Command Line Interface How To. Version 8.0.0

Transcription

1 Command Line Interface How To Version 8.0.0

2 Table of Contents 1. Introduction About this Document... Examples used in this Guide... Documentation Sources... About the AXS GUARD What is it? Spare Units Licensed Units Configuration Wizards About VASCO Local Access to the Console Overview... Connecting a Keyboard and Screen... Enabling a User to access the Console... Connecting to the Console Tool Remote Access to the Console Overview Downloading and Installing the Required Software The Windows PuTTY Client The Linux SSH Client The Windows PuTTY Key Generator The SSH Key Generator Generating Key Pairs What is a Key Pair? What is a Key Fingerprint? Generating a Key Pair with PuTTYgen Generating a Key Pair with ssh-keygen Enabling Console Tool Access for a User Connecting to the Console Tool Using PuTTY in Windows Using the ssh command Menus of the Console Tool Overview... Navigating through the Menus... State & Information... Network Interfaces... The System Menu... Restoring Factory Default Settings... The Utilities Menu Console Commands Overview Getting help with man Tab completion ii

3 5.4. The w command The uptime command The ip Command The ifconfig Command The ping command Packet Tracing with traceroute Packet Tracing with tracepath Monitoring Bandwidth Usage with iftop Monitoring Bandwidth and Connections with iptraf Using grep to search through Files Viewing Log Entries with tail Analyzing Network Traffic with tcpdump Matching Network Traffic with tcpdump Examples of Traffic Matching Telnet Netcat Dig Nslookup Mtr iperf Copying Files to your Computer Overview Downloading and Installing the required Software WinSCP for Windows scp in Linux Software Configuration and Use Overview Configuring WinSCP Using WinSCP Using scp Analyzing Network Traffic with Wireshark Overview Downloading and Installing Opening Captured Traffic Files with Wireshark Troubleshooting Support Overview If you encounter a problem Return procedure if you have a hardware failure... Alphabetical Index iii

4 VASCO Products VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as VASCO. VASCO Products comprise Hardware, Software, Services and Documentation. This document addresses potential and existing VASCO customers and has been provided to you and your organization for the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to use VASCO Software or a contractual agreement to use VASCO Products. Disclaimer of Warranties and Limitations of Liabilities VASCO Products are provided as is without warranty or conditions of any kind, whether implied, statutory, or related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, merchantability, title, non-infringement or fitness for a particular purpose. VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS. Intellectual Property and Copyright VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights. No part of these Products may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing. This document is protected under US and international copyright law as an unpublished work of authorship. No part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized licensee. VASCO Trademarks VASCO, VACMAN, IDENTIKEY, axsguard, AXS GUARD, DIGIPASS, DIGIPASS as a Service, MYDIGIPASS.COM and the logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Other company brand or product names or other designations, denominations, labels and/or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications (irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the trademarks or registered trademarks or be part of any other entitlement of their respective owners. Other Trademarks Citrix and XenServer are trademarks or registered trademarks of Citrix Systems, Inc. VMware and vsphere are registered trademarks or trademarks of VMware, Inc. Hyper-V is a registered trademark of Microsoft Corporation. Copyright 2014 VASCO Data Security, VASCO Data Security International GmbH. All rights reserved. iv

5 Chapter 1. Introduction 1.1. About this Document This document has been written for AXS GUARD version and is based on changes and features that have been implemented since version This document was last updated on 22 Sep The AXS GUARD Command Line Interface How To serves as a reference source for technical personnel or system administrators. It explains the use of the AXS GUARD console tool, which is used for advanced troubleshooting. In Chapter 1, Introduction, we introduce the AXS GUARD and explain the difference between licensed and spare units. In Chapter 2, Local Access to the Console, we introduce the AXS GUARD console tool and explain how to access the console tool locally, i.e. by connecting a keyboard and monitor to the AXS GUARD. In Chapter 3, Remote Access to the Console, we explain how to access the console tool remotely with Windows PuTTY and the Secure Shell (SSH). In Chapter 4, Menus of the Console Tool, we explain how to navigate through the console tool menus, describing each menu in detail and how to restore the factory default settings. In Chapter 5, Console Commands, we take a closer look at important console commands. Each command is explained and one or more examples are provided. We also explain how to capture network traffic to files. These files can be copied to the location of your choice for further analysis with a network traffic analyzer, such as Wireshark. In Chapter 6, Copying Files to your Computer, we explain how to copy files, such as log files and network traffic files from the AXS GUARD to a local machine, using WinSCP in Windows and the scp command in Linux. In Chapter 7, Analyzing Network Traffic with Wireshark, we explain how to download and install wireshark, a network traffic analyzer which can be used to examine files generated with the tcpdump command in the console tool. In Chapter 8, Troubleshooting, we provide some solutions to solve difficulties. In Chapter 9, Support, we explain how to request support, and return hardware for replacement Examples used in this Guide All setups and configuration examples in this guide are executed as an advanced administrator. Some options are not available if you log on as a full administrator or a user with lower privileges. The administrator levels are explained in the system administration guide. As software development and documentation are ongoing processes, screenshots shown in this guide may slightly vary from the screens of the software version installed on your appliance Documentation Sources Other documents in the set of AXS GUARD documentation include: AXS GUARD Installation Guide, which explains how to set up the AXS GUARD, and is intended for technical personnel or system administrators. 1

