Hanumax

Wednesday, February 12, 2014

Iptables String Matching for Advanced Firewalling

Introduction.

When it comes to any server or network connected to the internet, security from malicious files and hack attempts is a matter of concern for any administrator. Linux provides its own firewall from the early releases itself. The current iptables firewall maintained by the netfilter team is advancing to more powerful security and network management tool with the recent releases.It will be a topic of interest for any linux based server/network administrator. This article covers effective configuration and optimization of the iptables firewall system in 2.6.x kernels in order to more effectively defend against TCP attacks and to drop unwanted packets without messing them up with your business critical services!!

Kernels from 2.6 include support for matching strings present in IP packets, inspecting the entire packet data. Earlier kernels supported matching at the IP header level only, which was a limitation as the rules can be formed only based on header values like IP addresses, ports, packet state etc. The netfilter iptables firewall system has undergone great advancements in the latest kernels, with the modified string matching option being more interesting among them for server administrators. The rules, based on string matching functions, are very easy to implement. This guide intends to introduce the method to users with a basic understanding of networking and iptables.

System Requirements.

Preferred kernel version : 2.6.18 or later.
The iptables program(1.3.5 or later) installed on your machine.
The kernel should be compiled with string matching support. To do this, the following line should be added to the .config file prior to compiling the kernel:
```
CONFIG_NETFILTER_XT_MATCH_STRING=m
```

If you use a pre-complied kernel, check for this option in the config file with the appropriate version of the kernel in your /boot directory. If present, it means that netfilter string matching is compiled as a module. Make sure that the module is loaded (using the lsmod command or by looking for the appropriate entry in the /proc/modules file). The minimum requirement is a 2.6.14 kernel, however it is a bit difficult to get it working on kernels before 2.6.18. Customising the kernel and iptables is required in that case. Suggested configuration options for older kernels can be detailed in another article, if there is demand.

Formating the Rules.

If iptables is installed with string matching support, its man page can be found with the following command:

iptables -m string -help Here is the relevant section from the iptables(8) man page:

   string

         This  modules  matches  a  given string by using some
pattern matching strategy. It requires a linux kernel >= 2.6.14.

        --algo  bm|kmp

              Select the pattern matching strategy. (bm = Boyer-
Moore, kmp = Knuth-Pratt-Morris)


        --from offset

              Set the offset from which it starts looking for any
matching. If not passed, default is 0.

        --to offset

              Set the offset to which it starts looking for any
matching. If not passed, default  is  the

              packet size.

        --string pattern

              Matches the given pattern.  --hex-string pattern
Matches the given pattern in hex notation.

In iptables 1.3.5, you need to specify the algorithm to use for string matching using the --algo option. We may limit the search by specifying the offset values as well. Two algorithms can be used, Boyer-Moore and Knuth-Morris-Pratt. More information regarding these algorithms can be found at Wikipedia - for Boyer-Moore the URL is:

http://en.wikipedia.org/wiki/Boyer%E2%80%93Moore_string_search_algorithm

and for Knuth-Morris-Pratt the URL is:

http://en.wikipedia.org/wiki/Knuth%E2%80%93Morris%E2%80%93Pratt_algorithm

Boyer-Moore is efficient and fast and is preferable in most cases.

Common Applications and Useful Example Rules:

1) To prevent an intrusion attempt.

In case, a suspecious URL upload using the webserver was detected, You could frame similar rules as follows. iptables -I INPUT 1 -p tcp --dport 80 -m string --string "cmd.exe" --algo bm -j DROP The rule blocks all packets to port 80 containing the string cmd.exe. Mod_security is an option for the same, but it can be an overload to your busy webservers.

2) To defend DDOS to a service.

It is a common case where we need to drop requests to a domain when it is under DDOS. mod_dosevasive is an option, but it really overloads the webserver. String matching option can be utilized here without overloading the webserver.


iptables -I INPUT 1 -p tcp --dport 80 -m string --string "domain.com" --algo kmp -j DROP

The rule, blocks all web requests to domain.com. These rules can also be used in conjunction with other iptables matches and options depending on what is required.

3) To Defend against E-mail Spoofing.

We can make use of the string matching option in numerous cases to drop intruder and spam packets before they enter the server. Another instance for example is, if the mail server is receiving many spoofed e-mails with a common 'Subject'.If the spammer is using a unique IP address, it is very easy to block him using RBLs, conventional iptables rules etc. But when the spammer is using different IP addresses, it makes things difficult for the administrator.In such a case, the following string based rule can be added to the firewall so that the mail server will not get overloaded by the spoofed mails. iptables -I INPUT -p tcp --dport 25 -m string --string "Subject" --algo bm -j DROP

**Do it now with an optimised rule!

The same rule might be modified to one with less overhead (that is, it uses less resources) by limiting the search specifying offset values, and by assuming that the SMTP subject header will be within an offset limit of 15000 in the packet. iptables -I INPUT -p tcp --dport 25 -m string --string "Subject" --algo bm --to 15000 -j DROP

4) Other general cases.

