TCP Intercept was developed to protect servers and other resources from Denial-of-Service (DoS) attacks, specifically TCP SYN attacks. Just as the name says, TCP Intercept captures incoming TCP requests. Instead of allowing direct access to the server, TCP Intercept acts as an intermediary, establishing a connection to the server on behalf of the requesting client. TCP Intercept will block a client if too many incoming connections are attempted.
Basic Security
@ Updates
-Update Manager
-Enable automatic security updates (Update Settings)
=> Super key => type the keyword "System Settings" =>
@ Firewall
-In Ubuntu all ports are blocked by default
-Default firewall: ufw (turned off by default)
+sudo ufw status
+sudo ufw enable/disable
-Firestarter for a graphical interface (recommended)
+sudo apt-get install firestarter
+Preferences
@ User Accounts
-Users & Groups
+Disable the guest user
-Do not use the root user (disabled by default)
+sudo passwd
+sudo passwd -l root (lock the root password)
-Use sudo instead of root (/etc/sudoers)
+sudo visudo OR sudo gedit /etc/sudoers (to set which users are authorized for privileges)
+sudo adduser tolaleng sudo
-Deleting users
+sudo deluser canamall
-Removing world-readable permission from the home directory
+sudo chmod 0750 /home/username
-Locking/unlocking a user
+sudo passwd -l username (lock the user's password)
+sudo passwd -u username (unlock the user's password)
-Passwords
+sudo chage canamall (set the password expiration)
+sudo chage -l canamall (show the password expiration)
@ Antivirus
-ClamTk (under Accessories), other anti-virus
@ Uninstall Applications
-Ubuntu Software Center -> Installed Software section -> select the application and click Remove
@ Processes
-To see processes
+ps aux or top
+system monitors (cacti, nagios)
@ Logs
-Some of the logs
+ /var/log/messages : general log messages
+ /var/log/boot : system boot log
+ /var/log/debug : debugging log messages
+ /var/log/auth.log : user login and authentication logs
+ /var/log/daemon.log : running services such as squid, ntpd and others log messages to this file
+ /var/log/kern.log : kernel log file
-Viewing logs
+ tail, more, cat, less, grep
+ GNOME System Log viewer
@ Firewall
-ufw
=> Securing the Host
* Create a standard user and enforce password policy (password complexity, strong passwords, password expiry, inactive days, lock and unlock users, disable the guest user)
* Secure remote access to the network and host
-Telnet (secure by restricting which hosts and addresses may connect)
-SSH (secure with key-based authentication and encryption)
=> Backup (Data Hosting)
* Make a full backup of your machine
-Aptik (backup application)
-rsync (remote sync)
-Gsync (remote)
-Amanda
-Rsnapshot
How to install and configure Postfix Mail Server in Redhat (RHEL) / CentOS Linux (onlinerana)
Introduction:-
Communication today runs on the fastest means available, and one way to communicate quickly is electronic mail, or email. It has become essential to any business, which would have a hard time functioning without it. We therefore need reliable email servers to ensure that our email is processed correctly and delivered or received on time. In Red Hat Enterprise Linux, Sendmail is the default for sending mail and Dovecot is the default for receiving mail.
Email Services:-
An email system is divided into three parts: MUA, MDA and MTA. The MUA (mail user agent) deals with end users; it helps them create and read the mail they receive. Examples are Mozilla Thunderbird, Evolution and Microsoft Outlook Express. The MDA (mail delivery agent) handles the mail and delivers it to its destination: it takes mail from the receiving server and places it in the spool, from where the MUA picks it up. The MTA (mail transfer agent) is responsible for transferring mail from one server to another.
SMTP with Postfix:-
Red Hat provides both Sendmail and Postfix as SMTP servers. We use Postfix as the SMTP server because it is easier to configure and administer, allows increased security and supports virtual domains. Postfix is also the default SMTP server in Red Hat Enterprise Linux 6.
Postfix Server profile:-
Rpm- postfix
Service- postfix
Port- TCP 25
Configuration file- /etc/postfix/main.cf
How to Set SSH/Telnet/HTTP Connection Timeout using MPF for ASA 8.3 and Later
In this example, the Cisco ASA is configured to allow the workstation (10.77.241.129) to Telnet/SSH/HTTP to the remote server (10.1.1.1) behind the router. A separate connection timeout for the Telnet/SSH/HTTP traffic is also configured. All other TCP traffic continues to have the normal connection timeout value associated with timeout conn 1:00:00.
Network Diagram
This document uses this network setup:
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses, which have been used in a lab environment.
Configurations
This document uses these configurations:
CLI Configuration
ASDM Configuration
Note: These CLI and ASDM configurations are also applicable to the Firewall Services Module (FWSM).
CLI Configuration
ASA Version 8.3(1)
!
hostname ASA
domain-name nantes-port.fr
enable password S39lgaewi/JM5WyY level 3 encrypted
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 1mZfSd48bl0UdPgP encrypted
no names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.77.241.142 255.255.255.0
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup outside
!--- Creates an object called DM_INLINE_TCP_1. This defines the traffic
!--- that has to be matched in the class map.
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq ssh
port-object eq telnet
access-list outside_mpc extended permit tcp host 10.77.241.129 any object-group DM_INLINE_TCP_1
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.200.2 1
timeout xlate 3:00:00
!--- The default connection timeout value of one hour is applicable to
!--- all other TCP applications.
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!--- Define the class map Cisco-class in order
!--- to classify Telnet/ssh/http traffic when you use Modular Policy Framework
!--- to configure a security feature.
!--- Assign the parameters to be matched by class map.
class-map Cisco-class
match access-list outside_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!--- Use the pre-defined class map Cisco-class in the policy map.
policy-map Cisco-policy
!--- Set the connection timeout under the class mode where
!--- the idle TCP (Telnet/ssh/http) connection is disconnected.
!--- There is a set value of ten minutes in this example.
!--- The minimum possible value is five minutes.
class Cisco-class
set connection timeout idle 0:10:00 reset
!
!
service-policy global_policy global
!--- Apply the policy-map Cisco-policy on the interface.
!--- You can apply the service-policy command to any interface that
!--- can be defined by the nameif command.
service-policy Cisco-policy interface outside
end
ASDM Configuration
Complete these steps in order to set up the TCP connection timeout for Telnet, SSH and HTTP traffic using ASDM.
1. Choose Configuration > Firewall > Service Policy Rules and click Add in order to configure the Service Policy rule as shown.
2. From the Add Service Policy Rule Wizard - Service Policy window, choose the radio button next to Interface under the Create a Service Policy and Apply To section. Now choose the desired interface from the drop-down list and provide a Policy Name. The policy name used in this example is Cisco-policy. Then, click Next.
3. Create a class map named Cisco-class and check the Source and Destination IP address (uses ACL) check box in the Traffic Match Criteria. Then, click Next.
4. From the Add Service Policy Rule Wizard - Traffic Match - Source and Destination Address window, choose the radio button next to Match and then provide the source and the destination address as shown. Click the drop-down button next to Service to choose the required services.
5. Select the required services such as telnet, ssh and http. Then, click OK.
7. Choose Connection Settings in order to set up the TCP Connection Timeout as 10 minutes. Also, check the Send reset to TCP endpoints before timeout check box. Click Finish.
8. Click Apply in order to apply the configuration to the Security Appliance.
This completes the configuration.
Embryonic Timeout
An embryonic connection is a half-open connection, for example one for which the three-way handshake has not been completed. It is defined as the SYN timeout on the ASA. By default, the SYN timeout on the ASA is 30 seconds. This is how to configure the embryonic timeout:
access-list emb_map extended permit tcp any any
class-map emb_map
match access-list emb_map
policy-map global_policy
class emb_map
set connection timeout embryonic 0:02:00
service-policy global_policy global
Troubleshoot
If you find that the connection timeout does not work with the MPF, then check the direction in which the TCP connection is initiated. The issue can be a reversal of the source and destination IP addresses, or a misconfigured IP address in the access list, so that the traffic does not match in the MPF and the new timeout value is never applied (the default timeout for the application stays in effect). Create an access list entry (source and destination) in accordance with the connection initiation in order to set the connection timeout with MPF.
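As an added example (not code from the article or from Cisco), the following Python script parses the handful of ASA constructs used in the CLI configuration and embryonic snippet above, resolves which idle or embryonic timeout a given flow receives, and applies the Troubleshoot check: whether the MPF access list describes the flow in the direction of connection initiation or has source and destination reversed. It assumes a constructed, condensed copy of the article's configuration, first-match ACL semantics, and that an interface service-policy takes precedence over the global one for the same feature.

```python
"""Effective ASA idle/embryonic timeout for a flow, resolved from the configuration.
Added example (not the article's code); it handles only the constructs the article uses."""
import ipaddress
PORT_NAMES = {"www": 80, "http": 80, "ssh": 22, "telnet": 23}  # service names the ASA resolves
DEFAULTS = {"idle": 3600, "embryonic": 30}  # ASA defaults the article quotes (conn 1h, SYN 30 s)
# Constructed sample condensed from the article's config plus its embryonic snippet.
SAMPLE_CONFIG = """\
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq ssh
 port-object eq telnet
access-list outside_mpc extended permit tcp host 10.77.241.129 any object-group DM_INLINE_TCP_1
access-list emb_map extended permit tcp any any
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
class-map Cisco-class
 match access-list outside_mpc
class-map emb_map
 match access-list emb_map
policy-map global_policy
 class emb_map
  set connection timeout embryonic 0:02:00
policy-map Cisco-policy
 class Cisco-class
  set connection timeout idle 0:10:00 reset
service-policy global_policy global
service-policy Cisco-policy interface outside
"""

def hms_to_seconds(hms):  # ASA hh:mm:ss notation, e.g. "0:10:00" -> 600
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def _addr(toks, i):  # consume one ACL address spec (any | host A | A MASK) at toks[i]
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2

def parse_asa_config(text):
    cfg = {"groups": {}, "acls": {}, "class_maps": {}, "policy_maps": {},
           "service_policies": {}, "defaults": dict(DEFAULTS)}
    block = cls = None  # enclosing object-group/class-map/policy-map, and its current class
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("!"):
            continue
        kw = toks[0]
        if kw == "object-group" and toks[1] == "service":
            block, cls = ("group", toks[2]), None
            cfg["groups"][toks[2]] = []
        elif kw == "port-object" and block and block[0] == "group":
            cfg["groups"][block[1]].append(PORT_NAMES.get(toks[2]) or int(toks[2]))
        elif kw == "access-list" and toks[2] == "extended":  # name extended action proto src dst [object-group G]
            src, i = _addr(toks, 5)
            dst, i = _addr(toks, i)
            ports = cfg["groups"][toks[i + 1]] if i < len(toks) and toks[i] == "object-group" else None
            cfg["acls"].setdefault(toks[1], []).append((toks[3], toks[4], src, dst, ports))
        elif kw == "timeout" and toks[1] == "conn":  # global default for established TCP flows
            cfg["defaults"]["idle"] = hms_to_seconds(toks[2])
        elif kw == "class-map":
            block, cls = ("class", toks[1]), None
        elif kw == "match" and block and block[0] == "class" and toks[1] == "access-list":
            cfg["class_maps"][block[1]] = toks[2]
        elif kw == "policy-map":
            block, cls = ("policy", toks[1]), None
            cfg["policy_maps"][toks[1]] = {}
        elif kw == "class" and block and block[0] == "policy":
            cls = toks[1]
            cfg["policy_maps"][block[1]].setdefault(cls, {})
        elif kw == "set" and toks[1:3] == ["connection", "timeout"] and cls:
            cfg["policy_maps"][block[1]][cls][toks[3]] = hms_to_seconds(toks[4])
        elif kw == "service-policy":  # "... global" or "... interface <nameif>"
            cfg["service_policies"]["global" if toks[2] == "global" else toks[3]] = toks[1]
    return cfg

def acl_permits(aces, src, dst, dport):
    """First-match semantics as on the ASA; an ACL with no matching ACE is a miss."""
    for action, proto, s_net, d_net, ports in aces:
        if proto in ("tcp", "ip") and src in s_net and dst in d_net and (ports is None or dport in ports):
            return action == "permit"
    return False

def effective_timeout(cfg, kind, src_ip, dst_ip, dport, iface):
    """Seconds of 'idle'/'embryonic' timeout for src -> dst:dport via iface (interface policy beats global)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for target in (iface, "global"):
        for class_name, actions in cfg["policy_maps"].get(cfg["service_policies"].get(target), {}).items():
            acl = cfg["class_maps"].get(class_name)
            if acl and kind in actions and acl_permits(cfg["acls"].get(acl, []), src, dst, dport):
                return actions[kind]
    return cfg["defaults"][kind]

def diagnose_direction(cfg, acl_name, src_ip, dst_ip, dport):
    """Troubleshoot check: 'ok', 'reversed' (matches only with source and destination swapped) or 'no-match'."""
    aces = cfg["acls"].get(acl_name, [])
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if acl_permits(aces, src, dst, dport):
        return "ok"
    return "reversed" if acl_permits(aces, dst, src, dport) else "no-match"
```

Running effective_timeout for the workstation-to-server flow on port 22 through the outside interface yields the 10-minute idle value, while the same addresses written in the reply direction fall back to the one-hour default, which is exactly the symptom the Troubleshoot section describes.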