Archive for Firewall | Security

VOIP: Ports pointers

If you plan on using phones or accessing the PBX from remote locations, it’s necessary to forward certain ports back to your PBX. www.portforward.com is a good resource for documentation on how to forward ports on most routers.

The following ports are used by the PBX.

Remote phones:
  Protocol  Port(s)      Description               Used by
  UDP       5060         SIP signaling port        phones outside your network
  UDP       10000-10500  RTP audio ports           phones outside your network

Accessing the PBX web interface remotely:
  Protocol  Port(s)      Description
  TCP       80           HTTP port for remote web voicemail access
  TCP       443          HTTPS port for remote web admin access
  TCP       5222 & 843   SMB Systems only – ports for using the Switchboard remotely
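As an added example (not part of the original post), the script below turns the table into host firewall rules for a Linux-based PBX: the phone ports stay open to any source, because remote phones register from arbitrary addresses, while the web-interface and Switchboard ports are limited to administrator networks. The iptables host, the ADMIN_NETS placeholders and the SWITCHBOARD switch are assumptions, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example (not from the original post): generate iptables INPUT rules
# from the PBX port table. Assumptions not on the page: the PBX is a Linux
# box with iptables, ADMIN_NETS holds placeholder networks, and the rules are
# printed for review instead of being applied directly.

# Constructed placeholder: networks allowed to reach the web/admin ports.
ADMIN_NETS="${ADMIN_NETS:-203.0.113.0/24 198.51.100.7/32}"
# Set SWITCHBOARD=1 on SMB systems that use the Switchboard remotely.
SWITCHBOARD="${SWITCHBOARD:-0}"

# rule PROTO DPORT SOURCE COMMENT -> prints one iptables ACCEPT rule
rule() {
    printf 'iptables -A INPUT -p %s --dport %s -s %s -m comment --comment "%s" -j ACCEPT\n' \
        "$1" "$2" "$3" "$4"
}

# Phone ports: remote phones come from arbitrary addresses, so any source is accepted.
phone_rules() {
    rule udp 5060 0.0.0.0/0 "SIP signaling"
    rule udp 10000:10500 0.0.0.0/0 "RTP audio"
}

# Web/admin ports: reachable only from ADMIN_NETS, never from 0.0.0.0/0.
admin_rules() {
    for net in $ADMIN_NETS; do
        rule tcp 80 "$net" "HTTP web voicemail"
        rule tcp 443 "$net" "HTTPS web admin"
        if [ "$SWITCHBOARD" = "1" ]; then
            rule tcp 5222 "$net" "Switchboard"
            rule tcp 843 "$net" "Switchboard"
        fi
    done
}

# all_rules -> the complete ruleset, ending with an explicit drop for the admin ports
all_rules() {
    phone_rules
    admin_rules
    printf 'iptables -A INPUT -p tcp -m multiport --dports 80,443,5222,843 -j DROP\n'
}

# admin_restricted RULESET -> 0 if no TCP admin port is accepted from 0.0.0.0/0, else 1
admin_restricted() {
    if printf '%s\n' "$1" | grep -E -- '-p tcp --dport (80|443|5222|843) -s 0\.0\.0\.0/0 .*-j ACCEPT' >/dev/null; then
        return 1
    fi
    return 0
}

# Print the ruleset, refusing to emit one that exposes the admin ports to the world.
RULES=$(all_rules)
admin_restricted "$RULES" || { echo "refusing: admin port open to 0.0.0.0/0" >&2; exit 1; }
printf '%s\n' "$RULES"
```

Run it as an unprivileged user to review the output and pipe it to sh as root only after checking it. The admin_restricted check rejects any ruleset that accepts a web or Switchboard port from 0.0.0.0/0, which is the one mistake a plain port-forward list invites: forwarding TCP 80/443 on the router without a source restriction puts the PBX admin interface on the internet.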


Setup HA on Netscreen

Netscreen A
set interface ethernet1 zone untrust
set interface ethernet1 ip 10.2.1.1/24
set interface ethernet3 zone trust
set interface ethernet3 ip 10.1.1.1/24
set interface ethernet3 manage-ip 10.1.1.20
set nsrp rto-mirror sync
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet3
set nsrp cluster id 1
save

Netscreen B
set interface ethernet3 zone trust
set interface ethernet3 ip 10.1.1.1/24
set interface ethernet3 manage-ip 10.1.1.21
set nsrp rto-mirror sync
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet3
set nsrp cluster id 1
save

exec nsrp sync global-config save

reset

exec nsrp sync global-config save
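Before running exec nsrp sync global-config save it is worth confirming that the two members actually agree. The shell script below is an added example, not ScreenOS tooling or the post's own: it embeds the two configs above as text and checks the pairing rules the post implies (same cluster id, same monitored interfaces, a distinct manage-ip per member, rto-mirror sync on both). Treating exactly those lines as the required ones is an assumption drawn from the example, not from a ScreenOS reference.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check two ScreenOS NSRP
# member configs before syncing. The two configs are the ones from the post,
# embedded as text. The pairing rules checked here are an assumption taken
# from the example, not a ScreenOS reference.

CFG_A='set interface ethernet1 zone untrust
set interface ethernet1 ip 10.2.1.1/24
set interface ethernet3 zone trust
set interface ethernet3 ip 10.1.1.1/24
set interface ethernet3 manage-ip 10.1.1.20
set nsrp rto-mirror sync
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet3
set nsrp cluster id 1'

CFG_B='set interface ethernet3 zone trust
set interface ethernet3 ip 10.1.1.1/24
set interface ethernet3 manage-ip 10.1.1.21
set nsrp rto-mirror sync
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet3
set nsrp cluster id 1'

# setting CFG PREFIX -> last word of the first line starting with PREFIX (empty if none)
setting() {
    printf '%s\n' "$1" | awk -v p="$2" 'index($0, p) == 1 && !done { print $NF; done = 1 }'
}

# manage_ip CFG -> the member's manage-ip (first one found)
manage_ip() {
    printf '%s\n' "$1" | awk '/^set interface .* manage-ip / && !done { print $NF; done = 1 }'
}

# monitored CFG -> sorted list of monitored interfaces, one per line
monitored() {
    printf '%s\n' "$1" | awk '/^set nsrp monitor interface / { print $5 }' | sort
}

# nsrp_check CFG_A CFG_B -> prints one FAIL line per problem; exit status = problem count
nsrp_check() {
    problems=0
    id_a=$(setting "$1" 'set nsrp cluster id '); id_b=$(setting "$2" 'set nsrp cluster id ')
    if [ -z "$id_a" ] || [ "$id_a" != "$id_b" ]; then
        echo "FAIL cluster id missing or differs: A='$id_a' B='$id_b'"; problems=$((problems + 1))
    fi
    mip_a=$(manage_ip "$1"); mip_b=$(manage_ip "$2")
    if [ -z "$mip_a" ] || [ "$mip_a" = "$mip_b" ]; then
        echo "FAIL manage-ip must be set and differ per member: A='$mip_a' B='$mip_b'"; problems=$((problems + 1))
    fi
    if [ "$(monitored "$1")" != "$(monitored "$2")" ]; then
        echo "FAIL monitored interfaces differ between members"; problems=$((problems + 1))
    fi
    for cfg in "$1" "$2"; do
        printf '%s\n' "$cfg" | grep -q '^set nsrp rto-mirror sync$' \
            || { echo "FAIL rto-mirror sync missing on one member"; problems=$((problems + 1)); }
    done
    return $problems
}

if nsrp_check "$CFG_A" "$CFG_B"; then
    echo "members consistent; safe to run: exec nsrp sync global-config save"
fi
```

The script only inspects text, so it can be run on config dumps from both units before anything is changed. A shared manage-ip is the mistake that hurts most after failover, because the two members then become indistinguishable to the management station, which is why that check fails when the addresses match rather than when they differ.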


Netscreen VPN How to

Open an HTTP connection to the Netscreen firewall.

Click +VPNs
Click +AutoKey Advanced
Click Gateway

Create your gateway from the IP provided in the Cybercon VPN Setup Sheet.

Gateway Name: Cisco Pix Gateway
Click Static IP Address: IP Address / Hostname: ip.ip.ip.ip
Enter Preshared Key: CYBERCON

Click Advanced
Security Level (match the customer-supplied Phase 1 Proposal):
pre-g2-3des-sha

Click Return at bottom
Click OK

Click AutoKey IKE
Click New
VPN NAME: Tunnel to Cisco Pix
Remote Gateway: Predefined – Cisco Pix Gateway (the gateway created above, from the drop-down list)
Click Advanced
User Defined: Phase 2 Proposal (match the customer-supplied Phase 2 Proposal):
g2-esp-3des-sha
Click Return
Click OK

Click +Objects
Click +Addresses
Click List
Untrust -> New
Address Name: Netblock behind Cisco Pix
IP Address/Domain Name
Click IP/Netmask ip.ip.ip.ip / 24
Zone Untrust
Click OK

Click +Objects
Click +Addresses
Click List
Trust -> New
Address Name: ip.ip.ip.ip/24
IP Address/Domain Name
Click IP ip.ip.ip.ip/24

Create Policy

Click Policies
Select From Untrust To Trust, click Go, then click “New”
Name: Cisco Pix Tunnel
Source Address Book Entry: Netblock behind Cisco Pix
Destination Address Book Entry: ip.ip.ip.ip/24
Action: Tunnel
Tunnel VPN: Tunnel to Cisco Pix
Check Modify matching bidirectional VPN policy
Check logging
Check Position at Top
Click OK

Notify the customer that the VPN is set up.


Secure It.. Work in progress…

NUMBER ONE RULE: KEEP SYSTEM UP TO DATE!!!

IPTABLES (ADD BASIC SCRIPT HERE)

WORK ON: limit usage of su / sudo

Use strong passwords.

If an account doesn’t need a shell, use /bin/false:
# chsh -s /bin/false username

Set system limits to prevent fork bombs..
PREVENT THIS SIMPLE BOMB: :(){ :|:& }; :

/etc/security/limits.conf
Add:
@users soft nproc 100
@users hard nproc 150

SSH:
Change the port to stop automated probes against port 22.
Disable root login.
Don’t allow passwordless account logins.

/etc/hosts.allow
sshd : 127.0.0.1 : allow
sshd : IP address here : allow
sshd : IP address here : allow
sshd : ALL : deny
(Add matching IPTABLES rules too – “one is none, two is one”: don’t rely on a single control.)
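The limits.conf and SSH notes above can be checked mechanically. The script below is an added example (not from the original post) that audits sshd_config, limits.conf and hosts.allow against constructed sample files, so it runs without touching the real /etc. The file paths, the sample values, and reading “passwordless logins” as PermitEmptyPasswords are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config, limits.conf
# and hosts.allow for the settings in the notes. Assumptions not on the page:
# paths are passed as arguments, "passwordless logins" maps to
# PermitEmptyPasswords, and the sample files below are constructed.

# sshd_opt FILE KEY -> effective value of KEY (first match wins, as sshd itself does)
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) && !done { v = $2; done = 1 } END { print v }' "$1"
}

# check_sshd FILE -> prints one line per finding; exit status = number of findings
check_sshd() {
    n=0
    port=$(sshd_opt "$1" Port); [ -n "$port" ] || port=22
    [ "$port" != 22 ] || { echo "sshd: still on port 22 (automated probes target it)"; n=$((n + 1)); }
    root=$(sshd_opt "$1" PermitRootLogin)
    [ "$root" = no ] || { echo "sshd: PermitRootLogin should be 'no' (is '${root:-unset}')"; n=$((n + 1)); }
    empty=$(sshd_opt "$1" PermitEmptyPasswords)
    [ "$empty" = no ] || { echo "sshd: PermitEmptyPasswords should be 'no' (is '${empty:-unset}')"; n=$((n + 1)); }
    return $n
}

# check_limits FILE -> requires both a soft and a hard nproc limit for @users
check_limits() {
    n=0
    for kind in soft hard; do
        awk -v k="$kind" '$1 == "@users" && $2 == k && $3 == "nproc" && $4 ~ /^[0-9]+$/ { ok = 1 }
                          END { exit ok ? 0 : 1 }' "$1" \
            || { echo "limits: no $kind nproc limit for @users"; n=$((n + 1)); }
    done
    return $n
}

# check_wrappers FILE -> sshd needs explicit allow entries and a final "sshd : ALL : deny"
check_wrappers() {
    n=0
    last=$(awk -F' *: *' '$1 == "sshd" { l = $2 " " $3 } END { print l }' "$1")
    [ "$last" = "ALL deny" ] || { echo "hosts.allow: last sshd entry must be 'sshd : ALL : deny'"; n=$((n + 1)); }
    awk -F' *: *' '$1 == "sshd" && $3 == "allow" && $2 != "ALL" { ok = 1 } END { exit ok ? 0 : 1 }' "$1" \
        || { echo "hosts.allow: no explicit sshd allow entries before the deny"; n=$((n + 1)); }
    return $n
}

# audit SSHD_CONFIG LIMITS_CONF HOSTS_ALLOW -> exit status = total findings
audit() {
    total=0
    check_sshd "$1" || total=$((total + $?))
    check_limits "$2" || total=$((total + $?))
    check_wrappers "$3" || total=$((total + $?))
    return $total
}

# Constructed sample files (not taken from any real host).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/sshd_config" <<'EOF'
Port 2222
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
EOF
cat > "$TMP/sshd_config.weak" <<'EOF'
PermitRootLogin yes
EOF
cat > "$TMP/limits.conf" <<'EOF'
@users soft nproc 100
@users hard nproc 150
EOF
cat > "$TMP/hosts.allow" <<'EOF'
sshd : 127.0.0.1 : allow
sshd : 203.0.113.5 : allow
sshd : ALL : deny
EOF

audit "$TMP/sshd_config" "$TMP/limits.conf" "$TMP/hosts.allow" && echo "hardened sample: no findings"
audit "$TMP/sshd_config.weak" "$TMP/limits.conf" "$TMP/hosts.allow" || echo "weak sample: $? finding(s)"
```

Point the three check functions at the real /etc/ssh/sshd_config, /etc/security/limits.conf and /etc/hosts.allow to audit a live box. The first-match rule in sshd_opt matters: a hardened PermitRootLogin no appended at the end of a file that already says PermitRootLogin yes higher up has no effect, and the audit reports it as such.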

MYSQL:
Allow local usage only (when possible).
If open access is required, change the port to stop automated probes / attacks?
Redirect probes to a honeypot?
Rename the main root account? (Make sure this won’t hurt anything but automated script kiddies.)
ADD MORE MEASURES HERE

FTP:
Disable anonymous FTP
