Tuesday, April 6, 2010

Deploy iptables Cluster using Fwbuilder and Heartbeat

I/Intro

Fwbuilder (Firewall Builder) is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco router extended access lists. Both professional network administrators and hobbyists managing firewalls with policies more complex than a simple web-based UI allows can simplify their management tasks with it. The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls.

Firewall Builder is packaged with most Linux distributions. If the package is not available in the base distribution, it usually can be found in "extras". You need to install the package with the supporting API library libfwbuilder and the package fwbuilder that contains the Firewall Builder GUI and policy compilers. You can use your favorite package management tool such as yum, apt-get or aptitude to find and install them. On FreeBSD and OpenBSD Firewall Builder is part of ports; you can find it in /usr/ports/security/fwbuilder. The new version comes with support for high availability firewall configurations, including heartbeat, vrrpd, keepalived and conntrackd on Linux, CARP and pfsync on OpenBSD, and PIX failover configuration. It can generate configuration scripts to manage IP addresses, VLAN, bridge and bonding interfaces on the firewall. Drop-in support for the OpenWRT firewall script is now available, as well as experimental integration with IPCOP firewall appliances. The GUI supports undo/redo of unlimited depth, was generally streamlined and has many other improvements. You can refer to: http://www.fwbuilder.org/

2/Install

Step 1: configure the IP addresses of the 2 firewalls as shown in the image


Step 2:install heartbeat

yum -y install heartbeat

yum -y install heartbeat   # run it a second time because of errors the first time


Step 3: copy the default configuration files. This must be done on both systems

cp /usr/share/doc/heartbeat-2.1.3/authkeys /etc/ha.d/authkeys

cp /usr/share/doc/heartbeat-2.1.3/ha.cf /etc/ha.d/ha.cf

cp /usr/share/doc/heartbeat-2.1.3/haresources /etc/ha.d/haresources


Step 4: edit /etc/ha.d/authkeys. This must be done on both systems

auth 3

3 md5 123

Step 5: edit /etc/ha.d/ha.cf. This must be done on both systems

keepalive 2 #line 52

deadtime 10 # line 60

mcast eth0 225.0.0.1 694 1 0 #line 117

mcast eth1 225.0.0.1 694 1 0 #line 118

node fw1.test.vn # add at the bottom of the file
node fw2.test.vn # add at the bottom of the file

Step 6: edit /etc/ha.d/haresources


fw1.test.vn IPaddr::192.168.10.145/24/eth0/192.168.10.255

fw1.test.vn IPaddr::172.16.1.3/16/eth1/172.16.255.255

Step 7:

authkeys must have permissions "0600"; the other files can have permissions "0644"

Step 8:

/etc/init.d/heartbeat start
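Before starting heartbeat on each node it is worth checking the three files from Steps 3 to 7 for the mistakes that keep heartbeat from starting or from failing over. The check below is an added example, not part of the original post or of heartbeat itself; the sample files it writes are constructed copies of the configuration shown above.

```python
# Added example, not from the original post: check the heartbeat files from
# Steps 3-7 for the mistakes that stop heartbeat from starting or failing over.
import os
import stat
import tempfile


def _fields(path):
    """Whitespace-split each non-empty line of path, with '#' comments stripped."""
    with open(path) as f:
        return [l.split("#")[0].split() for l in f if l.split("#")[0].strip()]


def check_ha_dir(ha_dir):
    """Return a list of problems found in ha_dir (empty means it looks sane)."""
    problems = []
    authkeys = os.path.join(ha_dir, "authkeys")
    # Step 7: authkeys must be 0600, heartbeat refuses to start otherwise.
    mode = stat.S_IMODE(os.stat(authkeys).st_mode)
    if mode != 0o600:
        problems.append("authkeys mode is %04o, expected 0600" % mode)
    # Step 4: the "auth N" index must point at an existing "N method key" line.
    lines = _fields(authkeys)
    active = [l[1] for l in lines if l[0] == "auth" and len(l) > 1]
    keys = {l[0]: l[1:] for l in lines if l[0] != "auth"}
    if not active or active[0] not in keys:
        problems.append("authkeys: 'auth' index has no matching key line")
    # Step 5: ha.cf needs a heartbeat medium and must name every cluster node.
    cf = _fields(os.path.join(ha_dir, "ha.cf"))
    nodes = {n for l in cf if l[0] == "node" for n in l[1:]}
    if not any(l[0] in ("mcast", "bcast", "ucast", "serial") for l in cf):
        problems.append("ha.cf: no heartbeat medium (mcast/bcast/ucast/serial)")
    # Step 6: every node that owns resources in haresources must be in ha.cf.
    for l in _fields(os.path.join(ha_dir, "haresources")):
        if l[0] not in nodes:
            problems.append("haresources: node %s not declared in ha.cf" % l[0])
    return problems


def demo():
    """Write the post's configuration (constructed sample files) to a temp dir and
    check it twice: with authkeys at 0600 and then at 0644."""
    d = tempfile.mkdtemp()
    files = {
        "authkeys": "auth 3\n3 md5 123\n",
        "ha.cf": "keepalive 2\ndeadtime 10\nmcast eth0 225.0.0.1 694 1 0\n"
                 "node fw1.test.vn\nnode fw2.test.vn\n",
        "haresources": "fw1.test.vn IPaddr::192.168.10.145/24/eth0/192.168.10.255\n"
                       "fw1.test.vn IPaddr::172.16.1.3/16/eth1/172.16.255.255\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
    os.chmod(os.path.join(d, "authkeys"), 0o600)
    good = check_ha_dir(d)
    os.chmod(os.path.join(d, "authkeys"), 0o644)
    return good, check_ha_dir(d)
```

Run check_ha_dir("/etc/ha.d") on both nodes; any line it prints is something to fix before Step 8.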

Step 9:Install fwbuilder

#rpm -Uvh libfwbuilder*
#rpm -Uvh fwbuilder*

Step 10:

Create the 2 firewalls in Fwbuilder as shown in the image

Step 11:


Step 12:

Open UDP port 694 and UDP port 3780 on both firewalls

Step 13:

Create the NAT and Policy rules for the cluster (they are created the same way as for a stand-alone fwbuilder firewall)

Step 14: Test

shut down fw1 and test again

start fw1 and test again

Besides heartbeat, you can use vrrp, carp, ... for the cluster.

If you need the template files for this configuration, please send mail to quan.hoa@conheotiensinh.co.cc and I will send them to you.


Thanks

http://conheotiensinh.blogspot.com/

Thursday, December 31, 2009

INSTALL IPS(SNORT) WITH EasyIDS and Guardian

I/Intro

An intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS, for example, operates in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology.

II/INSTALL

Step 1: install the IDS as described at http://conheotiensinh.blogspot.com/2009/12/install-ids-in-centos-with-5-minutes.html

Step 2:IPS – Guardian

Guardian is a security program which works in conjunction with Snort to automatically update firewall rules based on alerts generated by Snort.
The updated firewall rules block all incoming data from the IP address of the attacking machine (the machine which caused Snort to generate an alert).
There is also logic in place which prevents blocking important machines, such as DNS servers, gateways, and whatever else you want.

Step 3:

Go to http://www.chaotic.org/guardian/ to download Guardian. The current version as of this writing is version 1.7.
#wget http://www.chaotic.org/guardian/guardian-1.7.tar.gz
#tar -xzvf guardian-1.7.tar.gz
#cd guardian-1.7
#cp guardian.pl /usr/local/bin/
#cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
#cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
#cp guardian.conf /etc/snort/
#touch /etc/snort/guardian.ignore
#touch /etc/snort/guardian.target
#touch /var/log/snort/guardian.log


Step 4:

edit /etc/snort/guardian.conf and change these variables

HostIpAddr xxx.xxx.xxx.xxx (IP address of the Snort monitor)
Interface ETH01 (interface that Snort monitors)
HostGatewayByte 75
Logfile /var/log/snort/guardian.log
AlertFile /var/log/messages
IgnoreFile /etc/snort/guardian.ignore
TargetFile /etc/snort/guardian.target
TimeLimit 86400

Step 5:
Edit /usr/local/bin/guardian_block.sh and change these variables (this script blocks the attacker's IP and mails an alert to test@conheotiensinh.co.cc)


# guardian.pl calls this script with the attacker IP and the interface
source=$1
interface=$2

/sbin/iptables -I INPUT -s "$source" -i "$interface" -j DROP
/sbin/iptables -I FORWARD -s "$source" -i "$interface" -j DROP
echo "$source is blocked!" | mail -s "Snort alert is blocked" test@conheotiensinh.co.cc

Step 6:

Edit /usr/local/bin/guardian_unblock.sh and change these variables (this script removes the attacker's IP from the block list and mails an alert to test@conheotiensinh.co.cc)


# guardian.pl calls this script with the same two arguments when the block expires
source=$1
interface=$2

/sbin/iptables -D INPUT -s "$source" -i "$interface" -j DROP
/sbin/iptables -D FORWARD -s "$source" -i "$interface" -j DROP

echo "$source was blocked for 24 hours! It is released!" | mail -s "Snort alert is released" test@conheotiensinh.co.cc

Step 7:

Edit /etc/snort/guardian.target

add the IP of the Snort monitor

Step 8:
Edit /etc/snort/guardian.ignore


add the IP 127.0.0.1

Step 9:

Edit /etc/snort/snort.conf

uncomment “output alert_syslog: LOG_AUTH LOG_ALERT”

service snort restart

Step 10: create the shell script guardian.sh

#————— CUT HERE —————–#

#!/bin/bash
# start/stop wrapper for Guardian; runs guardian.pl with the config from Step 4

start()
{
    export PATH=$PATH:/usr/local/bin
    /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
}

stop()
{
    # the pattern 'guardian.pl *-c' does not match the grep process itself
    ps aux | grep 'guardian.pl *-c' > /dev/null 2>&1
    if [ $? -eq 0 ];
    then
        kill $(ps aux | grep 'guardian.pl *-c' | awk '{print $2}')
    else
        echo "Guardian is not running ....."
    fi
}

status()
{
    ps aux | grep 'guardian.pl *-c' > /dev/null 2>&1
    if [ $? -eq 0 ];
    then
        echo "Guardian is Running ....."
    else
        echo "Guardian is not Running ...."
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        ;;
esac


Step 11:

chmod +x guardian.sh
cp guardian.sh /usr/local/bin/guardian.sh

/usr/local/bin/guardian.sh start

Step 12:test

test with nmap

#nmap -v -sS xxx.xxx.xxx.xxx
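To see what Guardian does with the alerts that Step 9 sends to /var/log/messages, here is an added example (not Guardian's own code) of the per-alert decision: parse the Snort syslog line, skip sources in the ignore file, act only when a host from the target file is hit, and release the block after TimeLimit seconds. It is a dry run that returns the guardian_block.sh / guardian_unblock.sh commands instead of executing them; the target-file semantics and the sample alert lines (documentation IP ranges) are assumptions constructed for this example.

```python
# Added example, not Guardian's own code: the decision Guardian makes per
# Snort syslog alert, as a dry run that returns the block/unblock commands.
import re

# Snort alert_syslog line: "... snort[pid]: [gid:sid:rev] msg [Priority: n]: {PROTO} SRC -> DST"
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[[\d:]+\] (?P<msg>.*?) \[Priority: \d+\]:? \{\w+\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

BLOCK = "/usr/local/bin/guardian_block.sh %s %s"      # Step 5 script
UNBLOCK = "/usr/local/bin/guardian_unblock.sh %s %s"  # Step 6 script


class Guardian:
    def __init__(self, interface, ignore, targets, time_limit=86400):
        self.interface = interface        # Interface from guardian.conf
        self.ignore = set(ignore)         # IgnoreFile: never block these sources
        self.targets = set(targets)       # TargetFile: only react when these are hit (assumed)
        self.time_limit = time_limit      # TimeLimit: seconds until unblock
        self.blocked = {}                 # source ip -> time it was blocked

    def handle_alert(self, line, now):
        """Return the block command for one alert line, or None."""
        m = ALERT_RE.search(line)
        if not m:
            return None                   # not a Snort alert line
        src, dst = m.group("src"), m.group("dst")
        if src in self.ignore or dst not in self.targets or src in self.blocked:
            return None
        self.blocked[src] = now
        return BLOCK % (src, self.interface)

    def expire(self, now):
        """Return unblock commands for sources blocked longer than time_limit."""
        cmds = []
        for src, since in list(self.blocked.items()):
            if now - since >= self.time_limit:
                del self.blocked[src]
                cmds.append(UNBLOCK % (src, self.interface))
        return cmds


# Constructed sample syslog lines (documentation IP ranges), not captured data.
SAMPLE_ALERTS = [
    "Dec 31 10:00:01 ids snort[2345]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 198.51.100.7 -> 192.0.2.10",
    "Dec 31 10:00:02 ids snort[2345]: [1:1000:1] SCAN FIN [Priority: 2]: {TCP} 127.0.0.1:4000 -> 192.0.2.10:22",
    "Dec 31 10:00:03 ids snort[2345]: [1:1000:1] SCAN FIN [Priority: 2]: {TCP} 198.51.100.9:4000 -> 192.0.2.99:22",
    "Dec 31 10:00:04 ids snort[2345]: [1:1000:1] SCAN FIN [Priority: 2]: {TCP} 198.51.100.7:4001 -> 192.0.2.10:22",
]


def demo():
    """Feed the samples to a Guardian protecting 192.0.2.10, then age the table by TimeLimit."""
    g = Guardian("eth0", ignore=["127.0.0.1"], targets=["192.0.2.10"])
    blocks = [c for c in (g.handle_alert(l, 1000) for l in SAMPLE_ALERTS) if c]
    return blocks, g.expire(1000 + 86400)
```

Only the first sample produces a block: the second comes from the ignored 127.0.0.1, the third hits a host that is not in the target file, and the fourth repeats an already blocked source.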


Besides iptables, you can use EasyIDS as an IPS with other firewalls (FreeBSD with IPFW, Checkpoint, PIX, ...) by using SSH to copy the rules to the firewall


Please refer to: http://www.chaotic.org/guardian/



Tuesday, December 29, 2009

Install IDS in Centos with 5 minutes



I/Intro

An intrusion detection system (IDS) is a device (or application) that monitors network and/or system activities for malicious activities or policy violations. Installing an IDS by hand is very hard (you need to install Snort, HTTP, MySQL and so on), but with EasyIDS installing an IDS is easier.

II/Install

Step 1: download the EasyIDS ISO from http://sourceforge.net/projects/easyids/files/

Step 2: install it the same way as installing CentOS (EasyIDS 4.0 runs on CentOS 5.4)

Step 3: configure the IP of the NIC

Step 4: To access the EasyIDS GUI browse to https://IPADDRESS from another computer and log in with the username admin and the password password.

Step 5: run a test attack against EasyIDS and check the status in EasyIDS

Besides that, you can use EasyIDS as an IPS (Intrusion Prevention System) with iptables and Guardian. I will introduce that later.


Thanks

Friday, December 4, 2009

INSTALL Monit for Monitor System

I/INTRO

Monit is a free open source utility for managing and monitoring processes, files, directories and filesystems on a UNIX system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.

II/INSTALL

Step 1:Install monit

#wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
#rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
#yum install monit
#chkconfig --levels 235 monit on

Step 2:Config Monit

edit /etc/monit.d/monitrc
set daemon  60
set logfile syslog facility log_daemon
set mailserver localhost #mail server
set mail-format { from: monit@server1.example.com }
set alert root@localhost #alert the admin at the email address root@localhost
set httpd port 2812 and
SSL ENABLE
PEMFILE /var/certs/monit.pem
allow admin:test

Some example checks for monit

*check host CUIBAP with address 19.16.12.32
if failed icmp type echo with timeout 20 seconds then alert
(checks the host; if it does not answer within 20 seconds monit mails an alert to the admin)

*check host CONHEO with address 132.163.193.3
if failed port 25 with timeout 30 seconds then alert
(checks the SMTP service; if it does not answer within 30 seconds monit mails an alert to the admin)

*check process sshd with pidfile /var/run/sshd.pid
start program "/etc/init.d/sshd start"
stop program "/etc/init.d/sshd stop"
if failed port 22 protocol ssh then restart
if failed port 22 protocol ssh then alert
if 5 restarts within 5 cycles then timeout
(checks the SSH service; if it is down monit starts it automatically; this only works on localhost)

Step 3: access the monit web interface on port 2812


Thursday, December 3, 2009

Install Iredmail use LDAP and Groupware Server use SOGO

I/INTRO

In a previous document I showed you how to install iredmail with MySQL as the backend: http://conheotiensinh.blogspot.com/2009/08/install-linux-mail-server-with-5.html. Today I will show you how to install iredmail with LDAP as the backend (and configure iredadmin to administer mailboxes; if you use MySQL as the backend you use postfixadmin instead). Besides that, I will show how to install and configure the SOGo groupware server.

*SOGo is groupware server with a focus on scalability and open standards.

*SOGo provides a rich AJAX-based Web interface and supports multiple native clients through the use of standard protocols such as CalDAV, CardDAV and GroupDAV.

*SOGo is the missing component of your infrastructure; it sits in the middle of your servers to offer your users a uniform and complete interface to access their information. It has been deployed in production environments where thousands of users are involved.


II/INSTALL

1/ Install iredmail as normal, but attention! choose LDAP as the backend and set the password of the postmaster account


2/Install and config Iredadmin

By default, after the install finishes you can use phpldapadmin to administer mailboxes, but it is very hard to configure

Step 1: install the packages needed for iredadmin

#yum install python-setuptools.noarch MySQL-python.i386 \
gcc.i386 gcc-c++.i386 openssl-devel.i386 python-devel.i386 \
openldap-devel.i386

#easy_install web.py Jinja2 python-ldap==2.3.8 netifaces
#rpm -ivh http://www.iredmail.org/yum/rpms/5/mod_wsgi-2.5-2.ired.i386.rpm



Step 2: download iRedAdmin from http://iredmail.googlecode.com/files/iRedAdmin-0.1.1.tar.bz2 (you need to buy a license because the open source version only has the feature to create mailboxes, not mail lists, but you can use phpldapadmin to create mail lists)
Step 3: copy iRedAdmin to /var/www/ and set correct file permissions
Step 4:
$ tar xjf iRedAdmin-0.1.1.tar.bz2 -C /var/www/ 
$ cd /var/www/

$ chown -R root:root iRedAdmin-0.1.1
$ chmod -R 0755 iRedAdmin-0.1.1

$ ln -s iRedAdmin-0.1.1 iredadmin


Step 5: add the Apache configuration file /etc/httpd/conf.d/iredadmin.conf with:

AddType text/html .py
Order deny,allow
Allow from all

Step 6:
Edit /etc/httpd/conf.d/ssl.conf to make iredadmin accessible via HTTPS. Add the lines below before the end of the SSL virtual host section:

WSGIScriptAlias /iredadmin /var/www/iredadmin/iredadmin.py/
Alias /iredadmin/static /var/www/iredadmin/static/

Step 7:restart apache

/etc/init.d/httpd restart

Step 8:
Create the MySQL database iredadmin and grant privileges

$ mysql -uroot -p
mysql> CREATE DATABASE iredadmin DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
mysql> USE iredadmin;
mysql> SOURCE /var/www/iredadmin/docs/samples/iredadmin.sql;
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON iredadmin.* TO iredadmin@localhost IDENTIFIED BY '123';
mysql> FLUSH PRIVILEGES;

Step 9:Configure iRedAdmin

$ cd /var/www/iredadmin/
$ cp settings.ini.sample settings.ini


Edit settings.ini and set several variables


$ chmod -w settings.ini

Step 10: access iredadmin at https://your_server_ip_address/iredadmin/

3/Install and config SOGO

Step 1: create a yum repo for installing SOGo
create the file /etc/yum.repos.d/inverse.repo with this content:

[RHEL5]
name=Inverse SOGo Repository
baseurl=http://inverse.ca/downloads/SOGo/RHEL5/$basearch
gpgcheck=0

Step 2:install sogo

#yum install sogo
#yum install sope49-gdl1-postgresql
(you can use the mysql or oracle adaptor instead of postgresql)

Step 3: SOGo requires a relational database system to store appointments, tasks and contact information; it also uses the database to store the personal preferences of SOGo users. You need to create the DB and grant permissions.

Step 4: edit /home/sogo/GNUstep/Defaults/.GNUstepDefaults as shown in the image

Step 5: you need to install the add-on for Thunderbird
http://www.sogo.nu/fr/downloads/frontends.html


Step 6:config thunderbird


If you only use the SOGo Connector plug-in, you can still easily access your data.
To access your personal address book:
Choose Go > Address Book. Choose File > New > Remote Address Book.
Enter a significant name for your calendar in the Name field.

Type the following URL in the URL field: http://localhost/SOGo/dav/u1/Contacts/personal/ Click on OK.
To access your personal calendar:
Choose Go > Calendar.
Choose Calendar > New Calendar.
Select On the Network and click on Continue. Select CalDAV.
Type the following URL in the URL field: http://localhost/SOGo/dav/u1/Calendar/personal/ Click on Continue.

Step 7: Test: create a calendar in the web interface and it will sync to Thunderbird automatically

Wednesday, December 2, 2009

Monitor bandwidth with Netflow and PRTG(PFSENSE)

I/Intro

*NetFlow Analyzer is a web-based (no hardware probes) bandwidth monitoring, network forensics and network traffic analysis tool that has been optimizing thousands of networks across varied industries for peak performance and helping them to put their bandwidth to better use. NetFlow Analyzer is a NetFlow, sFlow, JFlow (and more) collector, analyzer and reporting engine integrated together. With close to 4000 enterprises using NetFlow Analyzer for in-depth visibility into their network traffic and its patterns, NetFlow Analyzer continues to earn the trust of more users by giving business knowledge of real-time network behavior and how traffic impacts the network's overall health.

*PRTG Traffic Grapher is an easy to use Windows software for monitoring and classifying bandwidth traffic usage. It provides system administrators with live readings and long-term usage trends for their network devices. The most common usage is bandwidth management, but you can also monitor many other aspects of your network like memory and CPU utilizations.

II/Install

Step 1:install pfsense as normal

Step 2: install the pfflowd service (System -> Packages, choose pfflowd and click the "+" icon)

Step 3: configure the pfflowd service in pfSense (Services -> pfflowd) as in the image, with Host set to the address of the machine where NetFlow Analyzer is installed, and click Save

Step 4: configure the SNMP service for PRTG (Services -> SNMP, check Enable as in the image)

Step 5: install PRTG and NetFlow Analyzer.

Download PRTG: http://www.paessler.com/prtg6/download
NetFlow Analyzer: http://www.manageengine.com/products/netflow/download.html

install PRTG and NetFlow Analyzer with the default (automatic) settings

Step 6: restart pfSense

Step 7: Test
download from 172.16.1.3 and check the status in PRTG and NetFlow Analyzer

Thursday, November 26, 2009

INSTALL ModSecurity (Web Application Firewall)

I/INTRO

ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella – shielding applications from attacks. ModSecurity supports both branches of the Apache web server.

The module filters, and optionally rejects, incoming requests based on a number of different criteria like CGI variables, HTTP headers, environment variables, and even individual script parameters. mod_security can also create an audit log, storing full request details in a separate file, including POST payloads (the audit feature can be turned on or off on a per-server or per-directory basis).

II/INSTALL


Step 1: you need to install the Microsoft Visual C++ 2008 Redistributable Package (x86) (if you use Apache on Windows).

If you use Linux, you can install from source as follows:

#wget http://www.modsecurity.org/download/modsecurity-apache_2.5.11.tar.gz

#tar -xvzf modsecurity-apache_2.5.11.tar.gz

#cd modsecurity-apache_2.5.11

#./configure;make;make install

You can install it with yum if you use RHEL or CentOS.

Refer to: http://www.jasonlitka.com/yum-repository/


Step 2:Configure

If you use Windows, copy libxml2.dll to the bin folder in the Apache folder (on Linux the Apache configuration is in /etc/httpd/)

Step 3:edit file httpd.conf

uncomment

  LoadModule unique_id_module modules/mod_unique_id.so 

Add this line at the bottom of Load Modules section:
LoadModule security2_module modules/mod_security2.so

Step 4: Test: change the signature of the web server to IIS/7.5 with "SecServerSignature "IIS/7.5"" and access Apache to see that it now reports IIS/7.5