Linux Firewalls - Michael Rash
Active Response Examples
Active Response Configuration Settings
SYN Scan Response
UDP Scan Response
Nmap Version Scan
FIN Scan Response
Maliciously Spoofing a Scan
Integrating psad Active Response with Third-Party Tools
Command-Line Interface
Integrating with Swatch
Integrating with Custom Scripts
Concluding Thoughts
9. TRANSLATING SNORT RULES INTO IPTABLES RULES
Why Run fwsnort?
Defense in Depth
Target-Based Intrusion Detection and Network Layer Defragmentation
Lightweight Footprint
Inline Responses
Signature Translation Examples
Nmap command attempt Signature
Bleeding Snort "Bancos Trojan" Signature
PGPNet connection attempt Signature
The fwsnort Interpretation of Snort Rules
Translating the Snort Rule Header
Translating Snort Rule Options: iptables Packet Logging
Snort Options and iptables Packet Filtering
Unsupported Snort Rule Options
Concluding Thoughts
10. DEPLOYING FWSNORT
Installing fwsnort
Running fwsnort
Configuration File for fwsnort
Structure of fwsnort.sh
Command-Line Options for fwsnort
Observing fwsnort in Action
Detecting the Trin00 DDoS Tool
Detecting Linux Shellcode Traffic
Detecting and Reacting to the Dumador Trojan
Detecting and Reacting to a DNS Cache-Poisoning Attack
Setting Up Whitelists and Blacklists
Concluding Thoughts
11. COMBINING PSAD AND FWSNORT
Tying fwsnort Detection to psad Operations
WEB-PHP Setup.php access Attack
Revisiting Active Response
psad vs. fwsnort
Restricting psad Responses to Attacks Detected by fwsnort
Combining fwsnort and psad Responses
DROP vs. REJECT Targets
Thwarting Metasploit Updates
Metasploit Update Feature
Signature Development
Busting Metasploit Updates with fwsnort and psad
Concluding Thoughts
12. PORT KNOCKING VS. SINGLE PACKET AUTHORIZATION
Reducing the Attack Surface
The Zero-Day Attack Problem
Zero-Day Attack Discovery
Implications for Signature-Based Intrusion Detection
Defense in Depth
Port Knocking
Thwarting Nmap and the Target Identification Phase
Shared Port-Knocking Sequences
Encrypted Port-Knocking Sequences
Architectural Limitations of Port Knocking
Single Packet Authorization
Addressing Limitations of Port Knocking
Architectural Limitations of SPA
Security Through Obscurity?
Concluding Thoughts
13. INTRODUCING FWKNOP
fwknop Installation
fwknop Configuration
/etc/fwknop/fwknop.conf
/etc/fwknop/access.conf
Example /etc/fwknop/access.conf File
fwknop SPA Packet Format
Deploying fwknop
SPA via Symmetric Encryption
SPA via Asymmetric Encryption
Detecting and Stopping a Replay Attack
Spoofing the SPA Packet Source Address
fwknop OpenSSH Integration Patch
SPA over Tor
Concluding Thoughts
14. VISUALIZING IPTABLES LOGS
Seeing the Unusual
Gnuplot
Gnuplot Graphing Directives
Combining psad and Gnuplot
AfterGlow
iptables Attack Visualizations
Port Scans
Port Sweeps
Slammer Worm
Nachi Worm
Outbound Connections from Compromised Systems
Concluding Thoughts
A. ATTACK SPOOFING
Connection Tracking
Spoofing exploit.rules Traffic
Spoofed UDP Attacks
B. A COMPLETE FWSNORT SCRIPT
Linux Firewalls
Michael Rash
Editor: William Pollock
Copyright © 2009
No Starch Press
* * *
LINUX FIREWALLS. Copyright © 2007 by Michael Rash.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
Printed on recycled paper in the United States of America
11 10 09 08 07 1 2 3 4 5 6 7 8 9
ISBN-10: 1-59327-141-7
ISBN-13: 978-1-59327-141-1
Publisher: William Pollock
Production Editor: Christina Samuell