Wednesday, 23 April 2008

Cisco Privilege levels

Cisco IOS provides for 16 different privilege levels ranging from 0 to 15.

The Cisco IOS comes with 2 predefined user levels.
User EXEC mode runs at privilege level 1 and “enabled” mode (privileged EXEC mode) runs at level 15.

Every IOS command is pre-assigned to either level 1 or level 15. If the router is configured with aaa new-model, then AAA can be used for user authorization, and I recommend you do this.

By default Cisco provides EXEC (level 1) with a few commands which may, in terms of security, make more sense being at a higher privilege level. The next example shows how to move the commands to the privileged mode, which in most configurations should be protected better.

(config)#privilege exec level 15 connect
(config)#privilege exec level 15 telnet
(config)#privilege exec level 15 rlogin
(config)#privilege exec level 15 show ip access-lists
(config)#privilege exec level 15 show access-lists
(config)#privilege exec level 15 show logging
(config)#privilege exec level 1 show ip

The last line is required to move the show command back down to level 1. Remember this is just an example, and really you should not move commands down to user level unless there is no other choice.

For a real world example, a site might want to set up more than the two levels of administrative access on their routers.
This could be done by assigning a password to an intermediate level, like 5 or 10, and then assigning particular commands to that privilege level.

Deciding which commands to assign to an intermediate privilege level is really up to your security policy and depends on the type of functions you want to allow a site administrator to perform. Also look to the version of IOS for the current command list.

Note: I said site administrator not domain administrator as you might have a remote site that you need a site administrator to check things on the router in the event of the link to the site being down.

However, if an attempt was made to do something like this there are a few things to be very careful about.

First, do not use the username command to set up accounts above level 1; use the enable secret command to set a level password instead. We'll come onto that in a moment.

Second, be very careful about moving too much access down from level 15; this could cause unexpected security holes in the system.
Third, be very careful about moving any part of the configure command down; once a user has write access they could leverage this to take control of the router.


There are two password protection schemes in Cisco IOS. Type 7 uses the Cisco-defined encryption algorithm which is known to the commercial security community to be weak. Type 5 uses an MD5 hash which is much stronger.

Cisco recommends that Type 5 encryption be used instead of Type 7 where possible.
Type 7 encryption is used by the enable password, username, and line password commands.

To protect the privileged EXEC level as much as possible, do not use the enable password command, only use the enable secret command.

Even if the enable secret is set, do not set the enable password; it will not be used and may give away a system password.

(config)#enable secret 2-mAny-pAssw0rDs
(config)#no enable password

Because it is not possible to use Type 5 encryption on the default EXEC login or the username command, no user account should be created above privilege level 1. But user accounts should be created for auditing purposes.

So the username command should be used to create individual user accounts at the EXEC level, and then the higher privilege levels should be protected with enable secret passwords. But I do not like this; I would recommend you use the authenticate, authorize, and audit users (AAA) security model if you have user accounts accessing privilege level 1.

Good security practice dictates some other rules for passwords.
The privileged EXEC secret password should not match any other user password or any other enable secret password.

Enable service password-encryption; this will keep passers-by from reading your passwords when they are displayed on your screen.

Be aware that there are some secret values that service password-encryption does not protect.

Never set any of these secret values to the same string as any other password.

Avoid dictionary words, names, or dates. Always include at least one of each of the following: lowercase letters, uppercase letters, digits, and special characters.

Make all passwords at least eight characters long. Avoid more than 4 digits or same-case letters in a row.

Do not create any user accounts without passwords!!! If you do, you should be shot, as you know that only bad things can happen.

Note: enable secret and username passwords may be up to 25 characters long including spaces.
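The command and password rules above can be checked mechanically. The following is an added example, not part of the original post: a Python audit that flags enable password, username accounts above level 1 and accounts without a password, and tests candidate passwords against the length, character-class and run rules. The sample configuration and its placeholder hash fields are constructed, and the dictionary-word rule is not checked.

```python
import re

# Constructed sample configuration; the hash fields are placeholders, not real values.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 <md5-hash-placeholder>
enable password 7 <type7-placeholder>
username jsmith password 7 <type7-placeholder>
username siteadmin privilege 10 password 7 <type7-placeholder>
username temp nopassword
"""

CLASSES = (("lowercase letter", r"[a-z]"), ("uppercase letter", r"[A-Z]"),
           ("digit", r"[0-9]"), ("special character", r"[^A-Za-z0-9]"))


def password_findings(password):
    """Return the password rules from the post that a candidate string breaks."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if len(password) > 25:
        findings.append("longer than 25 characters")
    for label, pattern in CLASSES:
        if not re.search(pattern, password):
            findings.append("no " + label)
    # "More than 4 in a row" means a run of five or more of the same class.
    if re.search(r"[0-9]{5,}|[a-z]{5,}|[A-Z]{5,}", password):
        findings.append("more than 4 digits or same-case letters in a row")
    return findings


def audit_config(text):
    """Return (line_number, finding) pairs; line 0 marks a missing global command."""
    findings = []
    encryption_on = False
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "service password-encryption":
            encryption_on = True
        elif line.startswith("enable password"):
            findings.append((number, "enable password is set; use enable secret only"))
        elif line.startswith("username "):
            options = line.split()[2:]          # everything after the account name
            level = re.search(r"\bprivilege (\d+)\b", " ".join(options))
            if level and int(level.group(1)) > 1:
                findings.append((number, "username account above privilege level 1"))
            if "nopassword" in options or not {"password", "secret"} & set(options):
                findings.append((number, "user account has no password"))
    if not encryption_on:
        findings.append((0, "service password-encryption is not enabled"))
    return findings


if __name__ == "__main__":
    for number, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {number}: {finding}")
    for candidate in ("2-mAny-pAssw0rDs", "Pass-word!"):
        print(candidate, "->", password_findings(candidate) or "ok")
```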

So if this was all clear then you should have an outline of what you need to do.
I may follow this posting with some step by step guides later.

Sunday, 20 April 2008

Cisco LAN Hardening

As we all know, there are lots of Denial of Service (DoS) attacks, and defending against them, to be honest, has got quite easy from the point of view that we block almost everything from the outside world. But surprisingly we still don't spend much time defending our internal networks, so your network is still prone to internal attack, whether it's deliberate or accidental.

So to that end I'm going to name some common attacks and show how to create some ACLs on your routers and switches to prevent the problem affecting critical systems.

Smurf Attack
The Smurf Attack involves sending a large amount of ICMP Echo packets to a subnet's broadcast address with a spoofed source IP address from that subnet. If a router is positioned to forward broadcast requests to other network devices on the protected network, then the router should be configured to prevent this forwarding from occurring.

The example statements below block all IP traffic from any host to the possible broadcast addresses ( and for the subnet.

access-list 111 deny ip any host log
access-list 111 deny ip any host log

Distributed Denial of Service (DDoS) Attacks
Several high-profile DDoS attacks have been observed on the Internet. While Cisco routers and switches cannot prevent DDoS attacks in general, it is usually sound security practice to discourage the activities of specific DDoS agents (a.k.a. zombies) by adding access list rules that block their particular ports.

[Note that some of these rules may also impose a slight impact on normal users, because they block high-numbered ports that legitimate network clients may randomly select. Therefore, you may choose to apply these rules only when an attack has been detected. Otherwise, these rules would normally be applied to traffic in both directions between an internal or trusted network and an untrusted network. However I run them all the time.]

!the TRINOO DDoS systems
access-list 180 deny tcp any any eq 27665 log
access-list 180 deny udp any any eq 31335 log
access-list 180 deny udp any any eq 27444 log
!the Stacheldraht DDoS system
access-list 180 deny tcp any any eq 16660 log
access-list 180 deny tcp any any eq 65000 log
!the TrinityV3 system
access-list 180 deny tcp any any eq 33270 log
access-list 180 deny tcp any any eq 39168 log
!the Subseven DDoS system and some variants
access-list 180 deny tcp any any range 6711 6712 log
access-list 180 deny tcp any any eq 6776 log
access-list 180 deny tcp any any eq 6669 log
access-list 180 deny tcp any any eq 2222 log
access-list 180 deny tcp any any eq 7000 log
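An added example, not part of the original post, of how the log messages produced by access-list 180 could be triaged in Python: hits are grouped by agent family using the ports listed above. As a heuristic assumed here, a hit whose source port is below 1024 is treated as a reply to a legitimate client that happened to pick a blocked port, which is the side effect the note above describes. The syslog lines are constructed samples.

```python
import re
from collections import Counter

# (protocol, destination port) -> agent family, copied from access-list 180 above.
FAMILY = {("tcp", 27665): "TRINOO", ("udp", 31335): "TRINOO", ("udp", 27444): "TRINOO",
          ("tcp", 16660): "Stacheldraht", ("tcp", 65000): "Stacheldraht",
          ("tcp", 33270): "TrinityV3", ("tcp", 39168): "TrinityV3"}
FAMILY.update({("tcp", port): "Subseven" for port in (6711, 6712, 6776, 6669, 2222, 7000)})

# IOS reports a match on a logged extended ACL entry in this form.
HIT = re.compile(r"%SEC-6-IPACCESSLOGP: list 180 denied (tcp|udp) "
                 r"(\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?")

# Constructed sample syslog lines (private and documentation address ranges).
SAMPLE_LOG = """\
Apr 20 09:14:02: %SEC-6-IPACCESSLOGP: list 180 denied tcp 10.1.4.23(3412) -> 10.1.9.8(27665), 1 packet
Apr 20 09:14:07: %SEC-6-IPACCESSLOGP: list 180 denied udp 10.1.4.23(3413) -> 10.1.9.8(27444), 12 packets
Apr 20 09:20:31: %SEC-6-IPACCESSLOGP: list 180 denied tcp 192.0.2.80(80) -> 10.1.4.51(7000), 3 packets
Apr 20 09:21:40: %SEC-6-IPACCESSLOGP: list 180 denied tcp 10.1.7.5(4120) -> 10.1.9.8(6776), 2 packets
Apr 20 09:22:00: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
"""


def triage(log_text):
    """Split ACL 180 hits into suspected agents and probable client-port collisions."""
    suspects, collisions = Counter(), Counter()
    for line in log_text.splitlines():
        match = HIT.search(line)
        if not match:
            continue                      # not an ACL 180 hit
        proto, src, sport, dst, dport, packets = match.groups()
        family = FAMILY.get((proto, int(dport)))
        if family is None:
            continue                      # port is not one of the listed agent ports
        if int(sport) < 1024:
            # Reply from a well-known service to a client whose random
            # source port happened to equal a blocked port.
            collisions[(dst, int(dport))] += int(packets)
        else:
            suspects[(src, family)] += int(packets)
    return suspects, collisions


if __name__ == "__main__":
    suspects, collisions = triage(SAMPLE_LOG)
    for (host, family), packets in suspects.most_common():
        print(f"investigate {host}: {packets} packet(s) to {family} ports")
    for (host, port), packets in collisions.items():
        print(f"probable false positive: client {host} used port {port} ({packets} packets)")
```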

The Tribe Flood Network (TFN) DDoS system uses ICMP Echo Reply messages, which are problematic to block because they are the heart of the ping program. Follow the directions in the ICMP sub-section, above, to prevent at least one direction of TFN communication.

Configure rate limiting for SYN packets.

access-list 152 permit tcp any host eq www
access-list 153 permit tcp any host eq www established

interface eth0/0
rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop

In the above example, replace:
45000000 with the maximum link bandwidth
1000000 with a value that is between 50% and 30% of the SYN flood rate
burst normal and burst max rates with accurate values
To work out what the max value is you will need to do a show interface and see what the max value is for that interface.

To give you an idea of how it looks here is a 30Mb connection dropping ICMP packets

interface eth0/1
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop

access-list 2020 permit icmp any any echo-reply

So now you might have some ideas about how to defend your network on the inside. This won't stop the problems 100%, but it will give you time to react and logs to look at so you can tighten up your network.

Thursday, 17 April 2008

Configuring Basic NTP Service

NTP, or Network Time Protocol, is designed for two reasons really: to keep your network all running on the same time so that programs such as email have the correct dates and, more importantly, so that the logging and encryption on your network are accurate. Without it you have no security or way of telling the true time something happened for establishing a timeline of events. So today we'll look at the Windows model for this.

It's quite simple really, in as much as you have a triangle hierarchy.

Ideally you should use something like or as your time keeping, as you'll need a service that syncs with the atomic clock. It's a simple process to set the time server in your domain: from the root server or Primary Domain Controller, go to a command prompt and enter the following string as an example.

net time /setsntp:""

However, remember that this server must be able to use NTP ports to the external time server; the standard port for this is UDP 123 for both NTP and SNTP.

Now your domain controllers and workstations should sync with the time on the PDC. However, if the times on the firewall and routers are not the same as your domain, then the logs from them are not of much use, so next I'll show you how to do that.

To set up a Cisco router to participate in an NTP network, simply designate one or more NTP servers.

There are two steps to configuring a Cisco router to be a simple NTP client: first, set the NTP source interface; second, designate one or more NTP servers. The NTP source interface is the network connection from which the NTP control messages will be sent. Use the network interface on the same network as the designated server (in 90 percent of cases this is your LAN interface), or the one that is the fewest number of network hops distant from the servers.

To add an NTP server use the ntp server command with the source qualifier. The example below shows how to configure the router to use as its NTP server; however, if you enable ip domain-lookup and set some DNS servers then you can use an FQDN too.

(config)#ip domain-lookup
(config)#ip name-server
(config)#ip name-server
(config)#interface eth0/0
(config-if)#no ntp disable
(config)#ntp server source eth0/0
(config)#ntp server source eth0/0

One final note is that your domain will have to sync all the PCs; in a large domain this can take up to 24 hours, and by large I mean 600 and more servers with global sites.

Now you should have all your workstations, servers and routers with the same time.

Monday, 14 April 2008

New Service or Virus?

New viruses are everywhere, but this is one I came across the other day. I love viruses, they are like little puzzles sometimes. Anyway, here is what I did.

Service name dkancz
Display name dkancz
Description Microsoft .NET Framework TPM
Path to executable
C:\WINDOWS\system32\SvChOsT.EXE -k dkancz

If you explore the registry you will find that not only does this start as a service but it also has in its parameters a DLL named bnglxz.dll. To remove this I changed the name of the file to prevent it executing again, in this case to .dllx, an extension that can’t be run, and then removed the service from the current control set,

i.e. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
and find the service dkancz and delete it

After you've deleted this key and rebooted, check if the service has come back. If it doesn't, then you have removed it from starting up; however, you need to look deeper as to how it got there.

Sophos has now identified the virus as Mal/PcClient-A

Saturday, 12 April 2008

Boost Performance of Cisco Routers

Making your routers more secure and speeding them up can sometimes be the same thing: reducing the load on the processor by disabling services you’re not using also prevents these services from being a security risk to you later. Simple services like the ones below are often not used and can be disabled.

no cdp run
no ip source-route
no ip classless
no service tcp-small-serv
no service udp-small-serv
no ip finger
no service finger
no ip bootp server
no ip http server
no ip name-server
no boot network
no service config

Equally, interfaces have services that might not be needed as well. These changes might not make much of an impact on a small amount of traffic, but when your line is highly loaded every millisecond counts.

interface eth0/0
description Outside interface to net
no ip proxy-arp
no ip directed-broadcast
no ip unreachable
no ip redirect
ntp disable

Improvements can also be made to your access lists. Some Cisco router models support compiled access control lists, called “turbo ACLs”, in IOS 12.1(6) and later. Using compiled access control lists can greatly reduce the performance impact of long lists.

To enable turbo access lists on a router, use the configuration mode command access-list compiled. (If your IOS does not support compiled access lists, the command will generate an error.) Once this facility is enabled, IOS will automatically compile all suitable access lists into fast lookup tables, while preserving their matching semantics.

Once you have enabled turbo access lists, you can view statistics about them using the command show access-list compiled. If you apply access lists with more than 5 rules to any high-speed interfaces, then you should employ this feature to improve performance.

Cisco FTP deployment

Loading a startup-config file from FTP is more secure than TFTP and RCP, as these do not protect the configuration file by requiring a username and password to read the file, so anyone can read the file and this poses a security risk.

So here is how to overcome that using FTP. First you will need to set up the username and password for the device to use, e.g. john-smith and a password of Pass-word! Remember this is just an example; I use far more complex usernames and passwords in my environments.

Central#config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)#ip ftp username john-smith
Central(config)#ip ftp password Pass-word!

The next bit I'd just like to clarify: you can use either the copy or the erase, that's why I have both there, but really you can only use one at a time.

Central#copy/erase ftp:startup-config
Address or name of remote host[]?
Source filename[]? /cisco/central/startup-config
Destination filename[startup-config]?
Accessing ftp: //
Erasing the nvram file system will remove all files! Continue?[confirm]
Erase of nvram:complete
Loading/cisco/central/startup-config !
central-startup-config !
5516 bytes copied in 4.364 secs

You can now issue the show startup-config command to see if the configuration you expect to see is there.

The FTP site you use to deploy the config file is best protected not just with a username and password but also supplemented with IP security, so that connections are only accepted from the IP addresses of network devices you hold config files for.

Simple Network Management Protocol

SNMP is a great way to manage your network, but it has some security risks if not set up correctly. An example of this is what I found the other day: I was talking to a systems administrator and asked the standard questions, like what management protocols do you run, and he replied "SNMP, and we don't let it pass beyond the firewall to the public internet, so it's secure."

My eyebrow raised as I asked: this leaves the question, what stops anyone reading the SNMP information from the LAN? Like most people he'd overlooked the people in the company as being a threat. I then proceeded to show him how much information I can collect from SNMP about his network.

On every SNMP-enabled network you should have defined hosts for management. If these are not defined then you might as well give a network diagram to everyone, as it makes it that easy to identify your network layout and therefore use a more targeted attack.

Now on a Cisco you can configure SNMP quite easily, and here is an example.

access-list 75 remark applies to hosts allowed to gather SNMP info from this router
access-list 75 permit host
access-list 75 permit host

snmp-server community n3t-manag3m3nt ro 75

Personally I would use version 3 of SNMP if you are monitoring just Cisco devices. However, in a mixed environment where you are monitoring both network hardware and network devices such as printers, servers and desktops, you may have no choice but to run version 2. This uses the community string to identify, so make your string something special and hard for anyone to guess. Don't use the public and private strings, as they are for the test lab only (don’t use them on a live network).

In Windows, SNMP runs as a service, so you have to configure the service, as the SNMP agent options are under the service. The option you are looking for is Only Accept SNMP Packets from These Hosts. Selecting this option provides limited security. When the option is enabled, only SNMP packets received from the hosts on a list of acceptable hosts are accepted. The SNMP agent rejects messages from other hosts and sends an authentication trap.

It gives you the same basic function as access list 75 on the Cisco, and the number doesn't have to be 75; that just happened to be the first number in my head today.
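To check a router configuration against the Cisco SNMP advice above, the following added example (not part of the original post) reads the snmp-server community lines in Python and reports default strings, read-write access, and communities that are not restricted to defined management hosts. The sample configuration, including the 192.0.2.10 management host and the extra communities, is constructed.

```python
import re

# Constructed sample configuration; 192.0.2.10 is a documentation address.
SAMPLE_CONFIG = """\
access-list 75 remark applies to hosts allowed to gather SNMP info from this router
access-list 75 permit host 192.0.2.10
access-list 76 permit any
snmp-server community n3t-manag3m3nt ro 75
snmp-server community public ro
snmp-server community private rw 76
snmp-server community lab-string ro 77
"""

DEFAULT_STRINGS = {"public", "private"}


def audit_snmp(text):
    """Map each community string to the problems found with its definition."""
    acls = {}            # ACL number or name -> list of (action, match words)
    communities = []     # (community string, remaining options)
    for raw in text.splitlines():
        words = raw.split()
        if words[:1] == ["access-list"] and len(words) >= 4 and words[2] in ("permit", "deny"):
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[:2] == ["snmp-server", "community"] and len(words) >= 3:
            communities.append((words[2], words[3:]))

    report = {}
    for string, options in communities:
        problems = []
        if "view" in options:                       # drop "view <name>"
            at = options.index("view")
            options = options[:at] + options[at + 2:]
        if string.lower() in DEFAULT_STRINGS:
            problems.append("default community string")
        if "rw" in [opt.lower() for opt in options]:
            problems.append("read-write access")
        acl = [opt for opt in options if opt.lower() not in ("ro", "rw")]
        if not acl:
            problems.append("no access list: any host that knows the string may query")
        elif acl[0] not in acls:
            problems.append(f"access list {acl[0]} is not defined in this config")
        elif any(action == "permit" and match[0] == "any" for action, match in acls[acl[0]]):
            problems.append(f"access list {acl[0]} permits any host")
        report[string] = problems
    return report


if __name__ == "__main__":
    for community, problems in audit_snmp(SAMPLE_CONFIG).items():
        print(community, "->", "; ".join(problems) or "ok")
```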

Thursday, 3 April 2008

Kill SQL Deadlock

Deadlocks: strangely I’m not talking about management meetings, I’m talking about SQL (Structured Query Language). So here is the deal: just like when two managers cannot agree on something, it can become necessary to stop one so that things can continue normally.

If you're unlucky enough not to have any monitoring software you might not even know one has happened until one of two things occurs: one, a lovely blue screen happens to your SQL server, or two, you have high CPU load.

Most common is the high CPU load; this at least lets you find out what happened without having to check debug logs, and I’m sure I’ll get around to them in another posting.

If your SQL server is still alive you’ll be able to get some more explanation as to what is going on by using Query Analyzer. If you have many instances on your server you will have to run the following commands on each server till you find the problem instance.

So the command you want to run in the instance is sp_who2.

This will give a list of processes, and what you are looking for is the BlkBy column: if you see a number there then that is the process id that is locked. Now you can find out more about what it was doing by running an inputbuffer command. For the moment we’ll pretend that my locked process is 57; then I can see what it was doing by typing:

dbcc inputbuffer (57)

This information is only really good to developers for debugging, so you might not even be interested in it. What most likely is of interest to you is how to kill it; this can be done by using the kill command, simple really.

kill 57

Now after that kill command has run, check the server with sp_who2 again, as there might have been more than one deadlock. Once you're happy you’ve resolved your deadlocks you should find your server goes back to normal.

Well that’s your tip for the day.

Failure in loading assembly

The other day in a meeting someone asked “Is cynicism really necessary?” I could not help myself but reply with “It’s as necessary to me as your skepticism is to you” while writing down in my notebook: recommendation one, downsize the unbeliever.

Anyway moving on to my article of the day…

You see the following error reappear in the Windows event log with regular intervals:

Event Type: Error
Event Source: Windows SharePoint Services 2.0
Event Category: Devices
Event ID: 1000
Date: 17/08/2005
Time: 14.05.10
User: N/A
Computer: XXXXXXX
Error: Failure in loading assembly:
xxxxxxxxxxxxxxxxxxxxxxxxxx,, Culture=neutral, PublicKeyToken=xxxxxxxxxxxxx

Then you have one of two things: either (1) you’ve removed a web part and the entry remains in your web.config file or (2) you’ve changed version and the old entry is still in your web.config. Either way, don’t panic.

First of all, it's not a problem unless this error is causing your worker process to crash and taking down the IIS server with it.

The second thing is that, like all good administrators, you're going to create a backup before you start, aren’t you… this is the bit where you say yes and nod your head.

OK, the process is quite easy really: you copy your web.config file somewhere (it can even be in the same directory); this will be your way out if you make mistakes.

Now open the original web.config file with Notepad and find the entries that correspond to your error. As an example of this, let's say your error message is

Event Type: Error
Event Source: Windows SharePoint Services 2.0
Event Category: Devices
Event ID: 1000
Date: 17/08/2005
Time: 14.05.10
User: N/A
Computer: XXXXXXX
Error: Failure in loading assembly:
ButterFly.Systems.SharePoint, Version=, Culture=neutral, PublicKeyToken=a8c2b621921b493b

So in your web.config file you should find an entry with the same version number, name and/or public key token. Based on the error above I should find a line in my web.config file like the one below; just delete this and save the file. BE SURE NOT TO DELETE OTHER LINES as you may stop other things working and have to restore from the backup file.

<SafeControl Assembly="ButterFly.Systems.SharePoint, Version=, Culture=neutral, PublicKeyToken=a8c2b621921b493b" Namespace="ButterFly.Systems.SharePoint.WebControls" TypeName="*" Safe="True" />

Once you’ve safely removed the entries and saved the file, just reset IIS. If all went well your sites are still running, you should see no more errors in the application log, and you can safely remove your backup.

If all did not go well, stop IIS, restore your backup, then restart IIS and try again.

See simple really. :-)
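The backup, find, delete and save steps above can be scripted so that only the matching entry is touched. This is an added example, not part of the original post: a Python function that copies web.config to a .bak file, removes the SafeControl entries whose assembly name and public key token match the event log error, and refuses to write if the result is no longer well-formed XML. The sample file content, its version numbers and the second entry are constructed.

```python
import re
import shutil
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment; version numbers and the second entry are invented.
SAMPLE = """<configuration>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="ButterFly.Systems.SharePoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=a8c2b621921b493b" Namespace="ButterFly.Systems.SharePoint.WebControls" TypeName="*" Safe="True" />
      <SafeControl Assembly="Other.WebParts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef" Namespace="Other.WebParts" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
</configuration>
"""

# One self-closing SafeControl element plus the whitespace and newline around it.
SAFE_CONTROL = re.compile(r"[ \t]*<SafeControl\b[^>]*/>[ \t]*\r?\n?")
ASSEMBLY = re.compile(r'\bAssembly\s*=\s*"([^"]*)"')


def same_assembly(attribute, name, token):
    """Compare an Assembly="..." value with the name and token from the event log."""
    parts = [part.strip() for part in attribute.split(",")]
    fields = dict(part.split("=", 1) for part in parts[1:] if "=" in part)
    return (parts[0].lower() == name.lower()
            and fields.get("PublicKeyToken", "").lower() == token.lower())


def remove_safecontrol(path, name, token):
    """Back up web.config, delete only the matching entries, return what was removed."""
    with open(path, encoding="utf-8-sig", newline="") as handle:
        original = handle.read()
    removed = []

    def drop(match):
        found = ASSEMBLY.search(match.group(0))
        if found and same_assembly(found.group(1), name, token):
            removed.append(match.group(0).strip())
            return ""
        return match.group(0)            # every other entry is kept byte for byte

    updated = SAFE_CONTROL.sub(drop, original)
    if not removed:
        return []                        # nothing matched: file and backup untouched
    ET.fromstring(updated)               # raises ParseError if the edit broke the XML
    shutil.copy2(path, str(path) + ".bak")
    with open(path, "w", encoding="utf-8", newline="") as handle:
        handle.write(updated)
    return removed
```

IIS still has to be reset afterwards as described above, and the .bak copy is the file to restore if the sites do not come back.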