FortiGate VIP responding on telnet to TCP 5060 and 2000

If you have a FortiGate Firewall you might have encountered situation where Fortinet devices appear to have open TCP ports 2000 and 5060, even when firewalls are configured to block them. If an IPSec connection is configured, this even looks like a telnet connection can be established between the devices in each end of the tunnels on TCP 2000 and 5060.

Security scans will flag it a threat.

 

Fortinet's Default Behavior

 

By default, FortiGate (FortiOS 5.2, 5.4 and 5.6) is configured to intercept and inspect all SIP and SCCP traffic by its VoIP ALG configuration 'default-voip-alg-mode' set to 'proxy-based'.

 

When 'default-voip-alg-mode' is set to 'proxy-based' Fortinet treats:

    • TCP ports 5060, 5061 and UDP port 5060 as SIP protocol.
    • TCP port 2000 as Skinny Client Call protocol (SCCP) traffic - a Cisco proprietary protocol for VoIP.

 

Because of this, any telnet connections through FortiGate might looks like open. Security scans such as Port Scans might identify TCP/UDP 5060, TCP 2000 as open.

 

There are few options to prevent this:

 

1.     Change default-voip-alg-mode to kernel-helper-based.

SCCP traffic is not processed if default-voip-alg-mode is set to kernel-helper-based mode.

 

# config system setting
    set default-voip-alg-mode kernel-helper-based
end

            NOTE: If having Multi-VDOM, disable SIP-ALG on all respective VDOM.

 

2.     Disable SIP and SCCP ALG in the default VoIP profile

 

# config voip profile
    edit "default"
        config sip
            set status disable
        end
        config sccp
            set status disable
        end
    next
end

 

This should do the trick. You can verify FortiGate stopped listening on the ports using:

 

dia sys tcpsock | grep 5060

dia sys tcpsock | grep 2000

dia sys udpsock | grep 5060

 

You should not see any o/p.

DHCP deleting custom entries in /etc/resolv.conf file

 

If you are working on cloud environments like AWS, OCI you might have come across a requirement where you need to add custom settings on DNS like name servers, search domains and so on. Any changes to /etc/resolv.conf or the network configuration files will be reverted by the DNS server associated with the cloud virtual network.

 

There are many ways to set custom DNS settings and make sure it’s not overridden by DHCP. Using Dhclient supersede option is one of the best methods.

 

The dhclient.conf file allows you to configure various options for the DHCP client (dhclient) that controls how your system obtains IP addresses and network configuration information from DHCP servers. The supersede directive is used to override and modify DHCP options that are provided by the DHCP server. It allows you to replace or supplement the DHCP options with your own settings.

 

Below, I'll explain how to use the supercede directive in the dhclient.conf file.

 

Config file: /etc/dhcp/dhclient.conf

 

Basic Syntax with usage:

interface "<INTERFACE>" {

supersede domain-search "<OPTION-NAME>", "OPTION-VALUE";

}

 

Example: If you want to set a custom DNS server on Oracle Linux 8.8, you may use dhclient supersede option as follows:

 

interface "ens3" {

supersede domain-name-servers 8.8.8.8;

}

 

You should reboot the server to see this is action or you can manually set the /etc/resolv.conf file with the required DNS but during the next DHCP renewal, dhclient will check the configuration file and update the superseded value for the DNS name server in /etc/resolv.conf.

 

You can supersede a number of DHCP options in the dhclient.conf file. Here's a list of DHCP options that can be superseded, along with their descriptions:

 

1.     subnet-mask: Specifies the subnet mask for the client's IP address.

2.     broadcast-address: Defines the broadcast address for the client's subnet.

3.     routers: Sets the default gateway or router for the client.

4.     domain-name-servers: Specifies the DNS servers used by the client.

5.     domain-name: Specifies the domain name for the client's network.

6.     domain-search: Specifies the domain search list for the client.

7.     host-name: Sets the hostname for the client.

8.     ntp-servers: Specifies the Network Time Protocol (NTP) servers used for time synchronization.

9.     netbios-name-servers: Specifies the NetBIOS name servers for Windows networking.

10.  netbios-scope: Defines the NetBIOS scope for Windows networking.

11.  interface-mtu: Sets the Maximum Transmission Unit (MTU) for the client's network interface.

12.  domain-name-servers-append: Appends DNS servers to the list provided by the DHCP server.

13.  classless-static-routes: Specifies static routes for the client.

14.  nis-domain: Sets the Network Information Service (NIS) domain.

15.  nis-servers: Specifies NIS servers for the client.

16.  nisplus-domain: Sets the NIS+ domain.

17.  nisplus-servers: Specifies NIS+ servers for the client.

18.  nisplus-client: Configures the NIS+ client settings.

