Fighting bad guys with an IPS from scratch

Transcription

1 Fighting bad guys with an IPS from scratch

2 Daniel Conde Rodríguez BS Computer Engineer PCAE - LFCS Webhosting Service Operations Team Coordinator Acens

3 WHO ARE BAD GUYS?

4 WHO ARE BAD GUYS? Dimitry (Moskva)

5 Script Malware Plugin Wordpress, App Mobile, FIFA 2018 Webservers, Mobiles, PC, IoT Internet Target

6 In common IP of the attacker Script Malware Plugin Wordpress, App Mobile, FIFA 2018 Webservers, Mobiles, PC, IoT Internet Target

7 TARGETS VPS, SERVERS, WEBSITES, CLOUD SERVICES A FW IS NOT ENOUGH

8 Lets s fight bad guys! How? Defense, defense, defense with overall security solutions.

9 + IPS (Intrusion Prevention System) + Opensource tools + Several defense layers An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations Events collected centrally using a security information and event management (SIEM) system Systems with response capabilities are typically referred to as an intrusion prevention system (IPS)

10 TRY TO BLOCK ATTACKS XSS, CSRF, CRAWLERS, BOTNETS, VULNERABILITY SCANNERS/PLUGINS, SQLi, COOKIE STEALING

11 LOGS [20/Jun/2018:01:03: ] "GET api/specific_prices/?display=full&filter%5bid_product%5d=%5b1344%5d

12 INITIAL SCENARIO Botnet performing a WPSCAN BOTNET BOTNET TARGET BOTNET

13 REQUEST FLOW BOTNET SERVER

14 TOOLS SNORT Alternatives: bro, suricata, etc.. IPSET IPTABLES IPTABLES WAF (modsecurity + owasp + comodo) GEOIP SCRIPTS (bash, python, perl, ruby, etc) ELK STACK

15 REQUEST FLOW BOTNET SERVER

16 SNORT - Snort is an open-source, free and lightweight NIDS to detect emerging threats - Linux / Windows - Thousand or rules updated by community - Snort vs Suricata vs Bro

17 SNORT configuration Pulledpork OinkMaster Snorby Base ELK Helper scripts that will automatically download the latest rules for you./pulledpork.pl -o /usr/local/etc/snort/rules/ -O u tar.gz GUI for rules and vulnerabilities

18 SNORT configuration

19 SNORT BOTNET (PORT MIRROR) HW IPS SNORT SERVER

20 IPSET - IP sets are a framework inside the Linux kernel (ipset utility) - Mass blocking IP addresses, networks, (TCP/UDP) port numbers, MAC IP / Ranges blocked - IPSET Solves IPTABLES limitations High number of rules: slow vs FAST Linear evaluation vs SIMPLE EVALUATION Change rules: slow/inefficient vs SIMPLE STORAGE METHOD - Lighting set matching and blocking speed

21 IPSET Commands ipset create blacklist hash:net hashsize 4096 maxelem ipset create whitelist hash:net hashsize 4096 maxelem ipset destroy blacklist ipset add blacklist Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp / /0 match-set whitelist src LOG_BLACKLIST tcp / /0 match-set blacklist src Chain LOG_BLACKLIST (1 references)

22 IPSET SHOW LIST ipset list blacklist Name: blacklist Type: hash:net Header: family inet hashsize maxelem timeout Size in memory: References: 1 Members: timeout 3478

23 IPSET BOTNET (PORT MIRROR) HW IPS SNORT IPSET

24 IPTABLES iptables -N LOG_BLACKLIST iptables -I LOG_BLACKLIST 1 -m limit --limit 30/hour --limit-burst 30 -j LOG --log-prefix "IPBlacklisted: " --loglevel 4 iptables -A LOG_BLACKLIST -j DROP Chain LOG_BLACKLIST (1 references) target prot opt source destination LOG all / /0 limit: avg 1/min burst 120 LOG flags 0 level 4 prefix `IPTables-Dropped: DROP all / /0 SCRIPTS > LOGS (var/log/iptables.log) Oct 7 10:00:00 server kernel: IPBlacklisted: IN=XXX OUT= MAC=xx:xx:xx SRC= DST=OUR_SERVER LEN=XX TOS=0x00 PREC=0x00 TTL=XX ID=XXXX DF PROTO=TCP SPT=XXX DPT=80

