yurisk.info » Yuri

awk weekly – Security rule hits statistics . Checkpoint

Yuri — Tue, 31 Jan 2012 08:50:36 +0000

As I mentioned before once you export firewall logs into human-readable format you can do lots of interesting things – for example script that gives statistics of how many times each Security rule was hit .
Be aware that this counts explicit Security rules only – i.e. the ones you see in Security tab of the Smartdashboard. No other rules you usually see in Smartview Tracker are counted – e.g. SmartDefense,Web Filtering etc. Also afterwards I sort it by number of hits to see what rules are used most:

awk -F\; ' {match($0,/rule: +([0-9]+)/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5

Rule number:  Hits: 1197330  Ignore this line as it counts non-matched lines I dont want to filter with additional conditions and added time processing
 Rule number: 2 Hits: 9
 Rule number: 5 Hits: 366
 Rule number: 11 Hits: 12296
 Rule number: 9 Hits: 14457
 Rule number: 0 Hits: 17094
 Rule number: 1 Hits: 44066
 Rule number: 7 Hits: 233643
 Rule number: 10 Hits: 366275
 Rule number: 6 Hits: 424639

Update 2012 Below is the script to use Rule ID instead of Rule sequential numbers – this way changing rules order will not affect statistics. The script matches also non-security rules – e.g. email session id, that are a bit shorter then Rule ID, but I didn’t want to slow down the processing with additional formatting .

awk -F\; ' {match($0,/{([[:print:]]+)}/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5

Rule number: D199972C-ED3E-4EB4-8B83-813333156D18 Hits: 175
 Rule number: 85A905A7-951E-4100-A4BA-E13333151D29 Hits: 219
 Rule number: 81333316-E942-4313-BB7D-E1333315802F Hits: 1519
 Rule number: 71333215-2DB5-4A3A-95BC-5080AD0F5564 Hits: 2298
 Rule number: 11331315-AE52-44E0-A42A-711029B5768E Hits: 3755
 Rule number: 01333315-D290-4B05-AFE7-23BF24D889FF Hits: 4116
 Rule number: 121FA62F-3885-4328-8090-BF1333315eB1 Hits: 399793
 Rule number: FE40E076-BAEB-4979-8E41-5EF1333315e6 Hits: 440101
 Rule number: BB3F6772-4D38-4D5A-952A-301333315de8 Hits: 1354341
Running time for a file of 900 Mb with 4.7 million records
real    5m50.287s
user    4m22.890s
sys     0m3.190s

Time-based access limiting on Checkpoint or any Linux for that matter

Yuri — Mon, 14 Nov 2011 21:08:16 +0000

Time-based access-lists in Cisco world are available since … last century for sure. But is it possible that Linux doesn’t have anything like that ? No way – of course it can do and do it better. Here is how .
Access control based on time of the day is available via pam module, and as almost all software today supports working with pam modules, it means it is available universally.
Steps to do it are these:

Enable pam_time.so module for the software of interest in its config file in /etc/pam.d ;
Configure time range(s) when this service is accepting connections using file /etc/security/time.conf
Most probably restart the service and we are set.

E.g. Let’s restrict user ftp_user so that it is able to connect to vsftpd daemon only during working hours of the weekdays.
- Add to file /etc/pam.d/vsftpd the following line
account required /lib/security/pam_time.so
- Set time limits in /etc/security/time.conf with this line
vsftpd;*;ftp_user;Wk0800-1700
- Restart vsftpd to force it using pam_time.so module (need to do it just first time)
#service vsftpd restart
And now during the off-limit hours the ftp_user will not be able to connect by FTP, that is it .

