
Building a GenII Honeynet Gateway

1. Introduction

Honeynet technologies are an excellent way to improve, and to learn about, network and system security. However, deploying them requires a high level of knowledge in these areas and carries a certain degree of responsibility.

The GenII Honeynet Gateway is the most critical element of a GenII Honeynet. In essence it is the gateway to the Honeynet, but it is also a firewall, an IPS (Intrusion Prevention System) and a network traffic/system logger.

There is a bootable CD-ROM that makes deploying a Honeynet Gateway easier, simply called the Honeywall CDROM. As its authors say: "The intent is to make Honeynets easier to deploy and customize. You simply boot the CDROM, configure it based on your environment, and you should have a Honeywall gateway ready to go." If you do not want to complicate things, just download the CDROM image from http://www.Honeynet.org/tools/cdrom/ and stop reading here. On the other hand, if you want to learn how to build a Honeywall from scratch, please read on.

This paper explains the general steps for building a Honeywall using Red Hat Linux 9.0, but most of the instructions can be applied to any other Linux distribution. It is assumed that the reader understands the basics of honeypots and the related terminology. In addition, I would recommend reading the "Know Your Enemy" series of papers from the Honeynet Project at http://www.Honeynet.org/papers.

2. Network Design

The following diagram is a sample network architecture for deploying the Honeywall.

Figure 1. Proposed GenII Honeynet

As can be seen in Figure 1, the Honeywall has three network interfaces: two in bridge mode (eth0 and eth1) and a third, eth2, with an IP stack, used for management. The main advantage of bridge mode is that it is harder for an attacker to detect. For example, since the Honeywall has no IP addresses (apart from eth2) it is not a routing hop, so it does not alter the TTL (Time To Live) values of the traffic entering or leaving the Honeynet. Nevertheless, you can still transparently control and capture all the data that passes through the Honeywall.

The management station has a single network interface with two IP addresses, one for the main network and the other to manage the Honeywall. Another way to communicate directly with the Honeywall is to use a second, dedicated network interface connected directly to the Honeywall with a crossover cable.

Note that in Figure 1 the production hosts and the honeypots are on the same network. Although this is not the most secure way to deploy a Honeynet, it can be a feasible scenario: for example, you already know the consequences of this architecture and want to study the collateral effects it produces. But if you do not want compromised honeypots and production hosts to reach each other directly, a proper configuration of the bridge firewall rules will be necessary, in fact crucial. In any case, if a more secure scenario is required, it is recommended to put the Honeynet in a separate network, as can be seen in Figure 2.

Figure 2. Alternative GenII Honeynet

For security reasons, remote logging is also recommended, either to the management host or to another host with a proper firewall configuration (logging configuration is beyond the scope of this paper). In this paper the first diagram will be used.

In the following sections we cover the most important steps for implementing the Honeywall functions, namely data control, data capture and alerting.

3. Data Control

This is perhaps one of the most critical aspects of the Honeywall. Basically, the purpose of a Honeynet is to be compromised so that we can learn from it. Fine, but keep in mind that if your Honeynet is successfully attacked it can be used to attack other systems! You must be prepared to contain that situation. How? A good solution is to deploy some kind of firewall. One of the reasons for choosing Linux is IPTables, an excellent firewall which, among other features, offers the connection rate-limiting capabilities that are so useful in Honeynet technology. A second layer of protection can be provided by an IPS such as snort_inline, used in this scenario to protect the outside world from our (potentially dangerous) Honeynet.

3.1. Firewall

As stated, we will put the Honeywall in bridge mode. For IPTables to be able to see and filter the bridged IP traffic, the kernel must include the bridge-nf code. In addition, the kernel must support the IP QUEUE option if we want to install the snort_inline IPS tool.

The bridge-nf code and ebtables can be found at http://ebtables.sourceforge.net/. Ebtables [1] is a powerful filtering tool that acts as a bridge firewall; it focuses on the link layer and, although it has many useful features, we do not really need it for the Honeywall because we have IPTables. Both ebtables and bridge-nf are natively supported by the standard 2.6 kernel. A patch is available for the stable 2.4 kernel, and once 2.6 reaches the stable stage, support for 2.4 will be dropped.

Therefore, we can choose between a 2.4 and a 2.6 kernel. In both cases we will have to compile the kernel, probably more than once. At this point I should mention, as I said before, that this document assumes the reader has experience in this area and has done tasks such as compiling a kernel. If that is not the case, I am afraid this kind of experience is one of the basics needed to continue, and I suggest that, if this is not the level you are currently at, you pause here, reconsider, and install the pre-built Honeywall CDROM from http://www.Honeynet.org/tools/cdrom/.

3.2. Kernel 2.4.x

If we want to build our Honeywall using a standard 2.4.x kernel, we must download the corresponding bridge-nf patch. At the time of writing, the latest kernel version supported was 2.4.26, and it is probably the last version that will be supported in the 2.4 tree. Download the 2.4.26 kernel source from http://www.kernel.org and then go to the ebtables site, http://ebtables.sourceforge.net/, to download the ebtables-brnf-6_vs_2.4.26.diff.gz file. Extract the kernel source and the patch under /usr/src/ and apply the patch to the kernel:

# gzip -d ebtables-brnf-6_vs_2.4.26.diff.gz
# cd /usr/src/linux-2.4.26
# patch -p1 < /home/dggomez/downs/ebtables-brnf-6_vs_2.4.26.diff

When selecting the kernel options, go to 'Networking options' and select as modules '802.1d Ethernet Bridging', 'Bridge: ebtables' and all the subsequent EBT options.

The IP QUEUE option does not appear in the kernel menu; it must be built manually as a module. Editing the kernel .config file by hand to enable IP QUEUE when it is not there by default is not recommended, although it can be done; the following is an extract of such a .config file:

[...]
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
[...]

Or, better, you can compile and install the ip_queue.o module by hand:

# cd /usr/src/linux-2.4.26/net/ipv4/netfilter
# gcc -D__KERNEL__ -I/usr/src/linux-2.4.26/include -Wall \
    -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing \
    -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 \
    -march=i686 -DMODULE -DMODVERSIONS \
    -include /usr/src/linux-2.4.26/include/linux/modversions.h \
    -nostdinc -iwithprefix include -DKBUILD_BASENAME=ip_queue -c \
    -o ip_queue.o ip_queue.c
# cp ip_queue.o /lib/modules/2.4.26/kernel/net/ipv4/netfilter
# cd /lib/modules/2.4.26/kernel/net/ipv4/netfilter
# insmod ip_queue.o

After saving the kernel options, compile it:
# make dep ; make bzImage ; make modules ; make modules_install

Tip
You can speed up kernel compilation by adding the '-j n' option to the make command, where 'n' is the number of simultaneous jobs. I recommend a value of 5 or less. Keep in mind that if you use this option, overall system performance will drop during the compilation.

After building, update your boot image and boot loader configuration and, if your kernel boots without problems, you can check that it supports ip_queue by typing:
# modprobe ip_queue
# lsmod
You should see ip_queue in the output list.

3.3. Kernel 2.6.x

If you chose a standard 2.6.x kernel you do not need to apply the bridge-nf patch, since it is supported natively. Compile the kernel with the following options:

For bridge firewall support, go to 'Device Drivers', 'Networking Support', 'Networking Support' and select '802.1d Ethernet Bridging'. Then go to 'Network Packet Filtering' and select 'Bridged IP/ARP packets filtering'.

For IP QUEUE support, go to 'Device Drivers', 'Networking Support', 'Networking Support', 'IP: Netfilter Configuration' and select 'Userspace queueing via NETLINK'.

Finally, if you want ebtables support, you can select 'Bridge: Netfilter Configuration' under 'Network Packet Filtering'.

The table below contains the common set of commands needed to recompile the kernel.

Table 1. Kernel compilation commands

Kernel 2.4.x                         Kernel 2.6.x
make mrproper                        make mrproper
make menuconfig, or make xconfig     make menuconfig, or make xconfig
make dep                             make, or make install (if you have LILO)
make clean                           make modules_install
make bzImage
make modules
make modules_install

3.4. Bridge-utils

After compiling the kernel with bridge firewall support and IP QUEUE (remember, only if you plan to install snort_inline), it is time to install the bridge-utils tools.

The bridge-utils package allows you to set up and manage bridges under Linux. First of all, check whether it is already installed. Otherwise, the latest version can be downloaded from the Linux Ethernet bridging page at http://bridge.sourceforge.net, or you can use the apt-get tool (from http://apt.freshrpms.net/) to install it. Using apt-get is much simpler, although you will probably not get the latest version of the commands (which is not necessary).

To build the bridge using interfaces eth0 and eth1 we need to issue the following commands.

We disable STP (Spanning Tree Protocol) support because we do not need it and to avoid unnecessary traffic. ARP (Address Resolution Protocol) is also disabled on the bridged interfaces because they have no IP stack, and because ARP could reveal their identity and location.

3.5. Firewall rules and bridge mode

After installing IPTables, bridge firewall support and, optionally, the ip_queue module, we need to build the bridge and configure the firewall. Basically, we have to accept all inbound connections and limit every outbound connection that crosses the bridge. However, this can be a difficult task, and it can even become dangerous if not handled carefully.

Fortunately, the Honeynet Project provides a documented script that automatically builds the bridge and creates the appropriate IPTables rules for data control. The original script can be found at http://www.Honeynet.org/tools/. A modified copy of the script can be found in the Appendix.
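The following script is an added example, not the Honeynet Project's rc.firewall and not part of the original paper. It does, in one place, the two things this section and the previous one describe: it brings up the transparent bridge (no IP, no ARP, no STP) and installs the data-control rules, using the variable names of honeywall.conf. The 10.1.1.0/24 addresses are taken from the testing section and are only an assumption here, as are the chain names and the "Drop ... over limit" log prefix; the "INBOUND TCP:" and "OUTBOUND TCP:" prefixes match the log entries shown later. It needs root, bridge-utils and an iptables with physdev and limit support on a bridge-nf kernel; set RUN=echo to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example: transparent bridge + honeywall-style data control.
# RUN=echo prints the commands instead of running them.
RUN="${RUN:-}"
BR=br0
INET_IFACE=eth0            # Internet side of the bridge
LAN_IFACE=eth1             # honeynet side of the bridge
LAN_IP_RANGE=10.1.1.0/24   # assumed, from the testing section
HPOT_IP="10.1.1.21"        # space-separated honeypot addresses (assumed)
LAN_BLOCK=yes              # keep honeypots away from production hosts
LAN_ALLOWED_IP="10.1.1.1"  # ...except these (gateway, internal DNS, ...)
QUEUE=yes                  # hand permitted outbound packets to snort_inline
SCALE=hour
TCPRATE=9; UDPRATE=20; ICMPRATE=50; OTHERRATE=10

run() { $RUN "$@"; }

# Bridge eth0 and eth1 with no IP address, no ARP and no STP, so the
# Honeywall emits nothing an attacker could use to notice it.
bridge_up() {
    run ifconfig "$INET_IFACE" 0.0.0.0 -arp promisc up
    run ifconfig "$LAN_IFACE" 0.0.0.0 -arp promisc up
    run brctl addbr "$BR"
    run brctl addif "$BR" "$INET_IFACE"
    run brctl addif "$BR" "$LAN_IFACE"
    run brctl stp "$BR" off
    run ifconfig "$BR" 0.0.0.0 -arp up
}

# One chain per protocol: log and pass (to QUEUE or ACCEPT) the first $3 new
# connections per $SCALE, log once more and drop everything beyond that.
# With QUEUE=yes snort_inline must be running in -Q mode, or the queued
# packets are dropped by the kernel.
handler() {  # $1 chain, $2 protocol label, $3 rate
    if [ "$QUEUE" = yes ]; then target=QUEUE; else target=ACCEPT; fi
    run iptables -N "$1"
    run iptables -A "$1" -m limit --limit "$3/$SCALE" --limit-burst "$3" \
        -j LOG --log-prefix "OUTBOUND $2: "
    run iptables -A "$1" -m limit --limit "$3/$SCALE" --limit-burst "$3" -j "$target"
    run iptables -A "$1" -j LOG --log-prefix "Drop $2 over limit: "
    run iptables -A "$1" -j DROP
}

firewall_up() {
    run iptables -F
    run iptables -X
    run iptables -P FORWARD DROP
    # Anything from the Internet towards the honeypots is logged and let in.
    run iptables -A FORWARD -m physdev --physdev-in "$INET_IFACE" -p tcp --syn \
        -j LOG --log-prefix "INBOUND TCP: "
    run iptables -A FORWARD -m physdev --physdev-in "$INET_IFACE" -j ACCEPT
    # LAN_BLOCK: honeypots may only talk to the listed LAN hosts; the rest of
    # the LAN is dropped silently (no log entry). This also blocks replies to
    # connections started from the LAN, so production hosts cannot reach the
    # honeypots either; that is the stricter, safer choice.
    if [ "$LAN_BLOCK" = yes ]; then
        for ip in $LAN_ALLOWED_IP; do
            run iptables -A FORWARD -m physdev --physdev-in "$LAN_IFACE" -d "$ip" -j ACCEPT
        done
        run iptables -A FORWARD -m physdev --physdev-in "$LAN_IFACE" -d "$LAN_IP_RANGE" -j DROP
    fi
    handler tcpHandler TCP "$TCPRATE"
    handler udpHandler UDP "$UDPRATE"
    handler icmpHandler ICMP "$ICMPRATE"
    handler otherHandler OTHER "$OTHERRATE"
    for hp in $HPOT_IP; do
        # Replies to inbound connections never count against the limit.
        run iptables -A FORWARD -m physdev --physdev-in "$LAN_IFACE" -s "$hp" \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
        run iptables -A FORWARD -m physdev --physdev-in "$LAN_IFACE" -s "$hp" -p tcp --syn -j tcpHandler
        run iptables -A FORWARD -m physdev --physdev-in "$LAN_IFACE" -s "$hp" -p udp -j udpHandler
        run iptables -A FORWARD -m physdev --physdev-in "$LAN_IFACE" -s "$hp" -p icmp -j icmpHandler
        run iptables -A FORWARD -m physdev --physdev-in "$LAN_IFACE" -s "$hp" -j otherHandler
    done
}

case "${1:-}" in
    start) bridge_up && firewall_up ;;
    stop)  run iptables -F; run iptables -X; run ifconfig "$BR" down; run brctl delbr "$BR" ;;
esac
```

Run it as `./honeywall-dc.sh start` (or `RUN=echo ./honeywall-dc.sh start` to review the rules first). Two separate limit matches are used for the LOG and the QUEUE/ACCEPT rule, the same approach as the Honeywall CDROM script, so each protocol's first N connections per hour are both logged and passed and everything beyond is logged once as a drop.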

3.6. Snort_inline

As you can read on its home page, http://snort-inline.sourceforge.net, snort_inline is a modified version of Snort that accepts packets from IPTables, via libipq, instead of from libpcap. In addition, it can perform packet mangling using the libnet library.

Therefore, we will have to install the libipq and libnet libraries before installing snort_inline. snort_inline gets its packets through the IPTables QUEUE target, and do not forget that this option must be supported by the kernel. See the kernel sections above on how to provide IP QUEUE support.

In the following example we make sure that we have ip_queue.o installed as a module:
# modprobe ip_queue
# lsmod | grep ip_queue
ip_queue                8044   0  (unused)

3.6.1. libipq

To install libipq, you must get the source code of the same IPTables version that is installed on your system. Download it from http://www.netfilter.org/, extract it and run 'make install-devel':
# rpm -q iptables
iptables-VERSION
# wget http://www.netfilter.org/files/iptables-VERSION.tar.bz2
[...]
# tar xvjf iptables-VERSION.tar.bz2
[...]
# cd iptables-VERSION
# make install-devel

3.6.2. libnet

At the time of this writing, the most current version of snort_inline is v2.1.3b, and it needs a libnet library version 1.0.x. The 1.0.x tree is deprecated, and the latest version is 1.0.2a. You can download it from http://www.packetfactory.net/libnet/.

# wget http://www.packetfactory.net/libnet/dist/deprecated/libnet-1.0.2a.tar.gz
[...]
# tar xvzf libnet-1.0.2a.tar.gz
[...]
# cd libnet-1.0.2a
# ./configure ; make ; make install


3.6.3. Building snort_inline

Once the ip_queue module and the required libraries are installed, you can finally configure and install snort_inline in the usual way (./configure; make; make install).

If, when running make, you get output similar to the following:
[...]
gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I/usr/include/pcre -DENABLE_RESPONSE -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -I/usr/local/include -I/sw/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c spo_alert_fast.c
In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
                 from /usr/local/include/libipq.h:37,
                 from ../../src/inline.h:8,
                 from ../../src/snort.h:38,
                 from spo_alert_fast.c:51:
/usr/include/linux/if.h:59: redefinition of `struct ifmap'
/usr/include/linux/if.h:77: redefinition of `struct ifreq'
/usr/include/linux/if.h:126: redefinition of `struct ifconf'
make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory `/home/dggomez/downs/snort_inline-2.1.3b/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/dggomez/downs/snort_inline-2.1.3b/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/dggomez/downs/snort_inline-2.1.3b'
make: *** [all-recursive-am] Error 2

then the kernel headers used by your glibc must be refreshed. Create a link from the /usr/include directory to the include directory of your kernel source. Keep the backup: this replaces the Linux headers for every build on the system, not just for snort_inline. More information can be found in the FAQ section of the snort_inline page.
# cd /usr/include
# mv linux linux.backup
# ln -s /usr/src/linux-2.4.26/include/linux linux
Then clean the snort_inline directory with 'make clean' and build again.

To start snort_inline in IPS mode, issue the following command:
# snort_inline -D -c /etc/snort_inline/snort_inline.conf -u snort -Q \
    -N -l /var/log/snort_inline/YYYYMMDD -t /var/log/snort_inline/YYYYMMDD

Parameter explanations:

-D Run in daemon mode
-c Load configuration file
-u Run as UID user
-Q Read packets from QUEUE
-N Turn off logging (does not affect alerts)
-l Log to directory
-t Chroot process to directory after initialization

If your system does not have a snort user, add one by issuing 'adduser -r -s /sbin/nologin snort'. Replace the "YYYYMMDD" string with the actual date. Run with the '-T' (test configuration) option first to check that snort_inline works properly. Note that it is not necessary to use the '-i' (interface) parameter here, since snort_inline does not sniff an interface: it only receives the packets that the IPTables rules send to the QUEUE target.

You can find an automatic start-up script for snort_inline in the Appendix.

3.7. Snort (IDS mode)

The versatile Snort tool will be used here in a mode intended to detect known attacks. It can be downloaded from http://www.snort.org. This program is very easy to install and well documented. You can download pre-compiled binaries or the source files. If you choose the latter, just run './configure; make; make install' to install it.

To run Snort in IDS mode, see the following command. Note that the network interface used is the one on the Honeynet side (see Figure 1).
# snort -D -c /etc/snort/snort.conf -i eth1 -u snort \
    -N -l /var/log/snort/YYYYMMDD -t /var/log/snort/YYYYMMDD

Parameter explanations:

-D Run in daemon mode
-c Load configuration file
-i Input network interface
-u Run as UID user
-N Turn off logging (does not affect alerts)
-l Log to directory
-t Chroot process to directory after initialization

If your system does not have a snort user, add one by issuing 'adduser -r -s /sbin/nologin snort'. Replace the "YYYYMMDD" string above with the actual date. You can run Snort with the '-T' (test configuration) option first to check that it works properly.

There is an automatic start-up script for Snort in IDS mode in the Appendix.

4. Data Capture

The next step in building the Honeynet is to install some tool for capturing activity, such as tcpdump (network traffic) or Sebek (system activity), to record the details of the conversations between the Honeynet and the attackers. In this document Snort will be used in packet logging mode to record the network traffic to tcpdump binary files.

4.1. Snort (packet logging mode)

If you installed Snort earlier you do not need to install it again. If you did not install Snort for use as a NIDS, read the instructions above on how to install it.

To run Snort in logging mode, issue the following. Note that the network interface used is the one on the Honeynet side (see the diagram at the beginning).
# snort -D -i eth1 -u snort -l /var/log/snort/YYYYMMDD \
    -L tcpdump.YYYYMMDD -t /var/log/snort/YYYYMMDD

Parameter explanations:

-D Run in daemon mode
-i Input network interface
-u Run as UID user
-l Log to directory
-L Log to a tcpdump file
-t Chroot process to directory after initialization

If your system does not have a snort user, add one by issuing 'adduser -r -s /sbin/nologin snort'. Replace the "YYYYMMDD" string with the actual date. You can run Snort with the '-T' (test configuration) option first to check that it works properly.

You can find an automatic start-up script for Snort in logging mode in the Appendix.
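The launcher below is an added example, not one of the paper's appendix scripts, covering the three Snort roles from sections 3.6.3, 3.7 and 4.1 in one place. It creates the snort user if it is missing, creates the dated directory that is both log directory and chroot (it must be writable by the snort user after privileges are dropped), refuses to start snort_inline unless ip_queue is loaded (with QUEUE rules in place and nothing attached to the queue, every outbound packet from the honeypots is dropped), and builds exactly the command lines given in the text. Paths and the eth1 interface are those of the text; the snort_launcher name, the role names and the DATE override are assumptions.

```shell
#!/bin/sh
# Added example: start snort_inline (ips), Snort IDS (ids) or Snort packet
# logger (log) the way the text describes. Usage: snort_launcher ips|ids|log|all
SNORT_USER=snort
HONEYNET_IFACE=eth1
DATE="${DATE:-$(date +%Y%m%d)}"   # YYYYMMDD; overridable for testing

ensure_user() {
    id "$SNORT_USER" >/dev/null 2>&1 && return 0
    useradd -r -s /sbin/nologin "$SNORT_USER"
}

# The daemon drops to $SNORT_USER and chroots into its log directory, so the
# directory must exist and be writable by that user before start-up.
prepare_logdir() {
    mkdir -p "$1" && chown "$SNORT_USER" "$1" && chmod 750 "$1"
}

# Print the command line for a role: ips (snort_inline), ids or log.
build_cmd() {
    case "$1" in
        ips) d=/var/log/snort_inline/$DATE
             echo "snort_inline -D -c /etc/snort_inline/snort_inline.conf -u $SNORT_USER -Q -N -l $d -t $d" ;;
        ids) d=/var/log/snort/$DATE
             echo "snort -D -c /etc/snort/snort.conf -i $HONEYNET_IFACE -u $SNORT_USER -N -l $d -t $d" ;;
        log) d=/var/log/snort/$DATE
             echo "snort -D -i $HONEYNET_IFACE -u $SNORT_USER -l $d -L tcpdump.$DATE -t $d" ;;
        *)   echo "usage: $0 ips|ids|log|all" >&2; return 1 ;;
    esac
}

# The chroot/log directory is the argument of -t.
logdir_for() { build_cmd "$1" | sed 's/.* -t //'; }

start_role() {
    if [ "$1" = ips ] && ! lsmod | grep -q '^ip_queue'; then
        echo "ip_queue is not loaded; run 'modprobe ip_queue' first" >&2
        return 1
    fi
    ensure_user && prepare_logdir "$(logdir_for "$1")" && eval "$(build_cmd "$1")"
}

case "${1:-}" in
    ips|ids|log) start_role "$1" ;;
    all) for role in ips ids log; do start_role "$role" || exit 1; done ;;
esac
```

Start the IPS before the firewall script enables QUEUE, or run `modprobe ip_queue` and `snort_launcher ips` together from rc.local; the ordering is what keeps the honeypots from losing all outbound connectivity during boot.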

5. Alerting

Alerting functions are extremely useful and help in managing the Honeynet, since they can notify the administrator when events of interest occur: for example, an outbound connection started from the Honeynet (which can reveal a possible compromise), or a high frequency of specific attacks (perhaps of interest to the administrator), etc.

Alerting functions are performed by monitoring programs that look for changes in certain system elements, or in network traffic. In our case we use Swatch (Simple Watcher), as discussed in the next section.

5.1. Swatch

This Perl-based tool looks for events in log files. When an event matches, it can send an e-mail alert to the administrator with the content of the matched event. You can download Swatch from http://swatch.sourceforge.net/. Swatch is installed just like a CPAN module. You can get more information by issuing the man command:
# man ExtUtils::MakeMaker

Alternatively, you can use the perldoc command if man cannot find the document. Installing Swatch is easy; simply run the following commands:
# perl Makefile.PL
# make
# make test
# make install
# make realclean

If you get output like the one below:

Warning: prerequisite Date::Calc 0 not found at (eval 1) line 219.
Warning: prerequisite Date::Parse 0 not found at (eval 1) line 219.
Warning: prerequisite File::Tail 0 not found at (eval 1) line 219.
Warning: prerequisite Time::HiRes 1.12 not found at (eval 1) line 219.

then you must install the missing CPAN modules before you can use Swatch. Many operating systems already provide Perl RPMs, so you should check those first. Alternatively, you can find these modules at the links below.

To install each Perl module, use the same set of commands that was used above to install Swatch.

Note
Another option for installing Perl modules is to issue the 'perl -MCPAN -e shell' command and get an interactive installation shell. The shell is very simple and does everything for you. However, as with any installer, manual intervention may be needed to install the latest required package. Once in the shell, run the 'install' command followed by the module name (Date::Calc, Date::Parse, File::Tail, Time::HiRes) as below:
# perl -MCPAN -e shell
cpan shell -- CPAN exploration and modules installation (v1.61)
ReadLine support available (try 'install Bundle::CPAN')
cpan> install Date::Calc
[...]

Once Swatch is installed, the next step is to create a configuration file for generating alerts. The most obvious alerts are those for when the Honeynet initiates outbound connections, or when the connection limits are reached.

You can find a script and a sample configuration file for running Swatch in the Appendix.
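As an added example (not the paper's appendix script), the following generates a Swatch configuration for the outbound-connection alerts this section describes, one watchfor block per protocol logged by the bridge firewall, and starts Swatch on the log files. ALERT_EMAIL and WATCH_FILES follow honeywall.conf; the subject line reproduces the one in the alert mail shown in the testing section, while the throttle intervals, the /etc/swatchrc path and the quoting of the subject are assumptions of this script.

```shell
#!/bin/sh
# Added example: Swatch configuration and start-up for OUTBOUND alerts.
# Usage: swatch_alerts show|start
ALERT_EMAIL="${ALERT_EMAIL:-admin@example.org}"
WATCH_FILES="${WATCH_FILES:-/var/log/messages}"
SWATCHRC="${SWATCHRC:-/etc/swatchrc}"

# One watchfor block per protocol logged by rc.firewall. 'throttle' collapses
# repeats of the same line for the given hh:mm:ss, so a honeypot scanning the
# Internet does not turn into thousands of mails; the first hit is still sent
# immediately.
swatch_config() {
    for proto in TCP UDP ICMP OTHER; do
        cat <<EOF
watchfor /OUTBOUND $proto:/
    mail addresses=$ALERT_EMAIL,subject="------ ALERT! OUTBOUND $proto --------"
    throttle 00:05:00

EOF
    done
}

# Swatch tails one file per instance, so start one per watched file.
start_swatch() {
    swatch_config > "$SWATCHRC" || return 1
    for f in $WATCH_FILES; do
        swatch --config-file "$SWATCHRC" --tail-file "$f" --daemon || return 1
    done
}

case "${1:-}" in
    show)  swatch_config ;;
    start) start_swatch ;;
esac
```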

6. Testing

Once the tools required for the data control, data capture and alerting functions are installed, it is a good idea to test them to make sure they work properly. The diagram at the beginning of the document is used for the tests, and it is assumed that the scripts used are those found in the appendices.

6.1. Data control

Let's see whether the IPTables logging mechanisms work correctly. We used the bridge-firewall script and tried to open a connection from a production host to a honeypot. If you try to open a telnet connection from IP 10.1.1.11 to the honeypot with IP 10.1.1.21, you should see something like this in the /var/log/messages file:

Jul 22 18:47:35 hpot kernel: INBOUND TCP: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=10.1.1.11 DST=10.1.1.21 LEN=52 TOS=0x00 PREC=0x00 TTL=96 ID=57225 DF PROTO=TCP SPT=1351 DPT=23 WINDOW=3768 RES=0x00 SYN URGP=0

Then we enabled the 'LAN_BLOCK' option and repeated the telnet connection, this time from the honeypot to a host on the LAN. As expected, we found no entry in the log, because the packets were silently dropped.

Now let's check whether IPTables limits outbound connections from the honeypot. For example, we make several HTTP connections to the outside world and read the results in /var/log/messages [2]:

Jul 22 18:47:46 hpot kernel: OUTBOUND TCP: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=10.1.1.11 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=96 ID=57332 DF PROTO=TCP SPT=1032 DPT=80 WINDOW=3768 RES=0x00 SYN URGP=0

This is what we expected. To be completely sure, you can also check the UDP and ICMP protocols.

To test the IPS we can use the rules listed in the test.rules file. Include this rules file in the configuration file and start the IPS. We did that and tried to open an external telnet connection. Then we opened an HTTP connection and finally sent some pings. The snort_inline alert file recorded the following [3]:

07/22-18:48:13.349121 [**] [1:0:0] Dropping Telnet connection [**] [Priority: 0] {TCP} 10.1.1.21:1067 -> 192.168.0.1:23

07/22-18:48:16.527301 [**] [1:0:0] Dropping Telnet connection [**] [Priority: 0] {TCP} 10.1.1.21:1067 -> 192.168.0.1:23

07/22-18:48:23.189037 [**] [1:0:0] Dropping Telnet connection [**] [Priority: 0] {TCP} 10.1.1.21:1067 -> 192.168.0.1:23

07/22-18:48:49.416280 [**] [1:0:0] Modifying HTTP GET command [**] [Priority: 0] {TCP} 10.1.1.21:1070 -> 216.239.59.104:80

07/22-18:48:54.476601 [**] [1:0:0] Dropping ICMP packet [**] [Priority: 0] {ICMP} 10.1.1.21 -> 192.168.0.1

07/22-18:48:55.636633 [**] [1:0:0] Dropping ICMP packet [**] [Priority: 0] {ICMP} 10.1.1.21 -> 192.168.0.1

07/22-18:48:57.084787 [**] [1:0:0] Dropping ICMP packet [**] [Priority: 0] {ICMP} 10.1.1.21 -> 192.168.0.1

07/22-18:48:58.603217 [**] [1:0:0] Dropping ICMP packet [**] [Priority: 0] {ICMP} 10.1.1.21 -> 192.168.0.1


The IPS works as expected. Similar tests can be done to check Snort in IDS mode. Run them and read the results in the /var/log/snort/YYYYMMDD directory.
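The test.rules file itself is not reproduced in the paper. The script below is an added example, not the paper's own file: it writes snort_inline rules that produce the three alert types shown above, and adds a small summariser for the fast-alert file so the result of a test run can be read at a glance. It assumes that snort_inline.conf defines a $HONEYNET variable (for instance "var HONEYNET 10.1.1.0/24") and that the rules file is included from there; the sample alert lines embedded in the script are constructed in the format shown above, not captured.

```shell
#!/bin/sh
# Added example: snort_inline test rules and a summariser for its alert file.

# 'drop' discards the packet and alerts; 'alert' with 'replace' rewrites the
# payload in place (the replacement must be the same length as the content)
# and lets the packet through, which is what turns GET into BET in the HTTP
# test. No sid/classtype, so alerts carry [1:0:0] and Priority 0 as above.
write_test_rules() {  # $1 path of the rules file to create
    cat > "$1" <<'EOF'
drop tcp $HONEYNET any -> !$HONEYNET 23 (msg:"Dropping Telnet connection";)
alert tcp $HONEYNET any -> !$HONEYNET 80 (msg:"Modifying HTTP GET command"; content:"GET"; replace:"BET";)
drop icmp $HONEYNET any -> !$HONEYNET any (msg:"Dropping ICMP packet";)
EOF
}

# Number of fast-alert lines carrying a given rule message (0 if none).
count_alerts() {  # $1 alert file, $2 message
    grep -c -F "] $2 [**]" "$1" || true
}

# Alerts per message and destination, most frequent first: a quick view of
# which honeypot activity the IPS is actually stopping.
summarize_alerts() {  # $1 alert file
    sed -n 's/.*\[\*\*] \[[0-9:]*] \(.*\) \[\*\*].*} [^ ]* -> \([^ ]*\).*/\1 -> \2/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Constructed sample in the fast-alert format shown in the text.
sample_alerts() {
    cat <<'EOF'
07/22-18:48:13.349121 [**] [1:0:0] Dropping Telnet connection [**] [Priority: 0] {TCP} 10.1.1.21:1067 -> 192.168.0.1:23
07/22-18:48:16.527301 [**] [1:0:0] Dropping Telnet connection [**] [Priority: 0] {TCP} 10.1.1.21:1067 -> 192.168.0.1:23
07/22-18:48:49.416280 [**] [1:0:0] Modifying HTTP GET command [**] [Priority: 0] {TCP} 10.1.1.21:1070 -> 216.239.59.104:80
07/22-18:48:54.476601 [**] [1:0:0] Dropping ICMP packet [**] [Priority: 0] {ICMP} 10.1.1.21 -> 192.168.0.1
07/22-18:48:55.636633 [**] [1:0:0] Dropping ICMP packet [**] [Priority: 0] {ICMP} 10.1.1.21 -> 192.168.0.1
EOF
}

case "${1:-}" in
    rules)   write_test_rules "${2:-/etc/snort_inline/test.rules}" ;;
    summary) summarize_alerts "${2:-/var/log/snort_inline/alert}" ;;
esac
```

After `./ips_test.sh rules` and a restart of snort_inline, `./ips_test.sh summary` over the alert file of a test run prints one line per rule and destination with its hit count; the repeated telnet entries above are the client's SYN retransmissions, each dropped and each alerted separately.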

6.2. Data capture

If Snort was running in logging mode during the tests above, you should be able to find binary log files in the /var/log/snort/YYYYMMDD directory containing the network traffic generated during the tests. They can be read with tcpdump or Snort.

6.3. Alerting

Swatch is configured by default to alert only on the outbound connections logged by IPTables, but it can be configured to generate alerts for different events. For example, it can also watch Snort and snort_inline.

During the previous tests we opened connections from the Honeynet. If Swatch was running, you should also have received several alert e-mails describing the events. Here is an example:

Date: Thu, 22 Jul 2004 18:48:14 +0200
From: swatcher <swatcher@origin-domain.com>
To: admin@example.org
Subject: ------ ALERT! OUTBOUND TCP --------

Jul 22 18:48:13 hpot kernel: OUTBOUND TCP: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=10.1.1.21 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=7327 DF PROTO=TCP SPT=1067 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0

If all tests were successful, we can configure the scripts to run at boot time. One way to do this is to copy the scripts to the /etc/init.d directory and add the start commands to the /etc/rc.d/rc.local file.

7. Conclusion

The Honeywall is a key element of the Honeynet architecture. In this paper we only cover the most common steps needed to install one of these devices, with minimal security requirements. Needless to say, there are many things that can be done to improve its security. However, the intent is to give the reader a base configuration and a starting point for experimenting, learning in this field and going further.

Fortunately, Honeynet technology has many possibilities and can be set up in many different ways. If this document has solved at least some of the most common problems encountered when building a Honeywall, I invite you to share your experiences.

A. Honeywall scripts

This section contains the scripts needed to set up and manage the tools mentioned in this paper. The bridge-firewall script and the main configuration file were taken from the Honeynet Project's Honeywall CDROM (with some minor modifications) for simplicity and to preserve compatibility. The other scripts for this article were developed by the Spanish Honeynet Project.

1. honeywall.conf - Honeywall Configuration File

#####################################################################
#
# Spanish Honeynet Project <project@honeynet.org.es>
# August, 2004
#
# This file is an improved version of honeywall.conf config file
# included in the Honeywall CDROM from
# http://www.honeynet.org/tools/cdrom by The Honeynet Project.
# It has two new options: LAN_BLOCK and LAN_ALLOWED_IP.
#
#####################################################################

# Specify whether or not the Honeywall will operate as either a bridge or NAT
# [Valid modes: bridge | nat]
MODE=bridge

# This Honeywall's public IP address(es)
# [Valid argument: IP address | space delimited IP addresses]
PUBLIC_IP=192.168.1.10

# DNS servers honeypots are allowed to communicate with
# [Valid argument: IP address | space delimited IP addresses]
DNS_SVRS=

# To restrict DNS access to a specific honeypot or group of honeypots, list
# them here, otherwise leave this variable blank
# [Valid argument: IP address | space delimited IP addresses | blank]
DNS_HOST=

# The name of the externally facing network interface
# [Valid argument: eth* | br* | ppp*]
INET_IFACE=eth0

# The name of the internally facing network interface
# [Valid argument: eth* | br* | ppp*]
LAN_IFACE=eth1

# The internal IP network connected to the internally facing interface
# [Valid argument: IP network in CIDR notation]
LAN_IP_RANGE=192.168.1.0/24

# The IP broadcast address for internal network
# [Valid argument: IP broadcast address]
LAN_BCAST_ADDRESS=192.168.1.255

# Enable traffic blocking from the honeypots to the LAN, to protect
# the LAN hosts against any attack from the honeypots
# [Valid argument: yes | no]
LAN_BLOCK=no

# The list of the LAN IP addresses that can be accessed from the honeypots,
# such as the gateway, internal DNS servers, ... This variable is used
# only if LAN_BLOCK is enabled
# [Valid argument: space delimited IP addresses]
LAN_ALLOWED_IP=192.168.1.1

# Enable QUEUE support to integrate with Snort-Inline filtering
# [Valid argument: yes | no]
QUEUE=yes

# The unit of measure for setting outbound connection limits
# [Valid argument: second, minute, hour, day, week, month, year]
SCALE=hour

# The number of TCP connections per unit of measure (SCALE)
# [Valid argument: integer]
TCPRATE=9

# The number of UDP connections per unit of measure (SCALE)
# [Valid argument: integer]
UDPRATE=20

# The number of ICMP connections per unit of measure (SCALE)
# [Valid argument: integer]
ICMPRATE=50

# The number of other IP connections per unit of measure (SCALE)
# [Valid argument: integer]
OTHERRATE=10

# Enable the SEBEK collector which delivers keystrokes and files
# to a remote system even if an attacker replaces daemons such as sshd
# [Valid argument: yes | no]
SEBEK=no

# Specify whether to drop SEBEK packets or allow them to be sent
# outside of the Honeynet.
# [Valid argument: ACCEPT | DROP]
SEBEK_FATE=DROP

# Specify the SEBEK destination host IP address
# [Valid argument: IP address]
SEBEK_DST_IP=10.0.0.1

# Specify the SEBEK destination port
# [Valid argument: port]
SEBEK_DST_PORT=1101

# Enable SEBEK logging in the Honeywall firewall logs
# [Valid argument: yes | no]
SEBEK_LOG=no

# Specify the IP netmask for interface aliases. One alias will be created
# on the external interface for each Honeypot
# [Valid argument: IP netmask]
ALIAS_MASK=255.255.255.0

# Space delimited list of Honeypot ips
# NOTE: MUST HAVE SAME NUMBER OF IPS AS PUBLIC_IP VARIABLE.
# [Valid argument: IP address]
HPOT_IP=10.10.10.3

# Specify the IP address of the honeywall's internal ip address. This is
# used in nat mode.
# [Valid argument: IP address]
PRIV_IP=10.0.0.1

# Specify the network interface for remote management. If set to br0, it will
# assign MANAGE_IP to the logical bridge interface and allow its use as a
# management interface. Set to none to disable the management interface.
# [Valid argument: eth* | br* | ppp* | none]
MANAGE_IFACE=eth2

# IP of management Interface
# [Valid argument: IP address]
MANAGE_IP=192.168.1.13

# Netmask of management Interface
# [Valid argument: IP netmask]
MANAGE_NETMASK=255.255.255.0

# Default Gateway of management Interface
# [Valid argument: IP address]
MANAGE_GATEWAY=192.168.1.1

# DNS Servers of management Interface
# [Valid argument: space delimited IP addresses]
MANAGE_DNS=

# TCP ports allowed into the management interface. If SSH is used this list
# must include the port SSHD is listening on.
# [Valid argument: space delimited list of TCP 
 ports]
ALLOWED_TCP_IN=22

# Specify the IP address(es) and/or networks that are allowed to connect
# to the management interface. Specify any to allow unrestricted access.
# [Valid argument: IP address(es) | IP network(s) in CIDR notation | any]
MANAGER=any

# Specify whether or not the Honeywall will restrict outbound network
# connections to specific destination ports. When bridge mode is utilized,
# a management interface is required to restrict outbound network connections.
# [Valid argument: yes | no]
RESTRICT=yes

# Specify the TCP destination ports Honeypots can send network traffic to.
# [Valid argument: space delimited list of TCP ports]
ALLOWED_TCP_OUT="22 25 43 80 443"

# Specify the UDP destination ports Honeypots can send network traffic to.
# [Valid argument: space delimited list of UDP ports]
ALLOWED_UDP_OUT="53 123"

# List of files that Swatch should monitor
# [Valid argument: space delimited list of files with full path name]
WATCH_FILES="/var/log/messages"

# Specify email address to use for email alerting.
# [Valid argument: any email address]
ALERT_EMAIL=

2. rc.firewall - Bridge-Firewall Script File

#!/bin/bash
#
# Copyright 2003 Honeynet Project <project@honeynet.org>
# License BSD http://www.opensource.org/licenses/bsd-license.php
#
# This is an improved version of the rc.firewall script v0.8
# found in Honeywall CDROM from http://www.honeynet.org/tools/cdrom
# that supports the new LAN_BLOCK option. On the other hand, the
# handlers' section has been simplified.
#
# Spanish Honeynet Project <project@honeynet.org.es>
# August, 2004
#
# Note: the script uses bash arrays and "let", so it needs bash rather than
# a plain POSIX sh.

PATH="/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin"

. /etc/default/honeywall.conf

start () {
    lsmod | grep ipchain
    IPCHAINS=$?
    if [ "$IPCHAINS" = 0 ]; then
        echo ""
        echo "Dooh, IPChains is currently running! IPTables is required by"
        echo "the rc.firewall script. IPChains will be unloaded to allow"
        echo "IPTables to run. It is recommended that you permanently"
        echo "disable IPChains in the /etc/rc.d startup scripts and enable"
        echo "IPTables instead."
        ipchains -F
        rmmod ipchains
    fi

    #########
    # Flush rules
    #
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    iptables -X

    echo ""

    ##########
    # Let's setup the firewall according to the Mode selected: bridge or nat
    #
    if [ "${MODE}" = "nat" ]; then
        echo "Starting up Routing mode and enabling Network Address Translation."
        # Let's bring up our internal interface
        ifconfig ${LAN_IFACE} ${PRIV_IP} netmask ${LAN_BCAST_ADDRESS} up
        i=0
        z=1
        tempPub=( ${PUBLIC_IP} )
        for host in ${HPOT_IP}; do
            if [ ${i} = "0" ]; then
                # This is the first honeypot. Let's attach it to our nic
                ifconfig ${INET_IFACE} ${tempPub[$i]} netmask ${ALIAS_MASK} up
            else
                # Bring up eth aliases
                ifconfig ${INET_IFACE}:${z} ${tempPub[$i]} netmask ${ALIAS_MASK} up
                let "z += 1"
            fi
            # Ensure proper NATing is performed for all honeypots
            iptables -t nat -A POSTROUTING -o ${INET_IFACE} -s ${host} \
                -j SNAT --to-source ${tempPub[$i]}
            iptables -t nat -A PREROUTING -i ${INET_IFACE} -d ${tempPub[$i]} \
                -j DNAT --to-destination ${host}
            let "i += 1"
        done
    fi

    # Let's figure out dns
    if [ -z "${DNS_HOST}" ]; then
        if [ "${MODE}" = "bridge" ]; then
            DNS_HOST="${PUBLIC_IP}"
        else
            DNS_HOST="${HPOT_IP}"
        fi
    fi

    #########
    # Load all required IPTables modules
    #

    ### Needed to initially load modules
    #/sbin/depmod -a

    ### Add iptables target LOG.
    modprobe ipt_LOG

    ### Add iptables QUEUE support (Experimental)
    if [ "${QUEUE}" = "yes" ]; then
        # Insert kernel mod
        modprobe ip_queue
        # check to see if it worked, if not exit with error
        lsmod | grep ip_queue &>/dev/null
        IPQUEUE=$?
        if [ "$IPQUEUE" = 1 ]; then
            echo ""
            echo "It appears you do not have the ip_queue kernel module compiled"
            echo "for your kernel. This module is required for Snort-Inline and"
            echo "QUEUE capabilities. You either have to disable QUEUE, or compile"
            echo "the ip_queue kernel module for your kernel. This module is part"
            echo "of the kernel source."
            exit 1
        fi
        echo "Enabling Snort-Inline capabilities, make sure Snort-Inline is"
        echo "running in -Q mode, or all outbound traffic will be blocked"
    fi

    ### Support for connection tracking of FTP and IRC.
    modprobe ip_conntrack_ftp
    modprobe ip_conntrack_irc

    ### Enable ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_forward

    ### Create protocol handling chains
    iptables -N tcpHandler
    iptables -N udpHandler
    iptables -N icmpHandler
    iptables -N otherHandler

    # Forward Chain:
    # Some of these rules may look redundant, but they allow us to catch
    # 'other' protocols.
    # Internet -> honeypot -
    # This logs all inbound new connections and we must
    # specifically allow all inbound traffic because
    # the default policy for forwarding traffic
    # will be drop. This will ensure if something
    # goes wrong with outbound connections, we
    # default to drop.
    #
    # Also, in case we have something listening to the QUEUE, we
    # will send all packets via the QUEUE.

    # Since this is a bridge, we want to allow broadcast. By default, we allow all
    # inbound traffic (including broadcast). We also want to allow outbound
    # broadcast (such as NetBIOS) but we do not want to count it as an outbound
    # session. So we allow it here *before* we begin counting outbound connections
    #iptables -A FORWARD -i ${LAN_IFACE} -d ${LAN_BCAST_ADDRESS} -j LOG \
    #    --log-prefix "Legal Broadcast: "
    iptables -A FORWARD -d ${LAN_BCAST_ADDRESS} -j ACCEPT
    #iptables -A FORWARD -i ${LAN_IFACE} -d 255.255.255.255 -j LOG \
    #    --log-prefix "Legal Broadcast: "
    iptables -A FORWARD -d 255.255.255.255 -j ACCEPT

    ### Inbound TCP
    iptables -A FORWARD -i ${INET_IFACE} -p tcp -m state --state NEW -j LOG \
        --log-prefix "INBOUND TCP: "
    iptables -A FORWARD -i ${INET_IFACE} -p tcp -m state --state NEW -j ACCEPT

    ### Inbound UDP
    iptables -A FORWARD -i ${INET_IFACE} -p udp -m state --state NEW -j LOG \
        --log-prefix "INBOUND UDP: "
    iptables -A FORWARD -i ${INET_IFACE} -p udp -m state --state NEW -j ACCEPT

    ### Inbound ICMP
    iptables -A FORWARD -i ${INET_IFACE} -p icmp -m state --state NEW -j LOG \
        --log-prefix "INBOUND ICMP: "
    iptables -A FORWARD -i ${INET_IFACE} -p icmp -m state --state NEW -j ACCEPT

    ### Inbound anything else
    iptables -A FORWARD -i ${INET_IFACE} -m state --state NEW -j LOG \
        --log-prefix "INBOUND OTHER: "
    iptables -A FORWARD -i ${INET_IFACE} -m state --state NEW -j ACCEPT

    # The remainder of established connections will be ACCEPTED. The rules above
    # are required in order to log new inbound connections.
    iptables -A FORWARD -i ${INET_IFACE} -j ACCEPT

    # Okay, this is where the magic all happens. All outbound traffic is counted,
    # logged, and limited here. Targets (called Handlers) are what actually limit
    # the connections. All 'Handlers' are defined at the bottom of the script.

    # Egress filtering, don't want to let our compromised honeypot send spoofed
    # packets. Stops most outbound DoS attacks. However, we might want to allow
    # our honeypots to use dhcp to get an ip while in bridge mode.
    if [ "${MODE}" = "bridge" ]; then
        iptables -A FORWARD -i ${LAN_IFACE} -p udp --sport 68 \
            -d 255.255.255.255 --dport 67 -j LOG \
            --log-prefix "DHCP OUT REQUEST: "
        iptables -A FORWARD -i ${LAN_IFACE} -p udp --sport 68 \
            -d 255.255.255.255 --dport 67 -j ACCEPT
    fi

    # This rule is for use with sebek. If sebek is used, and we don't want
    # the logs filled by SPOOFED SOURCE entries because sebek uses spoofed
    # IPs, we should drop all traffic in the sebek ip range.
    if [ "${SEBEK}" = "yes" ]; then
        if [ "${SEBEK_LOG}" = "yes" ]; then
            iptables -A FORWARD -i ${LAN_IFACE} -p udp -d ${SEBEK_DST_IP} \
                --dport ${SEBEK_DST_PORT} -j LOG --log-prefix "SEBEK"
        fi
        iptables -A FORWARD -i ${LAN_IFACE} -p udp -d ${SEBEK_DST_IP} \
            --dport ${SEBEK_DST_PORT} -j ${SEBEK_FATE}
    fi

    ### DNS / NTP Perhaps one of your honeypots needs consistent
    ### outbound access to provide internal service.
    # If we did not identify a specific destination dns server, let's go ahead
    # and allow any.
    if [ -z "${DNS_SVRS}" ]; then
        DNS_SVRS="0.0.0.0/0"
    fi
    for srvr in ${DNS_SVRS}; do
        for host in ${DNS_HOST}; do
            iptables -A FORWARD -p udp -i ${LAN_IFACE} -s ${host} -d ${srvr} \
                --dport 53 -j LOG --log-prefix "Legal DNS: "
            iptables -A FORWARD -p tcp -i ${LAN_IFACE} -s ${host} -d ${srvr} \
                --dport 53 -j LOG --log-prefix "Legal DNS: "
            iptables -A FORWARD -p udp -i ${LAN_IFACE} -s ${host} -d ${srvr} \
                --dport 53 -j ACCEPT
            iptables -A FORWARD -p tcp -i ${LAN_IFACE} -s ${host} -d ${srvr} \
                --dport 53 -j ACCEPT
        done
    done

    ### Count and limit all other outbound connections
    # This will ensure we don't restrict Honeypots talking to each other, and
    # we don't log them as outbound connections (in bridge mode, the
    # firewall sees all packets; therefore, we have to make sure it doesn't
    # log packets incorrectly and give false positives).
    # If you do not want to see this log, comment out the logging rule.
    # You will still need the ACCEPT rule to ensure the honeypots can talk
    # to each other freely.
    iptables -A FORWARD -i ${LAN_IFACE} -o ${LAN_IFACE} -j LOG \
        --log-prefix "Honeypot -> Honeypot: "
    iptables -A FORWARD -i ${LAN_IFACE} -o ${LAN_IFACE} -j ACCEPT

    # LAN Protect/Blocking denies access to the LAN IP addresses not included
    # in the LAN_ALLOWED_IP variable.
    # If we activated this feature, allow access to the specified IP addresses
    # and finally block the access to the rest of the LAN IP address space
    if [ "${LAN_BLOCK}" = "yes" ]; then
        for host in ${LAN_ALLOWED_IP}; do
            iptables -A FORWARD -i ${LAN_IFACE} -d ${host} -j ACCEPT
        done
        iptables -A FORWARD -i ${LAN_IFACE} -d ${LAN_IP_RANGE} -j DROP
    fi
    if [ "${LAN_BLOCK}" = "yes" ]; then
        for host in ${LAN_ALLOWED_IP}; do
            iptables -A FORWARD -i ${INET_IFACE} -s ${host} -j ACCEPT
        done
        iptables -A FORWARD -i ${INET_IFACE} -s ${LAN_IP_RANGE} -j DROP
    fi

    if [ "${MODE}" = "nat" ]; then
        LIMIT_IP="${HPOT_IP}"
    elif [ "${MODE}" = "bridge" ]; then
        LIMIT_IP="${PUBLIC_IP}"
    fi

    for host in ${LIMIT_IP}; do
        # TCP:
        # This next rule is the connection limiter. If it has not exceeded
        # the limit, the packet will be sent to the tcpHandler. The
        # tcpHandler will log and either QUEUE or ACCEPT depending on
        # the Architecture selected.
        #
        # NOTE: The purpose of the drop rule is to ensure we can catch 'other'
        # protocols that enter our network. If this statement is not here
        # we will get false log entries stating Drop other after xxx
        # connections.
        iptables -A FORWARD -p tcp -i ${LAN_IFACE} -m state --state NEW \
            -m limit --limit ${TCPRATE}/${SCALE} \
            --limit-burst ${TCPRATE} -s ${host} -j tcpHandler
        iptables -A FORWARD -p tcp -i ${LAN_IFACE} -m state --state NEW \
            -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} \
            -j LOG --log-prefix "Drop TCP after ${TCPRATE} attempts"
        iptables -A FORWARD -p tcp -i ${LAN_IFACE} -m state --state NEW \
            -s ${host} -j DROP

        # This rule is for Mike Clark in order to give him RELATED information. For
        # example, this will tell him the data channel related to an ftp command
        # channel of a connection.
        iptables -A FORWARD -p tcp -i ${LAN_IFACE} -m state --state RELATED \
            -s ${host} -j tcpHandler

        #
        # UDP - see TCP comments above.
        #
        iptables -A FORWARD -p udp -i ${LAN_IFACE} -m state --state NEW \
            -m limit --limit ${UDPRATE}/${SCALE} \
            --limit-burst ${UDPRATE} -s ${host} -j udpHandler
        iptables -A FORWARD -p udp -i ${LAN_IFACE} -m state --state NEW \
            -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG \
            --log-prefix "Drop udp after ${UDPRATE} attempts"
        iptables -A FORWARD -p udp -i ${LAN_IFACE} -m state --state NEW \
            -s ${host} -j DROP

        #
        # ICMP - see TCP comments above.
        #
        iptables -A FORWARD -p icmp -i ${LAN_IFACE} -m state --state NEW \
            -m limit --limit ${ICMPRATE}/${SCALE} \
            --limit-burst ${ICMPRATE} -s ${host} -j icmpHandler
        iptables -A FORWARD -p icmp -i ${LAN_IFACE} -m state --state NEW \
            -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG \
            --log-prefix "Drop icmp after ${ICMPRATE} attempts"
        iptables -A FORWARD -p icmp -i ${LAN_IFACE} -m state --state NEW \
            -s ${host} -j DROP

        #
        # EVERYTHING ELSE - see TCP comments above.
        #
        iptables -A FORWARD -i ${LAN_IFACE} -m state --state NEW -m limit \
            --limit ${OTHERRATE}/${SCALE} --limit-burst ${OTHERRATE} \
            -s ${host} -j otherHandler
        iptables -A FORWARD -i ${LAN_IFACE} -m state --state NEW -m limit \
            --limit 1/${SCALE} --limit-burst 1 -s ${host} -j LOG \
            --log-prefix "Drop other after ${OTHERRATE} attempts"
    done

    # This portion of the script will ensure that established or related
    # connections that were allowed, continue to work. If these lines
    # are not here, only the first packet of each connection that hasn't
    # reached the limit will be allowed in because we are dropping
    # all outbound connections by default.
    if [ "${QUEUE}" = "yes" ]; then
        TARGET=QUEUE
    else
        TARGET=ACCEPT
    fi
    iptables -A FORWARD -i ${LAN_IFACE} -m state --state RELATED,ESTABLISHED \
        -j ${TARGET}

    ### These define the handlers that actually limit outbound connection.
    #
    # tcpHandler - The only packets that should make it into these chains are new
    # connections, as long as the host has not exceeded their limit.
    #
    iptables -A tcpHandler -j LOG --log-prefix "OUTBOUND TCP: "
    iptables -A tcpHandler -j ${TARGET}

    #
    # udpHandler - see tcpHandler comments above.
    #
    iptables -A udpHandler -j LOG --log-prefix "OUTBOUND UDP: "
    iptables -A udpHandler -j ${TARGET}

    #
    # icmpHandler - see tcpHandler comments above.
    #
    iptables -A icmpHandler -j LOG --log-prefix "OUTBOUND ICMP: "
    iptables -A icmpHandler -j ${TARGET}

    #
    # otherHandler - see tcpHandler comments above.
    #
    iptables -A otherHandler -j LOG --log-prefix "OUTBOUND OTHER: "
    iptables -A otherHandler -j ${TARGET}

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    ### Let's make sure our firewall can talk to itself
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    ##############################
    # MANAGEMENT INTERFACE RULES #
    ##############################
    if [ "${MANAGE_IFACE}" != "none" ]; then
        for ports in ${ALLOWED_TCP_IN}; do
            if [ "${MANAGER}" = "any" ]; then
                #iptables -A INPUT -i ${MANAGE_IFACE} -p tcp --dport $ports \
                #    -m state --state NEW -j LOG \
                #    --log-prefix "MANAGE port:$ports=>"
                iptables -A INPUT -i ${MANAGE_IFACE} -p tcp --dport $ports \
                    -m state --state NEW -j ACCEPT
            else
                for ips in ${MANAGER}; do
                    #iptables -A INPUT -i ${MANAGE_IFACE} -p tcp -s $ips \
                    #    --dport $ports -m state --state NEW -j LOG \
                    #    --log-prefix "MANAGE port:$ports=>"
                    iptables -A INPUT -i ${MANAGE_IFACE} -p tcp -s $ips \
                        --dport $ports -m state --state NEW -j ACCEPT
                done
            fi
        done
        iptables -A OUTPUT -o ${MANAGE_IFACE} -p tcp -m state \
            --state RELATED,ESTABLISHED -j ACCEPT
    fi

    ### Set default policies for the INPUT, FORWARD and OUTPUT chains
    # By default, drop all connections sent to firewall
    iptables -P INPUT DROP

    # If we selected to restrict the firewall, let's implement it here.
    if [ "${RESTRICT}" = "yes" ]; then
        for port in ${ALLOWED_TCP_OUT}; do
            iptables -A OUTPUT -p tcp --dport $port -m state \
                --state NEW,ESTABLISHED,RELATED -j ACCEPT
        done
        for port in ${ALLOWED_UDP_OUT}; do
            iptables -A OUTPUT -p udp --dport $port -m state \
                --state NEW,ESTABLISHED,RELATED -j ACCEPT
        done
        # By default, drop firewall outbound connection
        iptables -P OUTPUT DROP
    else
        # By default, accept firewall outbound connection
        iptables -P OUTPUT ACCEPT
    fi

    # By default, if FORWARDED connections are not within limit, DROP.
    # This is a fail close policy, and more secure.
    iptables -P FORWARD DROP
}

stop () {
    echo "Stopping Firewall."

    #########
    # Flush rules
    #
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    iptables -X

    # Set default forward to drop
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP

    # Allow the firewall to talk to itself
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Keep the management interface reachable while the firewall is stopped.
    # (The test must be quoted: an unquoted -n test is always true, and
    # MANAGE_IFACE=none must not produce a rule on an interface called "none".)
    if [ -n "${MANAGE_IFACE}" ] && [ "${MANAGE_IFACE}" != "none" ]; then
        iptables -A INPUT -i ${MANAGE_IFACE} -j ACCEPT
        iptables -A OUTPUT -o ${MANAGE_IFACE} -j ACCEPT
    fi
}

initial () {
    #########
    # Flush rules
    #
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    iptables -X

    # Set default forward to drop
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP

    # Allow the firewall to talk to itself
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
}

restart () {
    stop
    start &>/dev/null
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    initial)
        initial
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|initial}"
        exit 1
esac

3. snort_inline.conf - Snort_inline Configuration File

var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,\
64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort_inline/rules/drop-rules

config checksum_mode: none

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble: both
preprocessor http_inspect: global \
    iis_unicode_map /etc/snort_inline/unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode

output alert_full: snort_inline-full.log
output alert_fast: snort_inline-fast.log

include $RULE_PATH/classification.config
include $RULE_PATH/reference.config

#include $RULE_PATH/test.rules
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules
# include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules

4. snort_inline.sh - Snort_inline Script File

#!/bin/sh
#
# Copyright 2004 Spanish Honeynet Project <project@honeynet.org.es>
# License BSD http://www.opensource.org/licenses/bsd-license.php
#
# NAME: snort_inline.sh
# DATE: August, 2004
# VERSION: 0.1
# DESCRIPTION: Setup script for running snort_inline
#

# Load variables
. /etc/default/honeywall.conf

# Script variables
RETVAL=0
BINARY=/usr/local/bin/snort_inline
PATH=/bin:/usr/local/bin
PID=/var/run/snort_inline.pid
DIR="/var/log/snort_inline"
DATE=`/bin/date +%Y%m%d`
CONF_FILE=/etc/snort_inline/snort_inline.conf
PROG=snort_inline
USER=snort

if [ ! -x "$BINARY" ]; then
    echo "ERROR: $BINARY not found."
    exit 1
fi

if [ ! -r "$CONF_FILE" ]; then
    echo "ERROR: $CONF_FILE not found."
    exit 1
fi

start() {
    # Check if log directory is present. Otherwise, create it.
    if [ ! -d $DIR/$DATE ]; then
        mkdir -p $DIR/$DATE
        chown -R $USER $DIR/$DATE
    fi
    /bin/echo "Starting $PROG: "
    # Snort_inline parameters
    # -D Run snort_inline in background (daemon) mode
    # -Q Use ip_queue for input vice libpcap (iptables only)
    # -u <uname> Run snort_inline uid as <uname> user (or uid)
    # -c Load configuration file
    # -N Turn off logging (alerts still work)
    # -l Log to directory
    # -t Chroots process to directory after initialization
    $BINARY -D -Q -u $USER -c $CONF_FILE -N -l $DIR/$DATE -t $DIR/$DATE
    RETVAL=$?
    /bin/echo "$PROG startup complete."
    return $RETVAL
}

stop() {
    if [ -s $PID ]; then
        /bin/echo "Stopping $PROG, with PID `cat $PID`: "
        kill -TERM `cat $PID` 2>/dev/null
        RETVAL=$?
        /bin/echo "$PROG shutdown complete."
        rm -f $PID
    else
        /bin/echo "ERROR: PID in $PID file not found."
        RETVAL=1
    fi
    return $RETVAL
}

restart() {
    stop
    start
    RETVAL=$?
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        restart
        ;;
    *)
        /bin/echo "Usage: $0 {start|stop|restart|reload}"
        RETVAL=1
esac

exit $RETVAL

5. snort.conf - Snort Configuration File

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,\
64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules

preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map /etc/snort/unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 4 portscan-snort.log
preprocessor perfmonitor: time 600 file /var/log/snort/snort.stats pktcnt 10000

output alert_fast: snort-fast.log

include /etc/snort/classification.config
include /etc/snort/reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules

6. snort.sh - Snort Script File (NIDS)

#!/bin/sh
#
# Copyright 2004 Spanish Honeynet Project <project@honeynet.org.es>
# License BSD http://www.opensource.org/licenses/bsd-license.php
#
# NAME: snort.sh
# DATE: August, 2004
# VERSION: 0.1
# DESCRIPTION: Setup script for running snort
#

# Load variables
. /etc/default/honeywall.conf

# Script variables
RETVAL=0
BINARY=/usr/local/bin/snort
PATH=/bin:/usr/local/bin
PID=/var/run/snort_${LAN_IFACE}_ids.pid
DIR="/var/log/snort"
DATE=`/bin/date +%Y%m%d`
CONF_FILE=/etc/snort/snort.conf
PROG=snort
USER=snort

if [ ! -x "$BINARY" ]; then
    echo "ERROR: $BINARY not found."
    exit 1
fi

if [ ! -r "$CONF_FILE" ]; then
    echo "ERROR: $CONF_FILE not found."
    exit 1
fi

start() {
    # Check if log directory is present. Otherwise, create it.
    if [ ! -d $DIR/$DATE ]; then
        mkdir -p $DIR/$DATE
        chown -R $USER $DIR/$DATE
    fi
    /bin/echo "Starting $PROG: "
    # Snort parameters
    # -D Run Snort in background (daemon) mode
    # -i <if> Listen on interface <if>
    # -u <uname> Run snort uid as <uname> user (or uid)
    # -c Load configuration file
    # -N Turn off logging (alerts still work)
    # -l Log to directory
    # -R <id> Include 'id' in snort_intf<id>.pid file name
    $BINARY -D -i $LAN_IFACE -u $USER -c $CONF_FILE -N -l $DIR/$DATE -R _ids
    RETVAL=$?
    /bin/echo "$PROG startup complete."
    return $RETVAL
}

stop() {
    if [ -s $PID ]; then
        /bin/echo "Stopping $PROG with PID `cat $PID`: "
        kill -TERM `cat $PID` 2>/dev/null
        RETVAL=$?
        /bin/echo "$PROG shutdown complete."
        rm -f $PID
    else
        /bin/echo "ERROR: PID in $PID file not found."
        RETVAL=1
    fi
    return $RETVAL
}

restart() {
    stop
    start
    RETVAL=$?
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        restart
        ;;
    *)
        /bin/echo "Usage: $0 {start|stop|restart|reload}"
        RETVAL=1
esac

exit $RETVAL

7. snort_pcap.sh - Snort Script File (Packet logging)

#!/bin/sh
#
# Copyright 2004 Spanish Honeynet Project <project@honeynet.org.es>
# License BSD http://www.opensource.org/licenses/bsd-license.php
#
# NAME: snort_pcap.sh
# DATE: August, 2004
# VERSION: 0.1
# DESCRIPTION: Setup script for running snort in packet logging mode
#

# Load variables
. /etc/default/honeywall.conf

# Script variables
RETVAL=0
BINARY=/usr/local/bin/snort
PATH=/bin:/usr/local/bin
PID=/var/run/snort_${LAN_IFACE}_pcap.pid
DIR="/var/log/snort"
DATE=`/bin/date +%Y%m%d`
CONF_FILE=/etc/snort/snort.conf
PROG=snort
USER=snort

if [ ! -x "$BINARY" ]; then
    echo "ERROR: $BINARY not found."
    exit 1
fi

if [ ! -r "$CONF_FILE" ]; then
    echo "ERROR: $CONF_FILE not found."
    exit 1
fi

start() {
    # Check if log directory is present. Otherwise, create it.
    if [ ! -d $DIR/$DATE ]; then
        mkdir -p $DIR/$DATE
        chown -R $USER $DIR/$DATE
    fi
    /bin/echo "Starting $PROG: "
    # Snort parameters
    # -D Run Snort in background (daemon) mode
    # -i <if> Listen on interface <if>
    # -u <uname> Run snort uid as <uname> user (or uid)
    # -l Log to directory
    # -L Log to a tcpdump file
    # -t Chroots process to directory after initialization
    # -R <id> Include 'id' in snort_intf<id>.pid file name
    $BINARY -D -i $LAN_IFACE -u $USER -l $DIR/$DATE -L tcpdump.$DATE -t $DIR/$DATE -R _pcap
    RETVAL=$?
    /bin/echo "$PROG startup complete."
    return $RETVAL
}

stop() {
    if [ -s $PID ]; then
        /bin/echo "Stopping $PROG with PID `cat $PID`: "
        kill -TERM `cat $PID` 2>/dev/null
        RETVAL=$?
        /bin/echo "$PROG shutdown complete."
        rm -f $PID
    else
        /bin/echo "ERROR: PID in $PID file not found."
        RETVAL=1
    fi
    return $RETVAL
}

restart() {
    stop
    start
    RETVAL=$?
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        restart
        ;;
    *)
        /bin/echo "Usage: $0 {start|stop|restart|reload}"
        RETVAL=1
esac

exit $RETVAL

8. tcpdump.sh - tcpdump Script File

#!/bin/sh
#
# Copyright 2004 Spanish Honeynet Project <project@honeynet.org.es>
# License BSD http://www.opensource.org/licenses/bsd-license.php
#
# NAME: tcpdump.sh
# DATE: August, 2004
# VERSION: 0.1
# DESCRIPTION: Setup script for running tcpdump.
#
# Comments: The default log directory is /var/log/tcpdump
#           The filter file is optional
#

# Load global variables
. /etc/default/honeywall.conf

# Script variables
RETVAL=0
BINARY=/usr/sbin/tcpdump
PATH=/bin:/usr/local/bin
FILTER_FILE=/etc/tcpdump/tcpdump.filter
DATE=`/bin/date +%Y%m%d`
LOG_DIR=/var/log/tcpdump
LOG_FILE=tcpdump.log.`/bin/date +%s`
PROG=tcpdump
# Owner of the capture directory. tcpdump is started as root by this script,
# so the directory is kept under root as well (the variable was previously
# taken from the environment and is unset when run from an init script).
USER=root

if [ ! -x "$BINARY" ]; then
    echo "ERROR: $BINARY not found."
    exit 1
fi

start() {
    # Check if log directory is present. Otherwise, create it.
    if [ ! -d $LOG_DIR/$DATE ]; then
        mkdir -p $LOG_DIR/$DATE
        chown -R $USER $LOG_DIR/$DATE
    fi
    /bin/echo "Starting $PROG: "
    if [ -s "$FILTER_FILE" ]; then
        $BINARY -i $LAN_IFACE -F $FILTER_FILE -w $LOG_DIR/$DATE/$LOG_FILE &
    else
        $BINARY -i $LAN_IFACE -w $LOG_DIR/$DATE/$LOG_FILE &
    fi
    /bin/echo "$PROG startup complete."
    return $RETVAL
}

stop() {
    /bin/echo "Stopping $PROG: "
    for pid in `/sbin/pidof $PROG`; do
        /bin/kill -TERM $pid 2>/dev/null
        RETVAL=$?
    done
    /bin/echo "$PROG shutdown complete."
    return $RETVAL
}

restart() {
    stop
    start
    RETVAL=$?
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        restart
        ;;
    *)
        /bin/echo "Usage: $0 {start|stop|restart|reload}"
        RETVAL=1
esac

exit $RETVAL

9. swatch.conf - Swatch Configuration File

watchfor /OUTBOUND TCP/
    mail=admin@example_domain.com,subject=------ ALERT! OUTBOUND TCP --------
    throttle 10:0:0

watchfor /OUTBOUND UDP/
    mail=admin@example_domain.com,subject=------ ALERT! OUTBOUND UDP --------
    throttle 10:0:0

watchfor /OUTBOUND ICMP/
    mail=admin@example_domain.com,subject=------ ALERT! OUTBOUND ICMP --------
    throttle 10:0:0

watchfor /OUTBOUND OTHER/
    mail=admin@example_domain.com,subject=------ ALERT! OUTBOUND OTHER --------
    throttle 10:0:0

watchfor /Drop/
    mail=admin@example_domain.com,subject=------ ALERT! Connection Limit Reached --------
    throttle 10:0:0
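The Swatch rules match the log prefixes that rc.firewall sets in its handler chains ("OUTBOUND TCP: ", "OUTBOUND UDP: ", ...) and in its limiter rules ("Drop TCP after N attempts"). The following script is an added example, not one of the project's files: it summarises those kernel log lines per honeypot and protocol so that what triggered an alert can be reviewed on the Honeywall. The syslog file it reads is constructed here and assumes the RH9-era "kernel: <prefix>IN=... SRC=..." line layout.

```shell
#!/bin/sh
# Added example, not one of the project's scripts: summarise the iptables LOG lines that
# rc.firewall sends to syslog, so a honeypot's outbound activity can be reviewed on the
# Honeywall itself. The log file below is constructed; the line layout is the RH9-era
# "kernel: <prefix>IN=... SRC=... DST=..." form that Swatch also matches.

LOG_FILE="${TMPDIR:-/tmp}/honeywall-messages.$$"
trap 'rm -f "$LOG_FILE"' EXIT
cat > "$LOG_FILE" <<'EOF'
Aug 12 10:01:02 honeywall kernel: INBOUND TCP: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.10.10.3 PROTO=TCP SPT=41222 DPT=22
Aug 12 10:01:09 honeywall kernel: OUTBOUND TCP: IN=eth1 OUT=eth0 SRC=10.10.10.3 DST=198.51.100.7 PROTO=TCP SPT=33044 DPT=6667
Aug 12 10:01:11 honeywall kernel: OUTBOUND TCP: IN=eth1 OUT=eth0 SRC=10.10.10.3 DST=198.51.100.7 PROTO=TCP SPT=33045 DPT=6667
Aug 12 10:01:15 honeywall kernel: OUTBOUND UDP: IN=eth1 OUT=eth0 SRC=10.10.10.3 DST=198.51.100.20 PROTO=UDP SPT=1024 DPT=69
Aug 12 10:01:30 honeywall kernel: Legal DNS: IN=eth1 OUT=eth0 SRC=10.10.10.3 DST=192.0.2.53 PROTO=UDP SPT=1025 DPT=53
Aug 12 10:01:40 honeywall kernel: OUTBOUND TCP: IN=eth1 OUT=eth0 SRC=10.10.10.4 DST=198.51.100.9 PROTO=TCP SPT=1030 DPT=80
Aug 12 10:02:20 honeywall kernel: Drop TCP after 9 attemptsIN=eth1 OUT=eth0 SRC=10.10.10.3 DST=198.51.100.44 PROTO=TCP SPT=33053 DPT=6667
Aug 12 10:02:21 honeywall kernel: Drop udp after 20 attemptsIN=eth1 OUT=eth0 SRC=10.10.10.3 DST=198.51.100.21 PROTO=UDP SPT=1026 DPT=69
EOF

# New outbound sessions per honeypot and protocol, taken from the "OUTBOUND <proto>: "
# prefix that the tcp/udp/icmp/otherHandler chains log. Prints "SRC PROTO COUNT".
outbound_summary() {   # $1 = syslog file
    awk '/kernel: OUTBOUND (TCP|UDP|ICMP|OTHER): / {
             match($0, /OUTBOUND (TCP|UDP|ICMP|OTHER):/)
             proto = substr($0, RSTART + 9, RLENGTH - 10)
             match($0, /SRC=[0-9.]+/)
             src = substr($0, RSTART + 4, RLENGTH - 4)
             n[src " " proto]++
         }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Count for one honeypot and protocol (0 when nothing was logged).
count_outbound() {     # $1 = syslog file, $2 = honeypot IP, $3 = TCP|UDP|ICMP|OTHER
    outbound_summary "$1" | awk -v key="$2 $3" '
        ($1 " " $2) == key { print $3; found = 1 }
        END { if (!found) print 0 }'
}

# Honeypots that hit their TCPRATE/UDPRATE/ICMPRATE/OTHERRATE limit. The script's
# "Drop <proto> after N attempts" prefix has no trailing space, so the kernel glues
# "attempts" to "IN=": the match below does not rely on a separator.
limit_hits() {         # $1 = syslog file; prints "SRC PROTO COUNT"
    awk 'tolower($0) ~ /drop (tcp|udp|icmp|other) after [0-9]+ attempts/ {
             match(tolower($0), /drop (tcp|udp|icmp|other) after/)
             proto = toupper(substr($0, RSTART + 5, RLENGTH - 11))
             match($0, /SRC=[0-9.]+/)
             src = substr($0, RSTART + 4, RLENGTH - 4)
             hits[src " " proto]++
         }
         END { for (k in hits) print k, hits[k] }' "$1" | sort
}

echo "Outbound sessions per honeypot:"
outbound_summary "$LOG_FILE"
echo "Honeypots that reached a connection limit:"
limit_hits "$LOG_FILE"
```

Point the functions at the file listed in WATCH_FILES (/var/log/messages by default) to get the same summary for a live Honeywall.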

10. swatch.sh - Swatch Script File

#!/bin/sh
#
# Copyright 2004 Spanish Honeynet Project <project@honeynet.org.es>
# License BSD http://www.opensource.org/licenses/bsd-license.php
#
# NAME: swatch.sh
# DATE: August, 2004
# VERSION: 0.1
# DESCRIPTION: Setup script for running Swatch.
#

# Load variables
. /etc/default/honeywall.conf

# Script variables
RETVAL=0
BINARY=/usr/bin/swatch
PATH=/bin:/usr/local/bin:/usr/bin
CONF_FILE=/etc/swatch/swatch.conf
PROG=swatch

if [ ! -x "$BINARY" ]; then
    echo "ERROR: $BINARY not found."
    exit 1
fi

if [ ! -r "$CONF_FILE" ]; then
    echo "ERROR: $CONF_FILE not found."
    exit 1
fi

start() {
    /bin/echo "Starting $PROG: "
    # Launch one Swatch process for each file included in $WATCH_FILES var
    for FILE in $WATCH_FILES; do
        $BINARY --config-file=$CONF_FILE --tail-file=$FILE --daemon &
    done
    /bin/echo "$PROG startup complete."
    return $RETVAL
}

stop() {
    /bin/echo "Stopping $PROG: "
    for PID in `/sbin/pidof $PROG`; do
        /bin/kill -TERM -$PID 2>/dev/null
        RETVAL=$?
    done
    /bin/echo "$PROG shutdown complete."
    return $RETVAL
}

restart() {
    stop
    start
    RETVAL=$?
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        restart
        ;;
    *)
        /bin/echo "Usage: $0 {start|stop|restart|reload}"
        RETVAL=1
esac

exit $RETVAL

Published (Last edited): 20-09-2012, source: http://www.honeynet.org.es/papers/honeywall/