Checkpoint Firewall Upgrade from R67 VSX to R77.10 VS & CIFS Resources

I have some Crossbeam X80 hardware running R67 VSX for some virtual firewalls.  Life is good and everything worked fine.  I planned and executed an upgrade plan for these blades to move to Checkpoint R77.10 VS.  The policy upgrade process and software upgrade process went with zero errors.  When we tried to push the policy to the firewalls, it would fail.  The errors, during a debug, were ambiguous at best.

What was the eventual issue?  CIFS Resources with greater then 25 file shares.  It seems the IPS in R77 has a hard limit of 25 shares in CIFS resources.  We use CIFS resources as an extra level of protection when 3rd Parties access our Windows File Shares.

Most of our CIFS resources had less then 25 file shares, so they needed no change.  But, a single 3rd party accessed quite a few shares.  So, the revert back to a straight CIFS service group on these rules and removal of the CIFS resource in the firewall policy allowed a successful push of the policy to the gateway.

NOTE TO SELF: Keep that one in your back pocket.

Checkpoint Firewall: SecureXL and PPPoE do not play well

I recently had to upgrade an R70 Checkpoint firewall to R77.10.  Due to a variety of issues, this required a nuke and rebuild of the firewall via USB key to upgrade to R77.10.

The upgrade went fine, but during testing the firewall passed no traffic. This was an unusual config, the internet service was a PPPoE connection.

After a fair amount of troubleshooting went into this problem.  It wasn’t until a fw ctl zdebug -m fw + drop  command was run that the problem become obvious.  The following error was displayed:

;[fw4_0];fw_log_drop_ex: Packet proto=6 159.7.34.61:10002 -> 126.246.75.211:80 dropped by cphwd_offload_conn Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed;

A quick look on Checkpoint’s Support Site gave us Solution ID: sk79880.

SYMPTOMS

Kernel debug shows (fw ctl zdebug -m fw + drop) that traffic is dropped:

‘… is dropped by cphwd_offload_conn Reason: VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed’

CAUSE

No fix is required; the system is functioning as designed.

SecureXL does not support Point-to-Point interfaces (PPP, PPTP, PPPoE). In case a PPP-interface is detected, SecureXL disables itself on that interface (hence the name ‘non-accelerated interface’).

Refer to the following note in any ‘Performance Pack Administration Guide’ (R65, R70, R71, R75, R75.20, R75.40, R75.40VS, R76):

Note: Performance Pack is automatically disabled on PPTP and PPPoE interfaces.

If a connection is detected, which flows through even one such non-accelerated interface, and this connection is NATed and/or sent over VPN, it will be dropped, because SecureXL is not able to handle it: because of NAT (Client Side or Server Side) and/or VPN, some connection parameters are not available – SecureXL is not able to determine how to pass such connection.

SOLUTION

Possible steps:

  1. Change the rulebase, so that the problematic connection is not sent through such non-accelerated interface(s).
  2. Disable NAT on the problematic connection.
  3. Change the rulebase, so that the problematic connection is not sent over VPN.
  4. Disable SecureXL completely (via ‘fwaccel off’ command and via ‘cpconfig’ menu).

We disabled SecureXL and had no problems since.

 

 

Preventing WordPress Brute Force Attacks with Fail2Ban

I have been experiencing a high number of brute force attacks on the admin pages of some of my WordPress blogs.  Generally, I don’t worry too much about this.  I utilize multiple levels of security controls to prevent access to the admin sites, but the increase in bandwidth and load on my system during these attacks was a concern and I wanted a clean way to prevent it from happening.

I looked into some type of WordPress Plugin to stop the attacks, but I soon realized it wouldn’t stop my main concern, the bandwidth and CPU load the attacks caused.  I wanted a reactive, IP address block against the offending systems.  I already used Fail2Ban for SSH, FTP and other types of brute force attacks.  Why can’t I used Fail2Ban for WordPress logins as well?

I did some searching and found the following web site that gave me the base for my filter and jail configs (Check that site for all the technical details, I won’t steal directly from him).  But, there were some problems that I had to customize to get it work for on my site.