6 Chapter 1. Introduction How to guides, which provide detailed information on the configuration of each of the features available as add-on modules (explained in Section 1.4.1, What is it? ). These guides cover specific features such as: AXS GUARD Authentication AXS GUARD Firewall AXS GUARD Single Sign-On AXS GUARD VPN AXS GUARD Reverse Proxy AXS GUARD Directory Services Access to AXS GUARD guides is provided through the permanently on-screen Documentation button in the AXS GUARD Administrator Tool. Further resources available include: Context-sensitive help, which is accessible in the AXS GUARD Administrator Tool through the Help button. This button is permanently available and displays information related to the current screen. Training courses covering features in detail can be organized on demand. These courses address all levels of expertise. Please see for further information About the AXS GUARD What is it? The AXS GUARD is an authentication appliance, intended for small and medium sized enterprises. In addition to strong authentication, the AXS GUARD has the potential to manage all of your Internet security needs. Its modular design means that optional features can be purchased at any time to support, for example, and Web access control. The AXS GUARD can easily be integrated into existing IT infrastructures as a standalone authentication appliance or as a gateway providing both authentication services and Internet Security. Authentication and other features such as firewall, and Web access, are managed by security policies, which implement a combination of rules, for example, whether a user must use a DIGIPASS One-Time Password in combination with a static password for authentication. Security Policies are applied to specific users or groups of users and can also be applied to specific computers and the entire system Spare Units A Spare Unit is an unlicensed appliance, with limited configuration possibilities and allows you to swiftly replace a defective appliance. It can also be licensed as a new appliance. In fact, all appliances can be considered spare units until they are licensed. Restoring to a Spare Unit is restricted to: the same hardware version (e.g. AG-3XXX, AG-5XXX or AG7XXX) as the unit being replaced. the same software version as the appliance being replaced (or a higher version on which data migration is supported; please contact VASCO support (support@vasco.com) for guidance. Once a backup is restored on a Spare Unit, full functionality is available. The configuration tool of the appliance can then be accessed by any user with administrative privileges (see the AXS GUARD System Administration How To.) The license from the backup is also restored on the Spare Unit. However, an appliance with a restored license only remains operational for a grace period of 30 days, during which the System Administrator needs to acquire a new license. If a new license has not been issued after this grace period, all services on the appliance will be stopped. Only the Administrator Tool will remain accessible. Contact VASCO support (support@vasco.com) to release the restored license of the original appliance. To relicense the appliance, follow the same procedure as used during first-time licensing. 2

7 Chapter 1. Introduction Licensed Units With a licensed appliance, a user with full administrative privileges has access to all the configuration options on the AXS GUARD. Use the sysadmin account to create a user with administrative privileges. Since the sysadmin user can create new administrators, you should change the default password of this account when you log in to the appliance for the first time. Licensing and accessing a fully operational in-service appliance requires the following steps: 1. Logging on to the AXS GUARD as the default sysadmin user and changing the sysadmin password 2. Creating a new user with full administration rights, which is required to configure the AXS GUARD 3. Licensing the appliance Configuration Wizards Use the configuration wizards to configure your system essentials more easily About VASCO VASCO is a world leader in strong authentication and e-signature solutions, specializing in online accounts, identities and transactions. As a global software company, VASCO serves a customer base of approximately 10,000 companies in over 100 countries, including approximately 1,500 international financial institutions. In addition to the financial sector, VASCO s technologies secure sensitive information and transactions for the enterprise security, e-commerce and e-government industries. For further information, please visit 3

8 Chapter 2. Local Access to the Console 2.1. Overview The console tool is a text-based command line interface (CLI) to edit and display critical AXS GUARD settings and variables via menus. It also allows you to execute commands for advanced troubleshooting, such as network traffic analysis. In this chapter, we explain how to access the AXS GUARD console. There are two methods to access the AXS GUARD console: Local Access: by connecting a keyboard and monititor to the AXS GUARD. Access to the console tool must be granted first via the AXS GUARD Administrator Tool. Remote Access: by granting remote console tool access to a user via the AXS GUARD Administrator Tool. The user connects to the console from a remote PC. This is explained in Chapter 3, Remote Access to the Console Connecting a Keyboard and Screen You can access the console tool locally by connecting a keyboard and monitor to the connectors on the back of the AXS GUARD appliance (shown below). Before you can access the console tool, you must enable console tool access for the accessing user, as explained in Section 2.3, Enabling a User to access the Console or use the sysadmin account, as explained in the AXS GUARD Getting Started and System Administration guides. These guides can be accessed by clicking on the permanently available Documentation button in the Administrator Tool. Figure 2.1. Connectors for Display and Keyboard USB keyboards are not supported until further notice. QWERTY (US) is the default keyboard layout Enabling a User to access the Console This procedure does not apply to the sysadmin account. The console tool is only accessible to Basic Administrators or above and the sysadmin user. 4

