Syed Jahanzaib Personal Blog to Share Knowledge !

November 28, 2019

Virtualization: Quick Notes for myself

Filed under: VMware Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 10:20 AM

vmware esxi

ESXI Server: ‘SEL Fullness’ message

Recently after upgrading ESXI from 6.5 to 6.7u3 on Lenovo (IBM) x3650 M5 machine, I received following error on vsphere web client

System Management Software 1 SEL Fullness: Log almost full

In vSphere 6.7 , Navigate to following and reset event log

Monitor > Tasks and Events > Hardware Health > SYSTEM EVENT LOG > RESET EVENT LOG

Updating ESXI 6.5 to 6.7u3 from the CLI

Recently I did some major updates in our virtual infrastructure including ESXi (ver 6.5.0, 10719125) ,  Vcenter & Veeam ( . Things were updated in following order

  • Veeam B&R upgraded to ver
  • Vcenter upgraded to ver
  • ESXI hosts upgraded to ver 6.5.0, 10719125

For ESXI update from 6.5 to 6.7u3. In the past I always use Installer CD/USB to upgrade from older esxi to new version, but for this approach, I have to compromise on my holidays or sit very late in office. This time time I took another approach and upgraded all the esxi hosts one by one on sundays remotely from the home using offline bundle installer & esxi CLI method. This is how I accomplished it.

I first downloaded the 6.7 update offline bundle from the Lenovo site (since we have all the IBM/Lenovo brand servers therefore I selected this option to avoid any hardware driver issue).

Afterwards I uploaded this offline bundle zip file to Esxi datastore, then logged in to esxi host via SSH, and issued

esxcli software vib install -d /vmfs/volumes/5d0cf64f-a83e7c86-6a4d-40f2e922c64a/

Note: make sure to change datastore and filename as required.

It took few minutes, once I saw SUCCESS message, I completed the process by simply rebooted the ESXI host by cmd


Better approach is to update rather than install

esxcli software vib update -d /vmfs/volumes/5d0cf64f-a83e7c86-6a4d-40f2e922c64a/

Difference between VIB update and VIB install

Excerpt from “”

To install or update a .zip file, use the -d option. To install or update a .vib file use the -v option.

Using the update command is the recommended method for patch application. Using this command applies all of the newer contents in a patch, including all security fixes. Contents of the patch that are a lower revision than the existing packages on the system are not applied.

Using the install command overwrites the existing packages in the system with contents of the patch you are installing, including installing new packages and removing old packages. The install command may downgrade packages on the system and should be used with caution. If required, the install command can be used to downgrade a system (only for image profiles) when the –allow-downgrade flag is set.

The install method has the possibility of overwriting existing drivers. If you are using 3rd party ESXi images, VMware recommends using the update method to prevent an unbootable state.

Check esxi version from CLI

esxcli system version get
Product : VMware ESXi
Version : 6.7.0
Build : Releasebuild-14320388
Update : 3
Patch : 73<span style="color:var(--color-text);">

Will update more

Syed Jahanzaib

November 26, 2019

Assigning friendly/fix name to USB device

Filed under: Linux Related — Tags: , , , , , , — Syed Jahanzaib / Pinochio~:) @ 9:34 AM


Teltonika Usb Modem

Teltonika Usb Modem


We have Teltonika USB modem connected to our Linux box (Ubuntu) & Kannel is configured as SMS gateway for our network devices so that they can send Info/Alert SMS incase of any failure via HTTP method.

/dev/ttyACM0 is default port name on which this modem is detected by default BUT it happens Often that when the Linux box reboots, modem is detected on different port name like ttyACM1 which result in failure of kannel modem detection as the name is hardcoded in /etc/kannel/kannel.conf

To settle this issue, we fixed the USB device with our customized name , and in kannel we used this fixed name which sorted the modem port name change issue.


Run following CMD

udevadm info -a -p $(udevadm info -q path -n /dev/ttyACM1)

& look for following attributes & note down both

  • idVendor
  • idProduct


now Edit or create new file in /etc/udev by

nano /etc/udev/rules.d/99-usb-serial.rules

& paste following

SUBSYSTEM=="tty", ATTRS{idVendor}=="1d12", ATTRS{idProduct}=="3e11", SYMLINK+="gsm"

Make sure to change the idVendor & idProduct numbers that you noted in step #1.

Save & Exit.

Now issue below CMD to reload udev rules

sudo udevadm trigger

if all goes well, then look for your new device name gsm in /dev folder

ls -l /dev/gsm

Ok result would be similar to this

lrwxrwxrwx 1 root root 7 Nov 26 09:04 /dev/gsm -> ttyACM1

Syed Jahanzaib


November 23, 2019

DMASOFTLAB Radius Manager – Adding custom attribute to facilitate Dynamic address list on Mikrotik

Filed under: Mikrotik Related, Radius Manager — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 3:04 PM

Quick Recipe: If you are using DMA Radius Manager & want to assign Dynamic Address list to a service so that user can automatically be added to dynamic address list under NAS, you can do so by using custom RADIUS attributesunder services section

  • Login to Admin Panel
  • Goto Services
  • Click on your desired service example 4mb
  • Under `Custom RADIUS attributes` , add below attribute
Mikrotik-Address-List := 4mb

adding attribute in radius manager service

Save , & test any user authentication by CMD,

rmauth test 1

freeradius attribute for dma radius manager test via cmd


on NAS dynamic address list will be created for each user of this service group. Late ryou can use this address list to mark connections / packets/ routing/queue etc.

4mb pppoe.PNG

Happy Attributing 😉


November 8, 2019

Freeradius 3 with Mikrotik – Part-1 # Time to upgrade


fr logo

Disclaimer! This is important!

Every Network is different , so one solution cannot be applied to all. Therefore try to understand logics & create or modify the solutions as per your network scenario. Never follow copy paste blindly, [unfortunately this has become our national culture]

My humble request is that kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others

Syed Jahanzaib~

This is another post about installation & configuration of ISP related billing system called Freeradius version 3.0.19. My aim is to let people know that creating your own Radius Billing system is not a ROCKET SCIENCE.

The only thing required is your ultimate passion to achieve the goal & with the right search, reading, understanding logic’s, you can do all on your own. I strongly encourage all to read the FR mailing list and Google search

For older version of Freeradius ver 2.x series, you may read below

Make your own Billing system in Linux with Latest version of Freeradius 3.0.19 / MySQL 5.7.27

by Syed Jahanzaib / aacable[at]hotmail[dot]com

[This Guide will be updated with many further supporting posts)

The aim of writing this post was that there are number of radius products available on the internet with lots of features, each have some unique features. But this is also true that none of them is 100% perfect for every type of ISP. The reason is that every ISP/Network have different sort of local requirements and billing mode. If you have searched on google you will find that there are tons of guides for freeradius implementation, but most of them have either incomplete data , or difficult explanation, or does not meet the practical requirements of Desi ISP. That’s why I started this guide so that info that is not common on the net can be shared here. plus most important you can learn on your own using this baby step.

In this post I have made some quick guide to install a very basic level of billing system by using Freeradius/mysql on UBUNTU 18.4 [64bit]. Mikrotik routerboard with firmware version 6.45.7 is being used as NAS to connect user and freeradius will be used for authentication/accounting billing system.

