Enter into ROM monitor mode

When the router boots interrupt the boot sequence by pressing [CTRL] + [BREAK] and you should see something like this

Self decompressing the image :
##############
monitor: command "boot" aborted due to user interrupt
rommon 1 >

Now we’re inside the ROM monitor mode.

Change the configuration register

Change the configuration register to 0×2142 so that the device ignores the NVRAM contents and reboot it.

rommon 1 > confreg 0x2142
rommon 2 > reset

Copy the startup configuration

After the device reboots the running configuration doesn’t have anything but the bare minimal settings. Now you should copy the startup configuration so that you can modify the password in it.

Router>enable
Router#copy startup-config running-config

Reset the required password

Enter the command to reset the password you forgot. If you used local authentication

R0(config)#username jesin secret passwd

The above command will reset the password of the user “jesin”, if such a user doesn’t exist a new user is created by that name.

To reset an enable password or secret

R0(config)#enable password newpwd
R0(config)#enable secret newpwd

Reset a console password

Router(config)#line console 0
Router(config-line)#password newconsolepw

Reset a telnet password

Router(config)#line vty 0 4
Router(config-line)#password newtelnetpw

Save the running configuration

Make sure the changes made to the passwords are saved in the running configuration

Router#copy running-config startup-config

Reset the Configuration Register and reload

Now that the work is over reset the configuration register to its original value

Router(config)#config-register 0x2102

Now reboot the Cisco device.

The Hub and Spoke network topology is shown below

Only the FrameRelaySwtich configuratiuon will be explained in this article

As noted above the Hub and Spoke routers are DTEs and the FrameRelaySwitch Router is DCE. The commands are as follows

FrameRelaySwitch>enable
FrameRelaySwitch#configure terminal
FrameRelaySwitch(config)#frame-relay switching

FrameRelaySwitch(config)#interface serial 0/0
FrameRelaySwitch(config-if)#encapsulation frame-relay
FrameRelaySwitch(config-if)#frame-relay intf-type dce
FrameRelaySwitch(config-if)#clock rate 56000
FrameRelaySwitch(config-if)#frame-relay route 102 interface serial 0/1 201
FrameRelaySwitch(config-if)#frame-relay route 103 interface serial 0/2 301
FrameRelaySwitch(config-if)#no shutdown
FrameRelaySwitch(config-if)#exit

FrameRelaySwitch(config)#interface serial 0/1
FrameRelaySwitch(config-if)#encapsulation frame-relay
FrameRelaySwitch(config-if)#frame-relay intf-type dce
FrameRelaySwitch(config-if)#clock rate 56000
FrameRelaySwitch(config-if)#frame-relay route 201 interface serial 0/0 102
FrameRelaySwitch(config-if)#no shutdown
FrameRelaySwitch(config-if)#exit

FrameRelaySwitch(config)#interface serial 0/2
FrameRelaySwitch(config-if)#encapsulation frame-relay
FrameRelaySwitch(config-if)#frame-relay intf-type dce
FrameRelaySwitch(config-if)#clock rate 56000
FrameRelaySwitch(config-if)#frame-relay route 301 interface serial 0/0 103
FrameRelaySwitch(config-if)#no shutdown
FrameRelaySwitch(config-if)#exit

Now check the frame relay route by typing the following command in the privilege mode

FrameRelaySwitch#show frame-relay route

The following table is displayed

Initially the status is shown as inactive because the Hub and Spoke routers are yet to be configured, after configuration the status must be active. Configure the Hub and Spoke routers as outlined in the previous article.

The topology of this lab is shown below

The DCE end of the serial cable should be connected to the frame relay switch.

Frame Relay Switch Configuration

Configure the serial interfaces of the Frame Relay switch as follows

Serial0

Serial1

Serial2

Select the frame relay tab and create the following links

Configure the routers

The configuration of each router is shown below

Router0 (Hub)

R0>enable
R0#configure terminal
R0(config)#interface Serial 2/0
R0(config-if)#no shutdown
R0(config-if)#encapsulation frame-relay
R0(config-if)#exit
R0(config)#interface Serial 2/0.102 point-to-point
R0(config-subif)#ip address 1.1.1.1 255.255.255.252
R0(config-subif)#frame-relay interface-dlci 102
R0(config-subif)#exit
R0(config)#interface Serial 2/0.103 point-to-point
R0(config-subif)#ip address 1.1.1.5 255.255.255.252
R0(config-subif)#frame-relay interface-dlci 103

