book

Linux Firewalls

Name: Linux Firewalls
Author: Michael Rash
ISBN: 9781593271411

by Michael Rash

September 2007

Intermediate to advanced

336 pages

9h 7m

English

No Starch Press

Read now

Unlock full access

Linux Firewalls
ACKNOWLEDGMENTS
FOREWORD
INTRODUCTION
Why Detect Attacks with iptables?What About Dedicated Network Intrusion Detection Systems?Defense in Depth
Prerequisites
Technical References
About the Website
Chapter Summaries
1. CARE AND FEEDING OF IPTABLES
iptables

Packet Filtering with iptables
TablesChainsMatchesTargets
Installing iptables
Kernel Configuration
Essential Netfilter Compilation OptionsCore Netfilter ConfigurationIP: Netfilter ConfigurationFinishing the Kernel ConfigurationLoadable Kernel Modules vs. Built-in Compilation and Security
Security and Minimal Compilation
Kernel Compilation and Installation
Installing the iptables Userland Binaries
Default iptables Policy
Policy Requirementsiptables.sh Script PreambleThe INPUT ChainThe OUTPUT ChainThe FORWARD ChainNetwork Address TranslationActivating the Policyiptables-save and iptables-restoreTesting the Policy: TCPTesting the Policy: UDPTesting the Policy: ICMP
Concluding Thoughts
2. NETWORK LAYER ATTACKS AND DEFENSE
Logging Network Layer Headers with iptablesLogging the IP HeaderLogging IP OptionsLogging ICMP
Network Layer Attack Definitions
Abusing the Network Layer
Nmap ICMP PingIP SpoofingIP FragmentationLow TTL ValuesThe Smurf AttackDDoS AttacksLinux Kernel IGMP Attack
Network Layer Responses
Network Layer Filtering ResponseNetwork Layer Thresholding ResponseCombining Responses Across Layers
3. TRANSPORT LAYER ATTACKS AND DEFENSE
Logging Transport Layer Headers with iptablesLogging the TCP HeaderLogging the UDP Header
Transport Layer Attack Definitions
Abusing the Transport Layer
Port ScansMatching Port Scans to Vulnerable ServicesTCP Port Scan TechniquesTCP connect() ScansTCP SYN or Half-Open ScansTCP FIN, XMAS, and NULL ScansTCP ACK ScansTCP Idle ScansUDP ScansPort SweepsTCP Sequence Prediction AttacksSYN Floods
Transport Layer Responses
TCP ResponsesRST vs. RST/ACKIntrusion Detection Systems and RST GenerationSYN CookiesUDP ResponsesFirewall Rules and Router ACLs
4. APPLICATION LAYER ATTACKS AND DEFENSE
Application Layer String Matching with iptablesObserving the String Match Extension in ActionMatching Non-Printable Application Layer Data
Application Layer Attack Definitions
Abusing the Application Layer
Snort SignaturesBuffer Overflow ExploitsSQL Injection AttacksGray Matter HackingPhishingBackdoors and Keystroke Logging
Encryption and Application Encodings
Application Layer Responses
5. INTRODUCING PSAD: THE PORT SCAN ATTACK DETECTOR
History
Why Analyze Firewall Logs?
psad Features
psad Installation
psad Administration
Starting and Stopping psadDaemon Process Uniquenessiptables Policy Configurationsyslog Configurationsyslogdsyslog-ngwhois Client
psad Configuration
/etc/psad/psad.confEMAIL_ADDRESSESDANGER_LEVEL{n}HOME_NETEXTERNAL_NETSYSLOG_DAEMONCHECK_INTERVALSCAN_TIMEOUTENABLE_PERSISTENCEPORT_RANGE_SCAN_THRESHOLDEMAIL_ALERT_DANGER_LEVELMIN_DANGER_LEVELSHOW_ALL_SIGNATURESALERT_ALLSNORT_SID_STRENABLE_AUTO_IDSIMPORT_OLD_SCANSENABLE_DSHIELD_ALERTSIGNORE_PORTSIGNORE_PROTOCOLSIGNORE_LOG_PREFIXESEMAIL_LIMITALERTING_METHODSFW_MSG_SEARCH/etc/psad/auto_dl/etc/psad/signatures/etc/psad/snort_rule_dl/etc/psad/ip_options/etc/psad/pf.os
