prerouting logging

prerouting logging

[Brent Clark]

Hi all

I got tips for nmap blocking from someone on this list.
Im trying to log the problems that logged.
Would anyone care to recheck my rulset, just to make to I got this right.

# Xmas scan, caught nmap v3.00
$IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG 
--log-prefix "PREROUTING: " --log-tcp-options --log-ip-options
$IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# Generic Xmas scan, haven't checked if nmap triggers this
$IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j LOG --log-prefix 
"PREROUTING: " --log-tcp-options --log-ip-options
$IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP

# Misc scan - everyone tests for this, but what scan does it match?
$IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG 
--log-prefix "PREROUTING: " --log-tcp-options --log-ip-options
$IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN scan, nmap v3.0 sends ACK,FIN FIN
# SYN,FIN SYN,FIN does not match nmap
# FIN FIN gets false positives when using SSH TARPIT
$IPT -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m state 
--state NEW -j LOG --log-prefix "PREROUTING: " --log-tcp-options 
--log-ip-options
$IPT -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m state 
--state NEW -j DROP

Kind Regards and thanks in advance
Brent Clark

P.s. If anyone knows of any other rules I can add, it would be 
greatfully be appreciated.

Re: prerouting logging

[Jörg Harmuth]

Brent Clark schrieb:
> Hi all
> 
> I got tips for nmap blocking from someone on this list.
> Im trying to log the problems that logged.
> Would anyone care to recheck my rulset, just to make to I got this right.
> 
> # Xmas scan, caught nmap v3.00
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG
> --log-prefix "PREROUTING: " --log-tcp-options --log-ip-options
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> 
> # Generic Xmas scan, haven't checked if nmap triggers this
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j LOG --log-prefix
> "PREROUTING: " --log-tcp-options --log-ip-options
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP

As far as I know and can see - no.

> # Misc scan - everyone tests for this, but what scan does it match?
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG
> --log-prefix "PREROUTING: " --log-tcp-options --log-ip-options
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> 
> # FIN scan, nmap v3.0 sends ACK,FIN FIN
> # SYN,FIN SYN,FIN does not match nmap
> # FIN FIN gets false positives when using SSH TARPIT
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m state
> --state NEW -j LOG --log-prefix "PREROUTING: " --log-tcp-options
> --log-ip-options
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m state
> --state NEW -j DROP

I think at least the NULL scan (--tcp-flags ALL NONE) is missing and ACK
scan (--tcp-flags ACK|ALL ACK -m state --state NEW).

But the latter situation may also occur, if your TCP crashes (loosing
all connection information) durind data transfer or the like and then
comes back (however this may happen). Dropping the packet leaves the
sender, who thinks there is a connection, waiting until timeout. So, to
see, if this is a scan, it may be more secure to combine it with the
recent match (personally I think, that this will happen very seldom on a
Linux box, but I may be totally wrong).

Have a nice time,

Joerg

Re: prerouting logging

[curby .]

On 7/27/05, Brent Clark <bclark@eccotours.dyndns.org> wrote:
> I got tips for nmap blocking from someone on this list.

I think I'm that someone.  This looks like my post in the "Defeating
NMAP Null scans (and Nessus scans)" thread.

> Im trying to log the problems that logged.
> Would anyone care to recheck my rulset, just to make to I got this right.

You might consider more informative prefixes than just "PREROUTING: ".
 It's fine if some automated parser is going through and will
determine scan type by the options logged, but a human reading the log
might be helped by an indicator like "PREROUTING NULLscan: " or
something of the sort.

> P.s. If anyone knows of any other rules I can add, it would be
> greatfully be appreciated.

My original post did include a NULL scan rule, but not the ACK scan
that Jörg mentioned.

Re: prerouting logging

[Jan Engelhardt]

> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG
                 ^^^^^^^^^^

There has also been a debate over whether -t nat should be used in favor of
-t filter and the answer was: do it in -t filter -A INPUT.

> #  FIN scan, nmap v3.0 sends ACK,FIN FIN

It send what matches --tcp-flags ALL FIN

> #  SYN,FIN SYN,FIN does not match nmap
> #  FIN FIN gets false positives when using SSH TARPIT
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m state --state NEW
> -j LOG --log-prefix "PREROUTING: " --log-tcp-options --log-ip-options
> $IPT -t nat -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m state --state NEW
> -j DROP
>
> Kind Regards and thanks in advance
> Brent Clark
>
> P.s. If anyone knows of any other rules I can add, it would be greatfully be
> appreciated.

You can make it simpler:
http://lists.netfilter.org/pipermail/netfilter/2005-July/061531.html


Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/