
Sunday, July 15, 2012

Mikrotik IPSec VPN (site to site)

Site to Site IpSec Tunnel
Consider the setup illustrated below.

Two remote office routers are connected to the internet, and the office workstations behind the routers are NATed. Each office has its own local subnet: 10.1.202.0/24 for Office1 and 10.1.101.0/24 for Office2. Both remote offices need a secure tunnel to the local network behind the other router.
IP Connectivity
On both routers ether1 is the WAN port and ether2 connects the workstations. NAT rules are also set to masquerade the local networks.
Office1 router:
/ip address
add address=192.168.90.1/24 interface=ether1
add address=10.1.202.1/24 interface=ether2

/ip route
add gateway=192.168.90.254

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
Office2 router:
/ip address
add address=192.168.80.1/24 interface=ether1
add address=10.1.101.1/24 interface=ether2

/ip route
add gateway=192.168.80.254

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
IpSec Peer's config
The next step is to add the peer configuration. We need to specify the peer's address and port and the pre-shared key; the other parameters are left at their default values. The key "test" below is only a placeholder: the pre-shared key is the only thing authenticating the remote router, so a real tunnel needs a long random key (or certificate authentication) that is the same on both sides.
Office1 router:
/ip ipsec peer
add address=192.168.80.1/32:500 auth-method=pre-shared-key secret="test"
Office2 router:
/ip ipsec peer
add address=192.168.90.1/32:500 auth-method=pre-shared-key secret="test"
Policy and proposal
It is important that the proposed authentication and encryption algorithms match on both routers. In this example we use the predefined "default" proposal. Note that on this RouterOS version it is SHA-1, 3DES and a 1024-bit MODP PFS group, which are weak by current standards; on a production tunnel change the proposal (identically on both routers) to AES-256 and SHA-256 with a 2048-bit or larger PFS group, and do the same for the phase 1 settings on the peer.
[admin@MikroTik] /ip ipsec proposal> print
Flags: X - disabled
0  name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
    pfs-group=modp1024
As we already have a proposal, the next step is a correct IPsec policy. We want to encrypt traffic coming from 10.1.202.0/24 to 10.1.101.0/24 and vice versa.
Office1 router:
/ip ipsec policy
add src-address=10.1.202.0/24:any dst-address=10.1.101.0/24:any \
sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 \
tunnel=yes action=encrypt proposal=default
Office2 router:
/ip ipsec policy
add src-address=10.1.101.0/24:any dst-address=10.1.202.0/24:any \
sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 \
tunnel=yes action=encrypt proposal=default
Note that we configured tunnel mode instead of transport mode, as this is site-to-site encryption between two networks rather than between two hosts.
NAT Bypass
At this point, if you try to use the tunnel it will not work: packets are rejected. This is because both routers have masquerade rules, and srcnat rewrites the source address before the IPsec policy is evaluated. A packet from 10.1.202.0/24 leaves with source 192.168.90.1, no longer matches the 10.1.202.0/24 to 10.1.101.0/24 selector, and is not protected by the policy; the remote router drops it because the addresses do not match what its policy expects.
To fix this we need a NAT bypass rule that accepts (and therefore does not masquerade) traffic between the two LANs.
Office1 router:
/ip firewall nat
add chain=srcnat action=accept  place-before=0 \
src-address=10.1.202.0/24 dst-address=10.1.101.0/24
Office2 router:
/ip firewall nat
add chain=srcnat action=accept  place-before=0 \
src-address=10.1.101.0/24 dst-address=10.1.202.0/24
It is very important that the bypass rule is placed above all other srcnat rules. The first matching NAT rule wins, so if the masquerade rule is evaluated first the LAN-to-LAN traffic silently leaves unencrypted. Check the order with /ip firewall nat print.
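Because the two routers' policies must mirror each other exactly (src/dst selectors and sa-src/sa-dst swapped) and the bypass rule must come first, it is easy to get one side wrong by hand. The script below is an added example, not part of the original post: it emits the RouterOS commands for both sides from one parameter set, with a random pre-shared key instead of "test" and a stronger proposal than the 3DES/SHA-1 default. It assumes RouterOS v6 syntax before 6.43 (a single /ip ipsec peer entry, as on the page), a fresh NAT table on each router, and a version that accepts aes-256-cbc, sha256 and modp2048.

```shell
#!/bin/sh
# Added example, not from the original post: generate the RouterOS commands for
# BOTH sides of the site-to-site tunnel from one parameter set, so the policy
# selectors and SA addresses are mirrored exactly and the NAT bypass rule always
# lands above the masquerade rule. Assumptions: RouterOS v6 (pre-6.43) syntax,
# an empty NAT table on each router, and support for aes-256-cbc/sha256/modp2048.

# gen_side LOCAL_WAN REMOTE_WAN LOCAL_LAN REMOTE_LAN PSK  -> RouterOS script on stdout
gen_side() {
    lwan=$1; rwan=$2; llan=$3; rlan=$4; psk=$5
    cat <<EOF
/ip firewall nat
# bypass first: srcnat runs before the IPsec policy lookup, so masqueraded
# packets would no longer match the $llan -> $rlan selector
add chain=srcnat action=accept src-address=$llan dst-address=$rlan
add chain=srcnat out-interface=ether1 action=masquerade
/ip ipsec proposal
set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m
/ip ipsec peer
add address=$rwan/32:500 auth-method=pre-shared-key secret="$psk" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec policy
add src-address=$llan:any dst-address=$rlan:any sa-src-address=$lwan sa-dst-address=$rwan tunnel=yes action=encrypt proposal=default
EOF
}

# Read a generated script on stdin; succeed only if the accept (bypass) rule
# precedes the masquerade rule.
nat_order_ok() {
    awk '/^add chain=srcnat action=accept/ { a = NR } /action=masquerade/ { m = NR }
         END { exit !(a && m && a < m) }'
}

# One random 256-bit PSK (hex) shared by both sides instead of the placeholder "test".
PSK=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')

echo "# ---- paste on Office1 ----"
gen_side 192.168.90.1 192.168.80.1 10.1.202.0/24 10.1.101.0/24 "$PSK"
echo "# ---- paste on Office2 ----"
gen_side 192.168.80.1 192.168.90.1 10.1.101.0/24 10.1.202.0/24 "$PSK"
```

After pasting each side, confirm the rule order with /ip firewall nat print, that phase 1 came up with /ip ipsec remote-peers print (called active-peers in RouterOS v7), and that SAs were installed with /ip ipsec installed-sa print; then ping a host in the other LAN from a workstation, not from the router itself, since router-originated traffic does not match the LAN selectors.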

Unhide the Administrator Account in Windows XP

In every installation of Windows XP there is a built-in default administrator account named Administrator, equivalent to the superuser or root account on a Unix system. However, once you have set up another user account, the Administrator account is hidden from the Welcome screen and from User Accounts in Control Panel.

To log on as Administrator you otherwise have to boot Windows into Safe Mode (on XP Professional you can also press Ctrl+Alt+Del twice at the Welcome screen to get the classic logon prompt and type the account name). Alternatively, you can modify the registry so that the Administrator account is shown on the Welcome screen for you to select, in Control Panel's User Accounts and in the local user lists in Computer Management.

    Launch Registry Editor (regedit).
    Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList.
    Double-click the Administrator value in the right pane.
    If the Administrator value does not exist, right-click in the right pane, choose New, DWORD Value, name it Administrator and press Enter.
    Type 1 in the "Value data" box and press Enter.

Note: To launch User Accounts in Control Panel, go to Control Panel -> User Accounts, or click Start -> Run, type control userpasswords and press Enter.

Once you unhide the Administrator account you can change its picture, assign it a password or change the password, and on the next boot it will be visible on the Welcome screen along with the computer's other accounts. Give it a strong password: it is a fully privileged account whether or not it is shown. Note also that the same UserList key hides an account when its value is 0, which is a common way to keep a backdoor account off the Welcome screen, so any value there that you did not create deserves a look.

Windows 7/XP/WLAN laptop as an access point

Just download the Connectify software and configure it as a DHCP server and wireless access point. When you set up the hotspot, choose WPA2 with a strong passphrase: an open hotspot gives anyone in radio range a path onto the laptop and onto whatever network it is connected to.

http://www.connectify.me/

http://download.cnet.com/Connectify/3000-18508_4-75024171.html?part=dl-10061477&subj=dl&tag=button


Just download and install the software.

Saturday, July 14, 2012

Basic Security Tips for Linux
By Tayab Khan

-----------------------------------------------------------------------
In the present world security is one of the main issues for every system, and there are different ways to secure one. Here we will look at some basic security settings for a Linux system.
1)    Physical Access Protection: - Physical access protection means protecting the system from an attacker who has physical access to it. We can take the following steps:
i)    BIOS password restriction: - Set a password in the BIOS (Basic Input Output System) to protect the system from unauthorized changes to the BIOS settings, in particular the boot order. The BIOS password matters because it is the first control during system startup; without it an attacker can boot from removable media and read or change any file on the disk.
ii)    Boot loader password protection / authentication in single user mode: - The boot loader starts execution of the kernel. Set a password on the GRUB boot loader configuration to prevent users from editing the boot parameters; this forces GRUB to ask for a password before any changes are made at boot time or single user mode is entered, which would otherwise give a root shell without a password.
iii)    Configure automatic logout after a period of inactivity for shell logins (for example by setting and exporting TMOUT in /etc/profile and marking it readonly so users cannot unset it).
iv)    Screen lock for GUI users: - The Graphical User Interface (GUI) screen can be locked to increase system security. On a Linux system with the GNOME desktop the screen is locked by choosing 'Lock Screen' from the System menu; configure the screensaver to lock automatically after a short idle period as well.
v)    Enable SELinux for better security: - Security-Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for supporting access control security policies, including U.S. Department of Defense style mandatory access controls, through the Linux Security Modules (LSM) framework in the kernel. SELinux can be used to contain misconfigured or compromised programs. The SELinux policy is the set of rules that guides the SELinux security engine: it defines types for file objects and domains for processes, uses roles to limit the domains that can be entered, and has user identities to specify the roles that can be attained. In short, SELinux enforces the idea that programs should be limited in which files they can access and which actions they can take, so a compromised service cannot reach beyond what its policy allows.
2)    Security for Network Configuration:-
i)    Configure the firewall with iptables: - A firewall is the part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. Configure iptables to allow only the services and ports that are needed and to block everything else; on Red Hat style systems the rules are kept in /etc/sysconfig/iptables. We can additionally restrict which client hosts may reach specific services by editing /etc/hosts.allow and /etc/hosts.deny (TCP Wrappers, for services that support it). This part deserves real care, because a properly configured firewall is one of the most important parts of system security.
ii)    Configure syslogd and monitor all important syslogs for system security: - Syslogd is a very important monitoring tool and also the standard for forwarding log messages over an Internet Protocol (IP) network, used by practically every Linux system. Each message carries a facility (auth, authpriv, daemon, cron, ftp, lpr, kern, mail, news, syslog, user, uucp, local0 ... local7) and a priority level (Emergency, Alert, Critical, Error, Warning, Notice, Info or Debug) assigned by the sender. We can easily configure syslog.conf to route the system's error messages, mail messages and the various service messages to files (and ideally to a remote log host, so an intruder who gets root cannot erase the evidence), which helps identify problems quickly and take the necessary steps for system security.

iii)    SSH and Telnet restriction for a secured network:- SSH and Telnet are very helpful for remote login to a Linux system, but we have to make sure the services are configured in a secure way. Telnet sends passwords and sessions in cleartext, so disable it entirely and use SSH; if remote login is not needed at all, stop SSH as well, otherwise restrict it strictly in /etc/ssh/sshd_config. We can limit which users may log in over SSH (AllowUsers), disable root login via SSH (PermitRootLogin no), prefer key-based authentication, and change the default SSH port (22). Note that changing the port mainly cuts down on automated scanning noise; it is not a substitute for the other restrictions. Remember that sshd uses the first occurrence of each keyword in the file, so a hardened line appended at the end is ignored if an earlier line already sets it.

iv)    Secure configuration of network devices and servers:- Network devices running in our environment must have a secured configuration. Servers that we run, such as DNS, Samba, SNMP, web, FTP, NFS etc., have to be configured in a secure way. Linux servers must be configured properly for strong network security, and we also have to ensure that their applications and services are configured securely (for example, no default SNMP community strings and no anonymous or world-writable FTP and NFS exports).
3)    Restrict accounts and access control:- To increase system security we must restrict all user accounts and control the access of individual users. The following steps are very important for this type of security:-
i)    Configure the sudoers file and limit su access (for example to members of the wheel group).
ii)    Set password expiration for the accounts (PASS_MAX_DAYS in /etc/login.defs for new accounts, chage for existing ones).
iii)    Verify the permissions on /etc/passwd, /etc/shadow and /etc/group; shadow in particular must not be world-readable.
iv)    Check the permissions of important directories and files.
v)    Ensure that no accounts have empty password fields.
Finally
Various tools exist that can be used effectively to improve a system's security and to detect unknown attacks. At a minimum we can use iptables for host-based firewalling, SELinux for protection against misconfigured programs, and logging (such as syslogd) to detect problems on our Linux system.
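Several of the checks above (sshd restrictions, empty password fields, password expiry, shadow permissions, shell auto-logout) are easy to automate. The script below is an added example, not part of the original post: each check is a function that takes a file path, so it runs here against constructed sample files (not real configs) and, pointed at /etc/ssh/sshd_config, /etc/shadow, /etc/login.defs and your profile snippet, against a real host. It assumes a POSIX shell, awk, and GNU coreutils stat (with a BSD stat fallback).

```shell
#!/bin/sh
# Added audit example (not from the original post). Every function takes a file
# path, so it runs against the constructed samples built below or the real /etc
# files on a host. Assumes POSIX sh, awk, and GNU or BSD stat.

# Effective value of an sshd_config keyword: sshd uses the FIRST occurrence of a
# keyword, so a hardened line appended at the end is ignored if an earlier line
# already sets it. Comment lines are skipped; keywords are case-insensitive.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one line per finding for the sshd rules the post recommends; always returns 0.
audit_sshd() {
    f="$1"
    [ "$(sshd_setting "$f" PermitRootLogin)" = "no" ] || echo "sshd: PermitRootLogin is not 'no'"
    [ -n "$(sshd_setting "$f" AllowUsers)" ]           || echo "sshd: no AllowUsers restriction"
    port=$(sshd_setting "$f" Port)
    [ -n "$port" ] && [ "$port" != "22" ]              || echo "sshd: listening on default port 22"
    return 0
}

# Accounts whose password field in a shadow-format file is empty (no password at
# all). Locked accounts ('!' or '*') are not empty and are fine.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# PASS_MAX_DAYS from login.defs; 99999 (the default) means passwords never expire.
pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { print $2; exit }' "$1"
}

# Octal mode of a file, to compare against 644 (passwd, group) and 640 or 000 (shadow).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Shell auto-logout: the profile snippet must set TMOUT AND make it readonly,
# otherwise any user can simply unset it. Succeeds only if both are present.
tmout_ok() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?TMOUT=[0-9]+' "$1" &&
    grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' "$1"
}

# Constructed sample files (not real configs) so the script runs offline.
make_samples() {
    d=$(mktemp -d)
    printf '# PermitRootLogin yes\nPort 22\nPermitRootLogin yes\n' > "$d/sshd_config.weak"
    printf 'Port 2222\nPermitRootLogin no\nAllowUsers ops admin\nPasswordAuthentication no\n' > "$d/sshd_config.hard"
    printf 'root:$6$salt$hash:15500:0:99999:7:::\nguest::15500:0:99999:7:::\nbin:*:15500:0:99999:7:::\n' > "$d/shadow"
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n' > "$d/login.defs"
    printf 'TMOUT=600\nreadonly TMOUT\nexport TMOUT\n' > "$d/autologout.sh"
    chmod 640 "$d/shadow"
    echo "$d"
}

dir=$(make_samples)
trap 'rm -rf "$dir"' EXIT
echo "== weak sshd_config ==";     audit_sshd "$dir/sshd_config.weak"
echo "== hardened sshd_config =="; audit_sshd "$dir/sshd_config.hard"
echo "empty-password accounts: $(empty_password_accounts "$dir/shadow")"
echo "PASS_MAX_DAYS: $(pass_max_days "$dir/login.defs")"
echo "shadow mode: $(file_mode "$dir/shadow")"
tmout_ok "$dir/autologout.sh" && echo "TMOUT set and readonly"
```

On a real host run the same functions as root against /etc/ssh/sshd_config, /etc/shadow, /etc/login.defs and the profile snippet that sets TMOUT; the weak sample deliberately shows the first-occurrence trap, where the commented line is ignored but the later "PermitRootLogin yes" is what sshd actually uses.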

Cisco and Huawei Port Level Bandwidth Control

 CISCO
===========

We will limit switch port FastEthernet 0/9 to about 1 Mbit/s of unicast traffic (storm-control rates are given in bits per second). Note that storm-control is a suppression threshold, not shaping: the port drops traffic of that type above the configured level until it falls back under it. The lower broadcast and multicast thresholds also protect the rest of the VLAN from a looping or misbehaving client behind this port.

switch_5#configure terminal
switch_5(config)#interface fastEthernet 0/9
switch_5(config-if)#storm-control broadcast level bps 256k
switch_5(config-if)#storm-control multicast level bps 256k
switch_5(config-if)#storm-control unicast level bps 1.024m

 Huawei
==========

[SW-2]interface Ethernet1/0/24
 broadcast-suppression 10
 port access vlan 24
 loopback-detection enable
 description Client-Name
 line-rate inbound 2944
 line-rate outbound 2944
For Huawei the line-rate value is in kbit/s and should be a multiple of 64 (2944 = 46 x 64); broadcast-suppression 10 limits broadcast traffic to 10% of the port bandwidth.


Tayab Khan's Personal Profile

Tayab Khan

Sr. System and Network Consultant 

(MCP,CCNA,CCNP,CCNSP,JNCIA,JNCIS-SEC,Msc in CSE)


9+ years' experience in systems and networking. Expert in routing, switching and security. All types of network and corporate network; system servers: MAIL, DNS, PROXY, WEB, SMS, SYSLOG, BWMGR, VPN, FTP, SS7, RADIUS, VMWARE; and IT-related LAN, MAN and WAN administrative support and maintenance work. Highly expert in Unix and all types of application server management, monitoring and backup. Expert in CISCO, Huawei, Linksys, Airlive and Juniper devices. My regular cell no +8801914035805


Tayab Khan, System, Network and Training Manager at Daffodil Online Ltd, completed a BSc in Computer Science and Engineering (CSE) and an MS in Computer Science at Jahangirnagar University. His previous positions include Sr. System and Network Administrator at Grameen CyberNet and Information Services Network Ltd. During that time he worked on various system and network solutions for the Bangladesh Army at Army Headquarters, the Bangladesh Air Force, the Bangladesh Police at Police Headquarters, DB and SB, various embassies and other well-known organizations.

Mr. Khan is strong in system security, backup, routing, switching and technical solutions with vendors such as CISCO, Huawei, Juniper, Mikrotik and Linux. Mr. Khan has completed Cisco certifications (CCNA, CCNP), Juniper certifications (JNCIA-JunOS and Juniper Networks Certified Security Specialist, JNCIS-SEC), the Microsoft MCP certification, the UTM and firewall certification CCNSP (Cyberoam Certified Network & Security Professional) from Cyberoam, a certification from the Ministry of Youth & Sports, and advanced-level certifications in Linux and Mikrotik. Mr. Khan is a member of the Bangladesh Computer Society and of ISOC (Internet Society), Bangladesh Dhaka Chapter.