Who: ShmooCon/NovaInfosecPortal.com
What: ShmooCon 2012 FireTalks
When: 1/27 to 1/28/2011
Where: Washington Hilton Hotel (1919 Connecticut Avenue, NW Washington, DC 20009)

One problem with the small office or colo environment is there are very few affordable solutions that can be used to monitor for authorized and unauthorized access.  To solve this problem, ZZ Servers has implemented a cabinet monitoring solution that is able to not only monitor for cabinet door entry but also has the ability to have temperature and humidity sensors (which we do not actually do in this initial proof of concept).

The cabinet door alarm is based on a teensy 2.0 USB device that uses digital inputs to determine if magnetic alarm door switches are open or closed and then monitor their status with any standard monitoring system through a USB connection to the Teensy device. The teensy can be ordered from PJRC for $16. The LED, Resistor and remaining components can be purchased from Jameco, Amazon, Home Depot, Radio Shack or any other similar store.

The teensy is connected through USB to a linux server in the cabinet that runs an application to query the status of each sensor. The teensy provides a +5V pin that will be connected to a 10k ohm resistor which is then connected to the GND with one connection to each of 4 input pins for the door sensor and an LED connected to interface 11.

The current design is for only 4 alarm switches; but there is no reason the other inputs can’t be used. If additional inputs are used then the associated firmware and software programs will need to be updated to reflect the number of interfaces.

This design also expects there to be a closed circuit on all monitored ports otherwise an alarm will be raised. A simple closed loop will work for any alarm switches not installed.

Once the circuit is assembled the firmware needs to be uploaded to the teensy. The firmware used is based on the arduino support for Teensy that can be downloaded.  The steps to setup the Teensy/Arduino development environment are found on the page and need to be followed to allow for proper aduino sketch to be built and loaded onto the teensy flash.

• Extract Arduino Software
• Install 49-teensy.rules in /etc/udev/rules.d (see below for contents of this file)
• Download & Run teensy duino installer. Examples/samples are not needed unless doing future development

Once the development tools are installed:

• Start the arduino IDE (found in arduino software extract)
• Connect the teensy usb interface
• Set board type to Teensy 2.0 (Tools/Board/Teensy 2.0)
• Load the code (below)
• Verify (checkbox in IDE) the code
• Upload (right arrow in IDE) the HEX firmware

Teensy Firmware:
The firmware has 3 main sections; the Header where the various variables are defined that are used within the program, The setup function which runs when the teensy is powered on (plugged into USB) and then the loop which is executed after setup executing the designed function.

When the teensy boots, it load the setup function which initializes the device allowing for INPUT_PULLUP functionality for the 4 pins used for the alarm. This creates the alert when the switch is opened. The setup then initializes the USB serial device at 38400 8n1 and configures the LED output PIN and makes sure the LED is off.

The loop function is the core of the firmware. This is the function that the teensy executes over and over. In this function the first thing to do is read each of the alarm interfaces and if there is an alert flag it so we can be sure to blink the LED. Next the loop will see if there are any requests on the serial port, which will come from the serial program further down in this post. If there is input from the serial interface, the loop confirms it is a valid request [1,2,3,4] and then prints back on the serial interface a simple message showing the status of the serial ports.

Finally the loop ends by running the BlinkLED function if there is an alarm otherwise if the LED is on be sure to turn it off.

The BlinkLED function works by using a nice variable type provided by the Teensy “elapsedMillis” which creates a timer that is used to trace the time since the variable was created. Using this variable if it has been one second (1000ms) then reset the timer and if the LED is on turn it off, otherwise turn it on.
zz_alarm0.ino

// Header Section
int ledPin =  11;
int ledon = 0;
int ALARM_1 = 1;
int ALERT_1 = 0;
int ALARM_2 = 2;
int ALERT_2 = 0;
int ALARM_3 = 3;
int ALERT_3 = 0;
int ALARM_4 = 4;
int ALERT_4 = 0;
int alarmnow = 0;
char alarmcheck = ' ';
elapsedMillis sinceAlarm;
//End Header Section

// The setup() method runs once, when the sketch starts
void setup()   {
     pinMode(ALARM_1, INPUT_PULLUP);
     pinMode(ALARM_2, INPUT_PULLUP);
     pinMode(ALARM_3, INPUT_PULLUP);
     pinMode(ALARM_4, INPUT_PULLUP);
     Serial.begin(38400);
     pinMode(ledPin, OUTPUT);
     digitalWrite(ledPin, LOW);
}

// the loop() method runs over and over again, checking for events
void loop()   {
     alarmnow = 0;
     alarmcheck = ' ';

     ALERT_1 = digitalRead(ALARM_1);
     ALERT_2 = digitalRead(ALARM_2);
     ALERT_3 = digitalRead(ALARM_3);
     ALERT_4 = digitalRead(ALARM_4);

     if (ALERT_1 || ALERT_2 || ALERT_3 || ALERT_4) {
          alarmnow = 1;
     }

     if (Serial.available()) {
          alarmcheck = Serial.read();
     }

     switch (alarmcheck) {
          case '1':
               if (ALERT_1) {
                    Serial.println("1:1");
               } else {
                    Serial.println("1:0");
               }
               break;
          case '2':
               if (ALERT_2) {
                    Serial.println("2:1");
               } else {
                    Serial.println("2:0");
               }
               break;
          case '3':
               if (ALERT_3) {
                    Serial.println("3:1");
               } else {
                    Serial.println("3:0");
               }
               break;
          case '4':
               if (ALERT_4) {
                    Serial.println("4:1");
               } else {
                    Serial.println("4:0");
               }
               break;
          case ' ':
               break;
          default:
               Serial.println("X:1");
               break;
     }

     if (alarmnow) {
          BlinkLED();
     } else if (ledon) {
          digitalWrite(ledPin, LOW);
     }
}

void BlinkLED() {
     if (sinceAlarm >= 1000) {
          sinceAlarm = sinceAlarm - 1000;
          if (ledon) {
               ledon = 0;
               digitalWrite(ledPin, LOW);
          } else {
               ledon = 1;
               digitalWrite(ledPin, HIGH);
          }
     }
}

Once the firmware is loaded onto the teensy and all the switches are in place the linux system that will interface with the alarm needs to have a udev rule created that will allow the usbSerial interface to function.
Linux UDEV rules
/etc/udev/rules/49-teensy.rules

SUBSYSTEMS==”usb”, ATTRS{idVendor}==”16c0″, ATTRS{idProduct}==”04[789]?”, MODE:=”0666″ KERNEL==”ttyACM*”, ATTRS{idVendor}==”16c0″, ATTRS{idProduct}==”04[789]?”, SYMLINK+=”ttyUSB00%n”, MODE:=”0666″, ENV{ID_MM_DEVICE_IGNORE}=”1″

The host that connects to the ZZ-Teensy-Alarm needs to be able to query to the teensy on the USB Serial device to determine the status of any of the configured alarm switch inputs.  This is accomplished using a C program that will open the USB serial device presented by the teensy and write/read to the running firmware queries on port status.

The alarm-monitor application is a very simple C application. After initializing some variables it performs a quick check on the number of command line arguments, providing help and exiting if it is not correct. Next the application confirms that the query provided on the command line is a valid interface to query. Alarm-monitor then initializes the specified serial device to 38400 8n1 and writes out the query to the teensy serial device. Once the query is written the application will wait for a response for 10 seconds after which the appropriate response is sent back to the user.
Linux Command line zz-teensy-alarm query:
alarm-monitor.c

