
Wednesday, October 25, 2023

FortiGate VIP responding on telnet to TCP 5060 and 2000

If you have a FortiGate firewall, you might have encountered a situation where Fortinet devices appear to have TCP ports 2000 and 5060 open, even when the firewall is configured to block them. If an IPsec connection is configured, it even looks as if a telnet connection can be established on TCP 2000 and 5060 between the devices at each end of the tunnel.

Security scans will flag it as a threat.


Fortinet's Default Behavior


By default, FortiGate (FortiOS 5.2, 5.4 and 5.6) intercepts and inspects all SIP and SCCP traffic, because its VoIP ALG setting 'default-voip-alg-mode' is set to 'proxy-based'.


When 'default-voip-alg-mode' is set to 'proxy-based' Fortinet treats:

    • TCP ports 5060, 5061 and UDP port 5060 as SIP protocol.
    • TCP port 2000 as Skinny Client Call protocol (SCCP) traffic - a Cisco proprietary protocol for VoIP.


Because of this, telnet connections through the FortiGate to these ports might look as if the port is open. Security scans such as port scans might identify TCP/UDP 5060 and TCP 2000 as open.


There are a few options to prevent this:


1.     Change default-voip-alg-mode to kernel-helper-based.

SCCP traffic is not processed if default-voip-alg-mode is set to kernel-helper-based mode.


# config system settings
    set default-voip-alg-mode kernel-helper-based
end

            NOTE: In a multi-VDOM setup, disable SIP-ALG on each of the respective VDOMs.


2.     Disable SIP and SCCP ALG in the default VoIP profile


# config voip profile
    edit "default"
        config sip
            set status disable
        end
        config sccp
            set status disable
        end
    next
end


This should do the trick. You can verify that the FortiGate has stopped listening on the ports using:


dia sys tcpsock | grep 5060

dia sys tcpsock | grep 2000

dia sys udpsock | grep 5060


You should not see any output.

Wednesday, September 20, 2023

SS command Cheat Sheet

ss Command Cheat Sheet

This cheat sheet provides an overview of the ss command and its commonly used options for examining socket statistics and network connections in Linux. Adjust the options as needed to match your specific requirements when working with ss.


1. Displaying Sockets:

  • ss: Display a summary of all sockets.
  • ss -t: Display TCP sockets.
  • ss -u: Display UDP sockets.
  • ss -w: Display raw sockets.
  • ss -x: Display UNIX domain sockets.


2. Filtering and Displaying Specific Sockets:

  • ss -tuln: Display all listening TCP and UDP sockets without resolving names.
  • ss -tul: Display all listening TCP and UDP sockets with name resolution.
  • ss -t4: Display IPv4 sockets.
  • ss -t6: Display IPv6 sockets.


3. Display Socket Statistics:

  • ss -s: Display socket statistics summary.
  • ss -t -s: Display TCP socket statistics.
  • ss -u -s: Display UDP socket statistics.
  • ss -w -s: Display raw socket statistics.
  • ss -x -s: Display UNIX domain socket statistics.


4. Display Extended Information:

  • ss -e: Display extended information, including socket UID and inode.
  • ss -t -a: Display all sockets (listening and non-listening).


5. Display Processes Associated with Sockets:

  • ss -t -p: Show the processes associated with each socket.
  • ss -t -t -p: Display TCP sockets along with their associated processes.


6. Display Socket Timers:

  • ss -o: Show socket timers (e.g., TCP retransmit timeout).
  • ss -t -o: Display TCP socket timers.
  • ss -u -o: Display UDP socket timers.


7. Show Header Information:

  • ss -H: Display header lines to label each column.
  • ss -i: Display information about network interfaces.


8. Filter by State:

  • ss state FIN-WAIT-1: Display sockets in a specific state (e.g., FIN-WAIT-1).
  • ss state connected: Show connected sockets.


9. Sort Output:

  • ss -t state established -o: Sort and display established TCP connections.
  • ss -n -o state established | sort -r -k 5: Sort established connections by data transfer rate.


10. Output in JSON Format:

  • ss -t -j: Display socket information in JSON format.


11. Display Help:

  • ss --help: Display the ss command's help and usage information.


12. Clear Timers and Counters:

  • ss -t -E: Clear socket timers.
  • ss -t -Z: Clear socket counters.


13. Show Reverse DNS Lookups:

  • ss -r: Show reverse DNS lookups in the output.
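
A worked use of ss -tuln from section 2, as an added example that is not part of the original post: the function reads ss -tuln output and reports every listening socket whose port is not on an allowlist. The function name, the allowlist and the sample output (SAMPLE_SS) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ss -tuln` output against a port allowlist.
# On a live host:  ss -tuln | unexpected_listeners "22 53"

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5060  0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0      511                *:2000        *:*
tcp   LISTEN 0      128             [::]:22       [::]:*
tcp   LISTEN 0      64     [fe80::1]%eth0:5060    [::]:*'

# unexpected_listeners "ALLOWED PORTS"
# Reads `ss -tuln` output on stdin and prints "proto port local-address"
# for each TCP/UDP listener whose port is not in the space-separated allowlist.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "Netid" { next }                  # skip the header row
        $1 != "tcp" && $1 != "udp" { next }     # ignore anything else
        {
            # Column 5 is Local Address:Port. IPv6 addresses contain colons,
            # so the port is whatever follows the LAST colon.
            port = $5; sub(/.*:/, "", port)
            addr = $5; sub(/:[^:]*$/, "", addr)
            if (!(port in ok)) print $1, port, addr
        }'
}
```
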


Tuesday, September 19, 2023

IP command Cheat Sheet

Several of the most used Linux commands/tools, such as ifconfig, netstat and route, are deprecated. It’s time to start using the versatile ip command line utility.


The ip command line utility, provided by the ‘net-tools’ package, is used for various network administration tasks on Linux nodes.


Syntax of the ip command line utility:


# ip [ OPTIONS ] OBJECT { COMMAND | help}


OPTIONS are used to define global parameters. Commonly used ones are:

-4 -> shows IPv4 specific details only.

-6 -> shows IPv6 specific details only.

-s -> shows statistics of the various network interfaces.

-t -> display current time when using monitor option.



OBJECTS are the items the command acts on.

Commonly used OBJECTS are as follows:

a, addr -> IP address on the device

link -> Network device

route -> Routing table entry

rule -> Rule in the routing policy database

n, neigh -> Manage ARP/NDISC cache entries

m, maddr -> Multicast address

monitor -> Watch netlink messages



This cheat sheet offers a concise overview of the ip command and its available options. It serves as a valuable resource for troubleshooting network and system issues.


NOTE: Some commands contain parameters written in capital letters, such as ‘INTERFACE’; replace these with values that fit your use case.

1. Displaying Network Information:

  • ip address show or ip a : Show information about all network interfaces.
  • ip link show or ip l : Display link layer information.
  • ip route show or ip r : Display the routing table.

2. Managing Network Interfaces:

  • ip link set dev INTERFACE up/down : Enable or disable a network interface.
  • ip link set dev INTERFACE name NEW_NAME : Rename a network interface.
  • ip link set dev INTERFACE mtu MTU_VALUE : Set the Maximum Transmission Unit (MTU) for an interface.
  • ip link add link INTERFACE name NEW_INTERFACE type TYPE : Create a new virtual interface based on an existing one.

3. Configuring IP Addresses:

  • ip address add IP_ADDRESS/NETMASK dev INTERFACE : Assign an IP address to an interface.
  • ip address delete IP_ADDRESS/NETMASK dev INTERFACE : Remove an IP address from an interface.
  • ip address show dev INTERFACE : Display IP address information for a specific interface.

4. Managing Routes:

  • ip route add NETWORK via GATEWAY : Add a static route.
  • ip route delete NETWORK : Delete a static route.
  • ip route show : Display the routing table.
  • ip route flush cache : Clear the routing cache.

5. Managing ARP Cache:

  • ip neigh show : Display the ARP cache.
  • ip neigh add IP_ADDRESS lladdr MAC_ADDRESS dev INTERFACE : Add an ARP cache entry manually.
  • ip neigh delete IP_ADDRESS dev INTERFACE : Delete an entry from the ARP cache.

6. Managing VLANs (Virtual LANs):

  • ip link add link INTERFACE name VLAN_NAME type vlan id VLAN_ID : Create a VLAN interface.
  • ip link show VLAN_NAME : Display information about a VLAN interface.

7. Managing Bridge Interfaces:

  • ip link add name BRIDGE_NAME type bridge : Create a bridge interface.
  • ip link set dev INTERFACE master BRIDGE_NAME : Add an interface to a bridge.
  • ip link set dev INTERFACE nomaster : Remove an interface from a bridge.
  • ip link show BRIDGE_NAME : Display information about a bridge.

8. Managing Tunnels:

  • ip tunnel add TUNNEL_NAME mode MODE remote REMOTE_IP local LOCAL_IP : Create a tunnel interface.
  • ip tunnel delete TUNNEL_NAME : Delete a tunnel interface.
  • ip tunnel show : Display information about tunnel interfaces.

9. Managing QoS and Traffic Control:

  • ip link set dev INTERFACE qlen QUEUE_LENGTH : Set the length of the transmit queue.
  • ip link set dev INTERFACE txqueuelen QUEUE_LENGTH : Set the length of the transmit queue.
  • tc : Use the tc command for advanced traffic control and QoS configuration.

10. Managing Multicast:

  • ip maddr show : Display multicast group memberships.
  • ip maddr add IP_ADDRESS dev INTERFACE : Add INTERFACE to the membership of the multicast group with an IPv4 address of IP_ADDRESS.
  • ip maddr delete IP_ADDRESS dev INTERFACE : Remove INTERFACE from the multicast group with IP address IP_ADDRESS.

This ip command cheat sheet should provide you with a quick reference for managing network configurations and interfaces in Linux.

Remember to replace INTERFACE, IP_ADDRESS, NETMASK, NETWORK, GATEWAY, VLAN_NAME, BRIDGE_NAME, TUNNEL_NAME, REMOTE_IP, LOCAL_IP, QUEUE_LENGTH, and other placeholders with your specific values when using the commands.