[Firehol-support] mini-IDS

Tsaousis, Costa costa at tsaousis.gr
Sun Feb 8 22:21:34 CET 2015


Hi all,

I wrote a wiki page for traps and knocks.

https://github.com/ktsaou/firehol/wiki/Working-with-traps

Costa


On Sat, Feb 7, 2015 at 7:36 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi all,
>
> I think I have completed this functionality. I have also tested the knock
> sequence and I even wrote an ipuntrap helper to allow you to untrap
> yourself if you know the knock sequence.
>
> ipuntrap is exactly the same as iptrap - only the timeout is not
> needed. Everything else is the same.
>
> Now in firehol.conf I have this:
>
>
> trap_iface="dsl0"
>
> ipset4 create whitelist hash:net
> ipset4 add whitelist "X.X.X.X/X A.A.A.A/A"
>
> # this is the untrap sequence
> iptrap4   src knock1 60 inface "${trap_iface}"      proto tcp dport 12345 log "KNOCK 1"
> iptrap4   src knock2 60 src ipset:knock1            proto tcp dport 23456 log "KNOCK 2"
> iptrap4   src knock3 60 src ipset:knock2            proto tcp dport 34567 log "KNOCK 3"
>
> # untrap all IPs in knock3
> ipuntrap4 src trap      src ipset:knock3            proto tcp dport 34567 log "UNTRAPPED"
>
> # trap bad ports
> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport        21 log "TRAP FTP"
> iptrap4 src trap   600 inface "${trap_iface}" proto tcp     dport        22 log "TRAP SSH"
> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport        23 log "TRAP TELNET"
> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport 3128,8080 log "TRAP PROXY"
> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport      5038 log "TRAP ASTERISK ADMIN"
> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp,udp dport       111 log "TRAP PORTMAP"
> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport      3306 log "TRAP MYSQL"
> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp,udp dport      5060 log "TRAP SIP"
> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport      5900 log "TRAP VNC"
> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport      1433 log "TRAP MSSQL"
>
> # blacklist the trapped IPs
> blacklist4 full inface "${trap_iface}" log "BLACKLIST TRAP" src ipset:trap except src ipset:whitelist
>
> To test it:
>
> 1. ping www.tsaousis.gr, it should work (if it doesn't work you are
> already trapped, goto step 3)
> 2. ssh www.tsaousis.gr, it should not work - you are trapped for 10 minutes
> 3. telnet www.tsaousis.gr 12345 - it will block, press control-c
> 4. telnet www.tsaousis.gr 23456 - it will block again, press control-c
> 5. telnet www.tsaousis.gr 34567 - it will give you connection refused -
> you are untrapped - you can ping me again.
>
> I have a few public (never used) IPs that I decided to trap every port
> of them. In 24 hours I have collected 600 IPs. This is good. It
> allowed me to see in the logs that there are hundreds of people
> scanning just one port on all IPs. They scan just one port at a time,
> but on the whole IP range. If you can have a few spare IPs, you will
> be able to minimize the risk of such attacks. Anyone doing a brute
> force attack even on port 80, the moment he will scan this port on
> your spare IP, he will be out of your network.
>
> Another interesting feature that could be useful would be to allow an
> iptrap to act as an interface or router policy. So every port someone is
> trying to connect to, which is not accepted in firehol, will make him
> enter an ipset. Then instead of just blacklisting all IPs in the
> ipset, we could use query ipset to find how many times an IP has been
> saved in the ipset (i.e. match all IPs in the ipset that have at least
> 10 packets trapped so far). So we could say in firehol that every IP
> that attempts to connect 10+ times to unused ports, will be
> automatically blacklisted for some time !  The end of port scanning...
>
> ipset turns out to be... magic in the kernel...
>
> Costa
>
> PS: By the way, I have done quite a few changes in firehol. I would
> appreciate it if you could test it a bit. Just do this:
>
> # git clone https://github.com/ktsaou/firehol.git firehol.git
>
> the above will create the directory firehol.git.
>
> The executable of firehol is firehol.git/sbin/firehol.in - you can run
> it directly from there.
>
> To test it you don't need to activate your firewall with it. Just
> generate the iptables statements for your config, with the old and the
> new version:
>
> # firehol debug >/tmp/old.txt
>
> And the same with the downloaded version:
>
> # ./firehol.git/sbin/firehol.in debug >/tmp/new.txt
>
> The above do not change your firewall in any way. They just dump the commands.
>
> Now just compare /tmp/old.txt and /tmp/new.txt:
>
> # diff /tmp/old.txt /tmp/new.txt
>
> Normally, you will only have minimal changes (I think you will get all
> lines with logs as changed, because the new version puts quotes on the
> logs).
> If they don't differ in anything important, just use the new one from now on.
>
> If you spot important differences between the two, please let us know.
>
> Costa
>
>
> On Fri, Feb 6, 2015 at 11:59 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>> Regarding the iptrap helper:
>>
>> 1. The problem of emptying the ipset when the firewall is restarted is
>> solved. Now the iptrap generated ipset is not reset if you re-apply
>> the firewall.
>>
>> 2. Regarding whitelists. I tried to find a solution to create chains
>> of rules using the 'then' keyword. It is not that simple. I
>> implemented another solution:
>>
>> The blacklist helper accepts an 'except' keyword, like this:
>>
>> blacklist4 full  inface dsl0 log "BLACKLIST OPENBL" ipset:openbl except src "1.2.3.4 ipset:whitelist"
>>
>> The above will create the blacklist for all IPs in ipset openbl (which
>> are of course coming from dsl0), except IP 1.2.3.4 and all IPs in the
>> ipset whitelist.
>>
>> So, for the blacklist helper, anything you write after the keyword
>> 'except' is assumed to be a whitelist.
>>
>> Happy IDSing...
>>
>> Costa
>>
>>
>>
>> On Fri, Feb 6, 2015 at 1:00 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>> I forgot to mention that in the contrib directory of firehol, I have
>>> put a small script called 'update-ipsets.sh'.
>>>
>>> This downloads and installs a number of ipsets:
>>>
>>> 1. Top 20 attackers according to www.dshield.org
>>> 2. Known compromised hosts, according to emergingthreats.net
>>> 3. Open black list hosts, according to www.openbl.org
>>> 4. TOR known hosts, according to emergingthreats.net
>>> 5. Command and Control botnets according to emergingthreats.net
>>> 6. Spam networks, according to spamhaus.org
>>>
>>> The script just creates the ipsets, and can be used by cron to update
>>> them daily, hourly, etc. (it knows when to update each)
>>> It is also very easy to extend it for more downloads.
>>>
>>> The ipsets are also saved in /etc/firehol/ipsets/. Files ending with
>>> .ipset are lists of IPs (ipset of type hash:ip), while files ending in
>>> .netset are lists of network addresses (ipset of type hash:net).
>>>
>>> The script does not alter your firewall. Use the ipset and blacklist
>>> helpers to do whatever you like with these ipsets.
>>>
>>> I personally use in crontab:
>>>
>>> */15 * * * *    root    /data/src/firehol.git/contrib/update-ipsets.sh -s
>>>
>>> The above runs the script every 15 minutes to update the sets (-s
>>> stands for silent - it will only output something when an ipset is
>>> updated, so that I will only receive an email when an ipset is really
>>> updated).
>>>
>>> And in firehol.conf:
>>>
>>> ipset4 create  openbl hash:ip
>>> ipset4 addfile openbl ipsets/openbl.ipset
>>>
>>> ipset4 create  compromised hash:ip
>>> ipset4 addfile compromised ipsets/compromised.ipset
>>>
>>> ipset4 create emerging_block hash:net
>>> ipset4 addfile emerging_block ipsets/emerging_block.netset
>>>
>>> blacklist4 full  inface dsl0 log "BLACKLIST OPENBL"        ipset:openbl
>>> blacklist4 full  inface dsl0 log "BLACKLIST COMPROMISED"   ipset:compromised
>>> blacklist4 full  inface dsl0 log "BLACKLIST EMERGINGBLOCK" ipset:emerging_block
>>>
>>> I have to mention that my log is FULL of matching blacklists...
>>>
>>> Costa
>>>
>>>
>>> On Fri, Feb 6, 2015 at 12:20 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>>> Whitelisting needs some research...
>>>>
>>>> There are a few options (even ipset supports a 'nomatch' parameter, but
>>>> only for hash:net sets - and even in this case I don't know if the
>>>> whitelisted IPs will be replaced by iptrap).
>>>> Another possibility would be to define a custom action in firehol that
>>>> could chain matches, like this (THIS DOES NOT WORK YET - I am thinking
>>>> about it):
>>>>
>>>> action MYDROP \
>>>>     src not ipset:whitelist \
>>>>     then src ipset:blacklist action DROP
>>>>
>>>> then in blacklist:
>>>>
>>>> blacklist full action MYDROP
>>>>
>>>> or even in one line like this:
>>>>
>>>> blacklist full src not ipset:whitelist then src ipset:blacklist
>>>>
>>>> The 'then' keyword could be used anywhere to indicate that firehol is
>>>> expected to chain matches together, do the first match, then the
>>>> second match, then the third and finally take action.
>>>>
>>>> I will try to experiment a bit during the weekend...
>>>>
>>>> Costa
>>>>
>>>>
>>>> On Fri, Feb 6, 2015 at 11:51 AM, John Sullivan <john at benzo8.org> wrote:
>>>>> So we can now replace fail2ban and knockd with firehol - that's awesome,
>>>>> Costa!
>>>>>
>>>>> Is there an easy way of making exceptions to traps - ie: if I never want to
>>>>> blacklist my home IP address, no matter how many times it accidentally tries
>>>>> to SSH into my server on the wrong port?
>>>>>
>>>>> John...
>>>>>
>>>>> On Fri Feb 06 2015 at 10:33:51 Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>>>>>
>>>>>> ok, nice.
>>>>>>
>>>>>> I was too excited to write down how iptrap works.
>>>>>>
>>>>>> I made a few more changes. So, the iptrap helper:
>>>>>>
>>>>>> iptrap sets up an IP address trap. It just copies an IP to an ipset. It
>>>>>> does not accept, reject, or drop traffic. Packets matched by iptrap
>>>>>> will continue to flow and should be handled like every other
>>>>>> packet.
>>>>>>
>>>>>> iptrap will create the ipset specified, if that ipset has not already
>>>>>> been created by other statements.
>>>>>>
>>>>>> The syntax of iptrap is:
>>>>>>
>>>>>> iptrap type ipset timeout [ optional rule parameters ]
>>>>>>
>>>>>> - type is src or dst or src,dst or dst,src. It controls what the
>>>>>> iptrap will save in the ipset. Keep in mind there are ipsets that can
>>>>>> have pairs of IPs. src,dst and dst,src are pairs. (unfortunately,
>>>>>> currently in FireHOL you cannot specify ipset with pairs of IPs to
>>>>>> optional rule parameters - so currently, ipsets with pairs can only be
>>>>>> used for logging).
>>>>>>
>>>>>> - ipset is the name of the ipset to be used/created. iptrap will only
>>>>>> check if the ipset has been created by firehol. If the ipset is
>>>>>> created outside firehol, iptrap will re-create it.
>>>>>>
>>>>>> - timeout is the duration in seconds of the lifetime of each IP
>>>>>> address in the ipset. Every matching packet will refresh this duration
>>>>>> of the IP address in the ipset.
>>>>>>
>>>>>> Current issues: such dynamic ipsets are emptied when the firewall is
>>>>>> restarted (not if restored, only when restarted). I will try to
>>>>>> address this too.
>>>>>>
>>>>>> My current rules are the same as above, but without the ipset line.
>>>>>> The first iptrap creates the ipset needed.
>>>>>>
>>>>>> # my traps
>>>>>> iptrap4 src trap   600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>>>>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 23 log "TRAP TELNET"
>>>>>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 3128 log "TRAP SQUID"
>>>>>> iptrap4 src trap 86400 inface dsl0 proto tcp dport 3306 log "TRAP MYSQL"
>>>>>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 5038 log "TRAP ASTERISK ADMIN"
>>>>>> iptrap4 src trap  3600 inface dsl0 proto tcp,udp dport 111 log "TRAP PORTMAP"
>>>>>> iptrap4 src trap 86400 inface dsl0 proto tcp,udp dport 5060 log "TRAP SIP"
>>>>>> iptrap4 src trap  3600 inface dsl0 proto udp dport 137,138,139 log "TRAP NETBIOS"
>>>>>> iptrap4 src trap 86400 inface dsl0 proto tcp dport 1433 log "TRAP MSSQL"
>>>>>>
>>>>>> # blacklist everything in the trap
>>>>>> blacklist4 input inface dsl0 log "BLACKLIST TRAP"  ipset:trap
>>>>>>
>>>>>> So, yes we can create knock, like this:
>>>>>>
>>>>>> iptrap4 src knock.step.1 60 inface dsl0 proto tcp dport 1000 log "STEP 1"
>>>>>> iptrap4 src knock.step.2 60 inface dsl0 proto tcp dport 2000 log "STEP 2" src ipset:knock.step.1
>>>>>> iptrap4 src knock.step.3 60 inface dsl0 proto tcp dport 3000 log "STEP 3" src ipset:knock.step.2
>>>>>>
>>>>>> and then:
>>>>>>
>>>>>> server ssh accept src ipset:knock.step.3 log "SSH ACCEPTED"
>>>>>>
>>>>>> So a user will have to knock tcp/1000, then in 60 seconds knock
>>>>>> tcp/2000, then in 60 seconds knock tcp/3000 and then in 60 seconds ssh
>>>>>> to us.
>>>>>>
>>>>>> Once he has ssh'd, his session will remain (it is ESTABLISHED), but no
>>>>>> new ssh sessions can be created by him after 60 seconds of
>>>>>> knock.step.3.
>>>>>>
>>>>>> Costa
>>>>>>
>>>>>>
>>>>>> On Fri, Feb 6, 2015 at 9:50 AM, Phil Whineray <phil at sanewall.org> wrote:
>>>>>> > Costa
>>>>>> >
>>>>>> > This looks great.
>>>>>> >
>>>>>> > On Fri, Feb 06, 2015 at 03:19:00AM +0200, Tsaousis, Costa wrote:
>>>>>> >> # create the trap ipset
>>>>>> >> ipset4 create trap hash:ip timeout 3600 counters
>>>>>> >
>>>>>> > I could read the code to check the exact syntax out but I will ask here,
>>>>>> > hopefully to the benefit of all:
>>>>>> >
>>>>>> >> # my traps
>>>>>> >> iptrap4 src trap   600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>>>>> >
>>>>>> > So the iptrap4 command adds the matching traffic to the ipset named in
>>>>>> > src, for the duration which is the second parameter?
>>>>>> >
>>>>>> >> # blacklist everything in the trap
>>>>>> >> blacklist4 input inface dsl0 log "BLACKLIST TRAP"  ipset:trap
>>>>>> >
>>>>>> > Then business as usual.
>>>>>> >
>>>>>> > Could this also be used to setup e.g. port knocking without the daemon?
>>>>>> > In which case a different command name than iptrap4 might be nice?
>>>>>> > e.g. something like:
>>>>>> >
>>>>>> > ipset4 dynamic trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>>>>> >
>>>>>> > Cheers
>>>>>> > Phil
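The trap, knock and untrap semantics of the firehol.conf quoted in Costa's Feb 7 mail, modelled in Python as an added example (it is neither FireHOL code nor from the thread). It assumes the rules take effect in the order they appear in the config and that every matching packet refreshes the ipset entry's timeout, as the thread describes; the addresses and traffic in scenario() are constructed.

```python
class IpSet:
    """Model of a kernel hash:ip set in which every entry has its own timeout."""
    def __init__(self):
        self.expiry = {}                      # ip -> absolute expiry time in seconds
    def add(self, ip, now, timeout):          # re-adding an IP refreshes its lifetime
        self.expiry[ip] = now + timeout
    def delete(self, ip):
        self.expiry.pop(ip, None)
    def contains(self, ip, now):              # expired entries are removed lazily
        if ip in self.expiry and self.expiry[ip] <= now:
            del self.expiry[ip]
        return ip in self.expiry
# dport -> timeout, from the "trap bad ports" iptrap4 lines (tcp only in this model)
TRAP_PORTS = {21: 86400, 22: 600, 23: 86400, 3128: 86400, 8080: 86400, 5038: 86400,
              111: 86400, 3306: 86400, 5060: 86400, 5900: 86400, 1433: 86400}
# (dport, set to fill, timeout, set the source must already be in): the knock chain
KNOCKS = [(12345, "knock1", 60, None), (23456, "knock2", 60, "knock1"),
          (34567, "knock3", 60, "knock2")]
class MiniIds:
    def __init__(self):
        self.sets = {n: IpSet() for n in ("trap", "knock1", "knock2", "knock3", "whitelist")}
    def packet(self, src, dport, now):
        """One inbound TCP packet; rules are assumed to run in config order. Returns 'dropped'/'accepted'."""
        s = self.sets
        for port, target, timeout, required in KNOCKS:          # iptrap4 src knockN ...
            if dport == port and (required is None or s[required].contains(src, now)):
                s[target].add(src, now, timeout)
        if dport == 34567 and s["knock3"].contains(src, now):   # ipuntrap4 src trap ...
            s["trap"].delete(src)
        if dport in TRAP_PORTS:                                 # iptrap4 src trap <timeout> ...
            s["trap"].add(src, now, TRAP_PORTS[dport])
        if s["trap"].contains(src, now) and not s["whitelist"].contains(src, now):
            return "dropped"                                    # blacklist4 ... except whitelist
        return "accepted"

def scenario():
    """Constructed traffic (RFC 5737 addresses): a scanner, an admin who knocks, a whitelisted home IP."""
    ids, r, scanner, admin, home = MiniIds(), {}, "198.51.100.7", "203.0.113.9", "192.0.2.1"
    ids.sets["whitelist"].add(home, 0, 10**9)          # the hash:net whitelist has no timeout
    ids.packet(scanner, 22, 0)                         # a single probe of tcp/22 traps the scanner
    r["scanner_port80"] = ids.packet(scanner, 80, 10)  # ...so even port 80 is now dropped
    r["scanner_expired"] = ids.packet(scanner, 80, 700)  # the 600 s trap entry has expired
    ids.packet(admin, 22, 0)                           # admin ssh'd to the wrong port: trapped
    r["admin_trapped"] = ids.packet(admin, 80, 1)
    for t, port in ((5, 12345), (20, 23456), (40, 34567)):  # the untrap knock sequence, in time
        ids.packet(admin, port, t)
    r["admin_untrapped"] = ids.packet(admin, 80, 41)
    ids.packet(home, 22, 0)                            # whitelisted IP lands in trap but is not blocked
    r["home_ssh_retry"] = ids.packet(home, 22, 1)
    return r
```

Knocking out of order, or letting more than 60 s pass between steps, leaves the source in trap because the next step's required set no longer contains it.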