Category Archives: Security

Was passiert wenn man Putty mit einem Squid kreuzt?

December 4, 2008 patrick.preuss Leave a comment

Dann kann man jeden Host mit SSH im Internet erreichen:-) Na dann mal los.

Block Skype Traffic on Cisco Router

November 5, 2008 patrick.preuss Leave a comment

Die Ciscos haben ein neues Konzept für die IOS Firewall implementiert. Mit dieser sollte auch das blocken von Skype möglich sein.

ZoneBased Firewall

Auf dem Ansatz der alten Lösung, Link, werd ich das ganze mal auf die ZBF übertragen.

Hier der erste Ansatz:

--- snip ---
class-map type inspect http block-skype-class
match request method connect
!
class−map type inspect match−any private−allowed−class
match protocol tcp
match protocol udp
match protocol icmp
!
policy-map type inspect inside-outside-policy
class type inspect http block-skype-class
 drop
 log
class type inspect private−allowed−class
 inspect
class class-default
!
! the good
zone security inside
!
! the bad 
zone security dmz
!
! and the ugly
zone security outside
!
! combine inside and outside
! traffic goes from inside to outside
zone-pair security inside-outside source inside destination outside
service-policy type inspect inside-outside-policy
!
interface FastEthernet 0
zone-member security inside
!
interface FastEthernet 1
zone-member security outside
!
--- snip ---

Cisco, Computer, Security, Skype

Block Skype Traffic on Cisco Router

November 5, 2008 patrick.preuss Leave a comment

Die Ciscos haben ein neues Konzept für die IOS Firewall implementiert. Mit dieser sollte auch das blocken von Skype möglich sein.

ZoneBased Firewall

Auf dem Ansatz der alten Lösung, Link, werd ich das ganze mal auf die ZBF übertragen.

Hier der erste Ansatz:

--- snip ---
class-map type inspect http block-skype-class
match request method connect
!
class−map type inspect match−any private−allowed−class
match protocol tcp
match protocol udp
match protocol icmp
!
policy-map type inspect inside-outside-policy
class type inspect http block-skype-class
 drop
 log
class type inspect private−allowed−class
 inspect
class class-default
!
! the good
zone security inside
!
! the bad 
zone security dmz
!
! and the ugly
zone security outside
!
! combine inside and outside
! traffic goes from inside to outside
zone-pair security inside-outside source inside destination outside
service-policy type inspect inside-outside-policy
!
interface FastEthernet 0
zone-member security inside
!
interface FastEthernet 1
zone-member security outside
!
--- snip ---

Computer, Security

kerberos und windows xp

October 25, 2008 patrick.preuss Leave a comment

Achtung kann üble Probleme machen.

[sourcecode]
ksetup /SetRealm PATRICK-PREUSS.DE
ksetup /AddKdc 10.0.12.32
ksetup /AddKpasswd PATRICK-PREUSS.DE 10.0.12.32
ksetup /SetComputerPassword somethingverysecret
ksetup /MapUser rt01@PATRICK-PREUSS.DE rt01
[/sourcecode]
[sourcecode]
C:Documents and Settingsrt01> ksetup
default realm = PATRICK-PREUSS.DE (external)
10.0.12.32:
(no kdc entries for this realm)
Realm Flags = 0x0 none
PATRICK-PREUSS.DE:
(no kdc entries for this realm)
kpasswd = 10.0.12.32
Realm Flags = 0x0 none
Mapping rt01@PATRICK-PREUSS.DE to rt01.
[/sourcecode]

Computer, LDAP, Security

OpenLDAP ppolicy

October 23, 2008 patrick.preuss Leave a comment

— snip /etc/ldap/slapd.conf —
# ppolicy schema
include /etc/ldap/schema/ppolicy.schema

moduleload ppolicy.la
overlay ppolicy
ppolicy_default “cn=default,ou=PasswordPolicy,dc=patrick-preuss,dc=de”
ppolicy_use_lockout
— snip /etc/ldap/slapd.conf —

— snip default.ldif —
dn: cn=default,ou=PasswordPolicy,dc=patrick-preuss,dc=de
objectClass: device
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdCheckQuality: 1
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdLockout: FALSE
pwdLockoutDuration: 1920
pwdMaxAge: 7516800
pwdMaxFailure: 4
pwdMinLength: 6
pwdMustChange: TRUE
pwdSafeModify: FALSE
— snip default.ldif —

— snip peruser.ldif —
dn: cn=Patrick Marc Preuss,ou=People,dc=patrick-preuss,dc=de
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=PasswordPolicy,dc=patrick-preuss,dc=de
— snip peruser.ldif —

Computer, LDAP, Security

Kerberos und LDAP II

October 22, 2008 patrick.preuss Leave a comment

Normalerweise werden die Kerberos Attribute unter “cn=Kerberos,…” gespeichert.
Es ist möglich diese unter der “ou=People,….” in einem Account zu speichern.

Cisco, Computer, Debian, Security

Kerberos und IOS

October 20, 2008 patrick.preuss Leave a comment

Cisco IOS 12.2 Configuring Kerberos
Cisco IOS 12.4 Configuring Kerberos
Cisco IOS 12.4T Configuring Kerberos

moria# kadmin.local -q ‘addprinc -randkey host/ws-c2940-8tt-s.patrick-preuss.de’
moria# kadmin.local -q ‘ktadd -e DES-CBC-CRC:NORMAL -k /var/www/ios.keytab host/ws-c2940-8tt-s.patrick-preuss.de@PATRICK-PREUSS.DE’

— Cisco IOS 121-22.EA11 —
aaa authentication login default krb5-telnet local krb5
aaa authentication login console-override local
aaa authorization exec default local krb5-instance
kerberos local-realm PATRICK-PREUSS.DE
kerberos srvtab entry host/ws-c2940-8tt-s.patrick-preuss.de@PATRICK-PREUSS.DE 1 1224540392 3 1 8 0<=?;79;5:>>:
kerberos realm patrick-preuss.de PATRICK-PREUSS.DE
kerberos realm .patrick-preuss.de PATRICK-PREUSS.DE
kerberos server PATRICK-PREUSS.DE 10.0.12.32
kerberos instance map admin 15
kerberos credentials forward
— cisco —

— Cisco IOS 124-15.T5 —
aaa authentication login default krb5-telnet krb5 local
aaa authentication login console-override local
! Seams so 12.4 15 T 5 some bugs in kerberos code
! we should do some research in this point
! aaa authorization exec default local krb5-instance
kerberos local-realm PATRICK-PREUSS.DE
kerberos srvtab entry host/cisco1721.patrick-preuss.de@PATRICK-PREUSS.DE 1 1224539305 3 1 8 05>9898=?83
kerberos realm patrick-preuss.de PATRICK-PREUSS.DE
kerberos realm .patrick-preuss.de PATRICK-PREUSS.DE
kerberos server PATRICK-PREUSS.DE 10.0.12.32
kerberos instance map admin 15
kerberos credentials forward
— cisco —