■Using the Cisco892J as a plain L3 router: syslog forwarding and ACL logging
Having logs really does come in handy for all sorts of things.
This is a VLAN-free configuration, meant as a replacement for the setup in the post below.
Note: no NAT is configured on the Cisco892J this time.
Setting up port forwarding (NAT) on a Fortigate-80C
http://labunix.hateblo.jp/entry/20150222/1424613472
■L3 configuration: Fe8 (LAN) -> Ge0 (WAN)
Fe0 through Fe7 are fixed L2 switch ports on this box, so the routed interfaces are Fe8 and Ge0. Both are left administratively down until the routes are in place. The static route for 172.31.31.0/24 is redundant (the connected route on Fe8 already covers it and wins on administrative distance); the one that matters is the default route via 192.168.1.254.
interface FastEthernet8
ip address 172.31.31.252 255.255.255.0
shutdown
interface GigabitEthernet0
ip address 192.168.1.252 255.255.255.248
shutdown
exit
ip route 172.31.31.0 255.255.255.0 172.31.31.254
ip route 0.0.0.0 0.0.0.0 192.168.1.254
end
■Once you are ready to test connectivity, bring the interfaces up administratively
interface FastEthernet8
no shutdown
interface GigabitEthernet0
no shutdown
end
■NTP server configuration
You rarely get the chance to sync from the "internal" side, but that is what is done here.
Setting it up now because it comes back later (an ACL will end up blocking the replies).
ntp server 172.31.31.254
exit
show ntp associations
address ref clock st when poll reach delay offset disp
~172.31.31.254 .INIT. 16 60 64 0 0.000 0.000 15937.
* sys.peer,
show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**21
ntp uptime is 47700 (1/100 of seconds), resolution is 4000
reference time is D915A40D.DCCDED51 (15:15:25.862 UTC Sun May 31 2015)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 108 sec ago.
show ntp information
Ntp Software Name : Cisco-ntpv4
Ntp Software Version : Cisco-ntpv4-1.0
Ntp Software Vendor : CISCO
Ntp System Type : Cisco IOS / MPC8300
show ntp packets
Ntp In packets : 10
Ntp Out packets : 20
Ntp bad version packets : 0
Ntp protocol error packets : 0
Right after configuration the association is still in .INIT. at stratum 16 with reach 0: the server has been polled, but no usable reply has been counted yet, so the router's clock is still unsynchronized. Check again after a few poll intervals (64 s here) before trusting the router timestamps in the forwarded logs.
■Syslog destination (rsyslog.conf)
$ grep -A 1 "172.31.31.252\|imudp" /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
--
:fromhost-ip, isequal, "172.31.31.252" /var/log/Cisco892J.log
& ~
$ sudo /etc/init.d/rsyslog restart
The property-based filter line has to start with a colon (`:fromhost-ip, ...`); without it rsyslog rejects the rule. The `& ~` that follows discards messages that matched the filter, so the router's lines are not also written to /var/log/syslog; newer rsyslog spells the same thing `& stop`. Listening on UDP/514 is fine on a lab segment, but plain UDP syslog is neither authenticated nor encrypted: anyone on the LAN can spoof 172.31.31.252 and inject lines that look like the router's.
■Cisco892J syslog source configuration
logging 172.31.31.254
logging source-interface fastEthernet 8
end
The default trap level (informational, severity 6) already covers the %SEC-6 ACL messages used below, so no `logging trap` change is needed. Pinning the source interface to Fe8 guarantees the messages arrive from 172.31.31.252, which is the address the rsyslog filter above keys on.
■Repeat `configure terminal` and `end` about three times and confirm that the messages are forwarded
$ sudo tail -f /var/log/Cisco892J.log
Jun 1 00:24:11 172.31.31.252 69: May 31 15:24:10.802: %SYS-5-CONFIG_I: Configured from console by console
Jun 1 00:25:31 172.31.31.252 70: May 31 15:25:30.835: %SYS-5-CONFIG_I: Configured from console by console
Jun 1 00:25:44 172.31.31.252 71: May 31 15:25:43.531: %SYS-5-CONFIG_I: Configured from console by console
Each line carries two timestamps: the receive time stamped by rsyslog in the host's local time, and the router's own stamp (`service timestamps log datetime msec`), which is in UTC here, nine hours behind. The "69:" in front of the router timestamp is the message sequence number (`service sequence-numbers`); a gap in that counter is how you later notice that UDP syslog dropped something.
■Permit Telnet
username labunix password XXXXXXXX
line vty 0 4
transport input telnet
login local
end
Telnet carries the username and password in clear text, and `username ... password` stores the credential reversibly (type 0, or the trivially decodable type 7 once `service password-encryption` is on). On anything other than an isolated lab segment use `username ... secret` and `transport input ssh` instead; the ACL in the next step at least limits where a Telnet session can come from.
■Restrict inbound traffic to Telnet only and log it
access-list 100 permit tcp 172.31.31.0 0.0.0.255 gt 1023 host 172.31.31.252 eq 23 log telnetlog
access-list 100 deny tcp any any log deny-log
interface fastEthernet 8
ip access-group 100 in
end
The word after `log` is a user-defined tag that IOS appends to each %SEC-6-IPACCESSLOGP message, which makes the lines easy to grep on the syslog host. The explicit `deny tcp any any log` exists only to produce a log line: the implicit deny at the end of every ACL drops silently.
■Try logging in via Telnet
$ telnet 172.31.31.252
Trying 172.31.31.252...
Connected to 172.31.31.252.
Escape character is '^]'.
User Access Verification
Username: labunix
Password:
Router>
■Check the forwarded syslog
It shows up roughly 5 seconds after it appears on the console.
$ sudo tail -f /var/log/Cisco892J.log | sed -e 's/ list 100/\n&/g'
Jun 1 00:49:02 172.31.31.252 98: .May 31 15:49:01.435: %SEC-6-IPACCESSLOGP:
list 100 permitted tcp 172.31.31.254(36515) -> 172.31.31.252(23), 1 packet [telnetlog]
ACL logging is not a per-packet record: the first packet matching an entry is logged immediately, and further matches of the same entry are rolled up into an "N packets" summary every five minutes (tunable with `ip access-list log-update threshold`). Logged packets are also punted to the CPU, so a `log` on a busy deny line can itself become a DoS vector; on an exposed interface cap it with `logging rate-limit`.
■For example, the mail (SMTP) port is blocked.
$ telnet 172.31.31.252 25
Trying 172.31.31.252...
telnet: Unable to connect to remote host: No route to host
$ sudo tail -f /var/log/Cisco892J.log | sed -e 's/ list 100/\n&/g'
Jun 1 00:49:46 172.31.31.252 99: .May 31 15:49:45.804: %SEC-6-IPACCESSLOGP:
list 100 denied tcp 172.31.31.254(40585) -> 172.31.31.252(25), 1 packet [deny-log]
"No route to host" is how Linux reports the ICMP destination-unreachable (administratively prohibited) that IOS sends back for an ACL deny; the same message shows up as "Packet filtered" for ping below. That reply tells a scanner exactly which ports are filtered rather than closed. `no ip unreachables` on the interface suppresses it, at the cost of making legitimate failures time out instead of failing fast.
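Once the router's ACL hits land in /var/log/Cisco892J.log, the useful questions are "what was denied, how often, and did I lose any messages on the way". The following parser is an added example, not code from the page: it takes the page's own three %SEC-6-IPACCESSLOGP lines plus one constructed line (a five-minute "4 packets" summary with a jump in the sequence counter), sums denied packet counts per target, and reports gaps in the `service sequence-numbers` counter. The IPACCESSLOGDP (ICMP) and IPACCESSLOGNP (other protocol) variants are out of scope here; only the TCP/UDP form is parsed.

```python
"""Parser for the %SEC-6-IPACCESSLOGP lines the router forwards (added example, not code
from the page). The first three SAMPLE lines are the page's own log lines; the fourth is
constructed to show a five-minute summary ("4 packets") and a sequence-number gap."""
import re
from collections import Counter

SAMPLE = """\
Jun  1 00:49:02 172.31.31.252 98: .May 31 15:49:01.435: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 172.31.31.254(36515) -> 172.31.31.252(23), 1 packet [telnetlog]
Jun  1 00:49:46 172.31.31.252 99: .May 31 15:49:45.804: %SEC-6-IPACCESSLOGP: list 100 denied tcp 172.31.31.254(40585) -> 172.31.31.252(25), 1 packet [deny-log]
Jun  1 01:13:04 172.31.31.252 109: .May 31 16:13:03.880: %SEC-6-IPACCESSLOGP: list 100 denied udp 172.31.31.254(123) -> 172.31.31.252(123), 1 packet [deny-udp]
Jun  1 01:18:04 172.31.31.252 111: .May 31 16:18:03.880: %SEC-6-IPACCESSLOGP: list 100 denied udp 172.31.31.254(123) -> 172.31.31.252(123), 4 packets [deny-udp]
"""

# rsyslog receive time, router IP, `service sequence-numbers` counter, clock-trust mark,
# router timestamp, then the ACL hit. IPACCESSLOGP is the TCP/UDP variant (ICMP uses
# IPACCESSLOGDP with type/code instead of ports and is not handled here).
LINE_RE = re.compile(
    r"^(?P<rcvd>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<seq>\d+): "
    r"(?P<clock>[.*])?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?(?: \[(?P<tag>[^\]]+)\])?$"
)
SEQ_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (\d+): ")


def parse(text):
    """Return one dict per ACL-hit line; other messages (CONFIG_I etc.) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        for k in ("seq", "sport", "dport", "count"):
            r[k] = int(r[k])
        # IOS prefixes the timestamp with '.' when the clock is authoritative but NTP is not
        # synchronized, and with '*' when the clock was never set; no mark means trustworthy.
        r["clock_trusted"] = r["clock"] is None
        records.append(r)
    return records


def denied_by_target(records):
    """Packets denied per (src, proto, dst, dport, tag). The first match of an entry logs
    "1 packet" at once; later matches are rolled into one "N packets" line per five minutes,
    so counts must be summed, not lines."""
    c = Counter()
    for r in records:
        if r["action"] == "denied":
            c[(r["src"], r["proto"], r["dst"], r["dport"], r["tag"])] += r["count"]
    return c


def sequence_gaps(text):
    """Jumps in the router's message counter: messages dropped in transit (syslog over UDP
    is best effort) or never sent to this host (the counter covers console/buffer messages
    too). In the page's excerpt the gaps just reflect lines that were not pasted, which is
    exactly the ambiguity a gap leaves you with."""
    seqs = [int(m.group(1)) for m in map(SEQ_RE.match, text.splitlines()) if m]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for key, n in denied_by_target(recs).items():
        print(n, "denied", key)
    print("gaps:", sequence_gaps(SAMPLE))  # [(99, 109), (109, 111)]
    print("untrusted clock:", [r["seq"] for r in recs if not r["clock_trusted"]])
```

Every line in the page's capture carries the "." mark, i.e. the router's clock was not NTP-synchronized when these were logged, so the router timestamps should be treated as approximate and the rsyslog receive time used for correlation.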
■For the implicit deny, which has no log keyword (ICMP here), the traffic is blocked and no log line appears.
$ ping -c 3 172.31.31.252
PING 172.31.31.252 (172.31.31.252) 56(84) bytes of data.
From 172.31.31.252 icmp_seq=1 Packet filtered
From 172.31.31.252 icmp_seq=2 Packet filtered
From 172.31.31.252 icmp_seq=3 Packet filtered
--- 172.31.31.252 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2000ms
■Capture packets, wait for unwanted traffic, and stop it
For example, CDP packets are flowing.
$ sudo tcpdump -i eth2 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
00:59:26.834816 CDPv2, ttl: 180s, Device-ID 'Router', length 351
■Stop CDP
no cdp run
CDP advertises the device name, platform and IOS version to every host on the segment, which is free reconnaissance; it is a layer-2 protocol, so the inbound IP ACL above does nothing about it. `no cdp run` disables it globally; `no cdp enable` under an interface disables it per port.
■Shut the VLAN itself down as well?
no spanning-tree vlan 1
interface vlan 1
shutdown
end
■Log the non-syslog UDP as well.
The log tags get renamed at the same time, so there was no need to pick sequence 15 specifically, but anyway.
A numbered ACL can be edited by sequence number from `ip access-list extended 100`; `no 20` followed by a new `20 ...` replaces that entry in place rather than appending it.
ip access-list extended 100
15 deny udp any any log deny-udp
no 20
20 deny tcp any any log deny-tcp
end
Extended IP access list 100
10 permit tcp 172.31.31.0 0.0.0.255 gt 1023 host 172.31.31.252 eq telnet log (102 matches) (tag = telnetlog)
15 deny udp any any log (tag = deny-udp)
20 deny tcp any any log (tag = deny-tcp)
■The NTP reply from the internal side was blocked and turned up in the log, so exclude it.
$ sudo tail -f /var/log/Cisco892J.log | sed -e 's/ list 100/\n&/g'
Jun 1 01:13:04 172.31.31.252 109: .May 31 16:13:03.880: %SEC-6-IPACCESSLOGP:
list 100 denied udp 172.31.31.254(123) -> 172.31.31.252(123), 1 packet [deny-udp]
IOS sends its NTP client queries from source port 123, so the reply arrives as 123 -> 123. The `gt 1023` form (sequence 20 below) only covers a client using an ephemeral port, which is why the `eq 123 ... eq 123` line (sequence 30) is needed as well.
ip access-list extended 100
no 15
no 20
20 permit udp 172.31.31.0 0.0.0.255 gt 1023 host 172.31.31.252 eq 123
30 permit udp 172.31.31.0 0.0.0.255 eq 123 host 172.31.31.252 eq 123
40 deny tcp any any log deny-tcp
50 deny udp any any log deny-udp
end
Note that the `show` output below does not correspond to the commands just entered: the NTP permits sit at 25 and 30 rather than 30 and 40, the ICMP permit that is only added at the end of this page is already present, and line 10's source has become `172.31.31.232 0.0.0.16` instead of `172.31.31.0 0.0.0.255`. It appears to have been captured later, after a narrowing of the Telnet source that the page does not show being entered. (0.0.0.16 is a non-contiguous wildcard: it matches only .232 and .248, so the 172.31.31.254 host used above would no longer match line 10.)
Extended IP access list 100
10 permit tcp 172.31.31.232 0.0.0.16 gt 1023 host 172.31.31.252 eq telnet log (tag = telnetlog)
20 permit udp 172.31.31.0 0.0.0.255 gt 1023 host 172.31.31.252 eq ntp
25 permit udp 172.31.31.0 0.0.0.255 host 172.31.31.252 eq ntp
30 deny tcp any any log (tag = deny-tcp)
40 permit icmp 172.31.31.0 0.0.0.255 172.31.31.0 0.0.0.255 (10 matches)
50 deny udp any any log (3 matches) (tag = deny-udp)
■Restrict the outbound direction too.
These rules match on destination ports, so they do need an extended ACL; a standard ACL can only match on source address.
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 23
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 25
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 53
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 80
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 443
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 3128
access-list 101 permit tcp 172.31.31.0 0.0.0.255 any eq 8080
access-list 101 permit udp 172.31.31.0 0.0.0.255 any eq 53
access-list 101 permit udp 172.31.31.0 0.0.0.255 any eq 123
access-list 101 permit udp 172.31.31.0 0.0.0.255 any eq 161
access-list 101 permit udp 172.31.31.0 0.0.0.255 any eq 162
access-list 101 permit udp 172.31.31.0 0.0.0.255 any eq 514
access-list 101 permit icmp 172.31.31.0 0.0.0.255 172.31.31.0 0.0.0.255
access-list 101 deny icmp any any
access-list 101 deny ip any any log deny-out
interface fastEthernet 8
ip access-group 101 out
end
Check the direction before relying on this. `out` on Fe8 filters packets the router forwards towards the LAN, that is, traffic arriving from Ge0; the router's own packets (its ping replies, syslog, NTP) bypass outbound ACLs entirely, which is why the ping tests at the end of the page do not exercise it. Every permit above matches source 172.31.31.0/24, so the only forwarded traffic that can match one is LAN-to-LAN hairpin through the router; a reply from an Internet host to a LAN client has an outside source address and falls through to `deny ip any any log deny-out`. The per-port restrictions for LAN-originated sessions belong in the inbound ACL on Fe8 (or outbound on Ge0). For the return direction you need at least `permit tcp any 172.31.31.0 0.0.0.255 established` plus matching UDP permits, or better a reflexive ACL or the zone-based firewall, which track state instead of guessing from port numbers.
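Two ACL questions on this page, why the NTP reply slipped past the `gt 1023` permit (the deny-udp section above) and what ACL 101 actually does to return traffic when applied `out` on Fe8, are easiest to see with a small evaluator. The following is an added example, not code from the page or from IOS: it models first-match, sequence-ordered evaluation with IOS wildcard masks and the silent implicit deny. ACL 100 and ACL 101 are transcribed from the page's commands (the sequence numbers of the final ACL 100 are assumed, since the page's `show` output differs from its commands); the `established` entry and the address 203.0.113.10 (a documentation address standing in for an Internet host) are assumptions for the demonstration.

```python
"""IOS-style extended ACL evaluator (added example; not code from the page or from Cisco).
Entries are tried in sequence order, the first match wins, and falling off the end is the
implicit deny, which IOS never logs. ACL 100/101 are transcribed from the page; the
`established` entry and 203.0.113.10 (a stand-in Internet host) are assumptions."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("172.31.31.0", "0.0.0.255")
ROUTER = ("172.31.31.252", "0.0.0.0")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 1 bit means "don't care"; bits need not be contiguous,
    so 172.31.31.232 0.0.0.16 matches only .232 and .248."""
    as_int = lambda s: int(ipaddress.IPv4Address(s))
    care = ~as_int(wildcard) & 0xFFFFFFFF
    return as_int(addr) & care == as_int(base) & care

def port_match(port, spec):
    """spec is None (any port) or one of ("eq", n), ("gt", n), ("lt", n)."""
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]

@dataclass
class Entry:
    seq: int
    action: str              # "permit" / "deny"
    proto: str               # "ip", "tcp", "udp", "icmp"
    src: tuple               # (address, wildcard)
    dst: tuple
    sport: tuple = None
    dport: tuple = None
    tag: str = None          # the word after `log`
    established: bool = False  # IOS `established`: TCP ACK or RST set

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False

def evaluate(acl, pkt):
    """Return (action, matched sequence number, log tag); (deny, None, None) is the implicit deny."""
    for e in sorted(acl, key=lambda x: x.seq):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if e.proto in ("tcp", "udp") and not (
                port_match(pkt.sport, e.sport) and port_match(pkt.dport, e.dport)):
            continue
        if e.established and not pkt.ack:
            continue
        return e.action, e.seq, e.tag
    return "deny", None, None

# ACL 100 (inbound on Fe8) as it stood when the NTP reply was logged as denied.
ACL100_BEFORE = [
    Entry(10, "permit", "tcp", LAN, ROUTER, ("gt", 1023), ("eq", 23), "telnetlog"),
    Entry(15, "deny", "udp", ANY, ANY, tag="deny-udp"),
    Entry(20, "deny", "tcp", ANY, ANY, tag="deny-tcp"),
]
# ACL 100 after the NTP and same-segment ICMP permits (sequence numbers assumed).
ACL100_AFTER = [
    ACL100_BEFORE[0],
    Entry(20, "permit", "udp", LAN, ROUTER, ("gt", 1023), ("eq", 123)),
    Entry(30, "permit", "udp", LAN, ROUTER, ("eq", 123), ("eq", 123)),
    Entry(40, "permit", "icmp", LAN, LAN),
    Entry(50, "deny", "tcp", ANY, ANY, tag="deny-tcp"),
    Entry(60, "deny", "udp", ANY, ANY, tag="deny-udp"),
]

def acl101(with_established=False):
    """ACL 101 (outbound on Fe8) as on the page, optionally preceded by the return-traffic
    permit a practitioner would add (an assumption, not on the page)."""
    acl = []
    add = lambda *a, **kw: acl.append(Entry(10 * (len(acl) + 1), *a, **kw))
    if with_established:
        add("permit", "tcp", ANY, LAN, established=True)
    for p in (23, 25, 53, 80, 443, 3128, 8080):
        add("permit", "tcp", LAN, ANY, dport=("eq", p))
    for p in (53, 123, 161, 162, 514):
        add("permit", "udp", LAN, ANY, dport=("eq", p))
    add("permit", "icmp", LAN, LAN)
    add("deny", "icmp", ANY, ANY)
    add("deny", "ip", ANY, ANY, tag="deny-out")
    return acl

NTP_REPLY = Packet("udp", "172.31.31.254", "172.31.31.252", 123, 123)
HTTPS_REPLY = Packet("tcp", "203.0.113.10", "172.31.31.254", 443, 51234, ack=True)

if __name__ == "__main__":
    print(evaluate(ACL100_BEFORE, NTP_REPLY))   # ('deny', 15, 'deny-udp')
    print(evaluate(ACL100_AFTER, NTP_REPLY))    # ('permit', 30, None): sport 123 is not gt 1023
    print(evaluate(acl101(), HTTPS_REPLY))      # ('deny', 150, 'deny-out')
    print(evaluate(acl101(True), HTTPS_REPLY))  # ('permit', 10, None)
    print(wildcard_match("172.31.31.254", "172.31.31.232", "0.0.0.16"))  # False
```

The HTTPS reply case is the point of the outbound caveat: with ACL 101 exactly as on the page, a response from any outside host to a LAN client is logged as deny-out, while a LAN-to-LAN hairpin Telnet is permitted; a single `established` entry ahead of the list flips the former without opening the LAN to unsolicited inbound SYNs.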
■Permit ICMP within the same segment.
That's it for today.
Because the new lines are appended with the global `access-list 100 ...` form, they land after the existing deny entries; that is fine here because the denies are protocol-specific (tcp, udp) and do not catch ICMP.
ip access-list extended 100
no 40
exit
access-list 100 permit icmp 172.31.31.0 0.0.0.255 172.31.31.0 0.0.0.255
access-list 100 deny udp any any log deny-udp
end
From the router, `ping 172.31.31.254` (router-originated traffic is not subject to the outbound ACL):
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.31.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
And from the host, whose echo requests now hit the same-segment ICMP permit in ACL 100:
$ ping -c 3 172.31.31.252
PING 172.31.31.252 (172.31.31.252) 56(84) bytes of data.
64 bytes from 172.31.31.252: icmp_req=1 ttl=255 time=0.410 ms
64 bytes from 172.31.31.252: icmp_req=2 ttl=255 time=0.407 ms
64 bytes from 172.31.31.252: icmp_req=3 ttl=255 time=0.402 ms
--- 172.31.31.252 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.402/0.406/0.410/0.016 ms