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <termios.h>
#include <time.h>
 
int main(int argc,char** argv)
{
        struct termios tio;
        struct termios stdio;
        time_t start,now;
        int diff;
        int tty_fd;
        fd_set rdset;
        struct flock fl;
 
        unsigned char c=' ';
 
        if (argc<3) {
          printf("%s /dev/ttyUSB000 [1|2|3|4]\n\n",argv[0]);
          exit(1);
        }
 
        switch (argv[2][0]) {
          case '1':
            break;
          case '2':
            break;
          case '3':
            break;
          case '4':
            break;
          default:
            printf("Can only query alarms 1, 2, 3 or 4\n\n");
            exit(1);
            break;
        }

        fl.l_type   = F_WRLCK;  /* F_RDLCK, F_WRLCK, F_UNLCK    */
        fl.l_whence = SEEK_SET; /* SEEK_SET, SEEK_CUR, SEEK_END */
        fl.l_start  = 0;        /* Offset from l_whence         */
        fl.l_len    = 0;        /* length, 0 = to EOF           */
        fl.l_pid    = getpid(); /* our PID                      */

        tty_fd=open(argv[1], O_RDWR | O_NONBLOCK);
        fcntl(tty_fd, F_SETLKW, &fl);

        memset(&tio,0,sizeof(tio));
        tio.c_iflag=0;
        tio.c_oflag=0;
        // 8n1, see termios.h for more information
        tio.c_cflag=CS8|CREAD|CLOCAL;           
        tio.c_lflag=0;
        tio.c_cc[VMIN]=1;
        tio.c_cc[VTIME]=5;
 
        cfsetospeed(&tio,B38400);            
        cfsetispeed(&tio,B38400);           
 
        tcsetattr(tty_fd,TCSANOW,&tio);
  
        write(tty_fd,argv[2],1);

        start = time(NULL);
        now = time(NULL);
        diff = (int)difftime(now,start);
        while ((c != '\n') && (diff < 10)) {
          if (read(tty_fd,&c,1)>0) {
            write(STDOUT_FILENO,&c,1);
          }
          now = time(NULL);
          diff = (int)difftime(now,start);
        }

        fl.l_type   = F_UNLCK;
        fcntl(tty_fd, F_SETLK, &fl);
        close(tty_fd);

        if (diff >= 10) {
          printf("X:X\n");
          exit(1);
        }
        exit(0);
}

The alarm_monitor application can be compiled with gcc:

gcc -o alarm_monitor alarm_monitor.c

alarm_monitor has 2 inputs, the first is the USB device of the ZZ-Teensy-Alarm, the 2nd is the port to be queried (1-4 is hard coded, any additional ports need to be expanded on for alarm_monitor.c and zz_alarm0.ino).

EX:

alarm_monitor /dev/ttyUSB000 1
1:0

Would query alarm switch 1 and as this example shows returns the alarm #:status where 0 is OK and 1 is switch open (alarm).

There is a 10 second timeout if ZZ-Teensy-Alarm device isn’t connected or if there are connectivity issues.  An error code of X:X is returned for any timeout and any query to ports other than 1,2,3,4 return invalid query.

Concept Assembly

The initial design was built using a breadboard and is pictured below:

ZZ Servers Teensy Cabinet Alarm Prototype

Once the design was tested a standard radio shack project box was acquired along with a few screw down termination jacks.  These were assembled into the following picture

ZZ Cabinet Alarm Prototype - Assembly

ZZ Cabinet Alarm Prototype - Assembly

The final configuration has the usb cable coming out one side, an led on one side and the screw on terminators ready to be connected to magnetic door switches.

ZZ Cabinet Alarm Prototype - Assembled

ZZ Cabinet Alarm Prototype - LED on

Zabbix Integration

Once the alarm is in place it needs to be monitored. Here at ZZ Servers we leverage Zabbix but any system such as Nagios could work as long as they can execute a script for input.

Zabbix monitoring can monitor the status of each door alarm through the configuration of UserParameters.  A full configuration will follow in a future post with templates for items / alerts but for now below is a sample UserParameter for each of the 4 configured alarm monitors:

/etc/zabbix/zabbix_agentd.conf

UserParameter=CB001.0001F,/usr/local/bin/alarm-monitor /dev/ttyUSB000 1|cut -d”:” -f 2
UserParameter=CB001.0001B,/usr/local/bin/alarm-monitor /dev/ttyUSB000 2|cut -d”:” -f 2
UserParameter=CB001.0002F,/usr/local/bin/alarm-monitor /dev/ttyUSB000 3|cut -d”:” -f 2
UserParameter=CB001.0002B,/usr/local/bin/alarm-monitor /dev/ttyUSB000 4|cut -d”:” -f 2

Details on how to configure the zabbix template including the appropriate items, triggers and alerts will be posted in my next blog post.

Until OSSEC can have a better UI, I have decided to use the built in daily reports to automatically create tickets in our ticket system to be manually reviewed by security engineers documenting the steps taken to resolve what was identified.

In setting up the daily reports google helped me find the v2.5 documentation on the configuration options for daily reports (ossec.conf).  Some reports shown in the examples google found show access attempts or file integrity changes (examples).  This and other examples were very helpful in providing examples on how OSSEC could handle daily reports.

When setting up daily reports, the first thing to do is determine what variables will determine the report creation and the best way to do this is to use the ossec-reportd to  quickly test the various fields needed to search & create your reports.

For example, say you wanted to get the reports for file integrity changes in the 192.168.1 subnet, you would execute:

cat logs/alerts/2011/Jun/ossec-alerts-20.log | bin/ossec-reportsd -f group syscheck -f location 192.168.1

Valid ossec-reportd filters include: group, rule, level, location,user, srcip

Now to convert this into a daily report, edit: etc/ossec.conf, and add the following:

<reports>
<location>192.168.1.</location>
<group>syscheck</group>
<title>Daily OSSEC report: ZZ Syscheck Test Location</title>
<email_to>support@zzservers.com</email_to>
<showlogs>yes</showlogs>
</reports>

Rules can have the following options: group, categories, rule, level, location, srcip, user, title, email_to and showlogs.

The <showlogs> option is not listed on the ossec wiki and other documentation.  I only noticed it while reading through the source code trying to identify why the daily reports were not working for me.  It is a great option and determines whether the reports include or do not include the log items found when creating the report.

You can setup as many <reports></reports> as you need to within the ossec_config and they will all be generated when the ossec logs rotate at the change of every day.

However you may want to test your config or run reports without waiting for the automatic run at midnight. For those needing that functionality I have created the attached patch that can be applied within the ossec directory (cd ossec-hids-2.5.1; patch -p1 < ossec-dmz-forcedailyreports.diff).

This patch enables a “-R” option to ossec-monitord allowing it to be run from the command line processing all of the defined daily reports.  You may want to include the -d (debug) option if you are having problems or want to see what it is doing.

Please note that the -f (force foreground) is enabled by default when -R is selected.

Also, when researching what was needed for this patch I identified that the outgoing mail did not have 2 \r\n (\r\n\r\n) between the subject and the messages so the patch updates that so messages will be sent cleanly.

I also noticed that when ossec loads up the ossec.conf file it only accepts a-z,A-Z,0-9, – and _.  I had made the assumption that ossec-reportd used the same input details as ossec-monitord, however after hours of tracing I realized that the ossec.conf file was loaded with the prior mentioned input characters only.  So the config function was updated to allow “.” and “/” allowing for full neworks and log paths be entered.

Please let me know if I missed anything or if there are problems with my patch.

- David
- dmz

ossec-dmz-forcedailyreports.diff

diff -Naur -x ‘*.a’ -x ‘*.o’ ossec-hids-2.5.1/src/config/reports-config.c ossec-hids-2.5.1-manualreports/src/config/reports-config.c
— ossec-hids-2.5.1/src/config/reports-config.c    2010-10-12 19:17:37.000000000 +0000
+++ ossec-hids-2.5.1-manualreports/src/config/reports-config.c    2011-06-19 04:45:56.000000000 +0000
@@ -30,7 +30,7 @@
if((*mystr >= ‘a’ && *mystr <= ‘z’) ||
(*mystr >= ‘A’ && *mystr <= ‘Z’) ||
(*mystr >= ’0′ && *mystr <= ’9′) ||
-           *mystr == ‘-’ || *mystr == ‘_’)
+           *mystr == ‘-’ || *mystr == ‘_’ || *mystr == ‘.’ || *mystr == ‘/’)
{
mystr++;
}
diff -Naur -x ‘*.a’ -x ‘*.o’ ossec-hids-2.5.1/src/monitord/main.c ossec-hids-2.5.1-manualreports/src/monitord/main.c
— ossec-hids-2.5.1/src/monitord/main.c    2010-10-12 19:17:37.000000000 +0000
+++ ossec-hids-2.5.1-manualreports/src/monitord/main.c    2011-06-19 02:50:33.000000000 +0000
@@ -18,13 +18,19 @@

int main(int argc, char **argv)
{
-    int c, test_config = 0, run_foreground = 0;
+    time_t tm;
+    struct tm *p;
+    int c, test_config = 0, run_foreground = 0, generate_manual_reports = 0;
int uid=0,gid=0;
+    int today = 0;
+    int thismonth = 0;
+    int thisyear = 0;
char *dir  = DEFAULTDIR;
char *user = USER;
char *group = GROUPGLOBAL;
char *cfg = DEFAULTCPATH;