19.  slp-directory-agent: Specifies Service Location Protocol (SLP) directory agents.

20.  slp-service-scope: Defines the SLP service scope.

21.  ldap-servers: Specifies LDAP (Lightweight Directory Access Protocol) servers.

22.  ldap-base-dn: Sets the LDAP base domain name.

23.  ldap-raid-info: Configures LDAP RAID (Redundant Array of Independent Disks) information.

24.  vivso: Supports Vendor-Identifying Vendor Specific Options (VIVSO).

These options can be superseded in the dhclient.conf file to customize the client's network configuration. Keep in mind that not all of these options may be present in your DHCP server's response. It's essential to understand which options are provided by your DHCP server and which ones you need to supersede to meet your network's specific requirements.

Intrusion Detection and Integrity Checks with AIDE in Linux

 Advanced Intrusion Detection Environment (AIDE) is an open-source utility designed to monitor and protect the integrity of files on a Linux system. AIDE creates a database of file attributes and uses it to perform regular checks for changes, additions, or deletions in system files, alerting you to potential security breaches. When properly used AIDE helps to protect the system internally, by providing a layer of protection against viruses, rootkits, malware, and detection of unauthorized activities.

 

Why Use AIDE?

1. Detect Unauthorized Changes: AIDE can identify unauthorized changes to critical system files, helping you catch intrusion attempts promptly.
2. File Integrity Monitoring: It offers continuous file integrity monitoring, making it ideal for ensuring the stability and security of your server.
3. Customizable Rules: AIDE allows you to define specific rules for monitoring, tailoring its functionality to your unique server environment.
4. Alerts and Reports: It generates detailed reports and alerts when changes are detected, making it easier to respond to security incidents.

 

Install AIDE

AIDE is readily available in all the operating system software repositories.

 

# yum install aide

Initilize AIDE

Check if the AIDE database is created and initialized using:

 

# aide --check

 

You might end up with the below error, its because the AIDE database has not been created and initialized.

 

[root@delme ~]# aide --check

Couldn't open file /var/lib/aide/aide.db.gz for reading

 

Create and Initialize AIDE Database using:

 

# aide --init

 

Initializing the AIDE database will take some time as its building a database with entries of the files in the server for integrity checks.

 

As you can see from the logs, the new AIDE DB has been created at ‘/var/lib/aide/aide.db.new.gz’.

 

            [root@delme ~]# aide --init

Start timestamp: 2023-10-17 17:19:48 +0000 (AIDE 0.16)

AIDE initialized database at /var/lib/aide/aide.db.new.gz

 

 

Running the AIDE check now will again error out because the AIDE is still not in the location AIDE needs it to be.

 

[root@delme ~]# aide --check

Couldn't open file /var/lib/aide/aide.db.gz for reading

 

We need to rename the AIDE created in the initialization step as follows:

 

            # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

 

Running an AIDE check should complete successfully.

 

[root@delme ~]# aide --check

Start timestamp: 2023-10-18 09:34:17 +0000 (AIDE 0.16)

AIDE found differences between database and filesystem!!

 

Summary:

  Total number of entries:    152841

  Added entries:         0

  Removed entries:       0

  Changed entries:       2

 

---------------------------------------------------

Changed entries:

---------------------------------------------------

 

f   ...    .C... : /root/dead.letter

f           C    : /var/spool/anacron/cron.daily

 

---------------------------------------------------

Detailed information about changes:

---------------------------------------------------

 

File: /root/dead.letter

  SHA512   : jdMY+0A4RF8MDhMhdE1GvbQbxo695cYf | Q9XC53FBoeyLpzXe7bcUvEex0C/EwNZq

             KoS4la95t3np7LxoeMmH943uDFipAq8d | v1BNdB8ZlDwIgMTemCoUSeOWtz1CowZ3

             Q3VgvcerraMGjo6TVP1FHg==         | G/nTFnnCNr9ihxO/NGeTtg==

 

File: /var/spool/anacron/cron.daily

  SHA512   : MAp+To9ckjKmE7nZl5/J5M9EXxsgks8O | BsPYbhD/SXkrAdJ4Z4V6ng7BhrFJmqeZ

             wv/5ABt5bMMxWkrjOci3mQhRKfOoNV/h | IJ87kg0X3xVlJYrXV9MR7+0BJ90/0wg2

             eQBfHpitQxsAY2867cU2FQ==         | TI+f0QyA7lChmEYPer2QxQ==

 

---------------------------------------------------

The attributes of the (uncompressed) database(s):

