LINUX FIREWALLS
Attack Detection and Response with iptables, psad, and fwsnort
Michael Rash

USE IPTABLES TO DETECT AND PREVENT NETWORK-BASED ATTACKS

System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection system (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack.

Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You'll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.

Concrete examples illustrate concepts such as firewall log analysis and policies, passive network authentication and authorization, exploit packet traces, Snort ruleset emulation, and more, with coverage of:

• Application layer attack detection with the iptables string match extension and fwsnort
• Building an iptables ruleset that emulates a Snort ruleset
• Port knocking vs. Single Packet Authorization (SPA)
• Tools for visualizing iptables logs
• Passive OS fingerprinting with iptables

Perl and C code snippets offer practical examples that will help you to maximize your deployment of Linux firewalls.

If you're responsible for keeping a network secure, you'll find Linux Firewalls invaluable in your attempt to understand attacks and use iptables, along with psad and fwsnort, to detect and even prevent compromises.

"Linux Firewalls is a great book." —From the foreword by Richard Bejtlich of TaoSecurity.com

ABOUT THE AUTHOR

Michael Rash is a security architect with Enterasys Networks, Inc., where he develops the Dragon intrusion detection and prevention system. He is a frequent contributor to open source projects and the creator of psad, fwknop, and fwsnort. Rash is an expert on firewalls, intrusion detection systems, passive OS fingerprinting, and the Snort rules language. He is co-author of Snort 2.1 Intrusion Detection (Syngress, 2004) and author of Intrusion Prevention and Active Response (Syngress, 2005), and he has written security articles for Linux Journal, Sys Admin magazine, and ;login:.

THE FINEST IN GEEK ENTERTAINMENT™
$49.95 ($59.95 CDN)
SHELVE IN: COMPUTER SECURITY/NETWORKING
www.nostarch.com
This book uses RepKover, a durable binding that won't snap shut.
Printed on recycled paper

PRAISE FOR LINUX FIREWALLS

"Right from the start, the book presented valuable information and pulled me in. Each of the central topics was thoroughly explained in an informative, yet engaging manner. Essentially, I did not want to stop reading."
–SLASHDOT

"What really makes this book different from the others I've seen over the years is that the author approaches the subject in a layered method while exposing potential vulnerabilities at each step. So for those that are new to the security game, the book also takes a stab at teaching the basics of network security while teaching you the tools to build a modern firewall."
–INFOWORLD

"This admirable, eminently usable text goes much further than advertised."
–LINUX USER AND DEVELOPER

"This well-researched book heightens an average system administrator's awareness to the vulnerabilities in his or her infrastructure, and the potential to find hardening solutions."
–FREE SOFTWARE MAGAZINE

"If you or anyone you know is responsible for keeping a secure network, Linux Firewalls is an invaluable resource to have by your side."
–LINUXSECURITY.COM

"If you're building a Linux firewall and want to know what all the bells and whistles are, when you might want to set them off, and how to hook them together, here you go."
–;LOGIN

"If you run one or more Linux based firewalls, this book will not only help you to configure them securely, it will help you understand how they can be monitored to discover evidence of probes, abuse and denial of service attacks."
–RON GULA, CTO & CO-FOUNDER OF TENABLE NETWORK SECURITY

LINUX FIREWALLS
Attack Detection and Response with iptables, psad, and fwsnort
by Michael Rash
San Francisco

LINUX FIREWALLS. Copyright © 2007 by Michael Rash.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
Printed on recycled paper in the United States of America

11 10 09 08   2 3 4 5 6 7 8 9

ISBN-10: 1-59327-141-7
ISBN-13: 978-1-59327-141-1

Publisher: William Pollock
Production Editor: Christina Samuell
Cover and Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Pablo Neira Ayuso
Copyeditors: Megan Dunchak and Bonnie Granat
Compositors: Christina Samuell and Riley Hoffman
Proofreaders: Karol Jurado and Riley Hoffman
Indexer: Nancy Guenther

For information on book distributors or translations, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
555 De Haro Street, Suite 250, San Francisco, CA 94107
phone: 415.863.9900; fax: 415.863.9950; [email protected]; www.nostarch.com

Library of Congress Cataloging-in-Publication Data
Rash, Michael.
Linux firewalls : attack detection and response with iptables, psad, and fwsnort / Michael Rash.
p. cm.
Includes index.
ISBN-13: 978-1-59327-141-1
ISBN-10: 1-59327-141-7
1. Computers--Access control. 2. Firewalls (Computer security) 3. Linux. I. Title.
QA76.9.A25R36 2007
005.8--dc22
2006026679

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
To Katie and little Bella

BRIEF CONTENTS

Acknowledgments
Foreword by Richard Bejtlich
Introduction
Chapter 1: Care and Feeding of iptables
Chapter 2: Network Layer Attacks and Defense
Chapter 3: Transport Layer Attacks and Defense
Chapter 4: Application Layer Attacks and Defense
Chapter 5: Introducing psad: The Port Scan Attack Detector
Chapter 6: psad Operations: Detecting Suspicious Traffic
Chapter 7: Advanced psad Topics: From Signature Matching to OS Fingerprinting
Chapter 8: Active Response with psad
Chapter 9: Translating Snort Rules into iptables Rules
Chapter 10: Deploying fwsnort
Chapter 11: Combining psad and fwsnort
Chapter 12: Port Knocking vs. Single Packet Authorization
Chapter 13: Introducing fwknop
Chapter 14: Visualizing iptables Logs
Appendix A: Attack Spoofing
Appendix B: A Complete fwsnort Script
Index