+
/* Initializing global variables */
mond.a_queue = 0;

@@ -32,11 +38,15 @@
OS_SetName(ARGV0);

-    while((c = getopt(argc, argv, “Vdhtfu:g:D:c:”)) != -1){
+    while((c = getopt(argc, argv, “RVdhtfu:g:D:c:”)) != -1){
switch(c){
case ‘V’:
print_version();
break;
+            case ‘R’:
+                generate_manual_reports = 1;
+                run_foreground = 1;
+                break;
case ‘h’:
help(ARGV0);
break;
@@ -198,6 +207,19 @@
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());

+    if(generate_manual_reports)
+    {
+        /* Getting currently time before starting */
+        tm = time(NULL);
+        p = localtime(&tm);
+
+        today = p->tm_mday;
+        thismonth = p->tm_mon;
+        thisyear = p->tm_year+1900;
+
+       generate_reports(today, thismonth, thisyear, p);
+       exit(0);
+    }

/* the real daemon now */
Monitord();
diff -Naur -x ‘*.a’ -x ‘*.o’ ossec-hids-2.5.1/src/os_maild/sendcustomemail.c ossec-hids-2.5.1-manualreports/src/os_maild/sendcustomemail.c
— ossec-hids-2.5.1/src/os_maild/sendcustomemail.c    2010-10-12 19:17:37.000000000 +0000
+++ ossec-hids-2.5.1-manualreports/src/os_maild/sendcustomemail.c    2011-06-19 04:12:35.000000000 +0000
@@ -33,7 +33,7 @@
#define FROM            ”From: OSSEC HIDS <%s>\r\n”
#define TO                “To: <%s>\r\n”
#define CC                “Cc: <%s>\r\n”
-#define SUBJECT            ”Subject: %s\r\n”
+#define SUBJECT            ”Subject: %s\r\n\r\n”
#define ENDDATA            ”\r\n.\r\n”
#define QUITMSG         ”QUIT\r\n”

diff -Naur -x ‘*.a’ -x ‘*.o’ ossec-hids-2.5.1/src/shared/help.c ossec-hids-2.5.1-manualreports/src/shared/help.c
— ossec-hids-2.5.1/src/shared/help.c    2010-10-12 19:17:37.000000000 +0000
+++ ossec-hids-2.5.1-manualreports/src/shared/help.c    2011-06-20 04:13:07.000000000 +0000
@@ -21,12 +21,24 @@

void help(const char *prog)
{
+    int ismonitord = 0;
+    char helpopts[6];
+    helpopts[5] = ‘\0′;
+    snprintf(helpopts, 5, “Vhdt”);
+
+    if (strstr(prog, “monitord”))
+    {
+      ismonitord = 1;
+      snprintf(helpopts, 5, “VRhdt”);
+    }
print_out(” “);
print_out(“%s %s – %s (%s)”, __name, __version, __author, __contact);
print_out(“%s”, __site);
print_out(” “);
-    print_out(“  %s: -[Vhdt] [-u user] [-g group] [-c config] [-D dir]“, prog);
+    print_out(“  %s: -[%s] [-u user] [-g group] [-c config] [-D dir]“, prog,helpopts);
print_out(“    -V          Version and license message”);
+    if (ismonitord)
+       print_out(“    -R          Run daily report”);
print_out(“    -h          This help message”);
print_out(“    -d          Execute in debug mode”);
print_out(“    -t          Test configuration”);

This doesn’t mean the router should be your firewall, firewalls serve a different purpose for segmentation.  The border router has only the outside & inside; no real segmentation but at the same time the best place to block a wide variety of traffic at a single point.

We here at ZZ Servers leverage the best technology for a situation and as such utilize the vyatta router for our core routing devices (well custom hardware but running vyatta).  There is extensive documentation on vyatta filtering but it is mainly focused on the filtering of traffic into and out of the router directly.  The little there is on the traffic going “through” the device was focused on the vyatta box in a small office or home environment performing NAT and other “gateway” services.

When your router is a border gateway vs a network gateway the configuration is a little different and can be expanded to provide easy ways to block traffic.

The vyatta documentation is exceptional and a great starting point to getting a new system online and configuring as a NAT gateway so I will focus only on the filtering configuration needed for restricting access to / from and through the router as it simply routes traffic between networks.

From the vyatta firewall documentation the “The Vyatta firewall features IPv4/IPv6 stateful packet inspection to intercept and inspect network activity and allow or deny the attampt. Vyatta advanced firewall capabilities include stateful failover, zone and time-based firewalling, P2P filtering and more.”

It is the zone features that we will be working with for ingress and egress filter for traffic going through our border router.  The vyatta documentation best describes it’s approach to interface and “zone” filtering:

Ordinary firewall rule sets are applied on a per-interface basis to act as a packet filter for the interface. In zone-based firewall, interfaces are grouped into security “zones,” where each interface in the zone has the same security level.

Packet-filtering policies are applied to traffic flowing between zones. Traffic flowing traffic flowing between interfaces lying in the same zone is not filtered and flows freely, as the interfaces share the same security level.

When configuring the router for zone based routing there are a few notes highlighted in the vyatta documentation:

• An interface can be associated with only one zone.
• An interface belonging to a zone cannot have a per-interface firewall rule set applied and vice versa.
• Traffic between interfaces not belonging to any zone flows unfiltered and per-interface firewall rule sets can be applied to those interfaces.
• By default, all traffic to a zone is dropped unless explicitly allowed by a filtering policy for a from_zone.
• Filtering policies are unidirectional: they are defined as a “zone pair” defining the zone from which traffic is sourced (the from_zone) and the zone to which traffic is destined (the to_zone). In Figure 1-6, these unidirectional policies can be seen as follows:
  • From Private to DMZ
  • From Public to DMZ
  • From Private to Public
  • From DMZ to Public
  • From Public to Private
  • From DMZ to Private

The  configuration used in the example presented in this post has a router with 2 interfaces one “Internet” and the other “ZZ Servers” (or your inside; name yours as you will) with the internet on eth0 and zzservers on eth1.

The network segments for this vyatta configuration are then set to:

• ZZ Servers – The ZZ Servers public (internet) networks
• Internet – The Internet (outside ZZ Servers)
• Local – The local vyatta router

With these segments the vyatta zones will be configured as follows:

• Internet / Routed Network Traffic
  • Internet -> ZZ Servers
  • ZZ Servers -> Internet
• Traffic directly to or from the router
  • Internet -> Local
  • Local -> Internet
  • ZZ Servers -> Local
  • Local -> ZZ Servers

With the zones defined and router configured, the steps needed to configure the filtering include:

• Define various groups used
• Set rules from Internet directly to router
• Set rules from router to Internet
• Set rules from ZZ Servers directly to router
• Set rules from router to ZZ Servers
• Set rules for Internet to ZZ Servers
• Set rules for ZZ Servers to Internet

The differences between the router ingress & egress rules and the network rules is the direct rules will only allow what is specifically allowed and then deny all and the rules for the flow of traffic between the Internet and ZZ Servers will by default route (allow) all traffic and then deny only what we specify.

The first step is to enter the vyatta configuration mode and edit the firewall configuration, starting with the groups used in the rules.

The groups include:

• REJECTED-SERVERS: Will contain a list of IP addresses blocked from passing through to or from ZZ Servers and the Internet.
• REJECTED-NETWORKS: Will contain a list network segments blocked from passing through to or from ZZ Servers and the Internet.
• REJECTED-PORTS: Will contain a list of connection ports from passing  through to or from ZZ Servers and the Internet.
• SSH-FROM: Contains a list of IP addresses allowed to connect to the device
• SMB: Contains a list of ports used in SMB traffic (to block and not log the annoying microsoft broadcast traffic); NOTE – only blocking on direct access to/from device, not from passing through to or from ZZ Servers & the Internet.

configure
edit firewall

# Rejected Servers Group
set group address-group REJECT-SERVERS description “Block IP List”

# Rejected Networks Group
set group network-group REJECT-NETWORKS description “Block Network List”

# Rejected Ports Group
set group port-group REJECT-PORTS description “Block Port List”

# SSH Allowed Hosts List
set group address-group SSH-FROM description “IPs allowed to SSH into router”
set group address-group SSH-FROM address <management ip 1>
set group address-group SSH-FROM address <management ip 2>

# SMB Ports to drop and not log
set group port-group SMB description “SMB Ports to block and not log from ZZ Windows customers to local router”
set group port-group SMB port 67
set group port-group SMB port 135
set group port-group SMB port 137
set group port-group SMB port 138
set group port-group SMB port 139

Now with the groups defined the next thing is to setup the rules to filter traffic from the internet directly into the router.  The rule syntax is similar to a Cisco configuration; but significantly different as it sits on top of iptables which has extensive capabilities beyond basic filtering that will not be explored here.

