Syed Jahanzaib Personnel Blog to Share Knowledge !

March 14, 2014

WSUS Clients Getting Error Code 800b0001

Filed under: Microsoft Related — Tags: , — Syed Jahanzaib / Pinochio~:) @ 10:00 AM

In our company we have a Windows 2003 based WSUS 3.0 SP2 (Windows Update) server which is responsible for updating all local clients and servers running Windows 2000 / 2003 / 2008 / XP / W7.

Recently we added four new IBM based servers with Windows 2008 R2, but they were unable to update and showed the following error:

[Screenshot: wsus-error-b0001]

After a few hours of R&D I found that this usually happens when the Windows Update Agent on the client has been updated while the WSUS server has not: the server itself also needs to be upgraded before it can talk to the newer agent. After installing SP2 you *MUST* also apply the later update “Update for Windows Server Update Services 3.0 SP2 (KB2720211)”:

http://www.microsoft.com/en-us/download/details.aspx?id=29998

There was no need to reboot the server last time I ran this process, and the clients were able to communicate and obtain updates correctly.

Regards
Syed Jahanzaib

March 10, 2014

Mikrotik Hotspot: Different login page for Mobile Users

Filed under: Mikrotik Related — Tags: — Syed Jahanzaib / Pinochio~:) @ 1:27 PM

Recently a Nigerian friend asked how to configure a different login page for mobile users, one that is lightweight, customised for a mobile/PDA screen size and carries a customised welcome message. Following is a quick method to display a different login page when the user logs in from a mobile device, and the default login page for desktop users.

This is a quick method; if you want something more sophisticated, like detecting the client by device type, you can use variable functions and act accordingly.

First the logic: you have to create 3 HTML pages:

1- login.html
2- mobilelogin.html
3- otherlogin.html

1- login.html [Redirector which checks the user device/screen size]

login.html is a kind of redirector which checks the screen size of the client device. If the screen is 800x600 or smaller it assumes a mobile device and redirects to mobilelogin.html;
otherwise it redirects to otherlogin.html, which can be the default login page for everyone else.

First create login.html:

<script type="text/javascript">
// Screens of 800x600 or smaller are treated as mobile devices and sent to
// the lightweight page; everything else gets the standard page.
if ((screen.width<=800) && (screen.height<=600)) {
document.location="mobilelogin.html";
}
else {
document.location="otherlogin.html";
}
</script>

♦♦♦

2- mobilelogin.html [lightweight login page for mobile users]

mobilelogin.html is displayed if the client device/screen size is 800x600 or smaller. You can modify it as per your requirements.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>internet hotspot > login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<style type="text/css">
body {color: #737373; font-size: 10px; font-family: verdana;}

textarea,input,select {
background-color: #FDFBFB;
border: 1px solid #BBBBBB;
padding: 2px;
margin: 1px;
font-size: 14px;
color: #808080;
}

a, a:link, a:visited, a:active { color: #AAAAAA; text-decoration: none; font-size: 10px; }
a:hover { border-bottom: 1px dotted #c1c1c1; color: #AAAAAA; }
img {border: none;}
td { font-size: 14px; color: #7A7A7A; }
</style>
</head>

<body>

<div align="center">
<a href="$(link-login-only)?target=lv&amp;dst=$(link-orig-esc)">Latviski</a>
</div>
<div align="center">
<b><font size="4">mobile user</font></b></div>

<table width="100%" style="margin-top: 10%;">
<tr>
<td align="center" valign="middle">
<div style="color: #c1c1c1; font-size: 9px">Please log on to use the internet hotspot service<br />$(if trial == 'yes')Free trial available, <a style="color: #FF8080" href="$(link-login-only)?dst=$(link-orig-esc)&amp;username=T-$(mac-esc)">click here</a>.$(endif)</div><br />
<table width="280" height="280" style="border: 1px solid #cccccc; padding: 0px;" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="bottom" height="175" colspan="2">
<form name="login" action="$(link-login-only)" method="post"
$(if chap-id) onSubmit="return doLogin()" $(endif)>
<input type="hidden" name="dst" value="$(link-orig)" />
<input type="hidden" name="popup" value="true" />

<table width="100" style="background-color: #ffffff">
<tr><td align="right">login</td>
<td><input style="width: 80px" name="username" type="text" value="$(username)"/></td>
</tr>
<tr><td align="right">password</td>
<td><input style="width: 80px" name="password" type="password"/></td>
</tr>
<tr><td>&nbsp;</td>
<td><input type="submit" value="OK" /></td>
</tr>
</table>
</form>
</td>
</tr>
<tr><td align="center"><a href="http://www.mikrotik.com" target="_blank" style="border: none;"><img src="img/logobottom.png" alt="mikrotik" /></a></td></tr>
</table>

<br /><div style="color: #c1c1c1; font-size: 9px">Powered by MikroTik RouterOS</div>
$(if error)<br /><div style="color: #FF8080; font-size: 9px">$(error)</div>$(endif)
</td>
</tr>
</table>

<script type="text/javascript">
<!--
document.login.username.focus();
//-->
</script>
</body>
</html>

♦♦♦

3- otherlogin.html [standard login page for ALL]

otherlogin.html is the standard login.html page, i.e. the default Mikrotik login page. You can take your old default login.html and rename it to otherlogin.html.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>internet hotspot > login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<style type="text/css">
body {color: #737373; font-size: 10px; font-family: verdana;}

textarea,input,select {
background-color: #FDFBFB;
border: 1px solid #BBBBBB;
padding: 2px;
margin: 1px;
font-size: 14px;
color: #808080;
}

a, a:link, a:visited, a:active { color: #AAAAAA; text-decoration: none; font-size: 10px; }
a:hover { border-bottom: 1px dotted #c1c1c1; color: #AAAAAA; }
img {border: none;}
td { font-size: 14px; color: #7A7A7A; }
</style>
</head>

<body>

<div align="center">
<a href="$(link-login-only)?target=lv&amp;dst=$(link-orig-esc)">Latviski</a>
</div>
<div align="center">
<font size="4"><b>DESKTOP </b></font><b><font size="4">&nbsp;user</font></b></div>

<table width="100%" style="margin-top: 10%;">
<tr>
<td align="center" valign="middle">
<div style="color: #c1c1c1; font-size: 9px">Please log on to use the internet hotspot service<br />$(if trial == 'yes')Free trial available, <a style="color: #FF8080" href="$(link-login-only)?dst=$(link-orig-esc)&amp;username=T-$(mac-esc)">click here</a>.$(endif)</div><br />
<table width="280" height="280" style="border: 1px solid #cccccc; padding: 0px;" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="bottom" height="175" colspan="2">
<form name="login" action="$(link-login-only)" method="post"
$(if chap-id) onSubmit="return doLogin()" $(endif)>
<input type="hidden" name="dst" value="$(link-orig)" />
<input type="hidden" name="popup" value="true" />

<table width="100" style="background-color: #ffffff">
<tr><td align="right">login</td>
<td><input style="width: 80px" name="username" type="text" value="$(username)"/></td>
</tr>
<tr><td align="right">password</td>
<td><input style="width: 80px" name="password" type="password"/></td>
</tr>
<tr><td>&nbsp;</td>
<td><input type="submit" value="OK" /></td>
</tr>
</table>
</form>
</td>
</tr>
<tr><td align="center"><a href="http://www.mikrotik.com" target="_blank" style="border: none;"><img src="img/logobottom.png" alt="mikrotik" /></a></td></tr>
</table>

<br /><div style="color: #c1c1c1; font-size: 9px">Powered by MikroTik RouterOS/zaib</div>
$(if error)<br /><div style="color: #FF8080; font-size: 9px">$(error)</div>$(endif)
</td>
</tr>
</table>

<script type="text/javascript">
<!--
document.login.username.focus();
//-->
</script>
</body>
</html>

After the three files have been created, upload them to the Mikrotik Files > hotspot folder.

TEST DRIVE

First, from your mobile device try to connect to the web; you should see your mobilelogin.html page,
something like below:

[Screenshot: Mikrotik HOTSPOT Mobile User Login Page]

Now try to login from a DESKTOP PC, and you should see the otherlogin.html page.

[Screenshot: Mikrotik HOTSPOT Desktop User Login Page]

TIPS:

If a user is unable to login and you see the following error in the LOG window

login failed: password is not chap encrypted

then go to IP > Hotspot > Server Profiles, edit the relevant profile, go to the Login tab, uncheck HTTP CHAP and check HTTP PAP, then try again. The error appears because these custom pages do not carry the default page's md5.js/doLogin() script that computes the CHAP response, so the router receives the password as typed. Note that with HTTP PAP the password travels in clear text over the hotspot network, so if you have a certificate, enabling HTTPS login in the same profile is the safer choice.

Regards
Syed Jahanzaib

Display Maintenance Message To Users

Filed under: Mikrotik Related — Tags: , — Syed Jahanzaib / Pinochio~:) @ 8:57 AM

This is just a simple reference guide on how to display a maintenance notice page to clients when the main internet link is down. You can add many advanced functions to it, but I am sharing this method just to give you an idea of how it can be done. The result is that it can greatly reduce client calls to the help line during internet downtime.

As someone asked on FB, I decided to make it public so those who don't know about it get an idea of how simple it is to achieve. I implemented this technique at a local network which had a small number of clients on an unstable PTCL DSL connection. It helped the operator stay informed about the connectivity status via SMS (a GSM modem was attached to the Mikrotik and the netwatch script also sends an SMS to the operator about the link status).

The theory is simple. First create a NAT rule that redirects HTTP port 80 requests to your local/external proxy service, which denies all requests and redirects them to a local web server page showing the MAINTENANCE PAGE. Make sure to disable this rule right after creating it.

Now create a NETWATCH rule that keeps monitoring a reliable host on the internet, probably your ISP's DNS or Google DNS. If the link is down, the DOWN script is triggered, which enables the NAT rule so that all users are routed to the maintenance page; when the link comes back UP, the UP script disables the NAT rule and the internet starts working normally at the user end again.

Example:

First the NAT rule which actually redirects port 80 requests to the internet/external proxy server.
[Make sure the comment stays the same in the NAT rule and in the netwatch scripts, otherwise the script will not work.]

/ip firewall nat
add action=redirect chain=dstnat comment="Redirect to Proxy" disabled=yes dst-port=80 protocol=tcp to-ports=8080

Now ENABLE the web proxy, which will deny all users' port 80 requests and redirect them to the local web server page showing why the internet is not working. Since the proxy stays enabled permanently, make sure port 8080 is not reachable from the WAN side; the deny-all access rule stops it from being used as an open proxy, but a filter rule on the WAN interface is still good practice.

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=yes enabled=yes max-cache-size=unlimited max-client-connections=600 \
max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip proxy access
add action=deny disabled=no dst-port="" redirect-to=10.0.0.1/netdown.html

Now the netwatch entry, which keeps monitoring the internet and acts accordingly:

/tool netwatch
add disabled=no down-script=":log error \"ISP Link seems to be DOWN  , ENABLING  redirection to proxy so users will see mainteneace page / zaib\"\r\
\n/ip firewall nat enable [find comment=\"Redirect to Proxy\"]" host=8.8.8.8 interval=5s timeout=1s up-script=":log error \"ISP Link seems to be UP again , Disa\
bling redirection to proxy so users internet will start work again. / zaib\"\r\
\n/ip firewall nat disable [find comment=\"Redirect to Proxy\"]\r\
\n"

Result [when the internet link is down]:

[Screenshots: rule.png, linkdown-client]

You can achieve the same task more elegantly and in a more controlled way by using SCRIPTS for various functions such as frequency control, pinging multiple hosts instead of a single destination, acting on latency/load results, email / SMS functions, and much more.
As someone said:

Quote:

" SKY  IS  THE  ONLY  LIMIT "
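The netwatch entry above pings one host every 5 s with a 1 s timeout, so a single lost reply enables the redirect and the next reply disables it again. As an added example (not the blog's configuration), the following Python models a multi-host monitor with hysteresis that decides when to run the two `/ip firewall nat enable|disable` commands; the probe results and the extra hosts are constructed, and delivering the commands to the router over the API is assumed rather than implemented.

```python
"""Added example: multi-host link monitor with hysteresis for the maintenance-page
switch.  Not the blog's configuration; probe results are injected so it runs offline.
Pushing the RouterOS commands to the router (API/SSH) is assumed, not implemented."""

# RouterOS commands the blog's netwatch scripts run; here only returned, never executed.
ROUTEROS_ACTIONS = {
    "enable-redirect": '/ip firewall nat enable [find comment="Redirect to Proxy"]',
    "disable-redirect": '/ip firewall nat disable [find comment="Redirect to Proxy"]',
}


class LinkMonitor:
    """Declare the link DOWN only after `down_after` consecutive failed rounds and
    UP again only after `up_after` consecutive good rounds.  A round passes when at
    least `quorum` of the probe hosts replied, so one unreachable DNS server does
    not flip every client onto the maintenance page."""

    def __init__(self, hosts, down_after=3, up_after=2, quorum=0.5):
        self.hosts = list(hosts)
        self.down_after = down_after
        self.up_after = up_after
        self.quorum = quorum
        self.link_up = True
        self.bad_rounds = 0
        self.good_rounds = 0

    def round_ok(self, replies):
        """replies: {host: True if it answered the ping in this round}."""
        answered = sum(1 for h in self.hosts if replies.get(h, False))
        return answered >= self.quorum * len(self.hosts)

    def update(self, replies):
        """Feed one probe round; return the action to take, or None if nothing changes."""
        if self.round_ok(replies):
            self.good_rounds += 1
            self.bad_rounds = 0
        else:
            self.bad_rounds += 1
            self.good_rounds = 0
        if self.link_up and self.bad_rounds >= self.down_after:
            self.link_up = False
            return "enable-redirect"
        if not self.link_up and self.good_rounds >= self.up_after:
            self.link_up = True
            return "disable-redirect"
        return None


def simulate(monitor, rounds):
    """Run a sequence of probe rounds and return the action decided after each one."""
    return [monitor.update(r) for r in rounds]


HOSTS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]  # 8.8.8.8 from the blog; the others are assumed
ALL_UP = {h: True for h in HOSTS}
ALL_DOWN = {h: False for h in HOSTS}
ONE_DOWN = dict(ALL_UP, **{"8.8.8.8": False})

# Constructed probe history: a single lost reply, then a real outage, then recovery.
ROUNDS = [ALL_UP, ONE_DOWN, ALL_DOWN, ALL_DOWN, ALL_DOWN, ALL_DOWN, ALL_UP, ALL_UP]

if __name__ == "__main__":
    for i, action in enumerate(simulate(LinkMonitor(HOSTS), ROUNDS), 1):
        print(i, action or "-", ROUTEROS_ACTIONS.get(action, ""))
    # Single host, no hysteresis: the blog's netwatch behaviour, which flaps on one lost ping.
    print(simulate(LinkMonitor(["8.8.8.8"], down_after=1, up_after=1, quorum=1.0),
                   [{"8.8.8.8": False}, {"8.8.8.8": True}]))
```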

Regards
Syed Jahanzaib

March 7, 2014

Blocking Client ROUTER Access

Filed under: Mikrotik Related — Tags: , — Syed Jahanzaib / Pinochio~:) @ 4:21 PM

[Screenshot: ttl]

As requested by a virtual friend, who has a small network in a rural area with a low amount of bandwidth: he wanted to block access for clients who use a WIFI / client ROUTER and share the connection with other members, because of which the operator is losing ‘POTENTIAL’ customers. The following trick worked like a charm to block client router access.

At your main router, add the following rule:

/ip firewall mangle
add action=change-ttl chain=forward comment="Block Client NAT/Router  / zaib" disabled=no out-interface=LAN new-ttl=set:1 passthrough=no

The above rule sets the TTL of every packet leaving toward the clients to 1 (new-ttl=set:1, applied on the LAN-facing side so that the packet arrives at the client with TTL 1). A PC connected directly accepts such a packet, so a normal client keeps working; a client router, however, must decrement the TTL before forwarding, which would make it 0, so it drops the packet and nothing behind that router receives it.

[Screenshot: block client router]

DISCLAIMER:
Do remember one point: the above method is not 100%. There is always a workaround for just about anything; no security measure is 100% foolproof.
If the client uses a Mikrotik router, he can create another mangle rule which increments the TTL value, and then the above restriction becomes useless. Something like the following:

/ip firewall mangle add action=change-ttl chain=prerouting in-interface=WAN new-ttl=increment:1

lolz

But you can create a script that keeps track of other Mikrotik boxes on your network via the Mikrotik discovery protocol, as only very few admins secure their Mikrotik router fully by blocking discovery, changing the default Winbox port, blocking all access on the WAN port, etc.
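To make the TTL mechanics concrete, here is an added Python example (not the blog's code): it models what the set:1 rule and the increment:1 workaround do to a packet, and shows how an operator can flag a client router passively from the TTLs seen on the LAN port, which works for any client device and not only for boxes that answer Mikrotik discovery. The initial-TTL table and the packet samples are assumptions/constructed, and the verdict is a heuristic, since a client can rewrite TTLs as shown above.

```python
"""Added example: model the TTL trick and passively flag client routers.
Not the blog's own code; INITIAL_TTLS and SAMPLES are assumptions/constructed data."""
from collections import defaultdict


def reaches_client(ttl_on_wire, router_hops, client_increment=0):
    """Does a packet sent toward the client with TTL `ttl_on_wire` survive
    `router_hops` intermediate routers?  Every router decrements the TTL and
    discards the packet when it would reach 0; the final host accepts any TTL >= 1.
    `client_increment` models a client-side "new-ttl=increment:N" mangle rule."""
    ttl = ttl_on_wire
    for _ in range(router_hops):
        ttl = ttl + client_increment - 1  # client bump (if any), then the normal decrement
        if ttl <= 0:
            return False  # dropped by that router with ICMP time exceeded
    return True


# Common initial TTLs set by end-host operating systems (assumption: typical defaults).
INITIAL_TTLS = (32, 64, 128, 255)


def hops_from_ttl(ttl):
    """Estimate how many routers a packet crossed: the gap between the observed TTL
    and the nearest initial value at or above it."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL above 255: %r" % ttl)


def classify_clients(samples, expected_hops=0):
    """samples: (client_ip, ttl) pairs captured on the main router's LAN port.
    expected_hops: routers legitimately between the client and the capture point
    (0 on a flat LAN).  A client is 'behind-router' when its packets show extra hops
    or mix several initial-TTL families (different OSes sharing one address)."""
    initial_seen = defaultdict(set)
    extra_hops = defaultdict(set)
    for ip, ttl in samples:
        hops = hops_from_ttl(ttl)
        initial_seen[ip].add(ttl + hops)  # recover the sender's initial TTL
        extra_hops[ip].add(hops - expected_hops)
    verdict = {}
    for ip in initial_seen:
        shared = len(initial_seen[ip]) > 1 or max(extra_hops[ip]) > 0
        verdict[ip] = "behind-router" if shared else "direct"
    return verdict


# Constructed samples: (client address, TTL as seen on the LAN interface).
SAMPLES = [
    ("10.0.0.11", 128), ("10.0.0.11", 128),  # Windows PC connected directly
    ("10.0.0.12", 127), ("10.0.0.12", 127),  # one extra hop: a NAT router in between
    ("10.0.0.13", 64), ("10.0.0.13", 127),   # Linux and Windows hosts behind one address
    ("10.0.0.14", 64),                       # Linux PC connected directly
]

if __name__ == "__main__":
    print("set:1, direct PC      ->", reaches_client(1, 0))
    print("set:1, client router  ->", reaches_client(1, 1))
    print("set:1, router with +1 ->", reaches_client(1, 1, client_increment=1))
    for ip, verdict in sorted(classify_clients(SAMPLES).items()):
        print(ip, verdict)
```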

Happy Fire-walling !!! Jz

Personally I am not in favour of imposing harsh restrictions on clients except for bandwidth or quota, but since Mikrotik is capable of creating solutions out of the box, this is just one tiny example ;)

Regards
Syed Jahanzaib

March 4, 2014

IBM Lotus Domino Fix Packs Upgrade Error

Filed under: IBM Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 9:20 AM

A few days back I was upgrading Lotus Domino 8.5.3 Fix Pack 4 to Fix Pack 6, and during the upgrade I encountered the following error:

[Screenshot: lotus-upgrade-error]

To solve it, make sure that

  • Lotus DOMINO is stopped by using the QUIT command in the Domino console,
  • the Lotus services are STOPPED in Services before running the upgrade package,
  • any Lotus CONSOLE is closed.
    [I forgot to close the console, which resulted in the wastage of 15 precious minutes on a live production server; anyway, this is how you learn things in real life.]

http://www-10.lotus.com/ldd%5Cfixlist.nsf/WhatsNew/2ca7aa993e50ba8285257c1d006472bd?OpenDocument

8.5.3 Fix Pack 6 Preliminary Fix List descriptions:

Client

  • SPR# TSHI8SD538(LO68047) – Fixed an intermittent Notes client crash when opening a corrupted Notes document.
  • +SPR# MLAT99RKAG(LO76668) – Improved javascript disablement and disabled for HTML Email messages (body field and memo form) only. This regression was introduced in 8.5.3 FP5.
  • SPR# ACHG8STC6T(LO68380) – Fixes intermittent Notes Client crash when the user hits “send” on a large email (also the email is lost).
  • SPR# MCHZ8R4HPK(LO67040) – “Search Directory For” results in Typeahead are displayed in Alphabetical Order. (technote 1580001)

Server

  • SPR# KBRN8Q6JXC(LO71360) – Performance and reliability fix to network session code. Prior to this fix, many users accessing a Domino server simultaneously could cause a performance bottleneck resulting in slow server response or timeouts attempting to connect to the server. The error ‘Unable to redirect failover from <SERVERNAME>’ could also appear where SERVERNAME is the same name of the server encountering the issue.
  • SPR# JPAI94HR3N(LO75003) – Fixes potential deadlock on process startup between LkMgr locker and semaphore locker(Directory manager queue semaphore). (technote 1644240)
  • SPR# MYAA8LV385(LO64012) – Fixes an issue where an incorrect warning for a database over quota threshold could be generated.
  • +SPR# RMAA94WKMG(LO73956) – Fixes intermittent Domino Server crash when closing a database. This regression was introduced in 8.5.2. (technote 1644232)
  • SPR# VPRS8YBRZ6(LO71728) – Fixes Domino Server mail relay host crash on router on Jonah::asn_sorted::encode_value
  • +SPR# AJMO8NVM8F(LO66491) – Prevent Directory Assistance on Domino 64-bit servers from doing unnecessary search references and referrals which were leading to “81” LDAP timeout errors. This regression was introduced in 8.5.
  • SPR# JPMS8KZLLC(LO63217) – Fixes Domino Server crash during database cache maintenance with PANIC: ERROR – LockMemHandle() Handle 0xF0259F47 is not allocated
  • SPR# PPET98CPBN(LO7562) – Security enhancement to scrub query strings causing search to fail; work around is to add the following notes.ini: HTTP_QUERY_STRING_SCRUB=0. This fix changes the default to be off instead of being on and adds new code to prevent security X-Site script attacks against search urls.
  • SPR# AJAS8WSB9B(LO70861) – Prior to this fix multiple “Received” headers could be overwritten by one when retrieving e-Mails with IMAP client.
  • SPR# KHAN87ZUTS(LO55991) – Prevents excessive InsertPermutations recursion that can lead to a Domino Server crash. The new notes.ini variable MAX_PERMUTE_RECURSE=<number>, where <number> limits the number of hierarchical responses that can be added to a given collection, is recommended to be set to 200. (technote 1600317)
  • +SPR# PHEY8UDJYW(LO65911) – Fixes ACL corruption with: “ACL Corrupt in database <Database_Name> creating new ACL with default set to no access”. Now we block unintended deletion of ACL Note that would leave to a DB set to no access. This was a regression introduced in 8.5.3.

iNotes

  • SPR# WRAY8QKLTQ(LO66604) – Fixed issue where when opening messages in iNotes Ultra Light Mode, that have mixed case mail file names specified in the URL, the mail message fails to open.
  • SPR# KRAU8Y2MX6(LO71593) – Fixes issue where the iNotes UI window shrinks to a small size when the iNotes UI is resized several times.
  • SPR# HKOA7T4DN5(LO49113) – Notes web: Fixed an issue where the web browser could hang if a window is resized to or from a very small size.
  • SPR# PTHN96NRTP(LO45468) – Notes web: Fixed an issue where the unread count on a folder is not updated automatically when new messages were transferred into it via a mail rule. Clicking on the folder or using F5 to refresh would update the count.
  • +SPR# HSKM8TN39T(LO68949) – Fixed problem which caused a custom sized table to be inserted in the wrong place in the Rich Text Editor. This is a regression in 8.5.3.

Regards
Syed Jahanzaib

February 28, 2014

Radius Manager 4.1 Patch5 Deployment

Filed under: Radius Manager — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 11:11 AM

[Screenshot: dma415]

DMASOFTLAB released patch 5 for Radius Manager 4.1 version. [Release Date: 10 Feb, 2014]

FIXES, IMPROVEMENTS:

-default service (srvid 0) find users issue problem fixed
-verification code and mobile number fixed in ACP / edit user
-invalid menu.css reference removed (buyiasmain_tpl.htm, adminmainblank_tpl.htm)
-traffic summary per NAS issue fixed
-connection allowed bug fixed
-multiple email address problem fixed in edit and new user forms
-privileged sim-use edit problem fixed
-enhanced syslog alerts [Helped a lot in troubleshooting now]
-swapped SMS / email alerts fixed (ACP / edit user)
-self registration welcome SMS / email issue fixed
-upon user removal accounting details are also deleted from rm_radacct
-duplicate batch billing problem fixed
-auto renewal uses unit fields instead of initial fields
-expired online time yellow color problem fixed in ACP / List users view
-password recovery updates radcheck for regular users only
-hotspot MAC account password change problem fixed (UCP)
-corrected user name in password recovery email
-bulk SMS custom tag issue fixed
-convert card prefixes to lower case in radcheck
-self registration displays user name, password
-zero gigawords issue fixed with a non Mikrotik NAS
-search users leading and trailing space issue fixed
-SMS, email expiry alerts issue fixed
-grace period account disable bug fixed
-negative deposit addition problem fixed [Good news for Alex]
-IAS duplicate mobile number problem fixed
-card generator issue fixed (PIN length > 10)
-next service issue fixed **** This bug was quite annoying and wasted many hours in useless troubleshoot :( Jz
-properly logout grace period expired users
-rmauth IAS and card setup crash fixed
-increased CTS logging capacity (rmconntrack DELAY_KEY_WRITE option)

DEPLOYMENT:

Deployment is fairly simple.
First download radiusmanager-4.1-cumulative_patch.tgz and extract it in any temp folder:

mkdir /temp
cd /temp
wget http://wifismartzone.com/files/rm_related/radiusmanager-4.1-cumulative_patch.tgz
tar zxvf /temp/radiusmanager-4.1-cumulative_patch.tgz
cd radiusmanager-4.1-cumulative_patch/
ls

You may see following contents

root@rm:/temp/radiusmanager-4.1-cumulative_patch# ls
bin  raddb  readme.txt  www

1. Copy the PHP files to the /var/www/html/radiusmanager (Fedora) or /var/www/radiusmanager [Debian, Oh yeah, That's my Boy ;)] directory.

For Ubuntu / Debian
cp -vrf www/radiusmanager/* /var/www/radiusmanager

For Fedora
cp -vrf www/radiusmanager/* /var/www/html/radiusmanager

2. Chmod all binaries to 755:

chmod 755 bin/rm*

3. Stop rmpoller and copy the binaries to /usr/local/bin directory, overwriting the old versions.

service rmpoller stop
cp bin/* /usr/local/bin

4. Copy acct_users to /usr/local/etc/raddb directory.

cp raddb/acct_users /usr/local/etc/raddb

5. Change permission of acct_users by chmod:

chmod 640 /usr/local/etc/raddb/acct_users
chown root.root /usr/local/etc/raddb/acct_users

6. Start rmpoller again (it was stopped in step 3) and restart radiusd

service rmpoller start
service radiusd restart

Now re-login to the ACP, and hopefully you will see 4.1.5 :D
as shown in the image below:

[Screenshot: dma415]

Regards
Syed Jahanzaib

February 25, 2014

Mikrotik Script to Export PPP users to USER MANAGER

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 10:46 AM

As requested, following is a quick and dirty way to export Mikrotik local PPP (PPPoE) users to USER MANAGER with the same profile assigned as in the local profile section. I used the word dirty because there is no officially supported method that does this with a single CLI command or one GUI window.

Consider the following scenario:

Mikrotik is configured as a PPPoE server and has two profiles named 512k and 1mb and 6 users in the PPP section,
as shown in the images below:

[Screenshots: 2-mt-profile, 3-users-mt]

Our task is to migrate all local PPP users to USERMAN with a minimum of manual work.

First open User Manager and configure/add the NAS, so that Mikrotik can communicate with UserMAN and vice versa.

Now add the same profiles in User Manager as are present in the local Mikrotik PPP section.
[This task can be done via CLI too; an example is at the end.]
As shown in the image below:

[Screenshot: 1b-userman-profiles]

Now, as far as my dumb mind goes, I couldn't find a way to assign a profile to a user via the /tool user-manager menu, so to overcome this I first created two users with the same name and ID as the profiles.

For example, if the profile name is 512k, create a user named "512k"; it will be used as a master copy for cloning :D
As shown in the image below:

[Screenshot: 1-userman]

The Userman section is done; moving on to the Mikrotik section...

Go to System > Scripts, add a new script and use the following code:

# PPP Export to USERMAN SCRIPT START
:log error "Make sure you have usermanager configured properly and created same profile names with same user name (master users for cloning) in USERMAN / Jz"

# Loop over every entry in /ppp secret and fetch the user details
# (the secret's login name is the "name" property, there is no "username" property)
/ppp secret
:foreach i in=[find] do={
  :local name [get $i name]
  :local pass [get $i password]
  :local profile [get $i profile]
  :local comment [get $i comment]

  # Print the user details to the log for record purposes.
  # Note: this writes the clear-text password into the router log; drop $pass from
  # the message once the export has been verified.
  :log warning "Fetching USER details from /ppp secret section , Found $name $pass $profile $comment for EXPORT"

  # Create the user in User Manager, cloning the master user that carries the profile name
  /tool user-manager user add name=$name password=$pass customer=admin copy-from=$profile comment=$comment
}
:log error "DONE. Script END. Now logout from USERMAN and RE login and check users section"

# Script End.

The result will be something like the image below:

[Screenshot: 4-log]

Now log out from User Manager, log in again and check the USERS section again :)
The result will be something like the image below:

[Screenshot: 5-user-end]

This is just an example; you can do much more by adding various functions or variables/constraints to the script :)

Example of CLI-based profile addition:

/tool user-manager profile
add name=512k name-for-users="512k Package" override-shared-users=off owner=admin \
price=500 starts-at=logon validity=4w2d
add name=1mb name-for-users=1mb override-shared-users=off owner=admin price=500 \
starts-at=logon validity=4w2d

/tool user-manager profile limitation
add address-list="" download-limit=0B group-name="" ip-pool="" name=512k \
rate-limit-min-rx=524288B rate-limit-min-tx=524288B rate-limit-rx=524288B \
rate-limit-tx=524288B transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=1mb \
rate-limit-min-rx=1048576B rate-limit-min-tx=1048576B rate-limit-rx=1048576B \
rate-limit-tx=1048576B transfer-limit=0B upload-limit=0B uptime-limit=0s

/tool user-manager profile profile-limitation
add from-time=0s limitation=512k profile=512k till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=1mb profile=1mb till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday


Remember ….

Sky is the only limit …

Regards
Syed Jahanzaib

February 13, 2014

Quick Note on Winbox Save Password Security Issue.

Filed under: Mikrotik Related — Tags: , — Syed Jahanzaib / Pinochio~:) @ 11:47 AM

I know it's not recommended to save the password in Mikrotik WINBOX (passwords are stored in clear text in winbox.cfg in the local PC user profile), but we HUMANS love being lazy, or with a weak memory sometimes prefer to save the password on the management PC, and sometimes this PC is also shared with other co-admins/colleagues due to lack of resources :p

In my opinion it could be an annoying backdoor / password leak issue in WINBOX.

[Screenshot: winbox-security-issue]

Mikrotik developers should really focus on this area and encrypt the stored password with a strong algorithm. I used it a few months back on a friend's admin PC to fetch the ID and password with all details, as shown in the image. Just imagine what would happen if it fell into the wrong hands...

Reference: http://forum.mikrotik.com/viewtopic.php?f=2&t=81816

Regards
Syed Jahanzaib

February 11, 2014

Blocking http/https Facebook via automated address-list

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 9:18 AM

Recently I was working at a remote network in GHANA where a hotspot was deployed for school students, and it was school policy to have a central filter policy blocking adult web sites and Facebook. Blocking adult web sites was easy using OpenDNS and forcing the users' DNS traffic through it, but blocking Facebook was a bit tricky as it uses HTTPS and the web proxy cannot filter secure traffic. In the past I used a few methods to block Facebook (or similar sites), like content / L7 filtering, but personally I prefer an address-list of the FB servers' IP addresses built by an automated script. This way I have more control over the block policy.

The script below (which can be scheduled to run every 5 minutes, hourly or as required) builds an address list, and a filter rule then blocks requests going to that address list.

First create the script which picks the facebook.com entries out of the DNS cache and adds them to the “facebook_dns_ips” address list.
Save it under System > Scripts with the name facebook-list (the scheduler below refers to it by that name); you can also paste it into a terminal to run it once.

1) SCRIPT:

# Script to add Facebook DNS IP addresses
# Syed Jahanzaib / aacable@hotmail.com
# Script Source: N/A / GOOGLE : )

:log warning "Script Started ... Adding Facebook DNS ip's to address list name facebook_dns_ips"
# Walk through every entry in the DNS cache
:foreach i in=[/ip dns cache find] do={
  :local cacheName [/ip dns cache get $i name]
  # :find returns nil when the substring is absent, so test the type instead of
  # comparing with 0 (a name that starts with "facebook" gives position 0)
  :if ([:typeof [:find $cacheName "facebook"]] != "nil") do={
    :local tmpAddress [/ip dns cache get $i address]
    :put $tmpAddress
    # add the address only if it is not already in OUR list (other lists are ignored)
    :if ([:len [/ip firewall address-list find list=facebook_dns_ips address=$tmpAddress]] = 0) do={
      :log info ("added entry: $cacheName IP $tmpAddress")
      /ip firewall address-list add address=$tmpAddress list=facebook_dns_ips comment=$cacheName
    }
  }
}
# FB DNS IP ADD Script Ended ...


2) SCHEDULER:

Schedule the script to run every 5 minutes (or hourly):

/system scheduler
add disabled=no interval=5m name=fb-script-run-schedule on-event=facebook-list policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-date=feb/11/2014 start-time=00:00:00

3) FILTER RULE:

Now create a FIREWALL FILTER rule which will actually DROP requests going to the facebook_dns_ips address list.
[Make sure to move this rule to the TOP, or before any general accept rule in the filter section.]

/ip firewall filter
add action=drop chain=forward comment="Filter Rule to block FB adress LIST : )" disabled=no dst-address-list=facebook_dns_ips

Now try to access Facebook. It will open as usual, but as soon as the script runs, an address list with the FB IP addresses is created and access to them is blocked,
as shown in the images below:

[Screenshots: fb-script-address, filter-rule]

TIME-BASED FILTER RULE

You can also use this technique to block FB only at specific times. For example, to block access to FB from 9am to 10am, use the following filter rule:

/ip firewall filter
add action=drop chain=forward comment="Filter Rule to block FB address LIST : )" disabled=no dst-address-list=facebook_dns_ips time=9h-10h,sun,mon,tue,wed,thu,fri,sat


Force / Redirect users to use your DNS

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=udp dst-port=53

Regards
Syed Jahanzaib

February 10, 2014

Hotspot User Change Password FORM for ‘User Self Management’

Filed under: Mikrotik Related — Tags: , — Syed Jahanzaib / Pinochio~:) @ 11:18 AM

How to provide Mikrotik Hotspot Users an option to change there password using any form or web page?

The simple answer is to configure USER MANAGER and provide User Panel which is very nice and informative, it also allows users to change there password too, but what if you don’t want to install User Manager, or what if user also change his information via the user panel which you don’t want them to ?? since mikrotik source code is not public so we cannot hide that option (as far as in my limited knowledge) . Using the form base technique you can simply give them a web page from where they can simply change there password when required.

You can also add more functions to this page; for example, it can send an email or add an entry to a log file so that the admin knows at what time the last password change took place, or other functions as required.

This is a simple password change form for hotspot users. After they have logged in to the hotspot, they can change their own password using this simple form.

REQUIREMENTS:

- Linux-based system (I used UBUNTU, but you can use any flavor of your own choice)
- Apache / PHP 5.x / PEAR2 library

Also make sure you have enabled the API service in MIKROTIK
/ IP > Services
As shown in the image below …

LINUX SECTION

First update your Ubuntu package lists (if they are not already up to date on a fresh installation)

apt-get update

Now Install Apache Web Server with PHP5

apt-get install apache2 php5

Don't forget to restart the apache2 service; otherwise, when you try to open the password change form, the browser will ask you to save the file instead of opening it :D

service apache2 restart

Now we have to download the PEAR2 support library so that the RouterOS functions can be performed via the web.
Go to your web folder, download the pear2 library, and extract it

cd /var/www
wget http://wifismartzone.com/files/linux_related/pear2.tar.gz
tar zxvf pear2.tar.gz

OK, now it's time to create the change password page so that users can access it; you can also link it from your status page for the users' convenience.

touch /var/www/changepass.php
nano /var/www/changepass.php

and paste the following code.
{Make sure to change the IP address of Mikrotik and its admin ID / password}

<?php
use PEAR2\Net\RouterOS;
require_once 'PEAR2/Autoload.php';

$errors = array();

try {
    // Adjust RouterOS IP, username and password accordingly.
    $client = new RouterOS\Client('192.168.30.10', 'admin', 'admin');

    // Find the hotspot session of the visitor's own IP address to learn the username.
    $printRequest = new RouterOS\Request(
        '/ip hotspot active print',
        RouterOS\Query::where('address', $_SERVER['REMOTE_ADDR'])
    );
    $hotspotUsername = $client->sendSync($printRequest)->getArgument('user');
} catch (Exception $e) {
    $errors[] = $e->getMessage();
}

if (isset($_POST['password']) && isset($_POST['password2'])) {
    if ($_POST['password'] !== $_POST['password2']) {
        $errors[] = 'Passwords do not match.';
    } elseif ($_POST['password'] === '') {
        $errors[] = 'The new password must not be empty.';
    } elseif (!isset($hotspotUsername)) {
        $errors[] = 'No active hotspot session was found for your address.';
    } elseif (empty($errors)) {
        // Here's the fun part - actually changing the password of the logged-in user only.
        try {
            $setRequest = new RouterOS\Request('/ip hotspot user set');
            $client($setRequest
                ->setArgument('numbers', $hotspotUsername)
                ->setArgument('password', $_POST['password'])
            );
        } catch (Exception $e) {
            $errors[] = $e->getMessage();
        }
    }
}

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Change your hotspot password sample page in PHP / Syed Jahanzaib.PK-KHI</title>
        <style type="text/css">
            #errors {background-color:darkred;color:white;}
            #success {background-color:darkgreen;color:white;}
        </style>
    </head>
    <body>
        <div>
            <?php if (!isset($hotspotUsername)) { ?>
            <p>No active hotspot session was found for your address. Please log in to the hotspot first.</p>
            <?php } else { ?>
            <h3>
            <pre><span style="color: blue">PA</span><span style="color: red">KI</span><span style="color: purple">ST</span><span style="color: orange">AN</span> <span style="color: green">ZINDABAD</span> ...JZ!!</pre>
            </h3>
            <h2>
            <br>HOTSPOT ... Sample password change FORM <br><br>
            You are currently logged in as "<?php
                    // Escape the value before printing it into the page.
                    echo htmlspecialchars($hotspotUsername, ENT_QUOTES, 'UTF-8');
                ?>"</h2>

            <?php if (!empty($errors)) { ?>
            <div id="errors"><ul>
                <?php foreach ($errors as $error) { ?>
                <li><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></li>
                <?php } ?>
            </ul></div>
            <?php } elseif (isset($_POST['password'])) { ?>
            <div id="success">Your password has been changed.</div>
            <?php } ?>

            <form action="" method="post">
                <ul>
                    <li>
                        <label for="password">New password:</label>
                        <input type="password" id="password" name="password" value="" />
                    </li>
                    <li>
                        <label for="password2">Confirm new password:</label>
                        <input type="password" id="password2" name="password2" value="" />
                    </li>
                    <li>
                        <input type="submit" id="act" name="act" value="Change password" />
                    </li>
                </ul>
            </form>
            <?php } ?>
        </div>
    </body>
</html>

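Added example (not the post's code and not the PEAR2 library): the RouterOS API sentences that the PHP page above makes the client send to the API service on TCP port 8728, framed as the protocol puts them on the wire. It is useful for seeing that with the plain api service (as opposed to api-ssl) the admin login and the new hotspot password travel in clear text between the web server and the router. Usernames, addresses and passwords below are constructed sample values.

```python
def encode_length(n):
    """Variable-length, big-endian word-length prefix of the RouterOS API."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xf0" + n.to_bytes(4, "big")

def encode_sentence(words):
    """A sentence is a run of length-prefixed words ended by an empty word."""
    out = b""
    for w in words:
        data = w.encode("utf-8")
        out += encode_length(len(data)) + data
    return out + b"\x00"

def decode_sentence(buf):
    """Inverse of encode_sentence: the words of the first sentence in buf."""
    words, pos = [], 0
    while True:
        first = buf[pos]
        if first < 0x80:
            n, size = first, 1
        elif first < 0xC0:
            n, size = int.from_bytes(buf[pos:pos + 2], "big") & 0x3FFF, 2
        elif first < 0xE0:
            n, size = int.from_bytes(buf[pos:pos + 3], "big") & 0x1FFFFF, 3
        elif first < 0xF0:
            n, size = int.from_bytes(buf[pos:pos + 4], "big") & 0x0FFFFFFF, 4
        else:
            n, size = int.from_bytes(buf[pos + 1:pos + 5], "big"), 5
        pos += size
        if n == 0:
            return words
        words.append(buf[pos:pos + n].decode("utf-8"))
        pos += n

def active_user_query(client_ip):
    """What '/ip hotspot active print' with Query::where('address', ...) sends."""
    return ["/ip/hotspot/active/print", "?address=" + client_ip]

def set_password_command(username, new_password):
    """What '/ip hotspot user set numbers=<user> password=<new>' sends; the new
    password is an ordinary attribute word, unencrypted unless api-ssl is used."""
    return ["/ip/hotspot/user/set", "=numbers=" + username, "=password=" + new_password]
```

Running encode_sentence(set_password_command("bob", "NewPass2014")) gives the exact bytes a packet capture on the web-server-to-router path would show, which is the reason to prefer api-ssl, or at least to keep that path on a trusted management network.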
Now, once the user has logged in to the hotspot, he can access the page as below.

http://192.168.30.50/changepass.php

As shown in the image below …


Credits and legal stuff

Author: Vasil Rangelov, a.k.a. boen_robot (boen [dot] robot [at] gmail [dot] com)

Regard’s
Syed Jahanzaib
