From: Tasha Smith <natasha3641@yahoo.com>
To: netfilter@lists.netfilter.org
Subject: Re: Logging Portscans
Date: Mon, 21 Oct 2002 16:33:12 -0700 (PDT)
Message-ID: <20021021233312.512.qmail@web40701.mail.yahoo.com>
You mean you never get any logs at all, or you get log entries on the screen
but not in a file, or you get logs sometimes, but not when you're doing a
particular type of scan?
--->I am scanning my firewall machine from a machine on a "different network".
--->And when the scan is finished I check the log file of my firewall machine
and there are no reports of a scan to any port. My log file being
"/var/log/messages".
--->Here is the nmap scan I used: "nmap -sS -sT -P0 -v 152.22.xx.xx"
> I even added this to my syslog.conf file......
>
> kern.warn /var/log/fwlog
Does this successfully log anything at all? I mean, if you insert a rule
right at the start of your INPUT chain:
iptables -I INPUT -j LOG --log-prefix "fwlog: "
Does anything go into /var/log/fwlog?
---> Yes, something does go into the "/var/log/fwlog" file. (All kernel messages
go into this file, like:
Oct 21 01:44:43 HOSTNAME kernel: Linux version 2.4.19
(root@hostname.bc.hisa.telus.net) (gcc version 2.96)
Oct 21 01:44:43 HOSTNAME kernel: Mount-cache hash table entries: 1024 (order:
1, 8192 bytes)
Oct 21 01:44:43 HOSTNAME kernel: Buffer-cache hash table entries: 4096
(order: 2, 16384 bytes)
and some other kernel messages.)
(I would expect you to have to add the option "--log-level=warn" to match the
entry in your syslog.conf file.)
> How can I get this machine to log STEALTH port scans and stuff???
Explain what you mean by a Stealth port scan? If you're using nmap, what
options are you using?
---> Here are the options I'm using: "nmap -sS -sT -P0 -v 152.22.xx.xx"
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> iptables --policy INPUT DROP
> iptables --policy FORWARD DROP
> iptables --policy OUTPUT ACCEPT
--->When this line is added to my script:
iptables -I INPUT -j LOG --log-prefix "fwlog: "
--->and I run the nmap scan from a computer with an IP address of
152.22.xx.xxx, the only things that get logged in the fwlog file are:
Oct 21 01:44:53 HOSTNAME kernel: fwlog: IN=eth1 OUT= MAC=ff:ff:ff:ff:00:43:xx:xx:xx
SRC=192.168.0.11 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=63894
PROTO=UDP SPT=137 DPT=137 LEN=58
---> But nothing from the IP address of the computer that I did the port scan
with; the only traffic that is getting logged is my machine behind the firewall
and the firewall machine's eth1.
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -i eth0 -p udp \
> -s ISP.DHCP --sport 67 \
> --dport 68 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p udp \
> -s eth0 --sport 68 \
> -d ISP.DHCP --dport 67 -j ACCEPT
>
> iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables -A INPUT -i eth0 -p tcp \
> --dport 22,25,111,1024,1025 -j LOG --log-prefix "Log-test: "
Okay, so this LOGging rule is last in your INPUT chain, just before the
default DROP policy.
I assume you are scanning the Firewall address itself?
--->Yes... I'm scanning the firewall computer's IP address, 152.22.xx.xx, and I'm
not scanning from a machine behind the firewall. It's a machine on a different
network!
By the way, what result do you get from the scan? Does it suggest you have
closed ports, open ones, nothing accessible, what?
---> The result I get is: "All 1601 scanned ports on 'firewall machine' are
filtered."
What happens if you simply ssh to the Firewall, or telnet to port 25? Do
you see a log entry then?
--->No, I don't!
--->The script was exactly as it looks now when I did the scan!
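The script quoted back and forth above is the poster's. What follows is an added example, not code from the thread or from the netfilter project, showing the same rule set written so that the final LOG rule is one iptables will actually accept (a comma-separated port list needs "-m multiport --dports"; a bare "--dport" takes a single port or a range) and its messages carry the priority a "kern.warn" line in syslog.conf selects, plus a small awk helper that reads the resulting LOG lines and reports sources that probed many distinct ports. It assumes the same interface roles as the poster's script (eth0 towards the ISP, eth1 towards the 192.168.0.0/24 LAN). The ISP DHCP server address, the firewall address 192.0.2.10, the scanning host 203.0.113.9 and every log line fed to the helper are placeholders and constructed sample data, not anything taken from the thread.

```shell
#!/bin/sh
# Added example, not the poster's script. eth0 faces the ISP, eth1 faces the
# 192.168.0.0/24 LAN. ISP_DHCP is a placeholder (the poster wrote "ISP.DHCP");
# set IPT=echo to print the commands instead of loading them.
IPT="${IPT:-/sbin/iptables}"
ISP_DHCP="${ISP_DHCP:-192.0.2.1}"
LAN="192.168.0.0/24"

fw_rules() {
    "$IPT" -F
    "$IPT" -t nat -F          # the original had "-t -nat", which iptables rejects
    "$IPT" -t mangle -F

    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # TCP with no flags set is dropped silently, as in the original.
    "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    "$IPT" -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

    # Replies to connections this host or the LAN opened.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP from the ISP. The OUTPUT policy is ACCEPT, so no OUTPUT rule is
    # needed (the original OUTPUT rule used "-s eth0", which is not an address).
    "$IPT" -A INPUT -i eth0 -p udp -s "$ISP_DHCP" --sport 67 --dport 68 -j ACCEPT

    "$IPT" -A FORWARD -i eth1 -o eth0 -s "$LAN" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # Log new TCP connection attempts from the outside just before they fall
    # through to the DROP policy. "--dport" takes one port or a range, so the
    # comma list needs "-m multiport --dports". "--log-level warning" is syslog
    # priority 4, which is what "kern.warn" in syslog.conf selects. "-m limit"
    # keeps a full nmap run from flooding the log.
    "$IPT" -A INPUT -i eth0 -p tcp --syn \
        -m multiport --dports 22,25,111,1024,1025 \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level warning --log-prefix "Log-test: "
    # Everything else arriving on eth0 that the policy is about to drop.
    "$IPT" -A INPUT -i eth0 -m limit --limit 5/min --limit-burst 20 \
        -j LOG --log-level warning --log-prefix "fwlog: "
}

# scan_report THRESHOLD   (reads LOG lines on stdin)
# Counts distinct destination ports per source over SYN-without-ACK TCP
# packets and prints "SRC COUNT" for every source at or above THRESHOLD.
scan_report() {
    awk -v thr="${1:-10}" '
        /PROTO=TCP/ && / SYN / && !/ ACK / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }'
}

# Constructed log lines in the format the LOG target writes: a 12-port SYN
# scan from 203.0.113.9, one repeated port, one ordinary connection attempt
# from another host, and the LAN NetBIOS broadcast the poster saw (UDP, so
# it is not counted).
sample_log() {
    fmt='Oct 21 01:45:%02d fw kernel: fwlog: IN=eth0 OUT= MAC=00:50:56:00:00:01:00:50:56:00:00:02:08:00 SRC=%s DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=%d PROTO=TCP SPT=%d DPT=%d WINDOW=1024 RES=0x00 SYN URGP=0\n'
    n=0
    for p in 21 22 23 25 53 80 110 111 135 139 443 1024; do
        n=$((n + 1))
        printf "$fmt" "$n" 203.0.113.9 "$n" $((40000 + p)) "$p"
    done
    printf "$fmt" 13 203.0.113.9 13 40022 22
    printf "$fmt" 14 198.51.100.4 14 51000 25
    printf 'Oct 21 01:44:53 fw kernel: fwlog: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:43:00:00:00:01:08:00 SRC=192.168.0.11 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=63894 PROTO=UDP SPT=137 DPT=137 LEN=58\n'
}

if [ "${1:-}" = "apply" ]; then
    fw_rules
elif [ "${1:-}" = "demo" ]; then
    sample_log | scan_report 10
fi
```

Run it as `sh fwlog.sh apply` (as root) to load the rules, `IPT=echo sh fwlog.sh apply` to see the commands without loading them, and `sh fwlog.sh demo` to run the report over the constructed lines. With "-m limit" in place a full nmap run still shows up as only a few lines per minute; raise the limit or leave it off while testing if every probe should be recorded. The second LOG rule is what makes a scan of ports outside the listed five visible at all, since without it those packets hit the DROP policy without a trace.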