Detecting and Countering Server Intrusions


In this fourth part of a five-part series that focuses on securing your web server, you will learn how to detect intrusions and respond to incidents. This article is excerpted from chapter four of Securing Ajax Applications: Ensuring the Safety of the Dynamic Web, written by Christopher Wells (O'Reilly, 2007; ISBN: 0596529317). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

By: O'Reilly Media
October 02, 2008
TABLE OF CONTENTS:
  1. Detecting and Countering Server Intrusions
  2. Intrusion Detection
  3. Incident Response
  4. Web Server Hardening
Windows Update

For all others in the world, there is of course Windows Update. Microsoft tends to release monthly patches every first Tuesday of the month. So, on those Tuesdays, if you are running a Windows server, I would skip my dinner plans, kick off the download process, and order a pizza.

All the major operating systems have a vehicle for distributing patches. Figure out which one is right for you, and implement a procedure for checking for updates regularly.

Host Firewall

Remember, I said that this machine needs to act like there is no firewall or other device protecting it from unsavory network traffic. Most Linux systems, including my Ubuntu system, come with a firewall built-in. It’s called iptables—or ipchains if you are using a kernel of version 2.2 or older.

Using iptables

This is some black magic, but well worth it. On my Ubuntu system, iptables comes installed and enabled, but it is configured to let all network traffic through.

Because this machine must defend itself, we should alter this default configuration with some basic firewall rules locally. Example 4-3 shows an iptables script for a bastion server running HTTP.

Example 4-3. A sample IPTables script

#!/bin/sh
#
# IPTables Local Firewall Script for bastion web servers.
#
# Adapted from bastion script found in:
# Bauer, Michael, Linux Server Security, second edition (O'Reilly)
#
###

# Please enter the name of your server
MYSERVER=MyServer

# Your server's IP Address
IPADDRESS=192.168.1.101

# IPTABLES Location
IPTABLES=/usr/sbin/iptables
test -x $IPTABLES || exit 5

case "$1" in
start)
  echo -n "Loading $MYSERVER's ($IPADDRESS) Packet Filters..."

  # Load kernel modules first
  modprobe ip_tables
  modprobe ip_conntrack_ftp

  # Flush old custom tables
  $IPTABLES --flush
  $IPTABLES --delete-chain

  # Set default-deny policies for all three default chains
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P OUTPUT DROP

  # Exempt Loopback address
  $IPTABLES -A INPUT  -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT

  # Spoofing this host? (--log-prefix is limited to 29 characters)
  $IPTABLES -A INPUT -s $IPADDRESS -j LOG --log-prefix "Spoofed $MYSERVER! "
  $IPTABLES -A INPUT -s $IPADDRESS -j DROP

  # Add some generic Anti-spoofing rules
  $IPTABLES -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
  $IPTABLES -A INPUT -s 255.0.0.0/8 -j DROP
  $IPTABLES -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
  $IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
  $IPTABLES -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
  $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
  $IPTABLES -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP! "
  $IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
  $IPTABLES -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP! "
  $IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP

  # INBOUND POLICY -----------------------

  # Accept inbound packets that are part of previously-OK'ed sessions
  $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Let approved outbound traffic and DNS queries out now: the hostname
  # matches below are resolved when the rule is loaded, which needs
  # working DNS even though the default-deny policies are already set
  $IPTABLES -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

  # Too Popular?
  $IPTABLES -A INPUT -s www.slashdot.org -j LOG --log-prefix "Slashdotted! "
  $IPTABLES -A INPUT -s www.slashdot.org -j DROP
  $IPTABLES -A INPUT -s www.digg.com -j LOG --log-prefix "Dugg! "
  $IPTABLES -A INPUT -s www.digg.com -j DROP

  # Accept inbound packets that initiate HTTP sessions
  $IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

  # Accept inbound packets that initiate Secure HTTP sessions
  $IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

  # Allow inbound SSH (22)
  #$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

  # OUTBOUND POLICY -----------------------
  # (RELATED,ESTABLISHED and DNS were already allowed out above)

  # Allow outbound HTTP (80) for web services?
  $IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

  # Allow outbound ping (debug)
  #$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

  # Allow outbound SMTP (25) for notifications
  #$IPTABLES -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

  # Allow outbound SSH (22)
  #$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

  # Allow outbound NTP (123, UDP) for time sync?
  #$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

  # Log everything that gets rejected/DROP'd
  $IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT dropped by default: "
  ;;

wide-open)
  echo "*** WARNING ***"
  echo "Unloading $MYSERVER's ($IPADDRESS) Packet Filters!"
  # Flush current table
  $IPTABLES --flush
  # Open up the gates.
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  ;;

stop)
  # The default-deny policies stay in place, so "stop" blocks all
  # traffic; use wide-open if you need the host reachable again
  echo "Shutting down packet filtering..."
  $IPTABLES --flush
  ;;

status)
  echo "$MYSERVER Firewall (IPTables) running status:"
  $IPTABLES --line-numbers -v --list
  ;;

*)
  echo "Usage: $0 {start|stop|wide-open|status}"
  exit 1
  ;;
esac

Running this script is a good place to start. It sets up the basics. I really can’t get into an in-depth discussion about iptables here, but if you are interested in more information on the subject, I again urge you to read Linux Server Security (O’Reilly) or read any number of online resources to learn this powerful yet complicated packet filtering system.
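Once the script has been loaded, the practical question is whether the live rule set still matches the bastion policy it was meant to set up: an admin who ran wide-open and forgot, or a later rule that opened another port, silently turns the host back into one that relies on something else to protect it. The audit function below is an added example, not part of the book or of Example 4-3. It reads a rule dump in the format that iptables -S prints, compares it with the policy of Example 4-3 (default DROP on all three chains, loopback exempted, the five anti-spoofing drops present, and NEW inbound TCP sessions accepted only on an allowed port list), and prints one finding per deviation. The two dumps embedded here are constructed samples; on a real host you would pass it "$(iptables -S)" instead.

```shell
#!/bin/sh
# Audit an iptables rule dump against the bastion policy of Example 4-3.
# Added example; not from the book. Input is the output format of
# `iptables -S` (one -P policy line per chain, one -A line per rule).

# Constructed sample: what the start) branch of Example 4-3 leaves loaded
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT'

# Constructed sample of a drifted host: wide-open was run and SSH was opened
DRIFTED_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT'

# audit_rules RULES ALLOWED_PORTS
# Prints one FAIL line per deviation from the bastion policy and returns 1;
# prints nothing and returns 0 when the rule set is clean.
audit_rules() {
    rules=$1
    allowed=$2   # space-separated inbound TCP ports that may accept NEW
    rc=0
    # 1. Every built-in chain must default to DROP
    for chain in INPUT FORWARD OUTPUT; do
        if ! printf '%s\n' "$rules" | grep -q -- "^-P $chain DROP$"; then
            echo "FAIL: default policy for $chain is not DROP"
            rc=1
        fi
    done
    # 2. Loopback must be exempted, or local services break under DROP
    if ! printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT$'; then
        echo "FAIL: loopback is not exempted on INPUT"
        rc=1
    fi
    # 3. The anti-spoofing drops from Example 4-3 must all be present
    for net in 255.0.0.0/8 0.0.0.0/8 127.0.0.0/8 172.16.0.0/12 10.0.0.0/8; do
        if ! printf '%s\n' "$rules" | grep -q -- "^-A INPUT -s $net -j DROP$"; then
            echo "FAIL: anti-spoof DROP for $net missing"
            rc=1
        fi
    done
    # 4. Any INPUT rule accepting NEW sessions must name an allowed port
    ports=$(printf '%s\n' "$rules" \
        | grep -- '^-A INPUT .*--dport [0-9]* .*NEW.*-j ACCEPT$' \
        | sed 's/.*--dport \([0-9]*\).*/\1/')
    for p in $ports; do
        case " $allowed " in
            *" $p "*) ;;
            *) echo "FAIL: inbound port $p accepts NEW sessions but is not allowed"
               rc=1 ;;
        esac
    done
    return $rc
}

# One-word verdict, handy for cron jobs and monitoring checks
audit_verdict() {
    if audit_rules "$1" "$2" >/dev/null; then echo ok; else echo drift; fi
}

# Usage: audit_rules "$(iptables -S)" "80 443"
audit_rules "$SAMPLE_RULES" "80 443" && echo "sample rule set: ok"
audit_rules "$DRIFTED_RULES" "80 443" || echo "drifted rule set: drift detected"
```

The check deliberately matches whole rule lines rather than substrings, so a rule that looks similar but lands in a different chain or with a different target does not pass; run it from cron against "$(iptables -S)" and alert on any FAIL line, which catches both a forgotten wide-open and a quietly added port.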
