Issues installing Netbox web service

Hi all

Today I was trying to install netbox on a Linux server. I have done it before but just for testing and never connected it to apache or nginx for a production enviorment. I used the guide supplied in the official manual but I managed for some reason to fail completely. Not sure where the error was if I just did something completely stupid orthe manual was just incomplete. You can check the manual here if you need.

My issue was that when all the commands I had to run for the HTTPS server according to the manual I still got an error. The lovely 503 Service unavailable.

Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Apache/2.4.41 (Ubuntu) Server at netbox.example.com Port 443

When I checked the service I got the following response:

manager@ubuntults:~$ systemctl status netbox
● netbox.service - NetBox WSGI Service
     Loaded: loaded (/etc/systemd/system/netbox.service; enabled; vendor preset>
     Active: activating (auto-restart) (Result: exit-code) since Tue 2020-05-26>
       Docs: https://netbox.readthedocs.io/en/stable/
    Process: 1217 ExecStart=/usr/local/bin/gunico --pid /var/tmp/netbox.pid --p>
   Main PID: 1217 (code=exited, status=203/EXEC)
lines 1-6/6 (END)

In the active section you can see that it says activating and not activated and Main PID: gives me: (code=exited, status=203/EXEC)

This tells me that the system has issues executing the files for starting the service. I followed this up by going to the service file where all the settings are made for the service.

sudo nano /etc/systemd/system/netbox.service

I then continued to look at the execution parameters for the service.

ExecStart=/opt/netbox/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox/netbox --config /opt/netbox/gunicorn.py netbox.wsgi

When I checked for the gunicorn file in the filesystem I couldn’t find the file gunicorn in /opt/netbox/venv/bin/. Therefor I entered the command “which gunicorn” that returns the correct path for gunicorn to me.

manager@ubuntults:~$ which gunicorn
/usr/local/bin/gunicorn

The correct syntax would then be:

ExecStart=/usr/local/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox/netbox --config /opt/netbox/gunicorn.py netbox.wsgi

When you have done the change you need to update the service like I have done below:

manager@ubuntults:~$ sudo nano /etc/systemd/system/netbox.service
[sudo] password for manager:
manager@ubuntults:~$ sudo nano /etc/systemd/system/netbox.service
manager@ubuntults:~$ systemctl daemon-reload
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ===
Authentication is required to reload the systemd state.
Authenticating as: manager
Password:
==== AUTHENTICATION COMPLETE ===
manager@ubuntults:~$ systemctl restart netbox
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to restart 'netbox.service'.
Authenticating as: manager
Password:
==== AUTHENTICATION COMPLETE ===
manager@ubuntults:~$

Now the server should work perfectly 🙂

I couldn’t have solved it hadn’t it been for this post and the answer from Russell Molimock. That put me on the correct track for finding the issue 🙂

Can’t upload image to wordpress due to large size

Hi

In my new job I have been working a little bit with cPanel and WordPress. It sounds easy enough and both of the products are easy enough normally. But there is always one of these fun errors that just makes you wonder. What the f*** could be the problem here. Everything seems fine but everything is so wrong.

When the users where going to upload files we changed the upload limit on the PHP server and everything should be working fine. The users should be able to upload files up to 250 MB. At least that was what I was thinking. But no matter what I did I got the following error up: “Post-processing of the image failed. If this is a photo or a large image, please scale it down to 2500 pixels and upload it again”

My picture was below this size and I belive I tried every single solution to this issue I could find on the internet. The only solution that worked for me was the plugin Add from Server, with this plugin I was able to get my pictures to the libary.

After hours of googling and talking to coworkers we suddenly discovered that cPanel is not delivered with mod_fcgid turned on in Apache. This simple feature took me ages to find out. In addition you need to install the imagick module.

imagick you can install in cPanel by go to Software -> Module Installer in the left menu. Manage the PHP PECL and search and install imagick for all needed PHP versions (at least where you run WordPress).

Then you need to enable mod_fcgid. This can be done in Software -> Easy Apache 4 on the left side menu and choose Customize on the menu showing. Now you can go to Apache modules and search for mod_fcgid. When this module is enabled you can try to upload again. Hopefully it works now!

Be aware that the changes done here needs to be done by your hosting provider and unless you have access to the WHM console you need to forward them this article to fix the issues.

Centos 7 with cPanel loose network config

Today I have been struggeling with cPanel. I did install an Centos 7 server with cPanel WHM on it. I followed the instructions from tecmint and it was pretty straight forward! I have to admit, that was my thought all the way until I rebooted the server with an software update.

