Portscan??

Portscan??

[romaniuc]

Hi all,

	I´m trying to detect and block portscan.... and Im using 
rules below.....
	It´s doesn´t work... I use a lot of portscan and no one have been 
detected;;; what is wrong???

Thanks

RULES.....


$IPTABLES -F NOVA_CONEXAO
$IPTABLES -X NOVA_CONEXAO > /dev/null

## NAT
$IPTABLES -t nat -F

$IPTABLES -N NOVA_CONEXAO

## New packets
$IPTABLES -A INPUT -i $EXTIF -p ! icmp -m state --state NEW -j 
NOVA_CONEXAO

## PortScanners - Detection
#$IPTABLES -A NOVA_CONEXAO -j LOG --log-prefix 
"############################"
## NMAP FIN/URG/PSH
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN,URG,PSH -m limit 
--limit 2/s -j LOG --log-prefix "(Nmap) Stealth XMAS Scan: "
# SYN/RST
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,RST SYN,RST -m limit 
--limit 2/s -j LOG --log-prefix "SYN/RST Scan: "

# SYN/FIN (probably)
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit 
--limit 2/s -j LOG --log-prefix "SYN/FIN Scan(?): "
# NMAP FIN Stealth
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN -m limit --limit 2/s 
-j LOG --log-prefix "(Nmap) Stealth FYN Scan: "
# ALL/ALL Scan
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL ALL -m limit --limit 2/s 
-j LOG --log-prefix "ALL/ALL Scan: "
# NMAP Null Scan (probably)
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL NONE -m limit --limit 2/s 
-j LOG --log-prefix "(Nmap) Stealth Null Scan(?): "
## Now Dropping
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL NONE -j DROP

################################
## Now my rules..... INPUT

how to drop MP3 and other Downloads

[hare ram]

Hi all

i have small application here like
how do the drop all downloads more than 1MB from
the day time
and rest of the time open for all

any suggestion is greate
thanks
hare

Re: how to drop MP3 and other Downloads

[Alex Bennee]

hare ram said:
> Hi all
>
> i have small application here like
> how do the drop all downloads more than 1MB from
> the day time
> and rest of the time open for all
>
> any suggestion is greate
> thanks
> hare

You can try the connytes patch
http://libre.act-europe.fr/gvd/gvd-1.2.5-src.tgz
Alex
www.bennee.com/~alex/

Re: how to drop MP3 and other Downloads

[Alex Bennee]

hare ram said:
> Hi all
>
> i have small application here like
> how do the drop all downloads more than 1MB from
> the day time
> and rest of the time open for all

That of course was not the connbytes patch. You can find it at
http://luxik.cdi.cz/~devik/connbytes/.

You may need some sort of crontab to change the rules as you go. You can
also use connbytes with the --mark to move all long lived downloads to a
lower tc class if your doing traffic shaping.

Alex
www.bennee.com/~alex/

Re: how to drop MP3 and other Downloads

[Antony Stone]

On Tuesday 12 November 2002 12:13 pm, hare ram wrote:

> Hi all
>
> i have small application here like
> how do the drop all downloads more than 1MB from
> the day time
> and rest of the time open for all

I don't see that netfilter can know a download is going to be more than 
1Mbyte before it's already seen a million bytes downloaded...

Antony.

-- 

There are two possible outcomes.

If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi

Re: how to drop MP3 and other Downloads

[hare ram]

hi some one guided in the news group

----
That of course was not the connbytes patch. You can find it at
http://luxik.cdi.cz/~devik/connbytes/.

You may need some sort of crontab to change the rules as you go. You can
also use connbytes with the --mark to move all long lived downloads to a
lower tc class if your doing traffic shaping.
------


what you think about this

thanks
hare
----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, November 12, 2002 6:13 PM
Subject: Re: how to drop MP3 and other Downloads


> On Tuesday 12 November 2002 12:13 pm, hare ram wrote:
>
> > Hi all
> >
> > i have small application here like
> > how do the drop all downloads more than 1MB from
> > the day time
> > and rest of the time open for all
>
> I don't see that netfilter can know a download is going to be more than
> 1Mbyte before it's already seen a million bytes downloaded...
>
> Antony.
>
> --
>
> There are two possible outcomes.
>
> If the result confirms the hypothesis, then you've made a measurement.
> If the result is contrary to the hypothesis, then you've made a discovery.
>
>  - Enrico Fermi
>
>

Re: how to drop MP3 and other Downloads

[Dharmendra.T]

Hi Ram
 YOu have to configure this in the proxy server. If you are natting the 
requests then you have to install iproute along with iptables and schedule 
the process accordingly.

