Florian Heigl FlorianHeigl

@FlorianHeigl
FlorianHeigl / cli_script
Last active April 6, 2022 22:56
avaya ers ssh config
# 1. A DSA host key must be present, otherwise the server will not start
# 2. DSA auth can be disabled unless the firmware is particularly old. FW <=5.5 cannot do RSA; FW >=5.6 can do RSA.
# 3. Secure mode disables all other protocols - including SNMP!
# 4. Pubkey download is only possible via TFTP server (not USB)
# 5. RO user for backup does not work because of a problem with `enable` without a password in oxidized
# 6. The password must be entered manually
# 7. telnet remains reachable here! (block via ipmgr)
no ssh
@FlorianHeigl
FlorianHeigl / alcatel-test.py
Last active April 4, 2022 19:26
textfsm-aos example alcatel
#!/usr/bin/env python3
from textfsm_aos.parser import parse
import re
sample_data = """
Local Chassis ID 1 (Master)
Model Name: OS6860E-24,
Module Type: 0x6062203,
Description: Chassis,
Part Number: 903708-90,
@FlorianHeigl
FlorianHeigl / elastiflow-tagging.py
Created March 2, 2022 03:41
tag elastiflow from ip list
#!/usr/bin/env python
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
from elasticsearch_dsl import query as q
from elasticsearch_dsl import Q
from elasticsearch_dsl.query import MultiMatch, Match
from elasticsearch_dsl import UpdateByQuery
import re, sys
@FlorianHeigl
FlorianHeigl / docker-compose.yml
Created February 24, 2022 23:54
check_mk via compose (clean config)
---
version: '3'
services:
  checkmk:
    image: checkmk/check-mk-raw:2.0.0-latest
    ports:
      - "162:162/udp"
      - "514:514/udp"
      - "514:514/tcp"
      - "6557:6557/tcp"
# Powershell refuses to connect to the Netbox API on our setup without this.
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
@FlorianHeigl
FlorianHeigl / docker-compose.yml
Created February 11, 2022 01:39
check_mk compose file
---
version: '3'
services:
  checkmk:
    image: checkmk/check-mk-raw:2.0.0-latest
    ports:
      - "162:162/udp"
      - "514:514/udp"
      - "514:514/tcp"
      - "6557:6557/tcp"
@FlorianHeigl
FlorianHeigl / gist:7940885367332d272b1139a88e369473
Last active February 7, 2022 18:43
find highest number of incoming and outgoing non-unicast packets
if ! type gawk >/dev/null ; then
    echo "script requires gawk, please install it via apt/similar"
    # stop here: the loops below cannot work without gawk
    exit 1
fi
cd ~/var/pnp4nagios/perfdata || exit 1
# out
for X in */Interface_*_outnucast.rrd; do
    rrdtool fetch "$X" MAX -r 300 -s -1h | gawk -v x="$X" '{printf(x",\t\t %s,%8.2f,%8.2f \n",strftime("%c",$1),$2,$3) }'
done |\
@FlorianHeigl
FlorianHeigl / ale-baseline-config.yml
Last active March 29, 2022 11:26
ale-baseline-config
---
# references
# [Switch Management Guide](https://www.al-enterprise.com/-/media/assets/internet/documents/os8-sw-87r3-rev-a.pdf)
# [Security Target for EAL2](https://www.fmv.se/globalassets/csec/alcatel-lucent-enterprise-omniswitch-with-aos-8.6.4.r11/alcatel-lucent-enterprise-omniswitch-with-aos-8.6.r11-security-target-for-eal2.pdf)
# [Security Best Practices in AOS](https://support.alcadis.nl/Support_files/Alcatel-Lucent/OmniSwitch//OS6450/Technotes/Security%20Best%20Practices%20in%20AOS%20v1.7.pdf)
# collected here in 8. AOS 8 example configuration (page 68ff)
### ssh session limit
@FlorianHeigl
FlorianHeigl / unifi_sh_api.sh
Created January 23, 2022 23:34
patched unifi api
#!/bin/sh
#username=ubnt
#password=ubnt
#baseurl=https://unifi:8443
#site=default
#[ -f ./unifi_sh_env ] && . ./unifi_sh_env
cookie=$(mktemp)
@FlorianHeigl
FlorianHeigl / ipset_script.sh
Last active December 13, 2021 16:26
log4j / log4shell overview (from mindforger, screenshots not incl)
setup_ipset() {
    # this only needs to be run once
    # only proceed when the ipset tool is installed
    if type ipset >/dev/null 2>&1 ; then
        ipset create log4j_attackers nethash
        iptables -I INPUT -m set --match-set log4j_attackers src -j DROP
        iptables -I OUTPUT -m set --match-set log4j_attackers dst -j DROP
    fi
}