How To: Setup Cisco EtherChannel with ESX Server

In this post I will go through how to set up a Port-Channel on a Cisco Catalyst 3750G switch, and then configure that port-channel (EtherChannel) to work properly with ESXi Server version 5.5. In my environment it took much, much longer to get this running, because I had to completely re-architect my network to work this way. But if you’re building an environment from scratch, this should be pretty easy to do.

I’ve verified that this config will also work with other Catalyst switches (2960, 3500, 3700, 4500, and 6500 series). This configuration will NOT work with Cisco Nexus switches, because the Nexus switches have different command-line parameters than their Catalyst cousins.

So, let’s get going here.

I’m going to start by configuring a Port-Channel on my Catalyst switch.

interface Port-channel2
description Port Channel interface to DL380 Server
switchport trunk encapsulation dot1q
switchport mode trunk


After you create your port channel, you need to add switch ports to that port-channel. See below, as I add 8 ports to this port-channel.

interface GigabitEthernet4/0/11
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/12
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/14
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/15
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/21
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/22
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/23
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/24
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on
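A port that is added to a channel-group with switchport settings that differ from the Port-channel interface (for example one member left in access mode, or one member using an LACP mode while the others use `mode on`) is suspended from the bundle and silently reduces your eight-way path. The following script is an added example and is not code from the original post: it parses a running-config in the layout shown above and reports any member whose `switchport` lines differ from the Port-channel's, plus the set of channel-group modes seen. The config text is constructed for the example; the interface names and the deliberate mismatches on Gi4/0/14 and Gi4/0/15 are assumptions.

```python
"""Consistency check for Catalyst channel-group members (added example).

Ports whose switchport settings differ from their Port-channel interface are
suspended from the bundle, so verify the running-config before cabling.
"""
import re
from collections import defaultdict

# Constructed sample running-config in IOS layout. Gi4/0/14 uses an LACP
# mode while the rest use 'on', and Gi4/0/15 is left in access mode, to
# show what the check reports. Names and values are assumptions.
SAMPLE_CONFIG = """\
interface Port-channel2
 description Port Channel interface to DL380 Server
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet4/0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet4/0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet4/0/15
 switchport mode access
 channel-group 2 mode on
!
"""

# Only these lines must be identical across a bundle; description and the
# channel-group line itself are ignored.
TRACKED_PREFIXES = ("switchport",)


def parse_interfaces(config):
    """Return {interface_name: [config lines]} from an IOS-style config.

    A block starts at 'interface X' and ends at '!' or a blank line, so both
    indented and unindented pastes are accepted.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def tracked_settings(lines):
    """The subset of an interface's lines that must match across the bundle."""
    return frozenset(l for l in lines if l.startswith(TRACKED_PREFIXES))


def check_channel_groups(config):
    """Return {group: {port_channel, members, modes, mismatched}}."""
    interfaces = parse_interfaces(config)
    groups = defaultdict(lambda: {"port_channel": None, "members": {}, "modes": set()})

    for name, lines in interfaces.items():
        po = re.fullmatch(r"Port-channel(\d+)", name)
        if po:
            groups[int(po.group(1))]["port_channel"] = name
            continue
        for line in lines:
            cg = re.fullmatch(r"channel-group (\d+) mode (\S+)", line)
            if cg:
                group = groups[int(cg.group(1))]
                group["members"][name] = tracked_settings(lines)
                group["modes"].add(cg.group(2))

    report = {}
    for group_id, group in groups.items():
        po_name = group["port_channel"]
        expected = tracked_settings(interfaces[po_name]) if po_name else None
        mismatched = sorted(
            member for member, settings in group["members"].items()
            if expected is None or settings != expected
        )
        report[group_id] = {
            "port_channel": po_name,
            "members": sorted(group["members"]),
            "modes": sorted(group["modes"]),   # more than one entry is itself a problem
            "mismatched": mismatched,
        }
    return report


if __name__ == "__main__":
    for group_id, info in check_channel_groups(SAMPLE_CONFIG).items():
        print(f"channel-group {group_id} -> {info['port_channel']}")
        print(f"  members:    {', '.join(info['members'])}")
        print(f"  modes seen: {', '.join(info['modes'])}")
        print(f"  mismatched: {', '.join(info['mismatched']) or 'none'}")
```

Run it against `show running-config` output saved to a file; anything listed under "mismatched", or more than one mode under "modes seen", needs fixing before the port will bundle.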


From here I need to mirror the same VLANs that the ESXi server will have on it. So, let’s create 5 VLANs to start. We can add more at any time.

interface Vlan1
no ip address
!
interface Vlan10
description Outside zone between pfSense and ASA
no ip address
 
interface Vlan20
description Inside network
ip address 192.168.1.2 255.255.255.0

interface Vlan30
description Front DMZ for direct connections from the Internet
no ip address

interface Vlan40
description Back DMZ -- Tiered DMZ for server systems
no ip address

interface Vlan50
description Wireless network
no ip address


Now that the Cisco Catalyst switch is configured, let’s log into ESXi vSphere Client and configure the server to communicate with our switch.


I actually just bought a new quad port network adapter off of eBay just for this project. So after I installed it in my HP DL 380 G6 Server, I went in to verify that the card worked. And from this screenshot, it looks like it is working just fine.

[Screenshot: esxi-1]


Now go over to the “Networking” section. You can see I already have multiple vSwitches defined for the other 4-port network card that was already installed in the server. My plan is for all eight of my network adapters to be part of one port-channel. This will maximize the throughput and bandwidth to and from the server, as well as provide a reliable eight-way path to my core switch. The only downside is that my core switch is now my single point of failure on the network. I recommend that if you’re going to do this in your environment, you have an identical switch and a full backup of the configuration on your primary switch, so that you can swap it in if the primary fails.

[Screenshot: esxi-2]


From here, click on “Add Networking…”

[Screenshot: esxi-3]


You need to select “VMkernel” here. You’ll use the “Virtual Machine” connection type later. For now, select VMkernel, then click “Next”:

[Screenshot: esxi-4]


Select the network adapters you want to participate in the port channel, then click “Next”:

[Screenshot: esxi-5]


Since this is a Port-Channel, or Etherchannel, you want this to trunk all of your VLANs from the Cisco Catalyst switch to your ESXi server. Make it easy and name this “Port-Channel” and allow all VLANs to traverse the link, then click “Next”:

[Screenshot: esxi-6]


You’ll want to enable management on this, so give it an IP address on your Internal network. Please, for the love of all that is right and just, do NOT open up management access to the Internet or any of your DMZs!

[Screenshot: esxi-7]


Verify your settings on the “Summary” screen, then click “Finish” to continue.

[Screenshot: esxi-8]


After you create your switch, you’ll see it appear in the “Networking” screen of your vSphere client. You’ll see that I haven’t attached network cables yet, which is why all my adapters are showing as “Down” with the red “X” next to each physical adapter.

Go ahead and click on “Properties…” to continue.

[Screenshot: esxi-9]


Make sure your vSwitch is highlighted in the left column, then click, “Edit…”

[Screenshot: esxi-10]


In the vSwitch Properties window, make sure the load balancing policy is set to “Route based on IP Hash”, then click OK.

[Screenshot: esxi-11]


Now you can add in all your VLANs that will live on this vSwitch. So click on “Add Networking…” to continue:

[Screenshot: esxi-3]


Here is where you’re going to use the “Virtual Machine” connection type. Click Next to continue.

[Screenshot: esxi-12]


We’re going to bind this VLAN to the new switch we created. So select the vSwitch you created earlier in this process, then click “Next” to continue.

[Screenshot: esxi-13]


Here, I will create a Business-to-Business VLAN, and tag all traffic in this VLAN with VLAN ID 75. Then click “Next” to continue.

[Screenshot: esxi-14]


Verify your changes in the “Summary” screen, then click “Finish” to continue.

[Screenshot: esxi-15]


After you create all of your VLANs and add your virtual machines to each network you desire, your end result will look like this:

[Screenshot: esxi-16]



If you have any questions, please feel free to contact me at any time!



AT&T u-Verse Static IP work around with pfSense

First off, I’d like to give AT&T an honorable mention (sarcasm) for using the fucking worst, P.O.S. garbage DSL modems on the planet: 2WIRE. These things are ridiculous. You’d think that if a provider was able to route a /28 subnet to your home or business, they’d be able to properly manage that subnet through their “firewall,” or whatever you want to call it. The way this normally works is by routing a network range to your device. But AT&T and 2WIRE ensure that every public static IP address you have must have a unique MAC address and must look like a different device altogether. This is asinine.

So, with the help of my business partner, we’ve come up with a solution for getting a set of static IP addresses to work so that you can host services on AT&T u-Verse. We accomplished this using a free, open source operating system named “pfSense”. I’m sure there are other systems we could have used, or we could have just done it in Linux, but pfSense is really robust and has a nice interface. So that’s what we went with.

Additionally, I’m sure not everyone and their mother has an HP DL380 running in their basement, but… welcome to the Erdmanor. I have a DL380 in my basement. So what we’ve done is virtualized the firewall: we’re running pfSense in a virtual machine on the DL380, which is running ESXi 5.5. I know ESXi 6.0 has been out for a few months now, but to be honest, I’m just too damn lazy to upgrade my box.

Anyway, here’s how we configured the virtual firewall. In ESX, we provisioned the VM with 8 network adapters, a 10GB HDD, 2GB RAM, and 1 virtual CPU. From there we gave the VM access to the three different network segments (DMZ, Internal, Outside) and created the matching interfaces within pfSense. Then we programmed the AT&T gateway to use the external addresses they provided, making sure that the proper interfaces and MAC addresses lined up between the ESX server, the AT&T gateway and the pfSense console. Also, in the AT&T gateway, we set the system to DMZplus Mode, which you can read about in the screenshot below.

[Screenshot: pfSense1]

[Screenshot: pfSense2]

[Screenshot: pfSense3]

[Screenshot: att-config0]

[Screenshot: att-config1]

[Screenshot: att-config2]

[Screenshot: att-config3]



Now that our AT&T gateway is properly forwarding External IP traffic to the proper interfaces on our pfSense firewall, we can go through and create all the inbound NATs, firewall rules and network security that we wish to have.

If you have any further questions on how to set this up, just ask!

Thanks!






Setting up Etherchannel between Cisco ASA and Cisco Switch

I’ve recently had the need to re-architect my network in order to gain more functionality, scalability and security. I’ve written in past blogs on how important it is to have network security built into your network, and how important it is to have a properly segmented network. Here I’m going to show you how easy that is to do, and show you why every business should be doing this to some extent.

So let’s get going here. First off, if you have an ASA that is already being used in a production environment, you’re going to have to schedule some downtime. In order to set up EtherChannel on the ASA, your ports need to have no configuration on them. In my case, I’m setting up a quad-port EtherChannel, so I need all my ports wiped clean.

erdmanor-5510# sh run int
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
erdmanor-5510#
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.1.2     YES manual up                    up  
erdmanor-5510#


Now that we have a clean configuration, let’s set up the port-channel.

erdmanor-5510(config)# int port-channel 1
erdmanor-5510(config-if)#
erdmanor-5510(config-if)# no nameif
erdmanor-5510(config-if)# no security-level
erdmanor-5510(config-if)# no ip address
erdmanor-5510(config-if)#


Now that we have a port-channel created, we need to assign which interfaces are going to take part in that port-channel.

erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int Ethernet0/0
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/0.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/1        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/1.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/2        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/2.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)# int Ethernet0/3        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/3.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)#


Now we need to get our switch configured. We’ll basically be doing the same thing on the switch that we just did on the ASA. You’ll notice the syntax on the ASA is just a bit different from the switch’s, but Cisco kept the two close.

Let’s start with creating our port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int port-channel 1
Erdmanor3750G(config-if)#    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switch mode trunk
Erdmanor3750G(config-if)#


Now we can get our Ethernet ports into the port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/1
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/2              
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA                
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/3        
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/4      
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA      
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#


Now that the port-channel is up and running, we need to establish what VLANs are going to traverse this link. The way that Cisco ASAs interpret VLANs is a bit different than the way Catalyst Switches interpret VLANs, at least for the configuration of them. In a Cisco ASA, for every VLAN that you want, you create a sub-interface. For The Catalyst Switch,

erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.10
erdmanor-5510(config-subif)# vlan 10
erdmanor-5510(config-subif)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 172.98.17.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.20                
erdmanor-5510(config-subif)# vlan 20                            
erdmanor-5510(config-subif)# nameif Inside                      
INFO: Security level for "Inside" set to 100 by default.
erdmanor-5510(config-subif)# ip address 192.168.100.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.30                
erdmanor-5510(config-subif)# vlan 30                              
erdmanor-5510(config-subif)# nameif FrontDMZ                      
INFO: Security level for "FrontDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.121.23.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.40                
erdmanor-5510(config-subif)# vlan 40                              
erdmanor-5510(config-subif)# nameif BackDMZ                      
INFO: Security level for "BackDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.156.183.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.50                
erdmanor-5510(config-subif)# vlan 50                              
erdmanor-5510(config-subif)# nameif Wireless                      
INFO: Security level for "Wireless" set to 0 by default.
erdmanor-5510(config-subif)# security-level 50
erdmanor-5510(config-subif)# ip address 172.21.49.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#



From here we just need to create some VLANs on the switch and then we can finalize the configuration on the ASA.

Erdmanor3750G#
Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#vlan 10
Erdmanor3750G(config-vlan)#no shut
%VLAN 10 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 20
Erdmanor3750G(config-vlan)#no shut
%VLAN 20 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 30
Erdmanor3750G(config-vlan)#no shut
%VLAN 30 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 40
Erdmanor3750G(config-vlan)#no shut
%VLAN 40 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 50
Erdmanor3750G(config-vlan)#no shut
%VLAN 50 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#interface vlan 10
Erdmanor3750G(config-if)#description Outside zone between pfSense and ASA
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 20                              
Erdmanor3750G(config-if)#description Inside network                      
Erdmanor3750G(config-if)#no shut                  
Erdmanor3750G(config-if)#exit                      
Erdmanor3750G(config)#interface vlan 30        
Erdmanor3750G(config-if)#description Front DMZ for direct connections from the Internet
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 40                                            
Erdmanor3750G(config-if)#description Back DMZ -- Tiered DMZ for server systems
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 50                                    
Erdmanor3750G(config-if)#description Wireless network                
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#



So this is what my interface list looks like in the running config now:

interface Ethernet0/0
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 channel-group 1 mode on
 no nameif    
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.10
 vlan 10
 nameif Outside
 security-level 0
 ip address 172.98.17.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Port-channel1.30
 vlan 30
 nameif FrontDMZ
 security-level 0
 ip address 10.121.23.1 255.255.255.0
!
interface Port-channel1.40
 vlan 40
 nameif BackDMZ
 security-level 0
 ip address 10.156.183.1 255.255.255.0
!
interface Port-channel1.50
 vlan 50      
 nameif Wireless
 security-level 50
 ip address 172.21.49.1 255.255.255.0
!



And now a look at my switch port configuration:

!
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/2
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/3
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/4
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
!
interface Vlan10
 description Outside zone between pfSense and ASA
 no ip address
!
interface Vlan20
 description Inside network
 no ip address
!
interface Vlan30
 description Front DMZ for direct connections from the Internet
 no ip address
!
interface Vlan40
 description Back DMZ -- Tiered DMZ for server systems
 no ip address
!
interface Vlan50
 description Wireless network
 no ip address


Erdmanor3750G#
Erdmanor3750G#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.3     YES manual up                    up      
Vlan10                 unassigned      YES unset  up                    up      
Vlan20                 unassigned      YES unset  up                    up      
Vlan30                 unassigned      YES unset  up                    up      
Vlan40                 unassigned      YES unset  up                    up  
GigabitEthernet4/0/1   unassigned      YES unset  up                    up      
GigabitEthernet4/0/2   unassigned      YES unset  up                    up      
GigabitEthernet4/0/3   unassigned      YES unset  up                    up      
GigabitEthernet4/0/4   unassigned      YES unset  up                    up      
...  
Port-channel1          unassigned      YES unset  up                    up



Fantastic. Let’s check to see that the ASA is showing the port-channel working.

erdmanor-5510# sh port-channel detail
        Channel-group listing:
        -----------------------

Group: 1
----------
Span-cluster port-channel: No
Ports: 4   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip
        Ports in the group:
        -------------------
Port: Et0/0
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/1
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/2
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/3
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

erdmanor-5510# sh port-channel sum    
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)             -            No     Et0/0(P)   Et0/1(P)   Et0/2(P)   Et0/3(P)  
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.86.2    YES manual up                    up  
Port-channel1              unassigned      YES unset  up                    up  
Port-channel1.10           172.98.17.1     YES manual up                    up  
Port-channel1.20           192.168.100.1   YES manual up                    up  
Port-channel1.30           10.121.23.1     YES manual up                    up  
Port-channel1.40           10.156.183.1    YES manual up                    up  
Port-channel1.50           172.21.49.1     YES manual up                    up  
erdmanor-5510#



And now to check the port channel on the Catalyst switch:

Erdmanor3750G#sh etherchannel detail
        Channel-group listing:
        ----------------------

Group: 1
----------
Group state = L2
Ports: 4   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -
        Ports in the group:
        -------------------
Port: Gi4/0/1
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:45s

Port: Gi4/0/2
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:16s

Port: Gi4/0/3
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:04s

Port: Gi4/0/4
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:23m:53s

        Port-channels in the group:
        ---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 0d:00h:33m:13s
Logical slot/port   = 10/1          Number of ports = 4
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =    -

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi4/0/1  On                 0
  0     00     Gi4/0/2  On                 0
  0     00     Gi4/0/3  On                 0
  0     00     Gi4/0/4  On                 0

Time since last port bundled:    0d:00h:23m:53s    Gi4/0/4

Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#sh etherchannel sum  
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi4/0/1(P)  Gi4/0/2(P)  Gi4/0/3(P)  
                                 Gi4/0/4(P)  

Erdmanor3750G#
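The two summary commands above (`sh port-channel sum` on the ASA and `sh etherchannel sum` on the Catalyst) are the quickest way to confirm the bundle from both ends, and they are also the ones worth checking automatically after any change to a member port. The script below is an added example, not code from the original post: it parses both output layouts, including the Catalyst's wrapped member list, and calls a group healthy only when the Po is in use (flag `U`) and every member shows `P`. The Catalyst sample is copied from the layout above; the ASA sample is constructed with one member marked suspended (`s`) to show how a degraded bundle reads.

```python
"""Health check over 'show etherchannel summary' / 'show port-channel summary'
output (added example). Works on the ASA and Catalyst layouts as pasted.
"""
import re

# A 'Name(FLAGS)' token, e.g. Po1(SU), Gi4/0/4(P), Et0/2(s).
TOKEN = re.compile(r"([A-Za-z][\w/\-.]*)\((\w+)\)")

# Catalyst layout: the member list wraps onto an indented continuation line.
CATALYST_OK = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi4/0/1(P)  Gi4/0/2(P)  Gi4/0/3(P)
                                 Gi4/0/4(P)
"""

# Constructed ASA layout with Et0/2 suspended (flag s) to show a failure.
ASA_DEGRADED = """\
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)             -            No     Et0/0(P)   Et0/1(P)   Et0/2(s)   Et0/3(P)
"""


def parse_summary(output):
    """Return {group: {'po': name, 'po_flags': flags, 'members': {port: flags}}}."""
    groups = {}
    current = None
    for line in output.splitlines():
        if not line.strip() or line.startswith(("Group", "---", "Flags", "Number")):
            continue
        tokens = TOKEN.findall(line)
        if not tokens:
            continue
        if line[0].isdigit():
            # New group row: first token is the port-channel itself.
            group = int(line.split()[0])
            po_name, po_flags = tokens[0]
            current = groups[group] = {"po": po_name, "po_flags": po_flags, "members": {}}
            tokens = tokens[1:]
        if current is None:
            continue  # a member token before any group row; ignore it
        for port, flags in tokens:
            current["members"][port] = flags
    return groups


def bundle_problems(group_info):
    """List readable problems for one group; an empty list means healthy."""
    problems = []
    po, po_flags = group_info["po"], group_info["po_flags"]
    if "D" in po_flags:
        problems.append(f"{po} is down (flags {po_flags})")
    elif "U" not in po_flags:
        problems.append(f"{po} not in use (flags {po_flags})")
    for port, flags in group_info["members"].items():
        if "P" not in flags:
            problems.append(f"{port} not bundled (flags {flags})")
    return problems


def healthy(output):
    """True when the output contains at least one group and all are fully bundled."""
    groups = parse_summary(output)
    return bool(groups) and all(not bundle_problems(g) for g in groups.values())


if __name__ == "__main__":
    for label, text in (("catalyst", CATALYST_OK), ("asa", ASA_DEGRADED)):
        for group, info in parse_summary(text).items():
            issues = bundle_problems(info) or ["healthy"]
            print(f"{label} group {group} ({info['po']}): {'; '.join(issues)}")
```

Feed it the raw command output from either box; a non-empty problem list is the thing to alert on, since a single suspended member is easy to miss when the Po itself still reports `U`.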



Now, moving forward, please remember that you MUST specify the VLAN each switch port will be in, otherwise you’re going to have communication issues. The Catalyst switches do NOT auto-sense what VLAN your port is in. So you need to specify the VLAN on both the Cisco ASA and the switch, like this:

Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#
Erdmanor3750G(config)#vlan 60
Erdmanor3750G(config-vlan)#no shut
%VLAN 60 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#interface Vlan60
Erdmanor3750G(config-if)#description ATT Outside Public 108.227.33.120/28 Network
Erdmanor3750G(config-if)#no ip address
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#int GigabitEthernet4/0/19
Erdmanor3750G(config-if)#switchport access vlan 60
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#


Now create the VLAN (sub-interface) on the ASA, like this:

erdmanor-5510# conf t
erdmanor-5510(config)# interface Port-channel1.60
erdmanor-5510(config-subif)# vlan 60
erdmanor-5510(config-subif)# nameif ATTOutside
INFO: Security level for "ATTOutside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 108.227.33.121 255.255.255.248
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)# exit
erdmanor-5510#


Now that we have the VLANs and port-channel created, we need to ensure that our firewall rulebase is set up properly.

NOTE: I am just showing you how to set this up. It is up to YOU to be a smart network admin and lock down these VLANs with the proper rules!!!

From here, create your basic ACLs and lock them down tightly. Make sure that you tie your access-list to an interface too! I personally like to write all my ACLs from the point of view of the requester or client machine on a network. So what I do is write the ACL as if you’re going into a garden hose: the garden hose is the interface that traffic will be going to. Basically, you’re writing the rules that will be enforced as close as possible to the end point.

erdmanor-5510(config)# access-list backdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list frontdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list inside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list outside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list wireless-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)#
erdmanor-5510(config)# access-group outside-traffic-in in interface Outside
erdmanor-5510(config)# access-group inside-traffic-in in interface Inside
erdmanor-5510(config)# access-group frontdmz-traffic-in in interface FrontDMZ
erdmanor-5510(config)# access-group backdmz-traffic-in in interface BackDMZ
erdmanor-5510(config)# access-group wireless-traffic-in in interface Wireless
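The five lists above are placeholders that permit everything, which is exactly what the NOTE warns against. As an added example (not part of the original post), here is a small Python audit that reads ASA access-list and access-group lines and flags permit rules whose source and destination are both any/any4/any6, lists that are bound to an interface but never defined, and lists that are defined but never bound. The sample config is constructed from the post’s lines plus an invented tightened list (wireless-locked) and an invented dangling binding (guest-traffic-in on an assumed interface Guest).

```python
"""Audit Cisco ASA access-list / access-group lines for wide-open rules.

Added example, not part of the original post. Names, interfaces and
addresses in SAMPLE_CONFIG are constructed.
"""
from dataclasses import dataclass

ANY = {"any", "any4", "any6"}
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}   # tokens consumed

# Constructed sample: the permit-everything lists from the post, plus one
# tightened list (wireless-locked) and one dangling binding (guest-traffic-in).
SAMPLE_CONFIG = """\
access-list backdmz-traffic-in extended permit ip any4 any4 log
access-list frontdmz-traffic-in extended permit ip any4 any4 log
access-list inside-traffic-in extended permit ip any4 any4 log
access-list outside-traffic-in extended permit ip any4 any4 log
access-list wireless-traffic-in extended permit ip any4 any4 log
access-list wireless-locked extended permit tcp 10.10.60.0 255.255.255.0 any4 eq 443 log
access-list wireless-locked extended deny ip any4 any4 log
access-group outside-traffic-in in interface Outside
access-group inside-traffic-in in interface Inside
access-group frontdmz-traffic-in in interface FrontDMZ
access-group backdmz-traffic-in in interface BackDMZ
access-group wireless-traffic-in in interface Wireless
access-group guest-traffic-in in interface Guest
"""


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    options: str


def _take_endpoint(tok, i):
    """Consume one source/destination specifier (plus an optional port operator)."""
    if i >= len(tok):
        return "", i
    j = i + 1 if tok[i] in ANY else i + 2   # 'any4', or keyword/address + argument/mask
    if j < len(tok) and tok[j] in PORT_OPS:  # e.g. 'eq 443' or 'range 1 1024'
        j += PORT_OPS[tok[j]]
    return " ".join(tok[i:j]), j


def _is_any(spec):
    return bool(spec) and spec.split()[0] in ANY


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [options]'."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    src, i = _take_endpoint(tok, 5)
    dst, i = _take_endpoint(tok, i)
    return Ace(tok[1], tok[3], tok[4], src, dst, " ".join(tok[i:]))


def audit(config_text):
    """Return (severity, message) findings for the given ASA config text."""
    aces, bound, defined = [], {}, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("access-group "):
            t = line.split()            # access-group NAME in|out interface IFACE
            bound[t[1]] = t[-1]
            continue
        ace = parse_ace(line)
        if ace:
            aces.append(ace)
            defined.add(ace.acl)
    findings = []
    for ace in aces:
        if ace.action == "permit" and _is_any(ace.src) and _is_any(ace.dst):
            findings.append(("HIGH", f"{ace.acl}: permits {ace.proto} from any to any"))
    for name, iface in bound.items():
        if name not in defined:
            findings.append(("HIGH", f"{name}: bound to {iface} but not defined here"))
    for name in sorted(defined - set(bound)):
        findings.append(("INFO", f"{name}: defined but not bound to any interface"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Feed it the output of `show running-config access-list` and `show running-config access-group`; every HIGH finding is a list to rewrite before the rulebase goes live.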


Now we’re all done! Please contact me with any questions or concerns (or if you found that I screwed this up at all!). Thanks for reading!


Creating a basic monitoring server for network devices

I’ve recently been working more and more with network device management. So, to help with up-time monitoring, interface statistics, bandwidth utilization, and alerting, I’ve been building up a server with some great Open Source tools. My clients love it because it costs virtually nothing to run these machines, and it helps keep the network running smoothly when we know what is going on within the network.

One thing I haven’t been able to do yet is SYSLOG monitoring with the ability to generate email alerts off of specific SYSLOG messages. That’s in the works, and I’ll be adding that information into this blog as soon as I get it up and running properly.

I am using Debian 7.6 for this operating system, mainly because it’s very stable, very small, and doesn’t update as frequently (making it easier to manage). You can follow a basic install of this OS from here: Debian Minimal Install. That will get you up and running and we’ll take it from there.

Okay, now that you have an OS running, go ahead and open up a command prompt and log in as your user account or “root”. Then run “sudo su”.

Now we will update apt:

apt-get update


From here, let’s get LAMP installed and running so our web services will run properly.

apt-get install apache2
apt-get install mysql-server
apt-get install php5 php-pear php5-mysql


Now that we have that all set up, let’s secure MySQL a bit:

mysql_secure_installation


When you run through this, make sure to answer these questions:

root@testmonitor:/root# mysql_secure_installation




NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!


In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] n
 ... skipping.

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
ERROR 1008 (HY000) at line 1: Can't drop database 'test'; database doesn't exist
 ... Failed!  Not critical, keep moving...
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...



All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!


Let’s test the server and make sure it’s working properly. Using nano, edit the file “info.php” in the “www” directory:

nano /var/www/info.php


Add in the following lines:

<?php
phpinfo();
?>


Now, open a web browser and type in the server’s IP address and the info page:

http://192.168.0.101/info.php


Now let’s get Cacti installed.

apt-get install cacti cacti-spine

Make sure to let the installer know that you’re using Apache2 as your HTTP server.

Also, you’ll need to let the installer “Configure database for cacti with dbconfig-common”. Say yes!

After apt is done installing your software, you’ll have to finish the install from a web browser.

http://192.168.0.101/cacti/install/


After answering a couple of very easy questions, you’ll be finished and presented with a login screen.

The default credentials for cacti are “admin:admin”

From there you can log in and start populating your server with all the devices that you want to monitor. It’s that easy.


Now, let’s get Nagios installed. Again, it’s really easy. I just install everything nagios (don’t forget the asterisk after nagios):

apt-get install nagios*

This is what it will look like:

root@debiantest:/root# apt-get install nagios*
Reading package lists... Done
Building dependency tree      
Reading state information... Done
Note, selecting 'nagios-nrpe-plugin' for regex 'nagios*'
Note, selecting 'nagios-nrpe-doc' for regex 'nagios*'
Note, selecting 'nagios-plugins-basic' for regex 'nagios*'
Note, selecting 'check-mk-config-nagios3' for regex 'nagios*'
Note, selecting 'nagios2' for regex 'nagios*'
Note, selecting 'nagios3' for regex 'nagios*'
Note, selecting 'nagios-snmp-plugins' for regex 'nagios*'
Note, selecting 'uwsgi-plugin-nagios' for regex 'nagios*'
Note, selecting 'ndoutils-nagios3-mysql' for regex 'nagios*'
Note, selecting 'nagios-plugins' for regex 'nagios*'
Note, selecting 'gosa-plugin-nagios-schema' for regex 'nagios*'
Note, selecting 'nagios-nrpe-server' for regex 'nagios*'
Note, selecting 'nagios-plugin-check-multi' for regex 'nagios*'
Note, selecting 'nagios-plugins-openstack' for regex 'nagios*'
Note, selecting 'libnagios-plugin-perl' for regex 'nagios*'
Note, selecting 'nagios-images' for regex 'nagios*'
Note, selecting 'pnp4nagios-bin' for regex 'nagios*'
Note, selecting 'nagios3-core' for regex 'nagios*'
Note, selecting 'libnagios-object-perl' for regex 'nagios*'
Note, selecting 'nagios-plugins-common' for regex 'nagios*'
Note, selecting 'nagiosgrapher' for regex 'nagios*'
Note, selecting 'nagios' for regex 'nagios*'
Note, selecting 'nagios3-dbg' for regex 'nagios*'
Note, selecting 'nagios3-cgi' for regex 'nagios*'
Note, selecting 'nagios3-common' for regex 'nagios*'
Note, selecting 'nagios3-doc' for regex 'nagios*'
Note, selecting 'pnp4nagios' for regex 'nagios*'
Note, selecting 'pnp4nagios-web' for regex 'nagios*'
Note, selecting 'ndoutils-nagios2-mysql' for regex 'nagios*'
Note, selecting 'nagios-plugins-contrib' for regex 'nagios*'
Note, selecting 'ndoutils-nagios3' for regex 'nagios*'
Note, selecting 'nagios-plugins-standard' for regex 'nagios*'
Note, selecting 'gosa-plugin-nagios' for regex 'nagios*'
The following extra packages will be installed:
  autopoint dbus fonts-droid fonts-liberation fping freeipmi-common freeipmi-tools gettext ghostscript git git-man gosa gsfonts imagemagick-common libavahi-client3 libavahi-common-data libavahi-common3 libc-client2007e
  libcalendar-simple-perl libclass-accessor-perl libclass-load-perl libclass-singleton-perl libconfig-tiny-perl libcroco3 libcrypt-smbhash-perl libcups2 libcupsimage2 libcurl3 libcurl3-gnutls libdata-optlist-perl libdate-manip-perl
  libdatetime-locale-perl libdatetime-perl libdatetime-timezone-perl libdbus-1-3 libdigest-hmac-perl libdigest-md4-perl libencode-locale-perl liberror-perl libfile-listing-perl libfont-afm-perl libfpdf-tpl-php libfpdi-php
  libfreeipmi12 libgd-gd2-perl libgd2-xpm libgettextpo0 libgomp1 libgs9 libgs9-common libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl
  libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libice6 libijs-0.35 libio-pty-perl libio-socket-ip-perl libio-socket-ssl-perl libipc-run-perl libipmiconsole2 libipmidetect0 libjansson4 libjasper1 libjbig0 libjbig2dec0
  libjpeg8 libjs-jquery-ui libkohana2-php liblcms2-2 liblist-moreutils-perl liblqr-1-0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl liblwp-useragent-determined-perl libmagickcore5 libmagickwand5 libmail-imapclient-perl
  libmailtools-perl libmath-calc-units-perl libmath-round-perl libmcrypt4 libmemcached10 libmodule-implementation-perl libmodule-runtime-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-libidn-perl libnet-smtp-tls-perl
  libnet-snmp-perl libnet-ssleay-perl libodbc1 libpackage-deprecationmanager-perl libpackage-stash-perl libpackage-stash-xs-perl libpaper-utils libpaper1 libparams-classify-perl libparams-util-perl libparams-validate-perl
  libparse-recdescent-perl libpgm-5.1-0 libpq5 libradiusclient-ng2 libreadonly-perl libreadonly-xs-perl librecode0 librrds-perl librtmp0 libruby1.9.1 libslp1 libsm6 libsocket-perl libssh2-1 libsub-install-perl libsub-name-perl
  libsystemd-login0 libtalloc2 libtdb1 libtiff4 libtimedate-perl libtry-tiny-perl libunistring0 liburi-perl libwbclient0 libwww-perl libwww-robotrules-perl libxpm4 libxt6 libyaml-0-2 libyaml-syck-perl libzmq1 mlock ndoutils-common
  perlmagick php-fpdf php5-curl php5-gd php5-imagick php5-imap php5-ldap php5-mcrypt php5-recode poppler-data python-httplib2 python-keystoneclient python-pkg-resources python-prettytable qstat rsync ruby ruby1.9.1 samba-common
  samba-common-bin slapd smarty3 smbclient ttf-liberation uwsgi-core x11-common
Suggested packages:
  dbus-x11 freeipmi-ipmidetect freeipmi-bmc-watchdog gettext-doc ghostscript-cups ghostscript-x hpijs git-daemon-run git-daemon-sysvinit git-doc git-el git-arch git-cvs git-svn git-email git-gui gitk gitweb gosa-si-server
  cyrus21-imapd postfix-ldap gosa-schema php5-suhosin php-apc uw-mailutils cups-common libgd-tools libdata-dump-perl libjasper-runtime libjs-jquery-ui-docs libkohana2-modules-php liblcms2-utils libcrypt-ssleay-perl
  libmagickcore5-extra libauthen-sasl-perl libmcrypt-dev mcrypt libio-socket-inet6-perl libcrypt-des-perl libmyodbc odbc-postgresql tdsodbc unixodbc-bin libscalar-number-perl slpd openslp-doc libauthen-ntlm-perl backuppc perl-doc
  cciss-vol-status expect ndoutils-doc imagemagick-doc ttf2pt1 rrdcached libgearman-client-perl libcrypt-rijndael-perl poppler-utils fonts-japanese-mincho fonts-ipafont-mincho fonts-japanese-gothic fonts-ipafont-gothic
  fonts-arphic-ukai fonts-arphic-uming fonts-unfonts-core python-distribute python-distribute-doc ri ruby-dev ruby1.9.1-examples ri1.9.1 graphviz ruby1.9.1-dev ruby-switch ldap-utils cifs-utils nginx-full cherokee libapache2-mod-uwsgi
  libapache2-mod-ruwsgi uwsgi-plugins-all uwsgi-extra
The following NEW packages will be installed:
  autopoint check-mk-config-nagios3 dbus fonts-droid fonts-liberation fping freeipmi-common freeipmi-tools gettext ghostscript git git-man gosa gosa-plugin-nagios gosa-plugin-nagios-schema gsfonts imagemagick-common libavahi-client3
  libavahi-common-data libavahi-common3 libc-client2007e libcalendar-simple-perl libclass-accessor-perl libclass-load-perl libclass-singleton-perl libconfig-tiny-perl libcroco3 libcrypt-smbhash-perl libcups2 libcupsimage2 libcurl3
  libcurl3-gnutls libdata-optlist-perl libdate-manip-perl libdatetime-locale-perl libdatetime-perl libdatetime-timezone-perl libdbus-1-3 libdigest-hmac-perl libdigest-md4-perl libencode-locale-perl liberror-perl libfile-listing-perl
  libfont-afm-perl libfpdf-tpl-php libfpdi-php libfreeipmi12 libgd-gd2-perl libgd2-xpm libgettextpo0 libgomp1 libgs9 libgs9-common libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
  libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libice6 libijs-0.35 libio-pty-perl libio-socket-ip-perl libio-socket-ssl-perl libipc-run-perl libipmiconsole2 libipmidetect0
  libjansson4 libjasper1 libjbig0 libjbig2dec0 libjpeg8 libjs-jquery-ui libkohana2-php liblcms2-2 liblist-moreutils-perl liblqr-1-0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl liblwp-useragent-determined-perl
  libmagickcore5 libmagickwand5 libmail-imapclient-perl libmailtools-perl libmath-calc-units-perl libmath-round-perl libmcrypt4 libmemcached10 libmodule-implementation-perl libmodule-runtime-perl libnagios-object-perl
  libnagios-plugin-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-libidn-perl libnet-smtp-tls-perl libnet-snmp-perl libnet-ssleay-perl libodbc1 libpackage-deprecationmanager-perl libpackage-stash-perl
  libpackage-stash-xs-perl libpaper-utils libpaper1 libparams-classify-perl libparams-util-perl libparams-validate-perl libparse-recdescent-perl libpgm-5.1-0 libpq5 libradiusclient-ng2 libreadonly-perl libreadonly-xs-perl librecode0
  librrds-perl librtmp0 libruby1.9.1 libslp1 libsm6 libsocket-perl libssh2-1 libsub-install-perl libsub-name-perl libsystemd-login0 libtalloc2 libtdb1 libtiff4 libtimedate-perl libtry-tiny-perl libunistring0 liburi-perl libwbclient0
  libwww-perl libwww-robotrules-perl libxpm4 libxt6 libyaml-0-2 libyaml-syck-perl libzmq1 mlock nagios-images nagios-nrpe-plugin nagios-nrpe-server nagios-plugin-check-multi nagios-plugins nagios-plugins-basic nagios-plugins-common
  nagios-plugins-contrib nagios-plugins-openstack nagios-plugins-standard nagios-snmp-plugins nagios3 nagios3-cgi nagios3-common nagios3-core nagios3-dbg nagios3-doc nagiosgrapher ndoutils-common ndoutils-nagios3-mysql perlmagick
  php-fpdf php5-curl php5-gd php5-imagick php5-imap php5-ldap php5-mcrypt php5-recode pnp4nagios pnp4nagios-bin pnp4nagios-web poppler-data python-httplib2 python-keystoneclient python-pkg-resources python-prettytable qstat rsync ruby
  ruby1.9.1 samba-common samba-common-bin slapd smarty3 smbclient ttf-liberation uwsgi-core uwsgi-plugin-nagios x11-common
0 upgraded, 196 newly installed, 0 to remove and 0 not upgraded.
Need to get 81.9 MB of archives.
After this operation, 272 MB of additional disk space will be used.
Do you want to continue [Y/n]?


Now to test, just log in at http://your-server-ip/nagios3/

You’ll have to look up tutorials on configuring Nagios and Cacti. Of the two, Cacti is much easier because it’s all web based. But Nagios isn’t too difficult once you get used to playing around with config files.

One last thing I did was set up a landing page that points at the services. To do that, just edit the index.html file in your www folder like this:

root@testdebian:/etc/nagios3/conf.d/hosts# cat /var/www/index.html
<html><body><h1>TEST Monitoring Server</h1>
<p>This is the landing page for the TEST Monitoring server.</p>
<p>&nbsp;</p>
<p>Please use the following links to access services:</p>
<p><a href="/nagios3"> 1. Nagios</a></p>
<p><a href="/cacti"> 2. Cacti</a></p>
</body></html>
root@testdebian:/etc/nagios3/conf.d/hosts#

Now you can browse to the IP address and get an easy-to-use page that links to whichever service you want!

Let me know if you have any questions!


Creating a Reverse Proxy with Apache2

Sometimes there is a need to host multiple websites from one server, or from one external IP address. Whatever your reason or need is, in this tutorial I’ll just go through what I did to set up an Apache server to forward requests.

In my setup here, I have a Debian Wheezy server in my DMZ, and in my tier 2 DMZ I have 5 web servers. My objective is to host all these servers from 1 IP address, and introduce some security.

I found a ton of info out there on setting up Apache as a reverse proxy, but none of them really spelled out exactly what to do, and what the results would be. Some of them did, but it wasn’t what I was looking for. So I took a bunch of stuff I saw others doing, modified it to fit my needs, and am reporting back to you. I hope this helps.

Let’s get started.

You’ll want a base install of Debian Wheezy which you can find at www.debian.org. After you download that, just follow my guide for install if you need: Debian Minimal Install: The base for all operations

As I stated before, I have a bunch of web servers in my tier 2 DMZ, and a Debian box in my Internet facing DMZ. It is my intention that the web servers never actually communicate with the end users. I want my end users to talk to my Debian box, the Debian box to sanitize and optimize the web request, and then forward that request on to the web server. The web server will receive the request from the Debian box, process it, and send back all the necessary data to the Debian server, which will in turn reply to the end user who originally made the request.

It sounds complicated to some people, but in reality it’s pretty simple, and the reverse proxy is transparent to the end user. Most people out there don’t even realize that many sites out there utilize this type of technology.

My Debian server needs some software, so I installed these packages:

sudo apt-get install apache2 libapache2-mod-evasive libapache2-mod-auth-openid libapache2-mod-geoip
libapache2-mod-proxy-html libapache2-mod-spamhaus libapache2-mod-vhost-hash-alias libapache2-modsecurity

From here you’ll want to get into the Apache directory.

cd /etc/apache2

Let’s get going with editing the main Apache config file. These are just recommendations, so you’ll want to tweak these for whatever is best for your environment.

sudo vim apache2.conf

I raised the keep-alive request limit for performance reasons. The default is 100.

# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 500

Also, what security engineer out there doesn’t know that without logs you have no proof that anything is happening? We’ll cover log rotation and retention in another blog, but for now I set my logging to “notice”. The default was “warn”.

# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel notice

Perfect. Now, you may want to tweak your server a little differently, but for now this is all we need for here.

Now let’s get into some security hardening of the server.

sudo vim /etc/apache2/conf.d/security

We do have security in mind, so let’s not divulge any information that we don’t need to. Set “ServerTokens Prod”:

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
#ServerTokens OS
#ServerTokens Full
ServerTokens Prod

Now let’s set “ServerSignature Off”

# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
#ServerSignature On
ServerSignature Off

And lastly, go ahead and uncomment these three lines in your config, dropping the stray colon after each header name (the Header directive takes the bare header name; Apache adds the colon itself). We’ll configure “mod_headers” later.

Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "sameorigin"

Sweet, looking good. Go ahead and save that, and we can get “mod_headers” activated. First, I’d like to point out that you can view what modules you have installed by using the “a2dismod” program. Simply enter the command, and it will ask you which modules you’d like to disable; obviously, if you see a module in that list, it’s already enabled. Just hit “Ctrl+C” to stop the program.

To enable a module in Apache, you first need to make sure it’s installed; then you can just use the program “a2enmod”, like this:

sudo a2enmod headers

Now that we’ve enabled “mod_headers”, let’s verify we have the other necessary modules enabled as well.

steve @ reverseproxy ~ :) ᛤ>   a2enmod
Which module(s) do you want to enable (wildcards ok)?
cache
Enabling module cache.
Could not create /etc/apache2/mods-enabled/cache.load: Permission denied
steve @ reverseproxy ~ :( ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
cache
Enabling module cache.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
proxy_ajp
Considering dependency proxy for proxy_ajp:
Module proxy already enabled
Enabling module proxy_ajp.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
proxy_balancer
Considering dependency proxy for proxy_balancer:
Module proxy already enabled
Enabling module proxy_balancer.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
proxy_connect
Considering dependency proxy for proxy_connect:
Module proxy already enabled
Enabling module proxy_connect.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
proxy_ftp
Considering dependency proxy for proxy_ftp:
Module proxy already enabled
Enabling module proxy_ftp.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
proxy_http
Considering dependency proxy for proxy_http:
Module proxy already enabled
Enabling module proxy_http.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
vhost_alias
Enabling module vhost_alias.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
vhost_hash_alias
Enabling module vhost_hash_alias.
To activate the new configuration, you need to run:
  service apache2 restart

Here is a list of the Modules I just enabled:
cache proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http rewrite vhost_alias vhost_hash_alias

Now let’s just restart Apache, and keep going.

steve @ reverseproxy ~ :) ᛤ>   sudo service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .
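With mod_headers enabled and Apache restarted, the ServerTokens, ServerSignature and Header settings from the security file can be confirmed from the proxy’s own responses. The following Python check is an added example, not code from the post: it parses a raw HTTP response and reports a Server header that still carries version or OS details, an Apache signature line in the body, and any of the three security headers that is missing or mis-set. Both sample responses are constructed; in practice you would feed it the output of an HTTP client such as `curl -i` against the proxy.

```python
"""Check an HTTP response for the Apache hardening settings above.

Added example, not part of the original post. The two responses are
constructed to show a default (weak) and a hardened server.
"""

# Header values the security config is expected to produce (compared
# case-insensitively, so SAMEORIGIN and sameorigin both pass).
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "sameorigin",
}

# Constructed: what a stock Debian Apache 2.2 404 page looks like.
WEAK_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Thu, 01 Jan 2015 00:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n<hr>\n"
    "<address>Apache/2.2.22 (Debian) Server at www.yoursite.info Port 80</address>\n"
    "</body></html>\n"
)

# Constructed: the same page after ServerTokens Prod, ServerSignature Off
# and the three Header directives are active.
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Thu, 01 Jan 2015 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw):
    """Return a list of hardening findings; an empty list means all checks passed."""
    _, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if "/" in server or "(" in server:           # version or OS token present
        findings.append(f"Server header leaks version/OS: {server!r} (set ServerTokens Prod)")
    if " Server at " in body:                     # Apache's signature footer
        findings.append("body carries a server signature line (set ServerSignature Off)")
    for name, want in EXPECTED_HEADERS.items():
        got = headers.get(name)
        if got is None:
            findings.append(f"missing header {name}")
        elif got.lower() != want:
            findings.append(f"header {name} is {got!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "OK")
```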

Perfect, moving right along… Now what we need to do is set up a new file in the “/etc/apache2/sites-available” directory. I named mine “reverseproxy”, as it’s easy to figure out what it is.

Now, to correctly set up your reverse proxy, this server should not be hosting ANY websites. This is a proxy server, not a web host. So go ahead and delete the config symlink for the default website. We don’t want to host that.

sudo rm /etc/apache2/sites-enabled/000-default

Now we can edit our “reverseproxy” file.

sudo vim /etc/apache2/sites-available/reverseproxy

#enter this code into your file

<VirtualHost *:80>
  ServerName yoursite.info
  ServerAlias www.yoursite.info yoursite.info
  ServerAdmin info@yoursite.info
  ProxyPreserveHost On
  ProxyPass / http://www.yoursite.info/
  ProxyPassReverse / http://www.yoursite.info/
  <Proxy *>
        Order allow,deny
        Allow from all
  </Proxy>
  ErrorLog /var/log/apache2/yoursite.info.log
  CustomLog /var/log/apache2/yoursite.info.log combined
</VirtualHost>



<VirtualHost *:80>
  ServerName anothersite.com
  ServerAlias anothersite.com www.anothersite.com
  ServerAdmin info@anothersite.com
  ProxyPreserveHost On
  ProxyPass / http://www.anothersite.com/
  ProxyPassReverse / http://www.anothersite.com/
  <Proxy *>
        Order allow,deny
        Allow from all
  </Proxy>
  ErrorLog /var/log/apache2/anothersite.com.log
  CustomLog /var/log/apache2/anothersite.com.log combined
</VirtualHost>




<VirtualHost *:80>
  ServerName thirdsite.cc
  ServerAlias thirdsite.cc www.thirdsite.cc
  ServerAdmin info@thirdsite.cc
  ProxyPreserveHost On
  ProxyPass / http://www.thirdsite.cc/
  ProxyPassReverse / http://www.thirdsite.cc/
  <Proxy *>
        Order allow,deny
        Allow from all
  </Proxy>
  ErrorLog /var/log/apache2/thirdsite.cc.log
  CustomLog /var/log/apache2/thirdsite.cc.log combined
</VirtualHost>

Awesome, now save that file and we can get it enabled. Just like setting up new modules, we’re going to sym-link our new file to the “sites-enabled” folder.

sudo ln -s /etc/apache2/sites-available/reverseproxy /etc/apache2/sites-enabled

Now we can just reload the Apache server (no restart required) so that it picks up the new settings.

sudo service apache2 reload

Now we need to edit the /etc/hosts file so that our reverse proxy server knows where to send site traffic in our DMZ. So let’s do that:

127.0.0.1       localhost
127.0.1.1       reverseproxy.internal.dmz  reverseproxy
192.168.0.26   www.thirdsite.cc
192.168.0.26   thirdsite.cc
192.168.0.26   www.anothersite.com
192.168.0.26   anothersite.com
192.168.0.65   www.yoursite.info
192.168.0.65   yoursite.info

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Sweet, all done!
Now you can test from a computer that all your sites are working. They *should* be! 🙂
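Before browsing to each site, it is worth cross-checking the vhost file and /etc/hosts against each other. This Python checker is an added example, not part of the original post: for every VirtualHost it confirms that each ProxyPass has a matching ProxyPassReverse (otherwise a backend redirect leaks the internal URL), that the backend host named in ProxyPass has a hosts-file entry (otherwise the proxy resolves the public name through DNS, which may point back at itself), and that ProxyRequests is not switched on, which together with the permissive Proxy block would make the box an open forward proxy. The vhost and hosts text are constructed from the post’s values, with the second and third sites deliberately misconfigured so that each finding fires.

```python
"""Cross-check Apache reverse-proxy vhosts against /etc/hosts.

Added example, not part of the original post. The config and hosts text
below are constructed; two of the three sites are intentionally broken.
"""
import re
from urllib.parse import urlsplit

VHOSTS = """\
<VirtualHost *:80>
  ServerName yoursite.info
  ServerAlias www.yoursite.info yoursite.info
  ProxyPreserveHost On
  ProxyPass / http://www.yoursite.info/
  ProxyPassReverse / http://www.yoursite.info/
  <Proxy *>
        Order allow,deny
        Allow from all
  </Proxy>
</VirtualHost>
<VirtualHost *:80>
  ServerName anothersite.com
  ProxyPass / http://www.anothersite.com/
</VirtualHost>
<VirtualHost *:80>
  ServerName thirdsite.cc
  ProxyRequests On
  ProxyPass / http://www.thirdsite.cc/
  ProxyPassReverse / http://www.thirdsite.cc/
</VirtualHost>
"""

HOSTS = """\
127.0.0.1       localhost
127.0.1.1       reverseproxy.internal.dmz  reverseproxy
192.168.0.26   www.thirdsite.cc
192.168.0.26   thirdsite.cc
192.168.0.65   www.yoursite.info
192.168.0.65   yoursite.info
# anothersite.com is deliberately missing
::1     localhost ip6-localhost ip6-loopback
"""


def parse_hosts(text):
    """Map every hostname in hosts-file text to its address, ignoring comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name] = fields[0]
    return table


def parse_vhosts(text):
    """Yield (ServerName, [(directive, value), ...]) for each <VirtualHost> block."""
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S):
        directives = []
        for line in block.splitlines():
            line = line.strip()
            if line and not line.startswith(("#", "<")):   # skip nested sections
                key, _, value = line.partition(" ")
                directives.append((key, value.strip()))
        name = next((v for k, v in directives if k == "ServerName"), "?")
        yield name, directives


def check_proxy_config(vhost_text, hosts_text):
    """Return human-readable findings; an empty list means the config is consistent."""
    hosts = parse_hosts(hosts_text)
    findings = []
    for name, directives in parse_vhosts(vhost_text):
        passes, reverses = {}, set()
        for key, value in directives:
            if key == "ProxyPass":
                path, _, target = value.partition(" ")
                passes[path] = target.strip()
            elif key == "ProxyPassReverse":
                reverses.add(value.partition(" ")[0])
            elif key == "ProxyRequests" and value.lower() == "on":
                findings.append(f"{name}: ProxyRequests On makes this an open forward proxy")
        for path, target in passes.items():
            if path not in reverses:
                findings.append(f"{name}: ProxyPass {path} has no ProxyPassReverse, "
                                "backend redirects will expose the internal URL")
            backend = urlsplit(target).hostname
            if backend not in hosts:
                findings.append(f"{name}: backend {backend} has no /etc/hosts entry, "
                                "the proxy may resolve it to itself")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_config(VHOSTS, HOSTS) or ["OK"]:
        print(finding)
```

Point it at your real files with `check_proxy_config(open("/etc/apache2/sites-available/reverseproxy").read(), open("/etc/hosts").read())` and fix everything it lists before opening the proxy to the Internet.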

I’ll work on a blog eventually to show how to enable mod_security with this setup so that we can sanitize user interaction with our site. Our visitors are probably good people, but attackers and skiddies are always out there trying to damage stuff.

Thanks for reading!!


Microsoft Exchange: Fortify and secure your mail server!

So, I just (mostly) finished writing a blog on how to set up a Postfix Reverse Mail Proxy that works as a SPAM filter for your Exchange Server. A blog I wrote before that was about network architecture that I feel any organization should be able to implement, regardless of the size of the company. Those two blogs really had a lot to do with security at the perimeter of the network. I would like to continue working on securing email and increasing the security and reliability of your MS Exchange environment, while at the same time not impeding usability or scalability.

In this blog we’ll look at securing and fortifying your Exchange Server. If you look at Microsoft’s website, and the people talking out on the “social.technet.microsoft.com” site, you’ll hear people say asinine things like, “upon installation it’s already secure,” or, “Exchange server comes secure by default,” or something like that. I’m sorry, but any product that you purchase can be made more secure. If that weren’t the case, then why run “Windows Updates”, install patches, configure firewalls or setup SPAM filtering? I don’t care what product you’re talking about, there is ALWAYS something you can do in order to make things more secure.

There are many reasons for wanting to secure your Exchange infrastructure, but the main reason why is for availability. Many organizations rely on email as a backbone to their communications; especially small businesses. If your company lost email communications for even a day, how much productivity would be lost? How much credibility would be lost if outside senders couldn’t get their mail to your organization? But most of all, what if your Exchange server was used as a mass SPAM gateway that caused many other companies, partners or customers to be infected? The cost of cleaning up SPAM, junk, viruses, Malware, or in worst case scenario, a breach, could be in the tens or hundreds of thousands of dollars.

In this economy, no one can afford to go through something like that. It’s not even an option. So in this blog, it is my intention to show you how to effectively secure your Exchange Server(s), increase SPAM-fighting ability, lock down users’ mailboxes, and do my best at providing some PowerShell scripts to help automate a lot of these tasks. Most of all, I’m going to tell you that over time, this blog will grow to be pretty long. I don’t expect that this blog will just be a “set it and forget it” deal. Exchange administration is an ongoing effort, much like the hacking community: it’s constantly evolving, trying to minimize SPAM and decrease the frontage of your environment, while at the same time allowing users to sync with their phones, check web mail on the road, connect with MS Outlook, and still receive the same level of service that they would expect from any other company. The last thing I want to hear is that something detailed and outlined on this blog cost an IT guy his job, or got him in trouble, because he implemented something that broke Exchange or caused an outage.

As for this blog, I want to set some barriers on what this blog IS, and IS NOT. If you’re looking for a Windows Server Hardening guide, you’re in the wrong spot. I’m currently working on a Windows Server hardening guide that will take existing MSBs, take the best of breed, and get them into GPOs and scripts that you can use on your Windows Server infrastructure. That blog can be found #here# when it is complete. Until then, what this blog is going to focus on will not be the OS layer. We’re looking at hardening Exchange, and Exchange only!

 

First thing we’re going to do is provide a brief overview of what’s going on with Exchange from an AD permissions standpoint. Most everything that Exchange does is based on Kerberos tickets, so my biggest suggestion is that you keep time on your domain tightly synchronized. A hardware clock on a server can drift pretty quickly, especially if the CMOS battery is going bad, so it’s best to make sure that your Exchange server and your domain controllers are all synced to the same external time source. Another good practice is to designate two (2) or more computers, preferably servers, to host an NTP service that syncs with a reputable outside time source like NIST, Microsoft, or NASA. Those servers should be the only ones allowed to talk over udp/123 to the outside world. Then you can allow all your servers, regardless of what network segment you put them in, to talk to your NTP server(s). Refer to my Network Architecture blog for what your forward facing DMZ should look like.

I’m going to skip going through setting up Exchange roles. The reason is that in smaller environments it’s really not feasible to delegate administrative access and give certain admins a read-only view, another group Exchange Recipient Admins access, and so on. Even in larger companies, you may only have a small handful of Exchange admins who all have full administration rights. So we won’t get into those roles and permissions. It is possible to do that stuff, but at the end of the day, most companies these days do a pretty good job of vetting who they give administrator rights to, there are signed agreements with those employees, and other mitigating controls. You’re going to have to trust your Exchange admins. And if you don’t, you’d better trust your Backup Administrators.

You’ve probably noticed that Exchange 2010 permissions have even changed since prior editions. No longer are you setting up Exchange permissions inside the Exchange Management Console. You’ll be taking care of this stuff in Active Directory from now on due to Microsoft’s new security model. They’ve taken the approach of a true Role Based Access Control (RBAC) and they outline all of this information here at their site. The main permission that you’ll be concerned with is the Organization Management role. You can see that all the roles are in the “Microsoft Exchange Security Groups” OU in AD. See below:

 

Next thing to talk about is your Exchange Server, or at least the physical server or VM that Exchange runs on. The underlying setup of this machine is very important to how Exchange will operate. If the server has problems with DNS updates, mail will stop flowing; if the time is off, your admins won’t be able to administer the box; if there are errors or warnings in the event logs, those need to be fixed, etc. It’s very important to monitor the event logs of your server(s). I am not blind to the fact that in the real world issues are constantly arising on the network, but many issues stay minor if they aren’t left to grow into large ones. The underlying theme here is to Harden Server 2008. Please go through that blog first, before venturing forward here.

 

Please go harden your Server 2008 box before going forward

 

So now that your Server 2008 box is hardened, we can move on. To be honest, there really isn’t much to do on the Exchange side of the house. If you’ve got a SPAM filter sitting in front of your Exchange Servers, as I’ve outlined in my previous Postfix Mail Relay SPAM Filter blog, you’re already doing pretty well. There are many things that a front-end SPAM filter should be doing that Exchange shouldn’t. Exchange is a messaging platform. It’s really good at doing things like delivering email, working with calendars, scheduling appointments, and keeping lines of communication open. From here on out it’s pretty much just controlling permissions to Exchange, between mailboxes and calendars, etc. There are other tasks such as Microsoft’s Security Configuration Wizard (SCW), granting users access to other mailboxes, creating conference rooms, Federation Services with other domains, ActiveSync controls, remote device wipe, internal and external receive connectors, and Exchange Certificates, that I’ll attempt to cover here.

 

One of the biggest things I hate to see is when you look at the message headers on an email from outside your organization. Hardly anyone updates the info on those things. I know it’s not really that much information, but you can easily divulge a few pretty important pieces of information from email message headers. The main two are your Internal Domain Name and your Internal IP Address space where your Exchange server lives. Especially in small companies, it’s extremely common to see that the server farm sits at either the top or the bottom of a /24 (like 192.168.10.0). What I mean is, these small companies have less than 10 servers most of the time, so you know all of their internal systems are on the same subnet. We want to take those pieces of information out of the header. To do that is very easy, just two or three Exchange PowerShell commands.

The first command loads the Exchange snap-in into a plain PowerShell session. According to Microsoft’s Social pages: “When you remotely connect to PoSh (enter-pssession, invoke-command), unless you specify otherwise, it loads the default PowerShell shell with no added modules. When you run the command from your Exchange 2010 server, you’re probably running the commands from the Exchange Management Shell (EMS) that preloads a bunch of cmdlets in the background — that’s how you get the tip-of-the-day and such.”

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ea SilentlyContinue

 

This command removes the ms-Exch-Send-Headers-Routing extended right from ANONYMOUS LOGON on the send connector, which in turn enables the header firewall for that connector. Make sure to change “InternetConnectorName” to whatever your send connector is named.

Get-SendConnector "InternetConnectorName" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing

 

Then to make sure that your settings are taken care of, push a synchronization to your edge servers like this:

Start-EdgeSynchronization

 

After running your commands you can log into a Domain Controller (provided you have the rights) and check this in ADSI Edit. You can see that the send connector security has changed. To do this, run ADSI Edit from the Start Menu, then Administrative Tools, ADSI Edit. When that starts up, click on File, then “Connect to” and connect to the configuration naming context (the drop down menu in the center of the screen), as you can see below:

After you get to this point, Expand “Domain Root \ your domain\ Services \ Microsoft Exchange \ {your Exchange organization} \ Administrative Groups \ Exchange Administrative Group (FYDIBOHF23SPDLT) \ Routing Groups \ Exchange Routing Group (DWBGZMFD01QNBJR) \ Connections”. As seen below:

As you see here, you will find the send connectors in the center panel. To verify that the security changes have taken effect, double-click on the connector that you are working on and then click the “Security” tab. Verify that the “ANONYMOUS LOGON” user has no check boxes enabled except for “Special Permissions”, as you can see below:
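Once the connector permission is removed, the real test is what an outside recipient sees. This is an added example, not from the original post: a Python check that parses a message as it would arrive at an external mailbox and reports every header carrying an RFC 1918 address or a hostname under the internal AD suffix. Both messages and the `corp.example.local` suffix are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Internal AD domain suffix to look for (assumption: the org uses corp.example.local).
INTERNAL_SUFFIX = "corp.example.local"

# Constructed sample of an outbound message as an external recipient sees it
# BEFORE the header firewall is enabled: the inner Received header shows the
# internal hostname and its 192.168.10.0/24 address, and an organization
# header that should never leave the org is still attached.
LEAKY_MESSAGE = """Received: from mail-out.example.com (mail-out.example.com [203.0.113.10])
\tby mx.partner.example (Postfix) with ESMTPS id ABC123
\tfor <bob@partner.example>; Tue, 08 Jan 2013 10:15:00 -0500
Received: from EXCH01.corp.example.local (192.168.10.5) by
\tmail-out.example.com (203.0.113.10) with Microsoft SMTP Server id 14.2.247.3
X-MS-Exchange-Organization-AuthSource: EXCH01.corp.example.local
From: alice@example.com
To: bob@partner.example
Subject: quarterly numbers

Body text.
"""

# Constructed sample of the same message AFTER the internal hop headers are
# stripped at the send connector: only the public relay is visible.
CLEAN_MESSAGE = """Received: from mail-out.example.com (mail-out.example.com [203.0.113.10])
\tby mx.partner.example (Postfix) with ESMTPS id ABC123
\tfor <bob@partner.example>; Tue, 08 Jan 2013 10:15:00 -0500
From: alice@example.com
To: bob@partner.example
Subject: quarterly numbers

Body text.
"""

# RFC 1918 address space; anything from here in an externally visible header
# maps your internal network for the recipient.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_private(addr):
    """True for a syntactically valid IPv4 address inside RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def find_header_leaks(raw_message, internal_suffix=INTERNAL_SUFFIX):
    """Return (header name, leaked value) pairs found in the message headers.

    Two things are reported: RFC 1918 addresses, and any hostname ending in
    the internal AD suffix. Folded header lines are joined before matching.
    """
    msg = message_from_string(raw_message)
    host_re = re.compile(r"(?:[\w-]+\.)*" + re.escape(internal_suffix), re.I)
    leaks = []
    for name, value in msg.items():
        flat = " ".join(value.split())
        leaks.extend((name, ip) for ip in IPV4_RE.findall(flat) if is_private(ip))
        leaks.extend((name, host) for host in host_re.findall(flat))
    return leaks


if __name__ == "__main__":
    for label, raw in (("before", LEAKY_MESSAGE), ("after", CLEAN_MESSAGE)):
        leaks = find_header_leaks(raw)
        print(f"{label}: {len(leaks)} leak(s)")
        for name, value in leaks:
            print(f"  {name}: {value}")
```

Feed it a message you sent to an outside test mailbox and saved with full headers; an empty result for the "after" case is what the connector change should give you.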

 
 

I don’t know why I am saying this, but I feel that it should be stated that Exchange shouldn’t be running on a Domain Controller. I know Microsoft ships Windows Small Business Server with Exchange and SQL and other technologies built into it, but that is the only exception I’ll be making here. There are many reasons for wanting to separate Exchange services from a domain controller, but I would say the main reasons are, separation of duties and that if your Exchange box gets popped, the attackers already own your DC. Separation of duties is simple; each server in your organization should only be hosting 1 service. We do that for a number of reasons, such as making troubleshooting easier. Also, don’t forget, your Exchange box hosts web mail for your organization. Do you want a website hosted off your DC that is publicly available to everyone on the Internet? I think not.

 

Another good tool to use is the Exchange Best Practices Analyzer. Depending on how large your organization is, this can take a significant amount of time to complete, but the information you’ll get out of it is pretty useful. There are a few different areas you can test in there including Performance, Permissions, Baseline and a Connectivity Test. I would suggest finding the time to run all of the scans.

 

Don’t forget to be constantly updating settings in your Exchange Spam Filtering, too. I know what you’re thinking. You’re probably thinking, “This dude just told me that we shouldn’t use the Exchange SPAM filter, that we should be using his Postfix Mail Relay instead.” And you would be right. You should use that. BUT! Everything in moderation, and security in layers. If you put all your faith in any one piece of technology, that’s bad. Like I said before, the day that you can buy one product that will secure everything, is the day that I’m out of a job.

First, if you haven’t already, you’ll have to enable some stuff. Let’s get the SPAM filter enabled.

cd 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts'
.\install-AntispamAgents.ps1
Restart-Service MSExchangeTransport

 

Once that’s completed, we can tune the SPAM filter that is part of Exchange. You’ll find that in the Hub Transport area of the Organization Configuration in the EMC (seen below):

 

Make sure to go through all of those features and set them up the way you want them to work. Some of this overlaps what the Postfix Mail Relay does, but if you aren’t using that, go ahead and set them up here. The nice thing about setting up these options in the Exchange Server is that it’s scriptable. For all intents and purposes it is scriptable in the Postfix Mail Relay too, but you have the ability to do it here as well. Get a couple PowerShell cmdlets together and you can add stuff to this SPAM filter on the fly.

One nice thing here is that if you don’t want to tie your Postfix Mail Relay into Active Directory, you can block the messages here as well. What I mean by that is, Exchange will receive an email, check whether the recipient exists in AD, and if they don’t it will block the message. The Postfix Mail Relay has the same capability, but with much more setup work to be done. This is just a simple checkbox, as seen below.

 

You’ll want to go through the settings in both the Exchange ActiveSync Mailbox Policies, as well as the Outlook Web App Mailbox Policies. There are many settings in there that

 

Another thing that should be obvious, but I’ll mention anyway, is that POP3 and IMAP should be disabled, and left disabled. There’s no need for that stuff. In Linux you can run DavMail for your local mail proxy, and in Windows and Mac you should be just running MS Office (with some version of Outlook). If you’re running an AD and Exchange environment, most of your users are probably using Outlook anyway, and they should be using Outlook 2007 or 2010 in order to get the most functionality out of Exchange. In actuality, even your Linux people really should have a Windows 7 VM running for Outlook, Visio and Office.

 
 

I’ll be going through and updating this as I have time… I’m burnt out on all this stuff, so check back periodically for updates!

References:
http://technet.microsoft.com/en-us/library/aa996604(v=exchg.141).aspx

http://www.techieshelp.com/add-an-administrator-to-exchange-2010/


Linux How-To: Debian Server, Bind9 DNS and Postfix Mail Relay SPAM Filter


So, MS Exchange has been attacked so many times over the years that it would be stupid to let it just sit out on the Internet. Same goes for Microsoft DNS server. I would try as hard as I could to never put a Microsoft server out on the Internet, or even allow a Microsoft server to directly service the Internet. It’s just too risky, and I don’t play dice in certain situations such as these. I would, however, make an exception for hosting an Internet Information Services (IIS) Web Server. There are easy ways to lock down IIS and the OS, perform secure code reviews on the website itself, put reverse proxies in front of the web server (Apache Mod_Security or DotDefender)… the list goes on.

But this isn’t a blog about web services. This blog is about setting up a secure Debian Server to host a Bind9 DNS server and a Postfix reverse email proxy. This really could be split up into two different blogs, but I really think that they belong together because of how intertwined email services are with DNS. Without DNS, mail would be significantly more difficult. But DNS is also the problem with a LOT of SPAM. Improperly configured DNS is behind much of the SPAM that gets through to end users. Also, with DNS and Postfix running on the same box, the services are speedier and more responsive. We’ll do our best, but I really hope I can just refer people to this setup, because I truly believe that if more people would secure their mail servers and set up DNS properly, we could easily stop MOST SPAM that is out on the Internet from making it to inboxes around the world.

And this will be a nice, really long, blog… strap in, people, we’re in for a ride! 🙂

 

First things first, we need to start with a fresh install of Debian server. The main reasons I chose Debian server are:

  • First, it’s exceedingly stable and secure right out of the box. Very little configuration is needed.
  • Second, the Debian maintainers don’t make tons of changes and they aren’t on the bleeding edge of new technologies.
  • Third, Debian is super easy to use and the software we need is also super easy to install.
  • Lastly, especially for virtualized environments, a full install, using my method, takes a minimum of 512MB RAM and 1.5GB HDD space.

 

 

I want to let everyone know here that whatever I post on my site is something I truly believe in. The main reason why I believe this process works so well is that I’ve seen it in action at past employers, I’ve seen the MASSIVE cost savings passed on to our customers, and because of all that I’ve implemented this exact same process at home. So basically, I eat my own dog food. I’m not going to tell you all to do something that is insecure or full of shit. My email server is already receiving emails through this Postfix Proxy, my domains are hosted off of this BIND9 server, and, if I may say, it’s ALL working beautifully.

A good friend of mine, Nick (I’ll leave out his last name until he says it’s okay to mention him here), was the one who inspired me to get much of this stuff going. I worked with him at a past employer and he showed me much of this stuff. Regardless, what I’m trying to get to here is, the way that we have things set up now is pretty damn good. I have one domain passing all of my mail to a DMZ which has zero restrictions, and that domain forwards all the email it gets to my home server, which is the Proxy we’re about to set up. The reason I do this is to make sure that my SPAM filtering isn’t killing emails I WANT to see. SO, every so often I’ll check both accounts, side by side, and make sure that I’m filtering properly. And if I’m not, I’ll tweak the proxy accordingly. Eventually, maybe even in this blog, I’ll get a mail quarantine up and running so that I can just do away with the DMZ server and pass all my mail through this Proxy…

Lastly, I’ve gone out of my way to make this as absolutely clear as I can. I’ve referenced all the sites and pages at the bottom of this blog, as I always do, and made this as close to perfect as I can. If you want an “installer” for this process, then you’re in the wrong spot. I will never build an automated installer for this without charging a butt load of money. If that’s what you’re looking for, go buy some Windows based software. Here, we’re working with Debian server on the Bash Shell.

 

 

Anyways… So let’s get a base image up and running.

Debian Minimal Install: The base for all operations

When you’re done with that come back here and we’ll keep going… In the mean time let’s talk about the software we’re dealing with here…

 

Postfix

While Postfix can do a lot, just by itself, in filtering SPAM, it’s not the end-all, be-all software. It’s literally just a Mail Transfer Agent (MTA), and its only purpose is to send and receive mail. So what we need to do here is arm Postfix with some weaponry, by the likes of Amavis-New, SpamAssassin, Anomy Sanitizer, and ClamAV. Now, I know you’re thinking, “ClamAV, huh?” But it’s better than nothing, it’s open source and it’s got over a million signatures. If you’re reading this thinking “WTF? My company won’t be able to run this!”, then you’re in luck, because Postfix can forward mail for AV inspection to many of the top names in Anti Virus (Kaspersky, Symantec and McAfee). But for this article we’re going to work with ClamAV and some other tools, so deal with it. It’s free, and so is this blog…

 

 

Amavis-New

Amavis-New is a really good SPAM filtering engine, as is SpamAssassin. What we’ll have to do is create two directories for Amavis and SpamAssassin to work in. They both receive mail from Postfix, unpack the email and attachments, inspect everything, then package everything back up the way it should be, and send it back to Postfix. This happens in two passes: Amavis gets the email first, then sends it back to Postfix, then it’s sent to SpamAssassin, then sent back to Postfix.

When Amavis first starts at system boot, it just sits there and waits until it gets work to do, as any good little daemon should. But when an email comes in, Amavis instantly forks a child process to do the work that needs to be done. This child process creates a subdirectory in the Amavis working directory and does its unpacking, inspection and repacking there. In the Amavis conf file you can specify how many children can be spawned, but you’ll want to test this out. Our config will have 5 children, and on a box with 1GB of RAM, we should have PLENTY of room to work with. Now, if you’re running an Enterprise level SPAM filtering service, you may want to set up several of these servers behind a few or more MX records so that you can spread out the workload. Then beef up how much RAM and how many CPU cores you allocate to the VM and allow Amavis to spawn more children. Depending on the amount of hardware you have to work with, you could filter a TON of email with this configuration.

Really though, at the end of the day, I strongly recommend that you investigate the Amavis-New website. Their FAQs are great and super informative. It’s truly amazing what this product can do.

 

 

SpamAssassin

As for SpamAssassin, let’s talk about this for a minute. At the writing of this blog, Spam Assassin is at release 3.3.1. I’ll tell you the same thing I said a minute ago about Amavis: you should really look at the Spam Assassin website for more details about running, installing, configuring, testing and operating Spam Assassin. But I’ll briefly go over this stuff now. SpamAssassin works like many other filtering engines, “grading” the email on a multitude of different areas, including content, encoding, MIME settings, HTML markup and blacklists provided by different carriers like Spamhaus (which we’ll talk about later in this blog). Configured and monitored properly, Spam Assassin, just by itself, can filter over 97% of all SPAM, its false positive ratio is easily 1% or less, and the best part is that it has the ability to “learn” about new SPAM. The scoring engine is like a game of golf: the lower the score, the better. Other factors are looked at as well, such as blacklisted IPs, reverse DNS lookups, lists of banned words, lists of banned file attachments (exe, vbs, etc.), sender and receiver addresses, valid date and time, etc.

SpamAssassin isn’t all by itself though. While SpamAssassin is able to do a LOT on its own, it also “calls” other programs in to help it, such as razor, pyzor, and dcc-client. Each of these programs has specialized duties that perform additional SPAM checking. Razor is a distributed network devoted to spam detection. Razor uses statistical and randomized signatures that effectively identify many different types of SPAM. Pyzor, not surprisingly, is built on Python and is also based on a network dedicated to identifying SPAM. Like Razor, it too is signature based. Lastly, DCC (Distributed Checksum Clearinghouses) is also an anti-spam content filter. According to the DCC website, “The idea of DCC is that if mail recipients could compare the mail they receive, they could recognize unsolicited bulk mail. A DCC server totals reports of checksums of messages from clients and answers queries about the total counts for checksums of mail messages. A DCC client reports the checksums for a mail message to a server and is told the total number of recipients of mail with each checksum. If one of the totals is higher than a threshold set by the client and according to local whitelists the message is unsolicited, the DCC client can log, discard, or reject the message.”

Back to SpamAssassin… The thing that really makes SpamAssassin great is the way that it handles SPAM. It’s completely configurable to the way YOU want SPAM handled. You can have it tag email as potential SPAM by just changing the email headers. There are also ways that Spam Assassin will modify the Subject line of an email to include text like “***Potential SPAM***” or whatever you want it to say to your end users. This option truly is great, because there will always be false positives (email marked as SPAM that really isn’t), and there will always be false negatives (SPAM that gets through to the end user that shouldn’t). With Subject line modification, we can alert the user to use their best judgement in looking at an email. If a message has a high enough score we can have the message quarantined until the user releases the message for review, or in extreme cases the email can just be dropped without notification.

On the contrary, not all email should be blocked either. And Spam Assassin can look into messages to see if they have good karma. This sounds strange, but while there are services like Spamhaus, there are services that do the exact opposite of them. For instance, there are services like ISIPP Email Accreditation and Deliverability, Return Path who actually owns Bonded Sender which used to be Iron Port‘s product (which now Cisco owns), and more.

 

 

Anomy

Just because I’m too lazy to keep going on with this, I’ll just forward you to the Anomy website and you can look at their information if you want to know more. The main reason why I’ve decided to incorporate Anomy is that, while the other SPAM and virus checkers need to perform inspection on the disk, which can get very intense (and in extremely large environments can cause performance issues), Anomy does everything in system memory. The other reason is that Anomy comes with its own custom built MIME parser which performs more checks than some of the other options. The thing that we’re looking at here is security in layers. You’ll hear that concept driven into your head over and over until the end of time. Security in layers. The day that you can buy 1 product to perform ALL of your security needs is the day I’m out of a job. Until then, you’re going to have to use multiple scan engines, multiple security technologies and continue to drive a culture of knowledge for your employees.

 

 

 

Awesome, you got your VM up and running!!!

 

SSH and Server Certificates

In that tutorial I had you setup the IP address on your new Debian server to 192.168.0.100. We’ll reference that IP address for the rest of the time, but you can substitute it for whatever you made it on your network.

If you haven’t done this yet, we’re going to make life easy and get the SSH Server installed so we can get some remote access to this server from our Linux Desktop.

apt-get install ssh openssh-server openssh-client

 

When that’s done test out connecting from your local machine to this virtual host using:

ssh steve@192.168.0.100

Now we can setup SSH keys on this system so that you can easily log in from your main Linux Desktop machine.

 

So go to your home directory on your local machine (NOT THE SERVER!). From there, cd into your .ssh directory and we’ll create your SSH key pair.

cd ~/.ssh/
ssh-keygen -t rsa
{save as default file, press enter}        
{enter your own password and hit enter}     <-- this can be blank
{confirm your password}                     <-- this can be blank

 

Once this is done we’ll copy your public key to the server so that you stay authenticated

cat ~/.ssh/id_rsa.pub | ssh steve@192.168.0.100 "mkdir -p ~/.ssh && cat - >> ~/.ssh/authorized_keys"

 

Now edit your “.ssh/config” file and add in your new server. If you don’t have one, just create one!

Host 100
HostName 192.168.0.100
User steve

 

And now you can test your new ssh keys by doing this:

ssh 100

 

You may need to adjust your permissions properly. To do so, simply run this command on your local system:

chmod 700 ~/.ssh && chmod 600 ~/.ssh/*

 

And this command on your remote system that you’re trying to connect to:

chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh/

 

Disable IPv6

For our install, we need to disable IPv6. I’ve seen issues with Postfix and Bind when there is IPv6 running on the same box. I always bitch about lazy admins, and here I am being lazy and turning off IPv6 instead of fixing the underlying issue. 🙁

 

SO! Let’s get IPv6 disabled! haha 🙂

 

I promise I’ll look into the issue over time, because I’ll need to make this solution work with IPv6 eventually. I can’t run from it forever. In the meantime, let’s get going with editing your grub file:

sudo vim /etc/default/grub

 

While you’re in your Grub file, find the line that looks like this:

GRUB_CMDLINE_LINUX=""

 

What you need to do here is make it look like this:

GRUB_CMDLINE_LINUX="ipv6.disable=1"

 

Then you need to update the loader by doing this:

steve @ debian ~ :) ?>   sudo update-grub2
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-2.6.32-5-amd64
Found initrd image: /boot/initrd.img-2.6.32-5-amd64
done
steve @ debian ~ :) ?>   sudo update-grub
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-2.6.32-5-amd64
Found initrd image: /boot/initrd.img-2.6.32-5-amd64
done

 

 

Bind9 Domain Name System (DNS)

Perfect! Now, let’s get Bind9 installed and configured properly. What I’ve done in my network is allow my internal name servers to keep a copy of the external DNS zones. It makes life easier than setting up all your internal servers to also look at your external servers. We’ll run through that as well during the setup. You’ll also want to get a copy of the Bind 9 Administrator Reference Manual. It’s not critical, but there’s some pretty damn good information in that document. www.bind9.net has both the online website and the downloadable PDF document.

sudo apt-get install bind9

 

Now that Bind is installed, let’s configure the service to do what we want. We’ll start by editing our “named.conf” file where all the good stuff is.

cd /etc/bind/
sudo vim named.conf

### Named.conf File ###
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

 

This file is really tiny; it’s really just the spawn point for all the other configurations. And there are two ways you can do this.

  1. You can remove all the other files and just do all your configurations in here
  2. You can continue to use the file structure the way it is

Either way will work. If you’re a small company with only a few domain names, you can easily get away with lumping everything into this file and still keep separate zone files. If you’re a large company you may want to stay with many separate, smaller, configuration files. Especially when you’re dealing with companies that own hundreds, if not thousands, of domain names… even more so if you’re dealing with companies dispersed over several continents… or globally!

 

In this scenario, we’re going to tighten things up just to make the initial config easy to see, but by no means am I telling you that you have to do it this way. DO it however you feel makes the most sense to you!
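Whichever layout you pick, the exposure settings to watch are allow-recursion and version in the options block and allow-transfer in each master zone. As an added example (not part of the original post), here is a small Python audit that parses a named.conf with those statements and flags an open resolver, an advertised version string, or a master zone that anyone can transfer. Both sample configs are constructed for the example.

```python
import re

# Constructed sample in the shape of the hardened config: recursion only for
# the internal network, transfers only to the internal name servers,
# version string hidden.
HARDENED_CONF = """
options {
        directory "/etc/bind";
        allow-query { any; };
        allow-recursion { 127.0.0.1; 192.168.0.0/24; };
        listen-on-v6 { none; };
        version "named";
};
zone "example.com" IN {
        type master;
        file "/etc/bind/db.example.com";
        allow-transfer { 192.168.0.7; 192.168.0.13; };
        notify yes;   # RFC 1996
};
"""

# Constructed sample of the common mistake: allow-query opened to the world
# and recursion opened with it, nothing said about transfers or version.
WEAK_CONF = """
options {
        directory "/etc/bind";
        allow-query { any; };
        allow-recursion { any; };
};
zone "example.com" IN {
        type master;
        file "/etc/bind/db.example.com";
};
"""


def tokenize(text):
    """Drop the three comment styles named.conf accepts and split into
    braces, semicolons, quoted strings and bare words."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)   # would also eat a URL in a string
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse_block(tokens, pos=0):
    """Parse statements up to the matching '}' into a dict.

    'word ... ;' becomes key -> list of trailing words; 'word ... { ... };'
    becomes key -> nested dict, so an address list such as
    { 127.0.0.1; any; } parses to {'127.0.0.1': [], 'any': []}.
    Zones are keyed as 'zone <name>' so several can coexist.
    """
    block = {}
    while pos < len(tokens) and tokens[pos] != "}":
        head = []
        while pos < len(tokens) and tokens[pos] not in ("{", ";"):
            head.append(tokens[pos].strip('"'))
            pos += 1
        if not head:                    # stray ';'
            pos += 1
            continue
        key = " ".join(head[:2]) if head[0] == "zone" else head[0]
        if pos < len(tokens) and tokens[pos] == "{":
            value, pos = parse_block(tokens, pos + 1)
            pos += 1                    # consume '}'
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
        else:
            value = head[1:]
            pos += 1                    # consume ';'
        block[key] = value
    return block, pos


def audit(conf_text):
    """Return a list of findings; an empty list means the checks passed."""
    conf, _ = parse_block(tokenize(conf_text))
    opts = conf.get("options", {})
    findings = []
    recursion_on = opts.get("recursion", ["yes"]) != ["no"]
    allow_rec = opts.get("allow-recursion")
    if recursion_on and allow_rec is None:
        findings.append("options: allow-recursion not set; restrict it to your networks explicitly")
    elif recursion_on and "any" in allow_rec:
        findings.append("options: recursion is open to any client (open resolver)")
    if "version" not in opts:
        findings.append("options: no 'version' override, the real BIND version is advertised")
    for key, zone in conf.items():
        if not key.startswith("zone ") or zone.get("type") != ["master"]:
            continue
        transfer = zone.get("allow-transfer")
        if transfer is None or "any" in transfer:
            findings.append(f"{key}: zone transfers not restricted to your slave servers")
    return findings


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Point `audit()` at the contents of your own /etc/bind/named.conf (with any include files pasted in) to get the same report for your server.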

 

So here we have the named.conf file; go ahead and make a backup of all your config files into a backup folder here and then modify your named.conf to look like mine below.

cd /etc/bind/
sudo mkdir installer-backup
sudo cp * installer-backup/
sudo rm named.*

 

And here is the code you can copy and paste into your “named.conf” file:

sudo vim named.conf

#####################################################################################
#  This is not part of the default configuration that is included as part of the    #
#  Bind 9 package. This section is commented out because it isn't needed.           #
#  Also, for all of the files that were installed by default,                       #
#  look in the "/etc/bind/installer-backup" directory                               #
#                                                                                   #
#                CONFIGURED BY STEVE ERDMAN, updated 12/27/12                       #
#####################################################################################

// The following section is called the options section.
// Configures the working directory for this BIND9 installation
// Sets up BIND to allow queries from the Internet
// Recursion only from the internal network (change to your internal network!)
// Forwarders set to Level 3, Google and OpenDNS public servers (if these don't work, the Internet is probably broken!)
// Listening on localhost and this server's own address (make sure to update this to your real IP on this server!)
// IPv6 turned off
// Report the string "named" instead of the real BIND version
// auth-nxdomain yes sets the AA bit on NXDOMAIN answers, as RFC 1035 expects

options {
        directory "/etc/bind";
        notify-source * port 53;
        allow-query { any; };
        allow-recursion { 127.0.0.1; 192.168.0.0/24; };
        forwarders { 209.244.0.3; 209.244.0.4; 8.8.8.8; 8.8.4.4; 208.67.222.222; 208.67.220.220; };
        listen-on { 127.0.0.1; 192.168.0.100; };
        listen-on-v6 { none; };
        version "named";
        auth-nxdomain yes;    # conform to RFC1035
};
// end of options

#---------------------------------------------------------------------------------------#
#     Below are all of the zone files for all the forward and reverse lookup zones that #
#     your company is responsible for.                                                  #
#---------------------------------------------------------------------------------------#

// zone name
// 'type' only allows master, slave, stub, forward, hint... We own our zone, we're the master.
// specify the file that our zone sits in
// allow anyone to query our server
// allow our internal name servers to cache this zone as a slave server
// specify that if the zone data may have changed, that all servers with this zone data need to contact the SOA
// THE ERDMANOR
zone "example.com" IN {
                type master;
                file "/etc/bind/db.example.com";
                allow-query { any; };
                allow-transfer {192.168.0.7; 192.168.0.13; 192.168.0.18; 192.168.0.47; };
                notify yes;
};
// same options apply as for the above zone
// 111.222.333.0/24 reverse DNS (one PTR per host address)
zone "333.222.111.in-addr.arpa" {
                type master;
                file "/etc/bind/333.222.111.in-addr.arpa";
                allow-query { any; };
                allow-transfer {192.168.0.7; 192.168.0.13; 192.168.0.18; 192.168.0.47; };
                notify yes;
};

#---------------------------------------------------------------------------------------#
#   Consider adding the RFC 1918 zones here, if they are not used in your organization. #
#   To use them, just uncomment the following line:                                     #
#   include "/etc/bind/zones.rfc1918";                                                  #
#---------------------------------------------------------------------------------------#
#   Below are some zones that your server should cache.                                 #
#   For more info on this, visit: http://www.zytrax.com/books/dns/ch7/                  #
#---------------------------------------------------------------------------------------#

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

 

 

Now we need to create some zone files. “What is a zone file?” you may be asking… Well, zone files are where all of your host information is stored, so that when an Internet customer queries “www.yourdomain.com” your DNS server looks up the “www” host A record in its zone file and returns the response. There are all kinds of records, and here is a site that can explain all of this for you: List of DNS record types at Wikipedia.

 

Now that you’re understanding records, let’s get your zone file going. Working off of the example “named.conf” file above, let’s create our “db.example.com” and “333.222.111.in-addr.arpa” zone files. If you want to cheat a little bit, go ahead and use a zone file generator such as this one, but you really should understand how they work as well. So let’s look at one…

sudo vim db.example.com


; BIND data file for example.com
; NOTE: the 111.222.333.x addresses are placeholders (333 is not a valid octet), replace them with your real addresses
$TTL 3600
; SOA: primary name server, then the admin mailbox (hostmaster@example.com with the @ written as a dot)
@       IN      SOA     ns1.example.com.      hostmaster.example.com. (
                        2012122601      ; serial number YYYYMMDDNN, must fit in 32 bits so keep it to 10 digits
                        28800           ; Refresh
                        7200            ; Retry
                        604800          ; Expire, must be larger than Refresh + Retry
                        3600            ; Min TTL (negative caching)
                        )

        IN  NS  ns1.example.com.
        IN  NS  ns2.example.com.

        IN  MX  10  mail.example.com.
        IN  MX  20  smtp.example.com.

$ORIGIN example.com.
        IN  A   111.222.333.41
ns1     IN      A       111.222.333.42
ns2     IN      A       111.222.333.43
mail    IN      A       111.222.333.44
smtp    IN      A       111.222.333.45
autodiscover    IN      A       111.222.333.46
vpn     IN      A       111.222.333.47
www     IN      A       111.222.333.48

 

Now let’s look at our Reverse Lookup zone so you can get an idea of what yours should look like:

sudo vim 333.222.111.in-addr.arpa


; BIND data file for the 333.222.111.in-addr.arpa reverse zone
;
$TTL 3600
@       IN      SOA     ns1.example.com.      dns.example.com. (
                        2012122601      ; serial number YYYYMMDDNN
                        28800           ; Refresh
                        7200            ; Retry
                        604800          ; Expire, must be larger than Refresh + Retry
                        3600            ; Min TTL
                        )

; every zone needs NS records at its apex, or named refuses to load it
        IN      NS       ns1.example.com.
        IN      NS       ns2.example.com.

; one PTR per host, matching the A records in db.example.com
42     IN      PTR      ns1.example.com.
43     IN      PTR      ns2.example.com.
44     IN      PTR      mail.example.com.
45     IN      PTR      smtp.example.com.
46     IN      PTR      autodiscover.example.com.
47     IN      PTR      vpn.example.com.
48     IN      PTR      www.example.com.
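Before reloading named, it pays to check a zone pair for the mistakes that are easy to make by hand: an SOA serial wider than 32 bits, an expire shorter than refresh plus retry, a reverse zone with no apex NS records, and PTRs that do not point back at the forward A records. Here is a small checker added for this post (not the tutorial's or BIND's own code); its sample zones are constructed, using RFC 5737 192.0.2.x addresses in place of the 111.222.333.x placeholders.

```python
"""Sanity-check a BIND forward/reverse zone pair before "rndc reload".
Added example for this post, not part of the tutorial or of BIND. The zone
text is constructed here, with RFC 5737 192.0.2.0/24 addresses standing in
for the post's 111.222.333.x placeholders; in practice read /etc/bind/db.*.
"""
MAX_SERIAL = 2 ** 32 - 1  # the SOA serial is an unsigned 32-bit integer


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples for BIND master format: ';' comments,
    $ORIGIN/$TTL, '( )' continuations, '@', and whitespace owner inheritance."""
    records, buf, depth, prev_owner, inherit = [], [], 0, None, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        if not buf:
            inherit = line[:1].isspace()
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # still inside parentheses
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        if inherit:
            owner = prev_owner
        else:
            name = tokens.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)  # optional per-record TTL and class
        records.append((owner, tokens[0].upper(), tokens[1:]))
        prev_owner = owner
    return records


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a list of problems; empty means the pair passed every check."""
    problems = []
    fwd = parse_zone(fwd_text, fwd_origin)
    rev = parse_zone(rev_text, rev_origin)
    for origin, recs in ((fwd_origin, fwd), (rev_origin, rev)):
        soa = [r for o, t, r in recs if t == "SOA" and o == origin]
        if not soa:
            problems.append(f"{origin}: no SOA record at the zone apex")
        else:  # SOA rdata: mname rname serial refresh retry expire minimum
            serial, refresh, retry, expire = (int(x) for x in soa[0][2:6])
            if serial > MAX_SERIAL:
                problems.append(f"{origin}: serial {serial} does not fit in 32 bits")
            if expire <= refresh + retry:
                problems.append(f"{origin}: expire {expire} must exceed refresh+retry {refresh + retry}")
        if not any(t == "NS" and o == origin for o, t, _ in recs):
            problems.append(f"{origin}: no NS records at the zone apex")
    a_by_name = {o: r[0] for o, t, r in fwd if t == "A"}
    for _, t, r in fwd:  # in-zone name servers need an A record (their glue)
        if t == "NS" and r[0].endswith("." + fwd_origin) and r[0] not in a_by_name:
            problems.append(f"NS {r[0]} has no A record in {fwd_origin}")
    for o, t, r in rev:  # every PTR must round-trip to a matching A record
        if t == "PTR":
            ip = ".".join(reversed(o.removesuffix(".in-addr.arpa.").split(".")))
            if a_by_name.get(r[0]) != ip:
                problems.append(f"PTR {ip} -> {r[0]} but its A record is {a_by_name.get(r[0])}")
    return problems


# Constructed samples: GOOD_* are the post's zones with the defects fixed, BAD_* reproduce them.
GOOD_FWD = """\
$TTL 3600
@       IN  SOA ns1.example.com. hostmaster.example.com. (
            2012122601  ; serial YYYYMMDDNN
            28800       ; refresh
            7200        ; retry
            604800      ; expire, one week
            3600 )      ; negative-caching TTL
        IN  NS  ns1.example.com.
        IN  NS  ns2.example.com.
$ORIGIN example.com.
        IN  A   192.0.2.41
ns1     IN  A   192.0.2.42
ns2     IN  A   192.0.2.43
"""
GOOD_REV = """\
$TTL 3600
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2012122601 28800 7200 604800 3600 )
    IN  NS   ns1.example.com.
    IN  NS   ns2.example.com.
41  IN  PTR  example.com.
42  IN  PTR  ns1.example.com.
43  IN  PTR  ns2.example.com.
"""
BAD_FWD = GOOD_FWD.replace("2012122601", "201212263453789").replace("604800", "3600")
BAD_REV = GOOD_REV.replace("43  IN  PTR  ns2.", "43  IN  PTR  smtp.").replace(
    "    IN  NS   ns1.example.com.\n    IN  NS   ns2.example.com.\n", "42  IN  NS   ns1.example.com.\n")
```

Run `check_zones(BAD_FWD, "example.com.", BAD_REV, "2.0.192.in-addr.arpa.")` to see the four findings the original files would have produced; the GOOD pair returns an empty list.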

 

Awesome, now, one last thing that has helped me is if the “/etc/bind/” directory was owned by the “bind” user that was created upon install. Let’s do that real quick!

sudo chown -R bind:root /etc/bind/

 

Give your Bind server a quick restart, but before you restart the service, open another bash shell tab (or session) and run “sudo tail -f /var/log/syslog” and watch the output to make sure everything loads properly. It all should load up right, but if not, it’s better to find out now that there’s a problem than to wait until the end and troubleshoot tons of errors you *MAY* be having.

 

sudo /etc/init.d/bind9 restart
Stopping domain name service...: bind9 waiting for pid 2655 to die.
Starting domain name service...: bind9.

 

And don’t forget your “tail”!

steve @ debian ~ :( ?>sudo tail -f /var/log/syslog
[sudo] password for steve:
Dec 26 22:17:01 debian /USR/SBIN/CRON[3353]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Dec 26 22:48:05 debian named[2655]: received control channel command 'stop -p'
Dec 26 22:48:05 debian named[2655]: shutting down: flushing changes
Dec 26 22:48:05 debian named[2655]: stopping command channel on 127.0.0.1#953
Dec 26 22:48:05 debian named[2655]: stopping command channel on ::1#953
Dec 26 22:48:05 debian named[2655]: no longer listening on ::#53
Dec 26 22:48:05 debian named[2655]: no longer listening on 127.0.0.1#53
Dec 26 22:48:05 debian named[2655]: no longer listening on 192.168.0.100#53
Dec 26 22:48:05 debian named[2655]: exiting
Dec 26 22:48:06 debian named[3491]: starting BIND 9.7.3 -u bind
Dec 26 22:48:06 debian named[3491]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info'
Dec 26 22:48:06 debian named[3491]: adjusted limit on open files from 1024 to 1048576
Dec 26 22:48:06 debian named[3491]: found 2 CPUs, using 2 worker threads
Dec 26 22:48:06 debian named[3491]: using up to 4096 sockets
Dec 26 22:48:06 debian named[3491]: loading configuration from '/etc/bind/named.conf'
Dec 26 22:48:06 debian named[3491]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Dec 26 22:48:06 debian named[3491]: using default UDP/IPv4 port range: [1024, 65535]
Dec 26 22:48:06 debian named[3491]: using default UDP/IPv6 port range: [1024, 65535]
Dec 26 22:48:06 debian named[3491]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 26 22:48:06 debian named[3491]: listening on IPv4 interface eth0, 192.168.0.100#53
Dec 26 22:48:06 debian named[3491]: generating session key for dynamic DNS
Dec 26 22:48:06 debian named[3491]: set up managed keys zone for view _default, file 'managed-keys.bind'
Dec 26 22:48:06 debian named[3491]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: D.F.IP6.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: A.E.F.IP6.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: B.E.F.IP6.ARPA
Dec 26 22:48:06 debian named[3491]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Dec 26 22:48:06 debian named[3491]: command channel listening on 127.0.0.1#953
Dec 26 22:48:06 debian named[3491]: command channel listening on ::1#953
Dec 26 22:48:06 debian named[3491]: the working directory is not writable
Dec 26 22:48:06 debian named[3491]: zone 0.in-addr.arpa/IN: loaded serial 1
Dec 26 22:48:06 debian named[3491]: zone 333.222.111.in-addr.arpa/IN: ending notifies (serial 3289701)
Dec 26 22:48:06 debian named[3491]: zone 127.in-addr.arpa/IN: loaded serial 1
Dec 26 22:48:06 debian named[3491]: zone 255.in-addr.arpa/IN: loaded serial 1
Dec 26 22:48:06 debian named[3491]: zone example.com/IN: loaded serial 16381
Dec 26 22:48:06 debian named[3491]: zone localhost/IN: loaded serial 2
Dec 26 22:48:06 debian named[3491]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Dec 26 22:48:06 debian named[3491]: managed-keys-zone ./IN: loaded serial 0
Dec 26 22:48:06 debian named[3491]: running
Dec 26 22:48:06 debian named[3491]: zone example.com/IN: sending notifies (serial 598703)

 

 

Success! Your DNS server started and all your zones are loaded! Let’s test a couple of queries and just make sure 🙂

steve @ debian ~ :) ?>   dig @192.168.0.100 erdmanor.com mx

; <<>> DiG 9.8.1-P1 <<>> @192.168.0.100 erdmanor.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55227
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;erdmanor.com.          IN  MX

;; ANSWER SECTION:
erdmanor.com.       3600    IN  MX  20 smtp.erdmanor.com.
erdmanor.com.       3600    IN  MX  10 mail.erdmanor.com.

;; AUTHORITY SECTION:
erdmanor.com.       3600    IN  NS  ns1.erdmanor.com.
erdmanor.com.       3600    IN  NS  ns2.erdmanor.com.

;; ADDITIONAL SECTION:
mail.erdmanor.com.  3600    IN  A   65.55.37.62
smtp.erdmanor.com.  3600    IN  A   64.4.59.173
ns1.erdmanor.com.   3600    IN  A   74.125.228.105
ns2.erdmanor.com.   3600    IN  A   74.125.228.96

;; Query time: 1 msec
;; SERVER: 192.168.0.100#53(192.168.0.100)
;; WHEN: Wed Dec 26 22:52:11 2012
;; MSG SIZE  rcvd: 172

 

Fantastic, we’re looking good so far!

 

 

Now that you’re mostly updated, you’ll need to visit the registrar for your domain name and update the information for where your domain is hosted. These records are called glue records and normally they take a while to update. They could take up to 12 or 24 hours to update, so don’t get worried if you have any DNS issues in the next few hours. Really, the best time to update that information for production domains (domains that can’t suffer downtime) is early on a Saturday night. Many people are watching TV, busy with the family or out on the town after 8pm on a Saturday (unless you’re me, haha). By the time the propagation spreads across the Internet, it’s Sunday morning and no one really noticed. Also, you’ll want to get on the phone with your ISP to have them delegate (forward) the reverse lookup queries for your address block to your name servers. This is critical if you want YOUR outgoing email not to be tagged as SPAM!

According to WikiPedia, “Name servers in delegations are identified by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. If the name given in the delegation is a subdomain of the domain for which the delegation is being provided, there is a circular dependency. In this case the nameserver providing the delegation must also provide one or more IP addresses for the authoritative nameserver mentioned in the delegation. This information is called glue. The delegating name server provides this glue in the form of records in the additional section of the DNS response, and provides the delegation in the answer section of the response.

For example, if the authoritative name server for example.org is ns1.example.org, a computer trying to resolve www.example.org first resolves ns1.example.org. Since ns1 is contained in example.org, this requires resolving example.org first, which presents a circular dependency. To break the dependency, the nameserver for the org top level domain includes glue along with the delegation for example.org. The glue records are address records that provide IP addresses for ns1.example.org. The resolver uses one or more of these IP addresses to query one of the domain’s authoritative servers, which allows it to complete the DNS query.”

 

While your registrar information is updating let’s move forward and get some email action going!

 


If all you were looking for here was a DNS tutorial for a single DNS server, you’re done. If you’re looking to go any further into SPAM filtering, continue on!

I will be posting a blog as soon as I can on how to setup a distributed DNS server cluster. Stay tuned for that!

 

 

Postfix and SPAM Filtering

Alright, we need some software here, so… lets get Postfix installed!

sudo apt-get update && sudo apt-get dist-upgrade
sudo apt-get install -y postfix

 

Now, while the software is installing, you’ll be prompted to set up Postfix in a certain way. You NEED to make sure you pick “Internet Site” at the first prompt, and enter your EXTERNAL MX A-record. Many times this MX A record is either “mail.example.com” or “smtp.example.com”, but you’ll want to verify it against the DNS zone we created back in the BIND9 section. See my screenshots below:

Internet Site

smtp.erdmanor.com

 

Now that we have Postfix installed, we can setup a temporary mail relay to our Microsoft Exchange server. THIS SHOULD NOT BE IN PRODUCTION RIGHT NOW!

Go ahead and edit your “main.cf” file. There is a line we need to change that I’ll show you below:

sudo vim /etc/postfix/main.cf

# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h


# Add the IP address of your Exchange server's Receive Connector responsible for your Domain. (See below Screenshot)
relayhost = 192.168.0.125

# And lastly, find "myorigin", and right below that add in "relay_domains = mydomain.com, example.com, (other, domains, comma, separated)"
myorigin = /etc/mailname
relay_domains = erdman.cc, erdmanor.com, someone.net, assholes.org

# If you're hosting multiple domains, you'll want to setup a transport config file.
transport_maps = hash:/etc/postfix/transport

We will talk about the /etc/postfix/transport file, and others, later, but this DOES need to be there!

Exchange Server Receive Connector

 

Now that we have that complete, we’ll restart the service:

sudo /etc/init.d/postfix restart

 

SPAM Filtering Engines

Alright, cool… Let’s get some more software installed!

sudo apt-get install -y amavisd-new spamassassin clamav-daemon

 

As soon as that’s complete you’ll want to update the ClamAV virus definitions. They’re readily available, and even easier, you can run a simple command to do this:

sudo freshclam
[sudo] password for steve:
ClamAV update process started at Thu Dec 27 00:16:40 2012
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cvd is up to date (version: 16130, sigs: 427971, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 209, sigs: 40, f-level: 63, builder: neo)

If you’re really looking to have fun with this, just create a quick shell script and then make a cron job out of it to run daily 🙂

 

Alright, more software to install. Mainly more dependencies and stuff you’ll need that may not have been installed yet.

sudo apt-get install -y libnet-dns-perl pyzor razor libarchive-tar-perl libio-socket-ssl-perl libio-socket-inet6-perl libnet-ident-perl liburi-perl libwww-perl libmailtools-perl tnef arj bzip2 cabextract cpio file gzip nomarch pax unzip zip zoo ripole p7zip lzop rpm2cpio unrar-free arc

 

Perl Script Installs

Following some package installs, we’ll be needing some perl scripts. So to install those, follow these instructions:

steve @ debian ~ :) ?>   sudo perl -MCPAN -e shell


CPAN is the world-wide archive of perl resources. It consists of about
300 sites that all replicate the same contents around the globe. Many
countries have at least one CPAN site already. The resources found on
CPAN are easily accessible with the CPAN.pm module. If you want to use
CPAN.pm, lots of things have to be configured. Fortunately, most of
them can be determined automatically. If you prefer the automatic
configuration, answer 'yes' below.

If you prefer to enter a dialog instead, you can answer 'no' to this
question and I'll let you configure in small steps one thing after the
other. (Note: you can revisit this dialog anytime later by typing 'o
conf init' at the cpan prompt.)
Would you like me to configure as much as possible automatically? [yes]

 

You’ll see a ton of information fly by as many values are automatically generated for you.
Feel free to look at that stuff if you want. When you’re ready, install the perl modules we need:

(as you’re installing these Perl modules, you’ll see a lot of scrollback)

o conf prerequisites_policy ask
o conf commit
install IP::Country::Fast
install MIME::Base64
install MIME::QuotedPrint
install Net::DNS
install DB_File
quit

 

Now for the DCC install. I haven’t found a package for DCC in the Debian repos unfortunately, and while that is a drawback to this software, it’s not the end of the world. We’ll just need to do some quick building of the software. But first we need to acquire the software from the DCC download page. The newest version that is out was released on January 12, 2013.

From your Debian VM, run this command:

wget http://www.dcc-servers.net/src/dcc/old/dcc-1.3.144.tar.Z

Then you can extract and build the software like this:

tar -xzvf dcc-1.3.144.tar.Z
cd dcc-1.3.144/
./configure
make
sudo make install clean

And you’re ready to move forward! (we’ll configure DCC later, for now we just need to have the software installed)

NOTE

Perfect, we’re moving right along here. One other thing to note here is that with all this going on, you’re going to want a highly tuned box. What I mean by that is, think of it this way: Every time a message comes in, we’re sending that message through 4 scanning engines, each one of which invokes its own shell or child process, some using a Perl interpreter, and unpacking/repacking each message in a temporary folder, inspecting the message and then sending it back out to your internal Exchange server. There’s A LOT going on here. This may add a bit of latency to the delivery of your messages. Remember, I’m running a VM on an SSD, with a Core i7 960, and the VM has 2 cores and 1GB of RAM. The latency I’m seeing here, as opposed to my other email service, is less than 1 minute, which is more than reasonable. We’ll go over some tuning at the end of this and tweak this whole system to work as efficiently as possible.

 

Okay, now we need some user accounts created so that we can tighten up security a bit.

Start by cat’ing your /etc/passwd file. Depending on whether you’re following my tutorial on Red Hat, CentOS, Ubuntu or another OS, I want to make sure that our “amavis”, “spamd”, “anomy” and “clamav” users are created.

steve @ debian ~ :) ?>   cat /etc/passwd
...
...
steve:x:1000:1000:Steve Erdman,,,:/home/steve:/bin/bash
postfix:x:104:107::/var/spool/postfix:/bin/false
bind:x:105:109::/var/cache/bind:/bin/false
clamav:x:106:110::/var/lib/clamav:/bin/false
amavis:x:107:111:AMaViS system user,,,:/var/lib/amavis:/bin/sh

 

SpamAssassin Configure

Based on this information, we’re good on most user accounts, but we need to create a “spamd” account and an “anomy” account. We also need to setup working directories for both of these services and lock down access to them.

sudo mkdir -p /var/run/spamassassin
sudo mkdir -p /usr/local/anomy
# dedicated non-login accounts for spamd and anomy (on Debian the nologin shell is /usr/sbin/nologin;
# pick other UID/GID numbers if 112 or 113 are already taken on your box)
sudo groupadd -g 112 spamd
sudo useradd -u 112 -g 112 -s /usr/sbin/nologin -d /var/run/spamassassin spamd
sudo chown spamd:spamd /var/run/spamassassin
sudo chmod 750 /var/run/spamassassin
sudo groupadd -g 113 anomy
sudo useradd -u 113 -g 113 -s /usr/sbin/nologin -d /usr/local/anomy anomy
sudo chown root:anomy /usr/local/anomy
sudo chmod 750 /usr/local/anomy
# amavis and clamav need to read each other's files (clamd scans the amavis temp directories)
sudo usermod -a -G clamav amavis
sudo usermod -a -G amavis clamav

 

Now let’s modify the SpamAssassin conf file:

sudo vim /etc/default/spamassassin

 

And modify these parameters: ( by default, SpamAssassin is disabled, we need to give it options to start)

ENABLED=1
OPTIONS="--username=spamd --create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamassassin/spamd.pid"
CRON=1

 

Now let’s try to start SpamAssassin:

sudo /etc/init.d/spamassassin restart

 

And update the databases for SpamAssassin:

sudo sa-update

 

 

Amavis-New Configure

Now, let’s get Amavis running. Technically, it is already running, but we need to enable Virus and SPAM filtering. Start by editing this file:

sudo vim /etc/amavis/conf.d/15-content_filter_mode

 

There are 4 lines in the file that you need to “uncomment”. See below:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.
#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return

 

Now restart Amavis to take effect:

sudo /etc/init.d/amavis restart

 

 

 

Anomy Configure

###I WANT TO STRESS THAT THIS PORTION (ANOMY) IS STILL UNDER INVESTIGATION AND YOU CAN SKIP THIS PART###

Now let’s get Anomy installed and running. First we’ll have to download it from their website.

steve @ debian ~ :) ?>   cd ~
/home/steve
steve @ debian ~ :) ?>   wget http://bre.klaki.net/cgi-bin/qc?mailtools.anomy.net/dist/anomy-sanitizer-1.76.tar.gz
HTTP request sent, awaiting response... 200 OK
Length: 172722 (169K) [application/x-gzip]
Saving to: “qc?mailtools.anomy.net%2Fdist%2Fanomy-sanitizer-1.76.tar.gz”

100%[================================================================================>] 172,722      168K/s   in 1.0s    

2012-12-27 15:26:38 (168 KB/s) - “qc?mailtools.anomy.net%2Fdist%2Fanomy-sanitizer-1.76.tar.gz” saved [172722/172722]

 

Now to move it to its new home and unpack it. (For some reason the file name wasn’t right, so we need to rename it.)

sudo mv qc\?mailtools.anomy.net%2Fdist%2Fanomy-sanitizer-1.76.tar.gz /usr/local/anomy-sanitizer-1.76.tar.gz
cd /usr/local/
sudo su
tar -zxvf anomy-sanitizer-1.76.tar.gz
cd anomy
ls -alh

 

For starters on configuration, I found a site that provides a baseline config that we’ll work off of. Thanks to “advosys.ca” for this one! We’ll use this conf file to start with. If that link doesn’t work, here it is on my site: anomy.conf.

Download that file and place it in your /usr/local/anomy/ folder.

END OF ANOMY SECTION

 

 

Allow Mail to be Scanned: Postfix Configuration

 

Now what we need to do is set up Postfix to actually send the mail to the spam filtering engines. In order to make this happen we’re going to have to modify some Postfix files. We’re also going to set up the “client_access”, “helo_access”, “sender_access” and “transport” files. We’ll talk more about those after we modify the “main” and “master” files for Postfix. Basically, these files further enhance how Postfix is able to start the filtering process before mail even gets to the SPAM Filtering Engines. It is here that we start invoking services such as dsbl.org, spamhaus.org, abuseat.org and dnsbl.sorbs.net, which work by telling servers like ours that a client address or domain is either blacklisted or black-holed. PLEASE visit their sites for more information. Let’s start by looking at the “main.cf” file. To look at the “main.cf” file in all its glory, check this out. All of the descriptions below are credited to that page.

**NOTE**: I’m setting up my configuration with the ability to verify user accounts through Active Directory. The reason for this is to allow Postfix to verify that the email address is valid before processing the mail. This is yet another safeguard against SPAM. Why accept mail for an account that doesn’t exist in your domain? Just block it! I’ll also show you how to secure the communications between Postfix and the domain. We’ll talk about this later. I haven’t added this content yet, but I will in the future! **END NOTE**

What I’m going to do is just post my “main.cf” file in here and then comment the hell out of it so you understand the reasons for what is in the file. Please take out ALL of my comments before pasting this config into your “main.cf” file! If you don’t, you will most definitely have errors at run time!

#EDITED BY STEVE ERDMAN
# This is the banner that will be seen by all systems connecting to our Postfix server.
smtpd_banner = The Erd-Manor-dot-com ESMTP Relay

#Biff is an old legacy thing that isn't needed anymore and can cause performance issues if left on.
biff = no

#We don't want to help anyone out. If you're hosting more than 1 domain, you better leave this off (no).
append_dot_mydomain = no

#This is how much time Postfix will wait before sending a message back to the originating server
#that there is an issue.
delay_warning_time = 4h

#This tells Postfix where to send mail on the next hop. You need this if you have more than 1 domain.
transport_maps = hash:/etc/postfix/transport

#The Internet hostname of this mail system. The default is to use the fully-qualified domain name (FQDN)
#of your MX record.
myhostname = smtp.erdmanor.com

#The alias databases that are used for local mail delivery. We'll be modifying this later.
alias_maps = hash:/etc/aliases

#This is just where the aliases exist at.
alias_database = hash:/etc/aliases

#For most cases, your /etc/mailname file should contain the "myhostname" value. In this case, smtp.erdmanor.com
myorigin = /etc/mailname

#What destination domains (and subdomains thereof) this system will relay mail to.
#This can be a file or a list of domains, that, are, comma, separated
relay_domains = erdman.cc, erdmanor.com

#The list of domains that are delivered via the $local_transport mail delivery transport. By default
#this is the Postfix local delivery agent which looks up all recipients in /etc/passwd and /etc/aliases.
#The SMTP server validates recipient addresses with $local_recipient_maps and rejects non-existent
#recipients.This can be a file or a list of domains
mydestination = debian.example.com, localhost

#This is usually the primary IP address of your Internal Exchange Server. This value is trumped by "transport_maps"
# so if you have multiple relay servers, you can comment this out like I have.
#relayhost = 192.168.0.125

# This is just a list of your internal networks. The list of "trusted" remote SMTP clients that have more
#privileges than "strangers". You can also specify "/file/name" or "type:table" patterns.
mynetworks = 127.0.0.0/8, 192.168.0.0/24

#The maximal size of any local individual mailbox or maildir file, or zero (no limit). In fact, this limits
#the size of any file that is written to upon local delivery, including files written by external commands
#that are executed by the local delivery agent. This limit must not be smaller than the message size limit.
mailbox_size_limit = 0

#The separator between user names and address extensions (user+foo). Basically, the software tries user+foo
#and .forward+foo before trying user and .forward. Just leave it the way it is.
recipient_delimiter = +

#The network interface addresses that this mail system receives mail on. Specify "all" to receive mail on all
#network interfaces (default) and "loopback-only" to receive mail on loopback network interfaces only.
inet_interfaces = all

#After the message is queued, send the entire message to the specified transport:destination. The transport
#name specifies the first field of a mail delivery agent definition in master.cf; the syntax of the next-hop
#destination is described in the manual page of the corresponding delivery agent. More information about
#external content filters is in the Postfix FILTER_README file.
content_filter = smtp-amavis:[127.0.0.1]:10024

#Enable or disable recipient validation, built-in content filtering, or address mapping. Typically, these
# are specified in master.cf as command-line arguments... Specify zero or more of the following options.
#The options override main.cf settings and are either implemented by smtpd(8), qmqpd(8), or pickup(8)
#themselves, or they are forwarded to the cleanup server.
#no_address_mappings means that we will disable canonical address mapping, virtual alias map expansion,
#address masquerading, and automatic BCC (blind carbon-copy) recipients. This is typically specified
#BEFORE an external content filter.
receive_override_options = no_address_mappings

#Require that addresses received in SMTP MAIL FROM and RCPT TO commands are enclosed with <>, and that
#those addresses do not contain RFC 822 style comments or phrases. This stops mail from poorly written
#software. By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM and RCPT TO addresses.
strict_rfc821_envelopes = yes

#Reject the request when the HELO or EHLO hostname has no DNS A or MX record. The
#unknown_hostname_reject_code parameter specifies the numerical response code for rejected requests
#(default: 450). This is a strong way to stop many spammers.
unknown_hostname_reject_code = 450

#The numerical Postfix SMTP server response code when a client without valid address <=> name mapping
# is rejected by the reject_unknown_client_hostname restriction. The SMTP server always replies with
#450 when the mapping failed due to a temporary error condition. Do not change this unless you have a
# complete understanding of RFC 5321. Turning this on can cause a lot of false positives, test this out.
### unknown_client_reject_code = 450

#Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.
disable_vrfy_command = yes

#Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restrictions
#and $smtpd_sender_restrictions, or wait until the ETRN command before evaluating
#$smtpd_client_restrictions and $smtpd_helo_restrictions. This feature is turned on by default because
#some clients apparently mis-behave when the Postfix SMTP server rejects commands before RCPT TO.The
#default setting has one major benefit: it allows Postfix to log recipient address information when
#rejecting a client name/address or sender address, so that it is possible to find out whose mail is
#being rejected.
smtpd_delay_reject = yes

#Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the
#MAIL command or other commands that require EHLO negotiation.
smtpd_helo_required = yes

#You need to read this --> http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
#The reject_rbl_client entries below are the DNS blacklists that spam originates from.
smtpd_client_restrictions =
        permit_mynetworks,
        check_client_access hash:/etc/postfix/client_access,
        reject_unknown_client_hostname,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client sbl.spamhaus.org,
        permit

# You need to read this --> http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions
# reject_unknown_helo_hostname (commented out below) can cause false positives, test before production!
smtpd_helo_restrictions =
        permit_mynetworks,
        check_helo_access hash:/etc/postfix/helo_access,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
#        reject_unknown_helo_hostname,
        permit

# reject_unknown_sender_domain can cause false positives, test before production!
# (a "#" in the middle of a value line is NOT a comment in main.cf, so the note lives up here)
smtpd_sender_restrictions =
        permit_mynetworks,
        check_sender_access hash:/etc/postfix/sender_access,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        permit

# reject_non_fqdn_hostname can cause false positives, test before production!
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        permit

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

Wow, that took forever…

Now we need to jump into the “master.cf” file. This one is a bit more tricky than the “main.cf” in that it has a lot more little tweaks. For more info on “master.cf”, there is an excellent “FAQ” on Postfix’s website: HERE. Here we go, I’ll do this the same as I did for the “main.cf” file, attempting to explain as much as I can so that you understand what everything is doing. 🙂 Remember to take out ALL of my comments before pasting this config into your “master.cf” file! If you don’t, you will most definitely have errors at run time!

Here we go, here’s my “master.cf” file:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
         -o content_filter=
         -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
    -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Now we need to take care of our “client_access”, “helo_access”, “sender_access” and “transport” files as we spoke of earlier. There are many types of these files that can be referenced by the “main.cf” file, but these are really the only ones we need. Theoretically, we could have created a bunch more of these, and in a large enterprise that owns hundreds or thousands of domains, it’s almost a necessity to do so. For all the info you need about these files, look at the Postfix database documentation and the access(5) man page.

Back in the “main.cf” file, we added a line item in there that looks like this: “check_client_access hash:/etc/postfix/client_access”. The purpose of the Client Access file is to “search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets.” So what does that mean? Basically it means that this file is like an access control list for remote SMTP servers. It checks client information: host names, network addresses, and envelope sender or recipient addresses.

As a safeguard, we should NEVER be accepting email from our own domain, from a remote source. Our Exchange server is inside our organization already and will process our internal mail for us. This proxy will deny anyone out on the internet trying to spoof mail into our domain. You want to make sure to have every domain you own in this list. And you can also do some “whitelisting” in here as well. Let’s get our “client_access” file going:

erdmanor.com        REJECT
erdman.cc       REJECT
74.114.46.150       OK
directv.com     OK
linuxmint.com       OK
forums.linuxmint.com    OK

Now for our “helo_access” file. This file is much the same: it is another ACL that we are setting up. Postfix states that this command will tell the Postfix server to “Search the specified access database for the MX hosts for the HELO or EHLO hostname, and execute the corresponding action. Note 1: a result of “OK” is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. Note 2: specify “smtpd_helo_required = yes” to fully enforce this restriction (without “smtpd_helo_required = yes”, a client can simply skip check_helo_mx_access by not sending HELO or EHLO).” One caveat on the file below: the /.../ entries are regular expressions, and a hash: table built with postmap compares keys literally, so those lines only take effect when the file is referenced as a regexp: or pcre: table (and a regexp table in turn expects every entry to be a pattern).

erdmanor.com            REJECT
erdman.cc           REJECT
/^smtp\.erdman\.cc$/        550 Dont use my own hostname
/^smtp\.erdmanor\.com$/     550 Dont use my own hostname
/^mail\.erdman\.cc$/        550 Dont use my own hostname
/^mail\.erdmanor\.com$/     550 Dont use my own hostname
/^ns1\.erdman\.cc$/     550 Dont use my own hostname
/^ns1\.erdmanor\.com$/      550 Dont use my own hostname
/^ns2\.erdman\.cc$/     550 Dont use my own hostname
/^ns2\.erdmanor\.com$/      550 Dont use my own hostname
/^\[108\.227\.33\.121\]$/   550 Dont use my own IP address
/^\[108\.227\.33\.122\]$/   550 Dont use my own IP address
/^\[108\.227\.33\.123\]$/   550 Dont use my own IP address
/^\[108\.227\.33\.124\]$/   550 Dont use my own IP address
/^\[108\.227\.33\.125\]$/   550 Dont use my own IP address
/^[0-9.]+$/         550 Your software is not RFC 2821 compliant
/^[0-9]+(\.[0-9]+){3}$/     550 Your software is not RFC 2821 compliant
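To see what these two tables actually do at lookup time, here is an added Python model (not code from the post, and not Postfix itself) of the access(5) lookup order quoted above, run over the post’s client_access entries and a few of its helo_access entries. It also shows why the /regex/ lines only match when the file is read as a regexp: or pcre: table, since a hash: table compares keys literally. The client hostnames and IP addresses it is fed are constructed sample values.

```python
"""Added example, not code from the post or from Postfix: a small model of how
check_client_access and check_helo_access resolve a lookup, following the
order the post quotes from access(5): client hostname, its parent domains,
the client IP address, then networks obtained by stripping least-significant
octets. It also shows why the /regex/ lines in helo_access only fire when
the file is read as a regexp: (or pcre:) table; a hash: table built by
postmap compares keys literally. All sample tables and clients are constructed."""
import re

# client_access exactly as listed in the post (a hash: table).
CLIENT_ACCESS = """
erdmanor.com            REJECT
erdman.cc               REJECT
74.114.46.150           OK
directv.com             OK
linuxmint.com           OK
forums.linuxmint.com    OK
"""

# A subset of the post's helo_access file: one literal key plus two /regex/ lines.
HELO_ACCESS = r"""
erdmanor.com                REJECT
/^smtp\.erdman\.cc$/        550 Dont use my own hostname
/^[0-9]+(\.[0-9]+){3}$/     550 Your software is not RFC 2821 compliant
"""


def parse_hash_table(text):
    """hash: semantics: the first field is the literal key (postmap folds it to
    lower case) and the rest of the line is the action. A /regex/ line simply
    becomes a key that no real hostname will ever be equal to."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def parse_regexp_table(text):
    """regexp: semantics: every entry must be '/pattern/ action', tried in file
    order. Lines without a pattern are syntax errors for Postfix; they are
    returned separately so the caller can see what the mixed file would lose."""
    entries, errors = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^/(.*)/\s+(.+)$", line)
        if match:
            entries.append((re.compile(match.group(1), re.IGNORECASE), match.group(2).strip()))
        else:
            errors.append(line)
    return entries, errors


def lookup_hash(table, key):
    return table.get(key.lower())


def lookup_regexp(entries, key):
    for pattern, action in entries:
        if pattern.search(key):
            return action
    return None


def client_lookup_keys(hostname, ip):
    """Keys check_client_access tries, in order. A client without a verified
    reverse DNS name is 'unknown' to Postfix and gets no name lookups at all."""
    keys = []
    if hostname and hostname != "unknown":
        labels = hostname.lower().split(".")
        keys.extend(".".join(labels[i:]) for i in range(len(labels)))
    octets = ip.split(".")
    keys.extend(".".join(octets[:i]) for i in range(len(octets), 0, -1))
    return keys


def check_client_access(table, hostname, ip):
    """Return (matched_key, action) for the first key found, or (None, None),
    in which case the next restriction in smtpd_client_restrictions is evaluated."""
    for key in client_lookup_keys(hostname, ip):
        action = lookup_hash(table, key)
        if action is not None:
            return key, action
    return None, None


if __name__ == "__main__":
    clients = parse_hash_table(CLIENT_ACCESS)
    # Constructed clients: a linuxmint host, an unnamed host at the whitelisted IP,
    # a host whose reverse name claims to be ours, and an unrelated host that falls through.
    for host, ip in [("box.forums.linuxmint.com", "203.0.113.9"),
                     ("unknown", "74.114.46.150"),
                     ("relay.erdmanor.com", "198.51.100.7"),
                     ("mx.example.net", "192.0.2.1")]:
        print(host, ip, "->", check_client_access(clients, host, ip))

    helo_hash = parse_hash_table(HELO_ACCESS)
    helo_regexp, bad_lines = parse_regexp_table(HELO_ACCESS)
    for helo in ["erdmanor.com", "smtp.erdman.cc", "10.0.0.1"]:
        print(helo, "hash:", lookup_hash(helo_hash, helo),
              "regexp:", lookup_regexp(helo_regexp, helo))
    print("rejected by a regexp: table:", bad_lines)
```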

Moving right along here, let’s look at the “sender_access” file. Again, this is another ACL that is supposed to search the specified access database for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action. We want all of our domains in here as well, and for the same reason as the “client_access” file.

erdmanor.com            REJECT
erdman.cc               REJECT
forums.linuxmint.com    OK
linuxmint.com       OK

And lastly, our transport file. This file is really important. Without this working properly we won’t get any mail at all from this proxy.

erdmanor.com        smtp:[192.168.0.126]
erdman.cc       smtp:[192.168.0.127]

Now that we have our access and transport files completed, we need to make them usable to Postfix. The only way that’s possible is to run the “postmap” command on them.

sudo postmap client_access
sudo postmap helo_access
sudo postmap sender_access
sudo postmap transport

ANYTIME YOU MODIFY THESE 4 FILES YOU MUST RUN THE POSTMAP COMMAND AGAINST THEM AND THEN RESTART POSTFIX! NO EXCEPTIONS!

Now that Postfix is set up and ready to go, let’s get it restarted and watch our log files at the same time. You should still have a second terminal open, so start your “tail” and then you can restart Postfix.

steve @ debian ~ :) >sudo tail -f /var/log/syslog
steve @ debian ~ :) >sudo /etc/init.d/postfix restart
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.

Here is the output from the tail:

Dec 28 11:34:12 debian postfix/master[1481]: terminating on signal 15
Dec 28 11:34:12 debian postfix/master[3266]: daemon started -- version 2.7.1, configuration /etc/postfix

At a bare minimum here, assuming your DNS records are setup properly, your MX records have propagated throughout the Internet, your Firewall is setup properly, your Exchange box is setup properly, and the other million variables are good, you should be able to drop this in between your firewall and your Exchange server. I would suggest putting this in a DMZ that is forward facing to the internet as I explained in one of my previous blogs “Serious network architecture that works for everyone“.

SPAM Filter: SpamAssassin Configuration

Now that our Postfix Proxy is moving mail properly, let’s get some SPAM engines configured. 🙂 We’ll start with SpamAssassin. A brief background on SpamAssassin: this product is an open source code set that is actually used behind the scenes in a TON of other SPAM filtering products.

Let’s get a quick idea of where SpamAssassin stores its files:

/etc/spamassassin
/etc/cron.daily/spamassassin
/etc/default/spamassassin
/etc/init.d/spamassassin
/etc/mail/spamassassin
/etc/spamassassin/
/usr/bin/spamassassin
/usr/share/spamassassin
/usr/share/doc/spamassassin/
/usr/share/man/man1/spamassassin*
/usr/share/perl5/spamassassin-run.pod
/usr/share/spamassassin/
/var/lib/spamassassin
/var/lib/amavis/.spamassassin
/var/lib/dpkg/info/spamassassin.*
/var/lib/spamassassin/

Here is what my “/etc/spamassassin/local.cf” file looks like. I’ll comment on the file as I did earlier in this blog. Don’t forget to remove ALL “#comments” before using this in your configuration. If you don’t, you will most definitely have errors at run time! Also, according to SpamAssassin, “There are now multiple files read to enable plugins in the /etc/mail/spamassassin directory; previously only one, “init.pre” was read. Now both “init.pre”, “v310.pre”, and any other files ending in “.pre” will be read. As future releases are made, new plugins will be added to new files, named according to the release they’re added in.” So we’re going to have to go through that stuff as well. Again, if you would like any further information regarding this, I urge you to visit the SpamAssassin page for the local.cf configuration settings.

# I recommend not using this for this implementation. Our Postfix Server is acting as a Proxy to our
# Exchange server. If you have internal servers that need to get mail to your users, then the best
# place to handle that workload is at the Exchange Server Receive connectors. Send your internal mail there.
# trusted_networks 192.168.0.0/24

#Here is where we do our subject line rewrite for mail that is marked as SPAM.
rewrite_header Subject  [***** SPAM _SCORE_ *****]

#Score that a message needs to get to in order to be classified as SPAM.
# this number is actually pretty high, but after tweaking it, you can lower it to 4.5 or 5.0.
required_score      7.0

#If the mail message meets the two above requirements the message is then packed up into an attachment and
# forwarded to the recipient in plain text. It is up to the user to inspect and go from there.
report_safe     2

# Turn on DCC
# dcc
use_dcc 1
dcc_path            /usr/bin/dccproc
dcc_add_header          1
dcc_dccifd_path         /usr/sbin/dccifd

# Turning on the skip_rbl_checks setting will disable the DNSEval plugin, which implements Real-time Block
# List (or: Blackhole List) (RBL) lookups. We WANT Those checks to happen so leave this at ZERO (0).
skip_rbl_checks     0

#razor
use_razor2          1
razor_config            /etc/razor/razor-agent.conf

#pyzor
pyzor_options           --homedir /etc/mail/spamassassin discover
use_pyzor           1
pyzor_path          /usr/bin/pyzor
pyzor_add_header        1


# Language and Location options. I have mine set to only allow English. If you work at a large international
# business you'll want to setup all the languages your company communicates in or just say allow all:
#  ok_locales all         (allow all locales)
#  ok_locales en          (only allow English)
#  ok_locales en ja zh    (allow English, Japanese, and Chinese)
ok_locales              en


# The next three deal with the Bayes system and how SpamAssassin actually can "learn" spam.
use_bayes       1
use_bayes_rules     1
bayes_auto_learn    1
use_learner 1

# If you receive mail filtered by upstream mail systems, like a spam-filtering ISP or mailing list, and that
# service adds new headers (as most of them do), these headers may provide inappropriate cues to the Bayesian
# classifier, allowing it to take a "short cut". To avoid this, list the headers using this setting. Example:
# bayes_ignore_header X-Upstream-Spamfilter
# bayes_ignore_header X-Upstream-SomethingElse
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

# To be accurate, the Bayes system does not activate until a certain number of ham (non-spam) and
# spam have been learned. The default is 200 of each ham and spam, but you can tune these up or
# down with these two settings.
bayes_min_ham_num        20 #default is 200
bayes_min_spam_num       20 #default is 200

# The Bayes system will, by default, learn any reported messages (spamassassin -r) as spam.
# If you do not want this to happen, set this option to 0.
bayes_learn_during_report      1


# SpamAssassin will opportunistically sync the journal and the database. It will do so once a day,
# but will sync more often if the journal file size goes above this setting, in bytes. If set to
# 0, opportunistic syncing will not occur.
bayes_journal_max_size        102400

# What should be the maximum size of the Bayes tokens database? When expiry occurs, the Bayes
# system will keep either 75% of the maximum value, or 100,000 tokens, whichever has a larger
# value. 150,000 tokens is roughly equivalent to a 8Mb database file.
bayes_expiry_max_db_size      200000

# If enabled, the Bayes system will try to automatically expire old tokens from the database.
# Auto-expiry occurs when the number of tokens in the database surpasses the
# bayes_expiry_max_db_size value.
bayes_auto_expire      1


# If this option is set, whenever SpamAssassin does Bayes learning, it will put the information
# into the journal instead of directly into the database. This lowers contention for locking the
# database to execute an update, but will also cause more access to the journal and cause a delay
# before the updates are actually committed to the Bayes database.
# (0 is the default; set to 1 to turn journaling on)
bayes_learn_to_journal 0



#   Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit

#   default: strongly-whitelisted mails are *really* whitelisted now, if the
#   shortcircuiting plugin is active, causing early exit to save CPU load.
#   Uncomment to turn this on
shortcircuit USER_IN_WHITELIST       on
shortcircuit USER_IN_DEF_WHITELIST   on
shortcircuit USER_IN_ALL_SPAM_TO     on
shortcircuit SUBJECT_IN_WHITELIST    on

#   the opposite; blacklisted mails can also save CPU
shortcircuit USER_IN_BLACKLIST       on
shortcircuit USER_IN_BLACKLIST_TO    on
shortcircuit SUBJECT_IN_BLACKLIST    on

#   and a well-trained bayes DB can save running rules, too
#
shortcircuit BAYES_99                spam
shortcircuit BAYES_00                ham

endif # Mail::SpamAssassin::Plugin::Shortcircuit

Here’s that Exact same file without all the comments:

rewrite_header Subject  [***** SPAM _SCORE_ *****]
required_score          7.0
report_safe         2
use_dcc 1
dcc_path                /usr/bin/dccproc
dcc_add_header          1
dcc_dccifd_path         /usr/sbin/dccifd
skip_rbl_checks     0
use_razor2          1
razor_config            /etc/razor/razor-agent.conf
pyzor_options           --homedir /etc/mail/spamassassin discover
use_pyzor               1
pyzor_path          /usr/bin/pyzor
pyzor_add_header        1
ok_locales              en
use_bayes       1
use_bayes_rules     1
bayes_auto_learn    1
use_learner 1
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status
bayes_min_ham_num        20 #default is 200
bayes_min_spam_num       20 #default is 200
bayes_learn_during_report      1
bayes_journal_max_size        102400
bayes_expiry_max_db_size      200000
bayes_auto_expire      1
bayes_learn_to_journal 0


ifplugin Mail::SpamAssassin::Plugin::Shortcircuit

shortcircuit USER_IN_WHITELIST       on
shortcircuit USER_IN_DEF_WHITELIST   on
shortcircuit USER_IN_ALL_SPAM_TO     on
shortcircuit SUBJECT_IN_WHITELIST    on

shortcircuit USER_IN_BLACKLIST       on
shortcircuit USER_IN_BLACKLIST_TO    on
shortcircuit SUBJECT_IN_BLACKLIST    on

shortcircuit BAYES_99                spam
shortcircuit BAYES_00                ham

endif # Mail::SpamAssassin::Plugin::Shortcircuit

Now we need to restart SpamAssassin and test out our changes.

sudo sa-update -D --updatedir /tmp/updates
sudo /etc/init.d/spamassassin restart
echo "test" | sudo spamassassin -D pyzor 2>&1 | less

Alright, enough SpamAssassin stuff. Let’s get Amavis up and running.

SPAM Filter: Amavis-New Configuration

Now that our Postfix Proxy is moving mail properly and SpamAssassin is filtering mail, let’s get Amavis-New configured. Remember what we said before: Amavis sends mail to SpamAssassin by default. That is the reason why we set up SpamAssassin first. In order to have Amavis properly scanning mail we’ll be configuring files in your /etc/amavis/ directory. Before we jump into that, let’s get an idea of where Amavis is located on your server. Below is where Amavis has files in a default install:

/etc/amavis/
/etc/amavis/conf.d/
/etc/cron.d/amavisd-new
/etc/cron.daily/amavisd-new
/etc/cron.hourly/amavisd-new
/etc/init.d/amavis
/etc/init.d/amavisd-new-milter
/etc/ldap/schema/amavis.schema
/etc/logcheck/ignore.d.server/amavisd-new
/etc/logcheck/violations.ignore.d/amavisd-new
/usr/sbin/amavis
/usr/sbin/amavis-milter
/usr/sbin/amavisd-agent
/usr/sbin/amavisd-nanny
/usr/sbin/amavisd-new
/usr/sbin/amavisd-new-cronjob
/usr/sbin/amavisd-release
/usr/share/amavis/
/usr/share/amavis/conf.d/
/usr/share/doc/amavisd-new/
/usr/share/lintian/overrides/amavisd-new
/var/lib/amavis/
/var/lib/dpkg/info/amavisd-ne*
/var/lib/update-rc.d/amavis
/var/lib/update-rc.d/amavisd-new-milter

I know that seems like a lot, but we’ll try to cover it all. Amavis is really a different beast than SpamAssassin. But since SpamAssassin is already doing the brunt of the work, we can take our time on this one a bit.

SPF Records

The last thing I wanted to cover in this blog is DNS SPF records: since we’re hosting our own DNS and mail servers, it would only be right for us to cover them. This is just another layer of security that we *should be* using to help strengthen not only our email, but our whole external domain.

STILL A WORK IN PROGRESS!

I updated this again on 2/3/13. But I’m lazy, so… there’s no change log. 🙂

References for this blog go out to:
http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm
http://www.bind9.net/manuals
http://www.zytrax.com/books/dns/ch7/queries.html
http://www.itechlounge.net/2011/12/bind-unexpected-rcode-refused-resolving-xx-xx-xx-xx-in-addr-arpaptrin/
http://www.webupd8.org/2009/11/how-to-disable-ipv6-in-ubuntu-910.html
http://pgl.yoyo.org/as/bind-zone-file-creator.php
http://postfix.1071664.n5.nabble.com/Unknown-Recipient-Domain-td44755.html
http://www.cyberciti.biz/tips/howto-postfix-flush-mail-queue.html
http://www.zytrax.com/books/dns/
http://www.fencepost.net/2010/03/fix-postfix-recipient-address-rejected-domain-not-found/
http://www.zytrax.com/books/dns/ch7/xfer.html#notify
http://www.zytrax.com/books/dns/ch8/soa.html
http://www.postfix.org/addon.html
http://wiki.apache.org/spamassassin/UsingRazor
http://wiki.apache.org/spamassassin/UsingPyzor
http://wiki.apache.org/spamassassin/UsingDcc
http://www.dcc-servers.net/dcc/
http://www.kaspersky.com/linux-mail-security
http://www.postfix.org/FILTER_README.html
http://www.giac.org/paper/gsec/2824/smtp-gateway-virus-filtering-amavis-postfix/104787
http://advosys.ca/papers/email/53-postfix-filtering.html
http://mailtools.anomy.net/
http://www.dcc-servers.net/dcc/INSTALL.html
http://www.amavis.org/
http://spamassassin.apache.org/
http://www.postfix.org/
http://onetforum.com/fourm/viewtopic.php?p=27
http://wiki.apache.org/spamassassin/WritingRules
http://codesorcery.net/old/docs/spamtricks.html
http://svn.apache.org/repos/asf/spamassassin/branches/3.3/spamd/README
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html
http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions


Cisco ASAs: Baseline Configurations


So, I’ve been dabbling around in the Cisco field for many years now. I started taking Cisco Academy courses at a local college in the Fall of 2002 and since then I’ve completed all the CCNA, CCNP and most recently the CCNA Security courses. By no means am I calling myself an expert, the best Cisco engineer on the planet, or even on par with a Cisco engineer that’s been in the field for at least a year or so. But what I am saying is that I feel I’ve got a decent background.

I bought a Cisco ASA 5505 a few years ago, played with it for a while and then got sidetracked with other work. I even forgot I owned the device for a while, until I took my CCNA Security course in the Fall of 2012.

Again, the purpose of this blog site is to help give back to the community. So I just want to throw down a little ASA knowledge for anyone interested in buying an ASA for home use. This stuff is even transferable to the high-class 5510’s up to the 5585’s.

Now, I host my own services for many reasons: mail, web, remote access, etc. The main reason I do this is that with every service I run out of my house, I gain more knowledge in IT management, securing networks, and knowing what it takes to run both sides of the house (IT and Security). What I want to do here is go over how to create a baseline configuration for a Cisco ASA unit. It really is easier than you think.

So let’s get going here!

If you’ve got a brand new Cisco ASA, right out of the box and you’re about to plug it in, you’re in a perfect spot. If you bought one off eBay or something like that, you’ll want to wipe the configuration on the device.

In order to wipe an ASA you need to know the enable password to the device, or you need to boot it into recovery mode. If you’re having issues with the password, I recommend you just reset it with the information on Cisco’s website.

I’m doing this work from a Debian box, but you can do this from virtually any OS. You’ll need a Cisco serial cable, which you should’ve gotten with your purchase of an ASA. For those of you who haven’t seen one, they look like this:
Cisco Serial Cable

And if you’re connecting with a laptop made in the last few years you’ll need a USB to serial adapter. Many computers don’t even have Serial ports anymore, so this adapter is essential.
USB to Serial (RS-232)

To connect to the Cisco ASA, connect your USB connector to your computer, and the Cisco serial cable to your ASA device. Then the easiest thing to use is Putty, which you can get from the Putty Website. There is the installer for pretty much every Windows OS as well as the source code that you can compile on just about every Unix/Linux platform out there.

After you get Putty installed and running, you can modify the settings to your liking. I like being able to see all the scroll-back of my sessions, so I normally set that to “999999” or something like that, and I also save all session output to putty.log on the Desktop of whatever OS I’m on at the time.

To connect to your Cisco ASA, on the main screen, click on “Serial”, verify that your serial port is properly set up and click “Connect”. For Windows based machines, your USB to Serial connector usually will create a COM port that you’ll have to verify in the “Device Manager”. In Linux, the USB to Serial Adapter creates a device in your “/dev” directory, usually named “/dev/ttyUSB0”, but again, you’ll want to verify that. Also, most Linux distros require that you access that device as root. You may have to start Putty from the command line like this:

sudo putty

You should see this window appear after a few seconds:

Putty Screen in Linux

Alright enough messing around. Connect to your ASA and then power it on. You’ll see a bunch of scroll back as your device is starting. Like this:

CISCO SYSTEMS
Embedded BIOS Version 1.0(12)6 08/21/06 17:26:53.43

Low Memory: 632 KB
High Memory: 251 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  01  00   1022   2080  Host Bridge        
 00  01  02   1022   2082  Chipset En/Decrypt 11
 00  0C  00   1148   4320  Ethernet           11
 00  0D  00   177D   0003  Network En/Decrypt 10
 00  0F  00   1022   2090  ISA Bridge        
 00  0F  02   1022   2092  IDE Controller    
 00  0F  03   1022   2093  Audio              10
 00  0F  04   1022   2094  Serial Bus         9
 00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)6) #0: Mon Aug 21 19:34:06 PDT 2006

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
                                               
Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa845-k8.bin... Booting...
Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9672
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 96 files, 10581/31033 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 109051904, Reserved memory: 41943040

Total SSMs found: 0

Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 0019.0724.43f6
88E6095 rev 2 Ethernet @ index 07 MAC: 0019.0724.43f5
88E6095 rev 2 Ethernet @ index 06 MAC: 0019.0724.43f4
88E6095 rev 2 Ethernet @ index 05 MAC: 0019.0724.43f3
88E6095 rev 2 Ethernet @ index 04 MAC: 0019.0724.43f2
88E6095 rev 2 Ethernet @ index 03 MAC: 0019.0724.43f1
88E6095 rev 2 Ethernet @ index 02 MAC: 0019.0724.43f0
88E6095 rev 2 Ethernet @ index 01 MAC: 0019.0724.43ef
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0019.0724.43f7
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while...
Running Permanent Activation Key:  

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 50             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.


Cisco Adaptive Security Appliance Software Version 8.4(5)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2012 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
Flash read failed

Cryptochecksum (changed):  

Pre-configure Firewall now through interactive prompts [yes]?

 

From here the ASA is going to ask a series of questions in order to get a very minimal configuration setup. You can go through them or not. Either way will be fine. I’m going to go through the prompts just to show what questions are asked:

Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]: Routed
Enable password [<use current password>]: {strong-password-here}
Allow password recovery [yes]?
Clock (UTC):
  Year [2012]:
  Month [Dec]:
  Day [21]:
  Time [22:57:31]: 18:00:35
Management IP address: 172.27.128.56
Management network mask: 255.255.255.0
Host name: Erdmanor-ASA
Domain name: erdmanor.com
IP address of host running Device Manager:

The following configuration will be used:
Enable password:
Allow password recovery: yes
Clock (UTC): 18:00:35 Dec 21 2012
Firewall Mode: Routed
Management IP address: 172.27.128.56
Management network mask: 255.255.255.0
Host name: Erdmanor-ASA
Domain name: erdmanor.com

Use this configuration and write to flash? yes
INFO: Security level for "management" set to 0 by default.
Cryptochecksum: e661f916 9e00a961 ba015bae 20f4d894

2081 bytes copied in 1.50 secs (2081 bytes/sec)

 

It’s very important here that you set up your ASA in Routed mode. With a Base license, Routed mode is the only way to get an Internal, External and DMZ interface on the same box, and even then the third VLAN interface is restricted. According to Cisco, “For the Base license, allow this interface to be the third VLAN by limiting it from initiating contact to one other VLAN using the following command:

hostname(config-if)# no forward interface vlan number

Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic.

With the Base license, you can only configure a third VLAN if you use this command to limit it.

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network.

If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.”

 

My suggestion here is that the Outside interface should never initiate traffic to the Internal network, so that is the pair to restrict with the no forward interface command. The Internal network only needs to talk out, to Internet hosts and to the DMZ; it is the most trusted network we have, so it should never accept inbound connections from the Internet. The DMZ is where inbound traffic lands: any reverse proxies live there and relay to the Internal network on behalf of Internet hosts. A reverse SMTP proxy or an HTTP or HTTPS reverse proxy are good examples. There is NEVER a reason for the Internal network to accept Internet traffic…… unless you have a lazy admin, or your company doesn’t know shit about security.

 

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same-security interfaces lets traffic flow freely between all of them without access lists; interfaces at different security levels keep behaving as usual. I highly discourage this, but if you want interfaces on the same security level to be able to communicate with each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface

 

So let’s see. What should we start with? Well, if you saw my blog on network architecture you’ll know that we should start things off securely. Let’s get a DMZ up and running as well as our internal and external interfaces.

enable
conf t
(config)# interface vlan 1
(config-if)# ip address 192.168.0.1 255.255.255.0   ### Change this to match your internal network
(config-if)# nameif Inside
(config-if)# security-level 100
(config-if)# no shut
(config-if)# exit
(config)# interface vlan 200
(config-if)# ip address 172.16.0.1 255.255.255.0    ### Change this to match your DMZ network
(config-if)# nameif DMZ
(config-if)# security-level 50
(config-if)# no shut
(config-if)# exit
(config)# interface vlan 100
(config-if)# no forward interface vlan 1             ### Base license: the third VLAN interface may not initiate traffic to one other VLAN. Outside must never initiate to Inside, so restrict that pair. Must come BEFORE nameif.
(config-if)# ip address (outside IP) 255.255.255.248 ### Change this to match your ISP Static IP Address
(config-if)# nameif Outside
(config-if)# security-level 0
(config-if)# no shut
(config-if)# end
write mem

What we’ve done here is set up the three VLAN interfaces we’ll be using in our network. The Outside interface is configured last on purpose: with the Base license the third VLAN interface is the restricted one, and Cisco requires the “no forward interface” command to be entered before that interface’s “nameif”. Restricting Outside from initiating traffic to Inside costs us nothing, since the Outside should never be opening connections into the Internal network anyway, while the DMZ still needs to initiate traffic to both Inside (reverse proxies) and Outside (updates, outbound mail). On a 5505 also assign the physical Ethernet0/x switch ports to VLAN 100 and 200 with the “switchport access vlan” command, or the new VLAN interfaces will have no ports behind them. Once you set up these VLANs, issue the “end” command followed by the “write mem” command to save your running config, then issue “show run” to review it.

 

Now, let’s get rid of some configuration that Cisco throws in there and we don’t need. One caveat before you paste this in: the default global_policy is what carries the ASA’s application-layer inspection (DNS, FTP, H.323 and friends). Removing it as shown below means no inspection at all until you write a policy-map of your own, so decide whether that is what you want.

conf t
(config)# no service-policy global_policy global
(config)# clear configure call-home
(config)# no ftp mode passive
(config)# no snmp-server enable
(config)# no telnet timeout 5
(config)# end
wr mem

 

Now you can go back and check your config again by issuing the “show run” command.

So, let’s get off this console connection and get our SSH running. Once SSH is running we can not only access our Cisco ASA from the Linux command line where most of us are more comfortable, but we can also build up some pretty sweet Python scripts that we can use to manage our ASA much easier. My coworker Adrian, (AKA, IronGeek), wrote up some pretty bad ass Python scripts to do some various management tasks on some higher end 5500 Series ASA’s (fully tested on 5510, 5520 and 5540’s).

(config)# crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
(config)# ssh 192.168.0.0 255.255.255.0 inside
(config)# ssh timeout 45
(config)# ssh version 2
(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
(config)# aaa authentication enable console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
(config)# username steve password MyP@ssw0rd! privilege 15

You got 2 warning messages here. The first command that warned you the local user database was empty was telling the ASA to look at the local user database for authentication. The second warning was for the same reason, but the command was telling the ASA that you also wanted user authentication for the “enable” command.

 

Perfect, now let’s get out of this console connection and configure this thing over SSH.

ssh steve@192.168.0.1
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 54:df:df:3e:we:5b:yj:20:ng:46:f4:a7:9p:a3:e6:8x.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.
steve@192.168.0.1's password:
Type help or '?' for a list of available commands.
Erdmanor-ASA> en
Password: *********
Erdmanor-ASA#

 

Now that we’ve got management access set up, let’s get a real config going on this thing. The first thing it needs is a default gateway, so that it knows where to send traffic. Your Internet Service Provider (ISP) should have given you a default gateway IP address. If they haven’t, it is usually the address of your ISP’s on-site equipment, typically some type of router.

 

Now let’s start creating our network objects. Beginning with ASA version 8.3, network objects are used to configure all forms of NAT: you create a network object, and the NAT is configured inside that object. Cisco calls NAT configured this way Auto NAT (also called object NAT). In the step below, the network object “internal-network” is used to translate the inside network 192.168.0.0/24 to the public addresses held in the object “outside-hide-nat”.

 

You’re really going to want to create as MANY object groups as you can think of for all of your network segments. There’s a LOT of overhead here. You’re better off starting out by making a list of all your servers, their functions, their open ports and what needs to be accessed from the Internet, then coming back and making your object groups. I went through all this crap when I put this together; you can do the same (it’s really not that difficult, and if you’re at a business and you don’t already have this stuff documented, shame on you!).

 

Let’s start with the default “quad-zero” route and then specify the internal, external and DMZ networks. The “nat” statements we’re going to add to the Internal and DMZ network objects say that all outbound traffic will be translated to the public addresses in “outside-hide-nat”. Note the “pat-pool” keyword (available since 8.4(2)): with a plain “dynamic outside-hide-nat” a range object gives you dynamic NAT, one public address per inside host, and with only four addresses in the pool the fifth host would get no translation at all. With “pat-pool” every address in the range carries its own full set of source ports, and the trailing “interface” keyword falls back to the Outside interface address if the pool is ever exhausted.

(config)# route Outside 0.0.0.0 0.0.0.0 108.227.33.126
(config)# object network outside-hide-nat
(config-network-object)# range 108.227.33.121 108.227.33.124
(config-network-object)# exit
(config)# object network internal-network
(config-network-object)# subnet 192.168.0.0 255.255.255.0
(config-network-object)# nat (Inside,Outside) dynamic pat-pool outside-hide-nat interface
(config-network-object)# exit
(config)# object network dmz-network
(config-network-object)# subnet 172.16.0.0 255.255.255.0
(config-network-object)# nat (DMZ,Outside) dynamic pat-pool outside-hide-nat interface
(config-network-object)# end
# wr mem
Building configuration...
Cryptochecksum: 9a5cd00b 1dcb8169 b07905cf 8b7904ed

2961 bytes copied in 1.120 secs (2961 bytes/sec)
[OK]

 

Alright, so now we have basic Internet access from both our networks (the DMZ and Internal). Now we need to configure our ASA to forward specific inbound traffic to our DMZ servers. It is very important that you realize we’re using static Port Address Translation (PAT) here. There are other ways to do NAT, but we have more services to publish than we have public IP addresses: more than five DMZ servers and only four public IP addresses available for inbound traffic, so several services share a public address and are told apart by port.

What we’ll do here is create more objects first.

object network openvpn
 host 172.16.0.14
object network https-exchange
 host 172.16.0.17
object network dns-external-1
 host 172.16.0.23
object network dns-external-2
 host 172.16.0.28
object network external-rdp
 host 172.16.0.37
object network external-ssh
 host 172.16.0.45

 

Now we need to create the static PAT statements for all of our externally accessible services. For each inbound service we enter a network object with a unique name (re-entering the objects created above is fine), specify the DMZ host it points to, and then add the inbound NAT tied to a service. Watch the interface pair: these hosts live in the DMZ, so the NAT is written (DMZ,Outside), not (Inside,Outside).

(config)# object network client-openvpn
(config-network-object)# host 172.16.0.14
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service tcp https https
(config-network-object)# exit

 

See how easy that is? Let’s look at this for a quick minute though. First there is the network object name, “client-openvpn”. Then we specify the DMZ host IP address the name is attached to. Then we create the PAT: the nat statement names the real and mapped interfaces (DMZ,Outside), the public address the service is published on, the protocol (tcp), the real port on the DMZ host (443) and the port presented on the Outside (443). Read it as “172.16.0.14 port 443 in the DMZ is reachable as 108.227.33.124 port 443 from the Outside”.

 

Now that we’ve got one done, let’s get the rest:

(config)# object network openvpn-site2site
(config-network-object)# host 172.16.0.14
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service udp 7777 7777
(config-network-object)# exit
(config)# object network http-20
(config-network-object)# host 172.16.0.23
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service tcp www www
(config-network-object)# exit
(config)# object network http-25
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.123 service tcp www www
(config-network-object)# exit
(config)# object network https-25
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.123 service tcp https https
(config-network-object)# exit
(config)# object network https-exchange
(config-network-object)# host 172.16.0.17
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service tcp https https
(config-network-object)# exit
(config)# object network smtp-in
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service tcp smtp smtp
(config-network-object)# exit
(config)# object network dns-external-1
(config-network-object)# host 172.16.0.23
(config-network-object)# nat (DMZ,Outside) static 108.227.33.122 service udp domain domain
(config-network-object)# exit
(config)# object network dns-external-2
(config-network-object)# host 172.16.0.28
(config-network-object)# nat (DMZ,Outside) static 108.227.33.123 service udp domain domain
(config-network-object)# exit
(config)# object network external-rdp
(config-network-object)# host 172.16.0.37
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service tcp 3389 3389
(config-network-object)# exit
(config)# object network external-ssh
(config-network-object)# host 172.16.0.45
(config-network-object)# nat (DMZ,Outside) static 108.227.33.124 service tcp ssh ssh
(config-network-object)# exit
(config)# wr mem

 

Now that we have our host objects created, as well as our PAT NAT objects, we can move along and create the access list for our Outside interface. This access list controls Internet traffic inbound to our servers, specifies the port for each server service and logs every hit. Remember that since 8.3 the ASA evaluates the inbound ACL against the real (untranslated) address, so the entries name the DMZ hosts and their real ports, not the public addresses. The UDP port for the site-to-site OpenVPN entry must be the same 7777 used in its NAT statement; a permit for any other port would leave that service unreachable with no warning from the ASA. Then we apply the access list to the Outside interface with “access-group”; the name there has to match the access-list name exactly.

(config)# access-list outside-traffic-inbound extended permit udp any host 172.16.0.23 eq domain log
(config)# access-list outside-traffic-inbound extended permit udp any host 172.16.0.28 eq domain log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.23 eq www log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq www log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.37 eq 3389 log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.45 eq ssh log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.17 eq https log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq https log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.14 eq https log
(config)# access-list outside-traffic-inbound extended permit udp any host 172.16.0.14 eq 7777 log
(config)# access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq smtp log
(config)# access-list outside-traffic-inbound extended deny ip any any log
(config)# access-group outside-traffic-inbound in interface Outside
(config)# wr mem
Building configuration...
Cryptochecksum: 7f5a5aab aabeeafa dff03aeb ef264ed5

3404 bytes copied in 1.110 secs (3404 bytes/sec)
[OK]
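The NAT and ACL halves above are easy to get out of step, and the ASA accepts both without complaint: a static PAT whose real port never appears in the inbound ACL, two services landing on the same public address and port, or an access-group that names an access list that was never defined. Since I mentioned managing ASAs from Python, here is an added example (mine, not from the original post and not Cisco’s) that models the published services as data, renders the object NAT and ACL lines in the same form used above, and cross-checks them before anything is pasted into the box. The service table and the ACL text are copied from this post; the function names are my own.

```python
"""Cross-check ASA 8.3+ object (Auto) NAT against the inbound ACL.

Added example, not from the original post.  The service table and ACL text
are the ones from this post; the checks and names are mine.  On 8.3+ the
inbound ACL is matched against the REAL (untranslated) address, so every
static PAT needs a permit naming the DMZ host and the real port.
"""
from collections import namedtuple
Service = namedtuple("Service", "name real_host proto real_port mapped_ip mapped_port")

# ASA port literals accepted in 'service' and 'eq' clauses; numbers pass through.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "domain": 53, "ssh": 22}

# Published services from the post: real DMZ host -> public address, same port.
SERVICES = [
    Service("client-openvpn",    "172.16.0.14", "tcp", "https",  "108.227.33.124", "https"),
    Service("openvpn-site2site", "172.16.0.14", "udp", "7777",   "108.227.33.124", "7777"),
    Service("http-20",           "172.16.0.23", "tcp", "www",    "108.227.33.122", "www"),
    Service("http-25",           "172.16.0.28", "tcp", "www",    "108.227.33.123", "www"),
    Service("https-25",          "172.16.0.28", "tcp", "https",  "108.227.33.123", "https"),
    Service("https-exchange",    "172.16.0.17", "tcp", "https",  "108.227.33.122", "https"),
    Service("smtp-in",           "172.16.0.28", "tcp", "smtp",   "108.227.33.122", "smtp"),
    Service("dns-external-1",    "172.16.0.23", "udp", "domain", "108.227.33.122", "domain"),
    Service("dns-external-2",    "172.16.0.28", "udp", "domain", "108.227.33.123", "domain"),
    Service("external-rdp",      "172.16.0.37", "tcp", "3389",   "108.227.33.124", "3389"),
    Service("external-ssh",      "172.16.0.45", "tcp", "ssh",    "108.227.33.124", "ssh"),
]

# The inbound ACL as first typed in the post: udp 5656 where the NAT says 7777, and
# an access-group naming 'outside-traffic-in' instead of 'outside-traffic-inbound'.
ACL_AS_TYPED = """
access-list outside-traffic-inbound extended permit udp any host 172.16.0.23 eq domain log
access-list outside-traffic-inbound extended permit udp any host 172.16.0.28 eq domain log
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.23 eq www log
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq www log
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.37 eq 3389 log
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.45 eq ssh log
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.17 eq https log
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq https log
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.14 eq https log
access-list outside-traffic-inbound extended permit udp any host 172.16.0.14 eq 5656 log
access-list outside-traffic-inbound extended permit tcp any host 172.16.0.28 eq smtp log
access-list outside-traffic-inbound extended deny ip any any log
access-group outside-traffic-in in interface Outside
"""

def port_number(port):
    # Resolve an ASA port literal ('https') or a numeric string ('3389') to an int.
    return PORT_NAMES[port] if port in PORT_NAMES else int(port)

def render_nat(svc, real_if="DMZ", mapped_if="Outside"):
    """Object NAT lines for one service, in the form pasted into config mode."""
    return [f"object network {svc.name}",
            f" host {svc.real_host}",
            f" nat ({real_if},{mapped_if}) static {svc.mapped_ip} "
            f"service {svc.proto} {svc.real_port} {svc.mapped_port}"]

def render_acl(services, acl="outside-traffic-inbound", iface="Outside"):
    """Matching inbound ACL (real addresses) plus the access-group that applies it."""
    lines = [f"access-list {acl} extended permit {s.proto} any host {s.real_host} "
             f"eq {s.real_port} log" for s in services]
    lines.append(f"access-list {acl} extended deny ip any any log")
    lines.append(f"access-group {acl} in interface {iface}")
    return lines

def mapped_collisions(services):
    """Different real endpoints published on the same public ip/proto/port."""
    owners, collisions = {}, []
    for s in services:
        key = (s.mapped_ip, s.proto, port_number(s.mapped_port))
        real = (s.real_host, port_number(s.real_port))
        if key in owners and owners[key] != real:
            collisions.append((s.name, key))
        owners.setdefault(key, real)
    return collisions

def parse_acl(text):
    """Return (permitted {(host, proto, port)}, defined ACL names, applied ACL names)."""
    permitted, defined, applied = set(), set(), []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            defined.add(tok[1])
            if "permit" in tok and "host" in tok and "eq" in tok:
                permitted.add((tok[tok.index("host") + 1], tok[tok.index("permit") + 1],
                               port_number(tok[tok.index("eq") + 1])))
        elif tok[:1] == ["access-group"]:
            applied.append(tok[1])
    return permitted, defined, applied

def unreachable_services(services, acl_text):
    """NAT rules whose real host/proto/port has no permit: the ASA never warns about these."""
    permitted, _, _ = parse_acl(acl_text)
    return [s.name for s in services
            if (s.real_host, s.proto, port_number(s.real_port)) not in permitted]

def dangling_access_groups(acl_text):
    """access-group statements that apply an ACL which is never defined."""
    _, defined, applied = parse_acl(acl_text)
    return [name for name in applied if name not in defined]
```

Run `unreachable_services(SERVICES, ACL_AS_TYPED)` and `dangling_access_groups(ACL_AS_TYPED)` against the ACL as first typed and you get back the two slips, the site-to-site OpenVPN rule with no matching permit and the misnamed access-group; feed it the output of `render_acl(SERVICES)` instead and both lists come back empty.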

 

 

Fantastic. The process we just ran through for the DNS servers, a host object with a static PAT plus a matching permit in the inbound ACL, can be repeated for any other service you run. Running Microsoft Exchange? You’ll want to allow TCP 443 into it. An SSH server? TCP 22 for that. An SMTP reverse proxy for spam filtering? TCP 25 into that.

Well… you get the picture. Just repeat process! 🙂

 

 

Now, to complete a network properly we shouldn’t just let anyone out over any port; as it stands there is no egress filtering at all. Let’s specify which ports our internal users, as well as our servers, are allowed to use towards the Internet. That means more network objects and more access lists.

 

 

Obviously, there’s no reason to ever be browsing the Internet from a server. Don’t be lazy, just do it right. Start by creating a network object group containing either the subnet your Windows servers are on or the individual host IP addresses of your Windows servers.

object-group network Windows-Servers
 description Microsoft Windows Servers Group
 network-object host 172.16.0.15
 network-object host 172.16.0.16
 network-object host 172.16.0.17
 network-object host 172.16.0.19
 network-object host 172.16.0.37
 network-object host 172.16.0.45
 network-object host 172.16.0.99

 

 

Now let’s make a network object group that contains the most commonly used IP ranges owned and operated by Microsoft. These ranges change over time, so check them against Microsoft’s current published address lists before you rely on them:

object-group network Microsoft-Internet
 description Microsoft server networks External IP ranges
 network-object 64.4.0.0 255.255.192.0
 network-object 65.52.0.0 255.252.0.0
 network-object 207.46.0.0 255.255.0.0

 

 

Now all we need is an ACL to allow the servers to talk outbound:

access-list inside-traffic-outbound extended permit tcp object-group Windows-Servers object-group Microsoft-Internet eq www
access-list inside-traffic-outbound extended permit tcp object-group Windows-Servers object-group Microsoft-Internet eq https

 

 

Let’s do the same thing for our Linux servers. We have Linux Mint, Debian, and Ubuntu on the network, so first build a “Linux-Systems” object group containing those hosts, exactly like the Windows-Servers group above, and then tie all of their update mirrors together in one group:

object-group network Linux-OS-Updates
 description Linux Mint - Debian - and Ubuntu server networks External IP ranges
 network-object 91.189.88.0 255.255.240.0
 network-object 65.175.128.0 255.255.255.128
 network-object 109.203.97.0 255.255.255.0
 network-object 204.45.0.0 255.255.0.0

 

 

And again we need to create our ACLs:

access-list inside-traffic-outbound extended permit tcp object-group Linux-Systems object-group Linux-OS-Updates eq www
access-list inside-traffic-outbound extended permit tcp object-group Linux-Systems object-group Linux-OS-Updates eq https

 

 

I also talk on a couple networks like AOL IM, ICQ and Facebook Chat so my computer needs access out to those servers.

So again create the object group, with the IP Ranges for AOL, ICQ and Facebook:

object-group network aim-icq-fb
 description networks for Facebook, AOL IM and ICQ Instant Messengers
 network-object 173.252.64.0 255.255.192.0
 network-object 69.171.224.0 255.255.224.0
 network-object 66.220.144.0 255.255.240.0
 network-object 64.12.0.0 255.255.0.0
 network-object 205.188.0.0 255.255.0.0

 

 

And again, allow traffic out with an ACL:

access-list inside-traffic-outbound extended permit tcp host 192.168.0.86 object-group aim-icq-fb eq aol
access-list inside-traffic-outbound extended permit tcp host 192.168.0.86 object-group aim-icq-fb eq 5222

 

Also, if you’re running a spam filtering server in your DMZ while your mail server is on your Internal network, then you’ll have to create a NAT and an ACL entry from your DMZ to your Internal network for TCP 25, using the same process again.

 

Also, don’t forget to allow your Exchange server to send mail and your DNS servers to perform lookups!! The “Internal-DNS-Servers” group used below is another object group you build the same way as Windows-Servers.

 

access-list inside-traffic-outbound extended permit tcp object https-exchange any eq smtp
access-list inside-traffic-outbound extended permit udp object-group Internal-DNS-Servers any eq domain

 

 

Lastly, an access list does nothing until it is applied, so if you want your DMZ or Internal hosts to reach the Internet, apply the egress list to each interface with the “access-group inside-traffic-outbound in interface Inside” command (and its own list on the DMZ interface; the Windows-Servers and Linux entries above name 172.16.0.x addresses, so they belong in a list applied to the DMZ, not to Inside). An interface with no ACL applied lets everything out according to the security levels, and the moment you apply one, everything not explicitly permitted is dropped. Haha, won’t get far without that!

 
 

Have fun with this. There’s a million ways to tweak what you’re trying to do!

 

Enjoy!

 

 

 

References for this blog go to:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1054877
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
http://www.gomjabbar.com/2011/09/11/no-forward-interface-command-on-the-cisco-asa-5505-with-a-base-license/
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wpxref64390
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1094668
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/nat_overview.html
http://blog.f85.net/2011/11/cisco-asa-5500-ad-integration.html
https://www.google.com/search?oq=cisco+asa+5505+active+directory+authentication&sourceid=chrome&ie=UTF-8&q=cisco+asa+5505+active+directory+authentication
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1140516
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/objectgroups.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_objects.html#wp1525205
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_objects.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_overview.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_extended.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html

 

 

 


Open Source: Managing Debian and Ubuntu Linux with Active Directory


I talked about this in my last blog post: We had a need for authentication on our Linux/Unix systems to be done by Active Directory. So my co-worker and I set off on a mission to fulfill this request. We’d tried some software that wasn’t free, heard about some other software that wasn’t free and then it struck us. “Why pay?”

All the work had previously been done for us in the Open Source community… why not leverage them directly? So this is my homage to the Open Source community. I’m going to try to give back by writing this blog about my trials and tribulations in setting up this functionality. I’ll forewarn you, this blog entry is very long and gets into a lot of detail, but I assure you, at the end of the day, this works!

My testbed here is my home network. I’m running a 2008 Server with AD installed. Nothing special, very vanilla, no crazy GPOs to deal with, no delegations to worry about and I’ve secured the environment fairly well (IMHO). There are virtually no extra roles, services or features installed other than a base install of AD Services, but I do have Exchange Server 2010 installed, so the schema has been extended for that. But it shouldn’t affect your environment if you aren’t running Exchange.

I want to get one last statement in here: I am by no means a Linux or Unix Expert, but I can troubleshoot and read. The way I have this setup here is the way I figured out to do it and the best I can say is that it works, it’s secure, and it doesn’t take long to do. I’ve done a bunch of research and I’m going to attempt to regurgitate that knowledge back into this blog as best I can. If you know how to do something better here, please contact me at my LinkedIn page 🙂 .

So let’s get down to brass tacks here… I have some Debian based systems (Linux Mint 13, Debian 6 and two Ubuntu 10.04 Servers), a Red Hat server (RHEL 6), an Oracle Enterprise Linux 6 Server, 3 Windows Server 2008 domain controllers, an Exchange 2010 server and some other systems on my home network. I wanted to extend my AD capabilities by getting my Debian based systems to authenticate to my 2008 Domain Controllers (DCs).

To start, you’ll need to know a couple of pieces of information. You’ll need to know which DC holds the PDC Emulator FSMO role. The easiest way to find out is to log onto a DC, fire up AD Users and Computers, right click on the domain name and then click on Operations Masters. In the window that appears, click on the PDC tab and document the FQDN of the server that currently holds that role.

Operations Master

After you identify this system, the next best thing to do is create a DNS entry pointing to your PDC Server. This way if you ever need to decommission your current PDC server, you can just change the DNS record and not have to go back to all your Linux systems to update the system they authenticate to.

From here, everything you’re going to do, aside from creating new AD users and security groups, will all be done at the Linux command line. There’s a couple of conf files that we need to configure after installing some software on each of the systems. In one of my future blog posts, I’m (hopefully) going to be going over using Chef to distribute configuration files <http://wiki.opscode.com/pages/viewpage.action?pageId=7274862>.

This whole process isn’t all that difficult as long as you have a decent understanding of the services and subsystems that you’re relying on. Here they are:

  • Pluggable Authentication Modules (PAM)
  • Server Message Block (SMB, Samba)
  • WinBIND (part of Samba)
  • Kerberos 5 (By MIT, with Microsoft compatibility hacks)

So, let’s get some software installed. Below is the EXACT command line that I used on my Ubuntu servers (10.04).

sudo apt-get install krb5-user libkrb53 krb5-config winbind samba ntp ntpdate nss-updatedb libnss-db libpam-ccreds libnss-ldap ldap-utils

 

After installing that software, you’ll want to stop all the services while you configure them:

sudo /etc/init.d/samba stop
sudo /etc/init.d/winbind stop
sudo /etc/init.d/ntp stop      # the ntp package's init script is /etc/init.d/ntp, not ntp-server

 

Each server in a Kerberos authentication realm must be assigned a Fully Qualified Domain Name (FQDN) that is both forward- and reverse-resolvable.

Note: Active Directory depends heavily on DNS, so it is likely that the Active Directory Domain Controller is also running the Microsoft DNS server package. If this is the case, verify that each server has a FQDN assigned to it before performing the tests outlined in this section.

If the server already has an FQDN assigned to it, test forward and reverse look-up with the following commands:

nslookup server.example.com
nslookup 10.1.1.5        # the IP address of the server

The output of the first command should contain the IP address of the server. The output of the second command should contain the FQDN of the server. If this is not the case, Kerberos authentication will not function properly. Next, we’ll be configuring the Kerberos Config file which is located here: /etc/krb5.conf Here’s what mine looks like (Make sure to read the comments I put in there):

[libdefaults]
# Kerberos realm names are CASE sensitive; this must be all UPPERCASE!
# Comments must sit on their own line: krb5.conf has no trailing comments,
# anything after the value would become part of the value.
default_realm = MYDOMAIN.COM

[logging]
default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log

[realms]
# MUST BE ALL CAPS ON THIS LINE, and must be the same string as default_realm above!
MYDOMAIN.COM = {
# You really only need one KDC entry, but in my network there are three DCs, so I listed all of them.
kdc = kerberos.mydomain.com:88
kdc = kerberos2.mydomain.com:88
kdc = kerberos3.mydomain.com:88
# This should be set to the DC that holds the PDC role
admin_server = kerberos.mydomain.com
default_domain = mydomain.com
}

[login]
krb4_convert = true
krb4_get_tickets = false

#
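Two things in krb5.conf bite people and neither produces a helpful error: the realm name is case-sensitive and has to be the same string in [libdefaults] and [realms], and the file has no trailing comments, so a “# note” after a value silently becomes part of the value and kinit goes looking for a realm that does not exist. Here is an added example in Python (mine, not from this post and not MIT’s code) that parses the profile format the way the library reads it, flags inline comments, and checks default_realm against the [realms] section. The broken and fixed samples are constructed from the file above; the function names are my own.

```python
"""Sanity-check a krb5.conf before running kinit.

Added example, not from the original post.  The parser follows the MIT
profile format: '[section]' headers, 'key = value' lines, '{ ... }'
subsections, and comments ONLY on lines that start with '#' or ';'.
Everything after the '=' is the value, trailing '# remarks' included,
which is exactly how libkrb5 reads it.
"""

# Constructed sample: the realm is spelt two different ways and every value
# carries a trailing comment, so the KDC would be asked about the wrong realm.
BROKEN_KRB5_CONF = """
[libdefaults]
default_realm = ERDMANOR.COM #Kerberos is CASE sensitive; this must be all UPPERCASE!
[realms]
MYDOMAIN.COM = { # MUST BE ALL CAPS ON THIS LINE!
kdc = kerberos.mydomain.com:88 #You really only need 1 kerberos domain controller
admin_server = kerberos.mydomain.com #This should be set to the DC that holds the PDC Role
default_domain = mydomain.com #
}
"""

# Constructed sample with the comments on their own lines and a single realm name.
FIXED_KRB5_CONF = """
[libdefaults]
# Kerberos realm names are CASE sensitive; this must be all UPPERCASE!
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = kerberos.mydomain.com:88
kdc = kerberos2.mydomain.com:88
admin_server = kerberos.mydomain.com
default_domain = mydomain.com
}
"""


def parse_krb5_conf(text):
    """Return (config, problems); config maps section -> key -> [values] or -> {subsection}."""
    config, problems, stack = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                  # blank or whole-line comment
        if line.startswith("[") and line.endswith("]"):
            stack = [config.setdefault(line[1:-1], {})]
            continue
        if not stack:
            problems.append(f"line {lineno}: '{line}' appears before any [section]")
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            else:
                problems.append(f"line {lineno}: unmatched '}}'")
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            problems.append(f"line {lineno}: '{line}' is not 'key = value'")
            continue
        if "#" in value or ";" in value:
            problems.append(f"line {lineno}: trailing comment in value of '{key}' "
                            f"({value!r}); krb5 treats it as part of the value")
        if value.startswith("{"):
            sub = {}
            stack[-1][key] = sub                      # e.g. a realm block under [realms]
            stack.append(sub)
        else:
            stack[-1].setdefault(key, []).append(value)   # repeated keys (kdc = ...) accumulate
    if len(stack) > 1:
        problems.append("unterminated '{' block at end of file")
    return config, problems


def check_krb5_conf(text):
    """Everything that would stop kinit against AD: parse problems plus realm mismatches."""
    config, problems = parse_krb5_conf(text)
    realm = config.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        return problems + ["[libdefaults] has no default_realm"]
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} is not upper-case; realm names are case-sensitive")
    realms = config.get("realms", {})
    if realm not in realms:
        problems.append(f"default_realm {realm!r} has no entry in [realms] (found {sorted(realms)})")
    elif not isinstance(realms[realm], dict) or not realms[realm].get("kdc"):
        problems.append(f"[realms] {realm} lists no kdc")
    return problems
```

`check_krb5_conf(open("/etc/krb5.conf").read())` returning an empty list is the point at which kinit is worth trying; on the broken sample it reports the five trailing comments, the default_realm that is no longer upper-case once the comment is glued onto it, and the missing [realms] entry for it.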

 

Active Directory, for as long as I can remember, tolerates a clock skew of about +/- 5 minutes. You can adjust that window by editing your Domain Policies (Group Policies, GPOs), but there’s no real need to. Anything outside that window and your Domain Controllers will reject Kerberos ticket requests with a clock-skew error. This is why you need to make sure your NTP daemon points at your domain controllers. I recommend using a DNS name rather than an IP address: if the PDC ever changes, you don’t need to go back to all your old machines and update conf files. Run this command: “sudo nano /etc/ntp.conf”

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Specify one or more NTP servers.

server kerberos.mydomain.com #insert your PDC here
server kerberos2.mydomain.com #secondary DC
server kerberos3.mydomain.com #third DC
server 1.ubuntu.pool.ntp.org #fall back to Ubuntu's NTP
server 2.ubuntu.pool.ntp.org #
server 3.ubuntu.pool.ntp.org #

#

So, we’re on our way here. It goes without saying that you’re probably getting a DHCP address from a Domain Controller if you’re already on a Windows network. If you’re setting up a server with a static address, then make sure to set up your DNS nameservers in your /etc/resolv.conf file so that you’re getting DNS from your PDC and any other Domain Controllers which host DNS. I DON’T recommend using your “/etc/hosts” file for this.

 

So lets get to testing! From the command line issue this command:

kinit username@MYDOMAIN.COM
# obviously change this to your username and the domain name on your network.
# Notice the UPPERCASE spelling of MYDOMAIN.COM? The realm must match krb5.conf exactly.
# (kinit's -p flag asks for a proxiable ticket, it does not mean "principal", so leave it out.)

After that command is entered you should be getting prompted for your DOMAIN password. From here just make sure that you’re not getting any errors (which you shouldn’t). If you’re looking to verify that you have a valid ticket, then issue this command:

klist -e

Now that we have Kerberos and NTP working properly, we can move on to the next portion of authentication: PAM. If you don’t know anything about PAM you can safely skip to the configuration portion of this part. For those of you wanting more of an understanding, I got this information from http://www.tldp.org/HOWTO/html_single/User-Authentication-HOWTO/, and it’s VERY good info. Also, verify that your “/etc/skel/” directory is set up properly, since pam_mkhomedir copies it into every new user’s home directory. You can get creative with this and have some pretty neat options rolled out to all your users if you prefer.

#I took out all the #comments for this blog, but I HIGHLY recommend that you leave them in!

so here are what my PAM modules look like in /etc/pam.d/:

common-account:
# /etc/pam.d/common-account - authorization settings common to all services
# (pam_mkhomedir is a session module; it lives in common-session below, not in an account stack)
account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
#

 

common-auth:
# /etc/pam.d/common-auth - authentication settings common to all services
# here are the per-package modules (the "Primary" block)
# (the pam_mkhomedir session line belongs in common-session, not in an auth stack)
auth [success=6 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=5 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=4 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=3 default=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ccreds.so minimum_uid=1000 action=store
auth optional pam_mount.so
auth optional pam_cap.so
#

 

common-password:
# /etc/pam.d/common-password - password-related modules common to all services
# Same jump pattern: the backend that owns the account handles the change and skips to pam_permit.so
password [success=4 default=ignore] pam_krb5.so minimum_uid=1000
password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=2 default=ignore] pam_winbind.so use_authtok try_first_pass
# user_unknown=ignore: a local user is not in LDAP, and that answer must not kill the stack
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
#

common-session:
# /etc/pam.d/common-session - session-related modules common to all services
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
# Creates /home/MYDOMAIN/<user> on first login; the path must match "template homedir" in smb.conf
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_winbind.so
session optional pam_mount.so
session optional pam_ldap.so
session optional pam_ck_connector.so nox11
#

common-session-noninteractive:
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
# No pam_mkhomedir here on purpose: cron, sudo and similar services should not be
# creating home directories.
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_winbind.so
session optional pam_mount.so
session optional pam_ldap.so
#

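To see what those success=N numbers really do, here is a small simulator. It is an added example, not part of the original post and not code from Linux-PAM: it parses the common-auth and common-account stacks above (copied verbatim) and walks them the way libpam does, using the control semantics documented in pam.conf(5). The per-module outcomes you pass to run_stack() are constructed for the demonstration (what a module would return for a given user); pam_permit.so and pam_deny.so are hard-wired because their answer never varies.

```python
"""Walk a Linux-PAM stack the way libpam does, to show what [success=N default=ignore]
lines mean.  Added example, not part of the original post or of Linux-PAM itself.
The stacks are copied from the common-auth / common-account files above; outcomes fed to
run_stack() are constructed, and pam_permit.so / pam_deny.so are hard-wired."""
import re
from typing import Dict, List, Tuple

# Keyword controls expanded to the bracket form, exactly as pam.conf(5) defines them.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

COMMON_AUTH = """
auth [success=6 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=5 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=4 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=3 default=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ccreds.so minimum_uid=1000 action=store
auth optional pam_mount.so
auth optional pam_cap.so
"""
COMMON_ACCOUNT = """
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 #VERY IMPORTANT!
account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
"""


def parse_stack(text: str, module_type: str) -> List[Tuple[str, Dict[str, str]]]:
    """[(module, {result: action})] for lines of one type.  Comments and lines of other
    types are skipped, which is why the stray 'session' line in common-account does not
    disturb the account stack."""
    stack = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != module_type:
            continue
        control, module = m.group(2), m.group(3)
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORD_CONTROLS[control]
        stack.append((module, actions))
    return stack


def run_stack(stack: List[Tuple[str, Dict[str, str]]], outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate one stack.  `outcomes` maps module -> result code ('success', 'ignore',
    'user_unknown', ...); an unlisted module is assumed to return 'auth_err'.  Returns
    (stack result, modules actually invoked): jumped-over modules never run."""
    status = None                          # None: nothing has contributed yet, which counts as failure
    invoked: List[str] = []
    i = 0
    while i < len(stack):
        module, actions = stack[i]
        invoked.append(module)
        code = {"pam_permit.so": "success", "pam_deny.so": "auth_err"}.get(
            module, outcomes.get(module, "auth_err"))
        action = actions.get(code, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue                       # result does not count toward the stack at all
        if action.isdigit():               # N: counts as 'ok' and skips the next N modules
            i += int(action)
            action = "ok"
        if action not in ("ok", "bad", "done", "die"):
            raise ValueError(f"unsupported action {action!r} on {module}")
        if status is None or status == "success":
            status = code                  # the first failure sticks; a success can still be overridden
        if action == "die" or (action == "done" and status == "success"):
            break                          # die always stops the stack; done only if nothing failed before
    return (status if status is not None else "perm_denied"), invoked


if __name__ == "__main__":
    auth = parse_stack(COMMON_AUTH, "auth")
    for who, outcome in (("AD user, Kerberos OK", {"pam_krb5.so": "success"}),
                         ("local user", {"pam_unix.so": "success"}),
                         ("wrong password", {})):
        print(f"{who:22s} -> {run_stack(auth, outcome)}")
```

Run it and you will see that a Kerberos user never touches pam_unix, pam_winbind or pam_ldap at all, a wrong password walks every backend and ends on pam_deny.so, and in the account stack a "required" pam_krb5.so placed after pam_permit.so can still veto a user that winbind already accepted.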
This should be everything you need for PAM to work properly. Now we need to work on Samba. The Samba config is stored at "/etc/samba/smb.conf". Again, I stripped my Samba config down and made a backup of the original. I don't want my end users sharing data between themselves, I want them using corporate file shares where I know that the data is backed up. Also, I want them using print servers, not hosting printers from their machines. So this smb.conf is pretty short compared to the original. If you visit the Samba website, you'll even see that they want people to keep this file short and simple; according to the Samba Team, the longer this file is, the more it impacts performance of the system. One gotcha: smb.conf only treats a line as a comment when it begins with # or ;. A # after a value is part of the value (so "realm = MYDOMAIN.COM #note" sets the realm to "MYDOMAIN.COM #note" and the join fails), so keep notes on their own lines and run testparm after every edit. Please heed the warnings in your smb.conf as well as the notes I post below:

# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#
# smb.conf has no inline comments: a # after a value is part of the value,
# so every note in this file sits on its own line.
#======================= Global Settings =======================

[global]

security = ads
# Must be UPPER case
realm = MYDOMAIN.COM
# The DC that we mentioned earlier. Pinning a single DC is a single point of failure;
# leave the line out (or use *) and winbind will locate DCs through DNS instead.
password server = kerberos.mydomain.com
# This is the NetBIOS name of your Domain
workgroup = MYDOMAIN
# UID/GID range handed out to domain accounts. Samba 3.6 and later spell this
# "idmap config * : backend = tdb" and "idmap config * : range = 10000-20000".
idmap uid = 10000-20000
idmap gid = 10000-20000
# Enumeration lets "getent passwd" list every domain user; turn it off in large domains.
winbind enum users = yes
winbind enum groups = yes
# Don't forget to update this path for your domain! It must match pam_mkhomedir in common-session.
template homedir = /home/MYDOMAIN/%U
# You can use whatever shell you'd like
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2

server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
syslog = 4
panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
# Extremely important that this is NO: this box is a domain member, not a domain controller.
domain logons = no
# Left at the Ubuntu default here. If you really want to stop users publishing their own
# shares, add "usershare max shares = 0".
usershare allow guests = yes


Next we'll set up the "/etc/nsswitch.conf" file. This is the C library's name service switch: it tells your local Linux system which sources (local files, winbind, DNS and so on) to consult, and in what order, for users, groups, hosts and the other databases. Listing "files" before "winbind" for passwd and group makes local accounts (root above all) resolve first even when winbindd is down, and hands everything else to winbindd, which is what turns an AD user into an account the system can log in.

When fiddling with /etc/nsswitch.conf, it is best to turn the Name Service Caching Daemon off or you will be confused by cached results. Turn it on afterwards.

/etc/init.d/nscd stop

Now edit the nsswitch.conf file:

# /etc/nsswitch.conf
passwd: files winbind
group: files winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
#

And turn your service back on (winbindd keeps its own cache, so many admins simply leave nscd disabled on domain members to avoid two caches disagreeing):

/etc/init.d/nscd start


Assuming that all goes well and Kerberos, Winbind and Samba are set up properly, you should be able to join your Linux system to the domain. Due to restrictions in the NetBIOS protocol, the hostname must contain no more than 15 characters. If you see a STATUS_BUFFER_OVERFLOW message in the winbind log, odds are the hostname is invalid. Now would also be a good time to clear whatever cache files, if any, Winbind had previously generated. The Winbind cache is located in /var/lib/samba/. Back up this directory to /var/lib/samba.bak/ and delete all the files in the original. Now you can issue this command:

sudo net ads join -S MYDOMAIN.COM -U {domain-admin-user}

A couple of things here.
First, -S names the server to talk to; if MYDOMAIN.COM doesn't work the first time, try KERBEROS.MYDOMAIN.COM (the DC itself). Second, {domain-admin-user} must be an account that is allowed to create the computer object. A Domain Admin always can, but so can an ordinary account that has been delegated "Create Computer objects" on the target OU, and by default any authenticated user may join up to ten machines (ms-DS-MachineAccountQuota). Prefer the delegated account: you are typing that password into a box you don't fully trust yet, and it shouldn't be a Domain Admin password. If you want the computer object somewhere other than the default Computers container, add createcomputer="OU=Linux,OU=Servers" (your OU path, not mine) to the command. Afterwards, sudo net ads testjoin should report "Join is OK".

Now, I’ve gotten mixed results here… My Mint 12 and 13 boxes joined and I actually got a “Domain Joined!” message in the shell.

My Debian 6 machine threw an error:

steve @ mintdebianvm ~ :) ᛤ>   sudo net ads join -S ERDMANOR.COM -U administrator
[sudo] password for steve:
Enter administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database

I haven’t had much time to look into why this is happening, but I can assure you the system joined the domain, the computer account was created in AD and I’m able to SSH to this machine with domain creds… If anyone knows why this is happening, PLEASE contact me! Thanks!

Look up Windows Ports needed for Active Directory. Need Microsoft Link!
After your join to the domain is successful, you can start up your services:

sudo /etc/init.d/samba start
sudo /etc/init.d/winbind start

From this point, you should be able to test some queries against the domain:

getent passwd
getent shadow
getent group

At this point, you should be able to resolve users and groups from the Windows Active Directory domain using getent passwd and getent group (getent shadow needs root and, with "shadow: compat", only lists local accounts; domain hashes never leave the DC). If these commands don't display your Windows accounts, try to resolve them using wbinfo -u and wbinfo -g. These commands query the Winbind service directly, bypassing the name service switch. If you can resolve users and groups with wbinfo but not with getent, go back and make sure you configured /etc/nsswitch.conf properly. If wbinfo itself returns nothing, check the join first: wbinfo -p pings winbindd and wbinfo -t verifies the machine account's trust secret against the DC.
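The checks above (hostname length, smb.conf, nsswitch.conf) are easy to get subtly wrong, so here is a small offline checker that encodes them. It is an added example, not tooling from the original post or from Samba: the SAMPLE_* strings are constructed excerpts (the first reproduces the inline-comment style of the smb.conf earlier in this post), the list of checks is this editor's, and the idmap and "password server" notes are advice, not errors Samba itself would report. Run it with no arguments to check the samples, or pass the paths of your real smb.conf and nsswitch.conf.

```python
"""Offline sanity checks for the pieces configured above: NetBIOS hostname limit,
smb.conf pitfalls and /etc/nsswitch.conf.  Added example, not the post's own tooling.
SAMPLE_* strings are constructed excerpts; the checks are this editor's, not Samba's."""
import re
import socket
import sys
from typing import Dict, List, Tuple

Finding = Tuple[str, str]          # (severity, message)
NETBIOS_MAX_LEN = 15               # computer account names are NetBIOS names: 15 chars max

SAMPLE_SMB_CONF_AS_POSTED = """\
[global]
security = ads
realm = MYDOMAIN.COM #Must be UPPER case
password server = kerberos.mydomain.com #PDC that we mentioned earlier
workgroup = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
encrypt passwords = yes
winbind use default domain = yes
encrypt passwords = true
"""
SAMPLE_SMB_CONF_FIXED = """\
[global]
# realm must be upper case; comments go on their own line
security = ads
realm = MYDOMAIN.COM
workgroup = MYDOMAIN
idmap config * : backend = tdb
idmap config * : range = 10000-20000
winbind use default domain = yes
"""
SAMPLE_NSSWITCH = "passwd: files winbind\ngroup: files winbind\nshadow: compat\n"


def hostname_ok(fqdn: str) -> bool:
    """net ads join names the computer account after the short hostname; >15 chars fails."""
    short = fqdn.split(".", 1)[0]
    return 0 < len(short) <= NETBIOS_MAX_LEN


def parse_smb_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Keep every (key, value) per section, duplicates included.  Only a '#' or ';' at the
    START of a line is a comment in smb.conf; text after a value on the same line is value."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_smb_conf(text: str) -> List[Finding]:
    """Findings for [global]; an empty list means nothing this checker knows about is wrong."""
    findings: List[Finding] = []
    glob = parse_smb_conf(text).get("global", [])
    counts: Dict[str, int] = {}
    for key, value in glob:
        counts[key] = counts.get(key, 0) + 1
        if "#" in value:
            findings.append(("error", f"'{key}': smb.conf has no inline comments, so Samba sees "
                                      f"the value {value!r}; move the note to its own line"))
    for key, n in counts.items():
        if n > 1:
            findings.append(("warn", f"'{key}' is set {n} times; the last occurrence wins"))
    # Semantic checks on what the author meant (comment text stripped); Samba would not strip it.
    params = {k: v.split("#", 1)[0].strip() for k, v in glob}
    if params.get("security", "").lower() != "ads":
        findings.append(("error", "security = ads is required for a Kerberos/AD domain member"))
    realm = params.get("realm", "")
    if not realm or realm != realm.upper():
        findings.append(("error", f"realm must be present and upper case, got {realm!r}"))
    if "idmap uid" in params or "idmap gid" in params:
        findings.append(("info", "'idmap uid/gid' is the Samba 3.x spelling; Samba 3.6+ expects "
                                 "'idmap config * : backend = tdb' and 'idmap config * : range = LOW-HIGH'"))
    if params.get("password server", "*") != "*":
        findings.append(("info", "'password server' pins a single DC; leave it out (or '*') so winbind "
                                 "locates DCs through DNS and one DC outage does not break logins"))
    return findings


def check_nsswitch(text: str) -> List[Finding]:
    """getent only sees AD accounts if passwd/group list winbind, after files so local
    accounts (root above all) still resolve when winbindd is down."""
    findings: List[Finding] = []
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    for db in ("passwd", "group"):
        srcs = dbs.get(db, [])
        if "winbind" not in srcs:
            findings.append(("error", f"{db}: add 'winbind' (e.g. '{db}: files winbind')"))
        elif "files" not in srcs or srcs.index("files") > srcs.index("winbind"):
            findings.append(("warn", f"{db}: put 'files' before 'winbind'"))
    return findings


if __name__ == "__main__":
    smb = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF_AS_POSTED
    nss = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_NSSWITCH
    print("hostname ok:", hostname_ok(socket.gethostname()))
    for sev, msg in check_smb_conf(smb) + check_nsswitch(nss):
        print(f"[{sev}] {msg}")
```

Against the as-posted excerpt it reports the two values that silently swallowed their trailing comments and the duplicated "encrypt passwords"; against the fixed excerpt it reports nothing.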

Now with EVERYTHING set up properly, you *should* be able to fire up an SSH session to your Linux box and log in with AD credentials. BUT! Your domain users are NOT going to be able to "sudo" any commands. For the sake of security, you don't want ALL your domain users to be able to sudo commands, so what I did is create a domain security group, mine is named "linux-sudo". Then I added only the users I want to be able to sudo commands to that group. Then I edited my "sudoers" file to include the domain security group "linux-sudo". Always edit it with visudo (or drop a file into /etc/sudoers.d/ with visudo -f), which syntax-checks before saving; a typo in a hand-edited sudoers locks everybody out of sudo. Because smb.conf sets "winbind use default domain = yes", the group appears under its bare name; without that setting it would be %MYDOMAIN\\linux-sudo. So make sure to edit your "/etc/sudoers" file, and add this line:

%linux-sudo     ALL=(ALL:ALL) ALL

Now, I’m able to log into my Debian, Mint and Ubuntu Linux systems with Domain Credentials! 🙂

EDIT: In looking for information regarding this entire process on a RED HAT system. (RHEL 5 or 6), please refer to this guide:
http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/9/jcr:frozenNode/rh:resourceFile

Here are all the sites that I used in the making of this blog:

http://wiki.samba.org/index.php/Samba_%26_Active_Directory#Setting_up_PAM_Authentication_for_Active_Directory
https://help.ubuntu.com/community/ADAuthentication
https://help.ubuntu.com/community/Kerberos
https://help.ubuntu.com/community/PamCcredsHowto
https://help.ubuntu.com/community/ActiveDirectoryHowto
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
http://www.tldp.org/HOWTO/html_single/User-Authentication-HOWTO/
http://www.linuxcertif.com/man/5/libnss-ldap.conf/
http://debian.securedservers.com/kernel/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
http://www.tldp.org/HOWTO/SMB-HOWTO.html
https://wiki.samba.org/index.php/Samba4/Winbind
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html
http://www.ccs.neu.edu/home/battista/articles/winbind/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/simple.html
http://communities.vmware.com/thread/298545
http://www.thegeekstuff.com/2010/09/sudo-command-examples/
http://serverfault.com/questions/444219/troubleshooting-sudoers-via-ldap
http://www.aeronetworks.ca/howtos/LinuxActiveDirectory.html
http://users.telenet.be/mydotcom/howto/linuxsbs/samba4.htm
https://help.ubuntu.com/8.04/serverguide/NTP.html
https://help.ubuntu.com/community/Samba/Kerberos


Serious network architecture that works for everyone.

I started writing this blog post as a way to set up a reverse proxy for mail inspection, but it turned out that a network architecture blog focused on the security of the perimeter was more important. I've gone over in my head all the companies that have told me, "Ohhh we don't need this", or "this is too much administrative overhead", or "we don't need this much complexity, we're just manufacturing widgets", or something like that. And to those people, I say this: "I am so sick and tired of hearing excuses for why you think it's okay to be lazy. Do it right, do it now, and save yourself the headaches of a breach." We'll talk about the costs associated with being penetrated some other time, but it's EXPENSIVE!

If you're planning to do this right, then you'll want (and need) a multi-tier DMZ for your public-facing services. We're not talking about internal servers or your internal network at this point (though, after thinking about it, the exact same concept can be carried out on the internal network too). In this blog I'm merely talking about your externally facing services: it goes over proper placement for Internet-facing services. The VAST majority of companies out there don't go to this level of sophistication, but it's totally possible for any company to do this, and if you really want to secure your network infrastructure, then you'll at least attempt it.

Before we start, I’ll say this. I’m going to try my best to describe this as granular as possible. There are a TON of intricacies here that need to be thought out. I’ll provide a rudimentary Visio diagram to help on this, but you’ll need to map out your own network and break it down in a way you can understand.

The main point of network segmentation and of building a secure network architecture comes down to one of the most talked-about security principles: the Principle of Least Privilege. Do your end users need access to databases? How about other network services? How about file sharing with each other? How about shared resources for just one specific department (should engineering folks be able to communicate with financial systems)? Please think about the level of access people should have to each service while going through this blog.

Your first-level DMZ should house only your front-end web servers (or the load balancers in front of those servers), DNS servers and your proxy servers, nothing more. These systems are extremely visible to the public and will be processing thousands of requests per day, so if anything happens to them, trust me, people will notice. Remember, these are front-end systems, so you don't need much of anything out there. I'll be going over how to set those services up in a future blog, but for now just remember: least privilege. Internet users don't need direct access to the web server; they need access to a reverse proxy that inspects the traffic before it reaches the web server(s).

From here, you can create your second tier that will house your web servers (if you have load balancers or proxy servers in front of them out in tier one), mail servers, SFTP servers, and, if you're using LDAP or AD, a read-only domain controller (RODC) for authentication (but NO Internet access), and things like that. These systems should be using local (host) firewalls as well as network-layer firewalls to control access to them. A web server doesn't need to talk to anything except the back-end SQL DB and the proxy that fronts it, so both firewalls should allow it to talk only to the tier-1 server that proxies traffic to it and, if there is one, to the server behind it in tier three.

Then there is an optional third tier where you would house your back-end database servers and anything else that doesn't belong in tier two. When I say optional, I don't mean just throw it away and put SQL in tier 2; I mean that if you don't have a SQL back end you can eliminate tier 3. Another RODC could be placed here for authentication services (again, NO Internet access!). If you're running MS-SQL or Oracle servers here, their service accounts (or any other services, for that matter) can authenticate to that RODC. The same goes for tier two.

Lastly, I'll mention a management network that will have access to all three tiers. You'll obviously have admins (even if it's just yourself) that will need to run updates on those boxes or perform other administrative functions on those systems. Don't forget to allow yourself access to that. But that doesn't mean "IP ANY ANY" from the management network into those tiers either! Allow only the management protocols you actually use (SSH, RDP and the like) from the management range to each tier. Don't be LAZY, be smart and do it right.

In my Visio diagram, I used some old hardware and multiple physical switches, but don't forget, you can trunk VLANs and do some pretty cool configurations with Cisco gear, especially the new ASAs. See it here: DIAGRAM LINK

So from tier 1, your DNS server should only be servicing requests from your 3 DMZs and the Internet. I would say you shouldn't open this up to your internal clients, because you should already have internal DNS servers for Active Directory (or whatever LDAP service you're using). From the Internet, allow 53/udp and 53/tcp inbound to that DNS server (TCP is not just for zone transfers: resolvers retry over TCP when a UDP answer is truncated, and RFC 7766 makes TCP support mandatory, so a UDP-only rule breaks large responses such as DNSSEC-signed ones), and allow SSH inbound to that server from your management network. That's IT! For your proxy server or load balancer, allow 80/tcp and 443/tcp inbound from the Internet, and allow in whatever port your load balancer needs from the management network. So in this scenario, you should have 80/tcp, 443/tcp and 53/udp plus 53/tcp open from the Internet to tier 1. Simple, see?

Tier two only has ports open FROM tier 1 into tier 2 (and management network into tier 2). The people out on the Internet will NEVER communicate directly with tier 2, there’s just no need.

And lastly, tier 3 will only accept communications from tier 2 and the management tier. No end user needs to communicate with the SQL DB’s directly, so why let them?

The only thing I've left out here is the RODCs. What do they communicate with? Well, the way I would set them up is to have the 2 real (writable) Domain Controllers in the management network, and allow the RODCs to replicate from them only. This should be a totally separate domain from your internal network, and ideally a separate forest, since the forest, not the domain, is the security boundary in Active Directory. Name it whatever you want (fubar.dmz or whatever). An RODC holds a read-only copy of the directory and does not store account secrets unless its Password Replication Policy allows that account to be cached, so keep the policy limited to the service accounts each tier actually needs; if an RODC is compromised, only the passwords it was allowed to cache are at risk, which is as close to "nothing to lose" as a domain controller gets.
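Written down as data, the tiering above can be audited and turned into host firewall rules mechanically, which is the only way "no IP ANY ANY" survives the next change request. The following is an added example, not from the original post: the zone names, the Rule format, the RFC 5737 documentation CIDRs and the sample rule sets are this editor's assumptions, and the output is iptables syntax for the per-host firewall rather than the Cisco ASA configuration the post refers to.

```python
"""The tiered DMZ policy above as data, plus an audit and a host-firewall generator.
Added example, not from the original post: zone names, the Rule format, the RFC 5737
example CIDRs and the sample rule sets are assumptions; output is iptables, not ASA."""
from typing import Dict, List, NamedTuple, Set


class Rule(NamedTuple):
    src: str      # zone that initiates the connection
    dst: str      # zone that accepts it
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port, or "any"


# Who may initiate into whom.  Anything not listed is denied (default deny).
ALLOWED_FLOWS: Dict[str, Set[str]] = {
    "internet": {"tier1"},
    "tier1": {"tier2"},
    "tier2": {"tier3"},
    "tier3": set(),
    "mgmt": {"tier1", "tier2", "tier3"},
}
# The only services tier 1 exposes to the Internet.  53/tcp is included because DNS
# servers must answer over TCP as well (RFC 7766); add ("tcp", "25") if the mail proxy
# the post mentions lives in tier 1.
INTERNET_SERVICES = {("udp", "53"), ("tcp", "53"), ("tcp", "80"), ("tcp", "443")}

CIDRS = {  # assumed addressing: RFC 5737 documentation ranges plus a private management range
    "internet": "0.0.0.0/0", "tier1": "192.0.2.0/24", "tier2": "198.51.100.0/24",
    "tier3": "203.0.113.0/24", "mgmt": "192.168.255.0/24",
}
GOOD_RULES = [
    Rule("internet", "tier1", "udp", "53"), Rule("internet", "tier1", "tcp", "53"),
    Rule("internet", "tier1", "tcp", "80"), Rule("internet", "tier1", "tcp", "443"),
    Rule("tier1", "tier2", "tcp", "443"),      # reverse proxy -> web servers
    Rule("tier2", "tier3", "tcp", "1433"),     # web servers -> MS-SQL
    Rule("mgmt", "tier1", "tcp", "22"), Rule("mgmt", "tier2", "tcp", "22"),
    Rule("mgmt", "tier3", "tcp", "22"), Rule("mgmt", "tier3", "tcp", "3389"),
]
BAD_RULES = [
    Rule("internet", "tier2", "tcp", "443"),   # skips the proxy tier
    Rule("internet", "tier1", "tcp", "22"),    # SSH from the whole world
    Rule("mgmt", "tier3", "any", "any"),       # the "IP ANY ANY" the post warns about
]


def audit(rules: List[Rule]) -> List[str]:
    """One message per violation of the tiering; an empty list means the rule set honours it."""
    problems = []
    for r in rules:
        where = f"{r.src}->{r.dst} {r.proto}/{r.port}"
        if r.dst not in ALLOWED_FLOWS.get(r.src, set()):
            problems.append(f"{where}: {r.src} may not reach {r.dst}")
        elif r.src == "internet" and (r.proto, r.port) not in INTERNET_SERVICES:
            problems.append(f"{where}: not a service tier 1 exposes to the Internet")
        elif r.src == "mgmt" and "any" in (r.proto, r.port):
            problems.append(f"{where}: 'any' from management is not least privilege")
    return problems


def host_input_rules(zone: str, rules: List[Rule], cidrs: Dict[str, str]) -> List[str]:
    """iptables INPUT chain for a host in `zone`: accept only what the policy allows into
    this zone, and only from the source zone's range, then drop.  This is the local
    firewall the post wants in addition to the network firewall."""
    lines = ["-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        if r.dst != zone:
            continue
        match = "" if r.proto == "any" else f" -p {r.proto}"
        if r.port != "any" and r.proto != "any":
            match += f" --dport {r.port}"
        lines.append(f"-A INPUT -s {cidrs[r.src]}{match} -j ACCEPT")
    lines.append("-A INPUT -j DROP")
    return lines


if __name__ == "__main__":
    print("good rules:", audit(GOOD_RULES) or "no violations")
    for problem in audit(BAD_RULES):
        print("bad rules:", problem)
    print("\n".join(host_input_rules("tier2", GOOD_RULES, CIDRS)))
```

Keep the zone policy in one place like this and diff it in code review; the ASA or iptables configuration is then generated from it, never hand-edited, so a tier-2 host can never quietly grow a rule that accepts traffic from 0.0.0.0/0.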

So that’s really about it. If you’ve got any questions, contact me via my LinkedIn profile. There’s a link to that right on my home page near the bottom of the left column.
Enjoy!! 🙂
