SRX – Rollback

root> request system software rollback
** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 40981 free (29 frags, 5119 blocks, 0.0% fragmentation)
junos-10.4R4.5-domestic will become active at next reboot

root> request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 1288]

root>
*** FINAL System shutdown message from root@ ***

System going down IMMEDIATELY
Waiting (max 60 seconds) for system process `vnlru_mem' to stop…done
Waiting (max 60 seconds) for system process `vnlru' to stop…done
Waiting (max 60 seconds) for system process `bufdaemon' to stop…done
Waiting (max 60 seconds) for system process `syncer' to stop…
Syncing disks, vnodes remaining…0 0 0 done

syncing disks… All buffers synced.
Uptime: 6m18s
Rebooting…

Amnesiac (ttyu0)

login: root
Password:

--- JUNOS 10.4R4.5 built 2011-05-06 06:14:23 UTC
root@%

SRX – Upgrade system

root> request system software add no-copy /var/tmp/junos-srxsme-10.4R7.5-domestic.tgz

NOTICE: Validating configuration against junos-srxsme-10.4R7.5-domestic.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s2a)…
/dev/da0s2a: 298.0MB (610284 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 74.50MB, 4768 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
32, 152608, 305184, 457760
Checking compatibility with configuration
Initializing…
Verified manifest signed by PackageProduction_10_4_0
Verified junos-10.4R4.5-domestic signed by PackageProduction_10_4_0
Using junos-10.4R7.5-domestic from /altroot/cf/packages/install-tmp/junos-10.4R7.5-domestic
Copying package …
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.4R7.5.tgz
Verified manifest signed by PackageProduction_10_4_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-10.4R7.5-domestic' …
Verified junos-boot-srxsme-10.4R7.5.tgz signed by PackageProduction_10_4_0
Verified junos-srxsme-10.4R7.5-domestic signed by PackageProduction_10_4_0
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.4R7.5.tgz
JUNOS 10.4R7.5 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING: Use the 'request system reboot' command
WARNING: when software installation is complete
Saving state for rollback …

root> request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 2093]

root>
*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY
Waiting (max 60 seconds) for system process `vnlru' to stop…done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop…done
Waiting (max 60 seconds) for system process `bufdaemon' to stop…done
Waiting (max 60 seconds) for system process `syncer' to stop…
Syncing disks, vnodes remaining…2 2 0 0 0 done

syncing disks… All buffers synced.
Uptime: 36m51s
Rebooting…

SRX – Load new software

root> ftp 192.168.1.2
Connected to 192.168.1.2.
220 3Com 3CDaemon FTP Server Version 2.0
Name (192.168.1.2:root): anonymous
331 User name ok, need password
Password:
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> lcd /var/tmp
Local directory now /cf/var/tmp

ftp> bin
200 Type set to I.

ftp> get junos-srxsme-10.4R7.5-domestic.tgz
local: junos-srxsme-10.4R7.5-domestic.tgz remote: junos-srxsme-10.4R7.5-domestic.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 210 MB 00:00 ETA
226 Closing data connection; File transfer successful.
221075489 bytes received in 264.06 seconds (817.59 KB/s)

ftp> bye
221 Service closing control connection

root> request system software delete-backup
Delete backup system software package [yes,no] (no) yes

SRX – Back to factory default

root@host# load factory-default
root@host# set system root-authentication plain-text-password
New password:
 Retype new password:
root@host# commit and-quit

After the commit, the factory default configuration is the running configuration.

Caution: If you do not, before committing, assign an IP address to the ge-0/0/0 interface, create a local user account, and enter routing information (either in the CLI configuration or via DHCP), the SRX device will no longer be remotely accessible after the commit. To manage it, you must then connect a PC or laptop to the physical console, or attach the PC or laptop to a subnet that is directly connected to the ge-0/0/0 interface, which the factory default assigns the IP address 192.168.2.1.

procurve 2910: upgrade firmware from usb-stick

ProCurve 2910al-24G Switch# sh ver
Image stamp:    /sw/code/build/sbm(t4a)
                Nov  5 2009 18:02:07
                W.14.38
                51
Boot Image:     Primary
ProCurve 2910al-24G Switch# dir
Listing Directory /ufa0:
-rwxrwxrwx    1    8602885 Jun 30 15:50 W_14_49.SWI
ProCurve 2910al-24G Switch# copy usb flash W_14_49.SWI primary
The Primary OS Image will be deleted, continue [y/n]?  y
Validating and Writing System Software to the Filesystem ...
ProCurve 2910al-24G Switch# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 8602885   06/30/10 W.14.49
Secondary Image : 8482560   11/05/09 W.14.38
Boot Rom Version: W.14.04
Default Boot    : Primary
ProCurve 2910al-24G Switch#

Windows server 2008 disable password security complexity requirements

When setting up a new Windows Server 2008 server, with or without Active Directory, you will discover that it enforces a rather strong password policy. If you are setting it up at home or in a small business and don't want to deal with the complex passwords the policy requires, you can edit the policy to disable the complexity requirement. First try opening a command prompt, typing 'gpedit.msc', and navigating to the Computer Settings\Windows Settings\Security Settings\Account Policies\Password Policy section.

Here you will see the 'Password must meet complexity requirements' item. When you view its properties, the Enabled/Disabled radio buttons are usually grayed out and cannot be changed. If they can be changed, change the setting, then save and close the dialog boxes. If the setting is grayed out and cannot be changed there, do the following:

1. Go to a command prompt.
2. Type 'secedit /export /cfg c:\local.cfg' and press Enter.
3. Using Notepad, edit c:\local.cfg.
4. Look for the line "PasswordComplexity = 1" and change it to "PasswordComplexity = 0". You can also lower "MinimumPasswordLength = 7" to a smaller value if you like.
5. Save the file.
6. At a command prompt, type 'secedit /configure /db %windir%\security\local.sdb /cfg c:\local.cfg /areas SECURITYPOLICY' and press Enter. This applies the new settings; refreshing gpedit.msc should now show them.
7. Set your new, less complex password!
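
As an added example (not from the original post), the following Python script parses the INF file that 'secedit /export' writes and reports which [System Access] settings fall below the defaults described above, which is a quick way to audit a server where this change has been made. The sample file content is constructed, and the baseline values (complexity on, minimum length 7) are taken from the post.

```python
"""Audit a secedit /export INF file for a weakened password policy.
Added example, not from the original post: parses the [System Access]
section that 'secedit /export /cfg c:\\local.cfg' writes and reports
settings below the defaults the post mentions (complexity on, length 7)."""
import re

# Defaults the post describes; anything weaker is reported.
BASELINE = {"PasswordComplexity": 1, "MinimumPasswordLength": 7}

# Constructed sample of local.cfg after the post's edits. Real exports are
# UTF-16 text: read them with open(path, encoding="utf-16").
SAMPLE_CFG = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 4
PasswordComplexity = 0
PasswordHistorySize = 0
[Version]
signature="$CHICAGO$"
"""

def parse_secedit_inf(text):
    """Return {section: {key: value}}; integer-looking values become ints."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:       # stray text outside a section
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        current[key] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return sections

def audit_password_policy(text):
    """Return one finding per [System Access] setting weaker than BASELINE."""
    access = parse_secedit_inf(text).get("System Access", {})
    findings = []
    for key, minimum in BASELINE.items():
        value = access.get(key)
        if not isinstance(value, int):
            findings.append(f"{key} missing or non-numeric in [System Access]")
        elif value < minimum:
            findings.append(f"{key} = {value} (baseline {minimum})")
    return findings
```

Run audit_password_policy on the decoded export of each server; an empty list means the defaults are still in force.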

wireshark filters

found here: http://www.lovemytool.com/blog/2010/04/top-10-wireshark-filters-by-chris-greer.html

1. ip.addr == 10.0.0.1 [sets a filter for any packet with 10.0.0.1, as either the source or dest]

2. ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]

3. http or dns [sets a filter to display all http and dns]

4. tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]

5. tcp.flags.reset==1 [displays all TCP resets]

6. http.request [displays all HTTP GET requests]

7. tcp contains traffic [displays all TCP packets that contain the word 'traffic'. Excellent when searching on a specific string or user ID]

8. !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols are background noise, allowing you to focus on the traffic of interest]

9. udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any offset]

10. tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]

SRX config – ipsec vpn asa – srx multiple subnets

version 10.1R2.8;
interfaces {
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.34.2/16;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 10.0.2.254/24;
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family inet {
                address 2.2.2.2/28;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 2.2.2.1;
    }
}
security {
    ike {
        proposal ikep1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy IkePolicy1 {
            mode main;
            proposals ikep1;
            pre-shared-key ascii-text "$9$JgGHm36AB1h/CMX7d4o"; ## SECRET-DATA
        }
        gateway IkeGateway1 {
            ike-policy IkePolicy1;
            address 64.61.147.206;
            dead-peer-detection;
            no-nat-traversal;
            external-interface ge-0/0/14.0;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 10;
            threshold 10;
        }
        proposal ipsecp2 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy VpnPolicy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsecp2;
        }
        vpn Vpn1 {
            ike {
                gateway IkeGateway1;
                ipsec-policy VpnPolicy1;
            }
        }
    }
    nat {
        source {
            rule-set hide-nat {
                from zone [ Dmz2 Trust ];
                to zone Untrust;
                rule Except {
                    match {
                        destination-address 172.16.1.0/24;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule hide-nat-rule {
                    match {
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone Trust {
            tcp-rst;
            address-book {
                address local_lan 192.168.0.0/16;
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone Untrust {
            address-book {
                address ASA_lan 172.16.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/14.0;
            }
        }
        security-zone Dmz2 {
            tcp-rst;
            address-book {
                address dmz2_lan 10.0.2.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
    }
    policies {
        from-zone Untrust to-zone Dmz2 {
            policy ASADmz2 {
                match {
                    source-address ASA_lan;
                    destination-address dmz2_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy Dmz2ASA;
                        }
                    }
                }
            }
        }
        from-zone Trust to-zone Untrust {
            policy VpnASA {
                match {
                    source-address local_lan;
                    destination-address ASA_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy ASAVpn;
                        }
                    }
                }
            }
            policy 56 {
                match {
                    source-address Full_Access;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Dmz2 to-zone Untrust {
            policy Dmz2ASA {
                match {
                    source-address dmz2_lan;
                    destination-address ASA_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy ASADmz2;
                        }
                    }
                }
            }
            policy sslvpn2any {
                match {
                    source-address sslvpn_10.0.2.10;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Untrust to-zone Trust {
            policy ASAVpn {
                match {
                    source-address ASA_lan;
                    destination-address local_lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Vpn1;
                            pair-policy VpnASA;
                        }
                    }
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}

ASA config – ipsec vpn asa – srx multiple subnets

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
names
name 192.168.0.0 NLLan
name 10.0.2.0 NLLan2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
object-group network VPNSubnets
 network-object NLLan2 255.255.255.0
 network-object NLLan 255.255.0.0
access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 object-group VPNSubnets
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 object-group VPNSubnets
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
webvpn
group-policy DfltGrpPolicy attributes
 vpn-filter value inside_access_in
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
!
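
As an added example, not taken from either device, the following Python script cross-checks the SRX and ASA configurations above: the traffic selectors and the SRX source-NAT exemption are transcribed from them, while the checks themselves (selector mirroring and NAT-exemption coverage) are added here. Both sides negotiate 3DES, MD5 and DH group 2, which are legacy settings.

```python
"""Cross-check the SRX and ASA halves of the site-to-site VPN above.
Added example, not from either device: the selectors, the SRX source-NAT
exemption and the peers are transcribed from the two configs. It asks
whether each side's (local, remote) traffic selector is mirrored on the
other (a policy-based tunnel whose selectors do not mirror fails phase 2
with a proxy-ID mismatch) and whether the SRX 'source-nat off' rule
covers every remote subnet, so VPN traffic is not hidden behind the
interface address before it reaches the tunnel."""
from ipaddress import ip_network

# SRX: each policy that permits 'tunnel ipsec-vpn Vpn1' outbound gives
# (local, remote); the Untrust-inbound pair policies are their mirrors.
SRX_SELECTORS = {
    ("192.168.0.0/16", "172.16.1.0/24"),   # Trust: local_lan -> ASA_lan
    ("10.0.2.0/24", "172.16.1.0/24"),      # Dmz2:  dmz2_lan  -> ASA_lan
}
SRX_NAT_EXEMPT = {"172.16.1.0/24"}         # rule Except: source-nat off

# ASA: crypto ACL outside_1_cryptomap = 172.16.1.0/24 -> object-group
# VPNSubnets, i.e. NLLan2 10.0.2.0/24 and NLLan 192.168.0.0/16.
ASA_SELECTORS = {
    ("172.16.1.0/24", "10.0.2.0/24"),
    ("172.16.1.0/24", "192.168.0.0/16"),
}

def normalize(selectors, swap=False):
    """Canonical prefix strings, optionally swapping local/remote."""
    pairs = set()
    for local, remote in selectors:
        loc, rem = str(ip_network(local)), str(ip_network(remote))
        pairs.add((rem, loc) if swap else (loc, rem))
    return pairs

def check_selectors(side_a, side_b):
    """Return selector pairs that exist on one side but are not mirrored."""
    return sorted(normalize(side_a) ^ normalize(side_b, swap=True))

def check_nat_exemption(selectors, exempt):
    """Return remote prefixes not fully inside any source-NAT 'off' match."""
    exempt_nets = [ip_network(e) for e in exempt]
    remotes = {ip_network(remote) for _, remote in selectors}
    return sorted(str(r) for r in remotes
                  if not any(r.subnet_of(e) for e in exempt_nets))

if __name__ == "__main__":
    print("unmirrored:", check_selectors(SRX_SELECTORS, ASA_SELECTORS))
    print("still NATed:", check_nat_exemption(SRX_SELECTORS, SRX_NAT_EXEMPT))
```

Both checks return an empty list for the two configs above; adding a subnet to VPNSubnets on the ASA without a matching SRX policy and NAT exemption makes them report it.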