LINUX FIREWALLS
ATTACK DETECTION AND RESPONSE WITH IPTABLES, PSAD, AND FWSNORT
MICHAEL RASH

USE IPTABLES TO DETECT AND PREVENT NETWORK-BASED ATTACKS

System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection system (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack.

Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You’ll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.

Concrete examples illustrate concepts such as firewall log analysis and policies, passive network authentication and authorization, exploit packet traces, Snort ruleset emulation, and more with coverage of:

• Application layer attack detection with the iptables string match extension and fwsnort
• Building an iptables ruleset that emulates a Snort ruleset
• Port knocking vs. Single Packet Authorization (SPA)
• Tools for visualizing iptables logs
• Passive OS fingerprinting with iptables

Perl and C code snippets offer practical examples that will help you to maximize your deployment of Linux firewalls.

If you’re responsible for keeping a network secure, you’ll find Linux Firewalls invaluable in your attempt to understand attacks and use iptables—along with psad and fwsnort—to detect and even prevent compromises.

“Linux Firewalls is a great book.”
—From the foreword by Richard Bejtlich of TaoSecurity.com

ABOUT THE AUTHOR

Michael Rash is a security architect with Enterasys Networks, Inc., where he develops the Dragon intrusion detection and prevention system. He is a frequent contributor to open source projects and the creator of psad, fwknop, and fwsnort. Rash is an expert on firewalls, intrusion detection systems, passive OS fingerprinting, and the Snort rules language. He is co-author of Snort 2.1 Intrusion Detection (Syngress, 2004) and author of Intrusion Prevention and Active Response (Syngress, 2005), and he has written security articles for Linux Journal, Sys Admin magazine, and ;login:.

THE FINEST IN GEEK ENTERTAINMENT™ $49.95 ($59.95 CDN)
www.nostarch.com
This book uses RepKover—a durable binding that won’t snap shut.
SHELVE IN: COMPUTER SECURITY/NETWORKING
Printed on recycled paper
www.it-ebooks.info
PRAISE FOR LINUX FIREWALLS
“Right from the start, the book presented valuable information and pulled me in.
Each of the central topics was thoroughly explained in an informative, yet
engaging manner. Essentially, I did not want to stop reading.”
–SLASHDOT
“What really makes this book different from the others I’ve seen over the years
is that the author approaches the subject in a layered method while exposing
potential vulnerabilities at each step. So for those that are new to the security
game, the book also takes a stab at teaching the basics of network security while
teaching you the tools to build a modern firewall.”
–INFOWORLD
“This admirable, eminently usable text goes much further than advertised.”
–LINUX USER AND DEVELOPER
“This well-researched book heightens an average system administrator’s
awareness to the vulnerabilities in his or her infrastructure, and the potential
to find hardening solutions.”
–FREE SOFTWARE MAGAZINE
“If you or anyone you know is responsible for keeping a secure network, Linux
Firewalls is an invaluable resource to have by your side.”
–LINUXSECURITY.COM
“If you’re building a Linux firewall and want to know what all the bells and
whistles are, when you might want to set them off, and how to hook them
together, here you go.”
–;LOGIN
“If you run one or more Linux based firewalls, this book will not only help you to
configure them securely, it will help you understand how they can be monitored
to discover evidence of probes, abuse and denial of service attacks.”
–RON GULA, CTO & CO-FOUNDER OF TENABLE NETWORK SECURITY
LINUX FIREWALLS
Attack Detection and
Response with iptables,
psad, and fwsnort
by Michael Rash
San Francisco
LINUX FIREWALLS. Copyright © 2007 by Michael Rash.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior
written permission of the copyright owner and the publisher.
Printed on recycled paper in the United States of America
11 10 09 08 2 3 4 5 6 7 8 9
ISBN-10: 1-59327-141-7
ISBN-13: 978-1-59327-141-1
Publisher: William Pollock
Production Editor: Christina Samuell
Cover and Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Pablo Neira Ayuso
Copyeditors: Megan Dunchak and Bonnie Granat
Compositors: Christina Samuell and Riley Hoffman
Proofreaders: Karol Jurado and Riley Hoffman
Indexer: Nancy Guenther
For information on book distributors or translations, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
555 De Haro Street, Suite 250, San Francisco, CA 94107
phone: 415.863.9900; fax: 415.863.9950; [email protected]; www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Rash, Michael.
Linux firewalls : attack detection and response with iptables, psad, and fwsnort / Michael Rash.
p. cm.
Includes index.
ISBN-13: 978-1-59327-141-1
ISBN-10: 1-59327-141-7
1. Computers--Access control. 2. Firewalls (Computer security) 3. Linux. I. Title.
QA76.9.A25R36 2007
005.8--dc22
2006026679
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and
company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark
symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the
benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been
taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any
person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the
information contained in it.
To Katie and little Bella
BRIEF CONTENTS
Acknowledgments ..................................................................................... xv
Foreword by Richard Bejtlich .................................................................... xvii
Introduction ................................................................................................ 1
Chapter 1: Care and Feeding of iptables ......................................................... 9
Chapter 2: Network Layer Attacks and Defense ............................................... 35
Chapter 3: Transport Layer Attacks and Defense ............................................. 49
Chapter 4: Application Layer Attacks and Defense ........................................... 69
Chapter 5: Introducing psad: The Port Scan Attack Detector ............................. 81
Chapter 6: psad Operations: Detecting Suspicious Traffic ................................. 99
Chapter 7: Advanced psad Topics: From Signature Matching to OS Fingerprinting .. 113
Chapter 8: Active Response with psad .......................................................... 131
Chapter 9: Translating Snort Rules into iptables Rules ..................................... 149
Chapter 10: Deploying fwsnort .................................................................... 173
Chapter 11: Combining psad and fwsnort ...................................................... 193
Chapter 12: Port Knocking vs. Single Packet Authorization ............................... 213
Chapter 13: Introducing fwknop .................................................................. 231
Chapter 14: Visualizing iptables Logs ........................................................... 257
Appendix A: Attack Spoofing ...................................................................... 279
Appendix B: A Complete fwsnort Script ......................................................... 285
Index ...................................................................................................... 291