Basic Steps to secure your Cisco Switch

Vlan Hopping (Rogue Trunk)
Disable trunking on port (eg. gigabitethernet 0/1) which don’t require trunking:
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#switchport mode access

Disable DTP (Dynamic Trunking Protocol) on port which required trunking:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

—————————————————————————————————

Vlan Hopping(Double-Tagging)
Change Native Vlan to a unused Vlan
Switch(config)# interface gigabitethernet 0/1
Switch(confi-if)# switchport trunk native vlan 400 <– vlan 400 not used by anyone
————————————————————————————————–

STP Manipulation Attack
Enable portfast globally for non-trunking ports (non-trunking ports over here means the ports not connecting the other switches)
Switch(config)#spanning-tree portfast default

Turn On portfast mode on a selected interface (eg. gigabitethernet 0/1)
Switch (config)#interface gigabitethernet 0/1
Switch (config-if)#spanning-tree portfast

Enable BPDUGuard globally on all portfast ports. When these ports see BPDU frames (used to elect STP root switch), the frame will be ignored and dropped.
Switch(config)#spanning-tree portfast bpduguard default

Enable RootGuard on selected port (eg. gigabitethernet 0/1), thus the port will stop passing traffic when it see BPDU which superior to current root. It start passing traffic again after the superior BPDU ceased.
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# spanning-tree guard root
———————————————————————————————-

CAM table Overflow
Enable port security (this only work on non-trunking port, aka access port)
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation [protect|restrict|Shutdown]

In previous example, that port will only learn 132 MAC address, other MAC address will trigger violation. The violation actions are:
protect: new MAC address will be ignored and not inserted into CAM table
restrict (default): switch will ignored new MAC address and send an SNMP trap or syslog to corresponding servers.
shutdown: New MAC address will be ignored and that network port will be shut down till manual turn on.

Instead of remember 132 MAC address, we can set the maximum MAC addresses to be learned (eg, maximum 50 addresses are allowed to be learned)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security violation [protect|restrict|Shutdown]

If we want the port to remember 1 MAC address only, there are 2 ways (dynamic and static)
Dynamic
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security sticky
Switch(config-if)# switchport port-security violation [protect|restrict|Shutdown]

Static
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security static 1234.1234.1234
Switch(config-if)# switchport port-security violation [protect|restrict|Shutdown]

Configure MAC address aging in CAM table
Scenario: Age out the MAC address which has been inactive for 100minutes
Switch(config-if)# switchport port-security aging time 100
Switch(config-if)# switchport port-security aging type inacitivity

Scenario: Age out the MAC address after 100minutes no matter what!
Switch(config-if)# switchport port-security aging time 100
Switch(config-if)# switchport port-security aging type absolute

Check port-security status
Switch#show port-security
—————————————————————————————

Create SPAN port
Replicate all traffic on a port (eg. gigabitethernet 0/1) to another port (eg gigabitethernet 0/2) for analaysis (normally for IDS/IPS):
Switch(config-if)# monitor session 1 source interface gigabitethernet 0/1
Switch(config-if)# monitor session 1 destination interface gigabitethernet 0/2 encapsulation replica
——————————————————————————————-

Storm-Control
Controlling 3 types of traffic: unicast, multicast and broadcast
Scenario, shutdown the port (eg. gigabitethernet 0/1) if:
a) unicast traffic is more than 99%
b) multicast reach 50Mbps
c) broadcast packet reach 3000 per second

Switch(config)# interface gigabitethernet 0/1
Switch(config-if)#storm-control unicast level 99
Switch(config-if)#storm-control multicast level bps 50m
Switch(config-if)#storm-control broadcast level pps 3k
Switch(config-if)#storm-control action shutdown

*Traffic measurements percentage, bps, pps can be freely used for unicast, multicast and broadcast.

See this example:
Switch(config-if)#storm-control unicast level bps 50m 30m
Switch(config-if)#storm-control action trap

Meaning: Switch will send SNMP trap and message to syslog once unicast traffic reach 50Mbps, and it will stop sending the message when unicast traffic fall below 30Mbps.

