Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection systems (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attac...
| Main Author: | |
|---|---|
| Format: | eBook |
| Language: | English |
| Published: | San Francisco : No Starch Press, c2007. |
| Edition: | 1st edition |
| Subjects: | |
| See on Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009627189806719 |
Table of Contents:
- Intro
- Linux Firewalls
- ACKNOWLEDGMENTS
- FOREWORD
- INTRODUCTION
- Why Detect Attacks with iptables?
- What About Dedicated Network Intrusion Detection Systems?
- Defense in Depth
- Prerequisites
- Technical References
- About the Website
- Chapter Summaries
- 1. CARE AND FEEDING OF IPTABLES
- iptables
- Packet Filtering with iptables
- Tables
- Chains
- Matches
- Targets
- Installing iptables
- Kernel Configuration
- Essential Netfilter Compilation Options
- Core Netfilter Configuration
- IP: Netfilter Configuration
- Finishing the Kernel Configuration
- Loadable Kernel Modules vs. Built-in Compilation and Security
- Security and Minimal Compilation
- Kernel Compilation and Installation
- Installing the iptables Userland Binaries
- Default iptables Policy
- Policy Requirements
- iptables.sh Script Preamble
- The INPUT Chain
- The OUTPUT Chain
- The FORWARD Chain
- Network Address Translation
- Activating the Policy
- iptables-save and iptables-restore
- Testing the Policy: TCP
- Testing the Policy: UDP
- Testing the Policy: ICMP
- Concluding Thoughts
- 2. NETWORK LAYER ATTACKS AND DEFENSE
- Logging Network Layer Headers with iptables
- Logging the IP Header
- Logging IP Options
- Logging ICMP
- Network Layer Attack Definitions
- Abusing the Network Layer
- Nmap ICMP Ping
- IP Spoofing
- IP Fragmentation
- Low TTL Values
- The Smurf Attack
- DDoS Attacks
- Linux Kernel IGMP Attack
- Network Layer Responses
- Network Layer Filtering Response
- Network Layer Thresholding Response
- Combining Responses Across Layers
- 3. TRANSPORT LAYER ATTACKS AND DEFENSE
- Logging Transport Layer Headers with iptables
- Logging the TCP Header
- Logging the UDP Header
- Transport Layer Attack Definitions
- Abusing the Transport Layer
- Port Scans
- Matching Port Scans to Vulnerable Services
- TCP Port Scan Techniques
- TCP connect() Scans
- TCP SYN or Half-Open Scans
- TCP FIN, XMAS, and NULL Scans
- TCP ACK Scans
- TCP Idle Scans
- UDP Scans
- Port Sweeps
- TCP Sequence Prediction Attacks
- SYN Floods
- Transport Layer Responses
- TCP Responses
- RST vs. RST/ACK
- Intrusion Detection Systems and RST Generation
- SYN Cookies
- UDP Responses
- Firewall Rules and Router ACLs
- 4. APPLICATION LAYER ATTACKS AND DEFENSE
- Application Layer String Matching with iptables
- Observing the String Match Extension in Action
- Matching Non-Printable Application Layer Data
- Application Layer Attack Definitions
- Abusing the Application Layer
- Snort Signatures
- Buffer Overflow Exploits
- SQL Injection Attacks
- Gray Matter Hacking
- Phishing
- Backdoors and Keystroke Logging
- Encryption and Application Encodings
- Application Layer Responses
- 5. INTRODUCING PSAD: THE PORT SCAN ATTACK DETECTOR
- History
- Why Analyze Firewall Logs?
