Logging Portscans

Logging Portscans

[Tasha Smith]

Hii,
I was wandering why iptables is NOT logging to my /var/log/messages/ NMAPS
stealth port scans or when i telnet any port?.  Here are what the first part of
my rules look like. How can u add some rules soo i can see (LOG) all ports scans
or connection attemps on my machine????
iptables 1.2.7
kernel 2.4.19

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

iptables -A INPUT -i lo -j ACEPT
iptables -A OUTPUT -o lo -j ACCEPT

# I tryed to put in a logging rule here and it didnt log the port scan!
iptables -A INPUT -i eth0 -p tcp \
         --dport 111 -j LOG-prefix "DROP sunrpc: "

iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT

# I tryed a LOG Policy here too like this!
iptables -i INPUT -p tcp -j LOG --log-prefix "log-tcp-test: "

iptables -A INPUT -m state --state ESTABLSIHED,RELATED -j ACCEPT
iptables -A FOWARD -m state --state ESTABLSIHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLSIHED,RELATED -j ACCEPT

And then after this i have all stuff that is allowed on my machine like DNS,
DHCP, and my forwarding rules! 
 

__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

Re: Logging Portscans

[netfilter]

On Mon, Oct 21, 2002 at 02:39:12AM -0700, Tasha Smith wrote:
> 
> iptables -i INPUT -p tcp -j LOG --log-prefix "log-tcp-test: "

iptables -I INPUT -p tcp -j LOG --log-prefix "log-tcp-test: "

It's a CAPITAL -I for insert.

- Tomas Edwardsson
- Unix/Linux Support
- Opin Kerfi

Re: Logging Portscans

[Nick Drage]

On Mon, Oct 21, 2002 at 02:39:12AM -0700, Tasha Smith wrote:
> Hii,
> I was wandering why iptables is NOT logging to my /var/log/messages/ NMAPS
> stealth port scans or when i telnet any port?.  Here are what the first part of
> my rules look like. How can u add some rules soo i can see (LOG) all ports scans
> or connection attemps on my machine????
> iptables 1.2.7
> kernel 2.4.19

Out of interest, why log all port scans?

Also, do keep a close eye on this when you get it working - depending on the
kind of site you're running iptables on you might find your logs filling up
*very* quickly.

<snip>

-- 
FunkyJesus System Administration Team

Re: Logging Portscans

[Antony Stone]

On Monday 21 October 2002 10:39 am, Tasha Smith wrote:

> Hii,
> I was wandering why iptables is NOT logging to my /var/log/messages/ NMAPS
> stealth port scans or when i telnet any port?.  Here are what the first
> part of my rules look like. How can u add some rules soo i can see (LOG)
> all ports scans or connection attemps on my machine????
>
> # I tryed to put in a logging rule here and it didnt log the port scan!
> iptables -A INPUT -i eth0 -p tcp \
>          --dport 111 -j LOG-prefix "DROP sunrpc: "
>
> # I tryed a LOG Policy here too like this!
> iptables -i INPUT -p tcp -j LOG --log-prefix "log-tcp-test: "
>
> iptables -A INPUT -m state --state ESTABLSIHED,RELATED -j ACCEPT
> iptables -A FOWARD -m state --state ESTABLSIHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLSIHED,RELATED -j ACCEPT
>
> And then after this i have all stuff that is allowed on my machine like
> DNS, DHCP, and my forwarding rules!

I notice you have rules in both the INPUT and the FORWARD chains, but your 
LOG rules are only in INPUT.

Are you trying to scan the firewall itself, or perhaps a machine on the other 
side, which is being routed by the firewall ?   You might need the LOG rules 
in the FORWARD chain.

So long as we assume that the various typos in the rules you've given are not 
actually in the scripts you are using (eg -i instead of -I, misspellings of 
ACCEPT, FORWARD and ESTABLISHED) then there's no reason why you shouldn't be 
logging all TCP packets using your "log-tcp-test" rule shown above.

Antony.

-- 

The first ninety percent of an engineering project takes ninety percent
of the time, and the last ten percent takes the remaining ninety percent.

RE: Logging Portscans

[Ferry van Steen]

You supplied insufficient information :-)
/var/log/messages doesn't necessarily catch/log all messages send to
syslogd/klogd this depends on the configuration in your /etc/syslog.conf

Try this

add this line to /etc/syslog.conf
*.*			/var/log/allmessages

then
killall -1 syslogd
killall -1 klogd

Hmm that is for linux

maybe
killall -HUP syslogd
and
killall -HUP klogd
would be safer.

