Table 3.14 dstlimit Match Extension

--dstlimit <average>     Maximum average match rate in packets
--dstlimit-mode <mode>   Defines the limit to be per IP (dstip), per IP and port tuple (dstip-dstport), per source IP and destination IP tuple, or per source IP and destination IP and destination port tuple
                         Specifies the name for the file to be placed in /proc...

TCPDump Options

TCPDump accepts a wide range of command-line options that alter its behavior, the amount of data captured, and the way in which the data is captured. Such a wide range of options means that you have the power to significantly change how the program operates. For TCPDump, you'll find that you frequently use a common set of options for most data capture activities, and you may not use others at all. Some of the more commonly used options include those listed in Table 11.1. Table 11.1. Some Common...

The Conceptual Background of NAT

NAT was first presented in 1994 in RFC 1631, which was later replaced by RFC 3022. NAT was proposed as a possible short-term, temporary solution (to be used until IPv6 was deployed) to the growing shortage of public IP addresses. NAT also was seen as a possible solution to the growing demands on routers that handled noncontiguous address blocks. It was thought that NAT might possibly reduce or eliminate the need for CIDR, which, in turn, was prompting address reallocations and changes to router...

Symbolic Constants Used in the Firewall Examples

As with the firewall example in Chapter 4, the gateway's external interface is assigned to eth0, leading to the Internet. Just for the sake of confusion, I'm going to divide the address space. As shown in Table 6.4, the gateway's public interface remains with IP address 192.168.1.1. Table 6.4. Class C Network 192.168.1.0 Subnetted into Four Subnets 129 unused...

Capturing an SMTP Conversation

Capturing an SMTP conversation is not unlike capturing an HTTP session. Begin with the basic TCPDump options that you'd like to use and then build an expression to grab the appropriate type of data, including protocol, port, and source or destination hosts. For example, here's a simple capture of port 25 traffic along with my normal TCPDump choice of options. The TCP three-way handshake is again present, as you might expect:
  20:40:08.638690 murphy.debian.org.45772 > test.example.com.smtp: S tcp...

Normal Scan Nmap

Sometimes an attacker will scan your subnet or individual IP address for open ports. This scan can be anything from an innocent attempt to look for a service to reconnaissance for an attack. Many times, these scans are completely automated, with an attacker setting up one or more robots (bots) to automatically scan for vulnerable versions of software to exploit. This simulation was created with the nmap program with the following command line The TCPDump capture of the port scan is shown in the...

Addrtype filter Table Match Extension

The addrtype match extension is used to match packets based on the type of address used, such as unicast, broadcast, and multicast. The types of addresses include those listed in Table 3.20. Table 3.20. Address Types Used with the addrtype Match. Two commands are used with the addrtype match, as listed in Table 3.21. Table 3.21. addrtype Match Commands. Sometimes defining a...

Clarification on the Meaning of IP Address 0.0.0.0

Address 0.0.0.0 is reserved for use as a broadcast source address. The Netfilter convention of specifying a match on any address, any/0, 0.0.0.0/0, or 0.0.0.0/0.0.0.0, doesn't match the broadcast source address. The reason is that a broadcast packet has a bit set in the Layer 2 frame header indicating that it's a broadcast packet destined for all interfaces on the network, rather than a point-to-point, unicast packet destined for a particular destination. Broadcast packets are handled...

Basic iptables Syntax

Firewalls built with Netfilter are built through the iptables firewall administration command. The iptables command implements the firewall policies that you create and manages the behavior of the firewall. Netfilter firewalls have three individual tables: filter, NAT, and mangle. Within these tables, firewalls are built through chains, with each individual link in the chain being an individual iptables command. Within the default filter table there is a chain for input, or data coming into the...

Stealth Scans and TCP State Flags

Testing for common forms of TCP stealth scans is possible because iptables gives access to all the TCP state flags. The following rules block common stealth scan probes. None of the TCP state combinations tested for are legal combinations. In addition, the unclean match is used first in order to match packets with bad headers and other problems. This module has been experimental for a while, so use with caution. Should you see an error when attempting to load this module, it may not be...

