Linux Firewalls - Michael Rash
Table of Contents
ACKNOWLEDGMENTS
FOREWORD
INTRODUCTION
Why Detect Attacks with iptables?
What About Dedicated Network Intrusion Detection Systems?
Defense in Depth
Prerequisites
Technical References
About the Website
Chapter Summaries
1. CARE AND FEEDING OF IPTABLES
iptables
Packet Filtering with iptables
Tables
Chains
Matches
Targets
Installing iptables
Kernel Configuration
Essential Netfilter Compilation Options
Finishing the Kernel Configuration
Loadable Kernel Modules vs. Built-in Compilation and Security
Security and Minimal Compilation
Kernel Compilation and Installation
Installing the iptables Userland Binaries
Default iptables Policy
Policy Requirements
iptables.sh Script Preamble
The INPUT Chain
The OUTPUT Chain
The FORWARD Chain
Network Address Translation
Activating the Policy
iptables-save and iptables-restore
Testing the Policy: TCP
Testing the Policy: UDP
Testing the Policy: ICMP
Concluding Thoughts
2. NETWORK LAYER ATTACKS AND DEFENSE
Logging Network Layer Headers with iptables
Logging the IP Header
Network Layer Attack Definitions
Abusing the Network Layer
Nmap ICMP Ping
IP Spoofing
IP Fragmentation
Low TTL Values
The Smurf Attack
DDoS Attacks
Linux Kernel IGMP Attack
Network Layer Responses
Network Layer Filtering Response
Network Layer Thresholding Response
Combining Responses Across Layers
3. TRANSPORT LAYER ATTACKS AND DEFENSE
Logging Transport Layer Headers with iptables
Logging the TCP Header
Logging the UDP Header
Transport Layer Attack Definitions
Abusing the Transport Layer
Port Scans
Port Sweeps
TCP Sequence Prediction Attacks
SYN Floods
Transport Layer Responses
TCP Responses
UDP Responses
Firewall Rules and Router ACLs
4. APPLICATION LAYER ATTACKS AND DEFENSE
Application Layer String Matching with iptables
Observing the String Match Extension in Action
Matching Non-Printable Application Layer Data
Application Layer Attack Definitions
Abusing the Application Layer
Snort Signatures
Buffer Overflow Exploits
SQL Injection Attacks
Gray Matter Hacking
Encryption and Application Encodings
Application Layer Responses
5. INTRODUCING PSAD: THE PORT SCAN ATTACK DETECTOR
History
Why Analyze Firewall Logs?
psad Features
psad Installation
psad Administration
Starting and Stopping psad
Daemon Process Uniqueness
iptables Policy Configuration
syslog Configuration
whois Client
psad Configuration
/etc/psad/psad.conf
/etc/psad/auto_dl
/etc/psad/signatures
/etc/psad/snort_rule_dl
/etc/psad/ip_options
/etc/psad/pf.os
Concluding Thoughts
6. PSAD OPERATIONS: DETECTING SUSPICIOUS TRAFFIC
Port Scan Detection with psad
TCP connect() Scan
TCP SYN or Half-Open Scan
TCP FIN, XMAS, and NULL Scans
UDP Scan
Alerts and Reporting with psad
psad Email Alerts
psad syslog Reporting
Concluding Thoughts
7. ADVANCED PSAD TOPICS: FROM SIGNATURE MATCHING TO OS FINGERPRINTING
Attack Detection with Snort Rules
Detecting the ipEye Port Scanner
Detecting the LAND Attack
Detecting TCP Port 0 Traffic
Detecting Zero TTL Traffic
Detecting the Naptha Denial of Service Attack
Detecting Source Routing Attempts
Detecting Windows Messenger Pop-up Spam
psad Signature Updates
OS Fingerprinting
Active OS Fingerprinting with Nmap
Passive OS Fingerprinting with p0f
DShield Reporting
DShield Reporting Format
Sample DShield Report
Viewing psad Status Output
Forensics Mode
Verbose/Debug Mode
Concluding Thoughts
8. ACTIVE RESPONSE WITH PSAD
Intrusion Prevention vs. Active Response
Active Response Trade-offs
Classes of Attacks
False Positives
Responding to Attacks with psad
Features
Configuration Variables