For Checkpoint all the above holds true, but as you don’t have much servers there , the most probable candidate for such restrictions is ssh daemon. For example firewall that the client has access by ssh to it as well – while mail alerts for such access (see Mail alert on ssh access in Checkpoint) will warn me about such access, it does me no good if someone on client side accesses the firewall at 02:00 am at night and I get alert . But if it happens during working hours only, I can see such alert and act in real time.
Example for limiting ssh access to the firewall to working hours only.
/etc/security/time.conf :
sshd;*;client_user;Wk0900-1900
/etc/pam.d/sshd :
account required /lib/security/pam_time.so

Set NTP time source on Checkpoint to have correct log timestamps

Yuri — Sat, 12 Nov 2011 17:29:44 +0000

It is hard to argue that logs are as good as correct they are. And correct timestamps of the logs are crucial to this. Internal clock is prone to drifting with time, in my experience I’ve seen some UTM appliances to drift as much as 40 minutes in just one year ! Even worse is that you can never be sure of the drift distribution over time – it may be incremental drift every day, or sudden jump due to who knows what.
To prevent this from happening I use NTP time synchronization on all of my servers/firewalls. If you have been in system administration for some time it is old news for you – just use ntpd daemon and pool.ntp.org servers located close to you, and you are set in 5 minutes.
In Checkpoint they took the hardening of the underlying OS to extreme and supplied only outdated ntpdate utility for the task, no ntpd for us.
Not a big deal – I use the cron job below to run every 30 minutes ntpdate to update the firewall clock and so better be you.
Cheers
30 * * * * /usr/sbin/ntpdate 1.uk.pool.ntp.org > dev/null

All you need to know about networking in Checkpoint firewall SecurePlatform FAQ

Yuri — Thu, 27 Oct 2011 11:32:13 +0000

Q. How do I see available interfaces, errors on them , IP addresses .
Q. How do I see routing table of the firewall.
Q. How do I see duplex, speed, physical link status of the interface .
Q. How do I manually set duplex, speed, autonegotiation settings of an interface.
Q. How do I save changes to the interface duplex ,speed or autonegotiaiton permanently.
Q. How do I add, delete, change routes.
Q. How do I delete, change IP address on the interface.
Q. How do I add, change, delete VLAN .
Q. How do I see existing VLANs .
Q. Can I combine few interfaces into one logical interface .
Q. How do I shut and unshut an interface.

Q. How do I see available interfaces, errors on them , IP addresses .

A. # ifconfig

Q. How do I see routing table of the firewall.

A. # route -en

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
19.247.195.20   0.0.0.0         255.255.255.252 U         0 0          0 External
10.123.123.0    0.0.0.0         255.255.255.224 U         0 0          0 Lan1

Legend:
Gateway – via which gateway this network is available, 0.0.0.0 means this network is configured locally on the interface
Iface – name of the interface via which this network is reachable

Q. How do I see duplex, speed, physical link status of the interface .

A. # ethtool
e.g. # ethtool External
Settings for External:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: g
Current message level: 0×00000007 (7)
Link detected: yes

Q. How do I manually set duplex, speed, autonegotiation settings of an interface.

A. # ethtool -s speed 100
ethtool -s duplex full
ethtool -s autoneg off
IMPORTANT: the changes above will be active until reboot of the firewall, to set them
permanently see below.

Q. How do I save changes to the interface duplex ,speed or autonegotiaiton permanently.

A. # eth_set [10h|10f|100h|100f|1000h|1000f|autoneg]
e.g # eth_set Lan1 100f

Q. How do I add, delete, change routes.

A. Using #sysconfig utility and its interactive menu (option 6) .

Q. How do I delete, change IP address on the interface

A. # sysconfig then option 5 .

Q. How do I add, change, delete VLAN .

A. # sysconfig , then option 5 .

Q. How do I see existing VLANs .

A Either via #sysconfig , then option 5 or ifconfig, VLAN interfaces will have format of . .
e.g. # ifconfig
eth7.301 Link encap:Ethernet HWaddr 00:1B:4A:CF:26:71

Q. Can I combine few interfaces into one logical interface .

A. Yes , such interface is called Bond. Note that out of all interfaces added to the Bond interface, only one will be active and passing the traffic, the rest will be in standby mode in case active interface fails.

