arnold
Differences
This shows you the differences between two versions of the page.
arnold [2007/09/26 14:42] – faltin | arnold [2016/01/06 13:54] (current) – link to new location morten | ||
Line 1: | Line 1: | ||
- | + | This has been moved into the official | |
- | + | ||
- | ====== Introduction ====== | + | |
- | + | ||
- | //This document is under construction.// | + | |
- | + | ||
- | {{tools: | + | |
- | + | ||
- | This document will give you information about how Arnold works and how to use and configure it. A FAQ-section will be added as questions are received. | + | |
- | + | ||
- | + | ||
- | ====== Arnold - what does it do? ====== | + | |
- | + | ||
- | Arnold is a system that blocks switch-ports by using SNMP-set commands. It does this based one or more ip-addresses given as input on runtime. Based on the address it uses the NAV-database to locate the correct switch-port to block, and attempts to block it using SNMP. //NB: It is important that the write-community is set in the NAV-database.// | + | |
- | + | ||
- | Arnold does not scan or in any other way detect or judge mischievers, | + | |
- | + | ||
- | + | ||
- | ====== Running Arnold ====== | + | |
- | + | ||
- | Arnold consists of a couple of scripts, a web-interface and a database. For basic use you will never have to touch the scripts, just use the web-interface to disable and enable ports. Arnold should be ready to use without any fuzz as long as the NAV-database is up to date. Some of the features requires some editing in config-files, | + | |
- | + | ||
- | ===== The web-interface ===== | + | |
- | + | ||
- | To access the web-interface you can use the Toolbox or just type '' | + | |
- | + | ||
- | * **History: | + | |
- | * **Blocked ports:** All currently blocked ports. This is the default page. | + | |
- | * **Search:** Search the database. | + | |
- | * **Add blockreason: | + | |
- | * **Manual block:** This page lets you block a port on your network. All you need is an ip-address and a Reason. | + | |
- | * **Blocktypes: | + | |
- | + | ||
- | As the functionality of these pages are more or less self-explaining, | + | |
- | + | ||
- | **Blocktypes** | + | |
- | + | ||
- | The concept // | + | |
- | + | ||
- | - It saves you the trouble of choosing all parameters when blocking. | + | |
- | - It is perfect for use by other scripts and by a cronjob. | + | |
- | - It is perfect for use when you have a lot of computers to block at the same time. | + | |
- | + | ||
- | So, hit the "Add new blocktype" | + | |
- | + | ||
- | * **Title:** is the title of the block type. This is just a name used on the web-site. | + | |
- | * **Description: | + | |
- | * **Reason:** is the reason used when blocking with this block type. You can choose one already defined or add a new one by using the respective fields. | + | |
- | * **Path to mailfile:** is the name of the mail template-file you must make if you want to send mail to the people responsible for the computers that are blocked by this block type. Read more about the mail templates in the " | + | |
- | * **Path to inputfile: | + | |
- | * **Block pursuit:** decides how Arnold will behave when pursuing a computer that moves to other ports when blocked. "Open on move" means that Arnold will open the former port when blocking the new port, "All closed" | + | |
- | * **Exponential increase:** is a nifty feature that blocks previous mischievers for a longer timespan for each new block. More details in the " | + | |
- | * **Block duration:** is the same as auto enable - it decides the timespan the port is disabled. | + | |
- | * **Active:** check this to activate the block type, uncheck to disable it. | + | |
- | * **User:** enables you to choose the username that appears as the blocker. | + | |
- | + | ||
- | **How to use a defined blocktype** | + | |
- | + | ||
- | The only way to use a defined block type when blocking is by using the '' | + | |
- | + | ||
- | Examples: | + | |
- | < | + | |
- | [prompt]# crontab -e | + | |
- | 0 0 * * * $NAVDIR/bin/start_arnold -i 2 -f $SCANFILES/ | + | |
- | :wq | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | [prompt]# cd nav/bin | + | |
- | [prompt]# | + | |
- | 129.241.xxx.xxx | + | |
- | < | + | |
- | 129.241.xxx.xxx (connected to nett-ans-xxx-h.ntnu.no 1:8) disabled successfully. | + | |
- | [prompt]# | + | |
- | </code> | + | |
- | + | ||
- | ===== The scripts ===== | + | |
- | + | ||
- | Arnold consists of four scripts, which all are located in the '' | + | |
- | + | ||
- | * **arnold.pl: | + | |
- | * **autoenable.pl: | + | |
- | * **start_arnold.pl: | + | |
- | * **t1000.pl: | + | |
- | + | ||
- | ==== arnold.pl ==== | + | |
- | + | ||
- | This is the workhorse of the system. You can run '' | + | |
- | + | ||
- | NB: All information listed here is from our test-install, | + | |
- | + | ||
- | **Disabling a port** | + | |
- | + | ||
- | If you, for some reason, want to disable a port using the script and not using the web-interface, | + | |
- | + | ||
- | 1: Locate the victim - i.e. an ip-address. | + | |
- | + | ||
- | 2: List all reasons: | + | |
- | + | ||
- | < | + | |
- | [prompt]# ./arnold.pl -l | + | |
- | Reasons for blocking currently in the database: | + | |
- | 1: Vi sperrer porter fordi det er gøy. | + | |
- | 2: Next reason | + | |
- | 3: Lav sko | + | |
- | </ | + | |
- | + | ||
- | 3: Determine time for auto enable (how many days before enabling of port happens automatically). not specified = forever. | + | |
- | + | ||
- | 4: Run the script: | + | |
- | + | ||
- | < | + | |
- | [prompt]# ./arnold.pl -x disable -a 129.241.xxx.xxx -r2 -t2 | + | |
- | 129.241.xxx.xxx (connected to nett-ans-xxx-h.ntnu.no 1:8) disabled successfully. | + | |
- | </ | + | |
- | + | ||
- | Now we have disabled //port 8// in //module 1// on the switch // | + | |
- | + | ||
- | **Enabling a port** | + | |
- | + | ||
- | Enabling of a port should really only be done by the web-interface. If you are very stubborn, find the id of the block in the database, and run this command: | + | |
- | + | ||
- | < | + | |
- | [bredal@isbre bin]$ ./arnold.pl -x enable -i 7 | + | |
- | 129.241.xxx.xxx (connected to nett-ans-xxx-h.ntnu.no 1:8) enabled successfully. | + | |
- | </ | + | |
- | + | ||
- | **Other options** | + | |
- | + | ||
- | More to come. | + | |
- | + | ||
- | ==== autoenable.pl ==== | + | |
- | + | ||
- | '' | + | |
- | + | ||
- | ==== start_arnold.pl ==== | + | |
- | + | ||
- | '' | + | |
- | + | ||
- | We want to scan our network for malicious computers. We have our own scanning-computer that has more-than-normal access to the whole network, and this is not the computer NAV is installed on. How do we deliver the list from the scanning-computer to arnold for blocking? Well, first we make a blocktype with the options we want. This is done by using the web-interface. We give the scanning-computer a public-key tuple on the NAV-server. Then we do some scanning which gives us a list of computers we don't want on the network anymore. We transfer the list like this (the -i option is the id of the blocktype): | + | |
- | + | ||
- | < | + | |
- | [prompt]# cat scanresult.txt | ssh scanner@navinstall.network.com: | + | |
- | </ | + | |
- | + | ||
- | This will ensure a clean and tidy run of arnold and some blocked ports. Of course you can also use '' | + | |
- | + | ||
- | ==== t1000.pl ==== | + | |
- | + | ||
- | This script is run by cron. It fetches all blocked ports from the database and starts checking if the mac-address which was behind that port is active any other place in the network. If it is, it blocks that port. Depending on options given at block-time it will either open the old closed port or just leave it closed. Needless to say this does not block the new port immediately after a blocked computer has moved to it, but it is as good as it gets (for now). | + | |
- | + | ||
- | ====== Configuring Arnold ====== | + | |
- | + | ||
- | ===== Config files ===== | + | |
- | + | ||
- | Arnold has two config-files, | + | |
- | + | ||
- | '' | + | |
- | + | ||
- | '' | + | |
- | + | ||
- | In addition we have these: | + | |
- | + | ||
- | '' | + | |
- | + | ||
- | If you make a // | + | |
- | + | ||
- | + | ||
- | More to come. | + | |
- | + | ||
- | ====== Details ====== | + | |
- | + | ||
- | More details. | + | |
- | + | ||
- | Logs of arnold-activity are stored in '' | + | |
- | + | ||
- | ====== Arnold - why that name? ====== | + | |
- | + | ||
- | The story. | + | |
- | + |
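Review bot: the replacement stub on the right-hand side of this hunk reads only "This has been moved into the official" with no visible link target, although the revision summary says "link to new location"; make sure the stub actually carries the URL of the new page, because the removed text is the only place that documents operational details readers will still need, in particular that the SNMP write-community must be set in the NAV database for blocking to work at all, that the scanning host is given a public-key tuple on the NAV server so it can pipe scan results into `start_arnold` over ssh (the `-i` option selecting the blocktype), and where the arnold activity logs are stored. It would also help to state in the stub that the `arnold.pl -x disable` / `-x enable` and crontab examples remain available in this page's revision history.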
arnold.1190817772.txt.gz · Last modified: by faltin