Wednesday, November 14, 2012

Raspberry pi pandora radio box setup sneak peek

This project has not been abandoned.
Script is 50% done.
And here's a sneak peek

Sunday, October 14, 2012

Whitelisting URLs using Cisco ASA

Taken from http://walshike.blogspot.com.au/2009/07/asa-regular-expression.html
ASA Regular Expression - Whitelist/Blacklist
The intent of this post is to show how you can permit specific web
sites from your inside hosts and block all others. To do this
URL (or IRI) filtering on the ASA, you need to create a few things.

• First off you need to decide what you want to allow by calling them
out in a regex statement. Escape each dot so that it matches a literal
"." rather than any single character:
!
regex urlreg1 "cisco\.com"
regex urlreg2 "yahoo\.com"

• Next we will group these statements under a class-map and call it whitelist:
!
class-map type regex match-any whitelist
match regex urlreg1
match regex urlreg2

• The class-map "goodclass" just assembles the URLs that are listed
in the "whitelist" and says match this.
!
class-map type inspect http match-all goodclass
match request header host regex class whitelist

• Now we need to create a class-map that blocks everything not in the
allowed list. This is done by creating the "badclass" and stating
"match not" for the whitelist.
!
class-map type inspect http match-all badclass
match not request header host regex class whitelist

• Here we are taking the "badclass" and "goodclass" and putting them
into a policy-map that has actions. In this case the action for the
"badclass" is to drop the connection; "goodclass" has no action and is
allowed through.
!
policy-map type inspect http regex-policy
parameters
class goodclass
class badclass
drop-connection

• The policy-map "global_policy" might already exist on the ASA (not
sure since I have hacked mine to hell) but in any case it calls out
the "class inspection_default" that has to exist on the box for the
statement under the "global_policy" to take. If you are missing it
here it is:

# class-map inspection_default
# match default-inspection-traffic

!
policy-map global_policy
class inspection_default
inspect http regex-policy

• This next statement applies the "global_policy" to the inside
interface. Once applied, this will allow users on the trusted LAN to
access two sites, cisco.com and yahoo.com, and that's it.
!
service-policy global_policy interface inside

Have fun with this one. Maybe call out some social networking sites in
the regex statement and change the actions in the policy-map
"regex-policy" to log the hits and see how often your users are
accessing those sites.
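A pre-deployment check for the whitelist regexes above, added here as an example and not part of the original post: it models the goodclass/badclass decision and reports which Host values each candidate pattern set wrongly allows or drops. The hostnames are constructed, the function names are hypothetical, and Python's `re` module stands in for the ASA regex engine, so confirm each metacharacter against the ASA regex documentation before porting a pattern.

```python
import re

# Constructed Host header values (not from the original post).
SHOULD_ALLOW = ["cisco.com", "www.cisco.com", "yahoo.com", "mail.yahoo.com"]
SHOULD_DROP = [
    "example.org",
    "ciscoxcom.example",      # an unescaped "." matches any character
    "notcisco.com",           # pattern found inside a longer name
    "yahoo.com.example.net",  # pattern used as a prefix of another domain
]

# Candidate whitelists written as Python regexes (assumption: stand-ins for
# ASA "regex" statements, which also match anywhere in the string).
UNESCAPED = ["cisco.com", "yahoo.com"]
ESCAPED = [r"cisco\.com", r"yahoo\.com"]
ANCHORED = [r"^([a-z0-9-]+\.)*cisco\.com$", r"^([a-z0-9-]+\.)*yahoo\.com$"]


def decide(host, whitelist):
    """Model goodclass/badclass: a host matching no whitelist regex is dropped."""
    if any(re.search(pattern, host) for pattern in whitelist):
        return "allow"
    return "drop-connection"


def audit(whitelist):
    """Return (hosts wrongly allowed, hosts wrongly dropped)."""
    over = [h for h in SHOULD_DROP if decide(h, whitelist) == "allow"]
    under = [h for h in SHOULD_ALLOW if decide(h, whitelist) != "allow"]
    return over, under


if __name__ == "__main__":
    candidates = [("unescaped", UNESCAPED), ("escaped", ESCAPED),
                  ("anchored", ANCHORED)]
    for name, whitelist in candidates:
        over, under = audit(whitelist)
        print(f"{name:10} wrongly allowed={over} wrongly dropped={under}")
```
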

Tuesday, September 25, 2012

Raspberry pi pandora radio box setup part 1

Pandora is a free streaming wireless radio station that I use a lot on
a daily basis (http://www.pandora.com/).
After looking at the pandora box project on lifehacker, I want to
build my own but based on raspberry pi rather than beagleboard.
(http://www.lifehacker.com.au/2012/09/build-a-dedicated-pandora-wi-fi-radio/).

This is by no means a full on step by step guide, a bit of google
searching when you're stuck will go a long way.

What you'll need for this part:
1. Raspberry pi, would recommend getting from element14.com or
ebay/gumtree if you can't wait
2. micro USB power supply (or cable plugged into another PC, it's up to you)
3. A Realtek RTL8188CUS based wifi adapter. Most mini wifi dongles are
based on this chipset. Here's what I got:
http://www.netgear.com.au/home/products/wireless-adapters/simplesharing/WNA1000M.aspx
4. An SD card, I got myself an 8GB SD card (most cards should work)
5. HDMI monitor, HDMI cable, USB keyboard, USB mouse optional
6. Another workstation/laptop with SD card reader to write/read to the SD card
7. wired and wireless internet connection and an ethernet cable.
If you don't have a wired connection, or a long enough cable, set up
internet connection sharing from your workstation or laptop to your
raspberry pi
8. Some spare time and perhaps a cup of good coffee

Instructions:

1. First of all use the latest raspi (debian squeeze image), download
it from http://www.raspberrypi.org/downloads.
This image allows auto overclocking as well as having the wifi driver
preinstalled.
The website also explains how to write the image to the SD card.

2. Boot up the raspberry pi plugging it to an HDMI monitor. Now, I
spent hours trying to troubleshoot why the output was not displaying
and it turned out that some HDMI cables + monitors give out
inaccurate EDID or maybe it's the alignment of the cosmos, but I
sidestepped the issue by using a HDMI to DVI cable instead.

3. Once you're in, configure your installation using raspi-config
(sudo raspi-config). There are a few things that you need to
configure, I would recommend doing it in this order:
- update: to update your raspbian image to the latest one available
- configure-keyboard: make sure you set it to the right locale,
default installation is UK keyboard, and we all use US keyboard
mapping
- change_pass, change_locale, change_timezone
- memory_split: I chose the lowest memory allocation for the Video as
we will be using terminal mode only with no GUI
- ssh: enable ssh server for remote monitorless troubleshooting
- expand-rootfs: to let raspbian use up all available space on the SD card

The overclocking option is up to you, I personally enable it.

4. Plug in your wifi dongle on the usb port (get rid of the mouse),
and power up the pi.
Setup wifi (http://omer.me/2012/04/setting-up-wireless-networks-under-debian-on-raspberry-pi/)

I personally did:

sudo apt-get install wpasupplicant

After that's done, create a configuration file for it:

$ sudo nano /etc/wpa.conf

network={
ssid="YOUR-SSID"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP
psk="WPA-PASSWORD"
}
And reference this in /etc/network/interfaces:

$ sudo nano /etc/network/interfaces

# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

auto lo

iface lo inet loopback
iface eth0 inet dhcp

auto wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa.conf

5. Once you reboot and have gone back to the command line prompt, set
up auto login as root. (this is bad practice for a workstation in
general, but perfect for our setup).
(http://elinux.org/RPi_Debian_Auto_Login)

sudo nano /etc/inittab
Scroll down to:
1:2345:respawn:/sbin/getty 115200 tty1 (your terminal speed may be
different, but no matter)
and change to
#1:2345:respawn:/sbin/getty 115200 tty1
Under that line add:
1:2345:respawn:/bin/login -f root tty1 </dev/tty1 >/dev/tty1 2>&1

Save the file and reboot

6. By now, you'll have a raspberry pi that upon powering up logs in as
root and connects to the wifi automatically.
You would want to install pianobar
(http://6xq.net/projects/pianobar/). This installs the pandora command
line client.

Just do apt-get install pianobar
And type in pianobar to start.
Plug in your earphone/speakers and enjoy.

This is where I am up to for now.
The next step of the tutorial will be on scripts that control pianobar.
The final aim is to have buttons invoking scripts that control pianobar.

Monday, September 24, 2012

Enabling Start Before Logon for Cisco ASA anyconnect clients

How to enable Anyconnect Start Before Logon

This is useful if your workstation is not in the secure zone but you
want to connect it to the domain anyway.

SBL allows the anyconnect client to be started before the windows logon process.
This way you can reach the secure network for domain authentication, etc.
1. SBL only works with a trusted host, therefore if your vpn host does
not have a certificate signed by a certificate authority, create a
self-signed certificate and import it to the machine.

- First, create a self-signed certificate for the interface that anyconnect
connects to and assign it to the interface:
! Note: 1024-bit RSA is below current minimum recommendations (2048 bits or more).
crypto key generate rsa label sslvpnkeypair modulus 1024
crypto ca trustpoint self
enroll self
fqdn myasa.cisco.com
subject-name CN=myasa.cisco.com
keypair sslvpnkeypair
crypto ca enroll self noconfirm
ssl trust-point self outside
(reference: https://supportforums.cisco.com/docs/DOC-11433)
- Download the certificate to the local machine (either directly from
the ASA, or using your web browser to download it after trusting it).
Then add it to the computer's trusted root certificate store.
(reference: http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx)

2. If you do not want this option on all of the ssl vpn users, create
another anyconnect vpn profile.
Under Remote Access VPN -> Network Client Access -> AnyConnect Client Profile
On the profile make sure these are ticked:
o Use Start Before Logon
On the server list, make sure you enter the FQDN of the vpn server on
the "Hostname" and "Host Address" section

Either create a new group policy under Remote Access VPN -> Network
Client Access -> Group Policy
or assign it to an existing one.
And lastly make sure to create an Anyconnect connection profile and
give it an alias so that users can choose the right one when
connecting
(reference http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml#dfgh)
3. Join the computer to the domain, you might have to reinstall the
vpn client for SBL to take effect among the domain accounts.

Recover Cisco ASA crypto keys

more system:running-config

(reference: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml)

Thursday, September 6, 2012

raspberry pi

sudo raspi-config

sudo apt-get install freerdp rdesktop grdesktop
xfreerdp {hostname/ip address of Windows machine}

http://www.raspberrypi.org/phpBB3/viewtopic.php?f=10&t=5814
http://wiki.xbmc.org/index.php?title=Raspberry_Pi

xfreerdp -d -u -p -x l -a 15 -z -f --gdi sw