Compiling Your First Kernel

Before you apply the Grsec patch, it will be helpful for you to get a working customized version of the kernel going on the computer. After the new kernel is up and running, I'll show how to apply the patch. This section examines how to compile a kernel from the vanilla source. A good place to start when considering how to approach your first kernel compile is the Kernel-HOWTO or the Kernel Rebuild Guide. The Kernel-HOWTO is located at the Kernel Rebuild Guide is currently located at These...

Configuration Options For Multiple Lans

Adding a second internal LAN allows this example to be developed further. The next example can be better secured than the preceding example. As shown in Figure 6.5, the DNS, SMTP, POP, and HTTP services are offered from server machines in a second LAN rather than from the firewall machine. The second LAN may or may not serve as a public DMZ. It's equally possible that the second LAN represents an internal service LAN, and its services are not offered to the Internet (although, in that case, the...

Source Address Spoofing and Other Bad Addresses

This section establishes some input chain filters based on source and destination addresses. These addresses will never be seen in a legitimate incoming packet from the Internet. At the packet-filtering level, one of the few cases of source address spoofing that you can identify with certainty as a forgery is your own IP address. This rule drops incoming packets claiming to be from you:
  # Refuse spoofed packets pretending to be from the external interface's IP address
  $IPT -A INPUT -i $INTERNET -s...

Limitations of Chkrootkit and Similar Tools

Chkrootkit is a powerful and incredibly helpful tool but it is not without limitations. These limitations aren't really specific to Chkrootkit but rather are a limitation of any tool that attempts to perform complex checks such as this. One such limitation, false positives, has already been discussed. Another limitation of Chkrootkit and other tools like it is that they rely, by default, on programs included with the Linux computer itself, programs that may have been compromised or altered to...

Changing the Output of the AIDE Report

You might want a little more flexibility in the location of the AIDE report. For example, you may not want to receive emails if everything is okay with the AIDE report, or you may want to have AIDE report into a file instead of providing standard output. AIDE has four basic options for configuring output that can be configured through the AIDE configuration file. Linux has three generic streams of output that are created when a program runs. These streams are referred to as stdin, stdout, and...

Building and Installing a Standalone Firewall

Chapter 2, Packet-Filtering Concepts, covered the background ideas and concepts behind a packet-filtering firewall. Each firewall rule chain has its own default policy. Each rule not only applies to an individual input or output chain, but also can apply to a specific network interface, message protocol type (such as TCP, UDP, or ICMP), and service port number. Individual acceptance, denial, and rejection rules are defined for the input chain and the output chain, as well as for the FORWARD...

Differences Between IPFW and Netfilter Firewall Mechanisms

Because iptables is so different from the previous ipchains, this book won't attempt to cover the older implementation. The next section is written for the reader who is familiar with or is currently using ipchains. If iptables is your first introduction to Linux firewalling, you can skip ahead to the section Netfilter Packet Traversal. If you are converting from ipchains, you'll notice several minor differences in the iptables syntax, most notably that the input and output network interfaces...

Choke SSH Configuration

The first rule allows local connections from the choke machine to sshd servers running in the DMZ, including the gateway firewall host:
  $IPT -A OUTPUT -o $DMZ_INTERFACE -p tcp -s $DMZ_IPADDR --sport $UNPRIVPORTS -d $DMZ_ADDRESSES --dport 22 -m state --state NEW -j ACCEPT
The next rule forwards connections from LAN clients to any remote server:
  $IPT -A FORWARD -i $LAN_INTERFACE -o $DMZ_INTERFACE -p tcp -s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 22 -m state --state NEW -j ACCEPT
The last rule forwards...

