Today I’m going to show you how to set up a stateful packet
filter (nftables) with an Intrusion Prevention System (IPS, suricata). We
will be using nftables for two reasons: one, it is the
successor to iptables/ufw, and two, we can chain nftables with
suricata using priority ranking, something that iptables cannot do. We
will use suricata instead of snort. With suricata we get
multi-threading and IBM’s hyperscan to speed up the scanning of packets.
Suricata will be used in IPS mode, which differs from IDS: with IPS the
packet is dropped in real time, before reaching userspace, using NFQUEUE.
We will be using the free rules from Emerging Threats because the paid
ones are around $700-800, and have them updated every time we reboot.
Additionally we will send the suricata alerts in real time as desktop
notifications. What will happen is this:
sent packet → nftables (accept/drop based on rules) → suricata (processing signatures to accept or drop in real time) → Alert (sent to desktop)
READY??? LET’S GET STARTED!!!
First we will add the packages we need
Next we need to modify suricata.service
Code:
sudo sed -i 's|^ExecStart.*|ExecStart=/usr/bin/suricata.hyperscan -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0 -q 1|' /lib/systemd/system/suricata.service
Then we will make a new systemd service to download the suricata ruleset on boot
And paste this code below into nano with Shift-Ctrl-V, then close nano with Ctrl-X, then enter Y followed by the Enter key
Code:
[Unit]
Description=Update Suricata Rules
After=network.target
Wants=suricata.service
[Service]
Type=simple
User=root
WorkingDirectory=/usr/sbin
ExecStart=/usr/sbin/suricata-oinkmaster-updater
Restart=on-failure
SuccessExitStatus=0
[Install]
WantedBy=multi-user.target
Next we want to modify /etc/suricata/suricata-oinkmaster.conf
And paste this code below into nano with Shift-Ctrl-V, then close nano with Ctrl-X, then enter Y followed by the Enter key
Code:
modifysid botcc.portgrouped.rules, botcc.rules, ciarmy.rules, \
compromised.rules, drop.rules, dshield.rules, emerging-dos.rules, \
emerging-malware.rules, emerging-scan.rules, emerging-shellcode.rules, \
emerging-trojan.rules, emerging-worm.rules "^alert" | "drop"
Next we will work with nftables
And paste this code below into nano with Shift-Ctrl-V, then close nano with Ctrl-X, then enter Y followed by the Enter key
Code:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop
ct state established,related counter accept
iif "lo" counter accept
# Allow Multicast for cups ipp/networking printing
pkttype { broadcast, multicast } udp dport mdns counter accept
# Allow ipv6
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets counter drop
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } counter accept
# Uncomment below to allow ssh from local network
#ip saddr { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 } tcp dport ssh ct state new limit rate 15/minute counter accept
# Uncomment the 2 below to allow icmp
#ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets counter drop
#ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } counter accept
counter drop
}
chain forward {
type filter hook forward priority 0; policy drop;
counter drop
}
chain output {
type filter hook output priority 0; policy accept;
counter accept
}
# Priority 10 runs after the priority 0 chains, so only packets they accepted reach suricata via NFQUEUE (queues 0 and 1 match the -q 0 -q 1 flags above)
chain IPS_input {
type filter hook input priority 10; policy drop;
counter queue num 0
counter drop
}
chain IPS_output {
type filter hook output priority 10; policy drop;
counter queue num 1
counter drop
}
}
Then change file permissions
Next we will add desktop notifications of suricata alerts
And paste this code below into nano with Shift-Ctrl-V, then close nano with Ctrl-X, then enter Y followed by the Enter key
Code:
#!/bin/bash
# Desktop alerts for suricata: follow fast.log and pop up each new line as it arrives.
tail -n0 -f /var/log/suricata/fast.log | while IFS= read -r line; do notify-send "Suricata Alert!" "$line"; done
Then commit these 3 file permissions
Open up the MENU and search for Startup Applications
Hit the + button and choose Custom command
Give the command a name
Set the command to:
Now we will enable the services and mask ufw
Disable UFW using the GUI or mask it
AND LASTLY reboot
After rebooting you can check that the desktop notifications are working correctly by refreshing the update manager. You should get an alert, which is a policy alert that apt is being used. You can keep this on or stop it by:
Code:
echo 'disablesid 2013504' | sudo tee -a /etc/suricata/suricata-oinkmaster.conf && sudo suricata-oinkmaster-updater
Note: If you're using TOR you may want to comment out the TOR category
in /etc/suricata/suricata.yaml and re-run suricata-oinkmaster-updater
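The tail loop above hands every fast.log line to notify-send, so low-priority hits such as the apt policy alert (sid 2013504) turn into desktop noise unless you disable the rule itself. As an added example that is not part of the original post, here is a parser for suricata's fast.log line format that filters on sid and priority before notifying; the sample lines, the 9000001/9000002 sids and the script name suricata_notify.py are constructed for illustration.

```python
import re
import subprocess
import sys
from collections import namedtuple

# One suricata fast.log line looks like:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src> -> <dst>
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
Alert = namedtuple("Alert", "ts sid msg classification priority proto src dst")  # priority 1 = most severe

def parse_fast_line(line):
    # Return an Alert for a well-formed fast.log line, None for anything else (partial writes, other output).
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["sid"]), m["msg"], m["cls"], int(m["prio"]), m["proto"], m["src"], m["dst"])

def should_notify(a, suppressed_sids, max_priority=2):
    # Skip sids you have chosen to mute and anything less severe than max_priority.
    return a.sid not in suppressed_sids and a.priority <= max_priority

def notifications_for(lines, suppressed_sids, max_priority=2):
    # Turn raw fast.log lines into the notification bodies that pass the filter.
    out = []
    for line in lines:
        a = parse_fast_line(line)
        if a and should_notify(a, suppressed_sids, max_priority):
            out.append(f"[P{a.priority}] {a.msg} {a.proto} {a.src} -> {a.dst}")
    return out

# Constructed sample lines (not captured traffic); sid 2013504 is the apt policy alert from the post.
SAMPLE_LINES = [
    "03/15/2024-10:22:31.123456  [**] [1:2013504:6] ET POLICY apt user-agent outbound (sample) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:48722 -> 203.0.113.10:80",
    "03/15/2024-10:23:02.000001  [**] [1:9000001:1] SAMPLE drop-listed traffic inbound [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.168.1.10:22",
    "03/15/2024-10:23:05.500000  [**] [1:9000002:1] SAMPLE malware callback [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:51000 -> 198.51.100.9:443",
    "not a fast.log line",
]

if __name__ == "__main__":
    # Usage: tail -n0 -F /var/log/suricata/fast.log | python3 suricata_notify.py
    for line in sys.stdin:
        for body in notifications_for([line], {2013504}):
            subprocess.run(["notify-send", "Suricata Alert!", body], check=False)
```

Raising max_priority to 3 shows the apt alert again without touching the ruleset, which is handy while checking that the pipeline works.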
Note: if you want to go back to UFW and you masked it, just run: sudo unlink /etc/systemd/system/ufw.service && sudo systemctl enable ufw.service
Note: If you want to see firewall stats just run: sudo nft list ruleset
TODO: add snort community and VRT rules... oinkmaster doesn't seem to work well with oinkcode
TODO: make a script on github
Source: Linux Mint Forum, Posted by Mollydarknet