
Chris Cooper - PowerPoint PPT Presentation

Chris Cooper Slides & Scripts: http://QCCoLab.com/ipset


  1. Chris Cooper Slides & Scripts: http://QCCoLab.com/ipset


  3. • Linux based
     • Cheap
     • Feature rich
     • Rugged
     • Advanced IPTables


  5. • Address lists for IPTables
     • IPSet project: http://ipset.netfilter.org/
     • Patch for kernel 2.4.36
     • Officially included in kernel 2.6.39
     • Nomatch & TC support added in 3.7
     • Binary included in all major repos

  6. • IPSet can store many types of data
       – IP: single IP addresses
       – Net: variable-length subnets (using CIDR)
       – Ports: lump multiple service ports together
       – IP,Port: a specific port at a specific IP
       – IP,Port,IP: a specific connection
       – IP,MAC: for your Layer 2 filtering needs
       – Set: group sets together (Yo, dawg…)

  7. • IPSet will match hosts inside networks
     • Nomatch can be used for exceptions

  8. • IPSet simplifies rules
     • Creates objects to work with
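The set types from slides 6 to 8 in working form, as an added example (my code, not the presenter's scripts from QCCoLab.com/ipset): a hash:net set with a nomatch exception carved out of a blocked /24, a hash:ip,port set, a port bitmap and a list:set, each referenced from iptables with a single `-m set` rule instead of one rule per address. The addresses and ports are constructed sample data. Real use needs root and the ipset and iptables binaries; pointing IPSET and IPT at echo prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the presentation). Set IPSET="echo ipset" and
# IPT="echo iptables" to print the commands instead of executing them.
IPSET="${IPSET:-ipset}"
IPT="${IPT:-iptables}"

build_sets() {
    # hash:net stores CIDR networks; an entry flagged "nomatch" is an
    # exception inside a wider block (slide 7): 203.0.113.0/24 is listed,
    # but 203.0.113.10 will not match the set.  (sample addresses)
    $IPSET -exist create bad_nets hash:net
    $IPSET -exist add bad_nets 203.0.113.0/24
    $IPSET -exist add bad_nets 203.0.113.10 nomatch

    # hash:ip,port ties one port to one host; the port carries a protocol.
    $IPSET -exist create admin_svc hash:ip,port
    $IPSET -exist add admin_svc 192.0.2.5,tcp:22

    # bitmap:port lumps service ports together; the range must be declared.
    $IPSET -exist create web_ports bitmap:port range 0-65535
    $IPSET -exist add web_ports 80
    $IPSET -exist add web_ports 443

    # list:set groups other sets so one rule can consult several of them.
    $IPSET -exist create blocklist list:set
    $IPSET -exist add blocklist bad_nets
}

build_rules() {
    # The set is the object the rule works with; its contents can change
    # at any time without touching the rule.
    $IPT -A INPUT -m set --match-set blocklist src -j DROP
    # For ip,port sets the flags name which packet fields feed the lookup:
    # destination address, then destination port.
    $IPT -A INPUT -p tcp -m set --match-set admin_svc dst,dst -j ACCEPT
    $IPT -A INPUT -p tcp -m set --match-set web_ports dst -j ACCEPT
}

case "${1:-}" in
    apply) build_sets && build_rules ;;
    show)  IPSET="echo ipset"; IPT="echo iptables"; build_sets; build_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

`./sets.sh show` prints the commands; `./sets.sh apply` runs them. The rules are appended with `-A`, so where they land relative to an existing policy is up to the caller.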

  9. • Fail2Ban: bans IPs that cause trouble
       – http://www.fail2ban.org/
     • Modular design
     • Watches logs for patterns such as failed logins
     • Can take a variety of actions
       – Default is IPTables rules to block
       – Creates a long, ugly list of block rules

  10. • IPSet support added very recently
      • Not yet in any repos; check GitHub
        – action.d/iptables-ipset-proto4.conf
        – action.d/iptables-ipset-proto6.conf
      • IPSet is IPv6 friendly
        – Oops. "proto4" and "proto6" refer to the version of IPSet used by fail2ban (protocol 4 vs protocol 6), not to IPv4 and IPv6. Although IPSet does still support IPv6, fail2ban does not.

  11. • DenyHosts: similar to fail2ban
        – http://www.denyhosts.net/
      • Centralized server

  12. • 12,000 IPTables rules are not practical
        – Adds ~5 ms latency to every connection
      • Uses hosts.deny
        – Requires tcpwrapper
        – Stock Apache & OpenSSH not supported
        – Only protects local services (not a firewall)

  13. • IPSet's hash tables are really fast
        – http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/

  14. • DenyHosts supports external scripts
      • Add a quick script for setup
        – PLUGIN_DENY, PLUGIN_PURGE
        – Only called for local trips (not for entries from the central database)

  15. • Finally, add a script to cron
        – Loads central database entries
        – Swap is used so the set is replaced without interruption
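The two hooks from slides 14 and 15 together, as an added example (my code, not the script distributed at QCCoLab.com/ipset). The `deny`/`purge` modes are meant to be wired to DenyHosts' PLUGIN_DENY and PLUGIN_PURGE; it is assumed here that DenyHosts passes the banned address as the script's first argument. The `sync` mode is meant for cron: it rebuilds a scratch set from the hosts.deny file DenyHosts maintains (entries pulled from the central database land there too, which is an assumption about the deployment) and then uses `ipset swap`, so the rule that references the live set never sees an empty set. The set name and the hosts.deny lines used in the test are constructed.

```sh
#!/bin/sh
# Added example (not the presenter's script). IPSET="echo ipset" prints the
# commands instead of running them; real use needs root.
IPSET="${IPSET:-ipset}"
HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"
SET="${SET:-denyhosts}"          # assumed set name; match it in your rule

# PLUGIN_DENY / PLUGIN_PURGE hooks: assumed to be called as "script IP".
plugin_deny()  { $IPSET -exist add "$SET" "$1"; }
plugin_purge() { $IPSET -exist del "$SET" "$1"; }

# Pull the IPv4 addresses out of hosts.deny lines such as "sshd: 1.2.3.4"
# (or "ALL: 1.2.3.4" with BLOCK_SERVICE=ALL), skipping comment lines.
# DenyHosts may append "# DenyHosts: <date> | sshd: 1.2.3.4" to a line;
# sort -u collapses the duplicate match that produces.
hosts_deny_ips() {
    grep -v '^[[:space:]]*#' "$HOSTS_DENY" \
      | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

sync_from_hosts_deny() {
    $IPSET -exist create "$SET" hash:ip
    $IPSET -exist create "${SET}_tmp" hash:ip
    $IPSET flush "${SET}_tmp"
    hosts_deny_ips | while read -r ip; do
        $IPSET -exist add "${SET}_tmp" "$ip"
    done
    # swap exchanges the contents of the two sets atomically: a rule doing
    # "-m set --match-set $SET src -j DROP" keeps matching throughout.
    $IPSET swap "${SET}_tmp" "$SET"
    $IPSET destroy "${SET}_tmp"
}

case "${1:-}" in
    deny)  plugin_deny "$2" ;;
    purge) plugin_purge "$2" ;;
    sync)  sync_from_hosts_deny ;;
    *)     echo "usage: $0 deny IP | purge IP | sync" >&2 ;;
esac
```

Point PLUGIN_DENY at `script deny` and PLUGIN_PURGE at `script purge` (wrapper scripts, since DenyHosts calls one executable), run `script sync` from cron, and add one rule such as `iptables -A INPUT -m set --match-set denyhosts src -j DROP`; the set name above is an assumption, so use the same one in the rule.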

  16. • IPSet supports timeouts
        – Create rules that automatically expire
      • IPTables rules can add entries to a set
        – Create your own IPS inside netfilter

  17. • Identify 3 SSH connections in 60 seconds
      • Block the IP for 15 minutes
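Slides 16 and 17 combined, as an added example (my code, not the presenter's script): the `recent` match counts new SSH connections per source address, the third one inside 60 seconds adds the source to a set created with a 900-second default timeout, and the `SET` target plus the set's own expiry do the rest, so nothing has to clean up afterwards. `SET` is a non-terminating target, so the DROP rule is placed before it and repeated after it to catch the triggering connection. The chain name and the port variable are my assumptions.

```sh
#!/bin/sh
# Added example (not the presenter's script). IPSET="echo ipset" and
# IPT="echo iptables" print the commands; real use needs root and the
# xt_recent and xt_set modules.
IPSET="${IPSET:-ipset}"
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"       # assumed

ssh_guard() {
    # Entries added without an explicit timeout expire after 900 s = 15 min.
    $IPSET -exist create ssh_ban hash:ip timeout 900
    $IPT -N SSH_GUARD 2>/dev/null || $IPT -F SSH_GUARD
    # 1. Already banned: drop. Because this rule comes first, a banned host's
    #    retries are not counted and do not extend the ban.
    $IPT -A SSH_GUARD -m set --match-set ssh_ban src -j DROP
    # 2. Record this new connection under the source address.
    $IPT -A SSH_GUARD -m recent --name ssh --set
    # 3. Three or more in the last 60 s (this one included): add to ssh_ban.
    $IPT -A SSH_GUARD -m recent --name ssh --update --seconds 60 --hitcount 3 \
         -j SET --add-set ssh_ban src
    # 4. SET does not stop rule traversal, so re-check the set to drop the
    #    connection that just triggered the ban.
    $IPT -A SSH_GUARD -m set --match-set ssh_ban src -j DROP
    $IPT -A SSH_GUARD -j ACCEPT
    # Hand every new SSH connection to the chain (remove an older copy first
    # so re-running the script stays idempotent).
    $IPT -D INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_GUARD 2>/dev/null || true
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_GUARD
}

case "${1:-}" in
    apply) ssh_guard ;;
    show)  IPSET="echo ipset"; IPT="echo iptables"; ssh_guard ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Only NEW connections enter the chain; the usual `--ctstate ESTABLISHED,RELATED -j ACCEPT` rule in INPUT still carries existing sessions. `ipset list ssh_ban` shows who is banned and how many seconds remain.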

  18. • Hit TCP 123
      • Within 5 seconds, hit TCP 1338
      • Within 5 seconds, hit UDP 1175
      • Open access for 5 minutes
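The knock sequence on slide 18 built from set timeouts, as an added example (my code, not the presenter's script). Each stage is a set with a 5-second timeout, and a knock only counts if the source is still in the previous stage's set, so the whole sequence has to be completed in time; finishing it puts the source into a 300-second "open" set. The slide does not say which service gets opened; SSH on port 22 is assumed here, as are the set and chain names.

```sh
#!/bin/sh
# Added example (not the presenter's script). IPSET="echo ipset" and
# IPT="echo iptables" print the commands; real use needs root.
IPSET="${IPSET:-ipset}"
IPT="${IPT:-iptables}"
OPEN_PORT="${OPEN_PORT:-22}"     # assumed: the service the knock unlocks

knock_setup() {
    $IPSET -exist create knock1 hash:ip timeout 5
    $IPSET -exist create knock2 hash:ip timeout 5
    $IPSET -exist create knock_open hash:ip timeout 300
    $IPT -N KNOCK 2>/dev/null || $IPT -F KNOCK
    # Stage 1: a new TCP connection to 123 starts the sequence (5 s to continue).
    $IPT -A KNOCK -p tcp --dport 123 -j SET --add-set knock1 src
    # Stage 2: TCP 1338 counts only while the source is still in knock1.
    $IPT -A KNOCK -p tcp --dport 1338 -m set --match-set knock1 src \
         -j SET --add-set knock2 src
    # Stage 3: UDP 1175 while still in knock2 opens access for 300 s.
    $IPT -A KNOCK -p udp --dport 1175 -m set --match-set knock2 src \
         -j SET --add-set knock_open src
    # SET is non-terminating; the knock packets themselves are never answered.
    $IPT -A KNOCK -p tcp -m multiport --dports 123,1338 -j DROP
    $IPT -A KNOCK -p udp --dport 1175 -j DROP
    # Sources that completed the sequence may open the protected port.
    $IPT -A KNOCK -p tcp --dport "$OPEN_PORT" -m set --match-set knock_open src -j ACCEPT
    # Route all new connections through the chain (idempotent on re-run).
    $IPT -D INPUT -m conntrack --ctstate NEW -j KNOCK 2>/dev/null || true
    $IPT -A INPUT -m conntrack --ctstate NEW -j KNOCK
}

case "${1:-}" in
    apply) knock_setup ;;
    show)  IPSET="echo ipset"; IPT="echo iptables"; knock_setup ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

This only helps if the rest of INPUT does not accept the protected port on its own, and the usual ESTABLISHED,RELATED rule must exist so that the accepted connection keeps flowing after its first packet. Knocking from a client is then, for example, `nc -z host 123; nc -z host 1338; nc -u -z host 1175` in quick succession.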

  19. • Detect & block port scans
        – UDP/TCP port 0
        – Look for invalid TCP flags, e.g. FIN,URG,PSH (Xmas tree scan)
      • FWSnort can convert Snort rules to IPTables
        – Pick specific rules you understand
        – http://www.cipherdyne.org/fwsnort/
      • Beware of false positives!
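The two scan signatures on slide 19 turned into a self-expiring block, as an added example (my code, not the presenter's script): a TCP segment with exactly FIN, PSH and URG set (the Xmas tree probe) or anything addressed to TCP or UDP port 0 puts the source into a set and drops it. The 600-second timeout is my choice, and it is the practical answer to the slide's false-positive warning: a mis-fired match costs ten minutes, not a permanent entry. The NULL-scan rule (no flags at all) goes one step beyond the slide.

```sh
#!/bin/sh
# Added example (not the presenter's script). IPSET="echo ipset" and
# IPT="echo iptables" print the commands; real use needs root.
IPSET="${IPSET:-ipset}"
IPT="${IPT:-iptables}"
BAN_SECONDS="${BAN_SECONDS:-600}"    # assumed; bounds the cost of a false positive

scan_guard() {
    $IPSET -exist create scanners hash:ip timeout "$BAN_SECONDS"
    $IPT -N SCAN_GUARD 2>/dev/null || $IPT -F SCAN_GUARD
    # Xmas tree: of ALL flags, exactly FIN, PSH and URG are set (nmap -sX).
    $IPT -A SCAN_GUARD -p tcp --tcp-flags ALL FIN,PSH,URG -j SET --add-set scanners src
    # NULL scan: no flags set at all (nmap -sN); not on the slide, same idea.
    $IPT -A SCAN_GUARD -p tcp --tcp-flags ALL NONE -j SET --add-set scanners src
    # Port 0 is never a legitimate destination.
    $IPT -A SCAN_GUARD -p tcp --dport 0 -j SET --add-set scanners src
    $IPT -A SCAN_GUARD -p udp --dport 0 -j SET --add-set scanners src
    # SET is non-terminating: the drop must come after the add rules so the
    # triggering packet is dropped along with everything that follows.
    $IPT -A SCAN_GUARD -m set --match-set scanners src -j DROP
    # Put the chain first in INPUT so scanners are dropped before any ACCEPT.
    $IPT -D INPUT -j SCAN_GUARD 2>/dev/null || true
    $IPT -I INPUT 1 -j SCAN_GUARD
}

case "${1:-}" in
    apply) scan_guard ;;
    show)  IPSET="echo ipset"; IPT="echo iptables"; scan_guard ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Test it against yourself from another host with `nmap -sX` and watch `ipset list scanners`; keep the trigger rules narrow, since anything broader (a SYN-rate trigger, say) is exactly where the false positives the slide warns about come from.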

  20. • Be creative with targets
      • DNAT
        – Forward hostile hosts to a honeypot
      • REDIRECT
        – Redirect to a "Captive Portal" page until auth
        – Warn users (Don't be Comcast)
      • LIMIT
        – Rate limit new connections

  21. • Mark packets for use with iproute2
        – Route some users out a different connection
        – Use statistic for source-based routing
      • Throttle users with TC
        – Detect p2p or BitTorrent presence
          • Easy to find, hard to block
        – Throttle all non-HTTP(S) traffic to dial-up speed
        – Timeouts minimize false-positive impact
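The targets from slides 20 and 21 driven by set membership, as an added example (my code, not the presenter's script): DNAT of hostile hosts to a honeypot, REDIRECT of unauthenticated web clients to a captive portal, MARK plus an iproute2 rule to send one group out a second uplink, and LIMIT on new connections from a throttled group. Every address, port and table number is a made-up assumption, as are the set names; the honeypot, the portal listener (which would add a client to `authed` after login) and the second gateway are assumed to exist. The TC and `statistic` items on slide 21 are not shown.

```sh
#!/bin/sh
# Added example (not the presenter's script). IPSET="echo ipset",
# IPT="echo iptables" and IP="echo ip" print the commands; real use needs
# root on the router that forwards the traffic.
IPSET="${IPSET:-ipset}"
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
HONEYPOT="${HONEYPOT:-10.0.0.250}"            # assumed honeypot address
PORTAL_PORT="${PORTAL_PORT:-8080}"           # assumed captive-portal listener
ALT_TABLE="${ALT_TABLE:-100}"                # assumed second routing table
ALT_GATEWAY="${ALT_GATEWAY:-192.168.200.1}"  # assumed second uplink gateway

creative_targets() {
    $IPSET -exist create hostile hash:ip timeout 3600
    $IPSET -exist create authed hash:ip timeout 86400
    $IPSET -exist create alt_route hash:net
    $IPSET -exist create throttled hash:ip timeout 900

    # DNAT: whatever a hostile host connects to, it reaches the honeypot.
    $IPT -t nat -A PREROUTING -m set --match-set hostile src \
         -j DNAT --to-destination "$HONEYPOT"

    # REDIRECT: HTTP from a source not yet in "authed" lands on the portal.
    $IPT -t nat -A PREROUTING -p tcp --dport 80 -m set ! --match-set authed src \
         -j REDIRECT --to-ports "$PORTAL_PORT"

    # MARK + iproute2: members of alt_route are routed via a second table.
    $IPT -t mangle -A PREROUTING -m set --match-set alt_route src -j MARK --set-mark 2
    $IP rule add fwmark 2 table "$ALT_TABLE" 2>/dev/null || true
    $IP route replace default via "$ALT_GATEWAY" table "$ALT_TABLE"

    # LIMIT: throttled sources get 30 new connections per minute; the rest drop.
    $IPT -A FORWARD -m set --match-set throttled src -m conntrack --ctstate NEW \
         -m limit --limit 30/minute --limit-burst 30 -j ACCEPT
    $IPT -A FORWARD -m set --match-set throttled src -m conntrack --ctstate NEW -j DROP
}

case "${1:-}" in
    apply) creative_targets ;;
    show)  IPSET="echo ipset"; IPT="echo iptables"; IP="echo ip"; creative_targets ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

All four sets carry timeouts except `alt_route`, so a hostile, throttled or authenticated status lapses by itself; the portal's login handler only has to run `ipset add authed <client>` to lift the redirect for a day. Rules already in the nat table apply only to new connections, so a client mid-session keeps its existing redirect until that connection ends.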

  22. • Chris Cooper
        – Twitter: @CC_DKP
        – CCooper@QCColab.com
      • Slides & Scripts:
        – http://QCCoLab.com/ipset