Apart from the instances discussed above, you can make use of the string matching options, wherever you need to manage the packets entering a server or network,based on strings like URLs, file names, file contents etc.

Conclusion.

The string matching option can be effectively utilized when a network needs to be filtered using strings. We can block the packets right at the kernel level itself without overloading your server applications. However, there is a higher overhead involved for the kernel with string matching, compared to other ordinary iptables matchings. Offset limits should be specified for searching wherever possible in order to reduce this overhead.

Tuesday, September 10, 2013

Multiple IP addresses on One Interface

Interface aliasing allows one interface to have multiple IP addresses. This is useful when more than one server is to be visible via the Internet. Note that virtual hosts can support multiple Apache servers with a single IP address. Apache responds to the domain name supplied by the client in the HTTP header. In many other situations, one external IP is needed for each server using a port.

This /etc/network/interfaces text assigns three IP addresses to eth0.

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.42
    netmask 255.255.255.0
    gateway 192.168.1.1

auto eth0:0
allow-hotplug eth0:0
iface eth0:0 inet static
    address 192.168.1.43
    netmask 255.255.255.0

auto eth0:1
allow-hotplug eth0:1
iface eth0:1 inet static
    address 192.168.1.44
    netmask 255.255.255.0

An alias interface should not have "gateway" or "dns-nameservers"; dynamic IP assignment is permissible.

The above configuration is the previous traditional method that reflects the traditional use of ifconfig to configure network devices. ifconfig has introduced the concept of aliased or virtual interfaces. Those types of virtual interfaces have names of the form interface:integer and ifconfig treats them very similarly to real interfaces.

Nowadays ifupdown uses ip utility from the iproute2 package instead of ifconfig. The newer ip utility does not use the same concept of aliases or virtual interfaces. However, it supports assigning arbitrary names to the interfaces (they're called labels). ifupdown uses this feature to support aliased interfaces while using ip.

Also, ifupdown supports specifying multiple interfaces by repeating iface sections with the same interface name. The key difference from the method described above is that all such sections are treated by ifupdown as just one interface, so user can't add or remove them individually. However, up/down commands, as well as scripts, are called for every section as it used to be.

This /etc/network/interfaces text assigns three IP addresses to eth0.

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.42
    netmask 255.255.255.0
    gateway 192.168.1.1

iface eth0 inet static
    address 192.168.1.43
    netmask 255.255.255.0

iface eth0 inet static
    address 192.168.1.44
    netmask 255.255.255.0

# adding IP addresses from different subnets is also possible
iface eth0 inet static
    address 10.10.10.14
    netmask 255.255.255.0

Additional information can be found on the http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html page.

Thursday, July 25, 2013

How To Configure Wireless / WiFi Networking in Ubuntu via the Command Line (CLI)

There are a number of tutorials available on-line for sorting out WiFi in Ubuntu via the CLI, but most of them seem quite outdated, so I decided to do my own.

I did this on a minimal install of Ubuntu Lucid, so it is as up-to-date as possible. The PC I was using has no Windows Manager of Graphical Display Manager, just the good old terminal so all this is done via the CLI only. I did this using a USB WiFI dongle, but it should be the same whether you use an internal card or a USB card.

First, you need to install the relevant software. You need to have a wired connection at this point, otherwise this wont work.

sudo apt-get install wireless-tools wpasupplicant

If you are connecting to an open network, you wont need wpasupplicant. Next, you need to “bring up” (essentially this means activate) your WiFi interface. So, issue:

sudo ifconfig wlan0 up

Next, to make sure your wireless device is working as it should issue:

iwconfig

and then

sudo iwlist scan

This should show you some wireless networks as proof that the WiFi device is working, if something goes wrong here, then there is a problem with your device or driver and you need to get googling.
If you are accessing a secured network and you really should be, you need to access the correct version of your WiFi key. To get your key, issue this command:

wpa_passphrase YOURSSID YOURWIFIPASSWORD

This will result in something that looks like this:

network={

ssid="YOURSSID"

#psk="YOURWIFIPASSWORD"

psk=fe727aa8b64ac9b3f54c72432da14faed933ea511ecab1 5bbc6c52e7522f709a

}

You need to make a note of the long phrase after psk= (NOT #psk=) as this your WiFi password in hex format.
Next, you need to edit your interfaces file, so issue:

sudo nano /etc/network/interfaces

At the end of this file, you need to add your WiFi configuration. Here are the options you can add.

