[Firehol-support] mini-IDS

Tsaousis, Costa costa at tsaousis.gr
Mon Feb 9 16:26:46 GMT 2015


Hi all,

I updated the wiki page. I had a few typos in commands.
If you copied the example, please copy it again.

https://github.com/ktsaou/firehol/wiki/Working-with-traps

Thanks.

Costa

On Sun, Feb 8, 2015 at 11:21 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi all,
>
> I wrote a wiki page for traps and knocks.
>
> https://github.com/ktsaou/firehol/wiki/Working-with-traps
>
> Costa
>
>
> On Sat, Feb 7, 2015 at 7:36 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>> Hi all,
>>
>> I think I have completed this functionality. I have also tested the knock
>> sequence and I even wrote an ipuntrap helper to allow you to untrap
>> yourself if you know the knock sequence.
>>
>> ipuntrap is exactly the same as iptrap - only the timeout is not
>> needed. Everything else is the same.
>>
>> Now in firehol.conf I have this:
>>
>>
>> trap_iface="dsl0"
>>
>> ipset4 create whitelist hash:net
>> ipset4 add whitelist "X.X.X.X/X A.A.A.A/A"
>>
>> # this is the untrap sequence
>> iptrap4   src knock1 60 inface "${trap_iface}"      proto tcp dport 12345 log "KNOCK 1"
>> iptrap4   src knock2 60 src ipset:knock1            proto tcp dport 23456 log "KNOCK 2"
>> iptrap4   src knock3 60 src ipset:knock2            proto tcp dport 34567 log "KNOCK 3"
>>
>> # untrap all IPs in knock3
>> ipuntrap4 src trap      src ipset:knock3            proto tcp dport 34567 log "UNTRAPPED"
>>
>> # trap bad ports
>> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport        21 log "TRAP FTP"
>> iptrap4 src trap   600 inface "${trap_iface}" proto tcp     dport        22 log "TRAP SSH"
>> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport        23 log "TRAP TELNET"
>> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport 3128,8080 log "TRAP PROXY"
>> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport      5038 log "TRAP ASTERISK ADMIN"
>> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp,udp dport       111 log "TRAP PORTMAP"
>> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport      3306 log "TRAP MYSQL"
>> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp,udp dport      5060 log "TRAP SIP"
>> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport      5900 log "TRAP VNC"
>> iptrap4 src trap 86400 inface "${trap_iface}" proto tcp     dport      1433 log "TRAP MSSQL"
>>
>> # blacklist the trapped IPs
>> blacklist4 full inface "${trap_iface}" log "BLACKLIST TRAP" src ipset:trap except src ipset:whitelist
>>
>> To test it:
>>
>> 1. ping www.tsaousis.gr, it should work (if it doesn't work you
>> are already trapped, go to step 3)
>> 2. ssh www.tsaousis.gr, it should not work - you are trapped for 10 minutes
>> 3. telnet www.tsaousis.gr 12345 - it will block, press control-c
>> 4. telnet www.tsaousis.gr 23456 - it will block again, press control-c
>> 5. telnet www.tsaousis.gr 34567 - it will give you connection refused
>> - you are untrapped - you can ping me again.
>>
>> I have a few public (never used) IPs on which I decided to trap every
>> port. In 24 hours I have collected 600 IPs. This is good. It
>> allowed me to see in the logs that there are hundreds of people
>> scanning just one port on all IPs. They scan just one port at a time,
>> but on the whole IP range. If you can have a few spare IPs, you will
>> be able to minimize the risk of such attacks. Anyone doing a brute
>> force attack even on port 80, the moment he scans this port on
>> your spare IP, he will be out of your network.
>>
>> Another interesting feature that could be useful would be to allow an
>> iptrap to act as an interface or router policy. So every port someone is
>> trying to connect to, which is not accepted in firehol, will make him
>> enter an ipset. Then instead of just blacklisting all IPs in the
>> ipset, we could query the ipset to find how many times an IP has been
>> saved in the ipset (i.e. match all IPs in the ipset that have at least
>> 10 packets trapped so far). So we could say in firehol that every IP
>> that attempts to connect 10+ times to unused ports will be
>> automatically blacklisted for some time! The end of port scanning...
>>
>> ipset turns out to be... magic in the kernel...
>>
>> Costa
>>
>> PS: By the way, I have done quite a few changes in firehol. I would
>> appreciate it if you could test it a bit. Just do this:
>>
>> # git clone https://github.com/ktsaou/firehol.git firehol.git
>>
>> the above will create the directory firehol.git.
>>
>> The executable of firehol is firehol.git/sbin/firehol.in - you can run
>> it directly from there.
>>
>> To test it you don't need to activate your firewall with it. Just
>> generate the iptables statements for your config, with the old and the
>> new version:
>>
>> # firehol debug >/tmp/old.txt
>>
>> And the same with the downloaded version:
>>
>> # ./firehol.git/sbin/firehol.in debug >/tmp/new.txt
>>
>> The above do not change your firewall in any way. They just dump the commands.
>>
>> Now just compare /tmp/old.txt and /tmp/new.txt:
>>
>> # diff /tmp/old.txt /tmp/new.txt
>>
>> Normally, you will only have minimal changes (I think you will get all
>> lines with logs as changed, because the new version puts quotes on the
>> logs).
>> If they don't differ in anything important, just use the new one from now on.
>>
>> If you spot important differences between the two, please let us know.
>>
>> Costa
>>
>> On Fri, Feb 6, 2015 at 11:59 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>> Regarding the iptrap helper:
>>>
>>> 1. The problem of emptying the ipset when the firewall is restarted is
>>> solved. Now the iptrap generated ipset is not reset if you re-apply
>>> the firewall.
>>>
>>> 2. Regarding whitelists. I tried to find a solution to create chains
>>> of rules using the 'then' keyword. It is not that simple. I
>>> implemented another solution:
>>>
>>> The blacklist helper accepts an 'except' keyword, like this:
>>>
>>> blacklist4 full  inface dsl0 log "BLACKLIST OPENBL" ipset:openbl except src "1.2.3.4 ipset:whitelist"
>>>
>>> The above will create the blacklist for all IPs in ipset openbl (which
>>> are of course coming from dsl0), except IP 1.2.3.4 and all IPs in the
>>> ipset whitelist.
>>>
>>> So, for the blacklist helper, anything you write after the keyword
>>> 'except' is assumed to be a whitelist.
>>>
>>> Happy IDSing...
>>>
>>> Costa
>>>
>>>
>>>
>>> On Fri, Feb 6, 2015 at 1:00 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>>> I forgot to mention that in the contrib directory of firehol, I have
>>>> put a small script called 'update-ipsets.sh'.
>>>>
>>>> This downloads and installs a number of ipsets:
>>>>
>>>> 1. Top 20 attackers according to www.dshield.org
>>>> 2. Known compromised hosts, according to emergingthreats.net
>>>> 3. Open black list hosts, according to www.openbl.org
>>>> 4. TOR known hosts, according to emergingthreats.net
>>>> 5. Command and Control botnets according to emergingthreats.net
>>>> 6. Spam networks, according to spamhaus.org
>>>>
>>>> The script just creates the ipsets, and can be used by cron to update
>>>> them daily, hourly, etc. (it knows when to update each).
>>>> It is also very easy to extend it for more downloads.
>>>>
>>>> The ipsets are also saved in /etc/firehol/ipsets/. Files ending with
>>>> .ipset are lists of IPs (ipset of type hash:ip), while files ending in
>>>> .netset are lists of network addresses (ipset of type hash:net).
>>>>
>>>> The script does not alter your firewall. Use the ipset and blacklist
>>>> helpers to do whatever you like with these ipsets.
>>>>
>>>> I personally use in crontab:
>>>>
>>>> */15 * * * *    root    /data/src/firehol.git/contrib/update-ipsets.sh -s
>>>>
>>>> The above runs the script every 15 minutes to update the sets (-s
>>>> stands for silent - it will only output something when an ipset is
>>>> updated, so that I will only receive an email when an ipset is really
>>>> updated).
>>>>
>>>> And in firehol.conf:
>>>>
>>>> ipset4 create  openbl hash:ip
>>>> ipset4 addfile openbl ipsets/openbl.ipset
>>>>
>>>> ipset4 create  compromised hash:ip
>>>> ipset4 addfile compromised ipsets/compromised.ipset
>>>>
>>>> ipset4 create emerging_block hash:net
>>>> ipset4 addfile emerging_block ipsets/emerging_block.netset
>>>>
>>>> blacklist4 full  inface dsl0 log "BLACKLIST OPENBL"        ipset:openbl
>>>> blacklist4 full  inface dsl0 log "BLACKLIST COMPROMISED"   ipset:compromised
>>>> blacklist4 full  inface dsl0 log "BLACKLIST EMERGINGBLOCK" ipset:emerging_block
>>>>
>>>> I have to mention that my log is FULL of matching blacklists...
>>>>
>>>> Costa
>>>>
>>>>
>>>> On Fri, Feb 6, 2015 at 12:20 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>>>> Whitelisting needs some research...
>>>>>
>>>>> There are a few options (even ipset supports a 'nomatch' parameter, but
>>>>> only for hash:net sets - and even in this case I don't know if the
>>>>> whitelisted IPs will be replaced by iptrap).
>>>>> Another possibility would be to define a custom action in firehol that
>>>>> could chain matches, like this (THIS DOES NOT WORK YET - I am thinking
>>>>> about it):
>>>>>
>>>>> action MYDROP \
>>>>>     src not ipset:whitelist \
>>>>>     then src ipset:blacklist action DROP
>>>>>
>>>>> then in blacklist:
>>>>>
>>>>> blacklist full action MYDROP
>>>>>
>>>>> or even in one line like this:
>>>>>
>>>>> blacklist full src not ipset:whitelist then src ipset:blacklist
>>>>>
>>>>> The 'then' keyword could be used anywhere to indicate that firehol is
>>>>> expected to chain matches together, do the first match, then the
>>>>> second match, then the third and finally take action.
>>>>>
>>>>> I will try to experiment a bit during the weekend...
>>>>>
>>>>> Costa
>>>>>
>>>>>
>>>>> On Fri, Feb 6, 2015 at 11:51 AM, John Sullivan <john at benzo8.org> wrote:
>>>>>> So we can now replace fail2ban and knockd with firehol - that's awesome,
>>>>>> Costa!
>>>>>>
>>>>>> Is there an easy way of making exceptions to traps - ie: if I never want to
>>>>>> blacklist my home IP address, no matter how many times it accidentally tries
>>>>>> to SSH into my server on the wrong port?
>>>>>>
>>>>>> John...
>>>>>>
>>>>>> On Fri Feb 06 2015 at 10:33:51 Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>>>>>>
>>>>>>> ok, nice.
>>>>>>>
>>>>>>> I was too excited to write down how iptrap works.
>>>>>>>
>>>>>>> I made a few more changes. So, the iptrap helper:
>>>>>>>
>>>>>>> iptrap sets up an IP address trap. It just copies an IP to an ipset. It
>>>>>>> does not accept, reject, or drop traffic. Packets matched by iptrap
>>>>>>> will continue to flow and should be handled like every other
>>>>>>> packet.
>>>>>>>
>>>>>>> iptrap will create the ipset specified, if that ipset has not already
>>>>>>> been created by other statements.
>>>>>>>
>>>>>>> The syntax of iptrap is:
>>>>>>>
>>>>>>> iptrap type ipset timeout [ optional rule parameters ]
>>>>>>>
>>>>>>> - type is src or dst or src,dst or dst,src. It controls what the
>>>>>>> iptrap will save in the ipset. Keep in mind there are ipsets that can
>>>>>>> have pairs of IPs. src,dst and dst,src are pairs. (unfortunately,
>>>>>>> currently in FireHOL you cannot specify ipset with pairs of IPs to
>>>>>>> optional rule parameters - so currently, ipsets with pairs can only be
>>>>>>> used for logging).
>>>>>>>
>>>>>>> - ipset is the name of the ipset to be used/created. iptrap will only
>>>>>>> check if the ipset has been created by firehol. If the ipset is
>>>>>>> created outside firehol, iptrap will re-create it.
>>>>>>>
>>>>>>> - timeout is the duration in seconds of the lifetime of each IP
>>>>>>> address in the ipset. Every matching packet will refresh this duration
>>>>>>> for the IP address in the ipset.
>>>>>>>
>>>>>>> Current issues: such dynamic ipsets are emptied when the firewall is
>>>>>>> restarted (not if restored, only when restarted). I will try to
>>>>>>> address this too.
>>>>>>>
>>>>>>> My current rules are the same as above, but without the ipset line.
>>>>>>> The first iptrap creates the ipset needed.
>>>>>>>
>>>>>>> # my traps
>>>>>>> iptrap4 src trap   600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>>>>>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 23 log "TRAP TELNET"
>>>>>>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 3128 log "TRAP SQUID"
>>>>>>> iptrap4 src trap 86400 inface dsl0 proto tcp dport 3306 log "TRAP MYSQL"
>>>>>>> iptrap4 src trap  3600 inface dsl0 proto tcp dport 5038 log "TRAP ASTERISK ADMIN"
>>>>>>> iptrap4 src trap  3600 inface dsl0 proto tcp,udp dport 111 log "TRAP PORTMAP"
>>>>>>> iptrap4 src trap 86400 inface dsl0 proto tcp,udp dport 5060 log "TRAP SIP"
>>>>>>> iptrap4 src trap  3600 inface dsl0 proto udp dport 137,138,139 log "TRAP NETBIOS"
>>>>>>> iptrap4 src trap 86400 inface dsl0 proto tcp dport 1433 log "TRAP MSSQL"
>>>>>>>
>>>>>>> # blacklist everything in the trap
>>>>>>> blacklist4 input inface dsl0 log "BLACKLIST TRAP"  ipset:trap
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> So, yes we can create knock, like this:
>>>>>>>
>>>>>>> iptrap4 src knock.step.1 60 inface dsl0 proto tcp dport 1000 log "STEP 1"
>>>>>>> iptrap4 src knock.step.2 60 inface dsl0 proto tcp dport 2000 log "STEP 2" src ipset:knock.step.1
>>>>>>> iptrap4 src knock.step.3 60 inface dsl0 proto tcp dport 3000 log "STEP 3" src ipset:knock.step.2
>>>>>>>
>>>>>>> and then:
>>>>>>>
>>>>>>> server ssh accept src ipset:knock.step.3 log "SSH ACCEPTED"
>>>>>>>
>>>>>>> So a user will have to knock tcp/1000, then in 60 seconds knock
>>>>>>> tcp/2000, then in 60 seconds knock tcp/3000 and then in 60 seconds ssh
>>>>>>> to us.
>>>>>>>
>>>>>>> Once he has ssh'd, his session will remain (it is ESTABLISHED), but no
>>>>>>> new ssh sessions can be created by him after 60 seconds of
>>>>>>> knock.step.3.
>>>>>>>
>>>>>>> Costa
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Feb 6, 2015 at 9:50 AM, Phil Whineray <phil at sanewall.org> wrote:
>>>>>>> > Costa
>>>>>>> >
>>>>>>> > This looks great.
>>>>>>> >
>>>>>>> > On Fri, Feb 06, 2015 at 03:19:00AM +0200, Tsaousis, Costa wrote:
>>>>>>> >> # create the trap ipset
>>>>>>> >> ipset4 create trap hash:ip timeout 3600 counters
>>>>>>> >
>>>>>>> > I could read the code to check the exact syntax out but I will ask here,
>>>>>>> > hopefully to the benefit of all:
>>>>>>> >
>>>>>>> >> # my traps
>>>>>>> >> iptrap4 src trap   600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>>>>>> >
>>>>>>> > So the iptrap4 command adds the matching traffic to the ipset named in
>>>>>>> > src, for the duration which is the second parameter?
>>>>>>> >
>>>>>>> >> # blacklist everything in the trap
>>>>>>> >> blacklist4 input inface dsl0 log "BLACKLIST TRAP"  ipset:trap
>>>>>>> >
>>>>>>> > Then business as usual.
>>>>>>> >
>>>>>>> > Could this also be used to setup e.g. port knocking without the daemon?
>>>>>>> > In which case a different command name than iptrap4 might be nice?
>>>>>>> > e.g. something like:
>>>>>>> >
>>>>>>> > ipset4 dynamic trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"
>>>>>>> >
>>>>>>> > Cheers
>>>>>>> > Phil
>>>>>>> _______________________________________________
>>>>>>> Firehol-support mailing list
>>>>>>> Firehol-support at lists.firehol.org
>>>>>>> http://lists.firehol.org/mailman/listinfo/firehol-support
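Editor's added example, not code from the thread or from FireHOL: a plain-Python model of the iptrap / ipuntrap / blacklist chain that Costa's firehol.conf above builds out of ipsets. It replays the "To test it" steps (trap on an ssh probe, the three-port knock within 60 s per step, the untrap) and adds the two cases a practitioner would want to see: a knock whose steps arrive too slowly, and a whitelisted host that is trapped but never blacklisted because of the blacklist helper's 'except'. Port numbers and timeouts are the ones from the thread; the addresses, the clock and the TrapFirewall/Packet names are assumptions, and only tcp traps are modelled (the thread also traps udp 111 and 5060).

```python
"""Model of the iptrap / ipuntrap / blacklist chain from the thread.
Added example, not FireHOL code.  Ports and timeouts come from the
firehol.conf above; hosts and the clock are made up, tcp only."""
from dataclasses import dataclass

# 'trap bad ports' block: dport -> lifetime of the trapped address (seconds)
TRAP_PORTS = {21: 86400, 22: 600, 23: 86400, 3128: 86400, 8080: 86400,
              5038: 86400, 111: 86400, 3306: 86400, 5060: 86400,
              5900: 86400, 1433: 86400}
KNOCK_PORTS = [12345, 23456, 34567]   # the untrap sequence
KNOCK_TIMEOUT = 60                    # each step must follow within 60 s


@dataclass
class Packet:
    src: str
    proto: str
    dport: int


class TrapFirewall:
    """Every named ipset is a dict: ip -> [expires_at, packets_matched]."""

    def __init__(self, whitelist):
        self.sets = {"whitelist": {ip: [float("inf"), 0] for ip in whitelist}}
        self.log = []

    def member(self, name, ip, now):
        entry = self.sets.get(name, {}).get(ip)
        return entry is not None and entry[0] > now

    def trap(self, name, ip, timeout, now, msg):
        """iptrap: copy the address into the set.  A live entry is refreshed;
        an expired one starts over with a fresh counter (ipset semantics)."""
        entries = self.sets.setdefault(name, {})
        entry = entries.get(ip)
        if entry is None or entry[0] <= now:
            entries[ip] = [now + timeout, 1]
        else:
            entry[0] = now + timeout
            entry[1] += 1
        self.log.append(f"{msg} {ip}")

    def untrap(self, name, ip, msg):
        """ipuntrap: remove the address from the set (no timeout needed)."""
        if self.sets.get(name, {}).pop(ip, None) is not None:
            self.log.append(f"{msg} {ip}")

    def process(self, pkt, now):
        """Walk the rules in firehol.conf order.  'DROP' for a blacklisted
        source, else 'PASS': the packet goes on to the normal server/client
        rules, because iptrap itself never drops anything."""
        ip = pkt.src
        if pkt.proto == "tcp":
            # knock chain: step N only counts while step N-1 is still live
            prev = None
            for step, port in enumerate(KNOCK_PORTS, 1):
                if pkt.dport == port and (prev is None or self.member(prev, ip, now)):
                    self.trap(f"knock{step}", ip, KNOCK_TIMEOUT, now, f"KNOCK {step}")
                prev = f"knock{step}"
            # untrap all IPs in knock3 (the packet that completed the sequence)
            if pkt.dport == KNOCK_PORTS[-1] and self.member("knock3", ip, now):
                self.untrap("trap", ip, "UNTRAPPED")
            # trap bad ports
            if pkt.dport in TRAP_PORTS:
                self.trap("trap", ip, TRAP_PORTS[pkt.dport], now, f"TRAP {pkt.dport}")
        # blacklist the trapped IPs, except the whitelist
        if self.member("trap", ip, now) and not self.member("whitelist", ip, now):
            self.log.append(f"BLACKLIST TRAP {ip}")
            return "DROP"
        return "PASS"


def scenario():
    """Replay the thread's 'To test it' steps for a scanner, plus a slow
    knocker and a whitelisted admin host (addresses are constructed)."""
    scanner, admin = "203.0.113.9", "198.51.100.7"
    fw = TrapFirewall(whitelist=[admin])
    v = {}
    v["before"] = fw.process(Packet(scanner, "tcp", 80), 0)       # nothing trapped yet
    fw.process(Packet(scanner, "tcp", 22), 1)                      # ssh probe: trapped 600 s
    v["trapped"] = fw.process(Packet(scanner, "tcp", 80), 2)
    fw.process(Packet(scanner, "tcp", 23456), 3)                   # step 2 without step 1
    v["bad_order"] = fw.process(Packet(scanner, "tcp", 80), 4)
    fw.process(Packet(scanner, "tcp", 12345), 10)                  # steps 3-5 of the test
    fw.process(Packet(scanner, "tcp", 23456), 20)
    v["last_knock"] = fw.process(Packet(scanner, "tcp", 34567), 30)
    v["untrapped"] = fw.process(Packet(scanner, "tcp", 80), 31)
    fw.process(Packet(scanner, "tcp", 22), 100)                    # trapped again
    fw.process(Packet(scanner, "tcp", 12345), 101)
    fw.process(Packet(scanner, "tcp", 23456), 170)                 # 69 s later: knock1 expired
    fw.process(Packet(scanner, "tcp", 34567), 171)
    v["slow_knock"] = fw.process(Packet(scanner, "tcp", 80), 172)
    v["expired"] = fw.process(Packet(scanner, "tcp", 80), 701)     # 600 s trap has lapsed
    fw.process(Packet(admin, "tcp", 22), 1000)                     # admin is trapped too...
    v["whitelisted"] = fw.process(Packet(admin, "tcp", 80), 1001)  # ...but 'except' wins
    return fw, v
```

Run `scenario()` and print `fw.log` to see the same KNOCK / TRAP / UNTRAPPED / BLACKLIST lines the config logs. Two things the model makes visible: the third knock packet both enters knock3 and triggers the untrap, because the ipuntrap rule sits after the knock3 iptrap and matches the set the same packet just joined; and each knock set's 60 s lifetime is the window for the next step, so a step that arrives late leaves the host trapped until the trap entry's own timeout expires.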


