Filtering IP Addresses With AIX IPSec
I want to deny IP address 8.211.1.243 from accessing my AIX system (for inbound connections).
The first step is to enable IPSec on the AIX. This example is for ipsec_v4.
# smit ipsec4 --> Start/Stop IP Security --> Start IP Security Start IP Security [Now and After Reboot] + Deny All Non_Secure IP Packets [no] ipsec_v4 Available Default rule for IPv4 in ODM has been changed. Successfully set default action to PERMIT # lsdev -C | grep ip ipsec_v4 Available IP Version 4 Security Extension ipsec_v6 Available IP Version 6 Security Extension
Note: I left the “Deny All Non_Secure IP Packets” set to no, as I would prefer to allow everything by default and only block/deny IP addresses by exception.
Creating Rules
Now that IPSec is enabled, I can create a new IP filter rule to block the IP address, 8.211.1.243, from accessing my host. This rule prevents 8.211.1.243 from accessing any protocol/service, on all interfaces, on my AIX host. They are now blocked from opening any network connections to my AIX host. The rule is created using the genfilt tool and then activated with the mkfilt utility.
# genfilt -v 4 -a D -s 8.211.1.243 -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -g N -c all -r B -w I -l Y -f Y -i all # mkfilt -v 4 -u
Confirming Rules
Using the lsfilt command I can confirm that my new rule has been added to the IP filter rules on my AIX host.
# lsfilt | grep -p 8.211.1.243 Rule 3: Rule action : deny Source Address : 8.211.1.243 Source Mask : 255.255.255.255 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : no Protocol : all Source Port : any 0 Destination Port : any 0 Scope : both Direction : inbound Logging control : yes Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : no Expiration Time : 0 Description :
Changing, Removing and Activating Rules
If I decide I would like to change a rule, I can use the chfilt command to alter an existing rule. If I choose to remove this rule, I can use the rmfilt command, as shown below. I first need to find the rule number associated with the IP filter (in this case, it’s rule number 3). To remove the rule, I run the rmfilt command and then activate the new rule set with mkfilt.
# lsfilt | grep -p 8.211.1.243 Rule 3: Rule action : deny Source Address : 8.211.1.243 Source Mask : 255.255.255.255 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : no Protocol : all Source Port : any 0 Destination Port : any 0 Scope : both Direction : inbound Logging control : yes Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : no Expiration Time : 0 Description : # rmfilt -v 4 -n '3' Filter rule 3 for IPv4 has been removed successfully. # mkfilt -v 4 -u # lsfilt | grep -p 8.211.1.243 #
Preventing AIX Intrusion
I found myself in need of this type of solution when working with an AIX system that was directly connected to the Internet. Various services were open and available on the AIX host’s public interface. As a result, this host was subject to constant port probing by external IP addresses on the Internet. One service, Secure Shell (SSH), was unsurprisingly being probed more than others. SSH is a common service subjected to brute-force credentials attacks and is a popular protocol used by system administrators to gain secure remote access to a server to perform management tasks. As a result, it is one of the most targeted services for brute-force/dictionary attacks. Many other network services are also susceptible to brute force attacks, such as SMTP. Please refer to the references at the end of this article for more information. On a regular basis I would find failed SSH login attempts in the syslog file (as shown below).
Nov 25 23:38:09 myaixhost auth|security:info sshd[65539]: Failed password for root from 8.211.1.243 port 44968 ssh2 Nov 25 23:38:09 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 8.211.1.243 Nov 25 23:38:10 myaixhost auth|security:info sshd[65541]: Failed password for root from 8.211.1.243 port 45262 ssh2 Nov 25 23:38:10 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 8.211.1.243
By manually adding an IP filter rule to block the offending address, I could prevent this kind of “brute force” attack from recurring. In addition, I also wanted to automate this process. I wanted a way to detect this kind of attack and then automatically add new IP filter rules.
