Dynamic Firewalls with IPSet
Chris Cooper
Slides & Scripts: http://QCCoLab.com/ipset
Where this all Started
MikroTik
• Linux Based
• Cheap
• Feature Rich
• Rugged
• Advanced IPTables
IPSet
• Address Lists for IPTables
• IPSet project – http://ipset.netfilter.org/
• Patch for Kernel 2.4.36
• Officially included in Kernel 2.6.39
• Nomatch & TC support added in 3.7
• Binary included in all major repos
A List of Things
• IPSet can store many types of data
– IP – Single IP addresses
– Net – Variable length subnets (using CIDR)
– Ports – Lump multiple service ports together
– IP,Port – A specific port at a specific IP
– IP,Port,IP – A specific connection
– IP,MAC – For your Layer 2 filtering needs
– Set – Group sets together (Yo, dawg…)
Matching
• IPSet will match hosts inside networks
• Nomatch can be used for exceptions

So What?
• IPSet Simplifies Rules
• Creates objects to work with
Fail2Ban
• Fail2Ban – Bans IPs that cause trouble
– http://www.fail2ban.org/
• Modular Design
• Watches logs for keys like failed logins
• Can take a variety of actions
– Default is IPTables rules to block
– Creates a long ugly list of block rules
Fail2Ban
• IPSet support added very recently
• Not yet in any repos. Check GitHub
– action.d/iptables-ipset-proto4.conf
• IPSet is IPv6 friendly
– action.d/iptables-ipset-proto6.conf

Oops. The “proto6” in that file name refers to the IPSet protocol version fail2ban talks to, not to IPv6. IPSet itself does support IPv6, but fail2ban does not.
DenyHosts
• DenyHosts – Similar to fail2ban
– http://www.denyhosts.net/
• Centralized Server
• Uses hosts.deny
– Requires tcpwrapper
– Stock Apache & OpenSSH not supported
– Only protects local services (not a firewall)

DenyHosts
• 12,000 IPTables rules is not practical
– Adds ~5ms latency to every connection

It’s also Faster!
• IPSet’s Hash Tables are really fast
– http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/
DenyHosts
• DenyHosts supports external scripts
• Add a quick script for setup
– PLUGIN_DENY
– PLUGIN_PURGE
• Only called for local trips (not for central database entries)

DenyHosts
• Finally, add a script to cron
• Loads central database entries
• Swap used for no interruption
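The two DenyHosts slides above describe the plugin hooks and the cron reload but show no script. The following is an added example, not the deck's own script from QCCoLab.com. It assumes that DenyHosts passes the blocked or released address as the single argument to the PLUGIN_DENY and PLUGIN_PURGE scripts, that the entries DenyHosts writes (local and synced) sit in hosts.deny as "service: address" lines, and that the set is called denyhosts; the hosts.deny sample is constructed. DRY_RUN=1 (the default) prints each ipset command instead of executing it, so the logic can be reviewed on a box without ipset or root.

```shell
#!/bin/sh
# Added example (not the deck's script): DenyHosts hooks feeding an ipset.
# Assumed interface: DenyHosts calls PLUGIN_DENY / PLUGIN_PURGE with the
# address as $1. DRY_RUN=1 (default) prints commands instead of running them.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

SETNAME=denyhosts
HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}

# PLUGIN_DENY: a host DenyHosts just blocked locally.
deny_plugin()  { run ipset add "$SETNAME" "$1" -exist; }
# PLUGIN_PURGE: a host DenyHosts just released.
purge_plugin() { run ipset del "$SETNAME" "$1" -exist; }

# Pull IPv4 addresses out of hosts.deny text on stdin, skipping comment
# lines and wildcards such as "ALL: PARANOID"; duplicates are collapsed.
extract_denied_ips() {
    awk -F': *' '/^[^#]/ && NF == 2 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' |
        awk '!seen[$0]++'
}

# Cron job: rebuild the set from hosts.deny (the plugins never fire for
# entries that arrived from the central database) and swap it into place,
# so the live set is replaced atomically and is never empty in between.
reload_from_hosts_deny() {
    run ipset create "$SETNAME" hash:ip -exist
    run ipset create "${SETNAME}_new" hash:ip -exist
    run ipset flush "${SETNAME}_new"
    extract_denied_ips < "$1" | while read -r ip; do
        run ipset add "${SETNAME}_new" "$ip" -exist
    done
    run ipset swap "${SETNAME}_new" "$SETNAME"
    run ipset destroy "${SETNAME}_new"
}

# Constructed sample of what DenyHosts writes (not real data).
SAMPLE_HOSTS_DENY='# DenyHosts: Mon Jan  6 10:00:00 2014 | sshd: 203.0.113.7
sshd: 203.0.113.7
ALL: 198.51.100.23
ALL: PARANOID
sshd: 203.0.113.7'

# Install once and point PLUGIN_DENY at "... deny", PLUGIN_PURGE at
# "... purge"; run "... reload" from cron.
case "${1:-}" in
    deny)   deny_plugin "$2" ;;
    purge)  purge_plugin "$2" ;;
    reload) reload_from_hosts_deny "$HOSTS_DENY" ;;
    demo)   printf '%s\n' "$SAMPLE_HOSTS_DENY" | extract_denied_ips ;;
esac
```

Because swap exchanges the two sets in one kernel operation, the iptables rule that references the denyhosts set keeps matching throughout the reload; only the leftover set (now holding the old entries) is destroyed afterwards.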
What Happened to Dynamic?
• IPSet supports timeouts
– Create rules that automatically expire
• IPTables rules can add entries to a set
– Create your own IPS system inside netfilter

Stop Brute Force Attempts
• Identify 3 SSH connections in 60 seconds
• Block the IP for 15 minutes
Port Knocking
• Hit TCP 123
• Within 5 seconds hit TCP 1338
• Within 5 seconds hit UDP 1175
• Open access for 5 minutes
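The knock sequence above maps onto a staircase of three sets with short timeouts, with no daemon and no log parsing. This is an added example, not the deck's script: the set and chain names and the protected service (SSH on port 22) are assumptions, and DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the deck's script): port knocking as a staircase of
# ipset sets. Set/chain names and the protected port are assumptions.
# DRY_RUN=1 (default) prints each command instead of running it.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

STEP_TIMEOUT=5     # seconds allowed between knocks
OPEN_TIMEOUT=300   # 5 minutes of access after the full sequence
PROTECTED_PORT=22

setup_port_knocking() {
    # Each stage is a set whose entries expire on their own, so a knocker
    # who stalls between steps is silently back at the start.
    run ipset create knock1 hash:ip timeout "$STEP_TIMEOUT" -exist
    run ipset create knock2 hash:ip timeout "$STEP_TIMEOUT" -exist
    run ipset create knock_open hash:ip timeout "$OPEN_TIMEOUT" -exist

    run iptables -N KNOCK
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -j KNOCK

    # Hosts that completed the sequence may open the protected port for
    # OPEN_TIMEOUT seconds; established sessions outlive the entry.
    run iptables -A KNOCK -p tcp --dport "$PROTECTED_PORT" -m set --match-set knock_open src -j ACCEPT

    # Stage 3: UDP 1175 from a host in knock2 opens the door.
    run iptables -A KNOCK -p udp --dport 1175 -m set --match-set knock2 src -j SET --add-set knock_open src
    # Stage 2: TCP 1338 from a host in knock1 advances it to knock2.
    run iptables -A KNOCK -p tcp --dport 1338 -m set --match-set knock1 src -j SET --add-set knock2 src
    # Stage 1: TCP 123 from anyone starts the sequence.
    run iptables -A KNOCK -p tcp --dport 123 -j SET --add-set knock1 src

    # Each stage matches a different port, so one packet advances at most
    # one step and an out-of-order knock does nothing. SET is not a
    # terminating target, so knock packets fall through to these drops and
    # the knock ports themselves stay closed.
    run iptables -A KNOCK -p tcp -m multiport --dports 123,1338 -j DROP
    run iptables -A KNOCK -p udp --dport 1175 -j DROP
    run iptables -A KNOCK -p tcp --dport "$PROTECTED_PORT" -j DROP
}

setup_port_knocking
```

Run with DRY_RUN=0 on the gateway to apply it; the default dry run prints the rule set for review first.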
More Ideas
• Detect & Block Port Scans
– UDP/TCP Port 0
– Look for invalid TCP Flags
  • FIN,URG,PSH – Xmas Tree Scan
• FWSnort can convert Snort to IPTables
– Pick specific rules you understand
– http://www.cipherdyne.org/fwsnort/
• Beware of false positives!
You can do more than DROP
• Be creative with targets
• DNAT
– Forward hostile hosts to a honeypot
• REDIRECT
– Redirect to a “Captive Portal” page until auth
– Warn users (Don’t be Comcast)
• LIMIT
– Rate limit new connections

You can do more than DROP
• Mark packets for use with iproute2
– Route some users out a different connection
– Use statistic for source-based routing
• Throttle users with TC
– Detect p2p or bittorrent presence
  • Easy to find, Hard to block
– Throttle all non-HTTP(s) traffic to dial-up
– Timeouts minimize false-positive impact
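The port-scan tell-tales from More Ideas and the DNAT, REDIRECT, LIMIT and MARK targets from the two slides above fit together on one gateway: detection rules feed sets, and the sets pick the target. The script below is an added example, not the deck's script. The honeypot address, captive-portal port, interface names, second-uplink gateway, routing table number and fwmark are constructed placeholders, and DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the deck's script): set-driven alternatives to DROP.
# Every address, interface, port, table and mark below is a placeholder.
# DRY_RUN=1 (default) prints each command instead of running it.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

LAN_IF=eth1
ALT_UPLINK_IF=eth2
ALT_GATEWAY=198.51.100.1   # placeholder next hop on the second uplink
HONEYPOT=192.0.2.10        # placeholder honeypot address
PORTAL_PORT=8080           # placeholder captive-portal listener on this box
ALT_TABLE=100
ALT_MARK=0x64

setup_sets() {
    # Timeouts keep a false positive from being permanent.
    run ipset create hostile hash:ip timeout 3600 -exist     # scanners, 1 h
    run ipset create authed hash:ip timeout 28800 -exist     # portal logins, 8 h
    run ipset create throttled hash:ip timeout 600 -exist    # heavy users, 10 min
}

# Port-scan tell-tales from the deck put the source into "hostile":
# port 0 and the Xmas-tree flag combination (FIN,PSH,URG and nothing else).
setup_scan_detection() {
    run iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j SET --add-set hostile src
    run iptables -t mangle -A PREROUTING -p tcp --dport 0 -j SET --add-set hostile src
    run iptables -t mangle -A PREROUTING -p udp --dport 0 -j SET --add-set hostile src
}

setup_targets() {
    # DNAT: hostile sources are steered to the honeypot instead of real hosts
    # (mangle PREROUTING runs first, so the scan packet itself is redirected).
    run iptables -t nat -A PREROUTING -m set --match-set hostile src -j DNAT --to-destination "$HONEYPOT"
    # REDIRECT: LAN clients not yet in "authed" get the captive portal for
    # HTTP; the portal adds a client to the set when it authenticates.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -m set ! --match-set authed src -j REDIRECT --to-ports "$PORTAL_PORT"
    # LIMIT: throttled sources share a budget of new connections. (For a
    # per-source budget use -m hashlimit --hashlimit-mode srcip instead.)
    run iptables -A FORWARD -m set --match-set throttled src -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT
    run iptables -A FORWARD -m set --match-set throttled src -m conntrack --ctstate NEW -j DROP
    # MARK + iproute2: throttled sources also leave via the second uplink.
    run iptables -t mangle -A PREROUTING -m set --match-set throttled src -j MARK --set-mark "$ALT_MARK"
    run ip route add default via "$ALT_GATEWAY" dev "$ALT_UPLINK_IF" table "$ALT_TABLE"
    run ip rule add fwmark "$ALT_MARK" lookup "$ALT_TABLE"
}

setup_sets
setup_scan_detection
setup_targets
```

The same fwmark is what a tc "fw" filter keys on, so the dial-up-speed class for throttled users can reuse it instead of a second classifier; adding a host to the throttled set then changes both its route and its bandwidth class until the entry times out.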
Questions?
• Chris Cooper
– Twitter: @CC_DKP
– [email protected]
• Slides & Scripts:
– http://QCCoLab.com/ipset