Linux Firewalls

RealAudio, RealVideo, and QuickTime (TCP Ports 554 and 7070)

RealAudio, RealVideo, and QuickTime use the same ports. The control connection to the server is built on top of the Real-Time Streaming Protocol (RTSP). See RFC 2326, Real Time Streaming Protocol (RTSP), for more information on the protocol. The incoming data stream is built on top of the Real-Time Transport Protocol (RTP). See RFC 3550, RTP: A Transport Protocol for Real-Time Applications, for more information on RTP...

Creating an AIDE Configuration File

After AIDE has been installed, the first thing you'll want to do is create a configuration file. Unlike most other software in Linux, AIDE doesn't include a default configuration file from which you can build a customized version. There is a sample configuration file in the <AIDE-source>/doc directory, but it explicitly states that you shouldn't use it as a system-wide configuration file. Therefore, you'll have to build one of your own. Don't worry, I'm here to help. The AIDE configuration...

Addrtype filter Table Match Extension

The addrtype match extension is used to match packets based on the type of address used, such as unicast, broadcast, and multicast. The types of addresses include those listed in Table 3.20. Table 3.20. Address Types Used with the addrtype Match. Two commands are used with the addrtype match, as listed in Table 3.21. Table 3.21. addrtype Match Commands. Sometimes defining a...

Monitoring with ARPWatch

ARPWatch is a daemon that watches for new Ethernet interfaces on a network. If a new ARP entry is seen, it could be indicative of a rogue computer somewhere within the network. ARPWatch uses the PCap library, which may not (yet) be on your system. If it's not, you'll find out during the configuration process for ARPWatch. The PCap library, commonly known as libpcap, can be downloaded from http://www.tcpdump.org. The PCap library is used for other network and security-related programs such as...

Differences Between IPFW and Netfilter Firewall Mechanisms

Because iptables is so different from the previous ipchains, this book won't attempt to cover the older implementation. The next section is written for the reader who is familiar with or is currently using ipchains. If iptables is your first introduction to Linux firewalling, you can skip ahead to the section Netfilter Packet Traversal. If you are converting from ipchains, you'll notice several minor differences in the iptables syntax, most notably that the input and output network interfaces...

Building and Installing a Standalone Firewall

Chapter 2, Packet-Filtering Concepts, covered the background ideas and concepts behind a packet-filtering firewall. Each firewall rule chain has its own default policy. Each rule not only applies to an individual input or output chain, but also can apply to a specific network interface, message protocol type (such as TCP, UDP, or ICMP), and service port number. Individual acceptance, denial, and rejection rules are defined for the input chain and the output chain, as well as for the FORWARD...

Syslog Configuration

Not all log messages are equally important, or even interesting. This is where /etc/syslog.conf comes in. The configuration file /etc/syslog.conf enables you to tailor the log output to meet your own needs. Messages are categorized by the subsystem that produces them. In the man pages, these categories are called facilities (see Table 8.1). Table 8.1. syslog Log Facility Categories. Within any given facility category, log messages are divided into priority...

Host Forwarding to a Server Farm

DNAT can accept a range of destination addresses to translate to, and it selects one of the addresses when the exchange is initiated. As an example of multiple destination addresses, let's say that this site has a handful of public addresses. A web server is advertised as running on one of these addresses. Five duplicate web servers are running in the DMZ, each assigned a different private IP address ranging from 192.168.1.1 to 192.168.1.5. Remote clients address the web server at the single...

Compiling Your First Kernel

Before you apply the Grsec patch, it will be helpful for you to get a working customized version of the kernel going on the computer. After the new kernel is up and running, I'll show how to apply the patch. This section examines how to compile a kernel from the vanilla source. A good place to start when considering how to approach your first kernel compile is the Kernel-HOWTO or the Kernel Rebuild Guide. The Kernel-HOWTO is located at the Kernel Rebuild Guide is currently located at These...

Cleaning Up the AIDE Database

Over time, you'll notice that AIDE check reports become longer and longer. This is usually the result of normal activity on the server, such as adding and deleting users, updating software, and changing settings in configuration files. You should regularly update the AIDE database not only to shorten reports but also to better track when unexpected changes occur. If you don't regularly update the AIDE database, you might miss a change that resulted from an attack. You may be asking, How often...

Packet Filtering Firewall

Halo Firewall

At its most basic level, a packet-filtering firewall consists of a list of acceptance and denial rules. These rules explicitly define which packets will and will not be allowed through the network interface. The firewall rules use the packet header fields described in Chapter 1 to decide whether to forward a packet to its destination, to silently throw away the packet, or to block the packet and return an error condition to the sending machine. These rules can be based on a wide array of...