Let’s Rock …


Hardware Software components used in this post


  • Xeon 2Ghz CPU x 2
  • 64 GB RAM
  • 480GB SSD x 8 disks in RAID-10
  • Vmware ESXI 6.5 installed on bare metal hardware
  • VM guest created for Radius role with following config
    40 GB RAM / 12 CORES VCPU / 300 GB Disk Space


  • OS: Ubuntu 18.04.3 LTS Server Edition [Click here for Download Link]
  • FreeRADIUS: Version 3.0.19 [using apt-get with custom repository]
  • Mysql Version: mysql Ver 14.14 Distrib 5.7.27, for Linux (x86_64) using EditLine wrapper [using apt-get]
  • IP scheme

    Radius IP =
    Mikrotik IP =



Quick Tips for Ubuntu OS before rolling out FR


Network address configuration


In Ubuntu 18, network addresses are configured slightly differently as compared to earlier version of ubuntu series. To add / modify IP addresses, edit 50-cloud-init.yaml file

nano /etc/netplan/50-cloud-init.yaml

A working configuration file is attached as below. Make sure to follow syntaxes as defined. U18 is quite sensitive regarding this section.

# Ubuntu 18 Network Config file # Syed Jahanzaib
# Interface Name
# Interface IP Address
version: 2
<span style="color:var(--color-text);">


ROOT Login Access on local machine is not Allowed by Default on Fresh installation of Ubuntu 18

After fresh installation of Ubuntu 18 server edition, you cannot login with root ID by default. & to perform various functions, you may need ROOT access.

Therefore using your normal user account , issue below cmd’s to change root password in order to enable root login access

sudo passwd root

it will ask you to enter current user password, then it will ask to enter new root password two times. Do so and then you can change to use root user by using

# su

and it will ask you to enter root password, Enter the password that you setup in above steps. and you will be switched to ROOT.

Allow SSH Login for remote access using PUTTY or any other tool


By default, Ubuntu 18 will not allow you to remotely login via SSH.

Edit file

nano /etc/ssh/sshd_config

now search for

PermitRootLogin prohibit-password

Change it to

PermitRootLogin yes

Save & Exit , Restart ssh service

service ssh restart

Another quick copy paste method to enable root ssh access

sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
service ssh restart

NTP configuration for timezone configuration &

Automatic time update from the internet [for KHI/PK]

apt-get -y install ntp ntpdate
cp /usr/share/zoneinfo/Asia/Karachi /etc/localtime
sudo /etc/init.d/ntp restart

Disable iPV6


if ipv6 not required, its a good idea to disable it from beginning.

Use below CMD

echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6=1" /etc/sysctl.conf
sysctl -p

for further ensurity, now edit

nano /etc/default/grub

& change


Save & exit & run below cmd to update GRUB

sudo update-grub

Installing components required for general operations including MYSQL as well

Install supporting tools like mysql / phpmyadmin etc [make sure you enter mysql password when it asks ]

#During installation, it will ask you to enter PASSWORD, dont let it skip, be vigilant 

apt-get -y install apache2 mc wget make gcc mysql-server mysql-client curl
apt-get -y install phpmyadmin

NOTE# mySQL Empty Root Password 

Try to login to mysql with your defined password. In case if mysql is letting you in with any random or empty password, use this CMD to change mysql root password

Use these steps only if you have mysql login issue with empty/any password

mysql -uroot -pANYPASS
UPDATE mysql.user SET authentication_string= '' WHERE User='root';
UPDATE mysql.user SET plugin = '' WHERE user = 'root';
UPDATE mysql.user SET authentication_string=PASSWORD('zaib1234') WHERE User='root';
UPDATE mysql.user SET plugin = 'mysql_native_password' WHERE user = 'root';

Don’t forget to restart mySQL service, this part wasted some time of mine

service mysql restart

fr logo with hatFR logo new .png

~ Installation & Configuration part ~
~ Freeradius version 3.0.19 ~

To install freeradius 3.0.19 via apt-get on ubuntu 18.4 server, first update the repository by using following

echo "deb bionic main" >> /etc/apt/sources.list

Save and exit, and issue below cmd

sudo apt-key adv --keyserver --recv-key 0x41382202
sudo apt-get update


Now using apt-get install method , we will install FR ver 3.0.19

apt-get -y install freeradius freeradius-mysql freeradius-utils

Once installed, check the FR version, & it should be similar to this

freeradius -v

radiusd: FreeRADIUS Version 3.0.19 (git #ab4c76709), for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.19
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

SQL Section:

Create DB in mysql

# Make sure to change password which you setup while installing mySQL

mysql -uroot -pzaib1234
create database radius;
grant all on radius.* to radius@localhost identified by "zaib1234";

Now import sql schema file into the mysql

mysql -u root -pzaib1234 radius < /etc/freeradius/mods-config/sql/main/mysql/schema.sql

Now create SQL link

ln -s /etc/freeradius/mods-available/sql /etc/freeradius/mods-enabled/


now edit /etc/freeradius/mods-enabled/sql

nano /etc/freeradius/mods-enabled/sql

& make modification like in SQL { section

change to below

sql {
dialect = "mysql"
driver = "rlm_sql_${dialect}"
mysql {
# there are few lines related to certs, delete them as we donot require them
warnings = auto

# Connection info:
server = "localhost"
port = 3306
login = "radius"
password = "zaib1234"
# Change password as you configured in initial steps/zaib
# Database table configuration for everything except Oracle
radius_db = "radius"

Save & exit.

Adding your NAS in mysql NAS table

TIP: Quick CMD to add NAS in table,

mysql -uroot -pzaib1234 -e "use radius; INSERT INTO nas (id, nasname, shortname, type, ports, secret, server, community, description) VALUES (NULL, '', NULL, 'other', NULL, '123456', NULL, NULL, 'RADIUS Client');"


mysql> select * from nas;
| id | nasname | shortname | type | ports | secret | server | community | description |
| 1 | | NULL  | other | 3799 | 123456 | | NULL | RADIUS Client |
1 row in set (0.00 sec)

Create TEST USER for validating freeradius & mysql installation

We will now create a simple Test USER in mySQL RADIUS DB for verification / test purposes. It will have

  1. Username Password
  2. Mikrotik Rate Limit for Bandwidth Limitation, example 1mb/1mb
  3. Expiration date time
  4. Simultaneous Use set to 1 , to prevent Multiple login of same ID (it requires further modifications in DEFAULT section of sites enabled)
mysql -uroot -pzaib1234
use radius;
INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES ( NULL , 'zaib', 'Cleartext-Password', ':=', 'zaib');
INSERT INTO radreply (username, attribute, op, value) VALUES ('zaib', 'Mikrotik-Rate-Limit', '==', '1024k/1024k');
INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES (NULL , 'zaib', 'Expiration', ':=', '13 Jan 2029 11:00');
INSERT INTO radcheck (username,attribute,op,value) VALUES ('zaib', 'Simultaneous-Use', ':=', '1');


Testing FREERADIUS connection using FR built-in tools

It’s time that we should test freeradius connectivity. in first Terminal, issue below cmd to start freeradius in DEBUG mode

service freeradius stop
freeradius -X

If FR configurall are configured correctly, then you will see something like below

Listening on auth address port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 48178
Listening on proxy address :: port 38713
Ready to process requests

If you see Ready to process requests  , than all good to Go, Else it will show you the particular errors and lines that you must FIX in order to proceed further.

