Posts Tagged ‘linux’

How Traceroute Works Its Magic

Friday, March 6th, 2009

Do you wonder about how traceroute works? Here is how the traditional traceroute works…

Time To Live (TTL) is a part of the IP header, it is designed to prevent packets from looping forever.
When you send a packet, each router (hop) on the way will decrement the TTL value by one.
When the TTL value reaches zero (0), the packet is said to be ‘expired’ and is discarded.
The router that discards this packet will send an ICMP ‘Time Exceeded’ back to the sender.

By launching a ‘traceroute’ in linux you will send a series of UDP packets towards your target with an TTL starting at 1, and increased with 1 until the target is reached.

Fully explained, let us say you have this path to


By sending a packet with TTL one, then will send you an ICMP Time Exceeded – and you have the first line in the traceroute.
TTL is set to 2 on the next packet, will reply with ICMP Time Exceeded and you can see hop number two.

This method of tracerouting depends on the practise of sending ICMP packets back when the TTL has expired and the packet is discarded, when the packet it only discarded you will often see just a * * * in the traceroute, this also happens if the path is down. That’s usually when you do not reach your target.

Using Tcpdump in Linux to Analyze Network Traffic

Wednesday, February 25th, 2009

Have you ever needed to see traffic in front of your eyes? There exists a tool in linux to do this. You can see it all, even .. passwords.

I will just give you the commands to see different types of traffic, use it for what you want.
You will not see network traffic going between other devices on the network, only to your workstation – assuming you are on a switched network, on a WLAN things are different.
If you want to monitor a network port, you can use a ‘mirror port’ in Cisco, configuration is as follows:

monitor session 1 source interface fastethernet 0/1
monitor session 1 destination interface fastethernet 0/2 encap ingress vlan 1

This will mirror all network traffic on FastEthernet 0/1 to FastEthernet 0/2.
There also exists methods for injecting ARP to a switched network to make network devices believe you are the gateway, so that you can inspect the packets before passing them on to the gateway.

Tcpdump commands
So back to tcpdump, to look at for example web traffic
Always remember that if you want to see the traffic as ASCII, just apply the argument ‘-A’ to tcpdump

I am assuming you are using eth0, -n turns off DNS.

tcpdump -i eth0 -n port 80

Now a little more fancy, using egrep – this will show all your web requests in real time!

tcpdump -i eth0 -A -n port 80 | egrep -i \(GET.\/\|POST.\/\|Host:\)

Did you know you can tcpdump for a subnet by just excluding the last octet?

tcpdump -i eth0 -n port 80 and host 10.0.5

You can see I used ‘and’ here to specify more filter, you can also use or
For example port 80 or port 81

If you forgot your pop3 password, but have it stored in the client

tcpdump -i eth0 -n port 110 -A | egrep -i \(user\|pass\)

This also applies to passwords for the web, I have used this a lot instead of the ‘forgot password’ mechanism.

If I forgot to mention anything, please let me know.

Configuring MySQL AAA Authentication and Accounting with Tacacs+ on Linux

Monday, November 10th, 2008

So, been experimenting more with tacacs+ and got everything working out nicely with MySQL – so here is my tutorial!

It seemed like I had to run out of my “Oh, I run ubuntu so I will just apt-get” luck sometime, as I actually had to take this one from source to make it work completely.
So I will start with the Linux end of this, the compiling of tac_plus

If you followed my previous tutorial, you will have to remove the old tac_plus package.

root@server:~# apt-get remove tac-plus
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages will be REMOVED:
0 upgraded, 0 newly installed, 1 to remove and 104 not upgraded.
Need to get 0B of archives.
After unpacking 324kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database … 227395 files and directories currently installed.)
Removing tac-plus …
Stopping Tacacs+ server: tac_plus.
root@server:~# dpkg –purge tac-plus

The dpkg –purge command will remove all configuration files, so if you want to keep them just run

root@server:~# cp -r /etc/tac-plus /root/tac-plus-configuration

This will store the old configuration files in a folder named /root/tac-plus-configuration

Now compile the tac_plus daemon, remember to have the libmysql++-dev installed before you do this. It should also bring along libmysql++2c2a libmysqlclient15-dev by itself.

