Juniper SRX PPPoE Configuration

 未分类  No Responses »
11 月 072014
 

Summary:

This article provides Point-to-Point over Ethernet (PPPoE) configuration examples.

For other topics, go to the SRX Getting Started main page.

Problem or Goal:

Configure PPPoE.

Cause:

Solution:

This section contains the following:

Basic PPPoE Configuration Example

The following example illustrates a basic PPPoE configuration.

interfaces {
    fe-0/0/5 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                pap {
                    access-profile ppp-profile;
                    local-password "dkwoxslxqpz";##SECRET-DATA
                    local-name "username";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/5.0;
                auto-reconnect 10;
                client;
                idle-timeout 0;
            }
            family inet {
                negotiate-address;
                mtu 1492;
            }
        }
    }
}

Complete PPPoE and ADSL Configuration Example

The following example is a complete working configuration example using the following settings:

  • ADSL is the primary WAN interface in the untrust zone.
  • A 3G is the backup interface, monitoring the primary ADSL (at) interface.
  • A dialup interface (external modem) is used as a failover.
  • The at-1/0/0 and pp0.0 interfaces are in the untrust zone.
  • For pp0.0, point-to-point is configured.
  • PAP is configured using the passive option.
  • The PPPoE underlying-interface and client options are configured.
  • All Ethernet ports are in a single VLAN group with a DHCP server providing service.
  • A default route to the DSL interface is configured.
  • Source NAT is enabled.
system {
    host-name SRX210;
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
	telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
	    domain-name jnpr.net;
            router {
                192.168.0.1;
            }
            pool 192.168.0.0/24 {
                address-range low 192.168.0.100 high 192.168.0.199;

            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    interface-range interfaces-trust {
	member ge-0/0/0;
        member ge-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    cl-0/0/8 {
        traceoptions {
            flag all;
        }
        modem-options {
            init-command-string "AT&C1";
        }
        dialer-options {
            pool 1 priority 23;
        }
    }
    dl0 {
        unit 0 {
            family inet {
                negotiate-address;
            }
            dialer-options {
                pool 1;
                dial-string 1234;
            }
        }
    }
    at-1/0/0 {
        encapsulation ethernet-over-atm;
        atm-options {
            vpi 0;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            encapsulation ppp-over-ether-over-atm-llc;
            vci 0.35;
            backup-options {
                interface dl0.0;
            }
        }
    }
    pp0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            point-to-point;
            ppp-options {
                pap {
                    default-password "$9$/Gav9u1RhrK871RNds2UDCtu1hr"; ## SECRET-DATA
                    local-name "phadu@sbcglobal.net";
                    local-password "$9$hWLceWLxdwgJWLZUHqzFSreWxd"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface at-1/0/0.0;
                client;
            }
            no-keepalives;
            family inet {
                negotiate-address;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
}
routing-options {
    static {
	route 0.0.0.0/0 next-hop pp0.0 metric 0;
        route 0.0.0.0/0 next-hop dl0.0;
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
		at-1/0/0.0;
                pp0.0;
		dl0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
poe {
    interface all;
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

Another configuration example is KB15347 – What will be the configuration for PPPoE over ATM on an ADSL interface?.

Technical Documentation

Interface Encapsulation Feature Guide for Security Devices

Troubleshooting

Use the show interfaces interface_name extensive command to review state and history information for the at and pp interfaces. For example:
user@host> show interfaces at-1/0/0 extensive
user@host> show interfaces pp0 extensive

ADSL interface modules have LEDs that show sync and traffic status. For more information, see http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/specifications/mini-pim-adsl2-srx-series-leds.html.

Purpose:

Implementation

Related Links:

Configure J-Series/SRX for dual ISP without dynamic routing protocols

 未分类  No Responses »
11 月 072014
 

Summary:

This article contains a sample configuration for J-Series and SRX Branch with dual ISP connection. This will allow for ISP failover without dynamic routing protocols such as OSPF or BGP.

Problem or Goal:

Topology Assumptions Trust zone network is 192.168.1.0/24 on ge-0/0/0
DMZ zone network is 10.10.10.0/24 on ge-0/0/1

ISP1 zone network is 1.1.1.0/29 on fe-0/0/6
ISP2 zone network is 2.2.2.0/29 on fe-0/0/7

Note:  ISP1 is in the default routing instance.  ISP2 is in the ISP2 routing instance.