———————————————————————————————
Switch Security Best Practise

1. Secure Management: Use SSH, dedicated management Vlan, out of band etc.
2. Native Vlan: use dedicated Vlan for trunk ports and avoid vlan 1 at all.
3. User ports: configure it as non-trunking ports.
4. Port-security: control learned MAC address volume on non-trunking ports.
5. SNMP: Limit to the management Vlan if possible and treat community string as superuser password.
6. STP: Used BPDU guard and root guard.
7. CDP(Cisco Discovery Protocl): Use if necessary. CDP provide great deal of information about the device.
8. Unused ports: Disable them and put them in an unused Vlan for extra security.

Change Windows RDP port

By default, Windows listening on port 3389 f0r RDP (Remote Desktop Protocol), hence it has becomes a favor for attacker.

To change the port number, just go to windows registry:

Start -> Run -> regedit

Under the path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp > PortNumber option

Change the port 3389 to the number you preferred.

Reference:
How to change the listening port for Remote Desktop

Fedora 10 error with SCSI RAID controller

While installing Fedora 10 onto machine with SCSI RAID controller, error may come out while booting, as show above.

The machine will forever stucked there without getting into Fedora desktop if only reboot, swap disk, remove RAID setting action are taken.

To solve this problem:

Insert the Fedora 10 installation CD and reboot (force reboot is applicable).

On the GUI page for installation options, select Rescue an Installed System.

Select Do NOT start network devices. Click Continue.

On bash shell prompt, type:

# chroot /mnt/sysimage

# cd /boot

Backup the existing initial ramdisk image first. (Optional but recommended)

For example, the ramdisk image name is initrd-2.6.27.21.170.2.56.fc10.x86_64.img

# mv initrd-2.6.27.21.170.2.56.fc10.x86_64.img initrd-2.6.27.21.170.2.56.fc10.x86_64.img.original

Create a new initial ramdisk image:

# mkinitrd   – -with=scsi_wait_scan initrd-2.6.27.21.170.2.56.fc10.x86_64.img `uname –r`
*Note that it is “- -” double hypen without space; also grave accent/tilte button ( ` ) followed by “uname…”, not single quote( ‘ )

The ramdisk image filename “initrd-2.6.27.21.170.2.56.fc10.x86_64.img” MUST match the initrd file name in /boot/grub/grub.conf

Reboot and problem shall be solved (you may expecting a working login interface).

Reference:

1. Fedora Forum
2. Linuxtopis: Fedora 10. Begining the installation.

Removing Li-ion battery from Laptop really helps it life span?

A lot of people have the thinking that removing the battery from the laptop while using AC current will prolong the battery lifespan from being charged over long time. This concept is simply not right because most of the Li-ion has built-in circuit to cut off the charge in order to prevent over-charging, which will permanently damage the battery (normally 4.2V). So if the battery is already fully-charged, it won’t get charged even you leave it attached with the laptop.

The reason to remove the battery from laptop is because of HEAT! Over period of time, the battery will lose its capacity permanently according to its storage capacity and temperature, as refered to the chart below:
So, an idle fully-charged Li-ion battery at 40 degree celcius will lose 15% more capacity compared to another battery at room temperature.

With a laptop running more at 60 degree celcius (rarely seen), its attached battery will render useless within a year.  In another words, you can choose to attach your battery with your laptop all the time, as long as you remain the laptop is cool enough (bottom cooling pad with fans).

To store fresh/unused battery, it is recommended to charge the battery to 40% instead of 100%, to reduce its capacity lose over time.

Reference:

• 3 Things You Should Already Know About Your Lithium Ion Battery
• Wiki: Lithium-ion battery – Storage temperature and charge

Failed to open IIS metabase

When IIS is installed after .Net Framework, the right for ASPNet user isn’t configured properly, where it won’t handle aspx(asp) files properly. In order to solve, just reset the aspnet user rights in IIS registry with such command:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis  -i

Reference:

• Failed to access IIS metabase problem
• FIX: System.Web.Hosting.HostingEnvironmentException: Failed to access IIS metabase
• Failed to access IIS metabase, VS2005 RC

Changing Grub boot sequence on dual boot (Win+Linux)

Linux has been improved significantly that the users don’t have to give up Win platform while installing Linux on its hdd, since Linux distro now a day usually comes with boot loader which enable dual boot easily (Linux installation sometimes could be less “clicks” than Windows platform).

Ubuntu and Fedora use Grub boot loader, sometimes we might accidentally set Linux to default boot, where unattended machine will boot into Linux automatically, then the user has to reboot again and manually set it boot to Windows platform.

