Dynamic Firewalls with IPSet
Chris Cooper

Slides & Scripts: http://QCCoLab.com/ipset

Where this all Started

MikroTik

• Linux Based

• Cheap

• Feature Rich

• Rugged

• Advanced

IPTables

MikroTik

IPSet

• Address Lists for IPTables

• IPSet project

– http://ipset.netfilter.org/

• Patch for Kernel 2.4.36

• Officially included in Kernel 2.6.39

• Nomatch & TC support added in 3.7

• Binary included in all major repos

A List of Things

• IPSet can store many types of data

– IP – Single IP addresses

– Net – Variable length subnets (using CIDR)

– Ports – Lump multiple service ports together

– IP,Port – A specific port at a specific IP

– IP,port,IP – A specific connection

– IP,MAC – For your Layer 2 filtering needs

– Set – Group sets together (Yo, dawg…)

Matching

• IPSet will match hosts inside networks

• Nomatch can be used for exceptions

So What?

• IPSet Simplifies Rules

• Creates objects to work with

Fail2Ban

• Fail2Ban – Bans IPs that cause trouble

– http://www.fail2ban.org/

• Modular Design

• Watches logs for keys like failed logins

• Can take a variety of actions

– Default is IPTables rules to block

– Creates a long ugly list of block rules

Fail2Ban

• IPSet support added very recently

• Not yet in any repos. Check GitHub

– action.d/iptables-ipset-proto4.conf

• IPSet is IPv6 friendly

– action.d/iptables-ipset-proto6.conf

vs

Oops. This refers to the version of IPSet used by fail2ban. Although IPSet does still support IPv6, fail2ban does not.

DenyHosts

• DenyHosts – Similar to fail2ban

– http://www.denyhosts.net/

• Centralized Server

DenyHosts

• 12,000 IPTables rules is not practical

– Adds ~5ms latency to every connection

• Uses hosts.deny

– Requires tcpwrapper

– Stock Apache & OpenSSH not supported

– Only protects local services (not a firewall)

It’s also Faster!

• IPSet’s Hash Tables are really fast

http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/

DenyHosts

• DenyHosts supports external scripts

• Add a quick script for setup

• PLUGIN_DENY PLUGIN_PURGE

• Just called for local trips (not database)

DenyHosts

• Finally, add a script to cron

• Loads central database entries

• Swap used for no interruption

What Happened to Dynamic?

• IPSet supports timeouts

– Create rules that automatically expire

• Iptables rules can add entries to a set

– Create your own IPS systems inside netfilter

Stop Brute Force Attempts

• Identify 3 SSH connections in 60 seconds

• Block the IP for 15 minutes

Port Knocking

• Hit TCP 123

• Within 5 seconds hit TCP 1338

• Within 5 seconds hit UDP 1175

• Open access for 5 minutes
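The two "dynamic" recipes above (the SSH brute-force block and the port-knocking sequence), written out as ipset and iptables commands. This is an added example, not one of the talk's scripts; the set names, the use of the xt_recent match for the 3-in-60-seconds count, the `--exist` timeout refresh and the dry-run wrapper are assumptions.

```sh
#!/bin/sh
# Added example (not from the talk's scripts): the brute-force block and the
# port-knocking sequence from the slides as ipset + iptables commands.
# Assumptions: set names, xt_recent for the 3-in-60s count, dry-run wrapper.
# RUN=echo (default) only prints the commands; run as root with RUN= (empty)
# and the ipset, xt_set and xt_recent modules available to apply them.
RUN="${RUN-echo}"

# Stop brute force: 3 NEW SSH connections within 60 s put the source into a
# hash:ip set whose entries expire after 900 s (15 min). The ban lives in the
# set, not in an ever-growing chain of per-IP rules.
ssh_bruteforce_rules() {
    $RUN ipset -exist create ssh_block hash:ip timeout 900
    # Already banned sources are dropped before anything is counted.
    $RUN iptables -A INPUT -p tcp --dport 22 -m set --match-set ssh_block src -j DROP
    # Record every new connection attempt from the source ...
    $RUN iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh --set
    # ... and on the third within 60 s add it to the ban set (--exist refreshes
    # the timeout). The tripping connection completes; the next one is dropped.
    $RUN iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh --rcheck --seconds 60 --hitcount 3 \
        -j SET --add-set ssh_block src --exist
}

# Port knocking: TCP 123, then TCP 1338 within 5 s, then UDP 1175 within 5 s
# opens SSH for 5 min. Each stage is a set with a 5 s timeout, so a knock only
# counts while the previous stage has not expired. The knock packets
# themselves are never accepted; they fall through to the default policy.
port_knock_rules() {
    $RUN ipset -exist create knock1 hash:ip timeout 5
    $RUN ipset -exist create knock2 hash:ip timeout 5
    $RUN ipset -exist create knock_open hash:ip timeout 300
    # Sources that completed the sequence get SSH until their entry expires.
    $RUN iptables -A INPUT -p tcp --dport 22 -m set --match-set knock_open src -j ACCEPT
    $RUN iptables -A INPUT -p tcp --dport 123 -j SET --add-set knock1 src --exist
    $RUN iptables -A INPUT -p tcp --dport 1338 -m set --match-set knock1 src \
        -j SET --add-set knock2 src --exist
    $RUN iptables -A INPUT -p udp --dport 1175 -m set --match-set knock2 src \
        -j SET --add-set knock_open src --exist
}

ssh_bruteforce_rules
port_knock_rules
```

Because every entry carries a timeout, a false positive costs a visitor at most 15 minutes, and a knock that stalls simply expires instead of leaving a half-open state behind.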

More Ideas

• Detect & Block Port Scans

– UDP/TCP Port 0

– Look for invalid TCP Flags

• FIN,URG,PSH – Xmas Tree Scan

• FWSnort can convert Snort to IPTables

– Pick specific rules you understand

– http://www.cipherdyne.org/fwsnort/

• Beware of false positives!

You can do more than DROP

• Be creative with targets

• DNAT

– Forward hostile hosts to a honeypot

• REDIRECT

– Redirect to a “Captive Portal” page until auth

– Warn users (Don’t be Comcast)

• LIMIT

– Rate limit new connections

You can do more than DROP

• Mark packets for use with iproute2

– Route some users out a different connection

– Use the statistic match for source-based routing

• Throttle users with TC

– Detect p2p or bittorrent presence

• Easy to find, Hard to block

– Throttle all non-HTTP(s) traffic to dial-up

– Timeouts minimize false-positive impact

Questions?

• Chris Cooper

– Twitter: @CC_DKP


• Slides & Scripts:

– http://QCCoLab.com/ipset