OPNsense, geolocation-based filtering.

Who has never had their firewall scanned by someone looking for SSH access?

In my case I absolutely have to go through the standard port (22) to connect; otherwise the firewalls of the companies I work for do not let me through.

So the "scans" pour in from everywhere:

  • Asia
  • Russia
  • Germany (often from badly configured machines at Hetzner, for example).
  • Africa

In order to keep the size of my logs down,

on my little APU 2C4 I installed OPNsense (a free, open source firewall developed by the company Deciso B.V.) and set up "GeoIP" filtering.

So,

by creating an alias of type "GeoIP", you can select the zones you accept, based on a "community" list. There may be errors, but in tests run over a few hours none of the IPs geolocated in Belgium, France, Luxembourg and the Netherlands appeared to be blocked or badly referenced.

Move VM in yavijava/vijava

This is an example of how to move a virtual machine with yavijava:


Upload file via VMware VM Agent – Java


Upgrade UCS Performance Manager from 2.0.0 to 2.0.2

UCS Performance Manager is another “wonderful” product of Cisco for monitoring your physical and virtual infrastructure.

Requirements:

  • 8 vCPUs
  • 40 GB of memory

The upgrade should be easy, but it isn't. My upgrade process got stuck because the zenmail process stayed blocked in the running state. To be able to upgrade I had to open two shell sessions:

  • 1 with the upgrade process
  • 1 with the root shell

During the process I had a quick look at /mnt/cdrom/update-zenoss.sh.

The script hung every time: before going further it has to stop all services through the serviced daemon.

After a quick look, the interesting line was: serviced service status --show-fields 'Status' 2>/dev/null | grep -v "Stopped" | grep -v "Status" | grep -v '^[[:space:]]*$'

The script retries 60 times; each time the result was "Running", but to go further it has to be "Stopped".

One service was still running every time: zenmail

To stop the zenmail process:

Select the serviceID and execute the following command:

serviced service stop 6bnlfl5qzog18j4mrnxszllyx

Then wait till the end of the upgrade process and enjoy your upgraded UCS Performance Manager (and thanks Cisco for not providing any kind of document for the upgrade …).
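As an added example (not code from the original post or from Cisco), here is the upgrade script's readiness check rewritten so that it names the services that are still running instead of silently retrying. It assumes serviced can print a Name and a Status column (the exact field names are an assumption), and the real status call is replaced by a constructed sample so the script runs offline:

```shell
#!/bin/sh
# Added example: report which serviced services are not yet Stopped.
# Assumption: the status output has the form "Name Status", one service per
# line, with a "Name Status" header line, as `serviced service status
# --show-fields 'Name,Status'` is assumed to print.

# Constructed sample output, so the script runs without a UCS Performance
# Manager host. On a real host replace the body with:
#   serviced service status --show-fields 'Name,Status' 2>/dev/null
services_status() {
    printf 'Name Status\n'
    printf 'zenhub Stopped\n'
    printf 'zenmail Running\n'
    printf '\n'
    printf 'zope Stopped\n'
}

# Print the names of services whose status is anything other than Stopped,
# skipping the header line and blank lines (like the original grep chain,
# but keeping the service name so the culprit is visible).
still_running() {
    services_status \
      | grep -v '^Name' \
      | grep -v '^[[:space:]]*$' \
      | awk '$2 != "Stopped" { print $1 }'
}

# Poll until nothing is running: returns 0 when all services are Stopped,
# 1 when the retries (default 60, like the upgrade script) are exhausted.
# Each failed attempt logs the still-running services on stderr.
wait_for_stopped() {
    retries=${1:-60}
    while [ "$retries" -gt 0 ]; do
        running=$(still_running)
        [ -z "$running" ] && return 0
        echo "still running: $running" >&2
        retries=$((retries - 1))
        sleep "${SLEEP_SECONDS:-5}"
    done
    return 1
}
```

With the sample above the check reports zenmail and gives up after the retries, which is exactly the point where the original script hung; stopping that service with serviced service stop <serviceID> lets the loop succeed.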

Cisco Prime Service Catalog – Management Console of ServiceCatalog on Active Directory

Instead of locally managed passwords,

it's time to use LDAP/Active Directory so that users can be managed without restarting the Prime Service Catalog.

This modification has been done on a Custom Installation of Cisco Prime Service Catalog 11.1.1 Patch 3 and should be compatible with 11.2 (future version) as well.

First, make a backup of your configuration directory (in our environment we use git with GitLab Community Edition to keep a history of all our modifications).

Location:  /opt/cisco-psc/wildfly-8.2.0.Final/ServiceCatalogServer/configuration

File to edit:  standalone-full.xml

Edit the section security-realm and change the subsection ManagementRealm like this:

Edit the section security-domains and add a subsection security-domain like this:

And a file AD_GroupsMapping.properties containing the mapping between a specific user group and the management group in Wildfly, like this:

Then restart the Service Catalog with  systemctl restart servicecatalog

And you should be able to log in with a user defined on your LDAP/Active Directory server.

Add JAVA libraries in Cisco UCS Director 5.5

In the file “inframgr.env”, located in “/opt/infra/bin/”:

Add the path of each of your libraries to the variable ORDERED_JARS.

In this example we added the Jersey client libraries:

Save the file and then run /opt/shelladmin.

Choose Stop Services, then Start Services.

Wait until the “cloud page” has disappeared.

Cisco Prime Service Catalog stops working after a Java upgrade

Have a look at /opt/CiscoPrimeServiceCatalog, and in the directory bin

open the file setEnv.sh; you should have something like this:

Change the variable JAVA_HOME to the new path of your Java JRE.

Tips

Use the command update-alternatives --display java

and take the value following "Current 'best' version", e.g. /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.101-2.6.6.1.el7_2.x86_64/jre

Get vmId by vmName in Cloupia Script

How to get the virtual machine identity (vmId) from its name.

Create a custom task with this code:

Inputs:

  • VMname (virtual machine name), as a string
  • accountName (vCenter account name in UCS Director)

Outputs:

  • vmId (virtual machine identity in UCS Director)

Cisco UCS Director – Hello World in Cloupia script

Cloupia script is THE scripting language of Cisco UCS Director.

Cloupia is a mix of JavaScript and Java. The code is interpreted by Nashorn (the JavaScript engine shipped with the JRE/JDK).

importPackage has the same role as import in pure Java code.

import java.lang.*; in Java becomes importPackage(java.lang); in Cloupia.