=================================
IPS SSLBlacklists & Feodo Tracker
=================================

This tutorial explains how to set up the IPS system to drop SSL certificates
listed on the `abuse.ch <https://www.abuse.ch>`__ SSL Blacklists & Feodo Tracker.

Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud
and steal sensitive information from the victim’s computer, such as credit card
details or credentials. For more information see https://feodotracker.abuse.ch

-------------
Prerequisites
-------------

* Always upgrade to the latest release first.
  See :doc:`/manual/install` and/or upgrade to the latest release:
  :menuselection:`System --> Firmware --> Fetch updates`

  .. image:: images/firmware.png
     :width: 100%

* Minimum advisable memory is 2 Gigabyte and sufficient free disk space for
  logging (>10 GB advisable).

* Disable all hardware offloading under **Interface-Settings**

  .. image:: images/disable_offloading.png
     :width: 100%

.. warning::

  After applying you need to reboot OPNsense, otherwise offloading may not be
  completely disabled and IPS mode will not function.

.. Note::

  Some features described on this page were added in version 16.1.1.
  Always keep your system up to date.

--------------------------------------
Setup Intrusion Detection & Prevention
--------------------------------------

To enable IDS/IPS just go to :menuselection:`Services --> Intrusion Detection` and select
**enabled & IPS mode**. Make sure you have selected the right interface for the intrusion
detection system to run on. For our example we will use the WAN interface, as
that will most likely be your connection with the public Internet.

.. image:: images/idps.png
   :width: 100%

-------------------
Apply configuration
-------------------

First apply the configuration by pressing the **Apply** button at the bottom of
the form.

.. image:: images/applybtn.png

---------------
Fetch Rule sets
---------------

For this example we will only fetch the abuse.ch SSL & Feodo Tracker rulesets.
To do so, select **Enabled** after each one.

.. image:: images/rulesets_enable.png
   :width: 100%

To download the rule sets press **Download & Update Rules**.

.. image:: images/downloadbtn.png

-----------------------
Change default behavior
-----------------------

To block matches instead of alerting on them, go to the :menuselection:`Services --> Intrusion Detection --> Policies` page
and add a new policy. You can easily select the associated rulesets here (all starting with abuse.ch),
select the current action "Alert", and then set the new action, which should be "Drop".

Apply the settings at the bottom of the page when done.

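The effect of the policy above, shown as an added example (my code, not OPNsense's or Suricata's): rewriting the action of downloaded Suricata rules from ``alert`` to ``drop`` for the abuse.ch rulesets only, while leaving disabled (commented-out) rules and unrelated rules untouched. Selecting rules by their ``msg`` prefix is an assumption standing in for OPNsense's ruleset selection, and the rule lines, SIDs and fingerprint are constructed placeholders, not the real feed.

```python
import re

# Constructed sample rules file (not the real abuse.ch feed): two enabled
# abuse.ch rules, one disabled (commented-out) abuse.ch rule and one
# unrelated rule. SIDs and the fingerprint are placeholders.
SAMPLE_RULES = """\
# constructed sample, not the real abuse.ch feed
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL: Malicious SSL certificate detected (constructed)"; tls.fingerprint:"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Feodo Tracker: Known C2 (constructed)"; sid:9000002; rev:1;)
# alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL: disabled rule (constructed)"; sid:9000003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY unrelated (constructed)"; sid:9000004; rev:1;)
"""

# The first word of an enabled rule is its action; msg and sid live in the
# option block. A line starting with '#' is a disabled rule and never matches.
ACTION_RE = re.compile(r"^(alert|drop|pass|reject)\s+")
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r"sid:(\d+);")


def apply_policy(rules_text, msg_prefixes, new_action="drop"):
    """Rewrite the action of every enabled rule whose msg starts with one of
    msg_prefixes. Returns (rewritten_text, changed_sids). Comment lines and
    non-matching rules pass through unchanged."""
    out, changed = [], []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        msg = MSG_RE.search(line)
        if m and msg and msg.group(1).startswith(tuple(msg_prefixes)):
            line = new_action + line[m.end(1):]   # swap only the action word
            sid = SID_RE.search(line)
            changed.append(int(sid.group(1)) if sid else None)
        out.append(line)
    return "\n".join(out) + "\n", changed


def count_actions(rules_text):
    """Count enabled rules per action, e.g. {'alert': 1, 'drop': 2}."""
    counts = {}
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    rewritten, sids = apply_policy(SAMPLE_RULES, ("SSLBL", "Feodo Tracker"))
    print(rewritten)
    print("changed SIDs:", sids, "actions:", count_actions(rewritten))
```

Running it shows the two enabled abuse.ch rules switched to ``drop`` while the disabled rule and the unrelated rule keep their original text, which is the state the next "Download & Update Rules" step produces on the firewall.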
------------------------
Apply fraud drop actions
------------------------

Now press **Download & Update Rules** again to change the behavior to drop.

.. image:: images/downloadbtn.png

---------------
Keep up to date
---------------

Now schedule a regular fetch to keep your server up to date.

Click on **Schedule**; a popup window will appear:

.. image:: images/schedule.png
   :width: 100%

Select **enabled** and choose a time. For the example it is set to each day at 11:12.
Select **Save changes** and wait until you have returned to the IDS screen.

----
DONE
----

Your system has now been fully set up to drop known fraudulent SSL certificates
as well as data phishing attempts by utilizing the Feodo tracking list.

------------
Sample alert
------------

Currently there is no test service available to check your block rules against,
however here is a sample of an actual alert that has been blocked:

.. image:: images/alerts.jpg
   :width: 100%