yurisk.info » Esafe

MAC finder script

Yuri — Fri, 02 Jul 2010 05:35:37 +0000

While I don’t like going down to Layer 2 , recently I had to do it – I didn’t know IP address of the Cisco router I wanted to connect to but I had access to the Cisco router sitting in the same network. That would be pretty easy to do #show arp on this router and then search on Google to whom belongs each MAC if it wasn’t the subnet mask of /26. Copy pasting each entry of the ARP table into Google didn’t look like a lot of fun. So I wrote a python script that reads MAC addresses in bulk from command line and using downloaded beforehand database of MAC-vendor translations prints vendor for each MAC address. It works for #show arp on CIsco,#show mac-address-table on CIsco switches, #arp -en on Linux (means including Checkpoint), #arp -a on Freebsd ,#show arp of Junos from Juniper, #get sys arp on Fortigate.
Below is the script.
Here:
mac-database.txt – file containing MAC-vendor translation in format , I used standards.ieee.org/regauth/oui/oui.txt as the source with a bit of sed, but if you want ready to use file I recommend nmap-mac-prefixes from nmap source-code distribution http://nmap.org/svn/nmap-mac-prefixes
Download script (to make sure formatting is preserved, an important thing for Python)
http://yurisk.info/scripts/mac-finder.py
Script AND mac database from nmap project – http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/python
#This script accepts MAC addresses from the command line and
#prints vendor for each mac address
# Author:Yuri, yurisk@yurisk.info,06.2010
import sys
import re
#This function removes from MACs colon or dot and returns MAC as a sequence of HEX chars
def dotreplace(matchobj):
         if matchobj.group(0) == '.':
                return ''
         elif  matchobj.group(0) == ':':
                return ''
#open file with MAC addresses and vendors database,it has form xxxx 
macs=open('mac-database.txt','r')
macs_lines=macs.readlines()
#Read from stdinput
data = sys.stdin.readlines()
for ppp in data:
       popa=re.search('.*([a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4}).*',ppp,re.IGNORECASE)
       if popa:
             newpopa=re.sub('\.', dotreplace,popa.group(1))[0:6]
             newpopa_re=re.compile(newpopa,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopa_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]
       popalinux = re.search('.*([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popalinux:
             newpopalinux=re.sub(':',dotreplace,popalinux.group(1))[0:6]
             newpopalinux_re=re.compile(newpopalinux,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopalinux_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

       popadash = re.search('.*([a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popadash:
             newpopadash=re.sub('-',dotreplace,popadash.group(1))[0:6]
             newpopadash_re=re.compile(newpopadash,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopadash_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

Running it:

[root@darkstar ]# ./mac-finder.py

$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]

(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.

Quick and dirty way to bypass eSafe inspection

Yuri — Wed, 12 May 2010 18:46:26 +0000

There are times when you need to make some website work immediately while it is being blocked by eSafe for some (many) reasons. And you just don’t get it working the educated way – adding to white/exclude lists, changing script/category block options etc.
For the cases just like that Aladdin have provided us with Exclusion List in NitroInspection Configuration . It basically means traffic to/from the IP addresses you put into this list will be COMPLETELY ignored by eSafe scanning engine, and will be moved from interface to interface at the NIC driver speed.
To get there you go to Options->-NitroInspection Configuration->-Exclusion list->Add
In example below I add facebook.com IP range to such exclusion list.

Increase log size in eSafe

Yuri — Mon, 14 Dec 2009 12:26:38 +0000

Session logs in eSafe are essential for debugging . By default ,nevertheless each Session log file is limited to 100 megabytes in size , after reaching this limit eSafe stops writing the Session logs until the next log rotation – that is midnight.

