Network Attack Defense

Linux

The Network Attack Defense module acts as a proxy for the FTP and SSH protocols only, receiving their traffic and protecting against man-in-the-middle attacks, as well as other attack types (brute-force attacks, network exploits, password stealers, drive-by-download infection vectors, bots, and Trojans).

This section details support for the Network Attack Defense module on Linux endpoints, including supported Linux distributions and dependencies, such as iptables rules and communication requirements.

Scanned protocols

SSH

The traffic capture rules for SSH are managed by the /opt/bitdefender-security-tools/etc/nad.d/01-ssh.sh script.

Network Attack Defense receives and scans traffic for both incoming and outgoing connections, for port 22 only.

If Scan SCP/SSH is enabled in GravityZone, Network Attack Defense will be able to decrypt outgoing connections and detect more potential attacks.

Warning

If PKI login is enabled without password login as a fallback, the login will fail unless the configuration outlined here is applied: Configuring authentication with SSH Keys when Network Attack Defense is enabled.

FTP and FTPS

Traffic capture rules for FTP are managed by the /opt/bitdefender-security-tools/etc/nad.d/02-ftp.sh script.

Network Attack Defense receives and scans traffic for both incoming and outgoing connections, for port 21.

If Scan FTPS is enabled in GravityZone, Network Attack Defense will be able to also decrypt outgoing connections and detect more potential attacks.

For FTPS, the iptables rules will route all incoming traffic from ports 1:65534. Otherwise, FTP will raise issues about the routes for control and data connections being different.

For plain FTP only port 21 is routed, with a dynamic port determined by iptables using nf_conntrack_helper.

Supported distributions

Network Attack Defense supports the operating systems listed in the Endpoint protection – Supported operating systems – Linux article, in the following two subsections:

  • Fully Supported Linux Modern Distributions

  • Fully Supported Linux Modern Distributions for ARM architecture

Warning

  • 32-bit systems are not supported by Network Attack Defense.

  • Legacy Linux distributions that do not use systemctl are not supported by Network Attack Defense.

Dependencies

  • Network Attack Defense depends on the iptables Linux package. You need to manually install the package on all endpoints where the Network Attack Defense module is to be deployed.

    The package is available for all supported distributions and can be installed using the commands below:

    For Debian-based operating systems:

    apt install -y iptables

    For Red Hat based operating systems:

    dnf install -y iptables

    For SUSE operating systems:

    zypper install iptables

  • Network Attack Defense uses port 8887 by default.

    If the port is already in use, NAD does not switch to another port dynamically. You need to make sure that the port is not in use.

    Important

    If port 8887 is used by another application or blocked by a firewall, Network Attack Defense will not be able to receive traffic.
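The two dependencies above (the iptables package and a free TCP port 8887) are easy to verify before rolling the module out. The following pre-flight script is an added example, not part of the product or this page; it assumes `ss` from iproute2 is available and that the default port 8887 has not been changed.

```shell
#!/bin/sh
# Added example (not Bitdefender tooling): pre-deployment check for the two
# Network Attack Defense dependencies, the iptables package and a free TCP
# port 8887. Assumes `ss` (iproute2) is installed; NAD_PORT is the default.

NAD_PORT=8887

# has_iptables: return 0 if an iptables binary is on PATH.
has_iptables() {
    command -v iptables >/dev/null 2>&1
}

# port_listed PORT SS_OUTPUT: return 0 if SS_OUTPUT (the text printed by
# `ss -Hltn`) contains a TCP listener bound to PORT on any address.
port_listed() {
    port="$1"
    ss_output="$2"
    # Field 4 is "Local Address:Port" (e.g. 0.0.0.0:8887 or [::]:8887).
    # Compare the last colon-separated piece so 8887 does not match 18887.
    printf '%s\n' "$ss_output" | awk -v p="$port" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# nad_port_free: return 0 if nothing is listening on NAD_PORT right now,
# 2 if ss is unavailable and the check cannot be made.
nad_port_free() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found" >&2; return 2; }
    ! port_listed "$NAD_PORT" "$(ss -Hltn 2>/dev/null)"
}

# preflight: print one line per check; return 0 only if every check passes.
preflight() {
    rc=0
    if has_iptables; then
        echo "ok: iptables present"
    else
        echo "FAIL: iptables package missing (install it first)"; rc=1
    fi
    if nad_port_free; then
        echo "ok: port $NAD_PORT free"
    else
        echo "FAIL: port $NAD_PORT is in use or could not be checked"; rc=1
    fi
    return $rc
}

# Usage: sh nad-preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `--run` on each endpoint before enabling the module; a non-zero exit means one of the two conditions the page lists is not met, and the module will not receive traffic until it is fixed.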

Setting up iptables rules

The iptables package is used to insert rules into the endpoint operating system that forward all traffic arriving on the supported ports (21 and 22) to port 8887, except traffic generated by the product itself.

Rules are set by a series of scripts, delivered when the BEST agent is installed on an endpoint. During installation, the scripts will be placed under /opt/bitdefender-security-tools/etc/nad.d/.

When Network Attack Defense is enabled or disabled, these scripts will be sorted by their name and then executed.

You should not run these scripts manually.

The scripts can be deactivated by stopping the product services, removing executable rights for the intended scripts, and subsequently restarting the services.

The permissions persist across product updates, even though the scripts' contents are overwritten.

This is an example of deactivating a Network Attack Defense rules script:

sudo bd stop
sudo chmod -x /opt/bitdefender-security-tools/etc/nad.d/02-ftp.sh
sudo bd start

Warning

  • Running Network Attack Defense alongside other applications that use iptables might cause undesired behavior, including loss of networking.

  • Incoming traffic routed through Network Attack Defense will appear to be coming from a local IP address, even though it might originate from an external IP. This might cause some applications that rely on the source IP having a specific value (e.g. Zabbix) to malfunction.

  • Network Attack Defense does not support running alongside other applications that use routing, such as cloudflare-warp VPN.

  • All packets not routed through Network Attack Defense will be marked with the 0x3887 tag. This may create conflicts with other applications that use iptables, such as firewalls.

  • When Network Attack Defense is started or stopped, all existing connections on the monitored protocols are terminated.

  • Network Attack Defense cannot run alongside Container Protection. If both are configured in the package, only Container Protection will be installed.

  • To avoid conflicts, Network Attack Defense will not start if either firewalld or ufw is running.
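Several of the warnings above concern coexistence with other users of iptables and routing: firewalld or ufw being active, other rules touching ports 21 and 22, port 8887, or the 0x3887 mark. The audit script below is an added example, not Bitdefender tooling or the product's own rule format; it assumes `systemctl` and `iptables-save` exist and simply reports existing rules that reference those ports or that mark, so they can be reviewed before the module is enabled.

```shell
#!/bin/sh
# Added example (not Bitdefender tooling): audit a host for the coexistence
# problems listed above before enabling Network Attack Defense. It reports
# (1) whether firewalld or ufw is active, and (2) which existing iptables
# rules reference the redirected ports (21, 22), the listener port (8887)
# or the 0x3887 packet mark. Assumes `systemctl` and `iptables-save` exist.
# The match patterns are generic iptables syntax, not NAD's own rules.

# service_active NAME: return 0 if systemd reports NAME as active.
service_active() {
    systemctl is-active --quiet "$1" 2>/dev/null
}

# nad_rule_filter: read an iptables-save dump on stdin and print only the
# rule lines (-A ...) that mention the ports or mark NAD uses. Table
# headers, chain declarations, comments and COMMIT lines are skipped.
nad_rule_filter() {
    awk '
        /^-A / {
            hit = 0
            for (i = 1; i <= NF; i++) {
                # --dport/--sport 21, 22 or 8887
                if (($(i) == "--dport" || $(i) == "--sport") &&
                    ($(i+1) == "21" || $(i+1) == "22" || $(i+1) == "8887"))
                    hit = 1
                # REDIRECT/DNAT targets pointing at the NAD listener port
                if ($(i) == "--to-ports" && $(i+1) == "8887") hit = 1
                # any mark argument containing 0x3887 (e.g. 0x3887/0xffffffff)
                if (index($(i), "0x3887")) hit = 1
            }
            if (hit) print
        }'
}

# nad_rule_count DUMP: number of matching rule lines in the dump text.
nad_rule_count() {
    printf '%s\n' "$1" | nad_rule_filter | wc -l | tr -d ' '
}

# audit: print findings; return 1 if a blocking conflict (firewalld/ufw
# active) is found, 0 otherwise. Rule overlaps are reported for review only.
audit() {
    rc=0
    for svc in firewalld ufw; do
        if service_active "$svc"; then
            echo "CONFLICT: $svc is active; Network Attack Defense will not start"
            rc=1
        else
            echo "ok: $svc not active"
        fi
    done
    dump=$(iptables-save 2>/dev/null) || dump=""
    n=$(nad_rule_count "$dump")
    if [ "$n" -gt 0 ]; then
        echo "REVIEW: $n existing rule(s) reference ports 21/22/8887 or mark 0x3887:"
        printf '%s\n' "$dump" | nad_rule_filter
    else
        echo "ok: no existing rules reference the NAD ports or mark"
    fi
    return $rc
}

# Usage: sh nad-audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

A non-zero exit means firewalld or ufw is running and the module will refuse to start; the REVIEW lines are not errors by themselves, but each listed rule belongs to another iptables user and is a candidate for the undesired behaviour (including loss of networking) the warning describes.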

Learn how to configure Network Attack Defense in GravityZone Control Center.

Learn how to deploy Network Attack Defense on Windows servers.