Packet Filtering Concepts

What is a firewall? Over the years, the term has changed in meaning. According to RFC 2647, Benchmarking Terminology for Firewall Performance, a firewall is a device or group of devices that enforces an access control policy between networks. This definition is very broad, purposefully so in fact. A firewall can encompass many layers of the OSI model and may refer to a device that does packet filtering, performs packet inspection and filtering, implements a policy on an application at a higher...

Capturing an SMTP Conversation

Capturing an SMTP conversation is not unlike capturing an HTTP session. Begin with the basic TCPDump options that you'd like to use and then build an expression to grab the appropriate type of data, including protocol, port, and source or destination hosts. For example, here's a simple capture of port 25 traffic along with my normal TCPDump choice of options. The TCP three-way handshake is again present, as you might expect: 20:40:08.638690 murphy.debian.org.45772 > test.example.com.smtp S tcp...

Connectionless Versus Connection-Oriented Protocols

At some layers of the OSI model, protocols can be defined in terms of one of their properties, connectionless or connection-oriented. This definition refers to the methods that the protocol contains for providing such things as error control, flow control, data segmentation, and data reassembly. Think of connection-oriented protocols in terms of a telephone call. Generally there is an acceptable protocol for making a phone call and having a conversation. The person making the call, the...

Checking for Open Ports

Listing your firewall rules with iptables -L is the main tool available for checking for open ports. Open ports are defined to be open by your accept rules. Beyond the iptables -L command, other tools such as netstat are helpful for finding out what ports are listening on the firewall. netstat has several uses. In the next section, we'll use it to check for active ports so that we can double-check that the TCP and UDP ports in use are the ports that the firewall rules are accounting for. Just...

Mangle Table Features

The mangle table allows marking, or associating a Netfilter-maintained value, with the packet, as well as making changes to the packet before sending the packet on to its destination. The mangle table has five built-in chains. The PREROUTING chain specifies changes to incoming packets as they arrive at an interface, before any routing or local delivery decision has been made. The INPUT chain specifies changes to packets as they are processed, but after the PREROUTING chain is traversed. The...

The Limitations of a Standalone Firewall

The single-system firewall presented in Chapter 4, Building and Installing a Standalone Firewall, is a basic bastion firewall, using only the input and output chains. When the firewall is a packet-filtering router that has a network interface connected to the Internet and another connected to your LAN (referred to as a dual-homed system), the firewall applies rules to decide whether to forward or block packets crossing between the two interfaces. In this case, the packet-filtering firewall is a...

Firewall Log Messages: What Do They Mean?

To generate firewall logs, the kernel must be compiled with firewall logging enabled. By default, individually matched packets are logged as kern.warn (priority 4) messages. The log priority can be changed with the --log-level option to -j LOG. Most of the IP packet header fields are reported when a packet matches a rule with the LOG target. Firewall log messages are written to /var/log/messages by default. You could duplicate the firewall log messages to a different file by creating a new log...

Choke SSH Configuration

The first rule allows local connections from the choke machine to sshd servers running in the DMZ, including the gateway firewall host: $IPT -A OUTPUT -o $DMZ_INTERFACE -p tcp -s $DMZ_IPADDR --sport $UNPRIVPORTS -d $DMZ_ADDRESSES --dport 22 -m state --state NEW -j ACCEPT. The next rule forwards connections from LAN clients to any remote server: $IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp -s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 22 -m state --state NEW -j ACCEPT. The last rule forwards...

Public Web Server in the DMZ: The Choke, LAN, and Remote Hosts as Clients

In this example, the site hosts a public web server in the DMZ. The gateway is a bidirectional conduit, allowing public access to the local server, as well as continuing to allow local access to remote sites using the rules presented in the preceding section. These rules apply to the gateway and would require a predefined constant of DMZ_WEB_SERVER: $IPT -A FORWARD -i $EXTERNAL_INTERFACE -o $DMZ_INTERFACE -p tcp --sport $UNPRIVPORTS -d $DMZ_WEB_SERVER --dport 80 -m state --state NEW -j ACCEPT. This...

Web Proxy in the DMZ: The Gateway as a Conduit, Choke and LAN as Clients

Although it's possible to offer public web service from an internal LAN server, it isn't usually done because of the greater potential for security breaches with misconfigured servers and CGI scripts, and the tendency to isolate private information from public information. That is, sites that host both a private, internal website and a public website usually run multiple web servers on different machines in different LANs. A more common scenario would be to host the public website from a host...

