Adaptive firewall

Whether you are using Linux on the desktop or as a server, it's still good that you're using Linux. Linux related questions go here.

Moderator: General Moderators

Post Reply
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Adaptive firewall

Post by VladSun »

Well, it's not a question, but a solution :)
My firewall :)

Code: Select all

#!/bin/bash
 
/sbin/modprobe ipt_recent ip_list_tot=1000
 
ipt="/usr/local/sbin/iptables"
ips="/usr/local/sbin/ipset"
 
for TABLE in filter nat mangle; do
    $ipt -F -t $TABLE
    $ipt -X -t $TABLE
    $ipt -Z -t $TABLE
done
 
$ips -F
$ips -X
 
if [ "$1" == "stop" ]
then
    echo
    echo "Stopping firewall..."
    echo
    exit
fi
 
# White IP list
$ips -N WL iphash
$ips -A WL 127.0.0.1
$ips -A WL 90.90.0.1
 
# White nets list
$ips -N WLN nethash
$ips -A WLN 90.91.0.0/24
 
### ADAPTIVE TOTAL DROP ###
$ipt -A INPUT -m recent --name banned-hosts --update --seconds 36000 -j DROP
 
$ipt -N BANNED
$ipt -A BANNED -m limit --limit 1/s --limit-burst 1 -j LOG
$ipt -A BANNED -m recent --name banned-hosts --set -j RETURN
 
$ipt -N ADAPT
$ipt -A ADAPT -m limit --limit 1/s --limit-burst 1 -j LOG
$ipt -A ADAPT -m recent --hitcount 2 --name watch-hosts --update --seconds 180 -j BANNED
$ipt -A ADAPT -m recent --name watch-hosts --set -j RETURN
 
### MALFORMED PACKETS ###
 
# Smurf attack
$ipt -A INPUT -p icmp -d 0.0.0.255/0.0.0.255 -j DROP
 
# Invalid tcp packets
$ipt -A INPUT -p tcp --tcp-option 128 -j DROP
$ipt -A INPUT -p tcp --tcp-option 64 -j DROP
 
# Malformed xmas packets
$ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
 
# Malformed null packets
$ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 
# New tcp connections must be SYN packets!
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 
# others
$ipt -A INPUT -m state --state INVALID -j DROP
 
# Local IP filter
$ipt -t mangle -A PREROUTING -i eth+ -s 172.16.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 172.16.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 192.168.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -s 192.168.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -s 10.0.0.0/8 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 10.0.0.0/8 -j DROP
$ipt -t mangle -A PREROUTING -i ! lo -s 127.0.0.0/8 -j DROP
 
# Block timestamp
$ipt -A INPUT -p icmp --icmp-type timestamp-request -j DROP
$ipt -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
 
# Always allow VPN users
$ipt -A INPUT -i ppp+ -j ACCEPT
$ipt -A OUTPUT -o ppp+ -j ACCEPT
 
# Always allow localhost
$ipt -A INPUT -i lo -j ACCEPT
 
# Port scan detection
$ipt -N PSD 
$ipt -A INPUT -m recent --name PSD --update --seconds 60 -j DROP
$ipt -A INPUT -m psd --psd-weight-threshold 10 --psd-delay-threshold 200 -j PSD
$ipt -A PSD -m set --set WL src -j RETURN
$ipt -A PSD -m recent --name PSD --set -j ADAPT
$ipt -A PSD -j DROP
 
# Syn-flood protection
$ipt -N syn-flood
$ipt -A INPUT -p tcp --syn -j syn-flood
$ipt -A syn-flood -m set --set WL src -j RETURN
$ipt -A syn-flood -m recent --name syn-flood --update --seconds 60 -j DROP
$ipt -A syn-flood -m hashlimit --hashlimit 1/s --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name syn-flood -j RETURN
$ipt -A syn-flood -m recent --name syn-flood --set -j ADAPT
$ipt -A syn-flood -j DROP
 
# Furtive port scanner
$ipt -N port-scan
$ipt -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
$ipt -A port-scan -m recent --name port-scan --update --seconds 60 -j DROP
$ipt -A port-scan -m hashlimit --hashlimit 1/s --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name port-scan -j RETURN
$ipt -A port-scan -m recent --name port-scan --set -j ADAPT
$ipt -A port-scan -j DROP
 
