Fighting bad guys with an IPS from scratch (securitycongress2018): transcript of the slides
Page 1
Fighting bad guys with an IPS from scratch
Page 2
Daniel Conde Rodríguez BS Computer Engineer – PCAE - LFCS
Webhosting Service Operations Team Coordinator
Acens (Telefónica)
@daconde2
www.linkedin.com/in/daniconde
Page 3
WHO ARE BAD GUYS?
Page 4
WHO ARE BAD GUYS? Dimitry (Moskva)
Page 5
Diagram: script / malware (spread as a WordPress plugin, a mobile app, "FIFA 2018") -> infected webservers, mobiles, PCs, IoT -> Internet -> target
Page 6
In common: the IP of the attacker
Diagram (same as the previous slide): script / malware (WordPress plugin, mobile app, "FIFA 2018") -> webservers, mobiles, PCs, IoT -> Internet -> target
Page 7
TARGETS
VPS, SERVERS, WEBSITES,
CLOUD SERVICES…
A FW IS NOT ENOUGH
Page 8
Let's fight bad guys! How?
Defense, defense, defense, with overall security solutions.
Page 9
+ IPS (Intrusion Prevention System)
+ Opensource tools
+ Several defense layers
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Events are collected centrally using a security information and event management (SIEM) system. Systems with response capabilities are typically referred to as an intrusion prevention system (IPS).
Page 10
TRY TO BLOCK ATTACKS: XSS, CSRF, CRAWLERS, BOTNETS, VULNERABILITY SCANNERS/PLUGINS, SQLi, COOKIE STEALING…
Page 11
LOGS
203.0.113.1 - - [20/Jun/2018:01:03:45 +0200] "GET api/specific_prices/?display=full&filter%5Bid_product%5D=%5B1344%5D"
Page 12
INITIAL SCENARIO
Botnet performing a WPSCAN
Diagram: BOTNET 203.0.113.1, BOTNET 203.0.113.2, BOTNET 203.0.113.3 -> TARGET 98.51.100.1
Page 13
REQUEST FLOW
Diagram: BOTNET -> HTTP REQUEST -> SERVER
Page 14
TOOLS
SNORT https://www.snort.org (alternatives: Bro, Suricata, etc.)
IPSET http://ipset.netfilter.org/
IPTABLES https://netfilter.org/
WAF (ModSecurity + OWASP + Comodo rule sets): https://www.modsecurity.org/ https://www.owasp.org/index.php/ https://waf.comodo.com/
GEOIP https://www.maxmind.com/es/geoip2-databases
SCRIPTS (bash, python, perl, ruby, etc.)
ELK STACK https://www.elastic.co/elk-stack
Page 15
REQUEST FLOW
Diagram: BOTNET -> HTTP REQUEST -> SERVER
Page 16
SNORT
- Snort is an open-source, free and lightweight NIDS that detects emerging threats
- Runs on Linux / Windows
- Thousands of rules, updated by the community
- Snort vs Suricata vs Bro
Page 17
SNORT configuration
Pulledpork, OinkMaster: helper scripts that automatically download the latest rules for you
Snorby, Base, ELK: GUIs for rules and vulnerabilities
./pulledpork.pl -o /usr/local/etc/snort/rules/ -O 1234520334234 -u http://www.snort.org/reg-rules/snortrules-snapshot-2973.tar.gz
Page 18
SNORT configuration
Page 19
HW: SNORT
Diagram: BOTNET -> HTTP REQUEST -> SERVER; the HTTP REQUEST is copied to SNORT over a PORT MIRROR (IPS)
Page 20
IPSET
- IP sets are a framework inside the Linux kernel, managed with the ipset utility
- Mass blocking of IP addresses, networks, (TCP/UDP) port numbers, MAC addresses …
- +300,000 IPs / ranges blocked
- IPSET solves IPTABLES limitations:
  High number of rules: slow vs FAST
  Linear evaluation vs SIMPLE EVALUATION
  Changing rules: slow/inefficient vs SIMPLE STORAGE METHOD
- Lightning-fast set matching and blocking speed
Page 21
IPSET commands
ipset create blacklist hash:net hashsize 4096 maxelem 40960
ipset create whitelist hash:net hashsize 4096 maxelem 40960
ipset destroy blacklist
ipset add blacklist 203.0.113.1
Resulting INPUT chain (the whitelist set is matched before the blacklist set):
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 match-set whitelist src
LOG_BLACKLIST tcp -- 0.0.0.0/0 0.0.0.0/0 match-set blacklist src
Chain LOG_BLACKLIST (1 references)
Page 22
IPSET SHOW LIST
ipset list blacklist
Name: blacklist
Type: hash:net
Header: family inet hashsize 262144 maxelem 600000 timeout 36000
Size in memory: 211388
References: 1
Members:
203.0.113.1 timeout 3478
Page 23
HW: IPSET
Diagram: BOTNET -> HTTP REQUEST -> IPSET (on the server); the HTTP REQUEST is copied to SNORT over a PORT MIRROR (IPS)
Page 24
IPTABLES
iptables -N LOG_BLACKLIST
iptables -I LOG_BLACKLIST 1 -m limit --limit 30/hour --limit-burst 30 -j LOG --log-prefix "IPBlacklisted: " --log-level 4
iptables -A LOG_BLACKLIST -j DROP
Chain LOG_BLACKLIST (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 120 LOG flags 0 level 4 prefix "IPTables-Dropped: "
DROP all -- 0.0.0.0/0 0.0.0.0/0
SCRIPTS > LOGS (/var/log/iptables.log)
Oct 7 10:00:00 server kernel: IPBlacklisted: IN=XXX OUT= MAC=xx:xx:xx SRC=203.0.113.1 DST=OUR_SERVER LEN=XX TOS=0x00 PREC=0x00 TTL=XX ID=XXXX DF PROTO=TCP SPT=XXX DPT=80
Page 25
HW: IPTABLES
Diagram: BOTNET -> HTTP REQUEST -> IPSET -> IPTABLES; the HTTP REQUEST is copied to SNORT over a PORT MIRROR (IPS)
Page 26
MODSECURITY WAF
ModSecurity is a web application firewall working at Layer 7.
- Covers the most critical security risks to web applications
- No code modification required
- Easy to configure
- Flexible custom rules (OWASP, Comodo, Atomic)
Page 27
MODSECURITY LOGS
--9650b61c-A--
[20/Jun/2018:21:07:36 +0200] Wyql@LAcZ84ALHn77WUAAAAr 203.0.113.1 14250 98.51.100.1 80
--9650b61c-B--
GET /app/wordpress/wp-config.php HTTP/1.1
Host: www.myserver.com
Connection: keep-alive
Accept: image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
--9650b61c-F--
HTTP/1.1 403 Forbidden
--9650b61c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [line "2"] [msg "IP 203.0.113.1 block Country"]
Action: Intercepted (phase 1)
Producer: ModSecurity for Apache
Server: Apache
Engine-Mode: "ENABLED"
1 RULE, 2 BLOCKING CONDITIONS (WPSCAN + GEOIP) -> TAGGED ATTACK -> EXEC() ACTION IN MODSEC -> SCRIPT BLOCKS IP IN IPSET
Page 28
HW: WAF
Diagram: BOTNET -> HTTP REQUEST -> IPSET -> IPTABLES -> WAF (GEOIP); the HTTP REQUEST is copied to SNORT over a PORT MIRROR (IPS); SNORT -> BLOCK IP/RANGE/HOST
Page 29
SCRIPTS
MODSECURITY LOGS: Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [msg "IP 203.0.113.1 block Country"]
TAGGED ATTACK -> EXEC() ACTION IN MODSEC -> SCRIPT BLOCKS IP IN IPSET
#!/usr/bin/lua
-- ModSecurity exec script: a *.lua script runs in ModSecurity's built-in Lua engine, which
-- exposes the request as "m". Adds the client IP to the ipset; needs CAP_NET_ADMIN (sudo/helper).
function main()
    local remote_ip = m.getvar("REMOTE_ADDR")
    -- Only a plain dotted quad may be passed to the shell command below.
    if remote_ip == nil or not remote_ip:match("^%d+%.%d+%.%d+%.%d+$") then
        m.log(1, "LUA block IP exec: refused REMOTE_ADDR " .. tostring(remote_ip))
        return nil
    end
    -- The slide's version passed the literal text "remote_ip"; the variable has to be concatenated.
    local handle = io.popen("ipset add blacklist " .. remote_ip)
    if handle then handle:close() end
    local file = io.open("/tmp/lua_output.txt", "w")  -- debug trace of the last blocked IP
    if file then file:write(remote_ip) file:close() end
    m.log(1, "LUA block IP exec! " .. remote_ip)
    return nil
end
MODSECURITY RULE
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
# Chain: request for wp-config.php AND the client's GeoIP country is SN. The disruptive
# actions and exec belong to the first rule and fire only when every link has matched.
# The slide used "URI", which is not a ModSecurity variable; REQUEST_URI is the right one.
SecRule REQUEST_URI "wp-config.php" "chain,id:11111,phase:1,initcol:ip=%{REMOTE_ADDR},exec:/path/to/your/script,deny,status:403,msg:'IP %{REMOTE_ADDR} block Country'"
    SecRule REMOTE_ADDR "@geoLookup" "chain"
        SecRule GEO:COUNTRY_CODE "@pm SN"
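As an added example (not code from the slides), a stand-alone shell detector that covers both the IPSET blacklist-with-timeout slide and the "script blocks IP in IPSET" flow above: it reads combined-format access-log lines, flags wp-config.php probes and wp-login.php brute force, skips whitelisted hosts and emits the ipset commands. The log lines, the whitelist contents and the threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: a stand-alone detector that turns web-server
# access-log lines into the same "ipset add blacklist" step the slides trigger from a
# ModSecurity exec script. Assumes Apache/nginx combined log format and the set names
# "blacklist"/"whitelist" and 36000 s timeout shown on the "ipset list" slide.

# Constructed sample log (RFC 5737 test addresses); the wp-config.php probe mirrors the slide.
SAMPLE_LOG='203.0.113.1 - - [20/Jun/2018:21:07:36 +0200] "GET /app/wordpress/wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.2 - - [20/Jun/2018:21:07:37 +0200] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.2 - - [20/Jun/2018:21:07:38 +0200] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.2 - - [20/Jun/2018:21:07:39 +0200] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jun/2018:21:07:40 +0200] "GET /index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
198.51.100.8 - - [20/Jun/2018:21:07:41 +0200] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Jun/2018:21:07:42 +0200] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.58"'

# Monitoring hosts that must never be blocked (constructed); mirrors the whitelist set.
WHITELIST='10.0.0.5
198.51.100.7'

# suspicious_ips LOG [THRESHOLD]: print one offending client IP per line.
#   rule 1: any request for wp-config.php (a WPScan-style probe, never legitimate)
#   rule 2: THRESHOLD or more POSTs to wp-login.php (login brute force), default 3
# Lines whose first field is not a dotted quad are skipped so nothing odd reaches ipset.
suspicious_ips() {
    printf '%s\n' "$1" | awk -v thr="${2:-3}" '
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        $7 ~ /wp-config\.php/                     { bad[$1] = 1 }
        $6 == "\"POST" && $7 ~ /wp-login\.php/    { if (++logins[$1] >= thr) bad[$1] = 1 }
        END { for (ip in bad) print ip }' | LC_ALL=C sort
}

# blacklist_cmds LOG [THRESHOLD]: emit one ipset command per offender not in the whitelist.
# "-exist" makes the add idempotent and refreshes the timeout of an already-listed IP.
blacklist_cmds() {
    suspicious_ips "$1" "$2" | while IFS= read -r ip; do
        printf '%s\n' "$WHITELIST" | grep -qxF -- "$ip" && continue
        printf 'ipset -exist add blacklist %s timeout 36000\n' "$ip"
    done
}

# apply_blacklist LOG: run the commands for real only as root with ipset installed;
# otherwise just print them (dry run).
apply_blacklist() {
    if [ "$(id -u)" -eq 0 ] && command -v ipset >/dev/null 2>&1; then
        blacklist_cmds "$1" | sh
    else
        blacklist_cmds "$1"
    fi
}

blacklist_cmds "$SAMPLE_LOG"   # dry run on the constructed sample
```

On a real host the same flow is `apply_blacklist "$(cat /var/log/apache2/access.log)"` from a cron job or a log-tailing wrapper, fed by the whitelist set the slides already create.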
Page 30
HW: SCRIPTS
Diagram: BOTNET -> HTTP REQUEST -> IPSET -> IPTABLES -> WAF (GEOIP); the HTTP REQUEST is copied to SNORT over a PORT MIRROR (IPS); LOGS -> SCRIPTS -> BLOCK IP/RANGE/HOST
Page 31
ELK
"ELK" is the acronym for three open source projects:
Elasticsearch is a search and analytics engine.
Logstash is a server-side data processing pipeline that ingests
data from multiple sources simultaneously, transforms it,
and then sends it to a "stash" like Elasticsearch.
Kibana lets users visualize data with charts and graphs in Elasticsearch
Page 32
ELK
Page 33
ELK
SNORT TOP ATTACKS, 1 DAY (alert count, signature)
87128 SYN Port Scan
34685 BitTorrent Meta-Info Retrieving
29371 Wordpress wp-login.php Login Attempt
27273 Microsoft Windows RDP Server
17086 Mercury Mail IMAP Command Buffer Overflow
15310 Password Brute Force
12440 Windows SMB Remote Code Execution Vulnerability
7693 Possible HTTP DoS Attack with Invalid HTML Page Access
7460 SQL Injection - Exploit II
7219 Exim Buffer Overflow (CVE-2018-6789)
6999 Drupal Remote Code Execution (CVE-2018-7600)
6866 Monero Mining Possible ADB.Miner Worm Activity Detected
Page 34
HW: IPS (all layers)
Diagram: BOTNET -> HTTP REQUEST -> IPSET -> IPTABLES -> WAF (GEOIP); the HTTP REQUEST is copied to SNORT over a PORT MIRROR (IPS); LOGS -> SCRIPTS / ELK (PARSED DATA) -> BLOCK IP/RANGE/HOST
Page 35
INITIAL SCENARIO
Botnet performing a WPSCAN
Diagram: BOTNET 203.0.113.1, BOTNET 203.0.113.2, BOTNET 203.0.113.3 -> TARGET 98.51.100.1
GOOD LUCK DIMITRY !!! I'M BEHIND 7 PROXIES AND 1 IPS
Page 36
Fighting bad guys with an IPS from scratch
Daniel Conde Rodriguez
EuskalHack Security Congress III 2018
THANK YOU !!!