We will not be doing anything fancy with this configuration; only defining what is and is not allowed.

The rules for ingress and egress directly on the router are very similar in structure:

• Set default policy to Deny, dropping any unauthorized connection
• Allow established and related connections
• Drop all invalid states
• Drop and do not log SMB broadcasts
• Accept ICMP
• Accept VRRP
• Accept BGP
• Accept HEARTBEAT
• Accept SSH
• Deny and log everything else

BGP packets are broadcast from peers with source port 179 and sent to peers on source port 179
HEARTBEAT packets are broadcast from peers to destination port 694.

With both BGP & HEARTBEAT I have setup source & destination port filters.  From my tests so far these may be adjusted; I’ve just not tested all situations so it may not need both sets of source & destination filters, so any feedback is welcome.

# Default deny
set name internet-local default-action drop

# Accept established & related
set name internet-local rule 1 action accept
set name internet-local rule 1 state established enable
set name internet-local rule 1 state related enable
set name internet-local rule 2 action drop
set name internet-local rule 2 log enable
set name internet-local rule 2 state invalid enable

# Drop and do not log Customer SMB
set name internet-local rule 3 action drop
set name internet-local rule 3 log disable
set name internet-local rule 3 destination group port-group SMB

# Allow inbound ICMP
set name internet-local rule 4 action accept
set name internet-local rule 4 protocol icmp

# Allow inbound VRRP
set name internet-local rule 5 action accept
set name internet-local rule 5 protocol vrrp

# Allow inbound BGP
set name internet-local rule 6 action accept
set name internet-local rule 6 port 179
set name internet-local rule 6 protocol tcp

# Allow inbound BGP
set name internet-local rule 7 action accept
set name internet-local rule 7 source port 179
set name internet-local rule 7 protocol tcp

# Allow inbound HEARTBEAT
set name internet-local rule 8 action accept
set name internet-local rule 8 destination port 694
set name internet-local rule 8 protocol udp

# Allow inbound HEARTBEAT
set name internet-local rule 9 action accept
set name internet-local rule 9 source port 694
set name internet-local rule 9 protocol udp

# Allow inbound SSH
set name internet-local rule 10 action accept
set name internet-local rule 10 log enable
set name internet-local rule 10 source group address-group SSH-FROM
set name internet-local rule 10 destination port 22
set name internet-local rule 10 protocol tcp

# Logging rule
set name internet-local rule 9999 action drop
set name internet-local rule 9999 log enable

The router to internet egress filters are similar but add additional rules for outbound upgrades, dns and ntp all of which could use groups for more specific filters.

• Set default policy to Deny, dropping any unauthorized connection
• Allow established and related connections
• Drop all invalid states
• Accept ICMP
• Accept VRRP
• Accept BGP
• Accept HEARTBEAT
• Accept DNS
• Accept NTP
• Upgrade rules
• Deny and log everything else

# Default deny
set name local-internet default-action drop

# Accept established & related
set name local-internet rule 1 action accept
set name local-internet rule 1 state established enable
set name local-internet rule 1 state related enable
set name local-internet rule 2 action drop
set name local-internet rule 2 log enable
set name local-internet rule 2 state invalid enable

# Allow outbound ICMP
set name local-internet rule 4 action accept
set name local-internet rule 4 protocol icmp

# Allow outbound VRRP
set name local-internet rule 5 action accept
set name local-internet rule 5 protocol vrrp

# Allow outbound BGP
set name local-internet rule 6 action accept
set name local-internet rule 6 destination port 179
set name local-internet rule 6 protocol tcp

# Allow outbound BGP
set name local-internet rule 7 action accept
set name local-internet rule 7 source port 179
set name local-internet rule 7 protocol tcp

# Allow outbound HEARTBEAT
set name local-internet rule 8 action accept
set name local-internet rule 8 destination port 694
set name local-internet rule 8 protocol udp

# Allow outbound HEARTBEAT
set name local-internet rule 9 action accept
set name local-internet rule 9 source port 694
set name local-internet rule 9 protocol udp

# Accept outbound DNS requests
set name local-internet rule 10 action accept
set name local-internet rule 10 destination port 53
set name local-internet rule 10 protocol tcp_udp

# Accept outbound NTP
set name local-internet rule 15 action accept
set name local-internet rule 15 destination port 123
set name local-internet rule 15 protocol tcp_udp

# Allow upgrade – only during valid changes
#set name local-internet rule 69 action accept
#set name local-internet rule 69 log enable
#set name local-internet rule 69 destination port 80
#set name local-internet rule 69 protocol tcp

# Logging rule
set name local-internet rule 9999 action drop
set name local-internet rule 9999 log enable

The rules between the router & the internal (ZZ Servers) public networks are basically the same as the internet rules.

• Set default policy to Deny, dropping any unauthorized connection
• Allow established and related connections
• Drop all invalid states
• Drop and do not log SMB broadcasts
• Accept ICMP
• Accept VRRP
• Accept BGP
• Accept HEARTBEAT
• Accept SSH
• Deny and log everything else

# Default Deny
set name zzservers-local default-action drop

# Accept established and related
set name zzservers-local rule 1 action accept
set name zzservers-local rule 1 state established enable
set name zzservers-local rule 1 state related enable
set name zzservers-local rule 2 action drop
set name zzservers-local rule 2 log enable
set name zzservers-local rule 2 state invalid enable

# Drop and do not log Customer SMB
set name zzservers-local rule 3 action drop
set name zzservers-local rule 3 log disable
set name zzservers-local rule 3 destination group port-group SMB
set name zzservers-local rule 3 protocol udp

# Allow inbound ICMP
set name zzservers-local rule 4 action accept
set name zzservers-local rule 4 protocol icmp

# Allow inbound VRRP
set name zzservers-local rule 5 action accept
set name zzservers-local rule 5 protocol vrrp

# Allow inbound BGP
set name zzservers-local rule 6 action accept
set name zzservers-local rule 6 destination port 179
set name zzservers-local rule 6 protocol tcp

# Allow inbound BGP
set name zzservers-local rule 7 action accept
set name zzservers-local rule 7 source port 179
set name zzservers-local rule 7 protocol tcp

# Allow inbound HEARTBEAT
set name zzservers-local rule 8 action accept
set name zzservers-local rule 8 destination port 694
set name zzservers-local rule 8 protocol udp

# Allow inbound HEARTBEAT
set name zzservers-local rule 9 action accept
set name zzservers-local rule 9 source port 694
set name zzservers-local rule 9 protocol udp

# Allow inbound SSH
set name zzservers-local rule 10 action accept
set name zzservers-local rule 10 log enable
set name zzservers-local rule 10 source group address-group SSH-FROM
set name zzservers-local rule 10 destination port 22
set name zzservers-local rule 10 protocol tcp

# Logging rule
set name zzservers-local rule 9999 action drop
set name zzservers-local rule 9999 log enable

And the final rules for direct access from the router are the rules from the local interface to zzservers.