# Ping of death
$ipt -N PoD
$ipt -A INPUT -p icmp --icmp-type echo-request -j PoD
$ipt -A PoD -m set --set WL src -j RETURN
$ipt -A PoD -m set --set WLN src -m limit --limit 50/s --limit-burst 60 -j RETURN
$ipt -A PoD -m recent --name PoD --update --seconds 60 -j DROP
$ipt -A PoD -m length --length 128: -m hashlimit --hashlimit 1/s --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name PoD -j RETURN
$ipt -A PoD -m hashlimit --hashlimit 5/s --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name PoD -j RETURN
$ipt -A PoD -m recent --name PoD --set -j ADAPT
$ipt -A PoD -j DROP
 
# Mail protection 
$ipt -N MAIL
$ipt -A INPUT -p tcp --dport 25 --syn -j MAIL
$ipt -A INPUT -p tcp --dport 143 --syn -j MAIL
$ipt -A MAIL -m set --set WL src -j RETURN
$ipt -A MAIL -p tcp -m connlimit --connlimit-above 2 --connlimit-mask 32 -j REJECT
$ipt -A MAIL -m recent --hitcount 2 --name mail --update --seconds 60 -j DROP
$ipt -A MAIL -m recent --name mail --update --seconds 60 -j RETURN
$ipt -A MAIL -m recent --name mail --set -j ADAPT
 
# SSH bruteforce attack protection
$ipt -N SSH
$ipt -A INPUT -p tcp --dport 22 --syn -j SSH
$ipt -A SSH -m set --set WL src -j RETURN
$ipt -A SSH -p tcp -m recent --hitcount 2 --name SSH --update --seconds 60 -j DROP
$ipt -A SSH -p tcp -m recent --name SSH --update --seconds 60 -j RETURN
$ipt -A SSH -m recent --name SSH --set -j ADAPT
 
# FTP bruteforce attack protection
$ipt -N FTP
$ipt -A INPUT -p tcp --dport 21 --syn -j FTP
$ipt -A FTP -m set --set WL src -j RETURN
$ipt -A FTP -m set --set WLN src -j RETURN
$ipt -A FTP -p tcp -m recent --hitcount 2 --name FTP --update --seconds 60 -j DROP
$ipt -A FTP -p tcp -m recent --name FTP --update --seconds 60 -j RETURN
$ipt -A FTP -m recent --name FTP --set -j ADAPT
If you feel like it will lead to a DoS, change the target of this line:

Code: Select all

$ipt -A INPUT -m recent --name banned-hosts --update --seconds 36000 -j DROP
to (random or n-th match) + DROP

Also, for those who really hate to be probed - use TARPIT or MIRROR targets ;)
There are 10 types of people in this world, those who understand binary and those who don't
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Adaptive firewall

Post by VladSun »

I think I should have written some explanations about it ;)

We have several special user defined chains for discovering attacks:
  • Port scan detection
  • Syn-flood protection
  • Ping of death
  • Mail protection
  • SSH bruteforce attack protection
  • FTP bruteforce attack protection
Each of these chains defends the corresponding service (or the server itself) from being attacked.
Also, each of them has a jump-to-ADDAPT-chain rule which is reached when an attack to a particular service is performed several times in a defined (relatively short) period of time. The "execution" of this rule leads to dropping *all* of the packets sent by the attacking IP for a relatively long period of time (1 hour in my script). The timer for this period is reseted on every incoming packet with source address of the attacking IP. This way the attacker's packets can be rejected for a *much* longer time than the specified in the "### ADAPTIVE TOTAL DROP ###" rule.
Last edited by VladSun on Mon Jul 14, 2008 1:52 am, edited 1 time in total.
There are 10 types of people in this world, those who understand binary and those who don't
User avatar
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Re: Adaptive firewall

Post by Ollie Saunders »

iptables confuses the crap out of me. I use firehol and find it very good.
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Adaptive firewall

Post by VladSun »

:) I love iptables ;)

In fact, firehol is just a wrapper around iptables - it would be easy for you to write firewalls in plain iptables rules.
And I did stress on the adaptiveness of the firewall - that's the important one :)
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Adaptive firewall

Post by alex.barylski »

Is this for a production server?