At firdst I didn’t know what happened. I thought it was a firewall issue etc. But I couldn’t find any issues. When I finally started to check the server more closely I discovereed when running ifconfig that there where no network card configured with the correct IP. I then moved further and tried to restarting the network service with the command:

systemctl restart network.service

When doing this I got an error message :
Job for network.service failed because the control process exited with error code. See “systemctl status network.service” and “journalctl -xe” for details.

Checking “systemctl status network.service” gave me the following error message:

Failed to start LSB: Bring up/down networking.

This led me out on a desperate google search that lasted for a couple of hours. I found alot of articles that could be helpful but none that helped me. Or I did, in the end but it still felt like forever. I had read something similear to the solution below on my google searches. But those articles only said I needed to touch the network file (just create an empty file). But according to the forum post below I needed to add the commands below to /etc/sysconfig/network file.

NETWORKING=yes
GATEWAY=XXX.XXX.XXX.XXX

XXX.XXX.XXX.XXX represent the IP of the gateway for the CentOS server. When the file is edited I did a reboot and it all worked again! 🙂 I tried to restart the network.service but for some reason I had to do a complete reboot for it to work.

Forum post

Management access list on Juniper SRX

Sometimes you need to restrict access to your Juniper SRX firewall, or lets say you should always restrict the access to the firewall when it’s connected to the internet.

So now I’ll show you how to limit the traffic to your firewall to only be accessible from the allowed IP’s or IP ranges. In the first part we will insert the subnets and IP’s into a prefix list called manager.

set policy-options prefix-list manager-ip 192.168.4.254/32
set policy-options prefix-list manager-ip 10.0.0.0/8

The next part will tell the firewall to discard requests done to the firewall except to the IP’s in the prefix list above named manager. The filter will only apply to the services below so make sure to not remove any of the services you wan’t to limit access to. The last line in the snippet below is a block command to block off all the traffic hitting this term.

set firewall filter manager-ip term block_non_manager from source-address 0.0.0.0/0
set firewall filter manager-ip term block_non_manager from source-prefix-list manager-ip except
set firewall filter manager-ip term block_non_manager from protocol tcp
set firewall filter manager-ip term block_non_manager from destination-port ssh
set firewall filter manager-ip term block_non_manager from destination-port https
set firewall filter manager-ip term block_non_manager from destination-port telnet
set firewall filter manager-ip term block_non_manager from destination-port http
set firewall filter manager-ip term block_non_manager then discard

In the end we will accept everything to allow everything and by that only allowing access to the IP’s mentioned since they where excepted from the prevoius term that was blocked in the end.

set firewall filter manager-ip term accept_everything_else then accept

At the very end we add the filter to the loopback interface. By doing this all traffic will hit the rule, you can also add it to seperate interfaces if you only want to limit the traffic from certain interfaces.

set interfaces lo0 unit 0 family inet filter input manager-ip

When you have done that the firewall is a bit more secure than before. Hopefully I will have the chance to write how to secure your Juniper SRX even more later on. Below is all the code in one snippet for easy cut and paste.

set policy-options prefix-list manager-ip 192.168.4.254/32
set policy-options prefix-list manager-ip 10.0.0.0/8
set firewall filter manager-ip term block_non_manager from source-address 0.0.0.0/0
set firewall filter manager-ip term block_non_manager from source-prefix-list manager-ip except
set firewall filter manager-ip term block_non_manager from protocol tcp
set firewall filter manager-ip term block_non_manager from destination-port ssh
set firewall filter manager-ip term block_non_manager from destination-port https
set firewall filter manager-ip term block_non_manager from destination-port telnet
set firewall filter manager-ip term block_non_manager from destination-port http
set firewall filter manager-ip term block_non_manager then discard
set firewall filter manager-ip term accept_everything_else then accept
set interfaces lo0 unit 0 family inet filter input manager-ip

Source:
https://www.juniper.net/documentation/en_US/junos/topics/example/permitted-ip-configuring.html

Using python and SSH

Previously I have written a post about running telnet with Python. As everyone knows telnet is not the most secure protocol to manage devices. So I want to help you guys out with connecting to devices with SSH using python.

In this example I will be using fabric. Fabric is a python libary that helps you send SSH commands to devices. You can read more on their website about the libary: http://www.fabfile.org/

pip3 install fabric

Since I’m running python3 on my computer I run pip3, if you have installed python2.X you just need to have pip as the first word and not pip3 in the command.

from fabric import Connection
c = Connection(host = '10.78.23.12', user = 'username', connect_kwargs = {'password':'password'})
result = c.run('show version')
print(result)

The first line imports the module needed for connecting using SSH from the fabric libary.
Then the connection to the host is performed with ip, username and password. The last two lines is a variable where the command is added to and a print command to display the information in the variable. The command in this script is just a simple show version to display the information on a cisco switch.

