Post on 20-Jun-2020
LINUX SYSTEMS SECURITY
FIREWALLS AND FILTERS
NETS1028 FALL 2019
Firewall
A physical barrier designed to slow or prevent the spread of fire
In computer networks, a mechanism to slow or prevent the passage of network traffic
Several firewall software packages have come and gone over the past 20 years, iptables is ubiquitous for Linux now
netfilter.org
Netfilter is the home of several packet filtering projects including iptables, which is used in most modern Linux kernels
GPLv2 licensed, open source, in active development since approximately 1999
Corporate sponsors include Watchguard, LinuxCare Inc., Connectiva, Sophos, and many others
Stateful vs. Stateless
1st generation packet filters were stateless network layer filters - each packet was examined on an individual basis and decisions about it were based solely on the contents of that packet
2nd generation packet filters incorporated connection information and could make stateful decisions as well - stateful packet inspection (SPI)
3rd generation adds application awareness and can make decisions based on unexpected traffic patterns - deep packet inspection
NAT
NAT was developed to deal with limited address space in IPV4
It was quickly recognized that it also provided the function of hiding internal addresses making reconnaissance more difficult for attackers
Many firewalls provide NAT as an added tool for slowing attackers
Proxies
A proxy is a piece of software that acts as a middleman for connections and can perform additional filtering of traffic
Useful for implementing more complex application-specific rules such as url-based filtering
Email MTAs can perform a proxy function for email
Firewalling external connections from hosts other than the proxy adds a layer of protection against internal hosts which have been compromised or which someone is attempting to misuse
iptables Tables
iptables uses 3 built-in tables as the basis for managing traffic
The filter table is the default table used to filter traffic
The NAT table is used to perform address modifications in order to provide NAT
The mangle table is used to modify packets in other ways
Tables contain chains of rules
Packet flow
"Netfilter-packet-flow" by Jengelh - Own work, Origin SVG PNG. Licensed under CC BY-SA 3.0 via Commons - https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg#/media/File:Netfilter-packet-flow.svg
iptables Chains
A chain is a sequence of rules
INPUT, OUTPUT, and FORWARD are the built-in chains
INPUT is applied to packets destined for this host from network interfaces
OUTPUT is applied to packets generated by this host
FORWARD is applied to packets not generated by, or destined for, this host
A chain also has a policy, which is what happens to packets not specified in the rules
Create your own chains with iptables -N, delete them with iptables -X
iptables Chain Policy
Each rule in a chain can specify parameters to identify packets that the rule applies to and an action to take if the packet matches the parameters
If a packet is compared to all the rules and does not match any of them, the policy for the chain is applied to the packet
The default policy after installation is ACCEPT
Other policies available include DROP and REJECT
iptables Rules
Each rule in a chain can have a number of parameters including a target
Typical parameters might include
chain name
interface name
protocol (name or number from /etc/protocols)
source address name/number/cidr range and/or port name or number from /etc/services
destination address name/number/cidr range and/or port name or number from /etc/services
jump target
Builtin targets include ACCEPT, DROP, REJECT, LOG
Additional targets can be other chains, which lets you split your rules into smaller, clearer chains
Extensions can also be targets - see iptables-extensions(8)
iptables Command
iptables -V to get version info
iptables -L [-v] to get config summary
iptables -S to show rules in iptables command line format
iptables -A to append rules to a chain
iptables -I to insert rules into a chain other than at the end
iptables -F to flush rules from a chain
ip6tables command builds rules for IPV6
iptables Examples
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp -j LOG --log-prefix "INPUTLOG "
What common network traffic might break because of this? How would you discover what was broken? Logging only input traffic tells you who is trying to break in, not who is trying to get out.
Exercises
Create a set of firewall rules to allow traffic on loopback, allow only ssh on eth0, and set the INPUT and OUTPUT policy to DROP
Verify you cannot connect to your vm using a protocol you are serving but not permitting through the firewall (install something like a telnet service for testing purposes), and that ssh still works
Add a rule to log all non-ssh tcp packets, retry the telnet and check your /var/log/kern.log to see what got logged
Reboot your vm, and check your iptables rules using the -L option
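The example rules above let SSH replies out with a stateless --sport 22 match. The script below, added here as an illustration and not part of the course notes, builds the same loopback-plus-SSH policy with the conntrack module instead, so replies to accepted connections pass in both directions without a source-port rule, and rate-limits the LOG rule so a scan cannot flood kern.log. It assumes the external interface is eth0 and, by default (DRY_RUN=1), prints the iptables commands for review instead of running them, so it needs no root to inspect.

```shell
#!/bin/sh
# Added example: stateful version of the loopback + SSH-only ruleset.
# DRY_RUN=1 (default) prints each iptables command instead of executing it;
# run with DRY_RUN=0 as root to apply. IPT can point at ip6tables for IPv6.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Build the ruleset for the external interface given as $1 (assumed eth0).
ssh_only_ruleset() {
    iface="${1:-eth0}"
    # Start from empty INPUT/OUTPUT chains so re-running does not duplicate rules
    run -F INPUT
    run -F OUTPUT
    # Loopback is always allowed
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    # Stateful: packets belonging to a connection already accepted pass both ways,
    # which replaces the stateless "--sport 22" OUTPUT rule
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only NEW SSH connections may come in on the external interface
    run -A INPUT -i "$iface" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Log what is about to be dropped, rate limited so a scan cannot fill kern.log
    run -A INPUT -p tcp -m limit --limit 5/minute -j LOG --log-prefix "INPUTLOG "
    # Anything not matched above hits the chain policy
    run -P INPUT DROP
    run -P OUTPUT DROP
}

# Under an OUTPUT DROP policy, connections the host itself initiates (DNS,
# package updates) still need explicit rules, e.g. allow_out udp 53
allow_out() {
    run -A OUTPUT -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

ssh_only_ruleset eth0
```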
iptables Persistence
iptables rules live only in kernel memory and are lost at reboot
To have the rules take effect at boot, we need to use software that not only installs the rules, but saves those rules for reinstallation at next boot
Most higher level packages that try to automate firewall management save the rules you create
You can install the iptables-persistent package and save your rules to /etc/iptables/rules.v[46] using ip[6]tables-save
You can use one or more of several packages intended to manage an iptables configuration
Exercises
With your own iptables rules installed, install the iptables-persistent package, having it save your IPV4 rules
Examine the contents of /etc/iptables/rules.v4 and compare it to the output of iptables-save
Reboot and verify your rules are automatically reinstalled
Remove the iptables-persistent package
iptables Extensions
Extensions exist for iptables and add packet matching capabilities using modules as well as new targets to give more options about what to do with matched packets
-m option can be used to enable modules to extend the capabilities of iptables
Some modules permit options
Interesting modules: limit, connlimit, conntrack, iprange, multiport, comment
Interesting targets: LOG, REDIRECT, TEE
http://ipset.netfilter.org/iptables-extensions.man.html
Common Attack Handling
Drop or limit pings from all non-local hosts, limiting icmp rates across the board can help against smurfs
Drop packets sourced from private netblocks which you aren’t using yourself
Drop malformed packets using --tcp-flags, port scans often use these
Configure appropriate kernel tuning parameters to increase resilience to attacks
The modern Linux kernel is quite robust in the major distros; most attacks are on services, so block or limit them and use whatever config options are available to you in those services
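The four measures listed above, written out as iptables rules and matching kernel parameters, added here as an example and not part of the course notes. It assumes eth0 is the external interface and that none of the listed private netblocks are in use on the host's own networks; like the earlier example, DRY_RUN=1 (the default) prints the commands for review instead of applying them.

```shell
#!/bin/sh
# Added example: the "common attack handling" measures as iptables rules plus
# the sysctl settings that back them up. DRY_RUN=1 (default) prints for review.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi; }

# Private and loopback netblocks that must never be a source on the external
# interface. Assumption: the host does not use any of these itself; edit before use.
BOGON_SOURCES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

attack_handling_rules() {
    iface="${1:-eth0}"
    # 1. Limit echo requests from outside to 1/second (burst 4), drop the excess
    run -A INPUT -i "$iface" -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 4 -j ACCEPT
    run -A INPUT -i "$iface" -p icmp --icmp-type echo-request -j DROP
    # 2. Drop spoofed packets claiming to come from private netblocks
    for net in $BOGON_SOURCES; do
        run -A INPUT -i "$iface" -s "$net" -j DROP
    done
    # 3. Drop impossible TCP flag combinations used by NULL/XMAS/SYN-FIN scans
    run -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    run -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    run -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    run -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # 4. A NEW connection must start with SYN; anything else is a stray or a probe
    run -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
}

# Kernel parameters in sysctl.conf format, suitable for a file under
# /etc/sysctl.d/ or for "sysctl -p". The first line is the smurf defence.
hardening_sysctls() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
EOF
}

attack_handling_rules eth0
hardening_sysctls
```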
Exercises
Run sysctl -a to get an idea of the kernel parameters currently set up on your system
What are the implications of being able to retrieve this type of information as an ordinary user?
https://www.kernel.org/doc/Documentation/sysctl/vm.txt has excellent sysctl documentation for kernel version 2.6 (still in use in production systems and embedded systems). Find the swappiness parameter in that document to see what it can do for you, and check out the wikipedia article for more info
Performance tuning also affects resiliency, example references on tuning for performance include:
http://wiki.mikejung.biz/Ubuntu_Performance_Tuning
https://lonesysadmin.net/2013/12/22/better-linux-disk-caching-performance-vm-dirty_ratio/
https://lonesysadmin.net/2013/12/19/account-bandwidth-delay-product-larger-network-buffers/
iptstate
top-style tool for observing connection states
Requires at least one rule that uses conntrack or state extension in order to provide state capture
help screen available with h key, shows current sort and display settings
Exercises
Install the iptstate package
Add a rule to your INPUT chain for protocol tcp, destination port ssh, module conntrack, option ctstate INVALID
Run iptstate and observe the various connections being tracked by iptables
Use iptables -L -v to see the packet and byte counts being seen by the various rules you have in place
UFW
Uncomplicated Firewall
A command line utility to simplify firewall management
Uses pre-configured rulesets for common configurations, with catch-all rules in /etc/ufw
It is a front end to the iptables command, but conflicts are probable if you use both to set up your firewall - instead use the pre and post rules files in ufw to set up custom rulesets
Provides enable/disable and configuration save
gufw is a graphical frontend to ufw
https://help.ubuntu.com/lts/serverguide/firewall.html
https://help.ubuntu.com/community/Gufw
Exercises
Install the ufw package
Use ufw to allow ssh traffic
Check your status with ufw, enable it, recheck your status
Run iptables -L -v with the ufw firewall tool in enabled state
Disable the ufw firewall tool and see what is left behind in your live iptables
Reboot to clear out your tables for the next exercise
ipkungfu
Another frontend to iptables (there are many, e.g. https://taufanlubis.wordpress.com/2007/09/23/need-proctection-for-your-ubuntu/)
Uses a relatively friendly configuration file and supports automatic config at boot
Groups many rule ideas into simpler concepts and makes them options in config files
https://help.ubuntu.com/community/firewall/ipkungfu
Exercises
Install the ipkungfu package
Review the configuration files in /etc/ipkungfu
Modify ipkungfu.conf to set GATEWAY=0, DISALLOW_PRIVATE=0
Modify services.conf to ACCEPT ftp and ssh traffic
Run ipkungfu --show-vars to see your current configuration with ipkungfu’s guesses
Run ipkungfu -t to test and install your new configuration
Use iptables -L to see the new iptables configuration
Check /etc/default/ipkungfu to see if it is enabled on system startup (IPKFSTART setting)
fail2ban
fail2ban is a package that can scan log files looking for repeated login failures and then block the source hosts using iptables
It does not require chain DROP policy, so if you don’t have a deny policy, it will still work
fail2ban knows many common log file formats such as ssh, web servers, email servers, ftp, and many applications that sit on top of those services
see /etc/fail2ban/filter.d for the logs it knows, /var/log/fail2ban.log to see what it has been doing when running
copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and modify to enable or configure jails
fail2ban.org, 2014 PyCon video: https://www.youtube.com/watch?v=xcXheAWy7cU#t=190
Exercises
Install vsftpd and fail2ban, you may need a reboot to have a clean set of iptables to work with depending on the state you left things in from previous exercises
Configure the vsftpd jail to be enabled in jail.local and restart fail2ban service - use iptables -L -v to see what it installed
Use a second terminal window to perform several login failures using ftp
Watch the fail2ban.log using tail -f to see what it does
While you have a vsftpd ban in place, try:
fail2ban-client status vsftpd
fail2ban-client get vsftpd bantime
fail2ban-client --help
Additional Filtering
Proxy servers (email, web, etc.) can be set up, use iptables to prevent connections for proxied services that try to bypass the proxies, proxies can do application-level filtering