
RE: How to detect open tcp scan ports?



I'd suggest looking into Snort for intrusion detection.  It has a whole
module dedicated to the detection of (various kinds of) port scans.
Snort is available as a standard package in sarge.

Toby.

-----Original Message-----
From: eduardgv [mailto:eduardgv@gmail.com] 
Sent: Tuesday, 21 September 2004 9:37 PM
To: debian-firewall
Subject: How to detect open tcp scan ports?


Hi all,

An open scan consists of a client opening a connection using the
typical three-way TCP handshake. Once it is established (and so an open
port has been detected), the client suddenly sends a reset (or a FIN?).

client -> SYN
server -> SYN | ACK
client -> ACK
client -> RST | ACK


Since this is not odd behaviour, how can it be differentiated from a
normal reset (one that is not part of a port scan)?


In addition, I am sending some iptables rules that detect and log the
usual port scans. If anybody finds a hole, please tell me.

# The rules assume $IPT names the iptables binary; set it so the block runs as-is.
IPT=/sbin/iptables

# Create the SCAN chain before anything jumps to it: the original appended
# the INPUT jump first, which fails while SCAN does not yet exist.
$IPT -N SCAN

# Bare SYNs: a modest rate is normal traffic, so hand those back to INPUT.
# Note that the limit match counts all matching packets, not per source,
# so once the bucket is empty legitimate connection attempts are dropped too.
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -m limit --limit 1/s \
    --limit-burst 2 -j RETURN
# Anything beyond that rate is logged (at most about once a minute) and dropped.
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -m limit --limit 1/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN FLOOD?: "
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -j DROP

# Xmas scan: exactly FIN, URG and PSH set.
$IPT -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 2/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - Xmas PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# SYN and FIN together never occur in a legitimate segment.
$IPT -A SCAN -p tcp --tcp-flags ALL SYN,FIN -m limit --limit 2/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN FIN PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL SYN,FIN -j DROP

# SYN and RST together (only those two flags are examined here).
$IPT -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 2/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN RST PortScan: "
$IPT -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN scan: a lone FIN that belongs to no established connection.
# The state check comes before the limit match so that ordinary FINs on
# live connections do not use up the log rate tokens.
$IPT -A SCAN -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED \
    -m limit --limit 2/m --limit-burst 2 \
    -j LOG --log-prefix "IPTABLES - FIN PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED \
    -j DROP

# Every flag set.
$IPT -A SCAN -p tcp --tcp-flags ALL ALL -m limit --limit 2/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - ALL PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL ALL -j DROP

# No flag set (null scan).
$IPT -A SCAN -p tcp --tcp-flags ALL NONE -m limit --limit 2/m \
    --limit-burst 2 -j LOG --log-prefix "IPTABLES - NONE PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL NONE -j DROP

# Finally, send all incoming TCP through the SCAN chain.
$IPT -A INPUT -p tcp -j SCAN


-- 
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
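The question in the quoted mail (a connect scan completes the handshake and then resets, so no single packet or reset looks abnormal) has a practical answer: the scan is visible as fan-out, one source opening connections to many distinct ports in a short time, which is also the kind of counting a port-scan detector does rather than inspecting flags. The script below is an added example, not code from this thread or from Snort; it applies that heuristic to iptables LOG lines for NEW connections, and the log prefix, sample lines, window and port threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# From a kernel log line written by an iptables LOG rule we need the syslog timestamp, SRC and DPT.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (timestamp, src, dpt), or None for lines that are not LOG output."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))

def find_scanners(lines, window=timedelta(seconds=10), min_ports=5):
    """Map src -> sorted ports for sources that hit >= min_ports distinct ports within one window."""
    recent = defaultdict(deque)  # src -> (ts, dpt) pairs, oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dpt = rec
        q = recent[src]
        q.append((ts, dpt))
        while ts - q[0][0] > window:  # forget entries older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and src not in alerts:
            alerts[src] = sorted(ports)
    return alerts

# Constructed sample of what a hypothetical rule such as
#   $IPT -A INPUT -p tcp --syn -m state --state NEW -j LOG --log-prefix "IPTABLES - NEW: "
# would write: 192.0.2.10 walks five ports in four seconds, 192.0.2.20 only fetches a page twice.
SAMPLE = """\
Sep 21 21:37:01 fw kernel: IPTABLES - NEW: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN
Sep 21 21:37:02 fw kernel: IPTABLES - NEW: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21 SYN
Sep 21 21:37:02 fw kernel: IPTABLES - NEW: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 21 21:37:03 fw kernel: IPTABLES - NEW: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=25 SYN
Sep 21 21:37:03 fw kernel: IPTABLES - NEW: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=80 SYN
Sep 21 21:37:04 fw sshd[1234]: Accepted publickey for toby from 192.0.2.20
Sep 21 21:37:04 fw kernel: IPTABLES - NEW: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=80 SYN
Sep 21 21:37:05 fw kernel: IPTABLES - NEW: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=443 SYN
""".splitlines()
```

Fed real kernel log lines from such a rule, `find_scanners` flags 192.0.2.10 and ignores the host that merely reconnects to port 80, which is the distinction the flag-based rules above cannot make.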