Moving forward, Open second Terminal window, & try below cmd’s to test the user credentials/authentication

Test#1 using RADCLIENT tool with particular calling MAC address

echo "User-Name=zaib,User-Password=zaib,Calling-Station-Id=00:0C:29:71:60:DA" | radclient -s localhost:1812 auth testing123


Sent Access-Request Id 38 from to length 63
Received Access-Accept Id 38 from to length 26
Packet summary:
Accepted : 1
Rejected : 0
Lost : 0
Passed filter : 1
Failed filter : 0

Test#2 using RADTEST tool

radtest zaib zaib localhost 1812 testing123


Sent Access-Request Id 26 from to length 74
User-Name = "zaib"
User-Password = "zaib"
NAS-IP-Address =
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "zaib"
Received Access-Accept Id 26 from to length 26
Session-Timeout = 289854175

Freeradius Debug Window:

Ready to process requests
(0) Received Access-Request Id 57 from to length 63
(0) User-Name = "zaib"
(0) User-Password = "zaib"
(0) Calling-Station-Id = "00:0C:29:71:60:DA"
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "zaib", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> zaib
(0) sql: SQL-User-Name set to 'zaib'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'zaib' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'zaib' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "zaib"
(0) sql: Expiration := "Jan 13 2029 11:00:00 PKT"
(0) sql: Simultaneous-Use := 1
(0) sql: Calling-Station-Id := "00:0C:29:71:60:DA"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'zaib' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'zaib' ORDER BY id
(0) sql: User found in radreply table, merging reply items
(0) sql: Mikrotik-Rate-Limit == "1024k/1024k"
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.27-0ubuntu0.18.04.1, protocol version 10
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'zaib' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'zaib' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
(0) [sql] = ok
(0) if (notfound){
(0) if (notfound) -> FALSE
(0) expiration: Account will expire at 'Jan 13 2029 11:00:00 PKT'
(0) [expiration] = ok
(0) if (userlock){
(0) if (userlock) -> FALSE
(0) [pap] = updated
(0) if (&request:Calling-Station-Id != &control:Calling-Station-Id) {
(0) if (&request:Calling-Station-Id != &control:Calling-Station-Id) -> FALSE
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section session from file /etc/freeradius/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> zaib
(0) sql: SQL-User-Name set to 'zaib'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'zaib' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'zaib' AND acctstoptime IS NULL
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) } # session = ok
(0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(0) sql: EXPAND %{User-Name}
(0) sql: --> zaib
(0) sql: SQL-User-Name set to 'zaib'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, reply_msg, authdate, nasipaddress, mac) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%{reply:Reply-Message}', '%S', '%{NAS-IP-Address}', '%{Calling-Station-Id}')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, reply_msg, authdate, nasipaddress, mac) VALUES ( 'zaib', 'zaib', 'Access-Accept', '', '2019-11-07 15:58:05', '', '00:0C:29:71:60:DA')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, reply_msg, authdate, nasipaddress, mac) VALUES ( 'zaib', 'zaib', 'Access-Accept', '', '2019-11-07 15:58:05', '', '00:0C:29:71:60:DA')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(0) [sql] = ok
(0) [exec] = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 57 from to length 0
(0) Session-Timeout = 289854115
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 57 with timestamp +2
Ready to process requests

Above output shows OK status. You can inspect any errors in the freeradius config or with the user credentials here like, invalid mac, expiratione etc

Workaround to open existing session in RADACCT


When there is an disconnection between NAS & RADIUS, following situation will be observed


User session will be online on NAS, but NAS will not send interim updates to the Radius because communication between NAS/Radius is lost


Radius will not receive any interim updates from the NAS & his session will keep alive (acctstoptime IS NULL), But for some local requirements we scheduled a bash script which checks stale session checking last acct update time . Example if the radius doesn’t receives interim update for 10 minutes, it will close this user session in radacct table by setting acctstoptime to current date/time.

Now when the connectivity restore between the NAS & Radius, and since NAS has this user online, it will send Interim Update to the radius, BUT our radius have closed this session already earlier (via bash script), therefore this update packet will only update the old entry using unique acct ID, but acctstoptime will not be set to NULL.

This will create confusion for frontend, because when you will search online users by searching entries whose acctstoptime is NULL. this session will not appear which will create FALSE assumption on your frontend that this user is offline whereas this user is actually online in NAS.

To settle this , I made some dirty workaround by poking in freeradius SQL queries.conf  file. I am not aware if this trick is is already being used or not,but its working fine on my end.

Add below code

acctstoptime = NULL, \

in queries.conf

Edit file by

nano /etc/freeradius/mods-config/sql/main/mysql/queries.conf
interim-update {
# Update an existing session and calculate the interval
# between the last data we received for the session and this
# update. This can be used to find stale sessions.
query = "\
UPDATE ${....acct_table1} \
acctupdatetime = (@acctupdatetime_old:=acctupdatetime), \
acctupdatetime = FROM_UNIXTIME(\
%{integer:Event-Timestamp}), \
acctinterval = %{integer:Event-Timestamp} - \
UNIX_TIMESTAMP(@acctupdatetime_old), \
acctstoptime = NULL, \
framedipaddress = '%{Framed-IP-Address}', \
framedipv6address = '%{Framed-IPv6-Address}', \
framedipv6prefix = '%{Framed-IPv6-Prefix}', \
framedinterfaceid = '%{Framed-Interface-Id}', \
delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \
acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Input-Octets}:-0}', \
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Output-Octets}:-0}' \
WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"

& as always reload freeradius

service freeradius reload

Prevent Multiple User login [ Simultaneous Login :=1 ]

To prevent multiple login for same user , we have to first enable SQL base session logging , so that our control can check the session details for already logged in user

Edit file

nano /etc/freeradius/sites-enabled/default

& then uncomment sql under session { section

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {

Now we need to add UNLAG query in DEFAULT config to check for MAC address if control is defined in RADCHECK table

edit file

nano /etc/freeradius/sites-enabled/default

Under authorize { section, add below code

if (&request:Calling-Station-Id != &control:Calling-Station-Id) {
update reply {
Reply-Message := "Incorrect Mac"



After every change in config files, reload freeradius by

service freeradius reload

Now you can simulate test using below CMD

RADCLIENT test with particular calling MAC address

echo "User-Name=zaib,User-Password=zaib,Calling-Station-Id=00:0C:29:71:60:DA" | radclient -s localhost:1812 auth testing123

Note: If there is no Calling-Station-ID defined in RADCHECK , test will success and in FREERADIUS Debug log, you will see line that failed to evaluate control. but user will be able to connect if no mac defined in radcheck.

Modifying RADPOSTAUTH section for recording user login attempts in sql table

To record all users login attempts with our customized RADPOSTAUTH table, we can following

First edit queries.conf in /etc/freeradius/mods-config/sql/main/mysql

nano /etc/freeradius/mods-config/sql/main/mysql/queries.conf

Goto End & search for section (usually its in the last)

# Authentication Logging Queries
# postauth_query - Insert some info after authentication

Delete existing query & use this one

query = "\
INSERT INTO ${..postauth_table} \
(username, pass, reply, reply_msg, authdate, nasipaddress, mac) \
'%{SQL-User-Name}', \
'%{%{User-Password}:-%{Chap-Password}}', \
'%{reply:Packet-Type}', \
'%{reply:Reply-Message}', \
'%S', \
'%{NAS-IP-Address}', \

Save and Exit.