- psad Features
- psad Installation
- psad Administration
- Starting and Stopping psad
- Daemon Process Uniqueness
- iptables Policy Configuration
- syslog Configuration
- syslogd
- syslog-ng
- whois Client
- psad Configuration
- /etc/psad/psad.conf
- EMAIL_ADDRESSES
- DANGER_LEVEL{n}
- HOME_NET
- EXTERNAL_NET
- SYSLOG_DAEMON
- CHECK_INTERVAL
- SCAN_TIMEOUT
- ENABLE_PERSISTENCE
- PORT_RANGE_SCAN_THRESHOLD
- EMAIL_ALERT_DANGER_LEVEL
- MIN_DANGER_LEVEL
- SHOW_ALL_SIGNATURES
- ALERT_ALL
- SNORT_SID_STR
- ENABLE_AUTO_IDS
- IMPORT_OLD_SCANS
- ENABLE_DSHIELD_ALERTS
- IGNORE_PORTS
- IGNORE_PROTOCOLS
- IGNORE_LOG_PREFIXES
- EMAIL_LIMIT
- ALERTING_METHODS
- FW_MSG_SEARCH
- /etc/psad/auto_dl
- /etc/psad/signatures
- /etc/psad/snort_rule_dl
- /etc/psad/ip_options
- /etc/psad/pf.os
- Concluding Thoughts
- 6. PSAD OPERATIONS: DETECTING SUSPICIOUS TRAFFIC
- Port Scan Detection with psad
- TCP connect() Scan
- TCP SYN or Half-Open Scan
- TCP FIN, XMAS, and NULL Scans
- UDP Scan
- Alerts and Reporting with psad
- psad Email Alerts
- Scan Danger Level, Ports, and Flags
- Source and Destination IP Addresses
- syslog Hostname, Time Interval, and Summary Information
- whois Database Information
- psad syslog Reporting
- Informational Messages
- Scan and Signature Match Messages
- Auto-Response Messages
- Concluding Thoughts
- 7. ADVANCED PSAD TOPICS: FROM SIGNATURE MATCHING TO OS FINGERPRINTING
- Attack Detection with Snort Rules
- Detecting the ipEye Port Scanner
- Detecting the LAND Attack
- Detecting TCP Port 0 Traffic
- Detecting Zero TTL Traffic
- Detecting the Naptha Denial of Service Attack
- Detecting Source Routing Attempts
- Detecting Windows Messenger Pop-up Spam
- psad Signature Updates
- OS Fingerprinting
- Active OS Fingerprinting with Nmap
- Passive OS Fingerprinting with p0f
- Emulating p0f with psad
- Decoding TCP Options from iptables Logs
- DShield Reporting
- DShield Reporting Format
- Sample DShield Report
- Viewing psad Status Output
- Forensics Mode
- Verbose/Debug Mode
- Concluding Thoughts
- 8. ACTIVE RESPONSE WITH PSAD
- Intrusion Prevention vs. Active Response
- Active Response Trade-offs
- Classes of Attacks
- False Positives
- Responding to Attacks with psad
- Features
- Configuration Variables
- Active Response Examples
- Active Response Configuration Settings
- SYN Scan Response
- UDP Scan Response
- Nmap Version Scan
- FIN Scan Response
- Maliciously Spoofing a Scan
- Integrating psad Active Response with Third-Party Tools
- Command-Line Interface
- Adding Blocking Rules
- Removing Blocking Rules
- Flushing All Blocking Rules
- Integrating with Swatch
- Integrating with Custom Scripts
- Concluding Thoughts
- 9. TRANSLATING SNORT RULES INTO IPTABLES RULES
- Why Run fwsnort?