• Set default policy to Deny, dropping any unauthorized connection
• Allow established and related connections
• Drop all invalid states
• Accept ICMP
• Accept VRRP
• Accept BGP
• Accept HEARTBEAT
• Accept DNS
• Deny and log everything else

# Default Deny
set name local-zzservers default-action drop

# Accept established and related
set name local-zzservers rule 1 action accept
set name local-zzservers rule 1 state established enable
set name local-zzservers rule 1 state related enable
set name local-zzservers rule 2 action drop
set name local-zzservers rule 2 log enable
set name local-zzservers rule 2 state invalid enable

# Allow outbound ICMP
set name local-zzservers rule 4 action accept
set name local-zzservers rule 4 protocol icmp

# Allow outbound VRRP
set name local-zzservers rule 5 action accept
set name local-zzservers rule 5 protocol vrrp

# Allow outbound BGP
set name local-zzservers rule 6 action accept
set name local-zzservers rule 6 destination port 179
set name local-zzservers rule 6 protocol tcp

# Allow outbound BGP
set name local-zzservers rule 7 action accept
set name local-zzservers rule 7 source port 179
set name local-zzservers rule 7 protocol tcp

# Allow outbound HEARTBEAT
set name local-zzservers rule 8 action accept
set name local-zzservers rule 8 destination port 694
set name local-zzservers rule 8 protocol udp

# Allow outbound HEARTBEAT
set name local-zzservers rule 9 action accept
set name local-zzservers rule 9 source port 694
set name local-zzservers rule 9 protocol udp

# Allow outbound dns lookups
set name local-zzservers rule 10 action accept
set name local-zzservers rule 10 destination port 53
set name local-zzservers rule 10 protocol tcp_udp

# Allow upgrades – only during valid change
#set name local-zzservers rule 69 action accept
#set name local-zzservers rule 69 log enable
#set name local-zzservers rule 69 destination port 80
#set name local-zzservers rule 69 protocol tcp# Logging rule
set name local-zzservers rule 9999 action drop
set name local-zzservers rule 9999 log enable

Now the rules are defined for inbound and outbound directly to and from the router.  The final set of rules to build are the rules for the traffic that flows “through” the router between the Internet & ZZ Servers.  There will again be 2 sets of rules for the ingress and egress packets.

The routing rules are different from the other rules in that they:

• Default allow all packets
• Block Servers specified in REJECT-SERVERS
• Block IP address ranges specified in REJECT-NETWORKS
• Block Ports specified in REJECT-PORTS

# Default route all packets
set name internet-zzservers default-action accept

# Deny and reject blocked servers / networks / ports
set name internet-zzservers rule 10 action reject
set name internet-zzservers rule 10 log enable
set name internet-zzservers rule 10 source group address-group REJECT-SERVERS
set name internet-zzservers rule 11 action reject
set name internet-zzservers rule 11 log enable
set name internet-zzservers rule 11 destination group address-group REJECT-SERVERS
set name internet-zzservers rule 15 action reject
set name internet-zzservers rule 15 log enable
set name internet-zzservers rule 15 source group network-group REJECT-NETWORKS
set name internet-zzservers rule 16 action reject
set name internet-zzservers rule 16 log enable
set name internet-zzservers rule 16 destination group network-group REJECT-NETWORKS
set name internet-zzservers rule 20 action reject
set name internet-zzservers rule 20 log enable
set name internet-zzservers rule 20 source group port-group REJECT-PORTS
set name internet-zzservers rule 21 action reject
set name internet-zzservers rule 21 log enable
set name internet-zzservers rule 21 destination group port-group REJECT-PORTS

The final set of rules are the same as internet-zzsevers but for traffic going out from zzservers-internet.

# Default route all packets
set name zzservers-internet default-action accept
# Deny and reject blocked servers / networks / ports
set name zzservers-internet rule 10 action reject
set name zzservers-internet rule 10 log enable
set name zzservers-internet rule 10 source group address-group REJECT-SERVERS
set name zzservers-internet rule 11 action reject
set name zzservers-internet rule 11 log enable
set name zzservers-internet rule 11 destination group address-group REJECT-SERVERS
set name zzservers-internet rule 15 action reject
set name zzservers-internet rule 15 log enable
set name zzservers-internet rule 15 source group network-group REJECT-NETWORKS
set name zzservers-internet rule 16 action reject
set name zzservers-internet rule 16 log enable
set name zzservers-internet rule 16 destination group network-group REJECT-NETWORKS
set name zzservers-internet rule 20 action reject
set name zzservers-internet rule 20 log enable
set name zzservers-internet rule 20 source group port-group REJECT-PORTS
set name zzservers-internet rule 21 action reject
set name zzservers-internet rule 21 log enable
set name zzservers-internet rule 21 destination group port-group REJECT-PORTS

With all of the filters now defined the final detail is to assign the segments (internet/zzservers/local) the appropriate devices.

You first will exit the firewall editor and edit the “zone-policy”

exit

edit zone-policy

Within the zone-policy we will configure:

• Default policy for all zones (internet/zzservers/local) to be to drop
• Identify the internet with eth0
• Identify the zz servers network with eth1
• Map the various rules to the appropriate policies
• Exit / Save and commit

# Set the default policy for zone internet to drop
set zone internet default-action drop
# For internet zone, traffic from zzservers to internet uses firewall filter zzservers-internet
set zone internet from zzservers firewall name zzservers-internet
# For internet zone, traffic from local router to internet  uses firewall filter local-internet
set zone internet from local firewall name local-internet
# Set internet zone assignment to eth0
set zone internet interface eth0

# Set the default policy for zzservers zone to drop
set zone zzservers default-action drop
# For zzservers zone, traffic from internet to zzservers uses firewall filter internet-zzservers
set zone zzservers from internet firewall name internet-zzservers
# For zzservers zone, traffic from local router to zzservers uses firewall filter local-zzservers
set zone zzservers from local firewall name local-zzservers
# Set zzservers interface eth1
set zone zzservers interface eth1

# Set the default policy for local zone to drop
set zone local default-action drop
# For local zone, traffic from internet to the local router uses firewall  filter internet-local
set zone local from internet firewall name internet-local
# For local zone, traffic from zzservers to the local router uses firewall filter zzservers-local
set zone local from zzservers firewall name zzservers-local
set zone local local-zone

exit
save
commit

With the rules now in place it is easy to block inappropriate traffic by adding the specific host/ip/port to the correct group.  The commands to add / remove items from the defined groups are as follows:

To add new IPs to the REJECT-IPS group and cause them to be rejected from the ZZ network, logon to the router and use the following command:

• configure
• set firewall group address-group REJECT-SERVERS address <ip to reject>
• commit
• save

To remove an IP address use a similar command replacing “set” with “delete”:

• configure
• delete firewall group address-group REJECT-SERVERS address <ip to remove>
• commit
• save

To reject subnets or ports use same syntax but change REJECT-SERVERS to REJECT-NETWORKS or REJECT-PORTS

The configuration generated by this example is attached below.  Good luck and remember, security should be a layered risk based approach and be sure to use all of the resources available to you.

vyatta-zone-firewall

References:
Vyatta
Vyatta is revolutionizing the networking industry by delivering a software-based, open-source, network operating system that is portable to standard x86 hardware as well as common virtualization and cloud computing platforms. By deploying Vyatta, users benefit from a flexible enterprise-class routing and security feature set capable of scaling from DSL to 20Gbps performance at a fraction of the cost of proprietary solutions. Thousands of physical and virtual infrastructures around the world, from small enterprise to Fortune 500, are connected and protected by Vyatta software and appliances.

Vyatta Community Edition
The free community Vyatta Core software(VC) is an award-winning open source network operating system providing advanced IPv4 and IPv6 routing, stateful firewalling, IPSec and SSL OpenVPN, intrusion prevention, and more. When you add Vyatta to a standard x86 hardware system, you can create an enterprise grade network appliance that easily scales from DSL to 10Gbps. Vyatta is also optimized to run in VMware, Citrix XenServer, Xen, KVM, and other hypervisors, providing networking and security services to virtual machines and cloud computing environments. Vyatta has been downloaded over 600,000 times, has a community of hundreds of thousands of registered users and counts dozens of fortune 500 businesses among its commercial customers.

Vyatta Documentation
Firewall (IPv4, IPv6, Zone-based Firewall) – Vyatta_Firewall_R6.1_v02.pdf

ZZ Servers
ZZ Servers was founded in 2006 by brothers Peter and David Zendzian to provide business and enterprise level hosted network environments at affordable prices. Our commitment to a high level of customer service and belief in personalized customer service for every client is an integral component of our business philosophy. Our goal is to work collaboratively with industry professionals, our clients and consumers to provide not just a source for affordable and secure hosted network infrastructures but also provide a friendly family oriented customer support experience.

ZZ Servers delivers a comprehensive collection of hosting services to organizations of all sizes. Our hosting services are at the core of our security and and management services and have been engineered for industry regulations including PCI, GLBA, SOX, HIPPA and ISO 27002.

We understand for your business to remain competitive and profitable, it needs to be on-line. We offer web hosting options that are custom tailored to fit your specific business needs. From our ultra affordable shared web hosting to state of the art geographically redundant solutions, we can meet your needs.