My development server sits behind a NAT router so I don't really concern myself about outside attacks, only internal screw ups on my behalf. :P

I'm wondering though if my dedicated server could use this...if it doesn't already have a firewall -- I think it might though.
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Adaptive firewall

Post by VladSun »

Hockey wrote:Is this for a production server?
Yes.
Hockey wrote:My development server sits behind a NAT router so I don't really concern myself about outside attacks, only internal screw ups on my behalf. :P
Probably you don't need one unless you are doing some port-forwarding.
Hockey wrote:I'm wondering though if my dedicated server could use this...if it doesn't already have a firewall -- I think it might though.
Try it :)
From time to time you may wish run:

Code: Select all

iptables -nxvL
to see what's happening in the firewall.
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Adaptive firewall

Post by alex.barylski »

I'm not even remotely familiar with IP tables...everything above is just gibberish for the most part...your firewall certianly doesn' t have the easy feeling interface of ZoneAlarm, does it? :P

I'll re-read your explanation and then go over some articles and see if I can't understand it better and how everything fits togather.

p.s-I do use port forwarding but only for a few minutes a day to let people test my application then I close the ports. :P
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Adaptive firewall

Post by VladSun »

Hockey wrote:your firewall certianly doesn' t have the easy feeling interface of ZoneAlarm, does it?
:P
Sounds like: "Wouldn't be nice to have a mouse-driven-only, no-keyboard-needed PHP visual editor." ;)
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Adaptive firewall

Post by alex.barylski »

Or drop the mouse all togather and have an iris tracking device move the cursor to wherever my eyes are and blinking should click...instead of typing the deivce should just pick up brain signals and over time build an entire vocabularly of words I frequently use and automatically inject them based on heuristics and a artificial intelligence algorithm that keeps getting smarter. :P

Honestly I would love to get rid of the mouse...it slows me down so much in my daily bump and grind...mastering accelerator keys is nice but way to verbose. I've wondered if any kinf o iris tracker exists which I could install on the top of my monitor and move the cursor with my eyes. That would be sweet. If I ever went into computer science for my masters, that would be my thesis. :P
rcain
Forum Newbie
Posts: 1
Joined: Wed Aug 25, 2010 3:49 pm

Re: Adaptive firewall

Post by rcain »

Hi VladSun

This is a really neat script - thanks - exactly what I have been after.

However, i dont appear to have ipset available on my machine - is there a way of running without it - it seems to be just making sure that kernel records of currently active ip's in memory are flushed, renamed, etc as part of the firewall - what would be the impact if i just comment out all references to ipset in your script and use the iptables parts only?

(i think to install ipset i would neet to rebuild my kernel, which i would rather avoid at this point in time - i have enough problems to contend with at present without compounding them).

If you are still around, or if anyone else has an idea, your help wuold be very much appreciated.

cheers
Doug G
Forum Contributor
Posts: 282
Joined: Sun Sep 09, 2007 6:27 pm

Re: Adaptive firewall

Post by Doug G »

Another 'thank you' for this posting, and for the detailed explanation.
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Adaptive firewall

Post by VladSun »

rcain wrote:Hi VladSun

This is a really neat script - thanks - exactly what I have been after.

However, i dont appear to have ipset available on my machine - is there a way of running without it - it seems to be just making sure that kernel records of currently active ip's in memory are flushed, renamed, etc as part of the firewall - what would be the impact if i just comment out all references to ipset in your script and use the iptables parts only?

(i think to install ipset i would neet to rebuild my kernel, which i would rather avoid at this point in time - i have enough problems to contend with at present without compounding them).

If you are still around, or if anyone else has an idea, your help wuold be very much appreciated.

cheers
ipset is used only for creating "white" IP lists (i.e. IP addresses marked as "safe") - you can remove all references to ipset and this firewall will be still working. But you must be more careful when trying to connect through it, otherwise you may become marked as attacker ;) (i.e. don't send wrong passwords to your SSH server).

PS: You can substitute the "ipset-lines" with several per-IP lines.
Last edited by VladSun on Thu Aug 26, 2010 2:23 pm, edited 3 times in total.
There are 10 types of people in this world, those who understand binary and those who don't
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Adaptive firewall

Post by VladSun »

Doug G wrote:Another 'thank you' for this posting, and for the detailed explanation.
:drunk:
There are 10 types of people in this world, those who understand binary and those who don't
Post Reply