Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort

Listing your firewall rules with iptables -L is the main tool available for checking for open ports. Open ports are defined to be open by your ACCEPT rules. Beyond the iptables -L command, other tools such as netstat are helpful for finding out what ports are listening on the firewall.

netstat has several uses. In the next section, we'll use it to check for active ports so that we can double-check that the TCP and UDP ports in use are the ports that the firewall rules are accounting for.

Just because netstat reports the port as listening or open doesn't mean that it's accessible through the firewall rules. Following this, two third-party port-scanning toolsstrobe and nmapare introduced. These tools should be used from an external location to test exactly which ports are listening on the firewall. netstat is a good indicator of services that are running on the machine. Remember, if the service isn't absolutely necessary, you should disable it and consider removing it entirely, especially from a firewall. Let firewalls be firewallsthey shouldn't run extra services.

netstat -a [ -n -p -A inet ]

netstat reports various network status information. Quite a few command-line options are documented to select what information netstat reports. The following options are useful for identifying open ports, reporting whether they are in active use and by whom, and reporting which programs and which specific processes are listening on the ports:

  • -a lists all ports that either are in active use or are being listened to by local servers.

  • -n displays the hostnames and port identifiers in numeric format. Without the -n option, the hostnames and port identifiers are displayed as symbolic names, as much as will fit in 80 columns. Using -n avoids a potentially long wait while remote hostnames are looked up. Not using -n produces a more readable listing.

  • -p lists the name of the program listening on the socket. You must be logged in as root to use the -p option.

  • -A inet specifies the address family reported. The listing includes the ports in use as they are associated with your network interface cards. Local address family socket connections aren't reported, including local network-based connections in use by programs (such as any X Windows program you might have running).

TYPES OF SOCKETSTCP/IP AND LINUX

Sockets were introduced in BSD 4.3 UNIX in 1986 and the concepts have largely been adopted by Linux. Two main socket types were the Internet domain, AF_INET, and the UNIX domain, AF_UNIX, sockets. AF_INET is the TCP/IP socket used across a network. AF_UNIX is a socket type local to the kernel. The UNIX domain socket type is used for interprocess communication on the same computer; it is more efficient than using TCP/IP for local sockets. Nothing goes out on the network.

The following netstat output is limited to the INET domain sockets. The listing reports all ports being listened to by network services, including the program name and the specific process ID of the listening program:

> netstat -a -p -A inet 1. Active Internet connections (servers and established) 2. Proto Recv-Q Send-Q Local Address Foreign Address State PID/ Program name 3. tcp 0 143 internal:ssh netserver:62360 ESTABLISHED 15392/sshd 4. tcp 0 0 *:smtp *:* LISTEN 3674/sendmail: acce 5. tcp 0 0 my.host.domain:www *:* LISTEN 638/httpd 6. tcp 0 0 internal:domain *:* LISTEN 588/named 7. tcp 0 0 localhost:domain *:* LISTEN 588/named 8. tcp 0 0 *:pop-3 *:* LISTEN 574/xinetd 9. udp 0 0 *:domain *:* 588/named 10. udp 0 0 internal:domain *:* 588/named 11. udp 0 0 localhost:domain *:* 588/named

Line 1 identifies the listing as including local servers and active Internet connections. This selection was indicated with the -A inet option to netstat.

Line 2 contains these column headings:

  • Proto refers to the transport protocol the service runs over, TCP or UDP.

  • Recv-Q is the number of bytes received from the remote host but not yet delivered to the local program.

  • Send-Q is the number of bytes sent from the local program that haven't been acknowledged by the remote host yet.

  • Local Address is the local socket, network interface, and service port pair.

  • Foreign Address is the remote socket, remote network interface, and service port pair.

  • State is the local socket's connection state for sockets using the TCP protocol, either ESTABLISHED connection or LISTENing for a connection request, as well as a number of intermediate connection establishment and shutdown states.

  • PID/Program name is the process ID (PID) and program name that owns the local socket.

Line 3 shows that an SSH connection is established over the internal LAN network interface from a machine known as netserver. The netstat command was typed from this connection.

Line 4 is a sendmail listening for incoming mail on the SMTP port associated with all network interfaces, including the external interface connected to the Internet, the internal LAN interface, and the loopback, localhost interface.

Line 5 shows that a local web server is listening for connections on the external interface to the Internet.

