Linux Firewalls: Attack Detection and Response with Iptables, PSAD, and Fwsnort


System administrators need to stay ahead of new security vulnerabilities that leave their networks exposed every day. A firewall and an intrusion detection system (IDS) are two important weapons in that fight, enabling you to proactively deny access and monitor network traffic for signs of an attack.

Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools. You'll learn how to deploy iptables as an IDS with psad and fwsnort and how to build a strong, passive authentication layer around iptables with fwknop.

Concrete examples illustrate concepts such as firewall log analysis and policies, passive network authentication and authorization, exploit packet traces, Snort ruleset emulation, and more with coverage of these topics:

  • Passive network authentication and OS fingerprinting
  • iptables log analysis and policies
  • Application layer attack detection with the iptables string match extension
  • Building an iptables ruleset that emulates a Snort ruleset
  • Port knocking vs. Single Packet Authorization (SPA)
  • Tools for visualizing iptables logs

Perl and C code snippets offer practical examples that will help you to maximize your deployment of Linux firewalls. If you're responsible for keeping a network secure, you'll find Linux Firewalls invaluable in your attempt to understand attacks and use iptables, along with psad and fwsnort, to detect and even prevent compromises.

The Netfilter firewall built into Linux provides capabilities that rival many commercial firewalls. Providing concrete examples to illustrate concepts, this new reference explores using Netfilter as an intrusion detection system (IDS) by combining it with Snort rule sets and custom software available from the author's site,

Product Details

  • ISBN-13: 9781593271411
  • Publisher: No Starch Press, San Francisco, CA
  • Publication date: 7/1/2007
  • Pages: 336
  • Sales rank: 946,348
  • Product dimensions: 7.08 (w) x 9.14 (h) x 1.02 (d)

Meet the Author

Michael Rash is a Security Architect on the Dragon Intrusion Detection System with Enterasys Networks, Inc., and is a frequent contributor to open source projects. As the creator of psad, fwknop, and fwsnort, Rash is an expert on firewalls, IDSs, OS fingerprinting, and the Snort rules language. He is co-author of the book Snort 2.1 Intrusion Detection, lead author and technical editor of the book Intrusion Prevention and Active Response, and has written security articles for Linux Journal, SysAdmin, and ;login:.

Table of Contents

  • Why Detect Attacks with iptables?
  • Technical References
  • About the Website
  • Chapter Summaries
  • 1.1 iptables
  • 1.2 Packet Filtering with iptables
  • 1.3 Installing iptables
  • 1.4 Kernel Configuration
  • 1.5 Security and Minimal Compilation
  • 1.6 Kernel Compilation and Installation
  • 1.7 Installing the iptables Userland Binaries
  • 1.8 Default iptables Policy
  • 1.9 Concluding Thoughts
  • 2.1 Logging Network Layer Headers with iptables
  • 2.2 Network Layer Attack Definitions
  • 2.3 Abusing the Network Layer
  • 2.4 Network Layer Responses
  • 3.1 Logging Transport Layer Headers with iptables
  • 3.2 Transport Layer Attack Definitions
  • 3.3 Abusing the Transport Layer
  • 3.4 Transport Layer Responses
  • 4.1 Application Layer String Matching with iptables
  • 4.2 Application Layer Attack Definitions
  • 4.3 Abusing the Application Layer
  • 4.4 Encryption and Application Encodings
  • 4.5 Application Layer Responses
  • 5.1 History
  • 5.2 Why Analyze Firewall Logs?
  • 5.3 psad Features
  • 5.4 psad Installation
  • 5.5 psad Administration
  • 5.6 psad Configuration
  • 5.7 Concluding Thoughts
  • 6.1 Port Scan Detection with psad
  • 6.2 Alerts and Reporting with psad
  • 6.3 Concluding Thoughts
  • 7.1 Attack Detection with Snort Rules
  • 7.2 psad Signature Updates
  • 7.3 OS Fingerprinting
  • 7.4 DShield Reporting
  • 7.5 Viewing psad Status Output
  • 7.6 Forensics Mode
  • 7.7 Verbose/Debug Mode
  • 7.8 Concluding Thoughts
  • 8.1 Intrusion Prevention vs. Active Response
  • 8.2 Active Response Trade-offs
  • 8.3 Responding to Attacks with psad
  • 8.4 Active Response Examples
  • 8.5 Integrating psad Active Response with Third-Party Tools
  • 8.6 Concluding Thoughts
  • 9.1 Why Run fwsnort?
  • 9.2 Signature Translation Examples
  • 9.3 The fwsnort Interpretation of Snort Rules
  • 9.4 Concluding Thoughts
  • 10.1 Installing fwsnort
  • 10.2 Running fwsnort
  • 10.3 Observing fwsnort in Action
  • 10.4 Setting Up Whitelists and Blacklists
  • 10.5 Concluding Thoughts
  • 11.1 Tying fwsnort Detection to psad Operations
  • 11.2 Revisiting Active Response
  • 11.3 Thwarting Metasploit Updates
  • 11.4 Concluding Thoughts
  • 12.1 Reducing the Attack Surface
  • 12.2 The Zero-Day Attack Problem
  • 12.3 Port Knocking
  • 12.4 Single Packet Authorization
  • 12.5 Security Through Obscurity?
  • 12.6 Concluding Thoughts
  • 13.1 fwknop Installation
  • 13.2 fwknop Configuration
  • 13.3 fwknop SPA Packet Format
  • 13.4 Deploying fwknop
  • 13.5 Concluding Thoughts
  • 14.1 Seeing the Unusual
  • 14.2 Gnuplot
  • 14.3 AfterGlow
  • 14.4 iptables Attack Visualizations
  • 14.5 Concluding Thoughts
  • Connection Tracking