9 Chapter 2. Local Access to the Console Detailed information about the sysadmin account is available in the AXS GUARD Getting Started and System Administration guides, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool. To enable access to the AXS GUARD console for an administrator: 1. Log on to the AXS GUARD with an advanced administrator account, as explained in the AXS GUARD System Administration How To. 2. Navigate to Users & Groups Users. 3. Click on the user name of the administrator who needs access to the AXS GUARD console. 4. Click on the AXS GUARD Administration Tab (illustrated below). 5. Check the Console Tool Access option (illustrated below). No key is required for direct access. 6. Click on Update when finished. Figure 2.2. Enabling Console Tool Access 2.4. Connecting to the Console Tool Once the boot process is complete, press Alt + F2 to log on to the AXS GUARD console. The following screen will appear: Figure 2.3. Console Login Screen You can either log on with the sysadmin account or with an administrator account that has been granted console tool access (see Section 2.3, Enabling a User to access the Console ). 5

10 Chapter 2. Local Access to the Console Detailed information about the sysadmin account is available in the AXS GUARD Getting Started and System Administration guides, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool. The console tool menus are explained in Chapter 4, Menus of the Console Tool. 6

11 Chapter 3. Remote Access to the Console 3.1. Overview In this section, we explain the prerequisites to successfully log on to the AXS GUARD console from a PC in your network. Topics covered in this section include: The downloading and installation of required clients and key generators. How to generate key pairs. The required AXS GUARD configuration settings. How to connect to the AXS GUARD console tool from a remote machine Downloading and Installing the Required Software In this section, we explain how to download and install the necessary client software and key generators, required to connect to the AXS GUARD console tool The Windows PuTTY Client PuTTY is an SSH (Secure Shell) and Telnet client, developed for Windows platforms. PuTTY is open source software and is freely available on the Internet. PuTTY can be downloaded free of charge from the following site: PuTTY does not need to be installed like any other classic Windows program (through running a setup.exe or an install.exe). Just download the executable and save it to the desired location. Double-click the PuTTY application icon to start. When PuTTY is started, a screen similar to the image below appears. 7

12 Chapter 3. Remote Access to the Console Figure 3.1. Windows PuTTY Client The Linux SSH Client SSH stands for Secure Shell. SSH is a free program allowing users to securely log on to another computer on the Internet or in a LAN. SSH is an encrypted shell connection, which is entirely command line based and which uses the Public Key Infrastructure (PKI). PKI is the general term used to describe the technical equipment and the processes used by asymmetric encryption. On most Linux distributions, the SSH client is installed by default. Please refer to the documentation of your Linux distribution for downloading and installing instructions, if needed. SSH is entirely command line-based. Detailed information is available in the SSH man pages. Just type man ssh in a Linux console for help. The syntax used to access the AXS GUARD console tool is: ssh user_name@axsguard_lan_ip Examples are provided further in this guide The Windows PuTTY Key Generator PuTTYgen is a freely available RSA and DSA key pair generator, manager and converter for use with the Windows PuTTY client (see Section 3.2.1, The Windows PuTTY Client ). PuTTYgen is required to generate the necessary key pairs to access the AXS GUARD console tool. PuTTYgen can be downloaded from the following site: PuTTYgen does not need to be installed like any other classic Windows program (by running a setup.exe or install.exe). Just download the executable and save it to the desired location. Double-click the PuTTYgen application icon to start. When PuTTYgen is started, a screen similar to the image below appears. 8

13 Chapter 3. Remote Access to the Console Figure 3.2. Windows PuTTYgen Application The SSH Key Generator ssh-keygen is a Linux command to generate, manage and convert RSA and DSA authentication keys. It supports the creation of keys for the SSH protocol versions 1 and 2. On many Linux distributions, the SSH key generator (ssh-keygen) is installed by default. Please refer to the documentation of your Linux distribution for downloading and installing instructions, if necessary. For detailed information about the ssh-keygen command, consult the appropriate man pages by typing man ssh-keygen in a Linux console. The basic syntax used to generate a key pair for the AXS GUARD console is: ssh-keygen 3.3. Generating Key Pairs What is a Key Pair? A Key Pair is a pair of digital keys: a public key, which needs to be copied to the AXS GUARD, and a unique private key, which needs to be securely stored on the client workstation or another portable medium, such as a USB drive. The private key must be secured and not be accessible to anyone but the intended user. A Public Key can easily be identified by its Key Fingerprint, as explained in Section 3.3.2, What is a Key Fingerprint?. Both keys are required to encrypt the connection between the client and the AXS GUARD. Both keys have the following properties: One key is used to encrypt a message, the other key is used to decrypt the message. Even if the Public Key is known, it is virtually impossible to discover or deduct the corresponding Private Key, unless somebody has physical access to it. This is why it is critical to protect your Private Key with a password and to securely store it, e.g. on a USB drive. 9

