Imperial Library
Index
Linux Firewalls
ACKNOWLEDGMENTS
FOREWORD
INTRODUCTION
  • Why Detect Attacks with iptables?
  • What About Dedicated Network Intrusion Detection Systems?
  • Defense in Depth
  • Prerequisites
  • Technical References
  • About the Website
  • Chapter Summaries
1. CARE AND FEEDING OF IPTABLES
  • iptables
    • Packet Filtering with iptables
      • Tables
      • Chains
      • Matches
      • Targets
    • Installing iptables
      • Kernel Configuration
        • Essential Netfilter Compilation Options
          • Core Netfilter Configuration
          • IP: Netfilter Configuration
        • Finishing the Kernel Configuration
        • Loadable Kernel Modules vs. Built-in Compilation and Security
        • Security and Minimal Compilation
        • Kernel Compilation and Installation
      • Installing the iptables Userland Binaries
    • Default iptables Policy
      • Policy Requirements
      • iptables.sh Script Preamble
      • The INPUT Chain
      • The OUTPUT Chain
      • The FORWARD Chain
      • Network Address Translation
      • Activating the Policy
      • iptables-save and iptables-restore
      • Testing the Policy: TCP
      • Testing the Policy: UDP
      • Testing the Policy: ICMP
  • Concluding Thoughts
2. NETWORK LAYER ATTACKS AND DEFENSE
  • Logging Network Layer Headers with iptables
    • Logging the IP Header
    • Logging IP Options
    • Logging ICMP
  • Network Layer Attack Definitions
  • Abusing the Network Layer
    • Nmap ICMP Ping
    • IP Spoofing
    • IP Fragmentation
    • Low TTL Values
    • The Smurf Attack
    • DDoS Attacks
    • Linux Kernel IGMP Attack
  • Network Layer Responses
    • Network Layer Filtering Response
    • Network Layer Thresholding Response
    • Combining Responses Across Layers
3. TRANSPORT LAYER ATTACKS AND DEFENSE
  • Logging Transport Layer Headers with iptables
    • Logging the TCP Header
    • Logging the UDP Header
  • Transport Layer Attack Definitions
  • Abusing the Transport Layer
    • Port Scans
      • Matching Port Scans to Vulnerable Services
      • TCP Port Scan Techniques
      • TCP connect() Scans
      • TCP SYN or Half-Open Scans
      • TCP FIN, XMAS, and NULL Scans
      • TCP ACK Scans
      • TCP Idle Scans
      • UDP Scans
    • Port Sweeps
    • TCP Sequence Prediction Attacks
    • SYN Floods
  • Transport Layer Responses
    • TCP Responses
      • RST vs. RST/ACK
      • Intrusion Detection Systems and RST Generation
      • SYN Cookies
    • UDP Responses
    • Firewall Rules and Router ACLs
4. APPLICATION LAYER ATTACKS AND DEFENSE
  • Application Layer String Matching with iptables
    • Observing the String Match Extension in Action
    • Matching Non-Printable Application Layer Data
  • Application Layer Attack Definitions
  • Abusing the Application Layer
    • Snort Signatures
    • Buffer Overflow Exploits
    • SQL Injection Attacks
    • Gray Matter Hacking
      • Phishing
      • Backdoors and Keystroke Logging
  • Encryption and Application Encodings
  • Application Layer Responses
5. INTRODUCING PSAD: THE PORT SCAN ATTACK DETECTOR
  • History
  • Why Analyze Firewall Logs?
