[Firehol-support] mini-IDS
Tsaousis, Costa
costa at tsaousis.gr
Fri Feb 6 09:33:41 GMT 2015
ok, nice.
I was too excited to write down how iptrap works.
I made a few more changes. So, the iptrap helper:
iptrap sets up a IP address trap. It just copies an IP to an ipset. It
does not accept, reject, or drop traffic. Packets matched by iptrap
will continue to flow and should be handled like everything other
packet.
iptrap will create the ipset specified, if that ipset has not already
created by other statements.
The syntax of iptrap is:
iptrap type ipset timeout [ optional rule parameters ]
- type is src or dst or src,dst or dst,src. It controls what the
iptrap will save in the ipset. Keep in mind there are ipsets that can
have pairs of IPs. src,dst and dst,src are pairs. (unfortunately,
currently in FireHOL you cannot specify ipset with pairs of IPs to
optional rule parameters - so currently, ipsets with pairs can only be
used for logging).
- ipset is the name of the ipset to be used/created. iptrap will only
check if the ipset has been created by a firehol. If the ipset is
created outside firehol, iptrap will re-create it.
- timeout is the duration in seconds of the lifetime of each IP
address in the ipset. Every matching packet will refresh this duration
of IP address in the ipset.
Current issues: such dynamic ipsets are emptied when the firewall is
restarted (not if restored, only when restarted). I will try to
address this too.
My current rules are the same as above, but without the ipset line.
The first iptrap creates the ipset needed.
# my traps
iptrap4 src trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
iptrap4 src trap 3600 inface dsl0 proto tcp dport 23 log "TRAP TELNET"
iptrap4 src trap 3600 inface dsl0 proto tcp dport 3128 log "TRAP SQUID"
iptrap4 src trap 86400 inface dsl0 proto tcp dport 3306 log "TRAP MYSQL"
iptrap4 src trap 3600 inface dsl0 proto tcp dport 5038 log "TRAP
ASTERISK ADMIN"
iptrap4 src trap 3600 inface dsl0 proto tcp,udp dport 111 log "TRAP PORTMAP"
iptrap4 src trap 86400 inface dsl0 proto tcp,udp dport 5060 log "TRAP SIP"
iptrap4 src trap 3600 inface dsl0 proto udp dport 137,138,139 log
"TRAP NETBIOS"
iptrap4 src trap 86400 inface dsl0 proto tcp dport 1433 log "TRAP MSSQL"
# blacklist everything in the trap
blacklist4 input inface dsl0 log "BLACKLIST TRAP" ipset:trap
So, yes we can create knock, like this:
iptrap4 src knock.step.1 60 inface dsl0 proto tcp dport 1000 log "STEP 1"
iptrap4 src knock.step.2 60 inface dsl0 proto tcp dport 2000 log "STEP
2" src ipset:knock.step.1
iptrap4 src knock.step.3 60 inface dsl0 proto tcp dport 3000 log "STEP
3" src ipset:knock.step.2
and then:
server ssh accept src ipset:knock.step.3 log "SSH ACCEPTED"
So a user will have to knock tcp/1000, then in 60 seconds knock
tcp/2000, then in 60 seconds knock tcp/3000 and then in 60 seconds ssh
to us.
Once he has ssh'd, his session will remain (it is ESTABLISHED), but no
new ssh sessions can be created by him after 60 seconds of
knock.step.3.
Costa
On Fri, Feb 6, 2015 at 9:50 AM, Phil Whineray <phil at sanewall.org> wrote:
> Costa
>
> This looks great.
>
> On Fri, Feb 06, 2015 at 03:19:00AM +0200, Tsaousis, Costa wrote:
>> # create the trap ipset
>> ipset4 create trap hash:ip timeout 3600 counters
>
> I could read the code to check the exact syntax out but I will ask here,
> hopefully to the benefit of all:
>
>> # my traps
>> iptrap4 src trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>
> So the iptrap4 command adds the matching traffic to the ipset named in
> src, for the duration which is the second parameter?
>
>> # blacklist everything in the trap
>> blacklist4 input inface dsl0 log "BLACKLIST TRAP" ipset:trap
>
> Then business as usual.
>
> Could this also be used to setup e.g. port knocking without the daemon?
> In which case a different command name than iptrap4 might be nice?
> e.g. something like:
>
> ipset4 dynamic trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>
> Cheers
> Phil
More information about the Firehol-support
mailing list