Router1 (Spoke)

R1>enable
R1#configure terminal
R1(config)#interface Serial 2/0
R1(config-if)#no shutdown
R1(config-if)#encapsulation frame-relay
R1(config-if)#exit
R1(config)#interface Serial 2/0.201 point-to-point
R1(config-subif)#ip address 1.1.1.2 255.255.255.252
R1(config-subif)#frame-relay interface
R1(config-subif)#frame-relay interface-dlci 201

Router2 (Spoke)

R2>enable
R2#configure terminal
R2(config)#interface Serial 2/0
R2(config-if)#no shutdown
R2(config-if)#encapsulation frame-relay
R2(config-if)#exit
R2(config)#interface Serial 2/0.301 point-to-point
R2(config-subif)#ip address 1.1.1.6 255.255.255.252
R2(config-subif)#frame-relay interface-dlci 301

Configure routing on the spoke routers

Unless routing is configured the spoke routers cannot communicate among themselves. You can use any routing protocols. For this tutorial I will use static routing

Router1

R1(config)#ip route 1.1.1.4 255.255.255.252 1.1.1.1

Router2

R2(config)#ip route 1.1.1.0 255.255.255.252 1.1.1.5

Ping the routers to test connectivity among themselves.

Fedora/Red Hat/CentOS PPTP Client Installation

Install the pptp client

yum install pptp

Debian/Ubuntu PPTP Client Installation

Use the apt-get command

apt-get install pptp-linux

Configuring VPN credentials and server settings

Edit the following file and enter your VPN username and password

vi /etc/ppp/chap-secrets

The syntax of the file is as follows

DOMAIN\\username      PPTP      vpnpassword     *

For example to configure a user named jesin on example.com with pass1 as the password enter

EXAMPLE\\jesin        PPTP      pass1           *

If your VPN network doesn’t come under a domain replace DOMAIN with your VPNSERVER name.

Next is to configure the VPN server settings. Create and edit a new file under the peers directory

vi /etc/ppp/peers/vpnconnection1

Add content according to the syntax below

pty "pptp vpn-server-hostname-or-ip-address --nolaunchpppd"
name DOMAIN\\username
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam vpnconnection1

Here “DOMAIN\\username” is the same as the one entered in the chap-secrets file. The ipparam should contain the name of the newly created file, in this case it is “vpnconnection1″

Adding a route to the routing table

All traffic for the VPN network should pass through the VPN interface so an entry has to be added to the routing table. To automatically add an entry whenever a VPN connection is established create and edit the following file

vi /etc/ppp/ip-up.d/vpn1-route

Add the following content

#!/bin/bash
route add -net 10.0.0.0/8 dev ppp0

Make the file executable

chmod +x /etc/ppp/ip-up.d/vpn1-route

Testing the connection

To connect using the newly created VPN connection use the following command

pppd call vpnconnection1

Take a peek into the messages log file using the following command

tail -f /var/log/messages

you should see something similar to this

Nov 27 13:46:20 server1 kernel: [ 800.071028] PPP generic driver version 2.4.2
Nov 27 13:46:20 server1 pppd[1083]: pppd 2.4.5 started by root, uid 0
Nov 27 13:46:20 server1 pppd[1083]: Using interface ppp0
Nov 27 13:46:20 server1 pppd[1083]: Connect: ppp0 /dev/pts/0
Nov 27 13:46:25 server1 pppd[1083]: CHAP authentication succeeded
Nov 27 13:46:25 server1 kernel: [ 804.683790] padlock: VIA PadLock Hash Engine not detected.
Nov 27 13:46:25 server1 kernel: [ 804.687408] PPP MPPE Compression module registered
Nov 27 13:46:25 server1 pppd[1083]: MPPE 128-bit stateless compression enabled
Nov 27 13:46:26 server1 pppd[1083]: local IP address 10.0.0.11
Nov 27 13:46:26 server1 pppd[1083]: remote IP address 10.0.0.12

Try pinging a system in the VPN network and you should get proper replies.