The Conceptual Background of NAT

NAT was first presented in 1994 in RFC 1631, which was later replaced by RFC 3022. NAT was proposed as a possible short-term, temporary solution (to be used until IPv6 was deployed) to the growing shortage of public IP addresses. NAT also was seen as a possible solution to the growing demands on routers that handled noncontiguous address blocks. It was thought that NAT might possibly reduce or eliminate the need for CIDR, which, in turn, was prompting address reallocations and changes to router...

Filter Table Listing Formats

The basic format of the filter table list command to list all rules on all filter table chains is this: iptables -vn -L INPUT, iptables -vn -L OUTPUT, and iptables -vn -L FORWARD. Notice that the preceding list commands show only the rules in the filter table chains. The next three sections use seven sample rules on the INPUT chain to illustrate the differences among the various listing format options available to you with the filter table and to explain what the output fields mean. Using the different...

Iptables NAT Semantics

iptables provides full NAT functionality, including both source (SNAT) and destination (DNAT) address mapping. The term full NAT isn't a formal term; I'm referring to the capability to perform both source and destination NAT, to specify one or a range of translation addresses, to perform port translation, and to perform port remapping. iptables supports the three general types of NAT (traditional NAT, bidirectional NAT, and twice NAT), as defined in RFC 2663. A partial implementation of NAPT, known...

Incoming TCP Connection State Filtering

Incoming TCP packet acceptance rules can make use of the connection state flags associated with TCP connections. All TCP connections adhere to the same set of connection states. These states differ between client and server because of the three-way handshake during connection establishment. As such, the firewall can distinguish between incoming traffic from remote clients and incoming traffic from remote servers. Incoming TCP packets from remote clients will have the SYN flag set in the first...

Common Service Port Targets

Common targets often are individually probed as well as scanned. The attacker might be looking for a specific vulnerability, such as an insecure mail server, an unpatched web server, or an open RPC portmap daemon. A more extensive list of ports can be found at Only a few common ports are mentioned here, to give you the idea. Incoming packets from reserved port 0 are always bogus. This port isn't used legitimately. Probes of TCP ports 0 to 5 are a signature of the sscan program. telnet (23/t...

IP Addresses Expressed as Symbolic Names

Remote hosts and networks may be specified as fully qualified hostnames or network names. Using a hostname is especially convenient for firewall rules that apply to an individual remote host. This is particularly true for hosts whose IP address can change or that invisibly represent multiple IP addresses, such as ISP mail servers sometimes do. In general, however, remote addresses are better expressed in dotted quad notation because of the possibility of DNS hostname spoofing. Symbolic...

Initializing the Firewall

A firewall is implemented as a series of packet-filtering rules defined by options on the iptables command line. iptables is executed once for each individual rule. (Different firewalls can range from a dozen rules to hundreds.) The iptables invocations should be made from an executable shell script, not directly from the command line. You should invoke the complete firewall shell script. Do not attempt to invoke specific iptables rules from the command line because this could cause your...

Dividing Address Space to Create Multiple Networks

IP addresses are divided into two pieces: a network address and a host address within that network. As stated in Chapter 1, Preliminary Concepts Underlying Packet-Filtering Firewalls, Class A, B, and C addresses are something of an artifact, but they remain the easiest addresses to use as examples because their network and host fields fall on byte boundaries. Class A, B, and C network addresses are defined by their first 8, 16, and 24 bits, respectively. Within each address class, the remaining...

Source Address Spoofing and Other Bad Addresses

This section establishes some filters based on source and destination addresses. These addresses will never be seen in a legitimate packet. At the packet-filtering level, one of the few cases of source-address spoofing that you can identify as a forgery with certainty is your own IP address. These rules deny incoming packets claiming to be from you. # Refuse spoofed packets pretending to be from you: $IPT -A INPUT -s $DMZ_IPADDR -j DROP; $IPT -A INPUT -s $LAN_IPADDR -j DROP; $IPT -A FORWARD -s $DMZ_IPADDR...

Enabling Kernel Monitoring Support

Operating system support for various types of packet checking often overlaps with what the firewall can test for. When in doubt, aim for redundancy or defense in depth. From the commands shown in the following lines, icmp_echo_ignore_broadcasts instructs the kernel to drop ICMP echo-request messages directed to broadcast or multicast addresses. (Another facility, icmp_echo_ignore_all, drops any incoming echo-request message. It should be noted that ISPs often rely on ping to help diagnose local...

