This document describes how to integrate ThreatSTOP IP Defense with VyOS and Vyatta devices.

Overview

We provide a setup script for Vyatta/VyOS devices. It creates the firewall rules and ipsets, installs cron jobs that fetch your block and allow lists (as DNS lookups) and refresh the ipsets from them, and uploads your firewall logs to us.

The software is available from ftp://ftp.threatstop.com/pub/ts-vyatta.tar.gz (the download command is given in the ThreatSTOP Setup section below).

Prerequisites

  • A management station with a web browser that can read this page and an SSH client that can reach the Vyatta device.
  • A Vyatta device with an external Ethernet port and IP address, and a management IP address that is reachable from the management station.
  • SSH enabled on the Vyatta device. It can be enabled from the console with:
configure
set service ssh
commit
exit
  • Outbound DNS from the Vyatta device to ThreatSTOP on port 53: the block and allow lists are retrieved as DNS lookups (the setup script uses dig for this). If port 53 is blocked or otherwise unavailable, port 5353 can be used instead; the port is chosen at the "DNS PORT" prompt during setup.
  • Confirm that the SSH client can connect to the Vyatta device and log in, and from that session confirm that the Vyatta device itself can reach and download files from the Internet. In particular, check that it can connect to ThreatSTOP's FTP service (ftp.threatstop.com), from which the scripts are downloaded.

Setup

For a physical install you need a Vyatta appliance or a PC with two or three network interface cards (NICs) and a Vyatta OS CD. For testing, either a subscription edition or Vyatta Core is acceptable; for longer-term support a subscription version is required. Vyatta recommends 1 GB of memory, which is plenty; 512 MB or less will work unless you plan to run many features on the device. Bear in mind that the ThreatSTOP block and allow lists are held in kernel ipsets (up to MAXPOLICYSIZE entries, 30000 by default), so do not starve the device of memory. A 4 GB hard disk is more than enough for testing and evaluation, as Vyatta only needs about 1-2 GB.

For a virtual install either a VM image or a blank VM and the ISO of the Vyatta CD is required. The same memory and disk requirements given for the physical install apply. If you are not using a Vyatta image then you must enable PAE support on the CPU otherwise Vyatta will not boot.

The device may be set up using either two or three NICs.

This document briefly explains how to set up NAT so that devices on the 10.x.x.x networks can reach the Internet through the Vyatta, and how to firewall the external interface so that the Vyatta's SSH console cannot be reached from outside. This is a very basic setup; most live deployments are more complex, with VPNs, access from outside to internal web or mail servers, and so on.

In addition to the machine (or VM) that will run Vyatta, a management station is required. It needs an SSH client (Linux and Mac OS machines have one by default; on Windows install a client such as PuTTY (http://www.putty.org/) or MindTerm (http://www.appgate.com/index/products/mindterm/)), Internet access and a web browser.

Installation of Vyatta OS onto Hard Disk

  • Insert the CD into the drive (add the ISO if virtual) and boot/reboot the device. You should see a Vyatta logo and the option to press F1 for help or Enter to boot.
  • Press ENTER.
  • After a short while you will see a login prompt. Log in as user vyatta, password vyatta (both lowercase); on VyOS images the default account is vyos with password vyos.
  • Once you are logged in enter the following command and follow the instructions.
vyatta@vyatta:~$ install-system
  • Near the end of the process you will be asked to set a password for the vyatta account; choose one that is not the default. Once the install has finished, eject the CD and reset the machine. It will now boot Vyatta from the hard disk. At the login prompt, log in as vyatta with the password you set during the install.

VM Image users

  • Boot the VM and then when you get to a login prompt login as user vyatta password vyatta.

Hardware Appliance users

  • Follow the basic instructions that came with your appliance to unpack, connect, and attach a management station to your Appliance. When you get to a login prompt login as user vyatta password vyatta (both completely in lowercase).

Setup is divided into two parts: the first is done from the console of the Vyatta device, the second over SSH. Everything can be done from the console, but working over SSH lets you paste lines directly from this document, which is quicker and less error-prone.

Console Setup Commands

Having logged in to the console you will need to set up the Ethernet interfaces, enable SSH and set the default nameserver and gateway. As noted above, you may optionally set up other services and options either from the console or via SSH. Likewise you can set the gateway and nameserver via SSH if the management station is on the same IP subnet as the Vyatta.

To configure anything on the Vyatta device it is necessary to enter configuration mode by typing configure at the console:

vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta#
  • First enable ssh:
vyatta@vyatta# set service ssh
[edit]
vyatta@vyatta#
  • If you have three NICs, set the IP address of the management interface, eth2 (eth0 is the external interface and eth1 the internal one):
vyatta@vyatta# set interfaces ethernet eth2 address 10.10.10.12/24
[edit]
vyatta@vyatta#
  • Set the IP address of the internal interface, eth1 (with two NICs this is also the interface the management station connects to):
vyatta@vyatta# set interfaces ethernet eth1 address 10.1.1.1/24
[edit]
vyatta@vyatta#
  • Now set the external IP address, default gateway and name server. The external address goes on eth0, with the same set interfaces ethernet command as above, using the address your ISP or upstream network assigned. The default gateway is the next hop on the external side (your ISP's router); the name server may be internal or external so long as it can resolve external names such as www.threatstop.com. If you do not run your own name servers you can use your ISP's, or the primary ThreatSTOP name server. The gateway address below is an example from the documentation range 192.0.2.0/24:
vyatta@vyatta# set system gateway-address 192.0.2.1
[edit]
vyatta@vyatta# set system name-server 10.10.10.5
[edit]
  • Finally commit your changes, save and exit.
vyatta@vyatta# commit
Restarting OpenBSD Secure Shell server: sshd.
[edit]
vyatta@vyatta# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'...
Done
[edit]
vyatta@vyatta# exit
exit
vyatta@vyatta:~$

At this point the Vyatta device is correctly set up for basic SSH access.

SSH from management console

Using your SSH client, connect to the Vyatta as user vyatta on the management address you configured (10.10.10.12 in the three-NIC example above; 10.1.1.1 with two NICs):

ssh vyatta@10.10.10.12
vyatta@10.10.10.12's password: ******
Linux vyatta 2.6.32-1-586-vyatta-virt #1 SMP Mon Aug 2 23:28:02 PDT 2010 i686
Welcome to Vyatta.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc/*/copyright.
vyatta@vyatta:~$
  • Now add NAT so that computers inside can reach external resources, then save. Enter configuration mode first:
vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta# set service nat rule 10 type masquerade
[edit]
vyatta@vyatta# set service nat rule 10 outbound-interface eth0
[edit]
vyatta@vyatta# set service nat rule 10 source address 10.10.10.0/24
[edit]
vyatta@vyatta# set service nat rule 11 type masquerade
[edit]
vyatta@vyatta# set service nat rule 11 source address 10.1.1.0/24
[edit]
vyatta@vyatta# set service nat rule 11 outbound-interface eth0
[edit]
vyatta@vyatta# commit
[edit]
vyatta@vyatta# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'...
Done
[edit]
vyatta@vyatta# exit
exit
vyatta@vyatta:~$
  • If you wish, you may configure the Vyatta further to add other features. If you intend to add custom firewall rules, it is strongly recommended that you do so after enabling ThreatSTOP on the device, because the setup script inserts its own rules (and, by default, a default accept) into the firewall names it creates.

  • Verify that you can access the internet by typing:

vyatta@vyatta:~$ ping ftp.threatstop.com
PING www.threatstop.com (64.87.26.148) 56(84) bytes of data.
64 bytes from www.threatstop.com (64.87.26.148): icmp_seq=1 ttl=43 time=234 ms
64 bytes from www.threatstop.com (64.87.26.148): icmp_seq=2 ttl=43 time=232 ms
64 bytes from www.threatstop.com (64.87.26.148): icmp_seq=3 ttl=43 time=233 ms
64 bytes from www.threatstop.com (64.87.26.148): icmp_seq=4 ttl=47 time=233 ms
^C
--- www.threatstop.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3008ms
rtt min/avg/max/mdev = 232.764/233.798/234.675/0.680 ms
  • Finally, verify that the Vyatta device's public address is in our database of authorized hosts (run this from operational mode, not configuration mode):
vyatta@vyatta:~$ wget -qO - http://www.threatstop.com/cgi-bin/validip.pl
Your IP address: 1.2.3.4
Address is in the list of authorized hosts

If the address is NOT in the database then the response will be

vyatta@vyatta:~$ wget -qO - http://www.threatstop.com/cgi-bin/validip.pl
Your IP address: 1.2.3.4
Address is not in the list of authorized hosts
Host list updated every 15 minutes and last updated at
Wed Oct 27 11:15:01 2010 GMT. It is now Wed Oct 27 11:22:16 2010
  • If the address reported is the one you entered for the device when you added it at https://threatstop.com, wait about 15 minutes (the host list is refreshed on that interval) and try again. If the address is still not authorized, contact ThreatSTOP technical support to find out why.

  • If the address reported is not the address you entered for the device at the ThreatSTOP website then you should correct that entry and wait about half an hour before retrying.

  • Once the address is confirmed as being in the ThreatSTOP database, you are ready to set the device up with ThreatSTOP. If you did not do the initial device addition on the ThreatSTOP website from this computer (or you closed the browser) then you should log in to your ThreatSTOP account at https://threatstop.com, select Manage Devices and then click on Rules for the device you added.

  • Before going further, save a copy of the current working configuration under a name you can load again if needed:

vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta# save prethreatstop
Saving configuration to '/opt/vyatta/etc/config/prethreatstop'...
Done
[edit]
vyatta@vyatta# exit
exit
vyatta@vyatta:~$
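As an added example (not part of the ThreatSTOP scripts or of this page's original procedure), the following POSIX shell functions wrap the validip.pl check above so it can be run from the Vyatta shell: ts_validip_status parses a reply, and ts_validip_wait fetches the page with wget and retries on the 15-minute refresh interval, stopping early if the address the service sees differs from the one you registered on the portal. The function names and retry defaults are this example's own choices; the URL and the reply strings are the ones shown above.

```shell
#!/bin/sh
# Added example: wrapper around the validip.pl check above. Not part of the
# ThreatSTOP scripts; function names and retry defaults are this example's own.

TS_VALIDIP_URL="http://www.threatstop.com/cgi-bin/validip.pl"   # URL from the page

# Read a validip.pl reply on stdin and print the address the service reported.
# Exit status: 0 = authorized, 1 = not (yet) authorized, 2 = unrecognised reply.
ts_validip_status() {
    reply=$(cat)
    printf '%s\n' "$reply" | sed -n 's/^Your IP address: *//p' | head -n 1
    case $reply in
        *"Address is not in the list of authorized hosts"*) return 1 ;;
        *"Address is in the list of authorized hosts"*)     return 0 ;;
        *)                                                  return 2 ;;
    esac
}

# ts_validip_wait [expected-address] [attempts] [delay-seconds]
# Fetch validip.pl and retry until the device is authorized. The delay defaults
# to 900 s because the reply says the host list is refreshed every 15 minutes.
# If an expected address is given and the service sees a different one, stop
# at once: the portal entry has to be corrected before waiting makes sense.
ts_validip_wait() {
    expected=$1
    tries=${2:-3}
    delay=${3:-900}
    n=0
    while [ "$n" -lt "$tries" ]; do
        n=$((n + 1))
        reply=$(wget -qO - "$TS_VALIDIP_URL") || { echo "could not fetch $TS_VALIDIP_URL" >&2; return 3; }
        rc=0
        seen=$(printf '%s\n' "$reply" | ts_validip_status) || rc=$?
        case $rc in
            0) echo "authorized: $seen"; return 0 ;;
            1) if [ -n "$expected" ] && [ "$seen" != "$expected" ]; then
                   echo "service sees $seen but the portal entry is $expected; fix the entry and retry" >&2
                   return 1
               fi
               echo "not yet authorized ($seen), attempt $n of $tries" >&2 ;;
            *) echo "unexpected reply from validip.pl:" >&2; printf '%s\n' "$reply" >&2; return 2 ;;
        esac
        [ "$n" -lt "$tries" ] && sleep "$delay"
    done
    return 1
}
```

Source the file on the device and run ts_validip_wait 203.0.113.5 (with the address you entered on the portal) or just ts_validip_wait to poll without the comparison.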

ThreatSTOP Setup

  • Copy and paste the following line into the Vyatta SSH session, replacing the placeholders with the block and allow list names shown for this device on the ThreatSTOP website (--type r selects router mode):
wget -O - ftp://ftp.threatstop.com/pub/ts-vyatta.tar.gz | tar xzv ; sudo ts-vyatta/setup.pl --type r --blocklist=<block list name>.<ThreatSTOP account ID>.threatstop.local --allowlist=<allow list name>.<ThreatSTOP account ID>.threatstop.local
  • Note that this line downloads the scripts over unauthenticated FTP and runs setup.pl as root in one step. If your change control requires it, download the archive to a file first, inspect its contents, and run setup.pl afterwards; the script also lets you decline to apply its changes and review the generated files instead (see below). The device should download and unpack the ThreatSTOP scripts and then run the setup script, which displays the following (if a sudo password is enabled on your Vyatta device you will be prompted for it). Every prompt has a default that is the safest choice for most users; press ENTER to accept it. In some circumstances the defaults need to be changed to match your configuration; contact ThreatSTOP Support if you have any difficulty setting up your installation.
[INFO ] : Starting ThreatSTOP setup operation v2.20 at 15/07/2015 22:10:55
[INFO ] : Locking current execution instance.
Changing group to vyattacfg
[INFO ] : Starting ThreatSTOP setup operation v2.20 at 15/07/2015 22:10:56
[INFO ] : Locking current execution instance.
[INFO ] : Setting up install directory [/home/vyatta/ts-vyatta]
[INFO ] : Initializing data from configuration file.
===========================================================================
If you have not specified setup options on the command line then you will be
given the chance to specify them now. First time users running this by pasting
in the command from the ThreatSTOP website should probably not change anything
except the firewall names and start rule number if you have already created
some firewall rules.
On subsequent runs, probably the only things to change will be the block and
allow list ids. For each option, the default value is specified in [], just
press the ENTER key to accept it.
Note for the paranoid. The proposed changes to the Vyatta config, the changes
to /etc/rc.local, /etc/logrotate.d/messages and the new crontab are created in
the installation directory. If you choose not to allow this script to apply the
changes automatically then you can review them and then apply them manually.
===========================================================================
[INFO ] : Entering user interactive setup stage.
Please enter the Threatstop installation directory: [/home/vyatta/ts-vyatta]
Please enter the Threatstop ipset prefix: [TS]
Available interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.0.2.0/24                      u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
External interface id: [eth0]
Firewall name for interface eth0 direction in: [TSrtinrule]
Insert ThreatSTOP rules beginning at number?: [10]
Add default accept?: (strongly recommended if you do not have other rules for
this firewall name, not otherwise) [Y]
Firewall name for interface eth0 direction local: [TSrtlocalrule]
Insert ThreatSTOP rules beginning at number?: [10]
Add default accept?: (strongly recommended if you do not have other rules for
this firewall name, not otherwise) [Y]
Firewall name for interface eth0 direction out: [TSrtoutrule]
Insert ThreatSTOP rules beginning at number?: [10]
Add default accept?: (strongly recommended if you do not have other rules for
this firewall name, not otherwise) [Y]
Please enter the location of the dig command: [/home/vyatta/ts-vyatta/dig64]
Please enter the URL parameter for submitting logs: [https://threatstop.com/cgi-bin/logupload.pl]
Please enter the DNS PORT setting: [53]
Please provide a MAX POLICY SIZE value which is less than or equal to 65535: [30000]
Chosen configuration parameters
--------------------------------------------------------
Installation directory : /home/vyatta/ts-vyatta
Installation suffix    : TS
Installation type      : Router
External interface type: ethernet
Threatstop Block list  :<block list name>.<ThreatSTOP account ID>.threatstop.local
Threatstop Allow list  :<allow list name>.<ThreatSTOP account ID>.threatstop.local
Dig command location   : /home/vyatta/ts-vyatta/dig64
Logfile location       : /var/log/user/threatstop.log.1
Upload logs URL        : https://threatstop.com/cgi-bin/logupload.pl
DNS port               : 53
MAXPOLICYSIZE          : 30000
--------------------------------------------------------
Use these settings (Y/N)?: [Y]
[INFO ] : Creating config file [/home/vyatta/ts-vyatta/threatstop.conf]
[INFO ] : Checking DNS servers access ...
[INFO ] : Verifying dns server [192.124.129.42] access.
[INFO ] : 192.124.129.42 resolves OK.
[INFO ] : Done checking DNS servers.
[INFO ] : Creating log upload mechanism.

You will then be asked whether to accept the changes and deploy them. If you have a complex or non-standard configuration you may wish to answer N at this point and examine the files the script has created in the installation directory (the proposed Vyatta config changes, the rc.local and logrotate changes, and the new crontab) before applying them manually.

---------------------------------------------
ATENTION : Ready to deploy configurations !!!
---------------------------------------------
Deploy (Y/N)?: [Y]

[INFO ] : Deploying ...

Saving configuration to '/config/config.boot'...
Done
[NOTE ] : Merging /home/vyatta/ts-vyatta/configure.route.sh
[INFO ] : Getting allow/block lists.

--------------------------------------
NOTE : Ready to run allow/block script
for the first time
--------------------------------------
Get allow/block lists now (Y/N) [Y] :
--------------------------------------

[INFO ] : Starting ThreatSTOP setup operation v2.20 at 15/07/2015 22:11:16
[INFO ] : Locking current execution instance.
[INFO ] : Initializing data from configuration file.
[INFO ] : Updating DNS lists.
[INFO ] : Testing [192.124.129.42] servers.
[INFO ] : Comparing DNS lists.
[INFO ] : Updating configuration file with new DNS servers list.
[INFO ] : Initializing data from configuration file.

[INFO ] : Starting ipsetapply operation.
[INFO ] : Verifying running UID ...
[INFO ] : Loading configuration data.
[INFO ] : Verifying Block lists existence.
[INFO ] : Verifying ruleset existence.
[INFO ] : Performing ipset commands.
[INFO ] : Operation completed ...

[INFO ] : Finished ThreatSTOP ipsetget operation v2.20 at 15/07/2015 22:11:16
[INFO ] : Unlocking current execution instance.
--------------------------------------
[INFO ] : Finished getting allow/block lists.
[INFO ] : Unlocking current execution instance.
[INFO ] : Finished ThreatSTOP setup operation at 15/07/2015 22:11:16 after 00:00:20
  • After the install you will find a file named threatstop_preinstall_vytatta_config_backup in the installation directory (/home/vyatta/ts-vyatta by default). This is your configuration from before ThreatSTOP was installed; the Uninstall section explains how to load it again.

  • Verify that none of the changes have broken basic connectivity and, if there are no problems, save the configuration both under a name and as the boot configuration so that it is used whenever the device reboots. Enter the following in the console:

configure
save threatstoprouter
save
exit
  • To view the contents of the block and allow lists, run the ipset command (root is required):
sudo ipset -L
  • You have now set up ThreatSTOP on a Vyatta in router mode. Next, add a firewall rule on the external interface that blocks SSH access to the Vyatta itself. The rule goes into the local firewall name that setup attached to eth0 (TSrtlocalrule by default), so it only affects traffic addressed to the router from outside; your management session over eth1 or eth2 is not affected, but keep that session open and test from outside before relying on the rule. Firewall rules are evaluated in numeric order, so confirm with show configuration commands (or show firewall name TSrtlocalrule in configuration mode) that rule 20 sorts before any catch-all accept rule that setup added; if it does not, give the drop rule a lower number.
vyatta@vyatta# set firewall name TSrtlocalrule rule 20 destination port 22
[edit]
vyatta@vyatta# set firewall name TSrtlocalrule rule 20 action drop
[edit]
vyatta@vyatta# set firewall name TSrtlocalrule rule 20 protocol tcp
[edit]
vyatta@vyatta# set firewall name TSrtlocalrule rule 20 log enable
[edit]
vyatta@vyatta# commit
[edit]
vyatta@vyatta# exit
exit
vyatta@vyatta:~$
  • Once you have added the SSH rule and any other firewall rules you want and verified that the configuration works, you should probably save the configuration again as a named config and as the default.
vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta# save threatstop
Saving configuration to '/opt/vyatta/etc/config/threatstop'... Done
[edit]
vyatta@vyatta# save
Saving configuration to '/opt/vyatta/etc/config/config.boot'... Done
[edit]
vyatta@vyatta# exit
exit
vyatta@vyatta:~$
  • Finally, because of a Vyatta bug that makes the device stop accepting configuration changes after a certain number of them, you should reboot after completing the installation.
vyatta@vyatta:~$ reboot
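As an added example (not part of the ThreatSTOP scripts), the following POSIX shell functions automate two of the checks from the steps above from the Vyatta shell. ts_ipset_summary and ts_ipset_contains read the output of sudo ipset -L and report how many entries each set holds and whether a given IPv4 address falls inside a set (as an exact member or inside a CIDR member). ts_fw_ssh_rule_ok reads the set firewall name ... lines of show configuration commands and confirms that the port-22 drop rule is numbered below any catch-all accept rule in the same firewall name, since rules are evaluated in numeric order. The ipset listing layout assumed is that of ipset 6.x; the sample listing and sample rules embedded below are constructed for illustration, the set names TSblock and TSallow are hypothetical (the real names depend on the prefix you chose at setup), and the op-mode wrapper path used in ts_post_install_check is an assumption about the device.

```shell
#!/bin/sh
# Added example: post-install checks for the ThreatSTOP router-mode setup.
# Not part of the ThreatSTOP scripts; all names here are this example's own.

# --- 1. Contents of the ipsets (input: `sudo ipset -L`) --------------------
# Assumed layout (ipset 6.x): "Name: <set>", header lines, "Members:", one
# entry per line, sets separated by a blank line.

# Print "<set> <entry count>" for each set in the listing on stdin.
ts_ipset_summary() {
    awk '
        /^Name:/    { name = $2; count[name] = 0; order[++n] = name; next }
        /^Members:/ { inmem = 1; next }
        /^$/        { inmem = 0; next }
        inmem && NF { count[name]++ }
        END { for (i = 1; i <= n; i++) printf "%s %d\n", order[i], count[order[i]] }
    '
}

# ts_ipset_contains <ipv4> <set>   (listing on stdin)
# Exit 0 if the address is an exact member of <set> or lies inside one of its
# CIDR members. awk has no bit operators, so the prefix comparison divides
# both addresses by the block size 2^(32-prefix) and compares the quotients.
ts_ipset_contains() {
    awk -v ip="$1" -v want="$2" '
        function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        BEGIN { target = ip2n(ip); found = 0 }
        /^Name:/    { name = $2; next }
        /^Members:/ { inmem = 1; next }
        /^$/        { inmem = 0; next }
        inmem && NF && name == want {
            split($1, p, "/")
            bits  = (p[2] == "") ? 32 : p[2] + 0
            block = 2 ^ (32 - bits)
            if (int(ip2n(p[1]) / block) == int(target / block)) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# --- 2. Order of the ssh drop rule (input: `show configuration commands`) ---
# ts_fw_ssh_rule_ok <firewall name>   (set-command lines on stdin)
# Finds the lowest-numbered "action drop" rule carrying "destination port 22"
# and the lowest-numbered "action accept" rule with no source, destination,
# protocol or state qualifier (a catch-all accept such as the default accept
# setup.pl offers to add). Exit 0 only if the drop rule is numbered below it.
ts_fw_ssh_rule_ok() {
    awk -v fw="$1" -v q="'" '
        { gsub(q, "") }        # VyOS quotes values in this output; strip the quotes
        $1 == "set" && $2 == "firewall" && $3 == "name" && $4 == fw && $5 == "rule" {
            r = $6 + 0
            rest = ""
            for (i = 7; i <= NF; i++) rest = rest " " $i
            seen[r] = 1
            if (rest == " action accept") act[r] = "accept"
            else if (rest == " action drop") act[r] = "drop"
            else if (rest ~ /^ (source|destination|protocol|state) /) {
                qual[r] = 1
                if (rest == " destination port 22") port22[r] = 1
            }
        }
        END {
            drop = 0; acc = 0
            for (r in seen) {
                if (act[r] == "drop" && port22[r] && (drop == 0 || r + 0 < drop)) drop = r + 0
                if (act[r] == "accept" && !qual[r] && (acc == 0 || r + 0 < acc)) acc = r + 0
            }
            if (drop == 0) { print "no tcp/22 drop rule in " fw; exit 1 }
            if (acc != 0 && acc < drop) { print "catch-all accept rule " acc " is evaluated before ssh drop rule " drop; exit 1 }
            print "ssh drop rule " drop " is evaluated before any catch-all accept"
            exit 0
        }
    '
}

# Run both checks against the live device (assumes the Vyatta op-mode wrapper).
ts_post_install_check() {
    sudo ipset -L | ts_ipset_summary
    /opt/vyatta/bin/vyatta-op-cmd-wrapper show configuration commands | ts_fw_ssh_rule_ok "${1:-TSrtlocalrule}"
}

# Constructed sample data (not captured from a real device).
TS_SAMPLE_IPSET='Name: TSblock
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1568
References: 3
Number of entries: 2
Members:
192.0.2.0/24
198.51.100.7

Name: TSallow
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1200
References: 3
Number of entries: 1
Members:
203.0.113.0/24'

# Drop rule numbered after a catch-all accept: the ssh block never fires.
TS_SAMPLE_FW_BAD='set firewall name TSrtlocalrule rule 10 action accept
set firewall name TSrtlocalrule rule 10 source address 10.10.10.0/24
set firewall name TSrtlocalrule rule 15 action accept
set firewall name TSrtlocalrule rule 20 action drop
set firewall name TSrtlocalrule rule 20 destination port 22
set firewall name TSrtlocalrule rule 20 protocol tcp
set firewall name TSrtlocalrule rule 20 log enable'

# The same rules with the drop renumbered to 5, ahead of the catch-all accept.
TS_SAMPLE_FW_GOOD=$(printf '%s\n' "$TS_SAMPLE_FW_BAD" | sed 's/ rule 20 / rule 5 /')
```

The sample listing is what ts_ipset_summary and ts_ipset_contains expect; on the device, feed them sudo ipset -L instead, as ts_post_install_check does.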

Updating the ThreatSTOP scripts

New versions of the ThreatSTOP scripts may contain significant changes, so they are not upgraded in place. Instead:

  • Uninstall the older version of ThreatSTOP by running the following commands from the vyatta home directory:
ts-vyatta/revert.sh
rm -rf ts-vyatta

This removes the previous configuration.

  • Once that is complete, paste the following line into the Vyatta SSH session (the same command as for the initial install):
wget -O - ftp://ftp.threatstop.com/pub/ts-vyatta.tar.gz | tar xzv ; sudo ts-vyatta/setup.pl --type r --blocklist=<block list name>.<ThreatSTOP account ID>.threatstop.local --allowlist=<allow list name>.<ThreatSTOP account ID>.threatstop.local

Updating Vyatta OS

When Vyatta is updated with the image upgrade procedure, the scripts end up at a different location in the file system, so the block list stops being updated and logs stop uploading. To get ThreatSTOP working again, re-run the setup procedure in update mode (--type u). The configuration is not modified, but the cron jobs that update the block list and upload the log are recreated. To perform the update, copy and paste the following line into the Vyatta SSH session:

wget -O - ftp://ftp.threatstop.com/pub/ts-vyatta.tar.gz | tar xzv ; sudo ts-vyatta/setup.pl --type u --blocklist=<block list name>.<ThreatSTOP account ID>.threatstop.local --allowlist=<allow list name>.<ThreatSTOP account ID>.threatstop.local
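The three one-liners on this page (initial install, reinstall after an update, and the --type u re-run after an OS image upgrade) all fetch ts-vyatta.tar.gz over plain FTP and pipe it through tar straight into a sudo invocation of setup.pl. As an added example, not part of the ThreatSTOP scripts, the POSIX shell functions below perform the same steps but download to a file, record its digest, refuse archives whose members would land outside ts-vyatta/, and check the list names before anything runs as root. The function names, the list-name pattern and the use of sha256sum are this example's own assumptions; the URL and the setup.pl arguments are those shown on this page.

```shell
#!/bin/sh
# Added example: look-before-you-run replacement for the wget | tar ; sudo line.
# Not part of the ThreatSTOP scripts. Run from the vyatta home directory.

TS_BUNDLE_URL="ftp://ftp.threatstop.com/pub/ts-vyatta.tar.gz"   # URL from the page

# List names on this page have the form <name>.<account ID>.threatstop.local.
# Anything else (spaces, shell metacharacters, a missing account ID, extra
# labels) is rejected before it reaches the sudo command line. The exact
# pattern is this example's assumption about what the portal hands out.
ts_valid_listname() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.threatstop\.local$'
}

# Read `tar tzf` output on stdin. Fail on any member that is absolute, contains
# a ".." component, or is not under ts-vyatta/ (the directory setup.pl expects).
ts_check_members() {
    bad=0
    while IFS= read -r m; do
        case $m in
            /*|..|../*|*/..|*/../*) echo "unsafe archive member: $m" >&2; bad=1 ;;
            ts-vyatta|ts-vyatta/*)  ;;
            *)                      echo "member outside ts-vyatta/: $m" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# ts_install <r|u> <block list> <allow list>
#   r = router install (initial setup, and reinstall after removing an old version)
#   u = re-run after a Vyatta OS image upgrade (recreates the cron jobs only)
ts_install() {
    mode=$1
    block=$2
    allow=$3
    case $mode in r|u) ;; *) echo "mode must be r or u" >&2; return 1 ;; esac
    ts_valid_listname "$block" || { echo "bad block list name: $block" >&2; return 1; }
    ts_valid_listname "$allow" || { echo "bad allow list name: $allow" >&2; return 1; }
    tmp=$(mktemp) || return 1
    wget -q -O "$tmp" "$TS_BUNDLE_URL" || { rm -f "$tmp"; return 1; }
    # The page publishes no digest; record this one with your change record so
    # later downloads can be compared against what you actually ran.
    sha256sum "$tmp"
    tar tzf "$tmp" | ts_check_members || { rm -f "$tmp"; return 1; }
    tar xzf "$tmp" && rm -f "$tmp" || return 1
    sudo ts-vyatta/setup.pl --type "$mode" --blocklist="$block" --allowlist="$allow"
}
```

Usage on the device: source the file, then ts_install r basic.<ThreatSTOP account ID>.threatstop.local allow.<ThreatSTOP account ID>.threatstop.local with your real list names, or ts_install u ... after an OS image upgrade.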

Uninstall

If you have run setup and applied the changes and wish to return to the pre-ThreatSTOP configuration then you should perform the following command (assuming that you installed to /home/vyatta/ts-vyatta).

  • From a console enter:
ts-vyatta/revert.sh
  • This restores all the files that were changed. To restore the configuration, run:
configure
load /home/vyatta/ts-vyatta/threatstop_preinstall_vytatta_config_backup
save
exit

You may need to enter the load command more than once to clear commit errors. Once the old configuration loads without error, reboot the Vyatta device to be sure it runs with no traces of the ThreatSTOP changes.