Channel: Syed Jahanzaib – Personal Blog to Share Knowledge !

FREERADIUS WITH MIKROTIK – Part #20 – Enforcement of lowercase in username




Disclaimer! This is important!

Every network is different, so one solution cannot be applied to all. Therefore try to understand the logic & create your own solution as per your network scenario. Just don't follow copy-paste.

If anybody here thinks I am an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read, research & try stuff all of the time. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And, if I don't know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and always try to help others.

Regards
Syed Jahanzaib~


Scenario:

  • We have a generic FreeRADIUS Version 2.2.8 as a billing system in Ubuntu 16.04.3 LTS Server.
  • Freeradius is installed by apt-get default repository.
  • Mikrotik ver 6.43.x is being used as NAS.

Problem:

By default FreeRADIUS allows upper/lowercase in usernames, so if a user configures the username in mixed case in his dialer/router, it is logged the same way in the RADACCT table. This is not a problem by design, but we use some external bash scripts to perform various operations (sending CoA for bandwidth change on the fly, disconnection, etc.), and those scripts pick usernames from our user table, which has all lowercase; the NAS does not recognize the request for users who dialed in with uppercase letters in the username.

Task:

We would like to enforce that all usernames are entered in lowercase at the user side; if not, reject the authentication so that the policy is enforced.

Solution:

Edit dialup.conf

nano /etc/freeradius/sql/mysql/dialup.conf

and search for the following. Comment out the lines below; this is the default query pair that matches usernames case-insensitively …

# The default queries are case insensitive. (for compatibility with
# older versions of FreeRADIUS)
authorize_check_query = "SELECT id, username, attribute, value, op \
FROM ${authcheck_table} \
WHERE username = '%{SQL-User-Name}' \
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op \
FROM ${authreply_table} \
WHERE username = '%{SQL-User-Name}' \
ORDER BY id"

Now UN-COMMENT following …

# Use these for case sensitive usernames.
authorize_check_query = "SELECT id, username, attribute, value, op \
FROM ${authcheck_table} \
WHERE username = BINARY '%{SQL-User-Name}' \
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op \
FROM ${authreply_table} \
WHERE username = BINARY '%{SQL-User-Name}' \
ORDER BY id"

So after editing it would be something like the screenshot in the original post [case sensitive.PNG: the edited authorize_check_query / authorize_reply_query with BINARY].

Now restart freeradius service one time

service freeradius restart

After this, any authentication request whose username contains uppercase letters (i.e. does not byte-for-byte match the lowercase entry in the user table) will be rejected by FreeRADIUS. Use it with caution!

This is all done by default in v3…
Alan DeKok.
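As an added illustration (my own Python, not code from the post), the following emulates the two dialup.conf query variants with SQLite and lists the usernames seen in radacct that authorize today but would be rejected once the BINARY match is enabled, so they can be corrected at the user side before the policy is switched on. The sample radcheck/radacct rows are constructed; SQLite's COLLATE NOCASE stands in for MySQL's default case-insensitive collation and its default binary collation for `= BINARY`.

```python
import sqlite3

# Constructed sample data (not from the post): radcheck holds the lowercase
# usernames our billing scripts work with, radacct holds the usernames exactly
# as the NAS (Mikrotik) sent them in accounting packets.
RADCHECK_USERS = ["alice", "bob", "charlie"]
RADACCT_USERNAMES = ["alice", "Bob", "CHARLIE", "charlie", "dave"]


def build_db():
    """In-memory stand-in for the FreeRADIUS MySQL schema (only the columns used here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
                 "attribute TEXT, op TEXT, value TEXT)")
    conn.execute("CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO radcheck (username, attribute, op, value) "
                     "VALUES (?, 'Cleartext-Password', ':=', 'secret')",
                     [(u,) for u in RADCHECK_USERS])
    conn.executemany("INSERT INTO radacct (username) VALUES (?)",
                     [(u,) for u in RADACCT_USERNAMES])
    return conn


def authorize_check(conn, sql_user_name, case_sensitive):
    """Emulates dialup.conf's authorize_check_query.

    MySQL's default collation compares case-insensitively (SQLite: COLLATE NOCASE);
    'WHERE username = BINARY ...' compares bytes, which is SQLite's default collation.
    Returns the rows FreeRADIUS would get back; an empty list means Access-Reject.
    """
    where = "username = ?" if case_sensitive else "username COLLATE NOCASE = ?"
    return conn.execute(
        f"SELECT id, username, attribute, value, op FROM radcheck WHERE {where} ORDER BY id",
        (sql_user_name,)).fetchall()


def users_that_would_be_rejected(conn):
    """Usernames seen in radacct that pass today (case-insensitive) but would fail
    under BINARY matching: the accounts to fix on the user side before enforcing."""
    seen = [row[0] for row in conn.execute("SELECT DISTINCT username FROM radacct")]
    return sorted(u for u in seen
                  if authorize_check(conn, u, case_sensitive=False)
                  and not authorize_check(conn, u, case_sensitive=True))


if __name__ == "__main__":
    db = build_db()
    for user in users_that_would_be_rejected(db):
        print(f"{user!r} would be rejected once BINARY matching is enabled")
```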




DNSMASQ Short Notes to self


Dnsmasq is a lightweight, easy to configure DNS forwarder, designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale network.

Compared to `BIND`, which is a bit complex to configure for beginners, `DNSMASQ` is very easy and requires minimal configuration. This post is just a reference guide for myself.


Install DNSMASQ in Ubuntu !

sudo apt-get install dnsmasq

After this, edit the /etc/dnsmasq.conf file. I modified only the 2 options defined below:

# Specify your interface
interface=eth1
# Cache size
cache-size=10000

After every change in the config, make sure to restart DNSMASQ service.


Forwarding Queries to Upstream DNS

By default, dnsmasq forwards all requests that cannot be resolved from /etc/hosts to the upstream DNS servers defined in /etc/resolv.conf, like below:

cat /etc/resolv.conf

nameserver 8.8.8.8

Add DNS Records (static DNS entries, if required for local servers like media sharing etc.)

To add customized domain entries (effectively overriding public DNS for your LAN, a local form of DNS spoofing), add the records to the /etc/hosts file:

cat /etc/hosts

127.0.0.1 localhost

1.2.3.4 mynetwork.com


Restart DNSMASQ Service

After every change in the config, make sure to restart dnsmasq service.

service dnsmasq restart

Monitor DNS traffic

dnstop is your best friend; for full details read

http://dns.measurement-factory.com/tools/dnstop/dnstop.8.html


ACL / Secure your DNS from open resolver abuse / flooding

To allow only specific IP ranges to query your DNS server, you can use the following bash script.

We have multiple IP pools, so we keep them in a small text file and use a small bash script that reads the file and adds the iptables rules accordingly.

Sample of /temp/localip.txt (the path the script reads):

10.0.0.0/8
172.16.0.0/16
192.168.0.0/16

Now you can execute the bash script manually or add it in /etc/rc.local file to execute on every reboot.

cat /etc/fw.sh

#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Very Basic Level of Firewall to allow DNS only for some ip range
# Script by Syed Jahanzaib
# 26-SEP-2018
#set -x

# Setting various Variables

# Local IP file which contains ip/ranges (one per line)
IPFILE="/temp/localip.txt"

# Destination Port we want to restrict
DPORT="53"

# Destination Port types we want to restrict (DNS uses both udp and tcp)
DPORT_TYPE1="udp"
DPORT_TYPE2="tcp"

# Flush all previous iptables Rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allow localhost access to query DNS service
iptables -A INPUT -s 127.0.0.1 -p $DPORT_TYPE1 --dport $DPORT -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p $DPORT_TYPE2 --dport $DPORT -j ACCEPT

# LOOP - Read from localip.txt file , and apply iptables rules for both udp and tcp
for IP in $(cat "$IPFILE"); do
echo "Allowing $IP for $DPORT_TYPE1/$DPORT_TYPE2 $DPORT Server queries access ..."
iptables -A INPUT -s "$IP" -p $DPORT_TYPE1 --dport $DPORT -j ACCEPT
iptables -A INPUT -s "$IP" -p $DPORT_TYPE2 --dport $DPORT -j ACCEPT
done

# DROP all other requests going to DNS service (udp and tcp)
iptables -A INPUT -p $DPORT_TYPE1 --dport $DPORT -j DROP
iptables -A INPUT -p $DPORT_TYPE2 --dport $DPORT -j DROP

# Script ends here
# Syed Jahanzaib

Add this to /etc/rc.local so that it runs on every reboot!

Also note that if you have a large IP pool, it is better to use IPSET, which is far more efficient than one iptables rule per range.


Regards
Syed Jahanzaib
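As an added example (my own Python, not the post's fw.sh), the same allow-list idea implemented with the ipset approach recommended above for large pools. It validates every line of localip.txt before anything reaches iptables, refuses to build a ruleset from an empty list (which would otherwise silently drop every client), and only prints the commands; the set name `dns_clients` and the sample file contents are assumptions.

```python
import ipaddress

SETNAME = "dns_clients"   # assumed ipset name; not something the post defines

# Constructed sample of localip.txt (not the post's file): a comment and one bad line.
SAMPLE_LOCALIP = """\
10.0.0.0/8
172.16.0.0/16   # office pool
192.168.0.0/16
300.1.1.1
"""


def parse_allowlist(text):
    """Parse localip.txt: one IPv4 address or CIDR per line, '#' starts a comment.
    Returns (networks, rejected) so malformed lines are reported instead of being
    silently fed to iptables (which would just error out and skip them)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)   # bare host -> /32
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4:                                  # hash:net below is IPv4-only
            rejected.append(entry)
            continue
        nets.append(net)
    return nets, rejected


def build_rules(nets, port=53):
    """Emit the ipset + iptables commands equivalent to fw.sh: localhost and every
    listed prefix may reach port 53 over udp and tcp, everything else is dropped.
    One set-match rule per protocol replaces one rule per prefix, which is what
    makes ipset the better choice for large pools."""
    if not nets:
        raise ValueError("empty allow-list: refusing to build a ruleset that drops every client")
    cmds = ["iptables -F INPUT",                      # start from a clean INPUT chain, like fw.sh
            f"ipset create {SETNAME} hash:net -exist",
            f"ipset flush {SETNAME}"]
    cmds += [f"ipset add {SETNAME} {net.with_prefixlen} -exist" for net in nets]
    for proto in ("udp", "tcp"):
        cmds.append(f"iptables -A INPUT -s 127.0.0.1 -p {proto} --dport {port} -j ACCEPT")
        cmds.append(f"iptables -A INPUT -p {proto} --dport {port} "
                    f"-m set --match-set {SETNAME} src -j ACCEPT")
        cmds.append(f"iptables -A INPUT -p {proto} --dport {port} -j DROP")
    return cmds


if __name__ == "__main__":
    nets, rejected = parse_allowlist(SAMPLE_LOCALIP)
    for bad in rejected:
        print(f"# skipped invalid entry: {bad}")
    print("\n".join(build_rules(nets)))
```

Pipe the printed commands to sh on the DNS host (as root) to apply them; rerunning only refreshes the set contents.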

Tracking Account Lockout Source in Active Directory


Following are some short reference notes to myself on how to trace the source of an account lockout in an Active Directory environment. An audit policy (account management auditing) must be set on all computers and domain controllers, otherwise the lockout events will not be logged.

Scenario:

We are running two domain controllers and sometimes an account lockout issue appears at the user end. To trace which workstation is the source, we use the following methods.


1# Examine Domain Controllers Event Viewer

Open Event Viewer on the DC, go to the Security log, right-click and select Filter Current Log, type 4740 in the <All Event IDs> box and hit OK. The filtered events show the offending account and the workstation (Caller Computer Name) it was locked from.



2# Use Powershell Scripts

2a) Trace offending account/workstations using single liner PS cmd …

You can also use powershell to get event log information for account lockouts events …

Get-EventLog -ComputerName ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).FindDomainController() "Security" -InstanceID 4740 -Message "*USERNAME*" | Format-List TimeGenerated, Message

Result:

TimeGenerated : 10/2/2018 9:37:34 AM
Message : A user account was locked out.
Subject:
Security ID: S-1-5-18
Account Name: DC01$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: S-1-5-21-664357565-1371172752-1124750213-14855
Account Name: testid
Additional Information:
Caller Computer Name: UNKNOWN-PC

2b) PS script to fetch information from all DCs

Read following guide

https://silentcrash.com/2018/06/using-powershell-to-trace-the-source-of-account-lockouts-in-active-directory/

In an elevated PowerShell prompt, create a new script as below …

#script written by Alexandre Almeida
# Gets the host name(s) that caused the lockout of a user account
$username = Read-Host "Please Enter the Locked User Name: "

$DCCounter = 0
$LockedOutStats = @()

Try
{
    Import-Module ActiveDirectory -ErrorAction Stop
}
Catch
{
    Write-Warning $_
    return
}

#Get all domain controllers in domain, and the PDC emulator (every lockout is forwarded to it)
$DomainControllers = Get-ADDomainController -Filter *
$PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})

# Bad-password / lockout attributes are not replicated between DCs, so each DC is asked.
# They are not part of Get-ADUser's default property set and must be requested explicitly.
$LockoutProps = 'LastLogonDate','LockedOut','BadPwdCount','LastBadPasswordAttempt','AccountLockoutTime'

Write-Verbose "Finding the domain controllers in the domain"
Foreach($DC in $DomainControllers)
{
    $DCCounter++
    Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter/$DomainControllers.Count) * 100)
    Write-Verbose "Finding which domain controllers authenticated the password"
    Try
    {
        $UserInfo = Get-ADUser -Identity $username -Server $DC.Hostname -Properties $LockoutProps -ErrorAction Stop
        Write-Verbose "Bad Password Attempt count collected from $($DC.Hostname)"
    }
    Catch
    {
        Write-Warning "$($DC.Hostname): $_"
        Continue
    }
    If($UserInfo.LastBadPasswordAttempt)
    {
        $LockedOutStats += New-Object -TypeName PSObject -Property @{
            Name                   = $UserInfo.SamAccountName
            SID                    = $UserInfo.SID.Value
            LockedOut              = $UserInfo.LockedOut
            BadPwdCount            = $UserInfo.BadPwdCount
            LastBadPasswordAttempt = $UserInfo.LastBadPasswordAttempt
            DomainController       = $DC.Hostname
            AccountLockoutTime     = $UserInfo.AccountLockoutTime
            LastLogonDate          = $UserInfo.LastLogonDate
        }
    }#end if
}#end foreach DCs
$LockedOutStats | Format-Table -Property Name,LockedOut,DomainController,BadPwdCount,AccountLockoutTime,LastBadPasswordAttempt -AutoSize

If(-not $UserInfo)
{
    Write-Warning "User '$username' was not found on any domain controller"
    return
}

#Get the 4740 (account locked out) events from the PDC emulator
Try
{
    Write-Verbose "Querying event log on $($PDCEmulator.HostName)"
    Write-Verbose "Collecting Event Log"
    $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
}
Catch
{
    Write-Warning $_
    return
}#end catch

# 4740 event data: Properties[0] = locked account, [1] = caller computer name, [2] = account SID
Foreach($Event in $LockedOutEvents)
{
    If("$($Event.Properties[2].Value)" -eq $UserInfo.SID.Value)
    {
        $Event | Select-Object -Property @(
            @{Label = 'User'; Expression = {$_.Properties[0].Value}}
            @{Label = 'DomainController'; Expression = {$_.MachineName}}
            @{Label = 'EventId'; Expression = {$_.Id}}
            @{Label = 'LockedOutTimeStamp'; Expression = {$_.TimeCreated}}
            @{Label = 'Message'; Expression = {$_.Message -split "`r" | Select -First 1}}
            @{Label = 'LockedOutLocation'; Expression = {$_.Properties[1].Value}}
        )
    }#end if event
}#end foreach lockedout event
Write-Verbose "Lockout details collected"

echo "Cache Profile Removal Steps
1) Open Control Panel > Credential Manager > Remove all Saved Passwords.
2) Remove passwords by clicking on Start => Run => type (rundll32.exe keymgr.dll KRShowKeyMgr) without quotes and then delete the Domain-related passwords;
3) Remove passwords in Internet Explorer => Tools => Internet Options => Content => Personal Information => Auto Complete => Clear Passwords;
4) Delete cookies in Internet Explorer => Tools => Internet Options => General;
5) Disconnect (note the path before disconnecting) all network drives, reboot, then map them again;
6) Start -> Run -> type control userpasswords2 without quotes and go to Advanced -> Manage passwords and remove all the stored passwords.
7) Reconfigure your mobile settings if ActiveSync is enabled.
8) Check if any saved or scheduled task is configured for the user account

Microsoft Knowledge Base link for Cache Profile Removal Steps:

https://social.technet.microsoft.com/Forums/windows/en-US/ced8eab6-87e2-4d20-9d18-7aaf5e9713a3/windows-7-clear-cached-credentials"

Result:

PS C:\temp> .\test2.ps1
Please Enter the Locked User Name: : testid

User : testid
DomainController : DC01.MYDOMAIN
EventId : 4740
LockedOutTimeStamp : 10/2/2018 9:54:35 AM
Message : A user account was locked out.
LockedOutLocation : UNKNOWN-PC


3) More Information:

https://activedirectorypro.com/account-lockout-tool/

PAKRAD – Reseller base ISP Billing System


“PAK Radius” is a customized ISP billing system developed to cater to local market requirements. It is built on the concept of an ISP that has a reseller / franchise / dealer & sub-dealer based clientele. This system is continuously under development, and new features, enhancements and improvements are being made on a regular basis.


Workflow ….


  • Admin cannot create users directly. Admin first creates a reseller, assigns him some services with desired rates, & transfers some amount into the reseller's wallet/account,
  • Reseller cannot create users directly. Reseller first creates a dealer, assigns him some services with desired rates, & transfers some amount into the dealer's wallet/account,
  • Dealer can create his users up to the limit of his wallet/account. Dealer can also create his sub-dealers and assign them the required services and their rates.

Some major Features …


  • Dynamic , responsive & appealing web design (advance responsive PHP designing)
  • With open source code, you can modify it as per your requirements
  • Unlimited number of users / NAS support
  • Generalized information on front panel for each manager, a glance window 
  • Specially customized designed for local Internet Cable Services providers , with TO THE POINT options only, no hanky panky
  • Purely Designed as a Reseller base system, Example – Admin > Reseller > Dealer / Sub-dealer base system
  • Different services rates assignment for different re-sellers / dealers / sub-dealers
  • Each manager can view their dealer/sub-dealer billing easily. Good financial modules for tracking all sorts of transactions for dealers / sub-dealers
  • Cash base system for reseller/dealer/sub-dealer charging
  • `Get Back Cash` System to pull back cash sent to the managers
  • Dynamic day & night bandwidth configuration available , compatible with all version of mikrotik routers
  • Quota base packages configuration available
  • Prevention of user DELETE action to prevent any misuse, user can be disabled only!
  • Users unsuccessful dialing attempts for each manager
  • Users connecting devices information recorded in user table , example tplink/tenda etc
  • Reports for Package wise consumption
  • Good reporting section for Users usage reports / graphs reports / User charges reports 
  • Managers last login information
  • Email/SMS Alerts for various actions & multiple users email/sms alert example expiry / renewal / general notification sending to active users etc [currently its being done via bash scripts, but soon they will be added in GUI]
  • Strong Bug Free Back-end design, capable of connecting thousands of users in just few seconds ! 
  • Years of experiences compiled in one single package ~

Many other features have been added based on local operators' feedback to suit local market requirements!


Demo link: 



Regards
Syed Jahanzaib 

ASCII Fun with Mikrotik Terminal Banner


To edit Mikrotik Terminal Welcome Banner, Open Terminal & Issue following command,

/system note edit note

Now Design your graphics / or add texts of your choice, or paste your already copied data in this terminal window.

When done, press CTRL+O and it will save and exit.

Now open Terminal again, and this time you will see your MOTD/Banner smiling 🙂


Mikrotik Remote Access via Multiple WAN Links


I wrote about this topic a few years back, but forgot where it is now, so I am adding it again as a note to self! This solution applies to the following particular scenario.


Scenario:

We have 2 WAN links configured with policy-based routing. As we know, a Mikrotik (or any device) can have only one default route active at a time. So if we try to access the Mikrotik via the WAN2 link it will not work: when the request arrives on WAN2 and the reply tries to return to the original requester, it is always routed via WAN1 due to the default route. The remote client then receives packets from a source IP it did not initiate traffic with, so it rejects that response.

Fair enough !

To sort this out we need to mark these connections and make sure every reply packet returns via the same route it came in on.

# Mikrotik IP Firewall Mangle Section
/ip firewall mangle
# Mark connections coming in via WAN-1 link
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_incoming_conn
# Mark connections coming in via WAN-2 link
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_incoming_conn

# Add a routing mark to replies belonging to WAN-1 marked connections, so that mikrotik returns traffic via the same interface it came in on
add chain=output connection-mark=WAN1_incoming_conn action=mark-routing new-routing-mark=to_WAN1
# Add a routing mark to replies belonging to WAN-2 marked connections, so that mikrotik returns traffic via the same interface it came in on
add chain=output connection-mark=WAN2_incoming_conn action=mark-routing new-routing-mark=to_WAN2

# Finally add the appropriate routes in the ROUTE section, one default route per routing mark
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.2 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=to_WAN2 check-gateway=ping

For other scenarios, you may want to look into the prerouting chain!

Regards
Syed Jahanzaib

BASH script to monitor Cisco Switch Port Status


The following script was designed for an OP who wanted to monitor his Cisco switch port status via a Linux-based bash script.

  • Created: February, 2016
  • Revision: January, 2019

OP Requirements:

  • We need a bash script that can acquire ports status of Cisco switch using SNMP query & act accordingly based on the results, example send sms/email etc,
  • The script should first check target device network connectivity by ping, if PING NOT responding, Exit,
  • If ping OK, then check SNMP status, if SNMP NOT responding, then error report, & Exit,
  • If Ping / SNMP responds OK, then check the port status, if port status is NOT UP , then send email/sms alert 1 time until next status change.

Hardware / Software Used in this post:

  • Cisco 3750 24 Gigabit Ports Switch
  • Ubuntu 12.4 Server Edition
  • Bash Script
  • SNMP support enabled on Cisco switch to query port status using MIB names

Solution:

I made the following script, which checks PING/SNMP status and then the port status of the Cisco 3750 switch. This is just an example; you can use your own techniques to achieve the same result. It is a fully tested and working script. There are many other ways to do the same, like using an NMS app such as Nagios or The Dude, which have good GUI control so there is no need to code in the dark : )

Surely this contains too much junk or some unwanted sections, so you may want to trim it according to your taste and requirements.

Regards
Syed Jahanzaib


  1. Install SNMP MIBS

First we need to make sure that the MIBs are installed. Do so by:

sudo apt-get install -y snmp
apt-get install -y snmp-mibs-downloader
sudo download-mibs

After this , Add SNMP Mibs entry in

/etc/snmp/snmp.conf

by adding this line

mibs +ALL

Save & Exit

Now query your switch with the following command to see if snmpwalk is working …

root@Radius:/temp# snmpwalk -v1 -c wl 10.0.0.1 IF-MIB::ifOperStatus

You should see something like below if SNMP is working …

IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.17 = INTEGER: up(1)
IF-MIB::ifOperStatus.5182 = INTEGER: down(2)
IF-MIB::ifOperStatus.5183 = INTEGER: down(2)
IF-MIB::ifOperStatus.5184 = INTEGER: down(2)
IF-MIB::ifOperStatus.10601 = INTEGER: up(1)
IF-MIB::ifOperStatus.10602 = INTEGER: down(2)
IF-MIB::ifOperStatus.10603 = INTEGER: down(2)
IF-MIB::ifOperStatus.10604 = INTEGER: down(2)
IF-MIB::ifOperStatus.10605 = INTEGER: up(1)
IF-MIB::ifOperStatus.10606 = INTEGER: up(1)
IF-MIB::ifOperStatus.10607 = INTEGER: up(1)
IF-MIB::ifOperStatus.10608 = INTEGER: up(1)
IF-MIB::ifOperStatus.10609 = INTEGER: up(1)
IF-MIB::ifOperStatus.10610 = INTEGER: up(1)
IF-MIB::ifOperStatus.10611 = INTEGER: up(1)
IF-MIB::ifOperStatus.10612 = INTEGER: up(1)
IF-MIB::ifOperStatus.10613 = INTEGER: up(1)
IF-MIB::ifOperStatus.10614 = INTEGER: up(1)
IF-MIB::ifOperStatus.10615 = INTEGER: up(1)
IF-MIB::ifOperStatus.10616 = INTEGER: up(1)
IF-MIB::ifOperStatus.10617 = INTEGER: up(1)
IF-MIB::ifOperStatus.10618 = INTEGER: up(1)
IF-MIB::ifOperStatus.10619 = INTEGER: up(1)
IF-MIB::ifOperStatus.10620 = INTEGER: up(1)
IF-MIB::ifOperStatus.10621 = INTEGER: up(1)
IF-MIB::ifOperStatus.10622 = INTEGER: up(1)
IF-MIB::ifOperStatus.10623 = INTEGER: up(1)
IF-MIB::ifOperStatus.10624 = INTEGER: up(1)
IF-MIB::ifOperStatus.10625 = INTEGER: down(2)
IF-MIB::ifOperStatus.10626 = INTEGER: down(2)
IF-MIB::ifOperStatus.10627 = INTEGER: down(2)
IF-MIB::ifOperStatus.10628 = INTEGER: down(2)
IF-MIB::ifOperStatus.14501 = INTEGER: up(1)

OR getting UP/DOWN result for particular port (port 10)

snmpwalk -v1 -c wl 10.0.0.1 IF-MIB::ifOperStatus.10610 -Oqv

Output Result:

up


the Script!

  • mkdir /temp
  • cd /temp
  • touch monitor_sw_port.sh
  • chmod +x monitor_sw_port.sh
  • nano monitor_sw_port.sh

and paste following, make sure to edit all info accordingly…

#!/bin/bash
#set -x
# Script to check Cisco Switch Port Status and send alert accordingly
# It will first check PING, then SNMP Status, then PORT status & act accordingly
# Email: aacable at hotmail dot com / http : // aacable . wordpress . com
# 15-Jan-2019
HOST="$1"
PORT="$2"
SNMP="public"
DEVNAME="ZAIB_Main_Switch"
HOSTNAME=`hostname`
TEMP="temp"
COMPANY="ZAIB (Pvt) Ltd."
DATE=`date`
# GMAIL DETAILS
GMAILID="MYGMAIL@gmail.com"
GMAILPASS="GMAIL_PASS"
ADMINMAIL1="aacableAThotmail.com"
SENDMAIL="/temp/sendEmail-v1.56/sendEmail"
# SMS RELATED and KANNEL INFO
# KANNEL SMS Gateway Info
KANNELURL="127.0.0.1:13013"
KANNELID="kannel"
KANNELPASS="KANNEL_PASS"
CELL1="03333021909"
PING_ATTEMPTS="2"
# If ip parameter is missing, then inform & exit
if [ -z "$HOST" ]; then
echo "Error: IP missing, Please use this,
./monitor_sw_port.sh 10.0.0.1 10601"
exit 1
fi
# If port parameter is missing, then inform & exit
if [ -z "$PORT" ]; then
echo "Error: PORT number missing, Please use this,
./monitor_sw_port.sh 10.0.0.1 10601"
exit 1
fi
# Check if folder exists, if not create one and continue (must happen before the status files below are touched)
if [ ! -d "/$TEMP" ]; then
echo "/$TEMP folder not found, Creating it so all ping results should be saved there . . ."
mkdir /$TEMP
fi
# Status files. HOST_PORT_STATUS contains the host name only while the port is known to be DOWN;
# that marker is how the DOWN/UP alert is sent just 1 time until the next status change
HOST_PING_STATUS="/$TEMP/$HOST.$PORT.ping"
HOST_PORT_STATUS="/$TEMP/$HOST.$PORT.port"
LAST_DOWNTIME_HOLDER="/$TEMP/$HOST.$PORT.last_down.status.txt"
touch $HOST_PING_STATUS
touch $HOST_PORT_STATUS
touch $LAST_DOWNTIME_HOLDER
# Test PING to device
count=$(ping -c $PING_ATTEMPTS $HOST | awk -F, '/received/{print $2*1}')
if [ "$count" -eq 0 ]; then
echo "$HOST $DEVNAME is not responding to PING Attempts, cannot continue without it [or disable the ping check] !"
exit 1
else
echo "- PING Result : OK"
fi
# Test SNMP Result of device. The redirect always creates the file, so check that it is NON-EMPTY
# (snmpwalk prints nothing on a timeout or wrong community) rather than that it merely exists
SNMP_STATUS="/tmp/$HOST.$PORT.snmp.status.txt"
snmpwalk -v1 -c $SNMP $HOST SNMPv2-MIB::sysDescr.0 > $SNMP_STATUS 2>/dev/null
if [ ! -s "$SNMP_STATUS" ]; then
echo "- ALERT: ..... $HOST $DEVNAME is not responding to SNMP Request, Cannot continue without it ... Exit"
exit 1
else
echo "- SNMP Result : OK"
fi
# If all OK, then pull Port Description (e.g. GigabitEthernet2/0/10)
PORT_DESCRIPTION=`snmpwalk -v1 -c $SNMP $HOST IF-MIB::ifDescr.$PORT -Oqv`
### START ACTION
################################
### CHECK PORT STATUS - for UP #
################################
CHKPORT=`snmpwalk -v1 -c $SNMP $HOST IF-MIB::ifOperStatus.$PORT -Oqv`
#CHKPORT="up"
# If Port number does not exist, then inform and exit
if [ -z "$CHKPORT" ]; then
echo "ALERT: .... Port number $PORT NOT found on $HOST $DEVNAME , Please check Port Number, Exiting ..."
exit 1
fi
#########################################
# SMS/EMAIL Messages for PORT UP / DOWN #
#########################################
# Temporary file holder for PORT DOWN/UP storing sms/email
PORT_DOWN_MSG_HOLDER="/$TEMP/$HOST.$PORT.down.msg"
PORT_UP_MSG_HOLDER="/$TEMP/$HOST.$PORT.up.msg"
echo "ALERT:
$DEVNAME $HOST port $PORT $PORT_DESCRIPTION is DOWN @ $DATE
$COMPANY" > $PORT_DOWN_MSG_HOLDER
echo "INFO:
$DEVNAME $HOST port $PORT $PORT_DESCRIPTION is OK @ $DATE!
$COMPANY" > $PORT_UP_MSG_HOLDER

HOST_PORT_DOWN_ALERTONSCREEN="ALERT: .... $HOST $DEVNAME port number $PORT $PORT_DESCRIPTION is DOWN @ $DATE"
HOST_PORT_UP_ALERTONSCREEN="INFO: .... $HOST $DEVNAME port number $PORT $PORT_DESCRIPTION is OK @ $DATE"
# Check if port is UP
if [ "$CHKPORT" = "up" ]; then
echo -e "$HOST_PORT_UP_ALERTONSCREEN"
# If port is UP and its previous state was DOWN (marker present), then send UP sms/email once and clear the marker
if [ $(grep -c "$HOST" "$HOST_PORT_STATUS") -eq 1 ]; then
echo "INFO: This port was previously DOWN, and now its UP ,Sending UP SMS 1 time only"
# Sending PORT UP ALERT via EMAIL
$SENDMAIL -u "$HOST_PORT_UP_ALERTONSCREEN" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$PORT_UP_MSG_HOLDER -o message-content-type=text
# Sending PORT UP ALERT via SMS using KANNEL SMS Gateway
cat $PORT_UP_MSG_HOLDER | curl "http://$KANNELURL/cgi-bin/sendsms?username=$KANNELID&password=$KANNELPASS&to=$CELL1" -G --data-urlencode text@-
sed -i "/$HOST/d" "$HOST_PORT_STATUS"
fi
fi
##################################
### CHECK PORT STATUS - for DOWN #
##################################
if [ "$CHKPORT" = "down" ]; then
echo "$HOST_PORT_DOWN_ALERTONSCREEN"
# If the DOWN marker is already set, the alert was sent on an earlier run; do not repeat it
if [ $(grep -c "$HOST" "$HOST_PORT_STATUS") -eq 1 ]; then
echo "ALERT: ..... $HOST $DEVNAME port $PORT $PORT_DESCRIPTION is DOWN. SMS have already been sent."
fi
# First time DOWN is seen: set the marker and send the DOWN alert
if [ $(grep -c "$HOST" "$HOST_PORT_STATUS") -eq 0 ]; then
echo "ALERT: ..... $HOST $DEVNAME port $PORT $PORT_DESCRIPTION is now down! - SENDING PORT DOWN SMS ..."
echo "$HOST" > $HOST_PORT_STATUS
echo "SMS Sent FOR $HOST $DEVNAME port $PORT $PORT_DESCRIPTION DOWN have been sent only 1 time until next status change ..."
# Sending PORT DOWN ALERT via EMAIL
$SENDMAIL -u "$HOST_PORT_DOWN_ALERTONSCREEN" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$PORT_DOWN_MSG_HOLDER -o message-content-type=text
# Sending PORT DOWN ALERT via SMS using KANNEL SMS Gateway
cat $PORT_DOWN_MSG_HOLDER | curl "http://$KANNELURL/cgi-bin/sendsms?username=$KANNELID&password=$KANNELPASS&to=$CELL1" -G --data-urlencode text@-
fi
fi
####################
# SCRIPT ENDS HERE #
# SYED JAHANZAIB #
####################

Usage:

change the IP and port number.

  • /temp/monitor_sw_port.sh 10.0.0.1 10610

You can add entry in cron like this

# Check remote host port status every 5 minutes
*/5 * * * * /temp/monitor_sw_port.sh 10.0.0.1 10610

RESULT:

SMS result: [screenshot 2019-01-17 10.05.47.jpg]

Email result: [screenshot email alert on port down vlan.PNG]

# Monitoring Port # 10 , when port is DOWN ...

root@Radius:/temp# ./monitor_sw_port.sh 10.0.0.1 10610
- PING Result : OK
- SNMP Result : OK
ALERT: .... 10.0.0.1 WL_Main_Switch port nummber 10610 GigabitEthernet2/0/10 is DOWN @ Tue Jan 15 12:44:45 PKT 2019
ALERT: ..... 10.0.0.1 WL_Main_Switch port 10610 GigabitEthernet2/0/10 is DOWN. SMS have already been sent.

root@Radius:/temp# ./monitor_sw_port.sh 10.0.0.1 10610
- PING Result : OK
- SNMP Result : OK
ALERT: .... 10.0.0.1 WL_Main_Switch port nummber 10610 GigabitEthernet2/0/10 is DOWN @ Tue Jan 15 12:44:51 PKT 2019
ALERT: ..... 10.0.0.1 WL_Main_Switch port 10610 GigabitEthernet2/0/10 is DOWN. SMS have already been sent.

# Monitoring Port # 10 , when port is UP now ...
root@Radius:/temp# ./monitor_sw_port.sh 10.0.0.1 10610
- PING Result : OK
- SNMP Result : OK
INFO: .... 10.0.0.1 WL_Main_Switch port nummber 10610 GigabitEthernet2/0/10 is OK @ Tue Jan 15 12:45:01 PKT 2019
INFO: This port was previosuly DOWN, and now its UP ,Sending UP SMS 1 time only
Jan 15 12:45:11 radius sendEmail[18700]: Email was sent successfully!
0: Accepted for delivery

# Monitoring Port # 10 , when port is working UP ...
root@Radius:/temp# ./monitor_sw_port.sh 10.0.0.1 10610
- PING Result : OK
- SNMP Result : OK
INFO: .... 10.0.0.1 WL_Main_Switch port nummber 10610 GigabitEthernet2/0/10 is OK @ Tue Jan 15 12:45:12 PKT 2019
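As an added example (my own Python, not the post's script), the two pieces of logic that matter most in monitor_sw_port.sh, written so they can be tested offline: a parser for the snmpwalk ifOperStatus lines shown above, and the alert-once state machine that fires only on a DOWN or DOWN-to-UP transition. The sample snmpwalk outputs are constructed, and a temporary directory stands in for /temp; sending the actual e-mail/SMS (sendEmail, Kannel) is left to the caller as in the post.

```python
import re
import tempfile
from pathlib import Path

# Matches the snmpwalk lines shown in the post, e.g.
#   IF-MIB::ifOperStatus.10610 = INTEGER: up(1)
OPER_STATUS_RE = re.compile(r"^IF-MIB::ifOperStatus\.(\d+) = INTEGER: ([a-zA-Z]+)\((\d+)\)$")


def parse_oper_status(walk_output):
    """Return {ifIndex: status_name} from 'snmpwalk ... IF-MIB::ifOperStatus' text.
    Lines that do not match (errors, timeouts) are ignored, so a missing port is
    simply absent from the result."""
    status = {}
    for line in walk_output.splitlines():
        m = OPER_STATUS_RE.match(line.strip())
        if m:
            status[int(m.group(1))] = m.group(2).lower()
    return status


def decide_alert(previous, current):
    """Alert-once logic of monitor_sw_port.sh: DOWN is announced the first time the
    port is seen down, UP only when it recovers from DOWN; repeats are silent."""
    if current == "down" and previous != "down":
        return "DOWN"
    if current == "up" and previous == "down":
        return "UP"
    return None


class PortMonitor:
    """Keeps the last known state per host/port in a file, like /temp/<host>.<port>.port."""

    def __init__(self, state_dir, host, port):
        self.port = port
        self.state_file = Path(state_dir) / f"{host}.{port}.state"

    def _load(self):
        return self.state_file.read_text().strip() if self.state_file.exists() else None

    def check(self, walk_output):
        """Parse one snmpwalk result, update the state file, return 'DOWN', 'UP' or None.
        Raises KeyError when the ifIndex is not in the output (wrong port number)."""
        status = parse_oper_status(walk_output)
        if self.port not in status:
            raise KeyError(f"ifIndex {self.port} not found in snmpwalk output")
        alert = decide_alert(self._load(), status[self.port])
        self.state_file.write_text(status[self.port])
        return alert


# Constructed snmpwalk outputs (not captured from a real switch) for four cron runs:
# port 10610 is down twice, then comes back up and stays up.
RUNS = [
    "IF-MIB::ifOperStatus.10609 = INTEGER: up(1)\nIF-MIB::ifOperStatus.10610 = INTEGER: down(2)\n",
    "IF-MIB::ifOperStatus.10609 = INTEGER: up(1)\nIF-MIB::ifOperStatus.10610 = INTEGER: down(2)\n",
    "IF-MIB::ifOperStatus.10609 = INTEGER: up(1)\nIF-MIB::ifOperStatus.10610 = INTEGER: up(1)\n",
    "IF-MIB::ifOperStatus.10609 = INTEGER: up(1)\nIF-MIB::ifOperStatus.10610 = INTEGER: up(1)\n",
]


def run_demo():
    """Replays RUNS through a fresh PortMonitor; returns the alert decided for each run."""
    with tempfile.TemporaryDirectory() as state_dir:
        monitor = PortMonitor(state_dir, "10.0.0.1", 10610)
        return [monitor.check(output) for output in RUNS]


if __name__ == "__main__":
    print(run_demo())   # ['DOWN', None, 'UP', None]
```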

Forced routing of selective emails to ISP SMTP via Mikrotik Routing



Scenario:

We have a LAN environment with our own email server [IBM Lotus Domino] hosted locally. Mikrotik router is acting as our gateway router with /29 public pool & port forwarding from mikrotik public ip to email server is configured. Barracuda Antispam gateway is in place as well.

Problem & Challenges :

Sometimes a few email servers on the internet do not accept our emails: they either bounce them back or silently drop them, despite our public IP not being listed on any blacklist on the internet [it happens commonly with Microsoft-hosted email servers, which silently drop our emails without giving any reason]. If we use our ISP's SMTP as relay in the Domino configuration, the emails are delivered to those particular servers without problem. But we cannot use the ISP SMTP for routing/relaying all emails, as they have a per-day sending limit and we do not get proper reports for delivered or held emails.

Another BIG problem is that sometimes the ISP's SMTP server IP gets banned / added to Spamhaus or a similar spam blacklist database, and when this happens 80-90% of emails bounce back.

So we needed a solution where we do not use the ISP SMTP relay all the time, but only mail for particular destination email servers is routed to the ISP SMTP, and it should all be controlled dynamically/centrally by our Mikrotik RouterOS.


Solution:

First create an address list containing the IP addresses (or DNS names) of the remote email servers that do not accept our emails directly:

/ip firewall address-list
add address=smtp.remotemail.server.com comment="remote company mail server X IP" list=few_mails_routing_2_primary_ISP_smtp

Now, using a NAT rule, we forcefully redirect all email traffic [TCP port 25] going to the above address list to the ISP SMTP, with the rule below …

# 1.2.3.4 is the ISP SMTP IP

/ip firewall nat
add action=dst-nat chain=dstnat comment="Few Mails Routing 2 primary ISP smtp" dst-address-list=few_mails_routing_2_primary_ISP_smtp dst-port=25 protocol=tcp to-addresses=1.2.3.4 to-ports=25

It’s done.

BUT the next challenge is to cope with the ISP changing its SMTP IP address for whatever reason, so we need to schedule a script that keeps checking the ISP SMTP IP by resolving it via Google DNS and updates the ISP SMTP IP in the NAT rule. [As far as I know we cannot put a DNS name in the TO-ADDRESSES field, which is why putting an IP is necessary, and updating it dynamically is also essential to avoid bounced email due to blacklisting of the ISP's old SMTP IP.]

The script (or rather, the workaround I suggest for this very particular problem):

# Mikrotik routerOS script to resolve ISP SMTP, and add it to variables & in NAT rules
# Useful in scenario where ISP changes its smtp IP frequently (to avoid SMTP Blacklisting)
# Script by Syed Jahanzaib / aacable at hotmail dot com / https : // aacable . wordpress . com
# 31-January-2019

# Find the NAT rule with the following comment (must match the comment of the dst-nat rule above exactly)
:local COMMENT "Few Mails Routing 2 primary ISP smtp";
# DNS Name of SMTP for resolving
:local ISP1SMTPDNSNAME "smtp.isp1.net.pk";
# Which DNS server to be used for resolving
:local DNSSERVER "8.8.8.8";
# Default IP of SMTP Server, so that if resolving cannot be done for what so ever reason, set this IP as DEFAULT SMTP
:local DEFAULTSMTP "1.2.3.4";
# Destination port that need to be redirected
:local DSTPORT "25";

# Set global variables to store for ISP SMTP & its last resolved status
:global ISP1ACTIVEIP4SMTP;
:global ISP1SMTPLASTRESOLVERESULT;

# Try to resolve; on any error (DNS server unreachable, name not found) RESOLVED stays empty
:local RESOLVED "";
:do { :set RESOLVED [:resolve server=$DNSSERVER $ISP1SMTPDNSNAME]; } on-error={ :set RESOLVED ""; }

# If resolving failed, fall back to DEFAULTSMTP, otherwise use the resolved IP; the NAT rule is updated either way
:if ([:tostr $RESOLVED] = "") do={
:set ISP1ACTIVEIP4SMTP $DEFAULTSMTP;
:set ISP1SMTPLASTRESOLVERESULT "FAILED";
:log error "$ISP1SMTPDNSNAME resolved result: FAILED ! using default $DEFAULTSMTP";
} else={
:set ISP1ACTIVEIP4SMTP $RESOLVED;
:set ISP1SMTPLASTRESOLVERESULT "SUCCESS";
:log warning "$ISP1SMTPDNSNAME resolved result: SUCCESS ($RESOLVED)";
}
/ip firewall nat set [find comment="$COMMENT"] to-addresses=$ISP1ACTIVEIP4SMTP to-ports=$DSTPORT

Note that DNS names can be used directly in the remote mail servers address list (RouterOS resolves them dynamically); only the NAT rule’s to-addresses field needs a plain IP, which is why the script above keeps it updated.
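The blacklisting problem that motivated this whole setup is worth checking on its own: once the NAT rule points at a relay IP, you want to know whether that IP is currently listed. Below is an added Python check, not part of the original post, that builds the reversed-octet DNSBL query name and interprets the 127.0.0.x answer. The resolver is a parameter so the logic runs offline against a constructed answer table; 1.2.3.4 is the post’s placeholder relay IP, and the code meanings are the published Spamhaus ZEN return codes (other zones document their own).

```python
import ipaddress
import socket

# Constructed lookup table standing in for real DNS answers (offline demo only).
# Key: the DNSBL query name, value: the A record a DNSBL returns when listed.
# 1.2.3.4 is the placeholder ISP SMTP IP used in the post above.
SAMPLE_ANSWERS = {
    "4.3.2.1.zen.spamhaus.org": "127.0.0.2",          # listed in SBL
    "4.3.2.1.bl.example.invalid": "127.255.255.254",  # zone refused the query
}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not an IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def describe_answer(answer):
    """Explain a DNSBL A-record answer. The 127.0.0.x meanings below are the
    ones published for Spamhaus ZEN; other zones document their own codes."""
    octets = [int(o) for o in answer.split(".")]
    if octets[0] != 127:
        return "not a DNSBL answer"
    if octets[1:3] == [255, 255]:
        return "query error (not a listing)"
    if octets[:3] == [127, 0, 0]:
        last = octets[3]
        if last == 2:
            return "SBL (spam source)"
        if last == 3:
            return "SBL CSS"
        if 4 <= last <= 7:
            return "XBL (exploited or compromised host)"
        if last in (10, 11):
            return "PBL (policy: range should not send mail directly)"
    return "listed (code not in table)"


def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Query one DNSBL zone. `resolve` must return an A record as a string or
    raise socket.gaierror when the name does not exist (NXDOMAIN = not listed)."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return {"zone": zone, "query": name, "listed": False, "answer": None, "meaning": "not listed"}
    meaning = describe_answer(answer)
    listed = answer.startswith("127.") and not meaning.startswith("query error")
    return {"zone": zone, "query": name, "listed": listed, "answer": answer, "meaning": meaning}


def check_relay(ip, zones, resolve=socket.gethostbyname):
    """Return the zones on which the relay IP is listed; an empty list means clean."""
    return [r["zone"] for r in (check_dnsbl(ip, z, resolve) for z in zones) if r["listed"]]


def table_resolver(table):
    """Build an offline resolver from a dict, behaving like socket.gethostbyname."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror(-2, "Name or service not known")
        return table[name]
    return resolve


if __name__ == "__main__":
    offline = table_resolver(SAMPLE_ANSWERS)
    for zone in ("zen.spamhaus.org", "bl.example.invalid", "b.barracudacentral.org"):
        print(check_dnsbl("1.2.3.4", zone, resolve=offline))
    print("listed on:", check_relay("1.2.3.4", ["zen.spamhaus.org", "b.barracudacentral.org"], offline))
```

Run it with the default resolver (drop the `resolve=` argument) against the IP your NAT rule currently points to; a 127.255.255.x answer means the zone rejected the query (for example because it was sent through a public resolver), so treat it as "unknown", not "clean".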


Regard’s
SYED JAHANZAIB

Unable to access Windows 2003 shared folder from Windows 10



We have some folders shared on an old Windows 2003 box; while trying to access them from a Windows 10 workstation, we are seeing the following error …

[Screenshot: Windows 2003 share access error seen on Windows 10]

In Windows 10 Fall Creators Update and Windows Server, version 1709 (RS3) and later versions, the Server Message Block version 1 (SMBv1) network protocol is no longer installed by default, because the protocol is old and insecure. To enable it, start PowerShell in privileged mode (run as administrator) on your Windows 10 workstation.

First get the status of SMB1Protocol

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Probably it will be in the Disabled state; change it to Enabled using the following cmd,

Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Afterwards it may ask you to reboot the machine; do so, so that the changes take effect.

Status after enabling SMB1Protocol

PS C:\> Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

FeatureName : SMB1Protocol
DisplayName : SMB 1.0/CIFS File Sharing Support
Description : Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol.
RestartRequired : Possible
State : Enabled
CustomProperties :
ServerComponent\Description : Support for the SMB 1.0/CIFS file sharing protocol, and the Computer
Browser protocol.
ServerComponent\DisplayName : SMB 1.0/CIFS File Sharing Support
ServerComponent\Id : 487 
ServerComponent\Type : Feature
ServerComponent\UniqueName : FS-SMB1
ServerComponent\Deploys\Update\Name : SMB1Protocol

Now try to access the Windows 2003 shared folder & hopefully it will work fine.

Regard’s
Syed Jahanzaib

Barracuda Email Security Gateway – Short Notes


We are running our own email server hosted locally using IBM Lotus Domino Server. Last year we acquired Barracuda Email Security Gateway hardware device (BSFI300a) to filter spam/junk emails. Its acquisition cost (in March-2018) was around 6000 USD along with 1 Year Total Protection Plus & 1 Year IR (instant replacement). Hardware quality is enterprise grade & we haven’t encountered any failure so far.

Barracuda usage in our organization ~

For some reasons we are using this device to filter incoming emails only. Outgoing emails are delivered to the recipient directly from our Domino through the main gateway router (bypassing Barracuda). This was done for better tracking of sent emails, as Domino provides a more detailed log compared to Barracuda. But we recommend using any antispam device/app as the centralized gateway for both incoming & outgoing email transactions.

Barracuda effectiveness in filtering Spam ~

If we talk on a percentage basis, it is blocking spam up to 95-97% effectively. We review its message logs and report uncaught spam to Barracuda Central, & we usually never receive such email from that host again, so I suppose their monitoring team is reviewing the submissions actively.

Past experience with Symantec SMSDOM ~

Before this we were using Symantec Mail Security for Domino (a Domino-based application) for about 10 years, but it got discontinued & declared EOL. SMSDOM filtering was not very effective & was a constant headache for us.

Some Snapshots …

[Screenshots: Barracuda 300 dashboard, parts 1-3]


Tip’s & Common Usage

Following are few short notes for reference purposes. First Login to Barracuda with admin account,

Device Web Management Port

  • 34000

View Messages LOG

Goto Basic > Message Log

SMTP Banner / Attachment Size Limit / SFP,Helo,Ehlo settings

Goto  ADVANCED > Email Protocol

Ping/Dig/Telnet Test / View LIVE Mail process Log

Goto  ADVANCED > Troubleshooting

Firmware Update

Goto ADVANCED > Firmware Update

IP + DNS configuration / Destination Mail Server / Barracuda Hostname Page

Goto Basic > IP Configuration

Password Change / Log Management / System Management like reset logs,restart,shutdown

Goto Basic > IP Configuration > Administration

Allow/Block Domain

Goto BASIC > BLOCK/ACCEPT > Sender Filters

Block specific extensions

Goto BASIC > BLOCK/ACCEPT > Attachment Filters

Check Queued emails

Goto Advanced > Queue Management

Device Backup/Restore/Scheduled

Goto Advanced > Backups

NTP configuration

Goto Advanced > Advanced Networking

Will keep adding more information as explored or requested.


General Tips for better email acceptance at internet

Following are general tips every email administrator must follow to avoid their email being rejected at different internet hosts.

  • Make sure your ISP has a reverse DNS entry for your email server IP. For example, if you have acquired a public IP from the ISP, ask them to create a reverse DNS / PTR record for this IP that resolves to your mail server’s hostname
  • The SMTP welcome banner should be your email server FQDN
  • Make sure you have a valid SPF record to avoid spoofing of your domain name by spammers; Gmail highly recommends it as well.
  • Adding DKIM/DMARC for your domain name is a good addition.
  • Try using your ISP SMTP as a relay as the first line.
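To check your own domain’s SPF record against the points in the list above, here is an added Python example (not from the original post) that parses an SPF TXT record offline: it picks the single v=spf1 record out of a domain’s TXT records, counts the DNS-lookup terms against the limit of 10 from RFC 7208, and flags a "+all" or missing "all" term. The sample records are constructed; fetching the TXT records from DNS is left to the caller.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # each costs the receiver a DNS lookup
MAX_LOOKUPS = 10                                         # RFC 7208 section 4.6.4


def select_spf(txt_records):
    """Pick the SPF record out of a domain's TXT records.
    Exactly one v=spf1 record is allowed; zero or several is an error (permerror)."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None, f"expected exactly one v=spf1 record, found {len(spf)}"
    return spf[0], None


def parse_spf(record):
    """Split one SPF record into terms and return lookup count, 'all' qualifier and warnings."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "mechanisms": [], "lookups": 0, "all": None,
                "warnings": ["record does not start with v=spf1"]}
    mechanisms, lookups, all_qualifier, warnings = [], 0, None, []
    for term in terms[1:]:
        head = term.split(":", 1)[0]
        if "=" in head:
            # modifier (redirect=, exp=); redirect costs a lookup just like include
            name, value = term.split("=", 1)
            if name.lower() == "redirect":
                lookups += 1
            mechanisms.append(("", name.lower(), value))
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()   # "a/24" and "mx/24" carry a prefix length
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
        mechanisms.append((qualifier, name, arg))
    if all_qualifier is None:
        warnings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        warnings.append("'+all' allows any host on the internet to send as this domain")
    elif all_qualifier == "?":
        warnings.append("'?all' is neutral and gives receivers nothing to act on")
    if lookups > MAX_LOOKUPS:
        warnings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    if any(m[1] == "ptr" for m in mechanisms):
        warnings.append("'ptr' mechanism is deprecated and slow for receivers")
    return {"valid": True, "mechanisms": mechanisms, "lookups": lookups,
            "all": all_qualifier, "warnings": warnings}


# Constructed TXT records for a fictional domain (not real DNS data)
SAMPLE_TXT = [
    "google-site-verification=abc123",
    "v=spf1 ip4:203.0.113.10 mx include:_spf.example.net -all",
]

if __name__ == "__main__":
    record, err = select_spf(SAMPLE_TXT)
    print(err or parse_spf(record))
    print(parse_spf("v=spf1 +all")["warnings"])
```

The parser only inspects the record you hand it; a complete audit also fetches each include: target and counts its lookups, since the 10-lookup limit applies to the whole chain.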

Regard’s
Syed Jahanzaib

 

Mikrotik with Freeradius/mySQL # Part-21 – Weird Trigger for Duplicate Users



Scenario:

  • We have DMASOFTLAB radius manager installed as a billing system in Ubuntu 12.04 server
  • Mikrotik version 6.4x.x is acting as Hotspot NAS and connected with radius for AAA

Requirement: [A weird one, really]

As the operator demanded:

“We are running Hotspot on Mikrotik, & the client logs in to the hotspot using his mobile/laptop. If a logged-in client leaves his primary location without logging out & moves to another location, & if he tries to login from another device, his request gets denied because of the single user limit. We increased it to 2 by using the SIM-USE=2 directive in the user properties; it allows a second session to login, but both sessions can use the bandwidth, therefore we want that once the second session is established its old first live session should get kicked. If it was a single Hotspot we could have used the script on LOGIN, but there are several NAS spread across various locations using a single radius.”

If the user used the same device then we could have used the following unlang block, which closes the stale session of the same calling station in radacct:

if (User-Name) {
    if ("%{sql:UPDATE radacct SET AcctStopTime=ADDDATE(AcctStartTime, INTERVAL AcctSessionTime SECOND), AcctTerminateCause='Clear-Stale Session' WHERE UserName='%{User-Name}' AND CallingStationId='%{Calling-Station-Id}' AND AcctStopTime IS NULL}") {
    }
}

but things are different in hotspot as I have observed: if the devices are different then it gives us an “already logged-in” error; if we use sim-use=2 then the second device can login, but the old session also stays alive and both IDs suck the bandwidth at the same time.

Also, using idle-timeout or keep-alive timeout is the simplest way to achieve this, but for some weird reasons and to avoid long arguments due to accent issues, I made one customized solution for the operator.


Solution:

Login to mysql with root

mysql -uroot -pXXXX

and switch to radius database

use radius;

Now create a new table that will hold the duplicate user records

MYSQL Table to hold duplicate users list


--
-- Table structure for table `rm_dupusers`
--

DROP TABLE IF EXISTS `rm_dupusers`;
CREATE TABLE `rm_dupusers` (
  `dupid` int(9) NOT NULL AUTO_INCREMENT,
  `datetime` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `username` varchar(64) NOT NULL,
  `ip` varchar(16) NOT NULL,
  `nas` varchar(16) NOT NULL,
  `comments` varchar(64) DEFAULT NULL,
  PRIMARY KEY (`dupid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

MYSQL TRIGGER to check duplicate users sessions

Now we will create a new trigger that is executed whenever a record is inserted into radacct. It checks for an existing open session of the same user, and if one is found, it adds that session’s details to the rm_dupusers table.

DROP TRIGGER IF EXISTS chk_dup_user;
DELIMITER ;;
CREATE DEFINER=`root`@`localhost` TRIGGER `chk_dup_user` BEFORE INSERT ON `radacct` FOR EACH ROW
BEGIN
  -- count sessions of this user that are still open (no stop time yet)
  SET @dupuserchk = (SELECT COUNT(*) FROM radacct WHERE username = NEW.username AND acctstoptime IS NULL);
  IF (@dupuserchk = 1) THEN
    -- exactly one old open session exists: record it so the poller script can kick it
    SELECT username, framedipaddress, nasipaddress INTO @dupusername, @dupuserip, @dupusernas
      FROM radacct WHERE username = NEW.username AND acctstoptime IS NULL LIMIT 1;
    INSERT INTO rm_dupusers (username, ip, nas, comments)
      VALUES (@dupusername, @dupuserip, @dupusernas, 'Duplicate User');
  END IF;
END;;
DELIMITER ;

MySQL part is done.

Now we will create a BASH script that will be scheduled to run every minute.

BASH script !

Create the bash script in the desired folder; in this example I am using the /temp folder as default

mkdir /temp
touch /temp/kickdupuser.sh
chmod +x /temp/kickdupuser.sh
nano /temp/kickdupuser.sh

& paste the following; make sure to modify the credentials

#!/bin/bash
#set -x
# Following script is made specifically for Dmasoftlab radius manager 4.1.x
# When any new user logs in, the trigger on radacct records the already existing session of the same user;
# this script reads those records and kicks the previous session. It is scheduled to run every minute.
# Created: 25-MARCH-2019
# Tested on Ubuntu OS Only
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
#################
# CHANGE these
HOSTNAME=$(hostname)
SQLID="root"
SQLPASS="XXXXXX"
NAS_COA_PORT="1700"
DB="radius"
SRV="mysql"
DUP_TABLE="rm_dupusers"
INT="1"
RADCLIENT="/usr/local/bin/radclient"
#################
# DATE TIME FUNCTIONS
currenttime=$(date +%H:%M:%S)
# Add script start execution entry in the /var/log/syslog to see if the script got executed or not
logger "Duplicate User poller script Started @ $currenttime by the CRON scheduler ... Powered by SYED.JAHANZAIB"
echo "- Script Start Time - $currenttime"
echo "- Checking Duplicate Users in $DUP_TABLE table ..."
# Pass the password via the environment instead of -p so it does not show up in the process list
export MYSQL_PWD=$SQLPASS
CMD="mysql -u$SQLID --skip-column-names -s -e"
# Temp file which will hold the duplicate users pulled from the table
TMPUSRINFO=/tmp/userpass.txt
TEMP="/temp"

# Checking if /temp folder is previously present or not . . .
if [ ! -d "$TEMP" ]; then
  echo
  echo "- INFO: $TEMP folder not found, Creating it now to store logs ..."
  mkdir "$TEMP"
else
  echo "- INFO: $TEMP folder is already present to store logs."
  echo
fi

DUP_LIST_FILE="$TEMP/duplicate_users_list.txt"
> "$TMPUSRINFO"

# KANNEL DETAILS (not used below; kept for SMS alerting if you add it)
KHOST="127.0.0.1:13013"
KID="kannel"
KPASS="KANNEL_PASSWORD"

IPADD=$(ip route get 1 | awk '{print $NF;exit}')
SRVSTATUS=$(service "$SRV" status | grep -c running)
if [ "$SRVSTATUS" -ne 1 ]; then
  echo "- ALERT: $HOSTNAME - $IPADD - $SRV NOT RESPONDING CHECK - $currenttime . Exiting ..."
  logger "- ALERT: $HOSTNAME - $IPADD - $SRV NOT RESPONDING CHECK - $currenttime . Exiting ..."
  exit 1
else
  echo "- INFO: $SRV service is accessible. Proceeding further ... OK"
fi

# Check if the table exists; there is no point in continuing without it
if [ "$($CMD "select count(*) from information_schema.tables where table_schema='$DB' and table_name='$DUP_TABLE';")" -eq 1 ]; then
  echo "- INFO: $DUP_TABLE Table exists ..."
else
  echo "- WARNING: $DUP_TABLE Table does not exist. Exiting ..."
  exit 1
fi
##########
# Enable the following line so that it updates all users' simultaneous-use to '2' so that two sessions can be established
# UPDATE  radius.radcheck SET value = '2' where Attribute = 'Simultaneous-Use';
##########
# pull the duplicate user records added by the trigger within the last $INT minute(s)
$CMD "use $DB; select username,ip,nas from $DUP_TABLE WHERE datetime >= NOW() - INTERVAL $INT MINUTE;" >> "$TMPUSRINFO"
if [ ! -s "$TMPUSRINFO" ]; then
  endtime=$(date +%H:%M:%S)
  echo "
- INFO: No Duplicate User found in DMA RADIUS MANAGER TABLE '$DUP_TABLE' , Sending EXIT signals ...

- Script Ends Here...
- EXITING peacefully...
- Script End Time - $endtime
"
  rm -f "$TMPUSRINFO"
  exit 0
fi

# Loop over each duplicate record: username, old session IP, NAS IP
num=0
cat "$TMPUSRINFO" | while read -r users
do
  num=$((num+1))
  username=$(echo "$users" | awk '{print $1}')
  USER_IP=$(echo "$users" | awk '{print $2}')
  NAS_IP=$(echo "$users" | awk '{print $3}')
  ACCTSESID=$($CMD "use $DB; select acctsessionid from radacct where framedipaddress ='$USER_IP' AND acctstoptime is NULL;")
  NAS_SECRET=$($CMD "use $DB; select secret from nas where nasname = '$NAS_IP' ;")

  # Print info on screen & append it to the log file
  echo "Duplicate User Found: USER: $username , IP: $USER_IP, ID: $ACCTSESID, NAS: $NAS_IP @ $currenttime ... KICKING him now ..."
  echo "Duplicate User Found: USER: $username , IP: $USER_IP, ID: $ACCTSESID, NAS: $NAS_IP @ $currenttime ... KICKING him now ..." >> "$DUP_LIST_FILE"
  #echo User-Name=$USERNAME,Acct-Session-Id=$ACCTSESID,Framed-IP-Address=$USER_IP,Mikrotik-Rate-Limit=\"$DN_BWPKG\" | $RADCLIENT -q -c 1 $NAS_IP:$NAS_COA_PORT coa $NAS_SECRET
  # for hotspot, send a Disconnect-Request for the old session's IP
  echo "Framed-IP-Address=$USER_IP" | "$RADCLIENT" -x -c 1 "$NAS_IP:$NAS_COA_PORT" disconnect "$NAS_SECRET"
done
# once done, delete the tmp file to clear the garbage
rm -f "$TMPUSRINFO"

CRON scheduler to run the above script every minute. Edit the crontab with

crontab -e

& add the following entry

* * * * * /temp/kickdupuser.sh >/dev/null 2>&1
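The trigger plus poller above implement one rule: when a user has more than one open accounting session, keep the newest and disconnect the rest. The following Python example is added here and is not part of the original post; it reproduces that rule over a constructed in-memory SQLite copy of the radacct columns involved (acctsessionid, username, framedipaddress, nasipaddress, acctstarttime, acctstoptime), so the logic can be tested without a live radius database, and it builds the attribute line the bash script feeds to radclient for each stale session.

```python
import sqlite3

# Constructed sample rows in the shape of the radacct columns this logic needs (not real accounting data).
# "test" has two open sessions (the situation the post describes), "alice" has one open and one closed.
SAMPLE_RADACCT = [
    # acctsessionid, username, framedipaddress, nasipaddress, acctstarttime, acctstoptime
    ("81d00056", "test",  "172.16.0.253", "10.0.0.1", "2019-03-25 10:40:00", None),
    ("81d00057", "test",  "172.16.0.99",  "10.0.0.2", "2019-03-25 10:52:00", None),
    ("81d00058", "alice", "172.16.0.10",  "10.0.0.1", "2019-03-25 09:00:00", "2019-03-25 09:30:00"),
    ("81d00059", "alice", "172.16.0.11",  "10.0.0.1", "2019-03-25 10:00:00", None),
]


def build_sample_db():
    """In-memory stand-in for the radius database holding only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        acctsessionid TEXT, username TEXT, framedipaddress TEXT,
        nasipaddress TEXT, acctstarttime TEXT, acctstoptime TEXT)""")
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?)", SAMPLE_RADACCT)
    conn.commit()
    return conn


def open_sessions(conn, username):
    """All sessions of a user with no stop time yet, oldest first
    (the same 'acctstoptime IS NULL' condition the trigger uses)."""
    return conn.execute(
        "SELECT acctsessionid, framedipaddress, nasipaddress, acctstarttime "
        "FROM radacct WHERE username = ? AND acctstoptime IS NULL "
        "ORDER BY acctstarttime", (username,)).fetchall()


def stale_sessions(conn, username):
    """Sessions to kick: every open session except the newest one."""
    return open_sessions(conn, username)[:-1]


def duplicate_users(conn):
    """Usernames that currently have more than one open session."""
    return [r[0] for r in conn.execute(
        "SELECT username FROM radacct WHERE acctstoptime IS NULL "
        "GROUP BY username HAVING COUNT(*) > 1 ORDER BY username")]


def disconnect_request(session):
    """NAS address and the radclient attribute line for a Disconnect-Request.
    The bash script sends Framed-IP-Address only; Acct-Session-Id is added here
    as a second RFC 5176 session identification attribute so the request names one exact session."""
    sid, ip, nas, _ = session
    return nas, f"Framed-IP-Address={ip},Acct-Session-Id={sid}"


def plan_disconnects(conn):
    """Return (username, nas, attribute line) for every stale session in the database."""
    plan = []
    for user in duplicate_users(conn):
        for session in stale_sessions(conn, user):
            nas, attrs = disconnect_request(session)
            plan.append((user, nas, attrs))
    return plan


if __name__ == "__main__":
    db = build_sample_db()
    for user, nas, attrs in plan_disconnects(db):
        # the real poller pipes this line into: radclient -x -c 1 <nas>:1700 disconnect <secret>
        print(f"kick {user}: echo '{attrs}' | radclient {nas}:1700 disconnect")
```

The ORDER BY acctstarttime is what decides which session survives; the page’s trigger relies instead on the insert order (the old session is the one already present when the new one is inserted), which gives the same answer as long as the NAS clocks and accounting starts arrive in order.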

Testing …

Using the same credentials, login on the first device, and then on the second,

& run this script:

root@radius:/temp# /temp/kickdupuser.sh
- Script Start Time - 10:52:03
- Checking Duplicate Users in rm_dupusers table ...
- INFO: /temp folder is already present to store logs.
- INFO: mysql service is accessible. Proceeding further ... OK
- INFO: rm_dupusers Table exists ...
Duplicate User Found: USER: test , IP: 172.16.0.253, ID: 81d00057, : +IP @ 10:52:03 ... KICKING him now ...
Sending Disconnect-Request of id 58 to 10.0.0.1 port 1700
Framed-IP-Address = 172.16.0.253
rad_recv: Disconnect-ACK packet from host 10.0.0.1 port 1700, id=58, length=32
NAS-Identifier = "ZAIB_CCR_GW"
root@radius:/temp#

The older session will be removed:

[Screenshot: radclient disconnecting the first user]


Weird … but it’s fun to learn!

Regard’s
Syed Jahanzaib

Troubleshooting Locked-out Domain Account with Netlogon Debugging


We are using Windows 2016 based Active Directory Domain Controllers (2 of them) in our organization & have configured [PowerShell based scripts] email alerts on any account lockout, which occurs after 3 incorrect login attempts. We have also enabled auditing of failed/successful logins under group policy.

Since yesterday I was receiving frequent email alerts for the lockout of a user account which is used on four different Oracle servers, & the headache was that the event had no CALLING COMPUTER name; I tried various tools to track the culprit but failed. Tested all services / task schedulers / saved credentials but no use. I also tried TCPVIEW on all four servers but did not find any unusual activity.

Security ID: S-1-5-18
Account Name: DC01$
Account Domain: MYDOMAIN
Logon ID: 0x3e7

Account That Was Locked Out:
Security ID: S-1-5-21-664357565-1371172752-1124750213-14679
Account Name: USERX

Additional Information:
Caller Computer Name: .

[Screenshot: repeated account lockout events]


First let’s see the possible causes of an account lockout …

  • Mapped drives using old credentials
  • Systems using old cached credentials
  • Applications using old credentials
  • Windows Services using expired credentials
  • Scheduled Tasks
  • Persistent drive mappings
  • Mobile devices using domain services like Exchange mailbox
  • Service Accounts using cached passwords
  • Programs using stored credentials
  • Misconfigured domain policy settings issues
  • Disconnected Terminal Server sessions
  • Active Directory delayed or failed replication

I sorted it out by first enabling NETLOGON debug logging on both Domain Controllers, and then examining both logs side by side closely for an hour using WinTail.

Finally I collected the following entries …

03/29 09:52:57 [LOGON] [5076] MYDOMAIN: SamLogon: Transitive Network logon of (null)\VMWARE from (via MYADMINPC) Entered
03/29 09:52:57 [LOGON] [5076] MYDOMAIN: SamLogon: Transitive Network logon of (null)\VMWARE from (via MYADMINPC) Returns 0xC0000064
03/29 09:52:57 [LOGON] [5076] MYDOMAIN: SamLogon: Transitive Network logon of (null)\PRAXIS from (via MYADMINPC) Entered
03/29 09:52:57 [LOGON] [5076] MYDOMAIN: SamLogon: Transitive Network logon of (null)\PRAXIS from (via MYADMINPC) Returns 0xC0000064
03/29 09:53:01 [LOGON] [5076] MYDOMAIN: SamLogon: Transitive Network logon of (null)\NAS from (via MYADMINPC) Entered
03/29 09:53:01 [LOGON] [5076] MYDOMAIN: SamLogon: Transitive Network logon of (null)\NAS from (via MYADMINPC) Returns 0xC0000064
03/29 09:53:01 [LOGON] [2136] MYDOMAIN: SamLogon: Transitive Network logon of (null)\VEEAMSERVER from (via MYADMINPC) Entered
03/29 09:53:01 [LOGON] [2136] MYDOMAIN: SamLogon: Transitive Network logon of (null)\VEEAMSERVER from (via MYADMINPC) Returns 0xC0000064
03/29 09:53:10 [LOGON] [4796] MYDOMAIN: SamLogon: Transitive Network logon of (null)\LENOVO from (via MYADMINPC) Entered
03/29 09:53:10 [LOGON] [4796] MYDOMAIN: NlPickDomainWithAccount: LENOVO: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
03/29 09:53:14 [LOGON] [2136] MYDOMAIN: SamLogon: Transitive Network logon of (null)\DBADMIN from (via MYADMINPC) Entered
03/29 09:53:14 [LOGON] [2136] MYDOMAIN: NlPickDomainWithAccount: DBADMIN: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
03/29 09:53:14 [LOGON] [2136] MYDOMAIN: SamLogon: Transitive Network logon of (null)\DBADMIN from (via MYADMINPC) Returns 0xC0000064
03/29 09:53:16 [LOGON] [4796] MYDOMAIN: SamLogon: Transitive Network logon of (null)\HARDADMIN from (via MYADMINPC) Entered
03/29 09:53:16 [LOGON] [4796] MYDOMAIN: NlPickDomainWithAccount: HARDADMIN: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
03/29 09:53:16 [LOGON] [4796] MYDOMAIN: SamLogon: Transitive Network logon of (null)\HARDADMIN from (via MYADMINPC) Returns 0xC0000064
03/29 09:53:19 [LOGON] [4796] MYDOMAIN: SamLogon: Transitive Network logon of (null)\ADMIN01 from (via MYADMINPC) Entered
03/29 09:53:19 [LOGON] [4796] MYDOMAIN: NlPickDomainWithAccount: ADMIN01: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
03/29 09:53:19 [LOGON] [4796] MYDOMAIN: SamLogon: Transitive Network logon of (null)\ADMIN01 from (via MYADMINPC) Returns 0xC0000064
03/29 09:53:19 [LOGON] [4796] MYDOMAIN: SamLogon: Transitive Network logon of (null)\NETWORK from (via MYADMINPC) Entered
03/29 09:53:19 [LOGON] [4796] MYDOMAIN: NlPickDomainWithAccount: NETWORK: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
03/29 09:53:19 [LOGON] [4796] MYDOMAIN: SamLogon: Transitive Network logon of (null)\NETWORK from (via MYADMINPC) Returns 0xC0000064
03/29 09:53:22 [LOGON] [2136] MYDOMAIN: SamLogon: Transitive Network logon of (null)\BACKUP from (via MYADMINPC) Entered
03/29 09:53:22 [LOGON] [2136] MYDOMAIN: NlPickDomainWithAccount: BACKUP: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
03/29 09:53:22 [LOGON] [2136] MYDOMAIN: SamLogon: Transitive Network logon of (null)\BACKUP from (via MYADMINPC) Returns 0xC0000064
03/29 09:53:22 [LOGON] [2136] MYDOMAIN: SamLogon: Transitive Network logon of (null)\COMMON from (via MYADMINPC) Entered
03/29 09:53:22 [LOGON] [2136] MYDOMAIN: NlPickDomainWithAccount: COMMON: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
03/29 09:53:22 [LOGON] [2136] MYDOMAIN: SamLogon: Transitive Network logon of (null)\COMMON from (via MYADMINPC) Returns 0xC0000064 

So it turned out that my admin PC was the culprit. I then scanned my admin PC with Malwarebytes and although it did not detect any critical threat (except for some normal low-level cookies etc.), the problem went away right away.

I will keep monitoring the logs for next few days & will update here.

In short NETLOGON Debugging saved my Day !


Command to enable NETLOGON DEBUG

netlogon.log Log Location:

C:\Windows\debug\netlogon.log

To enable the log, issue the following command in CMD on the Domain Controller

nltest /dbflag:0x2080ffff

It starts logging to the file right away (at least on Server 2016 I saw it happen immediately without needing a Netlogon service restart)

When your task is finished, disable Netlogon logging with the command below:

nltest /dbflag:0x0

Note: disable NETLOGON logging after the issue is resolved to avoid server performance impact

You may want to look into Microsoft Message Analyzer as well; read about it here

https://blogs.technet.microsoft.com/askpfeplat/2015/08/02/diving-into-the-netlogon-parser-v3-5-for-message-analyzer/

Note: to test a share using another user’s credentials,
runas /u:DOMAIN\username notepad
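Reading two netlogon.log files side by side works, but on a busy DC the "Returns" lines pile up quickly. The following Python parser is an added example, not part of the original post: it picks the account, the "(via ...)" source computer and the NT status out of each SamLogon line, counts failures per source computer (the information that was missing from the lockout event’s Caller Computer Name above), and lists which account names were tried from it. The status-code table is the standard ntstatus.h mapping (0xC0000064 is STATUS_NO_SUCH_USER, i.e. the account does not exist in the domain); the sample lines are constructed in the same layout as the excerpt above.

```python
import re
from collections import Counter

# NT status codes that show up in netlogon.log "Returns" lines (values from ntstatus.h)
STATUS_NAMES = {
    "0x0":        "STATUS_SUCCESS",
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000072": "STATUS_ACCOUNT_DISABLED",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample in the same layout as the log excerpt in the post (not a real capture)
SAMPLE_LOG = r"""
03/29 09:52:57 [LOGON] [5076] MYDOMAIN: SamLogon: Transitive Network logon of (null)\VMWARE from (via MYADMINPC) Entered
03/29 09:52:57 [LOGON] [5076] MYDOMAIN: SamLogon: Transitive Network logon of (null)\VMWARE from (via MYADMINPC) Returns 0xC0000064
03/29 09:52:58 [LOGON] [5076] MYDOMAIN: SamLogon: Transitive Network logon of (null)\PRAXIS from (via MYADMINPC) Returns 0xC0000064
03/29 09:53:01 [LOGON] [5076] MYDOMAIN: SamLogon: Transitive Network logon of (null)\NAS from (via MYADMINPC) Returns 0xC0000064
03/29 09:53:04 [LOGON] [2136] MYDOMAIN: SamLogon: Transitive Network logon of MYDOMAIN\USERX from ORACLE01 (via ORACLE01) Returns 0xC000006A
03/29 09:53:05 [LOGON] [2136] MYDOMAIN: SamLogon: Transitive Network logon of MYDOMAIN\USERX from ORACLE01 (via ORACLE01) Returns 0xC0000234
03/29 09:53:10 [LOGON] [4796] MYDOMAIN: SamLogon: Transitive Network logon of MYDOMAIN\alice from PC42 (via PC42) Returns 0x0
""".strip().splitlines()

# One SamLogon line: timestamp, thread id, domain, logon kind, DOMAIN\account, optional workstation,
# the "via" computer the request came through, and either "Entered" or "Returns <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[(?P<tid>\d+)\] (?P<domain>[^:]+): "
    r"SamLogon: (?P<kind>.+?) logon of (?P<account>\S+) from (?P<workstation>\S*)\s*"
    r"\(via (?P<via>\S+)\) (?:Entered|Returns (?P<status>0x[0-9A-Fa-f]+))\s*$"
)


def parse_line(line):
    """Parse one SamLogon line; returns None for lines of other kinds."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    dom, _, acct = rec["account"].rpartition("\\")
    rec["account_domain"], rec["account"] = dom, acct
    if rec["status"] is not None:
        rec["status"] = "0x" + rec["status"][2:].upper()   # normalise hex case for the table lookup
        rec["status_name"] = STATUS_NAMES.get(rec["status"], "unknown")
    return rec


def failed_logons(lines):
    """Completed logons whose status is anything other than success."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] not in (None, "0x0"):
            out.append(rec)
    return out


def failures_by_source(lines):
    """Failed logons counted per 'via' computer: the field that is blank in the
    4740 lockout event's Caller Computer Name in the post above."""
    return Counter(r["via"] for r in failed_logons(lines))


def accounts_tried_from(lines, via):
    """Distinct account names that failed to log on through one source computer."""
    return sorted({r["account"] for r in failed_logons(lines) if r["via"] == via})


def likely_source(lines):
    """(computer, failure count) for the busiest source, or None if nothing failed."""
    counts = failures_by_source(lines)
    return counts.most_common(1)[0] if counts else None


if __name__ == "__main__":
    for via, n in failures_by_source(SAMPLE_LOG).most_common():
        print(f"{via}: {n} failed logons, accounts tried: {accounts_tried_from(SAMPLE_LOG, via)}")
```

Feed it the real file with `failures_by_source(open(r"C:\Windows\debug\netlogon.log", errors="replace"))`; a single source with many STATUS_NO_SUCH_USER results for names that are not domain accounts, as in the excerpt above, is the pattern that points at the machine to inspect.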


Regard’s
Syed Jahanzaib

 

Mikrotik with Freeradius/mySQL # Part-22 – Create Dynamic Address List using Mikrotik-Address-List Attribute



Scenario:

  • We have FREERADIUS installed as an AAA system on an Ubuntu 16.04 server
  • Mikrotik version 6.44 is acting as PPPoE NAS connected with radius for AAA

Requirement:

When any user connects to our NAS, he should be added to a Mikrotik dynamic address list under IP > Firewall > Address List, so that we can use this address list for different tasks, for example marking connections/packets/routing and using those marks in the Queues / Routes sections, or performing different sorts of filtering as required.

In this particular task we dynamically add the user to a particular address list using radius attributes; then packet marking is done based on this address list, and then in Queues we use these marked packets for different bandwidth policies, for example for normal internet we limit each user to 1mb, and for CDN traffic we add an additional 2mb for YT & FB [and likewise for different packages accordingly].

 


Solution:

We will use the Mikrotik-Address-List attribute in the radgroupreply table, as shown here.

1# Adding a user entry in the RADCHECK table so the user can authenticate …

mysql> select * from radcheck;
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  1 | zaib     | Cleartext-Password | := | zaib  |
+----+----------+--------------------+----+-------+
1 row in set (0.01 sec)

2# Adding a radius group reply for the 1mb group. Example: 1mb group users will get a 1mb dynamic queue, plus they will be added dynamically to the address list named 1mb

mysql> select * from radgroupreply;
+----+-----------+-----------------------+----+-------------+
| id | groupname | attribute             | op | value       |
+----+-----------+-----------------------+----+-------------+
| 21 | 1mb       | Mikrotik-Rate-Limit   | == | 1024k/1024k |
| 22 | 1mb       | Mikrotik-Address-List | := | 1mb         |
+----+-----------+-----------------------+----+-------------+
2 rows in set (0.00 sec)

3# Adding username ZAIB to the radius user group & assigning him the 1mb group.

mysql> select * from radusergroup;
+----+----------+-----------+----------+
| id | username | groupname | priority |
+----+----------+-----------+----------+
|  5 | zaib     | 1mb       |        1 |
+----+----------+-----------+----------+
1 row in set (0.00 sec)

RADTEST:

Now we will test the user via the RADTEST cmd …


radtest zaib zaib localhost 1812 testing123

Result:

Sending Access-Request of id 130 to 127.0.0.1 port 1812
User-Name = "zaib"
User-Password = "zaib"
NAS-IP-Address = 101.11.11.254
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=130, length=50

Mikrotik-Rate-Limit = "1024k/1024k"
Mikrotik-Address-List = "1mb"

Freeradius Debug Result:

Sending Access-Accept of id 156 to 127.0.0.1 port 34563
Mikrotik-Rate-Limit == "1024k/1024k"
Mikrotik-Address-List := "1mb"
Finished request 32.

Now try to connect the user from your user device, & upon connection you will see a new address list entry for this user’s IP ..

& its 1mb queue has been created as well


# Mikrotik Mangling & Queueing Section !

Now we move towards the Mikrotik related configuration for mangling & queues. In the above steps we added a DYNAMIC queue for test purposes (it comes from the Mikrotik-Rate-Limit reply), & as we will be using simple queues we need to remove that dynamic queue. Do so, then we move further …

  • Marking upload & download separately for the 1mb user address list …

/ip firewall mangle
add action=mark-packet chain=forward comment="1mb users UPLOAD" new-packet-mark=1mb_users_up passthrough=no src-address-list=1mb
add action=mark-packet chain=forward comment="1mb users DOWNLOAD" dst-address-list=1mb new-packet-mark=1mb_users_down passthrough=no

  • Creating PCQ based 1mb download/upload limit queue types …

/queue type
add kind=pcq name=download-1mb pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64
add kind=pcq name=upload-1mb pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64

  • Creating PCQ based simple queues to actually limit each user to 1mb download/upload …

/queue simple
add name="1mb user DOWN - PCQ" packet-marks=1mb_users_down queue=upload-1mb/download-1mb target=""
add name="1mb user UP - PCQ" packet-marks=1mb_users_up queue=128k-per-user/128k-per-user target=""

 

[Screenshot: PC#1, 1mb user test]

[Screenshot: PC#2, 128K / 1mb]


Conclusion:

As we can see, the address list has been created successfully; now we can use it for our different tasks, using the marked packets in customized PCQ based queues for policy based queueing.

I will write more on it later if I manage to get some spare time.


 

Regard’s
Syed Jahanzaib

 

Vcenter 6.5: Cannot complete operation due to concurrent modification by another operation


Case#1

We have a few ESXi hosts managed by vCenter (all on the same 6.5 version). Today when we tried to upgrade the compatibility of one guest VM using vCenter, it gave the following error.

Cannot complete operation due to concurrent modification by another operation

After some troubleshooting it came to my knowledge that there was a pending snapshot made by Veeam B&R software that was causing the issue. After removal of this snapshot the compatibility upgrade worked fine, & later we moved this VM from one ESXi host to another due to resource strains.

 

[Screenshot: vCenter error, resolved by removing the snapshot]

Case#2

In another encounter, whenever we tried to edit the guest VM settings, it gave the error “Invalid configuration for device ‘1’.”; for this particular case we simply removed the affected guest VM from the inventory & re-added it, and the problem got solved.

MySql Database Recovery from Raw Files



Disclaimer: This worked under particular case. It may or may not work for everyone.

Scenario:

OS: Ubuntu 12.4 Server Edition / x86

MYSQL: Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (i686) using readline 6.2

The OP was running radius for AAA. The disk got faulty for some unknown reason and we were unable to boot from it. There was no database backup [a real example of bad practice], so restoring from a mysqldump to a new system was not an option!

Requirements:

We need to restore the database using the MySQL raw files. Luckily the faulty disk could be attached to another system & we were able to copy the core /var/lib/mysql/ folder (along with all sub folders in it)


Quick & Dirty Restoration Steps !

[Requires some good level of Linux / DB knowledge]

  • Setup a test SANDBOX, Install same level of OS along with MYSQL on new system/disk. Create databases / tables as required. Verify all is working by logging to mysql
  • Stop the MYSQL service.
  • Copy the folder /var/lib/mysql [copied from faulty disk] to this new box under /var/lib/mysql/  
  • Set the permission on newly copied files/folders
    chown mysql -R /var/lib/mysql/

After this point Try to start the MYSQL service , IF it starts successfully & you can see your DATA , then skip below steps , ELSE continue through below steps …

  • Edit /etc/mysql/my.cnf & add the following line under the [mysqld] section
    innodb_force_recovery = 6
  • Start the MYSQL service & it will start in safe mode with limited working support. Verify whether you can log in to MYSQL with
    mysql -uroot -pPASS
  • If the above step works, export the database backup using the mysqldump cmd, e.g.:
    mysqldump -uroot -pSQLPASS radius > radius_db_dump_.sql
  • Once done, open the file in nano or any other text editor & verify that it contains the required data.

Now copy the radius_db_dump_.sql to safe location & you know what to do next 🙂

  • Import this mysqldump file to your working radius system !

TIPS:


Make sure you have multistage backup strategies in place for any mission critical server.

For example, for a MySQL database you can do the following:

  • If your server is a VM, then VEEAM B&R will be your best friend & guardian, go for it
  • 1st Stage Backup: [Highly recommended for live replication]
    Have at least 2 replica servers & configure either Master-Master or Master-Slave replication
  • 2nd Stage backup:
    Create bash scripts to export a DB backup to a local folder on a daily basis (or hourly if required)
  • 3rd Stage backup:
    Attach an external USB disk to the server, and in your backup script add this USB disk as a secondary backup repository
  • 4th Stage backup:
    Configure DROPBOX and add it as a 3rd stage backup repository
  • 5th Stage backup:
    The admin should manually copy the backup folders to his desktop, so that if all other backups fail, this copy comes in handy.

Regard’s
Syed Jahanzaib

Facilitate CDN traffic with Mikrotik


Control / Facilitate CDN traffic with

~ Mikrotik Router ~

First some DRY theory !

CDNs replicate content in multiple places. There is a better chance of content being closer to the user, with fewer hops, and the content will travel over a friendlier network. The general idea of a CDN is to deliver content to the user as fast as possible without compromising the user's experience. Usually a CDN has servers at global locations, called Points of Presence. These PoPs store data as cache. When a user requests a website, the nearest PoP handles the request using the stored cache.

The BIG players such as Google, in order to enhance user experience, have tried to get as close to the user as possible by peering directly with regional service providers and serving content through CDN (Content Delivery Network) providers. Google has its own CDN network, branded as a service called Google Global Cache (GGC).

Nowadays all the major ISPs have a CDN facility, which tremendously helps them to reduce the burden on their internet feed. Without a CDN, the cost of real internet bandwidth would be a heavy burden for any OP. With a CDN the user also gets a better video streaming experience.

I know a few ISPs here in Karachi (one in particular originating from the Gulshan area) which rely totally on CDN (more than 50-60% of their internet data is routed via CDN). I have used one of them; their real internet speed is pathetic, but if you browse YT/FB they work excellently.


Scenario:

Our upstream ISP has a CDN server installed in their data center & traffic going to the CDN has no limit. But we want to control the traffic as follows.

Bandwidth breakup for users of the 1 Mb package …

  • 1mb internet bandwidth
  • 1mb CDN bandwidth

So if a user is surfing the internet he will get the full 1mb internet speed, & if he uses traffic going to the YOUTUBE CDN, he will get another 1 mb (additional).
Virtually he will get 2mb in total.

Using Mikrotik, we can achieve this task using Firewall Mangle & Queue Tree. The same can be done with Mangle & PCQ based simple queues too. It's a debatable topic which one to use, & depending on the selection, the mangle marking method would also change.

Every network is different, so one configuration cannot fit all. The number of users & the traffic volume play a vital role in selecting the marking / queue type to use.

Choose the marking/queue type wisely to save your Mikrotik CPU from becoming Mr. SPIKY 🙂 YKWIM 😀

Disclaimer: This is just an example for sharing purposes ONLY & yes there are many other methods and tuning techniques you can adopt to make this process much more efficient.


Script !

#===================================================
# CDN PACKET MARKING SCRIPT using Mangle/Queue.Tree
# By Syed.Jahanzaib
# Email: aacableAThotmailDOTcom
# https://aacableDOTwordpressDOTcom
# March 2019
#===================================================
# Address list name which is created dynamically by radius or you can go with manual method too
# This is important ... it can be done by varieties of ways, select one that matches your network design
#1Mb
#2Mb

#Create Address List which will contain CDN server's IP addresses
/ip firewall address-list
add address=1.2.3.4/24 list=cdn_list
add address=5.6.7.8/32 list=cdn_list

# Copy paste following rules & make sure to move these MANGLE rules to TOP position,
# so that they can be applied before any other rule, (for cdn)

/ip firewall mangle
add action=mark-packet chain=postrouting dst-address-list=cdn_list new-packet-mark=cdn_1mb_up passthrough=no src-address-list=1Mb
add action=mark-packet chain=postrouting dst-address-list=1Mb new-packet-mark=cdn_1mb_down passthrough=no src-address-list=cdn_list

add action=mark-packet chain=postrouting dst-address-list=cdn_list new-packet-mark=cdn_2mb_up passthrough=no src-address-list=2Mb
add action=mark-packet chain=postrouting dst-address-list=2Mb new-packet-mark=cdn_2mb_down passthrough=no src-address-list=cdn_list

# Define Queue Type & limitation that we want to provide to each package
/queue type
add kind=pcq name=1mb-cdn-download pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64 pcq-total-limit=1024KiB
add kind=pcq name=1mb-cdn-upload pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64 pcq-total-limit=1024KiB

add kind=pcq name=2mb-cdn-download pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=2048k pcq-src-address6-mask=64 pcq-total-limit=2048KiB
add kind=pcq name=2mb-cdn-upload pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=2048k pcq-src-address6-mask=64 pcq-total-limit=2048KiB

# Add Queue/Speed Limitation using above Queue Types to firewall mangled/marked packets

/queue tree
add name="CDN - 1mb - upload" packet-mark=cdn_1mb_up parent=global priority=1 queue=1mb-cdn-upload
add name="CDN - 1mb - download" packet-mark=cdn_1mb_down parent=global priority=1 queue=1mb-cdn-download

add name="CDN - 2mb - upload" packet-mark=cdn_2mb_up parent=global priority=1 queue=2mb-cdn-upload
add name="CDN - 2mb - download" packet-mark=cdn_2mb_down parent=global priority=1 queue=2mb-cdn-download

# Script Ends Here.

1mb users CDN usage Graph.


As shown in the above example image, 1mb users are using 227 mb of CDN (YT) bandwidth (it was off-peak time with a lesser number of users; in peak hours the traffic reaches Gb's) & the real internet bandwidth is free OR available for other tasks/users, thus providing relief to the real internet bandwidth pipe.


Regard’s
Syed Jahanzaib


DENIED Notes users are still able to access mails through IBM Notes Traveler


We are using IBM Lotus Domino servers as follows:

  • Lotus Domino – Primary Mail Server
  • Lotus Domino – Lotus Notes Traveler

This is a case regarding “Denied access Notes users are still able to access mails through IBM Notes Traveler”.

Case Study:

Today it was brought to our knowledge that one of the company's employees (resigned on 28th June 2019) had sent emails to the HR Dept on the next day, while his account was under the DENY group, yet he was still able to send emails. We tried the settings from the IBM document titled “Denied access Notes users are still able to access mails through IBM Notes Traveler” at https://www-01.ibm.com/support/docview.wss?uid=swg21634205 but still no luck. Traveler users who were under the NO ACCESS GROUP on the Primary LOTUS server were still able to sync emails.

Our Blocking Practice:
As per our practice, when any user resigns from the company, we add him under the DENY GROUP on the Lotus Domino Server for a few days, which blocks Notes/Webmail access for that particular user. Later, if the user withdraws his resignation we just remove his name from this list, else we remove his profile and save his email in the Archive for ever.

Findings:
If the user has IBM Verse installed on their mobile device, he can still access email. His access is blocked primarily on the Lotus Email Server, but mobile devices do not communicate with the Primary server directly; instead they access it via the separate TRAVELER server (by proxying through the LOTUS TRAVELER server), and communication between the Primary Server & the Lotus Traveler server is done on a server to server basis, thus they could still access the emails.

Solution:

Adding the NO ACCESS list in the traveler server document under security DID THE TRICK !


[13FC:000A-1574] 07/01/2019 12:45:02 PM HTTP Web Server: Access Denied Exception [/traveler?action=sync&orig=sp&deviceId=Android_a41df4vf3fe46a8e3a] CN=MY USER/O=MYCOMP

This list is updated from the Primary Lotus server every 10 minutes (using the replication connection) & acts as an additional level of permission filtering. Now if any user is added under the DENY GROUP on the Lotus Mail Server, this list is propagated to the Lotus Traveler server as well, which denies the user's request if his name is in the DENY group.

Thanks to FB group “IBM Lotus Domino Administrators” for pointing in the right direction.


Some additional tip:

To flush the DB cache:

sh nlcache reset

https://www.novell.com/coolsolutions/tip/17050.html

Regard’s
Syed Jahanzaib

 

BASH: Exporting MYSQL DB to Remote Server


Disclaimer: This post is shared just for reference & learning purposes.


Scenario:

We are using a Freeradius server which uses MySQL as its backend DB. Ideally the MySQL server should have a replica server, so that if the Primary goes down due to any fault, the secondary replica can come into action.

For high availability purposes we want to have a standby server. MySQL Master-Slave or Master-Master replication is ideal for real time replication. We successfully implemented this model at a few sites, but replication requires constant monitoring, and at one place the secondary replica server backfired & caused data loss.

For one particular remote site we wanted to avoid the complications of REPLICATION. What we wanted was a standby server, with the DB from the primary exported to the secondary replica server daily in the morning, and emails for the actions taken by the script sent to us.

We made a custom script that has been running successfully for quite some time.

The BASH script performs following function …

  • Checks secondary server PING response
  • Check secondary server SSH access
  • Checks primary server MYSQL DB access
  • Checks secondary server MYSQL DB access
  • Check if exported DB is of valid size, (I set it to min 10 KB, yes you may want to adjust it according to your setup)
  • If all OK, then export primary server DB, and import it to secondary server

Script Requirements:

  • Sendemail tool to send email alerts/info
  • passwordless login to secondary server (using SSH keys)

Please visit following link

https://aacable.wordpress.com/2011/11/25/howto-login-on-remote-mikrotik-linux-without-password-to-execute-commands/


BASH Script Code:

  • touch /temp/update_radius_from_10.0.0.1__TO__192.168.0.1.sh
  • chmod +x /temp/update_radius_from_10.0.0.1__TO__192.168.0.1.sh
  • nano /temp/update_radius_from_10.0.0.1__TO__192.168.0.1.sh
#!/bin/bash
#set -x
# Version 1.0 / 10-July-2019
# Syed Jahanzaib / Web: https://aacable.wordpress.com / Email: aacable@hotmail.com
# This script exports mysqldb and restores it to second remote server
# Requires passwordless login on remote server using SSH keys
# Settings various VARIABLES for the script
# adding dns for resolving
echo "nameserver 8.8.8.8" > /etc/resolv.conf
#SET DATE TIME
time=`date |awk '{print $4}'`
YESTERDAY=`date --date='yesterday' +%Y-%m-%d`
IP1=10.0.0.1
IP2=192.168.0.1
IP2ROLE="RADIUS"
IP2_SSH_PORT=22
SQL_DIR="sql_replica"
#MYSQL DETAILS
SQLUSER="root"
SQLPASS="MYPASSWORD"
export MYSQL_PWD=$SQLPASS
CMD="mysql -u$SQLUSER --skip-column-names -s -e"
DB="radius"
FILE="/$SQL_DIR/$YESTERDAY.ip.$IP1.sql"
# Minimum acceptable dump size in bytes (10 KB), adjust as per your DB size
MIN_SIZE_BYTES=10240
GMAILID="MYGMAILID@gmail.com"
GMAILPASS="PASSWD"
ADMINMAIL1="ADMINMAIL1@hotmail.com"
COMPANY="zaib (Pvt) Ltd."
RESULT="/tmp/$IP2.$IP2ROLE.txt"
PING_ATTEMPTS="2"
PING_RESULT="/tmp/$IP2.$IP2ROLE.ping.result.txt"
IP2_SSH_CHK="/tmp/$IP2.ssh.chk.txt"
touch $RESULT
touch $PING_RESULT
> $RESULT
> $PING_RESULT
# Remove leftovers of a previous run so that the checks below are not fooled by stale files
rm -f $IP2_SSH_CHK
rm -f /$SQL_DIR/*.sql
# Test PING to device
count=$(ping -c $PING_ATTEMPTS $IP2 | awk -F, '/received/{print $2*1}')
if [ "${count:-0}" -eq 0 ]; then
echo "- $COMPANY ALERT: $IP2 - $IP2ROLE is not responding to PING Attempts, cannot continue without it , Please check !"
echo "- $COMPANY ALERT: $IP2 - $IP2ROLE is not responding to PING Attempts, cannot continue without it , Please check !" > $PING_RESULT
sendemail -u "ALERT: $IP2 $IP2ROLE NOT RESPONDING!" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$PING_RESULT -o message-content-type=text
exit 1
fi
echo "- PING Result to $IP2 : OK"
echo "- PING Result to $IP2 : OK" >> $RESULT

#Check if SSH is accessible
scp -q -P $IP2_SSH_PORT root@$IP2:/etc/lsb-release $IP2_SSH_CHK
# Verify if file is downloaded from remote server via ssh
if [ ! -f $IP2_SSH_CHK ]; then
echo -e "- $COMPANY ALERT: $IP2 - $IP2ROLE is not responding to SSH ACCESS, cannot continue without it , Please check !"
echo -e "- $COMPANY ALERT: $IP2 - $IP2ROLE is not responding to SSH ACCESS, cannot continue without it , Please check !" >> $RESULT
sendemail -u "ALERT: $IP2 $IP2ROLE SSH ACCESS FAILED!" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text
exit 1
fi
echo -e "- SSH Access to $IP2 Result: OK"
echo -e "- SSH Access to $IP2 Result: OK" >> $RESULT

# Check if $DB (in this case radius) is accessible on this (primary) server or not, if NOT, then exit the script
RESULT_DB_CHK=`$CMD "SHOW DATABASES LIKE '$DB'"`
if [ "$RESULT_DB_CHK" != "$DB" ]; then
echo "- ALERT: $IP1 - DB $DB not accessible."
echo "- ALERT: $IP1 - DB $DB not accessible." >> $RESULT
sendemail -u "- ALERT: $IP1 - DB $DB not accessible" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text
exit 1
fi

echo "- $DB - Database accessed OK" >> $RESULT

#############################################
######## START the BACKUP PROCESS ... #######
#############################################
# Checking if $SQL_DIR folder is previously present or not . . .
if [ ! -d "/$SQL_DIR" ]; then
echo -e "- ALERT: /$SQL_DIR folder not found, Creating it, MYSQL EXPORT/DUMP backup should be placed there . . ."
mkdir /$SQL_DIR
else
echo -e "- INFO: $SQL_DIR folder is already present , so no need to create it, Proceeding further . . ."
fi

# Export the DB, skipping the accounting table (radacct) which is usually by far the largest
mysqldump -u$SQLUSER -p$SQLPASS --ignore-table=$DB.radacct $DB > $FILE
# CHECK FILE SIZE AND COMPARE, IF ITS LESS THAN $MIN_SIZE_BYTES , THEN ALERT
SIZE=`ls -lh $FILE | awk '{print $5}'`
SIZEB=`ls -l $FILE | awk '{print $5}'`
if [ "${SIZEB:-0}" -lt "$MIN_SIZE_BYTES" ]
then
echo "- ALERT: DMA REPLICA failed on $IP1 - Size = $SIZE OR $SIZEB Bytes"
echo "- ALERT: DMA REPLICA failed on $IP1 - Size = $SIZE OR $SIZEB Bytes" >> $RESULT
sendemail -u "DMA REPLICA ALERT for $YESTERDAY / Size=$SIZE" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text
exit 1
else
echo "- BACKUP file name $FILE Size is $SIZE"
echo "- BACKUP file name $FILE Size is $SIZE" >> $RESULT
fi
#ssh -p $IP2_SSH_PORT root@$IP2 mkdir /$SQL_DIR
#scp -P $IP2_SSH_PORT $FILE root@$IP2:/$SQL_DIR
#ssh -p $IP2_SSH_PORT root@$IP2 ls -lh /$SQL_DIR
# Import file in secondary radius: the dump is streamed over SSH into mysql on the remote side
# (the remote host never needs a copy of the file on disk)
#mysql -h $IP2 -u$SQLUSER -p$SQLPASS $DB < $FILE

if ssh -p $IP2_SSH_PORT root@$IP2 "mysql -u$SQLUSER -p$SQLPASS $DB" < $FILE; then
echo "- IMPORT of $FILE into $DB on $IP2 : OK" >> $RESULT
else
echo "- ALERT: IMPORT of $FILE into $DB on $IP2 FAILED" >> $RESULT
sendemail -u "DMA REPLICA ALERT: Import failed on $IP2 - $YESTERDAY" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text
exit 1
fi
sendemail -u "INFO: DMA Replica Report OK: From $IP1 to $IP2 - $YESTERDAY" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text

rm $IP2_SSH_CHK
rm $RESULT
rm $PING_RESULT
rm $FILE


Email Report Sample:



Cron schedule to run the script Daily at 7am

00 07 * * * /temp/update_radius_from_10.0.0.1__TO__192.168.0.1.sh

Regard’s
Syed Jahanzaib

RM: Delete Expired Users Record



The following script was made for DMA Radius Manager 4.1.x. It deletes the records of users who expired X months ago or earlier from the MySQL DB.

Sharing for reference purposes …


#!/bin/sh
#set -x
SQLPASS="MYSQLPASSW0RD"
MONTHSNUMBER="2"
export MYSQL_PWD=$SQLPASS
> /tmp/expired.users.txt
###mysql -uroot -e "use radius; select username from rm_users where expiration BETWEEN '2010-01-01' AND '2019-04-30';" |sort > /tmp/expired.users.txt

# Fetch users who have expired $MONTHSNUMBER months ago & before, (using expiration date), BE CAREFUL WHEN USING THIS
# --skip-column-names keeps the "username" header row out of the list, so it is not treated as an account.
# NOTE: the date condition is reconstructed around the MONTHSNUMBER variable; the lower bound keeps accounts
# with an empty/zero expiration out of the list. Verify it against your rm_users schema before running.

mysql -uroot --skip-column-names -e "use radius; select username from rm_users where expiration BETWEEN '2010-01-01' AND DATE_SUB(CURDATE(), INTERVAL $MONTHSNUMBER MONTH);" |sort > /tmp/expired.users.txt
num=0
while read -r users
do
num=$((num+1))
USERNAME=`echo $users | awk '{print $1}'`
[ -z "$USERNAME" ] && continue

# Start Deleting account records ...
echo "$num: $USERNAME ---- deleting user record from all relevant tables"
mysql -uroot -e "use radius; DELETE FROM rm_cards WHERE cardnum = '$USERNAME';"
mysql -uroot -e "use radius; DELETE FROM rm_users WHERE username = '$USERNAME';"
mysql -uroot -e "use radius; DELETE FROM rm_changesrv WHERE username = '$USERNAME';"
mysql -uroot -e "use radius; DELETE FROM radcheck WHERE username = '$USERNAME';"
mysql -uroot -e "use radius; DELETE FROM radacct WHERE username = '$USERNAME';"
mysql -uroot -e "use radius; DELETE FROM rm_radacct WHERE username = '$USERNAME';"
done < /tmp/expired.users.txt

Jz

Exploiting Mikrotik for Good ?


Last updated: 7-AUGUST-2019 / 1400 hours

Note: A lot has been written on this vulnerability & this is nothing NEW, but this vulnerability helped us regain access to one of our remote site's old routers with forgotten credentials.


In our remote branch network, we had installed one small Mikrotik RB750 box for branch to HO connectivity. This small unit was installed a few years back & we never looked into it again. Recently we needed to make some configuration changes, but following some bad practices we hadn't added this particular Mikrotik to our centralized automated backup system & hadn't noted down the credentials & IP configuration of its VPN settings after deployment, considering it less important.

Luckily it was running old firmware which was exploitable due to the critical WinBox vulnerability (CVE-2018-14847), which allows arbitrary file read of plain text passwords.


Index of this post

  1. Vulnerable Versions
  2. Requirements
  3. Executing scripts in linux
  4. Results
  5. Securing older version with firewalling
  6. Securing the Mikrotik Router at basics

Vulnerable Versions

Versions affected:

  • Affected all bugfix releases from 6.30.1 to 6.40.7, fixed in 6.40.8 on 2018-Apr-23
  • Affected all current releases from 6.29 to 6.42, fixed in 6.42.1 on 2018-Apr-23
  • Affected all RC releases from 6.29rc1 to 6.43rc3, fixed in 6.43rc4 on 2018-Apr-23

For more information see: https://blog.mikrotik.com/security/winbox-vulnerability.html

Using this exploit we were able to recover the password and after changes we upgraded it immediately.

We can use Windows or Linux to remotely exploit the older mikrotik firmware to query for all user accounts.


Requirements:

The scripts can be run using PYTHON version 3+ & I have uploaded the scripts @ my Google Drive.


Driving in Linux !

  • I have tested it with Ubuntu ver 12 & 16
sudo apt-get update
sudo apt-get install python3

Now extract scripts in any temp folder.

Executing the scripts …

Extract users details using the Remote Mikrotik IP address [default 8291 port]

python3 WinboxExploit.py 10.0.0.1

Extract users details using the Remote Mikrotik IP address [custom port]

python3 WinboxExploit.py 10.0.0.1 1122

Discover Mikrotik on the network

(it will scan the network for Mikrotik, may take some time, or you can press CTRL+C to exit)

python3 MACServerDiscover.py

 

Extract users details using the Remote Mikrotik MAC Address

python3 MACServerExploit.py e4:8d:8c:9a:ed:11

Results:


If the firmware is recent or not exploitable, it will give the error “Exploit failed”.


# Securing older version with firewalling

If you don't want to upgrade, then at least use a firewall filter to protect older versions……

/ip firewall filter
add action=reject chain=input comment="block CVE-2018-14847 exploit by z@ib" content=user.dat
add action=drop chain=input content="user.dat"
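On the defensive side, the version ranges listed under Vulnerable Versions can be turned into an inventory check, so every router you own is compared against the affected/fixed releases and the ones still needing the upgrade are listed. This is an added example, not code from the original post; the hostnames and versions in SAMPLE_INVENTORY are constructed.

```bash
#!/bin/bash
# Added example, not part of the original post: classify RouterOS version strings
# against the CVE-2018-14847 affected/fixed ranges quoted under "Vulnerable
# Versions", so an inventory of your own routers can be swept for pending
# upgrades. Hostnames and versions in SAMPLE_INVENTORY are constructed.

# Prints one of: vulnerable, fixed, not-listed (outside the ranges the advisory
# gives, e.g. pre-6.29 or a 7.x release), unparsable.
winbox_cve_2018_14847_status() {
    ver=$1 rc=""
    case $ver in *.*) ;; *) echo unparsable; return 0 ;; esac
    maj=${ver%%.*}; rest=${ver#*.}              # "6.40.7" -> maj=6 rest=40.7
    case $rest in
        *rc*) rc=${rest##*rc}; rest=${rest%rc*}  # "43rc3" -> rc=3 rest=43
              [ -n "$rc" ] || { echo unparsable; return 0; } ;;
    esac
    case $rest in
        *.*) min=${rest%%.*}; pat=${rest#*.} ;;
        *)   min=$rest; pat=0 ;;
    esac
    for f in "$maj" "$min" "$pat" ${rc:+"$rc"}; do     # every part must be a number
        case $f in ''|*[!0-9]*) echo unparsable; return 0 ;; esac
    done
    [ "$maj" -eq 6 ] || { echo not-listed; return 0; }
    if [ -n "$rc" ]; then
        # RC chain: 6.29rc1 .. 6.43rc3 affected, fixed in 6.43rc4
        if [ "$min" -lt 29 ]; then echo not-listed
        elif [ "$min" -lt 43 ] || { [ "$min" -eq 43 ] && [ "$rc" -le 3 ]; }; then echo vulnerable
        else echo fixed; fi
        return 0
    fi
    key=$((min * 1000 + pat))                   # 6.40.7 -> 40007, integer-comparable
    if   [ "$key" -lt 29000 ]; then echo not-listed
    elif [ "$key" -le 40007 ]; then echo vulnerable   # 6.29 .. 6.40.7 (current and bugfix chains)
    elif [ "$key" -lt 41000 ]; then echo fixed        # bugfix chain, fixed in 6.40.8
    elif [ "$key" -le 42000 ]; then echo vulnerable   # current chain 6.41 .. 6.42
    else echo fixed; fi                               # fixed in 6.42.1 and later
}

# Read "hostname version" lines from stdin and print one line per router that
# is still in the affected range; prints nothing when the inventory is clean.
report_vulnerable_routers() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        [ "$(winbox_cve_2018_14847_status "$ver")" = vulnerable ] && echo "$host $ver UPGRADE"
    done
    return 0
}

# Constructed sample inventory (not real devices)
SAMPLE_INVENTORY='branch-rb750 6.40.7
ho-ccr 6.43.2
dc-rb1100 6.43rc3
legacy-rb450 6.28.1
lab-rb951 6.42'

printf '%s\n' "$SAMPLE_INVENTORY" | report_vulnerable_routers
```

In practice the inventory lines come from your monitoring system or from `/system resource print` on each router; entries reported as not-listed are older than the advisory covers and deserve an upgrade anyway.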

# Securing the Mikrotik Router at basics

  • TOP OF THE LINE THING TO DO: apply port scanning filtering !
  • Remotely accessible router services should be limited to a few addresses/interfaces
  • Never use default ports for Winbox / SSH & other services
  • Change their port numbers to preferably higher unused ports like 50000 or above, or likewise
  • If not in use, disable all services like FTP / SSH & others
  • Never use default usernames like ADMIN; disable or delete them, and make alternate admin accounts with difficult passwords

Disable following

  • MAC-telnet services
    /tool mac-server set allowed-interface-list=none
  • MAC-Winbox
    /tool mac-server mac-winbox set allowed-interface-list=none
  • MAC-Ping service
    /tool mac-server ping set enabled=no
  • MikroTik Neighbor discovery protocol
    /ip neighbor discovery-settings set discover-interface-list=none
    /ipv6 nd set [find] disabled=yes
  • DNS cache
    /ip dns set allow-remote-requests=no
  • Socks proxy
    /ip proxy set enabled=no
    /ip socks set enabled=no
  • UPNP service
    /ip upnp set enabled=no
  • MikroTik dynamic name service or ip cloud
    /ip cloud set ddns-enabled=no update-time=no
  • Enable More Secure SSH access
    /ip ssh set strong-crypto=yes

Regard’s
Syed Jahanzaib