Anyways, make sure they're still running after that killall command it
should only make it reread the config.
ps -Af | grep log
to see

then you should get the lines in
/var/log/allmessages file
please note this file can grow quite quickly
do
man syslog.conf
for more info


> -----Oorspronkelijk bericht-----
> Van: Tasha Smith [mailto:natasha3641@yahoo.com] 
> Verzonden: maandag 21 oktober 2002 11:39
> Aan: netfilter@lists.netfilter.org
> Onderwerp: Logging Portscans
> 
> 
> Hii,
> I was wandering why iptables is NOT logging to my 
> /var/log/messages/ NMAPS stealth port scans or when i telnet 
> any port?.  Here are what the first part of my rules look 
> like. How can u add some rules soo i can see (LOG) all ports 
> scans or connection attemps on my machine???? iptables 1.2.7 
> kernel 2.4.19
> 
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
> 
> iptables -A INPUT -i lo -j ACEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # I tryed to put in a logging rule here and it didnt log the 
> port scan! iptables -A INPUT -i eth0 -p tcp \
>          --dport 111 -j LOG-prefix "DROP sunrpc: "
> 
> iptables --policy INPUT DROP
> iptables --policy FORWARD DROP
> iptables --policy OUTPUT ACCEPT
> 
> # I tryed a LOG Policy here too like this!
> iptables -i INPUT -p tcp -j LOG --log-prefix "log-tcp-test: "
> 
> iptables -A INPUT -m state --state ESTABLSIHED,RELATED -j 
> ACCEPT iptables -A FOWARD -m state --state 
> ESTABLSIHED,RELATED -j ACCEPT iptables -A OUTPUT -m state 
> --state ESTABLSIHED,RELATED -j ACCEPT
> 
> And then after this i have all stuff that is allowed on my 
> machine like DNS, DHCP, and my forwarding rules! 
>  
> 
> __________________________________________________
> Do you Yahoo!?
> Y! Web Hosting - Let the expert host your web site 
http://webhosting.yahoo.com/

Re: Logging Portscans

[Tasha Smith]

you mean you never get any logs at all, or you get log entries on the screen 
but not in a file, or you get logs sometimes, but not when you're doing a 
particular type of scan ?

--->I am scanning my firewall machine from a machine on a "different network".

--->And when the scan is finished i  check the log file of my firewall machine
and there are no reports of a scan to any port. My log file being
"/var/log/messages"

--->Here is what the nmap scan i used   "namp -sS -sT -P0 -v 152.22.xx.xx"
    

> I even added this to my syslog.conf file......
>
>  kern.warn                            /var/log/fwlog

Does this successfully log anything at all ?  I mean, if you insert a rule 
right at the start of your INPUT chain:
iptables -I INPUT -j LOG --log-prefix "fwlog: "

Does anything go into /var/log/fwlog ?
---> Yes, somehting does go into the "/var/log/fwlog" file. (All kernel messages
goes into this file like:
OCT 21 01:4443 HOSTNAME   kernel : Linux version 2.4.19
(root@hostname.bc.hisa.telus.net) gcc version 2.96)
OCT 21 01:4443 HOSTNAME   kernel Mount-cache has tables entyries: 1024 (order:
1, 8192 bytes
OCT 21 01:4443 HOSTNAME   kernel : Buffer-cache hash tables entries:4096
(order:2, 16384
And and someother kernel messages 

(I would expect you to have to add the option "--log-level=warn" to match the 
entry in your syslog.conf file.)

>  How can i get this machine to log STEALTH port scans and stuff???

Explain what you mean by a Stealth port scan ?   If yu;re using nmap, what 
options are you using ?

---> Here what options im using "namp -sS -sT -P0 -v 152.22.xx.xx"

> iptables           --flush
> iptables -t -nat   --flush
> iptables -t mangle --flush
>
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> iptables --policy INPUT DROP
> iptables --policy FORWARD DROP
> iptables --policy OUTPUT ACCEPT
--->#when this line is added to my script:
  iptables -I INPUT -j LOG --log-prefix "fwlog: "
># When this line is added to my script and i run the nmap scan from a computer
with an ip address of 152.22.xx.xxx  the only things that get log in the fwlog
file are:
OCT 21 01:4453 HOSTNAME   kernel : fwlog: IN eth1 OUT= MAC=
ff:ff:ff:ff:00:43:xx:xx:xx src=192.168.0.11 DST=192.168.0.255 LEN=78 TOS=0x00
PREC=0x00 TTL=128 ID 63894 PROTO=UDP SPT=137 DPT=137 LEN=58
---> But nothing from the computers ip addressd that i did the port scan with
only tarffic that is getting logged is my machine behind the firewall and the
firewall machines eth1.

 
  iptables -A INPUT      -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A FORWARD    -p tcp --tcp-flags ALL NONE -j DROP

> iptables -A INPUT    -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FOWWARD  -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -i eth0 -p udp \
>          -s ISP.DHCP  --sport 67 \
>          --dport 68 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p udp \
>          -s eth0 --sport 68 \
>          -d ISP.DHCP --dport 67 -j ACCEPT
>
> iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables -A INPUT -i eth0 -p tcp \
>          --dport 22,25,111,1024,1025 -j LOG --log-prefix "Log-test: "

Okay, so this LOGging rule is last in your INPUT chain, just before the 
default DROP policy.

