book

Linux Firewalls

by Michael Rash

September 2007

Intermediate to advanced

336 pages

9h 7m

English

No Starch Press

Read now

Unlock full access

Why Detect Attacks with iptables?What About Dedicated Network Intrusion Detection Systems?Defense in Depth
iptables

TablesChainsMatchesTargets
Essential Netfilter Compilation OptionsCore Netfilter ConfigurationIP: Netfilter ConfigurationFinishing the Kernel ConfigurationLoadable Kernel Modules vs. Built-in Compilation and Security
Policy Requirementsiptables.sh Script PreambleThe INPUT ChainThe OUTPUT ChainThe FORWARD ChainNetwork Address TranslationActivating the Policyiptables-save and iptables-restoreTesting the Policy: TCPTesting the Policy: UDPTesting the Policy: ICMP
Logging Network Layer Headers with iptablesLogging the IP HeaderLogging IP OptionsLogging ICMP
Nmap ICMP PingIP SpoofingIP FragmentationLow TTL ValuesThe Smurf AttackDDoS AttacksLinux Kernel IGMP Attack
Network Layer Filtering ResponseNetwork Layer Thresholding ResponseCombining Responses Across Layers
Logging Transport Layer Headers with iptablesLogging the TCP HeaderLogging the UDP Header
Port ScansMatching Port Scans to Vulnerable ServicesTCP Port Scan TechniquesTCP connect() ScansTCP SYN or Half-Open ScansTCP FIN, XMAS, and NULL ScansTCP ACK ScansTCP Idle ScansUDP ScansPort SweepsTCP Sequence Prediction AttacksSYN Floods
TCP ResponsesRST vs. RST/ACKIntrusion Detection Systems and RST GenerationSYN CookiesUDP ResponsesFirewall Rules and Router ACLs
Application Layer String Matching with iptablesObserving the String Match Extension in ActionMatching Non-Printable Application Layer Data
Snort SignaturesBuffer Overflow ExploitsSQL Injection AttacksGray Matter HackingPhishingBackdoors and Keystroke Logging
History
Starting and Stopping psadDaemon Process Uniquenessiptables Policy Configurationsyslog Configurationsyslogdsyslog-ngwhois Client
/etc/psad/psad.confEMAIL_ADDRESSESDANGER_LEVEL{n}HOME_NETEXTERNAL_NETSYSLOG_DAEMONCHECK_INTERVALSCAN_TIMEOUTENABLE_PERSISTENCEPORT_RANGE_SCAN_THRESHOLDEMAIL_ALERT_DANGER_LEVELMIN_DANGER_LEVELSHOW_ALL_SIGNATURESALERT_ALLSNORT_SID_STRENABLE_AUTO_IDSIMPORT_OLD_SCANSENABLE_DSHIELD_ALERTSIGNORE_PORTSIGNORE_PROTOCOLSIGNORE_LOG_PREFIXESEMAIL_LIMITALERTING_METHODSFW_MSG_SEARCH/etc/psad/auto_dl/etc/psad/signatures/etc/psad/snort_rule_dl/etc/psad/ip_options/etc/psad/pf.os
Port Scan Detection with psadTCP connect() ScanTCP SYN or Half-Open ScanTCP FIN, XMAS, and NULL ScansUDP Scan
psad Email AlertsScan Danger Level, Ports, and FlagsSource and Destination IP Addressessyslog Hostname, Time Interval, and Summary Informationwhois Database Informationpsad syslog ReportingInformational MessagesScan and Signature Match MessagesAuto-Response Messages
Attack Detection with Snort RulesDetecting the ipEye Port ScannerDetecting the LAND AttackDetecting TCP Port 0 TrafficDetecting Zero TTL TrafficDetecting the Naptha Denial of Service AttackDetecting Source Routing AttemptsDetecting Windows Messenger Pop-up Spam
Active OS Fingerprinting with NmapPassive OS Fingerprinting with p0fEmulating p0f with psadDecoding TCP Options from iptables Logs
DShield Reporting FormatSample DShield Report
Intrusion Prevention vs. Active Response
Classes of AttacksFalse Positives
FeaturesConfiguration Variables
Active Response Configuration SettingsSYN Scan ResponseUDP Scan ResponseNmap Version ScanFIN Scan ResponseMaliciously Spoofing a Scan
Command-Line InterfaceAdding Blocking RulesRemoving Blocking RulesFlushing All Blocking RulesIntegrating with SwatchIntegrating with Custom Scripts
Why Run fwsnort?Defense in DepthTarget-Based Intrusion Detection and Network Layer DefragmentationLightweight FootprintInline Responses
