Category Archives: Security

Ossim lookup ip script – Execute using a rule

lookup_ip.pl

This script takes an IP address, looks up its GeoIP information and populates a database with that information together with the Suricata IDS alert details passed on the command line.

#!/usr/bin/perl
use strict;
use warnings;

use Geo::IP::PurePerl;
use Net::IP::Match::Regexp qw( create_iprange_regexp match_ip );
use DBI;
use POSIX qw(strftime);

# Arguments as passed by the OSSIM action: src_ip sid_name src_port protocol dst_ip dst_port
die "usage: $0 src_ip sid_name src_port protocol dst_ip dst_port\n" unless @ARGV == 6;
my ($srcip, $sidname, $srcport, $protocol, $dstip, $dstport) = @ARGV;

my $gi = Geo::IP::PurePerl->new("/usr/local/share/GeoIP/GeoIP.dat", GEOIP_STANDARD);
my $country = $gi->country_code_by_addr($srcip);

# Timestamp taken in-process instead of shelling out to date(1)
my $now  = time;
my $date = strftime("%Y-%m-%d", localtime $now);
my $time = strftime("%H:%M:%S", localtime $now);

# Debug copy of the arguments received from OSSIM
open(my $fh, '>', '/tmp/temp.txt') or die "cannot write /tmp/temp.txt: $!";
print $fh "$_\n" for @ARGV;
close($fh);

# Alerts whose source is one of our internal ranges are not recorded
my $regexp = create_iprange_regexp('192.168.0.0/16','10.0.0.0/8','172.16.0.0/16','172.17.0.0/16');
if ( match_ip($srcip, $regexp) ) {
    print "ip interna \n";
    exit 0;
} else {
    print "ip externa \n";
}

my $dbh = DBI->connect("DBI:Pg:dbname=siem;host=localhost", "database", "password", {'RaiseError' => 1});
# Bound parameters: the alert fields come from untrusted traffic, so they are never
# interpolated into the SQL string
$dbh->do(
    "INSERT INTO ips_db (date,time,sensor,sid_name,src_ip,src_port,dst_ip,dst_port,src_country,action)
     VALUES (?,?,?,?,?,?,?,?,?,?)",
    undef,
    $date, $time, '192.168.56.10', $sidname, $srcip, $srcport, $dstip, $dstport, $country, 'database',
);
$dbh->disconnect;

IPTABLES: mapping ports with DNAT

If you want to redirect a service, for example the web service, from the public IP address to a private one (a host on your LAN with a private IP address), you use:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.0.15

(replace 10.10.0.15 with the address of your internal server)

In this case I’m mapping the web service from my public server to a private one.

Note: the public server can keep port 80 closed in its INPUT rules, because DNAT happens in PREROUTING before the packet reaches INPUT; the redirected traffic passes through the FORWARD chain instead.

IPTABLES: how to do nat?

Network Address Translation (NAT) is very useful to me.

You should have at least two network interfaces.

This example uses the MASQUERADE target (a type of SNAT).

Kernel IP forwarding must be enabled before you start setting up NAT rules.

To enable it on a Debian-based system:

# echo 1 > /proc/sys/net/ipv4/ip_forward

(temporary, lost at reboot)

or, to make it permanent, add to the /etc/sysctl.conf file:

net.ipv4.ip_forward = 1

Accept connections through the FORWARD chain:

# iptables -P FORWARD ACCEPT

Then the NAT rule:

# iptables -t nat -A POSTROUTING -o (interface that has the internet connection) -j MASQUERADE

Note: it is very important to have two different network ranges, like the ones below, and to know what the gateway will be on the clients.
eth0 > dhcp from ISP
eth1 > 172.20.0.0 (NAT range)

For a permanent effect, add this line to the /etc/rc.local script:

/sbin/iptables -t nat -A POSTROUTING -o (interface with internet) -j MASQUERADE

MANUAL CLIENT CONFIGURATION

Note: you can set up a DHCP server to make the job easier.

IP > 172.20.0.10 (inside the NAT range); this address could be different
Subnet mask > 255.255.255.0; this could be different
Gateway > 172.20.0.1; the Linux NAT interface (in this case the eth1 address)

DNS servers > you can use public DNS servers such as OpenDNS, or internal ones. On the Linux machine with the NAT rules, type:

# cat /etc/resolv.conf

and use the Linux system’s DNS servers (this may be a router on another NAT range with a DNS server configured).

Tip! You can restrict any service on the network by adding rules to the FORWARD chain; they are written like INPUT rules but with the prefix:

# iptables -A FORWARD ...

Done.

IPTABLES: basic rules

Nowadays it’s very important to have a fully working firewall on your computer, or on any machine you get your hands on. I used to use Firestarter on my Debian-based system, but although it is very functional, I didn’t like the way it applied the rules and managed the FORWARD and OUTPUT rules. To manage your firewall directly with iptables, read on and find out how in a simple way.

I suppose you already have iptables installed on your system.

Before setting up rules (these accept traffic belonging to connections already tracked by conntrack):

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

General rules (default policies):

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT

Examples of rules:

# iptables -A INPUT -d (server address) -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -s 172.0.0.2 -d (server address) -p icmp -j ACCEPT
# iptables -A INPUT -d (server address) -p icmp -j DROP
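The three iptables posts above (port mapping with DNAT, NAT with MASQUERADE, and the basic rules) fit together in one gateway script. The following is an added example, not the author's rules: it assumes eth0 on the ISP side and eth1 on the 172.20.0.0/24 NAT range as in the NAT post, places the internal web server at 172.20.0.15 inside that range (a constructed address; the DNAT post uses 10.10.0.15), and only prints the commands unless DRY_RUN=0. Unlike the NAT post it keeps the FORWARD policy at DROP and opens only the LAN-to-internet flow and the translated port 80, which is the kind of restriction the tip at the end of that post suggests; it also drops packets arriving from the internet that claim a source inside the NAT range.

```shell
#!/bin/sh
# Gateway firewall built from the three iptables posts (added example, not the author's rules).
# Assumed layout, override with environment variables:
WAN_IF="${WAN_IF:-eth0}"                 # interface with the internet connection (DHCP from the ISP)
LAN_IF="${LAN_IF:-eth1}"                 # interface on the NAT range
LAN_NET="${LAN_NET:-172.20.0.0/24}"      # NAT range, gateway 172.20.0.1 on $LAN_IF
WEB_SERVER="${WEB_SERVER:-172.20.0.15}"  # constructed: internal host that receives the DNAT'd port 80
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands only, 0 = apply them (needs root)

# ipt: print or run an iptables command, depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# enable_forwarding: the kernel must route between interfaces before NAT makes sense
enable_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

gateway_rules() {
    # Start from clean filter and nat tables so the script can be re-run
    ipt -F
    ipt -t nat -F
    ipt -X

    # Default policies: nothing reaches the gateway or crosses it unless allowed below
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Packets arriving from the internet must not claim a source inside the NAT range
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Loopback, then return traffic of connections already tracked by conntrack
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Services on the gateway itself: SSH and ping, from the LAN side only
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp -j ACCEPT

    # Transit: LAN clients may open connections towards the internet
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Port mapping: public port 80 is rewritten to the internal web server (PREROUTING),
    # and that translated flow needs its own FORWARD rule because INPUT never sees it
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT

    # Source NAT: everything leaving through the WAN interface gets its address
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# rule_count: number of iptables commands the rule set produces (always dry-run, for checking)
rule_count() {
    (DRY_RUN=1; gateway_rules) | grep -c '^iptables '
}

enable_forwarding
gateway_rules
```

Run it once with DRY_RUN=1 (the default) and read the printed commands before applying them with DRY_RUN=0 as root; to keep the rules across reboots, call the script from /etc/rc.local as the NAT post does with its single MASQUERADE line.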

How to encrypt a folder?

First you need to install the encfs and fuse-utils packages:

# apt-get install encfs fuse-utils

Then:

$ encfs "encrypted source folder" "mount point for the encfs filesystem"
$ encfs /home/joe/Desktop/secret /media/crypt-files

Now you have an encfs filesystem mounted, and you can paste or save any information you want encrypted into the “/media/crypt-files” mount point.
To hide the information (unmount the encfs filesystem):

$ fusermount -u /media/crypt-files

Now if you open the /home/joe/Desktop/secret folder you’ll see the files encrypted.
To mount it again and use or read the information:

$ encfs /home/joe/Desktop/secret /media/crypt-files

enter the password and it’s done.
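The one thing to watch with this workflow is that /media/crypt-files is an ordinary directory while encfs is not mounted: anything saved there at that moment is stored in clear. The wrapper below is an added example, not the author's commands; it uses the post's two paths as defaults and checks the kernel mount table (/proc/mounts, overridable through MOUNTS_FILE) before mounting, and again after unmounting, so "close" only reports success once the plaintext view is really gone. The --idle option of encfs unmounts the filesystem after the given number of idle minutes, which limits how long a forgotten session stays open.

```shell
#!/bin/sh
# Wrapper around the encfs workflow from the post (added example, not the author's commands).
# Assumed paths are the ones from the post; override them with environment variables.
SECRET_DIR="${SECRET_DIR:-/home/joe/Desktop/secret}"   # ciphertext directory
MOUNT_POINT="${MOUNT_POINT:-/media/crypt-files}"       # plaintext view while mounted
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"             # mount table; overridable for offline checks

# crypt_is_open: succeeds when an encfs filesystem is mounted on the directory given as $1.
# The mount table is checked rather than the directory contents, because an unmounted
# mount point is just a directory and files written there would not be encrypted.
crypt_is_open() {
    mp="$1"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk -v mp="$mp" '$2 == mp && $3 ~ /fuse\.encfs|^encfs$/ { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

crypt_open() {
    if crypt_is_open "$MOUNT_POINT"; then
        echo "already mounted on $MOUNT_POINT"
        return 0
    fi
    mkdir -p "$MOUNT_POINT"
    # --idle=15: encfs unmounts itself after 15 minutes without activity
    encfs --idle=15 "$SECRET_DIR" "$MOUNT_POINT"
}

crypt_close() {
    if ! crypt_is_open "$MOUNT_POINT"; then
        echo "not mounted: $MOUNT_POINT"
        return 0
    fi
    fusermount -u "$MOUNT_POINT"
    # fusermount fails silently for some callers if a process still holds files open; verify
    if crypt_is_open "$MOUNT_POINT"; then
        echo "unmount failed, $MOUNT_POINT is still mounted (files still open?)" >&2
        return 1
    fi
    echo "closed $MOUNT_POINT"
}

case "${1:-}" in
    open)   crypt_open ;;
    close)  crypt_close ;;
    status) if crypt_is_open "$MOUNT_POINT"; then echo open; else echo closed; fi ;;
    *)      echo "usage: $0 open|close|status" >&2 ;;
esac
```

Save it as, for example, crypt.sh and run "crypt.sh status" before copying anything into the mount point; a script or cron job that writes to /media/crypt-files can call crypt_is_open the same way and refuse to write when it reports closed.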