First, the configs mentioned do not use my preferred method of blocking access, IPTABLES nor does it send an email when a IP is blocked. Second, my hosting server is using cPanel as a management system and it uses multiple access log files for all the different sites.

First Problem — Using IPTABLES and sending email alert
Here is the way I edited my /etc/fail2ban/jail.local file to support the changes I wanted to make.  The most important addition I have is the action line that lists iptables-multiport.  This blocks the IP at the TCP/IP level, never letting them touch the server again during the ban time.  In addition, I added the sendmail-whois line to the action to get the email out the door.   (Note, items in <> were removed by me to prevent private data from going public)

# Added for WordPress Brute Force
[apache-wp-login]

enabled = true
port = http,https
action = iptables-multiport[name=Wordpress, port=”http,https”, protocol=tcp]
sendmail-whois[name=Wordpress, dest=<email>, sender=fail2ban@<host>]
filter = apache-wp-login
logpath = /usr/local/apache/domlogs*/*.*
maxretry = 10
bantime = 86400
findtime = 120

Second Problem — Supporting cPanel multiple log files
As listed above, the logpath command is a tricky one.  Fail2Ban wants a direct path to the Apache access_log file.  Since I use cPanel and it splits out each host/site with it’s own log file, it was tough to set this up.  I could have manually entered each log file.  But, this would have required me to remember to add the log file in for each new host.  By using the logpath line item as listed, I was able to monitor all the log files in the directory, all the time.

logpath = /usr/local/apache/domlogs*/*.*

And that’s it!  I modified the maxretry and bantime (10 attempts and 24 hour ban time) to my preferred settings, restarted fail2ban and tested.  Success!

Fun with MAC Addresses and Crossbeam X80s

We had a fun little gotcha a few weeks ago while upgrading a Crossbeam X80 CPM from XOS 9.5.X to 9.6.6. As part of security controls we have in place in the perimeter, we implement MAC address filtering on the border switches. We implement very basic ACLs for the MAC addresses.

mac access-list extended mac_gi26
 permit host 0003.d2e0.0101 any
interface GigabitEthernet0/26
 switchport access vlan 901
 switchport mode access
 mac access-group mac_gi26 in
 spanning-tree portfast

So,  post upgrade to XOS 9.6.6 we lost access to many of our zones that previously worked.  After some digging around, we noted that the MAC addresses on the Crossbeam NPMs changed post upgrade.  This change was not noted in the Release Notes (at least I couldn’t find it).

The good news is that Crossbeam allows for the manual changing of MAC addresses on the X-Series Platform.  A simple change of the MAC address cleaned everything up.

[no] mac-addr <MAC_address>

IPSEC S2S VPN via AWS Openswan and Cisco IPSEC Router

I was asked to assist on setting up a Site-to-Site (S2S) VPN between an Amazon Web Service AC2 environment and a Cisco IPSEC router.  Instead of working on the customer’s production environment, I decided to setup my Cisco 2821 router as an IPSEC endpoint and try to do it from home.  There is a fair amount of instructions on the internet on how to do this.  But, it seems no matter what I tried, I wasn’t able to get it to work.  The biggest hurdle was the fact that my Cisco IPSEC router was behind a NATing firewall.  Please note, the IP addresses have been changed on my example to some randoms.

I relied heavily on this post titled CONNECTING TO A CISCO ASA VPN VIA AMAZON EC2/VPC to get the basis on how to do this.  It took me about two days to get everything the way I wanted it, so I’m going to tackle the instructions on my own as well.

Here is a quick and dirty diagram:

IPSEC-EC2

Start a Amazon VPC Instance

  1. Go to the VPC tab.
  2. I chose a Ubuntu 64 Bit AMD64 server, micro instance.
  3. Click Network & Security –> Elastic IPs
  4. Allocate New Address, associate the new address to the new micro instance.
  5. I didn’t setup the Amazon firewall initially.
  6. Test SSH into your instance, you should get a UNIX prompt.

