Chris Cooper
Slides & Scripts: http://QCCoLab.com/ipset

• Linux Based
• Cheap
• Feature Rich
• Rugged
• Advanced IPTables

• Address Lists for IPTables
• IPSet project – http://ipset.netfilter.org/
• Patch for Kernel 2.4.36
• Officially included in Kernel 2.6.39
• Nomatch & TC support added in 3.7
• Binary included in all major repos

• IPSet can store many types of data
  – IP – Single IP addresses
  – Net – Variable length subnets (using CIDR)
  – Ports – Lump multiple service ports together
  – IP,Port – A specific port at a specific IP
  – IP,Port,IP – A specific connection
  – IP,MAC – For your Layer 2 filtering needs
  – Set – Group sets together (Yo, dawg…)

• IPSet will match hosts inside networks
• Nomatch can be used for exceptions

• IPSet simplifies rules
• Creates objects to work with

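As an added example (not from the slides), here is one set of each type listed above, plus a nomatch exception, written as an "ipset restore" batch so it can be reviewed before it is loaded, and one iptables rule per set to show how a single rule replaces a long rule list. Set names, addresses (RFC 5737 ranges) and ports are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: one set of each type the slide lists,
# emitted as an "ipset restore" batch so it can be reviewed before loading.
# Set names, addresses (RFC 5737 ranges) and ports are constructed.
set -eu

# Print the batch on stdout. "ipset restore" loads it as one transaction.
ipset_type_demo() {
    cat <<'EOF'
create mgmt_hosts hash:ip family inet
add mgmt_hosts 192.0.2.10
add mgmt_hosts 192.0.2.11
create blocked_nets hash:net family inet
add blocked_nets 198.51.100.0/24
add blocked_nets 198.51.100.64/26 nomatch
create noisy_ports bitmap:port range 1-1024
add noisy_ports 135-139
add noisy_ports 445
create db_access hash:ip,port family inet
add db_access 192.0.2.20,tcp:5432
create pinned_sessions hash:ip,port,ip family inet
add pinned_sessions 192.0.2.30,tcp:22,203.0.113.5
create lan_devices bitmap:ip,mac range 10.0.0.0/24
add lan_devices 10.0.0.5,00:11:22:33:44:55
create partner_nets hash:net family inet
add partner_nets 203.0.113.0/24
create trusted list:set
add trusted mgmt_hosts
add trusted partner_nets
EOF
}

# One rule per set is enough: the set, not the rule list, holds the addresses.
# The src/dst flags name which packet field feeds each dimension of the set.
iptables_rules_demo() {
    cat <<'EOF'
iptables -A INPUT -m set --match-set blocked_nets src -j DROP
iptables -A INPUT -p tcp -m set --match-set noisy_ports dst -j DROP
iptables -A INPUT -p tcp -m set --match-set db_access dst,dst -j ACCEPT
iptables -A INPUT -m set --match-set lan_devices src,src -j ACCEPT
iptables -A INPUT -m set --match-set trusted src -j ACCEPT
EOF
}

# With --apply, load the sets and show the nomatch exception at work
# (needs root and the ipset binary); otherwise only print the batch.
if [ "${1:-}" = "--apply" ]; then
    ipset_type_demo | ipset restore
    ipset test blocked_nets 198.51.100.5      # inside the /24: in set
    ! ipset test blocked_nets 198.51.100.70   # inside the nomatch /26: NOT in set
else
    ipset_type_demo
fi
```

The nomatch entry is what turns "block this /24 except one /26" into two lines instead of a rule per exception: ipset test reports 198.51.100.70 as not in the set even though the covering /24 is listed.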
• Fail2Ban
  – Bans IPs that cause trouble
  – http://www.fail2ban.org/
• Modular design
• Watches logs for keys like failed logins
• Can take a variety of actions
  – Default is IPTables rules to block
  – Creates a long ugly list of block rules

• IPSet support added very recently
• Not yet in any repos. Check GitHub
  – action.d/iptables-ipset-proto4.conf
• IPSet is IPv6 friendly
  – action.d/iptables-ipset-proto6.conf
  (Correction on the slide: "Oops. This refers to the version of IPSet used by fail2ban. Although IPSet does still support IPv6, fail2ban does not.")

• DenyHosts
  – Similar to fail2ban
  – http://www.denyhosts.net/
• Centralized server

• 12,000 IPTables rules is not practical
  – Adds ~5ms latency to every connection
• Uses hosts.deny
  – Requires tcpwrapper
  – Stock Apache & OpenSSH not supported
  – Only protects local services (not a firewall)

• IPSet’s hash tables are really fast
  – http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/

• DenyHosts supports external scripts
• Add a quick script for setup
  – PLUGIN_DENY
  – PLUGIN_PURGE
• Just called for local trips (not database)

• Finally, add a script to cron
  – Loads central database entries
  – Swap used for no interruption

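An added example of the cron step, not one of the author's scripts: it rebuilds a set from a text file of addresses (one IP or CIDR per line, as a central DenyHosts database might be exported) into a scratch set and swaps it into place, so rules that reference the set never see it empty or half loaded. The set name, file layout and cron path are assumptions; the sample list is constructed.

```shell
#!/bin/sh
# Added example, not one of the author's scripts: rebuild a set from a text
# file (one IP or CIDR per line, e.g. exported from the central DenyHosts
# database) and swap it into place, so rules referencing the set never see an
# empty or half-loaded set. Set and file names are assumptions.
set -eu

# Print an "ipset restore" batch: build <set>_tmp from scratch, swap it with
# <set> (created empty first if missing), then destroy the old contents.
build_reload_batch() {
    set_name=$1
    list_file=$2
    printf 'create %s hash:net family inet\n' "$set_name"
    printf 'create %s_tmp hash:net family inet\n' "$set_name"
    printf 'flush %s_tmp\n' "$set_name"
    # Blank lines and comments are skipped; a trailing "nomatch" is passed
    # through so exceptions can live in the same file.
    grep -Ev '^[[:space:]]*(#|$)' "$list_file" | while read -r entry flags; do
        printf 'add %s_tmp %s%s\n' "$set_name" "$entry" "${flags:+ $flags}"
    done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# Constructed sample of what the cron job would read.
sample_list=$(mktemp)
printf '%s\n' '# central denylist export' '203.0.113.0/24' '' \
    '203.0.113.9 nomatch' '198.51.100.7' > "$sample_list"

# Assumed cron entry: */5 * * * * /usr/local/sbin/reload-denylist.sh --apply
if [ "${1:-}" = "--apply" ]; then
    # -exist: creating a set that already exists is not treated as an error.
    build_reload_batch denylist "$sample_list" | ipset restore -exist
else
    build_reload_batch denylist "$sample_list"
fi
rm -f "$sample_list"
```

Swap only works between two sets of the same type and family, which is why both are created as hash:net. The PLUGIN_DENY and PLUGIN_PURGE hooks from the previous slide need no more than an "ipset add" or "ipset del" of the single host DenyHosts hands them; the cron reload is what brings in the central database.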
• IPSet supports timeouts
  – Create rules that automatically expire
• IPTables rules can add entries to a set
  – Create your own IPS systems inside netfilter

• Identify 3 SSH connections in 60 seconds
• Block the IP for 15 minutes

• Hit TCP 123
• Within 5 seconds hit TCP 1338
• Within 5 seconds hit UDP 1175
• Open access for 5 minutes

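Both of the dynamic-set recipes above (the SSH brute-force ban and the three-step knock), as one added example that is not the author's script: iptables adds entries with the SET target and the ipset timeouts remove them again, so nothing else has to clean up. The set names, the use of the "recent" match to count connections, and the choice of TCP 22 as the port the knock opens are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the author's script: the two dynamic-set recipes from
# the slides. Entries are added by iptables (the SET target) and expire by
# themselves (ipset timeouts). Set names, the use of the "recent" match to
# count connections, and the port protected by the knock are assumptions.
# Commands are printed unless APPLY=1 is set in the environment.
set -eu

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 3 new SSH connections inside 60 s -> source blocked for 15 minutes (900 s).
ssh_bruteforce_rules() {
    run ipset create ssh_block hash:ip family inet timeout 900 -exist
    run iptables -A INPUT -p tcp --dport 22 -m set --match-set ssh_block src -j DROP
    # The first rule records every new connection per source; the second
    # matches on the third one within 60 s and adds the source to the timeout
    # set. The entry disappears by itself after 900 s, no cron job needed.
    run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh_seen --set
    run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh_seen --update --seconds 60 --hitcount 3 \
        -j SET --add-set ssh_block src
}

# Knock: TCP 123, then TCP 1338 within 5 s, then UDP 1175 within 5 s,
# which opens the protected port (TCP 22 here) to that source for 5 minutes.
port_knock_rules() {
    run ipset create knock1 hash:ip family inet timeout 5 -exist
    run ipset create knock2 hash:ip family inet timeout 5 -exist
    run ipset create knock_open hash:ip family inet timeout 300 -exist
    # Each stage fires only for sources still present in the previous stage,
    # so the 5 s timeouts enforce the spacing of the sequence.
    run iptables -A INPUT -p tcp --dport 123 -m conntrack --ctstate NEW \
        -j SET --add-set knock1 src
    run iptables -A INPUT -p tcp --dport 1338 -m set --match-set knock1 src \
        -j SET --add-set knock2 src
    run iptables -A INPUT -p udp --dport 1175 -m set --match-set knock2 src \
        -j SET --add-set knock_open src
    # SET is non-terminating, so the knock packets themselves fall through to
    # the default policy; only hosts that completed the sequence reach SSH.
    run iptables -A INPUT -p tcp --dport 22 -m set --match-set knock_open src -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -j DROP
}

ssh_bruteforce_rules
port_knock_rules
```

Rule order matters: the ssh_block DROP sits before the knock rules, so a host that completed the knock and then hammers SSH is still banned, and the counting rules never see traffic from an already-banned host.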
• Detect & Block Port Scans
  – UDP/TCP Port 0
  – Look for invalid TCP flags
    • FIN,URG,PSH – Xmas Tree Scan
• FWSnort can convert Snort to IPTables
  – Pick specific rules you understand
  – http://www.cipherdyne.org/fwsnort/
• Beware of false positives!

• Be creative with targets
• DNAT
  – Forward hostile hosts to a honeypot
• REDIRECT
  – Redirect to a “Captive Portal” page until auth
  – Warn users (Don’t be Comcast)
• LIMIT
  – Rate limit new connections

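The port-scan detection from the previous slide feeding a timeout set, with the DNAT-to-honeypot target from this one applied to whatever lands in it, as an added example that is not the author's script. The honeypot address, the set name, the 10 minute timeout and the assumption that this box is the gateway (so PREROUTING sees the traffic) are this example's own.

```shell
#!/bin/sh
# Added example, not the author's script: port-scan detection from the
# slides feeding a timeout set, with the DNAT-to-honeypot target applied to
# whatever lands in it. The honeypot address, set name, 10 minute timeout
# and the assumption that this host is the gateway (so PREROUTING sees the
# traffic) are this example's own. Commands are printed unless APPLY=1.
set -eu

HONEYPOT=${HONEYPOT:-10.99.0.10}   # constructed placeholder address

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

scan_trap_rules() {
    # The timeout bounds the cost of a false positive: a misclassified host
    # is back to normal after 600 s without anyone having to intervene.
    run ipset create scanners hash:ip family inet timeout 600 -exist
    # Port 0 is never a legitimate destination for TCP or UDP.
    run iptables -A INPUT -p tcp --dport 0 -j SET --add-set scanners src
    run iptables -A INPUT -p udp --dport 0 -j SET --add-set scanners src
    # Xmas tree scan: "ALL FIN,URG,PSH" means exactly these three flags set
    # and no others, a combination no real connection ever produces.
    run iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j SET --add-set scanners src
    # Creative target: steer everything from a listed host to the honeypot
    # instead of dropping it, for as long as the entry lives.
    run iptables -t nat -A PREROUTING -m set --match-set scanners src \
        -j DNAT --to-destination "$HONEYPOT"
    # Locally delivered traffic from listed hosts is dropped as well.
    run iptables -A INPUT -m set --match-set scanners src -j DROP
}

scan_trap_rules
```

Rules you pick out of FWSnort's output can use the same SET target as their action, so everything that trips a signature ends up in the one timeout-governed set rather than in a growing list of permanent rules.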
• Mark packets for use with iproute2
  – Route some users out a different connection
  – Use statistic for source-based routing
• Throttle users with TC
  – Detect p2p or bittorrent presence
    • Easy to find, hard to block
  – Throttle all non-HTTP(s) traffic to dial-up
  – Timeouts minimize false-positive impact

• Chris Cooper
  – Twitter: @CC_DKP
  – CCooper@QCColab.com
• Slides & Scripts:
  – http://QCCoLab.com/ipset