Line 6 shows that the name server is listening on the internal LAN interface for DNS lookup connection requests from local machines over TCP.

Line 7 shows that the name server is listening on the loopback interface for DNS lookup connection requests from clients on this machine over TCP.

Line 8 shows that xinetd is listening for connections on the POP port associated with all interfaces on behalf of popd. (xinetd is listening on all interfaces for incoming POP connections. If a connection request arrives, xinetd starts a popd server to service the request.) The firewall and higher-level security mechanisms at the tcp_wrappers level and the popd configuration level limit incoming connections to the LAN machines.

Line 9 shows that the name server is listening on all interfaces for DNS server-to-server communications and is accepting local lookup requests over UDP.

Line 10 shows that the name server is listening on the internal LAN network interface for DNS server-to-server communications and lookup requests over UDP.

Line 11 shows that the name server is listening on the loopback interface for DNS lookup requests from local clients on this machine over UDP.

netstat OUTPUT REPORTING CONVENTIONS

In netstat output, the local and foreign (that is, remote) addresses are listed as <address:port>. Under the Local Address column, the address is the name or IP address of one of your network interface cards. When the address is listed as *, it means that the server is listening on all network interfaces rather than on just a single interface. The port is either the symbolic or the numeric service port identifier that the server is using. Under the Foreign Address column, the address is the name or IP address of the remote client currently participating in a connection. The *.* is printed when the port is idle or for the default daemon. The port is the remote client's port on its end.

Idle servers listening over the TCP protocol are reported as listening for a connection request. Idle servers listening over the UDP protocol are reported as blank. UDP has no statethe netstat output is simply making a distinction between stateful TCP and stateless UDP.

Checking a Process Bound to a Particular Port with fuser

The fuser command identifies which processes are using a particular file, filesystem, or network port. netstat -a -A inet will report a port number rather than a service name if the port doesn't have an entry in /etc/services. fuser can be useful to determine which program is bound to that port.

The general fuser command format to identify which program is bound to a given port is as follows:

fuser -n tcp|udp -v <port number>[,<remote address>[,<remote port>]

For example,

> fuser -n tcp -v 515

produces the following output:

USER PID ACCESS COMMAND 515/tcp root 718 f.... lpd

The -v option produces the USER, ACCESS, and COMMAND fields. Without the -v option, the port/protocol and PID would be reported. You would need to use ps to identify the program assigned that process id.

The access field codes refer to the type of access that the file or filesystem is being accessed by the process as. The f indicates that the object is open.

The next two sections describe two third-party tools available from the Internet: strobe and nmap.

strobe

strobe is a simple TCP port scanner. Use it to report which TCP ports are open on your network interfaces. strobe is available at http://metalab.unc.edu/pub/Linux/ system/ network/admin.

The following sample strobe output reports the TCP ports where strobe has found servers listening. strobe's default output includes the scanned hostname and the entry from /etc/services describing the port. With a firewall installed, additional servers could be running on the machine, as well, hidden behind publicly blocked ports:

> strobe firewall strobe 1.04 (c) 1995-1997 Julian Assange (proff@suburbia.net). firewall ssh 22/tcp # SSH Remote Login Protocol firewall smtp 25/tcp mail firewall domain 53/tcp nameserver # name-domain server firewall http 80/tcp www www-http # WorldWideWeb HTTP firewall auth 113/tcp authentication tap ident

nmap

nmap is a much more powerful network security auditing tool that includes many of the newer stealth scanning techniques in use today. You should check your system security with nmap; it's a given that other people will. nmap is available at http://www.insecure.org/nmap/. You should use nmap from a host outside of your firewall to check that the firewall isn't listening on unexpected ports.

The following sample nmap output reports the state of all TCP and UDP ports. Because the verbose option isn't used, nmap reports only the ports that are open and that have servers listening on them. nmap output includes the scanned hostname, IP address, port, open or closed state, transport protocol in use on that port, and symbolic service port name from /etc/ services. Because choke is an internal host, additional ssh and ftp ports are open for internal LAN access:

> nmap -sT router Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ ) Interesting ports on choke.private.lan (192.168.1.2): (The 3100 ports scanned but not shown below are in state: filtered) Port State Service 21/tcp open ftp 22/tcp open ssh 53/tcp open domain 80/tcp open http 443/tcp open https Nmap run completed -- 1 IP address (1 host up) scanned in 236 seconds

Категории