book

Linux Firewalls

by Michael Rash

September 2007

Intermediate to advanced

336 pages

9h 7m

English

No Starch Press

Read now

Unlock full access

Why Detect Attacks with iptables?What About Dedicated Network Intrusion Detection Systems?Defense in Depth
iptables

TablesChainsMatchesTargets
Essential Netfilter Compilation OptionsCore Netfilter ConfigurationIP: Netfilter ConfigurationFinishing the Kernel ConfigurationLoadable Kernel Modules vs. Built-in Compilation and Security
Policy Requirementsiptables.sh Script PreambleThe INPUT ChainThe OUTPUT ChainThe FORWARD ChainNetwork Address TranslationActivating the Policyiptables-save and iptables-restoreTesting the Policy: TCPTesting the Policy: UDPTesting the Policy: ICMP
Logging Network Layer Headers with iptablesLogging the IP HeaderLogging IP OptionsLogging ICMP
Nmap ICMP PingIP SpoofingIP FragmentationLow TTL ValuesThe Smurf AttackDDoS AttacksLinux Kernel IGMP Attack
Network Layer Filtering ResponseNetwork Layer Thresholding ResponseCombining Responses Across Layers
Logging Transport Layer Headers with iptablesLogging the TCP HeaderLogging the UDP Header
Port ScansMatching Port Scans to Vulnerable ServicesTCP Port Scan TechniquesTCP connect() ScansTCP SYN or Half-Open ScansTCP FIN, XMAS, and NULL ScansTCP ACK ScansTCP Idle ScansUDP ScansPort SweepsTCP Sequence Prediction AttacksSYN Floods
TCP ResponsesRST vs. RST/ACKIntrusion Detection Systems and RST GenerationSYN CookiesUDP ResponsesFirewall Rules and Router ACLs
Application Layer String Matching with iptablesObserving the String Match Extension in ActionMatching Non-Printable Application Layer Data
Snort SignaturesBuffer Overflow ExploitsSQL Injection AttacksGray Matter HackingPhishingBackdoors and Keystroke Logging
History
Starting and Stopping psadDaemon Process Uniquenessiptables Policy Configurationsyslog Configurationsyslogdsyslog-ngwhois Client
/etc/psad/psad.confEMAIL_ADDRESSESDANGER_LEVEL{n}HOME_NETEXTERNAL_NETSYSLOG_DAEMONCHECK_INTERVALSCAN_TIMEOUTENABLE_PERSISTENCEPORT_RANGE_SCAN_THRESHOLDEMAIL_ALERT_DANGER_LEVELMIN_DANGER_LEVELSHOW_ALL_SIGNATURESALERT_ALLSNORT_SID_STRENABLE_AUTO_IDSIMPORT_OLD_SCANSENABLE_DSHIELD_ALERTSIGNORE_PORTSIGNORE_PROTOCOLSIGNORE_LOG_PREFIXESEMAIL_LIMITALERTING_METHODSFW_MSG_SEARCH/etc/psad/auto_dl/etc/psad/signatures/etc/psad/snort_rule_dl/etc/psad/ip_options/etc/psad/pf.os
Port Scan Detection with psadTCP connect() ScanTCP SYN or Half-Open ScanTCP FIN, XMAS, and NULL ScansUDP Scan
psad Email AlertsScan Danger Level, Ports, and FlagsSource and Destination IP Addressessyslog Hostname, Time Interval, and Summary Informationwhois Database Informationpsad syslog ReportingInformational MessagesScan and Signature Match MessagesAuto-Response Messages
Attack Detection with Snort RulesDetecting the ipEye Port ScannerDetecting the LAND AttackDetecting TCP Port 0 TrafficDetecting Zero TTL TrafficDetecting the Naptha Denial of Service AttackDetecting Source Routing AttemptsDetecting Windows Messenger Pop-up Spam
Active OS Fingerprinting with NmapPassive OS Fingerprinting with p0fEmulating p0f with psadDecoding TCP Options from iptables Logs
DShield Reporting FormatSample DShield Report
Intrusion Prevention vs. Active Response
Classes of AttacksFalse Positives
FeaturesConfiguration Variables
Active Response Configuration SettingsSYN Scan ResponseUDP Scan ResponseNmap Version ScanFIN Scan ResponseMaliciously Spoofing a Scan
Command-Line InterfaceAdding Blocking RulesRemoving Blocking RulesFlushing All Blocking RulesIntegrating with SwatchIntegrating with Custom Scripts
Why Run fwsnort?Defense in DepthTarget-Based Intrusion Detection and Network Layer DefragmentationLightweight FootprintInline Responses
Nmap command attempt SignatureBleeding Snort "Bancos Trojan" SignaturePGPNet connection attempt Signature
Translating the Snort Rule HeaderSnort Rule HeaderRule Actions and iptables EmulationSnort Actions and AlertingTranslating Snort Rule Options: iptables Packet LoggingSnort Options and iptables Packet Filteringcontenturicontentoffsetdepthdistancewithinflagsitype and icodettltosipoptsdsizeip_protoflowreplacerespUnsupported Snort Rule Options