Disconnecting the connection

To disconnect the PPTP VPN connection use the killall command

killall pppd

1. Configure IP addresses on the VPN server
2. Join the VPN server to the domain
3. Install Network Policy and Access Server Role
4. Configure Routing and Remote Access
5. Allow users to login via VPN
6. Setup a VPN connection on the remote client PC

The network topology used in this setup is shown below

Configure IP addresses on the VPN Server

The VPN server will have two interfaces, private and public with the following IP configuration

private
IP address – 10.0.0.1
Subnet Mask – 255.0.0.0
Preferred DNS – 10.0.0.2 (Assuming DNS runs on the Active Directory Server)

public
Obtain the public IP information from your ISP (Internet Service Provider)

Join the VPN server to the domain

Right Click computer -> Properties -> Change Settings -> Change -> Select Domain and enter your domain name you’ll be asked for credentials enter them also and reboot.

Install Network Policy and Access Server Role

Login to the VPN server as the administrator, go to Start -> Administrative Tools -> Server Manager. Click Add Roles and Check “Network Policy and Access Server”

In the role services section check “Routing and Remote Access”

Confirm your selections and install.

Configure Routing and Remote Access

After installation Go to Start -> Run and type rrasmgmt.msc. In the console that opens right click your server name and click “Configure and Enable Routing and Remote Access”

In the Wizard that appears click Next and Select Custom Configuration

Select the Check Box VPN access

Click Next -> Finish. In the message box that appears click “Start Service”. If you have a DHCP server configured in the network in the same subnet you can go ahead with the final step.

Networks which have a DHCP server in a different subnet, should have the DHCP relay agent configured. Expand IPv4 -> right click DHCP relay agent and go to properties

In the window that appears enter the IP address of the DHCP server. The appropriate DHCP scope should be configured in the DHCP server.

If your network doesn’t have a DHCP server the VPN server itself can assign IP addresses to VPN clients. Right click your Server name -> properties -> IPv4 tab -> select “static address pool” -> click Add. Enter the start and end IP ranges.

Allow users to login via VPN

On the Active Directory Server go to Start -> Administrative Tools -> Active Directory Users and Computers -> Right Click the properties of an user -> Dial-In tab and click “Allow access”

Setup a VPN connection on the remote client PC

On the VPN client PC go to start -> Run and type ncpa.cpl, open “New Connection Wizard”, in the wizard that appears click next and select “Connect to the network at my workplace”

In the next step select Virtual Private Network Connection.

Enter a company name which is used to name the connection and in the final step enter the IP address of the PUBLIC IP address of the VPN server. After the connection is created enter the username and password of a user in the active directory database and click connect.

Here is the entire code for a horizontal drop down menu

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CSS Menu</title>
<style type="text/css">
ul#navbar {
list-style-type: none;
margin: 0;
padding: 0;
}
ul#navbar li {
float: left;
border: 1px solid black;
text-align: center;
}
ul#navbar a {
background-color: #CCC;
color: #000;
text-decoration: none;
display: block;
width: 120px;
padding: 4px;
}
ul#navbar a:hover {
background-color: #CFF;
text-decoration: underline;
}
ul#navbar ul {
display: none;
list-style-type: none;
}
ul#navbar li:hover ul {
display: block;
position: absolute;
margin: 0;
padding: 0;
}
ul#navbar li:hover li {
float: none;
}
</style>
</head>
<body>
<ul id="navbar">
<li><a href="#">Home</a></li>
<li><a href="#">Parent 1</a>
<ul>
<li><a href="#">Child 1</a></li>
<li><a href="#">Child 2</a></li>
<li><a href="#">Child 3</a></li>
</ul></li>
<li><a href="#">Parent 2</a>
<ul>
<li><a href="#">Child 1</a></li>
<li><a href="#">Child 2</a></li>
<li><a href="#">Child 3</a></li>
</ul></li>
</ul>
</body>
</html>

Notice the DOCTYPE declaration at the beginning, without this the code will not work in Internet Explorer. See a live demo

CSS Horizontal drop down menu DEMO

• Configuring the Timezone
• Selecting locales
• Creating a sudo user
• Securing SSH
• Adding firewall rules

The first task is to update the apt database and check if any installed packages can be upgraded.

apt-get update && apt-get upgrade

Configuring the Timezone

The dpkg-reconfigure command is used to reconfigure the timezone

dpkg-reconfigure tzdata

Selecting locales

The same dpkg-reconfigure is used to select the locales too.

dpkg-reconfigure locales

Creating a sudo user

Using a production server as a root user is the most dangerous thing you can do. So create a normal user and add it to the list of sudoers.

useradd --shell /bin/bash username
passwd username
visudo

Now add the following line to the end of this file

username ALL=(ALL) ALL

Securing SSH

To secure SSH the default port 22 has to be changed and root user login via SSH has to be disabled. Open the SSH configuration

vi /etc/ssh/sshd_config

and edit the following

Port 22

change this to any number between 49152 and 65535

Port 53474

Also search for

PermitRootLogin yes

and change this to

PermitRootLogin no

For the changes to take place you have to restart the SSH service. If you’ve been doing all these things via SSH you should add the exit command so that the current SSH session closes.

