AgentX Tutorial using Net-SNMP – Trap implementation

Third one in this series is implementation of SNMP Traps, the method which is the main strength of SNMP. These Traps provide an event based system where NMS relies heavily on the monitored stations to tell them if something of interest has happened. mib2c again provides an easy way to implement traps. This is actually one of the easiest ones of the three in this series. Again as I said before clone my repository and checkout the code to find what was done and how. Following are three commands of interest.


git clone https://github.com/jainvishal/agentx-tutorial.git
git checkout step3_traps_autogenerated
git checkout step3_traps_implement

mib2c provides mib2c.notify.conf to compile the MIB and generate C code. By default it uses SNMPv2 for traps and I leave it as is. Implementation is as simple as copying the data into right variables when time comes and they will be delivered. Continue reading

Net-SNMP configuration for non-root AgentX application

It is imperative to run the application when developing it. You may be testing it, debugging it or troubleshooting something. By default Net-SNMP uses named socket for AgentX communication which does not allow a non-root user to connect making troubleshooting difficult. There are security reasons for not allowing this kind of widely open access so do not set this up in your production environment. There are other ways to control the access which I will narrate in future posts.

To enable AgentX and allow non-root applications/Agents to connect to snmpd you can setup TCP socket as follows. TCP socket provides a cleaner access and allows easier troubleshooting e.g you could capture network traffic between snmpd and the AgentX application. Update /etc/snmp/snmpd.conf and ensure that following directives are set for TCP based AgentX communication.

rocommunity public default # or whatever community string/access control you want
master agentx # Run as an AgentX master agent
agentXSocket tcp:localhost:705 # Listen for localhost network connections instead of /var/agentx/master

Restart snmpd (/etc/init.d/snmpd restart)

Alternate is to set correct permissions for /var/agentx/master named socket or whatever you have configured.

Create Post Excerpt Intelligently in Jekyll

meta-descriptions or OpenGraph Descriptions are the short descriptions that Search Engines/Facebook display on result pages. They provide a brief introduction to the content and grab user attention. So when possible, try to use keywords in meta description that describes in short what that page is about. Ensure to limit meta description length to 160 characters which seems to be a norm for SEO now-a-days.

Jekyll by default supports post.excerpt which would automatically take the value of excerpt from Front Matter (if present). Otherwise it will fall-back to post content from beginning till excerpt_separator or end of post. Whatever separator you choose, have it defined as excerpt_separator in _config.yaml. With this done you can use {% raw %}{{ post.excerpt | strip_html }}{% endraw %} wherever you need to show it (e.g. meta-description/og-description). I use strip_html to remove any html which will cause issues with description tags.

I personally like to show a bigger teaser on my main page to entice user attention. And on other pages (like search results, Category/Tag index) show a brief description. Here is how I do it.

  1. Define meta-description tag in Front Matter of the post and describe in few words what the post is about. Then use {% raw %}{{ post.meta-description }}{% endraw %} during publishing HTTP headers for the post and on Category/Tag index pages. And on main page OR index.html use {% raw %}{{ post.excerpt }}{% endraw %} which is auto-generated by Jekyll based on Front Matter or excerpt_separator. I personally stopped defining excerpt in Front Matter to avoid namespace collision with Jekyll.
    Continue reading

mimikatz : Export non-exporteable Private certificate from Symantec PKI

Recently our organization started to provision Private certificates using Symantec Managed PKI Service. It has lot more appeal for IT admins because it takes out all user intervention which always creates support nightmares.

Previously I had direct access to the private key so it was easy to export it to all my devices and use for VPN and other secure stuff that needed to verify that I am indeed the real user. Because Symantec PKI is not available for Linux, it broke the VPN access from my Ubuntu system. Naturally I started to look for ways to export the key out of windows system. So here is what I did to get me out of the bind.

How to export certificates

First I installed Symantec PKI client on a windows 7 system. That was a no brainer because there was no other choice. I did not try with Windows 8 so YMMV. The main issue was that Windows certificate manager showed that the private key was not exportable. If it was then my quest would have been over right there. But I had to take another step. Mimikatz was the answer which marks them exportable and also allows to export them. Note: The patching that it does only lasts for that session. Once you reboot windows system you have to patch again using mimikatz. I used latest version which is 2.0 at the writing of this post. Continue reading

vpn : Split Tunnel Concept

Once a user starts a vpn client to connect to company extranet, all network traffic is diverted to the vpn tunnel. Routing gets setup by VPN client such that everything would go down the tunnel. Split tunnel can fix that by keeping traffic for internet from tunnel and only direct extranet traffic to the tunnel. But it comes with few risks on its own. Lets review the concept for a minute.

The VPN tunnel can be configured to work in two modes.

  1. Mandatory (default)
    While a client tunnel is established in mandatory mode, all client traffic is tunneled through it by default. This is the default vpn mode. So accessing yahoo.com will go through vpn tunnel to company extranet which will then route it via its own internet connection after applying access policy etc.
  2. Split Tunneled mode
    Split Tunneling allows configuring specific network routes that are then tunneled and sent to the client’s Extranet adapter; any other traffic goes to the local PC Ethernet or Dialup adapter interface. So Split tunneling allows the user to get access to the Internet or print locally even while the system is tunneled into the company Extranet. But this comes with a security issue because it opens a backdoor into the secure office network from internet via the home system. A hacker can exploit the home system and can use that as a jump box to get into the company network. Or if the system at home is infected it will further that infection into office network. That is why organizations want vpn users to ensure they are up to date and have anti-virus installed and most will provide vpn clients that are tightly controlled to enable the Default mode. Continue reading