Monday, 29 August 2016

Configure SSH access on a CISCO Router

The only way to access a Cisco device physically is through the console port (newer models also have a USB console). But what if the router or switch is in a remote location?

Telnet works remotely, but it is not secure: the username, the password and every command cross the network in plaintext, so anyone who can capture the traffic gets the credentials. We need a secure way of reaching remote devices, and this is where SSH comes in. SSH gives an encrypted, authenticated channel: the router's RSA key pair identifies it to clients (the host key) and the session traffic is encrypted, so a sniffer sees neither credentials nor commands. Let's see how to configure SSH on a Cisco device.

Log in to the router over the console (or Telnet, for the last time) and configure the following.

First the basic configuration. The hostname and domain name are required because the RSA key pair is named after them, and a local user is needed because the VTY lines will authenticate with login local.

1.Set hostname and domain-name
   Router>enable
   Router#configure terminal
   Router(config)#hostname Lab5
   Lab5(config)#ip domain-name lab5.com
   Lab5(config)#enable secret cisco123
   Lab5(config)#username XXXX privilege 15 secret XXXX

enable secret and the secret keyword on username store a hash rather than a reversible password; cisco123 is a lab value, use a strong one. Privilege 15 drops the user straight into privileged mode, so give it only to accounts that need full control.

Now generate the RSA key pair that serves as the SSH host key. SSH version 2 requires a modulus of at least 768 bits on IOS; the example below uses 1024, but 2048 or larger is the current baseline, and the size can be given directly with the modulus keyword instead of answering the prompt. By default IOS negotiates both protocol versions (show ip ssh reports version 1.99), so once the key exists restrict the router to version 2 with ip ssh version 2.

2.Generate the RSA Keys
   Lab5(config)#crypto key generate rsa
The name for the keys will be: Lab5.lab5.com
 Choose the size of the key modulus in the range of 360 to 2048 for your
   General Purpose Keys. Choosing a key modulus greater than 512 may take
   a few minutes.

How many bits in the modulus [512]: 1024
 % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

3.Next set up the VTY lines

Lab5(config)#line vty 0 4
Lab5(config-line)#login local
Lab5(config-line)#transport input ssh

login local authenticates against the local username database; transport input ssh allows only SSH on these lines, so Telnet is refused. Apply the same to any other VTY lines the platform has (for example line vty 5 15), otherwise Telnet stays open on them.

4. Set up the IP address

Lab5(config)#interface g0/1
Lab5(config-if)#ip address 192.168.100.1 255.255.255.0
Lab5(config-if)#no shutdown


That's all. Connect with PuTTY or from a command line with an OpenSSH client:

   ssh -l username IPaddress

On the first connection the client shows the router's host key fingerprint and asks you to accept it; record it, because a different fingerprint on a later connection means the key was changed or the session is being intercepted. Once SSH works, do not leave Telnet enabled anywhere as a fallback.
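
As an added example (not from the original post), here is a small Python audit of the settings above as they appear in a saved show running-config. It encodes the baseline a reviewer would check for: SSH version 2 pinned, a 2048-bit host key, login local and transport input ssh on every VTY line, and no reversible enable password. The configuration text it runs over is constructed to resemble the lab router after the steps above, with a second VTY range (5 15) left on IOS defaults to show what the audit catches; the modulus size is passed in separately because the running-config does not record it.

```python
"""Audit the SSH-related settings from a Cisco IOS running-config.  Added
example, not from the original post.  SAMPLE_CONFIG is constructed; the RSA
modulus size is passed separately because the running-config does not show it."""
import re

SAMPLE_CONFIG = """\
hostname Lab5
ip domain-name lab5.com
enable secret 5 $1$abcd$REDACTEDREDACTEDREDACT
username netadmin privilege 15 secret 5 $1$efgh$REDACTEDREDACTEDREDACT
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 no shutdown
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""


def parse_line_blocks(config):
    """Return {'vty 0 4': ['login local', ...], ...} for every 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # any other top-level command ends the block
    return blocks


def audit_ssh(config, rsa_modulus_bits, min_modulus=2048):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name: RSA key generation for SSH will not run")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 not set: IOS default (1.99) still accepts SSHv1")
    if rsa_modulus_bits < min_modulus:
        findings.append(f"RSA modulus {rsa_modulus_bits} bits is below {min_modulus}")
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password is reversible; use enable secret")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no enable secret")
    if not re.search(r"^username \S+ .*\bsecret ", config, re.M):
        findings.append("no local username with a secret: login local cannot succeed")
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        transports = [c for c in cmds if c.startswith("transport input")]
        # No explicit 'transport input' means the IOS default applies, which on
        # many versions includes Telnet, so treat it as unrestricted.
        allowed = transports[-1].split()[2:] if transports else ["<default>"]
        if allowed != ["ssh"]:
            findings.append(f"line {name}: transport input {' '.join(allowed)} (Telnet possible)")
        if "login local" not in cmds:
            findings.append(f"line {name}: no 'login local' (line password or no authentication)")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG, rsa_modulus_bits=1024):
        print("FAIL:", finding)
```

Run against the sample it reports the missing ip ssh version 2, the 1024-bit key and the Telnet-capable, password-less second VTY range; feeding it the same config with those fixed returns an empty list, which is the state to aim for before exposing the management address.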

Friday, 26 August 2016

How to configure and install self signed digital certificate on Exchange server 2013( No Certificate Authority )

After Exchange is installed, every visit to OWA or ECP produces a certificate error in the browser: setup installs its own self-signed certificate, which no client trusts and whose name may not match the URL being used.

Here is how we can fix it.

First log in to the Exchange ECP, go to Servers and click Certificates.

Click + to create a new certificate.

Make sure you select the second option (Create a self-signed certificate) and enter a friendly name.

Then on the next screen specify the server where you want to apply this certificate. In my case I will install it on my mail server WIN2k12MAIL.

Click Next and specify the domains you want to include: click the pencil and add the names. Every name clients will type (the internal host name, the mail CNAME, the public name) must be in this list, because a name missing from the Subject Alternative Names produces a name-mismatch warning even after the certificate is trusted.

Here I am adding both the intranet and the Internet names.



Click OK and move on to the confirmation page.

Click Finish; that is all, we have created a new certificate.

Click the newly created certificate and assign the services. Here I have assigned it to IMAP and POP. (Assigning the IIS service here instead updates the HTTPS binding for OWA and ECP automatically; this post binds it in IIS Manager by hand.)

Now we need to tell IIS to use this certificate for the mail server's web requests. To do that, open IIS Manager.

Go to Sites, click Default Web Site and open Bindings.

Click Add.

Select https as the type, enter your host name, select the newly created certificate in the SSL certificate drop-down, click OK and restart the web site.
Now browse to Exchange web access again: the certificate warning is still there, because the browser does not trust the issuer of a self-signed certificate. This post fixes it on the client by installing the certificate into the Trusted Root store. Be aware of what that means: the mail server's key becomes a fully trusted root on that client, it has to be repeated on every client, and if the server's private key is ever compromised those clients will trust anything it signs. That is acceptable for a lab; for production, request a certificate from an internal or public CA instead. Click the certificate in the browser and install it:

Click Install Certificate.

Select Local Machine and place the certificate in the Trusted Root Certification Authorities store.


That is all. Close the web browser and reopen it; you should now see the page without a warning.

Click the lock icon in the web browser, open the certificate and look at the Subject Alternative Names.

You can see the domain names given in the wizard are there.
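
To make the different reasons for a certificate warning concrete, here is an added Python example (not from the original post) that takes a certificate in the dictionary layout Python's ssl.SSLSocket.getpeercert() returns and reports why a client would reject it: issuer not in the client's trust store (what the Trusted Root import above fixes), requested host name not in the Subject Alternative Names (what adding both names in the wizard fixes), or validity period. The certificate dictionary is constructed to mirror the names used in this post; the dates, and matching trusted issuers by common name as a stand-in for a real root-store lookup, are assumptions made for the example.

```python
"""Explain a certificate warning.  Added example, not from the original post.
The certificate dict uses the layout of ssl.SSLSocket.getpeercert(); it is
constructed to mirror the names in this post, with assumed dates."""
import ssl
import time

LAB_CERT = {
    "subject": ((("commonName", "mail.student.edu.au"),),),
    "issuer": ((("commonName", "mail.student.edu.au"),),),   # same as subject: self-signed
    "subjectAltName": (("DNS", "mail.student.edu.au"),
                       ("DNS", "win2k12mail.student.edu.au")),
    "notBefore": "Aug 26 00:00:00 2016 GMT",
    "notAfter": "Aug 26 00:00:00 2021 GMT",
}


def _dn_to_dict(rdns):
    """Flatten getpeercert()'s nested subject/issuer tuples into {attr: value}."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def hostname_matches(hostname, cert):
    """RFC 6125 style match against SAN dNSNames: exact, or a single-label
    wildcard in the left-most position only.  The CN is deliberately ignored,
    as current browsers do."""
    hostname = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # e.g. ".student.edu.au"
            label = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == hostname:
            return True
    return False


def diagnose(cert, hostname, trusted_issuers, now=None):
    """Return the reasons a client would warn about 'cert' for 'hostname'.

    trusted_issuers: issuer commonNames present in the client's root store.
    Matching by name stands in for the real chain validation (an assumption
    that keeps the example self-contained)."""
    now = time.time() if now is None else now
    reasons = []
    subject, issuer = _dn_to_dict(cert["subject"]), _dn_to_dict(cert["issuer"])
    if issuer.get("commonName") not in trusted_issuers:
        tag = " (self-signed)" if subject == issuer else ""
        reasons.append("untrusted issuer" + tag)
    if not hostname_matches(hostname, cert):
        reasons.append(f"name mismatch: {hostname!r} not in SANs")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    return reasons


if __name__ == "__main__":
    day_after_issue = ssl.cert_time_to_seconds("Aug 27 00:00:00 2016 GMT")
    print(diagnose(LAB_CERT, "mail.student.edu.au", set(), day_after_issue))   # before import
    print(diagnose(LAB_CERT, "mail.student.edu.au", {"mail.student.edu.au"}, day_after_issue))
    print(diagnose(LAB_CERT, "localhost", {"mail.student.edu.au"}, day_after_issue))
```

The third call shows why https://localhost/owa keeps warning even after the root import: "localhost" is not one of the names in the certificate, and trust in the issuer does not change that.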

Thanks
Monday, 22 August 2016

Configure Audit Logon Events Policy in a GPO

Step by Step Guide

1)   Log on to the domain controller with an account that has administrator rights and make sure the Group Policy Management console is installed.

2)   To edit a domain GPO, press "Win + R", type gpmc.msc and press Enter, then right-click the GPO linked where the policy should apply (for example the Default Domain Controllers Policy for logons handled by the DCs) and choose Edit. (gpedit.msc, shown in the screenshots, edits only the Local Group Policy of the machine you are on, not a domain GPO.)

3)  Once you are in the Group Policy Editor, navigate to "Computer Configuration -> Windows Settings -> Security Settings -> Local Policies" and then select "Audit Policy" in the left pane.

4) Double-click "Audit logon events", tick "Define these policy settings" and both "Success" and "Failure", then click "Apply" and "OK" to save the changes.

5) Once the policy has applied (run gpupdate /force or wait for the refresh), open Event Viewer and check under Windows Logs -> Security: a successful logon is event ID 4624 and a failed one is 4625. On Windows Server 2008 R2 and later, Advanced Audit Policy Configuration (Logon/Logoff -> Audit Logon) produces the same events with finer control and takes precedence over this legacy category when both are configured.

Sunday, 21 August 2016

How to configure Windows Event Log Forwarding

In a small or medium-sized business the budget will not allow buying and running a dedicated log management or SIEM product. Since businesses now depend on many servers and services, it is not practical for a system administrator to read the event logs on each server separately.

For these situations Microsoft introduced Event Forwarding. Event Forwarding allows administrators to get events from remote computers, also called source computers or forwarding computers, and store them on a central server, the collector computer.

Events can be transferred from the forwarding computers to the collector computer in one of two ways:

Collector initiated – Using this method, the collector contacts the source computers (clients) and asks them for any events they have. The minimum operating system level on the source computers is Windows XP SP2 with Windows Remote Management 1.1 installed. The collector must be able to reach WinRM on every source, and it holds a credential that is valid on all of them.

Source initiated – Using this method the clients (forwarders) push events to the collector as required, authenticating with their own computer accounts, so no stored credentials and no inbound connections to the sources are needed; this is the mode to prefer for a fleet. Windows Vista, Windows 7, Windows Server 2008/R2 and Windows Server 2012/R2 can be event collectors, but this feature is not supported on down-level operating systems. Even though there are no limitations when a client operating system is used as an event collector, a server platform is recommended since it scales much better in high-volume scenarios.
(http://www.vkernel.ro/blog/how-to-configure-windows-event-log-forwarding)

Configuring event forwarding collector initiated subscriptions (Step by Step)
Start by enabling WinRM on the event forwarder machines (the clients). There are two choices here: use Group Policy to enable WinRM, or do it manually by issuing the command below on each client:

In my example I have used WIN2K12MAIL as the client.

winrm qc
If your clients are running Windows Server 2012 or later, WinRM is enabled by default on them, but to be sure you can check the configuration with the command below:


winrm get winrm/config
Now that WinRM is enabled on all our event forwarder computers,
the next step is to give the collector computer the rights to read the logs on these computers.
We can use the event collector's computer account itself for authentication, or we can create a user account in Active Directory and use that.
I have created an account called eventforwarder and added it to the default Event Log Readers group.
Creating the new user eventforwarder

Adding eventforwarder to the default Event Log Readers group

The next step is to enable and start the Event Collector service on the collector machine, so I have logged in to the WIN2k12DC server and issued the command below:
wecutil qc

If that succeeds, move on and create a subscription on the collector computer, which tells it what type of event logs to look for and collect from the forwarder computers.
Go to Event Viewer, right-click Subscriptions and choose Create Subscription.
Click the Collector initiated radio button, then hit Select Computers to add the source computers (forwarders) from which the collector will pull the events.
Now select which events to receive by clicking the Select Events button (the filter becomes an XPath query; for the logon auditing enabled in the previous post that is the Security log with event IDs 4624 and 4625).
The last step is the account the collector machine uses to connect to the clients. Membership in an Event Log Readers group only grants permission to read the log; the connection itself goes over WinRM, so the account also needs WinRM access on each forwarder (membership in that machine's local Remote Management Users or Administrators group), otherwise the subscription fails with Access Denied even though the log permission is right. Note too that the domain's built-in Event Log Readers group applies on domain controllers; on a member server it is the local Event Log Readers group that counts. A dedicated account with just those memberships avoids storing administrator credentials in the subscription.
Click the Specific User button, provide the account and credentials and click OK, then move down to the Event Delivery Optimization section, which has three options:
Normal – This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It uses pull delivery mode, batches of five events and a batch timeout of 15 minutes.
Minimize Bandwidth – This option ensures that the use of network bandwidth for event delivery is strictly controlled.
It uses push delivery mode with a heartbeat interval of 6 hours.
Minimize Latency – This option ensures that events are delivered with minimal delay. It is the appropriate choice if you are collecting alerts or critical events. It uses push delivery mode with a batch timeout of 30 seconds.
I did it this way but it didn't work (Access Denied), so I changed the user to
Administrator and it worked.
Didn't work
The one that worked
Now I can see the forwarder has been added.
After ~10 minutes or less, depending on how you configured the Event Delivery Optimization option, logs should start coming in to the Forwarded Events log on the collector.
That is all. It's working...
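
The following added Python example (not from this post or the previous one) shows what to do with the events once they arrive on the collector. It parses Security events in the XML form Event Viewer shows on the Details > XML view, the same form the collector stores in Forwarded Events, and counts failed logons (event 4625, which the Audit logon events policy from the previous post produces alongside 4624) per source address and target user across all forwarders, which is the view a single server's log cannot give. The events are constructed for the example and carry only the fields the check needs; computer and account names follow the lab.

```python
"""Count failed logons in Security events collected by the subscription above.
Added example, not from the original posts.  Events are in the Windows event
XML schema (Event Viewer > Details > XML view); the sample records below are
constructed and carry only the fields this check uses."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the schema: enough of <System> and <EventData> for 4624/4625.
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}" />
    <Channel>Security</Channel>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


def make_event(event_id, computer, user, ip, logon_type=3,
               time="2016-08-21T10:00:00.000Z"):
    """Constructed event: a network logon (type 3) attempt as seen by 'computer'."""
    return EVENT_TEMPLATE.format(event_id=event_id, computer=computer, user=user,
                                 ip=ip, logon_type=logon_type, time=time)


# Constructed sample: a password-guessing run against Administrator that hits two
# forwarders, one wrong password from Sara, and one successful logon by Sathi.
SAMPLE_EVENTS = (
    [make_event(4625, "WIN2K12MAIL", "Administrator", "192.168.200.50")] * 6
    + [make_event(4625, "WIN2K12DC", "administrator", "192.168.200.50")] * 2
    + [make_event(4625, "WIN2K12MAIL", "sara", "192.168.200.51"),
       make_event(4624, "WIN2K12MAIL", "sathi", "192.168.200.51")]
)


def parse_event(xml_text):
    """Flatten one event into a dict: System fields plus every <Data Name=...>."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.find("e:Computer", NS).text,
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.find("e:EventData", NS):
        rec[data.get("Name")] = data.text
    return rec


def failed_logon_summary(events, threshold=5):
    """Count 4625 events per (source IP, target user) across all forwarders.

    Returns {(ip, user): (count, [computers])} for pairs at or over threshold.
    The count is taken across computers on purpose: a guesser that spreads
    attempts over many hosts stays under a per-host threshold but not this one."""
    counts, computers = Counter(), {}
    for xml_text in events:
        rec = parse_event(xml_text)
        if rec["event_id"] != 4625:
            continue
        key = (rec["IpAddress"], rec["TargetUserName"].lower())
        counts[key] += 1
        computers.setdefault(key, set()).add(rec["computer"])
    return {key: (n, sorted(computers[key]))
            for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, user), (n, hosts) in failed_logon_summary(SAMPLE_EVENTS).items():
        print(f"{n} failed logons for {user!r} from {ip} on {', '.join(hosts)}")
```

Against the sample it flags the eight failures for administrator from 192.168.200.50 spread over both servers, while Sara's single typo stays below the threshold. Real exports from wevtutil qe ForwardedEvents /f:xml contain more System and EventData fields than the template, which parse_event simply carries along.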


Friday, 19 August 2016

Install Exchange server 2013 with AD 2012 R2

In this tutorial I will explain how to install Exchange Server 2013 step by step with an Active Directory domain controller on Windows Server 2012 R2.


My Lab is in NAT mode on VMware Workstation.

  1. Exchange Server Hostname : WIN2k12MAIL 
  2. ADDC : WIN2K12DC
The IP addresses are as follows:
ADDC  
 IP 192.168.200.10
 GW: 192.168.200.2 ( NAT GATEWAY)
 DNS: 192.168.200.10, 192.168.200.2

Exchange 
 IP 192.168.200.20
 GW: 192.168.200.2 ( NAT GATEWAY)
 DNS: 192.168.200.10, 192.168.200.2

Make sure to have the latest updates on both the servers 



Install and configure AD DS on WIN2K12DC and join the mail server to the domain as a member. Once it is joined it will ask to restart the server; restart it. After it boots you need to log in to the mail server as a domain administrator (DOMAIN\Administrator); in my case I will use student\Administrator. My domain name is student.edu.au.


Make sure the firewall is properly configured; for testing I have disabled the firewall.


On the DC we have to create the following records in DNS.


Go to DNS Manager and add the following records.


Create a CNAME record "mail" pointing to WIN2K12MAIL (so mail.student.edu.au resolves to the mail server).
Create an MX record for the zone pointing to WIN2K12MAIL. The MX target must be the host's own name, which has an A record; pointing an MX at the "mail" CNAME is not allowed (RFC 2181 section 10.3) and some sending servers reject it.


Once that is done, go back to the mail server and ping the domain name (ping student.edu.au); this should answer with the DC's IP address. Then, still on the Exchange (mail) server, run nslookup mail.student.edu.au; this should reply with the mail server's IP address. If not, check your DNS configuration.
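
Before running setup it is worth checking the records above offline. The following added Python example (not from the original post) describes the lab zone as a dictionary and validates the rules mail flow later depends on: an MX must target a name that has an A record rather than a CNAME, a CNAME cannot share its name with other records, CNAME chains must end in an A record without looping, and the names tested with ping and nslookup above must resolve. The record values are the lab's as listed in this post; the apex A record for student.edu.au is what ping student.edu.au answers from.

```python
"""Offline sanity check of the DNS records created above.  Added example, not
from the original post.  Record values are the lab's from this post."""

# Name -> {record type -> values}; MX values are (preference, target) pairs.
ZONE = {
    "student.edu.au": {"A": ["192.168.200.10"],
                       "MX": [(10, "win2k12mail.student.edu.au")]},
    "win2k12dc.student.edu.au": {"A": ["192.168.200.10"]},
    "win2k12mail.student.edu.au": {"A": ["192.168.200.20"]},
    "mail.student.edu.au": {"CNAME": ["win2k12mail.student.edu.au"]},
}


def resolve_a(zone, name, max_chain=8):
    """Follow CNAMEs until an A record; return (addresses, names visited).
    Raises ValueError on a loop, an over-long chain or a dangling name."""
    chain = []
    while True:
        name = name.lower().rstrip(".")
        if name in chain:
            raise ValueError(f"CNAME loop at {name}")
        if len(chain) >= max_chain:
            raise ValueError(f"CNAME chain longer than {max_chain} at {name}")
        chain.append(name)
        rr = zone.get(name, {})
        if "A" in rr:
            return rr["A"], chain
        if "CNAME" in rr:
            name = rr["CNAME"][0]
            continue
        raise ValueError(f"{name}: no A or CNAME record")


def check_zone(zone, apex):
    """Return findings (an empty list means the checks in the post would pass)."""
    findings = []
    for name, rr in zone.items():
        # RFC 1034: a CNAME owner name may carry no other data.
        if "CNAME" in rr and len(rr) > 1:
            findings.append(f"{name}: CNAME coexists with other records")
        for _pref, target in rr.get("MX", []):
            # RFC 2181 10.3: the MX target must be a host name, not an alias.
            if "CNAME" in zone.get(target.lower(), {}):
                findings.append(f"{name}: MX target {target} is a CNAME")
            try:
                resolve_a(zone, target)
            except ValueError as err:
                findings.append(f"{name}: MX target unresolvable ({err})")
    # What the post verifies by hand: ping <domain> and nslookup mail.<domain>.
    for name in (apex, f"mail.{apex}"):
        try:
            resolve_a(zone, name)
        except ValueError as err:
            findings.append(str(err))
    return findings


if __name__ == "__main__":
    print(check_zone(ZONE, "student.edu.au") or "zone OK")
    print(resolve_a(ZONE, "mail.student.edu.au"))
```

Changing the MX target to mail.student.edu.au in ZONE produces a finding immediately, which is the mistake that is easy to make when the CNAME is the name everyone uses.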


Once all of this is done, move to the mail server to install Exchange Server 2013.


Exchange Server 2013 needs a few prerequisites installed before setup can start.


Prerequisites


  1) Download and install Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit on the mail server.


  2) Download and install Microsoft Office 2010 Filter Pack 64-bit on the mail server.


  3) Download and install Microsoft Office 2010 Filter Pack SP1 64-bit on the mail server.


  4) Install .NET Framework 3.5 on the mail server. In most cases this feature is installed by default; if not, install it with PowerShell.


You must mount the Windows Server 2012 R2 image to run this command (D: is the mounted image):
Install-WindowsFeature NET-Framework-Core -Source D:\sources\sxs


  5) Run the following command in Windows PowerShell to install the other required components.

Install-WindowsFeature RSAT-ADDS-Tools, AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation


6) Prepare the schema with the following command. The account must be a member of Schema Admins and Enterprise Admins.
Mount the Exchange 2013 ISO and type the command (D: is the mounted ISO):
PS C:\Users\administrator.STUDENT> D:
PS D:\> .\Setup.EXE /PS /IAcceptExchangeServerLicenseTerms
/PS is short for /PrepareSchema and only extends the schema; the Active Directory and domain preparation (/PrepareAD with an organization name, /PrepareDomain) is carried out later by the graphical setup when it runs with the same rights.
Done:
Step By Step guide : 

1) Domain Controller's IP configuration



2) Exchange Server IP Configuration 



3) Join the Exchange to Domain



4) Login , Click Other Users 



5)Login as Domain Admin 



6) Install Dependencies

 
7) Install windows Features as mentioned Above




8) Restart the server 



9) Install .net 3.5 ( I am using power shell commends ) , Mount the Windows server 2012R2



10) Run the power shell command 



Done:



11) Once that is done, install Exchange Server 2013 using the setup.exe on the mounted ISO.



12) Double Click on the DVD Drive.



13) Continue the installation up to this point.



14) Make sure to tick all the options (both server roles). Click Next and wait until the next screen appears.


15) Give any name relevant to your organization; it does not need to be your domain name.



16) Make sure to enable malware scanning and click Next.


17) The installation has started and may take up to 45 minutes to finish.




18) Once the installation is finished, open the ECP and add a few email accounts to test the mail server.


 In Exchange 2013, Receive connectors exist in the Transport service on Mailbox servers and in the Front End Transport service on Client Access servers (both roles are on WIN2K12MAIL here). The Receive connectors required for inbound mail flow are created automatically when the server is installed.
Until you create a Send connector, mail cannot flow from Exchange to the Internet.
The first thing to notice is that the Exchange Management Console is gone, replaced by the web-based Exchange admin center (ECP). The Exchange Toolbox is still there, and that GUI has some of the tools we have been using for ages, such as Queue Viewer and a link to the Remote Connectivity Analyzer.
 


It will load the ECP in Internet Explorer or your default browser.

Click Continue past the certificate warning: setup installs a self-signed certificate that the browser does not trust. The next post explains how to create a self-signed certificate with the right names and avoid this warning.



Now that I can see my ECP is loaded, we will create new mail accounts.


19) Now we will create some email accounts. We can do this in two ways: create a new user account in AD under Users and add it in Exchange as an existing user, or create a new user in Exchange, which creates the user account under AD Users as well.


Creating a mailbox for an existing user




So I have created two mail accounts and will test them by sending mail.

To send and receive mail I will use Outlook Web Access (OWA) in this case; later I will show how to do it from a mail client.
To get to OWA use the following URL. On the Exchange server itself use https://localhost/owa (this always gives a name-mismatch warning, because "localhost" is not one of the names in the certificate).
From another machine use the FQDN or the CNAME,
e.g. https://win2k12mail.student.edu.au/owa or https://mail.student.edu.au/owa (mail is a CNAME for win2k12mail).


Log in to OWA and send a mail. Here we go, bingo, it's working.

That is all, my mail server is working well. I will configure this in Thunderbird and see how it works.

Download and install Thunderbird from the website and configure it:

https://www.mozilla.org/en-US/thunderbird/

Add the account.



Once the account is added we can see the mail that we sent from Sathi to Sara in the inbox.

So Thunderbird found the account and the mail server. Click Done; it will ask to confirm the certificate (the same untrusted self-signed certificate the browser warned about). Click Confirm.




Add the second account also... Now all is done.....




See the next post to configure the self-signed digital certificate:


https://faceitnet.blogspot.com.au/2016/08/how-to-configure-and-install-self.html


Thanks 

Saththiyan 