I have been searching the web for an Asterisk behind NAT configuration but couldn't find a short but definitive example, so I decided to create a working example configuration of Asterisk behind NAT. If you are currently having problems configuring your Asterisk behind NAT, please feel free to use my example below:

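Put the following in your rc.local:
# Flush all existing filter, nat and mangle rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Rewrite the source of outbound traffic to the public address
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source your.public.ip.here
# Enable routing between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# Forward RTP media (UDP 10000-20000) and SIP signalling (UDP 5060) to the Asterisk host
iptables -t nat -A PREROUTING -p udp --dport 10000:20000 -j DNAT --to-destination 192.168.30.1
iptables -t nat -A PREROUTING -p udp --dport 5060 -j DNAT --to-destination 192.168.30.1
# Allow the forwarded UDP traffic to and from the Asterisk host
iptables -A FORWARD -p udp -s 192.168.30.1 -j ACCEPT
iptables -A FORWARD -p udp --dport 10000:20000 -d 192.168.30.1 -j ACCEPT
iptables -A FORWARD -p udp --dport 5060 -d 192.168.30.1 -j ACCEPT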
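Your sip.conf should be:
[general]
context=default
port = 5060
bindaddr = 0.0.0.0
; public address advertised in SIP/SDP to peers outside the NAT
externip = your.public.ip.here
nat=yes
; addresses inside this network are reached directly, without externip
localnet=192.168.30.0/255.255.255.0
; keep the media path through Asterisk
canreinvite=no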
Sample gateway-to-gateway SIP config for sip.conf:
[toyoursipprovider]
type=friend
host= sip.provider.gateway.ip
canreinvite=no
disallow=all
allow=g729
allow=ulaw
dtmfmode=rfc2833
ENJOY!
IBM announced the System z10 mainframe that will help clients create a new enterprise data center with increased efficiency. z10 will significantly improve the performance of data centers by reducing power consumption, cooling costs, and floor space requirements. It also offers unmatched levels of security and automates the management and tracking of IT resources to respond to ever-changing business conditions.

The z10’s capacity is equivalent to 1,500 servers based on the popular x86 design, IBM says, though it has 85% lower energy costs and takes up 85% less space than the batch of x86 servers. IBM also says that the system allows the consolidation of x86 software licenses at up to a 30:1 ratio.
The new machines also boast more processing horsepower, using 64 quad-core processors compared to the 54 processors used in its predecessor, the z9. The z10 also supports a broad range of workloads. In addition to Linux, XML, Java, WebSphere and increased workloads from Service Oriented Architecture implementations, IBM is working with Sun Microsystems and Sine Nomine Associates to pilot the Open Solaris operating system on System z, demonstrating the openness and flexibility of the mainframe.
Here are some of z10’s great features:
- Single z10 equal to nearly 1,500 x86 servers
- Up to 85% less energy costs
- Up to 85% smaller footprint
- Consolidates x86 software licenses at up to a 30-to-1 ratio.
- Mainframe goes Quad-Core
- z10 brings discipline to data center chaos:
  - Just-in-time capacity to meet ever-changing business conditions
  - Automated management of system performance to favor high-value transactions
A flaw in Linux kernel versions 2.6.17 to 2.6.24.1 can give local users access to root privileges. The vulnerability is caused by a missing verification of parameters within the Linux kernel’s “vmsplice” function which appears in versions 2.6.17 to 2.6.24.1. This flaw can be used to steal data or mount denials of service on any Linux-based system running on the affected kernel versions.
A researcher calling himself “qaaz” has released two exploits for this newly discovered flaw, namely “Linux kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit” and “Linux kernel 2.6.23 - 2.6.24 vmsplice Local Root Exploit”, and posted them on the milw0rm.com website.
DON’T PANIC! This Linux kernel flaw has been labeled as “moderate risk” by FrSIRT, the French security response team, and “less critical” by Danish vulnerability clearinghouse Secunia. It has apparently already been fixed in newer versions of Linux kernel 2.6, researchers said. Secunia also said in its advisory that the Linux flaws can only be exploited from local systems.
Port Scan Attack Detection (PSAD) is a collection of three lightweight system daemons written in Perl and C that is designed to work with Linux firewalls like iptables (for Linux 2.4.x kernels) and ipchains (for the 2.2.x kernels) to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall, where it has the fastest access to log data.

PSAD has verbose alert messages which include the source IP, destination IP, scanned port range, timestamps, TCP flags and corresponding Nmap options used (for 2.4.x kernels only), reverse DNS info, email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. PSAD incorporates many of the TCP signatures included in Snort to detect highly suspect scans (for kernel 2.4.x only).
PSAD is developed around three main principles:
- Good network security starts with a properly configured firewall.
- A significant amount of intrusion detection data can be gleaned from firewall logs, especially if the logs provide information on nearly every field of the network and transport headers (and even application layer signature matches as in Netfilter’s case).
- Suspicious traffic should not be detected at the expense of trying to also block such traffic.
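The log-analysis idea behind these principles, shown as an added example that is not PSAD's own code: it reads iptables LOG lines, groups them by source, and reports the scanned port range and the Nmap option that matches the observed TCP flags. The log lines are constructed, and the names (detect_scans, port_threshold) and the threshold of 5 distinct ports are assumptions of this sketch, not PSAD settings.

```python
import re
from collections import defaultdict

def _line(src, dpt, flags):
    # Constructed iptables LOG line (documentation addresses, not real traffic).
    return (f"Feb 12 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"LEN=44 TTL=52 PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 "
            f"{flags} URGP=0")

SAMPLE_LOG = (
    [_line("203.0.113.7", p, "SYN") for p in (21, 22, 23, 25, 80, 443)]
    + [_line("198.51.100.9", p, "URG PSH FIN") for p in (135, 139, 445, 3389, 8080)]
    + [_line("192.0.2.55", 80, "SYN")] * 3  # repeated hits on one port: not a scan
)

# Source, destination port and TCP flags (the words between RES= and URGP=).
LOG_RE = re.compile(r"SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+) .*?RES=\S+ (.*?)\s*URGP=")

# TCP flag combination -> Nmap scan option that produces it.
NMAP_OPTION = {
    frozenset({"SYN"}): "-sS/-sT",
    frozenset({"FIN"}): "-sF",
    frozenset(): "-sN",
    frozenset({"FIN", "PSH", "URG"}): "-sX",
    frozenset({"ACK"}): "-sA",
}

def detect_scans(lines, port_threshold=5):
    """Report sources that probed at least port_threshold distinct TCP ports."""
    seen = defaultdict(lambda: {"ports": set(), "flags": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a TCP LOG line in the expected format
        seen[m.group(1)]["ports"].add(int(m.group(2)))
        seen[m.group(1)]["flags"].add(frozenset(m.group(3).split()))
    alerts = {}
    for src, info in seen.items():
        if len(info["ports"]) >= port_threshold:
            alerts[src] = {
                "port_range": (min(info["ports"]), max(info["ports"])),
                "distinct_ports": len(info["ports"]),
                "nmap_options": sorted({NMAP_OPTION.get(f, "unknown") for f in info["flags"]}),
            }
    return alerts

if __name__ == "__main__":
    for src, report in detect_scans(SAMPLE_LOG).items():
        print(src, report)
```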
We all know that IPv6 has existed for a long time and that it is not being utilized in many parts of the world. However, the Internet Corporation for Assigned Names and Numbers (ICANN) has deployed a half dozen new root DNS servers to answer IPv6 requests. IPv6 addresses were added for six of the world’s 13 root server networks (A, F, H, J, K, M) to the appropriate files and databases. This move allows for the possibility of fuller IPv6 usage of the Domain Name System (DNS). Prior to today, those using IPv6 had needed to retain the older IPv4 addressing system in order to be able to use domain names.
This move will add the ability of an IPv6 host to connect to another IPv6 host without needing to resolve an address on an older IPv4 server.
“Today’s addition of IPv6 addresses for the root servers enhances the end-to-end connectivity for IPv6 networks, and furthers the growth of the global interoperable Internet,” added David Conrad, ICANN’s Vice President of Research and IANA Strategy. “This is a major step forward for IPv6-only connectivity and the global migration to IPv6.”
Four of the five Regional Internet Registries were accessible via IPv6; the exception was the American Registry for Internet Numbers (ARIN), because ARIN is not yet operating public IPv6 nameservers.