Regards,
Dharmendra.T
Linux Security Expert
www.nsecure.net
dharmu@nsecure.net
On Tuesday 12 November 2002 17:43, hare ram wrote:
> Hi all
>
> i have small application here like
> how do the drop all downloads more than 1MB from
> the day time
> and rest of the time open for all
>
> any suggestion is greate
> thanks
> hare

-- 

Re: how to drop MP3 and other Downloads

[Andrew Magnus]

This, of course, brings up a question I've been thinking about.

Is there a patch that will allow iptables to read into the header for the 
presentation layer to filter out, for example, MP3s being downloaded?

Thanks.



>From: "hare ram" <hareram@sol.net.in>
>Reply-To: "hare ram" <hareram@sol.net.in>
>To: "Antony Stone" 
><Antony@Soft-Solutions.co.uk>,<netfilter@lists.netfilter.org>
>Subject: Re: how to drop MP3 and other Downloads
>Date: Tue, 12 Nov 2002 19:35:14 +0530
>
>hi some one guided in the news group
>
>----
>That of course was not the connbytes patch. You can find it at
>http://luxik.cdi.cz/~devik/connbytes/.
>
>You may need some sort of crontab to change the rules as you go. You can
>also use connbytes with the --mark to move all long lived downloads to a
>lower tc class if your doing traffic shaping.
>------
>
>
>what you think about this
>
>thanks
>hare
>----- Original Message -----
>From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
>To: <netfilter@lists.netfilter.org>
>Sent: Tuesday, November 12, 2002 6:13 PM
>Subject: Re: how to drop MP3 and other Downloads
>
>
> > On Tuesday 12 November 2002 12:13 pm, hare ram wrote:
> >
> > > Hi all
> > >
> > > i have small application here like
> > > how do the drop all downloads more than 1MB from
> > > the day time
> > > and rest of the time open for all
> >
> > I don't see that netfilter can know a download is going to be more than
> > 1Mbyte before it's already seen a million bytes downloaded...
> >
> > Antony.
> >
> > --
> >
> > There are two possible outcomes.
> >
> > If the result confirms the hypothesis, then you've made a measurement.
> > If the result is contrary to the hypothesis, then you've made a 
>discovery.
> >
> >  - Enrico Fermi
> >
> >


_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. 
http://join.msn.com/?page=features/virus

Re: how to drop MP3 and other Downloads

[Alex Bennee]

Andrew Magnus said:
>
> This, of course, brings up a question I've been thinking about.
>
> Is there a patch that will allow iptables to read into the header for
> the  presentation layer to filter out, for example, MP3s being
> downloaded?

The fact you want something at the transport layer to be looking at data at
the application layer tells you something is wrong with the approach. This
is what proxies are for.

>
>>From: "hare ram" <hareram@sol.net.in>
>>Reply-To: "hare ram" <hareram@sol.net.in>
>>To: "Antony Stone"
>><Antony@Soft-Solutions.co.uk>,<netfilter@lists.netfilter.org>
>>Subject: Re: how to drop MP3 and other Downloads
>>Date: Tue, 12 Nov 2002 19:35:14 +0530
>>
>>hi some one guided in the news group
>>
>>----
>>That of course was not the connbytes patch. You can find it at
>>http://luxik.cdi.cz/~devik/connbytes/.
>>
>>You may need some sort of crontab to change the rules as you go. You
>>can also use connbytes with the --mark to move all long lived downloads
>>to a lower tc class if your doing traffic shaping.
>>------
>>
>>
>>what you think about this
>>
>>thanks
>>hare
>>----- Original Message -----
>>From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
>>To: <netfilter@lists.netfilter.org>
>>Sent: Tuesday, November 12, 2002 6:13 PM
>>Subject: Re: how to drop MP3 and other Downloads
>>
>>
>> > On Tuesday 12 November 2002 12:13 pm, hare ram wrote:
>> >
>> > > Hi all
>> > >
>> > > i have small application here like
>> > > how do the drop all downloads more than 1MB from
>> > > the day time
>> > > and rest of the time open for all
>> >
>> > I don't see that netfilter can know a download is going to be more
>> > than 1Mbyte before it's already seen a million bytes downloaded...
>> >
>> > Antony.
>> >
>> > --
>> >
>> > There are two possible outcomes.
>> >
>> > If the result confirms the hypothesis, then you've made a
>> > measurement. If the result is contrary to the hypothesis, then
>> > you've made a
>>discovery.
>> >
>> >  - Enrico Fermi
>> >
>> >
>
>
> _________________________________________________________________
> MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.
> http://join.msn.com/?page=features/virus


Alex
www.bennee.com/~alex/