* Preventing port scanning using iptables ?
From: Elvir Kuric @ 2006-08-05 6:23 UTC (permalink / raw)
To: netfilter
Hi all,
I am trying to implement a proper firewall for my network using iptables,
and I have to admit that I am amazed by the amount of features it offers.
But I cannot understand: is there any way to prevent port scanning using
iptables?
So if anyone out there knows something about this and has some links,
PDF or CHM files, it will help me a lot if they post them on this mailing
list.
Thanks in advance
Regards
* Re: Preventing port scanning using iptables ?
From: Ruprecht Helms @ 2006-08-05 7:14 UTC (permalink / raw)
To: Elvir Kuric; +Cc: netfilter
Elvir Kuric wrote:
> Hi all,
> I am trying to implement a proper firewall for my network using iptables,
> and I have to admit that I am amazed by the amount of features it offers.
> But I cannot understand: is there any way to prevent port scanning using
> iptables?
Yes, by checking the TCP flags. The connections are not established,
because the port is only checked for whether it is reachable.
Regards,
Ruprecht
-------------------------------------------------------------------
Ruprecht Helms IT-Service & Softwareentwicklung
let worktools be individual
Web: http://www.rheyn.de
* Re: Preventing port scanning using iptables ?
From: Elvir Kuric @ 2006-08-05 8:00 UTC (permalink / raw)
To: Ruprecht Helms; +Cc: netfilter
Thanks Ruprecht, but I still cannot figure out how the rule for that
would look; is there any example?
I want my firewall to be persistent against port scanning; how do I
write the iptables rule?
Regards
* RE: Preventing port scanning using iptables ?
From: Sietse van Zanen @ 2006-08-05 13:41 UTC (permalink / raw)
To: Ruprecht Helms, Elvir Kuric; +Cc: netfilter
If you set the policy of the INPUT and FORWARD chains to DROP and only allow connections to ports you need from IPs that need to access these ports, you're automagically protected against portscans. Iptables will drop all connections to ports you have not opened, and the scanner will not know anything about them. Any ports you have opened will be visible to scanners, of course.
-Sietse
* Re: Preventing port scanning using iptables ?
From: former03 | Baltasar Cevc @ 2006-08-06 9:26 UTC (permalink / raw)
To: netfilter; +Cc: Ruprecht Helms
On 05.08.2006, at 15:41, Sietse van Zanen wrote:
> If you set the policy of the INPUT and FORWARD chains to DROP and only
> allow connections to ports you need from IPs that need to access these
> ports, you're automagically protected against portscans. Iptables will
> drop all connections to ports you have not opened, and the scanner
> will not know anything about them. Any ports you have opened will be
> visible to scanners, of course.
Just for the record: there is a side effect to the dropping behaviour.
While not exposing whether the port is open or closed, some scanners
will conclude that there is a filter. If you want the scanner to think
the ports are closed, you could send back a port unreachable packet
(-j REJECT --reject-with icmp-port-unreachable).
Baltasar
--
Baltasar Cevc
_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen
_____ http://www.former03.de
* Re: Preventing port scanning using iptables ?
From: Pascal Hambourg @ 2006-08-06 11:15 UTC (permalink / raw)
To: netfilter
Hello,
former03 | Baltasar Cevc wrote:
>
> Just for the record: there is a side effect to the dropping behaviour.
> While not exposing whether the port is open or closed, some scanners
> will conclude that there is a filter. If you want the scanner to think
> the ports are closed, you could send back a port unreachable packet
> (-j REJECT --reject-with icmp-port-unreachable).
This works only against UDP scans or basic TCP scans using the "connect"
method. A more advanced TCP scan will detect a packet filter when
receiving an ICMP port unreachable instead of a TCP RST which is the
normal reply for a closed TCP port. A TCP port is properly firewalled
using "-j REJECT --reject-with tcp-reset".
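The ruleset the thread has been circling, written out as an added example that is not code from any of the posters: Sietse's default-DROP allowlist, with Pascal's per-protocol REJECT choice for the closed ports. The port numbers, the 192.0.2.0/24 source network and the log prefix are constructed; it prints the iptables commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not code from the thread: an allowlist ruleset with a DROP
# policy (Sietse's approach) whose closed ports answer the way an unfiltered
# host would (Pascal's per-protocol REJECT choice). Dry run by default; run
# with IPT=iptables as root to apply. Ports and CIDR below are constructed.
IPT="${IPT:-echo iptables}"

# $1: space-separated TCP ports to allow, $2: UDP ports, $3: source CIDR.
portscan_rules() {
    tcp_ports="$1"; udp_ports="$2"; src="${3:-0.0.0.0/0}"

    # Sietse's starting point: nothing gets in unless a rule says so.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the ports you need, only from the addresses that need them.
    for p in $tcp_ports; do
        $IPT -A INPUT -p tcp -s "$src" --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $udp_ports; do
        $IPT -A INPUT -p udp -s "$src" --dport "$p" -j ACCEPT
    done

    # Record what the allowlist refuses (rate-limited) so a scan shows up in
    # syslog; log only, no automatic banning of source addresses.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "scan-candidate: "

    # Pascal's point: a closed TCP port normally answers with RST, a closed
    # UDP port with ICMP port unreachable. Delete these two lines to fall
    # back to the DROP policy, which answers nothing at all.
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Constructed example: SSH and HTTP over TCP, DNS over UDP, from one subnet.
portscan_rules "22 80" "53" "192.0.2.0/24"
```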
* Re: Preventing port scanning using iptables ?
From: Michael Rash @ 2006-08-09 2:29 UTC (permalink / raw)
To: netfilter
On Aug 06, 2006, Pascal Hambourg wrote:
> Hello,
>
> former03 | Baltasar Cevc wrote:
> >
> > Just for the record: there is a side effect to the dropping behaviour.
> > While not exposing whether the port is open or closed, some scanners
> > will conclude that there is a filter. If you want the scanner to think
> > the ports are closed, you could send back a port unreachable packet
> > (-j REJECT --reject-with icmp-port-unreachable).
>
> This works only against UDP scans or basic TCP scans using the "connect"
> method. A more advanced TCP scan will detect a packet filter when
> receiving an ICMP port unreachable instead of a TCP RST which is the
> normal reply for a closed TCP port. A TCP port is properly firewalled
> using "-j REJECT --reject-with tcp-reset".
You may not want to generate RST packets at all because a clever
attacker can examine the specific manner in which the RST packets were
constructed to differentiate the response software. For example, the
Netfilter REJECT target always hard-codes the TTL value at 255, sets
the TCP Window size to zero, and only sends one RST packet per rule
match. In contrast, the Snort flexresponse2 detection plugin examines
the TTL value of the matching packet and chooses a near multiple of
64, sets the Window size to the same value in the matching packet, and
typically sends a minimum of five RST packets... very different.
If you just drop the packet, then the attacker only knows that there is
_some_ inline device that is getting in the way.
In response to the original poster, if you are interested in detecting
and preventing port scans via Netfilter, you might like psad:
http://www.cipherdyne.org/psad/
--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
* Re: Preventing port scanning using iptables ?
From: Marc Haber @ 2006-08-09 8:47 UTC (permalink / raw)
To: netfilter
On Sun, Aug 06, 2006 at 11:26:33AM +0200, former03 | Baltasar Cevc wrote:
> If you want the scanner to think the ports are closed, you could send
> back a port unreachable packet (-j REJECT --reject-with icmp-port-unreachable)
The scanner will think as well that there is a filter since a port
with no listening service will generate a TCP RST packet. You can do
so with iptables, but, alas, that's the same behavior you get without
packet filter and no service on the port.
I'd say, if you don't want a service to be visible, don't run it. No
packet filter needed here.
Port scan protection might have a place should you decide to drop
packets from a certain IP if you have seen a suspicious pattern from
that IP, but that can trivially be abused as a DoS device, and I
generally think it is not worth the trouble.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
* Re: Preventing port scanning using iptables ?
From: R. DuFresne @ 2006-08-10 1:28 UTC (permalink / raw)
To: Marc Haber; +Cc: netfilter
On Wed, 9 Aug 2006, Marc Haber wrote:
> On Sun, Aug 06, 2006 at 11:26:33AM +0200, former03 | Baltasar Cevc wrote:
>> If you want the scanner to think the ports are closed, you could send
>> back a port unreachable packet (-j REJECT --reject-with icmp-port-unreachable)
>
> The scanner will think as well that there is a filter since a port
> with no listening service will generate a TCP RST packet. You can do
> so with iptables, but, alas, that's the same behavior you get without
> packet filter and no service on the port.
Use DROP.
>
> I'd say, if you don't want a service to be visible, don't run it. No
> packet filter needed here.
>
There are various reasons to have a service available to just the inside
or to select places from the outside. Your thinking is far too narrow
here.
> Port scan protection might have a place should you decide to drop
> packets from a certain IP if you have seen a suspicious pattern from
> that IP, but that can be trivially be abused as a DoS device, and I
> generally think it is not worth the trouble.
>
Again, too narrow a focus, and it ignores DROP.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>