Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

IRR/RIPE database documentation

Written by Arnaud no comments

To get help on querying the RIPE database:

telnet whois.ripe.net 43
help

Documentation page: http://www.ripe.net/data-tools/support/documentation

Query flags cheatsheet: http://www.ripe.net/data-tools/support/documentation/queries-ref-card

Some aliases I use in my .bashrc:

alias cymru='whois -h whois.cymru.com -v'
alias ripe='whois -h whois.ripe.net -r'
alias ntt='whois -h rr.ntt.net -r'
alias radb='whois -h whois.radb.net -r'
Classified in : MISC Tags : none

L2 ACL / MAC ACL vs Port Security

Written by Arnaud no comments

Cisco devices can filter MAC addresses inbound with port-security or with ACLs, but remember that ACLs are checked in hardware by the ASICs on the ports, whereas port security is checked in software (and can cause big trouble in restrict/protect mode when many violations occur):

---Port-security on cat 6500---

In the example we allow 100 MAC addresses on this trunk port, but only 2 specific MACs on VLAN 4 (interface config mode):

 switchport port-security
 switchport port-security maximum 100
 switchport port-security maximum 2 vlan 4
 switchport port-security mac-address 0000.1111.2222 vlan 4
 switchport port-security mac-address 0000.1111.3333 vlan 4
 
By default, once the maximum number of MAC addresses has been reached and a new one shows up, the port is shut down; you can re-enable the port automatically after a period of time with (global config mode):
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300

You can also choose other actions if a port violation occurs (interface conf mode):

switchport port-security violation { protect | restrict | shutdown }
protect : Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.
restrict : Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.
shutdown : Shuts down the port if there is a security violation.
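The violation modes above, as an added example that is not part of the original post: a small Python model of this port's port-security state (the PortSecurity class, its method names and the MAC 0000.1111.4444 used in the checks are constructed for illustration). It shows why a third MAC on VLAN 4 is dropped even though the port as a whole still has room, and how protect, restrict and shutdown differ in what they count and do.

```python
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    """Model of 'switchport port-security' on one port (constructed example)."""
    maximum: int                                    # port-wide maximum
    vlan_maximum: dict = field(default_factory=dict)  # 'maximum N vlan X'
    static: set = field(default_factory=set)        # configured (mac, vlan)
    violation: str = "shutdown"                     # protect | restrict | shutdown
    learned: set = field(default_factory=set)       # dynamically learned (mac, vlan)
    violations: int = 0                             # security-violation count
    errdisabled: bool = False

    def _count(self, vlan=None):
        secure = self.static | self.learned
        return len(secure if vlan is None else {s for s in secure if s[1] == vlan})

    def frame(self, mac, vlan):
        """Return True if a frame from mac on vlan is forwarded."""
        key = (mac, vlan)
        if self.errdisabled:
            return False
        if key in self.static or key in self.learned:
            return True
        port_room = self._count() < self.maximum
        vlan_room = self._count(vlan) < self.vlan_maximum.get(vlan, self.maximum)
        if port_room and vlan_room:
            self.learned.add(key)        # learned as a secure address
            return True
        # violation handling per 'switchport port-security violation'
        if self.violation == "protect":
            return False                 # dropped, counter untouched
        self.violations += 1
        if self.violation == "shutdown":
            self.errdisabled = True      # err-disabled until recovery
            self.learned.clear()         # dynamic addresses are flushed
        return False

    def errdisable_recovery(self):
        """'errdisable recovery cause psecure-violation' after the interval."""
        self.errdisabled = False

def example_port(mode):
    """The trunk from the post: 100 MACs total, 2 static MACs on VLAN 4."""
    return PortSecurity(maximum=100, vlan_maximum={4: 2},
                        static={("0000.1111.2222", 4), ("0000.1111.3333", 4)},
                        violation=mode)
```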
 
---MAC ACL on Cat6500---
The MAC ACL has to be defined first; as you can see, an entry can be restricted to a VLAN (global config mode):

 
mac access-list extended MY-ACL
 permit host 0123.4567.8910 any ip vlan 100
 permit host 0123.4567.8911 any 
 
NB: MAC filtering can match on many protocols/options.
 
Then apply it on the interface:
 mac access-group MY-ACL in
 
---Sources---
Classified in : cisco Tags : none

Enable SSH && disable telnet

Written by Arnaud no comments

Telnet is "bad". This is how to enable SSH and disable telnet login; BTW we only want SSH v2, as v1 is vulnerable to several attacks.
When asked, choose at least 1024 bits for the key.

hostname switch
ip domain-name mydomain.tld
aaa new-model
crypto key generate rsa
ip ssh version 2
line vty 0 15
 transport input ssh

Remember to add an ACL; this is always a good thing:

access-list 99 permit 192.0.2.0 0.0.0.255
ipv6 access-list ACL-RESTRICTED-IN
 permit ipv6 2001:db8::/32 any

line vty 0 15
 access-class 99 in
 ipv6 access-class ACL-RESTRICTED-IN in

When you create your ACL, remember that it is even better to only accept logins from your own network.
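An added example (not from the original post) that checks a running-config for the points above: SSHv2 forced, every vty line ssh-only and protected by an access-class that references an ACL which actually exists. The parser, the function names and the sample config are constructed; it only understands the indentation-based IOS section layout.

```python
import re
# Constructed running-config fragment mirroring the post (not a real device dump).
SAMPLE_CONFIG = """\
hostname switch
ip domain-name mydomain.tld
ip ssh version 2
access-list 99 permit 192.0.2.0 0.0.0.255
ipv6 access-list ACL-RESTRICTED-IN
 permit ipv6 2001:db8::/32 any
line vty 0 15
 access-class 99 in
 ipv6 access-class ACL-RESTRICTED-IN in
 transport input ssh
"""

def parse_sections(config):
    """Map each top-level line to its indented child lines (IOS section layout)."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] == " " and current is not None:
            sections[current].append(raw.strip())
        elif raw[0] != " ":
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit_vty(config):
    """Return findings for the checks in the post; an empty list means all pass."""
    s = parse_sections(config)
    findings = []
    if "ip ssh version 2" not in s:
        findings.append("ip ssh version 2 missing: SSHv1 can still be negotiated")
    acls = {m.group(1) for line in s
            if (m := re.match(r"(?:ipv6 |ip )?access-list (?:standard |extended )?(\S+)", line))}
    vtys = [h for h in s if h.startswith("line vty")]
    if not vtys:
        findings.append("no vty lines configured")
    for h in vtys:
        if "transport input ssh" not in s[h]:
            findings.append(f"{h}: transport input is not restricted to ssh")
        classes = [c for c in s[h] if c.startswith(("access-class ", "ipv6 access-class "))]
        if not classes:
            findings.append(f"{h}: no access-class, any source may attempt a login")
        for c in classes:
            if c.split()[-2] not in acls:
                findings.append(f"{h}: access-class references undefined ACL {c.split()[-2]}")
    return findings
```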

Source and nice explanation of the banners : http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/...

OH! BTW, if you use clogin/rancid to log into your equipment, make sure your MOTD does not contain any # or the auto-enable won't work...
I told you: MOTD (with #) + SSH + clogin = no auto enable

 
Classified in : cisco Tags : none

BGP references

Written by Arnaud no comments
 
I have put here lots of links I use for my presentations, and that could be interesting for anyone:
 
PDF Slides of my BGP workshops (in French)
 
What is Peering?
 
BGP Convergence explained (very nice post)
 
Wonderful cheat sheet (not only BGP!)
 
BGP Best Path Selection Algorithm
 
BGP configuration examples
 
BGP syntax and attributes
 
Sample BGP Commands for Cisco Systems
 
Cisco routing performance
 
 
Cisco Feature Navigator
 
AS transit stats
 
peering DB
 
RIPE DB
 
Cisco router simulator
 
looking glass
 
BGPlay
 
ANSSI (French):
 
Draft IETF BCP BGP:
 
PEVAL  :"peval as199422" or "peval afi ipv6 AS199422"
 
BGP well-known communities (RFC 1997 & RFC 3765):
65535:65281 NO_EXPORT
65535:65282 NO_ADVERTISE
65535:65283 NO_EXPORT_SUBCONFED
65535:65284 NOPEER
 
IANA ASN allocation :
 
Lolz :
Video IPv6
The IT Crowd
 
Classified in : BGP Tags : none

Vlan Shaping

Written by Arnaud no comments

conf t
  mls qos

  class-map match-any vlan123
   match vlan 123

  policy-map ratelimit
   class vlan123
    police cir 1000000000
     conform-action transmit
     exceed-action drop

  int gi0/1
   service-policy input ratelimit
Classified in : cisco Tags : none

Limit user access (views)

Written by Arnaud no comments

Restrict these commands to privilege level 15 (admin):

privilege exec level 15 ssh
privilege exec level 15 telnet

Create a view for a user:

enable view
conf t
  parser view readonly
    secret 5 ???
    commands exec include show vlan
    commands exec include show
    exit
  username test view readonly password 0 ????

Sources:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html#wp1058080
http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/107614-64.html#topic2

Classified in : cisco Tags : none

Configuring Netflow

Written by Arnaud no comments

Old style:

interface Gi0/1
   ip flow ingress

 ip flow-export source Gi0/2
 ip flow-export destination 192.168.0.2 2055
 
New style:
 
interface Gi0/1
  ip route-cache flow sampled
  ip route-cache distributed
 
ip flow-export version 5
ip flow-export destination 192.168.0.2 2055
ip flow-sampling-mode packet-interval 100
 
 
Or even:
flow-sampler-map SAMPLER
 mode random one-out-of 100

ip flow-export version 5
ip flow-export destination 192.168.0.2 2055

interface Gi0/1
 flow-sampler SAMPLER
 
 
Debug:
show ip flow sampling
sh ip flow export
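An added example, not from the original post: a parser for the NetFlow v5 datagrams that the "ip flow-export version 5" configuration above sends to 192.168.0.2:2055, including the scaling a collector needs when the export is sampled 1-in-100 as configured. The function names and the sample datagram are constructed; the 24-byte header and 48-byte record layouts are the standard v5 format.

```python
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                  # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte v5 flow record

def parse_v5(datagram):
    """Parse one export datagram into (header dict, list of flow dicts).
    Packet and byte counts are multiplied by the sampling interval so that
    sampled exports (packet-interval 100 above) are reported at line rate."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    ver, count, uptime, secs, nsecs, seq, etype, eid, samp = HDR.unpack_from(datagram)
    if ver != 5:
        raise ValueError(f"not NetFlow v5 (version {ver})")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("header announces more records than the datagram holds")
    interval = (samp & 0x3FFF) or 1          # low 14 bits; 0 means unsampled
    flows = []
    for i in range(count):
        r = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "sport": r[9], "dport": r[10], "proto": r[13],
                      "tcp_flags": r[12], "pkts": r[5] * interval,
                      "bytes": r[6] * interval, "src_as": r[15], "dst_as": r[16]})
    header = {"sequence": seq, "count": count, "uptime_ms": uptime,
              "exported_at": secs, "sampling_interval": interval}
    return header, flows

def build_sample():
    """Constructed datagram as the router above would export: two sampled flows."""
    recs = [(IPv4Address("10.0.0.5").packed, IPv4Address("192.0.2.10").packed, bytes(4),
             1, 2, 12, 9000, 1000, 2000, 51000, 443, 0, 0x18, 6, 0, 65000, 64496, 24, 24, 0),
            (IPv4Address("10.0.0.7").packed, IPv4Address("192.0.2.53").packed, bytes(4),
             1, 2, 3, 300, 1000, 1500, 40000, 53, 0, 0, 17, 0, 65000, 64496, 24, 24, 0)]
    # top two bits of the last header field carry the sampling mode, low 14 the interval
    hdr = HDR.pack(5, len(recs), 123456, 1700000000, 0, 42, 0, 0, (1 << 14) | 100)
    return hdr + b"".join(REC.pack(*r) for r in recs)
```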

 

Classified in : cisco Tags : none

Logging

Written by Arnaud no comments

You can check the log buffer with:

#show logging

By default the buffer is 4 KB (approx. 60 lines); you can change it with:

(config)#logging buffered 23456

Remove logging to the console:

(config)#no logging console

Drop specific messages from the buffer:

(config)#logging discriminator nologthr msg-body drops string_or_regexp_to_match 
(config)#logging buffered discriminator nologthr

To keep only notifications (level 5) and more important logs:

(config)#logging buffered 40960 notifications

Add a proper time format to your logs:
(config)#service timestamps log datetime localtime show-timezone

Log when someone fails (or succeeds) to log in:

(config)#login on-failure log
(config)#login on-success log
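Once "login on-failure log" and "login on-success log" are enabled, the buffer (or your syslog server) receives messages like the constructed sample below. As an added example that is not part of the original post, this Python snippet extracts those events and flags sources that failed repeatedly and then succeeded, plus any successful login that did not come in over SSH; the sample lines, the regex and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of what 'login on-failure log' / 'login on-success log' emit,
# timestamped by 'service timestamps log datetime localtime show-timezone'.
SAMPLE_LOG = """\
Mar  4 03:10:01 CET: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 03:10:01 CET Tue Mar 4 2014
Mar  4 03:10:04 CET: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 03:10:04 CET Tue Mar 4 2014
Mar  4 03:10:07 CET: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 03:10:07 CET Tue Mar 4 2014
Mar  4 03:10:11 CET: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 03:10:11 CET Tue Mar 4 2014
Mar  4 03:10:40 CET: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.9] [localport: 22] at 03:10:40 CET Tue Mar 4 2014
Mar  4 03:15:02 CET: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: arnaud] [Source: 192.0.2.5] [localport: 22] [Reason: Login Authentication Failed] at 03:15:02 CET Tue Mar 4 2014
Mar  4 03:15:09 CET: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: arnaud] [Source: 192.0.2.5] [localport: 22] at 03:15:09 CET Tue Mar 4 2014
Mar  4 03:18:30 CET: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: arnaud] [Source: 192.0.2.5] [localport: 23] at 03:18:30 CET Tue Mar 4 2014
Mar  4 03:20:00 CET: %SYS-5-CONFIG_I: Configured from console by arnaud on vty0 (192.0.2.5)
"""

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-(?P<sev>\d)-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): [^\[]*"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]")

def parse_logins(text):
    """Extract login events (in log order) and ignore every other message."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"])
            events.append(e)
    return events

def suspicious_sources(events, threshold=3):
    """{source: (failures, success_after_failures)} for sources with at least
    `threshold` failed logins; a later success from such a source is the
    sequence that deserves a closer look (guessing that eventually worked)."""
    fails, success_after = Counter(), set()
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            fails[e["src"]] += 1
        elif fails[e["src"]]:
            success_after.add(e["src"])
    return {s: (n, s in success_after) for s, n in fails.items() if n >= threshold}

def non_ssh_logins(events):
    """Successful logins that did not arrive on port 22 (e.g. telnet still enabled)."""
    return [e for e in events if e["event"] == "LOGIN_SUCCESS" and e["port"] != 22]
```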
Classified in : cisco Tags : none