Installing fwsnort
Configuration File for fwsnortStructure of fwsnort.shTCP Connection States and fwsnort ChainsSignature Inspection and Log GenerationActivating the fwsnort Chains with Jump RulesCommand-Line Options for fwsnort
Detecting the Trin00 DDoS ToolDetecting Linux Shellcode TrafficDetecting and Reacting to the Dumador TrojanDetecting and Reacting to a DNS Cache-Poisoning Attack
Tying fwsnort Detection to psad OperationsWEB-PHP Setup.php access AttackDetecting the Attack with fwsnortAlerting with psadTCP FlagsReporting Application Layer ContentSnort Rule ID, Message, and Reference Information
psad vs. fwsnortRestricting psad Responses to Attacks Detected by fwsnortCombining fwsnort and psad ResponsesDROP vs. REJECT TargetsIntercepting the Incoming RSTThe NF_DROP Macro
Metasploit Update FeatureMetasploit 3.0 UpdatesMetasploit 2.6 UpdatesSignature DevelopmentBusting Metasploit Updates with fwsnort and psad
Reducing the Attack Surface
Zero-Day Attack DiscoveryImplications for Signature-Based Intrusion DetectionDefense in Depth
Thwarting Nmap and the Target Identification PhaseShared Port-Knocking SequencesEncrypted Port-Knocking SequencesArchitectural Limitations of Port KnockingThe Sequence Replay ProblemMinimal Data Transmission RateKnock Sequences and Port ScansKnock Sequence Busting with Spoofed Packets
Addressing Limitations of Port KnockingArchitectural Limitations of SPAAccess Piggy-Backing via NAT AddressesHTTP and Short-lived Sessions
fwknop Installation
/etc/fwknop/fwknop.confAUTH_MODEPCAP_INTFPCAP_FILTERENABLE_PCAP_PROMISCFIREWALL_TYPEPCAP_PKT_FILEIPT_AUTO_CHAIN1ENABLE_MD5_PERSISTENCEMAX_SPA_PACKET_AGEENABLE_SPA_PACKET_AGINGREQUIRE_SOURCE_ADDRESSEMAIL_ADDRESSESGPG_DEFAULT_HOME_DIRENABLE_TCP_SERVERTCPSERV_PORT/etc/fwknop/access.confSOURCEOPEN_PORTSPERMIT_CLIENT_PORTSENABLE_CMD_EXECCMD_REGEXDATA_COLLECT_MODEREQUIRE_USERNAMEFW_ACCESS_TIMEOUTKEYGPG_DECRYPT_IDGPG_DECRYPT_PWGPG_REMOTE_IDExample /etc/fwknop/access.conf File
SPA via Symmetric EncryptionSPA via Asymmetric EncryptionGnuPG Key Exchange for fwknopRunning fwknop with GnuPG KeysDetecting and Stopping a Replay AttackSpoofing the SPA Packet Source Addressfwknop OpenSSH Integration PatchSPA over Tor
Seeing the Unusual
Gnuplot Graphing DirectivesCombining psad and Gnuplot
Port ScansPort SweepsSlammer WormNachi WormOutbound Connections from Compromised Systems
Connection TrackingSpoofing exploit.rules TrafficSpoofed UDP Attacks

Content preview from Linux Firewalls

Transport Layer Responses

Under certain conditions, the transport layer can issue responses to traffic. Firewalls or other filtering devices can implement filtering operations based on transport layer headers (see the iptables.sh script presented in Chapter 1), manufacture TCP RST or RST/ACK packets to tear down TCP connections, or throttle rates of incoming packets (such as the number of TCP SYN packets in a given period of time).

Note

We will see more active response measures in Chapter 10 and Chapter 11, where we'll show how iptables is used to respond at both the network and transport layers upon detecting application layer attacks.

However, the application layer is where most of the interesting action is these days in terms of breaking into ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781593271411Errata

Linux Firewalls

by Michael Rash

Transport Layer Responses

Note

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Linux Firewalls, Third Edition

Linux Security Cookbook

Linux iptables Pocket Reference

Practical Linux Security Cookbook - Second Edition

Publisher Resources

Transport Layer Responses

Note

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Linux Firewalls, Third Edition

Linux Security Cookbook

Linux iptables Pocket Reference

Practical Linux Security Cookbook - Second Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.