root@server:~# cd /usr/local/src
root@server:/usr/local/src# wget -q
root@server:/usr/local/src# tar -zxf tac_plus-4.4.tgz
root@server:/usr/local/src# cd tac_plus-4.4
root@server:/usr/local/src/tac_plus-4.4# wget -q
root@server:/usr/local/src/tac_plus-4.4# tar -zxf securid.tgz
root@server:/usr/local/src/tac_plus-4.4# ./configure –with-mysql –with-db

It should now print a lot of ‘checking for’ or ‘checking wheter’ lines, just let it run.
The last couple of lines you should see should be:

creating Makefile
creating tac_plus.spec
creating config.h
config.h is unchanged

Then it’s time to run make to compile the source code into a binary file.

root@server:/usr/local/src/tac_plus-4.4# make
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c acct.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c author.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c config.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c choose_authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c default_fn.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c default_v0_fn.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c do_acct.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c do_author.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c dump.c
dump.c: In function ‘dump_nas_pak’:
dump.c:159: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c enable.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c encrypt.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c expire.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c hash.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c tac_plus.c
tac_plus.c: In function ‘main’:
tac_plus.c:364: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c md5.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c packet.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c parse.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c programs.c
programs.c: In function ‘my_popen’:
programs.c:282: warning: incompatible implicit declaration of built-in function ‘exit’
programs.c:287: warning: incompatible implicit declaration of built-in function ‘exit’
programs.c:292: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c pw.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c pwlib.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c report.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c sendauth.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c sendpass.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c time_limit.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c utils.c
utils.c: In function ‘tac_exit’:
utils.c:79: warning: incompatible implicit declaration of built-in function ‘exit’
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c accesslog.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c ext_authen.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_ext.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_null.c
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/mysql -g -O2 -c db_mysql.c
gcc -g -O2 -L/usr/lib/mysql -o tac_plus -L/usr/lib/mysql acct.o authen.o author.o config.o choose_authen.o default_fn.o default_v0_fn.o do_acct.o do_author.o dump.o enable.o encrypt.o expire.o hash.o tac_plus.o md5.o packet.o parse.o programs.o pw.o pwlib.o report.o sendauth.o sendpass.o time_limit.o utils.o accesslog.o ext_authen.o db.o db_ext.o db_null.o db_mysql.o -lmysqlclient -lz -lnsl -lpthread -lc -lcrypt -Llib/lnx -laceclnt
root@server:/usr/local/src/tac_plus-4.4# cp tac_plus /usr/sbin/

Now, I just did a quick hack with copying the tac_plus binary to /usr/sbin, if you choose to install it with make install, be aware that it will spread files all around your system that you really don’t need.

I got a library error, this is my fix.

root@server:/usr/local/src/tac_plus-4.4# /usr/sbin/tac_plus -v
/usr/sbin/tac_plus: error while loading shared libraries: cannot open shared object file: No such file or directory
root@server:/usr/local/src/tac_plus-4.4# cp lib/lnx/ /usr/lib && ldconfig
root@server:/usr/local/src/tac_plus-4.4# /usr/sbin/tac_plus -v
tac_plus version 4.4rc2-3 (Extended Tac_plus)

Perfect, shared libraries installed and the tacacs daemon seems to be working!
Now to create the configuration file and everything.

root@server:/usr/local/src/tac_plus-4.4# cd /etc
root@server:/etc# mkdir tac-plus && chmod 700 tac-plus
root@server:/etc# cd tac-plus
root@server:/etc/tac-plus# touch tacacs.conf && chmod 700 tacacs.conf

Edit the /etc/tacacs.conf file with your favourite editor, I as always love vim.
For simplicity, let us keep it to a small amount of lines.

The contents of /etc/tacacs.conf

key mykey
default db = mysql://tacacs:tacacspassword@localhost/tacacs

The logics of the MySQL URI is mysql://username:password@databasehost/database, so the username will now be tacacs, the password will be ‘password’ and the database ‘tacacs’ on the MySQL server on localhost.

