Static and dynamic packet filtering on lightly managed systems
Regis University operates servers that must be open to external access for a variety of educational purposes. These servers were managed by student and faculty, hence the experience level was generally low, and the time available for expert oversight was limited. In May of 2006 unauthorized attempts to gain access were noted and steps were taken to reduce risk of system compromise. The attempts increased in sophistication and severity with time. The pattern of access attempts seemed to follow a training curriculum from simple to more complex based on our responses to the attempts. The need to understand the threat profile resulted in the design of a HoneyNet to capture attack characteristics. When large numbers of login attempts were noted involving extremely long lists of pseudo user names and well known system account names, the following defensive measures were implemented. Password strength requirements were increased, IPTables was set up to block entire Class A network ranges, pinholes were defined to allow trusted host access, throttling was defined to slow down probes, and monitoring via swatch was implemented to block attempts from unexpected sources. The dynamic blocking process uses TCPWrappers and the hosts.deny file to immediately block the source address of the suspected activity. The addresses were then manually reviewed to determine both the location and associated network ranges. Depending on the circumstances, the host address was left in the hosts.deny file, or it was removed and the entire associated network range was permanently blocked by an IPTables filtering rule. Since the system was implemented, intrusion attempts have dropped from several thousand per day to approximately 1 per week. And after a year of operation, no legitimate access has been blocked.
Lupo, James and Likarish, Daniel, "Static and dynamic packet filtering on lightly managed systems" (2008). Regis University Faculty Publications. 923.