Saturday, November 30, 2013

Why namecheap should be avoided

I registered one of my domains with Namecheap to check it out. I had heard a lot about Namecheap but had never really used them. They have a simple-to-use DNS manager, and that's about the only positive thing I can say.

All support is via a web chat channel, and at times that can be a 1-5 minute wait. You can't speak to anybody via a voice call or directly via email, which plainly sucks. How a name registrar can claim "making customers happy" is beyond me.




And their web chat is not all that cool. Here are snippets of a dialog I had while on the road traveling, via a web chat support person named Olga, in an attempt to recover an email password on my account, after I had sent photos of both my driver's license and passport to Namecheap staff.

This is what you should expect ( chat transcript screenshots omitted )

And the kicker: I've sent 2 emails to Namecheap, to both a director and the CEO, and they don't even have the professionalism to respond to customer issues.


So I'm sorry to say, Namecheap.................. is just that..... CHEAP!




Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \


Friday, November 29, 2013

how to convert an image from raw to qcow2 format with qemu-img

qemu-img is a tool that ships with QEMU ( and therefore with any KVM host ) that lets you convert a disk image from one format to another, in this case to qcow2. A qcow2 image is needed in order to create VM snapshots; a raw image has no room for the snapshot metadata. These quick steps will leave you with a qcow2 image that you can copy to a server and load.



1st, let's review the raw image with qemu-img info ( screenshot omitted )

2nd, now you can use the qemu-img convert option ( -O qcow2 ) to convert the image for later use ( screenshot omitted ). Pass the input format explicitly with -f raw: if you let qemu-img probe the format, a guest that has written a qcow2 header into its own raw disk can get the host to parse that header, backing-file path included.


3rd, after conversion you can review both images again with qemu-img info ( screenshot omitted )



Note that the virtual disk size has not changed. A quick review of the new qcow2 image will show the disk space actually consumed, which is smaller, because qcow2 only allocates the clusters that have been written to.
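The conversion and the size check from the steps above, as an added shell example that is not from the original post. It assumes qemu-img is on the PATH for the conversion itself; the qemu-img info text it parses is constructed here, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: raw -> qcow2 with qemu-img,
# plus the check that the virtual size is unchanged while the on-disk size
# shrinks. Needs qemu-img for the conversion; the parsing helpers run on
# plain text and are demonstrated with constructed sample output below.

# info_field KEY  (qemu-img info text on stdin) -> value of the "KEY: value" line
info_field() {
    sed -n "s/^$1: //p"
}

# virtual_bytes  (qemu-img info text on stdin) -> exact virtual size in bytes
virtual_bytes() {
    sed -n 's/^virtual size: .*(\([0-9][0-9]*\) bytes)/\1/p'
}

# convert_raw_to_qcow2 SRC DST
# -f raw is deliberate: letting qemu-img probe the input format is unsafe,
# because a guest can write a qcow2 header (with a backing file path of its
# choosing) into its own raw disk. qemu-img compare then proves DST holds
# the same data as SRC.
convert_raw_to_qcow2() {
    src=$1; dst=$2
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    qemu-img convert -p -f raw -O qcow2 "$src" "$dst" || return 1
    qemu-img compare -f raw -F qcow2 "$src" "$dst"
}

# same_virtual_size IMG1 IMG2 -> exit 0 if both report the same virtual size
same_virtual_size() {
    a=$(qemu-img info "$1" | virtual_bytes)
    b=$(qemu-img info "$2" | virtual_bytes)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# report_sizes IMG -> format, virtual size and space actually used on disk
report_sizes() {
    info=$(qemu-img info "$1")
    printf '%s: format=%s virtual=%s ondisk=%s\n' "$1" \
        "$(printf '%s\n' "$info" | info_field 'file format')" \
        "$(printf '%s\n' "$info" | info_field 'virtual size')" \
        "$(printf '%s\n' "$info" | info_field 'disk size')"
}

# Constructed sample output (not captured from a real host), in the layout
# qemu-img info printed at the time of the post.
SAMPLE_RAW_INFO='image: disk.raw
file format: raw
virtual size: 8.0G (8589934592 bytes)
disk size: 8.0G'

SAMPLE_QCOW2_INFO='image: disk.qcow2
file format: qcow2
virtual size: 8.0G (8589934592 bytes)
disk size: 1.2G
cluster_size: 65536'

# Full run against a throwaway image when invoked as: sh convert.sh demo
if [ "${1:-}" = "demo" ] && command -v qemu-img >/dev/null 2>&1; then
    qemu-img create -f raw /tmp/demo.raw 1G
    printf 'hello' | dd of=/tmp/demo.raw bs=1M seek=10 conv=notrunc 2>/dev/null
    convert_raw_to_qcow2 /tmp/demo.raw /tmp/demo.qcow2
    same_virtual_size /tmp/demo.raw /tmp/demo.qcow2 && echo "virtual size unchanged"
    report_sizes /tmp/demo.raw
    report_sizes /tmp/demo.qcow2
fi
```

Run with `demo` as the only argument on a host with qemu-img installed; the two report_sizes lines show the same virtual size with a much smaller on-disk figure for the qcow2 copy, which is exactly the point of the post.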







Wednesday, November 20, 2013

ASR1K and non-Cisco transceivers

In this post we will look at using a Huawei-badged 1 Gig SFP transceiver in an ASR1002.

If you recall, the NHR-T copper transceiver ( GLC-T ) did not work in an ASR1K, but a Huawei 1GigE 1310nm SM transceiver does work in the Cisco ASR1K. Let's see how we made this happen.



1st, you have to deploy the hidden service command;  service unsupported-transceiver

And now for the port configurations. In this case I ran these back-to-back in 2 unique VRFs for testing and evaluation;

( onboard integral gige ports )


!
interface GigabitEthernet0/0/2
 ip vrf forwarding test1
 ip address 192.0.2.1 255.255.255.0
 negotiation auto
end


and

( SPA 10x1gige )

!

interface GigabitEthernet0/1/0
 ip vrf forwarding test2
 ip address 192.0.2.2 255.255.255.0
 negotiation auto
end



Now, before I continue: Cisco/TAC will swear this will not work and, even if it does, will not support the transceivers, so you are on your own with this.


As you can see, the transceivers do work and provide optical connectivity ( screenshot omitted ). I also checked these same transceivers in a WS-X6724-SFP card, and they worked flawlessly.




One more word of advice: you will not get the optical power statistics ( DOM ) that you would commonly receive when issuing the show hw-module transceiver commands ( screenshot omitted ).
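The verification steps that go with the configuration above, as an added example that is not from the original post. It reuses the post's interface and VRF names and assumes the optic sits in Gi0/0/2, i.e. subslot 0/0, port 2.

```cisco
! Added example, not from the original post: verifying a third-party optic
! after "service unsupported-transceiver". Interface/VRF names are the ones
! from the post; subslot 0/0 port 2 is assumed to be Gi0/0/2.
!
! 1. Acknowledge the unsupported optic (hidden command; TAC will not support it)
configure terminal
 service unsupported-transceiver
 end
!
! 2. Confirm the port is up and the link is usable end to end inside the VRF
show interfaces GigabitEthernet0/0/2 | include line protocol|media type
ping vrf test1 192.0.2.2
!
! 3. Read what the router parsed out of the SFP IDPROM (vendor, part number)
show hw-module subslot 0/0 transceiver 2 idprom
!
! 4. DOM data: expect empty or missing optical power fields for this optic
show hw-module subslot 0/0 transceiver 2 status
```

Keep the IDPROM output with your change record: if a port later flaps, the first thing a TAC engineer will ask for is what the router thinks is plugged in, and with an unsupported optic that output is the only evidence you will have.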











Tuesday, November 19, 2013

sending a cisco config via email but securing your passwords ( openssl and type 5 )

If you haven't been using a type 5 ( secret ) in your configurations, and you send copies of your config over an unsecured channel ( aka email ), then your passwords are most likely compromised.


By using openssl, you can generate type 5 hashed passwords to place in the configuration files of most IOS-based routers. This lets you deliver a configuration file for installation and trust that the password is hashed rather than sitting in clear text. Keep in mind that type 5 is MD5-crypt ( the $1$ scheme ): it is salted but fast to brute-force, so the hash still deserves protection, and on IOS releases that offer type 8 or type 9 secrets those are the better choice.

e.g

A ios configuration with the following lines in the cfg;


!
!
enable password socdude
!
enable secret socgal
!
!
!

Would not be as secure as ( the 5 marks the value as an already-hashed type 5 secret ) ;
!
!
enable secret 5 $1$6XXp$YXBalUFqXfY0Ui4mn9lZx0
!
!


btw: When I review or pass cfg files around, I typically hash out any enable password that is present before sending the file back to the originator or on to another colleague who is reviewing it. Better yet, sanitize the configuration file of all confidential data ( RADIUS/TACACS keys, SNMP communities, usernames, etc..... )


Now, with openssl we can easily replicate the same type 5 hash that Cisco deploys: openssl passwd -1 produces the $1$salt$hash format that IOS expects.

The following screenshot shows this function, with two crafted type 5 hashes ( screenshot omitted )



Here's me using the blue-highlighted hash that was generated by openssl in the above image ( screenshot omitted ) ;


And finally, don't forget that all usernames can be secured using a type 5 hash as well ( username name secret 5 hash ). In this example, the user socpuppets has a type 5 hash versus the plain old password ( screenshot omitted )




Okay, one might argue that you could just log in to any old Cisco router, generate the type 5 password there, and copy it into the configuration file that you are sending.

Well, yes, you could do exactly that, but if you need to build automation scripts that generate type 5 hashes, don't overlook the capabilities openssl has in this regard.
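The automation case above and the sanitizing practice from earlier in the post, as one added shell example that is not from the original post. It assumes only the openssl CLI and POSIX sh; the sample config it runs through is constructed here and is not from a real device.

```shell
#!/bin/sh
# Added example, not from the original post: generate IOS type 5 (md5-crypt,
# the $1$ scheme) hashes with the openssl CLI and scrub a config before it
# goes out by email. Assumes only openssl and POSIX sh.

# hash_secret PASSWORD [SALT] -> $1$salt$hash
# The password is fed on stdin rather than argv, so it does not appear in
# `ps` output or shell history. Without SALT, openssl picks a random one.
hash_secret() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$1" | openssl passwd -1 -salt "$2" -stdin
    else
        printf '%s\n' "$1" | openssl passwd -1 -stdin
    fi
}

# sanitize_config < config > sanitized
#   enable password X / enable secret X  -> enable secret 5 $1$...
#   username U [...] password [0] X      -> username U [...] secret 5 $1$...
#   snmp communities, tacacs/radius keys -> <REDACTED>
# Type 7 strings are reversible ciphertext, not plaintext, so they are
# dropped with a reminder instead of being hashed as if they were passwords.
sanitize_config() {
    while IFS= read -r line; do
        case "$line" in
        "enable password "*|"enable secret "*)
            pw=${line#enable password }; pw=${pw#enable secret }; pw=${pw#0 }
            case "$pw" in
            "5 "*) printf '%s\n' "$line" ;;   # already a type 5 hash, keep it
            "7 "*) echo "! enable: type 7 string dropped, set a new enable secret" ;;
            *)     echo "enable secret 5 $(hash_secret "$pw")" ;;
            esac ;;
        "username "*" password "*)
            rest=${line#username }
            user=${rest%% *}
            rest=${rest#"$user"}          # " privilege 15 password 0 x" or " password 0 x"
            mid=${rest%% password *}      # keeps e.g. " privilege 15", else empty
            pw=${rest#* password }; pw=${pw#0 }
            case "$pw" in
            "7 "*) echo "! username $user: type 7 string dropped, set a new secret" ;;
            *)     echo "username $user$mid secret 5 $(hash_secret "$pw")" ;;
            esac ;;
        "snmp-server community "*)
            rest=${line#snmp-server community }
            tail=""
            case "$rest" in *" "*) tail=" ${rest#* }" ;; esac
            echo "snmp-server community <REDACTED>$tail" ;;
        "tacacs-server key "*|"radius-server key "*)
            echo "${line%% key *} key <REDACTED>" ;;
        *)
            printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample config (not from a real device) for trying the sanitizer.
SAMPLE_CONFIG='hostname lab-rtr
!
enable password socdude
enable secret socgal
!
username socpuppets privilege 15 password 0 plainold
username ops password 7 0822455D0A16
!
snmp-server community public RO
tacacs-server key s3cr3tkey
!
interface GigabitEthernet0/0/2
 ip address 192.0.2.1 255.255.255.0
end'

# Run the sample through the sanitizer when executed directly.
printf '%s\n' "$SAMPLE_CONFIG" | sanitize_config
```

To convince yourself the hashes are interchangeable with the router's own, run hash_secret with a fixed salt ( for example hash_secret socgal 6XXp ), paste the result into a lab router as enable secret 5 ..., and log in with the plaintext. Note that the sanitizer refuses to hash type 7 strings: a type 7 value is trivially reversible, so hashing it would just lock in a known-bad password, and the owner should set a fresh secret instead.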



followup: Unsupported transceivers ( Cisco ASR routers )

I would like to follow up on an earlier post with regards to my GLC-T and our ASR1Ks. NHR came back with some good information. Per Cisco's own documentation, the GLC-T is not a supported transceiver on an ASR1K ( documentation screenshot omitted ).






Now, what's a big surprise: all of the ASR1Ks I'm currently working with support the Cisco GLC-T without the need for the service unsupported-transceiver hidden command.

NHR did offer to exchange these, but we are on a time crunch and couldn't wait to ship them back or execute an RMA. So we moved some other Cisco OEM GLC-Ts around to use in our ASR.


