September 17, Lecture 3 - City University of New York




Conclude legal overview: CAN-SPAM Act

Discuss the Peter Tippett Verizon paper

Review Talk

Recent data breaches (Heartland Payment Systems)

Similarities to the TJX breach (same individual involved)

Data Breach Legislation



Review the first 20 pages of the Tippett paper

NetFilter Router Configuration Details

Overview of Linux Routing (the netfilter hook points a packet passes through)

PREROUTING -> routing decision -> FORWARD -> POSTROUTING (packets passing through the router)

PREROUTING -> routing decision -> INPUT (packets addressed to the router itself)

OUTPUT -> POSTROUTING (packets the router itself sends)

Tables are built in (filter, nat, mangle, raw); each holds the built-in chains above that apply to it, plus any user-defined chains

A TCP Digression:

TCP Connections

Three-way handshake to start: SYN, SYN-ACK, ACK

Identified by four values (src IP, src port, dst IP, dst port)

TCP states during the handshake: SYN_SENT (client has sent its SYN), SYN_RECV (server has received the SYN and answered SYN-ACK), ESTABLISHED (both sides have seen the final ACK)

Current TCP congestion control in Linux is CUBIC (the default since kernel 2.6.19); the classic algorithms it replaced are Tahoe and Reno

Note TCP provides flow control via a sliding window (the receiver advertises how much it can accept); congestion control is a separate mechanism on top of it

TCP Three Way Handshake



Complete TCP State Diagram



IPTABLES (The Nitty-Gritty)

Good overview of IPTABLES Firewall Rules



Making a Linux Box a Router: ip_forward

# ---Enable IP forwarding. Takes effect immediately but is not persistent;
# ---the rp_filter loop that guards against spoofing goes with it (below).

echo "1" > /proc/sys/net/ipv4/ip_forward

A Digression into the linux proc file system

/proc file system

a wealth of OS data (and forensic evidence)

many utilities get data from it

know proc – know LINUX

let’s take a tour

/proc

/proc/vmstat versus the vmstat command

/proc/modules versus the lsmod command

/proc/version versus uname -a

/proc/cpuinfo

/proc/<pid>/exe symlink to the program file (still readable even after the binary has been deleted from disk)

/proc/<pid>/mem the process's memory (readable only with ptrace access to that process)

/proc/<pid>/maps memory map

/proc/<pid>/cmdline command line (arguments separated by NUL bytes)

compare with the ps command

/proc/net/sockstat (a sample)

sockets: used 227

TCP: inuse 6 orphan 0 tw 0 alloc 9 mem 1

UDP: inuse 7 mem 0

UDPLITE: inuse 0

RAW: inuse 0

FRAG: inuse 0 memory 0

/proc/net/arp (the kernel's ARP cache; a sample. Flags 0x2 = complete entry, 0x0 = unresolved, hence the all-zero HW address on the first line)

IP address HW type Flags HW address Mask Device

192.168.1.160 0x1 0x0 00:00:00:00:00:00 * eth1

10.2.47.16 0x1 0x2 00:20:6b:a1:85:30 * eth2

10.2.47.1 0x1 0x2 00:00:0c:07:ac:2f * eth2

192.168.0.51 0x1 0x2 00:12:3f:6f:82:03 * eth0

some commands that get their information from /proc

lsof -ni shows all processes with active network sockets (-n: no DNS lookups)

netstat -n --inet

netstat -nr

ifconfig

/proc/net/nf_conntrack shows the connections netfilter's connection tracking currently knows about (the table that iptables -m state consults)

Remember: du, find, ls, pidof, ps, top, netstat, ifconfig are often replaced by rootkits; reading /proc yourself (or with statically linked tools from trusted media) is the cross-check against user-space rootkits, though a kernel-level rootkit can filter what /proc shows as well
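The /proc tour above is the basis of a standard forensic cross-check: list the processes the kernel knows about by reading /proc directly, then compare with what ps reports. The script below is an added example for these notes, not something from the lecture or from Farmer and Venema; it assumes a Linux /proc, the function names and the --live switch are its own conventions, and the PID lists used in its test inputs (4711, the non-numeric names) are constructed.

```shell
#!/bin/sh
# Added example (not from the lecture notes): cross-check the process list
# that /proc exposes against what the ps binary reports. A user-space rootkit
# that replaces ps hides its processes from ps but not from /proc, so a PID
# present in /proc and absent from ps is where to look first. A kernel
# rootkit can also filter /proc reads, so a clean result is not proof.

# hidden_pids PROC_LIST PS_LIST
# Both arguments are newline-separated lists; non-numeric entries from an
# `ls /proc` (cpuinfo, self, ...) are ignored. Prints the PIDs in the first
# list that are missing from the second, in the order of the first list.
hidden_pids() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } |
    awk '$0 == "--"                            { second = 1; next }
         !second && /^[0-9]+$/                 { seen[$0] = 1; next }
         second && /^[0-9]+$/ && !($0 in seen) { print }'
}

# /proc/<pid>/cmdline separates arguments with NUL bytes; turn them into
# spaces for display and drop the trailing one.
decode_cmdline() {
    tr '\000' ' ' | sed 's/ *$//'
}

# Live check on a Linux host: enumerate /proc directly (the kernel's view)
# and compare with ps. Returns 1 and describes each hidden PID if any.
# Re-run on a hit: a process that exited between the two listings shows up
# once as a false positive.
live_check() {
    proc_pids=$(ls /proc)
    ps_pids=$(ps -e -o pid= | tr -d ' ')
    hidden=$(hidden_pids "$proc_pids" "$ps_pids")
    if [ -z "$hidden" ]; then
        echo "no PIDs hidden from ps"
        return 0
    fi
    for pid in $hidden; do
        cmd=$(decode_cmdline < "/proc/$pid/cmdline" 2>/dev/null)
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
        echo "hidden pid $pid cmdline='$cmd' exe='$exe'"
    done
    return 1
}

case "${1:-}" in --live) live_check ;; esac
```

Run it as `sh proccheck.sh --live` on the host under investigation; the exe link is worth recording because it still resolves to the original inode when the binary has been unlinked from disk.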

Back to Router Configuration

Where it starts /etc/rc.d/rc.local

A BASH shell loop to enable Reverse Path Filtering

# ---Disable IP address spoofing by internal hosts: with rp_filter set, a packet is
# ---dropped when the route back to its source address would not leave via the
# ---interface it arrived on. The glob covers every interface plus "all" and "default".

for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
    echo "1" > $f
    echo "$f set to 1 for route verification"
done

Basic Operating System Defense (from the iptables Firewall HowTo)

You can do several things before running your firewall script to improve its resilience to attack. The Linux kernel has a number of built-in protection mechanisms that you activate by setting kernel parameters in the /proc filesystem; putting them in /etc/sysctl.conf makes them persistent across reboots. Using /etc/sysctl.conf to modify kernel parameters is explained in more detail in Appendix I, "Miscellaneous Linux Topics".

Here is a sample configuration:

# File: /etc/sysctl.conf
# sysctl accepts "." or "/" as the key separator; each key below is the
# path under /proc/sys, and "sysctl -p" loads the file.
#---------------------------------------------------------------
# Reverse-path filtering: drop a packet if the route back to its
# source address would not leave via the interface it arrived on.
# Defeats most source-address spoofing on a multi-homed box and
# keeps each conversation on one interface. The effective value per
# interface also depends on conf/<interface>/rp_filter (the higher of
# the two applies), which is why the loop above writes every one.
#---------------------------------------------------------------
net/ipv4/conf/all/rp_filter = 1
#---------------------------------------------------------------
# Log "martian" packets: impossible source or destination
# addresses for the interface they arrived on (including packets
# that rp_filter rejects)
#---------------------------------------------------------------
net/ipv4/conf/all/log_martians = 1
#---------------------------------------------------------------
# Do not send ICMP redirects. A router emits one when it forwards a
# packet back out the interface it arrived on; a firewall should
# not advertise its routing decisions.
#---------------------------------------------------------------
net/ipv4/conf/all/send_redirects = 0
#---------------------------------------------------------------
# Drop source-routed packets, in which the sender specifies the
# path and so bypasses this router's routing table
# See page 19
#---------------------------------------------------------------
net/ipv4/conf/all/accept_source_route = 0
#---------------------------------------------------------------
# Ignore ICMP redirects, which a spoofed sender could use to
# rewrite this host's routing table
#---------------------------------------------------------------
net/ipv4/conf/all/accept_redirects = 0
#---------------------------------------------------------------
# SYN flood (Denial of Service) protection: once the SYN backlog is
# full the kernel answers with a cryptographic cookie in the SYN-ACK
# and allocates connection state only when the client's final ACK
# returns the cookie
#---------------------------------------------------------------
net/ipv4/tcp_syncookies = 1
#---------------------------------------------------------------
# Do not answer pings sent to broadcast addresses (stops the host
# being used as a smurf amplifier)
#---------------------------------------------------------------
net/ipv4/icmp_echo_ignore_broadcasts = 1
#---------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#---------------------------------------------------------------
net/ipv4/ip_forward = 1

Additional information
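The sample above lists the settings; what a practitioner wants next is a way to confirm the running kernel actually has them. The script below is an added example, not part of the HOWTO or the lecture: it reads each key's live value from /proc/sys and reports every deviation. The optional root argument and the --live switch are this example's own conventions (the root exists so the audit can be pointed at a fake tree for testing).

```shell
#!/bin/sh
# Added example (not from the lecture notes or the iptables HOWTO): audit the
# running kernel against the hardening values in the /etc/sysctl.conf sample
# above by reading each key's live value from /proc/sys. The optional first
# argument is an alternate root for /proc/sys (assumption: used to test against
# a fake tree; on a real host leave it empty).

# Expected settings, copied from the sample above. sysctl accepts either dots
# or slashes as separators; the slash form maps 1:1 onto /proc/sys.
EXPECTED='
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/ip_forward=1
'

# sysctl_path KEY [ROOT]: convert a key in either notation to its file path.
sysctl_path() {
    printf '%s/%s\n' "${2:-/proc/sys}" "$(printf '%s' "$1" | tr '.' '/')"
}

# audit_sysctl [ROOT]: print one line per deviation as
# "key expected=X actual=Y" ("missing" when the file does not exist, e.g.
# the netfilter module is not loaded). Returns 1 if anything deviates.
# Note: conf/all/* values combine with the per-interface conf/<if>/* files
# (for rp_filter the higher of the two applies), so a clean conf/all does
# not by itself prove every interface is covered.
audit_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    for kv in $EXPECTED; do
        key=${kv%%=*}
        want=${kv#*=}
        path=$(sysctl_path "$key" "$root")
        if [ -r "$path" ]; then
            got=$(cat "$path")
        else
            got=missing
        fi
        if [ "$got" != "$want" ]; then
            echo "$key expected=$want actual=$got"
            bad=1
        fi
    done
    return $bad
}

case "${1:-}" in --live) audit_sysctl ;; esac
```

Run `sh sysctl-audit.sh --live` after boot and again after the firewall script has run: a non-zero exit means something (a later script, a daemon, a configuration-management tool) has undone one of the settings.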

________________________________________

iptables is a stateful firewall

The conntrack module tracks each connection by protocol and 4-tuple (source IP, source port, destination IP, destination port); UDP and ICMP, which have no connections, get pseudo-connections keyed the same way

iptables states (what -m state --state matches)

NEW the packet starts a new connection, or belongs to one that has not yet seen packets in both directions

ESTABLISHED the packet belongs to a connection that has seen packets in both directions

RELATED the packet starts a new connection that is tied to an existing one (an FTP data channel, or an ICMP error about a tracked connection)

INVALID the packet cannot be associated with any known connection and no entry can be created for it (a stray ACK, a malformed header); such packets are not dropped automatically, a rule must do it

Connection Tracking in iptables (the nf_conntrack module)

/proc/net/nf_conntrack the live table, one entry per tracked connection

/proc/sys/net/netfilter/nf_conntrack_max the maximum number of entries; when the table is full the kernel drops packets of new connections and logs "nf_conntrack: table full, dropping packet"

/proc/net/nf_conntrack (a sample). Columns: L3 protocol and number, L4 protocol and number, seconds until the entry expires, TCP state (UDP entries have none), the original-direction tuple with its packet and byte counters, [UNREPLIED] if nothing has yet been seen in the reply direction, then the expected reply tuple, and [ASSURED] once the connection has carried traffic both ways

ipv4 2 tcp 6 51 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2511 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2511 packets=0 bytes=0 mark=0 secmark=0 use=1

ipv4 2 udp 17 7 src=192.168.0.51 dst=10.2.45.76 sport=1025 dport=161 packets=4 bytes=424 [UNREPLIED] src=10.2.45.76 dst=10.2.47.30 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1

ipv4 2 tcp 6 299 ESTABLISHED src=192.168.0.51 dst=192.168.0.1 sport=2321 dport=22 packets=1709 bytes=155564 src=192.168.0.1 dst=192.168.0.51 sport=22 dport=2321 packets=1434 bytes=164477 [ASSURED] mark=0 secmark=0 use=1

ipv4 2 udp 17 13 src=192.168.0.51 dst=10.2.47.16 sport=1025 dport=161 packets=1 bytes=106 src=10.2.47.16 dst=10.2.47.30 sport=161 dport=1025 packets=1 bytes=109 mark=0 secmark=0 use=1

ipv4 2 tcp 6 77 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2512 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2512 packets=0 bytes=0 mark=0 secmark=0 use=1

ipv4 2 tcp 6 24 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2510 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2510 packets=0 bytes=0 mark=0 secmark=0 use=1

ipv4 2 udp 17 26 src=192.168.0.51 dst=192.168.1.160 sport=1025 dport=161 packets=7 bytes=742 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1

ipv4 2 tcp 6 103 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2513 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2513 packets=0 bytes=0 mark=0 secmark=0 use=1
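The listing above is what /proc/net/nf_conntrack looks like; reading it by eye does not scale past a few dozen entries. As an added example (not from the lecture), the script below parses the page's own sample lines, embedded so it runs offline, summarises the table by protocol and state, and picks out the repeated unanswered SYNs from 192.168.0.51 to 192.168.1.160:9100 that the four SYN_SENT [UNREPLIED] entries represent. The threshold argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lecture notes): read the conntrack table and
# pull out the half-open connections. SAMPLE is the /proc/net/nf_conntrack
# listing shown above, embedded so the script runs offline; on a live router
# use:  half_open_syn 3 < /proc/net/nf_conntrack
SAMPLE=$(cat <<'EOF'
ipv4 2 tcp 6 51 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2511 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2511 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 udp 17 7 src=192.168.0.51 dst=10.2.45.76 sport=1025 dport=161 packets=4 bytes=424 [UNREPLIED] src=10.2.45.76 dst=10.2.47.30 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 299 ESTABLISHED src=192.168.0.51 dst=192.168.0.1 sport=2321 dport=22 packets=1709 bytes=155564 src=192.168.0.1 dst=192.168.0.51 sport=22 dport=2321 packets=1434 bytes=164477 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 udp 17 13 src=192.168.0.51 dst=10.2.47.16 sport=1025 dport=161 packets=1 bytes=106 src=10.2.47.16 dst=10.2.47.30 sport=161 dport=1025 packets=1 bytes=109 mark=0 secmark=0 use=1
ipv4 2 tcp 6 77 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2512 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2512 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 24 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2510 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2510 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 udp 17 26 src=192.168.0.51 dst=192.168.1.160 sport=1025 dport=161 packets=7 bytes=742 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=161 dport=1025 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 103 SYN_SENT src=192.168.0.51 dst=192.168.1.160 sport=2513 dport=9100 packets=3 bytes=144 [UNREPLIED] src=192.168.1.160 dst=192.168.0.51 sport=9100 dport=2513 packets=0 bytes=0 mark=0 secmark=0 use=1
EOF
)

# conntrack_summary < table
# Count entries by L4 protocol and TCP state (UDP entries have no state
# column, shown as "-"): a quick picture of what the router is tracking.
conntrack_summary() {
    awk '{ state = ($3 == "tcp") ? $6 : "-"; n[$3 " " state]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# half_open_syn MIN < table
# Print "count src dst:dport" for every (src, dst, dport) with at least MIN
# TCP entries in SYN_SENT that are still [UNREPLIED]: one source has sent
# SYNs that nothing answered, which is what a scan of a closed or filtered
# port, or a dead service, looks like from the router.
half_open_syn() {
    awk -v min="${1:-3}" '
        $3 == "tcp" && $6 == "SYN_SENT" && /\[UNREPLIED\]/ {
            # the first src=/dst=/dport= tokens are the original direction;
            # the reply tuple after [UNREPLIED] is deliberately skipped
            src = dst = dport = ""
            for (i = 7; i <= NF; i++) {
                if (src == ""   && index($i, "src=") == 1)   src = substr($i, 5)
                if (dst == ""   && index($i, "dst=") == 1)   dst = substr($i, 5)
                if (dport == "" && index($i, "dport=") == 1) dport = substr($i, 7)
            }
            n[src " " dst ":" dport]++
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }
    ' | sort
}

printf '%s\n' "$SAMPLE" | conntrack_summary
printf '%s\n' "$SAMPLE" | half_open_syn 3
```

On the sample this reports one established ssh session, three UDP (SNMP, port 161) pseudo-connections and four half-open TCP entries, and flags 192.168.0.51 for four unanswered SYNs to 192.168.1.160:9100 (a printer port): the same condition the lecture's script would only reveal by reading the table line by line.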

A good guide to IP Tables Firewalls



rc.firewall.new (started from rc.local, a BASH script)

#---------------[ start ]--------------------
ipt="/sbin/iptables"

# eth2 is the backbone (uplink to the college network)
# eth0 is internal network 192.168.0.0
# eth1 is internal network 192.168.1.0
bbone="eth2"
subnet1="eth0"
subnet2="eth1"
AnyAddr="0/0"

modprobe ip_tables
modprobe iptable_nat

#---Clear rules from the filter and nat tables
#---(-F flushes rules but leaves each chain's policy untouched)
$ipt -F
$ipt -t nat -F
#--------------[ end init ]------------------

# ---Enable forwarding and disable internal
# ---network IP address spoofing (the rp_filter loop explained above).
echo "1" > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
    echo "1" > $f
    echo "$f set to 1 for route verification"
done

# --Drop all new connections arriving from the backbone (and INVALID packets);
# --only replies to connections initiated from the router get through INPUT.
# --Drop packets arriving from the backbone for the private 172.16.0.0/12 range.
# --Log traffic to port 138 from the backbone and to the router's ssh port 22.
$ipt -A INPUT -i eth2 -m state --state NEW,INVALID -j DROP
$ipt -t nat -A PREROUTING -i eth2 -d 172.16.0.0/12 -j DROP
$ipt -t nat -A PREROUTING -i eth2 -p tcp --dport 138 -j LOG --log-level 4 --log-prefix "[ RPC Warm ]"
$ipt -A INPUT -d 10.2.47.30 -p tcp --dport 22 -j LOG --log-level WARNING --log-prefix "[ssh]"
# Note: the nat table is consulted only for the first packet of each connection,
# so the LOG rule in nat PREROUTING records connection attempts, not every packet;
# rules meant to see all traffic belong in the filter table (INPUT/FORWARD).
#--------------[ end default ]---------------


# --Redirect traffic arriving for the router's public address to internal hosts, by port.
#$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3501 -j DNAT --to 192.168.0.159:3389 # remote admin to windows box
$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3500 -j DNAT --to 192.168.1.9:22 # worldnode
#$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3503 -j DNAT --to 192.168.0.50:4899 # remote admin workstation2 in 4214
$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3502 -j DNAT --to 192.168.0.51:4899 # D Salane Remote Admin
#$ipt -t nat -A PREROUTING -d 10.2.47.30 -p tcp --dport 3505 -j DNAT --to 192.168.0.159:3505 # Test
#------------[ end redirects ]------------

# Drop packets to or from problem addresses, listed one per line in the block file
#blocked=$(cat /root/firewall/blocks.fw)
blocked=$(cat /root/blocks.fw)
for host in $blocked; do
    $ipt -A INPUT -s ${host} -j DROP
    $ipt -A OUTPUT -d ${host} -j DROP
    $ipt -A FORWARD -s ${host} -j DROP
    $ipt -A FORWARD -d ${host} -j DROP
done

# Apply IP masquerading to packets sent out to the backbone
# Forward packets identified as ESTABLISHED or RELATED
# Forward all packets from the internal subnets
$ipt -t nat -A POSTROUTING -o $bbone -j MASQUERADE
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $subnet1 -j ACCEPT
$ipt -A FORWARD -i $subnet2 -j ACCEPT
# Note: no chain policy is set anywhere in this script, so FORWARD keeps its default
# ACCEPT policy. The DNAT'd connections from the backbone match none of the three
# rules above and are admitted by that default, as is any other packet the backbone
# delivers for an internal address. A FORWARD policy of DROP with explicit ACCEPTs
# for the DNAT'd destinations would close that.
#-------------[ end masquerading ]---------
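The script above never sets a chain policy, so every chain keeps its boot-time default of ACCEPT and the DNAT'd traffic is admitted by that default rather than by a rule. The script below is an added example, not the lecture's rc.firewall.new: it rebuilds the same layout (eth2 backbone, eth0/eth1 internal subnets, 10.2.47.30 public address, the two active DNAT entries) with DROP policies on INPUT and FORWARD and explicit ACCEPTs, and applies the block list before any state match. DRY_RUN, the BLOCKED variable, the pubip name, the loopback rule and the ssh LOG prefix are this example's own conventions; with DRY_RUN=1 it prints the iptables commands instead of loading them.

```shell
#!/bin/sh
# Added example, not the lecture's rc.firewall.new: the same router layout
# (eth2 = backbone, eth0/eth1 = internal subnets, 10.2.47.30 = the router's
# public address, the two published DNAT services) rewritten so that INPUT and
# FORWARD have an explicit DROP policy and the backbone can only reach what is
# deliberately published. With DRY_RUN=1 the commands are printed, not run.
bbone=eth2
subnet1=eth0
subnet2=eth1
pubip=10.2.47.30
BLOCKED=${BLOCKED:-}   # space-separated problem addresses (assumed input; the
                       # lecture's script reads them from /root/blocks.fw)

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else /sbin/iptables "$@"; fi
}

load_rules() {
    ipt -F
    ipt -t nat -F
    # -F removes rules but leaves chain policies alone; set them explicitly so
    # nothing relies on the boot-time default of ACCEPT.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Block list first, ahead of any state match, so that even an already
    # ESTABLISHED connection with a blocked host stops immediately.
    for host in $BLOCKED; do
        ipt -A INPUT   -s "$host" -j DROP
        ipt -A OUTPUT  -d "$host" -j DROP
        ipt -A FORWARD -s "$host" -j DROP
        ipt -A FORWARD -d "$host" -j DROP
    done

    # Traffic to the router itself: loopback, replies to what it started, and
    # new connections only from the internal subnets. ssh attempts from the
    # backbone are logged, then fall through to the DROP policy.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i "$subnet1" -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$subnet2" -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$bbone" -p tcp --dport 22 -j LOG --log-level 4 --log-prefix "[ssh] "

    # Forwarded traffic: replies first, then anything the internal subnets
    # start. Nothing NEW from the backbone is forwarded except the published
    # services below, so no rule depends on the nat table to drop anything.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$subnet1" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$subnet2" -m state --state NEW -j ACCEPT

    # Published services: external port -> internal host:port. Each DNAT needs
    # a matching FORWARD accept for the translated destination, because FORWARD
    # sees the packet after PREROUTING has already rewritten it.
    for map in "3500 192.168.1.9 22" "3502 192.168.0.51 4899"; do
        set -- $map
        ipt -t nat -A PREROUTING -i "$bbone" -d "$pubip" -p tcp --dport "$1" \
            -j DNAT --to-destination "$2:$3"
        ipt -A FORWARD -i "$bbone" -d "$2" -p tcp --dport "$3" \
            -m state --state NEW -j ACCEPT
    done

    # Masquerade internal sources leaving via the backbone.
    ipt -t nat -A POSTROUTING -o "$bbone" -j MASQUERADE
}

case "${1:-}" in --load) load_rules ;; esac
```

Review the output of `DRY_RUN=1 sh rc.firewall.hardened --load` before running it for real; the ip_forward and rp_filter settings are left to the sysctl configuration above rather than repeated here.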


References:

D. Farmer and W. Venema, Forensic Discovery, Addison-Wesley, 2008

(see links in text)