Requirements

  • Trust and DMZ zones should egress out ISP1 with source-nat.
  • If ISP1 interface goes down, then Trust and DMZ zones should egress out ISP2 instead with source-nat.
  • If ISP1 interface returns, then Trust and DMZ zones should revert back to using ISP1 again.
  • ISP1 must allow destination NAT for web server in Trust zone and mail server in DMZ zone.
  • ISP2 also has destination NAT for same web and mail servers.
  • When both ISPs are up, destination NAT addresses should be available from both ISPs for both web and mail servers.

Cause:

Solution:

This is possible using a combination of multiple routing-instance with filter-based forwarding and qualified-next-hop on the default route. Below is a sample working configurations for above scenario.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.254/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.10.254/24;
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family inet {
                filter {
                    input isp1-in;
                }
                address 1.1.1.2/29;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                filter {
                    input isp2-in;
                }
                address 2.2.2.2/29;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet inside;
    }
    static {
        route 0.0.0.0/0 {
            next-hop 1.1.1.1;
            qualified-next-hop 2.2.2.1 {
                preference 10;
            }
        }
    }
    rib-groups {
        inside {
            import-rib [ inet.0 TRUST-VRF.inet.0 INSIDE.inet.0 ISP2.inet.0 ];
        }
    }
}
security {
    nat {
        source {
            rule-set interface-nat-out {
                from routing-instance INSIDE;
                to routing-instance [ ISP2 default ];
                rule interface-nat-out {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool web-server-trust {
                address 192.168.1.5/32 port 80;
            }
            pool mail-server-dmz {
                address 10.10.10.5/32 port 25;
            }
            rule-set isp1-to-trust {
                from interface fe-0/0/6.0;
                rule isp1-http-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.5/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server-trust;
                    }
                }
                rule isp1-mail-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.5/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool mail-server-dmz;
                    }
                }
            }
            rule-set isp2-to-dmz {
                from interface fe-0/0/7.0;
                rule isp2-http-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 2.2.2.5/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server-trust;
                    }
                }
                rule isp2-mail-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 2.2.2.5/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool mail-server-dmz;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/6.0 {
                address {
                    1.1.1.5/32;
                }
            }
            interface fe-0/0/7.0 {
                address {
                    2.2.2.5/32;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address web-server 192.168.1.5/32;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone dmz {
            address-book {
                address mail-server 10.10.10.5/32;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone isp1 {
            interfaces {
                fe-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone isp2 {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone dmz {
            policy allow-trust-to-dmz {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone isp1 {
            policy allow-trust-out-isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone isp2 {
            policy allow-trust-out-isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone trust {
            policy allow-dmz-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone isp1 {
            policy allow-dmz-out-isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone isp2 {
            policy allow-dmz-out-isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp1 to-zone trust {
            policy isp1-http-incoming {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp1 to-zone dmz {
            policy isp1-mail-incoming {
                match {
                    source-address any;
                    destination-address mail-server;
                    application junos-mail;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp2 to-zone trust {
            policy isp2-http-incoming {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp2 to-zone dmz {
            policy isp2-mail-incoming {
                match {
                    source-address any;
                    destination-address mail-server;
                    application junos-mail;
                }
                then {
                    permit;
                }
            }
        }
    }
}
firewall {
    filter isp1-in {
        term 1 {
            from {
                destination-address {
                    1.1.1.0/29;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then {
                accept;
            }
        }
    }
    filter isp2-in {
        term 1 {
            from {
                destination-address {
                    2.2.2.0/29;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then {
                accept;
            }
        }
    }
}
routing-instances {
    TRUST-VRF {
        instance-type forwarding;
        routing-options {
            static {
                route 192.168.1.0/24 next-hop 192.168.1.1;
                route 10.10.10.0/24 next-hop 10.10.10.1;
            }
        }
    }
    INSIDE {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
    ISP2 {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 2.2.2.1;
                    qualified-next-hop 1.1.1.1 {
                        preference 10;
                    }
                }
            }
        }
    }
}

相关引用:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15545

Dynamic VPN对访问J-Web的影响

 未分类  No Responses »
11 月 072014
 

SRX240开启Dynamic VPN后无法访问J-Web的处理

目的:保持J-Web和Dynamic VPN使用独立的物理接口

访问http://192.168.192.1/或https://192.168.192.1/都自动跳转到https://192.168.192.1/dynamic-vpn/index.php

username@SRX240H2# show system services
ssh;
telnet;
xnm-clear-text;
web-management {
    http {
        interface [ vlan.0 vlan.1 vlan.2 ];
    }
    https {
        system-generated-certificate;
    }
}
dhcp {
    router {
        192.168.192.1;
    }
    pool 192.168.192.0/22 {
        address-range low 192.168.192.10 high 192.168.192.19;
    }
    propagate-settings ge-0/0/0.0;
}

