[Firehol-support] mini-IDS

Tsaousis, Costa costa at tsaousis.gr
Fri Feb 6 11:00:16 GMT 2015


I forgot to mention that in the contrib directory of firehol, I have
put a small script called 'update-ipsets.sh'.

This downloads and installs a number of ipsets:

1. Top 20 attackers according to www.dshield.org
2. Known compromised hosts, according to emergingthreats.net
3. Open black list hosts, according to www.openbl.org
4. TOR known hosts, according to emergingthreats.net
5. Command and Control botnets according to emergingthreats.net
6. Spam networks, according to spamhaus.org

The script just creates the ipsets, and can be used by cron to update
them daily, hourly, etc. (it knows when to update each)
It is also very easy to extend it for more downloads.

The ipsets are also saved in /etc/firehol/ipsets/. Files ending with
.ipset are lists of IPs (ipset of type hash:ip), while files ending in
.netset are lists of network addresses (ipset of type hash:net).

The script does not alter your firewall. Use the ipset and blacklist
helpers to do whatever you like with these ipsets.

I personally use in crontab:

*/15 * * * *    root    /data/src/firehol.git/contrib/update-ipsets.sh -s

The above runs the script every 15 minutes to update the sets (-s
stands for silent - it will only output something when an ipset is
updated, so that I will only receive an email when an ipset is really
updated).

And in firehol.conf:

ipset4 create  openbl hash:ip
ipset4 addfile openbl ipsets/openbl.ipset

ipset4 create  compromised hash:ip
ipset4 addfile compromised ipsets/compromised.ipset

ipset4 create emerging_block hash:net
ipset4 addfile emerging_block ipsets/emerging_block.netset

blacklist4 full  inface dsl0 log "BLACKLIST OPENBL"        ipset:openbl
blacklist4 full  inface dsl0 log "BLACKLIST COMPROMISED"   ipset:compromised
blacklist4 full  inface dsl0 log "BLACKLIST EMERGINGBLOCK" ipset:emerging_block

I have to mention that my log is FULL of matching blacklists...

Costa
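
An added example (not part of update-ipsets.sh or FireHOL): a pre-load check for the downloaded .ipset/.netset files described above. It drops malformed lines, over-broad networks, and any entry that overlaps addresses you never want blocked, which is the whitelisting concern raised in the thread quoted below. The file format (one IPv4 address or CIDR per line, `#` comments), the never-block list and the function name are assumptions.

```python
import ipaddress

# Assumption: addresses that must never end up in a blacklist.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "203.0.113.7/32",  # constructed "home IP" from a documentation range
)]

# Constructed sample list, not a real feed.
SAMPLE_NETSET = """\
# comment line
198.51.100.0/24
192.168.1.0/24
0.0.0.0/0
203.0.113.0/24
not-an-address
198.51.100.77   # inline comment
"""

def sanitize(lines, kind, never_block=NEVER_BLOCK, min_prefix=8):
    """Return (kept, rejected); kind is "ipset" (hash:ip) or "netset" (hash:net)."""
    kept, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not an IP/CIDR"))
            continue
        if net.version != 4:  # the sets above are loaded with ipset4
            rejected.append((entry, "not IPv4"))
        elif kind == "ipset" and net.prefixlen != 32:
            rejected.append((entry, "network in hash:ip list"))
        elif net.prefixlen < min_prefix:
            rejected.append((entry, "suspiciously broad"))
        elif any(net.overlaps(w) for w in never_block):
            rejected.append((entry, "overlaps never-block list"))
        else:
            kept.append(str(net.network_address) if kind == "ipset" else str(net))
    return kept, rejected

if __name__ == "__main__":
    kept, rejected = sanitize(SAMPLE_NETSET.splitlines(), "netset")
    print("keep:", kept)
    for entry, reason in rejected:
        print("drop:", entry, "-", reason)
```

The rejected pairs are worth mailing from cron: a feed that suddenly lists your own address or a /0 is a sign the list is wrong or has been tampered with.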


On Fri, Feb 6, 2015 at 12:20 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Whitelisting needs some research...
>
> There are a few options (even ipset supports a 'nomatch' parameter, but
> only for hash:net sets - and even in this case I don't know if the
> whitelisted IPs will be replaced by iptrap).
> Another possibility would be to define a custom action in firehol that
> could chain matches, like this (THIS DOES NOT WORK YET - I am thinking
> about it):
>
> action MYDROP \
>     src not ipset:whitelist \
>     then src ipset:blacklist action DROP
>
> then in blacklist:
>
> blacklist full action MYDROP
>
> or even in one line like this:
>
> blacklist full src not ipset:whitelist then src ipset:blacklist
>
> The 'then' keyword could be used anywhere to indicate that firehol is
> expected to chain matches together, do the first match, then the
> second match, then the third and finally take action.
>
> I will try to experiment a bit during the weekend...
>
> Costa
>
>
> On Fri, Feb 6, 2015 at 11:51 AM, John Sullivan <john at benzo8.org> wrote:
>> So we can now replace fail2ban and knockd with firehol - that's awesome,
>> Costa!
>>
>> Is there an easy way of making exceptions to traps - ie: if I never want to
>> blacklist my home IP address, no matter how many times it accidentally tries
>> to SSH into my server on the wrong port?
>>
>> John...
>>
>> On Fri Feb 06 2015 at 10:33:51 Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>>
>>> ok, nice.
>>>
>>> I was too excited to write down how iptrap works.
>>>
>>> I made a few more changes. So, the iptrap helper:
>>>
>>> iptrap sets up an IP address trap. It just copies an IP to an ipset. It
>>> does not accept, reject, or drop traffic. Packets matched by iptrap
>>> will continue to flow and should be handled like every other
>>> packet.
>>>
>>> iptrap will create the ipset specified, if that ipset has not already
>>> been created by other statements.
>>>
>>> The syntax of iptrap is:
>>>
>>> iptrap type ipset timeout [ optional rule parameters ]
>>>
>>> - type is src or dst or src,dst or dst,src. It controls what the
>>> iptrap will save in the ipset. Keep in mind there are ipsets that can
>>> have pairs of IPs. src,dst and dst,src are pairs. (unfortunately,
>>> currently in FireHOL you cannot specify ipset with pairs of IPs to
>>> optional rule parameters - so currently, ipsets with pairs can only be
>>> used for logging).
>>>
>>> - ipset is the name of the ipset to be used/created. iptrap will only
>>> check if the ipset has been created by firehol. If the ipset is
>>> created outside firehol, iptrap will re-create it.
>>>
>>> - timeout is the duration in seconds of the lifetime of each IP
>>> address in the ipset. Every matching packet will refresh this duration
>>> of the IP address in the ipset.
>>>
>>> Current issues: such dynamic ipsets are emptied when the firewall is
>>> restarted (not if restored, only when restarted). I will try to
>>> address this too.
>>>
>>> My current rules are the same as above, but without the ipset line.
>>> The first iptrap creates the ipset needed.
>>>
>>> # my traps
>>> iptrap4 src trap   600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 23 log "TRAP TELNET"
>>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 3128 log "TRAP SQUID"
>>> iptrap4 src trap 86400 inface dsl0 proto tcp dport 3306 log "TRAP MYSQL"
>>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 5038 log "TRAP ASTERISK ADMIN"
>>> iptrap4 src trap  3600 inface dsl0 proto tcp,udp dport 111 log "TRAP PORTMAP"
>>> iptrap4 src trap 86400 inface dsl0 proto tcp,udp dport 5060 log "TRAP SIP"
>>> iptrap4 src trap  3600 inface dsl0 proto udp dport 137,138,139 log "TRAP NETBIOS"
>>> iptrap4 src trap 86400 inface dsl0 proto tcp dport 1433 log "TRAP MSSQL"
>>>
>>> # blacklist everything in the trap
>>> blacklist4 input inface dsl0 log "BLACKLIST TRAP"  ipset:trap
>>>
>>>
>>>
>>> So, yes we can create knock, like this:
>>>
>>> iptrap4 src knock.step.1 60 inface dsl0 proto tcp dport 1000 log "STEP 1"
>>> iptrap4 src knock.step.2 60 inface dsl0 proto tcp dport 2000 log "STEP 2" src ipset:knock.step.1
>>> iptrap4 src knock.step.3 60 inface dsl0 proto tcp dport 3000 log "STEP 3" src ipset:knock.step.2
>>>
>>> and then:
>>>
>>> server ssh accept src ipset:knock.step.3 log "SSH ACCEPTED"
>>>
>>> So a user will have to knock tcp/1000, then in 60 seconds knock
>>> tcp/2000, then in 60 seconds knock tcp/3000 and then in 60 seconds ssh
>>> to us.
>>>
>>> Once he has ssh'd, his session will remain (it is ESTABLISHED), but no
>>> new ssh sessions can be created by him after 60 seconds of
>>> knock.step.3.
>>>
>>> Costa
>>>
>>>
>>> On Fri, Feb 6, 2015 at 9:50 AM, Phil Whineray <phil at sanewall.org> wrote:
>>> > Costa
>>> >
>>> > This looks great.
>>> >
>>> > On Fri, Feb 06, 2015 at 03:19:00AM +0200, Tsaousis, Costa wrote:
>>> >> # create the trap ipset
>>> >> ipset4 create trap hash:ip timeout 3600 counters
>>> >
>>> > I could read the code to check the exact syntax out but I will ask here,
>>> > hopefully to the benefit of all:
>>> >
>>> >> # my traps
>>> >> iptrap4 src trap   600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>> >
>>> > So the iptrap4 command adds the matching traffic to the ipset named in
>>> > src, for the duration which is the second parameter?
>>> >
>>> >> # blacklist everything in the trap
>>> >> blacklist4 input inface dsl0 log "BLACKLIST TRAP"  ipset:trap
>>> >
>>> > Then business as usual.
>>> >
>>> > Could this also be used to set up e.g. port knocking without the daemon?
>>> > In which case a different command name than iptrap4 might be nice?
>>> > e.g. something like:
>>> >
>>> > ipset4 dynamic trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>> >
>>> > Cheers
>>> > Phil