
RE: detecting portscanning



        # ============================================================
        echo "Rejecting Portscans"
        # ============================================================

        # Assumed defaults for the variables this fragment references;
        # the surrounding script defines its own values.
        : "${IPTABLES:=/sbin/iptables}"
        : "${LOG_LEVEL:=info}"
        : "${LIMIT_RATE:=3/minute}"

        # ============================================================
        #                        Reject Xmas Scans
        # ============================================================
        # Generic dirty interface mapping: FIN+URG+PSH with no ACK is never
        # a legitimate segment, so log it (rate-limited) and drop it.
        "$IPTABLES" -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH \
                -m limit --limit "$LIMIT_RATE" \
                -j LOG --log-level "$LOG_LEVEL"
        "$IPTABLES" -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

        # This disallows ALL portscans that will hit the PREROUTING table
        # (the nat table only sees the first packet of a connection)
        "$IPTABLES" -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH \
                -m limit --limit "$LIMIT_RATE" \
                -j LOG --log-level "$LOG_LEVEL"
        "$IPTABLES" -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
        # ============================================================

        # ============================================================
        #                        Reject FIN scans
        # ============================================================
        # A lone FIN that does not belong to an ESTABLISHED connection
        # (negation written as "! --state", the form current iptables accepts)
        "$IPTABLES" -A INPUT -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED \
                -m limit --limit "$LIMIT_RATE" \
                -j LOG --log-level "$LOG_LEVEL"
        "$IPTABLES" -A INPUT -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED -j DROP
        # This disallows ALL portscans that will hit the PREROUTING table
        "$IPTABLES" -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN \
                -m limit --limit "$LIMIT_RATE" \
                -j LOG --log-level "$LOG_LEVEL"
        "$IPTABLES" -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN -j DROP
        # ============================================================

        # ============================================================
        # Reject ANY station that opens and immediately closes a connection
        # Some portscanners do this (SYN and FIN set in the same segment)
        # ============================================================
        "$IPTABLES" -A INPUT -p tcp --tcp-flags ALL SYN,FIN \
                -m limit --limit "$LIMIT_RATE" \
                -j LOG --log-level "$LOG_LEVEL"
        "$IPTABLES" -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP

        "$IPTABLES" -t nat -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN \
                -m limit --limit "$LIMIT_RATE" \
                -j LOG --log-level "$LOG_LEVEL"
        "$IPTABLES" -t nat -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN -j DROP
        # ============================================================

        # ============================================================
        # invalid crap: log (but only log) packets conntrack classes as INVALID
        # ============================================================
        "$IPTABLES" -t mangle -A PREROUTING -m state --state INVALID \
                -m limit --limit "$LIMIT_RATE" \
                -j LOG --log-level "$LOG_LEVEL"
        # ============================================================

This isn't complete as the SYN scan will still get through BUT it will take
ages to show anything. Also use of rp_filter ('spoof' protection) helps out
too.

Ed
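As an added example (not from Ed's message or anything posted to the list), here is a small Python detector that reads the kernel LOG lines rules like the ones above produce, names the probe type from the TCP flag set (Xmas, lone FIN, SYN+FIN, null), and counts distinct SYN target ports per source so that the plain SYN scan the rules let through still stands out. The log lines are constructed in the documentation address ranges; the SYN lines assume the ruleset also logs dropped new connection attempts, which the fragment above does not do on its own, and the threshold of five distinct ports is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel's iptables LOG format (not real traffic).
SAMPLE_LOG = """\
May 24 20:15:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
May 24 20:15:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=40000 DPT=25 WINDOW=1024 RES=0x00 FIN URGP=0
May 24 20:15:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0
May 24 20:15:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=40000 DPT=443 WINDOW=1024 RES=0x00 URGP=0
May 24 20:15:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
May 24 20:15:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May 24 20:15:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=40001 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
May 24 20:15:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=40001 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
May 24 20:15:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
May 24 20:15:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May 24 20:15:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 24 20:15:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=28
"""

# Flag names the LOG target prints as bare tokens after PROTO=TCP.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
KV_RE = re.compile(r"^([A-Z]+)=(.*)$")


def parse_log_line(line):
    """Turn one iptables LOG line into {src, dst, dport, flags}; None if not TCP."""
    head, sep, tail = line.partition("PROTO=TCP")
    if not sep:
        return None
    fields, flags = {}, set()
    for tok in head.split():
        m = KV_RE.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
    for tok in tail.split():          # only the TCP part carries flag tokens
        m = KV_RE.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        elif tok in TCP_FLAGS:
            flags.add(tok)
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {"src": fields["SRC"], "dst": fields.get("DST"),
            "dport": int(fields["DPT"]), "flags": frozenset(flags)}


def classify(flags):
    """Name the probe type from the flag set, matching the cases the rules drop."""
    if flags == frozenset({"FIN", "PSH", "URG"}):
        return "xmas"
    if flags == frozenset({"FIN"}):
        return "fin"
    if {"SYN", "FIN"} <= flags:
        return "syn-fin"
    if not flags:
        return "null"
    if flags == frozenset({"SYN"}):
        return "syn"
    return "other"


def summarize(log_text, syn_port_threshold=5):
    """Per-source tally of probe types plus a SYN-sweep verdict on distinct ports."""
    per_src = defaultdict(lambda: {"kinds": defaultdict(int), "syn_ports": set()})
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        kind = classify(rec["flags"])
        entry = per_src[rec["src"]]
        entry["kinds"][kind] += 1
        if kind == "syn":
            entry["syn_ports"].add(rec["dport"])
    return {
        src: {
            "kinds": dict(e["kinds"]),
            "distinct_syn_ports": len(e["syn_ports"]),
            "suspected_syn_sweep": len(e["syn_ports"]) >= syn_port_threshold,
        }
        for src, e in per_src.items()
    }


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

Feeding the script a real kern.log simply means replacing SAMPLE_LOG with the file contents; the flag-based classes map one-to-one onto the LOG rules above, while the distinct-port counter is what gives you an alert for the SYN scan Ed notes still gets through.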

-----Original Message-----
From: S.Salman Ahmed [mailto:ssahmed@pathcom.com]
Sent: Thursday, May 24, 2001 8:11 PM
To: debian-security@lists.debian.org
Subject: RE: detecting portscanning


>>>>> "Ed" == Ed Street <blacknet@phenixcable.net> writes:
    Ed>
    Ed> iptables has an awesome mechanism for portscans ;) in fact you
    Ed> can set it up so that all portscans (well most I should say)
    Ed> will literally take HOURS to return nothing.
    Ed>

What iptables rule(s) would cause that behaviour?

--
Salman Ahmed
ssahmed AT pathcom DOT com


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org