[edit]
username@SRX240H2#

修改

set system services web-management management-url <path>

set system services web-management management-url consle

username@SRX240H2# show system services
ssh;
telnet;
xnm-clear-text;
web-management {
    management-url console;
    http {
        interface [ vlan.0 vlan.1 vlan.2 ];
    }
    https {
        system-generated-certificate;
    }
}
dhcp {
    router {
        192.168.192.1;
    }
    pool 192.168.192.0/22 {
        address-range low 192.168.192.10 high 192.168.192.19;
    }
    propagate-settings ge-0/0/0.0;
}

[edit]
username@SRX240H2#

火狐浏览器无法正常显示页面
juniper-srx240h2-jweb-dynamic-vpn-01 juniper-srx240h2-jweb-dynamic-vpn-02 juniper-srx240h2-jweb-dynamic-vpn-03

http://kb.juniper.net/InfoCenter/index?page=content&id=KB19411

Juniper SRX240H2 Source NAT配置

 未分类  No Responses »
11 月 052014
 

默认SNAT规则

username@SRX240H2# show security nat source
rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule source-nat-rule {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

新增SNAT规则(内网主机访问外网使用IP地址
新增地址池

pool SNAT_100_165 {
    address {
        113.106.100.165/32;
    }
}

新增规则

    rule single-ip-nat {
        match {
            source-address 192.168.153.110/22;
        }
        then {
            source-nat {
                pool {
                    SNAT_100_165;
                }
            }
        }
    }

调整SNAT规则顺序

username@SRX240H2# insert rule single-ip-nat before rule source-nat-rule

查看SNAT配置

username@SRX240H2# show security nat source
pool SNAT_100_165 {
    address {
        113.106.100.165/32;
    }
}
rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule single-ip-nat {
        match {
            source-address 192.168.153.110/22;
        }
        then {
            source-nat {
                pool {
                    SNAT_100_165;
                }
            }
        }
    }
    rule source-nat-rule {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

查看和验证

username@SRX240H2# run show security nat source summary
Total port number usage for port translation pool: 645120
Maximum port number for port translation pool: 67108864
Total pools: 10
Pool                 Address                  Routing              PAT  Total
Name                 Range                    Instance                  Address
SNAT_100_165         113.106.100.165-113.106.100.165 default           yes  1
SNAT_100_164         113.106.100.164-113.106.100.164 default           yes  1
SNAT_100_196         113.106.100.196-113.106.100.196 default           yes  1
SNAT_100_197         113.106.100.197-113.106.100.197 default           yes  1
SNAT_100_198         113.106.100.198-113.106.100.198 default           yes  1
SNAT_100_199         113.106.100.199-113.106.100.199 default           yes  1
SNAT_100_200         113.106.100.200-113.106.100.200 default           yes  1
SNAT_100_201         113.106.100.201-113.106.100.201 default           yes  1
SNAT_100_202         113.106.100.202-113.106.100.202 default           yes  1
SNAT_100_203         113.106.100.203-113.106.100.203 default           yes  1

Total rules: 2
Rule name          Rule set       From              To                   Action
single-ip-nat      trust-to-untrust trust           untrust              SNAT_100_165
source-nat-rule    trust-to-untrust trust           untrust              interface

[edit]
username@SRX240H2#

Juniper SRX240H2 Dynamic VPN 配置

 未分类  No Responses »
11 月 032014
 

Juniper SRX240H2 JunOS 11.4R7.5

Configuring the Remote User Authentication and Address Assignment

1,Create the address assignment pool.

[edit access address-assignment]
user@host# set pool dyn-vpn-address-pool family inet network 10.10.10.0/24
user@host# set pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32

2,Configure the XAuth profile.

[edit access]
user@host# set profile dyn-vpn-access-profile client client1 firewall-user password "$9$uY4o0EyMWxdwgX7"
user@host# set profile dyn-vpn-access-profile client client2 firewall-user password "$9$neNM9CuB1hyrv5Q39"
user@host# set profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool

3,Configure Web authentication using the XAuth profile.

[edit access firewall-authentication]
user@host# set web-authentication default-profile dyn-vpn-access-profile

Configuring the VPN Tunnel

1,Configure the IKE policy.

[edit security ike]
user@host# set policy ike-dyn-vpn-policy mode aggressive
user@host# set policy ike-dyn-vpn-policy proposal-set standard
user@host# set policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$KHxWXNs2aikPdbkP5Q9CKM8"

2,Configure the IKE gateway.