If a phone is lost or stolen, your natural reaction may be to change your password. This is not a good idea, because changing the password will make it impossible to do a “remote wipe” of the phone. Fortunately, Kerio Connect offers a solution called “remote wipe”. A “remote wipe” will erase all data on the phone completely resetting all accounts, and in the case of most phones, erasing all apps and completely resetting the phone. Remote wipe is much more effective than changing a password because it protects the user’s privacy, and should be used instead. More information regarding the remote wipe feature can be found at ZZ Servers.

After having used many open and commercial  monitoring systems, we have settled on Zabbix because of it’s extensive features and expandability (especially with the new integrated API).  That and it doesn’t hurt that it is well designed for expanded enterprises and is OpenSource.

This article was originally posted with details for Zabbix 1.6 and was updated on April 10 to reflect how to set it up under Zabbix 1.8.

OSSEC is a great tool provided by Trend Micro and is also an OpenSource application. OSSEC provides a variety of tools for host based intrusion detection including:  log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.  All of which support several compliance and basic security requirements. OSSEC is deployed in a client-server model with all alerting and active response features being controlled and sent through the central server.

To integrate OSSEC and Zabbix we will be using the active-response feature of OSSEC integrated with zabbix_sender to send the active response alert to the zabbix server.   Configuring for this integration requires a simple script, a quick change to the ossec.conf and the creation of an OSSEC template in the zabbix system.

We will start with the OSSEC changes.  First, we will edit the OSSEC/etc/ossec.conf file, where OSSEC is the path to your OSSEC installation.  In this file you will need to add the following items:

<command>
<name>zabbix-alert</name>
<executable>zabbix-alert.sh</executable>
<timeout_allowed>no</timeout_allowed>
<expect></expect>
</command>

<active-response>
<disabled>no</disabled>
<command>zabbix-alert</command>
<location>server</location>
<level>1</level>
</active-response>

The first <command> item defines the script we will be using for the zabbix-alert.  The <active-response> item defines when the system will use this script.  The defined configuration above has all alerts at and above level “1″ sent to the zabbix-alert command.  This can be modified for higher levels or specific rules or rule groups.  More information on this configuration can be found in the OSSEC manual.

Now the zabbix-alert.sh script needs to be put into the OSSEC/active-response/bin directory (be sure to watch for lines that are wrapped around but shouldn’t be).  You can download the script here: zabbix-alert.sh.

#!/bin/sh
#
# Submits an OSSEC alert as a passive service check result to zabbix.
#
# Author: David M. Zendzian
# ZZ Servers, LLC 2010
#
# Idea from Dave Stycos post: http://groups.google.com/group/ossec-dev/browse_thread/thread/e29c5d71926b8af5
#
# This script is Public Domain, and is provided AS-IS.  There is no
# warranty, and no support given for its contents.
#
# Version 1.0: Apr. 6, 2010
#

DEBUG=”false”
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`
UNAME=`uname`

# Zabbix Sender
ZabbixSender=”/usr/bin/zabbix_sender”
#ZabbixSender=”/usr/sbin/zabbix_sender”

# Zabbix Server
ZabbixServer=<your zabbix server ip>

# Zabbix Port
ZabbixPort=10051

# All alerts will be processed by Zabbix under this key.
ZabbixKeyName=OSSEC

# Check that zabbix_sender file exists.
if [ ! -w $ZabbixSender ]; then
logger -p local0.err “$0: File $ZabbixSender not found.  Exiting.”
exit 1
fi

# Getting alert time
ALERTTIME=`echo “$ALERTID” | cut -d  “.” -f 1`

# Getting end of alert
ALERTLAST=`echo “$ALERTID” | cut -d  “.” -f 2`

# Getting full alert
ALERTTEXT=`grep -A 10 “$ALERTTIME” $PWD/../logs/alerts/alerts.log | grep -v “.$ALERTLAST: ” -A 10 `

# Extract host (agent) name from alert.
HOSTNAME=`echo “$ALERTTEXT” | sed -n ’1,1s/^.*\:[0-9][0-9]\:[0-9][0-9][^A-Za-z0-9_]*\([-A-Za-z0-9_]*\)\->.*$/\1/p’`

# if hostname alert wasn’t from local host, the host value is “(hostname) ip”, which extracts differently
if [ "$HOSTNAME" = "" ]
then
HOSTNAME=`echo “$ALERTTEXT” | sed -n ’1,1s/^.*\:[0-9][0-9]\:[0-9][0-9] (\([-A-Za-z0-9_]*\)) .*\->.*$/\1/p’`
fi
if [ "$HOSTNAME" = "" ]
then
exit 0
fi

# Extract alert level from alert.
ALERTLVL=`echo “$ALERTTEXT” | sed -n ’2,2s/^.*(level \([0-9]*\).*$/\1/p’`

# Extract description from alert.
ALERTMSG=`echo “$ALERTTEXT” | sed -n ’5,5p’`

# Create Alert message
# Short MSG version
#ZMSG=”$ALERTID | $ALERTLVL | $RULEID – $ALERTMSG”
# Full MSG Version
ZMSG=”AlertID: $ALERTID | User: $USER | IP: $IP | Level: $ALERTLVL | RuleID: $RULEID – $ALERTMSG”

# Send result to zabbix for logging and notification alerts.
$ZabbixSender –zabbix-server $ZabbixServer –port $ZabbixPort –host $HOSTNAME –key $ZabbixKeyName –value “$ZMSG”

if [ "$DEBUG" = "true" ]
then
echo “$ZabbixSender –zabbix-server $ZabbixServer –port $ZabbixPort –host $HOSTNAME –key $ZabbixKeyName –value ‘$ZMSG’” >> /tmp/zabbix-test.log
echo “ACTION: $ACTION” >> /tmp/zabbix-test.log
echo “USER: $USER”
echo “IP: $IP” >> /tmp/zabbix-test.log
echo “ALERTID: $ALERTID” >> /tmp/zabbix-test.log
echo “ALERTLVL: $ALERTLVL” >> /tmp/zabbix-test.log
echo “RULEID: $RULEID” >> /tmp/zabbix-test.log
echo “———————————” >> /tmp/zabbix-test.log
fi

With the script saved, you can restart OSSEC (OSSEC/bin/ossec-control restart) or wait until zabbix is setup then restart.

UPDATE 07-16-2010 – If you are using zabbix-proxies then you need to have the OSSEC alerts for proxy monitored hosts submitted through the proxy server.  This isn’t a problem with the existing script if the proxy server is also monitored through the proxy; just update the server IP to be the proxy not the central zabbix server.  If you monitor your proxy directly from the central zabbix server then the script needs to be updated to support sending proxy hosts though proxy and the host itself directly to zabbix.  The script can be found here; or below.  Again be sure to watch for broken wrapped lines:

#!/bin/sh
#
# Submits an OSSEC alert as a passive service check result to zabbix.
#
# Author: David M. Zendzian
#
# Idea from Dave Stycos post: http://groups.google.com/group/ossec-dev/browse_thread/thread/e29c5d71926b8af5
#
# Updated 7/15/10 – using 2 server hosts in case using proxies and local host is monitored directly by central server and not proxy.
#
# This script is Public Domain, and is provided AS-IS.  There is no
# warranty, and no support given for its contents.
#
# Version 1.1: Jul. 15, 2010
#

DEBUG=”true”
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

if [ "$DEBUG" = "true" ]
then
echo “NOTICE: Starting Zabbix sender” >> /tmp/zabbix-test.log
fi

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`
UNAME=`uname`

# Zabbix Sender
ZabbixSender=”/usr/bin/zabbix_sender”
#ZabbixSender=”/usr/sbin/zabbix_sender”

# Zabbix Server
# Set server2 to be the same if all hosts monitored through proxy or the same server; otherwise
# set ZabbixServer to the proxy for non-localhost and then ZabbixServer2 to the host that the
# local proxy uses
ZabbixServer=<Server/Proxy>
ZabbixServer2=<Server for “Localhost”>

# Zabbix Port
ZabbixPort=10051

# All alerts will be processed by Zabbix under this key.
ZabbixKeyName=OSSEC

# Check that zabbix_sender file exists.
if [ ! -w $ZabbixSender ]; then
logger -p local0.err “$0: File $ZabbixSender not found.  Exiting.”
if [ "$DEBUG" = "true" ]
then
echo “ERROR: No Zabbix Sender” >> /tmp/zabbix-test.log
fi
exit 1
fi

