Create dynamic Security Intelligence Custom Feed in Firepower

Any service that is exposed to the internet is susceptible to attacks from malicious parties. If your service requires authentication, illegitimate users and bots will attempt to break into your system by repeatedly trying to authenticate using different credentials.

A common example of this is SSH. While connecting to your server through SSH can be very secure, exposing the SSH service to the internet comes with some inherent risk and creates an attack vector for offenders.

If you pay attention to application logs, you will often see repeated, systematic login attempts that represent brute force attacks by users and bots alike.

There are a number of tools available to dynamically block or log connection/authentication attempts. For Linux systems there are two that work well: Denyhosts and Fail2Ban.

We can leverage the ability of these tools to parse log files and generate a list of blocked IP addresses. This list can be used as a Blacklist in Firepower Management Center using Security Intelligence Feeds.

Security Intelligence is an early phase of access control, before the system performs more resource intensive evaluation. Using blacklisting improves performance by quickly excluding traffic that does not require inspection.

Next, we’ll see how we can create our own Security Intelligence feed to block hosts that try to connect to the SSH server and fail authentication multiple times.

For the demonstration I will use a host with Ubuntu 18.04; this will be both the victim and the feed source for the Firepower system. To help you decide which option is the right choice for your environment, I first install Denyhosts and then Fail2Ban on a freshly installed Ubuntu.

Denyhosts

Denyhosts is a Python-based utility that analyses SSH log messages and prevents brute force attacks by blacklisting the IP addresses responsible for multiple failed login attempts.

Run the following command to install Denyhosts on Ubuntu host:

sudo apt update
sudo apt install denyhosts

The main configuration file is located at /etc/denyhosts.conf. Use the text editor of your choice and adjust it as follows (only the pertinent entries are shown):

SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
#IPTABLES = /sbin/iptables
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

Now it’s time to create a simple script that parses the blocked IP addresses from hosts.deny and outputs them to a file that will be the feed for Firepower. The following script saves the data to dhostsblock.txt in the document root of the Apache HTTP server.

#!/bin/bash
# Denyhosts writes one "sshd: a.b.c.d" line per banned client to hosts.deny.
# Skip comment lines, keep the second field (the address) and publish the list.
grep -v '^#' /etc/hosts.deny | awk '{print $2}' > /var/www/html/dhostsblock.txt

Paste the script content into a new file named dhosts.sh and save it in /home/user. Make the script executable with chmod +x dhosts.sh and then add the following line at the end of the /etc/crontab file to run the script every five minutes:

*/5 * * * * root /home/user/dhosts.sh

Enable the denyhosts service at boot and restart it.

sudo systemctl enable denyhosts
sudo systemctl restart denyhosts

Make sure your web server root is pointing to /var/www/html (you can change dhosts.sh to save the file in other place). It’s a good idea to host the file on a HTTP server reachable internally only, rather than one accessible to the outside world.

Generate some SSH traffic, with failed logins, to make sure you are capturing the addresses and check /var/log/denyhosts and /var/www/html/dhostsblock.txt.

Be careful: Denyhosts will by default ban your own IP address in the hosts.deny file.

Fail2Ban

Fail2Ban is similar to Denyhosts, but where Denyhosts focuses on SSH, Fail2Ban can be configured to monitor any service that writes login attempts to a log file. It is also not limited to /etc/hosts.deny for blocking IP addresses/hosts: Fail2Ban can use Netfilter/iptables as well as TCP Wrappers.

The standard configuration ships with filters for Apache, Lighttpd, sshd, vsftpd, qmail, Postfix and Courier Mail Server. Filters are defined by Python regexes, which may be conveniently customized by an administrator familiar with regular expressions. A combination of a filter and an action is known as a “jail” and is what causes a malicious host to be blocked from accessing specified network services.

For installation, clone the source from GitHub to a directory of your choice and install from there. (Version 0.10.2-2, available in the Ubuntu distribution repository, seems to have an issue with action.d/hostsdeny.conf.)

user@ubnt-01:~$ git clone https://github.com/fail2ban/fail2ban.git
user@ubnt-01:~$ cd fail2ban/
user@ubnt-01:~/fail2ban$ sudo python setup.py install
user@ubnt-01:~/fail2ban$ sudo cp files/debian-initd /etc/init.d/fail2ban
user@ubnt-01:~/fail2ban$ sudo update-rc.d fail2ban defaults
user@ubnt-01:~/fail2ban$ sudo systemctl enable fail2ban
user@ubnt-01:~/fail2ban$ sudo systemctl start fail2ban

Fail2Ban is built on a client/server architecture. The server daemon monitors the log file(s) and executes actions when a host is to be banned. The server is configured by the client, which handles reading the configuration files.

You can check the status of Fail2Ban Server using fail2ban-client.

user@user-PC:~/fail2ban$ sudo fail2ban-client status
Status
|- Number of jail:      0
`- Jail list:

Fail2Ban reads the .conf configuration files first, then the .local files override any settings. Because of this, all changes to the configuration are generally made in .local files, leaving the .conf files untouched.

Make a copy of jail.conf named jail.local.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Adjust your jail.local to match the following settings.

# Permanent ban
bantime = -1
# Number of tries before ban address
maxretry = 5
#
[sshd]
enabled = true
mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action = fwblock

Create the action script, based on hostsdeny.conf, that will save the “blocked” IP addresses into the file /var/www/html/f2b-block.txt. The script is shown below and should be saved as fwblock.conf in /etc/fail2ban/action.d/.

[Definition]
# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart = 

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = 

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = 

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = printf %%b "<ip_value>\n" >> <file>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = IP=$(echo "<ip_value>" | sed 's/[][\.]/\\\0/g') && sed -i "/^$IP$/d" <file>

[Init]
# Option:  file
# Notes.:  f2b-block.txt file path.
# Values:  STR  Default: /var/www/html/f2b-block.txt
#
file = /var/www/html/f2b-block.txt

# internal variable IP (to differentiate the IPv4 and IPv6 syntax, where it is enclosed in brackets):
ip_value = <ip>

[Init?family=inet6]
ip_value = [<ip>]

After saving the action file, restart Fail2Ban and check the Fail2Ban server status.

sudo fail2ban-client restart
sudo fail2ban-client status

Generate some SSH traffic, with failed logins, to make sure you are capturing the addresses and check the following log files.

sudo tail -f /var/log/fail2ban.log
sudo cat /var/www/html/f2b-block.txt

As mentioned in the Denyhosts case, make sure your web server root is pointing to /var/www/html and use an HTTP server reachable internally only.
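As an added example (not part of the original post), here is a Python feed builder that merges the Denyhosts entries from hosts.deny and the Fail2Ban f2b-block.txt output into one feed file: it validates each entry as an IP address, strips the brackets the fwblock action writes around IPv6 addresses so the feed carries the plain address, drops internal ranges so an internal host can never be blacklisted by the feed, dedupes, and writes the file atomically so the FMC never fetches a half-written list. The sample inputs and the NEVER_BLOCK list are constructed, and the output path is an assumption.

```python
import ipaddress
import os
import tempfile

# Constructed samples standing in for /etc/hosts.deny (Denyhosts) and f2b-block.txt (fwblock action).
SAMPLE_HOSTS_DENY = """\
sshd: 203.0.113.10
sshd: 198.51.100.7
sshd: bad.example   # a hostname, not an address
"""
SAMPLE_F2B_BLOCK = "203.0.113.10\n192.0.2.55\n[2001:db8::1]\n10.0.0.5\n"

# Ranges that must never reach the blacklist feed (assumption: adjust for your site).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def parse_hosts_deny(text):
    """Yield the client field of 'daemon: client' lines, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            yield line.split(":", 1)[1].strip()

def parse_f2b_block(text):
    """Yield one entry per line as written by actionban (IPv6 is bracketed)."""
    return (line.strip() for line in text.splitlines() if line.strip())

def normalize(candidates):
    """Validate, strip IPv6 brackets, drop protected ranges, dedupe and sort."""
    keep = set()
    for cand in candidates:
        try:
            ip = ipaddress.ip_address(cand.strip("[]"))
        except ValueError:
            continue  # hostnames and garbage never reach the feed
        if any(ip in net for net in NEVER_BLOCK):
            continue  # an internal address must never be blacklisted by the feed
        keep.add(ip)
    return [str(ip) for ip in sorted(keep, key=lambda i: (i.version, int(i)))]

def build_feed(hosts_deny_text, f2b_text, out_path):
    """Write the merged feed (one address per line) atomically and return it."""
    entries = normalize(list(parse_hosts_deny(hosts_deny_text)) + list(parse_f2b_block(f2b_text)))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(out_path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(e + "\n" for e in entries))
    os.chmod(tmp, 0o644)  # mkstemp creates 0600, which the web server could not read
    os.replace(tmp, out_path)  # the FMC fetch never sees a half-written file
    return entries
```

Run it from the same cron entry as dhosts.sh with the real file contents and the output path under the web root, and point the FMC feed URL at the single merged file.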

For quick testing you can use the web server module that ships with Python on Ubuntu. The server should be started in the /var/www/html/ directory.

# for python 2.7 use command
sudo python -m SimpleHTTPServer 8080
# for python 3 use 
sudo python3 -m http.server 8080

After the web server is started, check that you can download the file using a web browser.

Firepower Management Center

To create the Feed, on Firepower Management Center (FMC) go to Objects > Object Management > Security Intelligence > Network Lists and Feeds. Click “Add Network Lists and Feeds” in the upper right corner. Select type as Feed, and populate the URL information and Update Frequency. In the current software release (6.5.0), updates are limited to no shorter than every 30 minutes.

In your Access Policy, click the Security Intelligence tab, and add the new feed to the Blacklist.

FTD Access Policy

Generate some SSH traffic with failed logins again, go to Analysis > Connection Events and check that the blocks are occurring.

FTD Connection Events

Use of these feeds is not limited to Firepower; with the same ease this data can be consumed by Firewall/UTM systems produced by Fortinet, Juniper, Palo Alto Networks and Check Point.
