Howtos and Tutorials

September 19, 2008 by gishore

About Us

August 14, 2008 by gishore

Tech guru live is the most comprehensive technical problem solution website on the internet. It is a one-stop resource for all technical queries and solutions.

It is driven by the latest information related to the Information Technology industry and related fields. It helps you find the latest reports, articles and journals on Open source, Apache, PHP, MySql etc., which are updated on a daily basis.

Tech guru live is managed by a group of experienced and talented IT professionals.

Please visit us at

www.techgurulive.com

For any queries, suggestions and feedback, please feel free to contact us at suggestions@techgurulive.com

How to Configure PIX Firewall.

August 12, 2008 by gishore


Below is a step-by-step process to configure the PIX Firewall from scratch. The scenario is a corporate network in which a PIX Firewall connects to the Internet through the outside interface, to the internal network through the inside interface, and to the DMZ through the dmz interface. This document walks you through a simple, near-complete configuration for a PIX Firewall serving a mid-sized corporate network.

The outside network is connected to the Internet through an Internet router. The inside network is connected through a switch to the internal clients (inside hosts). The DMZ network consists of two servers, including the Web server.

The first step in configuration is getting connected to the PIX Firewall. Connect the console cable to the console port of the PIX; the other end goes to the serial port of your computer. You can then use terminal emulation software to reach the prompt. For Windows users, HyperTerminal is a good option.

The next step is booting the Firewall.

When a non-configured PIX Firewall boots up, it prompts to preconfigure it through interactive prompts. If you press Enter to accept the default answer of yes, you are presented with a series of prompts that lead you through the basic configuration steps:

Pre-configure PIX Firewall now through interactive prompts [yes]?
Enable Password []: abc123
Clock (UTC)
Year [2002]:
Month [Aug]:
Day [2]: 12
Time [2:45:37]: 12:22:00
Inside IP address: 10.1.1.1
Inside network mask: 255.255.255.0
Host name: pixfirewall
Domain name: secmanager.com
IP address of host running PIX Device Manager: 101.1.111
Use this configuration and write to flash? Y

The above can also be achieved by entering the setup command in privileged mode.

The PIX Firewall has four modes of operation, as given below:

• Unprivileged mode: This mode provides a restricted, limited view of PIX Firewall settings. Example: pixfirewall>
• Privileged mode: This mode enables you to change the current firewall settings. Example: pixfirewall#
• Configuration mode: This mode enables you to change the system configuration of the firewall. Example: pixfirewall(config)#
• Monitor mode: This mode is used to update the image over the network, perform password recovery, or back up the configuration to a TFTP server.

If you don’t want to use the setup command for the configuration, you can use the console connection and configure the firewall as follows:

Privileged mode

The first step is to enter the privileged mode:

Pixfirewall> en
Password: (Enter or Cisco, for more information refer to the configuration manuals that came with the firewall)
Pixfirewall#

Changing password

The next step is to change the enable password on the firewall:

Pixfirewall# enable password abc123

The next step is to enter the configuration mode for changing the system configurations. To enter the config mode, enter the following command:

Pixfirewall# configure terminal (commonly abbreviated to conf t)
Pixfirewall(config)#

Give a Hostname to the firewall.

You might want to give a hostname to the firewall. You can use the hostname command to do this.

Pixfirewall(config)# hostname CorpFW1
CorpFW1(config)#

To save the information, use the write memory command or simply wr mem.

CorpFW1(config)# write memory

For the purposes of this document, we keep the firewall name “Pixfirewall”, so let us change the name back:

CorpFW1(config)# hostname Pixfirewall
Pixfirewall(config)# wr mem

Set up the console timeout:

Next, you might want to set up the console timeout for security reasons. The default timeout is 0, which means unlimited.

Pixfirewall(config)# console timeout 5

This sets a console timeout of 5 minutes (the value can be set from 0 to 60 minutes), which means that after an idle time of 5 minutes the session will be closed.

Set up a banner on your PIX firewall.

You can do this with the banner command:

Pixfirewall(config)# banner exec Unauthorized access will be prosecuted.

There are also two other commands available:

banner login
banner motd

To remove a banner, use the no banner or clear banner commands.

Naming an Interface:

The first two interfaces have the default names inside and outside. The inside interface has a security level of 100, while the outside interface has a default security level of 0.

Let us configure the ethernet2 interface as the dmz interface.

Pixfirewall(config)# nameif ethernet2 dmz sec60

In this example, we are assigning a security level of 60 to the DMZ network.

Configure the Interface:

Now let us turn the interfaces on and configure their speed and duplex:

Pixfirewall(config)# interface ethernet0 100full
Pixfirewall(config)# interface ethernet1 100full
Pixfirewall(config)# interface ethernet2 100full

Assign IP Address to the Interface:

Pixfirewall(config)# ip address outside 192.168.1.1 255.255.255.0
Pixfirewall(config)# ip address inside 10.1.1.1 255.255.255.0
Pixfirewall(config)# ip address dmz 172.16.16.1 255.255.255.0

You can use the “show ip” command to view the ip address information and “clear ip” command to remove all assigned IP addresses from all interfaces.

Route Commands:

Now let us setup the routing information on the pix firewall.

This is the default route; we are setting its next hop to the IP address of the Internet router, which is 192.168.1.100:

Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.100 1

Pixfirewall(config)# route inside 10.0.0.0 255.0.0.0 10.1.1.1 1

Pixfirewall(config)# route dmz 172.16.17.0 255.255.255.0 172.16.16.1 1

With these route commands you are telling the PIX to send traffic for the 10.0.0.0/8 network to the inside interface and traffic for the 172.16.17.0/24 network to the dmz interface. The default route points out the outside interface, so traffic for all other networks goes that way.
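
As an added check (my own example, not from this post), the following Python script parses the bootstrap commands above and flags what a reviewer would look for: a console timeout left at 0, inside/outside security levels other than 100/0, a route whose next hop is not on the subnet of the interface it names, and anything other than a single default route out the outside interface. The sample configuration is constructed from the commands in this post; the parser accepts both the security60 and the abbreviated sec60 form.

```python
import ipaddress

# Constructed sample: the bootstrap configuration assembled from the commands
# shown in this post (interface names, addresses and levels as the post gives them).
SAMPLE_CONFIG = """
hostname Pixfirewall
console timeout 5
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security60
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.16.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.100 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
route dmz 172.16.17.0 255.255.255.0 172.16.16.1 1
"""

def parse_config(text):
    """Collect security levels, interface addresses, routes and the console timeout."""
    cfg = {"levels": {}, "addrs": {}, "routes": [], "console_timeout": None}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameif" and len(parts) == 4:
            # accept "security60" as well as the abbreviated "sec60"
            cfg["levels"][parts[2]] = int("".join(c for c in parts[3] if c.isdigit()))
        elif parts[:2] == ["ip", "address"] and len(parts) == 5:
            cfg["addrs"][parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif parts[0] == "route" and len(parts) >= 5:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            cfg["routes"].append((parts[1], net, ipaddress.ip_address(parts[4])))
        elif parts[:2] == ["console", "timeout"] and len(parts) == 3:
            cfg["console_timeout"] = int(parts[2])
    return cfg

def lint_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    if not cfg["console_timeout"]:
        findings.append("console timeout is 0 (unlimited) or unset")
    if cfg["levels"].get("inside") != 100 or cfg["levels"].get("outside") != 0:
        findings.append("inside/outside security levels are not 100/0")
    for ifname, net, nexthop in cfg["routes"]:
        addr = cfg["addrs"].get(ifname)
        if addr is None:
            findings.append(f"route for {net} uses unknown interface {ifname}")
        elif nexthop not in addr.network:
            findings.append(f"next hop {nexthop} is not on the {ifname} subnet {addr.network}")
    defaults = [r for r in cfg["routes"] if r[1].prefixlen == 0]
    if len(defaults) != 1 or defaults[0][0] != "outside":
        findings.append("expected exactly one default route, pointing out the outside interface")
    return findings
```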

Basic PIX Troubleshooting

August 12, 2008 by gishore

The “show interfaces” Command

The show interfaces command will show you the basic status of the PIX’s interfaces. I’ve included some sample output below:

pixfw# show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0009.e89c.fdaa
  IP address 97.158.253.25, subnet mask 255.255.255.248
  MTU 1500 bytes, BW 10000 Kbit half duplex
        5776596 packets input, 569192486 bytes, 0 no buffer
        Received 5315835 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        435752 packets output, 74618166 bytes, 0 underruns
        0 output errors, 3988 collisions, 0 interface resets
        0 babbles, 0 late collisions, 6978 deferred
        2 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/77)
        output queue (curr/max blocks): hardware (0/53) software (0/1)
pixfw#

Your basic physical connectivity should be OK if the interfaces are seen as being in an “up” state with line protocol being “up”. If line protocol is down, you probably have your PIX incorrectly cabled to the Internet or your home network.

If the interfaces are seen as “administratively down”, then the PIX configuration will most likely have the interfaces configured as being “shutdown” like this:

interface ethernet0 10baset shutdown

This can be easily corrected. First use the “write terminal” command to confirm the shutdown state. Then you should enter “config” mode and reenter the “interface” command without the word “shutdown” at the end.

pixfw(config)# interface ethernet0 10baset

The “show interfaces” is also important as it shows you whether you have the correct IP addresses assigned to your interfaces and also the amount of traffic and errors associated with each.
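
As an added example (not part of the original post), here is a small Python parser for the show interface output above that applies the readings described here: administratively down means the interface was configured with shutdown, line protocol down points at cabling, and the duplex and error counters are worth a look. The sample output is constructed in the same format as the post's, with a second, shut-down interface added.

```python
import re

# Constructed sample in the format of the post's "show interface" output:
# one healthy interface and one that was configured with "shutdown".
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  IP address 97.158.253.25, subnet mask 255.255.255.248
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 3988 collisions, 0 interface resets
interface ethernet1 "inside" is administratively down, line protocol is down
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        7 input errors, 7 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
"""

HEADER = re.compile(r'^interface (\S+) "(\S+)" is (.+?), line protocol is (\S+)')

def parse_show_interface(text):
    """Split the output into one record per interface with the fields we act on."""
    ifaces, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"port": m.group(1), "name": m.group(2), "status": m.group(3),
                   "protocol": m.group(4), "ip": None, "duplex": None,
                   "input_errors": 0, "collisions": 0}
            ifaces.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("IP address"):
            cur["ip"] = s.split()[2].rstrip(",")
        elif "duplex" in s:
            cur["duplex"] = "half" if "half duplex" in s else "full"
        elif "input errors" in s:
            cur["input_errors"] = int(s.split()[0])
        elif "collisions" in s and "late" not in s:
            cur["collisions"] = int(s.split(",")[1].split()[0])
    return ifaces

def diagnose(text):
    """Map interface name -> problems, applying the post's reading of the status
    line plus the duplex and error counters the post says to keep an eye on."""
    report = {}
    for i in parse_show_interface(text):
        problems = []
        if i["status"] == "administratively down":
            problems.append("configured with 'shutdown': re-enter the interface command without it")
        elif i["protocol"] != "up":
            problems.append("line protocol down: check the cabling")
        if i["duplex"] == "half" and i["collisions"]:
            problems.append(f"half duplex with {i['collisions']} collisions: "
                            "confirm the far end is not forced to full duplex")
        if i["input_errors"]:
            problems.append(f"{i['input_errors']} input errors")
        report[i["name"]] = problems
    return report
```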

The “show xlate” Command

This command will show whether the PIX is doing NAT translations correctly. Double check your configuration if there are no translations immediately after trying to access the Internet. NAT failure could also be due to bad cabling which will prevent Internet bound traffic from reaching the PIX at all.

aquapix# sh xlate
3 in use, 463 most used
PAT Global 97.158.253.25(38448) Local 192.168.1.105(3367)
PAT Global 97.158.253.25(25838) Local 192.168.1.105(2971)
PAT Global 97.158.253.25(26306) Local 192.168.1.105(3610)
aquapix#

How To Make Your PIX A DHCP Server

August 12, 2008 by gishore

Enabling your PIX to be a DHCP server for your home network requires very few statements. First you have to enable the feature on the desired interface, which is usually the “inside” interface. The next step is to set the range of IP addresses the PIX’s “inside” interface will manage, and finally, you need to state the IP address of the DNS server the DHCP clients will use.

The default DNS address the PIX provides to its DHCP clients is the IP address of the “inside” protected interface. If the PIX is configured to get its Internet IP address from your ISP, the PIX automatically becomes a caching DNS server for your home network, so in that case you don’t have to use the dns statement.

dhcpd enable inside

dhcpd address 192.168.1.20-192.168.1.30 inside

dhcpd dns 192.168.1.100

How To Configure Your PIX To Accept Telnet

August 12, 2008 by gishore

The telnet command can be used to configure your PIX to accept telnet sessions. By default, it allows connections on the inside interface from the 192.168.1.0 network, as seen below:

telnet 192.168.2.0 255.255.255.0 inside

Of course, if you change the IP address of the inside interface, you may have to change the statement above.

You can also allow access on the outside interface with a similar command. In the case below we’re allowing access from the network 64.251.19.0. I generally wouldn’t recommend this, but in some cases the need to do it is unavoidable.

telnet 64.251.19.0 255.255.255.0 outside

As an added precaution, you can set the PIX to automatically log out telnet sessions that have been inactive for a period of time. Here is an example of a 15 minute timeout period.

telnet timeout 15

HOW TO CONFIGURE SENDMAIL

August 12, 2008 by gishore

With the growth of the Internet, e-mail has quickly become the main vehicle to spread information through the public at large. As the demand for fast, cheap and reliable e-mail grows, more individuals are turning to Linux to provide a fast, cheap and reliable solution.

sendmail was originally developed by Eric Allman, in 1979, as “delivermail”, which first shipped with BSD 4.0. This program was not very flexible and required configuration at compile time. With the growth of the TCP protocol and other factors, it became obvious that delivermail was not flexible enough to handle these new demands. Eric Allman recreated sendmail from scratch, and what he produced has become the standard for MTAs. Rather than reject messages that did not conform to the protocols, sendmail is designed to be tolerant of such messages. For those who have never configured an e-mail server, this article demonstrates how to configure sendmail 8.11.2 after a fresh install of Red Hat Linux 7.1.

By default, sendmail 8.11 is installed during the Red Hat Linux 7.1 installation. As Red Hat has progressed over the years, the installation process has become very easy. Though this article will not go into installation details, further documentation is provided on the Red Hat CD set.

For your new e-mail server to work, you must first get all the DNS issues straight. First, add the hostname and IP address for the new e-mail server to your DNS server and confirm the address with nslookup:

[root@testmail /root]# nslookup -sil testmail.blank.com
Server: 192.168.100.1
Address: 192.168.100.1#53
Name: testmail.blank.com
Address: 192.168.100.134

It is also important that your administrator add a reverse DNS entry to prevent delays in mail delivery. Most modern e-mail servers use reverse lookup as a means of authentication for mail transfer. Again, confirm the setting is correct by using the nslookup command on your IP address.

[root@testmail /root]# nslookup -sil 192.168.100.134
Server: 192.168.100.1
Address: 192.168.100.1#53
134.100.168.192.in-addr.arpa name = TESTMAIL.blank.com.

As you can see, the DNS entries are set up and working correctly, so let’s move on to actually configuring sendmail. By default, sendmail installations on Red Hat only allow SMTP traffic on the localhost. The output of netstat -nl shows all ports that have a dæmon listening; note the line that says 127.0.0.1:25. This means the server is only listening on the loopback interface for connections on port 25 (SMTP).

[root@testmail /root]# netstat -nl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:667             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1119   /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     1172   /tmp/.font-unix/fs7100

This keeps your mail dæmon from accepting e-mail from any computer except the localhost. To fix this, we must tell sendmail to listen for connections on the external interface. In the case of our new server there is only one Ethernet card, with eth0 being the external interface. To confirm the IP address on eth0, simply run ifconfig. Depending on your configuration, this IP can differ from the address defined in your DNS server, but in our example the addresses are the same.

[root@testmail /root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:60:97:DE:E9:99
          inet addr:192.168.100.134  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12421 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

This machine has an address of 192.168.100.134 on the eth0 interface. Once you have that address, edit the /etc/sendmail.cf file and configure the sendmail dæmon to listen on the address.

# SMTP daemon options
O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

change to

O DaemonPortOptions=Port=smtp,Addr=192.168.100.134, Name=MTA

Once you have completed this task, save this file and restart the sendmail dæmon using the rc script /etc/init.d/sendmail.

[root@testmail /root]# /etc/init.d/sendmail restart
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
[root@testmail /root]#

Now check to see if there has been a change with the netstat -nl command. As you can see the output clearly shows that a dæmon (sendmail) is listening on port 25 of the IP address 192.168.100.134 that is assigned to our interface eth0.

[root@testmail /root]# netstat -nl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.100.134:25      0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:667             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1119   /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     1172   /tmp/.font-unix/fs7100
[root@testmail /root]#

Now that we have sendmail accepting external connections, we need to assign the domains that can be accepted. This can be accomplished with the /etc/mail/local-host-names file. Simply put the domain name, blank.com, in the file.

# local-host-names - include all aliases for your machine here.
blank.com

Once this information is saved, restart the sendmail dæmon again with /etc/init.d/sendmail restart. sendmail can accept e-mail for multiple domains on the same server; add a domain name to this file each time you want to accept mail for a new domain.

You now have a working e-mail server. It can accept e-mail from anywhere in the world, but it can only send or relay e-mail that originates on the localhost. This is another default security feature: sendmail will not relay mail, which prevents spam from being sent through your server. If your users log directly into the server, this configuration does not need modification. But if your organization is like most, clients use e-mail from remote sites. If your users use clients like KMail or Outlook Express, you will need to allow those machines to relay e-mail through your new server, without opening your site up to unrestricted relaying. This can be done by adding the following line to the /etc/mail/access file and running make access.db after saving that file.

blank.com RELAY

The resulting file looks like this:

# Check the /usr/share/doc/sendmail-8.11.2/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail-8.11.2/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost…
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
blank.com RELAY

[root@testmail mail]# make access.db
[root@testmail mail]#

The make access.db command includes your new setting in the hash database sendmail uses to determine who may relay e-mail through your server. This allows connections from inside the blank.com domain to relay e-mail through your new mail server and prevents use of the service by non-members. You can also put an IP prefix, such as 192.168, to limit relaying to a range of addresses inside your network. Keep in mind that if this setting is too open, spammers can bounce huge amounts of e-mail off your system.
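
An added example (not from the post) that models how the access map above is consulted for a relay decision: the full client name first, then its parent domains, then the client IP and its shorter octet prefixes, which is why a 192.168 entry covers that whole range. The file contents are constructed from the entries in this post plus an IP-prefix entry and a REJECT entry; the real server reads the hash database built by make access.db rather than the text file, and the audit() check is my own addition that flags entries broad enough to make the server an open relay.

```python
# Constructed /etc/mail/access contents in the format this post shows: the RELAY
# entries it describes, an IP-prefix entry as the post suggests, and one REJECT.
SAMPLE_ACCESS = """
# by default we allow relaying from localhost...
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
blank.com               RELAY
192.168                 RELAY
spam.example            REJECT
"""

def parse_access(text):
    """Return [(key, action)] in file order, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, action = line.split(None, 1)
        entries.append((key.lower(), action.strip().upper()))
    return entries

def lookup(entries, client_host, client_ip):
    """Most specific match wins, in the order sendmail consults the map: the full
    client name, then each parent domain, then the full IP, then shorter octet prefixes."""
    table = dict(entries)
    labels = client_host.lower().split(".") if client_host else []
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return None  # no entry: sendmail's default is to refuse relaying

def may_relay(entries, client_host, client_ip):
    return lookup(entries, client_host, client_ip) == "RELAY"

def audit(entries):
    """Flag RELAY keys so broad that the server effectively becomes an open relay."""
    findings = []
    for key, action in entries:
        if action != "RELAY":
            continue
        is_ip = key.replace(".", "").isdigit()
        if is_ip and "." not in key:
            findings.append(f"{key}: relays for an entire /8")
        elif not is_ip and "." not in key and key != "localhost":
            findings.append(f"{key}: top-level label relays for every host under .{key}")
    return findings
```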

Now that you can accept e-mail from anywhere in the world, have configured your domain, and have allowed relaying for approved clients, you may want to allow remote access to that mail. This can be accomplished with IMAP or POP. With a default server install, not all the packages required to make POP/IMAP mail work are installed. These services are provided by the imap-2000-9 rpm package. To check the install status of this package, use the command rpm -aq | grep -i imap. If no package is found, insert Disk 2 of the Red Hat 7.1 installation set into your CD-ROM drive and mount the media with the mount /dev/cdrom /mnt/cdrom command.

[root@testmail mail]# mount /dev/cdrom /mnt/cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only

(This is a successful mount of read-only media.) Once mounted, you can install the package with rpm -Uvh /mnt/cdrom/RedHat/RPMS/imap-2000-9.i386.rpm:

[root@testmail mail]# rpm -Uvh /mnt/cdrom/RedHat/RPMS/imap-2000-9.i386.rpm
Preparing…                ########################################### [100%]
   1:imap                  ########################################### [100%]

As you can see, when I now run the rpm search, rpm -aq | grep -i imap, the IMAP package is displayed in the output.

[root@testmail mail]# rpm -aq | grep -i imap
imap-2000-9
[root@testmail mail]#

With the correct package installed, you now need to enable POP3 connections to your new e-mail server. This is done in the /etc/xinetd.d directory by modifying the ipop3 file: set the value of disable to no and save the file. Remember to keep the case as it appears in the file.

# default: off
# description: The POP3 service allows remote users to access their mail \
#              using an POP3 client such as Netscape Communicator, mutt, \
#              or fetchmail.
service pop3
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/ipop3d
        log_on_success  += USERID
        log_on_failure  += USERID
        disable         = no
}

Now you need to restart the xinetd dæmon to make the new setting take effect. Do this with the rc script /etc/init.d/xinetd; simply issue the restart command as seen below.

[root@testmail xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@testmail xinetd.d]#

Now send a test e-mail to your new server and connect to the server via your favorite pop client. You should now be able to access your e-mail via POP protocol.

One final consideration about your new server is performance. You may receive complaints about slow connections to your POP server if the client traffic originates from behind a firewall. The reason for this delay is that your e-mail server initiates an IDENT session with the client to confirm its identity. If there is no response to that query, the server waits for a timeout that defaults to 5 seconds. This value can be reduced to 1 second to remove most of the delay caused by IDENT. To change it, edit the /etc/sendmail.cf file and set the timeout to the desired value.

# timeouts (many of these)
#O Timeout.ident=5s
change to
O Timeout.ident=1s

Your e-mail server is now working and providing service to your users.