Saturday, November 6, 2010

Server Firewalls

Server firewalls are used to protect a server from attackers who try to access it for destructive purposes.

A server firewall provides a lot of functionality, including:

1. Blocking unwanted ports on the server.
2. Allowing only a limited set of IP addresses to access the server.
3. Denying a particular IP address access to the server.
4. Helping to protect the server from DDoS attacks.
5. Automatically blocking an IP address that repeatedly tries to access the server with wrong credentials.
6. Blocking an IP address temporarily.

Some of the important firewalls and related server-hardening tools are listed below:

1. CSF (Config Server Firewall)
2. APF (Advanced Policy Firewall)
3. BFD (Brute Force Detection)
4. Rkhunter
5. Chkrootkit
6. (D)DoS Deflate
7. Secure Nobody

1. CSF (Config Server Firewall)

The idea with csf, as with most iptables firewall configurations, is to block
everything and then allow through only those connections that you want. This is
done in iptables by DROPPING all connections in and out of the server on all
protocols, then allowing traffic in and out for existing connections, and then
opening incoming and outgoing ports for TCP and UDP individually.

This way we can control exactly what traffic is allowed in and out of the
server, which helps protect the server from malicious attack.

In particular it prevents unauthorised access to network daemons that we want
to restrict by IP address, and should a service suffer a compromise, it can
help prevent access to compromised network daemons, a typical example being a
hacker's sshd daemon running on a random open port. Perhaps the greatest
reason is to help mitigate the effects of a root compromise, where often the
only way to take advantage of such a failure is to open a daemon for the hacker
to access the server on. While this won't prevent root compromises, it can help
slow them down enough for you to notice and react.

Another way that a port filtering firewall can help is when a user level
compromise occurs and a hacker installs DoS tools to attack other servers. A
firewall configured to block outgoing connections except on specific ports can
help prevent those DoS attacks from working and make the attempt immediately
apparent to you from the system logs.

csf has been designed to keep this configuration simple, but still flexible
enough to give you options to suit your server environment. Firewall scripts
can often become cumbersome or complex, making it impossible to identify where
problems lie and to fix them easily.

To take advantage of kernel logging of iptables dropped connections you should
ensure that kernel logging daemon (klogd) is enabled. Typically, VPS servers
have this disabled and you should check /etc/init.d/syslog and make sure that
any klogd lines are not commented out. If you change the file, remember to
restart syslog.
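To make the block-everything-then-open-ports idea concrete, here is an added example of my own, not csf's code: a small POSIX shell script that generates the iptables commands for that policy from four port lists. It prints the commands rather than applying them, so the rule set can be reviewed before it is run as root; the chain layout, the conntrack match and the LOG rules are my choices and do not reproduce csf's real rules.

```sh
#!/bin/sh
# Added example: generate a csf-style default-deny iptables rule set.
# Port lists are comma-separated; an iptables port range is written "a:b".
# Nothing is applied here: the rules are printed for review. To apply them,
# pipe the output into "sh" as root.

# emit_port_rules CHAIN PROTO LIST - one ACCEPT rule per port for NEW connections
emit_port_rules() {
    chain=$1; proto=$2; list=$3
    [ -n "$list" ] || return 0
    printf '%s\n' "$list" | tr ',' '\n' | while read -r port; do
        [ -n "$port" ] || continue
        echo "iptables -A $chain -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# gen_default_deny_rules TCP_IN UDP_IN TCP_OUT UDP_OUT
gen_default_deny_rules() {
    tcp_in=$1; udp_in=$2; tcp_out=$3; udp_out=$4
    # 1. default policy DROP on every chain, then start from empty chains
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P OUTPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -F'
    # 2. loopback and already established/related traffic is always allowed
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # 3. open the listed ports, inbound and outbound, TCP and UDP separately
    emit_port_rules INPUT tcp "$tcp_in"
    emit_port_rules INPUT udp "$udp_in"
    emit_port_rules OUTPUT tcp "$tcp_out"
    emit_port_rules OUTPUT udp "$udp_out"
    # 4. log what falls through (rate limited) so dropped connections reach klogd/syslog
    echo 'iptables -A INPUT -m limit --limit 30/minute -j LOG --log-prefix "Firewall: *DROP* "'
    echo 'iptables -A OUTPUT -m limit --limit 30/minute -j LOG --log-prefix "Firewall: *DROP* "'
}

# Usage: sh thisfile.sh --demo   (prints a rule set for a typical web host)
if [ "${1:-}" = "--demo" ]; then
    gen_default_deny_rules "22,80,443" "53" "25,53,80,443" "53,123"
fi
```

Run it with `--demo` to see the rule set for a typical web host. When applying generated rules over SSH it is worth scheduling a reset first (for example `echo 'iptables -F; iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT' | at now + 5 minutes`), which is the same idea as the APF DEVM setting described further down: a mistake in the port lists should not lock you out.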

Installation steps:

1) Log into your server as root
2) cd /usr/local/src/
3) wget http://www.configserver.com/free/csf.tgz
4) Untar the package: tar -xzf csf.tgz
5) cd csf
6) Run the installer by typing ./install.sh

Now CSF is installed on your server.


The following commands are used to manage the csf firewall on the server:


Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules
-r, --restart       Restart firewall rules
-a, --add ip        Add an IP address to be whitelisted to /etc/csf.allow
-d, --deny ip       Add an IP address to be blocked to /etc/csf.deny
-dr, --denyrm ip    Remove and unblock an IP address in /etc/csf.deny
-c, --check         Checks for updates to csf+lfd but does not perform an upgrade
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip    Remove an IP address from the temporary IP ban list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP address to the temporary IP ban list. ttl is how
                    long to block for in seconds. Optional port. Optional
                    direction of block can be one of in, out or inout. Default
                    is in
-tf, --tempf        Flush all IP addresses from the temporary IP ban list
-u, --update        Checks for updates to csf+lfd and performs an upgrade if
                    available
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version



2. APF (Advanced Policy Firewall)

Description:
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.
The technical side of APF is such that it utilizes the latest stable features from the iptables (netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is threefold:
1) Static rule based policies (not to be confused with a “static firewall”)
2) Connection based stateful policies
3) Sanity based policies
The first, static rule based policies, is the most traditional method of firewalling. This is when the firewall has an unchanging set of instructions (rules) on how traffic should be handled in certain conditions. An example of a static rule based policy would be when you allow/deny an address access to the server with the trust system or open a new port with conf.apf. So the short of it is rules that infrequently or never change while the firewall is running.
The second, connection based stateful policies, is a means to distinguish legitimate packets for different types of connections. Only packets matching a known connection will be allowed by the firewall; others will be rejected. An example of this would be FTP data transfers: in an older era of firewalling you would have to define a complex set of static policies to allow FTP data transfers to flow without a problem. That is not so with stateful policies; the firewall can see that an address has established a connection to port 21, then "relate" that address to the data transfer portion of the connection and dynamically alter the firewall to allow the traffic.
The third, sanity based policies, is the ability of the firewall to match various traffic patterns to known attack methods or scrutinize traffic to conform to Internet standards. An example of this would be when a would-be attacker attempts to forge the source IP address of data they are sending to you, APF can simply discard this traffic or optionally log it then discard it. To the same extent another example would be when a broken router on the Internet begins to relay malformed packets to you, APF can simply discard them or in other situations reply to the router and have it stop sending you new packets (TCP Reset).

Installation Steps:

1. cd /usr/local/src
2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
3. tar -xvzf apf-current.tar.gz
4. cd apf-0.9.5-1/
5. ./install.sh

When the installer finishes, APF is installed on your server and you will see a summary like the following:

Installing APF XXXX: Completed.

Other Details:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880
Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

The configuration file for APF is conf.apf, located at /etc/apf/conf.apf. Using that file we can configure the firewall according to our requirements.

Search for ingress and open the ports that are listening (the listening ports were printed at the end of the installation).

cPanel servers: we like to use the following on our cPanel servers.

===============

# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure-FTPd
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

===============

Start the firewall with: /usr/local/sbin/apf -s

Once everything works, change the DEV option so that the firewall stops clearing itself every 5 minutes from cron. Set it back to "0" as follows:

====
vi /etc/apf/conf.apf
FIND: DEVM="1"
CHANGE TO: DEVM="0"
====
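The step above says to open the ports that are actually listening. The script below is an added example of my own (not part of APF) that checks this: it pulls the port list out of a conf.apf-style fragment, extracts the listening TCP ports from `netstat -tln` output, and prints every listening port that the ingress list does not cover, treating APF's `low_high` range syntax correctly. The config fragment and the netstat lines are constructed; sockets bound only to loopback are skipped because they are not reachable from outside.

```sh
#!/bin/sh
# Added example: compare APF ingress ports with what is actually listening.

# apf_get_value KEY - print the quoted value of KEY from conf.apf text on stdin
apf_get_value() {
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p"
}

# netstat_listen_ports - from "netstat -tln" output on stdin, print the local
# port of every LISTEN socket, one per line, sorted and de-duplicated.
# Loopback-only sockets (127.x, ::1) need no ingress rule and are skipped.
# Removing everything up to the last ':' works for 0.0.0.0:22 and :::22 alike.
netstat_listen_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 !~ /^(127\.|::1:)/ {
            sub(/.*:/, "", $4); print $4
         }' | sort -n | uniq
}

# apf_uncovered SPEC - read ports (one per line) on stdin and print those not
# allowed by SPEC, a comma-separated list of ports and low_high ranges
apf_uncovered() {
    awk -v spec="$1" '
    BEGIN { n = split(spec, items, ",") }
    /^[0-9]+$/ {
        p = $1 + 0; covered = 0
        for (i = 1; i <= n; i++) {
            if (index(items[i], "_")) {            # APF range syntax low_high
                split(items[i], r, "_")
                if (p >= r[1] + 0 && p <= r[2] + 0) covered = 1
            } else if (items[i] + 0 == p) {
                covered = 1
            }
        }
        if (!covered) print p
    }'
}

# Constructed sample data (not taken from a real server)
sample_conf() {
cat <<'EOF'
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
IG_UDP_CPORTS="53"
EOF
}

sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3100            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
EOF
}

# check_ingress - the whole check on the sample data: listening TCP ports
# that IG_TCP_CPORTS does not cover (3100 is inside 3000_3500, so it is fine)
check_ingress() {
    spec=$(sample_conf | apf_get_value IG_TCP_CPORTS)
    sample_netstat | netstat_listen_ports | apf_uncovered "$spec"
}
```

On a real server the same check is `spec=$(apf_get_value IG_TCP_CPORTS < /etc/apf/conf.apf); netstat -tln | netstat_listen_ports | apf_uncovered "$spec"`. Anything it prints is either a service that needs a port opened or, more usefully, a service you did not know was listening.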

The following commands are used to handle and manipulate the server firewall:

==========

--> To add an IP address to the allow list:

    apf -a <ip>
    This adds the IP address to /etc/apf/allow_hosts.rules

--> To add an IP address to the deny list:

    apf -d <ip>
    This adds the IP address to /etc/apf/deny_hosts.rules

--> To start APF:

    apf -s  or  /etc/init.d/apf start

--> To restart APF:

    apf -r  or  /etc/init.d/apf restart

==========

Bogon Filtering:

One of the features used by APF to prevent address spoofing is that it filters reserved IP address space, also known as BOGON filtering. This is an otherwise very reliable method to keep out random unallocated spoofed addresses from injecting traffic towards your server, assuming of course the list is updated regularly.


1) This change makes APF download the latest reserved network file daily at 4am (recommended):
edit /etc/apf/conf.apf and set the option DLIST_RESERVED="1"
restart APF with /etc/init.d/apf restart

OR

2) This change disables reserved network filtering in APF altogether (not recommended!):
edit /etc/apf/conf.apf and set the option BLK_RESNET="0"
restart APF with /etc/init.d/apf restart


3. BFD (Brute Force Detection)

Description

BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format. The regular expressions are parsed against logs using the ‘sed’ tool (stream editor) which allows for excellent performance in all environments. In addition to the benefits of parsing logs in a single stream with sed, BFD also uses a log tracking system so logs are only parsed from the point which they were last read. This greatly assists in extending the performance of BFD even further as we are not constantly reading the same log data. The log tracking system is compatible with syslog/logrotate style log rotations which allows it to detect when rotations have happened and grab log tails from both the new log file and the rotated log file.

You can leverage BFD to block attackers using any number of tools such as APF, Shorewall, raw iptables, ip route, or by executing any custom command. There is also a fully customizable e-mail alerting system with an e-mail template that is well suited for everyday use, or you can open it up and modify it. The attacker tracking in BFD is handled using simple flat text files that are size-controlled to prevent space constraints over time, ideal for diskless devices. There is also an attack pool where trending data is stored on all hosts that have been blocked, including which rule the block was triggered by.

In the execution process, there is simply a cron job that executes BFD once every 3 minutes by default. The cron job can be run more frequently for those that desire it, and doing so will not cause any performance issues (no more often than once a minute). Although cron execution does not permit BFD to act in real time, the log tracking system ensures it never misses a beat in authentication failures. Further, using cron provides a reliable framework for consistent execution of BFD in a very simplified fashion across all *nix platforms.
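As an added example of my own (not BFD's code), the script below shows the two mechanisms just described on constructed /var/log/secure lines: a sed expression that extracts the source address from sshd authentication failures, and a tracking file that stores the byte offset of the last read so that each run only parses new lines. It prints the offending addresses instead of blocking them, and the LIMIT and IGNORE parameters are stand-ins for BFD's own configuration, not its real keys.

```sh
#!/bin/sh
# Added example: BFD-style incremental scan of an auth log for failed logins.

# bfd_scan LOG TRACKFILE LIMIT [IGNORE_IPS]
#   Reads LOG from the byte offset stored in TRACKFILE (0 if absent), prints
#   every source IP with at least LIMIT "Failed password" lines in the new
#   data, skipping IPs in the comma-separated IGNORE_IPS list, then saves the
#   new offset. A log that shrank (rotated or truncated) is re-read from the
#   start; BFD itself also reads the tail of the rotated file, which this
#   simplified version does not.
bfd_scan() {
    log=$1; track=$2; limit=${3:-5}; ignore=${4:-}
    offset=0
    [ -s "$track" ] && offset=$(cat "$track")
    size=$(wc -c < "$log" | tr -d ' ')
    [ "$size" -lt "$offset" ] && offset=0
    # tail -c +N starts at byte N (1-based), i.e. right after the old offset
    tail -c +$((offset + 1)) "$log" \
      | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v limit="$limit" -v ignore=",$ignore," \
            '$1 >= limit && index(ignore, "," $2 ",") == 0 { print $2 }'
    echo "$size" > "$track"
}

# bfd_write_sample FILE - constructed /var/log/secure lines (documentation addresses)
bfd_write_sample() {
cat > "$1" <<'EOF'
Nov  6 10:12:01 host sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov  6 10:12:03 host sshd[2201]: Failed password for root from 203.0.113.5 port 51235 ssh2
Nov  6 10:12:04 host sshd[2203]: Accepted publickey for deploy from 198.51.100.7 port 40011 ssh2
Nov  6 10:12:05 host sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Nov  6 10:12:06 host sshd[2206]: Failed password for invalid user admin from 203.0.113.5 port 51237 ssh2
Nov  6 10:12:08 host sshd[2208]: Failed password for backup from 192.0.2.9 port 33001 ssh2
Nov  6 10:12:09 host sshd[2209]: Failed password for backup from 192.0.2.9 port 33002 ssh2
Nov  6 10:12:10 host sshd[2210]: Failed password for backup from 192.0.2.9 port 33003 ssh2
Nov  6 10:12:11 host sshd[2211]: Failed password for root from 198.51.100.7 port 40012 ssh2
EOF
}

# bfd_demo - run the scan twice on the sample; the second run sees no new lines
bfd_demo() {
    dir=$(mktemp -d)
    bfd_write_sample "$dir/secure"
    echo "first run:";  bfd_scan "$dir/secure" "$dir/tlog" 3 "192.0.2.9"
    echo "second run:"; bfd_scan "$dir/secure" "$dir/tlog" 3 "192.0.2.9"
    rm -rf "$dir"
}
```

With a limit of 3 and 192.0.2.9 excluded, the first run reports only 203.0.113.5 (four failures); the second run reports nothing because the tracking file already points past those lines. In a cron job the printed addresses would be fed to `apf -d` or `csf -td`, which is what BFD's own block command does.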


Installation
-----------
1. cd /usr/local/src
2. wget http://www.rfxn.com/downloads/bfd-current.tar.gz
3. tar -xvzf bfd-current.tar.gz
4. cd bfd-1.4
5. ./install.sh

Now BFD is installed on your server.


The configuration file for BFD is conf.bfd, located at /usr/local/bfd/conf.bfd. Its main settings are:

# installation path
INSTALL_PATH="/usr/local/bfd"

# rule files path
RULES_PATH="$INSTALL_PATH/rules"

# track log script path
TLOG_PATH="$INSTALL_PATH/tlog"

# syslog kernel log path
KERNEL_LOG_PATH="/var/log/messages"

# syslog auth log path
AUTH_LOG_PATH="/var/log/secure"

# bfd application log path
BFD_LOG_PATH="/var/log/bfd_log"

# log all events to syslog [0 = off; 1 = on]
OUTPUT_SYSLOG="1"

# log file path for syslog logging
OUTPUT_SYSLOG_FILE="$KERNEL_LOG_PATH"

# template of the email message body
EMAIL_TEMPLATE="$INSTALL_PATH/alert.bfd"

# contains list of files to search for addresses that are excluded from bans
IGNORE_HOST_FILES="$INSTALL_PATH/exclude.files"

4. Rkhunter

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files and suspicious strings in kernel modules, and running special tests for Linux and FreeBSD.

Rkhunter is a very useful tool that is used to check for trojans, rootkits, and other security problems.

Installation Steps

1. wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
2. tar -zxvf rkhunter-1.2.7.tar.gz
3. cd rkhunter-1.2.7
4. ./installer.sh

Now you can run a test scan with the following command:

/usr/local/bin/rkhunter -c

How to set up a daily scan report

pico /etc/cron.daily/rkhunter.sh

Add the following, replacing the email address with yours:

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com)

chmod +x /etc/cron.daily/rkhunter.sh

Updating rkhunter
This gets the latest database updates from the central server and matches your OS better to prevent false positives.

rkhunter --update

5. Chkrootkit

Chkrootkit is a powerful tool to scan your Linux server for trojans. The following steps show how to install it, scan your server and set up a daily automated scanning job that emails you the report.

Installing CHKROOTKIT

Version 0.42b

SSH as admin to your server. DO NOT use telnet, it should be disabled anyways.

--> Change to root
su -

--> Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

--> Check the MD5 SUM of the download for security:
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5

md5sum chkrootkit.tar.gz

--> Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

--> Change to the directory it created
cd chkrootkit*

--> Compile by typing
make sense

--> To use chkrootkit, just type the command
./chkrootkit

Everything it outputs should be 'not found' or 'not infected'...

Important Note: If you see 'Checking `bindshell'... INFECTED (PORTS:  465)', read on.
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports, chkrootkit will probably give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Daily Automated System Scan that emails you a report

While in SSH run the following:
pico /etc/cron.daily/chkrootkit.sh

Insert the following into the new file:
#!/bin/bash
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com

Important:
1. Replace 'yourinstallpath' with the actual path to where you unpacked Chkrootkit.
2. Change 'Servername' to the server you're running so you know where it's coming from.
3. Change 'admin@youremail.com' to your actual email address where the script will mail you.

Now save the file in SSH:
Ctrl+X then type Y

Change the file permissions so we can run it:
chmod 755 /etc/cron.daily/chkrootkit.sh

Now if you like you can run a test report manually in SSH to see how it looks.
cd /etc/cron.daily/

./chkrootkit.sh

You'll now receive a nice email with the report! This will now happen every day, so you don't have to run it manually.
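The cron script above mails the full report every day whether or not anything was found. As an added example (my own, not chkrootkit's code), the filter below keeps only INFECTED lines and drops a bindshell hit whose ports are all in a list of ports you know a tool like PortSentry holds open, which is the false positive described earlier. The report lines are constructed in chkrootkit's output format.

```sh
#!/bin/sh
# Added example: keep only the lines of a chkrootkit report that need a look.

# chkrootkit_alerts [EXPECTED_PORTS]
#   Reads chkrootkit output on stdin and prints the lines containing INFECTED.
#   A bindshell hit whose listed ports are all in the comma-separated
#   EXPECTED_PORTS (ports a tool such as PortSentry is known to hold open)
#   is treated as the known false positive and dropped.
chkrootkit_alerts() {
    awk -v known=",${1:-}," '
    /INFECTED/ {
        if ($0 ~ /bindshell/ && match($0, /PORTS: *[0-9][0-9 ,]*/)) {
            ports = substr($0, RSTART, RLENGTH)
            sub(/PORTS: */, "", ports)
            n = split(ports, p, /[ ,]+/)
            expected = 1
            for (i = 1; i <= n; i++)
                if (p[i] != "" && index(known, "," p[i] ",") == 0) expected = 0
            if (expected) next
        }
        print
    }'
}

# chkrootkit_report NAME [EXPECTED_PORTS]
#   Reads a chkrootkit report on stdin and prints a short message only when
#   something is left after filtering; prints nothing when the report is clean.
chkrootkit_report() {
    alerts=$(chkrootkit_alerts "${2:-}")
    [ -n "$alerts" ] || return 0
    printf 'chkrootkit on %s found:\n%s\n' "$1" "$alerts"
}

# chkrootkit_sample - constructed report lines (a clean run has no INFECTED lines)
chkrootkit_sample() {
cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `login'... INFECTED
Checking `lkm'... chkproc: nothing detected
EOF
}
```

In the cron script this replaces the unconditional pipe into mail: `out=$(./chkrootkit | chkrootkit_report "$(hostname)" 465)` followed by `[ -n "$out" ] && echo "$out" | mail -s "chkrootkit alert" admin@youremail.com`, so you only get mail when a line other than the expected bindshell hit says INFECTED. The daily full report can still be kept on disk for comparison.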

 Usage: ./chkrootkit [options] [testname ...]
 Options:
         -h                show this help and exit
         -V                show version information and exit
         -l                show available tests
         -d                debug
         -q                quiet mode
         -x                expert mode
         -r dir            use dir as the root directory
         -p dir1:dir2:dirN path for the external commands used by chkrootkit
         -n                skip NFS mounted dirs


6. (D)DoS Deflate


(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IP addresses with over a pre-configured number of connections are automatically blocked in the server's firewall, which can be direct iptables or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)
Notable Features

    * It is possible to whitelist IP addresses, via /usr/local/ddos/ignore.ip.list.
    * Simple configuration file: /usr/local/ddos/ddos.conf
    * IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
    * The script can run at a chosen frequency via the configuration file (default: 1 minute)
    * You can receive email alerts when IP addresses are blocked.
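Here is an added example of mine (not the (D)DoS Deflate script) that runs the counting pipeline above over constructed `netstat -ntu` output and applies the threshold and whitelist features from the list. It differs from the one-liner in two ways a practitioner should know about: header lines are skipped rather than counted, and only the final `:port` is removed, so an IPv6 peer such as 2001:db8:1::7 is counted correctly where `cut -d: -f1` would reduce it to `2001`.

```sh
#!/bin/sh
# Added example: count connections per remote address (netstat -ntu style
# input on stdin) and list the ones at or above a threshold, minus a whitelist.

# conn_counts - "COUNT ADDRESS" per remote address, lowest count first.
# Only tcp/udp lines are counted; only the trailing ":port" is stripped so that
# IPv6 addresses survive (cut -d: -f1 would turn 2001:db8:1::7 into "2001").
conn_counts() {
    awk '$1 ~ /^(tcp|udp)/ { a = $5; sub(/:[^:]*$/, "", a); print a }' \
      | sort | uniq -c | awk '{ print $1, $2 }' | sort -n
}

# ddos_offenders THRESHOLD [WHITELIST] - addresses with >= THRESHOLD connections,
# excluding the comma-separated WHITELIST (the ignore.ip.list idea)
ddos_offenders() {
    conn_counts | awk -v t="$1" -v wl=",${2:-}," '$1 >= t && index(wl, "," $2 ",") == 0'
}

# sample_netstat - constructed "netstat -ntu" output (documentation addresses)
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40003       SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.7:55000      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:55001      ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8:1::7:40100     ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8:1::7:40101     ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.9:5353       ESTABLISHED
EOF
}

# ddos_demo - threshold 2, with the admin host 198.51.100.7 whitelisted
ddos_demo() {
    sample_netstat | ddos_offenders 2 "198.51.100.7"
}
```

On a live server the call is `netstat -ntu | ddos_offenders 150 "$(paste -sd, /usr/local/ddos/ignore.ip.list)"`, and each printed address would be passed to `apf -d` or an iptables DROP rule. A threshold as low as 2 is only for the sample; real web servers routinely hold dozens of connections from one NAT gateway, which is exactly why the whitelist exists.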

Installation Steps


wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

7. Secure Nobody

Installation Steps

1) cd /usr/src

2) wget http://www.mycutelife.net/sanju/securenobody/securenobody.rpm

3) rpm -ivh securenobody.rpm

4) vi /usr/local/securenobody/checknames
Replace the existing suspicious="..." line with the one given below:
suspicious="/..|/.,|/. |/eggdrop|/mybot|/amech|/emech|/fastmech|/udp.pl|/asw.txt|/ |/chanarybot|/ary.tar|/.zk/|/.dat/|/.bot/|/psybnc|/r0nin|/elflbl|/krad|/hackea|/.adolf|/.whitepride|/.bitz|/.psy|/dc.pl|/c99|/r57|/krad3|/randhtml.cgi|/SpIcA.php|/s4.sh|/makesalt|/xh|/fuck|/plekih|/y2kupdate|/run-maker|/yac|/r00t|/brute|/trybind|/x496|/tsig|/woot-exploit|/getaddr.sh|/forcer|/doit|/wus|/tryftpd|/pre123|/bscan|/lpd1|/trylpd|/scanssh"
or append the following to the existing suspicious= value:
|/c99|/r57|/krad3|/randhtml.cgi|/SpIcA.php|/s4.sh|/makesalt|/xh|/fuck|/plekih|/y2kupdate|/run-maker|/yac|/r00t|/brute|/trybind|/x496|/tsig|/woot-exploit|/getaddr.sh|/forcer|/doit|/wus|/tryftpd|/pre123|/bscan|/lpd1|/trylpd|/scanssh


5) Run the command securenobody from the shell (as root).

I hope you have got something out of the firewall concepts above.




