Linux Firewalls - Michael Rash [89]
# cat sshauth.pl
#!/usr/bin/perl -w
### perl modules
use IO::Socket;
use IO::Handle;
use strict;
#============== config ===============
my $auth_failed_threshold = 20;
my $auth_failed_regex =
'sshd.*Authentication\s*failure.*?((?:[0-2]?\d{1,2}\.){3}[0-2]?\d{1,2})';
my $sockfile = '/var/run/psad/auto_ipt.sock';
my $sleep_interval = 5; ### seconds
#============ end config =============
### cache previously seen IP addresses and associated failed login
### counts
my %ip_cache = ();
### open the psad domain socket for writing
### ❶
my $psad_sock = IO::Socket::UNIX->new($sockfile)
    or die "[*] Could not acquire psad domain ",
        "socket $sockfile: $!";
my $file = $ARGV[0] or die "$0 <logfile>";

### open the logfile
open F, $file or die "[*] Could not open $file: $!";

my $skip_first_loop = 0;
for (;;) {
    unless ($skip_first_loop) {
        seek F,0,2;  ### seek to the end of the file
        $skip_first_loop = 1;
    }
    my @messages = <F>;
    for my $msg (@messages) {
        if ($msg =~ m|$auth_failed_regex|) {
            $ip_cache{$1}++;
        }
    }
    for my $src (keys %ip_cache) {
        ### block the IP address if the threshold is exceeded
        ### ❷
        if ($ip_cache{$src} % $auth_failed_threshold == 0) {
            print $psad_sock "add $src\n";
        }
    }
    F->clearerr();  ### be ready for new data
    sleep $sleep_interval;
}
close F;
close $psad_sock;
exit 0;

The code in ❶ opens the domain socket on which psad listens for messages instructing it to add or remove blocking rules. The code in ❷ interfaces with the running psad daemon over the /var/run/psad/auto_ipt.sock domain socket. It writes the string add IP once an IP address has exceeded the threshold defined by the $auth_failed_threshold variable (set to 20, in this case). By running this script, any IP address that commits 20 authentication failures against the OpenSSH daemon will be blocked by psad, according to the values set in /etc/psad/psad.conf for the active response configuration variables.

* * *

[47] Some attacks against SSH, such as the CRC32 attack (CVE 2001-0144), are detectable in the clear even though SSH is an encrypted protocol. In general, however, it is not feasible for a cleartext IDS to make detailed inferences about the characteristics of an encrypted session.

Concluding Thoughts

This chapter has presented techniques for using psad to aggressively respond to malicious traffic. At several points, the arguments were tempered with recommendations for minimizing the potentially damaging effects of allowing any piece of software to respond to attacks, since doing so opens the door to false positives and even to the possibility that an attacker may attempt to turn an active response mechanism against the target.
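The per-source failure counting that sshauth.pl performs, reimplemented in Python as an added example (this is not code from the book or from the psad project). It uses the book's regular expression and socket path as given above; the sample syslog lines are constructed to match that pattern, the names FailedLoginTracker, PsadSocketNotifier and process_log are this example's own, and the socket type is assumed to be a stream socket, which is what IO::Socket::UNIX defaults to. A real deployment would need the pattern checked against the actual sshd message text logged on the host.

```python
"""Failed-login counting in the spirit of sshauth.pl (added example)."""
import re
import socket
from collections import defaultdict

# The pattern quoted from the book's sshauth.pl.  The capture group is the
# source IP address at the end of the sshd message.  Note that it is
# case-sensitive: a line must contain "Authentication failure" as written.
AUTH_FAILED_REGEX = re.compile(
    r'sshd.*Authentication\s*failure.*?((?:[0-2]?\d{1,2}\.){3}[0-2]?\d{1,2})'
)


class PsadSocketNotifier:
    """Writes 'add <ip>' lines to psad's auto_ipt.sock (path from the book).

    Assumes a SOCK_STREAM socket, the IO::Socket::UNIX default.  Not
    exercised by the offline run below, since it needs a running psad.
    """

    def __init__(self, sockfile='/var/run/psad/auto_ipt.sock'):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(sockfile)

    def __call__(self, command):
        self.sock.sendall(command.encode())


class FailedLoginTracker:
    """Counts sshd authentication failures per source IP and emits one
    'add <ip>' command when a source reaches the threshold."""

    def __init__(self, threshold=20, notify=None):
        self.threshold = threshold
        self.notify = notify if notify is not None else (lambda cmd: None)
        self.counts = defaultdict(int)   # failures seen per source IP
        self.blocked = set()             # sources already reported
        self.commands = []               # every command sent, in order

    def feed(self, line):
        """Process one log line; return the source IP if it matched."""
        m = AUTH_FAILED_REGEX.search(line)
        if m is None:
            return None
        src = m.group(1)
        self.counts[src] += 1
        # Report each source once when it reaches the threshold.  The book's
        # script tests "count % threshold == 0" on every pass of its loop,
        # which re-sends "add" every pass while the count sits on a multiple.
        if self.counts[src] >= self.threshold and src not in self.blocked:
            self.blocked.add(src)
            cmd = f"add {src}\n"
            self.commands.append(cmd)
            self.notify(cmd)
        return src


def process_log(lines, threshold=20, notify=None):
    """Run a batch of log lines through a tracker; return (counts, commands)."""
    tracker = FailedLoginTracker(threshold=threshold, notify=notify)
    for line in lines:
        tracker.feed(line)
    return dict(tracker.counts), tracker.commands


# Constructed sample syslog lines (not real logs), using RFC 5737
# documentation addresses as the sources.
SAMPLE_LINES = [
    "Jun  1 10:00:01 host sshd[2101]: Authentication failure for root from 192.0.2.10",
    "Jun  1 10:00:02 host sshd[2102]: Authentication failure for root from 192.0.2.10",
    "Jun  1 10:00:03 host sshd[2103]: Accepted publickey for alice from 198.51.100.7",
    "Jun  1 10:00:04 host sshd[2104]: Authentication failure for admin from 198.51.100.7",
    "Jun  1 10:00:05 host sshd[2105]: Authentication failure for root from 192.0.2.10",
]

if __name__ == "__main__":
    # Low threshold so the constructed sample trips it; prints "add 192.0.2.10".
    counts, commands = process_log(SAMPLE_LINES, threshold=3, notify=print)
    print(counts)  # {'192.0.2.10': 3, '198.51.100.7': 1}
```

Reporting a source once, rather than on every loop pass where the count is a multiple of the threshold, keeps the script from spamming the socket; how long the block then lasts is governed by psad's own active response timeout in /etc/psad/psad.conf, not by this script. To drive it from a live log, replace SAMPLE_LINES with lines read from the file in a loop that seeks to the end first, as the Perl version does.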
To combat these damaging effects, psad offers the ability to respond only to attacks that are delivered over established TCP connections; more on this topic will be presented in Chapter 11.

Chapter 9. TRANSLATING SNORT RULES INTO IPTABLES RULES

In this chapter we'll introduce fwsnort, or Firewall Snort[48] (see http://www.cipherdyne.org/fwsnort). This software is written in Perl and translates Snort rules into equivalent iptables rules. The fwsnort project utilizes the filtering and inspection capabilities of iptables—including heavy use of the iptables string match extension—in order to match Snort rules as closely as possible within an iptables ruleset. Although it is not always possible to cleanly translate many Snort rules, due to the complexity of the Snort rules language, fwsnort is nonetheless able to translate about 60 percent of all rules contained in Snort version 2.3.3.[49] Although fwsnort is not able to translate the complete Snort signature set into iptables rules, the rules it does produce are always deployed inline with network traffic. Snort is typically deployed in a passive stance and used to monitor a network for suspicious activity—it is not usually deployed inline, although it does offer this capability. Any policy