Gewoon handige software
http://www.freac.org/index.php/en/homepage-mainmenu-1
https://handbrake.fr/
https://cdburnerxp.se/en/home
Auteur: Winfred
PPP Per Session Queueing and Shaping Using RADIUS
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/asr1000/bba-xe-3s-asr1000-book/bba-ppoe-ses-q-rad-xe.html#GUID-4F310583-68C0-4B5F-BDE6-BBE01C06D2AE
Cisco IOS DNS auth/recursive
ip dns view Event-Wifi
domain timeout 5
dns forwarder 208.67.222.222
dns forwarder 208.67.220.220
ip dns view-list Event-Wifi
view Event-Wifi 100
restrict source access-group 2
!
ip dns server view-group Event-Wifi
ip dns server
ip dns primary event.wifi soa ns.event.wifi postmaaster.event.wifi 21600 900 7776000 86400
Cisco back dialer-watch
interface Cellular0
dialer watch-group 1
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
Cisco IOS reflective ACL
interface Cellular0
ip access-group public-inbound-packet-catcher in
ip access-group public-outbound-packet-listener out
!
ip access-list extended public-inbound-packet-catcher
remark -= icmp permit’s and deny’s =-
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny icmp any any
permit tcp any any eq 1723
permit gre any any
permit udp any eq isakmp any eq isakmp
permit esp any any
remark -= allow ssh and dns =-
permit tcp any any eq 22 log
permit tcp any any eq www log
permit udp any eq domain any
remark -= returning traffic =-
evaluate outside-access-in-reflexive-temporary-list
deny ip any any log-input
ip access-list extended public-outbound-packet-listener
permit tcp any any reflect outside-access-in-reflexive-temporary-list timeout 3600
permit udp any any reflect outside-access-in-reflexive-temporary-list timeout 3600
IPv6 6vpe Radius AVP
http://blog.ipspace.net/2011/09/ipv6-mplsvpn-6vpe-with-pppoe-and-radius.html
Basic IOS config (o.a. VTP en NTP)
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
clock timezone CET 1 0
clock summer-time SUM recurring last Sun Mar 2:00 last Sun Oct 3:00
!
aaa new-model
aaa authentication login local local
!
vtp mode transparent
!
username outeradmin secret PASSWORD
!
enable secret PASSWORD
!
no ip domain-lookup
!
ip domain-name routit.net
!
spanning-tree mode rapid-pvst
!
no ip http server
no ip http secure-server
!
banner exec ^
Organisatie : winfred.nl
Lokatie : site
Beheer : iemand @ winfred . nl
Installatie : iemand @ winfred . nl
^
banner motd ^
Waarschuwing !!!
Toegang tot dit systeem en informatie verkregen door middel van
deze systemen is strikt vertrouwelijk en in eigendom van
MOI
Toegang tot deze systemen en informatie is alleen met uitdrukkelijke
toestemming van de eigenaar geoorloofd, elke andere vorm van toegang
is niet toegestaan en kan juridische gevolgen hebben.
^
!
! NMS station SNMP
access-list 1 permit 172.31.180.10
!
! NMS station SSH
access-list 23 permit 10.35.0.0 0.0.255.255
!
line con 0
line vty 0 15
session-timeout 5
access-class 23 in
login authentication local
transport input ssh
!
snmp-server community 754d7066ab385bb0d44b6361d78faef1 RO 1
snmp-server ifindex persist
snmp-server location site
snmp-server contact iemand @ winfred . nl
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps tty
!
! ntp update-calendar
! ntp0.nl.uu.net
ntp server 193.67.79.202
! ntp.pool.tu.nl
ntp server 193.79.237.14 prefer
Achtergrond:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/334-cisco-router-ntp.html
ASA basic | fail-over
Controle context mode:
ASA-lab# sh mode Security context mode: multiple
Verwijderen call-home config
ASA-lab(config)# clear config call-home ASA-lab(config)# no service call-home
Aanmaken Admin context:
ASA-lab(config)# admin-context admin Creating context 'admin'... Done. (1)
Aanmaken interfaces:
interface GigabitEthernet0/0 channel-group 1 mode active speed 1000 ! interface GigabitEthernet0/1 channel-group 1 mode active speed 1000 ! interface GigabitEthernet0/2 description FailOver HA speed 1000 ! interface GigabitEthernet0/3 description FailOver FT speed 1000 ! interface Port-channel1 ! interface Port-channel1.300 description ASA-Lab HA vlan 300 ! interface Port-channel1.301 description ASA-Lab FT vlan 301 ! interface Port-channel1.302 description ASA-Lab Admin vlan 302
Instellen Admin context:
ASA-lab(config)# context admin ASA-lab(config-ctx)# description Admin-context ASA-lab(config-ctx)# config-url disk0:/admin-beheer.cfg WARNING: Could not fetch the URL disk0:/admin-beheer.cfg INFO: Creating context with default config INFO: Admin context will take some time to come up .... please wait. ASA-lab(config-ctx)# allocate-interface interface Port-channel1.302 Beheer
Instellen FO:
interface Redundant1 member-interface GigabitEthernet0/2 Primary UNIT: failover failover lan unit primary failover lan interface LAN Redundant1 failover key wachtwoord failover replication http failover link LAN Redundant1 failover interface ip LAN 169.254.255.1 255.255.255.252 standby 169.254.255.2 failover group 1 replication http Secondary UNIT: failover failover lan unit secondary failover lan interface LAN Redundant1 failover key wachtwoord failover replication http failover link LAN Redundant1 failover interface ip LAN 169.254.255.1 255.255.255.252 standby 169.254.255.2 failover group 1 replication http
Instellen admin context:
ASA-lab# changeto context admin interface Beheer nameif Beheer security-level 100 ip address 192.0.2.1 255.255.255.248 standby 192.0.2.2 ! http server enable http 192.0.2.0 255.255.255.0 Beheer ! user-identity default-domain LOCAL aaa authentication enable console LOCAL aaa authentication ssh console LOCAL aaa authentication secure-http-client
ASA security Netflow
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/monitor_nsel.html#68826
DH group X ; The Logjam Attack
Highlight:
“We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break”.
Dit zijn de encryptie sterkte van de DH groepen:
- DH Group 1: 768-bit group
- DH Group 2: 1024-bit group
- DH Group 5: 1536-bit group
- DH Group 14: 2048-bit group
- DH Group 15: 3072-bit group
- DH Group 19: 256-bit elliptic curve group
- DH Group 20: 384-bit elliptic curve group