
Wednesday, February 12, 2014

Iptables String Matching for Advanced Firewalling

Introduction.

When it comes to any server or network connected to the Internet, protection from malicious files and intrusion attempts is a concern for every administrator. Linux has shipped with its own firewall since its early releases, and the current iptables firewall maintained by the netfilter team has grown into a powerful security and network management tool in recent releases. It is a topic of interest for any Linux-based server or network administrator. This article covers effective configuration and optimisation of the iptables firewall in 2.6.x kernels in order to defend more effectively against TCP attacks and to drop unwanted packets without interfering with your business-critical services.

Kernels from 2.6 include support for matching strings present in IP packets by inspecting the entire packet data. Earlier kernels supported matching at the IP header level only, which was a limitation, as rules could only be formed from header values such as IP addresses, ports and packet state. The netfilter iptables firewall has advanced greatly in the latest kernels, and the string matching option is among the most interesting of these advances for server administrators. Rules based on string matching are very easy to implement. This guide introduces the method to users with a basic understanding of networking and iptables.

System Requirements.

  1. Preferred kernel version: 2.6.18 or later.
  2. The iptables program (1.3.5 or later) installed on your machine.
  3. The kernel should be compiled with string matching support. To do this, the following line should be added to the .config file prior to compiling the kernel:
     CONFIG_NETFILTER_XT_MATCH_STRING=m


If you use a pre-compiled kernel, check for this option in the config file for the appropriate kernel version in your /boot directory. If present, it means that netfilter string matching is compiled as a module. Make sure that the module is loaded (using the lsmod command or by looking for the appropriate entry in the /proc/modules file). The minimum requirement is a 2.6.14 kernel; however, it is a bit difficult to get it working on kernels before 2.6.18, and customising the kernel and iptables is required in that case. Suggested configuration options for older kernels can be detailed in another article, if there is demand.

Formatting the Rules.

If iptables is installed with string matching support, the help text for the string match extension can be displayed with the following command:

iptables -m string --help

Here is the relevant section from the iptables(8) man page:

   string

          This module matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.

          --algo bm|kmp

                 Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)

          --from offset

                 Set the offset from which it starts looking for any matching. If not passed, default is 0.

          --to offset

                 Set the offset to which it starts looking for any matching. If not passed, default is the packet size.

          --string pattern

                 Matches the given pattern.

          --hex-string pattern

                 Matches the given pattern in hex notation.


In iptables 1.3.5, you need to specify the algorithm to use for string matching using the --algo option. We may limit the search by specifying the offset values as well. Two algorithms can be used, Boyer-Moore and Knuth-Morris-Pratt. More information regarding these algorithms can be found at Wikipedia - for Boyer-Moore the URL is:

http://en.wikipedia.org/wiki/Boyer%E2%80%93Moore_string_search_algorithm

and for Knuth-Morris-Pratt the URL is:

http://en.wikipedia.org/wiki/Knuth%E2%80%93Morris%E2%80%93Pratt_algorithm

Boyer-Moore is efficient and fast and is preferable in most cases.

Common Applications and Useful Example Rules:

1) To prevent an intrusion attempt.

If a suspicious URL upload through the web server has been detected, you could frame a rule along the following lines:
iptables -I INPUT 1 -p tcp --dport 80 -m string --string "cmd.exe" --algo bm -j DROP
The rule drops all packets to port 80 containing the string cmd.exe. mod_security is an option for the same purpose, but it can add considerable load to a busy web server.

2) To defend a service against DDoS.

It is a common case that we need to drop requests to a domain while it is under DDoS. mod_dosevasive is an option, but it really loads the web server. The string matching option can be used here without burdening the web server.

iptables -I INPUT 1 -p tcp --dport 80 -m string --string "domain.com" --algo kmp -j DROP
The rule drops all web requests containing domain.com. These rules can also be combined with other iptables matches and options depending on what is required.

3) To defend against e-mail spoofing.

We can make use of the string matching option in numerous cases to drop intruder and spam packets before they reach the server application. Another example: the mail server is receiving many spoofed e-mails with a common Subject line. If the spammer is using a single IP address, it is very easy to block him using RBLs, conventional iptables rules and so on. But when the spammer is using many different IP addresses, things become difficult for the administrator. In such a case, a string-based rule matching that common subject line (replace the placeholder below with the actual subject text, since matching the bare word Subject would drop every message) can be added to the firewall so that the mail server does not get overloaded by the spoofed mails:
iptables -I INPUT -p tcp --dport 25 -m string --string "Subject: COMMON_SPAM_SUBJECT" --algo bm -j DROP

Do it now with an optimised rule!

The same rule can be modified into one with less overhead (that is, it uses fewer resources) by limiting the search with offset values, assuming that the SMTP Subject header will be found within the first 15000 bytes of the packet.
iptables -I INPUT -p tcp --dport 25 -m string --string "Subject: COMMON_SPAM_SUBJECT" --algo bm --to 15000 -j DROP

4) Other general cases.

Apart from the instances discussed above, you can make use of the string matching options wherever you need to manage the packets entering a server or network based on strings such as URLs, file names, file contents and so on.
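As an added example (not from the original article), a small POSIX shell helper that composes the kind of string-match rules shown in cases 1 to 4 and prints them for review: it validates --algo, applies an offset limit, pairs each DROP with a rate-limited LOG rule so that drops are visible in the kernel log, and converts an ASCII pattern to the --hex-string notation from the man page. The function names and the LOG prefix are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): compose iptables string-match
# rules with the options discussed above and print them for review before they
# are applied as root. Function names and the LOG prefix are our own choices.

# to_hex_string PATTERN: convert an ASCII pattern to --hex-string notation,
# e.g. "cmd.exe" -> "|63 6d 64 2e 65 78 65|". Needed when the pattern holds
# bytes (CR/LF, NUL, quotes) that --string cannot express on the command line.
to_hex_string() {
    hex=$(printf '%s' "$1" | od -An -tx1 | tr '\n' ' ' | tr -s ' ' | sed 's/^ //; s/ $//')
    printf '|%s|' "$hex"
}

# string_rule PORT PATTERN ALGO [TO]: print a rate-limited LOG rule followed by
# the DROP rule, so every drop leaves a trace in the kernel log. ALGO must be
# bm or kmp; TO, if given, limits the scan offset to cut the per-packet cost.
string_rule() {
    port=$1 pattern=$2 algo=$3 to=$4
    case "$algo" in
        bm|kmp) ;;
        *) echo "string_rule: --algo must be bm or kmp, got '$algo'" >&2; return 1 ;;
    esac
    match="-p tcp --dport $port -m string --string \"$pattern\" --algo $algo"
    if [ -n "$to" ]; then
        match="$match --to $to"
    fi
    # Caveat: the match is evaluated per packet, so a pattern split across two
    # TCP segments, or carried inside TLS, is not seen by this rule.
    printf 'iptables -I INPUT 1 %s -m limit --limit 5/min -j LOG --log-prefix "STRMATCH-%s: "\n' "$match" "$port"
    printf 'iptables -I INPUT 2 %s -j DROP\n' "$match"
}

# Demo: the web-server rule from example 1, scanning only the first 1500 bytes.
string_rule 80 cmd.exe bm 1500
```

Review the printed commands, then run them as root; the LOG line comes first so that the kernel log shows what the DROP rule is discarding.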

Conclusion.

The string matching option can be used effectively when a network needs to be filtered on packet contents. We can drop the packets right at the kernel level without overloading the server applications. However, string matching involves a higher overhead for the kernel than ordinary iptables matches. Offset limits should be specified for the search wherever possible in order to reduce this overhead.

Thursday, July 25, 2013

How To Configure Wireless / WiFi Networking in Ubuntu via the Command Line (CLI)

There are a number of tutorials available on-line for sorting out WiFi in Ubuntu via the CLI, but most of them seem quite outdated, so I decided to do my own.

I did this on a minimal install of Ubuntu Lucid, so it is as up-to-date as possible. The PC I was using has no window manager or graphical display manager, just the good old terminal, so all this is done via the CLI only. I did this using a USB WiFi dongle, but it should be the same whether you use an internal card or a USB card.

First, you need to install the relevant software. You need to have a wired connection at this point, otherwise this won't work.

sudo apt-get install wireless-tools wpasupplicant

If you are connecting to an open network, you won't need wpasupplicant. Next, you need to “bring up” (essentially this means activate) your WiFi interface. So, issue:

sudo ifconfig wlan0 up

Next, to make sure your wireless device is working as it should issue:

iwconfig

and then

sudo iwlist scan

This should show you some wireless networks as proof that the WiFi device is working. If something goes wrong here, there is a problem with your device or driver and you need to get googling.
If you are accessing a secured network (and you really should be), you need the correct version of your WiFi key. To get your key, issue this command:

wpa_passphrase YOURSSID YOURWIFIPASSWORD 

This will result in something that looks like this:

network={
	ssid="YOURSSID"
	#psk="YOURWIFIPASSWORD"
	psk=fe727aa8b64ac9b3f54c72432da14faed933ea511ecab15bbc6c52e7522f709a
}


You need to make a note of the long phrase after psk= (NOT #psk=), as this is your WiFi password in hex format.
Next, you need to edit your interfaces file, so issue:

sudo nano /etc/network/interfaces

At the end of this file, you need to add your WiFi configuration. Here are the options you can add.

auto wlan0     #change this to the name of your WiFi interface
iface wlan0 inet dhcp     #this is normally fine, if you want a static IP address replace “dhcp” with “static”
netmask 255.255.255.0     #change this as appropriate for your network, this value is usually right
gateway 192.168.1.1     #change this as appropriate for your network
address 192.168.1.100     #only needed for a static IP address
dns-nameservers 192.168.1.1     #only needed for a static IP address
wpa-driver wext     #you shouldn’t need to change this
wpa-ssid YOURSSID     #just type the name of your SSID here
wpa-ap-scan 1     #if the name of your SSID is hidden usually, type 2 instead of 1
wpa-proto WPA    #if you use WPA1 type WPA, if you use WPA2 type RSN
wpa-pairwise CCMP     #if you use AES type CCMP, if you use TKIP type TKIP
wpa-group CCMP     #if you use AES type CCMP, if you use TKIP type TKIP
wpa-key-mgmt WPA-PSK     #usually WPA-PSK (if you share a key) but sometimes WPA-EAP (for enterprises)
wpa-psk YOURHEXKEYFROMABOVE     #the hex key that you generated earlier

Thus, since I am using a WiFi card that is identified as wlan0 and am connecting to a WPA1 AES encrypted network called MYPLACE that isn’t hidden, without a static IP address, this is what I added:

auto wlan0
iface wlan0 inet dhcp
netmask 255.255.255.0
gateway 192.168.1.1
wpa-driver wext
wpa-ssid MYPLACE
wpa-ap-scan 1
wpa-proto WPA
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk 71c81a844973ae7bb1243141e5caa7b6bb0e2d7eetcetcetc


Finally, comment out the top section so it looks like this:

#auto eth0
#iface eth0 inet dhcp


This stops your wired network from working. This helps to ensure there are no conflicts. Remember, if you want your wired network to work again, remove these two comments (the #).
Finally, save the file by pressing CTRL and X and then pressing Y to save to the file. Now, reboot and your network should come up. Yay!
Some people have found that this doesn’t always work, so the next thing to do is to edit the configuration file for the wpasupplicant program. Do this by issuing:

sudo nano /etc/wpa_supplicant.conf

Basically, you add pretty much the same information here as you did to the interfaces file, except without the wpa- part. So, my file looks like this:

ap_scan=1
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="MYPLACE"
scan_ssid=0
psk=71c81a844973ae7bb1243141e5caa7b6bb0e2d7eetcetcetc
key_mgmt=WPA-PSK
proto=WPA
pairwise=CCMP
group=CCMP
}


As far as I am aware, the options are the same. So, edit this file as necessary; make sure you add the ctrl_interface and network={ at the beginning and the } part at the end. Save it and try restarting again. If it still doesn’t work, then kick your PC, wish you had installed Windows 7 instead and go off and do some Googling. You’ll find the answer on the Ubuntu forums and you’ll be happy again.
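As an added example, not part of the original post, here is a POSIX shell helper for the two manual steps above: pulling the hex PSK out of the wpa_passphrase output (the psk= line, not the #psk= comment that still holds the plaintext) and writing the wpa_supplicant.conf stanza with restrictive permissions. The function names and the sample PSK are my own.

```shell
#!/bin/sh
# Added example (not from the original post): read `wpa_passphrase SSID PASS`
# output, extract the hex PSK (psk= line, not the #psk= plaintext comment),
# validate it, and build the wpa_supplicant.conf stanza from the post.
# Function names and the sample values below are ours.

# extract_psk: read wpa_passphrase output on stdin, print the 64-hex-digit PSK.
# Fails when no such line exists, so a pasted #psk= line is rejected.
extract_psk() {
    psk=$(sed -n 's/^[[:space:]]*psk=\([0-9a-fA-F]*\)[[:space:]]*$/\1/p' | head -n 1)
    if [ "${#psk}" -ne 64 ]; then
        echo "extract_psk: expected a psk= line with 64 hex digits (not #psk=)" >&2
        return 1
    fi
    printf '%s\n' "$psk"
}

# network_block SSID PSK PROTO PAIRWISE: print the network={...} stanza.
# PROTO is WPA (WPA1) or RSN (WPA2); PAIRWISE is CCMP (AES) or TKIP, as in the
# post; the group cipher is set to the same value as the pairwise cipher.
network_block() {
    ssid=$1 psk=$2 proto=$3 pairwise=$4
    case "$proto" in WPA|RSN) ;; *) echo "proto must be WPA or RSN" >&2; return 1 ;; esac
    case "$pairwise" in CCMP|TKIP) ;; *) echo "pairwise must be CCMP or TKIP" >&2; return 1 ;; esac
    printf 'network={\n\tssid="%s"\n\tscan_ssid=0\n\tpsk=%s\n\tkey_mgmt=WPA-PSK\n\tproto=%s\n\tpairwise=%s\n\tgroup=%s\n}\n' \
        "$ssid" "$psk" "$proto" "$pairwise" "$pairwise"
}

# write_conf FILE SSID PSK PROTO PAIRWISE: write the whole config with mode 0600,
# since anyone who can read this file can join the network.
write_conf() {
    umask 077
    {
        printf 'ctrl_interface=/var/run/wpa_supplicant\nap_scan=1\n'
        network_block "$2" "$3" "$4" "$5"
    } > "$1"
}

# Constructed sample of wpa_passphrase output; the PSK is made up, not a real key.
SAMPLE='network={
	ssid="MYPLACE"
	#psk="sample passphrase"
	psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
}'

# Demo: extract the PSK from the sample and print the resulting stanza.
DEMO_PSK=$(printf '%s\n' "$SAMPLE" | extract_psk)
network_block MYPLACE "$DEMO_PSK" WPA CCMP
```

To install the result, run something like `wpa_passphrase MYPLACE 'your passphrase' | extract_psk` as root and pass the printed PSK to write_conf with /etc/wpa_supplicant.conf as the target.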

Best of luck!