Linux Firewalls

Book Description

System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection system (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack.

Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You'll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.

Concrete examples illustrate concepts such as firewall log analysis and policies, passive network authentication and authorization, exploit packet traces, Snort ruleset emulation, and more, with coverage of these topics:

  • Passive network authentication and OS fingerprinting

  • iptables log analysis and policies

  • Application layer attack detection with the iptables string match extension

  • Building an iptables ruleset that emulates a Snort ruleset

  • Port knocking vs. Single Packet Authorization (SPA)

  • Tools for visualizing iptables logs

Perl and C code snippets offer practical examples that will help you to maximize your deployment of Linux firewalls. If you're responsible for keeping a network secure, you'll find Linux Firewalls invaluable in your attempt to understand attacks and use iptables, along with psad and fwsnort, to detect and even prevent compromises.

Table of Contents

  1. Linux Firewalls
    1. ACKNOWLEDGMENTS
    2. FOREWORD
    3. INTRODUCTION
      1. Why Detect Attacks with iptables?
        1. What About Dedicated Network Intrusion Detection Systems?
        2. Defense in Depth
      2. Prerequisites
      3. Technical References
      4. About the Website
      5. Chapter Summaries
    4. 1. CARE AND FEEDING OF IPTABLES
      1. iptables
      2. Packet Filtering with iptables
        1. Tables
        2. Chains
        3. Matches
        4. Targets
      3. Installing iptables
      4. Kernel Configuration
        1. Essential Netfilter Compilation Options
          1. Core Netfilter Configuration
          2. IP: Netfilter Configuration
        2. Finishing the Kernel Configuration
        3. Loadable Kernel Modules vs. Built-in Compilation and Security
      5. Security and Minimal Compilation
      6. Kernel Compilation and Installation
      7. Installing the iptables Userland Binaries
      8. Default iptables Policy
        1. Policy Requirements
        2. iptables.sh Script Preamble
        3. The INPUT Chain
        4. The OUTPUT Chain
        5. The FORWARD Chain
        6. Network Address Translation
        7. Activating the Policy
        8. iptables-save and iptables-restore
        9. Testing the Policy: TCP
        10. Testing the Policy: UDP
        11. Testing the Policy: ICMP
      9. Concluding Thoughts
    5. 2. NETWORK LAYER ATTACKS AND DEFENSE
      1. Logging Network Layer Headers with iptables
        1. Logging the IP Header
          1. Logging IP Options
          2. Logging ICMP
      2. Network Layer Attack Definitions
      3. Abusing the Network Layer
        1. Nmap ICMP Ping
        2. IP Spoofing
        3. IP Fragmentation
        4. Low TTL Values
        5. The Smurf Attack
        6. DDoS Attacks
        7. Linux Kernel IGMP Attack
      4. Network Layer Responses
        1. Network Layer Filtering Response
        2. Network Layer Thresholding Response
        3. Combining Responses Across Layers
    6. 3. TRANSPORT LAYER ATTACKS AND DEFENSE
      1. Logging Transport Layer Headers with iptables
        1. Logging the TCP Header
        2. Logging the UDP Header
      2. Transport Layer Attack Definitions
      3. Abusing the Transport Layer
        1. Port Scans
          1. Matching Port Scans to Vulnerable Services
          2. TCP Port Scan Techniques
          3. TCP connect() Scans
          4. TCP SYN or Half-Open Scans
          5. TCP FIN, XMAS, and NULL Scans
          6. TCP ACK Scans
          7. TCP Idle Scans
          8. UDP Scans
        2. Port Sweeps
        3. TCP Sequence Prediction Attacks
        4. SYN Floods
      4. Transport Layer Responses
        1. TCP Responses
          1. RST vs. RST/ACK
          2. Intrusion Detection Systems and RST Generation
          3. SYN Cookies
        2. UDP Responses
        3. Firewall Rules and Router ACLs
    7. 4. APPLICATION LAYER ATTACKS AND DEFENSE
      1. Application Layer String Matching with iptables
        1. Observing the String Match Extension in Action
        2. Matching Non-Printable Application Layer Data
      2. Application Layer Attack Definitions
      3. Abusing the Application Layer
        1. Snort Signatures
        2. Buffer Overflow Exploits
        3. SQL Injection Attacks
        4. Gray Matter Hacking
          1. Phishing
          2. Backdoors and Keystroke Logging
      4. Encryption and Application Encodings
      5. Application Layer Responses
    8. 5. INTRODUCING PSAD: THE PORT SCAN ATTACK DETECTOR
