Đang tải... (xem toàn văn)
Đây là bộ sách tiếng anh cho dân công nghệ thông tin chuyên về bảo mật,lập trình.Thích hợp cho những ai đam mê về công nghệ thông tin,tìm hiểu về bảo mật và lập trình.
www.nostarch.com TH E F I N E S T I N G E E K E N T E R TA I N M E N T ™ SHELVE IN: COMPUTER SECURITY/ NETWORKING $49.95 ($59.95 CDN) ® U S E I P T A B L E S T O D E T E C T A N D P R E V E N T N E T W O R K - B A S E D A T T A C K S U S E I P T A B L E S T O D E T E C T A N D P R E V E N T N E T W O R K - B A S E D A T T A C K S “I LAY FLA T.” This book uses RepKover —a durable binding that won’t snap shut. Printed on recycled paper System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection system (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack. Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You’ll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentica- tion layer around iptables with fwknop. Concrete examples illustrate concepts such as firewall log analysis and policies, passive network authentica- tion and authorization, exploit packet traces, Snort ruleset emulation, and more with coverage of: • Application layer attack detection with the iptables string match extension and fwsnort • Building an iptables ruleset that emulates a Snort ruleset • Port knocking vs. Single Packet Authorization (SPA) • Tools for visualizing iptables logs • Passive OS fingerprinting with iptables Perl and C code snippets offer practical examples that will help you to maximize your deployment of Linux firewalls. If you’re responsible for keeping a network secure, you’ll find Linux Firewalls invaluable in your attempt to understand attacks and use iptables—along with psad and fwsnort—to detect and even prevent compromises. A B O U T T H E A U T H O R Michael Rash is a security architect with Enterasys Networks, Inc., where he develops the Dragon intrusion detection and prevention system. He is a frequent contributor to open source projects and the creator of psad, fwknop, and fwsnort. Rash is an expert on firewalls, intrusion detection systems, passive OS fingerprinting, and the Snort rules language. He is co-author of Snort 2.1 Intrusion Detection (Syngress, 2004) and author of Intrusion Prevention and Active Response (Syngress, 2005), and he has written security articles for Linux Journal, Sys Admin maga- zine, and ;login:. L I N U X F I R E W A L L S L I N U X F I R E W A L L S A T T A C K D E T E C T I O N A N D R E S P O N S E W I T H I P T A B L E S , P S A D , A N D F W S N O R T M I C H A E L R A S H ® Linux Firewalls is a great book. —From the foreword by Richard Bejtlich of TaoSecurity.com L I N U X F I R E W A L L S L I N U X F I R E W A L L S R A S H LINUX FIREWALLS LINUX FIREWALLS Attack Detection and Response with iptables, psad, and fwsnort by Michael Rash San Francisco ® LINUX FIREWALLS. Copyright © 2007 by Michael Rash. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. 11 10 09 08 07 1 2 3 4 5 6 7 8 9 ISBN-10: 1-59327-141-7 ISBN-13: 978-1-59327-141-1 Publisher: William Pollock Production Editor: Christina Samuell Cover and Interior Design: Octopod Studios Developmental Editor: William Pollock Technical Reviewer: Pablo Neira Ayuso Copyeditors: Megan Dunchak and Bonnie Granat Compositors: Christina Samuell and Riley Hoffman Proofreaders: Karol Jurado and Riley Hoffman Indexer: Nancy Guenther For information on book distributors or translations, please contact No Starch Press, Inc. directly: No Starch Press, Inc. 555 De Haro Street, Suite 250, San Francisco, CA 94107 phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com Library of Congress Cataloging-in-Publication Data Rash, Michael. Linux firewalls : attack detection and response with iptables, psad, and fwsnort / Michael Rash. p. cm. Includes index. ISBN-13: 978-1-59327-141-1 ISBN-10: 1-59327-141-7 1. Computers Access control. 2. Firewalls (Computer security) 3. Linux. I. Title. QA76.9.A25R36 2007 005.8 dc22 2006026679 No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it. Printed on recycled paper in the United States of America To Katie and little Bella BRIEF CONTENTS Acknowledgments xv Foreword by Richard Bejtlich xvii Introduction 1 Chapter 1: Care and Feeding of iptables 9 Chapter 2: Network Layer Attacks and Defense 35 Chapter 3: Transport Layer Attacks and Defense 49 Chapter 4: Application Layer Attacks and Defense 69 Chapter 5: Introducing psad: The Port Scan Attack Detector 81 Chapter 6: psad Operations: Detecting Suspicious Traffic 99 Chapter 7: Advanced psad Topics: From Signature Matching to OS Fingerprinting 113 Chapter 8: Active Response with psad 131 Chapter 9: Translating Snort Rules into iptables Rules 149 Chapter 10: Deploying fwsnort 173 Chapter 11: Combining psad and fwsnort 193 Chapter 12: Port Knocking vs. Single Packet Authorization 213 Chapter 13: Introducing fwknop 231 Chapter 14: Visualizing iptables Logs 257 Appendix A: Attack Spoofing 279 Appendix B: A Complete fwsnort Script 285 Index 291 . A S H LINUX FIREWALLS LINUX FIREWALLS Attack Detection and Response with iptables, psad, and fwsnort by Michael Rash San Francisco ® LINUX FIREWALLS. . to maximize your deployment of Linux firewalls. If you’re responsible for keeping a network secure, you’ll find Linux Firewalls invaluable in your attempt