- Defense in Depth
- Target-Based Intrusion Detection and Network Layer Defragmentation
- Lightweight Footprint
- Inline Responses
- Signature Translation Examples
- Nmap command attempt Signature
- Bleeding Snort "Bancos Trojan" Signature
- PGPNet connection attempt Signature
- The fwsnort Interpretation of Snort Rules
- Translating the Snort Rule Header
- Snort Rule Header
- Rule Actions and iptables Emulation
- Snort Actions and Alerting
- Translating Snort Rule Options: iptables Packet Logging
- Snort Options and iptables Packet Filtering
- content
- uricontent
- offset
- depth
- distance
- within
- flags
- itype and icode
- ttl
- tos
- ipopts
- dsize
- ip_proto
- flow
- replace
- resp
- Unsupported Snort Rule Options
- Concluding Thoughts
- 10. DEPLOYING FWSNORT
- Installing fwsnort
- Running fwsnort
- Configuration File for fwsnort
- Structure of fwsnort.sh
- TCP Connection States and fwsnort Chains
- Signature Inspection and Log Generation
- Activating the fwsnort Chains with Jump Rules
- Command-Line Options for fwsnort
- Observing fwsnort in Action
- Detecting the Trin00 DDoS Tool
- Detecting Linux Shellcode Traffic
- Detecting and Reacting to the Dumador Trojan
- Detecting and Reacting to a DNS Cache-Poisoning Attack
- Setting Up Whitelists and Blacklists
- Concluding Thoughts
- 11. COMBINING PSAD AND FWSNORT
- Tying fwsnort Detection to psad Operations
- WEB-PHP Setup.php access Attack
- Detecting the Attack with fwsnort
- Alerting with psad
- TCP Flags
- Reporting Application Layer Content
- Snort Rule ID, Message, and Reference Information
- Revisiting Active Response
- psad vs. fwsnort
- Restricting psad Responses to Attacks Detected by fwsnort
- Combining fwsnort and psad Responses
- DROP vs. REJECT Targets
- Intercepting the Incoming RST
- The NF_DROP Macro
- Thwarting Metasploit Updates
- Metasploit Update Feature
- Metasploit 3.0 Updates
- Metasploit 2.6 Updates
- Signature Development
- Busting Metasploit Updates with fwsnort and psad
- Concluding Thoughts
- 12. PORT KNOCKING VS. SINGLE PACKET AUTHORIZATION
- Reducing the Attack Surface
- The Zero-Day Attack Problem
- Zero-Day Attack Discovery
- Implications for Signature-Based Intrusion Detection
- Defense in Depth
- Port Knocking
- Thwarting Nmap and the Target Identification Phase
- Shared Port-Knocking Sequences
- Encrypted Port-Knocking Sequences
- Architectural Limitations of Port Knocking
- The Sequence Replay Problem
- Minimal Data Transmission Rate
- Knock Sequences and Port Scans
- Knock Sequence Busting with Spoofed Packets
- Single Packet Authorization
- Addressing Limitations of Port Knocking
- Architectural Limitations of SPA
- Access Piggy-Backing via NAT Addresses
- HTTP and Short-lived Sessions
- Security Through Obscurity?
- Concluding Thoughts
- 13. INTRODUCING FWKNOP
- fwknop Installation
- fwknop Configuration
- /etc/fwknop/fwknop.conf
- AUTH_MODE
- PCAP_INTF
- PCAP_FILTER
- ENABLE_PCAP_PROMISC
- FIREWALL_TYPE
- PCAP_PKT_FILE
- IPT_AUTO_CHAIN1
- ENABLE_MD5_PERSISTENCE
- MAX_SPA_PACKET_AGE
- ENABLE_SPA_PACKET_AGING
- REQUIRE_SOURCE_ADDRESS
- EMAIL_ADDRESSES
- GPG_DEFAULT_HOME_DIR
- ENABLE_TCP_SERVER
- TCPSERV_PORT
- /etc/fwknop/access.conf
- SOURCE
- OPEN_PORTS
- PERMIT_CLIENT_PORTS
- ENABLE_CMD_EXEC
- CMD_REGEX
- DATA_COLLECT_MODE
- REQUIRE_USERNAME
- FW_ACCESS_TIMEOUT
- KEY
- GPG_DECRYPT_ID
- GPG_DECRYPT_PW
- GPG_REMOTE_ID
- Example /etc/fwknop/access.conf File
- fwknop SPA Packet Format
- Deploying fwknop
- SPA via Symmetric Encryption
- SPA via Asymmetric Encryption
- GnuPG Key Exchange for fwknop
- Running fwknop with GnuPG Keys