Re: [AFMUG] [OT] Weird MT situation

2014-11-15 Thread Nicholas Eastman via Af
We use 5.25 and 5.26 on most of our routers. The main issues we've seen are
SSH brute force and DNS relay. We have a central DNS server that we send
everyone to located in our NOC, so we disabled "Allow remote requests."
This could easily be done with a firewall rule if you do use the routers
for DNS at the site, so they are not being hit from outside. As far as the
rest, we use an address list and firewall to block access to the router's
configuration interfaces except from our office or local management IPs.

As far as the ICMP packets being mis-ordered, you might try something like
Greg Sowell's implementation of a ping brute force block. We don't employ
it on site routers right now, but I have seen it catch some IPs on some
customer setups we have done. They are part of his "Border Router Firewall
Script" example that can be found here: http://gregsowell.com/?p=4013

On Nov 10, 2014 7:05 PM, "George Skorup (Cyber Broadcasting) via Af" <
af@afmug.com> wrote:

> I've got a RB1100AH running 5.26. Something has been happening every day
> for about the past week and it gets all screwy. I've confirmed there are no
> site temperature or power issues. Here's what happens in the screwy state.
> I can ping it and it responds fine. I can log into Winbox or the CLI and
> try to ping anything, even local same-subnet stuff and I get a bunch of
> packet loss. SNMP responses are hit or miss as well. I did a packet capture
> and it shows the ICMP packets all out of order. Reboot it and everything
> works fine again, until next time. The only thing I haven't tried yet is
> pinging 127.0.0.1 and see if the same packet loss happens.
>
> I see a bunch of SSH brute force attempts, but I'm using the brute force
> protection firewall scripts to add sequential attempts to an address list
> to stop them. And that works fine. But I'm wondering, since 5.26 is the
> "ssh - fixed denial of service;" version, did this "fix" break something
> else. I don't see this on any other routers running 5.25, RB1100's and
> 493's. This is a remote router so I do not want to try downgrading to 5.25
> or upgrading to v6 without someone there. And if I'm going to send someone
> there, probably better off replacing it, but then I'll never know WTF is
> causing this.
>
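
The controls discussed in this thread (keeping outside hosts away from the router's DNS resolver, limiting the configuration interfaces to an address list, and adding repeated SSH attempts to an address list), as an added RouterOS example that is not part of the original posts or of Greg Sowell's script. The interface name `ether1-wan`, the list names and the 192.0.2.0/24 and 10.255.0.0/24 ranges are assumptions to replace with your own.

```routeros
# Added example. Interface name, list names and address ranges are
# placeholders (assumptions), not values from the thread.

# Site routers that forward clients to a central resolver do not need to
# answer DNS themselves ("Allow remote requests" unchecked in Winbox).
/ip dns set allow-remote-requests=no

# Office and local management ranges allowed to reach the router itself.
/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="office (placeholder)"
add list=mgmt address=10.255.0.0/24 comment="local management (placeholder)"

/ip firewall filter
# Replies to traffic the router itself started.
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept

# Management sources are accepted before any rate limiting or drops,
# so an administrator is never caught by the staged SSH lists below.
add chain=input src-address-list=mgmt action=accept comment="mgmt list"

# If the router must keep answering DNS for local clients
# (allow-remote-requests=yes), keep outside queries away from it.
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 \
    action=drop comment="no DNS from outside"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop

# Staged SSH list: each new connection inside one minute moves the source
# up a stage; the fourth lands on the blacklist for 10 days.
# Order matters: highest stage first, so one packet climbs only one step.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop SSH brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m

# Everyone else is kept off the configuration interfaces
# (FTP, Telnet, WWW, WWW-SSL, Winbox, API, API-SSL default ports).
# Add 22 to this list to close SSH to non-mgmt sources as well.
add chain=input protocol=tcp dst-port=21,23,80,443,8291,8728,8729 \
    action=drop comment="config interfaces: mgmt list only"
```

Entries on `ssh_blacklist` can be reviewed with `/ip firewall address-list print where list=ssh_blacklist` to see which sources were caught.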


Re: [AFMUG] OT: Wireless headsets for office phone

2014-10-31 Thread Nicholas Eastman via Af
We gave our technicians Plantronics wireless headsets... The main downfall
we've seen with them is that after a short time, the headset goes to
"sleep" and takes an extra second or two to re-connect to the base and pick
the call up, otherwise, the techs that use them are pleased with the
performance and ease of them. If you do decide to go with wireless ones,
make sure they come with lifters, otherwise it's pick up the phone and
press the button on the headset to pick up, and push the button and hang
the phone back on the hook when done. It can become a bit tedious depending
on the use of the headsets...

Nicholas Eastman
Royell Communications, Inc.
(217) 965-3699
1-877-400-9319
nic.east...@royell.org

On Fri, Oct 31, 2014 at 1:38 PM, Adam Moffett via Af  wrote:

>
> Last I checked, wired headsets were $100 or less (or much less).  Wireless
> headsets were like $1818283201.  Or approximately that... not sure on the
> exact numbers, but it was a big enough difference that I figured I could
> live with a wire.
>
> After you get them, watch how many people really use them.  It's hard to
> break the habit of picking up the handset.
>
>
>> We've recently had requests for wireless headsets for office personnel to
>> use on their desk phones so they don't have to pin a phone against their
>> shoulder and type at the same time.  Is anyone using something that they
>> really like?
>>
>>


Re: [AFMUG] SNMP ObjectID for Registered SM Count

2014-10-31 Thread Nicholas Eastman via Af
They haven't changed since version 9 (.1.3.6.1.4.1.161.19.3.1.7.1) index 0,
maybe that will work. Otherwise, I haven't seen version 7 firmware in over
5 years...

Nicholas Eastman
Royell Communications, Inc.
(217) 965-3699
1-877-400-9319
nic.east...@royell.org

On Fri, Oct 31, 2014 at 1:47 PM, Sam Kirsch via Af  wrote:

>  I can't seem to find the appropriate SNMP ObjectID for the current
> Registered SM Count for Canopy - specifically version 7.3.6 if that makes
> any difference.  Anyone have that info off-hand?
>
>
> -- Samuel Kirsch, Tech Support/Web Development/Sales
> Plexicomm - Internet Solutions | www.plexicomm.net
> Office: 1.866.759.4678 x109 | Fax: 1.866.852.4688
> Emergency Support: 1.866.759.9713 | sam...@plexicomm.net
>
>


Re: [AFMUG] DNS server for guys who dont want to be gurus

2014-10-03 Thread Nicholas Eastman via Af
To throw my 2 cents in, +1 for Ajenti for managing servers, I've used
webmin and ajenti both and like the performance/stripped down approach of
Ajenti better. Also +1 for cPanel once you get into allowing customers to
manage/update DNS on their own. We host our own DNS server that is locked
for our use, and sell hosting packages on another with cPanel, we've moved
several customers over, and besides the occasional enterprise with a random
computer trying to force a DNS update, it works well.

Nicholas Eastman
Royell Communications, Inc.
(217) 965-3699
1-877-400-9319
nic.east...@royell.org

On Fri, Oct 3, 2014 at 9:10 AM, Josh Baird via Af  wrote:

> If it's BIND 9.8.2 from the CentOS updates repositories, it's patched.  It
> won't contain non-security related features of later versions, but it has
> been patched for any security related stuff.  The internal patch/version
> level of the package is denoted in the RPM's filename for EL.
>
> On Fri, Oct 3, 2014 at 9:57 AM, Ken Hohhof via Af  wrote:
>
>>   I don’t think so.
>>
>>  *From:* Adam Moffett via Af 
>> *Sent:* Friday, October 03, 2014 8:34 AM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] DNS server for guys who dont want to be gurus
>>
>> It may be 9.8.2 with security fixes backported from later versions.
>>
>>
>>  I would disagree, didn’t Steve say the latest he updated to was 9.8.2?
>>
>> https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
>>
>> ISC shows 9.8.8 EOL as of September 2014, so 9.8.2 is quite a few
>> versions old.  With all the DNS amplification attacks and these zero day
>> exploits coming out all the time, I’d want to be pretty current, plus I
>> believe 9.10 gives you RRL in your toolbox to deal with attacks although
>> I’ll admit I haven’t had time to experiment with it.
>>
>>
>>  *From:* Mike Hammett via Af 
>> *Sent:* Friday, October 03, 2014 6:10 AM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] DNS server for guys who dont want to be gurus
>>
>>  The server based distributions like CentOS\RHEL and Debian generally
>> are close to current regarding security updates even if they don't have the
>> latest version.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>> --
>> *From: *"Ken Hohhof via Af" mailto:af@afmug.com 
>>
>> *To: *af@afmug.com
>> *Sent: *Thursday, October 2, 2014 5:30:01 PM
>> *Subject: *Re: [AFMUG] DNS server for guys who dont want to be gurus
>>
>>  You need a named.conf that defines the slave zones and the IP address
>> of the master.
>>
>> But first step is to download/compile/install the latest version of BIND,
>> it’s actually quite easy.  I doubt you can get the version you want via yum
>> update because CentOS is based on RHEL which is always a few steps behind.
>> Given the DNS attacks, you want the latest BIND.  You might then want to
>> lock out the package from being updated by yum.
>>
>>
>>  *From:* That One Guy via Af 
>> *Sent:* Thursday, October 02, 2014 4:36 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] DNS server for guys who dont want to be gurus
>>
>>  So I'm at a new CentOS with Webmin fresh BIND install.
>> We have one master, one slave server
>> I have never set up BIND, this was done before me.
>> If I were to take down the old slave server and bring this one up on its
>> IP will the master update this one, or is there a config I need to move
>> over. I'm more comfortable doing the slave first.
>> These are all webmin, but the original is ubuntu and the new is centos
>>
>> On Thu, Oct 2, 2014 at 2:00 PM, Paul Stewart via Af  wrote:
>>
>>>  I always install CentOS bare bones …. “minimal server” is what the
>>> installation will call it.  This way you can install whatever you like
>>> after installation and not worry about removing many dozen packages you
>>> don’t need…
>>>
>>>
>>>
>>> Just my preference anyways….
>>>
>>>
>>>
>>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *That One Guy
>>> via Af
>>> *Sent:* Thursday, October 02, 2014 2:24 PM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] DNS server for guys who dont want to be gurus
>>>
>>>
>>>
>>> 2 questions in this
>>>
>>> 1. when running through the current CentOS installation, what do I
>>> select for the server type, for powercode it says select basic server
>>>
>>> 2. is there a guide for building dedicated CentOS servers based on
>>> server purpose? I assume there are packages I don't need to install if it's
>>> only got this purpose
>>>
>>>
>>>
>>> On Thu, Oct 2, 2014 at 1:13 PM, Paul Stewart via Af 
>>> wrote:
>>>
>>>  CentOS+BIND+Webmin :)  I can’t remember but Usermin might be the part
>>> you’re looking for specific to users updating their own DNS…..
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *That One Guy
>>> via Af
>>> *Sent:* Thursday, October 02, 2014 1:21 PM
>>> *To:* af@afmug.com
>>> *Subject:* [AFMUG] DNS server for guys who dont want to be gurus
>>>
>>>
>>>
>>

Re: [AFMUG] Cacti Template for ePMP?

2014-10-02 Thread Nicholas Eastman via Af
Evidently ZIPs are still being scrubbed... here are the raw XML files.
cambium-epmp-sm.xml needs to be placed in the resource/snmp_queries folder.

Nicholas Eastman
Royell Communications, Inc.
(217) 965-3699
1-877-400-9319
nic.east...@royell.org

On Thu, Oct 2, 2014 at 10:49 AM, Nicholas Eastman via Af 
wrote:

> As promised, here is my very basic SM Host template.
>
> Copy the snmp_queries to your server and import the host template.
>
>
>
> Nicholas Eastman
> Royell Communications, Inc.
> (217) 965-3699
> 1-877-400-9319
> nic.east...@royell.org
>
> On Wed, Oct 1, 2014 at 1:26 PM, Nicholas Eastman via Af 
> wrote:
>
>> I just set up a basic one the other day. It grabs RSSI, SNR, MCS rates in
>> the default graph. I have a separate graph template that appears to be
>> polling traffic rates correctly as well. (ePMP doesn't report from the
>> standard interface table). I'm out working at a tower site today, but will
>> post the template asap, so you can take a look.
>>
>> On Wednesday, October 1, 2014, Eric Kuhnke via Af  wrote:
>>
>>> Could we get one of the Cambium people who watch this list to copy/paste
>>> a full (numeric) snmpwalk from an ePMP?  I'm curious to see what OIDs it
>>> exposes and what format it returns the data in. Need to figure out how much
>>> data massaging will be necessary via Cacti CDEF (RPN!) to chart an ePMP in
>>> a useful fashion.
>>>
>>> On Wed, Oct 1, 2014 at 10:06 AM, Adam Moffett via Af 
>>> wrote:
>>>
>>>>
>>>> They mentioned that in Albany.  It was mentioned along the lines of, "I
>>>> have no idea why our product doesn't already do that".  I don't recall
>>>> whether they said it was on the roadmap or not.
>>>>
>>>>
>>>>  Not that kind of compatibility.
>>>>>
>>>>> What I'm thinking of is where I could replace an existing 802.11 AP
>>>>> with an ePMP AP, and have existing 802.11 clients connect without having to
>>>>> do a truck roll to every client.  At least not right away.
>>>>>
>>>>> bp
>>>>>
>>>>> On 10/1/2014 9:57 AM, SmarterBroadband via Af wrote:
>>>>>
>>>>>> At the ePMP training day I went on they said FSK sync compatibility
>>>>>> was high on their list.
>>>>>>
>>>>>> -Original Message-
>>>>>> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Bill Prince via
>>>>>> Af
>>>>>> Sent: Wednesday, October 01, 2014 9:44 AM
>>>>>> To: af@afmug.com
>>>>>> Subject: Re: [AFMUG] Cacti Template for ePMP?
>>>>>>
>>>>>> Not yet.  We are not on the ePMP bandwagon yet.  I've got a couple of
>>>>>> sites that I would consider it for when it comes time to split existing
>>>>>> 802.11 sectors we have, but compatibility concerns are holding me
>>>>>> back.
>>>>>>
>>>>>> bp
>>>>>>
>>>>>> On 10/1/2014 8:57 AM, Matt Jenkins via Af wrote:
>>>>>>
>>>>>>> Has anyone made and willing to share a cacti template for ePMP?
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>> --
>> Nicholas Eastman
>> Royell Communications, Inc.
>> (217) 965-3699
>> 1-877-400-9319
>> nic.east...@royell.org
>>
>>
>


Re: [AFMUG] Cacti Template for ePMP?

2014-10-02 Thread Nicholas Eastman via Af
As promised, here is my very basic SM Host template.

Copy the snmp_queries to your server and import the host template.



Nicholas Eastman
Royell Communications, Inc.
(217) 965-3699
1-877-400-9319
nic.east...@royell.org

On Wed, Oct 1, 2014 at 1:26 PM, Nicholas Eastman via Af 
wrote:

> I just set up a basic one the other day. It grabs RSSI, SNR, MCS rates in
> the default graph. I have a separate graph template that appears to be
> polling traffic rates correctly as well. (ePMP doesn't report from the
> standard interface table). I'm out working at a tower site today, but will
> post the template asap, so you can take a look.
>
> On Wednesday, October 1, 2014, Eric Kuhnke via Af  wrote:
>
>> Could we get one of the Cambium people who watch this list to copy/paste
>> a full (numeric) snmpwalk from an ePMP?  I'm curious to see what OIDs it
>> exposes and what format it returns the data in. Need to figure out how much
>> data massaging will be necessary via Cacti CDEF (RPN!) to chart an ePMP in
>> a useful fashion.
>>
>> On Wed, Oct 1, 2014 at 10:06 AM, Adam Moffett via Af 
>> wrote:
>>
>>>
>>> They mentioned that in Albany.  It was mentioned along the lines of, "I
>>> have no idea why our product doesn't already do that".  I don't recall
>>> whether they said it was on the roadmap or not.
>>>
>>>
>>>  Not that kind of compatibility.
>>>>
>>>> What I'm thinking of is where I could replace an existing 802.11 AP
>>>> with an ePMP AP, and have existing 802.11 clients connect without having to
>>>> do a truck roll to every client.  At least not right away.
>>>>
>>>> bp
>>>>
>>>> On 10/1/2014 9:57 AM, SmarterBroadband via Af wrote:
>>>>
>>>>> At the ePMP training day I went on they said FSK sync compatibility
>>>>> was high on their list.
>>>>>
>>>>> -Original Message-
>>>>> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Bill Prince via Af
>>>>> Sent: Wednesday, October 01, 2014 9:44 AM
>>>>> To: af@afmug.com
>>>>> Subject: Re: [AFMUG] Cacti Template for ePMP?
>>>>>
>>>>> Not yet.  We are not on the ePMP bandwagon yet.  I've got a couple of
>>>>> sites that I would consider it for when it comes time to split existing
>>>>> 802.11 sectors we have, but compatibility concerns are holding me back.
>>>>>
>>>>> bp
>>>>>
>>>>> On 10/1/2014 8:57 AM, Matt Jenkins via Af wrote:
>>>>>
>>>>>> Has anyone made and willing to share a cacti template for ePMP?
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> --
> Nicholas Eastman
> Royell Communications, Inc.
> (217) 965-3699
> 1-877-400-9319
> nic.east...@royell.org
>
>


Re: [AFMUG] Cacti Template for ePMP?

2014-10-01 Thread Nicholas Eastman via Af
I just set up a basic one the other day. It grabs RSSI, SNR, MCS rates in
the default graph. I have a separate graph template that appears to be
polling traffic rates correctly as well. (ePMP doesn't report from the
standard interface table). I'm out working at a tower site today, but will
post the template asap, so you can take a look.

On Wednesday, October 1, 2014, Eric Kuhnke via Af  wrote:

> Could we get one of the Cambium people who watch this list to copy/paste a
> full (numeric) snmpwalk from an ePMP?  I'm curious to see what OIDs it
> exposes and what format it returns the data in. Need to figure out how much
> data massaging will be necessary via Cacti CDEF (RPN!) to chart an ePMP in
> a useful fashion.
>
> On Wed, Oct 1, 2014 at 10:06 AM, Adam Moffett via Af wrote:
>
>>
>> They mentioned that in Albany.  It was mentioned along the lines of, "I
>> have no idea why our product doesn't already do that".  I don't recall
>> whether they said it was on the roadmap or not.
>>
>>
>>  Not that kind of compatibility.
>>>
>>> What I'm thinking of is where I could replace an existing 802.11 AP with
>>> an ePMP AP, and have existing 802.11 clients connect without having to do a
>>> truck roll to every client.  At least not right away.
>>>
>>> bp
>>>
>>> On 10/1/2014 9:57 AM, SmarterBroadband via Af wrote:
>>>
>>>> At the ePMP training day I went on they said FSK sync compatibility was
>>>> high on their list.
>>>>
>>>> -Original Message-
>>>> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Bill Prince via Af
>>>> Sent: Wednesday, October 01, 2014 9:44 AM
>>>> To: af@afmug.com
>>>> Subject: Re: [AFMUG] Cacti Template for ePMP?
>>>>
>>>> Not yet.  We are not on the ePMP bandwagon yet.  I've got a couple of
>>>> sites that I would consider it for when it comes time to split existing
>>>> 802.11 sectors we have, but compatibility concerns are holding me back.
>>>>
>>>> bp
>>>>
>>>> On 10/1/2014 8:57 AM, Matt Jenkins via Af wrote:
>>>>
>>>>> Has anyone made and willing to share a cacti template for ePMP?
>>>>>
>>>>>
>>>>
>>>
>>
>

-- 
Nicholas Eastman
Royell Communications, Inc.
(217) 965-3699
1-877-400-9319
nic.east...@royell.org


Re: [AFMUG] Physically hardened routers for tower installation

2014-09-27 Thread Nicholas Eastman via Af
We have a few 4xx series and some 1200s out there that do lose ports every
once in a while randomly (why we've been switching to 1100s). Most of the
1100s are after a storm, or at least that seems to be the timing, whether
or not that's the culprit is up to interpretation.

Nicholas Eastman
Royell Communications, Inc.
(217) 965-3699
1-877-400-9319
nic.east...@royell.org

On Sat, Sep 27, 2014 at 11:34 AM, Nate Burke via Af  wrote:

>  Do they always fail after storms, or are you just seeing ports randomly
> fail?  I used to have ports fail after storms with the 4xx series, but with
> 700's, 1100's, 2011's, and CRS, haven't seen any issues.  Unless the site
> took a direct or near hit, then all bets are off.
>
> Nate
>
>
> On 9/27/2014 11:29 AM, Nicholas Eastman via Af wrote:
>
> We have been using Mikrotiks (RB110AHx2) for tower sites that we have put
> in place over the past couple years. With that being said, we have started
> to notice more and more ports failing even with surge suppression in place.
> I know that certain issues are unavoidable, but it has brought up the age
> old "Is there something better?" question. So, I pose it to the mailing
> list. What is everyone using in terms of tower routers? Does anyone know of
> a product (mikrotik based or other) that would possibly be a little more
> resilient within a close price range to the Tiks?
>
>   Nicholas Eastman
> Royell Communications, Inc.
> (217) 965-3699
> 1-877-400-9319
> nic.east...@royell.org
>
>


[AFMUG] Physically hardened routers for tower installation

2014-09-27 Thread Nicholas Eastman via Af
We have been using Mikrotiks (RB110AHx2) for tower sites that we have put
in place over the past couple years. With that being said, we have started
to notice more and more ports failing even with surge suppression in place.
I know that certain issues are unavoidable, but it has brought up the age
old "Is there something better?" question. So, I pose it to the mailing
list. What is everyone using in terms of tower routers? Does anyone know of
a product (mikrotik based or other) that would possibly be a little more
resilient within a close price range to the Tiks?

Nicholas Eastman
Royell Communications, Inc.
(217) 965-3699
1-877-400-9319
nic.east...@royell.org