
Network Attack Defense

Linux

This section details support for the Network Attack Defense module on Linux endpoints, including the supported Linux distributions and the module's dependencies, such as the iptables package, the port it listens on, and the iptables rules it installs.

Supported distributions

Cloud platform availability per distribution (yes = available, no = not available):

Distribution                  | Amazon Web Services | Microsoft Azure | Google Cloud Platform
------------------------------|---------------------|-----------------|----------------------
RHEL 7.x                      | yes                 | yes             | yes
RHEL 8.x                      | yes                 | yes             | yes
Oracle Linux 7.x (UEK +RHCK)  | yes                 | yes             | no
Oracle Linux 8.x (UEK +RHCK)  | yes                 | no              | no
CentOS 7.x                    | yes                 | yes             | yes
CentOS 8.x                    | yes                 | yes             | yes
Debian 9                      | yes                 | yes             | yes
Debian 10                     | yes                 | yes             | yes
Debian 11                     | yes                 | yes             | yes
Ubuntu 16.04.x                | yes                 | yes             | yes
Ubuntu 18.04.x                | yes                 | yes             | yes
Ubuntu 20.04.x                | yes                 | yes             | yes
Ubuntu 21.04.x                | yes                 | yes             | yes
Ubuntu 21.10.x                | yes                 | yes             | yes
Ubuntu 22.04                  | yes                 | yes             | yes
SLES 15 SP1                   | yes                 | yes             | no
SLES 15 SP2                   | yes                 | yes             | yes
SLES 15 SP3                   | yes                 | yes             | yes
openSUSE Leap 15.2            | no                  | yes             | no
Amazon Linux v2               | yes                 | no              | no
Azure Mariner                 | no                  | yes             | no
Fedora 31 - 36                | yes                 | no              | no
AlmaLinux 8.x                 | yes                 | yes             | yes
Rocky Linux 8.x               | yes                 | yes             | yes
CloudLinux 8.x                | yes                 | yes             | yes
CloudLinux 7.x                | yes                 | yes             | yes
Pardus 21                     | yes                 | yes             | yes
Mint 20.3                     | no                  | no              | no
Miracle 8.4                   | no                  | no              | no

Dependencies

  • Network Attack Defense depends on the iptables Linux package. You need to manually install the package on all endpoints where the NAD module is to be deployed.

    Network Attack Defense acts like a proxy, only for the FTP and SSH protocols, receiving traffic and protecting against Man in the Middle attacks, as well as other attack types (brute-force attacks, network exploits, password stealers, drive-by-download infection vectors, bots and Trojans).

    The package is available for all supported distributions and can be installed with the commands below:

    For Debian based operating systems:

    apt install -y iptables

    For Red Hat based operating systems:

    dnf install -y iptables

    For SUSE operating systems:

    zypper install iptables
  • Network Attack Defense uses port 8887 by default.

    If the port is already in use, NAD does not switch to another port dynamically. You need to make sure that the port is not in use.

    Important: if port 8887 is used by another application or blocked by a firewall, Network Attack Defense will not be able to receive traffic.

  • Network Attack Defense depends on 64-bit machines.

  • Network Attack Defense depends on machines using systemctl to manage services.

Setting up iptables rules

The iptables package is used to insert rules into the endpoint operating system that forward all traffic arriving on the supported ports (21 and 22) to port 8887, except traffic generated by the product itself.

The rules are set by a series of scripts, which are delivered when the BEST agent is installed on an endpoint. During installation, the scripts are placed under /opt/bitdefender-security-tools/etc/nad.d/.

When Network Attack Defense is enabled/disabled, these scripts will be sorted by their name and then executed.

You should not run these scripts manually.

The scripts can be deactivated by stopping the product services, removing executable rights for the intended scripts, and subsequently restarting the services.

The permissions will persist during product updates, despite their contents being overwritten.

This is an example of deactivating a Network Attack Defense rules script:

sudo bd stop
sudo chmod -x /opt/bitdefender-security-tools/etc/nad.d/02-ftp.sh
sudo bd start

The iptables rules for FTP routing differ depending on whether "Scan FTPS" is enabled or disabled:

For FTPS, the iptables rules route all incoming traffic on ports 1:65534, because otherwise FTP would complain that the control connection and the data connection take different routes.

For plain FTP, only port 21 is routed, together with a dynamic port for the FTP data connection that iptables determines by using "nf_conntrack_helper".

Warning

  • Running Network Attack Defense alongside other applications which use iptables might cause undesired behavior, including loss of networking.

  • Incoming traffic routed through Network Attack Defense will appear to be coming from a local IP address, even though it might come from an external IP. This might cause some apps which rely on source IP to have a specific value (e.g. Zabbix) to malfunction.

  • All packets not routed through Network Attack Defense will be marked with the 0x3887 tag. This may create conflicts with other applications which use iptables, such as firewalls.

  • When Network Attack Defense is initiated or terminated, all connections on the protocols monitored will be terminated.

  • Network Attack Defense cannot run alongside Container Protection. If both are configured in the package, only Container Protection will be installed.

  • In order to avoid conflicts, Network Attack Defense will not start if either firewalld or ufw is running.
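A pre-deployment check that covers the Dependencies list above (64-bit machine, systemctl, the iptables package, port 8887 free) and the firewalld/ufw conflict from the Warning list. This is an added example, not a Bitdefender script; it assumes the `ss` and `systemctl` utilities are available on the endpoint and treats x86_64 and aarch64 as the accepted 64-bit architectures.

```shell
#!/bin/sh
# Pre-deployment check for the Network Attack Defense dependencies listed
# above (64-bit, systemctl, iptables, port 8887 free, no firewalld/ufw).
# Added example, not a Bitdefender script. The check functions take their
# inputs as arguments so they can be exercised on constructed data.
NAD_PORT=8887

# arch_ok <uname -m output>: NAD requires a 64-bit machine (assumed list).
arch_ok() {
    case "$1" in
        x86_64|aarch64) return 0 ;;
        *) return 1 ;;
    esac
}

# port_free <port> <output of "ss -Hltn">: one listening socket per line,
# local address:port in column 4 (e.g. 0.0.0.0:8887 or [::]:8887).
port_free() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { n = split($4, a, ":"); if (n > 0 && a[n] == p) found = 1 }
        END { exit (found ? 1 : 0) }'
}

# conflicting_fw <output of "systemctl list-units --type=service
#   --state=active --plain --no-legend">: prints active firewalld/ufw
# units; returns 1 if any are found (NAD refuses to start in that case).
conflicting_fw() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(firewalld|ufw)\.service$/ { print $1; hit = 1 }
        END { exit (hit ? 1 : 0) }'
}

# run_preflight: gather live values from this host and report each failure.
run_preflight() {
    rc=0
    arch_ok "$(uname -m)" || { echo "FAIL: NAD needs a 64-bit machine"; rc=1; }
    command -v systemctl >/dev/null || { echo "FAIL: systemctl not found"; rc=1; }
    command -v iptables >/dev/null || { echo "FAIL: iptables package missing"; rc=1; }
    port_free "$NAD_PORT" "$(ss -Hltn 2>/dev/null)" \
        || { echo "FAIL: port $NAD_PORT already in use"; rc=1; }
    conflicting_fw "$(systemctl list-units --type=service --state=active --plain --no-legend 2>/dev/null)" \
        || { echo "FAIL: firewalld/ufw active, NAD will not start"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: endpoint meets the NAD dependencies"
    return "$rc"
}

# Run the live check only when invoked with --check (e.g. sh nad-preflight.sh --check).
if [ "${1:-}" = "--check" ]; then
    run_preflight
fi
```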

Learn how to configure Network Attack Defense in GravityZone Control Center.

Learn how to deploy Network Attack Defense on Windows servers.