Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Logging port scans with IPtables
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Jerri
Guru
Guru


Joined: 03 Apr 2003
Posts: 353

PostPosted: Mon Jan 31, 2005 4:36 am    Post subject: Logging port scans with IPtables Reply with quote

Well, as the topic suggests, i'm trying to log any attempts to port scan my server, however, I'm having some troubles defining rules that will actual log any attempts.

If you look at the section titled "Port Scan Filtering", you will notice I have tried a couple ways, applying rules to the INPUT chain, defining a new chain, but they both don't work....

Each time I apply the new rules, i'll scan my server with a number of different scan types, but I have yet to see a single logged packet during a scan (scan types are usually NULL, SYN, Xmas tree, and FIN stealth scans - using nmap v3.55).

I feel like i'm missing something pretty obvious, grr. Anyways, i followed this thread when creating the rules and this one when trying to get port scan logging to work.

Anyways, if you have any advice, i'm all ears :)

Code:
#!/bin/sh

# External interface
EXTIF="eth0"

# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/bin/awk"

# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":"); split(a[2],a," ");print a[1];exit}'`"
EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"


# ********** INITIALIZATION **********
#
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT       -P FORWARD      DROP

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
for i in $CHAINS;
do
    $IPT -t $i -X
done

# enable syncookies & ignore icmp broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done

# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done

# Log Martians
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
        echo 1 > $i
done

# ********** SANE COMMON RULES **********
#
# Now we are going to accept all traffic from or to our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -d   $LPDIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -d   $EXTIP  -j ACCEPT

# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROP
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROP


#######################
# Port Scan Filtering #
#######################

# Check for incorrect TCP state flags (port scans).
#$IPT -N valid-tcp-flags
#$IPT -N LOG-ps-and-drop

#$IPT -A valid-tcp-flags -p tcp --tcp-flags ALL NONE                -j LOG-ps-and-drop
#$IPT -A valid-tcp-flags -p tcp --tcp-flags ALL ALL                 -j LOG-ps-and-drop
#$IPT -A valid-tcp-flags -p tcp --tcp-flags ALL FIN,URG,PSH         -j LOG-ps-and-drop
#$IPT -A valid-tcp-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG-ps-and-drop
#$IPT -A valid-tcp-flags -p tcp --tcp-flags ACK,FIN FIN             -j LOG-ps-and-drop
#$IPT -A valid-tcp-flags -p tcp --tcp-flags ACK,PSH PSH             -j LOG-ps-and-drop
#$IPT -A valid-tcp-flags -p tcp --tcp-flags ACK,URG URG             -j LOG-ps-and-drop
#$IPT -A valid-tcp-flags -p tcp --tcp-flags SYN,FIN SYN,FIN         -j LOG-ps-and-drop
#$IPT -A valid-tcp-flags -p tcp --tcp-flags SYN,RST SYN,RST         -j LOG-ps-and-drop
#$IPT -A valid-tcp-flags -p tcp --tcp-flags FIN,RST FIN,RST         -j LOG-ps-and-drop


# Generic Log and drop chain
#$IPT -A LOG-ps-and-drop -m limit --limit 30/minute -j LOG --log-ip-options \
#   --log-tcp-options --log-level warning --log-prefix "PORT SCAN:"
#$IPT -A LOG-ps-and-drop -j DROP


$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
   --limit 30/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPT -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit \
   30/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
   -m limit --limit 30/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit \
   --limit 30/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
   --limit 30/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
   --limit 30/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPT -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP


# Block WAN access to internal network
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROP

# An additional Egress check
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROP

# Block outbound ICMP (except for PING)
$IPT -A OUTPUT  -o $EXTIF -p icmp  --icmp-type ! 8 -j DROP

# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  --icmp-type 8 -m state --state NEW -j ACCEPT


# ********** ALLOWING INSIDE TO OUTSIDE SERVICES **********
#
# This is where things go you want to use from your network on the
# internet. We start with defining some common chat clients. Remove
# these from your accepted list for better security.

EXTRA_SERV="ircd nntp rsync"
EXTRA_PORT="1046 1024 1214 17006 15151 14141"

# All services ports are read from /etc/services

TCPSERV="$EXTRA_SERV $EXTRA_PORT domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time xdmcp"
UDPSERV="domain time"
echo "---------------------------------------------------------------------"
echo "FW: Allowing inside systems to use services (tcp): "
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo "---------------------------------------------------------------------"
echo "FW: Allowing inside systems to use services (udp): "
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  --dport $i -m state --state NEW -j ACCEPT
done
echo ""


# ********** ALLOWING SERVICES ON FIREWALL **********
#
# DAEMONS on firewall which should be accessible to inside/outside.
# it is presumed that DAEMONS advertised to the outside can also
# be advertised safely to the inside

EXTTCPDAEMONS="ssh http https smtp"
EXTUDPDAEMONS=""

echo "---------------------------------------------------------------------"
echo "FW: Allowing external systems to use tcp services on localhost: "
for i in $EXTTCPDAEMONS;
do
   echo -n "$i "
   $IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""


echo "---------------------------------------------------------------------"
echo "FW: Allowing external systems to use udp services on localhost: "
for i in $EXTUDPDAEMONS;
do
    echo -n "$i "
    $IPT -A INPUT -i $EXTIF -p udp -d $EXTIP --dport $i -m state --state NEW -j ACCEPT
done
echo ""

echo "---------------------------------------------------------------------"


# allow existing connections
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT


# block what me may have forgot
$IPT -A INPUT             -j DROP
$IPT -A OUTPUT            -j REJECT
Back to top
View user's profile Send private message
mariourk
l33t
l33t


Joined: 11 Jul 2003
Posts: 807
Location: Urk, Netherlands

PostPosted: Mon Jan 31, 2005 8:51 am    Post subject: Reply with quote

If you want to log any portscan attempts, you might want to take a look at this
It's not an iptables howto, it's much better! :wink:
I have ut running here and it works like a charm. Anything that happens to your server
can be viewed by a nice graphical frontend. Every alert has it's own link to the Snort homepage
so can can see what the alert acutally means, in case you don't know.
If you want to log things for security reasons, this is what you want. :D
_________________
If there is one thing to learn from history, it's that we usualy don't learn anything from it, at all.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum