Friday, December 12, 2014

Friday, November 14, 2014

Apache LDAP Active Directory authentication


<Location /test>
AuthType Basic
AuthName "Please enter your AD credentials to access this portal"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPBindDN "user@domain.local"
AuthLDAPBindPassword "password"
AuthLDAPURL "ldap://IP-ADDRESS:3268/DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
#Require ldap-user "testuser"
Require ldap-group CN=Everybody,OU=Security,OU=Groups,OU=1-Users,DC=DOMAIN,DC=LOCAL

</Location>




ldapsearch -h domain.local -p 3268 -D 'someuser@domain.local' -W -b "cn=users,dc=domain,dc=local"
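The ldapsearch line above is the manual test for the Apache configuration, but the mapping between the two is easy to get wrong. The following shell script is an added example, not part of the original post: it parses an AuthLDAPURL of the form scheme://host[:port]/basedn?attribute?scope?filter, reports whether the URL implies TLS, and prints the ldapsearch command that runs the exact lookup mod_authnz_ldap performs, (&(filter)(attribute=USERNAME)). The URL is the post's own placeholder; the user name and the ldaps:// variant are constructed.

```sh
#!/bin/sh
# Added example (not from the post): parse an Apache AuthLDAPURL, report the
# transport it implies, and print the ldapsearch call that reproduces the exact
# lookup mod_authnz_ldap performs. The URL is the post's placeholder; the user
# name used in the demo is constructed.

# ldap_url_transport URL: "tls" for ldaps://, "cleartext" for ldap://.
# Over plain ldap:// (with no LDAPTrustedMode TLS to negotiate STARTTLS) the
# AuthLDAPBindPassword and every user's Basic-auth password cross the network
# unencrypted, so this is the first thing to check in a config like the one above.
ldap_url_transport() {
    case $1 in
        ldaps://*) echo tls ;;
        *)         echo cleartext ;;
    esac
}

# ldap_url_to_search URL BINDDN USERNAME
# AuthLDAPURL is scheme://host[:port]/basedn?attribute?scope?filter. The module
# looks a user up with (&(filter)(attribute=USERNAME)), and that is the filter
# the printed command uses, so a failing ldapsearch here means a failing login.
ldap_url_to_search() {
    url=$1 binddn=$2 user=$3
    scheme=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}
    rest=${rest#*/}
    host=${hostport%%:*}
    case $hostport in
        *:*) port=${hostport#*:} ;;
        *)   if [ "$scheme" = ldaps ]; then port=636; else port=389; fi ;;
    esac
    # Split basedn?attribute?scope?filter with read, which neither globs the
    # '*' in the default filter nor drops empty fields.
    IFS='?' read -r base attr scope filter <<EOF
$rest
EOF
    # Apache's documented defaults for the omitted parts.
    [ -n "$attr" ]   || attr=uid
    [ -n "$scope" ]  || scope=sub
    [ -n "$filter" ] || filter='(objectClass=*)'
    printf "ldapsearch -H %s://%s:%s -D '%s' -W -b '%s' -s %s '(&%s(%s=%s))' dn %s\n" \
        "$scheme" "$host" "$port" "$binddn" "$base" "$scope" "$filter" "$attr" "$user" "$attr"
}

# Demo with the post's own AuthLDAPURL:
url='ldap://IP-ADDRESS:3268/DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)'
echo "transport: $(ldap_url_transport "$url")"
ldap_url_to_search "$url" 'user@domain.local' someuser
```

Port 3268 is the Global Catalog over plain LDAP; its TLS counterpart is 3269, which the script treats as "tls" only when the URL scheme is ldaps://.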


refs:
http://stackoverflow.com/questions/22224465/querying-windows-active-directory-server-using-ldapsearch-from-command-line

Wednesday, September 10, 2014

Cisco trunks native vlans



interface Ethernet 0/2
 switchport
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast


interface Ethernet 0/2
 switchport
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
! switchport trunk allowed vlan 10,20
 spanning-tree portfast trunk

Both configurations will result in the same behaviour.  Only VLAN 10 traffic will be forwarded on each port, and it will be forwarded untagged.  Any untagged traffic arriving at the port will be classified into VLAN 10.


ref:
http://rednectar.net/2012/03/11/the-access-vlan-is-dead-long-live-the-native-vlan/

Monday, July 7, 2014

*nix tricks

I have marked with a * those which I think are absolutely essential.
Items for each section are sorted by oldest to newest. Come back soon for more!

BASH
* In bash, 'ctrl-r' searches your command history as you type
- Input from the commandline as if it were a file by replacing 
  'command < file.in' with 'command <<< "some input text"'
- '^' is a sed-like operator to replace chars from last command 
  'ls docs; ^docs^web^' is equal to 'ls web'. The second argument can be empty.
* '!!:n' selects the nth argument of the last command, and '!$' the last arg
  'ls file1 file2 file3; cat !!:1-2' shows all files and cats only 1 and 2
- More in-line substitutions: http://tiny.cc/ecv0cw http://tiny.cc/8zbltw
- 'nohup ./long_script &' to leave stuff in background even if you logout
- 'cd -' change to the previous directory you were working on
- 'ctrl-x ctrl-e' opens an editor to work with long or complex command lines
* Use traps for cleaning up bash scripts on exit http://tiny.cc/traps
* 'shopt -s cdspell' automatically fixes your 'cd folder' spelling mistakes
* Add 'set editing-mode vi' in your ~/.inputrc to use the vi keybindings 
  for bash and all readline-enabled applications (python, mysql, etc)
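The "use traps for cleaning up" item above only links out, so here is the pattern in full. This is an added example and not part of the original tricks list: a step runs inside a subshell that owns a temporary directory, the directory is removed on normal exit, on failure and on an interrupt, and the step's own exit status is passed back to the caller. The two step functions are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original tricks list: the trap pattern the
# "cleaning up bash scripts on exit" item refers to.

# run_with_workdir STEP [ARGS...]: call STEP with a fresh temp dir appended
# as its last argument, then always remove that dir. Returns STEP's status.
run_with_workdir() {
    (
        work=$(mktemp -d) || exit 1
        # EXIT covers normal completion and errors; the signal traps turn an
        # interrupt into an explicit exit so the EXIT trap is guaranteed to run
        # whatever the shell's default signal behaviour is.
        trap 'rm -rf "$work"' EXIT
        trap 'exit 130' INT TERM HUP
        "$@" "$work"
    )
}

# Two constructed steps for the demo: one succeeds, one fails with status 3.
# Each prints the work dir so the caller can confirm it is gone afterwards.
step_ok() {
    printf 'payload\n' > "$1/data.txt"
    printf '%s\n' "$1"
}
step_fail() {
    printf '%s\n' "$1"
    return 3
}

# Demo: run both steps and report whether the directories were cleaned up.
demo() {
    d=$(run_with_workdir step_ok)
    if [ -e "$d" ]; then echo "ok step: $d left behind"; else echo "ok step: $d removed"; fi
    d=$(run_with_workdir step_fail) || echo "failing step returned $?"
    if [ -e "$d" ]; then echo "failing step: $d left behind"; else echo "failing step: $d removed"; fi
}
demo
```

Running the step in a subshell keeps the trap local: two calls in the same script do not overwrite each other's EXIT handler, and the parent shell's own traps are untouched.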


PSEUDO ALIASES FOR COMMONLY USED LONG COMMANDS
- function lt() { ls -ltrsa "$@" | tail; }
- function psgrep() { ps axuf | grep -v grep | grep "$@" -i --color=auto; }
- function fname() { find . -iname "*$1*"; }
- function remove_lines_from() { grep -F -x -v -f "$2" "$1"; }
  removes lines from $1 if they appear in $2
- alias pp="ps axuf | pager"
- alias sum="xargs | tr ' ' '+' | bc" ## Usage: echo 1 2 3 | sum
- function mcd() { mkdir "$1" && cd "$1"; }


VIM
- ':set spell' activates vim spellchecker. Use ']s' and '[s' to move between
  mistakes, 'zg' adds to the dictionary, 'z=' suggests correctly spelled words
- check my .vimrc http://tiny.cc/qxzktw and here http://tiny.cc/kzzktw for more


TOOLS
* 'htop' instead of 'top'
- 'ranger' is a nice console file manager for vi fans
- Use 'apt-file' to see which package provides that file you're missing
- 'dict' is a commandline dictionary
- Learn to use 'find' and 'locate' to look for files
- Compile your own version of 'screen' from the git sources. Most versions
  have a slow scrolling on a vertical split or even no vertical split at all
* 'trash-cli' sends files to the trash instead of deleting them forever. 
  Be very careful with 'rm' or maybe make a wrapper to avoid deleting '*' by
  accident (e.g. you want to type 'rm tmp*' but type 'rm tmp *')
- 'file' gives information about a file, as image dimensions or text encoding
- 'sort | uniq' to check for duplicate lines
- 'echo start_backup.sh | at midnight' starts a command at the specified time
- Pipe any command over 'column -t' to nicely align the columns
* Google 'magic sysrq' to bring a Linux machine back from the dead
- 'diff --side-by-side fileA.txt fileB.txt | pager' to see a nice diff
* 'j.py' http://tiny.cc/62qjow remembers your most used folders and is an 
  incredible substitute to browse directories by name instead of 'cd' 
- 'dropbox_uploader.sh' http://tiny.cc/o2qjow is a fantastic solution to 
  upload by commandline via Dropbox's API if you can't use the official client
- learn to use 'pushd' to save time navigating folders (j.py is better though)
- if you liked the 'psgrep' alias, check 'pgrep' as it is far more powerful
* never run 'chmod o+x * -R', capitalize the X to avoid executable files. If
  you want _only_ executable folders: 'find . -type d -exec chmod g+x {} \;'
- 'xargs' gets its input from a pipe and runs some command for each argument
* run jobs in parallel easily: 'ls *.png | parallel -j4 convert {} {.}.jpg'
- grep has a '-c' switch that counts occurrences. Don't pipe grep to 'wc -l'.


NETWORKING
- Don't know where to start? SMB is usually better than NFS for most cases.
- If you use 'sshfs_mount' and suffer from disconnects, use 
  '-o reconnect,workaround=truncate:rename'
- 'python -m SimpleHTTPServer 8080' or 'python3 -m http.server --bind localhost 8080'
  shares all the files in the current folder over HTTP.
- 'ssh -R 12345:localhost:22 server.com "sleep 1000; exit"' forwards 
  server.com's port 12345 to your local ssh port, even if your machine 
  is not externally visible on the net. 
  Now you can 'ssh localhost -p 12345' from server.com and you will 
  log into your machine. 
  'sleep' avoids getting kicked out from server.com for inactivity
* Read on 'ssh-agent' to strengthen your ssh connections using private keys, 
  while avoiding typing passwords every time you ssh.
- 'socat TCP4-LISTEN:1234,fork TCP4:192.168.1.1:22' forwards your port
  1234 to another machine's port 22. Very useful for quick NAT redirection.
- Some tools to monitor network connections and bandwidth:
  'lsof -i' monitors network connections in real time
  'iftop' shows bandwidth usage per *connection*
  'nethogs' shows the bandwidth usage per *process*
* Use this trick on .ssh/config to directly access 'host2' which is on a private 
  network, and must be accessed by ssh-ing into 'host1' first
  Host host2
      ProxyCommand ssh -T host1 'nc %h %p'
      HostName host2
* Pipe a compressed file over ssh to avoid creating large temporary .tgz files
  'tar cz folder/ | ssh server "tar xz"' or even better, use 'rsync'
* ssmtp can use a Gmail account as SMTP and send emails from the command line.
  'echo "Hello, User!" | mail user@domain.com' ## Thanks to Adam Ziaja.
  Configure your /etc/ssmtp/ssmtp.conf:
      root=***E-MAIL***
      mailhub=smtp.gmail.com:587
      rewriteDomain=
      hostname=smtp.gmail.com:587
      UseSTARTTLS=YES
      UseTLS=YES
      AuthUser=***E-MAIL***
      AuthPass=***PASSWORD***
      AuthMethod=LOGIN
      FromLineOverride=YES


ref:
http://cfenollosa.com/misc/tricks.txt

Wednesday, May 28, 2014

OpenSSL cert generation without password

# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
# openssl req -in server.csr -noout -text
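The two commands above generate and inspect the CSR; what they do not do is confirm the result. The script below is an added example, not from the post: it runs the same non-interactive generation (with -subj in place of the prompts) and then checks that -nodes really left the key unencrypted, that the CSR's self-signature verifies, and that the CSR carries the public half of the key that was written. The subject is a constructed placeholder.

```sh
#!/bin/sh
# Added example (not from the post): non-interactive key/CSR generation plus
# the checks worth running before handing the CSR to a CA. The subject is a
# constructed placeholder.

# gen_key_csr DIR SUBJECT: 2048-bit RSA key without a passphrase plus a CSR,
# with no prompts (-subj replaces the interactive questions).
gen_key_csr() {
    dir=$1 subj=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # The key is plaintext, so its file mode is the only protection it has.
    chmod 600 "$dir/server.key"
}

# key_is_encrypted KEYFILE: succeeds if the PEM is passphrase protected.
# Both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" form contain the word ENCRYPTED.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# csr_matches_key CSRFILE KEYFILE: succeeds when the CSR's self-signature
# verifies and its embedded public key is the public half of KEYFILE.
csr_matches_key() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Demo: generate into a temp dir, run the checks, then the post's inspection step.
demo() {
    work=$(mktemp -d)
    gen_key_csr "$work" '/C=XX/O=Example Org/CN=www.example.test' || return 1
    if key_is_encrypted "$work/server.key"; then
        echo "server.key is passphrase protected"
    else
        echo "server.key is unencrypted, as -nodes intends"
    fi
    if csr_matches_key "$work/server.csr" "$work/server.key"; then
        echo "server.csr verifies and matches server.key"
    fi
    openssl req -in "$work/server.csr" -noout -subject
    rm -rf "$work"
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```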

Friday, February 21, 2014

BSD pf firewall ipsec

#vim /etc/pf.conf
pass in quick on $outside proto udp from remote-gateway to $external_carp_addr port { 500 4500 }

#
pfctl -f /etc/pf.conf


#vim /etc/ipsec.conf
ike esp from local-network/16 to remote-network/20 \
     peer remote-gateway \
     main auth hmac-sha1 enc aes-256 group modp1536 \
     quick auth hmac-sha1 enc aes-256 group modp1536 \
     srcid local-gateway psk 'secretkey'

#
ipsecctl -f /etc/ipsec.conf

#troubleshooting and monitoring
pfctl -sr
ipsecctl -sall
ipsecctl -m
tail -f /var/log/daemon


tcpdump -n -e -ttt -i pflog0

isakmpd -K


ref:
http://www.richweb.com/ipsec_between_openbsd_cisco_asa
http://littleabroad.wordpress.com/2012/03/28/ipsec-vpn-between-cisco-and-openbsd/
http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
http://resin.csoft.net/cgi-bin/man.cgi?section=5&topic=ipsec.conf
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Wednesday, January 29, 2014

Adding Linux/CentOS to Windows domain

wget http://download.beyondtrust.com/PBISO/7.5.3.1536/linux.rpm.x64/pbis-open-7.5.3.1536.linux.x86_64.rpm.sh
sh pbis-open-7.5.3.1536.linux.x86_64.rpm.sh
/opt/likewise/bin/domainjoin-cli join towncar.us mojleski
/opt/pbis/bin/update-dns

/opt/likewise/bin/lwregshell import /opt/pbis/share/config/lsassd.reg
/opt/likewise/bin/lw-ad-cache --delete-all
/opt/likewise/bin/lwconfig LoginShellTemplate /bin/bash


vim /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_access.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    sufficient      pam_lsass.so



vim /etc/security/access.conf

#
+ : root : ALL
#+ : mojleski1 : ALL
+ : DOMAIN\devs : ALL

# User "john" should get access from ipv6 host address (same as above)
#+ : john : 2001:4ca0:0:101:0:0:0:1
#
# User "john" should get access from ipv6 net/mask
#+ : john : 2001:4ca0:0:101::/64
#
# All other users should be denied to get access from all sources.
- : ALL : ALL
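pam_access evaluates access.conf top to bottom and takes the first line whose users and origins fields both match; if no line matches, the login is permitted, which is why the closing "- : ALL : ALL" line matters. The script below is an added example, not from the post: a small first-match evaluator for rule sets of this shape, useful for checking who a rule set admits before trusting it to gate ssh logins. Group membership is handed in as arguments (constructed here; on a real host it comes from "id -Gn user"), and only ALL, exact user/group/host tokens and dotted network prefixes such as 10.0.0. are modelled, not LOCAL, EXCEPT or CIDR origins.

```sh
#!/bin/sh
# Added example (not from the post): a first-match evaluator for
# /etc/security/access.conf style rules. Group membership is passed in
# explicitly (constructed); LOCAL, EXCEPT and CIDR origins are not modelled.

# Strip leading/trailing blanks from stdin.
trim() { sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# field_matches FIELD USER GROUP...: the users field (one or more login names,
# group names, or ALL) names USER or one of USER's groups. Matching plain
# group names in the users field is what the post's "DOMAIN\devs" line relies on.
field_matches() {
    field=$1 u=$2
    shift 2
    for tok in $field; do
        if [ "$tok" = ALL ] || [ "$tok" = "$u" ]; then return 0; fi
        for g in "$@"; do
            if [ "$tok" = "$g" ]; then return 0; fi
        done
    done
    return 1
}

# origin_matches FIELD ORIGIN: ALL, an exact host/address, or a network
# prefix written with a trailing dot.
origin_matches() {
    field=$1 o=$2
    for tok in $field; do
        case $tok in
            ALL) return 0 ;;
            *.)  case $o in "$tok"*) return 0 ;; esac ;;
            *)   if [ "$tok" = "$o" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# access_decision CONF_TEXT USER ORIGIN GROUP...: print "+" or "-" from the
# first line whose users and origins fields both match. Prints "+" when no
# line matches, because pam_access permits unmatched logins; that is what the
# trailing "- : ALL : ALL" line exists to prevent.
access_decision() {
    conf=$1 user=$2 origin=$3
    shift 3
    groups=$*
    hit=$(printf '%s\n' "$conf" | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        perm=$(printf '%s' "$line" | cut -d: -f1 | trim)
        who=$(printf '%s' "$line" | cut -d: -f2 | trim)
        from=$(printf '%s' "$line" | cut -d: -f3 | trim)
        if ! field_matches "$who" "$user" $groups; then continue; fi
        if ! origin_matches "$from" "$origin"; then continue; fi
        printf '%s\n' "$perm"
        break
    done)
    printf '%s\n' "${hit:-+}"
}

# Demo with the post's rule set, and once more with the deny-all line left out.
rules='+ : root : ALL
+ : DOMAIN\devs : ALL
- : ALL : ALL'
printf 'root from anywhere:        %s\n' "$(access_decision "$rules" root 10.0.0.5)"
printf 'alice in DOMAIN\\devs:      %s\n' "$(access_decision "$rules" alice 10.0.0.5 users 'DOMAIN\devs')"
printf 'bob in no allowed group:   %s\n' "$(access_decision "$rules" bob 10.0.0.5 users)"
printf 'bob, no deny-all line:     %s\n' "$(access_decision '+ : root : ALL' bob 10.0.0.5 users)"
```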





/opt/likewise/bin/lw-ad-cache --enum-users
/opt/likewise/bin/lw-find-user-by-name username --level 2
/opt/likewise/bin/lw-find-group-by-id
id username
getent group | grep somegroup
getent passwd | grep username