• Acknowledgments

  Page XV

• Foreword

  Page XVII

• + Introduction

  Page 1

  • + Why Detect Attacks with iptables?

    Page 2

    • What About Dedicated Network Intrusion Detection Systems?

      Page 3

    • Defense in Depth

      Page 4

  • Prerequisites

    Page 4

  • Technical References

    Page 5

  • About the Website

    Page 5

  • Chapter Summaries

    Page 6

• + 1: Care and Feeding of iptables

  Page 9

  • iptables

    Page 9

  • + Packet Filtering with iptables

    Page 10

    • Tables

      Page 11

    • Chains

      Page 11

    • Matches

      Page 12

    • Targets

      Page 12

  • Installing iptables

    Page 12

  • + Kernel Configuration

    Page 14

    • Essential Netfilter Compilation Options

      Page 15

    • Finishing the Kernel Configuration

      Page 16

    • Loadable Kernel Modules vs. Built-in Compilation and Security

      Page 16

  • Security and Minimal Compilation

    Page 17

  • Kernel Compilation and Installation

    Page 18

  • Installing the iptables Userland Binaries

    Page 19

  • + Default iptables Policy

    Page 20

    • Policy Requirements

      Page 20

    • iptables.sh Script Preamble

      Page 22

    • The INPUT Chain

      Page 22

    • The OUTPUT Chain

      Page 24

    • The FORWARD Chain

      Page 25

    • Network Address Translation

      Page 26

    • Activating the Policy

      Page 27

    • iptables-save and iptables-restore

      Page 27

    • Testing the Policy: TCP

      Page 29

    • Testing the Policy: UDP

      Page 31

    • Testing the Policy: ICMP

      Page 32

  • Concluding Thoughts

    Page 33

• + 2: Network Layer Attacks and Defense

  Page 35

  • + Logging Network Layer Headers with iptables

    Page 35

    • Logging the IP Header

      Page 36

  • Network Layer Attack Definitions

    Page 38

  • + Abusing the Network Layer

    Page 39

    • Nmap ICMP Ping

      Page 39

    • IP Spoofing

      Page 40

    • IP Fragmentation

      Page 41

    • Low TTL Values

      Page 42

    • The Smurf Attack

      Page 43

    • DDoS Attacks

      Page 44

    • Linux Kernel IGMP Attack

      Page 44

  • + Network Layer Responses

    Page 45

    • Network Layer Filtering Response

      Page 45

    • Network Layer Thresholding Response

      Page 45

    • Combining Responses Across Layers

      Page 46

• + 3: Transport Layer Attacks and Defense

  Page 49

  • + Logging Transport Layer Headers with iptables

    Page 50

    • Logging the TCP Header

      Page 50

    • Logging the UDP Header

      Page 52

  • Transport Layer Attack Definitions

    Page 52

  • + Abusing the Transport Layer

    Page 53

    • Port Scans

      Page 53

    • Port Sweeps

      Page 61

    • TCP Sequence Prediction Attacks

      Page 61

    • SYN Floods

      Page 62

  • + Transport Layer Responses

    Page 62

    • TCP Responses

      Page 62

    • UDP Responses

      Page 66

    • Firewall Rules and Router ACLs

      Page 67

• + 4: Application Layer Attacks and Defense

  Page 69

  • + Application Layer String Matching with iptables

    Page 70

    • Observing the String Match Extension in Action

      Page 70

    • Matching Non-Printable Application Layer Data

      Page 71

  • Application Layer Attack Definitions

    Page 72

  • + Abusing the Application Layer

    Page 73

    • Snort Signatures

      Page 74

    • Buffer Overflow Exploits

      Page 74

    • SQL Injection Attacks

      Page 76

    • Gray Matter Hacking

      Page 77

  • Encryption and Application Encodings

    Page 79

  • Application Layer Responses

    Page 80

• + 5: Introducing psad: The Port Scan Attack Detector

  Page 81

  • History

    Page 81

  • Why Analyze Firewall Logs?

