Linux Firewalls - Michael Rash [84]
For reference, the default IPT_AUTO_CHAIN{n} variables in the /etc/psad/psad.conf file appear below:
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
* * *
1. As discussed in Chapter 3, iptables can send a reset packet in order to knock down a TCP connection through the use of the REJECT target, but psad does not support this in conjunction with instantiating a general DROP rule against an attacker.
2. The two iptables rules in this case are created through the use of the both directive in the corresponding IPT_AUTO_CHAIN variable (i.e., only a single IPT_AUTO_CHAIN variable is required to create the two rules).
Active Response Examples
In this section, we'll dive into a few juicy examples of using psad in active response mode, and we'll show how it detects and blocks an IP address that is consistently scanning a Linux system that has iptables facilities enabled. See the standard network diagram in Figure 8-1 for all active response examples in this section. As usual, the firewall runs the default iptables policy built by the iptablesfw script from "Default iptables Policy" on page 20.
Figure 8-1. Default network diagram
Active Response Configuration Settings
Given the highly configurable nature of psad, the active response examples in this section can be made rigorous only if we agree upon a specific set of values for the configuration of psad. Although not every configuration variable in /etc/psad/psad.conf is listed, the relevant active response and danger level variables are as follows. (More detailed explanations of some of these variables can be found in Chapter 5, and a complete psad.conf file can be downloaded from http://www.cipherdyne.org/linuxfirewalls.)
DANGER_LEVEL1 5; ### number of packets
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
PORT_RANGE_SCAN_THRESHOLD 1;
ENABLE_PERSISTENCE Y; ### do not allow a scan to time out
CHECK_INTERVAL 5; ### seconds
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 3;
AUTO_BLOCK_TIMEOUT 3600; ### seconds
ENABLE_AUTO_IDS_REGEX N;
AUTO_BLOCK_REGEX ESTABLISHED; ### from fwsnort log prefixes
ENABLE_RENEW_BLOCK_EMAILS N; # disable emails for old blocking rules
IPTABLES_BLOCK_METHOD Y; # use iptables
FLUSH_IPT_AT_INIT Y; # flush old rules at psad initialization
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
There are several things to note about this active response configuration. First, psad will not permanently block an attacker, by virtue of the AUTO_BLOCK_TIMEOUT variable (it will only keep the blocking rules against an attacker in place for 3,600 seconds—one hour). Second, an attacker must reach at least DANGER_LEVEL3 before a blocking rule is instantiated; this implies that no action will be taken for scans that do not involve at least 150 packets, trip a signature with psad_dl set to 3 in /etc/psad/signatures, or have an automatically assigned danger level of at least 3 in /etc/psad/auto_dl. Finally, because ENABLE_AUTO_IDS_REGEX is set to N, psad will not require the filtering policy to generate any special logging prefixes in order for an IP address to be blocked.
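To make the IPT_AUTO_CHAIN format and the danger level thresholds above concrete, here is an added example (not psad's own code, which is written in Perl) that parses the configuration fragment, derives the packet-count danger level, and renders the iptables commands that each IPT_AUTO_CHAIN entry describes, including the two rules the both directive produces for the FORWARD chain. It assumes the seven fields are target, direction, table, chain to jump from, jump rule position, auto chain name, and rule position within the auto chain; the IP address is a constructed sample.

```python
import re

# Constructed psad.conf fragment; values copied from the configuration above.
PSAD_CONF = """
DANGER_LEVEL1 5;
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
AUTO_IDS_DANGER_LEVEL 3;
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
"""

def parse_conf(text):
    """Map 'KEY value;' lines to a dict of raw string values."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(.*?)\s*;", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def danger_level(conf, packets):
    """Highest DANGER_LEVELn whose packet threshold the scan has reached (0 if none)."""
    level = 0
    for n in range(1, 6):
        if packets >= int(conf[f"DANGER_LEVEL{n}"]):
            level = n
    return level

def block_commands(conf, ip):
    """iptables commands for every IPT_AUTO_CHAIN entry (field order is an assumption)."""
    cmds = []
    for key in sorted(k for k in conf if k.startswith("IPT_AUTO_CHAIN")):
        target, direction, table, chain, jump_pos, auto_chain, rule_pos = \
            [f.strip() for f in conf[key].split(",")]
        cmds.append(f"iptables -t {table} -N {auto_chain}")
        cmds.append(f"iptables -t {table} -I {chain} {jump_pos} -j {auto_chain}")
        # 'both' yields a source rule and a destination rule in the same auto chain.
        flags = ["-s", "-d"] if direction == "both" else ["-s" if direction == "src" else "-d"]
        for flag in flags:
            cmds.append(f"iptables -t {table} -I {auto_chain} {rule_pos} {flag} {ip} -j {target}")
    return cmds

def respond(conf, ip, packets):
    """Return the blocking commands only once AUTO_IDS_DANGER_LEVEL is reached."""
    if danger_level(conf, packets) < int(conf["AUTO_IDS_DANGER_LEVEL"]):
        return []
    return block_commands(conf, ip)
```

With the values above, 149 packets stay at danger level 2 and produce no rules, while 150 packets reach level 3 and yield ten commands (three for INPUT, three for OUTPUT, four for FORWARD).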
SYN Scan Response
We'll open our scan examples with a standard Nmap SYN scan from the attacker against the iptables firewall. Here, we'll let Nmap choose the set of ports to scan instead of manually specifying a port list or range:
[ext_scanner]# nmap -sS -P0 -n 71.157.X.X
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2007-03-05 15:33 EST
Interesting ports on 71.157.X.X
(The 1671 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
Nmap finished: 1 IP address