Convert from Mobility Express to Lightweight AP (CAPWAP)

If you have an Mobility Express AP that you wan’t to connect to another ME or a WLC controller you can easily convert it to a lighweight or a CAPWAP AP.

Connect to the AP using SSH or the console port. When you are connected go to the enable mode and enter the following command.

ap-type capwap

The AP will now restart, when it’s booted it will connect to a WLC or another ME AP on the network.

Site to Site VPN between Meraki MX and Cisco ASA 5508

Hi all

VPN’s are always a pain in the ass when it comes to different vendors and OS. Even if both Meraki and ASA is part of the Cisco brand there is still quite a few differences in the setup and as always alot of ways to do it incorrectly.

Let’s start with the ASA end of the link. The first thing we need to do is set up the IKE profile. Meraki uses only IKEv1 so there is no need for IKEv2.

crypto ikev1 enable outside
 crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 12800

Define the networks you wan’t to have on each end of the Meraki firewall.

 object network OBJ-ASA-Site
 subnet 192.168.10.0 255.255.255.0
 object network OBJ-Meraki-Site
 subnet 192.168.1.0 255.255.255.0

Now we will make sure that the traffic that is intended for the VPN is passed trough the tunnel. In the NAT rule the traffic is originating from the interface labeled server.

access-list MERAKI-INTERESTING-TRAFFIC extended permit ip object OBJ-ASA-Site object OBJ-Meraki-Site
nat (server,outside) source static OBJ-ASA-Site OBJ-ASA-Site destination static OBJ-Meraki-Site OBJ-Meraki-Site no-proxy-arp route-lookup

We will have to let the ASA know where to terminate the tunnel. Including the preshared key. It’s important to change the preshared key and use something a bit more secure.

tunnel-group 123.123.123.123 type ipsec-l2l
 tunnel-group  123.123.123.123  ipsec-attributes
 pre-shared-key supersecret
 isakmp keepalive threshold 10 retry 2

Finally we have to put everything together and let the ASA know where to terminate the VPN tunnel.

crypto ipsec ikev1 transform-set MERAKI-TRANSFORM esp-aes-256 esp-sha-hmac
 !
 crypto map CRYPTO-MAP 1 match address MERAKI-INTERESTING-TRAFFIC
 crypto map CRYPTO-MAP 1 set peer 123.123.123.123
 crypto map CRYPTO-MAP 1 set ikev1 transform-set MERAKI-TRANSFORM
 crypto map CRYPTO-MAP interface outside

Below is all the commands in one go to make it easier for a copy/paste.

crypto ikev1 enable outside
 crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 12800
 !
 object network OBJ-ASA-Site
 subnet 192.168.10.0 255.255.255.0
 object network OBJ-Meraki-Site
 subnet 192.168.1.0 255.255.255.0
 !
 access-list MERAKI-INTERESTING-TRAFFIC extended permit ip object OBJ-ASA-Site object OBJ-Meraki-Site
 nat (server,outside) source static OBJ-ASA-Site OBJ-ASA-Site destination static OBJ-Meraki-Site OBJ-Meraki-Site no-proxy-arp route-lookup
 !
 tunnel-group 123.123.123.123 type ipsec-l2l
 tunnel-group  123.123.123.123  ipsec-attributes
 pre-shared-key supersecret
 isakmp keepalive threshold 10 retry 2
 !
 crypto ipsec ikev1 transform-set MERAKI-TRANSFORM esp-aes-256 esp-sha-hmac
 !
 crypto map CRYPTO-MAP 1 match address MERAKI-INTERESTING-TRAFFIC
 crypto map CRYPTO-MAP 1 set peer 123.123.123.123
 crypto map CRYPTO-MAP 1 set ikev1 transform-set MERAKI-TRANSFORM
 crypto map CRYPTO-MAP interface outside

Then let’s move over to the Meraki part. This part is really easy compared to the ASA part. There isn’t much configuration to do on the Meraki to get everything up and working,.

The first thing you need to do is go to Security Appliance -> Configure -> Site-to-.Site VPN. Select Hub in the options list.

Select the networks that should be routed trough the VPN. In the previous config we said that 192.168.1.0/24 should be routed from the Meraki site.

The last part would be to configure the VPN settings on the Meraki. First column you enter a name for the connection. Secondly you need to enter the IP for the ASA firewall. In the third column you decide what networks should be sent over the VPN. The same network that we defined as OBJ-ASA-Site in the ASA config. Leave the IPSec policies as Default, the connection should come up with the Default setting. At last you enter the pre shared key, press save and you should have a VPN connection.