[Firehol-support] mini-IDS

Tsaousis, Costa costa at tsaousis.gr
Fri Feb 6 11:20:53 CET 2015


Whitelisting needs some research...

There are a few options (even ipset supports a 'nomatch' parameter, but
only for hash:net sets - and even in this case I don't know if the
whitelisted IPs will be replaced by iptrap).
Another possibility would be to define a custom action in firehol that
could chain matches, like this (THIS DOES NOT WORK YET - I am thinking
about it):

action MYDROP \
    src not ipset:whitelist \
    then src ipset:blacklist action DROP

then in blacklist:

blacklist full action MYDROP

or even in one line like this:

blacklist full src not ipset:whitelist then src ipset:blacklist

The 'then' keyword could be used anywhere to indicate that firehol is
expected to chain matches together, do the first match, then the
second match, then the third and finally take action.

I will try to experiment a bit during the weekend...

Costa


On Fri, Feb 6, 2015 at 11:51 AM, John Sullivan <john at benzo8.org> wrote:
> So we can now replace fail2ban and knockd with firehol - that's awesome,
> Costa!
>
> Is there an easy way of making exceptions to traps - ie: if I never want to
> blacklist my home IP address, no matter how many times it accidentally tries
> to SSH into my server on the wrong port?
>
> John...
>
> On Fri Feb 06 2015 at 10:33:51 Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>
>> ok, nice.
>>
>> I was too excited to write down how iptrap works.
>>
>> I made a few more changes. So, the iptrap helper:
>>
>> iptrap sets up an IP address trap. It just copies an IP to an ipset. It
>> does not accept, reject, or drop traffic. Packets matched by iptrap
>> will continue to flow and should be handled like every other
>> packet.
>>
>> iptrap will create the ipset specified, if that ipset has not already
>> been created by other statements.
>>
>> The syntax of iptrap is:
>>
>> iptrap type ipset timeout [ optional rule parameters ]
>>
>> - type is src or dst or src,dst or dst,src. It controls what the
>> iptrap will save in the ipset. Keep in mind there are ipsets that can
>> have pairs of IPs. src,dst and dst,src are pairs. (unfortunately,
>> currently in FireHOL you cannot specify ipset with pairs of IPs to
>> optional rule parameters - so currently, ipsets with pairs can only be
>> used for logging).
>>
>> - ipset is the name of the ipset to be used/created. iptrap will only
>> check if the ipset has been created by firehol. If the ipset is
>> created outside firehol, iptrap will re-create it.
>>
>> - timeout is the duration in seconds of the lifetime of each IP
>> address in the ipset. Every matching packet will refresh this duration
>> for the IP address in the ipset.
>>
>> Current issues: such dynamic ipsets are emptied when the firewall is
>> restarted (not if restored, only when restarted). I will try to
>> address this too.
>>
>> My current rules are the same as above, but without the ipset line.
>> The first iptrap creates the ipset needed.
>>
>> # my traps
>> iptrap4 src trap   600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 23 log "TRAP TELNET"
>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 3128 log "TRAP SQUID"
>> iptrap4 src trap 86400 inface dsl0 proto tcp dport 3306 log "TRAP MYSQL"
>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 5038 log "TRAP ASTERISK ADMIN"
>> iptrap4 src trap  3600 inface dsl0 proto tcp,udp dport 111 log "TRAP PORTMAP"
>> iptrap4 src trap 86400 inface dsl0 proto tcp,udp dport 5060 log "TRAP SIP"
>> iptrap4 src trap  3600 inface dsl0 proto udp dport 137,138,139 log "TRAP NETBIOS"
>> iptrap4 src trap 86400 inface dsl0 proto tcp dport 1433 log "TRAP MSSQL"
>>
>> # blacklist everything in the trap
>> blacklist4 input inface dsl0 log "BLACKLIST TRAP"  ipset:trap
>>
>>
>>
>> So, yes we can create knock, like this:
>>
>> iptrap4 src knock.step.1 60 inface dsl0 proto tcp dport 1000 log "STEP 1"
>> iptrap4 src knock.step.2 60 inface dsl0 proto tcp dport 2000 log "STEP 2" src ipset:knock.step.1
>> iptrap4 src knock.step.3 60 inface dsl0 proto tcp dport 3000 log "STEP 3" src ipset:knock.step.2
>>
>> and then:
>>
>> server ssh accept src ipset:knock.step.3 log "SSH ACCEPTED"
>>
>> So a user will have to knock tcp/1000, then in 60 seconds knock
>> tcp/2000, then in 60 seconds knock tcp/3000 and then in 60 seconds ssh
>> to us.
>>
>> Once he has ssh'd, his session will remain (it is ESTABLISHED), but no
>> new ssh sessions can be created by him after 60 seconds of
>> knock.step.3.
>>
>> Costa
>>
>>
>> On Fri, Feb 6, 2015 at 9:50 AM, Phil Whineray <phil at sanewall.org> wrote:
>> > Costa
>> >
>> > This looks great.
>> >
>> > On Fri, Feb 06, 2015 at 03:19:00AM +0200, Tsaousis, Costa wrote:
>> >> # create the trap ipset
>> >> ipset4 create trap hash:ip timeout 3600 counters
>> >
>> > I could read the code to check the exact syntax out but I will ask here,
>> > hopefully to the benefit of all:
>> >
>> >> # my traps
>> >> iptrap4 src trap   600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>> >
>> > So the iptrap4 command adds the matching traffic to the ipset named in
>> > src, for the duration which is the second parameter?
>> >
>> >> # blacklist everything in the trap
>> >> blacklist4 input inface dsl0 log "BLACKLIST TRAP"  ipset:trap
>> >
>> > Then business as usual.
>> >
>> > Could this also be used to set up e.g. port knocking without the daemon?
>> > In which case a different command name than iptrap4 might be nice?
>> > e.g. something like:
>> >
>> > ipset4 dynamic trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>> >
>> > Cheers
>> > Phil
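
Added example, not part of the thread and not FireHOL's own code or generated rules: one way to get the whitelist exemption discussed in the first message with plain ipset/iptables commands, checking the whitelist both before the traps and again in the blacklist rule. The set names whitelist and trap, the chain name TRAPS and the sample address 192.0.2.10 are assumptions; the interface and the trap ports and timeouts are taken from the thread.

```bash
#!/bin/sh
# Added example: plain ipset/iptables commands, NOT FireHOL syntax or output.
# Assumed names: sets "whitelist" and "trap", chain "TRAPS".
# emit_rules only prints the commands; review them, then run them as root.

emit_rules() {
    iface="$1"; shift            # remaining arguments: whitelisted source IPs

    echo "ipset -exist create whitelist hash:ip"
    echo "ipset -exist create trap hash:ip timeout 3600 counters"
    for ip in "$@"; do
        echo "ipset -exist add whitelist $ip"
    done

    # Whitelisted sources leave the TRAPS chain before any trap rule,
    # so they are never copied into the trap set.
    echo "iptables -N TRAPS"
    echo "iptables -A TRAPS -m set --match-set whitelist src -j RETURN"

    # proto:port:timeout, three of the traps listed in the thread.
    for spec in tcp:22:600 tcp:23:3600 tcp:3306:86400; do
        proto=${spec%%:*}; rest=${spec#*:}
        port=${rest%%:*}; timeout=${rest#*:}
        # SET is non-terminating: it adds the source to the set (--exist
        # refreshes the timeout of an existing entry) and the packet goes on.
        echo "iptables -A TRAPS -p $proto --dport $port -j SET --add-set trap src --exist --timeout $timeout"
    done

    echo "iptables -A INPUT -i $iface -j TRAPS"
    # Two set matches chained in one rule: source NOT in whitelist AND
    # source in trap. The first match also exempts an address that was
    # trapped before it was added to the whitelist.
    echo "iptables -A INPUT -i $iface -m set ! --match-set whitelist src -m set --match-set trap src -j DROP"
}

# Constructed sample address (documentation range), interface from the thread.
emit_rules dsl0 192.0.2.10
```

Because the jump to TRAPS comes before the DROP rule, a blocked address that keeps probing a trap port keeps refreshing its own timeout.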