September 17, Lecture 3 - City University of New York
Conclude legal overview: CanSpam Act
Discuss Peter Tippett Verizon paper
Review Talk
Recent data breaches (Heartland Systems)
Similarities to TJX Stores (same individual involved)
Data Breach Legislation
Review first 20 pages of Tippett paper
NetFilter Router Configuration Details
Overview of Linux Routing
Diagram of the Linux routing path: preprocess -> forward -> postprocess, with input and output branches for packets addressed to, or generated by, the router itself
Tables (built-in and user defined)
A TCP Digression:
TCP Connections
3-way handshake to start (SYN, SYN-ACK, ACK)
Identified by four values (src ip, src port, dst ip, dst port)
TCP States SYN_SENT(syn), SYN_RECV (syn_ack), ESTABLISHED (ack)
Current TCP congestion control in Linux is called CUBIC (Reno and Tahoe?)
Note TCP provides flow control via sliding window protocol
TCP Three Way Handshake
Complete TCP State Diagram
IPTABLES (The Nitty-Gritty)
Good overview of IPTABLES Firewall Rules
Making a Linux Box a Router ip_forward
# ---Enable forwarding and disable internal
echo "1" > /proc/sys/net/ipv4/ip_forward
A Digression into the linux proc file system
/proc file system
a wealth of OS (forensic data)
many utilities get data from it
know proc – know LINUX
let’s take a tour
/proc
vmstat versus vmstat command
modules versus lsmod command
version versus uname -a
cpuinfo
/proc/pid/exe program file
/proc/pid/mem process memory
/proc/pid/maps memory map
/proc/pid/cmdline command line
compare with ps command
/proc/net/sockstat
sockets: used 227
TCP: inuse 6 orphan 0 tw 0 alloc 9 mem 1
UDP: inuse 7 mem 0
UDPLITE: inuse 0
RAW: inuse 0
FRAG: inuse 0 memory 0
/proc/net/arp_cache
IP address HW type Flags HW address Mask Device
192.168.1.160 0x1 0x0 00:00:00:00:00:00 * eth1
10.2.47.16 0x1 0x2 00:20:6b:a1:85:30 * eth2
10.2.47.1 0x1 0x2 00:00:0c:07:ac:2f * eth2
192.168.0.51 0x1 0x2 00:12:3f:6f:82:03 * eth0
some commands that get info from proc
lsof -ni shows all processes with active network ports
netstat -n --inet
netstat -nr
ifconfig
/proc/net/nf_conntrack shows the connections that iptables (netfilter connection tracking) is currently tracking
Remember: du, find, ls, pidof, ps, top, netstat, ifconfig often replaced by rootkits
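The cross-check the slide asks for, /proc/<pid> against the ps command, as an added example that is not from the lecture: the kernel populates /proc itself, so a PID that exists there but is missing from the ps listing is what a trojaned ps binary or a process-hiding rootkit produces. The proc root and the ps output are parameters (my naming) so the functions can be exercised against a constructed directory tree; with no arguments check_hidden reads the real /proc and runs ps.

```shell
# Added example (not part of the lecture): compare the PIDs visible as
# /proc/<pid> directories with the PIDs reported by ps.

# Print the numeric directory names under the given proc root, sorted.
proc_pids() {
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] || continue
        basename "$d"
    done | sort -n
}

# $1 = proc root, $2 = newline-separated PID list as reported by ps.
# Prints every PID that exists under $1 but is absent from $2.
hidden_pids() {
    proc_pids "$1" | while read -r pid; do
        printf '%s\n' "$2" | grep -qx "$pid" || printf '%s\n' "$pid"
    done
}

# Live check: defaults to the real /proc and the real ps.  A short-lived
# process can exit between the two snapshots, so confirm a hit by running
# the check again and by reading /proc/<pid>/cmdline and /proc/<pid>/exe
# for the suspect PID.  Returns 1 when something is hidden.
check_hidden() {
    root="${1:-/proc}"
    ps_list="${2:-$(ps -e -o pid= | tr -d ' ')}"
    found=$(hidden_pids "$root" "$ps_list")
    if [ -n "$found" ]; then
        printf 'PIDs under %s not reported by ps:\n%s\n' "$root" "$found"
        return 1
    fi
    printf 'no hidden processes found under %s\n' "$root"
}
```

Run check_hidden as root on the router; the same two-source idea (kernel view versus userland tool) applies to the other commands the slide lists, for example /proc/net/tcp against netstat.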
Back to Router Configuration
Where it starts /etc/rc.d/rc.local
A BASH shell loop to enable Reverse Path Filtering
# ---disable internal network IP address spoofing (BASH script)
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo "1" > $f
echo "$f set to 1 for route verification"
done
Basic Operating System Defense (From IP Tables Firewall HowTo)
You can do several things before employing your firewall script to improve the resilience of your firewall to attack. For example, the Linux operating system has a number of built-in protection mechanisms that you should activate by modifying the system kernel parameters in the /proc filesystem via the /etc/sysctl.conf file. Using /etc/sysctl.conf to modify kernel parameters is explained in more detail in , Appendix I "Miscellaneous Linux Topics".
Here is a sample configuration:
# File: /etc/sysctl.conf
#---------------------------------------------------------------
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#---------------------------------------------------------------
net/ipv4/conf/all/rp_filter = 1
#---------------------------------------------------------------
# Enable logging of packets with malformed IP addresses
#---------------------------------------------------------------
net/ipv4/conf/all/log_martians = 1
#---------------------------------------------------------------
# Disable redirects
# (sending IP packets out over the same interface on which they arrived).
#---------------------------------------------------------------
net/ipv4/conf/all/send_redirects = 0
#---------------------------------------------------------------
# Disable source routed packets
# source specifies the path
# See page 19
#---------------------------------------------------------------
net/ipv4/conf/all/accept_source_route = 0
#---------------------------------------------------------------
# Disable acceptance of ICMP redirects
#---------------------------------------------------------------
net/ipv4/conf/all/accept_redirects = 0
#---------------------------------------------------------------
# Turn on protection from Denial of Service (DOS) attacks
# Resources are not reserved until hand shake completed
#---------------------------------------------------------------
net/ipv4/tcp_syncookies = 1
#---------------------------------------------------------------
# Disable responding to ping broadcasts
#---------------------------------------------------------------
net/ipv4/icmp_echo_ignore_broadcasts = 1
#---------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#---------------------------------------------------------------
net/ipv4/ip_forward = 1
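An audit of the settings in that sysctl.conf, as an added example that is not from the lecture or the HOWTO: it reads each key back from /proc/sys and reports anything missing or still at a weak value, and apply_sysctl writes the hardened values the same way rc.local does with echo. The root directory is a parameter (my naming, default /proc/sys) so the functions can be run against a constructed tree; on a real system both need root.

```shell
# Added example (not from the lecture): audit and apply the kernel
# hardening parameters from the sysctl.conf above.

# Keys (relative to /proc/sys) and the hardened value each should hold.
HARDENING="
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1
"

# $1 = root, $2 = key, $3 = wanted value.
# Prints "MISSING key" or "WEAK key is X want Y"; silent when compliant.
check_key() {
    file="$1/$2"
    if [ ! -r "$file" ]; then
        printf 'MISSING %s\n' "$2"
        return 0
    fi
    have=$(cat "$file")
    [ "$have" = "$3" ] || printf 'WEAK %s is %s want %s\n' "$2" "$have" "$3"
}

# Print one line per deviation.  Every per-interface rp_filter is checked
# too: the kernel applies max(conf/all/rp_filter, conf/<if>/rp_filter), and
# a per-interface value of 1 is what the rc.local loop enforces.
audit_sysctl() {
    root="${1:-/proc/sys}"
    for entry in $HARDENING; do
        key="${entry%%=*}"
        want="${entry#*=}"
        check_key "$root" "$key" "$want"
    done
    for f in "$root"/net/ipv4/conf/*/rp_filter; do
        [ -e "$f" ] || continue
        case "$f" in */conf/all/*) continue ;; esac   # already covered above
        check_key "$root" "${f#"$root"/}" 1
    done
}

# Write the hardened values (needs root on a live system).
apply_sysctl() {
    root="${1:-/proc/sys}"
    for entry in $HARDENING; do
        key="${entry%%=*}"
        want="${entry#*=}"
        if [ -e "$root/$key" ]; then
            printf '%s\n' "$want" > "$root/$key"
        fi
    done
    for f in "$root"/net/ipv4/conf/*/rp_filter; do
        if [ -e "$f" ]; then
            printf '1\n' > "$f"
        fi
    done
}
```

Running audit_sysctl after boot is a cheap way to confirm that rc.local and sysctl.conf actually took effect, and that a later module load or interface hotplug did not add an interface with rp_filter still at 0.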
Additional information
IP Tables is a stateful firewall
Tracks TCP connections (source ip, source port, dest ip, dest port)
IPTables States
INVALID packet associated with no known connection
ESTABLISHED packet associated with a connection that has seen packets in both directions
NEW packet has started a new connection or is associated with a connection that has not seen packets in both directions
RELATED packet is starting a new connection but is associated with an existing connection
Connection Tracking in IP_Tables
/proc/net/nf_conntrack
/proc/sys/net/netfilter/nf_conntrack_max
/proc/net/nf_conntrack (a sample)
ipv4 2 tcp 6 51 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2511 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2511 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 udp 17 7 src=192.168.0.51 dst=10.2.45.76 sport=1025 dport=161 packets=4 bytes=424 [UNREPLIED] src=10.2.45.76 dst=10.2.47.30 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 299 ESTABLISHED src=192.168.0.51 dst=192.168.0.1 sport=2321 dport=22 packets=1709 bytes=155564 src=192.168.0.1 dst=192.168.0.51 sport=22 dport=2321 packets=1434 bytes=164477 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 udp 17 13 src=192.168.0.51 dst=10.2.47.16 sport=1025 dport=161 packets=1 bytes=106 src=10.2.47.16 dst=10.2.47.30 sport=161 dport=1025 packets=1 bytes=109 mark=0 secmark=0 use=1
ipv4 2 tcp 6 77 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2512 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2512 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 24 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2510 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2510 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 udp 17 26 src=192.168.0.51 dst=192.168.1.160 sport=1025 dport=161 packets=7 bytes=742 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 103 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2513 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2513 packets=0 bytes=0 mark=0 secmark=0 use=1
A good guide to IP Tables Firewalls
rc.firewall.new (started in rc.local, a BASH script)
#---------------[ start ]--------------------
ipt="/sbin/iptables"
# eth2 is backbone (uplink to college network)
#eth0 is internal network 192.168.0.0
#eth1 is internal network 192.168.1.0
bbone="eth2"
subnet1="eth0"
subnet2="eth1"
AnyAddr="0/0"
modprobe ip_tables
modprobe iptable_nat
#---Clear Rules from Tables
$ipt -F
$ipt -t nat -F
#--------------[ end init ]------------------
# ---Enable forwarding and disable internal
# ---network IP address spoofing.
echo "1" > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo "1" > $f
echo "$f set to 1 for route verification"
done
# --Disable all initial connections from the backbone.
# --Allow only those that are responses to connections initiated from router.
# --Drop packets from problem IP address
# --log any traffic to ports 138 or 22
$ipt -A INPUT -i eth2 -m state --state NEW,INVALID -j DROP
$ipt -t nat -A PREROUTING -i eth2 -d 172.16.0.0/12 -j DROP
$ipt -t nat -A PREROUTING -i eth2 -p tcp --dport 138 -j LOG --log-level 4 --log-prefix "[ RPC Warm ]"
$ipt -A INPUT -d 10.2.47.30 -p tcp --dport 22 -j LOG --log-level WARNING --log-prefix "[ssh]"
#--------------[ end default ]---------------
# --Redirect traffic to internal addresses based on port assignments.
#$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3501 -j DNAT --to 192.168.0.159:3389 # remote admin to windows box
$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3500 -j DNAT --to 192.168.1.9:22 # worldnode
#$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3503 -j DNAT --to 192.168.0.50:4899 # remote admin workstation2 in 4214
$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3502 -j DNAT --to 192.168.0.51:4899 # D Salane Remote Admin
#$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3505 -j DNAT --to 192.168.0.159:3505 # Test
#------------[ end redirects ]------------
#drop packets from problem domains
#blocked=`cat /root/firewall/blocks.fw`
blocked=`cat /root/blocks.fw`
for host in $blocked; do
$ipt -A INPUT -s ${host} -j DROP
$ipt -A OUTPUT -d ${host} -j DROP
$ipt -A FORWARD -s ${host} -j DROP
$ipt -A FORWARD -d ${host} -j DROP
done
#Apply IP Masquerading to packets sent out to the backbone
#Forward packets identified as ESTABLISHED or RELATED
#Forward all packets from internal subnets
$ipt -t nat -A POSTROUTING -o $bbone -j MASQUERADE
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $subnet1 -j ACCEPT
$ipt -A FORWARD -i $subnet2 -j ACCEPT
#-------------[ end masquerading ]---------
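A hardened version of the blocklist loop from the script above, as an added example that is not part of rc.firewall.new: the original reads /root/blocks.fw with a backtick cat and hands every whitespace-separated token straight to iptables, so a comment, a typo or an empty file either inserts nothing or aborts the run part-way through with the firewall half built. This version skips blank and comment lines, validates each entry as an IPv4 address or CIDR prefix before using it, and takes the iptables command as a parameter (my naming) so the rules can be generated in a dry run. The addresses in the test are documentation-range values constructed for the example.

```shell
# Added example (not from the lecture): validate blocklist entries before
# feeding them to iptables.

# Accept a.b.c.d or a.b.c.d/n with every octet 0-255 and 0 <= n <= 32.
valid_ipv4_cidr() {
    addr="${1%%/*}"
    if [ "$addr" != "$1" ]; then
        bits="${1#*/}"
        case "$bits" in ''|*[!0-9]*) return 1 ;; esac
        [ "$bits" -le 32 ] || return 1
    fi
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    n=0
    oldifs=$IFS
    IFS=.
    for o in $addr; do
        n=$((n + 1))
        if [ "$o" -gt 255 ]; then
            IFS=$oldifs
            return 1
        fi
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Dry-run stand-in for iptables: prints the arguments it would have got.
dry_run() {
    printf '%s\n' "$*"
}

# $1 = blocklist file, $2 = iptables command (default /sbin/iptables;
# pass dry_run to see the rules without loading them).
load_blocklist() {
    ipt="${2:-/sbin/iptables}"
    while IFS= read -r line || [ -n "$line" ]; do
        host="${line%%#*}"                          # strip trailing comments
        host=$(printf '%s' "$host" | tr -d '[:space:]')
        [ -n "$host" ] || continue                  # blank or comment-only line
        if ! valid_ipv4_cidr "$host"; then
            printf 'skipping malformed blocklist entry: %s\n' "$line" >&2
            continue
        fi
        "$ipt" -A INPUT   -s "$host" -j DROP
        "$ipt" -A OUTPUT  -d "$host" -j DROP
        "$ipt" -A FORWARD -s "$host" -j DROP
        "$ipt" -A FORWARD -d "$host" -j DROP
    done < "$1"
}
```

In rc.firewall.new the call would replace the for loop with `load_blocklist /root/blocks.fw "$ipt"`; a malformed line is then reported and skipped instead of leaving the rest of the script unrun.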
References:
D. Farmer and W. Venema, Forensic Discovery, Addison-Wesley 2008
(see links in text)