IDS: Introduction
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------
Hello,
I have been a member of this list for a few months and I would like to
finally introduce myself as the rest of you have done. I am employed in the
Pipeline Integrity industry as a Network Engineer. My job (amongst various
other tasks, i.e. programming) is to implement network/communication structures
into our workplace. Our LAN/WAN consists of OS flavours such as NT, Solaris,
and Slackware Linux.
I have utilized a Slackware Linux installation with 2 NICs to act as a
router/firewall between each office and the internet. Many services are
executed on these routers (Pop3, SMTP, SNMP, Ftp, Telnet, X11, Lotus Domino,
http, etc.). And many of these services require access from specific hosts
in other offices located in distant cities with static IP addresses.
A large database we employ is Lotus Notes Domino. Many of our employees can
be spread across cities or countries, even continents. I have included some
solutions to allow DYNAMIC IP access to ports with public DENY. A few
scripts I have written for Un*x SH allow users to email their
password/username/requested port to a specific email address. And the
firewall application will grant access to that port from the specific
dynamic IP until a final email is transferred requesting the Port be blocked
to that IP. I have written an E-Mail interface for Win32 which makes
accessing and closing ports easy.
Many of these applications/solutions I have created are specific to this
company and its requirements. Not applications which can easily be
transferred to other organizations requesting their own specific security.
Here is an example of a Un*x SH script I wrote which monitors our
/var/adm/messages (Slackware Linux) for DENYs from IP Firewall. It also
emails administrators the DENY message, plus pages the pagers specified.
As you can tell it's also a small tiny version of an ICMP watcher like Big
Brother. This script was created years ago before I was familiar with what
was already created for similar tasks. We, however, still employ this
structure and haven't had many problems.
Also included at the bottom of this file is another Un*x SH script that I
wrote for Slackware Linux that creates our initial firewall denies and
accepts.
---
DJ Sures (dj@marr-associates.com)
Network Engineer
James E. Marr Associates ( http://www.marr-associates.com )
(PGP Key Available with request)
Personal ( http://atomic.marr-associates.com )
-= C Program Run - C Program Crash - C Programmer Quit =-
**** BIG BROTHER LIKE SCRIPT BELOW
----------------------------------------------------------------------------
#!/bin/sh
# "Whats Up" - pings a list of servers and, between sweeps, watches
# /var/adm/messages for IP firewall DENY entries. Mails and pages on both.
MODEM="/dev/modem2"
SERVERS="192.168.0.3 192.168.0.73 209.115.174.222 207.210.68.33 207.210.68.34"
# Pager code for each server, in the same order as SERVERS
ERRORS="100003 1000073 20000222 3000033 3000034"
PAGERS="2099989"
LOGFILE="/var/adm/whats_up.log"
BAUD="2400"
TRIES=15               # single pings sent before a host is declared down
DENYCODE="1000911"     # pager code sent for a firewall DENY

# Dial each pager and key in $1 as the message. pppd is used only as a
# convenient way to run chat against the modem.
page() {
    CODE="$1"
    for PAGER in $PAGERS ; do
        echo " Dialing $PAGER And sending code $CODE"
        echo " Dialing $PAGER" >> $LOGFILE
        export PAGER CODE
        pppd $MODEM $BAUD modem connect 'chat -v "" "ATZ" "OK" "ATM0S0=1S7=20DT"$PAGER",,,,,,,"$CODE "as"'
        sleep 60
    done
}

# Succeeds as soon as one of up to $TRIES single pings is answered.
# Field 4 of ping's summary line ("1 packets transmitted, 1 ...") is the
# number of packets received.
alive() {
    N=0
    while [ $N -lt $TRIES ] ; do
        echo -n "."
        GOT=`ping -c1 $1 | grep "packets transmit" | cut -d' ' -f4`
        [ "$GOT" = "1" ] && return 0
        N=`expr $N + 1`
    done
    return 1
}

echo "Whats Up Service Started...."
echo "Whats Up Service Started...." >> $LOGFILE
LASTDENY=""
while : ; do
    echo `date`" - Recycle Loop"
    COUNT=0
    for SERVER in $SERVERS ; do
        COUNT=`expr $COUNT + 1`
        if alive $SERVER ; then
            echo "$COUNT:$SERVER Alive"
        else
            echo "$COUNT:$SERVER Down!!"
            echo "$COUNT:$SERVER Down!!" >> $LOGFILE
            # pager code sitting at the same position as this server
            NEWERROR=`echo $ERRORS | cut -d' ' -f$COUNT`
            # pipe straight into mailx; no predictable /tmp file needed
            {
                date
                echo "Server $SERVER went down!"
                echo "Paging with code $NEWERROR"
            } | mailx -s "Server Down" dj dave
            sleep 2
            page $NEWERROR
        fi
    done
    sleep 2
    # Pause (~4 minutes) before the next ICMP sweep. While pausing, check
    # for a DENY from the firewall and page if a new one has shown up.
    PAGERCOUNT=1
    while [ $PAGERCOUNT -le 120 ] ; do
        # The kernel's "IP fw-in deny ..." log line carries the verdict in
        # field 9 of the syslog entry (the field the original check relied on).
        # Remember the last line we paged on so one DENY is reported once,
        # not every two seconds while it stays in the tail.
        DENY=`tail /var/adm/messages | grep "deny" | tail -1`
        FIELD9=`echo "$DENY" | cut -d' ' -f9`
        if [ "$FIELD9" = "deny" ] && [ "$DENY" != "$LASTDENY" ] ; then
            LASTDENY="$DENY"
            tail /var/adm/messages | mailx -s firewall dj dave
            sleep 5
            echo " Received DENY from Firewall" >> $LOGFILE
            echo " Received DENY from Firewall"
            page $DENYCODE
        fi
        sleep 2
        PAGERCOUNT=`expr $PAGERCOUNT + 1`
    done
done
*** THE FIREWALL SCRIPT BELOW
----------------------------------------------------------------------------
#! /bin/sh
# -- http://atomic.marr-associates.com
# Author : D.J. Sures
# Date : 08/01/97
# Email : dj@marr-associates.com
# WWW : http://atomic.marr-associates.com
# Note : This script is copyright D.J. Sures (c)1997. Please do not
# change my source and claim it as your own. I would also
# appreciate credit if this is used in a commercial application.
# Thank ya!
#
# Please do not change a few lines in this script and say you wrote it.
# I wrote it and that's all there is to it. It is easy to understand
# If you have ipfwadm knowledge. If you don't have any clue what this
# does then please don't use it. Thank you
#
#
# --------------------------- Edit these variables -------------------
# IP Address of this machine
localhost="209.115.174.222"
# Add the ports you wish to DENY from outside of your trusted IP's
# Any ports put in the following two variables will protect this
# machine and any machines past.
tcpports="137 138 139 901 1029 1352 6000 9600"
udpports="137 138 139"
# Any ports you put in the following two variables will protect this
# machine only. People will be able to see these ports beyond this
# machine. I use this so they can not see my internal web page.
localtcp=""
localudp=""
# Add the IP/NET's you trust to use all ports
trustedip="127.0.0.0/24 192.168.0.0/24 192.168.3.0/24 207.210.69.4/32 209.115.168.32/29 209.115.174.222/32"
# 0 - Ip Masquerade OFF, 1 - IP Masquerade ON
# If you don't know what this is turn it off!
masquerade="1"
# Add the IP/NET's that you wish to masquerade
masqueradenet="till/32 ravine/32 access/32 drone/32 chasm/32 sojourner/32 jim/32 aqua/32 neko/32 dialup-1/32 dialup-2/32 dialup-3/32 dialup-4/32 laser/32 probe/32 jerry/32"
# Do you wish to pick your own masquerade ports
# 0 - Masquerade ALL ports, 1 - Masquerade USER specified ports
usermasquerade="1"
# Add the PORTS that you wish to masquerade
masqueradeports="80 6666 6667"
# Add the IP/NET's you wish to deny EVERYTHING from!
tcpdeny=""
# 0 - ICMP firewall OFF, 1 - ICMP Firewall ON
icmpfirewall="0"
# Add the IP/NET's you wish to accept ICMP from below
icmpaccept=""
# Add the path to your ipfwadm utility with a trailing /
ipfwadmpath="/misc/"
# ------------------- Experimental beyond this point! ------------------
# 0 - ICMP Packet Logging OFF, 1 - ICMP Packet Logging ON
icmplog="0"
# 0 - IP Forward OFF, 1 - IP Forward ON (Leave disabled if not sure)
ipforward="0"
# The IP FORWARD hosts editor is NOT COMPLETE!!
ipforwardsource="198.168.1.7/32"
ipforwarddest="192.168.1.2/32"
# -------------------------- Do not edit below here! ------------------
echo
echo
echo "** Mega Firewall Protection V2.3 By D.J. Sures (c)1997 -=STATE=-"
echo
echo "Clearing previous Firewall crap..."
$ipfwadmpath""ipfwadm -F -f
echo "Clearing previous Input crap..."
$ipfwadmpath""ipfwadm -I -f
if [ $masquerade = "1" ] ; then
if [ $usermasquerade = "0" ] ; then
for masqs in ${masqueradenet} ; do
echo "Adding Masquerade crap..."
# following line disabled so forwarding works wickity wack
#$ipfwadmpath""ipfwadm -F -p deny
echo "Enabling IP Masquerade on "$masqs
$ipfwadmpath""ipfwadm -F -a m -S$masqs -D0.0.0.0/0
done
elif [ $usermasquerade = "1" ] ; then
for port in ${masqueradeports} ; do
for masqs in ${masqueradenet} ; do
echo "Adding Masquerade crap..."
# following line disabled so forwarding works wickity wack
#$ipfwadmpath""ipfwadm -F -p deny
echo "Enabling IP Masquerade on "$masqs" for port "$port
$ipfwadmpath""ipfwadm -F -a m -P tcp -S$masqs -D0.0.0.0/0 $port
$ipfwadmpath""ipfwadm -F -a m -P udp -S$masqs -D0.0.0.0/0 $port
done
done
fi
fi
# The input chain's default policy is ACCEPT: only the ports listed above
# get filtered; every other port is reachable from any source.
echo "Adding default input to accept..."
$ipfwadmpath""ipfwadm -I -p accept
for port in ${tcpports} ; do
for trusted in ${trustedip} ; do
echo "Accepting TCP connections on port "$port" from "$trusted
$ipfwadmpath""ipfwadm -I -a accept -P tcp -S$trusted -D0.0.0.0/0 $port
done
echo "Denying remote TCP connections on port "$port
$ipfwadmpath""ipfwadm -I -a deny -P tcp -S0.0.0.0/0 -D0.0.0.0/0 $port -o
done
for port in ${udpports} ; do
for trusted in ${trustedip} ; do
echo "Accepting UDP connections on port "$port" from "$trusted
$ipfwadmpath""ipfwadm -I -a accept -P udp -S$trusted -D0.0.0.0/0 $port
done
echo "Denying UDP remote connections on port "$port
$ipfwadmpath""ipfwadm -I -a deny -P udp -S0.0.0.0/0 -D0.0.0.0/0 $port -o
done
for denies in ${tcpdeny} ; do
echo "Denying everything from "$denies
$ipfwadmpath""ipfwadm -I -a deny -P all -S$denies -D0.0.0.0/0 -o
done
if [ $icmpfirewall = "1" ] ; then
for trusts in ${icmpaccept} ; do
echo "Accepting trusted ip "$trusts" for icmp"
$ipfwadmpath""ipfwadm -I -a accept -P icmp -S$trusts -D0.0.0.0/0
done
echo "Denying All icmp..."
$ipfwadmpath""ipfwadm -I -a deny -P icmp -S0.0.0.0/0 -D0.0.0.0/0 -o
fi
if [ $icmplog = "1" ] ; then
echo "Logging all icmp"
$ipfwadmpath""ipfwadm -I -a accept -P icmp -S0.0.0.0/0 -D0.0.0.0/0 -o
fi
if [ $ipforward = "1" ] ; then
echo "Adding IP Forward to hosts..."
$ipfwadmpath""ipfwadm -F -a accept -P all -S0.0.0.0/0 -D209.115.174.222/32 -b
$ipfwadmpath""ipfwadm -F -l
fi
for port in ${localtcp} ; do
for trusted in ${trustedip} ; do
echo "Accepting TCP connections on port "$port" from "$trusted
$ipfwadmpath""ipfwadm -I -a accept -P tcp -S$trusted -D$localhost $port
done
echo "Denying remote TCP connections on port "$port
$ipfwadmpath""ipfwadm -I -a deny -P tcp -S0.0.0.0/0 -D$localhost $port -o
done
for port in ${localudp} ; do
for trusted in ${trustedip} ; do
echo "Accepting UDP connections on port "$port" from "$trusted
$ipfwadmpath""ipfwadm -I -a accept -P udp -S$trusted -D$localhost $port
done
echo "Denying remote UDP connections on port "$port
$ipfwadmpath""ipfwadm -I -a deny -P udp -S0.0.0.0/0 -D$localhost $port -o
done
echo
echo
#echo "User Define DENYs"
# $ipfwadmpath""ipfwadm -I -a deny -P tcp -S0.0.0.0/0 -D209.115.168.36/32 80 -o
#echo "Done"
echo "Loading modules..."
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_vdolive
cat /proc/modules
echo "done"
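The firewall script above builds its -I chain as, per filtered port, one accept per trusted net followed by a catch-all deny, on top of a default-accept policy. ipfwadm evaluates rules top-down and the first match wins, so the only way to know what a given packet does is to walk that order. The following is an added example, not the poster's code: it rebuilds the chain from the script's own variable values and evaluates constructed packets against it. The outside address 198.51.100.7 is a TEST-NET address chosen for the check, and the `build_input_chain`/`verdict`/`reachable_from_internet` names are this example's own.

```python
"""First-match model of the ipfwadm -I (input) chain the firewall script builds.
Added example, not the poster's code; runs with no kernel or ipfwadm present."""
import ipaddress

# Values copied from the script's "Edit these variables" block.
TCPPORTS = [137, 138, 139, 901, 1029, 1352, 6000, 9600]
UDPPORTS = [137, 138, 139]
TRUSTEDIP = ["127.0.0.0/24", "192.168.0.0/24", "192.168.3.0/24",
             "207.210.69.4/32", "209.115.168.32/29", "209.115.174.222/32"]
TCPDENY = []                       # the script's tcpdeny list (empty in the post)
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_input_chain(tcpports, udpports, trusted, tcpdeny=(), policy="accept"):
    """Append rules in the order the script does: for each filtered port, one
    accept per trusted net, then a deny from anywhere; then the blanket
    '-P all' denies for tcpdeny.  -D is 0.0.0.0/0 throughout, so the
    destination address never influences the verdict and is not modelled."""
    rules = []
    for proto, ports in (("tcp", tcpports), ("udp", udpports)):
        for port in ports:
            for net in trusted:
                rules.append(("accept", proto, ipaddress.ip_network(net), port))
            rules.append(("deny", proto, ANY, port))
    for net in tcpdeny:
        rules.append(("deny", "all", ipaddress.ip_network(net), None))
    return rules, policy


def verdict(chain, proto, src, dport):
    """ipfwadm scans top-down; the first matching rule decides.  A packet that
    matches no rule falls through to the chain policy set with -p."""
    rules, policy = chain
    src = ipaddress.ip_address(src)
    for action, rproto, rnet, rport in rules:
        proto_ok = rproto == "all" or rproto == proto
        port_ok = rport is None or rport == dport
        if proto_ok and port_ok and src in rnet:
            return action
    return policy


def reachable_from_internet(chain, ports, proto="tcp"):
    """Ports an arbitrary outside host (198.51.100.7, TEST-NET-2) still reaches;
    anything returned here is protected only by the daemon listening on it."""
    return [p for p in ports if verdict(chain, proto, "198.51.100.7", p) == "accept"]


CHAIN = build_input_chain(TCPPORTS, UDPPORTS, TRUSTEDIP, TCPDENY)

if __name__ == "__main__":
    # Services the post says run on the routers, plus two ports the script filters.
    for port in (21, 23, 25, 110, 161, 139, 1352):
        print(port, verdict(CHAIN, "tcp", "198.51.100.7", port))
```

Running it shows the split the default policy produces: 139 and 1352 are denied for the outside host and accepted for 207.210.69.4, while telnet, FTP, SMTP and POP3 are accepted from anywhere because nothing in the chain mentions them.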
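The watcher script above detects a firewall hit with `tail | grep "deny"` and mails the raw tail of the log, so the same entry re-triggers on every poll and the page carries no detail. The following is an added example, not the poster's code: it parses the kernel's `IP fw-in deny ...` entries into fields, aggregates denies per source, formats a one-line alert, and remembers what has already been reported. The log lines are constructed for the example (their layout follows the Linux 2.0 ipfwadm log message as assumed here, not a capture from the poster's router), and `parse_fw_line`, `summarize`, `new_denies` and `format_alert` are this example's names.

```python
"""Parse and de-duplicate ipfwadm DENY log entries from /var/adm/messages.
Added example, not the poster's script.  Sample lines are constructed."""
import re
from collections import defaultdict

# Assumed layout of the Linux 2.0 ipfwadm kernel message:
# "IP fw-<chain> <verdict> <dev> <proto> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.."
FW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"IP fw-(?P<chain>\w+) (?P<verdict>\S+) (?P<dev>\S+) (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)

# Constructed sample: two denies from one host, an unrelated daemon line,
# an accepted (logged) packet, and a UDP deny from a second host.
SAMPLE = """\
Nov 21 03:14:07 gate kernel: IP fw-in deny eth0 TCP 198.51.100.7:4242 209.115.174.222:139 L=44 S=0x00 I=3209 F=0x4000 T=52
Nov 21 03:14:07 gate sendmail[212]: DAA00212: from=<user@example.com>, size=1412, class=0
Nov 21 03:14:08 gate kernel: IP fw-in deny eth0 TCP 198.51.100.7:4243 209.115.174.222:1352 L=44 S=0x00 I=3210 F=0x4000 T=52
Nov 21 03:14:09 gate kernel: IP fw-in acc eth0 TCP 192.168.0.3:1025 209.115.174.222:139 L=44 S=0x00 I=77 F=0x4000 T=64
Nov 21 03:14:09 gate kernel: IP fw-in deny eth0 UDP 203.0.113.9:137 209.115.174.222:137 L=78 S=0x00 I=118 F=0x0000 T=128
"""


def parse_fw_line(line):
    """Return a dict of fields for a firewall log line, or None for anything else."""
    m = FW_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def denies(lines):
    """Only the entries the firewall actually dropped (verdict 'deny')."""
    return [r for r in map(parse_fw_line, lines) if r is not None and r["verdict"] == "deny"]


def summarize(lines):
    """source address -> (number of denies, sorted distinct destination ports)."""
    ports = defaultdict(list)
    for r in denies(lines):
        ports[r["src"]].append(r["dport"])
    return {src: (len(p), sorted(set(p))) for src, p in ports.items()}


def new_denies(lines, seen):
    """Denies not reported on an earlier poll.  `seen` holds the raw lines
    already alerted on and is updated, so a polling loop pages once per entry."""
    fresh = []
    for line in lines:
        rec = parse_fw_line(line)
        if rec is None or rec["verdict"] != "deny":
            continue
        key = line.strip()
        if key in seen:
            continue
        seen.add(key)
        fresh.append(rec)
    return fresh


def format_alert(rec):
    """One line suitable for a mail subject or pager text."""
    return (f"DENY {rec['proto']} {rec['src']}:{rec['sport']} -> "
            f"{rec['dst']}:{rec['dport']} via {rec['dev']} (fw-{rec['chain']})")


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    seen = set()
    for rec in new_denies(lines, seen):
        print(format_alert(rec))
    print(summarize(lines))
    print("second poll:", new_denies(lines, seen))   # nothing new
```

In the watcher loop, `seen` would persist across iterations and `lines` would come from `tail /var/adm/messages`; the second `new_denies` call returning an empty list is the behaviour the original script lacks.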
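The post describes a mail-driven scheme for dynamic IPs: a user mails username, password and port, the firewall opens that port for the sender's address, and a later mail closes it. The following is an added example of that flow, not the poster's scripts or Win32 interface. Everything about the request is hypothetical (the one-line body format, the user table, the 8-hour TTL, the `GRANTABLE` port set, the `handle_request`/`expire` names); the sender's dynamic address is assumed to have been taken from the mail's Received: header by the caller, and commands are returned as strings rather than run, so the logic can be exercised without root or ipfwadm. Two points a practitioner would want: the grant is inserted with `-i`, because the firewall script appends its per-port denies and ipfwadm is first-match, so an appended accept would never be reached; and grants carry an expiry so a lost "close" mail does not leave the port open indefinitely.

```python
"""Mail-driven dynamic-IP port grant with expiry.  Added example, not the
poster's code; request format, user table, TTL and helper names are hypothetical."""
import hashlib
import hmac
import os
import re
import time

GRANTABLE = {139, 1352, 6000}    # assumed: subset of the script's tcpports users may request
TTL = 8 * 3600                   # assumed: a grant lapses after 8 h even without a "close" mail
ROUNDS = 100_000                 # PBKDF2 iterations


def make_user(password, salt=None):
    """Store only a salted PBKDF2 hash; the mailed password is never kept."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return {"salt": salt, "hash": digest}


def check_password(user, password):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], ROUNDS)
    return hmac.compare_digest(cand, user["hash"])      # constant-time comparison


# Hypothetical one-line request body: "<open|close> <user> <password> <port>"
REQ_RE = re.compile(r"^(open|close)\s+(\w+)\s+(\S+)\s+(\d+)\s*$", re.M)


def accept_rule(ip, port):
    # -i inserts at the head of the input chain.  The firewall script *appends*
    # a deny for each filtered port and ipfwadm is first-match, so an accept
    # appended with -a would sit behind that deny and never fire.
    return f"ipfwadm -I -i accept -P tcp -S{ip}/32 -D0.0.0.0/0 {port}"


def delete_rule(ip, port):
    # -d removes the rule whose parameters match exactly what was inserted.
    return f"ipfwadm -I -d accept -P tcp -S{ip}/32 -D0.0.0.0/0 {port}"


def handle_request(body, sender_ip, users, grants, now=None):
    """Validate a mailed request and return the ipfwadm command to run, or None.
    grants maps (ip, port) -> expiry epoch and is updated in place."""
    now = time.time() if now is None else now
    m = REQ_RE.search(body)
    if m is None:
        return None
    action, name, password, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
    user = users.get(name)
    if user is None or not check_password(user, password) or port not in GRANTABLE:
        return None
    key = (sender_ip, port)
    if action == "open":
        grants[key] = now + TTL
        return accept_rule(sender_ip, port)
    if key in grants:                      # "close" for a grant we actually made
        del grants[key]
        return delete_rule(sender_ip, port)
    return None


def expire(grants, now=None):
    """Delete commands for every grant whose TTL has passed; drops them from grants."""
    now = time.time() if now is None else now
    cmds = []
    for (ip, port), deadline in sorted(grants.items()):
        if deadline <= now:
            cmds.append(delete_rule(ip, port))
            del grants[(ip, port)]
    return cmds


if __name__ == "__main__":
    users = {"dj": make_user("s3cret")}
    grants = {}
    print(handle_request("open dj s3cret 1352", "198.51.100.7", users, grants))
    print(handle_request("open dj wrong 1352", "198.51.100.7", users, grants))   # None
    print(expire(grants, now=time.time() + TTL))
```

A cron job calling `expire()` every few minutes, and a mail filter feeding `handle_request()` the body and the sender's address, would complete the loop; the commands it returns are the ones the poster's firewall script would otherwise need a hand-edit to produce.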