PHP Developers Network

All times are UTC - 5 hours




 Post subject: Adaptive firewall
PostPosted: Mon Jun 16, 2008 5:24 pm 
DevNet Master

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4313
Location: Sofia, Bulgaria
Well, it's not a question, but a solution :)
My firewall :)

Code:
#!/bin/bash
#
# Adaptive iptables firewall. Each protected service has its own chain; a
# source that trips a chain's limit is handed to ADAPT, and a source that
# reaches ADAPT three times inside 180 s is put into "banned-hosts", after
# which all of its packets are dropped for 36000 s (10 hours). The ban rule
# uses --update, so the 10 hour window restarts on every packet the banned
# host sends.
#
# No default policies are set here: anything not matched below is still
# ACCEPTed by the built-in chains, so this is a rate limiter on top of an
# otherwise open host, not a default-deny firewall.

# Allow 1000 addresses per "recent" list instead of the default 100.
# Newer kernels name the module xt_recent but keep ipt_recent as an alias.
/sbin/modprobe ipt_recent ip_list_tot=1000

ipt="/usr/local/sbin/iptables"
ips="/usr/local/sbin/ipset"

# Start from a clean slate: flush rules, delete user chains, zero counters
for TABLE in filter nat mangle; do
    $ipt -t $TABLE -F
    $ipt -t $TABLE -X
    $ipt -t $TABLE -Z
done

# No rule references a set any more, so the sets can be destroyed as well
$ips -F
$ips -X

if [ "$1" = "stop" ]; then
    echo
    echo "Stopping firewall..."
    echo
    exit 0
fi

# White IP list (2008 ipset syntax; current releases spell it
# "ipset create WL hash:ip" / "ipset add WL <addr>", and the match used in
# the chains below, "-m set --set WL src", is now "-m set --match-set WL src")
$ips -N WL iphash
$ips -A WL 127.0.0.1
$ips -A WL 90.90.0.1

# White nets list
$ips -N WLN nethash
$ips -A WLN 90.91.0.0/24

### ADAPTIVE TOTAL DROP ###
# Must stay the first INPUT rule: every packet from a banned host is dropped,
# and --update re-stamps the entry so the 36000 s window slides forward.
$ipt -A INPUT -m recent --name banned-hosts --update --seconds 36000 -j DROP

# BANNED: log (at most once per second), stamp the host, return to ADAPT
$ipt -N BANNED
$ipt -A BANNED -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "FW BANNED: "
$ipt -A BANNED -m recent --name banned-hosts --set -j RETURN

# ADAPT: every suspicious event lands here. --hitcount 2 counts the stamps
# already present, so a host with two watch-hosts stamps from the last 180 s
# is banned on its third visit. Either way the visit is stamped and control
# returns to the calling chain.
$ipt -N ADAPT
$ipt -A ADAPT -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "FW ADAPT: "
$ipt -A ADAPT -m recent --hitcount 2 --name watch-hosts --update --seconds 180 -j BANNED
$ipt -A ADAPT -m recent --name watch-hosts --set -j RETURN

### MALFORMED PACKETS ###

# Smurf attack: ICMP aimed at a broadcast address
$ipt -A INPUT -p icmp -d 0.0.0.255/0.0.0.255 -j DROP

# Invalid TCP option numbers
$ipt -A INPUT -p tcp --tcp-option 128 -j DROP
$ipt -A INPUT -p tcp --tcp-option 64 -j DROP

# Xmas packets (all flags set)
$ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Null packets (no flags set)
$ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# New TCP connections must be SYN packets!
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Anything conntrack cannot classify
$ipt -A INPUT -m state --state INVALID -j DROP

# Local IP filter: RFC 1918 space has no business on the public interfaces,
# and loopback addresses may only appear on lo.
# (The original used 172.16.0.0/16; the RFC 1918 block is 172.16.0.0/12.)
$ipt -t mangle -A PREROUTING -i eth+ -s 172.16.0.0/12 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 172.16.0.0/12 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 192.168.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -s 192.168.0.0/16 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -s 10.0.0.0/8 -j DROP
$ipt -t mangle -A PREROUTING -i eth+ -d 10.0.0.0/8 -j DROP
$ipt -t mangle -A PREROUTING ! -i lo -s 127.0.0.0/8 -j DROP

# Block ICMP timestamp (reveals the system clock)
$ipt -A INPUT -p icmp --icmp-type timestamp-request -j DROP
$ipt -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

# Always allow VPN users
$ipt -A INPUT -i ppp+ -j ACCEPT
$ipt -A OUTPUT -o ppp+ -j ACCEPT

# Always allow localhost
$ipt -A INPUT -i lo -j ACCEPT

# Port scan detection ("-m psd" comes from patch-o-matic / xtables-addons,
# not from stock iptables). Pattern used by all flood chains below:
#   already flagged in the last 60 s   -> DROP
#   whitelisted / under the limit      -> RETURN
#   over the limit                     -> flag, ADAPT, DROP
$ipt -N PSD
$ipt -A INPUT -m recent --name PSD --update --seconds 60 -j DROP
$ipt -A INPUT -m psd --psd-weight-threshold 10 --psd-delay-threshold 200 -j PSD
$ipt -A PSD -m set --set WL src -j RETURN
$ipt -A PSD -m recent --name PSD --set -j ADAPT
$ipt -A PSD -j DROP

# Syn-flood protection: more than 1 SYN/s sustained (burst 50) per source
$ipt -N syn-flood
$ipt -A INPUT -p tcp --syn -j syn-flood
$ipt -A syn-flood -m set --set WL src -j RETURN
$ipt -A syn-flood -m recent --name syn-flood --update --seconds 60 -j DROP
$ipt -A syn-flood -m hashlimit --hashlimit 1/s --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-name syn-flood -j RETURN
$ipt -A syn-flood -m recent --name syn-flood --set -j ADAPT
$ipt -A syn-flood -j DROP

# Furtive port scanner: bare RST segments arriving faster than 1/s (burst 2)
$ipt -N port-scan
$ipt -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
$ipt -A port-scan -m recent --name port-scan --update --seconds 60 -j DROP
$ipt -A port-scan -m hashlimit --hashlimit 1/s --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name port-scan -j RETURN
$ipt -A port-scan -m recent --name port-scan --set -j ADAPT
$ipt -A port-scan -j DROP

# Ping of death: echo requests of 128+ bytes are limited to 1/s per source,
# smaller ones to 5/s (burst 10); whitelisted nets get 50/s
$ipt -N PoD
$ipt -A INPUT -p icmp --icmp-type echo-request -j PoD
$ipt -A PoD -m set --set WL src -j RETURN
$ipt -A PoD -m set --set WLN src -m limit --limit 50/s --limit-burst 60 -j RETURN
$ipt -A PoD -m recent --name PoD --update --seconds 60 -j DROP
$ipt -A PoD -m length --length 128: -m hashlimit --hashlimit 1/s --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name PoD -j RETURN
$ipt -A PoD -m hashlimit --hashlimit 5/s --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name PoD -j RETURN
$ipt -A PoD -m recent --name PoD --set -j ADAPT
$ipt -A PoD -j DROP

# Mail protection: at most 2 concurrent connections per source, and the
# third new connection inside 60 s is dropped.
# NOTE on the last three rules (same shape in SSH and FTP below): a source
# not seen for 60 s is recorded and passed through ADAPT on its *first*
# connection, so three such "first" connections inside 180 s (for example
# one every 70 s) are enough to ban it. Whitelist your own clients.
$ipt -N MAIL
$ipt -A INPUT -p tcp --dport 25 --syn -j MAIL
$ipt -A INPUT -p tcp --dport 143 --syn -j MAIL
$ipt -A MAIL -m set --set WL src -j RETURN
$ipt -A MAIL -p tcp -m connlimit --connlimit-above 2 --connlimit-mask 32 -j REJECT
$ipt -A MAIL -m recent --hitcount 2 --name mail --update --seconds 60 -j DROP
$ipt -A MAIL -m recent --name mail --update --seconds 60 -j RETURN
$ipt -A MAIL -m recent --name mail --set -j ADAPT

# SSH bruteforce attack protection. This counts SYNs, not failed logins:
# the third connection attempt inside 60 s from one source is dropped.
$ipt -N SSH
$ipt -A INPUT -p tcp --dport 22 --syn -j SSH
$ipt -A SSH -m set --set WL src -j RETURN
$ipt -A SSH -p tcp -m recent --hitcount 2 --name SSH --update --seconds 60 -j DROP
$ipt -A SSH -p tcp -m recent --name SSH --update --seconds 60 -j RETURN
$ipt -A SSH -m recent --name SSH --set -j ADAPT

# FTP bruteforce attack protection (same logic as SSH; whitelisted nets too)
$ipt -N FTP
$ipt -A INPUT -p tcp --dport 21 --syn -j FTP
$ipt -A FTP -m set --set WL src -j RETURN
$ipt -A FTP -m set --set WLN src -j RETURN
$ipt -A FTP -p tcp -m recent --hitcount 2 --name FTP --update --seconds 60 -j DROP
$ipt -A FTP -p tcp -m recent --name FTP --update --seconds 60 -j RETURN
$ipt -A FTP -m recent --name FTP --set -j ADAPT


If you feel like it will lead to a DoS, change the target of this line:
Code:
$ipt -A INPUT -m recent --name banned-hosts --update --seconds 36000 -j DROP

to (random or n-th match) + DROP

Also, for those who really hate to be probed - use TARPIT or MIRROR targets ;)

_________________
There are 10 types of people in this world, those who understand binary and those who don't


 Post subject: Re: Adaptive firewall
PostPosted: Sun Jul 13, 2008 3:30 am 
DevNet Master

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4313
Location: Sofia, Bulgaria
I think I should have written some explanations about it ;)

We have several special user-defined chains for discovering attacks:
    Port scan detection
    Syn-flood protection
    Ping of death
    Mail protection
    SSH bruteforce attack protection
    FTP bruteforce attack protection

Each of these chains defends the corresponding service (or the server itself) from being attacked.
Also, each of them has a jump-to-ADAPT-chain rule which is reached when an attack on a particular service is performed several times in a defined (relatively short) period of time. The "execution" of this rule leads to dropping *all* of the packets sent by the attacking IP for a relatively long period of time (1 hour in my script). The timer for this period is reset on every incoming packet with the source address of the attacking IP. This way the attacker's packets can be rejected for a *much* longer time than the one specified in the "### ADAPTIVE TOTAL DROP ###" rule.



Last edited by VladSun on Mon Jul 14, 2008 1:52 am, edited 1 time in total.

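The explanation above describes the ADAPT / BANNED mechanism in words; when a host actually gets banned depends on how `-m recent` counts its timestamps. The Python model below is an added example, not code from the original post or from VladSun. It re-implements the xt_recent bookkeeping (a `--set` always stamps the address, an `--update` stamps it only when the rule matched, `--hitcount` counts the stamps already present inside `--seconds`) and runs the posted SSH chain, with the script's own rule constants, against two constructed traffic patterns from one made-up source address (203.0.113.7). The whitelist is a plain set standing in for the WL ipset.

```python
"""Offline model of the thread's ADAPT / BANNED chains built on `-m recent`."""
from collections import defaultdict

SERVICE_SECONDS = 60    # --seconds on the per-service (SSH) list
SERVICE_HITCOUNT = 2    # --hitcount on the per-service DROP rule
WATCH_SECONDS = 180     # --seconds on the watch-hosts rule in ADAPT
WATCH_HITCOUNT = 2      # --hitcount on that rule
BAN_SECONDS = 36000     # --seconds on the banned-hosts rule (10 hours)
MAX_STAMPS = 20         # kernel default ip_pkt_list_tot


class RecentList:
    """One named `-m recent` table: per-source list of packet timestamps.

    xt_recent semantics: --rcheck/--update match when the source is already
    listed and at least `hitcount` of its stamps fall inside the last
    `seconds`; --update adds a stamp only when the rule matched; --set
    always adds one. Only the newest MAX_STAMPS stamps are kept."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        self._stamp(src, now)
        return True

    def update(self, src, now, seconds, hitcount=1):
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        self._stamp(src, now)
        return True

    def _stamp(self, src, now):
        lst = self.stamps[src]
        lst.append(now)
        del lst[:-MAX_STAMPS]


class AdaptiveFirewall:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)   # stands in for the WL ipset
        self.ssh = RecentList()           # --name SSH
        self.watch = RecentList()         # --name watch-hosts
        self.banned = RecentList()        # --name banned-hosts
        self.events = []                  # what the LOG rules would record

    def ssh_syn(self, src, now):
        """Verdict for one TCP SYN to port 22 from `src` at time `now` (seconds)."""
        # INPUT rule 1: banned hosts are dropped, and the ban window slides
        if self.banned.update(src, now, BAN_SECONDS):
            return "DROP"
        # SSH chain, rules in the script's order
        if src in self.whitelist:         # -m set --set WL src -j RETURN
            return "ACCEPT"
        if self.ssh.update(src, now, SERVICE_SECONDS, SERVICE_HITCOUNT):
            return "DROP"                 # third or later SYN inside 60 s
        if self.ssh.update(src, now, SERVICE_SECONDS):
            return "ACCEPT"               # second SYN inside 60 s
        self.ssh.set(src, now)            # first SYN in a while
        self._adapt(src, now)
        return "ACCEPT"                   # chain ends; the policy is ACCEPT

    def _adapt(self, src, now):
        self.events.append((now, src, "ADAPT"))
        if self.watch.update(src, now, WATCH_SECONDS, WATCH_HITCOUNT):
            # BANNED chain: log, --set banned-hosts, RETURN to ADAPT
            self.events.append((now, src, "BANNED"))
            self.banned.set(src, now)
        self.watch.set(src, now)          # last ADAPT rule, then RETURN


def trace(times, whitelist=()):
    """Feed SSH SYNs from one constructed source at the given times."""
    fw = AdaptiveFirewall(whitelist)
    verdicts = [fw.ssh_syn("203.0.113.7", t) for t in times]
    return verdicts, fw


def burst_bruteforce():
    """Four SYNs in four seconds: rate-limited, but never banned."""
    return trace([0, 1, 2, 3])[0]


def slow_reconnects():
    """A SYN every 70 s: the third one trips BANNED, the next is dropped,
    and any packet inside the 36000 s window slides the ban forward."""
    return trace([0, 70, 140, 141, 35141, 71140, 107141])[0]


if __name__ == "__main__":
    print("burst :", burst_bruteforce())
    print("slow  :", slow_reconnects())
    print("events:", trace([0, 70, 140])[1].events)
```

The burst pattern shows that a rapid brute-forcer is only rate-limited (two SYNs per minute get through) and reaches ADAPT once per 60 s at most. The slow pattern shows that three "first" connections 70 s apart are enough to trigger BANNED, that the packet which triggers the ban still passes (the banned-hosts rule was evaluated before the SSH chain ran), and that the ban is extended by every later packet from that host until it stays quiet for the full 36000 s.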
 Post subject: Re: Adaptive firewall
PostPosted: Sun Jul 13, 2008 11:35 am 
DevNet Master

Joined: Tue May 24, 2005 6:01 pm
Posts: 3179
Location: UK
iptables confuses the crap out of me. I use firehol and find it very good.


 Post subject: Re: Adaptive firewall
PostPosted: Mon Jul 14, 2008 2:00 am 
DevNet Master

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4313
Location: Sofia, Bulgaria
:) I love iptables ;)

In fact, firehol is just a wrapper around iptables - it would be easy for you to write firewalls in plain iptables rules.
And I did stress the adaptiveness of the firewall - that's the important part :)



 Post subject: Re: Adaptive firewall
PostPosted: Mon Jul 14, 2008 7:47 pm 
DevNet Evangelist

Joined: Tue Dec 21, 2004 6:00 pm
Posts: 6267
Location: Winnipeg
Is this for a production server?

My development server sits behind a NAT router so I don't really concern myself about outside attacks, only internal screw ups on my behalf. :P

I'm wondering though if my dedicated server could use this...if it doesn't already have a firewall -- I think it might though.


 Post subject: Re: Adaptive firewall
PostPosted: Tue Jul 15, 2008 1:15 am 
DevNet Master

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4313
Location: Sofia, Bulgaria
Hockey wrote:
Is this for a production server?

Yes.

Hockey wrote:
My development server sits behind a NAT router so I don't really concern myself about outside attacks, only internal screw ups on my behalf. :P


Probably you don't need one unless you are doing some port-forwarding.

Hockey wrote:
I'm wondering though if my dedicated server could use this...if it doesn't already have a firewall -- I think it might though.


Try it :)
From time to time you may wish to run:
Code:
iptables -nxvL

to see what's happening in the firewall.



 Post subject: Re: Adaptive firewall
PostPosted: Tue Jul 15, 2008 6:56 am 
DevNet Evangelist

Joined: Tue Dec 21, 2004 6:00 pm
Posts: 6267
Location: Winnipeg
I'm not even remotely familiar with iptables...everything above is just gibberish for the most part...your firewall certainly doesn't have the easy-feeling interface of ZoneAlarm, does it? :P

I'll re-read your explanation and then go over some articles and see if I can't understand it better and how everything fits together.

p.s-I do use port forwarding but only for a few minutes a day to let people test my application then I close the ports. :P


 Post subject: Re: Adaptive firewall
PostPosted: Tue Jul 15, 2008 7:38 am 
DevNet Master

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4313
Location: Sofia, Bulgaria
Hockey wrote:
your firewall certianly doesn' t have the easy feeling interface of ZoneAlarm, does it?


:P
Sounds like: "Wouldn't it be nice to have a mouse-driven-only, no-keyboard-needed PHP visual editor." ;)



 Post subject: Re: Adaptive firewall
PostPosted: Mon Jul 21, 2008 1:50 pm 
DevNet Evangelist

Joined: Tue Dec 21, 2004 6:00 pm
Posts: 6267
Location: Winnipeg
Or drop the mouse altogether and have an iris tracking device move the cursor to wherever my eyes are, and blinking should click...instead of typing, the device should just pick up brain signals and over time build an entire vocabulary of words I frequently use and automatically inject them based on heuristics and an artificial intelligence algorithm that keeps getting smarter. :P

Honestly I would love to get rid of the mouse...it slows me down so much in my daily bump and grind...mastering accelerator keys is nice but way too verbose. I've wondered if any kind of iris tracker exists which I could install on the top of my monitor and move the cursor with my eyes. That would be sweet. If I ever went into computer science for my masters, that would be my thesis. :P


 Post subject: Re: Adaptive firewall
PostPosted: Wed Aug 25, 2010 3:59 pm 
Forum Newbie

Joined: Wed Aug 25, 2010 3:49 pm
Posts: 1
Hi VladSun

This is a really neat script - thanks - exactly what I have been after.

However, I don't appear to have ipset available on my machine. Is there a way of running without it? It seems to be just making sure that kernel records of currently active IPs in memory are flushed, renamed, etc. as part of the firewall. What would be the impact if I just commented out all references to ipset in your script and used the iptables parts only?

(I think to install ipset I would need to rebuild my kernel, which I would rather avoid at this point in time; I have enough problems to contend with at present without compounding them.)

If you are still around, or if anyone else has an idea, your help would be very much appreciated.

cheers


 Post subject: Re: Adaptive firewall
PostPosted: Wed Aug 25, 2010 10:23 pm 
Forum Contributor

Joined: Sun Sep 09, 2007 6:27 pm
Posts: 282
Another 'thank you' for this posting, and for the detailed explanation.


 Post subject: Re: Adaptive firewall
PostPosted: Thu Aug 26, 2010 2:21 pm 
DevNet Master

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4313
Location: Sofia, Bulgaria
rcain wrote:
Hi VladSun

This is a really neat script - thanks - exactly what I have been after.

However, I don't appear to have ipset available on my machine. Is there a way of running without it? It seems to be just making sure that kernel records of currently active IPs in memory are flushed, renamed, etc. as part of the firewall. What would be the impact if I just commented out all references to ipset in your script and used the iptables parts only?

(I think to install ipset I would need to rebuild my kernel, which I would rather avoid at this point in time; I have enough problems to contend with at present without compounding them.)

If you are still around, or if anyone else has an idea, your help would be very much appreciated.

cheers


ipset is used only for creating "white" IP lists (i.e. IP addresses marked as "safe") - you can remove all references to ipset and this firewall will still work. But you must be more careful when trying to connect through it, otherwise you may get marked as an attacker ;) (i.e. don't send wrong passwords to your SSH server).

PS: You can substitute the "ipset-lines" with several per-IP lines.



Last edited by VladSun on Thu Aug 26, 2010 2:23 pm, edited 3 times in total.

 Post subject: Re: Adaptive firewall
PostPosted: Thu Aug 26, 2010 2:21 pm 
DevNet Master

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4313
Location: Sofia, Bulgaria
Doug G wrote:
Another 'thank you' for this posting, and for the detailed explanation.

:drunk:


