Velcro (n00b)
Joined: 09 May 2004, Posts: 9
Posted: Thu Jun 10, 2004 6:58 am, Post subject: IPTables portscan detection
Hi everyone,
I was wanting to use the psd matching module in IPTables to catch portscanners. Is there a gentoo kernel that has the necessary patches/etc. applied? If not, how did you install the module? ATM I am using the plain gentoo-sources kernel.
Thanks guys.
Martin
flyinspirit001 (Apprentice)
Joined: 25 May 2004, Posts: 266, Location: localhost,localdomain
Posted: Thu Jun 10, 2004 7:17 am
I found this, hope this could help ya
Code: |
# iptables -m psd -h
--psd-weight-threshold threshhold   Portscan detection weight threshold
--psd-delay-threshold  delay        Portscan detection delay threshold
--psd-lo-ports-weight  lo           Privileged ports weight
--psd-hi-ports-weight  hi           High ports weight
|
Velcro (n00b)
Joined: 09 May 2004, Posts: 9
Posted: Thu Jun 10, 2004 7:51 am
Thanks, flyinspirit001
I tried your suggestion and received the response...
Code: |
# iptables -m psd -h
iptables v1.2.9: Couldn't load match `psd':/lib/iptables/libipt_psd.so: cannot open shared object file: No such file or directory
|
I did not notice any psd module options in the kernel either. I saw somewhere (please don't ask where!) that you need to apply a patch to the kernel. I was hoping that there was possibly a gentoo kernel (server one maybe?) that has the patch (if it is indeed a patch) applied already. Save me doing the hard work...
Cheers, Martin
primero.gentoo (Guru)
Joined: 23 Dec 2003, Posts: 402
Posted: Thu Jun 10, 2004 8:40 am
Here it is:
PSD kernel patch
Code: |
Status: Experimental
This option adds a `psd' match, which supplies portscan
detection match (psd). This match will attempt to detect TCP and UDP
port scans. This match was derived from Solar Designer's scanlogd.
Supported options are:
--psd-weight-threshold <threshold>
Total weight of the latest TCP/UDP packets with different
destination ports coming from the same host to be treated as port
scan sequence.
--psd-delay-threshold <delay>
Delay (in hundredths of second) for the packets with different
destination ports coming from the same host to be treated as
possible port scan subsequence.
--psd-lo-ports-weight <weight>
Weight of the packet with privileged (<=1024) destination port.
--psd-hi-ports-weight <weight>
Weight of the packet with non-privileged destination port.
|
Try it... and let me know how it works, I'm really interested.
bye
Velcro (n00b)
Joined: 09 May 2004, Posts: 9
Posted: Thu Jun 10, 2004 7:23 pm
Thanks,
I will give it a go, then let you know.
Cheers, Martin
Velcro (n00b)
Joined: 09 May 2004, Posts: 9
Posted: Fri Jun 11, 2004 9:09 pm
OK, I have applied the kernel patch from www.netfilter.org (patch-o-matic-ng). This POM requires the source for iptables, so I copied my iptables source distfile from /usr/portage/distfiles to /tmp then extracted it. I then pointed POM to it when asked. After selecting the PSD patch to be applied I then did "make oldconfig" and selected the psd kernel option as a module (CONFIG_IP_NF_MATCH_PSD) then recompiled the kernel. After this iptables needs to be re-compiled... emerge iptables. Now things are sweet.
Cheers, Martin.
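Added example, not from the thread and not from the netfilter project: once the patch-o-matic-ng build that Martin describes above is done, this is how the four --psd-* options explained in primero.gentoo's post are actually used in a ruleset. Only the option names come from this page. The default values 21/300/3/1 are what I recall from the scanlogd-derived ipt_psd code and are an assumption (check `iptables -m psd -h` on your own build); the chain name PORTSCAN, the log prefix and the rate limit are my own choices. The script prints the rules unless it is run with `apply`, so the ordering can be reviewed without root or a patched kernel.

```shell
#!/bin/sh
# Added example (not from the thread): a psd-based portscan chain for iptables.
# Assumed defaults from the scanlogd-derived ipt_psd code; verify them with
# `iptables -m psd -h` on your own build. Override via environment variables.
PSD_WEIGHT=${PSD_WEIGHT:-21}   # total weight before a source is treated as scanning
PSD_DELAY=${PSD_DELAY:-300}    # max gap, in 1/100 s, between packets of one sequence
PSD_LO=${PSD_LO:-3}            # weight of a packet to a privileged (<=1024) port
PSD_HI=${PSD_HI:-1}            # weight of a packet to a high port
LOG_LIMIT=${LOG_LIMIT:-3/min}  # keep a noisy scanner from filling the log

# psd_check: succeed only if the userspace match library and the kernel module
# are usable. This is exactly the `iptables -m psd -h` test from the thread.
psd_check() {
    iptables -m psd -h >/dev/null 2>&1
}

# psd_rules: print the rules instead of running them, so they can be reviewed
# first and piped to sh afterwards. Order matters:
#  1. ESTABLISHED,RELATED is accepted before the psd rule, otherwise a busy
#     legitimate client talking to several services accumulates weight like
#     a scanner (psd scores every packet it sees from a source);
#  2. the psd rule sits before the per-service ACCEPT rules, or it never sees
#     the packets it is supposed to score.
psd_rules() {
    cat <<EOF
iptables -N PORTSCAN
iptables -A PORTSCAN -m limit --limit $LOG_LIMIT -j LOG --log-prefix "PSD: "
iptables -A PORTSCAN -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m psd --psd-weight-threshold $PSD_WEIGHT --psd-delay-threshold $PSD_DELAY --psd-lo-ports-weight $PSD_LO --psd-hi-ports-weight $PSD_HI -j PORTSCAN
EOF
}

# psd_packets_to_trip: how many probes of one weight class, each to a different
# port and each within the delay window of the previous one, reach the weight
# threshold (ceiling division). With the assumed defaults that is 7 probes of
# privileged ports or 21 probes of high ports; a scanner that waits longer than
# PSD_DELAY between probes starts a new sequence and is not matched.
psd_packets_to_trip() {
    # $1 = per-packet weight (PSD_LO or PSD_HI)
    echo $(( (PSD_WEIGHT + $1 - 1) / $1 ))
}

case "${1:-}" in
    apply) psd_check || { echo "psd match not available; rebuild kernel and iptables" >&2; exit 1; }
           psd_rules | sh ;;
    *)     psd_rules ;;
esac
```

Run it without arguments to see the rules, tune the PSD_* variables until the trip counts from psd_packets_to_trip look right for your hosts, then run it with `apply`. Watch the "PSD: " log lines for a while before trusting the DROP: anything that legitimately opens many new connections to different ports on the box (a monitoring system, for instance) will show up there first.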