Email (TCP SMTP Port 25, POP Port 110, IMAP Port 143)

Email is a service that almost everyone wants. How mail is set up depends on your ISP, your connection type, and your own choices. Email is sent across the network using the SMTP protocol, assigned to TCP service port 25. Email is commonly received locally through one of three different protocols, SMTP, POP, or IMAP, depending on the services your ISP provides and on your local configuration. SMTP is the general mail protocol. Mail is delivered to the destination host machine, as defined most...

Monitoring with ARPWatch

ARPWatch is a daemon that watches for new Ethernet interfaces on a network. If a new ARP entry is seen, it could be indicative of a rogue computer somewhere within the network. ARPWatch uses the PCap library, which may not (yet) be on your system. If it's not, you'll find out during the configuration process for ARPWatch. The PCap library, commonly known as libpcap, can be downloaded from http://www.tcpdump.org. The PCap library is used for other network and security-related programs such as...

Obtaining and Installing TCPDump

TCPDump can be downloaded from http://www.tcpdump.org. TCPDump requires the PCap library (libpcap), so while you're downloading TCPDump, you should download libpcap as well. Most popular Linux distributions such as SUSE also include TCPDump as an available package. For example, if you're using Debian you can simply type this. The package maintenance system will install TCPDump and any prerequisites too. For everyone else, you can probably search your distribution's repository for a package or just...

Destination Unreachable Error Type 3 Messages

ICMP message type 3, Destination Unreachable, is a general error status message:
  $IPT -A INPUT -i $INTERNET -p icmp --icmp-type destination-unreachable -d $IPADDR -j ACCEPT
  $IPT -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
  # Don't log dropped outgoing ICMP error messages
  $IPT -A OUTPUT -o $INTERNET -p icmp -s $IPADDR --icmp-type destination-unreachable -j DROP
The ICMP packet header for type 3 messages, Destination Unreachable, contains an error code field...

Accessing Your ISP's DHCP Server (UDP Ports 67...)

DHCP exchanges, if any, between your site and your ISP's server will necessarily be local client-to-remote server exchanges. Most often, DHCP clients receive temporary, or semipermanent, dynamically allocated IP addresses from a central server that manages the ISP's customer IP address space. The server also typically provides your local host with other configuration information, such as the network subnet mask, the network MTU, the default (first-hop) router addresses, the domain name, and the...

Optimized iptables Firewall from Chapter

For most systems on DSL, cable modem, and lower-speed leased line connections, the chances are good that the Linux network code can handle packets faster than the network connection can. Particularly because firewall rules are order-dependent and difficult to construct, organizing the rules for readability is probably a bigger win than organizing for speed. In addition to general rule ordering, iptables supports user-defined rule lists, or chains, that you can use to optimize your firewall...

Iptables Firewall for a Standalone System from Chapter

Chapter 4 covers the application protocols and firewall rules for the types of services most likely to be used on an individual, standalone Linux box. Additionally, both client and server rules are presented for services that not everyone will use. The complete iptables firewall script, as it would appear in /etc/rc.d/rc.firewall or /etc/init.d/firewall, follows:
  #!/bin/sh
  CONNECTION_TRACKING="1"
  ACCEPT_AUTH="0"
  SSH_SERVER="0"
  FTP_SERVER="0"
  WEB_SERVER="0"
  SSL_SERVER="0"
  DHCP_CLIENT="1"
  IPT="/sbin/iptables"
  INTERNET...

Incoming TCP Connection State Filtering

Incoming TCP packet acceptance rules can make use of the connection state flags associated with TCP connections. All TCP connections adhere to the same set of connection states. These states differ between client and server because of the three-way handshake during connection establishment. As such, the firewall can distinguish between incoming traffic from remote clients and incoming traffic from remote servers. Incoming TCP packets from remote clients will have the SYN flag set in the first...

ICMP Traffic

Finally, the last pair of rules match on incoming and outgoing ICMP traffic:
  $IPT -A EXT-input -p icmp -j EXT-icmp-in
  $IPT -A EXT-output -p icmp -j EXT-icmp-out
These two user-defined chains, EXT-icmp-in and EXT-icmp-out, perform the final determination on ICMP packets exchanged between the local host and remote machines. The EXT-icmp-in chain selects the incoming ICMP packets based on the message type. The EXT-icmp-out chain selects the outgoing ICMP packets based on the message type.
  # Log and drop...