auto wlan0     #change this to the name of your WiFi interface
iface wlan0 inet dhcp     #this is normally fine, if you want a static IP address replace “dhcp” with “static”
netmask 255.255.255.0     #change this as appropriate for your network, this value is usually right
gateway 192.168.1.1     #change this as appropriate for your network
address 192.168.1.100     #only needed for a static IP address
dns-nameservers 192.168.1.1     #only needed for a static IP address
wpa-driver wext     #you shouldn’t need to change this
wpa-ssid YOURSSID     #just type the name of your SSID here
wpa-ap-scan 1     #if the name of your SSID is hidden usually, type 2 instead of 1
wpa-proto WPA    #if you use WPA1 type WPA, if you use WPA2 type RSN
wpa-pairwise CCMP     #if you use AES type CCMP, if you use TKIP type TKIP
wpa-group CCMP     #if you use AES type CCMP, if you use TKIP type TKIP
wpa-key-mgmt WPA-PSK     #usually WPA-PSK (if you share a key) but sometimes WPA-EAP (for enterprises)
wpa-psk YOURHEXKEYFROMABOVE     #the hex key that you generated earlier

Thus, since I am using a WiFi card that is identified as wlan0 and am connecting to a WPA1 AES encrypted network called MYPLACE that isn’t hidden without a static IP address, this is what I added:



auto wlan0

iface wlan0 inet dhcp

netmask 255.255.255.0

gateway 192.168.1.1

wpa-driver wext

wpa-ssid MYPLACE

wpa-ap-scan 1

wpa-proto WPA

wpa-pairwise CCMP

wpa-group CCMP

wpa-key-mgmt WPA-PSK

wpa-psk 71c81a844973ae7bb1243141e5caa7b6bb0e2d7eetcetcetc

Finally, comment out the top section so it looks like this:



#auto eth0

#iface eth0 inet dhcp

This stops your wired network from working. This helps to ensure there are no conflicts. Remember, if you want your wired network to work again, remove these two comments (the #).
Finally, save the file by pressing CTRL and X and then pressing Y to save to the file. Now, reboot and your network should come up. Yay!
Some people have found that this doesn’t always work, so the next thing to do is to edit the configuration file for the wpasupplicant program. Do this by issuing:

sudo nano /etc/wpa_supplicant.conf

Basically, you add pretty much the same information here as you did to the interfaces file, except without the wpa- part. So, my file looks like this:



ap_scan=1

ctrl_interface=/var/run/wpa_supplicant

network={

ssid="MYPLACE"

scan_ssid=0

psk=71c81a844973ae7bb1243141e5caa7b6bb0e2d7eetcetcetc

key_mgmt=WPA-PSK

proto=WPA

pairwise=CCMP

group=CCMP

}

As far as I am aware, the options are the same. So, edit this file as necessary, make sure you add the ctrl_interface and network={ at the beginning and the } part at the end. Save it and try restarting again. If it still doesn’t work, then kick your PC, wish you had installed Windows 7 instead and go off and do some Googling. You’ll find the answer on the Ubuntu forums and you’ll be happy again.

Best of luck!

Wednesday, July 10, 2013

Setup PPTP Server on Ubuntu 12.4 Server.

This guide has been tested with Ubuntu 12.4 Server.

Setup PPTP Server

First we need to install pptp server using apt-get

# sudo apt-get install pptpd

Then we need to configure the pptpd.

# sudo nano /etc/pptpd.conf

Add server IP and client IP at the end of the file. You can add like below:

localip 192.168.0.1
remoteip 192.168.0.100-200

This sets up the PPTP server to use IP 192.168.0.1 while distributing the IP range 192.168.0.100 to 192.168.0.200 to PPTP clients. Change these as you wish as long as they are private IP addresses and do not conflict with IP addresses already used by your server.

Configure DNS servers to use when clients connect to this PPTP server

# sudo nano /etc/ppp/pptpd-options

Uncomment the ms-dns and add google like below or OpenDNS

ms-dns 8.8.8.8
ms-dns 8.8.4.4

Now add a VPN user in /etc/ppp/chap-secrets file.

# sudo nano /etc/ppp/chap-secrets

The column is username. Second column is server name, you can put “pptpd” in there. Third column is password. The last column is the IP addresses, you can put * to allow all IP.

# client        server  secret                  IP addresses
username * myPassword *

Finally start your server

# /etc/init.d/pptpd restart

Setup IP Forwarding

To enable IPv4 forward. Change /etc/sysctl.conf file, add forward rule blew.

# sudo nano /etc/sysctl.conf

Uncomnent the line

net.ipv4.ip_forward=1

Then reload the configuration

sudo sysctl -p

Add forward rule in iptables

# sudo nano /etc/rc.local

adding to the bottom just before the exit 0

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --syn -s 192.168.0.0/24 -j TCPMSS --set-mss 1356

This example is using 192.168.0 for its PPTP subnet. The second rule adjusts the MTU size :

You are done. Just reboot your server and you should be able to connect to using PPTPD and send all your traffic through this server.