
We have written a script that sets up Vyatta devices with firewall rules, fetches your block lists, uses the results to update the ipsets it creates, and uploads your firewall logs to us.

You can download the script here, but you will find it is easier to cut and paste the wget command in Setup below.

Note:

  • If this is a new device, please allow up to 30 minutes for our system to update and acknowledge the device.

Prerequisites

  • A management station with a web browser that can read this page and an ssh client that can access the Vyatta device.
  • Set up your Vyatta device with an external Ethernet port and IP address, as well as a management IP address that can be accessed from your management station.
  • The Vyatta device should have ssh enabled on it. This can be set up by entering the following in the console:

    configure
    set service ssh
    commit
    exit


    Note:

    You should also ensure that the device has a default gateway and name server configured. Additionally, the default name server of the device may be set to one of the ThreatSTOP DNS servers (addresses below).

  • The Vyatta device should be allowed to communicate through port 53. If port 53 is unusable, or otherwise unavailable, it’s also possible to use port 5353.

  • Confirm that the management station's ssh client can connect to the Vyatta device and log in to it; from that login session confirm that the Vyatta device can also access and download files from the Internet. In particular, check that your Vyatta device can connect to ThreatSTOP’s FTP service by entering this command:

    ping ftp.threatstop.com

    Note:

    If this is a re-installation you may wish to either rename the ts-vyatta folder to something else or restore the system to its original state before running the re-installation.

Setup

For a physical install, a Vyatta appliance or a PC with two or three network interface cards (NICs) and a Vyatta OS CD is required. For testing, either a subscription edition or the Vyatta Core is acceptable – for longer term support a subscription version is required. Vyatta recommends 1 GB of memory, and for testing purposes this is plenty; in deployment, 512 MB or less can be used unless you are planning on using the device with many features enabled. From a hard drive standpoint a 4 GB hard disk is more than enough for testing and evaluation as Vyatta only requires about 1-2 GB of space.

For a virtual install either a VM image or a blank VM and the ISO of the Vyatta CD is required. The same memory and disk requirements given for the physical install apply. If you are not using a Vyatta image then you must enable PAE support on the CPU otherwise Vyatta will not boot.

The device may be set up using either two or three NICs and may be positioned either inside or outside the existing network firewall/router as shown in the three diagrams to the right.

Caution:

Without additional firewall rules to block external SSH access, it is not recommended to deploy the two NIC configuration outside the firewall.


Diagram: 3 NIC Vyatta configuration outside the firewall

Diagram: 3 NIC Vyatta configuration inside the firewall

Diagram: 2 NIC Vyatta configuration inside the firewall

It is preferable to install the Vyatta box behind the firewall/router if that device is doing NAT, so that you can track down bots on your network. If, however, your firewall has multiple internal interfaces, e.g. one for the intranet and another for DMZ servers, then you should place the Vyatta box outside the firewall. In this case you will have trouble identifying the IP addresses of any bots since they will be NATted by the firewall.

In addition to the machine (or VM) that will be running Vyatta, a management station is required. This machine should have an SSH client installed (Linux/Mac OS machines have one by default; for Windows you should install a client such as PuTTY (http://www.putty.org/) or MindTerm (http://www.appgate.com/index/products/mindterm/)), access to the Internet, and a web browser.

Installation of Vyatta OS onto Hard Disk

Note:

Users of the Vyatta VM image or with a Vyatta Hardware Appliance should skip this section.

  1. Insert the CD into the drive (add the ISO if virtual) and boot/reboot the device. You should see a Vyatta logo and the option to press F1 for help or Enter to boot.
  2. Press ENTER.
  3. After a short while booting up you will see a login prompt. Log in as user vyatta with password vyatta (both in all lowercase).
  4. Once you are logged in enter the command below and follow the instructions.

    Caution:

    If you follow the recommended defaults you will totally reformat the hard disk. If you wish to not destroy all data then you should not select auto from the partition choice. Either have the partitions set up in advance (Skip) or choose Parted.

    vyatta@vyatta:~$ install-system

  5. Near the end of the process you will be asked for a new password for the vyatta account; choose one that is not the same as the default. Once the install has finished you can eject the CD and reset the machine.
    The machine will now boot Vyatta from the hard disk. When presented with the login prompt you should log in as vyatta using the password you defined during the install process.

VM Image users:

Boot the VM and then, when you get to a login prompt, log in as user vyatta with password vyatta.

Hardware Appliance users:

Follow the basic instructions that came with your appliance to unpack, connect, and attach a management station to your appliance. When you get to a login prompt, log in as user vyatta with password vyatta (both completely in lowercase).

Setup is divided into two sections: the first is done from the console of the Vyatta device and the second while SSHed in. It is possible to do all of the work from the console, but using SSH allows you to cut and paste lines directly from this document, which is generally quicker and less likely to lead to errors.

Note:

When entering commands on the Vyatta console (or SSH terminal) you can press the TAB key at any time to auto-complete a word so – for example – the command

set interfaces ethernet eth1 bridge-group bridge br0

may be entered as

set int[TAB] et[TAB] eth1 br[TAB] bridge br0

If there are multiple possibilities these will be listed.

Also pressing the [UP ARROW] gives access to the history of prior commands that may be edited or reapplied.

Console Setup Commands

Having logged in to the console you will need to set up the Ethernet interfaces, enable SSH and set the default nameserver and gateway. As noted above, you may optionally set up other services and options either from the console or via SSH. Likewise you can set the gateway and nameserver via SSH if the management station is on the same IP subnet as the Vyatta.

To configure anything on the Vyatta device it is necessary to enter configuration mode by typing configure at the console:

vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta#

First enable ssh:

vyatta@vyatta# set service ssh
[edit]
vyatta@vyatta#

Then set up the bridge group using Ethernet interfaces eth0 and eth1:

vyatta@vyatta# set interfaces ethernet eth1 bridge-group bridge br0
[edit]
vyatta@vyatta# set interfaces ethernet eth0 bridge-group bridge br0
[edit]
vyatta@vyatta# set interfaces bridge br0
[edit]
vyatta@vyatta#

If you have three NICs you should set up the IP address of the management interface on eth2:

vyatta@vyatta# set interfaces ethernet eth2 address 192.0.2.12/24
[edit]
vyatta@vyatta#

If you have two NICs you should set up the IP address of the bridge group:

vyatta@vyatta# set interfaces bridge br0 address 192.0.2.12/24
[edit]
vyatta@vyatta#

Now set up the default gateway and name server. These should be your INTERNAL default gateway and nameservers, the same as for any computer on the same network. If you don’t have your own nameservers, you can use your ISP's, or the primary ThreatSTOP nameserver:

vyatta@vyatta# set system gateway-address 192.0.2.1
[edit]
vyatta@vyatta# set system name-server 192.0.2.5
[edit]

Finally commit your changes, save and exit.

vyatta@vyatta# commit
[ interfaces ethernet eth1 bridge-group ]
Adding interface eth1 to bridge br0.
[ interfaces ethernet eth0 bridge-group ]
Adding interface eth0 to bridge br0.
Restarting OpenBSD Secure Shell server: sshd.
[edit]
vyatta@vyatta# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'...
Done
[edit]
vyatta@vyatta# exit
exit
vyatta@vyatta:~$

At this point the Vyatta device is correctly set up for basic SSH access.

SSH from management console

Using your ssh tool, connect to the Vyatta as user vyatta:

MindTerm home: C:\Users\<username>\Application Data\MindTerm\
SSH Server/Alias: 192.0.2.12
No settings file for 192.0.2.12 found.
(^C = cancel, ^D or empty = don't save)
Save as alias : 192.0.2.12
Current settings file: 'C:\Users\<username>\Application Data\MindTerm\192.0.2.12.mtp'
Connected to server running SSH-2.0-OpenSSH_5.1p1 Debian-5
Server's hostkey (ssh-rsa) fingerprint:
openssh md5: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
bubblebabble: xipag-vomal-lebuk-zuvyb-nimyl-dipek-modid-sofol-vebus-segig-guxox
Host key not found in 'C:\Users\<username>\Application
Data\MindTerm\hostkeys\key_22_192.0.2.12.pub'
192.0.2.12 login: vyatta
vyatta@192.0.2.12's password: ******
Linux vyatta 2.6.32-1-586-vyatta-virt #1 SMP Mon Aug 2 23:28:02 PDT 2010 i686
Welcome to Vyatta.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc/*/copyright.
vyatta@vyatta:~$

Now add NAT so that computers inside can access external resources, then save.

vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta# set service nat rule 10 type masquerade
[edit]
vyatta@vyatta# set service nat rule 10 outbound-interface eth0
[edit]
vyatta@vyatta# set service nat rule 10 source address 192.0.2.0/24
[edit]
vyatta@vyatta# set service nat rule 11 type masquerade
[edit]
vyatta@vyatta# set service nat rule 11 source address 192.0.2.0/24
[edit]
vyatta@vyatta# set service nat rule 11 outbound-interface eth0
[edit]
vyatta@vyatta# commit
[edit]
vyatta@vyatta# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'...
Done
[edit]
vyatta@vyatta# exit
exit
vyatta@vyatta:~$

If you wish to you may configure the Vyatta further to add additional features. If you intend to add custom firewall rules it is strongly recommended that this be done after you have enabled ThreatSTOP on the device.

Verify that you can see the world by typing:

vyatta@vyatta:~$ ping ftp.threatstop.com
PING www.threatstop.com (64.87.26.148) 56(84) bytes of data.
64 bytes from www.threatstop.com (64.87.26.148): icmp_seq=1 ttl=43 time=234 ms
64 bytes from www.threatstop.com (64.87.26.148): icmp_seq=2 ttl=43 time=232 ms
64 bytes from www.threatstop.com (64.87.26.148): icmp_seq=3 ttl=43 time=233 ms
64 bytes from www.threatstop.com (64.87.26.148): icmp_seq=4 ttl=47 time=233 ms
^C
--- www.threatstop.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 232.764/233.798/234.675/0.680 ms

Finally verify that the Vyatta device is in our database.

vyatta@vyatta:~$ wget -qO - http://www.threatstop.com/cgi-bin/validip.pl
Your IP address: 192.0.2.0
Address is in the list of authorized hosts

If the address is NOT in the database then the response will be

vyatta@vyatta:~$ wget -qO - http://www.threatstop.com/cgi-bin/validip.pl
Your IP address: 192.0.2.0
Address is not in the list of authorized hosts
Host list updated every 15 minutes and last updated at
Wed Oct 27 11:15:01 2010 GMT. It is now Wed Oct 27 11:22:16 2010

If the address reported is the one you entered for the device when you added it at https://threatstop.com then you should wait for about 15 minutes and then try again. If the address remains invalid then contact ThreatSTOP tech support to find out why.

If the address reported is not the address you entered for the device at the ThreatSTOP website then you should correct that entry and wait about half an hour before retrying.

Once the address is confirmed as being in the ThreatSTOP database, you are ready to set the device up with ThreatSTOP. If you did not do the initial device addition on the ThreatSTOP website from this computer (or you closed the browser) then you should log in to your ThreatSTOP account at https://threatstop.com, select Manage Devices and then click on Rules for the device you added.

Look down the web page until you see the section containing the setup command for your device.

As the instructions say, it is a good idea to first save a copy of the current working configuration.

vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta# save prethreatstop
Saving configuration to '/opt/vyatta/etc/config/prethreatstop'...
Done
[edit]
vyatta@vyatta# exit
exit
vyatta@vyatta:~$

ThreatSTOP Setup

  1. Copy and paste the following line into the Vyatta ssh session:

    wget -O - ftp://ftp.threatstop.com/pub/ts-vyatta.tar.gz | tar xzv ; sudo ts-vyatta/setup.pl --type b --blocklist=<block list name>..threatstop.local --allowlist=<allow list name>..threatstop.local

    The device should download and unpack the ThreatSTOP scripts and then run the setup script which will display the following (if you have a sudo password enabled on your Vyatta device then you will need to enter it when prompted).

    ThreatSTOP Vyatta setup script 1.02 If you have not specified setup options on the command line then
    you will be given the chance to specify them now. First time users running this by pasting in the
    command from the ThreatSTOP website should probably not change anything. On subsequent runs probably
    the only things to change will be the block and allow list ids. For each option the default value is
    specified in [], just press the ENTER key to accept it.

    Note for the paranoid. The proposed changes to the Vyatta config, the changes to /etc/rc.local,
    /etc/logrotate.d/messages and the new crontab are created in the installation directory. If you
    choose not to allow this script to apply the changes automatically then you can review them and then
    apply them manually.

    You will then be asked a number of questions and normally you should accept the default values. The critical questions are the third one asking about the bridge id and the subsequent ones concerning firewall rule names and numbers. If the bridge id is not br0 then you must correct this. Likewise if you have existing firewall rules defined for the "in" and "local" directions of the bridge you must enter their names and an appropriate rule number since otherwise those rules will no longer be applied to traffic on that interface. If you do have existing rules it is generally recommended that the ThreatSTOP rules are performed first and thus that they have the lowest numbers. The setup script creates the eight ThreatSTOP rules with consecutive numbers. Thus, if your existing rules start at 10, you should specify that the script insert the rules starting at either 1 or 2.

    ThreatSTOP installation directory [/home/vyatta/ts-vyatta/]

    ThreatSTOP ipset prefix [TS]

    Install type bridged - bridge id [br0]

    Firewall name for interface br0 direction in: [TSbridgeinrule]

    Insert ThreatSTOP rules beginning at number? [10]

    Add default accept? (strongly recommended if you do not have other
    rules for this firewall name, not otherwise)[y]

    Firewall name for interface br0 direction local: [TSbridgelocalrule]

    Insert ThreatSTOP rules beginning at number? [10]

    Add default accept? (strongly recommended if you do not have other
    rules for this firewall name, not otherwise)[y]

    ThreatSTOP block list:<block list name>..threatstop.local

    ThreatSTOP allow list:<allow list name>..threatstop.local

    dig command location [/home/vyatta/ts-vyatta/dig]

    Logfile to upload [/var/log/messages]

    URL for submitting logs [https://threatstop.com/cgi-bin/logupload.pl]

    Once these questions have been answered the script will create the install directory and copy files if required, test whether the firewall can download the block list from ThreatSTOP's DNS server and create the Vyatta firewall rules (but not apply them) and the modifications of the various files that are needed.

    Initial set up complete, testing
    /home/vyatta/ts-vyatta/dig +tcp -t ptr @192.124.129.42 <block list name>..threatstop.local
    Test successful
    Creating bridging rules to configure.bridge.sh
    Creating local copy of logrotate.d/messages file
    Creating crontab file
    Creating local copy of rc.local file

    Now you are asked whether you wish to accept the changes. If you have a complex/non-standard configuration you may wish to say N at this point and examine the files that have been created.

    Apply changes: /home/vyatta/ts-vyatta/configure.bridge.sh,
    /etc/logrotate.d/messages, /etc/rc.local, crontab (Y/N)[Y]

    Merging /home/vyatta/ts-vyatta/configure.bridge.sh

    Removing and clearing crontab for root
    no crontab for root
    no crontab for root
    # Update the ThreatSTOP lists. Every 2 hours, 0 minutes after the hour
    # (00:15, 02:15, 04:15, etc.)
    0 */2 * * * /home/vyatta/ts-vyatta/ipsetget.pl
    # Force a logrotate if the log is > 100k. Check every 5 minutes after the hour
    5 * * * * perl -e'exec q(logrotate -f /etc/logrotate.d/messages) if (stat q(/var/log/messages))[7]>100000;'

    Copying modified /etc/logrotate.d/messages
    `/home/vyatta/ts-vyatta/logrotated.messages' -> `/etc/logrotate.d/messages'
    Copying modified /etc/rc.local
    `/home/vyatta/ts-vyatta/rc.local' -> `/etc/rc.local'

    Finally you have the choice to run the script to get the block list data for the first time:

    Run script for first time? (Y/N) [Y]

    After some seconds (depending on the blocklist size and the connectivity to our DNS servers this may take up to a minute) you should see a report of a successful first run when the script completes. Assuming this last step reports success, you have installed ThreatSTOP on your Vyatta routing device.
    You should verify that none of the changes have broken basic connectivity and, if there are no problems, you should save the configuration so that it is used whenever the device reboots. This can be done by entering in the console:

    configure
    save threatstopbridge
    save
    exit

    To view the contents of the block and allow lists, you will need to run the "ipset" command:

    sudo ipset -L

    The output will most likely go by too fast to view. You can pipe it to less so you can page through the output:

    sudo ipset -L | less

Updating Vyatta

New versions of the ThreatSTOP application may contain significant changes and, as such, require a different upgrade procedure. To upgrade:

  1. Uninstall the older version of ThreatSTOP by running the following commands from the home directory:

    ts-vyatta/revert.sh
    rm -rf ts-vyatta

    This will remove the previous configurations.

  2. Once this is completed paste the following line into the Vyatta ssh session:

    wget -O - ftp://ftp.threatstop.com/pub/ts-vyatta.tar.gz | tar xzv ; sudo ts-vyatta/setup.pl --type r --blocklist=<block list name>..threatstop.local --allowlist=<allow list name>..threatstop.local

Updating Vyatta OS

When Vyatta is updated using the image upgrade procedure, the ThreatSTOP scripts are moved to a different location on the filesystem. As a result the block list is no longer updated and logs are not uploaded. To get ThreatSTOP working again, re-run the setup procedure in update mode: the configuration is not modified, but the cron jobs that update the block list and upload the log are recreated.
To perform the update, copy and paste the following line into the Vyatta ssh session:

wget -O - ftp://ftp.threatstop.com/pub/ts-vyatta.tar.gz | tar xzv ; sudo ts-vyatta/setup.pl --type u --blocklist=<block list name>..threatstop.local --allowlist=<allow list name>..threatstop.local

Troubleshooting

The following five problems are frequently seen by our support staff. If you are confused, or if these steps do not help, then please contact ThreatSTOP support.

  1. ThreatSTOP rules do not appear to block anything

    The most likely reason is that you have not correctly entered the firewall's IP address in the ThreatSTOP device definition page. You can verify whether the address the firewall uses is in our database by running the following from the command prompt (SSH or console):

    wget -qO - http://www.threatstop.com/cgi-bin/validip.pl

    You should see a simple result stating the device's IP address and whether it is in the database or not. Database updates are not instantaneous but take place every 20 minutes; so, if you have recently added/modified the firewall IP details, you may wish to wait about half an hour before checking this. If there is no response at all then verify by using the ping command that the firewall can reach threatstop.com and, if not, that it can reach other places such as google.com. If you have no connectivity to ThreatSTOP but do have connectivity elsewhere please contact ThreatSTOP support for further information about the status of the ThreatSTOP infrastructure.
    If the address is valid but there are still problems you should manually run the blocklist retrieval procedure and then examine the output file. To download the blocklists do the following at the command prompt (SSH or console):

    ts-vyatta/ipsetget.pl
    less /tmp/tsoutput.txt

    In the output file the first few lines should look like:

    /home/vyatta/ts-vyatta/ipsetget.pl started at Mon Nov 1 10:49:01 2010
    /home/vyatta/ts-vyatta/dig +tcp -t ptr @192.124.129.42 <block list name>..threatstop.local

    ; <<>> DiG 9.4.3-P2 <<>> +tcp -t ptr @192.124.129.42 <block list name>..threatstop.local
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<< opcode: QUERY, status: NOERROR, id: 32530
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 2, ADDITIONAL: 0

    If instead you see ;; connection timed out; no servers could be reached then there is a problem with either our DNS or with the Internet path to us. If you confirm via pings etc. (see above) that the problem is with our DNS then please contact ThreatSTOP support for guidance on how to use a backup DNS server (and when the DNS will resume operation).

    If the status message is NXDOMAIN or REFUSED then the blocklist name is probably incorrect. Double-check that the name in the file is <block list name>..threatstop.local

    If the status is NOERROR but the ANSWER number is 0 (or possibly 1) then the likely issue is that you have not enabled any blocklists. Go back to the devices page in your ThreatSTOP account, click edit by the appropriate entry and confirm that you have some blocklists enabled. If you are in standard mode, then normally you should have at least the Basic and Advanced blocklists enabled and probably either or both of the Botnets and Unix Server lists. In expert Advanced mode you should confirm that you have some lists checked, and you should contact ThreatSTOP support to understand what the lists you have enabled should be blocking.
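The decision steps of item 1, as a small shell check added here (it is not part of ThreatSTOP's scripts): it classifies a /tmp/tsoutput.txt transcript into the cases described above. The sample transcripts it writes are constructed, and LISTNAME stands in for your block list name.

```shell
#!/bin/sh
# Classify the dig transcript that ipsetget.pl writes to /tmp/tsoutput.txt,
# following troubleshooting item 1.  Prints exactly one word:
# ok, empty-answer, bad-name, unreachable, unknown or unreadable.
# Exit status is 0 only for "ok".
diagnose_tsoutput() {
    file="${1:-/tmp/tsoutput.txt}"
    [ -r "$file" ] || { echo "unreadable"; return 2; }

    # No answer at all: Internet path or ThreatSTOP DNS problem.
    if grep -q 'connection timed out; no servers could be reached' "$file"; then
        echo "unreachable"; return 1
    fi

    # "status: XXX," from the ->>HEADER<< line of the first answer section.
    status=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' "$file" | head -n 1)
    case "$status" in
        NXDOMAIN|REFUSED) echo "bad-name"; return 1 ;;   # list name is wrong
        NOERROR) ;;
        *) echo "unknown"; return 1 ;;
    esac

    # "ANSWER: n," from the flags line; 0 or 1 means no block lists are enabled.
    answers=$(sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' "$file" | head -n 1)
    if [ -z "$answers" ] || [ "$answers" -le 1 ]; then
        echo "empty-answer"; return 1
    fi
    echo "ok"
    return 0
}

# Write a constructed dig transcript (sample data, not real ThreatSTOP output)
# of the given kind (ok|empty|badname|timeout) to the file named in $2.
write_dig_sample() {
    case "$1" in
        ok)      hdr='status: NOERROR, id: 1';  ans='ANSWER: 15,' ;;
        empty)   hdr='status: NOERROR, id: 2';  ans='ANSWER: 0,'  ;;
        badname) hdr='status: NXDOMAIN, id: 3'; ans='ANSWER: 0,'  ;;
        timeout) printf ';; connection timed out; no servers could be reached\n' > "$2"
                 return 0 ;;
        *)       echo "unknown sample kind: $1" >&2; return 2 ;;
    esac
    {
        printf '; <<>> DiG 9.4.3-P2 <<>> +tcp -t ptr @192.124.129.42 LISTNAME..threatstop.local\n'
        printf ';; ->>HEADER<<- opcode: QUERY, %s\n' "$hdr"
        printf ';; flags: qr aa rd ra; QUERY: 1, %s AUTHORITY: 2, ADDITIONAL: 0\n' "$ans"
    } > "$2"
}

# Stand-alone demo: classify one constructed sample of each kind.  On the
# device you would simply run: diagnose_tsoutput /tmp/tsoutput.txt
for kind in ok empty badname timeout; do
    f=$(mktemp)
    write_dig_sample "$kind" "$f"
    printf '%-8s -> %s\n' "$kind" "$(diagnose_tsoutput "$f" || true)"
    rm -f "$f"
done
```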

  2. ThreatSTOP blocks access to places it shouldn't

    Although ThreatSTOP tries very hard to ensure that we have zero false positives in our standard lists, we do occasionally miss something. If you are a community user or are using ThreatSTOP in standard mode on your firewall then please report the offending domain and ip address to ThreatSTOP support. Please check in the Vyatta log file (/var/log/messages) that the IP address is indeed being blocked by the ThreatSTOP rules before contacting us.

    You can also add the IP address to a custom allow list. Once you have created the allow list and added it to this device in the Edit device page, you should run the following command on the Vyatta command prompt to enable it on the device:

    sudo ts-vyatta/setup.pl --type u --blocklist=<block list name>..threatstop.local --allowlist=<allow list name>..threatstop.local

    Note:

    Our expert Advanced lists are not so well checked for false positives, as we believe that it is up to each expert user to decide about the suitability of certain feeds. Additionally, some feeds, e.g. the "Parasites" feed, are known to block IP addresses that not everyone considers harmful. Do consider a custom allow list (see above) as a first step, and please contact ThreatSTOP support to verify that the feeds you have chosen are appropriate to your situation.

  3. Other firewall rules do not appear to work

    The most common reason for this is that the ThreatSTOP setup script modified the existing firewall setup and in the process overwrote either the name of the firewall used for traffic or some of the rules - including changing the default action to accept.

    Take a look at the "prethreatstop" and "postthreatstop" saved configurations (both are in /opt/vyatta/etc/config) to see what changes have been made. One place to look is the interfaces section. If there are firewall names on the prethreatstop bridge interfaces then make sure that they are still there in postthreatstop (check for spelling differences). If those match then also check that you did not overwrite rules in that firewall name, and compare the firewall name's "default-action" line with what it was before (the setup script may have added "default-action accept").

  4. No Logs Uploaded

    In many cases logging issues are related to issue 1 above. If the validip test described above succeeds then you should verify that "log enable" is set appropriately in the current configuration (all ThreatSTOP firewall drop rules should have log enable set).

    You should also confirm that the system's root crontab and /etc/logrotate.d/messages files have been correctly modified. To check the root crontab do:

    sudo crontab -l

    If crontab is correctly setup there should be a line with a number, some asterisks and then the following perl command line:

    perl -e'exec q(/usr/sbin/logrotate -f /etc/logrotate.d/messages) if (stat q(/var/log/messages))[7]>100000;'

    To check the /etc/logrotate.d/messages enter:

    cat /etc/logrotate.d/messages

    If logrotate is correctly set up the file should contain the following lines (the prerotate block runs the log upload client before the log is rotated):

    daily
    prerotate
        /home/vyatta/ts-vyatta/loguploadclient.pl
    endscript

    You should also be able to see the same lines in the relevant files in the ts-vyatta directory. An upload can be forced by forcing a log rotation and then examining /tmp/tsoutput.txt for errors:

    sudo /usr/sbin/logrotate -f /etc/logrotate.d/messages
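The three checks of item 4 (crontab jobs, the logrotate hook, and log enable on every ThreatSTOP drop rule) as an added shell script; it is not part of ThreatSTOP's own tooling. It assumes that config.boot uses the brace layout shown in its constructed sample, that ThreatSTOP firewall names start with the TS prefix, and that the paths are those used elsewhere on this page.

```shell
#!/bin/sh
# Offline checks for troubleshooting item 4.  Each function takes a file so it can
# be tested on constructed samples; on the device point it at the real data
# (sudo crontab -l > /tmp/cron.txt, /etc/logrotate.d/messages, config.boot).
# Root crontab must contain both the ipsetget.pl job and the logrotate job.
check_crontab() {
    grep -q 'ts-vyatta/ipsetget.pl' "$1" &&
    grep -q 'logrotate -f /etc/logrotate.d/messages' "$1"
}
# logrotate config must run loguploadclient.pl inside prerotate ... endscript.
check_logrotate() {
    awk '
        /^[ \t]*prerotate/ { inpre = 1; next }
        /^[ \t]*endscript/ { inpre = 0; next }
        inpre && /ts-vyatta\/loguploadclient\.pl/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}
# Print "NAME rule N" for every drop rule under a firewall name starting with
# PREFIX (default TS) that lacks "log enable"; exit 0 when there are none.
# Assumes the one-statement-per-line brace layout of config.boot shown below.
unlogged_drop_rules() {
    awk -v prefix="${2:-TS}" '
        /[{][ \t]*$/ {                     # a block opens
            depth++
            if (depth == 1 && $1 == "firewall") infw = 1
            if (infw && depth == 2 && $1 == "name") name = $2
            if (infw && depth == 3 && $1 == "rule") { rule = $2; drop = 0; logon = 0; rdepth = 3 }
            next
        }
        /^[ \t]*[}][ \t]*$/ {              # a block closes
            if (infw && rdepth && depth == rdepth) {
                if (index(name, prefix) == 1 && drop && !logon) { print name " rule " rule; bad++ }
                rdepth = 0
            }
            depth--
            if (depth == 0) infw = 0
            next
        }
        infw && rdepth {                   # statements inside a rule
            if ($1 == "action" && $2 == "drop") drop = 1
            if ($1 == "log" && $2 == "enable") logon = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
# Constructed sample files (not taken from a real device), written into $1.
write_samples() {
    cat > "$1/crontab" <<'EOF'
0 */2 * * * /home/vyatta/ts-vyatta/ipsetget.pl
5 * * * * perl -e'exec q(/usr/sbin/logrotate -f /etc/logrotate.d/messages) if (stat q(/var/log/messages))[7]>100000;'
EOF
    cat > "$1/logrotate" <<'EOF'
daily
prerotate
    /home/vyatta/ts-vyatta/loguploadclient.pl
endscript
EOF
    cat > "$1/config.boot" <<'EOF'
firewall {
    name TSbridgeinrule {
        rule 10 {
            action drop
            log enable
        }
        rule 11 {
            action drop
        }
    }
    name OTHER {
        rule 10 {
            action drop
        }
    }
}
EOF
}
# Stand-alone demo on the constructed samples.
d=$(mktemp -d); write_samples "$d"
check_crontab "$d/crontab" && echo "crontab: ok" || echo "crontab: job lines missing"
check_logrotate "$d/logrotate" && echo "logrotate: ok" || echo "logrotate: hook missing"
unlogged_drop_rules "$d/config.boot" TS || echo "^ these drop rules do not log"
rm -rf "$d"
```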

  5. Logging private addresses

    If private intranet addresses are being logged talking to other private addresses then it is possible that the issue is to do with the log-martians enable line that ThreatSTOP adds to the firewall configuration. You should verify that the traffic is indeed harmless and then remove the line.

Restore to previous state

If you have run setup and applied the changes and wish to return to the pre-ThreatSTOP configuration then you should perform the following steps (assuming that you installed to /home/vyatta/ts-vyatta).

  1. From a console enter:

    ts-vyatta/revert.sh

    Optionally you may also wish to remove the ts-vyatta directory (rm -r ts-vyatta/).

  2. This has now restored all the files changed. To restore the configuration you should do the following:

    configure
    load prethreatstop
    save
    exit

  3. It is possible that you may need to load prethreatstop more than once to handle commit errors. Once you have managed to load the old configuration without error you should reboot the Vyatta device to be sure that it runs with no traces of ThreatSTOP changes in the system.
