yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Page 15 of 24

Schedule fw monitor to run unattended

May 29, 2010 / / 1 Comment

Not a groundbreaking idea but worth remembering that you can also run scheduled fw monitor using the cron. In case you have some problem occurring at the late night hours or you want to run debug at night when system is loaded less or put your case here this is one of the ways to do it.
First, the script named timed_fw_monitor.sh that starts the fw monitor:

#!/bin/bash
# We have to source Checkpoint environment variables for fw monitor to work
. /etc/profile.d/CP.sh
/opt/CPsuite-R71/fw1/bin/fw monitor -o /home/lambada/capture.cap -e 'accept icmp or port(25);'

Then of course I will want to stop fw monitor , here is the script named stop_fw_monitor.sh that I also put in cron jobs that stops previously started fw monitor :

#!/bin/bash
ps ax | grep 'capture.cap' | grep -v grep | awk '{ print ("kill -s 3 " $1) | "/bin/bash" }'

Now my crontab looks like this:

# DO NOT EDIT THIS FILE – edit the master and reinstall.
# (/tmp/crontab.4760 installed on Sat May 29 11:00:22 2010)
# (Cron version — $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
03 23 * * * /home/lambada/timed_fw_monitor.sh > /dev/null
17 23 * * * /home/lambada/stop_fw_monitor.sh > /dev/null

SMTP inspection with policy-map in ASA

May 26, 2010 / /

This is the first time I was disappointed by the cisco.com or Checkopint:ASA 1:0. I have had a simple task at hand – configure SMTP inspection in ASA 8.0(3) and cisco.com documentation didn’t help me at all. But first the task:Secure internal mail server by preventing it from sending spam outbound. It comes to mind two very simple but largely effective measures – block mails with From: field set to any domain but ours, and block attempts to relay Through the internal mail server mails destined to any domain but ours. In Checkpoint I can do it quite simply with SMTP Resource. Unfortunately in ASA it is not the case. Let’s look at final SMTP inspection I configured in ASA.
Input :
Internal server having outside IP address of 199.202.2.3 serves two domains apple.com and microsoft.com
Task:
– block mails with From: field set to any domain but apple.com or microsoft.com
– block mail relying for any domain but microsoft.com or apple.com
NOTE. Here I did this config on the production client so had no room for experimenting with all “what ifs” Identify mails direction from inside server outbound. I did it as didn’t find reliable info about sender-address match condition – does it match in any direction if applied globally on all traffic ? I mean , if it just looks at Mail from: field and acts on mails in both directions then it would block mails coming in from any domain but client’s own.
To prevent even checking this on client I did this ACL that will apply this SMTP inspection to outgoing mails
anyway.

BigInJapan(config)#access-list Mail-server permit tcp host 199.202.2.3 any eq 25

To block mails with From filed other than client’s domains I use regex that matches client’s domains and the use negation with NOT.

BigInJapan(config)# regex PermittedSenders “@microsoft.com|@apple.com “

Create policy-map where all the tweaked parameters are set (as of ASA 8.2 there is still no class-map type inspect esmtp) .

BigInJapan (config)# policy-map type inspect esmtp NoSpamOutside

Match all mails that Mail from field is anything but *@microsoft.com or *@apple.com. Action is reset and log.
It is more secure I guess to drop instead of reset as in drop malware would have to wait until some timeout, but I didn’t care here anyway.

BigInJapan(config-pmap)# match not sender-address regex PermittedSenders
BigInJapan(config-pmap-c)# reset log
BigInJapan(config-pmap-c)# exit

Various parameters. Here you set internal domain the mail server is serving, so trying to deliver mails to any other domain would be seen as illegal relaying and dropped. But also I was surprised to know here that policy-map mail-relay parameter can be used only once, leaving you without this protection if you have multiple domains served from the same server. So below is theoretical configuration if my client had just one domain on his server.

BigInJapan(config-pmap)# parameters
BigInJapan(config-pmap-p)# mail-relay apple.com action drop-connection log
BigInJapan(config-pmap-p)# exit
BigInJapan(config-pmap)# exit

Now create general policy-map to tie it all together.

BigInJapan(config)# policy-map NoSpamFromUs
BigInJapan(config-pmap)# class Mail-server
BigInJapan(config-pmap-c)# inspect esmtp NoSpamOutside
BigInJapan(config-pmap-c)# exit
BigInJapan(config-pmap)# exit

And apply it on some interface.

Important: according to Hucaby’s ASA handbook application protocol inspection is applied AFTER the NAT rules are done, so you need to use in your class-map/ACL IPs that are after the translation. Internal IP of the mail server is 192.168.3.3 that is statically NATed to 199.202.2.3, so I used 199.202.2.3 in class-map’s ACL.

On which interface to apply the policy-map I guess doesn’t matter but to be sure I did it on the outside.

BigInJapan(config)# service-policy NoSpamFromUs interface outside

Link to Inspection page in ASA 8.
Applying Application Layer Protocol Inspection

Alert on change of SOA in domain

May 22, 2010 / /

This comes from unpleasant experience of mine. One of my clients’ domain records (MX for the case involved) was mistakenly changed. While it was a human error and trying to fix humans is rolling the rock of Sisyphus,damage would be much lesser had I known about the change immediately . To take care of this side of the story I wrote awk one-liner that when invoked by cron compares SOA of the domain with the one saved locally in the file. If there is a discrepancy the mail is sent.
I tried to find more elegant solution on Google but found zillions of tools too complex for such a simple task.