Modify RADPOSTAUTH table

Now modify the RADPOSTAUTH table in radius DB so that reply messages can be stored here in the way want it to be

mysql -uroot -pzaib1234
use radius;
DROP TABLE IF EXISTS `radpostauth`;
CREATE TABLE `radpostauth` ( `id` int(11) NOT NULL, `username` varchar(64) NOT NULL DEFAULT '', `pass` varchar(64) NOT NULL DEFAULT '', `reply` varchar(256) NOT NULL DEFAULT '', `reply_msg` varchar(256) DEFAULT NULL, `authdate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, `nasipaddress` varchar(100) DEFAULT NULL, `mac` text ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
ALTER TABLE `radpostauth` ADD PRIMARY KEY (`id`), ADD KEY `username` (`username`(32));

As always reload freeradius service after any modification in the configuration files using

service freeradius reload

Try to auth any user and then look into RADPOSTAUTH table & you will see entries like

mysql> select * from radpostauth;
| id | username | pass | reply | reply_msg | authdate | nasipaddress | mac |
| 14 | zaib | zaib | Access-Accept | | 2019-11-05 19:21:37 | | 00:0C:29:35:F8:2F |
| 15 | zaib | zaib | Access-Accept | | 2019-11-05 19:21:50 | | 00:0C:29:35:F8:21 |
| 16 | zaib | zaib | Access-Reject | | 2019-11-05 19:22:12 | | 00:0C:29:35:F8:21 |
| 17 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:23:51 | | 00:0C:29:35:F8:21 |
| 18 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:23:57 | | 00:0C:29:35:F8:2F |
| 19 | zaib | zaib | Access-Accept | | 2019-11-05 19:24:14 | | 11:11:11:11:11:11 |
| 20 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:24:21 | | 00:0C:29:35:F8:2F |
| 21 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:25:23 | | 00:0C:29:35:F8:2F |
| 22 | zaib | zaib | Access-Accept | | 2019-11-05 19:25:29 | | 11:11:11:11:11:11 |
| 23 | zaib | zaib | Access-Reject | Your account has expired=2C zaib | 2019-11-05 19:25:44 | | 11:11:11:11:11:11 |
| 24 | zaib | zaib | Access-Accept | Account Expired | 2019-11-05 19:26:16 | | 11:11:11:11:11:11 |
| 25 | zaib | zaib | Access-Accept | Account Expired | 2019-11-05 19:26:25 | | |
| 26 | zaib | zaib | Access-Accept | Account Expired | 2019-11-05 19:27:22 | | |
| 27 | zaib | zaib1 | Access-Reject | Account Expired | 2019-11-05 19:27:41 | | |
| 28 | zaib1 | zaib | Access-Reject | | 2019-11-05 19:27:55 | | |
| 29 | zaib1 | zaib | Access-Reject | Username not found | 2019-11-05 19:29:04 | | |
| 30 | zaib | zaib1 | Access-Reject | Account Expired | 2019-11-05 19:29:12 | | |
| 31 | zaib | zaib1 | Access-Reject | Account Expired | 2019-11-05 19:30:28 | | |
| 32 | zaib | zaib1 | Access-Reject | Wrong Password | 2019-11-05 19:30:46 | | |
| 33 | zaib1 | zaib | Access-Reject | Username not found | 2019-11-05 19:30:54 | | |
| 34 | zaib1 | zaib | Access-Reject | Username not found | 2019-11-05 19:32:45 | | |
| 35 | zaib | zaib | Access-Accept | | 2019-11-05 19:32:51 | | |
| 36 | zaib | zaib | Access-Accept | | 2019-11-05 19:33:01 | | |
| 37 | zaib | zaib | Access-Reject | You are already logged in - access denied | 2019-11-05 19:33:57 | | |
| 38 | zaib | zaib | Access-Accept | | 2019-11-05 19:35:21 | | |
| 39 | zaib | zaib | Access-Accept | | 2019-11-05 19:35:28 | | 11:11:11:11:11:11 |
| 40 | zaib | zaib | Access-Accept | | 2019-11-05 19:35:51 | | |
| 41 | zaib | | Access-Reject | Incorrect Mac | 2019-11-05 19:37:23 | | 00:0C:29:71:60:DA |
| 42 | zaib | | Access-Accept | | 2019-11-05 19:37:38 | | 00:0C:29:71:60:DA |
| 43 | zaib | | Access-Reject | Incorrect Mac | 2019-11-05 19:39:13 | | 00:0C:29:71:60:DA |
| 44 | zaib | zaib | Access-Reject | You are already logged in - access denied | 2019-11-06 08:37:04 | | |
| 45 | zaib | zaib | Access-Accept | | 2019-11-06 08:37:24 | | |
| 46 | zaib | | Access-Reject | Incorrect Mac | 2019-11-07 07:56:07 | | 00:0C:29:71:60:DA |
| 47 | zaib | | Access-Reject | You are already logged in - access denied | 2019-11-07 07:57:03 | | 00:0C:29:71:60:DA |
| 48 | zaib | | Access-Accept | | 2019-11-07 07:57:18 | | 00:0C:29:71:60:DA |
| 49 | zaib@zaib | | Access-Reject | Wrong Password | 2019-11-07 07:57:23 | | 00:0C:29:71:60:DA |
| 50 | zaib@zaib | | Access-Accept | | 2019-11-07 08:00:37 | | 00:0C:29:71:60:DA |
| 51 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-07 15:54:53 | | 11:11:11:11:11:11 |
| 52 | zaib | zaib | Access-Accept | | 2019-11-07 15:56:12 | | 00:0C:29:71:60:DA |
| 53 | zaib | zaib | Access-Accept | | 2019-11-07 15:57:05 | | |
| 54 | zaib | zaib | Access-Accept | | 2019-11-07 15:58:05 | | 00:0C:29:71:60:DA |

Unable to login with username like zaib@zaib

If you are unable to login with username like z@ib@zaib , then disable the filter_username module under authorize { section

edit file

nano /etc/freeradius/sites-enabled/default

Navigate to authorize { section, & comment the filter_username

authorize {
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
# See policy.d/filter for the definition of the filter_username policy.

# filter_username

Mikrotik-Rate-Limit not working with FR 3
(Updated on 9-NOV-2019)

Today I encountered issue at local network, where radius was not sending the Mikrotik-Rate-Limit syntax to the NAS. After doing some troubleshooting it came to my knowledge that you have to change op value from == to := , Example

Mikrotik-Rate-Limit := 1024k/1024k

Trimming RADACCT table to make it SLIM & blazing Responsive


Over the period of time, radacct table will grow enormously. This can slow down many queries , therefore its a good idea to move all closed session entries (NOT NULL) to another table like radacct_archive. I created following bash script which helped me to sort many issues.