[edit security ike]
user@host# set gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
user@host# set gateway dyn-vpn-local-gw dynamic hostname dynvpn
user@host# set gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
user@host# set gateway dyn-vpn-local-gw dynamic connections-limit 10
user@host# set gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
user@host# set gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

3,Configure IPsec.

[edit security ipsec]
user@host# set policy ipsec-dyn-vpn-policy proposal-set standard
user@host# set vpn dyn-vpn ike gateway dyn-vpn-local-gw
user@host# set vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy

4,Configure the security policy.

[edit security policies from-zone untrust to-zone trust]
user@host# set policy dyn-vpn-policy match source-address any destination-address any application any
user@host# set policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn

5,Configure host inbound traffic.(https ike)

[edit security zones security-zone untrust interfaces ge-0/0/15.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh

Associate the Dynamic VPN with Remote Clients

1,Specify the access profile to use with dynamic VPN.

[edit security dynamic-vpn]
user@host# set access-profile dyn-vpn-access-profile

2,Configure the clients who can use the dynamic VPN.

[edit security dynamic-vpn]
user@host# set clients all ipsec-vpn dyn-vpn
user@host# set clients all user client1
user@host# set clients all user client2
user@host# set clients all remote-protected-resources 10.0.0.0/8
user@host# set clients all remote-exceptions 0.0.0.0/0

juniper-srx240h2-dynamic-vpn-01

 

 

验证:

juniper-srx240h2-dynamic-vpn-02 juniper-srx240h2-dynamic-vpn-03 juniper-srx240h2-dynamic-vpn-04 juniper-srx240h2-dynamic-vpn-05

客户端配置:

juniper-srx240h2-dynamic-vpn-06 juniper-srx240h2-dynamic-vpn-07

juniper-srx240h2-dynamic-vpn-08

相关引用:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/example/vpn-security-dynamic-example-configuring.html

停止nrpe服务在xinetd下的日志输出

 未分类  No Responses »
10 月 312014
 

查看系统日志,发现大量xinetd下nrpe日志

[root@localhost ~]# less /var/log/messages
 Oct 31 11:49:30 localhost xinetd[9646]: START: nrpe pid=10372 from=::ffff:192.168.153.110
 Oct 31 11:49:30 localhost xinetd[9646]: EXIT: nrpe status=0 pid=10372 duration=0(sec)
 Oct 31 11:51:15 localhost xinetd[9646]: START: nrpe pid=10642 from=::ffff:192.168.153.110
 Oct 31 11:51:15 localhost xinetd[9646]: EXIT: nrpe status=0 pid=10642 duration=0(sec)

修改配置文件,禁用成功状态下的日志

[root@localhost ~]# vi /etc/xinetd.conf
 # Define general logging characteristics.
                log_type        = SYSLOG daemon info
                log_on_failure  = HOST
 #              log_on_success  = PID HOST DURATION EXIT

nrpe-xinetd-log-disable

重新服务xinetd后再次查看日志,不再出现nrpe相关日志

Oct 31 11:52:05 localhost xinetd[9646]: Exiting...
Oct 31 11:52:05 localhost xinetd[10785]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Oct 31 11:52:05 localhost xinetd[10785]: Started working: 1 available service

Juniper SRX远程SSH性能故障分析

 未分类  No Responses »
10 月 312014
 

Oct 30 09:44:57  SRX240H2 sshd[31743]: Received disconnect from 60.173.26.173: 11: Normal Shutdown, Thank you for

playing
Oct 30 09:44:57  SRX240H2 sshd[31742]: Received disconnect from 60.173.14.143: 11: Normal Shutdown, Thank you for

playing
Oct 30 09:44:57  SRX240H2 /kernel: nearing maxproc limit by uid 0, please see tuning(7) and login.conf(5).
Oct 30 09:44:57  SRX240H2 /kernel: Process with Most Children- 1356:inetd – Children – 75

Oct 30 10:30:13  SRX240H2 /kernel: nearing maxproc limit by uid 0, please see tuning(7) and login.conf(5).
Oct 30 10:30:13  SRX240H2 /kernel: Process with Most Children- 1356:inetd – Children – 74
Oct 30 10:30:13  SRX240H2 sshd[39713]: Failed password for root from 60.173.14.143 port 11945 ssh2
Oct 30 10:30:13  SRX240H2 sshd: SSHD_LOGIN_FAILED: Login failed for user ‘root’ from host ‘60.173.26.173’
Oct 30 10:30:13  SRX240H2 sshd[39748]: Received disconnect from 60.173.14.143: 11: Normal Shutdown, Thank you for

playing
Oct 30 10:30:13  SRX240H2 sshd: SSHD_LOGIN_FAILED: Login failed for user ‘root’ from host ‘60.173.14.143’

