Re: [rancid] ASA-5585 Enable mode
Mon, Jan 01, 2018 at 06:41:56PM -0800, Azher: > In the ASA version 9.8.X , there are sending out the "Last login: " and the > "Last failed Login: " as default. There is no way to disable this. > > I tried adding following lines in .cloginrc but no luck: > > add prompt sslvpna {"sslvpna>"} > add enableprompt sslvpna {"sslvpna>"} > > Is there a way to skip login: for this specific device ? > > Thanks > -Azher Does this work? Index: bin/clogin.in === --- bin/clogin.in (revision 3754) +++ bin/clogin.in (working copy) @@ -248,6 +248,12 @@ send_user "\nError: Check your passwd for $router\n" catch {close}; catch {wait}; return 1 } + -nocase -re "last login:" { + exp_continue + } + -nocase -re "failed login:" { + exp_continue + } "Login failed" { send_user "\nError: Check your passwd for $router\n" catch {close}; catch {wait}; return 1 
@@ -267,9 +273,6 @@ send "K\r" exp_continue } - -re "Last login:" { - exp_continue - } -re "Press the key \[^\r\n]+\[\r\n]+" { exp_continue } > > > On Sun, Dec 31, 2017 at 1:19 PM, heasleywrote: > > > Thu, Dec 28, 2017 at 06:42:46PM -0800, Azher: > > > Hi All, > > > > > > Our current Cisco ASA devices "ASA5550" , 8.4(7)30, work fine with > > RANCID. > > > > > > Same config does not work for ASA-5585, 9.8(1). I am not sure why it is > > > sending "admin" twice and later it sends "enable" at the prompt Any > > > suggestions ? > > > > > > add user sslvpnb admin > > > add password sslvpnb pass1 pass2 > > > add autoenable sslvpnb 0 > > > add method sslvpnb ssh > > > > > > [rancid@rancid ~]$ more var/asa/router.db > > > sslvpn1;cisco;up > > > sslvpn2;cisco;up > > > sslvpna;cisco;up > > > sslvpnb;cisco;up > > > > > > [rancid@rancid ~]$ clogin sslvpnb > > > sslvpnb > > > spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb > > > admin@sslvpnb's password: > > > User admin logged in to sslvpnb > > > Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017 > > > from 68.181.191.19 > > > Failed logins since the last login: 0. Last failed login: 06:47:32 PST > > Dec > > > 28 2017 from 68.181.191.19 > > > > its sending admin again because it sees "login:" before a prompt. why > > is it displaying this? > > > > > Type help or '?' for a list of available commands. > > > sslvpnb> admin > > > ^ > > > ERROR: % Invalid input detected at '^' marker. > > > > > > Error: Unrecognized command, check your enable command > > > sslvpnb> admin > > > ^ > > > ERROR: % Invalid input detected at '^' marker. > > > sslvpnb> enable > > > Password: > > > Invalid password > > > Password: > > > Invalid password > > > Password: > > > Invalid password > > > Access denied. 
> > > sslvpnb>
> > >
> > > Thanks
> > > -Azher
> >
___
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
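Review bot: in the first hunk, the two new `-nocase -re "last login:"` and `-nocase -re "failed login:"` clauses with `exp_continue` must sit ahead of whatever clause matches the generic "login:" text, since expect takes the first listed pattern that matches the buffer; placing them just before the "Login failed" clause near the top of the block does that, and "failed login:" is the case the old case-sensitive "Last login:" clause never covered (the transcript shows "admin" sent once per banner line). A one-line comment above the clauses naming the ASA 9.8 login-history banner as the reason would help the next reader, and it is worth noting in the commit message that the device-side workaround confirmed later in this thread (`no aaa authentication login-history`) gives up the last-login notification, so handling the banner in clogin is the better default.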
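Review bot: in the second hunk, dropping the old `-re "Last login:"` clause is the right cleanup, since the case-insensitive clause added earlier in the same expect block subsumes it; the `-re "Press the key ..."` handler that follows is unchanged, so nothing else in this region depends on the removed clause.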
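To make the ordering point concrete, here is an added Python model of the matcher (not clogin's own code, which is expect/Tcl): a pattern list where, as in an expect block, the first listed pattern that matches wins, run over a constructed copy of the ASA 9.8 banner from the transcript above. The naive list treats both login-history lines as a login prompt and sends the username twice; the list that skips "last login:" and "failed login:" first, as the patch does, reaches the prompt cleanly.

```python
import re

# Constructed copy of the post-authentication banner an ASA 9.8 prints,
# modelled on the transcript in this thread (timestamps and address are
# placeholders, not values from a real device).
ASA_98_OUTPUT = [
    "User admin logged in to sslvpnb",
    "Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017 from 192.0.2.10",
    "Failed logins since the last login: 0. Last failed login: 06:47:32 PST Dec 28 2017 from 192.0.2.10",
    "Type help or '?' for a list of available commands.",
    "sslvpnb> ",
]

# As in an expect block, the first pattern in list order that matches wins,
# so the position of the "login:" clause relative to the banner clauses
# decides whether the banner is mistaken for a login prompt.
NAIVE_PATTERNS = [
    (re.compile(r"login:", re.I), "send_username"),   # also matches "Last login:"
    (re.compile(r"password:", re.I), "send_password"),
    (re.compile(r"^[\w-]+> ?$"), "got_prompt"),        # unprivileged exec prompt
]

# Same list with the two banner clauses in front, mirroring the patch's
# -nocase -re "last login:" / -nocase -re "failed login:" with exp_continue.
HARDENED_PATTERNS = [
    (re.compile(r"last login:", re.I), "skip"),
    (re.compile(r"failed login:", re.I), "skip"),
] + NAIVE_PATTERNS


def login_actions(lines, patterns):
    """Return the actions a matcher driven by `patterns` takes on `lines`.

    Line-at-a-time simplification of expect's buffer matching; it is
    enough to show why clause order matters.
    """
    actions = []
    for line in lines:
        for rx, action in patterns:
            if rx.search(line):
                if action != "skip":   # "skip" stands in for exp_continue
                    actions.append(action)
                break                  # first matching clause wins
    return actions


if __name__ == "__main__":
    print("naive:   ", login_actions(ASA_98_OUTPUT, NAIVE_PATTERNS))
    print("hardened:", login_actions(ASA_98_OUTPUT, HARDENED_PATTERNS))
```

A real login prompt such as `login: ` still reaches the `send_username` clause in the hardened list, because the two skip clauses only match when "last " or "failed " precedes the word.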
Re: [rancid] ASA-5585 Enable mode
Last login notification (and last failed login) has been a computing best practice for 30 years. It provides simple, easy detection of some forms of man-in-the-middle password trapping. It's not foolproof but it's an important protection that is valued by the informed users that it serves.

If you're federally regulated in the USA (HIPAA/HITECH, SOX, GLB, FDA, DOD, NIST FIPS, ...) you are probably legally required to enable last login and failed login notifications, simply because it's an industry best practice and blowing off industry best practices is (arguably) negligence.

--Charlie

On Mon, Jan 1, 2018 at 11:41 PM Azher Amin wrote:

I think so. Having this detected by clogin would definitely help many others.

-Azher

On Mon, Jan 1, 2018 at 8:36 PM, Piegorsch, Weylin William <wey...@bu.edu> wrote:

Awesome. Though, since it’s the default parameter, would it make sense to account for it in clogin?

weylin

From: Azher <azhera...@gmail.com>
Date: Monday, January 1, 2018 at 23:09
To: Weylin Piegorsch <wey...@bu.edu>
Subject: Re: [rancid] ASA-5585 Enable mode

Thanks, that fixed it.

no aaa authentication login-history

-Azher

On Mon, Jan 1, 2018 at 7:18 PM, Piegorsch, Weylin William <wey...@bu.edu> wrote:

This is a behavior change to the ASA made in version 9.8. I believe it’s a response to a US DOD mandate, to aid in detecting unauthorized logins. At least, that was a requirement implemented sometime around 2005 (for systems that supported the capability), though I can’t find a .mil URL more recent than 2008 discussing the requirement (though I can find it referenced in some current commercial locations like Red Hat’s site). I noticed it recently in lab trials; I had assumed Cisco decided it made sense to make this the normal behavior for all deployments, given ASA stands for Adaptive Security Appliance. I hadn’t noticed it in rancid, since I’m still in lab trials.

Luckily, it’s configurable, see “Enable and View the Login History” at this URL:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.pdf

weylin

-Original Message-
From: heasley <h...@shrubbery.net>
Date: Sunday, December 31, 2017 at 16:19
To: Azher <azhera...@gmail.com>
Cc: <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] ASA-5585 Enable mode

Thu, Dec 28, 2017 at 06:42:46PM -0800, Azher:
> Hi All,
>
> Our current Cisco ASA devices "ASA5550" , 8.4(7)30, work fine with RANCID.
>
> Same config does not work for ASA-5585, 9.8(1). I am not sure why it is
> sending "admin" twice and later it sends "enable" at the prompt Any
> suggestions ?
>
> add user sslvpnb admin
> add password sslvpnb pass1 pass2
> add autoenable sslvpnb 0
> add method sslvpnb ssh
>
> [rancid@rancid ~]$ more var/asa/router.db
> sslvpn1;cisco;up
> sslvpn2;cisco;up
> sslvpna;cisco;up
> sslvpnb;cisco;up
>
> [rancid@rancid ~]$ clogin sslvpnb
> sslvpnb
> spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb
> admin@sslvpnb's password:
> User admin logged in to sslvpnb
> Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017
> from 68.181.191.19
> Failed logins since the last login: 0. Last failed login: 06:47:32 PST Dec
> 28 2017 from 68.181.191.19

it's sending admin again because it sees "login:" before a prompt. why is it displaying this?

> Type help or '?' for a list of available commands.
> sslvpnb> admin
> ^
> ERROR: % Invalid input detected at '^' marker.
>
> Error: Unrecognized command, check your enable command
> sslvpnb> admin
> ^
> ERROR: % Invalid input detected at '^' marker.
> sslvpnb> enable
> Password:
> Invalid password
> Password:
> Invalid password
> Password:
> Invalid password
> Access denied.
> sslvpnb>
>
> Thanks
> -Azher
Re: [rancid] ASA-5585 Enable mode
Awesome. Though, since it’s the default parameter, would it make sense to account for it in clogin?

weylin

From: Azher <azhera...@gmail.com>
Date: Monday, January 1, 2018 at 23:09
To: Weylin Piegorsch <wey...@bu.edu>
Subject: Re: [rancid] ASA-5585 Enable mode

Thanks, that fixed it.

no aaa authentication login-history

-Azher

On Mon, Jan 1, 2018 at 7:18 PM, Piegorsch, Weylin William <wey...@bu.edu> wrote:

This is a behavior change to the ASA made in version 9.8. I believe it’s a response to a US DOD mandate, to aid in detecting unauthorized logins. At least, that was a requirement implemented sometime around 2005 (for systems that supported the capability), though I can’t find a .mil URL more recent than 2008 discussing the requirement (though I can find it referenced in some current commercial locations like Red Hat’s site). I noticed it recently in lab trials; I had assumed Cisco decided it made sense to make this the normal behavior for all deployments, given ASA stands for Adaptive Security Appliance. I hadn’t noticed it in rancid, since I’m still in lab trials.

Luckily, it’s configurable, see “Enable and View the Login History” at this URL:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.pdf

weylin

-Original Message-
From: heasley <h...@shrubbery.net>
Date: Sunday, December 31, 2017 at 16:19
To: Azher <azhera...@gmail.com>
Cc: <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] ASA-5585 Enable mode

Thu, Dec 28, 2017 at 06:42:46PM -0800, Azher:
> Hi All,
>
> Our current Cisco ASA devices "ASA5550" , 8.4(7)30, work fine with RANCID.
>
> Same config does not work for ASA-5585, 9.8(1). I am not sure why it is
> sending "admin" twice and later it sends "enable" at the prompt Any
> suggestions ?
>
> add user sslvpnb admin
> add password sslvpnb pass1 pass2
> add autoenable sslvpnb 0
> add method sslvpnb ssh
>
> [rancid@rancid ~]$ more var/asa/router.db
> sslvpn1;cisco;up
> sslvpn2;cisco;up
> sslvpna;cisco;up
> sslvpnb;cisco;up
>
> [rancid@rancid ~]$ clogin sslvpnb
> sslvpnb
> spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb
> admin@sslvpnb's password:
> User admin logged in to sslvpnb
> Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017
> from 68.181.191.19
> Failed logins since the last login: 0. Last failed login: 06:47:32 PST Dec
> 28 2017 from 68.181.191.19

it's sending admin again because it sees "login:" before a prompt. why is it displaying this?

> Type help or '?' for a list of available commands.
> sslvpnb> admin
> ^
> ERROR: % Invalid input detected at '^' marker.
>
> Error: Unrecognized command, check your enable command
> sslvpnb> admin
> ^
> ERROR: % Invalid input detected at '^' marker.
> sslvpnb> enable
> Password:
> Invalid password
> Password:
> Invalid password
> Password:
> Invalid password
> Access denied.
> sslvpnb>
>
> Thanks
> -Azher
[rancid] ASA-5585 Enable mode
Hi All,

Our current Cisco ASA devices "ASA5550" , 8.4(7)30, work fine with RANCID.

Same config does not work for ASA-5585, 9.8(1). I am not sure why it is sending "admin" twice and later it sends "enable" at the prompt Any suggestions ?

add user sslvpnb admin
add password sslvpnb pass1 pass2
add autoenable sslvpnb 0
add method sslvpnb ssh

[rancid@rancid ~]$ more var/asa/router.db
sslvpn1;cisco;up
sslvpn2;cisco;up
sslvpna;cisco;up
sslvpnb;cisco;up

[rancid@rancid ~]$ clogin sslvpnb
sslvpnb
spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb
admin@sslvpnb's password:
User admin logged in to sslvpnb
Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017 from 68.181.191.19
Failed logins since the last login: 0. Last failed login: 06:47:32 PST Dec 28 2017 from 68.181.191.19
Type help or '?' for a list of available commands.
sslvpnb> admin
^
ERROR: % Invalid input detected at '^' marker.

Error: Unrecognized command, check your enable command
sslvpnb> admin
^
ERROR: % Invalid input detected at '^' marker.
sslvpnb> enable
Password:
Invalid password
Password:
Invalid password
Password:
Invalid password
Access denied.
sslvpnb>

Thanks
-Azher