To change boot sequence, just edit the configuration at /etc/grub.conf
(“root” privilege is required)

Hereby I use vi as the text editor

vi /etc/grub.conf

On the parameters of default, change to the number of its partition on the hdd, like 0 in the example shown above. (hdd 0,0: Windows;    hdd 0,1:swap;    hdd 0,2:Fedora )

timeout is for the pending time for selection before it auto-boot the default choice, which is set to 5second on example above.

After changing to 0 (previously 2 for Fedora partition), pls kindly restart and it shall works!

reboot

Windows XP: Change IP address (static DHCP) using command prompt

There are conflicts of IP addresses everywhere, most typical case would be home networking using DHCP and office network use Static IP due to security measurement. Switch them would be quite troublesome.

The harder way is to do it via command prompt. To change DHCP address to static IP:

netsh interface ip set address name=”<network connection name>” static <static IP> <network mask> <default gateway>

eg. netsh interface ip set address name=”Ethernet Network Connection” static 192.168.0.10 255.255.255.0 192.168.0.1

To change it back to DHCP client:

netsh interface ip set address name=”<network connection name>” dhcp

eg. netsh interface ip set address name=”Ethernet Network Connection” dhcp

Other than these, changing the DNS server manually would be:

netsh interface ip set dns name=”<network connection name>” static <DNS server IP address>

eg.netsh interface ip set dns name=”Ethernet Network Connection” static 192.168.0.1 (assume the gateway is same as DNS server)

Lastly, changing the WINS server manually would be:

netsh interface ip set wins name=”<network connection name>” static <DNS server IP address>

eg.netsh interface ip set wins name=”Ethernet Network Connection” static 192.168.0.1 (assume the gateway is same as WINS server)

Troublesome, isn’t it? What if you put all the commands into one batch file (.bat), with one click, it is easier than GUI!

Reference:

1. Configure TCP/IP from the Command Prompt
2. Microsft Help and Support:How to Use the NETSH Command to Change from Static IP Address to DHCP in Windows 2000

Export Group policy on a network

For Microsoft computer network without Active Directory, deploying Group Policy is a nightmare as you definitely don’t want to get into Group Policy Object Editor and edit the option one-by-one on each PC.

This an alternative way to do so:

1. Open %systemroot%\system32\grouppolicy\ (eg. c:\WINDOWS\system32\GroupPolicy\)

2.Copy both “machine” and “user” folders to the “%systemroot%\system32\grouppolicy” – folder (same location) on the target machine.

3. Reboot or a “gpupdate /force” command to refresh the group policy.

Hereby I provide an example of batch file to do such jobs in one click.

First, you need to have both “machine” and “user” folders stored under a folder named “GroupPolicySource” (any filename as you like). Locate the batch file as in same folder with “GroupPolicySource” folder.

Batch file:

xcopy GroupPolicySource c:\WINDOWS\system32\GroupPolicy\ /s /e /y
gpdupate /f

or

xcopy GroupPolicySource c:\WINDOWS\system32\GroupPolicy\ /s /e /y
shutdown -r -i 5 (reboot in 5 seconds)

Reference:

1. Florian’s Blog: How can I export local Group Policy settings made in gpedit.msc?
2. XCOPY command reference

Site to Site PPTP VPN Tunnel

Hereby I will demonstrate a simplest PPTP site to site VPN tunnel built on Windows 2003 which none of the following are required:

• RADIUS server
• IAS server
• Active Directory
• Internal DNS server
• Internal DHCP server

In short, it is just simply 2 Windows 2003 VPN endpoint. The VPN tunnel has to be initialized by one VPN endpoint (so called “Calling Server”) to another VPN endpoint (so called “Answering Server”).

Such manual is based on a fresh Windows 2003 where Routing and Remote Access Service is started.

Configuring Answering Server:
Start -> Settings -> Control Panel -> Administrative Tools -> Routing and Remote Access:
Right click on the server (eg ‘win12’ left panel) -> click Configure and Enable Routing and Remote Access
Welcome to the Routing and Remote Access Server Setup Wizard Menu: Click Next
Select Secure connection between Two private networks.

Do you want to use demand-dial connections to access remote networks? Select Yes -> click Next

How do you want IP address to be assigned to remote clients? Select From a specified range of address -> click Next

Enter the range of private IP address of Calling Server (eg. 192.168.200.0 – 192.168.200.255) -> Click OK

Completing the Routing and Remote Access Server Setup Wizard:  Click Finish.

