Cisco IOS DNS auth/recursive

ip dns view Event-Wifi
domain timeout 5
dns forwarder 208.67.222.222
dns forwarder 208.67.220.220
ip dns view-list Event-Wifi
view Event-Wifi 100
restrict source access-group 2
!
ip dns server view-group Event-Wifi
ip dns server
ip dns primary event.wifi soa ns.event.wifi postmaster.event.wifi 21600 900 7776000 86400

Cisco IOS reflexive ACL

interface Cellular0
ip access-group public-inbound-packet-catcher in
ip access-group public-outbound-packet-listener out
!
ip access-list extended public-inbound-packet-catcher
remark -= icmp permits and denies =-
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny icmp any any
permit tcp any any eq 1723
permit gre any any
permit udp any eq isakmp any eq isakmp
permit esp any any
remark -= allow ssh, http and dns replies =-
remark -= sport 53 rule: the router's own forwarder queries are not reflected =-
remark -= but it also admits any udp with source port 53 =-
permit tcp any any eq 22 log
permit tcp any any eq www log
permit udp any eq domain any
remark -= returning traffic =-
evaluate outside-access-in-reflexive-temporary-list
deny ip any any log-input
ip access-list extended public-outbound-packet-listener
remark -= only tcp and udp are reflected; other protocols from inside hit the implicit deny =-
permit tcp any any reflect outside-access-in-reflexive-temporary-list timeout 3600
permit udp any any reflect outside-access-in-reflexive-temporary-list timeout 3600
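To make the `reflect`/`evaluate` pair above traceable, here is a small model of the mechanism as an added example (not router code and not from the page's author): an outbound TCP/UDP hit creates a mirrored 5-tuple entry with an idle timeout, and the inbound ACL consults that entry only after its static permits. Hosts, ports and timestamps are made up; the 3600 s timeout and the static permits follow the page's ACLs. ICMP, GRE and ESP are left out because the model only carries TCP and UDP, the two protocols the outbound ACL reflects.

```python
"""Model of a Cisco IOS reflexive ACL (added illustration, not router code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveList:
    """Temporary entries created by `permit <proto> any any reflect NAME timeout T`."""

    def __init__(self, timeout: int = 3600):
        self.timeout = timeout
        # mirrored 5-tuple expected on the return path -> time last seen
        self.entries = {}

    def reflect(self, pkt: Packet, now: float) -> None:
        """Outbound packet seen: create the mirror entry (dst/dport become src/sport)."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now

    def evaluate(self, pkt: Packet, now: float) -> bool:
        """Inbound packet: permitted only if an unexpired mirror entry exists."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        seen = self.entries.get(key)
        if seen is None:
            return False
        if now - seen > self.timeout:      # idle longer than `timeout`: entry is gone
            del self.entries[key]
            return False
        self.entries[key] = now            # traffic in the session refreshes the idle timer
        return True


def inbound_decision(pkt: Packet, rlist: ReflexiveList, now: float) -> str:
    """public-inbound-packet-catcher: static permits, then `evaluate`, then deny."""
    if pkt.proto == "tcp" and pkt.dport in (1723, 22, 80):
        return "static"                      # pptp, ssh, www
    if pkt.proto == "udp" and pkt.sport == 500 and pkt.dport == 500:
        return "static"                      # isakmp
    if pkt.proto == "udp" and pkt.sport == 53:
        return "static"                      # permit udp any eq domain any
    if rlist.evaluate(pkt, now):
        return "reflexive"
    return "deny"                            # deny ip any any log-input


def demo() -> dict:
    """One inside client's TCP session plus a few unsolicited inbound packets (constructed)."""
    rl = ReflexiveList(timeout=3600)
    inside, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    rl.reflect(Packet("tcp", inside, 40000, server, 443), now=0)   # outbound ACL hit
    return {
        "reply":   inbound_decision(Packet("tcp", server, 443, inside, 40000), rl, now=10),
        "spoof":   inbound_decision(Packet("tcp", attacker, 443, inside, 40000), rl, now=10),
        "late":    inbound_decision(Packet("tcp", server, 443, inside, 40000), rl, now=10 + 3601),
        "sport53": inbound_decision(Packet("udp", attacker, 53, inside, 3389), rl, now=10),
    }
```

The `spoof` and `late` cases show why the mirrored tuple and the idle timeout matter; the `sport53` case shows the cost of the static `permit udp any eq domain any`: any UDP datagram with source port 53 reaches inside hosts without a reflexive entry.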


Basic IOS config (incl. VTP and NTP)

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
clock timezone CET 1 0
clock summer-time SUM recurring last Sun Mar 2:00 last Sun Oct 3:00
!
aaa new-model
aaa authentication login local local
!
vtp mode transparent
!
username outeradmin secret PASSWORD
!
enable secret PASSWORD
!
no ip domain-lookup
!
ip domain-name routit.net
!
spanning-tree mode rapid-pvst
!
no ip http server
no ip http secure-server
!
banner exec ^

Organisation : winfred.nl
Location     : site
Management   : someone @ winfred . nl
Installation : someone @ winfred . nl

^
banner motd ^
Warning !!!
Access to this system and to information obtained through
these systems is strictly confidential and the property of

MOI

Access to these systems and information is permitted only with the express
consent of the owner; any other form of access
is not allowed and may have legal consequences.
^
!
! NMS station SNMP
access-list 1 permit 172.31.180.10
!
! NMS station SSH
access-list 23 permit 10.35.0.0 0.0.255.255
!
line con 0
line vty 0 15
session-timeout 5
access-class 23 in
login authentication local
transport input ssh
!
snmp-server community 754d7066ab385bb0d44b6361d78faef1 RO 1
snmp-server ifindex persist
snmp-server location site
snmp-server contact someone @ winfred . nl
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps tty
!
! ntp update-calendar
! ntp0.nl.uu.net
ntp server 193.67.79.202
! ntp.pool.tu.nl
ntp server 193.79.237.14 prefer
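The baseline above is the kind of thing that drifts between devices, so here is a line-level check for its management-plane settings as an added example (not Cisco tooling and not the page author's script). SAMPLE_CONFIG is constructed from the page's snippet with the placeholders kept; WEAK_CONFIG is a constructed counter-example showing what gets flagged. The check names and what they test are my choices; the parser only handles the one-space child indentation IOS uses.

```python
"""Management-plane checks over an IOS running-config (added example)."""
import re

SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login local local
enable secret PASSWORD
no ip http server
no ip http secure-server
access-list 1 permit 172.31.180.10
access-list 23 permit 10.35.0.0 0.0.255.255
line con 0
line vty 0 15
 session-timeout 5
 access-class 23 in
 login authentication local
 transport input ssh
snmp-server community 754d7066ab385bb0d44b6361d78faef1 RO 1
ntp server 193.67.79.202
ntp server 193.79.237.14 prefer
"""

# Constructed weak variant: telnet on the vty, default SNMP names, HTTP on, no timeouts.
WEAK_CONFIG = """\
ip http server
line con 0
line vty 0 4
 transport input telnet ssh
 login
snmp-server community public RO
snmp-server community private RW 1
"""


def parse_lines(config: str) -> dict:
    """{'' : [global lines], 'line vty 0 15': [child lines], ...}; comments skipped."""
    sections = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                # child of the most recent mode line
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    s = parse_lines(config)
    g = s[""]
    findings = []
    if "service password-encryption" not in g:
        findings.append("no service password-encryption")
    if not any(l.startswith("enable secret") for l in g):
        findings.append("no enable secret configured")
    for bad in ("ip http server", "ip http secure-server"):
        if bad in g:
            findings.append(f"{bad} enabled")
    if "aaa new-model" not in g:
        findings.append("aaa new-model missing")
    if not any(l.startswith("ntp server") for l in g):
        findings.append("no ntp server")
    # SNMP: flag default names, communities without an ACL, and read-write access
    # (the `view` form of the command is not parsed here).
    for l in g:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", l)
        if not m:
            continue
        name, mode, acl = m.groups()
        if name.lower() in ("public", "private"):
            findings.append(f"snmp community '{name}' is a default name")
        if acl is None:
            findings.append(f"snmp community '{name}' ({mode}) has no ACL")
        if mode == "RW":
            findings.append(f"snmp community '{name}' is read-write")
    # Terminal lines: ssh-only and source-restricted vtys, idle timeouts everywhere.
    for parent, children in s.items():
        if not parent.startswith("line "):
            continue
        if parent.startswith("line vty"):
            ti = [c for c in children if c.startswith("transport input")]
            if not ti or ti[-1] != "transport input ssh":
                findings.append(f"{parent}: transport input is not ssh-only")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{parent}: no access-class restricting sources")
        if not any(c.startswith(("exec-timeout", "session-timeout")) for c in children):
            findings.append(f"{parent}: no exec-timeout/session-timeout")
    return findings
```

Run against the page's own snippet the only finding is the bare `line con 0`, which has no idle timeout; the weak variant produces thirteen.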


Background:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/334-cisco-router-ntp.html

ASA basic | fail-over

Check the context mode:

ASA-lab# sh mode
Security context mode: multiple

Remove the call-home config:

ASA-lab(config)# clear config call-home
ASA-lab(config)# no service call-home

Create the admin context:

ASA-lab(config)# admin-context admin
Creating context 'admin'... Done. (1)

Create the interfaces:

interface GigabitEthernet0/0
 channel-group 1 mode active
 speed 1000
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 speed 1000
!
interface GigabitEthernet0/2
 description FailOver HA
 speed 1000
!
interface GigabitEthernet0/3
 description FailOver FT
 speed 1000
!
interface Port-channel1
!
interface Port-channel1.300
 description ASA-Lab HA
 vlan 300
!
interface Port-channel1.301
 description ASA-Lab FT
 vlan 301
!
interface Port-channel1.302
 description ASA-Lab Admin
 vlan 302

Configure the admin context:

ASA-lab(config)# context admin
ASA-lab(config-ctx)# description Admin-context
ASA-lab(config-ctx)# config-url disk0:/admin-beheer.cfg

WARNING: Could not fetch the URL disk0:/admin-beheer.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.

ASA-lab(config-ctx)# allocate-interface Port-channel1.302 Beheer

Configure failover (enable it with the bare `failover` command only after the LAN interface, key and addresses are in place):

interface Redundant1
 member-interface GigabitEthernet0/2

Primary UNIT:

failover lan unit primary
failover lan interface LAN Redundant1
failover key PASSWORD
failover replication http
failover link LAN Redundant1
failover interface ip LAN 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover group 1
 replication http
failover
 
Secondary UNIT:
 
failover lan unit secondary
failover lan interface LAN Redundant1
failover key PASSWORD
failover replication http
failover link LAN Redundant1
failover interface ip LAN 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover group 1
 replication http
failover
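The two unit blocks have to agree on everything except the unit role, and the bare `failover` must come after the LAN interface it will use. Here is that comparison as an added example (not Cisco tooling and not the page author's own script). PRIMARY and SECONDARY are constructed from the blocks above with a placeholder key; the check names are mine.

```python
"""Consistency check for the failover stanza of an ASA pair (added example)."""

PRIMARY = """\
failover lan unit primary
failover lan interface LAN Redundant1
failover key PASSWORD
failover replication http
failover link LAN Redundant1
failover interface ip LAN 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover group 1
 replication http
failover
"""

# The secondary carries the identical stanza apart from its role line.
SECONDARY = PRIMARY.replace("failover lan unit primary", "failover lan unit secondary")

ROLE_PREFIX = "failover lan unit "


def failover_lines(cfg: str) -> list:
    return [l.rstrip() for l in cfg.splitlines() if l.strip()]


def check_unit(role: str, lines: list) -> list:
    """Per-unit checks: exactly one correct role line, a key, and `failover` after the LAN interface."""
    problems = []
    roles = [l for l in lines if l.startswith(ROLE_PREFIX)]
    if roles != [ROLE_PREFIX + role]:
        problems.append(f"{role}: expected exactly '{ROLE_PREFIX}{role}'")
    if not any(l.startswith("failover key ") for l in lines):
        problems.append(f"{role}: no failover key, so the failover/state link runs in clear text")
    if "failover" not in lines:
        problems.append(f"{role}: failover never enabled")
    else:
        link_at = next((i for i, l in enumerate(lines)
                        if l.startswith("failover lan interface ")), None)
        if link_at is None or lines.index("failover") < link_at:
            problems.append(f"{role}: 'failover' comes before 'failover lan interface'")
    return problems


def check_pair(primary: str, secondary: str) -> list:
    """All per-unit problems plus every line that exists on only one of the two units."""
    p, s = failover_lines(primary), failover_lines(secondary)
    problems = check_unit("primary", p) + check_unit("secondary", s)
    shared_p = {l for l in p if not l.startswith(ROLE_PREFIX)}
    shared_s = {l for l in s if not l.startswith(ROLE_PREFIX)}
    problems += [f"only on one unit: {l}" for l in sorted(shared_p ^ shared_s)]
    return problems
```

A mismatched key shows up as two "only on one unit" lines, one per unit, which is exactly the symptom to look for when the pair never reaches Active/Standby.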

Configure the admin context from inside the context:

ASA-lab# changeto context admin

interface Beheer
 nameif Beheer
 security-level 100
 ip address 192.0.2.1 255.255.255.248 standby 192.0.2.2
!
http server enable
http 192.0.2.0 255.255.255.0 Beheer
!
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication secure-http-client


DH group X ; The Logjam Attack

https://weakdh.org/


Highlight:

“We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break”.


These are the sizes of the DH groups (groups 19 and 20 are elliptic-curve groups, so their bit sizes are not directly comparable with the MODP groups; a 256-bit curve is roughly equivalent to a 3072-bit MODP group):

  • DH Group 1: 768-bit group
  • DH Group 2: 1024-bit group
  • DH Group 5: 1536-bit group
  • DH Group 14: 2048-bit group
  • DH Group 15: 3072-bit group
  • DH Group 19: 256-bit elliptic curve group
  • DH Group 20: 384-bit elliptic curve group
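The practical consequence of the weakdh.org estimates for a Cisco box is in its IKE policies, so here is a check that reads them and reports every policy whose Diffie-Hellman group falls under the quoted estimates, as an added example (not part of the page and not Cisco tooling). SAMPLE is a constructed IOS config with IKEv1 policies and IKEv2 proposals; the MODP sizes are the list above plus groups 16 (4096-bit) and 21 (521-bit ECP), and the MODP-equivalent strengths for the ECP groups follow NIST SP 800-57. Where a proposal lists several groups, the weakest one counts, because that is the one a peer (or an attacker negotiating as one) can select.

```python
"""Flag IKE policies with DH groups under the weakdh.org estimates (added example)."""
import re

MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
ECP_EQUIV = {19: 3072, 20: 7680, 21: 15360}       # comparable MODP size, NIST SP 800-57
DEFAULT_GROUP = {"isakmp policy": 1, "ikev1 policy": 2}   # IOS IKEv1 / ASA IKEv1 defaults

# Constructed sample: one 1024-bit IKEv1 policy, one 2048-bit one, an IKEv2
# proposal that still offers group 5 next to 19 and 14, and a clean one.
SAMPLE = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ikev2 proposal LEGACY
 encryption aes-cbc-256
 integrity sha256
 group 19 14 5
crypto ikev2 proposal MODERN
 encryption aes-gcm-256
 prf sha384
 group 20
"""


def policies(config: str) -> dict:
    """Map each IKE policy/proposal to the DH groups it offers (order kept)."""
    out = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ((?:isakmp|ikev1) policy \d+|ikev2 (?:proposal|policy) \S+)$", line)
        if m:
            current = m.group(1)
            out[current] = []
        elif current and line.startswith("group "):
            out[current].extend(int(g) for g in line.split()[1:])
    return out


def strength_bits(group: int) -> int:
    """MODP-equivalent strength; unknown group numbers raise KeyError on purpose."""
    return ECP_EQUIV.get(group) or MODP_BITS[group]


def audit(config: str, floor_bits: int = 2048) -> list:
    """(policy, weakest group, assessment) for every policy whose weakest group is under the floor."""
    findings = []
    for name, groups in policies(config).items():
        if not groups:                      # IKEv1 policy without `group` falls back to the default
            kind = name.rsplit(" ", 1)[0]
            if kind not in DEFAULT_GROUP:
                continue                    # IKEv2 proposal without a group is incomplete config
            groups = [DEFAULT_GROUP[kind]]
        g = min(groups, key=strength_bits)  # the weakest offered group is what a peer can choose
        bits = strength_bits(g)
        if bits >= floor_bits:
            continue
        if bits <= 768:
            who = "academic team"           # weakdh.org: 768-bit prime within academic reach
        elif bits <= 1024:
            who = "nation-state"            # weakdh.org: 1024-bit prime within nation-state reach
        else:
            who = "below floor"
        findings.append((name, g, who))
    return findings
```

Raising `floor_bits` to 3072 also catches the group 14 policy, which is the right setting if the device terminates tunnels that must outlive the current estimates.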