Syslog Sample Script
I wrote a script to scan my syslog file and look for any failed SSH login attempts from unknown external IP addresses and then automatically add IP filter rules for the offending IP address(es). Here’s an example of the output from the script:
# block_ip.ksh IP address 168.167.134.1 already blocked by IP filter IP address 176.111.173.242 already blocked by IP filter IP address 176.111.173.44 already blocked by IP filter IP address 177.249.42.39 already blocked by IP filter IP address 193.169.255.199 already blocked by IP filter Adding 193.3.19.87 to IP filter blocked list Filter rule 27 for IPv4 has been added successfully. IP address 31.184.219.20 already blocked by IP filter IP address 45.9.20.25 already blocked by IP filter IP address 45.9.20.73 already blocked by IP filter IP address 47.252.32.114 already blocked by IP filter IP address 47.253.106.222 already blocked by IP filter IP address 47.253.197.231 already blocked by IP filter IP address 47.90.250.31 already blocked by IP filter IP address 62.35.127.104 already blocked by IP filter The following IP addresses were added to the blocked IP filter list. 25a26 > Source Address : 193.3.19.87 Statistics of IP Security packets: IPSec Devices: ipsec_v4 Available ipsec_v6 Available Authentication Algorithm: CMAC_AES_XCBC -- Cipher-based MAC using AES-XCBC Authentication Module HMAC_MD5 -- Hashed MAC MD5 Authentication Module HMAC_SHA -- Hashed MAC SHA Hash Authentication Module KEYED_MD5 -- Keyed MD5 Hash Authentication Module Encryption Algorithm: 3DES_CBC -- Triple DES CBC Encryption Module AES_CBC_128 -- AES CBC 128 bit key Encryption Module AES_CBC_192 -- AES CBC 192 bit key Encryption Module AES_CBC_256 -- AES CBC 256 bit key Encryption Module DES_CBC_4 -- DES CBC 4 Encryption Module DES_CBC_8 -- DES CBC 8 Encryption Module NULL -- Null Encryption Algorithm module IPSec Statistics - Total incoming packets: 820167 Incoming AH packets: 0 Incoming ESP packets: 0 Srcrte packets allowed: 0 Total outgoing packets: 1289450 Outgoing AH packets: 0 Outgoing ESP packets: 0 Total incoming packets dropped: 2978 Filter denies on input: 2978 AH did not compute: 0 ESP did not compute: 0 AH replay violation: 0 ESP replay violation: 0 Total outgoing packets dropped: 0 Filter denies on output: 0 Tunnel cache entries added: 0 Tunnel cache entries expired: 0 Tunnel cache entries deleted: 0
In the example above, we found an IP address that was not already blocked. It was attempting to log in via SSH unsuccessfully, and then adding the IP address to the rule set. If we find a relevant event in syslog, we must first check if the IP address is already blocked before adding a new rule. If the IP address is not already blocked, we can go ahead and add a new rule. Below is the script header with a bit more of a description of what it does.
#!/usr/bin/ksh # # # Script to block IP addresses that have reported failed login attempts (in /var/log/syslog) via SSH. # Be very careful with this script. It DOES NOT DISCRIMINATE! If you fail to login, via SSH, with your # username/password and it fails, because you entered the wrong password (for example), it will block you IP address # then next time the script is run (assuming, of course, that the failed login attempt is still recorded in /var/log/syslog). # #
This script now runs once per hour from cron on the AIX host.
Note, to configure IPSec firewall on AIX, the following filesets must be installed on the AIX host:
bos.msg.en_US.net.ipsec 7.3.0.0 COMMITTED IP Security Messages - U.S. bos.net.ipsec.keymgt 7.3.0.1 COMMITTED IP Security Key Management bos.net.ipsec.rte 7.3.0.0 COMMITTED IP Security
Additional Information
Please refer to the following links for more information about AIX firewall and IPSec filtering configuration. I highly recommend reading about “mkfilt -d” to recover from misconfiguration issues and “mkfilt -g start” to start the ipsec_logd daemon to “view which packets are being dropped.”
- Setting up a firewall with AIX TCP/IP filtering
- Accessing filter rules from SMIT
- AIX intrusion prevention
- Blocking an IP address
- AIX network services
- Securing AIX Network Services