yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise


Tracking the source of DOS attack with Cisco IOS

Problem: the enterprise is under a Denial of Service attack that brings down key elements of the business, or the whole network altogether.
Tracking the attacker is the first step in handling the attack, and unless the flood is coming from inside (most probably not, in a well-managed LAN) you will need the help of your Service Provider (SP) to find out the origin. Unfortunately the SP's backbone is not well suited for such forensics, as its business role is to provide uninterrupted connectivity to ALL the clients, not only you, so the SP will not enable ACLs, ip accounting or NetFlow on their backbone to identify where the attack is coming from. And if the source IP of the attack is spoofed, you can't do much.

For such cases Cisco came up with a nice feature called ip source tracking, which gathers flow statistics for specific destination IPs (those of the victim) and periodically exports them for viewing, and does all this without overloading the backbone router it is enabled on (relevant, of course, only if your SP is using Cisco gear). Here are the details:

– Enable it globally for the victim IP; here the IP being attacked is 63.45.33.22

Edge(config)#ip source-track 63.45.33.22

– If you want (and if this is being done by the SP, they will not), you may create log entries:
Edge1(config)#ip source-track syslog-interval 2
Then you will see in the logs (a good reminder to disable this afterwards):
May 28 10:55:47.105: %DOS_TRACK-5-CFG: IP Source Tracker configured for 1 hosts

– You may also define how often the gathered info is exported for viewing (seems to depend on the platform):

Edge(config)#ip source-track export-interval 60

– And finally, view the data accumulated so far:

Edge#sh ip source-track
Address SrcIF Bytes Pkts Bytes/s Pkts/s
63.45.33.22 Fa0/0 141G 485M 8244 141

The most important item here is the source interface (this router has only one ingress interface; in a real backbone you will have several feeds) where you see most of the incoming traffic for this destination IP. Then you (the SP) would go to the upstream router connected to this local interface, enable the same source tracking, and so on, up to the last point in the backbone where the attacking traffic enters the SP's network from some upstream SP. The SP then has the option to contact the abuse desk of this upstream provider so they can investigate the issue further, or at least divert the attack into a black hole at the entry point, so the end client is not affected at all.
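As an added example that is not part of the original post, here is a small Python parser for the show ip source-track output above, extended to the multi-interface case a real backbone router would show: it expands the abbreviated counters (the K/M/G multipliers are assumed to be decimal), ranks the ingress interfaces by Bytes/s toward the victim address and names the one to follow upstream. The extra rows in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip source-track" output: the row from the post plus
# two invented ingress interfaces, as a multi-homed backbone router would report.
SAMPLE = """\
Address SrcIF Bytes Pkts Bytes/s Pkts/s
63.45.33.22 Fa0/0 141G 485M 8244 141
63.45.33.22 Gi1/0 2300K 9500 12 1
63.45.33.22 Gi2/1 98G 310M 6110 97
"""

# Multipliers for IOS abbreviated counters (assumed decimal, as in 141G bytes).
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def to_number(token):
    """Expand a counter such as '141G' or '485M' to an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("unexpected counter: %r" % token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_source_track(text):
    """Map victim address -> list of (srcif, bytes, pkts, bytes_per_s, pkts_per_s)."""
    rows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "Address":   # skip header and blank lines
            continue
        rows[parts[0]].append((parts[1],) + tuple(to_number(p) for p in parts[2:]))
    return dict(rows)

def ingress_shares(text, victim):
    """Percentage of the victim's incoming Bytes/s seen on each ingress interface."""
    entries = parse_source_track(text).get(victim, [])
    total = sum(e[3] for e in entries)
    if total == 0:
        return {}
    return {e[0]: round(100.0 * e[3] / total, 1) for e in entries}

def top_ingress(text, victim):
    """Interface carrying most of the flood: the next upstream hop to enable tracking on."""
    shares = ingress_shares(text, victim)
    if not shares:
        raise KeyError("no source-track data for %s" % victim)
    return max(shares, key=shares.get)
```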

UTM or Power? Checkpoint

UTM or Power?
How do you know, when logged in with ssh, what type of machine you are working with?
I know 3 ways to find out:

1) By the interface names; see the difference:

UTM
(output edited for conciseness)

[Expert@Firewall]# ifconfig
DMZ Link encap:Ethernet HWaddr 00:90:FB:22:11:00
DMZ.10 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
DMZ.20 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
DMZ.30 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
DMZ.40 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
DMZ.50 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
DMZ.60 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
DMZ.70 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
DMZ.80 Link encap:Ethernet HWaddr 00:90:FB:22:11:00

External Link encap:Ethernet HWaddr 00:90:FB:22:11:00

Internal Link encap:Ethernet HWaddr 00:90:FB:22:11:00

Lan1 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
Lan2 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
Lan2.2 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
Lan2.3 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
Lan2.4 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
Lan2.5 Link encap:Ethernet HWaddr 00:90:FB:22:11:00
lo Link encap:Local Loopback

VPN Power
(output edited for conciseness)
Here you will see the usual output, as on any server with Linux installed.
[Expert@CP]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:33:12:FD:47:92
eth1 Link encap:Ethernet HWaddr 00:33:12:FD:47:12
eth3 Link encap:Ethernet HWaddr 00:33:12:FD:47:55
lo Link encap:Local Loopback

2) By the installed product names (seen on the cpug.org forum somewhere):

[Expert@CP]# sysconfig
-> Option 10 "Product installation.." -> Next -> Yes; it then presents you with the products available for this hardware.

UTM
The following products are available in this version
Please select product(s)

1 [x] VPN-1 UTM
2 [ ] UserAuthority
3 [x] SmartCenter UTM
4 [x] Eventia Suite
5 [ ] Integrity
6 [ ] Performance Pack
7 [x] SmartPortal

VPN Power

The following products are available in this version
Please select product(s)

1 [x] VPN-1 Power
2 [ ] UserAuthority
3 [x] SmartCenter
4 [ ] Eventia Suite
5 [ ] Integrity
6 [ ] Performance Pack
7 [ ] SmartPortal

3) Yet another way, this time provided by Checkpoint itself:
/bin/is_power
/bin/is_appliance

When you run each of these it prints to the terminal either 0 or nothing; the tool that prints nothing identifies the type of software we are working with.
If you know of other ways to find it, feel free to share.

Change password for console expert user Checkpoint Splat

As seen many times, Checkpoint has its own way of doing otherwise simple and straightforward tasks. Changing the password for a shell account is another example.
By default, when installed, Splat creates two console/OS users, admin and root. You can't log in remotely (i.e. by ssh) as root, because /etc/ssh/sshd_config contains this:
DenyUsers root shutdown halt nobody ntp pcap rpm
AllowGroups root

So basically you are left with the admin user for all command-line tasks (Expert mode), a security flaw by itself; but even worse, when you try to change this user's password with the passwd command, Checkpoint doesn't let you. Worse still, it happily goes ahead and notifies you that the password has been successfully changed and … you can still log in only with the old password. The reason is here:

[Expert@cp]# which passwd
alias passwd='/bin/expert_passwd'
/bin/expert_passwd
[Expert@cp]#

This way Splat tricks you into running a dummy 'passwd' of its own that is only good for the CPshell environment. So to really change the password of the Expert user you have 2 options:
1) Through the web device management GUI (not covered here)
2) Use the native passwd, see below

[Expert@cp]# /usr/bin/passwd rambo
Changing password for user rambo.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[Expert@cp]#

Here:
/usr/bin/passwd – the Linux native passwd utility
rambo – the Expert user I added to the system, after which I blocked remote login for user admin (or type admin for the default user).

Adding an Expert user:
To add another user with uid 0, use the -o switch:

[Expert@cp]# useradd -u 0 -g 0 -o -s /bin/bash rambo

Then change the password as above and fix /etc/ssh/sshd_config to allow rambo to log in and block admin:

DenyUsers root shutdown halt nobody ntp pcap rpm admin
AllowGroups root
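As an added check, not from the original post: after adding rambo and editing DenyUsers, this Python snippet audits a copy of /etc/passwd and sshd_config to list every uid-0 account that sshd still accepts, so that the shared admin account does not stay reachable by mistake. Both sample files are constructed, the shell paths in the passwd sample are assumptions, and only plain user names in DenyUsers are handled (not patterns or user@host forms).

```python
# Constructed /etc/passwd excerpt for a Splat box in the state described above:
# root, the default admin user and the added uid-0 user rambo. Shell paths are assumed.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:admin:/home/admin:/bin/cpshell
rambo:x:0:0::/home/rambo:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
"""

# Constructed sshd_config fragments: before and after adding admin to DenyUsers.
SSHD_BEFORE = "DenyUsers root shutdown halt nobody ntp pcap rpm\nAllowGroups root\n"
SSHD_AFTER = "DenyUsers root shutdown halt nobody ntp pcap rpm admin\nAllowGroups root\n"

def uid0_accounts(passwd_text):
    """All account names with uid 0, i.e. every name that is effectively root."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names

def sshd_values(config_text, keyword):
    """Values of every occurrence of a list-style sshd_config keyword (case-insensitive).
    Plain names only; DenyUsers patterns such as wildcards are not expanded here."""
    values = []
    for line in config_text.splitlines():
        parts = line.strip().split()
        if parts and not parts[0].startswith("#") and parts[0].lower() == keyword.lower():
            values.extend(parts[1:])
    return values

def ssh_reachable_uid0(passwd_text, config_text):
    """uid-0 accounts not listed in DenyUsers: ideally only the one Expert user you chose."""
    denied = set(sshd_values(config_text, "DenyUsers"))
    return [name for name in uid0_accounts(passwd_text) if name not in denied]
```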

Debug VPN in Fortigate – seeing is believing

You can't really debug VPN problems with static show commands; if a VPN fails to function you HAVE to see it happening in real time. Below I list a few debug commands that do just that for IPsec site-to-site tunnels in Fortigate.

Here:
192.168.168.254 – IP address on the LAN interface of the Fortigate
10.170.15.131 – IP address on the remote LAN
200.199.20.162 – (sanitized) IP of the WAN interface of the Fortigate
72.21.207.65 – (sanitized) IP of the remote VPN peer

– Enable debugging
FG100A# diag debug en

– Enable debug messages for a specific application; here we are interested in IKE (note the debug level -1; following logic I first enabled +1, 255 etc. and surprisingly it had no effect at all)
FG100A # diag debug app ike -1

Black hole routing to the rescue – Fortigate OS 4 surprise

Many times there is more than one solution to a problem, and the most obvious is not the best one. I was reminded of this when a Fortigate 60 unit came into my care that was periodically blocking traffic: you know the not-saying-much system alert "..has reached connection limit", after which no traffic goes from LAN to WAN.
This being clearly a resource starvation issue, you may never know for sure what causes it; it may be an oversized rulebase, custom IPS, AV set on everything and everywhere, etc. The only way to pinpoint the misbehaving component is by elimination, disabling one by one until the problem disappears. For this particular Fortigate it was the URL filtering used to block access to Facebook.com. Unfortunately, once this was disabled, users in the LAN would starve the bandwidth by accessing (or rather not leaving) this website. An internal fair-use policy issue? Yes, of course, but in this case the only way to implement the policy was by force. So if not URL filtering (the obvious solution), then black-hole routing would be the better one, I thought; but in this FortiOS 3 I didn't find such an option, and as an upgrade to FortiOS 4 wasn't an option, I blackholed the Facebook.com IP range (thanks to Facebook for the convenience of a contiguous IP range) on the WAN-facing Cisco router.

In FortiOS 4 you can configure blackhole routing with no hassle:
FG100 # config router static
FG100 (static) # edit 5
FG100 (5) # set blackhole ?
disable disable setting
enable enable setting
FG100 (5) # set blackhole enable
FG100 (5) # set dst 69.63.176.0/20
FG100 (5) # end

Verify:
FG100 # show router static
config router static
edit 1
----output omitted----
edit 5
set blackhole enable
set dst 69.63.176.0 255.255.240.0
next
end

From a station in the LAN:
# ping 69.63.184.142
PING 69.63.184.142 (69.63.184.142) 56(84) bytes of data.
From 10.99.99.254 icmp_seq=1 Destination Net Unreachable
From 10.99.99.254 icmp_seq=2 Destination Net Unreachable

Facebook IP range:
whois 69.63.176.140
[Querying whois.arin.net]
[whois.arin.net]
OrgName: Facebook, Inc.
OrgID: THEFA-3
Address: 156 University Ave, 3rd floor
City: Palo Alto
StateProv: CA
PostalCode: 94301
Country: US
NetRange: 69.63.176.0 - 69.63.191.255
CIDR: 69.63.176.0/20
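As an added example, not code from the original post or from Fortinet: this Python snippet renders the FortiOS 4 blackhole entry above for a list of prefixes (rejecting a prefix with host bits set, so a typo cannot silently widen the drop) and parses show router static output to check whether a given address, such as the 69.63.184.142 pinged above, is covered. The sample show output is constructed from the one above; the device and gateway values in it are made up.

```python
import ipaddress
import re

# Constructed input: prefixes to drop, here the Facebook range from the whois lookup above.
BLACKHOLE_PREFIXES = ["69.63.176.0/20"]

# Constructed "show router static" output modelled on the one above (edit 1 is an
# ordinary route; its device and gateway values are made up).
SHOW_OUTPUT = """\
config router static
    edit 1
        set device "wan1"
        set gateway 192.0.2.1
    next
    edit 5
        set blackhole enable
        set dst 69.63.176.0 255.255.240.0
    next
end
"""

def render_blackhole_routes(prefixes, first_index=5):
    """Render a 'config router static' block with one blackhole entry per prefix, in the
    dotted-mask form 'show router static' displays. strict=True raises on host bits set."""
    lines = ["config router static"]
    for idx, prefix in enumerate(prefixes, start=first_index):
        net = ipaddress.ip_network(prefix, strict=True)
        lines += ["    edit %d" % idx, "        set blackhole enable",
                  "        set dst %s %s" % (net.network_address, net.netmask), "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"

def blackholed_prefixes(show_output):
    """Networks of every static entry that has blackhole enabled."""
    nets = []
    for block in re.split(r"^\s*edit\s+\d+\s*$", show_output, flags=re.M)[1:]:
        if "set blackhole enable" in block:
            m = re.search(r"set dst (\S+) (\S+)", block)
            if m:
                nets.append(ipaddress.ip_network("%s/%s" % m.groups()))
    return nets

def is_blackholed(show_output, address):
    """True when the address falls in a blackholed prefix: every packet to it is dropped,
    whatever the protocol, not only web browsing."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in blackholed_prefixes(show_output))
```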

eSafe Certified Professional

Recently I've taken the 2-day course and then successfully passed the eSCP certification, and here are some impressions about that. First, for serial certification obtainers, for the main question – what is the gain here? – I will frankly say: I don't know. This cert isn't found under 'most wanted/hot/industry leading' headings anywhere, so whether it's gonna get you an advantage in promotion/job search/etc. remains an open question.
The course was fully funded by my work and I took part in it for the benefit of the knowledge I would gain there only. And taking the test is possible only after you have passed the course. So, let's head over to the course.
The course was administered at a 3rd-party learning center but by folks from Aladdin itself ONLY – one of the strong points of the course. As I understood, even if the course were given in the heart of Amazonia, Brazil, it would still be presented by Aladdin folks; no 'certified instructors' are employed.
There were 2 instructors, one doing the talking and helping in labs, and the other helping in labs. While the first instructor is from the Presale team, she could answer any technical questions I had ("- Can you remind me the name of the file to add an IP address to the interface so it survives reboot, unlike ifconfig?").

The overall course consisted of approximately 20% presentations/talks and 80% hands-on labs. The contents can be seen here, only that we dealt with version 7 only, not 6.2 as in the pdf:
ftp://ftp.aladdin.com/pub/marketing/eSafe/Agenda/Expert_Agenda.pdf
Every pair of students was given a Hellgate appliance to play with. And we used it to the full – our team even succeeded in pushing it beyond the limit, crashing it and doing an RMA on our HellGate – the fastest RMA ever seen, it took 5 mins to bring a new Hellgate.

Everyone was given book-sized course material including the presentations we heard and the labs. The flow was: presentation, then lab. We started with reimaging eSafe from USB, then all the config labs as per the pdf above. The LDAP lab took much more time than was allocated for it, as many (including me) are not good friends with all the AD/LDAP/OU/CN/DN stuff, even though the AD server was preconfigured and we had to just(?) connect eSafe to it.
Due to time shortage we didn't do the Web SSL/Reporter/Proxy labs (not a big deal for me as I am yet to see any of them in the wild).
All setups had access to the Internet, so URL filtering we could test in real time.

To conclude – I enjoyed the course, learned lots of new things (my job involves supporting already installed and working eSafe, so I don't do installing/configuring the appliance from scratch, something our integration department always does) and therefore it was worthwhile.
Upon completion we were given a link to a password-protected CBT, the possibility to open a personal account with portal.aladdin.com, a link to download the eSafe 7.1 ISO (every eSafe has a built-in evaluation license for 30 days), a nice bag, and user/pass and a link to the website to take the exam.

Now to the exam – it is a web-based test, with 50 questions and 90 minutes to do it.
The test is pretty easy given you took an active part in the course before, as it recaptures the same topics. So I did it in about 30 mins, got the web page "Congratulations you passed" and a week later received by courier a framed certificate that I am now an eSafe Certified Professional.

eSafe download – demo, docs

Today a newcomer to our department asked me how he should start learning eSafe – should he install Mail or Gateway on VMware? Erm … maybe docs and manuals (as I did)? No, old-fashioned; in our age of CBTs/virtualization/Camtasia-everywhere buzzwords it needs to be with a GUI and interactive, so …
The best way to start learning a product is first to see it 🙂 – for this Aladdin made a demo econsole.
After you run it, it presents you with a dozen eSafe "machines", to any of which you can log in by double-clicking and feel like you are configuring a real eSafe machine – all GUI and options are an exact copy of the real product. You can get it here after filling in a form with (ir)relevant details.
Demo econsole

Here is the link for the econsole download for eSafe 7.1; be aware that it is quite important that you use an econsole version matching exactly the eSafe software version you are trying to connect to. I once had a client that installed eSafe 7.0 (some beta release) and downloaded the econsole locally from the machine; all worked fine. Then he upgraded the eSafe software to 7.1 but did NOT reinstall the new econsole; as a result he couldn't find a bunch of options in the econsole. In the worst scenario, using a non-matching version of econsole to make configuration changes might cause substantial damage to the eSafe software, up to a complete reinstall/reimage.
eSafe econsole 7.1
Docs are also freely available at:
eSafe Documentation
Knowledgebase – if you work for an Aladdin partner you will have access to the complete knowledgebase, while anyone else can see a smaller part of it (that will suffice for a few long weeks of studying nevertheless).
kb.aladdin.com


© 2016 yurisk.info