14 Chapter 3. Remote Access to the Console What is a Key Fingerprint? A Key Fingerprint is a string of numbers and characters or even ASCII art that uniquely identifies a public key. The fingerprint allows connecting users to identify the Public Key of a server. Public keys can be extremely lenghty and cumbersome to read. The Key Fingerprint is displayed during the initial connection to a server. The connecting user must then verify and accept (or deny) the key on the client side. The verification is an extra step to increase security and to prevent man-in-the-middle attacks. Figure 3.3. Example of a Key Fingerprint Generating a Key Pair with PuTTYgen It is highly recommended to protect your Private Key with a Password. The private key must not be accessible to anyone but the intended user. PuTTYgen automatically adds extra information to the Public Key when it is saved to a file. This extra information cannot be entered on the AXS GUARD, otherwise the SSH connection will fail. Always use copy/paste to add the Public Key on the AXS GUARD. To generate a Key Pair with the PuTTYgen program for Windows: 1. Double Click on the puttygen icon on your desktop. 2. Enter the number of desired bits (size) for the key you are about to generate. The default size is 1024 bits. The higher this number, the stronger the key. 3. Select the type of key to generate, e.g. SSH 2 RSA. This is the PuTTYgen default. 4. Click on the Generate button. 5. Move your mouse to generate random bits. When finished, the Public Key and the Key Fingerprint are displayed. 6. Enter a key passphrase to protect your Private Key and confirm the passphrase. 7. The generated Public Key has to be entered on the AXS GUARD (see Section 3.4, Enabling Console Tool Access for a User ). Use copy / paste to do this. Do not copy the contents of a saved Public Key file, as extra information is added to the Public Key by the PuTTYgen program. 8. Save the Private Key to a folder of your choice, preferably a private (encrypted) folder which nobody else can access. 10

15 Chapter 3. Remote Access to the Console Figure 3.4. Generating a Public Key with PuTTYgen Generating a Key Pair with ssh-keygen It is highly recommended to protect your Private Key with a Password. The private key must not be accessible to anyone but the intended user. To generate a Key Pair with the ssh-keygen command: 1. Start a Linux console. 2. Type ssh-keygen without any arguments and press enter. 3. Enter the location (directory and filename) in which the private key should be saved, e.g. /home/ yourhomedir/.ssh/axsguard. 4. Enter a password for the Private Key and confirm it. When finished, the Key file names, locations and the Public Key Fingerprint is displayed. The contents of the pub file must be entered on the AXS GUARD (see Section 3.4, Enabling Console Tool Access for a User ). The pub file contains the Public Key. [ram@ram ~]$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/ram/.ssh/id_rsa): /home/ram/.ssh/ axsguard Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/ram/.ssh/axsguard. Your public key has been saved in /home/ram/.ssh/axsguard.pub. The key fingerprint is: 20:cb:b6:a6:c5:81:73:ac:6f:b9:f2:f8:d8:9b:d2:01 ram@ram The key's randomart image is: +--[ RSA 2048]

16 Chapter 3. Remote Access to the Console.. E+ o. o.b S *.o..=o oo+. +*Oo If invoked without any arguments, ssh-keygen generates an RSA key for use with SSH protocol 2 connections. Please refer to the ssh-keygen man page for specific options and supported key types Enabling Console Tool Access for a User The console tool is only accessible to Basic Administrators or above and the sysadmin user. To enable access to the AXS GUARD console for an administrator: 1. Log on to the AXS GUARD with an advanced administrator account, as explained in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool. 2. Navigate to Users & Groups Users. 3. Click on the user name of the administrator who needs access to the AXS GUARD console. 4. Click on the AXS GUARD Administration Tab. 5. Check the Console Tool Access option. 6. Enter the generated Public DSA/RSA key (generated with PuTTYgen or ssh-keygen), using copy/paste. 7. Click on Update when finished. Figure 3.5. Enabling Console Tool Access for a User 12

17 Chapter 3. Remote Access to the Console The console tool can now be accessed by the selected administrator. The procedure to access the console tool is explained in Section 3.5, Connecting to the Console Tool. Invalid Keys are not accepted and generate an error message Connecting to the Console Tool Using PuTTY in Windows To access the AXS GUARD console with Windows PuTTY: 1. Double click on the PuTTY executable icon on your desktop (or in the folder where the PuTTY client is located). 2. Navigate to Connection Data and enter the AXS GUARD user name in the Auto-login username field. This is the user for whom console tool access has been enabled (see Section 3.4, Enabling Console Tool Access for a User ). Use the correct cases, as user names are case sensitive. 3. Navigate to Connection SSH Auth and add the correct Private Key for the user with the Browse button. Figure 3.6. Importing the Private Key in PuTTY 4. Navigate to Session and enter the LAN IP address of the AXS GUARD, e.g Press enter when finished. 13

