Configuration Variables

The most important variable that controls whether or not psad enters into active response mode is ENABLE_AUTO_IDS, which can be set to either Y or N within the /etc/psad/psad.conf file. When this feature is enabled, several other variables (discussed below) control various operational aspects of psad as it endeavors to automatically block attackers.

1 As discussed in Chapter 3, iptables can send a reset packet in order to knock down a TCP connection through the use of the REJECT target, but psad does not support this in conjunction with instantiating a general DROP rule against an attacker.

The AUTO_IDS_DANGER_LEVEL variable sets a threshold from 1 to 5 for the minimum danger level that an IP address must reach before a blocking rule is instantiated. By tuning the port scan thresholds, individual signature danger levels (see /etc/psad/signatures), and automatic danger level assignments (see /etc/psad/auto_dl), psad can be made to perform granular decisions about whether or not to automatically block an IP address. For example, if a particular IP address or network (say 192.168.1.0/24, for the sake of example) is a known bad actor because of a history of scans or intrusion attempts, then you may want to keep communications from this address on a tight leash by adding the following line to the /etc/psad/auto_dl file:

Then, if any IP address within the 192.168.1.0/24 class C network gets out of line with respect to the filtering policy, a blocking rule will be added against this IP address, regardless of how high AUTO_IDS_DANGER_LEVEL is set.

Under normal circumstances, iptables is configured not to log legitimate traffic to crucial services (such as web sessions or DNS traffic), so any IP address within the 192.168.1.0/24 network can access such services without interruption, as long as it does not cause iptables to log a packet.

NOTE Legitimate traffic is somewhat of an amorphous concept, and in Chapters 9 and 10, we will see that legitimate does not just mean establishing a syntactically valid transport layer connection; iptables can also inspect application layer data for attacks.

The AUTO_BLOCK_TIMEOUT variable defines the length of time (in seconds) that an iptables blocking rule remains in effect. The default value is 3,600 seconds, or one hour. By setting AUTO_BLOCK_TIMEOUT to zero, all blocking rules are made permanent and are only removed if psad is restarted or the system is rebooted, unless FLUSH_IPT_AT_INIT is disabled.

The IPTABLES_BLOCK_METHOD and TCPWRAPPERS_BLOCK_METHOD variables control whether psad uses iptables or tcpwrappers to block offending IP addresses. If psad is configured to respond to attacks, then the recommended setting is to enable iptables blocking.

The ENABLE_AUTO_IDS_REGEX and AUTO_BLOCK_REGEX variables allow the act of adding a blocking rule against an IP address to be tied to whether or not a logging prefix matches a particular regular expression. This is most useful for blocking IP addresses, but only after monitoring an attack that requires bidirectional communication through an established TCP session. Because port scans are easily spoofed, this feature provides a powerful mechanism to restrict blocking rules to IP addresses that are not simply spoofed by an attacker.

Finally, the remaining important configuration variables for automatically blocking attackers control the manner in which iptables rules are created. These variables all begin with the string IPT_AUTO_CHAIN followed by an integer (just like the DANGER_LEVEL{n} variables), and they specify seven criteria to influence how psad adds rules to iptables:

• Whether to apply the rule to the source or the destination (or both)

• The table in which the rule is added (e.g., the filter table)

• The iptables chain to which a jump rule is added for the custom psad chain

• The position within this iptables chain where the jump rule is added

• The name of the custom psad chain

• The position within the custom psad chain where new rules are added

psad handles the creation and maintenance of not only the blocking rules themselves, but also the custom psad chains and the jump rules into these chains from the built-in iptables chains.

The default IPT_AUTO_CHAIN{n} variables instruct psad to add a total of four blocking rules for an IP address that trips the AUTO_IDS_DANGER_LEVEL threshold:

• A DROP rule against the offending IP address in the PSAD_BLOCK_INPUT chain, which the built-in INPUT chain jumps to, so that packets from the attacker that are destined for the local system never reach a local socket.

• A DROP rule against the offending IP address in the PSAD_BLOCK_OUTPUT chain, so that packets originating from the local system never make it back to the attacker.

• Two DROP rules against the offending IP address in the PSAD_BLOCK_FORWARD chain that restrict packets originating from or destined for the offending IP address.2 This way, if the iptables firewall protects a system on an internal network, no attacker is able to connect with that system.

For reference, the default IPT_AUTO_CHAIN{n} variables in the /etc/psad/psad.conf file appear below:

IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
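To make the seven-field format concrete, the following added example (not psad's own code) parses IPT_AUTO_CHAIN{n} directives and renders the iptables commands they describe for one offending address. The sample configuration is the three default directives quoted above, the address 192.168.1.100 is constructed, and the exact command rendering is this example's own illustration of what the fields specify rather than psad's internal implementation.

```python
# Added example, not psad's own code: parse IPT_AUTO_CHAIN{n} directives and
# render the iptables commands they describe. Field order follows the page:
# target, direction (src/dst/both), table, built-in chain, jump-rule position,
# custom psad chain, block-rule position within that chain.
import re

DIRECTIVE_RE = re.compile(r"^\s*IPT_AUTO_CHAIN(\d+)\s+(.*?);\s*$")

# Constructed sample: the three default directives from /etc/psad/psad.conf.
SAMPLE_CONF = """
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
"""


def parse_auto_chains(conf_text):
    """Return one dict per IPT_AUTO_CHAIN{n} directive, in numeric order."""
    chains = []
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        fields = [f.strip() for f in m.group(2).split(",")]
        if len(fields) != 7:
            raise ValueError("expected 7 fields: %r" % line)
        target, direction, table, chain, jpos, pchain, bpos = fields
        if direction not in ("src", "dst", "both"):
            raise ValueError("bad direction %r in %r" % (direction, line))
        chains.append({"n": int(m.group(1)), "target": target,
                       "direction": direction, "table": table, "chain": chain,
                       "jump_pos": int(jpos), "psad_chain": pchain,
                       "block_pos": int(bpos)})
    return sorted(chains, key=lambda c: c["n"])


def block_commands(chains, ip):
    """Render the iptables commands that realize the directives for one address."""
    cmds = []
    for c in chains:
        # Custom chain plus the jump rule from the built-in chain (set up once).
        cmds.append("iptables -t %s -N %s" % (c["table"], c["psad_chain"]))
        cmds.append("iptables -t %s -I %s %d -j %s"
                    % (c["table"], c["chain"], c["jump_pos"], c["psad_chain"]))
        # "both" yields two block rules: one matching the source, one the destination.
        flags = {"src": ["-s"], "dst": ["-d"], "both": ["-s", "-d"]}[c["direction"]]
        for flag in flags:
            cmds.append("iptables -t %s -I %s %d %s %s -j %s"
                        % (c["table"], c["psad_chain"], c["block_pos"], flag, ip, c["target"]))
    return cmds
```

With the defaults, the "both" direction on the FORWARD directive is what brings the total to the four DROP rules described above.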