Before you begin installing and configuring your Cisco device or Openswan, you need to gather some information:

EC2 Side

Private IP: 10.96.42.55
Elastic IP: 54.235.135.80

Home Side

Private Network: 1.1.1.0/24
Router Public IP: 192.168.1.5
Firewall Public IP: 71.162.211.111

Install and Configure Openswan

  • From the command prompt, run sudo apt-get install openswan openswan-doc ipsec-tools
  • Edit /etc/sysctl.conf:

net.ipv4.ip_forward = 1

  • Run sudo ipsec verify (note any issues)
  • Edit /etc/ipsec.conf

nat_traversal=yes

protostack=netkey

include /etc/ipsec.d/*.conf

  • Run sudo ipsec verify (all issues should be resolved or have N/A,WARNING)
  • Run sudo service ipsec restart

 

Edit /etc/ipsec.d/home.conf (new file)

conn home

left=%defaultroute
leftsubnet=10.96.42.55/32
leftid=54.235.135.80
right=71.162.211.111
rightid=192.168.1.5
rightsubnet=1.1.1.0/24
authby=secret
ike=3des-md5
esp=3des-md5
keyexchange=ike
auto=start

Edit /etc/ipsec.d/home.secrets (new file)

192.168.1.5 54.235.135.80 : PSK “cisco123”

 

Configure the Cisco Router

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco123 address 54.235.135.80
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-3des esp-md5-hmac
crypto map INTERNET-CRYPTO 11 ipsec-isakmp
 description Amazon EC2 instance
 set peer 54.235.135.80
 set transform-set AMAZON-TRANSFORM-SET
 match address 111
interface GigabitEthernet0/0
 ip address 192.168.1.5 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map INTERNET-CRYPTO
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
ip route 0.0.0.0 0.0.0.0 192.168.1.1
access-list 111 permit ip 1.1.1.0 0.0.0.255 host 10.96.42.55

 

Important Notes:

  • I setup my home router/firewall to create the 192.168.1.5 IP address as a DMZ.  This means that I didn’t need to setup any type of port forwarding or firewall rules, it was forwarding all traffic from my external IP address to the internal IP address.  Your mileage may vary.
  • Note the “right” and “rightid” calls in the home.conf file.  right=external IP at home, rightid=actual Cisco router IP. This is important.  Because I was behind a NATing firewall, these settings came into play.  IPSEC doesn’t play very well in NAT and even though I was using NAT-traversal, those settings were key.
  • This was just a simple IP to network test.  You’ll need to modify the ACLs as appropriate to access your devices.
  • I had a devil of a time matching the isakmp policies and transform-set settings on the Cisco with the Openswan.  Both platforms use different terms for the same thing.  Some commands to know and love:
    • Openswan — sudo ipsec auto –status
    • Openswan — sudo ipsec whack –status
    • Ubuntu Logs — /var/log/auth.log
    • Cisco — debug crypto isakmp
    • Cisco — debug crypto ipsec
    • Cisco — debug crypto isakmp error
    • Cisco — debug crypto ipsec error

 

 

Product Review — Logitech Harmony Touch

I’m a big fan of the Logitech Harmony product line.  Before purchasing the Touch, I already own the Harmony One Advanced Remote and the Harmony 620 Advanced Remote.

My Harmony 620 has been struggling lately.  The LCD screen completely died and the button have not been as responsive as they used to be.  So, I jumped on the Logitech web site to see what they had to offer.

The Harmony Touch was released on October 1, 2013 — just 10 days before my search.  But, at $250, it was a pricey clicker to say the least.  I thought about getting the Harmony One remote but at $200, it wasn’t much of a downgrade in price.  So, off to Newegg I went and bought a new Touch.

When the box arrived, it’s a behemoth.  You can see the packaging stealsa lot of queues from Apple’s.  The boxes are thick and sturdy. The directions are quick and to the point and the device is presented in a very simple plastic cradle.

I plugged the charging base into the wall (yay!  no more batteries) and let the remote charge overnight.  The next evening, I went to MyHarmony.com, installed the necessary software and plugged the remote into my laptop.

As a prior owner of Harmony remotes, I knew what to expect.  This was my first time using MyHarmony.com.  My previous two remotes used the thick Harmony software that installed on my laptop.  Both the MyHarmony site and the Harmony software are pretty straightforward   My biggest complaint with the software is that you could not use multiple remotes under a single login.  So, since I had two remotes, I had to remember two logins.  With the MyHarmony this limitation is removed.

