Michael Rash, Security Researcher

Cipherdyne Projects in the News


IPTables::ChainMgr Used in PacketFence

The IPTables::ChainMgr module is now used by the PacketFence NAC system in its latest 1.8.0 release. The module is used to build iptables rules that match on source MAC addresses, set a connection mark, and jump packets into a dedicated MARK chain.

The latest release of the IPTables::ChainMgr module is 0.9 (available as of Feb 11th), and can be downloaded from CPAN. The changes since the 0.8 release are:

  • Added Net::IPv4Addr prerequisite to Makefile.PL (patch submitted by Dominik Gehl).
  • Updated perldoc documentation to properly discuss the delete_chain() API. The material about the $jump_from_chain was missing (Darien Kindlund reported this issue).
  • Applied patch from Darien Kindlund to add the ability to specify the source MAC address via the --mac-source <addr> command line argument to iptables.
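As an added example (this is neither PacketFence's code nor anything shipped with the module), here is how the rule set described above can be built with the IPTables::ChainMgr 0.9 API: a dedicated chain in the mangle table that sets the packet mark and saves it as a connection mark, plus a PREROUTING rule that matches the client's layer-2 address with the new mac_source option and jumps into that chain. The chain name, MAC address and mark value are placeholders; the add_ip_rule() call follows the module's documented signature, and run_ipt_cmd() is used for the MARK and CONNMARK rules because add_ip_rule() has no set-mark option (check the installed version's perldoc for both calls).

```perl
#!/usr/bin/perl
#
# Added example, not PacketFence or IPTables::ChainMgr code: classify
# traffic by source MAC and give the connection a mark, using the
# IPTables::ChainMgr 0.9 API.  Must run as root with iptables installed.
use strict;
use warnings;
use IPTables::ChainMgr;

my $ipt_bin    = '/sbin/iptables';
my $mark_chain = 'EXAMPLE_MARK';       # dedicated MARK chain (assumed name)
my $mac        = '00:11:22:33:44:55';  # client to classify (placeholder)
my $mark       = 2;                    # mark meaning "registered" (placeholder)

my $ipt_obj = IPTables::ChainMgr->new(
    'iptables' => $ipt_bin,
    'iptout'   => '/tmp/iptables.out',
    'ipterr'   => '/tmp/iptables.err',
    'debug'    => 0,
    'verbose'  => 0,
) or die "[*] Could not acquire IPTables::ChainMgr object";

my ($rv, $out_ar, $errs_ar);

# 1. Dedicated MARK chain in the mangle table; create it only if missing.
($rv, $out_ar, $errs_ar) = $ipt_obj->chain_exists('mangle', $mark_chain);
unless ($rv) {
    ($rv, $out_ar, $errs_ar) = $ipt_obj->create_chain('mangle', $mark_chain);
    die "[*] create_chain($mark_chain) failed: @$errs_ar" unless $rv;
}

# 2. Rules inside the MARK chain: mark the packet, then copy the packet
#    mark to the connection mark so the rest of the flow inherits it.
#    add_ip_rule() has no --set-mark option, so these go through
#    run_ipt_cmd() as raw iptables command strings (assumed API).
for my $args (
    "-t mangle -A $mark_chain -j MARK --set-mark $mark",
    "-t mangle -A $mark_chain -j CONNMARK --save-mark",
) {
    ($rv, $out_ar, $errs_ar) = $ipt_obj->run_ipt_cmd("$ipt_bin $args");
    die "[*] '$ipt_bin $args' failed: @$errs_ar" unless $rv;
}

# 3. Entry point: in PREROUTING, any source IP whose frame carries the
#    client's MAC (the 0.9 'mac_source' key emits -m mac --mac-source)
#    jumps into the MARK chain.  Rule position 1 puts it ahead of
#    anything already in PREROUTING.
($rv, $out_ar, $errs_ar) = $ipt_obj->add_ip_rule(
    '0.0.0.0/0', '0.0.0.0/0', 1, 'mangle', 'PREROUTING', $mark_chain,
    { 'mac_source' => $mac }
);
die "[*] add_ip_rule failed: @$errs_ar" unless $rv;

print "Frames from $mac are now marked $mark via chain $mark_chain\n";
```

After running this as root, `iptables -t mangle -L EXAMPLE_MARK -n -v` shows the two marking rules and `iptables -t mangle -L PREROUTING -n` the MAC-matching jump. Two caveats a practitioner will want: the mac match only sees the layer-2 address of the directly attached segment, so it is meaningless behind a router and the rules belong on the gateway the clients connect through; and a MAC address is trivially spoofed, so the mark is a convenience for classifying registered clients on a NAC, not an authentication of them.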

Art of Information Security Interview

Erik Heidt from the Art of Information Security recently interviewed me on various topics in computer security, and this is the first part. The history of the psad project from its roots in Bastille Linux, along with psad's three main goals for enhancing Linux system security, is covered. Erik concentrates on current issues in Information Security and writes a series called "Secure Your Linux Host". Some of the latest articles in this series discuss locking down SSH. Thanks to Erik for the opportunity to respond to his interview questions.

The Security Properties of Port Knocking and SPA

There has been a recent thread on the Security Focus Security Basics mailing list entitled Port Knocking Vulnerabilities. Much of the thread concentrates on whether a service protected by a default-drop packet filter and an associated port knocking or Single Packet Authorization (SPA) system can be detected remotely by an attacker; that is, people tend to equate the security of port knocking and SPA with whether a protected service can be detected. Some in the thread argue that protected services can be detected through timing attacks, whereby packet latencies with surrounding systems are monitored for variances that indicate the existence of a particular service or services behind the packet filter. To this I responded:

   Timing attacks can come up with some really interesting information, I agree. However, I'm not aware of an application of timing attacks against default drop packet filters to answer the question "is service XYZ really running behind the filter". Sure, as an attacker, you can collect timing differences between round trip times to all sorts of devices that the target system may be communicating with, but I doubt if there is a reliable way to infer that a _particular_ service is listening as a result. After all, the steady state of such a service may be that there are no sessions at all; only the occasional administrative session to run a couple of commands and then it exits. Note that I'm not questioning whether it is possible to determine if a _system_ exists; I'm questioning whether it is possible to determine if a particular service running on a system exists. To do so, such a timing attack would have to differentiate between "tcp port 22" communicating vs. "tcp port 23", etc. I'm skeptical, and if people think it is possible, I would like to see relevant papers that make this clear.

I find it interesting that people concentrate on whether a service protected by a default-drop packet filter and a port knocking or SPA system is detectable. Let's assume for a moment that such a timing attack can give an attacker high confidence that SSH really is running behind a port knocking or SPA system. What would the attacker then be able to do to exploit a vulnerability (zero day or otherwise) in the SSH daemon? The packet filter still drops every packet to the SSH port until a valid knock sequence or SPA packet has been seen, so detection by itself gains nothing; the attacker would have to subvert the authorization mechanism. It is easier to subvert a port knocking protocol (I wrote a paper on this, if anyone is interested), but how about SPA?

Perhaps this discussion could be extended on Sebastien Jeanquier's online Single Packet Authorization forum.

Art of Information Security Blog About psad

Erik Heidt, who runs the Art of Information Security blog, has started a dedicated blog about psad. He discusses monitoring psad via a custom shell script, as well as some of the attack information that psad reports on. This information is derived from Snort rules/signatures that psad matches against iptables LOG messages. Such signature matching is possible (for signatures that do not contain content matches) because of the completeness of the iptables logging format, which includes most of the interesting fields in the network and transport layer headers but not the packet payload. Here is an example of the type of reporting that Erik has included in one of his blog posts:
   "ICMP PING" (icmp), Count: 223, Unique sources: 89, Sid: 384
   "MISC Windows popup spam attempt" (udp), Count: 154, Unique sources: 38, Sid: 100196
   "MISC Microsoft SQL Server communication attempt" (tcp), Count: 37, Unique sources: 16, Sid: 100205
   "MISC VNC communication attempt" (tcp), Count: 14, Unique sources: 6, Sid: 100202
   "PSAD-CUSTOM Nachi worm reconnaisannce" (icmp), Count: 10, Unique sources: 5, Sid: 100209
   "MISC Ghostsurf communication attempt" (tcp), Count: 6, Unique sources: 1, Sid: 100203
   "MISC HP Web JetAdmin communication attempt" (tcp), Count: 6, Unique sources: 2, Sid: 100084
   "BACKDOOR DoomJuice file upload attempt" (tcp), Count: 4, Unique sources: 1, Sid: 2375
   "MISC Radmin Default install options attempt" (tcp), Count: 2, Unique sources: 1, Sid: 100204
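Since psad is written in Perl, here is an added Perl example (not psad's own code) of the header-only matching described above: it parses constructed iptables LOG lines into their header fields, tests them against a few Snort-style signatures that need no payload content, and prints a summary in the same format as Erik's report. The signature messages and sids are those shown in the report; the ports, TCP flags and ICMP type attached to them here are this example's assumptions, not copies of psad's signatures file, and the log lines, addresses and MAC string are invented for the example.

```perl
#!/usr/bin/perl
#
# Added example, not psad code: match header-only Snort-style signatures
# against iptables LOG messages and summarize the hits per signature.
use strict;
use warnings;

# Constructed iptables LOG lines (the kernel part of syslog messages);
# addresses are documentation ranges and the MAC string is invented.
my $mac = '00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00';
my @log_lines = (
    "Feb 11 10:23:01 fw kernel: DROP IN=eth0 OUT= MAC=$mac SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=43210 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 11 10:23:04 fw kernel: DROP IN=eth0 OUT= MAC=$mac SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=51000 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Feb 11 10:23:07 fw kernel: DROP IN=eth0 OUT= MAC=$mac SRC=203.0.113.5 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4660 SEQ=1",
    "Feb 11 10:23:09 fw kernel: DROP IN=eth0 OUT= MAC=$mac SRC=198.51.100.77 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=UDP SPT=1026 DPT=1026 LEN=58",
    "Feb 11 10:23:11 fw kernel: DROP IN=eth0 OUT= MAC=$mac SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=43211 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0",
);

# Header-only signatures in the style of psad's Snort-derived rules.  The
# msg and sid values are those in the report above; dport ranges, flags
# and the ICMP type are this example's assumptions.
my @sigs = (
    { msg => 'ICMP PING', sid => 384, proto => 'ICMP', itype => 8 },
    { msg => 'MISC VNC communication attempt', sid => 100202,
      proto => 'TCP', dport => [5900, 5910], flags => 'S' },
    { msg => 'MISC Microsoft SQL Server communication attempt', sid => 100205,
      proto => 'TCP', dport => [1433, 1433], flags => 'S' },
    { msg => 'MISC Windows popup spam attempt', sid => 100196,
      proto => 'UDP', dport => [1026, 1029] },
);

# Snort flag letters to the bare tokens the iptables LOG target prints.
my %flag_name = (S => 'SYN', A => 'ACK', F => 'FIN', R => 'RST', P => 'PSH', U => 'URG');

# Turn one LOG line into a hash of KEY=VALUE fields plus a set of bare
# flag tokens (DF, SYN, ACK, ...).  The first occurrence of a key wins,
# which keeps the IP header ID when an ICMP line also carries an echo ID=,
# and the IP LEN when a UDP line also carries the UDP LEN=.
sub parse_log_line {
    my ($line) = @_;
    return undef unless $line =~ /\bIN=\S*\s.*\bPROTO=\S+/;
    my (%f, %flags);
    for my $tok (split /\s+/, $line) {
        if ($tok =~ /^([A-Z]+)=(.*)$/) {
            $f{$1} = $2 unless exists $f{$1};
        } elsif ($tok =~ /^(DF|SYN|ACK|FIN|RST|PSH|URG|ECE|CWR)$/) {
            $flags{$tok} = 1;
        }
    }
    $f{FLAGS} = \%flags;
    return \%f;
}

# A signature matches when every header test it carries is satisfied.
sub sig_matches {
    my ($sig, $f) = @_;
    return 0 unless ($f->{PROTO} || '') eq $sig->{proto};
    if ($sig->{dport}) {
        my ($lo, $hi) = @{ $sig->{dport} };
        my $dpt = $f->{DPT};
        return 0 unless defined $dpt && $dpt >= $lo && $dpt <= $hi;
    }
    if (defined $sig->{itype}) {
        return 0 unless defined $f->{TYPE} && $f->{TYPE} == $sig->{itype};
    }
    if ($sig->{flags}) {
        # Snort-style exact flag match: the TCP flags that are set must
        # equal the spec (DF is an IP flag and is ignored here).
        my %tcp  = map { $_ => 1 } values %flag_name;
        my @have = sort grep { $tcp{$_} } keys %{ $f->{FLAGS} };
        my @want = sort map { $flag_name{$_} } split //, $sig->{flags};
        return 0 unless "@have" eq "@want";
    }
    return 1;
}

# Run every line through every signature and aggregate per-sid counts
# and unique source IPs, as in the psad report quoted above.
sub summarize {
    my ($sigs, $lines) = @_;
    my %hits;
    for my $line (@$lines) {
        my $f = parse_log_line($line) or next;
        for my $sig (@$sigs) {
            next unless sig_matches($sig, $f);
            my $h = $hits{ $sig->{sid} } ||= { sig => $sig, count => 0, srcs => {} };
            $h->{count}++;
            $h->{srcs}{ $f->{SRC} } = 1;
        }
    }
    return \%hits;
}

my $hits = summarize(\@sigs, \@log_lines);
for my $sid (sort { $hits->{$b}{count} <=> $hits->{$a}{count} || $a <=> $b } keys %$hits) {
    my $h = $hits->{$sid};
    printf qq{"%s" (%s), Count: %d, Unique sources: %d, Sid: %d\n},
        $h->{sig}{msg}, lc $h->{sig}{proto}, $h->{count},
        scalar(keys %{ $h->{srcs} }), $sid;
}
```

With the five constructed lines this prints four summary lines, the VNC signature first with a count of 2 from two sources and the other three with one hit each. Two details the parser has to get right, and that psad has to get right too: bare tokens such as DF and SYN carry no "=" and are collected separately from the KEY=VALUE fields, and an ICMP line carries ID= twice (IP header identification and echo identifier), so the first occurrence is kept. Anything that needs a payload content match is out of reach of this path, which is where fwsnort comes in.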
There was also more publicity for psad and fwsnort in an article by John Bambenek entitled "iptables as a replacement for commercial enterprise firewalls", which references both projects. I completely agree that in many cases iptables can function as a complete replacement for commercial firewall products. While perhaps not appropriate for all deployments, depending on various corporate factors (such as the level of expertise of the local IT staff and the need for vendor support), I think these barriers are waning in importance considering the quality of iptables, modern Linux distributions, and user interfaces (mentioned by John in his article) such as Firewall Builder.

Slashdot review of Linux Firewalls

For the first post to the Cipherdyne blog for 2008, and for anyone who reads this blog but doesn't read Slashdot (ok, so maybe there are two of you), the Linux Firewalls: Attack Detection and Response book was reviewed on Slashdot by David Martinjak. David gave the book a rating of 9 out of a possible 10, and had some great things to say about it, such as the following:

   The chapters about iptables packet filtering are crucial for any reader new to networking or firewall administration. Experienced users might pick up a tip or two, as well. Linux Firewalls contained a wealth of knowledge about packet structure in addition to a solid explanation of iptables usage. I was rather impressed by the variety of information presented in the early chapters. The book of course detailed the syntax and logistics of iptables, but also provided detailed examples of attacks at the network, transport, and application layers.

There were no real disappointments with this book. The reading did get a bit tedious at times with regard to configuration specifics, but it was only due to the depth of helpful explanation. Had I been working with the applications while reading (instead of just reading), the content would have been much more relevant. In the end, however, the variety resulted in a rather impressive and enjoyable book. The coverage of psad, fwsnort, and fwknop was a welcome addition. Each of the central topics was thoroughly explained in an informative, yet engaging manner. Essentially, I did not want to stop reading.

There was also a favorable review of the book in Free Software Magazine.

EnGarde Secure Linux Bundles fwknop and psad

The EnGarde Linux distribution, which focuses on security, has announced that it now bundles both fwknop and psad in its latest release (3.0.18). Here is a quote from the press release:

   Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.18 (Version 3.0, Release 18). This release includes many updated packages and bug fixes, some feature enhancements to Guardian Digital WebTool and the SELinux policy, and a few new features.

In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database, e-mail security and even e-commerce.

Coupled with the EnGarde announcement, an article has been published on configuring fwknop on EnGarde systems to add a strong default-drop stance for SSHD:

   This article will walk the reader through an EnGarde Secure Linux implementation of fwknop, from the initial iptables rules setup to the deployment of fwknop on both the server and client side. By the end of the article, the user will be able to explicitly shut down all access to the EnGarde Secure Linux SSH daemon to only those with fwknop credentials.

Single Packet Authorization and Port Knocking Forum

Sebastien Jeanquier has started a dedicated online forum for the discussion of port knocking and Single Packet Authorization. I think this is a great idea, and it will help to increase awareness of SPA and related technologies. Here is Sebastien's first post, which introduces the forum:

   There have been numerous debates around the subjects of Port Knocking and Single Packet Authorization (SPA). Does it increase security? Does it not? What are the drawbacks? Although I would definitely group Port Knocking and SPA under the "Port Knocking" banner, the two methods are actually quite different, and many people sometimes confuse them.

Despite all the discussion, there has not been any dedicated forum for those with interests in these great subjects... until now. This forum is open to any and all discussions about PK and SPA ideas, developments, and uses; and you will undoubtedly get plenty of clarifications or help with regards to how PK/SPA work and how to use them in your security implementations.

One topic that I would like to see discussed is what the ideal features, design, and implementation would be in an SPA system. There are many considerations here, everything from what the right way is to interact with the packet filter to which language to use.

Ubuntu Howto on Single Packet Authorization

Gilbert Mendoza has written an excellent howto guide for making use of Single Packet Authorization with fwknop on the Ubuntu Linux distribution. While fwknop is not yet released as a Debian package (although this should be coming soon), Gilbert's guide provides instructions for bootstrapping fwknop into a functional state on Ubuntu. He covers the installation of fwknop, configuring fwknopd to authenticate SPA clients with GnuPG (including construction of a dedicated set of GnuPG keys for this purpose), and setting up a default-drop iptables policy. Here is a portion of the introduction:

   Single Packet Authorization (SPA) using "fwknop" is probably one of the coolest recent innovations in server and network access control technology. Just what is SPA, you ask? SPA is a method of limiting access to server and network resources by cryptographically authenticating users before any type of TCP/IP stack access is allowed.

In its simplest form, your Linux server can have an inbound firewall rule that by default drops all access to any of its listening services. Nmap scans will completely fail to detect any open ports, and zero-day attacks will not have any effect on vulnerable services since the firewall is blocking access to the applications.

Gilbert made a posting to his blog a few months ago about SPA as well.

Online Interview

Mirko Zorz interviewed me about various topics in computer security (with an emphasis on Linux security). The interview grew out of the publication of the Linux Firewalls book, and Mirko wrote the (excellent) interview questions. Writing answers to these questions was a thought-provoking process, and I'm grateful for the opportunity. The interview opens with a question about how I became interested in computer security, and I'd like to add the following note (which I didn't put in the interview):

One of the best books I have ever read in the field of computer security is Firewalls and Internet Security: Repelling the Wily Hacker by Cheswick and Bellovin. It was 1997, and I was getting my feet wet working with Check Point firewalls and a few Cisco NetRanger systems for network IDS; with the fascinating examples the book provided, I was hooked. I have not yet read the second edition, but the first edition was outstanding. It strikes a nice balance between theory and practical examples (concepts in cryptography on the one hand, tracking the movements of a malicious individual with custom modifications to an SMTP daemon on the other). Anyone looking for an authoritative introduction to computer security should read it.

On an unrelated note, there have been a couple of additional reviews of the Linux Firewalls book, one of them by A.P. Lawrence; the latter even includes a video review.

Book Review of Linux Firewalls: Attack Detection and Response

Mirko Zorz has written a positive review of my book Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort. Here are a couple of excerpts from his review:

   Rash illustrates why you should run fwsnort, a tool that translates Snort rules into equivalent iptables rules and guides you through a deployment with a myriad of other details. The practical aspect of the book continues and you see how fwsnort operates with specific real-world attacks. After all this material, the chapter that ties together a significant part of the book shows you how to combine fwsnort together with psad.

A firewall can generate a vast amount of data and visualizing iptables logs is a necessity for many. The author explains how to use Gnuplot and AfterGlow with psad in order to get a graphical depiction of iptables log data. You learn how to interpret data based on several examples.

If you want to master Linux firewalls get this title, it is outstanding.

Thanks for the kind words, Mirko. O'Reilly also issued a press release about the book, and soon afterwards the hit counts in Google went from about 600 to over 49,000 in the span of a week (I run a set of queries against Google every day and watch for trends in the results).