Concluding Thoughts
6. PSAD OPERATIONS: DETECTING SUSPICIOUS TRAFFIC
Port Scan Detection with psadTCP connect() ScanTCP SYN or Half-Open ScanTCP FIN, XMAS, and NULL ScansUDP Scan
Alerts and Reporting with psad
psad Email AlertsScan Danger Level, Ports, and FlagsSource and Destination IP Addressessyslog Hostname, Time Interval, and Summary Informationwhois Database Informationpsad syslog ReportingInformational MessagesScan and Signature Match MessagesAuto-Response Messages
Concluding Thoughts
7. ADVANCED PSAD TOPICS: FROM SIGNATURE MATCHING TO OS FINGERPRINTING
Attack Detection with Snort RulesDetecting the ipEye Port ScannerDetecting the LAND AttackDetecting TCP Port 0 TrafficDetecting Zero TTL TrafficDetecting the Naptha Denial of Service AttackDetecting Source Routing AttemptsDetecting Windows Messenger Pop-up Spam
psad Signature Updates
OS Fingerprinting
Active OS Fingerprinting with NmapPassive OS Fingerprinting with p0fEmulating p0f with psadDecoding TCP Options from iptables Logs
DShield Reporting
DShield Reporting FormatSample DShield Report
Viewing psad Status Output
Forensics Mode
Verbose/Debug Mode
Concluding Thoughts
8. ACTIVE RESPONSE WITH PSAD
Intrusion Prevention vs. Active Response
Active Response Trade-offs
Classes of AttacksFalse Positives
Responding to Attacks with psad
FeaturesConfiguration Variables
Active Response Examples
Active Response Configuration SettingsSYN Scan ResponseUDP Scan ResponseNmap Version ScanFIN Scan ResponseMaliciously Spoofing a Scan
Integrating psad Active Response with Third-Party Tools
Command-Line InterfaceAdding Blocking RulesRemoving Blocking RulesFlushing All Blocking RulesIntegrating with SwatchIntegrating with Custom Scripts
Concluding Thoughts
9. TRANSLATING SNORT RULES INTO IPTABLES RULES
Why Run fwsnort?Defense in DepthTarget-Based Intrusion Detection and Network Layer DefragmentationLightweight FootprintInline Responses
Signature Translation Examples
Nmap command attempt SignatureBleeding Snort "Bancos Trojan" SignaturePGPNet connection attempt Signature
The fwsnort Interpretation of Snort Rules
Translating the Snort Rule HeaderSnort Rule HeaderRule Actions and iptables EmulationSnort Actions and AlertingTranslating Snort Rule Options: iptables Packet LoggingSnort Options and iptables Packet Filteringcontenturicontentoffsetdepthdistancewithinflagsitype and icodettltosipoptsdsizeip_protoflowreplacerespUnsupported Snort Rule Options
Concluding Thoughts
10. DEPLOYING FWSNORT
Installing fwsnort
Running fwsnort
Configuration File for fwsnortStructure of fwsnort.shTCP Connection States and fwsnort ChainsSignature Inspection and Log GenerationActivating the fwsnort Chains with Jump RulesCommand-Line Options for fwsnort
Observing fwsnort in Action
Detecting the Trin00 DDoS ToolDetecting Linux Shellcode TrafficDetecting and Reacting to the Dumador TrojanDetecting and Reacting to a DNS Cache-Poisoning Attack
Setting Up Whitelists and Blacklists
Concluding Thoughts
11. COMBINING PSAD AND FWSNORT
Tying fwsnort Detection to psad OperationsWEB-PHP Setup.php access AttackDetecting the Attack with fwsnortAlerting with psadTCP FlagsReporting Application Layer ContentSnort Rule ID, Message, and Reference Information
Revisiting Active Response
