Dynamic Firewalls with IPSet - QC Co-Lab

Download PDF
19 downloads 166 Views 3MB Size Report
Comment
MikroTik. • Linux Based. • Cheap. • Feature Rich. • Rugged. • Advanced. IPTables ... Similar to fail2ban. –
Dynamic Firewalls with IPSet Chris Cooper

Slides & Scripts: http://QCCoLab.com/ipset

Where this all Started

MikroTik • • • •

Linux Based Cheap Feature Rich Rugged

• Advanced IPTables

MikroTik

IPSet • Address Lists for IPTables • IPSet project – http://ipset.netfilter.org/

• • • •

Patch for Kernel 2.4.36 Officially included in Kernel 2.6.39 Nomatch & TC support added in 3.7 Binary included in all major repos

A List of Things • IPSet can store many types of data – IP – Single IP addresses – Net – Variable length subnets (using CIDR) – Ports – Lump multiple service ports together – IP,Port – A specific port at a specific IP – IP,port,IP – A specific connection – IP,MAC – For your Layer 2 filtering needs – Set – Group sets together (Yo, dawg…)

Matching

• IPSet will match hosts inside networks • Nomatch can be used for exceptions

So What?

• IPSet Simplifies Rules • Creates objects to work with

Fail2Ban • Fail2Ban – Bans IP’s that cause trouble – http://www.fail2ban.org/

• Modular Design • Watches logs for keys like failed logins • Can take a variety of actions – Default is IPTables rules to block – Creates a long ugly list of block rules

Fail2Ban • IPSet support added very recently • Not yet in any repos. Check GitHub – action.d/iptables-ipset-proto4.conf

• IPSet is IPv6 friendly – action.d/iptables-ipset-proto6.conf

vs

Oops. This refers to the version of IPSet used by fail2ban. Although IPSet does still support IPv6, fail2ban does not.

DenyHosts • DenyHosts – Similar to fail2ban – http://www.denyhosts.net/

• Centralized Server

DenyHosts • 12,000 IPTables rules is not practical – Adds ~5ms latency to every connection

• Uses hosts.deny – Requires tcpwrapper – Stock Apache & OpenSSH not supported – Only protects local services (not a firewall)

It’s also Faster! • IPSet’s Hash Tables are really fast

http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/

DenyHosts • DenyHosts supports external scripts • Add a quick script for setup

• PLUGIN_DENY

PLUGIN_PURGE

• Just called for local trips (not database)

DenyHosts • Finally, add a script to cron • Loads central databse entries • Swap used for no interruption

What Happened to Dynamic?

• IPSet supports timeouts – Create rules that automatically expire

• Iptables rules can add entries to a set – Create your own IPS systems inside netfilter

Stop Brute Force Attempts

• Identify 3 SSH connections in 60 seconds • Block the IP for 15 minutes

Port Knocking

• • • •

Hit TCP 123 Within 5 seconds hit TCP 1338 Within 5 seconds hit UDP 1175 Open access for 5 minutes

More Ideas • Detect & Block Port Scans – UDP/TCP Port 0 – Look for invalid TCP Flags • FIN,URG,PSH – Xmas Tree Scan

• FWSnort can convert Snort to IPTables – Pick specific rules you understand – http://www.cipherdyne.org/fwsnort/

• Beware of false positives!

You can do more than DROP • Be creative with targets • DNAT – Forward hostile hosts to a honeypot

• REDIRECT – Redirect to a “Captive Portal” page until auth – Warn users (Don’t be Comcast)

• LIMIT – Rate limit new connections

You can do more than DROP • Mark packets for use with iproute2 – Route some users out a different connection – Use statistic for source-based routing

• Throttle users with TC – Detect p2p or bittorrent presence • Easy to find, Hard to block

– Throttle all non-HTTP(s) traffic to dial-up – Timeouts minimize false-positive impact

Questions? • Chris Cooper – Twitter: @CC_DKP – [email protected]

• Slides & Scripts: – http://QCCoLab.com/ipset