Network Attack Defense
Linux
The Network Attack Defense module acts as a local proxy for the FTP and SSH protocols only: it receives the traffic on those ports and protects against man-in-the-middle attacks, as well as other attack types (brute-force attacks, network exploits, password stealers, drive-by-download infection vectors, bots, and Trojans).
This section details support for the Network Attack Defense module on Linux endpoints: supported distributions, dependencies such as the iptables package, the iptables rules the module installs, and its communication requirements.
Scanned protocols
SSH
The traffic capture rules for SSH are managed by the /opt/bitdefender-security-tools/etc/nad.d/01-ssh.sh script.
Network Attack Defense receives and scans traffic for both incoming and outgoing connections, on port 22 only.
If Scan SCP/SSH is enabled in GravityZone, Network Attack Defense can also decrypt outgoing connections and detect more potential attacks.
Warning
If public-key (PKI) login is enabled without password login as a fallback, SSH login will fail unless the configuration described in Configuring authentication with SSH Keys when Network Attack Defense is enabled is applied.
FTP and FTPS
Traffic capture rules for FTP are managed by the /opt/bitdefender-security-tools/etc/nad.d/02-ftp.sh script.
Network Attack Defense receives and scans traffic for both incoming and outgoing connections, on port 21.
If Scan FTPS is enabled in GravityZone, Network Attack Defense can also decrypt outgoing connections and detect more potential attacks.
For FTPS, the iptables rules route all incoming traffic from ports 1:65534 through Network Attack Defense. Otherwise, FTP raises errors because the control and data connections would take different routes.
For plain FTP only port 21 is routed; the data-connection port is determined dynamically by iptables using nf_conntrack_helper.
Supported distributions
Network Attack Defense supports the operating systems listed in the Endpoint protection – Supported operating systems – Linux article, in the following two subsections:
Fully Supported Linux Modern Distributions
Fully Supported Linux Modern Distributions for ARM architecture
Warning
32-bit systems are not supported by Network Attack Defense.
Legacy Linux distributions that do not use systemctl are not supported by Network Attack Defense.
Dependencies
Network Attack Defense depends on the iptables Linux package. You need to install the package manually on all endpoints where the Network Attack Defense module is to be deployed. The package is available for all supported distributions and can be installed with the following commands:
For Debian-based operating systems:
apt install -y iptables
For Red Hat-based operating systems:
dnf install -y iptables
For SUSE operating systems:
zypper install iptables
Network Attack Defense uses port 8887 by default. If the port is already in use, Network Attack Defense does not switch to another port dynamically, so you need to make sure the port is free before deploying the module.
Important
If port 8887 is used by another application or blocked by a firewall, Network Attack Defense will not be able to receive traffic.
Setting up iptables rules
The iptables package is used to insert rules into the endpoint operating system that forward all traffic arriving on the supported ports (21 and 22) to port 8887, except traffic generated by the product itself.
Rules are set by a series of scripts delivered when the BEST agent is installed on an endpoint. During installation, the scripts are placed under /opt/bitdefender-security-tools/etc/nad.d/.
When Network Attack Defense is enabled or disabled, these scripts are sorted by name and executed in that order.
You should not run these scripts manually.
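To make the redirect mechanism described above concrete (scanned ports forwarded to the local proxy port, the proxy's own connections spared so they are not looped back into it), here is an added illustration written for this page. It is not Bitdefender's nad.d script, and it does not reproduce the product's rule set: the owner-match on a placeholder uid (NAD_UID) and the use of the 0x3887 mark to exclude the proxy's own traffic are assumptions chosen to show the shape of such rules, and the FTPS 1:65534 routing is not modeled. By default it only prints the iptables commands (DRY_RUN=1); applying them needs root and a disposable test machine.

```shell
#!/bin/sh
# Added illustration, not Bitdefender's nad.d scripts: the shape of a transparent
# redirect that sends TCP ports 21/22 to a local proxy on 8887 while sparing the
# proxy's own traffic. ASSUMPTIONS: the proxy runs as uid $NAD_UID (placeholder),
# its traffic is tagged with mark 0x3887, and DRY_RUN=1 only prints the commands.
NAD_PORT=${NAD_PORT:-8887}
NAD_MARK=0x3887
NAD_UID=${NAD_UID:-0}       # placeholder uid of the proxy process (assumption)
DRY_RUN=${DRY_RUN:-1}       # 1 = print only; 0 = really call iptables (root)

# Print the iptables command, or run it when DRY_RUN=0.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Emit (or apply) the redirect rule set for the TCP ports given as arguments.
# Packet path: locally generated packets traverse mangle OUTPUT before nat
# OUTPUT, so the mark set in step 1 is visible to the exclusion in step 3.
nad_rules() {
    # 1. Tag everything the proxy itself sends so it is never redirected back.
    ipt -t mangle -A OUTPUT -p tcp -m owner --uid-owner "$NAD_UID" \
        -j MARK --set-mark "$NAD_MARK"
    for port in "$@"; do
        # 2. Incoming connections to a scanned port are handed to the proxy.
        ipt -t nat -A PREROUTING -p tcp --dport "$port" \
            -j REDIRECT --to-ports "$NAD_PORT"
        # 3. Outgoing connections too, unless they carry the proxy's mark
        #    (the proxy's onward connection to the real server must pass).
        ipt -t nat -A OUTPUT -p tcp --dport "$port" -m mark ! --mark "$NAD_MARK" \
            -j REDIRECT --to-ports "$NAD_PORT"
    done
}

# Plain FTP data channels use ports negotiated on the control channel; the
# conntrack FTP helper tracks them instead of a fixed port (needs nf_conntrack_ftp).
nad_ftp_helper() {
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

# Number of rules the set above produces (1 mark rule + 2 per port).
nad_rule_count() {
    nad_rules "$@" | wc -l | tr -d ' '
}

# Usage: ./nad-redirect-demo.sh  (prints the rules for ports 21 and 22)
# A teardown replays the same commands with -D in place of -A.
if [ "${NAD_DEMO:-0}" = 1 ]; then
    nad_rules 21 22
    nad_ftp_helper
fi
```

Running it with NAD_DEMO=1 prints five rules for ports 21 and 22 plus the helper rule; reviewing that output against `iptables-save` on an endpoint is a quick way to see which chains a product like this has to touch and why a second iptables user (a firewall, a VPN) can collide with it.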
The scripts can be deactivated by stopping the product services, removing the executable bit from the scripts in question, and then restarting the services.
The permissions persist across product updates, even though the scripts' contents are overwritten.
This is an example of deactivating a Network Attack Defense rules script:
sudo bd stop
sudo chmod -x /opt/bitdefender-security-tools/etc/nad.d/02-ftp.sh
sudo bd start
Warning
Running Network Attack Defense alongside other applications that use iptables might cause undesired behavior, including loss of networking.
Incoming traffic routed through Network Attack Defense appears to come from a local IP address even when it originates from an external one. Applications that rely on the source IP having a specific value (for example Zabbix) may therefore malfunction.
Network Attack Defense does not support running alongside other applications that use routing, such as the cloudflare-warp VPN. All packets not routed through Network Attack Defense are marked with the 0x3887 tag. This may conflict with other applications that use iptables, such as firewalls. When Network Attack Defense is started or stopped, all connections on the monitored protocols are terminated.
Network Attack Defense cannot run alongside Container Protection. If both are configured in the package, only Container Protection will be installed.
To avoid conflicts, Network Attack Defense will not start if either firewalld or ufw is running.
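The requirements scattered across this page (iptables installed, systemctl present, no 32-bit CPU, port 8887 free, neither firewalld nor ufw running) are easy to check before deploying the module. The following pre-flight script is an added example written for this page, not Bitdefender tooling. It assumes iproute2's `ss -H -lnt` output format (fourth column is local address:port), that `systemctl is-active firewalld ufw` prints one state per line, and an assumed list of `uname -m` strings that denote 32-bit machines; the checks themselves take their input as arguments so they can be exercised against captured output.

```shell
#!/bin/sh
# Added pre-flight check (not Bitdefender tooling) for the prerequisites of
# Network Attack Defense on Linux. Pure helpers take their input as arguments;
# nad_preflight wires them to live commands and counts failures.
NAD_PORT=8887

# 0 if any listener in `ss -H -lnt` output ($1) uses TCP port $2.
# Column 4 is Local Address:Port, e.g. 0.0.0.0:22, [::]:8887 or *:8887.
nad_port_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 if the `uname -m` string ($1) names a 32-bit machine.
# ASSUMPTION: i?86, armv4..armv7 and plain "arm" cover the 32-bit cases seen in practice.
nad_is_32bit() {
    case "$1" in
        i?86|armv[4-7]*|arm) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if any unit in the output of `systemctl is-active firewalld ufw` ($1),
# one state per line, is active.
nad_conflicting_fw() {
    printf '%s\n' "$1" | grep -qx active
}

# Runs every check against the live system, prints each failure and returns
# the number of failures (0 means the endpoint meets the listed prerequisites).
nad_preflight() {
    fails=0
    command -v iptables >/dev/null 2>&1 || {
        echo "FAIL: iptables package not installed"; fails=$((fails+1)); }
    command -v systemctl >/dev/null 2>&1 || {
        echo "FAIL: no systemctl (legacy init systems are unsupported)"; fails=$((fails+1)); }
    nad_is_32bit "$(uname -m)" && {
        echo "FAIL: 32-bit system ($(uname -m)) is unsupported"; fails=$((fails+1)); }
    nad_port_listening "$(ss -H -lnt 2>/dev/null)" "$NAD_PORT" && {
        echo "FAIL: TCP port $NAD_PORT is already in use"; fails=$((fails+1)); }
    nad_conflicting_fw "$(systemctl is-active firewalld ufw 2>/dev/null)" && {
        echo "FAIL: firewalld or ufw is running; the module will not start"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "OK: endpoint meets the Network Attack Defense prerequisites"
    return "$fails"
}

# Usage: NAD_PREFLIGHT=1 sh nad-preflight.sh ; exit status = number of failures
if [ "${NAD_PREFLIGHT:-0}" = 1 ]; then
    nad_preflight
fi
```

The exit status is the failure count, so the script drops straight into a deployment pipeline as a gate. Note that a free port 8887 at check time is no guarantee later: anything that binds it afterwards silently starves the module of traffic.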
Learn how to configure Network Attack Defense in GravityZone Control Center.
Learn how to deploy Network Attack Defense on Windows servers.