OpenWrt Forum Archive

Topic: Itus Shield Pro

The content of this topic has been archived between 10 Apr 2018 and 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Welcome Shield Pro owners!

Notice: If you've found this, you're interested in Shield Pro. Users have set up another location to continue discussion, file storage and community aided troubleshooting here: http://itus.accessinnov.com/
Join us!

This is a spot for exchange of hints, fixes, enhancements, hacks and whatever that relates to the Itus Shield Pro home network security appliance.

About the Shield...

Shield is based on a Cavium Octeon Dual-Core MIPS64 (2x1.0 GHz) processor, with a custom board containing three gigabit ethernet ports, 1gb of DDR3 RAM and 4gb of eMMC internal storage, and a RJ45 Serial Console port. Early models also contained a SD Card slot. The system was shipped running OpenWRT 15 - Chaos Calmer, with customizations that create a security device capable of running OpenVPN, E2Guardian, Snort, Squid, Suricata, StrongSwan and other internet security applications. The system has an external slider switch to select from different operating modes: Router, Bridge or Gateway. As of this writing, the current firmware is v1.51 SP1.

Following are a few of the documents provided by Itus after the Shield was launched:

Shield Pro Administrator's Guide: http://1drv.ms/20eDDZh

Shield Pro Quick Start Guide: http://1drv.ms/20eDOnk

Shield Pro SSL VPN Dynamic DNS Setup Guide: http://1drv.ms/20eDV2a

Original 1.51 SP1 firmware Install script: http://1drv.ms/1Vy8Tvs
(this file is the original firmware install script provided by Itus. It is unlikely the links will remain live, so the binaries are attached in the package below)

Modified 1.51 SP1 firmware install script (local install script, may have issues - use at your own risk): http://1drv.ms/1UtjhV6
(this package contains a modified install script, router.tar.gz, and ItusrestoreImage files for v1.51 SP1)

fw_upgrade script file that runs on Shield for nightly updates to IPS and WF signatures: http://1drv.ms/1WU2Jaz
(open the file and read the important information at the top on how to use this script)

Following are excerpts from threads at the original support forum copied here to capture key information:

HowTo: Bridge Mode DNS for Web Filter: http://1drv.ms/1Vy8BEZ

HowTo: PS4 Connectivity Issues: http://1drv.ms/1Vy8IAj

HowTo: GeoIP for Router Mode: http://1drv.ms/1Vy8HfK

HowTo: Update OpenSSL to 1.0.23: http://1drv.ms/1Vy8NUQ

(Last edited by Wisiwyg on 1 Mar 2016, 19:19)

I'm glad you posted this!

We (Shield owners) are worried that ITUS may have gone under...they're no longer selling the Shield on their website and they've shut down their eBay operations, Facebook page, and twitter. More details here - https://packetinspector.org/showthread.php?tid=772.

Since it is powered by OpenWRT on a Cavium CPU (Octeon III) we're hoping that the community will pick things up should they really be kaput!

More info: http://www.prnewswire.com/news-releases … 72298.html

It's a great piece of hardware (I now have 2 - one for my Mom's and one for my Dad's - which I am about to build).

(Last edited by sk3tch on 30 Jan 2016, 03:39)

Thanks for the post. I have bookmarked this page.

ITUS looks to be confirmed "out of business" -

https://twitter.com/padresj/status/693288762571255809

Their forum (packetinspector.org) will expire in early February, so we're hoping we can get users to post here, instead.

(Last edited by sk3tch on 30 Jan 2016, 06:27)

Sad news indeed.  I plan to keep my shield running in Bridge mode for as long as possible.  What's the best way to check that updates are being received?

I really hate to see Itus go under, was such a great idea/product. Thanks guys for starting this, I will monitor the forum to see what develops. My Shield is currently powered down, will probably power it back up with maybe 1 PC attached to see how it is doing.

Itus is not dead yet, let's hope they sort this out.

How to upgrade the Shield Pro Firmware SP1
Video of these steps can be found here: https://www.youtube.com/watch?v=p-CJmGL7ayQ

This is only required if your Shield is running v1.0 or RC2. After upgrading to the latest version (v1.51) this procedure will no longer be necessary for firmware upgrades.

SP 1 v1.51 Upgrade Instructions:

1. Download Putty - http://www.putty.org/
   Note: If you are using a Mac computer, you do not need to use putty.

2. If the Shield is not already in Router Mode, follow the instructions below

    Flip mode switch on the Shield to "R" for Router Mode and reboot
    Connect Shield eth0 to router's LAN
    Connect Shield eth2 to your computer

3. Check that your computer can access the internet

4. Enable Shield Advanced Mode

    Login to the Shield's Web GUI
    Go to Status -> ITUS Settings
    Change "Show Advanced Mode" to Yes
    Click "Save & Apply"

5. Enable SSH/Dropbear

    Go to System -> Administration
    Click on the 'Add' button under 'Dropbear Instance'
    Set Interface to lan
    Click 'Save and Apply.'

6. Cycle Firewall

    Go to System -> Startup
    Locate firewall and click "Restart"

7. Establish SSH Connection to Shield
Note: If you are using a Mac computer, you do not need to use putty. Instead, open a terminal and type 'ssh root@10.10.10.10' into the command prompt.

    Open Putty
    HostName: 10.10.10.10
    Port: 22
    Connection Type: SSH
    Click "Open"
    Click "Yes" in the warning window
    Login as: root
    Password: Same as Web GUI password

8. Upgrade Shield To SP1

    Copy the upgrade script from your browser (https://itus.io/wp-content/uploads/2015/...pgrade.txt)
    Paste into SSH terminal

9. Wait for firmware download to complete.

10. Reboot Shield

11. Wait 5-10 Minutes

12. Enjoy!

We are here to help! If you need assistance in upgrading, please open a support ticket at https://ITUS.io/support/#Help

All,
We are still working to find the final resolution to your PS4 issues. In the meantime, please use the instructions below as a workaround until we can provide a final resolution.

Note: These instructions put the PS4 (or whatever is at that IP) onto a DMZ that has direct connection to the internet. There's no filtering or protection, it bypasses Shield services.

Set PS4 to Static IP Address:

1) Set the PS4 to a static IP outside of DHCP range (Click here to learn how to set the static IP Address)
     Note: The below IPs will be different if you have changed the default IP address of the Shield
     
      Router Mode
      Static IP: 10.10.10.50
      Subnet Mask: 255.255.255.0
      Default Gateway: 10.10.10.10

      Bridge Mode
      Static IP: X.X.X.50 (X=Your Router's Network)
      Subnet Mask: Your Router's Subnet
      Default Gateway: Router's IP Address

Apply Custom Firewall Rules:

1) Login to Shield Web GUI
2) Network -> Firewall -> Custom Rules
3) Copy and paste the below two rules into the bottom of the file
      iptables -I FORWARD -s 10.10.10.50 -j ACCEPT
      iptables -I FORWARD -d 10.10.10.50 -j ACCEPT
4) Click "Submit"

Greetings. It looks like you all are newcomers migrating from some forums to here. If so, I am pleased to have encountered you all here.

TBH, I never recall hearing of ITUS Shield Pro until this discussion topic. As such, I have no idea what this device can do. So, can anyone please educate me what this device can do or at least provide some links to its documentation? Thank you.

mazilo wrote:

Greetings. It looks like you all are newcomers migrating from some forums to here. If so, I am pleased to have encountered you all here.

TBH, I never recall hearing of ITUS Shield Pro until this discussion topic. As such, I have no idea what this device can do. So, can anyone please educate me what this device can do or at least provide some links to its documentation? Thank you.

Thanks for the welcome!

This is probably one of the best technical articles that I have found: http://linuxgizmos.com/cavium-adds-open … cteon-iii/

The ITUS Shield Pro is a designed-for-home-users UTM with a Snort IPS and a squid proxy (and the usual firewall features and things like DHCP) - it runs OpenWRT so we're hoping that even though the company looks to be out of business, that we can still support it as a community. They're great little devices.

Pez for scale. :)
[Image: ITUS Shield Pro]

Hello Mazilo and thanks for welcoming us. 

Yes, it appears ITUS Networks is no more and we wanted to keep our devices up and working for as long as we can.  If you are interested in what the Shield is, the ITUS home page ( https://itus.io/shield-pro/ ) should help.   

Thanks again.

Carlos.

sk3tch wrote:
mazilo wrote:

Greetings. It looks like you all are newcomers migrating from some forums to here. If so, I am pleased to have encountered you all here.

TBH, I never recall hearing of ITUS Shield Pro until this discussion topic. As such, I have no idea what this device can do. So, can anyone please educate me what this device can do or at least provide some links to its documentation? Thank you.

Thanks for the welcome!

This is probably one of the best technical articles that I have found: http://linuxgizmos.com/cavium-adds-open … cteon-iii/

The ITUS Shield Pro is a designed-for-home-users UTM with a Snort IPS and a squid proxy (and the usual firewall features and things like DHCP) - it runs OpenWRT so we're hoping that even though the company looks to be out of business, that we can still support it as a community. They're great little devices.

Pez for scale. :)
[Image: ITUS Shield Pro]

Thanks Sk3tch for the very nice find.

All,

I was wondering if anyone can provide guidance on a good console adapter or cable for the Shield that is compatible with Macs? 

Thank you all in advance. 

Carlos.

Hi all -- I just joined. I'm really sad to hear about Itus going under. Great people and a great product idea. And now I'm having technical issues with my shield and cannot solve them on my own after many hours trying. I searched and didn't see a good place to post problems on this forum for possible help. Forgive my ignorance if I'm posting in the wrong place.

My shield (router mode) stopped working two days ago. No reason, just stopped. I tried all the suggestions in other forum posts about rebooting, resetting, restarting my modem, router, and shield. No dice. Tested cables too, and not the problem. Waited the prescribed timeframes for each bootup, including 15 min for Shield

When modem is connected to router without Shield between, everything works great. So problem is isolated to the Shield.

Lights are on, so the Shield appears to be working, and I can access its admin interface. But I can never get the internet connected with Shield in place. So obviously something is wrong

I'm very appreciative of any troubleshooting suggestions you can provide

However, if Itus is no longer, will Shield still get regular 3rd party updates (similar to virus definition updates)? If the current ones will become obsolete, and I cannot get new updates, is there a point in resurrecting my shield (?)

thanks for your insights and kind regards,
-Rob

I've had good experience with the Cisco Console Cable USB RJ45 6ft FTDI Windows 8, 7, Vista, MAC, Linux RS232 US. Got it from Ebay but you can also find it on Amazon.

Make sure to set the com to baud = 1152000, data bits = 8, stop bits = 1, parity = none, flow control = XON/XOFF

cheers, Trblz (on Itus: Hans)

(Last edited by trblz on 30 Jan 2016, 21:26)

Stangrunner

I have the same cable and it works fine on windows and linux, came with disk for windows drivers.

Andy (Roadrunnere42 itus forum)

Thanks everyone for the console cable tips.

sk3tch wrote:

This is probably one of the best technical articles that I have found: http://linuxgizmos.com/cavium-adds-open … cteon-iii/

It really is a nice piece of hardware. Unfortunately, it is beyond my budget. Nevertheless, I thank you for such information.

Hi Mazilo,

Thank you for that kind welcome!!

Yep, it is a nice piece of hardware and the software is doing what it should. Yes, it has some minor things that haven't gotten worked out, but as a community we may be able to get it fixed.

Re budget, I'd keep an eye on eBay (and I *am* keeping one on it!) for people selling because they don't want to put in the effort to keep it going or can't wrap their heads around it. There are already one or two out there (at usury prices!) trying to sell before word gets widespread about Itus' plight. But there will be more that should be at reasonable asking price.

For me, I considered running Snort in my Asus router, but felt with a family of 4 and a 125mb pipe, it wouldn't handle the throughput. So this is a great solution.

(Last edited by Wisiwyg on 31 Jan 2016, 00:58)

Turrican2 wrote:

Sad news indeed.  I plan to keep my shield running in Bridge mode for as long as possible.  What's the best way to check that updates are being received?

The last fw_upgrade script provided by Itus puts the Shield in autopilot mode - everything happens, as far as signature updates, with no intervention required. If you're wanting to check to see if it is updated - log on to LuCI and check the Status page. It should show you the current day's date. The script runs around 3:15 am, unless you've changed the cron job.

roadrunnere42 wrote:

How to upgrade the Shield Pro Firmware SP1

8. Upgrade Shield To SP1

    Copy the upgrade script from your browser (https://itus.io/wp-content/uploads/2015/...pgrade.txt)
    Paste into SSH terminal

Hi @roadrunnere42!

Heads up that the link to the script is dead - I think it is more an issue of copying over the information as I was able to go to the link from the original thread. I've included the script referenced above in the first post in one of the download links titled "Original 1.51 SP1 Firmware Install Script", just in case!

Thank you for putting the detailed information here!

(Last edited by Wisiwyg on 31 Jan 2016, 01:41)

robj wrote:

Hi all -- I just joined. I'm really sad to hear about Itus going under. Great people and a great product idea. And now I'm having technical issues with my shield and cannot solve them on my own after many hours trying. I searched and didn't see a good place to post problems on this forum for possible help. Forgive my ignorance if I'm posting in the wrong place.

My shield (router mode) stopped working two days ago. No reason, just stopped. I tried all the suggestions in other forum posts about rebooting, resetting, restarting my modem, router, and shield. No dice. Tested cables too, and not the problem. Waited the prescribed timeframes for each bootup, including 15 min for Shield

When modem is connected to router without Shield between, everything works great. So problem is isolated to the Shield.

Lights are on, so the Shield appears to be working, and I can access its admin interface. But I can never get the internet connected with Shield in place. So obviously something is wrong

I'm very appreciative of any troubleshooting suggestions you can provide

However, if Itus is no longer, will Shield still get regular 3rd party updates (similar to virus definition updates)? If the current ones will become obsolete, and I cannot get new updates, is there a point in resurrecting my shield (?)

thanks for your insights and kind regards,
-Rob

Hi Rob!

Firstly, yes, if you're on 1.51 with the latest fw_upgrade script then Shield will continue to get updates for malicious sites for IPS rules. These are being pulled from rules.emergingthreats.net, an open source Snort rules provider, with the rules being updated daily at emergingthreats. So yes, I'd recommend resurrecting your Shield!

What you described sounds like Snort is not starting. In Router Mode, Shield will still pass internet if Snort doesn't start - traffic just won't get filtered. In Bridge mode, traffic is passed through Snort like a soft switch. The fact that you're getting into the interface through the .111 interface, but no traffic is what points me to a Snort problem.

Try going into the Status, System Log file from the LuCI interface and scroll to the bottom. You're looking for FATAL ERROR, something like the problem described below...


After the upgrade, the system was not connecting. Searching through the logs I found this:

Sun Jan 24 10:01:38 2016 daemon.notice snort[10282]: WARNING: /etc/snort/rules/snort.rules(4349) GID 1 SID 2404000 in rule duplicates previous rule. Ignoring old rule.

Sun Jan 24 10:01:38 2016 daemon.err snort[10282]: FATAL ERROR: /etc/snort/rules/snort.rules(4349) threshold (in rule): could not create threshold - only one per sig_id=2404000.
Sun Jan 24 10:01:38 2016 daemon.info procd: Instance snort::instance1 s in a crash loop 6 crashes, 3 seconds since last crash

I searched through /etc/snort/snort.rules and found this entry listed twice:

drop tcp $HOME_NET any -> [103.225.168.222,104.131.93.109,104.144.167.131,104.144.167.132,104.161.17.17,104.238.141.230,104.238.147.212,106.187.48.236,106.187.99.92,107.161.19.71] any (msg:"ET CNC Shadowserver Reported CnC Server TCP group 1"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404000; rev:4109;)

I commented out the first instance, saved, restarted snort and watched the log. Then this:

Sun Jan 24 10:09:38 2016 daemon.notice snort[10989]: WARNING: /etc/snort/rules/snort.rules(4350) GID 1 SID 2404001 in rule duplicates previous rule. Ignoring old rule.
Sun Jan 24 10:09:38 2016 daemon.err snort[10989]: FATAL ERROR: /etc/snort/rules/snort.rules(4350) threshold (in rule): could not create threshold - only one per sig_id=2404001.

So, looks like a number of duplicates have been introduced into the snort rules. While the log indicates the earlier (old) rule is ignored, it looks like it still causes a fatal exception preventing snort from starting.

Is there a backup of the snort rules stored on the system that I can replace the corrupt file with? Or, is the snort.rules file available for download alone? I don't want to go through this exercise of finding one, commenting out, restarting, to see if there's another one duplicated. It might be as simple as going to the first duplicate instance and deleting everything beneath it.

Also, the script goes to rules.emergingthreats.net to dl update files. That site is blocked by Norton connectsafe, which is running as a DNS filter on my router. Shield would never get to the site to dl a new ruleset.

Further update....

I walked through the snort.rules file and found where it looked like the original fileset had duplicated itself on top. I selected what appeared to be the duplicates and deleted them from the file, effectively the top half of the file's data.

I then went to the router and cleared rules.emergingthreats.net to allow it to pass the DNS filter - basically changed filter providers to Yandex and then navigated to rules.emergingthreats.net to ensure it would pass.

I then restarted Snort. Everything came back up and I had internet access.

I then SSH'd into Shield and manually kicked off fw_upgrade. Everything processed, the system log didn't list a fatal exception. It appears to be running as expected now, except I still received a couple of errors on the script:

rm: can't remove '/tmp/ads.tmp' : No such file or directory
rm: can't remove '/tmp/malicious.tmp' : No such file or directory

Even though it works fine with those errors, I would expect those to exist as I looked through the script and it tries to pull rules for them. I haven't looked at the server to confirm that there are or are not rules available for the script to pull to create those files, though. But for now, I have internet running through Shield again.

(Last edited by Wisiwyg on 31 Jan 2016, 01:27)

Regarding the information above, I also received a request to provide a walk-through of the steps covered in the forensic review.

Disclaimer: I'm not a Snort expert or an IT specialist... I dabble at this for "fun with a purpose".

Prerequisite: Shield is running in Bridge mode, in place with output from modem on eth0, cable from eth1 to your network, cable from eth2 to the WAN port on your router. Shield is powered up, even though you're not getting internet. Basically, have it all set up as it should work normally.

Identify Snort Problem
1) In LuCI, open the System Log at Status/System Log
2) Use the browser's search function and look for "FATAL ERROR". In Firefox it is Ctrl-F.
3) If Fatal Error is found, look at the log to determine whether it occurs in the Snort start-up sequence. It should look like this:
Sun Jan 24 10:01:38 2016 daemon.err snort[10282]: FATAL ERROR: /etc/snort/rules/snort.rules(4349) threshold (in rule): could not create threshold - only one per sig_id=2404000

Problem Found
4) Using WinSCP, open Shield, navigate to /etc/snort/rules and highlight snort.rules. Right click and choose Duplicate and give it a .bak extension. Keep this backup- just in case...
5) In WinSCP still, right click on snort.rules and choose Edit. The file will open and present you with a screen full of text. Make sure your cursor is at the top, left of the text.
6) In WinSCP, press Ctrl-F for Find/Search. Enter the duplicate rule number from step 3 above that generated the Fatal Error. In this case, it is 2404000.
7) Search for the duplicate. Note the Search has an Up and Down function. Once you find the rule once, Search again from that location. If the rule is found a 2nd time (which it should), highlight the line above the 2nd instance and select all of the text back to the top. Delete the highlighted text, leaving the line with the 2nd instance as the 1st line in the resulting list.
8) Save the snort.rules list and exit WinSCP.
9) Reboot, give about 10 minutes for everything to start and internet to come up. If internet doesn't come up, go through the process steps 1-9 above again, eliminating duplicates in the snort.rules file.

It is probably OK to actually delete everything in the rules file except 1 or 2 lines. The purpose of this is to get Snort to come up. In Bridge mode, Snort is in control of internet pass-through. If it doesn't come up properly, internet doesn't pass. Router mode is different. I believe internet will pass, but Snort won't examine traffic. I'm not sure as I don't run in Router mode and have had no experience with it. By wiping everything but 1 or 2 lines, Snort would come up and the whole rules file would be rebuilt after the fw_upgrade script runs.

Other issue?
9) Once internet function is back, open rules.emergingthreats.net in your browser. If you are successful, then the script can get to the location for nearly all of the snort updates. If not, as in my case, you will need to figure out why that site is being blocked. In my case, my Asus router has DNS filter functions that prevented connection. By going there manually, I could see the block message from the router. 

Finally
10) There are additional functions in the nightly script that update the ads and malicious website filters used for the web filter functions. While they don't appear to break Snort, you may want to make sure the sites are available for that function as well. Those sites are listed at the bottom of the fw_upgrade script. Using the steps 4 and 5 above, open /sbin/fw_upgrade with WinSCP in Edit mode. Scroll to the bottom and look through the ####Ads Update#### and ####Malware Update#### sections. Try each of those websites in your browser. If any of them are blocked for some reason, you can either put a '#' in the first position on the line to comment it out or ferret out the reason they're being blocked. You don't have to do this to get Snort to run and get internet back online.

Update Rules
11) Using SSH, log into Shield and manually start the software update by issuing the command "sh /sbin/fw_upgrade". Alternatively, use the built-in LuCI function at Status/Itus Settings/Update Shield to start the upgrade process. It will take about 3-5 minutes to run the update.

Note that WinSCP has a 'terminal' icon that you can click to get a terminal into Shield, but it does not support multiple steps. So, don't use the WinSCP terminal to run the script. There is another icon in WinSCP that will open an instance of PuTTY. If you set this up, then you *can* use the Open PuTTY icon in WinSCP to run the script.

Hope this helps....
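
The find-the-duplicate, delete, restart loop from the walk-through above can be done in one pass over a copy of the rules file. This is an added example, not part of the original posts or of the Itus firmware: the function names and sample file contents are constructed, and it assumes one rule per line, a "sid:<n>;" option on every rule, and that all rules use GID 1.

```shell
#!/bin/sh
# Added example, not Itus code. Assumes one rule per line, each with a
# "sid:<n>;" option, and that every rule uses the default GID 1.

# Print each sig_id named in a Snort "FATAL ERROR ... sig_id=<n>" log line.
fatal_sids() {
    sed -n 's/.*FATAL ERROR:.*sig_id=\([0-9][0-9]*\).*/\1/p' "$1" | sort -un
}

# Print "<sid> <count>" for every SID carried by more than one active rule.
dup_sids() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out rules
        match($0, /sid:[ \t]*[0-9]+/) {
            s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); n[s]++
        }
        END { for (s in n) if (n[s] > 1) print s, n[s] }
    ' "$1" | sort -n
}

# Copy rules file $1 to $2, keeping only the LAST active rule for each SID,
# as the walk-through does by deleting the earlier copy. $1 is not modified.
dedupe_rules() {
    awk '
        function sid_of(line) {
            if (line ~ /^[ \t]*#/ || !match(line, /sid:[ \t]*[0-9]+/)) return ""
            line = substr(line, RSTART, RLENGTH); gsub(/[^0-9]/, "", line)
            return line
        }
        NR == FNR { s = sid_of($0); if (s != "") last[s] = FNR; next }  # pass 1
        { s = sid_of($0); if (s == "" || last[s] == FNR) print }         # pass 2
    ' "$1" "$1" > "$2"
}

# Write constructed sample files into directory $1: a rules file in which the
# rule set has been duplicated on top of itself, and a two-line system log.
write_samples() {
    cat > "$1/snort.rules" <<'EOF'
# constructed sample rules (documentation addresses, shortened options)
drop tcp $HOME_NET any -> 192.0.2.10 any (msg:"sample CnC group 1"; threshold: type limit, track by_src, seconds 3600, count 1; sid:2404000; rev:4108;)
drop tcp $HOME_NET any -> 192.0.2.11 any (msg:"sample CnC group 2"; threshold: type limit, track by_src, seconds 3600, count 1; sid:2404001; rev:4108;)
drop tcp $HOME_NET any -> 192.0.2.10 any (msg:"sample CnC group 1"; threshold: type limit, track by_src, seconds 3600, count 1; sid:2404000; rev:4109;)
drop tcp $HOME_NET any -> 192.0.2.11 any (msg:"sample CnC group 2"; threshold: type limit, track by_src, seconds 3600, count 1; sid:2404001; rev:4109;)
alert tcp any any -> $HOME_NET 22 (msg:"sample unique rule"; sid:1000001; rev:1;)
EOF
    cat > "$1/system.log" <<'EOF'
Sun Jan 24 10:01:38 2016 daemon.notice snort[10282]: WARNING: /etc/snort/rules/snort.rules(4349) GID 1 SID 2404000 in rule duplicates previous rule. Ignoring old rule.
Sun Jan 24 10:01:38 2016 daemon.err snort[10282]: FATAL ERROR: /etc/snort/rules/snort.rules(4349) threshold (in rule): could not create threshold - only one per sig_id=2404000.
EOF
}

# Demo on the constructed samples; on a device the inputs would be a saved
# copy of the system log and /etc/snort/rules/snort.rules.
d=$(mktemp -d)
write_samples "$d"
echo "SIDs in FATAL ERROR lines: $(fatal_sids "$d/system.log")"
echo "Duplicate SIDs (sid count):"; dup_sids "$d/snort.rules"
dedupe_rules "$d/snort.rules" "$d/snort.rules.dedup"
echo "Duplicates left after dedupe: $(dup_sids "$d/snort.rules.dedup" | wc -l)"
rm -rf "$d"
```

Because dedupe_rules writes to a second file, the original stays in place as the backup that step 4 of the walk-through asks for; compare the two before swapping them and restarting Snort.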