
Linux Firewalls
Attack Detection and Response
Michael Rash(Author)
No Starch Press
Published on 7 September 2007
336 pages
978-1-59327-228-9 (ISBN)
Description
System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection system (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack.
Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You'll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.
Concrete examples illustrate concepts such as firewall log analysis and policies, passive network authentication and authorization, exploit packet traces, Snort ruleset emulation, and more with coverage of these topics:
- Passive network authentication and OS fingerprinting
- iptables log analysis and policies
- Application layer attack detection with the iptables string match extension
- Building an iptables ruleset that emulates a Snort ruleset
- Port knocking vs. Single Packet Authorization (SPA)
- Tools for visualizing iptables logs
Perl and C code snippets offer practical examples that will help you to maximize your deployment of Linux firewalls. If you're responsible for keeping a network secure, you'll find Linux Firewalls invaluable in your attempt to understand attacks and use iptables—along with psad and fwsnort—to detect and even prevent compromises.
More details
Language
English
Place of publication
New York
United States
Product notice
Reflowable
File size
1.32 MB
ISBN-13
978-1-59327-228-9 (9781593272289)
Other editions
Additional editions

Book
09/2007
1st Edition
No Starch Press
€45.00
Person
Michael Rash is a Security Architect on the Dragon Intrusion Detection System with Enterasys Networks, Inc., and is a frequent contributor to open source projects. As the creator of psad, fwknop, and fwsnort, Rash is an expert on firewalls, IDSs, OS fingerprinting, and the Snort rules language. He is co-author of the book Snort 2.1 Intrusion Detection, lead author and technical editor of the book Intrusion Prevention and Active Response, and has written security articles for Linux Journal, SysAdmin, and ;login:.
Content
- Intro
- Linux Firewalls
- ACKNOWLEDGMENTS
- FOREWORD
- INTRODUCTION
- Why Detect Attacks with iptables?
- What About Dedicated Network Intrusion Detection Systems?
- Defense in Depth
- Prerequisites
- Technical References
- About the Website
- Chapter Summaries
- 1. CARE AND FEEDING OF IPTABLES
- iptables
- Packet Filtering with iptables
- Tables
- Chains
- Matches
- Targets
- Installing iptables
- Kernel Configuration
- Essential Netfilter Compilation Options
- Core Netfilter Configuration
- IP: Netfilter Configuration
- Finishing the Kernel Configuration
- Loadable Kernel Modules vs. Built-in Compilation and Security
- Security and Minimal Compilation
- Kernel Compilation and Installation
- Installing the iptables Userland Binaries
- Default iptables Policy
- Policy Requirements
- iptables.sh Script Preamble
- The INPUT Chain
- The OUTPUT Chain
- The FORWARD Chain
- Network Address Translation
- Activating the Policy
- iptables-save and iptables-restore
- Testing the Policy: TCP
- Testing the Policy: UDP
- Testing the Policy: ICMP
- Concluding Thoughts
- 2. NETWORK LAYER ATTACKS AND DEFENSE
- Logging Network Layer Headers with iptables
- Logging the IP Header
- Logging IP Options
- Logging ICMP
- Network Layer Attack Definitions
- Abusing the Network Layer
- Nmap ICMP Ping
- IP Spoofing
- IP Fragmentation
- Low TTL Values
- The Smurf Attack
- DDoS Attacks
- Linux Kernel IGMP Attack
- Network Layer Responses
- Network Layer Filtering Response
- Network Layer Thresholding Response
- Combining Responses Across Layers
- 3. TRANSPORT LAYER ATTACKS AND DEFENSE
- Logging Transport Layer Headers with iptables
- Logging the TCP Header
- Logging the UDP Header
- Transport Layer Attack Definitions
- Abusing the Transport Layer
- Port Scans
- Matching Port Scans to Vulnerable Services
- TCP Port Scan Techniques
- TCP connect() Scans
- TCP SYN or Half-Open Scans
- TCP FIN, XMAS, and NULL Scans
- TCP ACK Scans
- TCP Idle Scans
- UDP Scans
- Port Sweeps
- TCP Sequence Prediction Attacks
- SYN Floods
- Transport Layer Responses
- TCP Responses
- RST vs. RST/ACK
- Intrusion Detection Systems and RST Generation
- SYN Cookies
- UDP Responses
- Firewall Rules and Router ACLs
- 4. APPLICATION LAYER ATTACKS AND DEFENSE
- Application Layer String Matching with iptables
- Observing the String Match Extension in Action
- Matching Non-Printable Application Layer Data
- Application Layer Attack Definitions
- Abusing the Application Layer
- Snort Signatures
- Buffer Overflow Exploits
- SQL Injection Attacks
- Gray Matter Hacking
- Phishing
- Backdoors and Keystroke Logging
- Encryption and Application Encodings
- Application Layer Responses
- 5. INTRODUCING PSAD: THE PORT SCAN ATTACK DETECTOR
- History
- Why Analyze Firewall Logs?