      1. History
      2. Why Analyze Firewall Logs?
      3. psad Features
      4. psad Installation
      5. psad Administration
        1. Starting and Stopping psad
        2. Daemon Process Uniqueness
        3. iptables Policy Configuration
        4. syslog Configuration
          1. syslogd
          2. syslog-ng
        5. whois Client
      6. psad Configuration
        1. /etc/psad/psad.conf
          1. EMAIL_ADDRESSES
          2. DANGER_LEVEL{n}
          3. HOME_NET
          4. EXTERNAL_NET
          5. SYSLOG_DAEMON
          6. CHECK_INTERVAL
          7. SCAN_TIMEOUT
          8. ENABLE_PERSISTENCE
          9. PORT_RANGE_SCAN_THRESHOLD
          10. EMAIL_ALERT_DANGER_LEVEL
          11. MIN_DANGER_LEVEL
          12. SHOW_ALL_SIGNATURES
          13. ALERT_ALL
          14. SNORT_SID_STR
          15. ENABLE_AUTO_IDS
          16. IMPORT_OLD_SCANS
          17. ENABLE_DSHIELD_ALERTS
          18. IGNORE_PORTS
          19. IGNORE_PROTOCOLS
          20. IGNORE_LOG_PREFIXES
          21. EMAIL_LIMIT
          22. ALERTING_METHODS
          23. FW_MSG_SEARCH
        2. /etc/psad/auto_dl
        3. /etc/psad/signatures
        4. /etc/psad/snort_rule_dl
        5. /etc/psad/ip_options
        6. /etc/psad/pf.os
      7. Concluding Thoughts
    9. 6. PSAD OPERATIONS: DETECTING SUSPICIOUS TRAFFIC
      1. Port Scan Detection with psad
        1. TCP connect() Scan
        2. TCP SYN or Half-Open Scan
        3. TCP FIN, XMAS, and NULL Scans
        4. UDP Scan
      2. Alerts and Reporting with psad
        1. psad Email Alerts
          1. Scan Danger Level, Ports, and Flags
          2. Source and Destination IP Addresses
          3. syslog Hostname, Time Interval, and Summary Information
          4. whois Database Information
        2. psad syslog Reporting
          1. Informational Messages
          2. Scan and Signature Match Messages
          3. Auto-Response Messages
      3. Concluding Thoughts
    10. 7. ADVANCED PSAD TOPICS: FROM SIGNATURE MATCHING TO OS FINGERPRINTING
      1. Attack Detection with Snort Rules
        1. Detecting the ipEye Port Scanner
        2. Detecting the LAND Attack
        3. Detecting TCP Port 0 Traffic
        4. Detecting Zero TTL Traffic
        5. Detecting the Naptha Denial of Service Attack
        6. Detecting Source Routing Attempts
        7. Detecting Windows Messenger Pop-up Spam
      2. psad Signature Updates
      3. OS Fingerprinting
        1. Active OS Fingerprinting with Nmap
        2. Passive OS Fingerprinting with p0f
          1. Emulating p0f with psad
          2. Decoding TCP Options from iptables Logs
      4. DShield Reporting
        1. DShield Reporting Format
        2. Sample DShield Report
      5. Viewing psad Status Output
      6. Forensics Mode
      7. Verbose/Debug Mode
      8. Concluding Thoughts
    11. 8. ACTIVE RESPONSE WITH PSAD
      1. Intrusion Prevention vs. Active Response
      2. Active Response Trade-offs
        1. Classes of Attacks
        2. False Positives
      3. Responding to Attacks with psad
        1. Features
        2. Configuration Variables
      4. Active Response Examples
        1. Active Response Configuration Settings
        2. SYN Scan Response
        3. UDP Scan Response
        4. Nmap Version Scan
        5. FIN Scan Response
        6. Maliciously Spoofing a Scan
      5. Integrating psad Active Response with Third-Party Tools
        1. Command-Line Interface
          1. Adding Blocking Rules
          2. Removing Blocking Rules
          3. Flushing All Blocking Rules
        2. Integrating with Swatch
        3. Integrating with Custom Scripts
      6. Concluding Thoughts
    12. 9. TRANSLATING SNORT RULES INTO IPTABLES RULES
      1. Why Run fwsnort?
        1. Defense in Depth
        2. Target-Based Intrusion Detection and Network Layer Defragmentation
        3. Lightweight Footprint
        4. Inline Responses
      2. Signature Translation Examples
        1. Nmap command attempt Signature
        2. Bleeding Snort "Bancos Trojan" Signature
        3. PGPNet connection attempt Signature
      3. The fwsnort Interpretation of Snort Rules
        1. Translating the Snort Rule Header
          1. Snort Rule Header
          2. Rule Actions and iptables Emulation
          3. Snort Actions and Alerting
        2. Translating Snort Rule Options: iptables Packet Logging
        3. Snort Options and iptables Packet Filtering
          1. content
          2. uricontent
          3. offset
          4. depth
          5. distance
          6. within
          7. flags
          8. itype and icode
          9. ttl
          10. tos
          11. ipopts
          12. dsize
