Fighting bad guys with an IPS from scratch
Daniel Conde Rodríguez, BS Computer Engineer, PCAE - LFCS. Webhosting Service Operations Team Coordinator, Acens (Telefónica). @daconde2, www.linkedin.com/in/daniconde
WHO ARE BAD GUYS?
WHO ARE BAD GUYS? Dimitry (Moskva)
(Diagram) Attack chain: script / malware / plugin (Wordpress, mobile app, FIFA 2018) -> Internet -> target (webservers, mobiles, PCs, IoT).
What they all have in common: the IP of the attacker.
TARGETS: VPS, servers, websites, cloud services. A FW IS NOT ENOUGH.
Let's fight bad guys! How? Defense, defense, defense, with overall security solutions.
+ IPS (Intrusion Prevention System)
+ Open-source tools
+ Several defense layers

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Events are collected centrally using a security information and event management (SIEM) system. Systems with response capabilities are typically referred to as an intrusion prevention system (IPS).
TRY TO BLOCK ATTACKS XSS, CSRF, CRAWLERS, BOTNETS, VULNERABILITY SCANNERS/PLUGINS, SQLi, COOKIE STEALING
LOGS
    203.0.113.1 - - [20/Jun/2018:01:03:45 +0200] "GET api/specific_prices/?display=full&filter%5bid_product%5d=%5b1344%5d
INITIAL SCENARIO (diagram): a botnet (203.0.113.1, 203.0.113.2, 203.0.113.3) performing a WPScan against the target 98.51.100.1.
REQUEST FLOW (diagram): botnet -> server.
TOOLS
- SNORT https://www.snort.org (alternatives: Bro, Suricata, etc.)
- IPSET http://ipset.netfilter.org/
- IPTABLES https://netfilter.org/
- WAF (ModSecurity + OWASP + Comodo rules) https://www.modsecurity.org/ https://www.owasp.org/index.php/ https://waf.comodo.com/
- GEOIP https://www.maxmind.com/es/geoip2-databases
- SCRIPTS (bash, python, perl, ruby, etc.)
- ELK STACK https://www.elastic.co/elk-stack
SNORT
- Snort is an open-source, free and lightweight NIDS to detect emerging threats
- Linux / Windows
- Thousands of rules updated by the community
- Snort vs Suricata vs Bro
SNORT configuration
Helper tools: Pulledpork, OinkMaster, Snorby, BASE, ELK.
Pulledpork and OinkMaster are helper scripts that automatically download the latest rules for you:
    ./pulledpork.pl -o /usr/local/etc/snort/rules/ -O 1234520334234 -u http://www.snort.org/reg-rules/snortrules-snapshot-2973.tar.gz
Snorby and BASE: GUI for rules and vulnerabilities.
SNORT (diagram): botnet -> hardware port mirror -> IPS (Snort) -> server.
IPSET
- IP sets are a framework inside the Linux kernel (ipset utility)
- Mass blocking of IP addresses, networks, (TCP/UDP) port numbers, MAC addresses: +300.000 IPs / ranges blocked
- IPSET solves IPTABLES limitations:
    high number of rules: slow vs FAST
    linear evaluation vs SIMPLE EVALUATION
    changing rules: slow/inefficient vs SIMPLE STORAGE METHOD
- Lightning-fast set matching and blocking speed
IPSET commands
    ipset create blacklist hash:net hashsize 4096 maxelem 40960
    ipset create whitelist hash:net hashsize 4096 maxelem 40960
    ipset destroy blacklist
    ipset add blacklist 203.0.113.1

Resulting INPUT chain (iptables -L -n output):
    Chain INPUT (policy ACCEPT)
    target         prot opt source     destination
    ACCEPT         tcp  --  0.0.0.0/0  0.0.0.0/0    match-set whitelist src
    LOG_BLACKLIST  tcp  --  0.0.0.0/0  0.0.0.0/0    match-set blacklist src
    Chain LOG_BLACKLIST (1 references)
IPSET show list
    ipset list blacklist
    Name: blacklist
    Type: hash:net
    Header: family inet hashsize 262144 maxelem 600000 timeout 36000
    Size in memory: 211388
    References: 1
    Members:
    203.0.113.1 timeout 3478
IPSET (diagram): botnet -> hardware port mirror -> IPS (Snort, ipset).
IPTABLES
    iptables -N LOG_BLACKLIST
    iptables -I LOG_BLACKLIST 1 -m limit --limit 30/hour --limit-burst 30 -j LOG --log-prefix "IPBlacklisted: " --log-level 4
    iptables -A LOG_BLACKLIST -j DROP

    Chain LOG_BLACKLIST (1 references)
    target  prot opt source     destination
    LOG     all  --  0.0.0.0/0  0.0.0.0/0    limit: avg 1/min burst 120 LOG flags 0 level 4 prefix `IPTables-Dropped:
    DROP    all  --  0.0.0.0/0  0.0.0.0/0

SCRIPTS > LOGS (/var/log/iptables.log)
    Oct 7 10:00:00 server kernel: IPBlacklisted: IN=XXX OUT= MAC=xx:xx:xx SRC=203.0.113.1 DST=OUR_SERVER LEN=XX TOS=0x00 PREC=0x00 TTL=XX ID=XXXX DF PROTO=TCP SPT=XXX DPT=80
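The IPSET and IPTABLES steps above, collected into one idempotent POSIX shell script. This is an added example, not a script from the talk or from acens: the set names blacklist/whitelist, the LOG_BLACKLIST chain and the rate-limited LOG rule come from the slides; the function names, the DRY_RUN switch, the 36000 s default entry timeout and the IPv4 validation are assumptions of the example. It needs root (or CAP_NET_ADMIN) to do anything real; with DRY_RUN=1 it only prints the privileged commands, which is also how it can be reviewed before deployment.

```shell
#!/bin/sh
# Added example, not from the talk: the ipset + iptables steps from the slides as
# one idempotent script. Assumes ipset/iptables on PATH and root privileges;
# DRY_RUN=1 prints every privileged command instead of running it.
set -eu

BLACKLIST=${BLACKLIST:-blacklist}
WHITELIST=${WHITELIST:-whitelist}
DEFAULT_TIMEOUT=${DEFAULT_TIMEOUT:-36000}   # seconds (10 h), as in the ipset list header

# run CMD...: execute, or just echo the command line when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_valid_ipv4 ADDR: strict dotted-quad check. Hostnames, CIDR ranges and shell
# metacharacters are rejected before they can reach a command line.
is_valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# ensure_sets: create both sets; -exist makes reruns harmless
ensure_sets() {
    run ipset -exist create "$WHITELIST" hash:net hashsize 4096 maxelem 40960
    run ipset -exist create "$BLACKLIST" hash:net hashsize 262144 maxelem 600000 timeout "$DEFAULT_TIMEOUT"
}

# add_rule_once CHAIN RULESPEC...: insert at the top of CHAIN unless already present
add_rule_once() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -C "$@" 2>/dev/null; then
        run iptables -I "$@"
    fi
}

# ensure_rules: the LOG_BLACKLIST chain from the slides (rate-limited LOG, then DROP)
# and the two INPUT hooks. The blacklist hook is inserted first so the whitelist
# ACCEPT inserted afterwards ends up above it, as in the listing.
ensure_rules() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -n -L LOG_BLACKLIST >/dev/null 2>&1; then
        run iptables -N LOG_BLACKLIST
        run iptables -A LOG_BLACKLIST -m limit --limit 30/hour --limit-burst 30 \
            -j LOG --log-prefix "IPBlacklisted: " --log-level 4
        run iptables -A LOG_BLACKLIST -j DROP
    fi
    add_rule_once INPUT -p tcp -m set --match-set "$BLACKLIST" src -j LOG_BLACKLIST
    add_rule_once INPUT -p tcp -m set --match-set "$WHITELIST" src -j ACCEPT
}

# block_ip ADDR [TIMEOUT]: validate, never block a whitelisted source, then add the
# entry with its own expiry so the ban lifts automatically.
block_ip() {
    _ip=$1
    _timeout=${2:-$DEFAULT_TIMEOUT}
    if ! is_valid_ipv4 "$_ip"; then
        echo "refusing to block invalid address: $_ip" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" != "1" ] && ipset test "$WHITELIST" "$_ip" >/dev/null 2>&1; then
        echo "refusing to block whitelisted address: $_ip" >&2
        return 3
    fi
    run ipset -exist add "$BLACKLIST" "$_ip" timeout "$_timeout"
}

# Usage: DRY_RUN=1 sh blacklist.sh 203.0.113.1 3478
if [ $# -gt 0 ]; then
    ensure_sets
    ensure_rules
    block_ip "$@"
fi
```

The validation step matters because the address will later be fed in by scripts (the WAF exec hook, log parsers) rather than typed by hand; the whitelist check keeps an automated blocker from locking out monitoring or management hosts.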
IPTABLES (diagram): botnet -> hardware port mirror -> IPS (Snort, ipset, iptables).
MODSECURITY WAF
ModSecurity is a web application firewall working at Layer 7.
- Covers the most critical security risks to web applications
- No code modification required
- Easy to configure
- Flexible custom rules (OWASP, COMODO, ATOMIC)
MODSECURITY LOGS (audit log)
    --9650b61c-A--
    [20/Jun/2018:21:07:36 +0200] Wyql@LAcZ84ALHn77WUAAAAr 203.0.113.1 14250 98.51.100.1 80
    --9650b61c-B--
    GET /app/wordpress/wp-config.php HTTP/1.1
    Host: www.myserver.com
    Connection: keep-alive
    Accept: image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5
    User-Agent: Mozilla/5.0 (iphone; CPU iphone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    --9650b61c-F--
    HTTP/1.1 403 Forbidden
    --9650b61c-H--
    Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [line "2"] [msg "IP 203.0.113.1 block Country"]
    Action: Intercepted (phase 1)
    Producer: ModSecurity for Apache
    Server: Apache
    Engine-Mode: "ENABLED"

Flow: 1 rule with 2 blocking conditions (WPSCAN + GEOIP) -> tagged attack -> exec() action -> ModSecurity script blocks the IP in IPSET.
WAF (diagram): botnet -> hardware port mirror -> IPS (Snort, ipset, iptables, WAF, GeoIP) -> block IP/range/host.
SCRIPTS

MODSECURITY RULE (one rule, two chained blocking conditions: a wp-config.php probe AND a GeoIP country match)
    SecGeoLookupDb /usr/share/geoip/geoip.dat
    # REQUEST_URI is the variable name ModSecurity expects (the slide abbreviates it as URI).
    # id, phase and the disruptive deny/status belong on the first link of the chain.
    SecRule REQUEST_URI "wp-config.php" "chain,id:11111,phase:1,initcol:ip=%{REMOTE_ADDR},deny,status:403,msg:'IP %{REMOTE_ADDR} block Country'"
        SecRule REMOTE_ADDR "@geoLookup" "chain"
        # exec sits on the last link so the script runs only when the whole chain matches;
        # the file must end in .lua for ModSecurity to run it through its Lua engine.
        SecRule GEO:COUNTRY_CODE "@pm SN" "exec:/path/to/your/script.lua"

MODSECURITY LOGS
    Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [msg "IP 203.0.113.1 block Country"]

EXEC SCRIPT (Lua, run by the exec action; ModSecurity exposes the transaction through the m API)
    #!/usr/bin/lua
    function main()
        local remote_ip = m.getvar("REMOTE_ADDR")
        -- Only a plain IPv4 literal may reach the shell. REMOTE_ADDR comes from the
        -- socket, not from the request, but the check costs nothing.
        if remote_ip == nil or not remote_ip:match("^%d+%.%d+%.%d+%.%d+$") then
            m.log(1, "LUA block IP: unexpected REMOTE_ADDR, nothing blocked")
            return nil
        end
        -- The original quoted the variable name, so ipset received the literal word
        -- "remote_ip"; the address has to be concatenated in. ipset needs CAP_NET_ADMIN:
        -- the web-server user requires a sudo rule or a privileged helper for this call.
        local handle = io.popen("ipset add blacklist " .. remote_ip .. " -exist")
        if handle then handle:close() end
        local file = io.open("/tmp/lua_output.txt", "a")   -- append, one address per line
        if file then
            file:write(remote_ip, "\n")
            file:close()
        end
        m.log(1, "LUA block IP exec: " .. remote_ip)
        return nil
    end

Flow: tagged attack -> exec() action -> ModSecurity script blocks the IP in IPSET.
SCRIPTS (diagram): botnet -> hardware port mirror -> IPS (Snort, ipset, iptables, WAF, GeoIP) -> block IP/range/host; the logs feed the scripts.
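The LOGS -> SCRIPTS arrow in the diagram above is the feedback loop: the kernel lines written by the LOG_BLACKLIST chain (prefix "IPBlacklisted: ") tell you which blacklisted sources keep knocking, and on which ports, after they were banned. As an added example (not a script from the talk), this POSIX shell snippet summarises such lines and lists repeat offenders whose timeout is worth extending. The field layout (SRC=, DPT=) is the standard netfilter LOG format; the sample lines and the default path /var/log/iptables.log from the slides are constructed for the example, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: summarise "IPBlacklisted:" kernel log lines
# (written by the LOG_BLACKLIST chain) per source address and destination port.
set -eu

LOGFILE=${LOGFILE:-/var/log/iptables.log}

# sample_log: constructed log lines in netfilter LOG format (not from the slides)
sample_log() {
    cat <<'EOF'
Oct  7 10:00:00 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.1 DST=98.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:01 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.1 DST=98.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:02 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.2 DST=98.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2001 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:03 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.1 DST=98.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1003 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:04 server kernel: nf_conntrack: table full, dropping packet
EOF
}

# top_blocked [FILE]: print "count SRC DPT" for every blacklisted source/port pair,
# most frequent first. FILE defaults to stdin ("-"); lines without our log prefix
# (other kernel messages in the same file) are ignored.
top_blocked() {
    awk '
        /IPBlacklisted:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") hits[src " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' "${1:--}" | sort -rn
}

# repeat_offenders MIN [FILE]: sources whose total drops across all ports reach MIN,
# one per line, sorted; candidates for a longer blacklist timeout.
repeat_offenders() {
    _min=$1
    top_blocked "${2:--}" \
        | awk -v min="$_min" '{ total[$2] += $1 } END { for (s in total) if (total[s] >= min) print s }' \
        | sort
}

# Usage: sh blocked_sources.sh /var/log/iptables.log
if [ $# -gt 0 ]; then
    top_blocked "$1"
fi
```

Because the LOG rule is rate-limited (30/hour in the slides), the counts are a lower bound on the actual traffic from each source; they are enough to spot who keeps coming back, but not a measure of attack volume.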
ELK
"ELK" is the acronym for three open-source projects:
- Elasticsearch is a search and analytics engine.
- Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a "stash" like Elasticsearch.
- Kibana lets users visualize the data in Elasticsearch with charts and graphs.
ELK: SNORT TOP ATTACKS (1 DAY)
    87128  SYN Port Scan
    34685  BitTorrent Meta-Info Retrieving
    29371  Wordpress wp-login.php Login Attempt
    27273  Microsoft Windows RDP Server
    17086  Mercury Mail IMAP Command Buffer Overflow
    15310  Password Brute Force
    12440  Windows SMB Remote Code Execution Vulnerability
     7693  Possible HTTP DoS Attack with Invalid HTML Page Access
     7460  SQL Injection - Exploit II
     7219  Exim Buffer Overflow (CVE-2018-6789)
     6999  Drupal Remote Code Execution (CVE-2018-7600)
     6866  Monero Mining Possible ADB.Miner Worm Activity Detected
IPS (diagram): botnet -> hardware port mirror -> IPS: Snort feeds parsed data into ELK; ipset, iptables, WAF and GeoIP block by IP/range/host; the logs feed the scripts.
INITIAL SCENARIO revisited (diagram): the botnet (203.0.113.1, 203.0.113.2, 203.0.113.3) against the target 98.51.100.1, which now answers: GOOD LUCK DIMITRY!!! I'M BEHIND 7 PROXIES AND 1 IPS.
THANK YOU!!! Fighting bad guys with an IPS from scratch Daniel Conde Rodriguez EuskalHack Security Congress III 2018