https://www.restorepoint.com/
Restorepoint automates network configuration backup, recovery, compliance analysis, and change management for more than 100 network and security vendors.
Nice mgmt interface with Oxidized or rancid is running under the hood. API/ansible/other DevOps tools.
Preamble:
C:\Users\Ivan Popov>ver && wsl --list
Microsoft Windows [Version 10.0.19041.985]
Windows Subsystem for Linux Distributions:
Debian (Default)
kali-linux
ToDo: access files in $HOME on Debian wsl instance from kali-linux wsl instance
Dunno how (and don't care actually) rootfs is mounted in Windows, but files are located here:
C:\Users\%USERNAME%\AppData\Local\Packages\TheDebianProject.DebianGNULinux_76v4gfsz19hv4\LocalState\rootfs\home
(TheDebianProject.DebianGNULinux depends of installed distro)
In WSL current disk partitions are already mounted under /mnt/Disk_Letter
To access my debian_home from kali I executed:
echo "sudo mount -B /mnt/c/Users/My\ Current\ WinUserName/AppData/Local/Packages/TheDebianProject.DebianGNULinux_76v4gfsz19hv4/LocalState/rootfs/ /mnt/deb/
" >> ~/.bashrc
[fstab entry should be in format /old_dir /new_dir none bind but for some reason didn't work]
The result:
$ls /mnt/deb/
total 620
drwxr-xr-x 1 root root 4096 May 3 23:31 .
drwxr-xr-x 1 root root 4096 May 20 15:59 ..
drwxr-xr-x 1 root root 4096 May 17 19:04 bin
drwxr-xr-x 1 root root 4096 Mar 20 00:44 boot
drwxr-xr-x 1 root root 4096 Apr 6 14:47 dev
drwxr-xr-x 1 root root 4096 May 17 19:04 etc
drwxr-xr-x 1 root root 4096 May 3 23:33 home
-rwxr-xr-x 1 root root 632048 May 5 00:48 init
drwxr-xr-x 1 root root 4096 Apr 6 14:48 lib
drwxr-xr-x 1 root root 4096 Apr 6 14:47 lib64
drwxr-xr-x 1 root root 4096 Apr 6 14:47 media
drwxr-xr-x 1 root root 4096 May 5 22:31 mnt
drwxr-xr-x 1 root root 4096 Apr 6 14:47 opt
drwxr-xr-x 1 root root 4096 Mar 20 00:44 proc
drwx------ 1 root root 4096 May 3 23:35 root
drwxr-xr-x 1 root root 4096 Apr 6 14:47 run
drwxr-xr-x 1 root root 4096 May 3 23:31 sbin
drwxr-xr-x 1 root root 4096 Apr 6 14:47 srv
drwxr-xr-x 1 root root 4096 Mar 20 00:44 sys
drwxrwxrwt 1 root root 4096 May 20 14:49 tmp
drwxr-xr-x 1 root root 4096 Apr 6 14:47 usr
drwxr-xr-x 1 root root 4096 Apr 6 14:47 var
The idea is simple: convenient way to blackhole some prefixes (bogus, wellknown C&C, spam,malicious, personally predefined, etc)
I'm using Linux + exaBGP + python script to collect some prefixes from a list of sources; exaBGP holding BGP session with our 2 RR and announce generated list of prefixes with blackhole community.
exaBGP is a python application to interact with BGP networks
List of prefixes is generated by generate_blacklists.py
https://drive.google.com/file/d/1XgksQVcb2rpabv8OVCBkFabR6YuQpxV9
The configuration itself is pretty straightforward and self-explanatory
1. to announce a single static route:
neighbor 192.168.0.1 {
router-id 192.168.0.10;
local-address 192.168.0.10;
local-as 12345;
peer-as 12345;
### optional
### hold-time 180;
### outgoing-ttl 1;
### capability {
### multi-session;
### }
family {
ipv4 unicast;
}
static {
route 10.0.0.1/32 next-hop self;
route 10.0.0/24 origin IGP as-path [10 20 30 30 30 ] next-hop 192.168.2.1;
route 172.10.0.0/22 next-hop 192.168.2.1 med 200 community [30303:30303] split /24;
route 9.9.9.9/32 next-hop 192.168.2.1 extended-community [ target:120000L:123 origin:130000:1234 ];
}
}
### Or
announce {
ipv4 {
unicast 10.0..0/24 next-hop 192.168.2.1 local-preference 200 community 30303:30303;
}
}
A direct API command (via exabgcli <- for systemd https://github.com/Exa-Networks/exabgp/blob/master/etc/systemd/exabgp.service)
announce route 10.0.0/24 origin IGP as-path [10 20 30 30 30 ] next-hop 192.168.2.1
2 servers; preview VIP is assigned as secondary IP; nginx listening on this "VIP"; if no output from curl == stop announcing VIP i.e. no incoming connections (ToDo: more detailed explanation about healthcheck and route announce)
process service-nginx {
run python3 -m exabgp healthcheck -s --name nginx --cmd "curl --fail --verbose --max-time 2 http://localhost" --start-ip 0;
encoder text;
}
neighbor 192.168.0.1 {
router-id 192.168.0.10;
local-address 192.168.0.10;
local-as 12345;
peer-as 12345;
api services {
processes [ service-nginx ];
}
}
ExaBGP could be used for DDoS protection (with NetFlow/syslog/monitoring), Internet Watch Inerception, Traffic Engineering, Server's HA and any other SDN variations
Some useful links:
https://github.com/Exa-Networks/exabgp
https://vincent.bernat.ch/en/blog/2013-exabgp-highavailability
https://thepacketgeek.com/exabgp/
Part 1 : https://www.dasblinkenlichten.com/working-with-exabgp-4/
Part 2: https://www.dasblinkenlichten.com/building-static-routes-with-exabgp/
https://blog.plessis.info/blog/2020/02/11/haproxy-exabgp.html
Simple example from developer:
neighbor 192.168.127.128 {
description "will flap a route until told otherwise";
router-id 198.111.227.39;
local-address 192.168.127.1;
local-as 65533;
peer-as 65533;
### add and remove routes when flap.sh prints
### flap.sh should produce readable for ExaBGP output
### in proper ExaBGP API syntax
process loving-flaps {
run etc/processes/flap.sh;
}
1 - take your favourite language : perl, python, lua, C, shell, french !
2 - create a forever loop3 - print what you want to do ...
#!/bin/sh
# ignore Control C
trap
'' SIGINT
while `true`;
### that echo result is understandable for ExaBGP API
do echo "announce route 192.0.2.1 next-hop 10.0.0.1"
sleep 10
echo "withdraw route 192.0.2.1 next-hop 10.0.0.1"
sleep 10
done
| Real life example: | |||||||||
neighbor 10.255.1.254 {
router-id 10.255.42.1;
local-as 65042;
peer-as 65001;
api services {
processes [ watch-loghost, watch-mailhost ];
}
}
process watch-loghost {
encoder text;
run python -m exabgp healthcheck --cmd "nc -z -w2 -u localhost 514" --no-syslog --label loghost --withdraw-on-down --ip 10.255.255.1/32;
}
process watch-mailhost {
encoder text;
run python -m exabgp healthcheck --cmd "nc -z -w2 localhost 25" --no-syslog --label mailhost --withdraw-on-down --ip 10.255.255.2/32;
}
