[Sidewinder] [Fwd: RE: ESXi in a DMZ - can't keep a console going]

Sidewinder moderated discussion list sidewinder at adeptech.com
Tue Oct 27 14:12:07 EDT 2009


That worked like a champ.

Now I'm off to see if I can figure out what's happening with
Wireshark. I might need some help with that as well, but I'll keep
y'all posted.

Kurt

On Tue, Oct 27, 2009 at 06:42, Sidewinder moderated discussion list
<sidewinder at adeptech.com> wrote:
> That shouldn't work, either - it is a Type Enforcement error; you need to chtype the files, not chown them, try:
>
> % chtype User:file kbuff*.pcap
>
> Then you should be able to scp them off.
>
> spike
>
> -----Original Message-----
> From: sidewinder-bounces at adeptech.com [mailto:sidewinder-bounces at adeptech.com] On Behalf Of Sidewinder moderated discussion list
> Sent: Tuesday, October 27, 2009 4:42 AM
> To: sidewinder at adeptech.com
> Subject: Re: [Sidewinder] [Fwd: RE: ESXi in a DMZ - can't keep a console going]
>
> I have had that exact problem before.
> Make a copy of the files you want and try to copy over the copy, so to speak.
>
> -----Original Message-----
> From: sidewinder-bounces at adeptech.com [mailto:sidewinder-bounces at adeptech.com] On Behalf Of Sidewinder moderated discussion list
> Sent: 26 October 2009 20:52
> To: sidewinder at adeptech.com
> Subject: Re: [Sidewinder] [Fwd: RE: ESXi in a DMZ - can't keep a console going]
>
> Done - sorta.
>
> I've got two nice matching pcap files, but I can't get them off the machine.
>
> I'm using WinSCP, and can't copy them to my workstation. I thought
> initially that it was permissions, so performed a 'chown kbuff *.pcap'
> which changed the ownership to kbuff:wheel - unfortunately, 'chown
> kbuff;kbuff *.pcap' gives a syntax error, because there's no kbuff
> group, so that didn't help. I also can't copy the files locally as
> myself, either. I've added my account to the wheel group, too - that
> didn't work either.
>
> I'm getting 'Error: Permission Denied' messages from WinSCP, and the
> following message in my inbox:
>
> Oct 26 13:49:00 2009 PDT  f_kernel a_tepm t_attack p_major
> pid: 64675 ruid: 101 euid: 101 pgid: 64674 logid: 101 cmd: 'sftp-server'
> domain: User edomain: User hostname: swfw1.mycompany.com
> category: policy_violation event: ddt violation srcdmn: User
> filedom: tcpd filetyp: file
> reason: OP: OP_FS_PERM_CHECK perm wanted: 0x1<read> perm granted: 0x0
> information: open /home/kbuff/admin.pcap
>
> My n00bness is showing, and help is appreciated.
>
> Kurt
>
> On Mon, Oct 26, 2009 at 03:38, Sidewinder moderated discussion list
> <sidewinder at adeptech.com> wrote:
>> ---------------------------- Original Message ----------------------------
>> Subject: RE: [Sidewinder] ESXi in a DMZ - can't keep a console going
>> Date:    Sun, October 25, 2009 7:57 pm
>> To:      "sidewinder at adeptech.com" <sidewinder at adeptech.com>
>> --------------------------------------------------------------------------
>>
>> tcpdump is your friend
>>
>> you can determine if the firewall is dropping packets straight away simply
>> by monitoring inbound and outbound interfaces
>>
>> get 2 shells running:
>>
>> tcpdump -n -i <inbound interface> host <source IP address> and port
>> <destination port>
>>
>> the -n flag simply shows IP, not hosts
>>
>> repeat for outbound
>>
>> IMO the GUI is really kludgy for monitoring traffic.
>>
>> We send all our logs to a separate syslog server and just tail and grep.
>>
>> There used to be a KB article on how to set this up somewhere. From memory
>> it's just an edit to /etc/sidewinder/auditd.conf
>>
>> log(syslog local7 NULL sef)
>>
>> sef being the readable log format
>>
>> then your syslog.conf should be edited to look like this
>>
>> local7.*                        @<IP address of your syslog server>
>>
>> then cf server restart auditd
>>
>> and restart syslogd
>>
>> gurus correct me if I'm wrong somewhere, been a long time
>>
>>
>>
>> David Harris
>> Unisys, Level 5, 20 Lee Street
>> SYDNEY NSW 2000
>> PH: 61 2 9032 4855
>> MB: 0416 231 024
>>
>> -----Original Message-----
>> From: sidewinder-bounces at adeptech.com
>> [mailto:sidewinder-bounces at adeptech.com] On Behalf Of Sidewinder moderated
>> discussion list
>> Sent: Saturday, 24 October 2009 10:42 AM
>> To: sidewinder at adeptech.com
>> Subject: Re: [Sidewinder] ESXi in a DMZ - can't keep a console going
>>
>> On Tue, Oct 20, 2009 at 13:30, Sidewinder moderated discussion list
>> <sidewinder at adeptech.com> wrote:
>>> Hello:
>>> Check the resource utilization on the box.  If the CPU is running too
>>> high, your firewall could be dropping connections.
>>> Ben
>>
>> Good thought. But, I don't think that's the issue.
>>
>> I just connected, and waited for the connection to drop while I monitored
>> top.
>>
>> The following is representative of what I saw:
>>
>> last pid: 61622;  load averages:  0.04,  0.03,  0.01
>>    up 59+10:20:24  16:41:36
>> 111 processes: 1 running, 110 sleeping
>> CPU states:  0.4% user,  0.0% nice,  1.1% system,  0.0% interrupt, 98.5% idle
>> Mem: 310M Active, 33M Inact, 123M Wired, 21M Cache, 60M Buf, 2764K Free
>> Swap: 5120M Total, 1325M Used, 3795M Free, 25% Inuse
>>
>>
>>
>> I'm beginning to wonder if a tcpdump trace might help with this - but I'm
>> certainly no expert with that.
>>
>> Kurt
>> _______________________________________________
>> Sidewinder mailing list
>> Sidewinder at adeptech.com
>> http://mail.adeptech.com/mailman/listinfo/sidewinder
>>
>>
>
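As an added example (not code from the thread or from the Sidewinder product), a parser for the sef-style audit record Kurt quoted above, plus a check that pulls out Type Enforcement denials so a log watcher can report which domain was refused which file. The sample records are constructed in that format; the second record's tags and values are made up to show a non-violation being skipped.

```python
import re

# Constructed samples, modelled on the Sidewinder "sef" audit record quoted in
# the thread (the mail client wrapped that record; here each is one line).
SAMPLE_AUDIT = [
    "Oct 26 13:49:00 2009 PDT  f_kernel a_tepm t_attack p_major "
    "pid: 64675 ruid: 101 euid: 101 pgid: 64674 logid: 101 cmd: 'sftp-server' "
    "domain: User edomain: User hostname: swfw1.mycompany.com "
    "category: policy_violation event: ddt violation srcdmn: User "
    "filedom: tcpd filetyp: file "
    "reason: OP: OP_FS_PERM_CHECK perm wanted: 0x1<read> perm granted: 0x0 "
    "information: open /home/kbuff/admin.pcap",
    # Made-up benign record of another category, to show it is ignored.
    "Oct 26 13:50:12 2009 PDT  f_kernel a_server t_info p_minor "
    "pid: 64700 ruid: 0 euid: 0 pgid: 64700 logid: 0 cmd: 'cf' "
    "domain: Admn edomain: Admn hostname: swfw1.mycompany.com "
    "category: status event: auditd restart srcdmn: Admn "
    "information: cf server restart auditd",
]

# Field names seen in the record; a value runs up to the next known key.
KEYS = ("pid", "ruid", "euid", "pgid", "logid", "cmd", "domain", "edomain",
        "hostname", "category", "event", "srcdmn", "filedom", "filetyp",
        "reason", "information")
KEY_RE = re.compile(r"\b(%s): " % "|".join(KEYS))
PERM_RE = re.compile(r"perm wanted: (0x[0-9a-f]+)(?:<[^>]*>)? perm granted: (0x[0-9a-f]+)")


def parse_audit_record(line):
    """Split one sef record into a dict of fields plus its f_/a_/t_/p_ tags."""
    matches = list(KEY_RE.finditer(line))
    rec = {"tags": [t for t in line[:matches[0].start()].split() if t[1:2] == "_"]}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        rec[m.group(1)] = line[m.end():end].strip()
    return rec


def te_violations(lines):
    """Return Type Enforcement denials: which domain was refused what, on which path."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("category") != "policy_violation" or rec.get("event") != "ddt violation":
            continue
        perm = PERM_RE.search(rec.get("reason", ""))
        op, _, path = rec.get("information", "").partition(" ")
        hits.append({"cmd": rec.get("cmd", "").strip("'"),
                     "srcdmn": rec.get("srcdmn"),    # domain making the request
                     "filedom": rec.get("filedom"),  # domain the file is typed into
                     "op": op, "path": path,
                     "wanted": int(perm.group(1), 16) if perm else None,
                     "granted": int(perm.group(2), 16) if perm else None})
    return hits
```

A hit with srcdmn User and filedom tcpd is exactly the mismatch spike's chtype advice resolves: the file's type, not its Unix owner, decides access.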