Evaluation of the CSF Firewall
Total Page:16
File Type:pdf, Size:1020Kb
Bachelor Thesis in Software Engineering, 15 credits May 2013 Evaluation of the CSF Firewall Ahmad Mudhar Contact Information: Ahmad Mudhar E-mail: [email protected] University advisor: Kari Rönkkö Nina Fogelström School of Computing Internet : www.bth.se/com Blekinge Institute of Technology Phone : +46 455 38 50 00 SE-371 79 Karlskrona Fax : +46 455 38 50 57 Sweden 1 Abstract The subject of web server security is vast, and it is becoming bigger as time passes by. Every year, researches, both private and public, are adding to the number of possible threats to the security of web servers, and coming up with possible solutions to them. A number of these solutions are considered to be expensive, complex, and incredibly time-consuming, while not able to create the perfect web to challenge any breach to the server security. In the study that follows, an attempt will be made to check whether a particular firewall can ensure a strong security measure and deal with some security breaches or severe threat to an existing web server. The research conducted has been done with the CSF Firewall, which provides a suit of scripts that ensure a portal’s security through a number of channels. The experiments conducted under the research provided extremely valuable insights about the application in hand, and the number of ways the CSF Firewall can help in safety of a portal against Secured Shell (SSH) attacks, dedicated to break the security of it, in its initial stages. It further goes to show how simple it is to actually detect the prospective attacks, and subsequently stop the Denial of Service (DoS) attacks, as well as the port scans made to the server, with the intent of breaching the security, by finding out an open port. By blocking the IP Addresses of the attackers dedicated to such an act, preventing them from creating nuisance, the CSF Firewall has been able to keep alien intrusions away from the server. It also aids in creating a secure zone for the server, to continue smoothly, while alerting the server administrators of the same, and gives them an opportunity to check those threatening IPs, and the time of attack, makes sure that the server administrators stay alert in the future, and is able to keep an eye on such attacks. In doing this, the experiment adds valuable data in the effective nature of the CSF Firewall. Keywords: CSF Firewall, Iptables, Firewall, Web server Security, SPI, Configserver Security & Firewall, SYN-flood, DoS attack, Port Scan, Exploit checks, Firewall notifications, SSH attacks 2 ACKNOWLEDGEMENT In the name of Allah, the most beneficial and merciful I begin writing this research paper. I am very thankful to Dr. Kari Rönkkö, my university supervisor, who has helped me, by giving me his support and guidance, and with his knowledge that helped in the completion of this thesis. I also want to thank the great man that I´m missing today, my grandfather, who taught me how to make sentences. I am very thankful to my father and mother for their endless support and love. Ahmad Mudhar 3 Table of Contents Page 1. Introduction 8 2. Theory 12 3. Methods 13 3.1 Literature Review 13 3.2 Experiment 14 3.3 Experiment Requirements 15 3.4 Experiment Configuration 17 3.5 Executing the Experiment 23 4. Results 24 4.1 Results of Literature Review 24 4.2 Experiment Results 25 5. Discussion 28 6. Conclusion 28 References 30 4 LIST OF FIGURES Figure Number Page 1: Operating System Share by Groups for Sites in All Locations, January 2012 10 2: Webmin dependencies installation 18 3: Webmin installation 18 4. CSF Firewall Installation 18 5: CSF Firewall Module installation 19 6: CSF Firewall – Firewall Configuration section 20 7: CSF Firewall - Connection Tracking section 21 8: Low Orbit Ion Cannon attacking the server 22 9: An Email about the DoS attack from the CSF Firewall 25 10: An Email from the CSF Firewall about the port scan attack 26 5 LIST OF TABLES Table Number Page Table 1: Evaluation tools and their usage 15 – 16 Table 2: Server specifications 17 6 List of Acronyms CPU Central processing Unit GUI Graphical User Interface HTTP Hypertext Transfer Protocol SSH Secure Shell RAM Random Access Memory IP Internet Protocol NIC Network Interface Card OS Operating System TCP Transmission Protocol HTML Hypertext Markup Language DoS Denial-of-service SYN Synchronize SYN Flood Synchronize Packet Flood SSL Secure Sockets Layer SPI Stateful Packet Inspection BTH Blekinge Institute of Technology 7 1. Introduction Every day datacenters are increasing in size [1]. More and more companies are using web servers to communicate with their customers. Businesses have begun to start online, on the Internet, to increase their profit by selling products, or providing services, not limited to or defined by a geographical