Network Attack Defense
Linux
This section contains details support of the Network Attack Defense module on Linux endpoints, including Linux distributions and dependencies, such as iptables rules and communication requirements.
Supported distributions
Distribution | Cloud platform availability | ||
|---|---|---|---|
Amazon Web Services | Microsoft Azure | Google Cloud Platform | |
RHEL 7.x |
|
|
|
RHEL 8.x |
|
|
|
Oracle Linux 7.x (UEK +RHCK) |
|
|
|
Oracle Linux 8.x (UEK +RHCK) |
|
|
|
CentOS 7.x |
|
|
|
CentOS 8.x |
|
|
|
Debian 9 |
|
|
|
Debian 10 |
|
|
|
Debian 11 |
|
|
|
Ubuntu 16.04.x |
|
|
|
Ubuntu 18.04.x |
|
|
|
Ubuntu 20.04.x |
|
|
|
Ubuntu 21.04.x |
|
|
|
Ubuntu 21.10.x |
|
|
|
Ubuntu 22.04 |
|
|
|
SLES 15 SP1 |
|
|
|
SLES 15 SP2 |
|
|
|
SLES 15 SP3 |
|
|
|
openSUSE Leap 15.2 |
|
|
|
Amazon Linux v2 |
|
|
|
Azure Mariner |
|
|
|
Fedora 31 - 36 |
|
|
|
AlmaLinux 8.x |
|
|
|
Rocky Linux 8.x |
|
|
|
CloudLinux 8.x |
|
|
|
CloudLinux 7.x |
|
|
|
Pardus 21 |
|
|
|
Mint 20.3 |
|
|
|
Miracle 8.4 |
|
|
|
Dependencies
Network Attack Defense depends on the
iptablesLinux package. You need to manually install the package on all endpoints where the NAD module is to be deployed.Network Attack Defense acts like a proxy, only for the FTP and SSH protocols, receiving traffic and protecting against Man in the Middle attacks, as well as other attack types (brute-force attacks, network exploits, password stealers, drive-by-download infection vectors, bots and Trojans).
The package is available for all supported distributions, and can be downloaded by using the bellow commands:
For Debian based operating systems:
apt install -y iptables
For Red Hat based operating systems
dnf install -y iptables
For SUSE operating systems:
zypper install iptables
Network Attack Defense uses port
8887by default.If the port is already in use, NAD does not switch to another port dynamically. You need to make sure that the port is not in use.
Important
If port 8887 is used by another application or blocked by a firewall Network Attack Defense will not be able to receive traffic.
Setting up iptables rules
The iptables package Inserts rules on the endpoint operating system using iptables, which forward all traffic coming from our supported ports (21 & 22 ) to the 127.0.0.1:8887 IP address, except traffic made by the product itself.
Rules are set by a series of scripts, which are delivered when the BEST agent is installed on a endpoint. During installation, the scripts will be placed under /opt/bitdefender-security-tools/etc/nad.d/, sorted and then run.
Network Attack Defense sorts and runs these executable scripts passing the stop or start argument. They are located under /opt/bitdefender-security-tools/etc/nad.d/.
Note
You can add your own custom iptables scripts under the /opt/bitdefender-security-tools/etc/nad.d/ folder. They must support stop and start arguments.
The 01-ssh.sh and 02-ftp.sh scripts will be automatically overwritten when the product is updated.
Scripts are sorted based on their file name. They run in alphabetical order and stop in reversed order. Take this into consideration when naming your custom scripts.
Warning
Running Network Attack Defense alongside other applications which use iptables might cause undesired behavior, including loss of networking.
When deploying the Network Attack Defensemodule on an endpoint, incoming traffic from all ports will be routed through
127.0.0.1:8887. This causes all ports to be open while Network Attack Defense while the FTP monitoring is active.Incoming traffic will appear to be coming from a local IP address, even though it might come from an external IP. This might cause some apps which rely on source IP to have a specific value (e.g. Zabbix) to malfunction.
All packets not routed through Network Attack Defense will be marked with the
0x3887tag. This may create conflicts with other applications which use Iptables, such as firewalls.
Learn how to configure Network Attack Defense in GravityZone Control Center.
Learn how to deploy Network Attack Defense on Windows servers.