Note: Make sure to change credentials section

mkdir /temp
touch /temp/
chmod +x /temp/
nano /temp/

& copy paste following

#!/usr/bin/env bash
#set -x
logger radacct_trim script started $DATE
CMD="mysql -u$SQLUSER --skip-column-names -s -e"
# This is one time step.
echo "
Script Started @ $DATE
echo "- Step 1 : Checking for DB: $DB / TABLE: $TBL_ARCH ..."
DBCHK=`mysqlshow --user=$SQLUSER $DB | grep -v Wildcard | grep -o $DB`
if [ "$DBCHK" == "$DB" ]; then
echo " > $DB DB found"
echo " > $DB not found. Creating now ..."
$CMD "create database if not exists $DB;"
if [[ $(mysql -u$SQLUSER -e "$TBL_ARCH_EXISTS" $DB) ]]
echo " > $TBL_ARCH TABLE found IN DB: $DB"
echo " > $TBL_ARCH TABLE not found IN DB: $DB / Creating now ..."
$CMD "use $DB; create table if not exists $TBL_ARCH LIKE radacct;"

# Start Action: copy data from radacct to new db/archive table
NOTULL_COUNT=`$CMD "use $DB; select count(*) from radacct WHERE acctstoptime is not null;"`
echo "- Step 2 : Found $NOTULL_COUNT records in radacct table , Now copying $NOTULL_COUNT records to $TBL_ARCH table ..."
$CMD "use $DB; INSERT IGNORE INTO $TBL_ARCH SELECT * FROM radacct WHERE acctstoptime is not null;"
echo "- Step 3 : Deleting $NOTULL_COUNT records old data from radacct table (which have acctstoptime NOT NULL) ..."
# --- Now Delete data from CURRENT RADACCT table so that it should remain fit and smart ins size
$CMD "use $DB; DELETE FROM radacct WHERE acctstoptime is not null;"
echo "- Step 4 : Copying old data from $TBL_ARCH older then $MONTHS months ..."
# --- Now Delete data from RADACCT_ARCHIVE table so that it should not grow either more than we required i.e 1 Year - one year archived data is enough IMO
logger radacct_trim script ended with $NOTULL_COUNT records processed for trimming @ $DATE
echo "
radacct_trim script ended with $NOTULL_COUNT records processed for trimming @ $DATE"

Schedule this BASH script to run every minute (or as per required)

1 * * * * /temp/

Check for STALE Sessions in RADACCT [for FR ver3 in particular]

This bash script will close sessions in RADACCT whose interim updates have not received in last XX minutes. You can schedule it to run every minute or as required

#!/usr/bin/env bash
#set -x
#trap "set +x; set -x" DEBUG
# BASH base script to close STALE sessions from freeradius, whose accounting is not updated in last X minutes in RADACCT table
# By Syed Jahanzaib
# CREATED on : 25-July-2018
# Local Variables

# Mysql credentials
CMD="mysql -u$SQLID --skip-column-names -s -e"
#Table which contain main users information
#Rad user group in which we will update user profile like from 1mb to expired or likewise
# Date Time Variables
DATE=$(date +%d-%m-%Y)
DT_HMS=$(date +'%H:%M:%S')
CURR_HOUR=$(date +%H)
TODAY=$(date +"%Y-%m-%d")
WEEK=`date -d "-1000 days" '+%Y-%m-%d'`
H=$(date +'%-H')

#Check and close session for staleness
$CMD "use $DB; select username,radacctid,nasipaddress from radacct WHERE acctstoptime IS NULL AND acctupdatetime  $STALE_USR_LIST
# IF no user found , show error and exit - zaib
CHK=`wc -m $STALE_USR_LIST | awk {'print $1}'`
if [ "$CHK" -eq 0 ]
echo "No stall sesion found (which accounting session have not updated in last $INTERVAL minutes) , exiting ..."
exit 1
$CMD "use $DB; UPDATE radacct SET acctstoptime = NOW(), acctterminatecause = 'Clear-Stale-Session' WHERE acctstoptime IS NULL AND acctupdatetime /dev/null 2>&1

WordPress is not letting pasting of code. look for this line

wp post problem.PNG


following are some mySQL tuning made according to the hardware. These are just my assumptions that this setting will work fine. However you may tune your setup according to your hardware. Install & run MYSQLTUNER tool which will better guide you as per the actual hardware/software scneario.


socket = /var/run/mysqld/mysqld.sock
nice = 0
user = mysql
pid-file = /var/run/mysqld/
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
bind-address =
key_buffer_size = 4G
thread_stack = 192K
thread_cache_size = 8
myisam-recover-options = BACKUP
max_connections = 2000
table_open_cache = 15000
query_cache_limit = 200M
query_cache_size = 0
query_cache_type = 0
#log_error = /var/log/mysql/error.log
expire_logs_days = 10
max_binlog_size = 100M
innodb_buffer_pool_size = 22G
innodb_log_file_size = 11G
innodb_buffer_pool_instances = 22

MYSQLTUNER to see mySQL performance

It is good idea to install mysqltuner

apt-get install mysqltuner

Let your mysql Run for 1-2 days, then run this tool



mysql -uroot -pzaib1234
use radius;


*************************** 2. row ***************************
Name: radacct
Engine: InnoDB
Version: 10
Row_format: Dynamic
Rows: 1
Avg_row_length: 16384
Data_length: 16384
Max_data_length: 0
Index_length: 212992
Data_free: 0
Auto_increment: 2323234
Create_time: 2019-11-05 19:06:21
Update_time: 2019-11-07 10:27:08
Check_time: NULL
Collation: latin1_swedish_ci
Checksum: NULL

In above OUTPUT, You can see the type, with 5.5+ its generally innodb


Monitor Disk Read Write

To monitor all disks read/write speed install this tool

apt-get install -y iotop

Run it using below cmd

iotop -o

HTOP – Monitor ALL Processes / CPU Cores Usage Monitor

install this

apt-get install -y htop


Doing Stress Test on Radius using BASH scripts

stress test on fr 3

FREERADIUS Stress Test Using BASH script – Zaib


Installing Freeradius latest version 3.0.21 on Ubuntu 16.4 Server

echo "deb xenial

main" >> /etc/apt/sources.list

apt-get update

sudo apt-key adv --keyserver --recv-key 0x41382202

sudo apt-get update

apt-get -y install freeradius freeradius-mysql freeradius-utils

Syed Jahanzaib

August 7, 2019

Exploiting Mikrotik for Good ?

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 11:30 AM

mikrotik exploit logo.png

Last updated: 7-AUGUST-2019 / 1400 hours

Note: Lot have been written on this vulnerability & this is not something NEW, but this vulnerability helped us in accessing one of our remote site old router with forgotten credentials.

In our remote branch network , we had installed one Mikrotik small box RB750 for branch to HO connectivity. This small unit was installed few years back & we never looked into it again. Recently we needed to make some configuration changes but following some bad practices we didn’t added this particular mikrotik in our centralized automated backup system & we didn’t noted down the credentials & IP configurations of its VPN settings after its deployment considering it less important.

Luckily it was running old firmware which was exploitable dueto to its critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords.

Index of this post

  1. Vulnerable Versions
  2. Requirements
  3. Executing scripts in linux
  4. Results
  5. Securing older version with firewalling
  6. Securing the Mikrotik Router at basics

Vulnerable Versions

Versions affected:

  • Affected all bugfix releases from 6.30.1 to 6.40.7, fixed in 6.40.8 on 2018-Apr-23
  • Affected all current releases from 6.29 to 6.42, fixed in 6.42.1 on 2018-Apr-23
  • Affected all RC releases from 6.29rc1 to 6.43rc3, fixed in 6.43rc4 on on 2018-Apr-23

For more information see:

Using this exploit we were able to recover the password and after changes we upgraded it immediately.