To fix this , edit the file /opt/eSafe/eSafeCR/esafecfg.ini:

[ALERT GENERAL]
Size limit=2
Last overflow=0
Minimum free disk space=2000
Block if internal error=1
File name=^M
Report days=10
Session log days=7 = > Session log days= 365
Report max length=100
Session log max length=100 => Session log max length=500
Log sessions=1
Detailed log sessions=0
Log System Info Interval=10
MMS block if internal error=1
SessionLog To EventLog=0

SSH login alert by mail Linux or Unix based systems

Yuri — Fri, 18 Sep 2009 10:24:40 +0000

As you may have noticed many security-related software/appliances are based on Linux or Unix operating
systems in their variety. And as the logical consequence of that remote managing of such devices is done with OpenSSH
package . What is lacking in these applications built on Linux/Unix platforms is alerting in real–time on successful
SSH login to the system . e.g eSafe can alert only on login to the software itself (i.e. econsole), the same goes for the Checkpoint firewall
. On the other hand SSH login to the system ultimately means superuser/root access that gives control over the whole
system. To fix it I wrote the following script. This script sends mail to predefined email address each time someone
successfully logs in by SSH to the machine.
I take advantage here of the built-in feature of the OpenSSH daemon – if you create text file containing commands (as if you typed
them on the command line), and name it either /etc./ssh/sshrc or /.ssh/rc , these commands in file will be run each time user logs in through SSH daemon to the system.
The file has to be readable by the user logging in through SSH.
Note 1:
file /etc/ssh/sshrc is applied globally to any user logging in, unless:
Note 2:
file /.ssh/rc overrides action of /etc/ssh/sshrc . Caveat here – it is enough for a user to put in his home .ssh directory
empty file named rc and it will disable /etc/ssh/sshrc including mail alerts sent from it. Actually it is not that big of an issue as you may
create rc file in the home directory of the user yourself, give it 644 permissions and while user will know what is going on when doing ssh login he/she won’t be able to do anything about that.

So to script itself.
Here:
yurisk@yurisk.info   – mail to which I get mail alert
mail.yurisk.info   -   mail server that accepts mails destined for yurisk.info domain (its MX record)
SENDING_HOST   - hostname of sending host, will be included in the subject so later I can create mail inbox rule to pay appropriate attention   to such mails
USER_ID     – output of the #id command so I will also be able to filter incoming messages on the user logged in

freeBSD# cat /etc/ssh/mail_alert.awk
BEGIN {
# Set up some info to be included in the mail
# As you see I prefer to use absolute pathnames , but you don’t have to
# Find the hostname to which SSH login happened , to be included in the Subject
”/bin/hostname” | getline SENDING_HOST
# FInd ID of logged
”/usr/bin/id” | getline
USER_ID = $1
SMTP = “/inet/tcp/0/mail.yurisk.info/25″
RS = ORS = “\r\n”
print “helo yurisk.info”     |& SMTP
SMTP                       |& getline
print “mail from: <yurisk@yurisk.info>” |& SMTP
SMTP                       |& getline
print “rcpt to: <yurisk@yurisk.info>” |& SMTP
SMTP                       |& getline
print   “data”             |& SMTP
SMTP                       |& getline
print “Subject:SSH login alert – user ” USER_ID “logged in ” SENDING_HOST |& SMTP
print                       |& SMTP
”/usr/bin/w” | getline
print $0                  |& SMTP
  print   ” He is most free from danger, who, even when safe, is on his guard “               |& SMTP

print   “ “               |& SMTP
print “.”                 |& SMTP
print                      |& SMTP

print “quit” |& SMTP

}
- Now the file that is checked on each login for commands ( I put both files in /etc/ssh/) :
freeBSD# cat /etc/ssh/sshrc
awk -f /etc/ssh/mail_alert.awk > /dev/null
Note for FreeBSD (I guess any *BSD) users: in *rc file above you will have to replace awk with gawk, as in *BSD systems awk behaves as the old-style Unix awk that has no bidirectional pipe to connect to mail server.

PS. You might be asking why awk here ? True, Linux/Unix have perfect tool for sending mails called #mail, but I did it with awk
for a reason – not on every (especially if hardened) system you will find mail/telnet/etc utilities with which sending mails is more simple and more reliable. The biggest one is Checkpoint firewall – it has NO mail or telnet clients, neither scripting language beyond AWK and Bash.

The downside of awk is that it is not perfect for more or less complex protocols. So script may stuck / send commands too fast/ etc and therefore be disconnected by the server.

Also if mail server uses greylisting – this script won’t understand it. So check it in interactive session before using. If time permits later I will polish it a bit to count for such cases.

BTW If you haven’t noticed eSafe has full-blown scripting languages installed – Perl and Python . With these you are limited by your imagination only.

eSafe has iptables too ….

