LINUX SYSTEMS SECURITYFIREWALLS AND FILTERS NETS1028 FALL 2019

Firewall

A physical barrier designed to slow or prevent the spread of fire

In computer networks, a mechanism to slow or prevent the passage of network traffic

Several firewall software packages have come and gone over the past 20 years, iptables is ubiquitous for Linux now

netfilter.orgNetfilter is the home of several packet filtering projects including iptables, which is used in most modern Linux kernels

GPLv2 licensed, open source, in active development since approximately 1999

Corporate sponsors include Watchguard, LinuxCare Inc., Connectiva, Sophos, and many others

Stateful vs. Stateless1st generation packet filters were stateless network layer filters - each packet was examined on an individual basis and decisions about it were based solely on the contents of that packet

2nd generation packet filters incorporated connection information and could make stateful decisions as well - SPI

3rd generation adds application awareness and can make decisions based on unexpected traffic patterns - deep packet inspection

NAT

NAT was developed to deal with limited address space in IPV4

It was quickly recognized that it also provided the function of hiding internal addresses making reconnaissance more difficult for attackers

Many firewalls provide NAT as an added tool for slowing attackers

ProxiesA proxy is a software device which provides a middleman for connections and can perform additional filtering of traffic

Useful for implementing more complex application-specific rules such as url-based filtering

Email MTAs can perform a proxy function for email

Firewalling external connections from non-proxy hosts can add a layer of protection against internal hosts which have been compromised or have misuse attempted on them

iptables Tablesiptables uses 3 built-in tables as the basis for managing traffic

The filter table is the default table used to filter traffic

The NAT table is used to perform address modifications in order to provide NAT

The mangle table is used to modify packets in other ways

Tables contain chains of rules

Packet flow

"Netfilter-packet-flow" by Jengelh - Own work, Origin SVG PNG. Licensed under CC BY-SA 3.0 via Commons - https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg#/media/File:Netfilter-packet-flow.svg

iptables ChainsA chain is a sequence of rules

INPUT, OUTPUT, and FORWARD are the built-in chains

INPUT is applied to packets destined for this host from network interfaces

OUTPUT is applied to packets generated by this host

FORWARD is applied to packets not generated by, or destined for, this host

A chain also has a policy, which is what happens to packets not specified in the rules

Create your own chains with iptables -N, delete them with iptables -X

iptables Chain PolicyEach rule in a chain can specify parameters to identify packets that the rule applies to and an action to take if the packet matches the parameters

If a packet is compared to all the rules and does not match any of them, the policy for the chain is applied to the packet

The default policy after installation is ACCEPT

Other policies available include DROP and REJECT

iptables RulesEach rule in a chain can have a number of parameters including a target

Typical parameters might includechain nameinterface nameprotocol (name or number from /etc/protocols)source address name/number/cidr range and/or port name or number from /etc/servicesdestination address name/number/cidr range and/or port name or number from /etc/servicesjump target

Builtin targets include ACCEPT, DROP, REJECT, LOG

Additional targets can be other chains which allows you to clarify your chains

Extensions can also be targets - see iptables-extensions(8)

iptables Commandiptables -V to get version info

iptables -L [-v] to get config summary

iptables -S to show rules in iptables command line format

iptables -A to append rules to a chain

iptables -I to insert rules into a chain other than at the end

iptables -F to flush rules from a chain

ip6tables command builds rules for IPV6

iptables Examplesiptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -A INPUT -p tcp -j LOG --log-prefix "INPUTLOG "

What common network traffic might break because of this? How would you discover what was broken? Logging only input traffic only tells you who is trying to break in, not who is trying to get out.

ExercisesCreate a set of firewall rules to allow traffic on loopback, allow only ssh on eth0, and set the INPUT and OUTPUT policy to DROP

Verify you cannot connect to your vm using a protocol you are serving but not permitting through the firewall (install something like a telnet service for testing purposes), and that ssh still works

Add a rule to log all non-ssh tcp packets, retry the telnet and check your /var/log/kern.log to see what got logged

Reboot your vm, and check your iptables rules using the -L option

iptables Persistenceiptables is a memory-based utility

To have the rules take effect at boot, we need to use software that not only installs the rules, but saves those rules for reinstallation at next boot

Most higher level packages that try to automate firewall management save the rules you create

You can install the iptables-persistent package and save your rules to /etc/iptables/rules.v[46] using ip[6]tables-save

You can use one or more of several packages intended to manage an iptables configuration

ExercisesWith your own iptables rules installed, install the iptables-persistent package, having it save your IPV4 rules

Examine the contents of /etc/iptables/rules.v4 and compare it to the output of iptables-save

Reboot and verify your rules are automatically reinstalled

Remove the iptables-persistent package

iptables ExtensionsExtensions exist for iptables and add packet matching capabilities using modules as well as new targets to give more options about what to do with matched packets

