Solution of the iLO error “HTTP SSL_ERROR_BAD_MAC_ALERT”

I noticed the following error when opening the iLO web interface in the browser:

Error establishing secure connection
An error occurred while connecting to 172.16.1.2. The SSL node reported an incorrect message authentication code. Error code: SSL_ERROR_BAD_MAC_ALERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Continue reading “Solution of the iLO error “HTTP SSL_ERROR_BAD_MAC_ALERT””

Updating iLO 3 firmware on HP servers

Once I set up iLO on servers and noticed that when opening an interface in the browser, an SSL error occurs and the iLO web interface does not open.

See how to temporarily solve this error in my article – Solution of the iLO error “HTTP SSL_ERROR_BAD_MAC_ALERT”.

For example, I will use HP ProLiant DL380 G7 with old firmware iLO 3 1.10 (Jul 26 2010)

Continue reading “Updating iLO 3 firmware on HP servers”

TP-Link TL-WR941N Firmware Update

For the test, I will update the TP-Link TL-WR941N 300Mb/s V2 router with firmware 3.12.5 Build 100929 Rel.57776n.

1) Let’s look at the revision of the router, in my case it is V2, and just for it we download the archive with the new firmware from the official site, the first link for the 300Mb/c model, and the second for 450Mb/c.
Continue reading “TP-Link TL-WR941N Firmware Update”

Access restriction to Ubiquiti over IP using Firewall

For the test, I’ll take the airMAX Rocket M5 sector antenna in bridge mode and the airMAX NanoBeam M5 client antenna in router mode.

Restrict access first to the client.
Suppose that it is connected to the sector and has an IP address 192.168.110.40 which looks into the Internet (obtained via DHCP).
The IP of the administrator who should have access to it remotely is 10.10.10.5, the rest must be blocked.

And so, go to the airMAX NanoBeam M5 web interface, open the “NETWORK” tab, next to “Configuration Mode:” select “Advanced”, then more settings will appear.
At the bottom where the “Firewall” tick the “Enable”.

Just below we add a rule specifying:
Target: DROP
Interface: WLAN0
IP Type: TCP
Source: 10.10.10.5 (IP from which it is allowed to connect, as well as be sure to put a tick in front of it under the exclamation mark)
Port: leave empty
Destination: 192.168.110.40 (An antenna IP that looks out)
Port: 22 (This is an SSH port, similarly, other rules are created to restrict access to the HTTP port – TCP 80, HTTPS – TCP 443, Telnet – TCP 23, SNMP – UDP 161, Discovery – UDP 10001)

As you can see, this rule blocks all TCP connections to port 22 of the WLAN0 interface on IP 192.168.110.40, and the set check mark on ! before Source: 10.10.10.5 means that everything except this IP is blocked.

Click “Add”, then “Change” at the bottom and at the top of “Apply” to apply the changes, after that the antenna will restart.

To limit access to the sector antenna that is configured by the bridge, we add the same rules, only where the Interface: we specify ANY (ALL).

Is done.

After adding rules and connecting to a device via SSH in the configuration, you can see the following:

ebtables.status=enabled
ebtables.1.status=enabled
ebtables.1.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 22 -j DROP
ebtables.1.comment=
ebtables.2.status=enabled
ebtables.2.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 80 -j DROP
ebtables.2.comment=
ebtables.3.status=enabled
ebtables.3.cmd=-A FIREWALL -p 0x0800 --ip-protocol 6 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 443 -j DROP
ebtables.3.comment=
ebtables.4.status=enabled
ebtables.4.cmd=-A FIREWALL -p 0x0800 --ip-protocol 17 --ip-src ! 10.10.10.5/32 --ip-dst 192.168.110.40/32 --ip-dport 161 -j DROP
ebtables.4.comment=

See also my article:
Ubiquiti SSH control

Blocking social networks on Mikrotik routers

There are several ways to prohibit access to social networks and other sites on Mikrotik routers.

The first and most effective

method is to enable web proxy, disable specific sites in it, in the firewall in the NAT tab add a rule that will send the necessary IP to web proxy.
Adds a rule to IP – Firewall – NAT (Chain: dstnat, protocol: tcp, Dst. Port: 80, Action: redirect, To Ports: 8080, in Src.Address or Src.Address List specify who needs to be sent to Web proxy)
We enable Web proxy by ticking the IP – Web proxy – Enabled, we look for the port to be 8080.
Add sites that need to be blocked in IP – Web proxy – Access (for example, Dst.Host: vk.com, Action: deny)

The second and one of the simplest

is to add a static DNS record, then everyone connected to the router will not be able to enter the site.
To do this, click “IP” – “DNS” – “Add New”, in the “Name” field, specify the domain of the site, in the “Address” – 127.0.0.1.
An example of adding via the command line:

ip dns static add name youtube.com address=127.0.0.1
ip dns static add name www.youtube.com address=127.0.0.1
ip dns static add name name=".*\.vk\.com" address=127.0.0.1

The command to view static DNS records on the router:

ip dns static print

However, this prohibition can be circumvented by manually registering a third-party DNS server on computers, such as Google DNS – 8.8.8.8 and 8.8.4.4.

The third option

is to look at what ip-addresses the site is in, for example by typing nslookup vk.com in the Windows command line, then block access to them for all users or specific users in the firewall. Instead of a heap of ip addresses, you can specify a subnet, for example, 87.240.131.0/24 (this is ip 87.240.131.1-254). On sites like “http://bgp.he.net/AS47541#_prefixes” you can see the ranges of IP addresses owned by AS companies.
Example commands:

ip firewall filter add chain=forward src-address-list=socialnetworks action=drop comment="Social Network" disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.97 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.103 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.117 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.120 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.143.245 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.143.246 disabled=no

The fourth option

through the protocol of the seventh level (all packets in which the specified expressions will be encountered will be discarded, so even chat messages that contain expressions can be blocked):

ip firewall layer7-protocol add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|odnoklasniki|facebook|youtube|loveplanet).*\$"
ip firewall filter add action=drop chain=forward comment="Block_social" layer7-protocol=social src-address-list=Block_social

See also my articles:
Blocking social networks on Cisco
Blocking social networks using iptables

Installing Huawei iManager U2000 NMS on Windows Server

I will describe the procedure for installing the Huawei iManager U2000 NMS server software on a Windows Server:

1) Run on behalf of the administrator file install.bat

2) Copyright. We read and agree with the license agreement by selecting “I accept the terms”.
Continue reading “Installing Huawei iManager U2000 NMS on Windows Server”