Time-based access lists in the Cisco world have been available since the last century, for sure. But is it possible that Linux doesn't have anything like that? No way, of course it can do it, and do it better. Here is how.
Access control based on the time of day is available via a PAM module, and as almost all software today supports working with PAM modules, it is available universally.
The steps are these:
- Enable the pam_time.so module for the software of interest in its config file under /etc/pam.d;
- Configure the time range(s) during which this service accepts connections using the file /etc/security/time.conf;
- Most probably restart the service, and we are set.
E.g. let's restrict user ftp_user so that it is able to connect to the vsftpd daemon only during working hours on weekdays.
- Add the following line to the file /etc/pam.d/vsftpd
account required /lib/security/pam_time.so
- Set the time limits in /etc/security/time.conf with this line
vsftpd;*;ftp_user;Wk0800-1700
- Restart vsftpd to force it to use the pam_time.so module (needed just the first time)
# service vsftpd restart
And now, during the off-limit hours, ftp_user will not be able to connect by FTP. That is it.
For Checkpoint all the above holds true, but as you don't have many servers there, the most probable candidate for such restrictions is the ssh daemon. For example, a firewall that the client has ssh access to as well: while mail alerts for such access (see Mail alert on ssh access in Checkpoint) will warn me about it, it does me no good if someone on the client side accesses the firewall at 02:00 at night and I get an alert. But if it can happen during working hours only, I can see such an alert and act in real time.
Example of limiting ssh access to the firewall to working hours only.
/etc/security/time.conf:
sshd;*;client_user;Wk0900-1900
/etc/pam.d/sshd:
account required /lib/security/pam_time.so
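To see what the two time.conf lines above actually permit, here is an evaluator for the rule syntax they use. It is an added example, not pam_time's own code: it handles the service;tty;user fields with `*`, `|` and a leading `!`, day codes followed by HHMM-HHMM, and assumes pam_time's behaviour of denying whenever a matching line's time spec does not cover the moment (the exclusive end of a range and the constructed TIME_CONF are my assumptions).

```python
"""Evaluator for the time.conf rule syntax used in the post (added example,
not pam_time's own code).  Handles service;tty;user fields with '*', '|' and
leading '!', and day codes followed by HHMM-HHMM.  Assumes pam_time's rule:
deny when any matching line's time spec does not cover the moment."""
from datetime import datetime

# Day codes per time.conf(5): Wk = Mon-Fri, Wd = Sat/Sun, Al = every day
DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4},
             "Sa": {5}, "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6},
             "Al": {0, 1, 2, 3, 4, 5, 6}}

def field_matches(field, value):
    """'*' matches anything, 'a|b' lists alternatives, leading '!' negates."""
    negate = field.startswith("!")
    hit = any(alt in ("*", value) for alt in field.lstrip("!").split("|"))
    return hit != negate

def time_matches(spec, when):
    """Does a 'Wk0800-1700'-style spec cover datetime `when`?  Start inclusive,
    end exclusive (assumption); end < start (e.g. 2200-0600) wraps midnight."""
    i, days = 0, set()
    while spec[i:i + 2] in DAY_CODES:
        days |= DAY_CODES[spec[i:i + 2]]
        i += 2
    start, end = (int(t) for t in spec[i:].split("-"))
    now = when.hour * 100 + when.minute
    if when.weekday() not in days:
        return False
    return start <= now < end if start <= end else (now >= start or now < end)

def allowed(conf_text, service, user, when, tty="*"):
    """True if time.conf lets `user` use `service` at `when` (datetime or ISO string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc, ttys, users, times = line.split(";")
        if all(field_matches(f, v) for f, v in
               ((svc, service), (ttys, tty), (users, user))):
            if not any(time_matches(t, when) for t in times.split("|")):
                return False  # a matching rule excludes this moment
    return True

# Constructed config combining both rules from the post
TIME_CONF = "vsftpd;*;ftp_user;Wk0800-1700\nsshd;*;client_user;Wk0900-1900\n"
```

Users and services that no line mentions are left alone, exactly as with pam_time, so a restriction only bites the accounts you name.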
Posted in Checkpoint NG/NGX, Linux.
Tagged with Checkpoint, Stories from the trenches.
By Yuri
– November 14, 2011
It is hard to argue that logs are only as good as they are correct, and correct timestamps in the logs are crucial to this. The internal clock is prone to drifting over time; in my experience I've seen some UTM appliances drift as much as 40 minutes in just one year! Even worse is that you can never be sure of the drift distribution over time: it may be an incremental drift every day, or a sudden jump due to who knows what.
To prevent this from happening I use NTP time synchronization on all of my servers and firewalls. If you have been in system administration for some time this is old news for you: just use the ntpd daemon and pool.ntp.org servers located close to you, and you are set in 5 minutes.
In Checkpoint they took the hardening of the underlying OS to the extreme and supplied only the outdated ntpdate utility for the task; no ntpd for us.
Not a big deal: I use the cron job below to run ntpdate every 30 minutes to update the firewall clock, and you had better do the same.
*/30 * * * * /usr/sbin/ntpdate 1.uk.pool.ntp.org > /dev/null
Cheers
Posted in Checkpoint NG/NGX.
Tagged with Checkpoint.
By Yuri
– November 12, 2011
Q. How do I see the available interfaces, errors on them, and IP addresses?
A. # ifconfig
Q. How do I see the routing table of the firewall?
A. # route -en
Destination Gateway Genmask Flags MSS Window irtt Iface
19.247.195.20 0.0.0.0 255.255.255.252 U 0 0 0 External
10.123.123.0 0.0.0.0 255.255.255.224 U 0 0 0 Lan1
Legend:
Gateway – the gateway via which this network is reachable; 0.0.0.0 means this network is configured locally on the interface
Iface – name of the interface via which this network is reachable
Q. How do I see the duplex, speed and physical link status of an interface?
A. # ethtool <name of the interface you want to check; names are case-sensitive>
e.g. # ethtool External
Settings for External:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: g
Current message level: 0x00000007 (7)
Link detected: yes
Q. How do I manually set the duplex, speed and autonegotiation settings of an interface?
A. # ethtool -s <name of interface> speed 100
# ethtool -s <name of interface> duplex full
# ethtool -s <name of interface> autoneg off
IMPORTANT: the changes above will be active only until the firewall reboots; to set them permanently see the next answer.
Q. How do I save changes to the interface duplex, speed or autonegotiation permanently?
A. # eth_set <interface> [10h|10f|100h|100f|1000h|1000f|autoneg]
e.g. # eth_set Lan1 100f
Q. How do I add, delete or change routes?
A. Using the sysconfig utility and its interactive menu (option 6).
Q. How do I delete or change the IP address on an interface?
A. # sysconfig, then option 5.
Q. How do I add, change or delete a VLAN?
A. # sysconfig, then option 5.
Q. How do I see the existing VLANs?
A. Either via sysconfig, then option 5, or via ifconfig; VLAN interfaces have the format <physical interface name>.<vlan number>.
e.g. # ifconfig
eth7.301 Link encap:Ethernet HWaddr 00:1B:4A:CF:26:71
Q. Can I combine a few interfaces into one logical interface?
A. Yes, such an interface is called a Bond. Note that of all the interfaces added to the Bond interface only one will be active and passing traffic; the rest will be in standby mode in case the active interface fails.
Q. How do I shut and unshut an interface?
A. # ifconfig <interface name> down
# ifconfig <interface name> up
Posted in Checkpoint NG/NGX.
Tagged with cheat sheet, Checkpoint.
By Yuri
– October 27, 2011
Today I did an improvised poll at work on who is using 2-factor authentication with their Gmail account and got only one positive answer: me.
The question was in turn inspired by the article in the Atlantic Monthly where James Fallows depicts in detail his wife's Gmail account being hacked and how much trouble it was to get it back. I can only add that not using an absolutely free and easy feature to safeguard your precious asset, the mail account, is pretty reckless in our time. Just imagine what it would be to have ALL of your Gmail inbox emptied and your access to the account lost due to a hack…
I've always known that the best way to solve problems is to prevent them from occurring at all, so go ahead and use this Gmail feature and have fewer problems in life to solve.
My personal experience of a few months is that it works with any mobile provider in Israel and it is pretty much a 'set and forget' type of configuration; you just need to be able to receive an SMS once a month. It can't be any easier, I guess.
Advanced sign-in security for your Google account
Posted in Scan of the week.
Tagged with Stay safe online, Stories from the trenches.
By Yuri
– October 26, 2011
Domain records are the most visible, most vulnerable and many times crucial asset of a company.
Attackers need not break your firewall protection, or find and develop exploits for software running on your server, to cut off your company from mail: it is enough for them to cause a change of the MX record and it's done, no incoming mail.
I've seen a real-life example of this happening with a huge company when, due to a human error in the MX record that went unnoticed, the company didn't get mail.
While there are companies making millions on protecting domains (do a whois on Google.com or Facebook.com to see an example), you can at least spot potential problems automatically in no time with Nagios.
The plugin that watches a DNS record is called check_dns and works this way: you configure which hostname to query and what its IP address should be; if the IP returned doesn't match the one configured, a Critical condition occurs and an alert is fired.
This is the simplest possible check, hostname-to-IP mapping; more advanced checks are possible with the check_dig plugin.
Example: if the IP of the hostname mx20.013net.net that handles mail for my provider changes from 194.90.9.19, an alert will be sent:
check_dns -H mx20.013net.net -a 194.90.9.19 -s 8.8.8.8
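The logic behind that command line, as an added example written here and not the Nagios plugin's own code: resolve the name, compare every returned address with the expected set, and map the outcome to Nagios exit codes. The resolver is injected so the function can be exercised offline with constructed answers; the default resolver uses the standard library, and treating any unexpected or missing address as CRITICAL is my choice.

```python
"""Nagios-style DNS record check modelled on check_dns -H/-a (added example,
not the plugin's own code).  The resolver is injected so the decision logic
runs offline against constructed answers."""
import socket

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes


def stdlib_resolver(hostname):
    """Return the IPv4 addresses for hostname using the system resolver."""
    return socket.gethostbyname_ex(hostname)[2]


def check_dns(hostname, expected_ips, resolver=stdlib_resolver):
    """Return (exit_code, message) the way a Nagios plugin reports.

    expected_ips: the addresses the record is allowed to hold.
    OK       - every returned address is one we expect
    CRITICAL - lookup fails, returns nothing, or returns an address we do
               not expect (the scenario in the post: the record was changed)
    """
    expected = set(expected_ips)
    try:
        answers = resolver(hostname)
    except OSError as exc:            # socket.gaierror is an OSError
        return CRITICAL, f"DNS CRITICAL - {hostname} lookup failed: {exc}"
    if not answers:
        return CRITICAL, f"DNS CRITICAL - {hostname} returned no address"
    unexpected = sorted(set(answers) - expected)
    if unexpected:
        return CRITICAL, (f"DNS CRITICAL - {hostname} resolves to "
                          f"{', '.join(unexpected)}, expected "
                          f"{', '.join(sorted(expected))}")
    return OK, f"DNS OK - {hostname} resolves to {', '.join(sorted(answers))}"


if __name__ == "__main__":
    # Constructed answers; the hostname and address are the ones from the post.
    print(check_dns("mx20.013net.net", {"194.90.9.19"},
                    resolver=lambda h: ["194.90.9.19"]))
    print(check_dns("mx20.013net.net", {"194.90.9.19"},
                    resolver=lambda h: ["203.0.113.7"]))   # record changed
```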
Posted in Linux, Networking.
By Yuri
– October 9, 2011
New operating systems are supposed to improve the user experience... or so I thought, until today, when I needed to lower the maximum size of files to be scanned by a Fortigate 80C. It was a matter of a few clicks in the good old version 3 via the management GUI, but in version 4 I spent some 20 minutes digging through its GUI high and low and then finally opened the Command Reference and found how to do it the CLI way.
Here is the solution:
FTG80C# config antivirus service http
FTG80C(http)# sho
config antivirus service "http"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
FTG80C(http) # set uncompsizelimit 2
FTG80C(http) # end
FTG80C# config antivirus service ftp
FTG80C(ftp) # set
scan-bzip2 enable scanning of bzip2 compressed files
uncompnestlimit uncompnestlimit
uncompsizelimit uncompsizelimit
FTG80C(ftp) # set uncompsizelimit
max uncompressed size to scan (1-50MB or use 0 for unlimited)
FTG80C(ftp) # set uncompsizelimit 2
FTG80C(ftp) # end
Posted in Firewall.
Tagged with Fortigate.
By Yuri
– October 3, 2011
To continue the series, I did this video on configuring the users who manage the IPS sensor: adding and deleting them, resetting passwords, unlocking them. All the configuration is done on the CLI.
Posted in Cisco IPS.
Tagged with Cisco IPS, Cisco sensor 4200, Video How-to.
By Yuri
– October 3, 2011
Some great products get unfair treatment for unclear reasons. One such piece of gear is the Cisco IPS sensor 4200 appliance, which, while doing its job, doesn't get much attention or fame and, even worse, no proper treatment on the Cisco.com documentation site. The documentation exists but is scarce; examples of configuration, close to none; screenshots, go find them. You get the picture, and here comes my humble effort to introduce the sensor to the wider audience of this website.
First is the initial configuration using the console. The software used is 6.1, the sensor hardware is an IPS 4235. I am doing the config WITHOUT running the built-in # setup dialog.
Enjoy and have a nice day.
Yuri
Posted in Cisco, Cisco IPS.
Tagged with Cisco IPS, Cisco sensor 4200, Video How-to.
By Yuri
– September 25, 2011
Here is a feature that will save you time and frustration in many scenarios, especially when managing Cisco routers in a multi-user environment. Once enabled, archiving periodically saves a copy of the running configuration of the IOS router to flash or to a remote server. So next time something stops working after changes and you don't know which one caused it, just revert to the working configuration that is readily available.
Posted in Cisco, IOS Cisco.
Tagged with IOS Cisco, Video How-to.
By Yuri
– September 23, 2011
Guten Tag everyone, today I am posting a video showing how to configure a Dynamic Virtual Tunnel Interface (DVTI) on a Cisco IOS router. DVTI for remote access has been available for a long time already and is gradually replacing the old way of dynamic crypto maps, but as always people are hard to get out of the rut, so this great feature mostly goes unnoticed.
In this specific setup I am using DVTI for hairpinning, i.e. I will connect to the router using the Cisco VPN client and will tunnel ALL of my traffic through this connection, no split tunnel.
The main benefit of DVTI here is that I can assign ip nat inside to the DVTI interface and the router will take care of NAT translating my traffic when sending it in clear text to the Internet.
Enjoy
As always, you can watch all my videos on Vimeo at vimeo.com/yurisk.info, where you can also download the videos as files.
Reference on Cisco: DVTI on Cisco.com
Posted in Cisco, IOS Cisco.
Tagged with Cisco, Video How-to.
By Yuri
– August 13, 2011