Cloudflare and Dome9 Blacklister Scripts (Bash/Python)
One of my servers was under attack from an IP in China recently (some lame automated SQLi), but I figured I’d blackhole the source IP anyway.
My first step was to blacklist in Dome9, which I use to manage that server’s firewall, but after noticing that the attacks were still hitting my server I remembered that because I also use Cloudflare and those attacks were getting tunnelled through their network. So the solution (for that particular attack) was to also blacklist the source IP in Cloudflare. When another stupid attack came in a day or so later, I did the same and realised that it would be much easier if I automated the whole process.
So I threw together a Bash script (and then a Python script) that leverages the Cloudflare and Dome9 APIs to submit a given IP address to one or both services.
I’ve put these into my scripts repo on GitHub. Simply insert your Cloudflare and/or Dome9 API keys into the configuration portion of the script and go. Using this you could conceivably fully automate it by auto-detecting brute-force type attacks using a script on the server and calling this script to make the blacklist updates.
Bearing in mind these were very hastily put together, any feedback/improvements are welcome!
Dome9 Package for Synology NAS
I own a Synology DS413j NAS, and without wanting to write a whole review about it, these things are awesome, the management UI is great, and you can run all kinds of packages on them. One thing I like to do with mine is run an OpenVPN server so that I can VPN into home and do cool stuff.
But I was a bit concerned about the notion of having my NAS internet-facing, even if it was only OpenVPN’s UDP port. So, powering through with my love for all things Dome9 (I swear they don’t pay me), I wrote my own little package that installs the Dome9 Agent onto a Synology NAS and allows you to control its firewall (and make dynamic access requests) through the Dome9 service. Now I can make pretty much any of my NAS’ services available to the internet, and not have to worry about random attackers discovering those services. Similar to Single Packet Authorization (although easier to set up and use), Dome9 allows you to dynamically open one or more ports to a given IP for a period of time, and so while the port is available to you, the services remain completely invisible to everyone else.
This is the first release of the Dome9 package, and while it may need more work to support other VPN protocols, it’s ready for testing. If you do use this package, I’d be keen to hear from you, as I’ve yet to find another Synology-owning Dome9 user!
To install this package, simply download the dome9.spk file (below) and use the Manual Install option in the Package Center in DSM. You will need to have a Dome9 account and enter your pairing key to allow the agent to pair with the Dome9 service.
Honeyport Python Script with Local Firewall and Dome9 Support
Following on from my linux bash honeyport script (read this first if you don’t know what a Honeyport is), I wanted to write a script that works across platforms to accept connections on a given port and block that IP using the local firewall – IPFW on Mac OS X, iptables on Linux, or Windows Firewall – or using the Dome9 service (I’m hoping to add Unix support soon).
I chose to write this one in Python as the cross-platform language of choice, and it’s compatible with Python 2.7 to 3.4. One feature of this script is that you can optionally configure it to run another Python script whenever a client connects to the honeyport. The client’s IP will be passed to the called script as an argument, allowing you to do whatever you want with it. The script’s output is then sent back to the connected client before they are blacklisted.
Check it out on GitHub, improvements and additional ideas are welcome!
Linux Bash Ncat Honeyport Script with IPTables and Dome9 Support
After securing systems by hiding them completely from the network/internet using Single Packet Authorization, I’ve recently been interested in doing more so-called ‘active’ defense, by implementing solutions to delay, confuse, or thwart attackers. Completely hiding one’s system is not always feasible (ie. in the case of an internet-facing server), and monitoring, apart from being purely reactive, is not always easy and requires the involvement of a human. An alternative to these is to do some automated active defense. One simple tool in the bag of active defense tricks is the honeyport. Read more
Fwknop in BackTrack 5 Repository
Just a quick update to say that fwknop (Single Packet Authorization tool) has made it into the BackTrack 5 repository. Although it’s not installed by default, it’s a few keystrokes away, and can be installed by typing the following into the terminal:
apt-get install fwknop-client
apt-get install fwknop-server (if you want to use the server on your BackTrack install)
Note that it’s still version 1.9.12 of the Perl implementation, as the the C++ port (v 2.0) is still in the Release Candidate stage. Those of you who have been meaning to experiment with Single Packet Authorization and have already downloaded BT5, now’s a good time to install fwknop and give it a try! When installing fwknop-server it brings up an ultra-simple config screen that allows you to set up your initial passphrase.
Read more
Talking Single Packet Authorization on Pauldotcom Security Weekly
I’ve been invited to give a technical segment on Single Packet Authorization on the Pauldotcom Security Weekly podcast ‘Thanksgiving Special’ episode on Tuesday 23rd November. I’ve been listening to PSW practically from its very beginning, and if you’re only going to listen to one weekly security podcast, it’s definitely the one I’d recommend.
I’ll be giving an introduction into Single Packet Authorization, and show you how to install fwknop to protect your system and potentially vulnerable services from attack and exploitation.
[Update] Episode 221 is out!
fwknop 2.0 (C implementation)
After many months of work, fwknop (the Perl Single Packet Authorization implementation) has been entirely rewritten in C. The purpose of the C redesign has been primarily to allow an even more widespread deployment of SPA to devices on which the Perl implementation may not be suitable. One example of this is the OpenWRT platform which turns many entry-level routers into more flexible and powerful network devices. This now allows border routers to perform SPA and firewall manipulation, instead of doing this at the host-level (although it can be done at both).
The core of the C implementation is the libfko library which can be used by other applications to perform fwknop-compatible SPA. The Perl and C implementations are compatible with each other and the Perl version will continue being maintained. At the moment fwknop is still in Release Candidate, and will initially only support iptables. Further versions will bring it in line with the Perl version which supports additional firewall software and features.
fwknop offers both a server-side daemon – which listens for valid authorization packets and performs pre-defined activities (such as opening a firewall port) – as well as an SPA client which is used to construct authorization packets and send them to the target server. The Perl version of fwknop runs on Linux/Unix, Mac OS X, Windows and anything else capable of running Perl. The fwknop-C implementation should run on any device capable of compiling the necessary libraries. I haven’t yet tested it on OSX, but expect it will probably compile. The server-side functionality on OSX will have to wait until ipfw (OSX’s firewall) support is ported over.
The fwknop 2.0 source as well as a package for OpenWRT are available for download here.
ipt_pkd – Single Packet Authorization iptables Extension
I stumbled onto the ipt_pkd project recently, although apparently it’s been around since 2007. ipt_pkd is an iptables extension that allows you to do hash-based Single Packet Authorization directly within the iptables firewall. The project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. The knock program (either a Python script or Windows exe) is used to send a UDP authorization packet.
The authorization packet consists of a SHA-256 hash of the following parameters: packet source port number, current time, some random data and a secret key. The current time and random bytes are then sent in the clear so that the server can recreate the hash. The final knock packet is 64 bytes long consisting of an 8-byte header, 4-byte id, 8-byte time, 12-byte random value, and the 32-byte SHA-256 hash.
The daemon does do some replay protection by storing valid hashes it has received and comparing newly received hashes against that list. It also does a verification of the timestamp to check for freshness.
I haven’t yet had the chance to try this one out or assess the security of the implementation, but it’s interesting to see an implementation in the form of an kernel module/iptables extension. If anyone’s tried this out I’d be interested to hear about it.