location. These websites are increasingly becoming the first stop when one look for something, even when on the road, with the aid of smartphones and tablets, whose use have been increasing dramatically. Attacks are increasing continually, and every day it is heard and read in the news, about the new laws created to criminalize those who attack or hack a website. Cybercrime is becoming more popular every passing day and in recent news, CNN published an article about “Hackers access Federal Reserve website, data” [2] which described the latest events in cybercrime. There are many news articles about attacks against websites and hackers all over the Internet, the newspapers, the magazines and the TV. Some hackers have been using services from websites that allows them to archive their attacks, and such service like the one from zone- h.org, which has recorded more than 8 million digital attacks [3]. “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts”. Eugene H. Spafford Websites are very common, extremely useful, everyday shopping portals. They gather details of many of the transactions made every day. There are many threats to the web services that require people to secure them against unauthorized access, disclosure of confidential customer information, data alteration, and spying network privacy [4]. Secure Shell (SSH) is one of the services that have always been under attack. It is a service that lets administrators to remotely connect to a machine to execute commands and manage the server remotely. Thus, this machine can be fully managed by a root user login. SSH dictionary attack is one of the common attacks against Secure Shell, and once the dictionary guesses the right login information, the server is then fully compromised and server may face real problems [5]. 8 Synchronize Packet Flood (SYN Flood) attacks are another security issue that prevents legitimate users from using a service such as the Hypertext Transfer Protocol (HTTP) web server service. It is a form of denial-of-service attack. An attacker floods a service by sending many synchronize (SYN) requests and that affects the server resources heavily which in turn leads to the point when the server may become overloaded and a user is not able to connect to it [6]. The Denial-of-Service Attack (DoS) impact is a very costly one, and it becomes popular every day. It does not result in a direct hacking to the system but its impact may lead to failure in a security service or application and then the hackers may get inside the server. Some attackers are making money by attacking a website [7]. Port scan is an attack whose object is to scan a server for open ports, and it is considered to be the first stage of an attack. Attackers are interested in all possible doors of the server, and are willing to exploit any window to attack the server. Detecting such attacks may prevent the server from being hacked or compromised [8]. Some server operating systems have many services that come attached with the core system, and a number of them are superficial. To have unused service in a server may lead to the whole server get hacked, and may create many security issues in it. Therefore, eliminating unnecessary services is a good start to decrease exploitation by hackers [9]. One of the server’s base security elements is the firewall which controls each of the incoming and outgoing packets, and decides, based on the firewall, the rules whether to pass the packets or not [9]. The firewall controls all the server’s services, connectivity, et al, with the aid of the iptables policy rules. Managing the firewall rules is not an easy task and a misconfiguration may lead to block traffic, which would mean that a user would not be able to connect to the network [10]. Researching web security issues in general will take unlimited time, as there are many operating systems, tools, solutions and aspects to the matter. The operating system Linux seems to be the most used server operating system as Netcraft´s Secure Sockets Layer (SSL) survey shown in the figure 1 below [11]. 9 Figure 1: Operating System Share by Groups for Sites in All Locations, January 2012 The web server security is a challenging task that involves many aspects. It requires long term planning, using the right hardware and software, isolating services in different environments, restricting server access, creating security policies, implementing methods to control the events, disabling unnecessary server modules, disabling unused service functions, disabling directory browsing, disabling services versions, and the requirements never end because there are always new threats emerging. As the search for researches and solutions continued, it was found that managing the iptables firewall to secure web servers is not a simple task and it requires considerable expertise.