Linux firewalls by Michael Rash
Author: Michael Rash
Language: eng
Format: epub
Tags: Sciences
ISBN: 9781593272289
Published: 2009-08-19T10:00:00+00:00
SYN Scan Response
We'll open our scan examples with a standard Nmap SYN scan from the attacker against the iptables firewall. Here, we'll let Nmap choose the set of ports to scan instead of manually specifying a port list or range (-P0 tells Nmap to skip host discovery and scan the target unconditionally; current Nmap releases spell the same option -Pn):
[ext_scanner]# nmap -sS -P0 -n 71.157.X.X

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2007-03-05 15:33 EST
Interesting ports on 71.157.X.X
(The 1671 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
80/tcp open  http

Nmap finished: 1 IP address (1 host up) scanned in 227.911 seconds
psad detects the SYN scan and generates the following two syslog messages. They indicate that the 144.202.X.X IP address has been auto-blocked for 3,600 seconds and that, in this particular checking interval, psad counted 237 TCP SYN packets from that address to destination ports ranging from 2 to 32787:
Mar 5 15:33:46 iptablesfw psad: added iptables auto-block against 144.202.X.X for 3600 seconds
Mar 5 15:33:52 iptablesfw psad: scan detected: 144.202.X.X -> 71.157.X.X tcp=[2-32787] SYN tcp=237 udp=0 icmp=0 dangerlevel: 3
psad has indeed blocked the attacker by adding blocking rules to the custom psad chains (defined by the IPT_AUTO_CHAIN{n} variables, as discussed earlier). Instead of rummaging through the output of iptables -v -n -L, you can use psad itself to list the new blocking rules in those chains:
[iptablesfw]# psad --fw-list
[+] Listing chains from IPT_AUTO_CHAIN keywords...

Chain PSAD_BLOCK_INPUT (1 references)
 pkts bytes target prot opt in  out source       destination
 1599 70356 DROP   all  --  *   *   144.202.X.X  0.0.0.0/0

Chain PSAD_BLOCK_OUTPUT (1 references)
 pkts bytes target prot opt in  out source       destination
    0     0 DROP   all  --  *   *   0.0.0.0/0    144.202.X.X

Chain PSAD_BLOCK_FORWARD (1 references)
 pkts bytes target prot opt in  out source       destination
    0     0 DROP   all  --  *   *   0.0.0.0/0    144.202.X.X
    0     0 DROP   all  --  *   *   144.202.X.X  0.0.0.0/0
From a status perspective, it is also possible to see how many seconds the blocking rules against an IP address will remain in effect by using the psad --Status command. The complete output of this command is not displayed here, but toward the end of the output, the following two lines are displayed. These lines show that, in this case, the IP 144.202.X.X has a total of 3,445 seconds left to be blocked:
Iptables auto-blocked IPs:
    144.202.X.X (3445 seconds remaining)
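To make the mechanism behind these three pieces of output concrete, here is an added example that is not part of the book and not psad's own code: a small Python script that parses lines in the format the iptables LOG target writes to syslog, groups SYN-only TCP probes per source address, flags a source that has hit more than a handful of distinct ports in one checking interval, emits a "scan detected" message in the style of the psad message above, lists the four DROP rules that correspond to the psad --fw-list output, and computes the "seconds remaining" figure that psad --Status reports. The log lines are constructed (RFC 5737 documentation addresses), the five-port threshold is an arbitrary assumption rather than psad's danger-level logic, and the 3600-second timeout is the value shown in the book's messages.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the iptables LOG target writes to syslog
# (not from the book; RFC 5737 documentation addresses). 192.0.2.10 sends SYN-only
# probes to seven ports, as Nmap -sS does; 192.0.2.77 is ordinary traffic.
SAMPLE_LOG = """\
Mar  5 15:33:40 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=1001 PROTO=TCP SPT=53001 DPT=2 WINDOW=2048 RES=0x00 SYN URGP=0
Mar  5 15:33:40 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=1002 PROTO=TCP SPT=53001 DPT=22 WINDOW=2048 RES=0x00 SYN URGP=0
Mar  5 15:33:41 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=1003 PROTO=TCP SPT=53001 DPT=25 WINDOW=2048 RES=0x00 SYN URGP=0
Mar  5 15:33:41 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=1004 PROTO=TCP SPT=53001 DPT=443 WINDOW=2048 RES=0x00 SYN URGP=0
Mar  5 15:33:42 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=1005 PROTO=TCP SPT=53001 DPT=3306 WINDOW=2048 RES=0x00 SYN URGP=0
Mar  5 15:33:42 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=1006 PROTO=TCP SPT=53001 DPT=80 WINDOW=2048 RES=0x00 SYN URGP=0
Mar  5 15:33:43 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=1007 PROTO=TCP SPT=53001 DPT=32787 WINDOW=2048 RES=0x00 SYN URGP=0
Mar  5 15:33:43 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=2001 PROTO=TCP SPT=41000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 15:33:44 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=2002 PROTO=TCP SPT=41000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one iptables LOG line; return a dict or None if it is not one."""
    if "kernel:" not in line:
        return None
    body = line.split("kernel:", 1)[1]
    fields = dict(KV_RE.findall(body))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    # Everything before the first key=value token is the user-chosen log prefix
    # ("DROP" here); bare tokens after it are flags such as SYN, ACK or DF.
    toks = body.split()
    first_kv = next(i for i, t in enumerate(toks) if "=" in t)
    flags = {t for t in toks[first_kv:] if "=" not in t}
    return {
        "src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
        "dpt": int(fields.get("DPT", 0)), "flags": flags,
    }


def detect_scans(lines, port_threshold=5):
    """Group SYN-only TCP probes per source for one checking interval and
    report sources that touched at least port_threshold distinct ports.
    (The threshold is an assumption for this example, not psad's rule.)"""
    per_src = defaultdict(lambda: {"dst": None, "ports": set(), "syn_pkts": 0})
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None or pkt["proto"] != "TCP":
            continue
        if "SYN" not in pkt["flags"] or "ACK" in pkt["flags"]:
            continue  # only bare SYNs count as half-open probes
        rec = per_src[pkt["src"]]
        rec["dst"] = pkt["dst"]
        rec["ports"].add(pkt["dpt"])
        rec["syn_pkts"] += 1
    return {
        src: {"dst": r["dst"], "low": min(r["ports"]), "high": max(r["ports"]),
              "syn_pkts": r["syn_pkts"], "distinct_ports": len(r["ports"])}
        for src, r in per_src.items() if len(r["ports"]) >= port_threshold
    }


def scan_message(src, summary):
    """Format a 'scan detected' line in the style of the psad syslog message."""
    return (f"scan detected: {src} -> {summary['dst']} "
            f"tcp=[{summary['low']}-{summary['high']}] SYN "
            f"tcp={summary['syn_pkts']} udp=0 icmp=0")


def block_rules(src):
    """The four DROP rules psad --fw-list listed: inbound by source, outbound
    by destination, and both directions in the FORWARD chain."""
    return [
        f"iptables -I PSAD_BLOCK_INPUT -s {src} -j DROP",
        f"iptables -I PSAD_BLOCK_OUTPUT -d {src} -j DROP",
        f"iptables -I PSAD_BLOCK_FORWARD -d {src} -j DROP",
        f"iptables -I PSAD_BLOCK_FORWARD -s {src} -j DROP",
    ]


def seconds_remaining(blocked_at, now, timeout=3600):
    """Seconds left on an auto-block, as psad --Status reports it."""
    return max(0, int(blocked_at + timeout - now))


if __name__ == "__main__":
    for src, summary in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(scan_message(src, summary))
        for rule in block_rules(src):
            print(rule)
        print(f"{src} ({seconds_remaining(1000, 1155)} seconds remaining)")
```

Run as-is it reports 192.0.2.10 only; 192.0.2.77 sent a single SYN to one port, and its ACK packet is ignored because a completed handshake is not a probe. Note that real LOG lines may carry extra bare tokens such as DF, which is why the flag check tests for SYN and ACK explicitly rather than comparing the whole set.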
Lastly, to confirm that the target has now become inaccessible from the attacker's perspective, we can try our scan again. This time, not even port 80 can be reached:
[ext_scanner]# nmap -sS -P0 -n 71.157.X.X

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2007-03-05 15:47 EST
All 1672 scanned ports on 71.157.X.X are: filtered

Nmap finished: 1 IP address (1 host up) scanned in 35.906 seconds