GateKeeper - Automatic hostile host blocker for snort IDS.

GateKeeper is a program written to enhance the security of a Linux host.
It works in conjunction with the "snort ™" (*) intrusion detection system (IDS)
and with a packet filter such as "iptables",
and automatically updates the firewall rules based on the reports the IDS generates: a host that "snort" reports as hostile is blocked for a configurable period of time.

Installation and configuration:

Note: GateKeeper was developed and tested under the "Red Hat ®" (**) Linux distribution (AS-3). In principle it should run on other Linux distributions, but some adjustments (paths, init script, firewall command) may be needed.

RPM: for easy installation; contains the binary, startup script, configuration files and documentation. No source included.
Tarball: the distributed archive contains an installation script. This script will install the binary, startup script and sample configuration files from the 'distro' directory and will set up gatekeeper to start at boot time. The source files can be found under the 'src' directory.
The installation process will create two configuration files:
/etc/gatekeeper/gatekeeper.conf
/etc/gatekeeper/gatekeeper.ignore
Modify these files as needed.

Warning: using this program is not risk free. The most common problem is blocking an IP address you did not intend to block. GateKeeper will attempt to determine the IP address of the local machine together with its gateway address and the addresses of any name servers it uses, and will never block those. Any other privileged IP addresses (for example, the hosts you administer this machine from) should be added to the ignore file.
Special attention should be given to the "snort" rules configuration. Remember, GateKeeper will react to any incident reported by "snort", so a noisy or badly tuned rule set turns directly into blocked hosts.
It is recommended to run "snort" with the '-z est' option so that only an established TCP connection will generate a report. This is important because an attacker who can trigger alerts with spoofed source addresses could otherwise make GateKeeper block hosts of the attacker's choosing, which is a "Denial of Service" (DoS) attack against you rather than against the attacker.
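As an added example (not GateKeeper's own code), the following Python script shows how the set of addresses that must never be blocked, as described in the warning above, can be assembled: the local address, the default gateway read from /proc/net/route, the name servers from /etc/resolv.conf, and the entries of an ignore file. The ignore-file format used here (one address per line, '#' comments) and all file contents are assumptions; the real gatekeeper.ignore format may differ.

```python
"""Assemble the set of addresses that must never be blocked.

Added example, not GateKeeper's own code.  Inputs are the *contents* of
/proc/net/route, /etc/resolv.conf and an ignore file, passed in as strings
so the logic can be run (and tested) without touching the real files.
"""
import ipaddress
import socket
import struct
from typing import Optional, Set


def parse_default_gateway(route_text: str) -> Optional[str]:
    """Return the default gateway from /proc/net/route contents.

    Rows are 'Iface Destination Gateway Flags ...'; Destination and Gateway
    are little-endian hex IPv4 values, so '0101A8C0' means 192.168.1.1.
    """
    for line in route_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 3 or fields[1] != "00000000":
            continue  # not the default route
        return socket.inet_ntoa(struct.pack("<L", int(fields[2], 16)))
    return None


def parse_nameservers(resolv_text: str) -> Set[str]:
    """Collect 'nameserver' entries from /etc/resolv.conf contents."""
    servers = set()
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.add(fields[1])
    return servers


def parse_ignore_file(ignore_text: str) -> Set[str]:
    """Read one address per line; blank lines and '#' comments are skipped.

    An unparsable address raises instead of being dropped silently: a typo
    in this file means a privileged host is no longer protected.
    """
    addrs = set()
    for raw in ignore_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            addrs.add(str(ipaddress.ip_address(entry)))
    return addrs


def build_ignore_set(local_ip: str, route_text: str, resolv_text: str,
                     ignore_text: str) -> Set[str]:
    """Union of the local address, loopback, gateway, name servers and the file.

    Loopback is added here as a deliberate extra (an assumption, not a
    documented GateKeeper rule).
    """
    ignored = {local_ip, "127.0.0.1"}
    gateway = parse_default_gateway(route_text)
    if gateway is not None:
        ignored.add(gateway)
    ignored |= parse_nameservers(resolv_text)
    ignored |= parse_ignore_file(ignore_text)
    return ignored


# Constructed sample inputs, chosen to match the status output on this page.
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
)
SAMPLE_RESOLV = "search example.test\nnameserver 192.168.1.1\n"
SAMPLE_IGNORE = "# hosts that must never be blocked\n192.168.1.34   # admin workstation\n"

if __name__ == "__main__":
    for addr in sorted(build_ignore_set("192.168.1.33", SAMPLE_ROUTE,
                                        SAMPLE_RESOLV, SAMPLE_IGNORE)):
        print("ignore", addr)
```

The gateway is taken from the kernel routing table rather than from a configuration file because the default route is the one address whose loss cuts the machine off completely; if this parser returns None on a real system, check the route table before trusting the resulting ignore set.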

Usage:

In order for GateKeeper to function, you must configure "snort" to write a unified log and a port scan log. For details on how to do that consult your "snort" documentation.
On startup GateKeeper parses the IDS reports and applies firewall rules for those IP addresses whose reports fall within the blocking time limit (see the configuration file for details); entries older than that limit are not re-applied. From this point on, GateKeeper continues monitoring the log files for new entries and adds new firewall rules as needed.
Any rule which has reached the blocking time limit (if one is configured) is released.

Note: as the port scan log does not contain a full timestamp (month, day and time only, no year), all entries are assumed to be from the current year, so entries written before a year boundary are dated incorrectly once the year changes.
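The startup and monitoring behaviour described above, as an added Python example that is not GateKeeper's own code: reports still within the blocking time limit become iptables DROP rules, rules whose time has run out are released, privileged addresses and (with target-only enabled) traffic not aimed at this host are skipped, and port scan entries are dated with a caller-supplied year as the note says. Because the unified log is a binary format, alerts are assumed to have already been decoded into (timestamp, source, destination) tuples; the text form of the port scan log used here and every sample record are constructed assumptions. The addresses and times are chosen to reproduce the "Denied servers" lines of the status output shown below.

```python
"""Turn snort reports into time-limited firewall rules.

Added example, not GateKeeper's own code.  Alerts arrive here already
reduced to (timestamp, source, destination) tuples; the port scan log is
assumed to use the text form 'Mon DD HH:MM:SS src:port -> dst:port ...',
which carries no year.  Commands are returned as strings rather than
executed so the decision logic can be inspected safely.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOCAL_IP = "192.168.1.33"
# Addresses that must never be blocked (local host, gateway, name server,
# ignore file); constructed to match the status output on this page.
IGNORED = frozenset({"192.168.1.33", "192.168.1.1", "192.168.1.34", "127.0.0.1"})
BLOCKING_TIME = timedelta(seconds=86400)  # 'Blocking time: 86400 sec'

Event = Tuple[datetime, str, str]  # (when, source, destination)

PORTSCAN_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):\d+"
)


def parse_portscan_line(line: str, year: int) -> Optional[Event]:
    """Parse one port scan log line.  The year comes from the caller, which
    is exactly the 'assumed to be the current year' rule from the note."""
    m = PORTSCAN_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when, m.group(2), m.group(3)


def block_decisions(events: List[Event], now: datetime,
                    target_only: bool = True) -> Dict[str, datetime]:
    """Return {source: blocked_until} for reports still inside the window.

    Reports older than BLOCKING_TIME are skipped, so replaying the logs at
    startup does not resurrect blocks that have already expired.  With
    target_only, only traffic aimed at this host counts ('Target only: yes').
    """
    blocked: Dict[str, datetime] = {}
    for when, src, dst in events:
        if src in IGNORED:
            continue  # never block a privileged address
        if target_only and dst != LOCAL_IP:
            continue
        until = when + BLOCKING_TIME
        if until <= now:
            continue  # already expired
        if src not in blocked or until > blocked[src]:
            blocked[src] = until  # keep the latest expiry per source
    return blocked


def add_commands(blocked: Dict[str, datetime]) -> List[str]:
    """iptables commands that drop traffic from each blocked source."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(blocked)]


def release_expired(blocked: Dict[str, datetime], now: datetime) -> List[str]:
    """Drop sources whose block has run out and return the matching
    iptables -D commands (what 'released' means in the text above)."""
    commands = []
    for src in sorted(blocked):
        if blocked[src] <= now:
            del blocked[src]
            commands.append(f"iptables -D INPUT -s {src} -j DROP")
    return commands


# Constructed sample reports; block time is 86400 s after each report.
SAMPLE_ALERTS: List[Event] = [
    (datetime(2004, 1, 26, 11, 54, 6), "213.245.242.44", LOCAL_IP),  # blocked
    (datetime(2004, 1, 26, 12, 0, 0), "192.168.1.34", LOCAL_IP),     # ignored host
    (datetime(2004, 1, 26, 13, 0, 0), "10.9.8.7", "192.168.1.40"),   # not aimed at us
    (datetime(2004, 1, 20, 8, 0, 0), "10.1.1.1", LOCAL_IP),          # expired long ago
]
SAMPLE_PORTSCAN = [
    "Jan 27 05:53:08 213.46.36.82:4321 -> 192.168.1.33:22 SYN ******S*",
    "garbage line that does not parse",
]
NOW = datetime(2004, 1, 27, 9, 0, 0)
LATER = datetime(2004, 1, 27, 12, 0, 0)  # after the first block has run out


def run_sample(now: datetime = NOW) -> Dict[str, datetime]:
    """Replay the constructed logs as GateKeeper would at startup."""
    events = list(SAMPLE_ALERTS)
    for line in SAMPLE_PORTSCAN:
        ev = parse_portscan_line(line, now.year)
        if ev is not None:
            events.append(ev)
    return block_decisions(events, now)


if __name__ == "__main__":
    blocked = run_sample()
    for cmd in add_commands(blocked):
        print(cmd)
    for src, until in sorted(blocked.items()):
        print(f"{src} Blocked until {until:%A, %d-%b-%Y %H:%M:%S}")
    for cmd in release_expired(blocked, LATER):
        print(cmd)
```

Keeping the expiry time per source, rather than a flat list of blocked addresses, is what makes the "reset" and timed release operations safe to run repeatedly: a rule is only deleted once, and a host that keeps scanning simply has its expiry pushed forward.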

If you would like to invoke GateKeeper manually, use the init script:
"service gatekeeper {start|stop|status|restart|reset}"
The only command which probably needs an explanation is "reset": it instructs GateKeeper to release all currently blocked IP addresses, i.e. to remove their rules from the firewall.
"status" gives detailed information about the parameters GateKeeper is using and any ignored or denied IP addresses. For example:
GateKeeper v1.01 status:
PID: 649
IP address: 192.168.1.33
Gateway address: 192.168.1.1
Interface: eth0
Blocking time: 86400 sec
Target only: yes
Ignored name servers:
192.168.1.1
Ignored servers:
192.168.1.34
Denied servers:
213.245.242.44 Blocked until Tuesday, 27-Jan-2004 11:54:06
213.46.36.82 Blocked until Wednesday, 28-Jan-2004 05:53:08
213.46.99.145 Blocked until Wednesday, 28-Jan-2004 08:46:26

License:

GateKeeper - automatic hostile host blocker for snort IDS.
By Alon Noy <alon [a-t] noy [d-o-t] cc>
Copyright © 2004 Alon Noy
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License (GPL) as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License (GPL) for more details.

Download GateKeeper v1.01:

RPM (md5sum=21e9619e3bf0c05644c59a406a59480c)
Tarball (md5sum=a5cd9fb4ce41c8ea79bf683ba1b2860c)
* "Snort" is a Trademark or a Registered Trademark of Sourcefire, Inc.
** "Red Hat" is a Registered Trademark of Red Hat Inc.
Any and all trademarks or registered trademarks used in this document are the property of their respective owners.
The author of this document is not affiliated with any and all mentioned organizations.