September 17, Lecture 3

Conclude legal overview: CAN-SPAM Act
Discuss Peter Tippett Verizon paper
Review
Talk
  Recent data breaches (Heartland Systems)
    Similarities to TJX Stores (same individual involved)
  Data Breach Legislation: http://web.math.jjay.cuny.edu/fcm745/codes/
Review first 20 pages of Tippett paper

NetFilter Router Configuration Details

Overview of Linux Routing
  preprocess, forward, postprocess, input, output
  Tables (built-in and user defined)

A TCP Digression: TCP Connections
  3-way handshake to start (SYN, SYN-ACK, ACK)
  Identified by four values (src ip, src port, dst ip, dst port)
  TCP States: SYN_SENT (SYN), SYN_RECV (SYN-ACK), ESTABLISHED (ACK)
  Current TCP congestion control in Linux is called CUBIC (Reno and Tahoe?)
  Note: TCP provides flow control via the sliding window protocol
  TCP Three Way Handshake: http://www.tcpipguide.com/free/diagrams/tcpopen3way.png
  Complete TCP State Diagram: http://www.night-ray.com/TCPIP_State_Transition_Diagram.pdf

IPTABLES (The Nitty-Gritty)
  Good overview of IPTABLES Firewall Rules:
  http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html#ss7.1

Making a Linux Box a Router: ip_forward

    # ---Enable forwarding and disable internal
    echo "1" > /proc/sys/net/ipv4/ip_forward

A Digression into the Linux proc file system
  /proc file system: a wealth of OS (forensic) data
  many utilities get their data from it
  know proc - know LINUX
  let's take a tour of /proc
    vmstat              versus the vmstat command
    modules             versus the lsmod command
    version             versus uname -a
    cpuinfo
    /proc/pid/exe       program file
    /proc/pid/mem       process memory
    /proc/pid/maps      memory map
    /proc/pid/cmdline   command line (compare with the ps command)
    /proc/net/sockstat
      sockets: used 227
      TCP: inuse 6 orphan 0 tw 0 alloc 9 mem 1
      UDP: inuse 7 mem 0
      UDPLITE: inuse 0
      RAW: inuse 0
      FRAG: inuse 0 memory 0
    /proc/net/arp_cache
      IP address     HW type  Flags  HW address         Mask  Device
      192.168.1.160  0x1      0x0    00:00:00:00:00:00  *     eth1
      10.2.47.16     0x1      0x2    00:20:6b:a1:85:30  *     eth2
      10.2.47.1      0x1      0x2    00:00:0c:07:ac:2f  *     eth2
      192.168.0.51   0x1      0x2    00:12:3f:6f:82:03  *     eth0

  Some commands that get their info from proc
    lsof -ni                 shows all processes with active network ports
    netstat -n --inet
    netstat -nr
    ifconfig
    /proc/net/nf_conntrack   shows the connections IP_Tables is currently tracking
  Remember: du, find, ls, pidof, ps, top, netstat, ifconfig are often replaced by rootkits

Back to Router Configuration
  Where it starts: /etc/rc.d/rc.local
  A BASH shell loop to enable Reverse Path Filtering
    http://www.wlug.org.nz/ReversePathFiltering

    # ---disable internal network IP address spoofing (BASH script)
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
      echo "1" > $f
      echo "$f set to 1 for route verification"
    done

Basic Operating System Defense (From IP Tables Firewall HowTo)
  You can do several things before employing your firewall script to improve the resilience of your firewall to attack. For example, the Linux operating system has a number of built-in protection mechanisms that you should activate by modifying the system kernel parameters in the /proc filesystem via the /etc/sysctl.conf file. Using /etc/sysctl.conf to modify kernel parameters is explained in more detail in Appendix I, "Miscellaneous Linux Topics". Here is a sample configuration:

    # File: /etc/sysctl.conf
    #---------------------------------------------------------------
    # Disable routing triangulation. Respond to queries out
    # the same interface, not another. Helps to maintain state
    # Also protects against IP spoofing
    #---------------------------------------------------------------
    net/ipv4/conf/all/rp_filter = 1
    #---------------------------------------------------------------
    # Enable logging of packets with malformed IP addresses
    #---------------------------------------------------------------
    net/ipv4/conf/all/log_martians = 1
    #---------------------------------------------------------------
    # Disable redirects
    # sending ip packets out over same interface on which they
    # arrived.
    #---------------------------------------------------------------
    net/ipv4/conf/all/send_redirects = 0
    #---------------------------------------------------------------
    # Disable source routed packets
    # source specifies the path
    # See http://www.faqs.org/rfcs/rfc791.html page 19
    #---------------------------------------------------------------
    net/ipv4/conf/all/accept_source_route = 0
    #---------------------------------------------------------------
    # Disable acceptance of ICMP redirects
    #---------------------------------------------------------------
    net/ipv4/conf/all/accept_redirects = 0
    #---------------------------------------------------------------
    # Turn on protection from Denial of Service (DoS) attacks
    # Resources are not reserved until handshake completed
    #---------------------------------------------------------------
    net/ipv4/tcp_syncookies = 1
    #---------------------------------------------------------------
    # Disable responding to ping broadcasts
    #---------------------------------------------------------------
    net/ipv4/icmp_echo_ignore_broadcasts = 1
    #---------------------------------------------------------------
    # Enable IP routing. Required if your firewall is protecting a
    # network, NAT included
    #---------------------------------------------------------------
    net/ipv4/ip_forward = 1

  Additional information: http://my.safaribooksonline.com/9781587053368/ch04lev1sec6

IP Tables is a stateful firewall
  Tracks TCP connections (source ip, source port, dest ip, dest port)
  IPTables States
    INVALID      packet associated with no known connection
    ESTABLISHED  packet associated with a connection that has seen packets in both directions
    NEW          packet has started a new connection, or is associated with a connection that has not seen packets in both directions
    RELATED      packet is starting a new connection but is associated with an existing connection
  Connection Tracking in IP_Tables
    http://www.kalamazoolinux.org/presentations/20010417/conntrack.html
    /proc/net/nf_conntrack
    /proc/sys/net/netfilter/nf_conntrack_max

  /proc/net/nf_conntrack (a sample)
    ipv4 2 tcp 6 51 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2511 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2511 packets=0 bytes=0 mark=0 secmark=0 use=1
    ipv4 2 udp 17 7 src=192.168.0.51 dst=10.2.45.76 sport=1025 dport=161 packets=4 bytes=424 [UNREPLIED] src=10.2.45.76 dst=10.2.47.30 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
    ipv4 2 tcp 6 299 ESTABLISHED src=192.168.0.51 dst=192.168.0.1 sport=2321 dport=22 packets=1709 bytes=155564 src=192.168.0.1 dst=192.168.0.51 sport=22 dport=2321 packets=1434 bytes=164477 [ASSURED] mark=0 secmark=0 use=1
    ipv4 2 udp 17 13 src=192.168.0.51 dst=10.2.47.16 sport=1025 dport=161 packets=1 bytes=106 src=10.2.47.16 dst=10.2.47.30 sport=161 dport=1025 packets=1 bytes=109 mark=0 secmark=0 use=1
    ipv4 2 tcp 6 77 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2512 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2512 packets=0 bytes=0 mark=0 secmark=0 use=1
    ipv4 2 tcp 6 24 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2510 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2510 packets=0 bytes=0 mark=0 secmark=0 use=1
    ipv4 2 udp 17 26 src=192.168.0.51 dst=192.168.1.160 sport=1025 dport=161 packets=7 bytes=742 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
    ipv4 2 tcp 6 103 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2513 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2513 packets=0 bytes=0 mark=0 secmark=0 use=1

A good guide to IP Tables Firewalls
  http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

rc.firewall.new (started in rc.local, a BASH script)

    #!/bin/bash
    #---------------[ start ]-------------------
    ipt="/sbin/iptables"
    # eth2 is backbone (uplink to college network)
    # eth0 is internal network 192.168.0.0
    # eth1 is internal network 192.168.1.0
    bbone="eth2"
    subnet1="eth0"
    subnet2="eth1"
    AnyAddr="0/0"
    modprobe ip_tables
    modprobe iptable_nat
    #---Clear Rules from Tables
    $ipt -F
    $ipt -t nat -F
    #--------------[ end init ]------------------

    # ---Enable forwarding and disable internal
    # ---network IP address spoofing.
    echo "1" > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
      echo "1" > $f
      echo "$f set to 1 for route verification"
    done

    # --Disable all initial connections from the backbone.
    # --Allow only those that are responses to connections initiated from router.
    # --Drop packets from problem IP address
    # --log any traffic to ports 138 or 22
    $ipt -A INPUT -i eth2 -m state --state NEW,INVALID -j DROP
    $ipt -t nat -A PREROUTING -i eth2 -d 172.16.0.0/12 -j DROP
    $ipt -t nat -A PREROUTING -i eth2 -p tcp --dport 138 -j LOG --log-level 4 --log-prefix "[ RPC Warm ]"
    $ipt -A INPUT -d 10.2.47.30 -p tcp --dport 22 -j LOG --log-level WARNING --log-prefix "[ssh]"
    #--------------[ end default ]---------------

    # --Redirect traffic to internal addresses based on port assignments.
    #$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3501 -j DNAT --to 192.168.0.159:3389  # remote admin to windows box
    $ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3500 -j DNAT --to 192.168.1.9:22       # worldnode
    #$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3503 -j DNAT --to 192.168.0.50:4899   # remote admin workstation2 in 4214
    $ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3502 -j DNAT --to 192.168.0.51:4899    # D Salane Remote Admin
    #$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3505 -j DNAT --to 192.168.0.159:3505  # Test
    #------------[ end redirects ]-----------

    # drop packets from problem domains
    #blocked=`cat /root/firewall/blocks.fw`
    blocked=`cat /root/blocks.fw`
    for host in $blocked; do
      $ipt -A INPUT -s ${host} -j DROP
      $ipt -A OUTPUT -d ${host} -j DROP
      $ipt -A FORWARD -s ${host} -j DROP
      $ipt -A FORWARD -d ${host} -j DROP
    done

    # Apply IP Masquerading to packets sent out to the backbone
    # Forward packets identified as ESTABLISHED or RELATED
    # Forward all packets from internal subnets
    $ipt -t nat -A POSTROUTING -o $bbone -j MASQUERADE
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -i $subnet1 -j ACCEPT
    $ipt -A FORWARD -i $subnet2 -j ACCEPT
    #-------------[ end masquerading ]--------

References:
  D. Farmer and W. Venema, Forensic Discovery, Addison-Wesley 2008 (see links in text)
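The /proc tour in the notes ends with the warning that ps, netstat and friends are often replaced by rootkits. The script below is an added example, not part of the lecture notes or of Forensic Discovery, showing the check that warning implies: the numeric directories under /proc are the kernel's own process list, so a PID that is in /proc but missing from ps output is a candidate hidden process. The function names (proc_pids, ps_pids, compare_pid_sets, hidden_candidates, proc_cmdline) are my own; the only external tool assumed is a ps that accepts `-e -o pid=`.

```python
import os
import subprocess

# Added example for the /proc tour; not part of the lecture notes.
# /proc is the kernel's view of the process table; ps is a userland
# binary that a rootkit may have replaced, so compare the two.

def proc_pids(proc_root="/proc"):
    """PIDs listed as numeric directories under proc_root (empty set if unreadable)."""
    try:
        names = os.listdir(proc_root)
    except OSError:
        return set()
    return {int(n) for n in names if n.isdigit()}

def ps_pids():
    """PIDs reported by the ps binary; empty set if ps cannot be run."""
    try:
        out = subprocess.run(["ps", "-e", "-o", "pid="],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return set()
    return {int(tok) for tok in out.split() if tok.isdigit()}

def compare_pid_sets(proc_set, ps_set):
    """Pure comparison: PIDs only the kernel shows versus PIDs only ps shows."""
    return {
        "in_proc_not_ps": sorted(proc_set - ps_set),  # hidden-process candidates
        "in_ps_not_proc": sorted(ps_set - proc_set),  # usually ps itself / exited processes
    }

def hidden_candidates(proc_root="/proc"):
    """Snapshot /proc before and after running ps and only judge PIDs present in
    both snapshots, so processes that start or exit while ps runs (ps included)
    do not show up as false positives."""
    before = proc_pids(proc_root)
    seen = ps_pids()
    after = proc_pids(proc_root)
    return compare_pid_sets(before & after, seen)

def proc_cmdline(pid, proc_root="/proc"):
    """argv of a PID from /proc/<pid>/cmdline (NUL-separated); None if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as f:
            raw = f.read()
    except OSError:
        return None
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]

if __name__ == "__main__":
    report = hidden_candidates()
    for pid in report["in_proc_not_ps"]:
        print(f"PID {pid} is in /proc but not in ps output: {proc_cmdline(pid)}")
    if not report["in_proc_not_ps"]:
        print("no PIDs hidden from ps")
```

A PID in the first list is only a candidate: a kernel thread or a process that started in the gap between the ps run and the second snapshot can land there too, which is why the script prints /proc/<pid>/cmdline for each one rather than calling it a rootkit outright.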
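The /etc/sysctl.conf sample and the rp_filter loop in the notes set the kernel parameters; the audit below, an added example that is not part of the lecture notes or of the IP Tables Firewall HowTo, checks afterwards that the running kernel actually has those values. SAMPLE_SYSCTL_CONF is a constructed copy of the notes' keys, and build_fake_sys_tree writes a stand-in for /proc/sys in a temp directory so the audit can be exercised on any machine; the function names are my own. Against a real router the same functions are pointed at /proc/sys.

```python
import os
import tempfile

# Added example for the sysctl.conf sample and the rp_filter loop; not part
# of the lecture notes. Keys are kept in the slash form the notes use.
SAMPLE_SYSCTL_CONF = """\
# File: /etc/sysctl.conf (constructed copy of the notes' keys)
net/ipv4/conf/all/rp_filter = 1
net/ipv4/conf/all/log_martians = 1
net/ipv4/conf/all/send_redirects = 0
net/ipv4/conf/all/accept_source_route = 0
net/ipv4/conf/all/accept_redirects = 0
net/ipv4/tcp_syncookies = 1
net/ipv4/icmp_echo_ignore_broadcasts = 1
net/ipv4/ip_forward = 1
"""

def parse_sysctl_conf(text):
    """sysctl.conf -> {key: value}; accepts dotted or slash keys, ignores comments."""
    wanted = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        wanted[key.replace(".", "/")] = value   # dotted keys become /proc/sys paths
    return wanted

def read_sysctl(key, sys_root="/proc/sys"):
    """Current kernel value of a key, read from the /proc/sys tree (None if absent)."""
    try:
        with open(os.path.join(sys_root, *key.split("/"))) as f:
            return f.read().strip()
    except OSError:
        return None

def audit(wanted, sys_root="/proc/sys"):
    """{key: (expected, actual)} for every key whose live value differs or is unreadable."""
    findings = {}
    for key, expected in wanted.items():
        actual = read_sysctl(key, sys_root)
        if actual != expected:
            findings[key] = (expected, actual)
    return findings

def lax_rp_filter_interfaces(sys_root="/proc/sys"):
    """Interfaces whose own conf/<iface>/rp_filter is 0. The effective setting depends
    on both conf/all and conf/<iface> (the combining rule has differed between kernel
    versions), which is why the notes' bash loop writes every one of them."""
    conf_dir = os.path.join(sys_root, "net", "ipv4", "conf")
    try:
        ifaces = sorted(os.listdir(conf_dir))
    except OSError:
        return []
    return [i for i in ifaces
            if read_sysctl(f"net/ipv4/conf/{i}/rp_filter", sys_root) == "0"]

def build_fake_sys_tree(values, root=None):
    """Write a constructed /proc/sys lookalike from {key: value} under a temp dir."""
    root = root or tempfile.mkdtemp(prefix="fakesys-")
    for key, value in values.items():
        path = os.path.join(root, *key.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(value + "\n")
    return root

if __name__ == "__main__":
    wanted = parse_sysctl_conf(SAMPLE_SYSCTL_CONF)
    # Constructed host that missed two settings: accept_redirects left on, eth1 rp_filter off.
    root = build_fake_sys_tree({**wanted,
                                "net/ipv4/conf/all/accept_redirects": "1",
                                "net/ipv4/conf/eth0/rp_filter": "1",
                                "net/ipv4/conf/eth1/rp_filter": "0"})
    for key, (expected, actual) in audit(wanted, root).items():
        print(f"MISMATCH {key}: expected {expected}, got {actual}")
    print("interfaces with rp_filter=0:", lax_rp_filter_interfaces(root))
    if os.path.isdir("/proc/sys/net/ipv4"):   # same checks against the live kernel
        print("live findings:", audit(wanted))
        print("live interfaces with rp_filter=0:", lax_rp_filter_interfaces())
```

Running the audit from cron or at the end of rc.local catches the case the notes' comments warn about: a later script or a package upgrade that quietly turns accept_redirects or ip_forward back to the wrong value after the firewall came up.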
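The TCP digression says a connection is identified by four values and walks through SYN_SENT, SYN_RECV and ESTABLISHED; the /proc/net/nf_conntrack sample shows how the firewall records exactly that. The parser below is an added example, not part of the lecture notes or of the netfilter project, that reads the notes' sample (SAMPLE is a constructed copy of those eight entries) into the four-tuple, the reply tuple, the TCP state and the [UNREPLIED]/[ASSURED] flags, then maps each entry onto the iptables state vocabulary from the notes and counts half-open attempts per target. The function names are my own; the only assumption about a live system is the /proc/net/nf_conntrack line format the notes show.

```python
from collections import Counter

# Added example for the TCP digression and the nf_conntrack sample; not part of
# the lecture notes. SAMPLE is a constructed copy of the notes' entries.
SAMPLE = """\
ipv4 2 tcp 6 51 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2511 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2511 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 udp 17 7 src=192.168.0.51 dst=10.2.45.76 sport=1025 dport=161 packets=4 bytes=424 [UNREPLIED] src=10.2.45.76 dst=10.2.47.30 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 299 ESTABLISHED src=192.168.0.51 dst=192.168.0.1 sport=2321 dport=22 packets=1709 bytes=155564 src=192.168.0.1 dst=192.168.0.51 sport=22 dport=2321 packets=1434 bytes=164477 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 udp 17 13 src=192.168.0.51 dst=10.2.47.16 sport=1025 dport=161 packets=1 bytes=106 src=10.2.47.16 dst=10.2.47.30 sport=161 dport=1025 packets=1 bytes=109 mark=0 secmark=0 use=1
ipv4 2 tcp 6 77 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2512 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2512 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 24 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2510 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2510 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 udp 17 26 src=192.168.0.51 dst=192.168.1.160 sport=1025 dport=161 packets=7 bytes=742 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 103 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2513 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2513 packets=0 bytes=0 mark=0 secmark=0 use=1
"""

TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}

def parse_entry(line):
    """One nf_conntrack line -> dict with proto, timeout, TCP state (tcp only),
    original-direction tuple, reply-direction tuple, [FLAGS] and mark/secmark/use."""
    tokens = line.split()
    if len(tokens) < 6:
        return None
    entry = {"proto": tokens[2], "timeout": int(tokens[4]), "state": None,
             "flags": [], "orig": {}, "reply": {}}
    rest = tokens[5:]
    if entry["proto"] == "tcp":             # only TCP carries a state word before the tuples
        entry["state"], rest = rest[0], rest[1:]
    side = entry["orig"]
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])
            continue
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        if key == "src" and "src" in side:  # the second src= starts the reply direction
            side = entry["reply"]
        target = side if key in TUPLE_KEYS else entry
        target[key] = int(val) if val.isdigit() else val
    return entry

def parse_table(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]

def four_tuple(entry):
    """The four values the notes say identify a connection."""
    o = entry["orig"]
    return (o.get("src"), o.get("sport"), o.get("dst"), o.get("dport"))

def iptables_state(entry):
    """Map an entry onto the iptables --state vocabulary from the notes:
    packets seen in both directions -> ESTABLISHED, otherwise NEW."""
    return "ESTABLISHED" if entry["reply"].get("packets", 0) > 0 else "NEW"

def nat_translated(entry):
    """True when replies are addressed to a different host than the original source,
    i.e. the router rewrote the source address on the way out (MASQUERADE/SNAT)."""
    return entry["reply"].get("dst") != entry["orig"].get("src")

def unreplied_syn_sent(entries):
    """Half-open TCP entries (SYN sent, no SYN-ACK seen) per (src, dst, dport).
    Several toward one port of one host means that service is not answering."""
    counts = Counter()
    for e in entries:
        if e["proto"] == "tcp" and e["state"] == "SYN_SENT" and "UNREPLIED" in e["flags"]:
            o = e["orig"]
            counts[(o["src"], o["dst"], o["dport"])] += 1
    return counts

if __name__ == "__main__":
    try:
        with open("/proc/net/nf_conntrack") as f:   # live table when run on a Linux router
            text = f.read()
    except OSError:
        text = SAMPLE
    entries = parse_table(text)
    for e in entries:
        print(f"{e['proto']:<4}{(e['state'] or ''):<12}{four_tuple(e)} "
              f"{iptables_state(e):<12}nat={nat_translated(e)} flags={e['flags']}")
    for (src, dst, dport), n in unreplied_syn_sent(entries).items():
        print(f"{n} unanswered SYNs from {src} to {dst}:{dport}")
```

Two things in the sample become visible once it is parsed: the four SYN_SENT entries are four separate connections (same source and destination, four different source ports, each with three unanswered SYNs) toward 192.168.1.160:9100, and the SNMP entries toward 10.2.x hosts have a reply tuple addressed to 10.2.47.30 rather than to 192.168.0.51, which is the MASQUERADE rule from rc.firewall.new showing up in the connection-tracking table.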