# Getting alert time
ALERTTIME=`echo “$ALERTID” | cut -d  “.” -f 1`

# Getting end of alert
ALERTLAST=`echo “$ALERTID” | cut -d  “.” -f 2`

# Getting full alert
ALERTTEXT=`grep -A 10 “$ALERTTIME” $PWD/../logs/alerts/alerts.log | grep -v “.$ALERTLAST: ” -A 10 `

# Extract host (agent) name from alert.
HOSTNAME=`echo “$ALERTTEXT” | sed -n ’1,1s/^.*\:[0-9][0-9]\:[0-9][0-9][^A-Za-z0-9_]*\([-A-Za-z0-9_]*\)\->.*$/\1/p’`

# if hostname alert wasn’t from local host, the host value is “(hostname) ip”, which extracts differently
if [ "$HOSTNAME" = "" ]
then
HOSTNAME=`echo “$ALERTTEXT” | sed -n ’1,1s/^.*\:[0-9][0-9]\:[0-9][0-9] (\([-A-Za-z0-9_]*\)) .*\->.*$/\1/p’`
fi
if [ "$HOSTNAME" = "" ]
then
if [ "$DEBUG" = "true" ]
then
echo “ERROR: No Hostname” >> /tmp/zabbix-test.log
fi
exit 0
fi

# if the local host is a proxy then monitored items submitted through proxy, localhost probably monitored directly from central server (if not change comment this out)
LOCALHOSTNAME=`hostname -s`
if [ "$HOSTNAME" = "$LOCALHOSTNAME" ]
then
ZabbixServer=$ZabbixServer2
fi

if [ "$DEBUG" = "true" ]
then
echo “ZabbixServer: $ZabbixServer” >> /tmp/zabbix-test.log
fi

# Extract alert level from alert.
ALERTLVL=`echo “$ALERTTEXT” | sed -n ’2,2s/^.*(level \([0-9]*\).*$/\1/p’`

# Extract description from alert.
ALERTMSG=`echo “$ALERTTEXT” | sed -n ’5,5p’`

# Create Alert message
ZMSG=”$ALERTID | $ALERTLVL | $RULEID – $ALERTMSG”

# Send result to zabbix for logging and notification alerts.
$ZabbixSender –zabbix-server $ZabbixServer –port $ZabbixPort –host $HOSTNAME –key $ZabbixKeyName –value “$ZMSG”

if [ "$DEBUG" = "true" ]
then
echo “$ZabbixSender –zabbix-server $ZabbixServer –port $ZabbixPort –host $HOSTNAME –key $ZabbixKeyName –value ‘$ZMSG’” >> /tmp/zabbix-test.log
echo “ACTION: $ACTION” >> /tmp/zabbix-test.log
echo “USER: $USER” >> /tmp/zabbix-test.log
echo “IP: $IP” >> /tmp/zabbix-test.log
echo “ALERTID: $ALERTID” >> /tmp/zabbix-test.log
echo “ALERTLVL: $ALERTLVL” >> /tmp/zabbix-test.log
echo “RULEID: $RULEID” >> /tmp/zabbix-test.log
echo “———————————” >> /tmp/zabbix-test.log
fi

exit 0

UPDATE 09-24-2010 – If you happen to use full domain names, the regex for getting the name needs to allow “.”  – The script can be found zabbix-alert-201009; or below.  Again be sure to watch for broken wrapped lines:

#!/bin/sh
#
# Submits an OSSEC alert as a passive service check result to zabbix.
#
# Author: David M. Zendzian
#
# Idea from Dave Stycos post: http://groups.google.com/group/ossec-dev/browse_thread/thread/e29c5d71926b8af5
#
# Updated 7/15/10 – using 2 server hosts in case using proxies and local host is monitored directly by central server and not proxy.
#
# This script is Public Domain, and is provided AS-IS.  There is no
# warranty, and no support given for its contents.
#
# Version 1.1: Jul. 15, 2010
#

DEBUG=”true”
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

if [ "$DEBUG" = "true" ]
then
echo “NOTICE: Starting Zabbix sender” >> /tmp/zabbix-test.log
fi

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`
UNAME=`uname`

# Zabbix Sender
ZabbixSender=”/usr/bin/zabbix_sender”
#ZabbixSender=”/usr/sbin/zabbix_sender”

# Zabbix Server
# Set server2 to be the same if all hosts monitored through proxy or the same server; otherwise
# set ZabbixServer to the proxy for non-localhost and then ZabbixServer2 to the host that the
# local proxy uses
ZabbixServer=<Server/Proxy>
ZabbixServer2=<Server for “Localhost”>

# Zabbix Port
ZabbixPort=10051

# All alerts will be processed by Zabbix under this key.
ZabbixKeyName=OSSEC

# Check that zabbix_sender file exists.
if [ ! -w $ZabbixSender ]; then
logger -p local0.err “$0: File $ZabbixSender not found.  Exiting.”
if [ "$DEBUG" = "true" ]
then
echo “ERROR: No Zabbix Sender” >> /tmp/zabbix-test.log
fi
exit 1
fi

# Getting alert time
ALERTTIME=`echo “$ALERTID” | cut -d  “.” -f 1`

# Getting end of alert
ALERTLAST=`echo “$ALERTID” | cut -d  “.” -f 2`

# Getting full alert
ALERTTEXT=`grep -A 10 “$ALERTTIME” $PWD/../logs/alerts/alerts.log | grep -v “.$ALERTLAST: ” -A 10 `

# Extract host (agent) name from alert.
HOSTNAME=`echo “$ALERTTEXT” | sed -n ’1,1s/^.*\:[0-9][0-9]\:[0-9][0-9][^A-Za-z0-9_]*\([-A-Za-z0-9_.]*\)\->.*$/\1/p’`

# if hostname alert wasn’t from local host, the host value is “(hostname) ip”, which extracts differently
if [ "$HOSTNAME" = "" ]
then
HOSTNAME=`echo “$ALERTTEXT” | sed -n ’1,1s/^.*\:[0-9][0-9]\:[0-9][0-9] (\([-A-Za-z0-9_.]*\)) .*\->.*$/\1/p’`
fi
if [ "$HOSTNAME" = "" ]
then
if [ "$DEBUG" = "true" ]
then
echo “ERROR: No Hostname” >> /tmp/zabbix-test.log
fi
exit 0
fi

# if the local host is a proxy then monitored items submitted through proxy, localhost probably monitored directly from central server (if not change comment this out)
LOCALHOSTNAME=`hostname -s`
if [ "$HOSTNAME" = "$LOCALHOSTNAME" ]
then
ZabbixServer=$ZabbixServer2
fi

if [ "$DEBUG" = "true" ]
then
echo “ZabbixServer: $ZabbixServer” >> /tmp/zabbix-test.log
fi

# Extract alert level from alert.
ALERTLVL=`echo “$ALERTTEXT” | sed -n ’2,2s/^.*(level \([0-9]*\).*$/\1/p’`

# Extract description from alert.
ALERTMSG=`echo “$ALERTTEXT” | sed -n ’5,5p’`

# Create Alert message
ZMSG=”$ALERTID | $ALERTLVL | $RULEID – $ALERTMSG”

# Send result to zabbix for logging and notification alerts.
$ZabbixSender –zabbix-server $ZabbixServer –port $ZabbixPort –host $HOSTNAME –key $ZabbixKeyName –value “$ZMSG”

if [ "$DEBUG" = "true" ]
then
echo “$ZabbixSender –zabbix-server $ZabbixServer –port $ZabbixPort –host $HOSTNAME –key $ZabbixKeyName –value ‘$ZMSG’” >> /tmp/zabbix-test.log
echo “ACTION: $ACTION” >> /tmp/zabbix-test.log
echo “USER: $USER” >> /tmp/zabbix-test.log
echo “IP: $IP” >> /tmp/zabbix-test.log
echo “ALERTID: $ALERTID” >> /tmp/zabbix-test.log
echo “ALERTLVL: $ALERTLVL” >> /tmp/zabbix-test.log
echo “RULEID: $RULEID” >> /tmp/zabbix-test.log
echo “———————————” >> /tmp/zabbix-test.log
fi

exit 0

For this integration to work, the host names used in OSSEC need to match the host names defined in Zabbix.  If they do not match, then zabbix_sender results will not make it into the hosts items correctly.