Local Port Redirection (Transparent Proxying)

Local port redirection, the REDIRECT target in iptables, is a special case of destination NAT. The packet is redirected to the local host, regardless of the packet's destination address. Incoming packets to be forwarded are redirected from the nat table's PREROUTING chain to the filter table's INPUT chain. The incoming interface is the interface that the packet arrived on. Outgoing packets from the local host are redirected from the nat table's OUTPUT chain to the filter table's INPUT chain....

Special IP Addresses

There are three major special cases of IP addresses:
  Network address 0: As noted under Class A addresses, network address 0 is not used as part of a routable address. When used as a source address, its only legal use is during initialization when a host is attempting to have its IP address dynamically assigned by a server. When used as a destination, only address 0.0.0.0 has meaning, and then only to the local machine as referring to itself, or as a convention to refer to a default route....

Intrusion Detection Tools

In the preceding chapter you learned the concepts of intrusion detection and intrusion response. Rarely are two attacks exactly the same, though the techniques used frequently rely on a common set of methods and result in many of the same symptoms, as described in the preceding chapter. It is through these common methods and symptoms that intrusion detection tools are able to assist the intrusion analyst with his job. The intrusion analyst has much to choose from when looking for software tools...

RealAudio, RealVideo, and QuickTime (TCP Ports 554 and 7070)

RealAudio, RealVideo, and QuickTime use the same ports. The control connection to the server is built on top of the Real-Time Streaming Protocol (RTSP). See RFC 2326, Real Time Streaming Protocol (RTSP), for more information on the protocol. The incoming data stream is built on top of the Real-Time Transport Protocol (RTP). See RFC 3550, RTP: A Transport Protocol for Real-Time Applications, for more information on the RTP...

Three Valuable Tools

An ever-growing number of tools and software exist to monitor network traffic. Some of these tools are free (as in price and speech) and some cost quite a bit of money. I've used both the expensive tools and the free ones, and I'm confident in saying that the free ones are better. The expensive tools are weak on functionality but strong on the pretty. The interfaces for many of the products provide a nice look and feel (though many of them seem to be somewhat unstable). In general, the...

Running Chkrootkit

Before you can run Chkrootkit, you need to get it. Chkrootkit can be downloaded from http://www.chkrootkit.org. After it's downloaded, Chkrootkit needs to be unarchived and compiled:
  tar -zxvf chkrootkit.tar.gz
  cd chkrootkit-<NNNN>
  make sense
Yes, that does say make sense in the code example. Although Chkrootkit is a shell script, there is some additional functionality gained by compiling the code. Compiling is not required, but because it's quick and adds some additional levels of checking,...

The OSI Networking Model

The OSI (Open System Interconnection) model represents a network framework based on layers. Each layer in the OSI model provides distinct functionality in relation to the other layers. The OSI model contains seven layers, as shown in Figure 1.1. Figure 1.1. The seven layers of the OSI model. The layers are sometimes referred to by number, with the lowest layer (Physical) being layer 1 and the highest layer (Application) being layer 7. If you hear someone refer to a Layer 3 switch, he is...

Avoiding Paranoia: Responding to Port Scans

Firewall logs normally show all kinds of failed connection attempts. Probes are the most common thing you'll see reported in your logs. ...m compromised? No, it isn't. Well, not necessarily. The ports are blocked. The firewall is doing its job. These are failed connection attempts that the firewall denied. At what point do you personally decide to report a probe? At what point is it important enough to take the time to report it? At what...

Packet Filtering Firewall

At its most basic level, a packet-filtering firewall consists of a list of acceptance and denial rules. These rules explicitly define which packets will and will not be allowed through the network interface. The firewall rules use the packet header fields described in Chapter 1 to decide whether to forward a packet to its destination, to silently throw away the packet, or to block the packet and return an error condition to the sending machine. These rules can be based on a wide array of...