18 Chapter 3. Remote Access to the Console Figure 3.7. Connecting with PuTTY A PuTTY session can be saved, so that the entered connection information can be reused. After entering the information, navigate to Session, enter a name in the Saved Sessions field and click on Save. If your Private Key is password protected (recommended), you must enter that password before connecting to the AXS GUARD console tool Using the ssh command To access the AXS GUARD console with ssh: 1. Start a console in your Linux Window Manager, e.g. xterm. 2. Specify the Private Key with the -i parameter, e.g.: ssh -i /home/yourhomedir/.ssh/axsguard admin@ If your Private Key is password protected (recommended), you must enter that password before the connection can be established. Replace yourhomedir with the appropriate path. Replace admin with the appropriate user. 14

19 Chapter 3. Remote Access to the Console Figure 3.8. AXS GUARD Console Tool 15

20 Chapter 4. Menus of the Console Tool 4.1. Overview In this section, we explain the console tool (sub)menus. Topics covered in this section include: Navigating through the console tool menus The State & Information menu The Interfaces menu The System menu Restoring factory default settings The Utilities menu 4.2. Navigating through the Menus You can navigate through the (sub)menus with the up and down arrow keys. Press enter to select a particular (sub)menu. Use the tab key to switch between OK and back State & Information The State and Information menu provides access to several submenus, which display AXS GUARD system information such as: the current system time the system s uptime the AXS GUARD serial number the routing table information about the hardware Menu Item Description Date and Time This submenu displays the current system date in the MM/DD/YY format. The current system time is displayed in the HH:MM:SS format. Serial Number Displays the serial number of your AXS GUARD. It corresponds to the information which can be found in the Administrator Tool, by navigating to System # Status # System Info. Routing Table Displays the Routing Table of the AXS GUARD. It corresponds to the information which can be found in the Administrator Tool, by navigating to Network # Status # Route Table. PCI Devices Displays information about the hardware of your AXS GUARD, such as the brand and type of the USB controllers and installed network interfaces. Table 4.1. State & Information: Overview of Menu Items 16

21 Chapter 4. Menus of the Console Tool Figure 4.1. Example of the System Load and Uptime Load Description Load < 1 There are no processes waiting to use the AXS GUARD CPU(s). The number of processes to be handled is inferior to the CPU capabilities. Load = 1 The AXS GUARD CPU(s) do(es) not have any waiting processes. The processes are handled as soon as they are invoked. The system operation is optimal. Load > 1 The number of processes to be handled are temporarily exceeding the capabilities of the AXS GUARD CPU(s). The processes are placed in a queue. Table 4.2. Interpretation of System Load Values 4.4. Network Interfaces The Interfaces menu allows you to view and modify the following AXS GUARD network settings: IP addresses of the AXS GUARD Ethernet (physical) interfaces. IP addresses of virtual interfaces (VLANs), if any. Network interface drivers. Physical interfaces are labeled as eth0, eth1, eth2, etc., whereas Virtual interfaces (VLANs) are labeled as eth0.12, eth0.13, etc. Select the desired interface and press enter. The information in this menu corresponds to the information which can be found in the Administrator Tool via the IP Settings Tab of a network device under Network Devices Eth. Figure 4.2. Network Interface Settings Submenu Information Description The device name of the interface which is currently selected, e.g. eth0. 17

22 Chapter 4. Menus of the Console Tool Submenu Description Change IP Select this submenu to change the IP address and subnet mask of the selected network interface. Use the CIDR notation, e.g /24. A system reboot is required to activate the new settings. Switch to other Device Select this submenu to change the driver of the selected network interface. A system reboot is required. Table 4.3. Network Settings Submenus Do not modify the driver settings, unless when specifically advised by VASCO. Some of the device drivers (ADSL) are reserved for systems which are only sold in the BENELUX The System Menu The System menu allows you to: Reboot the AXS GUARD, e.g. in case you cannot access the Administrator Tool. Shut down the AXS GUARD. Restore the AXS GUARD to its factory default settings (explained in Section 4.6, Restoring Factory Default Settings ) Restoring Factory Default Settings You can reset the AXS GUARD to its factory default settings via the System menu. Back up all your configuration and user data before restoring the AXS GUARD to its factory default settings. Details about backing up your AXS GUARD configuration and user data is available in the AXS GUARD System Administration How To, which can be accessed by clicking on the permanently available Documentation button in the Administration Tool. Figure 4.3. Restoring Factory Default Settings 18

