iptables and port scans

Post by Tony » Sun, 10 Feb 2002 03:37:25



Does anyone know of a rule that will limit or detect and log port scans with
iptables?

Thanks


iptables and port scans

Post by Michael Wandinge » Sun, 10 Feb 2002 06:08:29


Hi Tony,


> Does anyone know of a rule that will limit or detect and log port scans with
> iptables?

It matters which type of scan arrives: stealth scans like the
XMAS scan (all flags high) are usually illegal. You can build a rule like:

iptables -A INPUT -p tcp --tcp-flags ....  -j LOG

manpage says:

  --tcp-flags [!] mask comp
       Match when the TCP flags are as specified. The first argument
       is the flags which we should examine, written as a comma-separated
       list, and the second argument is a comma-separated list of flags
       which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE.
       Hence the command
         iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
       will only match packets with the SYN flag set, and the ACK, FIN
       and RST flags unset.

But usually a port scan makes so much noise that your firewall logs would
burst...

Usually you go the other way round: everything which is not allowed
would be logged.

There is a tool called "logsnorter" which brings the iptables logs into
the snort format for identifying port scans in snort.

look at www.snort.org

Which FW-Script do you use?

greetings

Michael

> Thanks



iptables and port scans

Post by TJE » Sun, 10 Feb 2002 07:29:51


Provided that memory serves, this will LOG most types of stealthy scans:
iptables -A INPUT -m state --state INVALID -j LOG

This should log ACK scans (since there was no previous 3-way handshake,
thus the ACK packet is invalid), XMAS scans, and various other scans.

-tj-

> Does anyone know of a rule that will limit or detect and log port scans
> with iptables?

> Thanks
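
The two approaches in this thread (flag-combination matching with --tcp-flags and the --state INVALID rule) combined into one logging chain, as an added example that is not part of any post above. It assumes a legacy iptables with the limit and state matches; the chain name PORTSCAN and the rate-limit values are my choices, and IPT defaults to "echo iptables" so the rules are printed for review instead of installed.

```shell
#!/bin/sh
# Added example (not from the thread): one chain that logs and drops packets
# matching the scan signatures discussed above. The LOG target is rate-limited
# so a noisy scan cannot make the firewall logs "burst".
# IPT defaults to a dry run that prints the commands; run with IPT=iptables
# as root to actually install the rules.
IPT="${IPT:-echo iptables}"
CHAIN="${CHAIN:-PORTSCAN}"

# "mask comp label" rows for --tcp-flags: flags to examine, flags that must
# be set. None of these combinations occurs in a legitimate TCP handshake.
flag_signatures() {
    cat <<'EOF'
ALL ALL             all-flags-set
ALL FIN,PSH,URG     xmas
ALL NONE            null
SYN,FIN SYN,FIN     syn-fin
SYN,RST SYN,RST     syn-rst
EOF
}

# Print (or install) the complete rule set.
scan_log_rules() {
    # Dedicated chain: rate-limited LOG first, then DROP.
    $IPT -N "$CHAIN"
    $IPT -A "$CHAIN" -m limit --limit 6/min --limit-burst 12 \
        -j LOG --log-prefix "PORTSCAN: "
    $IPT -A "$CHAIN" -j DROP
    # Stealth-scan flag combinations are sent to the chain.
    flag_signatures | while read -r mask comp label; do
        $IPT -A INPUT -p tcp --tcp-flags "$mask" "$comp" -j "$CHAIN"
    done
    # Packets belonging to no known connection (e.g. ACK scans), the
    # "--state INVALID" idea from the post above.
    $IPT -A INPUT -m state --state INVALID -j "$CHAIN"
}

# Number of iptables commands in the rule set (meaningful in dry-run mode).
rule_count() {
    scan_log_rules | wc -l | tr -d ' '
}

scan_log_rules
```

Review the printed rules, then re-run with IPT=iptables to install them; the ordering matters, so place them before any rule that accepts new TCP connections.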


iptables and port scans

Post by Yan Seine » Tue, 12 Feb 2002 08:44:05




> Does anyone know of a rule that will limit or detect and log port scans
> with iptables?

> Thanks

Sure.  patch-o-matic the psd module.  It does it for you.  It basically
blackholes the scanning IP for the duration of the scan.

--Yan


iptables and port scan detection

Either the various portscans I constantly receive have suddenly stopped, or
the firewall is blocking them before they reach portsentry.  Is there a way
to permit information in, yet still show the system as stealthed?  (There
are some open ports, so I want to be able to block an IP temporarily,
before their scan finds any of the open ports)

Furthermore, the firewall makes it difficult to stealth everything, and yet
still be able to run programs which need to open up temporary listening
ports.  Can an iptables rule be set to match any new connection to a
non-listening port?

Also, I've seen rules thrown about for all sorts of strange tcp flags and
addresses.  What rules for strange behaviour do people use?
