
Network Attack Defense

Linux

The Network Attack Defense module acts like a proxy for the FTP and SSH protocols, receiving traffic and protecting against man-in-the-middle attacks, as well as other attack types (brute-force attacks, network exploits, password stealers, drive-by-download infection vectors, bots, and Trojans).

This section contains detailed support for the Network Attack Defense module on Linux endpoints.

Traffic capture technologies

Two traffic capture mechanisms route traffic to port 8887, the port that the Network Attack Defense server listens on. These technologies are iptables and eBPF.

iptables

The standard technology for routing traffic to Network Attack Defense uses the iptables package. It adds rules to the endpoint's operating system that forward traffic arriving on the supported ports 21 and 22 to port 8887, excluding traffic generated by the product itself.

These rules are set by a series of scripts, delivered when the BEST agent is installed on an endpoint. During installation, the scripts are placed under /opt/bitdefender-security-tools/etc/nad.d/.

When Network Attack Defense is started or stopped, these scripts are sorted by name and then executed. You should not run these scripts manually.

A script can be deactivated by stopping the product services, removing the executable permission from that script, and then restarting the services. The permission change persists across product updates, even though the scripts' contents are overwritten.

This is an example of deactivating a Network Attack Defense rules script:

sudo bd stop
sudo chmod -x /opt/bitdefender-security-tools/etc/nad.d/02-ftp.sh
sudo bd start
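To make the redirect mechanism described above concrete, here is an added illustration (written for this page, not one of the product's nad.d scripts, whose exact rules are not documented here) of how iptables can send traffic for a list of ports to a local proxy port and exclude the proxy's own onward connections. The proxy port 8887 comes from the page; the service user name nad_user used for the owner match is an assumption, not the product's real account. The rules are printed rather than applied so they can be reviewed first, and active_redirects shows what is really installed on the host:

```shell
#!/bin/sh
# Illustration of transparent redirection with iptables. This is NOT one of the
# /opt/bitdefender-security-tools/etc/nad.d/ scripts; it only shows the technique.
# Assumptions: the proxy listens on 8887 (from the page); locally generated proxy
# traffic is excluded with the owner match on an assumed user name (nad_user).

PROXY_PORT=8887
NAD_USER=${NAD_USER:-nad_user}   # assumed name, not the product's real account

# redirect_rules PORT...: print the iptables rules (one per line) that send
# inbound and locally originated TCP traffic for each PORT to the proxy port.
# Printing instead of applying lets you review the rules before touching an
# endpoint; they are only meant to be applied on a test machine.
redirect_rules() {
    for port in "$@"; do
        # Inbound: connections arriving for the real service are rewritten before routing.
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
            "$port" "$PROXY_PORT"
        # Outbound: connections this host initiates, except those opened by the proxy
        # user itself (otherwise the proxy's onward connection would loop back into it).
        printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -m owner ! --uid-owner %s -j REDIRECT --to-ports %s\n' \
            "$port" "$NAD_USER" "$PROXY_PORT"
    done
}

# count_rules PORT...: number of rule lines redirect_rules emits (two per port).
count_rules() {
    redirect_rules "$@" | wc -l | tr -d ' '
}

# active_redirects: list the nat-table rules currently on this host that point at
# the proxy port. An empty result means no capture rules are installed; rules from
# another application pointing at the same port indicate a conflict.
active_redirects() {
    iptables -t nat -S 2>/dev/null | grep -- "--to-ports $PROXY_PORT" || true
}

# Example: review the rules that would capture SSH and FTP control traffic.
redirect_rules 22 21
```

Running the script prints four rules (two per port). The owner match is what keeps the proxy's own outgoing connections from being captured a second time; any real deployment also needs the packet-mark logic the page mentions (0x3887 on packets not routed through the proxy), which is not reproduced here.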

eBPF

This routing technology is currently used only on Debian 12 (aarch64), SLES 15 SP6 (x86_64), Ubuntu 24.04 (x86_64), and Fedora 39 (x86_64). It hooks to relevant kernel functions to route traffic to port 8887, the port that the Network Attack Defense server listens on.

It does not use iptables to route traffic, but it still needs the iptables package to correlate traffic.

If eBPF fails to enable, the routing mechanism falls back entirely to iptables.

Scanned protocols

SSH

The traffic capture rules for SSH are managed either by the /opt/bitdefender-security-tools/etc/nad.d/01-ssh.sh script for the iptables traffic capture technology, or internally by Network Attack Defense for the eBPF traffic capture technology.

Network Attack Defense receives and scans traffic for both incoming and outgoing connections, for port 22 only.

If Scan SCP/SSH is enabled in GravityZone, Network Attack Defense will be able to decrypt outgoing connections and detect more potential attacks.

Warning

If PKI login is enabled without password login as a fallback, the login will fail unless the configuration outlined here is applied: Configuring authentication with SSH Keys when Network Attack Defense is enabled.

FTP and FTPS

Traffic capture rules for FTP are managed either by the /opt/bitdefender-security-tools/etc/nad.d/02-ftp.sh script for the iptables traffic capture technology, or internally by Network Attack Defense for the eBPF traffic capture technology.

Because active-mode FTP does not work through a proxy, only passive and extended passive modes are supported.

Network Attack Defense receives and scans traffic for both incoming and outgoing connections, for port 21. The dynamic data port for inbound FTP traffic is also captured. Outbound FTP data can only be captured when the eBPF technology is used.

If Scan FTPS is enabled in GravityZone, Network Attack Defense is also able to decrypt outgoing connections and detect more potential attacks.

For FTPS, when using the iptables routing technology, all incoming traffic from ports 1:65534 is routed to Network Attack Defense. This avoids FTP failures caused by control and data connections using different routes. When using eBPF routing, no equivalent workaround is available, so the FTP server’s security check must be disabled (for example, pasv_promiscuous in vsftpd).

Supported distributions

Network Attack Defense supports the operating systems listed in the Endpoint protection – Supported operating systems – Linux article, in the following two subsections:

  • Fully Supported Linux Modern Distributions

  • Fully Supported Linux Modern Distributions for ARM architecture

Warning

  • 32-bit systems are not supported by Network Attack Defense.

  • Legacy Linux distributions that do not use systemctl are not supported by Network Attack Defense.

Dependencies

  • Network Attack Defense depends on the iptables Linux package. You need to manually install the package on all endpoints where the Network Attack Defense module is to be deployed.

    The package is available for all supported distributions and can be installed by using the commands below:

    • For Debian-based operating systems:

      apt install -y iptables

    • For Red Hat based operating systems:

      dnf install -y iptables

    • For SUSE operating systems:

      zypper install iptables
  • Network Attack Defense uses port 8887 by default.

    If the port is already in use, Network Attack Defense does not switch to another port dynamically. You need to make sure that the port is not in use.

    Important

    If port 8887 is used by another application or blocked by a firewall, Network Attack Defense will not be able to receive traffic.

  • eBPF requires Linux kernel 5.9 or later.

  • eBPF relies on the cgroupv2 subsystem for traffic routing capabilities.

  • eBPF requires BTF (BPF Type Format) support to be enabled in the kernel. It enables safe, portable, and introspectable eBPF programs by supplying kernel-type information in a lightweight format.

Warning

  • Running Network Attack Defense alongside other applications using iptables or eBPF might cause undesired behavior, including loss of networking.

  • Incoming traffic routed through Network Attack Defense will appear to come from a local IP address, even though it might originate from an external IP. This might cause applications that expect the source IP to have a specific value (for example, Zabbix) to malfunction.

  • Network Attack Defense does not support running alongside other applications that use routing, such as cloudflare-warp VPN.

  • For the iptables traffic capture mechanism, all packets not routed through Network Attack Defense will be marked with the 0x3887 tag. This may create conflicts with other applications that use iptables, such as firewalls.

  • When Network Attack Defense is started or stopped, all connections on the monitored protocols will be terminated.

  • Network Attack Defense cannot run alongside Container Protection. If both are configured in the package, only Container Protection will be installed.

  • To avoid conflicts, Network Attack Defense will not start if either firewalld or ufw is running.
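The dependencies and warnings above translate into a short pre-deployment check. The following script is an added example for this page, not Bitdefender tooling: it verifies the items the page lists (iptables present, port 8887 free, firewalld/ufw not running) and reports whether the eBPF prerequisites (kernel 5.9 or later, cgroup v2, kernel BTF) are met. The use of ss, systemctl and the /sys/kernel/btf/vmlinux path are assumptions about a typical systemd-based distribution; the vsftpd check reads /etc/vsftpd.conf only if it exists. The sample ss output embedded in the script is constructed so the parser can be exercised without root.

```shell
#!/bin/sh
# Pre-deployment check for Network Attack Defense on Linux (added illustration,
# not the product's own tooling). Thresholds come from the documentation above:
# iptables package, port 8887, kernel >= 5.9, cgroup v2, BTF, no firewalld/ufw.
# Assumptions: `ss`, `systemctl` and /sys/kernel/btf/vmlinux exist on the host.

# version_ge ACTUAL MINIMUM: true when the numeric prefix of ACTUAL (e.g.
# "5.10.0-26-amd64" -> "5.10.0") is at least MINIMUM ("5.9"). Compares major.minor.
version_ge() {
    actual=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    IFS=. read -r a_major a_minor _ <<EOF
$actual
EOF
    IFS=. read -r m_major m_minor _ <<EOF
$2
EOF
    [ "$a_major" -gt "$m_major" ] && return 0
    [ "$a_major" -lt "$m_major" ] && return 1
    [ "${a_minor:-0}" -ge "${m_minor:-0}" ]
}

# port_listed SS_OUTPUT PORT: true when `ss -ltn`-style output contains a TCP
# listener on PORT. Handles IPv4 ("0.0.0.0:8887"), IPv6 ("[::]:8887") and "*:8887".
port_listed() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `ss -ltn` output used to exercise the parser offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*
LISTEN 0      4096   127.0.0.1:8887    0.0.0.0:*'

# check_endpoint: run the live checks and return non-zero on any hard failure.
# Missing eBPF prerequisites are reported as "info" because routing then falls
# back to iptables, as documented above.
check_endpoint() {
    rc=0
    if command -v iptables >/dev/null 2>&1; then
        echo "ok   iptables package present"
    else
        echo "FAIL iptables missing; install it with apt/dnf/zypper as documented"; rc=1
    fi
    if port_listed "$(ss -ltn 2>/dev/null)" 8887; then
        echo "FAIL port 8887 already has a listener; Network Attack Defense cannot receive traffic"; rc=1
    else
        echo "ok   port 8887 is free"
    fi
    for svc in firewalld ufw; do
        if systemctl is-active --quiet "$svc" 2>/dev/null; then
            echo "FAIL $svc is running; Network Attack Defense will not start"; rc=1
        fi
    done
    kver=$(uname -r)
    if version_ge "$kver" 5.9; then
        echo "ok   kernel $kver is 5.9 or later (eBPF capture possible)"
    else
        echo "info kernel $kver is older than 5.9; eBPF capture unavailable, iptables routing will be used"
    fi
    if [ "$(stat -f -c %T /sys/fs/cgroup 2>/dev/null)" = "cgroup2fs" ]; then
        echo "ok   cgroup v2 mounted at /sys/fs/cgroup"
    else
        echo "info cgroup v2 not mounted at /sys/fs/cgroup; eBPF capture unavailable"
    fi
    if [ -r /sys/kernel/btf/vmlinux ]; then
        echo "ok   kernel BTF available"
    else
        echo "info /sys/kernel/btf/vmlinux not found; eBPF capture unavailable"
    fi
    # With eBPF capture the FTP server's passive-mode source check must be off.
    if [ -r /etc/vsftpd.conf ] && ! grep -q '^pasv_promiscuous=YES' /etc/vsftpd.conf; then
        echo "info vsftpd present without pasv_promiscuous=YES; required only when eBPF capture is used"
    fi
    return $rc
}

# Run the live checks only when invoked with --run, so the functions can be
# sourced and tested without touching the host.
if [ "${1:-}" = "--run" ]; then
    check_endpoint
fi
```

Run it as `sh nad-precheck.sh --run` on the endpoint before enabling the module; a non-zero exit means at least one of the hard requirements from the page is not met, while "info" lines only indicate that eBPF capture is unavailable and iptables routing will be used instead.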

Useful links

Learn how to configure Network Attack Defense in GravityZone Control Center.

Learn how to deploy Network Attack Defense on Windows servers.