Friday, May 30, 2008

Welcome to the new home of www.joe-ma.co.za

Hi all
I have moved all the content over to blogspot, in the hope of adding more features and getting the access speed up.
All the articles are here including the most popular ones like Cisco DynDNS config and Cisco Static DHCP.

All of them are waiting for you folks to go check out.
I hope these How-Tos are going to help you.
Please check the "Blog Archive" on the left side of the screen for all the articles, or check the right side for the Labels. In the Label box you will see tags like Cisco, Dynamic DNS, Rancid, Tacacs+, FreeBSD, etc.

I will be moving the www.joe-ma.co.za domain over to blogspot in the next 2 months or so.

Tuesday, May 13, 2008

Configuring FreeBSD Postfix Mailscanner and Mailwatch

Configuring Mailscanner Mailwatch and Postfix for FreeBSD

The Install guide is here

I have split the install guide and the configuration guide as they are pretty involved and might cause confusion if they were put together. I will start off with the easier stuff like clamav, then move on to spamassassin and postfix, and then finally to mailscanner and mailwatch.

If you have not already read the Install Guide, which might be helpful to newcomers, here is a summary of what has been installed.

Apache and php - this is for the Mailwatch web frontend.
Mysql - This is where mailscanner will log info and where your black and white lists will live.
Mailwatch - Mailwatch is the web front end to help monitor and manage Mailscanner.
Spamassassin - This is the system that checks the mail content looking for spam.
Clamav - the Antivirus scanner that Mailscanner will use
Mailscanner - The server that uses all of the above to keep your mail clean and spam free.

Ok now that that is over:

Configuring Clamav

To configure clamav, cd /usr/local/etc/
You will see 2 files, clamd.conf and freshclam.conf. You can leave them as default if you like, but have a look at the files: you will see a few handy options, including logging and setting the virus update frequency.

To set freshclam to check for updates every hour
vi freshclam.conf

# Number of database checks per day.
# Default: 12 (every two hours)
Checks 24

here are some other handy options
# Log time with each message.
# Default: no
LogTime yes

# Enable verbose logging.
# Default: no
LogVerbose yes

# Use system logger (can work together with UpdateLogFile).
# Default: no
LogSyslog yes

Once you are happy with what you have configured, save the file and vi /usr/local/etc/clamd.conf

Once again you can leave it as default, but I would suggest maybe looking at some of the logging options.
# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes

Spamassassin (sa-spamd)
You can leave this as is with no real changes whatsoever. You can tweak it if you like or add new rules. One thing I would suggest is to have a daily cronjob that runs sa-update (or sa-update --nogpg) to update the rules.

The mail config files for spamassassin are in /usr/local/etc/mail/spamassassin on FreeBSD,
and the rule files are in /usr/local/share/spamassassin.

Postfix Configuration

I am assuming that you have at least the basic postfix know-how, although I will be adding a Postfix How-To at a later stage.

vi /usr/local/etc/postfix/main.cf

and add these lines

unknown_local_recipient_reject_code = 550

If your server does not know who the mail should be for then it's pointless keeping the mail and trying again later, which is what a 450 would do, although a 450 is probably good for testing initially.

bounce_notice_recipient = postmaster@yourdomain.com

Only add this if you want the usual postmaster notifications. Although you will get a fair amount of useless mail, it's something that can help you detect a problem before others do.

bounce_queue_lifetime = 2d

If you do bounce a message back to notify someone that a particular address does not exist, it will keep that notification for 2 days before discarding it. Remember, chances are 80% of the mail you get will be SPAM and you don't want to clog up your queues with undeliverable mail.


relay_domains = /usr/local/etc/postfix/relay_domains

These are the domains that you allow to relay, i.e. your domains or your clients' domains.
To add domains to the relay_domains file:
cd /usr/local/etc/postfix
vi relay_domains and add domain.com, domain2.com, domain3.com, domain4.com etc. I find it seems to work best as 1 line rather than, say:
domain.com,
domain2.com,
domain3.com,
domain4.com

Once you save the file, type in postmap relay_domains
You will now see a relay_domains and a relay_domains.db

transport_maps = hash:/usr/local/etc/postfix/transport

This is where the mail should go if it's not local to the server. In this case the mailserver is a gateway, so no mail is local to it at all.
To edit and add domains and mail servers here, cd /usr/local/etc/postfix
then vi transport
and add a domain and the server the mail for that domain should go to, one per line, as below:

domain1.com smtp:[mail.domain1.com]
domain2.com smtp:[mail.domain2.com]
domain3.com smtp:[mail.domain3.com]
domain4.com smtp:[mail.domain4.com]

Once again postmap the file.
postmap transport

header_checks = regexp:/usr/local/etc/postfix/header_checks
hash_queue_depth = 2
hash_queue_names = incoming, hold, defer, deferred

These 3 are pretty much all related and have to do with how mailscanner handles mail.
Effectively a mail arrives and is put into the hold queue, then mailscanner scans the mail for spam or virus content, then it is released.

defer and deferred are wait queues for delivery,
and incoming is both an in and an out queue in this case, from what I can recall: basically active mail coming into the system or leaving the system.

vi header_checks
and simply add this

/^Received:/ HOLD

and write the file.

All this does is take a new "Received" mail and put it in the hold queue.
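Before starting Postfix it is worth checking that the three files above agree with each other. The script below is an added example (not from the original post and not part of Postfix) that parses relay_domains, transport and header_checks in the layout shown above and reports a relay domain with no transport entry, a next-hop written without [] (Postfix then does an MX lookup instead of delivering to the named host), a transport domain missing from relay_domains, and a missing HOLD rule. The sample file contents are constructed; domain3.com and domain4.com are deliberately wrong so there is something to report.

```python
"""Consistency check for the Postfix gateway maps (added example, not the
post's own tooling). Sample file contents are constructed inline."""
import re

# Constructed samples in the layout the post recommends. domain3.com and
# domain4.com are deliberately wrong so the check has something to report.
RELAY_DOMAINS = "domain1.com, domain2.com, domain3.com, domain4.com\n"
TRANSPORT = """\
domain1.com smtp:[mail.domain1.com]
domain2.com smtp:[mail.domain2.com]
domain3.com smtp:mail.domain3.com
"""
HEADER_CHECKS = "/^Received:/ HOLD\n"


def parse_relay_domains(text):
    """Return the set of domains; commas and/or whitespace separate entries."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # Postfix treats # as a comment
        for item in re.split(r"[,\s]+", line):
            if item:
                domains.add(item.lower())
    return domains


def parse_transport(text):
    """Return {domain: (method, nexthop)} from a transport map."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)            # key, then the rest of the line
        if len(parts) != 2:
            continue
        method, _, nexthop = parts[1].strip().partition(":")
        entries[parts[0].lower()] = (method, nexthop)
    return entries


def check_gateway_maps(relay_text, transport_text, header_checks_text):
    """Return a list of problems; an empty list means the maps are consistent."""
    problems = []
    relay = parse_relay_domains(relay_text)
    transport = parse_transport(transport_text)
    # A relayed domain without a transport entry falls back to MX delivery,
    # which on a gateway that is itself the MX would loop the mail back.
    for domain in sorted(relay - set(transport)):
        problems.append("relay domain %s has no transport entry" % domain)
    for domain, (method, nexthop) in sorted(transport.items()):
        if method != "smtp":
            problems.append("%s uses transport %r, expected smtp" % (domain, method))
        elif not (nexthop.startswith("[") and nexthop.endswith("]")):
            problems.append("%s next-hop %s is not in []; Postfix will do an MX lookup"
                            % (domain, nexthop))
        if domain not in relay:
            # Not in relay_domains: the default reject_unauth_destination
            # restriction refuses the recipient ("Relay access denied").
            problems.append("transport domain %s is not in relay_domains" % domain)
    hold_rule = re.compile(r"^/\^Received:/\s+HOLD\s*$", re.M)
    if not hold_rule.search(header_checks_text):
        problems.append("header_checks lacks the '/^Received:/ HOLD' rule; "
                        "MailScanner will never see the mail")
    return problems


if __name__ == "__main__":
    for problem in check_gateway_maps(RELAY_DOMAINS, TRANSPORT, HEADER_CHECKS):
        print(problem)
```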

As a part of the mailscanner postfix config you have to create your MailScanner queue directories
cd /var/spool
mkdir MailScanner
mkdir MailScanner/incoming
mkdir MailScanner/quarantine
mkdir MailScanner/spamassassin

Then set the permissions
As with most things Unix, permissions are pretty important.

chown root:daemon /var/spool/MailScanner
chown postfix:wheel /var/spool/MailScanner/incoming
chown root:www /var/spool/MailScanner/quarantine
chown postfix:postfix /var/spool/MailScanner/spamassassin

Mailscanner

cd /usr/local/etc/MailScanner
cp MailScanner.conf.sample MailScanner.conf
vi MailScanner.conf
and check the config in there. There are a few things you will have to change, but most of it can be left as default, at least until you are ready to start adding custom configs. The file is pretty well documented.

Some of the things you must change in MailScanner.conf (entries are examples):
%org-name% = My Company Name

%org-long-name% = My Company Name

%web-site% = www.mycompany.com

%etc-dir% = /usr/local/etc/MailScanner

Just check the Paths:

%report-dir% = /usr/local/share/MailScanner/reports/en
%rules-dir% = /usr/local/etc/MailScanner/rules
%mcp-dir% = /usr/local/etc/MailScanner/mcp

More things that must change

Run As User = postfix
Run As Group = postfix

Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine

MTA = postfix

Sendmail2 = /usr/sbin/sendmail

Incoming Work User = postfix
Incoming Work Group = wheel
Incoming Work Permissions = 0750
Quarantine User = root
Quarantine Group = www # set to www because of Mailwatch
Quarantine Permissions = 0660

Most of the stuff below this is really just defaults. I would suggest that you check paths etc. to confirm that everything is there and in place.

When you are ready to start testing, make sure that you tail the mail logs as it will help you to find any problems. The errors you see should be pretty straightforward and will probably be related to incorrect directories or file permissions.

You might want to use Mailwatch's custom Black and White Lists; see below.

Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist
and further down the config file
Always Looked Up Last = &MailWatchLogging

Be sure to check Spamassassin directories in MailScanner.conf
e.g.
SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin User State Dir = /usr/local/share/spamassassin
SpamAssassin Install Prefix = /usr/local/share/spamassassin
SpamAssassin Site Rules Dir = /usr/local/share/spamassassin
SpamAssassin Local Rules Dir = /usr/local/etc/mail/spamassassin
SpamAssassin Default Rules Dir = /usr/local/share/spamassassin

Check the Subject changes as well. Here is an example:
Scanned Modify Subject = no # end
Scanned Subject Text = {Scanned}

If set to yes, when mail arrives it will have a subject of "{Scanned} original subject."

You can also set your level of spam rules
Required SpamAssassin Score = 4
If it's higher than a 4 it's classified as spam
High SpamAssassin Score = 6
If it's higher than a 6 it's high scoring spam

You can also set up Bayes (the Bayesian engine) in the /usr/local/etc/MailScanner directory:
vi spam.assassin.prefs.conf and check the following lines

Go here to get the Starter Bayes database

You are probably using Spamassassin version 3, so download Bayes Starter DB (FreeBSD SA 3.0)

Bayesian Filtering
use_bayes 1
bayes_path /usr/local/etc/MailScanner/bayes/bayes # be sure to create these directories and set the permissions.

bayes_file_mode 0660
# Set to 0 to disable bayes autolearn
bayes_auto_learn 1
# Change X-YOURDOMAIN-COM to match your %org-name% as
# set in MailScanner.conf

bayes_ignore_header Yourdomain-MailScanner
bayes_ignore_header Yourdomain-MailScanner-SpamCheck
bayes_ignore_header Yourdomain-MailScanner-SpamScore
bayes_ignore_header Yourdomain-MailScanner-Information


Mailwatch
Now that you have set up everything else, we will set up Mailwatch, the web frontend.

You have already downloaded it and extracted the file and moved it to the apache working directory, in this case /usr/local/www/mailwatch

Before you start, check the INSTALL file for the php4 settings that you have to change.
By default installing php4 or 5 on FreeBSD does not create a php.ini file, although there will be a php.ini-dist and php.ini-recommended in /usr/local/etc/

Simply cp php.ini-dist php.ini and change the following if they are different.
short_open_tag = On
safe_mode = Off
register_globals = Off
magic_quotes_gpc = On
magic_quotes_runtime = Off
session.auto_start = 0

If you have not already started the mysql server then go ahead and start it now:
/usr/local/etc/rc.d/mysql-server start
Then, in the mailwatch directory, type in the following:
mysql> GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY 'password';
mysql> GRANT FILE ON *.* TO mailwatch@localhost IDENTIFIED BY 'password';
mysql> FLUSH PRIVILEGES;

then quit.
Now you set up the Mailwatch Web Admin user; you can log in with the details you supplied above.
# mysql mailscanner -u mailwatch -p
Enter password: ******
mysql> INSERT INTO users VALUES ('admin',md5('adminpassword'),'Admin','A','0','0','0','0','0');
press enter, then quit.

Now go ahead and edit MailWatch.pm and SQLBlackWhiteList.pm and change the $db_user and $db_pass values accordingly, then copy MailWatch.pm and SQLBlackWhiteList.pm to /usr/local/lib/MailScanner/MailScanner/CustomFunctions
cp MailWatch.pm /usr/local/lib/MailScanner/MailScanner/CustomFunctions/
cp SQLBlackWhiteList.pm /usr/local/lib/MailScanner/MailScanner/CustomFunctions/

MailWatch.pm is in your Apache working directory.

OK, now cd to /usr/local/www/mailwatch/mailscanner
Now you have to chmod and chown the images and images/cache directories so that the web server user can write to them (on FreeBSD httpd runs as www, as the lsof output in the install guide shows):
chown root:www images
chown root:www images/cache
chmod 775 images
chmod 775 images/cache

Then copy conf.php.example to conf.php and edit it.
Be sure to change the following to whatever you set above.

define(DB_TYPE, 'mysql');
define(DB_USER, 'mailwatch');
define(DB_PASS, 'mailwatchpassword');
define(DB_HOST, 'localhost');
define(DB_NAME, 'mailscanner');

Check your paths in the conf.php file:
// Paths
define(MAILWATCH_HOME, '/usr/local/www/data-dist/mailwatch/mailscanner');
define(MS_CONFIG_DIR, '/usr/local/etc/MailScanner/');
define(MS_LIB_DIR, '/usr/local/lib/MailScanner/');
define(CACHE_DIR, './images/cache/'); // JpGraph cache
define(TTF_DIR,'./jpgraph/fonts/'); // JpGraph fonts
define(SA_DIR,'/usr/local/bin/');
define(SA_RULES_DIR, '/usr/local/share/spamassassin/');
define(SA_PREFS, MS_CONFIG_DIR.'spam.assassin.prefs.conf');
define(FPDF_FONTPATH,'./fpdf/font/');

You can also set how long to keep messages in the Quarantine.
define(QUARANTINE_USE_FLAG, true);
define(QUARANTINE_DAYS_TO_KEEP, 7);

There are a lot of other settings you can change; more info can be seen here

Now all you have to do is set up apache.

Then start all the services, tail the maillog file and check if there are any errors.

tail -f /var/log/maillog

If you get an error like this:
Could not use Custom Function code MailScanner::CustomConfig::InitSQLWhitelist, it could not be "eval"ed. Make sure the module is correct with perl -wc

then run
perl -MStorable -MDBI -MDBD::mysql -e 'print "OK\n";'
You will probably get this output:

Can't locate DBD/mysql.pm in @INC (@INC contains: /usr/local/lib/perl5/5.8.8/BSDPAN /usr/local/lib/perl5/site_perl/5.8.8/mach /usr/local/lib/perl5/site_perl/5.8.8 /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/5.8.8/mach /usr/local/lib/perl5/5.8.8 .).
BEGIN failed--compilation aborted.

If so, cd /usr/ports/databases/p5-DBD-mysql
make install clean
then run
perl -MStorable -MDBI -MDBD::mysql -e 'print "OK\n";'
If all is OK you will see an OK

To test you can simply send a message, i.e.
telnet 192.168.1.46 25
Trying 192.168.1.46...
Connected to 192.168.1.46.
Escape character is '^]'.
220 mailav01.test.com ESMTP Postfix (2.5.1)
ehlo mail.test.com
250-mailav01.test.com
250-PIPELINING
250-SIZE 512000000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:
250 2.1.0 Ok
rcpt to:
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
test mail.
.
250 2.0.0 Ok: queued as 6CCCB5AF06E
quit
221 2.0.0 Bye
Connection closed by foreign host.

If all goes well you will see no errors and you should get your mail.
Also check here for FreeBSD tips regarding Mailwatch

Monday, May 12, 2008

FreeBSD, Postfix, Mailscanner and Mailwatch Installation

Installing postfix, mailscanner and mailwatch on FreeBSD

I have set up a number of servers using mailscanner and postfix to do antispam and antivirus checking. This particular example will show you how to set the server up as a mail gateway, i.e. all inbound and outbound mail will go via this server. You can also use the server as a pop3/imap4 server, and doing so does make life a little easier as you don't have to worry about the transport and relay_hosts files. At a later stage I will show that info too..... when I get a chance.
This may seem strange, but as there is quite a bit involved in installing and configuring, I am splitting this into two How-To's: this one, the install How-To, and the configuration How-To.

First off, it's probably best to start on a new install of FreeBSD, once you have done the initial portsnap fetch and portsnap extract.

Right here we go.

Two things you might want to do are force your NIC to 100MB full duplex and install lsof.

Type in ifconfig
and check if the ethernet interface is running at 100 Full-Duplex or Half-Duplex. You can force 100 Full-Duplex by editing your /etc/rc.conf file;
here is an example:

ifconfig_em0="inet 192.168.1.46 netmask 255.255.252.0 media 100baseTX mediaopt full-duplex"

cd /usr/ports/sysutils/lsof
make install clean

You can use lsof -i to check what is running and what ports are used.
Here is an example:
# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 262 root 16u IPv4 0xc5d15000 0t0 TCP *:http (LISTEN)
httpd 263 www 16u IPv4 0xc5d15000 0t0 TCP *:http (LISTEN)
httpd 264 www 16u IPv4 0xc5d15000 0t0 TCP *:http (LISTEN)
syslogd 491 root 6u IPv6 0xc568c000 0t0 UDP *:syslog
syslogd 491 root 7u IPv4 0xc568bec4 0t0 UDP *:syslog
sshd 612 root 3u IPv6 0xc57b4000 0t0 TCP *:ssh (LISTEN)
sshd 612 root 4u IPv4 0xc57b3cb0 0t0 TCP *:ssh (LISTEN)


Install Apache:
You are going to need this for Mailwatch

cd /usr/ports/www/apache13
make install clean

Once installed, edit rc.d and rc.conf

vi /etc/rc.conf
add the following line
apache_enable="YES"

In theory you should not have to worry about changing the NO to a YES in /usr/local/etc/rc.d, but I have run into issues in the past where setting /etc/rc.conf still does not start the service.
vi /usr/local/etc/rc.d/apache
look for
apache_enable=${apache_enable-"NO"}
and change it to
apache_enable=${apache_enable-"YES"}

Then install php4
cd /usr/ports/lang/php4
make install clean
Select the apache module if it's not selected already.

Then you install MySQL Server 5.0 (this is also used for Mailscanner and Mailwatch)

cd /usr/ports/databases/mysql50-server
make install clean
You should not have to make any changes; a default config should be fine as is.
Once you have installed mysql, edit rc.d and rc.conf.

vi /etc/rc.conf
and add
mysql_enable="YES"

then vi /usr/local/etc/rc.d/mysql-server
and change
: ${mysql_enable="NO"}
to
: ${mysql_enable="YES"}


Postfix
Postfix is the MTA that will accept the mail and push it on to the next server once mailscanner has processed it all.

cd /usr/ports/mail/postfix
make install clean

Depending on what you want to do you just have to select the following; you can of course add SASL or MySQL and others if you want to use mysql maps or have SMTP authentication. In this example we are foregoing all that as it's just a gateway.


During the postfix install you will see this pop up in the console screen:

Added group "postfix".
Added group "maildrop".
Added user "postfix".
You need user "postfix" added to group "mail".
Would you like me to add it [y]?

Press y and enter; the install will continue.

Would you like to activate Postfix in /etc/mail/mailer.conf [n]?
Now you press n and enter; once again the install will continue.

If you choose to completely disable sendmail (see the rc.conf info below), then you can choose y; see below for details.
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
sendmail /usr/libexec/sendmail/sendmail
send-mail /usr/libexec/sendmail/sendmail
mailq /usr/libexec/sendmail/sendmail
newaliases /usr/libexec/sendmail/sendmail
hoststat /usr/libexec/sendmail/sendmail
purgestat /usr/libexec/sendmail/sendmail

You see that the mailer is /usr/libexec <<<< this is the base system; also notice the remark: Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail

When you enter y, your mailer.conf file will look like:

#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail /usr/local/sbin/sendmail
send-mail /usr/local/sbin/sendmail
mailq /usr/local/sbin/sendmail
newaliases /usr/local/sbin/sendmail

These are the postfix executables (notice the remark: Execute the Postfix sendmail program, named /usr/local/sbin/sendmail)

Now you edit the rc.conf and rc.d files again

vi /etc/rc.conf
and add the below
postfix_enable="YES"
sendmail_enable="NONE"

If you want to make sure that sendmail is completely disabled then also do the following
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

Also create a file /etc/periodic.conf containing the following

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

then vi /usr/local/etc/rc.d/postfix
and change from
: ${postfix_enable="NO"}
to
: ${postfix_enable="YES"}

If you like you can go ahead and edit the alias file for postfix: vi /etc/aliases

Where it says root: me, change it to your address or an alias like networks@yourdomain.com.
Of course you can leave it as it is, but either way run postalias /etc/aliases so that it can create the aliases.db file; without this you will have issues getting postfix started and accepting mail.

Installing Mailscanner

Now you can go ahead and install mailscanner.
Mailscanner is a brilliant open source AntiSpam and Antivirus server that is as close to commercial offerings like MailMarshal and others as I have seen. If you use and like mailscanner you really should consider making a donation.

cd /usr/ports/mail/mailscanner
make install clean


Next you will see this message while Mailscanner is compiling:

*************************************************************************
/bin/ln -s /usr/local/etc/MailScanner/spam.assassin.prefs.conf /usr/local/etc/mail/spamassassin/mailscanner.cf
# Display warning about new start/stop scripts
*************************************************************************

ATTENTION
The MailScanner port uses new start/stop scripts according to rc.subr
standard. Your old scripts will be overwritten after you press ENTER.
To start mailscanner and your mta, please put the correct statements in
your rc.conf. For examples/syntax please look at mailscanner.sh and
mta.sh in your rc.d directory.

Please: Also have a look at CHANGES.port in your MailScanner
doc dir (see above).

*************************************************************************
Press ENTER to continue...

Now, before you go off and press Enter, scroll up in the session / console and you will see this:

make renew-wrapper
make renew-autoupdate
make renew-reports

Just copy the text and hit ENTER as it says and wait till mailscanner is installed,
or you can do the following:

While mailscanner is building you can open another console or session to the server. If you have local access you can use ALT-F1 or just ssh to the server again, or of course you can wait till it's done and run the below commands afterwards.

Once you are connected to a different console / session, cd to the mailscanner port directory again
cd /usr/ports/mail/mailscanner

and paste
make renew-wrapper
make renew-autoupdate
make renew-reports

Then in the original session / console just hit Enter as it says.

OK, cd to /usr/local/etc/rc.d

After mailscanner is installed you should have the following:
clamav-freshclam
Freshclam will check to see if there are new virus pattern updates and download them on an hourly or daily basis. In the configuration How-To I will show you what to edit.
vi clamav-freshclam
and change
: ${clamav_freshclam_enable="NO"}
to
: ${clamav_freshclam_enable="YES"}

then add
clamav_freshclam_enable="YES" to /etc/rc.conf

clamav-clamd
Clamav is the actual Anti Virus scanner. When mail enters the queue we will check a number of things including RBL's (real time blacklists) and then the message will be scanned for viruses.

vi clamav-clamd
and change
: ${clamav_clamd_enable="NO"}
to
: ${clamav_clamd_enable="YES"}

then add clamav_clamd_enable="YES" to /etc/rc.conf


mta
You can leave mta as is, as the postfix startup file has already been sorted out.


sa-spamd

Sa-spamd is the spamassassin daemon that runs with mailscanner. It will check the message for various indicators and score them; if a mail has a score higher than, say, 4 the message will be sent to a quarantine.

vi sa-spamd
and change
: ${spamd_enable:="NO"}

to
: ${spamd_enable:="YES"}

and add
spamd_enable="YES" to /etc/rc.conf


mailscanner

Mailscanner is what basically runs and coordinates all of the above, spamd, clamav etc.

vi mailscanner
and change
: ${mailscanner_enable="NO"}
to
: ${mailscanner_enable="YES"}

and add mailscanner_enable="YES" to /etc/rc.conf

Your rc.conf file should look like this now:

defaultrouter="192.168.0.1"
hostname="mailav01.yourdomain.com"
ifconfig_em0="inet 192.168.1.4 netmask 255.255.255.0 media 100baseTX mediaopt full-duplex"
sendmail_enable="NONE"
sshd_enable="YES"
apache_enable="YES"
mysql_enable="YES"
clamav_freshclam_enable="YES"
clamav_clamd_enable="YES"
spamd_enable="YES"
mailscanner_enable="YES"
postfix_enable="YES"

If you installed FreeBSD using the default install and chose the auto option to set up your partitions, you would see that your /var directory / partition is pretty small, and trust me, you can easily rack up a database in the GBs, not to mention huge log files, and
the default path of mysql is /var/db/mysql.

So you might want to do this:
create a dir /usr/local/var/db and put the following line in your /etc/rc.conf

mysql_dbdir="/usr/local/var/db/mysql"

Now the database location is on the /usr partition, which is much bigger on a default install of FreeBSD.

Lastly we install Mailwatch.
You can follow the above link and download the file,
or you can use wget from your server. For some reason there is no FreeBSD port, or not that I have seen.

cd to a place where you want to download the file to,
i.e.
cd /root/download
wget http://switch.dl.sourceforge.net/sourceforge/mailwatch/mailwatch-1.0.4.tar.gz
Once it's downloaded:
tar xvfz mailwatch-1.0.4.tar.gz
then
mv mailwatch-1.0.4 mailwatch
mv mailwatch /usr/local/www/

That's it for now.
Check out the configuration guide if you need assistance to configure.

Wednesday, May 7, 2008

Logging to syslog-ng on FreeBSD

Logging Cisco devices to syslog on FreeBSD

Overview
What we are going to do here is get a FreeBSD server up and running with syslog-ng, so that we can log information from our Cisco devices to it. This How-To will be pretty detailed and we will be logging data from Cisco routers, switches and Cisco PIX firewalls. We are going to get the syslog-ng daemon to create the log files automatically and to log to a new file each day, with a date stamp in the file name.

Installation

This is probably the easiest part.
All you have to do is "cd /usr/ports/sysutils/syslog-ng" and run "make install clean".
Now that the port is installed you can edit the syslog-ng startup script to change the following line from NO to YES:

: ${syslog_ng_enable:="NO"}
: ${syslog_ng_enable:="YES"}

Save the file, then edit your /etc/rc.conf file and add syslog_ng_enable="YES" and also add syslogd_enable="NO"; this will stop the syslogd that comes with FreeBSD.
Don't bother starting the service yet.

Configuring the Cisco Devices

NB: Commands might change depending on your IOS version

Cisco PIX firewalls (This is for Version 6.3)
Let's assume that the syslog server has an IP address of 192.168.2.5 and that the server is on the INSIDE interface. In general syslog information should be logged to something with a higher security level like the INSIDE interface or a DMZ interface. To keep things simple we will use the INSIDE interface; depending on your configuration you might have to adjust some of your firewall rules.

logging on
logging timestamp
logging standby
logging buffered debugging
logging trap debugging
logging host INSIDE 192.168.2.5

Cisco Switches
Make sure that the switch can communicate with the syslog server.
!
logging trap debugging
logging facility local6
logging 192.168.2.5
!
There are various logging facility options, local0 to local7; each one will give you a different level of logging.

Cisco Routers
Once again make sure that the router can see the syslog server. In this example the router can communicate with the syslog server via Loopback 0.
logging trap debugging
logging facility local6
logging source-interface Loopback0
logging 192.168.2.5

Configuring the syslog server

By default syslog-ng puts its config file in "/usr/local/etc/syslog-ng". You should see a file called syslog-ng.conf.sample; you can simply "cp syslog-ng.conf.sample syslog-ng.conf".

The file is broken up into a few sections:

Destination: This is where the data will be logged.
Log level filters: This is where you define the filter of the host.
Program filters: This is your last step in the file; this just matches everything up.

#
# destinations
#
destination the-pix { file("/var/log/MEXCOM/FIREWALLS/MEXCOM-PIX/mexcom-pix-$YEAR$MONTH$DAY.log"); };
destination the-sw { file("/var/log/MEXCOM/SWITCHES/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0644) create_dirs(yes)); };
destination the-rtr { file("/var/log/MEXCOM/ROUTERS/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0644) create_dirs(yes)); };
#
# log level filters
#
filter f_the-pix {host(the-pix); };
filter f_the-sw {host(the-sw); };
filter f_the-rtr {host(the-rtr); };

Then in program filters:

#
# Firewalls
#
log { source(src); filter(f_the-pix); destination(the-pix); flags(final); };
#
# Switches
#
log { source(src); filter(f_the-sw); destination(the-sw); flags(final); };
#
# Routers
#
log { source(src); filter(f_the-rtr); destination(the-rtr); flags(final); };

OK, start up syslog-ng: "/usr/local/etc/rc.d/syslog-ng start"

The above shows how we match the filter, or rather we are matching the hostname that the data is coming from. We have allocated a destination for it, i.e. the-sw, and we are telling it that this log is final; this will stop any other log statements picking up information relevant to this particular device.

The ordering of the program filters is something to take note of. It really is a filter working from the top down, so if some stuff is being logged and not others, or some data is being logged to the wrong file, just check the flow of the filters through the file.
By default practically everything that is not logged to a specified file will log to your messages file, so if your firewalls, switches and routers or anything else are not being logged you can just use tail ("tail -f /var/log/messages") and tweak your config from there. In most cases it is just that the filter host is not being resolved, so double check the filter host and the content of your /etc/hosts file.

Remember that after any changes you will need to restart syslog-ng using the startup script:
"/usr/local/etc/rc.d/syslog-ng restart"
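A quick way to catch the two problems just described (a filter host that does not resolve, and messages landing in the wrong file because of statement order) is to dry-run the config. The Python script below is an added example, not part of the original post or of syslog-ng itself: it parses the destination, filter and log statements in the layout used above, lists host() names that an /etc/hosts-style file cannot resolve, and shows which file a message from a given sender IP would be written to, walking the log statements top-down and honouring flags(final). The /etc/hosts content is constructed (the-rtr is deliberately missing), and the fall-through to /var/log/messages is assumed from the post's description.

```python
"""Host-filter check and routing dry run for a syslog-ng config (added
example, not the post's own tooling). Macros handled: $HOST $YEAR $MONTH $DAY."""
import re
from datetime import date

# The post's destinations, filters and log statements (other sections of a
# real syslog-ng.conf, such as source(src), are not needed for this check).
SYSLOG_NG_CONF = """\
destination the-pix { file("/var/log/MEXCOM/FIREWALLS/MEXCOM-PIX/mexcom-pix-$YEAR$MONTH$DAY.log"); };
destination the-sw { file("/var/log/MEXCOM/SWITCHES/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0644) create_dirs(yes)); };
destination the-rtr { file("/var/log/MEXCOM/ROUTERS/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0644) create_dirs(yes)); };
filter f_the-pix {host(the-pix); };
filter f_the-sw {host(the-sw); };
filter f_the-rtr {host(the-rtr); };
log { source(src); filter(f_the-pix); destination(the-pix); flags(final); };
log { source(src); filter(f_the-sw); destination(the-sw); flags(final); };
log { source(src); filter(f_the-rtr); destination(the-rtr); flags(final); };
"""

# Constructed /etc/hosts; the-rtr is deliberately missing.
HOSTS = """\
127.0.0.1   localhost
192.168.2.1 the-pix
192.168.2.2 the-sw
"""

FALLBACK = "/var/log/messages"   # assumed catch-all for unmatched hosts

_FILTER = re.compile(r'filter\s+(\S+)\s*\{\s*host\(\s*"?([^")\s]+)"?\s*\)')
_DEST = re.compile(r'destination\s+(\S+)\s*\{\s*file\(\s*"([^"]+)"')
_LOG = re.compile(r'^log\s*\{([^}]*)\}', re.M)


def parse_conf(conf):
    """Return (filters {name: host}, destinations {name: path}, log statements)."""
    filters = dict(_FILTER.findall(conf))
    dests = dict(_DEST.findall(conf))
    logs = []
    for body in _LOG.findall(conf):
        flt = re.search(r'filter\(([^)]+)\)', body)
        dst = re.search(r'destination\(([^)]+)\)', body)
        final = 'flags(final)' in body.replace(' ', '')
        if flt and dst:
            logs.append((flt.group(1), dst.group(1), final))
    return filters, dests, logs


def parse_hosts(text):
    """Return {ip: first name} from /etc/hosts-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1]
    return table


def unresolved_filter_hosts(conf, hosts_text):
    """host() names that /etc/hosts cannot resolve; their logs end up in FALLBACK."""
    filters, _, _ = parse_conf(conf)
    known = set(parse_hosts(hosts_text).values())
    return sorted(h for h in filters.values() if h not in known)


def expand(path, host, ymd):
    """Fill in the $HOST and date macros; ymd is a (year, month, day) tuple."""
    year, month, day = ymd
    for macro, value in (('$HOST', host), ('$YEAR', '%04d' % year),
                         ('$MONTH', '%02d' % month), ('$DAY', '%02d' % day)):
        path = path.replace(macro, value)
    return path


def route(conf, hosts_text, sender_ip, ymd):
    """Files a message from sender_ip is written to on the day given as (y, m, d)."""
    filters, dests, logs = parse_conf(conf)
    # syslog-ng's $HOST is the resolved name, or the bare IP when unresolved,
    # so an unresolved sender never matches a host(name) filter.
    host = parse_hosts(hosts_text).get(sender_ip, sender_ip)
    paths = []
    for flt, dst, final in logs:             # strictly top-down
        if filters.get(flt) != host:
            continue
        paths.append(expand(dests[dst], host, ymd))
        if final:                            # flags(final): stop here
            break
    return paths or [FALLBACK]


if __name__ == "__main__":
    today = date.today().timetuple()[:3]
    print("unresolved filter hosts:", unresolved_filter_hosts(SYSLOG_NG_CONF, HOSTS))
    for ip in ("192.168.2.1", "192.168.2.2", "192.168.2.3"):
        print(ip, "->", route(SYSLOG_NG_CONF, HOSTS, ip, today))
```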

Securing PHP4

There are many things to take into account when it comes to trying to secure anything, not only PHP or Apache or Postfix or anything else:

1. You and your users still need to be able to use it.
2. The server can be as secure as possible, but a few lines of bad code can really screw up your morning.

There are a few things to keep in mind when configuring the php.ini file.

Firstly, it's probably not a bad idea to chroot your apache server; there are a few very good examples of how to do this on the web, just do a search in google or something.

In your php.ini file add the following:
safe_mode = On
safe_mode_gid = Off
expose_php = Off
register_globals = Off
display_errors = Off
log_errors = On
error_log = "filename"

safe_mode = On

By switching on safe_mode, you have just made your server probably twice as secure as it was before.
Safe mode will ensure that only the owner of the file or script is able to read or execute that file or script.

Here is an example:
-rw-rw-r-- 1 joeuser joeuser 33 Jul 1 19:20 script.php
-rw-r--r-- 1 root root 1116 May 26 18:01 /etc/passwd

Running this script.php
<?php
readfile('/etc/passwd');
?>
results in this error when safe mode is enabled:

Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2

Of course we will also be logging this info to a log file rather than displaying the error.

safe_mode_gid = Off

This is pretty much the same as safe_mode except it relates directly to the GID or Group ID.
If for instance we use this example, you will see how this can backfire on you if it's not set to Off, although in some environments having GID On is fine.

-rw-rw-r-- 1 joeuser joeuser 33 Jul 1 19:20 script.php
-rw-r--r-- 1 root joeuser 1116 May 26 18:01 /usr/local/etc/passwords

Running this script.php
<?php
readfile('/usr/local/etc/passwords');
?>
Because the group is the same, I can view the passwords file even though we set safe_mode = On.
Without safe_mode_gid = Off the check is not restricted to the UID, which is what we want; with it Off the file is effectively treated as if it were mode 700.

expose_php = Off

Turning off the expose_php directive stops PHP from including information about itself in the HTTP headers it sends to clients in response to their requests.

register_globals = Off

When register_globals is turned on, all the EGPCS (Environment, GET, POST, Cookie and Server) variables are registered as global variables. This can pose a serious security threat, so it is strongly recommended to turn this parameter off. From version 4.2.0 onwards it is off by default, but if you are running an older version you should still double check. If an application you use requires register_globals to be On, I suggest you get it rewritten or fixed, or stop using it.

display_errors = Off

This directive does nothing magical, but if there is a problem in the code, or the backend database (if there is one) is down, the error messages will not be shown on screen. We don't want visitors to see information like "user root@localhost can't log in to the database" or that the database is called jacks-db; I'm sure you can see where I am going with this.

log_errors = On

Simply put, we want to log our errors; where we log them is defined in the next directive.

error_log = "filename"
error_log = /var/log/php-errors/php.log
or something like that; it is up to you.


You might also want to check this out:

disable_functions = phpinfo, curl_exec, curl_init, passthru, show_source, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system

This stops PHP scripts from using these functions. You might need some of them, but your average web site, or even web-based application, probably would not.
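The following is an added example, not code from the original article: a small Node.js script that parses a php.ini and reports every directive that differs from the values recommended above. The function names and the sample ini text are constructed for the demonstration.

```javascript
// Added example: audit a php.ini against the hardened values recommended above.
// Parses the ini text (';' comments, [sections], key = value, quoted values)
// and reports every directive that is missing or weaker than recommended.

// Recommended values, taken from the directives listed in the article.
const RECOMMENDED = {
  safe_mode: "on",
  safe_mode_gid: "off",
  expose_php: "off",
  register_globals: "off",
  display_errors: "off",
  log_errors: "on",
};

// Functions the article suggests putting in disable_functions.
const SHOULD_BE_DISABLED = [
  "phpinfo", "curl_exec", "curl_init", "passthru", "show_source",
  "proc_close", "proc_get_status", "proc_nice", "proc_open",
  "proc_terminate", "shell_exec", "system",
];

// Parse php.ini text into a flat { key: value } object. The last assignment
// wins, as in php.ini itself; section headers are skipped; ';' starts a comment.
function parsePhpIni(text) {
  const settings = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.replace(/;.*$/, "").trim();
    if (line === "" || line.startsWith("[")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim().toLowerCase();
    let value = line.slice(eq + 1).trim();
    if (value.length >= 2 && /^["'].*["']$/.test(value)) value = value.slice(1, -1);
    settings[key] = value;
  }
  return settings;
}

// Normalise the spellings PHP accepts for booleans; anything unknown is
// returned unchanged so it shows up verbatim in a finding.
function toBool(value) {
  const v = value.trim().toLowerCase();
  if (["1", "on", "true", "yes"].includes(v)) return "on";
  if (["0", "off", "false", "no", "none", ""].includes(v)) return "off";
  return v;
}

// Compare the parsed settings with the recommendations and return a list of
// readable findings. An empty list means the file matches the article.
function auditPhpIni(text) {
  const s = parsePhpIni(text);
  const findings = [];
  for (const [key, want] of Object.entries(RECOMMENDED)) {
    if (!(key in s)) {
      findings.push(`${key} is not set (recommended: ${want})`);
    } else if (toBool(s[key]) !== want) {
      findings.push(`${key} = ${s[key]} (recommended: ${want})`);
    }
  }
  if (!(s.error_log || "").trim()) {
    findings.push("error_log is not set, so logged errors have nowhere to go");
  }
  const disabled = new Set(
    (s.disable_functions || "").split(",").map((f) => f.trim().toLowerCase()).filter(Boolean)
  );
  const stillEnabled = SHOULD_BE_DISABLED.filter((f) => !disabled.has(f));
  if (stillEnabled.length) {
    findings.push(`disable_functions leaves enabled: ${stillEnabled.join(", ")}`);
  }
  return findings;
}

// Constructed sample php.ini (not a real file): two directives are wrong,
// error_log is missing and two of the listed functions are still enabled.
const SAMPLE_INI = `[PHP]
; constructed sample, not a real php.ini
safe_mode = On
safe_mode_gid = Off
expose_php = On        ; somebody forgot this one
register_globals = Off
display_errors = "1"   ; quoted and numeric, but it still means On
log_errors = On
disable_functions = phpinfo, curl_exec, curl_init, passthru, show_source, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate
`;

console.log(auditPhpIni(SAMPLE_INI).join("\n"));
```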

Multiple IP addresses on FreeBSD on the same NIC

Sometimes you need more than one address aliased to a network interface on a server, for instance if you want to use SSL pages in Apache: each SSL certificate should have its own IP address, and each VirtualHost that runs on port 443 should have a unique IP address.
You can get around this by changing the port from 443 to something like

<VirtualHost *:4430>
vhost info
</VirtualHost>

<VirtualHost *:4431>
vhost info
</VirtualHost>

<VirtualHost *:4432>
vhost info
</VirtualHost>

But then you are not using the default ports, which might be a problem out in the real world; inside your own network the above would be fine.

Anyway, that is not what this is about: this is about aliasing other IPs to the NIC on your FreeBSD server.

All you have to do is edit the /etc/rc.conf file:
defaultrouter="10.10.10.1"
hostname="mysrv.mydom.com"
ifconfig_em0="inet 10.10.10.4 media 100baseTX mediaopt full-duplex netmask 255.255.255.0"
ifconfig_em0_alias0="10.10.10.7 netmask 0xffffffff"
ifconfig_em0_alias1="10.10.10.8 netmask 0xffffffff"
ifconfig_em0_alias2="10.10.10.9 netmask 0xffffffff"
ifconfig_em0_alias3="10.10.10.10 netmask 0xffffffff"

That's it.
The netmask of 0xffffffff is fine; use it as per the example.

Now all you have to do is run /etc/netstart
and the server will respond on all the IPs.

This way you can also have your web server listen on one IP, and if you have other services running, like mail and FTP, they can all have their own IP address.

Securing Apache 1.3


Overview

There are many things to keep in mind when trying to secure anything; one of the most important is to make sure that the system is both usable and secure, as there is usually a trade-off between security and usability. You could secure Apache by not allowing users to use any sort of scripts, only plain HTML pages, but that's not usually practical.

In this article I am going to go over the basic things to keep in mind when securing Apache, but I will not go into running it in a chroot jail. There is, however, a great article on this over at SecurityFocus.

Installation

Firstly you will need to install Apache. If you are using FreeBSD then simply go to the ports directory and run make install clean:

/usr/ports/www/apache13
or any of the other Apache 1.3 ports that you might want to install, like apache13-modssl or apache13-ssl.
In the case of the SSL Apache versions you would install as follows:
# make
# make certificate (this is so you can create a self-signed certificate)
# make install

Configuring

All your configuration files are now in /usr/local/etc/apache

This is up to you, but I prefer breaking up my Apache config.
You can also neaten it up: the default httpd.conf file has tons of comments in it which might be handy but are not always necessary.

If you want to split up your Apache config then this is what you can do.

In /usr/local/etc/apache
# mkdir conf
# mkdir conf/vhosts
# cd conf/vhosts
# vi vhosts.conf (you might want to split your http from your https vhosts here too, by having a vhosts-ssl.conf file as well)
In your vhosts.conf file you can now add your vhosts; there is no need for anything else in this file other than the VirtualHost information. The first vhost is the default catch-all for domains that are pointed to your server.
Also, if you want to change the log directory, make sure that it exists:
# mkdir /var/log/httpd-logs

<VirtualHost *:80>
ServerName myservename.com
DirectoryIndex index.php index.html
ErrorLog /var/log/httpd-logs/server-default-error.log
CustomLog /var/log/httpd-logs/server-default-access.log combined
DocumentRoot /usr/local/www/data-dist/default
</VirtualHost>

<VirtualHost *:80>
ServerName www.mysite1.com
DirectoryIndex intro.html index.htm index.php index.html
ErrorLog /var/log/http/www.mysite1.com-error-log
CustomLog /var/log/http/www.mysite1.com-access-log combined
DocumentRoot /usr/local/www/data-dist/mysite1/htdocs/
ScriptAlias /cgi-bin/ /usr/local/www/data-dist/mysite1/cgi-bin/
</VirtualHost>

<VirtualHost *:80>
ServerName www.mysite2.com
DirectoryIndex intro.html index.htm index.php index.html
ErrorLog /var/log/http/www.mysite2.com-error-log
CustomLog /var/log/http/www.mysite2.com-access-log combined
DocumentRoot /usr/local/www/data-dist/mysite2/htdocs/
ScriptAlias /cgi-bin/ /usr/local/www/data-dist/mysite2/cgi-bin/
</VirtualHost>
<--- Snip

As you can see, I have log entries for each virtual host as well as a ScriptAlias /cgi-bin/; this gives each virtual host its own cgi-bin directory rather than one centralized cgi-bin directory.

In the main httpd.conf file you need to tell Apache where to find your vhosts.
And while we are doing this we might as well sort some other things out listed in no particular order.

#vi httpd.conf
You will probably want to enable NameVirtualHost

You would also probably want to change these settings

UseCanonicalName Off
ServerSignature Off
HostnameLookups Off

Include /usr/local/etc/apache/conf/vhosts
NameVirtualHost *:80

You can also use RedirectMatch to send suspicious requests elsewhere:
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH.x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH..x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH...x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH....x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH.....x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)default\.ida(.*)$ http://www.sfsfsfsfsfrq.com


I am not suggesting that you redirect to a real site; rather point to something that does not exist, like http://www.sfsfsfsfsfrq.com. Of course you could redirect to a real site; that is your choice.

Also, under DocumentRoot "/usr/local/www/data", add the following lines if you want to use mod_security:

Options FollowSymLinks
AllowOverride None
Include etc/apache/conf/modsecurity.conf
When you add a user, make their home directory the path to the vhost:
# adduser
Username: mysite1
Full name: My Site 1 Web User
Uid (Leave empty for default):
Login group [mysite1]:
Login group is mysite1. Invite mysite1 into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash nologin) [sh]:
Home directory [/home/mysite1]: /usr/local/www/data-dist/mysite1
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : mysite1
Password : *****
Full Name : My Site 1 Web User
Uid : 1005
Class :
Groups : mysite1
Home : /usr/local/www/data-dist/mysite1
Shell : /bin/sh
Locked : no

Now that you have the user added, change to that directory and add the following directories:
# cd /usr/local/www/data-dist/mysite1
# mkdir htdocs
# mkdir htdocs/stats (if you are using something like AWStats this will make life a bit easier)
# mkdir cgi-bin
Then chmod and chown appropriately:

drwxr-xr-x 2 mysite1 mysite1 512 Jun 12 16:00 cgi-bin
drwxr-xr-x 4 mysite1 mysite1 1024 Jun 13 08:35 htdocs
drwxr-xr-x 2 root wheel 512 Jun 13 11:48 stats (this can also be chowned www:www; the point is to ensure that the user is not able to delete the stats folder)

This should get you most of the way through the config.

Apache and Mod Security

Installing and configuring Mod Security

ModSecurity is an open source application that acts as a web application firewall or an intrusion detection and prevention system. It can be run as an Apache module or standalone. ModSecurity helps protect web-based applications from attacks.

Installing ModSecurity

This is simple: just run make install clean in FreeBSD's mod_security port directory. If you are not running FreeBSD and need the source, you can get it from the ModSecurity site.

Preparing the ModSecurity config file for use with Apache

I have split my httpd.conf file up, so I have a separate conf directory in /usr/local/etc/apache. You can put your modsecurity.conf directly in that directory, but for this example I am going to use /usr/local/etc/apache/conf.

# mkdir modsec-rules
# vi modsecurity.conf

AddHandler application/x-httpd-php .php

SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec/audit_log
SecFilterScanPOST On
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:500"
SecAuditLogRelevantStatus ^5
#
# Rules
#
# RootKits
Include /usr/local/etc/apache/conf/modsec-rules/rootkits.conf
# useragents
Include /usr/local/etc/apache/conf/modsec-rules/useragents.conf
You can download the rules you want to use from GotRoot. Just check which ones are relevant to you and use those rule sets. There are quite a few options that you can implement in your modsecurity.conf file, but you will have to test them: the wrong rule could make your web pages or your clients' pages unusable.


Add this into your Apache config file:
Options FollowSymLinks
AllowOverride None
Include etc/apache/conf/modsecurity.conf
Reload your Apache config and test to see that the pages still work.
Once again, make sure that the modsec log directory exists. When you reload Apache an audit log file should appear, and any odd traffic will be recorded there; by monitoring the log file you can see what is being blocked and take appropriate action if something is being blocked that should not be.

Static NAT and PAT (port forwarding)


NOTE: This particular config was done on a Cisco 877 ADSL / DSL router; however, it is known to work on the Cisco 800 series routers in general, including the Cisco 827, Cisco 837 and Cisco 877W, the Cisco 1720, Cisco 1721 and Cisco 1750 series, and the Cisco 1600 series.


Right, so you have set up your Cisco DSL (or you only have one IP address from your ISP) and you have set up your DynDNS so that you can connect to the router. But what's next?

Well, the usual next step, and probably the whole reason you did this in the first place, is so that you can connect to a server from the outside world: a web server, a mail server or something similar.

The basic principle is that the connection comes in on the dialer interface (the external address) and is passed to the internal address on a matching port.

There is a limitation to this though: if you have two web servers both listening for traffic on port 80 but only one external address, you are going to run into a problem. You would have to change the port that the second server listens on, for instance from 80 to 8080.

However, you can have multiple servers doing different things. In the example below there are two servers: one (10.0.0.2) is a mail and web server and the other (10.0.0.3) is a VPN box running PPTP.

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
!


router# conf t
router (config)#ip nat inside source static tcp 10.0.0.2 25 interface dialer 1 25
router (config)#ip nat inside source static tcp 10.0.0.2 21 interface dialer 1 21
router (config)#ip nat inside source static tcp 10.0.0.2 443 interface dialer 1 443
router (config)#ip nat inside source static tcp 10.0.0.2 80 interface dialer 1 80
router (config)#ip nat inside source static tcp 10.0.0.2 110 interface dialer 1 110
router (config)#ip nat inside source static tcp 10.0.0.3 1723 interface dialer 1 1723
router (config)#ip nat inside source static udp 10.0.0.3 1723 interface dialer 1 1723
router (config)#exit
router #wr
Building configuration...

Once you have done this, you can easily test it by connecting from the outside to your mail server:

telnet my-test-thing.dyndns.org 25
Trying 200.200.200.200...
Connected to my-test-thing.dyndns.org.
Escape character is '^]'.
220 Mail Server Ready

The exact same thing can be used with a static IP address. Some providers like to assign a /31, which leaves you with one usable IP, so instead of using "interface Dialer 1" you can use the static address:

ip nat inside source static tcp 10.0.0.2 3389 196.200.200.5 3389 extendable
ip nat inside source static tcp 10.0.0.2 443 196.200.200.5 443 extendable
ip nat inside source static tcp 10.0.0.2 21 196.200.200.5 21 extendable

This will obviously not work for a dynamically assigned address; for that you would have to use the first example.

I hope this helps someone.

Automatic Browser Configuration for Proxy Servers

In this How-To we are going to cover automatically configuring your browser to use a proxy. This should work fine with Mozilla Firefox, Internet Explorer and most other browsers; for Apple's Safari things are a little different, but I will cover that as best I can.

There are a few ways of doing this, but the actual proxy.pac or wpad.dat files are the most important, so we will start there.

Proxy Configuration Files PROXY.PAC and WPAD.DAT

They are actually the same file, so you can just alias or symlink the two so that if you edit one the other "file" is also updated. (I don't think you can do this in Windows, but I might be wrong; it's been a long time.)

In the example below we are going to tell the browser that if the domain we are going to matches a rule, then go directly to the site; this is very useful for internal sites like intranets that you don't really need to cache. We will also tell the browser to go direct for port 443 or https sites, as I doubt it's a good idea to send that traffic via a proxy, but that choice is up to you. Then we are going to tell the browser that if your IP address falls within a certain range, use the given proxy server.

OK, let's start.
# vi proxy.pac

function FindProxyForURL(url, host)
{
    if (shExpMatch(host, "*.YourDomain.com"))
        return "DIRECT";
    else if (url.substring(0,6)=="https:")
        return "DIRECT";
    else if (isInNet(myIpAddress(), "192.168.0.0", "255.255.252.0"))
        return "PROXY 192.168.1.3:3128";
    else
        return "DIRECT";
}

That's it, no more, no less. Although, if you have the need, you can add other directives to it. For instance, if you are a mobile user who has to use a proxy at your office as well as at other branch offices, and each branch has its own proxy server, then you can just do this:

# vi proxy.pac

function FindProxyForURL(url, host)
{
    if (shExpMatch(host, "*.YourDomain.com"))
        return "DIRECT";
    else if (url.substring(0,6)=="https:")
        return "DIRECT";
    else if (isInNet(myIpAddress(), "192.168.0.0", "255.255.252.0"))
        return "PROXY 192.168.1.3:3128";
    else if (isInNet(myIpAddress(), "192.168.4.0", "255.255.255.0"))
        return "PROXY 192.168.4.3:3128";
    else if (isInNet(myIpAddress(), "192.168.5.0", "255.255.255.0"))
        return "PROXY 192.168.5.3:3128";
    else
        return "DIRECT";
}

Which in theory should tell the browser that if your local LAN address is in the 192.168.0.0/22 range then use proxy 192.168.1.3 on port 3128, and if your IP address is in the 192.168.4.0/24 range then your proxy server is going to be 192.168.4.3 on port 8080.
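An added example, not part of the original post: an offline harness that exercises the branch-office proxy.pac above before you publish it. Browsers provide shExpMatch, isInNet and myIpAddress to PAC scripts; they are re-implemented here in simplified form (assumption: no DNS lookups, IPv4 only, case-insensitive globbing), and the client address is simulated so FindProxyForURL can be run under Node.

```javascript
// Added example: run the branch-office PAC from the post in Node with a
// chosen client address, so each branch's routing can be checked offline.

let simulatedClientIp = "0.0.0.0"; // what myIpAddress() reports; set by resolveProxy()

// PAC helper: shell-style glob match ('*' and '?'). Matched case-insensitively
// here because host names are; this is an assumption about browser behaviour.
function shExpMatch(str, shexp) {
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}

// Dotted-quad IPv4 string to an unsigned 32-bit integer; throws on bad input.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d+$/.test(p) || n > 255) throw new Error("bad IPv4 address: " + ip);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// PAC helper: true when ipaddr lies inside the network pattern/mask.
function isInNet(ipaddr, pattern, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ipaddr) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// PAC helper: the client's own address (simulated here).
function myIpAddress() {
  return simulatedClientIp;
}

// The branch-office PAC from the post, reproduced unchanged.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.YourDomain.com"))
    return "DIRECT";
  else if (url.substring(0, 6) == "https:")
    return "DIRECT";
  else if (isInNet(myIpAddress(), "192.168.0.0", "255.255.252.0"))
    return "PROXY 192.168.1.3:3128";
  else if (isInNet(myIpAddress(), "192.168.4.0", "255.255.255.0"))
    return "PROXY 192.168.4.3:3128";
  else if (isInNet(myIpAddress(), "192.168.5.0", "255.255.255.0"))
    return "PROXY 192.168.5.3:3128";
  else
    return "DIRECT";
}

// Evaluate the PAC the way a client with the given address would.
function resolveProxy(url, host, clientIp) {
  simulatedClientIp = clientIp;
  return FindProxyForURL(url, host);
}

// Constructed cases: [url, host, client IP, expected decision].
const PAC_CASES = [
  ["http://intranet.YourDomain.com/", "intranet.YourDomain.com", "192.168.1.50", "DIRECT"],
  ["https://bank.example.net/", "bank.example.net", "192.168.1.50", "DIRECT"],
  ["http://www.example.net/", "www.example.net", "192.168.1.50", "PROXY 192.168.1.3:3128"],
  ["http://www.example.net/", "www.example.net", "192.168.3.200", "PROXY 192.168.1.3:3128"], // still inside the /22
  ["http://www.example.net/", "www.example.net", "192.168.4.20", "PROXY 192.168.4.3:3128"],
  ["http://www.example.net/", "www.example.net", "192.168.5.7", "PROXY 192.168.5.3:3128"],
  ["http://www.example.net/", "www.example.net", "10.1.2.3", "DIRECT"], // e.g. at home: no proxy
];

// Run every case and return the ones whose decision differs from expectation.
function failingCases() {
  return PAC_CASES.filter(([url, host, ip, want]) => resolveProxy(url, host, ip) !== want);
}

const failed = failingCases();
console.log(failed.length === 0 ? "all PAC cases passed" : failed);
```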

Implementation

Like I said, there are a number of ways of doing this.

If it's just for you then you could simply save the file somewhere on your hard drive and tell your browser, via its Preferences or Tools menu or similar, that your proxy configuration file is at /some/place/on/my/hdd/proxy.pac.

Now the fun part: if you want to implement this for your entire company you can just use DNS and a web server.

Create a CNAME entry on your DNS Server for your Domain

wpad.yourdomain.com CNAME webserv.yourdomain.com

Now put the file on the server and make sure that you can see the file and its contents if you point your browser to http://wpad.yourdomain.com/wpad.dat. Remember, if you can't browse to it then your browser will not find it either when set to automatic proxy detection.

One thing to keep in mind, though, is that the computers you are trying to configure must have the domain set, so that the short name wpad is looked up with your domain appended.

In a Unix environment, including Apple and Linux, you can edit your /etc/resolv.conf and make sure that there is a domain directive. For example:


# less /etc/resolv.conf
domain mydomain.com
nameserver 192.168.0.2
nameserver 192.168.4.5

ISC DHCP SERVER ASSIGNED PROXY

There are a few other ways you could do this; you could, for example, use your DHCP server to notify its clients that there is a proxy config file. I have never tried this, but if you are using the ISC DHCP server then all you have to do is this.

Add the below to your dhcp config file:

option wpad code 252 = text;
option wpad "http://www.example.com/proxy.pac";

The proxy.pac file would be the same as the example above.

I find that using a web server (or DHCP, not that I have tried it) is probably more ideal, especially if you are rolling this out to multiple computers on a network.

But you can do the following if it's just you, or if you are using Apple's Safari. From what I can see, you have to tell Safari where the file is; unlike Firefox or IE, it does not search for the file via DNS.

If you are running a Unix system you can also set up an Apache server on your machine and place the proxy.pac file in the correct directory, so that if you browse to http://127.0.0.1/proxy.pac you get the content of the file, in which case you can configure the browser to look at http://127.0.0.1/proxy.pac instead of /some/place/on/my/hdd/proxy.pac.
You could do the same on a Windows machine that has IIS installed.

Dynamic DNS on a Cisco ADSL Router

Any new Cisco ADSL router in the 800 series should support dynamic DNS updates to a DDNS provider like DynDNS.com.

This particular example is for a Cisco 877 ADSL router.
NOTE: This particular config was done on a Cisco 877 ADSL / DSL router; however, it is known to work on the Cisco 800 series DSL routers in general, including the Cisco 827, Cisco 837 and Cisco 877W, as long as the Cisco IOS on the router supports the DDNS config.

You might want to check the Cisco ADSL config guide too.

First off you are going to want to create an account with a DDNS provider. This particular example uses DynDNS.org, but others should work in the same or at least a similar way. In this example the DNS name we want is mycisco.dyndns.org.

OK, let's go.

Log in to your router via console or telnet, go into enable mode, then configure terminal (conf t):

ip domain name dyndns.org
ip name-server ip.ip.ip.ip
ip name-server ip.ip.ip.ip
ip ddns update method DynDNS
HTTP add http://uname:passwd@members.dyndns.org/nic/update?system=dyndns&hostname=myrouter.dyndns.org&myip=
(Note: from HTTP to myip= is entered as one line.)
interval maximum 1 0 0 0

Breakdown of the above commands:

username:password This is the username and password of the account you created at the DDNS provider.
HINT: password issues seem to crop up with DynDNS.org unless you use an alphanumeric combination, pass123 for instance; shy away from pass!@#, at least at the time of this How-To anyway.

members.dyndns.org/nic/update You can leave this as it is if you are using dyndns.org. HINT: the ? after this might cause problems, as the Cisco router thinks you are asking for help; you can escape it by pressing CTRL and V at the same time and then ?.

system=dyndns There are 3 options here; dyndns is the one to use if you are using one of the default DynDNS.org domains.

hostname= The hostname you are updating, in this case mycisco.dyndns.org.

myip= Leave this blank; the DynDNS site will determine what IP your ISP has issued to you.

interval maximum This is the maximum interval that will pass before your router sends your DDNS provider an update. For testing purposes you can use interval maximum 0 0 5 0 (every 5 minutes): the first 0 is days (0 - 365), the second is hours (0 - 23), the third is minutes (0 - 59) and the last one is seconds (0 - 59). Once you have determined that the DDNS config is working I would suggest that you change it to 0 1 0 0 (once a day, in other words); if for some reason your IP address changes before that 24 hour period, your router will automatically update your DDNS provider anyway.


interface Dialer1
ip ddns update hostname mycisco.dyndns.org
ip ddns update DynDNS host members.dyndns.org

interface Vlan1
ip ddns update hostname mycisco.dyndns.org
ip ddns update DynDNS host members.dyndns.org

Once you have that all added, write the config, then enable debugging and turn on terminal monitor:

debug ip ddns update
term mon

I have noticed that to get the DDNS kick-started it's best to shut the dialer interface and then un-shut it. As soon as you do that you start seeing debugging info in the terminal window.

If things work out you should see something like this happening.

Example IPs:
100.50.50.9 <-- IP assigned to the router by the ISP
110.28.196.94 <-- The IP of the DDNS provider's HTTP page that your router logs in to in order to update

00:04:35:%DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1 assigned DHCP address 100.50.50.9,
mask 255.255.255.255, hostname mycisco.dyndns.org

00:04:35: DYNDNSUPD: Adding DNS mapping for mycisco.dyndns.org <=> 100.50.50.9 server
110.28.196.94

00:04:35: DYNDNSUPD: Sleeping for 3 seconds waiting for interface Ethernet1 configuration
to settle

00:04:38: HTTPDNS: Update add called for mycisco.dyndns.org <=> 100.50.50.9

00:04:38: HTTPDNS: Update called for mycisco.dyndns.org <=> 100.50.50.9

00:04:38: HTTPDNS: init

00:04:38: HTTPDNSUPD: Session ID = 0x7

00:04:38: HTTPDNSUPD: URL =
'http://test:test@110.28.196.94/nic/update?system=dyndns&hostname=mycisco.dyndns.org&myip=100.50.50.9'

00:04:38: HTTPDNSUPD: Sending request

00:04:40: HTTPDNSUPD: Response for update test.dyndns.org <=> 100.50.50.9

00:04:40: HTTPDNSUPD: DATA START

good 100.50.50.9

00:04:40: HTTPDNSUPD: DATA END, Status is Response data received, successfully

00:04:40: HTTPDNSUPD: Call returned SUCCESS for update mycisco.dyndns.org <=> 100.50.50.9

00:04:40: HTTPDNSUPD: Freeing response

00:04:40: DYNDNSUPD: Another update completed (outstanding=0, total=0)

00:04:40: HTTPDNSUPD: Clearing all session 7 info


Now, if all the above happened, you should be able to do a dig or nslookup for your host name (mycisco.dyndns.org):

$ dig mycisco.dyndns.org

In the answer section you should see something like this:
;; QUESTION SECTION:
;mycisco.dyndns.org. IN A

;; ANSWER SECTION:
mycisco.dyndns.org. 60 IN A 112.1.2.3

or you can do an nslookup mycisco.dyndns.org:

Non-authoritative answer:
Name: mycisco.dyndns.org
Address: 112.1.2.3


If you then reboot your router, or even shut and un-shut your Dialer 1 interface, your ISP will probably issue you another IP; if that's the case, give it a few seconds and a dig should show the new IP associated with the hostname.
Remember to change the interval maximum once you have determined that it does work. For other DDNS providers most things should stay the same, except for the "add http://username:password..." part and of course the "ip ddns update DynDNS host xxxxx" and "ip ddns update hostname xxxxx" lines.

Here are some examples for other providers:
DDNS
http://USERNAME:PASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=(hostname)&myip=(address)

TZO
http://cgi.tzo.com/webclient/signedon.html?TZOName=(hostname)&Email=USERNAME&TZOKey=PASSWORD&IPAddress=(address)

EASYDNS
http://USERNAME:PASSWORD@members.easydns.com/dyn/ez-ipupdate.php?action=edit&myip=(address)&host_id=(hostname)

JUSTLINUX
http://USERNAME:PASSWORD@www.justlinux.com/bin/controlpanel/dyndns/jlc.pl?direst=1&username=USERNAME&password=PASSWORD&host=(hostname)&ip=(address)

DYNS
http://USERNAME:PASSWORD@www.dyns.cx/postscript.php?username=USERNAME&password=PASSWORD&host=(hostname)&ip=(address)

HN
http://USERNAME:PASSWORD@dup.hn.org/vanity/update?ver=1&IP=(address)

ZONEEDIT
http://USERNAME:PASSWORD@www.zoneedit.com/auth/dynamic.html?host=(hostname)&dnsto=(address)


Tuesday, May 6, 2008

Cisco Static DHCP Configuration

Assigning STATIC IP addresses on a Cisco Router via DHCP

Although it's not something that is probably all that common, and it's actually the first time I have had a need to use this on a router, I thought I would share this information with you anyway.

NOTE: This particular config was done on a Cisco 877 ADSL / DSL router; however, it is known to work on the Cisco 800 series routers in general, including the Cisco 827, Cisco 837 and Cisco 877W, the Cisco 1720, Cisco 1721 and Cisco 1750 series, and the Cisco 1600 series.


Normal DHCP config for a Cisco Router

ip dhcp excluded-address 192.168.1.1 192.168.1.10

We are excluding anything in the range 192.168.1.1 to 192.168.1.10.
In this example our servers are in this range and we don't want any conflicts; also, the router is .1.

ip dhcp pool POOL-NAME
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.7 192.168.1.8
default-router 192.168.1.1
lease 0 8


The pool name is exactly that, a name; it will mean more to you than to the router, so make it something you will recognise.

network indicates the network we are using, 192.168.1.1/24, a class C.
dns-server: those are the DNS server addresses we are going to assign to the DHCP clients.
default-router is the default gateway.
lease is the amount of time the client machine keeps the IP before trying to renew it: 0 days, 8 hours.

Now, if for some reason you need to assign a static IP to a user via DHCP, it's pretty simple.
There are a number of reasons I can think of that you would do this. For instance, if access to certain things is based on IP address: say IPs 192.168.1.11, 192.168.1.12 and 192.168.1.13 are allowed to browse without having to use a proxy server (important people like your boss, who pays your salary and needs to be able to surf copious amounts of porn without anyone knowing).

Anyway, the why is up to you; the how is listed below.

The first thing you want to do is find out what the MAC address is. If you are already running a DHCP server on the router it's pretty easy:

router#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.1.78 0012.7980.77b5 Aug 07 2006 08:36 PM Automatic
192.168.1.86 000e.7f32.37d7 Aug 07 2006 07:36 PM Automatic
192.168.1.23 0014.3863.4c56 Aug 07 2006 06:10 PM Automatic


Now the 3 MAC addresses need to be reserved so that the next time those MAC addresses log on to the network they are assigned 192.168.1.11, .12 and .13.

So this is what you do:
router#clear ip dhcp binding 192.168.1.78
router#clear ip dhcp binding 192.168.1.86
router#clear ip dhcp binding 192.168.1.23

If you want to clear the bindings for all IPs in the DHCP pool you could just run
router#clear ip dhcp binding *

Now that the IPs are not bound, you can simply add something like this:

ip dhcp pool STATIC-1
host 192.168.1.11 255.255.255.0
hardware-address 0012.7980.77b5
!
ip dhcp pool STATIC-2
host 192.168.1.12 255.255.255.0
hardware-address 000e.7f32.37d7
!
ip dhcp pool STATIC-3
host 192.168.1.13 255.255.255.0
hardware-address 0014.3863.4c56


These 3 addresses will now only be issued to the holders of those MAC addresses.

Tacacs+ Install and Config Guide


What is TACACS?
As per Wikipedia:
Terminal access controller access control system (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network.

Installing Tacacs on FreeBSD
This guide is intended to be a basic implementation of TACACS+, so although there are many features I am just going to document what I generally use. Please note that tac_plus is also available from Shrubbery Networks if you would like to install and configure it on another platform.

You may also want to check out my Rancid How-To

Once again it's in your ports directory: cd to /usr/ports/net/tac_plus4/ and run make install clean.

Once installed, vi /usr/local/etc/rc.d/tac_plus.sh and change the following line from NO to YES:
tac_plus_enable=$

Save the file, then vi /etc/rc.conf and add tac_plus_enable="YES"; this will ensure that tacacs starts if the server is rebooted.

Now cd to /usr/local/etc/ and edit the tac_plus.conf file:

key = *KEYEXAMPLE* (using a key is optional but recommended, as it creates an encrypted session between the tacacs+ server and the device)
user = user1 {
login = cleartext user1password
}
user = rancid {
login = cleartext rancidpassword
}
user = user2 {
login = cleartext user2password
}

For all the features of the tacacs config file you should read /usr/local/share/doc/tac_plus/users_guide

Configuring a Cisco Router

Log in to the router you want to configure, be sure to go into enable mode, then conf t:
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 4 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
aaa session-id common
!
tacacs-server host 10.10.10.10 timeout 5
tacacs-server directed-request
tacacs-server key xxxxxxx


The tacacs-server host is, as it seems, the address of the server that tac_plus is running on.
The tacacs-server key is the key in the tac_plus.conf file.

Depending on your network setup you might need to use the following command:
ip tacacs source-interface Loopback0
(or whatever interface the Cisco router can reach the tacacs server from)

For your own sake do not write the config on the router just yet.

Starting Tacacs+
/usr/local/etc/rc.d/tac_plus.sh start

In another terminal window you might want to tail the tacacs accounting log file:
tail -f /var/log/tac_plus.acct

Now log into the router. If it works, you will see something like this:

***
User Access Verification

Username:
***

If not, you will just see the usual:
***
User Access Verification

Password:
***

If you do get the username prompt, try to log in with a username and password from the tac_plus.conf file.
If you are able to log in, well done, it works.
You can now save your router config.

If it does not log in you might want to enable the tacacs debug feature.
Also try disabling the key in the config file and restarting tacacs; be sure to also remove the key from the router's config.

If the tacacs login is successful you will see something like this in the tacacs accounting log:
Fri Jul 7 13:13:28 2006 196.x.x.x username tty66 10.0.0.254 start task_id=22068 timezone=SAST service=shell start_time=1152270808

You will also see when someone is adding or changing a config, as well as when a config is written.

Between Tacacs+ and Rancid you can keep a pretty close eye on your network.
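
What the accounting log can show you, as an added example that is not part of the original article and not tac_plus's own tooling: a small Python script that parses tac_plus.acct records and picks out the commands that enter config mode, run inside it, or write the config. The log lines it runs on are constructed (documentation addresses, a made-up user joe and made-up task ids), following the field order of the line quoted above; the tab separators and the literal "<cr>" that IOS appends to accounted commands are assumptions about the real file format.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# One tac_plus accounting record per line: timestamp, NAS (router) address,
# username, port, remote address, record type (start/stop/update), then
# attribute=value pairs. tac_plus separates the fields with tabs (assumption);
# the regex also tolerates plain spaces, as in the log line quoted above.
_HEAD = re.compile(
    r"^(?P<when>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<nas>\S+)\s+(?P<user>\S+)\s+(?P<port>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<kind>start|stop|update)\s*(?P<attrs>.*)$"
)
# A value (cmd= especially) may contain spaces, so it runs until the next
# "name=" token or the end of the line.
_ATTR = re.compile(r"(?P<name>[\w-]+)=(?P<value>.*?)(?=\s+[\w-]+=|\s*$)")

# Exec-mode command prefixes that alter or save the configuration.
CONFIG_PREFIXES = ("configure", "write", "copy")


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one accounting line into a dict; None if it is not a record."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("when", "nas", "user", "port", "remote", "kind")}
    for a in _ATTR.finditer(m.group("attrs")):
        rec[a.group("name")] = a.group("value").strip()
    if "cmd" in rec:
        # IOS terminates the accounted command with a literal "<cr>".
        rec["cmd"] = rec["cmd"].replace("<cr>", "").strip()
    return rec


def config_changes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the command records that enter config mode, run inside it, or save config.

    Config mode is tracked per (nas, port, user) session: "configure ..." enters
    it and "end" leaves it. A bare "exit" is not tracked, because its effect
    depends on the sub-mode depth, which the accounting log does not carry.
    """
    in_config = set()
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or "cmd" not in rec:
            continue
        session = (rec["nas"], rec["port"], rec["user"])
        cmd = rec["cmd"]
        if cmd.startswith("configure"):
            in_config.add(session)
            hits.append(rec)
        elif cmd == "end":
            in_config.discard(session)
        elif session in in_config or cmd.startswith(CONFIG_PREFIXES):
            hits.append(rec)
    return hits


def changes_per_user(lines: Iterable[str]) -> Dict[str, int]:
    """Count config-affecting commands per username."""
    return dict(Counter(rec["user"] for rec in config_changes(lines)))


def _rec(when, nas, user, port, remote, kind, *attrs):
    """Build a tab-separated record the way tac_plus is assumed to write it."""
    return "\t".join((when, nas, user, port, remote, kind) + attrs)


# Constructed sample log (documentation addresses, not a real capture).
_S = ("192.0.2.1", "joe", "tty66", "198.51.100.20")
SAMPLE_LOG = [
    _rec("Fri Jul  7 13:13:28 2006", *_S, "start", "task_id=22068", "timezone=SAST",
         "service=shell", "start_time=1152270808"),
    _rec("Fri Jul  7 13:13:40 2006", *_S, "stop", "task_id=22069", "timezone=SAST",
         "service=shell", "priv-lvl=15", "cmd=show running-config <cr>"),
    _rec("Fri Jul  7 13:14:02 2006", *_S, "stop", "task_id=22070", "timezone=SAST",
         "service=shell", "priv-lvl=15", "cmd=configure terminal <cr>"),
    _rec("Fri Jul  7 13:14:20 2006", *_S, "stop", "task_id=22071", "timezone=SAST",
         "service=shell", "priv-lvl=15",
         "cmd=ip address 192.168.1.234 255.255.255.254 <cr>"),
    _rec("Fri Jul  7 13:14:25 2006", *_S, "stop", "task_id=22072", "timezone=SAST",
         "service=shell", "priv-lvl=15", "cmd=end <cr>"),
    _rec("Fri Jul  7 13:14:33 2006", *_S, "stop", "task_id=22073", "timezone=SAST",
         "service=shell", "priv-lvl=15", "cmd=write memory <cr>"),
    _rec("Fri Jul  7 13:15:00 2006", *_S, "stop", "task_id=22068", "timezone=SAST",
         "service=shell", "elapsed_time=92", "stop_time=1152270900"),
    _rec("Fri Jul  7 13:20:11 2006", "192.0.2.2", "rancid", "tty67", "198.51.100.5",
         "stop", "task_id=30001", "timezone=SAST", "service=shell", "priv-lvl=15",
         "cmd=show version <cr>"),
]

if __name__ == "__main__":
    for rec in config_changes(SAMPLE_LOG):
        print(f'{rec["when"]}  {rec["user"]}@{rec["nas"]}  {rec["cmd"]}')
    print(changes_per_user(SAMPLE_LOG))
```

Run it against the real file with something like `config_changes(open("/var/log/tac_plus.acct"))`; the rancid user's read-only "show" commands fall through, while joe's configure, the interface command typed inside config mode, and the write memory are reported.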

Setting up and Installing Rancid on FreeBSD for Cisco Products

What is Rancid?
Rancid is an application that monitors a device's configuration, including software and hardware. The configuration is then stored in a Concurrent Versions System (CVS) repository. Most of the time it is used to back up router, switch and firewall configurations, as well as to notify you when a configuration has changed, i.e. a firewall rule, a router's IP address or an access list change.

Here is an example of the output:

===================================================================
retrieving revision 1.29
diff -u -4 -r1.29 mpls-jhb-pe1
@@ -288,9 +288,9 @@
!
interface Serial0/0
description Link to Client X
bandwidth 2048
- ip address 192.168.1.244 255.255.255.254
+ ip address 192.168.1.234 255.255.255.254
ip route-cache flow
ip tcp header-compression iphc-format
ip tcp compression-connections 256
! ip ospf message-digest-key 1 md5

The - symbol represents what was removed; the + symbol represents what was added.

The above example is from a Cisco router; Rancid is also known to support Redback, Foundry, HP Procurve, Juniper and a host of others, as well as, of course, Cisco routers and switches.

I suggest that you also use Tacacs+ if your hardware supports it; my install guide is here.

Installing Rancid

Install the port from /usr/ports/net-mgmt/rancid/; you can just run a "make install clean".

Once installed, these are the places where the files you will need to configure are found:

The config files are in /usr/local/etc/rancid
The bin files are in /usr/local/libexec/rancid
The CVS and other files needed are in /usr/local/var/rancid
Other files are in /usr/local/share/rancid/

Firstly, the rancid.conf file.

Copy rancid.conf.sample to rancid.conf. The conf file is pretty well commented and there are only 2 or 3 lines you would need to change. The lines I changed are as follows.

LIST_OF_GROUPS="networks"
MAILDOMAIN="@yourdomain.tld"; export MAILDOMAIN

You might also want to check this line:
OLDTIME=4; export OLDTIME
4 hours is the default; you could change it to 1 or 2 hours, but if the cron job that checks the configs runs every 2 hours, setting OLDTIME to 1 hour is not going to be a big help. OLDTIME is the number of hours that pass before rancid complains about routers/devices that cannot be reached.

4 hours should be fine. You should have some sort of NMS in place anyway that will tell you about a network problem, so you should not have to rely on Rancid as an NMS.

Creating a Rancid User

I would suggest creating a rancid user.
No special privileges are needed that I have noticed.
I just used a standard user and a bash shell (I'm more comfortable using bash).

The .cloginrc file

This file is also pretty well commented and should be pretty easy to figure out. The file should be in the rancid user's home directory, the owner and group should be the rancid user, and the file should be chmod 640 or 600.

Here is an example of mine:
add user * rancid
rancid will log in as the rancid user if the device uses a username prompt, i.e. tacacs+

add password *-pix-fw
add method *-pix-fw ssh
The above will log into any host matching somehost-pix-fw as rancid with the above specified passwords.

add password specific-hosting-fw
add method specific-hosting-fw ssh
The above will log only into the firewall whose host is specific-hosting-fw as rancid with the above specified passwords.

# all our routers, i.e.: everything else
add password *

# set ssh encryption type, dflt: 3des
add cyphertype *

There are many other options in the file but these are the basics of what you might need to get yours up and running. Once you have your .cloginrc file set up it's time to test it.
su to your rancid user ("su rancid")
and run /usr/local/libexec/rancid/clogin followed by the IP address of the host you want to log into.
If all goes well you should see something like this:

[rancid@rat ~]$ clogin 10.0.0.1
10.0.0.1
spawn telnet 10.0.0.1
Trying 10.0.0.1...
Connected to MPLS-JHB-PE1.
Escape character is '^]'.

MPLS-JHB-PE1 line 162


User Access Verification

Username: rancid
Password:

MPLS-JHB-PE1>enable
Password:
MPLS-JHB-PE1#
MPLS-JHB-PE1#
You might want to consider linking the clogin script in the libexec dir to someplace in your path, like /usr/sbin:
ln -s /usr/local/libexec/rancid/clogin /usr/sbin/clogin

If your hosts are not in your DNS server zone files you can add them to your /etc/hosts file

Yes, you guessed it, I'm a lazy swine, so the first thing I did was add a bunch of aliases to my .bashrc file, copy the .cloginrc file to my home directory and change the user name in the file from rancid to my username.

Now all I have to do to log into a router, switch or firewall is type in the alias name and I'm in, no need to remember passwords.
However, there are security considerations that you might want to think about beforehand: the copied .cloginrc holds the device passwords in cleartext, so it needs the same ownership and 600/640 permissions as the original.

Here is an example of my aliases in the .bashrc file:

## Aliases ##
alias mpls='clear;clogin mpls-ny-pe1;clear'
alias mcore1='clear;clogin mcore1-ny-sw;clear'
alias mcore2='clear;clogin mcore2-ny-sw;clear'

Ok, now most of the hard work is done.
Setting up the CVS and telling Rancid what devices to monitor for config changes.

The first thing to do here is to check if this directory exists:
/usr/local/var/rancid/
If it does and it's not from a previous install that is working (then again, if it was, you probably would not be reading this), cd to /usr/local/ (as root)
and rm -fr var/rancid

Then, as the rancid user, do the following:
mkdir /usr/local/var/
mkdir /usr/local/var/rancid

Then run rancid-run. It should already be in /usr/local/bin/rancid-run; if it's not then you can create a link as you did with clogin (the rancid-run and rancid-cvs binaries are in the libexec dir).

When you run rancid-run as the rancid user you should not get any errors.
Then run rancid-cvs.

Between these 2 rancid binaries your /usr/local/var/rancid directory should now contain the following directories:

CVS logs networks <-- networks here is the group set in LIST_OF_GROUPS in /usr/local/etc/rancid/rancid.conf

cd to networks (or whatever group you created)
and vi the router.db file,
adding the hosts you want to monitor.
Example below:
mpls-tex-pe1:cisco:up
mpls-la-pe1:cisco:up
mpls-ny-pe1:cisco:up
mpls-was-pe1:cisco:up
mpls-london-pe1:cisco:up
mpls-oz-pe1:cisco:up
fw-client:cisco:up
core1-sw-ny-1:cisco:up
core2-sw-ny-2:cisco:up

etc.

I would suggest just adding one line for now so you can test it.

Also, on your mail server, add an alias to mail you or your group the info that rancid will send.
vi /etc/aliases

rancid-networks: bob,john,jack

or you could do this:
networks: bob,john,jack
rancid-networks: networks

But mail policies are up to you. Remember that rancid-xxxxxx will be whatever your group was called; mine is networks, hence the alias rancid-networks.

Once you have set up the mail to send you rancid's output, run rancid-run again.

With any luck you will receive an email with a bunch of info regarding the host you just had rancid log into; it should look similar to the output example near the top of this page.

If not, then either you have a problem with your rancid config (check /usr/local/var/rancid/logs for log files),
or maybe your alias is not working, or the server you are running rancid from is not sending the mail (mail server stopped, disabled, being blocked, etc.).

Last step, if all works: add a crontab entry as the rancid user,
something like this:
crontab -e
@hourly /usr/local/bin/rancid-run
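
Before the first rancid-run, the two things that usually go wrong are a .cloginrc with the wrong owner or permissions and a host in router.db that no "add password" pattern in .cloginrc covers. The following Python pre-flight check is an added example, not part of the article or of rancid itself. The sample router.db and .cloginrc it checks are constructed, with placeholder passwords; it assumes clogin's first-match, glob-style pattern lookup and the 600/640 modes recommended above, and the ";" separator it also accepts is the one newer rancid releases use for router.db.

```python
import fnmatch
import os
import stat
from typing import List, NamedTuple


class Device(NamedTuple):
    host: str
    kind: str   # device type, e.g. "cisco"
    state: str  # "up" or "down"


def parse_router_db(text: str) -> List[Device]:
    """Parse router.db lines of the form host:type:state.

    The article's rancid release uses ':' as the separator; rancid 3.x
    switched to ';', so both are accepted (assumption about newer releases).
    """
    devices = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sep = ";" if ";" in line else ":"
        parts = [p.strip() for p in line.split(sep)]
        if len(parts) != 3 or parts[2] not in ("up", "down"):
            raise ValueError(f"malformed router.db line: {raw!r}")
        devices.append(Device(*parts))
    return devices


def cloginrc_patterns(text: str) -> List[str]:
    """Return the host patterns of the 'add password' directives, in file order.

    Only the pattern token is read; the password tokens that follow it are
    never touched or returned.
    """
    patterns = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) >= 3 and tokens[0] == "add" and tokens[1] == "password":
            patterns.append(tokens[2])
    return patterns


def unmatched_hosts(devices: List[Device], patterns: List[str]) -> List[str]:
    """Hosts marked 'up' that no 'add password' pattern covers.

    clogin takes the first pattern that matches the hostname (glob-style,
    assumed here), so a host with no matching pattern will fail to log in.
    """
    return [d.host for d in devices if d.state == "up"
            and not any(fnmatch.fnmatchcase(d.host, p) for p in patterns)]


ALLOWED_MODES = (0o600, 0o640)   # the two modes the article allows for .cloginrc


def mode_problems(mode: int, uid: int, expected_uid: int) -> List[str]:
    """Check the permission bits and owner of .cloginrc (pure, so it is testable)."""
    problems = []
    if mode not in ALLOWED_MODES:
        problems.append(f"mode is {mode:04o}, expected one of "
                        + ", ".join(f"{m:04o}" for m in ALLOWED_MODES))
    if uid != expected_uid:
        problems.append(f"owner uid is {uid}, expected {expected_uid}")
    return problems


def file_problems(path: str, expected_uid: int) -> List[str]:
    """Stat a real .cloginrc and run mode_problems on it."""
    st = os.stat(path)
    return mode_problems(stat.S_IMODE(st.st_mode), st.st_uid, expected_uid)


# Constructed samples: host names follow the article's router.db; the .cloginrc
# deliberately lacks the catch-all "add password *" so one host goes unmatched.
SAMPLE_ROUTER_DB = """\
mpls-tex-pe1:cisco:up
mpls-ny-pe1:cisco:up
fw-client:cisco:up
core1-sw-ny-1:cisco:down
core2-sw-ny-2:cisco:up
"""

SAMPLE_CLOGINRC = """\
add user * rancid
add password *-pix-fw {placeholder} {placeholder}
add method *-pix-fw ssh
add password mpls-*-pe1 {placeholder} {placeholder}
add password fw-client {placeholder} {placeholder}
add cyphertype * {3des}
"""

if __name__ == "__main__":
    devs = parse_router_db(SAMPLE_ROUTER_DB)
    print("hosts without a password pattern:",
          unmatched_hosts(devs, cloginrc_patterns(SAMPLE_CLOGINRC)))
    cloginrc = os.path.expanduser("~/.cloginrc")
    if os.path.exists(cloginrc):
        print(".cloginrc:", file_problems(cloginrc, os.getuid()) or ["ok"])
```

On the rancid host, point file_problems at the rancid user's .cloginrc (with the rancid uid from pwd.getpwnam) and parse_router_db at /usr/local/var/rancid/networks/router.db; a host that the check reports as unmatched is one clogin will prompt for a password on and rancid-run will log as a failure.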

Setting up a Cisco 800 series Router for ADSL

Setting up a Cisco 800 series Router for ADSL

Not that the average user would use a Cisco ADSL router; if they do use a Cisco product it would probably be a Linksys router.

Anyway, here is the config with comments in between. The comments explain the line they accompany and are not part of the configuration itself.

You might want to check out the Cisco DYNDNS configuration guide too.

NOTE: This particular config was done on a Cisco 877 ADSL / DSL router, however it's known to work on the Cisco 800 series DSL routers in general, including the Cisco 827, Cisco 837 and Cisco 877W.

This example is a basic setup for just access to the web; you can enable PAT (Port Address Translation) on the router to allow access from the outside to a server or something like that. Also, this setup is for a dynamic IP from the ISP.

You might also want to check out the how-to on setting up SSH login on the router.

! Lines beginning with ! are comments; IOS ignores them, so the block can be pasted as-is.
! Replace the <placeholders> with your own values.
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
! your router name, i.e. Bobs-Router
hostname <your-router-name>
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret <your-enable-secret>
!
no aaa new-model
ip subnet-zero
! IPs you want to keep as static addresses, excluded from the DHCP pool
ip dhcp excluded-address 192.168.0.100
ip dhcp excluded-address 192.168.0.7
ip dhcp excluded-address 192.168.0.2
!
ip dhcp pool MYPOOL
 ! your internal IP range
 network 192.168.0.0 255.255.255.0
 ! your ISP's DNS server IP addresses
 dns-server <isp-dns-1> <isp-dns-2>
 ! the address of this router
 default-router 192.168.0.1
!
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh break-string
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 ! the PVC: Telkom in South Africa use 8/35, your particular telco probably uses something else
 pvc 8/35
  pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp chap hostname <isp-username>
 ppp pap sent-username <isp-username> password <isp-password>
!
! This enables NAT on your router to mask your internal range behind the external IP address.
! "list 1" refers to access-list 1 below, which selects the internal range to translate;
! IOS requires the list on this command.
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 exec-timeout 120 0
 logging synchronous
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 1 in
 exec-timeout 120 0
 ! your password goes here, used to telnet into your router
 password <vty-password>
 login
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
! optional
sntp server <ntp-server-ip>
!
end
