Filtering IP Addresses With AIX IPSec
Do you need to block a specific IP address or host from accessing your AIX system? One approach is to use AIX IP security (IPSec) to filter specific IP addresses. Learn how here.
The first step is to enable IPSec on the AIX. This example is for ipsec_v4.
# smit ipsec4 --> Start/Stop IP Security --> Start IP Security Start IP Security [Now and After Reboot] + Deny All Non_Secure IP Packets [no] ipsec_v4 Available Default rule for IPv4 in ODM has been changed. Successfully set default action to PERMIT # lsdev -C | grep ip ipsec_v4 Available IP Version 4 Security Extension ipsec_v6 Available IP Version 6 Security ExtensionNote: I left the "Deny All Non_Secure IP Packets" set to no, as I would prefer to allow everything by default and only block/deny IP addresses by exception.
Creating RulesNow that IPSec is enabled, I can create a new IP filter rule to block the IP address, 126.96.36.199, from accessing my host. This rule prevents 188.8.131.52 from accessing any protocol/service, on all interfaces, on my AIX host. They are now blocked from opening any network connections to my AIX host. The rule is created using the genfilt tool and then activated with the mkfilt utility.
# genfilt -v 4 -a D -s 184.108.40.206 -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -g N -c all -r B -w I -l Y -f Y -i all # mkfilt -v 4 -u
Confirming RulesUsing the lsfilt command I can confirm that my new rule has been added to the IP filter rules on my AIX host.
# lsfilt | grep -p 220.127.116.11 Rule 3: Rule action : deny Source Address : 18.104.22.168 Source Mask : 255.255.255.255 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : no Protocol : all Source Port : any 0 Destination Port : any 0 Scope : both Direction : inbound Logging control : yes Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : no Expiration Time : 0 Description :
Changing, Removing and Activating RulesIf I decide I would like to change a rule, I can use the chfilt command to alter an existing rule. If I choose to remove this rule, I can use the rmfilt command, as shown below. I first need to find the rule number associated with the IP filter (in this case, it’s rule number 3). To remove the rule, I run the rmfilt command and then activate the new rule set with mkfilt.
# lsfilt | grep -p 22.214.171.124 Rule 3: Rule action : deny Source Address : 126.96.36.199 Source Mask : 255.255.255.255 Destination Address : 0.0.0.0 Destination Mask : 0.0.0.0 Source Routing : no Protocol : all Source Port : any 0 Destination Port : any 0 Scope : both Direction : inbound Logging control : yes Fragment control : all packets Tunnel ID number : 0 Interface : all Auto-Generated : no Expiration Time : 0 Description : # rmfilt -v 4 -n '3' Filter rule 3 for IPv4 has been removed successfully. # mkfilt -v 4 -u # lsfilt | grep -p 188.8.131.52 #
Preventing AIX IntrusionI found myself in need of this type of solution when working with an AIX system that was directly connected to the Internet. Various services were open and available on the AIX host’s public interface. As a result, this host was subject to constant port probing by external IP addresses on the Internet. One service, Secure Shell (SSH), was unsurprisingly being probed more than others. SSH is a common service subjected to brute-force credentials attacks and is a popular protocol used by system administrators to gain secure remote access to a server to perform management tasks. As a result, it is one of the most targeted services for brute-force/dictionary attacks. Many other network services are also susceptible to brute force attacks, such as SMTP. Please refer to the references at the end of this article for more information. On a regular basis I would find failed SSH login attempts in the syslog file (as shown below).
Nov 25 23:38:09 myaixhost auth|security:info sshd: Failed password for root from 184.108.40.206 port 44968 ssh2 Nov 25 23:38:09 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 220.127.116.11 Nov 25 23:38:10 myaixhost auth|security:info sshd: Failed password for root from 18.104.22.168 port 45262 ssh2 Nov 25 23:38:10 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 22.214.171.124By manually adding an IP filter rule to block the offending address, I could prevent this kind of “brute force” attack from recurring. In addition, I also wanted to automate this process. I wanted a way to detect this kind of attack and then automatically add new IP filter rules.
Syslog Sample ScriptI wrote a script to scan my syslog file and look for any failed SSH login attempts from unknown external IP addresses and then automatically add IP filter rules for the offending IP address(es). Here’s an example of the output from the script:
# block_ip.ksh IP address 126.96.36.199 already blocked by IP filter IP address 188.8.131.52 already blocked by IP filter IP address 184.108.40.206 already blocked by IP filter IP address 220.127.116.11 already blocked by IP filter IP address 18.104.22.168 already blocked by IP filter Adding 22.214.171.124 to IP filter blocked list Filter rule 27 for IPv4 has been added successfully. IP address 126.96.36.199 already blocked by IP filter IP address 188.8.131.52 already blocked by IP filter IP address 184.108.40.206 already blocked by IP filter IP address 220.127.116.11 already blocked by IP filter IP address 18.104.22.168 already blocked by IP filter IP address 22.214.171.124 already blocked by IP filter IP address 126.96.36.199 already blocked by IP filter IP address 188.8.131.52 already blocked by IP filter The following IP addresses were added to the blocked IP filter list. 25a26 > Source Address : 184.108.40.206 Statistics of IP Security packets: IPSec Devices: ipsec_v4 Available ipsec_v6 Available Authentication Algorithm: CMAC_AES_XCBC -- Cipher-based MAC using AES-XCBC Authentication Module HMAC_MD5 -- Hashed MAC MD5 Authentication Module HMAC_SHA -- Hashed MAC SHA Hash Authentication Module KEYED_MD5 -- Keyed MD5 Hash Authentication Module Encryption Algorithm: 3DES_CBC -- Triple DES CBC Encryption Module AES_CBC_128 -- AES CBC 128 bit key Encryption Module AES_CBC_192 -- AES CBC 192 bit key Encryption Module AES_CBC_256 -- AES CBC 256 bit key Encryption Module DES_CBC_4 -- DES CBC 4 Encryption Module DES_CBC_8 -- DES CBC 8 Encryption Module NULL -- Null Encryption Algorithm module IPSec Statistics - Total incoming packets: 820167 Incoming AH packets: 0 Incoming ESP packets: 0 Srcrte packets allowed: 0 Total outgoing packets: 1289450 Outgoing AH packets: 0 Outgoing ESP packets: 0 Total incoming packets dropped: 2978 Filter denies on input: 2978 AH did not compute: 0 ESP did not compute: 0 AH replay violation: 0 ESP replay violation: 0 Total outgoing packets dropped: 0 Filter denies on output: 0 Tunnel cache entries added: 0 Tunnel cache entries expired: 0 Tunnel cache entries deleted: 0In the example above, we found an IP address that was not already blocked. It was attempting to log in via SSH unsuccessfully, and then adding the IP address to the rule set. If we find a relevant event in syslog, we must first check if the IP address is already blocked before adding a new rule. If the IP address is not already blocked, we can go ahead and add a new rule. Below is the script header with a bit more of a description of what it does.
#!/usr/bin/ksh # # # Script to block IP addresses that have reported failed login attempts (in /var/log/syslog) via SSH. # Be very careful with this script. It DOES NOT DISCRIMINATE! If you fail to login, via SSH, with your # username/password and it fails, because you entered the wrong password (for example), it will block you IP address # then next time the script is run (assuming, of course, that the failed login attempt is still recorded in /var/log/syslog). # #
This script now runs once per hour from cron on the AIX host.
Note, to configure IPSec firewall on AIX, the following filesets must be installed on the AIX host:
bos.msg.en_US.net.ipsec 220.127.116.11 COMMITTED IP Security Messages - U.S. bos.net.ipsec.keymgt 18.104.22.168 COMMITTED IP Security Key Management bos.net.ipsec.rte 22.214.171.124 COMMITTED IP Security
Additional InformationPlease refer to the following links for more information about AIX firewall and IPSec filtering configuration. I highly recommend reading about “mkfilt -d” to recover from misconfiguration issues and “mkfilt -g start” to start the ipsec_logd daemon to “view which packets are being dropped.”
About the author
Chris Gibson is an AIX and PowerVM specialist. He's an IBM Champion for Power Systems, IBM CATE and a technical editor.
See more by Chris Gibson