Category Archives: Networking

Networking

Enable SSH Cisco IOS

So I wanted to disable telnet and enable SSH only on the switches – take my 2950 and 3560 switches and change the following:
Change the hostname and generate the crypto keys
conf t
hostname HOSTNAMEHERE
ip domain-name HOSTDOMAINHERE
crypto key generate rsa
If this command is not recognized, the running IOS lacks crypto support and you need to upgrade to a K9 (cryptographic) IOS image first.
end
show ip ssh
wr mem

Enable the AAA authentication
conf t
service password-encryption
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
exit

Create the User
conf t
username CISCO password PASSWORD
end

Create passwords
conf t
enable secret PASSWORD
line con 0
password PASSWORD
line vty 0 4
no password
transport input ssh
line vty 5 15
no password
transport input ssh
exit

Set SSH arguments
conf t
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
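A quick way to confirm a switch actually ended up in the state the steps above aim for is to audit the running-config text rather than trusting memory. The following is an added example, not from the original post: it parses an IOS-style config (a constructed sample excerpt, with a deliberately incomplete second vty range) and reports anything that would still let a non-SSH login through. Hostnames, addresses and secrets in the sample are placeholders.

```python
import re

# Constructed sample running-config excerpt (not from the post). It follows the
# commands applied above, except that the last vty range still permits telnet.
SAMPLE_CONFIG = """\
hostname SW-CORE
ip domain-name example.internal
service password-encryption
aaa new-model
aaa authentication login default local
enable secret 5 $1$PLACEHOLDER
username CISCO secret 5 $1$PLACEHOLDER
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
line con 0
 password 7 PLACEHOLDER
line vty 0 4
 no password
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

# Global commands the post applies; each maps to the finding reported when absent.
GLOBAL_REQUIRED = {
    "hostname ": "hostname not set (needed for RSA key generation)",
    "ip domain-name ": "ip domain-name not set (needed for RSA key generation)",
    "aaa new-model": "aaa new-model missing (AAA not enabled)",
    "service password-encryption": "service password-encryption missing",
    "enable secret ": "enable secret missing",
    "ip ssh version 2": "SSH version 2 not enforced",
}


def parse_line_blocks(config):
    """Return {'vty 0 4': [sub-commands], ...} for every 'line ...' block.
    IOS indents the sub-commands of a line block by one space."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_ssh_hardening(config):
    """Return a list of human-readable findings; an empty list means SSH-only access."""
    findings = []
    lines = config.splitlines()
    for prefix, msg in GLOBAL_REQUIRED.items():
        if not any(line.startswith(prefix) for line in lines):
            findings.append(msg)
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append(f"line {name}: no 'transport input ssh' (default transport may allow telnet)")
        for t in transports:
            if t != "transport input ssh":
                findings.append(f"line {name}: '{t}' permits non-SSH access")
        if any(c.startswith("password") for c in cmds):
            findings.append(f"line {name}: line password set; AAA local login expected instead")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_hardening(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of `show running-config` saved to a file; the only finding on the sample is the `vty 5 15` range that still lists telnet, which is exactly the kind of leftover that survives a partial `transport input ssh` change.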

Upgrade Cisco IOS TFTP

I have a C3560G-24-TS that I needed to upgrade to the newest version with K9 instead of MZ (so I could enable crypto SSH).

Verify your version
show version

System image file is "flash:c3560-ipbase-mz.122-50.SE5/c3560-ipbase-mz.122-50.SE5.bin"

View the files on your flash drive
dir flash:
In my case I had a folder called “c3560-ipbase-mz.122-50.SE5” with “c3560-ipbase-mz.122-50.SE5.bin” located inside
Also, the newest IOS required 15,072,310 bytes available and my switch had over 20MB free. If I had less than 15MB available I would have to delete the old configuration first.

Copy the old file from your switch to your TFTP
copy flash: tftp:

Source filename: c3560-ipbase-mz.122-50.SE5/c3560-ipbase-mz.122-50.SE5.bin
Address or name of remote host: 192.168.1.222 (your TFTP server)
Destination filename: I just hit enter with the defaults

Copy the new file from your TFTP to your Switch
copy tftp: flash:

Address or name of remote host: 192.168.1.222 (your TFTP server)
Source filename: c3560-ipbasek9-mz.122-58.SE2.bin
Destination filename: I just hit enter with the defaults

Verify the file has been uploaded
dir flash:
Technically you should be able to run verify flash:filenamehere, but I was receiving errors

Change the boot image to the new file
show boot
– notice the BOOT path-list is flash:c3560-ipbase-mz.122-50.SE5/c3560-ipbase-mz.122-50.SE5.bin
conf t
boot system flash:c3560-ipbasek9-mz.122-58.SE2.bin
exit
show boot

– notice the new BOOT path-list is flash:c3560-ipbasek9-mz.122-58.SE2.bin

wr mem
show version

Reload/Reboot the switch
reload
show ver

Add Public IP To DD-WRT

Customer has a Comcast line (50/10) with 5 static IP addresses (/29 or .248, 1 IP used for the gateway) that they wanted to assign to various internal devices. I attempted to talk them into an actual firewall solution (either an ASA5505 or an Untangle system for roughly $400 plus my “fees”), but they were looking more into the sub-$100 range. After a bunch of options and a little bit of back and forth, they settled on buying a pair of refurbished E2000 Linksys Routers; one for the primary, and the second for a backup. Total cost for hardware: $85.

Unfortunately I needed to learn how to make their router work with additional public IPs. I’ve disliked the default (stock) interface of any home/small business router since the beginning of time, so I ended up installing dd-wrt on both of the routers. http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT

Just set the router up as you would if you only had a single IP address. In my case I’ll use 173.x.x.0 as my public network:
173.x.x.0 network
173.x.x.1 Public 1
173.x.x.2 Public 2
173.x.x.3 Public 3
173.x.x.4 Public 4
173.x.x.5 Public 5
173.x.x.6 gateway
173.x.x.7 broadcast
And I’ll also use 192.168.1.0 as my internal private NAT network. My default configuration for the router then was a static WAN 173.x.x.1, with an internal IP of 192.168.1.1 (DHCP from 192.168.1.100-254)

From here, click on Administration, and then on the Commands tab.
In the text box, type the following (obviously I’m adding ALL other public IPs to my configuration. Edit as appropriate):

WANIF=`/sbin/get_wanface`
/sbin/ifconfig $WANIF:1 173.x.x.2 netmask 255.255.255.248 broadcast 173.x.x.7
/sbin/ifconfig $WANIF:2 173.x.x.3 netmask 255.255.255.248 broadcast 173.x.x.7
/sbin/ifconfig $WANIF:3 173.x.x.4 netmask 255.255.255.248 broadcast 173.x.x.7
/sbin/ifconfig $WANIF:4 173.x.x.5 netmask 255.255.255.248 broadcast 173.x.x.7

Now click on the Save Startup button. You should then see it after a page refresh. Basically this will add the vlan2:1 through vlan2:4 to your configuration.

Now that the virtual interfaces are configured, we need firewall rules to enable access. IPTables will enable this access. In that same box, type:

/usr/sbin/iptables -t nat -I PREROUTING -d 173.x.x.2 -j DNAT --to 192.168.1.x
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.x -j SNAT --to 173.x.x.2

This creates the inbound and outbound rules that translate between the public and private addresses. Add a matching pair for each of the other public IP addresses if applicable. Click on Save Firewall and you should then see the configuration after a page refresh.

If you want to add specific port forwards to these new IP addresses, you must utilize the following template:

/usr/sbin/iptables -t nat -I PREROUTING -d 173.x.x.2 -j DNAT --to 192.168.1.x
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.x -j SNAT --to 173.x.x.2
/usr/sbin/iptables -I FORWARD -d 173.x.x.2 -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 173.x.x.2 -p tcp --dport 22 -j ACCEPT

Then reboot your router.

After a reboot, you can telnet to your router and verify that the iptables NAT rules are present:

telnet 192.168.1.1 root/admin
iptables -t nat -L
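Typing four interface aliases and a dozen iptables lines by hand is where the `--to`/`--dport` typos and mismatched netmasks creep in. The following is an added example (not part of the original post or of DD-WRT) that generates both boxes from one mapping table, refusing any public address outside the /29. The mapping, the 203.0.113.0/29 network (a documentation range standing in for the post's 173.x.x.0/29) and the private hosts are constructed. Note that the filter table's FORWARD chain sees the packet after PREROUTING has already applied the DNAT, so the per-port allow rules here match on the private destination address.

```python
import ipaddress

# Constructed mapping (not from the post): public IP -> (private host, allowed TCP ports).
ONE_TO_ONE = {
    "203.0.113.2": ("192.168.1.10", [80, 443]),
    "203.0.113.3": ("192.168.1.11", [22]),
}
# Constructed stand-in for the post's 173.x.x.0/29 (netmask 255.255.255.248).
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/29")


def startup_commands(mappings, public_net):
    """Lines for the Administration > Commands box saved with 'Save Startup':
    one ifconfig alias per extra public IP, numbered $WANIF:1, $WANIF:2, ..."""
    lines = ["WANIF=`/sbin/get_wanface`"]
    for idx, pub in enumerate(mappings, start=1):
        if ipaddress.ip_address(pub) not in public_net:
            raise ValueError(f"{pub} is outside {public_net}")
        if ipaddress.ip_address(pub) == public_net.broadcast_address:
            raise ValueError(f"{pub} is the broadcast address of {public_net}")
        lines.append(
            f"/sbin/ifconfig $WANIF:{idx} {pub} netmask {public_net.netmask} "
            f"broadcast {public_net.broadcast_address}"
        )
    return lines


def firewall_commands(mappings):
    """Lines for the box saved with 'Save Firewall': 1:1 NAT in both directions,
    plus a FORWARD allow rule per permitted TCP port on the private host."""
    lines = []
    for pub, (priv, ports) in mappings.items():
        lines.append(f"/usr/sbin/iptables -t nat -I PREROUTING -d {pub} -j DNAT --to {priv}")
        lines.append(f"/usr/sbin/iptables -t nat -I POSTROUTING -s {priv} -j SNAT --to {pub}")
        for port in ports:
            # post-DNAT, the forwarded packet's destination is the private host
            lines.append(f"/usr/sbin/iptables -I FORWARD -d {priv} -p tcp --dport {port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    print("# --- Save Startup ---")
    print("\n".join(startup_commands(ONE_TO_ONE, PUBLIC_NET)))
    print("# --- Save Firewall ---")
    print("\n".join(firewall_commands(ONE_TO_ONE)))
```

Paste each printed section into the corresponding DD-WRT box; hosts with an empty port list get the 1:1 translation but no inbound allow rule, which keeps them outbound-only.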

NPS Radius 2008 Cisco ASA VPN

I had IAS working on a 2003 server as a RADIUS server for authentication to a Cisco ASA for VPN connectivity.

1. Create a RADIUS Client on the NPS.

2. Create a Network Policy as follows:

  1. Right-click Network Policies and click New.
  2. Type a policy name, accept the defaults, and click Next.
  3. Add a condition (I used a Windows group with my users in it), then click Next.
  4. Make sure the Access granted radio button is selected and click Next.
  5. Select “Unencrypted authentication (PAP, SPAP)” and unselect the rest.
  6. Select No on the annoying help box.
  7. Finally click Next, Next, and then Finish to complete.

3. Configure your Cisco device for RADIUS as you would have with 2k3.

Security Onion

After reading some more SANS security documents I was pointed toward Security Onion as my go-to for IDS/IPS. I had been using Snorby TKL by smooth-sec (Bailey.st), but it wasn’t doing a great job and the documentation was lacking. Security Onion is more of a resource hog but offers quite a few awesome tools. Here is my basic setup to get Security Onion working properly:

Download ISO, burn, Install on a server (Dell PE1850, 2x 2.8GHz Xeon, 16GB RAM, Mirror 300GB SCSI)

Added Root User – I still dislike all this “sudo this” and “sudo that”
sudo passwd root

Update Operating system
apt-get update
apt-get upgrade

Update Onion
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Turn off sensor for Eth1 (assuming Eth0 is mirror port and Eth1 is LAN)
nsm_sensor_ps-stop --sensor-name=YOURSERVERNAME-eth1
nano /etc/nsm/sensortab
Comment out the Interface to disable

Reboot
reboot

Remove SIDs/Block Addresses (*OLD*)
Disabling a SID stops Snort from even reporting on that rule – by default ALL rules are enabled
nano /etc/pulledpork/disablesid.conf

1:1411-1:1419,1:OTHERRULES,1:ETC

/usr/local/bin/pulledpork_update.sh
nsm_sensor_ps-stop
nsm_sensor_ps-start

Remove SIDs/Block Addresses (*NEW*)
Disabling a SID stops Snort from even reporting on that rule – by default ALL rules are enabled
nano /etc/nsm/pulledpork/disablesid.conf

1:1411-1:1419,1:OTHERRULES,1:ETC

/usr/bin/rule-update
nsm_sensor_ps-stop
nsm_sensor_ps-start

Blocking IPs with a BPF filter stops Snort from inspecting traffic for certain hosts at all – by default traffic from ALL hosts is inspected
nano /etc/nsm/YOURSERVERNAME-eth1/bpf.conf

Add the following template:

#Nothing from src host to dst port
!(src host xxx.xxx.xxx.xxx && dst port 161) &&
#Nothing from src host to dst host and dst port
!(src host xxx.xxx.xxx.xxx && dst host xxx.xxx.xxx.xxx && dst port 80) &&
#Nothing to or from:
!(host xxx.xxx.xxx.xxx) &&
#Last entry has no final &&
!(host xxx.xxx.xxx.xxx)

nsm_sensor_ps-restart
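The one thing that breaks a bpf.conf is the trailing `&&` on the last clause, which the template above calls out. As an added example (not from the original post or from Security Onion), the following builds the filter from a list of exclusion entries in the same three shapes as the template and only omits the `&&` on the final clause, so the list can be edited without re-checking the ending by hand. The exclusion list and its addresses are constructed stand-ins.

```python
# Constructed exclusion list (not from the post); each entry mirrors one of the
# template forms: src host + dst port, src host + dst host + dst port, or host.
EXCLUSIONS = [
    {"src": "192.0.2.10", "dst_port": 161, "note": "Nothing from SNMP poller to dst port 161"},
    {"src": "192.0.2.11", "dst": "198.51.100.5", "dst_port": 80, "note": "Nothing from monitor to web host port 80"},
    {"host": "192.0.2.99", "note": "Nothing to or from the vulnerability scanner"},
    {"host": "192.0.2.100", "note": "Nothing to or from the backup server"},
]


def clause(entry):
    """Render one negated BPF clause, e.g. '!(src host 192.0.2.10 && dst port 161)'."""
    terms = []
    if "host" in entry:
        terms.append(f"host {entry['host']}")
    if "src" in entry:
        terms.append(f"src host {entry['src']}")
    if "dst" in entry:
        terms.append(f"dst host {entry['dst']}")
    if "dst_port" in entry:
        terms.append(f"dst port {entry['dst_port']}")
    if not terms:
        raise ValueError(f"exclusion has no match terms: {entry}")
    return "!(" + " && ".join(terms) + ")"


def build_bpf(entries):
    """Return bpf.conf text: a comment line per entry, clauses joined by '&&',
    and no trailing '&&' after the last clause."""
    if not entries:
        return ""
    lines = []
    last = len(entries) - 1
    for i, entry in enumerate(entries):
        lines.append("#" + entry.get("note", "exclusion"))
        lines.append(clause(entry) + (" &&" if i < last else ""))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_bpf(EXCLUSIONS), end="")
```

Write the output to /etc/nsm/YOURSERVERNAME-eth1/bpf.conf and restart the sensor as above; an empty exclusion list yields an empty file, which is the same as having no filter.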

Proxmox 2.0RC1 LAN Setup

Here is my hardware:
3x R610 Servers with 4x onboard broadcom gigabit interfaces and 4x riser intel gigabit interfaces
2x Dell 6224 iSCSI managed L3 switches with 20Gbps stacking cables (iSCSI and Backup)
1x Dell EqualLogic PS4100X SAN (24x 2.5″ 600GB SAS)
1x Cisco 3560X switch (LAN)

And my situation:
I needed to get the 3 R610 servers to communicate to the SAN LUN(s), a backup network, and the user LAN via the above equipment list. And it needed to be fairly quick – iSCSI over ethernet with bonded gigabit connections quick.

My configuration per proxmox server:
prox_lan_setup.txt
I made it a text document as that’s a lot easier to see.

Unfortunately I learned that EqualLogic SANs will not use bonded connections – they want MPIO. My configuration now has MPIO for iSCSI and LACP (802.3ad) for the LAN.

Syslog Log ASA VPN AnyConnect

I was recently tasked with logging when users would connect and disconnect from the VPN – I believe the intent is to keep track of hours, but it was proposed as a way to keep track of users in terms of security violations. Either way I needed to come up with a solution.

Here was the setup and results:
ASA5510 with anyconnect VPN licensing
Windows RADIUS (via ISA Services) for authentication
All ASA connect requests were logged via the eventviewer on the Windows RADIUS server
Disconnects or timeouts were not logged on the server

So I had half of the equation, just needed to capture and log the disconnects as well.

Unfortunately, the RADIUS only requires authentication. There was no “hey please give me permission to disconnect” going on. Lucky for me I also have a kiwi syslog server running on the premises. Kiwi free, in case you’re wondering.

So just set the ASA to send syslog data to your syslog server, and parse out the following Message IDs (these are for the AnyConnect client; other clients, including IPsec, use different numbers):
722022: Connect
722023: Disconnect
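Once the syslog server has both message IDs, turning them into connect/disconnect pairs per user is a small parsing job. The following is an added example, not from the original post or from Kiwi: it reads a handful of constructed syslog lines written in the format Cisco documents for 722022/722023 (`Group <g> User <u> IP <ip> TCP|UDP SVC connection established/terminated ...`), pairs each connect with the next disconnect for the same user and source IP, and reports session length. Usernames, addresses, hostnames and the year are constructed placeholders. AnyConnect logs one 722022/722023 pair for the TCP tunnel and another for the DTLS (UDP) tunnel, so the tracker keys on the TCP tunnel only to avoid double-counting.

```python
import re
from datetime import datetime

# Constructed syslog lines (not from the post). The date/host prefix is the syslog
# server's; the %ASA-6-7220xx body follows Cisco's documented message text.
SAMPLE_LOG = """\
Mar 12 08:01:10 asa-edge %ASA-6-722022: Group <VPN-Staff> User <jsmith> IP <198.51.100.20> TCP SVC connection established without compression
Mar 12 08:01:11 asa-edge %ASA-6-722022: Group <VPN-Staff> User <jsmith> IP <198.51.100.20> UDP SVC connection established without compression
Mar 12 09:30:45 asa-edge %ASA-6-722023: Group <VPN-Staff> User <jsmith> IP <198.51.100.20> TCP SVC connection terminated without compression
Mar 12 09:30:45 asa-edge %ASA-6-722023: Group <VPN-Staff> User <jsmith> IP <198.51.100.20> UDP SVC connection terminated without compression
Mar 12 10:15:00 asa-edge %ASA-6-722022: Group <VPN-Staff> User <adoe> IP <203.0.113.7> TCP SVC connection established without compression
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+%ASA-\d-(?P<id>72202[23]):\s+"
    r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>\s+(?P<proto>TCP|UDP) SVC"
)


def parse_ts(ts, year):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2012 below)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def track_sessions(log_text, year=2012):
    """Pair 722022 (connect) with 722023 (disconnect) per (user, source IP).
    Returns (closed_sessions, still_open) where still_open maps the key to (group, start)."""
    open_sessions = {}
    closed = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP":   # skip non-matching lines and the DTLS tunnel
            continue
        key = (m["user"], m["ip"])
        when = parse_ts(m["ts"], year)
        if m["id"] == "722022":
            open_sessions[key] = (m["group"], when)
        elif key in open_sessions:         # 722023 with no prior connect is ignored
            group, start = open_sessions.pop(key)
            closed.append({
                "user": m["user"], "ip": m["ip"], "group": group,
                "start": start, "end": when,
                "minutes": round((when - start).total_seconds() / 60),
            })
    return closed, open_sessions


if __name__ == "__main__":
    done, still_open = track_sessions(SAMPLE_LOG)
    for s in done:
        print(f"{s['user']} from {s['ip']} ({s['group']}): {s['start']:%H:%M} - {s['end']:%H:%M}, {s['minutes']} min")
    for (user, ip), (group, start) in still_open.items():
        print(f"{user} from {ip} ({group}): connected {start:%H:%M}, no disconnect logged")
```

Sessions that never receive a 722023 (the case the post set out to catch) stay in the still-open map, which is the list worth reviewing at the end of the day; a disconnect with no matching connect is dropped rather than producing a negative duration.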