Customer Reviews

Average Rating: 4.5 (3 reviews)
  • Posted April 6, 2009

    Nice, accurate and interesting. Not like other books about firewalls

    When I bought "Linux Firewalls" I was expecting a good book because I already knew that the work of Michael Rash is excellent. However, I expected the traditional Iptables handbook that looks more like a "man page". Surprisingly, I found that the book was much better than that. Instead of detailing every single feature of the Iptables infrastructure, Michael Rash explains how Iptables can be used as a powerful (and free) Intrusion Detection/Prevention System. To achieve that, Rash presents three open source tools developed by himself: psad, an iptables-based port scan detector; fwsnort, a tool that translates snort rules into iptables sentences; and fwknop, a Port Knocking and SPA authentication system.

    The book is very practical. It's amazing how everything is presented so clearly and with such useful examples. The author first introduces the potential threats that are associated with the Network Layer, Transport Layer and Application Layer (I loved those chapters). Then he starts discussing the detection of malicious attackers that try to break into the system. Finally he presents active response mechanisms against attackers and ways to secure the whole system with additional layers of security.

    The book is great if what you want is to secure your Linux system using IPtables and the open source tools developed by Rash. Rash is an expert on firewalls and intrusion detection systems. If you follow his suggestions you'll build a very secure system. Firewall enthusiasts and TCP/IP fans will also enjoy reading the book because it's written by a geek and it's written for geeks. However, if you are looking for an Iptables handbook, if you are looking for a theoretical book about Firewalls, or if you want to use other tools than the ones presented in the book, then "Linux Firewalls" may not be the best option for you.
  • Anonymous

    Posted November 21, 2007

    Excellent Read for any System/Network Administrator

    This is a great book for any administrator who has servers or hosts available to the internet or outside world beyond their own network and who doesn't have expensive hardware firewalls in place to handle traffic, routing, etc. With the book covering from the basics of knowing iptables and the types of detections, it goes into more depth of network layer attacks, transport layer and application layer attacks. All of these cover great details and how to defend against such attacks. From this point on, it starts to cover psad, its features, what can be done with psad deployed in your network and how to set it up to notify and auto respond to potential attacks, basically creating iptables rules to block suspicious traffic that is hitting your server or hosts. It goes on to cover deploying fwsnort, for further detection and protection. All around this is a great book and before I can say I obtained this book, we were already deploying psad in our own environment. Having a handy reference now makes things easier with setups and configurations explained in simpler terms without having to refer to online documentation or man pages. Everyone likes examples.
  • Anonymous

    Posted November 20, 2007

    A reviewer

    Do you have any familiarity with TCP/IP networking concepts and Linux system administration? If you do, then this book is for you. Author Michael Rash has done an outstanding job of writing a book that concentrates on network attacks--detecting them and responding to them. Rash begins with an introduction to packet filtering with iptables, including kernel build specifics and iptables administration. Then, the author shows the types of attacks that exist in the network layer and what you can do about them. Next, he illustrates classes of application layer attacks that iptables can be made to detect, and introduces you to the iptables string match extension. The author also discusses installation and configuration of psad, and shows you why it is important to listen to the stories that iptables logs have to tell. He continues by introducing you to advanced psad functionality, including integrated passive OS fingerprinting, Snort signature detection via packet headers, verbose status information, and DShield reporting. Then, the author discusses the culmination of the attack detection and mitigation strategies that are possible with iptables. Next, he compares and contrasts two passive authorization mechanisms: port knocking and SPA. The author continues by showing you how to install and make use of fwknop together with iptables to maintain a default-drop stance against all unauthenticated and unauthorized attempts to connect to your SSH daemon. Finally, the author wraps up with some graphical representations of iptables log data. This most excellent book takes on a highly applied approach. In other words, after reading this book, you will be armed with a strong working knowledge of how network attacks are detected and dealt with via iptables.