noiembrie 2009

Arhivă Lunară

noiembrie 23, 2009

Arhivarea configuratiilor intr-un router CISCO

Posted by m4nt13 under CISCO stuff | Etichete: , , |
1 Comment 
MUlti stiu, putini cunosc cat de usor se poate configura un kron
astfel incat, la intervale stabilite de voi
sa se salveze configuratia unui router intr-o
locatie aleasa.

De exemplu, avem nevoie ca respectiva configuratie sa fie salvata la
fiecare 2500 de minute:

archive
path disk0:/config-archive
maximum 14
time-period 2500
log config
notify syslog

FTP Kron Policy

kron occurrence ftpconfig_occur in 1:0:0 recurring
policy-list ftpconfig
!
kron policy-list ftpconfig
cli copy running-config
ftp://192.168.1.74/configs/router.cfg //IP e ales aleator... se poate
inlocui cu IP-ul unui
 server de ftp agreat de voi

Router#show archive
There are currently 3 archive configurations saved.
The next archive file will be named disk0:/config-archive-4
Archive # Name
0
1 disk0:/config-archive-1
2 disk0:/config-archive-2
3 disk0:/config-archive-3
…

Router#show kron schedule
Kron Occurrence Schedule
ftpconfig_occur inactive, will run again in 0 days 23:54:17
 

noiembrie 19, 2009

Astaro… reluare…

Posted by m4nt13 under Networking
Leave a Comment 

Azi m-am hotarat sa instalez un Astaro in ciclul de productie. Daca totul merge bine, inlocuiesc vechiul 515 de la CISCO…Urati-mi succes! :)

Later edit: De moment, Astaro functioneaza bine… il mai tin in teste si voi posta concluziile… Intre timp, am achizitionat un pix 501 pentru colectia de acasa. M-a costat doua beri, dar a meritat investitia, mai ales ca vreau sa-l configurez sa lucreze cu un 1721 pe adsl-ul propriu si personal… Pana acolo mai e cale lunga, mai ales ca nemernicul mic si rau e parolat iar fostul proprietar habar nu are de parola… Incercam varianta de la CISCO, cea in care trebuie sa opresti boot-ul si sa incarci in flash un fisier care sa iti stearga parola… Asta daca ma prind cee IP-uri are configurate pe interfete. Teoretic, daca las calculorul  pe DHCP, ar trebui sa sa ia un Ip din aceeasi clasa, si ar fi mai usor… Voi aveti alte idei?

 

noiembrie 16, 2009

Cand nu protejezi bine un router…

Posted by m4nt13 under CISCO stuff, Networking, pseudohacking | Etichete: , , |
[13] Comments 

… poti sa ai probleme. Cam asa se intampla cu Telefonica, una dintre cele mai mari companii de comunicatii din lume, care, culmea, imprumuta si configureaza routere pentru diverse alte companii…

Sa vedem cam cum arata configuratia unuia dintre routerele lor:

Using 5298 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname ibemnapacc
!
boot-start-marker
boot-end-marker
!
logging buffered 100000 debugging
no logging console
enable secret 5 $1$u1X7$fFHQopGMm7UVDpXOvTnPE1
enable password 7 04480E0F0135484B
!
clock timezone MET 1
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa session-id common
ip subnet-zero
ip cef
!
!
!
!
ip ftp source-interface Loopback400
ip ips po max-events 100
ip tftp source-interface Loopback400
no ip domain lookup
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key ADSLREMOTA address 172.99.1.1
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set IBER esp-3des esp-sha-hmac
!
crypto map ADSLREMOTA local-address Loopback20
crypto map ADSLREMOTA 10 ipsec-isakmp
set peer 172.99.1.1
set transform-set IBER
match address 110
!
!
!
interface Loopback20
ip address 172.99.1.254 255.255.255.255
!
interface Loopback400
description Gestion InterLAN
ip address 172.30.153.130 255.255.255.255
!
interface ATM0
description ADSL: 948258057
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode ansi-dmt
!
interface ATM0.1 point-to-point
description Conexion con NRI: 31712712 dlci 69
ip address 172.55.3.78 255.255.255.252
crypto map ADSLREMOTA
pvc 8/32
encapsulation aal5snap
!
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
ip address 89.31.29.1 255.255.255.248 secondary
ip address 89.102.10.60 255.255.0.0
shutdown
speed auto
!
router eigrp 1
network 89.0.0.0
network 172.55.0.0
network 172.99.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
no ip http secure-server
ip tacacs source-interface Loopback400
!
!
access-list 3 permit 89.0.4.164
access-list 50 remark GESTION SNMP SOLO LECTURA
access-list 50 permit 172.24.7.128 0.0.0.63
access-list 50 permit 213.0.254.0 0.0.0.63
access-list 50 permit 213.0.190.192 0.0.0.63
access-list 50 permit 213.0.187.192 0.0.0.63
access-list 51 remark GESTION PERMISO ESCRITURA Y TFTP
access-list 51 permit 172.24.7.128 0.0.0.63
access-list 51 permit 213.0.254.0 0.0.0.63
access-list 51 permit 213.0.190.192 0.0.0.63
access-list 51 permit 213.0.187.192 0.0.0.63
access-list 52 permit 172.55.3.77
access-list 52 remark ACCESO TELNET
access-list 52 permit 172.24.7.128 0.0.0.63
access-list 52 permit 213.0.254.0 0.0.0.63
access-list 52 permit 213.0.190.192 0.0.0.63
access-list 52 permit 213.0.187.192 0.0.0.63
access-list 53 remark ACCESO NTP
access-list 53 permit 172.24.7.128 0.0.0.63
access-list 53 permit 213.0.254.0 0.0.0.63
access-list 53 permit 213.0.190.192 0.0.0.63
access-list 53 permit 213.0.187.192 0.0.0.63
access-list 110 permit ip 89.102.0.0 0.0.255.255 any
access-list 110 permit ip 89.31.29.0 0.0.0.7 any
snmp-server community GESTION RO 50
snmp-server community ESCRITO RW 51
snmp-server community IBERMUTUA RO 3
snmp-server ifindex persist
snmp-server trap-source Loopback400
snmp-server location IBERMUTUAMUR –> Sancho Ramirez 15   bj IRUQA NAVARRA
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps atm pvc
snmp-server host 172.24.7.174 GESTION
snmp-server host 89.0.4.164 IBERMUTUA
snmp-server tftp-server-list 51
tacacs-server host 172.24.7.171
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key 7 132435312F29220D
!
control-plane
!
banner motd ^CC
********************************************************************
********************************************************************
********************************************************************
**    Esta usted accediendo a una maquina privada propiedad de    **
**                     TELEFONICA DATA ESPAQA S.A.          ,
**   sin autorizacion, podra estar incurriendo en una violacion   **
**  que podria suponer la posible comision de una falta o delito  **
********************************************************************
**                  Telefonica Data España S.A.                   **
********************************************************************
**          Grupo de Gestion Servicio InterLAN de TDE             **
********************************************************************
********************************************************************^C
!
line con 0
exec-timeout 5 0
password 7 1044081100161E
line aux 0
access-class 52 in
exec-timeout 5 0
password 7 045205130C29435D
modem InOut
no exec
stopbits 1
flowcontrol hardware
line vty 0 4
!
end

Router#

Router#

Nu intrebati cum am obtinut-o, bine? :)

 

noiembrie 12, 2009

Astaro Security Gateway

Posted by m4nt13 under Networking | Etichete: , , |
[4] Comments 

Pentru un informatician, procesul de invatare de noi tehnologii este esential. Iar in cadrul acestui proces, cel de experimentare are cel mai mult farmec. Asadar, dupa ce m-am jucat cateva saptamani cu un firewall hardware de la R.I.S.C. Security, despre care, din pacate nu pot sa scriu deocamdata din motive de licentiere si nu numai, zilele trecute am descarcat noua varianta de Security Gateway a celor de la Astaro. Care ASG exista si in varianta free pentru homeuseri.

Daca aveti vreo rasnita de calculator veche, nu e rau sa aruncati o privire si prin ograda celor de la Astaro. Produsul e chiar OK, usor de configurat, nu cere multe resurse…etc.

Deocamdata inca sunt in plin proces de testare, dar va pot oferi cateva preview-uri:

login window

Instalarea se face simplu, ca orice sistem operativ bazat pe Unix/Linux. Cerintele, dupa cum spuneam, nu sunt mari: procesor la 1GHz, minim 1 GB de Ram, doua placi de retea, un hard de 10 GB sau mai mare.

Dupa instalare se acceseaza consola de management direct din browser, folosind ca adresa localhost si portul 4444. Clar, se poate accesa si din retea, folosind IP-ul serverului de firewall. Prima care va intampina este fereastra de login de mai sus…

Dupa cum veti vedea, menagementul se face in mod grafic, ceea ce va simplica mult configurarea si supravegherea firewall-ului:

main window

Pe partea de securitate a retelei, care ma intereseaza, beneficiem de filtrare de pachete, NAT, Intrusion Prevention, Server load balancing…

net security

Suna bine, pentru un produs pe care il poti folosi acasa… In zilele urmatoare revin cu un review detaliat, impreuna cu cateva tutoriale..