Building a dynamic firewall with iptables
Transcript of Building a dynamic firewall with iptables
Concept
Extend the stateful firewall with dynamic blocking of bad IPsblock malicious traffic and add penaltyseveral sensors detect suspicious behaviorWhitelist and Blacklistsdifferent blocking duration
Procedure
Sensor detects something -> srcip added to badset withtimeout X or increased timeout by YGood behavior -> srcip added to goodset with same logicAfterwards comparison between badset and goodsetThreshold of bad behavior reached -> srcip blocked for ZminutesFor longtime observation srcip added to xt_recent set aswellIncreased timeouts in blacklistset based on longtimebehavior
Sensors
Portscan/sweepDOStraceroutepingfakerestricted rules
ipset
Modifications made for ipset 6.16TARGET: –increaseMATCH: –compare-set –threshold
Examples:
iptables -A FOO -j SET –add-set badset src –exist –timeout300 –increase
iptables -A BAR -j CHECKING -m set –compare-set badset srcgoodset src –threshold 1000
portscan/portsweep
using xtables_addons psd with patches from Florianadded portsweep detection and syslog outputadding mixed mode in the future
traceroute and pingfake
detect traceroute with basic iptablesreply icmp requests instead of forwarding them
prospects
switch to nftablesget as much as possible into upstreamimprove IPv6 coverageconjunction with IDS/IPS Suricatalongtime analytics
Suggestions
Any suggestions?