[Firehol-devs] [Firehol-support] mini-IDS
Tsaousis, Costa
costa at tsaousis.gr
Sat Feb 7 17:36:30 GMT 2015
Hi all,
I think I have completed this functionality. I have also tested knock
sequence and I even wrote an ipuntrap helper to allow you untrap
yourself if you know the knock sequence.
ipuntrap is exactly the same with iptrap - only the timeout is not
needed. Everything else is same.
Now in firehol.conf I have this:
trap_iface="dsl0"
ipset4 create whitelist hash:net
ipset4 add whitelist "X.X.X.X/X A.A.A.A/A"
# this is the untrap sequence
iptrap4 src knock1 60 inface "${trap_iface}" proto tcp dport
12345 log "KNOCK 1"
iptrap4 src knock2 60 src ipset:knock1 proto tcp dport
23456 log "KNOCK 2"
iptrap4 src knock3 60 src ipset:knock2 proto tcp dport
34567 log "KNOCK 3"
# untrap all IPs in knock3
ipuntrap4 src trap src ipset:knock3 proto tcp dport
34567 log "UNTRAPPED"
# trap bad ports
iptrap4 src trap 86400 inface "${trap_iface}" proto tcp dport 21
log "TRAP FTP"
iptrap4 src trap 600 inface "${trap_iface}" proto tcp dport
22 log "TRAP SSH"
iptrap4 src trap 86400 inface "${trap_iface}" proto tcp dport 23
log "TRAP TELNET"
iptrap4 src trap 86400 inface "${trap_iface}" proto tcp dport
3128,8080 log "TRAP PROXY"
iptrap4 src trap 86400 inface "${trap_iface}" proto tcp dport 5038
log "TRAP ASTERISK ADMIN"
iptrap4 src trap 86400 inface "${trap_iface}" proto tcp,udp dport 111
log "TRAP PORTMAP"
iptrap4 src trap 86400 inface "${trap_iface}" proto tcp dport 3306
log "TRAP MYSQL"
iptrap4 src trap 86400 inface "${trap_iface}" proto tcp,udp dport 5060
log "TRAP SIP"
iptrap4 src trap 86400 inface "${trap_iface}" proto tcp dport 5900
log "TRAP VNC"
iptrap4 src trap 86400 inface "${trap_iface}" proto tcp dport 1433
log "TRAP MSSQL"
# blacklist the trapped IPs
blacklist4 full inface "${trap_iface}" log "BLACKLIST TRAP" src
ipset:trap except src ipset:whitelist
To test it:
1. ping www.tsaousis.gr, it should you work (if it doesn't work you
are already trapped, goto step 3)
2. ssh www.tsaousis.gr, it should not work - you are trapped for 10 minutes
3. telnet www.tsaousis.gr 12345 - it will block, press control-c
4. telnet www.tsaousis.gr 23456 - it will block again, press control-c
5. telnet www.tsaousis.gr 34567 - it will give you connection refused
- you are untrapped - you can ping me again.
I have a few public (never used) IPs that I decided to trap every port
of them. In 24 hours I have collected 600 IPs. This is good, It
allowed me to see in the logs that there are hundreds of people
scanning just one port on all IPs. They scan just one port at a time,
but on the whole IP range. If you can have a few spare IPs, you will
be able to minimize the risk of such attacks. Anyone doing a brute
force attack even on port 80, the moment he will scan this port on
your spare IP, he will be out of your network.
Another interesting feature that could be useful would be to allow an
iptrap act as an interface or router policy. So every port someone is
trying to connect to, which is not accepted in firehol, will make him
enter an ipset. Then instead of just blacklisting all IPs in the
ipset, we could use query ipset to find how many times an IP has been
saved in the ipset (i.e. match all IPs in the ipset that have at least
10 packets trapped so far). So we could say in firehol that every IP
that attempts to connect 10+ times to unused ports, will be
automatically blacklisted for some time ! The end of port scanning...
ipset turns to be... magic in the kernel...
