We have written some scripts to set up the EdgeOS device with the correct firewall rules, to get your block lists and use the results to update the ipset sets that are created and to upload your firewall logs to us. You can download the scripts here, but you will probably find it easier to cut and paste the links in the instructions below.
If this is a new device, please allow up to 30 minutes for our systems to be updated.
We also have a PDF file showing how to setup a basic Vyatta/EdgeOS device and then apply ThreatSTOP to it.
You should have a management station with a web browser that can read this page and an ssh client that can access the EdgeOS device.
You should have set up your EdgeOS device with the external ethernet port and ip address as well as a management ip address that can be accessed from your management station.
The EdgeOS device should have ssh enabled on it, which can be done by entering these commands from the console:
configure set service ssh commit exit
You should confirm that the management’s ssh client can connect to the EdgeOS device and log in to it. Using that login session you should confirm that the EdgeOS device can also access/download files from the Internet. In particular you should check that your EdgeOS device can:
It is recommended that you save the configuration prior to applying the ThreatSTOP changes, which can be done by entering the following from the console:
configure save prethreatstop exit
You should also download the libnet-dns-perl module. This can be done by entering the following after logging in:
sudo apt-get install libnet-dns-perl
Copy and paste the following line into the EdgeOS ssh session:
curl ftp://ftp.threatstop.com/pub/ts-edgeos.tar.gz | tar xzv ; ts-vyatta/setup.pl --type r --blocklist <block list name>.<ThreatSTOP account ID>.threatstop.local --allowlist <allow list name>.<ThreatSTOP account ID>.threatstop.local
The device should download and unpack the ThreatSTOP scripts and then run the setup script which will display the following (if you have a sudo password enabled on your EdgeOS device then you will need to enter that when prompted).
=========================================================================== If you have not specified setup options on the command line then you will be given the chance to specify them now. First time users running this by pasting in the command from the ThreatSTOP website should probably not change anything except the firewall names and start rule number if you have already created some firewall rules. On subsequent runs, probably the only things to change will be the block and allow list ids. For each option, the default value is specified in , just press the ENTER key to accept it. Note for the paranoid. The proposed changes to the Vyatta config, the changes to /etc/rc.local, /etc/logrotate.d/messages and the new crontab are created in the installation directory. If you choose not to allow this script to apply the changes automatically then you can review them and then apply them manually. ===========================================================================
You will then be asked a number of questions and normally you should accept the default values. The critical questions are the third one asking about the external interface id and the subsequent ones concerning firewall rule names and numbers. If the external interface id is not eth0 then you must correct this. Likewise if you have existing firewall rules defined for the “in”, “out” and “local” directions of the external interface you must enter their names and an appropriate rule number since otherwise those rules will no longer be applied to traffic on that interface. If you do have existing rules it is generally recommended that the ThreatSTOP rules are performed first and thus that they have the lowest numbers. The setup script creates the four ThreatSTOP rules with consecutive numbers. Thus, if your existing rules start at 10, you should specify that the script insert the rules starting from 1 to 5.
ThreatSTOP installation directory [/home/vyatta/ts-vyatta/] ThreatSTOP ipset prefix [TS] Install type routed - external interface id [eth0] Firewall name for interface eth0 direction in: [TSrtinrule] Insert ThreatSTOP rules beginning at number?  Add default accept? (strongly recommended if you do not have other rules for this firewall name, not otherwise)[y] Firewall name for interface eth0 direction local: [TSrtlocalrule] Insert ThreatSTOP rules beginning at number?  Add default accept? (strongly recommended if you do not have other rules for this firewall name, not otherwise)[y] Firewall name for interface eth0 direction out: [TSrtoutrule] Insert ThreatSTOP rules beginning at number?  Add default accept? (strongly recommended if you do not have other rules for this firewall name, not otherwise)[y] ThreatSTOP block list:<block list name>.<ThreatSTOP account ID>.threatstop.local ThreatSTOP allow list:<allow list name>.<ThreatSTOP account ID>.threatstop.local dig command location [/home/vyatta/ts-vyatta/dig] Logfile to upload [/var/log/messages] URL for submitting logs [https://threatstop.com/cgi-bin/logupload.pl]
Once these questions have been answered the script will create the install directory and copy files if required, test whether the firewall can download the block list from ThreatSTOP’s DNS server and create the EdgeOS firewall rules (but not apply them) and the modifications of the various files that are needed.