-m option can be used to enable modules to extend the capabilities of iptables

Some modules permit options

Interesting modules:limit, connlimit, conntrack, iprange, multiport, comment

Interesting targets:LOG, REDIRECT, TEE

http://ipset.netfilter.org/iptables-extensions.man.html

Common Attack HandlingDrop or limit pings from all non-local hosts, limiting icmp rates across the board can help against smurfs

Drop packets sourced from private netblocks which you aren’t using yourself

Drop malformed packets using --tcp-flags, port scans often use these

Configure appropriate kernel tuning parameters to increase resilience to attacks

Modern Linux kernel is quite robust in major distros, most attacks are on services so block or limit them and use whatever config options are available to you in those services

ExercisesRun sysctl -a to get an idea of the kernel parameters currently set up on your system

What are the implications of being able to retrieve this type of information as an ordinary user?

https://www.kernel.org/doc/Documentation/sysctl/vm.txt has excellent sysctl documentation for kernel version 2.6 (still in use in production systems and embedded systems), find the swappiness parameter in that document to see what it can do for you, check out the wikipedia article for more info

Performance tuning also affects resiliency, example references on tuning for performance include:

http://wiki.mikejung.biz/Ubuntu_Performance_Tuninghttps://lonesysadmin.net/2013/12/22/better-linux-disk-caching-performance-vm-dirty_ratio/ https://lonesysadmin.net/2013/12/19/account-bandwidth-delay-product-larger-network-buffers/

iptstate

top-style tool for observing connection states

Requires at least one rule that uses conntrack or state extension in order to provide state capture

help screen available with h key, shows current sort and display settings

ExercisesInstall iptstate package

Add a rule to your INPUT table for protocol tcp, destination port ssh, module conntrack, option ctstate INVALID

Run iptstate and observe the various connections being tracked by iptables

Use iptables -L -v to see the packet and byte counts being seen by the various rules you have in place

UFWUncomplicated Firewall

A command line utility to simplify firewall management

Uses pre-configured rulesets for common configurations, with catch-all rules in /etc/ufw

It is a front end to the iptables command, but conflicts are probable if you use both to set up your firewall - instead use the pre and post rules files in ufw to set up custom rulesets

Provides enable/disable and configuration save

gufw is a graphical frontend to ufw

https://help.ubuntu.com/lts/serverguide/firewall.html

https://help.ubuntu.com/community/Gufw

Exercises

Install the ufw package

Use ufw to allow ssh traffic

Check your status with ufw, enable it, recheck your status

Run iptables -L -v with the ufw firewall tool in enabled state

Disable the ufw firewall tool and see what is left behind in your live iptables

Reboot to clear out your tables for the next exercise

ipkungfuAnother frontend to iptables (there are many, e.g. https://taufanlubis.wordpress.com/2007/09/23/need-proctection-for-your-ubuntu/)

Uses a relatively friendly configuration file and supports automatic config at boot

Groups many rule ideas into simpler concepts and makes them options in config files

https://help.ubuntu.com/community/firewall/ipkungfu

ExercisesInstall the ipkungfu package

Review the configuration files in /etc/ipkungfu

Modify ipkungfu.conf to set GATEWAY=0, DISALLOW_PRIVATE=0

Modify services.conf to ACCEPT ftp and ssh traffic

Run ipkungfu --show-vars to see your current configuration with ipkungfu’s guesses

Run ipkungfu -t to test and install your new configuration

Use iptables -L to see the new iptables configuration

Check /etc/default/ipkungfu to see if it is enabled on system startup (IPKFSTART setting)

fail2banfail2ban is a package that can scan log files looking for repeated login failures and then block the source hosts using iptables

It does not require chain DROP policy, so if you don’t have a deny policy, it will still work

fail2ban knows many common log file formats such as ssh, web servers, email servers, ftp, and many applications that sit on top of those services

see /etc/fail2ban/filter.d for the logs it knows, /var/log/fail2ban.log to see what it has been doing when running

copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and modify to enable or configure jails

fail2ban.org, 2014 PyCon video: https://www.youtube.com/watch?v=xcXheAWy7cU#t=190

ExercisesInstall vsftpd and fail2ban, you may need a reboot to have a clean set of iptables to work with depending on the state you left things in from previous exercises

Configure the vsftpd jail to be enabled in jail.local and restart fail2ban service - use iptables -L -v to see what it installed

Use a second terminal window to perform several login failures using ftp

Watch the fail2ban.log using tail -f to see what it does

While you have a vsftpd ban in place, try:

fail2ban-client status vsftpdfail2ban-client get vsftpd bantimefail2ban-client -help

Additional Filtering

Proxy servers (email, web, etc.) can be set up, use iptables to prevent connections for proxied services that try to bypass the proxies, proxies can do application-level filtering