Firewall Initialization

The firewall script starts out identically to the example in Chapter 4. Recall that a number of shell variables were set, including one called IPT to define the location of the iptables firewall administration command. A number of kernel parameters were also set; refer to Chapter 4 for an explanation of these parameters. Enable broadcast echo protection (echo 1 ...). Disable source-routed packets. Enable TCP SYN cookie protection (echo 1 > /proc/sys/net/ipv4/tcp_syncookies). Disable ICMP redirect acceptance...

Iptables Firewall for a Standalone System from Chapter

Chapter 4 covers the application protocols and firewall rules for the types of services most likely to be used on an individual, standalone Linux box. Additionally, both client and server rules are presented for services that not everyone will use. The complete iptables firewall script, as it would appear in /etc/rc.d/rc.firewall or /etc/init.d/firewall, follows: #!/bin/sh CONNECTION_TRACKING=1 ACCEPT_AUTH=0 SSH_SERVER=0 FTP_SERVER=0 WEB_SERVER=0 SSL_SERVER=0 DHCP_CLIENT=1 IPT=/sbin/iptables INTERNET...

Optimized iptables Firewall from Chapter

For most systems on DSL, cable modem, and lower-speed leased line connections, the chances are good that the Linux network code can handle packets faster than the network connection can. Particularly because firewall rules are order-dependent and difficult to construct, organizing the rules for readability is probably a bigger win than organizing for speed. In addition to general rule ordering, iptables supports user-defined rule lists, or chains, that you can use to optimize your firewall...

Checking a Process Bound to a Particular Port with fuser

The fuser command identifies which processes are using a particular file, filesystem, or network port. netstat -a -A inet will report a port number rather than a service name if the port doesn't have an entry in /etc/services. fuser can be useful to determine which program is bound to that port. The general fuser command format to identify which program is bound to a given port is as follows: fuser -n tcp|udp -v <port number>,<remote address>,<remote port>. For example: 515/tcp root 718 f lpd...

Accessing Your ISP's DHCP Server: UDP Ports 67

DHCP exchanges, if any, between your site and your ISP's server will necessarily be local client-to-remote server exchanges. Most often, DHCP clients receive temporary, or semipermanent, dynamically allocated IP addresses from a central server that manages the ISP's customer IP address space. The server also typically provides your local host with other configuration information, such as the network subnet mask, the network MTU, the default (first-hop) router addresses, the domain name, and the...

Broadcasting and Multicasting

When a device wants to send data to other devices on the same network segment, it can send the data to a special address known as a broadcast address to accomplish this task. On the other hand, a multicast is sent to the devices that belong to the multicast group, sometimes called subscribers. Imagine a large, flat network in which every computer and device is connected to the others. In such an environment every network device sees every other network device's traffic. In this type of network,...

Filtering ICMP Control and Status Messages

ICMP control messages are generated in response to a number of error conditions, and they are produced by network analysis programs such as ping and traceroute. iptables supports the use of either the ICMP numeric message type or the alphabetic symbolic name. iptables also supports use of the message subtypes, or codes. This is especially useful for finer filtering control over type 3 Destination Unreachable messages. For example, you could specifically disallow outgoing Port Unreachable...

ICMP Traffic

Finally, the last pair of rules match on incoming and outgoing ICMP traffic: $IPT -A EXT-input -p icmp -j EXT-icmp-in and $IPT -A EXT-output -p icmp -j EXT-icmp-out. These two user-defined chains, EXT-icmp-in and EXT-icmp-out, perform the final determination on ICMP packets exchanged between the local host and remote machines. The EXT-icmp-in chain selects the incoming ICMP packets based on the message type. The EXT-icmp-out chain selects the outgoing ICMP packets based on the message type. Log and drop...

The Value of TOS Bits

The TOS bits are of historical interest only. Linux does support their use locally, and various Linux firewall documents refer to the bits and their uses. Nevertheless, the fact remains that the TOS bits are not used or examined generally. The TOS field has been redefined as the Differentiated Services (DS) field for use by the Differentiated Services Control Protocol (DSCP). For more information on Differentiated Services, see these sources: RFC 2474, Definition of the Differentiated Services...

Rejecting AUTH Requests

The following rule blocks AUTH requests at the gateway by using REJECT rather than DROP so that the requests get a TCP RST right away rather than being blocked silently: $IPT -A INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 113 -j REJECT. Email (TCP SMTP Port 25, POP3 Port 110, IMAP Port 143). Mail is typically handled by a central SMTP server. As a workable example, this section is based on the assumption that a machine in the DMZ is the local mail gateway and mail host. Local clients will retrieve...

