
Network Attack Defense

Linux

This section describes support for the Network Attack Defense (NAD) module on Linux endpoints, including the supported Linux distributions and the module's dependencies, such as the iptables rules it installs and its communication requirements.

Supported distributions

The table lists each supported distribution and whether the module is available for it on each cloud platform (AWS: Amazon Web Services, Azure: Microsoft Azure, GCP: Google Cloud Platform).

Distribution                    AWS   Azure   GCP
RHEL 7.x                        Yes   Yes     Yes
RHEL 8.x                        Yes   Yes     Yes
Oracle Linux 7.x (UEK +RHCK)    Yes   Yes     No
Oracle Linux 8.x (UEK +RHCK)    Yes   No      No
CentOS 7.x                      Yes   Yes     Yes
CentOS 8.x                      Yes   Yes     Yes
Debian 9                        Yes   Yes     Yes
Debian 10                       Yes   Yes     Yes
Debian 11                       Yes   Yes     Yes
Ubuntu 16.04.x                  Yes   Yes     Yes
Ubuntu 18.04.x                  Yes   Yes     Yes
Ubuntu 20.04.x                  Yes   Yes     Yes
Ubuntu 21.04.x                  Yes   Yes     Yes
Ubuntu 21.10.x                  Yes   Yes     Yes
Ubuntu 22.04                    Yes   Yes     Yes
SLES 15 SP1                     Yes   Yes     No
SLES 15 SP2                     Yes   Yes     Yes
SLES 15 SP3                     Yes   Yes     Yes
openSUSE Leap 15.2              No    Yes     No
Amazon Linux v2                 Yes   No      No
Azure Mariner                   No    Yes     No
Fedora 31 - 36                  Yes   No      No
AlmaLinux 8.x                   Yes   Yes     Yes
Rocky Linux 8.x                 Yes   Yes     Yes
CloudLinux 8.x                  Yes   Yes     Yes
CloudLinux 7.x                  Yes   Yes     Yes
Pardus 21                       Yes   Yes     Yes
Mint 20.3                       No    No      No
Miracle 8.4                     No    No      No

Dependencies
  • Network Attack Defense depends on the iptables Linux package. You need to install the package manually on every endpoint where the NAD module is to be deployed.

    Network Attack Defense acts as a proxy for the FTP and SSH protocols only: it receives the redirected traffic and protects against man-in-the-middle attacks as well as other attack types (brute-force attacks, network exploits, password stealers, drive-by download infection vectors, bots and Trojans).

    The package is available for all supported distributions and can be installed with the commands below:

    For Debian-based operating systems:

    apt install -y iptables

    For Red Hat-based operating systems (use yum instead of dnf on 7.x releases, which do not ship dnf):

    dnf install -y iptables

    For SUSE operating systems:

    zypper install iptables
  • Network Attack Defense listens on port 8887 by default.

    If the port is already in use, NAD does not switch to another port dynamically. You need to make sure that the port is free before deploying the module.

  • Important

    If port 8887 is used by another application, or is blocked by a firewall, Network Attack Defense will not be able to receive traffic.
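As an added pre-deployment check, not part of the product or of this page, the script below reads the kernel's /proc/net/tcp and /proc/net/tcp6 tables directly to find out whether anything already listens on the NAD port, so it works on any of the distributions above without ss or netstat. The function names, the default port variable NAD_PORT (8887) and the file-name guard at the bottom are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that TCP port 8887 is free before deploying Network
# Attack Defense. Not part of the product; assumed file name check-nad-port.sh.
#
# /proc/net/tcp{,6} list each socket as HEXIP:HEXPORT in column 2 and the
# socket state in column 4; state 0A is LISTEN.

NAD_PORT=${NAD_PORT:-8887}   # port NAD listens on by default (see page)

# Print, one per line in ascending order, every TCP port in LISTEN state found
# in the given /proc/net/tcp-style files (default: the live kernel tables).
listening_ports() {
  [ $# -eq 0 ] && set -- /proc/net/tcp /proc/net/tcp6
  for f in "$@"; do
    [ -r "$f" ] || continue
    awk '$4 == "0A" { split($2, a, ":"); print a[2] }' "$f" |
      while read -r hex; do
        echo "$((0x$hex))"      # hex port -> decimal
      done
  done | sort -un
}

# port_in_use PORT [FILE...]: succeed if PORT is bound by a listener.
port_in_use() {
  port=$1
  shift
  listening_ports "$@" | grep -qx "$port"
}

# Report whether the NAD port is free; non-zero status means deployment
# would leave NAD unable to receive traffic. Extra args are table files
# (only useful for testing against captured tables).
nad_port_check() {
  if port_in_use "$NAD_PORT" "$@"; then
    echo "TCP port $NAD_PORT is already in use: Network Attack Defense will not receive traffic" >&2
    return 1
  fi
  echo "TCP port $NAD_PORT is free"
}

# Run the check only when executed as the script itself, not when sourced.
case "$0" in
  */check-nad-port.sh|check-nad-port.sh) nad_port_check ;;
esac
```

Run it as root or as any user (the tables are world-readable) before pushing the module; a non-zero exit means something else owns 8887 and, as the note above says, NAD will not move to another port.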

Setting up iptables rules

Network Attack Defense inserts rules into the endpoint operating system using iptables. These rules forward all traffic arriving on the supported ports (21 and 22) to 127.0.0.1:8887, except traffic generated by the product itself.

The rules are set by a series of executable scripts delivered with the BEST agent. During installation the scripts are placed under /opt/bitdefender-security-tools/etc/nad.d/; Network Attack Defense then sorts them and runs each one, passing the start or stop argument.

Note

You can add your own custom iptables scripts under the /opt/bitdefender-security-tools/etc/nad.d/ folder. They must accept the start and stop arguments.

The 01-ssh.sh and 02-ftp.sh scripts are overwritten automatically when the product is updated, so any changes made to them are lost; keep customizations in your own scripts.

Scripts are sorted by file name: they are started in alphabetical order and stopped in reverse order. Take this into consideration when naming your custom scripts.
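The following custom hook script is an added example, not one of the product's scripts and not reproduced from them. It assumes a hypothetical second sshd listener on port 2222 that should be proxied through NAD like port 22, and the file name 50-alt-ssh.sh, chosen so it sorts after 01-ssh.sh and 02-ftp.sh (started after them, stopped before them). The rule shape, a nat PREROUTING REDIRECT to the NAD port that skips packets carrying the 0x3887 mark, is modelled on what this page says the product's rules do; whether NAD correctly handles a connection redirected from a non-standard port is an assumption to confirm in a test environment before relying on it. The IPTABLES variable exists only so the script can be dry-run with a stub binary.

```shell
#!/bin/sh
# Added example of a custom Network Attack Defense hook script (not a product
# script). Assumed location:
#   /opt/bitdefender-security-tools/etc/nad.d/50-alt-ssh.sh
# The "50-" prefix sorts it after the product's 01-ssh.sh and 02-ftp.sh, so
# the loader starts it after them and, running in reverse, stops it before them.
#
# Assumption: sshd also listens on 2222 and that port should be proxied by NAD
# exactly like 22. The rule mirrors the behaviour this page describes: redirect
# incoming traffic for the port to the NAD listener on 8887, but leave alone
# packets the product has marked 0x3887 (its own, bypassed traffic).

NAD_PROXY_PORT=${NAD_PROXY_PORT:-8887}   # NAD's default listening port
NAD_BYPASS_MARK=0x3887                   # mark the page says NAD uses for bypassed packets
ALT_SSH_PORT=${ALT_SSH_PORT:-2222}       # hypothetical extra sshd port
IPTABLES=${IPTABLES:-iptables}           # overridable for dry runs and tests

# $1 is -A (append, on start) or -D (delete, on stop). Everything after it is
# the same rule in both cases, so stop removes exactly what start inserted.
nad_alt_ssh_rule() {
  "$IPTABLES" -t nat "$1" PREROUTING -p tcp --dport "$ALT_SSH_PORT" \
    -m mark ! --mark "$NAD_BYPASS_MARK" \
    -j REDIRECT --to-ports "$NAD_PROXY_PORT"
}

# Entry point honouring the start/stop contract the nad.d loader expects;
# any other argument is a usage error (exit status 2).
nad_alt_ssh_main() {
  case "$1" in
    start) nad_alt_ssh_rule -A ;;
    stop)  nad_alt_ssh_rule -D ;;
    *)     echo "usage: $0 {start|stop}" >&2; return 2 ;;
  esac
}

# Dispatch only when executed as the hook script itself, not when sourced.
case "$0" in
  */50-alt-ssh.sh|50-alt-ssh.sh) nad_alt_ssh_main "$@" ;;
esac
```

Because stop deletes the exact rule that start appended, running the script twice with start leaves two identical rules and one stop removes only one of them; keep the script idempotent in your own environment if the loader may call it repeatedly. A dry run with IPTABLES set to a stub that echoes its arguments shows the rule before it touches a live host.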

Warning

  • Running Network Attack Defense alongside other applications that use iptables might cause undesired behavior, including loss of networking.

  • When the Network Attack Defense module is deployed on an endpoint and FTP monitoring is active, incoming traffic on all ports is routed through 127.0.0.1:8887. As a result, all ports appear open while FTP monitoring is active.

  • Incoming traffic will appear to come from a local IP address even when it originates from an external IP. This can break applications that rely on the source IP having a specific value (for example, Zabbix).

  • All packets not routed through Network Attack Defense are marked with the 0x3887 mark. This may conflict with other applications that use iptables marks, such as firewalls.

Learn how to configure Network Attack Defense in GravityZone Control Center.

Learn how to deploy Network Attack Defense on Windows servers.