The easiest way to setup zabbix is to setup a template.  This template will define the application, item and triggers for OSSEC and can easily be linked to the hosts you are monitoring.

In zabbix goto Configure/Hosts and select ‘templates’.

Create a new template called OSSEC and be sure to add it to the Templates group.

Zabbix 1.6: Add OSSEC Template

Zabbix 1.8: Add OSSEC Template

With the template created, a new application needs to be created so the OSSEC items have a place to be organized.  Staying in Configuration / Hosts (for Zabbix 1.6 & 1.8), in the drop down on the upper right, select “Applications” and then from the group and host dropdown, select Templates / Template_OSSEC that was just created.  There should be no Applications in the list. If you do not see Template_OSSEC that was just created, go back to templates and edit the OSSEC item and be sure that it is in the “Templates” group.

Click on “Create application” and create “OSSEC Monitor” or whatever you want to call it.

Zabbix 1.6: Create OSSEC Template Application

Zabbix 1.8: Create OSSEC Application

Now we are ready to create the Item & Trigger for the OSSEC data.  In Zabbix 1.6, select “Configuration / Items” and select “Templates / Template_OSSEC” from the group and host selections and then click on “Create Item.”  The important item here is the Key which we will setup as OSSEC and is required to match the ZabbixKeyName in the zabbix-alert.sh script on the OSSEC server.

Zabbix 1.6: Create OSSEC Item

In Zabbix 1.8, remain in the “Configuration / Hosts” menu and in the upper right drop down select “Items”.  Click on “Create Item.”  When the new form is up, click on “Select” for the Host and select Template_OSSEC that we created above.  The same values will be set as with Zabbix 1.6.

Zabbix 1.8: Create OSSEC Item

As you can see, the item is a “Text” type getting data from a Zabbix Trapper event.  The things to not forget here are to enter your OSSEC server(s) in the Allowed Host line and to select the OSSEC Monitor application.

The next step is to create a trigger which will let us know when new data has arrived from OSSEC. Select “Configuration / Triggers” in Zabbix 1.6.

If you are using 1.8 then remain on the “Configuration / Hosts” page and select “Triggers” from the dropdown box on the upper right.

It should default to the Template_OSSEC host, but if it doesn’t then select Templates from groups and the Template_OSSEC host.

There are several ways to monitor the OSSEC text data, but I have selected to alert if there is new data in the last 10 minutes.  As you can see from the screenshot, the expression I used is {Template_OSSEC:OSSEC.nodata(600)}#1.  This works because the nodata(600) will return a 1 if no data is received in the time period specified (600 sec or 10 min).  So if it ever returns anything other than 1, we have new data.  For more information on trigger functions, consult the zabbix manual.

Now click on “Create Trigger” go create the trigger.

Zabbix 1.6: Create OSSEC Zabbix Trigger

Zabbix 1.8: Create OSSEC Zabbix Trigger

I have set the alert severity to “average” but you may want to change that depending on your needs.  The zabbix actions we will define will send all OSSEC alerts so the severity will not really matter.  One thing that is worth examining is to change the OSSEC item value to log instead of text which could allow for log severity and other values that could be used with the OSSEC alert levels; but that project is for another time.

Updated: 4/16/10 – What I have done for alerting based on level is to use the “short” ZMSG message type in the zabbix-alert.sh script and define a trigger such as:

({Template_OSSEC:OSSEC.nodata(600)}#1)&({Template_OSSEC:OSSEC.str( | 1 | )}#1)&({Template_OSSEC:OSSEC.str( | 2 | )}#1)&({Template_OSSEC:OSSEC.str( | 3 | )}#1)

What this trigger does is requires all 4 conditions to be met (&=”AND” between each item test).  The first is that there is new data within the last 10 minutes, the other 3 are requirements that the new data does not contain | 1 | or | 2 | or | 3 |, which would be OSSEC alert levels 1, 2 and 3.  If you use the longer ZMSG then the str values would be like: {Template_OSSEC:OSSEC.str( | Level: 3 | )}#1

Only 2 things left to do and the OSSEC/Zabbix integration is done.  These are to create actions for OSSEC events and to link the OSSEC template to the hosts you are monitoring with OSSEC.

In our local zabbix configuration I have created a “Security Administrator” group that receives IDS and other security events and will be using that to specify who receives the alerts.  You can modify these settings based on your local policy and zabbix configuration.

As you will also see in the following screenshot, I have modified the default message.  This allows me to receive the full data from the OSSEC event through {ITEM.LASTVALUE}.  I have also shortened the message so I can receive the details I want on my SMS alerts which have a smaller size than full emails.

I have tried to enable escalations for OSSEC alerts, however the way that zabbix handles items is that it will only look at the “active” triggers & items, what this means is that when a new OSSEC alert comes in and is added to the items database, the trigger is alerted but after 10 minutes it will “go away”.  There is no way, currently, to have a trigger depend on it’s being “Ack’d” which would be preferred for security, log and other events that just shouldn’t go away until an admin acks what happened.  There is a currently active zabbix feature request requesting this, so please go vote it up so we can see it added in the near future!

Zabbix 1.6: Create OSSEC Action

Zabbix 1.8: Create OSSEC Action

All that is left is to link your hosts to the OSSEC template.  The OSSEC alert submits data to zabbix based on the host names defined in OSSEC.  So once again, please be sure the names used match in both systems.

If you do not know how to link the OSSEC template, simply go to “Configuration / Hosts” and edit the hosts that are monitored by OSSEC.  You need to link every host as the alerts will be coming in directly to each unique host.  The example below is for one of our ossec servers, but the configuration should be the same for all OSSEC monitored hosts.

Zabbix 1.6: Host OSSEC Template Link

Zabbix 1.8: Host OSSEC Template Link

This should be it.  If you have already restarted OSSEC then you just need to create an event it will alert on (logging onto monitored host, creating “segfault” log messages: logger “segfault”, etc).  In my quick test, seen below, I did a failed logon (bad pw) and within a few seconds I had my jabber alert pop up and a sms message arrive on my phone!

If you have any problems, you can set DEBUG=true in the zabbix-alert.sh and it will log out what is being sent to zabbix into /tmp/zabbix-test.log.

If OSSEC is not running active-alerts, you may want to jump on #ossec on the openprojects IRC and get some assistance or search google.

Good luck!

David M. Zendzian | Managing Partner | ZZ Servers
268 Bush St. #4127 | San Francisco, CA 94104

Business Hosting Solutions | PCI | HIPAA
Managed Hosting Specialists

In the past, it was though Linux servers were safe from viruses but recently hackers have been taking advantage of this false sense of security. Some researchers point out that 70% of attacks on Linux honeypots were infected with a 6 year old virus (RST-B)* and used as command and control points for botnets.

ZZ Servers now offers affordable F-Prot anti-virus software for Windows, Linux, Exchange, BSD and Solaris. Protect your servers, desktops and critical infrastructure today. Contact ZZ Servers at 800-796-3574 or email support@zzservers.com to arrange for installation of anti-virus software today.

*RST-B is a backdoor malware runs on Linux/UNIX platforms and infects ELF files in the current and /bin directories. This Linux backdoor and virus compromises system security by allowing remote users to manipulate and access infected machines. If executed as root, it will start processes listening on two network interfaces which provide a remote root shell.

One such example would be Amazon EC2.  In a recent discussion at amazonwebservices.com forum and slashdot.org users were discussing a desire to move to Amazon EC2 and maintain PCI compliance.  While not surprising, at least there was a concrete answer to were Amazon stands with regards to its role in its customer’s compliance.  In an email from Taimur Rashid, an account manager at Amazon Web Services, he states “We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data.”

PCI requires all merchants maintain a written agreement between the merchant and service provider that outlines responsibility for cardholder data.  “Requirement 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” Without this simple agreement, you cannot be compliant.

In addition to not allowing a written agreement, Amazon also will not allow on site audits required for Level 1 and now Level 2 merchants.  Cindy S from Amazon Web Services states “If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers.”

Based on the 2 statements above, Amazon EC2/S3 is currently not capable of providing the level of service required for PCI compliance on any level.  If you are a merchant and require PCI compliance, avoid the cloud and find a reputable service provider which specializes in PCI compliance such as GSI, Rackspace or ZZ Servers.

This breech at Batteries.com shows that a merchant does not need to be large like Heartland to be targeted by hackers.

For more information regarding this breech, visit the Batteries.com security and fraud prevention page.