FalconGate – A smart gateway to stop hackers and Malware attacks

on

Motivation

Cyber attacks are on the raise. Hacker and cyber criminals are continuously improving their methods and building new tools and Malware with the purpose of hacking your network, spying on you and stealing valuable data. Recently a new business model has become popular among hackers: the use of Ransomware to encrypt your data and ask for a ransom to unlock it. These attacks have extended also to the Internet of Things (IoT) devices since many of them are vulnerable by design and hackers can leverage them to compromise other devices in your network or launch DDoS attacks towards other targets. Traditionally securing a network against such attacks has been an expensive item which could be afforded just by medium to large companies. With FalconGate we’re aiming to change this and bring “out of the box” security for free to people, small businesses and anyone else in need.

Features

FalconGate is an open source smart gateway which can protect your home devices against hackers, Malware like Ransomeware and other threats. It detects and alerts on hacker intrusions on your home network as well as other devices misbehaving and attacking targets within your network or in the Internet.

Currently FalconGate is able to:

  • Block several types of Malware based on open source blacklists (see detailed list in file intel-sources.md)
  • Block Malware using the Tor network
  • Detect and report potential Malware DNS requests based on VirusTotal reports
  • Detect and report the presence of Malware executables and other components based on VirusTotal reports
  • Detect and report Domain Generation Algorithm (DGA) Malware patterns
  • Detect and report on Malware spamming activity
  • Detect and report on internal and outbound port scans
  • Report details of all new devices connected to your network
  • Block ads based on open source lists
  • Monitor a custom list of personal or family accounts used in online services for public reports of hacking

Supported Platforms

Currently FalconGate has been successfully tested and implemented on Raspberry Pi (RPi 2 model B) and Banana Pi (BPI-M2+) using Raspian Jessie Lite as base image.

Jessie Lite for RPi

Jessie Lite for BPi

It should be compatible with other Debian ARM images as well but this has not been tested yet.

Prerequisites

FalconGate has a number of software dependencies:

  • Bro IDS
  • Python 2.7
  • Nginx
  • Dnsmasq
  • Exim
  • PHP

The devices’s malware detection can be enhanced with the utilization of VirusTotal’s personal free API

Currently FalconGate uses have i been pwned public API to detect whether credentials and/or other data from personal accounts have been stolen by hackers from third party sites.

Deploying FalconGate from a supported image

This is the fastest way to get FalconGate up and running in your network.

  • Download the correct system image for your device from the downloads page.
  • Extract the image to a folder in your computer.
  • Write the image to your SD card.

You can use the guides below as reference for Raspberry Pi:

Linux

Mac OS

Windows

  • Insert the SD card in your device and plug it to any available ethernet port in your router.
  • Power on your device and wait few minutes until it will acquire the correct configuration for your network.
  • Login to your router and disable its DHCP server function
  • Login to FalconGate’s web app and configure the email address(es) to be used as recipients for alerts and your VirusTotal API key
https://[FalconGate IP address]
Username: admin
Password: falcongate

Usually FalconGate will assign to its administration interface an IP ending in “.2” (e.g. 192.168.0.2) which is derived from the network’s gateway IP Change the default password after the first logon to the application

  • Navigate to the “Configuration” page and fill in the correct fields

This configuration it’s not mandatory but highly desired if you want to unleash FalconGate’s full power. In order to obtain a free VirusTotal API key you must register at (https://www.virustotal.com/).

Installing FalconGate from source

Follow the steps below to configure your device and install FalconGate from this repository.

  • Download and install the OS image to your Raspberry Pi or Banana Pi device

This is well documented in multiple sources out there.

  • Connect to your device via SSH
$ ssh pi@<IP assigned to your RPi>
  • Install Git if you don’t have it yet
$ sudo apt-get update
$ sudo apt-get install git
  • Clone FalconGate’s repository to a local folder
$ cd /opt
$ sudo git clone https://github.com/A3sal0n/FalconGate.git
  • Run the installation script inside FalconGate’s folder
$ cd FalconGate/
$ sudo python install.py

Now you can go for a walk and prepare a coffee or any other beverage of your choice because the installation usually takes some time. The script will print the progress to the console.

The script should finish without issues if you’re using the supported platforms. If you’re attempting to install FalconGate experimentally to a new hardware platform/OS and you get some errors during the installation you could try to correct the issues manually and continue to execute the steps listed in the installation script.

  • Login to your router and disable its DHCP server function

FalconGate was designed to work connected to a router over ethernet. It does not replaces the functions of your router. Instead it becomes a layer of security between your devices and your router. Disabling your router’s DHCP allows FalconGate to become the new gateway for all the devices connected to the same router in your VLAN.

  • Reboot your device to apply all the configuration changes
  • Login to FalconGate’s web app and configure the email address(es) to be used as recipients for alerts and your VirusTotal API key

Deployment

Some important considerations to keep in mind when deploying FalconGate to a real environment: home or production network.

  • Change the default SSH password in your Raspberry Pi or Banana Pi devices
  • Regenerate the openssh-server certificates for SSH encryption

Limitations

Currently the RPi 2 model B and the Banana Pi M2+ have both a single ethernet interface so the traffic forwarding in the gateway it’s done using this single interface. This has an impact in networks with fast Internet connection (e.g. > 50Mb/s). However it’s still good enough for the home networks of many people’s and even some small businesses.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s