Oct 30 16:38:17  SRX240H2 sshd[6327]: Received disconnect from 60.173.26.173: 11: Normal Shutdown, Thank you for

playing
Oct 30 16:38:17  SRX240H2 sshd[6321]: Failed password for  from 222.186.58.204 port 1911 ssh2
Oct 30 16:38:17  SRX240H2 sshd: SSHD_LOGIN_FAILED: Login failed for user ” from host ‘222.186.58.204’
Oct 30 16:38:18  SRX240H2 sshd[6329]: Received disconnect from 60.173.14.143: 11: Normal Shutdown, Thank you for

playing
Oct 30 16:38:18  SRX240H2 sshd[6325]: Failed password for root from 60.173.26.173 port 30298 ssh2
Oct 30 16:38:18  SRX240H2 sshd: SSHD_LOGIN_FAILED: Login failed for user ‘root’ from host ‘60.173.26.173’
Oct 30 16:38:18  SRX240H2 sshd[6323]: failed to copy /var/db/login-attempts+ to /var/db/login-attempts

juniper-srx-attack-ssh-01 juniper-srx-attack-ssh-02 juniper-srx-attack-ssh-03 juniper-srx-attack-ssh-04 juniper-srx-attack-ssh-05

Cacti Web安装过程错误分析

 未分类  No Responses »
10 月 292014
 

安装cacti过程中,由于未导入数据库,而直接在浏览器中请求cacti页面导致的错误日志

[Wed Oct 29 23:15:26 2014] [error] [client 113.118.48.124] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 523800 bytes) in /usr/local/cacti/lib/adodb/adodb.inc.php on line 833
[Wed Oct 29 23:15:34 2014] [error] [client 113.118.48.124] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 523800 bytes) in /usr/local/cacti/lib/adodb/adodb.inc.php on line 833
[Wed Oct 29 23:16:49 2014] [error] [client 113.118.48.124] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 523800 bytes) in /usr/local/cacti/lib/adodb/adodb.inc.php on line 833
[Wed Oct 29 23:17:01 2014] [error] [client 113.118.48.124] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 523800 bytes) in /usr/local/cacti/lib/adodb/adodb.inc.php on line 833

执行以下操作后再次访问cacti安装页面

mysql -u root -ppasswd cacti < /usr/local/cacti/cacti.sql

使用check_multipath.pl检测多路径状态

 未分类  No Responses »
10 月 292014
 

检测多路径数量状态
[root@rtmp01 libexec]# ./check_multipath.pl -m 1 -o 2
OK
LUN mpathc: 2/2.
[root@rtmp01 libexec]#

执行multipath需root权限

修改NRPE配置文件
# command_prefix=/usr/bin/sudo
command_prefix=/usr/bin/sudo

修改sudoer配置文件
#Defaults    requiretty

nagios  ALL=(ALL)       NOPASSWD: ALL

保持nagios用户为可登录状态
/etc/passwd
/bin/bash

错误分析一
[root@monitor libexec]# ./check_nrpe -H 192.168.155.114 -c check_multipath

ERROR: Command failed, ‘sudo’ not configured for command: ‘/sbin/multipath -l’? |Host: rtmp01|
[root@monitor libexec]#

错误分析二
[root@monitor libexec]# ./check_nrpe -H 192.168.155.114 -c check_multipath
NRPE: Unable to read output
[root@monitor libexec]# ./check_nrpe -H 192.168.155.114 -c check_multipath
OK<br/>LUN mpathc: 2/2.<br/>
[root@monitor libexec]#

定义命令
command[check_multipath]=/usr/local/nagios/libexec/check_multipath.pl -m 1 -o 2

定义服务
define service{
use                             generic-service
host_name                       rtmp01
service_description             Multipath Status
check_command                   check_nrpe!check_multipath
}

Linux下查看CPU物理逻辑及核心数量

 未分类  No Responses »
10 月 292014
 

Intel(R) Xeon(R) CPU E5-2603 v2 @ 1.80GHz

物理处理器数量
[harveymei@monitor ~]$ cat /proc/cpuinfo |grep “physical id”|sort |uniq|wc -l
1
逻辑处理器数量(包括多核和多线程)
[harveymei@monitor ~]$ cat /proc/cpuinfo |grep “processor”|wc -l
4
物理核心数量
[harveymei@monitor ~]$ cat /proc/cpuinfo |grep “cores”|uniq
cpu cores       : 4
[harveymei@monitor ~]$

 Older Entries  Newer Entries