Thursday, January 27, 2011

SSH Key based authentication

It seems like I'm always connecting to servers via ssh and I hate having to remember my password. I remember a long time ago someone showed me how to place your public key on the server so you could log in automatically, but then I forgot how to do it. Well, that's what this blog is for. Here are the steps to doing it:

• Generate the Keys
• Copy your public key to the server and vice versa
• Connect and authorize

• Generate the Keys
All you need to do is enter ssh-keygen in the terminal and you will be taken through a few steps.

#1 It will ask you where you want to save it. The default is in /Users/yourname/.ssh/id_rsa. Just stick with that.

#2 It will ask if you would like to add a passphrase to the key or leave it empty - enter a passphrase that you can easily remember - you will need to enter it twice. After you enter the passphrase it will display the key's randomart image.

• Copy your public key to the server
Now that the keys have been created you need to move the public one to the server. Navigate to the ~/.ssh directory and inside there you will find something like this:

-rw------- 1 user staff 1743 Jan 21 21:09 id_rsa
-rw-r--r-- 1 root staff 416 Jan 21 21:09 id_rsa.pub
-rw-r--r-- 1 user staff 4252 Jan 11 22:19 known_hosts

The file you want is id_rsa.pub, so go ahead and do a "more" on it and copy the contents to the clipboard. Now go to the server you want to add this to, log in FOR THE LAST TIME (HA!), navigate to ~/.ssh and touch a file named "authorized_keys". Then do a chmod 644 ~/.ssh/authorized_keys. After that's complete do a sudo pico authorized_keys and paste in the key you copied to your clipboard.

• Copy your server key to you:
Same process, go to the server and do this:
1. ssh-keygen - save it to the default location, enter a passphrase
2. create the authorized_keys file, chmod 644
3. pico and paste the key from YOUR machine's id_rsa.pub file

Now you have the key from the server in your authorized_keys file and the server has your key in its authorized_keys.

• Connect and authorize
Now that the key is in both places all you need to do is log out and log back in. Once you connect from your machine to the server you will see a pop-up window (in the OS, not in the terminal) asking you to authorize the connection with your key (enter the passphrase you chose when you created the key); once you do this you will have completed the handshake and never again will you need to enter a password for this server.
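As an added example (not from the original post), here is a small POSIX shell script that does the authorized_keys step described above in one go: it creates ~/.ssh, appends the key line only if it is not already present, and sets the permissions sshd's StrictModes check expects. The key line and the temporary "home" directory are constructed placeholders. The post uses chmod 644 on authorized_keys; the script uses 600, which sshd also accepts and which keeps other local users from reading your key list.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into an
# authorized_keys file idempotently, with the directory/file permissions that
# sshd's StrictModes requires (nothing group- or world-writable).
# The key line used in the demonstration is a CONSTRUCTED placeholder, not a real key.

install_authorized_key() {
    # $1 = home directory of the target account, $2 = one public-key line
    home_dir="$1"
    pubkey="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # ~/.ssh must exist and must not be group/world writable
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"

    # create the file if it is missing; 600 is tighter than the post's 644
    # and is also accepted by sshd
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # append only if this exact key line is not already there (-x whole line,
    # -F fixed string so the key's "+" and "/" characters are not regex)
    if grep -qxF "$pubkey" "$auth_file"; then
        echo "key already present in $auth_file"
    else
        printf '%s\n' "$pubkey" >> "$auth_file"
        echo "key added to $auth_file"
    fi
}

count_authorized_keys() {
    # number of non-comment, non-empty key lines in $1/.ssh/authorized_keys
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

# Demonstration with a constructed key in a temporary "home" directory
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed-placeholder-not-a-real-key user@laptop'
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"   # second call is a no-op
echo "authorized keys on file: $(count_authorized_keys "$DEMO_HOME")"
```

On a real server you would call install_authorized_key with the account's actual home directory and the line from your id_rsa.pub; running it a second time is harmless, which matters when several people maintain the same account.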

It's just that easy! Enjoy.

Wednesday, January 5, 2011

ASA 5505 AIP Module Configuration

This post is about my experience getting the security services module (known as the ASA-SSC-AIP-5) configured and doing something useful. We are going to cover the following things in this post:

• Getting into the module
• Configuring an IP
• Applying a license
• Setting up a schedule for it to download updated signatures
• Telling the ASA to pass the IPS traffic so it can do something useful
• Backing up the configuration
• Monitoring what the IPS is doing
• Resetting the module or formatting it
• Creating a Service Account

_________________________________________________________

• Getting into the module
First you need to SSH to the ASA and then do a show module to see the status of the IPS. It should look something like this:

asa# show mod

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5505 Adaptive Security Appliance         ASA5505
  1 ASA 5500 Series AIP Security Services Card-5 ASA-SSC-AIP-5

Mod SSC Application Name           Status           SSC Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.2(2)E4

In order to do anything beyond looking at the status of the module you will need to get into the ASDM and run through the initial configuration for the IPS.
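Added example, not from the original post: a shell health check that parses show module output like the listing above and reports whether the IPS application in a given slot is Up, so the check can be scripted instead of eyeballed. Both samples are constructed; the first reproduces the post's listing (Serial No. column left blank as in the post), the second shows the failure path with a Down status.

```shell
#!/bin/sh
# Added example (not from the original post): parse "show module" output from an
# ASA and report whether the AIP-SSC IPS application is Up.
# The two samples are CONSTRUCTED; in practice the text would be captured over SSH.

SHOW_MODULE_SAMPLE='asa# show mod

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5505 Adaptive Security Appliance         ASA5505
  1 ASA 5500 Series AIP Security Services Card-5 ASA-SSC-AIP-5

Mod SSC Application Name           Status           SSC Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.2(2)E4
'

# constructed failure case: same layout, module application reports Down
SHOW_MODULE_DOWN='Mod SSC Application Name           Status           SSC Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Down             6.2(2)E4
'

ips_status() {
    # $1 = show module output, $2 = slot number; prints the Status column of the
    # row whose application name is IPS (the card table has "ASA" in that column,
    # so it is skipped)
    printf '%s\n' "$1" | awk -v slot="$2" '$1 == slot && $2 == "IPS" { print $3 }'
}

ips_version() {
    # $1 = show module output, $2 = slot number; prints the application version
    printf '%s\n' "$1" | awk -v slot="$2" '$1 == slot && $2 == "IPS" { print $4 }'
}

check_ips_up() {
    # returns 0 if the IPS application in slot $2 reports Up, 1 otherwise
    status=$(ips_status "$1" "$2")
    case "$status" in
        Up) echo "slot $2: IPS Up (version $(ips_version "$1" "$2"))"; return 0 ;;
        "") echo "slot $2: no IPS application row found"; return 1 ;;
        *)  echo "slot $2: IPS status is '$status', not Up"; return 1 ;;
    esac
}

# Demonstration
check_ips_up "$SHOW_MODULE_SAMPLE" 1
check_ips_up "$SHOW_MODULE_DOWN" 1 || echo "(this is where an alert would be raised)"
```

Feed it the real output (for example the text returned by running show module over SSH) and the non-zero return code from check_ips_up can drive a monitoring alert when the module is not Up.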

• Configuring an IP
The configuration assistant will ask you to name the device and to select the network that you want the IPS on. In this case we have it on the inside 192.168.X.0/24 network and have assigned it a .167 address. The username and password are also needed and that's about it. Once you have this completed you can select the Intrusion Prevention tab next to the Firewall Dashboard on the home screen of the ASDM, or you can open an https connection to the IP you gave to the IPS and manage the IPS using Cisco IDM.

• Applying a license
Under Configuration you can select the IPS module tab and then scroll down until you reach Licensing. The file that you were given can be uploaded to the module by defining the local path in the update license field.

• Setting up a schedule for it to download updated signatures

In the ASDM you have an easy signature retrieval setup section, the only trouble is that if you leave it set to the default hourly boundary (like 02:00 am) it will error out with something like this: http error response: 500 error

The reason has to do with the time so it's easy enough to set it to something else (like 02:01 am) and it will work fine. Here is a link to the page that describes the fix.

• Telling the ASA to pass the IPS traffic so it can do something useful

The basic setup I have is to send traffic to the Sensor for inspection and if the module fails go around it rather than stop processing. Here is what it looks like on the ASA:

!
access-list IPS extended permit ip any any
!
class-map ips_class
 match access-list IPS
!
policy-map ips_policy
 class ips_class
  ips inline fail-open     <---- important for uptime
!
service-policy ips_policy interface outside
!

• Backing up the configuration

First you need to go into your server (the machine that will receive the configuration; it must accept ssh connections) and create the config file you are going to copy over - something like asa-ips.cfg. Now do a chmod 777 on it, then go to the ASA (or more specifically the IPS module) and issue this command:

IPS# copy current-config scp://serveripaddress/path/filename-ips.cfg
Password: ******
Generating current config: ..........

It should fail saying something like this:

Protocol major versions differ: 1 vs. 2
Unsupported remote protocol version for host, 192.168.X.X - must support SSH version 1

I tried many ways to get the configuration off the box (even changing the SSH version on the server to support v1, which eventually worked). The reason for this error message is that the server I was sending the file to was not known by the sensor. In order to correct this you need to perform the following:

IPS# ssh host-key 192.168.x.x

It comes back with a message about the key it has pulled back from the server. You say yes to this. If you now do a "show host-keys" or a "show host-keys 192.168.x.x" you will see that the sensor has pulled in the key for the server and will now pass its configuration file to it.

Now try the command and after what seems like a century it will produce the config file and pass it to the server. If you have any questions about this process you can look at this link.

I'm not sure why this is, but I was able to alter the configuration on the server (vi /etc/sshd_config and, under the #Port 22 line, set "Protocol 1") and reload it. Now you should be able to issue the scp command and succeed in backing up the config.

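An added example (not from the original post) covering the two loose ends the backup procedure above leaves on the receiving server: the .cfg file was opened up with chmod 777 for the transfer, and sshd_config was switched to Protocol 1 so the sensor's SSH-1 client could connect. The script tightens the received file and flags an sshd_config that still lists protocol 1 so it can be reverted once the backup is done (SSH-1 has known weaknesses and current OpenSSH no longer supports it, so it should not stay enabled longer than the copy takes). File names and contents are constructed placeholders in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): post-backup cleanup on the server
# that received the sensor's configuration.
#   1. the received .cfg was chmod 777 for the transfer; tighten it to 0600
#   2. sshd_config was set to "Protocol 1" for the sensor; detect that so it can
#      be reverted once the backup is done
# All inputs below are CONSTRUCTED; paths are placeholders in a temp directory.

sshd_protocol_v1_enabled() {
    # $1 = path to an sshd_config
    # returns 0 if an active (uncommented) Protocol directive lists version 1,
    # 1 otherwise; "Protocol 2,1" counts as enabled
    awk '
        /^[[:space:]]*#/ { next }                  # skip commented-out lines
        tolower($1) == "protocol" {
            n = split($2, v, ",")
            for (i = 1; i <= n; i++) if (v[i] == "1") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

lock_down_backup() {
    # $1 = received config file; remove the 777 used for the transfer and
    # confirm the result is owner-read/write only
    chmod 600 "$1"
    case "$(ls -l "$1")" in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# --- demonstration with constructed files ---
DEMO_DIR=$(mktemp -d)
DEMO_CFG="$DEMO_DIR/asa-ips.cfg"
printf '! constructed stand-in for the sensor configuration\n' > "$DEMO_CFG"
chmod 777 "$DEMO_CFG"              # what the post does before the scp

DEMO_SSHD_V1="$DEMO_DIR/sshd_config.v1"    # constructed: SSH-1 still on
printf '#Port 22\nProtocol 1\n' > "$DEMO_SSHD_V1"
DEMO_SSHD_OK="$DEMO_DIR/sshd_config.ok"    # constructed: SSH-1 commented out
printf '#Protocol 1\nProtocol 2\n' > "$DEMO_SSHD_OK"

lock_down_backup "$DEMO_CFG" && echo "backup file locked down to 0600"
if sshd_protocol_v1_enabled "$DEMO_SSHD_V1"; then
    echo "WARNING: $DEMO_SSHD_V1 still enables SSH protocol 1; revert it now that the backup is done"
fi
if sshd_protocol_v1_enabled "$DEMO_SSHD_OK"; then
    echo "unexpected: $DEMO_SSHD_OK enables SSH protocol 1"
else
    echo "$DEMO_SSHD_OK: SSH protocol 1 is not enabled"
fi
```

Point the two functions at the real backup file and /etc/sshd_config (or /etc/ssh/sshd_config, depending on the system) right after the scp completes; a non-zero result from lock_down_backup or a zero result from sshd_protocol_v1_enabled is something to act on before moving on.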

• Monitoring what the Sensor is doing

In order to verify that the Sensor is in fact "seeing" traffic and acting on it you can enable signatures 2000 and 2004. These are for ICMP messages (pings) and once enabled you should be able to see them trigger by pinging something behind the IPS.

• Resetting the module or formatting it

From the ASA you can reload or reset the module with the following command:

asa# hw-module module 1 ?

  allow-ip        Allow specific hosts/network to access the module
  ip              Configure management IP parameters
  password-reset  Reset the CLI password on the module
  recover         Configure recovery of this module
  reload          Reload the module
  reset           Reset the module
  shutdown        Shut down the module

• Creating a Service Account
This link has some great info on how to create a service account on the IPS so you can do all kinds of cool unix commands. I created an account in an attempt to get tftp to work, but I ended up altering the server to support SSH V1 instead:

http://flylib.com/books/en/2.464.1.133/1/