I was recently tasked with replacing an old LaBrea Tarpit server. Due to the unfortunate outcome of the LaBrea project, I opted to use the xtables-addons extensions for IPTables, together with its built-in logging features, to implement the new tarpit. Information about putting together a tarpit from scratch is a little scarce, so I decided to share how and what I did to put this server together. For my setup I had two network interfaces: one open for traffic to tarpit, and one for administrators to use for remote management. The management interface was locked down to an internal subnet. For general purposes one network interface will work just fine; you can skip the part about dual network card setups. This was performed on a Red Hat Enterprise Linux 6.3 install but should be identical on any version from 5.5 up.
This is my first attempt at blogging a tutorial so please forgive me if it seems a bit erratic.
I am writing this under the assumption that most people setting up a tarpit server already have a basic to intermediate knowledge of Linux. Let's get started!
1. Installing XTables
XTables is a very powerful set of extensions for IPTables that includes the TARPIT target and many others, such as GeoIP matching. For more on XTables please visit http://sourceforge.net/projects/xtables-addons
We can download the free, open-source add-ons from their site at sourceforge.net. To download the package straight to our machine, let's use the wget command.
# wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/
This will place the current version of xtables-addons in your current working directory. After unpacking the archive with tar, change into the source directory (the version number will match the release you downloaded; at the time of this writing it was 1.46) and build it. The build needs a compiler and the kernel-devel package that matches your running kernel, because the TARPIT target is a kernel module.
# cd xtables-addons-1.46
# ./configure
# make && make install
2. Network Configuration
This part is a bit tricky: since we have two network cards, each on a different subnet, we have to take advantage of Red Hat's advanced (policy) routing tables. First, however, let's make sure the interfaces themselves are set up properly by checking the network script files. We will use eth0 as our management interface and eth1 as the tarpit interface. For this example eth0 will be on the 192.168.2.0 subnet and eth1 on the 10.3.128.0 subnet; substitute your own network information. If you are only using one network interface, skip anything that refers to eth1.
Move to the network-scripts directory
# cd /etc/sysconfig/network-scripts
Using your favorite text editor, open ifcfg-eth0. It should look something like what is listed below; of course the IPs will differ.
DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO="static"
IPADDR="192.168.2.10"
NETMASK="255.255.255.0"
NETWORK="192.168.2.0"
BROADCAST="192.168.2.255"
Next open the file ifcfg-eth1 and change the information to the subnet that you wish to use as your tarpit. If you are using one network interface you need not edit this file, and it may not exist. Note that DEVICE must name eth1 here, not eth0.
DEVICE="eth1"
ONBOOT="yes"
BOOTPROTO="static"
IPADDR="10.3.128.10"
NETMASK="255.255.255.0"
NETWORK="10.3.128.0"
BROADCAST="10.3.128.255"
After configuring ifcfg-eth1 you will need to restart the network service using:
# service network restart
Now here is where we need to define individual gateways for each subnet. This step is much easier if you store the commands in an executable script: if you ever need to restart the network service, you can just re-run the script instead of going through several steps again. So create a file called route-script (or a name of your liking) and copy this into it, with your own networking information. If you have only one network interface you may skip this step.
#!/bin/sh
# Set up the first subnet's routing table (table 1, used for eth0)
/sbin/ip route flush table 1
/sbin/ip route add table 1 to 192.168.2.0/24 dev eth0
/sbin/ip route add table 1 to default via 192.168.2.1 dev eth0
# Set up the second subnet's routing table (table 2, used for eth1)
/sbin/ip route flush table 2
/sbin/ip route add table 2 to 10.3.128.0/24 dev eth1
/sbin/ip route add table 2 to default via 10.3.128.1 dev eth1
# Create the rules that choose which table to use, based on source IP.
# The rules need different priorities; for convenience the priority is
# named after the table. Remove any copy left from an earlier run first:
# "ip rule add" does not de-duplicate, and this script is re-run after
# every network restart.
/sbin/ip rule del from 192.168.2.0/24 table 1 priority 1 2>/dev/null
/sbin/ip rule del from 10.3.128.0/24 table 2 priority 2 2>/dev/null
/sbin/ip rule add from 192.168.2.0/24 table 1 priority 1
/sbin/ip rule add from 10.3.128.0/24 table 2 priority 2
# Flush the route cache so the change takes effect
/sbin/ip route flush cache
This script sets up 2 routing tables, giving priority 1 to eth0 and priority 2 to eth1. Next make the script executable.
# chmod 755 route-script
Then run the script.
Now to verify that each interface is working use:
# ping -I eth0 google.com
If you get replies (assuming eth0 is not on an internal-only network), then it's working. Do the same for eth1:
# ping -I eth1 google.com
Next we want to assign multiple addresses, or in my case an entire subnet, to eth1. To do this we will need to create a file inside /etc/sysconfig/network-scripts/ called ifcfg-eth1-range0. Creating this file will effectively create virtual network interfaces bound to eth1: eth1:1, eth1:2 and so on.
# cd /etc/sysconfig/network-scripts/
# touch ifcfg-eth1-range0
Now open ifcfg-eth1-range0 in your text editor and add your IP range.
IPADDR_START is your starting IP and IPADDR_END is your ending IP. CLONENUM_START is the number at which the virtual interfaces start; use 0 for the first virtual interface to be eth1:1.
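The range file the paragraph above describes, written out as an added example for the 10.3.128.0/24 tarpit subnet used in this tutorial (this is not the original post's file; the gateway address 10.3.128.1 and the .2 to .254 range are assumptions):

```sh
# /etc/sysconfig/network-scripts/ifcfg-eth1-range0  (added example, not from the post)
# The file is sourced by ifup-aliases when eth1 comes up; one alias is created
# per address from IPADDR_START to IPADDR_END. 10.3.128.1 is assumed to be the
# gateway, so the aliases start at .2.
IPADDR_START="10.3.128.2"
IPADDR_END="10.3.128.254"
NETMASK="255.255.255.0"
# ifup-aliases uses CLONENUM_START as the ":N" suffix of the first alias, so
# 1 yields eth1:1 .. eth1:253, while 0 would make the first alias eth1:0.
CLONENUM_START="1"
```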
Now we will need to restart the network services again.
# service network restart
Now that we have multiple IPs on the same interface, they also need a default gateway defined, so re-run the route-script (aren't you glad you saved it!).
Check to see if your virtual interfaces are getting to the internet
# ping -I eth1:1 google.com
If it pings successfully then all is well. You can also check the default routes of your interfaces by running the command route -n.
3. IPTables Rules
Now that XTables is installed and both network interfaces are up and running, we will use iptables to lock eth0 down to port 22 only (ssh for management) and open eth1 to incoming connections. IPTables will also log incoming connections to /var/log/messages with a custom prefix, making them easy to spot or grep for. Later in the tutorial I will show you how to move the IPTables entries out of /var/log/messages into their own log.
I'll start by sharing the rules I wrote; you may copy and paste them into /etc/sysconfig/iptables with your own network information. Open /etc/sysconfig/iptables in your editor and add the following rules to the filter table, above the catch-all REJECT rule that the default file ends with (iptables evaluates rules in order, so anything placed after the REJECT is never reached).
# declare the custom chain in the *filter section, before any rule references it
:LOGGING - [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp -i eth0 --dport 22 -j ACCEPT
-A INPUT -m iprange --dst-range 10.3.128.2-10.3.128.254 -j LOGGING
-A LOGGING -m limit --limit 30/min -j LOG --log-prefix "inbound : " --log-level 7
-A LOGGING -p tcp -j TARPIT
The first line opens only port 22 on eth0 so we can ssh in and manage the server. The second line sends everything destined for the tarpit address range on eth1 into a separate chain called LOGGING (a custom chain has to be declared in the same file before it is referenced). Inside LOGGING the traffic first hits the LOG rule, rate-limited to 30 entries a minute (change this to whatever suits you), which writes each packet with the prefix "inbound : " at log-level 7 (debug, the highest level of detail). The traffic is then tarpitted. Now we need to restart iptables with
# service iptables restart
If all goes well you should see /var/log/messages filling up with kernel "inbound" messages. They will look something like this:
Oct 16 12:01:47 kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=18.104.22.168 DST=10.3.128.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51866 DF PROTO=TCP SPT=56124 DPT=3389 WINDOW=5840 RES=0x00 ACK URGP=0
This shows us the source and destination addresses, as well as the source and destination ports.
The tarpit is now running!
4. Setting up a tarpit log.
In order to move the logged connections out of /var/log/messages we will need to edit our syslog configuration file. This file is located in /etc/ and is called rsyslog.conf. So using your editor open /etc/rsyslog.conf and add the following in the rules section, above the rule that writes *.info to /var/log/messages (rsyslog processes rules in order, so the filter has to run before the catch-all):
:msg, contains, "inbound : " -/var/log/iptables
& ~
This tells rsyslog that any message it receives carrying the prefix "inbound : " (the same prefix the LOG rule uses, including the space before the colon) should be written to /var/log/iptables. The "& ~" line then discards the message so it is no longer also placed in /var/log/messages; on rsyslog 7 and later write "& stop" instead. The filter uses contains rather than startswith because rsyslog can keep a leading space in the msg part of kernel messages, which would make a startswith match fail.
Now restart rsyslog with the command:
# service rsyslog restart
Now if you look in /var/log you should see an iptables file. After restarting the syslog it should now fill up with all of the tarpit logs!
Now we have a functioning tarpit server with logs! Of course custom scripting can take this much farther and organize the data but that will be up to you. You may also want to set in place proper log rotation rules to prevent the iptables log from filling up your drive space.
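As a starting point for the custom scripting mentioned above, here is an added example (not from the original post) that summarises the "inbound : " LOG lines once rsyslog files them in /var/log/iptables: hits per destination port, hits per source, and how many distinct TCP ports each source touched. The sample log is constructed inline so the script runs offline; the LOGFILE variable and the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original post: a POSIX shell report over the
# "inbound : " LOG lines the tarpit rules write. SAMPLE_LOG is constructed so
# the script runs offline; the source addresses are documentation ranges.
SAMPLE_LOG='Oct 16 12:01:47 tarpit kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=192.0.2.10 DST=10.3.128.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51866 DF PROTO=TCP SPT=56124 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 16 12:01:48 tarpit kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=192.0.2.10 DST=10.3.128.132 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51867 DF PROTO=TCP SPT=56125 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 16 12:01:49 tarpit kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=198.51.100.7 DST=10.3.128.131 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 16 12:01:50 tarpit kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=198.51.100.7 DST=10.3.128.131 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 16 12:01:51 tarpit kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=198.51.100.7 DST=10.3.128.131 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=4 PROTO=UDP SPT=53 DPT=161 LEN=8
Oct 16 12:01:52 tarpit kernel: e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex'

# log_input: the real log when LOGFILE is set, otherwise the built-in sample
log_input() { if [ -n "$LOGFILE" ]; then cat "$LOGFILE"; else printf '%s\n' "$SAMPLE_LOG"; fi; }

# inbound_lines: keep only tarpit LOG lines; other kernel messages are dropped
inbound_lines() { log_input | grep 'inbound : '; }

# field NAME: value of the KEY=value pair NAME on each line of stdin. Flag-only
# tokens (DF, SYN, ACK) have no "=", so they never match; OUT= yields "".
field() { sed -n "s/.* $1=\([^ ]*\).*/\1/p"; }

# top_by NAME: hits per value of NAME, most frequent first, printed "value count"
top_by() { inbound_lines | field "$1" | sort | uniq -c | sort -rn | awk '{print $2, $1}'; }

# ports_per_source: distinct TCP destination ports each source touched, which
# separates a port scanner from a host repeatedly probing one service
ports_per_source() {
    inbound_lines | grep 'PROTO=TCP' \
        | sed -n 's/.* SRC=\([^ ]*\).* DPT=\([^ ]*\).*/\1 \2/p' \
        | sort -u | awk '{n[$1]++} END {for (s in n) print s, n[s]}' | sort
}

# Usage: sh tarpit-report.sh                          (built-in sample)
#        LOGFILE=/var/log/iptables sh tarpit-report.sh (real log)
echo "== hits per destination port =="; top_by DPT
echo "== hits per source =="; top_by SRC
echo "== distinct TCP ports per source =="; ports_per_source
```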
Please feel free to comment, ask questions, or point out mistakes. I foresee several edits as I re-read this over time.