Setting up my devices in MyHarmony is really easy.  You enter in the brand name and the model number of every device in use.  After the site knows all the devices that are in use, you setup all the Activities.  I have a fairly limited number of devices but they do some fairly complicated things.

Here is my hardware:

  • TV
  • Receiver
  • Cable Box
  • Remote Camera Receiver (we have a camera installed in my sons room so we can watch him)

Here are my activities:

  • Watch TV (TV, Receiver, Cable Box)
  • Listen to Music (TV, Receiver)
  • Watch my Son (TV, Receiver, Remote Camera)

MyHarmony goes through a very brief question and answer session for each activity and programs the remote for the activities   The Watching Music and Watching my Son activities presented some minor problems for the software as the settings to bring these actions to live are not default standard   But, since I have some known experience with my other two Harmony remotes, I was quickly able to customize my remote to do exactly what I want and programmed it without issues.

I’ve now been using the remote for about a week and there are things about it that I like and things that I don’t.

Things I like:

  • Size/Weight/Materials
    • My favorite part of my Harmony remotes is the design.  They have a dog-bone shape to them where your hands fits perfectly inside the thin part of the remote.  Your thumbs, for the most part, can reach all the import buttons with ease.  The Harmony Touch is similarly shaped to my previous remotes, with one big improvement.  It has a slightly grip material where your hand sits that really feels nice.
  • Touch Screen
    • The touch screen with the icons is very similar your SmartPhone screen.  It’s fast, responsive and very slick.  The Favorite icons you can setup make it very easy to jump from channel to channel.  This has shown to be a great benefit to my 3 year old son.  He knows what the channel icon is for Disney Junior and he just clicks and it’s on.  No numbers, no guide.
  • DVR Button
    • Finally, a DVR button.  Both other remotes did not have this and I was always too lazy to program one.  So, I ended up just clicking menu, and finding the DVR selection under there.

Things I don’t like:

  • Touch Screen Location
    • Yes, I said I liked the touch screen and I do.  The problem is the location.  It’s smack in the middle of the remote.  So, the common buttons like channels, volume, DVR, menu, Guide are at the buttom of the remote near your thumb. This is a great spot.  Right above these common buttons is the touch screen.  Above the touch screen and at the top of the remote is the Play/Pause/FF/RR buttons used for DVRs/DVDs.  So, everytime I want to skip commercials, pause the TV or play, I need to slide my hand to the top of the remote.  This was not the case with my other remotes and for me this is my biggest complaint.
  • Price
    • $250?  Are you shitting me?  I’m glad I have a nice wife.
  • No number pad
    • This isn’t 100% accurate.  There is a number pad, but it’s built into the touch screen.  So, it takes a click or two to bring it up.  I understand the need to consolidate and improve, but I miss my number pad.
  • No keyboard
    • My Vizio TV has lots of neat-o applets that run things like Twitter and Pandora.  They require input for the username and password only once and then they are saved.  Most of the time.  Every once in a while, my SmartTV decides to be dumb and forget everything I taught it.  I then need to input all my logins again, via it’s onscreen keyboard.  I usually end up digging out the Vizio remote which has a very slick slider keyboard built in.

Overall, it’s a nice remote.   It’s very snazzy, has a cool touch screen and the MyHarmony site is probably easy and workable for most situations.  Is it worth the price?  Nah, that’s a serious premium for a remote control.  Most folks that want a easy to use, functional remote would be perfectly happy with the $50-$100 device that Logitech makes.

Porsche Boxster Alternator Replacement

The alternator died on the Boxster so I decided to tackle this project myself.  I have never done a major repair to any of my cars, but figured I’d give the alternator replacement a try.  All of the articles on the internet and in my tech manual made it look pretty easy, so what the hell?