/etc/init.d/ssh restart && exit

Reconnect to the server as the newly created sudo user through the new port.

ssh username@servername -p 53474

Now whenever you want to execute commands as root add the word “sudo” to the beginning of the command

Adding firewall rules

A server becomes to attack vulnerable if it allows access to all open ports in the system, so configuring the firewall is very crucial. Most new Debian installations have no firewall rules. But it is better to flush all rules. Since you’re logged in as the sudo user add the word sudo before each command

sudo iptables -F

Now lets add the rules

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT ! -i lo -d 127.0.0.1/8 -j REJECT
sudo iptables -N MYRULES
sudo iptables -A INPUT -j MYRULES
sudo iptables -A MYRULES -m state --state NEW -p tcp --dport 53474 -j ACCEPT
sudo iptables -A MYRULES -m state --state NEW -p tcp --dport 80 -j ACCEPT
sudo iptables -A MYRULES -m state --state NEW -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -j DROP

You can probably replace “DROP” in the last line with “REJECT” but I personally prefer “DROP” because when you reject packets the system sends the rejected packets back which might , but “DROP” just ignores the packets. The rules above drop icmp packets also which means you won’t get any reply if you ping the server. If you want the the server to reply to incoming pings execute the following command also

sudo iptables -A MYRULES -p icmp -m icmp --icmp-type 8 -j ACCEPT

Anymore rules you want to add can be appended to the MYRULES table. Time to save the rules and make sure they load when the server reboots

iptables-save > /etc/iptables.rules
sudo vi /etc/network/if-pre-up.d/firewall

Add the following lines to this file

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules

Save the file and make it executable

sudo chmod +x /etc/network/if-pre-up.d/firewall

Conclusion

This is just the basic setup guide for a Debian server, expect to see more articles on setting up other flavors of Linux and advanced guides on setting up network services. Here is an interactive shell script coded by me which automates all the processes outlined above.

Download unmanaged Debian VPS/Dedicated server basic setup script

To use this script upload it to your server, login as the root user

chmod +x /path/to/script/unmanaged-debian-server-basic-setup.sh
/path/to/script/unmanaged-debian-server-basic-setup.sh

I tested the script with the following Linux flavors

• Debian 6 (Squeeze): This script works perfectly
• Debian 5 (Lenny): Except setting up locales everything works
• Ubuntu 11.04 (Natty Narwhal): Except locales everything works

This script was tested on a Rackspace cloud server and a Virtual Machine in VMware player. It should work on all VPSes and dedicated servers if you’re facing any problems please write about it in the comment form or contact me.

Installing msmtp

To install msmtp on Red Hat/CentOS/Fedora type of distributions

yum install msmtp

To install msmtp on Debian/Ubuntu type of distributions

apt-get install msmtp

Configuring msmtp with Gmail and Yahoo

Create or edit the msmtp configuration file in the user’s home directory. I use VI editor to achieve this

vi ~/.msmtprc

Add the following lines to the file, it configures msmtp for both Gmail and Yahoo

account yahoo
tls on
tls_starttls off
auth on
host smtp.mail.yahoo.com
user user1
from user1@yahoo.com
password ******

account gmail
tls on
auth on
host smtp.gmail.com
port 587
user user1@gmail.com
from user1@gmail.com
password ******

Since the file contains sensitive data like passwords you should assign secure permissions

chmod 600 ~/.msmtprc

Testing msmtp

First create a text file containing an email

vi demo_email

From: Jesin <jesin@example.com>
To: Bob <bob@domain.com>
Subject: Hello World
Email sent using MSMTP

To send this email via gmail

cat demo_email | msmtp -a gmail bob@domain.com

To send this email via yahoo

cat demo_email | msmtp -a yahoo bob@domain.com

Using msmtp with PHP mail()

