Jaycee's Networking

April 23, 2009

Basic Tools

Filed under: IOS, Security — Tags: — Jaycee @ 1:19 am

1. In-band vs. Out-of-band:

Out-of-band management uses a path that does not carry the LAN/WAN traffic flowing through the router.
In-band signaling uses the same path for data and control signals.

2. Cisco console cable:

a. It goes into the serial port adapter (DB9-to-RJ-45)
b. Console settings: 9600 bps, N81 (no parity, 8 data bits, 1 stop bit), hardware flow control
c. Securing a console connection: use “exec-timeout” command

3. Terminal emulation software:

a. Windows-based:

1) HyperTerminal
2) HTPE (HyperTerminal Private Edition)
3) TeraTerm
4) PuTTY
5) SSH Secure Shell Client (http://www.ssh.com)

b. Linux-based:

1) Minicom
2) Cu
3) GtkTerm

4. Log session:

a. Linux users can log Telnet sessions with the tee command:

telnet host-ip-address 2>&1 | tee text-file

b. Windows users can use “set logfile filename”:

C:\>telnet
> set logfile routerlog.txt

5. For SSH encryption algorithm:

a. Configure:

crypto key generate rsa modulus 1024
ip ssh time-out 120
ip ssh authentication-retries 4
line vty 0 4
transport input ssh

b. Display SSH info:

#sh ip ssh
#sh ssh

c. Login:

The cipher can be DES or 3DES, depending on the encryption supported by the IOS image of the router, switch or firewall.

ssh -l username -c 3DES ip-address

6. Enable GUI:

1. Enable IOS for HTTP:

R(config)#ip http server
R(config)#ip http secure-server
R(config)#ip http authentication {aaa|enable|local|tacacs}
R(config)#username name [privilege level]
R(config)#username name password secret

username jaycee password cisco
username jaycee privilege 15
ip http server
ip http authentication local

2. Enable PDM (PIX Device Manager) on Cisco PIX firewall:

pix(config)#http server enable
pix(config)#http ip_address [netmask] [if_name]

pix(config)#http server enable
pix(config)#http 192.168.0.0 255.255.255.0 inside

*PDM can only be accessed through HTTPS (HTTP over SSL).

7. TFTP Servers:

a. Windows-based:

SolarWinds TFTP server: http://www.solarwinds.net

b. Linux-based: tftpd

1) Install tftpd: apt-get install tftpd
2) Configuration file: /etc/inetd.conf
3) Create a tftpboot directory that matches the one in the /etc/inetd.conf file (default location: /boot): mkdir /tftpboot
4) Change the folder permission to allow read and write permissions: chmod 666 /tftpboot
5) Change the owner to nobody: chown nobody /tftpboot
6) Change the file permission to allow read and write permissions: chmod a+wr *
*Linux tftpd has a built-in security feature that prevents access to files unless they already exist on the TFTP server.
=> Before writing to any file, you must create it on the TFTP server.
==> The file must have read-and-write permission.
7) Restart inetd server: /etc/init.d/inetd restart

c. IOS-based:

R(config)#tftp-server flash:ios-image-file.bin

d. IOS commands to use tftp:

copy running-config tftp:
copy startup-config tftp:
copy tftp running-config
copy tftp startup-config

e. PIX commands to use tftp:

1) Copy running configuration to a TFTP server:

write net tftp-ip-address:filename

2) Copy configuration from a specified file on the TFTP server:

config net tftp-ipaddress:filename

8. FTP Servers:

a. Windows-based: Windows offers a built-in FTP server under IIS

b. Linux-based:

1) vsFTP (very secure FTP): http://vsftpd.beasts.org

(i) install vsftpd: apt-get install vsftpd
(ii) edit /etc/vsftpd.conf: anonymous_enable=NO
(iii) create an FTP user: useradd ftp-user; passwd ftp-user
(iv) restart vsftpd: /etc/init.d/vsftpd restart

2) ProFTP: http://www.proftpd.org
3) WUFTP: http://www.wu-ftpd.org

c. IOS to use FTP:

R#copy running ftp://ftp-user:cisco@192.168.0.103/router-confg

9. IOS to use SCP:

a. Configure SCP:

Router(config)# aaa new-model
Router(config)# aaa authentication login default group tacacs+

*aaa authentication login {default | list-name} method1 [method2…]

Router(config)# aaa authorization exec default group tacacs+

*aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2]]

Router(config)# username superuser privilege 2 password 0 superpassword
Router(config)# ip scp server enable

b. Debug SCP:

Router#debug ip scp

c. Example:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
username tiger privilege 15 password 0 lab
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
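The settings in sections 2c, 5, 6 and 9 above are the ones an auditor checks first on a router's running-config: an exec-timeout on every line, vty access restricted to SSH, no plain-HTTP management when the secure server is available, no cleartext "password" where "secret" would do, and the AAA lines that SCP depends on. The Python script below is an added example, not code from the original post: it parses a running-config text and reports each of those findings. Both sample configurations are constructed from the commands shown in this post rather than captured from a real device, and the finding codes (HTTP_PLAINTEXT, VTY_TELNET, and so on) are labels chosen here.

```python
"""Audit a Cisco IOS running-config for the management-plane settings
covered in this post (exec-timeout, vty transport, HTTP vs HTTPS,
cleartext passwords, AAA for SCP).  Added example; works offline on
constructed configuration text."""
import re

# Constructed sample: the weak commands from the post collected in one config.
WEAK_CONFIG = """\
hostname R1
username jaycee password cisco
username jaycee privilege 15
username tiger privilege 15 password 0 lab
ip http server
ip http authentication local
ip scp server enable
line con 0
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same device with the hardened equivalents.
HARDENED_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username tiger privilege 15 secret lab
ip http secure-server
ip http authentication local
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 transport input ssh
"""


def parse_blocks(config):
    """Return (top_level_commands, {line_section_header: [child commands]}).
    IOS indents the children of a 'line ...' section with one leading space."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        top.append(cmd)
        if cmd.startswith("line "):
            current = cmd
            sections[cmd] = []
        else:
            current = None
    return top, sections


def audit_ios_config(config):
    """Return a list of (code, detail) findings; an empty list means clean."""
    top, sections = parse_blocks(config)
    findings = []

    def has(prefix):
        return any(c.startswith(prefix) for c in top)

    # Section 6: plain HTTP management enabled while the TLS server is off.
    if has("ip http server") and not has("ip http secure-server"):
        findings.append(("HTTP_PLAINTEXT",
                         "ip http server enabled without ip http secure-server"))

    # Sections 6/9: 'username ... password' stores a reversible credential;
    # 'username ... secret' stores a hash instead.
    for cmd in top:
        m = re.match(r"username (\S+) .*\bpassword\b", cmd)
        if m:
            findings.append(("CLEARTEXT_PASSWORD",
                             f"username {m.group(1)} uses 'password' instead of 'secret'"))

    for header, children in sections.items():
        # Section 5: vty lines should accept SSH only (no telnet, no 'all').
        if header.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if not transports or any(("telnet" in t or t.endswith(" all")) for t in transports):
                findings.append(("VTY_TELNET",
                                 f"{header}: transport input is not restricted to ssh"))
        # Section 2c: every console/vty line gets an explicit exec-timeout.
        if not any(c.startswith("exec-timeout") for c in children):
            findings.append(("NO_EXEC_TIMEOUT",
                             f"{header}: exec-timeout not set explicitly"))

    # Section 9a: the SCP server relies on AAA login authentication and
    # exec authorization being configured.
    if has("ip scp server enable") and not (
            has("aaa new-model") and has("aaa authentication login")
            and has("aaa authorization exec")):
        findings.append(("SCP_WITHOUT_AAA",
                         "ip scp server enable without aaa authentication login / authorization exec"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_ios_config(cfg))} finding(s)")
        for code, detail in audit_ios_config(cfg):
            print(f"  {code}: {detail}")
```

Feed it the output of "show running-config" saved through the session-logging trick in section 4; the weak sample yields seven findings and the hardened sample none.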


2 Comments »

  1. When some one searches for his vital thing, so he/she desires to be available
    that in detail, so that thing is maintained over here.

    Comment by whatsapp for pc — July 4, 2013 @ 6:18 am

  2. Hi to all, the contents existing at this website are genuinely remarkable for people knowledge,
    well, keep up the nice work fellows.

    Comment by kids and technology — July 12, 2013 @ 9:07 am
