Network Attack Defense
Linux
This section contains details on the support of the Network Attack Defense module on Linux endpoints, including supported Linux distributions and dependencies such as iptables rules and communication requirements.
Supported distributions
Cloud platform availability is listed per provider (Amazon Web Services, Microsoft Azure, Google Cloud Platform).

Distribution | Amazon Web Services | Microsoft Azure | Google Cloud Platform
---|---|---|---
RHEL 7.x | | |
RHEL 8.x | | |
Oracle Linux 7.x (UEK + RHCK) | | |
Oracle Linux 8.x (UEK + RHCK) | | |
CentOS 7.x | | |
CentOS 8.x | | |
Debian 9 | | |
Debian 10 | | |
Debian 11 | | |
Ubuntu 16.04.x | | |
Ubuntu 18.04.x | | |
Ubuntu 20.04.x | | |
Ubuntu 21.04.x | | |
Ubuntu 21.10.x | | |
Ubuntu 22.04 | | |
SLES 15 SP1 | | |
SLES 15 SP2 | | |
SLES 15 SP3 | | |
openSUSE Leap 15.2 | | |
Amazon Linux v2 | | |
Azure Mariner | | |
Fedora 31 - 36 | | |
AlmaLinux 8.x | | |
Rocky Linux 8.x | | |
CloudLinux 8.x | | |
CloudLinux 7.x | | |
Pardus 21 | | |
Mint 20.3 | | |
Miracle 8.4 | | |
Dependencies
Network Attack Defense depends on the iptables Linux package. You need to install the package manually on all endpoints where the NAD module is to be deployed. Network Attack Defense acts as a proxy for the FTP and SSH protocols only, receiving their traffic and protecting against Man-in-the-Middle attacks as well as other attack types (brute-force attacks, network exploits, password stealers, drive-by-download infection vectors, bots and Trojans).
The package is available for all supported distributions and can be installed by using the commands below:
For Debian based operating systems:
apt install -y iptables
For Red Hat based operating systems:
dnf install -y iptables
For SUSE operating systems:
zypper install iptables
Network Attack Defense uses port 8887 by default. If the port is already in use, NAD does not switch to another port dynamically. You need to make sure that the port is not in use.
Important
If port 8887 is used by another application or blocked by a firewall, Network Attack Defense will not be able to receive traffic.
Network Attack Defense requires a 64-bit machine.
Network Attack Defense requires that services on the machine are managed with systemctl.
Setting up iptables rules
The iptables package is used to insert rules into the endpoint operating system which forward all traffic arriving on the supported ports (21 and 22) to port 8887, except traffic generated by the product itself.
Rules are set by a series of scripts, which are delivered when the BEST agent is installed on an endpoint. During installation, the scripts are placed under /opt/bitdefender-security-tools/etc/nad.d/.
When Network Attack Defense is enabled or disabled, these scripts are sorted by name and then executed in that order.
You should not run these scripts manually.
The scripts can be deactivated by stopping the product services, removing executable rights for the intended scripts, and subsequently restarting the services.
The permissions persist across product updates, even though the scripts' contents are overwritten.
This is an example of deactivating a Network Attack Defense rules script:
sudo bd stop
sudo chmod -x /opt/bitdefender-security-tools/etc/nad.d/02-ftp.sh
sudo bd start
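Because the product runs the scripts in name order and silently skips any that have lost the executable bit, an administrator wants a quick way to see which rules scripts are currently active before or after such a change. The following POSIX shell functions are an added example (not a Bitdefender script); they assume the rules directory is the one named above and that a script is "active" exactly when it is a regular file with the executable bit set.

```shell
#!/bin/sh
# List Network Attack Defense rules scripts in the order the product would
# run them, marking each as active (executable) or inactive (chmod -x).
# Added example, not part of the product. Directory path is the one the
# documentation names; override with NAD_DIR for testing.
NAD_DIR="${NAD_DIR:-/opt/bitdefender-security-tools/etc/nad.d}"

# nad_script_status DIR
# Prints one line per regular file in DIR, in sorted (execution) order:
#   "active   <name>"   executable, will be run when NAD is toggled
#   "inactive <name>"   executable bit removed, will be skipped
nad_script_status() {
  dir="$1"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  # Glob expansion is sorted by name, matching the product's ordering.
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    if [ -x "$f" ]; then
      echo "active   $(basename "$f")"
    else
      echo "inactive $(basename "$f")"
    fi
  done
}

# nad_script_active DIR NAME
# Returns 0 if DIR/NAME would be executed (exists and is executable).
nad_script_active() {
  [ -f "$1/$2" ] && [ -x "$1/$2" ]
}

# Print the status of the real directory when it exists on this machine.
if [ -d "$NAD_DIR" ]; then
  nad_script_status "$NAD_DIR"
fi
```

Run it before `sudo bd stop` to record the current state, and again after `sudo bd start` to confirm that only the intended script (for example 02-ftp.sh) is reported as inactive.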
The iptables rules for FTP routing differ depending on whether "Scan FTPS" is enabled or disabled:
For FTPS, the iptables rules route all incoming traffic from ports 1:65534, because otherwise FTP would complain that the control connection and the data connection take different routes.
For plain FTP, only port 21 is routed, along with a dynamic port that iptables determines for the FTP data connection (using "nf_conntrack_helper").
Warning
Running Network Attack Defense alongside other applications which use iptables might cause undesired behavior, including loss of networking.
Incoming traffic routed through Network Attack Defense will appear to come from a local IP address, even though it might originate from an external IP. This might cause applications that rely on the source IP having a specific value (e.g. Zabbix) to malfunction.
All packets not routed through Network Attack Defense will be marked with the 0x3887 tag. This may create conflicts with other applications which use iptables, such as firewalls. When Network Attack Defense is initiated or terminated, all connections on the monitored protocols will be terminated.
Network Attack Defense cannot run alongside Container Protection. If both are configured in the package, only Container Protection will be installed.
In order to avoid conflicts, Network Attack Defense will not start if either firewalld or ufw is running.
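The requirements in the Dependencies section (64-bit machine, systemctl, the iptables package, port 8887 free) and the conflict rule above (firewalld or ufw running) are the usual reasons a NAD deployment fails silently. The following POSIX shell script is an added example, not a Bitdefender tool: it checks each requirement before the agent is rolled out. It assumes `ss -lnt` or `netstat -lnt` output for the port check (the parser accepts either, and the header line is ignored), `getconf LONG_BIT` for the word size, and `systemctl is-active` for the firewall services; the listing passed as an argument in the test is constructed.

```shell
#!/bin/sh
# Pre-deployment checks for Network Attack Defense on a Linux endpoint.
# Added example, not a Bitdefender script. Each requirement from the
# documentation is one function so it can be tested in isolation.
NAD_PORT=8887

# is_64bit [BITS]: 0 if the word size is 64 (BITS overrides getconf for tests)
is_64bit() {
  bits="${1:-$(getconf LONG_BIT 2>/dev/null)}"
  [ "$bits" = 64 ]
}

# have_cmd NAME: 0 if the command is on PATH
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# port_in_use PORT [LISTING]
# LISTING is `ss -lnt` or `netstat -lnt` output; column 4 is the local
# address:port in both formats, and a header line never matches a port.
port_in_use() {
  port="$1"
  listing="${2:-$(ss -lnt 2>/dev/null)}"
  printf '%s\n' "$listing" | awk -v p="$port" '
    { n = split($4, a, ":"); if (a[n] == p) found = 1 }
    END { exit found ? 0 : 1 }'
}

# service_active NAME: 0 if systemd reports the unit as active
service_active() { systemctl is-active --quiet "$1" 2>/dev/null; }

# nad_preflight: prints one line per check; returns the number of failures
nad_preflight() {
  fails=0
  if is_64bit; then echo "ok   64-bit machine"
  else echo "FAIL not a 64-bit machine"; fails=$((fails + 1)); fi

  if have_cmd systemctl; then echo "ok   systemctl present"
  else echo "FAIL systemctl not found"; fails=$((fails + 1)); fi

  if have_cmd iptables; then echo "ok   iptables installed"
  else echo "FAIL iptables package missing"; fails=$((fails + 1)); fi

  if ! have_cmd ss; then echo "skip cannot check port $NAD_PORT (ss missing)"
  elif port_in_use "$NAD_PORT"; then
    echo "FAIL port $NAD_PORT already in use"; fails=$((fails + 1))
  else echo "ok   port $NAD_PORT free"; fi

  for svc in firewalld ufw; do
    if have_cmd systemctl && service_active "$svc"; then
      echo "FAIL $svc is running; NAD will not start"; fails=$((fails + 1))
    else echo "ok   $svc not running"; fi
  done
  return "$fails"
}

nad_preflight
```

A non-zero exit status means at least one requirement is unmet; the printed lines say which one, so the script can be run from a configuration-management pre-task and the endpoint skipped until it passes.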
Learn how to configure Network Attack Defense in GravityZone Control Center.
Learn how to deploy Network Attack Defense on Windows servers.