- psad Features
- psad Installation
- psad Administration
- Starting and Stopping psad
- Daemon Process Uniqueness
- iptables Policy Configuration
- syslog Configuration
- syslogd
- syslog-ng
- whois Client
- psad Configuration
- /etc/psad/psad.conf
- EMAIL_ADDRESSES
- DANGER_LEVEL{n}
- HOME_NET
- EXTERNAL_NET
- SYSLOG_DAEMON
- CHECK_INTERVAL
- SCAN_TIMEOUT
- ENABLE_PERSISTENCE
- PORT_RANGE_SCAN_THRESHOLD
- EMAIL_ALERT_DANGER_LEVEL
- MIN_DANGER_LEVEL
- SHOW_ALL_SIGNATURES
- ALERT_ALL
- SNORT_SID_STR
- ENABLE_AUTO_IDS
- IMPORT_OLD_SCANS
- ENABLE_DSHIELD_ALERTS
- IGNORE_PORTS
- IGNORE_PROTOCOLS
- IGNORE_LOG_PREFIXES
- EMAIL_LIMIT
- ALERTING_METHODS
- FW_MSG_SEARCH
- /etc/psad/auto_dl
- /etc/psad/signatures
- /etc/psad/snort_rule_dl
- /etc/psad/ip_options
- /etc/psad/pf.os
- Concluding Thoughts
- 6. PSAD OPERATIONS: DETECTING SUSPICIOUS TRAFFIC
- Port Scan Detection with psad
- TCP connect() Scan
- TCP SYN or Half-Open Scan
- TCP FIN, XMAS, and NULL Scans
- UDP Scan
- Alerts and Reporting with psad
- psad Email Alerts
- Scan Danger Level, Ports, and Flags
- Source and Destination IP Addresses
- syslog Hostname, Time Interval, and Summary Information
- whois Database Information
- psad syslog Reporting
- Informational Messages
- Scan and Signature Match Messages
- Auto-Response Messages
- Concluding Thoughts
- 7. ADVANCED PSAD TOPICS: FROM SIGNATURE MATCHING TO OS FINGERPRINTING
- Attack Detection with Snort Rules
- Detecting the ipEye Port Scanner
- Detecting the LAND Attack
- Detecting TCP Port 0 Traffic
- Detecting Zero TTL Traffic
- Detecting the Naptha Denial of Service Attack
- Detecting Source Routing Attempts
- Detecting Windows Messenger Pop-up Spam
- psad Signature Updates
- OS Fingerprinting
- Active OS Fingerprinting with Nmap
- Passive OS Fingerprinting with p0f
- Emulating p0f with psad
- Decoding TCP Options from iptables Logs
- DShield Reporting
- DShield Reporting Format
- Sample DShield Report
- Viewing psad Status Output
- Forensics Mode
- Verbose/Debug Mode
- Concluding Thoughts
- 8. ACTIVE RESPONSE WITH PSAD
- Intrusion Prevention vs. Active Response
- Active Response Trade-offs
- Classes of Attacks
- False Positives
- Responding to Attacks with psad
- Features
- Configuration Variables
- Active Response Examples
- Active Response Configuration Settings
- SYN Scan Response
- UDP Scan Response
- Nmap Version Scan
- FIN Scan Response
- Maliciously Spoofing a Scan
- Integrating psad Active Response with Third-Party Tools
- Command-Line Interface
- Adding Blocking Rules
- Removing Blocking Rules
- Flushing All Blocking Rules
- Integrating with Swatch
- Integrating with Custom Scripts
- Concluding Thoughts
- 9. TRANSLATING SNORT RULES INTO IPTABLES RULES
- Why Run fwsnort?
