
1/30/2013

How do I secure a Cisco router from the Internet? Cisco Forum FAQ | DSLReports.com, ISP Information


Recommended Global and Interface Configurations



•Disable all non-essential services and features



no service pad

no ip finger

no ip bootp server

IOS 12.0 and later disable the TCP and UDP small servers (echo, chargen, discard, daytime) by default, but the HTTP server is still enabled by default on some platforms. Confirm all three explicitly rather than relying on the defaults:

no service tcp-small-servers

no service udp-small-servers

no ip http server

no ip source-route





Enable global security features



service password-encryption (obfuscates the passwords shown in the configuration as type 7, which is trivially reversible; it stops casual reading of show running-config output but is not a substitute for enable secret or for protecting the configuration file itself)

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service tcp-keepalives-in

logging buffered <50000> debugging

logging console warnings (if you don't log, you can't trace problems)

enable secret (stores the enable password as a one-way MD5 hash, type 5, instead of the reversible type 7 used by enable password; use it instead of, not alongside, enable password. Newer images offer stronger hashes via enable algorithm-type scrypt secret.)

no cdp run (if you don't need cdp at all)





Disable the following features per interface



no ip redirects

no ip unreachables

no ip directed-broadcast

no ip proxy-arp

no cdp enable (for exterior facing interfaces)

make sure all other interfaces not in use are administratively shut down





Enabling additional features



ip subnet-zero (enables networks on the 0 boundary)

ip classless (allows for CIDR netmasks)

enable access-lists per interface as necessary to restrict traffic to only the required communication (the inbound and outbound access-list examples further down show the syntax)

interface fastethernet 1/0
 ip access-group 101 out
 ip access-group 102 in

clock timezone (an accurate clock makes security logs more useful with timestamps)

clock summer-time recurring

NTP is the key to a synchronized clock, which is highly recommended for accurate timestamping of log entries. Note that ntp master makes the router advertise itself as an authoritative time source; without a reachable upstream ntp server its clients will happily synchronize to an unsynchronized clock.

ntp master
ntp update-calendar
ntp server <ntp-server-address>

snmp-server community <community-string> RO 10 (read-only SNMP access, restricted to the hosts in access-list 10. An SNMPv1/v2c community string travels in cleartext on the wire, so treat it as a password and prefer SNMPv3 where the image supports it.)

Add the IP addresses of only the hosts that need SNMP access to the router to access-list 10; keep the list short and explicit.

Use the banner command to state the obvious precautions upon login as a legal disclaimer

banner motd ^C
You Are Accessing Restricted Equipment
All Activities Are Monitored and Logged
Unauthorized Use Is Prohibited
By Accessing This System You Agree That Your Activities May Be Monitored and Logged
^C

Console, aux and vty configuration - use exec-timeout to log out idle users after 5 minutes

line con 0
 exec-timeout 5 0
 password 7 <######>
 login authentication no_tacacs
 transport input none
line aux 0
 exec-timeout 5 0
 password 7 <#######>
 login authentication test
 modem InOut
 transport input all
 stopbits 1
 speed 19200
 flowcontrol hardware
line vty 0 4
 exec-timeout 5 0
 password 7 <########>
 login authentication test
 transport input telnet

The login authentication lines refer to AAA method lists (no_tacacs and test) that must already be defined with aaa authentication login. The vty lines above accept telnet, which carries the password in cleartext; on an image with SSH support restrict them to SSH instead (transport input ssh) and apply an access-class so that only your management hosts can reach them. The aux line with modem InOut and transport input all is a dial-in door into the router: shut the line down or drop the modem settings if no modem is attached.





IOS version



Make sure you are running a version of IOS that is stable and is patched
for the latest known bugs, especially the SSH and SNMP vulnerabilities that were current when this FAQ was written; check Cisco's security advisories for the train you run before deploying.




Cisco Internet Inbound Access List




The following is a commented example of an Access List configuration
for a router that acts as a "choke" device on the inside or outside of 
a true firewall device. The 
! signifies a commented line in Cisco's 
notation. Non-commented lines are the actual configuration syntax as it
would be entered on the Cisco router.





The information supplied in this configuration is in no way guaranteed
or supported by the author to "secure" your network. This is meant to provide
an example of generally accepted configuration practices when securing
routers that provide access to untrusted networks.





This access-list should be applied inbound on your choke router to what 
is considered your external or outside interface. In most cases, for routers 
outside your firewall this will be some sort of WAN interface like a serial port, 
BRI interface, frame relay sub-interface, or ATM PVC. This filters traffic that 
is coming from the Internet or untrusted network "inbound" on the external 
interface connecting to the Internet.




--------------------------------------------------------------------------------







! Deny all standard external spoofing attacks and log all attempts
! from illegal addresses, your external block, and reserved space
! For obvious reasons, non-routable Internet addresses should not be allowed to
! come inbound. A favorite of hackers is to spoof private source addresses or
! even masquerade as public addresses on your own external networks.
!
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 255.0.0.0 0.255.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
deny ip host 0.0.0.0 any log-input
deny ip <your-external-block> <wildcard> any log-input
deny ip host <your-external-interface-address> any log-input
! Deny any abusive networks here...
!deny ip xxx.xxx.xxx.xxx 0.0.0.255 any log-input
! The commands below are all for routers being used as a firewall device.
! If you plan on using another device for a firewall, then do not add any other 
! configuration lines except for the following:
! permit ip any any
! If you plan on using your router as your only firewall device you can permit
! or deny particular services as outlined below. The following are only examples. 
! There are hundreds of services and non-standard configurations you may need to 
! allow based on your individual requirements. If you do not have the budget
! for a true firewall such as a PIX, Checkpoint or Netscreen, you should still use
! a router that is sized properly to do the job you need. A Cisco 2620 or 2640 
! should have plenty of CPU for Reflexive Access lists and Content Based Access 
! Control for a full T-1 worth of traffic. The other key component is RAM. Allow for 
! a minimum of 32MB or 64MB if possible. If your budget is still an issue, you are 
! probably better off building a firewall using a PC server (under $1000) with 2 
! network cards using Linux or NetBSD and IPChains firewall software. You can get a 
! lot more mileage out of a machine like that than a low-end Cisco router which 
! really wasn't designed for that purpose anyway.
!
! Include the inbound Reflexive Access-Lists if you are using this function
!
! *WARNING* Reflexive Access Lists are CPU and memory intensive on your router. 
! Make sure that your hardware is properly sized to support your volume of traffic.
!
! For further explanation of these services and port numbers please refer to 
! documentation for the specific protocols.
!
evaluate alliptraffic
! If you need to host any inbound services behind your router then the following 
! config may help you out with some example setups.
! Allow outside ftp sessions inbound
!
permit tcp any host <ftp-server> eq 21
! Allow active-mode ftp to work from inside your network (the remote server
! opens the data connection from its port 20 back to a high port on the client)
!
permit tcp any eq 20 host <ftp-client> gt 1024
! Note that this entry trusts the source port: any outside host that sends from
! TCP port 20 reaches every port above 1024 on that client. Reflexive access
! lists do not close this because they are not FTP-aware; CBAC (ip inspect name
! <name> ftp) tracks the data channel properly, or use passive-mode FTP and
! drop this entry altogether.
! Allow auth/identd traffic for smtp mail and for other client apps
!
permit tcp any host <host-1> eq 113
permit tcp any host <host-2> eq 113
! Allow smtp traffic inbound to mail servers
!
permit tcp any host <mail-server> eq smtp
! Allow http traffic inbound to all web servers
!
permit tcp any host <web-server> eq www
! Allow SSL traffic inbound to all SSL servers
!
permit tcp any host <ssl-server> eq 443
! Allow Microsoft PPTP/VPN sessions to connect inbound and log control channel
!
permit tcp any host <vpn-server> eq 1723 log-input
permit tcp any host <vpn-server> eq 1731
permit gre any host <vpn-server>
! Allow only certain remote addresses to perform tcp DNS transfers from
! specific DNS servers for secondary DNS service and log each connection
!
permit tcp host <secondary-dns> host <primary-dns> eq domain log-input
! Allow inbound client DNS requests to all DNS servers
!
permit udp any host <dns-server> eq domain
! Allow DNS resolution from the router's serial port for testing purposes
!
permit udp any eq 53 host <serial-interface-address>
! Allow time synchronization to occur on router from ISP
!
permit udp any eq ntp host <router-address> eq ntp
! The two entries above match on source port alone, so any outside host that
! sources from UDP 53 or 123 gets through to the router; tighten the source
! to your ISP's resolver and NTP server addresses.
! Allow only particular types of icmp packets inbound to
! maintain integrity of data flow and sanity and for troubleshooting etc.
!
permit icmp any <your-network> <wildcard> net-unreachable
permit icmp any <your-network> <wildcard> host-unreachable
permit icmp any <your-network> <wildcard> port-unreachable
permit icmp any <your-network> <wildcard> packet-too-big
permit icmp any <your-network> <wildcard> administratively-prohibited
permit icmp any <your-network> <wildcard> source-quench
permit icmp any <your-network> <wildcard> ttl-exceeded
permit icmp any <your-network> <wildcard> echo-reply
! Deny all other ICMP explicitly so it isn't logged
!
deny icmp any any
! Deny all other ip traffic explicitly and log it.
!
deny ip any any log-input


Cisco Internet Outbound Access List









This access-list should be applied inbound on your choke router to what
is considered your internal or inside interface. In most cases this will be some
sort of ethernet interface. It filters traffic that is heading toward the Internet
or untrusted network, which is "inbound" on that interface.





--------------------------------------------------------------------------------







! Deny RFC 1918 private source addresses from going outbound. It is not wise
! to let packets leak outside your network with your internal address information.
! This is the primary way that hackers learn about the configuration of private
! networks. These packets cannot be responded to anyway, since these networks are
! not routable on the Internet. They would only be reachable if you are using NAT on a
! device beyond this point in the network to translate to a publicly routable address.
!
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
! Keep any errant request for private addresses inside your network
! Just in case your internal routing table for some reason does not contain a route 
! that should be internal, and clients follow your default route toward the Internet 
! for requests that should stay inside your network. This is another way that hackers 
! can find out about your internal network is watching for internal requests that 
! accidentally get routed out to a public device that they can capture traffic from.
!
deny ip any 192.168.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
! Deny all netbios traffic going outbound since this is one of the top 3 most hacked
! or attacked protocols on the Internet. Users should not access netbios services on
! the Internet since it can very easily compromise NT Domain security and architecture.
! These three entries cover only the UDP NetBIOS ports 137-139; SMB over TCP 139
! and TCP 445 is not caught by them, so add matching deny tcp entries for those ports.
!
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
! Permit everything else from your internal network and build the
! reflexive access list alliptraffic with a timeout of 120 seconds
!
! This command allows all other traffic to pass through the interface and
! uses an IOS feature set called Reflexive Access Lists to build a dynamic
! access list for return traffic coming inbound from the Internet. That way a 
! command can be appended to an inbound access list to evaluate inbound packets against 
! "allowed" return traffic to sessions started from inside your network.
!
! *WARNING* This command is CPU and memory intensive on your router depending on the 
! volume of traffic flowing through the interface. I recommend at least a 2610 series 
! router with 32MB RAM minimum to support a full T-1 with this configuration.
!
permit ip <internal-network> <wildcard> any reflect alliptraffic timeout 120
deny ip any any log
! If this router is not being used as a firewall but more for just a choke device
! to enhance the security in front of or behind a firewall the following commands should
! replace the above commands... You should specifically define your networks that should 
! be allowed to go outbound and then deny everything else explicitly.
!
permit ip <internal-network> <wildcard> any
deny ip any any log
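To see how the inbound and outbound lists above actually behave, here is an added example that is not from the DSLReports FAQ or from Cisco: a small Python evaluator for the subset of IOS extended access-list syntax those two lists use, applying first-match semantics with the implicit deny at the end. The block 203.0.113.0/24 stands in for "your external block" and the server addresses inside it are invented for the example; the reflect and timeout keywords are accepted but not modelled (no return-traffic state is kept), so the outbound list is checked as a plain stateless filter.

```python
"""First-match evaluation of the IOS extended access-list entries used above.

Added example, not code from the DSLReports FAQ or from Cisco. It parses only
the syntax those two lists use (any, host A.B.C.D, A.B.C.D WILDCARD, eq/gt/lt
ports, one ICMP type keyword, log/log-input, and "reflect NAME timeout N", which
is accepted but not modelled). Addresses and packets below are constructed.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "ntp": 123,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# icmp_type is the IOS keyword (e.g. "echo-reply"); ports are 0 for non-TCP/UDP
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """any -> None; host A -> (A, 0); A WILDCARD -> (A, WILDCARD)."""
    t = tokens.pop(0)
    if t == "any":
        return None
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))

def _port(tokens):
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, p = tokens.pop(0), tokens.pop(0)
        return op, PORT_NAMES.get(p) or int(p)
    return None

def parse_acl(text):
    """One entry per line; '!' lines are IOS comments. Returns a list of dicts."""
    acl = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        l4 = tok[1] in ("tcp", "udp")
        ace = {"action": tok[0], "proto": tok[1], "text": line, "icmp_type": None}
        rest = tok[2:]
        ace["src"], ace["sport"] = _addr(rest), (_port(rest) if l4 else None)
        ace["dst"], ace["dport"] = _addr(rest), (_port(rest) if l4 else None)
        while rest:
            t = rest.pop(0)
            if t in ("reflect", "timeout"):
                rest.pop(0)  # reflexive ACL state is not modelled here
            elif tok[1] == "icmp" and t not in ("log", "log-input"):
                ace["icmp_type"] = t
            elif t not in ("log", "log-input"):
                raise ValueError(f"unsupported keyword {t!r} in {line!r}")
        acl.append(ace)
    return acl

def _addr_match(spec, addr):
    if spec is None:
        return True
    net, wild = spec
    return (_ip(addr) & ~wild) == (net & ~wild)  # wildcard 1 bits are don't-care

def _port_match(spec, port):
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p, "gt": port > p, "lt": port < p}[op]

def evaluate(acl, pkt):
    """(action, entry text) of the first matching entry; implicit deny at the end."""
    for ace in acl:
        if (ace["proto"] in ("ip", pkt.proto)
                and _addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)
                and _port_match(ace["sport"], pkt.sport) and _port_match(ace["dport"], pkt.dport)
                and ace["icmp_type"] in (None, pkt.icmp_type)):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"

# 203.0.113.0/24 (TEST-NET-3) stands in for "your external block" (assumption)
INBOUND = parse_acl("""
! anti-spoofing entries first, then exposed services, then the explicit denies
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
deny ip host 0.0.0.0 any log-input
deny ip 203.0.113.0 0.0.0.255 any log-input
permit tcp any host 203.0.113.25 eq smtp
permit tcp any eq 20 host 203.0.113.50 gt 1024
permit udp any host 203.0.113.53 eq domain
permit icmp any 203.0.113.0 0.0.0.255 echo-reply
deny icmp any any
deny ip any any log-input
""")

OUTBOUND = parse_acl("""
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
deny udp any any eq netbios-ns
deny udp any any eq netbios-ss
permit ip 203.0.113.0 0.0.0.255 any reflect alliptraffic timeout 120
deny ip any any log
""")
```

Running constructed packets through evaluate() shows three things the comments only hint at: a packet with a 10.0.0.0/8 source bound for the mail server is dropped by the anti-spoofing entry before the permit for smtp is ever reached, so entry order matters; the permit tcp any eq 20 ... gt 1024 entry admits any outside host that sources from TCP port 20 to every high port on that client; and the UDP netbios denies in the outbound list say nothing about SMB over TCP 445, which the reflexive permit lets straight through.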


Cisco Guide to Harden Cisco IOS Devices - Cisco Systems


1/23/2013

Cisco UCS Networking Best Practices (in HD)


RDP connection to Remote Desktop server running Windows Server 2008 R2 may fail with message 'The Local Security Authority cannot be contacted'.

The same connection may instead report 'the remote computer that was reached is not the one you specified'.

To work around the issue, change the remote desktop security on the RD server to RDP Security Layer, so the session uses Remote Desktop Protocol encryption only. Be aware of what this trades away: the RDP Security Layer drops the TLS (SSL) layer and with it server authentication, so the client can no longer verify that it reached the intended host. Both messages usually point at a certificate problem on the RD Session Host (expired, name mismatch, or an untrusted issuer) or at NLA/CredSSP failing, and fixing that keeps the stronger setting. Below are the steps for the workaround:

1. Navigate to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
2. With RD Session Host Configuration selected view under Connections.
3. Right click RDP Listener with connection type Microsoft RDP 6.1 and choose Properties.
4. In general tab of properties dialog box under Security, select RDP Security Layer as the Security Layer.
5. Click OK.

1/09/2013

Some code playing around with sending mail with an attachment from a powershell script. Also launching a packet capture from another process so I can asynchronously repeat a test while doing a capture. -> Although I was able to execute an external command that included variables (to build the command line with a custom value for delay and output file) I was not able to start a job to do that same thing. I resorted to creating a custom batch file for this script and defining tshark duration and output file in that BAT file. -- not as flexible as I was trying to be.

#INSTANCE 1
#  - Capture command:  C:\WORK\CAP1.BAT   (runs tshark with a fixed duration and output file)
#  - Output file:  CAP1OUT.CAP

$temp = "c:\work"
$test = "\\fs05\users\admin\test"            # folder being monitored
$threshold = 10                              # alert when the folder holds fewer items than this
$SmtpServer = "mail.usa.domain.com"
$emailfrom = "no-reply-monitor@domain.com"
$emailto = "administrator@domain.com"
$emailsubject = "Monitoring Output"
$emailbody = "Folder:  $test contains less than $threshold items"
$emailattachment = "c:\temp\file.txt"        # replaced with the capture file before sending

function send_email {
    # Reads the script-scope $email* variables; the attachment is the .cap file
    $mailmessage = New-Object System.Net.Mail.MailMessage
    $mailmessage.From = $emailfrom
    $mailmessage.To.Add($emailto)
    $mailmessage.Subject = $emailsubject
    $mailmessage.Body = $emailbody
    # a packet capture is binary, so do not label it text/plain
    $attachment = New-Object System.Net.Mail.Attachment($emailattachment, 'application/octet-stream')
    $mailmessage.Attachments.Add($attachment)
    #$mailmessage.IsBodyHTML = $true
    $SMTPClient = New-Object System.Net.Mail.SmtpClient($SmtpServer, 25)
    #$SMTPClient.Credentials = New-Object System.Net.NetworkCredential("$SMTPAuthUsername", "$SMTPAuthPassword")
    $SMTPClient.Send($mailmessage)
    $attachment.Dispose()                    # release the handle on the capture file
}#end-function

if ((Get-ChildItem $test).Count -lt $threshold) {
    "capturing for 30 s"
    ####################################################
    #     CAPTURE COMMAND
    $job = Start-Job { & cmd.exe /c "C:\WORK\CAP1.BAT" }
    ####################################################
    Start-Sleep 10                           # let tshark start before generating the test traffic
    "Testing Folder $test"
    Get-ChildItem $test | Out-Null
    "waiting 30 s"
    Start-Sleep 30
    Wait-Job $job | Out-Null
    Remove-Job $job
    "sending CAP file to $emailto"
    ####################################################
    #     OUTPUT FILE
    $emailattachment = "c:\work\cap1out.cap"
    ####################################################
    send_email
}

1/08/2013

8 Wireshark Filters Every Wiretapper Uses to Spy on Web Conversations and Surfing Habits « Null Byte

http://null-byte.wonderhowto.com/inspiration/8-wireshark-filters-every-wiretapper-uses-spy-web-conversations-and-surfing-habits-0134508/
ip.addr == x.x.x.x
     Packets with that IP address as either source or destination
ip.addr == x.x.x.x && ip.addr == y.y.y.y
     Conversation filter between the two IP addresses
http or dns
     Filter based on protocol
tcp.port == xxx
     Filter on a TCP port number (matches source or destination port)
tcp.flags.reset == 1
     Show all TCP resets. A TCP reset tears down a TCP connection immediately.
http.request
     All HTTP requests (GET, POST and the other methods). This shows the web pages being accessed for the most part.
tcp contains "string"
     TCP segments whose bytes contain the string; the value must be quoted (or given as hex bytes).
!(arp or icmp or dns)
     Filter protocols out. This example hides ARP, ICMP and DNS packets; without the leading ! the same expression shows only those three protocols.

Classical Data

Good blog doing what I am trying to do here.
Useful and various topics.