Configuration Options for a Trusted Home LAN

You must consider two kinds of internal network traffic. The first kind is local access to the gateway firewall, through the internal interface, as shown in Figure 6.4. The second is local access to the Internet, through the gateway machine's external interface. Figure 6.4. LAN traffic to the firewall machine and to the Internet. Presumably, most small systems have no reason to filter packets between the firewall and the local...

Configuration Options for Multiple LANs

Adding a second internal LAN allows this example to be developed further. The next example can be better secured than the preceding example. As shown in Figure 6.5, the DNS, SMTP, POP, and HTTP services are offered from server machines in a second LAN rather than from the firewall machine. The second LAN may or may not serve as a public DMZ. It's equally possible that the second LAN represents an internal service LAN, and its services are not offered to the Internet (although, in that case, the...

Symbolic Constants Used in the Firewall Examples

As with the firewall example in Chapter 4, the gateway's external interface is assigned to eth0, leading to the Internet. Just for the sake of confusion, I'm going to divide the address space. As shown in Table 6.4, the gateway's public interface remains with IP address 192.168.1.1. Table 6.4. Class C Network 192.168.1.0 Subnetted into Four Subnets. 129 unused...

Mangle Table Listing Formats

The basic format of the mangle table list command to list all rules on the mangle table chains is as follows: iptables -t mangle -vn -L PREROUTING and iptables -t mangle -vn -L OUTPUT. Notice that the preceding list commands show only the rules in the mangle table chains. What follows are two sample mangle table rules, a mark rule on the PREROUTING chain and a TOS rule on the OUTPUT chain. In the interest of brevity, only the -v...

Using Chkrootkit Securely

It's a good idea to use known-good sets of system binaries when using a tool such as Chkrootkit. Many rootkits replace vital system binaries such as /bin/ps with versions of their own. Therefore, if you try to use ps to find unknown processes, you may not be able to see them because the trojaned version of ps hides them. Chkrootkit gives two methods for working around this problem. The first method involves using a known-good set of binaries, probably mounted from a CD-ROM. The second method...

Using Swatch to Monitor SSH Login Failures

In 2004 and 2005, a number of brute-force login attempts were noted against servers running SSH. These usually didn't result in much of anything except annoyance. However, it's generally useful to monitor log files for these and other attempts to brute-force attack a server. Swatch can be configured to send an email (or do any number of other actions) when such an attempt is logged. This section shows how to send an email alert when an authentication failure is logged. The system logs a line...

TCPDump Options

TCPDump accepts a wide range of command-line options that alter its behavior, the amount of data captured, and the way in which the data is captured. Such a wide range of options means that you have the power to significantly change how the program operates. For TCPDump, you'll find that you frequently use a common set of options for most data capture activities, and you may not use others at all. Some of the more commonly used options include those listed in Table 11.1. Table 11.1. Some Common...

Capturing Other TCP-Based Protocols

Capturing other TCP-based protocols follows much the same process as that in the examples shown. For example, capturing POP3 connections can be accomplished and the entire stream can be captured because POP3, like SMTP, is not encrypted during transit. One protocol is of particular interest because it has confounded network administrators for a long time. That protocol is FTP. FTP utilizes two TCP ports, 20 and 21. Port 21 is normally used for commands and is sometimes referred to as the...

Obtaining and Installing TCPDump

TCPDump can be downloaded from http://www.tcpdump.org. TCPDump requires the PCap library (libpcap), so while you're downloading TCPDump, you should download libpcap as well. Most popular Linux distributions such as SUSE also include TCPDump as an available package. For example, if you're using Debian you can simply type this. The package maintenance system will install TCPDump and any prerequisites too. For everyone else, you can probably search your distribution's repository for a package or just...

Email: TCP SMTP Port 25, POP Port 110, IMAP Port 143

Email is a service that almost everyone wants. How mail is set up depends on your ISP, your connection type, and your own choices. Email is sent across the network using the SMTP protocol assigned to TCP service port 25. Email is commonly received locally through one of three different protocols (SMTP, POP, or IMAP), depending on the services your ISP provides and on your local configuration. SMTP is the general mail protocol. Mail is delivered to the destination host machine, as defined most...

Using Swatch to Monitor for Snort Alerts

With its default configuration, Snort logs to /var/log/snort/alert. Therefore, creating a Swatch configuration to monitor this file is quite easy. Again, it would be easy to overwhelm yourself or the system with alerts and emails from Swatch, so you should use caution when configuring any actions based on Snort alerts until you've had a chance to configure Snort further. Recall that Snort logs some prioritization data within /var/log/snort/alert. Therefore, you could set up a Swatch rule to watch...

