
Re: port scare



Use ipchains ASAP. 

Going after all services is impossible when experimenting
unless you use this approach.

I block all ports 1-1023 except ones I use for my connection to
the cable modem by using ipchains on the gateway machine. (See attached
script for details.  This is "ipmasq -l" output. You can get 
my script to harden the ipmasq package from 
        www.aokiconsulting.com/pub/ipmasq-fw.tar.gz
It may require some manual editing but should give you a good start.)
---------------
FYI: My log has many unsuccessful attacks (except known portscan on
NNTP by ISP); 21 ftp, 111 sunrpc, 53 nameserver (DNS), 510 ???,
515 line printer spooler, 109 POP version 2 are recent attacks.

I used to get netbios (137-139) connections but not recently.  
Maybe the ISP is blocking them for windoze clients???

You will be surprised how many of these come in.

Osamu

PS: I allow telnet. Do not laugh pls.

On Sun, Feb 18, 2001 at 02:00:47PM -0500, Glenn Becker wrote:
> solutions later, like ipchains/firewalls.
-- 
+  Osamu Aoki <debian@aokiconsulting.com>, GnuPG-key: 1024D/D5DE453D  +
+   Fingerprint: 814E BD64 3288 40E7 E88E  3D92 C3F8 EA94 D5DE 453D   +
+   === http://www.aokiconsulting.com ======= Cupertino, CA USA ===   +

#: Interfaces found:
#:   eth0	24.19.???.???/255.255.255.0
#:   eth1	192.168.1.1/255.255.255.0
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/ip_always_defrag
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains --no-warnings -P forward DENY
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains --no-warnings -F forward
/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A input -j DENY -i ! lo -s 127.0.0.1/255.0.0.0 -l
/sbin/ipchains -A input -j ACCEPT -i eth1 -d 255.255.255.255/32
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 192.168.1.1/255.255.255.0
/sbin/ipchains -A input -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! tcp
/sbin/ipchains -A input -j DENY -i eth0 -s 192.168.1.1/255.255.255.0 -l
/sbin/ipchains -A input -j ACCEPT -i eth0 -d 24.19.???.???/32 ssh -p tcp
/sbin/ipchains -A input -j ACCEPT -i eth0 -d 24.19.???.???/32 auth -p tcp
/sbin/ipchains -A input -j ACCEPT -i eth0 -d 24.19.???.???/32 smtp -p tcp
/sbin/ipchains -A input -j DENY -i eth0 -s 24.0.0.0/8 -d 24.19.???.???/32 www -p tcp
/sbin/ipchains -A input -j ACCEPT -i eth0 -d 24.19.???.???/32 www -p tcp
/sbin/ipchains -A input -j ACCEPT -i eth0 -d 24.19.???.???/32 telnet -p tcp
/sbin/ipchains -A input -j DENY -i eth0 -d 0.0.0.0/0 bootpc -p udp
/sbin/ipchains -A input -j DENY -i eth0 -d 24.19.???.???/32 nntp -s 24.0.0.0/8 -p tcp
/sbin/ipchains -A input -j DENY -i eth0 -d 0.0.0.0/0 1:1023 -p tcp -l
/sbin/ipchains -A input -j DENY -i eth0 -d 0.0.0.0/0 1:1023 -p udp -l
/sbin/ipchains -A input -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/ipchains -A input -j ACCEPT -i eth0 -d 24.19.???.???/32
/sbin/ipchains -A input -j ACCEPT -i eth0 -d 24.19.???.255/32
/sbin/ipchains --no-warnings -A forward -j MASQ -i eth0 -s 192.168.1.1/255.255.255.0
/sbin/ipchains -A output -j ACCEPT -i lo
/sbin/ipchains -A output -j ACCEPT -i eth1 -d 192.168.1.1/255.255.255.0
/sbin/ipchains -A output -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! tcp
/sbin/ipchains -A output -j DENY -i eth0 -d 192.168.1.1/255.255.255.0 -l
/sbin/ipchains -A output -j ACCEPT -i eth0 -s 24.19.???.???/32 ssh -p tcp
/sbin/ipchains -A output -j ACCEPT -i eth0 -s 24.19.???.???/32 auth -p tcp
/sbin/ipchains -A output -j ACCEPT -i eth0 -s 24.19.???.???/32 smtp -p tcp
/sbin/ipchains -A output -j ACCEPT -i eth0 -s 24.19.???.???/32 www -p tcp
/sbin/ipchains -A output -j ACCEPT -i eth0 -s 24.19.???.???/32 telnet -p tcp
/sbin/ipchains -A output -j DENY -i eth0 -s 0.0.0.0/0 bootps -p udp
/sbin/ipchains -A output -j DENY -i eth0 -s 0.0.0.0/0 137:139 -p udp
/sbin/ipchains -A output -j DENY -i eth0 -s 0.0.0.0/0 137:139 -p tcp
/sbin/ipchains -A output -j DENY -i eth0 -s 0.0.0.0/0 1:1023 -p tcp -l
/sbin/ipchains -A output -j DENY -i eth0 -s 0.0.0.0/0 1:1023 -p udp -l
/sbin/ipchains -A output -j ACCEPT -i eth0 -s 24.19.???.???/32
/sbin/ipchains -A output -j ACCEPT -i eth0 -s 24.19.???.255/32
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
Warning: you must enable IP forwarding for packets to be forwarded at all:
 Use `echo 1 > /proc/sys/net/ipv4/ip_forward'
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
/sbin/ipchains -M -S 7200 10 160
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
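The DENY rules above carry "-l", so every rejected packet lands in the kernel log in the ipchains "Packet log:" format. The script below is an added example, not part of the post or the ipmasq package: it tallies those denials by protocol and destination port, which is how one gets the per-port picture (21 ftp, 111 sunrpc, 515 lpd, ...) given in the message. The log lines are constructed samples; the "24.19.0.1" and "10.0.0.x" addresses and the rule numbers are made up.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ipchains "-l"
# denial log lines by protocol and destination port.
# The lines below are constructed samples in the kernel's ipchains
# "Packet log:" layout (chain target iface PROTO=n src:sport dst:dport ...),
# with a syslog prefix; they are not real log data.
SAMPLE_LOG='Feb 18 13:01:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:3456 24.19.0.1:21 L=60 S=0x00 I=1 F=0x4000 T=50 SYN (#20)
Feb 18 13:01:09 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:1025 24.19.0.1:21 L=60 S=0x00 I=2 F=0x4000 T=48 SYN (#20)
Feb 18 13:02:15 gw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:111 24.19.0.1:111 L=48 S=0x00 I=3 F=0x0000 T=60 (#21)
Feb 18 13:03:40 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4001 24.19.0.1:515 L=60 S=0x00 I=4 F=0x4000 T=50 SYN (#20)
Feb 18 13:04:00 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.8:2222 24.19.0.1:22 L=60 S=0x00 I=5 F=0x4000 T=50 SYN (#7)'

# deny_hits_by_port: read log lines on stdin and print "count proto port"
# for every DENY entry, most frequent first. ACCEPT entries are skipped.
deny_hits_by_port() {
    awk '
        /Packet log:/ {
            # locate the "log:" token so the syslog prefix length does not matter
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            target = $(i+2); proto = $(i+4); dst = $(i+6)
            if (target != "DENY") next
            sub(/^PROTO=/, "", proto)
            n = split(dst, parts, ":"); port = parts[n]   # last field is the port
            name = (proto == "6" ? "tcp" : (proto == "17" ? "udp" : proto))
            hits[name " " port]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# deny_count_for_port PROTO PORT: number of DENY lines in SAMPLE_LOG for
# that protocol/port pair (e.g. "tcp 21"); prints 0 when none were seen.
deny_count_for_port() {
    printf '%s\n' "$SAMPLE_LOG" | deny_hits_by_port |
        awk -v want="$1 $2" '($2 " " $3) == want { print $1; found = 1 }
                             END { if (!found) print 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | deny_hits_by_port
```

Pipe a real /var/log/messages (or wherever klogd writes) into deny_hits_by_port to see which of the 1:1023 rules are actually being hit.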
