
Page 1: ipset - qccolab.com · Title: Microsoft PowerPoint - ipset.pptx Author: DKP Created Date: 4/11/2013 9:47:09 PM

Dynamic Firewalls with IPSet

Chris Cooper

Slides & Scripts:

http://QCCoLab.com/ipset

Page 2:

Where this all Started

Page 3:

MikroTik

• Linux Based

• Cheap

• Feature Rich

• Rugged

• Advanced

IPTables

Page 4:

MikroTik

Page 5:

IPSet

• Address Lists for IPTables

• IPSet project

– http://ipset.netfilter.org/

• Patch for Kernel 2.4.36

• Officially included in Kernel 2.6.39

• Nomatch & TC support added in 3.7

• Binary included in all major repos

Page 6:

A List of Things

• IPSet can store many types of data

– IP – Single IP addresses

– Net – Variable length subnets (using CIDR)

– Ports – Lump multiple service ports together

– IP,Port – A specific port at a specific IP

– IP,port,IP – A specific connection

– IP,MAC – For your Layer 2 filtering needs

– Set – Group sets together (Yo, dawg…)

Page 7:

Matching

• IPSet will match hosts inside networks

• Nomatch can be used for exceptions

Page 8:

So What?

• IPSet Simplifies Rules

• Creates objects to work with

Page 9:

Fail2Ban

• Fail2Ban – Bans IPs that cause trouble

– http://www.fail2ban.org/

• Modular Design

• Watches logs for keys like failed logins

• Can take a variety of actions

– Default is IPTables rules to block

– Creates a long ugly list of block rules

Page 10:

Fail2Ban

• IPSet support added very recently

• Not yet in any repos. Check GitHub

– action.d/iptables-ipset-proto4.conf

• IPSet is IPv6 friendly

– action.d/iptables-ipset-proto6.conf

vs

Oops. This refers to the version of IPSet used by fail2ban. Although IPSet does still support IPv6, fail2ban does not.

Page 11:

DenyHosts

• DenyHosts – Similar to fail2ban

– http://www.denyhosts.net/

• Centralized Server

Page 12:

DenyHosts

• 12,000 IPTables rules are not practical

– Adds ~5ms latency to every connection

• Uses hosts.deny

– Requires tcpwrapper

– Stock Apache & OpenSSH not supported

– Only protects local services (not a firewall)

Page 13:

It’s also Faster!

• IPSet’s Hash Tables are really fast

http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/

Page 14:

DenyHosts

• DenyHosts supports external scripts

• Add a quick script for setup

• PLUGIN_DENY PLUGIN_PURGE

• Just called for local trips (not database)

Page 15:

DenyHosts

• Finally, add a script to cron

• Loads central database entries

• Swap used for no interruption
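The two DenyHosts hooks on slides 14 and 15 (the PLUGIN_DENY / PLUGIN_PURGE script and the cron loader that uses ipset swap) together, as an added example that is not part of the slides, the DenyHosts project or the ipset project. It assumes set names "denyhosts" and "denyhosts_new", a central database export file with one host or CIDR per line (a trailing "nomatch" marks an exception inside a wider network, as on slide 7), and that DenyHosts passes the banned host as the first argument to the plugin scripts. Setting DRY_RUN=1 prints the ipset/iptables commands instead of running them, so the logic can be checked without root.

```shell
#!/bin/sh
# Added example (not from the slides, DenyHosts or ipset). Assumptions:
# set names "denyhosts"/"denyhosts_new", a central database file at
# $DB_FILE, and DenyHosts handing the host to PLUGIN_DENY/PLUGIN_PURGE as $1.

SET_NAME="${SET_NAME:-denyhosts}"
DB_FILE="${DB_FILE:-/var/lib/denyhosts/central-hosts.txt}"

# Run a command, or print it when DRY_RUN is set (no root or ipset module needed).
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time setup: the production set and the single iptables rule that consults it.
# hash:net holds both single hosts and CIDR blocks and supports nomatch exceptions.
ipset_setup() {
    run ipset -exist create "$SET_NAME" hash:net
    run iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# PLUGIN_DENY: DenyHosts calls this for each locally detected offender.
plugin_deny() {
    run ipset -exist add "$SET_NAME" "$1"
}

# PLUGIN_PURGE: DenyHosts calls this when it expires an entry.
plugin_purge() {
    run ipset -exist del "$SET_NAME" "$1"
}

# Cron job: rebuild a scratch set from the central database, then swap it in
# atomically so the live set never has a gap while it is being reloaded.
load_central() {
    tmp="${SET_NAME}_new"
    run ipset -exist create "$tmp" hash:net
    run ipset flush "$tmp"
    while read -r entry flag; do
        case "$entry" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        if [ "$flag" = "nomatch" ]; then
            # Exception: this host/net is NOT matched even if a wider net is.
            run ipset -exist add "$tmp" "$entry" nomatch
        else
            run ipset -exist add "$tmp" "$entry"
        fi
    done < "$DB_FILE"
    run ipset swap "$tmp" "$SET_NAME"
    run ipset destroy "$tmp"
}

# Dispatch on how DenyHosts (or cron) invoked the script.
case "${1:-}" in
    setup) ipset_setup ;;
    deny)  plugin_deny "$2" ;;
    purge) plugin_purge "$2" ;;
    load)  load_central ;;
esac
```

Point PLUGIN_DENY at `this-script deny` and PLUGIN_PURGE at `this-script purge` in the DenyHosts configuration, and schedule `this-script load` from cron. The swap is what keeps the 12,000-entry reload from opening a window with no blocks in place: the old set stays active until the new one is complete.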

Page 16:

What Happened to Dynamic?

• IPSet supports timeouts

– Create rules that automatically expire

• Iptables rules can add entries to a set

– Create your own IPS systems inside netfilter

Page 17:

Stop Brute Force Attempts

• Identify 3 SSH connections in 60 seconds

• Block the IP for 15 minutes

Page 18:

Port Knocking

• Hit TCP 123

• Within 5 seconds hit TCP 1338

• Within 5 seconds hit UDP 1175

• Open access for 5 minutes
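The two dynamic policies of slides 16 to 18, the SSH brute-force limiter (3 connections in 60 seconds, blocked for 15 minutes) and the three-stage port knock (TCP 123, TCP 1338, UDP 1175, then 5 minutes of access), written out as an added example that is not from the slides or the talk's script bundle. Both rely on the same two building blocks the slides name: ipset timeouts for entries that expire on their own, and the iptables SET target for adding entries from a rule. The thresholds and ports come from the slides; the set names, the protected port 22, the use of the "recent" match for counting, and the DRY_RUN switch are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the slides). Thresholds and knock ports are the
# slides'; set names, port 22 as the protected service and DRY_RUN are assumed.

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Slide 17: 3 new SSH connections in 60 s from one source -> ban for 900 s.
# ipset has no hit counter, so the counting uses the "recent" match; the ban
# itself is an entry in a hash:ip set that expires after 15 minutes.
ssh_bruteforce_rules() {
    run ipset -exist create ssh_ban hash:ip timeout 900
    # Record a timestamp for every new SSH connection per source address.
    run iptables -A INPUT -p tcp --dport 22 --syn -m recent --name ssh --set
    # Third timestamp inside 60 s: add the source to the ban set.
    run iptables -A INPUT -p tcp --dport 22 --syn \
        -m recent --name ssh --rcheck --seconds 60 --hitcount 3 \
        -j SET --add-set ssh_ban src
    # SET is non-terminating, so the DROP follows it and also catches the
    # connection that triggered the ban.
    run iptables -A INPUT -m set --match-set ssh_ban src -j DROP
}

# Slide 18: each stage is a set with a 5 s timeout; a knock only counts when
# the source is still a member of the previous stage's set.
port_knock_rules() {
    run ipset -exist create knock1 hash:ip timeout 5
    run ipset -exist create knock2 hash:ip timeout 5
    run ipset -exist create knock_open hash:ip timeout 300
    # Stage 1: TCP 123 puts the source into knock1 for 5 s.
    run iptables -A INPUT -p tcp --dport 123 --syn \
        -j SET --add-set knock1 src
    # Stage 2: TCP 1338 within 5 s moves it on to knock2.
    run iptables -A INPUT -p tcp --dport 1338 --syn \
        -m set --match-set knock1 src -j SET --add-set knock2 src
    # Stage 3: UDP 1175 within 5 s opens access for 300 s.
    run iptables -A INPUT -p udp --dport 1175 \
        -m set --match-set knock2 src -j SET --add-set knock_open src
    # The protected service is reachable only from knock_open members.
    run iptables -A INPUT -p tcp --dport 22 \
        -m set --match-set knock_open src -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -j DROP
}

case "${1:-}" in
    ssh)   ssh_bruteforce_rules ;;
    knock) port_knock_rules ;;
esac
```

Run `DRY_RUN=1 this-script ssh` to review the rules before applying them. Both functions append to INPUT, so the order in which they are applied decides which check a packet meets first; the knock rules assume a default DROP policy so that the knock packets themselves are not answered. An out-of-order knock is not penalised here; the stage entry simply expires after 5 seconds and the sequence starts over.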

Page 19:

More Ideas

• Detect & Block Port Scans

– UDP/TCP Port 0

– Look for invalid TCP Flags

• FIN,URG,PSH – Xmas Tree Scan

• FWSnort can convert Snort to IPTables

– Pick specific rules you understand

– http://www.cipherdyne.org/fwsnort/

• Beware of false positives!

Page 20:

You can do more than DROP

• Be creative with targets

• DNAT

– Forward hostile hosts to a honeypot

• REDIRECT

– Redirect to a “Captive Portal” page until auth

– Warn users (Don’t be Comcast)

• LIMIT

– Rate limit new connections

Page 21:

You can do more than DROP

• Mark packets for use with iproute2

– Route some users out a different connection

– Use statistic for source-based routing

• Throttle users with TC

– Detect p2p or bittorrent presence

• Easy to find, Hard to block

– Throttle all non-HTTP(s) traffic to dial-up

– Timeouts minimize false-positive impact
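Two of the non-DROP targets from slides 20 and 21 applied to one set of quarantined hosts, as an added example that is not from the slides: REDIRECT to a local captive-portal page until the user authenticates, and MARK so that iproute2 sends the same hosts out a different uplink. The set name "quarantine", the one-hour timeout, portal port 8080, fwmark 0x10, routing table 100 and the interface and gateway variables are all assumptions of this script; the slides name the techniques, not these values.

```shell
#!/bin/sh
# Added example (not from the slides). Set name, timeout, portal port, mark
# value, table number and the LAN_IF/ALT_IF/ALT_GW variables are assumed.

LAN_IF="${LAN_IF:-eth1}"      # interface the users sit behind
ALT_IF="${ALT_IF:-eth2}"      # alternate uplink for marked traffic
ALT_GW="${ALT_GW:-192.0.2.1}" # its next hop (constructed documentation address)

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Slide 20, REDIRECT: HTTP from quarantined hosts lands on a local portal
# page instead of the Internet. The one-hour timeout means a false positive
# clears itself even if nobody authenticates (slide 21, last bullet).
captive_portal_rules() {
    run ipset -exist create quarantine hash:ip timeout 3600
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -m set --match-set quarantine src -j REDIRECT --to-ports 8080
}

# Slide 21, MARK + iproute2: the same set selects hosts that are routed out
# the alternate connection. The mark is set in mangle/PREROUTING so the
# routing decision that follows sees it.
policy_route_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m set --match-set quarantine src -j MARK --set-mark 0x10
    run ip rule add fwmark 0x10 table 100
    run ip route add default via "$ALT_GW" dev "$ALT_IF" table 100
}

# Called by the portal backend after a user authenticates: one ipset call
# releases the host, with no iptables rule churn.
release_host() {
    run ipset -exist del quarantine "$1"
}

case "${1:-}" in
    portal)  captive_portal_rules ;;
    route)   policy_route_rules ;;
    release) release_host "$2" ;;
esac
```

Because every rule matches on the set rather than on individual addresses, the ruleset stays the same size whether one host or ten thousand are quarantined; the detection logic (a Fail2Ban action, a scan detector, a cron loader) only ever touches the set.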

Page 22:

Questions?

• Chris Cooper

– Twitter: @CC_DKP

[email protected]

• Slides & Scripts:

– http://QCCoLab.com/ipset