Fighting bad guys with an IPS from scratch

Daniel Conde Rodríguez, BS Computer Engineer, PCAE - LFCS
Webhosting Service Operations Team Coordinator, Acens (Telefónica)
@daconde2, www.linkedin.com/in/daniconde

WHO ARE THE BAD GUYS? Dimitry (Moskva)

Attack vectors: script, malware, WordPress plugin, mobile app, FIFA 2018 -> Internet -> targets: web servers, mobiles, PCs, IoT
In common: the IP of the attacker

TARGETS: VPS, servers, websites, cloud services. A FW IS NOT ENOUGH

Let's fight bad guys! How? Defense, defense, defense, with overall security solutions.

- IPS (Intrusion Prevention System)
- Open-source tools
- Several defense layers

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Events are collected centrally using a security information and event management (SIEM) system. Systems with response capabilities are typically referred to as an intrusion prevention system (IPS).

TRY TO BLOCK ATTACKS: XSS, CSRF, crawlers, botnets, vulnerability scanners/plugins, SQLi, cookie stealing

LOGS
203.0.113.1 - - [20/Jun/2018:01:03:45 +0200] "GET api/specific_prices/?display=full&filter%5bid_product%5d=%5b1344%5d

INITIAL SCENARIO: botnet performing a WPSCAN
BOTNET 203.0.113.1, BOTNET 203.0.113.2, BOTNET 203.0.113.3 -> TARGET 98.51.100.1

REQUEST FLOW: BOTNET -> SERVER (diagram)

TOOLS
- SNORT https://www.snort.org (alternatives: Bro, Suricata, etc.)
- IPSET http://ipset.netfilter.org/
- IPTABLES https://netfilter.org/
- WAF (ModSecurity + OWASP + Comodo) https://www.modsecurity.org/ https://www.owasp.org/index.php/ https://waf.comodo.com/
- GEOIP https://www.maxmind.com/es/geoip2-databases
- SCRIPTS (bash, python, perl, ruby, etc.)
- ELK STACK https://www.elastic.co/elk-stack

SNORT
- Snort is an open-source, free and lightweight NIDS to detect emerging threats
- Linux / Windows
- Thousands of rules updated by the community
- Snort vs Suricata vs Bro

SNORT configuration
Helper tools: PulledPork, Oinkmaster (helper scripts that automatically download the latest rules for you); Snorby, BASE, ELK (GUI for rules and vulnerabilities).

./pulledpork.pl -o /usr/local/etc/snort/rules/ -O 1234520334234 -u http://www.snort.org/reg-rules/snortrules-snapshot-2973.tar.gz

(-o: where PulledPork writes the rules; -O: your oinkcode, the value on the slide is only an example; -u: URL of the rules snapshot to fetch)

Architecture: BOTNET -> HW (port mirror) -> IPS (SNORT) -> SERVER

IPSET
- IP sets are a framework inside the Linux kernel (ipset utility)
- Mass blocking of IP addresses, networks, (TCP/UDP) port numbers, MAC addresses: 300,000+ IPs/ranges blocked
- IPSET solves IPTABLES limitations:
  - High number of rules: slow (iptables) vs FAST (ipset)
  - Linear evaluation (iptables) vs SIMPLE EVALUATION (ipset, hash lookup)
  - Changing rules: slow/inefficient (iptables) vs SIMPLE STORAGE METHOD (ipset)
- Lightning-fast set matching and blocking speed

IPSET commands
ipset create blacklist hash:net hashsize 4096 maxelem 40960
ipset create whitelist hash:net hashsize 4096 maxelem 40960
ipset destroy blacklist
ipset add blacklist 203.0.113.1

Chain INPUT (policy ACCEPT)
target         prot opt source     destination
ACCEPT         tcp  --  0.0.0.0/0  0.0.0.0/0    match-set whitelist src
LOG_BLACKLIST  tcp  --  0.0.0.0/0  0.0.0.0/0    match-set blacklist src
Chain LOG_BLACKLIST (1 references)

IPSET show list
ipset list blacklist
Name: blacklist
Type: hash:net
Header: family inet hashsize 262144 maxelem 600000 timeout 36000
Size in memory: 211388
References: 1
Members:
203.0.113.1 timeout 3478
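The slides load a set of 300,000+ entries with a timeout and keep a separate whitelist that is matched before the blacklist. The following is an added example (not code from the talk) of how a feed of addresses is turned into a single `ipset restore` transaction: malformed lines are dropped, anything overlapping the whitelist is refused so a mistake in a feed can never block an address you rely on, and adjacent or duplicate ranges are collapsed. The feed, whitelist and set parameters are constructed sample values; the set name `blacklist`, the `hash:net` type and the `timeout 36000` / `maxelem 600000` header mirror the slide.

```python
"""Build an `ipset restore` payload for a blacklist set from a raw feed.

Added example: it is not part of the original talk. The output text is
what `ipset restore -exist < file` loads as one kernel transaction instead
of forking one `ipset add` process per address.
"""
import ipaddress

# Constructed sample feed: hosts, CIDRs, a whitelisted address, garbage, a duplicate.
SAMPLE_FEED = [
    "203.0.113.1",
    "203.0.113.2/32",
    "203.0.113.0/28",   # already covers .1 and .2
    "198.51.100.77",
    "192.0.2.10",       # inside the whitelist below, must never be blocked
    "not-an-ip",
    "203.0.113.2",      # duplicate
]
SAMPLE_WHITELIST = ["192.0.2.0/24"]


def parse_networks(entries):
    """Return ip_network objects for the valid lines, skipping blanks, comments and garbage."""
    nets = []
    for raw in entries:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            continue  # in production: log the rejected feed line
    return nets


def overlaps_whitelist(net, whitelist):
    """True if any part of `net` falls inside a whitelisted network of the same family."""
    return any(net.version == w.version and net.overlaps(w) for w in whitelist)


def build_blacklist(feed, whitelist):
    """Parsed, whitelist-filtered, de-duplicated and collapsed networks as strings."""
    allow = parse_networks(whitelist)
    candidates = [n for n in parse_networks(feed) if not overlaps_whitelist(n, allow)]
    # collapse_addresses refuses mixed families, so collapse v4 and v6 separately
    v4 = ipaddress.collapse_addresses([n for n in candidates if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in candidates if n.version == 6])
    return [str(n) for n in v4] + [str(n) for n in v6]


def restore_payload(setname, networks, timeout=36000, maxelem=600000):
    """Text for `ipset restore -exist`: a create line followed by one add line per network."""
    lines = [f"create {setname} hash:net family inet hashsize 262144 "
             f"maxelem {maxelem} timeout {timeout}"]
    lines += [f"add {setname} {net} timeout {timeout}" for net in networks]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = build_blacklist(SAMPLE_FEED, SAMPLE_WHITELIST)
    print(restore_payload("blacklist", nets), end="")
```

Run the output through `ipset restore -exist` from a privileged cron job or the script that consumes the Snort/WAF events; `-exist` makes the create line harmless when the set already exists, and the per-entry timeout means entries age out on their own, as in the `Members:` listing on the slide.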

Architecture: BOTNET -> HW (port mirror) -> IPS (SNORT, IPSET)

IPTABLES
iptables -N LOG_BLACKLIST
iptables -I LOG_BLACKLIST 1 -m limit --limit 30/hour --limit-burst 30 -j LOG --log-prefix "IPBlacklisted: " --log-level 4
iptables -A LOG_BLACKLIST -j DROP

Chain LOG_BLACKLIST (1 references)
target  prot opt source     destination
LOG     all  --  0.0.0.0/0  0.0.0.0/0    limit: avg 1/min burst 120 LOG flags 0 level 4 prefix `IPTables-Dropped: '
DROP    all  --  0.0.0.0/0  0.0.0.0/0

SCRIPTS > LOGS (/var/log/iptables.log)
Oct 7 10:00:00 server kernel: IPBlacklisted: IN=XXX OUT= MAC=xx:xx:xx SRC=203.0.113.1 DST=OUR_SERVER LEN=XX TOS=0x00 PREC=0x00 TTL=XX ID=XXXX DF PROTO=TCP SPT=XXX DPT=80
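The `LOG` target writes one syslog line per (rate-limited) dropped packet, and the slide's "SCRIPTS > LOGS" step is where those lines get parsed before they reach the ELK stack. As an added example (not the talk's own script), here is a parser for the `IPBlacklisted:` lines that extracts the key=value fields plus the bare flag tokens (`DF`, `SYN`) and counts hits per source and per destination port, which is the quickest way to confirm that an ipset entry is actually catching traffic. The log lines are constructed samples in the format shown on the slide; the hostname, MAC and interface values are made up.

```python
"""Parse kernel LOG lines produced by the LOG_BLACKLIST chain.

Added example, not part of the original talk. Produces structured records
and per-source / per-port hit counts from the `IPBlacklisted:` syslog lines.
"""
import re
from collections import Counter

# Constructed sample lines; the last one is an unrelated sshd entry that must be ignored.
SAMPLE_LOG = """\
Oct  7 10:00:00 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.1 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=44123 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:01 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.1 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31338 DF PROTO=TCP SPT=44124 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:02 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.3 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4242 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Oct  7 10:00:03 server sshd[1234]: Accepted publickey for ops from 192.0.2.5 port 50022 ssh2
"""

# syslog timestamp, host, "kernel:", the --log-prefix text, then the netfilter fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>[^:]+): (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line, prefix="IPBlacklisted"):
    """Return a dict for a LOG line carrying `prefix`, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or m.group("prefix") != prefix:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    # tokens without '=' are flags (DF, SYN, ACK, ...)
    flags = [t for t in m.group("fields").split() if "=" not in t]
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        "flags": flags,
    }


def summarize(text):
    """Hit counts per source IP and per destination port for a chunk of log text."""
    by_src, by_dpt = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_src[rec["src"]] += 1
        by_dpt[rec["dpt"]] += 1
    return by_src, by_dpt


if __name__ == "__main__":
    src, dpt = summarize(SAMPLE_LOG)
    print("blocked hits per source:", src.most_common())
    print("blocked hits per port:", dpt.most_common())
```

Because the chain rate-limits logging (30/hour with a burst of 30 in the command shown), the counts are a lower bound on what was dropped; they are good enough to validate the blocklist, not to measure attack volume.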

Architecture: BOTNET -> HW (port mirror) -> IPS (SNORT, IPSET, IPTABLES)

MODSECURITY WAF
ModSecurity is a web application firewall working at Layer 7.
- Covers the most critical security risks to web applications
- No code modification required
- Easy to configure
- Flexible custom rules (OWASP, Comodo, Atomic)

MODSECURITY LOGS
--9650b61c-A--
[20/Jun/2018:21:07:36 +0200] Wyql@LAcZ84ALHn77WUAAAAr 203.0.113.1 14250 98.51.100.1 80
--9650b61c-B--
GET /app/wordpress/wp-config.php HTTP/1.1
Host: www.myserver.com
Connection: keep-alive
Accept: image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5
User-Agent: Mozilla/5.0 (iphone; CPU iphone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
--9650b61c-F--
HTTP/1.1 403 Forbidden
--9650b61c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [line "2"] [msg "IP 203.0.113.1 block Country"]
Action: Intercepted (phase 1)
Producer: ModSecurity for Apache
Server: Apache
Engine-Mode: "ENABLED"

1 rule, 2 blocking conditions (WPSCAN + GEOIP): tagged attack -> exec() action -> ModSecurity script blocks the IP in IPSET

Architecture: BOTNET -> HW (port mirror) -> IPS (SNORT, IPSET, IPTABLES, WAF, GEOIP) -> block IP/range/host

SCRIPTS
ModSecurity rule (country_block_geoip.conf):

SecGeoLookupDb /usr/share/geoip/geoip.dat
# Chain: a request for wp-config.php AND a client whose country code is SN -> deny with 403 and run the script.
# REQUEST_URI is the ModSecurity variable for the request path ("URI" does not exist); a script whose
# name ends in .lua is run by ModSecurity's built-in Lua engine.
SecRule REQUEST_URI "wp-config.php" "chain,id:11111,phase:1,initcol:ip=%{REMOTE_ADDR},exec:/path/to/your/script.lua,deny,status:403,msg:'IP %{REMOTE_ADDR} block Country'"
    SecRule REMOTE_ADDR "@geolookup" "chain"
        SecRule GEO:COUNTRY_CODE "@pm SN"

ModSecurity log:
Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [msg "IP 203.0.113.1 block Country"]

Script run by the exec action (Lua):

#!/usr/bin/lua
-- Called by ModSecurity's exec action; m.getvar exposes the transaction variables.
function main()
    local remote_ip = m.getvar("REMOTE_ADDR")
    -- only ever hand a plain IPv4 literal to the shell
    if remote_ip == nil or not remote_ip:match("^[%d%.]+$") then
        return nil
    end
    -- ipset needs CAP_NET_ADMIN, which the web server user normally lacks,
    -- so in practice this call is delegated (sudo rule or a privileged helper).
    local handle = io.popen("ipset add blacklist " .. remote_ip)
    handle:close()
    local file = io.open("/tmp/lua_output.txt", "w")
    if file then
        file:write(remote_ip)
        file:close()
    end
    m.log(1, "LUA block IP exec!")
    return nil
end

Tagged attack -> exec() action -> ModSecurity script blocks the IP in IPSET
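The exec-from-the-rule approach needs the web server process to reach ipset. An alternative that keeps Apache unprivileged is to have a separate, privileged consumer read the ModSecurity audit log and apply the blocks itself. The following is an added example (not the talk's own code) of that consumer's parsing half: it splits the serial-format audit log into entries by the `--<id>-<letter>--` boundaries, takes the client IP from section A and the rule tags from the `Message:` line in section H, and returns the `ipset add` commands as text for the privileged side to run. The audit entries below are constructed samples modelled on the slide; the `[id "11111"]` tag and the second, benign entry are assumptions, and `198.51.100.10` stands in for the server address.

```python
"""Extract block candidates from a ModSecurity v2 serial-format audit log.

Added example, not part of the original talk. Section letters (A, B, H, Z)
and the Message line layout follow the ModSecurity v2 audit log format.
"""
import re

# Constructed sample: one intercepted request (as on the slide) and one normal request.
SAMPLE_AUDIT = """\
--9650b61c-A--
[20/Jun/2018:21:07:36 +0200] Wyql@LAcZ84ALHn77WUAAAAr 203.0.113.1 14250 198.51.100.10 80
--9650b61c-B--
GET /app/wordpress/wp-config.php HTTP/1.1
Host: www.myserver.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X)
--9650b61c-F--
HTTP/1.1 403 Forbidden
--9650b61c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [line "2"] [id "11111"] [msg "IP 203.0.113.1 block Country"]
Action: Intercepted (phase 1)
--9650b61c-Z--

--9650b61d-A--
[20/Jun/2018:21:08:02 +0200] Wyql@LAcZ84ALHn77WUAAAAs 192.0.2.44 51000 198.51.100.10 80
--9650b61d-B--
GET /index.php HTTP/1.1
Host: www.myserver.com
--9650b61d-F--
HTTP/1.1 200 OK
--9650b61d-H--
Stopwatch: 1529521682000000 1200 (- - -)
--9650b61d-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# section A: [timestamp] txid client_ip client_port server_ip server_port
A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<txid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)$"
)
# [file "..."] [line "..."] [id "..."] [msg "..."] tags on a Message line
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def split_entries(text):
    """Yield one {section_letter: [lines]} dict per audit entry (from A up to Z)."""
    sections, letter = {}, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            letter = m.group(2)
            if letter == "A":
                sections = {}
            elif letter == "Z":
                yield sections
                letter = None
            continue
        if letter is not None:
            sections.setdefault(letter, []).append(line)


def intercepted(entry):
    """(client_ip, request_line, rule_id, msg) if the WAF denied the request, else None."""
    a = A_RE.match(entry.get("A", [""])[0])
    if not a:
        return None
    for line in entry.get("H", []):
        if not line.startswith("Message: Access denied"):
            continue
        tags = dict(TAG_RE.findall(line))
        request_line = entry.get("B", [""])[0]
        return (a.group("cip"), request_line, tags.get("id"), tags.get("msg"))
    return None


def block_commands(text, setname="blacklist", timeout=36000):
    """One `ipset add` command per intercepted client IP, de-duplicated, order preserved."""
    seen, cmds = set(), []
    for entry in split_entries(text):
        hit = intercepted(entry)
        if hit and hit[0] not in seen:
            seen.add(hit[0])
            cmds.append(f"ipset -exist add {setname} {hit[0]} timeout {timeout}")
    return cmds


if __name__ == "__main__":
    for cmd in block_commands(SAMPLE_AUDIT):
        print(cmd)
```

Feeding the audit log to a root-owned daemon (or a cron job over the rotated file) instead of calling ipset from inside Apache means a compromised web server process holds no netfilter rights, and the rule id and msg extracted here are what you would index in ELK to see which rule drove each block.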

Architecture: BOTNET -> HW (port mirror) -> IPS (SNORT, IPSET, IPTABLES, WAF, GEOIP, LOGS, SCRIPTS) -> block IP/range/host

ELK
"ELK" is the acronym for three open source projects: Elasticsearch is a search and analytics engine. Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a "stash" like Elasticsearch. Kibana lets users visualize the data in Elasticsearch with charts and graphs.

ELK: SNORT TOP ATTACKS, 1 DAY (hits, signature)
87128  SYN Port Scan
34685  BitTorrent Meta-Info Retrieving
29371  Wordpress wp-login.php Login Attempt
27273  Microsoft Windows RDP Server
17086  Mercury Mail IMAP Command Buffer Overflow
15310  Password Brute Force
12440  Windows SMB Remote Code Execution Vulnerability
7693   Possible HTTP DoS Attack with Invalid HTML Page Access
7460   SQL Injection - Exploit II
7219   Exim Buffer Overflow (CVE-2018-6789)
6999   Drupal Remote Code Execution (CVE-2018-7600)
6866   Monero Mining Possible ADB.Miner Worm Activity Detected

Architecture: BOTNET -> HW (port mirror) -> IPS (SNORT -> parsed data -> ELK; IPSET, IPTABLES, WAF, GEOIP, LOGS, SCRIPTS) -> block IP/range/host

INITIAL SCENARIO, revisited: botnet performing a WPSCAN
BOTNET 203.0.113.1, BOTNET 203.0.113.2, BOTNET 203.0.113.3 -> TARGET 98.51.100.1
GOOD LUCK DIMITRY!!! I'M BEHIND 7 PROXIES AND 1 IPS

THANK YOU!!!
Fighting bad guys with an IPS from scratch
Daniel Conde Rodríguez, EuskalHack Security Congress III 2018