senectus (Guru), Joined: 17 Jul 2003, Posts: 534
Posted: Mon Aug 02, 2004 10:06 pm, Post subject: odd nmap/shorewall stuff.
My ISP recently suffered from a DDoS attack and that woke me up a bit.
So I decided to tweak the firewall a bit more, just so I can say I'm "safe"(er).
I jumped onto an outside box that I have and used nmap to poke at my firewall; this is what I got:
```
senectus@spark:~$ nmap www.xxxxxxx.net
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning: You are not root -- using TCP pingscan rather than ICMP
Interesting ports on dsl-xxx-72-xxx-53.wa.xxxxxx.com.au (xxx.72.xxx.53):
(The 1549 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
80/tcp open http
113/tcp closed auth
873/tcp open rsync
10000/tcp open snet-sensor-mgmt
Nmap run completed -- 1 IP address (1 host up) scanned in 414 seconds
```
I thought "ok I don't need port 80 right now" so I went and hashed out the associated rules in shorewall.
Then I did it again:
```
senectus@spark:~$ nmap www.xxxxxxx.net
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning: You are not root -- using TCP pingscan rather than ICMP
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 54 seconds
```
o.0
OK.. not sure why that happened.. but I then did a "nmap -P0 www.xxxxxxx.net" and I got the same result as before...
So now it seems I can't strobe my ports anymore.. is this a "feature" of shorewall?
Also, after I #'d out the port 80 lines in shorewall and restarted shorewall, I did a "nmap localhost" from the firewall itself:
```
root@croaker silent # nmap localhost
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-08-03 05:50 WST
Interesting ports on localhost (127.0.0.1):
(The 1655 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
873/tcp open rsync
10000/tcp open snet-sensor-mgmt
Nmap run completed -- 1 IP address (1 host up) scanned in 1.093 seconds
```
For some reason it's showing port 80 still to be open and it's not showing port 113/tcp to be closed anymore?!?!
Why the different results?
One last question.
Is there a way to have the firewall detect a DoS and do a controlled shutdown in response?

_________________
2800+XP A7N8X FX6600GT
www.modmeup.net
Belief is 9/10 of YOUR reality.
Wise man say: A skilled troll is a master baiter.
intgr (Apprentice), Joined: 23 Jun 2004, Posts: 225, Location: Earth, Sol, Milky Way
Posted: Tue Aug 03, 2004 2:50 am, Post subject: Re: odd nmap/shorewall stuff.
> senectus wrote:
> Why the different results?
Sorry, I don't use shorewall so I can't help you there.
> senectus wrote:
> Is there a way to have the firewall detect a DoS and to do a controlled shutdown in response?
Do a shutdown because of DoS? If you could just make a (your) machine remotely shut down, it would be a really effective DoS -- you would be helping the attacker if you did this.
In case you meant anything else, or really want to do this, then no, the firewall (at kernel level) can't do any heuristic detection of attacks. There are user-level daemons (called IDSs, short for Intrusion Detection Systems) that can execute a set of commands in case of any suspicious activity.
There are several IDSs out there; search Google (or Portage) for one that fits your needs.
Last edited by intgr on Tue Aug 03, 2004 4:03 am; edited 2 times in total
senectus (Guru), Joined: 17 Jul 2003, Posts: 534
Posted: Tue Aug 03, 2004 3:01 am, Post subject: Re: odd nmap/shorewall stuff.
> intgr wrote:
> Do a shutdown because of DoS? If you could just make a (your) remote machine shut down, it would be a really effective DoS -- you would be helping the attacker.
My concern is for the fact that I will be chewing data, not for the uptime. As annoying as it would be to lose my gateway due to a DoS, I would find it a lot worse to have to fork out hundreds more for data used that I didn't want to use.
Also it's an effective way to stop the idiot at the other end.
devon (l33t), Joined: 23 Jun 2003, Posts: 943
Posted: Tue Aug 03, 2004 5:21 am
> senectus wrote:
> Also its an effective way to stop the idiot at the other end.
How so? The people who launch DoS attacks don't always care about the data returning to their zombie boxes.
> senectus wrote:
> so now it seems I can't strobe my ports anymore.. is this a "feature" of shorewall?

Shorewall is just a nice GUI for iptables, right? What does an "iptables -L" show?
> senectus wrote:
> For some reason its showing port 80 still to be open and its not showing port 113/tcp to be closed anymore?!?!
Is the webserver still running on the localhost? And does your ISP filter 113/tcp? If I filter something at the router and run an nmap to a machine behind it, nmap reports that service I am filtering as closed or filtered.
```
$ nmap x.x.x
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-08-03 01:09 EDT
Interesting ports on x.x.x (x.x.x.x):
(The 1650 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
443/tcp open https
993/tcp open imaps
1434/tcp filtered ms-sql-m
```
The router ACL drops the packet and doesn't reject. I changed the ACL to reject the packet and I got closed.
```
$ nmap x.x.x -p 1434
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-08-03 01:19 EDT
Interesting ports on x.x.x (x.x.x.x):
PORT STATE SERVICE
1434/tcp closed ms-sql-m
Nmap run completed -- 1 IP address (1 host up) scanned in 0.689 seconds
```
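To make the open/closed/filtered distinction from this thread concrete, here is an added example (not code from any of the posts, nor from the nmap or Shorewall projects): a small Python parser for nmap's normal output that diffs senectus's external scan against the loopback scan and labels each port with what the external/local state pair usually implies. The scan text is copied from the posts above (the poster's masked hostnames kept); the interpretation table and the function names are my assumptions. It also handles the "Host seems down" case: nmap 2.x run without root pings the target with a TCP probe to port 80 by default, so dropping port 80 at the firewall also breaks host discovery, which is what the second external scan shows. A loopback scan never crosses the external firewall rules, so it reports what is listening, not what the firewall exposes.

```python
"""Parse nmap normal output and diff an external scan against a loopback scan.

Added example for this thread; not code from the posts, nmap or Shorewall.
The scan texts are constructed from the output quoted in the thread.
"""
import re

# Constructed from the thread: senectus's first external scan (nmap 2.54).
EXTERNAL_SCAN = """\
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning: You are not root -- using TCP pingscan rather than ICMP
Interesting ports on dsl-xxx-72-xxx-53.wa.xxxxxx.com.au (xxx.72.xxx.53):
(The 1549 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
80/tcp open http
113/tcp closed auth
873/tcp open rsync
10000/tcp open snet-sensor-mgmt
Nmap run completed -- 1 IP address (1 host up) scanned in 414 seconds
"""

# Constructed from the thread: the second external scan after port 80 was dropped.
EXTERNAL_SCAN_AFTER = """\
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning: You are not root -- using TCP pingscan rather than ICMP
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 54 seconds
"""

# Constructed from the thread: the scan of localhost run on the firewall itself.
LOCAL_SCAN = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-08-03 05:50 WST
Interesting ports on localhost (127.0.0.1):
(The 1655 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
873/tcp open rsync
10000/tcp open snet-sensor-mgmt
Nmap run completed -- 1 IP address (1 host up) scanned in 1.093 seconds
"""

# One port line; the same shape in nmap 2.54 ("Port State Service") and 3.x.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")
# The summary line that gives the state of every port nmap did not list.
HIDDEN_LINE = re.compile(r"\((?:The )?(\d+) ports scanned but not shown below are in state: (\w+)\)")
HOST_DOWN = re.compile(r"Host seems down")


def parse_nmap(text):
    """Return (host_up, default_state, {"port/proto": (state, service)})."""
    ports = {}
    default_state = None
    for line in text.splitlines():
        line = line.strip()
        if HOST_DOWN.search(line):
            # Host discovery failed: nmap probed nothing, so there is no port data.
            return False, None, {}
        m = HIDDEN_LINE.search(line)
        if m:
            default_state = m.group(2)
            continue
        m = PORT_LINE.match(line)
        if m:
            ports[f"{m.group(1)}/{m.group(2)}"] = (m.group(3), m.group(4))
    return True, default_state, ports


def state_of(scan, port):
    """State of a port, falling back to the 'not shown below' default."""
    _, default_state, ports = scan
    return ports[port][0] if port in ports else default_state


# Assumed meaning of each (external state, loopback state) pair. A DROP rule
# gives no reply, which nmap reports as filtered; a REJECT rule (or a host with
# nothing listening) answers with a TCP RST, which nmap reports as closed.
INTERPRETATION = {
    ("open", "open"): "service listening and the firewall lets it through",
    ("filtered", "open"): "service listening but the firewall DROPs the probe (no reply)",
    ("closed", "open"): "service listening but the firewall REJECTs the probe (RST)",
    ("closed", "closed"): "nothing listening; the RST comes from the host or from a REJECT rule",
    ("filtered", "closed"): "nothing listening and the firewall DROPs the probe",
    ("open", "closed"): "open externally only: probably forwarded (DNAT) to another machine",
}


def diff_scans(external, local):
    """Map each port seen in either scan to (external state, loopback state, meaning)."""
    if not external[0] or not local[0]:
        return {}
    seen = set(external[2]) | set(local[2])
    rows = {}
    for port in sorted(seen, key=lambda p: int(p.split("/")[0])):
        pair = (state_of(external, port), state_of(local, port))
        rows[port] = (pair[0], pair[1], INTERPRETATION.get(pair, "unexpected combination"))
    return rows


if __name__ == "__main__":
    table = diff_scans(parse_nmap(EXTERNAL_SCAN), parse_nmap(LOCAL_SCAN))
    for port, (ext, loc, why) in table.items():
        print(f"{port:>10}  external={ext:<9} loopback={loc:<9} {why}")
    if not parse_nmap(EXTERNAL_SCAN_AFTER)[0]:
        print("second external scan: host reported down (TCP ping probe to port 80 was dropped)")
```

Running it on the thread's own output shows every listed port open in both scans and 113/tcp closed in both, with the external default filtered and the loopback default closed: the only firewall effect visible from outside is the reject-versus-drop difference devon describes.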