cisco passwd ubuntu
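#!/usr/bin/env bash
#
# Installs and configures ocserv (an OpenConnect / Cisco AnyConnect-compatible
# VPN server) on Ubuntu: packages, a per-install self-signed TLS key pair,
# ocserv.conf, an AnyConnect client profile, one VPN user, and iptables
# NAT/forwarding rules that survive a reboot.
#
# Usage: run as root. The script prompts for the listening port, the server's
# IP address (and its public address when the detected one is private) and the
# first VPN username; ocpasswd then prompts for that user's password.
#
# The earlier version of this script embedded a fixed certificate and private
# key. A private key published together with the script is known to everyone,
# so any server using it can be impersonated; that key was also 1024-bit RSA
# signed with SHA-1 and its certificate expired on 2023-09-15. Each install now
# generates its own key, readable only by root. The CentOS-only leftovers
# (yum, firewalld, setenforce 0) were dropped: this is an Ubuntu/apt script,
# and disabling SELinux is not something an installer should do as a side
# effect.
set -euo pipefail

readonly OCSERV_DIR=/etc/ocserv
readonly CERT_DIR="${OCSERV_DIR}/cert"

# Settings filled in by prompt_settings and read by the writers below.
PORT=""
IP=""
PUBLICIP=""
VPN_HOST=""
VPN_USER=""

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless running as root: every step writes under /etc or edits
# netfilter, so prefixing only some lines with sudo (as before) just hid
# failures on the unprefixed ones.
#######################################
require_root() {
  (( EUID == 0 )) || die "run this script as root"
}

#######################################
# Print the first global-scope IPv4 address of this host (empty if none).
# Outputs: address without prefix length, to stdout
#######################################
detect_ip() {
  ip -o -4 addr show scope global 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1
}

#######################################
# Print the interface that carries the IPv4 default route (empty if none).
# This is the interface to masquerade on; the earlier `ip link | awk` guess
# returned the first non-loopback link, with a leading space, regardless of
# routing.
#######################################
detect_iface() {
  ip -4 route show default 2>/dev/null | awk '{print $5; exit}'
}

#######################################
# Prompt for port, address(es) and the first username.
# Globals: PORT, IP, PUBLICIP, VPN_HOST, VPN_USER (written)
#######################################
prompt_settings() {
  local detected private_re
  detected=$(detect_ip)
  read -r -p "Port cisco : " PORT
  [[ "$PORT" =~ ^[0-9]+$ ]] && (( PORT >= 1 && PORT <= 65535 )) \
    || die "invalid port: ${PORT}"
  read -r -p "IP address: " -e -i "$detected" IP
  [[ -n "$IP" ]] || die "IP address must not be empty"
  # RFC 1918 address => the server is behind NAT and clients must be given
  # the public address instead.
  private_re='^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'
  if [[ "$IP" =~ $private_re ]]; then
    echo
    echo "Enter Public IPv4 Address"
    read -r -p "Public IP Address: " -e PUBLICIP
  fi
  # Address clients connect to. The earlier version asked for PUBLICIP but
  # never used it, so a NAT'd host handed out a profile pointing at its
  # private address.
  VPN_HOST=${PUBLICIP:-$IP}
  read -r -p "VPN username: " -e -i soheilsec VPN_USER
  [[ -n "$VPN_USER" ]] || die "username must not be empty"
}

#######################################
# Install ocserv plus the netfilter tooling. ufw is removed and
# iptables-persistent installed so exactly one tool owns the ruleset that
# configure_firewall writes.
#######################################
install_packages() {
  # iptables-persistent asks debconf whether to save current rules; answer
  # non-interactively, the rules are saved explicitly later.
  export DEBIAN_FRONTEND=noninteractive
  apt-get update -y
  if command -v ufw >/dev/null 2>&1; then
    ufw disable
  fi
  apt-get purge -y ufw
  apt-get install -y build-essential net-tools ocserv libradcli-dev \
    iptables iptables-persistent openssl
}

#######################################
# Generate a fresh self-signed server certificate and private key for
# VPN_HOST. Self-signed means clients still have to accept the fingerprint
# on first connect; the point is that the key is unique to this host.
# Globals: VPN_HOST (read)
#######################################
make_cert() {
  local ipv4_re san
  ipv4_re='^[0-9]+(\.[0-9]+){3}$'
  if [[ "$VPN_HOST" =~ $ipv4_re ]]; then
    san="IP:${VPN_HOST}"
  else
    san="DNS:${VPN_HOST}"
  fi
  mkdir -p "$CERT_DIR"
  # -nodes: unencrypted key, ocserv must be able to read it unattended at boot.
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
    -subj "/CN=${VPN_HOST}" -addext "subjectAltName=${san}" \
    -keyout "${CERT_DIR}/server.key" -out "${CERT_DIR}/server.crt"
  chmod 600 "${CERT_DIR}/server.key"
  chmod 644 "${CERT_DIR}/server.crt"
}

#######################################
# Write ocserv.conf. Values are those of the original script; only the
# port and addresses come from the prompts.
# Globals: PORT, IP (read)
#######################################
write_ocserv_conf() {
  # NOTE(review): default-domain is kept as in the original (an IP address);
  # ocserv documents it as a domain name to advertise to clients, so this line
  # is probably a no-op — confirm before relying on it.
  cat > "${OCSERV_DIR}/ocserv.conf" <<EOF
auth = "plain[passwd=${OCSERV_DIR}/passwd]"
stats-report-time = 30
max-clients = 0
rate-limit-ms = 0
max-same-clients = 0
#listen-host = [IP|HOSTNAME]
tcp-port = $PORT
udp-port = $PORT
#listen-clear-file = /var/run/ocserv-conn.socket
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = false
server-cert = ${CERT_DIR}/server.crt
server-key = ${CERT_DIR}/server.key
compression = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
idle-timeout = 1200
mobile-idle-timeout = 2400
min-reauth-time = 2
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
use-occtl = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = nobody
net-priority = 6
device = vpns
predictable-ips = true
default-domain = $IP
ipv4-network = 10.30.0.0
ipv4-netmask = 255.255.0.0
dns = 8.8.8.8
dns = 4.2.2.4
mtu = 1200
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
cisco-client-compat = true
user-profile = ${OCSERV_DIR}/profile.xml
custom-header = "X-DTLS-MTU: 1200"
custom-header = "X-CSTP-MTU: 1200"
EOF
}

#######################################
# Write the AnyConnect client profile, pointing clients at VPN_HOST.
# Globals: VPN_HOST (read)
#######################################
write_profile() {
  cat > "${OCSERV_DIR}/profile.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
<StrictCertificateTrust>false</StrictCertificateTrust>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
<BypassDownloader>true</BypassDownloader>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
<CertificateMatch>
<KeyUsage>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
</CertificateMatch>
<BackupServerList>
<HostName>VPN Server</HostName>
<HostAddress>${VPN_HOST}</HostAddress>
</BackupServerList>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>VPN Server</HostName>
<HostAddress>${VPN_HOST}</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>
EOF
}

#######################################
# Create the password file and the first user (ocpasswd prompts for the
# password on the terminal, so it never appears in argv or shell history).
# Globals: VPN_USER (read)
#######################################
add_user() {
  touch "${OCSERV_DIR}/passwd"
  ocpasswd -c "${OCSERV_DIR}/passwd" -g default "$VPN_USER"
}

#######################################
# Rebuild the iptables ruleset: allow loopback, established traffic, ICMP,
# the VPN tunnel interfaces, SSH and the ocserv port; masquerade VPN traffic
# out of the default-route interface; persist the rules.
#
# Two fixes versus the original: PORT is no longer overwritten with 443 just
# before the rules are written (the firewall opened 443 while ocserv listened
# on the prompted port), and the INPUT policy is DROP — under the previous
# ACCEPT policy the per-port ACCEPT rules were no-ops and every port was open.
# Globals: PORT (read)
#######################################
configure_firewall() {
  local iface
  iface=$(detect_iface)
  [[ -n "$iface" ]] || die "could not determine the default-route interface"
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t mangle -F
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  # Malformed-flag probes, kept from the original ruleset.
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  # ocserv creates vpns0, vpns1, ... (device = vpns in ocserv.conf).
  iptables -A INPUT -i vpns+ -j ACCEPT
  # Adjust if sshd listens on another port, or the DROP policy locks you out.
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -p tcp --dport "$PORT" -j ACCEPT
  iptables -A INPUT -p udp --dport "$PORT" -j ACCEPT
  iptables -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
  # Policy last, so the allow rules are in place before anything is dropped.
  iptables -P INPUT DROP
  # Ubuntu has no iptables service; iptables-persistent reloads this at boot.
  netfilter-persistent save
}

#######################################
# Enable IPv4 forwarding now and across reboots (sysctl -w alone was lost on
# the next boot in the original).
#######################################
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ocserv-forward.conf
}

#######################################
# Enable and (re)start ocserv and show its status.
#######################################
start_service() {
  systemctl enable ocserv
  # restart rather than start: the package may already have started ocserv
  # with its stock configuration during apt-get install, and `start` would
  # leave that instance running with the old config.
  systemctl restart ocserv
  # NOTE(review): if the service fails to bind the prompted port, check for
  # a packaged socket-activation unit holding port 443 — not verified here.
  systemctl --no-pager status ocserv
}

main() {
  require_root
  prompt_settings
  install_packages
  make_cert
  write_ocserv_conf
  write_profile
  add_user
  configure_firewall
  enable_forwarding
  start_service
}

main "$@"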