From: Martín <martin@familia-fiumara.com.ar>
To: tsh@mrc-lmb.cam.ac.uk
Cc: "netfilter@lists.netfilter.org" <netfilter@lists.netfilter.org>
Subject: Re: Port Scanner
Date: Wed, 05 Nov 2003 12:25:58 -0300
Message-ID: <oprx57tkiopvmot6@192.168.2.1>
In-Reply-To: <200311051507.hA5F74O37678@alf1.lmb.internal>
The best way to stop port scanning is using something like PORTSENTRY. I
don't think using iptables for this is a good idea, you may DROP legal
traffic this way. PORTSENTRY is more intelligent and is specially developed
for this task (and works together with iptables, by the way).
On Wed, 5 Nov 2003 15:06:55 +0000 (GMT), <tsh@mrc-lmb.cam.ac.uk> wrote:
> I was thinking about just this the other night, and it seems
> to me that such a rule should be rejecting stuff which exceeds the rate
> limit rather than accepting stuff which doesn't exceed it,
> since the -j ACCEPT will mean that any subsequent rules in
> a FORWARD table won't be tested.
>
> Something like
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit ! --limit 1/s -j DROP
>
> Cheers,
> Terry
>
>>> On Wednesday 05 November 2003 2:14 pm, Leandro Takashi Hirano wrote:
>>>
>>>> How does this rule work?
>>>>
>>>> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
>>>
>>> It means that any packets which have the RST flag set, and the SYN, ACK,
>>> FIN flags cleared, will only be allowed *through* the firewall at a
>>> maximum rate of one packet per second.
>>>
>>>> Is it safe to use only this rule to avoid port scanners?
>>>
>>> Depends what you mean by "safe" and "avoid" :)
>>>
>>> Here are some observations on the above rule:
>>>
>>> 1. It is in the FORWARD chain, therefore it has no effect on people port
>>> scanning the firewall itself (it would need to be in the INPUT chain to
>>> affect that).
>>>
>>> 2. One packet per second will be ACCEPTed. What happens to the other
>>> packets (and whether anything gets returned to the scanner) depends on
>>> the other rules following this one in the chain.
>>
>>
>> OK, one packet per second will be ACCEPTed, but aren't the other packets
>> going to be DROPed?
>>
>>>
>>> 3. The rule only applies to packets with RST set, and SYN, ACK, FIN
>>> clear. Therefore it will influence the outcome of a RST port scan,
>>> but have no effect on a FIN scan, or a SYN scan.
>>>
>>
>> Do I have also to create a rule for FIN scan and SYN scan?
>> Do you have some port scanners rules to show me? (and other protection
>> rules too)
>>
>> And thanks very much for the help!!!
>>
>>> I think in order to answer your question we first need to know:
>>>
>>> - what response do you want someone to get when they attempt to port
>>> scan your system?
>>>
>>
>> no answer....
>>
>>> Regards,
>>>
>>> Antony.
>>>
>>> --
>>>
>>> "It is not the strongest of the species that survive, nor the most
>>> intelligent, but the ones most responsive to change."
>>>
>>> - Charles Darwin
>>> Please reply to the list; please don't CC me.
>>
>
> ----- End of forwarded message from Leandro Takashi Hirano -----
>
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
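Added example (not code from the thread or from the netfilter project): a small Python model of the `limit` match and of chain traversal, so the two rule layouts discussed in the thread can be compared on a constructed burst of bare RST packets. It assumes the token-bucket behaviour documented for `-m limit` (rate 1/s, default `--limit-burst 5`); the packet timings, chain layouts and helper names are all constructed. Terry's negated form is not modelled; the equivalent effect (drop what exceeds the rate, regardless of chain policy) is the rate-limited ACCEPT followed by an explicit DROP in the second chain.

```python
"""Model of how an iptables `limit` match interacts with chain traversal.

Added example, not code from the thread or the netfilter project. It models
`-m limit --limit 1/s` as the token bucket the limit match documents (rate
1/s, default --limit-burst 5) and walks a chain rule by rule, so the rule
layouts discussed in the thread can be compared. Packet timings, the chain
layouts and the helper names are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    t: float            # arrival time in seconds (constructed)
    flags: frozenset    # TCP flags set on the packet, e.g. {"RST"}


class LimitMatch:
    """Token bucket: `rate` tokens per second, at most `burst` stored.

    The bucket state belongs to the rule, as in the kernel, so each rule
    that uses -m limit keeps its own counter.
    """

    def __init__(self, rate=1.0, burst=5):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def __call__(self, pkt):
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last) * self.rate)
        self.last = pkt.t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def tcp_flags(mask, comp):
    """--tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP are set."""
    mask, comp = frozenset(mask), frozenset(comp)
    return lambda pkt: (pkt.flags & mask) == comp


# --tcp-flags SYN,ACK,FIN,RST RST: RST set, the other three clear
RST_ONLY = (["SYN", "ACK", "FIN", "RST"], ["RST"])


def run_chain(rules, policy, packets):
    """Evaluate packets top to bottom; the first matching rule's target wins.

    `rules` is a list of (matches, target). ACCEPT or DROP ends traversal
    for that packet, which is why a `-j ACCEPT` rule hides the rules below it.
    """
    verdicts = []
    for pkt in packets:
        verdict = policy
        for matches, target in rules:
            if all(m(pkt) for m in matches):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts


def rst_burst(n=20, spacing=0.125):
    """Constructed scan-like burst: n bare RST packets, eight per second."""
    return [Packet(i * spacing, frozenset({"RST"})) for i in range(n)]


def rule_as_posted(policy="ACCEPT"):
    """Only the rule from the original question, with the chain policy behind it.

    With rate 1/s and burst 5, seven of twenty packets in a 2.5-second burst
    are ACCEPTed by the rule; the rest fall through to `policy`, which is
    Antony's point 2: what happens to them depends on what follows.
    """
    rules = [([tcp_flags(*RST_ONLY), LimitMatch(1.0, 5)], "ACCEPT")]
    return Counter(run_chain(rules, policy, rst_burst()))


def rule_with_explicit_drop():
    """Rate-limited ACCEPT followed by an explicit DROP for the same flag pattern.

    This layout enforces the limit whatever the chain policy is, while packets
    with other flag patterns (a lone SYN, say) are not touched by either rule.
    """
    rules = [
        ([tcp_flags(*RST_ONLY), LimitMatch(1.0, 5)], "ACCEPT"),
        ([tcp_flags(*RST_ONLY)], "DROP"),
    ]
    packets = rst_burst() + [Packet(2.5, frozenset({"SYN"}))]  # one SYN, constructed
    verdicts = run_chain(rules, "ACCEPT", packets)
    return Counter(verdicts[:-1]), verdicts[-1]


if __name__ == "__main__":
    print("rule alone, policy ACCEPT:", dict(rule_as_posted("ACCEPT")))
    print("rule alone, policy DROP:  ", dict(rule_as_posted("DROP")))
    rst, syn = rule_with_explicit_drop()
    print("rule + explicit DROP:     ", dict(rst), "| lone SYN:", syn)
```

Run it with `python3` and compare the three lines: the rule on its own lets every packet through when the policy is ACCEPT, so it does nothing against a scan by itself, while the ACCEPT-then-DROP pair admits the same seven packets and drops the other thirteen whatever the policy is, without affecting the SYN packet.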