Name

ak47 — Adaptive Kernun 4.7

Description

Adaptive Kernun 4.7 is a new module that can protect against a globally shared list of attackers. It has an Intrusion Detection System (IDS) and Intrusion Protection System (IPS) part at each Kernun and one central server for collecting and distributing the list of suspicious addresses. The IDS can collect attackers by the old Honeypot trap and by watching password attacks on an ssh server.

The IDS part collects data about attackers in an IDS database implemented as the SQLite file /data/ak47/ids.db. It contains the following tables:

HPOT4

Addresses caught by the Honeypot trap.

Records in this table can have an HPOT_SYN flag; this means that the address occurred only in a SYN packet and so it might be faked. Such addresses are not blocked.

SSHD4

Addresses found in /var/log/auth.log as clients unsuccessfully trying to log in to an ssh server.

Records in this table can have an SSHD_REP flag; this means that the number of attempts reached the limit configured in the ak47(5) configuration and the address will be reported as an attacker.

AKBL4

Addresses already blocked and trying to access the firewall again.

The data from the IDS database are by default reported to the central server adaptive.kernun.com. The data from all IDS sensors are collected and processed there; then a new IPS database is prepared, ready for download back to the firewalls.

Another way to implement the blacklist protection of the firewall is the autonomous mode. In this mode, the IDS database is converted to the IPS format periodically, directly on the firewall.

When a new IPS database appears on the firewall (either by download from the server or due to the autonomous mode), the ak47-reload program is started to apply the new address list in the packet filter (after filtering it using the local whitelist and limiting the set to max-entries).

The IPS database is implemented as the SQLite file /data/ak47/ips.db. It contains the following table:

IPV4

Addresses collected by the central server or processed locally from the IDS database in autonomous mode.
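The autonomous-mode conversion described above, written out as an added example (not Kernun's own ak-db.sh or ak47-reload code): it reads the three IDS tables, keeps only reportable addresses (no HPOT_SYN honeypot hits, only SSHD_REP ssh attackers, all AKBL4 repeat offenders), drops whitelisted addresses and caps the result at max-entries. The column layout and the comma-separated flags field are assumptions, since the man page does not give the schema.

```python
import sqlite3

# Assumed (hypothetical) schema; the man page only names the tables and flags.
IDS_SCHEMA = """
CREATE TABLE HPOT4 (addr TEXT PRIMARY KEY, flags TEXT DEFAULT '');
CREATE TABLE SSHD4 (addr TEXT PRIMARY KEY, attempts INTEGER, flags TEXT DEFAULT '');
CREATE TABLE AKBL4 (addr TEXT PRIMARY KEY);
"""


def ids_to_ips(ids_conn, whitelist, max_entries):
    """Build the IPS address list from an IDS database connection."""
    cur = ids_conn.cursor()
    candidates = []
    # Honeypot hits: SYN-only addresses may be spoofed and are never blocked.
    for addr, flags in cur.execute("SELECT addr, flags FROM HPOT4"):
        if "HPOT_SYN" not in flags.split(","):
            candidates.append(addr)
    # SSH password attackers: only those that reached the limit (SSHD_REP).
    for addr, flags in cur.execute("SELECT addr, flags FROM SSHD4"):
        if "SSHD_REP" in flags.split(","):
            candidates.append(addr)
    # Addresses already blocked that tried to access the firewall again.
    for (addr,) in cur.execute("SELECT addr FROM AKBL4"):
        candidates.append(addr)
    # Deduplicate (keeping order), apply the local whitelist, enforce max-entries.
    seen, result = set(), []
    for addr in candidates:
        if addr in seen or addr in whitelist:
            continue
        seen.add(addr)
        result.append(addr)
        if len(result) >= max_entries:
            break
    return result


def build_sample_ids():
    """Constructed in-memory IDS database with a few sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(IDS_SCHEMA)
    conn.executemany("INSERT INTO HPOT4 VALUES (?, ?)",
                     [("192.0.2.10", ""), ("192.0.2.11", "HPOT_SYN")])
    conn.executemany("INSERT INTO SSHD4 VALUES (?, ?, ?)",
                     [("198.51.100.5", 12, "SSHD_REP"), ("198.51.100.6", 2, "")])
    conn.executemany("INSERT INTO AKBL4 VALUES (?)",
                     [("203.0.113.7",), ("192.0.2.10",)])
    return conn


def demo(max_entries=10):
    # 203.0.113.7 is whitelisted here; 192.0.2.10 appears in two tables.
    return ids_to_ips(build_sample_ids(), {"203.0.113.7"}, max_entries)
```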

The databases and PF tables related to AK47 can be managed by the kat.ak47 command. The IDS and IPS databases can be managed also manually by the ak-db.sh(8) script.

Honeypot

Honeypot is a special IDS/IPS function targeted against port scanning. There are one or more special IP addresses, unused and unpublished. On a given port range (which might be 1-65535) on such an address, the pf-control(8) daemon is listening. The daemon accepts and closes every connection, and it adds the client to the HPOT table in the IDS database.

If a client only sends a SYN packet, it is also added to the database, but no restriction is applied, since the source address can be faked.

See Also

Authors

This man page is a part of Kernun Firewall.
Copyright © 2000–2020 Trusted Network Solutions, a. s.
All rights reserved.