Welcome to the Demand Dial Interface Wizard: Click Next.

Create Interface Name (eg. HK_VPNEndpoint, preferable in one word and same as Dial Out username which used to connect with remote server later on) -> click Next

Connection Type: Select Connect using virtual private networking (VPN) -> click Next

VPN type: Select Point to Point Tunneling Protocol (PPTP) -> click Next

Destination Address: Enter Calling Server’s IP address -> click Next

Protocols and Security: Select both Route IP packets on This Interface and Add a user account so a remote router can dial in. -> click Next

Static Routers for Remote Networks: Click Add -> Enter the remote server private IP range
eg.     Destination:         192.168.0.0
Network Mask:    255.255.255.0
Metric:            1
Click OK -> Click Next

Dial In Credentials:
Username is grey out, same as the Interface Name -> Create Password -> Confirm Password -> Click Next
(This username and password are to be used while the calling server dial in)

Dial Out Credentials:
Create UserName, Domain (optional, leave it blank for non-Active Directory environment), Password.
(This username and password are to be used to dial out for 2-way initialized connection, just enter the username for 1-way initialized connection)

Completing the Demand-Dial Interface Wizard -> Click Finish

Configuring Calling Server:
Start -> Settings -> Control Panel -> Administrative Tools -> Routing and Remote Access:
Right click on the server -> click Configure and Enable Routing and Remote Access
Welcome to the Routing and Remote Access Server Setup Wizard Menu: Click Next
Select Secure connection between Two private networks.

Do you want to use demand-dial connections to access remote networks? Select Yes

How do you want IP address to be assigned to remote clients? Select From a specified range of address

Enter the range of private IP address of Calling Server (eg. 10.0.2.0 – 10.0.2.255) -> OK

Completing the Routing and Remote Access Server Setup Wizard -> Click Finish.

Welcome to the Demand Dial Interface Wizard: Click Next.

Create Interface Name (eg. MY_VPNEndpoint, preferable in one word and same as Dial Out username which used to connect with remote server later on) -> click Next

Connection Type: Select Connect using virtual private networking (VPN) -> click Next

VPN type: Select Point to Point Tunneling Protocol (PPTP) -> click Next

Destination Address: Enter Calling Server’s IP address -> click Next

Protocols and Security: Select both Route IP packets on This Interface and Add a user account so a remote router can dial in. -> click Next

Static Routers for Remote Networks: Click Add  Enter the remote private IP range
eg.     Destination:         192.168.200.0
Network Mask:    255.255.255.0
Metric:            1
Click OK -> Click Next

Dial In Credentials:
Username is grey out, same as the Interface Name -> Create Password -> Confirm Password -> Click Next
(This username and password are to be used while the calling server dial in)

Dial Out Credentials:
Create UserName, Domain (optional, leave it blank for non-Active Directory environment), Password.
(This username and password are to be used to dial out for 2-way initialized connection, just enter the username for 1-way initialized connection)

Completing the Demand-Dial Interface Wizard: Click Finish

Establishing connection

Start -> Settings -> Control Panel -> Administrative Tools -> Routing and Remote Access -> Server -> Network Interfaces (left panel): (Right panel) Right click the Demand Dial Interface (eg. HK_VPNEndpoint) -> Click Connect

Static Route setting on other server (both side’s private network)
No Active Directory = No automatic deployment.
Add static route for remote private network to be passed to PPTP server:
route add [remote private IP address] mask [remote network mask] [local VPN server private IP address]
eg: route add 192.168.0.0 mask 255.255.255.0 192.168.200.250 (on answering server’s site)

Reference:

1. Deploying a PPTP-based Site-to-Site VPN Connection
2. Microsoft Site-to-Site VPN

Static route at Windows

At Windows, to add a static route, the syntax is as below:

route add [destination network] mask [destination network mask] [default gateway] -p

Example:
route add 10.0.0.0 mask 255.255.255.0 192.168.1.1 -p

*Without “-p“, the route will be erased upon next reboot.

To see the routing table:

route print

To delete the route:

route delete [network]

Example:

route delete 10.0.0.0

Reference:
Adding static routes to windows
Adding static route
Remove a static IP route