#!/bin/bash
awk ' BEGIN {"dig +short soa yurisk.info"| getline
SOA_NOW=$3
getline SOA < "serial-yurisk.info"
if (SOA_NOW != SOA) { print (" mail -c yurisk@yurisk.info -s \"SOA of domain yurisk.info has changed\" president@whitehouse.gov") | "/bin/bash" }}'
serial-yurisk.info:
2010012000

FTP inside VPN Checkpoint troubles

May 19, 2010 / / 2 Comments

Do we need to fix all the problems all the time ? My answer is no. Also I believe in good solution today and dismiss ideal solutions tomorrow. Let me show this on the real case with one of the clients.
Client has Checkpoint, lots of Checkpoint, just heaps of it. And all their work is based on VPN site to site communication between myriad of remote branches and the central office. All being VPNed. One of the services running inside those endless tunnels is plain old FTP. To be more precise scriptable scheduled transfer of files.
It has been working like that for years until it started making troubles. Not all sites in one go, just one site a day or a week, only that multiplied by the sheer number of the branches it became an avalanche.
Following usual path I tried to fix things by myself, and it worked at the beginning. But then number of troublesome sites increased, at some point I attached Checkpoint to the process. They didn’t see some
major problem, just many seemingly unrelated local ones.
Also the FTP problems differed:
– download of small files went ok but on files > 1Mb it got stuck;
– download of any single file was ok, but multiple files got it stuck;
– files got transferred but with file size 0;
And all this had no obvious reasons – FTP drops here and there. Little by little I found myself fighting the windmills. Could it be solved ? I guess so . How much time ? Months .
Then I solved this problem quite simple – the client didn’t care a bit what file protocol is being used as long as it is scriptable and Windows-friendly. So I run a test, and offered him to use SSH/SCP inside VPN tunnels instead of FTP.
The results of the tests were funny – from the same remote server, and all the rest being the same moving
files with scp (pscp.exe) annihilated all the problems seen with the FTP. That is it.
See you.

Configure VLAN Solaris way

May 16, 2010 / / 1 Comment

To create VLAN in Solaris you have to first decide where the Physical Point of Attachment (PPA) will be. In other words you have to attach VLAN to some physical interface on the server , as of now interface types that support VLANs are:
ce
bge
xge
e1000g
After you decided on the PPA and the VLAN ID using this formula the whole name for the new VLAN interface is calculated:

VLAN int name = physical interface driver name + VLAN ID *1000 + physical device instance

In my case creating vlan 777 attached to the physical interface e1000g0 yields this:

Int name = e1000g + 777*1000 + 0 = e1000g777000

Usual plumbing and IP assigning to do:

Solaris_star# ifconfig e1000g777000 plumb
Solaris_star# ifconfig e1000g777000 inet 10.11.11.2/24
Solaris_star# ifconfig e1000g777000 up

Verify:

Solaris_star# dladm show-link
e1000g0 type: non-vlan mtu: 1500 device: e1000g0
e1000g777000 type: vlan 777 mtu: 1500 device: e1000g0
e1000g1 type: non-vlan mtu: 1500 device: e1000g1
e1000g2 type: non-vlan mtu: 1500 device: e1000g2
Solaris_star# ifconfig e1000g777000
e1000g777000: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 4
inet 10.11.11.2 netmask ffffff00 broadcast 10.11.11.255
ether 0:c:29:67:98:e7

md5 and sha1 hashing in Solaris

May 15, 2010 / /

How do you calculate md5 hash ? md5sum of course, I thought ,coming from the Linux world and was wrong. In Solaris , again, all that comes from open source projects is add-at-your-own-risk paradigm. Instead the native crypto provider supplies hash calculations with digest command:

# digest -l
sha1
md5
sha256
sha384
sha512
Solaris_star# digest -v -a md5 sntp.py
md5 (sntp.py) = 0e306d35ef7da1a47c51590fe70b3144

Encrypting local files in Solaris

May 15, 2010 / / 3 Comments

How do I encrypt local file in Solaris ? On Linux I use either OpenSSL or GPG but these are both open source projects not native in Solaris land. For this Solaris has encrypt/decrypt which do what their name say.
And of course we talk here about symmetric encryption. Options for encrypt/decrypt are succinct – list available algorithms, specify input/output file(s), and optional specify file containing the key or otherwise type it on terminal. Few examples are to follow.
– List algos

# encrypt –l
Algorithm Keysize: Min Max (bits)
——————————————
aes 128 256
arcfour 8 2048
des 64 64
3des 192 192

– Now let’s encrypt something (file smtp_send.py ) with AES algo .

# encrypt -a aes -i smtp_send.py -o smtp_send.py.enc
Enter key:
Solaris#
Solaris# file smtp_send.py.enc
smtp_send.py.enc: data

– And what about decrypting ?

# decrypt -a aes -i smtp_send.py.enc -o smtp_send.py.dec
Enter key:

– In case you wish to use key stored in a file (I personally don’t do it as it is too easy to forget to delete the key file).

# encrypt -a aes –k key_in_a_file.txt -i smtp_send.py -o smtp_send.py.enc
« Older posts Newer posts »

© 2016 yurisk.info

Theme by Anders NorenUp ↑