    Page 82

  • psad Features

    Page 83

  • psad Installation

    Page 83

  • + psad Administration

    Page 85

    • Starting and Stopping psad

      Page 85

    • Daemon Process Uniqueness

      Page 86

    • iptables Policy Configuration

      Page 86

    • syslog Configuration

      Page 88

    • whois Client

      Page 89

  • + psad Configuration

    Page 90

    • /etc/psad/psad.conf

      Page 90

    • /etc/psad/auto_dl

      Page 96

    • /etc/psad/signatures

      Page 96

    • /etc/psad/snort_rule_dl

      Page 97

    • /etc/psad/ip_options

      Page 97

    • /etc/psad/pf.os

      Page 97

  • Concluding Thoughts

    Page 98

• + 6: psad Operations: Detecting Suspicious Traffic

  Page 99

  • + Port Scan Detection with psad

    Page 100

    • TCP connect() Scan

      Page 101

    • TCP SYN or Half-Open Scan

      Page 103

    • TCP FIN, XMAS, and NULL Scans

      Page 105

    • UDP Scan

      Page 106

  • + Alerts and Reporting with psad

    Page 108

    • psad Email Alerts

      Page 108

    • psad syslog Reporting

      Page 110

  • Concluding Thoughts

    Page 112

• + 7: Advanced psad Topics: From Signature Matching to OS Fingerprinting

  Page 113

  • + Attack Detection with Snort Rules

    Page 113

    • Detecting the ipEye Port Scanner

      Page 115

    • Detecting the LAND Attack

      Page 116

    • Detecting TCP Port 0 Traffic

      Page 116

    • Detecting Zero TTL Traffic

      Page 117

    • Detecting the Naptha Denial of Service Attack

      Page 117

    • Detecting Source Routing Attempts

      Page 118

    • Detecting Windows Messenger Pop-up Spam

      Page 118

  • psad Signature Updates

    Page 119

  • + OS Fingerprinting

    Page 120

    • Active OS Fingerprinting with Nmap

      Page 120

    • Passive OS Fingerprinting with p0f

      Page 121

  • + DShield Reporting

    Page 123

    • DShield Reporting Format

      Page 124

    • Sample DShield Report

      Page 124

  • Viewing psad Status Output

    Page 124

  • Forensics Mode

    Page 128

  • Verbose/Debug Mode

    Page 128

  • Concluding Thoughts

    Page 130

• + 8: Active Response with psad

  Page 131

  • Intrusion Prevention vs. Active Response

    Page 131

  • + Active Response Trade-offs

    Page 133

    • Classes of Attacks

      Page 133

    • False Positives

      Page 134

  • + Responding to Attacks with psad

    Page 134

    • Features

      Page 135

    • Configuration Variables

      Page 135

  • + Active Response Examples

    Page 137

    • Active Response Configuration Settings

      Page 138

    • SYN Scan Response

      Page 139

    • UDP Scan Response

      Page 140

    • Nmap Version Scan

      Page 141

    • FIN Scan Response

      Page 141

    • Maliciously Spoofing a Scan

      Page 142

  • + Integrating psad Active Response with Third-Party Tools

    Page 143

    • Command-Line Interface

      Page 143

    • Integrating with Swatch

      Page 145

    • Integrating with Custom Scripts

      Page 146

  • Concluding Thoughts

    Page 147

• + 9: Translating Snort Rules into iptables Rules

  Page 149

  • + Why Run fwsnort?

