Adaptive firewall

[VladSun]

Well, it's not a question, but a solution
My firewall

Code: Select all

#!/bin/bash
 
/sbin/modprobe ipt_recent ip_list_tot=1000
 
ipt="/usr/local/sbin/iptables"
ips="/usr/local/sbin/ipset"
 
for TABLE in filter nat mangle; do
    $ipt -F -t $TABLE
    $ipt -X -t $TABLE
    $ipt -Z -t $TABLE
done
 
$ips -F
$ips -X
 
if [ "$1" == "stop" ]
then
    echo
    echo "Stopping firewall..."
    echo
    exit
fi
 
# White IP list
$ips -N WL iphash
$ips -A WL 127.0.0.1
$ips -A WL 90.90.0.1
 
# White nets list
$ips -N WLN nethash
$ips -A WLN 90.91.0.0/24
 
### ADAPTIVE TOTAL DROP ###
$ipt -A INPUT -m recent --name banned-hosts --update --seconds 36000 -j DROP
 
$ipt -N BANNED
$ipt -A BANNED -m limit --limit 1/s --limit-burst 1 -j LOG
$ipt -A BANNED -m recent --name banned-hosts --set -j RETURN
 
$ipt -N ADAPT
$ipt -A ADAPT -m limit --limit 1/s --limit-burst 1 -j LOG
$ipt -A ADAPT -m recent --hitcount 2 --name watch-hosts --update --seconds 180 -j BANNED
$ipt -A ADAPT -m recent --name watch-hosts --set -j RETURN
 
### MALFORMED PACKETS ###
 
# Smurf attack
$ipt -A INPUT -p icmp -d 0.0.0.255/0.0.0.255 -j DROP
 
# Invalid tcp packets
$ipt -A INPUT -p tcp --tcp-option 128 -j DROP
$ipt -A INPUT -p tcp --tcp-option 64 -j DROP
 
# Malformed xmas packets
$ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
 
# Malformed null packets
$ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 
# New tcp connections must be SYN packets!
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 
# others
$ipt -A INPUT -m state --state INVALID -j DROP
 
# Local IP filter
$ipt -t mangle -A PREROUTING -i eth+ -s 172.16.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 172.16.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 192.168.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -s 192.168.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -s 10.0.0.0/8 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 10.0.0.0/8 -j DROP
$ipt -t mangle -A PREROUTING -i ! lo -s 127.0.0.0/8 -j DROP
 
# Block timestamp
$ipt -A INPUT -p icmp --icmp-type timestamp-request -j DROP
$ipt -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
 
# Always allow VPN users
$ipt -A INPUT -i ppp+ -j ACCEPT
$ipt -A OUTPUT -o ppp+ -j ACCEPT
 
# Always allow localhost
$ipt -A INPUT -i lo -j ACCEPT
 
# Port scan detection
$ipt -N PSD 
$ipt -A INPUT -m recent --name PSD --update --seconds 60 -j DROP
$ipt -A INPUT -m psd --psd-weight-threshold 10 --psd-delay-threshold 200 -j PSD
$ipt -A PSD -m set --set WL src -j RETURN
$ipt -A PSD -m recent --name PSD --set -j ADAPT
$ipt -A PSD -j DROP
 
# Syn-flood protection
$ipt -N syn-flood
$ipt -A INPUT -p tcp --syn -j syn-flood
$ipt -A syn-flood -m set --set WL src -j RETURN
$ipt -A syn-flood -m recent --name syn-flood --update --seconds 60 -j DROP
$ipt -A syn-flood -m hashlimit --hashlimit 1/s --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name syn-flood -j RETURN
$ipt -A syn-flood -m recent --name syn-flood --set -j ADAPT
$ipt -A syn-flood -j DROP
 
# Furtive port scanner
$ipt -N port-scan
$ipt -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
$ipt -A port-scan -m recent --name port-scan --update --seconds 60 -j DROP
$ipt -A port-scan -m hashlimit --hashlimit 1/s --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name port-scan -j RETURN
$ipt -A port-scan -m recent --name port-scan --set -j ADAPT
$ipt -A port-scan -j DROP
 
# Ping of death
$ipt -N PoD
$ipt -A INPUT -p icmp --icmp-type echo-request -j PoD
$ipt -A PoD -m set --set WL src -j RETURN
$ipt -A PoD -m set --set WLN src -m limit --limit 50/s --limit-burst 60 -j RETURN
$ipt -A PoD -m recent --name PoD --update --seconds 60 -j DROP
$ipt -A PoD -m length --length 128: -m hashlimit --hashlimit 1/s --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name PoD -j RETURN
$ipt -A PoD -m hashlimit --hashlimit 5/s --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name PoD -j RETURN
$ipt -A PoD -m recent --name PoD --set -j ADAPT
$ipt -A PoD -j DROP
 
# Mail protection 
$ipt -N MAIL
$ipt -A INPUT -p tcp --dport 25 --syn -j MAIL
$ipt -A INPUT -p tcp --dport 143 --syn -j MAIL
$ipt -A MAIL -m set --set WL src -j RETURN
$ipt -A MAIL -p tcp -m connlimit --connlimit-above 2 --connlimit-mask 32 -j REJECT
$ipt -A MAIL -m recent --hitcount 2 --name mail --update --seconds 60 -j DROP
$ipt -A MAIL -m recent --name mail --update --seconds 60 -j RETURN
$ipt -A MAIL -m recent --name mail --set -j ADAPT
 