psad vs. fwsnortRestricting psad Responses to Attacks Detected by fwsnortCombining fwsnort and psad ResponsesDROP vs. REJECT TargetsIntercepting the Incoming RSTThe NF_DROP Macro
Thwarting Metasploit Updates
Metasploit Update FeatureMetasploit 3.0 UpdatesMetasploit 2.6 UpdatesSignature DevelopmentBusting Metasploit Updates with fwsnort and psad
Concluding Thoughts
12. PORT KNOCKING VS. SINGLE PACKET AUTHORIZATION
Reducing the Attack Surface
The Zero-Day Attack Problem
Zero-Day Attack DiscoveryImplications for Signature-Based Intrusion DetectionDefense in Depth
Port Knocking
Thwarting Nmap and the Target Identification PhaseShared Port-Knocking SequencesEncrypted Port-Knocking SequencesArchitectural Limitations of Port KnockingThe Sequence Replay ProblemMinimal Data Transmission RateKnock Sequences and Port ScansKnock Sequence Busting with Spoofed Packets
Single Packet Authorization
Addressing Limitations of Port KnockingArchitectural Limitations of SPAAccess Piggy-Backing via NAT AddressesHTTP and Short-lived Sessions
Security Through Obscurity?
Concluding Thoughts
13. INTRODUCING FWKNOP
fwknop Installation
fwknop Configuration
/etc/fwknop/fwknop.confAUTH_MODEPCAP_INTFPCAP_FILTERENABLE_PCAP_PROMISCFIREWALL_TYPEPCAP_PKT_FILEIPT_AUTO_CHAIN1ENABLE_MD5_PERSISTENCEMAX_SPA_PACKET_AGEENABLE_SPA_PACKET_AGINGREQUIRE_SOURCE_ADDRESSEMAIL_ADDRESSESGPG_DEFAULT_HOME_DIRENABLE_TCP_SERVERTCPSERV_PORT/etc/fwknop/access.confSOURCEOPEN_PORTSPERMIT_CLIENT_PORTSENABLE_CMD_EXECCMD_REGEXDATA_COLLECT_MODEREQUIRE_USERNAMEFW_ACCESS_TIMEOUTKEYGPG_DECRYPT_IDGPG_DECRYPT_PWGPG_REMOTE_IDExample /etc/fwknop/access.conf File
fwknop SPA Packet Format
Deploying fwknop
SPA via Symmetric EncryptionSPA via Asymmetric EncryptionGnuPG Key Exchange for fwknopRunning fwknop with GnuPG KeysDetecting and Stopping a Replay AttackSpoofing the SPA Packet Source Addressfwknop OpenSSH Integration PatchSPA over Tor
Concluding Thoughts
14. VISUALIZING IPTABLES LOGS
Seeing the Unusual
Gnuplot
Gnuplot Graphing DirectivesCombining psad and Gnuplot
AfterGlow
iptables Attack Visualizations
Port ScansPort SweepsSlammer WormNachi WormOutbound Connections from Compromised Systems
Concluding Thoughts
A. ATTACK SPOOFING
Connection TrackingSpoofing exploit.rules TrafficSpoofed UDP Attacks
B. A COMPLETE FWSNORT SCRIPT
About the Author
COLOPHON

Content preview from Linux Firewalls

Verbose/Debug Mode

To have a look at the inner workings of psad as it monitors iptables log messages, run psad in a highly verbose mode with the --debug switch:

[iptablesfw]# psad --debug

This instructs psad to not become a daemon; it can then display information on STDERR as it runs. This information includes everything from MAC addresses to passive OS fingerprinting information. Here's a sample of this output:

❶ Jul 11 16:21:31 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:
00:90:1a:a0:1c:ec:08:00 SRC=12.17.X.X DST=71.157.X.X LEN=64 TOS=0x00 PREC=0x00 TTL=43 ID=38577 DF PROTO=TCP SPT=38970 DPT=12754 WINDOW=53760 RES=0x00 SYN URGP=0 OPT (020405B4010303030101080A000000000000000001010402) [+] src mac addr: 00:90:1a:a0:1c:ec [+] dst ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781593271411Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Linux Firewalls

by Michael Rash

Verbose/Debug Mode

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.