          13. ip_proto
          14. flow
          15. replace
          16. resp
        4. Unsupported Snort Rule Options
      4. Concluding Thoughts
    13. 10. DEPLOYING FWSNORT
      1. Installing fwsnort
      2. Running fwsnort
        1. Configuration File for fwsnort
        2. Structure of fwsnort.sh
          1. TCP Connection States and fwsnort Chains
          2. Signature Inspection and Log Generation
          3. Activating the fwsnort Chains with Jump Rules
        3. Command-Line Options for fwsnort
      3. Observing fwsnort in Action
        1. Detecting the Trin00 DDoS Tool
        2. Detecting Linux Shellcode Traffic
        3. Detecting and Reacting to the Dumador Trojan
        4. Detecting and Reacting to a DNS Cache-Poisoning Attack
      4. Setting Up Whitelists and Blacklists
      5. Concluding Thoughts
    14. 11. COMBINING PSAD AND FWSNORT
      1. Tying fwsnort Detection to psad Operations
        1. WEB-PHP Setup.php access Attack
          1. Detecting the Attack with fwsnort
          2. Alerting with psad
          3. TCP Flags
          4. Reporting Application Layer Content
          5. Snort Rule ID, Message, and Reference Information
      2. Revisiting Active Response
        1. psad vs. fwsnort
        2. Restricting psad Responses to Attacks Detected by fwsnort
        3. Combining fwsnort and psad Responses
        4. DROP vs. REJECT Targets
          1. Intercepting the Incoming RST
          2. The NF_DROP Macro
      3. Thwarting Metasploit Updates
        1. Metasploit Update Feature
          1. Metasploit 3.0 Updates
          2. Metasploit 2.6 Updates
        2. Signature Development
        3. Busting Metasploit Updates with fwsnort and psad
      4. Concluding Thoughts
    15. 12. PORT KNOCKING VS. SINGLE PACKET AUTHORIZATION
      1. Reducing the Attack Surface
      2. The Zero-Day Attack Problem
        1. Zero-Day Attack Discovery
        2. Implications for Signature-Based Intrusion Detection
        3. Defense in Depth
      3. Port Knocking
        1. Thwarting Nmap and the Target Identification Phase
        2. Shared Port-Knocking Sequences
        3. Encrypted Port-Knocking Sequences
        4. Architectural Limitations of Port Knocking
          1. The Sequence Replay Problem
          2. Minimal Data Transmission Rate
          3. Knock Sequences and Port Scans
          4. Knock Sequence Busting with Spoofed Packets
      4. Single Packet Authorization
        1. Addressing Limitations of Port Knocking
        2. Architectural Limitations of SPA
          1. Access Piggy-Backing via NAT Addresses
          2. HTTP and Short-lived Sessions
      5. Security Through Obscurity?
      6. Concluding Thoughts
    16. 13. INTRODUCING FWKNOP
      1. fwknop Installation
      2. fwknop Configuration
        1. /etc/fwknop/fwknop.conf
          1. AUTH_MODE
          2. PCAP_INTF
          3. PCAP_FILTER
          4. ENABLE_PCAP_PROMISC
          5. FIREWALL_TYPE
          6. PCAP_PKT_FILE
          7. IPT_AUTO_CHAIN1
          8. ENABLE_MD5_PERSISTENCE
          9. MAX_SPA_PACKET_AGE
          10. ENABLE_SPA_PACKET_AGING
          11. REQUIRE_SOURCE_ADDRESS
          12. EMAIL_ADDRESSES
          13. GPG_DEFAULT_HOME_DIR
          14. ENABLE_TCP_SERVER
          15. TCPSERV_PORT
        2. /etc/fwknop/access.conf
          1. SOURCE
          2. OPEN_PORTS
          3. PERMIT_CLIENT_PORTS
          4. ENABLE_CMD_EXEC
          5. CMD_REGEX
          6. DATA_COLLECT_MODE
          7. REQUIRE_USERNAME
          8. FW_ACCESS_TIMEOUT
          9. KEY
          10. GPG_DECRYPT_ID
          11. GPG_DECRYPT_PW
          12. GPG_REMOTE_ID
        3. Example /etc/fwknop/access.conf File
      3. fwknop SPA Packet Format
      4. Deploying fwknop
        1. SPA via Symmetric Encryption
        2. SPA via Asymmetric Encryption
          1. GnuPG Key Exchange for fwknop
          2. Running fwknop with GnuPG Keys
        3. Detecting and Stopping a Replay Attack
        4. Spoofing the SPA Packet Source Address
        5. fwknop OpenSSH Integration Patch
        6. SPA over Tor
      5. Concluding Thoughts
    17. 14. VISUALIZING IPTABLES LOGS
      1. Seeing the Unusual
      2. Gnuplot
        1. Gnuplot Graphing Directives
        2. Combining psad and Gnuplot
      3. AfterGlow
      4. iptables Attack Visualizations
        1. Port Scans
        2. Port Sweeps
        3. Slammer Worm
        4. Nachi Worm
        5. Outbound Connections from Compromised Systems
      5. Concluding Thoughts
    18. A. ATTACK SPOOFING
      1. Connection Tracking
        1. Spoofing exploit.rules Traffic
        2. Spoofed UDP Attacks
    19. B. A COMPLETE FWSNORT SCRIPT
    20. About the Author
    21. COLOPHON