We can use Windows or Linux to remotely exploit the older mikrotik firmware to query for all user accounts.


The scripts can be run using PYTHON version 3+ & I have uploaded the scripts @ my Google Drive.

Driving in Linux !

  • I have tested it with Ubuntu ver 12 & 16
sudo apt-get update
sudo apt-get install python3

Now extract scripts in any temp folder.

Executing the scripts …

Extract users details using the Remote Mikrotik IP address [default 8291 port]


Extract users details using the Remote Mikrotik IP address [custom port]

python3 1122

Discover Mikrotik on the network

(it will scan the network for Mikrotik, may take some time, or you can press CTRL+C to exit)



Extract users details using the Remote Mikrotik MAC Address

python3 e4:8d:8c:9a:ed:11


mikrotik winbox exploit results.PNG


If the firmware is latest or not exploitable, it will give error “Exploit failed

# Securing older version with firewalling

If you dont want to upgrade, than at least use firewall filter to secure older versions……

/ip firewall filter
add action=reject chain=input comment="block CVE-2018-14847 exploit by z@ib" content=user.dat
add action=drop chain=input content="user.dat"

# Securing the Mikrotik Router at basics

  • TOP OF THE LINE THING TO DO : apply port scanning filtering !
  • Remotely Accessible Router Services should be limited to few addresses/interfaces
  • Never use default ports for Winbox / SSH & other services
  • Change there ports number to preferably higher unused ports like 50000 or above or likewise
  • If not in use, Disable all services like FTP / SSH & others
  • Never use default usernames like ADMIN , disable or delete them, and make alternate admin accounts with difficult passwords

Disable following

  • MAC-telnet services
    /tool mac-server set allowed-interface-list=none
  • MAC-Winbox
    /tool mac-server mac-winbox set allowed-interface-list=none
  • MAC-Ping service
    /tool mac-server ping set enabled=no
  • MikroTik Neighbor discovery protocol
    /ip neighbor discovery-settings set discover-interface-list=none
    /ipv6 nd set [find] disabled=yes
  • DNS cache
    /ip dns set allow-remote-requests=no
  • Socks proxy
    /ip proxy set enabled=no
    /ip socks set enabled=no
  • UPNP service
    /ip upnp set enabled=no
  • MikroTik dynamic name service or ip cloud
    /ip cloud set ddns-enabled=no update-time=no
  • Enable More Secure SSH access
    /ip ssh set strong-crypto=yes

Syed Jahanzaib

July 23, 2019

RM: Delete Expired Users Record

Filed under: Radius Manager — Tags: — Syed Jahanzaib / Pinochio~:) @ 12:57 PM


Following script was made for DMA Radius Manager 4.1.x. It can delete X months old Expired users record from the mysql DB.

Sharing for reference purposes …

WordPress is not letting proper pasting of the code …

delete expired uesr.PNG

#set -x
# This script delets users who have expired 2 months ago. and then delete there records from all tables.
# Syed Jahanzaib / June 2019
> /tmp/expired.users.txt

#mysql -uroot -e “use radius; select username from rm_users where expiration BETWEEN ‘2010-01-01’ AND ‘2019-04-30’;” |sort > /tmp/expired.users.txt

# Fetch users who have expired 2 months ago & before, (using expired date), BE CAREFUL WHEN USING THIS
mysql -uroot -e “use radius; select username from rm_users where expiration <= DATE_SUB(CURDATE(), INTERVAL 2 MONTH)” |sort > /tmp/expired.users.txt
cat /tmp/expired.users.txt | while read users
USERNAME=`echo $users | awk ‘{print $1}’`
echo “$USERNAME —- user record from all relevant tables”
mysql -uroot -e “use radius; DELETE FROM rm_cards WHERE cardnum = ‘$USERNAME’;”
mysql -uroot -e “use radius; DELETE FROM rm_users WHERE username = ‘$USERNAME’;”
mysql -uroot -e “use radius; DELETE FROM rm_changesrv WHERE username = ‘$USERNAME’;”
mysql -uroot -e “use radius; DELETE FROM radcheck WHERE username = ‘$USERNAME’;”
mysql -uroot -e “use radius; DELETE FROM radacct WHERE username = ‘$USERNAME’;”
mysql -uroot -e “use radius; DELETE FROM rm_radacct WHERE username = ‘$USERNAME’;”



July 17, 2019

BASH: Exporting MYSQL DB to Remote Server

Filed under: Linux Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 10:28 AM


Disclaimer: This post is shared just for reference & learning purposes. You must modify and add more failsafe check before using it in production.

Syed Jahanzaib


We are using Freeradius server which uses mySQL as its backend DB. Ideally the mysql server should have replica server so that if Primary goes down dueto any fault, the secondary replica should come in action.

For high availability purposes we we want to have a standby server. Mysql Master-Slave or Master-Master replication is ideal for real time replication. We successfully implemented this model at few sites, but yes replication requires constant monitoring, and at one place the secondary replica server backfired & caused data loss.

For one particular Remote Site we wanted to avoid the complications of REPLICATION. What we wanted is a standby server, and the DB from primary should be exported to secondary replica server daily in morning and emails for the actions taken by the script should be emailed to us.

We made custom script that is running successfully from quite some time.

The BASH script performs following function …

  • Checks secondary server PING response
  • Check secondary server SSH access
  • Checks primary server MYSQL DB access
  • Checks secondary server MYSQL DB access
  • Check if exported DB is of valid size, (I set it to min 10 KB, yes you may want to adjust it according to your setup)
  • If all OK, then export primary server DB, and import it to secondary server

Script Requirements:

BASH Script Code:

  • touch /temp/
  • chmod +x /temp/
  • nano /temp/
#set -x
# Version 1.0 / 10-July-2019
# Syed Jahanzaib / Web: / Email:
# This script exports mysqldb and restores it to second remote server
# Requires passwordless login on remote server using SSH keys
# Settings various VARIABLES for the script
# adding dns for resolving
echo "nameserver" > /etc/resolv.conf
set $(date)
time=`date |awk '{print $4}'`
YESTERDAY=`date --date='yesterday' +%Y-%m-%d`
TODAY=`date +"%d-%b-%Y__%T"`
SCRIPTST=`date +"%d-%b-%Y__%T"`
HOSTNAME=`hostname | sed 's/ //g'`
CMD="mysql -u$SQLUSER --skip-column-names -s -e"
touch $RESULT
rm -f /$SQL_DIR/*.sql
# Test PING to device
count=$(ping -c $PING_ATTEMPTS $IP2 | awk -F, '/received/{print $2*1}')
if [ $count -eq 0 ]; then
echo "- $COMPANY ALERT: $IP2 - $IP2ROLE is not responding to PING Attempts, cannot continue without it , Please check !"
echo "- $COMPANY ALERT: $IP2 - $IP2ROLE is not responding to PING Attempts, cannot continue without it , Please check !" > $PING_RESULT
sendemail -t $email -u "ALERT: $IP2 $IP2ROLE NOT RESPONDING!" -o tls=yes -s -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$PING_RESULT -o message-content-type=text
exit 1
echo "- Script start time: $SCRIPTST

This report contains DB export results.