# SSH bruteforce attack protection
$ipt -N SSH
$ipt -A INPUT -p tcp --dport 22 --syn -j SSH
$ipt -A SSH -m set --set WL src -j RETURN
$ipt -A SSH -p tcp -m recent --hitcount 2 --name SSH --update --seconds 60 -j DROP
$ipt -A SSH -p tcp -m recent --name SSH --update --seconds 60 -j RETURN
$ipt -A SSH -m recent --name SSH --set -j ADAPT
 
# FTP bruteforce attack protection
$ipt -N FTP
$ipt -A INPUT -p tcp --dport 21 --syn -j FTP
$ipt -A FTP -m set --set WL src -j RETURN
$ipt -A FTP -m set --set WLN src -j RETURN
$ipt -A FTP -p tcp -m recent --hitcount 2 --name FTP --update --seconds 60 -j DROP
$ipt -A FTP -p tcp -m recent --name FTP --update --seconds 60 -j RETURN
$ipt -A FTP -m recent --name FTP --set -j ADAPT

If you feel like it will lead to a DoS, change the target of this line:

Code: Select all

$ipt -A INPUT -m recent --name banned-hosts --update --seconds 36000 -j DROP

to (random or n-th match) + DROP

Also, for those who really hate to be probed - use TARPIT or MIRROR targets

[VladSun]

I think I should have written some explanations about it

We have several special user defined chains for discovering attacks:

• Port scan detection

• Syn-flood protection

• Ping of death

• Mail protection

• SSH bruteforce attack protection

• FTP bruteforce attack protection

Each of these chains defends the corresponding service (or the server itself) from being attacked.
Also, each of them has a jump-to-ADDAPT-chain rule which is reached when an attack to a particular service is performed several times in a defined (relatively short) period of time. The "execution" of this rule leads to dropping *all* of the packets sent by the attacking IP for a relatively long period of time (1 hour in my script). The timer for this period is reseted on every incoming packet with source address of the attacking IP. This way the attacker's packets can be rejected for a *much* longer time than the specified in the "### ADAPTIVE TOTAL DROP ###" rule.

[Ollie Saunders]

iptables confuses the crap out of me. I use firehol and find it very good.

[VladSun]

I love iptables

In fact, firehol is just a wrapper around iptables - it would be easy for you to write firewalls in plain iptables rules.
And I did stress on the adaptiveness of the firewall - that's the important one

[alex.barylski]

Is this for a production server?

My development server sits behind a NAT router so I don't really concern myself about outside attacks, only internal screw ups on my behalf.

I'm wondering though if my dedicated server could use this...if it doesn't already have a firewall -- I think it might though.

[VladSun]

Is this for a production server?

Yes.

My development server sits behind a NAT router so I don't really concern myself about outside attacks, only internal screw ups on my behalf.

Probably you don't need one unless you are doing some port-forwarding.

I'm wondering though if my dedicated server could use this...if it doesn't already have a firewall -- I think it might though.

Try it
From time to time you may wish run:

Code: Select all

iptables -nxvL

to see what's happening in the firewall.

[alex.barylski]

I'm not even remotely familiar with IP tables...everything above is just gibberish for the most part...your firewall certianly doesn' t have the easy feeling interface of ZoneAlarm, does it?

I'll re-read your explanation and then go over some articles and see if I can't understand it better and how everything fits togather.

p.s-I do use port forwarding but only for a few minutes a day to let people test my application then I close the ports.

[VladSun]

your firewall certianly doesn' t have the easy feeling interface of ZoneAlarm, does it?

Sounds like: "Wouldn't be nice to have a mouse-driven-only, no-keyboard-needed PHP visual editor."

[alex.barylski]

Or drop the mouse all togather and have an iris tracking device move the cursor to wherever my eyes are and blinking should click...instead of typing the deivce should just pick up brain signals and over time build an entire vocabularly of words I frequently use and automatically inject them based on heuristics and a artificial intelligence algorithm that keeps getting smarter.

Honestly I would love to get rid of the mouse...it slows me down so much in my daily bump and grind...mastering accelerator keys is nice but way to verbose. I've wondered if any kinf o iris tracker exists which I could install on the top of my monitor and move the cursor with my eyes. That would be sweet. If I ever went into computer science for my masters, that would be my thesis.

[rcain]

Hi VladSun

This is a really neat script - thanks - exactly what I have been after.

However, i dont appear to have ipset available on my machine - is there a way of running without it - it seems to be just making sure that kernel records of currently active ip's in memory are flushed, renamed, etc as part of the firewall - what would be the impact if i just comment out all references to ipset in your script and use the iptables parts only?

(i think to install ipset i would neet to rebuild my kernel, which i would rather avoid at this point in time - i have enough problems to contend with at present without compounding them).

If you are still around, or if anyone else has an idea, your help wuold be very much appreciated.

cheers

[Doug G]

Another 'thank you' for this posting, and for the detailed explanation.

[VladSun]

Hi VladSun

This is a really neat script - thanks - exactly what I have been after.

However, i dont appear to have ipset available on my machine - is there a way of running without it - it seems to be just making sure that kernel records of currently active ip's in memory are flushed, renamed, etc as part of the firewall - what would be the impact if i just comment out all references to ipset in your script and use the iptables parts only?

(i think to install ipset i would neet to rebuild my kernel, which i would rather avoid at this point in time - i have enough problems to contend with at present without compounding them).

If you are still around, or if anyone else has an idea, your help wuold be very much appreciated.

cheers

ipset is used only for creating "white" IP lists (i.e. IP addresses marked as "safe") - you can remove all references to ipset and this firewall will be still working. But you must be more careful when trying to connect through it, otherwise you may become marked as attacker (i.e. don't send wrong passwords to your SSH server).

PS: You can substitute the "ipset-lines" with several per-IP lines.

[VladSun]

Another 'thank you' for this posting, and for the detailed explanation.