Re: [Vyatta-users] Bandwidth limitation

2008-02-04 Thread Aubrey Wells
This example from Shane worked well for me with some slight  
adaptations to fit my environment. I'd suggest playing around with it.


http://www.hackosis.com/index.php/2007/11/08/linux-router-bandwidth-management-example/

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com





On Feb 5, 2008, at 1:17 AM, Dams wrote:


great :-)

so, if i read well some previous post Alpha 2 should be up this month,
and April for the release version.
I may try the alpha 2 version, when it's ready for download.

Thanks
Dams



On Feb 5, 2008 12:53 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
Coming soon in a Glendale build near to you :-)

Justin

On Feb 4, 2008 9:26 PM, Dams <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I would like to know if there is an option in vyatta to limit the bandwidth
> on specific ip or all ip ?
>
> Thanks
>
> --
> Cordialement / Sincerely
> Dams
>
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>



--
Cordialement / Sincerely
Damien HERITIER
MEP Volunteer Indonesia / Volontaire MEP Indonesia
http://www.mepasie.org




Re: [Vyatta-users] WAN Load Balancing

2008-02-04 Thread abhilash s
Hi ,

Thanks for your quick reply. I agree that we can test the multiple
WAN load balancing feature before it is released to help with your
testing. But one thing I forgot to mention about the broadband
connection, is that it has a maximum data transfer of 20GB per month.
That is why we were using the below plan:

* The leased line connection is all traffic till 11 AM  (it is set to
the default gateway)
* After 11:00AM, we switch the default gateway to the broadband
connection for all internet traffic, and add a static route so that
VPN traffic remains on the leased line.
* After 5:00PM, we reset this back to the original configuration

We don't want to exceed the maximum limit of 20GB on the broadband connection.

Is it possible to limit the bandwidth usage of the broadband
connection using the multiple WAN loadbalancing ?  That is why we were
thinking of using OSPF, so that we could increase the "cost" of the
2Mb connection as we approach the maximum.  With this new requirement,
does OSPF still make sense for us?  If not, could you explain why OSPF
may not be the choice for us?

Thanks,

Abhilash S
Ascella Technologies, Inc.
www.ascellatech.com


Re: [Vyatta-users] Bandwidth limitation

2008-02-04 Thread Dams
great :-)

so, if i read well some previous post Alpha 2 should be up this month,
and April for the release version.
I may try the alpha 2 version, when it's ready for download.

Thanks
Dams



On Feb 5, 2008 12:53 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:

> Coming soon in a Glendale build near to you :-)
>
> Justin
>
> On Feb 4, 2008 9:26 PM, Dams <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I would like to know if there is an option in vyatta to limit the bandwidth
> > on specific ip or all ip ?
> >
> > Thanks
> >
> > --
> > Cordialement / Sincerely
> > Dams
> >
> >
> >
> >
>



-- 
Cordialement / Sincerely
Damien HERITIER
MEP Volunteer Indonesia / Volontaire MEP Indonesia
http://www.mepasie.org


Re: [Vyatta-users] ps3

2008-02-04 Thread Justin Fletcher
Port forwarding should be straight-forward with the Vyatta CLI; look for recent
ssh examples on this list.

Personally, I'd create a rule for each protocol and port/port range.

Best,
Justin

On Feb 4, 2008 8:31 PM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> Hey guys, I finally got my old comp which is running vyatta to now be a
> wireless vyatta router.  So I can connect my Playstation 3 to the router
> and it goes on the network and most things work.  However it only has
> what playstation calls nat3.  This is because it isn't getting all the
> ports it needs.  The playstation 3 needs:
>
> • TCP Ports: 80, 443, 5223, and 10070 - 10080
> • UDP Ports: 3478, 3479, 3658, and 10070
>
> I don't care about 80 and 443.  However I really want to get nat2
> working because I'm having issues with Unreal III.  What would be the
> best way to do this?  Can / should I create an iptables rule to make a
> DMZ zone?  I had to make the firewall with iptables not vyatta cause I
> couldn't figure it out... :'(  Should I just create a nat rule for each
> port and forward it to my playstation's ip after setting it as static?
>
> Thanks,
> Nate
>


Re: [Vyatta-users] Bandwidth limitation

2008-02-04 Thread Justin Fletcher
Coming soon in a Glendale build near to you :-)

Justin

On Feb 4, 2008 9:26 PM, Dams <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I would like to know if there is an option in vyatta to limit the bandwidth
> on specific ip or all ip ?
>
> Thanks
>
> --
> Cordialement / Sincerely
> Dams
>
>


Re: [Vyatta-users] vLAN & Switch

2008-02-04 Thread Justin Fletcher
Definitely.  It's part of the VLAN tag.

Best,
Justin

On Feb 4, 2008 9:26 PM, Go Wow <[EMAIL PROTECTED]> wrote:
> Hey
>
>  I Have configured vlan in vyatta and bought a vlan enabled switch its
> D-link DES-1226. I want to know when configuring the switch whether I
> need to give the VID in switch the same as the vLAN ID is created in
> vyatta?


[Vyatta-users] vLAN & Switch

2008-02-04 Thread ken Felix
Yes, that's the purpose of vlans. All traffic in vlan ID XXX is tagged 
so the switch knows to send it to all members of Vlan XXX. You have to 
have matching tags on both ends.

If you did not, most switches and host NICs will just discard any
unrecognized vlan tag(s).
  



[Vyatta-users] vLAN & Switch

2008-02-04 Thread Go Wow
Hey

 I Have configured vlan in vyatta and bought a vlan enabled switch its
D-link DES-1226. I want to know when configuring the switch whether I
need to give the VID in switch the same as the vLAN ID is created in
vyatta?


[Vyatta-users] Bandwidth limitation

2008-02-04 Thread Dams
Hi,

I would like to know if there is an option in vyatta to limit the bandwidth
on specific ip or all ip ?

Thanks

-- 
Cordialement / Sincerely
Dams


[Vyatta-users] ps3

2008-02-04 Thread Nathan McBride
Hey guys, I finally got my old comp which is running vyatta to now be a
wireless vyatta router.  So I can connect my Playstation 3 to the router
and it goes on the network and most things work.  However it only has
what playstation calls nat3.  This is because it isn't getting all the
ports it needs.  The playstation 3 needs:

• TCP Ports: 80, 443, 5223, and 10070 - 10080
• UDP Ports: 3478, 3479, 3658, and 10070

I don't care about 80 and 443.  However I really want to get nat2
working because I'm having issues with Unreal III.  What would be the
best way to do this?  Can / should I create an iptables rule to make a
DMZ zone?  I had to make the firewall with iptables not vyatta cause I
couldn't figure it out... :'(  Should I just create a nat rule for each
port and forward it to my playstation's ip after setting it as static?

Thanks,
Nate



Re: [Vyatta-users] Vyatta as a company

2008-02-04 Thread Dave Roberts
> Thank you very much for filling in those blanks for me! I 
> swear the more and more I learn about you guys the more in 
> love I fall ;) I'm just playing with Vyatta right now, but 
> once I feel comfortable enough with it to put it into 
> production, you best I will commit to a support contract!
> Thanks again and go team! :p

No problem. And thanks for your support, whatever you decide to do. If
you're really falling in love with Vyatta, be sure to write a Dear John
letter to those other guys ;-):
http://www.vyatta.com/secret/dearjohn/

-- Dave



Re: [Vyatta-users] Vyatta as a company

2008-02-04 Thread Max
Thank you very much for filling in those blanks for me! I swear the
more and more I learn about you guys the more in love I fall ;)
I'm just playing with Vyatta right now, but once I feel comfortable
enough with it to put it into production, you best I will commit to a
support contract!
Thanks again and go team! :p

On Feb 4, 2008 6:40 PM, Dave Roberts <[EMAIL PROTECTED]> wrote:
> The Vyatta business model is essentially very Red Hat-like: we sell
> subscriptions, professional services, training, etc. Yes, we have real
> (talented!) staff. Yes, we pay salaries. ;-) The fact is, the Vyatta team
> comprises veterans from Cisco, Juniper, Nortel, and other leading
> networking companies, as well as Linux kernel experts, and on and on. This
> is a talented crew that have previously built many of the products that
> compete with Vyatta. Our support staff have built and supported large
> networks and consistently receive high marks for their 'can do' support
> levels.
>
> And yes, customers definitely pay us for all this. As John confirms, our
> customers are quite satisfied with our services. In the same way that some
> people use a free version of Linux such as Fedora, there are many others
> who are developing business-critical infrastructure and want the services
> of a supported product to help them. This leads them to choose supported
> products like RHEL (or SuSE, or Ubuntu LTS, etc.). In the same way, Vyatta
> customers choose the subscription edition rather than the community
> edition.
>
> The great thing about open source is that you can get the best of both
> worlds: the support of a commercial offering with the open community and
> rapid innovation of an open source code base.
>
> As for funding, yes, we are venture-funded.
>
> If you're interested in Vyatta-the-company, you can find out more about us
> on the Vyatta web site. We hope you'll look past the dodgy backgrounds of
> the management team ( ;-) ). Believe me when I say that it's the Vyatta
> staff that makes this place so great.
>
> So, finally, while this is our community mailing list and I don't want to
> make anybody feel guilty for using the community version of our code, let
> me respectfully ask for your business. If you're using Vyatta in a
> commercial setting, please consider purchasing subscriptions. I think
> you'll be tremendously satisfied with the value you receive. We're not a
> charity and we earn every sale.
>
> Apologies for the rampant commercialism. We now return you to your regular
> series of technical questions and community discussion.
>
> -- Dave
>
>
>
> > Well I expected that! Are there really that many commercial
> > subscribers to pay for a full time staff?
> > Did you guys need to get funding to get started? Venture capital?
> >
> >
> > On Feb 4, 2008 5:47 PM, John Jolet <[EMAIL PROTECTED]> wrote:
> > >  From people like me that pay for supported version :) and they have
> > > real staff, I've talked to some of them... especially the tech support
> > > folks who have consistently gone above and beyond to help me with
> > > issues... Robyn rocks!
> > >
> > >
> > > Max wrote:
> > > > This is kind of a weird question, but I'm curious how you guys make
> > > > any money? I mean, you have this wonderful product, 100% open
> > > > source, but how do you guys keep the lights on at the office?
> > > > Support contracts? Do you guys have a real staff? Employees with
> > > > salaries? A bulletin board in the break room with all the human
> > > > resources crap on it?
> > > >  Haha! seriously guys?
>
>


Re: [Vyatta-users] IPSec Termination

2008-02-04 Thread Stig Thormodsrud
Ken,

You are right that changing the "auto=start" line will change this
behavior.  Initially our goal was to have a fairly simple configuration to
bring-up a tunnel, but over time we'll need to add more options to the vpn
cli.  The last time this came up I opened an enhancement request to make
this configurable (https://bugzilla.vyatta.com/show_bug.cgi?id=2506).
Maybe I should increase the priority of that bug?

Note: changes to /etc/ipsec.conf will be lost on a reboot.  If you want to
change the behavior such that it will survive a reboot you can edit
/opt/vyatta/libexec/xorp/vpn-config.pl (search for "auto=start").

stig

> Couldn't you get the same thing with the VPN dead peer-detect set to
> HOLD?
> 
> Under strongswan for example, there's a setting that would allow you to
> auto=start  or auto=ignore, if you could add this, you should be okay.
> Here's how my  vyatta ipsec.conf looks;
> 
> conn peer-1.1.1.1-tunnel-1
>  left=1.1.1.1
>  right=2.2.2.2
>  leftsubnet=192.168.254.0/24
>  rightsubnet=192.168.255.0/24
>  ike=3des-md5-modp1024
>  ikelifetime=28800s
>  aggrmode=no
>  dpddelay=30s
>  dpdtimeout=60s
>  dpdaction=restart
>  esp=3des-md5
>  keylife=3000s
>  rekeymargin=540s
>  type=tunnel
>  pfs=no
>  compress=yes
>  authby=secret
>  auto=start
> 
> If the last line was set to auto=ignore, then I would think ipsec would
> be started and the host would wait for the far-end ( right ) to
> initiate the session.
> 
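What each `auto=` value means for who brings the tunnel up, as an added shell example (not code from the thread or from Vyatta). It parses an ipsec.conf in the format quoted above, using the `auto=` semantics documented in ipsec.conf(5) for Openswan and strongSwan, and also flags the 3DES, MD5, modp1024 and `pfs=no` choices visible in the posted conn. The `%default`, `responder-only` and `parked` sections of the sample are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Vyatta.
# Reads an ipsec.conf on stdin and prints one line per conn:
#   name|auto|startup behaviour|legacy settings
# Only auto= is inherited from "conn %default" here, and only by conns that
# follow it; algorithm lines are checked on the conn that carries them.

audit_ipsec_conf() {
  awk '
    function emit(   a, r) {
      if (name == "" || name == "%default") return
      # No auto= on the conn: use conn %default, else the built-in "ignore".
      a = (auto != "") ? auto : (dflt != "" ? dflt : "ignore")
      r = (a in role) ? role[a] : "unrecognised auto value"
      printf "%s|%s|%s|%s\n", name, a, r, (weak == "" ? "-" : weak)
    }
    function note(s) { weak = (weak == "") ? s : weak "," s }
    BEGIN {
      role["start"]  = "loaded and initiated at startup"
      role["route"]  = "loaded, initiated when matching traffic appears"
      role["add"]    = "loaded, waits for the peer to initiate"
      role["ignore"] = "not loaded"
    }
    /^[ \t]*(#|$)/ { next }
    /^(conn|config)[ \t]/ {
      emit(); name = ($1 == "conn") ? $2 : ""; auto = ""; weak = ""; next
    }
    {
      line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
      eq = index(line, "="); if (!eq) next
      key = substr(line, 1, eq - 1); val = tolower(substr(line, eq + 1))
      gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
      if (key == "auto") { if (name == "%default") dflt = val; else auto = val }
      if (key == "ike" || key == "esp") {
        if (val ~ /3des/) note(key ":3des")
        if (val ~ /md5/)  note(key ":md5")
        if (match(val, /modp(768|1024)/)) note(key ":" substr(val, RSTART, RLENGTH))
      }
      if (key == "pfs" && val == "no") note("pfs=no")
    }
    END { emit() }
  '
}

# Constructed input: the conn from the thread (addresses are the poster's
# placeholders) preceded by a %default section and followed by two
# hypothetical conns.
sample_ipsec_conf() {
  cat <<'EOF'
conn %default
 auto=add

conn peer-1.1.1.1-tunnel-1
 left=1.1.1.1
 right=2.2.2.2
 leftsubnet=192.168.254.0/24
 rightsubnet=192.168.255.0/24
 ike=3des-md5-modp1024
 dpdaction=restart
 esp=3des-md5
 pfs=no
 authby=secret
 auto=start

conn responder-only
 left=1.1.1.1
 right=2.2.2.2
 authby=secret

conn parked
 left=1.1.1.1
 right=2.2.2.2
 auto=ignore
EOF
}

sample_ipsec_conf | audit_ipsec_conf
```

Run against the real file with `audit_ipsec_conf < /etc/ipsec.conf`; as noted above, manual changes to that file do not survive a reboot.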


Re: [Vyatta-users] Vyatta as a company

2008-02-04 Thread Dave Roberts
The Vyatta business model is essentially very Red Hat-like: we sell
subscriptions, professional services, training, etc. Yes, we have real
(talented!) staff. Yes, we pay salaries. ;-) The fact is, the Vyatta team
comprises veterans from Cisco, Juniper, Nortel, and other leading
networking companies, as well as Linux kernel experts, and on and on. This
is a talented crew that have previously built many of the products that
compete with Vyatta. Our support staff have built and supported large
networks and consistently receive high marks for their 'can do' support
levels.

And yes, customers definitely pay us for all this. As John confirms, our
customers are quite satisfied with our services. In the same way that some
people use a free version of Linux such as Fedora, there are many others
who are developing business-critical infrastructure and want the services
of a supported product to help them. This leads them to choose supported
products like RHEL (or SuSE, or Ubuntu LTS, etc.). In the same way, Vyatta
customers choose the subscription edition rather than the community
edition.

The great thing about open source is that you can get the best of both
worlds: the support of a commercial offering with the open community and
rapid innovation of an open source code base.

As for funding, yes, we are venture-funded.

If you're interested in Vyatta-the-company, you can find out more about us
on the Vyatta web site. We hope you'll look past the dodgy backgrounds of
the management team ( ;-) ). Believe me when I say that it's the Vyatta
staff that makes this place so great.

So, finally, while this is our community mailing list and I don't want to
make anybody feel guilty for using the community version of our code, let
me respectfully ask for your business. If you're using Vyatta in a
commercial setting, please consider purchasing subscriptions. I think
you'll be tremendously satisfied with the value you receive. We're not a
charity and we earn every sale.

Apologies for the rampant commercialism. We now return you to your regular
series of technical questions and community discussion.

-- Dave


> Well I expected that! Are there really that many commercial 
> subscribers to pay for a full time staff?
> Did you guys need to get funding to get started? Venture capital?
> 
> 
> On Feb 4, 2008 5:47 PM, John Jolet <[EMAIL PROTECTED]> wrote:
> >  From people like me that pay for supported version :) and they have
> > real staff, I've talked to some of them... especially the tech support
> > folks who have consistently gone above and beyond to help me with
> > issues... Robyn rocks!
> >
> >
> > Max wrote:
> > > This is kind of a weird question, but I'm curious how you guys make
> > > any money? I mean, you have this wonderful product, 100% open
> > > source, but how do you guys keep the lights on at the office?
> > > Support contracts? Do you guys have a real staff? Employees with
> > > salaries? A bulletin board in the break room with all the human
> > > resources crap on it?
> > >  Haha! seriously guys?



[Vyatta-users] Vyatta as a company

2008-02-04 Thread ken Felix
If you look at the services on the Vyatta website then it would be clear
that they offer more than just OpenSources.

http://www.vyatta.com/products/index.php

They have support, appliances, services, etc. A lot of businesses have no
problems paying their fees. In reality a vyatta solution is much much
less than cisco or juniper. To give you an idea, my last 2 jobs we
had over 30K in support services fees going to cisco ;(



[Vyatta-users] IPSec Termination

2008-02-04 Thread ken Felix
Couldn't you get the same thing with the VPN dead peer-detect set to 
HOLD?

Under strongswan for example, there's a setting that would allow you to
auto=start  or auto=ignore, if you could add this, you should be okay.
Here's how my  vyatta ipsec.conf looks;

conn peer-1.1.1.1-tunnel-1
 left=1.1.1.1
 right=2.2.2.2
 leftsubnet=192.168.254.0/24
 rightsubnet=192.168.255.0/24
 ike=3des-md5-modp1024
 ikelifetime=28800s
 aggrmode=no
 dpddelay=30s
 dpdtimeout=60s
 dpdaction=restart
 esp=3des-md5
 keylife=3000s
 rekeymargin=540s
 type=tunnel
 pfs=no
 compress=yes
 authby=secret
 auto=start

If the last line was set to auto=ignore, then I would think ipsec would
be started and the host would wait for the far-end ( right ) to
initiate the session.



Re: [Vyatta-users] Vyatta as a company

2008-02-04 Thread Max
Well I expected that! Are there really that many commercial
subscribers to pay for a full time staff?
Did you guys need to get funding to get started? Venture capital?


On Feb 4, 2008 5:47 PM, John Jolet <[EMAIL PROTECTED]> wrote:
>  From people like me that pay for supported version :)
> and they have real staff, I've talked to some of them... especially the
> tech support folks who have consistently gone above and beyond to help
> me with issues... Robyn rocks!
>
>
> Max wrote:
> > This is kind of a weird question, but I'm curious how you guys make
> > any money? I mean, you have this wonderful product, 100% open source,
> > but how do you guys keep the lights on at the office? Support
> > contracts? Do you guys have a real staff? Employees with salaries? A
> > bulletin board in the break room with all the human resources crap on
> > it?
> >  Haha! seriously guys?


Re: [Vyatta-users] Vyatta as a company

2008-02-04 Thread John Jolet
 From people like me that pay for supported version :)
and they have real staff, I've talked to some of them... especially the
tech support folks who have consistently gone above and beyond to help
me with issues... Robyn rocks!

Max wrote:
> This is kind of a weird question, but I'm curious how you guys make
> any money? I mean, you have this wonderful product, 100% open source,
> but how do you guys keep the lights on at the office? Support
> contracts? Do you guys have a real staff? Employees with salaries? A
> bulletin board in the break room with all the human resources crap on
> it?
>  Haha! seriously guys?


[Vyatta-users] Vyatta as a company

2008-02-04 Thread Max
This is kind of a weird question, but I'm curious how you guys make
any money? I mean, you have this wonderful product, 100% open source,
but how do you guys keep the lights on at the office? Support
contracts? Do you guys have a real staff? Employees with salaries? A
bulletin board in the break room with all the human resources crap on
it?
 Haha! seriously guys?


Re: [Vyatta-users] help: how to configure ssh login only one ip

2008-02-04 Thread Go Wow
Enable the ssh from command line for webgui and then add firewall
settings to allow ssh from only one ip that you desire, rest all will
be blocked automatically.


Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
No problemo, will do.

I'm still annoyed that someone managed to get in.
Maybe tripwire would be nice on the box?

2008/2/4, Nathan McBride <[EMAIL PROTECTED]>:
>
> Correct, you have to drop down to the linux cli, not vyatta's.
>
> On Mon, 2008-02-04 at 14:08 -0500, Aubrey Wells wrote:
> > As far as I could tell, you can't set up key-only auth in the CLI. If
> > you drop an authorized_keys file in to each user's ~/.ssh directory,
> > and set PasswordAuthentication=no in sshd.conf you will enable
> > key-only auth.
> >
> > --
> > Aubrey Wells
> > Senior Engineer
> > Shelton | Johns Technology Group
> > 404.478.2790
> > Support: [EMAIL PROTECTED]
> > www.sheltonjohns.com
> >
> >
> >
> >
> >
> >
> > On Feb 4, 2008, at 2:00 PM, Jostein Martinsen-Jones wrote:
> >
> > > Yes, i did change the root password asap!
> > >
> > > I would much like to see a configuration snippet on how to use
> > > rsa-keys.
> > > Can I use several rsa-keys  so i can login as different users?
> > >
> > > 2008/2/4, Nathan McBride <[EMAIL PROTECTED]>:
> > > Yup sure is.  I have setup my vyatta router to only allow
> > > rsa keys.
> > > Did you change your root password from 'vyatta'?
> > >
> > > Nate
> > >
> > > On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones wrote:
> > > > Hi
> > > > I am only using ssh. Is it possible to have rsa-keys for all users,
> > > > including vyatta?
> > > > Maybe the attackers managed to brute force my password?
> > > > This is very annoying since I have to reinstall the machine tomorrow
> > > > and don't know what went wrong. Haven't had time to check the logs
> > > > either.
> > > >
> > > > How does the user configuration look for you other guys and girls?
> > > >
> > > > 2008/2/4, Stig Thormodsrud <[EMAIL PROTECTED]>:
> > > > Hi Jostein,
> > > >
> > > > Are you using telnet or ssh to access the box?  Using telnet
> > > > is not secure from a public network as the username/password
> > > > is in clear text.
> > > >
> > > > stig
> > > >
> > > > __
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > Jostein Martinsen-Jones
> > > > Sent: Monday, February 04, 2008 2:43 AM
> > > > To: Dave Strydom
> > > > Cc: vyatta-users@mailman.vyatta.com
> > > > Subject: Re: [Vyatta-users] Vyatta box hacked?
> > > >
> > > > Jupp, I think i have an intruder, the ip 202.172.171.217 isn't
> > > > known to me at all.
> > > > I am the only one knowing the root password, and I have not
> > > > logged in those times that last are showing.
> > > >
> > > > root pts/0 202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
> > > > root pts/0 202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
> > > > root pts/0 202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
> > > > root pts/0 202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
> > > >
> > > > How did this happen?
> > > > I changed all the passwords on install to 8 character long,
> > > > using numbers and letters.
> > > > This is from my old config, are plaintext-password supposed to
> > > > be blank?
> > > >
> > > > # show system login
> > > > user root {
> > > >     authentication {
> > > >         encrypted-password: "$1$nZxxsgXC/"
> > > >         plaintext-password: ""
> > > >     }
> > > > }
> > > > user vyatta {
> > > >     authentication {
> > > >         encrypted-password: "$1$yyyt0/"
> > > >         plaintext-password: ""
> > > >     }
> > > > }
> > > >
> > > > 2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:
> > > >
> > > >  

Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Nathan McBride
Correct, you have to drop down to the linux cli, not vyatta's.

On Mon, 2008-02-04 at 14:08 -0500, Aubrey Wells wrote:
> As far as I could tell, you can't set up key-only auth in the CLI. If
> you drop an authorized_keys file in to each user's ~/.ssh directory,
> and set PasswordAuthentication=no in sshd.conf you will enable
> key-only auth.
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> 404.478.2790
> Support: [EMAIL PROTECTED]
> www.sheltonjohns.com
> 
> 
> 
> 
> 
> 
> On Feb 4, 2008, at 2:00 PM, Jostein Martinsen-Jones wrote:
> 
> > Yes, i did change the root password asap!
> > 
> > I would much like to see a configuration snippet on how to use
> > rsa-keys.
> > Can I use several rsa-keys  so i can login as different users?
> > 
> > 2008/2/4, Nathan McBride <[EMAIL PROTECTED]>:
> > Yup sure is.  I have setup my vyatta router to only allow
> > rsa keys.
> > Did you change your root password from 'vyatta'?
> > 
> > Nate
> > 
> > On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones wrote:
> > > Hi
> > > I am only using ssh. Is it possible to have rsa-keys for all users,
> > > including vyatta?
> > > Maybe the attackers managed to brute force my password?
> > > This is very annoying since I have to reinstall the machine tomorrow
> > > and don't know what went wrong. Haven't had time to check the logs
> > > either.
> > >
> > > How does the user configuration look for you other guys and girls?
> > >
> > > 2008/2/4, Stig Thormodsrud <[EMAIL PROTECTED]>:
> > > Hi Jostein,
> > >
> > > Are you using telnet or ssh to access the box?  Using telnet
> > > is not secure from a public network as the username/password
> > > is in clear text.
> > >
> > > stig
> > >
> > > __
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > Jostein Martinsen-Jones
> > > Sent: Monday, February 04, 2008 2:43 AM
> > > To: Dave Strydom
> > > Cc: vyatta-users@mailman.vyatta.com
> > > Subject: Re: [Vyatta-users] Vyatta box hacked?
> > >
> > > Jupp, I think i have an intruder, the ip 202.172.171.217 isn't
> > > known to me at all.
> > > I am the only one knowing the root password, and I have not
> > > logged in those times that last are showing.
> > >
> > > root pts/0 202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
> > > root pts/0 202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
> > > root pts/0 202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
> > > root pts/0 202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
> > >
> > > How did this happen?
> > > I changed all the passwords on install to 8 character long,
> > > using numbers and letters.
> > > This is from my old config, are plaintext-password supposed to
> > > be blank?
> > >
> > > # show system login
> > > user root {
> > >     authentication {
> > >         encrypted-password: "$1$nZxxsgXC/"
> > >         plaintext-password: ""
> > >     }
> > > }
> > > user vyatta {
> > >     authentication {
> > >         encrypted-password: "$1$yyyt0/"
> > >         plaintext-password: ""
> > >     }
> > > }
> > >
> > > 2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:
> > >
> > > Login to your router as root and run:
> > >
> > > # last | more
> > >
> > > and see if there are any logins to your machine which you do
> > > not recognize.
> > >
> > >
> > >
> > > On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones
> > > <[EMAIL PROTECTED]> 
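Checking the result of the key-only change described in this thread, as an added shell example (not code from the thread). It reads an sshd configuration on stdin (OpenSSH normally reads /etc/ssh/sshd_config) and reports whether public keys are really the only way in, covering the first-occurrence-wins rule, keyboard-interactive logins and `Match` overrides. All three sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Effective global value of keyword $1, or default $2 if it is never set.
# sshd uses the FIRST occurrence of a keyword; keywords are case-insensitive
# and may be followed by whitespace or "=". Parsing stops at the first Match.
sshd_effective() {
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v dflt="$2" '
    { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
    line == "" || line ~ /^#/ { next }
    tolower(line) ~ /^match[ \t]/ { exit }
    match(line, /[ \t=]+/) {
      key = tolower(substr(line, 1, RSTART - 1))
      val = tolower(substr(line, RSTART + RLENGTH)); gsub(/"/, "", val)
      if (key == want) { found = 1; print val; exit }
    }
    END { if (!found) print dflt }
  '
}

# Password-style keywords that a Match block switches back on.
match_reenables() {
  awk '
    { line = tolower($0); gsub(/^[ \t]+/, "", line) }
    line ~ /^match[ \t]/ { inmatch = 1; next }
    inmatch && line ~ /^(passwordauthentication|kbdinteractiveauthentication|challengeresponseauthentication)[ \t=]+"?yes/ {
      sub(/[ \t=].*/, "", line); print line
    }
  '
}

# Prints FAIL lines (or one OK line); exit status 0 only for key-only login.
audit_key_only() {
  cfg=$(cat); rc=0
  get()  { printf '%s\n' "$cfg" | sshd_effective "$1" "$2"; }
  fail() { echo "FAIL $1"; rc=1; }
  [ "$(get PubkeyAuthentication yes)" = yes ] || fail "PubkeyAuthentication is off"
  [ "$(get PasswordAuthentication yes)" = no ] || fail "PasswordAuthentication is not 'no'"
  # Simplification: KbdInteractiveAuthentication if set, otherwise
  # ChallengeResponseAuthentication, otherwise the built-in default "yes".
  kbd=$(get KbdInteractiveAuthentication "$(get ChallengeResponseAuthentication yes)")
  [ "$kbd" = no ] || fail "keyboard-interactive is on, PAM may still prompt for a password"
  over=$(printf '%s\n' "$cfg" | match_reenables | tr '\n' ' ' | sed 's/ $//')
  [ -z "$over" ] || fail "Match block re-enables: $over"
  [ "$rc" -eq 0 ] && echo "OK key-only"
  return "$rc"
}

# Constructed sample 1: only the change described in the thread. The later
# duplicate line has no effect because the first occurrence wins.
sample_thread_change() {
  cat <<'EOF'
# sshd configuration (constructed)
Protocol 2
PasswordAuthentication=no
UsePAM yes
PasswordAuthentication yes
EOF
}

# Constructed sample 2: key-only globally, harmless Match block.
sample_key_only() {
  cat <<'EOF'
PubkeyAuthentication yes
passwordauthentication no
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    X11Forwarding no
EOF
}

# Constructed sample 3: the same file, but the Match block hands passwords
# back to one subnet.
sample_match_hole() {
  sample_key_only; echo "    PasswordAuthentication yes"
}

for s in sample_thread_change sample_key_only sample_match_hole; do
  echo "== $s"; $s | audit_key_only || true
done
```

On a live box, feed it the real file: `audit_key_only < /etc/ssh/sshd_config`.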

Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Aubrey Wells
As far as I could tell, you can't set up key-only auth in the CLI. If
you drop an authorized_keys file in to each user's ~/.ssh directory,
and set PasswordAuthentication=no in sshd.conf you will enable
key-only auth.


--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
404.478.2790
Support: [EMAIL PROTECTED]
www.sheltonjohns.com




On Feb 4, 2008, at 2:00 PM, Jostein Martinsen-Jones wrote:


Yes, i did change the root password asap!

I would much like to see a configuration snippet on how to use rsa-keys.

Can I use several rsa-keys  so i can login as different users?

2008/2/4, Nathan McBride <[EMAIL PROTECTED]>:
Yup sure is.  I have setup my vyatta router to only allow rsa keys.
Did you change your root password from 'vyatta'?

Nate

On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones wrote:
> Hi
> I am only using ssh. Is it possible to have rsa-keys for all users,
> including vyatta?
> Maybe the attackers managed to brute force my password?
> This is very annoying since I have to reinstall the machine tomorrow
> and don't know what went wrong. Haven't had time to check the logs
> either.
>
> How does the user configuration look for you other guys and girls?
>
>
> 2008/2/4, Stig Thormodsrud <[EMAIL PROTECTED]>:
> Hi Jostein,
>
>
>
> Are you using telnet or ssh to access the box?  Using telnet
> is not secure from a public network as the username/password
> is in clear text.
>
>
>
> stig
>
>
>
>
>  
__

> From:[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf  
Of

> Jostein Martinsen-Jones
> Sent: Monday, February 04, 2008 2:43 AM
> To: Dave Strydom
> Cc: vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Vyatta box hacked?
>
>
>
>
> Jupp, I think I have an intruder, the ip 202.172.171.217 isn't
> known to me at all.
> I am the only one knowing the root password, and I have not
> logged in those times that last are showing.
>
> root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
> root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
> root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
> root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
>
> How did this happen?
> I changed all the passwords on install to 8 character long,
> using numbers and letters.
> This is from my old config, are plaintext-password  
supposed to

> be blank?
>
> # show system login
> user root {
> authentication {
> encrypted-password: "$1$nZxxsgXC/"
> plaintext-password: ""
> }
> }
> user vyatta {
> authentication {
> encrypted-password: "$1$yyyt0/"
> plaintext-password: ""
> }
> }
>
> 2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:
>
> Login to your router as root and run:
>
> # last | more
>
> and see if there are any logins to your machine which you do
> not recognize.
>
>
>
> On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones
> <[EMAIL PROTECTED]> wrote:
> > I got mail from another linux user today. He complained
> about login attempts
> > to his boxes, from my vyatta router!
> > Am I haxored or what? This is from his log and the "ip"
> 12.34.56.78 are my
> > router.
> >
> > Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix)
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=12.34.56.78  user=root
> > Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password
> for invalid user
> > root from 12.34.56.78 port 42492 ssh2
> >  Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from
> 12.34.56.78 not
> > allowed because not listed in AllowUsers
> > Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix)
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=12.34.56.78  user=root
> >  Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed  
password

> for invalid user
> > root from 12.34.56.78 port 42926 ssh2
> > Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from
> 12.34.56.78 not
> > allowed because not listed in AllowUsers
> >  Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix)
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=12.34.56.78  user=root
> > Feb  2 18:11:56 88.191.40.120 sshd[30456]: 
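
One way to check that the change described in this reply really leaves a server key-only, as an added example that is not part of the original posts: a small auditor for the OpenSSH server configuration (normally /etc/ssh/sshd_config). The sample configurations and function names are constructed for illustration, and only the global section is read (Match blocks are ignored).

```python
import re

# Upstream OpenSSH defaults for the keywords checked below (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}
# ChallengeResponseAuthentication is the older name for the same switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Keyword and argument are separated by whitespace or by a single '='.
LINE_RE = re.compile(r"([A-Za-z]+)\s*(?:=\s*|\s+)(.*)$")


def effective_settings(config_text):
    """Return the global settings sshd would use: the first value of a keyword wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key = m.group(1).lower()          # keywords are case-insensitive
        if key == "match":
            break                         # conditional blocks are out of scope here
        key = ALIASES.get(key, key)
        settings.setdefault(key, m.group(2).strip().strip('"').lower())
    return settings


def audit_key_only(config_text):
    """List the reasons this configuration does not enforce key-only login."""
    s = {**DEFAULTS, **effective_settings(config_text)}
    findings = []
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: keys are not accepted at all")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can still be guessed")
    if s["kbdinteractiveauthentication"] != "no" and s["usepam"] == "yes":
        findings.append("keyboard-interactive with UsePAM yes can still prompt for a password")
    return findings


# Constructed sample: looks hardened, but the first PasswordAuthentication line wins.
WEAK = """\
PasswordAuthentication yes
# added later by someone following a hardening guide
PasswordAuthentication no
UsePAM yes
"""

# Constructed sample: key-only login for every account.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication=no
ChallengeResponseAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_key_only(text) or "key-only")
```

Run it against a copy of the live file before restarting sshd, and keep an existing session open until a key login has been confirmed.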

Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Nathan McBride
Yup you can have a key for each user.  Take a look at:
http://suso.org/docs/shell/ssh.sdf

Nate

On Mon, 2008-02-04 at 20:00 +0100, Jostein Martinsen-Jones wrote:
> Yes, I did change the root password asap!
> 
> I would much like to see a configuration snippet on how to use
> rsa-keys.
> Can I use several rsa-keys so I can login as different users?
> 
> 2008/2/4, Nathan McBride <[EMAIL PROTECTED]>:
> Yup sure is.  I have setup my vyatta router to only allow rsa
> keys.
> Did you change your root password from 'vyatta'?
> 
> Nate
> 
> On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones
> wrote:
> > Hi
> > I am only using ssh. Is it possible to have rsa-keys for all
> users,
> > including vyatta?
> > Maybe the attackers managed to brute force my password?
> > This is very annoying since I have to reinstall the machine tomorrow
> > and don't know what went wrong. Haven't had time to check the logs
> > either.
> >
> > How does the user configuration look for you other guys and
> girls?
> >
> >
> > 2008/2/4, Stig Thormodsrud <[EMAIL PROTECTED]>:
> > Hi Jostein,
> >
> >
> >
> > Are you using telnet or ssh to access the box?  Using telnet
> > is not secure from a public network as the username/password
> > is in clear text.
> >
> >
> >
> > stig
> >
> >
> >
> >
> >
> __
> > From:[EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On
> Behalf Of
> > Jostein Martinsen-Jones
> > Sent: Monday, February 04, 2008 2:43 AM
> > To: Dave Strydom
> > Cc: vyatta-users@mailman.vyatta.com
> > Subject: Re: [Vyatta-users] Vyatta box hacked?
> >
> >
> >
> >
> > Jupp, I think I have an intruder, the ip 202.172.171.217 isn't
> > known to me at all.
> > I am the only one knowing the root password, and I have not
> > logged in those times that last are showing.
> >
> > root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
> > root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
> > root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
> > root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
> >
> > How did this happen?
> > I changed all the passwords on install to 8
> character long,
> > using numbers and letters.
> > This is from my old config, are plaintext-password
> supposed to
> > be blank?
> >
> > # show system login
> > user root {
> > authentication {
> > encrypted-password: "$1$nZxxsgXC/"
> > plaintext-password: ""
> > }
> > }
> > user vyatta {
> > authentication {
> > encrypted-password: "$1$yyyt0/"
> > plaintext-password: ""
> > }
> > }
> >
> > 2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:
> >
> > Login to your router as root and run:
> >
> > # last | more
> >
> > and see if there are any logins to your machine
> which you do
> > not recognize.
> >
> >
> >
> > On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones
> > <[EMAIL PROTECTED]> wrote:
> > > I got mail from another linux user today. He
> complained
> > about login attempts
> > > to his boxes, from my vyatta router!
> > > Am I haxored or what? This is from his log and the
> "ip"
> > 12.34.56.78 are my
> > > router.
> > >
> > > Feb  2 18:11:39 88.191.40.120 sshd[30444]:
> (pam_unix)
> > authentication
> > > failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=12.34.56.78  user=root
> > > Feb  2 18:11:40 88.191.40.120 sshd[3

Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
Yes, I did change the root password asap!

I would much like to see a configuration snippet on how to use rsa-keys.
Can I use several rsa-keys so I can login as different users?

2008/2/4, Nathan McBride <[EMAIL PROTECTED]>:
>
> Yup sure is.  I have setup my vyatta router to only allow rsa keys.
> Did you change your root password from 'vyatta'?
>
> Nate
>
> On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones wrote:
> > Hi
> > I am only using ssh. Is it possible to have rsa-keys for all users,
> > including vyatta?
> > Maybe the attackers managed to brute force my password?
> > This is very annoying since I have to reinstall the machine tomorrow
> > and don't know what went wrong. Haven't had time to check the logs
> > either.
> >
> > How does the user configuration look for you other guys and girls?
> >
> >
> > 2008/2/4, Stig Thormodsrud <[EMAIL PROTECTED]>:
> > Hi Jostein,
> >
> >
> >
> > Are you using telnet or ssh to access the box?  Using telnet
> > is not secure from a public network as the username/password
> > is in clear text.
> >
> >
> >
> > stig
> >
> >
> >
> >
> > __
> > From:[EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Jostein Martinsen-Jones
> > Sent: Monday, February 04, 2008 2:43 AM
> > To: Dave Strydom
> > Cc: vyatta-users@mailman.vyatta.com
> > Subject: Re: [Vyatta-users] Vyatta box hacked?
> >
> >
> >
> >
> > Jupp, I think I have an intruder, the ip 202.172.171.217 isn't
> > known to me at all.
> > I am the only one knowing the root password, and I have not
> > logged in those times that last are showing.
> >
> > root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
> > root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
> > root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
> > root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
> >
> > How did this happen?
> > I changed all the passwords on install to 8 character long,
> > using numbers and letters.
> > This is from my old config, are plaintext-password supposed to
> > be blank?
> >
> > # show system login
> > user root {
> > authentication {
> > encrypted-password: "$1$nZxxsgXC/"
> > plaintext-password: ""
> > }
> > }
> > user vyatta {
> > authentication {
> > encrypted-password: "$1$yyyt0/"
> > plaintext-password: ""
> > }
> > }
> >
> > 2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:
> >
> > Login to your router as root and run:
> >
> > # last | more
> >
> > and see if there are any logins to your machine which you do
> > not recognize.
> >
> >
> >
> > On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones
> > <[EMAIL PROTECTED]> wrote:
> > > I got mail from another linux user today. He complained
> > about login attempts
> > > to his boxes, from my vyatta router!
> > > Am I haxored or what? This is from his log and the "ip"
> > 12.34.56.78 are my
> > > router.
> > >
> > > Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix)
> > authentication
> > > failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=12.34.56.78  user=root
> > > Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password
> > for invalid user
> > > root from 12.34.56.78 port 42492 ssh2
> > >  Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from
> > 12.34.56.78 not
> > > allowed because not listed in AllowUsers
> > > Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix)
> > authentication
> > > failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=12.34.56.78  user=root
> > >  Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password
> > for invalid user
> > > root from 12.34.56.78 port 42926 ssh2
> > > Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from
> > 12.34.56.78 not
> > > allowed because not listed in AllowUsers
> > >  Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix)
> > authentication
> > > failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=12.34.56.78  user=root
> > > Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password
> > for invalid user
> > > root from 12.34.56.78 port 43408 ssh2
> > >  Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect
> > from 12.34.56.78
>

Re: [Vyatta-users] WAN Load Balancing

2008-02-04 Thread Dave Roberts
> We are planning to do some upgrade in our network. The 
> present network has one vyatta router and two internet 
> connections (one is 1Mb leased line and the other is 2Mb 
> Broadband), Since the broadband connection is limited, we are 
> manually changing the default gateway

Abhilash,

You should check out the WAN Load Balancing feature that will arrive with
Glendale Alpha 2 later in February and see if that will help you out. We
designed it to help with cases where customers have multiple WAN
connections but aren't running something sophisticated like BGP. It
essentially spreads outbound traffic across multiple WAN connections in a
semi-random fashion based on a weighting. In this case, you could give one
line a weight of 200 (the 2 Mbps link) and the other a weight of 100 (the
1 Mbps link) and the system would "do the right thing" by sending twice as
many flows to the 2 Mbps link as the 1 Mbps link. Now, things are
flow-based, so the spreading is not necessarily optimal in terms of
bandwidth over a short period of time (you could have multiple
high-bandwidth flows mapped to the smaller link while low bandwidth flows
are mapped to the larger link, for instance), but it should average out
over time and allows you to use both links simultaneously.

The functionality also allows you to check the health of the link using a
ping test to another (possibly very remote) destination. By pinging to a
remote destination, you can check the health of not only the local link
(which may be up), but also your service provider network (which may have
routing issues). When a link/network goes down, new flows will be mapped
to the remaining links.

As I said, the functionality isn't out yet, but it will be there in
Glendale Alpha 2 and you should take a look. Given that it's new
functionality, we're interested in getting as much testing and feedback on
the feature as possible. Personally, I think it's going to be very cool.

-- Dave

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
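
A small simulation of the behaviour described in this message, as an added example; it is not Vyatta's implementation. The class and function names, the link names, and the rule that a flow on a failed link is remapped on its next packet are assumptions made for the illustration.

```python
import random


class WeightedFlowBalancer:
    """Maps each new flow to one healthy WAN link, chosen at random by weight."""

    def __init__(self, weights, seed=None):
        self.weights = dict(weights)      # link name -> configured weight
        self.healthy = set(self.weights)  # links whose ping test currently passes
        self.flows = {}                   # flow key -> link it was mapped to
        self.rng = random.Random(seed)

    def set_health(self, link, up):
        """Record the result of the remote ping test for one link."""
        if up:
            self.healthy.add(link)
        else:
            self.healthy.discard(link)

    def link_for(self, flow):
        """Return the link for a flow; an existing flow stays where it is."""
        link = self.flows.get(flow)
        if link in self.healthy:
            return link
        candidates = sorted(self.healthy)
        if not candidates:
            raise RuntimeError("no healthy WAN link")
        link = self.rng.choices(
            candidates, weights=[self.weights[c] for c in candidates]
        )[0]
        self.flows[flow] = link           # assumption: remap if the old link is down
        return link


def flow_share(balancer, n_flows, first_id=0):
    """Fraction of n_flows new flows that land on each link."""
    counts = dict.fromkeys(balancer.weights, 0)
    for i in range(first_id, first_id + n_flows):
        flow = (f"10.0.{i // 60000}.5", 1024 + i % 60000)  # constructed source address and port
        counts[balancer.link_for(flow)] += 1
    return {link: n / n_flows for link, n in counts.items()}


def byte_share(balancer, flow_sizes):
    """Fraction of bytes per link when flow i carries flow_sizes[i] bytes."""
    totals = dict.fromkeys(balancer.weights, 0)
    for i, size in enumerate(flow_sizes):
        totals[balancer.link_for(("10.1.0.5", 1024 + i))] += size
    grand = sum(totals.values())
    return {link: b / grand for link, b in totals.items()}


if __name__ == "__main__":
    lb = WeightedFlowBalancer({"broadband": 200, "leased": 100}, seed=1)
    print("flows, long run:   ", flow_share(lb, 30000))
    # One large transfer among nine small ones: bytes follow the flow, not the weights.
    print("bytes, short burst:", byte_share(lb, [10_000_000] + [10_000] * 9))
    lb.set_health("broadband", False)
    print("after link failure:", flow_share(lb, 1000, first_id=30000))
```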


Re: [Vyatta-users] Book published for Vyatta & logo/mascot

2008-02-04 Thread Dave Roberts
> I posted a thread a month ago about getting the equivalent jdocs
> for vyatta, has anybody from the Vyatta team approached
> O'Reilly in just getting a book produced? A paperback
> edition crafted by them, would do wonders in promoting
> vyatta to the networking community.
> 
> next, does vyatta plan on getting a mascot of some sort? We
> have a devil for BSD, Penguin for Linux, Cisco has the silly
> bridge, and Juniper the leaf.
> 
> 
> Is the vyatta logo or mascot really just the Circle that's
> found on the main website banner? and can somebody explain
> this? I remember seeing something somewhere that it
> indicates open-source.

Excellent questions!

1. On getting an O'Reilly book published, yep, I think that time has come.
We had a couple of people say that they were interested in writing books
about Vyatta, but it was early on and I think people decided to hold off a
bit. To be honest, before Glendale, I don't think it would have been worth
it. There was so much functionality changing all the time and it would
have all broken with the new CLI (witness the work being done by Vyatta on
the docs, for instance). But, I think now would be a great time to start
on that stuff.

2. On a mascot, we have talked about that in the past. It's probably time
to run a contest for that. ;-) Frankly, the best ideas come from the
community. We do have some artistic talent available to us that could help
refine a raw idea, so I think everybody could participate in a competition
for suggestions without having to be an artist.

3. The Vyatta logo is a stylized eclipse, the meaning of which can be
found here:
http://www.vyatta.com/about/index.php
But I'll admit that it lacks the cuddly nature of a penguin or a little
daemon.

-- Dave



Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Nathan McBride
Yup sure is.  I have setup my vyatta router to only allow rsa keys.
Did you change your root password from 'vyatta'?

Nate

On Mon, 2008-02-04 at 18:13 +0100, Jostein Martinsen-Jones wrote:
> Hi
> I am only using ssh. Is it possible to have rsa-keys for all users,
> including vyatta?
> Maybe the attackers managed to brute force my password?
> This is very annoying since I have to reinstall the machine tomorrow
> and don't know what went wrong. Haven't had time to check the logs
> either.
> 
> How does the user configuration look for you other guys and girls?
> 
> 
> 2008/2/4, Stig Thormodsrud <[EMAIL PROTECTED]>:
> Hi Jostein,
> 
>  
> 
> Are you using telnet or ssh to access the box?  Using telnet
> is not secure from a public network as the username/password
> is in clear text.
> 
>  
> 
> stig
> 
>  
> 
>
> __
> From:[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Jostein Martinsen-Jones
> Sent: Monday, February 04, 2008 2:43 AM
> To: Dave Strydom
> Cc: vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Vyatta box hacked?
> 
> 
>  
> 
> Jupp, I think I have an intruder, the ip 202.172.171.217 isn't
> known to me at all.
> I am the only one knowing the root password, and I have not
> logged in those times that last are showing.
> 
> root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
> root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
> root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
> root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
> 
> How did this happen?
> I changed all the passwords on install to 8 character long,
> using numbers and letters.
> This is from my old config, are plaintext-password supposed to
> be blank?
> 
> # show system login
> user root {
> authentication {
> encrypted-password: "$1$nZxxsgXC/"
> plaintext-password: ""
> }
> }
> user vyatta {
> authentication {
> encrypted-password: "$1$yyyt0/"
> plaintext-password: ""
> }
> }
> 
> 2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:
> 
> Login to your router as root and run:
> 
> # last | more
> 
> and see if there are any logins to your machine which you do
> not recognize.
> 
> 
> 
> On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones
> <[EMAIL PROTECTED]> wrote:
> > I got mail from another linux user today. He complained
> about login attempts
> > to his boxes, from my vyatta router!
> > Am I haxored or what? This is from his log and the "ip"
> 12.34.56.78 are my
> > router.
> >
> > Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix)
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=12.34.56.78  user=root
> > Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password
> for invalid user
> > root from 12.34.56.78 port 42492 ssh2
> >  Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from
> 12.34.56.78 not
> > allowed because not listed in AllowUsers
> > Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix)
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=12.34.56.78  user=root
> >  Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password
> for invalid user
> > root from 12.34.56.78 port 42926 ssh2
> > Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from
> 12.34.56.78 not
> > allowed because not listed in AllowUsers
> >  Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix)
> authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=12.34.56.78  user=root
> > Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password
> for invalid user
> > root from 12.34.56.78 port 43408 ssh2
> >  Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect
> from 12.34.56.78
> > (12.34.56.78)
> > ___
> > Vyatta-users mailing list
> > Vyatta-users@mailman.vyatta.com
> > http://mailman.vyatta.com/mailman/listinfo/vyatta

Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
Hi
I am only using ssh. Is it possible to have rsa-keys for all users,
including vyatta?
Maybe the attackers managed to brute force my password?
This is very annoying since I have to reinstall the machine tomorrow and
don't know what went wrong. Haven't had time to check the logs either.

How does the user configuration look for you other guys and girls?


2008/2/4, Stig Thormodsrud <[EMAIL PROTECTED]>:
>
>  Hi Jostein,
>
>
>
> Are you using telnet or ssh to access the box?  Using telnet is not secure
> from a public network as the username/password is in clear text.
>
>
>
> stig
>
>
>   --
>
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *Jostein
> Martinsen-Jones
> *Sent:* Monday, February 04, 2008 2:43 AM
> *To:* Dave Strydom
> *Cc:* vyatta-users@mailman.vyatta.com
> *Subject:* Re: [Vyatta-users] Vyatta box hacked?
>
>
>
> Jupp, I think I have an intruder, the ip 202.172.171.217 isn't known to me
> at all.
> I am the only one knowing the root password, and I have not logged in
> those times that last are showing.
>
> root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
> root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
> root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
> root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)
>
> How did this happen?
> I changed all the passwords on install to 8 character long, using numbers
> and letters.
> This is from my old config, are plaintext-password supposed to be blank?
>
> # show system login
> user root {
> authentication {
> encrypted-password: "$1$nZxxsgXC/"
> plaintext-password: ""
> }
> }
> user vyatta {
> authentication {
> encrypted-password: "$1$yyyt0/"
> plaintext-password: ""
> }
> }
>
> 2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:
>
> Login to your router as root and run:
>
> # last | more
>
> and see if there are any logins to your machine which you do not
> recognize.
>
>
>
> On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > I got mail from another linux user today. He complained about login
> attempts
> > to his boxes, from my vyatta router!
> > Am I haxored or what? This is from his log and the "ip" 12.34.56.78 are
> my
> > router.
> >
> > Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
>   user=root
> > Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid
> user
> > root from 12.34.56.78 port 42492 ssh2
> >  Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not
> > allowed because not listed in AllowUsers
> > Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
>   user=root
> >  Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid
> user
> > root from 12.34.56.78 port 42926 ssh2
> > Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not
> > allowed because not listed in AllowUsers
> >  Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
>   user=root
> > Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid
> user
> > root from 12.34.56.78 port 43408 ssh2
> >  Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from
> 12.34.56.78
> > (12.34.56.78)
> > ___
> > Vyatta-users mailing list
> > Vyatta-users@mailman.vyatta.com
> > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> >
> >
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
>


Re: [Vyatta-users] IPSec Termination

2008-02-04 Thread Stig Thormodsrud
One workaround that may or may not work for you is a 0.0.0.0 peer.  When
the vyatta is configured with a 0.0.0.0 peer it can not initiate since it
doesn't know which address it's coming from.

 

stig

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dunmoodie,
Carlos
Sent: Monday, February 04, 2008 6:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Vyatta-users] IPSec Termination

 

 

 

I'm trying to establish an IPSec tunnel with a wireless modem on the right
and vyatta on the left.

 

Problem I'm running into is the Vyatta is supposed to terminate the tunnel
and the wireless modem is the initiator.

However, when you look at the logs and the ipsec.conf file, Vyatta is also
attempting to initiate the tunnel.

 

Is there a parameter in the config that will allow the Vyatta to be used
as a terminator.  Please assist 

 



Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Stig Thormodsrud
Hi Jostein,

 

Are you using telnet or ssh to access the box?  Using telnet is not secure
from a public network as the username/password is in clear text.

 

stig

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jostein
Martinsen-Jones
Sent: Monday, February 04, 2008 2:43 AM
To: Dave Strydom
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] Vyatta box hacked?

 

Jupp, I think I have an intruder, the ip 202.172.171.217 isn't known to me
at all.
I am the only one knowing the root password, and I have not logged in
those times that last are showing.

root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)

How did this happen?
I changed all the passwords on install to 8 character long, using numbers
and letters.
This is from my old config, are plaintext-password supposed to be blank?

# show system login
user root {
authentication {
encrypted-password: "$1$nZxxsgXC/"
plaintext-password: ""
}
}
user vyatta {
authentication {
encrypted-password: "$1$yyyt0/"
plaintext-password: ""
}
}

2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:

Login to your router as root and run:

# last | more

and see if there are any logins to your machine which you do not
recognize.



On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
wrote:
> I got mail from another linux user today. He complained about login
attempts
> to his boxes, from my vyatta router!
> Am I haxored or what? This is from his log and the "ip" 12.34.56.78 are
my
> router.
>
> Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
user=root
> Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid
user
> root from 12.34.56.78 port 42492 ssh2
>  Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78
not
> allowed because not listed in AllowUsers
> Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
user=root
>  Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid
user
> root from 12.34.56.78 port 42926 ssh2
> Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78
not
> allowed because not listed in AllowUsers
>  Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
user=root
> Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid
user
> root from 12.34.56.78 port 43408 ssh2
>  Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from
12.34.56.78
> (12.34.56.78)
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>


Re: [Vyatta-users] IPSec Termination

2008-02-04 Thread Dunmoodie, Carlos
 

 

I'm trying to establish an IPSec tunnel with a wireless modem on the
right and vyatta on the left.

 

Problem I'm running into is the Vyatta is supposed to terminate the
tunnel and the wireless modem is the initiator.

However, when you look at the logs and the ipsec.conf file, Vyatta is
also attempting to initiate the tunnel.

 

Is there a parameter in the config that will allow the Vyatta to be used
as a terminator.  Please assist 

 



[Vyatta-users] help: how to configure ssh login only one ip

2008-02-04 Thread Amit Srivastava
hi,

help: how to configure ssh login only one ip


-- 
 Regards
--
Amit Shrivastava
Linux Engineer
Tetra Information Services Pvt. Ltd.
136 Ground Floor, Sant Nagar, East of Kailash,
New Delhi - 110065, India.
Email : [EMAIL PROTECTED]
Website : www.tetrain.com, www.linux4e.com
Phone : 91-11-66604033, 91-11-66604034, 91-11-66604035
Mobile : 91-060913
Fax : 91-11-26225293



[Vyatta-users] Vyatta network architecture / OSPF

2008-02-04 Thread abhilash s
Hi All,

We are planning to do some upgrade in our network. The present network
has one vyatta router and two internet connections (one is 1Mb leased
line and the other is 2Mb Broadband), Since the broadband connection
is limited, we are manually changing the default gateway

* The leased line connection is all traffic till 11 AM  (it is set to
the default gateway)
* After 11:00AM, we switch the default gateway to the broadband
connection for all internet traffic, and add a static route so that
VPN traffic remains on the leased line.
* After 5:00PM, we reset this back to the original configuration

Here are the drawbacks of the system we currently use:

* Requires manual shifting of routes (twice a day)
* If the leased line connection goes down then we have to remove the
static route and restart the VPN process so that it utilizes the
broadband connection
* If the broadband connection goes down between 11-5, then we have to
switch the default gateway to the leased line.

In an attempt to fix these issues we were thinking about something
like the below diagram (3 Router setup) and utilize dynamic routing
protocols.

 Router A (ISP1-Leased Line)          Router B (ISP2-Broadband)
            |                                    |
            |                                    |
            |                                    |
                        Router C
                   (Connected to LAN)

The first idea we had was to configure Router A and B so that both
servers have the VPN process started (so both can reach the server).
This way there are two paths to reach the same destination.  We were
then planning on setting the cost of the VPN route through Router A as
the lowest cost so that is used by default. If Router A goes down,
then Router C knows to automatically route VPN traffic from the LAN to
Router B.  Can we use OSPF to perform this?

The second idea that we would like to try is to modify route cost
based on time of day.  For example, between 11-5, we want Router C to
shift Internet traffic from Router A to Router B with the exception of
VPN.  Can this be done by utilizing OSPF?  What is the best way to
update the cost dynamically?  Is there a way to do it within Vyatta
OFR or do we need to utilize a bash/perl script?  Has anyone created
rules like this that take into account bandwidth or latency?

Any suggestions that can be offered about this architecture would be
great before we start testing this.

Thanks

Abhilash S
Ascella Technologies, Inc
www.ascellatech.com


Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
Jupp, I think I have an intruder, the ip 202.172.171.217 isn't known to me
at all.
I am the only one knowing the root password, and I have not logged in those
times that last are showing.

root     pts/0        202.172.171.217  Mon Feb  4 05:21 - 07:38  (02:16)
root     pts/0        202.172.171.217  Sat Feb  2 14:54 - 16:05  (01:11)
root     pts/0        202.172.171.217  Fri Feb  1 23:51 - 23:57  (00:05)
root     pts/0        202.172.171.217  Fri Feb  1 13:49 - 17:18  (03:29)

How did this happen?
I changed all the passwords on install to 8 character long, using numbers
and letters.
This is from my old config, are plaintext-password supposed to be blank?

# show system login
user root {
authentication {
encrypted-password: "$1$nZxxsgXC/"
plaintext-password: ""
}
}
user vyatta {
authentication {
encrypted-password: "$1$yyyt0/"
plaintext-password: ""
}
}

2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:
>
> Login to your router as root and run:
>
> # last | more
>
> and see if there are any logins to your machine which you do not
> recognize.
>
>
>
> On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > I got mail from another linux user today. He complained about login
> attempts
> > to his boxes, from my vyatta router!
> > Am I haxored or what? This is from his log and the "ip" 12.34.56.78 are
> my
> > router.
> >
> > Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
>   user=root
> > Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid
> user
> > root from 12.34.56.78 port 42492 ssh2
> >  Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not
> > allowed because not listed in AllowUsers
> > Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
>   user=root
> >  Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid
> user
> > root from 12.34.56.78 port 42926 ssh2
> > Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not
> > allowed because not listed in AllowUsers
> >  Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
>   user=root
> > Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid
> user
> > root from 12.34.56.78 port 43408 ssh2
> >  Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from
> 12.34.56.78
> > (12.34.56.78)
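The check suggested in this thread (read through `last` for logins you do not recognize), as an added Python example that is not part of any poster's message: it flags remote sessions whose source lies outside a trusted management network. The sample output is constructed, and the `TRUSTED` network and the function name are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the column layout of `last`; not output from a real host.
SAMPLE_LAST = """\
root     pts/0        203.0.113.45     Mon Feb  4 05:21 - 07:38  (02:16)
vyatta   pts/1        192.168.1.20     Sun Feb  3 09:02 - 09:40  (00:38)
root     pts/0        203.0.113.45     Fri Feb  1 13:49 - 17:18  (03:29)
root     tty1                          Thu Jan 31 20:10 - 20:15  (00:05)
root     pts/2        198.51.100.7     Thu Jan 31 11:00   still logged in
reboot   system boot  2.6.20           Thu Jan 31 10:58          (4+02:11)

wtmp begins Thu Jan 31 10:58:01 2008
"""

# Assumption: administrators only ever log in from this management network.
TRUSTED = [ip_network("192.168.1.0/24")]

# user, tty, dotted-quad source address, then the time columns.
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")
DURATION = re.compile(r"\((?:(\d+)\+)?(\d\d):(\d\d)\)")


def unrecognized_logins(last_output, trusted=TRUSTED):
    """Summarise remote sessions whose source is outside the trusted networks."""
    report = {}
    for line in last_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # console logins, reboot records, blank and trailer lines
        user, _tty, host, rest = m.groups()
        try:
            addr = ip_address(host)
        except ValueError:
            continue  # looked like an address but is not one
        if any(addr in net for net in trusted):
            continue
        entry = report.setdefault(
            host, {"users": set(), "sessions": 0, "minutes": 0, "active": False})
        entry["users"].add(user)
        entry["sessions"] += 1
        d = DURATION.search(rest)
        if d:  # closed session: (days+HH:MM) or (HH:MM)
            days, hours, mins = d.groups()
            entry["minutes"] += (int(days or 0) * 24 + int(hours)) * 60 + int(mins)
        elif "still logged in" in rest:
            entry["active"] = True
    return report
```

Feed it the output of `last -i` so that every remote host is shown as an address rather than a truncated hostname. Anyone who had root on the box could have edited wtmp, so an empty report does not clear the machine.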


Re: [Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Dave Strydom
Log in to your router as root and run:

# last | more

and see if there are any logins to your machine which you do not recognize.



On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
> I got mail from another linux user today. He complained about login attempts
> to his boxes, from my vyatta router!
> Am I haxored or what? This is from his log and the "ip" 12.34.56.78 is my
> router.
>
> Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
> Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user
> root from 12.34.56.78 port 42492 ssh2
>  Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not
> allowed because not listed in AllowUsers
> Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
>  Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user
> root from 12.34.56.78 port 42926 ssh2
> Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not
> allowed because not listed in AllowUsers
>  Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
> Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user
> root from 12.34.56.78 port 43408 ssh2
>  Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78
> (12.34.56.78)


[Vyatta-users] Vyatta box hacked?

2008-02-04 Thread Jostein Martinsen-Jones
I got mail from another linux user today. He complained about login attempts
to his boxes, from my vyatta router!
Am I haxored or what? This is from his log and the "ip" 12.34.56.78 is my
router.

Feb  2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
Feb  2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid user
root from 12.34.56.78 port 42492 ssh2
Feb  2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78 not
allowed because not listed in AllowUsers
Feb  2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
Feb  2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid user
root from 12.34.56.78 port 42926 ssh2
Feb  2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78 not
allowed because not listed in AllowUsers
Feb  2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78  user=root
Feb  2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid user
root from 12.34.56.78 port 43408 ssh2
Feb  2 18:11:56 88.191.40.120 sshd[30494]: refused connect from 12.34.56.78
(12.34.56.78)


Re: [Vyatta-users] Restricting access to default route

2008-02-04 Thread Michel van Horssen
Hi Robert,

Thnx for the answers.

On Sat, 2008-02-02 at 18:01 -0800, Robert Bays wrote:

> No.  Policy routing is not included in the CLI right now.  You must use
> the ip command in the linux shell.

Okay, so what's in the docs is not usable yet?

> You will have to break that range into smaller ranges for your ip rule
> statements.  For example, the first range of 10.10 to 10.50 would be
> something like this...
> 
> ip rule add from 192.168.10.10/31 tab 1
> ip rule add from 192.168.10.12/30 tab 1
> ip rule add from 192.168.10.16/28 tab 1
> ip rule add from 192.168.10.32/28 tab 1
> ip rule add from 192.168.10.48/31 tab 1
> ip rule add from 192.168.10.50/32 tab 1

Okay I'll give that a try.

> Cheers,
> Robert.

SeeYa,
Michel


We moved to a new office. Our visiting address changed from Jacques 
Veltmanstraat 463 to SURINAMEPLEIN 122, 1058 GV Amsterdam, the Netherlands. All 
our other contact details such as phone and fax numbers and mail address will 
remain the same.
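The range-splitting step from the quoted advice above (break 192.168.10.10 to 192.168.10.50 into prefixes for `ip rule`), as an added Python example that is not part of either poster's message. It generalizes to any inclusive IPv4 range; the function names are hypothetical.

```python
from ipaddress import IPv4Address, IPv4Network


def range_to_prefixes(first, last):
    """Split the inclusive range first..last into the fewest aligned CIDR blocks."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last address")
    blocks = []
    while lo <= hi:
        # Largest block that may start at lo is set by lo's alignment
        # (its lowest set bit); address 0 is aligned to everything.
        size = lo & -lo if lo else 1 << 32
        # Shrink it until it no longer runs past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        prefix_len = 32 - (size.bit_length() - 1)
        blocks.append(IPv4Network((lo, prefix_len)))
        lo += size
    return blocks


def ip_rule_commands(first, last, table):
    """Render one `ip rule add from <prefix> tab <table>` line per block."""
    return [f"ip rule add from {net} tab {table}"
            for net in range_to_prefixes(first, last)]


if __name__ == "__main__":
    # Reproduces the six rules listed in the quoted reply.
    print("\n".join(ip_rule_commands("192.168.10.10", "192.168.10.50", 1)))
```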