Rejecting auth Requests

The following rule blocks AUTH requests at the gateway by using REJECT rather than DROP so that the requests get a TCP RST right away rather than being blocked silently:
  $IPT -A INPUT -i $EXTERNAL_INTERFACE -p tcp --dport 113 -j REJECT

Email (TCP SMTP Port 25, POP3 Port 110, IMAP Port 143)

Mail is typically handled by a central SMTP server. As a workable example, this section is based on the assumption that a machine in the DMZ is the local mail gateway and mail host. Local clients will retrieve...

Packet Filtering Concepts

What is a firewall? Over the years, the term has changed in meaning. According to RFC 2647, Benchmarking Terminology for Firewall Performance, a firewall is a device or group of devices that enforces an access control policy between networks. This definition is very broad, purposefully so in fact. A firewall can encompass many layers of the OSI model and may refer to a device that does packet filtering, performs packet inspection and filtering, implements a policy on an application at a higher...

Gateway SSH Configuration

The first rule allows local connections from the choke machine to an sshd server running on the gateway. All of these rules are applied on the gateway firewall:
  $IPT -A INPUT -i $DMZ_INTERFACE -p tcp -s $CHOKE_IPADDR --sport $UNPRIVPORTS -d $DMZ_IPADDR --dport 22 -m state --state NEW -j ACCEPT
The next rule forwards connections from LAN clients to any remote server:
  $IPT -A FORWARD -i $DMZ_INTERFACE -o $EXTERNAL_INTERFACE -p tcp -s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 22 -m state --state NEW -j ACCEPT...

The Limitations of a Standalone Firewall

The single-system firewall presented in Chapter 4, Building and Installing a Standalone Firewall, is a basic bastion firewall, using only the input and output chains. When the firewall is a packet-filtering router that has a network interface connected to the Internet and another connected to your LAN (referred to as a dual-homed system), the firewall applies rules to decide whether to forward or block packets crossing between the two interfaces. In this case, the packet-filtering firewall is a...

Broadcasting and Multicasting

When a device wants to send data to other devices on the same network segment, it can send the data to a special address known as a broadcast address to accomplish this task. On the other hand, a multicast is sent to the devices that belong to the multicast group, sometimes called subscribers. Imagine a large, flat network in which every computer and device is connected to the others. In such an environment every network device sees every other network device's traffic. In this type of network,...

Checking the Forwarding Rules

The forwarding rules apply to packets passing or being routed through the machine. Forwarded packets are inspected only by the rules defined for the forward chain. These packets are not inspected against rules on the input or output chains. If the packet's destination address is something other than the address of the interface on which the packet arrived, the packet is inspected by the FORWARD chain. If the packet matches a FORWARD acceptance rule, the packet is sent out the appropriate...

Whois TCP Port

The whois program accesses the InterNIC Registration Services database. Table 4.11 lists the complete client/server connection protocol for the whois service.
  DESCRIPTION  PROTOCOL  ADDRESS  PORT  IN/OUT  ADDRESS  PORT  FLAG
The next two rules enable you to query an official remote server:
  if [ "$CONNECTION_TRACKING" = "1" ]; then
      $IPT -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 43 -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT -o $INTERNET -p tcp -s $IPADDR --sport $UNPRIVPORTS --dport 43 -j ACCEPT...

Firewall Log Messages What Do They Mean

To generate firewall logs, the kernel must be compiled with firewall logging enabled. By default, individually matched packets are logged as kern.warn (priority 4) messages. The log priority can be changed with the --log-level option to -j LOG. Most of the IP packet header fields are reported when a packet matches a rule with the LOG target. Firewall log messages are written to /var/log/messages by default. You could duplicate the firewall log messages to a different file by creating a new log...