25 IPTABLES BOTNET (PORT MIRROR) SNORT HW IPSET IPTABLES IPS

26 MODSECURITY WAF Modsecurity is a web application firewall working in Layer 7. - Covers Most critical security risks to web applications - No code modification required - Easy to configure - Flexible Custom rules (OWASP, COMODO,ATOMIC)

27 MODSECURITY LOGS b61c-A-- [20/Jun/2018:21:07: ] b61c-B-- GET /app/wordpress/wp-config.php HTTP/1.1 Host: Connection: keep-alive Accept: image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5 User-Agent: Mozilla/5.0 (iphone; CPU iphone OS 11_4 like Mac OS X) AppleWebKit/ (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/ b61c-F-- HTTP/ Forbidden b61c-H-- Message: Access denied with code 403 (phase 1). Matched phrase SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [line "2"] [msg "IP block Country"] Action: Intercepted (phase 1) Producer: ModSecurity for Apache Server: Apache Engine-Mode: "ENABLED" 1 RULE 2 BLOCKING CONDITIONS (WPSCAN+GEOIP) TAGGED ATTACK EXEC() ACTION MODSEC SCRIPT BLOCKS IP IN IPSET

28 WAF BOTNET HW (PORT MIRROR) IPS SNORT IPSET IPTABLES WAF GEOIP BLOCK IP/RANGE/HOST

29 SCRIPTS MODSECURITY RULE SecGeoLookupDb /usr/share/geoip/geoip.dat SecRule URI "wp-config.php" chain,id:11111,initcol:ip=%{remote_addr},phase:1, exec:/path/to/your/script,deny,status:403,msg:'ip %{REMOTE_ADDR} block Country'" SecRule REMOTE_ADDR "chain, SecRule GEO:COUNTRY_CODE SN" MODSECURITY LOGS Message: Access denied with code 403 (phase 1). Matched phrase SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [msg "IP block Country "] #!/usr/bin/lua --ipaddress = m.getvar("remote_addr", "none"); function main() local remote_ip = m.getvar("remote_addr"); local handle = io.popen("ipset add blacklist remote_ip") file = io.open('/tmp/lua_output.txt','w') file:write(remote_ip) file:close() m.log(1, "LUA block IP exec!"); end TAGGED ATTACK EXEC() ACTION MODSEC SCRIPT BLOCKS IP IN IPSET

30 SCRIPTS BOTNET HW (PORT MIRROR) IPS SNORT IPSET IPTABLES WAF GEOIP LOGS BLOCK IP/RANGE/HOST SCRIPTS

31 ELK "ELK" is the acronym for three open source projects: Elasticsearch is a search and analytics engine. Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a "stash" like Elasticsearch. Kibana lets users visualize data with charts and graphs in Elasticsearch

32 ELK

33 ELK SNORT TOP ATTACKS 1 DAY SYN Port Scan BitTorrent Meta-Info Retrieving Wordpress wp-login.php Login Attempt Microsoft Windows RDP Server Mercury Mail IMAP Command Buffer Overflow Password Brute Force Windows SMB Remote Code Execution Vulnerability 7693 Possible HTTP DoS Attack with Invalid HTML Page Access 7460 SQL Injection - Exploit II 7219 Exim Buffer Overflow (CVE ) 6999 Drupal Remote Code Execution (CVE ) 6866 Monero Mining Possible ADB.Miner Worm Activity Detected

34 IPS BOTNET HW (PORT MIRROR) IPS ELK SNORT PARSED DATA IPSET IPTABLES WAF GEOIP LOGS BLOCK IP/RANGE/HOST SCRIPTS

35 INITIAL SCENARIO Botnet performing a WPSCAN BOTNET BOTNET BOTNET GOOD LUCK DIMITRY!!! I M BEHIND 7 PROXIES AND 1 IPS TARGET

36 THANK YOU!!! Fighting bad guys with an IPS from scratch Daniel Conde Rodriguez EuskalHack Security Congress III 2018