23 Chapter 4. Menus of the Console Tool Resetting the AXS GUARD to its factory default settings will: Reset the IP addresses of all AXS GUARD network interfaces to their factory default settings. (For more information, see the AXS GUARD Getting Started guide and the System Administration How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool). Clear the customer information. Delete all users, groups, computers and system settings. Delete all user data, such as s. Delete all custom firewall, web access, mail rules and policies. Remove all VPN configurations, users and tunnel definitions. Remove all authentication rules and policies. Remove all anti-virus and anti-spyware updates. Remove the latest IPS rulesets. Remove all DNS entries in the DNS repository. Remove all bandwidth management schemes. Reset the sysadmin password to its default setting. The provided list is non-exhaustive The Utilities Menu Select this menu to access to the AXS GUARD shell (command line interface). The shell allows you to execute commands for advanced troubleshooting and analysis. The most important commands are explained in Chapter 5, Console Commands. Figure 4.4. AXS GUARD Shell 19

24 Chapter 5. Console Commands 5.1. Overview In this section, we provide some examples of important console commands, e.g. Getting help with man. Tab completion Getting configuration information of network devices. Extract specific system information from system logs, such as the firewall logs. Analyze network traffic Getting help with man man formats and displays the online manual pages. If you specify a section, man only looks in that section of the manual. name is the name of the manual page, which is usually the name of a command, function, or file. You can also find a lot of information online, e.g. Examples man ifconfig Provides detailed information about the ifconfig command. man man Provides detailed information about the man command itself Tab completion Tab completion or command-line completion is a common feature of command line interpreters, in which the program automatically fills in partially typed commands. Pressing the tab key at the prompt shows all available commands The w command w displays information about the users that are currently logged on to the appliance and their processes. The header shows the current time, how long the system has been running, how many users are currently logged on and the system load averages for the past 1, 5, and 15 minutes The uptime command uptime tells you how long the appliance has been running. 13:14:32 up 2:07, 0 users, load average: 0.73, 1.12,

25 Chapter 5. Console Commands 5.6. The ip Command The ip command must not be used to change any IP settings. Use the Administrator Tool or the Interfaces menu (see Section 4.4, Network Interfaces ) instead. ip addr list Displays the information of all available AXS GUARD network interfaces. ip addr list eth0 Displays the information of a specific AXS GUARD network interface, e.g. eth0 link/ether : The MAC address of the specified network interface, e.g. 00:0C:29:38:24:16. inet : The IP address and subnet mask (CIDR notation) of the specified network interface, e.g /24. brd : The Broadcast IP address of the subnet to which the interface is connected, e.g The ifconfig Command The ifconfig command must not be used to change any IP settings. Use the Administrator Tool or the Interfaces menu (see Section 4.4, Network Interfaces ) instead. Aliases are not shown with ifconfig. Use the ip command to display alias information. ifconfig If no arguments are provided, ifconfig displays the status of all active network interfaces, physical and virtual (VLANs). ifconfig eth0 Displays the information of the eth0 device. If eth1 is provided as an argument, only the information for the eth1 device is displayed, etc. Hwaddr: The MAC address of the specified network interface, e.g. 00:0C:29:38:24:16 inet addr: The IP address of the specified network interface, e.g Bcast: The Broadcast IP address of the subnet to which the interface is attached, e.g Mask: The Subnet Mask or network segment in which the interface operates, e.g [zed@isdead ~]$ ifconfig eth0 Link encap:ethernet HWaddr 00:08:54:56:2E:BB inet addr: Bcast: Mask: inet6 addr: fe80::208:54ff:fe56:2ebb/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets: errors:0 dropped:172 overruns:0 frame:0 TX packets: errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes: ( Mb) TX bytes: (109.3 Mb) Interrupt:16 Base address:0xcc00 21

26 lo Chapter 5. Console Commands Link encap:local Loopback inet addr: Mask: inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:144 errors:0 dropped:0 overruns:0 frame:0 TX packets:144 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:8640 (8.4 Kb) TX bytes:8640 (8.4 Kb) 5.8. The ping command ping -b pings a broadcast address to check which hosts are alive (up), e.g. ping -b ping -c pings the number of times specified, e.g. ping -c ping -I pings from a specific network device, e.g. ping -I Packet Tracing with traceroute traceroute -i Specifies the interface through which traceroute should send packets, e.g. traceroute -i eth1 traceroute -m Specifies the maximum number of hops (max time-to-live value) traceroute will probe, e.g. traceroute m 15 The default is Packet Tracing with tracepath tracepath -n Only shows the IP addresses, e.g. tracepath -n tracepath -b Shows the hostnames and corresponding IP addresses, e.g. tracepath -b Monitoring Bandwidth Usage with iftop iftop -i Specifies the interface for which network traffic information is to be displayed, e.g. iftop -i eth0 22