---------------------------------------------------

/var/lib/aide/aide.db.gz

  MD5      : fkL+BqnpQdU/i6i3Y3kYqg==

  SHA1     : soqet8oNzHlY9RyDvmHxkqqHY50=

  RMD160   : yIFtCdBrYrt8XY0YipYaMMLP6N0=

  TIGER    : Cbz88BLcGNlurtyIUeizs8KOjof0vc97

  SHA256   : mZK5eTK5nHYDxp/Q7bpCjBtZXa8o8jTx

             INo+S3qXTVE=

  SHA512   : ASgbZO1egNtthUi4TkMqDuQFpKwUr7bh

             SHkdcSscF6rN2p0EKqdd27qmjDf3cr7X

             nCuHDXZrTfYwPSy46KGfdQ==

 

End timestamp: 2023-10-18 09:34:49 +0000 (run time: 0m 32s)

[root@delme ~]#

 

As you can see AIDE has detected 2 changes in the system since the DB is initialized/updated. Review those changes and make sure everything is fine.

 

Once verified, you should update the AIDE DB to include the known changes using the --update command option.

 

However, if there are changes in the filesystem, which is usually the case when you update the DB, AIDE will create a new DB as follows. You need to back up the old and rename the newly generated one to be the main db.

 

[root@delme ~]# aide --update

Start timestamp: 2023-10-18 09:44:02 +0000 (AIDE 0.16)

AIDE found differences between database and filesystem!!

New AIDE database written to /var/lib/aide/aide.db.new.gz

 

Summary:

  Total number of entries:    152841

  Added entries:         0

  Removed entries:       0

  Changed entries:       2

 

Rename the AIDE Db to include newly modified/added files:

 

# mv /var/lib/aide/aide.db.gz /var/lib/aide/aide.db.$(date +%d%m%y%H%M).gz

 

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

 

Running a check again should give you a clean summary provided there are no further changes in the system.

 

AIDE configuration

AIDE’s configuration file is /etc/aide.conf file. You can customize the rules for file monitoring based on your needs. For example, you can add or exclude specific directories or files from monitoring.

The AIDE confirmation file contains the directives that defines the database location, where the new database be created when running an update, default rules, files and directories to be included in the database for monitoring and so on.

 

The following are the default rules, that can be applied to the files and directories to be added to the DB.

#p:      permissions

#i:      inode:

#n:      number of links

#u:      user

#g:      group

#s:      size

#b:      block count

#m:      mtime

#a:      atime

#c:      ctime

#S:      check for growing size

#acl:           Access Control Lists

#selinux        SELinux security context

#xattrs:        Extended file attributes

#md5:    md5 checksum

#sha1:   sha1 checksum

#sha256:        sha256 checksum

#sha512:        sha512 checksum

#rmd160: rmd160 checksum

#tiger:  tiger checksum

 

#haval:  haval checksum (MHASH only)

#gost:   gost checksum (MHASH only)

#crc32:  crc32 checksum (MHASH only)

#whirlpool:     whirlpool checksum (MHASH only)

 

#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5

#L:             p+i+n+u+g+acl+selinux+xattrs

#E:             Empty group

#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

 

 

You can create custom rules of your choice using the above default rules.

There are few custom rules already in the configuration file as follows.

 

# NORMAL = R+sha512

NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512

 

# For directories, don't bother doing hashes

DIR = p+i+n+u+g+acl+selinux+xattrs

 

# Access control only

PERMS = p+u+g+acl+selinux+xattrs

 

# Logfile are special, in that they often change

LOG = p+u+g+n+S+acl+selinux+xattrs

 

# Content + file type.

CONTENT = sha512+ftype

 

# Extended content + file type + access.

CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs

 

# Some files get updated automatically, so the inode/ctime/mtime change

# but we want to know when the data inside them changes

DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha512

 

You may define rules to watch files and directories. The configuration file contains several default rules that does a job of monitoring files, but you are free to tweak.

 

An example rule set:

Check everything for all files under the /root directory with the exception of checking for permissions only for the hidden files under /root.

 

            /root/\..* PERMS

     /root   CONTENT_EX

 

Use the following to help you detect any changes in data inside all files/directory under /etc/.

        /etc/   DATAONLY 

 

You may specify to ignore files and directories using “!” as follows:

            # Files under there directores are too volatile, hence do not include in the AIDE database

!/usr/src

!/usr/tmp

 

Some thoughts on setting up the AIDE rules

There are currently thirteen attributes that AIDE can log including permissions, owner, group, size, all three timestamps (atime, ctime, and mtime), plus lower-level stuff like inode, block count and number of links .

You need to review the rules in the AIDE configuration file and set proper regular expression matching the files you need to monitor is key to effective use of AIDE. If you are monitoring too many file and directories you might end up with extremely long logs to go through. On the other hand a narrow set of rules could risk missing an important change on your system.

 

Run System Integrity Checks Frequently

AT the very minimum AIDE should be configured to run every week or ideally everyday. You could setup a cornjob as follows.

        0 0 * * * /usr/sbin/aide --check