    Page 150

    • Defense in Depth

      Page 151

    • Target-Based Intrusion Detection and Network Layer Defragmentation

      Page 151

    • Lightweight Footprint

      Page 152

    • Inline Responses

      Page 152

  • + Signature Translation Examples

    Page 153

    • Nmap command attempt Signature

      Page 153

    • Bleeding Snort “Bancos Trojan” Signature

      Page 154

    • PGPNet connection attempt Signature

      Page 154

  • + The fwsnort Interpretation of Snort Rules

    Page 155

    • Translating the Snort Rule Header

      Page 155

    • Translating Snort Rule Options: iptables Packet Logging

      Page 157

    • Snort Options and iptables Packet Filtering

      Page 160

    • Unsupported Snort Rule Options

      Page 171

  • Concluding Thoughts

    Page 172

• + 10: Deploying fwsnort

  Page 173

  • Installing fwsnort

    Page 173

  • + Running fwsnort

    Page 175

    • Configuration File for fwsnort

      Page 177

    • Structure of fwsnort.sh

      Page 179

    • Command-Line Options for fwsnort

      Page 182

  • + Observing fwsnort in Action

    Page 184

    • Detecting the Trin00 DDoS Tool

      Page 184

    • Detecting Linux Shellcode Traffic

      Page 185

    • Detecting and Reacting to the Dumador Trojan

      Page 186

    • Detecting and Reacting to a DNS Cache-Poisoning Attack

      Page 188

  • Setting Up Whitelists and Blacklists

    Page 191

  • Concluding Thoughts

    Page 192

• + 11: Combining psad and fwsnort

  Page 193

  • + Tying fwsnort Detection to psad Operations

    Page 194

    • WEB-PHP Setup.php access Attack

      Page 194

  • + Revisiting Active Response

    Page 198

    • psad vs. fwsnort

      Page 198

    • Restricting psad Responses to Attacks Detected by fwsnort

      Page 199

    • Combining fwsnort and psad Responses

      Page 199

    • DROP vs. REJECT Targets

      Page 201

  • + Thwarting Metasploit Updates

    Page 204

    • Metasploit Update Feature

      Page 204

    • Signature Development

      Page 206

    • Busting Metasploit Updates with fwsnort and psad

      Page 208

  • Concluding Thoughts

    Page 212

• + 12: Port Knocking vs. Single Packet Authorization

  Page 213

  • Reducing the Attack Surface

    Page 213

  • + The Zero-Day Attack Problem

    Page 214

    • Zero-Day Attack Discovery

      Page 215

    • Implications for Signature-Based Intrusion Detection

      Page 215

    • Defense in Depth

      Page 216

  • + Port Knocking

    Page 217

    • Thwarting Nmap and the Target Identification Phase

      Page 218

    • Shared Port-Knocking Sequences

      Page 218

    • Encrypted Port-Knocking Sequences

      Page 221

    • Architectural Limitations of Port Knocking

      Page 223

  • + Single Packet Authorization

    Page 226

    • Addressing Limitations of Port Knocking

      Page 227

    • Architectural Limitations of SPA

      Page 228

  • Security Through Obscurity?

    Page 229

  • Concluding Thoughts

    Page 230

• + 13: Introducing fwknop

  Page 231

  • fwknop Installation

    Page 232

  • + fwknop Configuration

    Page 234

    • /etc/fwknop/fwknop.conf

      Page 234

    • /etc/fwknop/access.conf

      Page 237

    • Example /etc/fwknop/access.conf File

      Page 240

  • fwknop SPA Packet Format

    Page 241

  • + Deploying fwknop

    Page 243

    • SPA via Symmetric Encryption

      Page 244

    • SPA via Asymmetric Encryption

      Page 246

    • Detecting and Stopping a Replay Attack

      Page 249

    • Spoofing the SPA Packet Source Address

      Page 251

    • fwknop OpenSSH Integration Patch

      Page 252

    • SPA over Tor

      Page 254

  • Concluding Thoughts

    Page 255

• + 14: Visualizing iptables Logs

  Page 257

  • Seeing the Unusual

    Page 258

  • + Gnuplot

    Page 260

    • Gnuplot Graphing Directives

      Page 260

    • Combining psad and Gnuplot

      Page 261

  • AfterGlow

    Page 262

  • + iptables Attack Visualizations

    Page 263

    • Port Scans

      Page 264

    • Port Sweeps

      Page 267

    • Slammer Worm

      Page 270

    • Nachi Worm

      Page 272

    • Outbound Connections from Compromised Systems

      Page 273

  • Concluding Thoughts

    Page 277

• + A: Attack Spoofing

  Page 279

  • + Connection Tracking

    Page 280

    • Spoofing exploit.rules Traffic

      Page 282

    • Spoofed UDP Attacks

      Page 283

• B: A Complete fwsnort Script

  Page 285

• Index

  Page 291

• Updates

  Page 315

System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection systems (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack.

Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You'll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.

Concrete examples illustrate concepts such as firewall log analysis and policies, passive network authentication and authorization, exploit packet traces, Snort ruleset emulation, and more with coverage of these topics:

* Passive network authentication and OS fingerprinting
* iptables log analysis and policies
* Application layer attack detection with the iptables string match extension
* Building an iptables ruleset that emulates a Snort ruleset
* Port knocking vs. Single Packet Authorization (SPA)
* Tools for visualizing iptables logs

Perl and C code snippets offer practical examples that will help you to maximize your deployment of Linux firewalls. If you're responsible for keeping a network secure, you'll find Linux Firewalls invaluable in your attempt to understand attacks and use iptables—along with psad and fwsnort—to detect and even prevent compromises.