Applying the Grsec Patch

Because you've already downloaded the patch in a previous step, now it's time to patch the kernel source. The problem is that you have an already-compiled version of the kernel in /usr/src/linux. That version has a known-good configuration file, but there are other files that will interfere with the patching process. Therefore, you'll need to clean up that area before patching the kernel with Grsec. Usually the configuration file is copied to the /boot directory. However, at this point there's no...

Automated Intrusion Monitoring with Snort

Snort is an excellent intrusion detection software package combining best-in-class technology with open-source configurability. Snort actually has a few different modes of operation, including a sniffer mode, a packet logger mode, an intrusion detection mode, and what is called inline mode. It is the intrusion detection mode that is of interest in this section. However, inline mode is also notable because it provides a way to configure Snort and iptables to work together to dynamically accept...

Avoiding Paranoia: Responding to Port Scans

Firewall logs normally show all kinds of failed connection attempts. Probes are the most common thing you'll see reported in your logs. ... compromised? No, it isn't. Well, not necessarily. The ports are blocked. The firewall is doing its job. These are failed connection attempts that the firewall denied. At what point do you personally decide to report a probe? At what point is it important enough to take the time to report it? At what...

Obtaining More Verbose Output

AIDE reports can be configured with additional verbosity. Adding verbosity to AIDE is valuable when you're troubleshooting rule matching. For example, when you set the verbose configuration option, you'll be able to see how AIDE builds the list of files to check. If you're seeing unexpected results or if files are being included or excluded for mysterious reasons, adding this option to the configuration or adding it as a command-line option will help. The configuration option to add verbosity...

What If Chkrootkit Says the Computer Is Infected

If Chkrootkit says your computer is infected, the first thing you should do is tell yourself to remain calm. Although you should not assume so, there is a chance that Chkrootkit is reporting a false positive. If Chkrootkit reports an infection, you should immediately take steps to mitigate any further damage. The preceding chapter of the book looked at incident response. Therefore, it would be redundant to cover that same material in this chapter. However, as with all tools of this nature,...

Normal Scan Nmap

Sometimes an attacker will scan your subnet or individual IP address for open ports. This scan can be anything from an innocent attempt to look for a service to reconnaissance for an attack. Many times, these scans are completely automated, with an attacker setting up one or more robots (bots) to automatically scan for vulnerable versions of software to exploit. This simulation was created with the nmap program with the following command line. The TCPDump capture of the port scan is shown in the...

Allowing Remote Access to a Local SSL or TLS Web Server

If you conduct some form of e-commerce or have a user-authenticated web area, you'll most likely want to allow incoming connections to encryption-protected areas of your website. Otherwise, you won't need local server rules. Both the OpenSSL included with Linux and commercial SSL support packages are available for the Apache web server. See http://www.apache.org for more information. The next two rules allow incoming access to your web server using the SSL or TLS protocols if CONNECTION_TRACKING...

The Types of AIDE Checks

You may be wondering about the different types of checks AIDE can perform. The checks are described again in Table 12.2. It's probably helpful to break down the types of AIDE checks into categories. There are three basic categories of AIDE checks: what I will term standard checks, grouped checks, and checksums. The standard type of AIDE check looks for information that can be gathered from the file or the file's descriptor. These checks are listed in Table 12.3. These standard checks all utilize...

Detecting Intrusions

How do you know when you've been attacked successfully? That question has been posed by administrators and intrusion analysts for a long time. The methods used for detecting successful attacks used to be more art than science. Luckily, various tools are now available to make intrusion detection much more science than art. With that said, the primary tool for intrusion detection still remains a human who can gather data from a number of sources and make an intelligent, educated decision about the...

Attacks Through the Eyes of TCPDump

You've seen what normal TCP and UDP packet traces look like through TCPDump, but how will you know whether someone or something is acting abnormally? Unfortunately, finding nefarious activity is not that easy. Buried in normal packet traces may be signs that someone is attempting an attack on your server. An attacker will obviously attempt to disguise his activity, making detection even more difficult. Not only do you have to wade through all the normal traffic within a packet trace, but you...

Recording Traffic with TCPDump

While consulting for a small Internet provider, I noticed that there was a routine and significant spike in network traffic at about 3 a.m. every morning and lasting anywhere from 15 minutes to an hour. My goal was to determine the cause of this traffic spike. Because the traffic was routine and at an odd hour, my initial thought was that the traffic was the result of an automatic update process for the servers on the network. Most of the servers in the network were running Debian Linux and...

