Antidos beta - 0.6 [antidos@r-fx.org]
Copyright (C) 1999-2004, R-fx Networks
Copyright (C) 2004, Ryan MacDonald

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

IMPORTANT NOTE:
The APF project undergoes many revisions per release and as such the
documentation may not be current with respect to features. The
documentation is often revised with every major version release.
Review the CHANGELOG file for information on the changes in each
revision; likewise, the configuration files contain comments on all
new and current features.

Contents:
1 ............. Introduction
2 ............. Configuration
3 ............. Usage
4 ............. License
5 ............. Support

1) Introduction:
Antidos is a log parsing script made for r-fx.org's APF (Advanced Policy
Firewall). Its purpose is to parse specific log formats for network
attacks against a given system, then take certain actions. It is designed
to be modular so it can be removed from APF and used in other
environments. The two supported log formats are standard iptables log
entries (as seen in a system's kernel log) and the snort portscan.log
format.

2) Configuration:
The configuration file for antidos is well commented and easy to
configure and navigate. The antidos main configuration file is located
at:
/etc/apf/ad/conf.antidos
You will need to go through it and configure the options you feel meet
your environment's needs.
Below is a definition breakdown of each feature in the conf.apf file
(except misc. options), listed in the format of Option (config option
and default value) followed by Definition.

Option: APF_BASE="/etc/apf"
Definition: The base install path of APF; should not need to be changed
on default installations.

Option: APF_CNF="$APF_BASE/conf.apf"
Definition: The absolute location of the APF config file; should not need
to be changed on default installations.

Option: INSPATH="$APF_BASE/ad"
Definition: The base install path of antidos; should not need to be
changed on default installations.

Option: ANTILOG="/var/log/apfados_log"
Definition: The absolute file path that antidos should log events to.
Its creation and permissions are set by antidos; however, logrotate.d or
the like can be used to handle rotation of this file.

Option: LP_KLOG="0"
Definition: Enable parsing of the kernel log file for attack events. If
neither this nor another LP_* (log parsing) option is enabled, antidos
will not operate. [0 = Disabled / 1 = Enabled]

Option: LP_SNORT="0"
Definition: Enable parsing of the snort portscan.log file for attack
events. If neither this nor another LP_* (log parsing) option is enabled,
antidos will not operate. [0 = Disabled / 1 = Enabled]

Option: DET_SF="0"
Definition: Detect SYN_RECV connections from the netstat output; this is
primarily intended to stop syn-flood attacks against web servers.
[0 = Disabled / 1 = Enabled]

Option: KLOG="/var/log/messages"
Definition: The path to the system's kernel log file; iptables logs by
default to the system's kernel log.

Option: SLOG="/var/log/snort/portscan.log"
Definition: The path to your snort installation's portscan.log file.

Option: LN="100"
Definition: The number of lines that should be checked at the end of a
given log file. The higher this value, the slower antidos will run;
100-300 is often a safe bet.
Option: TRIG="12"
Definition: This is the trigger value: if a remote IP is found in the
given log file more than this number of times, an attack is assumed to
be in progress. Setting this too low may result in a high false positive
ratio, but too high a value may miss attacks altogether. A value of
10-20% of the LN option is a good bet.

Option: SF_TRIG="25"
Definition: This is the trigger value for syn-flood bans. If a remote IP
is found more than this number of times with a SYN_RECV connection, an
attack is assumed to be in progress. This value is naturally lower than
the standard TRIG, and the LN option does not apply to this trigger. A
value of 25 is often ideal for this option but should be increased or
decreased based on load.

Option: ROUTE_REJ="0"
Definition: This option controls whether attacking hosts should be
rejected from the system's route table. This is not a recommended
feature but is nonetheless a common method. [0 = Disabled / 1 = Enabled]

Option: DROP_IF="0"
Definition: This option controls whether the DESTINATION IP of an attack
should be dropped on your system, in other words unbinding the victim IP
from your system; this is wise on networks with zero tolerance for
attacks. The main adapter IP address is obviously exempted from this
feature. [0 = Disabled / 1 = Enabled]

Option: NCRIT_PORTS="$INSPATH/noncrit.ports"
Definition: Non-critical ports file; ports (destination port) defined in
this file will not trigger the DROP_IF function (if set to 1). Remote
hosts will still be banned as applicable to other options (ROUTE_REJ
etc.). Effective for ignoring commonly scanned ports that pose no threat
(e.g. netbios). This file has a line-separated format.

Option: IPT_BL="1"
Definition: This option controls the standard iptables block of an attack
and should be enabled. [0 = Disabled / 1 = Enabled]

Option: FWRST="$APF_BASE/apf -r"
Definition: The command used to restart/reload firewall rules after an
attack ban is generated.
Option: BLOCKR="$INSPATH/ad.rules"
Definition: The location to write out iptables-based blocks of an attack.
This file should be included at load time of your given iptables firewall
(already the case with APF).

Option: ARTOPIC="Urgent: Administrative issue enclosed, please read."
Definition: The subject string for e-mail alerts sent by antidos.

Option: MAX_MNUM="12"
Definition: This value is used to prevent e-mail flooding from antidos.
No more than this number of e-mail alerts will be sent out per day.
Logging events will still be made.

Option: CONAME="Your Company"
Definition: The name of your company/organization as it will be displayed
in arin abuse notices.

Option: USR_ALERT="0"
Definition: This value controls the sending of e-mail alerts to a defined
user. This and/or another *_ALERT setting should be enabled for some form
of notification of attacks. The e-mail contents of this alert can be
configured from the usr.msg file inside your antidos path.
[0 = Disabled / 1 = Enabled]

Option: USR="you@yourco.com"
Definition: The user e-mail address that antidos sends attack alerts to.

Option: ARIN_ALERT="0"
Definition: This value controls the sending of e-mail alerts to the
listed arin contact info for an attacking IP (if present). This and/or
another *_ALERT setting should be enabled for some form of notification
of attacks. The e-mail contents of this alert can be configured from the
arin.msg file inside your antidos path. [0 = Disabled / 1 = Enabled]

Option: IPW_SRV="whois.arin.net"
Definition: This value controls the server used to query an IP for a
contact e-mail address. If needed, this should be changed to a preferred
ip-whois server.

Option: RETUSR="$USR"
Definition: This value controls the return e-mail address as listed in
the arin e-mail alert sent to remote network admins. By default this
value is taken from the USR option above.

3) Usage:
Antidos is intended to operate via cron.
This is a critical setup point: if it is not done, antidos will simply
not operate. The following line can be placed into /etc/crontab or a
similar file:

*/2 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1

This will run antidos every two minutes. I don't recommend running it
once a minute as it may cause a bottleneck for itself and the CPU.
Likewise, running it less often than once every 5 minutes is not
recommended either, for obvious reasons.

4) License:
APF is developed and supported on a volunteer basis by Ryan MacDonald
[ryan@r-fx.org]. APF (Advanced Policy Firewall) is distributed under the
GNU General Public License (GPL) without restrictions on usage or
redistribution. The APF copyright statement and GNU GPL, "COPYING.GPL",
are included in the top-level directory of the distribution. Credit must
be given for derivative works as required under the GNU GPL.

5) Support:
All inquiries relating to APF should be directed to apf@r-fx.org and/or
check the APF homepage at:
http://www.r-fx.org/apf.php