Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
I run SSH on a publicly open server and see following attempts in /var/log/auth.log which I was told by some one could be port scanning attempts.(Not sure though)
Code:
Nov 18 23:50:19 server sshd[21716]: Did not receive identification string from 186.0.80.197
Nov 19 00:05:57 server sshd[24056]: Did not receive identification string from 85.108.110.66
No that is not possible.The legitimate users come from internet and various ISP's and I want to know how can port scan attempts be blocked not blocking the port itself.
You did not understood my answer.I do know what rate limiting IPTABLE is.I mentioned the link to stop port scan attempt not to rate LIMIT iptables.The logs I posted above are from a server where Rate limited IPTABLEs are working.Rate limiting connections to a port via IPTABLES ensures that incoming connection to the port or service restricted via IPTABLES more than specified threshold is blocked for a specified time.
An example would be
Quote:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 5 name: DEFAULT side: source
tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW recent: SET name: DEFAULT side: source
Where ssh attempt more than 4 time i.e. 5th time would be blocked for next 60 seconds.
But that does not deal when some one does not wants to login but just want to scan the service running on the port.Hence I gave the second link.
The link I just mentioned above your post means this thread is solved.
I welcome if you have any thing else to add to block port scan attempt not to RATE Limit IPTABLES,
IMHO, this is overkill for simply getting rid of some relatively harmless (and even potentially useful) log entries.
In any case, just wanted to chime in and say that if you do go down this path then you should make sure you have TCP SYN cookies enabled (while understanding the implications), and that your rules match SYN packets specifically (not just packets in state NEW). Otherwise, you'd have created a brand new denial-of-service vulnerability on your server.
Having said that, aren't those iptables rules kinda ridiculous in this specific case? I mean, does your current firewall log show evidence that the DROP rule would have been triggered for any of the offending IPs? Nothing you've posted so far would indicate that.
IMHO, this is overkill for simply getting rid of some relatively harmless (and even potentially useful) log entries.
In any case, just wanted to chime in and say that if you do go down this path then you should make sure you have TCP SYN cookies enabled (while understanding the implications), and that your rules match SYN packets specifically (not just packets in state NEW). Otherwise, you'd have created a brand new denial-of-service vulnerability on your server.
I do not understand this part of your message.Please elaborate it so that many others who might read it may find this thread useful.I am not clear with
1) TCP SYN cookies (this part I can Google and read since you mentioned so I asked you can choose to ommit)
2) but how it creates a brand new dos vulnerability
Also I came across one more tool http://sourceforge.net/projects/sentrytools/
I do not understand this part of your message.Please elaborate it so that many others who might read it may find this thread useful.I am not clear with
1) TCP SYN cookies (this part I can Google and read since you mentioned so I asked)
Wikipedia has a good article. It's an anti-SYN flood technique, but since what it achieves is anti-spoofing it's also useful in non-flood cases such as this one. On GNU/Linux, you enable them like:
Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Quote:
2) but how it creates a brand new dos vulnerability
Because, without TCP SYN cookies (and with the iptables rules from the blog you linked), you're making it possible for the bad guys to lock out your legitimate users by simply sending spoofed packets to your server (with your clients' source IPs on them).
I would be hesitant to recommend such an old, unmaintained software tool to anyone. If you want a port scan detector, my advice is to go with something like psad instead. Granted, it gets fed from an iptables log file, so although it's great for detecting scans in general, it's probably not a solution to your current dilemma (unconfirmed scans against one particular publicly-available service).
Also note that you can use fail2ban for this sort of thing, which would eliminate the need for any of this iptables absurdity. As always, though, verify that you don't create new problems (such as the previously mentioned DoS vulnerability).
tkmsr, I writtee scripts which read logs i.e. auth.log and count frecuently occurs unique IP adress. Scripts has rule which talks him when and what iptables rule add. Unfortunately is not documentations in english but polish: http://debian.linux.pl/entries/30-Im...Pythonie-cz.-1 (3 part)
His work like fail2ban
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