Q. How do I shut and unshut an interface.

A. #ifconfig down
# ifconfig up

Enable 2 factor authentication to protect your Gmail account if you have not done so already

Yuri — Wed, 26 Oct 2011 11:34:42 +0000

Today i did an improvised poll at work who is using the 2 factor authentication with their Gmail mail account and got only one positive answer – me . The question was in turn inspired by the article in Atlantic Monthly where James Fallows depicts in detail his wife’s Gmail account being hacked and how much trouble it was to get it back. I can only add that not using absolutely free and easy feature to safeguard your precious asset, mail account – is pretty reckless in our time . Just imagine what it would be to have ALL your Gmail inbox emptied and have your access to the account lost due to a hack …
I’ve always known that the best way to solve the problems is to prevent them from occurring at all, so go ahead and use this Gmail feature and have less problems in life to solve .
My personal experience of few months is that it works with any mobile provider in Israel and it is pretty much ‘ set and forget ‘ type of configuration, just be able to receive once a month SMS , it can’t be any easier I guess.
Advanced sign-in security for your Google account

Watch your DNS records day and night with Nagios

Yuri — Sun, 09 Oct 2011 10:11:22 +0000

Domain records are most visible vulnerable and many time crucial asset of the company.
Attackers need not break your firewall protection, find and develop exploits for software running on your server to cut off your company from mails – it is enough for them to cause a change of MX record and it’s done – no incoming mails.
I’ve seen real life example of this happening with huge company when due to human error made to MX record that went unnoticed the company didn’t get mails.
While there are companies making millions on protecting domains (do whois on Google.com,Facebook.com to see example) you can at least spot potential problems automatically in no time with Nagios.
The plugin to watch for DNS record is called check_dns and works this way – you configure which hostname to query and what the IP address for it should be , if the IP return doesn’t much the one configured the Critical condition occurs and alert is fired.
This is the simplest of possible checks – to check hostname to IP mapping, more advanced checks are possible with check_dig plugin.
Example – if IP of the hostname mx20.013net.net that handles mail for my provider changes from 194.90.9.19, the alert will be sent:
check_dns -H mx20.013net.net -a 194.90.9.19 -s 8.8.8.8

Limit maximum size of scanned files in Fortigate firmware 4

Yuri — Mon, 03 Oct 2011 17:58:46 +0000

New operating systems are supposed to better user experience .. I thought. Well, so I thought, until today, when I had a need to lower the maximum size of files to be scanned by Fortigate 80C . It was a matter of few clicks in the good old version 3 via management GUI but in version 4 I spent some 20 minutes digging its GUI high and low and then finally opened Command Reference and found how to do it the CLI way.
Here is the solution :

FTG80C# config antivirus service http
FTG80C(http)# sho

config antivirus service “http”
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end

FTG80C(http) # set uncompsizelimit 2
FTG80C(http) # end

FTG80C# config antivirus service ftp
FTG80C(ftp) # set

scan-bzip2 enable scanning of bzip2 compressed files
uncompnestlimit uncompnestlimit
uncompsizelimit uncompsizelimit

FTG80C(ftp) # set uncompsizelimit

max uncompressed size to scan (1-50MB or use 0 for unlimited)

FTG80C(ftp) # set uncompsizelimit 2
FTG80C(ftp) # end

Meet the Cisco IPS sensor 4200 series, episode 2 – User management

Yuri — Mon, 03 Oct 2011 03:43:02 +0000

To continue the series I did this video of configuring users to manage IPS sensor – adding/deleting/resetting password/unlocking them. All the configs are being done on CLI.

Meet the Cisco IPS sensor 4200 series, episode 1 – Initial configuration

Yuri — Sun, 25 Sep 2011 17:20:58 +0000

Some great products get unfair treatment for unclear reasons. One such gear is Cisco IPS sensor 4200 appliance, that while doing its job doesn’t get much attention, fame and even worse proper relation on Cisco.com documentation site. The documentation exists but scarce , examples of configuration – close to none, screenshots – go find. You got the picture – and here comes my humble effort to introduce the sensor to wider audience of this website.
First is the initial configuration using the console. The software used is 6.1 , sensor hardware is IPS 4235 . I am doing the config NOT running built-in #setup dialog.
Enjoy and have a nice day.
Yuri

Archive IOS running configuration automatically for possible rollback

Yuri — Fri, 23 Sep 2011 18:56:22 +0000

Here is a feature that will save you time and frustration in many possible scenarios – especially when managing Cisco routers in multi-user environment. Once enabled archiving saves periodically copy of the running configuration of IOS router to the flash or remote server. So
next time something stops working after changes and you don’t know which one caused this – just revert back to the working configuration that is readily available.