Costa
PS: By the way, I have done quite a few changes in firehol. I would
appreciate it if you could test it a bit. Just do this:
# git clone https://github.com/ktsaou/firehol.git firehol.git
the above will create the directory firehol.git.
The executable of firehol is firehol.git/sbin/firehol.in - you can run
it directly from there.
To test it you don't need to activate your firewall with it. Just
generate the iptables statements for your config, with the old and the
new version:
# firehol debug >/tmp/old.txt
And the same with the downloaded version:
# ./firehol.git/sbin/firehol.in debug >/tmp/new.txt
The above do not change your firewall in any way. They just dump the commands.
Now just compare /tmp/old.txt and /tmp/new.txt:
# diff /tmp/old.txt /tmp/new.txt
Normally, you will only have minimal changes (I think you will get all
lines with logs as changed, because the new version put quotes on the
logs).
If they don't differ in anything important, just use the new one from now on.
If you spot important differences between the two, please let us know.
Costa
On Fri, Feb 6, 2015 at 11:59 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Regarding the iptrap helper:
>
> 1. The problem of emptying the ipset when the firewall is restarted is
> solved. Now the iptrap generated ipset is not reset if you re-apply
> the firewall.
>
> 2. Regarding whitelists. I tried to find a solution to create chains
> of rules using the 'then' keyword. It is not that simple. I
> implemented another solution:
>
> The blacklist helper accepts an 'except' keyword, like this:
>
> blacklist4 full inface dsl0 log "BLACKLIST OPENBL" ipset:openbl
> except src "1.2.3.4 ipset:whitelist"
>
> The above will create the blacklist for all IPs in ipset openbl (which
> are of course coming from dsl0), except IP 1.2.3.4 and all IPs in the
> ipset whitelist.
>
> So, for the blacklist helper, anything you write after the keyword
> 'except' is assumed to be a whitelist.
>
> Happy IDSing...
>
> Costa
>
>
>
> On Fri, Feb 6, 2015 at 1:00 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>> I forgot to mention than in the contrib directory of firehol, I have
>> put a small script called 'update-ipsets.sh'.
>>
>> This downloads and installs a number of ipsets:
>>
>> 1. To 20 attackers according to www.dshield.org
>> 2. Known compromised hosts, according to emergingthreats.net
>> 3. Open black list hosts, according to www.openbl.org
>> 4. TOR known hosts, according to emergingthreats.net
>> 5. Command and Control botnets according to emergingthreats.net
>> 6. Spam networks, according to spamhaus.org
>>
>> The script just creates the ipsets, and can be used by cron to update
>> them daily, hourly, etc. (it knows when to update each)
>> It also very easy to extend it for more downloads.
>>
>> The ipsets are also saved in /etc/firehol/ipsets/. Files ending with
>> .ipset are lists of IPs (ipset of type hash:ip), while files ending in
>> .netset are lists of network addresses (ipset of type hash:net).
>>
>> The script does not alter your firewall. Use the ipset and blacklist
>> helpers to do whatever you like with these ipsets.
>>
>> I personally use in crontab:
>>
>> */15 * * * * root /data/src/firehol.git/contrib/update-ipsets.sh -s
>>
>> The above runs the script every 15 minutes to update the sets (-s
>> stands for silent - it will only output something when an ipset is
>> updated, so that I will only receive an email when an ipset is really
>> updated).
>>
>> And in firehol.conf:
>>
>> ipset4 create openbl hash:ip
>> ipset4 addfile openbl ipsets/openbl.ipset
>>
>> ipset4 create compromised hash:ip
>> ipset4 addfile compromised ipsets/compromised.ipset
>>
>> ipset4 create emerging_block hash:net
>> ipset4 addfile emerging_block ipsets/emerging_block.netset
>>
>> blacklist4 full inface dsl0 log "BLACKLIST OPENBL" ipset:openbl
>> blacklist4 full inface dsl0 log "BLACKLIST COMPROMISED" ipset:compromised
>> blacklist4 full inface dsl0 log "BLACKLIST EMERGINGBLOCK" ipset:emerging_block
>>
>> I have to mention that my log is FULL of matching blacklists...
