ak47 — Adaptive Kernun 4.7
Adaptive Kernun 4.7 is a new module that can protect against a globally shared list of attackers. It has an Intrusion Detection System (IDS) and Intrusion Protection System (IPS) part at each Kernun and one central server for collecting and distributing the list of suspicious addresses. The IDS can collect attackers by the old Honeypot trap and by watching password attacks on an ssh server.
The IDS part collects data about attackers in an IDS database implemented as the SQLite file /data/ak47/ids.db.
It contains the following tables:

HPOT4
    Addresses caught by the Honeypot trap. Records in this table can have an HPOT_SYN flag, which means that the address occurred only in a SYN packet and so it might be faked. Such addresses are not blocked.

SSHD4
    Addresses found in /var/log/auth.log as a client unsuccessfully trying to log in to an ssh server. Records in this table can have an SSHD_REP flag, which means that the number of attempts reached the limit configured in the ak47(5) configuration and the address will be reported as an attacker.

AKBL4
    Addresses already blocked and trying to access the firewall again.
The data from the IDS database are by default reported to the central server adaptive.kernun.com. The data from all IDS sensors are collected and processed there, and a new IPS database is then prepared for download back to the firewalls.
Another way to realize the blacklist protection of the firewall is the autonomous-mode. In this mode, the IDS database is periodically converted to the IPS format directly on the firewall.

When a new IPS database appears on the firewall (either by download from the server or due to the autonomous mode), the ak47-reload program is started to apply the new address list in the packet filter (after filtering it using the local whitelist and limiting the set to max-entries).
The IPS database is implemented as the SQLite file /data/ak47/ips.db. It contains the following table:

IPV4
    Addresses collected by the central server or processed locally from the IDS database in autonomous mode.
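The following is an added example, not Kernun's own code, showing the autonomous-mode conversion and the reload-time filtering described above in one pass: it reads the HPOT4, SSHD4 and AKBL4 tables, honours the HPOT_SYN and SSHD_REP flags, drops whitelisted addresses, caps the list at max-entries and writes the IPV4 table. The column names (addr, flags) and the bit values of the flags are assumptions; the real ak47 schema may differ.

```python
import sqlite3
import ipaddress

# Assumed (not Kernun's) schema: one row per address plus an integer flags
# column; the flag names follow the ak47 manual, the bit values are made up.
HPOT_SYN = 1   # address seen only in a SYN packet, so it may be spoofed
SSHD_REP = 1   # ssh attempt limit reached, address is to be reported

def build_ips_list(ids_conn, whitelist, max_entries):
    """Convert an IDS database into an IPS address list the way the text
    describes: drop HPOT4 rows carrying HPOT_SYN, keep only SSHD4 rows
    carrying SSHD_REP, keep every AKBL4 row, then remove whitelisted
    addresses and cap the result at max_entries."""
    cur = ids_conn.cursor()
    candidates = []
    cur.execute("SELECT addr FROM HPOT4 WHERE (flags & ?) = 0", (HPOT_SYN,))
    candidates += [row[0] for row in cur.fetchall()]
    cur.execute("SELECT addr FROM SSHD4 WHERE (flags & ?) != 0", (SSHD_REP,))
    candidates += [row[0] for row in cur.fetchall()]
    cur.execute("SELECT addr FROM AKBL4")
    candidates += [row[0] for row in cur.fetchall()]
    nets = [ipaddress.ip_network(w) for w in whitelist]
    result = []
    for addr in dict.fromkeys(candidates):  # de-duplicate, keep order
        if any(ipaddress.ip_address(addr) in n for n in nets):
            continue  # local whitelist wins over every IDS verdict
        result.append(addr)
    return result[:max_entries]

def write_ips_db(ips_conn, addrs):
    """Replace the IPV4 table of an IPS database with the given addresses."""
    ips_conn.execute("CREATE TABLE IF NOT EXISTS IPV4 (addr TEXT PRIMARY KEY)")
    ips_conn.execute("DELETE FROM IPV4")
    ips_conn.executemany("INSERT INTO IPV4 (addr) VALUES (?)", [(a,) for a in addrs])
    ips_conn.commit()
    return ips_conn.execute("SELECT COUNT(*) FROM IPV4").fetchone()[0]

def demo(max_entries=10):
    """Run the conversion on a constructed in-memory IDS database."""
    ids = sqlite3.connect(":memory:")
    ids.executescript("""
        CREATE TABLE HPOT4 (addr TEXT, flags INTEGER);
        CREATE TABLE SSHD4 (addr TEXT, flags INTEGER);
        CREATE TABLE AKBL4 (addr TEXT);
        INSERT INTO HPOT4 VALUES ('198.51.100.10', 0), ('198.51.100.11', 1);
        INSERT INTO SSHD4 VALUES ('203.0.113.5', 1), ('203.0.113.6', 0);
        INSERT INTO AKBL4 VALUES ('192.0.2.77'), ('198.51.100.10');
    """)
    addrs = build_ips_list(ids, ["192.0.2.0/24"], max_entries)
    return addrs, write_ips_db(sqlite3.connect(":memory:"), addrs)
```

In the constructed sample the SYN-only honeypot hit, the ssh client below the report limit and the whitelisted AKBL4 entry are all dropped, and the address present in both HPOT4 and AKBL4 is written once.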
The databases and PF tables related to AK47 can be managed by the kat.ak47 command. The IDS and IPS databases can also be managed manually by the ak-db.sh(8) script.
Honeypot is a special IDS/IPS function targeted against port scanning. It uses a special IP address (or several), unused and unpublished. On a given port range (which might be 1-65535) on this address, the pf-control(8) daemon is listening. The daemon accepts and closes every connection, and it adds the client to the HPOT table in the IDS database.

If a client only sends a SYN packet, it is also added to the database, but no restriction is applied since the source address can be faked.