yml
#########################
winperf:
enabled: yes
# changes only section name winperf_******
# prefix: winperf
# default value, increase for heavy loaded machine
# timeout: 10
# Select counters to extract. The following counters
# are needed by checks shipped with check_mk.
# Format:
# - id:name
# where id is OS counter and name is part of CHECK_MK Header
counters:
#- 638: tcp_conn
#- Terminal Services: ts_sessions
- MSExchangeTransport Queues: msx_queues
#########################
# Windows command line
#########################
check config:
C:\Program Files (x86)\checkmk\service>check_mk_agent.exe showconfig winperf
output:
# Environment Variables:
# MK_LOCALDIR="C:\ProgramData\checkmk\agent\local"
# MK_STATEDIR="C:\ProgramData\checkmk\agent\state"
# MK_PLUGINSDIR="C:\ProgramData\checkmk\agent\plugins"
# MK_TEMPDIR="C:\ProgramData\checkmk\agent\tmp"
# MK_LOGDIR="C:\ProgramData\checkmk\agent\log"
# MK_CONFDIR="C:\ProgramData\checkmk\agent\config"
# MK_SPOOLDIR="C:\ProgramData\checkmk\agent\spool"
# MK_INSTALLDIR="C:\ProgramData\checkmk\agent\install"
# MK_MSI_PATH="C:\ProgramData\checkmk\agent\update"
# Loaded Config Files:
# system: 'C:\Program Files (x86)\checkmk\service\check_mk.yml'
# bakery: 'C:\ProgramData\checkmk\agent\bakery'
# user : 'C:\ProgramData\checkmk\agent\check_mk.user.yml'
# winperf
enabled: yes
exe: agent
prefix: winperf
timeout: 10
counters:
- 234: phydisk
- 510: if
- MSExchangeTransport Queues: msx_queues
- 238: processor
reload config / checkmk agent:
C:\Program Files (x86)\checkmk\service>check_mk_agent.exe reload_config
Reloading configuration...
Asking for reload service
Asking for reload executable
Done.
in the checkmk agent output you should now see the section "winperf_msx_queues":
>> check with: telnet <ip-address> 6556 (the agent port)
<<<winperf_msx_queues>>>
1613038628.96 44486 10000000
6 instances: total_excluding_priority_none none_priority low_priority normal_priority high_priority _total
2 0 0 0 0 0 0 rawcount
4 0 0 0 0 0 0 rawcount
6 0 0 0 0 0 0 rawcount
8 0 0 0 0 0 0 rawcount
10 0 0 0 0 0 0 rawcount
12 0 0 0 0 0 0 rawcount
14 0 0 0 0 0 0 rawcount
16 0 0 0 0 0 0 rawcount
18 0 0 0 0 0 0 rawcount
20 0 0 0 0 0 0 rawcount
22 0 0 0 0 0 0 rawcount
24 0 0 0 0 0 0 rawcount
26 0 0 0 0 0 0 rawcount
28 0 0 0 0 0 0 rawcount
30 44132 0 22613 21519 0 44132 rawcount
32 44132 0 22613 21519 0 44132 counter
34 44132 0 22613 21519 0 44132 rawcount
36 44132 0 22613 21519 0 44132 counter
38 0 0 0 0 0 0 rawcount
40 0 0 0 0 0 0 rawcount
42 0 0 0 0 0 0 rawcount
44 0 0 0 0 0 0 rawcount
46 0 0 0 0 0 0 rawcount
48 0 0 0 0 0 43124 rawcount
50 0 0 0 0 0 43124 counter
52 0 0 0 0 0 43124 rawcount
54 0 0 0 0 0 43124 counter
56 0 0 0 0 0 0 rawcount
58 0 0 0 0 0 0 rawcount
60 0 0 0 0 0 0 rawcount
62 0 0 0 0 0 0 rawcount
64 0 0 0 0 0 0 counter
66 0 0 0 0 0 0 rawcount
68 0 0 0 0 0 0 rawcount
70 0 0 0 0 0 0 rawcount
72 0 0 0 0 0 38311 rawcount
74 0 0 0 0 0 38311 counter
76 0 0 0 0 0 67 rawcount
78 0 0 0 0 0 0 rawcount
80 0 0 0 0 0 0 rawcount
82 0 0 0 0 0 2 rawcount
84 0 0 0 0 0 1 rawcount
86 0 0 0 0 0 100 rawcount
88 0 0 0 0 0 0 rawcount
90 0 0 0 0 0 0 rawcount
92 0 0 0 0 0 0 rawcount
94 0 0 0 0 0 0 rawcount
96 0 0 0 0 0 0 rawcount
######################
# in checkmk there are 4 new services; default warning: 500, critical: 1000 (adjusted below)
######################
Queue Active Mailbox Delivery warning: 250 critical: 500
Queue Active Remote Delivery warning: 250 critical: 500
Queue Poison Queue Length warning: 1 critical: 10
Queue Retry Remote Delivery warning: 250 critical: 500
Eventlog Monitoring:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_event_log_configure.html
Group Policies
On your domain controller, you must configure group policies that require Windows clients to audit logon events.
Open the Group Policy Object Editor and edit the Default Domain Policy.
Make sure the Audit Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy) has the Audit account logon events and Audit logon events policies enabled.
Open a command prompt and run the command gpupdate /force /boot.
Motherboard Z390-A PRO (MS-7B98) MSI - trouble with more than 4 GPUs
--> with CPU Intel Pentium Gold G5400 + 4 GB RAM
Problem:
-----------------------------------------------------------
when the computer starts we get the following message and always have to enter the BIOS settings:
"!!!! PCI Resource ERROR !!!
PCI OUT of Resources Condition:
ERROR: Insufficient PCI Resources Detected!!!
System is running with Insufficient PCI Resources!
In order to display this message some
PCI devices were set to disabled state!
It is strongly recommended to Power Off the System
and remove some PCI/PCI Express cards from the system.
...... "
Solution:
-----------------------------------------------------------
with the following settings and the BIOS from January / February 2021, 6 graphics devices (GPUs) could be used successfully:
Settings/Advanced/PCIe/PCI Sub-system Settings
- PEG0 - Max Link Speed: Gen1
- PCI Latency Timer: 32 PCI Bus
- Above 4G memory/crypto Currency mining: Enabled
Settings/Advanced/Integrated Peripherals
- HD Audio Controller: Disabled
Settings/Advanced/Integrated Graphics Configuration
- Initiate Graphic Adapter: IGD
Settings/Advanced/Super IO Configuration
- Serial Port: Disabled
- Parallel Port: Disabled
Settings/Advanced/Power Management Setup
- Restore after AC Power Loss: Power On
Settings/Advanced/Windows OS Configuration:
- Windows 10 WHQL Support: UEFI
- FAST Boot: disabled
Settings/BOOT:
- POST Beep Enabled
- Boot mode select: UEFI
>>> The most important setting is enabling the integrated graphics adapter (Initiate Graphic Adapter: IGD);
after that the warning vanished and the system runs stable
- the dig command is usually available on linux systems
- dig stands for: domain information groper
##########################
# dig samples
##########################
- just A records: dig ibm.com
- see MX records: dig ibm.com mx
- see SOA records: dig ibm.com soa
- see TXT records: dig ibm.com txt (here you will probably find the SPF record)
- see the serial number of a zone as seen by google's dns server 8.8.8.8: dig @8.8.8.8 +noall +answer +multiline computer2know.de any
(the serial is part of the SOA record; if the resolver refuses "any" queries, ask for soa instead)
at the moment nothing - to copy paste ;-)
Device LLDP PVID mismatch
On an uplink from ArubaOS to Comware the PVID mismatch only occurs when no PVID is defined on the uplink port (Comware)
or no VLAN is carried untagged (ArubaOS). In this case Comware sets the PVID to "1" and ArubaOS to PVID "0" = PVID mismatch.
Possible solutions:
1. Carry one VLAN untagged on the uplink (ArubaOS) and define a PVID on the Comware side (e.g. the management VLAN).
2. Disable the outgoing LLDP PVID TLV per port on both sides (e.g. port 11)
ArubaOS-Switch
no lldp config 11 dot1TlvEnable port-vlan-id
Comware
int g1/0/11
undo lldp tlv-enable dot1-tlv port-vlan-id
Running configuration:
; hpStack_KB Configuration Editor; Created on release #KB.16.10.0007
; Ver #34:2f.6f.f8.3d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:40
stacking
member 1 type "JL075A" mac-address 133f58-7d3f21
member 1 priority 255
member 2 type "JL075A" mac-address 883a30-86a2180
exit
hostname "xyz-building1-3810"
console idle-timeout 1800
console idle-timeout serial-usb 1800
aruba-central disable
trunk 1/1,2/1 trk1 lacp
trunk 1/2,2/2 trk2 lacp
trunk 1/3,2/3 trk3 lacp
trunk 1/4,2/4 trk4 lacp
trunk 1/5,2/5 trk5 lacp
trunk 1/6,2/6 trk6 lacp
trunk 1/7,2/7 trk7 lacp
trunk 1/8,2/8 trk8 lacp
trunk 1/9,2/9 trk9 lacp
trunk 1/10,2/10 trk10 lacp
trunk 1/16,2/16 trk16 lacp
banner motd "WARNING: Unauthorized access prohibited, authorized access
only!\nThis system is the property of Company XY and managed by provider Z
GmbH\n\nDisconnect IMMEDIATELY if you are not an authorized user!\n\nContact
helpdesk@mycompany.de +44 0000 00001 for help\n"
logging 10.0.0.99
logging filter "mycompany" 1 "logged in from REST" deny
logging filter "mycompany" 2 "logged out from REST" deny
logging filter "mycompany" 3 "PVID mismatch on port" deny
logging filter "mycompany" default permit
logging filter "mycompany" enable
logging command
timesync sntp
sntp unicast
sntp server priority 1 10.0.0.1
time daylight-time-rule western-europe
time timezone 60
ip default-gateway 10.0.0.1
interface 1/1
name "uplink_1-1"
exit
interface 1/2
name "uplink_1-2"
exit
interface 1/3
name "uplink_1-3"
exit
interface 1/4
name "uplink_1-4"
exit
interface 1/5
name "uplink_1-5"
exit
interface 1/6
name "uplink_1-6"
exit
interface 1/7
name "uplink_1-7"
exit
interface 1/8
name "uplink_1-8"
exit
interface 1/9
name "uplink_1-9"
exit
interface 1/11
disable
exit
interface 1/12
disable
exit
interface 1/13
disable
exit
interface 1/14
disable
exit
interface 1/15
disable
exit
interface 1/16
name "uplink_core"
exit
interface 2/1
name "uplink_2-1"
exit
interface 2/2
name "uplink_2-2"
exit
interface 2/3
name "uplink_2-3"
exit
interface 2/4
name "uplink_2-4"
exit
interface 2/5
name "uplink_2-5"
exit
interface 2/6
name "uplink_2-6"
exit
interface 2/7
name "uplink_2-7"
exit
interface 2/8
name "uplink_2-8"
exit
interface 2/9
name "uplink_2-9"
exit
interface 2/11
disable
exit
interface 2/12
disable
exit
interface 2/13
disable
exit
interface 2/14
disable
exit
interface 2/15
disable
exit
interface 2/16
name "uplink_core"
exit
snmp-server community "xyzpub" operator
aaa accounting commands interim-update syslog
oobm
no ip address
ipv6 address dhcp full
member 1
no ip address
ipv6 address dhcp full
exit
member 2
no ip address
ipv6 address dhcp full
exit
exit
vlan 1
name "DEFAULT_VLAN"
no untagged Trk1-Trk10,Trk16
untagged 1/11-1/15,2/11-2/15
no ip address
ipv6 address dhcp full
exit
vlan 501
name "vlan-401"
tagged Trk1-Trk10,Trk16
no ip address
exit
vlan 504
name "vlan-504"
tagged Trk1-Trk10,Trk16
no ip address
exit
vlan 10
name "Mgmt"
tagged Trk1-Trk10,Trk16
ip address 10.0.0.20 255.255.255.0
exit
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree Trk4 priority 4
spanning-tree Trk5 priority 4
spanning-tree Trk6 priority 4
spanning-tree Trk7 priority 4
spanning-tree Trk8 priority 4
spanning-tree Trk9 priority 4
spanning-tree Trk10 priority 4
spanning-tree Trk16 priority 4
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
activate software-update disable
activate provision disable
password manager
password operator
Raspbian release upgrade (Jessie > Stretch) - see also:
https://www.elektronik-kompendium.de/sites/raspberry-pi/2204031.htm
-----------------
steps:
1) find out installed version:
cat /etc/issue
>>Raspbian GNU/Linux 8 \n \l
>> find out the names: https://en.wikipedia.org/wiki/Raspberry_Pi_OS
Debian 8 = Jessie
Debian 9 = Stretch
Debian 10 = Buster
>> we have Raspbian 8 >> let's upgrade to Raspbian 9
>> Jessie > Stretch
2) install latest packages:
sudo apt-get update
sudo apt-get dist-upgrade
3) package repositories (switch the codename to the new release)
/etc/apt/sources.list
>> deb http://mirrordirector.raspbian.org/raspbian/ stretch main contrib non-free rpi
(comment out the other lines!)
/etc/apt/sources.list.d/raspi.list
>> deb http://archive.raspberrypi.org/debian/ stretch main ui
(comment out the other lines!)
4) get new packages
sudo apt-get update
5) do the release upgrade
sudo apt-get upgrade
sudo apt-get dist-upgrade
6) clean up after upgrade
sudo apt-get autoremove
sudo apt-get autoclean
7) restart of the machine
sudo reboot
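Step 3) above is done by hand; the following is an added example (not part of the page's own instructions) that performs the same edit on an apt source list: the old codename is replaced on every active deb/deb-src line, and lines that point at a different release are commented out rather than deleted. The sources.list content embedded below is constructed; a real run would call upgrade_file() on /etc/apt/sources.list and the files in /etc/apt/sources.list.d/.

```python
"""Rewrite apt source lists for a release upgrade (added example, not from the page)."""
import re
import shutil
import time

# constructed input in the shape of a Raspbian 8 (jessie) sources.list
SAMPLE_SOURCES = """\
deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspbian.org/raspbian/ jessie main contrib non-free rpi
deb http://mirror.example.invalid/raspbian/ wheezy main
"""

# deb|deb-src [options] URI SUITE [components...]
APT_LINE = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(?P<suite>\S+)(\s.*)?$")


def rewrite_sources(text, old, new):
    """Return the rewritten file content as a string."""
    out = []
    for line in text.splitlines():
        m = APT_LINE.match(line)
        if not m:                      # comments and blank lines are kept as they are
            out.append(line)
            continue
        suite = m.group("suite")
        if suite == old or suite.startswith(old + "-"):   # jessie, jessie-updates, jessie-backports
            out.append(line[:m.start("suite")] + new + suite[len(old):] + line[m.end("suite"):])
        else:                          # another release: disable it rather than mixing releases
            out.append("# disabled before upgrade to %s: %s" % (new, line))
    return "\n".join(out) + "\n"


def upgrade_file(path, old, new):
    """Rewrite one apt source file in place, keeping a timestamped backup next to it."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    shutil.copy2(path, "%s.save.%s" % (path, time.strftime("%Y%m%d%H%M")))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rewrite_sources(text, old, new))


if __name__ == "__main__":
    print(rewrite_sources(SAMPLE_SOURCES, "jessie", "stretch"), end="")
```

Run the script once per file before step 4); the backup copy lets you restore the previous list if "apt-get update" reports an unreachable mirror.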
- see banned ssh ip's of fail2ban:
command: fail2ban-client status sshd
sample output:
Status for the jail: ssh
|- filter
| |- File list: /var/log/auth.log
| |- Currently failed: 0
| `- Total failed: 1434
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 169
#useful command to find out more about windows certificates
certutil
#see all options
certutil -?
#content of clients trusted root certification authority certificate
certutil -enterprise -viewstore Root
#see information about given *.cer or *.crl / certificate file
certutil <filename>
#see user certificate store >> this shows all user certificates
certutil -user -store my
adobe connect app trouble
https://arcps.adobeconnect.com/common/help/de/support/meeting_test.htm
https://helpx.adobe.com/adobe-connect/kb/configure-ports-1935-443-80.html
firewall rules (Adobe Connect uses TCP for RTMP on 1935 and for the RTMPS/HTTPS fallback on 443):
port 1935 tcp: intern -> *.adobeconnect.com allow
port 443 tcp: intern -> *.adobeconnect.com allow
ubuntu 20 uses netplan as default ip configuration utility
useful netplan commands:
- netplan get #shows the actual configuration
- /etc/netplan #in this configuration directory the netplan yaml file is located
- netplan try #test the new configuration
- netplan apply #apply the configuration
#a sample bash script to set some new parameters comes here:
changeIP.sh:
#!/bin/bash
# changeIP.sh - switch a netplan-managed Ubuntu 20.04 host from DHCP to a static address
set -euo pipefail
configfile="/etc/netplan/00-installer-config.yaml"

# the script writes to /etc/netplan, so it has to run as root
[ "$(id -u)" -eq 0 ] || { echo "please run as root"; exit 1; }

# make a backup of the current configuration
cp "$configfile" "$configfile.save.$(date +%Y%m%d%H%M)"

# detect the first non-loopback interface (ifconfig is not installed by default on
# Ubuntu 20.04 and its output carries a trailing colon, which breaks the YAML key)
nic=$(ip -o link show | awk -F': ' '$2 != "lo" {print $2; exit}')

# ask for the new network configuration
read -rp "Enter the static IP of the server (example 192.168.2.20/24): " staticip
read -rp "Enter the IP of your gateway: " gatewayip
read -rp "Enter the IP of your nameservers (separated by a comma if > 1): " nameserversip
echo

# write the new configuration: indentation is significant in YAML and the interface
# name needs a trailing colon; dhcp4 is written explicitly, so no sed replacement is needed
cat > "$configfile" <<EOF
network:
  version: 2
  ethernets:
    $nic:
      dhcp4: no
      addresses:
        - $staticip
      gateway4: $gatewayip
      nameservers:
        addresses: [$nameserversip]
EOF

# "netplan try" rolls the change back after 120 s unless it is confirmed,
# which protects you from locking yourself out of a remote host
netplan try
echo ">>> new settings are now activated"
echo
problem occurred on ubuntu 18.04.xx
>> connection not possible via:
mysql -u root -p -h 127.0.0.1 -P 3306
>> only connecting via console / unix socket is possible
(reason: on Ubuntu/Debian the MariaDB root account authenticates with the unix_socket plugin, so it only works for the local root shell user)
solution 1: create an extra database admin user for network access (preferred: root stays on the socket)
--------------------------------------
mysql -u root -p
#create user sqladmin
MariaDB [(none)]> CREATE USER 'sqladmin'@'localhost' IDENTIFIED BY 'your-password';
#grant all privileges to the user
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'sqladmin'@'localhost';
#make the changes take effect
MariaDB [(none)]> FLUSH PRIVILEGES;
>> note: ALL PRIVILEGES ON *.* makes this a full administrator; for an application account grant only the databases it needs
>> note: 'localhost' also matches TCP connections to 127.0.0.1 unless the server runs with skip_name_resolve; in that case create the user as 'sqladmin'@'127.0.0.1'
solution 2: enable password login for root (less secure: root becomes reachable over TCP)
--------------------------------------
use mysql;
update user set plugin='mysql_native_password' where user='root';
flush privileges;
exit;
>> check your password access afterwards!
maybe you need to set a new password:
MariaDB [(none)]> UPDATE mysql.user SET Password=PASSWORD('your-new-password') where user='root';
>> on MariaDB 10.4 and newer mysql.user is a view and this UPDATE fails; set the password with ALTER USER ... IDENTIFIED BY instead
#!/usr/bin/perl
######################################################################
# getMacAddress.pl
#
# see also:
# - https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/44800-mactoport44800.html
#
# version 2021-04-07
#
# example:
# getMacAddress.pl -ip=10.20.49.250 -type=hpe -community=mypub
# result:
# switch;10.20.49.250;vlan;VLAN27;mac;7c:5a:1c:11:3d:d8;ip;192.168.1.10
# switch;10.20.49.250;vlan;VLAN27;mac;7c:5a:1c:11:2f:3c;ip;192.168.1.11
# switch;10.20.49.250;vlan;VLAN27;mac;7c:5a:1c:11:3f:e0;ip;192.168.1.12
# switch;10.20.49.250;vlan;VLAN27;mac;7c:5a:1c:11:44:b8;ip;192.168.1.13
# switch;10.20.49.250;vlan;VLAN30;mac;94:40:c9:4a:31:1c;ip;192.168.1.14
# switch;10.20.49.250;vlan;VLAN30;mac;52:54:00:4e:cd:c4;ip;192.168.1.15
#
#
# (c) m.wendig
#
######################################################################
use Data::Dumper;
use strict;
use DBI;
my $num_args = $#ARGV;
if ($#ARGV == -1 ){
usage();
}
#my $ip="172.20.12.50";
my $ip='';
if ($ARGV[0]=~/-ip=(.*)$/){
$ip=$1;
}
print usage() if $ip eq '';
my $updatedb=0;
if (($ARGV[2]=~/-db/) || ($ARGV[3]=~/-db/)){
$updatedb=1;
}
my $type= "";
if ($ARGV[1]=~/-type=(.*)$/){
$type=$1;
}
if (($type eq 'hpe') || ($type eq 'cisco') || ($type eq 'watchguard')){
}else{usage();}
my $community = "public";
if ($ARGV[2]=~/-community=(.*)$/){
$community=$1;
}
my $dbname="mactable";
my $dbuser="root";
my $dbpwd="";
my $dbhost="localhost";
my $debug=0;
my $snmpwalk = '/usr/bin/snmpwalk';
my $line;
my @vlans=();
my $dbh;
if ($updatedb){
$dbh = DBI->connect("DBI:mysql:$dbname;host=$dbhost", "$dbuser", "$dbpwd") || die "Could not connect to database: $DBI::errstr";
}
#######################################
#1 retrieve vlan
#######################################
my $cmd ='';
if ($type eq "cisco"){
$cmd= "$snmpwalk -v 2c -c $community $ip .1.3.6.1.4.1.9.9.46.1.3.1.1.2";
open(IN, "$cmd |");
while(<IN>){
$line=$_;
chomp($line);
print "$line\n" if $debug;
#we expect someting like: SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.2.1.41 = INTEGER: 1
if ($line =~ /(\d*)\s\=/){
my $vlan = $1;
print "vlan=$vlan.\n" if $debug;
#print "$line\n";
#store [id,name] pairs like the hpe/watchguard branches: part 2 dereferences @$vlanelem, which dies under strict refs for a plain number
push @vlans,[$vlan,"VLAN$vlan"];
}
}
close(IN);
}
if ($type eq "hpe"){
#get all interfaces of ifType 53 (propVirtual), which HPE/Aruba switches use for VLAN interfaces
$cmd= "$snmpwalk -v 2c -c $community $ip iso.3.6.1.2.1.2.2.1.3";
print "$cmd\n" if $debug;
open(IN, "$cmd |");
while(<IN>){
$line=$_;
chomp($line);
print "$line\n" if $debug;
#we expect something like: iso.3.6.1.2.1.2.2.1.3.2249 = INTEGER: 53
if ($line =~ /(\d*)\s\=\sINTEGER: 53/){
my $vlan = $1;
print "vlan=$vlan.\n" if $debug;
$cmd= "$snmpwalk -v 2c -c $community $ip iso.3.6.1.2.1.2.2.1.2.$vlan";
open(IN2, "$cmd |");
my $vlanname='';
while(<IN2>){
my $line2=$_;
chomp($line2);
#we expect something like: iso.3.6.1.2.1.2.2.1.2.2249 = STRING: "VLAN1000"
if ($line2 =~ /STRING:\s\"(.*)\"$/){
$vlanname=$1;
}
print ">>$line2: vlanname=$vlanname\n" if $debug;
}
close(IN2);
#print "$line\n";
push @vlans,[$vlan,$vlanname];
}
}
close(IN);
}
if ($type eq "watchguard"){
#get all interfaces of ifType 6 (ethernetCsmacd); the WatchGuard reports its interfaces with this type, $vlan below holds the ifIndex
$cmd= "$snmpwalk -v 2c -c $community $ip iso.3.6.1.2.1.2.2.1.3";
print "$cmd\n" if $debug;
open(IN, "$cmd |");
while(<IN>){
$line=$_;
chomp($line);
print "$line\n" if $debug;
#we expect something like: iso.3.6.1.2.1.2.2.1.3.2249 = INTEGER: 6
if ($line =~ /(\d*)\s\=\sINTEGER: 6/){
my $vlan = $1;
print "vlan=$vlan.\n" if $debug;
$cmd= "$snmpwalk -v 2c -c $community $ip iso.3.6.1.2.1.2.2.1.2.$vlan";
open(IN2, "$cmd |");
my $vlanname='';
while(<IN2>){
my $line2=$_;
chomp($line2);
#we expect something like: iso.3.6.1.2.1.2.2.1.2.2249 = STRING: "VLAN1000"
if ($line2 =~ /STRING:\s\"(.*)\"$/){
$vlanname=$1;
}
print ">>$line2: vlanname=$vlanname\n" if $debug;
}
close(IN2);
#print "$line\n";
push @vlans,[$vlan,$vlanname];
}
}
close(IN);
}
#we should have a datastructure like the following now:
#$VAR46 = [
# '2249',
# 'VLAN1000'
# ];
#$VAR47 = [
# '3249',
# 'VLAN2000'
# ];
#print Dumper(@vlans);
####################################
#2 foreach vlan do something
####################################
if ($type eq "cisco"){
foreach my $vlanelem (@vlans){
my $vlan = @$vlanelem[0];
my $vlanname = @$vlanelem[1];
#print "check vlan $vlan.\n";
next if $vlan > 1000;
my $cmd = "$snmpwalk -v 2c -c $community\@$vlan $ip .1.3.6.1.2.1.17.4.3.1.1";
open(IN, "$cmd |");
while(<IN>){
$line=$_;
chomp($line);
print "$line\n" if $debug;
#we expect something like: SNMPv2-SMI::mib-2.17.4.3.1.1.254.175.11.155.132.164 = Hex-STRING: FE AF 0B 9B 84 A4
#note: dot1dTpFdbAddress is indexed by the MAC itself, so $macip holds the last four MAC octets in decimal, not an IP address;
#the ip column is only meaningful for hpe/watchguard, which walk the ARP table (ipNetToMediaPhysAddress)
if ($line =~ /\.(\d*\.\d*.\d*\.\d*) = Hex-STRING: (.*)$/){
my $macip = $1;
my $mac = $2;
$mac =~s/\s*$//g;
$mac =~s/\s/:/g;
$mac =lc($mac);
print "switch;$ip;vlan;$vlanname;mac;$mac;ip;$macip\n";
updateDatabase($ip,$vlanname,$mac,$macip)if $updatedb;
}
}
close(IN);
}
}
####################################
if (($type eq "hpe") || ($type eq "watchguard")) {
foreach my $vlanelem (@vlans){
my $vlan = @$vlanelem[0];
my $vlanname = @$vlanelem[1];
#print "check vlan $vlan.\n";
#next if $vlan > 1000;
my $cmd = "$snmpwalk -v 2c -c $community $ip .1.3.6.1.2.1.4.22.1.2.$vlan ";
open(IN, "$cmd |");
while(<IN>){
$line=$_;
chomp($line);
print "$line\n" if $debug;
#we expect something like: iso.3.6.1.2.1.4.22.1.2.2249.192.168.1.10 = Hex-STRING: 7C 5A 1C 11 3D D8 (the last four index components are the IP)
if ($line =~ /\.(\d*\.\d*.\d*\.\d*) = Hex-STRING: (.*)$/){
my $macip = $1;
my $mac = $2;
$mac =~s/\s*$//g;
$mac =~s/\s/:/g;
$mac =lc($mac);
print "switch;$ip;vlan;$vlanname;mac;$mac;ip;$macip\n";
updateDatabase($ip,$vlanname,$mac,$macip)if $updatedb;
}
}
close(IN);
}
}
if ($updatedb){
$dbh->disconnect();
}
########
# updateDatabase(switch,vlan,mac)
########
sub updateDatabase{
my ($switch,$vlan,$mac,$ip)=@_;
print "run db update for vlan $vlan and mac $mac and ip $ip.\n" if $debug;
#VLAN names and ARP entries come from the switch: treat them as untrusted input and
#bind them as placeholders instead of concatenating them into the SQL string
my $sth = $dbh->prepare('select id, count from macs where vlan = ? and mac = ? and ip = ?');
$sth->execute($vlan,$mac,$ip);
my $result =$sth->fetchrow_hashref();
if ($result){
#update: bump the counter; lastseen is refreshed by the ON UPDATE clause of the schema
my $count = $result->{count} + 1;
print "update id $result->{id} to count $count\n" if $debug;
$dbh->do('update macs set count=? where id=?', undef, $count, $result->{id});
}else{
#insert
$dbh->do('insert into macs (switch,vlan,mac,ip,count,firstseen) values (?,?,?,?,1,now())', undef, $switch,$vlan,$mac,$ip);
}
}
sub usage(){
print "usage:\n";
print "\n";
print "getMacAddress -ip=<IP-Address> -type=<hpe|cisco|watchguard> -community=<SNMP-community> <-db>\n";
print "\n";
print " -ip: IP Address of switch to query\n";
print " -type: supported type = hpe or cisco or watchguard\n";
print " -community: SNMP community if unspecified default is public\n";
print " -db: if specified update database\n";
print "\n";
exit(1);
}
#########################################
##### needed database schema
#########################################
=sqlschema
CREATE TABLE IF NOT EXISTS `macs` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`switch` char(50) NOT NULL,
`vlan` char(50) NOT NULL,
`mac` char(50) NOT NULL,
`ip` char(50) NOT NULL,
`count` int(11) NOT NULL DEFAULT '0',
`firstseen` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`lastseen` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
=cut
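The script above stores values that a switch hands back over SNMP (VLAN names, ARP entries) in a database; those strings are untrusted input and must never be concatenated into SQL. As an added example (not part of getMacAddress.pl or the page), here is the same two-step flow in Python: parse the snmpwalk output of the ipNetToMediaPhysAddress walk and upsert it with bound parameters. The snmpwalk lines below are constructed, sqlite3 stands in for the MariaDB backend, and the schema is a trimmed copy of the CREATE TABLE from the page.

```python
"""Parse snmpwalk ARP output and upsert it with bound parameters (added example)."""
import re
import sqlite3

# format produced by: snmpwalk -v 2c -c <community> <ip> .1.3.6.1.2.1.4.22.1.2.<ifIndex>
# (ipNetToMediaPhysAddress; the last four index components are the IP address)
SNMP_LINE = re.compile(
    r"\.(?P<ifindex>\d+)\.(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) = Hex-STRING: "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}\s?)+)$"
)

# constructed sample output, including one non-entry line that must be skipped
SAMPLE_WALK = """\
iso.3.6.1.2.1.4.22.1.2.2249.192.168.1.10 = Hex-STRING: 7C 5A 1C 11 3D D8
iso.3.6.1.2.1.4.22.1.2.2249.192.168.1.11 = Hex-STRING: 7C 5A 1C 11 2F 3C
iso.3.6.1.2.1.4.22.1.2.2250.192.168.1.14 = Hex-STRING: 94 40 C9 4A 31 1C
iso.3.6.1.2.1.4.22.1.2.2249 = No Such Instance currently exists at this OID
"""


def parse_walk(text):
    """Return (ifindex, ip, mac) tuples; MACs are normalised to lowercase colon form."""
    rows = []
    for line in text.splitlines():
        m = SNMP_LINE.search(line)
        if not m:
            continue  # 'No Such Instance', timeouts and other non-entries
        octets = m.group("mac").split()
        if len(octets) != 6:
            continue
        rows.append((int(m.group("ifindex")), m.group("ip"), ":".join(o.lower() for o in octets)))
    return rows


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE macs (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        switch TEXT NOT NULL, vlan TEXT NOT NULL, mac TEXT NOT NULL, ip TEXT NOT NULL,
        count INTEGER NOT NULL DEFAULT 0,
        firstseen TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
        lastseen TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)""")
    return db


def update_database(db, switch, vlan, mac, ip):
    """Upsert one (vlan, mac, ip) row; every value is bound, none is concatenated."""
    row = db.execute("SELECT id, count FROM macs WHERE vlan = ? AND mac = ? AND ip = ?",
                     (vlan, mac, ip)).fetchone()
    if row:
        db.execute("UPDATE macs SET count = ?, lastseen = CURRENT_TIMESTAMP WHERE id = ?",
                   (row[1] + 1, row[0]))
        return "update"
    db.execute("INSERT INTO macs (switch, vlan, mac, ip, count) VALUES (?, ?, ?, ?, 1)",
               (switch, vlan, mac, ip))
    return "insert"


def count_rows(db):
    return db.execute("SELECT COUNT(*) FROM macs").fetchone()[0]


def seen_count(db, vlan, mac, ip):
    row = db.execute("SELECT count FROM macs WHERE vlan = ? AND mac = ? AND ip = ?",
                     (vlan, mac, ip)).fetchone()
    return row[0] if row else 0


if __name__ == "__main__":
    db = open_db()
    vlan_names = {2249: "VLAN27", 2250: "VLAN30"}   # ifIndex -> ifDescr, as the Perl script resolves it
    for _ in range(2):  # two polling runs: the second one only bumps the counters
        for ifindex, ip, mac in parse_walk(SAMPLE_WALK):
            update_database(db, "10.20.49.250", vlan_names.get(ifindex, str(ifindex)), mac, ip)
    # a hostile VLAN name coming from the switch is stored verbatim instead of altering the query
    update_database(db, "10.20.49.250", "x' OR '1'='1", "00:11:22:33:44:55", "192.168.1.99")
    for r in db.execute("SELECT switch, vlan, mac, ip, count FROM macs"):
        print(";".join(str(v) for v in r))
```

The same change applies to the Perl script: pass the values to execute() or as extra arguments to do() instead of building the statement with string concatenation.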
libreoffice - make unix timestamp readable
sample timestamp=1499015644 >> written in cell B2:
to get human readable time use the following:
=B2/86400+25569 and format the cell as a date
>> now you should see the human readable date: 02.07.2017
explanation to formula:
- 86400 is the number of seconds of a day (60s * 60 * 24)
- 25569 is the number of days from 30.12.1899 until 01.01.1970 (unix timestamp)
> 30.12.1899 is day 0 of LibreOffice Calc's default date system; note that the result is UTC, the same as the timestamp
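As an added example (not from the page), the same arithmetic in Python, in both directions, which is handy when a timestamp from a log has to be checked against what a spreadsheet shows. The constants are derived from the dates rather than typed in, so the 25569 of the formula above is verified instead of assumed.

```python
"""Unix timestamp <-> LibreOffice Calc date serial (added example, not from the page)."""
from datetime import datetime, timedelta, timezone

CALC_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)   # day 0 of Calc's default date system
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
DAYS_TO_UNIX_EPOCH = (UNIX_EPOCH - CALC_EPOCH).days        # the 25569 used in the formula
SECONDS_PER_DAY = 86400


def unix_to_serial(ts):
    """Unix timestamp (seconds, UTC) -> Calc serial; the fractional part is the time of day."""
    return ts / SECONDS_PER_DAY + DAYS_TO_UNIX_EPOCH


def serial_to_unix(serial):
    """Calc serial -> Unix timestamp, rounded to whole seconds."""
    return round((serial - DAYS_TO_UNIX_EPOCH) * SECONDS_PER_DAY)


def serial_to_date(serial):
    """Render a serial the way a cell formatted as DD.MM.YYYY shows it (UTC, not local time)."""
    return (CALC_EPOCH + timedelta(days=serial)).strftime("%d.%m.%Y")


if __name__ == "__main__":
    ts = 1499015644                         # the sample timestamp from the page
    serial = unix_to_serial(ts)
    print(DAYS_TO_UNIX_EPOCH, serial, serial_to_date(serial), serial_to_unix(serial))
```

If the spreadsheet should show local time instead, add the UTC offset in days (for example +2/24 for CEST) to the serial; Calc itself applies no timezone.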
hostname korenix-4508-testswitch
vlan learning independent
!
vlan 1
!
vlan 99
name not-in-use
!
vlan 11
name vlan11
!
vlan 12
name vlan12
!
vlan 10
name management
!
interface fastethernet1
description vlan11
spanning-tree bpdufilter
switchport access vlan add 11
switchport trunk native vlan 11
!
interface fastethernet2
description vlan11
spanning-tree bpdufilter
switchport access vlan add 11
switchport trunk native vlan 11
!
interface fastethernet3
description vlan11
spanning-tree bpdufilter
switchport access vlan add 11
switchport trunk native vlan 11
!
interface fastethernet4
description not-in-use
spanning-tree bpdufilter
switchport access vlan add 99
switchport trunk native vlan 99
!
interface fastethernet5
description not-in-use
spanning-tree bpdufilter
switchport access vlan add 99
switchport trunk native vlan 99
!
interface fastethernet6
description not-in-use
spanning-tree bpdufilter
switchport access vlan add 99
switchport trunk native vlan 99
!
interface fastethernet7
acceptable frame type vlantaggedonly
description Uplink Trunk
switchport trunk allowed vlan add 10-12,99
!
interface fastethernet8
description management
switchport access vlan add 10
switchport trunk native vlan 10
!
interface lo
ip address 127.0.0.1/8
!
interface vlan1
shutdown
!
interface vlan10
ip address 10.20.30.250/24
no shutdown
!
ip route 0.0.0.0/0 10.20.30.254
!
log syslog local
log syslog remote 10.20.30.10
service http disable
service telnet disable
spanning-tree mst configuration
exit
clock timezone 27
clock set 0:0:0 1 1 2008
administrator admin my-secred-pwd
snmp-server community s4cpub ro
snmp-server host 10.20.30.10 version 2 s4cpub
snmp-server contact "my-contact"
snmp-server location Test-Location
warning-event coldstart
warning-event warmstart
warning-event authentication
warning-event linkdown fa1-8
warning-event linkup fa1-8
warning-event power 1
warning-event ring
warning-event fault-relay
dot1x radius server-ip 192.168.10.10 key radius-key 1812 1813
dot1x system-auth-control
dot1x authentic-method local
dot1x username admin passwd my-secred-pwd vlan 10
ntp peer enable
ntp peer primary 10.20.30.254
!
https://admin.microsoft.com/
select Show all > Settings > Domains
>> here you can see whether all settings, for example the MX record, are set correctly at your hosting provider, and more ...
-----
see also: https://docs.microsoft.com/de-de/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider?view=o365-worldwide
checkmk - windows netstat plugin: netstat_an.bat
1) on the windows system install checkmk agent > 1.6
2) enable the netstat plugin by copying netstat_an.bat
from source: c:\Program Files (x86)\checkmk\service\plugins
to destination: c:\ProgramData\checkmk\agent\plugins
3) now you should see netstat information in the plugin output
(test using: telnet <ip> 6556)
4) to see something in checkmk you need to enable a manual check!
Manual Checks:
>> Monitor specific TCP/UDP connections and listeners
- Checktype: win_netstat - Established TCP Connections or TCP/UDP Listeners
hints:
see also this discussion on checkmk forum: https://forum.checkmk.com/t/windows-netstat-howto/23563/3
apache - disable directory listings (mod_autoindex):
- a2dismod --force autoindex
- apachectl reload
hiveos - network interface kills the local network
problem: a rig with nvidia rtx 3080 cards kills the whole network from time to time, including the wlan
of the fritzbox (7490) - seen with hive os version: 5.4.80-hiveos · H 0.6-190 · N 465.24.02 (april 2021)
solution:
>> see also https://forum.hiveos.farm/t/asus-b250-asrock-h110-e1000e-nic-hangs-entire-network-solution/32708
>> steps to do
1.)use command: ethtool -i eth0
to see your driver
root@myrig:~# ethtool -i eth0
driver: e1000e
version: 3.8.4-NAPI
firmware-version: 0.2-4
>> if it's an intel driver continue, if not I don't know if it helps as well ;-)
2.) turn off tcp-segmentation-offload and also generic-segmentation-offload
> in file /etc/network/interfaces, add the following line:
post-up ethtool -K eth0 tso off gso off
2.1) reboot the system
3.) now check if the settings have applied, by using command:
ethtool -k eth0 |grep tcp-segmentation-offload
ethtool -k eth0 |grep tx-tcp-segmentation
ethtool -k eth0 |grep generic-segmentation-offload
>> all the parameters above should now be "off"
checkmk windows_tasks plugin
problem: because of windows security enhancements the plugin does not deliver values anymore
solution: call schtasks.exe from its full path in the plugin:
>> added:
- cd $env:systemroot
- cd system32
- $tasks = .\schtasks.exe /query /fo csv -v | ConvertFrom-Csv
instead of just running "$tasks = schtasks /query ...."
--- the workaround code with the enhancement is here below:
#
# Monitor Windows Tasks
#
cd $env:systemroot
cd system32
Write-Host "<<<windows_tasks:sep(58):encoding(cp437)>>>"
$lang = Get-UICulture | select -expand LCID
if ($lang -eq 1031){
$tasks = .\schtasks.exe /query /fo csv -v | ConvertFrom-Csv
detect the path mtu size on windows
- https://github.com/PowerShell/PowerShell/releases
- with powershell 7.1:
Test-Connection 8.8.8.8 -MtuSizeDetect
ubuntu LTS 20.04
check for bad hard drive (hdd) sectors (ext2/3/4 filesystem; unmount the device first):
#search for bad blocks (read-only test, non-destructive)
1) badblocks -v /dev/sdc > /tmp/sdc_badblocks.log
#tell the filesystem not to use the bad blocks anymore (-l is an e2fsck option; the file name must match step 1)
2) e2fsck -l /tmp/sdc_badblocks.log /dev/sdc
How to access the Raid controller menu when the system is booting?
1) wait for first messages and message "Press any key to view Option ROM messages"
>> press <space> here
2) wait until you see the raid controller initializing .. press then <F8>
(make sure <F8> works .. maybe use a screen keyboard !!)
Setup Windows Plotting machine
- installed standard chia client
- enter your security seed
- disable now upnp:
>> find chia.exe under
old path: c:\users\<username>\AppData\Local\chia-blockchain\app-1.1.1\resources\app.asar.unpacked\daemon\
new path: C:\ProgramData\<username>\chia-blockchain\app-1.1.5\resources\app.asar.unpacked\daemon\
>> chia.exe configure --enable-upnp false
>> restart the application to activate the change
-----------------
see also article > Farming on many machines > How to harvest on other machines that are not your main machine
>> this is more secure but more complex ;-)
- https://github.com/Chia-Network/chia-blockchain/wiki/Farming-on-many-machines
- the main thing here is: when creating plots on the other harvesters, use chia plots create -f farmer_key -p pool_key, inserting the farmer and pool keys from your main machine.
Alternatively, you could copy your private keys over by using chia keys add, but this is less secure (the harvester then holds the keys that can spend your funds). After creating a plot, run chia plots check to ensure everything is working correctly.
#!/usr/bin/perl
######################################################################
# changeMacinDB.pl
#
# get mac-addresses from database and change format from
# xx:xx:xx:xx:xx:xx >> to >> xxxxxxxxxxxx
#
# version 2021-05-18
#
# (c) computer2know
######################################################################
use Data::Dumper;
use strict;
use DBI;
my $dbname="mactable";
my $dbuser="root";
my $dbpwd="";
my $dbhost="localhost";
my $dbh;
$dbh = DBI->connect("DBI:mysql:$dbname;host=$dbhost", "$dbuser", "$dbpwd") || die "Could not connect to database: $DBI::errstr";
my $sth = $dbh->prepare('select id, mac from macs');
$sth->execute();
my ($id,$mac);
my $i=0;
my $j=0;
#bind the new value instead of concatenating it into the statement
my $upd = $dbh->prepare('update macs set mac=? where id=?');
while(($id,$mac) = $sth->fetchrow_array()){
$i++;
print "$id,$mac\n";
#only touch well-formed colon-separated MACs (hex pairs), anything else is left as it is
if ($mac=~/^([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2})$/i){
my $newmac = "$1$2$3$4$5$6";
print "new mac: $newmac\n";
$upd->execute($newmac,$id);
$j++;
}
}
print "Summary: Number of all macs = $i. Changed mac-addresses = $j\n";
#ubuntu 20.x - disable sleep / suspend / hibernate
systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
problem in syslog file:
May 28 10:06:57 myhostname multipathd[578]: sda: failed to get sgio uid: No such file or directory
May 28 10:07:02 myhostname multipathd[578]: sda: add missing path
May 28 10:07:02 myhostname multipathd[578]: sda: failed to get udev uid: Invalid argument
May 28 10:07:02 myhostname multipathd[578]: sda: failed to get sysfs uid: Invalid argument
May 28 10:07:02 myhostname multipathd[578]: sda: failed to get sgio uid: No such file or directory
May 28 10:07:07 myhostname multipathd[578]: sda: add missing path
May 28 10:07:07 myhostname multipathd[578]: sda: failed to get udev uid: Invalid argument
May 28 10:07:07 myhostname multipathd[578]: sda: failed to get sysfs uid: Invalid argument
May 28 10:07:07 myhostname multipathd[578]: sda: failed to get sgio uid: No such file or directory
>> this happens when the machine is a (VMware) virtual machine without real multipath storage ..
my solution:
blacklist the virtual disk in /etc/multipath.conf, so that the file looks like:
defaults {
user_friendly_names yes
}
blacklist {
device {
vendor "VMware"
product "Virtual disk"
}
}
>> after that restart the service: /etc/init.d/multipath-tools restart
- https://dashkiosk.readthedocs.io/en/latest/index.html (Dashkiosk is a solution to manage dashboards on multiple screens. )
ping <ip-address> rapid count 100
how to create a watchguard configuration report?
- Access Webfrontend on Firebox > https://<ip>:8080
- go to System -> Configuration File and select: Firebox Configuration Report
problem: the ubuntu 20 time service was not working since the firewall did not allow access to the default ntp servers
> solution: use the internal ntp server
- status: systemctl status systemd-timesyncd.service
- restart: systemctl restart systemd-timesyncd.service
- use defined ntp server:
- /etc/systemd/timesyncd.conf
- [Time]
NTP=name1,name2,name3
XCA - X Certificate and Key Management
nice tool to handle: ssl certificates / keys / x509
https://www.heise.de/download/product/xca-14273
(Tip from jochen)
problem:
--------------------------------------
command: cmk-update-config -v
shows errors
solution
---------------------------------------
in ....../etc/check_mk/conf.d/wato there are invalid characters (non-breaking spaces, UTF-8 bytes c2 a0); find them using:
grep -rP '\xc2\xa0' .
remove this character (both bytes, otherwise a stray 0xc2 byte is left behind):
>>> perl -pi -e 's/\xc2\xa0//g;' * (run inside ....../etc/check_mk/conf.d/wato)
check again: cmk-update-config -v
remove invalid mkp packages:
- to find them: mkp list
- remove them using mkp rm <package-name>
some other errors in rules.mk:
ERROR: Invalid regular expression in service condition detected: (Ruleset: ignored_services, Folder: , Rule nr: 3, Condition: Task.*\Optimiz.*, Exception: bad escape \O at position 6)
find the rule in the wato directory:
....../etc/check_mk/conf.d/wato$ grep -r "\\Optimiz" *
> \O is not a valid escape in a Python regular expression: replace the \\ with .* to get it fixed (a literal backslash would have to be escaped instead)
eset protect server / eset security management center / avoid a full filesystem
problem: the proxy cache directory (apache mod_cache) fills the filesystem
solution: clean the cache weekly via cron, limiting it to 5000M:
###############
# cleanup eset cache
################
55 0 * * 0 /usr/sbin/htcacheclean -d60 -t -i -p /var/cache/httpd/proxy -l 5000M >>/var/log/htcacheclean.log
5 23 1 * * gzip -f /var/log/htcacheclean.log >/dev/null 2>/dev/null
monitoring file system
#install checkmk agent
#open firewall
iptables -I INPUT -p tcp --dport 6556 -j ACCEPT
service iptables save
how to find out which policies are used on a watchguard?
1) configure Dimension Command (subscription / feature is necessary) and see the policy hit counter in WatchGuard Dimension
2) without Dimension Command, just use this command on the watchguard console (ssh <watchguard-ip> 4118):
show connection count by-policy
you should see a list something like this:
--
-- Connection Information
--
Policy Name Current Connections Total Connections Total Discards
FTP-noProxy.out 0 0 0
FTP-proxy.out 21 602 0
SSH.out 0 17 0
SMTP-proxy.in 0 6357 0
SMTP-proxy.out 0 0 0
HTTP.NoProxy.out 0 10936 0
## monitor files in a folder
- on checkmk agent >> change in configfile:
fileinfo:
enabled: yes
path:
- 'c:\*.*'
- restart client
- on checkmk:
- File Grouping Patterns, with the explicit host, a name of group "testgroup" and the path "C:\test" in Include "Pattern".
- Size, age and count of file groups (Manual check), with the explicit host and in "File Group Name" I wrote "testgroup".
echo | openssl s_client -servername www.computer2know.de -connect computer2know.de:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jul 4 21:02:34 2021 GMT
notAfter=Oct 2 21:02:33 2021 GMT
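The two date lines are what a monitoring check has to turn into a verdict. As an added example (not from the page), this Python code parses the output of "openssl x509 -noout -dates" exactly as printed above and returns a checkmk/Nagios-style state with the number of days left. The two date lines are copied from the output above; "now" is passed in so the check is deterministic and runs offline.

```python
"""Parse 'openssl x509 -noout -dates' output into an expiry verdict (added example)."""
from datetime import datetime, timezone

# the dates printed above, used as constructed input
SAMPLE_OUTPUT = """\
notBefore=Jul  4 21:02:34 2021 GMT
notAfter=Oct  2 21:02:33 2021 GMT
"""


def parse_openssl_dates(text):
    """Return {'notBefore': datetime, 'notAfter': datetime}, both UTC-aware."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with a space ("Jul  4"); split/join normalises it
            value = " ".join(value.split())
            parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    if len(dates) != 2:
        raise ValueError("unexpected openssl output: %r" % text)
    return dates


def _as_datetime(now):
    """Accept a datetime or an ISO 8601 string; naive values are taken as UTC."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return now


def cert_status(text, now, warn_days=30, crit_days=7):
    """Return (state, days_left): OK, WARNING or CRITICAL; days_left is negative once expired."""
    d = parse_openssl_dates(text)
    now = _as_datetime(now)
    if now < d["notBefore"]:
        return "CRITICAL", 0            # certificate is not valid yet (clock or deployment error)
    days_left = (d["notAfter"] - now).days   # floors to whole days
    if days_left < crit_days:
        return "CRITICAL", days_left
    if days_left < warn_days:
        return "WARNING", days_left
    return "OK", days_left


if __name__ == "__main__":
    print(cert_status(SAMPLE_OUTPUT, datetime.now(timezone.utc)))
```

In a real check, feed the output of the openssl pipeline above to cert_status() and pass datetime.now(timezone.utc); the 90-day lifetime visible in the sample dates (Let's Encrypt style) is why a 30-day warning threshold is a sensible default.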
let's have the scenario:
- domain controller is in trusted network
- a domain member is in the DMZ, for example a Remote Desktop farm, and the users are authenticated through the domain
->> you need to open a lot of ports to get things running
>> see also document at microsoft page: Service overview and network port requirements for Windows
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements
my sample firewall rules look like this:
rds / windows server > to domain controller
53 udp dns
88 tcp kerberos
123 udp ntp
135 tcp rpc endpoint mapper (location services)
389 tcp ldap unsecure
445 tcp smb
636 tcp ldap secure
3268 tcp ldap gc
3269 tcp ldap secure gc
49152-65535 tcp rpc dynamic port range (upper port range)
note: the Microsoft document linked above lists further ports (e.g. 389 udp for the DC locator, 464 for Kerberos password changes); check it against what your environment actually uses
Ubuntu 20.04.2 LTS >> set timezone
to New York:
sudo timedatectl set-timezone America/New_York
to Berlin:
sudo timedatectl set-timezone Europe/Berlin
Debian GNU/Linux 10 - antivirus clamav error message Could not resolve host: clamav.securiteinfo.com
error message:
curl: (6) Could not resolve host: clamav.securiteinfo.com
solution:
>> directory /usr/share/clamav-unofficial-sigs/conf.d/
>> file: 00-clamav-unofficial-sigs.conf
>> in the SecuriteInfo section of this file, comment out the line securiteinfo.hdb:
# ========================
# SecuriteInfo Database(s)
# ========================
# Add or remove database file names between quote marks as needed. To
# disable any SecuriteInfo database downloads, remove the appropriate
# lines below. To disable all SecuriteInfo database file downloads,
# comment all of the following lines.
si_dbs="
honeynet.hdb
# securiteinfo.hdb
securiteinfobat.hdb
securiteinfodos.hdb
securiteinfoelf.hdb
securiteinfohtml.hdb
securiteinfooffice.hdb
securiteinfopdf.hdb
securiteinfosh.hdb
"
>> with securiteinfo.hdb commented out as above, run the update again: /usr/sbin/clamav-unofficial-sigs
Problem: Aruba Access Point - no SSID seen, since the AP is in restricted mode when powered by a poe injector
--> poe injector specification: IEEE 802.3at (PoE+) and 802.3af (PoE)
>>> but the access point is in restricted (reduced power) mode
>>> problem occurred with model 515
Solution:
>> ssh to aruba virtual controller console
- configure
ipm
enable
>> after ipm was enabled, the SSID are seen in the environment!!
send a test email to:
https://www.mail-tester.com/
>> the result will show you what you can improve for your domain
---
if you need to set an SPF entry:
publish the SPF entry as a DNS TXT record and list the IP of your mail server as an allowed sender:
example:
TXT v=spf1 a mx ip4:<<your-mail-server-ip-address>> ~all
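As an added example (not from the original notes), a small Python checker for such a TXT record: it parses the mechanisms, tells you what result a given sender IP would get from the ip4/ip6 terms and the final "all", and flags the usual mistakes (+all, a missing all, terms after all, too many DNS-lookup terms). The record and the 203.0.113.x addresses are constructed sample data; a and mx mechanisms need DNS, so this offline helper treats them as non-matching, which is a deliberate simplification.

```python
import ipaddress

# Constructed sample record (not from the page); 203.0.113.0/24 is a
# documentation range standing in for the mail server's real address.
SAMPLE_SPF = "v=spf1 a mx ip4:203.0.113.10 ip4:203.0.113.0/28 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, e.g. redirect=example.org
            name, _, arg = term.partition("=")
        else:                                # mechanism, e.g. ip4:203.0.113.10
            name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()    # drop a CIDR suffix such as a/24
        parsed.append((qualifier, name, arg))
    return parsed


def spf_ip_result(record, sender_ip):
    """Result for sender_ip using only ip4/ip6 mechanisms and the 'all' term.

    a, mx and include need DNS lookups, which this offline helper does not
    perform, so they never match here (simplification, see lead-in).
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"          # nothing matched and no 'all' term present


def spf_lint(record):
    """Return findings a mail admin would want to fix before publishing."""
    findings = []
    parsed = parse_spf(record)
    all_terms = [(q, n) for q, n, _ in parsed if n == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get 'neutral'")
    elif all_terms[0][0] == "+":
        findings.append("+all authorises every host on the internet")
    elif parsed[-1][1] != "all":
        findings.append("terms after 'all' are never evaluated")
    lookups = sum(1 for _, n, _ in parsed if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms, RFC 7208 allows 10")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.3", "198.51.100.7"):
        print(ip, "->", spf_ip_result(SAMPLE_SPF, ip))
    print("lint:", spf_lint("v=spf1 +all"))
```

The ~all in the sample means an unlisted sender is only soft-failed; once you are sure every legitimate sender is listed, -all is the stricter choice.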
#mirror commands
mirror 1 port 1/35
interface 2/22 monitor all both mirror 1
show monitor
Aruba CX Switch
for example 6100 series
commandline interface
- usb-c console port (usb-a to usb-c cable needed)
- usb console driver needed > get it from https://asp.arubanetworks.com > Software > search for "usb console driver"
- get com port number from device manager
- serial settings: speed = 115200
- initial username = admin, password is blank
- show running
- ntp server is enabled by default
some configurations
- vlan 1 static ip:
config
int vlan 1
description vlan-1
ip address 192.168.1.10/24
no shut
- interface config
int 1/1/1
description interface-1
vlan access 1
no shutdown
end
write memory
- some vlan
config
vlan 12
description vlan12
voice
exit
vlan 13
description vlan13
exit
interface 1/1/10-1/1/11
vlan trunk native 12
vlan trunk allowed 13,1
- show vlan port 1/1/10
- sh version #see firmware
- get firmware from https://asp.arubanetworks.com, search for the switch model > download the latest firmware
- terminal monitor #live log (only available in ssh session)
#########################
# useful commands:
#########################
disp mac-authentication
disp connection #display online user information
term monitor + terminal debug + debug radius #debug radius
disp mac-authentication interface GigabitEthernet 1/0/1
disp mac-authentication connection int gigabitEthernet 1/0/1
terminal monitor
terminal debugging
debugging radius all
#########################
# base settings
#########################
mac-authentication
mac-authentication timer offline-detect 28800
mac-authentication domain mynac-mac
radius scheme mynac
primary authentication 192.168.2.99
key authentication cipher $asdfkljasdlfkjasdklfjasdf==
user-name-format without-domain
nas-ip 192.168.2.199
domain mynac-mac
authentication lan-access radius-scheme mynac
authorization lan-access radius-scheme mynac
#per port
interface GigabitEthernet1/0/1
mac-authentication
mac-authentication max-user 2
mac-authentication re-authenticate server-unreachable keep-online
#remove port from mac authentication
interface GigabitEthernet1/0/1
undo mac-authentication
#remove a port range from mac authentication
interface range GigabitEthernet 2/0/1 to GigabitEthernet 2/0/48
undo mac-authentication
problem with cygwin and ssh connection:
$ ssh -oKexAlgorithms=+diffie-hellman-group14-sh1 admin@10.0.0.1
Unsupported KEX algorithm "diffie-hellman-group14-sh1"
command-line line 0: Bad SSH2 KexAlgorithms '+diffie-hellman-group14-sh1'.
>>> you get the error message "Bad SSH2 KexAlgorithms" because the algorithm name is misspelled: it is diffie-hellman-group14-sha1, not -sh1
solution(s):
---------------
1) temporary solution (for a single connection):
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 admin@10.0.0.1
2) permanent solution
in the user home directory:
$ cat .ssh/config
KexAlgorithms=+diffie-hellman-group14-sha1
(this enables the SHA-1 based group14 exchange for every host; newer OpenSSH disables it by default, so prefer to put the line under a Host entry for the one device that needs it)
<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="0; url=/edit/public/">
<title>Page Redirection</title>
</head>
<body>
you should get redirected to: <a href='/edit/public/'>link</a>.
</body>
</html>
unknown port tcp 4190 on linux?
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN
using netstat:
netstat -natop |grep 4190
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN 274/dovecot aus (0.00/0/0)
>> this belongs to dovecot > it is the ManageSieve port (remote management of sieve filter scripts), which we don't need here!
to remove it > just uninstall the managesieve package:
apt-get purge dovecot-managesieved
or bind tcp 4190 to localhost only
see also: https://blog.tausys.de/2015/06/17/dovecot-offenen-externen-port-managesieve-entfernen/
error: when trying to open the "public" site:
"Whoops! We seem to have hit a snag. Please try again later..."
>> to see more details: in app/Config/Boot/production.php set ini_set('display_errors', '1'); (set it back to '0' once the cause is found, because a production site should not show error details to visitors)
in my case I then got the following error when opening the "public" site again:
"The framework needs the following extension(s) installed and loaded: intl. "
>> solution: apt-get install php-intl && /etc/init.d/apache2 restart
problem: a replaced toner has not really been recognized, the replacement message is still shown on the printer
solution: do a manual toner reset on the printer
steps:
- turn on printer
- open front door
- press menu button for a longer time period, until you see the "reset menu" in the display
- choose "TNR-HC"
- confirm the "reset" message by pressing "yes"
>> now everything should be okay
#important is the "enable" setting ;-))
device-profile name "default-ap-profile"
cos 0
exit
device-profile name "aruba"
untagged-vlan 30
tagged-vlan 31-32
exit
device-profile type "aruba-ap"
associate "aruba"
enable
exit
>> how to disable profile on a single port?
>> disable lldp! for example on port 1
lldp admin-status 1 disable
if you use wireshark to check this error you see a tftp timeout and you think there is a "network problem"
>> this was not the case in my case. The problem was an audio problem.
After I reset the audio settings to default and rebooted the machine, the problem was gone.
> there is a tool called "collect data" that comes with the softphone client software. You can use this tool to analyse the error: just press the Windows button and enter "collect data" to find and start the tool!
Note
When possible use modifications that can be removed so the device can be returned for service in the same condition that it was provided as at time of purchase.
Otherwise it is likely the warranty would be void.
If a customer makes a decision that it is acceptable to void the warranty and chooses to paint the device anyway, here are some guidelines when painting RF (Access Point) devices.
Tip
Use a paint that has no conductive properties (i.e. metal colored flakes etc.)
Here are some paints that were tested that displayed good RF characteristics.
Brand       Product Line   Color               Spray Can Part Number   Gallons Part Number
Rust-Oleum  Professional   Gray Primer         7582                    7769 (Aluminum Primer)
Rust-Oleum  Professional   Light Machine Gray  7581                    7781
Rust-Oleum  Professional   Dark Machine Gray   7587                    7786 (Smoke Gray)
Rust-Oleum  Professional   Hunter Green        7538                    7738
Rust-Oleum  Professional   Dark Brown          7548                    7748
Rust-Oleum  Professional   Gloss Black         7579                    7779
Rust-Oleum brand can be found at https://www.rustoleum.com/product-catalog/consumer-brands/rocksolid
Figure 5. When painting do not get paint into any of the connectors (tape them properly)
links: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-4/b_painting_of_access_points.html
Yealink T48S
- reset the phone: press and hold the X key
- load factory settings: press and hold "OK"
- *66 = echo test .. speak into the phone > the phone plays it back
- when you open the Yealink web interface…
user is always: admin
if it is not yet provisioned: admin
otherwise: xyz?
- in case of registration problems:
the best option is to enter the provisioning server directly in the phone:
Settings -> Auto Provision -> Server URL:
- restart via the web frontend:
Settings > Reboot -> restart
default user / pwd: admin/admin
placetel info: https://www.placetel.de/hilfe/telefonanlage/cisco-spa
sample queries v3:
- noAuthNoPriv
snmpwalk -v 3 -l noAuthNoPriv -u <username> <ip-address>
- authPriv
snmpwalk -v 3 -l authPriv -u <username> -a (MD5|SHA) -A <PASSPHRASE> -x (DES|AES) -X <PASSPHRASE> <ip-address>
- authNoPriv
snmpwalk -v 3 -l authNoPriv -u <username> -a (MD5|SHA) -A <PASSPHRASE> <ip-address>
----------------------------------------------------
snmp good 2 know
# Base OID is the
# {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1)}
BASEOID=.1.3.6.1.4.1
# {LENOVO(19046) lenovoServerMibs(11)}
XCCOID=$BASEOID.19046.11.1
Aruba Instant version 8.5.0.1 now supports multiple PSKs (MPSK) for the same SSID. This means that each client
connected to the PSK based SSID will have its own unique PSK that is not shared with the rest of the clients. This feature
requires Aruba ClearPass 6.8.x to be the authentication server.
https://community.arubanetworks.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=1bb73a74-0ea1-4111-b5cb-ebed597e91b5
Cisco Router 4300 series
Model ISR4331
- Try default settings: username/password of "Cisco/Cisco".
reset router to default settings:
https://dcloud-cms.cisco.com/help/reset-router#router-reset-using-commands
1) reset button
>> press and hold button while power on > after 10 seconds release
2) from commandline
>> logon to console
>> enter enable mode: enable
>> command: write erase
>> command: reload
#!/usr/bin/perl
###############################################################################
#
# checkWatchguardVPNTunnel.pl
#
# reads out watchguard snmp ipsec table and check if tunnel to specified subnet exists
#
# OMD[romina]:~/local/bin$ snmpwalk -v 2c -c rompub 10.163.10.1 .1.3.6.1.4.1.3097.6.5.1.2.1.20
# SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.0 = IpAddress: 192.168.104.0
# SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.1 = IpAddress: 172.22.0.0
# SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.2 = IpAddress: 172.22.0.0
# SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.3 = IpAddress: 172.16.0.0
# SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.4 = IpAddress: 172.16.0.0
# SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.5 = IpAddress: 172.16.0.0
# SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.6 = IpAddress: 172.16.0.0
#
# usage:
# ./checkWatchguardVPNTunnel.pl <hostname> <community> <vpn-tunnel-ip> <display-name>
#
# example:
# ./checkWatchguardVPNTunnel.pl 10.0.0.1 public 172.99.0.0 vpnname
#
# output:
# 0 VPNTunnel-vpnname-172.99.0.0 - Tunnels found for IP 172.99.0.0 = 2.
#
# version 2021-09-23, mw
#
###############################################################################
use strict;
use warnings;
my $watchguard=$ARGV[0] // '';
my $community=$ARGV[1] // '';
my $searchForIP=$ARGV[2] // '';
my $name=$ARGV[3] // '';
my $debug=0; #1=on
if (($watchguard eq '') || ($community eq '') || ($searchForIP eq '') || ($name eq '') ){
print "usage: checkWatchguardVPNTunnel.pl <hostname> <community> <vpn-tunnel-ip> <display-name> \n";
print "\n";
exit 1;
}
my $found=0;
# walk the ipsec table; the remote network address is at the end of each line
open(my $in, "snmpwalk -v 2c -c $community $watchguard 1.3.6.1.4.1.3097.6.5.1.2.1.20 2>/dev/null |");
while(my $line = <$in>){
chomp($line);
print "$line\n" if $debug;
# \Q...\E quotes the dots of the IP, and the "IpAddress: " prefix forces a whole-value match
if ($line =~ /IpAddress: \Q$searchForIP\E$/){
print "found!!\n" if $debug;
$found++;
}
}
close($in);
print "<<<check_mk>>>\n";
print "Version:v2021-03-23\n";
print "<<<local>>>\n";
if ($found == 0){
print "1 VPNTunnel-$name-$searchForIP - No tunnels found for IP $searchForIP\n";
exit(0);
#exit(1);
}
print "0 VPNTunnel-$name-$searchForIP - Tunnels found for IP $searchForIP = $found.\n";
exit(0);
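The same check as an added Python example (not the page's Perl script): it parses the snmpwalk lines quoted in the script header above, counts the tunnels whose remote network equals the requested address exactly, and renders the checkmk local-check line. The snmpwalk output is the page's own sample; running snmpwalk itself is left out so the logic can be tested offline.

```python
import re

# Sample snmpwalk output as shown in the script header above (the page's own
# example values); in production these lines come from snmpwalk against the
# firewall's ipsec table OID.
SNMPWALK_OUTPUT = """\
SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.0 = IpAddress: 192.168.104.0
SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.1 = IpAddress: 172.22.0.0
SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.2 = IpAddress: 172.22.0.0
SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.3 = IpAddress: 172.16.0.0
SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.4 = IpAddress: 172.16.0.0
SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.5 = IpAddress: 172.16.0.0
SNMPv2-SMI::enterprises.3097.6.5.1.2.1.20.6 = IpAddress: 172.16.0.0
"""

# "<oid>.<index> = IpAddress: <dotted quad>"
LINE_RE = re.compile(r"^\S+\.(\d+) = IpAddress: (\d+\.\d+\.\d+\.\d+)\s*$")


def parse_ipsec_table(text):
    """Map table index -> remote network address, skipping lines that don't fit."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def count_tunnels(text, network):
    """Count tunnels whose remote network equals `network` exactly.

    Comparing whole values avoids the substring trap of an unanchored
    pattern, where e.g. '2.16.0.0' would also hit the 172.16.0.0 entries.
    """
    return sum(1 for addr in parse_ipsec_table(text).values() if addr == network)


def local_check_line(name, network, count):
    """Render a checkmk local-check line: '<state> <service> - <text>'."""
    service = f"VPNTunnel-{name}-{network}"
    if count == 0:
        return f"1 {service} - No tunnels found for IP {network}"
    return f"0 {service} - Tunnels found for IP {network} = {count}."


if __name__ == "__main__":
    for net in ("172.16.0.0", "172.22.0.0", "10.0.0.0"):
        print(local_check_line("vpnname", net, count_tunnels(SNMPWALK_OUTPUT, net)))
```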
>> under section plugins, set enabled to yes and define the pattern to match "veeam_backup_status.ps1". Don't forget to set async to yes and the cache age to for example 3600, to execute the script only once an hour.
-------------
file ... check_mk.user.yml :
# $CUSTOM_PLUGINS_PATH$ -> is ProgramData/checkmk/agent/plugins
# $BUILTIN_PLUGINS_PATH$ -> is Program Files(x86)/checkmk/service/plugins
plugins:
  enabled: yes
  execution:
    - pattern: $CUSTOM_PLUGINS_PATH$\veeam_backup_status.ps1
      async: yes
      timeout: 120
      cache_age: 300
      retry_count: 2
  # enabled: yes
  # max_wait: 60 # max timeout for every sync plugin. Agent will gather plugins data no more than max_wait time.
  # this is useful to terminate badly written or hanging plugins
  # async_start: yes # start plugins asynchronous, this is default
  # folders are scanned left -> right, order is important
  # all files from folders are gathered and verified, duplicated files will be removed
  # folders: ['$CUSTOM_PLUGINS_PATH$', '$BUILTIN_PLUGINS_PATH$' ] # ProgramData/checkmk/agent/plugins & Program Files x86/checkmk/service/plugins
  _execution:
    # *********************************************************************************************
    # PATTERNS:
    # patterns 1. Absolute path: 'c:\Windows\*.exe' or '$CUSTOM_PLUGINS_PATH$\win_license.bat'
    #          2. Only Filename: 'mk_*.exe' or win_license.bat
    # IMPORTANT: if you use relative path, then Agent takes only filename
    #            'win_license.bat' and 'include\win_license.bat' are the same
    #
    # PRIORITY:
    # Most important is top-most pattern:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
useful hint!!
make sure that the yaml file check_mk.user.yml is still valid after changing something within the file!
>> test it with a validator
>> https://www.computer2know.de/yaml-file-syntax-validator:::625.html
to test whether the cache settings in the checkmk config file were set correctly, check the output of the checkmk agent (telnet <ip> 6555),
and look for the <<<veeam_.... >>> line >> the line should contain "cached" information, like the sample below:
<<<veeam_tapejobs:sep(124):cached(1643120016,7200)>>>
JobName|JobID|LastResult|LastState
Backup-to-Tape-weekly|a969d385-f322-4c48-83d1-0343257fdf3341|Success|Stopped
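An added Python example (not part of the original notes) that parses such agent output: it reads the section header, extracts the sep() separator and the cached(<created>,<max age>) pair, splits the rows with that separator, and tells you whether the cached data is still within its max age. The sample output is the three lines quoted above.

```python
import re
import time

# Sample agent output, taken from the lines quoted above (section header plus
# two rows); a real agent prints many sections in one stream.
SAMPLE_AGENT_OUTPUT = """\
<<<veeam_tapejobs:sep(124):cached(1643120016,7200)>>>
JobName|JobID|LastResult|LastState
Backup-to-Tape-weekly|a969d385-f322-4c48-83d1-0343257fdf3341|Success|Stopped
"""

# <<<name>>> or <<<name:opt(..):opt(..)>>>
HEADER_RE = re.compile(r"^<<<([^:>]+)((?::[^>]*)?)>>>$")


def parse_section_header(line):
    """Return {'name', 'sep', 'cached'} for a section header line, else None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    info = {"name": m.group(1), "sep": None, "cached": None}
    for opt in m.group(2).split(":")[1:]:
        if opt.startswith("sep("):
            info["sep"] = chr(int(opt[4:-1]))            # sep(124) -> '|'
        elif opt.startswith("cached("):
            created, max_age = opt[7:-1].split(",")      # cached(ts,age)
            info["cached"] = (int(created), int(max_age))
    return info


def parse_agent_output(text):
    """Split agent output into sections: name -> {'header': ..., 'rows': [...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        header = parse_section_header(line)
        if header:
            current = {"header": header, "rows": []}
            sections[header["name"]] = current
        elif current is not None and line.strip():
            sep = current["header"]["sep"]
            # no sep() option means whitespace-separated columns
            current["rows"].append(line.split(sep) if sep else line.split())
    return sections


def cache_state(header, now=None):
    """'live' for uncached sections, else 'fresh' or 'stale' relative to now."""
    if header["cached"] is None:
        return "live"
    created, max_age = header["cached"]
    now = time.time() if now is None else now
    return "fresh" if now - created <= max_age else "stale"


if __name__ == "__main__":
    for name, section in parse_agent_output(SAMPLE_AGENT_OUTPUT).items():
        print(name, cache_state(section["header"]), section["rows"][1:])
```

A "stale" result with a long-expired timestamp usually means the async plugin is no longer being run at all, not just that the cache is old.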
#!/usr/bin/perl
###############################################################################
#
# checkWebdavDirectory.pl
# check webdav as checkmk local check
#
# need to be executed in directory: /usr/lib/check_mk_agent/local
#
###############################################################################
use strict;
my $critical=95;
my $warning=90;
#get data using df -k: df -k |grep directory
#https://myurl/webdav1 3 100000 55000 45000 45% /mnt/webdav1directoryname
my $usage=-1;
open(my $in, "df -k | grep webdav1directoryname |");
while(my $line=<$in>){
chomp($line);
# print "$line\n";
# pick the "45%" column
if ($line =~ /\s(\d+)%\s/){
$usage=$1;
}
}
close($in);
# no matching mount line: report UNKNOWN instead of a false OK with usage=-1
if ($usage < 0 ){
print "3 webdav-directory1 - Unknown! Directory webdav1directoryname not found in df output\n";
exit 0;
}
if ($usage > $critical ){
print "2 webdav-directory1 usage=$usage Critical! The usage is $usage\n";
exit 0;
}
if ($usage > $warning ){
print "1 webdav-directory1 usage=$usage Warning! The usage is $usage\n";
exit 0;
}
print "0 webdav-directory1 usage=$usage Ok. The usage is $usage\n";
problem: ubuntu 14.04.6 > certbot gets an error when connecting >> ssl error (this happened after letsencrypt itself renewed its ssl root certificates)
openssl s_client -servername acme-staging-v02.api.letsencrypt.org -connect acme-staging-v02.api.letsencrypt.org:443
verify error:num=20:unable to get local issuer certificate
#get the root + intermediate certificate via web browser and store them as crt files > copy them to the linux machine
root@LaboProdApp01:/usr/local/share/ca-certificates# ls
letsencrypt-inter-r3.crt letsencrypt-isrg-root-x1.crt
#run command
update-ca-certificates
Running hooks in /etc/ca-certificates/update.d....
Adding debian:letsencrypt-inter-r3.pem
Adding debian:letsencrypt-isrg-root-x1.pem
>>> this creates one "big" /etc/ssl/certs/ca-certificates.crt file that is used by the openssl tools
checkmk - vsphere - esx 6.7 - hpe server gen 10 - Hardware Sensors -> Crit Disk xx on HPSA1 Unconfigured ...
error message = CRIT - Disk 10 on HPSA1 : Port Box 0 Bay 87 : 0GB : Unconfigured Disk : Disk Error: Red (The physical element is failing)CRIT, Disk 11 on HPSA1 : Port Box 0 Bay 113 : 0GB : Unconfigured Disk : Disk Error: Red (The physical element is failing)CRIT, Disk 12 on HPSA1 : Port Box 0 Bay 115 : 0GB : Unconfigured Disk : Disk Error: Red (The physical element is failing)CRIT, Disk 13 on HPSA1 : Port Box 0 Bay 116 : 0GB : Unconfigured Disk : Disk Error: Red (The physical element is failing)CRIT, Disk 14 on HPSA1 : Port Box 0 Bay 121 : 0GB : Unconfigured Disk : Disk Error:
Discussion:
https://communities.vmware.com/t5/ESXi-Discussions/Hardware-Status-Alerts-Unconfigured-Disk-Disk-Error-HPSA/td-p/2847302/page/2
Solution:
https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00117054en_us
OMD[sitename]:~/share/check_mk/agents/special$ ./agent_vsphere -u <esx-user> -s 'esx-password' --no-cert-check --debug <IP|HOSTNAME>
for example to be used with aruba iap accesspoints
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=34748
example:
port-access lldp-group IAP-group
seq 30 match vendor-oui 000b86
exit
port-access role IAP-role
description Aruba IAP
poe-priority high
trust-mode dscp
vlan trunk native 1
vlan trunk allowed 1-3,99
exit
port-access device-profile IAP-prof
enable
associate role IAP-role
associate lldp-group IAP-group
in procurve / aruba os switches there is a command "show uptime",
but this doesn't exist on comware switches.
>> the command is: display version
this shows:
Slot 1:
Uptime is 0 weeks,0 days,227 hours,15 minutes
HP 5130-24G-PoE+-4SFP+ (370W) EI JG936A with 1 Processor
BOARD TYPE: 5130-24G-PoE+-4SFP+ EI
DRAM: 1024M bytes
FLASH: 512M bytes
problem: trying to turn on ssh via the command: ip ssh
>> error message
ssh cannot be enabled until a host key is configured (use 'crypto' command).
solution:
crypto key generate ssh rsa
see "server manager" >> local server >> team adapter
instructions (in German):
https://www.windowspro.de/wolfgang-sommergut/nic-teaming-konfigurieren-windows-server-2012-r2
in static mode the switch side on hpe switches (procurve) looks like this:
trunk 1-5 trk1
interface 1
name nic1
exit
interface 2
name nic2
exit
interface 3
name nic3
exit
interface 4
name nic4
exit
interface 5
name nic5
exit
wordpress / apache / mod_fcgid - Error: HTTP ... exceeds MaxRequestLen
problem: the mod_fcgid MaxRequestLen limit is too small for the upload; in the webserver log we see:
[Fri Oct 08 22:34:02.638818 2021] [fcgid:warn] [pid 877745] [client 92.117.179.218:55725] mod_fcgid: HTTP request length 137683 (so far) exceeds MaxRequestLen (131072), referer: https://www.mysite.com/wp-admin/upload.php
solution:
(1): global config for fcgid module:
>> add line " FcgidMaxRequestLen 8388608" to file:
/etc/apache2/mods-enabled/fcgid.conf
>> so that it looks like this:
<IfModule mod_fcgid.c>
FcgidConnectTimeout 20
FcgidMaxRequestLen 8388608
<IfModule mod_mime.c>
AddHandler fcgid-script .fcgi
</IfModule>
</IfModule>
(2) second approach that could help to set the value only for one domain
>> in apache vhost settings, put:
<IfModule mod_fcgid.c>
FcgidMaxRequestLen 8388608
</IfModule>
virtual box - turn off time sync for virtual machine
1) shutdown the virtual machine
2) go to your virtual box folder, for example: C:\Program Files\Oracle\VirtualBox>
3) run command: VBoxManage setextradata <<virtual machine name>> "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" 1
4) start the virtual machine
hint:
the command above updates your "virtual-machine-name.vbox" file,
it adds one line to the "ExtraData" section!
<ExtraData>
<ExtraDataItem name="GUI/LastCloseAction" value="PowerOff"/>
<ExtraDataItem name="GUI/LastGuestSizeHint" value="1504,1099"/>
<ExtraDataItem name="GUI/LastNormalWindowPosition" value="-1558,31,1504,1141"/>
<ExtraDataItem name="VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" value="1"/>
</ExtraData>
hpe - imc - admin password reset
just run C:\Program Files\iMC\client\bin>resetpwd.bat
default from IMC PLAT 7.3 (E0706) is: Pwd@12345
default is: admin/admin
the .bat file has to be in the same folder as the executable ipsecc.exe
example for autologon-vpn.bat:
ipsecc -r <filename.vpn> -u <username> -p <password> -a
(note: the password is stored in clear text in the .bat file and is visible in the process list while the client runs, so restrict access to the file accordingly)
see also:
"C:\Program Files\ShrewSoft\VPN Client\ipsecc.exe" -?
commands:
1) grep -E "^(menuentry|submenu)" /boot/grub/grub.cfg | cut -d"'" -f2 | nl -v0
> you should see the menu entries now
2) edit "/etc/default/grub" and change entry "GRUB_DEFAULT"
3) run command "update-grub" to update the boot-loader
https://askubuntu.com/questions/1341389/need-to-change-default-boot-order-instead-of-ubuntu-21-04-to-windows-7
just use the simple opensource tool: WhyNotWin11
https://www.heise.de/download/product/WhyNotWin11
go to directory of the cpan bin, for example:
/root/.cpan/build/Net-SSH-Expect-1.09-dIBvM1
Net-SSH-Expect-1.09-dIBvM1]# perl Makefile.PL INSTALL_BASE=/opt/mydir/bin/perl-lib
make
Skip blib/lib/Net/SSH/Expect.pod (unchanged)
Skip blib/lib/Net/SSH/Expect.pm (unchanged)
Manifying 1 pod document
[root@mysystem Net-SSH-Expect-1.09-dIBvM1]# make install
Manifying 1 pod document
Installing /opt/mydir/bin/perl-lib/lib/perl5/Net/SSH/Expect.pod
Installing /opt/mydir/bin/perl-lib/lib/perl5/Net/SSH/Expect.pm
Installing /opt/mydir/bin/perl-lib/man/man3/Net::SSH::Expect.3pm
Appending installation info to /opt/mydir/bin/perl-lib/lib/perl5/x86_64-linux-thread-multi/perllocal.pod
in your perl script you need to add the lib path at the beginning:
use lib "/opt/mydir/bin/perl-lib/lib/perl5";
from site:
https://www.ibm.com/docs/en/content-collector/4.0.0?topic=reports-enabling-tls-connections-in-lotus-domino
Procedure
To configure Lotus Domino to use TLS connections:
In the Domino Administrator Client, navigate to Configuration > Server > Configurations.
Open the configuration document for the server that you want to configure.
Select Router/SMTP > Advanced > Commands and Extensions.
Under SSL negotiated over TCP/IP port, select Required.
Navigate to Configuration > Server > Current Server Document.
Select Ports > Internet Ports > Mail.
Under SSL port number for Mail (SMTP Outbound), specify the port 465.
Under SSL port status for Mail (SMTP Outbound), select Enabled.
good pages to help you to check an email server:
https://www.checktls.com/TestReceiver
hpe procurve / aruba os - dhcp
>> you need to turn on "dhcp-server enable" in the global config to enable the dhcp server!
## in vlan section enable using the dhcp-server command
vlan 20
name "mgmt"
untagged 1/41-1/43
tagged Trk3
ip address 10.99.22.250 255.255.255.0
dhcp-server <<<<<<<<<<<<<<<<<<<
exit
#define a pool using the same name as the vlan
dhcp-server pool "mgmt" <<<<<<<<<<<<<<<<<<
authoritative
default-router "10.99.22.250"
dns-server "192.168.2.1"
network 10.99.22.0 255.255.255.0
range 10.99.22.10 10.99.22.20
exit
#!/usr/bin/perl
################################################################################
# poeOffOnSwitch.pl
#
# (c) s4c
#
# v2021-10-22
#
# to get it running, install the necessary perl libs:
# - open CPAN eshell: perl -MCPAN -eshell
# - run command in CPAN shell: install Net::SSH::Expect
#
# Changes
# -2020-10-22: version 1
#
################################################################################
use strict;
use Net::SSH::Expect;
my $timeout_login =3;
my $usage = "usage: poeOffOnSwitch.pl \"<switch-user;switch-pwd;switch-ip;switch-port>\"\n";
my $user='';
my $pwd='';
my $ip='';
my $port='';
if ($ARGV[0] eq ''){
print "$usage\n";
exit(1);
}else{
my $input=$ARGV[0];
#print "$input\n";
$input=~s/^\s*//;
$input=~s/\s*$//;
if ($input=~/^(.*);(.*);(.*);(.*)$/){
$user=$1;
$pwd=$2;
$ip=$3;
$port=$4;
}else{
print "$usage\n";
exit(1);
}
}
my $ts=`date '+%m-%d'`;
chomp($ts);
write2log("turn poe off -on for ip:$ip, port=$port.");
my ($ret,$retmsg)=setPoe($user,$pwd,$ip,$port);
if ($ret == 0){
write2log("Poe off / on for ip:$ip, port=$port success.");
}else{
write2log("Poe off / on for ip:$ip, port=$port failed.");
}
sub setPoe($$$$){
my $user=$_[0];
my $pwd=$_[1];
my $ip=$_[2];
my $port=$_[3];
my $type="procurve";
my $debug=0;
print "getConfig for: $user,$pwd,$ip,$port\n" if $debug;
my $ssh = Net::SSH::Expect->new ( host => $ip,
user => $user,
password=> $pwd,
raw_pty => 1,
no_terminal => 0,
timeout => $timeout_login,
ssh_option => '-o StrictHostKeyChecking=no'
);
my $login_output;
eval { $login_output = $ssh->login(); };
return(1,"Login has failed: $login_output") if($@);
my $out= $ssh->exec(" ");
#use enable mode when we don't see the # in the prompt
if( $out !~ /\>\s*\z|\#\s*/ ){
$ssh->close();
return(2,"Login has failed. No prompt as expected");
}
if ($type =~ /procurve/i){
my $paging= $ssh->exec("terminal length 1000"); #we don't want paging prompts when showing the config
if ( $paging =~ /\s?%\s/ ){
$ssh->close();
return( 3, "Unable to set terminal to length 1000");
}
my $cmd=$ssh->exec("configure");
#write2log("cmd=$cmd.");
sleep(1);
$cmd=$ssh->exec("interface $port");
#write2log("cmd=$cmd.");
sleep(1);
write2log("poe off - port $port");
$cmd=$ssh->exec("no power-over-ethernet");
#write2log("cmd=$cmd.");
sleep(5);
write2log("poe on - port $port");
$cmd=$ssh->exec("power-over-ethernet");
#write2log("cmd=$cmd.");
sleep(5);
$ssh->close();
}else{
$ssh->close();
return (6, "unknown switch type");
}
return(0,'success');
}
sub error($){
print "Error: $_[0]\n";
exit;
}
sub write2log($){
my $dt = `date`;
chomp($dt);
print "$dt $_[0]\n";
}
to install for example Microsoft Office Home & Business 2016 or 2019 in the old way, without having a Microsoft account ready, you can use:
>> Microsoft Windows and Office ISO Download Tool.
https://www.giga.de/downloads/microsoft-windows-and-office-iso-download-tool/
>> copy the "smart" script to the plugin directory:
cp /omd/versions/default/share/check_mk/agents/plugins/smart /usr/lib/check_mk_agent/plugins/
- run > cmd "as administrator"
- go to directory:
Office 2013: C:\Program Files\Microsoft Office\Office15 or C:\Program Files (x86)\Microsoft Office\Office15
Office 2016 / 2019: C:\Program Files\Microsoft Office\Office16 or C:\Program Files (x86)\Microsoft Office\Office16
- find out the license status: cscript ospp.vbs /dstatus
>> you see the last 5 characters from the product key
- remove the product key:
cscript ospp.vbs /unpkey:<last 5 characters from step above>
see also:
https://www.top-password.com/blog/remove-license-product-key-for-office-2016-2013/
using a root cron job:
cronjob:
33 9 * * * mk-job backup-checkmk-site omd backup <sitename> /opt/backup_mount_smb/<sitename>.tar >/dev/null
mount smb file system, in /etc/fstab
//<smb-server-name-or-ip>/<backupshare> /opt/backup_mount_smb cifs credentials=/root/.smbcredentials 0 0
snmpwalk -c public -v 2c <ip> 1.3.6.1.2.1.1
or
snmpwalk -c public -v 2c <ip> system
run from cron:
55 5 * * * /root/bin/getTodayPaketList.sh 1>/dev/null 2>/dev/null
skript:
#!/bin/bash
###############################################################################
#
# getTodayPaketList.sh
#
# run via cron, save the installed package list to directory /root/log
#
# 5 0 * * * /root/bin/getTodayPaketList.sh 1>/dev/null 2>/dev/null
###############################################################################
today=$(date +%m-%d)
FN=/root/log/pkgversion.$today
if ! [ -d "/root/log" ]; then
    mkdir /root/log
fi
echo "save package list from today to file $FN"
dpkg -l > "$FN"
yesterday=$(date -d "yesterday 13:00" '+%m-%d')
FNyesterday=/root/log/pkgversion.$yesterday
if ! [ -f "$FNyesterday" ]; then
    echo "no package list from yesterday ($FNyesterday), nothing to compare"
    exit 0
fi
echo "Compare $FN (new) | $FNyesterday (old)"
echo "-------------------------------------------------------------"
# side-by-side diff: lines marked with "|" changed; keep only installed (ii) packages
diff -y "$FN" "$FNyesterday" | grep '|' | grep ^ii
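The same comparison as an added Python example (not the page's script), working on parsed dpkg -l listings instead of a side-by-side text diff, so that added, removed and version-changed packages are reported separately. The two listings are constructed sample data; on a real system they would be read from the /root/log/pkgversion.* files the script writes.

```python
# Constructed sample listings (not from the page), in the column layout that
# dpkg -l prints: status, package, version, architecture, description.
YESTERDAY = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name        Version           Architecture  Description
+++-===========-=================-=============-======================================
ii  bash        5.0-6             amd64         GNU Bourne Again SHell
ii  openssl     1.1.1n-0+deb10u3  amd64         Secure Sockets Layer toolkit
ii  sudo        1.8.27-1          amd64         Provide limited super user privileges
"""

TODAY = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name        Version           Architecture  Description
+++-===========-=================-=============-======================================
ii  bash        5.0-6             amd64         GNU Bourne Again SHell
ii  openssl     1.1.1n-0+deb10u4  amd64         Secure Sockets Layer toolkit
ii  sudo        1.8.27-1          amd64         Provide limited super user privileges
ii  tcpdump     4.9.3-1           amd64         command-line network traffic analyzer
"""


def parse_dpkg_list(text):
    """Return {package: version} for installed ('ii') packages only.

    The header lines of dpkg -l start with something other than 'ii' and are
    skipped automatically.
    """
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            pkgs[parts[1]] = parts[2]
    return pkgs


def package_drift(old_text, new_text):
    """Compare two listings: packages added, removed, or changed in version."""
    old, new = parse_dpkg_list(old_text), parse_dpkg_list(new_text)
    common = old.keys() & new.keys()
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted((p, old[p], new[p]) for p in common if old[p] != new[p]),
    }


def format_report(drift):
    """One line per finding, in the spirit of the script's diff output."""
    lines = [f"+ {p}" for p in drift["added"]]
    lines += [f"- {p}" for p in drift["removed"]]
    lines += [f"| {p} {old} -> {new}" for p, old, new in drift["changed"]]
    return lines


if __name__ == "__main__":
    for line in format_report(package_drift(YESTERDAY, TODAY)):
        print(line)
```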
problem:
error message on the teamviewer screen on centos: "Wayland detected - Incoming remote control connections will fail. Only Xorg sessions are currently supported."
solution:
#1: when logging in as user to the desktop, choose "GNOME on Xorg"!
#2: permanent change
cp /etc/gdm/custom.conf /etc/gdm/custom.conf.save.xxx
in file /etc/gdm/custom.conf
(1)
uncomment line:
WaylandEnable=false
(2)
Add to [ daemon ] section:
DefaultSession=gnome-xorg.desktop
(3)
save the file and reboot the system
*see also: https://docs.fedoraproject.org/en-US/quick-docs/configuring-xorg-as-default-gnome-session/
yum update fails ...
Error:
Problem: cannot install both graphviz-2.40.1-43.el8.x86_64 and graphviz-2.40.1-40.el8.x86_64
- package graphviz-gd-2.40.1-40.el8.x86_64 requires graphviz = 2.40.1-40.el8, but none of the providers can be installed
- cannot install the best update candidate for package graphviz-2.40.1-40.el8.x86_64
- problem with installed package graphviz-gd-2.40.1-40.el8.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
##this command helps a bit to get the system updated
yum update --skip-broken --nobest
##but the error still exists,
##what to do now? > maybe disable a repository?!
##show which repositories are enabled:
yum repolist enabled
Paketquellen-ID Paketquellen-Name:
appstream CentOS Linux 8 - AppStream
baseos CentOS Linux 8 - BaseOS
epel Extra Packages for Enterprise Linux 8 - x86_64
epel-modular Extra Packages for Enterprise Linux Modular 8 - x86_64
extras CentOS Linux 8 - Extras
>> solution: disable the CentOS-Linux-AppStream repo
>> set enabled=0
cat /etc/yum.repos.d/CentOS-Linux-AppStream.repo
[appstream]
name=CentOS Linux $releasever - AppStream
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=AppStream&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$releasever/AppStream/$basearch/os/
gpgcheck=1
#disabled because of conflict
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
ubuntu 20 lts - manual file system check
(1)
download a "SystemRescue" system "iso", like for example:
https://sourceforge.net/projects/systemrescuecd/
(2)
boot from the iso
(3)
find your partition that you want to check
-> for LVM use command:
(3-1):
lsblk
>> you see a structure like:
# lsblk
NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                         8:0    0   10G  0 disk
└─sda1                      8:1    0   20G  0 part
  └─ubuntu--vg-ubuntu--lv 253:0    0 1999G  0 lvm  /
sr0                        11:0    1 2024M  0 rom
or
(3-1):
lvscan
ACTIVE '/dev/ubuntu-vg/ubuntu-lv' [<..GB] inherit
[if it is not active run: lvchange -ay /dev/ubuntu-vg/ubuntu-lv ]
(4)
now check the filesystem (the logical volume must not be mounted while fsck runs):
fsck.ext4 -cfv /dev/ubuntu-vg/ubuntu-lv
##hints:
https://www.thomas-krenn.com/de/wiki/FSCK_Best_Practices
multipathd failed to get udev uid / failed to get sysfs uid / - how to disable
these messages appear very often in /var/log/syslog:
ov 18 15:38:08 cloud multipathd[763]: sda: add missing path
Nov 18 15:38:08 cloud multipathd[763]: sda: failed to get udev uid: Invalid argument
Nov 18 15:38:08 cloud multipathd[763]: sda: failed to get sysfs uid: Invalid argument
Nov 18 15:38:08 cloud multipathd[763]: sda: failed to get sgio uid: No such file or director
>> how to disable:
add a blacklist section to file:
/etc/multipath.conf
defaults {
user_friendly_names yes
}
blacklist {
devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st|sda)[0-9]*"
}
don't forget to restart the service: /etc/init.d/multipath-tools restart
error message:
I/O error, dev fd0, sector 0 op 0x0
(1) disable floppy in /etc/fstab
disable the line with /dev/fd0 by inserting a hashtag "#"
(2) disable modprobe
/etc/modprobe.d/blacklist.conf
>> insert a new line with:
blacklist floppy
(3) reboot
: Der dpkg-Prozess wurde unterbrochen; Sie müssen manuell »dpkg --configure -a« ausführen, um das Problem zu beheben.
root@system:~# dpkg --configure
dpkg: Fehler: --configure benötigt mindestens ein Paketnamen-Argument
#solution that may help
>> run apt-get -f install
search for "windows 10 media creation tool"
>> you can download the iso image or create a bootable usb stick:
https://www.microsoft.com/de-de/software-download/windows10
>> download iso
>> extract iso file (for example with 7zip)
#now let's run setup with parameter
setup.exe /auto upgrade
Error message:
W 11/19/21 04:12:15 00562 ports: port 2 PD Over Current indication.
>> enabled "device profiles" for access points consume "too much" power, but only reserved power: if you check the real power consumption, there is still enough power left on the device
>> workaround
(1): disable device profiles and add vlan configuration in a static way
(2): reconfigure the lldp "talk" between switch and access point, by using the setting:
no lldp config <port#> dot3TlvEnable poeplus_config
##see also:
https://www.reddit.com/r/networking/comments/4dl6rv/hp_2530_2448_port_poe_not_delivering_poe/
ClearPass Admin Access via Active Directory
- see also Workshop: https://www.youtube.com/watch?v=L2U_IjWFmUI
- Configuration -> Services
>> make a copy of the default service rule [Policy Manager Admin Network Login Service]
[ square brackets mean default rule ]
call the new service "yoursuffix_Policy Manager Admin Network Login Service"
- Reorder new service > move to first position
- Service configuration:
- Authentication Tab: Authentication Sources
remove [Local User Repository]
remove [Admin User Repository]
add your Active Directory “Authentication Source”
- Roles >> no Role Mapping
- Enforcement
>> make a copy of Default Enforcement Policy [Admin Network Login Policy]
[ square brackets mean default rule ]
call the Enforcement Policy “yoursuffix_Admin Network Login Policy”
>> Add a Rule:
Authorization:your-Active-Directory-authentication source
memberOf EQUALS “your-add-group”
>> Profile Names: choose [TACACS+ Super Admin]
- Test login in a private browser window + check under Monitoring > Access Tracker
- User “admin” will always work!
checkmk > raw edition to enterprise > optimize creation of rrd graph files
1: create rule:
Configuration of RRD databases of services
> RRD storage format: One RRD per host/service (saves disk IO, only with CMC)
2: create another rule:
Configuration of RRD databases of hosts
> RRD storage format: One RRD per host/service (saves disk IO, only with CMC)
3: stop site
4: in command line / as site user run the command:
cmk -v --convert-rrds
>> old rrd files are under: ~/var/pnp4nagios/perfdata
>> to count old, run: find ~/var/pnp4nagios/perfdata |grep rrd$ |wc -l
>> new rrd files will now be created under: ~/var/check_mk/rrd
>> to count new, run: find ~/var/check_mk/rrd |grep rrd$ |wc -l
>> to delete old rrd files, run command:
cmk -v --convert-rrds --delete-rrds
------------------------------------
additional stuff:
------------------------------------
- live watching the conversion process:
watch "find ~/var/check_mk/rrd |grep rrd$ |wc -l; find ~/var/pnp4nagios/perfdata |grep rrd$ |wc -l"
CSL HDD Docking Station
my system:
Mod.Nr: 45063/20150716DG005
two slots: HDD A + HDD B
- copy functionality > copy HDD A -> to -> HDD B
- integrated led light shows the progress:
- press the front button if both lights are blue
- green light: means 25% progress
- green + red light: means 50% progress
- red + yellow light: means 75% progress
- red + yellow + orange means 100% progress.
- the destination drive in slot HDD B must be greater than / equal to the source disk!
HPE ArubaOS-CX - ZTP events are being logged all the time
these events are seen all the time (every 2-3 minutes), seen on Version: GL.10.08.1021
2021-10-10T16:10:53.086141+0200 dhcp_options[890470] <INFO> Event|8714|LOG_INFO|AMM|-|ZTP: TFTP server option not provided
2021-10-10T16:10:53.086631+0200 dhcp_options[890470] <INFO> Event|8712|LOG_INFO|AMM|-|ZTP: Image file not provided
2021-10-10T16:10:53.086683+0200 dhcp_options[890470] <INFO> Event|8713|LOG_INFO|AMM|-|ZTP: Config file not provided
2021-10-10T16:10:53.086714+0200 dhcp_options[890470] <INFO> Event|8723|LOG_INFO|AMM|-|ZTP: Aruba Central location option not provided
2021-10-10T16:10:53.086752+0200 dhcp_options[890470] <INFO> Event|8726|LOG_INFO|AMM|-|ZTP: HTTP proxy location was not received in the DHCP offer.
show ztp information
TFTP Server : NA
Image File : NA
Configuration File : NA
Status : Failed - Custom startup configuration detected
Aruba Central Location : NA
Force-Provision : Disabled
HTTP Proxy Location : NA
from Aruba documentation:
Zero Touch Provisioning
Zero Touch Provisioning (ZTP) enables the auto-configuration of factory default switches without a network administrator onsite.
When a switch is booted from its factory default configuration, ZTP autoprovisions the switch by automatically downloading and
installing a firmware file, a configuration file, or both.
With ZTP, even a nontechnical user (for example: a store manager in a retail chain or a teacher in a school)
can deploy devices at a site.
#handle with care ;-)
ztp force-provision
Usage
DHCP options received are processed independent of the current state of configuration on the switch.
Previous ZTP TFTP Server, Image File, Configuration File, Aruba Central Location, and HTTP Proxy location
options are cleared and the switch sends a DHCP request.
>> disable with "no ztp force-provision"
#
########################
Solution
#######################
>>> currently no command to disable this event
>>> solution to filter out messages in event log:
logging filter ztp
enable
10 deny event-id 8714
20 deny event-id 8712
30 deny event-id 8713
40 deny event-id 8723
50 deny event-id 8726
60 deny event-id 8709
70 deny event-id 8730
80 deny event-id 8701
>> check with "show event -r"
###see also:
https://www.youtube.com/watch?v=lI3mChuUhr0
#make backup of old primary image
copy flash flash secondary
#get new firmware from remote ssh / sftp server
copy sftp flash usersftp@<server-ip> port 10022 YA_16_10_0017.swi
aruba cx - cable diagnosis
#go to diagnostics mode
diagnostics
#test port 1/1/1
6100# diag cable-diagnostic test 1/1/1
This command will cause a loss of link on the port under test
and will take several seconds to complete.
Continue (y/n)? y
Cable Diagnostics: [Done]
                       Cable     Impedance   Distance*    MDI
Interface   Pinout     Status    (Ohms)      (Meters)     Mode
--------------------------------------------------------------------
1/1/1       1-2        good      85-115      10 +/- 10    mdi
(1GbT)      3-6        good      85-115       3 +/- 10    mdi
            4-5        good      85-115       8 +/- 10    mdi
            7-8        good      85-115      10 +/- 10    mdi
###########################################################################
6100# diag cable-diagnostic show 1/1/3
This command will cause a loss of link on the port under test
and will take several seconds to complete.
Continue (y/n)? y
Cable Diagnostics: [Done]
                       Cable     Impedance   Distance*    MDI
Interface   Pinout     Status    (Ohms)      (Meters)     Mode
--------------------------------------------------------------------
1/1/3       1-2        open      >115         0 +/- 5
(1GbT)      3-6        open      >115         0 +/- 5
            4-5        open      >115         0 +/- 5
            7-8        open      >115         0 +/- 5
Cable status legend (1GbT):
Cable          Impedance
Status         (Ohms)      Description
----------------------------------------------------------------
good           85-115      No cable faults found
open           >115        Open circuit detected
intra-short    <85         Short-circuit within the same wire pair
inter-short    <85         Short-circuit with another wire pair
high-imp       >115        Cable impedance was higher than expected
low-imp        <85         Cable impedance was lower than expected
unknown        --          Cable test was inconclusive
perl ssh automation libs for deployment
3 libs are needed to be able to run "use Net::SSH::Expect;" in a script:
[root@system1 Expect-1.35-5jN4zk]# perl Makefile.PL INSTALL_BASE=/root/deploy
[root@system1 IO-Tty-1.16-76YMxG]# perl Makefile.PL INSTALL_BASE=/root/deploy
[root@system1 Net-SSH-Expect-1.09-dIBvM1]# perl Makefile.PL INSTALL_BASE=/root/deploy/
cd /root/deploy
tar -cvf ../perl_deploy.tar lib/ man/
>> the perl_deploy.tar file contains the necessary libs
>> copy perl_deploy.tar to destination system >> and extract the tar file in a lib directory,
now the new lib directory contains directory man + lib
>> to make use of the deployed libs just add the "use lib" definition to your perl script:
use lib "<path to your lib directory>/lib/perl5";
use strict;
use Net::SSH::Expect;
https://ase.arubanetworks.com/solutions?page=1&page_size=20&order=-modified
- template builder for radius aaa and more
arubaos / procurve switches - find out ip address of connected clients
option (1):
-----------------
one way to do that in a nice way is using "ip client-tracker"
command: ip client-tracker
# Enables or disables the visibility of statically and
# dynamically assigned IPv4 and IPv6 addresses for both
# authenticated clients and non-authenticated clients
to see the clients run the command: show port-access clients
option (2)
----------------
the other way is using dhcp snooping
commands:
DHCP-Snooping Configuration:
(MySwitch)<config># dhcp-snooping enable
(MySwitch)<config># dhcp-snooping vlan 1099
(MySwitch)<config># show dhcp-snooping
and define a trusted interface where the dhcp answers are allowed to come from, for example:
Interface trk1
dhcp-snooping trust
exit
to see the clients run the command: show dhcp-snooping binding
virtual linux ubuntu 20 - how to increase / root partition
problem:
not enough space in: /dev/mapper/ubuntu--vg-ubuntu--lv
solution:
1) increase harddrive in hosting environment (for example in vmware)
2) boot virtual linux system
3) cfdisk > resize partition
4) resize pvs: pvresize /dev/sda3
5) extend logical volume: lvextend -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv
6) finally resize the filesystem: resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv
7) check with: df -h
see also:
- https://kb.vander.host/operating-systems/how-to-resize-an-ubuntu-18-04-lvm-disk/
- https://packetpushers.net/ubuntu-extend-your-default-lvm-space/
scenario: copy a virtual linux system and give the new system another ip address
1) find out the new mac address (for example in vmware settings)
2) disconnect network interface and boot up the system
3) make changes in these files
---- /etc/hosts #maybe change ip
---- /etc/sysconfig/network-scripts/ifcfg-eth0 #change mac to new mac + ip
---- /etc/udev/rules.d/70-persistent-net.rules #change mac to new mac
4) shutdown system
5) connect interface > start system > ping + tests
open certificate in windows > open tab certification path
- select each certificate from path list for example
-- Sectigo RSA Domain Validation Secure Server CA
----- Sectigo
>> press button "show certificate" > under "more" > select "copy to file" > now you have it
>> if you select DER format >> you get a binary format
>> if you select Base-64-coded >> you get an ASCII readable format
SSL - how to view details of a .cer file using openssl
command: openssl x509 -in your-cert-file.cer -noout -text
SSL - how to view details of a .cer file using certutil on windows
command: certutil -f urlfetch -verify your-cert-file.cer
##### Monitoring > interfering accesspoints
> Support: Command: AP Monitor AP Table
--> curr-snr .. if high this is bad, neighbor accesspoint has bad influence
--> curr-rssi .. if high this is bad, neighbor accesspoint has bad influence
- AP arm history
- AP arm rf summary
- AP arm neighbors
#########################################################################
# VSF - Virtual Switching Framework
#########################################################################
show vsf
#switch 1
vsf member 1
link 1 1/1/49
link 2 1/1/50
show vsf link
#switch2
vsf member 1
link 1 1/1/49
link 2 1/1/50
vsf renumber to 2
#define a secondary-member, to have a standby member in the stack >> this is really recommended!
vsf secondary-member 2
#vsf-factory-reset #in case you need to clean
commands:
member <x> #x is number of member
#with this command you can switch to a vsf member
documentation:
AOS-CX 10.09 Virtual Switching Framework (VSF) Guide 6200, 6300 Switch Series
6300xx example
- show images (check Active Image - should be primary)
- 2 partition on switch: primary / secondary
- show version: see the Active Image
- copy primary secondary #backup primary to secondary
- copy tftp://ip/filename.swi primary <vrf mgmt>
sample: copy tftp://192.168.100.1/ArubaOS-CX_6400-6300_10_08_1030.swi primary <vrf mgmt>
- copy sftp://user@ip/filename.swi primary <vrf mgmt>
sample: copy sftp://pi@192.168.100.1//srv/tftp/ArubaOS-CX_6400-6300_10_08_1030.swi primary
- [not necessary since we boot on primary] boot set-default secondary #set boot-image to secondary
- show images (check versions again)
- boot system >> Continue >> Enter "y"
> Multiple components will be updated and several reboots will be triggered during these updates. When
>all component updates are completed, the switch console port will arrive at the login prompt
- vsf environment
- if image is uploaded to the "conductor" > all members will also upgrade
- vsf member <x> reboots #reboot a member
- boot system #whole stack will be rebooted
#see also
- documentation: https://www.arubanetworks.com/techdocs/AOS-CX/10.09/PDF/vsf.pdf
- Firmware update
- https://www.youtube.com/watch?v=kCNK5djDq0k
there are several possibilities:
- it could be the 6/4 digit unlock code for your iPhone.
- it could be the password of your iTunes Store account.
- it could be the password of your iCloud account.
- it could be just simple 0000
- it could be the password that you chose to encrypt your backup file
#Monitoring Lenovo Xclarity Controller
- for example ThinkSystem SR630
on XClarity Controller
(1) Define contact and location
To enable the SNMPv3 agent, the following criteria must be met:
A BMC contact is specified
A BMC location is specified
Server Configuration > Server Properties:
define contact and building (= location)
(2) add a local user
BMC Configuration
User /LDAP > Global Settings: unset option "Force to change password on first access"
User/LDAP: add a local user
monitor / <password>
Authority level: Read-only
under SNMP Settings choose Authentication protocol "HMAC-SHA"
(3) enable snmp-v3
BMC Configuration
Network > SNMP setup
>> Enable SNMPv3 Agent >> Apply
(4) test snmp query
snmpwalk -v 3 -u monitor <host||ip-address> #if there is no Authentication protocol
snmpwalk -v 3 -u monitor <host||ip-address> -l authNoPriv -a SHA -A <password> #if Authentication protocol = HMAC-SHA
(5) don't forget to disable password expiration!
BMC Configuration
User /LDAP > Global Settings:
Password expiration period: 0
Password expiration warning period:0
-----------------------------------
>> now get check_ lenovo xcc script from exchange.nagios.org:
https://exchange.nagios.org/directory/Plugins/Hardware/Server-Hardware/Lenovo/check_-lenovo-xcc-bash/details
run test:
check_lenovo_xcc.sh -H $HOSTADDRESS$ -u monitor -l authNoPriv -a SHA -A <password> -T health
-----------------------------------
errors and solutions:
- snmpwalk: Unknown user name
>> solution: BMC configuration > User/LDAP > Global Settings
>> unset option "Force to change password on first access"
- snmpwalk: Unsupported security level
>> solution: maybe missing Authentication protocol under User/LDAP > user specific SNMP Settings
firewall-cmd could be used for example on linux centos or red hat
(1) remove old rule, that allows all source addresses (if there is such a rule)
firewall-cmd --zone=public --remove-port=8443/tcp --permanent
(2)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.20.4.69/32" port protocol="tcp" port="8443" accept'
(3)
firewall-cmd --reload
ssh -o StrictHostKeyChecking=no admin@10.10.1.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:Y0Mc293ukQqU2VYt372EqGq4Htg4chdBJ0D5KJwgOTU.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:105
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
possible solution, but consider your security policy!!
>> connect to the remote system with "no known hosts file", by running this command:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no admin@10.10.1.1
#see also: https://www.shellhacks.com/disable-ssh-host-key-checking/
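The warning above reports two things worth keeping: the fingerprint of the key the remote side now presents and the line in known_hosts that holds the old key. Instead of disabling host key checking for the whole session, the following added example (my own Python, not code from the page or from shellhacks) parses the warning, compares the reported fingerprint with one confirmed out of band (console, the admin who replaced the device) and deletes only the offending line from known_hosts, so every other pinned key stays in place. The known_hosts entries, the temp path and the function names are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Constructed warning text, modelled on the OpenSSH message quoted above
# (same fingerprint and "Offending ... key" line; the path and line number
# are whatever the real warning reports).
SAMPLE_WARNING = """\
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
The fingerprint for the RSA key sent by the remote host is
SHA256:Y0Mc293ukQqU2VYt372EqGq4Htg4chdBJ0D5KJwgOTU.
Please contact your system administrator.
Offending RSA key in /root/.ssh/known_hosts:105
"""

FINGERPRINT_RE = re.compile(r"^(SHA256:[A-Za-z0-9+/=]+)\.?\s*$", re.MULTILINE)
OFFENDING_RE = re.compile(r"^Offending \S+ key in (?P<path>.+):(?P<line>\d+)\s*$", re.MULTILINE)


def parse_warning(text):
    """Extract (fingerprint, known_hosts_path, line_number) from the OpenSSH warning.

    Returns None when either piece is missing, so nothing is ever deleted on a guess.
    """
    fp = FINGERPRINT_RE.search(text)
    off = OFFENDING_RE.search(text)
    if fp is None or off is None:
        return None
    return fp.group(1), off.group("path"), int(off.group("line"))


def fingerprint_matches(reported, expected):
    """True when the fingerprint in the warning equals the one confirmed out of band."""
    return reported.strip().rstrip(".") == expected.strip()


def remove_known_hosts_line(path, line_no):
    """Delete exactly one 1-based line from a known_hosts file; return the removed entry.

    Only the stale entry goes away. Pointing UserKnownHostsFile at /dev/null instead
    would switch off key pinning for every host during that session.
    """
    p = Path(path)
    lines = p.read_text().splitlines(keepends=True)
    if not 1 <= line_no <= len(lines):
        raise IndexError(f"{path} has {len(lines)} lines, no line {line_no}")
    removed = lines.pop(line_no - 1)
    p.write_text("".join(lines))
    return removed.rstrip("\n")


def demo(expected_fingerprint):
    """Run the whole flow against a constructed known_hosts file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        kh = Path(tmp) / "known_hosts"
        # Constructed entries; the key blobs are placeholders, not real keys.
        kh.write_text(
            "10.10.1.2 ssh-ed25519 AAAAC3_constructed_key_A\n"
            "10.10.1.1 ssh-rsa AAAAB3_constructed_key_B\n"
            "10.10.1.3 ssh-ed25519 AAAAC3_constructed_key_C\n"
        )
        # Re-point the warning at the temp file; line 2 holds the stale 10.10.1.1 key.
        warning = SAMPLE_WARNING.replace("/root/.ssh/known_hosts:105", f"{kh}:2")
        fingerprint, path, line_no = parse_warning(warning)
        if not fingerprint_matches(fingerprint, expected_fingerprint):
            # Fingerprint not confirmed: leave known_hosts untouched.
            return {"removed": None, "remaining": 3, "verified": False}
        removed = remove_known_hosts_line(path, line_no)
        remaining = len(kh.read_text().splitlines())
        return {"removed": removed, "remaining": remaining, "verified": True}


if __name__ == "__main__":
    print(demo("SHA256:Y0Mc293ukQqU2VYt372EqGq4Htg4chdBJ0D5KJwgOTU"))
```

For a single host the removal step is what `ssh-keygen -R <host>` does; the script only adds the fingerprint check in front of it, and after the next successful login the new key is pinned again in the usual way.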
1) Switch settings
tacacs-server host 192.168.2.10 vrf xyz
tacacs-server host 192.168.2.11 vrf xyz
tacacs-server key plaintext xyzxyzxyz
tacacs-server auth-type pap #pap is default - statement not needed
aaa group server tacacs group-tacacs
server 192.168.2.10 vrf xyz
server 192.168.2.11 vrf xyz
aaa authentication login default group group-tacacs local
aaa authentication allow-fail-through
1.1) to verify user permissions, after successful logon run command: show user information
to see which groups are available on cx switch run command:
show user-group
GROUP NAME        GROUP TYPE        INCLUDED GROUP       NUMBER OF RULES
--------------    --------------    ------------------   -------------------
administrators    built-in          n/a                  n/a
auditors          built-in          n/a                  n/a
operators         built-in          n/a                  n/a
2) on Tacacs server side return the right attributes
2.1) clearpass Enforcement Profile:
Action: Accept
Service Attributes: Aruba:Common Aruba-Admin-Role = administrators
>> the important part is the service attribute "Aruba:Common" and the role "administrators"
problem with certificate > renew certificate and maybe reboot
see more details here:
https://techsearch.watchguard.com/KB?type=Known%20Issues&SFDCID=kA16S000000SNhXSAW&lang=en_US
Problem:
Using Aomei Backupper Version 6.8 and building a boot medium with the Aomei Backupper application did not really work on an HP notebook 850 G8: the USB boot stick was booting, but the application just hung.
Solution:
after creating the bootable USB stick using the AOMEI PEbuilder:
WinPE bootable CD/USB via AOMEI PEBuilder:
http://www2.aomeisoftware.com/download/pe/2.0/full/PEBuilder.exe
>> the usb stick / backup application works fine!!
ubuntu linux system - big size of directory /var/log/journal/
1) determine the size of the directory:
1.1) with command journalctl:
journalctl --disk-usage
>> for example: Archived and active journals take up 4.0G in the file system.
1.2) with command du (disk usage)
du -s -h /var/log/journal/
>>> for example: 4,1G /var/log/journal/
2) check settings in configfile: /etc/systemd/journald.conf
>> set max use size, for example to 1G:
SystemMaxUse=1000M
3) restart service >> this will cleanup to specified size / or age
service systemd-journald restart
WatchGuard FireCluster configuration
####################################
pre-config:
-----------
0.1 get feature key from member_2 via the WatchGuard website
0.2 comply with naming convention
0.3 save feature key from member_2
config:
-------
1.1 network > configuration > interface
1.2 last available interface will become the cluster_interface
1.2.1 activate interface
1.2.2 name interface
1.2.3 deactivate interface
1.3 firecluster > configure
1.4 enable firecluster
1.5 enable active/passive cluster
1.6 select cluster_interface
1.7 management interface is the one you access the firewall with
1.8 switch to advanced tab
1.8.1 enable monitor hardware status
1.9 switch to member tab
1.10 edit member_1
1.10.1 primary cluster > 169.254.254.1/24 (for heartbeat only)
1.10.2 enter management ipv4 > ex. 10.0.0.251/24
1.11 add new member_2
1.11.1 add saved feature key
1.11.2 primary cluster > 169.254.254.2/24 (for heartbeat only)
1.11.3 enter management ipv4 > ex. 10.0.0.252/24
1.12 setup > system > change name to wg...-ha (high availability)
ArubaOS CX SNMPv3
(1) snmp default community is public, make sure to define another community, e.g. companypub
switch(config)# snmp-server community companypub
(2) Create an SNMPv3 user using SHA for authentication and AES for privacy:
switch(config)# snmpv3 user checkmk-monitoring auth sha auth-pass plaintext passAuth01 priv aes priv-pass plaintext passAuth02
(3) create an SNMPv3 context with the community name created above and assigned to the mgmt VRF:
switch(config)# snmpv3 context snmpv3mgmt vrf mgmt community companypub
(4) Enable SNMP on the VRF, that is used for switch monitoring:
switch(config)# snmp-server vrf mgmt
(5) optional
Disable support for SNMPv1 and SNMPv2c and only accept SNMPv3 messages using the following command:
switch(config)# snmp-server snmpv3-only
(6) run a test ;-)
snmpwalk -v 3 -l authPriv -u checkmk-monitoring -a SHA -A passAuth01 -x AES -X passAuth02 192.168.100.100
windows server - how to change a subnet mask of a dhcp scope
for example change subnet mask from a scope 172.16.0.0/16 to 172.16.99.0/24
1) export to xml file using powershell
Export-DhcpServer -Computername <name of computer> -Leases -File C:\export_dhcpserver.xml -verbose
<name of computer can be 127.0.0.1 or localhost if you export the configuration directly on the server>
2) make a copy of the exported file, name it: import_dhcpserver.xml
3) edit the import_dhcpserver.xml file and replace the dhcp scope section,
and all lease entries that reference to the section name:
3.1) dhcp scope section, change the ScopeId + the subnet mask
<Scopes>
<Scope>
<ScopeId>172.16.99.0</ScopeId>
<Name>intern</Name>
<SubnetMask>255.255.255.0</SubnetMask> #change subnet mask here
<StartRange>172.16.99.1</StartRange>
3.2) dhcp lease entry, make sure to change the ScopeId to the new scope id
<Lease>
<IPAddress>172.16.99.177</IPAddress>
<ScopeId>172.16.99.0</ScopeId> #change the scope ip here
4) delete the scope id(s) from the dhcp server, using the dhcp admin tool
5) now import the new file:
Import-DhcpServer -Computername <name of computer> -Leases -File C:\import_dhcpserver.xml -BackupPath C:\dhcpbackup\ -Verbose
6) Restart both DHCP client and Server services
7) check the dhcp tool if everything looks fine
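Editing the ScopeId, SubnetMask and every lease's ScopeId by hand is error-prone on a scope with many leases, and leases that were valid in 172.16.0.0/16 but lie outside 172.16.99.0/24 do not belong in the new scope at all. The following added example (my own Python, not part of the page or of the DHCP cmdlets) does steps 3.1 and 3.2 on the exported XML: it rewrites the scope, re-labels the leases that fit the new network and drops the ones that do not, reporting them. The XML is a constructed, cut-down version of the fragments shown above; a real Export-DhcpServer file carries many more elements, which the code leaves untouched because it only looks up the elements named on the page.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed export, modelled on the <Scope> and <Lease> fragments in the notes above.
SAMPLE_EXPORT = """<DhcpServer>
  <IPv4>
    <Scopes>
      <Scope>
        <ScopeId>172.16.0.0</ScopeId>
        <Name>intern</Name>
        <SubnetMask>255.255.0.0</SubnetMask>
        <StartRange>172.16.99.1</StartRange>
        <EndRange>172.16.99.254</EndRange>
        <Leases>
          <Lease>
            <IPAddress>172.16.99.177</IPAddress>
            <ScopeId>172.16.0.0</ScopeId>
          </Lease>
          <Lease>
            <IPAddress>172.16.5.20</IPAddress>
            <ScopeId>172.16.0.0</ScopeId>
          </Lease>
        </Leases>
      </Scope>
    </Scopes>
  </IPv4>
</DhcpServer>
"""


def renumber_scope(xml_text, old_scope_id, new_cidr):
    """Move one scope to a new network and keep its leases consistent.

    Returns (new_xml, scopes_changed, dropped_lease_ips). Leases whose address is
    not inside the new network are removed instead of being given the new ScopeId,
    since an address outside the /24 cannot be a lease of that scope.
    """
    net = ipaddress.ip_network(new_cidr, strict=True)
    new_id = str(net.network_address)
    root = ET.fromstring(xml_text)

    changed = 0
    for scope in root.iter("Scope"):
        scope_id = scope.find("ScopeId")
        if scope_id is None or scope_id.text != old_scope_id:
            continue
        scope_id.text = new_id
        mask = scope.find("SubnetMask")
        if mask is not None:
            mask.text = str(net.netmask)
        changed += 1

    # ElementTree has no parent pointers, so build a child -> parent map once;
    # this also keeps the lease handling independent of where <Lease> sits in the tree.
    parent = {child: p for p in root.iter() for child in p}
    dropped = []
    for lease in list(root.iter("Lease")):
        lease_scope = lease.find("ScopeId")
        if lease_scope is None or lease_scope.text != old_scope_id:
            continue
        ip = ipaddress.ip_address(lease.findtext("IPAddress"))
        if ip in net:
            lease_scope.text = new_id
        else:
            dropped.append(str(ip))
            parent[lease].remove(lease)

    return ET.tostring(root, encoding="unicode"), changed, dropped


if __name__ == "__main__":
    new_xml, n, dropped = renumber_scope(SAMPLE_EXPORT, "172.16.0.0", "172.16.99.0/24")
    print(new_xml)
    print(f"scopes changed: {n}, leases dropped: {dropped}")
```

Write the returned XML to import_dhcpserver.xml and continue with step 4; the dropped list tells you which clients will need a fresh lease from the new scope.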
hpe switch mac address 000000-000000 in arp cache - what does it mean?
>> this is the result of an arp request, with no response
let's assume you have a subnet 192.168.2.0/24 and you ping the not existing ip address (not reachable ip address) "192.168.2.99" from the switch, then the arp table of your HPE Procurve / ArubaOs Switch will look like:
switch# show arp
IP ARP table
  IP Address       MAC Address        Type     Port
  ---------------  -----------------  -------  ----
  192.168.2.13     abcdef-23df33      dynamic  1
  192.168.2.99     000000-000000      dynamic
>> for the next 5 minutes (or depending on your arp cache settings) you will see the 192.168.2.99 000000-000000 entry
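When you collect "show arp" from many switches it helps to separate the unanswered requests from real neighbours automatically. The following added example (my own Python, not from the page) parses the table format shown above and flags entries with an all-zero MAC; the one edge case in the format is that such entries have no Port column, so the port group is optional. The output and the third (static) entry are constructed.

```python
import re

# Constructed "show arp" output, modelled on the listing above: one resolved entry,
# one unanswered request (all-zero MAC, empty Port column) and a static entry.
SAMPLE_SHOW_ARP = """\
IP ARP table

  IP Address       MAC Address        Type     Port
  ---------------  -----------------  -------  ----
  192.168.2.13     abcdef-23df33      dynamic  1
  192.168.2.99     000000-000000      dynamic
  192.168.2.1      00aabb-ccddee      static   24
"""

ARP_LINE_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"   # dotted IPv4 address
    r"(?P<mac>[0-9a-f]{6}-[0-9a-f]{6})\s+"       # HPE style xxxxxx-xxxxxx MAC
    r"(?P<type>\w+)"                             # dynamic / static
    r"(?:\s+(?P<port>\S+))?\s*$",                # port is absent for unresolved entries
    re.IGNORECASE | re.MULTILINE,
)


def parse_show_arp(text):
    """Parse the table into dicts; 'port' is None when the column is empty."""
    return [m.groupdict() for m in ARP_LINE_RE.finditer(text)]


def is_unresolved(entry):
    """An all-zero MAC means the switch sent an ARP request and got no reply."""
    return set(entry["mac"].replace("-", "")) == {"0"}


def unresolved_ips(text):
    """IP addresses in the ARP table that nobody answered for."""
    return [e["ip"] for e in parse_show_arp(text) if is_unresolved(e)]


if __name__ == "__main__":
    for e in parse_show_arp(SAMPLE_SHOW_ARP):
        print(e, "UNRESOLVED" if is_unresolved(e) else "")
```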
when restarting windows, it may happen that windows performs a quick restart
--> some services are not restarted and this can lead to errors
fix
###
to disable this option permanently you can execute the following command in the command line:
>> powercfg /H off
nice and simple ping tools to measure availability in your network
(1)
PingInfoView - Ping monitor utility
https://www.nirsoft.net/utils/multiple_ping_tool.html
(2)
Multiping Grapher
just a simple exe file, software is not up2date anymore but still works
https://www.heise.de/download/product/multiping-grapher-38992
ArubaOS-CX wake on lan / ip directed broadcast
how to handle wake on lan packets on ArubaOS-CX switches?
using ip directed broadcast to get WOL (wake on LAN) running over different routed subnets.
On ArubaOS-CX switches IP directed broadcast is supported on:
- Route Only Port (ROP)
- Switched Virtual Interface (SVI)
- Layer 3 Link Aggregation Group (L3LAG) interfaces
example:
turn ip directed broadcast on for vlan 999:
switch(config)# interface vlan 999
no shutdown
ip address 10.0.21.1/24
ip directed-broadcast
> now all ip directed broadcast will be "broadcasted" to all members in vlan 999
> ACLs (access lists) can be used to only allow this ip directed broadcast from specific IP addresses,
for example only ip 10.0.20.20 is allowed to send wol
access-list ip ipdb
10 permit udp 10.0.20.20 any eq 7
100 deny udp any any eq 7
#apply access list on interface where the packets are initiated
interface vlan500
apply access-list ip ipdb routed-in
#commands
show ip interface vlan999 #show ip directed broadcast status on interface
show ip directed-broadcast #gives you an overview where ip directed broadcasts are enabled
see also:
https://www.arubanetworks.com/techdocs/AOS-CX/10.08/PDF/ip_route_6300-6400-83xx.pdf
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=28864
---------------------------------------------------------
how to use wol.exe to initiate a ip directed broadcast packet:
wol.exe <<destination mac>> /d 10.0.21.255
>> 10.0.21.255 is the broadcast network address of the subnet 10.0.21.0/24
>> wol.exe - you can download it from: https://www.heise.de/download/product/wol.exe-43799
checkmk problem when monitoring mssql database > error: msoledbsql - the provider cannot be found!
error message:
-------------------------------------------------------------------------
Microsoft (R) Windows Script Host, Version 5.812
Copyright (C) Microsoft Corporation. Alle Rechte vorbehalten.
?<<<mssql_instance:sep(124)>>>
<<<mssql_databases:sep(124)>>>
<<<mssql_counters:sep(124)>>>
<<<mssql_tablespaces>>>
<<<mssql_blocked_sessions:sep(124)>>>
<<<mssql_backup:sep(124)>>>
<<<mssql_transactionlogs:sep(124)>>>
<<<mssql_datafiles:sep(124)>>>
<<<mssql_cluster:sep(124)>>>
<<<mssql_jobs:sep(09)>>>
<<<mssql_versions:sep(124)>>>
<<<mssql_connections>>>
<<<mssql_instance:sep(124)>>>
<<<mssql_instance:sep(124)>>>
MSSQL_INSTANCENAME|config|14.0.1000.169|Standard Edition|
<<<mssql_instance:sep(124)>>>
MSSQL_INSTANCENAME|state|0|Connecting using provider msoledbsql. ERROR: Der Provider kann nicht gefunden werden. Möglicherweise ist er nicht richtig installiert worden. Connecting using provider sqloledb. ERROR: Fehler bei der Anmeldung für den Benutzer "". ERROR: Fehler bei der Anmeldung für den Benutzer "". (SQLState: 42000/NativeError: 18456). Connecting using provider sqlncli11. ERROR: Fehler bei der Anmeldung für den Benutzer "". ERROR: Fehler bei der Anmeldung für den Benutzer "". (SQLState: 28000/NativeError: 18456).
-------------------------------------------------------------------------
solution option 1:
--------------------------
in the plugin file mssql.vbs search for line:
>>>> 'For Each connProv in Array("msoledbsql", "sqloledb", "sqlncli11")
and change the line to:
>>>> For Each connProv in Array( "sqloledb", "sqlncli11")
now the mssql.vbs plugin will probably run without error!
solution option 2:
-------------------------
>> install the msoledbsql plugin on your database server, see also:
https://docs.microsoft.com/de-de/sql/connect/oledb/applications/installing-oledb-driver-for-sql-server?view=sql-server-ver15
sometimes you need a yaml file syntax validator, for example if you want to check if the checkmk user agent file is still valid
list of yaml file syntax validator tools:
- https://onlineyamltools.com/validate-yaml
-------------------------------------------------------
Problem:
-------------------------------------------------------
after upgrading HPE IMC to version 7.3 E0706P06 there are many many log messages like:
Interface Switch loopbackup interface-5073 of device, address 127.0.0.1 is duplicate
-------------------------------------------------------
Solution from HPE:
-------------------------------------------------------
https://support.hpe.com/hpesc/public/docDisplay?docId=sf000076717en_us&docLocale=en_US
cause:
A new Duplicate IP trap has been added in IMC 7.3 E0706P06, and does not ignore the loopback address.
Workaround:
1. Stop imcnetresdm process in IDMA
2. Back up $IMC/server/conf/qvdm.conf to the desktop.
3. Edit the original file, adding the line at the end of the file:
DupIpConflictAlarm=false
add another blank line and save the file.
4. Start imcnetresdm process in IDMA
read the readme file that comes with the update package.
document the theoretical update path, if you have to apply several update steps, like for example, if you have E0703 installed, the update path would be:
imc: JG748AAE 7.3 (E0703)
>> update path: 7.3 (E0705)
>> update path: 7.3 (E0706)>> P06
>> update path: 7.3 (E0706P06) >> update Hotfix (because of log4j security issue)
Once you have downloaded and extracted the update files into a directory that can be accessed by the IMC server and its Deployment Monitoring Agent, you can follow these steps (these steps are also in the readme file!)
update steps:
--------------------------------
1 Back up the IMC database on the Environment tab in the Deployment Monitoring Agent.
2 Manually copy the IMC installation directory to a backup path.
3 Stop IMC in the Deployment Monitoring Agent.
4 Restart IMC server.
5 Click Install on the Monitor tab of the Deployment Monitoring Agent
6 Select the windows/install/components directory in the upgrade package and click OK.
7 Click OK in the popup message dialog box.
8 Click Start in the Upgrade Common Components dialog box to upgrade common components.
9 After common components are upgraded, click Close.
10 In distributed deployment mode, stop the Deployment Monitoring Agent on the master server and restart the Deployment Monitoring Agent on every subordinate server. Click Yes in the popup message dialog box to upgrade common components on every subordinate server.
11 The Deployment Monitoring Agent displays all components that need to be upgraded. Click OK to start upgrading.
12 In distributed deployment mode, upgrade all components deployed on every subordinate server.
13 After all components are updated, start all processes in the Deployment Monitoring Agent.
----------------------------------------------------------------------------
>>>> when you have trouble after the update:
----------------------------------------------------------------------------
if IMC does not start after your update session, make sure to undeploy all packages that still have an old version, for example the old WLAN management module etc.
android:
infrastructure & application monitoring
https://play.google.com/store/apps/details?id=app.check_mk&hl=de&gl=US
apple:
https://www.easynag.com/
HPE Intelligent Management Center - things to know
- Linux: Start Deployment Monitoring Agent
/opt/iMC/deploy/dma.sh
- Features released in IMC PLAT 7.3 (E0706)
The default password for the administrator changes to Pwd@12345 when you install IMC.
- TCL scripts for backup / update and more: %IMCDIR%/server/conf/adapters/ICC
directory under linux for example: /opt/iMC/server/conf/adapters/ICC/Hewlett Packard/HPProcurve2500
checkmk - how to handle Windows event logs / logwatch messages
sometimes you want to ignore, or change the status of, some Windows event log entries if you are monitoring them using the checkmk windows agent.
1) create a test event in system logs
eventcreate /ID 999 /L System /SO TestSourceSystem /T ERROR /D "this is a test critical test message"
2) in checkmk you will get a Critical message for service Log System, now let us create a rule, so that the event
should be shown as "warning" instead of "critical"
3.) create a rule > add a Logfile pattern rule
- Setup > Services > Service monitoring rules > Logfile patterns
- Create rule in folder "Main directory" / or another directory that you want to choose
- Description: this is a test critical test message
- Logfile pattern > Add pattern:
choose State "Warning" + Pattern "this is a test critical test message"
- Logfile to match: System
4.) test the rule - using "Try Pattern Match"
- at the service of the host click on: Log System > Open Log
- select the message "TestSourceSystem this is a test critical test message", by clicking on the symbol in the left
- now the dialog "Setup > Services > Service monitoring rules > Logfile patterns >
Logfile patterns of logfile System on host xyz" opens:
- press the "Try out" button, and see if the defined rule from step "3" matches
5.) final test
-> create the event again --> step 1
for the google search engine - https://www.google.com - just run a query like:
site:computer2know.de
----------
for the microsoft bing search engine - https://www.bing.com - just run a query like:
url:computer2know.de
the watchguard default ip address is:
10.0.1.1 and it is available on interface 1 (not interface wan, which is 0).
the watchguard webfrontend can be access via:
https://10.0.1.1:8080
the default username is admin, with password readwrite
before the "show running" command is executed, the two following commands are sent to turn paging off:
my $paging = $ssh->exec("terminal length 1000"); # we don't like prompts when showing the config
$paging = $ssh->exec("no page");                 # same for switches that use the "no page" syntax (no second "my", that only masks the first declaration)
Message when script backups, every 1000 lines or so we see the following characters:
^[[232;1H^[[2K^[[1000;1H^[[1;1000r^[[1000;1H
we need to have a look at the hex values of the characters to build a valid perl regular expression:
. [ 2 3 2 ; 1 H . [ 2 K . [ 1 0 0 0 ; 1 H . [ 1 ; 1 0 0 0 r . [ 1 0 0 0 ; 1 H
HEX: 1B 5B 32 33 32 3B 31 48 1B 5B 32 4B 1B 5B 31 30 30 30 3B 31 48 1B 5B 31 3B 31 30 30 30 72 1B 5B 31 30 30 30 3B 31 48 20 20 20
------------------------------
regular expression solution:
------------------------------
if ($line=~/^(.*)\x1b\x5b232\x3b1H\x1b\x5b2K\x1b\x5b1000\x3b1H\x1b\x5b1\x3b1000r\x1b\x5b1000\x3b1H(.*)$/){
------------------------------
in the code it looks like this:
------------------------------
#filter out strange line: ^[[232;1H^[[2K^[[1000;1H^[[1;1000r^[[1000;1H
# . [ 2 3 2 ; 1 H . [ 2 K . [ 1 0 0 0 ; 1 H . [ 1 ; 1 0 0 0 r . [ 1 0 0 0 ; 1 H
#in hex it is: 1B 5B 32 33 32 3B 31 48 1B 5B 32 4B 1B 5B 31 30 30 30 3B 31 48 1B 5B 31 3B 31 30 30 30 72 1B 5B 31 30 30 30 3B 31 48 20 20 20
#print "$lc $line\n";
if ($line=~/^(.*)\x1b\x5b232\x3b1H\x1b\x5b2K\x1b\x5b1000\x3b1H\x1b\x5b1\x3b1000r\x1b\x5b1000\x3b1H(.*)$/){
    #print "match found in line $lc: $line!\n";print "1=$1\n";print "2=$2\n";exit;
    push @config, ($1.$2);   #keep the text before and after the escape sequence
}else{
    push @config, $line;
}
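The perl regex above matches exactly one pager sequence; the following added example (Python, not the backup script from the notes) generalizes it to every ECMA-48 escape sequence a switch pager can emit, reproduces the hex view used above, and drops lines that carried nothing but cursor movements. The transcript lines are constructed.

```python
import re

# Constructed sample: the stray sequence quoted in the notes above, written with escape
# codes so the file stays printable (hex 1B 5B 32 33 32 3B 31 48 1B 5B 32 4B ...).
STRAY_SEQUENCE = "\x1b[232;1H\x1b[2K\x1b[1000;1H\x1b[1;1000r\x1b[1000;1H"

# ECMA-48 escape sequences as a pager emits them:
#   CSI:   ESC '[' , parameter bytes 0x30-0x3F, intermediate bytes 0x20-0x2F, final byte 0x40-0x7E
#   other: ESC, optional intermediates 0x20-0x2F, one final byte 0x30-0x7E (ESC 7, ESC =, ESC ( B ...)
ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"   # e.g. ESC[232;1H  ESC[2K  ESC[1;1000r
    r"|\x1b[ -/]*[0-~]"
)


def hex_dump(text):
    """Render a string the way the notes above show it: space separated upper-case hex bytes."""
    return " ".join("%02X" % b for b in text.encode("latin-1"))


def strip_terminal_escapes(line):
    """Remove every terminal escape sequence from one line of captured output."""
    return ESCAPE_RE.sub("", line)


def clean_config(raw_lines):
    """Turn a captured 'show running' transcript into plain config lines.

    Keeps the text around a sequence (like the $1.$2 join in the perl above) and drops
    lines that consisted of nothing but the pager's cursor movements, so a saved backup
    diffs cleanly against the previous one.
    """
    cleaned = []
    for raw in raw_lines:
        line = raw.rstrip("\r\n")
        text = strip_terminal_escapes(line)
        if text.strip() == "" and ESCAPE_RE.search(line):
            continue  # pager artefact only, nothing from the config on this line
        cleaned.append(text)
    return cleaned


# Constructed transcript: the artefact appears once glued to a config line and once on a
# line of its own, followed by the three blanks (20 20 20) seen in the hex dump above.
SAMPLE_TRANSCRIPT = [
    'hostname "switch-1"\n',
    "vlan 10\n",
    '   name "Management"' + STRAY_SEQUENCE + "   \n",
    STRAY_SEQUENCE + "   \n",
    "   untagged 1-8\n",
    "exit\n",
]

if __name__ == "__main__":
    print(hex_dump(STRAY_SEQUENCE))
    for cfg_line in clean_config(SAMPLE_TRANSCRIPT):
        print(repr(cfg_line))
```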
here is a list of windows ftp servers
- very minimalist, but it works:
https://www.rebex.net/tiny-sftp-server/
- NetEdit can be downloaded from the Aruba ASP site as a Virtual Appliance
- Browser based application
- after installation of the Virtual Appliance, use the console configuration tool:
- user: neadmin / define new password
- use dhcp / or define static ip (recommended)
- check if services are running: sudo systemctl status netedit-svr.service
- see ip address: hostname -I
- launch Netedit System Configuration: sudo python netedit_config-py -f
- webfrontend access of netedit: https://<IP-Address>/
- logon credentials are different
- user: admin / define new password
see also:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-a00063402en_us
for quick download you can use the following links
windows agent:
http://<IP||Hostname>/<Your-Sitename>/check_mk/agents/windows/check_mk_agent.msi
Pin TIA-568A
1 green-white
2 green
3 orange-white
4 blue
5 blue-white
6 orange
7 brown-white
8 brown
Pin TIA-568B
1 orange-white
2 orange
3 green-white
4 blue
5 blue-white
6 green
7 brown-white
8 brown
*132# #check if sms functionality is activated
*133* #enable sms functionality
##################################################################
# HPE IMC - using SFTP / SCP to upload firmware
##################################################################
if you need to debug the SFTP / SCP process, there are log files under
/opt/iMC/server/conf/log/*.log ....
These logs are a bit confusing, so sometimes it makes sense to understand
how the copy process works by doing it manually. Therefore some testing was done. Here are the results:
-----------------------
prerequisites
-----------------------
To turn on the secure copy feature it is necessary to set "ip ssh filetransfer" on the switch:
using the command show ip ssh, you see the settings:
(config)# show ip ssh
SSH Enabled : Yes Secure Copy Enabled : Yes
TCP Port Number : 22 Timeout (sec) : 120
Host Key Type : RSA Host Key Size : 2048
>> Secure Copy Enabled has to be Yes!
------------------------
sftp firmware deploy tests / using manual sftp / psftp / scp commands
------------------------
FIRMWARE located on IMC
firmware that is stored in the IMC software database is located in directory: <IMC directory>/server/data/image,
for example:
windows: c:\program files\iMC\server\data\image
/opt/iMC/server/data/image/YA_16_11_0003.swi
/opt/iMC/server/data/image/YA_15_18_0007.swi
FIRMWARE destination on HPE / Aruba / procurve switch
the firmware files are under directory:
- /os/primary
- /os/secondary
- copy via sftp by using the psftp command from IMC
let's copy firmware YA_15_18_0007.swi via SFTP to an HPE Aruba 2530 8 Port Switch (J9774A):
#starting in directory: /opt/iMC/server/bin/
/opt/iMC/server/bin/psftp -P 22 admin@10.0.0.99
#once you are logged in, check the local data path using the command:
psftp> lpwd
Current local directory is /opt/iMC/server/bin
psftp> put ../data/image/YA_16_11_0003.swi /os/secondary
local:../data/image/YA_16_11_0003.swi => remote:/os/secondary
>> file copied successfully
- copy via scp (scp from a linux machine)
scp /opt/iMC/server/data/image/YA_15_18_0007.swi admin@10.0.0.99:/os/secondary
scp /opt/iMC/server/data/image/YA_15_18_0007.swi radiususer1@10.0.0.99:/os/secondary
>> both the local user "admin" and the radius authenticated user "radiususer1" worked!!
- copy via IMC pscp command:
/opt/iMC/server/bin/pscp -P 22 /opt/iMC/server/data/image/YA_15_18_0007.swi admin@10.0.0.99:/os/secondary
/opt/iMC/server/bin/pscp -P 22 /opt/iMC/server/data/image/YA_15_18_0007.swi radiususer1@10.0.0.99:/os/secondary
>> both the local user "admin" and the radius authenticated user "radiususer1" worked!!
#there are two flags, where you can choose the protocol
-sftp force use of SFTP protocol
-scp force use of SCP protocol
#on switch side, you see in the log:
01/05/90 00:26:47 00637 ssh: scp session from 10.0.0.10
or
I 01/05/90 00:25:17 00636 ssh: sftp session from 10.0.0.10
I 01/05/90 00:26:21 00163 update: Firmware image contains valid signature.
I 01/05/90 00:26:30 00150 update: Secondary Image updated.
##copy from windows
C:\Program Files\iMC\server\bin>pscp.exe -P 22 ..\data\image\YA_16_11_0003.swi radius.user1@10.0.0.99:/os/secondary
radius.user1@10.0.0.99's password:
YA_16_11_0003.swi | 14846 kB | 159.6 kB/s | ETA: 00:00:00 | 100%
# option -scp (speed about 800kbit)
# option -sftp (speed about 150kbit)
- IMC copy command settings:
cat /opt/iMC/server/conf/ssh_sftp_client.cfg
#linux putty
ssh-cmd = plink -P $port [-i $key-file] $user-name@$device-ip
sftp-cmd = psftp -P $port [-i $key-file] $user-name@$device-ip
- After having done some "manual" testing, let's use IMC -> Service > Deployment Task to deploy switch firmware
to switches
------
- further readings
-------
Execute command in sftp connection through script:
https://unix.stackexchange.com/questions/315050/execute-command-in-sftp-connection-through-script
useful stuff regarding ssh/sftp and hpe switches:
https://www.kagerer.net/category/hp-switch/page/2/
checkmk - how to integrate good old nagios plugins
checkmk version 2.x you find the rules under: Integrate Nagios plugins
checkmk version 1.x you find the rules under: Classical active and passive Monitoring checks
sample for check_snmp
- test from commandline:
/omd/versions/default/lib/nagios/plugins/check_snmp -H 172.16.2.15 -o 1.3.6.1.4.1.18928.1.2.5.1.1.5.0 -s Normal
in checkmk rule >> Command line: check_snmp -H 172.16.2.15 -o 1.3.6.1.4.1.18928.1.2.5.1.1.5.0 -s Normal
>> in case the check returns performance data, for example a cpu counter >> turn performance data on
sample for check_ping:
- check_ping -H $HOSTADDRESS$ -w 300.00,80.00% -c 800.00,100.00%
essential information from youtube videos of the Airheads Broadcasting channel:
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #1 Wired 802.1X
---------------------------------------------------------------------------------------------------
- see also: HPE Aruba Wired Enforcement Guide
- 802.1x on windows: services > Wired AutoConfig > set to automatic
after the service is enabled, an "authentication" tab is visible in the network settings of the interface
>> decide between user or computer authentication
- in clearpass create a network device + a shared secret
- port bounce: interface 1/x/x > shutdown > no shutdown
- in clearpass create an 802.1X Wired service, choose active directory as authentication source
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #2 Wired User Roles
---------------------------------------------------------------------------------------------------
- Rolebased access with local user roles
- best practice: enable accounting: aaa accounting port-access start-stop interim 60 group clearpass
- best practice: enable client visibility:
client track ip #enable on global level
vlan xx
client track ip #enable per vlan
#on uplink port do a: client track ip disable
- in Clearpass Enforcement profile assign a role: for example admin
- create role on switch:
port-access role admin
vlan access name Management VLAN
- check on switch with: show port-access clients
- make the username visible > create an enforcement profile that reads out the username and sends it back via radius,
then "show port-access clients" will also show the username;
you can do the same with the computer name
- Video about Aruba Dynamic Segmentation on AOS-CX: downloadable user roles and more
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #3 Device Profiling
---------------------------------------------------------------------------------------------------
- device profiling: dhcp profiling, ip helper on core switch
- trigger a new dhcp request: Clearpass Access Tracker -> Change Status > choose port bounce
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #4 Wired MAC Authentication
---------------------------------------------------------------------------------------------------
- by default the switch first tries 802.1X and waits for the timeout before it attempts MAC Authentication;
the default timeout is 2 minutes and 30 seconds
>> solution: port-access onboarding-method concurrent enable
- configure the Profiling tab in our service to automatically trigger a port bounce as soon as ClearPass profiles a new or changed device.
- ClearPass Radius Mac Authentication service
- enable Profile Endpoints
- Authentication Method: Allow All Mac Auth (with All only "known" endpoints are considered)
- Authentication Source: Endpoint Repository (so you can use the profiling information)
- Profiler: Radius CoA Action > AOS-CX Bounce Port, trigger it on "Any category / OS Family / Name",
so if the device connects for the first time it will be bounced, and we know the device type
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #5 Wired MAC Enforcement
---------------------------------------------------------------------------------------------------
allow role based traffic for the endpoint
- define some classes, like: "class ip class-dns", "class ip class-private", "class ip class-pbx"
- bring the classes together to policies:
port-access policy pol-internet
10 class ip class-dhcp
20 class ip class-dns
30 class ip class-private action drop
40 class ip class-any
- port-access role profiler
associate policy pol-profile
vlan access name Untrusted VLAN
- port-access role machine
vlan access name Corporate VLAN
- port-access role voip
associate policy pol-voip
vlan access name Voice VLAN
- in clearpass define roles, and define the role mapping
- in clearpass define enforcement profiles, to return the role names, for example:
Radius:Aruba > Aruba-User-Role(1) = voip
Radius:Aruba > Aruba-User-Role(1) = profiler
- check with "show port-access clients" on switch
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #6 Wired Device behind phone - AP with tagged VLANs
---------------------------------------------------------------------------------------------------
- allow more devices behind a port:
interface 1/1/1-1/1/24
aaa authentication port-access client-limit 3 #default is one
- show client ip
- special role for an access point, the special thing is the "auth-mode":
port-access role instant-ap
vlan trunk native name Management VLAN
vlan trunk allowed name Guest1 VLAN
vlan trunk allowed name Guest2 VLAN
auth-mode device-mode
- auth-mode:
client-mode: authenticate all devices
device-mode: authenticate just the first device
multi-domain: authentication for the native vlan and one for the voice vlan
- check with "show port-access clients" >> Authentication Mode should be seen as "device-mode"
information is from year 2022:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=sf000079717en_us
IMC 7.3E0706H07 uses log4j 2.17
An old log4j file is in IMC 7.3E0706H07 but it's not used and can be removed: $iMC\client\web\apps\rpt\WEB-INF\lib\log4j-1.2.17.jar.
The file will be removed in the next IMC release.
ClearPass certificates - things to consider
- ClearPass Certificates 101 Technote
V1.2: https://support.hpe.com/hpesc/public/docDisplay?docId=a00100345en_us&docLocale=en_US
Radius Service
- use a private CA certificate for RADIUS
- use the same radius certificate on all your ClearPass servers
- subject could be: cn=ClearPass-Radius,ou=IT,O=your organisation,L=your location,ST=BW,C=DE
- Create Certificate Signing Request on first radius server > install the certificate on first radius server.
After installation > export the Radius certificate with the private key and save it to a file.
>> now import the saved file with certificate and private key to all other radius servers
HTTPS Service
- use a public certificate for https (guest + captive portal)
- wildcard or multi-san recommended
- decide whether to use ECC or not! if not, disable ECC on all subscribers
- subject should be: cn=*.your-org.com
Installation:
- Administration > Certificates > Certificate Store
- HTTPS > ECC + RSA is available; if only an RSA certificate is available, disable the ECC certificate!
(why should you use ECC - faster SSL handshakes - more speed and security)
- Import Certificate, maybe enable the CA Issuer
DNS names:
cppm1.testdomain.de: 10.18.2.100 (virtual ip)
cppm1-pub.testdomain.de: 10.18.2.101 (publisher)
cppm1-sub.testdomain.de: 10.18.2.102 (subscriber 1)
get root certificate for switches:
- DUR (downloadable user roles): the root certificate is required on the switch
get the certificate from clearpass server:
http://x.x.x.x/.well-known/aruba/clearpass/https-root.pem
on switch#: crypto pki ta-profile https-root
ta-certificate terminal
........
<ctrl>+D
(you need to leave the ta-profile section)
show certificate:
show crypto pki ta-profile
links:
Aruba ClearPass Workshop (2021) - Getting Started #3 - Installing the HTTPS Certificate on ClearPass
https://www.youtube.com/watch?v=S9J-1JQ1V4Q
webmin is a great system admin tool for several linux distributions
how to make it very secure in an easy and simple way?
>> my approach is:
bind the webfrontend to localhost only, and after that access the webfrontend using ssh and tunneled connection ;-))
- if you run: netstat -nat |grep LISTEN |grep 10000,
you see that webmin is running on all interfaces
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
- webmin runs on tcp port 10000, usually accessible for everybody (if the server is on the internet and no firewall is turned on on the server)
>> you can access the frontend using https://your-server-ip:10000/
- let's change the configuration so that it listens only on localhost / 127.0.0.1 tcp 10000:
edit configuration file: /etc/webmin/miniserv.conf
>> change line listen=10000 to listen=0 #this disables udp port 10000, which other webmin servers use to find us!
>> add line: allow=127.0.0.1 #allow only access from localhost, but the port will still be open!
>> add line: bind=127.0.0.1 #this binds the tcp 10000 socket to 127.0.0.1:10000 > not publicly visible anymore!
>> restart the service: service webmin restart
- check if webmin now runs only on localhost port:
run command: netstat -nat |grep LISTEN |grep 10000
now it should look like:
tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN
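The two checks described above (the miniserv.conf settings and the netstat view after the restart) as one added audit script; this is example code written for these notes, not part of webmin. Both the config files and the netstat output are constructed samples.

```python
# Constructed samples of /etc/webmin/miniserv.conf before and after the change described above.
MINISERV_BEFORE = """\
port=10000
listen=10000
ssl=1
"""
MINISERV_AFTER = """\
port=10000
listen=0
ssl=1
allow=127.0.0.1
bind=127.0.0.1
"""

# Constructed samples of `netstat -nat | grep LISTEN` before and after the restart.
NETSTAT_BEFORE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp6       0      0 :::10000                :::*                    LISTEN
"""
NETSTAT_AFTER = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10000         0.0.0.0:*               LISTEN
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}  # "every interface" as netstat prints it
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def parse_miniserv(text):
    """Return the key=value settings of a miniserv.conf; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def config_findings(text):
    """What still exposes the web frontend, judged from the configuration alone."""
    conf = parse_miniserv(text)
    port = conf.get("port", "10000")
    findings = []
    if conf.get("bind") not in LOOPBACK_ADDRESSES:
        findings.append("no bind=127.0.0.1: tcp %s is reachable on every interface" % port)
    if conf.get("listen", "0") != "0":
        findings.append("listen=%s: udp discovery port still answers other webmin servers" % conf["listen"])
    if "allow" not in conf:
        findings.append("no allow= line: logins are accepted from any source address")
    return findings


def listeners_for_port(netstat_text, port):
    """Local addresses on which `port` is in LISTEN state, parsed from `netstat -nat` output."""
    addresses = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        address, _, local_port = fields[3].rpartition(":")  # rpartition copes with IPv6 ':::10000'
        if local_port == str(port):
            addresses.append(address)
    return addresses


def exposed_on_all_interfaces(netstat_text, port):
    """True if the socket is bound to a wildcard address (0.0.0.0 or ::) instead of loopback."""
    return any(a in WILDCARD_ADDRESSES for a in listeners_for_port(netstat_text, port))


def audit(conf_text, netstat_text):
    """Combine both views: config findings plus the live socket check for the configured port."""
    findings = config_findings(conf_text)
    port = parse_miniserv(conf_text).get("port", "10000")
    if exposed_on_all_interfaces(netstat_text, port):
        findings.append("netstat: tcp %s is listening on a wildcard address" % port)
    return findings


if __name__ == "__main__":
    print("before:", audit(MINISERV_BEFORE, NETSTAT_BEFORE))
    print("after: ", audit(MINISERV_AFTER, NETSTAT_AFTER))
```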
Support for SSH (plink) was added on the Resource > Device View page in the Windows operating system.
1) Click Download SSH (Plink) File in the right action pane to download the SSH (Plink) file to your local client.
2) Decompress the downloaded SSH (Plink) file to the C:\localssh directory.
3) Double-click registry file localssh_reg.reg in the C:\localssh\ directory to import it, and restart the browser and login again.
4) On the details page for a device, click the SSH (Plink) link to remotely log in to the device.
Support for checking the max server memory was added for SQL Server installatio
see information about security advisories here:
https://www.arubanetworks.com/support-services/security-bulletins/
checkmk performance tuning
usually your checkmk site becomes bigger and bigger; this can lead to error messages and performance issues if many services and hosts are monitored
> use global fetcher and checker settings to optimize execution of checks. The
> settings can be found under Setup > General > Global settings:
> Use separate fetchers and checkers should be on!
- fetchers:
they do the network communication, for example the snmp query or the query to the checkmk agent.
This query takes some time and uses about 30MB per process.
Rule: increase that number if you have enough free memory left on the server
- checker:
the checker processes process the data collected by the fetchers. A checker needs at least 90MB.
Rule: use only as many checkers as your machine has cores!
### further reading
- https://docs.checkmk.com/latest/en/cmc_differences.html
when trying to install microsoft office 2019 32bit, there was a message that office still exists, but office was already uninstalled!
Solution:
download the microsoft recovery tool from link:
https://support.microsoft.com/de-de/office/deinstallieren-von-office-auf-einem-pc-9dd49b83-264a-477a-8fcc-2fdf5dbf61d8
>> with the tool you can remove any existing office installation; in my case it found an office 365 click installer and removed it
WatchGuard Cyclops Blink Detector
to check if your firebox is affected by the cyclops blink issue (found in 2022-02), and to fix the issue do the following:
1) install watchguard system manager (WSM 12.7.2 Update 2 or higher)
2) start the watchguard system manager and connect to the firebox you want to check
3) start Tools => Cyclops Blink Detector and query your watchguard
4) if there is no issue:
- install latest Fireware Version
- make sure that any-external is not allowed to access the Firebox itself!
5) if an issue is found > see further steps under:
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SNyiSAG&lang=en_US
see also:
- https://www.boc.de/watchguard-info-portal/2022/02/cyclops-blink-detector-selbstcheck-mit-dem-watchguard-system-manager/
- https://www.boc.de/watchguard-info-portal/2022/02/cyclops-blink-detector-selbstcheck-mit-dem-watchguard-webdetector/
windows 10 - how to allow access to usb port devices in a RDP remote desktop session?
Problem:
in a remote desktop session it was not possible to connect to the usb connected CrossChex Time Attendance & Access Control device
Solution:
- set the right group policy!
1) Edit Group Policy
2) Local Group Policy Editor: Computer Configuration > Administrative Templates > System > Removable Storage Access
(in german this is: Wechselmedienzugriff!)
3) in the folder locate the entries that have something to do with remote access - set these policies to enabled
(in german it is: Remotezugriff auf die Plug & Play-Schnittstelle zulassen)
4) apply the policy and reboot the system
1) if you have access to command line:
>> erase startup-config
2) if you have no password, but physical access to the switch:
>> press both the clear and the reset button on the switch until you see the power and fault lights
>> when you release the reset button, make sure to still press the clear button
>> the clear button can be released when the self test led starts to blink ..
in switch log I detected messages like:
Mar 09 10:34:38 switch-8320-1 hpe-restd[4889]: Event|7708|LOG_INFO|AMM|1/1|Certificate devices-v2.arubanetworks.com verified and accepted
>> since I don't want to use Aruba central in this setup let's disable it:
switch-8320-1# conf t
switch-8320-1(config)# aruba-central
switch-8320-1(config-aruba-central)# disable
switch-8320-1(config-aruba-central)# exit
switch-8320-1(config)#
---
to check the Aruba Central settings run command:
switch-8320-1(config)# show aruba-central
Central admin state : disabled
Central location : N/A
VRF for connection : N/A
Shared Token : N/A
Central connection status : N/A
Central source : none
Central source connection status : N/A
Central source last connected on : N/A
System time synchronized from Activate : False
Activate Server URL : devices-v2.arubanetworks.com
CLI location : N/A
CLI VRF : N/A
Source IP : N/A
Source IP Overridden : False
Central support mode : disabled
>> you should see the admin state "disabled"
Mimosa B5 update firmware from 1.5.1 problem
we wanted to upgrade a Mimosa B5 to the latest version and downloaded two files:
- Mimosa-B5-2.8.1.2.img.signed
- Mimosa-B5-2.9.0.img.signed
Problem:
the upgrade 1.5.1 to 2.8.1.2 didn't work, since the file could not really be uploaded.
Solution:
rename the file Mimosa-B5-2.8.1.2.img.signed to Mimosa-B5-2.8.1.img.signed, after that
the file could be uploaded and verified
The update from 2.8.1.2 to 2.9.0 was no problem
problem: if there is a problem with the internet connection, the openvpn tunnel dies and is not being restarted automatically
solution:
>> ping openvpn server ip and restart vpn
root@GL-MT300N-V2:/tmp# crontab -l
######
# check vpn, cron need to be enabled! (/etc/init.d/cron enable + start)
######
1,16,31,46 * * * * ping -c 5 10.8.0.1 &> /dev/null && sleep 1 || /etc/init.d/openvpn restart
#23 * * * * echo "test2" >> /tmp/test
using a german apple keyboard
- backslash \ : <right alt key> + <ctrl key> + <ß key>
checkNetman.pl - script to get usv load and power in watts from a riello usv in checkmk agent format
#!/bin/perl
use strict;
######################################################################################
#
# checkNetman.pl
#
# get data from a netman snmp component, that is for example built into a riello usv
#
# base snmpwalk call:
# snmpwalk -v 2c -c public 10.10.10.10 SNMPv2-SMI::mib-2.33
#
######################################################################################
if (!defined $ARGV[0] or $ARGV[0] eq '') {
    print "Usage: checkNetman.pl <hostname or ip-address> <snmp-community> <load-warning> <load-critical>\n";
    print " example checkNetman.pl 192.168.2.1 public 80 90\n";
    print "\n";
    exit(1);
}
my $ip        = $ARGV[0];
my $community = defined $ARGV[1] ? $ARGV[1] : '';
my $warning   = defined $ARGV[2] ? $ARGV[2] : '';
my $critical  = defined $ARGV[3] ? $ARGV[3] : '';
$warning   = 80       if $warning eq '';
$critical  = 90       if $critical eq '';
$community = 'public' if $community eq '';
my $debug = 0; #1=on
my %foundHash = ();   # "my %foundHash={};" stored a stringified hash reference as a key instead of starting empty
my $line      = '';
my $status    = '';
my $statustxt = '';
my $alarm     = '';   # stays '' when the alarm counter could not be read via snmp
print "<<<check_mk>>>\n";
print "Version: pn-v2022-03-14\n";
print "<<<local>>>\n";
# upsAlarmsPresent: the number of active alarm conditions
open(IN, "snmpwalk -v 2c -c $community $ip SNMPv2-SMI::mib-2.33.1.6.1.0 2>/dev/null |");
while (<IN>) {
    $line = $_;
    chomp($line);
    print "$line\n" if $debug;
    #SNMPv2-SMI::mib-2.33.1.6.1.0 = Gauge32: 0
    # (\d+) instead of (\d): with a single digit, 10 or more alarms did not match
    # and were reported as "No alarm present"
    if ($line =~ /33\.1\.6\.1\.0 = .*:\s(\d+)$/) {
        print "alarm=$1\n" if $debug;
        $alarm = $1;
    }
}
close(IN);
# upsOutputTable: real power (column 4) and percent load (column 5) per output line
open(IN, "snmpwalk -v 2c -c $community $ip SNMPv2-SMI::mib-2.33.1.4.4 2>/dev/null |");
while (<IN>) {
    $line = $_;
    chomp($line);
    print "$line\n" if $debug;
    foreach my $l (1, 2, 3) {
        #Real Power in Watt, stored as kilowatt
        if ($line =~ /33\.1\.4\.4\.1\.4\.$l = INTEGER:\s(\d*)$/) {
            $foundHash{"pL$l"} = $1 / 1000;
        }
        #load in percent
        if ($line =~ /33\.1\.4\.4\.1\.5\.$l = INTEGER:\s(\d*)$/) {
            $foundHash{"loadL$l"} = $1;
        }
    }
}
close(IN);
if (exists $foundHash{'loadL1'}) {
    $status    = 0;
    $statustxt = ">> Warning/Critical: $warning" . '/' . $critical . '. ';
    foreach my $l (1, 2, 3) {
        my $load = $foundHash{"loadL$l"};
        next unless defined $load;
        if ($load > $critical) {
            $status = 2;
            $statustxt .= "L$l has critical value! ";
        } elsif ($load > $warning) {
            # never lower a critical state already set by another line (the original did this for L3)
            $status = 1 if $status < 1;
            $statustxt .= "L$l has warning value! ";
        }
    }
    print "$status ups-load L1=$foundHash{'loadL1'}|L2=$foundHash{'loadL2'}|L3=$foundHash{'loadL3'} upsOutputPercentLoad L1=$foundHash{'loadL1'}%, L2=$foundHash{'loadL2'}% ,L3=$foundHash{'loadL3'}%. $statustxt\n";
} else {
    print "1 ups-load L1=|L2=|L3= no values found!\n";
}
if (exists $foundHash{'pL1'}) {
    my $summary = $foundHash{'pL1'} + $foundHash{'pL2'} + $foundHash{'pL3'};
    print "0 ups-power Sum=$summary|L1=$foundHash{'pL1'}|L2=$foundHash{'pL2'}|L3=$foundHash{'pL3'} Power L1-L3 and Summary in Kilo-Watts: Summary=" . $summary . "KW, L1=$foundHash{'pL1'}KW, L2=$foundHash{'pL2'}KW ,L3=$foundHash{'pL3'}KW.\n";
} else {
    print "1 ups-power Sum=|L1=|L2=|L3= no values found!\n";
}
if ($alarm eq '') {
    # the original treated an unreadable counter ('' == 0) as "No alarm present"
    print "3 ups-alarm - alarm counter could not be read via snmp!\n";
} elsif ($alarm == 0) {
    print "0 ups-alarm - No alarm present!\n";
} else {
    print "2 ups-alarm - $alarm UPS alarm(s) found! Please check your USV!!\n";
}
Monitoring Riello USV with NetMan 204 adapter using snmp
NetMan 204 Network Adapter
> user's manual: https://www.riello-ups.com/uploads/file/768/2768/0MNACCSA4ENUL__MAN_ACC_NETMAN_204_EN_.pdf
> mib files can also be found on the riello-ups website: https://www.riello-ups.com/uploads/file/136/1136/MIBs.zip
>> important mib: RFC1628A.MIB
>> short solution:
(1):
use a simple perl script to get data in checkmk format:
https://computer2know.de/checknetman.pl-script-to-get-usv-load-and-power-in-watts-from-a-riello-usv-in-checkmk-agent-format:::656.html
(2):
use a Nagios script
https://exchange.nagios.org/directory/Plugins/Hardware/UPS/SNMP-UPS-Check/details
run it like:
./check_ups_snmp -H 10.115.0.82 -C pnpub -t status
OK: Battery Status Normal.
or
./check_ups_snmp -H 10.115.0.82 -C pnpub -t alarm
OK: 0 alarms present.|'alarms'=0
=====================================================================================================
my detailed analysis ....
Doing an snmpwalk on the device:
------------------------------------
snmpwalk -c my-community -v 2c usv-ip-address
SNMPv2-MIB::sysDescr.0 = STRING: NetMan 204
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.5491.6
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2761455986) 319 days, 14:42:39.86
SNMPv2-MIB::sysContact.0 = STRING: my-organisation
SNMPv2-MIB::sysName.0 = STRING: my-usv-name
SNMPv2-MIB::sysLocation.0 = STRING: my-localtion
SNMPv2-MIB::sysServices.0 = INTEGER: 0
IF-MIB::ifNumber.0 = INTEGER: 1
IF-MIB::ifPhysAddress = STRING: 0:0:0:5:22:99
SNMPv2-SMI::mib-2.33.1.1.1.0 = STRING: "RPS SpA"
SNMPv2-SMI::mib-2.33.1.1.2.0 = STRING: "T2MK20 "
SNMPv2-SMI::mib-2.33.1.1.3.0 = STRING: "SWM022-02-21"
SNMPv2-SMI::mib-2.33.1.1.4.0 = STRING: "AppVer. 01.03.010"
SNMPv2-SMI::mib-2.33.1.1.5.0 = STRING: "FT-H 20 kVA "
SNMPv2-SMI::mib-2.33.1.1.6.0 = STRING: "??? "
SNMPv2-SMI::mib-2.33.1.2.1.0 = INTEGER: 2 !!#upsBatteryStatus 2 = should be on batteryNormal
SNMPv2-SMI::mib-2.33.1.2.2.0 = INTEGER: 0 #upsSecondsOnBattery
SNMPv2-SMI::mib-2.33.1.2.3.0 = INTEGER: 60 #upsEstimatedMinutesRemaining
SNMPv2-SMI::mib-2.33.1.2.4.0 = INTEGER: 100 #upsEstimatedChargeRemaining
SNMPv2-SMI::mib-2.33.1.2.5.0 = INTEGER: 2726 #upsBatteryVoltage
SNMPv2-SMI::mib-2.33.1.2.6.0 = INTEGER: 0 #upsBatteryCurrent
SNMPv2-SMI::mib-2.33.1.2.7.0 = INTEGER: 23 !!#upsBatteryTemperature - The ambient temperature at or near the UPS Battery casing.
SNMPv2-SMI::mib-2.33.1.3.1.0 = Counter32: 0
SNMPv2-SMI::mib-2.33.1.3.2.0 = INTEGER: 3
SNMPv2-SMI::mib-2.33.1.3.3.1.1.1 = INTEGER: 1 #upsInputLineBads
SNMPv2-SMI::mib-2.33.1.3.3.1.1.2 = INTEGER: 2 #upsInputNumLines
SNMPv2-SMI::mib-2.33.1.3.3.1.1.3 = INTEGER: 3 #upsInputTable
SNMPv2-SMI::mib-2.33.1.3.3.1.2.1 = INTEGER: 500 #upsInputFrequency -- UNITS 0.1 Hertz
SNMPv2-SMI::mib-2.33.1.3.3.1.2.2 = INTEGER: 500 #upsInputFrequency -- UNITS 0.1 Hertz
SNMPv2-SMI::mib-2.33.1.3.3.1.2.3 = INTEGER: 500 #upsInputFrequency -- UNITS 0.1 Hertz
SNMPv2-SMI::mib-2.33.1.3.3.1.3.1 = INTEGER: 232 #upsInputVoltage
SNMPv2-SMI::mib-2.33.1.3.3.1.3.2 = INTEGER: 233 #upsInputVoltage
SNMPv2-SMI::mib-2.33.1.3.3.1.3.3 = INTEGER: 232 #upsInputVoltage
SNMPv2-SMI::mib-2.33.1.3.3.1.4.1 = INTEGER: -1 #upsInputCurrent
SNMPv2-SMI::mib-2.33.1.3.3.1.4.2 = INTEGER: -1 #upsInputCurrent
SNMPv2-SMI::mib-2.33.1.3.3.1.4.3 = INTEGER: -1 #upsInputCurrent
SNMPv2-SMI::mib-2.33.1.3.3.1.5.1 = INTEGER: 0 #upsInputTruePower
SNMPv2-SMI::mib-2.33.1.3.3.1.5.2 = INTEGER: 0 #upsInputTruePower
SNMPv2-SMI::mib-2.33.1.3.3.1.5.3 = INTEGER: 0 #upsInputTruePower
SNMPv2-SMI::mib-2.33.1.4.1.0 = INTEGER: 3 !!#upsOutputSource 3 = normal
SNMPv2-SMI::mib-2.33.1.4.2.0 = INTEGER: 500 #upsOutputFrequency -- UNITS 0.1 Hertz
SNMPv2-SMI::mib-2.33.1.4.3.0 = INTEGER: 3 #upsOutputNumLines
SNMPv2-SMI::mib-2.33.1.4.4.1.1.1 = INTEGER: 1 #upsOutputLineIndex >> 3 output lines!
SNMPv2-SMI::mib-2.33.1.4.4.1.1.2 = INTEGER: 2 #upsOutputLineIndex
SNMPv2-SMI::mib-2.33.1.4.4.1.1.3 = INTEGER: 3 #upsOutputLineIndex
SNMPv2-SMI::mib-2.33.1.4.4.1.2.1 = INTEGER: 230 #upsOutputVoltage
SNMPv2-SMI::mib-2.33.1.4.4.1.2.2 = INTEGER: 230 #upsOutputVoltage
SNMPv2-SMI::mib-2.33.1.4.4.1.2.3 = INTEGER: 230 #upsOutputVoltage
SNMPv2-SMI::mib-2.33.1.4.4.1.3.1 = INTEGER: 110 #upsOutputCurrent -- UNITS 0.1 RMS Amp
SNMPv2-SMI::mib-2.33.1.4.4.1.3.2 = INTEGER: 75 #upsOutputCurrent -- UNITS 0.1 RMS Amp
SNMPv2-SMI::mib-2.33.1.4.4.1.3.3 = INTEGER: 23 #upsOutputCurrent -- UNITS 0.1 RMS Amp
SNMPv2-SMI::mib-2.33.1.4.4.1.4.1 = INTEGER: 2290 !!#upsOutputPower -- UNITS Watts
SNMPv2-SMI::mib-2.33.1.4.4.1.4.2 = INTEGER: 1590 !!#upsOutputPower -- UNITS Watts
SNMPv2-SMI::mib-2.33.1.4.4.1.4.3 = INTEGER: 432 !!#upsOutputPower -- UNITS Watts
SNMPv2-SMI::mib-2.33.1.4.4.1.5.1 = INTEGER: 38 !!#upsOutputPercentLoad
SNMPv2-SMI::mib-2.33.1.4.4.1.5.2 = INTEGER: 26 !!#upsOutputPercentLoad
SNMPv2-SMI::mib-2.33.1.4.4.1.5.3 = INTEGER: 7 !!#upsOutputPercentLoad
SNMPv2-SMI::mib-2.33.1.5.1.0 = INTEGER: 500 #upsBypassFrequency
SNMPv2-SMI::mib-2.33.1.5.2.0 = INTEGER: 3 #upsBypassNumLines
SNMPv2-SMI::mib-2.33.1.5.3.1.1.1 = INTEGER: 1
SNMPv2-SMI::mib-2.33.1.5.3.1.1.2 = INTEGER: 2
SNMPv2-SMI::mib-2.33.1.5.3.1.1.3 = INTEGER: 3
SNMPv2-SMI::mib-2.33.1.5.3.1.2.1 = INTEGER: 232
SNMPv2-SMI::mib-2.33.1.5.3.1.2.2 = INTEGER: 231
SNMPv2-SMI::mib-2.33.1.5.3.1.2.3 = INTEGER: 233
SNMPv2-SMI::mib-2.33.1.5.3.1.3.1 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.5.3.1.3.2 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.5.3.1.3.3 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.5.3.1.4.1 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.5.3.1.4.2 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.5.3.1.4.3 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.6.1.0 = Gauge32: 0 #upsALARM : The present number of active alarm conditions. >> if 0 == No alarms present.
SNMPv2-SMI::mib-2.33.1.6.2.1.1.1 = INTEGER: 1
SNMPv2-SMI::mib-2.33.1.6.2.1.1.2 = INTEGER: 2
SNMPv2-SMI::mib-2.33.1.6.2.1.1.3 = INTEGER: 3
SNMPv2-SMI::mib-2.33.1.6.2.1.1.4 = INTEGER: 4
SNMPv2-SMI::mib-2.33.1.6.2.1.1.5 = INTEGER: 5
SNMPv2-SMI::mib-2.33.1.6.2.1.1.6 = INTEGER: 6
SNMPv2-SMI::mib-2.33.1.6.2.1.1.7 = INTEGER: 7
SNMPv2-SMI::mib-2.33.1.6.2.1.1.8 = INTEGER: 8
SNMPv2-SMI::mib-2.33.1.6.2.1.1.9 = INTEGER: 9
SNMPv2-SMI::mib-2.33.1.6.2.1.1.10 = INTEGER: 10
SNMPv2-SMI::mib-2.33.1.6.2.1.2.1 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.2 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.3 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.4 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.5 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.6 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.7 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.8 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.9 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.10 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.3.1 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.2 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.3 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.4 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.5 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.6 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.7 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.8 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.9 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.10 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.8.1.0 = INTEGER: -1
SNMPv2-SMI::mib-2.33.1.8.2.0 = INTEGER: -1
SNMPv2-SMI::mib-2.33.1.8.3.0 = INTEGER: -1
SNMPv2-SMI::mib-2.33.1.8.4.0 = INTEGER: -1
SNMPv2-SMI::mib-2.33.1.8.5.0 = INTEGER: -1
SNMPv2-SMI::mib-2.33.1.9.1.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.2.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.3.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.4.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.5.0 = INTEGER: 20000
SNMPv2-SMI::mib-2.33.1.9.6.0 = INTEGER: 18000
SNMPv2-SMI::mib-2.33.1.9.7.0 = INTEGER: 3
SNMPv2-SMI::mib-2.33.1.9.8.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.9.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.10.0 = INTEGER: 0
---------------------------------------------------------------------------
- if you want to react to SNMP traps
---------------------------------------------------------------------------
SensorTrap.mib:
-- IRMS-MIB { iso org(3) dod(6) internet(1) private(4)
-- enterprises(1) riello(5491) }
SENSORTRAP-MIB DEFINITIONS ::= BEGIN
-- Title: SENSOR TRAP MIB
-- Version: 1.0 by Michele Marcon
-- Date: 02.11.2009
IMPORTS
enterprises
FROM RFC1155-SMI
OBJECT-TYPE
FROM RFC-1212
TRAP-TYPE
FROM RFC-1215;
rielloMIB OBJECT IDENTIFIER ::= { enterprises 5491 }
sensorgroup OBJECT IDENTIFIER ::= { rielloMIB 9 }
sensor OBJECT IDENTIFIER ::= { sensorgroup 1 }
sensorId OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION
"The number of the sensor."
::= { sensor 1 }
sensorTrapGroup OBJECT IDENTIFIER ::= { sensor 2 }
sensorAlarmTMax TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent each minute when temperature reaches maximum level"
::= 1
sensorAlarmTMaxRemoved TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent when temperature returns to standard level"
::= 2
sensorAlarmTMin TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent each minute when temperature reaches minimum level"
::= 3
sensorAlarmTMinRemoved TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent when temperature returns to standard level"
::= 4
sensorIOAlarm TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent each minute when input contact is in alarm"
::= 5
sensorIOAlarmRemoved TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent when input contact is normal"
::= 6
sensorHumidityAlarm TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent each minute when humidity reaches maximum level"
::= 7
sensorHumidityAlarmRemoved TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent when humidity returns to normal level"
::= 8
sensorHumidityLowAlarm TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent each minute when humidity reaches minimum level"
::= 9
sensorHumidityLowAlarmRemoved TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent when humidity returns to normal level"
::= 10
END
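To actually react to these traps you need two things the MIB gives you: the trap identity (for SNMPv1 traps received in SNMPv2 form this is ENTERPRISE.0.specific-trap, i.e. .1.3.6.1.4.1.5491.9.1.2.0.<n>) and the fact that the *Alarm traps repeat every minute while the *Removed traps arrive once. The following is an added example, not part of the original notes or of Riello's software: it parses varbinds in the "OID = TYPE: value" form that snmptrapd prints with -On, maps them to the trap names above and keeps per-sensor alarm state so that only real state changes are reported. The sample traps are constructed, not captured from a device.

```python
import re

# OIDs from SensorTrap.mib above: enterprises(5491) sensorgroup(9) sensor(1)
SENSOR_ID_OID = ".1.3.6.1.4.1.5491.9.1.1"          # sensorId
SENSOR_TRAP_ENTERPRISE = ".1.3.6.1.4.1.5491.9.1.2"  # sensorTrapGroup, the ENTERPRISE of every trap
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"            # snmpTrapOID.0, carries the trap identity

# specific-trap number -> (trap name, alarm condition it concerns, True = raises / False = clears)
TRAPS = {
    1: ("sensorAlarmTMax", "temperature-max", True),
    2: ("sensorAlarmTMaxRemoved", "temperature-max", False),
    3: ("sensorAlarmTMin", "temperature-min", True),
    4: ("sensorAlarmTMinRemoved", "temperature-min", False),
    5: ("sensorIOAlarm", "input-contact", True),
    6: ("sensorIOAlarmRemoved", "input-contact", False),
    7: ("sensorHumidityAlarm", "humidity-max", True),
    8: ("sensorHumidityAlarmRemoved", "humidity-max", False),
    9: ("sensorHumidityLowAlarm", "humidity-min", True),
    10: ("sensorHumidityLowAlarmRemoved", "humidity-min", False),
}

VARBIND_RE = re.compile(r"^\s*(\.?[\d.]+)\s*=\s*(\w+):\s*(.*?)\s*$")


def parse_varbinds(text):
    """Turn 'OID = TYPE: value' lines (snmptrapd -On style) into {oid: (type, value)}."""
    out = {}
    for line in text.splitlines():
        m = VARBIND_RE.match(line)
        if m:
            oid = m.group(1) if m.group(1).startswith(".") else "." + m.group(1)
            out[oid] = (m.group(2), m.group(3))
    return out


def decode_trap(varbinds):
    """Return (trap name, sensor id, condition, raised) for one SENSORTRAP-MIB trap.

    SNMPv1 enterprise-specific traps appear in SNMPv2 form (RFC 3584) as
    snmpTrapOID = <ENTERPRISE>.0.<specific-trap>, i.e. .1.3.6.1.4.1.5491.9.1.2.0.<n>
    with n being the number after '::=' in the MIB. Anything else raises ValueError,
    so a trap from another device or a forged OID never maps to a sensor alarm.
    """
    if SNMP_TRAP_OID not in varbinds:
        raise ValueError("no snmpTrapOID varbind")
    trap_oid = varbinds[SNMP_TRAP_OID][1]
    prefix = SENSOR_TRAP_ENTERPRISE + ".0."
    if not trap_oid.startswith(prefix) or not trap_oid[len(prefix):].isdigit():
        raise ValueError(f"not a SENSORTRAP-MIB trap: {trap_oid}")
    specific = int(trap_oid[len(prefix):])
    if specific not in TRAPS:
        raise ValueError(f"unknown specific-trap {specific}")
    sensor_id = int(varbinds.get(SENSOR_ID_OID, ("INTEGER", "0"))[1])
    name, condition, raised = TRAPS[specific]
    return name, sensor_id, condition, raised


def trap_name(varbinds):
    """Name of the trap, or None when it is not a known SENSORTRAP-MIB trap."""
    try:
        return decode_trap(varbinds)[0]
    except ValueError:
        return None


class AlarmTracker:
    """Keeps the set of active (sensor id, condition) pairs across traps.

    The *Alarm traps repeat every minute while the condition holds (see the
    DESCRIPTIONs above), so applying one must be idempotent; only the matching
    *Removed trap clears the condition. apply() reports whether the state changed,
    which is what you alert on instead of alerting on every repeated trap.
    """

    def __init__(self):
        self.active = set()

    def apply(self, varbinds):
        name, sensor_id, condition, raised = decode_trap(varbinds)
        key = (sensor_id, condition)
        changed = (key not in self.active) if raised else (key in self.active)
        if raised:
            self.active.add(key)
        else:
            self.active.discard(key)
        return name, changed


# Constructed sample traps (not captured from a real device), as snmptrapd -On prints the varbinds:
# sensorIOAlarm (specific-trap 5) and sensorIOAlarmRemoved (6), both for sensor 2.
SAMPLE_IO_ALARM = """\
.1.3.6.1.2.1.1.3.0 = Timeticks: (4711) 0:00:47.11
.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.5491.9.1.2.0.5
.1.3.6.1.4.1.5491.9.1.1 = INTEGER: 2
"""
SAMPLE_IO_CLEARED = SAMPLE_IO_ALARM.replace(".5491.9.1.2.0.5", ".5491.9.1.2.0.6")

if __name__ == "__main__":
    tracker = AlarmTracker()
    for raw in (SAMPLE_IO_ALARM, SAMPLE_IO_ALARM, SAMPLE_IO_CLEARED):
        print(tracker.apply(parse_varbinds(raw)), sorted(tracker.active))
```

Hooked into snmptrapd (traphandle) the second, repeated sensorIOAlarm yields changed=False and is not forwarded; the sensorIOAlarmRemoved clears the entry. Remember that SNMPv1/v2c traps are unauthenticated, so restrict the trap receiver to the sensor's source address before acting on them automatically.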
CentOS Linux 8 > cannot update anymore
Problem:
yum update
CentOS Linux 8 - AppStream 170 B/s | 38 B 00:00
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist
Solution:
>> migrate to CentOS Stream8:
dnf --disablerepo '*' --enablerepo=extras swap centos-linux-repos centos-stream-repos
dnf distro-sync
>> after distro-sync there were some errors; they could be solved by running:
dnf distro-sync --nobest
##see also
- https://haydenjames.io/fix-error-failed-to-download-metadata-for-repo-appstream-centos-8/
just query the standard mib: .1.3.6.1.2.1.25.3.3.1.2
snmpwalk -v 2c -c public 192.168.2.112 .1.3.6.1.2.1.25.3.3.1.2
SNMPv2-SMI::mib-2.25.3.3.1.2.196608 = INTEGER: 100
---
.1.3.6.1.2.1.25.3.3.1.2 in detail:
1 iso
3 identified-organization, org, iso-identified-organization
6 dod
1 internet
2 mgmt
1 mib-2, mib
25 host, hostResourcesMibModule
3 hrDevice
3 hrProcessorTable
1 hrProcessorEntry
2 hrProcessorLoad
---
see also:
https://oidref.com/1.3.6.1.2.1.25.3.3.1.2
CentOS 8 - error message: failed to download metadata for repo AppStream
Error occurred when trying to update ("yum update") a minimal CentOS 8 installation.
This happens because CentOS Linux 8 reached End of Life at the end of 2021.
You have two options now:
1) use the different mirror vault.centos.org
2) upgrade to CentOS Stream
----------
Option 1): use the different mirror vault.centos.org
- cd /etc/yum.repos.d/
- sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
- sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
- now run yum update again
>> caveat: vault.centos.org only archives the last CentOS Linux 8 packages, there are no security updates anymore; this is a stopgap for a system that stays unsupported
----------
Option 2): upgrade to CentOS Stream
- update to the latest CentOS 8: dnf update
- dnf install centos-release-stream -y --allowerasing
- synchronize the installed packages to the available stream versions: dnf distro-sync
- cat /etc/redhat-release should now show the Stream release version
-------
good pages, with more details:
- https://techglimpse.com/failed-metadata-repo-appstream-centos-8/
- https://techglimpse.com/convert-centos8-linux-centosstream/
wordpress - how to rename media files
Solution
there are several plugins available, after some tests the decision was made for plugin (1):
(1)
- use plugin: Advanced File Manager / File Manager Advanced
Renames your media files for better SEO and a nicer filesystem (automatically or manually).
> under settings set the Public Root Path, to your wp-content/uploads directory,
so that you can only rename uploaded files
(2)
- use plugin: Media File Renamer – Auto & Manual Rename
Renames your media files for better SEO and a nicer filesystem (automatically or manually).
enable debug:
- debug portaccess role
- debug portaccess dot1x all
- debug portaccess radius
- debug destination buffer
--------------------------------------
view debug
- show debug buffer
--------------------------------------
disable debug:
- no debug portaccess role
- no debug portaccess dot1x all
- no debug portaccess radius
use this nice tool:
https://davetapley.com/helium-tax/
sample snmpwalk command to get some information out of the VSA:
#the default community string is public; change it and restrict SNMP access to the monitoring host, since v2c sends the community in clear text
snmpwalk -v 2c -c public <vsa-ip-address> .1.3.6.1.4.1.9804.3.1.1.2.12.46.1.19
some interesting SNMP MIB variables can be found in the file "LEFTHAND-NETWORKS-NSM-CLUSTERING-MIB.mib", which is available on the internet
for example:
clusModuleStorageStatus storage status of a module .1.3.6.1.4.1.9804.3.1.1.2.12.46.1.19
clusModuleRaidStatus RAID status of a module .1.3.6.1.4.1.9804.3.1.1.2.12.46.1.10
clusModuleName hostname of module .1.3.6.1.4.1.9804.3.1.1.2.12.46.1.4
.1.3.6.1.4.1.9804.3.1.1.2.12.46.1.2
>> with this knowledge you can easily build a simple perl script that queries the information from the VSA and formats it as "checkmk" output, so that it can be used as a local check:
--------------------------------------------------------------------------------------
checkVSACluster.pl
--------------------------------------------------------------------------------------
#!/usr/bin/perl
######################################################################################
#
# VSA Cluster Monitor
#
#
#
#[root@pnrtnagios01 ~]# snmpwalk -c public -v 2c 10.10.10.10 .1.3.6.1.4.1.9804.3.1.1.2.12.48.1
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.2.1 = STRING: "MyCluster" #Clustername
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.3.1 = Gauge32: 2
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.4.1 = Gauge32: 3
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.7.1 = Counter64: 0
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.8.1 = Gauge32: 0
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.15.1 = Gauge32: 1
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.16.1 = INTEGER: 1
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.17.1 = Counter64: 13773420544 #clusClusterAvailableSpace /Space available to create volumes (assuming one replica) in the cluster.
# Divide by the number of replicas to obtain the true number.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.20.1 = Counter64: 322388095 #clusClusterStatsIOsRead /A counter of IO read operations in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.21.1 = Counter64: 605929634 #clusClusterStatsIOsWrite /A counter of IO write operations in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.22.1 = Counter64: 26001669629952 # clusClusterStatsBytesRead /The number of bytes read from the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.23.1 = Counter64: 15787429566976 # clusClusterStatsBytesWrite /The number of bytes written to the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.24.1 = Gauge32: 0
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.25.1 = Gauge32: 0
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.26.1 = Counter64: 882064504 #clusClusterStatsIoLatencyRead /The total time spent waiting for read operations to complete in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.27.1 = Counter64: 4432349402 #clusClusterStatsIoLatencyWrite /The total time spent waiting for write operations to complete in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.28.1 = Counter64: 221403500 #clusClusterStatsCacheHits /The number of read cache hits and read ahead hits in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.29.1 = Counter64: 20930038784 #clusClusterTotalSpace /The total space for data storage in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.30.1 = Counter64: 7156618240 #clusClusterProvisionedSpace /The amount of storage space that has been provisioned in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.31.1 = Counter64: 7154634240 #clusClusterUsedSpace /The amount of storage space that has been used in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.32.1 = Gauge32: 34 #ClusterUtilization /The percentage of storage space that has been used in the cluster.
#
# sample nagios check output
# OK - www.google.de: rta 33,341ms, lost 0%|rta=33,341ms;200,000;500,000;0; pl=0%;40;80;; rtmax=33,362ms;;;; rtmin=33,309ms;;;;
#
# see also: http://community.hpe.com/t5/HPE-StoreVirtual-Storage/SNMP-Monitoring/td-p/4390990
# 4. PNP Templates for local checks
# https://mathias-kettner.de/checkmk_localchecks.html#PNP%20Templates%20for%20local%20checks
# All those files are expected to be in the same directory as check_mk-local.php.
#
######################################################################################
use strict;
use warnings;

if (!defined $ARGV[0] || $ARGV[0] eq '') {
    print "Usage: checkVSACluster.pl <hostname or ip-address> <snmp community - if not specified public is used> <80 - warning> <90 - critical>\n";
    print " example checkVSACluster.pl 192.168.2.1 public 80 90\n";
    print "\n";
    exit(1);
}
my $clusterip = $ARGV[0];
my $community = $ARGV[1];
my $warning   = $ARGV[2];
my $critical  = $ARGV[3];
$warning   = 80       if !defined $warning   || $warning   eq '';
$critical  = 90       if !defined $critical  || $critical  eq '';   # the usage text says 90; the old default of 87 did not match it
$community = 'public' if !defined $community || $community eq '';   # v2c community travels in clear text: use a read-only one, not "public"
my $debug = 0; #1=on
my %foundHash = ();   # "%foundHash={}" created a one-element hash keyed by a hash reference, not an empty hash
my $clustername = '';
my $oid = '.1.3.6.1.4.1.9804.3.1.1.2.12.48.1';   # clusCluster table, see the snmpwalk output above
print "<<<check_mk>>>\n";
print "Version: pn-v2016-07-22\n";
print "<<<local>>>\n";
# list form of open(): host and community are passed to snmpwalk as arguments and never go through a shell,
# so an argument containing ; or $( ) cannot run other commands on the monitoring server
open(my $in, '-|', 'snmpwalk', '-v', '2c', '-c', $community, $clusterip, $oid)
    or die "cannot run snmpwalk: $!\n";
while (my $line = <$in>) {
    chomp($line);
    print "$line\n" if $debug;
    if ($line =~ /9804\.3\.1\.1\.2\.12\.48\.1\.2\.1 = STRING: "(.*)"$/) {
        print "clustername = $1\n" if $debug;
        $clustername = $1;
    }
    #read write information
    if ($line =~ /9804\.3\.1\.1\.2\.12\.48\.1\.20\.1 = Counter64: (\d+)$/) {
        print "0 VSA-ClusterStatsIOsRead count=$1c $clustername: counter of IO read operations in the cluster $1.\n";
        $foundHash{'VSA-ClusterStatsIOsRead'} = 1;
    }
    if ($line =~ /9804\.3\.1\.1\.2\.12\.48\.1\.21\.1 = Counter64: (\d+)$/) {
        print "0 VSA-ClusterStatsIOsWrite count=$1c $clustername: counter of IO write operations in the cluster $1.\n";
        $foundHash{'VSA-ClusterStatsIOsWrite'} = 1;
    }
    if ($line =~ /9804\.3\.1\.1\.2\.12\.48\.1\.22\.1 = Counter64: (\d+)$/) {
        print "0 VSA-ClusterStatsBytesRead count=$1c $clustername: The number of bytes read from the cluster $1.\n";
        $foundHash{'VSA-ClusterStatsBytesRead'} = 1;
    }
    if ($line =~ /9804\.3\.1\.1\.2\.12\.48\.1\.23\.1 = Counter64: (\d+)$/) {
        print "0 VSA-ClusterStatsBytesWrite count=$1c $clustername: The number of bytes written to the cluster $1.\n";
        $foundHash{'VSA-ClusterStatsBytesWrite'} = 1;
    }
    #Io Latency
    if ($line =~ /9804\.3\.1\.1\.2\.12\.48\.1\.26\.1 = Counter64: (\d+)$/) {
        print "0 VSA-ClusterStatsIoLatencyRead count=$1c $clustername: The total time spent waiting for read operations to complete in the cluster $1.\n";
        $foundHash{'VSA-ClusterStatsIoLatencyRead'} = 1;
    }
    if ($line =~ /9804\.3\.1\.1\.2\.12\.48\.1\.27\.1 = Counter64: (\d+)$/) {
        print "0 VSA-ClusterStatsIoLatencyWrite count=$1c $clustername: The total time spent waiting for write operations to complete in the cluster $1.\n";
        $foundHash{'VSA-ClusterStatsIoLatencyWrite'} = 1;
    }
    #space used
    #SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.32.1 = Gauge32: 80
    if ($line =~ /9804\.3\.1\.1\.2\.12\.48\.1\.32\.1 = Gauge32: (\d+)$/) {
        my $util  = $1;
        my $state = $util >= $critical ? 2 : $util >= $warning ? 1 : 0;   # 0=OK 1=WARN 2=CRIT in checkmk local check syntax
        print "$state VSA-ClusterUtilization count=$util $clustername: percentage of storage space used = $util.\n";
        $foundHash{'VSA-ClusterUtilization'} = 1;
    }
}
close($in);
# every service that did not show up in the walk is reported as WARN with no perfdata ("-"),
# so a dead VSA or a wrong community is visible in checkmk instead of silently producing nothing
for my $svc (qw(VSA-ClusterStatsIOsRead VSA-ClusterStatsIOsWrite VSA-ClusterStatsBytesRead
                VSA-ClusterStatsBytesWrite VSA-ClusterStatsIoLatencyRead VSA-ClusterStatsIoLatencyWrite
                VSA-ClusterUtilization)) {
    print "1 $svc - $clustername: no values found!\n" if !exists $foundHash{$svc};
}
sometimes you need to check the service contract status or the warranty of a device or software, just go to:
https://support.hpe.com/hpsc/wc/public/home
there are at least two versions of the Firebox T35/T55 power supply available:
WG9006 and WG8031
>> you need to consider this if you want to buy a spare power supply for your WatchGuard device
see also:
https://www.boc.de/watchguard-info-portal/2020/02/neues-netzteil-fuer-firebox-t35-und-t55/
#1# Current Management IP Configuration
admin:/>show system management_ip
Port ID : CTE0.A.MGMT
IPv4 Address : xxx.xxx.xxx.182
Subnet Mask : 255.255.255.0
IPv4 Gateway : xxx.xxx.xxx.250
IPv6 Address : --
IPv6 Prefix Length : --
IPv6 Gateway :
-------------------------------------
Port ID : CTE0.B.MGMT
IPv4 Address : xxx.xxx.xxx.183
Subnet Mask : 255.255.255.0
IPv4 Gateway : xxx.xxx.xxx.250
IPv6 Address : --
IPv6 Prefix Length : --
IPv6 Gateway :
#2# Change Management IP Configuration
admin:/>change system management_ip eth_port_id=CTE0.A.MGMT ip_type=ipv4_address ipv4_address=xxx.xxx.xxx.182 mask=255.255.255.0 gateway_ipv4=xxx.xxx.xxx.250
Reference:
https://support.huawei.com/enterprise/de/doc/EDOC1100112639/f4ff0349/changing-ip-addresses-of-management-network-ports-using-a-serial-port
--------------------
the script makes use of:
https://secure.asteas.com/docu/interfacing/batch_access.html
-------------------
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use JSON;
use IPC::Open2;
###############################################################################
#
# checkIACBox
#
# see also: https://secure.asteas.com/docu/interfacing/batch_access.html
#
# use IACBOX api, to get some data out of the IACBOX, return results back in check syntax
#
# usage:
#
# ./checkIACBOX.pl <hostname or ip-address> <iac-user> <iac-pwd> <warning-online>
#
###############################################################################
my $version = 'v2022-30-03';
my $user = '';
my $pwd  = '';
my $warning_online = 90; #warning if more users are online, than this percentage number
my $debug = 0;
my %retHash = ();   # "%retHash = {}" does not give an empty hash
if (!defined $ARGV[0] || $ARGV[0] eq '') {
    print "Usage: checkIACBox.pl <hostname or ip-address> <iac-user> <iac-pwd> <warning-online>\n";
    print "\n";
    exit(1);
}
my $ip = $ARGV[0];
$user = defined $ARGV[1] ? $ARGV[1] : '';
$pwd  = defined $ARGV[2] ? $ARGV[2] : '';
# the original "$warning_online==$ARGV[3]" compared instead of assigning, so the 4th argument was silently ignored
$warning_online = $ARGV[3] if defined $ARGV[3] && $ARGV[3] ne '';
my $url = 'https://' . $ip . '/batch.php';
print "<<<check_mk>>>\n";
print "Version: pn-$version\n";
print "<<<local>>>\n";
getUserInfo();

##################
# Sub-Routines
##################

# percent-encode a value for application/x-www-form-urlencoded (URI::Escape is not a core module)
sub urlencode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

#get User Info
#curl --insecure --data "username=xyz&password=xyz&action=json&want=userinfo" https://192.168.2.33/batch.php
#{"users_online":1,"lic_users":"25","max_users":"25","percent_onl":4,"percent_free":96,"reg_number":"2018070502"}
sub getUserInfo {
    my $users_online   = 0;
    my $max_users      = -1;
    my $percent_online = 0;
    my $i = 0;
    my $servicename = "IACBOX-Users";
    my $line = '';
    # The credentials are POSTed through curl's stdin ("--data @-") instead of on the command line,
    # so they do not show up in "ps" for every local user while the check runs.
    # --insecure is kept from the original; replace it with --cacert <iacbox-ca.pem> as soon as the
    # IACBOX has a certificate you can verify, otherwise the password goes to whoever answers on that IP.
    my @cmd  = ('curl', '--silent', '--insecure', '--data', '@-', $url);
    my $post = 'username=' . urlencode($user) . '&password=' . urlencode($pwd) . '&action=json&want=userinfo';
    print "cmd=@cmd\n" if $debug;
    my $pid = open2(my $out, my $in, @cmd);
    print $in $post;
    close($in);
    while (<$out>) {
        $i++;
        $line = $_;
        chomp($line);
        print "$i: $line\n" if $debug;
        #line is something like:
        # 1: {"users_online":4,"lic_users":"25","max_users":"25","percent_onl":16,"percent_free":84,"reg_number":"2022033001"}
        #
        my $ret = eval { decode_json($line) };
        next unless ref $ret eq 'HASH';   # skip non-JSON lines (empty line, HTML error page) instead of dying
        %retHash = %$ret;
        print Dumper(\%retHash) if $debug;
        $users_online   = $retHash{'users_online'} if defined $retHash{'users_online'};
        $max_users      = $retHash{'max_users'}    if defined $retHash{'max_users'};
        $percent_online = $retHash{'percent_onl'}  if defined $retHash{'percent_onl'};
    }
    close($out);
    waitpid($pid, 0);
    if ($max_users <= 0) {
        print "1 $servicename users=$users_online warning - max_users value should be > 0! Maybe problem with getting values from IACBOX! (Last result from query was >> $line << ).\n";
        return;
    }
    if ($percent_online > $warning_online) {
        print "1 $servicename users=$users_online warning - more than $warning_online% of users are online! $users_online / max: $max_users are online. Percent online = $percent_online.\n";
        return;
    }
    print "0 $servicename users=$users_online ok - $users_online / max: $max_users are online. Percent online = $percent_online. Warning if > than $warning_online%.\n";
}
#click on ? in the right corner > click "documentation center" >> now a new page is opened:
for example:
https://www.arubanetworks.com/techdocs/central/2.5.7/content/nms/nwk-services/conf-visitors.htm
>> in this case the version is 2.5.7
---------------------------------------------------------------------
#how to see the version until 2.5.4?
1) click on "?" in the top right corner
2) click on "Documentation Center"
3) see under "What's New": See What's New in 2.5.5 for more information
>> in this case "2.5.5" is the version your instance is running at
#this worked until version 2.5.4
https://app-eucentral3.central.arubanetworks.com/admin/version
>> for example: AUTO-ATH-2.5.4-269-P
IMC license transfer
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-a00052171en_us
------------------------
IMC license transfer instructions (text only):
IMC license keys are locked to the software serial number.
If you move your IMC licenses to another computer or a new VM a new IMC software serial number will be created.
To obtain a fresh license key for the new software serial number, you need to transfer the IMC licenses from the old software serial number to the new one.
Before you start the license transfer make a note of the current IMC software serial number and the new IMC software serial number.
An IMC license transfer will move all the licenses to the new serial number.
IMC licenses can be transferred up to 3 times without Customer Support assistance.
- Step 1: Sign in to the My Networking account where the current IMC serial number is registered.
My Networking portal: http://hpe.com/networking/mynetworking/
- Step 2: On the home page/dashboard, select “Transfer licenses to new platform”.
Note: There are several paths to the transfer license pages such as the My License dropdown menu, on the My Licenses page and from the License Details page.
- Step 3: On the Transfer Licenses page, enter the current IMC software serial number in the Search field and click Search. All the licenses registered to the software serial number will be displayed for your review.
- Step 4: Click the Select icon (>>) to the right of the platform license. This will open the License Details page.
Review the license information to confirm this is the serial number whose licenses will be transferred to the new serial number.
Click Next to proceed.
- Step 5: On the Transfer licenses to a new platform page, enter the new IMC software serial number in the Target serial number* field and click the Transfer button.
- Step 6: A successful transfer will display a confirmation page with the new license key file and the transfer details for each license.
- Last Step: Download and install the license key file.
you can run a packet trace under System Status > Diagnostics, the result will be a file in pcap format, which you can analyse with wireshark.
Some settings to run a trace:
>> trace interface eth0, with packet length 128 bytes:
-i eth0 -s 128
cat /root/bin/runFroxlorTask.sh
#!/bin/bash
/usr/bin/php -q /var/www/html/froxlor/scripts/froxlor_master_cronjob.php --tasks
the IAP controller always tries to talk to the aruba cloud (aruba central),
you can disable this!
log on via SSH to the VC (virtual controller):
#show status of cloud connection
- show activate
#disable cloud connection
- configure
config# activate-disable
commit apply
- show status
# to enable the service again, run in config mode:
no activate-disable
----------------
see also:
https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=833f6d35-c9eb-4c54-9506-25dc5971466a
>> solution: disable "dos" (denial of service protection) on the PLANET switch, since it is enabled by default!!
>> disable it per interface >> command "no dos"; this switches off the port's DoS-attack filters, so do it only on the ports where it is needed (here the uplink and the access point port), for example
!
ip http secure-redirect
interface lag1
switchport trunk allowed vlan add 1-4094
description "uplink-switch"
ip dhcp snooping trust
no dos
!
interface gi1
switchport trunk native vlan 1000
switchport trunk allowed vlan add 998,999,1000
storm-control unknown-unicast
storm-control unknown-multicast
storm-control broadcast
storm-control
description "Aruba-Accesspoint"
no dos
- tested with model: PLANET WGS42158P2S
############################################
# Planet switch commands
############################################
[tested with model: WGS42158P2S]
#show vlan's on port:
show interfaces switchport GigabitEthernet 1
show interfaces switchport LAG 1
#show poe
show poe
#lldp
show lldp neighbor
#dhcp-snopping binding
show ip dhcp snooping binding
#show logging
show logging buffered
#disable / enable poe on interface gigabit ethernet 1
poe port disable gi1
poe port enable gi1
#show poe (power of ethernet) in config mode:
do show poe
#rmon
show rmon interfaces LAG 1 statistics
#dos (denial of service) protection is enabled by default -> disable it per interface where needed
no dos
#the maximum frame size is 10000 by default! set it to 1522 (HPE Aruba compatible)
jumbo 1522
sample script:
#script name: run_backup.bat
rem myDate is cut out of %date% and %time%; the offsets assume the German format dd.mm.yyyy (check "echo %date%" first),
rem and %time% has a leading blank for hours below 10, so the file name contains a blank in that case
set myDate=%date:~-4%_%date:~3,2%_%date:~0,2%__%time:~0,2%_%time:~3,2%_%time:~6,2%
set BackupFile=d:\backup\backup_appname_%myDate%.7z
rem -mhe=on only encrypts the archive headers when a password is given as well (-p<password>, or -p alone to be prompted);
rem without -p the archive is NOT encrypted at all, despite the switch
"C:\Program Files\7-Zip\7z.exe" a -t7z -mhe=on %BackupFile% D:\directory-to-backup
Problem: the firmware update daemon does not work
Solution: if this service is not really necessary, just remove the service:
command: "dpkg -r fwupd"
if you get a dependency error for fwupd-signed, the removal command should be:
dpkg -r fwupd fwupd-signed
----
see also: https://wiki.ubuntuusers.de/fwupd/
HPE Aruba central - how to add a crypto pki ta-profile using multiedit
1) create a test root CA
1.1) create a private key for the CA: openssl genrsa -out myTestCA.key 2048
1.2) generate the root certificate: openssl req -x509 -new -nodes -key myTestCA.key -sha256 -days 99 -out myTestCA.pem
-> fill in some test info / Country Name
2) now we have a new root certificate, it looks like:
cat myTestCA.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
3) to insert the certificate using multiedit, you need to paste (copy the whole section at once!!!) the PEM certificate including "END_OF_CERTIFICATE." on a new line at the end followed by a CR/LF, so it looks like:
crypto pki ta-profile myTestCA
ta-certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
END_OF_CERTIFICATE.
4) check on the switch (it takes a while to sync from the cloud)
6100# show crypto pki ta-profile
TA Profile Name TA Certificate Revocation Check
-------------------------------- -------------------- ----------------
myTestCA Installed, valid disabled
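The paste in step 3 is easy to get wrong (a chain file instead of the single root, CRLF line ends, a missing END_OF_CERTIFICATE. line), and the switch only tells you afterwards. The following is an added example, not part of the original notes or of Aruba's tooling: it builds the multiedit text for one ta-profile from a PEM file and refuses input that does not contain exactly one syntactically valid certificate. The profile-name rule (1-32 characters of A-Z a-z 0-9 _ . -) is an assumption for this example, not a limit documented here, and the sample PEM is a constructed 5-byte DER stub, not a real certificate; feed it myTestCA.pem in practice.

```python
import base64
import binascii
import re
import ssl

# one PEM certificate: armor lines plus a base64 body (no PEM headers, no whitespace inside lines)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----"
)
# assumed rule for this example; the switch's real naming limits are not on this page
PROFILE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def extract_certificates(pem_text):
    """All complete PEM certificate blocks in pem_text, in order, with CRLF normalised to LF."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_RE.finditer(pem_text)]


def check_ta_input(profile_name, pem_text):
    """Problems with the input as a list of strings; an empty list means it is safe to paste."""
    problems = []
    if not PROFILE_NAME_RE.fullmatch(profile_name):
        problems.append("profile name must be 1-32 characters of A-Z a-z 0-9 _ . -")
    certs = extract_certificates(pem_text)
    if len(certs) != 1:
        # a chain file (root + intermediates) pasted here would silently make the first cert the anchor
        problems.append(f"expected exactly one certificate, found {len(certs)}")
        return problems
    try:
        der = ssl.PEM_cert_to_DER_cert(certs[0])   # strips the armor and base64-decodes the body
    except (ValueError, binascii.Error) as exc:
        problems.append(f"body is not valid base64: {exc}")
        return problems
    if not der or der[0] != 0x30:
        problems.append("decoded body is not a DER SEQUENCE, so not an X.509 certificate")
    return problems


def ta_profile_block(profile_name, pem_text):
    """The multiedit text: profile header, ta-certificate, the PEM lines, then END_OF_CERTIFICATE."""
    problems = check_ta_input(profile_name, pem_text)
    if problems:
        raise ValueError("; ".join(problems))
    cert = extract_certificates(pem_text)[0]
    lines = ["crypto pki ta-profile " + profile_name, "ta-certificate"]
    lines += cert.split("\n")
    lines.append("END_OF_CERTIFICATE.")
    return "\n".join(lines) + "\n"   # trailing newline = the CR/LF the multiedit paste needs


# Constructed stand-in for myTestCA.pem: the body is a 5-byte DER SEQUENCE (30 03 02 01 01),
# not a real certificate, just enough for the armor and base64 checks above.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii") + "\n"
    + "-----END CERTIFICATE-----\n"
)
# Constructed negative case: valid armor and base64, but the bytes are not a DER SEQUENCE.
BOGUS_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x00\x00\x00").decode("ascii") + "\n"
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    import sys
    name, path = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("myTestCA", None)
    pem = open(path, encoding="ascii").read() if path else SAMPLE_PEM
    sys.stdout.write(ta_profile_block(name, pem))
```

Run it as `python3 ta_profile.py myTestCA myTestCA.pem` and paste its output into multiedit as one block. It does not verify that the certificate is actually a CA (basicConstraints) or who issued it; check that with `openssl x509 -in myTestCA.pem -noout -subject -issuer -dates` before trusting a root on production switches.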
- choose global or a group
- choose Tools >> Commands
- select devices >> Category
- Commands: choose "show running-config" here
- press RUN to trigger the execution
you need to make the following settings in the check_mk.user.yml file:
>> under section plugins, this will query the updates once a day and cache the result
plugins:
    enabled: yes
    execution:
        - pattern: '$CUSTOM_PLUGINS_PATH$\windows_updates.vbs'
          timeout: 900
          async: yes
          cache_age: 86400
#hint: keep the yaml file clean, consistent indentation and a space after every colon ("enabled: yes", not "enabled:yes"), otherwise the file does not parse
hpe aruba switch - how to renew expired https certificate
1.) check local certificates
command: show crypto pki local-certificate
>> you should see a column with Expiration and the date
>> in the event log of the switch you should see something like:
W 07/07/22 15:47:33 03425 crypto: Certificate used by http-ssl application is expired
2.) remove the expired certificate
2.1) to remove just the web certificate use:
>> command: crypto pki clear certificate-name <cert-name>
>> <cert-name> can be found out from step 1!
2.2) to remove all pki (every certificate and key pair on the switch, not only the web one; prefer 2.1 unless that is intended)
>> command: crypto pki zeroize
3.) generate a new certificate
>> command: crypto pki enroll-self-signed certificate-name <cert-name> valid-start <mm/dd/yyyy> valid-end <mm/dd/yyyy> subject common-name <name>
>> <cert-name> could be your dns name, or your switchname
>> <name> could be your dns name, or your switchname
>> if you do not specify valid-start and valid-end the certificate will be valid for one year
>> a self-signed certificate fixes the expiry warning, but browsers will still not trust it; for a trusted one, have a certificate issued by your own CA instead
------------------------
#disable aruba activate#
if you see logs like: May 22 08:22:04 10.151.8.53 05220 activate: Unable to resolve the Activate server address device.arubanetworks.com.
aruba-central disable
activate software-update disable
activate provision disable
-----------------------------------------------------------------------------------------
swaks – SMTP test tool
-----------------------------------------------------------------------------------------
-install: apt-get install swaks
-send an email to a server on port 587 / TLS; after running this command you will be asked for a user and password:
swaks --from your-name@<your-domain> --to <user>@<destination-domain> --server <smtp-sever-name-or-ipaddress>:587 -tls -a LOGIN
>> -tls makes STARTTLS mandatory (swaks aborts if the server does not offer it), so the LOGIN credentials never go over the wire in clear text
https://easyengine.io/tutorials/mail/swaks-smtp-test-tool/
- enter the | pipe symbol in a team remote session (German keyboard layout): <AltGr> + <Ctrl, left key!> + <|>
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_kdcregkey
>> REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel" /v "CertificateMappingMethods" /t REG_DWORD /d "0x1F" /f
>> caveat: 0x1F turns every Schannel mapping method back on, including the weak subject/issuer, issuer and UPN mappings the update hardens; Microsoft documents it as a temporary workaround, so fix the certificates (strong mapping) and remove the value again afterwards
there is already a fix for the update:
---------------------------------------------------
https://www.borncity.com/blog/2022/05/20/windows-out-of-band-updates-19-5-2022-fixen-ad-authentifizierungsfehler-und-store-installationsfehler/
https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2?irgwc=1&OCID=AID2200057_aff_7794_1243925&tduid=(ir__0dyvpwft6wkf6gakw3uygvphcu2xv2g0t0q193ac00)(7794)(1243925)(hL3Qp0zRBOc-Dc9QeUY7_QTcoN78NM3u4Q)()&irclickid=_0dyvpwft6wkf6gakw3uygvphcu2xv2g0t0q193ac00#2826msgdesc
Problem: session limit is full!
solution:
- no rest-interface
- rest-interface
german keyboard layout:
- | pipe symbol: <AltGr> + <Ctrl, left key!> + <|>
Debian 10: instead of ifconfig use: ip addr show
#sample config file
cat /etc/dhcp/dhcpd.conf
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.199.0 netmask 255.255.255.0 {
allow unknown-clients;
authoritative;
range 192.168.199.200 192.168.199.250;
option routers 192.168.199.1;
option broadcast-address 192.168.199.255;
default-lease-time 600;
max-lease-time 7200;
}
#show dhcp leases
/usr/sbin/dhcp-lease-list
To get manufacturer names please download http://standards.ieee.org/regauth/oui/oui.txt to /usr/local/etc/oui.txt
Reading leases from /var/lib/dhcp/dhcpd.leases
MAC IP hostname valid until manufacturer
===============================================================================================
44:5b:ed:7d:c6:81 192.168.199.110 Aruba-Stack-38 2022-06-02 07:07:22 -NA-
44:5b:ed:6e:f7:81 192.168.199.105 Aruba-Stack-38 2022-06-02 07:07:54 -NA-
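dhcp-lease-list only shows the current state; when you need to know which MAC held an address at a given time (the usual incident-response question), you have to read /var/lib/dhcp/dhcpd.leases yourself. The following is an added example, not part of the original notes or of ISC's tools: a parser for that file that returns the current binding per IP (what dhcp-lease-list prints) and answers "who had this IP at time T". Timestamps in dhcpd.leases are UTC, whereas dhcp-lease-list prints local time. The sample file content is constructed from the two entries above plus a later re-assignment of 192.168.199.110.

```python
import re
from datetime import datetime, timezone

LEASE_START_RE = re.compile(r"^lease\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\{$")


def utc(*args):
    """datetime in UTC; dhcpd writes every timestamp in dhcpd.leases in UTC."""
    return datetime(*args, tzinfo=timezone.utc)


def _parse_time(value):
    # "W YYYY/MM/DD HH:MM:SS" (W = weekday, 0 = Sunday) or "never" for infinite leases
    if value == "never":
        return None
    _weekday, ymd, hms = value.split()
    return datetime.strptime(f"{ymd} {hms}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Lease records in file order.

    dhcpd appends a new record every time a lease changes, so the same IP shows up
    many times and the last record is the current one. The parser is line based
    because a 'uid' string can contain a literal '}' (client id bytes shown as
    octal escapes), which breaks a naive brace-matching regex.
    """
    leases, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if rec is None:
            m = LEASE_START_RE.match(line)
            if m:
                rec = {"ip": m.group(1), "mac": None, "hostname": None,
                       "state": None, "starts": None, "ends": None}
            continue
        if line == "}":
            leases.append(rec)
            rec = None
            continue
        line = line.rstrip(";")
        if line.startswith("starts "):
            rec["starts"] = _parse_time(line[len("starts "):])
        elif line.startswith("ends "):
            rec["ends"] = _parse_time(line[len("ends "):])
        elif line.startswith("binding state "):
            rec["state"] = line.split()[2]
        elif line.startswith("hardware ethernet "):
            rec["mac"] = line.split()[2].lower()
        elif line.startswith("client-hostname "):
            rec["hostname"] = line.split(" ", 1)[1].strip('"')
    return leases


def current_bindings(leases):
    """Last record per IP, which is what dhcp-lease-list shows."""
    latest = {}
    for rec in leases:
        latest[rec["ip"]] = rec
    return latest


def _covers(rec, at):
    return rec["starts"] is not None and rec["starts"] <= at and (rec["ends"] is None or at < rec["ends"])


def active_leases(leases, now):
    """Current records that are bound and whose window contains now."""
    return [r for r in current_bindings(leases).values() if r["state"] == "active" and _covers(r, now)]


def who_had(leases, ip, at):
    """MAC that held ip at time 'at' (UTC): the last record for that IP whose window covers it.

    Uses file order, not binding state, so a lease that was released later still
    answers for the time it was valid. Returns None when no record covers 'at'.
    """
    hit = None
    for rec in leases:
        if rec["ip"] == ip and _covers(rec, at):
            hit = rec
    return hit["mac"] if hit else None


# Constructed dhcpd.leases content (not a real file): the two stacks from the listing above,
# then 192.168.199.110 handed to a different client after the first lease expired.
SAMPLE_LEASES = r"""
lease 192.168.199.110 {
  starts 4 2022/06/02 06:07:22;
  ends 4 2022/06/02 07:07:22;
  cltt 4 2022/06/02 06:07:22;
  binding state active;
  next binding state free;
  hardware ethernet 44:5b:ed:7d:c6:81;
  uid "\001D[\355}\306\201";
  client-hostname "Aruba-Stack-38";
}
lease 192.168.199.105 {
  starts 4 2022/06/02 06:07:54;
  ends 4 2022/06/02 07:07:54;
  binding state active;
  next binding state free;
  hardware ethernet 44:5b:ed:6e:f7:81;
  client-hostname "Aruba-Stack-38";
}
lease 192.168.199.110 {
  starts 4 2022/06/02 07:30:00;
  ends 4 2022/06/02 08:30:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-x";
}
"""

if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    print(who_had(leases, "192.168.199.110", utc(2022, 6, 2, 6, 30, 0)))
    print([r["ip"] for r in active_leases(leases, utc(2022, 6, 2, 7, 45, 0))])
```

Replace SAMPLE_LEASES with `open("/var/lib/dhcp/dhcpd.leases").read()` for real use; the file is readable only by root and the dhcpd user, so run it there or copy the file with the same care as any log that maps users to addresses.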
#dhcpcd (DHCP client daemon, not the server) commands
dhcpcd -h #show options
dhcpcd -l 3600 #set the leasetime in seconds
dhcpcd -x #exit / turn of the dhcp service
if you are the owner of a helium miner for the helium blockchain you get a lot of small income transactions day by day. To make the report for your taxes there is a great tool that helps you to get your helium income value:
https://helium-reports.com
##############
# simple monero mining script that uses xmrig
#
# you can download xmrig here: https://xmrig.com/download
#
##############
startMiningXMR.sh
#!/bin/bash
WALLET=your-monero-wallet.yourmachine
BIN=xmrig
# number of mining threads, first argument, default 1
THREADS="${1:-1}"
# stop a running miner first (pkill by exact process name instead of ps | grep | kill -9)
pkill -x "$BIN"
# command as an array, so the arguments survive word splitting and quoting
CMD=("$BIN" -t "$THREADS" --donate-level=0 -a rx/0 -o de.minexmr.com:4444 -u "$WALLET" -p youremail)
#echo "${CMD[@]}"
#"${CMD[@]}"
#exit
screen -dmS xmr "${CMD[@]}"
this error occurs for example, when executing the checkmk mk-job binary:
"/usr/bin/mk-job: line 55: /usr/bin/time:"
>> solution: install the time package
apt-get install time
#hint: there is also a built-in "time" command in the shell, but "which time" shows you whether a "time" binary is installed or not; mk-job calls /usr/bin/time explicitly, so the shell built-in does not help
under google security, make sure two factor authentication is turned on, then you are able to create a app password, for smtp:
see also:
https://www.golinuxcloud.com/gmail-smtp-relay-server-postfix/
solution: use the OpenCore Legacy Patcher >> https://dortania.github.io/OpenCore-Legacy-Patcher/
>> using OpenCore Legacy patcher will help you for example, to run an iMac9.1 with Monterey
root@debian10:/omd/versions/default# cmk-agent-ctl register --help
cmk-agent-ctl-register 1.0.0
Register with a Checkmk site
Register with a Checkmk instance for monitoring. The required information can be read from a config file or must be
passed via command line.
USAGE:
cmk-agent-ctl register [FLAGS] [OPTIONS]
FLAGS:
-d, --detect-proxy
Detect and use proxy settings configured on this system for outgoing HTTPS connections. The default is to
ignore configured proxies and to connect directly
-h, --help
Prints help information
--trust-cert
Blindly trust the server certificate of the Checkmk site
-V, --version
Prints version information
-v, --verbose
Enable verbose output. Use once (-v) for logging level INFO and twice (-vv) for logging level DEBUG
OPTIONS:
-H, --hostname <host-name>
Name of this host in the monitoring site
-P, --password <password>
Password for API user. Can also be entered interactively
-s, --server <server>
Address of the Checkmk site in the format "<server>" or "<server>:<port>"
-i, --site <site>
Name of the Checkmk site
-U, --user <user>
API user to use for registration
------------------------------------------------------------------------------
example: server = localhost, user = cmkadmin, site = site1
cmk-agent-ctl register -H debian10 -P <password> -s localhost -i site1 -U cmkadmin
checkmk network monitoring -> best practice when monitoring all network ports
idea comes from article "3 rules to rule them all" by Alexander Wilms
( https://checkmk.com/de/blog/network-monitoring-with-checkmk-2-0 )
1) rename important switch ports on the devices, e.g. uplink_server1, access_point
> a problem is: some vendors use the SNMP table Alias, others the table Description
> solution: 2 x checkmk rules (1 x alias + 1 x description) +
>> define a new Host Tag "if_alias_desc" / Title: Interface: by Alias/by Description
>>> Tag ID: default - Title: default
>>> Tag ID: if_alias - Title: use Alias
>>> Tag ID: if_desc - Title: use Description
2) rule to discover all network ports:
> Network interface and switch port discovery > create 2 new rules
>> change from "Use Index" to "Use alias" with the condition tag "use Alias" + Conditions for this rule to apply: Match all interfaces
3) rule to separate access ports from "vip" ports
Services > Service monitoring > new rule: Network interfaces and switch ports
3.1: rule for access ports, name is for example 0001:
- Operating speed: ignore speed
- Operational state: ignore the operational state
- port specification: \d+ || Gigabit Ethernet || and more
- maybe use label condition: cmk/device_type:switch
wget is a very useful linux command line tool:
>>> Wget - The non-interactive network downloader.
----------------------------------------------------------------------------
to make an offline copy of a webpage just run this command:
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent http://your-page-to-backup
problem:
the LAN ports of the switches where the Aruba access points are connected show regular errors .. giant packets etc.
solution:
by default the Aruba APs perform a path MTU discovery every minute to find out the best MTU size for them.
if you want to stop this "unnecessary traffic" you need to define a static value:
>> on the WLAN controller:
ap-group ->> ap system profile ->> the AP system profile has an mtu parameter that you can change to 1500 or less.
see also:
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=24850
rsnapshot is showing warning: could not lchown() symlink "path-to-file"
problem:
rsnapshot is getting errors / warnings, the exit code is not "success":
example:
[2022-07-01T08:40:01] WARNING: Could not lchown() symlink "/opt/backup_rsnapshot/daily.1/localhost/etc/ssl/certs/SecureSign_RootCA11.pem"
[2022-07-01T08:40:01] WARNING: Could not lchown() symlink "/opt/backup_rsnapshot/daily.1/localhost/etc/ssl/certs/ISRG_Root_X1.pem"
[2022-07-01T08:40:01] WARNING: Could not lchown() symlink "/opt/backup_rsnapshot/daily.1/localhost/etc/ssl/certs/Certigna_Root_CA.pem"
[2022-07-01T08:40:01] WARNING: Could not lchown() symlink "/opt/backup_rsnapshot/daily.1/localhost/etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem"
[2022-07-01T08:40:01] WARNING: Could not lchown() symlink "/opt/backup_rsnapshot/daily.1/localhost/etc/ssl/certs/TWCA_Global_Root_CA.pem"
[2022-07-01T08:40:01] WARNING: Could not lchown() symlink "/opt/backup_rsnapshot/daily.1/localhost/etc/ssl/certs/QuoVadis_Root_CA_2_G3.pem"
[2022-07-01T08:40:01] WARNING: Could not lchown() symlink "/opt/backup_rsnapshot/daily.1/localhost/etc/systemd/system/bind9.service"
[2022-07-01T08:40:01] WARNING: Could not lchown() symlink "/opt/backup_rsnapshot/daily.1/localhost/etc/systemd/system/multi-user.target.wants/cron.service"
[2022-07-01T08:40:01] WARNING: Could not lchown() symlink "/opt/backup_rsnapshot/daily.1/localhost/etc/systemd/system/mult
solution:
>>> install the necessary perl library!!
>>>>>>> apt-get install liblchown-perl
microsoft teams - performance troubleshooting
#make sure to open the defined addresses on your firewall and disable "security" on your firewall for these ports
https://docs.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams
#microsoft test tool >> run the tool to get a performance report
https://connectivity.office.com/
https://electronicbase.net/de/leitungsquerschnitt-berechnen/
example:
- voltage = 48 V
- length = 1.5 m
- current = 20 A
- material = copper
>>> 2.16 mm^2
Installation mb40: https://vrm.victronenergy.com/installation/180834/share/56ec6aef
windows service name in english: wired autoconfig
windows service name in German: Automatische Konfiguration (verkabelt)
at the moment there is no easy method that "I know" of to set, for example, 200 printer endpoints from unknown to known in an easy way!
the methods that I know of at the moment are:
1) Export selected endpoints / edit xml file / import xml list
-- go to Identity > Endpoints and run a filter to select the endpoints that need to be changed.
-- press "Export All" at the top right
-- save to an xml file: Endpoint.xml
-- open the xml file in a text editor like Notepad++ and press <Ctrl>+<H> to replace a string: search for status="Unknown" and replace it with status="Known"
-- import the file into ClearPass under Identity > Endpoints
2) manual selection of several endpoints
-- go to Monitoring > Profiler and Network Scan > Endpoint Profiler and run a filter to select the endpoints that need to be changed. To see the Filter section press "Change Filter Selection"
-- after you have selected some endpoints make sure to press "Hide Filter Selection"; then you will see the buttons "Mark Known" or "Mark Unknown" again .. press "Mark Known" if you want to set them to known
- spell checker
-- plugin name = Spell-Checker
-- after installation notepad++ needs to be restarted
-- after installation go to http://aspell.net/win32/ and download and install the full "installer"
-- in notepad++ go to plugins > spell-checker and press "how to use": enter the path to the aspell directory, for example: "C:\Program Files (x86)\Aspell\bin" if you installed aspell at the default location
-- in the notepad++ toolbar you now see an "ABC" button; click on this button to enable spell checking
- aruba-os switch# copy command-output "show tech all" tftp 10.0.0.99 show-tech.txt
- aruba-cx switch# copy command-output "show tech" tftp://10.0.0.99/show-tech.txt <vrf xyz>
see also:
https://community.arubanetworks.com/blogs/esupport1/2020/04/30/how-to-save-the-output-of-a-show-tech-all-command-to-a-tftp-server
especially if you use data + mgmt port, make sure to restrict access to the ClearPass Policy Manager to your trusted networks only!
>> Administration » Server Manager » Server Configuration
>>>>> Network >> Application Access Control
https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=b5d3c132-7a57-4277-ae35-400fa7d7a8fc
Newer Linux kernels / procps utilities report one thread by default.
Use ps in the following way to see the threads:
For older versions of ps / kernel (2.4), use:
ps -efm
ps auxm
newer versions of ps / kernel (2.6+), you can also use:
ps -efL
ps auxH
add an Aruba CX switch with existing configuration to Aruba Central
1) switch# show system
note serial + mac-address
2) Aruba Central > greenlake > add device >> using serial + mac-address
2.1) make sure a license is assigned (that you have a license available)
3) on the device make sure that Aruba-Central is not in "disable" mode; to enable it run "Aruba-Central" > "enable",
check with the command "show Aruba-Central" on the device whether the connection to Aruba Central is established
4) in Aruba Central > go to Global
4.1) Under Maintain > Organization > Groups you should now find an unprovisioned device,
add the device to a new group, press "preserve" configuration if you want to keep the config
#documentation:
https://www.Arubanetworks.com/techdocs/Central/latest/content/nms/aos-cx/get-started/prov-tmplt-prcnf-cx.htm
- overleaf: cool online - Latex Editor: https://de.overleaf.com/
cmk -vv --debug -II --detect-plugins=<<plugin-name>> objectname
for example:
cmk -vv --debug -II --detect-plugins=watchguard_fire_cluster mw-watchguard-firewall1
2022 August: https://minexmr.com/
>> for some reason: The mining pool is closing on August 19
>> This pool is closing
alternative pool is:
https://xmr.2miners.com/
an overview, over different monero / xmr mining pools can be found here: https://miningpoolstats.stream
just delete the .selected_editor file in your profile
rm ~/.selected_editor
after that you are able to choose the editor again, for example:
user@my-linux-host:~$ crontab -e
Select an editor. To change later, run 'select-editor'.
1. /bin/nano <---- easiest
2. /usr/bin/vim.basic
3. /usr/bin/mcedit
4. /usr/bin/vim.tiny
5. /bin/ed
Choose 1-5 [1]: 2
crontab: installing new crontab
>> of course you can also just edit the file .selected_editor and change the editor there directly
Configuration -> System
- Show Advanced options: Deny local routing (if this is not enabled, clients that are connected to the same access point can reach each other!! (this also works between different VLANs - security issue?!!))
help text from aruba = If you have security and traffic management policies defined in upstream devices, you can use this option to disable routing traffic between two clients on the same AP on different VLANs.
Routing traffic between the clients will be sent to the upstream device to make the forwarding decision.
https://www.arubanetworks.com/techdocs/Instant_41_Mobile/Advanced/Content/UG_files/GeneralConfTasks/Adv_conf_tasks/ConfigureLocalRouting.htm
from page: https://im-coder.com/groesse-aller-tabellen-in-der-datenbank-ermitteln.html
SELECT
t.NAME AS TableName,
s.Name AS SchemaName,
p.rows AS RowCounts,
SUM(a.total_pages) * 8 AS TotalSpaceKB,
CAST(ROUND(((SUM(a.total_pages) * 8) / 1024.00), 2) AS NUMERIC(36, 2)) AS TotalSpaceMB,
SUM(a.used_pages) * 8 AS UsedSpaceKB,
CAST(ROUND(((SUM(a.used_pages) * 8) / 1024.00), 2) AS NUMERIC(36, 2)) AS UsedSpaceMB,
(SUM(a.total_pages) - SUM(a.used_pages)) * 8 AS UnusedSpaceKB,
CAST(ROUND(((SUM(a.total_pages) - SUM(a.used_pages)) * 8) / 1024.00, 2) AS NUMERIC(36, 2)) AS UnusedSpaceMB
FROM
sys.tables t
INNER JOIN
sys.indexes i ON t.OBJECT_ID = i.object_id
INNER JOIN
sys.partitions p ON i.object_id = p.OBJECT_ID AND i.index_id = p.index_id
INNER JOIN
sys.allocation_units a ON p.partition_id = a.container_id
LEFT OUTER JOIN
sys.schemas s ON t.schema_id = s.schema_id
WHERE
t.NAME NOT LIKE 'dt%'
AND t.is_ms_shipped = 0
AND i.OBJECT_ID > 255
GROUP BY
t.Name, s.Name, p.Rows
ORDER BY
t.Name
command to unban ip: 10.12.13.14
>> fail2ban-client set sshd unbanip 10.12.13.14
how to validate the execution?
>> check the currently banned clients using the command:
>> fail2ban-client status sshd
there is a document from hpe, regarding routing behavior:
https://www.hpe.com/psnow/doc/a00100349en_us
see the details in the mentioned document ...
if you use both interfaces, always keep in mind how ClearPass behaves ...
for example - one important rule is:
"If the destination network is not in either management or data subnets, then we use the data interface by default. "
>> B5 devices do not have wifi chips anymore since Feb 2021!!
https://community.mimosa.co/t/2-4-ghz-network-missing-b5c/15412
https://community.mimosa.co/t/b5-2-4-ghz-wifi-management-console/15315/2
rtsp - live stream - how to access the camera directly
https://www.tapo.com/de/faq/34/
url:
for 1080P (1920*1080) stream: rtsp://username:password@IP Address:554/stream1
for 360P (640*360) stream: rtsp://username:password@IP Address:554/stream2
> go to the Google AdSense account
> then to Ads
> select the website > then edit
> click on the tab "Privacy & messaging" (German UI: "Datenschutzbezogene Nachrichten")
> enable the GDPR-compliant message
> enter the URL of the privacy policy page
> select the consent option, e.g.: Consent, Do not consent or Manage options
> activate: click "Apply to website"
https://www.wintotal.de/tipp/windows-10-uhrzeit-falsch/
>> use a different time server than the default Microsoft server:
- <Windows + R> (run) > enter "timedate.cpl"
- choose "Internet Time" and change the default server there to a new server; for example, for Germany you can use "ptbtime1.ptb.de" as server
in command line:
thunderbird -safe-mode
1) Settings
2) Display & Brightness
3) Auto-Lock
4) >> set the time of inactivity after which the iPhone's screen should be switched off
#switch settings (tested on switch type JL258A (2930f) )
-----------------------------------
#a role with only tagged vlan's and port-mode
aaa authorization user-role name "role1"
vlan-id-tagged 10,11,12
device
port-mode
exit
exit
#a role with an untagged vlan and a tagged one
aaa authorization user-role name "role2"
vlan-id 10
vlan-id-tagged 11
exit
#an untrusted role should also be assigned
aaa authorization user-role name "untrusted"
vlan-id 99
exit
aaa authorization user-role initial-role "untrusted"
#Radius Server settings
-------------------------------------------
make sure that the radius server sends back an "accept" and the following attribute:
Radius:Hewlett-Packard-Enterprise HPE-User-Role = <user-role-name>
#hints
---------------------------------------------
- commands: show user-role <user-role-name>
- multiple tagged vlans > supported since ArubaOS 16.08
- multiple vlan tagged name is not supported
- Maximum tagged VLANs that can be associated with a user role is 256. (tested with version: WC.16.10.0010)
- debug on switch: debug security port-access mac-based
- cool video from Herman Robers: https://www.youtube.com/watch?v=0RHGyWFNxjI&feature=youtu.be
#just turn off foreign key checks
SET FOREIGN_KEY_CHECKS = 0;
TRUNCATE yourtable1;
TRUNCATE yourtable2;
SET FOREIGN_KEY_CHECKS = 1;
sample config on ArubaCX:
port-access role testrole1
auth-mode device-mode
reauth-period 3600
cached-reauth-period 28800
vlan trunk native 1
vlan trunk allowed 1-50
needed Radius attribute:
Radius:Aruba:Aruba-User-Role: testrole1
-----------------------------------------------
- see also:
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=34779
-----------------------------------------------
- good to know:
- bug in version 10.08 + 10.09 !! only 50 vlan's per role permitted! "Failed to associate VLANs to the Role. Maximum of 50 VLANs is allowed"
- according to documentation, 256 vlan's should be permitted!
>> https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/security_4100i-6000-6100/Content/Chp_Port_acc/Port_acc_rol_cmds/vla-por-acc-fl-ml-10.htm
reolink - cool and not so expensive surveillance system
How to Set up the Reolink PoE Camera System (3 Mins)
>> https://www.youtube.com/watch?v=4tRMW0hPVaU
Remote Viewing - 3 easy ways:
>> https://www.youtube.com/watch?v=4tRMW0hPVaU
RLC-810A
4K PoE Cam, with zoom
- Horizontal: 101°
- Vertical: 55°
RLC-811A
Smarte 4K UHD PoE Cam with night view in color
5X optical zoom
- Horizontal: 105°-31°
- Vertical: 55°-17°
- night vision: up to 30 meters
dome camera:
RLC-823A
Smart 4K UHD PoE Cam with High-Speed-PTZ
- Horizontal: 96° - 27°
- Vertical: 69° - 21°
- night vision: up to 60 meters
ESS Settings
>> VE configure > turn ESS Assistant on
>> https://www.victronenergy.com/live/battery_compatibility:pylontech_phantom
ESS System Settings
pylontec 5000
4800Wh > x 3 = 14400Wh / 48V = 300Ah
The settings that are specific to the Pylontech battery in the
VEConfigure ESS Assistant are below:
>> Select the externally managed Lithium battery option :
- Sustain voltage. 48V
- Dynamic cut-off values set all values to 46V.
- Restart offset: 1.2V (Default)
- Question: PV Inverters
Are there PV inverters connected on the AC out
of the Multi/Quattro system? >> No
Settings on Gerbo GX
- Problem after setting to ESS mode: the system always runs in passthrough mode
>> ESS > Grid metering >> "set to Inverter/Charger"
- ESS: Grid setpoint - default 50W
-> this means always draw 50W from the grid
-> setting this to 0W: the Multiplus tries to keep 0W,
if you set this to -20W the Multiplus feeds some watts into the grid
byte packets overview: netstat.exe -e
statistics for protocols: netstat.exe -s
statistics per interface: powershell Get-NetAdapterStatistics
#problem:
>> in syslogfile /var/log/syslog
logrotate[111859]: error: error running shared postrotate script for '/var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/log/mysql/error.log '
>> you also see the error running the command:
service logrotate status
#how to test:
mysqladmin --defaults-file=/etc/mysql/debian.cnf flush-logs
#solution:
check your user + password settings in file: /etc/mysql/debian.cnf
https://gist.github.com/jaircuevajunior/5b2a210563392570c2aae8ed29be432b
example:
show capacities
System Capacities:
Capacities Name Value
-------------------------------------------------------------------------------------------------------------------
Maximum number of active gateway vmacs configurable 16
Maximum number of BFD sessions configurable in a system 256
Maximum number of AS numbers in BGP as-path attribute 32
Maximum number of BGP as-path entries in a single aspath-list 128
Maximum number of aspath-lists 256
Maximum number of community entries in a single community-list 128
Maximum number of community-lists 256
Maximum number of equal cost paths 8
Maximum number of BGP neighbors allowed across all VRFs 256
Maximum number of BGP peer groups allowed across all VRFs 128
Maximum number of routes accepted from a BGP peer 15000
Maximum number of routes in BGP RIB 30000
Maximum number of BGP route reflector clients allowed across all VRFs 256
Maximum number of Access Control Entries configurable in a system 4000
Maximum number of Object Group Entries configurable in a system 2000
Maximum number of Object Groups configurable in a system 512
Maximum number of Access Control Lists configurable in a system 512
Maximum number of class entries configurable in a system 4000
Maximum number of classes configurable in a system 2048
Maximum number of entries in an Access Control List 2304
Maximum number of entries in a class 2304
Maximum number of entries in an Object Group 1024
Maximum number of entries in a policy 256
Maximum number of classifier policies configurable in a system 4000
Maximum number of policy entries configurable in a system 4000
Maximum number of dynamic VLANs that can be allowed using MVRP 1024
Maximum number of nexthops per IP ECMP group 8
Maximum number of IP neighbors (IPv4+IPv6) supported in the system 120000
Maximum number of GRE IPv4, "IPv6 in IPv4" and "IPv6 in IPv6" tunnels in a system 127
Maximum number of IP Directed Broadcast Neighbors supported in the system 4096
Maximum number of ipsla responder sessions configurable in a system 500
Maximum number of ipsla source sessions configurable in a system 500
Maximum number of IPv4 neighbors(# of ARP entries) supported in the system 120000
Maximum number of IPv6 neighbors(# of ND entries) supported in the system 52000
Maximum number of Keychains supported in the system 64
Maximum number of Keys supported in a single Keychain 64
Maximum number of Keys supported in the system 4096
Maximum number of L2 MAC addresses supported in the system 98304
Maximum number of L3 Groups for IP Tunnels and ECMP Groups 2000
Maximum number of L3 Destinations for Mcast, Neighbors, Routes and Nexthops in ECMP groups (VXLAN enabled) 32766
Maximum number of L3 Destinations for Neighbors, Routes and Nexthops in Tunnels and ECMP groups 12286
Maximum number of configurable LAG ports 128
Maximum number of members supported by a LAG port 16
Maximum number of VLANs across ports allowed in loop-protect 10240
Maximum number of configurable VSX ports 128
Maximum number of members supported by a MCLAG port 16
Maximum number of IGMP/MLD groups supported 8192
Maximum number of IGMP/MLD snooping groups supported 8192
Maximum number of IGMP/MLD static groups supported 8192
Maximum number of Mirror Sessions configurable in a system 4
Maximum number of enabled Mirror Sessions in a system 4
Maximum number of MSDP Peers supported 64
Maximum number of MSDP SA Cache entries supported 32768
Maximum number of mstp instances configurable in a system 64
Maximum number of NAE agents in a system 50
Maximum number of NAE monitors in a system 150
Maximum number of NAE scripts in a system 25
Maximum number of OSPFv2 areas configurable in the system 256
Maximum number of OSPFv2 interfaces configurable in the system 256
Maximum number of OSPFv2 interfaces per area in the system 256
Maximum number of OSPFv2 processes supported across each VRF 8
Maximum number of OSPFv3 areas configurable in the system 256
Maximum number of OSPFv3 interfaces configurable in the system 256
Maximum number of OSPFv3 interfaces per area in the system 256
Maximum number of OSPFv3 processes supported across each VRF 8
Maximum number of PBR Action Lists configurable in a system 256
Maximum number of PBR Action List entries configurable per PBR Action List 8
Maximum number of PIM/PIMv6 mroutes supported 8192
Maximum number of PIM/PIMv6 nexthops supported 65536
Maximum number of RBAC rules per user group 1024
Maximum number of RIP interfaces configurable in the system 32
Maximum number of RIP processes supported across each VRF 1
Maximum number of routes in RIP supported across all VRFs 10000
Maximum number of RIPng interfaces configurable in the system 32
Maximum number of RIPng processes supported across each VRF 1
Maximum number of routes in RIPng supported across all VRFs 10000
Maximum number of prefix entries in a single prefix-list 128
Maximum number of prefix-lists 256
Maximum number of route map entries in a single route-map 128
Maximum number of route-maps 256
Maximum number of RPVST VLANs configurable on the system 254
Maximum number of RPVST VPORTs supported in a system 2048
Maximum number of SVIs supported in the system 4040
Maximum number of unique GRE IPv4, "IPv6 in IPv4" and "IPv6 in IPv6" tunnel local IPs in a system 16
Maximum number of unique GRE IPv4, "IPv6 in IPv4" and "IPv6 in IPv6" tunnel TTLs in a system 4
Maximum number of active UDLD interface 56
Maximum number of routes (IPv4+IPv6) on the system 29696
Maximum number of IPv4 routes on the system 28672
Maximum number of IPv6 routes on the system 13312
Maximum number of VLANs supported in the system 4040
Maximum number of unique IPv4 VRRP VRIDs configurable between 1 to 255 8
Maximum number of unique IPv6 VRRP VRIDs configurable between 1 to 255 8
Maximum number of VRRP IPv4 addresses supported 1024
Maximum number of VRRP IPv4 addresses supported per virtual router 16
Maximum number of VRRP IPv4 virtual routers supported per port 8
Maximum number of VRRP IPv6 addresses supported 512
Maximum number of VRRP IPv6 addresses supported per virtual router 8
Maximum number of VRRP IPv6 virtual routers supported per port 8
Maximum number of VRRP virtual routers supported 256
Maximum number of VXLAN interfaces in a system 1
Maximum number of L2VNIs per VXLAN interface 4039
Maximum number of L3VNIs per VXLAN interface 255
Maximum number of VNIs per VXLAN interface 4294
Maximum number of VTEPs per VXLAN interface 1024
Aruba AOS-CX Basics 2 - Management Network Config
https://www.youtube.com/watch?v=4F1RaMOV2FU
ip dns server-address x.x.x.x vrf mgmt
ip dns domain-name xxxx.xxx vrf mgmt
show clock
show ntp status
ntp server x.x.x.x iburst version 4 #iburst = faster sync
ntp vrf mgmt
ntp enable
------
ArubaOS-CX Switching Series - How to Stack Switches using VSF
https://www.youtube.com/watch?v=TjYSi4l-2OM
show vsf
#switch 1
vsf member 1
link 1 1/1/49
link 2 1/1/50
show vsf link
#switch 2
vsf member 1
link 1 1/1/49
link 2 1/1/50
vsf renumber 1 to 2
#vsf-factory-reset #in case you need to clean
#switch 3
vsf member 1
link 1 1/1/49
link 2 1/1/50
vsf renumber 1 to 3
show vsf #see 3 switches, see topology >> best redundancy is ring topology ;-)
vsf secondary member 2 #make sure to have a secondary member, so that there is a standby
use case: we needed an OpenVPN server to connect our Mango router (model: GL-MT300N-V2) via OpenVPN to an OpenVPN server,
so that clients behind the router get internet access through the server machine
---------------------
install necessary packages:
openvpn with easy-rsa
- apt-get install easy-rsa openvpn
- easy-rsa is a great tool that helps you to build your own certificate authority
--------------------
since the installation is quite complex, let's use a script:
found on:
https://www.cyberciti.biz/faq/debian-10-set-up-openvpn-server-in-5-minutes/
>> this led us to a cool script: https://github.com/angristan/openvpn-install
>> this is the install script:
wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O debian10-vpn.sh
The configuration file has been written to /root/mango1.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
-------------------
useful commands:
systemctl restart openvpn@server
systemctl status openvpn@server
#status check
-- ps aux |grep openvpn
-- netstat -tulpn | grep :51194
how to use built-in symmetric encryption?
1) create a rule to access the target using a shared password
>> Setup menu and create a rule in the Setup > Agents > Access to agents > Checkmk agent > Encryption (Linux, Windows)
2) on target host, configure the agent to run in encrypted mode
>> create file: /etc/check_mk/encryption.cfg
>> using the following content:
ENCRYPTED=yes
PASSPHRASE='MyPassword'
>> give the file the right access rights (on linux)
chmod 600 /etc/check_mk/encryption.cfg
3) how to test?
3.1 on the agent machine just run "check_mk_agent" .. you should see only unreadable (encrypted) output
3.2 test with telnet using "telnet agentmachine 6556" .. you should also see only unreadable output
3.3 on the checkmk server, run the command "cmk -d agentmachine" .. you should see the normal agent data
#see also:
https://docs.checkmk.com/latest/en/agent_linux_legacy.html
use case: ip address 192.168.2.99 should never be blocked
solution:
file: /etc/fail2ban/jail.local
>> line ignoreip =
ignoreip = 192.168.2.99
>> restart the service: /etc/init.d/fail2ban restart
error message seen in file: /var/log/auth.log
pam_systemd(sshd:session): Failed to create session: Maximum number of sessions (8192)
>> interim solution: systemctl restart systemd-logind
>> longterm solution >> not yet found ;-))
solution:
see aruba tac:
https://community.arubanetworks.com/blogs/arunhasan11/2020/10/20/what-cause-iap-does-not-have-a-cloud-activate-key
----------------------
Instant AP is unable to communicate with device.arubanetworks.com via HTTP/HTTPS.
>> information from the tac page:
1. Can the Instant AP resolve device.arubanetworks.com?
From the CLI of the Instant AP ping device.arubanetworks.com
If there is no resolution, check that the Instant AP is configured with a DNS server to send DNS queries to. Use the CLI command 'show summary support | include NameServer'
2. Can the Instant AP route to device.arubanetworks.com?
From CLI of Instant AP ping device.arubanetworks.com
If there is no response it may just be that ICMP is blocked along the path. HTTP and HTTPS may still be allowed.
3. Are HTTP and HTTPS blocked by a firewall along the path?
Connect a PC to a port in the same vlan/subnet as the master Instant AP. Telnet to port 80 and 443, on device.arubanetworks.com.
If above is working and still IAP doesn't have cloud activation key, kindly contact Aruba TAC with above details.
2 methods are available (at least)
1) use dhcp snooping
turn on:
(SW)<config># dhcp-snooping enable
(SW)<config># dhcp-snooping vlan 99
(SW)<config># show dhcp-snooping
>> define trusted interface where the dhcp answers are coming from, for example interface 49 (your uplink)
see the clients: (Switch)<config># show dhcp-snooping binding
2) client tracker
turn on: (SW)<config># ip client-tracker
see the clients: show port-access clients
see also:
https://community.arubanetworks.com/blogs/esupport1/2020/05/12/how-to-learn-the-ip-address-of-the-clients-connected-in-switch
see also:
https://www.heise.de/download/product/pping-92985
#check responsibility of port tcp 3389
pping -t <destination-ip || hostname> 3389
if you are looking, for example, for a Visio shape for an Aruba switch
-- HPE Aruba CX 6000 48G PoE+ 370W CL4 4SFP Part.-Nr. R8N85A
or
-- HPE Aruba CX 6000 12G PoE CL4 2SFP 139W Part.-Nr. R8N89A
you find them in Shape: HPE-Aruba-Switches-small
see also:
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=32690
problem: the service did not start after reboot!
how to start after reboot?
systemctl start isc-dhcp-server
check status?
/etc/init.d/isc-dhcp-server status
sometimes you need a list of all the files on a hard drive; you can use some nice tools for this, for example:
- https://www.sttmedia.de/dateilistenschreiber
- direct windows download: https://www.sttmedia.de/download=FilelistCreatorWin64
solution: delete / or rename a specific file in your profile:
your-ThunderbirdPortable\Data\profile\handlers.json
problem: when running starter templates, no pictures and CSS styles are being deployed, only the text works,
but the starter templates process says "success"
Solution:
error message seen in the apache log file:
[Mon Nov 28 11:15:33.544383 2022] [fcgid:warn] [pid 24679] [client 192.168.1.99:63696] mod_fcgid: stderr: PHP Warning: XMLReader::read(): /var/customers/webs/customer1/wp-content/uploads/2022/11/wxr.xml:1: parser error : Document is empty in /var/customers/webs/customer1/wp-content/plugins/astra-pro-sites/inc/importers/wxr-importer/class-wxr-importer.php on line 256, referer: http://mywebseite/wp-admin/themes.php?page=starter-templates&ci=5
>> since we use mod_fcgid it seems that some rights are missing,
so we changed the PHP configuration:
allow_url_fopen = On
max_execution_time = 60
max_input_time = 60
memory_limit = 512M
post_max_size = 100M
SubstituteMaxLineLength = 20M
upload_max_filesize = 100M
we also disabled the function "curl_exec", but this was probably not the most important setting
>> probably allow_url_fopen or SubstituteMaxLineLength was the important setting
if you monitor Linux servers using checkmk you may get an error that there are failed systemd services; here is how to fix this in
case the mentioned services are not needed
on linux machine:
#systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
? check_mk@service.service loaded failed failed Checkmk agent
? cmk-agent-ctl-daemon.service loaded failed failed Checkmk agent controller daemon
#stop service
systemctl stop check_mk@service.service
systemctl stop cmk-agent-ctl-daemon.service
#disable service
systemctl disable check_mk@service.service
systemctl disable cmk-agent-ctl-daemon.service
#for manually clear out failed units, you can use the following command:
systemctl reset-failed
If you want to authenticate a device on a switch port using MAC authentication or 802.1X authentication against a RADIUS server, you may have the requirement to put the device into more than one VLAN - one untagged VLAN and multiple tagged VLANs.
the RADIUS server has to return some special attributes to the switch
>> here is a sample Enforcement Profile from the HPE Aruba ClearPass Policy Manager
>> Type: Radius
>> Action: Accept
Radius:IETF Session-Timeout = 10800
Radius:IETF Termination-Action = RADIUS-Request (1)
Radius:IETF Tunnel-Type = VLAN (13)
Radius:IETF Tunnel-Medium-Type = IEEE-802 (6)
Radius:IETF Tunnel-Private-Group-Id = 10
Radius:Hewlett-Packard-Enterprise HPE-Port-MA-Port-Mode = 1
Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-ID = 822083684
Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-ID = 822083685
Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-ID = 822083686
>> The attribute Tunnel-Private-Group-Id sets the switch port to VLAN 10 untagged
>> the HPE-Egress-VLAN-ID values look a bit strange; to get these values you have to calculate them: 0x31<000><VLAN-ID in hex>, then convert this hex value to a decimal value, which is what the attribute needs:
-------- value: 822083684 means VLAN 100 tagged
-------- value: 822083685 means VLAN 101 tagged
-------- value: 822083686 means VLAN 102 tagged
>>>>>> use this calculator to get the value for a specific VLAN: https://computer2know.de/index.php?site=radius-vlan-hex-value
>> the attribute HPE-Port-MA-Port-Mode makes sense for HPE ArubaOS switches, in case you want to set the port mode
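As an added example (not from the page and not ClearPass or HPE code), the following Python computes and decodes the HPE-Egress-VLAN-ID values described above and builds the attribute list of an enforcement profile. The 0x31 tag indicator is the one the page uses; the 0x32 indicator for untagged egress VLANs is taken from RFC 4675 (Egress-VLANID) and goes beyond what the page shows.

```python
# Added example: encode/decode the Egress-VLANID integer carried in the
# HPE-Egress-VLAN-ID RADIUS attribute. Layout (RFC 4675, Egress-VLANID):
#   bits 31..24  tag indicator: 0x31 = tagged, 0x32 = untagged
#   bits 23..12  padding, always 0
#   bits 11..0   VLAN ID (1..4094)
TAGGED = 0x31
UNTAGGED = 0x32  # RFC 4675 value, not shown on the page


def egress_vlan_id(vlan: int, tagged: bool = True) -> int:
    """Return the decimal attribute value for a VLAN, e.g. 100 tagged -> 822083684."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    indicator = TAGGED if tagged else UNTAGGED
    return (indicator << 24) | vlan


def decode_egress_vlan_id(value: int) -> tuple:
    """Inverse of egress_vlan_id: return (vlan, tagged), rejecting malformed values."""
    indicator = (value >> 24) & 0xFF
    padding = (value >> 12) & 0xFFF
    vlan = value & 0xFFF
    if indicator not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indicator 0x{indicator:02x} in {value}")
    if padding != 0 or not 1 <= vlan <= 4094:
        raise ValueError(f"malformed Egress-VLANID value {value} (0x{value:08x})")
    return vlan, indicator == TAGGED


def enforcement_profile(untagged_vlan: int, tagged_vlans: list) -> list:
    """Build the RADIUS attribute lines for one untagged VLAN plus a list of
    tagged VLANs, in the notation the ClearPass enforcement profile above uses."""
    lines = [
        "Radius:IETF Tunnel-Type = VLAN (13)",
        "Radius:IETF Tunnel-Medium-Type = IEEE-802 (6)",
        f"Radius:IETF Tunnel-Private-Group-Id = {untagged_vlan}",
    ]
    for vlan in tagged_vlans:
        lines.append(
            f"Radius:Hewlett-Packard-Enterprise HPE-Egress-VLAN-ID = {egress_vlan_id(vlan)}"
        )
    return lines


if __name__ == "__main__":
    for line in enforcement_profile(10, [100, 101, 102]):
        print(line)
    print(decode_egress_vlan_id(822083684))  # (100, True)
```

Running the block reproduces the three attribute values from the profile above (822083684, 822083685, 822083686); the decoder refuses values whose padding bits are set, which is a quick sanity check when a profile was edited by hand.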
Operating System: CentOS 7.9
checkmk version 2.1.p17 and also 2.1.p16
when trying to create a map using NagVis, on the web frontend we get the error message:
> "Failed to execute ajax call. Maybe a network issue or webserver is not available. HTTP-Status-Cdoe:500,
> /mysite/nagvis/server/core/ajax_handler.php?mod=Map&act=manage&_ajaxid=1669804880
in the apache log file > /opt/omd/sites/mysite/var/log/apache/error_log, we see the error:
> [Wed Nov 11 11:41:22.645532 2022] [fcgid:warn] [pid 7254] [client 127.0.0.1:59876] mod_fcgid: stderr:
> PHP Fatal error: Arrays are not allowed as constants in
> /opt/omd/versions/2.1.0p17.cee/share/nagvis/htdocs/server/core/sources/geomap.php on line 9,
> referer: http://192.168.2.99/mysite/nagvis/frontend/nagvis-js/index.php
Quick and dirty solution:
go to file: /opt/omd/versions/2.1.0p17.cee/share/nagvis/htdocs/server/core/sources/geomap.php, line 9
>> comment out line 9: const ACCEPTED_GEOMAP_SERVER_URL_SCHEMES = ["http", "https"];
>> after that it worked!!
Enterprise OID is: 2011
#plugin for iBMC / server
https://github.com/Huawei/Server_Management_Plugin_Check_MK
- if you don't know the password that is needed for the web frontend of the WDMyCloud, press the button through the very small hole on the back of the device (reset pin) for about 4 seconds. After that the password is cleared, which means there is no password anymore; just use the user "admin" with no password.
#see also
https://support-de.wd.com/app/answers/detailweb/a_id/7731
older tool with an HP workstation B2000
----
how to clone the hard drive of such a B2000 for emergency cases??
---
information to HP B2000:
HP B2000 Workstation (A5983A, A5983AR, A5983B, A5983BR, A5983C, A6043A, B2000, Y1644A)
The legacy HP B2000 Workstation is the ideal combination of price and performance.
With its PA-RISC 8500 400MHz processor with 1.5MB on-chip cache, up to 2GB memory,
and integrated on-board visualize fxe graphics this system provides the best 3D capability
across all HP workstations. As one of HP's most affordable and powerful PA-RISC workstations,
the B2000 is still widely used as an ABB Advant station for defense, power plants,
paper mills and other industries around the world.
User:
ut16/ut16
root/root
zeiss/zeiss
commands:
sam (HP administration tool)
disk devices:
0/0/15/0.6.0 LVM vg00 17366 HP 18.2GST318406LC
Internet addresses
192.168.4.55 kmg01s1
172.20.11.248 umc2
192.4.1.200 cmm_1
127.0.0.1 zell
172.20.11.247 umc1
dd
Let's suppose that your boot disk is /dev/rdsk/c0t6d0 and that your lifeboat disk is /dev/rdsk/c1t5d0.
dd if=/dev/rdsk/c0t6d0 bs=256k of=/dev/rdsk/c1t5d0
>> ls /dev/rdsk: c0t0d0 c2t6d0 flopp rmbfloppy2
>> if you build in a second hard drive, you see: c2t5d0
the right cloning "dd" command is therefore:
dd if=/dev/rdsk/c2t6d0 bs=256k of=/dev/rdsk/c2t5d0
clone disk:
- https://community.hpe.com/t5/system-administration/hp-ux-mirroring-disk-clone-a-hdd-into-another-hdd/td-p/5037136
hp dynroot disk tool
- https://myenterpriselicense.hpe.com/cwp-ui/free-software/DynRootDisk
- https://www.slideshare.net/slide44/hp-uxdynamicrootdiskbootdiskcloningbenefitsandusecasesdusanbaljevicmar2013
other readme:
- read out an old SCSI hard drive: Mikrocontroller.net: https://www.mikrocontroller.net/topic/481710
https://techcommunity.microsoft.com/t5/windows-11/lldp-in-windows-11-build-22h2-triggers-an-stp-shutdown-on-the/m-p/3667178
it seems that Windows 11 22H2 uses a spanning tree reserved MAC address in its LLDP packets >> the destination address is: 01:80:c2:00:00:00
according to
https://standards.ieee.org/products-programs/regauth/grpmac/public/
this MAC address should not be used in LLDP packets ..
- nice and useful tools:
-- https://sqlbackupandftp.com/features
console# erase start
Dell Switches N2000 Series (N2024P)
tested with version 6.6.3.17
####################################
# Static Port security
####################################
#How to configure MAC based port security on Dell N2000, N3000, and N4000 series switches.
https://www.dell.com/support/kbdoc/de-de/000121440/how-to-configure-mac-based-port-security-on-dell-n2000-n3000-and-n4000-series-switches?lang=en
#turn on port security on port gi1/0/1 (needs configure mode)
switchport port-security
interface gi1/0/1
> switchport port-security #turn on security
> switchport port-security maximum 5 #define a maximum of 5 mac-addresses on this port
>> now all learned mac-addresses will be removed on interface gi1/0/1 and the port will authenticate them
#add static mac-addresses to an interface
console(config)# mac address-table static abcd.2233.1221 vlan 1 interface gi1/0/1
####################################
# Dynamic / Radius based Port security (mac-authentication)
####################################
console#configure
console(config)#aaa authentication dot1x default radius
console(config)#dot1x system-auth-control #enable 802.1X port-based access control
console(config)#authentication enable
console(config)#radius server <radius-server-ip>
console(config)#radius server key <your-radius-key>
console(config)#aaa authorization network default radius #allow the radius server to assign vlans
#enable authentication on the device port
#MAC Authentication Bypass (MAB) >> authenticate using the MAC address as identifier
#using FreeRADIUS as authentication server needs mab auth-type pap or chap!!
console(config)#interface gi1/0/1
console(config-if-Gi1/0/1)#authentication port-control auto
console(config-if-Gi1/0/1)#mab
console(config-if-Gi1/0/1)#mab auth-type pap
console(config-if-Gi1/0/1)#switchport mode general
#uplink interface > no authentication on this port
console(config)#interface gigabitethernet 1/0/24
console(config-if-Gi1/0/24)#authentication port-control force-authorized
####################################
# useful show commands
####################################
show authentication statistics gigabitethernet 1/0/1
console(config)#show authentication
console#show authentication clients all
show authentication interface gigabitethernet 1/0/1
show radius statistics
show dot1x users #show authenticated users
show dot1x statistics gigabitethernet 1/0/1
####################################
# Documentation
####################################
https://usermanual.wiki/Dell/DellDellNetworkingN2000SeriesUsersManual136323.1551399830/html#pf42
Name of document:
Dell EMC Networking N-Series N1100-ON, N1500, N2000, N2100-ON, N2200-ON, N3000E-ON, N3100-ON and N3200-ON Switches User’s Configuration Guide Version 6.6.3
page 371: Authentication, Authorization, and Accounting
####################################
useful common dell switch commands:
####################################
#turn on ssh server
console(config)# ip ssh server
#see interfaces
show interfaces status
save settings:
console#copy running-config startup-config
#set user / password with high privileges
console(config)#username admin password adminadmin privilege 15
#privilege 15 means read and write access
#what is the ip address of the switch?
show ip interface
####################################
#log messages
####################################
#after successful mac authentication you should see in the log
<190> Dec 15 14:02:59 172.16.99.20-1 AUTHMGR[authmgrTask]: auth_mgr_sm.c(420) 548 %% INFO Client authorized on port (Gi1/0/1) with VLAN type RADIUS.
###################################
# Sample Configs
###################################
#######
#interface gi1/0/1 with some mac-auth settings
#######
interface Gi1/0/1
switchport mode general
authentication event fail action authorize vlan 200
authentication event no-response action authorize vlan 300
authentication periodic
authentication timer reauthenticate 300
authentication timer restart 60
mab
mab auth-type pap
authentication order mab dot1x
authentication priority mab dot1x
exit
!
interface Gi1/0/24
authentication port-control force-authorized
exit
#######
# Sample config when tested with freeradius server
#######
!Current Configuration:
!System Description "Dell EMC Networking N2024P, 6.6.3.17, Linux 4.14.138, Not Available"
!System Software Version 6.6.3.17
!
configure
vlan 99
exit
vlan 99
name "isolated"
exit
slot 1/0 3 ! Dell EMC Networking N2024P
stack
member 1 2 ! N2024P
exit
interface vlan 1
ip address dhcp
exit
authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server key 7 "asdlfjasdlkfjasdklfj"
radius server auth 192.168.2.87
name "Default-RADIUS-Server"
exit
application install SupportAssist auto-restart start-on-boot
!
interface Gi1/0/1
switchport mode general
authentication timer reauthenticate 300
mab auth-type pap
authentication order mab dot1x
authentication priority mab dot1x
exit
!
interface Gi1/0/24
authentication port-control force-authorized
exit
snmp-server engineid local 800002a203fasfasdfasdf
eula-consent hiveagent reject
exit
Fortinet - basic configuration
- put your notebook into the Fortinet default subnet, 192.168.1.0/24.
The default IP of the Fortinet device is 192.168.1.99
plug the ethernet cable into port 1
> access the web frontend https://192.168.1.99/
--------------------------------------------------
do some basic configuration,
let us setup the following configuration
>> port 1: leave it as it is >> 192.168.1.99
>> port 2-3: create a software switch >> 192.168.178.1/24
>> port 4: configure it as "wan" interface
System > Network > Interfaces
>> create new Interface, Type Software Switch
-- Interface Name = 178
-- Physical Interface Members: port2 and port3
-- Addressing mode: Manual, IP/Network Mask: 192.168.178.1/255.255.255.0
-- Administrative Access: HTTPS + PING
-- DHCP Server: Enable, Starting IP: 192.168.178.100, End IP: 192.168.178.200, Netmask 255.255.255.0, Default Gateway: Same as Interface IP, DNS Server: Same as System DNS
System > Network > Interfaces
>> edit port4 > the wan interface
-- Alias: wan
-- Addressing mode: DHCP
-- Retrieve default gateway from server: yes
-- Administrative Access: HTTPS PING SSH SNMP
-- [ port4 will be connected to the default gateway, in my case a FRITZ!Box ]
System > Config > SNMP
-- create a SNMPv1/v2c community name to monitor the box using a tool like checkmk
now let's create some policy rules, under: Policy & Objects > Policy > IPv4
-- let's make some simple rules, so that no addresses in the WAN subnet can be accessed, except the router (fritz.box)
-- 1: source=all, destination=192.168.2.1, always, service=HTTPS, deny
-- 2: source=all, destination=192.168.2.1, always, service=ALL, accept, NAT=enabled
-- 3: source=all, destination=192.168.2.0/25, always, service=ALL, deny
-- 4: source=all, destination=all, always, service=ALL, ACCEPT, NAT=enable
Fortinet - admin password reset / factory reset
FortiGate 80D
- console serial cable
- a terminal program like PuTTY or Tera Term VT
- the serial number of the device
> wait until the device has been started:
enter username: maintainer
pwd: bcp + serial number of the device in UPPERCASE
> now do a factory reset:
execute factoryreset
>> answer the question with yes if you want to do it
>after the reboot, you can login just with user admin and no password
#on a system where VDOMs are not enabled
# config system admin
edit admin
set password
end
#on a system with vdoms enabled
# config global
config system admin
edit admin
set password
end
on the linux shell, as the site user, run:
OMD[your-site-name]:~$ cmk --debug -vvn hostname
Office 365 Exchange > PST export
under Solutions > Content search (German UI: Lösungen > Inhaltssuche)
New search
>> Name: export-<mailbox name>
>> Specific locations: On > Exchange mailboxes
>> After that, the export to a PST file is possible
Content search
- Exchange content format
One PST file containing all messages
Download results > the eDiscovery export tool opens
#################################################
# important: use the Edge browser!!!
#################################################
######################################################
# iperf throughput measurement
######################################################
Throughput measurements with iPerf
iPerf introduction
• iPerf is a globally used, recognized open source tool for bandwidth measurements
• Available for over 15 years and free of charge for most operating systems
• Allows configuring TCP parameters such as TCP window size and segment size
• Caution: according to the experience of cnlab experts, the TCP parameters take effect differently on different operating systems. Verify with Wireshark!
• Measures packet loss and latency variation (jitter)
• Generates transfer data without accessing the storage media (and is therefore faster)
• The iPerf program is installed on two (or more) stations
• The role, client or server, is defined by the command entered (see example below)
Client with iPerf: iperf -c 192.168.0.200 -w 2M
Server with iPerf: iperf -s -w 2M
Throughput measurements with iPerf3
New features of iPerf3
• iPerf3 is a complete rewrite and is not compatible with older iPerf versions
• The TCP parameters for server and client now only need to be defined on the client!
• The client transmits these parameters to the server over a TCP session before the measurement
Client with iPerf3: iperf3 -c 192.168.0.200 -w 2M
Server with iPerf3: iperf3 -s
public iperf servers: https://iperf.fr/iperf-servers.php
example: iperf3 -c bouygues.iperf.fr -w 2M -R
-w 2M: TCP window size: 2 MByte
-R reverse direction (download)
- example invocations:
iperf -c 172.17.4.234 -i 2 -t 30 #interval measurements, every 2 seconds, for 30 seconds
iperf -c 172.17.4.234 -i 2 -t 30 -P 3 #interval measurements, every 2 seconds, for 30 seconds, 3 parallel streams
see also: https://iperf.fr/iperf-download.php
>> tested with aruba iap model 505
access console:
AP05# write erase all
Are you sure you want to erase the configuration? (y/n): y
Erase configuration all.
#restart access point
48:2f:6b:77:77:77# reload
>> the problem is always the same: SMB is too slow ;-))
because of the latency, which is about 10ms (at least) .. that means 2 x 10ms = 20ms waiting for a confirmation etc.
https://www.msxfaq.de/netzwerk/smb_im_wan.htm
#how to check the configuration of Microsoft Defender in PowerShell:
Get-MpPreference
#don't scan files of a special process
Add-MpPreference -ExclusionProcess "c:\yourpath\your-prog.exe"
#don't scan files of a defined path
Add-MpPreference -ExclusionPath "c:\yourpath"
Factory reset on a Mac Pro G5 or other version (tested with a Mac G5) - if you don't know the password
-- restart the machine
-- press the keys <command> + <s> at the same time when you see the black screen; if you have a Windows keyboard use <windows key> + <s>
-- you should see the root# prompt
-- to make modifications to files run: "mount -uw /"
-- now delete a file: "rm /var/db/.AppleSetupDone"
-- reboot the machine - command "reboot"
-- when the machine now boots, the welcome screen appears >> let's configure the new system
you need to define that in the config file: torrc
>> after modifying this file, you need to stop and start the Tor browser
you will probably find it in the directory
<your tor main directory>\Browser\TorBrowser\[Daten|Data]\Tor\torrc
>> here you can define EntryNodes and ExitNodes
EntryNodes {} StrictNodes 1
ExitNodes {} StrictNodes 1
>> if you set StrictNodes to 0 .. all countries are possible
>> you can specify several countries like this, in this example to have the US and Canada as exit nodes: {us},{ca}
>> you need to define:
ExitNodes {ch} StrictNodes 1
many tools are using mdb databases
here is a great freeware tool, in case you need to make a deep-dive database session:
http://www.alexnolan.net/software/mdb_viewer_plus.htm
- default host ip: dhcp
- there is a reset button: press for 10 seconds to restore default values
- default password is: 1234
- configuration via: web frontend
documentation:
- https://support.intellinet-network.com/
- https://cdn-reichelt.de/documents/datenblatt/E910/INT_524827_DB_DEU.pdf
- https://support.intellinet-network.com/products/intellinet-en-guestgate-mk-ii-524827
commandline commands:
- query user #show active sessions and the session id
- tscon #terminal session command
details can be found here:
- https://www.computerwoche.de/a/was-sie-ueber-rdp-hijacking-wissen-sollten,3549536 (german)
if you have trouble getting the checkmk exchange Nextcloud plugin running, this content may be helpful for you.
plugin / mkp package:
https://exchange.checkmk.com/p/nextcloud
[ version: [special_nextcloud_data] Version: 25.0.2.3 ]
[ checkmk version: 2.0.0p12 ]
>> we had no success in getting the data out of Nextcloud by configuring the plugin using the checkmk web frontend, so we made a deep dive on the console:
OMD[yoursite]:~$ cd local/share
OMD[yoursite]:~/local/share$ ./check_mk/agents/special/agent_nextcloud_data -u yourUsername -p yourPassword nextcloud.yourdomain.com
now we got the following error message:
-------------------------------------------------------------------
Traceback (most recent call last):
File "./check_mk/agents/special/agent_nextcloud_data", line 116, in <module>
data = response.json()
File "/omd/sites/rvm/lib/python3/requests/models.py", line 910, in json
return complexjson.loads(self.text, **kwargs)
File "/omd/sites/rvm/lib/python3.8/json/__init__.py", line 357, in loads
return _default_decoder.decode(s)
File "/omd/sites/rvm/lib/python3.8/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/omd/sites/rvm/lib/python3.8/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
-------------------------------------------------------------------
>>> by debugging the script, we found out that the problem was a special character in the password; we used a § and a $ sign.
Without these characters - with only a ! as special character - the plugin is working
Big Sur (for iMac 5k late 2014 running 10.10.5 Yosemite):
-- download software from: https://www.techspot.com/downloads/1928-macos-big-sur.html
-- see download links on apple support page:
https://support.apple.com/de-de/HT211683
problem: if you send an email to an Exchange Online hosted address you get this answer from the mail server:
microsoft office 365 error: smtp; 550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain.
solution:
- go to https://admin.exchange.microsoft.com/
-- Mail flow
--- Connectors: check your connector settings
in german:
- E-Mail-Fluss
-- Connectors: check your connector settings
additionally you can check your anti-spam settings:
- https://security.microsoft.com/
solution (if you get the 14 days message):
- go to https://admin.exchange.microsoft.com/
>> https://aad.portal.azure.com/
>> Azure Active Directory > Settings >> Disable Security standards
see also:
https://www.act-computer.de/hilfe-tipps/item/geloest-microsoft-365-zwei-faktor-authentifizierung-deaktivieren
openai / chatGPT - cool chatbot that answers all your questions:
- https://chat.openai.com/auth/login
under Windows the configuration files are stored under:
c:\Users\<username>\.nagstamon
in this directory there is a file "nagstamon.conf" with the common settings, and in the "servers" directory there are server-specific configuration files
this information should apply to version >= 3.x
see also:
https://nagstamon.de/documentation
#list installed packages
mkp list
#see details of a package, you will see things like version / author
mkp show <package name>
#see files of a package
mkp list <package name>
>> this will show up python files and more
#package info file, here you can change version number
~/var/check_mk/packages/<package name>
for example: set version to 1.1
>> line: 'version': '1.1',
#to build a new package run the pack command, but before that make sure to be in directory ~/var/check_mk/packages_local
mkp pack <package name>
using the IDE PyCharm, you can do this like this:
1) go to the terminal inside your project, "myFirstUI" as example
2) pip install pyinstaller
3) pyinstaller.exe main.py --onefile
4) in your project folder there will now be a folder "dist", with a file main.exe >> this is your executable file that you can copy to another PC
see also
- https://www.youtube.com/watch?v=bqNvkAfTvIc
https://www.arubanetworks.com/support-services/end-of-life/#product=aruba-central
for example - Aruba InstantOS Access Points:
https://www.arubanetworks.com/support-services/end-of-life/#product=instantos&version=0
InstantOS 8.10.x (LSR) 8.10.0.0: 13-Apr-22 13-Apr-26 13-Apr-27
systemctl show --property=DefaultTasksMax
>> only 64
>> increase the value, set the value to 1024 in file:
/etc/systemd/system.conf
>> reboot machine
>> the performance was much better afterwards!
see also:
https://www.ibm.com/docs/de/db2/11.5?topic=linux-troubleshooting-tasksmax-set-too-low
https://www.strato.de/faq/server/Wie-kann-ich-Performance-Einschraenkungen-bei-meinem-Server-pruefen/
on common Linux systems you can use the command
cat /proc/cpuinfo
to see the frequency of the CPUs
to see that on VMware ESXi, in the ESXi shell you can run the command:
- vim-cmd hostsvc/hosthardware
- vim-cmd hostsvc/hosthardware | grep -i hz
example:
[root@esxi1:~] vim-cmd hostsvc/hosthardware |grep -i hz
hz = 2596992066
hz = 2596992067,
busHz = 99884288,
description = "Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz",
hz = 2596992066,
busHz = 99884283,
description = "Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz",
see also:
https://kb.vmware.com/s/article/1031785
# settings in /etc/ssh/sshd_config should be like:
Subsystem sftp internal-sftp -f AUTH,USER -l VERBOSE
Match User testuser
ChrootDirectory /home/testuser
#ForceCommand internal-sftp -u 0002
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
>> you can also do a match on a group:
Match Group testgroup
# if you made changes to sshd_config, test the config syntax using "sshd -t" before you restart the SSH server using a command like "sudo systemctl restart sshd"
# the user, in this case testuser, should have a passwd entry with the shell set to nologin or false!
testuser:x:1010:1100::/home/testuser:/usr/sbin/nologin
# if you run into trouble, e.g. no login is possible, watch the log file using:
tail -f /var/log/auth.log
# make sure that all directories on the chroot path, in this case /home/testuser, have the right permissions and ownership. You can verify this for each directory using the command:
ls -ld /
ls -ld /home
ls -ld /home/testuser
> all directories should have 755 permissions with owner root, like:
drwxr-xr-x 20 root root 4096 Jan 20 09:30 /
#the commands above were tested on Ubuntu 22.04 LTS ...
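As an added example (not part of OpenSSH and not from the page), here is a small Python checker for the two preconditions described above: every directory from / down to the ChrootDirectory must be owned by root and not writable by group or others, and the user's passwd entry should point at the chroot with a nologin/false shell. The paths, uid and passwd line used in the demo are the page's own (testuser, /home/testuser); stat_fn is injectable so the check can be exercised against constructed data.

```python
# Added example: verify the preconditions sshd enforces for ChrootDirectory
# and the nologin-shell rule from the notes above. Not OpenSSH code.
import os
import stat
from pathlib import PurePosixPath
from typing import Callable, List

# Shells that deny an interactive login (SFTP via internal-sftp still works)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def chroot_path_problems(chroot: str, stat_fn: Callable = os.stat) -> List[str]:
    """Return findings for every directory from / down to the chroot itself.
    sshd refuses the chroot unless each component is a root-owned directory
    that is not group- or world-writable. stat_fn can be replaced for testing."""
    path = PurePosixPath(chroot)
    if not path.is_absolute():
        return [f"{chroot}: ChrootDirectory must be an absolute path"]
    problems = []
    # path.parents lists /home, / for /home/testuser; walk top-down, then the chroot
    for component in list(reversed(path.parents)) + [path]:
        name = str(component)
        try:
            st = stat_fn(name)
        except OSError as exc:
            problems.append(f"{name}: cannot stat ({exc})")
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{name}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{name}: owned by uid {st.st_uid}, must be root (uid 0)")
        if st.st_mode & 0o022:
            problems.append(
                f"{name}: mode {stat.S_IMODE(st.st_mode):04o} is group/world writable, use 0755"
            )
    return problems


def passwd_entry_problems(passwd_line: str, chroot: str) -> List[str]:
    """Check one /etc/passwd line: home should be the chroot, shell should deny login."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        return [f"malformed passwd line: {passwd_line!r}"]
    user, _, _, _, _, home, shell = fields
    problems = []
    if home != chroot:
        problems.append(f"{user}: home {home} differs from ChrootDirectory {chroot}")
    if shell not in NOLOGIN_SHELLS:
        problems.append(f"{user}: shell {shell} allows interactive login, use nologin or false")
    return problems


if __name__ == "__main__":
    # Runs against the real filesystem; the passwd line is the one from the notes above
    findings = chroot_path_problems("/home/testuser") + passwd_entry_problems(
        "testuser:x:1010:1100::/home/testuser:/usr/sbin/nologin", "/home/testuser"
    )
    print("\n".join(findings) if findings else "chroot preconditions look fine")
```

The walk mirrors what `ls -ld / /home /home/testuser` shows by hand; a single group-writable parent is enough for sshd to reject the session with "bad ownership or modes for chroot directory", which is exactly the case the log-watching tip above is meant to catch.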
some useful documentation can be found here:
- Aruba 2530 Multicasting and Routing Guide for AOS-S Switch 16.09
- AIRPLAY AND AIRPRINT ON CAMPUS NETWORKS AN ARUBA AIRGROUP SOLUTION GUIDE:
https://higherlogicdownload.s3.amazonaws.com/HPE/MigratedAttachments/E1200F32-65FA-4153-AC23-5657EFCBADAA-1-AirGroup%20TB_080112_FINAL.pdf
Console >> Configuration >> Users >> Click on your User >> User Settings >> Theme
here you can select: Classic | Dark | Modern | Paper-plane | Raw - Sunrise
after you select a different theme, save the settings and log off and log on again using that user; after that you should see the new settings
on the same page you can also set the user language!
#checkmk plugin - read the output of another checkmk agent over TCP and re-emit it as piggyback data for that host
#place this .ps1 (PowerShell) script in the directory: C:\ProgramData\checkmk\agent\plugins
$Server = "172.23.225.161"
$Port = 6556
$hostname = "my-host-name"
# piggyback header: everything up to <<<<>>>> is assigned to $hostname instead of the local host
Write-Output "<<<<$hostname>>>>"
$tcpClient = $null
$reader = $null
try {
    $tcpClient = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $tcpStream = $tcpClient.GetStream()
    $reader = [System.IO.StreamReader]::new($tcpStream)
    while (($Line = $reader.ReadLine()) -ne $null) {
        $Line
    }
}
finally {
    # always release the socket, and close the piggyback section so that the
    # output of the following plugins belongs to the local host again
    if ($reader) { $reader.Close() }
    if ($tcpClient) { $tcpClient.Close() }
    Write-Output "<<<<>>>>"
}
Aruba Central managed wlan > Aruba AOS-10 WLAN Tunnel and Bridge Modes using a Gateway
video from Nafith Salama: https://youtu.be/lPGQ1UG6Ewk
- controller Aruba A7005
- version 10.3.1.3
- Central managed controller
- licence for controller is: Foundation-WLAN-Client
- create a Gateway Group > AOS10> Mobility (since it is for campus)
- use some wizards
- on the AOS10 accesspoint,
>> create a "bridge" ssid with a static vlan (local breakout)
>> create a "tunneled" ssid
Aruba Central AOS 10 WLAN Gateway Redundancy
https://youtu.be/Ku34u0gRTHE
the problem is that there are a lot of HPE Visio files that contain many objects,
but how to find them?
I copied all shape files into one directory and in that directory I ran a grep query ;-)
user@mypc/cygdrive/c/users/user/Documents/Meine Shapes
$ grep -i j9576a *
grep: HPE-Networking-3xxx-Switches.vss: binary file matches
grep: _private: Is a directory
ip source-interface syslog vlan <your vlan>
Problem:
you want to create an extra user that should have access only to the visitor
area, to create guest accounts > but your user sees nothing
Solution found:
1) create a Resource Restriction Policy
HPE GreenLake > Manage Account > Identity & Access >> Resource Restriction Policy
>> add one or more central group's of your organisation to the policy
2) assign the Restriction Policy to the user:
HPE GreenLake > Manage Account > Identity & Access >> Assign Role
>> select Limit Resource Access and in that field use the Resource Restriction Policy created in step 1)
You need to allow this for a user account:
- Admin center > Active users > select the user:
- Select Mail > Email apps > Manage email apps:
- here you need to turn on "Authenticated SMTP"
after you did that you can use these SMTP server settings in your application:
- E-mail server: smtp.office365.com
- Port: 587
- Username: your Office 365 email address
- Password: your password
- SSL: turn on
pktmon is a built-in packet sniffer for Windows. It is available via the pktmon.exe command and via Windows Admin Center extensions.
commands:
- pktmon start help
- pktmon counters help
#run a realtime sniffing session
- pktmon start --etw --log-mode real-time
#save sniffing to file:
pktmon start -c --comp 12 --pkt-size 0 -f cap1.etl
#convert etl format to wireshark
pktmon etl2pcap cap1.etl --out cap1.pcapng
#see also
https://www.securitynik.com/2020/08/beginning-packet-capturing-with-windows.html
https://majornetwork.net/2023/05/capturing-packets-on-windows-with-packet-monitor-pktmon/
Windows Defender Firewall > settings > Logging:
here you can turn on logging; make sure that you turned on logging of dropped packets
the log files can be found here:
C:\Windows\System32\LogFiles\Firewall
checkmk - increase the limit for open files
<home-directory of your site>/etc/init.d/cmc
here you find under start:
>> # Try to raise the soft limit for open files. The Microcore needs a *lot* of open
>> # files when you have a large number of helper processes and/or Livestatus threads
>> # configured. Setting the soft limit to "unlimited" (i.e. the hard limit) is not a
>> # good idea, this limit can be very high (1 M), which negatively impacts closefrom().
>> for i in 8192 6144 4096 2048; do # find a sane soft limit below the hard one
>> ulimit -S -n $i 2> /dev/null && break
>> done
>> add 16384 before 8192 and restart your site
>> if you update to a new version, you need to check whether the setting is still there ;-((
how to make sure which are the real values?
>> create a script and use it as a local check; in the script dump the limit parameters using the command ulimit -a
>> here is such a sample script, that writes the values to /tmp/ulimit.log
#!/usr/bin/perl
# local check for the checkmk agent: dump the effective limits of the agent process
# to /tmp/ulimit.log (ulimit is a shell builtin, so it runs via system())
use strict;
use warnings;
system("ulimit -a >> /tmp/ulimit.log");
print "<<<check_mk>>>\n";
print "Version: pn-v2022-09-13\n";
print "<<<local>>>\n";
print "0 ulimit-openfiles - just for debug, write values to /tmp/ulimit.log\n";
you can use command:
ip -br addr show
example:
root@raspi:~ $ ip -br addr show
lo UNKNOWN 127.0.0.1/8 ::1/128
enxb827ebb0b9a8 UP 192.168.2.8/24 192.168.2.9/24
>> this linux device has two ip addresses 192.168.2.8 + 192.168.2.9
you can monitor Citrix information, things like
- Citrix server load
- Citrix sessions
use the plugin citrix_farm.ps1 for that and install the plugin on the Citrix controller machine. The checkmk agent on that machine needs to run under a user with Citrix admin rights!!
>> the plugin reads out the performance values for all Citrix machines and hands the data to the Citrix machines using the piggyback mechanism. Maybe you need to use the ruleset "Hostname translation for piggybacked hosts" to match the piggyback output to the hosts.
##see also:
https://forum.checkmk.com/t/check-mk-deutsch-windows-agent-dienst-unter-anderem-user-laufen-lassen/4562/5
Problem: a module like J4858D does not work in an Aruba CX 8325 switch; before, the module was working in an HPE 5406 switch, but it does not work in an Aruba 8325 CX switch
for example:
switch = JL635A Aruba 8325-48Y8C 48p 25G 8p 100G Switch
sfp module = J4858D (1G-SX)
>> in documentation, we find:
https://www.arubanetworks.com/assets/ds/DS_8325Series.pdf
1 Consult the ArubaOS-Switch and AOS-CX Transceiver Guide in the Aruba Support Portal for the minimum required software releases to support these transceivers. Guide also provides certain limitations for specific transceivers for use on switch models
>>> from the "Transceiver Guide" we find the information:
1G optics at the opposite end of the link
must NOT enable auto-negotiation and operate in full duplex mode.!!!
>> so this is the solution:
>>>> set the neighbor interface to full duplex
for example, if the neighbor switch is an HPE 2540 (ArubaOS / ProCurve), the uplink interface should look like:
interface 52
speed-duplex 1000-full
####################################################################
# >> very important!!!
# 1G optics at the opposite end of the link
# must NOT enable auto-negotiation and operate in full duplex mode.!!!
####################################################################
enabling spanning tree is not always a good idea; these days it may be better to use features like loop protection:
example:
interface 1/1/24
description Server-X
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1,100,101
loop-protect
loop-protect action do-not-disable
if there is a loop detected you will get log messages like:
<timestamp> .. <WARN> Event|2803|LOG_WARN|AMM|1/1|Loop detected on port lag256
>> make sure that you have some error detection in place that immediately informs you about such events, so that the loop causing device can be identified and disabled
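One way to build the "error detection in place" asked for above, as an added example that is not from the page or from Aruba/Dell: a small Python parser that picks the Aruba CX "Loop detected" events (this section) and the Dell N-Series AUTHMGR "Client authorized" lines (from the Dell port-security notes further up) out of a syslog stream, so they can be forwarded to an alert. The sample log lines are constructed from the two messages shown on the page; timestamps and hostnames are made up.

```python
# Added example: extract two switch events discussed on this page from syslog
# text: Aruba CX loop detections and Dell N-Series MAC/802.1X authorizations.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Dell N-Series AUTHMGR line, e.g.
# "... AUTHMGR[authmgrTask]: ... %% INFO Client authorized on port (Gi1/0/1) with VLAN type RADIUS."
DELL_AUTHORIZED = re.compile(
    r"AUTHMGR\[[^\]]*\]:.*?Client authorized on port \((?P<port>[^)]+)\)"
    r" with VLAN type (?P<vlan_type>\w+)"
)
# Aruba CX event, e.g. "<WARN> Event|2803|LOG_WARN|AMM|1/1|Loop detected on port lag256"
ARUBA_LOOP = re.compile(
    r"Event\|(?P<event_id>\d+)\|LOG_WARN\|AMM\|(?P<member>[^|]+)\|Loop detected on port (?P<port>\S+)"
)


@dataclass(frozen=True)
class SwitchEvent:
    kind: str    # "authorized" or "loop"
    port: str
    detail: str  # VLAN type for authorizations, event id for loop detections
    raw: str


def parse_switch_line(line: str) -> Optional[SwitchEvent]:
    """Return a SwitchEvent for a recognized line, None for everything else."""
    m = DELL_AUTHORIZED.search(line)
    if m:
        return SwitchEvent("authorized", m.group("port"), m.group("vlan_type"), line)
    m = ARUBA_LOOP.search(line)
    if m:
        return SwitchEvent("loop", m.group("port"), m.group("event_id"), line)
    return None


def triage(lines: Iterable[str]) -> List[SwitchEvent]:
    """Parse a stream of log lines, dropping everything that is not of interest."""
    return [ev for ev in (parse_switch_line(line) for line in lines) if ev is not None]


def loop_ports(events: Iterable[SwitchEvent]) -> List[str]:
    """Ports with at least one loop detection, deduplicated, in first-seen order:
    the candidates an operator should look at first."""
    seen: List[str] = []
    for ev in events:
        if ev.kind == "loop" and ev.port not in seen:
            seen.append(ev.port)
    return seen


# Constructed sample lines (the message texts follow the page, the rest is made up)
SAMPLE_LOG = [
    "<190> Dec 15 14:02:59 172.16.99.20-1 AUTHMGR[authmgrTask]: auth_mgr_sm.c(420) 548 %% INFO "
    "Client authorized on port (Gi1/0/1) with VLAN type RADIUS.",
    "2023-06-01T10:15:02 <WARN> Event|2803|LOG_WARN|AMM|1/1|Loop detected on port lag256",
    "2023-06-01T10:15:03 <INFO> Event|101|LOG_INFO|LLDP|1/1|Neighbor added on port 1/1/24",
    "2023-06-01T10:15:09 <WARN> Event|2803|LOG_WARN|AMM|1/1|Loop detected on port lag256",
]

if __name__ == "__main__":
    events = triage(SAMPLE_LOG)
    for ev in events:
        print(f"{ev.kind:10} port={ev.port:10} detail={ev.detail}")
    print("investigate:", loop_ports(events))  # ['lag256']
```

Feeding the syslog receiver's output through `triage` and paging on a non-empty `loop_ports` result gives the immediate notification the note above asks for; the authorization events are useful for the opposite check, spotting a port that was authorized with an unexpected VLAN type.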
a batch script that you can use with robocopy (note: /MIR mirrors the tree, so it also deletes everything in the destination that no longer exists in the source; a wrong destination path wipes that directory):
@echo off
setlocal
set "source_directory=C:\path\to\source\directory"
set "destination_directory=D:\path\to\destination\directory"
set /P answer="Are you ready for the backup? (Y/N) "
if /I not "%answer%"=="Y" (
    msg * "Backup process cancelled."
    exit /b 0
)
robocopy "%source_directory%" "%destination_directory%" /MIR /R:3 /W:10 /LOG+:"%TEMP%\robocopy.log"
rem robocopy exit codes are a bitmask: 1=files copied, 2=extra files in destination, 4=mismatches,
rem 8=some files could not be copied, 16=fatal error. Codes below 8 are success, so a check
rem like "if %errorlevel% neq 0" would report every normal copy as a failure. In addition,
rem %errorlevel% inside a parenthesized block is expanded before the block runs, so it would
rem not even hold robocopy's exit code. "if errorlevel 8" is evaluated at run time and is true
rem for every exit code >= 8.
if errorlevel 8 (
    msg * "Robocopy sync failed! Please check %TEMP%\robocopy.log for details."
    exit /b 1
)
msg * "Robocopy sync completed successfully!"
pause
---------------------
another example, with a UNC target directory. robocopy has no /USER or /PASSWORD switches; authenticate to the share first with net use (the * makes it prompt for the password instead of leaving it in the script and in the process command line, where every local user can read it):
net use \\servername\shared_folder /user:DOMAIN\username *
robocopy C:\source_folder \\servername\shared_folder /MIR
net use \\servername\shared_folder /delete
about /IF: robocopy /? lists /IF only as "Include the following Files"; it does not make robocopy skip the run when the destination directory is missing. If you want to mirror only into an existing destination, test for it before calling robocopy:
if not exist "D:\path\to\destination\directory\" exit /b 1
checkmk 2.1 > [agent] Success, Missing monitoring data for plugins: wmi_cpuload <<WARN>>
the problem seems to be that sometimes the Windows machine does not deliver WMI data, and since
checkmk version 2.1 the handling of missing data on the server side is different, so that we get a warning.
It is said that updating the client agent to a version > 2.1 as well should improve that, but if you need a quick solution
you can take the advice from this checkmk forum thread:
https://forum.checkmk.com/t/update-from-2-0-0p22-to-2-1-missing-monitoring-data-for-plugins-wmi-cpuload/31815/45
on your checkmk server modify the file wmi_cpuload.py:
/omd/versions/default/lib/python3/cmk/base/plugins/agent_based/wmi_cpuload.py
--------------------------------------------------------------------------------
Original
--------------------------------------------------------------------------------
    try:
        load = wmi_tables["system_perf"].get(0, "ProcessorQueueLength")
        timestamp = get_wmi_time(wmi_tables["system_perf"], 0)
        computer_system = wmi_tables["computer_system"]
    except (KeyError, WMIQueryTimeoutError):
        return None
    assert load
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
changed version
--------------------------------------------------------------------------------
    try:
        load = wmi_tables["system_perf"].get(0, "ProcessorQueueLength")
    except (KeyError, WMIQueryTimeoutError):
        load = 0.0
    try:
        timestamp = get_wmi_time(wmi_tables["system_perf"], 0)
    except (KeyError, WMIQueryTimeoutError):
        timestamp = 0.0
    try:
        computer_system = wmi_tables["computer_system"]
    except (KeyError, WMIQueryTimeoutError):
        return None
--------------------------------------------------------------------------------
ps:
- when I tested this I was running CEE 2.1.0.p22
- keep the indentation consistent when editing wmi_cpuload.py; Python treats an indentation error as a syntax error and the whole plugin stops loading!
- the file lives in the version directory (/omd/versions/...), not in the site, so the change applies to every site running that version and is lost on the next version update; keep a copy of the edited file
>> you can verify this by running an inventory query from the command line
>> OMD[your-site]: cmk -I a_windows_host
to find link monitor problems, use this filter:
- Any of these words: FWStatus
- AND Exact match: Link Monitor
How to change the result panel order column?
- check the settings-conf file!
"C:\Users\username\AppData\Roaming\DocFetcher\conf\programs-conf.txt"
# By default, the program initially sorts the results by score. To change the
# initial sorting criterion, specify the number of the column to sort by here.
# The numbering starts at 1. Zero and out-of-range values will be ignored.
# If the value is negative, the sorting is reversed, e.g., "-2" means "sort by
# second column, but in reversed order".
InitialSorting = -8
.. if you want to sort by latest date use -8
see also
- https://sourceforge.net/p/docfetcher/wiki/FAQ/
ClearPass certificates
See also documentation from: ClearPass Certificates 101 Technote
V1.2:
https://www.hpe.com/psnow/doc/a00100345en_us
https://support.hpe.com/hpesc/public/docDisplay?docId=a00100345en_us&docLocale=en_US
Radius Service
- use a private CA certificate for RADIUS
- use the same RADIUS certificate on all your ClearPass servers
- subject could be: cn=ClearPass-Radius,ou=IT,O=your organisation,L=your location,ST=BW,C=DE
- Create the Certificate Signing Request on the first RADIUS server > install the certificate on the first RADIUS server.
After installation > export the RADIUS certificate with the private key and save it to a file.
>> now import the saved file with certificate and private key to all other RADIUS servers
>> the exported file contains the private key that every supplicant trusts for 802.1X: protect the export with a strong password (PKCS#12), transfer it over an encrypted channel only, and delete it from workstations and shares once all servers have it
-links:
Aruba ClearPass Workshop - Wireless #2 - Installing the ClearPass RADIUS certificate
https://www.youtube.com/watch?v=G7I2JyF8z7w&list=PLsYGHuNuBZcb0xD05v9zdwv7NlUG_8oJS&index=36
sh port all = sh interface brief
sh fiber-ports optics-info all = sh interface transceiver
show interface ethernet all
show port all
show poe port info all
if you search for the good old network settings under windows just run a:
execute: ncpa.cpl
(c:\windows\system32\ncpa.cpl)
Problem: service SQLServer (JTLWAWI) was not automatically started, and fails when trying to do it manually
>> check log files: C:\Program Files\Microsoft SQL Server\MSSQL15.JTLWAWI\MSSQL\Log\...lates log
Error: Initializing the FallBack certificate failed with error code: 15, state: 29, error number: 0.
2023-03-22 17:56:58.29 Server Database Instant File Initialization: deaktiviert. For security and performance considerations see the topic 'Database Instant File Initialization' in SQL Server Books Online. This is an informational message only. No user action is required.
2023-03-22 17:56:58.30 Server Total Log Writer threads: 3. This is an informational message; no user action is required.
2023-03-22 17:56:58.32 Server clflush is selected for pmem flush operation.
2023-03-22 17:56:58.32 Server Software Usage Metrics is disabled.
2023-03-22 17:56:58.35 spid11s Starting up database 'master'.
2023-03-22 17:56:58.45 spid11s 4 transactions rolled forward in database 'master' (1:0). This is an informational message only. No user action is required.
2023-03-22 17:56:58.49 spid11s 0 transactions rolled back in database 'master' (1:0). This is an informational message only. No user action is required.
2023-03-22 17:56:58.58 Server Common language runtime (CLR) functionality initialized using CLR version v4.0.30319 from C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.
2023-03-22 17:56:58.83 spid11s Resource governor reconfiguration succeeded.
2023-03-22 17:56:58.83 spid11s SQL Server Audit is starting the audits. This is an informational message. No user action is required.
2023-03-22 17:56:58.84 spid11s SQL Server Audit has started the audits. This is an informational message. No user action is required.
2023-03-22 17:56:58.86 spid11s FILESTREAM: connected to kernel driver RsFx0600. This is an informational message. No user action is required.
2023-03-22 17:56:58.87 spid11s FILESTREAM: effective level = 2 (remote access disabled), configured level = 2, file system access share name = 'JTLWAWI'.
2023-03-22 17:56:58.87 spid11s FILESTREAM feature is enabled. This is an informational message. No user action is required.
2023-03-22 17:56:59.00 spid11s SQL Trace ID 1 was started by login "sa".
2023-03-22 17:56:59.01 spid11s Server name is 'WAWI-SERVER\JTLWAWI'. This is an informational message only. No user action is required.
2023-03-22 17:56:59.05 spid29s Error: 17190, Severity: 16, State: 1.
2023-03-22 17:56:59.05 spid29s Initializing the FallBack certificate failed with error code: 15, state: 29, error number: 0.
2023-03-22 17:56:59.06 spid29s Unable to initialize SSL encryption because a valid certificate could not be found, and it is not possible to create a self-signed certificate.
2023-03-22 17:56:59.06 spid29s Error: 17182, Severity: 16, State: 1.
2023-03-22 17:56:59.06 spid29s TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support.
2023-03-22 17:56:59.06 spid29s Error: 17182, Severity: 16, State: 1.
2023-03-22 17:56:59.06 spid29s TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors.
2023-03-22 17:56:59.06 spid29s Error: 17826, Severity: 18, State: 3.
2023-03-22 17:56:59.06 spid29s Could not start the network library b
>> https://blog.sqlauthority.com/2018/11/12/sql-server-initializing-the-fallback-certificate-failed-with-error-code-1-state-20-error-number-0/
>> it looks like the user profile of the service account is corrupted in the registry (the self-signed fallback certificate is created in the service account's user certificate store, so the profile must be loadable)
>> check the profiles: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
>> in our case there was a .bak profile .. we renamed the newly created profile and removed the .bak from the old profile name, and everything was fine again
ssh login:
racadm>>racadm set System.ServerOS.HostName DELLT340
#####################
# svn-cheat-sheet
#####################
list all repos
==============
>> http://<server>/svn/
>> or: svn ls -R
create repo
===========
>> go into /svn
>> svnadmin create <repo_name>
>> change permissions of the repository to the right user and group
checkout repo
=============
>> go into /omd/sites/mysite
>> svn checkout --force <URL> .
>> eg: svn checkout --force http://<server>/svn/checkmk_mkp_xfusion/ .
enable keyword substitution
=========================
>> svn propset svn:keywords "Date Revision Author" <files/path>
add files to repo
=================
>> svn add <file/path>
>> if you want to include all subfolders use: svn add --parents <file/path>
remove files from repo
======================
>> svn delete <file/path>
commit changes
==============
>> svn commit -m "<message>"
show added files
================
>> svn status | grep '^A'   (match only lines whose status column is A; a plain "grep A" also hits file names containing an A)
keywords
========
#################################
# $Rev$
# $Date$
# $Author$
#################################
KNX IP devices - with aruba os switches
----------------------------------------------------------------------
>> for communication the multicast default address is 224.0.23.12 !
>> it is very important that igmp is configured, and one of the switches has the igmp querier role !
----------------------------------------------------------------------
The IP routing multicast address defines the destination address for the IP messages of KNX IP devices.
The default address 224.0.23.12 is the address for KNXnet/IP devices set by the KNX Association in conjunction with IANA.
This address should be maintained and only changed if the existing network requires the use of a different address.
By default, these messages are sent as multicast messages to the multicast IP address 224.0.23.12, port 3671.
------------------------------------------
Configuration on Aruba OS switch side
------------------------------------------
- own vlan, for example vlan 100 name knx (plain KNXnet/IP routing without KNX IP Secure has no authentication, so every host in that VLAN can read and inject telegrams; keep the VLAN for the KNX devices only)
- configure all knx ip devices to be in vlan 100 (untagged)
- enable igmp on the switch and the vlan!
(1) set the ip lookup mode, to be able to use igmp version 3
>> igmp lookup-mode ip
(2) enable igmp in the vlan and assign for example ports 1 to 5 on the switch; also give the switch an ip address in that vlan, so that the igmp network has a querier!
>> vlan 100
name "knx"
untagged 1-5
ip address 10.24.100.50 255.255.255.0
ip igmp
ip igmp version 3
exit
- igmp show commands
(1)
show ip igmp groups
IGMP Group Address Information
VLAN ID Group Address Expires UpTime Last Reporter | Type
------- --------------- ------------- ------------- --------------- + ------
100 224.0.23.12 0h 4m 14s 0h 28m 31s 10.24.100.20 | Filter
100 224.22.4.224 0h 4m 17s 0h 28m 32s 10.196.69.10 | Filter
(2)
show ip igmp
> here you should see the Querier Address
- how to see the igmp messages? debugging on switch
>> debug ip igmp
>> debug destination session
>> to turn off, say: no debug ip igmp
you should see messages like this:
0008:18:05:26.57 IGMP mIpPktRecv: Received an IGMP v3 membership report; VID:100
port:1 src:10.24.100.20 dest:224.0.23.12
example KNX ip device: ABB i-bus® KNX IP-Router IPR/S 3.1.1, product manual:
-- https://new.abb.com/products/de/2CDG110175R0011/ipr-s3-1-1
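As an added example (not from the original notes), here is a Python script that parses the "show ip igmp groups" table shown above and audits the KNX VLAN: the KNX group 224.0.23.12 must have a member, every last reporter must belong to the VLAN's own subnet (10.24.100.0/24 from the configuration above), and any other group is reported as unexpected multicast in a VLAN that should only carry KNX. The sample table is constructed from the output above; the second row with reporter 10.196.69.10 is exactly the kind of entry this should flag.

```python
import ipaddress
import re

# Constructed sample: the "show ip igmp groups" output of the ArubaOS switch from the notes above.
SAMPLE_IGMP_GROUPS = """\
IGMP Group Address Information
  VLAN ID Group Address   Expires       UpTime        Last Reporter   | Type
  ------- --------------- ------------- ------------- --------------- + ------
  100     224.0.23.12     0h  4m 14s    0h 28m 31s    10.24.100.20    | Filter
  100     224.22.4.224    0h  4m 17s    0h 28m 32s    10.196.69.10    | Filter
"""

KNX_GROUP = ipaddress.ip_address("224.0.23.12")  # KNXnet/IP routing multicast group (port 3671)

ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<group>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<expires>\d+h\s+\d+m\s+\d+s)\s+(?P<uptime>\d+h\s+\d+m\s+\d+s)\s+"
    r"(?P<reporter>\d+\.\d+\.\d+\.\d+)\s*\|\s*(?P<type>\w+)"
)


def hms_to_seconds(text):
    """'0h  4m 14s' -> 254 seconds."""
    h, m, s = (int(x) for x in re.findall(r"\d+", text))
    return h * 3600 + m * 60 + s


def parse_igmp_groups(output):
    """Parse the table rows into dicts; header and separator lines do not match ROW_RE."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "vlan": int(m["vlan"]),
            "group": ipaddress.ip_address(m["group"]),
            "expires": hms_to_seconds(m["expires"]),
            "uptime": hms_to_seconds(m["uptime"]),
            "reporter": ipaddress.ip_address(m["reporter"]),
            "type": m["type"],
        })
    return rows


def audit_knx_vlan(rows, vlan, subnet, expected_group=KNX_GROUP):
    """Return a list of findings (strings) for one VLAN.

    - the expected KNX group must have at least one member; if not, no KNX device joined
      or there is no querier and the snooping entries have timed out
    - every reporter must be an address of the VLAN's own subnet; anything else is a host
      that does not belong there, or a routing / IGMP misconfiguration
    - any other group is unexpected multicast in a VLAN that should only carry KNX
    """
    net = ipaddress.ip_network(subnet)
    findings = []
    vlan_rows = [r for r in rows if r["vlan"] == vlan]
    if not any(r["group"] == expected_group for r in vlan_rows):
        findings.append(f"vlan {vlan}: expected group {expected_group} has no members")
    for r in vlan_rows:
        if r["reporter"] not in net:
            findings.append(f"vlan {vlan}: reporter {r['reporter']} for {r['group']} is outside {net}")
        if r["group"] != expected_group:
            findings.append(f"vlan {vlan}: unexpected group {r['group']} joined by {r['reporter']}")
    return findings


if __name__ == "__main__":
    for finding in audit_knx_vlan(parse_igmp_groups(SAMPLE_IGMP_GROUPS), 100, "10.24.100.0/24"):
        print(finding)
```

Feed it the real output (for example via an SSH session or a checkmk local check wrapper) and page on any finding; an empty KNX group for more than the IGMP membership timeout usually means the querier is gone.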
(1) go to watchguard.com
(2) login to watchguard.com with your account
(3) my watchguard >> activate products >> enter your license key (may also be a serial number)
(4) activate your license on the specific firewall
(4.1) [firecluster] the total security license should be activated on the main firewall
(4.2) [firecluster] the standard security license should be activated on the secondary firewall
(5) get the feature key(s)
(6) go into the watchguard system manager
(7) import/update the new feature key(s)
(7.1) [firecluster] the feature keys need to be imported/updated via the firecluster settings
client track ip (AOS-CX: enable IP client tracking per vlan, disable it on single interfaces)
vlan 100
    client track ip
vlan 1001
    client track ip
interface 1/1/1
    client track ip disable
call the shelly using a script:
root@lnx02:~/bin# ./getShelly1pmTemperature4checkmk.pl 192.168.2.170
<<<check_mk>>>
version: 2023-04-01
<<<local>>>
0 Shelly1pm-Temperature temp=30.6 30.6 C
0 Shelly1pm--t1 temp=42.12 Temperature from Sensor 1: 42.12
0 Shelly1pm--t2 temp=54.38 Temperature from Sensor 2: 54.38
0 Shelly1pm--t3 temp=41.12 Temperature from Sensor 3: 41.12
-------------------------------------------------------------------------------------
>> here is the script
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
#!/usr/bin/perl
################################################################################
#
# getShelly1pmTemperature4checkmk.pl
#
# checkmk local check to get the temperature from a shelly device
#
# (c) by m.wendig v2023-04
#
################################################################################
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use JSON qw( decode_json );
use Data::Dumper;
my $version='2023-04-01';
my $cname='Shelly1pm';
my $debug=0;
my $shelly_ip = shift;
# optional names for the external sensors; default to '' so the service name stays stable
my @ext_temp_names = map { defined $_ ? $_ : '' } (shift, shift, shift, shift, shift);
if (!defined $shelly_ip) {
    print "usage:\n";
    print "getShelly1pmTemperature4checkmk.pl <Shelly IP> [ext_temp_name_1] [ext_temp_name_2] [ext_temp_name_3] [ext_temp_name_4] [ext_temp_name_5]\n";
    print "Example: getShelly1pmTemperature4checkmk.pl 192.168.1.10 temp-top temp-middle temp-bottom\n";
    exit 1;
}
# timeout, otherwise an unreachable shelly blocks the whole agent run
my $ua = LWP::UserAgent->new(timeout => 10);
my $url = "http://$shelly_ip/status";
my $req = HTTP::Request->new(GET => $url);
my $res = $ua->request($req);
print "<<<check_mk>>>\n";
print "version: $version\n";
print "<<<local>>>\n";
if ($res->is_success) {
    # decode_json dies on invalid JSON; report that as CRIT instead of crashing the check
    my $json = eval { decode_json($res->content) };
    if (!defined $json) {
        print "2 $cname-Temperature - Invalid JSON from Shelly: $@\n";
        exit 0;
    }
    print Dumper($json) if $debug;
    # internal temperature in Celsius
    my $temp = $json->{tmp}{tC};
    my $temp_unit = $json->{ext_sensors}{temperature_unit} // 'C';
    if (defined $temp) {
        print "0 $cname-Temperature temp=$temp $temp $temp_unit\n";
    } else {
        print "3 $cname-Temperature - No internal temperature in status\n";
    }
    # external sensors are listed under ext_temperature with the keys "0" .. "4"
    for my $i (0..4) {
        my $ext_temp = $json->{ext_temperature}{$i}{tC};
        next unless defined $ext_temp;
        my $n = $i + 1;
        print "0 $cname-$ext_temp_names[$i]-t$n temp=$ext_temp Temperature from Sensor $n: $ext_temp\n";
    }
} else {
    print "2 $cname-Temperature - Failed to fetch temperature data from Shelly: " . $res->status_line . "\n";
}
Set access level to Superuser
To set the root password, first set the access level to Superuser:
Go to Settings, General
Set the Access Level to User and installer, the password is ZZZ
Highlight Access Level (don't open the select page, ie. make sure you are in the General Page, not the Access Level page)
Press and hold the right button of the center pad until you see the Access Level change to Superuser. Note: when working from the Remote Console, you need to use the right key on your keyboard. Pressing and holding the right button with your mouse won't work.
Now you have access to the super user features.
https://www.victronenergy.com/live/ccgx:root_access
Note that on a touchscreen, such as a Cerbo GX + GX Touch, there is no “right button”. Instead, drag the menu down and hold it down for five seconds. Or, use Remote Console.
solution: a script called "getArpFromRouter.pl"
--------------------------------------------------------------------------------------------------
#!/usr/bin/perl
##############################################################################
#
# This script retrieves the ARP table entries of a router using SNMP and
# displays them in a human-readable format.
#
# It first walks the IF-MIB::ifName table with snmpwalk and stores the
# interface names in the hash %vlannames, keyed by ifIndex. It then walks
# the IP-MIB::ipNetToMediaPhysAddress table, whose index is <ifIndex>.<ip>,
# and prints IP address, MAC address, interface name (on a router this is
# the VLAN interface) and ifIndex as a formatted table.
#
# This is a quick way to see the ARP table of a router, which can be useful
# for troubleshooting network issues or spotting unknown devices.
#
# usage: ./getArpFromRouter.pl
#
# output sample:
#
# 10.20.30.141    aa:bb:cc:1f:a5:75    vlantest             1712.
# 10.20.30.142    aa:bb:cc:1f:a5:7a    vlantest             1712.
#
##############################################################################
use strict;
use warnings;
# SNMP credentials and target router IP address
# (SNMPv2c sends the community in clear text; use a read-only community and prefer SNMPv3 where the router supports it)
my $community = "public";
my $router_ip = "192.168.2.1";
# OID for the IP-MIB::ipNetToMediaPhysAddress table
my $ip_oid = "IP-MIB::ipNetToMediaPhysAddress";
# OID for the IF-MIB::ifName table
my $vlan_oid = "IF-MIB::ifName";
# Set debug flag
my $debug = 1;
my %vlannames;
# run snmpwalk without a shell (list form of open), so the arguments are never shell-interpreted
sub snmpwalk_lines {
    my ($oid) = @_;
    open(my $fh, "-|", "snmpwalk", "-c", $community, "-v", "2c", $router_ip, $oid)
        or die "Could not run snmpwalk: $!";
    my @lines = <$fh>;
    close($fh) or warn "snmpwalk $oid exited with status $?\n";
    chomp(@lines);
    return @lines;
}
sub main {
    # Walk the IF-MIB::ifName table and store the interface names keyed by ifIndex
    print "DEBUG: Retrieving interface names from $vlan_oid\n" if $debug;
    for my $line (snmpwalk_lines($vlan_oid)) {
        # e.g.: IF-MIB::ifName.1712 = STRING: vlantest
        my ($vlan_id, $vlan_name) = ($line =~ /\.(\d+)\s+=\s+STRING:\s+(.+)/);
        next unless defined $vlan_id;
        $vlannames{$vlan_id} = $vlan_name;
        print "DEBUG: Received interface name: $vlan_name (ifIndex: $vlan_id)\n" if $debug;
    }
    print "---- Interface Names ----\n";
    foreach my $vlan_id (sort { $a <=> $b } keys %vlannames) {
        print "ifIndex: $vlan_id, name: $vlannames{$vlan_id}\n";
    }
    # Walk the IP-MIB::ipNetToMediaPhysAddress table and print interface name, IP, and MAC
    print "DEBUG: Retrieving $ip_oid table from $router_ip\n" if $debug;
    for my $line (snmpwalk_lines($ip_oid)) {
        # e.g.: IP-MIB::ipNetToMediaPhysAddress.1712.10.20.30.141 = STRING: aa:bb:cc:1f:a5:75
        my ($vlan_id, $ip, $mac) = ($line =~ /ipNetToMediaPhysAddress\.(\d+)\.(\d{1,3}(?:\.\d{1,3}){3})\s+=\s+STRING:\s+(\S+)/);
        next unless defined $mac;
        # Look up the interface name; fall back to the ifIndex if it is unknown
        my $vlan_name = $vlannames{$vlan_id} // "ifIndex-$vlan_id";
        printf("%-15s %-20s %-20s %-10s\n", $ip, $mac, $vlan_name, "$vlan_id.");
    }
}
# Call main function
main();
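An added example (not from the original notes): the same snmpwalk lines parsed in Python and compared between two runs, which turns the ARP listing into a simple check for ARP spoofing or duplicate addresses (an IP whose MAC changed, or one MAC answering for several IPs). net-snmp prints PhysAddress octets without zero padding, so the MACs are normalised before comparison. Both walks are constructed sample data; the second one contains a host (10.20.30.142) that suddenly shares the gateway's MAC.

```python
import re
from collections import defaultdict

# Constructed snmpwalk output in the format the Perl script above parses:
# IP-MIB::ipNetToMediaPhysAddress.<ifIndex>.<ip> = STRING: <mac>
WALK_MONDAY = """\
IP-MIB::ipNetToMediaPhysAddress.1712.10.20.30.1 = STRING: aa:bb:cc:0:0:1
IP-MIB::ipNetToMediaPhysAddress.1712.10.20.30.141 = STRING: aa:bb:cc:1f:a5:75
IP-MIB::ipNetToMediaPhysAddress.1712.10.20.30.142 = STRING: aa:bb:cc:1f:a5:7a
"""
WALK_TUESDAY = """\
IP-MIB::ipNetToMediaPhysAddress.1712.10.20.30.1 = STRING: de:ad:be:ef:0:1
IP-MIB::ipNetToMediaPhysAddress.1712.10.20.30.141 = STRING: aa:bb:cc:1f:a5:75
IP-MIB::ipNetToMediaPhysAddress.1712.10.20.30.142 = STRING: de:ad:be:ef:0:1
IP-MIB::ipNetToMediaPhysAddress.1712.10.20.30.143 = STRING: aa:bb:cc:1f:a5:7b
"""

LINE_RE = re.compile(
    r"ipNetToMediaPhysAddress\.(?P<ifindex>\d+)\.(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s*=\s*STRING:\s*(?P<mac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})"
)


def normalize_mac(mac):
    """net-snmp prints octets without zero padding ('aa:bb:cc:0:0:1'); make them comparable."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp_walk(text):
    """Return {ip: (ifindex, mac)} from snmpwalk output lines."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            table[m["ip"]] = (int(m["ifindex"]), normalize_mac(m["mac"]))
    return table


def compare_arp(old, new):
    """Differences between two snapshots that matter for spoofing / rogue device detection."""
    changed = {ip: (old[ip][1], new[ip][1])
               for ip in old.keys() & new.keys() if old[ip][1] != new[ip][1]}
    appeared = sorted(new.keys() - old.keys())
    vanished = sorted(old.keys() - new.keys())
    by_mac = defaultdict(list)
    for ip, (_, mac) in new.items():
        by_mac[mac].append(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"changed_mac": changed, "appeared": appeared, "vanished": vanished, "shared_mac": shared}


if __name__ == "__main__":
    report = compare_arp(parse_arp_walk(WALK_MONDAY), parse_arp_walk(WALK_TUESDAY))
    for ip, (before, after) in sorted(report["changed_mac"].items()):
        print(f"MAC of {ip} changed {before} -> {after}")
    for mac, ips in report["shared_mac"].items():
        # a router with VRRP or proxy ARP legitimately answers for several IPs; a host does not
        print(f"MAC {mac} answers for several IPs: {', '.join(ips)}")
    print("new hosts:", report["appeared"], "gone:", report["vanished"])
```

Run the Perl script (or snmpwalk) from cron, keep the last output, and compare; a changed MAC for the gateway address is the classic sign of ARP spoofing, while a MAC shared by a gateway and a workstation is the attacker's own interface.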
press <FN> + <backspace> key
>> the backspace key is the key with the sign " <---"
available firmware:
- MW3_16U_5406_1.57.bin
https://zinnzgreen.de/service/deye-mikrowechselrichter-systemupdate/
cool tool in case you have trouble booting a linux machine:
https://www.supergrubdisk.org/super-grub2-disk/
if the name of the partition holding the root file system ( / ) has changed, change /etc/fstab to the correct partition name (better: use the UUID shown by blkid) and run "grub-install" to write the MBR (Master Boot Record) to the hard drive
deye 600 or 800w microinverter (for example for a "Balkonkraftwerk", a balcony solar plant), how to read out data using a script? in my case a perl script?
##########################################################################################
# >> here is a solution: getDeyePowergenerationData.pl
##########################################################################################
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Long;
use strict;
##########################################################################
#
# getDeyePowergenerationData.pl
#
# get some data from a deye inverter like the current power, firmware, serial, wlan quality / information
#
# use the parameter --checkmk if you want to get the output in checkmk output format,
# then you can use the script as an individual script in checkmk!
# (Individual program call instead of agent access)
#
# usage:
# ./getDeyePowergenerationData.pl [--checkmk] [--debug] <ip_address> <name> <username> <password>
#
# note: the password is passed on the command line, so it is visible to every local user in the
# process list (ps) and may end up in the shell history
#
# needs some libraries:
# install them with this command: cpan DateTime::Event::Sunrise
# or: apt-get install libdatetime-event-sunrise-perl
# apt-get install liblist-moreutils-perl
#
# (c) sys4com 2023
#
##########################################################################
my $version='s4c-2023-08-09';
use DateTime;
use DateTime::Event::Sunrise;
my ($ip_address, $name, $checkmk, $debug, $username, $password);
# Parse command line options
GetOptions(
'checkmk' => \$checkmk,
'debug' => \$debug
) or die "Usage: $0 [--checkmk] [--debug] <ip_address> <name> <username> <password>\n";
# Get the IP address and name from remaining command line arguments
($ip_address, $name, $username, $password) = @ARGV;
# Check if arguments were provided
unless (defined $ip_address && defined $name && defined $username && defined $password) {
print "Usage: $0 [--checkmk] [--debug] <ip_address> <name> <username> <password>\n";
exit;
}
# Set the URL of the page to fetch
my $url = "http://$ip_address/status.html";
my $current_power=0;
my $yield_today=0;
my $yield_total=0;
my $serial_device='';
my $serial_inverter='';
my $firmware='';
my $control=0;
my $sta_ssid=''; #wlan
my $sta_rssi=0; #wlan signal connection strength
my $sta_ip=''; #wlan ip
my $sta_mac=''; #wlan mac
# Location (latitude / longitude) used for the sunrise/sunset check; Stuttgart here, adjust to your site
my $latitude = 48.7758; # latitude of Stuttgart
my $longitude = 9.1829; # longitude of Stuttgart
my $isDaytime = is_it_daytime($latitude, $longitude);
#if ($isDaytime) {
# print "It is still daylight in Stuttgart.\n";
#} else {
# print "It is dark in Stuttgart.\n";
#}
#
if ($isDaytime){
# Create a new LWP::UserAgent object with a timeout, so an unreachable inverter does not block the checkmk agent run
my $ua = LWP::UserAgent->new(timeout => 10);
# Create a new HTTP::Request object with basic auth credentials (sent base64-encoded, i.e. in clear text, over http)
my $request = GET $url;
$request->authorization_basic($username, $password);
# Make the HTTP request and get the response
my $response = $ua->request($request);
# Check if the request was successful
if ($response->is_success) {
my $content = $response->content;
my @carray = split /\n/,$content;
my $i=0;
foreach my $line (@carray){
$i++;
print "$i: $line\n" if $debug;
if ($line=~ /var webdata_now_p.*\"(.*)\"/) { $current_power = $1; $control++; }
if ($line=~ /var webdata_today_e .*\"(.*)\"/) { $yield_today = $1; $control++; }
if ($line=~ /var webdata_total_e .*\"(.*)\"/) { $yield_total = $1; $control++; }
if ($line=~ /var webdata_sn.*\"(.*)\"/) { $serial_inverter = $1; $control++; $serial_inverter=~s/\s//g; }
if ($line=~ /var cover_mid.*\"(.*)\"/) { $serial_device = $1; $control++; }
if ($line=~ /var cover_ver.*\"(.*)\"/) { $firmware = $1; $control++; }
if ($line=~ /var cover_sta_ssid.*\"(.*)\"/) { $sta_ssid = $1; $control++; }
if ($line=~ /var cover_sta_rssi.*\"(.*)%\"/) { $sta_rssi = $1; $control++; }
if ($line=~ /var cover_sta_ip.*\"(.*)\"/) { $sta_ip = $1; $control++; }
if ($line=~ /var cover_sta_mac.*\"(.*)\"/) { $sta_mac = $1; $control++; }
}
} else {
print "HTTP request failed: " . $response->status_line . "\n";
}
}else{
$current_power=0;
$yield_today=0;
$yield_total=0;
$serial_inverter = 'na';
$serial_device = 'na';
$firmware = 'na';
$sta_ssid = 'na';
$sta_rssi = 0;
$sta_ip = 'na';
$sta_mac = 'na';
$control = 10;
}
if ($checkmk){
my $status=0;
my $txt_warn="";
print "<<<check_mk>>>\n";
print "version: $version\n";
print "<<<local>>>\n";
my $str_perf = "current-power=$current_power|production-today=$yield_today|production-total=$yield_total";
my $str_txt = "current-power=$current_power W, today=$yield_today kWh, total=$yield_total kWh, ".
"serial-inverter=$serial_inverter, serial-device=$serial_device, firmware=$firmware, name=$name.";
if ($control != 10){
$status = 1;
$txt_warn = " WARNING - could not get all values! ";
}
print "$status power power=$current_power current-power=$current_power W\n";
print "$status today today=$yield_today today=$yield_today kWh\n";
print "$status total total=$yield_total total=$yield_total kWh\n";
print "$status info - $txt_warn $str_txt\n";
print "$status wlan wlansignal=$sta_rssi Connected with WLAN $sta_ssid, Signalstrength=$sta_rssi%, ip=$sta_ip, mac=$sta_mac\n";
}else{
print "current power=$current_power.\n";
print "production today=$yield_today.\n";
print "production total=$yield_total.\n";
print "serial inverter=$serial_inverter.\n";
print "serial device=$serial_device.\n";
print "firmware=$firmware.\n";
print "wlan info: with WLAN $sta_ssid, Signalstrength=$sta_rssi%, ip=$sta_ip, mac=$sta_mac\n";
}
sub is_it_daytime {
my ($latitude, $longitude) = @_;
my $dt = DateTime->now(time_zone => 'local');
my $sunrise = DateTime::Event::Sunrise->new(
longitude => $longitude,
latitude => $latitude,
precise => 1,
)->sunrise_datetime($dt);
my $sunset = DateTime::Event::Sunrise->new(
longitude => $longitude,
latitude => $latitude,
precise => 1,
)->sunset_datetime($dt);
my $tolerance = 30; # Tolerance in minutes
my $sunrise_plus_tolerance = $sunrise->clone->add(minutes => $tolerance);
my $sunset_minus_tolerance = $sunset->clone->subtract(minutes => $tolerance);
if ($dt >= $sunrise_plus_tolerance && $dt <= $sunset_minus_tolerance) {
return 1; # It's daytime within the tolerance
} else {
return 0; # It's not yet daytime within the tolerance
}
}
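To show the parsing step of the script above in Python (an added example, not the author's code; the sunrise gating and the checkmk output are left to the Perl script), here is the extraction of the "var ... = "..."" assignments from status.html with a completeness check that names the missing fields instead of only counting them. The status.html excerpt is constructed: the variable names are the ones the Perl regexes match, the values are made up. The fetch function is the same basic-auth request as in the script, with a timeout.

```python
import base64
import re
import urllib.request

# Constructed excerpt of the inverter's status.html (variable names as matched by the Perl
# script above, values made up).
SAMPLE_STATUS_HTML = """\
<html><head><script type="text/javascript">
var webdata_sn = "1234 5678 90";
var webdata_msvn = "";
var webdata_now_p = "321";
var webdata_today_e = "2.5";
var webdata_total_e = "1234.5";
var cover_mid = "4010012345";
var cover_ver = "fw-example-1.0";
var cover_sta_ssid = "homenet";
var cover_sta_rssi = "78%";
var cover_sta_ip = "192.168.2.50";
var cover_sta_mac = "AA:BB:CC:DD:EE:FF";
</script></head></html>
"""

# page variable -> (field name, converter); a converter raising ValueError marks the field missing
FIELDS = {
    "webdata_now_p": ("current_power_w", float),
    "webdata_today_e": ("yield_today_kwh", float),
    "webdata_total_e": ("yield_total_kwh", float),
    "webdata_sn": ("serial_inverter", lambda s: re.sub(r"\s+", "", s)),
    "cover_mid": ("serial_device", str),
    "cover_ver": ("firmware", str),
    "cover_sta_ssid": ("wlan_ssid", str),
    "cover_sta_rssi": ("wlan_rssi_pct", lambda s: int(s.rstrip("%"))),
    "cover_sta_ip": ("wlan_ip", str),
    "cover_sta_mac": ("wlan_mac", str),
}
VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"')


def parse_status_page(html):
    """Return (data, missing). The Perl script counts 10 matches ($control == 10) for the same
    purpose; returning the names lets the check say which value it could not read."""
    found = {name: value for name, value in VAR_RE.findall(html)}
    data, missing = {}, []
    for var, (field, convert) in FIELDS.items():
        if var not in found:
            missing.append(field)
            continue
        try:
            data[field] = convert(found[var])
        except ValueError:
            missing.append(field)
    return data, missing


def fetch_status(ip, username, password, timeout=10):
    """GET status.html with HTTP basic auth (the password travels base64-encoded over plain http,
    readable by anyone on the path; keep the inverter in its own VLAN). Not called offline."""
    req = urllib.request.Request(f"http://{ip}/status.html")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    data, missing = parse_status_page(SAMPLE_STATUS_HTML)
    for field, value in data.items():
        print(f"{field}={value}")
    print("missing:", missing or "none")
```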
Solution:
> Server Manager > Server Configuration > Cluster-Wide Parameters
set the following to true:
- Automatically download Posture Signature and Windows Hotfixes Updates
- Automatically download Endpoint Profiler Fingerprints
go to the command line of the Aruba virtual controller, and send a test request:
aaa test-server <servername> username <username> password <passwd> auth-type <type>
#see also:
https://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#CLI_commands/aaa_test_server.htm
show ap association
> see the clients connected to the ap, and their bssid
pcap start <bssid> <ip of wireshark pc> <udp port of wireshark pc> 1 1000
> example: pcap start 55:44:77:33:99:cc 192.168.2.10 5555 1 10000
> now we see the capture id of the job, for example: pcap-id:2
on the wireshark pc:
- Wireshark Capture Options
- Capture Filter: udp port 5555
- now we see a lot of data; click on one of the packets and say: "Decode As ... PEEKREMOTE", now we see the wlan frames
- to see the packets of a specific client enter a display filter, for example: wlan.addr == aa:bb:cc:dd:ee:ff
- the frames are streamed unencrypted over UDP to the wireshark pc and contain the clients' traffic, so run the capture from a trusted network segment and stop it as soon as you are done
stopping the capture on the controller:
> pcap stop <bssid> <session-number>
> for example: pcap stop 55:44:77:33:99:cc 2
https://www.youtube.com/watch?v=1O5vXmBulDE
The status screen can be used to gain insight into the player setting, its hardware, and its environment. It is available at the following URL:
http://<sonos_ip>:1400/status
http://<sonos_ip>:1400/support/review
Rebooting the player
Accessing the following URL will trigger an immediate reboot of the player (these :1400 pages require no authentication, so anyone on the LAN can reboot or reconfigure the player; keep the Sonos VLAN away from untrusted clients):
http://<sonos_ip>:1400/reboot
Troubleshooting Network Connectivity
Sonos offers 3 traditional network debugging tools (ping, traceroute and nmblookup) from this URL:
http://<sonos_ip>:1400/tools.htm
Controlling the WiFi network link
The WiFi link can be enabled or disabled through the wifictrl URL. If the WiFi is turned on, it will use different frequency channels based on the region in which the player was sold. For example, the use of channels 12 through 14 is not allowed in the United States. You can update this setting at the following URL:
http://<sonos_ip>:1400/region.htm
>> use this individual script:
#!/usr/bin/perl
######################################################################################
#
# checkMimosa.pl
#
# Mib Reference - see also
# http://backhaul.help.mimosa.co/snmp-usage-examples-snmpget
#
# Example (Rx signal strength); this is what net-snmp prints with the Mimosa MIB loaded:
# snmpget -v 2c -c public 192.168.1.20 1.3.6.1.4.1.43356.2.1.2.6.6.0
# MIMOSA-NETWORKS-BFIVE-MIB::mimosaTotalRxPower.0 = INTEGER: -42.7 dBm
# without the MIB the raw integer in tenths of a dBm (-427) is printed. The script runs
# snmpget with -m '' (no MIBs), so it always gets the raw value and divides by 10 itself,
# independent of which MIBs are installed on the checkmk server.
#
# update log:
# -----------
# - 2023-04-26: first version
#
######################################################################################
use strict;
use warnings;
my ($hostname, $community, $param) = @ARGV;
my $debug = 0; #1=on
if (!defined $hostname || !defined $community || $hostname eq '' || $community eq '') {
    print "usage: checkMimosa.pl <hostname> <community> [-p=xxx]\n";
    print " -p port number for the snmp query is optional\n";
    exit 1;
}
if (defined $param && $param =~ /^-p=(\d+)$/) {
    $hostname = "$hostname:$1";
}
print "<<<check_mk>>>\n";
print "Version: pn-v2023-04-26\n";
print "<<<local>>>\n";
#Rx signal strength
my $name = "rx_signal_strength";
my $oid = ".1.3.6.1.4.1.43356.2.1.2.6.6.0";
# list form of open: hostname and community are passed to snmpget as arguments and never go through a shell
open(my $in, "-|", "snmpget", "-v", "2c", "-c", $community, "-m", "", $hostname, $oid)
    or do { print "3 $name - Cannot run snmpget: $!\n"; exit 0; };
my $value;
while (my $line = <$in>) {
    chomp($line);
    print ">>>> $line\n" if $debug;
    if ($line =~ /=\s*INTEGER:\s*(-?\d+)\s*$/i) {
        $value = $1 / 10;
    }
}
close($in);
# $? is only valid after close(); checking it right after open() (as the first version did) tests the previous command
if ($? != 0 || !defined $value) {
    print "1 $name - Cannot get value for rx signal strength\n";
} else {
    print "0 $name dbm=$value Rx signal strength is: $value dBm\n";
}
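The three local checks on this page (the Shelly, Deye and Mimosa scripts above) always emit state 0 and leave the thresholds to checkmk rules. As an added example, not from the original notes, here is a small Python module for the <<<local>>> format that carries warn/crit levels inside the metric and uses state P, so checkmk computes OK/WARN/CRIT itself, plus the lower-level case (a signal strength in dBm is bad when it goes down) that P does not cover and the script therefore has to decide on its own. Service names, levels and values are made up.

```python
import re

# checkmk local check line:
#   <state> <service name> <metric>=<value>;<warn>;<crit>;<min>;<max>|<metric2>... <summary>
# state 0/1/2/3 = OK/WARN/CRIT/UNKNOWN, state "P" = let checkmk derive it from the upper levels.


def state_from_levels(value, warn, crit, lower=False):
    """0/1/2 for a value against levels. Upper levels: >= crit is 2, >= warn is 1.
    Lower levels (lower=True): <= crit is 2, <= warn is 1."""
    if lower:
        if value <= crit:
            return 2
        if value <= warn:
            return 1
        return 0
    if value >= crit:
        return 2
    if value >= warn:
        return 1
    return 0


def format_metric(name, value, warn=None, crit=None, minimum=None, maximum=None):
    """name=value;warn;crit;min;max with trailing empty fields dropped."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        raise ValueError(f"metric name must be [A-Za-z0-9_]+, got {name!r}")
    parts = [str(value)] + ["" if x is None else str(x) for x in (warn, crit, minimum, maximum)]
    while len(parts) > 1 and parts[-1] == "":
        parts.pop()
    return f"{name}=" + ";".join(parts)


def local_check_line(service, metrics, summary, state="P"):
    """metrics: list of (name, value[, warn, crit, min, max]) tuples, or an empty list for '-'.
    A service name containing whitespace must be quoted (checkmk 2.0 and newer)."""
    name = f'"{service}"' if any(c.isspace() for c in service) else service
    perf = "|".join(format_metric(*m) for m in metrics) if metrics else "-"
    return f"{state} {name} {perf} {summary}"


def agent_output(lines, version="example-2023-04"):
    """Wrap local check lines in the sections an 'individual program call' data source needs."""
    return "\n".join(["<<<check_mk>>>", f"version: {version}", "<<<local>>>", *lines]) + "\n"


if __name__ == "__main__":
    rx_dbm = -42.7  # made-up Mimosa value
    lines = [
        # state P: checkmk turns the upper levels 40/50 into WARN/CRIT itself
        local_check_line("Shelly1pm-Temperature", [("temp", 30.6, 40, 50)], "30.6 C"),
        # lower levels: computed here, levels still go into the metric for the graph
        local_check_line("rx_signal_strength", [("dbm", rx_dbm, -60, -70)],
                         f"Rx signal strength is: {rx_dbm} dBm",
                         state=state_from_levels(rx_dbm, -60, -70, lower=True)),
        local_check_line("Deye wlan", [], "could not read status page", state=3),
    ]
    print(agent_output(lines), end="")
```

With state P the levels are visible in the service details and the graph, and changing a threshold means changing one number in the script instead of a rule per service; an UNKNOWN (3) line for fetch failures keeps the service from silently staying green.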
in HPE GreenLake, go to:
Manage Account > Identity & Access >> Resource Restriction Policy:
>> select the group name that you want to use
after that go to the user account, and select Limit Resource Access > and select the defined Resource Restriction Policy
QinQ ("802.1Q in 802.1Q", not "Quality in Quality") is also known as VLAN stacking, VLAN double tagging or provider bridging and is standardised in IEEE 802.1ad. It extends the IEEE 802.1Q VLAN tagging standard and allows service providers to transport multiple VLANs over a single physical link between two switches or routers.
In a QinQ scenario, two VLAN tags are added to Ethernet frames: the outer tag (S-TAG, EtherType 0x88a8 in 802.1ad, although many vendors still use 0x8100) identifies the service provider's VLAN and the inner tag (C-TAG, EtherType 0x8100) identifies the customer's VLAN. This allows a service provider to serve multiple customers over a single physical link; the customers' VLAN IDs may overlap, because the provider network only looks at the outer tag. The isolation only holds as long as the provider edge always adds and strips the outer tag itself and never treats a customer frame's own tag as the service tag.
QinQ is commonly used in metropolitan area networks (MANs) and wide area networks (WANs) to provide connectivity between customer sites and service provider networks. It is also used in data center environments to provide isolation and segregation of different virtualized networks.
Overall, QinQ is an important tool for service providers and network engineers to carry many VLANs over a single physical link. The same double-tagging mechanism is what the classic VLAN hopping attack abuses, which is why access ports must not be allowed to inject tagged frames into the native VLAN of a trunk.
---------------
hpe comware switches documentation: https://techhub.hpe.com/eginfolib/networking/docs/switches/5940/5200-1018b_l2-lan_cg/content/491966409.htm
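An added example, not from the original notes: building and parsing a double-tagged frame in Python with only the standard library, to show where the two tags sit and why a parser or ACL that reads only the first tag misses the customer VLAN. pop_outer_tag models what a switch does on egress into an untagged (native) VLAN; applied to a double-tagged frame it leaves the inner tag on the wire, which is the mechanism behind the double-tagging VLAN hopping attack. MAC addresses and payload are constructed.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag (many vendors use 0x8100 for the outer tag as well)
ETH_P_IP = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def tag(tpid, vid, pcp=0, dei=0):
    """4-byte VLAN tag: TPID followed by the TCI (3 bit PCP, 1 bit DEI, 12 bit VID)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("vid must be 0..4095, pcp 0..7, dei 0 or 1")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def build_qinq_frame(dst, src, s_vid, c_vid, payload, ethertype=ETH_P_IP, s_tpid=TPID_STAG):
    """Provider-side frame: outer S-TAG, inner C-TAG, then the original EtherType and payload."""
    return (mac_bytes(dst) + mac_bytes(src)
            + tag(s_tpid, s_vid) + tag(TPID_CTAG, c_vid)
            + struct.pack("!H", ethertype) + payload)


def parse_frame(frame):
    """Walk *all* VLAN tags. A parser (or ACL) that stops after the first tag sees only the
    provider VLAN and misses the customer VLAN inside."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    off, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in (TPID_CTAG, TPID_STAG):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": dst, "src": src, "tags": tags, "ethertype": ethertype, "payload": frame[off + 2:]}


def pop_outer_tag(frame):
    """Egress into an untagged/native VLAN: strip the first tag and forward the rest unchanged.
    With a double-tagged frame the inner tag survives (outer tag = attacker's native VLAN,
    inner tag = victim VLAN), so the next switch forwards it into the victim VLAN."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype not in (TPID_CTAG, TPID_STAG):
        return frame
    return frame[:12] + frame[16:]


def vids(frame):
    """VLAN IDs of all tags, outermost first."""
    return [t["vid"] for t in parse_frame(frame)["tags"]]


if __name__ == "__main__":
    f = build_qinq_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 100, 200, b"\x45" + b"\x00" * 19)
    print("on the provider link:", vids(f))          # [100, 200]
    print("after the S-TAG is popped:", vids(pop_outer_tag(f)))  # [200]
```

The defence is the usual one: never use VLAN 1 or any customer VLAN as the native VLAN of a trunk, tag the native VLAN where the platform allows it, and only accept the service tag from ports you control.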
I: Long version
-----------------------------------------------------
there are a lot of messages displayed by default, if you login, into your ubuntu, let's say version 22.04 LTS.
The messages have there origin in folder:
/etc/update-motd.d/
#remove the execution of some scripts
chmod -x /etc/update-motd.d/*
-----------
old approach, that does not really work:
to disable all of them, my solution was:
mkdir /etc/update-motd.d.original/
mv /etc/update-motd.d/* /etc/update-motd.d.original/
and disable the service:
systemctl disable motd-news.service
--------------
and just create a classic motd file:
/etc/motd
##########################################################
#
# some information
#
# motd
#
##########################################################
II: Short version
-----------------------------------------------------
1. Disable System default MOTD files on Ubuntu:
sudo chmod -x /etc/update-motd.d/*
2. Use the default MOTD
sudo vi /etc/motd
3. Optionally enable the 00-header
sudo chmod o+rx /etc/update-motd.d/00*
cmk version: CEE v2.1.0p24
OS: ubuntu 22.04.2 LTS
Problem: fetcher usage is increasing until site restart or server reboot
the site has 40 fetchers defined; if the site is restarted the fetcher usage is about 20%, but soon the fetcher usage starts to increase slowly. After 4 weeks the usage is about 80% and heads towards 100%.
how can I fix this? or find the root cause for this. This issue has also been present with older 2.1 versions on this server.
In the kernel message log I found this messages:
[Apr 4 16:51] python3[4068036]: segfault at 8 ip 00007f74056f66ec sp 00007ffdc51510e0 error 4 in libpython3.9.so.1.0[7f740561b000+1ce000]
[ +0.000036] Code: 89 e2 48 89 de 48 0f ba f1 3f 4c 89 ef e8 dc 84 f2 ff eb b2 e8 65 8e f2 ff eb b9 0f 1f 00 55 48 89 fd 48 89 f7 53 48 83 ec 18 <48> 8b 45 08 48 8b 40 40 48 85 c0 0f 85 a6 d2 f3 ff e8 6e 57 f2 ff
[Apr 4 18:57] python3[4084587]: segfault at 8 ip 00007fe4a88546ec sp 00007ffee5b0c940 error 4 in libpython3.9.so.1.0[7fe4a8779000+1ce000]
I guess they have something to do with the increasing fetchers. I also noticed that some fetcher processes have been restarted.
root@cmk-server:~# ps -ef |grep fetch
site1 1481 1431 0 Mar16 ? 00:03:52 python3 /omd/sites/site1/bin/fetcher
site1 1487 1431 0 Mar16 ? 00:06:17 python3 /omd/sites/site1/bin/fetcher
site1 1498 1431 0 Mar16 ? 00:05:20 python3 /omd/sites/site1/bin/fetcher
site1 1499 1431 0 Mar16 ? 00:04:59 python3 /omd/sites/site1/bin/fetcher
site1 1500 1431 0 Mar16 ? 00:05:51 python3 /omd/sites/site1/bin/fetcher
site1 1507 1431 0 Mar16 ? 00:07:04 python3 /omd/sites/site1/bin/fetcher
site1 1509 1431 0 Mar16 ? 00:06:10 python3 /omd/sites/site1/bin/fetcher
site1 1511 1431 0 Mar16 ? 00:41:46 python3 /omd/sites/site1/bin/fetcher
site1 8436 1431 0 Mar20 ? 00:04:45 python3 /omd/sites/site1/bin/fetcher
site1 46673 1431 1 08:43 ? 00:06:23 python3 /omd/sites/site1/bin/fetcher
site1 89353 1431 0 Mar20 ? 00:06:54 python3 /omd/sites/site1/bin/fetcher
----------------------------------------
>>>> SOLUTION:
----------------------------------------
- enable debug in global settings, enable debugging of helpers; now you should see a lot of entries in the cmc.log file!
- now wait until another crash has happened (check with command "dmesg -H -P")
- if you have the timestamp of the crash >> check the cmc.log file
- in the logfile I found that it happens after an snmp ups query occurred
- reconfigure the device to use "classic snmp" to query the device instead of the inline python checkmk snmp
>> Problem solved.
command to set to factory default: erase all zeroize
after factory reset, use the default user admin without a password to access the switch via console
solution: ser2net
https://sourceforge.net/projects/ser2net/
to use Sonos with the wireless LAN from Aruba, the following settings must be set:
- configuration > networks > selected_network > show advanced options:
>> Broadcast filtering: disabled
>> Deny inter user bridging: off
>> Deny intra VLAN traffic: off
WARNING! Do NOT use the integrated default DHCP scope! The VC will replace the MAC addresses with its own. This was tested with version: 8.10.0.6 LSR
Here are some Sonos resources you can access via web:
>> http://<sonos_ip>:1400/status
>> http://<sonos_ip>:1400/support/review
>> http://<sonos_ip>:1400/reboot
>> http://<sonos_ip>:1400/tools.htm
With ser2net you can map serial devices to a port.
installation:
>> apt install ser2net
how to get the usb device id:
>> all connected usb-devices are listed here: /dev/serial/by-path/
config:
>> the config file can be found at /etc/ser2net.yaml
>> <accepter> can be tcp or telnet, if tcp is selected tab and arrow keys won't work because the data is transmitted raw
>> example:
#####################################################
%YAML 1.1
---
# This is a ser2net configuration file, tailored to be rather
# simple.
#
# Find detailed documentation in ser2net.yaml(5)
# A fully featured configuration file is in
# /usr/share/doc/ser2net/examples/ser2net.yaml.gz
#
# If you find your configuration more useful than this very simple
# one, please submit it as a bugreport

define: &banner \r\n\ port \p device \d [\B] (Debian GNU/Linux) \r\n\r\n

connection: &con001
    accepter: telnet,5001
    enable: on
    options:
      banner: *banner
      kickolduser: true
      telnet-brk-on-sync: true
    connector: serialdev,
              /dev/serial/by-path/pci-0000:00:14.0-usb-0:4:1.0,
              115200n81,local
#####################################################
troubleshooting:
>> if you restart the machine the ser2net service will fail, because the usb ports are not ready on startup
>> to fix this add the following line to ser2net.service in the [Unit] section:
After=network-online.target
Wants=network-online.target
link: https://manpages.ubuntu.com/manpages/impish/man5/ser2net.yaml.5.html
touch -t 2212231634 yourfilename
solution:
image seems to be signed with a very "high" certificate > just rename the .cert file in the file structure and import again
Validated Solution Guide: https://www.arubanetworks.com/techdocs/VSG/
If you encounter a problem with the bandwidth limit on aruba's access points the fritzbox might be the problem.
To solve the bandwidth limit not working properly you have to go to:
Fritz!Box >> home-network >> network >> remove (to remove all inactive devices)
For all active devices go to:
device >> pencil >> reset
This was tested with the firmware (fritzbox): 161.07.29
If you want to know which SSIDs are broadcast on a specific access point, do the following:
>> go to the virtual controller gui
>> select the support tab
>> select command: "AP BSSID Table"
>> select target: All Access Points
>> select run
/*
just an example: HalloWeltPlugin.java
1)
compile the java file, use the bukkit jar in the classpath:
javac HalloWeltPlugin.java -cp c:\server\bundler\libraries\bukkit-1.19.3-R0.1-SNAPSHOT.jar
>> now we get a file: HalloWeltPlugin.class
1.1)
create a plugin.yml file:
name: Hallo_Welt-Plugin
main: HalloWeltPlugin
api-version: 1.19
version: 0.1
2)
build a new jar file:
jar -cf HalloWeltPlugin.jar HalloWeltPlugin.class plugin.yml
3)
copy jar file to minecraft server plugin directory:
copy HalloWeltPlugin.jar c:\server\plugins
*/
import org.bukkit.plugin.java.JavaPlugin;

// HalloWeltPlugin.java: minimal plugin that only logs on enable
public class HalloWeltPlugin extends JavaPlugin {
    @Override
    public void onEnable() {
        this.getLogger().info("Hallo Welt!");
    }

    @Override
    public void onDisable() {
    }
}

// second example, separate file MyPlugin.java: react to a player event
import org.bukkit.event.EventHandler;
import org.bukkit.event.Listener;
import org.bukkit.event.player.PlayerInteractEvent;
import org.bukkit.plugin.java.JavaPlugin;

public class MyPlugin extends JavaPlugin implements Listener {
    @Override
    public void onEnable() {
        // register this class as listener so @EventHandler methods are called
        getServer().getPluginManager().registerEvents(this, this);
    }

    @EventHandler
    public void onPlayerInteract(PlayerInteractEvent event) {
        // covers RIGHT_CLICK_AIR and RIGHT_CLICK_BLOCK
        if (event.getAction().toString().contains("RIGHT_CLICK")) {
            event.getPlayer().sendMessage("You clicked the right mouse button!");
        }
    }
}
1.) reboot switch, connect to the console port
2.) select Boot Profile: 0. Service OS Console
3.) the prompt ServiceOS login: appears >> now enter "admin"
4.) prompt SVOS> appears >> now enter "password" >> then enter the new admin password two times
5.) enter "boot"
hint: the default password of a cx switch is nothing (blank), just press enter
*) tested with Aruba CX 6100, Version PL. 10.11.1005
good links
- https://www.flomain.de/2022/06/aruba-downloadable-user-roles/
- HPE document named: HPE_a00091135en_us_ClearPass Wired Policy Enforcement Solution Guide_2020-08.pdf >> link = https://www.hpe.com/psnow/doc/a00091135en_us
https://gettopics.com/de/calc/wasser-erhitzen-zeit-rechner
for example, to heat 800 liters of water from 38 degrees Celsius to 39 degrees Celsius using 3900 watts you need 15 minutes.
for example, to heat 800 liters of water from 35 degrees Celsius to 40.5 degrees Celsius using 3900 watts you need 79 minutes.
Enhancements and Resolved Issues
>> in the list you see the latest enhancements ...
https://www.watchguard.com/support/release-notes/WatchGuard_Cloud/en-US/index.html#en-US/WatchGuard-Cloud/resolved_issues_WGC.html?TocPath=WatchGuard%2520Cloud%2520Release%2520Notes%257C_____2
https://www.arubanetworks.com/products/wireless/antennas/
>> there is an Antenna Product Line Matrix pdf file that gives you a good overview: matrix-antennas.pdf
turning on some settings here may help, in case you get an error / warning like: "check_mk: ERROR: Duplicate service description (auto check) ' MSSQL Blocked Sessions' for host ....
info from checkmk:
In order to make Check_MK more consistent, the descriptions of several services have been renamed in newer Check_MK versions. One example is the filesystem services that have been renamed from fs_ into Filesystem. But since renaming of existing services has many implications - including existing rules, performance data and availability history - these renamings are disabled per default for existing installations. Here you can switch to the new descriptions for selected check types
MSM335-MSM422 - version 5.7.2.0:
https://computer2know.de/download/HP_Colubris_MSM/V5.7.2.0_MR_V5.7.2.0-MSM335-MSM422-B12736.cim.zip
------------------------------------
MSM410-MSM430-MSM460-MSM466-MSM466R - version 6.3:
https://computer2know.de/download/HP_Colubris_MSM/V6.3.0.0-MSM410-MSM430-MSM460-MSM466-MSM466R-B15824.cim.zip
Digitus Print Server - DN-13003-2
default-ip: 192.168.0.10
-> give your pc a static ip, like 192.168.0.99 > go to the web menu of the print server and change it to dhcp
the MAC address of the device is printed on the device itself > find the MAC address in your network and the final dhcp ip
now install the device and test it with a label printer, like hotlabel:
------------------------------------------------------
on a mac:
> Add printer (Drucker hinzufügen):
>> Address (Adresse): 192.168.2.168
>> Protocol (Protokoll): Line Printer Daemon - LPD
>> Queue (Warteliste): p1
>> Name: Labelprinter via Printserver
>> Driver to use (zu verwendender Treiber): 4BARCODE 4B-3044A
steps to do:
- sudo apt install xfce4 xfce4-goodies
- sudo apt install tightvncserver
- under the user environment start the vnc server: vncserver
---- after starting vncserver kill it: vncserver -kill :1
- now change the xstartup file:
---- cd ~/.vnc
---- cp -p xstartup xstartup.save
---- create a new xstartup file with the following content:
#!/bin/sh
# Start up the standard system desktop
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
/usr/bin/startxfce4
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
x-window-manager &
>> now start the vnc server again
*done*
---
see also:
https://www.howtoforge.de/anleitung/so-installierst-du-vnc-server-ubuntu-2204/
>> Devices > select your switch
then click on Analyze > Tools > Device Check
on the field where you see "test", you can choose:
- Cable Test
- Interface Bounce
- PoE Bounce
- Chassis Locate
-> downloaded filename.ovpn configuration from the watchguard webfrontend, after logon with the user and password
-> logon works with the official watchguard ssl-vpn client, but not with another openvpn client, the error message in the log file is:
OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.
>> solution:
change one line in the configfile.ovpn file:
-- instead of the line: cipher AES-256-CBC write the line:
>>>> data-ciphers AES-256-CBC
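Added example (not from the original notes) that applies the fix above to a downloaded profile. It replaces the legacy `cipher` line with `data-ciphers`, and if the profile already has a `data-ciphers` list it appends the server's cipher instead of dropping the stronger GCM entries. The sample profile text is constructed.

```python
"""Rewrite a WatchGuard-exported .ovpn profile for current OpenVPN clients.

Added example, not from the original notes. OpenVPN 2.5+ ignores the legacy
'cipher' directive for negotiation and only connects when the server's cipher
is in 'data-ciphers'; this is exactly the error quoted above.
"""
import re
import sys

LEGACY_CIPHER_RE = re.compile(r"^\s*cipher\s+(\S+)")
DATA_CIPHERS_RE = re.compile(r"^\s*data-ciphers\s+(\S+)")
DIRECTIVE_RE = re.compile(r"^\s*(data-ciphers|cipher)\s+")


def find_legacy_cipher(config_text: str):
    """Return the cipher named on a legacy 'cipher' line, or None."""
    for line in config_text.splitlines():
        m = LEGACY_CIPHER_RE.match(line)
        if m:
            return m.group(1)
    return None


def add_data_cipher(config_text: str, server_cipher: str) -> str:
    """Ensure server_cipher is in the data-ciphers list and drop 'cipher'.

    An existing data-ciphers list is kept (GCM first, so the strongest cipher
    both sides support still wins) and the server cipher is appended to it.
    The rewritten directive takes the place of the first cipher/data-ciphers
    line so the rest of the profile keeps its order.
    """
    lines = config_text.splitlines()
    ciphers = []
    for line in lines:
        m = DATA_CIPHERS_RE.match(line)
        if m:
            ciphers = m.group(1).split(":")
            break
    if server_cipher not in ciphers:
        ciphers.append(server_cipher)
    new_line = "data-ciphers " + ":".join(ciphers)

    out, emitted = [], False
    for line in lines:
        if DIRECTIVE_RE.match(line):
            if not emitted:
                out.append(new_line)
                emitted = True
            continue  # drop the legacy directive / duplicate list
        out.append(line)
    if not emitted:
        out.append(new_line)
    return "\n".join(out) + "\n"


def fix_profile(config_text: str) -> str:
    """Derive the server cipher from the profile's own 'cipher' line and fix it."""
    cipher = find_legacy_cipher(config_text)
    if cipher is None:
        raise ValueError("profile has no legacy 'cipher' line to migrate")
    return add_data_cipher(config_text, cipher)


# Constructed sample profile (hostname is a placeholder, not a real server).
SAMPLE_PROFILE = """client
dev tun
proto tcp
remote vpn.example.invalid 443
cipher AES-256-CBC
auth SHA256
verb 3
"""

if __name__ == "__main__":
    # usage: python fix_ovpn.py downloaded.ovpn > fixed.ovpn
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    sys.stdout.write(fix_profile(text))
```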
you cannot use VLANs 4041 to 4094 by default on an HPE 8325 Aruba CX switch!
>> but you can change this range!
Setting a new internal VLAN range:
switch(config)# system internal-vlan-range 3041-3094
This will briefly interrupt traffic. Continue (y/n)?
https://www.arubanetworks.com/techdocs/AOS-CX/AOSCX-CLI-Bank/cli_9300/Content/Chp_VLANs/VLAN_cmds/sys-int-vla-ran-gl-tl-10.htm
Aruba WLAN Mobility Controller - 2 know
documentation:
- ArubaOS 8.10.0.0 User Guide: https://www.arubanetworks.com/techdocs/ArubaOS-8.x-Books/810/ArubaOS-8.10.0.0-User-Guide.pdf
show log security 50 | include aaa
https://www.arubanetworks.com/techdocs/CLI-Bank/Content/aos8/sh-log.htm
tutorials / further readings:
----------------------------------------------
- https://wifiwizardofoz.com/802-1x-wlan-using-aruba-controller-clearpass/
- https://community.arubanetworks.com/discussion/dynamic-vlan-assignment-with-radius-and-aruba-controller
##### Tested with ArubaOS version 10.11 on a CX 6100 switch in 2023, by mw
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;
use Data::Dumper;
# ArubaOS-CX switch details
my $switch_ip = '192.168.2.99';
my $username = 'admin';
my $password = 'bla#bla';
# URL-encode the password
my $encoded_password = uri_escape($password);
# API endpoints
# note: the password travels in the query string and can end up in proxy or switch logs
my $login_url = "https://$switch_ip/rest/v10.11/login?username=$username&password=$encoded_password";
my $system_url = "https://$switch_ip/rest/v10.11/system?attributes=hostname";
my $logout_url = "https://$switch_ip/rest/v10.11/logout";
# Create a user agent
my $ua = LWP::UserAgent->new;
$ua->ssl_opts(verify_hostname => 0, SSL_verify_mode => 0); # Disable SSL certificate verification (self-signed switch cert); remove once the switch has a trusted cert, otherwise the session cookie could be intercepted
# Set the headers
my $headers = [
'accept' => 'application/json',
'x-use-csrf-token' => 'true',
];
# Perform login
my $login_request = HTTP::Request->new('POST', $login_url, $headers);
my $login_response = $ua->request($login_request);
#print Dumper $login_response;
# Check the login response status
if ($login_response->is_success) {
my $session_cookie = $login_response->header('Set-Cookie');
my $x_csrf_token = $login_response->header('x-csrf-token');
print "session_cookie=$session_cookie\n";
print "x_csrf_token = $x_csrf_token\n";
# Retrieve system information
my $system_request = HTTP::Request->new('GET', $system_url, $headers);
$system_request->header('Cookie' => $session_cookie, 'x-csrf-token' => $x_csrf_token, );
#$system_request->header('x-csrf-token' => $x_csrf_token, );
my $system_response = $ua->request($system_request);
# Check the system response status
if ($system_response->is_success) {
my $system_data = $system_response->decoded_content;
# Process the system data as needed
print "System Information:\n";
print $system_data;
print "\n";
} else {
print "Error retrieving system information: " . $system_response->status_line . "\n";
}
# Perform logout
my $logout_request = HTTP::Request->new('POST', $logout_url, $headers);
#$logout_request->header('Cookie' => $session_cookie);
$logout_request->header('Cookie' => $session_cookie, 'x-csrf-token' => $x_csrf_token, );
my $logout_response = $ua->request($logout_request);
# Check the logout response status
if ($logout_response->is_success) {
print "Logged out.\n";
} else {
print "Error logging out: " . $logout_response->status_line . "\n";
}
} else {
print "Error logging in: " . $login_response->status_line . "\n";
}
#Aruba 7005 Controller Installation Guide
HPE_a00108010en_us_Aruba 7005 Controller Installation Guide.pdf
ETH-0: PoE-PD Ethernet Port >> you can power the device using this port via poe (from a switch for example)
ETH-1-3: Non-PoE Ethernet Port
>> not much more details
#Aruba 7005 erase config / factory reset if logon is possible
Aruba7005_AA_BB_CC) *[mynode] #write erase
all Erase configuration and databases. Controller will be
factory defaulted.
#Aruba 7005 controller firmware update through console
- show image version #see the actual image files and versions
- show memory #see the available free memory
- show storage #check if there is enough flash space
- delete filename <filename> #delete something, in case there is not enough space
- backup flash #make a copy of the configuration > file is saved to flashbackup.tar.gz
- dir #check your files
- copy your backup to somewhere else:
---- (host) #copy flash: flashbackup.tar.gz ftp: <ftphost> <ftpuser> <remote-directory> <destinationfilename> <ftpuserpassword>
---- or: (host) #copy flash: flashbackup.tar.gz usb: partition <partition-number> <destinationfilename>
- copy a backup file to the flash:
---- (host) #copy tftp: <tftphost> <filename> flash: flashbackup.tar.gz
---- or: (host) #copy usb: partition <partition-number> <filename> flash: flashbackup.tar.gz
- download the firmware file from ASP: > filename for example: ArubaOS_70xx_10.3.1.3_85763
- copy from tftp server to second flash: copy tftp: 172.23.99.99 ArubaOS_70xx_10.3.1.3_85763 system: partition 1
#Aruba 7005 and other controllers default ip:
172.16.0.254
The default IP address of the managed device is 172.16.0.254/24.
Aruba 7005 or 7010 or other Controllers -> factory reset using cpboot environment
# see also the video: format Aruba Controller https://www.youtube.com/watch?v=I0k7kL9JcKc
#delete current configuration > forced factory reset
- boot via console > cpboot environment (this is the second "press the button" hint, not the first!)
- press a key, so that cpboot is shown
- format the configuration partition using command: format 0:2
- after that reboot again and images from 0:0 or 0:1 will be loaded, you can change the images by use "bootf 0:0" or "bootf 0:1"
- after reboot this screen comes up:
--- auto-provisioning is in progress. It requires DHCP and Activate servers
--- Choose one of the following options to override or debug auto-provisioning...
--- 'enable-debug' : Enable auto-provisioning debug logs
--- 'disable-debug' : Disable auto-provisioning debug logs
--- 'full-setup' : Start full setup dialog. Provides full customization
--- 'static-activate' : Provides customization for static or PPPOE ip assignment. Uses activate for master information
- we chose static-activate since automatic seems not to work
Current choices are:
Controller VLAN id: 1
Uplink port: GE 0/0/0
Uplink port mode: access
Uplink Vlan IP assignment method: static
Uplink Vlan static IP Address: 172.23.99.20
Uplink Vlan static IP net-mask: 255.255.255.0
Uplink Vlan IP default gateway: 172.23.99.250
Domain Name Server to resolve FQDN: 192.168.2.10
Option to configure VLAN interface IPV6 address: no
Spanning-tree is disabled: no
Do you wish to accept the changes (yes|no)yes
>> did not work! ssl cert errors
- next try we chose "full-setup":
current choices are:
System name: Aruba7005_TEST
Switch Role: standalone
Controller VLAN id: 1
Controller VLAN port: GE 0/0/0
Controller VLAN port mode: access
Option to configure VLAN interface IPV4 address: yes
VLAN interface IP address: 172.23.99.20
VLAN interface subnet mask: 255.255.255.0
IP Default gateway: 172.23.99.250
Domain Name Server to resolve FQDN: 192.168.2.10
Option to configure VLAN interface IPV6 address: no
Country code: de
IANA Time Zone: Europe/Berlin
To debug Wired AutoConfig (WAC) messages in Windows, you can follow these steps:
1. Open the Event Viewer: Press the Windows key, type "Event Viewer," and select the "Event Viewer" application.
2. In the Event Viewer, navigate to "Applications and Services Logs" -> "Microsoft" -> "Windows" -> "Wired-AutoConfig."
3. In the "Wired-AutoConfig" section, you will find logs related to the Wired AutoConfig service.
4. Look for events with the Event ID 5007. These events correspond to WAC messages and can provide information about any issues or errors encountered by the service.
5. Click on an event to view its details. The event's description will contain information about the error message and any associated details that can help diagnose the problem.
6. Pay attention to the specific error messages, error codes, and other details mentioned in the event description. These can provide clues about the root cause of the issue.
Additionally, you can enable additional logging for Wired AutoConfig to gather more detailed information. To enable verbose logging for WAC, you can modify the registry settings by following these steps:
1. Press the Windows key, type "regedit," and select the "Registry Editor" application.
2. In the Registry Editor, navigate to the following location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dot3svc\Parameters
```
3. Create a new DWORD (32-bit) value named "EventLogLevel" if it doesn't already exist.
4. Set the value of "EventLogLevel" to 0xFFFFFFFF (hexadecimal) to enable verbose logging.
5. Restart your computer to apply the changes.
After enabling verbose logging, check the Event Viewer again for updated logs with more detailed information about the Wired AutoConfig service.
Remember to be cautious when modifying the registry. Incorrect changes to the registry can cause system instability, so it's always a good practice to create a backup or restore point before making any modifications.
################################################################
# Windows Powershell - Certificates commands
################################################################
#get user certificates
Get-ChildItem -Path Cert:\CurrentUser\My
#show root certificates
Get-ChildItem -Path Cert:\LocalMachine\Root
#show specific root certificates
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "OpenAI" }
#delete a certificate by thumbprint
certutil -delstore Root <Thumbprint>
#show root certificates with a match
Get-ChildItem Cert:\LocalMachine\Root\ | where-Object {$_.subject -Match "yourmatch"}
#show root certificates with a match and details (fl = format-list cmdlet)
Get-ChildItem Cert:\LocalMachine\Root\ | where-Object {$_.subject -Match "yourmatch"} | fl
#delete specific root certificates
Get-ChildItem Cert:\LocalMachine\Root\ | where-Object {$_.subject -Match "yourmatch"} | remove-item
Model AV1300 Gigabit Pass-through Powerline ac Wi-Fi Extender
- TL-WPA8631P/TL - WPA8635P
- Pair button: hold and press for 1 second on two devices within 2 minutes
- always plug the device directly into the wall outlet, not into an extension strip
- Wifi Device: SSID and password is printed directly on the device / on the label!
- Access the webfrontend - each device has one!
-- 1) use your browser and enter: http://tplinkplc.net
-- 2) use the tpPLC utility
-- 3) use tpPLC app
-------------
see also:
https://www.tp-link.com/de/support/download/tl-wpa8631p-kit/
check if application access control is in place!
Administration > Server Manager > Server Configuration -> Network
>> Application Access Control:
Allow the IP address of the new subscriber to the ClearPass API!!
on the side where you want to receive the screen, make sure that under Windows 10 the optional feature "Wireless Display" (in German: Drahtlose Anzeige) is installed and enabled. You also need to make sure that the receiving app ("Connect", in German: Verbinden) is started!
on the sending computer just press <Windows key> + <K> and select the receiver
----------------------------------------
see also:
https://support.microsoft.com/de-de/windows/inhalte-eines-bildschirms-auf-ihrem-pc-spiegeln-oder-projizieren-5af9f371-c704-1c7f-8f0d-fa607551d09c
in Firebox System Manager go to File > Settings. On the Traffic Monitor Tab you see a click field named "Regular expression filtering" > make sure that this is set!
example filter that matches all IP addresses from 192.168.23.230 to 192.168.23.249:
192.168.23.2[3-4]
see also:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/general/regular_expressions_c.html
#####################
#1) create user role with only necessary restrictions
#####################
[HPE]role name switchbackup
[HPE-role-switchbackup]rule 1 permit command display current-configuration
[HPE-role-switchbackup]rule 2 permit command display saved-configuration
[HPE-role-switchbackup]rule 3 permit command screen-length disable
#####################
#2) review your created role, by using the following command:
#####################
[HPE]display role name switchbackup
Role: switchbackup
Description:
VLAN policy: permit (default)
Interface policy: permit (default)
VPN instance policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit command display current-configuration
2 permit command display saved-configuration
3 permit command screen-length disable
R:Read W:Write X:Execute
#####################
#3) create the user and assign the user-role switchbackup to it
#####################
[HPE]local-user backup
[HPE-luser-manage-backup]password simple StrongPassword
[HPE-luser-manage-backup]authorization-attribute user-role switchbackup
[HPE-luser-manage-backup]no authorization-attribute user-role network-operator
[HPE-luser-manage-backup]service-type ssh
#####################
#4) review the created user, make sure that there are no other assigned roles than switchbackup
#####################
[HPE]display local-user user-name backup class manage
Total 1 local users matched.
Device management user backup:
State: Active
Service type: SSH
User group: system
Bind attributes:
Authorization attributes:
Work directory: flash:
User role list: switchbackup
Password control configurations:
Password complexity: username checking
#####################
#5) run a ssh login test, maybe you need to change the password once
#####################
login as: backup
backup@192.168.99.10's password:
First login or password reset. For security reason, you need to change your password.
Old password:
#########################################################
# tested with following switch configuration
#########################################################
#
version 7.1.070, Release 3507
#
sysname HPE
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
stp global enable
#
interface NULL0
#
interface Vlan-interface1
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet1/0/24
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
interface GigabitEthernet1/0/29
#
interface GigabitEthernet1/0/30
#
interface GigabitEthernet1/0/31
#
interface GigabitEthernet1/0/32
#
interface GigabitEthernet1/0/33
#
interface GigabitEthernet1/0/34
#
interface GigabitEthernet1/0/35
#
interface GigabitEthernet1/0/36
#
interface GigabitEthernet1/0/37
#
interface GigabitEthernet1/0/38
#
interface GigabitEthernet1/0/39
#
interface GigabitEthernet1/0/40
#
interface GigabitEthernet1/0/41
#
interface GigabitEthernet1/0/42
#
interface GigabitEthernet1/0/43
#
interface GigabitEthernet1/0/44
#
interface GigabitEthernet1/0/45
#
interface GigabitEthernet1/0/46
#
interface GigabitEthernet1/0/47
#
interface GigabitEthernet1/0/48
#
interface Ten-GigabitEthernet1/0/49
#
interface Ten-GigabitEthernet1/0/50
#
interface Ten-GigabitEthernet1/0/51
#
interface Ten-GigabitEthernet1/0/52
#
scheduler logfile size 16
#
line class aux
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ssh server enable
#
password-control enable
undo password-control aging enable
undo password-control length enable
undo password-control composition enable
undo password-control history enable
password-control login-attempt 3 exceed unlock
password-control update-interval 0
password-control login idle-time 0
#
radius scheme system
user-name-format without-domain
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
role name switchbackup
rule 1 permit command display current-configuration
rule 2 permit command display saved-configuration
rule 3 permit command screen-length disable
#
user-group system
#
local-user admin class manage
service-type ssh terminal
authorization-attribute user-role network-admin
#
local-user backup class manage
service-type ssh
authorization-attribute user-role switchbackup
#
return
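Added example (not from the original notes, and not an HPE tool): a Python audit that parses the `role name` and `local-user ... class manage` blocks of a Comware configuration like the one above and reports anything that breaks the "backup user holds only the switchbackup role, and that role only permits display commands" rule. The embedded sample configuration is a constructed subset of the one listed above.

```python
"""Least-privilege audit for a Comware backup account.

Added example, not from the original notes. Reads the text of
'display current-configuration' and checks that a backup user holds exactly
one role, is limited to SSH, and that the role only permits read-only
commands (display ..., screen-length ...).
"""
import re

# Command prefixes a read-only backup role may permit; anything else is flagged.
ALLOWED_COMMAND_PREFIXES = ("display ", "screen-length ")

ROLE_RE = re.compile(r"^role name (\S+)$")
USER_RE = re.compile(r"^local-user (\S+) class manage$")
RULE_RE = re.compile(r"^rule \d+ (permit|deny) command (.+)$")


def parse_comware(config_text):
    """Return (roles, users): roles maps name -> rule lines, users maps
    name -> {'service_types': set, 'roles': set}. Blocks end at a lone '#'."""
    roles, users, block, name = {}, {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            block = None
            continue
        m = ROLE_RE.match(line)
        if m:
            block, name = "role", m.group(1)
            roles[name] = []
            continue
        m = USER_RE.match(line)
        if m:
            block, name = "user", m.group(1)
            users[name] = {"service_types": set(), "roles": set()}
            continue
        if block == "role":
            if not line.startswith("description "):
                roles[name].append(line)
        elif block == "user":
            if line.startswith("service-type "):
                users[name]["service_types"].update(line.split()[1:])
            elif line.startswith("authorization-attribute user-role "):
                users[name]["roles"].add(line.split()[-1])
    return roles, users


def audit_backup_user(config_text, user, expected_role):
    """Return a list of findings; an empty list means the account is least-privilege."""
    roles, users = parse_comware(config_text)
    if user not in users:
        return [f"user {user} not found"]
    findings = []
    info = users[user]
    extra_roles = info["roles"] - {expected_role}
    if extra_roles:
        findings.append(f"user {user} holds extra roles: {sorted(extra_roles)}")
    if expected_role not in info["roles"]:
        findings.append(f"user {user} does not hold role {expected_role}")
    extra_services = info["service_types"] - {"ssh"}
    if extra_services:
        findings.append(f"user {user} allows services other than ssh: {sorted(extra_services)}")
    if expected_role not in roles:
        findings.append(f"role {expected_role} is not defined")
    for rule in roles.get(expected_role, []):
        m = RULE_RE.match(rule)
        if not m:
            findings.append(f"role {expected_role}: unexpected rule '{rule}'")
        elif m.group(1) == "permit" and not m.group(2).startswith(ALLOWED_COMMAND_PREFIXES):
            findings.append(f"role {expected_role}: permits non-read-only command '{m.group(2)}'")
    return findings


# Constructed sample: the relevant blocks of the switch configuration above.
SAMPLE_CONFIG = """#
role name switchbackup
 rule 1 permit command display current-configuration
 rule 2 permit command display saved-configuration
 rule 3 permit command screen-length disable
#
local-user admin class manage
 service-type ssh terminal
 authorization-attribute user-role network-admin
#
local-user backup class manage
 service-type ssh
 authorization-attribute user-role switchbackup
#
return
"""

if __name__ == "__main__":
    print(audit_backup_user(SAMPLE_CONFIG, "backup", "switchbackup") or "OK: least privilege")
```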
short version:
---------------------------------------------------------------------------------
- poweroff the switch + power on again
- then press <CTRL> + <B>
- choose: 7. Skip current system configuration
- The switch boots now with default configuration >> user admin and no password
long version with sample:
---------------------------------------------------------------------------------
Starting......
Press Ctrl+D to access BASIC BOOT MENU
********************************************************************************
* *
* HPE 5130-48G-PoE+-4SFP+ (370W) EI Switch BOOTROM, Version 147 *
* *
********************************************************************************
Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP
Creation Date : Apr 5 2017, 12:55:45
CPU Clock Speed : 1000MHz
Memory Size : 1024MB
Flash Size : 512MB
CPLD Version : 002
PCB Version : Ver.B
Mac Address : abcdeeeffaa
Press Ctrl+B to access EXTENDED BOOT MENU...0
Password recovery capability is enabled.
EXTENDED BOOT MENU
1. Download image to flash
2. Select image to boot
3. Display all files in flash
4. Delete file from flash
5. Restore to factory default configuration
6. Enter BootRom upgrade menu
7. Skip current system configuration
8. Set switch startup mode
0. Reboot
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format file system
Ctrl+P: Change authentication for console login
Ctrl+R: Download image to SDRAM and run
Ctrl+C: Display Copyright
Enter your choice(0-8): 7
The current setting will run with current configuration file when reboot.
Are you sure you want to skip current configuration file when reboot? Yes or No
(Y/N):Y
>> The switch boots now with default configuration >> user admin and no password
--------------------------
links to know:
https://community.hpe.com/t5/comware-based/recover-admin-password-or-reset-to-factory-default/td-p/2314964
-----------------
<HPE>reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]:y
Configuration file in flash: is being cleared.
Please wait ...
MainBoard:
Configuration file is cleared.
<HPE>reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
Current configuration may be lost after the reboot, save current configuration? [Y/N]:n
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait....
----------------------------------------------------------------
local users!!
after booting with the default configuration the switch has an admin user without a password; set a new password for it before you re-apply or save the old configuration, and review the other local users in the saved configuration (it is still on flash unless you ran reset saved-configuration).
-----------------------------------------------------------------
Rocky Linux 9 some basics
- see hostname: hostnamectl
- change hostname: hostnamectl set-hostname new-hostname
- see all installed packages: dnf list (or rpm -qa)
- see repositories: dnf repolist
##############################
# apache with ssl:
##############################
a)with certbot: https://www.linuxteck.com/secure-apache-with-ssl-in-rocky-linux/
b)without certbot:
- install apache basic: dnf install httpd
- install apache security module: dnf install mod_ssl
- check apache version: httpd -v
- httpd service - start and enable:
-- systemctl start httpd
-- systemctl enable httpd
-- systemctl status httpd
- firewall things to consider
-- firewall-cmd --list-all
-- firewall-cmd --permanent --add-port=80/tcp
-- firewall-cmd --permanent --add-port=443/tcp
-- firewall-cmd --reload
- check webpage, port 80 + 443 should work
http://your-ip/
https://your-ip/
-----------------------------------------------------------
generate own selfsigned certificate, with 3650 days expiry:
-----------------------------------------------------------
- openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 3650 -out /etc/pki/tls/certs/httpd.crt
- make changes to file: /etc/httpd/conf.d/ssl.conf
-- change: SSLCertificateFile /etc/pki/tls/certs/localhost.crt >> to: SSLCertificateFile /etc/pki/tls/certs/httpd.crt
-- SSLCertificateKeyFile /etc/pki/tls/private/localhost.key >> to: SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
- reload apache: systemctl reload httpd
----------------------------------------------
Redirect All HTTP Traffic To HTTPS
----------------------------------------------
new file: /etc/httpd/conf.d/redirect_http.conf
with content:
<VirtualHost _default_:80>
ServerName rocky9
Redirect permanent / https://your-server-hostname/
</VirtualHost>
and reload apache: systemctl reload httpd
- see also:
- https://www.linuxteck.com/how-to-install-apache-on-rocky-linux/
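The procedure above as one reviewable script, added here as an example (it is not part of the original notes): it stages the key, the certificate, the ssl.conf change and the redirect vhost into a directory you name instead of writing to /etc directly, adds the subjectAltName that current browsers require (the openssl req line above only asks for a CN), keeps the private key root-only (mode 600) and checks the certificate's remaining lifetime. The hostname rocky9.example.internal, the staging directory /tmp/httpd-tls and the 30-day threshold are assumptions; openssl 1.1.1 or newer is needed for -addext. After reviewing, copy the staged files to /etc/pki/tls and /etc/httpd/conf.d, run apachectl configtest and then systemctl reload httpd.

```shell
#!/bin/bash
# Added example: stage a self-signed TLS setup for httpd (Rocky 9 paths) into a
# directory for review. Not from the original notes; hostname/paths are assumptions.
set -eu

# stage_httpd_tls <staging-dir> <server-hostname> [days]
# Creates key + certificate (CN plus a matching SAN), the HTTP->HTTPS redirect
# vhost, and leaves the private key readable by its owner only.
stage_httpd_tls() {
    dir=$1; host=$2; days=${3:-3650}
    mkdir -p "$dir/pki/private" "$dir/pki/certs" "$dir/conf.d"
    # -nodes: unencrypted key so httpd can start unattended; protect it by file mode.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/pki/private/httpd.key" -out "$dir/pki/certs/httpd.crt" 2>/dev/null
    chmod 600 "$dir/pki/private/httpd.key"
    chmod 644 "$dir/pki/certs/httpd.crt"
    # Redirect every plain-HTTP request to the HTTPS name (Redirect keeps the path).
    cat > "$dir/conf.d/redirect_http.conf" <<EOF
<VirtualHost _default_:80>
    ServerName $host
    Redirect permanent / https://$host/
</VirtualHost>
EOF
}

# patch_ssl_conf <ssl.conf>
# Points the default TLS vhost at the new files. A .orig copy is kept the first
# time and used as the input afterwards, so running it twice is harmless.
patch_ssl_conf() {
    conf=$1
    [ -f "$conf.orig" ] || cp -p "$conf" "$conf.orig"
    sed -e 's|^\([[:space:]]*\)SSLCertificateFile .*|\1SSLCertificateFile /etc/pki/tls/certs/httpd.crt|' \
        -e 's|^\([[:space:]]*\)SSLCertificateKeyFile .*|\1SSLCertificateKeyFile /etc/pki/tls/private/httpd.key|' \
        "$conf.orig" > "$conf"
}

# cert_valid_for_days <crt> <days>: exit 0 if the certificate is still valid in <days> days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}

if [ "${1:-}" = "--stage" ]; then
    stage_httpd_tls "${2:-/tmp/httpd-tls}" "${3:-rocky9.example.internal}"
    echo "staged under ${2:-/tmp/httpd-tls}; review, copy to /etc, then apachectl configtest"
fi
```

Run it as ./stage_tls.sh --stage /tmp/httpd-tls your-host to stage, then apply patch_ssl_conf to /etc/httpd/conf.d/ssl.conf by hand; cert_valid_for_days is the check to put into a cron job or a checkmk local check so a 10-year self-signed certificate does not expire unnoticed like the switch certificate further down this page.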
solution > use a where like the following example
>> in the controller file under application/controllers/yourfile.php:
public function index()
{
$crud = new grocery_CRUD();
$crud->set_theme('tablestrap');
$crud->set_table('macs');
$crud->display_as('firstseen','Firstseen');
$crud->unset_add();
$crud->unset_edit();
$crud->unset_delete();
#$crud->field_type('firstseen','datetime');
#$crud->field_type('lastseen','datetime');
$crud->callback_column('firstseen', array($this, 'callback_date'));
$crud->callback_column('lastseen', array($this, 'callback_date'));
# NOW() - lastseen subtracts DATETIME values numerically, not in seconds, so
# compare against an interval instead (third argument disables CodeIgniter's
# escaping of the raw SQL expression)
$crud->where('lastseen > NOW() - INTERVAL 30 DAY', NULL, FALSE); # last 30 days
$output = $crud->render();
$this->load->view('proMAC.php',$output);
}
checkmk - Notification configuration - How to setup an ASCII Email template with links to your site?
Setup > Events > Notification configuration
Description: Notify some contacts of a host/service via ASCII Email
Notification Method: ASCII Email
--------------------------------------------------
Body head for both host and service notifications
--------------------------------------------------
Host: $HOSTNAME$
Alias: $HOSTALIAS$
Address: $HOSTADDRESS$
--------------------------------------------------
Body tail for host notifications
--------------------------------------------------
Event: $EVENT_TXT$
Output: $HOSTOUTPUT$
Perfdata: $HOSTPERFDATA$
$LONGHOSTOUTPUT$
https://your-hostname/$OMD_SITE$/$HOSTURL$
--------------------------------------------------
Body tail for service notifications
--------------------------------------------------
Service: $SERVICEDESC$
Event: $EVENT_TXT$
Output: $SERVICEOUTPUT$
Perfdata: $SERVICEPERFDATA$
$LONGSERVICEOUTPUT$
https://your-hostname/$OMD_SITE$/$SERVICEURL$
##see also:
https://computer2know.de/checkmk-notification-how-to-find-out-all-notification-variables:::891.html
#!/usr/bin/perl
######################################################################################
#
# checkArubaOScx.pl
#
# checkmk Individual program call instead of agent access
#
# script queries parameters from Aruba CX switches and delivers output for checkmk
# individual program call ...
#
# Monitors health parameters like
# - VsxKeepAliveOperState
# - VsxDeviceRole
# - VsxConfigSync
# - VsxIslOperState
# - PowerSupply
# - Temperature
#
# - see also: https://www.circitor.fr/Mibs/Html/A/ARUBAWIRED-VSX-MIB.php#arubaWiredVsxKeepAliveOperState
#
# sample output:
# <<<check_mk>>>
# Version: pn-v2023-07-08
# <<<local>>>
# 0 arubaOScx-VsxKeepAliveStatus - OK: vsx KeepAliveOperState: inSyncEstablished.
# 0 arubaOScx-VsxDeviceRole - OK: vsx device role: secondary.
# 0 arubaOScx-VsxConfigSync - OK: vsx config sync: enabled.
# 0 arubaOScx-VsxIslOperState - OK: vsx isl operating state: inSync.
# 0 arubaOScx-PowerSupply-1/1 - OK: 1/1 power supply state is ok
# 0 arubaOScx-PowerSupply-1/2 - OK: 1/2 power supply state is ok
# 0 arubaOScx-Temp-1/1-1 temp=23 OK Temp=23, State=normal, TempMin=19.5, TempMax=34
# 0 arubaOScx-Temp-1/1-2 temp=22 OK Temp=22, State=normal, TempMin=18.5, TempMax=33
# 0 arubaOScx-Temp-1/1-3 temp=20.5 OK Temp=20.5, State=normal, TempMin=17, TempMax=31.5
#
# (c) s4c
#
######################################################################################
use strict;
use warnings;
use Data::Dumper;

my $version = '2023-07-08';
my $debug   = 0; # 1=on

if (@ARGV < 2) {
    print "Usage: checkArubaOScx.pl <hostname or ip-address> <snmp community> [--vsx]\n";
    print " example checkArubaOScx.pl 192.168.2.1 public \n";
    print " or\n";
    print " example checkArubaOScx.pl 192.168.2.1 public --vsx\n";
    print "\n";
    exit(1);
}
my $ip        = $ARGV[0];
my $community = $ARGV[1];
# both values are interpolated into the snmpwalk shell command lines below, so
# reject anything that could break out of that command line (quotes, ;, |, &,
# $, backticks, whitespace); widen the character class only if your community
# string really needs other characters
die "refusing unsafe hostname/ip-address: $ip\n" unless $ip =~ /^[\w.:-]+$/;
die "refusing unsafe community string\n"       unless $community =~ /^[\w.@%+=:-]+$/;
my $vsxmode = (@ARGV == 3 && $ARGV[2] eq '--vsx') ? 1 : 0;
print "vsxmode is on\n" if $debug && $vsxmode;
my $line = '';
print "<<<check_mk>>>\n";
print "Version: pn-v$version\n";
print "<<<local>>>\n";
if ($vsxmode){
#arubaWiredVsxKeepAliveOperState
my %matrix=();
$matrix{1}='init';
$matrix{2}='configured';
$matrix{3}='inSyncEstablished';
$matrix{4}='outofSyncEstablished';
$matrix{5}='initEstablished';
$matrix{6}='failed';
$matrix{7}='stopped';
my $service="arubaOScx-VsxKeepAliveStatus";
my $value = getSNMPInt(".1.3.6.1.4.1.47196.4.1.1.3.7.2.2.1");
if (($value >= 1) && ($value <=2)){
print "1 $service - Warning: vsx KeepAliveOperState: $matrix{$value}.\n";
}elsif ($value==3){
print "0 $service - OK: vsx KeepAliveOperState: $matrix{$value}.\n";
}elsif (($value >= 4) && ($value <=7)){
print "1 $service - Warning: vsx KeepAliveOperState: $matrix{$value}.\n";
}else{
print "3 $service - Unknown value\n";
}
}
if ($vsxmode){
#arubaWiredVsxDeviceRole
my %matrix=();
$matrix{1}='primary';
$matrix{2}='secondary';
$matrix{3}='notConfigured';
my $service="arubaOScx-VsxDeviceRole";
my $value = getSNMPInt(".1.3.6.1.4.1.47196.4.1.1.3.7.1.4.1");
if (($value >= 1) && ($value <=3)){
print "0 $service - OK: vsx device role: $matrix{$value}.\n";
}else{
print "3 $service - Unknown value\n";
}
}
if ($vsxmode){
#arubaWiredVsxConfigSync
my %matrix=();
$matrix{1}='enabled';
$matrix{2}='disabled';
my $service="arubaOScx-VsxConfigSync";
my $value = getSNMPInt(".1.3.6.1.4.1.47196.4.1.1.3.7.1.4.2");
if (($value >= 1) && ($value <=2)){
print "0 $service - OK: vsx config sync: $matrix{$value}.\n";
}else{
print "3 $service - Unknown value\n";
}
}
if ($vsxmode){
#arubaWiredVsxIslOperState
my %matrix=();
$matrix{1}='init';
$matrix{2}='outSync';
$matrix{3}='inSync';
my $service="arubaOScx-VsxIslOperState";
my $value = getSNMPInt(".1.3.6.1.4.1.47196.4.1.1.3.7.2.1.1");
if ($value == 1){
print "1 $service - Warning: vsx isl operating state: $matrix{$value}.\n";
}elsif ($value==2){
print "2 $service - Critical: vsx isl operating state: $matrix{$value}.\n";
}elsif ($value==3){
print "0 $service - OK: vsx isl operating state: $matrix{$value}.\n";
}else{
print "3 $service - Unknown value\n";
}
}
#psu
#name: .1.3.6.1.4.1.47196.4.1.1.3.11.2.1.1.3
#state: .1.3.6.1.4.1.47196.4.1.1.3.11.2.1.1.4
#$debug=1;
#psu 1) get names
my $service="arubaOScx-PowerSupply";
my %psuname=();
my $i=0;
open(IN,"snmpwalk -v 2c -c $community $ip .1.3.6.1.4.1.47196.4.1.1.3.11.2.1.1.3 2>/dev/null |");
while(<IN>){
$line = $_;
chomp($line);
$i++;
print "[$i] $line\n" if $debug;
if ($line =~ /STRING: \"(.*)\"$/){
$psuname{$i}=$1;
}
}
close(IN);
print Dumper(\%psuname) if $debug;
#psu 2) get state (same index order as the names above)
$i=0;
my $psustate='';
open(IN,"snmpwalk -v 2c -c $community $ip .1.3.6.1.4.1.47196.4.1.1.3.11.2.1.1.4 2>/dev/null |");
while(<IN>){
$line = $_;
chomp($line);
$i++;
print "[$i] $line\n" if $debug;
if ($line =~ /STRING: \"(.*)\"$/){
$psustate=$1;
if ($psustate =~ /ok/i){
print "0 $service-$psuname{$i} - OK: $psuname{$i} power supply state is ok\n";
}else{
print "1 $service-$psuname{$i} - Warning: $psuname{$i} power supply state is warning!\n";
}
}
}
close(IN);
#ARUBAWIRED-TEMPSENSOR-MIB get temperature
#we have something like that:
#1] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.5.1.3.1.1 = STRING: "1/1-1"
#[2] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.5.1.3.1.2 = STRING: "1/1-2"
#[3] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.5.1.3.1.3 = STRING: "1/1-3"
#[4] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.6.1.3.1.1 = STRING: "normal"
#[5] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.6.1.3.1.2 = STRING: "normal"
#[6] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.6.1.3.1.3 = STRING: "normal"
#[7] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.7.1.3.1.1 = INTEGER: 27000
#[8] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.7.1.3.1.2 = INTEGER: 26500
#[9] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.7.1.3.1.3 = INTEGER: 25500
#[10] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.8.1.3.1.1 = INTEGER: 19500
#[11] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.8.1.3.1.2 = INTEGER: 18500
#[12] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.8.1.3.1.3 = INTEGER: 17000
#[13] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.9.1.3.1.1 = INTEGER: 34000
#[14] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.9.1.3.1.2 = INTEGER: 33000
#[15] .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.9.1.3.1.3 = INTEGER: 31500
$service="arubaOScx-Temp";
$i=0;
$debug=0;
my $tempname; #5.1.3.1.1
my $tempstate; #6.1.3.1.1
my $temp; #7.1.3.1.1
my $tempmin; #8.1.3.1.1
my $tempmax; #9.1.3.1.1
my %tempHash;
my $numOfTemp=0;
open(IN,"snmpwalk -v 2c -On -c $community $ip .1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1 2>/dev/null |");
while(<IN>){
$line = $_;
chomp($line);
$i++;
print "[$i] $line\n" if $debug;
#grep the oid before the string
if ($line =~ /(\d\.\d\.\d\.\d\.\d*) = STRING: \"(.*)\"$/){
print "val1=$1, val2=$2\n" if $debug;
$tempHash{$1}=$2;
$numOfTemp++ if ($1 =~ /^5\.1\.3\.1\./);
}
if ($line =~ /(\d\.\d\.\d\.\d\.\d*) = INTEGER: (.*)$/){
print "val1=$1, val2=$2\n" if $debug;
$tempHash{$1}=$2/1000;
}
}
close(IN);
print "i=$i / number of Temp=$numOfTemp.\n" if $debug;
print Dumper(\%tempHash) if $debug;
for (my $i=1;$i<=$numOfTemp;$i++){
$tempname=$tempHash{"5.1.3.1.$i"};
$tempstate=$tempHash{"6.1.3.1.$i"};
$temp=$tempHash{"7.1.3.1.$i"};
$tempmin=$tempHash{"8.1.3.1.$i"};
$tempmax=$tempHash{"9.1.3.1.$i"};
if ($tempstate =~ /^normal$/i){
print "0 $service-$tempname temp=$temp OK Temp=$temp, State=$tempstate, TempMin=$tempmin, TempMax=$tempmax\n";
}else{
print "1 $service-$tempname temp=$temp Warning Temp=$temp, State=$tempstate, TempMin=$tempmin, TempMax=$tempmax\n";
}
}
###########################
#other sub routines
###########################
# getSNMPStr(oid): last STRING value an snmpwalk of the oid returns, or "not found"
sub getSNMPStr {
    my ($mib) = @_;
    my $found = "not found";
    open(my $in, "snmpwalk -v 2c -c $community $ip $mib 2>/dev/null |") or return $found;
    while (my $l = <$in>) {
        chomp($l);
        print "$l\n" if $debug;
        $found = $1 if $l =~ /STRING: \"(.*)\"$/;
    }
    close($in);
    return $found;
}
# getSNMPInt(oid): last INTEGER value an snmpwalk of the oid returns, or -1 when
# nothing came back (-1 ends up in the callers' "Unknown value" branch without a
# non-numeric comparison warning). Accepts both "INTEGER: 3" and the
# "INTEGER: inSyncEstablished(3)" form that snmpwalk prints when the MIB is loaded.
sub getSNMPInt {
    my ($mib) = @_;
    my $found = -1;
    open(my $in, "snmpwalk -v 2c -c $community $ip $mib 2>/dev/null |") or return $found;
    while (my $l = <$in>) {
        chomp($l);
        print "$l\n" if $debug;
        $found = $1 if $l =~ /INTEGER: (?:\w+\()?(-?\d+)\)?\s*$/;
    }
    close($in);
    return $found;
}
checkmk notification - how to find out all notification variables?
How to find out all possible variables that can be used?
Global settings > Notifications > Notification log level >> set to "Full dump of all variables and commands"
#now trigger a notification and watch notify.log on the console as the site user:
OMD[sitename]:~/var/log$ tail -f notify.log
>> you will now see variables like this: (from checkmk version 2.1)
CONTACTS=contact1,contact2,contact3
HOSTACKAUTHOR=
HOSTACKCOMMENT=
HOSTADDRESS=192.168.8.65
HOSTALIAS=test device mysite-switch1
HOSTATTEMPT=1
HOSTCHECKCOMMAND=check-mk-host-ping
HOSTCONTACTGROUPNAMES=all
HOSTDOWNTIME=0
HOSTGROUPNAMES=check_mk
HOSTNAME=test
HOSTNOTES=
HOSTNOTESURL=
HOSTNOTIFICATIONNUMBER=0
HOSTOUTPUT=OK - 192.168.8.65: rta 0.792ms, lost 0%
HOSTPERFDATA=rta=0.792ms;200.000;500.000;0; pl=0%;80;100;; rtmax=0.877ms;;;; rtmin=0.733ms;;;;
HOSTPROBLEMID=41170
HOSTSTATE=UP
HOSTSTATEID=0
HOSTTAGS=/wato/ auto-piggyback default ip-v4 ip-v4-only lan no-agent prod site:mysite snmp snmp-v2 unknown
HOST_ADDRESSES_4=
HOST_ADDRESSES_6=
HOST_ADDRESS_4=192.168.8.65
HOST_ADDRESS_6=
HOST_ADDRESS_FAMILY=4
HOST_EC_CONTACT=
HOST_FILENAME=/wato/hosts.mk
HOST_SL=
HOST_TAGS=/wato/ auto-piggyback default ip-v4 ip-v4-only lan no-agent prod site:mysite snmp snmp-v2 unknown
LASTHOSTPROBLEMID=41170
LASTHOSTSTATE=UP
LASTHOSTSTATECHANGE=1691416167
LASTHOSTSTATEID=0
LASTHOSTUP=1691475116
LASTSERVICEOK=1691475151
LASTSERVICEPROBLEMID=42110
LASTSERVICESTATE=CRITICAL
LASTSERVICESTATECHANGE=1691475151
LASTSERVICESTATEID=2
LONGHOSTOUTPUT=
LONGSERVICEOUTPUT=Total CPU: 1.0%
MAXHOSTATTEMPTS=1
MAXSERVICEATTEMPTS=1
MICROTIME=1691475151864063
NOTIFICATIONAUTHOR=
NOTIFICATIONAUTHORALIAS=
NOTIFICATIONAUTHORNAME=
NOTIFICATIONCOMMENT=
NOTIFICATIONTYPE=RECOVERY
PREVIOUSHOSTHARDSTATE=DOWN
PREVIOUSHOSTHARDSTATEID=1
PREVIOUSSERVICEHARDSTATE=CRITICAL
PREVIOUSSERVICEHARDSTATEID=2
SERVICEACKAUTHOR=
SERVICEACKCOMMENT=
SERVICEATTEMPT=1
SERVICECHECKCOMMAND=check_mk-hp_procurve_cpu
SERVICECONTACTGROUPNAMES=all
SERVICEDESC=CPU utilization
SERVICEDISPLAYNAME=CPU utilization
SERVICEDOWNTIME=0
SERVICEGROUPNAMES=
SERVICENOTES=
SERVICENOTESURL=
SERVICENOTIFICATIONNUMBER=1
SERVICEOUTPUT=Total CPU: 1.0%
SERVICEPERFDATA=util=1;80;90;0;100
SERVICEPROBLEMID=42110
SERVICESTATE=OK
SERVICESTATEID=0
SERVICE_EC_CONTACT=
SERVICE_SL=
SVC_SL=
CONTACTNAME=check-mk-notify
DATE=2023-08-08
HOSTFORURL=test
HOSTLABEL_cmk/device_type=switch
HOSTLABEL_cmk/site=mysite
HOSTSHORTSTATE=UP
HOSTURL=/check_mk/index.py?start_url=view.py?view_name%3Dhoststatus%26host%3Dtest%26site%3Dmysite
LASTHOSTSHORTSTATE=UP
LASTHOSTSTATECHANGE_REL=0d 16:23:04
LASTHOSTUP_REL=0d 00:00:35
LASTSERVICEOK_REL=0d 00:00:00
LASTSERVICESHORTSTATE=CRIT
LASTSERVICESTATECHANGE_REL=0d 00:00:00
LONGDATETIME=Tue Aug 08 08:12:31 CEST 2023
MONITORING_HOST=mysitecheckmk-vm.mysite
OMD_ROOT=/omd/sites/mysite
OMD_SITE=mysite
PREVIOUSHOSTHARDSHORTSTATE=DOWN
PREVIOUSSERVICEHARDSHORTSTATE=CRIT
SERVICEFORURL=CPU%20utilization
SERVICESHORTSTATE=OK
SERVICEURL=/check_mk/index.py?start_url=view.py?view_name%3Dservice%26host%3Dtest%26service%3DCPU%2Butilization%26site%3Dmysite
SHORTDATETIME=2023-08-08 08:12:31
WHAT=SERVICE
Problem:
there are no ActiveSiteServices anymore after some Windows updates
when digging deeper into the error, we found out that the Citrix PowerShell cmdlet "Get-BrokerController" no longer returns any information for ActiveSiteServices:
https://developer-docs.citrix.com/en-us/citrix-virtual-apps-desktops-sdk/current-release/Broker/Get-BrokerController.html
Solution:
not known yet - it is not a checkmk problem; update the Citrix version and check afterwards whether Get-BrokerController returns data again. The checkmk agent plugin that calls it:
https://github.com/ypid-bot/check_mk/blob/master/agents/windows/plugins/citrix_farm.ps1
tp-link - Range extender - essential things to know
model: RE330EU
setup
---------
1) via the Tether App (Apple Store / Google Play) > you need a TP-Link ID for that!
2) via web browser:
- connect to wifi network: TP-Link_Extender,
- visit http://tplinkrepeater.net or http://192.168.0.254 > create password and login
3) via wps button
- press wps button on your router
- within 2 minutes press the wps button on the extender for 1 second
download iso from:
https://www.proxmox.com/en/downloads/proxmox-virtual-environment/iso
use a cloning tool that supports raw copy mode, like Etcher!
- see also:
https://pve.proxmox.com/wiki/Prepare_Installation_Media
>> solution:
run command:
switch# aruba-central support-mode
now you can, for example, run a command like:
port-access reauthenticate interface <INTERFACE-NAME>
if you want to bring the device / switch back under Aruba Central control run:
switch# no aruba-central support-mode
While ($True) {
(netsh wlan show interfaces) -Match '^\s+Signal' -Replace '^\s+Signal\s+:\s+',''
Start-Sleep -s 1
}
--------------------------------------
more details:
netsh wlan show interfaces
https://proxmox-server-ip:8006
>> tcp 8006 is the default port
by default it is not possible to create a good old offline (local) account, you have to enter a Microsoft account, but there is a workaround:
1) when you are asked to enter your Microsoft account >> enter a@a.com as the e-mail address > press Enter
2) enter a "random" password
> since this account is locked anyway you can now proceed to step 3
3) now enter your "local" name and create your local account: admin or similar
see also:
https://beebom.com/how-create-local-account-windows-11/
linux distribution blackarch:
https://blackarch.org/index.html
no ssh logins possible anymore! Maximum number of sessions
Problem:
Aug 18 17:48:46 yourservername sshd[9846]: pam_systemd(sshd:session): Failed to create session: Maximum number of sessions (…sessions.
solution:
- see "man sshd_config" parameter MaxSessions:
MaxSessions
Specifies the maximum number of open shell, login or subsystem (e.g. sftp) sessions permitted per network connection. Multiple sessions may be established by clients that support connection multiplexing. Setting MaxSessions to 1 will effectively disable session multiplexing, whereas setting it to 0 will prevent all shell, login and subsystem sessions while still permitting forwarding. The default is 10.
>> default is 10
increase it to 20:
file /etc/ssh/sshd_config:
new line with:
MaxSessions 20
and restart sshd: systemctl restart ssh (or /etc/init.d/ssh restart)
caveat: the message above is logged by pam_systemd, i.e. systemd-logind refused to create the session. logind has its own limit, SessionsMax in /etc/systemd/logind.conf (default 8192), and reaching it usually means sessions are leaking (check with loginctl list-sessions, and look for stuck sshd children) rather than that sshd's per-connection MaxSessions is too low. Raising MaxSessions only helps if you really open more than 10 multiplexed channels over one connection.
debian update error message - changed its suite from value 'oldstable' to 'oldoldstable'
when trying to update a debian 10 server I got this error message, when running apt-get update:
error message in german:
-------------------------
Paketlisten werden gelesen... Fertig
N: Für das Depot »http://ftp.somewhere.net/pub/linux/debian buster InRelease« wurde der »Suite«-Wert von »oldstable« in »oldoldstable« geändert.
error message in english:
-------------------------
Reading package lists... Done.
N: The "Suite" value for the repository "http://ftp.somewhere.net/pub/linux/debian buster InRelease" has been changed from "oldstable" to "oldoldstable".
solution:
-------------------------
apt-get --allow-releaseinfo-change update
after that run a "apt-get update" + "apt-get upgrade" command again, and it should work now.
steps to do:
#goto default directory
cd /etc/default
#make a backup of grub config
cp -p grub grub.save.original
#edit file /etc/default/grub >> change GRUB_CMDLINE_LINUX_DEFAULT there to:
GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 console=tty0"
#activate the settings by regenerating /boot/grub/grub.cfg:
update-grub
>> now reboot and connect using a serial cable and a tool like Tera Term VT or a PuTTY serial connection; with a bare console=ttyS0 the kernel uses 9600 bps, 8N1, so use exactly that setting (or add the speed, e.g. console=ttyS0,115200n8, and match it in the terminal program).
>> enjoy this new feature, you can now administer the machine without a display ;-)
----------------------------------------
tested on a debian based proxmox linux system:
pveversion
pve-manager/8.0.4/d258a813cfa6b390 (running kernel: 6.2.16-3-pve)
----------------------------------------
see also:
https://cweiske.de/tagebuch/serial-console-debian9.htm
- try to repair the computer using the Apple Configurator app on another Mac
- when running the repair mode the firmware will be updated and recoveryOS will be brought to the latest version
- Apple Configurator app: https://apps.apple.com/us/app/apple-configurator/id1037126344 needs a Mac with macOS 12.4 or later
- use a USB-C to USB-C cable to connect the two Macs (make sure to choose the right USB-C port >> see the Apple documentation for that)
- start the problem Mac using a key combination >> see the Apple documentation for that
- for the model A2337, a MacBook Air with the Apple silicon M1 chip, the keys are: right Shift + left Control + left Option >>> press the power button together with these three keys, release the three keys after 10 seconds and release the power button after another 10 seconds
- all the key pressing has one aim: to get the device into DFU mode so that it shows up in Apple Configurator on the "good" Mac
- once it is in DFU mode, right-click the device and choose the repair action: "Revive Device" keeps the data, "Restore Device" wipes the Mac
- once started it takes up to 2 hours until the right operating system has been downloaded and the process continues
----------------
links:
- https://support.apple.com/de-de/guide/apple-configurator-mac/apdd5f3c75ad/mac
- https://www.howtoisolve.com/how-to-boot-mac-with-external-boot-drive-on-m1-macbook/
- Mr.Macintosh: https://mrmacintosh.com/
-------------------------------
further links:
-------------------------------
- https://www.flomain.de/2017/03/external-sql-authentication-source-clearpass/
#process a csr request from console on windows server
certreq -submit -attrib "CertificateTemplate:<Name>"
problem: harddrive is running out of space , since there are many files under /var/lib/mysql/binlog.*
solution:
under /var/lib/mysql there are a lot of files like:
binlog.000290
binlog.000291
Here are the steps to delete old binary logs in MySQL 8 without touching the active one:
#1: connect to MySQL: mysql -u your_username -p
#2: list the logs: SHOW BINARY LOGS;
#3: find the active log: SHOW MASTER STATUS; (the file shown there must never be purged)
#4: purge everything older than a given log: PURGE BINARY LOGS TO 'binlog.000291'; (deletes binlog.000290 and older; or by age: PURGE BINARY LOGS BEFORE NOW() - INTERVAL 7 DAY;)
>> never purge logs a replica has not read yet (SHOW REPLICA STATUS on the replica), and remember that the binary logs are what makes point-in-time recovery between two backups possible
>> MySQL 8 also removes them automatically after binlog_expire_logs_seconds (default 2592000 = 30 days); lowering that value in the [mysqld] section bounds the disk usage while keeping recovery possible
>> if you really don't need binary logging (one backup per day is okay for you and there is no replication), you can disable it:
disable binary logging:
/etc/mysql/mysql.conf.d/mysqld.cnf
[mysqld]
skip-log-bin
--------------------------
how to verify if binary logging is disabled?
--------------------------
after you disabled the binary logging and restartet the mysql service, you should get this in the console if you run a "show binary logs;":
mysql> show binary logs;
ERROR 1381 (HY000): You are not using binary logging
job "BackUp" at 01:01 on Sun "copy startup-config tftp 192.168.2.10 myswitch.cfg"
job "WriteMemory" at 01:05 on Sun "write memory"
if you are used to https://www.shrew.net/download/vpn you are probably a bit sad, since the last version is from 2013!!
use this client instead:
https://www.softether.org/
------------------
if you need to connect via vpn to a fritz.box use FritzBox Fernzugang:
https://avm.de/service/vpn-neu/downloads/
web request form to get a free NA protection relay (grid and plant protection relay) for your Deye microinverter;
you need to have one of these models of Deye microinverters:
- SUN300/500/600/800/1000G3-EU-230
- SUN-M60/80/100G3-EU-Q0
- SUN-1300/1600/2000G3-EU
------
see also:
- https://www.notebookcheck.com/Relaisgate-Update-bei-Deye-und-Bosswerk-Bestellformular-fuer-externes-Relais-jetzt-online.752624.0.html
- https://www.heise.de/news/Deye-Wechselrichter-Externer-NA-Schutz-zertifiziert-9231530.html
in case you want to check the cabling on a Comware based switch like a 5130 switch, you can
use the virtual-cable-test feature on interface level:
[switch-GigabitEthernet1/0/47]virtual-cable-test
Cable status: normal, 15 metre(s)
Pair Impedance mismatch: -
Pair skew: - ns
Pair swap: -
Pair polarity: -
Insertion loss: - db
Return loss: - db
Near-end crosstalk: - db
use command line tool: jq
jq - Command-line JSON processor
#on redhat / centos just install the tool using: yum install jq
error message on switch:
W 10/05/23 11:01:04 03425 crypto: Certificate used by http-ssl application is
expired.
what to do:
#command to see your certificates
show crypto pki local-certificate
#remove the certificates (handle this carefully if you use certificates for other applications as well - zeroize deletes all of them)
crypto pki zeroize
#create a new self-signed certificate (20 years validity here, pick what your policy allows)
crypto pki enroll-self-signed certificate-name your-switch valid-start 01/01/2023 valid-end 12/31/2043 subject common-name your-switch
#see also
https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=1e6a17ec-f054-47e0-bd46-7915973fa844&CommunityKey=2fd943a6-8898-4dbe-915f-4f09e4d3c317&tab=librarydocuments
1) let's create 3 new attributes, under Administration > Dictionaries > Dictionary Attributes
Entity = Endpoint: Name = customer-NAS-IP-Address (String, Allow Multiple = no)
Entity = Endpoint: Name = customer-NAS-Port (String, Allow Multiple = no)
Entity = Endpoint: Name = customer-NAS-Port-Id (String, Allow Multiple = no)
2) let's create an Enforcement Profile
Enforcement > Profiles > new Profile
- Template = ClearPass Entity Update Enforcement
- Name = Customer-Update-NAS-Information-to-Endpoint
- Attributes:
Type=Endpoint, Name=customer-NAS-IP-Address, Value=%{Radius:IETF:NAS-IP-Address}
Type=Endpoint, Name=customer-NAS-Port, Value=%{Radius:IETF:NAS-Port}
Type=Endpoint, Name=customer-NAS-Port-Id, Value=%{Radius:IETF:NAS-Port-Id}
3) assign the profile to a policy by adding a new rule
Conditions: Date:Date-Time EXISTS (always true) >> then: Customer-Update-NAS-Information-to-Endpoint
the exit code of the last program call is written to variable
>> ERRORLEVEL
how to test?
- open command line
- run command "dir"
- print error level: echo %ERRORLEVEL%
>> you should get a 0 as error code
- run command "blabla" (a command that does not exist)
- print error level: echo %ERRORLEVEL%
>> you should get a 9009 as error code
monitor
----------
to monitor windows tasks with checkmk copy the "windows_tasks.ps1" script from:
"C:\Program Files (x86)\checkmk\service\plugins\windows_tasks.ps1"
>> to
"C:\ProgramData\checkmk\agent\plugins\windows_tasks.ps1"
after that the agent should deliver information about the scheduled tasks on that host
rules
------
if you want different states depending on the exit code of the Windows task you can create a rule that matches specific exit codes
checkmk > Setup > Windows Tasks > Add rule
!warning! the task name field is a regular expression and the name of a Windows task usually starts with a "\", so the backslash has to be escaped as "\\"
example: \\WindowsTaskTest$
documentation:
- AOS-CX 10.12 Layer-2 Bridging Guide (6300, 6400 Switch Series)
- AOS-CX 10.8 Update > private VLANs: https://www.youtube.com/watch?v=jTdk5HJA8fU
latest documentation:
- https://secure.asteas.com/manual/21.0/docs/
- parameters for redirection
https://secure.asteas.com/manual/21.0/docs/loginpage/redirects/#placeholder
update log info:
- https://www.iacbox.com/log/updates/
Execute the following command in the vim editor
:set background=dark
or
:set bg=dark
or - if you have a light background use:
:set bg=light
#!/bin/bash
# Follow the newest file in a directory (e.g. the current file of a rotating log)
directory="${1:-/path/to/directory}"

# Check if the directory exists
if [ ! -d "$directory" ]; then
    echo "The directory does not exist: $directory" >&2
    exit 1
fi

# Find the newest regular file without parsing ls output, so names with
# spaces or other unusual characters are handled correctly
newest_file=""
for f in "$directory"/*; do
    [ -f "$f" ] || continue
    if [ -z "$newest_file" ] || [ "$f" -nt "$newest_file" ]; then
        newest_file="$f"
    fi
done

# Check if at least one file is present in the directory
if [ -z "$newest_file" ]; then
    echo "No files found in the directory: $directory" >&2
    exit 1
fi

echo "Monitoring $newest_file..."
# Run tail -f on the newest file
tail -f "$newest_file"
----------------------------------------------------------------
put an alias into ~/.bashrc to have the command available in your shell
alias livelog='/path/to/your/script.sh'
Management Card:
- Default IP: 10.10.10.10
- Default credentials: admin / cs141-snmp (change them during the initial setup)
########################
# trouble with checkmk agent check-mk-agent_2.1.0p35-1_all.deb on debian 11
# >> error message: Systemd Service Summary>> service failed (cmk-agent-ctl-daemon)
########################
-----------------
!!before, agent version check-mk-agent_2.0.0p27-1_all.deb worked without problems
> the error came up after updating to the 2.1.0p35 agent version
-----------------
######################
#Analysing the problem
######################
###journalctl -u cmk-agent-ctl-daemon.service
-- Journal begins at Mon 2022-09-26 15:10:14 CEST, ends at Wed 2023-10-18 17:12:07 CEST. --
Oct 18 17:06:41 my-system systemd[1]: Started Checkmk agent controller daemon.
Oct 18 17:06:41 my-system cmk-agent-ctl[1286]: ERROR [cmk_agent_ctl] Failed to listen on TCP socket for incoming pull connections.
Oct 18 17:06:41 my-system cmk-agent-ctl[1286]: Error with IPV6:
Oct 18 17:06:41 my-system cmk-agent-ctl[1286]: Address in use (os error 98)
Oct 18 17:06:41 my-system cmk-agent-ctl[1286]: Error with IPV4:
Oct 18 17:06:41 my-system cmk-agent-ctl[1286]: Address in use (os error 98)
Oct 18 17:06:41 my-system systemd[1]: cmk-agent-ctl-daemon.service: Main process exited, code=exited, status=1/FAILURE
Oct 18 17:06:41 my-system systemd[1]: cmk-agent-ctl-daemon.service: Failed with result 'exit-code'.
###systemctl status cmk-agent-ctl-daemon.service
cmk-agent-ctl-daemon.service - Checkmk agent controller daemon
Loaded: loaded (/lib/systemd/system/cmk-agent-ctl-daemon.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2023-10-18 17:08:52 CEST; 8min ago
Process: 758 ExecStart=/usr/bin/cmk-agent-ctl daemon (code=exited, status=1/FAILURE)
Main PID: 758 (code=exited, status=1/FAILURE)
CPU: 2ms
Oct 18 17:08:52 my-system systemd[1]: cmk-agent-ctl-daemon.service: Scheduled restart job, restart counter is at 5.
Oct 18 17:08:52 my-system systemd[1]: Stopped Checkmk agent controller daemon.
Oct 18 17:08:52 my-system systemd[1]: cmk-agent-ctl-daemon.service: Start request repeated too quickly.
Oct 18 17:08:52 my-system systemd[1]: cmk-agent-ctl-daemon.service: Failed with result 'exit-code'.
Oct 18 17:08:52 my-system systemd[1]: Failed to start Checkmk agent controller daemon.
### restart service
systemctl restart cmk-agent-ctl-daemon.service
>> does not help
### cmk-agent-ctl command
/usr/bin/cmk-agent-ctl daemon
ERROR [cmk_agent_ctl] Failed to listen on TCP socket for incoming pull connections.
Error with IPV6:
Address in use (os error 98)
Error with IPV4:
Address in use (os error 98)
####################
# cause, and my solution >> remove the systemd settings >> and install xinetd
####################
"Address in use (os error 98)" means something else already listens on the agent port (TCP 6556 by default); after an upgrade from 2.0 this is typically a leftover xinetd check_mk service or the legacy check_mk.socket unit. ss -ltnp 'sport = :6556' shows the listening process; stopping and disabling it lets cmk-agent-ctl-daemon start.
1) remove
/var/lib/cmk-agent/scripts/super-server/0_systemd/setup purge
Removing leftover systemd units: /etc/systemd/system/check_mk.socket, /etc/systemd/system/check_mk@.service, /etc/systemd/system/check_mk-async.service
Removing agent controller: /usr/bin/cmk-agent-ctl
Removing deployed systemd units: check-mk-agent-async.service, cmk-agent-ctl-daemon.service, check-mk-agent@.service, check-mk-agent.socket
2) install xinetd, so that the checkmk agent will be started from there
sudo apt-get -y install xinetd
caveat: without the agent controller the agent runs in legacy mode, i.e. the pull connection from the monitoring server is neither TLS-encrypted nor authenticated beyond xinetd's only_from IP check; treat it as a workaround, not as the target configuration
-------------------------------------------
link with no solution ;-)
-------------------------------------------
https://forum.checkmk.com/t/cmk-agent-systemd-service-summary-1-service-failed-cmk-agent-ctl-daemon/34005
STP Spanning tree
STP comes with extra features that help keep the network stable. Here is a simple explanation of these features and when to use them:
Root Guard: prevents a port from accepting superior BPDUs, so a device behind that port can never become the root bridge. Use it on ports where a root bridge must never appear, to keep the core of the network stable. Don't use it on links between core switches.
Admin Edge: lets a port go straight to forwarding without waiting for the STP listening/learning states. It is meant for ports with a single end device, or a PC daisy-chained behind an IP phone. Be careful, because such a port skips the normal checks and may not catch a loop. Only use Admin Edge on ports facing end devices like computers.
BPDU Guard: automatically disables a port as soon as a BPDU is received on it. You should usually activate it on access ports that connect to user devices, like computers or printers, on access switches. BPDU Guard is especially helpful because it ensures that no BPDUs are accepted on access ports, which prevents loops and, importantly, guards against spoofed BPDUs, i.e. an attached device that tries to take part in or manipulate the spanning tree. This adds an extra layer of protection against fake or deceptive messages in the network.
BPDU Filter: drops BPDUs received on a port and stops sending its own. It is used only in special cases, for example when two groups want their spanning trees kept separate. Normally it is best not to use BPDU Filter unless you are in such a situation.
Loop Protect: a safety net alongside STP. It detects loops caused by a device that does not follow the STP rules, disables the port while the loop exists and re-enables it once the problem is fixed. Use it on all ports facing end devices to avoid accidental loops. Don't use it on important core or uplink ports.
Fault Monitor: watches for excessive traffic or error rates on ports. It can log events, send alerts, or temporarily disable a port. Turn on Fault Monitor to get alerts for the recognized problems, and use it on all ports for a stable network. But don't use its "disable" action, because Loop Protect already handles that.
--------------------------------------
links
--------------------------------------
https://www.arubanetworks.com/techdocs/VSG/docs/010-campus-design/esp-campus-design-044-lan-design-switching/
# Checkmk local check: report the printer status and restart the spooler once when the printer is offline
$counterFile = "C:\tmp\mycounter.txt"
$printer_status = Get-Printer -Name "my-printer" | Select-Object PrinterStatus
# Get-Content fails if the counter file does not exist yet, so a missing file is treated as "0"
$counter = Get-Content $counterFile -ErrorAction SilentlyContinue
if (-not $counter) { $counter = "0" }
if ($printer_status.PrinterStatus -in @("TonerLow", "Normal", "PaperOut"))
{
    echo "0 Printer - OK - Printer is Online"
    if ($counter -eq "1")
    {
        # printer is back: allow one more spooler restart on the next outage
        "0" | Out-File $counterFile
        echo "counter reset"
    }
}
if ($printer_status.PrinterStatus -eq "Offline")
{
    echo "2 Printer - Critical - Printer is Offline!!"
    if ($counter -eq "0")
    {
        # restart the spooler only once per outage; the counter remembers that it already happened
        Restart-Service -Name Spooler -Force
        "1" | Out-File $counterFile
    } else {
        echo "already restarted!"
    }
}
Tested with AOS-CX 10.12
- there is a AOS-CX 10.12 SNMP/MIB Guide - a good documentation
- in earlier versions (not sure which exact versions!) of AOS-CX it was not possible to write SNMP - just read operations were implemented
#create a snmpv3 user:
snmpv3 user mySNMPv3user auth sha auth-pass plaintext myauthpassword01 priv des priv-pass plaintext myprivpassword01 access-level rw
#read test (oid .1.3.6.1.2.1.105.1.1.1.3 is pethPsePortAdminEnable from the POWER-ETHERNET-MIB: 1 = enabled, 2 = disabled)
snmpwalk -v3 -l authPriv -u mySNMPv3user -a SHA -A "myauthpassword01" -x DES -X "myprivpassword01" 192.168.2.55 .1.3.6.1.2.1.105.1.1.1.3
#write test - enable Power over Ethernet (PoE) on port 1:
snmpset -v3 -l authPriv -u mySNMPv3user -a SHA -A "myauthpassword01" -x DES -X "myprivpassword01" 192.168.2.55 SNMPv2-SMI::mib-2.105.1.1.1.3.1.1 i 1
#write test - disable Power over Ethernet (PoE) on port 1:
snmpset -v3 -l authPriv -u mySNMPv3user -a SHA -A "myauthpassword01" -x DES -X "myprivpassword01" 192.168.2.55 SNMPv2-SMI::mib-2.105.1.1.1.3.1.1 i 2
#see the PoE admin status on all ports
snmpbulkwalk -v3 -l authPriv -u mySNMPv3user -a SHA -A "myauthpassword01" -x DES -X "myprivpassword01" 192.168.2.55 .1.3.6.1.2.1.105.1.1.1.3
videos:
- Configure Aruba ClearPass for a MySQL backend
https://www.youtube.com/watch?v=BJ7MGuZL4JM
problem: the magic wol packet is not waking up the client
solution 1:
-------------------------
Enabling flood traffic on a port:
switch(config-if)# port-access allow-flood-traffic enable
Description
Enables or disables the flooding of traffic (broadcast, multicast and unknown unicast) through a secured port before a client has authenticated.
By default, flood traffic is disabled.
Usage
This command can be used to let Wake-on-LAN packets pass on secured ports prior to client authentication.
- turn on on firewall under:
Subscription Services > Enable DNSWatch -> Enforce on selected interfaces
- use the watchguard dns servers:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/dnswatch/dnswatch_dns_servers_c.html
> for region: EU (Ireland)
34.240.115.208
34.251.171.117
#!/usr/bin/env python3
################################################################################
# getFirmwareArubaOS.py
#
# gets oids from a list of switch ips, mostly used for firmware version
#
# ex.: ./getFirmwareArubaOS.py -c <community> -o <oid> -cf <path_to_cfg_file>
#      ./getFirmwareArubaOS.py -c <community> -o <oid> -ip <switch ip>
#
# oids_procurve:
# - firmware: 1.3.6.1.2.1.47.1.1.1.1.9.1
# - model: 1.3.6.1.2.1.47.1.1.1.1.2.1
# - hostname: 1.3.6.1.2.1.1.5.0
#
# to get it running, install the net-snmp command line tools (snmpwalk);
# only python standard library modules are used
#
# Changes
# -2023-11-21: first version
#
################################################################################
import subprocess
import argparse

#########
# parser
#########
parser = argparse.ArgumentParser()
parser.add_argument("--debug", "-d", action="store_true")
parser.add_argument("--ip_address", "-ip", type=str)
parser.add_argument("--config_file", "-cf", type=str, help="file with one switch ip per line")
requiredArgs = parser.add_argument_group("required arguments")
requiredArgs.add_argument("--community", "-c", type=str, required=True)
requiredArgs.add_argument("--oid", "-o", type=str, required=True)
args = parser.parse_args()


def get_value(community, ip, oid):
    """Run snmpwalk for one oid and return the quoted string value, or "unknown"."""
    # the arguments are passed as a list, so no shell is involved and an ip or oid
    # taken from the config file cannot inject shell commands
    cmd = ["snmpwalk", "-v", "2c", "-c", community, ip, oid]
    try:
        output = subprocess.check_output(cmd, stderr=subprocess.STDOUT, timeout=30)
        output = output.decode("utf-8", errors="replace")
        if args.debug:
            print(output)
        # snmpwalk prints e.g. ... = STRING: "KB.16.11.0012" -> take the text between the quotes
        return output.split('"')[1]
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired, FileNotFoundError, IndexError):
        return "unknown"


if args.config_file:
    with open(args.config_file, "r") as config_file:
        ip_list = [line.strip() for line in config_file if line.strip()]
    for ip in ip_list:
        print(f"{ip}\t{get_value(args.community, ip, args.oid)}")
elif args.ip_address:
    print(f"{args.ip_address}\t{get_value(args.community, args.ip_address, args.oid)}")
else:
    parser.error("either --ip_address or --config_file is required")
>> delete specific file in directory:
/var/lib/check_mk_agent/cache
If you encounter a problem where you ping a device and get the following output:
64 bytes from 10.6.12.253: icmp_seq=1 ttl=62 time=55.9 ms
64 bytes from 10.6.12.253: icmp_seq=1 ttl=62 time=55.9 ms (DUP!)
64 bytes from 10.6.12.253: icmp_seq=2 ttl=62 time=54.0 ms
64 bytes from 10.6.12.253: icmp_seq=2 ttl=62 time=54.0 ms (DUP!)
64 bytes from 10.6.12.253: icmp_seq=3 ttl=62 time=41.0 ms
64 bytes from 10.6.12.253: icmp_seq=3 ttl=62 time=48.9 ms (DUP!)
> if there is routing involved, you should check if ICMP-Redirect is enabled on the routing device
> ICMP-Redirect is enabled by default on Aruba-CX Layer 3 Switches
>> Aruba-CX -> issue the following command:
>> no ip icmp redirect
You can save your putty configuration like so:
> open an elevated command prompt
> to save only your sessions execute the following command:
regedit /e "%USERPROFILE%\Desktop\putty_sessions.reg" HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
> to save all settings (except ssh keys) execute the following command:
regedit /e "%USERPROFILE%\Desktop\putty_config.reg" HKEY_CURRENT_USER\Software\SimonTatham
You can import your putty settings with:
regedit /s "%USERPROFILE%\Desktop\putty_config.reg"
>> Administration > Server Manager > Server Configuration
Cluster wide parameters > enable tls 1.0 (Disable TLSv1.0 support set from All to None)
>> create Local User ALCIPT
>> create service that handles ALCIPT 802.1x packets and authenticate against Local User Repository
#netedit useful commands
console:
sudo su -
service networking restart
ip addr #show ip addr
version 2.2.1 > upgrade to 2.9.0
> netedit userguide for 2.9.0:
-- chapter "Upgrade to Debian 10", since with the release of NetEdit 2.4.0 Debian 10 (Buster) is the base operating system
-- console logon to NetEdit 2.2.1, follow the instructions from the userguide to upgrade Debian 9 to Debian 10
-- after following all steps reboot the machine
-- login to netedit webuser frontend again > click on the ? in the right corner > and select Upgrade NetEdit > upload the file "Aruba_Netedit_2.9.0_upgrade.tar.gz" > press upgrade after upload
SMBv1 is an old protocol that should not be used if at all possible, but sometimes there is no way around it:
how to turn it on / check it?
- start a powershell with administrative privileges
- check the settings: Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- activate: Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- disable: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
**maybe a reboot makes sense after enabling / disabling
#restart webserver
- synosystemctl restart nginx
##get list of services you can start / stop / restart
systemctl list-units
https://portal.office.com/account
>> download office there
in case of problems with the office activation use the Support and Recovery Assistant from Microsoft
link: https://support.microsoft.com/en-us/office/about-the-microsoft-support-and-recovery-assistant-e90bb691-c2a7-4697-a94f-88836856c72f
Microsoft changed the name of Microsoft Azure Active Directory (AAD) to Microsoft Entra ID. (2023-08)
very good video:
https://www.youtube.com/watch?v=rJzHpc1kQW4
see also:
https://alexskra.com/blog/ubuntu-20-04-with-software-raid1-and-uefi/
####################################################################
After installation > before reboot use the second console session to make some checks!
commands to use:
- alt + <F2> to switch to second session
- mount |grep boot #check which partition is the boot partition
- dd if=/dev/sdb1 of=/dev/sda1 #if sdb1 is the active boot partition then clone the partition, so that the other partition is also bootable
- check raid status: mdadm --detail /dev/md0
--> wait until raid sync is complete
- install efibootmgr tool: apt-get install efibootmgr
- ls -la /dev/disk/by-partuuid [see the uuid of sda1 + sdb1]
- efibootmgr -v [check if boot partuuid - from sda1 + sdb1 are in the boot list!]
----------------------------------------------------------------------------------
useful commands
#How to show status
mdadm -D /dev/md0
How to re-add a drive when RAID is in degraded mode?
$ mdadm /dev/md0 -a /dev/sdb2
mdadm: re-added /dev/sdb2
#How to remove a partition from a raid ?
mdadm /dev/md0 --remove /dev/sdc2
#nice network flow view
Tenants > Security Policies
>> instead of Table View choose Network Graph in the right corner above
Best practice for rules
- assign the policy in egress direction
- assign a broader policy to the VRF; put things like "deny ssh" or "allow rdp only to these hosts" there
- attach network policies to VLANs for more specific rules
- always keep in mind: assigning an empty policy to a network or VRF means "deny any"!!
#persona best practice > always access except special vsx ports
- interface 1/1/1-1/1/47 > persona access
- interface 1/1/48 > no persona (vsx keepalive)
- interface 1/1/49+50 > no persona (vsx isl)
- interface 1/1/51-54 > persona access
#commands to know
- pdsctl show security-policy
chia - how to convert database to version 2 when there is not enough disc space?
problem:
chia db upgrade
there is probably not enough free space on the volume where the output database will be written:
/home/sys4com/.chia/mainnet/db/blockchain_v2_mainnet.sqlite
solution:
- stop chia processes
- write v2 database to another directory: chia db upgrade --output /opt/nfs_nas01/blockchain_v2_mainnet.sqlite
- change your config.yaml file (can be found for example in .chia/mainnet/config on a linux system )
-- replace under the full_node: section from database_path:
---- db/blockchain_v1_CHALLENGE.sqlite to
---- database_path: db/blockchain_v2_CHALLENGE.sqlite
- move v1 database or delete it: cd $HOME/.chia/mainnet/db
-- move blockchain_v1_mainnet.sqlite /to/somewhere
-- rm blockchain_v1_mainnet.sqlite
- copy backup new v2 file to $HOME/.chia/mainnet/db
- start chia
links:
- https://docs.chia.net/cli/#upgrade
- https://www.reddit.com/r/chia/comments/ul87kx/chia_db_upgrade_tips/
- https://wiki.spacefarmers.io/guides/farming/upgradedb
sample:
the following two commands are executed every 2 seconds when you run this command:
watch "du -s -h blockchain_v1_mainnet.sqlite.gz && df -h /"
Every 2.0s: du -s -h blockchain_v1_mainnet.sqlite.gz && df -h / chia-farm-nas02: Wed Dec 13 17:16:49 2023
52G blockchain_v1_mainnet.sqlite.gz
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv 457G 341G 97G 78% /
using tool rtorrent
----------------------------------------
- install: apt-get install rtorrent
- start: rtorrent
- press enter to add a torrent link > after that you will see the download in a list
- select the download and press: <ctrl> + <s>
- leaving rtorrent: <ctrl> + <q>
more information:
https://wiki.ubuntuusers.de/rTorrent/
#the following command produces a html report
netsh wlan show wlanreport
the default tcp port for rsyncd is tcp 873
------------------------------------------------------------------------
install the service
----------------------------------------------------
apt install rsync
------------------------------------------------------------------------
create configuration file /etc/rsyncd.conf:
----------------------------------------------------
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
uid = nobody
gid = nobody
[nas01]
path = /opt/rsyncd-backup/nas01
comment = nas01 files
uid = nas01
gid = nas01
read only = no
list = yes
auth users = nas01backup
secrets file = /etc/rsyncd.secrets
hosts allow = 192.168.2.199/255.255.255.255
-------------------------------------------------------------------------
------------------------------------------------------------------------
create secrets file /etc/rsyncd.secrets (the file named in "secrets file" above, one user:password per line):
----------------------------------------------------
nas01backup:cyz
> change permissions: chmod 600 /etc/rsyncd.secrets
------------------------------------------------------------------------
start service
----------------------------------------------------
systemctl start rsync
systemctl enable rsync
systemctl stop rsync
- see also:
https://blog.programster.org/ubuntu-set-up-rsync-server
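As an added example (not from this page and not part of rsync), a small Python check that reads an rsyncd.conf like the one above and flags modules that have no "auth users", no "secrets file" or no "hosts allow", or that are writable. The sample configuration inside the block is constructed for the run: the nas01 module is the one from above, the "weak" module is a hypothetical badly configured one.

```python
import configparser
from typing import Dict, List

# constructed sample: the nas01 module from above plus a hypothetical, badly configured module
SAMPLE_RSYNCD_CONF = """\
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
uid = nobody
gid = nobody

[nas01]
path = /opt/rsyncd-backup/nas01
comment = nas01 files
uid = nas01
gid = nas01
read only = no
list = yes
auth users = nas01backup
secrets file = /etc/rsyncd.secrets
hosts allow = 192.168.2.199/255.255.255.255

[weak]
path = /srv/public
read only = no
list = yes
"""


def parse_rsyncd_conf(text: str) -> configparser.ConfigParser:
    """rsyncd.conf is ini-like, but the global parameters appear before the first
    [module] header, which configparser does not accept, so a synthetic
    [global] header is prepended."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[global]\n" + text)
    return cp


def check_modules(text: str) -> Dict[str, List[str]]:
    """Return a dict module name -> list of findings (an empty list means nothing found)."""
    cp = parse_rsyncd_conf(text)
    findings: Dict[str, List[str]] = {}
    for module in cp.sections():
        if module == "global":
            continue
        sec = cp[module]

        def get(key: str) -> str:
            # rsyncd module settings fall back to the global section when not set in the module
            return sec.get(key, cp["global"].get(key, "")).strip()

        problems = []
        if not get("auth users"):
            problems.append("no 'auth users': anyone who can reach the port can use the module")
        elif not get("secrets file"):
            problems.append("'auth users' set but no 'secrets file': the users cannot authenticate")
        if not get("hosts allow"):
            problems.append("no 'hosts allow': module is reachable from any source address")
        if get("read only").lower() in ("no", "false", "0"):
            problems.append("module is writable (read only = no)")
        findings[module] = problems
    return findings


if __name__ == "__main__":
    for name, probs in check_modules(SAMPLE_RSYNCD_CONF).items():
        print(f"[{name}] {'ok' if not probs else 'check'}")
        for p in probs:
            print(f"  - {p}")
```

For a backup target like nas01 the "writable" finding is expected; it is listed so that a writable module without "auth users" and "hosts allow" stands out, which is the combination you do not want on a host reachable from more than the one backup client.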
-> add a line to the rsyslog configuration file: /etc/rsyslog.conf
example:
#forward all messages to remote syslog server
*.* @@10.18.23.22:514
or:
*.* @10.18.23.22:514
#restart the service after the change
systemctl restart rsyslog.service
##from the rsyslogd.conf man page:
To forward messages to another host via UDP, prepend the hostname with the at sign ("@"). To forward
it via plain tcp, prepend two at signs ("@@"). To forward via RELP, prepend the string ":omrelp:" in
front of the hostname.
Example:
*.* @192.168.0.1
In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destination port
defaults to 514. Due to the nature of UDP, you will probably lose some messages in transit. If you
expect high traffic volume, you can expect to lose a quite noticeable number of messages (the higher
the traffic, the more likely and severe is message loss).
start with:
=for comment
end with:
=cut
---------
sample
---------
$i=1;
$j=2;
=for comment
my $k=4;
while(true){
print "test\n";
}
=cut
#!/bin/bash
if [ -z "$1" ]
then
    echo "usage: plotLoop <tmp directory>"
    exit 1
fi
tmpdir=$1
dstdir=/opt/usbhdd
logdir=/home/myuser/logs
#get the keys from command: chia keys show
farmkey="<<your chia farm key>>"
poolkey="<<your chia pool key>>"
#farming to pool
#the pool contract address comes from the command: chia plotnft show
poolingcontract="xch<<your pool contract id>>"
#chia command
chia="/opt/chia/resources/app.asar.unpacked/daemon/chia"
#plot parameters as an array, so that every option stays one argument
plotargs=(plots create -k32 -n1 -t"$tmpdir" -2"$tmpdir" -d"$tmpdir" -b3390 -u128 -r2 -a1235814531 -x)
#keyargs for generating self pooling plots
#keyargs=(-f "$farmkey" -p "$poolkey")
#keyargs for generating plots to be used in other pools
keyargs=(-f "$farmkey" -c "$poolingcontract")
copycmd="nohup rsync --partial --remove-source-files --bwlimit=50000 $tmpdir/*.plot $dstdir/"
i=0
while :
do
    i=$((i+1))
    #log file name with a timestamp, e.g. chia-plot-2023-12-13-171649
    fn="chia-plot-$(date +%Y-%m-%d-%H%M%S)"
    #the tmp directory with slashes replaced by dashes, so it can be part of the log file name
    fnappendix="${tmpdir//\//-}"
    logfile=$logdir/$fn-$fnappendix.log
    echo "chia plotting loop number $i - logging to $logfile"
    echo "$chia ${plotargs[*]} ${keyargs[*]} >>$logfile"
    #run the plotter directly; the output goes to the log file
    "$chia" "${plotargs[@]}" "${keyargs[@]}" >>"$logfile" 2>&1
    # echo "transfer plot file in background"
    # echo "$copycmd"
    # $copycmd &
    sleep 4
done
>> use robocopy!
robocopy C:\source C:\destination /COPYALL /E /R:0 /DCOPY:T
/E : copy subdirectories recursively, including empty ones
/COPYALL : copy all file information (data, attributes, timestamps, ACLs, owner, auditing info)
/R:0 : number of retries on failed copies (0 = do not retry)
/DCOPY:T : preserve the original directory timestamps
you can connect to the watchguard cli with putty
Host Name (or IP address): <watchguard ip address>
Port: 4118
How to configure mac-based port authentication on a Aruba CX switch, and how can you set device mode via radius response?
#######################################################################################
#Aruba CX switch config
###################################
radius-server host radius-server-ip key ciphertext yoursecret...
aaa authentication port-access mac-auth
auth-method pap
enable
#quiet-period <1-65535>
#reauth
#reauth-period <0-65535>
#turn on mac address authentication on interface 1/1/12
interface 1/1/12
aaa authentication port-access mac-auth
enable
client-limit <number>
#######################################################################################
#######################################################################################
#useful switch commands
#######################################################################################
#reauthenticate a client
port-access reauthenticate interface 1/1/12
#show authentication status
show port-access clients
or
show port-access clients detail
#######################################################################################
#how can you set the client to device mode, let's say the client is an access point with local vlan breakout,
#so that only the access point is authenticated, and not all the clients behind it?
#######################################################################################
#>> you need this radius attribute in your radius accept response:
#Radius attribute for device mode on a switch port
Type: Radius:Aruba
Name: Aruba-Port-Auth-Mode(50)
Value: Infrastructure-Mode (1)
#to support this attribute define it in your radius dictionary:
VENDOR Aruba 14823
BEGIN-VENDOR Aruba
ATTRIBUTE Aruba-Port-Auth-Mode 50 integer
VALUE Aruba-Port-Auth-Mode Infrastructure-Mode 1
VALUE Aruba-Port-Auth-Mode Client-Mode 2
VALUE Aruba-Port-Auth-Mode Multi-Domain-Mode 3
END-VENDOR Aruba
#the radius dictionary for aruba can also be found here:
https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary/radius/dictionary.aruba
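To see what the attribute above looks like on the wire, here is an added example (not from this page, and not code from FreeRADIUS or Aruba) that encodes and decodes the Aruba-Port-Auth-Mode vendor-specific attribute the way RFC 2865 section 5.26 defines it. The vendor id 14823, the attribute number 50 and the three values are taken from the dictionary above; everything else is generic RADIUS encoding.

```python
import struct
from typing import Tuple

# values from the radius dictionary above
VENDOR_ARUBA = 14823
ARUBA_PORT_AUTH_MODE = 50
PORT_AUTH_MODE_NAMES = {1: "Infrastructure-Mode", 2: "Client-Mode", 3: "Multi-Domain-Mode"}
RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 attribute type "Vendor-Specific"


def encode_vsa_integer(vendor_id: int, vendor_type: int, value: int) -> bytes:
    """Encode one integer vendor-specific attribute:
    Type(26) | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | Value (4 bytes).
    Vendor-Length counts vendor type, vendor length and the value, i.e. 6 for an integer."""
    inner = struct.pack("!BBI", vendor_type, 6, value)
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa_integer(data: bytes) -> Tuple[int, int, int]:
    """Parse the attribute back into (vendor_id, vendor_type, value); raises ValueError if malformed."""
    if len(data) < 12 or data[0] != RADIUS_VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("not a well-formed vendor-specific attribute")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    vendor_type, vendor_len = data[6], data[7]
    if vendor_len != 6 or vendor_len != len(data) - 6:
        raise ValueError("vendor length does not match an integer value")
    value = struct.unpack("!I", data[8:12])[0]
    return vendor_id, vendor_type, value


def aruba_port_auth_mode(value: int) -> bytes:
    """The attribute a radius server puts into the Access-Accept for device mode."""
    return encode_vsa_integer(VENDOR_ARUBA, ARUBA_PORT_AUTH_MODE, value)


def describe(data: bytes) -> str:
    """Human readable form, using the names from the dictionary above."""
    vendor_id, vendor_type, value = decode_vsa_integer(data)
    if vendor_id == VENDOR_ARUBA and vendor_type == ARUBA_PORT_AUTH_MODE:
        return f"Aruba-Port-Auth-Mode = {PORT_AUTH_MODE_NAMES.get(value, value)} ({value})"
    return f"vendor {vendor_id} attribute {vendor_type} = {value}"


if __name__ == "__main__":
    attr = aruba_port_auth_mode(1)
    print(attr.hex())       # 1a0c000039e7320600000001
    print(describe(attr))   # Aruba-Port-Auth-Mode = Infrastructure-Mode (1)
```

The hex dump is what you would look for in a packet capture of the Access-Accept: 1a = type 26, 0c = 12 bytes total, 000039e7 = vendor 14823, 32 = attribute 50, 06 = vendor length, 00000001 = Infrastructure-Mode.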
1) you need to buy a license! copy the license file backuplic.cao to right program folder
2) use a script like the following:
runCAOBackup.cmd:
SET PATH=%PATH%;c:\Program Files (x86)\CAO-Faktura-1.5\
cao_autobackup.exe M=MANDANTNAME DIR=\\speicher1\yourbackuppath\CAO\backup\
3) create a task and execute the script at least once a day
----
see also:
https://www.cao-faktura.de/doku/cao-faktura/Autobackup.html
add the ondrej php repository to your machine:
sudo add-apt-repository ppa:ondrej/php
apt update
apt upgrade
apt install php5.6
install additional php 5.6 modules:
apt-get install php5.6-gd php5.6-mysql php5.6-imap php5.6-curl php5.6-intl php5.6-pspell php5.6-recode php5.6-sqlite3 php5.6-tidy php5.6-xmlrpc php5.6-xsl php5.6-zip php5.6-mbstring php5.6-soap php5.6-opcache libicu65 php5.6-common php5.6-json php5.6-readline php5.6-xml
--- links ----
- https://launchpad.net/~ondrej/+archive/ubuntu/php/+packages?field.name_filter=php5&field.status_filter=published&field.series_filter=
- https://vitux.com/how-to-install-php5-php8-on-ubuntu/
you can use it for example, to find out the switch names using snmp
-----------------------------------------
the script to check all devices in ip-range from 192.168.2.1-254
> the output will be:
192.168.2.1;switchname1
192.168.2.2;switchname2
....
------------------------------------------
#!/bin/bash
community="public" # Replace with your actual community string
oid="1.3.6.1.2.1.1.5.0" # OID for sysName
# -Oqv prints only the value; -t 1 -r 0 waits one second without retries, so unused addresses are skipped quickly
for ((i=1; i<=254; i++)); do
    current_ip="192.168.2.$i"
    if name=$(snmpget -Oqv -t 1 -r 0 -v 2c -c "$community" "$current_ip" "$oid" 2>/dev/null); then
        # strip any quotes around the string value
        name=${name//\"/}
        echo "$current_ip;$name"
    else
        # report failures on stderr, so the ip;name list on stdout stays clean
        echo "Failed to retrieve data from $current_ip" >&2
    fi
done
- fresh installation tested on ubuntu server 22.04 and 23.10
- turn on syslog-like message logging, activate the changes and make sure
that the syslog services of the site are enabled (omd config sitename)
- send some syslog test messages:
echo '<78>Jan 15 12:23:01 mytestserver01 myapplication: is working now.' | nc -w 1 -u <checkmk-serverip> 514
or:
echo 'This is no syslog message' | nc -w 1 -u <checkmk-serverip> 514
- make sure that the test syslog messages are seen on the system, using tcpdump:
tcpdump port 514
- if you send the syslog message from the checkmk server itself, make sure to monitor the loopback interface:
tcpdump -i lo port 514
- normally you should now see a log file under your site ./var/mkevent/messages/somelogfile.log
>> the problem with version 2.2.0p18 was that the directory "messages" under ./var/mkevent/ was not created, and no log files either.
As soon as I installed 2.2.0p17 or earlier, the messages directory was created and so were the log files
--------------
INFO 2023-01-18 >> seems to be a checkmk bug; it will be fixed with version 2.2.0p19!
-------------
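The following block is an added example (not from this page, checkmk or rsyslog) that builds the BSD syslog line sent with nc above, explains where the <78> comes from (facility cron = 9, severity info = 6, PRI = 9 * 8 + 6) and sends it over UDP and TCP the same way the rsyslog "@" and "@@" forwarding rules from the earlier section do. For the self-test it starts a throw-away UDP listener on 127.0.0.1 as a stand-in for the checkmk event console; the host names and the message text are constructed.

```python
import re
import socket
from typing import Optional, Tuple

# rfc 3164 facility and severity codes; PRI = facility * 8 + severity
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def build_message(facility: str, severity: str, timestamp: str, host: str, tag: str, text: str) -> str:
    """Build a BSD syslog line like the one sent with nc above."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{timestamp} {host} {tag}: {text}"


def parse_pri(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (facility, severity, rest of line), or None when the line carries no valid PRI,
    which is what happens with the 'This is no syslog message' test line above."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    return FACILITY_NAMES.get(pri // 8, str(pri // 8)), SEVERITY_NAMES[pri % 8], m.group(2)


def send_udp(line: str, host: str, port: int) -> None:
    """Equivalent of: echo '<line>' | nc -u host port, and of rsyslog's @host:port (no delivery guarantee)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


def send_tcp(line: str, host: str, port: int) -> None:
    """Equivalent of rsyslog's @@host:port: the same line, newline terminated, over a tcp connection."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall((line + "\n").encode())


def udp_roundtrip(line: str) -> str:
    """Start a throw-away udp listener on localhost, send the line to it and return what arrived."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.settimeout(5)
    port = srv.getsockname()[1]
    send_udp(line, "127.0.0.1", port)
    data, _ = srv.recvfrom(4096)
    srv.close()
    return data.decode()


if __name__ == "__main__":
    msg = build_message("cron", "info", "Jan 15 12:23:01", "mytestserver01", "myapplication", "is working now.")
    print(msg)                                      # <78>Jan 15 12:23:01 mytestserver01 myapplication: is working now.
    print(parse_pri(udp_roundtrip(msg)))            # ('cron', 'info', 'Jan 15 12:23:01 ...')
    print(parse_pri("This is no syslog message"))   # None
```

When tcpdump shows the packet arriving but the event console creates no log file, parse_pri on the captured payload tells you whether the receiver could at least have classified it; a line without a valid PRI is the second test message from above.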
> use this script: deleteOldrrdFilesFromCheckmkSite.sh
#!/bin/bash
site=yoursitename
# list the rrd files of the site that were not modified in the last 30 days
find /omd/sites/$site/var/pnp4nagios/ -type f -name '*.rrd' -mtime +30
while true; do
    read -p "should I really delete all the files shown above (y/n) ?" yn
    case $yn in
        # -delete works on the file names directly, so paths with spaces are handled correctly
        [Yy]* ) echo "delete files"; find /omd/sites/$site/var/pnp4nagios/ -type f -name '*.rrd' -mtime +30 -delete; break;;
        [Nn]* ) exit;;
        * ) echo "Please answer yes or no.";;
    esac
done
Firmware Update
1. check if there is enough space on flash:
<sysname> dir
1.1 display information about the current software images
<sysname> display version
1.2 check the boot order:
<sysname> display boot-loader
2. make a backup of the current firmware:
<sysname> boot-loader file boot flash:/<filename> system flash:/<filename> slot 1 backup
sample (copy all current flashes to all members):
<sysname> boot-loader file boot flash:/5130ei-cmw710-boot-r3109p05.bin system flash:/5130ei-cmw710-system-r3109p05.bin all backup
3. load the new firmware onto the switch:
<sysname> tftp <IP-Address> get <Image.ipe>
4. boot-loader file flash:/<Image.ipe> slot 1 main
<sysname> boot-loader update all
5. optional step -> if you need some space:
<sysname> delete /unreserved flash:/<file name>
<sysname> reset recycle-bin
6. verify the startup image settings again:
<sysname> display boot-loader
7. reboot the device to complete the upgrade
<sysname> reboot
8. verify the software after reboot
<sysname> display version
change Boot sequence
===================================
after startup, when you see the Dell logo press:
<F2> to access bios / setup
<F12> to show the one time boot menu
run: resmon.exe
in German: Ressourcenmonitor, reachable via the Task Manager
an alternative program is TCPView, in case you want to understand who is talking to whom on the network stack: https://learn.microsoft.com/de-de/sysinternals/downloads/tcpview
TCPView gives you deep insight into the network connections of the machine
if you run into the problem that no more graphs are being created, maybe there are too many open files
(problem seen on an Ubuntu 20.04 LTS installation)
1) find the root cause:
---------------------------------------------
check logfile:
/omd/sites/<sitename>/tmp/run/mkeventd/events/mkeventd.log.1
2024-01-11 07:22:37,880 [40] [cmk.mkeventd.StatusServer] Error handling client None: [Errno 24] Too many open files
Traceback (most recent call last):
File "/omd/sites/cb/lib/python3/cmk/ec/main.py", line 2203, in serve
client_socket, addr_info = s.accept()
^^^^^^^^^^
File "/omd/sites/cb/lib/python3.11/socket.py", line 294, in accept
OSError: [Errno 24] Too many open files
>>> the Error is: "Too many open files"
2) check how many files are allowed in the site user context
---------------------------------------------
OMD[sitename]:~$ ulimit -a |grep "open files"
open files (-n) 1024
>>> in this case 1024 files are allowed
3) fix the problem by increasing the number of files allowed
---------------------------------------------
/etc/security/limits.conf
cb soft nofile 20000
4) restart checkmk, or at least the event daemon, so that the new values take effect
!!!!
the number of openfiles may also be specified in your cmc site >> see also:
checkmk enterprise - increase limit for open files - in your site: https://computer2know.de/checkmk-enterprise-increase-limit-for-open-files-in-your-site:::809.html
>>> solution: add HostKeyAlgorithms=+ssh-dss to your ssh config file, scoped to the one legacy host as in the Host block below, so the weak algorithms are not enabled for every connection
-----------------------------------------------------------------------------------------------
cat .ssh/config
Host 192.168.2.88
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
KexAlgorithms diffie-hellman-group1-sha1
HostKeyAlgorithms=+ssh-dss
this error message shows up when apache is restarted,
how to fix this?
solution on ubuntu 22.04 LTS:
>> file: /etc/apache2/apache2.conf
add:
ServerName <yourservername>
apachectl restart
check_snmp_firecluster.sh is a script to monitor watchguard's cluster status,
the script can be downloaded here:
https://exchange.nagios.org/directory/Plugins/Hardware/Network-Gear/Others/check_snmp_firecluster/details
=======================================================
-----------------------
Problem:
-----------------------
check_snmp_firecluster.sh > does not run on ubuntu 22.04 minimal installation
-----------------------
Solution:
-----------------------
#analysing the script:
#working example
snmpget -t 10 -v 1 -c public 192.168.2.10 .1.3.6.1.4.1.3097.6.6.9.0
SNMPv2-SMI::enterprises.3097.6.6.9.0 = INTEGER: 3
#not working example
snmpget -t 10 -v 1 -c pnpub 192.168.2.10 .1.3.6.1.4.1.3097.6.6.9.0
iso.3.6.1.4.1.3097.6.6.9.0 = INTEGER: 3
>> the problem is that the parsing of the result failed, since the output contained only numeric OIDs
>> so let's turn on SNMP MIBs, in the file /etc/snmp/snmp.conf:
# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
#mibs :
mibs SNMPv2-SMI
>> after the line "mibs SNMPv2-SMI" was added, the snmpget command returned "SNMPv2-SMI::enterprises.3097.6.6.9.0 = INTEGER: 3" again and the parsing worked
-----------------------------------
snmp packages installed on ubuntu 22.04 LTS minimal installation:
----------------------------------
ii libsnmp-base 5.9.1+dfsg-1ubuntu2.6 all SNMP configuration script, MIBs and documentation
ii libsnmp40:amd64 5.9.1+dfsg-1ubuntu2.6 amd64 SNMP (Simple Network Management Protocol) library
ii snmp 5.9.1+dfsg-1ubuntu2.6 amd64 SNMP (Simple Network Management Protocol) applications
ii snmp-mibs-downloader 1.5 all install and manage Management Information Base (MIB) files
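The more robust fix is not to depend on MIB loading at all. As an added example (not from this page and not from the check_snmp_firecluster plugin), this Python parser accepts the net-snmp output in symbolic, "iso." and numeric notation and returns the integer value only when the line really belongs to the expected OID. The two sample lines are the outputs shown above; the timeout line is constructed.

```python
import re
from typing import Optional, Tuple

# net-snmp prints one of these for the same object, depending on whether MIBs are loaded:
#   SNMPv2-SMI::enterprises.3097.6.6.9.0 = INTEGER: 3     (mibs SNMPv2-SMI in snmp.conf)
#   iso.3.6.1.4.1.3097.6.6.9.0 = INTEGER: 3                (no MIBs loaded)
#   .1.3.6.1.4.1.3097.6.6.9.0 = INTEGER: 3                 (snmpget -On)
LINE_RE = re.compile(r"^\s*(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9\-]+):\s*(?P<value>.*?)\s*$")

# prefixes that all denote the same numeric root
PREFIXES = {
    "SNMPv2-SMI::enterprises": "1.3.6.1.4.1",
    "SNMPv2-SMI::mib-2": "1.3.6.1.2.1",
    "iso": "1",
}


def normalise_oid(oid: str) -> str:
    """Return the dotted numeric form of the oid without a leading dot."""
    for prefix, numeric in PREFIXES.items():
        if oid == prefix or oid.startswith(prefix + "."):
            return numeric + oid[len(prefix):]
    return oid.lstrip(".")


def parse_snmp_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse 'oid = TYPE: value' into (numeric oid, type, value), or None if the line is no result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return normalise_oid(m.group("oid")), m.group("type"), m.group("value")


def get_integer(line: str, expected_oid: str) -> Optional[int]:
    """Value of an INTEGER result line if it is the expected oid, regardless of the oid notation."""
    parsed = parse_snmp_line(line)
    if parsed is None:
        return None
    oid, typ, value = parsed
    if oid != normalise_oid(expected_oid) or typ != "INTEGER":
        return None
    # with MIBs loaded, enumerated INTEGER values look like 'active(3)'; keep only the number
    m = re.search(r"\(?(-?\d+)\)?\s*$", value)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    cluster_oid = ".1.3.6.1.4.1.3097.6.6.9.0"
    for out in ("SNMPv2-SMI::enterprises.3097.6.6.9.0 = INTEGER: 3",
                "iso.3.6.1.4.1.3097.6.6.9.0 = INTEGER: 3",
                "Timeout: No Response from 192.168.2.10"):
        print(out, "->", get_integer(out, cluster_oid))
```

A monitoring plugin that parses this way behaves the same on a minimal installation without MIBs and on a full one, and it returns "no value" instead of a wrong status when snmpget prints a timeout or an error line.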
Fiberstore Switches - S5800-8TF12S 10Gb
https://www.fs.com/de/products/69404.html
S5800-8TF12S 10Gb fiber SFP+ 12-port switch, Layer 2/Layer 3,
with 8 RJ45/SFP combo ports for hyper-converged infrastructure
syslog service: https://maxbelkov.github.io/visualsyslog/
#turn on syslog
Switch1(config)# logging server enable
Switch1(config)# logging server address 192.168.2.22
#igmp commands
ip igmp snooping fast-leave
ip igmp snooping querier tcn enable
ip igmp snooping discard-unknown
ip igmp snooping querier show tcn enable
ip igmp snooping vlan 1 querier address 192.168.2.23
ip igmp snooping vlan 1 querier (switch3)
lldp enable
show ip igmp snooping querier
show logging buffer
show ip igmp snooping groups
debug ipmp events
Switch# show ip igmp snooping
Global Igmp Snooping Configuration
-------------------------------------------------
Igmp Snooping :Enabled
Igmp Snooping Fast-Leave :Enabled
Igmp Snooping Version :3
Switch1# show ip igmp snooping querier
Global Igmp Snooping Querier Configuration
-------------------------------------------------
Version :3
Last-Member-Query-Interval (msec) :1000
Last-Member-Query-Count :2
Max-Query-Response-Time (sec) :10
Query-Interval (sec) :125
Global Source-Address :0.0.0.0
TCN Query Count :2
TCN Query Interval (sec) :10
TCN Query Max Respose Time (sec) :5
Vlan 1: IGMP snooping querier status
--------------------------------------------
Elected querier is : 192.168.2.23
--------------------------------------------
Admin state :Disabled
Admin version :3
Operational state :Non-Querier
Querier operational address :192.168.2.23
Querier configure address :192.168.2.23
Last-Member-Query-Interval (msec) :1000
Last-Member-Query-Count :2
Max-Query-Response-Time (sec) :10
Query-Interval (sec) :125
Querier-Timeout (sec) :255
Switch1# show running-config
Building configuration...
version 5.3.8
!
no service password-encryption
!
http server load flash:/FSOS-webImage-v5.3.8.r.bin
service http enable
service https enable
!
!
!
!
hostname Switch2
!
!
username admin privilege 4 password admin
!
!
vlan database
!
interface eth-0-1
!
interface eth-0-2
!
interface eth-0-3
!
interface eth-0-4
!
interface eth-0-5
!
interface eth-0-6
!
interface eth-0-7
!
interface eth-0-8
!
interface eth-0-9
!
interface eth-0-10
!
interface eth-0-11
!
interface eth-0-12
!
interface eth-0-13
!
interface eth-0-14
!
interface eth-0-15
!
interface eth-0-16
!
interface eth-0-17
!
interface eth-0-18
!
interface eth-0-19
!
interface eth-0-20
!
interface vlan1
ip address 192.168.2.23/24
!
ip igmp snooping querier tcn enable
no ip igmp snooping report-suppression
ip igmp snooping fast-leave
ip igmp snooping version 3
ip igmp snooping discard-unknown
ip igmp snooping vlan 1 querier address 192.168.2.10
!
lldp enable
!
line con 0
speed 115200
no line-password
no login
line vty 0 7
exec-timeout 35791 0
privilege level 4
no line-password
login local
!
end
During 802.1X authentication (e.g. EAP-PEAP, EAP-TLS) the ClearPass server sends its RADIUS server certificate to the client, as the protocol requires. Because the certificate is larger than the interface MTU (Maximum Transmission Unit), it has to be split into smaller pieces, the EAP fragments. Sometimes the size of the EAP fragments sent by ClearPass needs to be adjusted.
where to change the setting in clearpass?
Policy Manager > Administration > Server Manager > Server Configurations > click on the server > Service Parameter > Radius server:
EAP-TLS Fragment size :: default is 1024 bytes
https://support.hpe.com/hpesc/public/docDisplay?docId=sf000094111en_us&docLocale=en_US
cat /root/bin/countOpenFilesUser-username.sh
#!/bin/bash
# count the files opened by one user (replace "username"), to watch the open file limit over time
mydate=$(date)
num=$(lsof -u username | wc -l)
echo "$mydate number of open files user username: $num"
#cron entry:
#openfile monitoring
*/5 * * * * /root/bin/countOpenFilesUser-username.sh >>/tmp/checkmk-username-open-files.log 2>/dev/null
ip fragmentation - how to capture some snmp fragments from a switch
wireshark filter:
(ip.addr == 172.23.99.210)&&(ip.fragment)
better filter:
(ip.addr == 172.23.99.210)&&(((ip.fragment)||(ip.flags.mf==1)||(ip.frag_offset!=0)))
how to produce fragmented packets?
>> decrease the MTU on your test system, in our case a switch, so that responses larger than the MTU have to be fragmented.
Turn on SNMP on the switch and query it using snmpwalk
Switch > aruba cx
6100(config)# interface vlan 1
6100(config-if-vlan)# ip mtu
<68-9198> The IP payload MTU value in bytes (Default: 1500)
6100(config-if-vlan)# ip mtu 200
Value is less than the IPv6 minimum MTU of 1280.
Continue (y/n)? y
6100(config-if-vlan)# show ip interface
Interface vlan1 is up
Admin state is up
Hardware: Ethernet, MAC Address: xy:....
IP MTU 200
now run a snmpbulkwalk against the switch:
snmpbulkwalk -c public -v 2c 172.23.99.210
>> on wireshark, you see the fragments
-------------------------------------
more information about ip fragmentation:
- https://packetpushers.net/blog/ip-fragmentation-in-detail/
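To make the fragment condition from the "better filter" above concrete, here is an added Python example (not part of the original notes) that parses raw IPv4 headers, applies the same test (MF flag set or fragment offset non-zero) and checks whether a fragment series is complete, which is what you want to know when a firewall silently drops non-initial fragments. The packets are constructed test vectors shaped like an SNMP response from 172.23.99.210 split at the 200-byte IP MTU set above; the header checksum is left at zero because the parser does not verify it.

```python
import struct
from dataclasses import dataclass


@dataclass
class Ipv4Header:
    src: str
    dst: str
    ident: int
    more_fragments: bool
    frag_offset: int      # raw header value in 8-byte units (Wireshark shows it multiplied by 8)
    total_length: int


def parse_ipv4_header(raw: bytes) -> Ipv4Header:
    """Parse the fixed 20-byte part of an IPv4 header (options are ignored)."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes of header")
    (ver_ihl, _tos, total_length, ident, flags_frag,
     _ttl, _proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return Ipv4Header(
        src=".".join(str(b) for b in src),
        dst=".".join(str(b) for b in dst),
        ident=ident,
        more_fragments=bool(flags_frag & 0x2000),   # MF bit
        frag_offset=flags_frag & 0x1FFF,            # low 13 bits
        total_length=total_length,
    )


def is_fragment(h: Ipv4Header) -> bool:
    """Same condition as the Wireshark filter: MF set or a non-zero offset."""
    return h.more_fragments or h.frag_offset != 0


def fragment_series(headers):
    """Group fragments by (src, dst, identification) and report whether each
    series is complete: offsets contiguous from 0 and the last piece has MF clear."""
    groups = {}
    for h in headers:
        if is_fragment(h):
            groups.setdefault((h.src, h.dst, h.ident), []).append(h)
    result = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f.frag_offset)
        expected, complete = 0, True
        for f in frags:
            if f.frag_offset != expected:
                complete = False
                break
            expected += (f.total_length - 20) // 8
        if frags[-1].more_fragments:
            complete = False
        result[key] = complete
    return result


def build_ipv4_header(src, dst, ident, more_fragments, frag_offset, payload_len, proto=17):
    """Build a 20-byte IPv4 header for the constructed test vectors (checksum left 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


SWITCH, MANAGER = "172.23.99.210", "172.23.99.99"   # constructed addresses
# Constructed sample: a 402-byte SNMP response split at IP MTU 200 (176-byte pieces)
SAMPLE_PACKETS = [
    build_ipv4_header(SWITCH, MANAGER, 0x1234, True, 0, 176),
    build_ipv4_header(SWITCH, MANAGER, 0x1234, True, 22, 176),
    build_ipv4_header(SWITCH, MANAGER, 0x1234, False, 44, 50),
    build_ipv4_header(MANAGER, SWITCH, 0x0042, False, 0, 60),   # unfragmented request
    build_ipv4_header(SWITCH, MANAGER, 0x1235, True, 0, 176),   # series with pieces missing
]

if __name__ == "__main__":
    headers = [parse_ipv4_header(p) for p in SAMPLE_PACKETS]
    for h in headers:
        print(h.src, "->", h.dst, "id", hex(h.ident), "fragment" if is_fragment(h) else "whole")
    print(fragment_series(headers))
```

Run against a real capture, feed the bytes of each IP layer into parse_ipv4_header; a series reported as incomplete while the switch sent all pieces points at a device on the path dropping fragments.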
if you generate a notification and watch the notification log file:
OMD[SITE]:~$ tail -f ./var/log/notify.log
you see problems / errors:
2024-01-26 16:40:14,807 [10] [cmk.base.notify] Found 0 user specific rules
2024-01-26 16:40:14,807 [20] [cmk.base.notify] Global rule 'Notify all contacts of a host/service via HTML email'...
2024-01-26 16:40:14,807 [20] [cmk.base.notify] -> matches!
2024-01-26 16:40:14,807 [40] [cmk.base.notify] ERROR:
Traceback (most recent call last):
File "/omd/sites/SITE/lib/python3/cmk/base/notify.py", line 352, in locally_deliver_raw_context
return notify_rulebased(raw_context, analyse=analyse)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/omd/sites/SITE/lib/python3/cmk/base/notify.py", line 444, in notify_rulebased
notifications, rule_info = _create_notifications(
^^^^^^^^^^^^^^^^^^^^^^
File "/omd/sites/SITE/lib/python3/cmk/base/notify.py", line 465, in _create_notifications
contacts = rbn_rule_contacts(rule, raw_context)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/omd/sites/SITE/lib/python3/cmk/base/notify.py", line 968, in rbn_rule_contacts
if disable_notifications_opts.get("disable", False):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'get'
similar problems:
- https://forum.checkmk.com/t/notification-problems-since-upgrade-to-2-2-0p3-cre/39379
- https://forum.checkmk.com/t/trouble-with-notifications-in-2-2-0-cre/39120/3
---------
solution:
---------
new format of user attributes .. after I edited all users (in my case only about 5) and committed
the changes, the errors from above disappeared
>> the problem probably comes from upgrading from an old version; if you directly install 2.2.0 you probably will not have the problem ;-))
How to Access API Swagger documentation page?
https://developer.arubanetworks.com/aruba-central/docs/api-swagger-documentation
HPE GreenLake > Choose your Workspace > Aruba Central
in Aruba Central
- Global > Maintain > Organization > Platform Integration > API Gateway
>> here you see:
>>> All Published APIs(1): https://apigw-eucentral3.central.arubanetworks.com/swagger/apps/nms/
>>> My Apps & Token / System Apps & Tokens: here you can create tokens to access the api
A token looks like:
Name: token-2024-01-26
Client ID: 5ojXi9VA2M....
Client Secret: weADaFKs....
Redirect URI: https://arubanetworks.com
{"access_token":"naMvrERSNB....",
"appname":"nms",
"authenticated_userid":"...."
,"created_at":1706258335937,
"credential_id":"afb0cc34-ceef-....",
"expires_in":7200,
"id":"164017b7-04dc-49a5-.....3",
"refresh_token":"mPYTOxctckc2J.......TihBVIeKiv",
"scope":"all",
"token_type":"bearer"}
After you have created a token, go to the API page:
https://apigw-eucentral3.central.arubanetworks.com/swagger/apps/nms/
example 1: get list of all access points
Request URL:
https://apigw-eucentral3.central.arubanetworks.com/monitoring/v2/aps
#########################################################
python mini script sample
#########################################################
#!/usr/bin/python3
import requests
# Aruba Central API details
# access_token: don't use the token id with dashes like "02828cde-2f1f-.....",
# use the access_token (click on download on the webpage!)
access_token = "EHhi6Y18W....."
api_endpoint = "https://apigw-eucentral3.central.arubanetworks.com/monitoring/v2/aps"
# Make request to Aruba Central API for access points (bearer token in the Authorization header)
headers = {"Authorization": f"Bearer {access_token}"}
api_response = requests.get(api_endpoint, headers=headers, timeout=30)
# Raise an exception for HTTP errors (e.g. 401 once the token has expired after expires_in seconds)
api_response.raise_for_status()
# Parse and print the response
access_points_data = api_response.json()
print("Aruba Central Access Points Information:")
print(access_points_data)
############################################################
use command:
checkpoint auto 3
before the interval ends, the following message appears:
WARNING Please "checkpoint auto confirm" within 2 minutes
info from HPE page (see link below):
------------------------------------------------------
Usage
To save the runtime checkpoint permanently, run the checkpoint auto confirm command during the time lapse value set by the checkpoint auto <TIME-LAPSE-INTERVAL> command. The generated checkpoint name will be in the format AUTO<YYYYMMDDHHMMSS>. If the checkpoint auto confirm command is not entered during the specified time lapse interval, the previous runtime configuration is restored.
----
see also:
https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-7851/Content/Chp_Cfg_FW_mgt/Chk_cmds/che-aut-con.htm
Siemens Scalance S615
- default IP: 192.168.1.1
- default user: admin/admin
- cli
>> show ip arp
>> documentation: Industrial Ethernet Security SCALANCE S615 Command Line Interface
>> show firewallnat masquerading
>> show mac-address-table
always use the order:
- first update PSM (virtual machine)
- then update the CX Operating system
The jobs created with mk-job are stored not in the site but in the agent of the host.
How to find the right directory:
> dpkg -l | grep check
> dpkg -L check-mk-agent
> cd /var/lib/check_mk_agent/job << that's the directory
> rm <job_name>
Always exercise caution when performing such actions and make sure to have backups in place before making changes to your system.
Tested with:
1) Connect Console Cable (ENET 0) / watch the output using Tera Term or another serial console tool
wait for:
Hit <Enter> to stop autoboot:
to enter apboot area!
apboot> factory_reset
apboot> boot
apboot> osinfo
apboot> setenv ipaddr 172.23.99.80
apboot> setenv netmask 255.255.255.0
apboot> setenv gatewayip 172.23.99.1
apboot> setenv serverip 172.23.99.99
apboot> upgrade os ArubaInstant_Centaurus_6.5.4.27_88283
or
apboot> upgrade os ArubaInstant_Centaurus_8.6.0.23_88342
if you want to upgrade partition 1 (default is partition 0), use this command, for example:
apboot> upgrade os 1 ArubaInstant_Centaurus_6.5.4.27_88283
apboot> save
apboot> boot
- https://acmxguy.wordpress.com/2020/05/06/aruba-iap-ap-boot-image-upgrade/
- list ruleset:
> esxcli network firewall ruleset list
- enable ruleset (ex. sshClient):
> esxcli network firewall ruleset set --enabled=true --ruleset-id=sshClient
- disable ruleset (ex. sshClient):
> esxcli network firewall ruleset set --enabled=false --ruleset-id=sshClient
via the cli, issue the following command:
>> esxcli network nic stats get -n <vmnic>
By default diffie-hellman-group14-sha1 is disabled in Red Hat 9 or Rocky Linux.
> ssh 10.0.0.1
> Unable to negotiate with 10.0.0.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1
You can enable the support for the key exchange method:
> update-crypto-policies --set DEFAULT:SHA1
> reboot the server
! you should consider updating the remote side though !
it is possible to run v2 modules, but it depends on your configuration!
check v3-specific settings:
# show running-config v3-specific
No V3-specific settings are configured.
run command "allow-v2-modules" to enable support mode ...
>> the switch needs a reboot
see also from documentation:
- https://www.arubanetworks.com/techdocs/AOS-S/16.11/MCG/KB/content/kb/all-v2-mod.htm
Unconfigure all v3-only features before moving to compatibility mode.
If the v3-native configuration is not present, the device reboots with the non-v3 configuration and issues the following message:
This command will save the running configuration and reboot the system with all V3 modules operating in v2-compatibility mode. Continue (y/n)?
If you use syslog-like logging (event console), checkmk writes one log file per day for events such as syslog messages or SNMP traps. These log files are never deleted or compressed automatically.
I like to use this approach via cron > compress the files older than 30 days and delete the compressed files after 1000 days:
-------------------------------------------------
55 23 * * * find /omd/sites/mysite/var/mkeventd/messages/ -mtime +30 |grep log$ |xargs -n 1 gzip -f >/dev/null 2>/dev/null
55 23 * * * find /omd/sites/mysite/var/mkeventd/messages/ -mtime +1000 |grep gz$ |xargs -n 1 rm >/dev/null 2>/dev/null
- network scanning
- building a network map / topology?
>> good old tool called netdisco:
https://netdisco.org/
If your checkmk site backups are running at the wrong time and you already set the global timezone this may help you:
> go into the site
> vim etc/environment
> add the following line:
TZ=Europe/Berlin (or your preferred timezone)
error message in file: /omd/sites/yoursite/var/log/mkeventd.log: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xc4 in position 104: invalid continuation byte
>> no explanation found so far .. restarting the mkevent daemons helps
omd restart <sitename> mknotifyd
check network sockets
- use tool ss
>> ss - another utility to investigate sockets
- summary: ss -s
- all sockets: ss -a
- all udp sockets: ss -u -a
- all tcp sockets: ss -t -a
similar case: https://forum.checkmk.com/t/backup-successful-critical-alert-similar-to-two-other-cases/30279
If you encounter the following problem, where the site backups in checkmk are executed but at the wrong time, this might help:
> even though the timezone on the OS is configured correctly, it may happen that checkmk uses a wrong timezone
> to specify the timezone inside the checkmk site edit the following file:
> go into the site
> vim etc/environment
> add the following line and adjust for your timezone:
TZ=Europe/Berlin
Problem: Aruba Access Point 225 doesn't want to run in IAP mode .. two access points always come up as standalone "master" access points
here is a solution that worked for me to pair both APs and build an IAP cluster!
>> in boot mode use "proginv system ccode CCODE-RW-<sha1 hash of your serial>" command!
EXAMPLE:
##Access Point 1
- serial number is for example: abc111111
- get sha1 hash for serial abc111111: 453070444dc8fe85b75c8ce68e78f6aacf4753f6
- boot your access point using a console cable to access boot menu
- make sure that you have instant ap firmware installed
- now run the following commands (with the right sha1 hash of course, this is just an example)
proginv system ccode CCODE-RW-453070444dc8fe85b75c8ce68e78f6aacf4753f6
invent -w (unlocks flash)
saveenv
check the result using command mfginfo .. you should see the Country line now:
##Access Point 2
- serial number is for example: abc22222
- get sha1 hash for serial abc22222: 44cff178ce69c297ce5be839cfd5067ce36bfb0d
- boot your access point using a console cable to access boot menu
- make sure that you have instant ap firmware installed
- now run the following commands (with the right sha1 hash of course, this is just an example)
proginv system ccode CCODE-RW-44cff178ce69c297ce5be839cfd5067ce36bfb0d
invent -w (unlocks flash)
saveenv
check the result using command mfginfo .. you should see the Country line now:
>>> after both access points had been prepared in that way, the IAP cluster was built as it should be, both
access points joined the same cluster!!
------
useful links:
- http://www.sha1-online.com/
- https://forums.serverbuilds.net/t/aruba-ap-to-iap-conversion/8888/11
- https://computer2know.de/aruba-instant-ap-does-not-boot-anymore-how-to-fix-the-problem-:::980.html
default user virtual machine:
Login to the PSM as user root, with the password specified in the OVA properties
above (if one was not defined in the OVA properties, the default password is centos).
--------------------------------------------------
default user for webfrontend PSM
admin / Pensando0$
conf t
mirror session 1
source interface 1/1/2 both
destination cpu
enable
##############################################
diag
diag utilities tcpdump command -nt -v -w dumpfile01.pcap
##############################################
start-shell
cd /tmp
sftp sftp@server-ip
put dumpfile01.pcap
If it doesn't turn on without the battery in the charging dock, even when pressing and holding button 4 and the place button (red button), either the C5 Fritz!Phone is screwed or the charging dock's power adapter is.
how to do that?
start cmd with administrator rights, then enter:
devmgmt.msc
checkmk linux agent >= 2.2 - how to allow only specific ip address to query the agent on port 6556?
tested with agent version 2.2:
check IP allowlist
cmk-agent-ctl status
Version: 2.2.0p22
Agent socket: operational
IP allowlist: any
Legacy mode: enabled
No connections
current solution: use agent bakery to restrict the access to specific ip address, not yet tested how to configure it manually - in the past / with older
clients it was very easy (xinetd settings etc.)
------------
see also:
- https://docs.checkmk.com/latest/en/agent_linux.html
> vim /etc/vimrc or vim /etc/vim/vimrc (create if not there)
> add the commands you want to set globally at the end of the file:
>> set number
>> set background=dark
to install the mysql connector for python via a binary distribution you need to add the mysql yum repository:
>> https://dev.mysql.com/doc/refman/8.0/en/linux-installation-yum-repo.html#yum-repo-setup
after that you can issue the following command to see the available packages:
>> sudo yum --disablerepo=\* --enablerepo='mysql*-community*' list available
to install the mysql connector for python issue the following command:
>> sudo dnf install mysql-connector-python3.x86_64
HPE Aruba-CX - How to create a local user to use as backup user
1) create a new role
6100(config)# user-group backupgroup
6100(config-usr-grp-backupgroup)# 10 permit cli command "show running*"
6100(config-usr-grp-backupgroup)# exit
6100(config)#
2)
6100(config)# user backupuser group backupgroup password plaintext backup1
3)
6100(config)# show user-list
USER GROUP
---------------------------------------
admin administrators
backupuser backupgroup
4) login using ssh and test
6100# configure
Cannot execute command. Command not allowed.
5) show running
!
user-group backupgroup
10 permit cli command "show running*"
!
user backupuser group backupgroup password ciphertext AQBapa8zrDZ/xycnlTHJ0HgeXwqeSLw0V8ubGe4EfwaaMy1eYgAAAFnN9embEbJuKGYMg/RPcZjO+Xwqmnvv+qF1OImig1/nWR6jiVfXGhFKfp2LBxS8JDhFgHrAOclF3Efva4o2KiptOBdDH5r6Kgx0mzIR95lCqSDwLiZk+fAWnQnggb9XbK8Z
hints:
----------------------------
- you cannot use "backup" as a username! if you try to create such a user, you will get this:
6100(config)# user backup group operators
Invalid username backup
How to monitor an IBM FlashSystem 5000 via checkmk?
1) on checkmk site console level > create a ssh private and public key
1.1: OMD[sitename]:~$ ssh-keygen
1.2: copy public file to your computer: .ssh/id_rsa.pub
2) connect to IBM FlashSystem 5000 Webfrontend
2.1: Go to Access > Monitor
2.2: create a user: cmkmonitor and upload the id_rsa.pub (don't use the password)
3) test access from checkmk site "sitename"
OMD[sitename]:~/.ssh$ ssh cmkmonitor@your-ip
> after you accept the ssh public key, you should be on the IBM system itself, run a help command there:
IBM_FlashSystem:SAN01:cmkmonitor>help
activatefeature - Activates a function using a trial period or license key.
addcontrolenclosure - Adds control enclosures to the system.
... many many options more
4) now let's have a look at the checkmk special agent for this system
4.1: create a host object, let's say "storage-ibm01"
4.2: create a service rule
-setup: search for IBM svc > you should find the following:
>> Setup > Agents > Other integrations > IBM SVC / V7000 storage systems
>> create a new rule; in the field "IBM SVC / V7000 user name", enter the name you created on the IBM system, in our sample cmkmonitor
>> under Explicit hosts, select the created checkmk object, in the sample "storage-ibm01"
4.3: go to the host object "storage-ibm01" and run a discovery
>> that's it . you should see a lot of services
Cloud provider mail - security audit -> issues: Portmapper service is running > how to protect port 111 udp / tcp on a linux system?
>> Portmapper servers
Portmapper is a service usually used with NFS. When this is not properly firewalled, it can be abused to conduct DDOS attacks. We recommend that all portmapper services be behind a firewall, and restricted to only IPs that need to contact them.
For Linux machines, please add firewall rules to block port 111 on both UDP and TCP:
iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP
-------------------------------------------------------------------
How to enable persistent blocking on Debian 10?
=====================================
To add a firewall rule in Debian 10 that persists after a system reboot, you can use the iptables-persistent package. Here's how to do it:
First, make sure you have the iptables-persistent package installed. If not, you can install it using the following command:
sudo apt-get update
sudo apt-get install iptables-persistent
After installation, you can add your firewall rules using the iptables command as you did in your example:
sudo iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
sudo iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP
Once you've added your rules and tested them to make sure they're working as expected, you can save them to be persistent across reboots using the iptables-save command:
sudo iptables-save > /etc/iptables/rules.v4
This command saves the current iptables rules to the specified file (/etc/iptables/rules.v4 in this case).
>> you can check the saved file, if there are the rules that you expected, my files look like:
rules.v4:
-----------
cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Mon Mar 4 11:41:03 2024
*filter
:INPUT ACCEPT [423811499:394356840419]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [465873471:475296529519]
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
COMMIT
# Completed on Mon Mar 4 11:41:03 2024
After saving the rules, you can ensure that they are loaded at boot time by enabling the netfilter-persistent service:
sudo systemctl enable netfilter-persistent
>>> now you can reboot your server and the rules from rules.v4 file should be loaded
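The notes insert the DROP rules at position 1 (-I INPUT 1) rather than appending them, and rule order is exactly what decides whether the block is effective. As an added Python example (not part of the original notes and not a real iptables implementation), the following parses an iptables-save dump, walks the INPUT chain in order the way netfilter does and reports the verdict for port 111. It is fed the rules.v4 shown above plus a constructed counter-example in which the DROP rules were appended behind an existing ACCEPT for low ports. The model only understands -p, --dport and -j; other matches (-s, -i, state modules) are skipped, so on a live system confirm with iptables -L INPUT -n --line-numbers.

```python
import shlex

# rules.v4 as shown above (the filter table of an iptables-save dump)
RULES_V4 = """\
# Generated by xtables-save v1.8.2 on Mon Mar 4 11:41:03 2024
*filter
:INPUT ACCEPT [423811499:394356840419]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [465873471:475296529519]
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
COMMIT
# Completed on Mon Mar 4 11:41:03 2024
"""

# Constructed counter-example: the DROP rules were appended (-A) behind an
# existing ACCEPT for low ports instead of being inserted at position 1.
RULES_V4_WRONG_ORDER = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 1:1024 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
COMMIT
"""


def _rule_from_args(args):
    """Keep only the parts of a rule this model understands: protocol, dport, target."""
    rule = {"proto": None, "dport": None, "target": None}
    it = iter(args)
    for tok in it:
        if tok in ("-p", "--protocol"):
            rule["proto"] = next(it)
        elif tok in ("--dport", "--destination-port"):
            rule["dport"] = next(it)
        elif tok in ("-j", "--jump"):
            rule["target"] = next(it)
        elif tok in ("-m", "--match", "-s", "--source", "-d", "--destination", "-i", "-o"):
            next(it)   # option argument, not modelled here
    return rule


def parse_iptables_save(text):
    """Return (chain policies, ordered rules per chain) for the filter table."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]      # ":INPUT ACCEPT [pkts:bytes]"
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif table == "filter" and line.startswith("-A "):
            args = shlex.split(line)[1:]
            rules.setdefault(args[0], []).append(_rule_from_args(args[1:]))
    return policies, rules


def _dport_matches(spec, port):
    if spec is None:
        return True
    if ":" in spec:                                   # port range "lo:hi"
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def verdict(text, proto, port, chain="INPUT"):
    """Walk the chain top to bottom and return the first terminating target
    that matches, falling back to the chain policy."""
    policies, rules = parse_iptables_save(text)
    for rule in rules.get(chain, []):
        if rule["proto"] not in (None, proto):
            continue
        if not _dport_matches(rule["dport"], port):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
    return policies.get(chain, "ACCEPT")


def portmapper_blocked(text):
    """True only if port 111 is dropped for both TCP and UDP."""
    return all(verdict(text, proto, 111) == "DROP" for proto in ("tcp", "udp"))


if __name__ == "__main__":
    print("rules.v4 blocks portmapper:", portmapper_blocked(RULES_V4))
    print("wrong order blocks portmapper:", portmapper_blocked(RULES_V4_WRONG_ORDER))
```

The counter-example is the case the audit mail warns about: the rules are present in the file, yet TCP 111 is still reachable because an earlier ACCEPT wins.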
- os: rocky linux 9 / like red hat linux 9
- mysql client in use: package: mysql
- database is running in a docker container .. on local tcp port 3307
- when trying to connect to the local 3307 port - the command line says:
mysql -u root -p -h 127.0.0.1 -P 3307
Enter password:
ERROR 1043 (08S01): Bad handshake
found solution:
-----------------------
1) remove mysql client: yum remove mysql
1.1) install mariadb client: yum install mariadb
1.2) try again >> works
[root@my-system]# mysql -u root -p -h 127.0.0.1 -P 3307
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.1.73 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
------------------------------
hints
------------------------------
it does not work if I try to use localhost instead of 127.0.0.1 > because the local socket is being used:
[root@my-system]# mysql -u root -p -h localhost -P 3307
Enter password:
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
>> therefore use: 127.0.0.1 as host, if you want to use tcp socket!
ArubaCx - how to improve arp security by using arp inspection?
###################################
How to enable security / arp inspection on vlan 1 ?
- Turn on dhcpv4-snooping
- Turn on arp inspection
###################################
6100(config)# dhcpv4-snooping
6100(config)# vlan 1
6100(config-vlan-1)# dhcpv4-snooping
6100(config-vlan-1)# arp inspection
6100(config-vlan-1)# exit
6100(config)# interface 1/1/12
6100(config-if)# description uplink
6100(config-if)# arp inspection trust
6100(config-if)# exit
###################################
##monitor commands
###################################
6100# show arp summary
ARP Entry's State IPv4
----------------------------------------
Number of Reachable ARP entries 2
Number of Stale ARP entries 0
Number of Failed ARP entries 0
Number of Incomplete ARP entries 0
Number of Permanent ARP entries 0
----------------------------------------
Total ARP Entries 2
----------------------------------------
6100# show arp inspection statistics vlan 1
-----------------------------------------------------------------
VLAN Name Forwarded Dropped
-----------------------------------------------------------------
1 DEFAULT_VLAN_1 1238 3742
6100# show arp inspection interface
-----------------------------------------------------------------
Interface Trust-State
-----------------------------------------------------------------
1/1/1 Untrusted
1/1/2 Untrusted
1/1/3 Untrusted
1/1/4 Untrusted
1/1/5 Untrusted
1/1/6 Untrusted
1/1/7 Untrusted
1/1/8 Untrusted
1/1/9 Untrusted
1/1/10 Untrusted
1/1/11 Untrusted
1/1/12 Trusted
1/1/13 Untrusted
1/1/14 Untrusted
1/1/15 Untrusted
1/1/16 Untrusted
-----------------------------------------------------------------
6100# show dhcpv4-snooping
6100# show dhcpv4-snooping binding
###################################
##debug
###################################
6100(config)# debug destination console
6100(config)# debug arp inspection
6100(config)# no debug all
##read more:
https://kb.netgear.com/de/21808/Was-ist-dynamische-ARP-Inspektion-DAI-und-wie-funktioniert-es-mit-meinem-Managed-Switch?language=de
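To show what the Forwarded/Dropped counters above actually count, here is an added Python model of dynamic ARP inspection (an illustration written for these notes, not AOS-CX code): frames from the trusted uplink pass unchecked, and on untrusted ports the sender MAC/IP pair must match a DHCP snooping binding for that VLAN. The binding table, port names and packets are constructed sample data mirroring the configuration above (uplink 1/1/12 trusted). The third packet shows the usual operational surprise: a host with a static address has no lease and is dropped too, so such hosts need to be dealt with before DAI goes live.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    ingress_port: str
    sender_mac: str
    sender_ip: str


def build_bindings(entries):
    """DHCP snooping binding table keyed by (vlan, mac) -> leased IP.
    'entries' mirrors what 'show dhcpv4-snooping binding' lists (constructed here)."""
    return {(vlan, mac.lower()): ip for vlan, mac, ip in entries}


def inspect_arp(pkt, bindings, trusted_ports):
    """Model of dynamic ARP inspection:
    - frames arriving on a trusted port ('arp inspection trust', the uplink)
      are forwarded without checks;
    - on untrusted ports the sender MAC/IP pair must match a snooping binding
      for that VLAN, otherwise the frame is dropped. A reply claiming an address
      the sender never leased (e.g. the gateway's) fails this test."""
    if pkt.ingress_port in trusted_ports:
        return "forwarded"
    if bindings.get((pkt.vlan, pkt.sender_mac.lower())) == pkt.sender_ip:
        return "forwarded"
    return "dropped"


def inspection_statistics(packets, bindings, trusted_ports):
    """Per-VLAN Forwarded/Dropped counters like 'show arp inspection statistics vlan 1'."""
    stats = {}
    for pkt in packets:
        counters = stats.setdefault(pkt.vlan, {"forwarded": 0, "dropped": 0})
        counters[inspect_arp(pkt, bindings, trusted_ports)] += 1
    return stats


# Constructed sample data: two DHCP clients on VLAN 1, uplink on 1/1/12 (as above)
BINDINGS = build_bindings([
    (1, "00:11:22:33:44:01", "192.168.1.101"),
    (1, "00:11:22:33:44:02", "192.168.1.102"),
])
TRUSTED_PORTS = {"1/1/12"}

SAMPLE_PACKETS = [
    # client 1 announces its own leased address: valid
    ArpPacket(1, "1/1/3", "00:11:22:33:44:01", "192.168.1.101"),
    # client 2 claims the gateway's address: MAC/IP pair not in the bindings
    ArpPacket(1, "1/1/5", "00:11:22:33:44:02", "192.168.1.1"),
    # statically addressed host that never went through DHCP: dropped as well,
    # a common source of unexpected 'Dropped' counters after enabling DAI
    ArpPacket(1, "1/1/7", "00:11:22:33:44:99", "192.168.1.50"),
    # reply from the router arriving via the trusted uplink: not inspected
    ArpPacket(1, "1/1/12", "aa:bb:cc:dd:ee:ff", "192.168.1.1"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.ingress_port, pkt.sender_mac, pkt.sender_ip, "->",
              inspect_arp(pkt, BINDINGS, TRUSTED_PORTS))
    print(inspection_statistics(SAMPLE_PACKETS, BINDINGS, TRUSTED_PORTS))
```

When the Dropped counter climbs on a port that should be clean, 'debug arp inspection' as listed above tells you which MAC/IP pair failed; compare it with 'show dhcpv4-snooping binding' to see whether a lease is simply missing.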
error message:
------------------
TYPO3 Fatal Error: Error: This host address ("127.0.0.1") and the referer host ("10.99.99.2") mismatches!<br /> It's possible that the environment variable HTTP_REFERER is not passed to the script because of a proxy.<br /> The site administrator can disable this check in the "All Configuration" section of the Install Tool (flag: TYPO3_CONF_VARS[SYS][doNotCheckReferer]).
solution:
------------------
add line to file: typo3conf/localconf.php
$TYPO3_CONF_VARS['SYS']['doNotCheckReferer'] = '1';
yum install httpd-tools
#install
sudo dnf install epel-release -y
sudo dnf install fail2ban -y
systemctl status fail2ban.service
#configuration
/etc/fail2ban
cp jail.conf jail.local
in nginx section enable: enabled = true
#system restart
sudo systemctl enable fail2ban
activating fail2ban: sudo systemctl enable fail2ban
#start
start: systemctl start fail2ban
#checking status
check client status: fail2ban-client status
detail status: fail2ban-client status nginx-http-auth
#how to unban an ip address?
fail2ban-client set nginx-http-auth unbanip 188.22.34.13
#want more log files?
fail2ban log file: /var/log/fail2ban.log
--------
see also
- https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-rocky-linux-9
we talk about Menekes 720580 nri06 Wallboxes
>> things we found out:
#Wifi
- each wallbox has a 2.4 GHz wifi access point
- if you connect to the wifi you get an IP address in the range 172.31.0.*
- you can access a webfrontend using http://172.31.0.1
- on the webfrontend you can connect the device to an existing 2.4 GHz wifi
#LAN on Mennekes HCC3 controller
- if you connect via LAN you need to give your device a static IP in the range 192.168.0.*/24, but not 192.168.0.100
- you can ping 192.168.0.100
- you can access a webfrontend on http://192.168.0.100:25000/, to change settings you need a ping
- you can change the lan ip address here
#software updates and more
- https://www.mennekes.de/emobility/services/software-updates/ >> Amtron professional
- Software Update 1.13 für AMTRON® Xtra (E/R) und AMTRON® Premium (E/R/W) can be uploaded via http://..:25000/ port tcp 25000
error message seen in typo3 backend, when something is selected on page tree:
Connection Problem
Sorry, but an error occurred while connecting to the server. Please check your network connection.
>> see solutions here .. it seems to be a reverse proxy issue:
https://forge.typo3.org/issues/26088
use this plugin: OMGF
Download OMGF | Optimize My Google Fonts from the WordPress repository like you would any other plugin. Activate and go to Settings > Optimize Google Fonts.
problem: you want to connect to a legacy / old client, something like an old switch, but you get the message: Bad server host key: Invalid key length
>> you probably need to allow a key length of 1024, the default is >= 2024
things you can do:
- update-crypto-policies --set DEFAULT:SHA1
create a file: /etc/ssh/ssh_config.d/my.conf
Ciphers=+3des-cbc
RSAMinSize=1024
default setting is to have chrony installed
you can check with: rpm -qa |grep chrony
check file /etc/chrony.conf
in my case this was the ntp setting:
pool 2.rocky.pool.ntp.org iburst
comment out this line and change to your preferred ntp server
>> replace pool line with your ntp server
-------------------------------------------------------------
show update interval and other ntp status:
chronyc tracking
--------------------------------------------------------------
configure shorter update interval (default is 1024 seconds):
server ptbtime1.ptb.de iburst minpoll 4 maxpoll 6
server ptbtime2.ptb.de iburst minpoll 4 maxpoll 6
server ptbtime3.ptb.de iburst minpoll 4 maxpoll 6
poll explanation:
minpoll poll
This option specifies the minimum interval between requests sent to the server as a power of 2 in seconds. For example, minpoll 5 would mean that the polling interval should not drop below 32 seconds. The default is 6 (64 seconds), the minimum is -6 (1/64th of a second), and the maximum is 24 (6 months). Note that intervals shorter than 6 (64 seconds) should generally not be used with public servers on the Internet, because it might be considered abuse. A sub-second interval will be enabled only when the server is reachable and the round-trip delay is shorter than 10 milliseconds, i.e. the server should be in a local network.
maxpoll poll
This option specifies the maximum interval between requests sent to the server as a power of 2 in seconds. For example, maxpoll 9 indicates that the polling interval should stay at or below 9 (512 seconds). The default is 10 (1024 seconds), the minimum is -6 (1/64th of a second), and the maximum is 24 (6 months).
----------------------------------------------------------------
show sources:
chronyc sources -v
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current best, '+' = combined, '-' = not combined,
| / 'x' = may be in error, '~' = too variable, '?' = unusable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* ptbtime1.ptb.de 1 6 17 23 +179us[+1141us] +/- 6840us
^- ptbtime2.ptb.de 1 6 17 23 +1743us[+1743us] +/- 5624us
^- ptbtime3.ptb.de 1 6 17 22 +950us[ +950us] +/- 6064us
#!/bin/bash
# mariadb_monitor.sh - restart MariaDB when its status check fails and send a mail
# Run the MariaDB status command; a non-zero exit code means the service is not healthy
if ! /etc/init.d/mariadb status >/dev/null 2>&1; then
    # Restart MariaDB server
    /etc/init.d/mariadb restart
    # Send an email notification
    echo "MariaDB server restarted due to an issue. Please check." | mail -s "MariaDB Server Restarted" your_email@example.com
fi
######
# crontab
#####
0 * * * * /path/to/mariadb_monitor.sh >/dev/null 2>&1
normal vswitch:
--------------------------------
- properties of your vswitch .. for example vSwitch0
>> enable CDP
- on cli:
show status:
>> [root@server root]# esxcfg-vswitch -b vSwitch1
enable:
>> [root@server root]# esxcfg-vswitch -B both vSwitch1
see also:
https://docs.vmware.com/en/VMware-Smart-Assurance/10.1.12/esm-user-configuration-guide-10112/GUID-338EBA5A-36C1-4A51-AD55-31524524AA52.html
distributed vswitch:
--------------------------------
https://docs.vmware.com/de/VMware-vSphere/7.0/com.vmware.vsphere.networking.doc/GUID-0A6E5650-D05B-41FA-9A4B-E2354DAB64F7.html
- use google take out to export the google pictures
- if the export contains json files, you need to merge the properties data to the pictures - use the GooglePhotosTakeoutHelper tool for that!
-- see also ---:
-- https://kb.synology.com/de-de/DSM/tutorial/How_do_I_migrate_photos_from_Google_Photos
-- https://github.com/TheLastGimbus/GooglePhotosTakeoutHelper/releases
2024-03:
------------
https://www.arubanetworks.com/techdocs/central/2.5.8/content/whats_new/central258.htm
HTTPS Service
- use a public certificate for https (guest + captive portal)
- wildcard or multi-san recommended
- decide to use ECC or not! disable on all subscribers
- subject should be: cn=*.your-org.com
>> solution is "disable the ECC https certificate"
<strg> + <alt> + <q>
(1) Aruba Central: Global > Organization > Platform Integration > Webhook
(2)https://webhook.site >> WebHook.site allows you to easily test webhooks and monitor the outputs.
>> here you can copy the unique url and add it to (1) for some testing
(3) Aruba Central: Global > Alerts & Events > Config > AP Disconnect > choose created webhook name
(4) now go to your webhook test site and watch the events coming in
- logon to the switch
- in the menu dialog select "Run Setup"
- use the keys to go to position:Logon Default:Menu
- press space bar to change this value to CLI
- hit enter key to go back to the action menu
- select save and press again enter
- if you logon to the switch again via ssh or telnet you should directly see the cli
*cli = command line interface
The livelogsyslog script is a utility designed for real-time monitoring of the most recent Syslog messages. It dynamically identifies and tails the latest Syslog file, providing administrators and users with immediate, live access to new log entries as they are recorded. This is particularly useful for troubleshooting, monitoring system activities, or auditing in environments where Syslog is used for logging system and application messages.
#!/bin/bash
###########################################################################
#
# syslogLivelog.sh
#
# you can add an alias command for that script:
# add to file /etc/bashrc
# alias syslogLivelog='/opt/myprog/bin/syslogLivelog.sh'
#
###########################################################################
# checkmk site name to check syslog files
SITE="your-site"
# Directory to monitor
DIRECTORY="/omd/sites/$SITE/var/mkeventd/messages"
# Find the most recent file in the specified directory
LATEST_FILE=$(find "$DIRECTORY" -type f -printf "%T@ %p\n" | sort -n | tail -1 | cut -d' ' -f2-)
if [ -z "$LATEST_FILE" ]; then
echo "No files found in the directory."
else
echo "Tailing the latest file: $LATEST_FILE"
tail -f "$LATEST_FILE"
fi
press:
<Ctrl> + <Alt> + <Shift> + <F>
solution in firefox:
about:config
> change setting:
security.tls.version.enable-deprecated to true
download them from HPE if you have a support contract
or have a look here:
- https://www.brainattic.org/static/hpe-spp/
good documentation is here: https://docs.checkmk.com/latest/en/omd_basics.html#omd_backup_restore
- you don't have to stop the site to backup, the rrd data will be cached
- just use command: "omd backup <sitename> your-backupfile.tar.gz"
- you can backup directly over network to the new system:
.. omd backup <sitename> - | ssh username@new-system "cat >/tmp/sitename-backup.tar.gz"
.. once the backup is finished use "omd restore /tmp/sitename-backup.tar.gz" on the new system
use s-nail instead!!
- dnf install s-nail
- echo "testmail" | s-nail -s test mymail@mailer.org
---
see also:
https://www.claudiokuenzler.com/blog/1360/where-is-mailx-command-rocky-linux-el-9-s-nail-package
<strg> <r> ... start command line with Administrator rights
use the following command to see the windows 10 license code:
wmic path softwarelicensingservice get OA3xOriginalProductKey
systemctl status systemd-timesyncd.service
#add ntp server, comment out line #NTP and specify your ntp server
vi /etc/systemd/timesyncd.conf
[Time]
NTP=your-ntp-name or ip
#FallbackNTP=ntp.ubuntu.com
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048
systemctl restart systemd-timesyncd
systemctl status systemd-timesyncd.service
---
see also:
https://www.server-world.info/en/note?os=Ubuntu_22.04&p=ntp&f=3
installation via docker ...
-------------------------------------------------------
cd /opt/
mkdir netdisco
mkdir netdisco/logs
mkdir netdisco/config
mkdir netdisco/nd-site-local
chown -R 901:901 netdisco/
#the cursor is still in /opt directory
curl -Ls -o docker-compose.yml https://tinyurl.com/nd2-dockercompose
vi docker-compose.yml (just check the file)
netstat -nat (check if tcp 5000 Listening port is free)
apt-get install docker.io (ubuntu 20)
apt-get install docker-compose
apt-get install docker-compose-v2
#build the docker:
root@linux:/opt/netdisco# docker-compose up
ERROR: The Compose file './docker-compose.yml' is invalid because:
Unsupported config option for services.netdisco-do: 'profiles'
>> comment out line with profiles! after that try again!
#build the docker > when error message "no configuration file provided: not found" appears:
root@linux: /usr/libexec/docker/cli-plugins/docker-compose up
#check docker
docker ps
#check if port 5000 comes up!
http://server-name:5000/
#on webfrontend enter a subnet to discover like
#192.168.2.0/24
#under Admin > Discover All you see the status of the discovery
#under Admin > User Management
>> add an admin user + password and remove the guest account
#disable anonymous logon:
./netdisco/config/deployment.yml
#see also:
- https://hub.docker.com/r/netdisco/netdisco
- https://stackoverflow.com/questions/45764477/docker-compose-error-while-creating-mount-source-path (when read-only filesystem error occurs)
>> dependencies:
dnf install jq
>> add the following lines to the bottom of /etc/profile:
# Function to fetch and display a random quote
# (runs on every interactive login, so the curl call gets a short timeout to not block logins when the network is down)
display_daily_quote() {
    quote=$(curl -s --max-time 5 "https://api.quotable.io/random" | jq -r '.content + " - " + .author')
    echo
    echo "Daily Quote:"
    echo "-------------"
    echo "$quote"
    echo
}
# Call the function to display the quote (a shell function is called without parentheses)
display_daily_quote
- download nicehash os image file, you get for example: nhos-2.0.0-beta-06.img.xz
- extract the file using 7zip software
- use a flash tool to write the file to a hdd or to a usb stick, like balenaEtcher
- edit the configuration file in json format on the created drive
mining_address: <enter here the address you get from your hivehash account>
worker_name: <your name> (optional file .. maximum 15 characters)
---
see also:
https://www.nicehash.com/guide/nicehash-os-user-guide
debug import:
- ssh login to sophos
- Advanced Shell
- tail -f /log/apiparser.log
--- see also:
https://it-tech.wiki/2023/06/11/sophos-firewall-m365-ausnahmen/
https://community.sophos.com/sophos-xg-firewall/f/discussions/122441/is-there-no-way-to-import-fqdn-s-or-ip-addresses-to-an-xg
Problem: a reminder (Mahnung) could not be issued for an invoice
Solution: SQL editor >
table mahnung: set MAHN_Status to O
Extras - Registry editor "Main" - "Report"
>> for example Mahnung > delete reports from the list
Upload example:
1Mbps = 128KB (1 * 1024 / 8 = 128)
10Mbps = 1280KB (10 * 1024 / 8 = 1280)
- https://www.youtube.com/watch?v=libVbzJwxhY
- https://docs.sophos.com/nsg/sophos-utm/utm/9.717/help/en-us/Content/utm/utmAdminGuide/howTos/RoutingQoSHowToUseQoS.htm
some HPE switches allow only 17W per port as a default value, you can increment that value:
HPE Aruba Switch sample:
interface 24
name "Mimosa-Radio-Link"
power-over-ethernet critical
poe-allocate-by value
poe-value 33
tagged vlan 99
untagged vlan 1
loop-protect
exit
----------------------------------
cx-switches
----------------------------------
spanning-tree mode mstp
loop-protect re-enable-timer 900
edge-ports (for example 1-24 / 1-48)
- spanning-tree bpdu-guard
- spanning-tree port-type admin-edge
- loop-protect
Uplink -> Core SW (SFP Ports)
- spanning-tree loop-guard
Uplink -> Edge SW (SFP Ports)
- spanning-tree root-guard
----------------------------------
procurve:
----------------------------------
edge-ports (for example 1-24 / 1-48)
- spanning-tree 1-24 bpdu-protection admin-edge-port
- loop-protect 1-24
- loop-protect disable-timer 900
Uplink -> Core SW (SFP Ports) (for example 27 is uplink to core)
- spanning-tree 27 loop-guard
Uplink -> Edge SW (SFP Ports) (for example 25,26,28 is uplink to other edge switches)
- spanning-tree 25,26,28 root-guard
How to pull logs from a HPE Aruba CX switch?
How to pull logs via Putty:
- Open a Putty window and select SESSION and LOGGING.
- Click the PRINTABLE OUTPUT radio button.
- The default file name will be putty.log. Browse for the location you want to place this file (Desktop is usually the easiest to find).
- Now use Putty to connect to the switch via telnet or SSH, and issue the no page command first and execute SHOW TECH command to collect logs.
- The switch will display the contents of the log file while it is also sending it to the file and location you selected.
How to pull logs via TFTP server:
- You can send the show tech file to a TFTP server by issuing the following command:
- Copy command-output 'show tech ' tftp <tftp ip address> <filename>
- The switch will take a moment to generate the show tech output, and then send it to the TFTP server as a file.
- Attach the file.
How to pull logs via HyperTerminal:
Double-click the HyperTerminal icon
- Enter a name for the connection - click OK
- Select TCP/IP (Winsock)
- Enter the IP Address of the switch and enter 23 for the port number - click OK
- Enter the password for the switch
- Select Transfer - Capture Text
- Click on Browse and select Desktop (or another location if you'd prefer)
- Enter a File name and Save as type: Text file (*.TXT) - click Save - click Start
- At the command prompt (#) enter - show tech
- Once the data stops scrolling, stop the capture (Transfer - Capture Text - Stop)
- Connect to the switch using HyperTerminal with the Capture File option enabled
- Attach the file.
How to pull logs from HPE ArubaOS switch?
How to pull logs via Putty:
- Open a Putty window and select SESSION and LOGGING.
- Click the PRINTABLE OUTPUT radio button.
- The default file name will be putty.log. Browse for the location you want to place this file (Desktop is usually the easiest to find).
- Now use Putty to connect to the switch via telnet or SSH, and issue the SHOW TECH ALL command.
- The switch will display the contents of the log file while it is also sending it to the file and location you selected.
How to pull logs via TFTP server:
- You can send the show tech file to a TFTP server by issuing the following command:
- Copy command-output 'show tech all' tftp <tftp ip address> <filename>
- The switch will take a moment to generate the show tech output, and then send it to the TFTP server as a file.
- Attach the file.
How to pull logs via HyperTerminal:
Double-click the HyperTerminal icon
- Enter a name for the connection - click OK
- Select TCP/IP (Winsock)
- Enter the IP Address of the switch and enter 23 for the port number - click OK
- Enter the password for the switch
- Select Transfer - Capture Text
- Click on Browse and select Desktop (or another location if you'd prefer)
- Enter a File name and Save as type: Text file (*.TXT) - click Save - click Start
- At the command prompt (#) enter - show tech all
- Once the data stops scrolling, stop the capture (Transfer - Capture Text - Stop)
- Connect to the switch using HyperTerminal with the Capture File option enabled
- Attach the file.
Problem:
------------------------------------
in HPE IMC it happens that you get temperature warning and critical alerts because the temperature is reported as 40000 Celsius, when the target device is a CX switch
Solution
------------------------------------
you need to make some special configurations! (see details in the document below):
For temperature monitoring, IMC reads a standard MIB object in the Entity table in Celsius. This MIB object is not supported by Aruba OS CX, so the following private MIB object is recommended instead. Therefore we need to remove the standard temperature monitor from CX devices and set up a special global index monitor on the arubaWiredTempSensorTemperature MIB object (it reports millidegrees, which is why the Celsius formula divides by 1000).
- cx temp sensor: OID 1.3.6.1.4.1.25506.4.1.2.2.0.8
Global index: Name: arubaWiredTempSensorTemperature Custom Measurement: MillidegreesCelsius
Type:
[index1[2]:arubaWiredTempSensorGroupIndex:1:0].[index2[2]: arubaWiredTempSensorSlotTypeIndex:1:0].[index3[2]:arubaWiredTempSensorSlotIndex:1:0].[ index4[2]:arubaWiredTempSensorIndex:1:0]]
Label: 1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1
Formula: 1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.7 OR, If it is required for the monitor to be displayed in Celsius use this:
Formula: 1.3.6.1.4.1.47196.4.1.1.3.11.3.1.1.7/1000
Documentation
------------------------------------
HPE_IMC7.3_ArubaOS-CX_Config_Guide_E0710.pdf
see actual kerberos tickets:
klist tickets
delete actual tickets from cache
klist purge
wireshark filter to use:
kerberos
HPE Aruba > port access > client inactivity timeout problem > for example a printer that sleeps
problem: a device that does not initiate any periodic network traffic (because it sleeps) will be forgotten by the switch, since the default inactivity timer is 5 minutes (300 seconds)
>> you can change this using a local role!
#create a new local role
cx-switch(config)# port-access role printer
cx-switch(config-pa-role)# client-inactivity timeout 4294967295
cx-switch(config-pa-role)# exit
#assign the role to an interface
cx-switch(config)# interface 1/1/16
cx-switch(config-if)# aaa authentication port-access auth-role printer
#sample of a whole interface config, with mac authentication
cx-switch# show running-config interface 1/1/16
interface 1/1/16
no shutdown
no routing
vlan access 14
aaa authentication port-access client-limit 2
aaa authentication port-access reject-role unknown
aaa authentication port-access auth-role printer
aaa authentication port-access mac-auth
cached-reauth
cached-reauth-period 86400
enable
dhcpv4-snooping trust
dhcpv6-snooping trust
loop-protect
exit
#how to mix the role parameters with radius parameters? >> use aaa authentication port-access radius-override
aaa authentication port-access radius-override enable
Description
Enables or disables radius-override support at the interface context. When radius-override support is enabled, a new RADIUS overridden role is created with a combination of LUR/DUR along with RADIUS attributes for the corresponding client-role attributes such as VLANs, captive portal URL, and downloadable gateway role. When the RADIUS override support is disabled, then only the user-roles get applied to the client.
-----------------------------------
documentation
- https://www.arubanetworks.com/techdocs/AOS-CX/10.11/HTML/security_6200-6300-6400/Content/Chp_Port_acc/Port_acc_gen_cmds/aaa-aut-por-acc-rad-ove.htm
Client-inactivity/idle timeout
-----------------------------------------------------
1: Local User Role
6300-VSF(config)# port-access role silent
6300-VSF(config-pa-role)# client-inactivity timeout
<300-4294967295> Set client inactivity timeout value in seconds.
none
2: Radius
Radius:IETF Idle-Timeout = 0
Allow-Flood-Traffic
---------------------------------
>> wol etc ...
6300-VSF(config)# interface 1/1/1
6300-VSF(config-if)# port-access allow-flood-traffic enable
6300-VSF(config-if)# exit
• Caveat
>> Custom Port vlan membership , as the admin must configure the right broadcast/wol server vlan in the silent end client connected ports even before
authentication.
6300-VSF(config)# interface 1/1/1
6300-VSF(config-if)# vlan access <>
6300-VSF(config-if)# exit
Client IP Tracker
----------------------------------
Recommended for Client Types – All client types
6300-VSF(config)# client track ip
6300-VSF(config)# client track ip all-vlans
Or
6300-VSF(config)# vlan 2
6300-VSF(config-vlan-2)# client track ip
6300-VSF(config-vlan-2)# exit
6300-VSF(config)# interface 1/1/1
6300-VSF(config-if)#client track ip update-interval <60-28000s>(Default: 1800)
6300-VSF(config-if)#exit
6300-VSF(config)# show client ip
how the switch tracks the ip?
>>
• After the configured update interval , switch will start sniffing for packets from the client mac-address for 15s.
• If there are no packets received after 15s, it will start the ARP probe – 3 times with each 3s delay
• Client will respond back to arp probe and it will not age out.
################################################################################################
see the original document on:
https://community.arubanetworks.com/discussion/hpe-anw-cx-switches-silent-client-support
document: Silent Client Support – AOS-CX.pdf
restart_check_mk.cmd
rem runs with agent version v2.2
net stop CheckmkService
net start CheckmkService
pause
exit
rem runs with agent <= v1.6
rem net stop Check_MK_Agent
rem net start Check_MK_Agent
rem pause
#see status of a user
net user /dom username
#lock the user
net user username /dom /active:no
#unlock user
net user username /dom /active:yes
>> apply change:
nmcli con down enp0s3 && nmcli con up enp0s3
>> check actual configuration
ip addr
error: dnf-makecache.service loaded failed failed dnf makecache
solution (if you don't need the automatic cache update service):
===============================================
systemctl --failed
systemctl disable dnf-makecache.service
systemctl disable dnf-makecache.timer
systemctl reset-failed
https://docs.checkmk.com/latest/en/agent_windows.html
https://docs.checkmk.com/latest/en/agent_deployment.html
Automatic agent updates
- Signature keys for signing agents
- Passphrase for signing key: xyz (don't forget to save this signing key!)
>> bake agent
>> install agent
>> register the agent from windows commandline
C:\Windows\system32> "C:\Program Files (x86)\checkmk\service\cmk-agent-ctl.exe" ^
register ^
--hostname mynewhost ^
--server cmkserver --site mysite ^
--user agent_registration --password "xyz..."
>> register for automatic update
"C:\Program Files (x86)\checkmk\service\check_mk_agent.exe" updater register
>> with automation user
solution:
RockyLinux9 / Redhat Linux9:
sudo dnf install net-snmp-utils
tested with a MikroTik | Cube 60Pro AC
RouterOS RB CubeG-5ac60ay
snmpwalk -v 2c -c public 192.168.88.2 .1.3.6.1.4.1.14988.1.1.1.2
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.1.120.154.24.192.44.11.2 = Hex-STRING: 78 9A 18 00 01 02
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.3.120.154.24.192.44.11.2 = INTEGER: -28
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.4.120.154.24.192.44.11.2 = Counter32: 98131
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.5.120.154.24.192.44.11.2 = Counter32: 40600
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.6.120.154.24.192.44.11.2 = Counter32: 5752
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.7.120.154.24.192.44.11.2 = Counter32: 2900
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.8.120.154.24.192.44.11.2 = Gauge32: 433300000
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.9.120.154.24.192.44.11.2 = Gauge32: 6000000
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.10.120.154.24.192.44.11.2 = STRING: "6.49.15"
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.11.120.154.24.192.44.11.2 = Timeticks: (8613500) 23:55:35.00
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.12.120.154.24.192.44.11.2 = INTEGER: 80
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.13.120.154.24.192.44.11.2 = INTEGER: -29
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.14.120.154.24.192.44.11.2 = INTEGER: -28
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.15.120.154.24.192.44.11.2 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.16.120.154.24.192.44.11.2 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.17.120.154.24.192.44.11.2 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.18.120.154.24.192.44.11.2 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.19.120.154.24.192.44.11.2 = INTEGER: -29
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.20.120.154.24.192.44.11.2 = STRING: "789A18000102"
#Tx Signal Strength in dBm seems to be:
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.13.120.154.24.192.44.11.2 = INTEGER: -29
#Rx Signal Strength in dBm seems to be:
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.14.120.154.24.192.44.11.2 = INTEGER: -28
#link uptime seems to be:
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.11.120.154.24.192.44.11.2 = Timeticks: (8613500) 23:55:35.00
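Added example (not the author's script and not MikroTik code): it parses the snmpwalk output shown above offline (the sample rows below are copied from that walk) and turns the Tx/Rx/uptime columns into a checkmk local check line, so the column mapping can be tested before pointing a monitoring script at the device. The dBm thresholds and the service name are assumptions.

```python
import re

# Column numbers in the MikroTik registration table (enterprises.14988.1.1.1.2.1)
# as identified from the walk output above.
TX_SIGNAL_COL = 13   # Tx signal strength, dBm
RX_SIGNAL_COL = 14   # Rx signal strength, dBm
UPTIME_COL = 11      # link uptime, Timeticks (hundredths of a second)

# Assumed thresholds in dBm (not from the page): at or below WARN -> 1, at or below CRIT -> 2
WARN_DBM = -60
CRIT_DBM = -70

# One row of the walk: ...14988.1.1.1.2.1.<column>.<index> = <TYPE>: <value>
LINE_RE = re.compile(
    r"^SNMPv2-SMI::enterprises\.14988\.1\.1\.1\.2\.1\.(?P<col>\d+)\.(?P<index>[\d.]+)"
    r" = (?P<type>[\w-]+): (?P<value>.*)$"
)

# Constructed sample: a subset of the walk lines shown above (same index and values),
# plus one unrelated line to show that foreign output is skipped.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.1.120.154.24.192.44.11.2 = Hex-STRING: 78 9A 18 00 01 02
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.10.120.154.24.192.44.11.2 = STRING: "6.49.15"
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.11.120.154.24.192.44.11.2 = Timeticks: (8613500) 23:55:35.00
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.13.120.154.24.192.44.11.2 = INTEGER: -29
SNMPv2-SMI::enterprises.14988.1.1.1.2.1.14.120.154.24.192.44.11.2 = INTEGER: -28
some unrelated line that must be ignored
"""


def parse_walk(text):
    """Group walk lines by registration index: {index: {column: (type, raw_value)}}."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a row of the registration table
        rows.setdefault(m.group("index"), {})[int(m.group("col"))] = (m.group("type"), m.group("value"))
    return rows


def timeticks_to_seconds(raw):
    """Convert a Timeticks value such as '(8613500) 23:55:35.00' to seconds (ticks are 1/100 s)."""
    m = re.match(r"\((\d+)\)", raw)
    if not m:
        raise ValueError("not a Timeticks value: %r" % raw)
    return int(m.group(1)) / 100.0


def signal_state(dbm):
    """Map a signal strength in dBm to a checkmk state (0 OK, 1 WARN, 2 CRIT)."""
    if dbm <= CRIT_DBM:
        return 2
    if dbm <= WARN_DBM:
        return 1
    return 0


def local_check_line(row, service="mikrotik-wlan-link"):
    """Build one checkmk local check line: <state> "<service>" <metrics> <summary>.

    A row without Tx/Rx/uptime columns (link down, registration gone) yields
    state 3 (UNKNOWN) instead of a crash.
    """
    try:
        tx = int(row[TX_SIGNAL_COL][1])
        rx = int(row[RX_SIGNAL_COL][1])
        uptime = timeticks_to_seconds(row[UPTIME_COL][1])
    except (KeyError, ValueError):
        return '3 "%s" - registration row incomplete' % service
    state = max(signal_state(tx), signal_state(rx))
    metrics = "tx_dbm=%d;%d;%d|rx_dbm=%d;%d;%d|uptime=%.0f" % (
        tx, WARN_DBM, CRIT_DBM, rx, WARN_DBM, CRIT_DBM, uptime)
    return '%d "%s" %s Tx %d dBm, Rx %d dBm, link up %.1f h' % (
        state, service, metrics, tx, rx, uptime / 3600)


def main():
    # Emit a complete <<<local>>> section, one service per registration row.
    print("<<<local>>>")
    for index, row in parse_walk(SAMPLE_WALK).items():
        print(local_check_line(row, "mikrotik-wlan-link-" + index))


if __name__ == "__main__":
    main()
```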
simple approach:
>> Active directory > User > Attribute Editor > proxyAddresses
>>>> add a new entry: smtp:aliasemail@your-domain.de
---------
see also:
https://blog.netwrix.de/2020/04/13/so-fuegen-sie-mit-active-directory-einen-alias-zu-einem-e-mail-konto-in-office-365-hinzu/
I) global config:
port-access role client-inactivity
client-inactivity timeout none
port-access role unknown
vlan access 1
II) port config:
interface 1/1/1
no shutdown
no routing
vlan access 2
aaa authentication port-access reject-role unknown
aaa authentication port-access auth-role client-inactivity
aaa authentication port-access radius-override enable
aaa authentication port-access mac-auth
enable
certbot / letsencrypt - daily cronjob to renew certificate with webserver reload if cert was renewed
#crontab for renew letsencrypt certificate
9 10 * * * (echo "-------" && date && python -c 'import random; import time; time.sleep(random.random() * 60)' && certbot renew --deploy-hook "systemctl reload nginx") >>/var/log/certbotrenew.log 2>&1
5 0 1 * * gzip -f /var/log/certbotrenew.log >/dev/null 2>&1
CredSSP is used within remote desktop (rdp) connections ...
how to check the CredSSP (Credential Security Support Provider) encryption oracle setting?
(1)
command prompt - with administrative privileges:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle
(2)
powershell:
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -Name AllowEncryptionOracle
(INFO)
Here is what the different values for AllowEncryptionOracle mean:
0 (Force Updated Clients): Only updated clients (with the CredSSP update) can connect.
1 (Mitigated): Clients without the update can connect, but without CredSSP encryption (less secure).
2 (Vulnerable): No protection, allowing any client to connect (least secure).
In this example, the AllowEncryptionOracle value is 0x2, which corresponds to 2 (Vulnerable).
If the setting is not present, it means the default configuration is being used, which typically corresponds to the most secure setting (i.e., only updated clients are allowed).
HPE IMC - how to get backup working for a HPE Aruba cx switch if a mgmt or different vrf is used?
>> if the ip address is defined in another vrf than the default vrf you need to configure that in imc!
Service > Configuration Center > Options: VPN Instance
>> select the devices and define VPN instance name (for example: management) and save the config
>> test configuration backup afterwards
hint:
- more details are in document: HPE iMC 7.3 and Aruba OS-CX Switches Configuration Guide (IMC 7.3 E0710 edition)
- when testing backup, check the switch logs (terminal monitor command on cx), to see if everything works fine
scenario: update iMC to version E710P04 on a new operating system
before: iMC PLAT 7.3 (E0705P02) on Windows 2016
after: iMC Plat 7.3 (E0710P04) on Windows 2022
there is some documentation about this migration from HPE:
- HPE_IMC_Windows_Migration_Guide.pdf (from 2023)
- HPE IMC Windows Migration Guide - HPE IMC Windows Migration Guide-a00038008en_us.pdf
update steps:
-> update the old iMC version on the old server to the latest version, we needed these steps:
update steps:
iMC PLAT 7.3 (E0705P02) > iMC PLAT 7.3 (E0705P12) [success] > iMC PLAT 7.3 (E0706) [success]
> iMC PLAT 7.3 (E0706P11) [success] > iMC PLAT 7.3 (E0708) > iMC PLAT 7.3 (E0708P3)
> iMC PLAT 7.3 (0710) > iMC PLAT 7.3 (071004)
-> after that run a final database backup, and prepare the new server with the latest iMC version
==================================================
!! before restore the database make sure to follow this steps!!
==================================================
From Release Notes of the latest version
Before restoring the old database on the new migrated system, please copy $iMC/common/conf/ks.dat and $iMC/server/conf/imchw.conf files from the old IMC server to the corresponding directories on all IMC platform and subordinate servers, including the remote database server.
Reboot all the servers so the encryption keys take effect.
Restore the database.
" Since Aruba CX software version 10.12 the device fingerprint information learnt by the switch can be sent as Vendor Specific Attributes (VSA) to ClearPass RADIUS server in RADIUS accounting packets."
>> see the following blog entry:
https://integratingit.wordpress.com/2023/10/31/aruba-cx-device-fingerprinting/
---------------------------------------------------------------------------------------
how to?
1) create a device fingerprint:
client device-fingerprint profile FINGERPRINT-PROFILE
dhcp option-num 55
dhcp options-list
cdp tlv-name capabilities
cdp tlv-name device-id
cdp tlv-num 4
lldp tlv-name system-name
lldp tlv-num 5
lldp tlv-name port-description
lldp tlv-name system-capabilities
2.) enable the fingerprint profile
To enable the device fingerprint profile this can be enabled globally or under specific interfaces using the command client device-fingerprint apply-profile FINGERPRINT-PROFILE
interface 1/1/1
client device-fingerprint apply-profile FINGERPRINT-PROFILE
3.) send the fingerprint information, to clearpass
aaa radius-attribute group CPPM-RADIUS
vsa vendor aruba type avpair group dfp-client-info
4.) verification:
- DEVSWI# show client device-fingerprint active
- DEVSWI# show client device-fingerprint
- on clearpass you should see the fingerprint information under Configuration > Identity > Endpoints
- you can debug the radius flow and should see the attribute information in a RADIUS Accounting Request (Vendor Specific (VSA) attribute)
for HPE Aruba solutions for example how to configure radius logon authentication, use this nice page:
- https://ase.arubanetworks.com/
================================================================================
solution example:
Creates Aruba ClearPass Policy Manager (CPPM) XML files and CLI to enable TACACS+ or RADIUS.
Configuration Notes
This will configure the basic TACACS+ or RADIUS on an ArubaOS switch and generate the ClearPass Policy Manager (CPPM) service, enforcement profile and policy for importing into the ClearPass server
https://ase.arubanetworks.com/solutions/id/126
On Friday June 21st 2024, the My Networking Portal (MNP) got renamed to IMC Licensing Tool (ILT), while the functionality remains unchanged.
You can continue using this portal for MSR router licenses management as well.
>> link to portal is: https://www.hpe.com/networking/mynetworking
>> script:
# Define the certificate stores to search
$stores = @("My", "Root", "CA", "TrustedPublisher", "AuthRoot", "TrustedPeople", "Disallowed")
# Print the header line (checkmk local check section)
Write-Host "<<<local>>>"
foreach ($storeName in $stores) {
    try {
        # Open the certificate store
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open("ReadOnly")
        # Get certificates from the store
        $certificates = $store.Certificates
        foreach ($cert in $certificates) {
            # Extract the first Common Name (CN) from the certificate's subject, strip non-printable and
            # special characters and replace whitespace with hyphens so the CN is usable as a service name
            $firstCN = ($cert.Subject -split ',').Trim() | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1 | ForEach-Object {
                ($_ -replace 'CN=', '').Trim() -replace '[^\x20-\x7E]', '' -replace '[^\w\s.*-]', '' -replace '\s+', '-'
            }
            # Replace multiple hyphens with a single hyphen
            $firstCN = $firstCN -replace '-+', '-'
            # Skip certificates without a CN
            if ([string]::IsNullOrWhiteSpace($firstCN)) {
                continue
            }
            # Use the first CN as the name (note: the same CN in two stores produces two lines with the same service name)
            $name = $firstCN
            # Calculate the number of days until the certificate expires
            $daysUntilExpiry = ($cert.NotAfter - (Get-Date)).Days
            # Format the output based on days until expiry (0 = OK, 1 = WARN, 2 = CRIT)
            if ($daysUntilExpiry -gt 14) {
                Write-Host "0 `"cert-store-$name`" - NotAfter-Date: $($cert.NotAfter) - The cert will expire in $daysUntilExpiry days"
            } elseif ($daysUntilExpiry -le 14 -and $daysUntilExpiry -gt 7) {
                Write-Host "1 `"cert-store-$name`" - NotAfter-Date: $($cert.NotAfter) - Warning the cert will expire in $daysUntilExpiry days"
            } elseif ($daysUntilExpiry -le 7 -and $daysUntilExpiry -ge 0) {
                Write-Host "2 `"cert-store-$name`" - NotAfter-Date: $($cert.NotAfter) - Warning the cert will expire in $daysUntilExpiry days"
            } elseif ($daysUntilExpiry -lt 0) {
                Write-Host "2 `"cert-store-$name`" - NotAfter-Date: $($cert.NotAfter) - Warning the cert is expired!"
            }
        }
        # Close the certificate store
        $store.Close()
    } catch {
        #Write-Host "Failed to open store: $storeName" -ForegroundColor Red
    }
}
#Write-Host "Certificate enumeration completed." -ForegroundColor Green
--------------------------------------------
> place the script in: C:\ProgramData\checkmk\agent\plugins
> modify the check_mk.user.yml:
plugins:
    enabled: yes
    execution:
        - pattern : '$CUSTOM_PLUGINS_PATH$\check_cert_store.ps1'
          async : yes
          run : yes
          cache_age : 86400
> restart the checkmk service!
> view the output of the checkmk agent to see if the values are cached
1) Under Internet / Access type / Port configuration you can now select which LAN port you would like to use for a static client. All LAN ports (except port 1) are always activated in the default settings. Please note that DHCP is activated on the LAN ports without a check mark. You can now connect the client set up with the static IP to the configured LAN port. Please check whether the client you have set up with the static IP address is visible in the "Network" tab in the "Home Network" area.
2) If the client is stored with a private IP address, this entry must first be manually changed to the static IP. To do this, call up the details.
3) Then enter the static IP in the "IP address" field and confirm with OK.
4) A second entry is now created in the network overview, which shows the client with the static IP.
5) Now please call up the port sharing page.
6) Select the appropriate client from the drop-down menu. Please note that the IPv4 address cannot be entered manually.
7) You have the option of setting up the port individually or via "exposed host". With "exposed host", individual port releases are no longer necessary, as the entire data traffic is forwarded to the static IP client. For "exposed host", check the box next to IPv4 settings.
------------
link: https://forum.vodafone.de/vodafonede/attachments/vodafonede/Internet-Endgeraete/198842/1/FB_Client_mit_static-IP_2020.pdf
documentation:
https://support.hpe.com/hpesc/public/docDisplay?docId=sf000094624en_us&docLocale=en_US
-------------------------------------------------------
on switch:
--------------
6200(config)# mirror session 1
6200(config-mirror-1)# source interface 1/1/1 both
6200(config-mirror-1)# destination tunnel 20.20.20.10 source 20.20.20.1
6200(config-mirror-1)# enable
This is the data captured by Wireshark on the 20.20.20.10 workstation. A filter of "ip.proto == 0x2f" is applied to see traffic with a GRE header which is what the switch applies to the mirrored traffic before sending to the destination.
problem: an old client cannot login to a ssh server anymore, the old client could be an Aruba Mobility wlan controller with an old firmware
solution: enable ssh-rsa temporarily on your linux server, or leave it enabled if there are no security concerns (ssh-rsa is the SHA-1 based host key signature scheme that OpenSSH disables by default since version 8.8)
#add ssh-rsa to the sshd_config file
/etc/ssh/sshd_config
HostKeyAlgorithms +ssh-rsa
#don't forget to restart the ssh service, so that the new configuration is activated
service sshd restart
documentation:
- https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=583911d8-9723-4be9-9807-75c4690d339b&CommunityKey=3dd64143-3ac3-4152-9abd-06dc0b4ecdd1&tab=librarydocuments
- Aruba ClearPass Workshop - Wireless #4 - AD Client Certificates EAP-TLS: https://www.youtube.com/watch?v=buNyG5WneKY
use command namei:
>> namei - follow a pathname until a terminal point is found
>> with using "--modes"
============================================
sample:
namei --modes /omd/sites/mysite/var/mkeventd/messages/1703631600.log.gz
f: /omd/sites/mysite/var/mkeventd/messages/1703631600.log.gz
drwxr-xr-x /
lrwxrwxrwx omd -> /opt/omd
drwxr-xr-x /
drwxr-xr-x opt
drwxr-xr-x omd
drwxr-xr-x sites
drwxr-x--x mysite
drwxr-x--- var
drwxr--r-- mkeventd
drwxr-xr-x messages
-rw-r--r-- 1703631600.log.gz
/etc/apache2/conf-enabled/my-apache-syslog.conf
### access to syslog
## mkdir /var/www/html/mysite-syslog/
## mkdir /var/www/html/mysite-syslog/messages/
## how to mount
## mount --bind /omd/sites/mysite/var/mkeventd/messages/ /var/www/html/mysite-syslog/messages/
## >> better in /etc/fstab: /omd/sites/mysite/var/mkeventd/messages/ /var/www/html/mysite-syslog/messages/ none bind 0 0
## note: "Require all granted" publishes the whole syslog archive to every client that can reach the web server;
## restrict it (for example "Require ip <your-admin-subnet>" or basic auth) unless the server is only reachable internally
Alias /mysite-syslog /var/www/html/mysite-syslog/
<Directory "/var/www/html/mysite-syslog/">
    DirectoryIndex disabled
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
-------------------
of course you need to run the mount and restart apache ;-))
The issue may just be how the firebox and management server communicate in fully managed mode.
The management server holds the policy manager config locally when fully managed.
If you connect to a firebox directly, and then open Policy Manager, the cert list is what was pulled from the Firebox when policy manager is opened. Policy manager will query the firebox and pull the active certs and populate that list.
With fully managed, the policy manager does not actively pull information from the Firebox, it's all stored on the management server.
how to fix
-------------
>> To get the policy manager to update. We need to flip the device from fully managed mode to basic. Then back to fully managed.
>> When going from basic managed mode to fully managed mode, the policy manager on the management server will pull from the firebox to update the config and pull an updated list.
>> If we do that, we see it updated.
wifi name is: RE_.....
>> connect the box with the wifi of the corresponding inverter
access webfrontend of relay box: 10.10.101.254
very good video:
https://www.youtube.com/watch?v=7iTLBtdSs7w
https://github.com/s10l/deye-logger-at-cmd/releases
download deyeat.exe and run it,
example:
C:\Users\mgreger\Downloads\windows_amd64>deyeat.exe -t 10.20.4.132:48899 -xv
2024/08/01 12:55:50 * Connecting :0 -> 10.20.4.132:48899...
2024/08/01 12:55:51 > WIFIKIT-214028-READ
2024/08/01 12:55:52 < 10.20.4.132,402A8F035FBE,3936670022
2024/08/01 12:55:52 > +ok
2024/08/01 12:55:53 > AT+WAP
2024/08/01 12:55:54 < +ok=11BGN,AP_3936670022,AUTO
2024/08/01 12:55:54 > AT+WAKEY
2024/08/01 12:55:55 < +ok=WPA2PSK,AES,12345678
2024/08/01 12:55:55 > AT+WSSSID
2024/08/01 12:55:56 < +ok=mgkfz
2024/08/01 12:55:56 > AT+WSKEY
2024/08/01 12:55:57 < +ok=WPA2PSK,AES,wlan-key
2024/08/01 12:55:57 > AT+WANN
2024/08/01 12:55:58 < +ok=DHCP,10.20.4.132,255.255.255.0,10.20.4.1
2024/08/01 12:55:58 > AT+WEBU
2024/08/01 12:55:59 < +ok=username,password
2024/08/01 12:55:59 AP settings
2024/08/01 12:55:59 Mode, SSID and Chanel: 11BGN,AP_49366733022,AUTO
2024/08/01 12:55:59 Encryption: WPA2PSK,AES,12345678
2024/08/01 12:55:59 Station settings
2024/08/01 12:55:59 SSID: myssid
2024/08/01 12:55:59 Key: WPA2PSK,AES,mypassword
2024/08/01 12:55:59 IP: DHCP,10.20.4.132,255.255.255.0,10.20.4.1
2024/08/01 12:55:59 Web settings
2024/08/01 12:55:59 Login: username,pwd
2024/08/01 12:55:59 > AT+Q
2024/08/01 12:56:00
#!/usr/bin/env python3
"""
##############################################################################################
# Mikrotik SNMP Query Script - checkmk localcheck
#
# Description:
# This script queries SNMP OIDs for Tx signal strength, Rx signal strength, and link uptime
# from a specified SNMP-enabled device and prints them in checkmk local check format.
#
# Tested with device:
# - MikroTik | Cube 60Pro AC
#
# Usage:
# ./snmp_query.py --host <device_ip> [--snmp-v2c <community_string>]
#
# Examples:
# ./snmp_query.py --host 192.168.1.1 --snmp-v2c private
# ./snmp_query.py --host 192.168.1.1
#
# Author:
# mw
#
# Version:
# >>see variable version
#
# Installation
# make sure to have pysnmp installed: pip install pysnmp
#
##############################################################################################
"""
import argparse
from pysnmp.hlapi import (SnmpEngine, CommunityData, UdpTransportTarget,
                          ContextData, ObjectType, ObjectIdentity, getCmd)

version = "pn-v2024-08-12"


def snmp_query(oid, target, community='public', port=161):
    """Fetch a single OID with SNMP GET and return its value as a string, or None on error."""
    iterator = getCmd(
        SnmpEngine(),
        CommunityData(community, mpModel=0),  # mpModel=0 is SNMPv1, mpModel=1 would be SNMPv2c
        UdpTransportTarget((target, port)),
        ContextData(),
        ObjectType(ObjectIdentity(oid))
    )
    errorIndication, errorStatus, errorIndex, varBinds = next(iterator)
    if errorIndication:
        # transport level problem, e.g. timeout or unreachable host
        print(errorIndication)
        return None
    elif errorStatus:
        # SNMP level error, e.g. noSuchName for an OID the device does not have
        print('%s at %s' % (errorStatus.prettyPrint(),
                            errorIndex and varBinds[int(errorIndex) - 1][0] or '?'))
        return None
    else:
        # varBinds holds (OID, value) pairs; exactly one OID was requested
        return varBinds[0][1].prettyPrint()


def is_number(s):
    """True if s can be parsed as a float; None (no value retrieved) is not a number."""
    try:
        float(s)
        return True
    except (TypeError, ValueError):
        return False


def main():
    parser = argparse.ArgumentParser(description="SNMP query script")
    parser.add_argument('--host', required=True, help='The IP address of the SNMP device')
    parser.add_argument('--snmp-v2c', default='public', help='The SNMP community string')
    args = parser.parse_args()
    target = args.host
    community = args.snmp_v2c

    # OIDs (MikroTik wireless registration table; the index after the column number is the
    # remote MAC address as six decimal octets followed by the interface index)
    tx_oid = '1.3.6.1.4.1.14988.1.1.1.2.1.13.120.154.24.192.44.11.2'
    rx_oid = '1.3.6.1.4.1.14988.1.1.1.2.1.14.120.154.24.192.44.11.2'
    uptime_oid = '1.3.6.1.4.1.14988.1.1.1.2.1.11.120.154.24.192.44.11.2'

    # Query the OIDs
    tx_signal_strength = snmp_query(tx_oid, target, community)
    rx_signal_strength = snmp_query(rx_oid, target, community)
    link_uptime = snmp_query(uptime_oid, target, community)
    # uptime is delivered as TimeTicks (1/100 s); convert to whole seconds
    if is_number(link_uptime) and int(link_uptime) > 0:
        link_uptime = int(int(link_uptime) / 100)

    # Print the results in checkmk local check format: <state> <name> <metrics> <text>
    print("<<<check_mk>>>")
    print(f"Version: {version}")
    print("<<<local>>>")
    if (tx_signal_strength is None or not is_number(tx_signal_strength)
            or rx_signal_strength is None or not is_number(rx_signal_strength)):
        print("3 Air-Signal-dBm Tx-dBm=0|Rx-dBm=0 Tx Signal Strength in dBm: no value retrieved, Rx Signal Strength in dBm: no value retrieved")
    else:
        print(f"0 Air-Signal-dBm Tx-dBm={tx_signal_strength}|Rx-dBm={rx_signal_strength} Tx Signal Strength in dBm: {tx_signal_strength}, Rx Signal Strength in dBm: {rx_signal_strength}")
    if link_uptime is None or not is_number(link_uptime):
        print("3 Air-Link-Uptime uptime=0 Link Uptime in seconds: no value retrieved")
    else:
        print(f"0 Air-Link-Uptime uptime={link_uptime} Link Uptime in seconds: {link_uptime}")


if __name__ == '__main__':
    main()
the non-magic way:
use winscp to copy the right agent onto the server
use tool like dnf or yum to install the package on linux
or use some magic:
#example for rpm package
find /omd/versions/default/ |grep rpm$ | xargs -n 1 dnf install
You are probably missing the "epel" repository.
Follow these steps to enable the "epel" repository:
> sudo dnf upgrade --refresh
> sudo dnf config-manager --set-enabled crb
> sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
> sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm
verify:
>> dnf repolist | grep epel
source: https://computingpost.medium.com/how-to-install-epel-on-rocky-linux-9-8-5efffda6a284
C:\ProgramData\checkmk\agent\log
- make sure to have the certificate of the checkmk host itself included in the agent rule if the update is running over https
- on target system run: check_mk_agent.exe updater -x
(this will ignore the certificate once and upload an updated agent)
>> on Apple devices you can keep configuration settings in files that end with .mobileconfig. In this file you have to enter valid information in XML format.
you can use tools like Apple Configurator to generate such files!
- https://support.apple.com/de-de/apple-configurator
or there are also other tools around like that one:
- https://github.com/andris9/mobileconfig?tab=readme-ov-file#readme
- https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
further links about mobileconfig files:
- https://www.webquarry.com/client/knowledgebase/16/Iphone-email-configuration-with-mobileconfig-file.html
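As an added example that is not from the page or from any of the tools linked above, here is a Python generator for a mail .mobileconfig plus a small lint that flags what a defender wants fixed before distribution (missing mandatory keys, mail servers without TLS, embedded clear-text passwords). The payload key names are taken from Apple's Configuration Profile Reference linked above; the identifiers, hostnames and addresses are constructed sample values.

```python
import plistlib
import uuid


def mail_payload(identifier, account_name, address, imap_host, smtp_host, username):
    """One com.apple.mail.managed payload. TLS is forced for both servers and no
    password is embedded, so the user is prompted for it when the profile installs."""
    return {
        "PayloadType": "com.apple.mail.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": account_name,
        "EmailAccountDescription": account_name,
        "EmailAccountType": "EmailTypeIMAP",
        "EmailAddress": address,
        "IncomingMailServerAuthentication": "EmailAuthPassword",
        "IncomingMailServerHostName": imap_host,
        "IncomingMailServerPortNumber": 993,
        "IncomingMailServerUseSSL": True,
        "IncomingMailServerUsername": username,
        "OutgoingMailServerAuthentication": "EmailAuthPassword",
        "OutgoingMailServerHostName": smtp_host,
        "OutgoingMailServerPortNumber": 587,
        "OutgoingMailServerUseSSL": True,
        "OutgoingMailServerUsername": username,
        "OutgoingPasswordSameAsIncomingPassword": True,
    }


def build_profile(display_name, identifier, payloads):
    """Top-level wrapper; the profile and every payload need their own PayloadUUID and a
    reverse-DNS PayloadIdentifier so a later version can replace the installed one."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }


def lint_profile(profile):
    """Return a list of findings to fix before the profile is handed out."""
    findings = []
    for p in profile.get("PayloadContent", []):
        pid = p.get("PayloadIdentifier", "<no identifier>")
        for key in ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID"):
            if key not in p:
                findings.append(f"{pid}: missing {key}")
        if p.get("PayloadType") == "com.apple.mail.managed":
            for side in ("Incoming", "Outgoing"):
                if not p.get(f"{side}MailServerUseSSL"):
                    findings.append(f"{pid}: {side} mail server without SSL/TLS")
                if p.get(f"{side}MailServerPassword"):  # clear text in the profile
                    findings.append(f"{pid}: {side} password embedded in clear text")
    return findings


def to_mobileconfig(profile):
    """Serialise to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile).decode()
```

Write the string returned by to_mobileconfig() to a file with the .mobileconfig extension; Apple Configurator or an MDM can sign it before distribution.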
failed AuthPoint login
--------------------------
2024-08-30 13:20:53 firecluster-m390-m2 wgcgi SSL VPN user pronexon@AuthPoint from 10.0.0.1 was rejected - invalid credentials or user doesn't exist.
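As an added example (not from the page), the rejection line above can be parsed and turned into a simple detection: many rejections from one source within a short window, especially for several different users, is what a credential-guessing attempt looks like in this log. The regex follows the line format shown above; all log lines except the first are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the rejection line above; the trailing reason text is not anchored.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) wgcgi "
    r"SSL VPN user (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) was rejected"
)

# Constructed sample: the page's line, a burst of rejections for six different users
# from one source, and one unrelated line that must be ignored.
SAMPLE_LOG = """\
2024-08-30 13:20:53 firecluster-m390-m2 wgcgi SSL VPN user pronexon@AuthPoint from 10.0.0.1 was rejected - invalid credentials or user doesn't exist.
2024-08-30 13:21:10 firecluster-m390-m2 wgcgi SSL VPN user alice@AuthPoint from 203.0.113.7 was rejected - invalid credentials or user doesn't exist.
2024-08-30 13:21:15 firecluster-m390-m2 wgcgi SSL VPN user bob@AuthPoint from 203.0.113.7 was rejected - invalid credentials or user doesn't exist.
2024-08-30 13:21:20 firecluster-m390-m2 wgcgi SSL VPN user carol@AuthPoint from 203.0.113.7 was rejected - invalid credentials or user doesn't exist.
2024-08-30 13:21:25 firecluster-m390-m2 wgcgi SSL VPN user dave@AuthPoint from 203.0.113.7 was rejected - invalid credentials or user doesn't exist.
2024-08-30 13:21:30 firecluster-m390-m2 wgcgi SSL VPN user erin@AuthPoint from 203.0.113.7 was rejected - invalid credentials or user doesn't exist.
2024-08-30 13:21:35 firecluster-m390-m2 wgcgi SSL VPN user frank@AuthPoint from 203.0.113.7 was rejected - invalid credentials or user doesn't exist.
2024-08-30 13:22:00 firecluster-m390-m2 wgcgi some unrelated message (constructed)
"""


def parse_rejections(lines):
    """Yield (timestamp, device, user, source_ip) for every matching rejection line."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["device"], m["user"], m["src"]


def find_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (max rejections inside one window, distinct users)} for every
    source that reaches `threshold` rejections within any sliding `window`."""
    stamps = defaultdict(list)
    users = defaultdict(set)
    for ts, _device, user, src in parse_rejections(lines):
        stamps[src].append(ts)
        users[src].add(user)
    bursts = {}
    for src, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[src] = (max(count, bursts.get(src, (0,))[0]), len(users[src]))
    return bursts
```

Feed it the lines of the firebox log export (or the syslog receiver's file); a hit with many distinct users from one source is the spraying pattern, a hit with one user is more likely a locked-out or mistyped account.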
for example:
Rubber cable H07RN-F 3G1,5
The rubber cable H07RN-F 3G1.5 Black is suitable for permanent use outdoors as well as in dry and damp rooms. Suitable for electrical appliances subject to medium mechanical stresses.
nice tool to read out LLDP (Link Layer Discovery Protocol) data:
- LDWin: https://github.com/chall32/LDWin?tab=readme-ov-file
- or just use wireshark and filter for "lldp" ;-)
RustDesk
The open source alternative to TeamViewer
RustDesk is a full-featured open source remote control alternative for self-hosting and security with minimal configuration.
kb article: Deploying baked agents via remote sites within a distributed monitoring configuration is now possible.
https://checkmk.atlassian.net/wiki/spaces/KB/pages/9473359/Working+with+Distributed+Agent+Bakery
official documentation:
https://docs.checkmk.com/latest/en/agent_deployment.html
>> section: 5. Agent updates in distributed monitoring
NTRadPing is a cool old Radius test utility that can be downloaded from several places. I just used it - version 1.5 from 2003 on Windows 11 ;-)
if you need to add some new Radius attributes to the dictionary, here is an example.
dictionary file is: raddict.dat
example of some HP / Aruba specific attributes, just add these lines at the end of the file and restart NTRadPing Test Utility:
ATTRIBUTE Port-MA-Port-Mode 14 integer HP
VENDOR Aruba 14823
ATTRIBUTE Aruba-Port-Auth-Mode 50 integer Aruba
> use nmap, example:
nmap -sU -p 161 --script=snmp-info --script-args snmpcommunity=mytestcommunity 192.168.2.0/24
problem: PHP scripts always time out after 60 seconds
in the log file you will probably see something like this:
>> /var/log/httpd/error.log
[proxy_fcgi:error] [pid 902:tid 139997042652928] (70007)The timeout specified has expired: [client 192.168.2.99:62467] AH01075: Error dispatching request to : (polling)
solution:
/etc/httpd/conf/httpd.conf
Timeout 600
ProxyTimeout 600
restart apache + php-fpm service
just follow this great guide:
https://wiki.crowncloud.net/?How_to_Install_PHP_8_2_in_Rocky_Linux_8
situation:
server a (old server)
server b (new server, which has already been upgraded - PHP version, database etc.)
#sync files from server a > to b:
#!/bin/bash
rsync --dry-run -v -uzae ssh /var/www/html/nextcloud/ root@server-b:/var/www/html/nextcloud/
#rsync -v -uzae ssh /var/www/html/nextcloud/ root@server-b:/var/www/html/nextcloud/
#don't forget to backup the database using mysql command on server a, copy the sql file to server b and restore it there
using a command like "mysql -u root -p nextcloud <backup-of-server-a-database.sql"
#update nextcloud on commandline (rocky linux)
cd /var/www/html/nextcloud
[root@cloud nextcloud]# sudo -u apache php updater/updater.phar
sample commands:
#show current ruleset
firewall-cmd --list-all
#show active rules (permanent means the rules are still there after a reboot)
firewall-cmd --list-service
firewall-cmd --list-service --permanent
firewall-cmd --add-service=http
firewall-cmd --remove-service=http
firewall-cmd --runtime-to-permanent
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
#handle icmp types
firewall-cmd --add-icmp-block=echo-request
firewall-cmd --list-icmp-blocks
firewall-cmd --remove-icmp-block=echo-request
firewall-cmd --get-icmptypes
further reading:
- https://www.server-world.info/en/note?os=Rocky_Linux_8&p=firewalld&f=1
rocky linux 9 - how to extend partition
- you increased the virtual harddisk for example on esxi host
- the harddisk is /dev/sda for example
- use command: cfdisk /dev/sda
-- use resize to increase for example /dev/sda5
-- make sure to leave cfdisk using write
- use command "vgs" to check the volume group, example:
VG #PV #LV #SN Attr VSize VFree
rl 1 2 0 wz--n- 46.82g 0
- now run pvresize /dev/sda5
pvresize /dev/sda5
Physical volume "/dev/sda5" changed
1 physical volume(s) resized or updated / 0 physical volume(s) not resized
- now run "vgs" again > you should see the increased hdd:
vgs
VG #PV #LV #SN Attr VSize VFree
rl 1 2 0 wz--n- 146.82g 100.00g
- now increase the logical volume
lvextend -l +100%FREE /dev/mapper/rl-root
Size of logical volume rl/root changed from 41.98 GiB (10747 extents) to 141.98 GiB (36347 extents).
Logical volume rl/root successfully resized.
- last step: increase the filesystem
if the filesystem is ext, use: resize2fs /dev/mapper/rl-root
if it is xfs, here is a sample:
xfs_growfs /dev/mapper/rl-root
meta-data=/dev/mapper/rl-root isize=512 agcount=4, agsize=2751232 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=0
= reflink=1 bigtime=1 inobtcount=1 nrext64=0
data = bsize=4096 blocks=11004928, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1
log =internal log bsize=4096 blocks=16384, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
data blocks changed from 11004928 to 37219328
see also:
https://www.onesystems.ch/blog/lvm-festplatte-vergroessern-ohne-neue-partition/
omd backup yoursitename - | ssh root@other-server 'omd restore -'
or backup to tar.gz file:
omd backup yoursitename - | ssh root@other-server "cat > /opt/backup/testsite/backup.tar.gz"
further reading:
https://docs.checkmk.com/latest/de/omd_basics.html
#on switch
#configure radius-server
radius-server host <ip or dns>
radius-server key plaintext <shared radius secret>
aaa authentication login default group local radius
aaa accounting all-mgmt default start-stop group radius
aaa authentication allow-fail-through
#on clearpass you need a generic Radius rule and the following profiles:
profile: <customer>_Radius_Switch_Operator + Admin
>> Operator: NAS-Prompt-User (7)
>> Administrator: Administrative-User(6)
#further reading > see hpe security guide, for example search for:
arubaos cx 10.13 security guide
Multimode
OM1 > Wavelength 850 > 10G Support up to 33 meters (color orange)
OM2 > Wavelength 850 > 10G Support up to 82 meters (color orange)
OM3 > Wavelength 850 > 10G Support: up to 300 meters (color aqua)
OM4 > Wavelength 850 > 10G Support: up to 550 meters (color aqua or magenta)
Single Mode
OS1 > Wavelength 1310 > 10G Support up to 10000 meters (color yellow)
see also:
https://medium.com/@fiberstoreorenda/comparison-of-om1-om2-om3-om4-7092499ba656
https://www.lightoptics.co.uk/blogs/news/fiber-color-code
ptbtime1.ptb.de
ptbtime2.ptb.de
ptbtime3.ptb.de
ptbtime4.ptb.de
(best performance!!)
to use the livestatus command, you need to access the linux shell and log in via ssh: now you have the command "lq":
########################
#sample to query hosts
########################
lq "GET hosts\nColumns: host_name description address state"
lq "GET hosts\nColumns: host_name description address state host_hard_state"
my-first-ap1;;10.199.0.247;1;1
########################
#sample to query services
########################
#sample when service PING is OK
lq "GET services\nColumns: host_name description state host_hard_state service_hard_state"
my-first-ap1;PING;0;0;0
#sample when host + service ping is in hard_state
lq "GET services\nColumns: host_name description state host_hard_state service_hard_state"
my-first-ap1;PING;2;1;2
further documentation:
https://docs.checkmk.com/latest/en/livestatus.html
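As an added example that is not from the page or from Checkmk, here is a small Python client for the same queries: it builds the request the way the lq samples above do (with a fixed16 response header so a 450 "invalid column" answer is not mistaken for data), parses the ';'-separated rows, and sorts services the way the two PING samples are read. The socket path under /omd/sites/<site>/tmp/run/live is an assumption to adjust to your site name; the sample rows are constructed from the output lines above.

```python
import socket

COLUMNS = ["host_name", "description", "state", "host_hard_state", "service_hard_state"]


def build_query(table, columns, filters=()):
    """Assemble a Livestatus GET request; the empty line terminates it."""
    lines = [f"GET {table}", "Columns: " + " ".join(columns)]
    lines += [f"Filter: {f}" for f in filters]
    lines += ["OutputFormat: csv", "ResponseHeader: fixed16"]
    return "\n".join(lines) + "\n\n"


def parse_response(raw):
    """Split a fixed16 response: 3-digit status, space, 11-digit body length, newline."""
    status = int(raw[:3])
    length = int(raw[4:15])
    return status, raw[16:16 + length]


def parse_rows(body, columns):
    """Turn the ';'-separated csv rows into dicts keyed by column name."""
    return [dict(zip(columns, line.split(";"))) for line in body.splitlines() if line]


def classify(rows):
    """Use hard states only, so a service still in its retries (soft state) does not
    alert yet: host_hard_state != 0 is a host problem, otherwise a non-zero
    service_hard_state is a service problem."""
    result = {"host_down": [], "service_problem": [], "ok": []}
    for r in rows:
        key = f"{r['host_name']}/{r['description']}"
        if r["host_hard_state"] != "0":
            result["host_down"].append(key)
        elif r["service_hard_state"] != "0":
            result["service_problem"].append(key)
        else:
            result["ok"].append(key)
    return result


def query_livestatus(query, socket_path="/omd/sites/mysite/tmp/run/live"):
    """Send the request over the site's unix socket (path is an assumption, replace
    'mysite') and return (status, body); body is an error message unless status is 200."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall(query.encode())
        s.shutdown(socket.SHUT_WR)  # tells Livestatus the request is complete
        chunks = []
        while chunk := s.recv(65536):
            chunks.append(chunk)
    return parse_response(b"".join(chunks).decode())


# Constructed sample: the two PING rows from the lq samples above plus one made-up host
# whose service is in hard state WARN while the host itself is UP.
SAMPLE_BODY = "my-first-ap1;PING;0;0;0\nmy-first-ap1;PING;2;1;2\nweb01;HTTP;1;0;1\n"
SAMPLE_RESPONSE = "%3d %11d\n" % (200, len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    print(build_query("services", COLUMNS, ["service_hard_state != 0"]))
    status, body = parse_response(SAMPLE_RESPONSE)
    print(status, classify(parse_rows(body, COLUMNS)))
```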
SOGo, an Open Source Webmail for businesses and communities
https://www.sogo.nu/
works with Active Sync !!
- information about how to sell or buy:
https://www.daytrading.com/chia
If you encounter performance problems through a bovpn with a WatchGuard NV5 this might be a solution:
HQ: T45
Branch: NV5
Here are some iperf tests:
IKEV2 Phase1: AES-GCM128 DH20 Phase2: ESP AES-GCM128
-----
Branch > HQ
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 6.15 MBytes 5.16 Mbits/sec sender
[ 4] 0.00-10.00 sec 6.10 MBytes 5.11 Mbits/sec receiver
HQ > Branch
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 16.0 MBytes 13.4 Mbits/sec sender
[ 4] 0.00-10.00 sec 16.0 MBytes 13.4 Mbits/sec receiver
IKEV1 Phase1: SHA1 AES128 DH2 Phase2: ESP AES-GCM128
-----
Branch > HQ
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 8.98 MBytes 7.53 Mbits/sec sender
[ 4] 0.00-10.00 sec 8.88 MBytes 7.45 Mbits/sec receiver
IKEV1 Phase1: SHA2-256 AES128 DH14 Phase 2: ESP SHA2-256 AES128
-----
Branch > HQ
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 20.3 MBytes 17.0 Mbits/sec sender
[ 4] 0.00-10.01 sec 20.3 MBytes 17.0 Mbits/sec receiver
IKEV2 Phase1: SHA2-256 AES128 DH14 Phase 2: ESP SHA2-256 AES128
-----
Branch > HQ
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 20.4 MBytes 17.1 Mbits/sec sender
[ 4] 0.00-10.01 sec 20.4 MBytes 17.1 Mbits/sec receiver
HQ> Branch
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 21.3 MBytes 17.9 Mbits/sec sender
[ 4] 0.00-10.00 sec 21.3 MBytes 17.8 Mbits/sec receiver
>> contrary to the recommendation from WatchGuard, performance is better without AES-GCM
>> this could be due to the missing hardware crypto chip (only a supposition)
https://green.cloud/docs/how-to-upgrade-from-debian-11-to-debian-12/
Problem:
automysqlbackup error: couldn't execute show events because the event scheduler is disabled (seen after upgrade from Debian 11 to Debian 12)
how to fix this mysql / event error:
mysql_upgrade -u root -h localhost -p --verbose
https://stackoverflow.com/questions/46668403/couldnt-execute-show-events-15777
https://www.robware.net/ >> RVTools
pre 2.3.0: directory: /opt/omd/sites/<site>/lib/check_mk/base/plugins/agent_based
post 2.3.0: directory: /opt/omd/sites/<site>/lib/python3/cmk/base/plugins/agent_based
change the following line:
if section.reboot_required:
    yield Result(state=State.OK, summary="Reboot required to finish updates")
>> restart the cmk site!
turn on ldap directory logging:
------------------------------------------------
Reg Add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2
Reg Add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Directory Service" /v "MaxSize" /t REG_DWORD /d "2147483648"
(2147483648 = 2GB)
ldap test tool:
------------------------------------------------
C:\Windows\SYSTEM32\ldp.exe
=====================================
https://blog.it-koehler.com/en/Archive/2951
== EtherApe: tool to display network activity
- install with apt install etherape
- run with "etherape -i eth0"
- or run with "etherape -f tcp" to see only tcp traffic
- there is a graphical interface, or you can log to a file using the command: "etherape -p -w output_file"
- stop etherape after number of packets: etherape -c 1000
- use it with pcap: "etherape -r input_file.pcap"
- get remote data using ssh: "etherape -r ssh://username@remote_host/"
== ARPwatch: tool to monitor arp activity
- install: apt-get install arpwatch
- watch log file: "tail -f /var/log/arpwatch.log"
links:
- https://www.ip-insider.de/so-nutzen-sie-den-arp-cache-fuer-die-netzwerkdiagnose-a-c4ce2ba83d76eae190a0776208c01e11/
- https://www.ip-insider.de/troubleshooting-und-sicherheitsanalyse-im-netzwerk-a-cd1bbf617b71b76920894db7a09a00e7/
install proxmox guest tools:
dnf -y install qemu-guest-agent
systemctl enable qemu-guest-agent
systemctl start qemu-guest-agent
please make sure that you have enabled the "Use QEMU Guest Agent" setting under the virtual machine options
-------------------------------------
- https://hotkey404.com/installing-rocky-9-on-proxmox/
Werk #17155: Microsoft Teams: Use workflows instead of connectors
https://checkmk.com/werk/17155
To configure a workflow within Microsoft Teams:
Click the 3 dots on a channel and select "Workflows"
Choose "Post to a channel when a webhook request is received"
Choose name for the workflow, e.g. "Checkmk"
Select team and channel where the webhook should post to
Copy webhook URL
create file: /etc/httpd/conf.d/redirect-443.conf,
with this content:
---------------------------------------------------------------------
RewriteEngine On
# Never forward request for .well-known (important when using Let's Encrypt)
RewriteCond %{REQUEST_URI} !^/.well-known
# Next 2 lines: Force redirection if incoming request is not on 443
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}$1 [L]
---------------------------------------------------------------------
restart apache: systemctl restart httpd
There are two system partitions allocated for storing the controller image files, identified as 0:0 and 0:1.
To modify the boot partition from the cpboot, follow these instructions:
Access the controller through a console connection.
Interrupt the automatic boot sequence during the controller's reboot.
To access cpboot mode, when the following message appears on the console screen, press any key to enter cpboot mode:
Press any key to halt autoboot: 0
To switch the boot partition to 0:0, enter the following command at the cpboot prompt:
cpboot> bootf 0:0
To switch the boot partition to 0:1, enter this command at the cpboot prompt:
cpboot> bootf 0:1
with two devices on "auto" ports:
vsf split-detect mgmt
vsf secondary-member 2
vsf member 1
type jl658a
link 1 1/1/26
link 2 1/1/25
vsf member 2
type jl658a
link 1 2/1/25
link 2 2/1/26
show crypto ipsec sa
links / tutorials:
- https://www.andysblog.de/windows-wireless-lan-802-1x-und-nps
if cloud guest is not working, there is probably no connection to the specified cloud Radsec Port TCP 2083.
In the following some useful commands to check on an access point console:
- commands to use
show radius-servers
-> here you should see an established session to Radsec port TCP 2083
show radius status
-> here you should see an established session to Radsec port TCP 2083
ping euw1.cloudguest.central.arubanetworks.com
-> check if DNS resolution works > you should see an IP
show ap debug radius-statistics
-> check if guest / cloud server is "Up"
show log security
-> see logs regarding radsec
show datapath session
-> you should see an established session to destination port 2083 (Radsec)
show ap debug cloud-connectivity
-> see cloud status
show ap debug cloud-pingpong-stats
ping statistics 744(744)
pong statistics 744(744)
------------------------------------------------
important document!
>> https://www.arubanetworks.com/techdocs/central/2.5.7/content/nms/device-mgmt/communication_ports.htm
------------------------------------------------
computer2know :: thank you for your visit :: have a nice day :: © 2024