Linux Systems Security. Firewalls and Filters NETS1028 Fall 2016


Firewall
- A physical barrier designed to slow or prevent the spread of fire
- In computer networks, a mechanism to slow or prevent the passage of network traffic
- Several firewall software packages have come and gone over the past 20 years; iptables is now ubiquitous on Linux (its designated successor, nftables, has shipped in the kernel since 3.13, but these notes use iptables)

netfilter.org
- Netfilter is the home of several packet filtering projects, including iptables, which is used in more or less all modern Linux kernels
- GPLv2 licensed, open source, in active development since approximately 1999
- Corporate sponsors have included Watchguard, LinuxCare Inc., Conectiva, Sophos, and many others

Stateful vs. Stateless
- 1st generation packet filters were stateless network layer filters: each packet was examined on an individual basis and decisions about it were based solely on the contents of that packet
- 2nd generation packet filters incorporated connection information and could make stateful decisions as well (stateful packet inspection, SPI); on Linux this is the conntrack subsystem, which iptables consults with -m conntrack --ctstate
- 3rd generation adds application awareness and can make decisions based on unexpected traffic patterns (deep packet inspection, DPI)

NAT
- NAT was developed to deal with limited address space in IPv4
- It was quickly recognised that it also hides internal addresses, making reconnaissance more difficult for attackers
- Many firewalls provide NAT as an added tool for slowing attackers
- Caveat: NAT rewrites addresses, it does not filter; the protection comes from the stateful rules that admit only reply traffic, so a NAT gateway still needs an explicit FORWARD policy

Proxies
- A proxy is a software device which acts as a middleman for connections and can perform additional filtering of traffic
- Useful for implementing more complex application-specific rules such as URL-based filtering
- Email MTAs can perform a proxy function for email
- Firewalling external connections from non-proxy hosts (so that only the proxy may talk out) adds a layer of protection against internal hosts which have been compromised or which someone is attempting to misuse

iptables Tables
- iptables organises rules into built-in tables; the three used for most work are:
- The filter table, the default, used to accept or drop traffic
- The nat table, used to perform address modifications in order to provide NAT
- The mangle table, used to modify packets in other ways (TTL, TOS/DSCP, packet marks)
- Two more exist: raw (exempting packets from connection tracking with NOTRACK) and security (SELinux/MAC marking); you will rarely touch them
- Select a table with -t; tables contain chains of rules

Packet flow
(Slide shows the "Netfilter-packet-flow" diagram by Jengelh, own work, licensed under CC BY-SA 3.0 via Wikimedia Commons: https://commons.wikimedia.org/wiki/file:netfilter-packet-flow.svg#/media/file:netfilter-packet-flow.svg)

iptables Chains
- A chain is a sequence of rules
- INPUT, OUTPUT, and FORWARD are the built-in chains of the filter table (nat and mangle also have PREROUTING and POSTROUTING, which see packets before and after the routing decision)
- INPUT is applied to packets destined for this host from network interfaces
- OUTPUT is applied to packets generated by this host
- FORWARD is applied to packets not generated by, or destined for, this host (routed through it)
- A built-in chain also has a policy, which is what happens to packets not matched by any rule
- Create your own chains with iptables -N, delete them (once empty and unreferenced) with iptables -X; a user-defined chain has no policy, unmatched packets RETURN to the chain that jumped to it

iptables Chain Policy
- Each rule in a chain specifies parameters to identify the packets the rule applies to and an action to take if a packet matches
- If a packet is compared to all the rules and does not match any of them, the policy for the chain is applied to the packet
- The default policy after installation is ACCEPT; change it with iptables -P <chain> <policy>
- The only other useful policy is DROP: REJECT is a target extension, not a built-in target, so it cannot be a chain policy. To reject by default, keep the policy at DROP and end the chain with a rule such as -j REJECT

iptables Rules
- Each rule in a chain can have a number of parameters, including a target
- Typical parameters:
- chain name
- interface name (-i incoming, -o outgoing)
- protocol (-p, name or number from /etc/protocols)
- source address (-s, name/number/CIDR range) and/or source port (--sport, name or number from /etc/services; port matches require -p tcp or -p udp)
- destination address (-d, name/number/CIDR range) and/or destination port (--dport, as above)
- jump target (-j)
- Built-in targets include ACCEPT, DROP and RETURN; REJECT and LOG are target extensions, but are always available
- A target can also be another chain, which lets you organise your rules into readable units
- Extensions can also be targets, see iptables-extensions(8)

iptables Command
- iptables -V to get version info
- iptables -L [-v] to get a config summary; add -n to skip reverse DNS lookups (which hang when your own rules block DNS), --line-numbers to see rule positions, and -t <table> for a table other than filter
- iptables -S to show rules in iptables command line format
- iptables -A to append rules to a chain
- iptables -I to insert rules into a chain other than at the end (at the top by default, or at a given position)
- iptables -D to delete a rule, iptables -F to flush all rules from a chain
- The ip6tables command builds rules for IPv6; the IPv4 and IPv6 rulesets are independent, so a host that only filters IPv4 is wide open over IPv6

iptables Examples
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp -j LOG --log-prefix "INPUTLOG "
- What common network traffic might break because of this? (Hint: nothing here allows DNS, NTP, package updates or ICMP, and the OUTPUT rule only matches packets leaving from port 22)
- How would you discover what was broken?
- Logging only input traffic only tells you who is trying to break in, not who is trying to get out
- Order matters: the ACCEPT rules are added before the policies are set to DROP. If you are working over ssh and set the policy first, you lock yourself out
- The LOG rule is appended after the ssh ACCEPT, so it only sees the tcp packets that rule did not take; LOG does not terminate processing, and without -m limit it can flood kern.log

Exercises
1. Create a set of firewall rules to allow traffic on loopback, allow only ssh on eth0, and set the INPUT and OUTPUT policy to DROP
2. Verify you cannot connect to your VM using a protocol you are serving but not permitting through the firewall (install something like a telnet service for testing purposes), and that ssh still works
3. Add a rule to log all non-ssh tcp packets, retry the telnet and check /var/log/kern.log to see what got logged
4. Reboot your VM, and check your iptables rules using the -L option

iptables Persistence
- iptables rules live only in the running kernel; they are lost at reboot
- To have the rules take effect at boot, we need software that not only installs the rules but also saves them for reinstallation at the next boot
- Most higher-level packages that try to automate firewall management save the rules you create
- You can install the iptables-persistent package and save your rules to /etc/iptables/rules.v4 and /etc/iptables/rules.v6 using iptables-save and ip6tables-save; the package feeds them to iptables-restore at boot
- You can use one or more of several packages intended to manage an iptables configuration

Exercises
1. With your own iptables rules installed, install the iptables-persistent package, having it save your IPv4 rules
2. Examine the contents of /etc/iptables/rules.v4 and compare it to the output of iptables-save
3. Reboot and verify your rules are automatically reinstalled
4. Remove the iptables-persistent package
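A complete version of the ruleset from the Examples slide, together with the save and restore steps that iptables-persistent automates, as an added example for these notes (not from the original deck). It is written in the iptables-restore format that /etc/iptables/rules.v4 uses, so the same text is the thing you apply and the thing you persist. The stateless --sport 22 rule is replaced by connection tracking, so replies to DNS, apt, NTP and ping traffic the host starts are allowed, while every other new inbound connection is logged (rate-limited) and dropped. The interface eth0 follows the slides; the admin source range 203.0.113.0/24, the hashlimit values and the function names are assumptions.

```shell
#!/bin/sh
# Added example: stateful host firewall in iptables-restore(8) format, plus the
# save/restore steps iptables-persistent automates. eth0 follows the slides;
# MGMT_NET (203.0.113.0/24) is an assumed admin range, change it to yours.
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"
RULES_V4="${RULES_V4:-/etc/iptables/rules.v4}"   # file iptables-persistent loads at boot

# Emit the ruleset. Policies are DROP; everything accepted is listed explicitly.
ruleset_v4() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# loopback is unrestricted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets conntrack cannot associate with any flow are never legitimate
-A INPUT -m conntrack --ctstate INVALID -j DROP
# replies to connections this host opened (DNS, apt, NTP, ping...) come back here
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# echo requests, rate limited so the host is cheap to ping-flood but not to exhaust
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# new ssh connections on eth0: admin range only, at most 6/min per source address
-A INPUT -i eth0 -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 6/min --hashlimit-burst 6 -j ACCEPT
# anything else inbound: rate-limited log, then drop
-A INPUT -j LOGDROP
# outbound: replies to accepted connections, then what this host may initiate
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -j LOGDROP
# LOG does not terminate, so log and drop are two rules; IN=/OUT= in the log line tells the direction
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-DROP " --log-level warning
-A LOGDROP -j DROP
COMMIT
EOF
}

# Parse and build the ruleset without committing it (needs root and iptables)
test_ruleset() { ruleset_v4 | iptables-restore --test; }

# Install atomically, then persist in the file iptables-persistent reloads at boot.
# Run this from the console or inside screen: a mistake here drops your ssh session.
apply_ruleset() {
    ruleset_v4 | iptables-restore
    iptables-save > "$RULES_V4"
}

# Cheap pre-deploy lint: all three policies are DROP, replies are allowed and ssh
# is still reachable, so "forgot the policy" never reaches the live kernel.
lint_ruleset() {
    rules=$(ruleset_v4)
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:$chain DROP" || return 1
    done
    printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 22 .*-j ACCEPT'
}

# Default run prints the ruleset for review; APPLY=1 installs and saves it.
if [ "${APPLY:-0}" = 1 ]; then apply_ruleset; else ruleset_v4; fi
```

Compare the output with what iptables-save writes after the rules are loaded: the counters in brackets change, the rest is identical, which is why a hand-written rules.v4 in this format survives a round trip through iptables-persistent.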

iptables Extensions
- Extensions add packet matching capabilities through match modules, as well as new targets that give more options about what to do with matched packets
- The -m option loads a match module to extend the capabilities of iptables; many modules take further options of their own (a few, such as tcp and icmp, are loaded implicitly by -p)
- Interesting modules: limit, hashlimit, connlimit, conntrack, recent, iprange, multiport, comment
- Interesting targets: LOG, REJECT, REDIRECT, TEE
- http://ipset.netfilter.org/iptables-extensions.man.html

Common Attack Handling
- Drop or rate-limit pings from all non-local hosts; limiting ICMP rates across the board also helps against smurf attacks (and icmp_echo_ignore_broadcasts stops your hosts from amplifying one)
- Drop packets sourced from private netblocks which you aren't using yourself, and packets claiming your own internal addresses when they arrive on the outside interface: that is spoofing
- Drop malformed packets using --tcp-flags; port scans often use illegal flag combinations (no flags, all flags, SYN together with FIN)
- Configure appropriate kernel tuning parameters (sysctl) to increase resilience to attacks, for example tcp_syncookies and rp_filter
- The modern Linux kernel in the major distros is quite robust; most attacks are on services, so block or limit them and use whatever hardening options the services themselves offer

Exercises
1. Run sysctl -a to get an idea of the kernel parameters currently set up on your system. What do you suppose are the implications of being able to retrieve this type of information as an ordinary user?
2. https://www.kernel.org/doc/documentation/sysctl/vm.txt has excellent sysctl documentation for kernel version 2.6; find the swappiness parameter in that document to see what it can do for you, and check out the Wikipedia article for more info
3. Performance tuning also affects resiliency; example references on tuning for performance include:
http://wiki.mikejung.biz/ubuntu_performance_tuning
https://lonesysadmin.net/2013/12/22/better-linux-disk-caching-performance-vmdirty_ratio/
https://lonesysadmin.net/2013/12/19/account-bandwidth-delay-product-largernetwork-buffers/
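The Common Attack Handling slide and the sysctl exercise above, worked through as one added example (not from the original deck): a BADTCP chain for the flag combinations port scanners send, a BOGON chain for source ranges that cannot legitimately arrive on the Internet-facing interface, and an audit function that compares the running kernel parameters with a small hardening set by reading /proc/sys directly. The interface name eth0 follows the slides; the netblock list, the chain names, the sysctl file name and the function names are assumptions, and the RFC1918 ranges must be removed from the list if you actually receive traffic from them on the outside.

```shell
#!/bin/sh
# Added example: BADTCP/BOGON chains and a sysctl audit. Not from the original deck.
# EXT (eth0) and the netblock list are assumptions: remove any range you really
# use on the outside interface from bogon_rules before installing.
EXT="${EXT:-eth0}"
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"   # overridable so audit_sysctls can run against a fake tree

# Flag combinations no real TCP stack emits; nmap -sN, -sX, -sF and friends do.
bad_tcp_rules() {
    cat <<'EOF'
-N BADTCP
-A BADTCP -p tcp --tcp-flags ALL NONE -j DROP
-A BADTCP -p tcp --tcp-flags ALL ALL -j DROP
-A BADTCP -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A BADTCP -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
EOF
}

# Sources that must never show up on the Internet-facing interface.
bogon_rules() {
    echo "-N BOGON"
    for net in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
               172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/3; do
        echo "-A BOGON -s $net -j DROP"
    done
}

# Hook both chains into INPUT and FORWARD for the external interface. Insert at
# the top (-I) so they run before every ACCEPT rule, including the conntrack one.
hook_rules() {
    for chain in INPUT FORWARD; do
        echo "-I $chain -i $EXT -p tcp -j BADTCP"
        echo "-I $chain -i $EXT -j BOGON"
    done
}

# Kernel parameters for the attacks on the slide: SYN floods (syncookies), spoofed
# sources (rp_filter), smurf amplification (ignore broadcast echo), route hijacking
# via ICMP redirects and source routing, and logging of impossible sources (martians).
hardening_sysctls() {
    cat <<'EOF'
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
EOF
}

# Compare running values with the wanted ones; print each mismatch, return 1 if any.
# Reads $SYSCTL_ROOT (normally /proc/sys) directly, so no sysctl(8) is needed.
audit_sysctls() {
    rc=0
    for entry in $(hardening_sysctls); do
        key=${entry%%=*}; want=${entry#*=}
        path="$SYSCTL_ROOT/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then have=$(cat "$path"); else have=missing; fi
        if [ "$have" != "$want" ]; then
            echo "$key = $have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Install everything (root required, run once: -N fails if the chain exists).
# The sysctl file survives reboots; the iptables rules do not (see persistence).
apply_hardening() {
    { bad_tcp_rules; bogon_rules; hook_rules; } | while read -r line; do
        iptables $line   # unquoted on purpose: each emitted line is one argument list
    done
    hardening_sysctls > /etc/sysctl.d/60-hardening.conf
    sysctl --system >/dev/null
}

# Default run only audits; APPLY=1 installs rules and sysctls.
if [ "${APPLY:-0}" = 1 ]; then apply_hardening; else audit_sysctls || echo "sysctl audit: mismatches listed above"; fi
```

Run the audit first on a stock VM: the usual findings are rp_filter at 0 or 2 and log_martians off, which is exactly the kind of thing sysctl -a will show any unprivileged user.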

iptstate
- top-style tool for observing connection states
- It reads the kernel's conntrack table, which is only populated once connection tracking is active, so at least one rule using the conntrack or state match is required (loading the nf_conntrack module has the same effect)
- Help screen available with the h key; it shows the current sort and display settings
- Buggy on Ubuntu 16.04 currently

Exercises
1. Install the iptstate package
2. Add a rule to your INPUT chain for protocol tcp, destination port ssh, module conntrack, option --ctstate INVALID
3. Run iptstate and observe the various connections being tracked by the kernel
4. Use iptables -L -v to see the packet and byte counts for the rules you have in place

UFW - Uncomplicated Firewall
- A command line utility to simplify firewall management
- Uses pre-configured rulesets for common configurations, with catch-all rules in /etc/ufw
- It is a front end to the iptables command, but conflicts are probable if you use both to set up your firewall; instead use the before.rules and after.rules files in /etc/ufw (and their IPv6 counterparts) to set up custom rulesets
- Provides enable/disable and configuration save
- gufw is a graphical frontend to ufw
- http://docs.ansible.com/ansible/ufw_module.html
- https://help.ubuntu.com/lts/serverguide/firewall.html

Exercises
1. Install the ufw package
2. Use ufw to allow ssh traffic
3. Check your status with ufw, enable it, recheck your status
4. Run iptables -L -v with the ufw firewall tool in the enabled state
5. Disable the ufw firewall tool and see what is left behind in your live iptables
6. Reboot to clear out your tables for the next exercise

ipkungfu
- Another frontend to iptables (there are many, e.g. https://taufanlubis.wordpress.com/2007/09/23/needproctection-for-your-ubuntu/)
- Uses a relatively friendly configuration file and supports automatic configuration at boot
- Groups many rule ideas into simpler concepts and makes them options in config files
- https://help.ubuntu.com/community/firewall/ipkungfu

Exercises
1. Install the ipkungfu package
2. Review the configuration files in /etc/ipkungfu
3. Modify ipkungfu.conf to set GATEWAY=0, DISALLOW_PRIVATE=0
4. Modify services.conf to ACCEPT ftp and ssh traffic
5. Run ipkungfu show-vars to see your current configuration, including ipkungfu's guesses
6. Run ipkungfu -t to test and install your new configuration
7. Use iptables -L to see the new iptables configuration
8. Check /etc/default/ipkungfu to see if it is enabled on system startup (IPKFSTART setting)

fail2ban
- fail2ban is a package that scans log files looking for repeated login failures and then blocks the source hosts using iptables
- It does not require a DROP chain policy: it inserts its own per-jail chain and REJECT rules at the top of INPUT, so it works even if you have no deny policy
- fail2ban knows many common log file formats, including ssh, web servers, email servers, ftp, and many applications that sit on top of those services
- See /etc/fail2ban/filter.d for the logs it knows, and /var/log/fail2ban.log to see what it has been doing while running
- Copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and modify it to enable or configure jails (jail.conf is overwritten on package upgrade, jail.local is not)
- fail2ban.org, 2014 PyCon video: https://www.youtube.com/watch?v=xcxheawy7cu#t=190

Exercises
1. Install vsftpd and fail2ban; you may need a reboot to have a clean set of iptables to work with, depending on the state you left things in from previous exercises
2. Configure the vsftpd jail to be enabled in jail.local and restart the fail2ban service; use iptables -L -v to see what it installed
3. Use a second terminal window to perform several login failures using ftp
4. Watch fail2ban.log using tail -f to see what it does
5. While you have a vsftpd ban in place, try:
fail2ban-client status vsftpd
fail2ban-client get vsftpd bantime
fail2ban-client -h
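What a jail actually does, reduced to its essentials and run over a few constructed auth.log lines, as an added example for these notes (this is not fail2ban's code, and the log lines, addresses and threshold are made up): match the failure line with a regex, count hits per source address, and emit the same iptables rules that the default iptables-multiport ban action installs for the sources over maxretry. The findtime window is deliberately not modelled, so every failure in the input counts; a jail.local that configures the real thing the same way, with the vsftpd jail from the exercise, is included.

```shell
#!/bin/sh
# Added example: the sshd jail's logic in miniature, run over a constructed
# /var/log/auth.log excerpt. Not fail2ban's code; log lines and hosts are made up.
# The findtime window is not modelled: every failure in the input counts.
MAXRETRY="${MAXRETRY:-3}"

# Constructed sample in the sshd format Ubuntu 16.04 writes to auth.log
sample_auth_log() {
    cat <<'EOF'
Nov  2 10:01:07 vm sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Nov  2 10:01:09 vm sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Nov  2 10:01:12 vm sshd[1203]: Accepted publickey for alice from 203.0.113.5 port 60144 ssh2: RSA SHA256:k3yf1ngerpr1nt
Nov  2 10:01:14 vm sshd[1205]: Failed password for root from 198.51.100.7 port 50213 ssh2
Nov  2 10:01:20 vm sshd[1207]: Failed password for bob from 203.0.113.5 port 60150 ssh2
Nov  2 10:01:22 vm sshd[1209]: Failed password for invalid user test from 198.51.100.7 port 50219 ssh2
EOF
}

# The failregex, as sed: print the source address of each failed login on stdin.
# The pattern is anchored on the fixed " port N ssh2" tail, not on the user name:
# the "invalid user" name is attacker-chosen and may itself contain "from 1.2.3.4".
failed_sources() {
    sed -n 's/^.*sshd\[[0-9][0-9]*\]: Failed password for .* from \([0-9.][0-9.]*\) port [0-9][0-9]* ssh2$/\1/p'
}

# Hosts with at least MAXRETRY failures: the ones fail2ban would ban
offenders() {
    failed_sources | sort | uniq -c | awk -v max="$MAXRETRY" '$1 >= max { print $2 }'
}

# The rules the iptables-multiport action installs: a per-jail chain hooked into
# INPUT for the service ports, with one REJECT per banned source inserted at the top.
ban_rules() {
    name="${1:-sshd}" port="${2:-22}"
    echo "-N f2b-$name"
    echo "-A f2b-$name -j RETURN"
    echo "-I INPUT -p tcp -m multiport --dports $port -j f2b-$name"
    offenders | while read -r ip; do
        echo "-I f2b-$name 1 -s $ip -j REJECT --reject-with icmp-port-unreachable"
    done
}

# jail.local that makes the real fail2ban behave as above, plus the vsftpd jail
jail_local() {
    cat <<EOF
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = $MAXRETRY
banaction = iptables-multiport

[sshd]
enabled = true

[vsftpd]
enabled = true
EOF
}

sample_auth_log | ban_rules
```

Feed real log lines in instead of the sample (tail -n 200 /var/log/auth.log | offenders) and compare with fail2ban-client status sshd; the banned list should agree except for entries that fall outside findtime.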

Additional Filtering
- Reduce DNS spoofing by setting nospoof on in /etc/host.conf; see http://manpages.ubuntu.com/manpages/precise/man5/host.conf.5.html for additional host name lookup filtering (this only affects lookups made through the libc resolver on that host, so treat it as a small extra check rather than a defence on its own)
- Proxy servers (email, web, etc.) can be set up; use iptables to prevent connections for proxied services that try to bypass the proxies, since proxies can do application-level filtering that a packet filter cannot
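The NAT, Proxies and Additional Filtering slides combined into one gateway ruleset, as an added example for these notes (not from the original deck): a Linux router with the LAN on eth1 and the Internet on eth0 masquerades the LAN, redirects plain HTTP to a proxy such as squid listening on the gateway itself, and refuses any forwarded web traffic that tries to go around the proxy. Interface names, the LAN range, the proxy port and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the deck): LAN on eth1, Internet on eth0, proxy on this
# host at port 3128. Interface names, LAN range and proxy port are assumptions.
EXT="${EXT:-eth0}"; INT="${INT:-eth1}"
LAN="${LAN:-192.168.10.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# transparent proxy: plain HTTP from the LAN is redirected to the local proxy
# before the routing decision, so it reaches INPUT (port $PROXY_PORT), never FORWARD
-A PREROUTING -i $INT -s $LAN -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# NAT: LAN source addresses are rewritten to the external address on the way out
-A POSTROUTING -o $EXT -s $LAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# what LAN hosts may ask the gateway itself for: the proxy, DNS, ssh
-A INPUT -i $INT -s $LAN -p tcp --dport $PROXY_PORT -j ACCEPT
-A INPUT -i $INT -s $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $INT -s $LAN -p tcp --dport 22 -j ACCEPT
# forwarded traffic: replies first, junk next
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# HTTPS cannot be intercepted, so clients must be configured to use the proxy;
# direct web connections (and any HTTP that dodged the REDIRECT) are logged and
# refused with a reset so the client fails fast instead of timing out
-A FORWARD -i $INT -o $EXT -p tcp -m multiport --dports 80,443 -m limit --limit 5/min -j LOG --log-prefix "PROXY-BYPASS "
-A FORWARD -i $INT -o $EXT -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
# everything else from the LAN may go out; nothing unsolicited comes in
-A FORWARD -i $INT -o $EXT -s $LAN -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Order check: the bypass REJECT must sit above the generic LAN ACCEPT, otherwise
# the ACCEPT matches first and the proxy becomes optional.
check_order() {
    gateway_ruleset | awk '/tcp-reset/ { r = NR } /ctstate NEW -j ACCEPT/ { a = NR }
                           END { exit !(r && a && r < a) }'
}

# Install (root required). Forwarding is off by default; MASQUERADE alone does nothing.
apply_gateway() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gateway_ruleset | iptables-restore
}

if [ "${APPLY:-0}" = 1 ]; then apply_gateway; else gateway_ruleset; fi
```

Test the bypass rule from a LAN host with curl -I https://example.com (no proxy set): it should fail immediately with a connection reset and leave a PROXY-BYPASS line in the gateway's kern.log, while the same request with http_proxy pointed at the gateway succeeds.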