27 Chapter 5. Console Commands iftop -F Displays the network traffic from and to the specified IP address, e.g. iftop i eth0 -F iftop -n Do not perform host name lookups, e.g. iftop -i eth0 -n -F iftop -B Displays bandwidth rates in bytes per second rather than bits per second, e.g. iftop -i eth0 -n -B -F iftop -P Displays the ports (IP / Port pairs), e.g. iftop -i eth0 -n -B -P -F Monitoring Bandwidth and Connections with iptraf iptraf -i interface Start the IP traffic monitor on the specified interface, or all interfaces if "-i all" is specified, e.g. iptraf i eth0 iptraf -g Provides general interface statistics of all interfaces iptraf -d interface Provides detailed interface statistics on the specified interface, e.g. iptraf -d eth Using grep to search through Files grep -i Toggles case insensitive pattern search, e.g. grep -i 'drop' grep -r Toggles recursion. Search all files recursively within a specified directory, e.g. grep -ir 'drop' /log/fw grep -v Excludes the specified string from the search, e.g. grep -iv 'drop' /log/fw/ Example 5.1. Searching for dropped network traffic at a specific time This example demonstrates how to search for network traffic which was: dropped by the Firewall 23

28 Chapter 5. Console Commands logged on June 11th 2009 between 10:15 AM and 10:20 AM (10:20 AM is not included in the result) grep -i 'drop' /log/fw/ grep '10:1' Example 5.2. Searching for access to a specific website This example demonstrates how to search for network traffic in the proxy logs that is related to the access of a specific website ( grep -ir ' /log/proxy Example 5.3. Searching for dropped network traffic at a specific time excluding a specific source This example demonstrates how to search for network traffic which was: dropped by the Firewall logged on June 11th 2009 between 10:15 AM and 10:20 AM (10:20 is excluded from the result) and not originating from source IP grep -i 'drop' /log/fw/ grep -v ' ' grep '10:1' Viewing Log Entries with tail tail file file is the path to the file, including the file name, e.g. tail /log/fw/filex tail -f Displays data as it is appended to the file in real-time, e.g. tail -f /log/fw/filex Analyzing Network Traffic with tcpdump tcpdump -i Specifies the network interface to capture traffic from, e.g. tcpdump -i eth0 tcpdump -n Does not resolve IP addresses to host names. Only displays IP addresses, e.g. tcpdump -ni eth0 tcpdump -v Produces verbose output, such as TTL, ICMP header checksum, etc., e.g. tcpdump -v -ni eth0 tcpdump -c Specifies the number of packets to capture, e.g. tcpdump -vvv -c10 -ni eth0 tcpdump -s Specifies the length (in bytes) of each packet to be captured, rather than the default of 68, e.g. tcpdump -vvv -c10 -ni eth0 -s0 Setting the value to 0 means that tcpdump automatically uses the required length. 24

29 Chapter 5. Console Commands tcpdump -w Writes the raw packets to a file rather than parsing them and displaying them on the screen, e.g. tcpdump -vvv -c10 -ni eth0 -s0 -w mydumpfile. This option is used to analyze the packets with a protocol analyzer, such as Wireshark. More verbose output is provided for each additional v, e.g. tcpdump -vvv -ni eth0 Consult the tcpdump man page for additional details Matching Network Traffic with tcpdump The output of the tcpdump command can be matched with the following: A specific destination or source host, e.g. dst host A specific destination or source port, e.g. dst port 80 A specific network protocol, e.g. udp port 53 Matches can be combined using the and, or & not operands. The provided list of matches is non-exhaustive Examples of Traffic Matching tcpdump -ni eth0 host Captures network packets on the eth0 network interface that match with IP address tcpdump -ni eth0 port 22 Captures network packets on the eth0 network interface and displays all network traffic related to port 22 (SSH). tcpdump -ni eth0 icmp Captures network packets on the eth0 network interface and displays all ICMP network traffic. tcpdump -ni eth0 host and port 25 Captures network packets on the eth0 network interface that match with IP address Only network traffic related to port 25 (SMTP) is captured. tcpdump -ni eth0 host and not port 22 Captures network packets on the eth0 network interface that match with IP address All traffic is displayed, except traffic related to port 22 (excluded). tcpdump -ni eth0 host and not port 22 -s0 25

30 Chapter 5. Console Commands Performs the same operation as explained in the previous example, but in addition tcpdump automatically captures the required packet length, since the -s0 parameter is added. tcpdump -ni eth0 host and not port 22 -s0 -w mycapfile Performs the same operation as explained in the previous example, but in addition the command output is written to a file, allowing further analysis with a protocol analyzer, such as Wireshark. Press CTRL + C to exit tcpdump Telnet telnet -4 host.domain.com Forces IPv4 address resolution. telnet -6 host.domain.com Forces IPv6 address resolution Netcat Common uses include: simple TCP proxies network daemon testing SOCKS or HTTP ProxyCommand for ssh nc -l 2389 Starts server mode on the specified port and listens for incoming connections. nc somehost.com 2389 Starts client mode and tries to connect to the specified host on the specified port Dig dig google.com Queries the DNS server(s) as configured on your system and returns any record that matches google.com. dig mx Specifically queries the DNS server with IP for the MX record of the Google domain Nslookup nslookup 26