Using TCPDump in the Real World

So far in this chapter, you've seen a number of examples for using TCPDump to capture various types of traffic. These examples were given to show the usage of TCPDump in relation to expressions and other options. Now it's time to give you real-life examples of using TCPDump to capture specific types of traffic. The situations in which you might use these examples will vary, but I'll try to give some clue as to why you might use a given example, where I can. It might be helpful to see how a...

Switches and Hubs and Why You Care

On a switched network, any given network interface would receive only traffic destined for it as well as broadcast traffic. In a hub network environment the network interface receives all traffic, whether that traffic is destined for it or for another device. This is why switched networks are faster than hubbed networks: the unnecessary traffic isn't sent to all ports of the switch. There are situations in which a network interface might receive all traffic or a greater subset than merely its own...

Connectionless Versus Connection Oriented Protocols

At some layers of the OSI model, protocols can be defined in terms of one of their properties, connectionless or connection-oriented. This definition refers to the methods that the protocol contains for providing such things as error control, flow control, data segmentation, and data reassembly. Think of connection-oriented protocols in terms of a telephone call. Generally there is an acceptable protocol for making a phone call and having a conversation. The person making the call, the...

TCPDump A Simple Overview

Recall what you've read in earlier chapters. You learned about IP addressing, subnetting, and the headers of some of those core protocols. In this chapter the TCPDump tool will be examined and you will see some of those protocols up close and personal. Armed with an understanding of how to monitor your network at this level, you can be confident that you'll be able to troubleshoot a wide range of problems, not just those related to computer security. An important tool in the intrusion analyst's...

Using Swatch to Monitor SSH Login Failures

In 2004 and 2005, a number of brute-force login attempts were noted against servers running SSH. These usually didn't result in much of anything except annoyance. However, it's generally useful to monitor log files for these and other attempts to brute-force attack a server. Swatch can be configured to send an email (or do any number of other actions) when such an attempt is logged. This section shows how to send an email alert when an authentication failure is logged. The system logs a line...

Recording Traffic with TCPDump

While consulting for a small Internet provider, I noticed that there was a routine and significant spike in network traffic at about 3 a.m. every morning and lasting anywhere from 15 minutes to an hour. My goal was to determine the cause of this traffic spike. Because the traffic was routine and at an odd hour, my initial thought was that the traffic was the result of an automatic update process for the servers on the network. Most of the servers in the network were running Debian Linux and...

Automated Intrusion Monitoring with Snort

Snort is an excellent intrusion detection software package combining best-in-class technology with open-source configurability. Snort actually has a few different modes of operation, including a sniffer mode, a packet logger mode, an intrusion detection mode, and what is called inline mode. It is the intrusion detection mode that is of interest in this section. However, inline mode is also notable because it provides a way to configure Snort and iptables to work together to dynamically accept...

Iptables NAT Semantics

Iptables provides full NAT functionality, including both source (SNAT) and destination (DNAT) address mapping. The term full NAT isn't a formal term; I'm referring to the capability to perform both source and destination NAT, to specify one or a range of translation addresses, to perform port translation, and to perform port remapping. iptables supports the three general types of NAT (traditional NAT, bidirectional NAT, and twice NAT), as defined in RFC 2663. A partial implementation of NAPT, known...

Checking a Process Bound to a Particular Port with fuser

The fuser command identifies which processes are using a particular file, filesystem, or network port. netstat -a -A inet will report a port number rather than a service name if the port doesn't have an entry in /etc/services. fuser can be useful to determine which program is bound to that port. The general fuser command format to identify which program is bound to a given port is as follows:
  fuser -n tcp|udp -v <port number>,<remote address>,<remote port>
  515/tcp  root  718  f  lpd...

LAND Attack

The LAND attack is a DoS attack against computers running Microsoft Windows. The attack was originally reported to affect Windows 95 and Windows NT back in 1997. Microsoft eventually patched the vulnerability for the operating systems. However, the vulnerability resurfaced in Microsoft's newer operating systems, including Windows XP Service Pack 2 and even Windows Server 2003. Obviously, a problem of this type resurfacing was quite embarrassing for Microsoft, especially because it has...