212.19.51.190: Replaced content with "deleted"

2016-02-20T20:42:14Z

Replaced content with "deleted"

Matthias: Created page with "'''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''Coming soon''' This is an easy and small script to allow customized drop rules on your iptables Fi..."

2016-02-20T20:39:56Z

Created page with "'''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''Coming soon''' This is an easy and small script to allow customized drop rules on your iptables Fi..."

New page

'''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''Coming soon'''

This is an easy and small script to allow customized drop rules on your iptables Firewall to protect against intruders on your network. 
The script follows the same approach then [http://coolscript.org/index.php/Syslog_to_Firewall '''Syslog to Firewall'''] but runs on Linux together with [http://www.netfilter.org/ iptables] and [http://cipherdyne.org/psad/ psad]. 
Finally this goes into the direction of a [https://en.wikipedia.org/wiki/Intrusion_prevention_system IPS]
 
=Environment=
Psad2ipt has been tested on Linux Debian 8 (Jessie) but should run on any other recent Linux Distribution too.
=Features=
*Provides a easy [https://en.wikipedia.org/wiki/Intrusion_prevention_system IPS] based on [https://en.wikipedia.org/wiki/Open-source_software OSS] for nuts!
*It runs on it's own, no additional server software is required (such as [https://en.wikipedia.org/wiki/LAMP_%28software_bundle%29 LAMP]), only [http://perl.com/ Perl] with a few additional [http://www.cpan.org/ Modules] is needed.
*Sqlite3 is used (that's based on a flat file) to allow to cope a large activity with psad2ipt.
*Dynamic ramp up the drop time, an intruder get first blocked by default with 15, then 30, 60, 120 and so on minutes on every occurrence of an event.
*Tight ip address checking to avoid false blockings, psad2ipt does not want to get blamed.
*Optional reporting into a [http://splunk.com Splunk] server.
 

=Setup and Operation description=
Pad2ipt runs on it's own iptables chain to add or remove malicious ip addresses which has been identified by psad. 
The iptables chain must be present at runtime [abort if not] so creating the Psad2ipt chain is a essential step to do first. 
If psad2ipt get's called by psad then it takes immediatly action and blocks the ip by adding a iptables rule into it previous assigned chain. 
The rule is using the state connection module to identify incoming packages only and requires the outside interface name to specify the direction, 
this way it should be a '''save drop rule''' to avoid false blockings. We also offer a whitelist function to prevent wrong data assignment. 
However, psad2ipt will never add private ip addresses into it's chain, even if specified to do so.
 
=Installation=
Download and extract the archive to /usr/local/psad2ipt, a different path is possible by setup the configuration file.
==List of files==
*psad2ipt.pl - Script
*psad2ipt.xml - Configuration
*psad2ipt.db - Database
==Install Perl Modules==
*This will work with Debian
apt-get install libipc-run-perl
apt-get install libproc-processtable-perl
apt-get install libdbi-perl
apt-get install libdbd-sqlite3-perl
cpan Net::Syslog
=Setup=
==Setup psad2ipt==
*Edit '''psad2ipt.xml'''
{| style="border: 1px solid #FFF0C0;"
|+ '''psad2ipt.xml'''
|-----
! align="left" valign="top" bgcolor="#ffff99" style="padding:5px;"| XML Child Element
! align="left" valign="top" bgcolor="#ffff99" style="padding:5px;"| XML Attribute
! align="left" valign="top" bgcolor="#ffff99" style="padding:5px;"| Value
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
SETTINGS
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Chain
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Chain Name to be used with psad2ipt, the default is P2I
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
MaxEvents
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Maximum events with a single IP addrress, 
this is a counter which counts until the amount has been reached before blocking this ip address. 
The default is 1
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
MaxDBDays
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Maximum days of events which is keeped within the database, older records will be deleted
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
LookBehind
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Number of Days where psad2ipt looks behind to get get amount of events for the specified ip address 
This values is used when running psad2ipt with the options '''-A''' and '''-C'''
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
MaxRules
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Used for flooding prevention, it is the maximum number of rules allowed within the psad2ipt chain
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
BaseLock
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
This is the startup amount of mintes which psad2ipt will use when it's get called with the option '''-A''' 
The unit is '''Minutes''' 
The default is 15 Minutes 
The amount will dynamically increase on every event, first 15, then 30, 60, 120 and so on
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
UseSyslog
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
If set to '''1''' then psad2ipt will write into syslog to localhost using UDP 514, 
Note that this needs to be setup within the syslog daemon configuration before for doing this
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
DBFile
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Path to DB File, this is needed to be used with option '''-c'''
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
LogPath
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
If '''UseSyslog''' equals 0 then the specified path is used to wrtie the psa2ipt log files
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
WhiteListPath
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Path to be used for reading whitelist files
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
OutsideInterface
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Required: Name of outsite interface name, for exampe '''eth0''', this value has no default!
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px: 1px solid #F3F781; "|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
SplunkServer
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
IP address of the splunk server where psad2ipt is sending messages to UDP 514
|}
==Setup iptables==
To setup iptable it is essential to define the rule, example for the default rule 'P2I'
/sbin/iptables -N P2I
Note that the chain will have no affect unless it has been assigned to the INPUT or FORWARD rule of iptables. 
Assigning the chain:
/sbin/iptables -A INPUT -j P2I
/sbin/iptables -A FORWARD -j P2I
*Note that the assignment must be placed after the rule creation and before the default drop chain/rule
==Running psad2ipt==
psad2ipt can be applied with the following option:
*Check the inventory, delete expired addresses from the chain, use the configuration option to allow this command to be allowed from everywhere else then our home directory
#/psad2ipt -C -c /usr/local/psad2ipt/psad2ipt.xml
*Check the inventory, delete expired addresses from the chain
/usr/local/psad2ipt #./psad2ipt -C
*Add the sample address (1.2.3.4) to the specified chain '''(P2I)''', this is done immediately.
/usr/local/psad2ipt #./psad2ipt -A 1.2.3.4
*List the database records
/usr/local/psad2ipt #./psad2ipt -l
*Delete a single ip address from the environment
/usr/local/psad2ipt #./psad2ipt -D 1.2.3.4
*Flush the database
/usr/local/psad2ipt #./psad2ipt -F

=Examples=
*Example rule in chain P21
root@rb-mk01:/usr/local/psad2ipt# iptables -L P2I -n
Chain P2I (1 references)
target prot opt source destination
DROP all -- 11.1.2.5 0.0.0.0/0 state NEW /* Dynamic rule by P2I at 2016-02-19 19:16:02 */

Psad - Revision history

212.19.51.190: Replaced content with "deleted"

Matthias: Created page with "'''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''Coming soon''' This is an easy and small script to allow customized drop rules on your iptables Fi..."