- Source Server : $HOSTNAME / $IP1
- Destination Server : $IP2

- PING Result to $IP2 : OK"

echo "- Script start time: $SCRIPTST

This report contains DB export results.

- Source Server : $HOSTNAME / $IP1
- Destination Server : $IP2
- PING Result to $IP2 : OK" >> $RESULT

#Cehck if SSH is accessible
scp -q -P $IP2_SSH_PORT root@$IP2:/etc/lsb-release $IP2_SSH_CHK
# Verify if file is downloaded from remote server via ssh
if [ ! -f $IP2_SSH_CHK ]; then
echo -e "- $COMPANY ALERT: $IP2 - $IP2ROLE is not responding to passwordless SSH ACCESS, cannot continue without it , Please check !"
exit 1
echo -e "- SSH Access to $IP2 : OK"
echo -e "- SSH Access to $IP2 : OK" >> $RESULT

# Check if $DB (in this case radius )is accessible or not, if NOT, then exit the script
if [ "$RESULT_DB_CHK" != "$DB" ]; then
echo "- ALERT: $IP1 - DB $DB not accessible !!!"
echo "- ALERT: $IP1 - DB $DB not accessible !!!" >> $RESULT
sendemail -t $email -u "- ALERT: $IP1 - DB $DB not accessible" -o tls=yes -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text
exit 1

echo "- $DB - Database accessed on $IP1 : OK" >> $RESULT

######## START the BACKUP PROCESS ... #######
# Checking if $SQL_DIR folder is previously present or not . . .
if [ ! -d "/$SQL_DIR" ]; then
echo -e "- ALERT: /$SQL_DIR folder not found, Creating it MYSQL EXPORT/DUMP backup should be placed there . . ."
mkdir /$SQL_DIR
echo -e "- INFO: $SQL_DIR folder is already present , so no need to create it, Proceeding further . . ."

mysqldump -u$SQLUSER -p$SQLPASS --single-transaction=TRUE --ignore-table={radius.radacct} $DB > $FILE
SIZE=`ls -lh $FILE | awk '{print $5}'`
SIZEB=`ls -l $FILE | awk '{print $5}'`
if [ $SIZEB -lt 1 ]
echo "- ALERT: DB export failed on $IP1 - Size = $SIZE OR $SIZEB Bytes"
echo "- ALERT: DB export failed on $IP1 - Size = $SIZE OR $SIZEB Bytes" >> $RESULT
sendemail -t $email -u "ALERT: DB export failed on $IP1 - Size = $SIZE OR $SIZEB Bytes" -o tls=yes -s -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text
exit 1
#ssh -p $IP2_SSH_PORT root@$IP2 mkdir /$SQL_DIR
#ssh -p $IP2_SSH_PORT root@$IP2 ls -lh /$SQL_DIR
# Import file in secondary radius
#ssh -p $IP2_SSH_PORT root@$IP2 "mysql -u$SQLUSER -p$SQLPASS $DB < $FILE
#mysql -h $IP2 -u$SQLUSER -p$SQLPASS $DB < $FILE
ssh -p $IP2_SSH_PORT root@$IP2 mysql -u$SQLUSER -p$SQLPASS $DB  output
#scp -P $IP2_SSH_PORT $CLIENTS_FILE root@$IP2:/usr/local/etc/raddb/
ssh -p $IP2_SSH_PORT root@$IP2 'service freeradius restart'
SCRIPTET=`date +"%d-%b-%Y___%T"`

echo "- FILE NAME : $FILE

- DONE : Backup from $IP1 to $IP2 have been Exported OK

- Script End Time: $SCRIPTET

Syed Jahanzaib"

echo "- FILE NAME : $FILE

- DONE : Backup from $IP1 to $IP2 have been Exported OK

- Script End Time: $SCRIPTET

Syed Jahanzaib" >> $RESULT

sendemail -t $email -u "$TODAY $HOSTNAME DB Exported from $IP1 to $IP2 Report OK" -o tls=yes -s -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text

#cat $RESULT
rm $FILE

Email Report Sample:

replica export done.PNG

Cron schedule to run the script Daily at 7am

# To run the script daily at 7 AM in morning
00 07 * * * /temp/

# To run the script every 6th hours 30 mnts
30 */6 * * * /temp/

Syed Jahanzaib

July 2, 2019

DENIED Notes users are still able to access mails through IBM Notes Traveler

Filed under: IBM Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 4:30 PM

This post is about a case study regarding “Denied access Notes users are still able to access mails through IBM Notes Traveler“.

We are using IBM lotus Domino server as per following

  • – Lotus Domino – Primary Mail Server [For Lotus Notes/Webmail]
  • – Lotus Domino – Traveler Role [For Mobile Devices like Android/iPhone]


Case Study:

Today, It was brought to our knowledge that one of company’s employee resigned on 28th June 2019) have sent emails to HR Dept on ndex day. while his account was under DENY group, but still he was able to sent emails. We tried settings from IBm document referenced “Denied access Notes users are still able to access mails through IBM Notes Traveler” from but still no luck. Traveler users who were under NO ACCESS GROUP under Primary LOTUS server were still able to sync emails.

Our Blocking Practice:
As per our practice , when any user resigned from the company, we add him under DENY GROUP under Lotus Domino Server for few days, which blocks the Notes/Webmail Access access for that particular user. Later if user withdraw resignation we just remove his name from this list, Else we remove his profiles and save his email in Archive for ever.

If the user have IBM Verse installed on there mobile device, he can still access the email because his access is blocked primarily on Lotus Email Server, but since mobile devices does not communicate with the Primary server directly instead they access it via separate TRAVELER server (by proxying through LOTUS TRAVELER server), and communication between Primary Server & Lotus traveler server is being done through server to server basis thus they could access the emails.


no access group.jpg
Adding the NO ACCESS list in the traveler server document under security DID THE TRICK !

[13FC:000A-1574] 07/01/2019 12:45:02 PM XXXXX Web Server: Access Denied Exception [/traveler?action=sync&orig=sp&deviceId=Android_a41df4vf3fe46a8e3a] CN=MY USER/O=MYCOMP

This list will be updated via Primary Lotus server after every 10 minutes (using replication connection) & it will act as additional level of permissions filtering. Now if any user will be added under DENY GROUP under Lotus Mail Server, this list will be propagated to Lotus Traveler server as well which will deny the user request if his name is under DENY GROUP.

Thanks to FB group “IBM Lotus Domino Administrators” for pointing in the right direction.

Some addition Tip:

to flush DB cache

sh nlcache reset

Syed Jahanzaib


May 12, 2019

Manipulate CDN Traffic with Mikrotik Mangle & Queue Tree

Filed under: Mikrotik Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 12:49 PM


Control / Facilitate CDN traffic with

~ Mikrotik Router ~


First some DRY theory !

CDNs replicate content in multiple places. There’s a better chance of content being closer to the user, with fewer hops, and content will run over a more friendly network. The general idea of a CDN is to deliver content as fast as possible to the user without compromising the user’s experience. Usually, a CDN have global location servers, called Point of Presence. These PoPs store data as cache. When a user requests for a website, the nearest PoP will handle the request using stored cache.