31 Chapter 5. Console Commands Server: Address: #53 Non-authoritative answer: Name: Address: nslookup followed by a domain name will display the A Record (IP Address) of that domain. nslookup -query=mx google.com Server: Address: #53 Non-authoritative answer: google.com mail exchanger google.com mail exchanger google.com mail exchanger google.com mail exchanger google.com mail exchanger = = = = = alt4.aspmx.l.google.com. alt1.aspmx.l.google.com. alt3.aspmx.l.google.com. alt2.aspmx.l.google.com. aspmx.l.google.com. Looks up the MX record for the specified domain name and lists the mail exchange servers for that domain.µ Mtr mtr is a network diagnotic tool that combines the functionalities of the traceroute and the ping commands. mtr iperf iperf is a command that enables system administrators to measure the network bandwidth and check the quality of a network link. iperf -c Client connecting to IP on TCP port 5001 (iperf default) 27

32 Chapter 6. Copying Files to your Computer 6.1. Overview In this chapter, we explain how to copy files from the AXS GUARD to your local machine for further analysis. Topics covered in this chapter include: How to download and install the programs needed to copy files from the AXS GUARD to a local machine. How to configure and use these programs with the AXS GUARD, e.g. how to copy files, such as logs and network traffic files created with tcpdump (see Section , Examples of Traffic Matching ), from the AXS GUARD to a local machine Downloading and Installing the required Software WinSCP for Windows WinSCP (Windows Secure Copy) is an open source SFTP and FTP client for Microsoft Windows. Its main function is secure file transfer between a local and a remote computer. Beyond this, WinSCP offers basic file manager and file synchronization functionality. For secure transfers, it uses the Secure Shell (SSH, explained in Section 3.2.2, The Linux SSH Client ) and supports the SCP protocol in addition to SFTP. Downloading You can download WinSCP free of charge from this site: Installing WinSCP is installed like any other classic Windows program (running setup.exe or install.exe). Download the installation executable and save it to the desired location. Double-click on the executable to start installing the WinSCP program. When downloading, you can either select the WinSCP installation package or the portable executable. The portable executable does not need to be installed like any other classic Windows program (running setup.exe or install.exe). Just download the executable and save it to the desired location. One the installation is complete or the portable executable is double-clicked, a screen as illustrated below appears. The configuration of WinSCP is explained in Section 6.3.2, Configuring WinSCP. 28

33 Chapter 6. Copying Files to your Computer Figure 6.1. WinSCP Login Screen scp in Linux In Linux, you can use the scp command to copy files and directories securely between remote hosts without starting an FTP session or logging in to the remote systems explicitly. The scp command uses SSH (see Section 3.2.2, The Linux SSH Client ) to transfer data, so it requires a password or passphrase for authentication. scp encrypts both the file(s) and any passwords exchanged between hosts. On most Linux distributions, scp is installed by default. Please refer to the documentation of your Linux distribution for downloading and installing instructions, if needed Software Configuration and Use Overview In this section, we explain how to configure and use WinSCP for Windows and scp for Linux. scp does not require any configuration. To copy the AXS GUARD logs, navigate to the /log directory. Each AXS GUARD service stores its logs in a specific subdirectory, e.g. the Firewall logs are stored in /log/fw. The file name of a log is the date on which it was created Configuring WinSCP 1. Start WinSCP by double-clicking on the WinSCP application icon. 2. Enter the settings as explained below. Host Name: The internal FQDN or LAN IP of the AXS GUARD Port Number: The port used by sshd, i.e. the SSH service on the AXS GUARD. The default is 22. Do not change this value. User Name: The AXS GUARD user who has access to the console tool. Password: The password of that user. Private Key File: The user s private key generated with PuTTYgen. File Protocol: The protocol that must be used to connect to the AXS GUARD. This must be set to SCP 29

34 Chapter 6. Copying Files to your Computer Figure 6.2. WinSCP Configuration 3. Check Advanced Options. 4. Navigate to Environment SCP / Shell. 5. Change the Shell to /bin/bash as shown in the image below. Figure 6.3. WinSCP Advanced Settings 6. Click on Save. Figure 6.4. Saving WinSCP Session 30

35 Chapter 6. Copying Files to your Computer 7. Do not save the password. 8. Click on OK. WinSCP is now set up to copy files from the AXS GUARD to your machine Using WinSCP Connect to the AXS GUARD 1. Start WinSCP. 2. Select the session that you saved during the setup of WinSCP. Figure 6.5. WinSCP Login 3. Click on Login. If you log in for the first time, WinSCP will ask you to confirm the host key of the AXS GUARD. Click on Yes to proceed. Figure 6.6. Accepting the Server's Host Key 4. If you protected your private key with a password, you will be prompted to enter it at this point. 5. Click on OK. 31