MySQL Setup
We now need to setup the backend databases for tac_plus to communicate with.

root@server:/etc/tac-plus# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11335
Server version: 5.0.38-Ubuntu_0ubuntu1.4-log Ubuntu 7.04 distribution

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql> \. /usr/local/src/tac_plus-4.4/tac_plus.sql
Query OK, 1 row affected (0.36 sec)

Database changed
Query OK, 0 rows affected (0.19 sec)

#… You should get a lot of these lines and return to the prompt, verify the structure:
mysql> show tables;
| Tables_in_tacacs |
| access |
| accounting |
| acl |
| admin |
| attribute |
| contact_info |
| host |
| node |
| user |
| vendor |
10 rows in set (0.08 sec)

# You now need to grant access to tacacs
mysql> GRANT ALL PRIVILEGES ON tacacs.* to tacacs@localhost IDENTIFIED BY ‘tacacspassword’;
Query OK, 0 rows affected (0.00 sec)

You could grant SELECT on the user and host tables, while letting it modify for example only the accounting and access tables which it uses for .. well, accounting records. It records logins/logouts and commands written if you want to. Tac-plus will automagically do this for you, and the Cisco Configuration is well documented in my article about Log Commands on Your Cisco Routers and Switches With Tacacs On Linux. Oh well, let us go on.

Let us insert just a user and a host.

INSERT INTO user (uid, gid, password, expires) values (‘username’, ‘100’, ENCRYPT(‘testtest’), ‘0000-00-00’);
INSERT INTO host (ip, hostgroup, hkey, network, submask, loginacl, host) VALUES (‘’, ‘Routers’, ‘tercesym’, ‘0’, ‘0’, ‘666’, ‘1’);
INSERT INTO acl (id, type, seq, permission, value, value1, submask) VALUES (‘666’, ‘2’, ‘1’, ’57’, ‘allusers’, ‘0’, ‘0’);

That should be it, we are done with this and we can now start the daemon.

root@server:~# /usr/sbin/tac_plus -C /etc/tac-plus/tacacs.conf -d254 -l tac.log

You can now monitor tac.log which resides in your current working directory (pwd), with tail -f tac.log and you can remove the -d254 when you are sure this is working.
You should now be able to login with user username and password testtest.

To configure your Cisco IOS running Switch or Router

Router(config)#aaa authentication login default local group tacacs+
Router(config)#tacacs-server host key mykey

As long as you keep the ‘local’ in the authentication line, you will still be able to fall back to local user authentication.

If you get any weird errors or warnings, post them as a comment and I will have a look at it!

Log Commands on your Cisco Routers and Switches with Tacacs+ on Linux

Sunday, November 9th, 2008

I setup command logging with Tacacs+ on Linux this week. Let me show you how easy it is!

I am (as always) doing this with Ubuntu linux and so I just have to apt-get the packages I need.

espen@server:~$ sudo apt-get install tac-plus
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 104 not upgraded.
Need to get 105kB of archives.
After unpacking 324kB of additional disk space will be used.
Get:1 feisty/universe tac-plus 1:4.0.4.alpha-14 [105kB]
Fetched 105kB in 0s (331kB/s)
Selecting previously deselected package tac-plus.
(Reading database … 227388 files and directories currently installed.)
Unpacking tac-plus (from …/tac-plus_1%3a4.0.4.alpha-14_i386.deb) …
Adding system user `tacacs’ (UID 64005) …
Adding new group `tacacs’ (GID 64005) …
Adding new user `tacacs’ (UID 64005) with group `tacacs’ …
Not creating home directory `/home/tacacs’.
Setting up tac-plus (4.0.4.alpha-14) …
Starting Tacacs+ server: tac_plus.

Wow, that was quick… The tacacs+ server is already running!
But wait, we have to configure it just a bit.

For this article I will just focus on the logging part (accounting), but I will continue to write about authentication and authorization to fully comply fully with AAA.

Now, open up /etc/tac-plus/tacacs.conf in your favourite editor, mine is vim.
Be sure to uncomment and set the key, set the accounting file and you should be ready to roll.

key = tercesym
accounting file = /var/log/tac-plus/account

Just restart the tacacs daemon:

espen@server:/etc/tac-plus# sudo /etc/init.d/tac-plus restart
Restarting Tacacs+ server: tac_plus.