>>
>> Costa
>>
>>
>> On Fri, Feb 6, 2015 at 12:20 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>> Whitelisting needs some research...
>>>
>>> There are a few options (even ipset support a 'nomatch' parameter, but
>>> only for hash:net sets - and even in this case I don't know if the
>>> whitelisted IPs will be replaced by iptrap).
>>> Another possibility would be to define a custom action in firehol that
>>> could chain matches, like this (THIS DOES NOT WORK YET - I am thinking
>>> about it):
>>>
>>> action MYDROP \
>>> src not ipset:whitelist \
>>> then src ipset:blacklist action DROP
>>>
>>> then in backlist:
>>>
>>> blacklist full action MYDROP
>>>
>>> or even in one line like this:
>>>
>>> blacklist full src not ipset:whitelist then src ipset:blacklist
>>>
>>> The 'then' keyword could be used anywhere to indicate that firehol is
>>> expected to chain matches together, do the first match, then the
>>> second match, then the third and finally take action.
>>>
>>> I will try to experiment a bit during the weekend...
>>>
>>> Costa
>>>
>>>
>>> On Fri, Feb 6, 2015 at 11:51 AM, John Sullivan <john at benzo8.org> wrote:
>>>> So we can now replace fail2ban and knockd with firehol - that's awesome,
>>>> Costa!
>>>>
>>>> Is there an easy way of making exceptions to traps - ie: if I never want to
>>>> blacklist my home IP address, no matter how many times it accidentally tries
>>>> to SSH into my server on the wrong port?
>>>>
>>>> John...
>>>>
>>>> On Fri Feb 06 2015 at 10:33:51 Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>>>>
>>>>> ok, nice.
>>>>>
>>>>> I was too excited to write down how iptrap works.
>>>>>
>>>>> I made a few more changes. So, the iptrap helper:
>>>>>
>>>>> iptrap sets up a IP address trap. It just copies an IP to an ipset. It
>>>>> does not accept, reject, or drop traffic. Packets matched by iptrap
>>>>> will continue to flow and should be handled like everything other
>>>>> packet.
>>>>>
>>>>> iptrap will create the ipset specified, if that ipset has not already
>>>>> created by other statements.
>>>>>
>>>>> The syntax of iptrap is:
>>>>>
>>>>> iptrap type ipset timeout [ optional rule parameters ]
>>>>>
>>>>> - type is src or dst or src,dst or dst,src. It controls what the
>>>>> iptrap will save in the ipset. Keep in mind there are ipsets that can
>>>>> have pairs of IPs. src,dst and dst,src are pairs. (unfortunately,
>>>>> currently in FireHOL you cannot specify ipset with pairs of IPs to
>>>>> optional rule parameters - so currently, ipsets with pairs can only be
>>>>> used for logging).
>>>>>
>>>>> - ipset is the name of the ipset to be used/created. iptrap will only
>>>>> check if the ipset has been created by a firehol. If the ipset is
>>>>> created outside firehol, iptrap will re-create it.
>>>>>
>>>>> - timeout is the duration in seconds of the lifetime of each IP
>>>>> address in the ipset. Every matching packet will refresh this duration
>>>>> of IP address in the ipset.
>>>>>
>>>>> Current issues: such dynamic ipsets are emptied when the firewall is
>>>>> restarted (not if restored, only when restarted). I will try to
>>>>> address this too.
>>>>>
>>>>> My current rules are the same as above, but without the ipset line.
>>>>> The first iptrap creates the ipset needed.