Nmap command attempt SignatureBleeding Snort "Bancos Trojan" SignaturePGPNet connection attempt Signature
Translating the Snort Rule HeaderSnort Rule HeaderRule Actions and iptables EmulationSnort Actions and AlertingTranslating Snort Rule Options: iptables Packet LoggingSnort Options and iptables Packet Filteringcontenturicontentoffsetdepthdistancewithinflagsitype and icodettltosipoptsdsizeip_protoflowreplacerespUnsupported Snort Rule Options
Installing fwsnort
Configuration File for fwsnortStructure of fwsnort.shTCP Connection States and fwsnort ChainsSignature Inspection and Log GenerationActivating the fwsnort Chains with Jump RulesCommand-Line Options for fwsnort
Detecting the Trin00 DDoS ToolDetecting Linux Shellcode TrafficDetecting and Reacting to the Dumador TrojanDetecting and Reacting to a DNS Cache-Poisoning Attack
Tying fwsnort Detection to psad OperationsWEB-PHP Setup.php access AttackDetecting the Attack with fwsnortAlerting with psadTCP FlagsReporting Application Layer ContentSnort Rule ID, Message, and Reference Information
psad vs. fwsnortRestricting psad Responses to Attacks Detected by fwsnortCombining fwsnort and psad ResponsesDROP vs. REJECT TargetsIntercepting the Incoming RSTThe NF_DROP Macro
Metasploit Update FeatureMetasploit 3.0 UpdatesMetasploit 2.6 UpdatesSignature DevelopmentBusting Metasploit Updates with fwsnort and psad
Reducing the Attack Surface
Zero-Day Attack DiscoveryImplications for Signature-Based Intrusion DetectionDefense in Depth
Thwarting Nmap and the Target Identification PhaseShared Port-Knocking SequencesEncrypted Port-Knocking SequencesArchitectural Limitations of Port KnockingThe Sequence Replay ProblemMinimal Data Transmission RateKnock Sequences and Port ScansKnock Sequence Busting with Spoofed Packets
Addressing Limitations of Port KnockingArchitectural Limitations of SPAAccess Piggy-Backing via NAT AddressesHTTP and Short-lived Sessions
fwknop Installation
/etc/fwknop/fwknop.confAUTH_MODEPCAP_INTFPCAP_FILTERENABLE_PCAP_PROMISCFIREWALL_TYPEPCAP_PKT_FILEIPT_AUTO_CHAIN1ENABLE_MD5_PERSISTENCEMAX_SPA_PACKET_AGEENABLE_SPA_PACKET_AGINGREQUIRE_SOURCE_ADDRESSEMAIL_ADDRESSESGPG_DEFAULT_HOME_DIRENABLE_TCP_SERVERTCPSERV_PORT/etc/fwknop/access.confSOURCEOPEN_PORTSPERMIT_CLIENT_PORTSENABLE_CMD_EXECCMD_REGEXDATA_COLLECT_MODEREQUIRE_USERNAMEFW_ACCESS_TIMEOUTKEYGPG_DECRYPT_IDGPG_DECRYPT_PWGPG_REMOTE_IDExample /etc/fwknop/access.conf File
SPA via Symmetric EncryptionSPA via Asymmetric EncryptionGnuPG Key Exchange for fwknopRunning fwknop with GnuPG KeysDetecting and Stopping a Replay AttackSpoofing the SPA Packet Source Addressfwknop OpenSSH Integration PatchSPA over Tor
Seeing the Unusual
Gnuplot Graphing DirectivesCombining psad and Gnuplot
Port ScansPort SweepsSlammer WormNachi WormOutbound Connections from Compromised Systems
Connection TrackingSpoofing exploit.rules TrafficSpoofed UDP Attacks

Content preview from Linux Firewalls

Chapter 7. ADVANCED PSAD TOPICS: FROM SIGNATURE MATCHING TO OS FINGERPRINTING

So far we've seen that psad analyzes iptables log messages in order to detect port scans. In this chapter we will extend the theme of attack detection much further; certain attacks that match signatures in the Snort signature set can be detected, and remote operating systems can be fingerprinted in some cases. We will also show how to extract verbose status information from psad, and we'll introduce the DShield reporting capability.

Attack Detection with Snort Rules

Because the iptables logging format is so complete, psad can detect traffic that matches Snort rules that lack application layer match criteria. For example, consider the following Snort rule, which looks for ...