  • psad Features
  • psad Installation
  • psad Administration
    • Starting and Stopping psad
    • Daemon Process Uniqueness
    • iptables Policy Configuration
    • syslog Configuration
      • syslogd
      • syslog-ng
    • whois Client
  • psad Configuration
    • /etc/psad/psad.conf
      • EMAIL_ADDRESSES
      • DANGER_LEVEL{n}
      • HOME_NET
      • EXTERNAL_NET
      • SYSLOG_DAEMON
      • CHECK_INTERVAL
      • SCAN_TIMEOUT
      • ENABLE_PERSISTENCE
      • PORT_RANGE_SCAN_THRESHOLD
      • EMAIL_ALERT_DANGER_LEVEL
      • MIN_DANGER_LEVEL
      • SHOW_ALL_SIGNATURES
      • ALERT_ALL
      • SNORT_SID_STR
      • ENABLE_AUTO_IDS
      • IMPORT_OLD_SCANS
      • ENABLE_DSHIELD_ALERTS
      • IGNORE_PORTS
      • IGNORE_PROTOCOLS
      • IGNORE_LOG_PREFIXES
      • EMAIL_LIMIT
      • ALERTING_METHODS
      • FW_MSG_SEARCH
    • /etc/psad/auto_dl
    • /etc/psad/signatures
    • /etc/psad/snort_rule_dl
    • /etc/psad/ip_options
    • /etc/psad/pf.os
  • Concluding Thoughts
6. PSAD OPERATIONS: DETECTING SUSPICIOUS TRAFFIC
  • Port Scan Detection with psad
    • TCP connect() Scan
    • TCP SYN or Half-Open Scan
    • TCP FIN, XMAS, and NULL Scans
    • UDP Scan
  • Alerts and Reporting with psad
    • psad Email Alerts
      • Scan Danger Level, Ports, and Flags
      • Source and Destination IP Addresses
      • syslog Hostname, Time Interval, and Summary Information
      • whois Database Information
    • psad syslog Reporting
      • Informational Messages
      • Scan and Signature Match Messages
      • Auto-Response Messages
  • Concluding Thoughts
7. ADVANCED PSAD TOPICS: FROM SIGNATURE MATCHING TO OS FINGERPRINTING
  • Attack Detection with Snort Rules
    • Detecting the ipEye Port Scanner
    • Detecting the LAND Attack
    • Detecting TCP Port 0 Traffic
    • Detecting Zero TTL Traffic
    • Detecting the Naptha Denial of Service Attack
    • Detecting Source Routing Attempts
    • Detecting Windows Messenger Pop-up Spam
  • psad Signature Updates
  • OS Fingerprinting
    • Active OS Fingerprinting with Nmap
    • Passive OS Fingerprinting with p0f
      • Emulating p0f with psad
      • Decoding TCP Options from iptables Logs
  • DShield Reporting
    • DShield Reporting Format
    • Sample DShield Report
  • Viewing psad Status Output
  • Forensics Mode
  • Verbose/Debug Mode
  • Concluding Thoughts
8. ACTIVE RESPONSE WITH PSAD
  • Intrusion Prevention vs. Active Response
  • Active Response Trade-offs
    • Classes of Attacks
    • False Positives
  • Responding to Attacks with psad
    • Features
    • Configuration Variables
  • Active Response Examples
    • Active Response Configuration Settings
    • SYN Scan Response
    • UDP Scan Response
    • Nmap Version Scan
    • FIN Scan Response
    • Maliciously Spoofing a Scan
  • Integrating psad Active Response with Third-Party Tools
    • Command-Line Interface
      • Adding Blocking Rules
      • Removing Blocking Rules
      • Flushing All Blocking Rules
    • Integrating with Swatch
    • Integrating with Custom Scripts
  • Concluding Thoughts
9. TRANSLATING SNORT RULES INTO IPTABLES RULES
  • Why Run fwsnort?
    • Defense in Depth
    • Target-Based Intrusion Detection and Network Layer Defragmentation
    • Lightweight Footprint
    • Inline Responses
  • Signature Translation Examples
    • Nmap command attempt Signature
    • Bleeding Snort "Bancos Trojan" Signature
    • PGPNet connection attempt Signature
  • The fwsnort Interpretation of Snort Rules
    • Translating the Snort Rule Header
      • Snort Rule Header
      • Rule Actions and iptables Emulation
      • Snort Actions and Alerting
    • Translating Snort Rule Options: iptables Packet Logging
    • Snort Options and iptables Packet Filtering
      • content
      • uricontent
      • offset
      • depth
      • distance
      • within
      • flags
      • itype and icode
      • ttl
      • tos
      • ipopts
      • dsize
      • ip_proto
      • flow
      • replace
      • resp
    • Unsupported Snort Rule Options
  • Concluding Thoughts
