Ubiquiti UniFi the Next Botnet?

I tested a Ubiquiti access point today. The UAP-AC-Lite seems to be a very good and cheap access point. When you take it out of the box and connect it to the network it gets an IP address using DHCP and waits for a configuration. In this mode it sends broadcasts to find a controller and listens on port …

Sophos UTM BGP Announces 0 Prefixes

Problem: A simple BGP upstream configuration. A small AS with one IP prefix wants to connect to its upstream using BGP. The BGP peerings are up. Sophos receives the expected routes from its upstream, but the upstream router does not receive the expected single prefix. Discussion: An outbound filter list is set to prevent sending other than the …

PaloAlto Packet Loss of 1% and More

Problem: A PaloAlto firewall is dropping packets in small bursts of some seconds, and sometimes it drops TCP connections. It only happens on HA clusters, on interfaces in active/passive (failover) mode. Solution: Disable the following check box in the Ethernet interface settings under Advanced – LLDP: “Enable in HA Passive State”. Discussion: Palo Alto uses only one MAC address …

Generate CSR using openssl

Browsers started to warn users about certificates with SHA-1 signatures. SHA-256 is needed nowadays. So it’s time to renew certificates from Thawte, GoDaddy, etc. You can generate a new Certificate Signing Request with openssl with this command: openssl req -nodes -newkey rsa:2048 -keyout servername.key -out servername.csr -sha256 “servername.csr” is an ASCII file you can send …

F5 data flood

Problem: An F5 LTM load balancer sends lots of data to some clients. Sometimes this fills up all the available bandwidth with 1 Gbit or more. At the same time the input traffic does not rise. The traffic charts look as if the F5 is attacking some clients (reversed DDoS :-) ). Discussion: After some time of staring …

How to generate an SSL key and self-signed cert with openssl

For SSH, HTTPS, TLS SMTP, POPS and IMAPS you need an RSA key pair. Most Linux package installers produce these pairs automatically, but if you like, you can generate them yourself. The quickest method I found is: openssl req -x509 -nodes -newkey rsa:2048 -keyout servername.key -out servername.crt -days 1024 This command asks you some questions. The most …

AVM Fritz!box DHCP Problem

Problem: I wanted to provide a CWMP (TR-069) ACS URL to an AVM modem using DHCP on the WAN interface, but the DHCP server ignores this vendor option. Discussion: Following the TR-069 specs, the CWMP ACS server can be included in a DHCP response using a vendor option (SubOption 1). Usually vendor options should work with isc-dhcp-server like that: …

Update Cisco Catalyst Software

I had to update the software of a new Cisco Catalyst 4948 yesterday. As usual I did:
copy tftp://<hostname>/<filename> bootflash:
conf t
boot system flash bootflash:<filename>
exit
reload
But the switch ignored the new software image. During boot it said: Booting first image from bootflash
Solution: The config-register was set to 0x2101 right out of …

Pirelli Modem does always NAT

When I restart my Pirelli modem it always disconnects all TCP connections! After the connection table of the Pirelli is flushed (by rebooting) it sends an RST for the next packet of any TCP connection. Why doesn’t it simply forward this packet? Clients and servers don’t care if a router on the way is rebooting. Pirelli …