Chris Cooper - PowerPoint PPT Presentation


Chris Cooper Slides & Scripts: http://QCCoLab.com/ipset


SLIDE 1
  • Chris Cooper

Slides & Scripts: http://QCCoLab.com/ipset

SLIDE 2

SLIDE 3

IPTables
  • Linux Based
  • Cheap
  • Feature Rich
  • Rugged
  • Advanced

SLIDE 4

SLIDE 5
  • Address Lists for IPTables
  • IPSet project
    – http://ipset.netfilter.org/
  • Patch for Kernel 2.4.36
  • Officially included in Kernel 2.6.39
  • Nomatch & TC support added in 3.7
  • Binary included in all major repos

SLIDE 6
  • IPSet can store many types of data
    – IP – Single IP addresses
    – Net – Variable length subnets (using CIDR)
    – Ports – Lump multiple service ports together
    – IP,Port – A specific port at a specific IP
    – IP,Port,IP – A specific connection
    – IP,MAC – For your Layer 2 filtering needs
    – Set – Group sets together (Yo, dawg…)

SLIDE 7
  • IPSet will match hosts inside networks
  • Nomatch can be used for exceptions

SLIDE 8
  • IPSet Simplifies Rules
  • Creates objects to work with

SLIDE 9
  • Fail2Ban – Bans IPs that cause trouble
    – http://www.fail2ban.org/
  • Modular Design
  • Watches logs for keys like failed logins
  • Can take a variety of actions
    – Default is IPTables rules to block
    – Creates a long ugly list of block rules

SLIDE 10
  • IPSet support added very recently
  • Not yet in any repos. Check GitHub
    – action.d/iptables-ipset-proto4.conf
  • IPSet is IPv6 friendly
    – action.d/iptables-ipset-proto6.conf

  • Oops. “proto6” refers to the version of IPSet used by fail2ban, not to IPv6. Although IPSet does still support IPv6, fail2ban does not.

SLIDE 11
  • DenyHosts – Similar to fail2ban
    – http://www.denyhosts.net/
  • Centralized Server

SLIDE 12
  • 12,000 IPTables rules is not practical
    – Adds ~5ms latency to every connection
  • Uses hosts.deny
    – Requires tcpwrapper
    – Stock Apache & OpenSSH not supported
    – Only protects local services (not a firewall)

SLIDE 13
  • IPSet’s Hash Tables are really fast
    – http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/

SLIDE 14
  • DenyHosts supports external scripts
  • Add a quick script for setup
  • PLUGIN_DENY, PLUGIN_PURGE
  • Just called for local trips (not database)

SLIDE 15
  • Finally, add a script to cron
  • Loads central database entries
  • Swap used for no interruption
SLIDE 16
  • IPSet supports timeouts
    – Create rules that automatically expire
  • IPTables rules can add entries to a set
    – Create your own IPS systems inside netfilter

SLIDE 17
  • Identify 3 SSH connections in 60 seconds
  • Block the IP for 15 minutes
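The swap-based reload from slide 15 and the SSH auto-ban from slide 17, as an added shell example that is not part of the presentation or its published scripts. The set names, the one-address-per-line list file and the 3 / 60 s / 900 s thresholds are assumptions, and both functions only print the ipset/iptables commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the slides or from the ipset, fail2ban or DenyHosts
# projects. Both functions only print ipset/iptables commands; review the
# output and feed it to "sh" as root. Set names, the hypothetical list-file
# format and the thresholds are assumptions.

# Slide 15: reload a block list with no gap. Entries go into a scratch set,
# then "ipset swap" exchanges the two sets atomically, so the iptables rule
# that references $set_name never sees a half-loaded or empty set.
load_blocklist_atomic() {
    set_name=$1   # live set referenced by "-m set --match-set $set_name src"
    listfile=$2   # one IPv4 address per line, "#" lines are comments
    cat <<EOF
ipset -exist create $set_name hash:ip
ipset -exist create ${set_name}_tmp hash:ip
ipset flush ${set_name}_tmp
EOF
    grep -v '^#' "$listfile" | while read -r ip; do
        [ -n "$ip" ] && echo "ipset -exist add ${set_name}_tmp $ip"
    done
    cat <<EOF
ipset swap ${set_name}_tmp $set_name
ipset destroy ${set_name}_tmp
EOF
}

# Slide 17: ban a source after $hits new SSH connections within $window
# seconds, for $ban seconds. The set's default timeout makes every ban expire
# on its own, and the SET target lets iptables add the offender to the set
# without any userspace daemon. Rule order matters: the DROP that consults
# the set is inserted first, so the next packet from a banned host is dropped;
# the connection that trips the threshold is still handled by the rules below.
ssh_brute_rules() {
    set_name=$1   # set of banned sources
    hits=$2       # connections allowed inside the window before banning
    window=$3     # window in seconds
    ban=$4        # ban duration in seconds (ipset timeout)
    cat <<EOF
ipset -exist create $set_name hash:ip timeout $ban
iptables -I INPUT -p tcp --dport 22 -m set --match-set $set_name src -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh_track --set
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh_track --update --seconds $window --hitcount $hits -j SET --add-set $set_name src
EOF
}

# Usage: 3 connections in 60 seconds, 15 minute ban (slide 17's numbers).
ssh_brute_rules ssh_block 3 60 900
```

After loading, `ipset list ssh_block` shows each banned address with its remaining timeout, which is the quickest way to confirm bans really expire.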
SLIDE 18
  • Hit TCP 123
  • Within 5 seconds hit TCP 1338
  • Within 5 seconds hit UDP 1175
  • Open access for 5 minutes

SLIDE 19
  • Detect & Block Port Scans
    – UDP/TCP Port 0
    – Look for invalid TCP Flags
  • FIN,URG,PSH – Xmas Tree Scan
  • FWSnort can convert Snort to IPTables
    – Pick specific rules you understand
    – http://www.cipherdyne.org/fwsnort/
  • Beware of false positives!
SLIDE 20
  • Be creative with targets
  • DNAT
    – Forward hostile hosts to a honeypot
  • REDIRECT
    – Redirect to a “Captive Portal” page until auth
    – Warn users (Don’t be Comcast)
  • LIMIT
    – Rate limit new connections

SLIDE 21
  • Mark packets for use with iproute2
    – Route some users out a different connection
    – Use statistic for source-based routing
  • Throttle users with TC
    – Detect p2p or bittorrent presence
  • Easy to find, Hard to block
    – Throttle all non-HTTP(s) traffic to dial-up
    – Timeouts minimize false-positive impact

SLIDE 22
  • Chris Cooper
    – Twitter: @CC_DKP
    – CCooper@QCColab.com
  • Slides & Scripts:
    – http://QCCoLab.com/ipset