Yuri — Tue, 08 Sep 2009 17:58:05 +0000

Did you know that eSafe software is based on RedHat Enterprise Linux (RHEL) ? Of course you did.
But what does it mean? It means that all (or almost all) tools/utilities/programming logic of the Linux is at your fingertips.
Let’s take for example software eSafe runs on the boot

[root@esafe root]# chkconfig –list
rdisc                          0:off   1:off   2:off   3:off   4:off   5:off   6:off
anacron                   0:off   1:off   2:off   3:off   4:off   5:off   6:off
kudzu                    0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog                       0:off   1:off   2:on    3:on    4:on    5:on    6:off
network                 0:off   1:off   2:on    3:on    4:on    5:on    6:off
random                  0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd               0:off   1:off   2:off   3:off   4:off   5:off   6:off
microcode_ctl    0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance            0:off   1:off   2:off   3:on    4:on    5:on    6:off
smartd                     0:off   1:off   2:off   3:off   4:off   5:off   6:off
atd                             0:off   1:off   2:off   3:on    4:on    5:on    6:off
log2trap                   0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd                          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond                       0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd                       0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables                   0:off   1:off   2:on    3:on    4:on    5:on    6:off
webmin                   0:off   1:off   2:on    3:on    4:off   5:on    6:off
esafe                       0:off   1:off   2:off   3:on    4:on    5:on    6:off

Today I played with just one of them – iptables. First things first – eSafe is not a firewall . You don’t usually give
bunch of papers (called money) to use eSafe for the function that any Pentium 4 PC can do for the fraction of the price. So, it
is not supported and not to be used as the mainstream feature. Nevertheless it is here and may come handy in some situations.

In the output of chkconfig –list chckconfig showed that whenever eSafe is on, iptables is on as well. The default iptables policy is ALLOW ANY ANY :
[root@esafe root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Few observations:
- To block incoming connections destined for the eSafe itself you use INPUT chain, FORWARD chain has no meaning in bridged eSafe Gateway (in routing Gateway mode it would be applicable I guess)
- I tried few basic rules on the eSafe Hellgate 200 while turning on High-Debug mode , and while machine was loaded by debug
mode , using iptables filtering did not add visible overhead to it.
In most of the deployment scenarios eSafe is installed between internal interface of the firewall and LAN. It means from outside it is protected quite well whereas from LAN it is wide open to any trouble coming in. eSafe has its own means of limiting access to it from certain IPs.
To limit access to eConsole – you go in eConsole to Options -> Access and Permissions -> configure user (by default admin will be there) and IP from which this user will be granted access.
To limit access to WebGUI (HTTPS) : in the WebGUI go to Settings -> Access Control -> put IP to allow it access in “eSafe Appliance accepts connections from:”
To limit access by SSH use Linux means (there are few ways but I show just one of them) :
vi /etc/ssh/sshd_config
# add at the end the following line to limit ssh access to 10.99.99.150 only:
AllowUsers *@10.99.99.150
Or, using wildcards to the whole network only:
AllowUsers *@10.*.*.*

All the above is correct and fine BUT – what if you need to temporarily limit access and not permanently ? All the above are permanent changes that will survive reboot and if you make a mistake you grant someone a visit to the appliance for console connection. On the other hand you may use iptables to achieve the same access control and should something go wrong reboot will return all back to normal.

So, let’s go:

- I don’t like when debugging some complicated issue after logging off from eConsole I can’t access it again as someone from LAN already logged in :
1) Grant your IP the access to econsole:
[root@esafe root]# iptables -I INPUT -p tcp –s 10.99.99.150 –dport 43969:43982 -j ACCEPT
2) Deny anyone else
[root@esafe root]# iptables -I INPUT 2 -p tcp –dport 43969:43982 -j DROP
- SSH in general isn’t something a client should have access to :
1) First allow youself access:
[root@esafe root]# iptables -I INPUT -p tcp –dport 22 -s 10.99.99.150 -j ACCEPT
2) Then deny anyone else:
[root@esafe root]# iptables -I INPUT 2 -p tcp –dport 22 -j DROP

3) Restart ssh daemon (it won’t disconnect your current session):

[root@esafe root]# service sshd restart

[root@esafe root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp – 10.99.99.150         anywhere           tcp dpt:ssh
DROP       tcp – anywhere             anywhere           tcp dpt:ssh

Those addicted to iptables know that some spicy features come with modules and kernel options set at compile time.
To give you the taste of what is included in eSafe iptables, the listing follows:

/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/arp_tables.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/arpt_mangle.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/arptable_filter.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_amanda.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_irc.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_tftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_amanda.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_ftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_irc.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_snmp_basic.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_tftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_queue.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_tables.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipchains.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipfwadm.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_DSCP.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ECN.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_LOG.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_MARK.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_MIRROR.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_REDIRECT.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_REJECT.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_TCPMSS.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_TOS.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ULOG.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ah.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_conntrack.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_dscp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ecn.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_esp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_helper.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_length.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_limit.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_mac.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_mark.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_multiport.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_owner.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_pkttype.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_recent.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_state.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_tcpmss.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_tos.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ttl.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_unclean.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/iptable_filter.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/iptable_mangle.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/iptable_nat.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ah6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/esp6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ip6_tunnel.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ipcomp6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ipv6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6_tables.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_LOG.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_MARK.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_ah.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_dst.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_esp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_eui64.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_frag.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_hbh.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_hl.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_ipv6header.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_length.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_limit.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_mac.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_mark.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_multiport.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_owner.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_rt.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6table_filter.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6table_mangle.o

Website/malware categorization in eSafe

Yuri — Fri, 12 Jun 2009 08:41:02 +0000

If some website gets blocked by eSafe for being categorized wrongly you
may fix it actually very simple. You enter the link below and change the website category; this takes some time , usually from few hours up to a day,for the change to take effect. If website has no category already then update takes effect fast.

filterdb.iss.net/urlcheck/

To see what each category includes:
www-935.ibm.com/services/us/index.wss/detail/iss/a1029077?cntxt=a1027244

When you want to report an item that was falsely detected as virus/malware by
eSafe you should send your request to :

eSafe Certified Professional

Yuri — Sat, 07 Mar 2009 15:30:52 +0000

Recently I’ve taken the 2-day course and then successfully passed eSCP certification and here are some impressions about that. First, for serial certification obtainers,for the main question – what is the gain here? – I will frankly say – I don’t know. This cert isn’t found under ‘most wanted/hot/industry leading’ headings anywhere, so whether it’s gonna get you an advantage in promotion/job search/etc remains an open question.
The course was fully funded by my work and I took part in it for the benfit of the knowledge I would gain there only. And to take test is possible only after you passed the course. So , let’s head over to the course.
The course was administered at 3rd-part learning center but by folks from Aladdin itself ONLY – one of the strong points of the course. As I understood even if the course would be given in the heart of Amazonia,Brazil it still would be presented by Aladdin folks, no ‘certified instructors’ are employed.
There were 2 instructors , one doing talking and helping in labs , and the other helping in labs . While first instructor is from Presale team, she could answer any technical questions I had (”- Can you remind me name of the file to add Ip address to the interface so it survives reboot, unlike ifconfig ?”).

The overall course consisted of approximately 20% presentations/talks and 80% hands-on labs. The contents can be seen here, only that we dealt with version 7 only, not 6.2 as in pdf:
ftp://ftp.aladdin.com/pub/marketing/eSafe/Agenda/Expert_Agenda.pdf .
Every pair of students was given Hellgate appliance to play with. And we used it to the full – our team even succeeded to push beyond the limit,crash and do RMA on our HellGate – fastest RMA ever seen – took 5 mins to bring new Hellgate.

Everyone was given a book-sized course material including presentations we heard and labs. The flow was – presentation then lab. Started with reimaging eSafe from usb, then all config labs as per pdf above. The LDAP lab took much more then was allocated for it as many (including me) are not good fiends with all the AD/LDAP/OU/CN/DN stuff ,eventhough the AD server was preconfigured and we had to just(?) connect eSafe to it.
Due to time shortage we haven’t done Web SSL/Reporter/Proxy (not a big deal for me as I am yet to see any of them in the wild) labs.
All setup had access to the Internet , so URL-filtering we could test real-time.

