AT&T u-Verse Static IP work around with pfSense

First off, I’d like to give AT&T an honorable mention (sarcasm) for using the fucking worst, P.O.S. garbage, DSL Modems on the planet: 2WIRE. These things are ridiculous. You’d think that if a provider was able to route a /28 subnet to your home/business, that they’d be able to properly manage that subnet through their “firewall” or whatever you want to call it. The way this normally works is through routing a network range to your device. But AT&T and 2WIRE ensure that for every public static IP address you have, it has to have a unique MAC address and it must look like a different device altogether. This is asinine.

So, with the help of my business partner, we’ve come up with a solution on how to get a set of static IP addresses to work so that you can host services on AT&T u-Verse. The way we accomplished this was through the use of an open source and free operating system named “pfSense”. I’m sure there are other systems out there that we could have used, or just done it in Linux, but pfSense is really robust and has a nice interface. So that’s what we went with.

Additionally, I’m sure not everyone and their mother have an HP DL380 running in their basement, but… welcome to the Erdmanor. I have a DL380 in my basement. So what we’ve done is virtualized a firewall. We’re running pfSense in a virtual machine on the DL 380, which is running ESXi 5.5. I know ESXi 6.0 has been out for a few months now, but to be honest, I’m just too damn lazy to upgrade my box.

Anyways, here’s how we configured the virtual firewall. In ESX, we provisioned the system to have 8 network adapters, a 10GB HDD, 2GB RAM, and 1 virtual CPU. From there we added the VM to the three different network segments (DMZ, Internal, Outside), and created the interfaces within pfSense. Then we programmed the AT&T gateway to use the external addresses that were provided by them, making sure that the proper interfaces and MAC addresses lined up between the ESX server, the AT&T gateway and the pfSense console. Also, in the AT&T gateway, we set the system to DMZplus Mode, which you can read about in the screenshot below.

[Screenshots: pfSense1, pfSense2, pfSense3, att-config0, att-config1, att-config2, att-config3]

Now that our AT&T gateway is properly forwarding External IP traffic to the proper interfaces on our pfSense firewall, we can go through and create all the inbound NATs, firewall rules and network security that we wish to have.

If you have any further questions on how to set this up, just ask!

Thanks!






Setting up a TFTP server in Debian/Ubuntu

I’ve needed to set up a TFTP server for various reasons in the past. Most recently, I needed it in order to upload files (OS images, VPN clients, etc.) to Cisco routers, switches and ASA Firewalls. So this blog is for the sole purpose of setting up a TFTP server.

I need to stress and emphasize the security issues that TFTP servers have. There are no logon credentials, the protocol is all in plain text, and there is no file security for any files supplied by the TFTP server. So make sure that you are only putting files on this server that are considered “compromisable”. If you’re going to be backing up files on this server (running configs, especially), then you should do everything in your power to limit access to this machine by use of firewall rules. For large networks, I would recommend using a product like CatTools.

Alright, so let’s see here. First off, you’re going to need to install some software.

steve @ steve-G75VX ~ :) ##   sudo apt-get update
[sudo] password for steve:
...
...                                                                                                                                                                        
Fetched 916 kB in 8s (112 kB/s)                                                                                                                                                                                                            
Reading package lists... Done
steve @ steve-G75VX ~ :) ##   sudo apt-get install xinetd tftpd tftp
Reading package lists... Done
Building dependency tree      
Reading state information... Done
xinetd is already the newest version.
tftp is already the newest version.
tftpd is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
steve @ steve-G75VX ~ :) ##


Now that we have our software installed, we need to configure our TFTP daemon to run.

Start by creating a new file and paste in this info:

steve @ steve-G75VX ~ :) ##   sudo nano /etc/xinetd.d/tftp
service tftp
{
protocol        = udp
port            = 69
socket_type     = dgram
wait            = yes
user            = nobody
server          = /usr/sbin/in.tftpd
server_args     = /tftp
disable         = no
}
steve @ steve-G75VX ~ :) ##


Things to remember here are that you’re specifying the default port of 69/udp and that the user “nobody” is going to be the user of the files.


Now that we have that done, we can create our directory and set permissions:

steve @ steve-G75VX ~ :) ##   sudo mkdir /tftp
steve @ steve-G75VX ~ :) ##   sudo chmod -R 777 /tftp
steve @ steve-G75VX ~ :) ##   sudo chown -R nobody /tftp


All that’s left is that we need to start the service!

steve @ steve-G75VX ~ :) ##   sudo service xinetd restart

-OR-

steve @ steve-G75VX ~ :) ##   sudo /etc/init.d/xinetd restart


Just test to make sure that the service is running:

steve @ steve-G75VX ~ :) ##   ps aux | grep xinet
root      7049  0.0  0.0  15024   456 ?        Ss   Oct22   0:00 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
steve    16301  0.0  0.0  15188  1984 pts/3    S+   17:25   0:00 grep --color=auto xinet
steve @ steve-G75VX ~ :) ##  
steve @ steve-G75VX ~ :) ##   ports | grep 69
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:69              0.0.0.0:*                           -              
steve @ steve-G75VX ~ :) ##


And we’re done!


Debian Backups, the Command Line Way…

I’ve been wanting to write a blog on this for a long time since I’ve actually had this backup method running in my environment for years. It’s super easy to set up and, while thank god I’ve never had to recover from a backup, I have been able to go back and recover individual files from my backups. What you’ll need from an environment setup is at least one Linux box that you need backed up, and at least one NAS or other file storage server that has an SSH server. I perform all my backups to online disk storage that is based on FreeNAS. There are plenty of NAS environments, and I’m not saying FreeNAS is the best or the worst, but I like it and it works for me. It works extremely well with Linux, Windows and Mac OS X.

There are two parts to this:

  1. manual backups
  2. automated backups

    Let’s start with the manual backups, because once we have the manual backups performed, then we can easily turn that into a script and run it in CRON.


    First, we need to specify the directories we don’t want to back up in a file that is accessible to root. Let’s list the directories in “/” first.

    steve @ steve-G75VX ~ :) ##   ll /
    total 18M
    drwxr-xr-x  25 root   root 4.0K Oct 22 14:54 ./
    drwxr-xr-x  25 root   root 4.0K Oct 22 14:54 ../
    drwxr-xr-x   2 root   root 4.0K Aug 14 02:03 bin/
    drwxr-xr-x   4 root   root 3.0K Oct  3 11:39 boot/
    drwxrwxr-x   2 root   root 4.0K May 21 11:52 cdrom/
    -rw-------   1 root   root  18M Oct  3 11:40 core
    drwxr-xr-x  24 root   root 4.8K Oct 31 12:38 dev/
    drwxr-xr-x 148 root   root  12K Oct 27 20:37 etc/
    drwxr-xr-x   3 root   root 4.0K May 21 11:53 home/
    lrwxrwxrwx   1 root   root   33 Aug 14 02:06 initrd.img -> boot/initrd.img-3.19.0-25-generic
    lrwxrwxrwx   1 root   root   33 Jul 10 08:56 initrd.img.old -> boot/initrd.img-3.19.0-22-generic
    drwxr-xr-x  26 root   root 4.0K Oct 13 13:41 lib/
    drwxr-xr-x   2 root   root 4.0K May 21 12:41 lib32/
    drwxr-xr-x   2 root   root 4.0K Apr 22  2015 lib64/
    drwx------   2 root   root  16K May 21 11:47 lost+found/
    drwxr-xr-x   3 root   root 4.0K May 21 12:01 media/
    drwxr-xr-x   2 root   root 4.0K Apr 17  2015 mnt/
    drwxr-xr-x   6 root   root 4.0K Oct 20 11:28 opt/
    dr-xr-xr-x 283 root   root    0 Oct 21 20:30 proc/
    drwx------   4 root   root 4.0K Oct 27 16:57 root/
    drwxr-xr-x  30 root   root 1.1K Oct 27 20:50 run/
    drwxr-xr-x   2 root   root  12K Aug 14 02:03 sbin/
    drwxr-xr-x   2 root   root 4.0K Apr 22  2015 srv/
    dr-xr-xr-x  13 root   root    0 Oct 22 14:55 sys/
    drwxrwxrwx   2 nobody root 4.0K Oct 22 17:55 tftp/
    drwxrwxrwt  18 root   root 4.0K Nov  1 15:17 tmp/
    drwxr-xr-x  11 root   root 4.0K May 21 12:41 usr/
    drwxr-xr-x  13 root   root 4.0K Apr 22  2015 var/
    lrwxrwxrwx   1 root   root   30 Aug 14 02:06 vmlinuz -> boot/vmlinuz-3.19.0-25-generic
    lrwxrwxrwx   1 root   root   30 Jul 10 08:56 vmlinuz.old -> boot/vmlinuz-3.19.0-22-generic


    So, based on this, we’ll exclude like this:

    steve @ steve-G75VX ~ :) ##   sudo mkdir /backups
    [sudo] password for steve:
    steve @ steve-G75VX ~ :) ##   sudo touch /backups/exclude.list
    steve @ steve-G75VX ~ :) ##   sudo nano /backups/exclude.list
    steve @ steve-G75VX ~ :) ##  

    /cdrom
    /dev
    /lost+found
    /proc
    /run
    /sys
    /tmp

    (Ctrl+x to quit, then y to save)


    Now that we have our directory and exclude list set up, we need to make sure RSYNC is installed on our system.

    steve @ steve-G75VX ~ :) ##   sudo apt-get update
    ...
    ...
    Fetched 1,743 kB in 21s (79.7 kB/s)
    Reading package lists... Done
    steve @ steve-G75VX ~ :) ##   sudo apt-get install rsync
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    rsync is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
    steve @ steve-G75VX ~ :) ##


    Now that we have RSYNC installed and our backup exclusions defined, let’s get our backups started.

    First, edit your .bashrc file in your home directory and add this line:

    alias backupall='sudo rsync -athvz --delete --exclude-from=/backups/exclude.list / steve@1.1.1.1:/mnt/Backups/laptop/'


    “What does all this do?” you might ask… well, it’s quite simple really.

    First, we create an alias for your shell named “backupall”, because we’ll be performing full system backups from here.

    Next, we call “rsync” to run as root, and ask it to run with the switches -a, -t, -h, -v and -z.

  • -a = run in archive mode, which equals -rlptgoD (no -H, -A, -X)
  • -t = makes sure to preserve modification times on your files
  • -h = outputs numbers in a human-readable format
  • -v = run verbosely
  • -z = makes sure that file data is compressed during the transfer
  • --exclude-from=/backups/exclude.list = skips the directories we listed in the exclude list above (without it, rsync would try to copy /proc, /sys and the rest of them too)
  • And lastly, the “--delete” means, “This tells rsync to delete extraneous files from the receiving side (ones that aren’t on the sending side), but only for the directories that are being synchronized. You must have asked rsync to send the whole directory (e.g. “dir” or “dir/”) without using a wildcard for the directory’s contents (e.g. “dir/*”) since the wildcard is expanded by the shell and rsync thus gets a request to transfer individual files, not the files’ parent directory. Files that are excluded from the transfer are also excluded from being deleted unless you use the --delete-excluded option or mark the rules as only matching on the sending side (see the include/exclude modifiers in the FILTER RULES section).” — http://linux.die.net/man/1/rsync

    Next is the “/”, which means we’re backing up everything in “/”, which is everything.

    Lastly, we’re specifying the destination. In this case, we’re doing RSYNC over SSH, so we’ll be specifying a location in the way that you would specify a destination in SCP.


    Now test running your backup. I’ve run mine before, so my update is pretty quick. But this is going to back up your whole system, so expect it to take a while.

    steve @ steve-G75VX ~ :( ᛤ>   backupallnas
    steve@1.1.1.1's password:
    sending incremental file list
    ./
    var/lib/mysql/blog/wp_AnalyticStats.MYD
    var/lib/mysql/blog/wp_AnalyticStats.MYI
    var/lib/mysql/blog/wp_options.MYD
    var/lib/mysql/blog/wp_options.MYI
    var/lib/mysql/blog/wp_postmeta.MYD
    var/lib/mysql/blog/wp_postmeta.MYI
    var/lib/sudo/steve/0
    var/log/auth.log
    var/log/apache2/access.log
    var/log/apache2/error.log

    sent 1.09M bytes  received 50.77K bytes  58.56K bytes/sec
    total size is 1.91G  speedup is 1673.17
    rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1070) [sender=3.0.9]
    steve @ steve-G75VX ~ :( ᛤ>



    Now we need to create our script, and make it executable.

    root @ steve-G75VX ~ :) ##   nano /backups/backupall
    root @ steve-G75VX ~ :) ##   chmod +x /backups/backupall
    root @ steve-G75VX ~ :) ##   ll /backups/backupall
    -rwxr-xr-x 1 root root 96 Nov  1 17:02 /backups/backupall*
    root @ steve-G75VX ~ :) ##


    I added this one line to the backup file:

    sudo rsync -athvz --delete --exclude-from=/backups/exclude.list / steve@1.1.1.1:/mnt/Backups/laptop/



    This looks pretty good! Now that we have a full backup of our machine, let’s get this set up in CRON.

    steve @ steve-G75VX ~ :) ##   sudo su
    root @ steve-G75VX ~ :) ##   crontab -l
    no crontab for root
    root @ steve-G75VX ~ :( ##   crontab -e
    no crontab for root - using an empty one

    Select an editor.  To change later, run 'select-editor'.
      1. /bin/ed
      2. /bin/nano        <---- easiest
      3. /usr/bin/vim.tiny

    Choose 1-3 [2]: 2
    crontab: installing new crontab
    root @ steve-G75VX ~ :) ##


    The line that I added to CRON was this:

    0 3 * * * /backups/backupall >/dev/null 2>&1


    This basically states that every day at 3am, this script will be run.


    From here we need to make sure our local system can perform password-less logon to the SSH server. To do that we’ll be working off of a prior blog I wrote on SSH Keys, here: Using SSH Keys to simplify logins to remote systems.

    You’ll want to test that your system can SSH to your remote system without entering a password. As long as that works, we’re good to go!

    That’s it! It’s that simple!
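As an added example (not the post’s own script), here is a cron-friendly version of the backupall script: it uses the exclude list, logs to a file instead of /dev/null, takes a lock so two nightly runs cannot overlap, and treats rsync exit codes 23 and 24 (the partial-transfer “code 23” seen in the run above) as a warning rather than a failure. The exclude list path and the steve@1.1.1.1 destination are the ones from this post; the log and lock file paths are assumptions.

```shell
#!/bin/bash
# Cron-friendly wrapper around the rsync-over-SSH backup from the post.
# Assumed paths: /backups/exclude.list and steve@1.1.1.1:/mnt/Backups/laptop/
# (from the post); the log and lock locations are assumptions.
set -u

EXCLUDE_LIST="${EXCLUDE_LIST:-/backups/exclude.list}"
DEST="${DEST:-steve@1.1.1.1:/mnt/Backups/laptop/}"
LOG="${LOG:-/var/log/backupall.log}"
LOCK="${LOCK:-/run/backupall.lock}"

# Map an rsync exit status to ok / warn / fail.
# 0 = clean run; 23/24 = some files vanished or could not be transferred,
# which is normal on a live system (logs, caches); anything else = real failure.
classify_rsync_status() {
    case "$1" in
        0)     echo ok ;;
        23|24) echo warn ;;
        *)     echo fail ;;
    esac
}

# Sanity-check the exclude list before a full-system run:
#  - the volatile pseudo-filesystems must be listed, or rsync tries to copy them
#  - every entry must be an absolute path, otherwise rsync matches it at any depth
# Prints the missing required entries; returns 0 when the list is fine,
# 1 when required entries are missing, 2 when a relative entry is present.
check_exclude_list() {
    list="$1"
    missing=""
    for required in /proc /sys /dev /run; do
        grep -qx "$required" "$list" || missing="$missing $required"
    done
    if grep -v '^/' "$list" | grep -q '[^[:space:]]'; then
        echo "relative entries found in $list" >&2
        return 2
    fi
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# The actual backup: same rsync call as the post, plus exclude list, lock and log.
run_backup() {
    check_exclude_list "$EXCLUDE_LIST" >/dev/null || { echo "bad exclude list $EXCLUDE_LIST" >&2; return 2; }
    # If last night's run is still going, do not start a second one on top of it.
    exec 9>"$LOCK"
    flock -n 9 || { echo "$(date) backup already running, skipping" >>"$LOG"; return 3; }
    echo "$(date) backup start -> $DEST" >>"$LOG"
    rsync -ahvz --delete --exclude-from="$EXCLUDE_LIST" / "$DEST" >>"$LOG" 2>&1
    status=$?
    result=$(classify_rsync_status "$status")
    echo "$(date) backup finished: rsync exit $status ($result)" >>"$LOG"
    [ "$result" != fail ]
}

# Only start the real backup when asked explicitly,
# e.g. from cron: 0 3 * * * /backups/backupall --run
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

Because the script runs from root’s crontab, it still relies on root having a working SSH key for the NAS, exactly as described above.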



    I have run into issues on some machines where SSH keys don’t work. I haven’t had the time to troubleshoot why, so I found a different way to make backups work without using SSH keys. The downside is that this is MUCH less secure, and I really don’t recommend running this in a production setting. But for home or non-business use, you’re probably just fine.

    So to do this, we’re going to use the “sshpass” package. It’s available for Debian and Ubuntu, so I’m sure it’s out there for other Linux/Unix systems as well.

    root @ steve-G75VX ~ :) ##   sudo apt-get install sshpass
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    The following NEW packages will be installed:
      sshpass
    0 upgraded, 1 newly installed, 0 to remove and 38 not upgraded.
    Need to get 10.5 kB of archives.
    After this operation, 56.3 kB of additional disk space will be used.
    Get:1 http://us.archive.ubuntu.com/ubuntu/ vivid/universe sshpass amd64 1.05-1 [10.5 kB]
    Fetched 10.5 kB in 0s (65.3 kB/s)  
    Selecting previously unselected package sshpass.
    (Reading database ... 258807 files and directories currently installed.)
    Preparing to unpack .../sshpass_1.05-1_amd64.deb ...
    Unpacking sshpass (1.05-1) ...
    Processing triggers for man-db (2.7.0.2-5) ...
    Setting up sshpass (1.05-1) ...
    root @ steve-G75VX ~ :) ##


    Go ahead and test logging into your NAS box, or any box really, with this. The idea is that, when you’re scripting you need to logon to remote systems without a password. If you can’t use SSH keys, then this is your next best bet. Create a file in “root’s” home dir and name it whatever you want. I named mine, “backup.dat”. It must contain only the password you use to log into your remote machine, on one line, all by itself.

    root @ steve-G75VX ~ :) ##   nano ~/backup.dat
    root @ steve-G75VX ~ :) ##   chmod 600 backup.dat


    You’ll call “sshpass”, -f for the file with the password, the location of your “ssh” program, -p and the port number (default port for ssh is 22), followed by the username you login with (make sure it’s in the format of, “user@machine-ip”).

    root @ steve-G75VX ~ :) ##   sshpass -f /root/backup.dat /usr/bin/ssh -p 22 steve@1.1.1.1
    Last login: Sun Nov  1 17:22:08 2015 from 1.1.1.2
    FreeBSD 9.2-RELEASE (FREENAS.amd64) #0 r+2315ea3: Fri Dec 20 12:48:50 PST 2013

        FreeNAS (c) 2009-2013, The FreeNAS Development Team
        All rights reserved.
        FreeNAS is released under the modified BSD license.

        For more information, documentation, help or support, go here:
        http://freenas.org
    Welcome to FreeNAS
    [steve@freenas ~]$ exit
    logout
    Connection to 1.1.1.1 closed.
    root @ steve-G75VX ~ :) ##


    Okay, now that we’ve tested this and know it’s working, let’s modify our script here and get this working with “sshpass”. One thing to be aware of: “-o StrictHostKeyChecking=no” makes ssh accept whatever host key the remote end presents. If the NAS’s key is already in root’s known_hosts (the test login above did not prompt for it, so it is), you can leave that option out and keep host key verification on.

    root @ steve-G75VX ~ :) ##   /usr/bin/rsync -athvz --delete --rsh="/usr/bin/sshpass -f /root/backup.dat ssh -o StrictHostKeyChecking=no -l YourUserN@me" /home/steve steve@1.1.1.1:/mnt/Backups/laptop/


    Now test to make sure the script is working (as soon as you see the incremental file list being sent, you know it’s working properly):

    root @ steve-G75VX ~ :) ##   /usr/bin/rsync -athvz --delete --rsh="/usr/bin/sshpass -f /root/backup.dat ssh -o StrictHostKeyChecking=no -l steve" /home/steve steve@1.1.1.1:/mnt/Backups/laptop
    sending incremental file list
    ^Crsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(632) [sender=3.1.1]
    root @ steve-G75VX ~ :) ##
    root @ steve-G75VX ~ :) ##
    root @ steve-G75VX ~ :) ##   /backups/backupall
    sending incremental file list
    steve/.cache/google-chrome/Default/Cache/
    ^Crsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(632) [sender=3.1.1]
    root @ steve-G75VX ~ :( ##

    Success!







    http://linux.die.net/man/1/rsync
    https://www.debian-administration.org/article/56/Command_scheduling_with_cron


    Bash Shell Customizing

    I’ve had a request for a blog on how to customize the bash shell. I’ll put more into this in the future, but for now, here is the actual code in my .bashrc file.

    Basically, I like to have my command line environment customized to my liking, just like any other user/administrator. So what I’ve done here is added some color to my shell, as well as added some nice, helpful and easy to remember aliases that really save time in typing.

    Here is a screenshot of what my shell looks like:

    [Screenshot of the customized shell prompt]

    #PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
    PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"

    # mint-fortune - If you like the fortunes, keep this on, otherwise delete it.
    # you will need to have Mint Fortunes installed on your system for this to work
    /usr/bin/mint-fortune

    #------------------------------------------------------------------------------------------------------
    #------------------------------------------------------------------------------------------------------


    #[Color Prompt] This adds color prompt to your shell.
    #    I've gone through and figured out a whole bunch
    #    of colors so you can go ahead and customize to
    #    your heart's content.

    force_color_prompt=yes

    #[Variables]
    RESET="\[\017\]"
    NORMAL="\[\033[;m\]"
    LGREEN="\[\033[1;32m\]"
    LGREEN0="\[\033[0;32m\]"
    LBLUE="\[\033[1;34m\]"
    LCYAN="\[\033[1;36m\]"
    LRED="\[\033[1;31m\]"
    LPURPLE="\[\033[1;35m\]"
    BLACK="\[\033[0;30m\]"
    BLUE="\[\033[0;34m\]"
    GREEN="\[\033[0;32m\]"
    CYAN="\[\033[0;36m\]"
    PURPLE="\[\033[0;35m\]"
    BROWN="\[\033[0;33m\]"
    LGRAY="\[\033[0;37m\]"
    DGREY="\[\033[01;30m\]"
    RED="\[\033[0;31m\]"
    YELLOW="\[\033[01;33m\]"
    WHITE="\[\033[01;37m\]"


    #[Good Command]
    SMILEY="${GREEN}:)${NORMAL}"

    #[Bad Command]
    FROWNY="${RED}:(${NORMAL}"

    #[Command Judge]
    SELECT="if [ \$? = 0 ]; then echo \"${SMILEY}\"; else echo \"${FROWNY}\"; fi"

    #[Working PS1 output]
    PS1="${RESET}${LCYAN}\u ${RED}@ ${LCYAN}\h: ${YELLOW}\w\a~ \`${SELECT}\` ${YELLOW}\$ ${GREEN} ${NORMAL} "


    #------------------------------------------------------------------------------------------------------
    #------------------------------------------------------------------------------------------------------


    #[Aliases]
    alias du="du -bchsS"
    alias ll="ls -alhF --color=auto"
    alias ..='cd ..'
    alias ...='cd ../..'
    alias dfah='df -ah'
    alias mount='mount |column -t'
    alias now='date +"%T"'
    alias nowdate='date +"%d-%m-%Y"'
    alias vlspci='sudo lspci -vvnn'
    alias vi=vim
    alias disks='sudo blkid && sudo fdisk -l'

    alias svi='sudo vi'
    alias vis='vim "+set si"'
    alias edit='vim'
    alias ports='netstat -tulanp'
    alias apt-get="sudo apt-get"
    alias updatey="sudo apt-get --yes"
    alias update='sudo apt-get update && sudo apt-get upgrade'
    alias meminfo='free -m -l -t'
    alias psmem='ps auxf | sort -nr -k 4'
    alias psmem10='ps auxf | sort -nr -k 4 | head -10'
    alias pscpu='ps auxf | sort -nr -k 3'
    alias pscpu10='ps auxf | sort -nr -k 3 | head -10'
    alias cpuinfo='lscpu'
    ##alias cpuinfo='less /proc/cpuinfo' ##
    alias gpumeminfo='grep -i --color memory /var/log/Xorg.0.log'
    alias reboot='sudo /sbin/reboot'
    alias poweroff='sudo /sbin/poweroff'
    alias halt='sudo /sbin/halt'
    alias shutdown='sudo /sbin/shutdown'
    alias tftpstuff='sudo chmod 777 /tftp/* && sudo chown root:root /tftp/*'


    #------------------------------------------------------------------------------------------------------
    #------------------------------------------------------------------------------------------------------

    #[Backups] This section is where I have my backups defined.
    #    For more information, please check out my "Backups"
    #    blog. You can find it here:
    #    http://www.erdmanor.com/blog/debian-backups-command-line-way/

    alias backupall='sudo rsync -athvz --delete --exclude-from=/backups/exclude.list / /backups/computername/path/to/save/backups'


    Backing up Cisco Configurations for Routers, Switches and Firewalls

    I will add more about this when I have time. Until then, you should be able to just install python, paramiko and pexpect and run this script as-is (obviously changing the variables).

    This should give you all the software you need:

    sudo apt-get update
    sudo apt-get install python python-pexpect python-paramiko

    I plan on GREATLY increasing the ability of this script, adding additional functionality, as well as setting up a bash script that will be able to parse the configs, and perform much deeper backup abilities for ASAs.

    I have not tested this on Routers and Switches. I can tell you that the production 5520 HA Pair that I ran this script against was running “Cisco Adaptive Security Appliance Software Version 8.4(2)160”. Theoretically, I would believe that this would work with all 8.4 code and up, including the 9.x versions that are out as of the writing of this blog.

    Here you go! Full Scripted interrogation of Cisco ASA 5520 that can be setup to run on a CRON job.

    #!/usr/bin/python
    # Scripted interrogation of a Cisco ASA over SSH: log in, enter enable mode,
    # turn the pager off, and save the output of each "show" command to its own
    # file under <date>/<hostname>/. Needs python-pexpect.
    import argparse
    import datetime
    import os
    import pexpect


    ### DEFINE VARIABLES (defaults; each can be overridden on the command line)

    currentdate = datetime.datetime.now().strftime("%m-%d-%Y")   # output folder, e.g. 10-16-2014
    asahost = "192.168.222.1"
    tacacsuser = 'testuser'
    userpass = 'Password1'
    enpass = 'Password2'
    currenthostname = "TESTASA"

    parser = argparse.ArgumentParser(description='Collect "show" output from a Cisco ASA.')
    parser.add_argument('-u', '--user',     default=tacacsuser,      help='user name to login with (default=%(default)s)')
    parser.add_argument('-p', '--password', default=userpass,        help='password to login with')
    parser.add_argument('-e', '--enable',   default=enpass,          help='password for enable')
    parser.add_argument('-d', '--device',   default=asahost,         help='device to login to (default=%(default)s)')
    parser.add_argument('-n', '--name',     default=currenthostname, help='hostname used for the output folder (default=%(default)s)')
    args = parser.parse_args()
    tacacsuser, userpass, enpass = args.user, args.password, args.enable
    asahost, currenthostname = args.device, args.name

    # (ASA command, suffix of the output file, seconds to wait for the prompt to come back)
    COMMANDS = [
        ('show version',                  'sh-ver.txt',         50),
        ('more system:running-config',    'sh-run.txt',         999),
        ('show crypto isakmp sa',         'cryptoisakmp.txt',   50),
        ('dir disk0:',                    'dirdisk0.txt',       75),
        ('show interface',                'interfaces.txt',     100),
        ('show route',                    'show-route.txt',     300),
        ('show vpn-sessiondb detail',     'vpnsession.txt',     50),
        ('show vpn-sessiondb webvpn',     'webvpns.txt',        200),
        ('show vpn-sessiondb anyconnect', 'anyconnectvpns.txt', 999),
    ]


    def createDir():
        # create <date>/<hostname>/ if it does not exist yet and return its path
        outdir = os.path.join(currentdate, currenthostname)
        if not os.path.exists(outdir):
            os.makedirs(outdir)
        return outdir


    def captureCommand(child, command, suffix, timeout):
        # send one command and log everything the ASA sends back into its own file
        stamp = datetime.datetime.now().strftime("%m-%d-%Y")
        # binary mode: pexpect writes raw bytes to logfile_read (works on Python 2 and 3)
        fout = open(os.path.join(createDir(), currenthostname + stamp + suffix), 'wb')
        child.logfile_read = fout
        child.sendline(command)
        # wait for the enable mode prompt; long outputs (show run) get long timeouts
        child.expect('.*# ', timeout=timeout)
        child.logfile_read = None
        fout.close()


    def asaLogin():
        # start ssh
        child = pexpect.spawn('ssh ' + tacacsuser + '@' + asahost)
        # bigger read buffer for the long "show run" output
        child.maxread = 9999999
        # expect password prompt, send password
        child.expect('.*assword:.*')
        child.sendline(userpass)
        # expect user mode prompt, then go to enable mode
        child.expect('.*>.*')
        child.sendline('enable')
        child.expect('.*assword:.*')
        child.sendline(enpass)
        # expect enable mode prompt
        child.expect('#.*', timeout=10)
        # turn the pager off so output is not stopped by --More--
        child.sendline('terminal pager 0')
        child.expect('#.*', timeout=10)
        # run every show command and save its output
        for command, suffix, timeout in COMMANDS:
            captureCommand(child, command, suffix, timeout)
        # send exit and close the ssh session
        child.sendline('exit')
        child.close()


    def main():
        asaLogin()


    main()

    Here are all the websites that have provided help to me writing these scripts:
    http://www.802101.com/2014/06/automated-asa-ios-and-nx-os-backups.html
    http://yourlinuxguy.com/?p=300
    http://content.hccfl.edu/pollock/Unix/FindCmd.htm
    http://paulgporter.net/2012/12/08/30/
    http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html
    http://ubuntuforums.org/archive/index.php/t-106287.html
    http://stackoverflow.com/questions/12604468/find-and-delete-txt-files-in-bash
    http://stackoverflow.com/questions/9806944/grep-only-text-files
    http://unix.stackexchange.com/questions/132417/prompt-user-to-login-as-root-when-running-a-shell-script
    http://stackoverflow.com/questions/6961389/exception-handling-in-shell-scripting
    http://stackoverflow.com/questions/7140817/python-ssh-into-cisco-device-and-run-show-commands
    http://pastebin.com/qGRdQwpa
    http://blog.pythonicneteng.com/2012/11/pexpect-module.html
    https://pynet.twb-tech.com/blog/python/paramiko-ssh-part1.html
    http://twistedmatrix.com/pipermail/twisted-python/2007-July/015793.html
    http://www.lag.net/paramiko/
    http://www.lag.net/paramiko/docs/
    http://stackoverflow.com/questions/25127406/paramiko-2-tier-cisco-ssh
    http://rtomaszewski.blogspot.com/2012/08/problem-runing-ssh-or-scp-from-python.html
    http://www.copyandwaste.com/posts/view/pexpect-python-and-managing-devices-tratto/
    http://askubuntu.com/questions/344407/how-to-read-complete-line-in-for-loop-with-spaces
    http://stackoverflow.com/questions/10463216/python-pexpect-timeout-falls-into-traceback-and-exists
    http://stackoverflow.com/questions/21055943/pxssh-connecting-to-an-ssh-proxy-timeout-exceeded-in-read-nonblocking
    http://www.pennington.net/tutorial/pexpect_001/pexpect_tutorial.pdf
    https://github.com/npug/asa-capture/blob/master/asa-capture.py
    http://stackoverflow.com/questions/26227791/ssh-with-subprocess-popen


    Creating a Reverse Proxy with Apache2

    Sometimes you need to host multiple websites from one server, or from one external IP address. Whatever your reason, in this tutorial I'll go through what I did to set up an Apache server to forward requests.

    In my setup here, I have a Debian Wheezy server in my DMZ, and in my tier 2 DMZ I have 5 web servers. My objective is to host all these servers from 1 IP address, and introduce some security.

    I found a ton of info out there on setting up Apache as a reverse proxy, but none of it really spelled out exactly what to do and what the results would be. Some did, but it wasn't what I was looking for. So I took a bunch of what I saw others doing, modified it to fit my needs, and I'm reporting back to you here. I hope this helps.

    Lets get started.

    You’ll want a base install of Debian Wheezy which you can find at www.debian.org. After you download that, just follow my guide for install if you need: Debian Minimal Install: The base for all operations

    As I stated before, I have a bunch of web servers in my tier 2 DMZ, and a Debian box in my Internet facing DMZ. It is my intention that the web servers never actually communicate with the end users. I want my end users to talk to my Debian box, the Debian box to sanitize and optimize the web request, and then forward that request on to the web server. The web server will receive the request from the Debian box, process it, and send back all the necessary data to the Debian server, which will in turn reply to the end user who originally made the request.

    It sounds complicated to some people, but in reality it's pretty simple, and the reverse proxy is transparent to the end user. Most people don't even realize that many sites use this type of technology.

    My Debian server needs some software, so I installed these packages:

    sudo apt-get install apache2 libapache2-mod-evasive libapache2-mod-auth-openid libapache2-mod-geoip
    libapache2-mod-proxy-html libapache2-mod-spamhaus libapache2-mod-vhost-hash-alias libapache2-modsecurity

    Only "apache2" itself is strictly needed for what follows (mod_proxy and mod_proxy_http ship with it); the rest are for hardening I'll cover later.

    From here you’ll want to get into the Apache directory.

    cd /etc/apache2

    Let's get going with editing the main Apache config file. These are just recommendations, so you'll want to tweak them for whatever is best for your environment.

    sudo vim apache2.conf

    I raised the number of requests allowed per keep-alive connection for performance reasons. The default is 100.

    # MaxKeepAliveRequests: The maximum number of requests to allow
    # during a persistent connection. Set to 0 to allow an unlimited amount.
    # We recommend you leave this number high, for maximum performance.
    #
    MaxKeepAliveRequests 500

    Also, every security engineer knows that without logs you have no proof of anything happening. We'll cover log rotation and retention in another blog, but for now I set my logging to "notice". The default is "warn".

    # LogLevel: Control the number of messages logged to the error_log.
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    #
    LogLevel notice

    Perfect. Now, you may want to tweak your server a little differently, but for now this is all we need for here.

    Now let’s get into some security hardening of the server.

    sudo vim /etc/apache2/conf.d/security

    We do have security in mind, so let's not divulge any information that we don't need to. Set "ServerTokens Prod", so the Server header says only "Apache". The Debian default is "OS", which reveals the exact version and the OS to anyone who sends a request.

    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    #
    #ServerTokens Minimal
    #ServerTokens OS
    #ServerTokens Full
    ServerTokens Prod

    Now set "ServerSignature Off". The Debian default is On, which appends the server version and vhost name to every server-generated page (error documents, mod_status output and so on), undoing what we just did with ServerTokens.

    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of:  On | Off | EMail
    #
    #ServerSignature On
    ServerSignature Off

    And lastly, go ahead and uncomment these three lines near the bottom of the file. They do nothing until "mod_headers" is enabled, which we'll do next. Setting them on the proxy means every site behind it gets them, whether or not the backend sends them itself ("Header set" overwrites whatever the backend returned).

    Header set X-Content-Type-Options: "nosniff"

    Header set X-XSS-Protection: "1; mode=block"

    Header set X-Frame-Options: "sameorigin"

    Sweet, looking good. Go ahead and save that, and we can get "mod_headers" activated. First, you can see which modules are currently loaded with "sudo apache2ctl -M" (or just "ls /etc/apache2/mods-enabled"). Running "a2dismod" with no arguments works too: it asks which enabled module you'd like to disable, so anything it lists is already enabled. Just hit "Ctrl+C" to back out of it.

    To enable a module in Apache, you first need to make sure it's installed, then you can just use the program "a2enmod"… like this:

    sudo a2enmod headers

    Now that we've enabled "mod_headers", let's enable the other modules we need as well. Note the first attempt below fails: "a2enmod" writes to /etc/apache2/mods-enabled, so it needs sudo.

    steve @ reverseproxy ~ :) ᛤ>   a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    cache
    Enabling module cache.
    Could not create /etc/apache2/mods-enabled/cache.load: Permission denied
    steve @ reverseproxy ~ :( ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    cache
    Enabling module cache.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    proxy_ajp
    Considering dependency proxy for proxy_ajp:
    Module proxy already enabled
    Enabling module proxy_ajp.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    proxy_balancer
    Considering dependency proxy for proxy_balancer:
    Module proxy already enabled
    Enabling module proxy_balancer.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    proxy_connect
    Considering dependency proxy for proxy_connect:
    Module proxy already enabled
    Enabling module proxy_connect.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    proxy_ftp
    Considering dependency proxy for proxy_ftp:
    Module proxy already enabled
    Enabling module proxy_ftp.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    proxy_http
    Considering dependency proxy for proxy_http:
    Module proxy already enabled
    Enabling module proxy_http.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    rewrite
    Enabling module rewrite.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    vhost_alias
    Enabling module vhost_alias.
    To activate the new configuration, you need to run:
      service apache2 restart
    steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
    Which module(s) do you want to enable (wildcards ok)?
    vhost_hash_alias
    Enabling module vhost_hash_alias.
    To activate the new configuration, you need to run:
      service apache2 restart

    Here is a list of the modules I just enabled:
    cache proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http rewrite vhost_alias vhost_hash_alias

    Strictly speaking, only "proxy", "proxy_http" and "headers" are required for the config below; "cache", "proxy_ajp", "proxy_balancer" and the vhost modules are there for things I may use later. "proxy_connect" is different: it only handles CONNECT tunnels for a forward proxy, which a reverse proxy never needs, so you can leave it disabled ("sudo a2dismod proxy_connect"). The same goes for "proxy_ftp" unless you actually have an FTP backend.

    Now let’s just restart Apache, and keep going.

    steve @ reverseproxy ~ :) ᛤ>   sudo service apache2 restart
    [ ok ] Restarting web server: apache2 ... waiting .

    Perfect, moving right along… Now we need to set up a new file in the "/etc/apache2/sites-available" directory. I named mine "reverseproxy", as it's easy to figure out what it is.

    Now, to correctly set up your reverse proxy, this server should not be hosting ANY websites. This is a proxy server, not a web host. So go ahead and remove the symlink for the default site ("sudo a2dissite default" does the same thing):

    sudo rm /etc/apache2/sites-enabled/000-default

    Now we can edit our "reverseproxy" file.

    sudo vim /etc/apache2/sites-available/reverseproxy

    Two things about the config below that most reverse proxy write-ups skip. First, "ProxyRequests Off": it is the Apache default, but I set it explicitly, because if it ever ends up On, the "Allow from all" inside <Proxy *> turns this box into an open forward proxy for anyone on the Internet. Second, the error log and the access log go to separate files; mixing both into one file makes each of them harder to parse later. (Name-based vhosts on Apache 2.2 also need "NameVirtualHost *:80", which Debian's ports.conf already sets.)

    #enter this code into your file

    <VirtualHost *:80>
      ServerName yoursite.info
      ServerAlias www.yoursite.info yoursite.info
      ServerAdmin info@yoursite.info
      ProxyRequests Off
      ProxyPreserveHost On
      ProxyPass / http://www.yoursite.info/
      ProxyPassReverse / http://www.yoursite.info/
      <Proxy *>
            Order allow,deny
            Allow from all
      </Proxy>
      ErrorLog /var/log/apache2/yoursite.info-error.log
      CustomLog /var/log/apache2/yoursite.info-access.log combined
    </VirtualHost>

    <VirtualHost *:80>
      ServerName anothersite.com
      ServerAlias anothersite.com www.anothersite.com
      ServerAdmin info@anothersite.com
      ProxyRequests Off
      ProxyPreserveHost On
      ProxyPass / http://www.anothersite.com/
      ProxyPassReverse / http://www.anothersite.com/
      <Proxy *>
            Order allow,deny
            Allow from all
      </Proxy>
      ErrorLog /var/log/apache2/anothersite.com-error.log
      CustomLog /var/log/apache2/anothersite.com-access.log combined
    </VirtualHost>

    <VirtualHost *:80>
      ServerName thirdsite.cc
      ServerAlias thirdsite.cc www.thirdsite.cc
      ServerAdmin info@thirdsite.cc
      ProxyRequests Off
      ProxyPreserveHost On
      ProxyPass / http://www.thirdsite.cc/
      ProxyPassReverse / http://www.thirdsite.cc/
      <Proxy *>
            Order allow,deny
            Allow from all
      </Proxy>
      ErrorLog /var/log/apache2/thirdsite.cc-error.log
      CustomLog /var/log/apache2/thirdsite.cc-access.log combined
    </VirtualHost>

    Awesome, now save that file and we can get it enabled. Just like enabling modules, we sym-link our new file into the "sites-enabled" folder ("sudo a2ensite reverseproxy" creates the same link):

    sudo ln -s /etc/apache2/sites-available/reverseproxy /etc/apache2/sites-enabled

    Now we can just reload Apache (no restart required) so that it picks up the new settings. Running "sudo apache2ctl configtest" first will catch any typo before the reload.

    sudo service apache2 reload

    Now we need to edit the /etc/hosts file so that our reverse proxy knows where to push site traffic on our tier 2 DMZ. The ProxyPass lines above point at the public hostnames, so without these entries the proxy would resolve its own public address and loop back on itself; the /etc/hosts entries override DNS locally so those names resolve to the backend servers instead. (If you'd rather not depend on that, put the backend IP directly in ProxyPass and ProxyPassReverse and skip this step.) So let's do that:

    127.0.0.1       localhost
    127.0.1.1       reverseproxy.internal.dmz  reverseproxy
    192.168.0.26   www.thirdsite.cc
    192.168.0.26   thirdsite.cc
    192.168.0.26   www.anothersite.com
    192.168.0.26   anothersite.com
    192.168.0.65   www.yoursite.info
    192.168.0.65   yoursite.info

    # The following lines are desirable for IPv6 capable hosts
    ::1     localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    Sweet, all done!
    Now you can test from a computer outside the proxy that all your sites are working. They *should* be! 🙂 A quick way to check the hardening at the same time is "curl -sI -H 'Host: yoursite.info' http://PROXY-IP/" (PROXY-IP being your proxy's address): the response should carry "Server: Apache" with no version string, plus the three X- headers we uncommented.
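    As an added example (not code from the original post), here is a small POSIX shell script that does two things this procedure leaves to the reader. "render_vhost" writes one hardened vhost for a site given the backend's address, so the /etc/hosts trick above is not needed and "ProxyRequests Off" is stated explicitly. "audit_headers" checks a captured HTTP response for the settings made in conf.d/security (ServerTokens Prod and the three X- headers), so you can confirm the proxy is really sending them. The script name "proxycheck.sh", the two captured responses and the use of the post's 192.168.0.x backend addresses are assumptions for the example; with "--live URL" it runs curl against a real proxy instead of the samples.

```sh
#!/bin/sh
# Added example, not code from the original post. Two helpers for the
# procedure above: render_vhost writes one hardened reverse-proxy vhost per
# site, and audit_headers checks a captured HTTP response for the settings
# made in conf.d/security (ServerTokens Prod plus the three X- headers).
# Hostnames, backend addresses and captured responses are all constructed.

# render_vhost NAME BACKEND_URL
# Emits an Apache 2.2 name-based vhost for NAME (and www.NAME) that proxies
# to BACKEND_URL. The backend is given by address, so the /etc/hosts
# override from the post is not needed and the proxy can never loop back
# to itself.
render_vhost() {
    name="$1"
    backend="$2"
    cat <<EOF
<VirtualHost *:80>
  ServerName ${name}
  ServerAlias www.${name}
  ServerAdmin info@${name}
  # Off is the Apache default, but stated explicitly: with ProxyRequests On,
  # "Allow from all" below would make this box an open forward proxy.
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / ${backend}/
  ProxyPassReverse / ${backend}/
  <Proxy *>
    Order allow,deny
    Allow from all
  </Proxy>
  ErrorLog /var/log/apache2/${name}-error.log
  CustomLog /var/log/apache2/${name}-access.log combined
</VirtualHost>
EOF
}

# audit_headers
# Reads an HTTP response header block on stdin, prints "ok" or "MISSING" for
# each check and returns 0 only if all of them pass. Matching is
# case-insensitive, which is how browsers treat header names and the
# X-Frame-Options value. A "Server: Apache/2.2.22 (Debian)" line fails the
# first check, because ServerTokens Prod reduces it to exactly "Server: Apache".
audit_headers() {
    hdrs=$(tr -d '\r')
    failed=0
    for spec in \
        'Server token reduced to "Apache"|^Server: Apache$' \
        'X-Content-Type-Options nosniff|^X-Content-Type-Options: *nosniff$' \
        'X-Frame-Options sameorigin|^X-Frame-Options: *sameorigin$' \
        'X-XSS-Protection 1; mode=block|^X-XSS-Protection: *1; *mode=block$'
    do
        label=${spec%%|*}
        regex=${spec#*|}
        if printf '%s\n' "$hdrs" | grep -Eiq "$regex"; then
            printf 'ok      %s\n' "$label"
        else
            printf 'MISSING %s\n' "$label"
            failed=1
        fi
    done
    return $failed
}

# Constructed sample: a response from the proxy after conf.d/security has
# been edited as in the post and mod_headers is enabled.
HARDENED='HTTP/1.1 200 OK
Date: Mon, 01 Jun 2015 12:00:00 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Content-Type: text/html; charset=UTF-8'

# Constructed sample: Debian Wheezy defaults (ServerTokens OS, Header lines
# still commented out). The version string is what we want gone.
DEFAULT='HTTP/1.1 200 OK
Date: Mon, 01 Jun 2015 12:00:00 GMT
Server: Apache/2.2.22 (Debian)
Content-Type: text/html; charset=UTF-8'

# Usage:  sh proxycheck.sh              renders a vhost, audits both samples
#         sh proxycheck.sh --live URL   audits a running proxy (needs curl)
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    curl -sI "$2" | audit_headers
else
    render_vhost yoursite.info http://192.168.0.65
    echo "--- hardened sample ---"
    printf '%s\n' "$HARDENED" | audit_headers
    echo "--- Debian default sample ---"
    printf '%s\n' "$DEFAULT" | audit_headers || true
fi
```

    Run it without arguments to see the rendered vhost and the two audits side by side; the Debian default sample fails all four checks, the hardened one passes. Note that X-XSS-Protection is checked only because the post enables it: current browsers ignore that header, so treat it as harmless rather than protective, and rely on the other two plus proper output encoding on the backends.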

    I’ll work on a blog eventually to show how to enable mod_security with this setup so that we can sanitize user interaction with our site. Our visitors are probably good people, but attackers and skiddies are always out there trying to damage stuff.

    Thanks for reading!!

    References:
    http://ubuntuguide.org/wiki/Apache2_reverse_proxies
    http://www.raskas.be/blog/2006/04/21/reverse-proxy-of-virtual-hosts-with-apache-2/
    http://www.askapache.com/hosting/reverse-proxy-apache.html
    http://www.integratedwebsystems.com/2010/06/multiple-web-servers-over-a-single-ip-using-apache-as-a-reverse-proxy/
    http://httpd.apache.org/docs/current/vhosts/examples.html
    http://geek-gogie.blogspot.com/2013/01/using-reverse-proxy-in-apache-to-allow.html
    http://www.ducea.com/2006/05/30/managing-apache2-modules-the-debian-way/
    http://www.akadia.com/services/apache_redirect.html
    http://unixhelp.ed.ac.uk/manual/mod/mod_proxy.html
    https://httpd.apache.org/docs/2.2/vhosts/
    https://httpd.apache.org/docs/2.2/vhosts/name-based.html
    https://httpd.apache.org/docs/2.2/vhosts/examples.html
    https://httpd.apache.org/docs/2.2/vhosts/mass.html
    https://httpd.apache.org/docs/2.2/vhosts/details.html


    Open Source can save you millions: Part 1, the intro…

    After dealing with some vendors in the last couple of years, I've come to realize one major theme keeps rearing its ugly head: vendor sales people will tell you anything to get you to buy their product or service, regardless of whether their product/service is the best solution at the best price out there.

    Now, wait just a minute. I'm not going to demonize salesmen or be some hippie tree hugger and say, "don't buy commercial products, man!". Some companies and products are pretty damn good. Some are definitely not. Some are ridiculously expensive; some are not. But how do you know which ones to actually spend money on, or not to spend money on, if your company, or your personal outlook on life, is telling you to just listen to a vendor and buy his products? When was the last time you went to your grey beards and asked them if they have a solution to your problem?

    Well, I’m not a grey beard, but I am a big proponent of the “DIY” projects. I try to do things around my house all the time, and that includes my home network. I also carry that philosophy into work.

    This is a multi-part blog that is going to attempt to outline why I'd rather spend $100,000/yr on a salary for a good worker than spend that same amount on some appliance to install in the data center. Here we'll be talking about replacing products from companies like CA, Centrify and others with some already built-in modules in your Linux/Unix environments that many people don't even know they have. We'll talk about that topic in the next blog, though, because in this one I really want to focus on the fact that good security and IT products can be difficult to come by. And sometimes you already have a solution to your problem inside your organization, but don't know it yet. Don't automatically think that if there is a problem, the solution is to buy another product or service from your vendor supply chain. Stop throwing money at the problem hoping it will work out!

    Here's what I started with. There is a large need to get our whole Linux/Unix environment to authenticate to Active Directory (AD). Just like the VAST majority of companies out there, we are largely a Microsoft shop. News flash: almost everyone is. And that's because AD is the best at what it does; no one comes close. Same for Microsoft Exchange; I beg you to tell me who makes a product that comes anywhere close to what Exchange does. Regardless, we need to authenticate to AD from Linux/Unix, and the costs surrounding 3rd party vendors are ridiculous. Now I know people need to make money, but over $100 grand every couple of years for software and support is insane for a task as simple as this. I talked to a co-worker and he led me down the path of, "Why pay to do it when you can do it for, well, basically free?"

    Free is a relative term, right? I mean, "there is no such thing as a free lunch." So you're paying my salary, and the salary of a Linux/Unix admin, and whoever else, but weren't you already paying those salaries? And how much does it cost your company to have a (most likely well paid) Linux/Unix admin sitting around all day doing account provisioning, password resets and setting up users to have the specific access they need? Shouldn't your account provisioning team be doing that? The costs of that are pretty high. According to a Gartner study it could cost up to $600,000/yr just to sit there resetting passwords on 300 Linux/Unix systems. Now, that number is pretty high. They base it on $17 per password reset × 300 servers × 30 accounts per server, which is $153,000 per round of resets, times 4 rounds a year = $612 grand.

    Whether or not you're doing that many password resets is irrelevant. Let's say a password reset costs $10 in time, and let's say you're resetting 50 passwords a week. You're still spending over $25,000/year on password resets! And that doesn't even account for user account management, managing the rest of your server fleet, managing all the "passwd" and "shadow" files on those servers, etc… So in reality, are you going to spend $125 grand on a solution to save $25 grand? I don't think so. But how about spending $0 to save $25 grand? 🙂

    So, at the end of the day, all I'm trying to convey here is that you need to rely on your employees. If you give them the tools to succeed, allow them the latitude to innovate, and treat your business like a small business, I promise you'll get cost savings and better service.
