2
0
mirror of https://github.com/opnsense/docs synced 2024-11-15 06:12:58 +00:00
opensense-docs/source/manual/how-tos/ips-feodo.rst

119 lines
3.6 KiB
ReStructuredText
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

=================================
IPS SSLBlacklists & Feodo Tracker
=================================
This tutorial explains how to setup the IPS system to drop SSL certificates
listed on the `abuse.ch <https://www.abuse.ch>`__ SSL Blacklists & Feodo Tracker.
Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud
and steal sensitive information from the victims computer, such as credit card
details or credentials. For more information see https://feodotracker.abuse.ch
-------------
Prerequisites
-------------
* Always upgrade to latest release first.
See :doc:`/manual/install` and/or upgrade to latest release:
:menuselection:`System --> Firmware --> Fetch updates`
.. image:: images/firmware.png
:width: 100%
* Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for
logging (>10 GB advisable).
* Disable all Hardware Offloading
Under **Interface-Settings**
.. image:: images/disable_offloading.png
:width: 100%
.. warning::
After applying you need to reboot OPNsense otherwise offloading may not
completely be disabled and IPS mode will not function.
.. Note::
Some features described on this page were added in version 16.1.1.
Always keep your system up to date.
--------------------------------------
Setup Intrusion Detection & Prevention
--------------------------------------
To enable IDS/IPS just go to :menuselection:`Services --> Intrusion Detection` and select
**enabled & IPS mode**. Make sure you have selected the right interface for the intrusion
detection system too run on. For our example we will use the WAN interface, as
that will most likely be you connection with the public Internet.
.. image:: images/idps.png
:width: 100%
-------------------
Apply configuration
-------------------
First apply the configuration by pressing the **Apply** button at the bottom of
the form.
.. image:: images/applybtn.png
---------------
Fetch Rule sets
---------------
For this example we will only fetch the abuse.ch SSL & Dodo Tracker rulesets.
To do so: select Enabled after each one.
.. image:: images/rulesets_enable.png
:width: 100%
To download the rule sets press **Download & Update Rules**.
.. image:: images/downloadbtn.png
-----------------------
Change default behavior
-----------------------
To block matches instead of alerting on them, go to the :menuselection:`Service -> Intrusion Detection -> Policies` page
and add a new policy. You can easily select the associated rulesets here (all staring with abuse.ch) and select action "Alert"
next go to the new action, which should be "Drop".
Apply the settings at the bottom of the page when done.
------------------------
Apply fraud drop actions
------------------------
Now press **Download & Update Rules** again to change the behavior to drop.
.. image:: images/downloadbtn.png
---------------
Keep up to date
---------------
Now schedule a regular fetch to keep your server up to date.
Click on schedule, a popup window will appear:
.. image:: images/schedule.png
:width: 100%
Select **enabled** and choose a time. For the example it is set to each day at 11:12.
Select **Save changes** and wait until you have returned to the IDS screen.
----
DONE
----
Your system has now been fully setup to drop known fraudulent SSL certificates
as well data phishing attempts by utilizing the Feodo tracking list.
------------
Sample alert
------------
Currently there is no test service available to check your block rules against,
however here is a sample of an actual alert that has been blocked:
.. image:: images/alerts.jpg
:width: 100%