Dynamic firewalls

On my way home today I thought about all the intrusion attacks and pondered the possibilities to update the firewall automatically.

I get logs mailed from my various systems on a daily basis. Several times a week they are filled with failed attempts to pick up mail from adam, annie, alonzo, bert, bill, caesar, daniel, david… as well as requests for /phpadmin/index.php /phpdbadmin/index.php, /phpsqladmin/index.php and so on.

The idea I dreamed up was fairly simple; either hook into an existing intrusion detection system (IDS) like snort or write some other simple rules, maybe by analyzing log files from apache; “if an IP requested 10 non-existent pages in 5 seconds, drop all packets from that source”.

I didn’t get very far in my thinking before I realized someone else may have already done this. My first search yielded quite a few hits, including some stating it’s a bad idea to auto-block IP addresses based on IDS rules, mainly because of the many false positives.
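To make the “10 non-existent pages in 5 seconds” rule concrete, and to show where the false-positive concern bites, here is an added example (mine, not code from the post or from any of the projects mentioned). It parses Apache combined-format log lines, keeps a sliding window of 404 responses per source address, flags any address that crosses the threshold inside the window, skips an allowlist of addresses you never want to cut off (your own monitoring host, your office), and emits iptables DROP commands instead of running them. The log lines are constructed for the example; the addresses are from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache "combined" log format, e.g.
# 203.0.113.5 - - [10/Oct/2009:13:55:36 +0200] "GET /phpadmin/index.php HTTP/1.1" 404 512 "-" "curl/7.19"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, timestamp, status, request) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status")), m.group("req")

def find_offenders(lines, threshold=10, window=5.0, allowlist=()):
    """Map offending IP -> time it crossed `threshold` 404s within `window` seconds.

    Assumes each source's lines arrive in chronological order, as a log file does.
    Addresses inside any allowlisted network are never counted (false-positive guard).
    """
    nets = [ip_network(n) for n in allowlist]
    hits = defaultdict(deque)   # ip -> timestamps of recent 404s
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status, _req = parsed
        if status != 404:
            continue
        if any(ip_address(ip) in n for n in nets):
            continue
        q = hits[ip]
        q.append(ts)
        # drop hits that fell out of the sliding window
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

def block_commands(offenders, chain="INPUT"):
    """Render one iptables command per offender; print these, do not exec them blindly."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(offenders)]

def sample_log():
    """Constructed sample lines (not a real log): a scanner probing phpMyAdmin-style paths."""
    fmt = '{ip} - - [10/Oct/2009:13:55:{sec:02d} +0200] "GET {path} HTTP/1.1" {status} 512 "-" "curl/7.19"'
    paths = ["/phpadmin/index.php", "/phpdbadmin/index.php", "/phpsqladmin/index.php"]
    lines = []
    # 203.0.113.5: 12 probes in 4 seconds -> crosses the threshold
    for i in range(12):
        lines.append(fmt.format(ip="203.0.113.5", sec=10 + i // 3, path=paths[i % 3], status=404))
    # 198.51.100.7: 4 probes spread over 15 seconds -> stays under the threshold
    for i in range(4):
        lines.append(fmt.format(ip="198.51.100.7", sec=10 + 5 * i, path=paths[i % 3], status=404))
    # 192.0.2.9: same burst as the scanner, but it is our own monitoring host (allowlisted)
    for i in range(12):
        lines.append(fmt.format(ip="192.0.2.9", sec=10 + i // 3, path=paths[i % 3], status=404))
    # a successful request never counts
    lines.append(fmt.format(ip="198.51.100.7", sec=40, path="/index.html", status=200))
    return lines

if __name__ == "__main__":
    found = find_offenders(sample_log(), allowlist=["192.0.2.0/24"])
    for cmd in block_commands(found):
        print(cmd)
```

Run it and the only command printed is the DROP for 203.0.113.5; 198.51.100.7 never accumulates ten 404s inside five seconds, and 192.0.2.9 is skipped by the allowlist even though its traffic looks identical to the scanner's. That allowlist, plus printing the rules for a human (or a separate expiry job) rather than inserting them straight into the live firewall, is the cheap insurance against the false positives the search results warn about.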

However, one guy was right along my thinking with a Dynamic Firewall Daemon. The specs matched much of what I would eventually have set up myself (he said humbly). Other applications in the same area include fwsnort.

On the other hand, this article from linuxsecurity.com states “intrusion prevention is still at its early stage and there is no out-of-the-box product that will perfectly fit your requirements.” – though that was written ages ago (2006 I would guess based on the date of the first comment).

An insightful article from IBM gives some handy scripts, but not quite automation.

I readily admit to not being an expert in packet filtering, but I do run firewalls, IDS and open only the ports required. What worries me a bit is that the majority of people out there are unaware of even the most basic facts about how to protect themselves from attacks. And even the Pentagon has a problem securing its perimeter…

Before I completely take off on something else, I recommend the OnPoint Radio show on Cyber warfare. Much more high level than mere firewall scripts, but very eye-opening.

Anyway, if you have any experience on dynamic firewalls, open source or commercial, please feel free to share!

–Jesper Högström