Xmas Tree and TCP Header Flags

The Xmas Tree attack is so named because all the flag bits are set within the TCP header. The idea is to cause the recipient host to respond, thus causing a DoS. Recall the TCP flag bits SYN, RST, ACK, URG, and others from ... when they do, it's an indication of a crafted packet. Xmas Tree attacks are quite uncommon. However, it's important to consider the TCP flags when examining packets. Setting these flags with invalid...

TCPDump's Type Qualifier

Just as TCPDump has three kinds of qualifiers, the type qualifier itself contains three variations: host, port, and net. The host qualifier is used to specify the host or destination of interesting traffic. The port type qualifier is, not surprisingly, used to specify the port on which to capture packets. The net type is used to specify the subnet for interesting traffic. You could use the net qualifier in an expression to listen for traffic on an entire range of addresses. Of course, there are...

TCPDump: A Simple Overview

Recall what you've read in earlier chapters. You learned about IP addressing, subnetting, and the headers of some of those core protocols. In this chapter the TCPDump tool will be examined and you will see some of those protocols up close and personal. Armed with an understanding of how to monitor your network at this level, you can be confident that you'll be able to troubleshoot a wide range of problems, not just those related to computer security. An important tool in the intrusion analyst's...

Three Valuable Tools

An ever-growing number of tools and software exist to monitor network traffic. Some of these tools are free (as in price and speech) and some cost quite a bit of money. I've used both the expensive tools and the free ones, and I'm confident in saying that the free ones are better. The expensive tools are weak on functionality but strong on the pretty. The interfaces for many of the products provide a nice look and feel (though many of them seem to be somewhat unstable). In general, the...

Limitations of Chkrootkit and Similar Tools

Chkrootkit is a powerful and incredibly helpful tool but it is not without limitations. These limitations aren't really specific to Chkrootkit but rather are a limitation of any tool that attempts to perform complex checks such as this. One such limitation, false positives, has already been discussed. Another limitation of Chkrootkit and other tools like it is that they rely, by default, on programs included with the Linux computer itself, programs that may have been compromised or altered to...

Running Chkrootkit

Before you can run Chkrootkit, you need to get it. Chkrootkit can be downloaded from http://www.chkrootkit.org. After it's downloaded, Chkrootkit needs to be unarchived and compiled:

tar -zxvf chkrootkit.tar.gz
cd chkrootkit-<NNNN>
make sense

Yes, that does say make sense in the code example. Although Chkrootkit is a shell script, there is some additional functionality gained by compiling the code. Compiling is not required, but because it's quick and adds some additional levels of checking,...

Switches and Hubs and Why You Care

On a switched network, any given network interface receives only traffic destined for it, as well as broadcast traffic. In a hub network environment the network interface receives all traffic, whether that traffic is destined for it or for another device. This is why switched networks are faster than hubbed networks: the unnecessary traffic isn't sent to all ports of the switch. There are situations in which a network interface might receive all traffic or a greater subset than merely its own...

Checking the Forwarding Rules

The forwarding rules apply to packets passing or being routed through the machine. Forwarded packets are inspected only by the rules defined for the FORWARD chain. These packets are not inspected against rules on the INPUT or OUTPUT chains. If the packet's destination address is something other than the address of the interface on which the packet arrived, the packet is inspected by the FORWARD chain. If the packet matches a FORWARD acceptance rule, the packet is sent out the appropriate...

Checking the Output Rules

Your output rules are mostly ACCEPT rules when the default policy is DROP. Everything is blocked, by default. You explicitly define what will be accepted. The following example contains a representative sample of output acceptance rules: Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target destination 34 3558 ACCEPT anywhere 92 12721 ACCEPT anywhere 1 82 ACCEPT state RELATED,ESTABLISHED udp -- any eth1 choke.dmz.lan nameserver.dmz.lan udp spt:domain dpt:domain state NEW 0 0 ACCEPT...

Local Port Redirection: Transparent Proxying

Local port redirection, the REDIRECT target in iptables, is a special case of destination NAT. The packet is redirected to the local host, regardless of the packet's destination address. Incoming packets to be forwarded are redirected from the nat table's PREROUTING chain to the filter table's INPUT chain. The incoming interface is the interface that the packet arrived on. Outgoing packets from the local host are redirected from the nat table's OUTPUT chain to the filter table's INPUT chain....

