[Firehol-support] mini-IDS

Tsaousis, Costa costa at tsaousis.gr
Fri Feb 6 02:19:00 CET 2015


Hi all,

there is a feature of recent iptables and kernels that allows us to
build some sort of an IDS (intrusion detection system).

It works like this:

1. The kernel supports ipsets. If you don't know what ipset is, check
this wiki page:
https://github.com/ktsaou/firehol/wiki/FireHOL-support-for-ipset

2. iptables support the SET action. This action allows to add or
remove dynamically IPs to an ipset. To see its options check: iptables
-j SET --help

3. We could therefore create an empty ipset named TRAP and when we
detect that someone is trying to access a few forbidden services (i.e.
we don't run an ftp server, but we see someone trying to ftp to our
host), we could add his IP on the TRAP ipset with a timeout of 1 hour
(this timeout is a standard kernel feature).

4. On the firewall there is a blacklist rule that drops all traffic
from/to all IPs in the TRAP ipset.

This is totally automatic, handled entirely by the kernel !

The firehol I just pushed to github has this feature.

This is what I have at the top of my firehol.conf:

# create the trap ipset
ipset4 create trap hash:ip timeout 3600 counters

# my traps
iptrap4 src trap   600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
iptrap4 src trap  3600 inface dsl0 proto tcp dport 23 log "TRAP TELNET"
iptrap4 src trap  3600 inface dsl0 proto tcp dport 3128 log "TRAP SQUID"
iptrap4 src trap 86400 inface dsl0 proto tcp dport 3306 log "TRAP MYSQL"
iptrap4 src trap  3600 inface dsl0 proto tcp dport 5038 log "TRAP
ASTERISK ADMIN"
iptrap4 src trap  3600 inface dsl0 proto tcp,udp dport 111 log "TRAP PORTMAP"
iptrap4 src trap 86400 inface dsl0 proto tcp,udp dport 5060 log "TRAP SIP"
iptrap4 src trap  3600 inface dsl0 proto udp dport 137,138,139 log
"TRAP NETBIOS"
iptrap4 src trap 86400 inface dsl0 proto tcp dport 1433 log "TRAP MSSQL"

# blacklist everything in the trap
blacklist4 input inface dsl0 log "BLACKLIST TRAP"  ipset:trap


Now, just ping me:

ping www.tsaousis.gr

It should work.

stop it and do:

ssh www.tsaousis.gr

It would not work.

Now ping me again. Ping should be blocked for 600 seconds (10 mins).

If you do this:

telnet www.tsaousis.gr 3306

you would be blocked for a day (86400 seconds).

Nice little IDS inside FireHOL...

Costa


More information about the Firehol-support mailing list