CCNA Certified
Today I passed the CCNA exam. It was a lot of work and required more studying and practice than any of the previous exams I have taken, but it was worth it and I am excited to have passed the exam. I learned a lot of new things along the way and I hope to be able to apply them in my new position as the Network Systems Administrator at WAMU. Up until now most of my studies and experience have focused on Systems Administration tasks so this is my first real networking certification. The Network+ is really more of an entry level certification.
Next I will be setting up another ESXi lab and working on upgrading my MCSA to MCITP:SA, which hopefully will not take too long as I only would need to take a single exam upgrade the certification. The MCITP:SA covers Windows Server 2008, whereas the MCSA focuses mainly on Server 2003. After that I plan on venturing back into the networking world and working on a CCNA specialization like security.
CCNA Lab Update
Got 2 new 1721 routers in the mail this weekend. So far I have learned how to configure interfaces, enable telnet access, set passwords, create banners, enable ssh and generate ssh keys and connect routers together using the WIC-1DSU-T1 cards and a T1 crossover cable.
I have also learned how to flash the IOS images onto the routers and have backed up all of the original images that came with each device before upgrading them all to IOS 12.4. A lot of the labs/studying could be completed using a router simulator like Packet Tracer or GNS3, but I find having the equipment sitting in front of me next to my desk is motivating and a constant reminder to study. I will probably use the Cisco Packet Tracer to do some of the studying.
CCNA Lab
Just got the equipment in for the CCNA lab I am setting up. I have a Cisco 2610xm router, a Cisco 1760 router and two 2950 switches. I will need to buy one or two more routers to complete all the exercisces and labs, most likely one or two Cisco 1721 routers.
I am hoping to take the CCNA exam withint 2-3 months, afterward I will begin working on upgrading my MCSA certification to MCITP:SA. Check back later for updated photos of the home lab.
ISPConfig 2.2.37 and BIND 9.7
Just finished upgrading to the latest version if ISPConfig, version 2.2.37, which included some updates to ClamAV, SpamAssassin, and PHP. The control panel uses its own standalone versions of PHP and Apache. In the past I would usually just rebuild the server when a new version of ISPConfig was released, but I am hosting more sites now and the thought it might be easier to upgraded rather than trying to migrate every site and database as well as all of the e-mails, web stats, and config files. I think everything is working now. I had to change a few config files which were overwritten in order to setup the backup script and also re-open some ports in the iptables firewall.
I also upgraded BIND from 9.3 to 9.7, it was a bit more complicated than upgrading PHP but I think I got it. I am not currently using this server as an authoritative name server so it is not a big deal, but it was still a good learning experience.
RHEL 5.6 & PHP 5.3
This morning I upgraded the server to RHEL 5.6 which was just recently released. This included a number of updates to various packages, but the main two that were updated were PHP and BIND. The packages for PHP 5.3 and BIND 9.7 are named php53 and bind97 so that users could choose whether or not to upgrade or continue using the old version. In order to upgrade I had to run yum remove php-cli and php-common and then install php53-cli and php53-common and then re-install all PHP 5.3 add-ons. Afterwards I had to rebuilt and re-installed PHP eAccelerator 0.9.6.1.
I am looking to upgraded to BIND 9.7 this coming weekend, but wanted to install them separately in case any issues arose on the production web server. RHEL 6 was also recently released and I will be looking to upgrade the server and migrate all hosted sites over soon, just waiting for ISPConfig to confirm compatibility.
Windows 2003 VPN
I now have a Windows Server 2003 Virtual Private Network setup on my home network. A lot of the questions on the next Microsoft exam I am studying for are on routing and remote access and one of the practice labs was to setup a VPN. I created a new server with two virtual network adapters and installed the VPN role. I am using PPTP so I setup my router to forward port 1723 to the servers IP address. I also had to create a resource group and create a remote access policy and add that resource group to the allowed connections list. I was able to test it from a separate network and it is working well. I can use remote desktop or ssh to connect to any of the virtual servers or even my home PC from any external network with an Internet connection.
Mailhop Outbound
Today I changed my mail server to use a Mailhop outbound server for outgoing e-mails. Previously I was using the verizon SMTP server for sending messages. A lot of SPAM filters like Spamhaus block e-mails from dynamically allocated IP addresses, but an easy workaround is to configure an external mail relay service to send e-mails for the server. I can relay up to 300 e-mails per day for $20 dollars a year, which can also be upgraded to a higher value as the server gets more use.
Postfix, SASL, & Fail2Ban
I recently noticed that a lot of ISPs block outgoing SMTP connections on port 25 so I made some configuration changes to my server to allow SMTP connections on port 587. I configured Postfix to listen on port 587, added a new rule to the iptables firewall to allow the traffic through, and setup port 587 to be forwarded to the web server by my router.
I also modified the Fail2Ban rules for Postfix and SASL to monitor SMTP activity. The server is already configured to refuse relay requests for domains not hosted on the server unless the user has been authenticated. The rules I have setup now will notify me if anyone tries to perform a Denial of Service or Distributed Denial of Service attack. If I notice any increased activity I will change the Fail2Ban rules to block IP addresses instead of just sending me whois-lookup notifications.
Breaking WEP Encryption
This past weekend, as an education experiment I attempted to break into my own WEP protected wireless network. I had heard from multiple sources that WEP encrypted wireless networks were insecure, but was surprised how easy it was to break. With only a few tools, namely a Backtrack 3 live USB with Aircrack I was able to break into my own wireless network in about half an hour.
I changed my wireless network from WEP to WPA later that afternoon.
Windows Server 2003 Domain Setup
I just completed setting up my home testing lab. Right now I have one domain controller with Active Directory, DNS, and DHCP. I also setup a file server, a print server, and a WSUS (Windows Server Update Servies) server. All the servers are running Windows Server 2003. My next project wil be to get Microsoft Exchange up and running.