>>>>>
>>>>> # my traps
>>>>> iptrap4 src trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>>>> iptrap4 src trap 3600 inface dsl0 proto tcp dport 23 log "TRAP TELNET"
>>>>> iptrap4 src trap 3600 inface dsl0 proto tcp dport 3128 log "TRAP SQUID"
>>>>> iptrap4 src trap 86400 inface dsl0 proto tcp dport 3306 log "TRAP MYSQL"
>>>>> iptrap4 src trap 3600 inface dsl0 proto tcp dport 5038 log "TRAP
>>>>> ASTERISK ADMIN"
>>>>> iptrap4 src trap 3600 inface dsl0 proto tcp,udp dport 111 log "TRAP
>>>>> PORTMAP"
>>>>> iptrap4 src trap 86400 inface dsl0 proto tcp,udp dport 5060 log "TRAP SIP"
>>>>> iptrap4 src trap 3600 inface dsl0 proto udp dport 137,138,139 log
>>>>> "TRAP NETBIOS"
>>>>> iptrap4 src trap 86400 inface dsl0 proto tcp dport 1433 log "TRAP MSSQL"
>>>>>
>>>>> # blacklist everything in the trap
>>>>> blacklist4 input inface dsl0 log "BLACKLIST TRAP" ipset:trap
>>>>>
>>>>>
>>>>>
>>>>> So, yes we can create knock, like this:
>>>>>
>>>>> iptrap4 src knock.step.1 60 inface dsl0 proto tcp dport 1000 log "STEP 1"
>>>>> iptrap4 src knock.step.2 60 inface dsl0 proto tcp dport 2000 log "STEP
>>>>> 2" src ipset:knock.step.1
>>>>> iptrap4 src knock.step.3 60 inface dsl0 proto tcp dport 3000 log "STEP
>>>>> 3" src ipset:knock.step.2
>>>>>
>>>>> and then:
>>>>>
>>>>> server ssh accept src ipset:knock.step.3 log "SSH ACCEPTED"
>>>>>
>>>>> So a user will have to knock tcp/1000, then in 60 seconds knock
>>>>> tcp/2000, then in 60 seconds knock tcp/3000 and then in 60 seconds ssh
>>>>> to us.
>>>>>
>>>>> Once he has ssh'd, his session will remain (it is ESTABLISHED), but no
>>>>> new ssh sessions can be created by him after 60 seconds of
>>>>> knock.step.3.
>>>>>
>>>>> Costa
>>>>>
>>>>>
>>>>> On Fri, Feb 6, 2015 at 9:50 AM, Phil Whineray <phil at sanewall.org> wrote:
>>>>> > Costa
>>>>> >
>>>>> > This looks great.
>>>>> >
>>>>> > On Fri, Feb 06, 2015 at 03:19:00AM +0200, Tsaousis, Costa wrote:
>>>>> >> # create the trap ipset
>>>>> >> ipset4 create trap hash:ip timeout 3600 counters
>>>>> >
>>>>> > I could read the code to check the exact syntax out but I will ask here,
>>>>> > hopefully to the benefit of all:
>>>>> >
>>>>> >> # my traps
>>>>> >> iptrap4 src trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>>>> >
>>>>> > So the iptrap4 command adds the matching traffic to the ipset named in
>>>>> > src, for the duration which is the second parameter?
>>>>> >
>>>>> >> # blacklist everything in the trap
>>>>> >> blacklist4 input inface dsl0 log "BLACKLIST TRAP" ipset:trap
>>>>> >
>>>>> > Then business as usual.
>>>>> >
>>>>> > Could this also be used to setup e.g. port knocking without the daemon?
>>>>> > In which case a different command name than iptrap4 might be nice?
>>>>> > e.g. something like:
>>>>> >
>>>>> > ipset4 dynamic trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>>>> >
>>>>> > Cheers
>>>>> > Phil
>>>>> _______________________________________________
>>>>> Firehol-support mailing list
>>>>> Firehol-support at lists.firehol.org
>>>>> http://lists.firehol.org/mailman/listinfo/firehol-support
More information about the Firehol-devs
mailing list