Faulty IPS pattern blocks all traffic - How to fix it!
Dear partners and customers,
As you might have noticed, our automated IPS pattern test routine has missed a faulty pattern, which led to the distribution of an IPS pattern that blocked all communication through the Astaro Security Gateway. I personally apologize for this fault.
We will analyze this issue to find the root cause of the problem and how it was able to bypass our test procedures and update them accordingly to prevent such incidents in the future.
In the meantime we have found and fixed the pattern and uploaded the fixed one to our Up2Date servers. But because of the blocked communication, the system will not recover by itself. Please find attached a HowTo explaining how to get a system up and running again.
Again, please accept my apology for this incident.
Founder and VP Products
We have tested that the new IPS patterns on the Up2Date server are fixed and working. If your system is affected, there are two ways to get the updated and fixed patterns:
- WebAdmin (the preferred way)
  - log in to WebAdmin via https://YOUR_ASG_IP:4444
  - go to the left menu item "Network Security"
  - go to the sub menu item "Intrusion Prevention"
  - disable the IPS system (if not already done)
  - go to the last tab "Advanced"
  - click on the green "+" sign under "Modified rules"
  - enter under "Rule ID": 15851 and check "Disable this rule"
  - click "Save"
  - click again on the green "+" sign under "Modified rules"
  - enter under "Rule ID": 16576 and check "Disable this rule"
  - click "Save"
  - go back to the first tab and activate the IPS system again
  This will fix the problem and install the new IPS pattern.
  PLEASE NOTE: Depending on the speed and workload of your ASG, this can take a minute!
- Command line (only for experienced users)
  - log in via SSH or locally on the console
  - become "root"
  - enter "echo 1 > /proc/net/nf_condition/ips"
  That's all. It will do the following:
  * it completely bypasses the IPS system at the lowest level (the ASG is then online again), regardless of whether IPS is activated or deactivated in WebAdmin
  * the new IPS pattern will be fetched and installed
  * the next IPS pattern update, which we will provide later today, will remove this bypass automatically and the ASG will work as configured (with the new pattern)
If your ASG uses ACC as an Up2Date cache: do the same as above on those ASGs if they are affected. Nothing needs to be done on the ACC itself.
If your ASG is not and was not affected, because IPS was turned off during the last 8 hours or the system was offline and therefore did not fetch the corrupt pattern, then no action is needed. The old, corrupt patterns have been removed from the Up2Date server. It is safe to activate IPS now and set the ASG online again to fetch the IPS pattern.