Thursday, August 5, 2010
Cisco ASA 7.2 PPPoE LAN-to-LAN IPSEC with conditional NAT Template
This is a pretty standard config, except for the conditional NAT. Only the local hosts listed in object-group LocalHostsToNATtoVendor01 are NATted to the 172.16.6.24-31 pool before hitting the tunnel, and only that translated traffic matches the crypto ACL; everything else from the inside network is PATted to the outside interface address and never enters the VPN.
!
ASA Version 7.2(4)
!
enable password ********** encrypted
passwd ********** encrypted
names
!
interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 description OUTSIDE
 nameif outside
 security-level 0
 pppoe client vpdn group MyPPPUserName
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group network RemoteVendor01
 network-object 192.168.64.0 255.255.248.0
!
object-group network LocalHostsToNATtoVendor01
 network-object host 10.10.10.150
 network-object host 10.10.10.151
 network-object host 10.10.10.152
 network-object host 10.10.10.153
 network-object host 10.10.10.154
 network-object host 10.10.10.155
 network-object host 10.10.10.156
 network-object host 10.10.10.157
!
access-list outside_1_cryptomap extended permit ip 172.16.6.24 255.255.255.248 192.168.64.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.6.24 255.255.255.248 192.168.64.0 255.255.248.0
!
access-list LocalHostsToNATtoVendor01 remark conditional NAT
access-list LocalHostsToNATtoVendor01 extended permit ip object-group LocalHostsToNATtoVendor01 object-group RemoteVendor01
!
! define two NAT pools, one pool of IPs, the other the outside interface address
global (outside) 1 172.16.6.24-172.16.6.31
global (outside) 2 interface
! don't NAT some hosts
nat (inside) 0 access-list inside_nat0_outbound
! do NAT this ACL
nat (inside) 1 access-list LocalHostsToNATtoVendor01
nat (inside) 2 10.10.10.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.152.45.12
crypto map outside_map 1 set transform-set ESP-AES-192-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 28800
!
vpdn group MyPPPUserName request dialout pppoe
vpdn group MyPPPUserName localname MyPPPUserName
vpdn group MyPPPUserName ppp authentication pap
vpdn username MyPPPUserName password *********
!
tunnel-group 192.152.45.12 type ipsec-l2l
tunnel-group 192.152.45.12 ipsec-attributes
 pre-shared-key *
!
! here's an interesting feature
smtp-server 10.45.26.2
prompt hostname context
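As an added sanity check (my own Python, not part of the original post or the ASA itself), this script tests the numbers behind the conditional NAT in the template above: the dynamic NAT pool must hold one address per host in LocalHostsToNATtoVendor01, every pool address must fall inside the source network of the crypto ACL, and the untranslated inside subnet must not match that ACL. The values are copied from the config; the function names are mine.

```python
import ipaddress

# Values copied from the ASA template above.
LOCAL_HOSTS = ["10.10.10.%d" % n for n in range(150, 158)]  # object-group LocalHostsToNATtoVendor01
NAT_POOL = ("172.16.6.24", "172.16.6.31")                    # global (outside) 1
CRYPTO_SRC = "172.16.6.24/29"                                # source of access-list outside_1_cryptomap
INSIDE_NET = "10.10.10.0/24"                                 # interface Vlan1


def pool_addresses(first, last):
    """Expand an ASA 'global' range such as 172.16.6.24-172.16.6.31 into its addresses."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]


def check_conditional_nat(hosts, pool, crypto_src, inside_net):
    """Return a list of problems; an empty list means the NAT and crypto pieces agree."""
    problems = []
    addrs = pool_addresses(*pool)
    src_net = ipaddress.ip_network(crypto_src)

    # Dynamic NAT hands each inside host one pool address. With only a range in
    # 'global (outside) 1' (no interface PAT behind it), extra hosts get no
    # translation and their packets never reach the tunnel.
    if len(hosts) > len(addrs):
        problems.append("pool holds %d addresses but %d hosts need one"
                        % (len(addrs), len(hosts)))

    # NAT happens before the crypto map is consulted, so a pool address outside
    # the ACL source network leaves the outside interface in the clear.
    stray = [str(a) for a in addrs if a not in src_net]
    if stray:
        problems.append("pool addresses outside crypto ACL source %s: %s"
                        % (crypto_src, ", ".join(stray)))

    # Hosts NOT in the object-group are PATted to the interface address; their
    # untranslated subnet must not match the crypto ACL, or the NAT condition
    # stops being what decides who enters the tunnel.
    if src_net.overlaps(ipaddress.ip_network(inside_net)):
        problems.append("inside network %s overlaps crypto ACL source %s"
                        % (inside_net, crypto_src))
    return problems


if __name__ == "__main__":
    print(check_conditional_nat(LOCAL_HOSTS, NAT_POOL, CRYPTO_SRC, INSIDE_NET)
          or "conditional NAT consistent")
```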
blocking opportunists with Fail2ban
Fail2ban is a great package, and I've been using it a lot lately. It's extremely simple, flexible and effective. Out of the box it comes with some nice filters for scraping web server logs for those IPs looking for exploits on your web server. My web server has basic password authentication enforced, so most folks wouldn't even get to those pages if they tried, but I still don't like the idea of folks trying to brute force their way in. So I recently added a new filter for banning IPs that rack up a number of HTTP 401 (Unauthorized, i.e. access denied) errors (I might expand this to include 403 or 404 errors as well). It was easy:
1) define a new filter:
[root@noc tacacs]# cat /etc/fail2ban/filter.d/apache-badURLs.conf
[Definition]
# adapted from apache-auth.conf
# Option: failregex
# Notes.: regex to match jerks trolling for exploits.
# The host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#examples:
#115.168.71.85 - - [25/Jul/2010:09:48:04 -0700] "GET /websql/scripts/setup.php HTTP/1.1" 401 479 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
#209.168.161.229 - - [25/Jul/2010:21:32:03 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 479 "-" "ZmEu"
#unknown.ord.scnet.net - - [28/Jul/2010:14:35:05 -0700] "GET /mysql/scripts/setup.php HTTP/1.0" 401 482 "-" "Wget/1.11.4 Red Hat modified"
# <HOST> captures the client address at the start of the line; any GET answered with a 401 counts as a failure.
failregex = <HOST>.*\"GET.*HTTP.*\" 401 \d{3}
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
# end apache-badURLs
2) make a new jail in /etc/fail2ban/jail.conf:
[apache-badURLs]
enabled = true
#name of the file in /etc/fail2ban/filter.d/ which will define the match criteria
filter = apache-badURLs
#actions are additive: each indented continuation line below "action =" is one more action
#hostsdeny: add the IP address to /etc/hosts.deny
#iptables-allports: ban the IP address outright on every port
#sendmail-whois: email a report with the WHOIS contact info for the IP address, for abuse tracking and follow-up
action = hostsdeny
         iptables-allports
         sendmail-whois[name=badURLs, dest=me@example.com, sender=fail2ban@example.com]
#define which logs to search. This glob matches both "access_log" and "ssl_access_log"
logpath = /var/log/httpd/*access_log
# how many times will you put up with it before running the action?
maxretry = 3
#end apache-badURLs section
That's pretty much it. The actions are additive and can include emailing the contact, yourself, banning only certain ports, etc. The action could also include adding the IP to your perimeter firewall's ACL via ssh (I haven't tested this but probably will) or just about any scriptable function.
A few notes: this was designed for a private site. If you run a public site which you want well marketed, you may end up blocking Google, Yahoo, etc. when their spiders crawl your site. I'm not sure how that would work.
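To see what the filter and jail above actually do before turning them on, here is an added Python script (mine, not fail2ban's code) that runs the failregex over a few constructed access_log lines and applies the jail's maxretry = 3. The log lines are made up in the shape of the filter's examples; fail2ban's findtime window and its date stripping are left out, so only the match and count logic is shown.

```python
import re
from collections import Counter

# failregex from the filter above, with fail2ban's <HOST> tag expanded to the
# alias the filter comments quote: (?:::f{4,6}:)?(?P<host>\S+)
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = re.compile(HOST + r".*\"GET.*HTTP.*\" 401 \d{3}")
MAXRETRY = 3  # from the jail above

# Constructed access_log lines in the same shape as the filter's examples.
SAMPLE_LOG = [
    '115.168.71.85 - - [25/Jul/2010:09:48:04 -0700] "GET /websql/scripts/setup.php HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    '115.168.71.85 - - [25/Jul/2010:09:48:05 -0700] "GET /mysql/scripts/setup.php HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    '115.168.71.85 - - [25/Jul/2010:09:48:06 -0700] "GET /private/ HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    '209.168.161.229 - - [25/Jul/2010:21:32:03 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 479 "-" "ZmEu"',
    '10.10.10.20 - - [25/Jul/2010:22:01:10 -0700] "GET /index.html HTTP/1.1" 200 1342 "-" "Mozilla/5.0"',
    '10.10.10.21 - - [25/Jul/2010:22:02:10 -0700] "POST /login HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    '10.10.10.21 - - [25/Jul/2010:22:02:11 -0700] "GET /secret.txt HTTP/1.1" 403 279 "-" "Mozilla/5.0"',
]


def failures_per_host(lines):
    """Count lines matched by failregex per captured host.
    re.search mirrors how fail2ban applies a failregex to each log line."""
    hits = Counter()
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts that reached maxretry matches, i.e. the ones the jail would hand to its actions."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(failures_per_host(SAMPLE_LOG)))
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

Note that the POST 401 and the 403 lines are not counted at all: the regex only matches GET requests answered with 401, which is the gap the author mentions closing by extending it to 403/404.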
Wednesday, August 4, 2010
How to disable speed and duplex auto-negotiation on Cisco 2960
If you're having trouble finding the "speed" and "duplex" options for the Gigabit Ethernet ports in the interface configuration of your Cisco 2960, try setting the media type manually (media-type rj45). Once the port is pinned to the copper connector rather than auto-select, the speed and duplex commands become available, as the session below shows.
swith01#sh run int gi0/1
Building configuration...
Current configuration : 126 bytes
!
interface GigabitEthernet0/1
switchport mode trunk
end
swith01#conf term
Enter configuration commands, one per line. End with CNTL/Z.
swith01(config)#int g0/1
swith01(config-if)#speed ?
% Unrecognized command
swith01(config-if)#media-type ?
auto-select Use whichever connector is attached
rj45 Use RJ45 connector
sfp Use SFP connector
swith01(config-if)#media-type rj45
swith01(config-if)#speed ?
10 Force 10 Mbps operation
100 Force 100 Mbps operation
1000 Force 1000 Mbps operation
auto Enable AUTO speed configuration
swith01(config-if)#speed 100
swith01(config-if)#dupl
swith01(config-if)#duplex ?
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation
swith01(config-if)#duplex full
swith01(config-if)#end
swith01#sh run int gi0/1
*Mar 1 00:04:04.318: %SYS-5-CONFIG_I: Configured from console by localuser on console
Building configuration...
Current configuration : 167 bytes
!
interface GigabitEthernet0/1
switchport mode trunk
media-type rj45
speed 100
duplex full
end