book

Linux Firewalls

by Michael Rash

September 2007

Intermediate to advanced

336 pages

9h 7m

English

No Starch Press

Read now

Unlock full access

Why Detect Attacks with iptables?What About Dedicated Network Intrusion Detection Systems?Defense in Depth
iptables

TablesChainsMatchesTargets
Essential Netfilter Compilation OptionsCore Netfilter ConfigurationIP: Netfilter ConfigurationFinishing the Kernel ConfigurationLoadable Kernel Modules vs. Built-in Compilation and Security
Policy Requirementsiptables.sh Script PreambleThe INPUT ChainThe OUTPUT ChainThe FORWARD ChainNetwork Address TranslationActivating the Policyiptables-save and iptables-restoreTesting the Policy: TCPTesting the Policy: UDPTesting the Policy: ICMP
Logging Network Layer Headers with iptablesLogging the IP HeaderLogging IP OptionsLogging ICMP
Nmap ICMP PingIP SpoofingIP FragmentationLow TTL ValuesThe Smurf AttackDDoS AttacksLinux Kernel IGMP Attack
Network Layer Filtering ResponseNetwork Layer Thresholding ResponseCombining Responses Across Layers
Logging Transport Layer Headers with iptablesLogging the TCP HeaderLogging the UDP Header
Port ScansMatching Port Scans to Vulnerable ServicesTCP Port Scan TechniquesTCP connect() ScansTCP SYN or Half-Open ScansTCP FIN, XMAS, and NULL ScansTCP ACK ScansTCP Idle ScansUDP ScansPort SweepsTCP Sequence Prediction AttacksSYN Floods
TCP ResponsesRST vs. RST/ACKIntrusion Detection Systems and RST GenerationSYN CookiesUDP ResponsesFirewall Rules and Router ACLs
Application Layer String Matching with iptablesObserving the String Match Extension in ActionMatching Non-Printable Application Layer Data
Snort SignaturesBuffer Overflow ExploitsSQL Injection AttacksGray Matter HackingPhishingBackdoors and Keystroke Logging
History
Starting and Stopping psadDaemon Process Uniquenessiptables Policy Configurationsyslog Configurationsyslogdsyslog-ngwhois Client
/etc/psad/psad.confEMAIL_ADDRESSESDANGER_LEVEL{n}HOME_NETEXTERNAL_NETSYSLOG_DAEMONCHECK_INTERVALSCAN_TIMEOUTENABLE_PERSISTENCEPORT_RANGE_SCAN_THRESHOLDEMAIL_ALERT_DANGER_LEVELMIN_DANGER_LEVELSHOW_ALL_SIGNATURESALERT_ALLSNORT_SID_STRENABLE_AUTO_IDSIMPORT_OLD_SCANSENABLE_DSHIELD_ALERTSIGNORE_PORTSIGNORE_PROTOCOLSIGNORE_LOG_PREFIXESEMAIL_LIMITALERTING_METHODSFW_MSG_SEARCH/etc/psad/auto_dl/etc/psad/signatures/etc/psad/snort_rule_dl/etc/psad/ip_options/etc/psad/pf.os
Port Scan Detection with psadTCP connect() ScanTCP SYN or Half-Open ScanTCP FIN, XMAS, and NULL ScansUDP Scan
psad Email AlertsScan Danger Level, Ports, and FlagsSource and Destination IP Addressessyslog Hostname, Time Interval, and Summary Informationwhois Database Informationpsad syslog ReportingInformational MessagesScan and Signature Match MessagesAuto-Response Messages
Attack Detection with Snort RulesDetecting the ipEye Port ScannerDetecting the LAND AttackDetecting TCP Port 0 TrafficDetecting Zero TTL TrafficDetecting the Naptha Denial of Service AttackDetecting Source Routing AttemptsDetecting Windows Messenger Pop-up Spam
Active OS Fingerprinting with NmapPassive OS Fingerprinting with p0fEmulating p0f with psadDecoding TCP Options from iptables Logs
DShield Reporting FormatSample DShield Report
Intrusion Prevention vs. Active Response
Classes of AttacksFalse Positives
FeaturesConfiguration Variables
Active Response Configuration SettingsSYN Scan ResponseUDP Scan ResponseNmap Version ScanFIN Scan ResponseMaliciously Spoofing a Scan
Command-Line InterfaceAdding Blocking RulesRemoving Blocking RulesFlushing All Blocking RulesIntegrating with SwatchIntegrating with Custom Scripts
Why Run fwsnort?Defense in DepthTarget-Based Intrusion Detection and Network Layer DefragmentationLightweight FootprintInline Responses