To conclude – I enjoyed the course, learned lots of new things (my job involves supporting already installed and working eSafe, so I don’t do installing/configuring from scratch the appliance, something our integration department always do) and therefore it was worthwhile.
Upon completion we were given link to password-protected CBT, possibility to open personal account with portal.aladdin.com , link to download eSafe 7.1 ISO disk (every eSafe has built-in evaluation license for 30 days), nice bag, and user/pass and link to the website to take exam.

Now to exam – it is a web based test, with 50 questions and 90 minutes to do it.
The test is pretty easy given you took active part in the course before as it recaptures the same topics. So I did it in about 30 mins, got the web page “Congradulations you passed” and a week later received by a courier framed certificate that I am now eSafe Certified Professional.

eSafe download – demo, docs

Yuri — Wed, 28 Jan 2009 18:48:10 +0000

Today newcomer to our department asked me how he should start learning eSafe – should he install Mail or Gateway on VMware ? Erm … May be docs and manuals (as I did) ? No ,old-fashioned, in our age of
CBTs/virtualization/Camtasia-everywhere buzzwords it needs to be with GUI and interactive, so …
The best way to start learning a product is first to see it – for this Aladdin made a demo econsole.
After you run it it presents you with dosen of eSafe ”machines” to any of which you can login by double clicking and feel like you are configuring a real eSafe machine – all GUI and options are exact copy of real
product. You can get it here after filling form with (ir)relevant details.
Demo econsole

Here is the link for econsole download eSafe 7.1, be aware that is quite important that you use econsole verison matching exactly the
eSafe software version you are trying to connect to. I once had client that installed eSafe 7.0 (some beta release) and downloaded locally econsole from the machine, all worked fine.Then he upgraded eSafe software to 7.1 but did NOT reinstall new econsole , as the result
he couldn’t find bunch of options in the econsole. In worst scenario using non-matching version of econsole to make configuration changes might cause substantial damage to the eSafe software, up to complete reinstall/reimage.
eSafe econsole 7.1
Docs Also freely available at :
eSafe Documenation
Knowledgebase – if you work for Aladdin partner you will have access to
complete knowledgebase , while anyone else can see a smaller part of it (that will suffice for few long
weeks of studying nevertheless ).
kb.aladdin.com

Esafe defaults and some debug commands

Yuri — Sat, 06 Sep 2008 08:50:57 +0000

As any other box esafe comes with some default configs , to much of my surprise it takes too long to find them in the Esafe docs, so here they are:

eConsole TCP port: 43970
eConsole UDP port: 43982
Webmin TCP port: 37233 - https to eSafe, when installed on linux [last eSAfe to support
Windows was eSafe 6 FR2] (https://ip_address_of_esafe:37233)

default username: root
default password: kn1TG7psLu
Webmin username: admin
Webmin password: esafe
econsole default username: admin
econsole default pasword: no such, you will be asked to set on first login or during Webmin configuration

————————————————————————–

Product Configuration file:
/opt/eSafe/eSafeCR/esafecfg.ini

Nitroinspection Configuration file:
/opt/eSafe/esafenipca.ini

eSafe Machine Configuration file:
/opt/eSafe/esafe.ini
eSafe Applifilter Configuration file:
/opt/eSafe/eSafeCR/applifilter2.ini

————————————————————————–

Spool Directory:
/opt/eSafe/eSafeCR/SPOOL/

Advanced antispam and URL filtering (cobion) database Directory:
/var/esafe/ofdb/

Session log files:
/opt/eSafe/eSafeCR/SessionLog/

Machine logs – when debug mode enabled logs get written here:
/var/esafe/log/eSafeCR

Debugging procedure , quite standard procedure, provided load on the machine permits
(High Debug mode loads the machine a lot!) you may shorten the time of troubleshooting
when opening ticket in Aladdin.
You need to re-create the problem first in high debug level (you can do it with eConsole: Options > Troubleshooting… > Clear Log Files > choose High troubleshooting level > re-create the problem > choose “Off” to turn off troubleshooting level)

How to create support file:

cd /opt/eSafe
./esafeinf
Collecting eSafe info and log files, Please wait …

Information successfully logged in
/var/log/1004562_xxxxxxx3430esglog.tar.gz.

or:

enter Webmin (https://ip_address_of_esafe:37233) > Support > Create and download eSafe Support Info file
————————————————————————–

eSafe Machine configuration script (script has same functionality as Webmin does):

cd /opt/eSafe
./esgmenu