Monday, 2 December 2013

How to Disable Telnet and Enable SSHV2 on DELL Switch:

How to Disable Telnet and Enable SSHV2 on Dell Switch:
Enable SSH on the switch first and only then disable telnet. SSHv2 is the secure version (SSHv1 has known protocol weaknesses), so only SSHv2 is enabled here. Do the whole change from the console, or at least keep your current session open and confirm that a fresh SSHv2 login works before disabling telnet; otherwise a mistake in the SSH setup locks you out of remote management.

Steps to enable SSHv2 (all in global configuration mode):
Step 1: Generate the host keys for SSH. Dell requires both an RSA and a DSA key to exist before the SSH server can be turned on:
#crypto key generate rsa
#crypto key generate dsa

Step 2: Restrict the SSH server to protocol version 2, then start it:
#ip ssh protocol 2
#ip ssh server
Check the result with show ip ssh and log in once over SSH from a second session before going on.

Step 3: Disable telnet (the exact command differs between Dell switch families and firmware versions):

#ip telnet server disable










Friday, 11 October 2013

How to Disable SSHV1 on Cisco ASA:

SSHv1 has known protocol weaknesses (its CRC-32 integrity check is not a real MAC), so disabling it is a common hardening requirement. The ASA can be told to accept connections from SSHv2 clients only.

How to Disable SSHV1 on Cisco ASA:
Run this command in configuration mode:
ASA(config)# ssh version 2
This tells the ASA to accept SSHv2 connections only; SSHv1 clients are refused from then on. It needs the RSA host key that SSH already uses (crypto key generate rsa), so nothing else changes for v2 clients. Verify with show ssh (or show running-config ssh) and by opening a new SSH session before closing the current one. Later ASA releases dropped SSHv1 entirely, so on those this is already the only possible setting.
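Both this post and the Dell post above end with the same question: is the device now really speaking SSHv2 only, with telnet closed? The bash script below is an added example, not part of the original posts and not a Cisco or Dell tool, that answers it from the outside. It reads the server identification string that every SSH server sends on connect: SSH-2.0 means v2 only, SSH-1.99 means the server still accepts SSHv1 (what a Cisco box shows before ssh version 2), SSH-1.x means v1 only. It then tries a TCP connect to port 23. It assumes bash with /dev/tcp support and the coreutils timeout command on the client; the host and port come from the command line.

```bash
#!/usr/bin/env bash
# Added example (not from the original posts or any vendor): check from the
# outside that a device now speaks SSHv2 only and no longer answers on telnet.
# Assumes bash with /dev/tcp support and GNU coreutils 'timeout' on the client.

# Classify a server identification string (RFC 4253 section 4.2).
#   SSH-2.0-*   -> v2-only     (what you want to see after 'ssh version 2')
#   SSH-1.99-*  -> v1-and-v2   (server still accepts SSHv1 clients)
#   SSH-1.x-*   -> v1-only
ssh_banner_class() {
  case "$1" in
    SSH-2.0-*)  echo "v2-only" ;;
    SSH-1.99-*) echo "v1-and-v2" ;;
    SSH-1.*)    echo "v1-only" ;;
    *)          echo "unknown" ;;
  esac
}

# Fetch the first line the server sends on host:port. SSH servers send their
# identification string right after the TCP handshake, so nothing is written.
ssh_banner_fetch() {
  local host="$1" port="${2:-22}"
  timeout 10 bash -c 'exec 3<>"/dev/tcp/$1/$2" && IFS= read -r -t 5 line <&3 && printf "%s\n" "$line"' \
    _ "$host" "$port" 2>/dev/null | tr -d '\r'
}

# "open" if a TCP connect succeeds, otherwise "closed" (covers refused and filtered).
tcp_port_state() {
  if timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null; then
    echo "open"
  else
    echo "closed"
  fi
}

# PASS only when the SSH banner is v2-only and telnet is not reachable.
ssh_audit_verdict() {
  local banner="$1" telnet_state="$2" cls
  cls=$(ssh_banner_class "$banner")
  if [ "$cls" = "v2-only" ] && [ "$telnet_state" = "closed" ]; then
    echo "PASS"
  else
    echo "FAIL ssh=$cls telnet=$telnet_state"
  fi
}

audit_host() {
  local host="$1" port="${2:-22}" banner telnet_state
  banner=$(ssh_banner_fetch "$host" "$port")
  telnet_state=$(tcp_port_state "$host" 23)
  printf '%s: banner=%s -> %s\n' "$host" "${banner:-<none>}" \
    "$(ssh_audit_verdict "$banner" "$telnet_state")"
}

# Usage: ./ssh-audit.sh <device-ip> [ssh-port]
if [ $# -gt 0 ]; then
  audit_host "$1" "${2:-22}"
fi
```

Run it against the switch or ASA after the change; a device that still reports SSH-1.99 has not actually turned SSHv1 off, and an open port 23 means the telnet step was skipped or the command did not take. The same check applies to any SSH daemon, including the IPS sensor in the post below.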









Friday, 13 September 2013

How to Disable SSHV1 at Cisco IPS(AIP-SSM-10)

How to Disable SSHV1 at IPS:
By default on Cisco IPS 7.x sensor software both SSHv1 and SSHv2 are enabled. There is no setting in the sensor configuration to turn SSHv1 off; the change has to be made to the sshd configuration file of the underlying operating system, which needs root-level shell access. That access comes through the service account. It exists for support purposes, gives a shell with access to the sensor's system files, and only one service account can exist on a sensor. Cisco documents it as a TAC support mechanism, so anything changed this way is outside the supported configuration.
Method:
1. Create a service account if one does not exist yet (the password is set here):
username xxxx privilege service password xxxxx
2. Log in to the sensor over SSH with this account; it lands in a bash shell rather than the sensor CLI.
3. Gain root:
su -
(supply the password of the service account; it worked in my scenario)
4. Run these commands:

cd /etc/ssh
cp sshd_config sshd_config.old  (backs up the current sshd_config to sshd_config.old)


sed -r '/^#?Protocol /cProtocol 2' sshd_config.old > sshd_config   (writes a new sshd_config in which the Protocol line, commented out or not, is replaced by "Protocol 2"; if the file has no Protocol line at all nothing changes, so confirm with grep -n '^Protocol' sshd_config before restarting)



/etc/init.d/cids reboot  (restarts the sensor application so the new sshd_config takes effect)

The sensor now refuses SSHv1 connections. To confirm, connect from an OpenSSH client old enough to still have the -1 option (it was removed in 7.6): ssh -1 must be rejected while a normal SSHv2 login still works. Because this edits a system file outside the sensor's own configuration, it is lost on a re-image and should be re-checked after every sensor software upgrade.
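The sed one-liner above only rewrites a Protocol line that already exists. The bash functions below are an added example, not from the original post and not Cisco's, that make the same change robustly: every Protocol line (active or commented) becomes "Protocol 2", a missing directive is prepended so it takes precedence, a backup is kept, and the value actually in force is reported. They only edit the file; restarting sshd or the sensor is still a separate step. The path is passed in (on the sensor that is /etc/ssh/sshd_config), and the directive only matters on OpenSSH releases old enough to still contain SSHv1, as the sensor's is.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or Cisco): force "Protocol 2" in an
# sshd_config whether the directive is active, commented out, or missing, and
# report the value that is in force. Assumes an OpenSSH release that still
# honours the Protocol directive (releases before 7.x); the path is passed in.

# sshd uses the first uncommented occurrence of a keyword, so report that one;
# "default" means the directive is absent and the compiled-in default applies.
sshd_protocol_value() {
  awk '/^[[:space:]]*Protocol[[:space:]]+/ { print $2; found = 1; exit }
       END { if (!found) print "default" }' "$1"
}

# Rewrite FILE so that SSHv1 is off: every Protocol line (active or commented)
# becomes "Protocol 2"; if there is none, one is prepended so it takes
# precedence over anything later in the file. The original is kept as
# FILE.old. Running it twice leaves a single "Protocol 2" line.
set_sshd_protocol2() {
  local cfg="$1" tmp
  [ -f "$cfg" ] || { echo "set_sshd_protocol2: no such file: $cfg" >&2; return 1; }
  tmp=$(mktemp) || return 1
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Protocol[[:space:]]' "$cfg"; then
    sed -E 's/^[[:space:]]*#?[[:space:]]*Protocol[[:space:]].*/Protocol 2/' "$cfg" > "$tmp"
  else
    { echo 'Protocol 2'; cat "$cfg"; } > "$tmp"
  fi
  # cat into the live file (instead of mv) keeps its owner and mode.
  cp -p "$cfg" "$cfg.old" && cat "$tmp" > "$cfg"
  rm -f "$tmp"
}

# Exit status 0 if FILE leaves only SSHv2 enabled.
sshd_v1_disabled() {
  [ "$(sshd_protocol_value "$1")" = "2" ]
}

# Usage: ./sshd-proto2.sh /etc/ssh/sshd_config   (then restart sshd / the sensor)
if [ $# -gt 0 ]; then
  set_sshd_protocol2 "$1" && echo "Protocol now: $(sshd_protocol_value "$1")"
fi
```

sshd_protocol_value is worth keeping around on its own: run it before and after the change, and again after an upgrade, to see whether the file still says 2 or has fallen back to the default.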



Tuesday, 28 May 2013

File System Management on Cisco IOS Router:

After logging in to an IOS router the default file system is flash: (the flash drive). It holds the IOS image and related packages (.bin, .tar and .pkg files) and its contents survive a reboot. System files such as startup-config and private-config live on nvram: instead.

Output from the flash drive:
#dir
Directory of flash:/

    1  -rw-    13937472  Dec 19 2006 06:03:00 +00:00  c1841-ipbase-mz.124-1c.bin
    2  -rw-        1821  Dec 19 2006 06:17:24 +00:00  sdmconfig-18xx.cfg
    3  -rw-     4734464  Dec 19 2006 06:18:12 +00:00  sdm.tar
    4  -rw-      833024  Dec 19 2006 06:18:46 +00:00  es.tar
    5  -rw-     1052160  Dec 19 2006 06:19:20 +00:00  common.tar
    6  -rw-        1038  Dec 19 2006 06:19:58 +00:00  home.shtml
    7  -rw-      102400  Dec 19 2006 06:20:26 +00:00  home.tar
    8  -rw-      491213  Dec 19 2006 06:21:02 +00:00  128MB.sdf
    9  -rw-     1684577  Dec 19 2006 06:22:00 +00:00  securedesktop-ios-3.1.1.27-k9.pkg
   10  -rw-      398305  Dec 19 2006 06:22:44 +00:00  sslclient-win-1.1.0.154.pkg

Output from nvram:
#cd nvram:
#dir
Directory of nvram:/

  190  -rw-        1304                    <no date>  startup-config
  191  ----           5                    <no date>  private-config
  192  -rw-        1304                    <no date>  underlying-config
    1  -rw-           0                    <no date>  ifIndex-table
    2  ----          12                    <no date>  persistent-data

196600 bytes total (193191 bytes free)

Commands:
dir: lists the files in the current file system, or in the one you name (dir flash:, dir nvram:).

copy: copies a file, much like cp in Linux.
Syntax: copy "source" "destination"
Example: copy nvram:startup-config tftp://IP_of_tftp/directory/file_name
Keep in mind that TFTP has no authentication or encryption and the configuration contains credentials and keys, so restrict who can reach the TFTP server and prefer an encrypted transport where the image supports the scp: file system (copy nvram:startup-config scp://user@host/path).

show file: displays information about a specific file or about a file system.
Example: #show file information flash:c1841-ipbase-mz.124-1c.bin
flash:c1841-ipbase-mz.124-1c.bin:
  type is image (elf) []
  file size is 13937472 bytes, run size is 14103140 bytes
  Runnable image, entry point 0x8000F000, run from ram
This tells you the image type and size but says nothing about whether the image is genuine; for that, compare verify /md5 flash:c1841-ipbase-mz.124-1c.bin against the hash Cisco publishes for the image.

more: prints the contents of a file, as in Linux.
Example: more nvram:startup-config
private-config (shown with permission ---- in the nvram: listing above) holds secrets such as the router's RSA key material and cannot be displayed this way.

delete: removes a single file, as the name says.

erase or format: both wipe the entire contents of a file system; which one applies depends on the memory type. erase is used for nvram: (erase startup-config) and traditional flash, format for disk-style file systems such as disk0: or usbflash:. Neither has an undo, and erasing nvram: removes private-config and its keys along with the startup configuration.

cd and pwd: cd changes the current directory, as in DOS and Linux, to whatever file system or directory you specify, and pwd shows where you are at present.

mkdir and rmdir: mkdir creates a directory and rmdir removes one. Not every router or switch supports creating and deleting directories; only file systems that have directories (disk-style flash, not nvram:) do.

















Thursday, 2 May 2013

SNMP and ASA:
SNMP stands for Simple Network Management Protocol. Up to ASA software 8.1 only SNMP v1 and v2c were supported. ASA 8.2 and later also support SNMPv3, the only version that authenticates and encrypts: v1 and v2c send the community string in cleartext with every packet, so anyone who can sniff the management path can read it and poll the firewall. Use v3 with auth and priv wherever the NMS supports it.
The ASA works as the SNMP agent, so you need a Network Management System (NMS) acting as the SNMP manager to provide monitoring and management. The NMS is a management server such as CiscoWorks or Firewall Analyzer. With the NMS you can either poll the ASA to collect information, or the ASA can send SNMP traps (event notifications) to the NMS. Polls go to UDP port 161 on the agent and traps go to UDP port 162 on the manager, so the ASA listens on UDP 161 and the NMS listens on UDP 162. The ASA only answers polls from hosts that are configured with snmp-server host.
Configuring SNMP
 Step1: Enable the snmp server on the ASA.
ASA(config)# snmp-server enable
 Step2: Identify the NMS host that can connect to the ASA for SNMP management.
ASA(config)# snmp-server host interface_name ip_address community community_string
Here interface_name is the ASA interface through which the NMS is reached and ip_address is the NMS address. community_string is a shared secret that must match on the ASA and the NMS for the two to communicate. On 8.2 and later, replace "community community_string" with "version 3 username" (after defining the user with snmp-server group and snmp-server user) to use SNMPv3 instead.
Step3: Specify the ASA community string (use a long random value, never a well-known one such as public)
 ASA(config)# snmp-server community community_string
Step4: Enable the ASA to send snmp traps to the NMS
 ASA(config)# snmp-server enable traps [all | snmp [authentication] [linkup] [linkdown] [coldstart]]
By default the standard SNMP traps are enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). Leave them on: the authentication trap in particular reports polls with a wrong community string, which is the first sign of someone probing the firewall over SNMP.
Configuration Example:
ASA(config)# snmp-server enable
ASA(config)# snmp-server host inside 10.1.1.100 community secret_Key
ASA(config)# snmp-server community secret_Key
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart

Note: before configuring the SNMP host, make sure the NMS is reachable through the specified interface:
ASA# ping "interface_name" "IP of NMS"
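The configuration above works, but it is the v2c variant with the community string on the wire. The bash script below is an added example, not from the original post and not a Cisco tool, that audits the SNMP lines of an ASA configuration (the output of show running-config snmp-server) for the three things discussed here: a well-known community string, NMS hosts still on community-based v1/v2c instead of v3, and the authentication-failure trap being switched off. It carries two constructed inputs: the post's own example unchanged, and the same NMS moved to SNMPv3 with auth and priv. The v3 lines follow the ASA 8.2+ syntax; the group name, user name and passwords in them are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or Cisco): audit the SNMP lines of
# an ASA configuration for the weaknesses discussed above. Feed it the text of
# "show running-config snmp-server". Output is "OK" or a space-separated list:
#   weak-community              community string is a well-known value
#   community-based-host:<ip>   NMS host not configured for SNMPv3, so the
#                               community string crosses the wire in cleartext
#   no-auth-failure-trap        the authentication trap is not enabled, so bad
#                               community strings are never reported to the NMS
asa_snmp_audit() {
  local cfg="$1" line findings="" has_traps=0 auth_trap=0
  while IFS= read -r line; do
    case "$line" in
      "snmp-server community "*)
        case "${line#snmp-server community }" in
          public|private|public\ *|private\ *) findings="$findings weak-community" ;;
        esac ;;
      "snmp-server host "*)
        case "$line" in
          *" version 3"*) ;;   # v3 hosts reference a user, not a community
          *) findings="$findings community-based-host:$(printf '%s\n' "$line" | awk '{print $4}')" ;;
        esac ;;
      "snmp-server enable traps "*)
        has_traps=1
        case "$line" in
          *authentication*|*" all"*) auth_trap=1 ;;
        esac ;;
    esac
  done <<< "$cfg"
  if [ "$has_traps" = 1 ] && [ "$auth_trap" = 0 ]; then
    findings="$findings no-auth-failure-trap"
  fi
  findings="${findings# }"
  printf '%s\n' "${findings:-OK}"
}

# Constructed input 1: the post's own example, unchanged (v2c, community in cleartext).
EXAMPLE_V2C_CFG='snmp-server enable
snmp-server host inside 10.1.1.100 community secret_Key
snmp-server community secret_Key
snmp-server enable traps snmp authentication linkup linkdown coldstart'

# Constructed input 2: the same NMS on SNMPv3 with auth and priv (ASA 8.2+
# syntax; group name, user name and passwords are placeholders).
EXAMPLE_V3_CFG='snmp-server enable
snmp-server group NMS-GROUP v3 priv
snmp-server user nmsuser NMS-GROUP v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
snmp-server host inside 10.1.1.100 version 3 nmsuser
snmp-server enable traps snmp authentication linkup linkdown coldstart'

# Usage: ./asa-snmp-audit.sh saved-snmp-config.txt   (no argument: audit the two examples)
if [ $# -gt 0 ]; then
  asa_snmp_audit "$(cat "$1")"
else
  echo "v2c example : $(asa_snmp_audit "$EXAMPLE_V2C_CFG")"
  echo "v3 example  : $(asa_snmp_audit "$EXAMPLE_V3_CFG")"
fi
```

Against the post's example the only finding is community-based-host:10.1.1.100, which is exactly the gap SNMPv3 closes; the v3 version comes back OK. The checks are deliberately narrow (no attempt to judge community-string entropy, for instance), so treat OK as "none of the three known mistakes", not as a full review.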