Nmap command attempt SignatureBleeding Snort "Bancos Trojan" SignaturePGPNet connection attempt Signature
Translating the Snort Rule HeaderSnort Rule HeaderRule Actions and iptables EmulationSnort Actions and AlertingTranslating Snort Rule Options: iptables Packet LoggingSnort Options and iptables Packet Filteringcontenturicontentoffsetdepthdistancewithinflagsitype and icodettltosipoptsdsizeip_protoflowreplacerespUnsupported Snort Rule Options
Installing fwsnort
Configuration File for fwsnortStructure of fwsnort.shTCP Connection States and fwsnort ChainsSignature Inspection and Log GenerationActivating the fwsnort Chains with Jump RulesCommand-Line Options for fwsnort
Detecting the Trin00 DDoS ToolDetecting Linux Shellcode TrafficDetecting and Reacting to the Dumador TrojanDetecting and Reacting to a DNS Cache-Poisoning Attack
Tying fwsnort Detection to psad OperationsWEB-PHP Setup.php access AttackDetecting the Attack with fwsnortAlerting with psadTCP FlagsReporting Application Layer ContentSnort Rule ID, Message, and Reference Information
psad vs. fwsnortRestricting psad Responses to Attacks Detected by fwsnortCombining fwsnort and psad ResponsesDROP vs. REJECT TargetsIntercepting the Incoming RSTThe NF_DROP Macro
Metasploit Update FeatureMetasploit 3.0 UpdatesMetasploit 2.6 UpdatesSignature DevelopmentBusting Metasploit Updates with fwsnort and psad
Reducing the Attack Surface
Zero-Day Attack DiscoveryImplications for Signature-Based Intrusion DetectionDefense in Depth
Thwarting Nmap and the Target Identification PhaseShared Port-Knocking SequencesEncrypted Port-Knocking SequencesArchitectural Limitations of Port KnockingThe Sequence Replay ProblemMinimal Data Transmission RateKnock Sequences and Port ScansKnock Sequence Busting with Spoofed Packets
Addressing Limitations of Port KnockingArchitectural Limitations of SPAAccess Piggy-Backing via NAT AddressesHTTP and Short-lived Sessions
fwknop Installation
/etc/fwknop/fwknop.confAUTH_MODEPCAP_INTFPCAP_FILTERENABLE_PCAP_PROMISCFIREWALL_TYPEPCAP_PKT_FILEIPT_AUTO_CHAIN1ENABLE_MD5_PERSISTENCEMAX_SPA_PACKET_AGEENABLE_SPA_PACKET_AGINGREQUIRE_SOURCE_ADDRESSEMAIL_ADDRESSESGPG_DEFAULT_HOME_DIRENABLE_TCP_SERVERTCPSERV_PORT/etc/fwknop/access.confSOURCEOPEN_PORTSPERMIT_CLIENT_PORTSENABLE_CMD_EXECCMD_REGEXDATA_COLLECT_MODEREQUIRE_USERNAMEFW_ACCESS_TIMEOUTKEYGPG_DECRYPT_IDGPG_DECRYPT_PWGPG_REMOTE_IDExample /etc/fwknop/access.conf File
SPA via Symmetric EncryptionSPA via Asymmetric EncryptionGnuPG Key Exchange for fwknopRunning fwknop with GnuPG KeysDetecting and Stopping a Replay AttackSpoofing the SPA Packet Source Addressfwknop OpenSSH Integration PatchSPA over Tor
Seeing the Unusual
Gnuplot Graphing DirectivesCombining psad and Gnuplot
Port ScansPort SweepsSlammer WormNachi WormOutbound Connections from Compromised Systems
Connection TrackingSpoofing exploit.rules TrafficSpoofed UDP Attacks

Content preview from Linux Firewalls

Concluding Thoughts

Some people prefer to write scripts to detect when an attacker is trying to brute force a password via SSHD by watching for repeated Authentication failure for root messages reported in /var/log/auth.log (the specific file depends on the configuration of your syslog daemon). This will be of little use, however, if a new buffer overflow vulnerability is discovered within OpenSSH (or another SSH implementation) in a function that is remotely accessible without having to go through the username/password verification process. There are even Snort rules to perform cleartext IDS across an SSH connection in order to detect an attempt to exploit the CRC32 overflow vulnerability reported in Buqtraq number 2347 (see Snort rule IDs 1324, ...