List: sidewinder
Subject: Re: [Sidewinder] [Fwd: RE: ESXi in a DMZ - can't keep a
From: Sidewinder moderated discussion list <sidewinder () adeptech ! com>
Date: 2009-10-27 18:12:07
Message-ID: a9f4a3860910271112w572238c0ic00c2d16881b0eab () mail ! gmail ! com
That worked like a champ.
Now I'm off to see if I can figure out what's happening with
Wireshark. I might need some help with that as well, but I'll keep
y'all posted.
Kurt
On Tue, Oct 27, 2009 at 06:42, Sidewinder moderated discussion list
<sidewinder@adeptech.com> wrote:
> That shouldn't work, either - it is a Type Enforcement error; you need to chtype
> the files, not chown them, try:
> % chtype User:file kbuff*.pcap
>
> Then you should be able to scp them off.
>
> spike
>
> -----Original Message-----
> From: sidewinder-bounces@adeptech.com [mailto:sidewinder-bounces@adeptech.com] On
> Behalf Of Sidewinder moderated discussion list
> Sent: Tuesday, October 27, 2009 4:42 AM
> To: sidewinder@adeptech.com
> Subject: Re: [Sidewinder] [Fwd: RE: ESXi in a DMZ - can't keep a console going]
>
> I have had that exact problem before.
> Make a copy of the files you want and try to copy over the copy so to speak
>
> -----Original Message-----
> From: sidewinder-bounces@adeptech.com [mailto:sidewinder-bounces@adeptech.com] On
> Behalf Of Sidewinder moderated discussion list
> Sent: 26 October 2009 20:52
> To: sidewinder@adeptech.com
> Subject: Re: [Sidewinder] [Fwd: RE: ESXi in a DMZ - can't keep a console going]
>
> Done - sorta.
>
> I've got two nice matching pcap files, but I can't get them off the machine.
>
> I'm using WinSCP, and can't copy them to my workstation. I thought
> initially that it was permissions, so performed a 'chown kbuff *.pcap'
> which changed the ownership to kbuff:wheel - unfortunately, 'chown
> kbuff;kbuff *.pcap' gives a syntax error, because there's no kbuff
> group, so that didn't help. I also can't copy the files locally as
> myself, either. I've added my account to the wheel group, too - that
> didn't work either.
>
> I'm getting 'Error: Permission Denied' messages from WinSCP, and the
> following message in my inbox:
>
> Oct 26 13:49:00 2009 PDT f_kernel a_tepm t_attack p_major
> pid: 64675 ruid: 101 euid: 101 pgid: 64674 logid: 101 cmd: 'sftp-server'
> domain: User edomain: User hostname: swfw1.mycompany.com
> category: policy_violation event: ddt violation srcdmn: User
> filedom: tcpd filetyp: file
> reason: OP: OP_FS_PERM_CHECK perm wanted: 0x1<read> perm granted: 0x0
> information: open /home/kbuff/admin.pcap
>
> My n00bness is showing, and help is appreciated.
>
> Kurt
>
> On Mon, Oct 26, 2009 at 03:38, Sidewinder moderated discussion list
> <sidewinder@adeptech.com> wrote:
> > ---------------------------- Original Message ----------------------------
> > Subject: RE: [Sidewinder] ESXi in a DMZ - can't keep a console going Date:
> > Sun, October 25, 2009 7:57 pm
> > To: "sidewinder@adeptech.com" <sidewinder@adeptech.com>
> > --------------------------------------------------------------------------
> >
> > tcpdump is your friend
> >
> > you can determine if the firewall is dropping packets straight away simply
> > by monitoring inbound and outbound interfaces
> >
> > get 2 shells running:
> >
> > tcpdump -n -i <inbound interface> host <source IP address> and port
> > <destination port>
> >
> > the -n flag simply shows IP, not hosts
> >
> > repeat for outbound
> >
> > IMO the GUI is really cludgy for monitoring traffic.
> >
> > We send all our logs to a separate syslog server and just tail and grep.
> >
> > There used to be a KB article on how to set this up somewhere. From memory
> > it's just an edit to /etc/sidewinder/auditd.conf
> >
> > log(syslog local7 NULL sef)
> >
> > sef being the readable log format
> >
> > then your syslog.conf should be edited to look like this
> >
> > local7.* @<IP address of your syslog server>
> >
> > then cf server restart auditd
> >
> > and restart syslogd
> >
> > gurus correct me if I'm wrong somewhere, been a long time
> >
> >
> >
> > David Harris
> > Unisys, Level 5, 20 Lee Street
> > SYDNEY NSW 2000
> > PH: 61 2 9032 4855
> > MB: 0416 231 024
> >
> > -----Original Message-----
> > From: sidewinder-bounces@adeptech.com
> > [mailto:sidewinder-bounces@adeptech.com] On Behalf Of Sidewinder moderated
> > discussion list
> > Sent: Saturday, 24 October 2009 10:42 AM
> > To: sidewinder@adeptech.com
> > Subject: Re: [Sidewinder] ESXi in a DMZ - can't keep a console going
> >
> > On Tue, Oct 20, 2009 at 13:30, Sidewinder moderated discussion list
> > <sidewinder@adeptech.com> wrote:
> > > Hello:
> > > Check the resource utilization on the box. If the CPU is running too
> > > high, your firewall could be dropping connections.
> > > Ben
> >
> > Good thought. But, I don't think that's the issue.
> >
> > I just connected, and waited for the connection to drop while I monitored
> > top.
> >
> > The following is representative of what I saw:
> >
> > last pid: 61622; load averages: 0.04, 0.03, 0.01
> > up 59+10:20:24 16:41:36
> > 111 processes: 1 running, 110 sleeping
> > CPU states: 0.4% user, 0.0% nice, 1.1% system, 0.0% interrupt, 98.5% idle
> > Mem: 310M Active, 33M Inact, 123M Wired, 21M Cache, 60M Buf, 2764K Free
> > Swap: 5120M Total, 1325M Used, 3795M Free, 25% Inuse
> >
> >
> >
> > I'm beginning to wonder if a tcpdump trace might help with this - but I'm
> > certainly no expert with that.
> >
> > Kurt
> > _______________________________________________
> > Sidewinder mailing list
> > Sidewinder@adeptech.com
> > http://mail.adeptech.com/mailman/listinfo/sidewinder
> >
> _______________________________________________
> Sidewinder mailing list
> Sidewinder@adeptech.com
> http://mail.adeptech.com/mailman/listinfo/sidewinder
_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
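As an added example, not code from the thread or from the Sidewinder product, here is a small parser for the 'a_tepm' audit record Kurt quoted: it splits audit output into records, extracts the caller's domain, the file's current domain and the permission bits, and derives the chtype command spike gave. The field regexes are assumptions made from that single record, and SAMPLE is that record embedded so the module runs offline.

```python
# Added example, not from the thread: parse Sidewinder 'a_tepm' audit records like
# the one Kurt quoted and turn each TE denial into the chtype command spike gave.
import re

HEADER = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} \w+ f_\w+ (a_\w+) t_\w+ p_\w+$")
# Field extractors (assumed from the one record on the page); multi-word values
# are bounded by the field that follows them.
FIELDS = {"cmd": r"cmd: '([^']*)'", "event": r"event: (.+?) srcdmn:",
          "srcdmn": r"srcdmn: (\S+)", "filedom": r"filedom: (\S+)",
          "filetyp": r"filetyp: (\S+)", "path": r"information: \w+ (\S+)",
          "wanted": r"perm wanted: (0x[0-9a-f]+)", "granted": r"perm granted: (0x[0-9a-f]+)"}

def split_records(text):
    """Group audit output into records, each starting at a HEADER line."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line):
            records.append([line])
        elif records and line.strip():
            records[-1].append(line)
    return records

def parse_violation(lines):
    """Return a dict for a Type Enforcement denial record, None for anything else."""
    head = HEADER.match(lines[0])
    if not head or head.group(1) != "a_tepm":
        return None
    body = " ".join(l.strip() for l in lines[1:])
    f = {k: (m.group(1) if (m := re.search(rx, body)) else None) for k, rx in FIELDS.items()}
    if f["event"] != "ddt violation" or not (f["srcdmn"] and f["filedom"]):
        return None
    f["wanted"] = int(f["wanted"] or "0", 16)    # requested bits, 0x1 = read
    f["granted"] = int(f["granted"] or "0", 16)  # bits TE allowed, 0x0 = denied
    return f

def remedy(v):
    """spike's fix: retype the file into the caller's domain; chown leaves TE type alone."""
    return f"chtype {v['srcdmn']}:{v['filetyp'] or 'file'} {v['path']}"

def find_violations(text):
    return [v for r in split_records(text) if (v := parse_violation(r)) is not None]

SAMPLE = """Oct 26 13:49:00 2009 PDT f_kernel a_tepm t_attack p_major
pid: 64675 ruid: 101 euid: 101 pgid: 64674 logid: 101 cmd: 'sftp-server'
domain: User edomain: User hostname: swfw1.mycompany.com
category: policy_violation event: ddt violation srcdmn: User
filedom: tcpd filetyp: file
reason: OP: OP_FS_PERM_CHECK perm wanted: 0x1<read> perm granted: 0x0
information: open /home/kbuff/admin.pcap
"""
```

Calling find_violations(SAMPLE) and remedy() on the one result yields `chtype User:file /home/kbuff/admin.pcap`. If the sef records forwarded to syslog as David describes keep this layout, the same functions flag TE denials as they arrive.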