Change Red Hat 7.x/CentOS 7.x SSH Default Port (SELinux Involved)

This article describes how to change the SSH port on a Linux system (CentOS 7.3 in this exercise) so that sshd listens on a port other than the default TCP port 22. The SELinux policy must be adjusted to allow the new port, and that change is part of the procedure.

1. First, verify the default configuration and the output of the sshd service.

    1.1 Verify the port setting in sshd_config.

[root@system1 ~]# cat /etc/ssh/sshd_config | grep "Port 22"  
#Port 22

          Even though the Port line is commented out, sshd uses port 22 by default.

    1.2 Confirm that system is now listening on port 22.

[root@server ~]# ss -tulpn | grep sshd
tcp    LISTEN     0      128       *:22            *:*                   users:(("sshd",pid=5485,fd=3))
tcp    LISTEN     0      128      :::22           :::*                   users:(("sshd",pid=5485,fd=4))

    1.3 SELinux should be in Enforcing mode. If it is not, set SELINUX=enforcing in /etc/selinux/config (/etc/sysconfig/selinux is a symlink to it) and reboot, or run setenforce 1 if the system is currently only permissive.

[root@system1 ~]# getenforce 
Enforcing

2. Change the default SSH port and restart the service.

    2.1 Modify sshd_config so that sshd listens on port 20002 instead of the default.

[root@system1 ~]# vim /etc/ssh/sshd_config  
...........
Port 20002
...........

    2.2 Restart the sshd service. If you are working over SSH, keep the current session open until the new port is confirmed reachable; existing sessions survive a restart, but no new session can be opened until sshd binds to the new port and the firewall allows it.

[root@server ~]# systemctl restart -l sshd
Job for sshd.service failed because a configured resource limit was exceeded. See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@server ~]# systemctl status -l sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: resources) since Sun 2017-02-26 23:43:51 WIB; 6s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 5534 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 5485 (code=exited, status=0/SUCCESS)

Feb 26 23:43:51 server.mylab.com systemd[1]: sshd.service never wrote its PID file. Failing.
Feb 26 23:43:51 server.mylab.com systemd[1]: Failed to start OpenSSH server daemon.
Feb 26 23:43:51 server.mylab.com systemd[1]: Unit sshd.service entered failed state.
Feb 26 23:43:51 server.mylab.com systemd[1]: sshd.service failed.

          You can see that the service failed to start. The quickest way to find out whether SELinux is the cause is to put it into permissive mode temporarily (setenforce 0), retry the restart, and put it back with setenforce 1 afterwards; this is a diagnostic step, not a fix, so never leave it permissive. In this exercise we use sealert (from the setroubleshoot-server package) to get the details of the denial instead; ausearch -m avc -ts recent shows the raw audit records if sealert is not installed.

    2.3 Check if SELinux is blocking sshd from binding to port 20002/TCP.

[root@server ~]# sealert -a /var/log/audit/audit.log 
100% done
found 3 alerts in /var/log/audit/audit.log
...
SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 20002.

*****  Plugin bind_ports (92.2 confidence) suggests   ************************

If you want to allow /usr/sbin/sshd to bind to network port 20002
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 20002
    where PORT_TYPE is one of the following: ssh_port_t, vnc_port_t, xserver_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that sshd should be allowed name_bind access on the port 20002 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp


Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 20002 [ tcp_socket ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          20002
Host                          
Source RPM Packages           openssh-server-6.6.1p1-33.el7_3.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.mylab.com
Platform                      Linux server.mylab.com 3.10.0-514.6.1.el7.x86_64
                              #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-02-26 23:43:47 WIB
Last Seen                     2017-02-26 23:44:33 WIB
Local ID                      b4e40db1-4036-4c63-b35e-6ea5f7bb01c8
...

          The sealert output gives complete information about the denial. The key pieces are the source context (sshd_t), the target context of the port (unreserved_port_t) and the port number (20002); together they point to the fix: label port 20002 as ssh_port_t.

    2.4 Verify the SELinux port label for ssh and make the necessary change.

[root@server ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      22

          By default only port 22 carries the ssh_port_t label. Add the non-default port to that type. Because 20002 is not assigned to any specific type (sealert showed it as unreserved_port_t), semanage port -a works; if the port you pick is already defined for another service (check semanage port -l | grep 20002), -a fails with "already defined" and you must use semanage port -m instead, which takes the port away from that service.

[root@server ~]# semanage port -a -t ssh_port_t -p tcp 20002
[root@server ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      20002, 22
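The sealert analysis in step 2.3 and the semanage change in step 2.4 can be automated for hosts where setroubleshoot-server is not installed. The following script is an added example, not part of the original article: it parses the raw AVC records that auditd writes (sample lines constructed here to mirror the sealert output above, plus one extra denial on port 8080 to show the other case) and prints the semanage port command that fixes each one, choosing -a when the port only carries a generic label such as unreserved_port_t and -m when it is already owned by another service's type. The mapping from sshd_t to ssh_port_t is hard-coded and is the only domain it knows about.

```python
"""Parse raw SELinux AVC denials for a failed bind and print the semanage fix,
for hosts without sealert.  Added example; the sample log is constructed, not
taken from the page or from a real host."""
import os
import re

# Constructed audit.log lines in the raw auditd format.  The contexts mirror the
# sealert output above (sshd_t asking for name_bind on an unreserved_port_t port);
# the third denial (8080, http_cache_port_t) is added to show the -m case.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1488127431.571:289): avc:  denied  { name_bind } for  pid=5534 comm="sshd" src=20002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1488127431.571:289): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7ffd1a2b3c40 a2=10 a3=7ffd1a2b3b90 items=0 ppid=1 pid=5534 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1488127478.102:301): avc:  denied  { name_bind } for  pid=5601 comm="sshd" src=20002 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1488127490.500:310): avc:  denied  { name_bind } for  pid=5620 comm="sshd" src=8080 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*?) \} for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)"\s+src=(?P<port>\d+)'
    r'\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Port types the targeted policy applies to ranges with no specific label.  A port
# carrying one of these can be added to ssh_port_t with `semanage port -a`; a port
# that already has a specific type must be moved with `-m` (`-a` fails with
# "Port tcp/NNNN already defined").
GENERIC_PORT_TYPES = {"unreserved_port_t", "reserved_port_t",
                      "hi_reserved_port_t", "ephemeral_port_t"}

# Port type to assign per source domain.  Only the sshd case this page needs is
# listed; extend it for other daemons.
DOMAIN_PORT_TYPE = {"sshd_t": "ssh_port_t"}


def parse_name_bind_denials(log_text):
    """Return one dict per AVC record that denied name_bind on a socket."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or "name_bind" not in m.group("perms").split():
            continue
        d = m.groupdict()
        d["port"] = int(d["port"])
        d["source_type"] = d["scontext"].split(":")[2]   # user:role:TYPE:level
        d["target_type"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def suggest_semanage(denial):
    """Build the semanage command that relabels the denied port, or None when the
    source domain's proper port type is unknown or the class is not a port."""
    port_type = DOMAIN_PORT_TYPE.get(denial["source_type"])
    proto = {"tcp_socket": "tcp", "udp_socket": "udp"}.get(denial["tclass"])
    if port_type is None or proto is None:
        return None
    flag = "-a" if denial["target_type"] in GENERIC_PORT_TYPES else "-m"
    return "semanage port %s -t %s -p %s %d" % (flag, port_type, proto, denial["port"])


def unique_fixes(log_text):
    """De-duplicated fix commands in first-seen order (the same denial is logged
    on every restart attempt; the page's sealert shows an alert count of 5)."""
    seen, fixes = set(), []
    for d in parse_name_bind_denials(log_text):
        cmd = suggest_semanage(d)
        if cmd and cmd not in seen:
            seen.add(cmd)
            fixes.append(cmd)
    return fixes


if __name__ == "__main__":
    path = "/var/log/audit/audit.log"
    if os.access(path, os.R_OK):
        with open(path) as f:
            text = f.read()
    else:
        text = SAMPLE_AUDIT_LOG
    for cmd in unique_fixes(text):
        print(cmd)
```

Run it as root on the affected host and it reads /var/log/audit/audit.log; otherwise it falls back to the built-in sample. Treat a -m suggestion with care: moving a port to ssh_port_t takes it away from the service that owned it, so pick an unlabeled port for sshd in the first place.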

    2.5 Restart the sshd service.

[root@server ~]# systemctl restart sshd
[root@server ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2017-02-26 23:46:43 WIB; 5s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 5689 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 5690 (sshd)
   CGroup: /system.slice/sshd.service
           └─5690 /usr/sbin/sshd

Feb 26 23:46:43 server.mylab.com systemd[1]: Starting OpenSSH server daemon...
Feb 26 23:46:43 server.mylab.com systemd[1]: PID file /var/run/sshd.pid not readable (yet?) after start.
Feb 26 23:46:43 server.mylab.com sshd[5690]: Server listening on 0.0.0.0 port 20002.
Feb 26 23:46:43 server.mylab.com sshd[5690]: Server listening on :: port 20002.
Feb 26 23:46:43 server.mylab.com systemd[1]: Started OpenSSH server daemon.

3. Confirm that the system is now listening on port 20002. A local test (ssh -p 20002 localhost) works at this point; a test from another host needs the firewall change in the next step, so keep your existing session open until that is done.

[root@server ~]# ss -tulpn | grep sshd
tcp    LISTEN     0      128       *:20002                 *:*              users:(("sshd",pid=5690,fd=3))
tcp    LISTEN     0      128      :::20002                :::*              users:(("sshd",pid=5690,fd=4))

4. Add a firewall rule to allow other systems to reach this system on port 20002/TCP.

    4.1 Verify the current firewall rules.

[root@server ~]# firewall-cmd  --permanent --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client https samba ssh
  ports: 3260/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:

          The ssh service is already allowed, but that service definition only covers the default TCP port 22, so port 20002 must be added explicitly. Once the new port is confirmed to work from another host, you can also remove the ssh service from the zone (firewall-cmd --permanent --remove-service=ssh, then firewall-cmd --reload) so that port 22 is no longer open.

    4.2 Add port 20002 to the firewall and verify it.

[root@server ~]# firewall-cmd --permanent --add-port=20002/tcp
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd  --permanent --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client https samba ssh
  ports: 20002/tcp 3260/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:

Happy labbing!!!

Source: Red Hat System Administration III

Contributor:

Ananto Yudi Hendrawan
Network Engineer - CCIE Service Provider #38962, RHCE, VCP6-DCV
nantoyudi@gmail.com

Reset Root Password on Red Hat 7.x/CentOS 7.x

Recovering the root password is trivial while still logged in as root or as a user with full sudo access, but is slightly more involved when no administrator session is available. To recover it from the console, use the following procedure:

  1. Reboot the system and, at the GRUB menu, press e to edit the selected entry. Move the cursor to the kernel command line (the line that starts with linux16; on UEFI systems it starts with linuxefi) and append rd.break, which stops the boot just before control is handed from the initramfs to the real system. Press Ctrl+x to boot with the changes. A root shell is presented, with the real root file system mounted read-only on /sysroot. No password is asked for at any point, which is why console and boot-loader access must be protected (a GRUB 2 password, e.g. via grub2-setpassword, and disk encryption) on systems where this matters.
  2. Remount /sysroot read-write.
    switch_root:/# mount -o remount,rw /sysroot
  3. Switch into a chroot jail, where /sysroot is treated as the root of the file system tree.
    switch_root:/# chroot /sysroot
  4. Set a new root password.
    sh-4.2# passwd root
  5. Make sure that all unlabeled files get relabeled during boot. No SELinux policy is loaded in the initramfs, so the /etc/shadow just written by passwd carries no label; without the relabel, confined processes cannot read it and logins fail in enforcing mode.
    sh-4.2# touch /.autorelabel
  6. Type exit twice. The first exits the chroot jail, the second exits the initramfs debug shell; the boot then continues, runs the relabel (which takes a while) and reboots.

Source: Red Hat System Administration III

Contributor:

Ananto Yudi Hendrawan
Network Engineer - CCIE Service Provider #38962, RHCE, VCP6-DCV
nantoyudi@gmail.com

SSH Key Exchange fails from CentOS 7 to Cisco IOS

This issue happened when I was building a lab with several Cisco devices, using CentOS 7 as the SSH terminal server. I hit it only on devices running classic IOS; the IOS XR and IOS XE devices did not show the same issue.

I ran debugging on both the CentOS host and the IOS device. You will see output like this if you run into the same problem.

CentOS 7

[root@terminal ~]# ssh -v 172.16.0.21
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 172.16.0.21 [172.16.0.21] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST (1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by 172.16.0.21

Cisco IOS

SSH1: starting SSH control process
SSH1: sent protocol version id SSH-2.0-Cisco-1.25
SSH1: protocol version id is - SSH-2.0-OpenSSH_6.6.1
SSH2 1: send:packet of  length 368 (length also includes padlen of 5)
SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2 1: kex: client->server enc:aes128-ctr mac:hmac-sha1 
SSH2 1: kex: server->client enc:aes128-ctr mac:hmac-sha1 
SSH2 1: Using kex_algo = diffie-hellman-group-exchange-sha1
SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
SSH2 1: Range sent by client is - 1024 < 7680 < 8192 
SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with maximum configured DH key on server
SSH-5-SSH2_SESSION: SSH2 Session request from 172.16.254.67 (tty = 1) using crypto cipher '', hmac '' Failed
SSH-5-SSH2_CLOSE: SSH2 Session from 172.16.254.67 (tty = 1) for user '' using crypto cipher '', hmac '' closed
SSH1: Session disconnected - error 0x00

The Cisco device I am using supports a maximum modulus of 4096 bits, as shown below, whereas the client's group-exchange request asks for a preferred DH group of 7680 bits. (The need=20 in the debug output is 20 bytes, i.e. 160 bits of symmetric key strength, which OpenSSH maps to a 7680-bit group.)

R1(config)#crypto key generate rsa modulus ?
    size of the key modulus [360-4096]

So the problem appears with modern SSH clients, in my case OpenSSH 6.6.1. Cisco tracks this as bug CSCuo76464.

From some searching I found that you need to reorder the KexAlgorithms in /etc/ssh/ssh_config so that a fixed-group method comes before group exchange, by adding the following line:

KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
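To see why moving diffie-hellman-group14-sha1 to the front helps, the following added example (not part of the original post) models the two negotiation steps visible in the debug output: the RFC 4253 rule that picks the first method on the client's list the server also offers, and the group size a group-exchange client asks for. The client list is the OpenSSH 6.6 default order as assumed from the corrected line above; the IOS device's list is an assumption containing only the two methods the page shows it accepting; the DH_RANGE_FAIL check is a model inferred from the log, not Cisco's code.

```python
"""Model of the SSH key-exchange negotiation and of the DH group-exchange
request the IOS device rejects.  Added example; the algorithm lists are
assumptions explained in the comments, not output captured from the lab."""

# OpenSSH 6.6 client default KexAlgorithms order.  Assumption: this is the page's
# corrected line with diffie-hellman-group14-sha1 moved back to its original
# place; confirm against `man ssh_config` for your own version.
OPENSSH_66_DEFAULT_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]

# The KexAlgorithms line the page adds to /etc/ssh/ssh_config.
PAGE_FIX_KEX = ["diffie-hellman-group14-sha1"] + [
    a for a in OPENSSH_66_DEFAULT_KEX if a != "diffie-hellman-group14-sha1"]

# What the IOS device is assumed to advertise.  The page never prints the
# device's KEXINIT; these two methods are the ones it accepted in the two debug
# sessions above, so both must be on its list.  Anything else is unknown.
CISCO_IOS_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"]

DH_GRP_MIN, DH_GRP_MAX = 1024, 8192   # bounds OpenSSH puts in SSH2_MSG_KEX_DH_GEX_REQUEST


def negotiate_kex(client_list, server_list):
    """RFC 4253 section 7.1: the chosen method is the first one on the client's
    list that the server also supports; the server's own order is irrelevant."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def dh_estimate(bits):
    """Preferred DH group size for a given symmetric-key strength, following the
    table in OpenSSH's dh.c (dh_estimate()).  "need=20" in the debug output is
    20 bytes = 160 bits, which lands in the 7680 row."""
    if bits <= 112:
        return 2048
    if bits <= 128:
        return 3072
    if bits <= 192:
        return 7680
    return 8192


def gex_request(need_bytes):
    """(min, preferred, max) sent by a group-exchange client; 1024 < 7680 < 8192 on the page."""
    return DH_GRP_MIN, dh_estimate(need_bytes * 8), DH_GRP_MAX


def ios_accepts_gex(request, server_max_modulus):
    """Model of the check behind SSH-3-DH_RANGE_FAIL: assumed (from the page's
    log, not from Cisco source) to reject a preferred size above the largest
    modulus the device supports, 4096 bits on the page's device."""
    _, preferred, _ = request
    return preferred <= server_max_modulus


def simulate(client_kex, need_bytes=20, server_max_modulus=4096):
    """Return (chosen kex, whether the exchange proceeds) for one connection."""
    kex = negotiate_kex(client_kex, CISCO_IOS_KEX)
    if kex is None:
        return None, False
    if kex.startswith("diffie-hellman-group-exchange"):
        return kex, ios_accepts_gex(gex_request(need_bytes), server_max_modulus)
    # Fixed groups (group14 = 2048 bits, group1 = 1024 bits) send no size
    # request, so the device's modulus limit never comes into play.
    return kex, True


if __name__ == "__main__":
    for name, lst in (("default order", OPENSSH_66_DEFAULT_KEX), ("page's order", PAGE_FIX_KEX)):
        kex, ok = simulate(lst)
        print("%-14s -> %-40s %s" % (name, kex, "ok" if ok else "DH_RANGE_FAIL"))
```

The model also shows the security trade-off of the fix: it does not make the device accept a bigger group, it sidesteps the size request entirely by using the fixed 2048-bit group14, which is why group1 (1024 bits) should stay at the end of the list or be dropped.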

Once done, try the ssh connection again. Note that a line in /etc/ssh/ssh_config applies to every host this client connects to; it is better to place it under a Host stanza (in /etc/ssh/ssh_config or ~/.ssh/config) matching only the IOS devices, or to pass it for a single session with ssh -o KexAlgorithms=diffie-hellman-group14-sha1, and to leave diffie-hellman-group1-sha1 (a 1024-bit group) off the list unless a device cannot do anything else. Below is the ssh debug from my terminal server after the change.

[root@terminal ~]# ssh -v cisco@172.16.0.21
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 172.16.0.21 [172.16.0.21] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: kex: diffie-hellman-group14-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group14-sha1 need=20 dh_need=20
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA bb:62:4e:54:f7:c5:e8:c1:bd:03:40:cc:2d:bd:81:28
debug1: Host '172.16.0.21' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 172.16.0.21 ([172.16.0.21]:22).
R1#
Contributor:

Ananto Yudi Hendrawan
Network Engineer - CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

When working with *nix systems, you may sometimes see the following when you ssh to a remote host.

user@ubuntu14:~$ ssh user@192.168.56.101
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
b6:72:0b:92:f3:fa:e4:f8:d3:31:59:21:77:9c:f7:64.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:1
  remove with: ssh-keygen -f "/home/user/.ssh/known_hosts" -R 192.168.56.101
ECDSA host key for 192.168.56.101 has changed and you have requested strict checking.
Host key verification failed.
user@ubuntu14:~$ 

Your connection fails and you cannot manage the system remotely. Fortunately the message tells you what happened and how to resolve it.

The message also tells you where the conflicting entry is; known_hosts:1 means line one of the known_hosts file.

Offending ECDSA key in /home/user/.ssh/known_hosts:1

Before I got this issue, I had already established a connection to the host at 192.168.56.102. It is the same system as the one I am now facing the issue with; the only change on the system was its IP address, which is now 192.168.56.101.

With this condition, the remote host sends a different ECDSA host key, and therefore a different fingerprint, to the ssh client. I do not fully understand how the key is formed; you can find further reading on the hyperlink. The fingerprint itself is just a hash of the host's public key (MD5 in the colon-separated form shown here, SHA-256 in newer OpenSSH), so it changes whenever an address starts answering with a different host key, for example because the address now belongs to another machine or the host was reinstalled.

Now let's look at the key entry in the known_hosts file. The host name is hashed (the |1|salt|hash form) because Ubuntu's ssh_config enables HashKnownHosts.

user@ubuntu14:~$ cat /home/user/.ssh/known_hosts
|1|9DcAMV4Wrk5TnbMs1tBLOyrbpn8=|dJo4ObTaDRdCErOfRIacjls6b9k= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCTkPQwqO3p99rLkw7A922WQ8Q6fopWnvNmAPkHjRhSmqbYvCSKcQwLVQTV7ceQXWKYQ+3PTQ68xQLWapePyeu8= 
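The following added example (not code from the original post) works with the formats seen above: it matches a hashed known_hosts host field against a host name the way ssh does (HMAC-SHA1 keyed with the salt), reports the offending line number for a host, decodes the ECDSA key blob from the page's entry, and prints both fingerprint styles. The sample known_hosts file at the end is constructed; only the key blob is taken from the page.

```python
"""Tools for the known_hosts formats seen in the warning above: hashed host
names, the ECDSA key blob, and both fingerprint styles.  Added example; the
sample known_hosts file is constructed, the key blob is the one from the page."""
import base64
import hashlib
import hmac
import os
import struct

# The entry printed by `cat ~/.ssh/known_hosts` above.
PAGE_KNOWN_HOSTS_LINE = "|1|9DcAMV4Wrk5TnbMs1tBLOyrbpn8=|dJo4ObTaDRdCErOfRIacjls6b9k= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCTkPQwqO3p99rLkw7A922WQ8Q6fopWnvNmAPkHjRhSmqbYvCSKcQwLVQTV7ceQXWKYQ+3PTQ68xQLWapePyeu8="


def parse_known_hosts_line(line):
    """Split one line into (host field, key type, decoded key blob)."""
    host_field, key_type, blob_b64 = line.split()[:3]
    return host_field, key_type, base64.b64decode(blob_b64)


def hash_host(hostname, salt=None):
    """Host field written when HashKnownHosts is on (Ubuntu's default):
    '|1|' + base64(salt) + '|' + base64(HMAC-SHA1(salt, hostname))."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(host_field, hostname):
    """True if a (hashed or plain, comma-separated) host field refers to hostname."""
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")
    _, _, salt_b64, mac_b64 = host_field.split("|")
    expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def find_offending_lines(known_hosts_text, hostname):
    """Line numbers (1-based, as in 'known_hosts:1') whose host field matches."""
    hits = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        if line.strip() and not line.startswith("#"):
            if host_field_matches(line.split()[0], hostname):
                hits.append(n)
    return hits


def _ssh_string(buf, off):
    """Read one SSH 'string' (uint32 length, then bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_ecdsa_blob(blob):
    """RFC 5656 wire format: string 'ecdsa-sha2-<curve>', string curve, string Q
    (SEC1 point; 0x04 || X || Y, 65 bytes for an uncompressed P-256 point)."""
    key_type, off = _ssh_string(blob, 0)
    curve, off = _ssh_string(blob, off)
    point, off = _ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    return key_type.decode(), curve.decode(), point


def fingerprint_md5(blob):
    """Colon-separated MD5 of the blob, the style in the warning above (OpenSSH
    before 6.8; `ssh-keygen -l -E md5` prints it on newer versions)."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_sha256(blob):
    """'SHA256:' + unpadded base64, the default style since OpenSSH 6.8."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


# Constructed known_hosts file: line 1 is a hashed entry for 192.168.56.101 with a
# fixed salt so the result is reproducible; line 2 is a plain entry for the old
# address.  Both reuse the page's key blob purely as sample data.
_, _page_key_type, _page_blob = parse_known_hosts_line(PAGE_KNOWN_HOSTS_LINE)
_page_blob_b64 = base64.b64encode(_page_blob).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "%s %s %s" % (hash_host("192.168.56.101", b"\x01" * 20), _page_key_type, _page_blob_b64),
    "192.168.56.102 %s %s" % (_page_key_type, _page_blob_b64),
])

if __name__ == "__main__":
    host_field, key_type, blob = parse_known_hosts_line(PAGE_KNOWN_HOSTS_LINE)
    print(parse_ecdsa_blob(blob)[:2], fingerprint_md5(blob), fingerprint_sha256(blob))
    print("page entry is for 192.168.56.101:", host_field_matches(host_field, "192.168.56.101"))
    print("offending lines in sample file:", find_offending_lines(SAMPLE_KNOWN_HOSTS, "192.168.56.101"))
```

Whether the hashed entry printed above really belongs to 192.168.56.101 can be checked by running the script: host_field_matches() answers that without ever revealing the host name, which is the point of HashKnownHosts. From the command line, ssh-keygen -F 192.168.56.101 does the same lookup.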

Before removing anything, confirm out of band that the key really changed for a legitimate reason, e.g. by comparing the fingerprint with ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub run on the host's console (add -E md5 on newer OpenSSH to get the colon-separated form shown above); the warning exists precisely to catch a man-in-the-middle. Once satisfied, you have two options. The first is to delete only the offending entry, using the command given in the message itself:

ssh-keygen -f "/home/user/.ssh/known_hosts" -R 192.168.56.101

The second is to delete the whole known_hosts file. This also discards the trusted keys of every other host, so prefer the first option.

sudo rm /home/user/.ssh/known_hosts

Once done, re-establish the ssh connection. It will ask you to accept the new ECDSA key fingerprint before adding it to known_hosts.

user@ubuntu14:~$ ssh user@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is b6:72:0b:92:f3:fa:e4:f8:d3:31:59:21:77:9c:f7:64.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
nantoyudi@192.168.56.101's password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
...
Last login: Fri Apr 15 06:00:38 2016
user@VM1:~$

Contributor:

Ananto Yudi, CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com

Ubuntu 12.04 Kernel Upgrade/Downgrade

When working with Linux, we sometimes need to upgrade or downgrade the kernel to satisfy a software requirement. Here I share my experience downgrading the Ubuntu 12.04 kernel. Keep in mind that 3.2.1 is a mainline kernel built in January 2012 (see the package names below) that received none of the later security fixes, so this belongs in a lab, not on an exposed system.

Below is my current kernel version:

root@ubuntu12:~# uname -a
Linux ubuntu12.04 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:51:20 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Now download the kernel packages from the site linked here. I am going to use 3.2.1.

root@ubuntu12:~# dpkg -i linux-headers-3.2.1-030201_3.2.1-030201.201201121644_all.deb linux-headers-3.2.1-030201-generic_3.2.1-030201.201201121644_amd64.deb linux-image-3.2.1-030201-generic_3.2.1-030201.201201121644_amd64.deb
...
Found linux image: /boot/vmlinuz-3.13.0-32-generic
Found initrd image: /boot/initrd.img-3.13.0-32-generic
Found linux image: /boot/vmlinuz-3.2.1-030201-generic
Found initrd image: /boot/initrd.img-3.2.1-030201-generic
Found memtest86+ image: /boot/memtest86+.bin
done

At this stage the old kernel is still running. Verify with uname -r, which prints only the kernel release:

root@ubuntu12:~# uname -r
3.13.0-32-generic

Now remove the old kernel. Two cautions: it is safer to reboot into the new kernel first and remove the old one only after 3.2.1 is confirmed to boot, because removing the running kernel leaves no fallback; and the pattern linux-image-3.13.0-3* is treated by apt-get as a regex, so it also selects packages you did not mean (see the "selecting" notes below). Check the REMOVED list before answering Y.

root@ubuntu12:~# apt-get remove linux-image-3.13.0-3* linux-headers-3.13.0-3*
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'linux-image-3.13.0-24-generic-lpae' for regex 'linux-image-3.13.0-3*'
Note, selecting 'linux-image-3.13.0-41-generic' for regex 'linux-image-3.13.0-3*'
....
....
The following packages will be REMOVED:
  linux-generic-lts-trusty linux-headers-3.13.0-32 linux-headers-3.13.0-32-generic linux-headers-generic-lts-trusty linux-image-3.13.0-32-generic
  linux-image-generic-lts-trusty
0 upgraded, 0 newly installed, 6 to remove and 287 not upgraded.
After this operation, 274 MB disk space will be freed.
Do you want to continue [Y/n]? Y
(Reading database ... 170424 files and directories currently installed.)
Removing linux-generic-lts-trusty ...
Removing linux-headers-generic-lts-trusty ...
Removing linux-headers-3.13.0-32-generic ...
Removing linux-headers-3.13.0-32 ...
Removing linux-image-generic-lts-trusty ...
Removing linux-image-3.13.0-32-generic ...
WARN: Proceeding with removing running kernel image.
Examining /etc/kernel/postrm.d .
run-parts: executing /etc/kernel/postrm.d/initramfs-tools 3.13.0-32-generic /boot/vmlinuz-3.13.0-32-generic
update-initramfs: Deleting /boot/initrd.img-3.13.0-32-generic
run-parts: executing /etc/kernel/postrm.d/zz-update-grub 3.13.0-32-generic /boot/vmlinuz-3.13.0-32-generic
Generating grub.cfg ...
Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
Found linux image: /boot/vmlinuz-3.2.1-030201-generic
Found initrd image: /boot/initrd.img-3.2.1-030201-generic
Found memtest86+ image: /boot/memtest86+.bin
done

Reboot the system; it now runs the new kernel.

root@ubuntu12:~# sudo reboot 
Broadcast message from nantoyudi@ubuntu12.04
 (/dev/pts/1) at 0:45 ...

The system is going down for reboot NOW!
root@ubuntu12:~# uname -r
3.2.1-030201-generic

Happy labbing!!!.

Contributor:

Ananto Yudi, CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com

Ubuntu 14.04 Tips and Tricks

In this section I am going to share some tips and tricks for Ubuntu; in this lab I am using Ubuntu 14.04. This section will be updated regularly.

Network Manager

In Linux we are all familiar with the ifconfig command. This section shows another tool Ubuntu uses to manage networking, NetworkManager, through its nmcli client. The nmcli nm and nmcli dev list forms below are the nmcli 0.9.8 syntax shipped with 14.04; NetworkManager 1.0 and later renamed them to nmcli general and nmcli dev show.

Install NetworkManager

sudo apt-get install network-manager

Verify NetworkManager status

user@ubuntu14:~$ nmcli nm
RUNNING         STATE           WIFI-HARDWARE   WIFI       WWAN-HARDWARE   WWAN      
running         connected       enabled         enabled    enabled         disabled  

Verify your network device status

user@ubuntu14:~$ nmcli dev status 
DEVICE     TYPE              STATE        
eth0       802-3-ethernet    connected    

Detailed information about your adapter

user@ubuntu14:~$ nmcli dev list 
GENERAL.DEVICE:                         eth0
GENERAL.TYPE:                           802-3-ethernet
GENERAL.VENDOR:                         Intel Corporation
GENERAL.PRODUCT:                        PRO/1000 MT Single Port Adapter
GENERAL.DRIVER:                         e1000
GENERAL.DRIVER-VERSION:                 7.3.21-k8-NAPI
GENERAL.FIRMWARE-VERSION:               
GENERAL.HWADDR:                         00:50:56:BF:F1:C5
GENERAL.STATE:                          100 (connected)
GENERAL.REASON:                         0 (No reason given)
GENERAL.UDI:                            /sys/devices/pci0000:00/0000:00:11.0/0000:02:00.0/net/eth0
GENERAL.IP-IFACE:                       eth0
GENERAL.NM-MANAGED:                     yes
GENERAL.AUTOCONNECT:                    yes
GENERAL.FIRMWARE-MISSING:               no
GENERAL.CONNECTION:                     /org/freedesktop/NetworkManager/ActiveConnection/0
CAPABILITIES.CARRIER-DETECT:            yes
CAPABILITIES.SPEED:                     1000 Mb/s
CONNECTIONS.AVAILABLE-CONNECTION-PATHS: /org/freedesktop/NetworkManager/Settings/{0}
CONNECTIONS.AVAILABLE-CONNECTIONS[1]:   193d55e7-ddba-47b0-9dd2-341e2e1800a6 | Upstream
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         ip = 172.16.0.41/16, gw = 172.16.0.1
IP4.DNS[1]:                             8.8.8.8

Repository

Edit Repository

If you want to add or delete repository sources, edit the sources list:

sudo nano /etc/apt/sources.list

You can use your favourite text editor (e.g. vi, gedit) instead of nano.

Repository Update

After adding or removing repository sources, refresh the package index with:

sudo apt-get update

Contributor:

Ananto Yudi, CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com

Cisco 2950 Password Recovery

Hi folks, today I want to share something common: password recovery. Agreed, it is not a business-as-usual activity, but when it is needed it can be troublesome. You can find the official Cisco documentation here for more detail. Note that the whole procedure needs nothing but physical access to the console port and the Mode button, which is why switches and their console ports belong in locked space.

Below are the step-by-step actions to accomplish this task.

  • Attach a terminal or a PC with terminal emulation (for example, HyperTerminal) to the console port of the switch, using the following terminal settings:
    • Bits per second (baud): 9600
    • Data bits: 8
    • Parity: None
    • Stop bits: 1
    • Flow control: Xon/Xoff
  • Unplug the power cable.
  • Hold down the Mode button on the left side of the front panel while you reconnect the power cable, and keep holding it until the switch: prompt appears on the console. Below is a picture of my switch.

[image: cat2950]

  • Issue flash_init on the command line; you will see output like the following.
	switch: flash_init
	Initializing Flash...
	flashfs[0]: 360 files, 4 directories
	flashfs[0]: 0 orphaned files, 0 orphaned directories
	flashfs[0]: Total bytes: 7741440
	flashfs[0]: Bytes used: 4692992
	flashfs[0]: Bytes available: 3048448
	flashfs[0]: flashfs fsck took 7 seconds.
	...done initializing flash.
	Boot Sector Filesystem (bs:) installed, fsid: 3
	Parameter Block Filesystem (pb:) installed, fsid: 4
	switch:
  • Issue the load_helper command.
    switch: load_helper
  • Issue the dir flash: command to display the switch file system. The saved configuration is in config.text.
	switch: dir flash:
	Unknown cmd: dir
	switch: dir flash:
	Directory of flash:/
	
	2    -rwx  109                      info
	3    -rwx  676                      vlan.dat
	4    -rwx  548                      env_vars
	5    -rwx  1929                     wgswf.cfg
	7    -rwx  3097872                  c2950-i6q4l2-mz.121-22.EA4.bin
	8    drwx  4032                     html
	362  -rwx  109                      info.ver
	363  -rwx  2722                     config.text
	364  -rwx  5                        private-config.text
	
	3074560 bytes available (4666880 bytes used)
	switch:

  • Rename config.text to config.old; we will use it later.
	switch: rename flash:config.text flash:config.old
	switch: dir flash:
	Directory of flash:/
	
	2    -rwx  109                      info
	3    -rwx  676                      vlan.dat
	4    -rwx  548                      env_vars
	5    -rwx  1929                     wgswf.cfg
	7    -rwx  3097872                  c2950-i6q4l2-mz.121-22.EA4.bin
	8    drwx  4032                     html
	362  -rwx  109                      info.ver
	363  -rwx  2722                     config.old
	364  -rwx  5                        private-config.text
	
	3074560 bytes available (4666880 bytes used)
	switch:

  • Issue the boot command to boot the system.
	switch: boot
	Loading "flash:/c2950-i6q4l2-mz.121-22.EA4.bin"...########################
        ##########################################################################
        ##########################################################################
        ###############################
	
	File "flash:/c2950-i6q4l2-mz.121-22.EA4.bin" uncompressed and installed, 
        entry point: 0x80010000
	executing...
	!-----output suppressed.

  • Enter no at the prompt to abort the initial configuration dialog.
	 --- System Configuration Dialog ---
	
	Would you like to enter the initial configuration dialog? [yes/no]: no
	
	
	
	Press RETURN to get started!

  • Enter enable mode. No enable password is requested because the switch booted without a configuration.
        Switch>en
        Switch#	
  • Replace the running configuration with the contents of config.old.
	switch#config replace flash:config.old 
        This will apply all necessary additions and deletions to replace 
        the current running configuration with the contents of the specified
        configuration file, which is assumed to be a complete configuration,
        not a    partial configuration. Enter Y if you are sure you want to 
        proceed. ? [no]: Y 
        Total number of passes: 1
        Rollback Done
        switch#         
  • Change the user password and the enable secret (the values below are lab placeholders; use strong ones on a real device).
	switch#configure terminal
	switch(config)#username cisco privilege 15 secret cisco123
	switch(config)#enable secret cisco123
	switch(config)#end
  • Save the configuration. This writes config.text again, so the renamed config.old is no longer needed and can be removed with delete flash:config.old.
	switch#wr
	Building configuration...
	[OK]
	switch#

Happy labbing!!!

 

Contributor:

Ananto Yudi, CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com