The BIG players such as Google in order to enhance user experience have tried to get as close to the user as possible by direct peering with the regional service providers and provide contents using CDN (Content delivery network) providers. Google is having its own CDN network branded as a service called Google Global Cache (GGC)

Nowadays all the major ISPs have CDN facility , which tremendously helps them to reduce burden on there internet feed. Without CDN, cost of real internet bandwidth will be a heavy burden for any OP. With CDN user will get better video streaming experience.

I know few ISP’s here in Karachi (& one particularly originated from Gulshan Area) which totally relies on CDN (more than 50-60% of there internet data is routing via CDN) , I have used one of them, there real internet speed is pathetic but if you browse YT/FB they works excellent.


Our upstream ISP have CDN server installed in there data center & traffic going to CDN have no limit. But we want to control the traffic as following

1 Mb package Users break up for bandwidth controlling …

  • 1mb internet bandwidth
  • 2mb CDN bandwidth

So if a user is surfing the internet he will get full 1mb internet speed, & if he uses the traffic going to YOUTUBE CDN ,  He will get additional 2 mb.

Using Mikrotik, we can achieve this task by using Firewall Mangle & Queues Tree. Same can be done with Mangle & PCQ base simple queues too. It’s a debatable topic on what to use, & Depends on the selection, mangle marking method would also be changed.

Every network is different so one configuration cannot fit all. Number of users & traffic volume plays vital role in selection of marking / queue type to use.

Choose the marking/queue type wisely to save your Mikrotik CPU from becoming Mr. SPIKY 🙂 YKWIM 😀

Disclaimer: This is just an example for sharing purposes ONLY & yes there are many other methods and tuning techniques you can adopt to make this process much more efficient.

Script !

/ip pool
add name=pppoe_pool ranges=

/ip firewall address-list
add address= list=1mb
add address= list=cdn_list
# is WATEEN telecom CDN server range. It may change over time or different for each ISP/Network. Pay attention to this part.

# MANGLE Rules orderwise placement is very important. Make sure to mark CDN (or requireD) traffic before other traffic

/ip firewall mangle
# Marking traffic going to CDN (or required sites/ips)
add action=mark-packet chain=forward src-address-list=1mb dst-address-list=cdn_list new-packet-mark=cdn_1mb_up passthrough=no
add action=mark-packet chain=forward src-address-list=cdn_list dst-address-list=1mb new-packet-mark=cdn_1mb_down passthrough=no
# Marking other traffic , normal traffic other then CDN
add action=mark-packet chain=forward src-address-list=1mb new-packet-mark=1mb_up passthrough=no
add action=mark-packet chain=forward dst-address-list=1mb new-packet-mark=1mb_down passthrough=no

# Adding PCQ base queue type for per user distribution

/queue type
add kind=pcq name=2mb-cdn-download pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=2048k pcq-src-address6-mask=64
add kind=pcq name=2mb-cdn-upload pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=2048k pcq-src-address6-mask=64
add kind=pcq name=1mb-upload pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-limit=50KiB pcq-rate=1100k pcq-src-address6-mask=64 pcq-total-limit=2000KiB
add kind=pcq name=1mb-download pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-limit=50KiB pcq-rate=1100k pcq-src-address6-mask=64 pcq-total-limit=2000KiB

# Adding QUEUE  TREE to control bandwidth on per user basis policy using PCQ

/queue tree
# Adding 2mb QUEUE TREE for CDN traffic
add name="CDN - 1mb - upload" packet-mark=cdn_1mb_up parent=global priority=1 queue=2mb-cdn-upload
add name="CDN - 1mb - download" packet-mark=cdn_1mb_down parent=global priority=1 queue=2mb-cdn-download
# Adding 1mb QUEUE TREE for Normal traffic (Other then CDN)
add name=1mb-internet-up packet-mark=1mb_up parent=global queue=1mb-upload
add name=1mb-internet-down packet-mark=1mb_down parent=global queue=1mb-download


cdn and net queue tree


As shown in above example image, 1mb user is download contents from the internet at full 1 Mb speed (infact I add some extra liberty that is 1100 kb) and on the same side Youtube video (via CDN) is getting 2mb of bandwidth.

With the help of CDN, Real internet bandwidth is saved a lot, and available for other tasks/users,  thus providing relief to the real internet bandwidth pipe.

Personal experience regarding PCQ base queue – Simple Queue vs Tree !

In my personal experience, if you have hundreds of users, then Dynamic simple queues are better as there load spreads over multiple cores.

But for CDN we have to create separate queues for marked packets, therefore we have to use PCQ base queues , either in SIMPLE or TREE. In my experience I have seen that PCQ base queue with Queue Tree puts less load on the CPU.


Syed Jahanzaib


April 22, 2019

MySql Database Recovery from Raw Files

Filed under: Linux Related, Radius Manager — Tags: , , , , , — Syed Jahanzaib / Pinochio~:) @ 2:31 PM

mysql recovery.PNG

Disclaimer: This worked under particular case. It may or may not work for everyone.


OS: Ubuntu 12.4 Servedit Edition / x86

MYSQL: Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (i686) using readline 6.2

The OP was running radius for AAA. The disk got faulty for some unknown reasons and were unable to boot from it. There was no database backup [Real example of bad practices] So restoration from mysqldump to new system was not an option there !


We need to restore the Database using mysql raw files. Luckily the faulty disk was able to got attached to other system & we were able to copy the core /var/lib/mysql/ folders (along with all sub folders in it)

Quick & Dirty Restoration Step !

Requires some good level of Linux / DB knowledge]

  • Setup a test SANDBOX, Install same level of OS along with MYSQL on new system/disk. Create databases / tables as required. Verify all is working by logging to mysql
  • Stop the MYSQL service.
  • Copy the folder /var/lib/mysql [copied from faulty disk] to this new box under /var/lib/mysql/  
  • Set the permission on newly copied files/folders
    chown mysql -R /var/lib/mysql/

After this point Try to start the MYSQL service , IF it starts successfully & you can see your DATA , then skip below steps , ELSE continue through below steps …

  • Edit the /etc/mysql/my.cnf & add following line under [mysqld] section
    innodb_force_recovery = 6
  • Start MYSQL service & the service will start in Safe Mode with limited working support. Verify if you can able to login to MYSQL service by
    mysql -uroot -pPASS
  • If above step works, Export the Database backup using mysqldump cmd e.g:
    mysqldump -uroot -pSQLPASS   radius  >  radius_db_dump_.sql
  • Once done, Open the file in nano or any other text editor, & verify if it contains the required data.

Now copy the radius_db_dump_.sql to safe location & you know what to do next 🙂

  • Import this mysqldump file to your working radius system !



Make sure you have multistage backup strategies in place for any mission critical server.

Example for mysql Database, You can do following

  • If your server is VM, then VEEAM B&R will be your best friend & guardian, go for it
  • 1st Stage Backup: [Highly recommended for live replication]
    ideally, you should have at least 2 Replica servers & configure either Master-Master or Master-Slave Replication
  • 2nd Stage backup:
    Create bash scripts to export DB backup in local folder on a daily basis, (or hourly basis if required]
  • 3rd Stage backup:
    Attach external USB disk to the server, and in your backup script, add this usb as additional backup repository
  • 4th Stage backup:
    Configure DROPBOX and add it as additional backup repository
  • 5th Stage backup:
    The admin should manually copy the backup folders to his desktop so that if all other backups gets failed , this should come in handy.

Syed Jahanzaib




« Newer PostsOlder Posts »

%d bloggers like this: