
After an install, how can I test that ThreatSTOP is working?

There are several ways to test the various steps that allow ThreatSTOP to give you automated IP protection.

There are 5 specific functions that can be tested to make sure that the ThreatSTOP solution is working properly:

  1. Does your system pull IPs from our database
  2. Are the IPs applied to firewall rules
  3. Do the blocked IPs get logged
  4. Can the logs be uploaded to our database.
  5. Can 1-4 be done automatically


  1. Does your system pull IPs from our database?
    Vyatta and VyOS users should log into their machine, preferably through PuTTY, and run:
     sudo ipset -L | less

    To see how many IPs are currently in your policy, use the following command:

    sudo ipset -L | grep '[^[:lower:]]' | wc -l

    This lists every IP set referenced by your ThreatSTOP firewall rules. Find the TSblockaddr group; it holds the individual IPs that are being blocked by our system. You have now verified that your system can pull IPs from our database. Take a note of one of these IPs, as you will need it in step 3.
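As an added example (not part of this article or of the ThreatSTOP tools), the POSIX shell functions below parse an `ipset -L` listing and report only the members of one named set, so the count is not inflated by the header lines that the grep pipeline above also matches. The listing is a constructed sample; on a live box feed it `sudo ipset -L` instead.

```shell
#!/bin/sh
# Constructed sample of `sudo ipset -L` output (not captured from a real box).
SAMPLE_LISTING='Name: TSblockaddr
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 320
References: 3
Members:
192.0.2.10
192.0.2.55
198.51.100.7

Name: TSallowaddr
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 200
References: 3
Members:
203.0.113.9
'

# Print the members of one set from an ipset -L listing.
# Usage: ipset_members "$listing" SETNAME
ipset_members() {
    printf '%s\n' "$1" | awk -v set="$2" '
        /^Name:/    { cur = $2; inm = 0; next }   # start of a new set block
        /^Members:/ { inm = (cur == set); next }  # member lines follow this header
        /^$/        { inm = 0; next }             # blank line ends the block
        inm         { print $1 }                  # first field is the address
    '
}

# Count the members of one set (header lines are never counted).
ipset_member_count() {
    ipset_members "$1" "$2" | wc -l | tr -d ' '
}

# Return 0 if ADDR is a member of SETNAME, 1 otherwise.
# Usage: ipset_has_member "$listing" SETNAME ADDR
ipset_has_member() {
    ipset_members "$1" "$2" | grep -qxF "$3"
}

# Demo on the constructed sample; on VyOS use: listing=$(sudo ipset -L)
echo "TSblockaddr holds $(ipset_member_count "$SAMPLE_LISTING" TSblockaddr) addresses"
if ipset_has_member "$SAMPLE_LISTING" TSblockaddr 192.0.2.55; then
    echo "192.0.2.55 is in TSblockaddr: a suitable ping target for step 3"
fi
```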


  2. Are the IPs applied to firewall rules?
    To see whether the IPs are being applied to the proper interfaces and are referencing the correct ipset groups, run:
    show firewall

    The output should look similar to:

    Make sure that each rule is applied to the proper interface, in this case eth0. Also verify that each group is applied to all three rules; the default rules are TSrtoutrule, TSrtinrule, and TSrtlocalrule. This verifies that your system is applying the IPs to the firewall rules.


  3. Do the blocked IPs get logged?
    In a second PuTTY session run:
    ls /var/log/user/

    If you followed the default install instructions, there should be a file named threatstop.log. In the second window run:

    tail -F /var/log/user/threatstop.log

    Keep this window open and in the first window run:

     ping <ip address>

    where <ip address> is the IP you noted earlier. You should not receive any replies; the absence of responses verifies that the ThreatSTOP solution has correctly applied the firewall rules.

    The second window, where threatstop.log is being tailed, should be logging the blocks, and the output should appear similar to:

    You have now verified that syslog is working properly. You can now close the second window and exit the ping command.


  4. Can the logs be uploaded to our database?
    Now go to the ts-vyatta directory (default is /home/vyatta) and run:
    sudo ./loguploadclient.pl

    The output should look similar to:


    You have now verified that your system can upload logs to our database.


  5. Can 1-4 be done automatically?
    For the final test we will make sure that all of the tested functionality runs automatically. In your PuTTY session run:
     sudo crontab -l

    The output should look like the following (with different times):


    Prior to changing the cron job times, take a note of the current time on your system by running:

     date

    This shows the present time on your device. Then edit the cron jobs so that they run one minute from the current time.
