Archive for June, 2020

Passing F5 End Point Inspection On Linux

With the recent increase in home working, corporates have been beefing up their IT security measures. What was once the comparatively small attack vector of a fraction of the workforce occasionally connecting from home now represents a huge gaping hole. The simplest way in which corporates can protect against this enlarged attack surface is to mandate that several key components of connecting users’ systems meet certain criteria. These usually include, but are not limited to, an up-to-date operating system, an installed firewall and an active anti-virus solution.

This is where the title of this article comes in. These criteria are, as you will see, very Windows-centric. One can also stretch them to apply to a Mac, but when it comes to Linux the checks become very hazy indeed. For example, what qualifies as a firewall? iptables on my router? On my local machine? Something else? And the operating system: how can that be checked? There are so many distributions out there, and many are secure even on old versions thanks to back-ports and patches. A murky world indeed.

Fortunately, for one vendor product at least, F5, I can offer some insight into how to configure your local machine so that its checks will pass and permit remote connections. F5 end point inspection is commonly used in web-accessible gateways that go on to permit Citrix-style remote desktop access, so this will cover the majority of users who work on either remote fixed machines or a VDI-type setup.

Operating System

I was unable to get F5 to reject access on account of the operating system or how up to date it was, so I assume that any common Linux distribution that is running a supported version and has been reasonably recently updated for security and other patches will be permitted by the end point inspection process.

Firewall

Neither my iptables rules on my local machine nor those present on my routers were sufficient to pass the end point inspection check for a firewall. My gateway router also has various filters based on packet inspection for additional protection, but these also seemed to have little effect. The only way I could satisfy this failing test was to activate Uncomplicated Firewall (UFW). Now I could have gone to the lengths of figuring out which feature(s) of UFW were cogent to the test, but this seemed like too much hassle. I only need SSH access to my local machine from others within my network, and this is a simple enough rule to set up in UFW.

Anti-Virus

Anti-virus in the Linux space is a hotly debated topic and I’m not about to delve deeply into it here. Suffice it to say that most solutions focus heavily on manual or semi-automated scanning for threats that are largely Windows-centric; in other words, ensuring that no Windows viruses are transmitted to an unwitting user of a Linux mail server. What this means is that, for the most part, the end user of a Linux desktop probably doesn’t need an anti-virus solution. Such arguments, however, are of absolutely no use in passing the “computer says no” bot of the F5 end point inspection tool.

My initial approach was to install ClamAV. This is free and works nicely for my mail server and other similar applications that would do well having some protection in place for Windows users. F5 *did* detect that this solution was in place; however, it then failed a further check, the one for real-time protection. This is quite right: by default ClamAV doesn’t have such protection, and indeed servers using it will make a call to invoke the scan on incoming files as applicable. ClamAV does have documentation regarding enabling real-time protection, but unfortunately, despite following this process and seeing it in operation on my machine, the test still wouldn’t pass. Having spent too much time on this approach with no success, I looked to other options.

Two commercial offerings stood out as having both free Linux versions and real-time protection: Comodo and Sophos. I tried Comodo first, but after a lot of tinkering couldn’t get the real-time protection to work. It seemed to require a kernel module which wouldn’t compile for my machine, and further research revealed little success or support for Comodo AV on more recent versions of Linux.

Sophos AV was the salvation. Easy to install, runs automatically as a daemon in the background and, thankfully, passed all the F5 tests with flying colours.

Summary

Given that I’ve gone through all the hassle of testing out various approaches to this, the above is, all in all, a fairly simple set of steps to keep the remote workers among you out of Windows territory despite the prevalence of Microsoft technologies in the corporate world. I’d of course be interested in other approaches Linux users have taken to such requirements, because my own research in this space offered up very little in the way of useful material. In fact, the closest I got was an article from F5 describing how to install the end point inspection client on your machine, but that is so straightforward that it really doesn’t bear mentioning. What I was really after was the material in this article and that, it would seem, for the time being at least, is nowhere but this page!


Shell access over FTP

For a variety of reasons many shared web hosts provide only FTP accounts, not SSH shell-based access. While I would never recommend such a host to a die-hard Linux fan, I have occasionally had the requirement to work with such accounts for friends. Clearly I’m not about to break my workflow and use FTP commands and/or web-based MySQL tooling, so how to proceed?

Firstly, bizarrely, many hosts, despite not providing SSH access, *do* allow you remote MySQL access, so with a local mysql-client installed and the correct rules in cPanel to permit one of my static IPs, I can easily run commands on the remote database. I won’t include a tutorial because, if your cPanel has such an option and you’re an avid Linux user, you’ll know what to do.

Getting around FTP is slightly harder to do and there will be some caveats. The main limitation is that nothing can replace direct shell access; you won’t, for example, be able to execute processes on the remote host. You will, however, be able to work with the file system as if you were logged in over SSH. The method we will use here is to mount the remote FTP filesystem on a directory on our local machine and then work with it locally. This means, for example, we can develop live in PhpStorm and have the changes reflected on the remote cPanel-administered server – neat!

So, to get this working you need to install curlftpfs. On my Debian-based system the apt command, run with sudo, is as follows:

sudo apt-get install curlftpfs

Once installed you can then mount the file system using the following command – be sure to swap out your hostname, username, password and local mount directory:

curlftpfs '<username>:<password>@<hostname>' /home/<local-user>/ftp/

And that’s it! You can then navigate to the directory in question and work on files in there as if they were local to you. When you’re finished you can unmount as follows:

umount /home/<local-user>/ftp
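The one-liner above puts the FTP password on the command line, where it lands in your shell history, and plain FTP sends it across the network in clear text. The helper below is an added example, not part of the original post: it reads the credentials from a 0600-mode file, requires TLS via curlftpfs's `-o ssl` option, and unmounts with `fusermount -u`, which is what a non-root user normally needs for a FUSE mount. It assumes curlftpfs, fusermount and GNU stat are installed and that the credentials file holds a single line of the form `username:password`.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post) for mounting a cPanel FTP
# account with curlftpfs. Credentials live in a file with mode 0600 containing
# one line "username:password"; assumes curlftpfs and fusermount are installed.

# Return 0 if the credentials file is readable only by its owner and well formed.
check_creds_file() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")            # GNU stat: octal permission bits
    [ "$mode" = "600" ] || { echo "$f must be mode 0600 (is $mode)" >&2; return 1; }
    case "$(head -n1 "$f")" in
        *:*) return 0 ;;
        *)   echo "$f must contain user:password" >&2; return 1 ;;
    esac
}

# Print the curlftpfs arguments that will be used, with the secret redacted,
# so the invocation can be reviewed or logged without exposing the password.
mount_args() {
    host="$1"; mnt="$2"
    # -o ssl: require TLS on both the control and data connections (FTPS).
    # Without it the username and password cross the network in clear text.
    printf '%s\n' "-o ssl" "-o user=<user>:<redacted>" "$host" "$mnt"
}

# Mount host at mnt using credentials read from creds; returns 0 once the
# directory is a live mount point.
ftp_mount() {
    creds="$1"; host="$2"; mnt="$3"
    check_creds_file "$creds" || return 1
    mkdir -p "$mnt"
    # Reading the password from the file keeps it out of ~/.bash_history.
    # It is still visible to other local users in the process list for the
    # lifetime of the FUSE daemon, so this assumes a single-user workstation.
    curlftpfs -o ssl -o user="$(head -n1 "$creds")" "$host" "$mnt" || return 1
    mountpoint -q "$mnt"
}

# Unmount a FUSE filesystem as the user who mounted it (no root required).
ftp_umount() {
    fusermount -u "$1"
}

# Usage: ftp_mount ~/.ftp-creds ftp.example.com ~/ftp ; ... ; ftp_umount ~/ftp
```

If the host does not support FTPS, the mount fails rather than silently downgrading, which is the behaviour you want when the account also controls a live website.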

Finally, a little-known fact about many cPanel configurations – they support cron jobs! This means that if, as a one-off, you *do* need to execute something on a remote server to which you do not have shell access, you can drop the executable onto the box via the FTP-mounted file system method above, apply the appropriate chmod and then schedule your command to run as a timed job in cPanel. If you direct the command output to a log file then you can even tail that log file on your own machine over the mount point to track the progress of the script!
