Netfilter Owner Module - Useful but Underused

  1. #1 (Senior Member, joined Nov 2001, 1,255 posts)

    I've been asked to look over a couple of firewall scripts recently, for both desktops and servers, and it strikes me that people aren't going to the additional lengths they could to lock down their rulesets. The most underutilized module I've seen is the owner module. This module allows you to restrict connections based on the uid, gid, pid, or sid of the connection. It even works for root.

    Now, some of you might be thinking of ways you can use this, and some of you might not know how you can use it, so I will explain. The most commonly cited difference between Linux firewalls and Windows personal firewalls is the lack of per-application control. While this is somewhat true, it is not as wide-ranging as many might have you believe. To understand how the owner module applies to this situation, we must look at the way in which common Linux systems are set up. Commonly, you will find many services are given their own user (named for DNS, apache for Apache, etc.). This is both a hindrance and a help in various situations; here it helps a great deal. Because each service has its own uid, you can basically control the network access of any service you like.

    Consider the following example: an attacker attempts to break into a hardened box, and manages to exploit a hole in Apache to get access to the box. After a bit of trial-and-error enumeration, the attacker sees that there are no tools of use to him on the box, so the next step is to download a rootkit or some tools from another site onto the target box. With a firewall set up to deny Apache outbound access, such attempts would fail. There may be other ways to get a file onto the target, or other havoc they can wreak, but this limits an attacker's options.

    Here's an example, where we deny all new outbound connections for uid 101 (apache).
    Code:
    $ iptables -A OUTPUT -o eth0 -m state --state NEW -m owner --uid-owner 101 -j REJECT
    $ su apache -c "telnet www.hotmail.com 80"
    Trying 207.68.171.233...
    telnet: connect to address 207.68.171.233: Connection refused
    $ iptables -F
    $ su apache -c "telnet www.hotmail.com 80"
    $ su vhost -c "telnet www.hotmail.com 80"
    Trying 207.68.173.245...
    Connected to www.hotmail.com.
    Escape character is '^]'.
    You could further limit all of these services by making them all members of a specific group called something like "noaccess", and then just denying the group. Alternatively, you can drop in rules related to the process id, though keep in mind many process ids will be different between reboots.

    Anyhow, just keep the various modules in mind when writing firewall rulesets. Many of them can give you a greater level of control over your firewall.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
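    The ruleset sketched in this post, written out as an added example (this is not the poster's script, just an illustration of the same owner-match technique). It prints the rules by default; run it as root with IPT=iptables to apply them. The interface eth0, the service accounts apache and named, and the group "noaccess" are constructed assumptions. Note that --uid-owner and --gid-owner also accept names, and that later kernels dropped the pid and sid variants of the owner match, so uid and gid are the ones to build on. A LOG rule goes in front of each REJECT so a blocked download attempt leaves a trace in the kernel log rather than failing silently.

```shell
#!/bin/sh
# Added example (not from the thread): a per-service egress policy built on
# the owner match. Dry-run by default (rules are printed); run as root with
# IPT=iptables to apply them. Constructed assumptions: interface eth0, service
# accounts apache and named, and a group "noaccess" for services that should
# never open outbound connections.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"

# Replies inside already-established flows stay allowed, so a restricted
# service can still answer the clients that connected to it.
allow_established() {
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Log, then reject, NEW outbound connections opened by one service account.
# The LOG rule is rate-limited; its prefix makes a blocked download attempt
# easy to find in the kernel log.
deny_new_outbound_uid() {
    uid=$1
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state NEW -m owner --uid-owner "$uid" \
        -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY uid=$uid: "
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state NEW -m owner --uid-owner "$uid" -j REJECT
}

# The same policy keyed on a group, for the "noaccess" idea from the post.
deny_new_outbound_gid() {
    gid=$1
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state NEW -m owner --gid-owner "$gid" \
        -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY gid=$gid: "
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state NEW -m owner --gid-owner "$gid" -j REJECT
}

# Order matters: the ESTABLISHED,RELATED accept must come before the rejects,
# otherwise the service's own replies to incoming connections are cut off.
apply_egress_policy() {
    allow_established
    for account in "$@"; do
        deny_new_outbound_uid "$account"
    done
    deny_new_outbound_gid noaccess
}

apply_egress_policy apache named
```

The rules use -m state as in the post; on current iptables the equivalent is -m conntrack --ctstate. As the thread goes on to discuss, the match is keyed on the credentials of the process that created the socket, so it restricts locally originated connections only and does nothing for forwarded traffic.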

  2. #2 (Senior Member, joined Apr 2004, 1,130 posts)
    Very good.
    But I have some questions.
    To install a rootkit, you need some kind of privilege escalation to replace system files, don't you? Or is it a flaw?
    If you can get some privilege, isn't it easy to issue an "iptables -F" to clear any rules before trying to d/l the rootkit to the machine?
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3 (Senior Member, joined Sep 2001, 1,027 posts)
    Originally posted here by cacosapo

    To install a rootkit, you need some kind of privilege escalation to replace system files, don't you? Or is it a flaw?
    If you can get some privilege, isn't it easy to issue an "iptables -F" to clear any rules before trying to d/l the rootkit to the machine?
    Well... Yes.

    The example would be better worded as to say that an attacker could download a local privilege escalation exploit (and then a rootkit) if there's no egress filtering...

    Using your firewall like this is a little like using systrace but only for sockets and on a user basis instead of program basis...

    Another situation where this might be really useful is if you host a colocation server or shell server and you need to restrict some users but not others...

    The downside of this technique is that it can only filter on locally created sockets, as it has no idea/concept of users for connections/packets not related to the local host. Hence it is only useful as a "personal" style firewall feature and not as a router/network firewall...

    BTW, for those who might wonder, OpenBSD's pf has the same abilities (http://www.openbsd.org/cgi-bin/man.c...86&format=html see keywords "user" and "group")


    Ammo
    Credit travels up, blame travels down -- The Boss

  4. #4 (Senior Member, joined Sep 2001, 1,027 posts)
    Oh, just FYI, reviewing the pf man page I linked, it mentions an important detail:

    User and group refer to the effective (as opposed to the real) IDs,
    in case the socket is created by a setuid/setgid process. User and
    group IDs are stored when a socket is created; when a process creates
    a listening socket as root (for instance, by binding to a
    privileged port) and subsequently changes to another user ID (to
    drop privileges), the credentials will remain root.
    I can't say if the same holds true for iptables, although I don't see why it would be different (chsh, can you confirm?)... Don't be fooled!


    Ammo
    Credit travels up, blame travels down -- The Boss

  5. #5 (Senior Member, joined Nov 2001, 1,255 posts)
    Originally posted here by cacosapo
    To install a rootkit, you need some kind of privilege escalation to replace system files, don't you? Or is it a flaw?
    Depends; many rootkits come with a number of priv. escalation exploits. The point I am making is that if you render the possible ways a remote exploit may be used inoperable, it lessens the impact of a given remote exploit.

    Originally posted here by ammo
    Oh, just FYI, reviewing the pf man page I linked, it mentions an important detail:
    I can't say if the same holds true for iptables, although I don't see why it would be different (chsh, can you confirm?)... Don't be fooled!
    Yes, this applies to Netfilter. However, it applies only to listening servers, or anything that does a privilege diminish after binding a reserved port number, thus it is irrelevant to how I mention its use above. Why? This is how privilege diminishing works (and why servers implement it), using Apache as an example:
    1. Apache boots up (as root), binds to port 80, and then drops privileges to apache:apache.
    2. An attacker hits on a working exploit in this particular copy of Apache.
    3. The attacker spawns a wget instance using Apache. This wget instance runs under apache:apache, not root:root, therefore it is blocked.
    Once it has dropped privileges, most servers are incapable of regaining them.

    You are quite correct in that this is only useful on desktops and/or servers, which was the context I placed it in.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
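    The three-step sequence above rests on one assumption: the workers that an exploit would end up running inside really are apache:apache, not root. The added check below (not from the thread) reads the Uid line of /proc/&lt;pid&gt;/status for every process with a given command name and flags any worker whose effective uid is still 0, since a --uid-owner rule on the service account would not match a socket created by such a process. The command name and account (e.g. httpd and apache) are parameters; Linux /proc is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a daemon's worker processes
# actually run under the service account before relying on a --uid-owner rule.
# Assumes Linux /proc. Usage: sh check_workers.sh httpd apache

# Print "real effective" uids of one pid. The Uid: line of /proc/<pid>/status
# holds real, effective, saved and filesystem uids in that order.
proc_uids() {
    awk '/^Uid:/ { print $2, $3 }' "/proc/$1/status" 2>/dev/null
}

# Return 0 if the pid's effective uid is the expected account's uid,
# 1 if it is something else (a root worker is reported explicitly, because
# an owner rule keyed on the account will not match it), 2 if the pid or the
# account does not exist.
check_worker() {
    pid=$1
    account=$2
    want=$(id -u "$account") || return 2
    set -- $(proc_uids "$pid")
    [ -n "$2" ] || return 2
    if [ "$2" -eq 0 ]; then
        echo "pid $pid: effective uid 0 (root); owner rule on $account will not match it" >&2
        return 1
    fi
    [ "$2" -eq "$want" ]
}

# Check every process with the given command name (e.g. httpd, apache2).
check_daemon() {
    name=$1
    account=$2
    bad=0
    for pid in $(pgrep -x "$name"); do
        check_worker "$pid" "$account" || bad=$((bad + 1))
    done
    echo "$name: $bad process(es) not running as $account"
    [ "$bad" -eq 0 ]
}

if [ "$#" -eq 2 ]; then
    check_daemon "$1" "$2"
fi
```

The master process that bound port 80 will show up as the root worker; what matters is that every process that actually handles requests is reported as the service account, since those are the ones an exploit would run in.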

  6. #6 (Senior Member, joined Sep 2001, 1,027 posts)
    However, it applies only to listening servers, or anything that does a privilege diminish after binding a reserved port number, thus it is irrelevant to how I mention its use above.
    Yes, of course, I concur...
    I was just mentioning it in case people thought of other ways of using it and didn't think of this...


    Ammo
    Credit travels up, blame travels down -- The Boss

  7. #7 (Senior Member, joined Jan 2002, 1,207 posts)
    I feel sure that the various extra netfilter modules are there for a purpose - to make some Windows-like firewall GUI possible. Specifically, the QUEUE target allows packets to be passed into userspace, where some ZoneAlarm-like app can pop up a message asking the user if they wish to allow it, then create a pid-based rule to allow or deny the access.

    I don't know of any ZoneAlarm-like GUI which exists using this functionality, though. The kernel supports it.

    Slarty
