Data collection TOS5

I have just set up a clean TOS5 system on the Omnia … how do I verify that data collection is working properly?

There is no data collection section in Foris indicating the correct function. Data collection packages are installed.
There’s only the agreement to the terms in reForis. The page https://view.sentinel.turris.cz/ still has no private accounts. On my external IP, ports 22, 23 and 80 are open, but the other ports 2323, 3128, 8080, 8123 are closed!

Can you check in LuCI / System Startup what the current status of haas-proxy, sentinel-dynfw-client, sentinel-proxy and sentinel-minipot is?

They should be enabled and started. If they aren’t, can you enable and start them?

I remind you that in the clean installation of TOS 5, I activated the data collection in the prescribed way in reForis. Now I don’t care if it works … but where is the status check for the data upload of firewall, HaaS and minipots?

Port 22 is open, so HaaS is working as it should, and I can check with Honeypot as a Service - Login to HaaS. The three sentinel* processes you mentioned are enabled and started in the processes.

I need information on how to verify that firewall and minipot data collection is working. I have doubts about this because the ports that should be open (as I was used to with TOS 4), 2323, 3128, 8080, 8123, do not work. In TOS 4, I had this feature indicated in Foris, and HaaS could be seen at haas.nic.cz.

Looks like Sentinel only opens a few ports, not exactly those you thought.

  515 29236 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* !sentinel: HaaS proxy port redirect */ redir ports 2525
    4   196 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 /* !sentinel: Minipot FTP port redirect */ redir ports 2133
   44  2112 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !sentinel: Minipot HTTP port redirect */ redir ports 8033
 3349  200K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* !sentinel: Minipot SMTP port redirect */ redir ports 5873
    8   428 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 /* !sentinel: Minipot SMTP submission port redirect */ redir ports 5873
  268 13716 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 /* !sentinel: Minipot Telnet port redirect */ redir ports 2333

So that’s how the minipot port numbers have changed (compared with TOS 4). Of the 6 ports you listed, I have 5 open (21, 22, 23, 25 and 80) and port 587 is stealth. Unfortunately, which ports are to be opened for minipots is not described in reForis (in TOS 4 it was clearly described which ports would be opened). In the future, it would be a good idea to indicate the correctness of the data sending function somewhere.

Apr 23 03:30:10 turris sentinel_nikola: Logrotate took 0.092233 seconds
Apr 23 01:30:10 turris crond[24650]: (root) CMDOUT (Logrotate took 0.092233 seconds)
Apr 23 03:30:10 turris sentinel_nikola: Syslog parsing took 0.068221 seconds
Apr 23 01:30:10 turris crond[24650]: (root) CMDOUT (Syslog parsing took 0.068221 seconds)
Apr 23 03:30:10 turris sentinel_nikola: Records parsed: 99
Apr 23 01:30:10 turris crond[24650]: (root) CMDOUT (Records parsed: 99)
Apr 23 03:30:10 turris sentinel_nikola: Sending records took 0.002242 seconds

So I banned the minipots, restarted the router, and reinstalled the minipots.
Then sentinel-minipot … enable and start.
Retested open ports … and 587 is still out of the game. Maybe it is ready in TOS 5 HBS?

The file /usr/libexec/sentinel/minipot-defaults.sh defines only 4 redirects, i.e. together with HaaS there should be 5 open ports.

DEFAULT_FTP_PORT="2133"
DEFAULT_HTTP_PORT="8033"
DEFAULT_SMTP_PORT="5873"
DEFAULT_TELNET_PORT="2333" 

So it looks like everything is OK; I only miss the indication of the correct function :)

1 Like

I have been running HBS for a while and I checked just now: 587 gives an SMTP prompt.
/usr/libexec/sentinel/firewall.d/70-minipot.sh contains

            iptables_redirect "$zone" 25 "$smtp_port" "Minipot SMTP"
            iptables_redirect "$zone" 587 "$smtp_port" "Minipot SMTP submission"

and

            bypass_dynamic_firewall "tcp" "25" "Minipot SMTP"
            bypass_dynamic_firewall "tcp" "587" "Minipot SMTP submission"

It’s the same for me on HBT, but I have a stealth port 587. This config file is some pre-config pattern; the date of the file is March 4th and it is therefore not actively used … Do you have 587 open?

First of all, Sentinel is not uCollect. It uses different ports. If you think that we should include more open ports, feel free to suggest it.

On the topic of Sentinel status, we are working on that. (https://gitlab.nic.cz/turris/reforis/reforis-data-collection/-/issues/7)

On the note of data filtering in sview, we are working on that as well. (https://gitlab.nic.cz/turris/sentinel/sview/-/issues/1)

1 Like
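
The check discussed in this thread (which Sentinel redirects exist and whether they see traffic), as an added example that is not part of any post and is not Turris code. It parses a listing in the format quoted above; the function names and the `iptables -t nat -L -n -v` source command are assumptions.

```shell
#!/bin/sh
# Added example, not Turris code: summarise the "!sentinel:" REDIRECT rules.
# On the router the listing would come from `iptables -t nat -L -n -v`
# (assumption: the thread does not say which command produced it).

# Print one line per rule: <public port> <local port> <packets> <label>
sentinel_redirects() {
    awk '
    $3 == "REDIRECT" && /!sentinel:/ {
        dport = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dpt:/) dport = substr($i, 5)
        label = $0
        sub(/.*!sentinel: /, "", label)    # drop everything before the label
        sub(/ port redirect.*/, "", label) # drop the comment tail
        print dport, $NF, $1, label
    }'
}

# Print each expected public port that has no Sentinel redirect rule.
# The expected set is the six ports shown in the thread's listing.
missing_redirects() {
    rules=$(sentinel_redirects)
    for port in 21 22 23 25 80 587; do
        printf '%s\n' "$rules" |
            awk -v p="$port" '$1 == p { found = 1 } END { exit !found }' ||
            echo "$port"
    done
}

# Listing rows as quoted in the thread (counters are that poster's values).
sample_listing() {
    cat <<'EOF'
  515 29236 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* !sentinel: HaaS proxy port redirect */ redir ports 2525
    4   196 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 /* !sentinel: Minipot FTP port redirect */ redir ports 2133
   44  2112 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !sentinel: Minipot HTTP port redirect */ redir ports 8033
 3349  200K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* !sentinel: Minipot SMTP port redirect */ redir ports 5873
    8   428 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 /* !sentinel: Minipot SMTP submission port redirect */ redir ports 5873
  268 13716 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 /* !sentinel: Minipot Telnet port redirect */ redir ports 2333
EOF
}

sample_listing | sentinel_redirects
echo "missing: $(sample_listing | missing_redirects | tr '\n' ' ')"
```

A packet counter that grows between two runs shows that connections are reaching that minipot; it does not by itself confirm that records are uploaded.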