cipherdyne.org

22 August, 2008

The 2.1.4 release of psad is available for download. This release moves all dependencies into a new deps/ directory - including all perl modules, Snort rules files, and the whois client (from Marco d'Itri). This makes for a cleaner integration of psad with the Debian Linux distribution, thanks to Franck Joncourt. There are also a couple of minor bugfixes and feature enhancements according to the ChangeLog entries below. Finally, all cipherdyne.org projects are now signed with a new GnuPG key available here.

• Restructured perl module paths to make it easy to introduce a "nodeps" distribution of psad that does not contain any perl modules. This allows better integration with systems that already have all necessary modules installed (including the IPTables::ChainMgr and IPTables::Parse modules). The main driver for this work is to make all cipherdyne.org projects easily integrated with distributions based on Debian, and Franck Joncourt has been instrumental in making this process a reality. All perl modules are now placed within the "deps" directory, and the install.pl script checks to see if this directory exists - a separate psad-nodeps-<ver> tarball will be distributed without this directory. The Debian package for psad can then reference the -nodeps tarball, and a new "psad-nodeps.spec" file has been added to build an RPM from the psad sources that does not install any perl modules.
• Updated to use the normal system whois client if the /usr/bin/whois_psad path does not exist, and moved the whois/ directory into the deps/ directory. This removes /usr/bin/whois_psad as a strict dependency.
• Bugfix to honor the IPT_SYSLOG_FILE variable in --Analyze-msgs mode.
• Switched from the deprecated bleeding-all.rules file to the new emerging-all.rules available from Matt Jonkman at Emerging Threats (http://www.emergingthreats.net).

20 January, 2008

Erik Heidt who runs the Art of Information Security Blog has started a dedicated blog about psad. He discusses monitoring of psad via a custom shell script, as well as some of the attack information that psad reports on. This information is derived from Snort rules/signatures that are matched by psad within iptables LOG messages. Such signature matching is possible (for signatures that do not contain content matches) because of the completeness of the iptables logging format, which includes most of the interesting fields in the network and transport layer headers. Here is an example of the type of reporting that Erik has included in one of his blog posts:
"ICMP PING" (icmp), Count: 223, Unique sources: 89, Sid: 384
"MISC Windows popup spam attempt" (udp), Count: 154, Unique sources: 38, Sid: 100196
"MISC Microsoft SQL Server communication attempt" (tcp), Count: 37, Unique sources: 16, Sid: 100205
"MISC VNC communication attempt" (tcp), Count: 14, Unique sources: 6, Sid: 100202
"PSAD-CUSTOM Nachi worm reconnaisannce" (icmp), Count: 10, Unique sources: 5, Sid: 100209
"MISC Ghostsurf communication attempt" (tcp), Count: 6, Unique sources: 1, Sid: 100203
"MISC HP Web JetAdmin communication attempt" (tcp), Count: 6, Unique sources: 2, Sid: 100084
"BACKDOOR DoomJuice file upload attempt" (tcp), Count: 4, Unique sources: 1, Sid: 2375
"MISC Radmin Default install options attempt" (tcp), Count: 2, Unique sources: 1, Sid: 100204 There was also more publicity for psad and fwsnort at linux.com where John Bambenek referenced both projects in an article entitled "iptables as a replacement for commercial enterprise firewalls". I completely agree that in many cases iptables can function as a complete replacement for commercial firewall products. While not appropriate perhaps for all deployments depending on various corporate factors (such as the level of expertise of the local IT staff and the need for support), I think these barriers are waning in importance considering the quality of iptables, modern Linux distributions, and user interfaces (mentioned by John in his article) such as Firewall Builder.

04 January, 2008

Drew Bentley, a long time user of psad, emailed me to mention that he had voted for psad to be included within the 2007 LinuxQuestions.org Members Choice Awards in the category of Network Security Application of the Year. Although there are many security projects out there that outstrip the Cipherdyne projects, my personal hope would be that eventually fwknop might be included in the Members Choice Awards someday. The rise of service authorization via passive means embodied by Single Packet Authorization allows the security model employed by VPN services and software such as SSH to be strengthened with a default-drop packet filter. This reduces the number of functions - any one of which has a non-zero probability of containing a security vulnerability - that an attacker can tweak from arbitrary source IP addresses.
     I personally sleep better at night knowing that my SSH daemon can only be reached after a would-be client is passively authenticated and authorized to communicate through the iptables policy by sending a properly encrypted and non-replayed SPA packet. Anyone scanning for my SSH daemon with nmap cannot even see that it is listening.

20 December, 2007

The EnGarde Linux distribution, which focuses on security, has announced that they now bundle both fwknop and psad within their latest release (3.0.18). Here is a quote from their press release:

   Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.18 (Version 3.0, Release 18). This release includes many updated packages and bug fixes, some feature enhancements to Guardian Digital WebTool and the SELinux policy, and a few new features.

In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database, e-mail security and even e-commerce.

Coupled with the EnGarde annoucement, linuxsecurity.com has published an article about how to configure fwknop on EnGarde systems to add a strong default-drop stance for SSHD:

   This article will walk the reader through an EnGarde Secure Linux implementation of fwknop, from the initial iptables rules setup to the deployment of fwknop on both the server and client side. By the end of the article, the user will be able to explicitly shutdown all access to the EnGarde Secure Linux SSH daemon to only those with fwknop credentials.