LAN Access to Other LANs: Forwarding Local Traffic Among Multiple LANs

If the machines on your LAN, or on multiple LANs, require routing among themselves, you need to allow access among the machines for the service ports that they require, unless they have alternate internal connection paths. In the former case, any local routing done between LANs would be done by the firewall. The assumption in this section is that there is a gateway firewall with two network interfaces, a DMZ server network, an internal choke firewall with two network interfaces, and the LAN...

Logging Dropped Incoming Packets

Any packet matching a rule can be logged by using the -j LOG target. Logging a packet has no effect on the packet's disposition, however. The packet must match an accept or drop rule. Some of the rules presented previously had logging enabled, before matching the packet a second time to drop it. Some of the IP address spoofing rules are examples. Rules can be defined for the explicit purpose of logging certain kinds of packets. Most typically, packets of interest are suspicious packets...

Clarification on the Meaning of IP Address 0.0.0.0

Address 0.0.0.0 is reserved for use as a broadcast source address. The Netfilter convention of specifying a match on any address, any/0, 0.0.0.0/0, or 0.0.0.0/0.0.0.0, doesn't match the broadcast source address. The reason is that a broadcast packet has a bit set in the Layer 2 frame header indicating that it's a broadcast packet destined for all interfaces on the network, rather than a point-to-point, unicast packet destined for a particular destination. Broadcast packets are handled...

Stealth Scans and TCP State Flags

Testing for common forms of TCP stealth scans is possible because iptables gives access to all the TCP state flags. The following rules block common stealth scan probes. None of the TCP state combinations tested for are legal combinations. In addition, the unclean match is used first in order to match packets with bad headers and other problems. This module has been experimental for a while, so use with caution. Should you see an error when attempting to load this module, it may not be...

SNAT nat Table Target Extension

Source Address and Port Translation (NAPT) is the kind of NAT people are most commonly familiar with. As shown in Figure 3.5, Source Address Translation is done after the routing decision is made. SNAT is a legal target only in the POSTROUTING chain. Because SNAT is applied immediately before the packet is sent out, only an outgoing interface can be specified. Some documents refer to this form of source NAT (the most common form) as NAPT, to acknowledge the port number modification. The other...

Table 3.14. dstlimit Match Extension

--dstlimit <average>  Maximum average match rate in packets
--dstlimit-mode <mode>  Defines the limit to be per IP (dstip), per IP and port tuple (dstip-dstport), per source IP and destination IP tuple, and per source IP and destination IP and destination port tuple
Specifies the name for the file to be placed in proc...

Filter Table Operations on Entire Chains

Table 3.2 shows the iptables operations on entire chains.

Table 3.2. iptables Operations on Entire Chains

Flushes the chain, or all chains if none is specified.
Deletes the user-defined chain, or all chains if none is specified.
Defines the default policy for one of the built-in chains, INPUT, OUTPUT, or FORWARD. The policy is either ACCEPT or DROP.
Lists the rules in the chain, or all chains if none is specified.
Resets the packet and byte...

Basic iptables Syntax

Firewalls built with Netfilter are built through the iptables firewall administration command. The iptables command implements the firewall policies that you create and manages the behavior of the firewall. Netfilter firewalls have three individual tables: filter, nat, and mangle. Within these tables, firewalls are built through chains, with each individual link in the chain being an individual iptables command. Within the default filter table there is a chain for input or data coming into the...

Source Address Spoofing and Illegal Addresses

There are 10 major classes of source addresses you should deny on your external interface in all cases. These are incoming packets claiming to be from the following: Your IP address. You will never see legal incoming packets claiming to be from your machine. Because the source address is the only information available and it can be modified, this is one of the forms of legitimate address spoofing you can detect at the packet-filtering level. Incoming packets claiming to be from your machine are...

Special IP Addresses

There are three major special cases of IP addresses: Network address 0. As noted under Class A addresses, network address 0 is not used as part of a routable address. When used as a source address, its only legal use is during initialization when a host is attempting to have its IP address dynamically assigned by a server. When used as a destination, only address 0.0.0.0 has meaning, and then only to the local machine as referring to itself, or as a convention to refer to a default route....

The OSI Networking Model

The OSI (Open System Interconnection) model represents a network framework based on layers. Each layer in the OSI model provides distinct functionality in relation to the other layers. The OSI model contains seven layers, as shown in Figure 1.1. Figure 1.1. The seven layers of the OSI model. The layers are sometimes referred to by number, with the lowest layer (Physical) being layer 1 and the highest layer (Application) being layer 7. If you hear someone refer to a Layer 3 switch, he is...