10. DEPLOYING FWSNORT
  • Installing fwsnort
  • Running fwsnort
    • Configuration File for fwsnort
    • Structure of fwsnort.sh
      • TCP Connection States and fwsnort Chains
      • Signature Inspection and Log Generation
      • Activating the fwsnort Chains with Jump Rules
    • Command-Line Options for fwsnort
  • Observing fwsnort in Action
    • Detecting the Trin00 DDoS Tool
    • Detecting Linux Shellcode Traffic
    • Detecting and Reacting to the Dumador Trojan
    • Detecting and Reacting to a DNS Cache-Poisoning Attack
  • Setting Up Whitelists and Blacklists
  • Concluding Thoughts
11. COMBINING PSAD AND FWSNORT
  • Tying fwsnort Detection to psad Operations
    • WEB-PHP Setup.php access Attack
      • Detecting the Attack with fwsnort
      • Alerting with psad
        • TCP Flags Reporting
        • Application Layer Content
        • Snort Rule ID, Message, and Reference Information
  • Revisiting Active Response
    • psad vs. fwsnort
    • Restricting psad Responses to Attacks Detected by fwsnort
    • Combining fwsnort and psad Responses
    • DROP vs. REJECT Targets
      • Intercepting the Incoming RST
      • The NF_DROP Macro
  • Thwarting Metasploit Updates
    • Metasploit Update Feature
      • Metasploit 3.0 Updates
      • Metasploit 2.6 Updates
    • Signature Development
    • Busting Metasploit Updates with fwsnort and psad
  • Concluding Thoughts
12. PORT KNOCKING VS. SINGLE PACKET AUTHORIZATION
  • Reducing the Attack Surface
  • The Zero-Day Attack Problem
    • Zero-Day Attack Discovery
    • Implications for Signature-Based Intrusion Detection
    • Defense in Depth
  • Port Knocking
    • Thwarting Nmap and the Target Identification Phase
    • Shared Port-Knocking Sequences
    • Encrypted Port-Knocking Sequences
    • Architectural Limitations of Port Knocking
      • The Sequence Replay Problem
      • Minimal Data Transmission Rate
      • Knock Sequences and Port Scans
      • Knock Sequence Busting with Spoofed Packets
  • Single Packet Authorization
    • Addressing Limitations of Port Knocking
    • Architectural Limitations of SPA
      • Access Piggy-Backing via NAT Addresses
      • HTTP and Short-lived Sessions
  • Security Through Obscurity?
  • Concluding Thoughts
13. INTRODUCING FWKNOP
  • fwknop Installation
  • fwknop Configuration
    • /etc/fwknop/fwknop.conf
      • AUTH_MODE
      • PCAP_INTF
      • PCAP_FILTER
      • ENABLE_PCAP_PROMISC
      • FIREWALL_TYPE
      • PCAP_PKT_FILE
      • IPT_AUTO_CHAIN1
      • ENABLE_MD5_PERSISTENCE
      • MAX_SPA_PACKET_AGE
      • ENABLE_SPA_PACKET_AGING
      • REQUIRE_SOURCE_ADDRESS
      • EMAIL_ADDRESSES
      • GPG_DEFAULT_HOME_DIR
      • ENABLE_TCP_SERVER
      • TCPSERV_PORT
    • /etc/fwknop/access.conf
      • SOURCE
      • OPEN_PORTS
      • PERMIT_CLIENT_PORTS
      • ENABLE_CMD_EXEC
      • CMD_REGEX
      • DATA_COLLECT_MODE
      • REQUIRE_USERNAME
      • FW_ACCESS_TIMEOUT
      • KEY
      • GPG_DECRYPT_ID
      • GPG_DECRYPT_PW
      • GPG_REMOTE_ID
    • Example /etc/fwknop/access.conf File
  • fwknop SPA Packet Format
  • Deploying fwknop
    • SPA via Symmetric Encryption
    • SPA via Asymmetric Encryption
      • GnuPG Key Exchange for fwknop
      • Running fwknop with GnuPG Keys
    • Detecting and Stopping a Replay Attack
    • Spoofing the SPA Packet Source Address
    • fwknop OpenSSH Integration Patch
    • SPA over Tor
  • Concluding Thoughts
14. VISUALIZING IPTABLES LOGS
  • Seeing the Unusual
  • Gnuplot
    • Gnuplot Graphing Directives
    • Combining psad and Gnuplot
  • AfterGlow
  • iptables Attack Visualizations
    • Port Scans
    • Port Sweeps
    • Slammer Worm
    • Nachi Worm
    • Outbound Connections from Compromised Systems
  • Concluding Thoughts
A. ATTACK SPOOFING
  • Connection Tracking
  • Spoofing exploit.rules Traffic
  • Spoofed UDP Attacks
B. A COMPLETE FWSNORT SCRIPT
About the Author
COLOPHON
Chief Librarian: Las Zenow <zenow@riseup.net>
This is a mirror of the Tor onion service:
http://kx5thpx2olielkihfyo4jgjqfb7zx7wxr3sd4xzt26ochei4m6f7tayd.onion