Thanks to osor at linuxquestions.org I finally got the tarpit module to work. I know it seems really noobish taking so long to get a simple iptables module to compile and work, but it's truly been a challenge, mainly because of incompatible code and lack of maintenance on the tarpit developer's part.
Now that I have it compiled and can use it, I just have to figure out HOW to integrate it into my current firewall scripts. It seems to work the same as other modules, but when I tried to get csf to tarpit instead of drop I got an error immediately. Patch-o-matic also says that you need to have conntrack unloaded in order to use tarpit, or you will use resources per connection.
Here is the description in patch-o-matic for TARPIT:
Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources. Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds. Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.
This offers similar functionality to LaBrea but doesn't require dedicated hardware
or IPs. Any TCP port that you would normally DROP or REJECT can instead
become a tarpit.
To tarpit connections to TCP port 80 destined for the current machine:
iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
To significantly slow down Code Red/Nimda-style scans of unused address
space, forward unused ip addresses to a Linux box not acting as a router
(e.g. “ip route 10.0.0.0 255.0.0.0 ip.of.linux.box” on a Cisco), enable IP
forwarding on the Linux box, and add:
iptables -A FORWARD -p tcp -j TARPIT
iptables -A FORWARD -j DROP
You probably don’t want the conntrack module loaded while you are using
TARPIT, or you will be using resources per connection.
And here is how to get tarpit. It will not work with newer kernels, at least not for me, but I did get it to work with the 2.6.19.2 grsecurity kernel, which is still a pretty solid kernel and will continue to be for some time.
Here is a walkthrough:
cd /usr/src
Grab the kernel source. Feel free to get and patch your own, but this source will save you some time; don't worry, it's clean.
wget http://nix101.com/linux-2.6.19.2-grsec.tar.gz
Get patch-o-matic snapshot
wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070929.tar.bz2
Get iptables source
wget http://ftp.netfilter.org/pub/iptables/iptables-1.3.8.tar.bz2
Untar everything
tar zxvf linux-2.6.19.2-grsec.tar.gz
tar xvjf patch-o-matic-ng-20070929.tar.bz2
tar xvjf iptables-1.3.8.tar.bz2
Make your links
ln -s linux-2.6.19.2-grsec linux
ln -s iptables-1.3.8 iptables
Get ready to patch
cd patch-o-matic-ng-20070929
Get new tarpit patchlet
wget http://enterprise.bidmc.harvard.edu/pub/tarpit-updates/tarpit-2.6.19.tar.gz
tar zxvf tarpit-2.6.19.tar.gz
rm -rf patchlets/TARPIT/linux-2.6/*
mv tarpit-2.6.*/* patchlets/TARPIT/linux-2.6/
Start patching
./runme extra
It will show you a few options for different modules; I don't know anything about those, so that's up to you. When you get to TARPIT make sure you select Y.
Now all of our source is patched and it's time to start compiling. First let's hit iptables:
cd /usr/src/iptables
make KERNEL_DIR=/usr/src/linux
make install
Now let's get to the kernel. The first thing we are going to do is fix a few options:
cd /usr/src/linux
make menuconfig
Do your normal configuration, then go to Networking > Networking Options.
Make extra sure that Network packet debugging is unchecked. I know it is enabled in my source; you need to disable it or tarpit will not compile.
Then go to Netfilter > IP Netfilter config and check tarpit, all the way at the bottom. Save and exit when you are done with everything.
make bzImage ; make modules
Make sure everything compiled right, and then:
make modules_install ; make install
And as always, let's not forget grub, and be prepared in case of a panic:
grub
savedefault --default=0 --once
quit
Reboot and try it out with this Turkish IP:
iptables -A INPUT -s 85.104.56.36 -p tcp -j TARPIT
If you don't get any errors then everything is OK. It would also help to get a friend to help you test, by banning his IP and asking him whether he can connect and what happens when he tries to.
And there ya go. Now I'm looking into making a firewall script based on tarpit and integrating it into my anti-DoS scripts as well. I think once I do this the DDoS protection will be even better than it already is.
Thanks to those who read my tutorial, I hope it helped you, and happy experimenting!
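As a starting point for the kind of firewall script mentioned above, here is an added example (my own code, not the author's and not part of patch-o-matic or csf). It probes whether the running iptables actually knows the TARPIT target by adding a rule to a throwaway chain, falls back to DROP when it does not (which is the error you would otherwise hit in a script on a kernel without the module), warns when ip_conntrack/nf_conntrack is loaded as the help text advises, and emits one rule per address in a blocklist in the same shape as the test rule above. The function names, the chain name __tarpit_probe and the sample blocklist are constructed for the example; the probe needs root and iptables on the box, and on a machine without them it simply selects DROP.

```sh
#!/bin/sh
# Added example (not from the original post): emit TARPIT rules for a list
# of source addresses, falling back to DROP when the TARPIT target is absent.
# Function names, the __tarpit_probe chain and the sample list are this
# example's own; the rule shape matches the post's test rule.

IPT=${IPT:-iptables}

# valid_ipv4 ADDR: POSIX sh dotted-quad check (four numeric fields, each 0-255).
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# tarpit_available: probe in a throwaway chain so no live rule is touched.
# Returns 0 only if a -j TARPIT rule loads. Needs root and the module built;
# without iptables at all it returns 1, which selects the fallback target.
tarpit_available() {
    "$IPT" -N __tarpit_probe 2>/dev/null || return 1
    rc=1
    if "$IPT" -A __tarpit_probe -p tcp -j TARPIT 2>/dev/null; then
        rc=0
    fi
    "$IPT" -F __tarpit_probe 2>/dev/null
    "$IPT" -X __tarpit_probe 2>/dev/null
    return $rc
}

# conntrack_loaded: the help text says TARPIT should run without conntrack,
# otherwise every held connection still costs a conntrack entry.
conntrack_loaded() {
    grep -qE '^(ip|nf)_conntrack ' /proc/modules 2>/dev/null
}

# pick_target: TARPIT when usable, otherwise plain DROP.
pick_target() {
    if tarpit_available; then echo TARPIT; else echo DROP; fi
}

# tarpit_rule ADDR TARGET: print one INPUT rule, refusing malformed addresses.
tarpit_rule() {
    valid_ipv4 "$1" || return 1
    printf '%s -A INPUT -s %s -p tcp -j %s\n' "$IPT" "$1" "$2"
}

# build_rules TARGET < list: one rule per input line, skipping comments,
# blank lines and bad addresses (reported on stderr, not silently dropped).
build_rules() {
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        tarpit_rule "$line" "$1" || echo "skipping bad address: $line" >&2
    done
}

# Constructed sample blocklist; replace with your own file. The first entry
# is the address from the post's test rule, the last two are deliberately bad.
SAMPLE_LIST='# hosts to tarpit
85.104.56.36
192.0.2.10
not-an-ip
10.0.0.256'

main() {
    target=$(pick_target)
    if [ "$target" = TARPIT ] && conntrack_loaded; then
        echo "warning: conntrack is loaded; TARPIT will use resources per connection" >&2
    fi
    # Print the rules by default; run with APPLY=1 to load them.
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$SAMPLE_LIST" | build_rules "$target" | sh
    else
        printf '%s\n' "$SAMPLE_LIST" | build_rules "$target"
    fi
}

main "$@"
```

Run it as root once the new kernel is booted: it prints the two valid rules with `-j TARPIT`, or `-j DROP` on a kernel where the probe fails, so the same script is safe to keep in place on boxes with and without the module.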