I decided to document the project via a video, so here it is:

Here are the links to the references:
http://bit.ly/oUWGHp
http://amzn.to/nfNmtg

PTY allocation request failed

My hosting provider, Razor Servers, recently moved hosted centers from the 401 North Broad St location in Philadelphia to a building right next door.  As part of my VM move to the new location, I was no longer able to SSH into the device.  I got this strange error about PTY allocation request failed.  In addition, the SPAMD process was not running on the box.  I tried to re-install SpamAssassin, I tried to re-install Exim and I even tried a complete upgrade of cPanel.  No go.  I thought the two might be related so a Googling I went…

After a good long while of Googling the problem, I found this site with my exact error message.  Via the web console, I checked to see if /dev/ptmx existed, it didn’t.  I ran the command as noted on the page:

sbin/MAKEDEV -d /dev ptmx

Restarted the ssh daemon:

service sshd restart

And, presto, I was able to SSH back into my box.  No idea why that file would disappear after a VM move, but it is all fixed now.

How to configure a Checkpoint UTM device without using the GUI

There is an annoying aspect of configuring a Checkpoint UTM appliance, you are forced to enter the web based GUI to do some basic config before using the command line interface (CLI) to complete the install.  If you try to use the CLI before using the GUI, you receive the following message:

Welcome to VPN-1 UTM Appliance

You can not use the ‘sysconfig’ and ‘cpconfig’ utilities until you successfully complete the First Time Wizard in the Administration web GUI.

Press Enter to continue…

If you run the following command, this message is not displayed and you can use the CLI for the full config:

  • SecurePlatform OS:
    /opt/spwm/conf/wizard_accepted
  • Gaia OS:
    /etc/.wizard_accepted

 

How to configure DNS NAT or DNS Doctoring on Checkpoint FW-1

In some topologies, it is required to DNS reply traffic from a DNS server so that the querying host will think that a certain DNS entry (example smtp.company.com) is resolvable to a different IP address than the one written in the database of the DNS server.

Procedure:
The feature has a global on/off switch, in the objects_5_.C file, called fw_dns_xlation (by default set to false). When it is set to true, the regular NAT Rule Base is used to determine how to change the DNS packets.
The regular NAT rules used to NAT the internal servers will suffice. There is no need to define special NAT rules in addition to the regular ones defined.

To enable the fw_dns_xlation property, perform on the SmartCenter server:

  1. Close all SmartConsole clients connected to the SmartCenter server.
  2. Open the GuiDBedit utility and and connect to the SmartCenter server.
  3. Find the fw_dns_xlation property.
  4. Change the value of this property to true. Click OK.
  5. Select File -> Save All.
  6. Open the SmartDashboard and re-install the Security Policy on the Security gateway.

From this point on, the Security gateway will NAT the DNS data, according to the NAT Rule Base.
You must also enable the DNS protocol protection for UDP in the IPS (formerly, SmartDefense). To enable this protection:

For the Security Gateway R70:

  1. Open the IPS tab in the SmartDashboard.
  2. Go to the Protections -> By Protocol -> Application Intelligence -> DNS view.
  3. Open the ‘DNS – General Settings’ Protection Details.
  4. Click Edit.
  5. Verify that either the ‘UDP only’ or ‘Both TCP and UDP’ checkbox is selected.

For all other versions:

  1. Open the SmartDefense tab in the SmartDashboard.
  2. Go to the Application Intelligence -> DNS -> Protocol Enforcement view.
  3. Verify that the ‘UDP protocol enforcement’ checkbox is selected.

Limitations:

  1. The manual rules for network objects or Automatic NAT Static rules for host objects must be used. This feature does not work with Automatic NAT Static rules of network objects.
  2. Traffic will be modified based on the destination address of the NAT rules without considering the source of the traffic.
  3. The feature does not work for a DNS zone transfer (used to synchronize DNS databases between to internal DNS servers).
  4. The feature does not work for DNS queries over TCP.
  5. The Security gateway must be between the querying host and the DNS server.
  6. On Security Gateway R70, DNS traffic cannot be accelerated when using this feature.

Note:
If the “NAT for DNS payload” option is enabled and the “UDP DNS protocol enforcement” protection is disabled on at least one of SmartDefense/IPS profiles, the Security Policy installation will succeed but the following warning will appear:
“You enabled NAT on DNS payload, please make sure that DNS UDP protocol enforcement defense is enabled on the desired gateway.”