Filtering IP Addresses With AIX IPSec

I want to deny IP address 8.211.1.243 from accessing my AIX system (for inbound connections).

The first step is to enable IPSec on the AIX. This example is for ipsec_v4.

# smit ipsec4
--> Start/Stop IP Security
--> Start IP Security
  Start IP Security                  [Now and After Reboot] +
  Deny All Non_Secure IP Packets     [no]
 
ipsec_v4 Available
Default rule for IPv4 in ODM has been changed.
Successfully set default action to PERMIT

# lsdev -C | grep ip
ipsec_v4    Available             IP Version 4 Security Extension
ipsec_v6    Available             IP Version 6 Security Extension

Note: I left the “Deny All Non_Secure IP Packets” set to no, as I would prefer to allow everything by default and only block/deny IP addresses by exception.

Creating Rules

Now that IPSec is enabled, I can create a new IP filter rule to block the IP address 8.211.1.243 from accessing my host. This rule prevents 8.211.1.243 from accessing any protocol/service, on all interfaces, on my AIX host: it can no longer open any network connection to my AIX host. The rule is created using the genfilt tool and then activated with the mkfilt utility.

# genfilt -v 4 -a D -s 8.211.1.243 -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -g N -c all -r B -w I -l Y -f Y -i all
 
# mkfilt -v 4 -u

Confirming Rules

Using the lsfilt command I can confirm that my new rule has been added to the IP filter rules on my AIX host.

# lsfilt | grep -p 8.211.1.243
Rule 3:
Rule action         : deny
Source Address      : 8.211.1.243
Source Mask         : 255.255.255.255
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : no
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : inbound
Logging control     : yes
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :

Changing, Removing and Activating Rules

If I decide I would like to change a rule, I can use the chfilt command to alter an existing rule. If I choose to remove this rule, I can use the rmfilt command, as shown below. I first need to find the rule number associated with the IP filter (in this case, it’s rule number 3). To remove the rule, I run the rmfilt command and then activate the new rule set with mkfilt.

# lsfilt | grep -p 8.211.1.243
Rule 3:
Rule action         : deny
Source Address      : 8.211.1.243
Source Mask         : 255.255.255.255
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : no
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : inbound
Logging control     : yes
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :
 
# rmfilt -v 4 -n '3'
Filter rule 3 for IPv4 has been removed successfully.
 
# mkfilt -v 4 -u
# lsfilt | grep -p 8.211.1.243
#

Preventing AIX Intrusion

I found myself in need of this type of solution when working with an AIX system that was directly connected to the Internet. Various services were open and available on the AIX host’s public interface. As a result, this host was subject to constant port probing by external IP addresses on the Internet. One service, Secure Shell (SSH), was unsurprisingly being probed more than others. SSH is a common target of brute-force credential attacks, because it is the protocol system administrators most often use to gain secure remote access to a server for management tasks. As a result, it is one of the most targeted services for brute-force/dictionary attacks. Many other network services, such as SMTP, are also susceptible to brute-force attacks. Please refer to the references at the end of this article for more information. On a regular basis I would find failed SSH login attempts in the syslog file (as shown below).

Nov 25 23:38:09 myaixhost auth|security:info sshd[65539]: Failed password for root from 8.211.1.243 port 44968 ssh2
Nov 25 23:38:09 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 8.211.1.243
Nov 25 23:38:10 myaixhost auth|security:info sshd[65541]: Failed password for root from 8.211.1.243 port 45262 ssh2
Nov 25 23:38:10 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 8.211.1.243

By manually adding an IP filter rule to block the offending address, I could prevent this kind of “brute force” attack from recurring. In addition, I also wanted to automate this process. I wanted a way to detect this kind of attack and then automatically add new IP filter rules.

Syslog Sample Script

I wrote a script to scan my syslog file and look for any failed SSH login attempts from unknown external IP addresses and then automatically add IP filter rules for the offending IP address(es). Here’s an example of the output from the script:

# block_ip.ksh
IP address 168.167.134.1 already blocked by IP filter
 
IP address 176.111.173.242 already blocked by IP filter
 
IP address 176.111.173.44 already blocked by IP filter
 
IP address 177.249.42.39 already blocked by IP filter
 
IP address 193.169.255.199 already blocked by IP filter
 
Adding 193.3.19.87 to IP filter blocked list
Filter rule 27 for IPv4 has been added successfully.
 
IP address 31.184.219.20 already blocked by IP filter
 
IP address 45.9.20.25 already blocked by IP filter
 
IP address 45.9.20.73 already blocked by IP filter
 
IP address 47.252.32.114 already blocked by IP filter
 
IP address 47.253.106.222 already blocked by IP filter
 
IP address 47.253.197.231 already blocked by IP filter
 
IP address 47.90.250.31 already blocked by IP filter
 
IP address 62.35.127.104 already blocked by IP filter
 
The following IP addresses were added to the blocked IP filter list.
25a26
> Source Address      : 193.3.19.87
 
Statistics of IP Security packets:
IPSec Devices:
   ipsec_v4 Available
   ipsec_v6 Available
 
Authentication Algorithm:
   CMAC_AES_XCBC -- Cipher-based MAC using AES-XCBC Authentication Module
   HMAC_MD5 -- Hashed MAC MD5 Authentication Module
   HMAC_SHA -- Hashed MAC SHA Hash Authentication Module
   KEYED_MD5 -- Keyed MD5 Hash Authentication Module
 
Encryption Algorithm:
   3DES_CBC -- Triple DES CBC Encryption Module
   AES_CBC_128 -- AES CBC 128 bit key Encryption Module
   AES_CBC_192 -- AES CBC 192 bit key Encryption Module
   AES_CBC_256 -- AES CBC 256 bit key Encryption Module
   DES_CBC_4 -- DES CBC 4 Encryption Module
   DES_CBC_8 -- DES CBC 8 Encryption Module
   NULL -- Null Encryption Algorithm module
 
IPSec Statistics -
Total incoming packets:               820167
   Incoming AH packets:                    0
   Incoming ESP packets:                   0
   Srcrte packets allowed:                 0
Total outgoing packets:              1289450
   Outgoing AH packets:                    0
   Outgoing ESP packets:                   0
Total incoming packets dropped:         2978
  Filter denies on input:               2978
  AH did not compute:                      0
  ESP did not compute:                     0
  AH replay violation:                     0
  ESP replay violation:                    0
Total outgoing packets dropped:            0
  Filter denies on output:                 0
Tunnel cache entries added:                0
Tunnel cache entries expired:              0
Tunnel cache entries deleted:              0

In the example above, the script found an IP address that was not already blocked and that had been attempting, unsuccessfully, to log in via SSH; it then added that address to the rule set. Whenever a relevant event is found in syslog, the script must first check whether the IP address is already blocked before adding a new rule; only if the address is not already blocked does it go ahead and add one. Below is the script header with a bit more of a description of what it does.

#!/usr/bin/ksh
#
#
# Script to block IP addresses that have reported failed login attempts (in /var/log/syslog) via SSH.
# Be very careful with this script. It DOES NOT DISCRIMINATE! If a login via SSH with your own
# username/password fails because you entered the wrong password (for example), it will block your IP address
# the next time the script is run (assuming, of course, that the failed login attempt is still recorded in /var/log/syslog).
#
#
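The article shows the header of block_ip.ksh but not its body. The following is an added example, written for this page and not the author's script, of the logic the header and the output above describe: pull the source addresses out of "Failed password" syslog lines, skip any address that lsfilt already lists as a Source Address, and build the same genfilt deny rule the article uses for the rest, followed by a single mkfilt activation. The syslog lines and lsfilt output embedded below are constructed sample data, the allowlist of management networks is an assumption added to guard against the "does not discriminate" problem the header warns about, and the commands are only printed unless DRY_RUN=0 is set, so the script can be exercised off an AIX host.

```shell
#!/bin/sh
# Added example, not the article's own block_ip.ksh: find source addresses of
# failed SSH logins in syslog, skip addresses lsfilt already denies, and build
# the genfilt/mkfilt commands that would block the remainder. Commands are
# printed (dry run) unless DRY_RUN=0 is set in the environment.

# Constructed sample syslog lines in the format the article shows.
SAMPLE_SYSLOG='Nov 25 23:38:09 myaixhost auth|security:info sshd[65539]: Failed password for root from 8.211.1.243 port 44968 ssh2
Nov 25 23:38:09 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 8.211.1.243
Nov 25 23:38:10 myaixhost auth|security:info sshd[65541]: Failed password for root from 8.211.1.243 port 45262 ssh2
Nov 25 23:40:01 myaixhost auth|security:info sshd[65550]: Failed password for admin from 193.3.19.87 port 51234 ssh2
Nov 25 23:41:02 myaixhost auth|security:info sshd[65552]: Failed password for root from 10.1.1.5 port 40000 ssh2'

# Constructed lsfilt output: 8.211.1.243 is already denied by rule 3.
SAMPLE_LSFILT='Rule 3:
Rule action         : deny
Source Address      : 8.211.1.243
Source Mask         : 255.255.255.255
Direction           : inbound'

# Assumption: management networks that must never be blocked automatically.
# This is the guard against locking yourself out after a mistyped password.
is_allowlisted() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Unique source addresses from "Failed password for <user> from <ip> port" lines.
failed_ssh_ips() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed password for .* from \([0-9][0-9.]*\) port .*/\1/p' |
        LC_ALL=C sort -u
}

# True when the lsfilt text already has a rule whose Source Address is this ip.
already_blocked() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep
    printf '%s\n' "$2" | grep -q "^Source Address *: $ip_re\$"
}

# The same inbound deny rule the article creates, with the address substituted.
genfilt_cmd() {
    printf 'genfilt -v 4 -a D -s %s -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -g N -c all -r B -w I -l Y -f Y -i all\n' "$1"
}

# Print the commands for addresses that are new, hostile and not allowlisted;
# status messages go to stderr so stdout is only the command plan.
plan_blocks() {
    syslog_text=$1
    lsfilt_text=$2
    added=0
    for ip in $(failed_ssh_ips "$syslog_text"); do
        if is_allowlisted "$ip"; then
            echo "skipping allowlisted address $ip" >&2
        elif already_blocked "$ip" "$lsfilt_text"; then
            echo "IP address $ip already blocked by IP filter" >&2
        else
            echo "Adding $ip to IP filter blocked list" >&2
            genfilt_cmd "$ip"
            added=$((added + 1))
        fi
    done
    # Activate the new rule set once, and only when a rule was actually added.
    [ "$added" -gt 0 ] && echo 'mkfilt -v 4 -u'
    return 0
}

# Execute the plan, or just show it when DRY_RUN is unset or not 0.
apply_blocks() {
    plan_blocks "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 0 ]; then eval "$cmd"; else echo "[dry-run] $cmd"; fi
    done
}

# On a real AIX host this would be: apply_blocks "$(cat /var/log/syslog)" "$(lsfilt -v 4)"
apply_blocks "$SAMPLE_SYSLOG" "$SAMPLE_LSFILT"
```

Run from cron exactly as the article does with its own script, this would read the live syslog and lsfilt output instead of the embedded samples; the dry-run default and the allowlist are the two safety rails the page's header comment says the original lacks, so review the printed plan once before switching DRY_RUN to 0.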

This script now runs once per hour from cron on the AIX host.

Note, to configure IPSec firewall on AIX, the following filesets must be installed on the AIX host:

bos.msg.en_US.net.ipsec    7.3.0.0  COMMITTED  IP Security Messages - U.S.
bos.net.ipsec.keymgt       7.3.0.1  COMMITTED  IP Security Key Management
bos.net.ipsec.rte          7.3.0.0  COMMITTED  IP Security

Additional Information

Please refer to the following links for more information about AIX firewall and IPSec filtering configuration. I highly recommend reading about “mkfilt -d” to recover from misconfiguration issues and “mkfilt -g start” to start the ipsec_logd daemon to “view which packets are being dropped.”