- Defense in Depth
- Target-Based Intrusion Detection and Network Layer Defragmentation
- Lightweight Footprint
- Inline Responses
- Signature Translation Examples
- Nmap command attempt Signature
- Bleeding Snort "Bancos Trojan" Signature
- PGPNet connection attempt Signature
- The fwsnort Interpretation of Snort Rules
- Translating the Snort Rule Header
- Snort Rule Header
- Rule Actions and iptables Emulation
- Snort Actions and Alerting
- Translating Snort Rule Options: iptables Packet Logging
- Snort Options and iptables Packet Filtering
- content
- uricontent
- offset
- depth
- distance
- within
- flags
- itype and icode
- ttl
- tos
- ipopts
- dsize
- ip_proto
- flow
- replace
- resp
- Unsupported Snort Rule Options
- Concluding Thoughts
- 10. DEPLOYING FWSNORT
- Installing fwsnort
- Running fwsnort
- Configuration File for fwsnort
- Structure of fwsnort.sh
- TCP Connection States and fwsnort Chains
- Signature Inspection and Log Generation
- Activating the fwsnort Chains with Jump Rules
- Command-Line Options for fwsnort
- Observing fwsnort in Action
- Detecting the Trin00 DDoS Tool
- Detecting Linux Shellcode Traffic
- Detecting and Reacting to the Dumador Trojan
- Detecting and Reacting to a DNS Cache-Poisoning Attack
- Setting Up Whitelists and Blacklists
- Concluding Thoughts
- 11. COMBINING PSAD AND FWSNORT
- Tying fwsnort Detection to psad Operations
- WEB-PHP Setup.php access Attack
- Detecting the Attack with fwsnort
- Alerting with psad
- TCP Flags
- Reporting Application Layer Content
- Snort Rule ID, Message, and Reference Information
- Revisiting Active Response
- psad vs. fwsnort
- Restricting psad Responses to Attacks Detected by fwsnort
- Combining fwsnort and psad Responses
- DROP vs. REJECT Targets
- Intercepting the Incoming RST
- The NF_DROP Macro
- Thwarting Metasploit Updates
- Metasploit Update Feature
- Metasploit 3.0 Updates
- Metasploit 2.6 Updates
- Signature Development
- Busting Metasploit Updates with fwsnort and psad
- Concluding Thoughts
- 12. PORT KNOCKING VS. SINGLE PACKET AUTHORIZATION
- Reducing the Attack Surface
- The Zero-Day Attack Problem
- Zero-Day Attack Discovery
- Implications for Signature-Based Intrusion Detection
- Defense in Depth
- Port Knocking
- Thwarting Nmap and the Target Identification Phase
- Shared Port-Knocking Sequences
- Encrypted Port-Knocking Sequences
- Architectural Limitations of Port Knocking
- The Sequence Replay Problem
- Minimal Data Transmission Rate
- Knock Sequences and Port Scans
- Knock Sequence Busting with Spoofed Packets
- Single Packet Authorization
- Addressing Limitations of Port Knocking
- Architectural Limitations of SPA
- Access Piggy-Backing via NAT Addresses
- HTTP and Short-lived Sessions
- Security Through Obscurity?
- Concluding Thoughts
- 13. INTRODUCING FWKNOP
- fwknop Installation
- fwknop Configuration
- /etc/fwknop/fwknop.conf
- AUTH_MODE
- PCAP_INTF
- PCAP_FILTER
- ENABLE_PCAP_PROMISC
- FIREWALL_TYPE
- PCAP_PKT_FILE
- IPT_AUTO_CHAIN1
- ENABLE_MD5_PERSISTENCE
- MAX_SPA_PACKET_AGE
- ENABLE_SPA_PACKET_AGING
- REQUIRE_SOURCE_ADDRESS
- EMAIL_ADDRESSES
- GPG_DEFAULT_HOME_DIR
- ENABLE_TCP_SERVER
- TCPSERV_PORT
- /etc/fwknop/access.conf
- SOURCE
- OPEN_PORTS
- PERMIT_CLIENT_PORTS
- ENABLE_CMD_EXEC
- CMD_REGEX
- DATA_COLLECT_MODE
- REQUIRE_USERNAME
- FW_ACCESS_TIMEOUT
- KEY
- GPG_DECRYPT_ID
- GPG_DECRYPT_PW
- GPG_REMOTE_ID
- Example /etc/fwknop/access.conf File
- fwknop SPA Packet Format
- Deploying fwknop
- SPA via Symmetric Encryption
- SPA via Asymmetric Encryption
- GnuPG Key Exchange for fwknop
- Running fwknop with GnuPG Keys
- Detecting and Stopping a Replay Attack
- Spoofing the SPA Packet Source Address
- fwknop OpenSSH Integration Patch
- SPA over Tor
- Concluding Thoughts
- 14. VISUALIZING IPTABLES LOGS
- Seeing the Unusual
- Gnuplot
- Gnuplot Graphing Directives
- Combining psad and Gnuplot
- AfterGlow
- iptables Attack Visualizations
- Port Scans
- Port Sweeps
- Slammer Worm
- Nachi Worm
- Outbound Connections from Compromised Systems
- Concluding Thoughts
- A. ATTACK SPOOFING
- Connection Tracking
- Spoofing exploit.rules Traffic
- Spoofed UDP Attacks
- B. A COMPLETE FWSNORT SCRIPT
- COLOPHON
System requirements
File format: ePUB
Copy protection: without DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Use a reader that can handle the file format ePUB, such as Adobe Digital Editions or FBReader – both free (see eBook Help).
- Tablet/Smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePUB works well for novels and non-fiction books – i.e., 'flowing' text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook does not use copy protection or Digital Rights Management.
For more information, see our eBook Help page.