look for ip inspect modules on routers (chapter 6 cisco ccnp2 material)
http://www.megaupload.com/?d=GJ6WS6GC
http://www.pdfcoke.com/doc/13587657/Sec-Incident-Resp-Short-Form
http://www.pdfcoke.com/doc/13590352/Linux-Notes
http://www.pdfcoke.com/doc/13590402/Lab1-Report
http://www.pdfcoke.com/doc/13590392/Lab3-Report
http://www.pdfcoke.com/doc/13590387/Lab2-Report
http://www.pdfcoke.com/doc/13590526/Server-Integration-Notes
http://www.pdfcoke.com/doc/13590552/Lab-1-Report
http://www.pdfcoke.com/doc/13590553/Lab-2-Report
http://www.pdfcoke.com/doc/13590554/Lab-3-Report
http://www.pdfcoke.com/doc/13590555/Lab-4-Report
http://www.pdfcoke.com/doc/13609000/Router-Switch-Commandsc
http://www.pdfcoke.com/doc/13591148/Ops
download from sourceforge EventLogToSyslog-1.2.5-Bin
---------------------------------------download MBSA
Step 1: If you do not have the file, download it from http://go.microsoft.com/fwlink/?LinkId=76054 and save it to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab. You may use any folder, but this is where MBSA will store the file after MBSA has downloaded it.
Step 2: Open C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab using any program able to view an archive file of type *.cab.
Step 3: Open package.cab from the wsusscn2.cab file, and then the package.xml file inside it.
Step 4: View the OfflineSyncPackage header element for the CreationDate. It should be set to a value such as "2005-06-01T18:42:49Z" (for example). Use the value you find to determine when the file was generated by Microsoft.
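Added example for step 4 (not from these notes or from Microsoft): a small Python check that reads the CreationDate attribute off the OfflineSyncPackage root of package.xml and reports how old the offline catalog is, so a scan is not run against a stale one. The sample XML is constructed; its namespace URI and the PackageVersion attribute are assumptions, and the 30-day staleness threshold is an assumption too. On Linux the two nested cabs can be unpacked with cabextract before pointing the script at the extracted package.xml.

```python
"""Age check for the MBSA offline catalog (wsusscn2.cab -> package.cab -> package.xml)."""
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-in for package.xml. Only the CreationDate attribute on the
# OfflineSyncPackage root (the element named in step 4) matters to the check;
# the namespace URI and PackageVersion are assumptions.
SAMPLE_PACKAGE_XML = """
<OfflineSyncPackage xmlns="http://schemas.microsoft.com/msus/2004/02/OfflineSync"
                    CreationDate="2005-06-01T18:42:49Z" PackageVersion="1.1">
</OfflineSyncPackage>
"""

DEFAULT_MAX_AGE_DAYS = 30   # assumption: anything older than a month is "stale"


def parse_utc(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by CreationDate as an aware UTC time."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def catalog_creation_date(xml_text: str) -> datetime:
    """Return the CreationDate of the catalog described by package.xml."""
    root = ET.fromstring(xml_text)
    local_name = root.tag.rsplit("}", 1)[-1]          # drop the XML namespace prefix
    if local_name != "OfflineSyncPackage":
        raise ValueError(f"unexpected root element {root.tag!r}")
    value = root.get("CreationDate")
    if value is None:
        raise ValueError("OfflineSyncPackage has no CreationDate attribute")
    return parse_utc(value)


def catalog_age_days(xml_text: str, now: datetime) -> int:
    """Whole days between the catalog's CreationDate and 'now' (an aware datetime)."""
    return (now - catalog_creation_date(xml_text)).days


def is_stale(xml_text: str, now: datetime, max_age_days: int = DEFAULT_MAX_AGE_DAYS) -> bool:
    """True when the catalog is older than max_age_days."""
    return catalog_age_days(xml_text, now) > max_age_days


if __name__ == "__main__":
    # Usage: python catalog_age.py [path/to/package.xml]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PACKAGE_XML
    now = datetime.now(timezone.utc)
    print("created:", catalog_creation_date(text).isoformat())
    print("age in days:", catalog_age_days(text, now))
    print("stale:", is_stale(text, now))
```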
---------------------------------------------------Start Service pack downloads
SP3 XP http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE081E1555D4F3D4
Vista SP1 http://www.microsoft.com/downloads/details.aspx?FamilyId=B0C7136D-5EBB-413B-89C9CB3D06D12674&displaylang=en
http://www.kiwisyslog.com/
https://fedoraproject.org/wiki/DebarshiRay/Opyum#Creating_A_Yum-Pack
http://aptoncd.sourceforge.net/
-Start Autopatcher downloads for (server 08, 03, XP, Vista) and update
-Start downloads of apt-oncd stuff (in gmail account)
-Check router and switch configs (backup current router configs and switch configs before messing with them)
-lockout switch and router
-setup a syslog server on both devices (check how to) --- kiwi
-Check system accounts and restrict rights where needed
-change passwords
-google password generator (http://www.pctools.com/guides/password/)
-lockout the router and the switch
-restrict settings that make the PCs vulnerable
 -guest accounts, rights, unnecessary services
-check policy shares rules
-run snort
--webmin on all linux boxes
---change ports on each box
---finish setting up DNS on the Windows server08 box
----Bump up server08 DC level to 2003 NOT 2008
*default users in windows can join computers to the domain ---disable that --maybe not in 08....check the domain policies
----need to be a member of the schema group to do any exchange stuff
*******Only have one domain admin account and all our other accounts would be lower privy---run as stuff for other users
--------under local policies for the DC..get rid of some of the default shares, change the name of the admin account to something else
**Setup event viewer to syslog (sourceforge), install kiwi on multiple servers
**********Capture Router/Switch configs 1st (before messing with them) (put a banner on all equipment)
conf t
banner motd ~
[ASCII-art banner; the artwork did not survive extraction. Readable text: "Authorized Access ONLY"]
~
Exit
Router--> conf t
!
username Omeri privilege 15 secret 0 s&e7patHaPr7TReW6f#9
aaa new-model
aaa authentication login default local
service password-encryption
!
enable secret phAW4A4*8ePhAMA-ud4S
!
logging <syslog server> (not sure about this logging host)
logging trap informational (or notifications, or warnings for fewer events)
logging on
login block-for 15 attempts 2 within 15
login delay 3
login on-failure log
no ip domain-lookup
service password-encryption
!
!
line con 0
logging synchronous
password Br!8aCeWrUmuDa6#r8Hu
login authentication default
!
line vty 0 4
no transport input (or no line vty 0 4)
password 9e$ecra*raf4ewRa95pr
login authentication default
or
ip access-list extended telnet-block
deny ip any any
line vty 0 4
access-class telnet-block in
----------------------------Set date and time on all equipment
clock set command
*******************auto secure sheit---and more added
backup config first then do the command "auto secure" from en mode - it will redo the banner too
no cdp run
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd ------> not sure on this
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
--------------interface FastEthernet0/0 ---put on all interfaces used on the router
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
-----------------------------
ip ips name myips
--Apply the rule you just created inbound on the interface facing UNTRUSTED. Once you enable IPS, some log messages will be sent to the console line indicating that the IPS engines are being initialized.
FW(config)# interface serial0/0/1
FW(config-if)# ip ips myips in
will get a lot of ping detections; to disable a certain sig do this
-FW(config)# ip ips signature 2004 disable
could also, after that you must
line con 0
login local
line aux 0
login local
line vty 0 4
login local
Chapter 6 lesson 2.5 for firewall setup (stateful packet inspection), then ACL what to permit and deny
chapter 5 lesson 7
IP Address Spoofing Mitigation: Inbound
R2(config)#access-list 150 deny ip 10.2.1.0 0.0.0.255 any log
R2(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
R2(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
R2(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
R2(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
R2(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
****deny broadcast traffic in
R2(config)#access-list 150 deny ip host 255.255.255.255 any log
R2(config)#access-list 150 permit ip any 10.2.1.0 0.0.0.255
R2(config)#interface e0/0
R2(config-if)#ip access-group 150 in
R2(config-if)#exit
IP Address Spoofing Mitigation: Outbound interface
R2(config)#access-list 105 permit ip 10.2.1.0 0.0.0.255 any
R2(config)#access-list 105 deny ip any any log
R2(config)#interface e0/1
R2(config-if)#ip access-group 105 in
R2(config-if)#end
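Added example (not from these notes or from the Cisco material): a Python evaluator for IOS numbered extended ACLs that parses the ACL 150 and 105 lines above exactly as written, then runs constructed sample packets through them with first-match semantics and the implicit deny at the end. It shows why the order matters (the inside 10.2.1.0/24 source is denied before the final permit on the inbound side) and what the outbound list does to a host that leaks a non-inside source address. The parser also accepts the eq/range port operators and the named ports (www, smtp, domain, ...) used by the other ACLs on this page, treating a port operator as a destination port, which is how every ACL here uses it; the Packet and Entry classes and the sample traffic (203.0.113.0/24, 198.51.100.0/24 are documentation ranges) are this example's own.

```python
"""First-match evaluation of Cisco IOS numbered extended ACLs against sample packets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL 150 (applied inbound on e0/0) and ACL 105 (inbound on e0/1), copied from the
# anti-spoofing section of the notes. 10.2.1.0/24 is the protected inside network.
ACL_150 = """
access-list 150 deny ip 10.2.1.0 0.0.0.255 any log
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 permit ip any 10.2.1.0 0.0.0.255
"""
ACL_105 = """
access-list 105 permit ip 10.2.1.0 0.0.0.255 any
access-list 105 deny ip any any log
"""

# Named ports that appear in the ACLs on this page (IOS keyword -> number).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110, "snmp": 161, "snmptrap": 162}


@dataclass
class Packet:
    proto: str                  # "ip" (unspecified), "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str
    src: Tuple[int, int]        # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[Tuple[int, int]]   # (low, high) from "eq N" / "range A B", else None
    log: bool


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N {permit|deny} proto src dst [eq P | range A B] [log]' lines.
    Standard (two-address-token) ACL lines and blank lines are skipped; 'established'
    and 'log' after the port operator are not used for matching."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = (_port(tok[i + 1]), _port(tok[i + 1]))
            i += 2
        elif i < len(tok) and tok[i] == "range":
            dport = (_port(tok[i + 1]), _port(tok[i + 2]))
            i += 3
        entries.append(Entry(action, proto, src, dst, dport, "log" in tok[i:]))
    return entries


def _wild_match(spec: Tuple[int, int], addr: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry). First match wins; no match at
    all means the implicit 'deny ip any any' at the end of every IOS ACL."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_wild_match(e.src, s) and _wild_match(e.dst, d)):
            continue
        if e.dport is not None and (pkt.dport is None or not e.dport[0] <= pkt.dport <= e.dport[1]):
            continue
        return e.action, idx
    return "deny", None


def check(acl_text: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    return evaluate(parse_acl(acl_text), pkt)


if __name__ == "__main__":
    # Constructed sample traffic arriving on e0/0 from the untrusted side.
    for pkt in (Packet("tcp", "10.2.1.5", "10.2.1.9", 80),        # inside source from outside: spoofed
                Packet("tcp", "203.0.113.7", "10.2.1.10", 80),    # ordinary inbound web request
                Packet("tcp", "203.0.113.7", "198.51.100.1", 80)):  # transit traffic, implicit deny
        print(pkt, "->", check(ACL_150, pkt))
```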
block both interfaces on the in direction
DDOS trin00 attack / stacheldraht attack / trinity attack
access-list 190 deny tcp any any eq 1524 log
access-list 190 deny tcp any any eq 27665 log
access-list 190 deny udp any any eq 31335 log
access-list 190 deny udp any any eq 27444 log
access-list 190 deny tcp any any eq 16660 log
access-list 190 deny tcp any any eq 65000 log
access-list 190 deny tcp any any eq 33270 log
access-list 190 deny tcp any any eq 6667 log
access-list 190 deny tcp any any eq 39168 log
access-list 190 deny tcp any any eq 1243 log
access-list 190 deny tcp any any eq 2773 log
access-list 190 deny tcp any any range 6711 6713 log
access-list 190 deny tcp any any eq 6776 log
access-list 190 deny tcp any any eq 7000 log
access-list 190 deny tcp any any eq 7215 log
access-list 190 deny tcp any any eq 27374 log
access-list 190 deny tcp any any eq 27573 log
access-list 190 deny tcp any any eq 54283 log
access-list 190 permit ip any any
R2(config)#interface e0/0
R2(config-if)#ip access-group 190 in
R2(config-if)#end
R2(config)#interface e0/1
R2(config-if)#ip access-group 190 in
R2(config-if)#end
----with any denies you need at least 1 permit at the bottom: permit any any
--deny single source
access-list 10 deny 192.168.3.0 0.0.0.255
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
PR1(config)#snmp-server group billgroup v3 priv ---shows how to define a group billgroup for SNMP v3 using both authentication and privacy
PR1(config)#snmp-server user Bill billgroup v3 auth md5 bill3passwd priv des56 password2
PR1(config)#snmp-server group billgroup v3 priv
The second example shows how user Bill, belonging to the group billgroup, is defined using the password bill3passwd, and privacy (encryption) is applied
=============================================================OLD Configs From Previous years events---Router Config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname $&JDdj.kP(]
!
boot-start-marker
boot-end-marker
!
logging console alerts
enable secret 5 $1$m1qk$3aq/ZBRifnA/2hzlTQrEQ.
!
aaa new-model
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
!
ip cef
!
ip domain name team6.com
ip ssh time-out 10
ip ssh authentication-retries 1
ip ssh source-interface FastEthernet0/1
ip ssh version 2
!
username test privilege 0 password 7 021605481811003348
username administrator privilege 0 password 7 142F024A125D7A7C29
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.6.1 255.255.255.0
 ip access-group 112 in
 no ip redirects
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip address 10.1.38.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
ip nat inside source static 10.1.38.2 192.168.6.2
ip nat inside source static 10.1.38.3 192.168.6.3
ip nat inside source static tcp 10.1.38.61 80 192.168.6.10 80 extendable
ip nat inside source static tcp 1.1.1.1 443 192.168.6.20 80 extendable
ip nat inside source static 10.1.38.46 192.168.6.20
ip nat inside source static 10.1.38.51 192.168.6.30
ip nat inside source static 10.1.38.61 192.168.6.40
ip nat inside source static tcp 10.1.38.51 53 192.168.6.50 53 extendable
ip nat inside source static udp 10.1.38.51 53 192.168.6.50 53 extendable
ip nat inside source static 10.1.38.21 192.168.6.60
ip nat inside source static 10.1.38.81 192.168.6.80
ip nat inside source static 10.1.38.101 192.168.6.100
!
logging trap warnings
logging 10.1.38.81
access-list 112 permit tcp 192.168.0.0 0.0.255.255 host 192.168.6.10 eq www log
access-list 112 permit tcp 192.168.0.0 0.0.255.255 host 192.168.6.20 eq www log
access-list 112 permit tcp 192.168.0.0 0.0.255.255 host 192.168.6.30 eq smtp log
access-list 112 permit tcp 192.168.0.0 0.0.255.255 host 192.168.6.30 eq pop3 log
access-list 112 permit tcp 192.168.0.0 0.0.255.255 host 192.168.6.60 eq ftp log
access-list 112 permit tcp 192.168.0.0 0.0.255.255 host 192.168.6.60 eq ftp-data
access-list 112 permit tcp 192.168.0.0 0.0.255.255 host 192.168.6.1 eq 22 log
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.100 eq 4569 log
access-list 112 permit icmp any any log
access-list 112 permit tcp host 192.168.1.103 host 192.168.6.80 established log
access-list 112 permit tcp 192.168.0.0 0.0.255.255 host 192.168.6.40 eq domain
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.40 eq domain
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.50 eq domain
access-list 112 permit tcp 192.168.0.0 0.0.255.255 host 192.168.6.50 eq domain
access-list 112 permit tcp 192.168.0.0 0.0.255.255 host 192.168.6.20 eq 443
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.20 eq 443
access-list 112 permit tcp host 192.168.1.100 host 192.168.6.80
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.1 eq snmp
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.1 eq snmptrap
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.3 eq snmp
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.3 eq snmptrap
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.2 eq snmp
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.2 eq snmptrap
access-list 112 permit udp 192.168.0.0 0.0.255.255 host 192.168.6.2 eq 10000
snmp-server user C0rporat3 TEST v3
snmp-server group TEST v3 auth read READ write WRITE
snmp-server community C0rporat3 RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps syslog
no cdp run
!
control-plane
!
line con 0
 password 7 065E496B045C4D1335
 logging synchronous
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end
-------------------------------------------------
------------------------------------------------------------Switch Config
---------------------------old version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
ip subnet-zero
!
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 no ip address
 spanning-tree portfast
 no shut
!
(the same stanza is repeated, unchanged, for interface FastEthernet0/2 through FastEthernet0/24 and for GigabitEthernet0/1 and GigabitEthernet0/2)
!
interface Vlan1
 no ip address
 no ip route-cache
 no shutdown
!
ip http server
!
line con 0
line vty 5 15
!
end
Switch#
--------------------------------custom configs
conf t
username Zefe privilege 15 secret 0 xatab7-fr65a7u&upudr
aaa new-model
aaa authentication login default local
enable secret yawruf&4pu*w_3us5&jE
service password-encryption
!
logging <syslog server> (not sure about this logging host)
logging trap notifications (or warnings for fewer events)
logging on
login block-for 15 attempts 2 within 15
login delay 3
login on-failure log
no ip domain-lookup
!
line con 0
logging synchronous
password he9eStEK3z&&eTuwu@re
login
!
line vty 0 15
no transport input (or no line vty 0 15)
password m?_=prew@2u5r4!raGuq
login
!
----spanning-tree vlan 1 root primary (or whatever is the new vlan)
!
spanning-tree portfast bpduguard default
ip arp inspection vlan 1
ip arp inspection validate (try in global config - might need to put it on the switch)
on user port interfaces --do this
*******USING VMWARE-------watch out on port security!!!
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation protect ****they may not like this though; could try switchport port-security aging instead
no ip address
spanning-tree portfast
no shut
spanning-tree guard root-----only enter this on unused ports ---not our end stations
ip arp inspection trust ---Put this on the trusted port (to the router)
*******************auto secure sheit---and more added
no cdp run
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
--------------------------Set date and time on all equipment
clock set command
could setup dot1x*****do this for client ports ----> this would block the user from accessing without a password --refer to the lab 8-1 --do and test this on workstations
(the following is taken from CCNP: Building Multilayer Switched Networks v5.0, Lab 8-1, Copyright 2006, Cisco Systems, Inc)
The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switchports. The authentication server authenticates each workstation that is connected to a switchport before making any services that are offered by the switch or the LAN available. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.
Use the aaa new-model command to turn on AAA authentication on ALS1. The aaa authentication dot1x default local command tells the switch to use a local database of usernames and passwords to authenticate the users. Users are assigned to the database using the username username password password command. The Fast Ethernet interfaces used for VLAN 100 staff access are configured using the dot1x port-control auto command. The auto keyword allows the switchport to begin in the unauthorized state, and allows the negotiation between the client and server to authenticate the user. Once authenticated, the user is allowed access to the network resources.
The following is a sample configuration for ALS1:
ALS1#config t
Enter configuration commands, one per line. End with CNTL/Z.
ALS1(config)#username janedoe password 0 cisco
ALS1(config)#username johndoe password 0 cisco
ALS1(config)#username joesmith password 0 cisco
ALS1(config)#aaa new-model
ALS1(config)#aaa authentication dot1x default local
ALS1(config)#int range fa 0/15 - 24
ALS1(config-if-range)#dot1x port-control auto
ALS1(config-if-range)#end
Verify your AAA configuration using the show dot1x interface command.
ALS1# show dot1x interface fa0/15
Supplicant MAC
   AuthSM State      = N/A
   BendSM State      = N/A
   PortStatus        = N/A
   MaxReq            = 2
   MaxAuthReq        = 2
   HostMode          = Single
   PortControl       = Auto
   QuietPeriod       = 60 Seconds
   Re-authentication = Disabled
   ReAuthPeriod      = 3600 Seconds
   ServerTimeout     = 30 Seconds
   SuppTimeout       = 30 Seconds
   TxPeriod          = 30 Seconds
   Guest-Vlan        = 0
-------------------***disable vlan 1 and put everything into a different vlan?
2950 syslog config
switch(config)#logging (hostname or ip address of log server kiwi)
switch(config)#logging trap (level 0 thru 7 ---7 being all including debug messages)
switch(config)#logging on
shutdown unnecessary ports
Set date and time on all equipment
configure dhcp snooping on the switch
conf t
ip dhcp snooping
ip dhcp snooping trust (do this on the interface port of the port connected to the dhcp server)
global cmd--ip dhcp snooping limit rate 20
ip dhcp snooping vlan number {vlan number}
================================================================================================
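Added example (not from these notes, kiwi, or Cisco): a Python decoder for what the syslog server receives from the switch and router once logging is pointed at it. It splits the PRI value into facility and severity (PRI = facility * 8 + severity; IOS sends facility local7 by default), applies the same cut-off a "logging trap <level>" keyword applies on the device (level 0 thru 7, lower is more severe), and cross-checks the severity digit inside the IOS %FACILITY-SEVERITY-MNEMONIC tag against the PRI, which catches a relay or sender that rewrites priorities. The four sample lines are constructed in the shape of IOS messages; the message texts and timestamps are not captured output.

```python
"""Decode syslog PRI values and apply a 'logging trap <level>' filter to sample lines."""
import re
from typing import Dict, List, Optional

# IOS 'logging trap' keywords in severity order 0..7 (lower number = more severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Syslog facility codes 0..23 (RFC 3164 names; IOS uses local7 unless changed).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# Constructed sample lines in the shape a Cisco switch or router sends over UDP 514.
# local7 is facility 23, so PRI = 23*8 + severity: 187 = errors, 189 = notifications,
# 190 = informational, 191 = debugging.
SAMPLE = [
    "<189>45: *Mar  1 00:12:03.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.38.81)",
    "<187>46: *Mar  1 00:12:40.501: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "<190>47: *Mar  1 00:13:02.007: %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.2.1.5(4321) -> 10.2.1.9(80), 1 packet",
    "<191>48: *Mar  1 00:13:10.300: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
]

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
_MNEMONIC = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


def parse_syslog(line: str) -> Optional[Dict]:
    """Split the PRI into facility and severity and pull out the IOS mnemonic tag.
    Returns None for a line without a valid <PRI> prefix."""
    m = _PRI.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 23*8 + 7 is the largest legal PRI
        return None
    rec = {
        "facility": pri >> 3, "facility_name": FACILITIES[pri >> 3],
        "severity": pri & 7, "severity_name": SEVERITIES[pri & 7],
        "msg": m.group(2), "mnemonic": None, "tag_severity": None,
    }
    t = _MNEMONIC.search(rec["msg"])
    if t:
        rec["mnemonic"] = f"{t.group(1)}-{t.group(3)}"
        rec["tag_severity"] = int(t.group(2))
    return rec


def filter_by_trap(lines: List[str], level: str) -> List[Dict]:
    """Keep what 'logging trap <level>' would send: everything at that severity
    number or lower (more severe). 'debugging' keeps all, 'warnings' keeps 0..4."""
    threshold = SEVERITIES.index(level)
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and rec["severity"] <= threshold:
            kept.append(rec)
    return kept


def pri_mismatches(lines: List[str]) -> List[str]:
    """Mnemonics whose in-message severity digit disagrees with the PRI severity.
    On a clean feed this is empty; a non-empty result points at a relay rewriting
    priorities or at messages that did not come from the device they claim."""
    bad = []
    for line in lines:
        rec = parse_syslog(line)
        if rec and rec["tag_severity"] is not None and rec["tag_severity"] != rec["severity"]:
            bad.append(rec["mnemonic"])
    return bad


if __name__ == "__main__":
    for level in ("warnings", "informational", "debugging"):
        kept = filter_by_trap(SAMPLE, level)
        print(f"logging trap {level}: {len(kept)} of {len(SAMPLE)} lines forwarded")
        for rec in kept:
            print(f"  {rec['facility_name']}.{rec['severity_name']:<14} {rec['mnemonic']}")
    print("PRI/tag mismatches:", pri_mismatches(SAMPLE))
```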
Other Ideas and things to do
----------------------------
*pwconv and also did grpconv
*Change usernames and P@ssw0rds on everything -passwd, usermod -l
*Keep track of syslog and generate incident responses regularly (MONITOR SHIT, CHECK ACCOUNTS, TCP CONNECTIONS, USER RIGHTS....) -sysinternals package
*Shutdown apache on the ubuntu machine until it is needed --/etc/init.d/apache2 stop
*Put a banner on /etc/issue.net (linux machines) & less /etc/motd ------this is the message of the day that can be changed and edited (don't use welcome--not invited-----policies and fair use)
*Install AVG on ubuntu and windows?
*IPtables block telnet ssh
FOR Telnet, iptables -A INPUT -p tcp -m tcp --dport 23 -j DROP ---untested!
*Check unneeded services on linux machines and disable ---/etc/init.d/vsftpd stop
*shutdown SSH or SSHD
----------------------------------------------Mount a flash drive in freebsd
mount_msdosfs /dev/da0s1 /mnt
mount a usb device in linux /dev/sd*
> # mkdir /media/cdrom or mkdir /media/usb
> # mount -t iso9660 /dev/cdrom /media/cdrom
mount /dev/sdb1 /media/usb
> ls /dev/sd*
1) mount -t cd9660 /dev/cdrw /mnt/cdrw
2) mount -t iso9660 -r /dev/cdrom /mnt/cdrom
mount /dev/scd0 /media/cdrom0
------------------------------------------------APT on CD
ubuntu packages located /var/cache/apt/archives (copy from cd to this)
/media/cdrom
tar -xvf
cp -r /media/cdrom/packages /var/cache/apt/archives
dpkg -i <debian package>
get webmin installed with this --then can change port under the webmin tab --> webmin configuration
------------------------------------------------------chkconfig <process name> on for redhat/fedora
sysv-rc-conf <service> on ubuntu --might need to apt-get install sysv-rc-conf first
---------------------------------------------------------enable linux auditing with /etc/init.d/auditd start
----------------------------------------------------------xml config for EventLogToSyslog-1.2.5-Bin
<SyslogSvrIpAddress value="192.168.2.219"/>
<SysLogLevel value="Warn"/>
<EventLog name="System" noinfo="false" nowarn="false" noerr="false" nosuccaudit="false" nofailaudit="false" facility="System0"/>
<EventLog name="Security" noinfo="false" nowarn="false" noerr="false" nosuccaudit="false" nofailaudit="false" facility="System1"/>
<EventLog name="Application" noinfo="false" nowarn="false" noerr="false" nosuccaudit="false" nofailaudit="false" facility="System2"/>
<EventLog name="DNS Server" noinfo="true" nowarn="false" noerr="false" nosuccaudit="false" nofailaudit="false" facility="System3"/>
<EventLog name="File Replication Service" noinfo="true" nowarn="false" nosuccaudit="false" nofailaudit="false" noerr="false" facility="System4"/>