Now to configure this on your cisco equipment, please follow the steps in this article first.
Then to make sure the Cisco IOS Switch or Router will notify your tacacs deamon of accounting events, this is the configuration you need.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa accounting delay-start
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting commands 15 default start-stop group tacacs+
Router(config)#tacacs-server host key tercesym

! If you want the Router to source from a specific IP address
Router(config)#ip tacacs source-interface Loopback 1


Now you can verify accounting

Router#show accounting

Active Accounted actions on tty1, User admin Priv 1
Task ID 17, EXEC Accounting record, 00:16:58 Elapsed
task_id=17 start_time=1226261207 timezone=CET service=shell

There is one accounting session running, and you can also check the server to see if any accounting records are recorded.

espen@server:~# sudo tail /var/log/tac-plus/account
Sun Nov 9 21:26:58 2008 admin tty1 stop task_id=26 start_time=1226262225 timezone=CET service=shell priv-lvl=15 cmd=show accounting

Perfect, now there will be no doubt about who dropped that ‘no router bgp’ command on your Cisco Router!

syslog-ng | Cisco: Setting Up Remote Syslog To MySQL in Linux

Thursday, October 16th, 2008

We are all in the need of a good method of keeping track of our log messages.

It’s a good feeling to know that all the syslog messages from all the equipment I manage are safely deposited into a MySQL database which is backed up daily by our backup software.

First, syslog-ng
I use Ubuntu, so I can also use their practical package manager and run

apt-get install syslog-ng

Then whip up /etc/syslog-ng/syslog-ng.conf in your favourite editor and add this to the configuration.

source s_net {
udp(ip( port(514));
tcp(ip( port(51400));

The should be the IP address that you want syslog-ng to listen on, it has to be bound up to the server that runs syslog-ng.

Also add this to make syslog-ng write to a special pipe:

destination d_mysql {
template(“INSERT INTO logs (host, facility, priority, level, tag, date,
time, program, msg) VALUES ( ‘$HOST’, ‘$FACILITY’, ‘$PRIORITY’, ‘$LEVEL’,’$TAG’,
‘$YEAR-$MONTH-$DAY’, ‘$HOUR:$MIN:$SEC’, ‘$PROGRAM’, ‘$MSG’ );\n”) template-escape(yes));

And to make things that comes from s_net go to d_mysql to make the
messages from the cisco device go to mysql instead:

log {

Make a pipe that syslog-ng can write to with this command:

mkfifo /tmp/mysql.pipe

Almost ready for the Cisco configuration, just get the database up first.
Setup the MySQL database like this:

USE syslog

host varchar(32) default NULL,
facility varchar(10) default NULL,
priority varchar(10) default NULL,
level varchar(10) default NULL,
tag varchar(10) default NULL,
date date default NULL,
time time default NULL,
program varchar(15) default NULL,
msg text,
seq int(10) unsigned NOT NULL auto_increment,
KEY host (host),
KEY seq (seq),
KEY program (program),
KEY time (time),
KEY date (date),
KEY priority (priority),
KEY facility (facility)

# Also create the user, replace username and password
GRANT ALL PRIVILEGES ON syslog.* TO syslogng@localhost IDENTIFIED BY ‘mypassword’;

Run this command to pipe the queries to MySQL, preferably in a screen or make a script that can run it in the background.

mysql -u syslogng –password=mypassword syslog < /tmp/mysql.pipe

Restart the syslog-ng process now:

/etc/init.d/syslog-ng stop
/etc/init.d/syslog-ng start

Cisco Syslog Configuration
Now all you have to do on the cisco router is one simple command to make it log to the syslog database.

Router(config)# logging

This will make the Cisco Router send all logging output to the syslog-ng process on

I have made a simple PHP page that makes the syslog output more viewable, it is not very pretty – but it works.
I am sure anyone of you can improve it, if you do please send me the change and if it is generally usefull I will update the package here with your improvement and leave a credit for you in it!

You can download the package syslog-ng PHP page