Initial set up complete, testing /home/vyatta/ts-vyatta/dig +tcp -t ptr @188.8.131.52<block list name>.<ThreatSTOP account ID>.threatstop.local Test successful Creating bridging rules to configure.route.sh Creating local copy of logrotate.d/messages file Creating crontab file Creating local copy of rc.local file
Now you are asked whether you wish to accept the changes. If you have a complex/non-standard configuration you may wish to say N at this point and examine the files that have been created.
Apply changes: /home/vyatta/ts-vyatta/configure.route.sh, /etc/logroate.d/messages, /etc/rc.local, crontab (Y/N)[Y] Merging /home/vyatta/ts-vyatta/configure.route.sh Removing and clearing crontab for root no crontab for root no crontab for root # Update the ThreatSTOP lists. Every 2 hours, 0 minutes after the hour # (00:15, 02:15, 04:15, etc.) 0 */2 * * * /home/vyatta/ts-vyatta/ipsetget.pl # Force a logrotate if the log is > 100k. Check every 5 minutes after the hour 5 * * * * perl -e'exec q(logroate -f /etc/logrotate.d/messages) if (stat q(/var/log/messages))>100000;' Copying modified /etc/logrotate.d/messages `/home/vyatta/ts-vyatta/logrotated.messages' -> `/etc/logrotate.d/messages' Copying modified /etc/rc.local `/home/vyatta/ts-vyatta/rc.local' -> `/etc/rc.local'
Finally you have the choice to run the script to get the block list data for the first time:
Run script for first time? (Y/N) [Y]
After some seconds (depending on the blocklist size and the connectivity to our DNS servers this may take up to a minute) you should see a report of a successful first run and the script completes. Assuming this last step reports success, you have installed ThreatSTOP on your EdgeOS routing device.
You should verify that none of the changes have broken basic connectivity and, if there are no problems, you should save the configuration so that it is used whenever the device reboots. This can be done by entering from the console:
configure save threatstoprouter save exit
To view the contents of the block and allow lists, you will need to run the “ipset” command:
sudo ipset -L
When updating EdgeOS by using the image upgrade procedure, the scripts will be moved to a different location on the filesystem. This results in the block list not being updated and logs not uploading. In order to get ThreatSTOP working again, you will need to re-run the setup procedure, but this time it is run in a update mode. The configuration will not be modified, but the cronjobs that update the block list and uploads the log are recreated.
To perform the update copy and paste the following line into the EdgeOS ssh session:
wget -O - ftp://ftp.threatstop.com/pub/ts-vyatta.tar.gz | tar xzv ; ts-vyatta/setup.pl --type u --blocklist<block list name>.<ThreatSTOP account ID>.threatstop.local --allowlist<allow list name>.<ThreatSTOP account ID>.threatstop.local
Restore to previous state
If you have run setup and applied the changes and wish to return to the pre-threatstop configuration then you should perform the following command (assuming that you installed to /home/vyatta/ts-vyatta). From a console enter:
Optionally you may also wish to remove the ts-vyatta directory (rm -r ts-vyatta/). This has now restored all the files changed. To restore the configuration you should do the following:
configure load presthreatstop save exit
It is possible that you may need to “load prethreatstop” more than once to handle “commit” errors. Once you have managed to load the old configuration without error you should probably reboot the EdgeOS device to be sure that it runs with no traces of ThreatSTOP changes in the system.