LinuxQuestions.org
Old 09-10-2007, 11:49 PM   #16
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36

You know, there is a newer XT Tarpit. I've been using it awhile now. There's an ipset patch too, but you didn't ask. Here's the ones I used from the 2.6.22.6 I put together last night. Vanilla kernel and iptables snapshot, I started with. Make sure ip_TARPIT is cleared out of your config, and <M> (module) the XT_TARPIT option:

CONFIG_NETFILTER_XT_TARGET_TARPIT=m
# CONFIG_IP_NF_TARGET_TARPIT is not set

Code:
Gumming up an infested Win32 host (iptraf w/o the colors):

203.81.47.211:4150    =    11461   --A-     ppp0
atr2.ath.cx:ssc-agent =    11440   --A-     ppp0


tftp://atr2.ath.cx/tarpit-xt.zip

(Note tftp, not ftp- I find people stumbling around ftp directories looking for files that aren't there sometimes, but possibly that's an MSIE bug^H^H^Hfeature...)

See the zip comment for a few, umm... comments


Update: in.tftp evidently has its own idea of how hosts_access should be looked up when the service doesn't appear in either allow or deny, so if the link doesn't work, switch protocol to https and use the same path. Sorry 'bout that.

Last edited by jayjwa; 09-11-2007 at 10:30 AM. Reason: in.tftpd being flaky
 
Old 09-11-2007, 01:55 PM   #17
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 70
Quote:
Originally Posted by jayjwa View Post
You know, there is a newer XT Tarpit. I've been using it awhile now. There's an ipset patch too, but you didn't ask.
Just for confirmation, x_tables is the new netfilter framework designed to unify the backend for {ip,ip6,arp}_tables, correct?

Do you know if/whether xt_TARPIT is coming into POM-ng or mainline kernel anytime soon? This thread suggests it is ready, but may not make it until after 2.6.24.
 
Old 09-29-2007, 09:36 PM   #18
felosi
LQ Newbie
 
Registered: Jan 2006
Location: USA
Distribution: CentOS for servers and Ubuntu for desktop
Posts: 25

Original Poster
Rep: Reputation: 15
Update on this. I finally got the module compiled using the fixes in this thread but could not get the module loaded no matter what. Just said module didn't exist.

So the other night in irc someone found this site
http://enterprise.bidmc.harvard.edu/pub/tarpit-updates/

Didn't compile, tried on 2.6.19.2-grsec and 2.6.22.9-grsec (testing patch), similar errors as the old one.

2.6.22.9-grsec errors - http://pastebin.ca/720168
2.6.19.2-grsec errors - http://pastebin.ca/720174

Doesn't look like the tarpit module is gonna work out with any newer kernel. If someone has got this to work with at least a 2.6.19 kernel please elaborate how you did it.

But I think I will pretty much give up on it, will have to. Doesn't look like it's gonna be maintained anymore and there is a real lack of interest in it. So probably another good idea that is gonna fade away
 
Old 09-29-2007, 10:46 PM   #19
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 70
Quote:
Originally Posted by felosi View Post
Update on this. I finally got the module compiled using the fixes in this thread but could not get the module loaded no matter what. Just said module didn't exist.
What was the exact message? Was the module in /lib/modules? Did you run “depmod” after installation? Did you try insmoding the object by hand? Was there any output in dmesg?
Quote:
Originally Posted by felosi View Post
So the other night in irc someone found this site
http://enterprise.bidmc.harvard.edu/pub/tarpit-updates/

Didn't compile, tried on 2.6.19.2-grsec and 2.6.22.9-grsec (testing patch), similar errors as the old one.

2.6.22.9-grsec errors - http://pastebin.ca/720168
2.6.19.2-grsec errors - http://pastebin.ca/720174
Both of those errors seem to be addressed in the bottom portion of post 13. Basically, the fix is to remove the line that references nf_debug. Alternatively, you could compile your kernel without selecting CONFIG_NETFILTER_DEBUG. My guess is that nobody has noticed this compilation error since almost nobody builds their kernel with CONFIG_NETFILTER_DEBUG.
Quote:
Originally Posted by felosi View Post
Doesn't look like the tarpit module is gonna work out with any newer kernel. If someone has got this to work with at least a 2.6.19 kernel please elaborate how you did it.
I actually have an almost-vanilla 2.6.21 kernel running it as we speak. It’s the vanilla patch-o-matic-ng version, and my kernel’s .config file says “# CONFIG_NETFILTER_DEBUG is not set” (you can check if this is the case on your running kernel with “zgrep CONFIG_NETFILTER_DEBUG /proc/config.gz”). I also have an older version of tarpit running on 2.6.16-grsec on which I made a few minor changes, the details of which escape me after so long. In both cases, the modules seem to work as intended.
Quote:
Originally Posted by felosi View Post
But I think I will pretty much give up on it, will have to. Doesn't look like it's gonna be maintained anymore and there is a real lack of interest in it. So probably another good idea that is gonna fade away
You don’t have to give up on it. In any case, it seems that this module is being supplanted by its x_tables-compatible counterpart, as mentioned here. Hopefully, it will be in the kernel within a few releases.
 
Old 09-30-2007, 01:07 AM   #20
felosi
LQ Newbie
 
Registered: Jan 2006
Location: USA
Distribution: CentOS for servers and Ubuntu for desktop
Posts: 25

Original Poster
Rep: Reputation: 15
Thank you very much!
Unchecking the netfilter debug option fixed it, now am able to load and use the module just fine.
Thanks for all your help
 
Old 10-16-2007, 03:15 PM   #21
justdiy
LQ Newbie
 
Registered: Oct 2007
Posts: 3

Rep: Reputation: 0
I'm having trouble compiling the xt_tarpit module as well.

Kernel is a vanilla 2.6.22.10 kernel from kernel.org. I first tried applying the patch offered on page one of this thread, and wound up with the compile failing:

ERROR: "secure_tcp_sequence_number" [net/netfilter/xt_TARPIT.ko] undefined!

So I tried the patch-o-matic patch for 2.6.22 as well, and it comes up with a similar error:

ERROR: "secure_tcp_sequence_number" [net/ipv4/netfilter/ipt_TARPIT.ko] undefined!

Google found a reference to this:
http://archives.free.net.ph/message/...8f567d.en.html

which deals with secure_tcp_sequence_number not being exported from drivers/char/random.c ... I looked in random.c and found this:

#ifdef CONFIG_INET
EXPORT_SYMBOL(secure_tcp_sequence_number);
#endif

which indicates to me that it is exported, right?

Any thoughts?
 
Old 10-16-2007, 10:29 PM   #22
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 70
Quote:
Originally Posted by justdiy View Post
#ifdef CONFIG_INET
EXPORT_SYMBOL(secure_tcp_sequence_number);
#endif

which indicates to me that it is exported, right?
It indicates the symbol is exported if and only if CONFIG_INET is defined. Are you trying to compile for a kernel configured without a network stack (or perhaps it is IPv6 only)? In any case, check the output of
Code:
grep 'CONFIG_INET' .config
where .config is the config file for the target kernel.
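
The `.config` checks that come up across this thread (CONFIG_INET on, CONFIG_NETFILTER_DEBUG off, exactly one TARPIT target selected), collected into one script. This is an added example, not code from any poster in the thread; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a kernel .config for the options this thread discusses.

# read_config FILE: print the config; handles gzip (e.g. /proc/config.gz).
read_config() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# opt_state FILE OPTION: print y, m, or n ("is not set" or absent).
opt_state() {
    val=$(read_config "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p" | head -n 1)
    echo "${val:-n}"
}

# check_tarpit_config FILE: print each problem found; return 1 if any.
check_tarpit_config() {
    cfg=$1
    rc=0
    if [ "$(opt_state "$cfg" CONFIG_INET)" != y ]; then
        echo "CONFIG_INET off: EXPORT_SYMBOL(secure_tcp_sequence_number) is compiled out"
        rc=1
    fi
    if [ "$(opt_state "$cfg" CONFIG_NETFILTER_DEBUG)" != n ]; then
        echo "CONFIG_NETFILTER_DEBUG on: the nf_debug line will not compile"
        rc=1
    fi
    xt=$(opt_state "$cfg" CONFIG_NETFILTER_XT_TARGET_TARPIT)
    ipt=$(opt_state "$cfg" CONFIG_IP_NF_TARGET_TARPIT)
    if [ "$xt" = n ] && [ "$ipt" = n ]; then
        echo "no TARPIT target selected"
        rc=1
    elif [ "$xt" != n ] && [ "$ipt" != n ]; then
        echo "xt and ipt TARPIT both selected: clear CONFIG_IP_NF_TARGET_TARPIT"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the failing combination (netfilter debugging enabled).
sample=$(mktemp)
printf '%s\n' 'CONFIG_INET=y' 'CONFIG_NETFILTER_DEBUG=y' \
    'CONFIG_NETFILTER_XT_TARGET_TARPIT=m' \
    '# CONFIG_IP_NF_TARGET_TARPIT is not set' > "$sample"
check_tarpit_config "$sample" || echo "fix the items above, then rebuild"
rm -f "$sample"
```
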
 
Old 10-17-2007, 09:21 AM   #23
justdiy
LQ Newbie
 
Registered: Oct 2007
Posts: 3

Rep: Reputation: 0
Turns out that secure_tcp export was added by the xt_tarpit patch ... so I did a make clean on the kernel source, then a make to rebuild everything (ditto on the iptables source, just to be safe). After rebooting with the new kernel, the module loads just fine.
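
The situation resolved above, where the patched source carries the `EXPORT_SYMBOL` line but the kernel that was actually built predates it, can be told apart from a symbol that is not exported at all. The following is an added example, not code from the thread; it assumes the build tree's `Module.symvers` is available, and the function name, file contents and CRC values are constructed.

```shell
#!/bin/sh
# Added example: is a symbol exported by the *built* kernel, or only in source?

# export_status SRC_FILE SYMVERS_FILE SYMBOL prints one of:
#   built   - listed in Module.symvers; modules can link against it
#   stale   - EXPORT_SYMBOL is in the source but not in Module.symvers yet,
#             so the kernel must be rebuilt
#   missing - not exported in either place
# #ifdef guards around the export (such as CONFIG_INET) are not evaluated.
export_status() {
    src=$1
    symvers=$2
    sym=$3
    # Module.symvers is tab-separated; the symbol name is the second field.
    if awk -F'\t' -v s="$sym" '$2 == s { f = 1 } END { exit !f }' "$symvers"; then
        echo built
    elif grep -Eq "^[[:space:]]*EXPORT_SYMBOL(_GPL)?\($sym\);" "$src"; then
        echo stale
    else
        echo missing
    fi
}

# Constructed sample: patched source, Module.symvers from before the patch.
# CRC values are placeholders.
dir=$(mktemp -d)
printf '%s\n' '#ifdef CONFIG_INET' \
    'EXPORT_SYMBOL(secure_tcp_sequence_number);' '#endif' > "$dir/random.c"
printf '0x00000000\t%s\tvmlinux\tEXPORT_SYMBOL\n' \
    get_random_bytes > "$dir/Module.symvers"
export_status "$dir/random.c" "$dir/Module.symvers" secure_tcp_sequence_number
rm -rf "$dir"
```
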
 
Old 10-18-2007, 08:45 PM   #24
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
Still working on 2.6.23.1, with fuzzy matchup. I should do a cleaned up diff. More stuff seems to be moving to the XT format with the 2.6.23 series. I think patch-o-matic is of little or no use with these kernels; wish they'd update it.
 
Old 05-09-2008, 10:04 AM   #25
thehungle
LQ Newbie
 
Registered: May 2008
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by jayjwa View Post
Still working on 2.6.23.1, with fuzzy matchup. I should do a cleaned up diff. More stuff seems to be moving to the XT format with the 2.6.23 series. I think patch-o-matic is of little or no use with these kernels; wish they'd update it.
I tried to compile iptables 1.4.0 TARPIT with 2.26.23 vanilla using the following patches:

http:
enterprise.bidmc.harvard.edu/pub/tarpit-updates/

Unfortunately, there is an error when compiling it. It has something to do with the following lines of code:

net/netfilter/xt_TARPIT.c: In function ‘tarpit_tcp’:
net/netfilter/xt_TARPIT.c:114: error: implicit declaration of function ‘nf_conntrack_put’
net/netfilter/xt_TARPIT.c:114: error: ‘struct sk_buff’ has no member named ‘nfct’
net/netfilter/xt_TARPIT.c:115: error: ‘struct sk_buff’ has no member named ‘nfct’
make[2]: *** [net/netfilter/xt_TARPIT.o] Error 1
make[1]: *** [net/netfilter] Error 2


Could someone point me to a patch that could fix the problem? Sorry for the broken URL because I am a newbie. This is my first post and I cannot post URL.

Thanks in advance!

Hung

Last edited by thehungle; 05-09-2008 at 02:02 PM.
 
Old 05-10-2008, 01:10 AM   #26
felosi
LQ Newbie
 
Registered: Jan 2006
Location: USA
Distribution: CentOS for servers and Ubuntu for desktop
Posts: 25

Original Poster
Rep: Reputation: 15
Make sure you deselect the netfilter debugging in kernel config. I recently got the new updates from that Harvard site and they have worked flawlessly with the latest kernels.

Here is a config for the 2.6.24.3 kernel with grsecurity and tarpit, works like a charm

Last edited by felosi; 05-10-2008 at 01:11 AM.
 
  


All times are GMT -5.