I seem to work best at night: it’s dark out, and generally quite dark inside too; there is more bandwidth because it is off peak, and in general there is nobody coming over or phoning and interrupting me. Incidentally, it’s also when I do the majority of my reading, at home, in bed, at night. Much more pleasant that way…
PSAD
Anyway, the latest book I have been reading is called “Linux Firewalls – Attack Detection and Response with iptables, psad, and fwsnort” by Michael Rash who, incidentally, runs CipherDyne.org – the site where PSAD, FWSNORT and a fair few other Linux and security tools are developed. Now, you may think that with a title like that you’re going to have to know a lot about Linux and firewalls before you begin, but that is simply not true. Linux Firewalls takes you right from the very start of how iptables works to manually porting Snort rules over to iptables for detection, and in my humble opinion, it does a damn good job of it. In fact, it did such a good job of it that I have used the reference firewall scripts and PSAD configurations to install and configure iptables and PSAD on my new VPS, which I will hopefully be moving some of my sites to.
Some of the things you should probably have already if you want to get the best out of Linux Firewalls are…
- A comfortable familiarity with the distribution of Linux you wish to use.
- Basic understanding of how networks communicate.
- Reasonable understanding of how TCP works (i.e. the three-way handshake)
- Reasonable understanding of how UDP works
- A system to test this stuff on; if you don’t have one, you could always set up a few virtual machines using VirtualBox or VMware.
- A will to learn about this kind of stuff
Missing any one of these things (except the will to learn, that’s pretty important) probably isn’t going to be a huge deal, but if you’re missing a lot of them, you might struggle a bit with some of the concepts.
Here is a sample of one of the basic Linux Firewall scripts that I have adapted from the book…
#!/bin/sh
#Port and IP addresses changed to protect the innocent.
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

### Flush existing rules and settings. Set to default drop.
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -X
#$IPTABLES -t nat -F
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
#$IPTABLES -P FORWARD DROP

### Load the connection tracking modules. Not going to bother with NAT
# (On newer kernels these modules are named nf_conntrack and nf_conntrack_ftp.)
echo "[+] Loading conntrack support..."
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp

### Input Chain
echo "[+] Setting up INPUT chain..."
# Log and then drop packets that conntrack cannot associate with any connection,
# then let through anything belonging to an already-accepted connection.
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Allowing Broadcasts
$IPTABLES -A INPUT -d 255.255.255.255 -j ACCEPT
$IPTABLES -A INPUT -d x.x.x.x -j ACCEPT #Replace the x's with your network's broadcast address

### Anti-spoofing measures
#$IPTABLES -A INPUT -i eth0 -j LOG --log-prefix "SPOOFED PKT "
#$IPTABLES -A INPUT -i eth0 -j DROP

### Accept rules...
# Only new TCP connections (SYN) to the listed ports are accepted; everything
# else falls through to the default DROP policy set above.
$IPTABLES -A INPUT -i lo -j ACCEPT #All local connections
$IPTABLES -A INPUT -i eth0 -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT #Webserver
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT #SSHd
$IPTABLES -A INPUT -i eth0 -p tcp --dport 1000 --syn -m state --state NEW -j ACCEPT #Webmin
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #Accept Ping's

### Output Chain
echo "[+] Setting up OUTPUT chain - Allowing all!"
$IPTABLES -A OUTPUT -j ACCEPT

### Forward Chain
echo "[+] Setting up FORWARD chain - Nothing to do."
$IPTABLES -A FORWARD -j LOG --log-prefix "DROP FORWARD " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -j DROP
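The script above only logs and drops; the detection half of the book (PSAD) comes from reading the LOG lines it produces. As an added example that is not from the book, the CipherDyne tools or the original post, here is a small /bin/sh + awk summariser for the "DROP INVALID " and "DROP FORWARD " log prefixes that the script emits, counting dropped packets per prefix and source address. The kernel log lines in SAMPLE_LOG are constructed for the demonstration and do not describe real traffic; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output from the firewall script above.
# Not part of the book, PSAD or the original post.

# Constructed kernel log lines in the iptables LOG format (sample data, not real traffic).
SAMPLE_LOG='Mar  3 01:02:03 vps kernel: DROP INVALID IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Mar  3 01:02:04 vps kernel: DROP INVALID IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Mar  3 01:02:05 vps kernel: DROP FORWARD IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 PROTO=UDP SPT=53 DPT=1024 LEN=40
Mar  3 01:02:06 vps kernel: DROP INVALID IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=0 PROTO=TCP SPT=1234 DPT=1000 WINDOW=0 RES=0x00 RST URGP=0
Mar  3 01:02:07 vps sshd[123]: Accepted publickey for me from 192.0.2.50 port 55555 ssh2'

# Read log lines on stdin; print "count<TAB>prefix<TAB>src" for every dropped
# packet the firewall logged, highest count first. Lines without "kernel: DROP "
# (e.g. the sshd line) are ignored.
drop_summary() {
    awk '
        /kernel: DROP / {
            # The log prefix is everything between "kernel: " and " IN=".
            line = $0
            sub(/.*kernel: /, "", line)
            split(line, parts, / IN=/)
            prefix = parts[1]
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "") count[prefix "\t" src]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# Helpers over the constructed sample: total drops, drops from one source,
# drops under one log prefix.
total_drops()     { printf '%s\n' "$SAMPLE_LOG" | drop_summary | awk -F'\t' '{n += $1} END {print n+0}'; }
drops_for_src()   { printf '%s\n' "$SAMPLE_LOG" | drop_summary | awk -F'\t' -v s="$1" '$3 == s {n += $1} END {print n+0}'; }
drops_for_prefix(){ printf '%s\n' "$SAMPLE_LOG" | drop_summary | awk -F'\t' -v p="$1" '$2 == p {n += $1} END {print n+0}'; }

# Usage on the sample: full per-source table, then the totals.
printf '%s\n' "$SAMPLE_LOG" | drop_summary
echo "total dropped: $(total_drops)"
echo "invalid-state drops: $(drops_for_prefix 'DROP INVALID')"
```

On a live system you would feed it the kernel log instead (for example `grep 'kernel: DROP' /var/log/messages | drop_summary` or the equivalent journalctl query), which gives a quick "who is hitting the default-drop policy" view before you move on to psad's own signature matching.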
I hope that this impromptu book review is of at least some help to you.
Side Note: The bold bits in the posting are for a little test that I am doing on keyword density… I’ll let you all know how it goes.