├── Automatelab.py ├── Baseline&Hardening_Configurations ├── .DS_Store ├── Base&Hardening_Generic.txt ├── Base&Hardening_IOSV1.txt ├── Builds │ ├── IOSV1.cfg │ ├── IOSV10.cfg │ ├── IOSV2.cfg │ ├── IOSV3.cfg │ ├── IOSV4.cfg │ ├── IOSV5.cfg │ ├── IOSV6.cfg │ ├── IOSV7.cfg │ ├── IOSV8.cfg │ └── IOSV9.cfg └── Templates │ └── Base&Hardening.template ├── Python3 install prereqs - linux ├── README.md ├── Vsphere-Automation ├── ansible.cfg ├── group_vars │ └── all.yml ├── hosts └── vspherescript.yml ├── device-vars.yml ├── render-templates.py └── requirements.txt /Automatelab.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Modified January 29, 2019 3 | 4 | Version: 2.4 5 | 6 | @author: OfWolfAndMan 7 | ''' 8 | 9 | ###################################################################### 10 | # + Additional snippets of code to be added: 11 | # 12 | # output = net_connect.send_command( 13 | # cmd, 14 | # expect_string=r'Destination filename' 15 | # ) 16 | # try: 17 | # output += net_connect.send_command('\n', expect_string=r'#') 18 | # 19 | # + In the above operation, a file is moved. 20 | # + Using the expect string allows for multiline handling 21 | # + Other implemenations: License configuration or reload 22 | # 23 | ###################################################################### 24 | # 25 | # + Raise an error manually if something occurs 26 | # 27 | # if this_happens: 28 | # raise ValueError("Something isn't there. 
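#         Go back and fix it.")
#
# + Implementation: If file not present in directory
#
######################################################################

import sys
import os
import platform
import telnetlib
import time
import subprocess
import threading
from contextlib import closing
from getpass import getpass
from netmiko import ConnectHandler
# The exception was previously referenced as netmiko.ssh_exception.NetMikoTimeoutException
# without ``import netmiko``, so every handler raised NameError the moment it fired.
from netmiko.ssh_exception import NetMikoTimeoutException
from tqdm import tqdm
from argparse import ArgumentParser
import yaml
import contextlib

is_py2 = sys.version[0] == '2'
if is_py2:
    from Queue import Queue
else:
    from queue import Queue

# Root of this project on the automation host. call_variables() and
# scenario_configuration_threading() both build their paths from it.
# TODO: make this configurable instead of a constant.
BASE_PATH = '/root/scripts/CCIE_Automation/'

# Answer table used by query_yes_no(); module level because the original
# published it as a module global named ``valid``.
valid = {"y": True, "n": False}


def call_variables(stream):
    """Populate the credential globals from the parsed device-vars.yml.

    Args:
        stream: mapping produced by loading device-vars.yml. The keys read
            are users.localuser, users.radius, users.scp (username/password
            each) and nms.scp (the SCP server address).

    Side effects: changes the working directory to BASE_PATH and assigns the
    module globals below, which the task functions read.

    Raises:
        KeyError: when one of the expected keys is missing from the YAML.
    """
    os.chdir(BASE_PATH)

    global localusername, localpassword, radiususer, radiuspass, scpuser, scppass, scpip

    users = stream['users']
    localusername = users['localuser']['username']
    localpassword = users['localuser']['password']
    radiususer = users['radius']['username']
    radiuspass = users['radius']['password']
    scpuser = users['scp']['username']
    scppass = users['scp']['password']
    scpip = stream['nms']['scp']


# Currently, this script is written for Cisco IOS. In the future, variants
# may be written for other vendors' equipment.

def query_yes_no(question, default="y"):
    """Ask a yes/no question on stdin and return the answer as a bool.

    Args:
        question: text shown to the user; a "[Y/n]"-style hint is appended.
        default: "y" or "n" for the answer assumed when the user just hits
            Enter, or None to require an explicit answer.

    Returns:
        True for "y", False for "n".

    Raises:
        ValueError: if ``default`` is not "y", "n" or None.
    """
    prompts = {None: " [y/n] ", "y": " [Y/n] ", "n": " [y/N] "}
    if default not in prompts:
        raise ValueError("Invalid default answer: '%s'" % default)
    prompt = prompts[default]
    while True:
        sys.stdout.write("{}{}".format(question, prompt))
        choice = input().lower()
        if default is not None and choice == '':
            return valid[default]
        if choice in valid:
            return valid[choice]
        sys.stdout.write("Please respond with 'y' or 'n' \n")


def ssh_connection(device, device_ip, username, password, my_command):
    """Open an SSH session, send one command string and disconnect.

    Args:
        device: netmiko device_type, e.g. 'cisco_ios'.
        device_ip: management address to connect to.
        username, password: login credentials.
        my_command: text handed to send_command() verbatim; callers embed
            newlines to drive multi-line dialogues.

    Returns:
        The command output (the callers on this page ignore it).

    Raises:
        Whatever ConnectHandler()/send_command() raise, e.g.
        NetMikoTimeoutException when the device cannot be reached.
    """
    net_connect = ConnectHandler(device_type=device, ip=device_ip,
                                 username=username, password=password)
    try:
        return net_connect.send_command(my_command)
    finally:
        # Tear the session down even when send_command() fails.
        net_connect.disconnect()


def install_premium_license(device_ip, device, DeviceName):
    """Enable the premium license level on one device and reload it.

    Logs in with the RADIUS credentials. Reads the module globals Devices
    (for the progress step) and, when present, pbar (the tqdm bar the
    caller creates); a missing pbar no longer aborts the task.
    TODO: find a way to apply concurrency to the net_connect instances.
    """
    print("""
!#***************************************************************!#
!# It is advised to take a snapshot after installing the premium !#
!# license on each box in ESXi, as the trials are only limited   !#
!# to so many days. Be sure to take your snapshots after running !#
!# this script!                                                  !#
!#***************************************************************!#
""")
    try:
        my_command = "\nconfigure terminal\nlicense boot level premium\nyes\nend\nwrite\nreload\n"
        ssh_connection(device, device_ip, radiususer, radiuspass, my_command)
    except NetMikoTimeoutException:
        print("[!] Could not connect to device {}. Skipping...".format(DeviceName))
    except EOFError:
        # Presumably the reload closes the session underneath us; ignore.
        pass
    bar = globals().get('pbar')
    if bar is not None:
        bar.update(100 / float(len(Devices)))


def backup_config_single(device_ip, device, DeviceName):
    """Back up one device's running-config to the SCP server over SSH.

    Uses the local-user credentials (backup_config() calls this after its
    serial recovery) and the configured SCP account/host, and records the
    outcome in successful_connections / unsuccessful_connections.
    TODO: merge with backup_config().
    """
    try:
        # The SCP user/host/password come from device-vars.yml (the previous
        # version had the host hard-coded). The password is typed into the
        # device CLI dialogue, so it shows up in any netmiko session log.
        my_command = "copy running-config scp://{}@{}/Documents/backups/{}.txt\n\n\n\n{}\n".format(
            scpuser, scpip, DeviceName, scppass)
        ssh_connection(device, device_ip, localusername, localpassword, my_command)
        successful_connections.append(DeviceName)
    except Exception as err:
        print("[!] Backup of device {} failed: {}".format(DeviceName, err))
        unsuccessful_connections.append(DeviceName)


def exclude_devices():
    """Interactively drop devices from the global Devices dict by hostname.

    Lists every device, then reads hostnames until the user types 'done'.
    """
    print("What devices would you like to exclude? Please choose a device based on its hostname\n")
    DeviceNames = []
    for DeviceName in Devices:
        print("[+] {} - {}".format(DeviceName, Devices[DeviceName]['mgmt_ip']))
        DeviceNames.append(DeviceName)
    print("[+] To finish your selections, type in 'done' when you are complete.")
    while True:
        exclude_device = input()
        if exclude_device == "done":
            break
        if exclude_device not in DeviceNames:
            print("[!] Invalid entry. Please make sure you are entering a valid hostname.")
            continue
        try:
            del Devices[exclude_device]
        except KeyError:
            # Still in DeviceNames but already removed from Devices.
            print("[!] That device has already been excluded.")
            continue
        print("[+] Excluded device {} from task.".format(exclude_device))


def default_configurations():
    """Save, erase the startup-config and reload every device in Devices.

    Uses the RADIUS credentials; unreachable devices are skipped.
    """
    device = 'cisco_ios'
    print("[+] Initiating startup configuration wipe of all applicable devices\n")
    for DeviceName in Devices:
        device_ip = Devices[DeviceName]['mgmt_ip']
        try:
            my_command = "\nend\nwrite memory\nwrite erase\n\nreload\n\n"
            ssh_connection(device, device_ip, radiususer, radiuspass, my_command)
            print("[+] Configuration wiped successfully for device {}".format(DeviceName))
            time.sleep(5)
        except NetMikoTimeoutException:
            print("[!] Could not connect to device {}. Skipping...".format(DeviceName))
            continue
        except Exception as err:
            # Best effort: report and move on to the next device.
            print("[!] Wipe of device {} failed: {}".format(DeviceName, err))


def ping_em_all(device_ip, DeviceName, pingable_devices, unpingable_devices, limbo):
    """Probe one device and file it under pingable or unpingable.

    On Python 2 this shells out to the platform's ``ping``; on Python 3 it
    is a TCP connect to port 22 with a one-second timeout, so a host that
    answers ICMP but has no SSH listener counts as unreachable.

    Args:
        device_ip: address; a trailing newline (readline leaves one) is
            stripped before use.
        DeviceName: key used in the result dicts.
        pingable_devices, unpingable_devices: dicts filled in place.
        limbo: file object that swallows ping's stdout/stderr.
    """
    target = device_ip.rstrip('\n')
    if is_py2:
        system = platform.system()
        if "Linux" in system:
            ping_cmd = ['ping', '-c', '2', '-w', '2', '-q', target]
        elif "Darwin" in system:
            # Darwin is Mac OSX
            ping_cmd = ['ping', '-c', '2', '-t', '2', '-q', '-n', target]
        else:
            # Only other would be Windows. Subprocess for Cygwin still not supported.
            ping_cmd = ['ping', '-n', '2', '-w', '2', target]
        ping_reply = subprocess.Popen(ping_cmd, stdout=limbo, stderr=limbo).wait()
    else:
        import socket

        with closing(socket.socket()) as probe:
            probe.settimeout(1)
            try:
                probe.connect((target, 22))
                ping_reply = 0
            except ConnectionRefusedError:
                ping_reply = 2
            except socket.timeout:
                ping_reply = 1
            except OSError:
                # e.g. "network unreachable": previously this killed the
                # thread with a traceback and left the device in Devices.
                ping_reply = 1

    if ping_reply == 0:
        pingable_devices[DeviceName] = device_ip
    else:
        # 1 (timeout / ping failure) and 2 (refused) are both unreachable.
        unpingable_devices[DeviceName] = device_ip


def ip_reachability_group():
    """Probe every device in parallel and optionally drop the unreachable ones.

    Publishes the module global unpingable_devices and prints the devices
    that remain in Devices.
    """
    print("\n[+] Checking IP reachability. Please wait...")
    pingable_devices = {}
    global unpingable_devices
    unpingable_devices = {}
    with open(os.devnull, "wb") as limbo:
        create_some_threads(ping_em_all, pingable_devices, unpingable_devices, limbo)
    devices_exclude = query_yes_no("[?] Would you like to exclude all unreachable devices?", default="y")
    if devices_exclude:
        print("[!] Removing devices...")
        for rdevice in unpingable_devices:
            del Devices[rdevice]
        print("\n[!] Removed from future tasks:")
        for rdevice in sorted(unpingable_devices):
            print("| [-] {} - {}".format(rdevice, unpingable_devices[rdevice]))
    else:
        print("[!] Unreachable devices:")
        print("*" * 30)
        for unreach in unpingable_devices:
            print("| [-] {} - {}".format(unreach, unpingable_devices[unreach]))
        print("*" * 30)
    print("\n[+] Devices remaining:")
    print("{}".format("*" * 30))
    for DeviceName in sorted(Devices):
        print("| [+] {} - {}".format(DeviceName, Devices[DeviceName]['mgmt_ip']))
    print("*" * 30)


def get_bgp_asn(device_ip, DeviceName, output_q):
    """Read the BGP ASN of one router and queue a formatted table row.

    Puts {DeviceName: row} on output_q; "N/A" when no "router bgp" line is
    configured. Login failures are reported, nothing is queued.
    """
    device = 'cisco_ios'
    try:
        net_connect = ConnectHandler(device_type=device, ip=device_ip,
                                     username=radiususer, password=radiuspass)
        try:
            output = net_connect.send_command("show run | inc router bgp\n")
        finally:
            net_connect.disconnect()
        newoutput = output.replace("router bgp ", "") if "bgp" in output else "N/A"
        # Pad name and ASN so the rows line up inside the "=" box the caller prints.
        row = "| ASN for device {}: {}{}{}".format(
            DeviceName, newoutput, " " * (7 - len(DeviceName)), (" " * (5 - len(newoutput))) + "|")
        output_q.put({DeviceName: row})
    except Exception:
        print("[!] Something went wrong on device {}. Do you have the correct login credentials?".format(DeviceName))


def backup_config():
    """Back up every device's running-config to the SCP server.

    Tries SSH with the RADIUS credentials first; on failure it configures
    the management interface over the serial console (telnet_attempt) and
    retries with the local credentials (backup_config_single). Publishes
    successful_connections, unsuccessful_connections and device_ip as
    module globals (telnet_attempt reads device_ip).
    """
    global unsuccessful_connections
    unsuccessful_connections = []
    global successful_connections
    successful_connections = []
    print("[+] Initiating device backup procedure.")
    for DeviceName in Devices:
        global device_ip
        device_ip = Devices[DeviceName]['mgmt_ip']
        device = 'cisco_ios'
        try:
            my_command = "copy running-config scp://{}@{}/Documents/backups/{}.txt\n\n\n\n{}\n".format(
                scpuser, scpip, DeviceName, scppass)
            ssh_connection(device, device_ip, radiususer, radiuspass, my_command)
            successful_connections.append(DeviceName)
        except Exception:
            print("[+] Could not SSH to device {}. Trying serial connection...".format(DeviceName))
            telnet_attempt(DeviceName)
            backup_config_single(device_ip, device, DeviceName)
    print("")
    print("Successful backups:")
    for name in successful_connections:
        print("[+] {}".format(name))
    print("")
    print("Unsuccessful backups:")
    for name in unsuccessful_connections:
        print("[-] {}".format(name))
    print("")


def _tn_send(connection, payload):
    """Write *payload* to a telnetlib connection, encoding text to bytes.

    telnetlib only accepts bytes on Python 3 (sending str raised TypeError
    in the previous version); on Python 2 str already is bytes.
    """
    if not isinstance(payload, bytes):
        payload = payload.encode('utf-8')
    connection.write(payload)


def telnet_initial(device_ip, DeviceName, domainname, localusername, localpassword):
    """Bootstrap one device over its serial-over-telnet console.

    Sets hostname and domain name, generates an RSA key, addresses Gig2,
    creates a privilege-15 local user, sets the enable secret, adds a
    default route and restricts the vty lines to SSH, then saves.
    Console parameters come from Devices[DeviceName]['serial_ip'] and
    ['serial_port'].

    Args:
        device_ip: address assigned to Gig2 (mask fixed at 255.255.255.224).
        DeviceName: hostname to set; also the key into Devices.
        domainname: value for "ip domain-name".
        localusername, localpassword: local account to create; the
            password doubles as the enable secret.

    Failures are reported, not raised, so one device cannot take the other
    worker threads down with it.
    """
    try:
        serialip = Devices[DeviceName]['serial_ip']
        port = Devices[DeviceName]['serial_port']
        # Timeouts in seconds: for the connection attempt and for each read_until().
        connection_timeout = 5
        reading_timeout = 5
        connection = telnetlib.Telnet(serialip, port, connection_timeout)
        # Compared as text because YAML may deliver the port as an int.
        if str(port) != '23':
            # Telnet option negotiation for a terminal-server port, kept
            # byte-for-byte. NOTE(review): the space inside the third
            # sequence looks like a typo for \xff\xfd\x03 — confirm against
            # the terminal server before changing it.
            for negotiation in (b'\xff\xfc\x25',
                                b'\xff\xfb\x00',
                                b'\xff\xfd\x00\xff\xfb\x03\xff\xfd \x03\xff\xfd\x01\xff\xfe\xe8',
                                b'\xff\xfe\x2c'):
                _tn_send(connection, negotiation)
                time.sleep(1)
        # Waiting to be asked for a username; serial over telnet requires a carriage return.
        _tn_send(connection, "\r\n")
        time.sleep(2)
        connection.read_until(b">", reading_timeout)
        _tn_send(connection, "enable\r\n")
        _tn_send(connection, "configure terminal\r\n")
        connection.read_until(b"(config)#", reading_timeout)
        time.sleep(1)
        _tn_send(connection, "hostname %s\r\n" % DeviceName)
        _tn_send(connection, "ip domain-name %s\r\n" % domainname)
        _tn_send(connection, "crypto key generate rsa general-keys modulus 2048\r\n")
        time.sleep(3)  # give key generation a moment before more input
        _tn_send(connection, "interface Gig2\r\n")
        _tn_send(connection, "ip address %s 255.255.255.224\r\n" % device_ip)
        _tn_send(connection, "no shutdown\r\n")
        time.sleep(1)
        _tn_send(connection, "enable secret %s\r\n" % localpassword)
        # The default route carries an AD of 2 because the lab scenarios
        # sometimes configure their own default route.
        _tn_send(connection, "ip route 0.0.0.0 0.0.0.0 10.51.60.33 2\n")
        _tn_send(connection, "username %s privilege 15 secret %s\r\n" % (localusername, localpassword))
        _tn_send(connection, "line vty 0 4\r\n")
        _tn_send(connection, "login local\r\n")
        _tn_send(connection, "transport input ssh\r\n")
        _tn_send(connection, "end\r\n")
        _tn_send(connection, "write memory\r\n")
        time.sleep(2)
        print("[+]Resolving ARP entry for device %s." % DeviceName)
        _tn_send(connection, "ping 208.67.222.222\n")
        time.sleep(2)
        print("[+]In-band interface configuration successful for device %s." % DeviceName)
        connection.read_very_eager()
        connection.close()
        time.sleep(4)
    except Exception as err:
        print("[!] Serial over telnet attempt failed for device %s. (%s)" % (DeviceName, err))


def telnet_attempt(DeviceName):
    """Re-address Gig2 over the serial console so SSH can be retried.

    Reads the module globals device_ip (set by backup_config()),
    localusername and localpassword, and the console parameters from
    Devices[DeviceName]. On failure the device is added to
    unsuccessful_connections.
    """
    try:
        print("[+] Attempting Out-of-Band IP configuration of device...")
        # Telnet parameters: terminal-server address and port (23 is the default anyway).
        serialip = Devices[DeviceName]['serial_ip']
        port = Devices[DeviceName]['serial_port']
        # Timeouts in seconds: for the connection attempt and for each read_until().
        connection_timeout = 5
        reading_timeout = 5
        connection = telnetlib.Telnet(serialip, port, connection_timeout)
        # Wake the line and wait to be asked for a username.
        _tn_send(connection, "\n")
        time.sleep(1)
        connection.read_until(b"Username:", reading_timeout)
        _tn_send(connection, localusername + "\n")
        # Wait to be asked for the password.
        connection.read_until(b"Password:", reading_timeout)
        _tn_send(connection, "{}\n".format(localpassword))
        time.sleep(30)
        # Entering global config mode
        _tn_send(connection, "end\n")
        time.sleep(1)
        _tn_send(connection, "configure terminal\n")
        time.sleep(1)
        _tn_send(connection, "interface Gig2\n")
        time.sleep(1)
        _tn_send(connection, "ip address {} 255.255.255.224\n".format(device_ip))
        _tn_send(connection, "no shutdown\n")
        time.sleep(1)
        _tn_send(connection, "interface Gig2\n")
        _tn_send(connection, "no shutdown\n")
        time.sleep(5)
        print("[+]In-band interface configuration successful for device {}. Trying SSH connection again.".format(DeviceName))
        connection.close()
        time.sleep(20)
    except Exception as err:
        print("[!] Serial over telnet attempt failed for device {}. ({})".format(DeviceName, err))
        unsuccessful_connections.append(DeviceName)


def _choose_credentials():
    """Ask whether to use the local or the RADIUS account; return (username, password)."""
    while True:
        localorradius = input("[?] Are you currently using RADIUS or local credentials? [local/radius]\n")
        if localorradius == 'local':
            return localusername, localpassword
        if localorradius == 'radius':
            return radiususer, radiuspass
        print("[!] Invalid input. Please try again.\n")


def reinitialize_basehardening():
    """Push the rendered baseline/hardening build to every device via NAPALM."""
    username, password = _choose_credentials()
    print("[+] Copying baseline and hardening scripts to devices.\n")
    driver = "ios"
    create_some_threads(basehardening_install, driver, username, password)


def basehardening_install(device_ip, DeviceName, driver, username, password):
    """Replace one device's config with Builds/<DeviceName>.cfg using NAPALM.

    Args:
        device_ip: management address.
        DeviceName: selects the build file and names the device.
        driver: NAPALM driver name, e.g. "ios".
        username, password: credentials for the NAPALM session.
    """
    from napalm import get_network_driver
    optional_args = {'global_delay_factor': 3}
    driver_cls = get_network_driver(driver)
    device = driver_cls(device_ip, username, password, optional_args=optional_args)
    device.open()
    try:
        device.load_replace_candidate(filename='Baseline&Hardening_Configurations/Builds/{}.cfg'.format(DeviceName))
        device.commit_config()
    finally:
        device.close()


def choose_scenario_type():
    """Trim the global Devices dict to routers, switches or both by prompt.

    A device counts as a router when its name contains "IOSV" or "R" (the
    same test render_templates() uses) and as a switch when it contains
    "SW".
    """
    while True:
        RandS = input('[?] Are these configurations for a switching lab, a routing lab, or both? Choose one of the three options: [sw/rt/both]')
        if RandS == 'rt':
            # Previously this used "or", which also dropped every IOSV device
            # whose name lacks an "R"; a device is a switch only when it
            # matches neither router pattern.
            Switching_Devices = [name for name in Devices
                                 if 'IOSV' not in name and 'R' not in name]
            for Switch in Switching_Devices:
                del Devices[Switch]
            break
        elif RandS == 'sw':
            Routing_Devices = [name for name in Devices if 'SW' not in name]
            for Router in Routing_Devices:
                del Devices[Router]
            break
        elif RandS == 'both':
            break
        else:
            print("[!] Invalid input. Please try again!\n")


def _read_menu_int(prompt):
    """Prompt for an integer; return it, or None when the input is not numeric."""
    option = input(prompt)
    try:
        return int(option)
    except ValueError:
        return None


def scenario_configuration_threading():
    """Pick a lab-config set and folder, then push it to every device.

    Purpose: deploys a scenario configuration for a lab workbook. Currently
    only INE's lab workbook is applicable, but this may change in the
    future. Changes the working directory to the chosen folder and runs
    scenario_configuration_install() per device via create_some_threads().
    """
    lab_set = {1: 'advanced.technology.labs', 2: 'advanced.foundation.labs', 3: 'advanced.troubleshooting.labs',
               4: 'full-scale.labs', 5: 'mock.labs', 6: 'Narbik_CCIERS_configurationfiles'}
    for key, value in sorted(lab_set.items()):
        print('- ' + str(key) + ': ' + value)
    while True:
        choice = _read_menu_int("\n[+] Choose which set of lab configs you'd like to use.\n")
        if choice not in lab_set:
            # Covers non-numeric input, 0, negatives and values past the end.
            print("[!] You chose an incorrect value. Try again.\n")
            continue
        if choice == 6:
            print("[!] These configurations are not available yet! Will be available soon!")
            continue
        path = os.path.join(BASE_PATH, 'Scenario_Configurations',
                            'ine.ccie.rsv5.workbook.initial.configs', lab_set[choice])
        break
    os.chdir(path)
    print("[+] Which Baseline Configs would you like to implement?\n")
    dir_output = list(enumerate(sorted(os.listdir('.')), start=1))
    # Print the options in three columns. Pad to a multiple of three so the
    # last row is shown; zip() silently truncated it before.
    padded = dir_output + [''] * (-len(dir_output) % 3)
    for a, b, c in zip(padded[::3], padded[1::3], padded[2::3]):
        print("{}{}{}{}{}".format(a, " " * (53 - len(str(a))), b, " " * (50 - len(str(b))), c))
    while True:
        choice = _read_menu_int("[+] Choose an option by integer.\n")
        if choice is None or not 1 <= choice <= len(dir_output):
            print("[!] You chose an incorrect value. Try again.\n")
            continue
        initial_config_folder = dir_output[choice - 1][1]
        os.chdir(initial_config_folder)
        print("[+] Pushing scenario configurations to all devices.")
        create_some_threads(scenario_configuration_install)
        break


def create_some_threads(my_target, *my_args, **my_keyword_args):
    """Run my_target once per device in Devices, in parallel, and wait.

    Each worker calls my_target(device_ip, DeviceName, *my_args,
    **my_keyword_args); devices are started in sorted name order.
    """
    workers = []
    for DeviceName in sorted(Devices):
        device_ip = Devices[DeviceName]['mgmt_ip']
        worker = threading.Thread(target=my_target,
                                  args=(device_ip, DeviceName) + my_args,
                                  kwargs=my_keyword_args)
        worker.start()
        workers.append(worker)
    # Join only the threads started here; joining every non-main thread
    # would also block on unrelated threads (e.g. a progress-bar monitor).
    for worker in workers:
        worker.join()


def scenario_configuration_install(device_ip, DeviceName):
    """Push <DeviceName>.txt from the current directory to one device.

    Lines are normalised to end in CRLF (lines already containing '\\r'
    pass through unchanged) and sent with send_config_set() using the
    RADIUS credentials. A connection timeout is reported and skipped.
    """
    device = 'cisco_ios'
    with open('{}.txt'.format(DeviceName), 'r') as selected_cmd_file:
        command_set = []
        for each_line in selected_cmd_file:
            if '\r' not in each_line:
                each_line = "{}\r\n".format(each_line.strip('\n'))
            command_set.append(each_line)
    try:
        net_connect = ConnectHandler(device_type=device, ip=device_ip,
                                     username=radiususer, password=radiuspass)
        try:
            net_connect.send_config_set(command_set)
        finally:
            net_connect.disconnect()
    except NetMikoTimeoutException:
        print("[!] Could not connect to device {}. Skipping scenario configuration.".format(DeviceName))
        return
    print("[+] Scenario configuration of device {} successful.".format(DeviceName))


def render_templates():
    """Render Base&Hardening.template into Builds/<name>.cfg for each router.

    Reads device-vars.yml from the current directory with yaml.safe_load
    (it is plain data; the full loader would let a crafted file build
    arbitrary Python objects) and renders a config for every device whose
    name contains "IOSV" or "R".
    """
    from jinja2 import Environment, FileSystemLoader
    env = Environment(loader=FileSystemLoader('./'))

    with open("device-vars.yml") as main_variables_file:
        main_variables = yaml.safe_load(main_variables_file)
    device_map = main_variables['Devices']
    template = env.get_template("Baseline&Hardening_Configurations/Templates/Base&Hardening.template")
    for DeviceName in device_map:
        if "IOSV" in DeviceName or "R" in DeviceName:
            entry = device_map[DeviceName]
            config_template = template.render(main_variables, hostname=DeviceName,
                                              mgmt_ip=entry['mgmt_ip'], mgmt_mask=entry['mgmt_mask'])
            with open("Baseline&Hardening_Configurations/Builds/{}.cfg".format(DeviceName), 'w') as config_output:
                config_output.write(config_template)


def get_the_facts():
    """Collect NAPALM get_facts() from every device and print the key ones.

    Prints os_version, serial_number and model per device. The previous
    version compared device names against those fact keys and so never
    printed anything.
    """
    from napalm import get_network_driver
    username, password = _choose_credentials()
    driver = get_network_driver('ios')
    fact_list = {}
    for DeviceName in Devices:
        device_ip = Devices[DeviceName]['mgmt_ip']
        device = driver(device_ip, username, password)
        device.open()
        try:
            fact_list[DeviceName] = device.get_facts()
        finally:
            device.close()
    print("[+] Done gathering all teh facts! See below.")
    wanted = ("os_version", "serial_number", "model")
    for DeviceName in sorted(fact_list):
        print("{}".format(DeviceName))
        facts = fact_list[DeviceName]
        for key in wanted:
            if key in facts:
                print("{}- {}".format(key, facts[key]))


def restart_boxes():
    """Reset every lab VM through the vSphere Ansible playbook (not an IOS reload).

    Note: install pysphere before running via pip.
    """
    print("[+] Restarting VMs through the Vsphere interface...\n")
    rc = subprocess.call(["ansible-playbook", "-i", "Vsphere-Automation/hosts", "Vsphere-Automation/vspherescript.yml"])
    if rc != 0:
        print("[!] ansible-playbook exited with status {}.".format(rc))


def main_menu_selection():
    """Show the main menu and dispatch the chosen task until the user exits.

    Publishes pbar (the tqdm bar for the license task) as a module global so
    install_premium_license() can advance it. Ctrl-C exits with a message.
    """
    global pbar
    try:
        print("""
!#***********************************************************************************************!#
!#                                                                                               !#
!#          Welcome to the CCIE Automation script! The purpose of this                           !#
!#          script is to streamline your CSR1000v/IOSv deployment,                               !#
!#          as well as the physical switches in your environment. Be sure.                       !#
!#          to appropriately define your variables in the device-vars.yml.                       !#
!#          file before proceeding. Please use the example file in this                          !#
!#          program's local directory.                                                           !#
!#                                                                                               !#
!#***********************************************************************************************!#
""")
        in_place = query_yes_no("[?] Do you already have the yaml file setup properly?")
        if not in_place:
            sys.exit("[!] You need to configure your yaml file before proceeding.")
        main_menu = {}
        main_menu['1'] = "Establish basic connectivity to the boxes"
        main_menu['2'] = "Convert running configurations to baseline/hardening templates"
        main_menu['3'] = "Enable premium license (Note: This MUST be enabled for certain scenario configurations!)"
        main_menu['4'] = "Push Scenario Configurations (INE)"
        main_menu['5'] = "Run configuration Backup"
        main_menu['6'] = "Get BGP ASNs for all routers"
        main_menu['7'] = "Wipe device configurations and start from scratch"
        main_menu['8'] = "Get device facts"
        main_menu['9'] = "Restart all routers (Resets the VM, NOT a reload command)"
        main_menu['10'] = "Exit"
        while True:
            # sorted() returns a new list; the old code discarded it and
            # printed in dict order.
            options = sorted(main_menu, key=int)
            print("!#{}!#".format("*" * 95))
            print("!#{}!#".format(" " * 95))
            menu_num = 1
            for entry in options:
                print("!# [+]{} {}{}!#".format(entry, main_menu[entry], " " * (90 - len(main_menu[entry]) - len(str(menu_num)))))
                menu_num += 1
            print("!#{}!#".format(" " * 95))
            print("!#{}!#".format("*" * 95))
            print("")
            selection = input("[*] Please select the option you'd like to run:\n")
            if selection == '1':
                domainname = input("[?] What is your FQDN?\n")
                print("[+] Attempting Out-of-Band IP configuration of all devices...")
                create_some_threads(telnet_initial, domainname, localusername, localpassword)
                input("[+] Task completed. Press enter to return to the main menu\n")
            elif selection == '2':
                time_before = time.time()
                choose_scenario_type()
                templates_created = query_yes_no("[?] Have the templates already been created?")
                if not templates_created:
                    print("[!] Rendering templates...")
                    render_templates()
                    print("[+] Done.")
                print("[+] Applying configurations...")
                reinitialize_basehardening()
                time_after = time.time()
                print("[+] All configurations have been converted to the bare baseline/hardening templates successfully.\n")
                print("[+] Total time to completion: {} seconds".format(round(time_after - time_before, 2)))
                input("[+] Task completed. Press enter to return to the main menu\n")
            elif selection == '3':
                device = 'cisco_ios'
                pbar = tqdm(total=100)
                for DeviceName in Devices:
                    device_ip = Devices[DeviceName]['mgmt_ip']
                    print("\n[+] Progress:\n")
                    install_premium_license(device_ip, device, DeviceName)
                pbar.close()
            elif selection == '4':
                choose_scenario_type()
                exclude = query_yes_no("[?] Would you like to exclude any additional devices prior to pushing scenario configs?", default="n")
                if exclude:
                    exclude_devices()
                time_before = time.time()
                scenario_configuration_threading()
                time_after = time.time()
                print("[+] Total time to completion: {} seconds".format(round(time_after - time_before, 2)))
                print("")
                input("[+] Task completed. Press enter to return to the main menu\n")
            elif selection == '5':
                # The Linux SCP server used in this script is natively installed. One issue you
                # may encounter is one of your switches or routers not having a cipher
                # supported by the SCP server. To change this, edit your ssh configuration
                # in the /etc/ssh/sshd_config file.
                exclude = query_yes_no("[?] Would you like to exclude any devices from your backup?", default="n")
                if exclude:
                    exclude_devices()
                backup_config()
            elif selection == '6':
                print("[+] Getting BGP ASNs for all routers...")
                time_before = time.time()
                print("\n" + "=" * 32)
                output_q = Queue()
                workers = []
                for DeviceName, value in Devices.items():
                    if value["device_type"] == "router":
                        device_ip = Devices[DeviceName]['mgmt_ip']
                        worker = threading.Thread(target=get_bgp_asn, args=(device_ip, DeviceName, output_q))
                        worker.start()
                        workers.append(worker)
                # Wait for the threads started above to complete
                for worker in workers:
                    worker.join()

                # Retrieve everything off the queue
                while not output_q.empty():
                    my_dict = output_q.get()
                    for val in my_dict.values():
                        print(val)
                print(("=" * 32) + "\n")
                print("[+] Done")
                time_after = time.time()
                print("[+] Total time to completion: {} seconds".format(round(time_after - time_before, 2)))
                input("[+] Task completed. Press enter to return to the main menu\n")
            elif selection == '7':
                exclude = query_yes_no("[?] Would you like to exclude any devices from your config wipe?", default="n")
                if exclude:
                    exclude_devices()
                default_configurations()
            elif selection == '8':
                time_before = time.time()
                get_the_facts()
                time_after = time.time()
                print("[+] Total time to completion: {} seconds".format(round(time_after - time_before, 2)))
                input("[+] Task completed. Press enter to return to the main menu\n")
            elif selection == '9':
                restart_boxes()
            elif selection == '10':
                print("Bye")
                break
            else:
                print("[!] Invalid option. Please try again.\n")
    except KeyboardInterrupt:
        # The old code re-raised KeyboardInterrupt, so the sys.exit() after
        # it never ran and the user got a traceback instead of the message.
        sys.exit("\n[!] Keyboard Interrupt detected. Goodbye!")


if __name__ == "__main__":
    with open('device-vars.yml', 'r') as var_file:
        # safe_load: the file is plain data; yaml.load() without a Loader
        # would let a crafted YAML file instantiate arbitrary Python objects.
        stream = yaml.safe_load(var_file)
    Devices = stream['Devices']
    parser = ArgumentParser(description='Select options.')

    # Input parameters
    parser.add_argument('-verify', '--verify_bool', type=str, default='Yes',
                        help="Check IP reachability first and drop unreachable devices (Yes/No)")
    args = parser.parse_args()
    verification = args.verify_bool
    # Accept "Yes", "yes" or "y"; the previous exact match silently skipped
    # the check for anything but "Yes".
    if verification.lower() in ("yes", "y"):
        print("[!] Need to check IP reachability and removable any unreachable devices first. Please wait...")
        ip_reachability_group()
        in_place = query_yes_no("\nDevices that are reachable are listed above. Proceed?")
        if not in_place:
            sys.exit("Exiting!")
    call_variables(stream)
    main_menu_selection()
-------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OfWolfAndMan/CCIE-Lab-Automation/d06ae9dd2295e8c9d1426522a995f382783c2360/Baseline&Hardening_Configurations/.DS_Store -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Base&Hardening_Generic.txt: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | enable 5 | ! 6 | configure terminal 7 | ! 8 | no service pad 9 | service tcp-keepalives-in 10 | service tcp-keepalives-out 11 | service password-encryption 12 | 13 | no logging console 14 | ! 15 | aaa new-model 16 | ! 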
17 | aaa authentication attempts login 4 18 | aaa authentication login default group radius local 19 | aaa authentication enable default group radius enable 20 | aaa authorization exec default group radius local 21 | aaa accounting exec default start-stop group radius 22 | 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | 27 | ip tcp synwait-time 10 28 | ip ssh time-out 60 29 | ip ssh authentication-retries 3 30 | ip ssh source GigabitEthernet0/1 31 | ip ssh version 2 32 | ip scp server enable 33 | 34 | ip radius source-interface GigabitEthernet0/1 35 | no ip http server 36 | no ip http secure-server 37 | 38 | interface GigabitEthernet0/0 39 | no ip proxy-arp 40 | no ip unreachables 41 | no ip redirects 42 | no shutdown 43 | 44 | interface range Gig2-3 45 | no ip proxy-arp 46 | no ip unreachables 47 | no ip redirects 48 | no snmp trap link-status 49 | 50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | 53 | interface GigabitEthernet0/1 54 | description <===Connection to Lab Full Mesh===> 55 | 56 | interface GigabitEthernet0/2 57 | description <===UNUSED===> 58 | 59 | ip access-list standard SSH_ACCESS 60 | remark JumpBox_VM Access 61 | permit 10.1.1.5 log 62 | remark Rpi3 Access 63 | permit 192.168.1.15 log 64 | remark Trusted_Users Access 65 | permit 192.168.100.0 0.0.0.255 log 66 | permit 172.17.1.0 0.0.0.255 log 67 | 68 | kron policy-list Daily_Backup 69 | cli write memory 70 | 71 | kron occurrence Daily_Backup at 16:30 recurring 72 | policy-list Daily_Backup 73 | 74 | radius server PI 75 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 76 | key 7 Radiuskey 77 | 78 | alias exec sr show run 79 | alias exec siib show ip int brief 80 | alias exec scn show cdp neighbors 81 | 82 | banner login ^CC 83 | ****************************** WARNING *************************** 84 | | This system is restricted solely to KaliMac authorized personnel | 85 | | for legitimate business 
purposes only. The actual or attempted | 86 | | unauthorized access, use or modification of this system is strictly| 87 | | prohibited. Unauthorized personnel are subject to KaliMac's | 88 | | disciplinary proceedings and/or criminal/civil penalties under | 89 | | state, federal or other applicable domestic/foreign laws. The | 90 | | use of this system is monitored and recorded for administrative | 91 | | and security reasons. Anyone accessing this system expressly | 92 | | consents to such monitoring and is advised that if such | 93 | | monitoring reveals possible evidence of criminal activity, | 94 | | KaliMac may provide the evidence of such activity to law | 95 | | enforcement officials. | 96 | ******************************************************************** 97 | ^C 98 | 99 | 100 | line con 0 101 | exec-timeout 5 0 102 | privilege level 15 103 | line aux 0 104 | no exec 105 | transport input none 106 | line vty 0 4 107 | access-class SSH_ACCESS in 108 | exec-timeout 10 109 | privilege level 15 110 | line vty 5 15 111 | no exec 112 | transport input none 113 | 114 | ntp source GigabitEthernet0/1 115 | ntp server time-c.nist.gov 116 | ntp server utcnist.colorado.edu 117 | 118 | end 119 | 120 | write memory 121 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Base&Hardening_IOSV1.txt: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV1 10 | ! 11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 
22 | ip domain-name yomommashouse.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret secretpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.36 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 
92 | 93 | line con 0 94 | exec-timeout 5 0 95 | privilege level 15 96 | line aux 0 97 | no exec 98 | transport input none 99 | line vty 0 4 100 | access-class SSH_ACCESS in 101 | exec-timeout 10 102 | privilege level 15 103 | transport input ssh 104 | line vty 5 15 105 | no exec 106 | transport input none 107 | ! 108 | ntp source GigabitEthernet0/1 109 | ntp server time-c.nist.gov 110 | ntp server utcnist.colorado.edu 111 | ! 112 | end 113 | ! 114 | write memory 115 | 116 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Builds/IOSV1.cfg: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV1 10 | ! 11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 22 | ip domain-name thebigbadwolf.likes-pie.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret localpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 
50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | ! 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.36 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 92 | line con 0 93 | exec-timeout 5 0 94 | privilege level 15 95 | line aux 0 96 | no exec 97 | transport input none 98 | line vty 0 4 99 | access-class SSH_ACCESS in 100 | exec-timeout 10 101 | privilege level 15 102 | transport input ssh 103 | line vty 5 15 104 | no exec 105 | transport input none 106 | ! 107 | ntp source GigabitEthernet0/1 108 | ntp server time-c.nist.gov 109 | ntp server utcnist.colorado.edu 110 | ! 111 | end 112 | ! 113 | write memory 114 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Builds/IOSV10.cfg: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV10 10 | ! 
11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 22 | ip domain-name thebigbadwolf.likes-pie.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret localpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | ! 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.45 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 
84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 92 | line con 0 93 | exec-timeout 5 0 94 | privilege level 15 95 | line aux 0 96 | no exec 97 | transport input none 98 | line vty 0 4 99 | access-class SSH_ACCESS in 100 | exec-timeout 10 101 | privilege level 15 102 | transport input ssh 103 | line vty 5 15 104 | no exec 105 | transport input none 106 | ! 107 | ntp source GigabitEthernet0/1 108 | ntp server time-c.nist.gov 109 | ntp server utcnist.colorado.edu 110 | ! 111 | end 112 | ! 113 | write memory 114 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Builds/IOSV2.cfg: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV2 10 | ! 11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 22 | ip domain-name thebigbadwolf.likes-pie.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret localpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 
37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | ! 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.37 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 92 | line con 0 93 | exec-timeout 5 0 94 | privilege level 15 95 | line aux 0 96 | no exec 97 | transport input none 98 | line vty 0 4 99 | access-class SSH_ACCESS in 100 | exec-timeout 10 101 | privilege level 15 102 | transport input ssh 103 | line vty 5 15 104 | no exec 105 | transport input none 106 | ! 107 | ntp source GigabitEthernet0/1 108 | ntp server time-c.nist.gov 109 | ntp server utcnist.colorado.edu 110 | ! 111 | end 112 | ! 
113 | write memory 114 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Builds/IOSV3.cfg: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV3 10 | ! 11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 22 | ip domain-name thebigbadwolf.likes-pie.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret localpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | ! 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.38 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 
66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 92 | line con 0 93 | exec-timeout 5 0 94 | privilege level 15 95 | line aux 0 96 | no exec 97 | transport input none 98 | line vty 0 4 99 | access-class SSH_ACCESS in 100 | exec-timeout 10 101 | privilege level 15 102 | transport input ssh 103 | line vty 5 15 104 | no exec 105 | transport input none 106 | ! 107 | ntp source GigabitEthernet0/1 108 | ntp server time-c.nist.gov 109 | ntp server utcnist.colorado.edu 110 | ! 111 | end 112 | ! 113 | write memory 114 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Builds/IOSV4.cfg: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV4 10 | ! 11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 
22 | ip domain-name thebigbadwolf.likes-pie.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret localpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | ! 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.39 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 
92 | line con 0 93 | exec-timeout 5 0 94 | privilege level 15 95 | line aux 0 96 | no exec 97 | transport input none 98 | line vty 0 4 99 | access-class SSH_ACCESS in 100 | exec-timeout 10 101 | privilege level 15 102 | transport input ssh 103 | line vty 5 15 104 | no exec 105 | transport input none 106 | ! 107 | ntp source GigabitEthernet0/1 108 | ntp server time-c.nist.gov 109 | ntp server utcnist.colorado.edu 110 | ! 111 | end 112 | ! 113 | write memory 114 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Builds/IOSV5.cfg: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV5 10 | ! 11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 22 | ip domain-name thebigbadwolf.likes-pie.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret localpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 
50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | ! 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.40 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 92 | line con 0 93 | exec-timeout 5 0 94 | privilege level 15 95 | line aux 0 96 | no exec 97 | transport input none 98 | line vty 0 4 99 | access-class SSH_ACCESS in 100 | exec-timeout 10 101 | privilege level 15 102 | transport input ssh 103 | line vty 5 15 104 | no exec 105 | transport input none 106 | ! 107 | ntp source GigabitEthernet0/1 108 | ntp server time-c.nist.gov 109 | ntp server utcnist.colorado.edu 110 | ! 111 | end 112 | ! 113 | write memory 114 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Builds/IOSV6.cfg: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV6 10 | ! 
11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 22 | ip domain-name thebigbadwolf.likes-pie.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret localpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | ! 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.41 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 
84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 92 | line con 0 93 | exec-timeout 5 0 94 | privilege level 15 95 | line aux 0 96 | no exec 97 | transport input none 98 | line vty 0 4 99 | access-class SSH_ACCESS in 100 | exec-timeout 10 101 | privilege level 15 102 | transport input ssh 103 | line vty 5 15 104 | no exec 105 | transport input none 106 | ! 107 | ntp source GigabitEthernet0/1 108 | ntp server time-c.nist.gov 109 | ntp server utcnist.colorado.edu 110 | ! 111 | end 112 | ! 113 | write memory 114 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Builds/IOSV7.cfg: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV7 10 | ! 11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 22 | ip domain-name thebigbadwolf.likes-pie.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret localpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 
37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | ! 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.42 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 92 | line con 0 93 | exec-timeout 5 0 94 | privilege level 15 95 | line aux 0 96 | no exec 97 | transport input none 98 | line vty 0 4 99 | access-class SSH_ACCESS in 100 | exec-timeout 10 101 | privilege level 15 102 | transport input ssh 103 | line vty 5 15 104 | no exec 105 | transport input none 106 | ! 107 | ntp source GigabitEthernet0/1 108 | ntp server time-c.nist.gov 109 | ntp server utcnist.colorado.edu 110 | ! 111 | end 112 | ! 
113 | write memory 114 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Builds/IOSV8.cfg: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV8 10 | ! 11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 22 | ip domain-name thebigbadwolf.likes-pie.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret localpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | ! 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.43 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 
66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 92 | line con 0 93 | exec-timeout 5 0 94 | privilege level 15 95 | line aux 0 96 | no exec 97 | transport input none 98 | line vty 0 4 99 | access-class SSH_ACCESS in 100 | exec-timeout 10 101 | privilege level 15 102 | transport input ssh 103 | line vty 5 15 104 | no exec 105 | transport input none 106 | ! 107 | ntp source GigabitEthernet0/1 108 | ntp server time-c.nist.gov 109 | ntp server utcnist.colorado.edu 110 | ! 111 | end 112 | ! 113 | write memory 114 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Builds/IOSV9.cfg: -------------------------------------------------------------------------------- 1 | ! 2 | version 15.5 3 | ! 4 | no service pad 5 | service tcp-keepalives-in 6 | service tcp-keepalives-out 7 | service password-encryption 8 | ! 9 | hostname IOSV9 10 | ! 11 | no logging console 12 | ! 13 | aaa new-model 14 | aaa session-id common 15 | ! 16 | aaa authentication attempts login 4 17 | aaa authentication login default group radius local 18 | aaa authentication enable default group radius enable 19 | aaa authorization exec default group radius local 20 | aaa accounting exec default start-stop group radius 21 | ! 
22 | ip domain-name thebigbadwolf.likes-pie.com 23 | ip domain-lookup 24 | ip name-server 208.67.222.222 25 | ip name-server 208.67.220.220 26 | ! 27 | username therootbridge privilege 15 secret localpassword 28 | ! 29 | enable secret secretpassword 30 | ! 31 | crypto key generate rsa general-keys modulus 2048 32 | ! 33 | archive 34 | path flash:archive 35 | write-memory 36 | ! 37 | ip tcp synwait-time 10 38 | ip ssh time-out 60 39 | ip ssh authentication-retries 3 40 | ip ssh source GigabitEthernet0/1 41 | ip ssh version 2 42 | ip scp server enable 43 | ! 44 | ip radius source-interface GigabitEthernet0/1 45 | no ip http server 46 | no ip http secure-server 47 | redundancy 48 | no ipv6 cef 49 | ! 50 | interface GigabitEthernet0/0 51 | description <===Virtual Network Connection===> 52 | no ip proxy-arp 53 | no ip unreachables 54 | no ip redirects 55 | no shutdown 56 | ! 57 | interface GigabitEthernet0/1 58 | description <===Connection to Lab Full Mesh===> 59 | ip address 10.51.60.44 255.255.255.224 60 | no shutdown 61 | no ip proxy-arp 62 | no ip unreachables 63 | no ip redirects 64 | no snmp trap link-status 65 | ! 66 | interface GigabitEthernet0/2 67 | description <===UNUSED===> 68 | no ip proxy-arp 69 | no ip unreachables 70 | no ip redirects 71 | no snmp trap link-status 72 | ! 73 | ip access-list standard SSH_ACCESS 74 | remark JumpBox_VM Access 75 | permit 10.1.1.5 log 76 | remark Rpi3 Access 77 | permit 192.168.1.15 log 78 | remark Trusted_Users Access 79 | permit 192.168.100.0 0.0.0.255 log 80 | permit 172.17.1.0 0.0.0.255 log 81 | ! 82 | ip route 0.0.0.0 0.0.0.0 10.51.60.33 2 83 | ! 84 | radius server PI 85 | address ipv4 192.168.15.180 auth-port 1812 acct-port 1813 86 | key 7 Radiuskey 87 | ! 88 | alias exec sr show run 89 | alias exec siib show ip int brief 90 | alias exec scn show cdp neighbors 91 | ! 
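92 | line con 0 93 | exec-timeout 5 0 94 | privilege level 15 95 | line aux 0 96 | no exec 97 | transport input none 98 | line vty 0 4 99 | access-class SSH_ACCESS in 100 | exec-timeout 10 101 | privilege level 15 102 | transport input ssh 103 | line vty 5 15 104 | no exec 105 | transport input none 106 | ! 107 | ntp source GigabitEthernet0/1 108 | ntp server time-c.nist.gov 109 | ntp server utcnist.colorado.edu 110 | ! 111 | end 112 | ! 113 | write memory 114 | -------------------------------------------------------------------------------- /Baseline&Hardening_Configurations/Templates/Base&Hardening.template: --------------------------------------------------------------------------------
!
{# Rendered by render-templates.py once per "IOSV*" entry in device-vars.yml:
   hostname / mgmt_ip / mgmt_mask come from that device's entry, every other
   variable from the top-level keys of the same file (aaa, domain, nms).
   The checked-in Builds/IOSVn.cfg files appear to be renders of this
   template -- change things here and re-render rather than editing them.
   Comments use "{# ... -#}" so they leave no blank line in the output
   (the README wants no blank lines in files used for configure replace). -#}
version 15.5
!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
{# Obfuscates (type 7) any cleartext key/password in the running config,
   including the AAA server key below.  Type 7 is reversible; it hides
   secrets from a glance at "show run", not from anyone holding the file. -#}
service password-encryption
!
hostname {{ hostname }}
!
{# Console logging is off and this template sets no syslog host, so nothing
   leaves the device; the ACL "log" hits further down are only visible on-box. -#}
no logging console
!
aaa new-model
aaa session-id common
!
{# Method lists: the AAA server group first, "local"/"enable" only as a
   fallback when the group does not answer (per IOS method-list semantics a
   rejected login does not fall through).  nms.aaa.protocol must be
   "radius" or "tacacs" to match the server block further down. -#}
aaa authentication attempts login 4
aaa authentication login default group {{ nms.aaa.protocol }} local
aaa authentication enable default group {{ nms.aaa.protocol }} enable
aaa authorization exec default group {{ nms.aaa.protocol }} local
aaa accounting exec default start-stop group {{ nms.aaa.protocol }}
!
ip domain-name {{ domain.name }}
ip domain-lookup
{% for server in domain.servers -%}
ip name-server {{ server }}
{% endfor -%}
!
{# Fallback admin account and enable secret.  "secret" stores a hash on the
   device, but the cleartext values live in device-vars.yml
   (aaa.localpassword / aaa.secret) -- treat that file as a secret. -#}
username {{ aaa.localuser }} privilege 15 secret {{ aaa.localpassword }}
!
enable secret {{ aaa.secret }}
!
{# Generates a fresh RSA host key each time this template is applied, so SSH
   clients that pinned the previous host key will see it change. -#}
crypto key generate rsa general-keys modulus 2048
!
archive
 path flash:archive
 write-memory
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source GigabitEthernet0/1
ip ssh version 2
{# SCP server for the configuration backups (see README).  It runs over SSH,
   so presumably the SSH_ACCESS ACL and AAA below gate it as well -- confirm
   on the device. -#}
ip scp server enable
!
ip radius source-interface GigabitEthernet0/1
{# No HTTP/HTTPS management at all. -#}
no ip http server
no ip http secure-server
redundancy
no ipv6 cef
!
interface GigabitEthernet0/0
 description <===Virtual Network Connection===>
 no ip proxy-arp
 no ip unreachables
 no ip redirects
 no shutdown
!
interface GigabitEthernet0/1
 description <===Connection to Lab Full Mesh===>
 ip address {{ mgmt_ip }} {{ mgmt_mask }}
 no shutdown
 no ip proxy-arp
 no ip unreachables
 no ip redirects
 no snmp trap link-status
!
interface GigabitEthernet0/2
 description <===UNUSED===>
 no ip proxy-arp
 no ip unreachables
 no ip redirects
 no snmp trap link-status
!
{# Management sources are hard-coded here, not taken from device-vars.yml.
   Permits are logged; the implicit deny at the end is not, so rejected
   connection attempts leave no trace -- add a "deny any log" entry if you
   want to see them. -#}
ip access-list standard SSH_ACCESS
 remark JumpBox_VM Access
 permit 10.1.1.5 log
 remark Rpi3 Access
 permit 192.168.1.15 log
 remark Trusted_Users Access
 permit 192.168.100.0 0.0.0.255 log
 permit 172.17.1.0 0.0.0.255 log
!
{# Static default route with AD 2, also hard-coded. -#}
ip route 0.0.0.0 0.0.0.0 10.51.60.33 2
!
{# "key 0" = cleartext: nms.aaa.key in device-vars.yml is the plain shared
   secret ("Radiuskey"), and service password-encryption rewrites it as
   type 7 in the running config.  The previous "key 7" told IOS the YAML
   value was already a type-7 string, which it is not, so the secret the
   device actually used would not have matched the server. -#}
{% if nms.aaa.protocol == "radius" -%}
radius server {{ nms.aaa.instance_name }}
 address ipv4 {{ nms.aaa.server_ip }} auth-port 1812 acct-port 1813
 key 0 {{ nms.aaa.key }}
{% elif nms.aaa.protocol == "tacacs" -%}
tacacs server {{ nms.aaa.instance_name }}
 address ipv4 {{ nms.aaa.server_ip }}
 key 0 {{ nms.aaa.key }}
{% endif -%}
!
alias exec sr show run
alias exec siib show ip int brief
alias exec scn show cdp neighbors
!
line con 0
 exec-timeout 5 0
 privilege level 15
line aux 0
 no exec
 transport input none
{# Five SSH-only vty sessions, source-filtered by SSH_ACCESS, 10-minute idle
   timeout.  "privilege level 15" drops every authenticated user straight
   into level 15 unless exec authorization returns a lower level from the
   AAA server, i.e. there is effectively no enable step for remote logins --
   lower it if non-admin accounts exist on the server. -#}
line vty 0 4
 access-class SSH_ACCESS in
 exec-timeout 10
 privilege level 15
 transport input ssh
line vty 5 15
 no exec
 transport input none
!
{# Public NTP servers, unauthenticated (no "ntp authenticate"/keys here);
   device time feeds the log timestamps, so accept that only for a lab. -#}
ntp source GigabitEthernet0/1
{% for server in nms.ntp -%}
ntp server {{ server }}
{% endfor -%}
!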
119 | end 120 | ! 121 | write memory 122 | 123 | -------------------------------------------------------------------------------- /Python3 install prereqs - linux: -------------------------------------------------------------------------------- 1 | ###RUN PRIOR TO THE REQUIREMENTS FILE!### 2 | 3 | #Install the following libraries 4 | sudo apt-get install build-essential libssl-dev libffi-dev python-dev 5 | 6 | #Install the following python libraries 7 | pip3 install Crypto pycrypto ezsetup 8 | 9 | #Update the setuptools python library 10 | pip install --upgrade setuptools 11 | 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CCIE-Lab-Automation 2 | ## Version 2.4 3 | 4 | Use this script to automate a CSR1000V/IOSv deployment, primarily within a CCIE lab environment. 5 | 6 | Built in python 2.7. The following are a few features currently available with this script: 7 | 8 | - Baseline and hardening script configuration 9 | 10 | - Scenarios configuration per INE's CCIE topology (Will introduce Micronics' labs into the mix soon) 11 | 12 | - Pull BGP ASNs from all devices 13 | 14 | - Configuration backups to an SCP server (A Raspberry Pi was used for testing) 15 | 16 | - Install trial premium license for extra functionality i.e. Security and Data licenses (MPLS, IPSec) 17 | 18 | - Configure replace function 19 | 20 | - Template rendering with Jinja2 prior to deployment 21 | 22 | - Have an idea? Pitch it! I want to hear it! 
23 | 24 | **Prerequisites & Dependencies:** 25 | 26 | * Python (Duh) 27 | 28 | * Required libraries 29 | 30 | + Netmiko 31 | 32 | + TQDM (Used as a progress bar for tasks) 33 | 34 | + NAPALM (Used for the configure replace operations) 35 | 36 | * SCP server for backups (Can modify for FTP) 37 | 38 | * RADIUS or TACACS+ server for authentication (FreeRADIUS was used in testing on a Raspberry Pi) 39 | 40 | **New in this release:** 41 | 42 | - Code cleanup 43 | 44 | **(Potential) Future Development:** 45 | 46 | - TextFSM integration for data parsing 47 | 48 | - Ansible integration for supplementary configuration management purposes 49 | 50 | - Multithreading abilities for additional functions (Used to speed up the process of pulling data and pushing configurations) 51 | 52 | - Consolidation of certain code to provide greater modularity 53 | 54 | **Additional Details:** 55 | 56 | Baseline script formatting must have the following requirements for configure replace to take it properly: 57 | 58 | - "Version 15.4" (Or the applicable version) 59 | 60 | - "end" command 61 | 62 | - Subcommands, such as those under "interface Gigx/x", must have a space in them to display hierarchy. Otherwise those lines 63 | won't be added. 64 | 65 | - ALL whitespaces should be filled with "!". In addition, it is advised against using a configuration with a banner 66 | in it during configure replace operations 67 | 68 | Paths should be defined in the script to suit your needs. Things that will need to be defined in the YAML (Data structure for external variables) file include: 69 | 70 | - SCP server IP 71 | 72 | - SCP server path 73 | 74 | - Router/Switch serial IPs and ports, and in-band IPs 75 | 76 | - Path to your scenario/baseline/hardening configurations on the box running the script 77 | 78 | - Variables for the Jinja2 templates 79 | 80 | Since release 2.2, Python 2 functionality has been partially broken. 
Working on patching things up, but moving forward, python3 compatibility is a must. 81 | 82 | **To-Do:** 83 | 84 | - Guidance on script usage must be added. Lots of parameters not mentioned 85 | 86 | - The telnet functions can likely be consolidated, (DRY principle) -------------------------------------------------------------------------------- /Vsphere-Automation/ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | inventory=hosts 3 | # as ansible_connection=local 4 | host_key_checking=False 5 | log_path = ~/.ansible/log/ansible.log 6 | host_key_auto_add = True 7 | retry_files_enabled=false 8 | -------------------------------------------------------------------------------- /Vsphere-Automation/group_vars/all.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | vsphere_login: root 4 | vsphere_password: bob-saget! 5 | powerOnTimeout: 3 6 | vcenter_hostname: esxi1 7 | routers: 8 | - IOSV1 9 | - IOSv2 10 | - IOSv3 11 | - IOSv4 12 | - IOSv5 13 | - IOSv6 14 | - IOSv7 15 | - IOSv8 16 | - IOSv9 17 | - IOSV10 18 | -------------------------------------------------------------------------------- /Vsphere-Automation/hosts: -------------------------------------------------------------------------------- 1 | #NOTE: Putting SSH password inline with vars here [group:vars] requires sshpass to be installed. 
2 | #=============================================================================================== 3 | #INSTALLING ON LINUX (DEBIAN): 4 | # apt-get install sshpass -y 5 | #=============================================================================================== 6 | #INSTALLING ON OS X (Must have Homebrew installed!): 7 | # brew install https://raw.githubusercontent.com/kadwanev/bigboybrew/master/Library/Formula/sshpass.rb 8 | #=============================================================================================== 9 | 10 | [all:vars] 11 | ansible_python_interpreter="/usr/bin/env python2" 12 | 13 | [vsphere] 14 | esxi1 15 | 16 | -------------------------------------------------------------------------------- /Vsphere-Automation/vspherescript.yml: --------------------------------------------------------------------------------
---
# Power-cycles the lab VMs through vCenter/ESXi from the control host
# (connection: local).  vsphere_login, vsphere_password, vcenter_hostname,
# routers and powerOnTimeout come from group_vars/all.yml, which currently
# stores the password in plaintext rather than in a vault.
# NOTE(review): vsphere_guest is a legacy module; confirm it still exists in
# the Ansible version this lab runs.

- hosts: vsphere
  gather_facts: false
  connection: local

  tasks:

  # Only proves the two variables are defined; it cannot tell a vaulted
  # value from the plaintext one in group_vars/all.yml, so the message is
  # aspirational until that file is actually encrypted.
  - name: Check for vSphere access parameters
    fail: msg="Must set vsphere_login and vsphere_password in a Vault"
    when: (vsphere_login is not defined) or (vsphere_password is not defined)

  - name: debug vCenter hostname
    debug: msg="vcenter_hostname = '{{ vcenter_hostname }}'"

  # validate_certs: no skips TLS verification of vCenter on every call in
  # this play; the login credentials then go to whatever answers at
  # vcenter_hostname.  Acceptable for an isolated lab with a self-signed
  # certificate, not beyond it.
  - name: power off vm
    vsphere_guest:
      vcenter_hostname: "{{ vcenter_hostname }}"
      username: "{{ vsphere_login }}"
      password: "{{ vsphere_password }}"
      guest: "{{ item }}"
      state: powered_off
      force: yes          # lets the module change the guest's running state; whether it shuts down cleanly first is up to the module -- verify
      validate_certs: no
    with_items: "{{ routers }}"
    tags:
      - reboot
      - shutdown

  # powerOnTimeout is a fixed pause in seconds between the off and on passes
  # (3 in group_vars/all.yml), not a timeout on the power-on itself.
  - name: wait for power off to finish
    pause: seconds="{{ powerOnTimeout }}"

  - name: power on vm for Cisco routers
    vsphere_guest:
      vcenter_hostname: "{{ vcenter_hostname }}"
      username: "{{ vsphere_login }}"
      password: "{{ vsphere_password }}"
      guest: "{{ item }}"
      state: powered_on
      force: yes
      validate_certs: no
    with_items:
      - "{{ routers }}"
    tags:
      - reboot
      - initialize

  # "pfsense" is not defined in the group_vars/all.yml shipped with this play,
  # so the initialize tag fails on an undefined variable unless it is supplied
  # elsewhere (extra-vars, host_vars) -- confirm where it is meant to come from.
  - name: power on vm for PFSense
    vsphere_guest:
      vcenter_hostname: "{{ vcenter_hostname }}"
      username: "{{ vsphere_login }}"
      password: "{{ vsphere_password }}"
      guest: "{{ item }}"
      state: powered_on
      force: yes
      validate_certs: no
    with_items:
      - "{{ pfsense }}"
    tags: initialize

-------------------------------------------------------------------------------- /device-vars.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | Devices: 4 | IOSV1: 5 | mgmt_ip: 10.51.60.36 6 | serial_ip: 192.168.10.120 7 | serial_port: 2001 8 | mgmt_mask: 255.255.255.224 9 | device_type: router 10 | IOSV2: 11 | mgmt_ip: 10.51.60.37 12 | serial_ip: 192.168.10.120 13 | serial_port: 2002 14 | mgmt_mask: 255.255.255.224 15 | device_type: router 16 | IOSV3: 17 | mgmt_ip: 10.51.60.38 18 | serial_ip: 192.168.10.120 19 | serial_port: 2003 20 | mgmt_mask: 255.255.255.224 21 | device_type: router 22 | IOSV4: 23 | mgmt_ip: 10.51.60.39 24 | serial_ip: 192.168.10.120 25 | serial_port: 2004 26 | mgmt_mask: 255.255.255.224 27 | device_type: router 28 | IOSV5: 29 | mgmt_ip: 10.51.60.40 30 | serial_ip: 192.168.10.120 31 | serial_port: 2005 32 | mgmt_mask: 255.255.255.224 33 | device_type: router 34 | IOSV6: 35 | mgmt_ip: 10.51.60.41 36 | serial_ip: 192.168.10.120 37 | serial_port: 2006 38 | mgmt_mask: 255.255.255.224 39 | device_type: router 40 | IOSV7: 41 | mgmt_ip: 10.51.60.42 42 | serial_ip: 192.168.10.120 43 | serial_port: 2007 44 | mgmt_mask: 255.255.255.224 45 | device_type: router 46 | IOSV8: 47 | mgmt_ip: 10.51.60.43 48 | serial_ip: 192.168.10.120 49 | serial_port: 2008 50 | mgmt_mask: 255.255.255.224 51 | device_type: router 52 | IOSV9: 53 | mgmt_ip: 10.51.60.44 54 | serial_ip: 192.168.10.120 55 | serial_port: 2009 56 | mgmt_mask: 255.255.255.224 57 | device_type: router 58 | IOSV10: 59 | mgmt_ip: 10.51.60.45 60 | serial_ip:
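192.168.10.120 61 | serial_port: 2010 62 | mgmt_mask: 255.255.255.224 63 | device_type: router 64 | SW1: 65 | mgmt_ip: 192.168.10.102 66 | device_type: switch 67 | SW2: 68 | mgmt_ip: 192.168.10.103 69 | device_type: switch 70 | SW3: 71 | mgmt_ip: 192.168.10.104 72 | device_type: switch 73 | SW4: 74 | mgmt_ip: 192.168.10.105 75 | device_type: switch 76 | 77 | users: 78 | localuser: 79 | username: localuser 80 | password: localpass 81 | radius: 82 | username: radiususername 83 | password: radiuspassword 84 | scp: 85 | username: scpusername 86 | password: scppassword 87 | 88 | 89 | domain: 90 | name: thebigbadwolf.likes-pie.com 91 | servers: 92 | - 208.67.222.222 93 | - 208.67.220.220 94 | nms: 95 | ntp: 96 | - time-c.nist.gov 97 | - utcnist.colorado.edu 98 | aaa: 99 | instance_name: PI 100 | protocol: radius 101 | server_ip: 192.168.15.180 102 | key: Radiuskey 103 | scp: 192.168.15.188 104 | 105 | aaa: 106 | localuser: therootbridge 107 | localpassword: localpassword 108 | secret: secretpassword 109 | -------------------------------------------------------------------------------- /render-templates.py: --------------------------------------------------------------------------------
"""Render Base&Hardening.template into one IOS config per IOSV device.

Reads device-vars.yml from the current directory and writes
Baseline&Hardening_Configurations/<DeviceName>.cfg for every entry under
``Devices`` whose name contains "IOSV".  Run it from the repository root:
the template loader and every path below are relative.

Dependencies: PyYAML and Jinja2.  Neither is listed in requirements.txt
directly; presumably they arrive as transitive dependencies of
napalm/netmiko -- pin them explicitly.
"""
import yaml
from jinja2 import Environment, FileSystemLoader, Template

ENV = Environment(loader=FileSystemLoader('./'))

# device-vars.yml holds credentials and is edited by hand, so parse it with
# safe_load: a bare yaml.load() can construct arbitrary Python objects from
# tagged YAML, and PyYAML >= 6 refuses to run it without a Loader at all.
# One read is enough; the previous version parsed the same file twice.
with open("device-vars.yml") as variables_file:
    main_variables = yaml.safe_load(variables_file)
Devices = main_variables['Devices']

template = ENV.get_template("Baseline&Hardening_Configurations/Templates/Base&Hardening.template")

for DeviceName in Devices:
    if "IOSV" not in DeviceName:
        continue  # switch entries (SW1..SW4) carry no mgmt_mask and get no baseline here
    device = Devices[DeviceName]
    # NOTE(review): the committed renders live under .../Builds/, while this
    # writes one directory up -- confirm which location the deploy script reads.
    output_path = "Baseline&Hardening_Configurations/{}.cfg".format(DeviceName)
    with open(output_path, 'w') as config_output:
        # Top-level keys (aaa, domain, nms, ...) are passed as the template
        # context; hostname/mgmt_* are per-device overrides from Devices.
        config_text = template.render(
            main_variables,
            hostname=DeviceName,
            mgmt_ip=device['mgmt_ip'],
            mgmt_mask=device['mgmt_mask'],
        )
        config_output.write(config_text)
-------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | napalm 2 | netmiko 3 | tqdm 4 | --------------------------------------------------------------------------------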