I assume you are scanning the Firewall address itself ?
--->Yes...im scanning the firewall computers ip addrsss,  152.22.xx.xx and im
not scanning  from a machine behind the firewall.Its a machine on a different
network!

By the way, what result do you get from the scan ?   Does it suggest you have 
closed ports, open ones, nothing accessible, what ?
---> The relsut i get is: All 1601 scanned ports on "firewall machine" are
filtered."

What happens if you simply ssh to the Firewall, or telnet to port 25 ?   Do 
you see a log entry then ?
--->No, i dont!
--->The script is exactly what it look like now when i did the scan!


__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

Re: Logging Portscans

[Antony Stone]

On Tuesday 22 October 2002 12:33 am, Tasha Smith wrote:

> Here is what the nmap scan i used   "namp -sS -sT -P0 -v 152.22.xx.xx"

I don't understand the use of -sS and -sT at the same time.

-sS is for a SYN scan - nmap sends out a SYN packet, looks to see if a 
SYN/ACK comes back, but doesn't send anything back after that.

-sT is a connect() scan - nmap sends out a SYN as before, but if it gets a 
SYN/ACK back again, it replies with an ACK so that a full connection is 
established with the remote end.

Unless you don't have root access on the machine you're running nmap from, I 
don't see why you'd normally want to use the connect() type of scan, but in 
any case I think it's inappropriate to use both -sS and -sT in the same nmap 
command.

> > > I even added this to my syslog.conf file......
> > >
> > >  kern.warn                            /var/log/fwlog
> >
> > Does this successfully log anything at all ?  I mean, if you insert a rule
> > right at the start of your INPUT chain:
> > iptables -I INPUT -j LOG --log-prefix "fwlog: "
> >
> > Does anything go into /var/log/fwlog ?
>
> Yes, somehting does go into the "/var/log/fwlog" file. (All kernel
> messages goes into this file like:
> OCT 21 01:4443 HOSTNAME   kernel : Linux version 2.4.19
> (root@hostname.bc.hisa.telus.net) gcc version 2.96)

No, I actually meant "does anything from netfilter get logged into 
/var/log/fwlog ?" - however you have answered this below and it seems that 
the logging is working correctly.

> iptables -I INPUT -j LOG --log-prefix "fwlog: "
>
> When this line is added to my script and i run the nmap scan from a
> computer with an ip address of 152.22.xx.xxx  the only things that get log
> in the fwlog file are:
> OCT 21 01:4453 HOSTNAME   kernel : fwlog: IN eth1 OUT= MAC=
> ff:ff:ff:ff:00:43:xx:xx:xx src=192.168.0.11 DST=192.168.0.255 LEN=78
> TOS=0x00 PREC=0x00 TTL=128 ID 63894 PROTO=UDP SPT=137 DPT=137 LEN=58

Okay, so you are getting log entries from *a* logging rule, just not from the 
one you're trying to detect the scan from...

(By the way, there's no need to disguise mac addresses when you post your 
logfile entries - nobody outside your local network can do anything useful 
with a mac address, and anybody inside your local network can find it out for 
themselves anyway.)

> But nothing from the computers ip addressd that i did the port scan
> with only tarffic that is getting logged is my machine behind the firewall
> and the firewall machines eth1.

> > By the way, what result do you get from the scan ?   Does it suggest you
> > have closed ports, open ones, nothing accessible, what ?
> The relsut i get is: All 1601 scanned ports on "firewall machine" are
> filtered."

Hmmm.   Is this true ?   Or should someof your ports be accessible from the 
machine you're scanning from ?   (eg SSH, SMTP...?)

> > What happens if you simply ssh to the Firewall, or telnet to port 25 ?
> > Do you see a log entry then ?

> No, i dont!

Okay, let's step back a bit a see if we can successfully log things which are 
connecting, and then try to log things which are being blocked.

Try adding the following to the start of your INPUT chain:

iptables -I INPUT -s a.b.c.d -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j LOG --log-prefix="ssh "

(Entering them in that order should insert the "accept ssh" rule, and then 
insert the "log ssh"rule in front of it.)

a.b.c.d is any machine outside your firewall (eg the one you've been scanning 
from with nmap) from which you can ssh back into your firewall.

If for some reason you don't happen to have sshd running on your firewall 
simply change the port number to any other service you can connect to (80 ? 
110 ? 25 ? 23 ?) in order to test things.

Then from the remote machine a.b.c.d connect to your firewall and make sure 
you have a valid connection (eg yoou do successfully log in by ssh, or 
whatever), and then see what comes up in your log file.

Antony.

-- 

I vote "no" to this proposal to form a committee to investigate whether we 
should or should not hold a ballot on whether to vote yet.