Lecture3_PacketFiltering_Sept17

September 17, Lecture 3
Conclude legal overview: CanSpam Act
Discuss Peter Tippet Verizon paper
Review Talk
Recent data breaches (Heartland Systems)
Similarities to TJX Stores (same individual involved)
Data Breach Legislation
http://web.math.jjay.cuny.edu/fcm745/codes/
Review first 20 pages of Tippet Paper
NetFilter Router Configuration Details
Overview of Linux Routing
preprocess
forward
postprocess
input
output
Tables (built-in and user defined)
A TCP Digression:
TCP Connections
3-way handshake to start (syn, syn ack, ack)
Identified by four values (src ip, src port, dst ip, dst port)
TCP States: SYN_SENT (syn), SYN_RECV (syn ack), ESTABLISHED (ack)
Current TCP congestion control in Linux is called CUBIC (Reno and Tahoe?)
Note TCP provides flow control via the sliding window protocol
TCP Three Way Handshake
http://www.tcpipguide.com/free/diagrams/tcpopen3way.png
Complete TCP State Diagram
http://www.night-ray.com/TCPIP_State_Transition_Diagram.pdf
IPTABLES (The Nitty-Gritty)
Good overview of IPTABLES Firewall Rules
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html#ss7.1
Making a Linux Box a Router ip_forward
# ---Enable forwarding and disable internal
echo "1" > /proc/sys/net/ipv4/ip_forward
A Digression into the Linux proc file system
/proc file system
a wealth of OS (forensic) data
many utilities get their data from it
know proc – know LINUX
let's take a tour
/proc
vmstat versus the vmstat command
modules versus the lsmod command
version versus uname -a
cpuinfo
/proc/pid/exe: program file
/proc/pid/mem: process memory
/proc/pid/maps: memory map
/proc/pid/cmdline: command line; compare with the ps command
/proc/net/sockstat (a sample)
sockets: used 227
TCP: inuse 6 orphan 0 tw 0 alloc 9 mem 1
UDP: inuse 7 mem 0
UDPLITE: inuse 0
RAW: inuse 0
FRAG: inuse 0 memory 0
/proc/net/arp_cache (a sample)
IP address       HW type  Flags  HW address         Mask  Device
192.168.1.160    0x1      0x0    00:00:00:00:00:00  *     eth1
10.2.47.16       0x1      0x2    00:20:6b:a1:85:30  *     eth2
10.2.47.1        0x1      0x2    00:00:0c:07:ac:2f  *     eth2
192.168.0.51     0x1      0x2    00:12:3f:6f:82:03  *     eth0
some commands that get their info from proc
lsof -ni shows all processes with active network ports
netstat -n --inet
netstat -nr
ifconfig
/proc/net/nf_conntrack shows the connections that iptables (netfilter) is currently tracking
Remember: du, find, ls, pidof, ps, top, netstat, ifconfig are often replaced by rootkits, so cross-check their output against /proc
Back to Router Configuration
Where it starts: /etc/rc.d/rc.local
A BASH shell loop to enable Reverse Path Filtering
http://www.wlug.org.nz/ReversePathFiltering
# ---disable internal network IP address spoofing (BASH script)
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo "1" > $f
echo "$f set to 1 for route verification"
done
Basic Operating System Defense (From the IP Tables Firewall HowTo)
You can do several things before employing your firewall script to improve the resilience of your firewall to attack. For example, the Linux operating system has a number of built-in protection mechanisms that you should activate by modifying the system kernel parameters in the /proc filesystem via the /etc/sysctl.conf file. Using /etc/sysctl.conf to modify kernel parameters is explained in more detail in Appendix I, "Miscellaneous Linux Topics".
Here is a sample configuration:
# File: /etc/sysctl.conf
#--------------------------------------------------------------
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#--------------------------------------------------------------
net/ipv4/conf/all/rp_filter = 1
#--------------------------------------------------------------
# Enable logging of packets with malformed IP addresses
#--------------------------------------------------------------
net/ipv4/conf/all/log_martians = 1
#--------------------------------------------------------------
# Disable redirects
# sending ip packets out over same interface on which they
# arrived.
#--------------------------------------------------------------
net/ipv4/conf/all/send_redirects = 0
#--------------------------------------------------------------
# Disable source routed packets
# source specifies the path
# See http://www.faqs.org/rfcs/rfc791.html page 19
#--------------------------------------------------------------
net/ipv4/conf/all/accept_source_route = 0
#--------------------------------------------------------------
# Disable acceptance of ICMP redirects
#--------------------------------------------------------------
net/ipv4/conf/all/accept_redirects = 0
#--------------------------------------------------------------
# Turn on protection from Denial of Service (DOS) attacks
# Resources are not reserved until hand shake completed
#--------------------------------------------------------------
net/ipv4/tcp_syncookies = 1
#--------------------------------------------------------------
# Disable responding to ping broadcasts
#--------------------------------------------------------------
net/ipv4/icmp_echo_ignore_broadcasts = 1
#--------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#--------------------------------------------------------------
net/ipv4/ip_forward = 1
http://my.safaribooksonline.com/9781587053368/ch04lev1sec6 (additional information)
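An added example, not from the lecture or the HOWTO it quotes: a small Python audit that reads the same slash-form keys the sysctl.conf sample uses (they map directly onto paths under /proc/sys) and reports every setting the running kernel does not actually have. fake_proc_sys is a constructed stand-in for /proc/sys so the check can be exercised off a router.

```python
import os
import tempfile
# The hardening keys exactly as the sysctl.conf sample above writes them (slash form).
HARDENING_CONF = """\
net/ipv4/conf/all/rp_filter = 1
net/ipv4/conf/all/log_martians = 1
net/ipv4/conf/all/send_redirects = 0
net/ipv4/conf/all/accept_source_route = 0
net/ipv4/conf/all/accept_redirects = 0
net/ipv4/tcp_syncookies = 1
net/ipv4/icmp_echo_ignore_broadcasts = 1
net/ipv4/ip_forward = 1
"""

def parse_sysctl_conf(text):
    """{key: value} from sysctl.conf text; slash keys (net/ipv4/ip_forward) and
    dotted keys (net.ipv4.ip_forward) both normalise to the /proc/sys path form."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        settings[key.replace(".", "/")] = value
    return settings

def audit(expected, proc_sys="/proc/sys"):
    """Compare each expected setting with what the running kernel exposes under
    proc_sys. Returns (key, expected, actual) per mismatch; actual is None when
    the key is absent (module not loaded, or not a Linux box)."""
    findings = []
    for key, want in expected.items():
        try:
            with open(os.path.join(proc_sys, key)) as fh:
                got = fh.read().strip()
        except OSError:
            got = None
        if got != want:
            findings.append((key, want, got))
    return findings

def fake_proc_sys(values):
    """Constructed stand-in for /proc/sys so the audit can be exercised offline."""
    root = tempfile.mkdtemp()
    for key, value in values.items():
        path = os.path.join(root, key)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")
    return root
```

On a real router call audit(parse_sysctl_conf(open("/etc/sysctl.conf").read())) and compare with sysctl -p output; a non-empty list after boot means rc.local or sysctl.conf is not being applied.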
________________________________________
IP Tables is a stateful firewall
Tracks TCP connections (source ip, source port, dest ip, dest port)
IPTables States
INVALID: packet associated with no known connection
ESTABLISHED: packet associated with a connection that has seen packets in both directions
NEW: packet has started a new connection, or is associated with a connection that has not yet seen packets in both directions
RELATED: packet is starting a new connection but is associated with an existing connection
Connection Tracking in IP_Tables
http://www.kalamazoolinux.org/presentations/20010417/conntrack.html
/proc/net/nf_conntrack
/proc/sys/net/netfilter/nf_conntrack_max
/proc/net/nf_conntrack (a sample)
ipv4 2 tcp 6 51 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2511 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2511 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 udp 17 7 src=192.168.0.51 dst=10.2.45.76 sport=1025 dport=161 packets=4 bytes=424 [UNREPLIED] src=10.2.45.76 dst=10.2.47.30 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 299 ESTABLISHED src=192.168.0.51 dst=192.168.0.1 sport=2321 dport=22 packets=1709 bytes=155564 src=192.168.0.1 dst=192.168.0.51 sport=22 dport=2321 packets=1434 bytes=164477 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 udp 17 13 src=192.168.0.51 dst=10.2.47.16 sport=1025 dport=161 packets=1 bytes=106 src=10.2.47.16 dst=10.2.47.30 sport=161 dport=1025 packets=1 bytes=109 mark=0 secmark=0 use=1
ipv4 2 tcp 6 77 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2512 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2512 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 24 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2510 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2510 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 udp 17 26 src=192.168.0.51 dst=192.168.1.160 sport=1025 dport=161 packets=7 bytes=742 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 103 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2513 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2513 packets=0 bytes=0 mark=0 secmark=0 use=1
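An added example, not part of the lecture notes: a Python parser for the nf_conntrack format just shown. It maps each entry onto the iptables states listed above (an [UNREPLIED] entry is still NEW to the state match; anything seen both ways is ESTABLISHED), detects where MASQUERADE rewrote the source by comparing the original and reply tuples, and counts unreplied SYN_SENT entries per destination, which is how the repeated attempts at 192.168.1.160:9100 above stand out. The embedded sample is a re-joined copy of five of the entries above.

```python
from collections import Counter
# Constructed sample: five nf_conntrack entries from the notes above, one per line as the kernel prints them.
SAMPLE = """\
ipv4 2 tcp 6 51 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2511 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2511 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 udp 17 7 src=192.168.0.51 dst=10.2.45.76 sport=1025 dport=161 packets=4 bytes=424 [UNREPLIED] src=10.2.45.76 dst=10.2.47.30 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 299 ESTABLISHED src=192.168.0.51 dst=192.168.0.1 sport=2321 dport=22 packets=1709 bytes=155564 src=192.168.0.1 dst=192.168.0.51 sport=22 dport=2321 packets=1434 bytes=164477 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 udp 17 13 src=192.168.0.51 dst=10.2.47.16 sport=1025 dport=161 packets=1 bytes=106 src=10.2.47.16 dst=10.2.47.30 sport=161 dport=1025 packets=1 bytes=109 mark=0 secmark=0 use=1
ipv4 2 tcp 6 77 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2512 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2512 packets=0 bytes=0 mark=0 secmark=0 use=1
"""
INT_KEYS = {"sport", "dport", "packets", "bytes"}

def parse_entry(line):
    """One nf_conntrack line -> protocols, timeout, TCP state, flags and the orig/reply tuples."""
    tok = line.split()
    e = {"l3": tok[0], "proto": tok[2], "timeout": int(tok[4]), "flags": set(), "orig": {}, "reply": {}}
    rest = tok[5:]
    if e["proto"] == "tcp":          # only TCP carries a state word (SYN_SENT, ESTABLISHED, ...)
        e["tcp_state"] = rest.pop(0)
    side = None
    for t in rest:
        if t.startswith("["):        # [UNREPLIED] / [ASSURED]
            e["flags"].add(t.strip("[]"))
            continue
        k, v = t.split("=", 1)
        if k == "src":               # first src= opens the orig tuple, the second opens reply
            side = "reply" if side == "orig" else "orig"
        if k in ("src", "dst") or k in INT_KEYS:
            e[side][k] = int(v) if k in INT_KEYS else v
        else:
            e[k] = v                 # mark, secmark, use
    return e

def iptables_state(e):
    """What the iptables state match calls this flow: one-way traffic is NEW, both ways is ESTABLISHED."""
    return "NEW" if "UNREPLIED" in e["flags"] else "ESTABLISHED"

def is_masqueraded(e):
    """Reply tuple addressed to a host other than the originator: MASQUERADE rewrote the source."""
    return e["orig"]["src"] != e["reply"]["dst"]

def half_open(entries):
    """Unreplied SYN_SENT entries per destination ip:port; a cluster means repeated tries at a dead port."""
    c = Counter()
    for e in entries:
        if e.get("tcp_state") == "SYN_SENT" and "UNREPLIED" in e["flags"]:
            c[(e["orig"]["dst"], e["orig"]["dport"])] += 1
    return c

def summarize(text):
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    return entries, Counter(map(iptables_state, entries)), half_open(entries)
```

Run summarize(open("/proc/net/nf_conntrack").read()) on the router; the half_open counter approaching nf_conntrack_max is the symptom to watch for, since a full table makes netfilter drop new connections.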
A good guide to IP Tables Firewalls
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
rc.firewall.new (started in rc.local, a BASH script)
#---------------[ start ]-------------------
ipt="/sbin/iptables"
# eth2 is backbone (uplink to college network)
#eth0 is internal network 192.168.0.0
#eth1 is internal network 192.168.1.0
bbone="eth2"
subnet1="eth0"
subnet2="eth1"
AnyAddr="0/0"
modprobe ip_tables
modprobe iptable_nat
#---Clear Rules from Tables
$ipt -F
$ipt -t nat -F
#--------------[ end init ]------------------
# ---Enable forwarding and disable internal
# ---network IP address spoofing.
echo "1" > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo "1" > $f
echo "$f set to 1 for route verification"
done
# --Disable all initial connections from the backbone.
# --Allow only those that are responses to connections initiated from router.
# --Drop packets from problem IP address
# --log any traffic to ports 138 or 22
$ipt -A INPUT -i eth2 -m state --state NEW,INVALID -j DROP
$ipt -t nat -A PREROUTING -i eth2 -d 172.16.0.0/12 -j DROP
$ipt -t nat -A PREROUTING -i eth2 -p tcp --dport 138 -j LOG --log-level 4 --log-prefix "[ RPC Warm ]"
$ipt -A INPUT -d 10.2.47.30 -p tcp --dport 22 -j LOG --log-level WARNING --log-prefix "[ssh]"
#--------------[ end default ]---------------
# --Redirect traffic to internal addresses based on port assignments.
#$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3501 -j DNAT --to 192.168.0.159:3389 # remote admin to windows box
$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3500 -j DNAT --to 192.168.1.9:22 # worldnode
#$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3503 -j DNAT --to 192.168.0.50:4899 # remote admin workstation2 in 4214
$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3502 -j DNAT --to 192.168.0.51:4899 # D Salane Remote Admin
#$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3505 -j DNAT --to 192.168.0.159:3505 # Test
#------------[ end redirects ]-----------
#drop packets from problem domains
#blocked=`cat /root/firewall/blocks.fw`
blocked=`cat /root/blocks.fw`
for host in $blocked; do
$ipt -A INPUT -s ${host} -j DROP
$ipt -A OUTPUT -d ${host} -j DROP
$ipt -A FORWARD -s ${host} -j DROP
$ipt -A FORWARD -d ${host} -j DROP
done
#Apply IP Masquerading to packets sent out to the backbone
#Forward packets identified as ESTABLISHED or RELATED
#Forward all packets from internal subnets
$ipt -t nat -A POSTROUTING -o $bbone -j MASQUERADE
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $subnet1 -j ACCEPT
$ipt -A FORWARD -i $subnet2 -j ACCEPT
#-------------[ end masquerading ]--------
References:
D. Farmer and W. Venema, Forensic Discovery, Addison-Wesley 2008 (see links in text)