Here comes the juicy part of the tutorial how to use msmtp to send email via PHP’s mail() function. Place the msmtp configuration file in a common place

cp ~/.msmtprc /etc/msmtprc

Change the ownership of the so that username under which the web server process is running can read the file. You should check this with the documentation of your web server software. I’m specifying the settings for Apache running on Red Hat/CentOS/Fedora

chown apache /etc/msmtprc
chmod 600/etc/msmtprc

For Apache on Debian/Ubuntu

chown www-data /etc/msmtprc
chmod 600 /etc/msmtprc

Edit the php configuration file. The path of the file varies according to the server API (mod_php, fastCGI etc), so view the contents of phpinfo() and look for “Loaded Configuration file” and edit it. The following is the location of php.ini in a FastCGI environment

vi /etc/php5/cgi/php.ini

Search and edit the sendmail_path

sendmail_path = "/usr/bin/msmtp -C /etc/msmtprc -a yahoo -t"

You can replace yahoo with gmail. Save the file and reload your web server software

Create a php file demo_mail.php with the following contents to test the configuration inside your web server’s document root

<?php
mail("bob@domain.com","Hello World","Email sent using PHP via msmtp");
?>

Open this file by accessing it via URL and the email should be sent. If the mail is not sent take a look at your web server’s error log.

Sometimes you might encounter the following errors in your web server’s error log

msmtp: /etc/msmtprc: must have no more than user read/write permissions

This is because the msmtp configuration file isn’t chmoded properly and can be read by users other than the owner. So do the following

chmod 600 /etc/msmtprc

If you encounter some other errors post them in the comment form.

First view the list of rules in IPtables

iptables -L

If its a new installation there will be no rules. So add some firewall rules, the following rules will allow HTTP, HTTPS, FTP, SMTP, SSH incoming connections and rejects all other incoming connections including ICMP ping packets.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j REJECT

View the firewall rules once more

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Write these rules to a file using the following command.

iptables-save > /etc/iptables.rules

Now each time Debian boots iptables-restore command has to be called with these rules, so create and edit a new file as shown below. This file does NOT exist and you have to create it. I’m using VI editor to edit it

vi /etc/network/if-pre-up.d/firewall

Add the following text to that file

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules

Save the file and grant executable permissions on that file.

chmod +x /etc/network/if-pre-up.d/firewall

Reboot the system and list the iptables rules to check if it has been applied.

reboot

After reboot

iptables -L

IMPORTANT: Whenever you add or delete rules you should overwrite the changes to the iptables.rules file using the following command

iptables-save > /etc/iptables.rules

Red Hat variants

Some of the Red Hat variant Linux OSes are CentOS, Fedora, SUSE Linux etc. If you’re using YUM to install packages then you have a Red Hat based OS. Use the VI editor and edit the following file

vi /etc/sysconfig/network-scripts/ifcfg-eth0

A machine having multiple Ethernet cards will have files named ifcfg-eth1, ifcfg-eth2 and so on. Add or edit the following lines

ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.1

By default BOOTPROTO is set to dhcp which should be changed, setting ONBOOT to yes will activate this network adapter when Linux boots and the care should be taken when entering the NETMASK value. Because unlike Windows OSes which automatically assign Subnet masks based on the class of the IP address manual assigning is required in Linux. Even though the interface will work if classless NETMASK is entered, the system might have problems in communicating with other network devices as they have a classful subnet mask. Refer to the Wikipedia article on Classful network to check in which class your IP address lies.

Debian variants

If you use dpkg to install packages then you’re using a Debian based Linux OS. Using VI editor open the following file.

vi /etc/network/interfaces

If you’re using DHCP (which is the default) the following is shown

auto eth0
iface eth0 inet dhcp

To assign an IP address statically delete those lines and enter the following

iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1

Here again you should keep an eye when entering the netmask.

Assigning the DNS IP addresses

Assigning DNS addresses is similar in both types of Linux OSes. Edit the following file using the VI editor

vi /etc/resolv.conf

The nameserver keyword is used to mention the DNS service IP address. If more than one DNS IP is to be specified use multiple entries

nameserver 8.8.8.8
nameserver 8.8.4.4

Restarting the interface and verifying the settings

For the changes to apply the interface has to be shutdown and brought up

ifdown eth0
ifup eth0
ifconfig

The ifconfig command should display the IP address and netmask assigned by you. Ping different IP addresses to check connectivity. To check the DNS ping a hostname or a domain name

ping google.com

You should get a reply.