Official Site: http://www.untangle.com/
The following notes assume Untangle Version 7.1
Use the console terminal, remove the file "/etc/ssh/sshd_not_to_be_run" and edit sshd_config to your needs. Set the SSH server port to something other than 22 for more security.
Or, follow this wiki article for latest information:
http://wiki.untangle.com/index.php/Enable_SSH
Then go to the packet filter and add a rule to allow traffic to the non-standard SSH port.
Get the package at http://packages.debian.org/lenny/i386/iftop/download ,
and install using the "dpkg -i" command.
Create a config file "/etc/iftoprc" to format the default output.
Example for connection list:
hide-destination: no
line-display: one-line-both
port-display: yes
Example for per local IP bandwidth usage:
hide-destination: yes
line-display: one-line-both
And create a script to run it:
#!/bin/sh
# customizable settings:
LOCALNET="192.168.1.0/24"
IFACE="eth1"          # internal interface
CONF="/etc/iftoprc"
iftop -p -n -N -i "$IFACE" -F "$LOCALNET" -c "$CONF"
Get the package at http://packages.debian.org/lenny/i386/bandwidthd/download ,
get dependency package at http://packages.debian.org/lenny/i386/libgd2-noxpm/download ,
and install both using the "dpkg -i" command.
Create "/etc/apache2/conf.d/bandwidthd.conf":
Alias /bandwidthd /var/lib/bandwidthd/htdocs
<Location /bandwidthd>
Order deny,allow
Deny from all
# allow from these trusted hosts:
Allow from 127.0.0.1
Allow from ::1
Allow from 10.0.0.0/8
Allow from 172.16.0.0/12
Allow from 192.168.0.0/16
</Location>
Edit "/etc/bandwidthd/bandwidthd.conf" to suit your needs. Normally these need to be changed:
# Subnets to collect statistics on
subnet 192.168.1.0/24
# normally change dev to the internal interface, like:
dev "eth1"
promiscuous true
# Log data to cdf file htdocs/log.cdf
output_cdf true
# Read back the cdf file on startup
recover_cdf true
Reload apache and start bandwidthd. Access the statistics at:
https://<ip of untangle box>/bandwidthd/
ntop home page: http://www.ntop.org
Get the ntop package at http://packages.debian.org/lenny/i386/ntop/download ,
and dependency package libgraphviz at http://packages.debian.org/lenny/i386/libgraphviz4/download
After install, set ntop admin password by:
/usr/sbin/ntop -A
Edit "/etc/default/ntop" and change the ntop web server listen port to avoid a conflict with Untangle, e.g. 4000:
GETOPT="-w 4000"
Edit "/var/lib/ntop/init.cfg" to your needs. Example, monitor the bridged interface:
INTERFACES="br.eth0"
Add a rule in the Packet Filter to allow remote access to port 4000.
Get latest tcpdump at http://packages.debian.org/sid/i386/tcpdump/download ,
dependency libpcap0.8 at http://packages.debian.org/sid/i386/libpcap0.8/download ,
dependency libssl0.9.8 at http://packages.debian.org/sid/i386/libssl0.9.8/download
The raw capture command:
# capture on interface br.eth0
# how many bytes to save per packet: 68
# rotate to a new file every 300 seconds
# file naming format: pcap_<year>_<month><day>_<hour><min>, e.g. pcap_2010_0120_1617
tcpdump -i br.eth0 -s 68 -G 300 -w "/capture-folder/pcap_%Y_%m%d_%H%M"
The more elegant way to do it is to use an init script.
Clear outdated capture files using tmpwatch.
# You probably will run this using cron.
# Suppose you want to keep 30 days (= 720 hours) of traffic for analysis:
tmpwatch -m -f 720 /capture-folder/
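The init script mentioned above, written out as an added example that is not part of the original notes: a small start/stop wrapper around the rotating tcpdump command, plus a purge function that does the job of the tmpwatch line with GNU find. The capture directory, the pid file path and the 720-hour window are assumptions taken from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumed settings below.
IFACE="br.eth0"                         # bridged interface, as in the notes
SNAPLEN=68                              # bytes saved per packet
ROTATE_SECS=300                         # tcpdump -G: new file every 5 minutes
CAPDIR="/capture-folder"                # assumed capture directory
PIDFILE="/var/run/tcpdump-capture.pid"  # assumed pid file location
KEEP_HOURS=720                          # 30 days, same window as tmpwatch -f 720

# Start the rotating capture in the background and record its pid.
start_capture() {
    [ -d "$CAPDIR" ] || mkdir -p "$CAPDIR"
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "capture already running (pid $(cat "$PIDFILE"))" >&2
        return 1
    fi
    tcpdump -i "$IFACE" -s "$SNAPLEN" -G "$ROTATE_SECS" \
        -w "$CAPDIR/pcap_%Y_%m%d_%H%M" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

# Stop the capture recorded in the pid file.
stop_capture() {
    [ -f "$PIDFILE" ] || { echo "capture not running" >&2; return 1; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

# Delete pcap_* files in directory $1 whose mtime is older than $2 hours.
# Same intent as "tmpwatch -m -f HOURS DIR", but only touches capture files
# so unrelated files in the directory are left alone. Uses GNU find -mmin.
purge_old_captures() {
    dir="$1"
    hours="$2"
    find "$dir" -maxdepth 1 -type f -name 'pcap_*' \
        -mmin +"$((hours * 60))" -exec rm -f {} +
}

case "${1:-}" in
    start)   start_capture ;;
    stop)    stop_capture ;;
    restart) stop_capture; start_capture ;;
    purge)   purge_old_captures "$CAPDIR" "$KEEP_HOURS" ;;
    "")      ;;   # no action given (e.g. sourced): do nothing
    *)       echo "usage: $0 {start|stop|restart|purge}" >&2; exit 2 ;;
esac
```

Run the purge action from cron at the same interval you would have used for tmpwatch.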
To analyze the capture files, if your Untangle box has enough horsepower, fire up the bundled wireshark program at the console or remotely at your workstation. You can consider Xming if your workstation is running Windows. Otherwise, copy them to another box for analysis.
Suppose you want to add barracudacentral RBL.
Create file /etc/mail/spamassassin/99_barracuda_rbl.cf:
header RCVD_IN_BARRACUDACENTRAL_RBL eval:check_rbl('barracuda', 'b.barracudacentral.org.')
describe RCVD_IN_BARRACUDACENTRAL_RBL Received via a relay in BARRACUDACENTRAL Rbl blocklist
tflags RCVD_IN_BARRACUDACENTRAL_RBL net
score RCVD_IN_BARRACUDACENTRAL_RBL 3.0