The goal of this document is to walk you through the configuration of your iptables firewall and the setup of your management server using ThreatSTOP-provided scripts. Once this setup has been completed, your environment will begin receiving target list updates every two hours and will be protected by ThreatSTOP.
We have written some shell scripts to prepare iptables, get your block lists, and use the results to create rules for iptables. You can download the scripts here. If this is a new device, please allow up to 15 minutes for our systems to be updated.
As with any Linux configuration, the first step in configuring the management appliance is to apply the latest patches for the distribution. You will also need to gather any missing library files for the setup Perl script. To do this:
- Connect to the new virtual machine and log in with your chosen credentials.
At the command prompt enter the following commands, pressing ENTER between each command.
rsyslog will need to be installed; Ubuntu seems to install syslog-ng by default, which is not compatible with the ThreatSTOP Shield Platform.
Once the management appliance has been patched, you will need to set up the device in the Portal using the setup steps provided in ThreatSTOP Portal Introduction. Once the device has been configured in the portal, we can proceed with the installation of the ThreatSTOP application.
Test the connection from your management appliance to our network using the command:
Verify that the IP address is in the list of authorized hosts.
Testing the Connection
To test that a connection can be made successfully between your VM and ThreatSTOP enter:
Installing ThreatSTOP for iptables
ThreatSTOP can interface with a large number of management devices. One of the most readily available of these is built into Linux itself: iptables is a strong, widely deployed, and free firewall that is available in every Linux distribution. To make use of this powerful utility you will need to perform the following steps:
- Log in to the Virtual Machine.
FTP to ftp.threatstop.com and enter the following commands:
After the download completes enter:
If the file is not where you want the installation files to appear, move it to your preferred location and decompress it using the command:
This will install the ThreatSTOP IP firewall software and set up a user named threatstop that cannot log in. You may either set a password on this account and log in as the threatstop user, or run sudo su threatstop and execute commands as the threatstop user.
As the threatstop user, begin the setup process by entering:
An introduction screen will appear and a few brief checks will be run to verify that the settings needed for the script to run are in place. You will then begin configuring the system utilities. Unless you have specifically installed these utilities elsewhere, use the provided defaults for file locations. The utilities mentioned are a mix of what we downloaded above and standard utilities distributed with most Linux-based distributions. After the system utilities are configured, the user-required parameters will be configured.
Accept the default for the ThreatSTOP IP set prefix.
- Provided that your connection to ThreatSTOP is open via port 80, the following parameters will be automatically populated with data from your account. Both fields may be accepted without issue. If your connection is blocked you will need to contact support for the correct values to enter.
- ThreatSTOP Block list parameter: default
- ThreatSTOP Allow list parameter: default
Set the maximum policy size your system is able to handle. The default is likely to be OK, so tap ENTER.
Accept the default location for the ThreatSTOP log file by tapping ENTER.
Use the provided URL to submit your logs by tapping ENTER.
Enter the log upload IP address. This may be automatically configured for you, so you only need to change it if you know the device IP address does not match the external IP address of the device.
- The value for the Please enter the DNS PORT setting (0 - 65535) prompt depends on whether your configuration is set as a DNS server:
- If your configuration is set as a DNS server, accept the default of 53.
- If your configuration is not set as a DNS server, the default will fail and you will need to change the port. For a standard configuration this should be set to 5353.
This controls how often fresh Threat Intelligence is piped into your firewall. It's safe to leave this at 2 hours by tapping ENTER.
Unless you specifically need the logs uploaded at a rate different from normal, accept the default of every hour by tapping ENTER.
Accept these settings by entering Y (or accepting the default) at the Use these settings prompt.
Information about the actions performed and the results of the connection tests will be displayed. A confirmation to enable the new Allow and Block lists will then be displayed. Tap ENTER to continue.
Finally you will be prompted with Ready to run get Allow/Block list for the first time. Accept the default of Y and the scripts will pull the latest information for your policy.
From here you'll be able to use this device as a firewall in your network.
Testing the Configuration
You can verify that your policy has been loaded into iptables by running the following command:
This will list all of the rules currently employed by iptables. Once this is set, you can verify the firewall's behavior by visiting the following URIs from a device behind the firewall:
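As an added check that is not part of ThreatSTOP's own scripts or commands, the following POSIX shell snippet parses iptables -S style rule output and confirms that the ThreatSTOP allow set is matched before the block set (an assumption about how an allow/block pair should be ordered, since an allow entry only takes effect if its rule is evaluated first). The set names THREATSTOP-allow and THREATSTOP-block and the sample rules are constructed placeholders; the real names derive from the IP set prefix chosen during setup.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` output (not captured from a real host).
# The set names are assumed placeholders for those created by the ThreatSTOP setup.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m set --match-set THREATSTOP-allow src -j ACCEPT
-A INPUT -m set --match-set THREATSTOP-block src -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Same sample with the two ThreatSTOP rules swapped: block is evaluated first,
# so an allow-listed source would be dropped before its allow rule is reached.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -m set --match-set THREATSTOP-block src -j DROP
-A INPUT -m set --match-set THREATSTOP-allow src -j ACCEPT'

# rule_position SETNAME RULES
# Prints the 1-based line number of the first rule that matches SETNAME
# via `-m set --match-set`, or nothing if no rule references the set.
rule_position() {
    printf '%s\n' "$2" | awk -v set="$1" '
        index($0, "--match-set " set " ") { print NR; exit }'
}

# check_threatstop_order PREFIX RULES
# Succeeds only when both <PREFIX>-allow and <PREFIX>-block are referenced
# and the allow rule precedes the block rule (assumed correct ordering).
check_threatstop_order() {
    prefix="$1"
    rules="$2"
    allow=$(rule_position "${prefix}-allow" "$rules")
    block=$(rule_position "${prefix}-block" "$rules")
    [ -n "$allow" ] || { echo "missing rule for ${prefix}-allow"; return 1; }
    [ -n "$block" ] || { echo "missing rule for ${prefix}-block"; return 1; }
    [ "$allow" -lt "$block" ] || {
        echo "allow rule (line $allow) is after block rule (line $block)"
        return 1
    }
    echo "ok: allow at line $allow, block at line $block"
}

# On a real device, feed live output instead of the constructed sample:
#   check_threatstop_order THREATSTOP "$(iptables -S INPUT)"
check_threatstop_order THREATSTOP "$SAMPLE_RULES"
```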
To stop and remove ThreatSTOP from your firewall device:
Use the following command to remove ThreatSTOP and leave the configuration files:
Use the following command to remove ThreatSTOP and the configuration files:
In both uninstallation cases, your log files will not be removed. Additionally, the threatstop user will be left on the system.