How to detect open TCP scan ports?
Hi all,
An open scan consists of a client opening a connection using the
typical three-way TCP handshake. Once it is established (and so an open port
is detected), the client suddenly sends a reset (or a FIN?).
client -> SYN
server -> SYN | ACK
client -> ACK
client -> RST | ACK
Since this is not odd behaviour, how can it be differentiated from a
normal reset (one that does not come from a port scan)?
In addition, I am sending some iptables rules that detect and log the usual port
scans. If anybody finds a hole, please tell me.
IPT=${IPT:-iptables}   # path to the iptables binary

# Create the SCAN chain before anything jumps to it: a "-j SCAN" issued
# before "-N SCAN" fails with "No chain/target/match by that name".
$IPT -N SCAN
$IPT -A INPUT -p tcp -j SCAN

# Plain SYN (only SYN set among FIN,SYN,RST,PSH,ACK,URG): let through at
# most 1/s with a burst of 2, log the excess at 1/min, drop the rest.
# The limit is a single bucket for all sources, not a per-address one.
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -m limit --limit 1/s \
    --limit-burst 2 -j RETURN
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -m limit --limit 1/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN FLOOD?: "
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -j DROP

# Xmas scan: FIN+URG+PSH and nothing else
$IPT -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 2/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - Xmas PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# SYN+FIN and nothing else
$IPT -A SCAN -p tcp --tcp-flags ALL SYN,FIN -m limit --limit 2/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN FIN PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL SYN,FIN -j DROP

# SYN+RST (only the SYN and RST bits are examined, other flags ignored)
$IPT -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 2/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN RST PortScan: "
$IPT -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Bare FIN that does not belong to an established connection
# (negation goes before --state: "! --state", not "--state !")
$IPT -A SCAN -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED \
    -m limit --limit 2/m --limit-burst 2 -j LOG \
    --log-prefix "IPTABLES - FIN PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED -j DROP

# All six flags set
$IPT -A SCAN -p tcp --tcp-flags ALL ALL -m limit --limit 2/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - ALL PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL ALL -j DROP

# No flags set (null scan)
$IPT -A SCAN -p tcp --tcp-flags ALL NONE -m limit --limit 2/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - NONE PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL NONE -j DROP
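On the first question (telling a connect-scan teardown from an ordinary reset), the following is an added example and not part of the original post. It tracks each client-initiated flow through the handshake and labels a teardown "empty-close" when the client sends RST or FIN before any payload byte has crossed in either direction; a single empty close looks exactly like a TCP health check, so a second pass flags only sources that close many distinct ports empty within a short window. The packet summaries are constructed tuples (time, src, sport, dst, dport, flags, payload_len) in capture order, the kind of record you would extract from a pcap or a flow log; the server address, client addresses, ports and thresholds are all assumptions for the sake of the example.

```python
"""Tell a connect-scan teardown from an ordinary one by flow state, then
flag sources that fan out across many ports.

Added example, not from the original post.  Packets are constructed
(time, src, sport, dst, dport, flags, payload_len) tuples in capture order.
Flags use tcpdump letters: S=SYN A=ACK P=PSH F=FIN R=RST.
"""
from collections import defaultdict

SERVER = "10.0.0.1"   # assumed scanned host


def session(t, client, cport, dport, rest):
    """Three-way handshake followed by `rest`: (dt, direction, flags, plen)."""
    pkts = [
        (t, client, cport, SERVER, dport, "S", 0),
        (t, SERVER, dport, client, cport, "SA", 0),
        (t, client, cport, SERVER, dport, "A", 0),
    ]
    for dt, direction, flags, plen in rest:
        if direction == ">":   # client -> server
            pkts.append((t + dt, client, cport, SERVER, dport, flags, plen))
        else:                  # server -> client
            pkts.append((t + dt, SERVER, dport, client, cport, flags, plen))
    return pkts


# Constructed sample capture.
PACKETS = []
# ordinary HTTP session: request, response, orderly FIN close
PACKETS += session(0.0, "10.0.0.5", 40001, 80,
                   [(0.01, ">", "PA", 120), (0.02, "<", "PA", 500), (0.03, ">", "FA", 0)])
# ordinary SSH session aborted with RST after the server banner arrived
PACKETS += session(1.0, "10.0.0.5", 40002, 22,
                   [(0.05, "<", "PA", 40), (0.10, ">", "RA", 0)])
# single TCP health check: handshake then immediate RST, one port only
PACKETS += session(1.5, "10.0.0.5", 40003, 80, [(0.0, ">", "RA", 0)])
# connect scan from 10.0.0.9: handshake then immediate RST on five ports
for i, port in enumerate((21, 22, 25, 80, 443)):
    PACKETS += session(2.0 + i * 0.01, "10.0.0.9", 50000 + i, port,
                       [(0.0, ">", "RA", 0)])


def classify_flows(packets):
    """Map each client flow key (src, sport, dst, dport) to (label, t_close).

    'empty-close': handshake completed, then the client sent RST or FIN before
    a single payload byte crossed in either direction.  'normal': data flowed
    before the teardown.  'incomplete': no client teardown seen.
    """
    flows = {}
    for t, src, sport, dst, dport, flags, plen in packets:
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":                       # client SYN opens a flow record
            flows[key] = {"synack": False, "shaken": False, "bytes": 0,
                          "label": "incomplete", "t_close": None}
        elif rkey in flows:                    # server -> client
            f = flows[rkey]
            f["synack"] = f["synack"] or flags == "SA"
            f["bytes"] += plen
        elif key in flows:                     # client -> server
            f = flows[key]
            if "A" in flags and f["synack"]:
                f["shaken"] = True             # third leg of the handshake
            f["bytes"] += plen
            if f["shaken"] and f["label"] == "incomplete" and ("R" in flags or "F" in flags):
                f["label"] = "empty-close" if f["bytes"] == 0 else "normal"
                f["t_close"] = t
    return {k: (f["label"], f["t_close"]) for k, f in flows.items()}


def detect_scanners(packets, min_ports=4, window=5.0):
    """{src: sorted ports} for sources closing >= min_ports distinct
    destination ports empty inside any `window`-second span."""
    by_src = defaultdict(list)
    for (src, _, _, dport), (label, t_close) in classify_flows(packets).items():
        if label == "empty-close":
            by_src[src].append((t_close, dport))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners


if __name__ == "__main__":
    for key, (label, t_close) in classify_flows(PACKETS).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {label}  closed_at={t_close}")
    print("scanners:", detect_scanners(PACKETS))
```

Run as-is it labels the HTTP and SSH flows "normal", the health check and the five scan flows "empty-close", and reports only 10.0.0.9 as a scanner; lowering min_ports to 1 would also flag the health-check source, which is exactly why the per-flow verdict alone is not enough.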
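On the second question (holes in the rule set), the following is an added example and not part of the original post. It emulates the iptables `--tcp-flags MASK COMP` test (only the bits in MASK are examined and they must equal COMP) and walks the posted SCAN chain, transcribed in order, against probe types named after the nmap scan that emits them. Running it shows that an ACK probe and a FIN+ACK (Maimon) probe hit no rule at all, that ECE/CWR bits on a SYN do not evade the SYN rule because iptables' ALL mask excludes them, and that a packet with all six flags set is caught by the SYN,RST rule before the ALL rule can ever fire. The rate-limited LOG rules and the `! --state ESTABLISHED` qualifier are not modelled since they do not change which rule a packet hits; the probe list is constructed.

```python
"""Emulate iptables --tcp-flags MASK COMP and run the posted SCAN chain
against common nmap probe types.

Added example, not from the original post.  SCAN_CHAIN transcribes the
posted rules in order (LOG entries and the conntrack state qualifier are
omitted because they do not change the verdict); PROBES is constructed.
"""

# Bit values of the TCP flags as iptables names them.  ALL means exactly
# FIN,SYN,RST,PSH,ACK,URG (0x3f); the ECN bits ECE (0x40) and CWR (0x80)
# are outside that mask and are never examined by these rules.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
ALL = (FLAG_BITS["FIN"] | FLAG_BITS["SYN"] | FLAG_BITS["RST"]
       | FLAG_BITS["PSH"] | FLAG_BITS["ACK"] | FLAG_BITS["URG"])


def bits(spec):
    """Turn an iptables flag list ("SYN,FIN", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


# (mask, comp, verdict) in the order the rules appear in the SCAN chain.
SCAN_CHAIN = [
    ("ALL", "SYN", "RETURN at <=1/s (single global bucket), excess dropped"),
    ("ALL", "FIN,URG,PSH", "DROP Xmas PortScan"),
    ("ALL", "SYN,FIN", "DROP SYN FIN PortScan"),
    ("SYN,RST", "SYN,RST", "DROP SYN RST PortScan"),
    ("ALL", "FIN", "DROP FIN PortScan (unless ESTABLISHED)"),
    ("ALL", "ALL", "DROP ALL PortScan"),
    ("ALL", "NONE", "DROP NONE PortScan"),
]


def tcp_flags_match(pkt_flags, mask, comp):
    """iptables semantics: look only at the bits in MASK; they must equal COMP."""
    return (pkt_flags & bits(mask)) == bits(comp)


def verdict(pkt_flags):
    """First SCAN rule the packet hits, or fall-through to the rest of INPUT."""
    for mask, comp, result in SCAN_CHAIN:
        if tcp_flags_match(pkt_flags, mask, comp):
            return result
    return "no SCAN rule matched"


# Constructed probes, named after the nmap scan type that emits them.
PROBES = {
    "SYN scan (-sS) / connect scan (-sT) first packet": "SYN",
    "SYN with ECN bits ECE+CWR set": "SYN,ECE,CWR",
    "Xmas scan (-sX)": "FIN,PSH,URG",
    "Null scan (-sN)": "NONE",
    "FIN scan (-sF)": "FIN",
    "Maimon scan (-sM)": "FIN,ACK",
    "ACK scan (-sA)": "ACK",
    "SYN+RST": "SYN,RST",
    "all six flags set": "ALL",
}


def probe_verdicts():
    """{probe name: verdict} for every constructed probe."""
    return {name: verdict(bits(spec)) for name, spec in PROBES.items()}


if __name__ == "__main__":
    for name, result in probe_verdicts().items():
        print(f"{name:50} -> {result}")
```

The two fall-through cases are the ones the chain leaves to whatever follows it in INPUT, and the SYN rule's `-m limit` is one bucket shared by every source, so a busy legitimate client and a scanner draw from the same 1/s allowance.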