LinuxQuestions.org
Old 10-15-2017, 03:17 PM   #1
theKbStockpiler
Member
 
Registered: Sep 2009
Location: Central New York
Distribution: RPM Distros,Mostly Mandrake Forks;Drake Tools/Utilities all the way!GO MAGEIA!!!
Posts: 986

Rep: Reputation: 53
How does a FireWall determine the type of attack?


I would like to see the code of the packets that my firewall blocks and wondered how FireStarter, or the like, determines what type of service the attack was. Is it just based on what ports they target or is there more?
Thanks for your expertise!
 
Old 10-15-2017, 08:31 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,317
Blog Entries: 28

Rep: Reputation: 6140
This article is a good primer as to how firewalls work: http://computer.howstuffworks.com/firewall.htm

A web search for "how firewalls work" will turn up many more tutorials.

Last edited by frankbell; 10-15-2017 at 08:52 PM.
 
Old 10-15-2017, 09:09 PM   #3
theKbStockpiler
Member
 
Registered: Sep 2009
Location: Central New York
Distribution: RPM Distros,Mostly Mandrake Forks;Drake Tools/Utilities all the way!GO MAGEIA!!!
Posts: 986

Original Poster
Rep: Reputation: 53
So it's just the port they are using? If they target port 22, it HAS to be an SSH attack?

Last edited by theKbStockpiler; 10-15-2017 at 09:11 PM.
 
Old 10-15-2017, 09:23 PM   #4
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,317
Blog Entries: 28

Rep: Reputation: 6140
Quote:
So it's just the port they are using? If they target port 22, it HAS to be an SSH attack?
Possible, or more likely a random port scan looking for a system with a vulnerable port. Random port scans are a fact of life on the internet and have been for years. Bad guys are always looking for easy marks.

If you are getting lots of them, you could install Fail2Ban.

It is possible to block specific ip addresses with iptables, but, if what you are getting is random port scans, it's likely not worth the effort.

Last edited by frankbell; 10-15-2017 at 09:25 PM.
 
Old 10-15-2017, 09:59 PM   #5
theKbStockpiler
Member
 
Registered: Sep 2009
Location: Central New York
Distribution: RPM Distros,Mostly Mandrake Forks;Drake Tools/Utilities all the way!GO MAGEIA!!!
Posts: 986

Original Poster
Rep: Reputation: 53

I tried to get information on a phishing attack and investigated a few other attacks that FireStarter had blocked. They were from a French server, the equivalent of 'Go Daddy' or something. I could not get an IP address on them, just a domain name, and I could notify the administrator (the hacker) of malicious acts by their server, LOL. I suspect that France has weak hacking laws so the hackers tend to have proxy servers in that country.

Thank you for the link on Fail2ban. I will have some fun with it.

Last edited by theKbStockpiler; 10-16-2017 at 10:41 AM. Reason: learning to spell
 
Old 10-15-2017, 10:22 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,317
Blog Entries: 28

Rep: Reputation: 6140
Or the ip address was spoofed. It happens. Or that particular address may have been commandeered by a bot.

That's more likely than that France's regulations are somehow lax.

Last edited by frankbell; 10-15-2017 at 10:23 PM.
 
Old 10-15-2017, 10:39 PM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,305
Blog Entries: 3

Rep: Reputation: 3720
Quote:
Originally Posted by theKbStockpiler View Post
So it's just the port they are using? If they target port 22, it HAS to be an SSH attack?
Not necessarily. I see all kinds of HTTP-based attacks on ports running SSH. Some crackers just throw everything at the wall and then see what sticks. Check your logs to see the failed attempts. Depending on your distro you may find the relevant data in /var/log/auth if you have an SSH server running.

My guess is that they build inventory lists so they know where to hit when a vulnerability becomes known.

As for automated blocking, fail2ban has the name recognition but I would say to also check sshguard. Despite the name it covers about the same use-cases as fail2ban but has several advantages over it including IPv6 support. Compare the two and then make a choice as to which one is the best fit for your case, if automated blocking is your thing.
 
1 members found this post helpful.
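The advice above is to read the failed attempts out of the SSH auth log and, if there are many, let something like fail2ban or sshguard block the source. The script below is an added example (not code from the thread, fail2ban or sshguard) that does the first half of that job by hand: it parses sshd "Failed password" lines, counts failures per source address, and flags any address that crosses a fail2ban-style maxretry limit inside a findtime window. The log lines are constructed for the example and the addresses come from the RFC 5737 documentation ranges; the default thresholds (5 failures in 600 seconds) are assumptions chosen to match fail2ban's stock sshd jail, not read from any real configuration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log style lines as OpenSSH sshd writes them.
# 203.0.113.7 hammers the server within seconds; 198.51.100.9 retries slowly,
# roughly every 15 minutes; 192.0.2.10 is a legitimate user who mistyped once.
SAMPLE_AUTH_LOG = """\
Oct 15 21:58:01 myhost sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 15 21:58:03 myhost sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 15 21:58:06 myhost sshd[4103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct 15 21:58:09 myhost sshd[4105]: Failed password for root from 203.0.113.7 port 51244 ssh2
Oct 15 21:58:12 myhost sshd[4107]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Oct 15 21:59:40 myhost sshd[4110]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Oct 15 22:03:15 myhost sshd[4112]: Failed password for bob from 192.0.2.10 port 40030 ssh2
Oct 15 22:14:00 myhost sshd[4120]: Failed password for invalid user oracle from 198.51.100.9 port 33001 ssh2
Oct 15 22:30:00 myhost sshd[4122]: Failed password for invalid user oracle from 198.51.100.9 port 33002 ssh2
Oct 15 22:45:00 myhost sshd[4124]: Failed password for invalid user oracle from 198.51.100.9 port 33003 ssh2
Oct 15 23:00:00 myhost sshd[4126]: Failed password for invalid user oracle from 198.51.100.9 port 33004 ssh2
Oct 15 23:15:00 myhost sshd[4128]: Failed password for invalid user oracle from 198.51.100.9 port 33005 ssh2
"""

# Classic syslog timestamp (no year), hostname, sshd[pid], then the failure message.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts):
    """Parse 'Oct 15 21:58:01'. The year is absent, so only differences matter."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def count_failures(log_text):
    """Total failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def find_offenders(log_text, maxretry=5, findtime_s=600):
    """Return {ip: time_threshold_crossed} for every source that produced
    at least maxretry failures inside a sliding window of findtime_s seconds.
    This is the same decision fail2ban's sshd jail makes with its defaults;
    the numbers here are assumptions for the example."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the window.
        while window and (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()
        if len(window) >= maxretry and ip not in offenders:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    print("failures per source:", count_failures(SAMPLE_AUTH_LOG))
    for ip, when in find_offenders(SAMPLE_AUTH_LOG).items():
        print(f"would ban {ip} at {when:%H:%M:%S} (5 in 600 s)")
    slow = find_offenders(SAMPLE_AUTH_LOG, findtime_s=7200)
    print("with a two-hour window:", sorted(slow))
```

Running it shows the point of the findtime knob: the fast attacker is banned after its fifth attempt at 21:58:12, while the slow one (five failures spread over an hour) never trips the 600 second window and only shows up when the window is widened to two hours. A source that spaces attempts out like that is why total counts per address are still worth looking at alongside whatever the automatic blocker does.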
Old 10-15-2017, 10:49 PM   #8
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,317
Blog Entries: 28

Rep: Reputation: 6140
sshguard is new to me. Thanks.
 
Old 10-17-2017, 04:19 PM   #9
theKbStockpiler
Member
 
Registered: Sep 2009
Location: Central New York
Distribution: RPM Distros,Mostly Mandrake Forks;Drake Tools/Utilities all the way!GO MAGEIA!!!
Posts: 986

Original Poster
Rep: Reputation: 53
Quote:
Or the ip address was spoofed. I
I guess I will have to blame someone else then.

If the IP is spoofed then they can't get info back, correct? What good does this do them?
 
Old 10-18-2017, 08:59 AM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,657
Blog Entries: 4

Rep: Reputation: 3938
A firewall is stupid. It sees an incoming packet and decides what to do with it. That's it. It does not look at the content of the packets.

Requests to connect to a TCP/IP service will always reference a "well-known port." So, if it's port #22, you know what the outsider must be trying to connect to.

If you want to actually protect your system, use OpenVPN with the tls-auth feature and one-of-a-kind digital certificates. Cause all other services to "listen" only to the virtual network adapter that represents an OpenVPN-connected client, and use firewalls to prevent direct access to-or-from the outside world.

When you do this, you create a secret(!) door that can only be discovered, let alone entered, by someone bearing the proper non-revoked credentials. All of the traffic passing in or out is securely encrypted, even though the users do not perceive the presence of encryption at all and need take no further special precautions. (The remote system simply appears to be "part of the local network.") The server and each client can securely identify each other, so you are certain who it is you're talking to.

There are no "open ports" to be scanned, and the presence of the OpenVPN server cannot be detected. (Some routers are capable of supporting OpenVPN "in the box.")

So if you like the sound of "number of unauthorized access attempts: Zero", this is the technology for you.

Last edited by sundialsvcs; 10-18-2017 at 09:06 AM.
 
1 members found this post helpful.
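The two replies above make the same point from different angles: the firewall only sees addresses, protocols and ports, so the destination port tells you which service the sender was aiming at, and a source that touches many ports in a row is a port scan rather than an attack on any one service. The script below is an added example (not code from the thread or from Firestarter) that applies that reasoning to the kernel netfilter LOG lines a Linux firewall such as Firestarter actually records. It splits each line into its KEY=VALUE fields, labels the destination port with the service registered for it, and calls a source a port scan once it has probed a threshold number of distinct ports. The log lines and addresses are constructed, the service table is a small hand-written subset of the well-known ports, and the scan threshold of five distinct ports is an assumption for the example.

```python
import re
from collections import defaultdict

# Hand-written subset of well-known ports; a real tool would read /etc/services.
WELL_KNOWN = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain", 80: "http",
    110: "pop3", 143: "imap", 443: "https", 445: "microsoft-ds (SMB)",
    3306: "mysql", 3389: "ms-wbt-server (RDP)", 5900: "vnc",
}

# Constructed kernel LOG lines in netfilter's KEY=VALUE layout.
# 203.0.113.7 sends three SYNs to port 22, 198.51.100.9 walks a list of ports,
# and 192.0.2.99 sends an ICMP echo request (no port at all).
SAMPLE_FW_LOG = """\
Oct 15 20:11:02 myhost kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 15 20:11:03 myhost kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 15 20:11:05 myhost kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1003 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 15 20:12:40 myhost kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2001 PROTO=TCP SPT=44001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 15 20:12:40 myhost kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2002 PROTO=TCP SPT=44001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 15 20:12:40 myhost kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2003 PROTO=TCP SPT=44001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 15 20:12:41 myhost kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2004 PROTO=TCP SPT=44001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 15 20:12:41 myhost kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2005 PROTO=TCP SPT=44001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 15 20:12:41 myhost kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2006 PROTO=TCP SPT=44001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 15 20:12:42 myhost kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2007 PROTO=TCP SPT=44001 DPT=8443 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 15 20:13:10 myhost kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=3001 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, plus the set of
    bare TCP flag words (SYN, ACK, ...) that follow RES=. None if not a LOG line."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    fields["flags"] = {w for w in tail.split() if "=" not in w and w.isupper()}
    return fields


def summarize(log_text, scan_threshold=5):
    """Per source address: the destination ports seen, the service each port is
    registered for (a label, not proof of what was attempted) and a verdict."""
    seen = defaultdict(lambda: {"ports": set(), "protos": set(), "syn": 0})
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if f is None:
            continue
        entry = seen[f["SRC"]]
        entry["protos"].add(f.get("PROTO", "?"))
        if "DPT" in f:
            entry["ports"].add(int(f["DPT"]))
        if "SYN" in f["flags"]:
            entry["syn"] += 1
    report = {}
    for src, e in seen.items():
        ports = sorted(e["ports"])
        if not ports:
            verdict = "no port (ICMP or similar)"
        elif len(ports) >= scan_threshold:
            verdict = "port scan"
        else:
            verdict = "probe of a single service"
        report[src] = {
            "protocols": sorted(e["protos"]),
            "ports": ports,
            "services": [WELL_KNOWN.get(p, "not in table") for p in ports],
            "syn_packets": e["syn"],
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_FW_LOG).items():
        print(f"{src}: {info['verdict']}; ports {info['ports']} -> {info['services']}")
```

The output labels 203.0.113.7 as a probe of a single service (ssh), 198.51.100.9 as a port scan, and the ICMP sender as having no port at all. The service names are exactly as strong as sundialsvcs says: they tell you which door was tried, not what would have been said once it opened, which is why Turbocapitalist points at the application's own log (/var/log/auth) for the rest of the story.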
Old 10-18-2017, 04:04 PM   #11
theKbStockpiler
Member
 
Registered: Sep 2009
Location: Central New York
Distribution: RPM Distros,Mostly Mandrake Forks;Drake Tools/Utilities all the way!GO MAGEIA!!!
Posts: 986

Original Poster
Rep: Reputation: 53
Thanks for all of the great advice. I'm working on Fail2ban right now just for the experience and plan on moving to OpenVPN as well.

I tried doing a web search on "How data gets back to a hacker with a spoofed address" and, apart from a go-between, it does not seem possible, but then some suggest that it is possible.

Are the attacks a 'one shot thing' with the hacker's IP in the packet if my OS gets infected?

Thanks for your expertise!

Last edited by theKbStockpiler; 10-18-2017 at 04:07 PM.
 
Old 10-20-2017, 11:37 AM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,657
Blog Entries: 4

Rep: Reputation: 3938
Quote:
Originally Posted by theKbStockpiler View Post
Are the attacks a 'one shot thing' with the hacker's IP in the packet if my OS gets infected?
Remember: "a digital computer is a machine, not a biological organism." Therefore, it cannot "get infected." (In spite of the advertising campaigns that refer to malicious software as "viruses.")

You can "catch a cold" if you walk into an elevator in which someone else with a cold just sneezed, and if your immune system does not successfully fight it off. But a digital computer is just not like that. It runs programming, that's it, that's all. Unfortunately, it might "run programming" that you didn't know had been introduced to it, and this "programming" might have malicious intent. But there are relatively simple and effective ways to prevent that.

Remember also that most computer exploits are simply "crimes of opportunity." Robots throw attempts at tens of thousands of IP addresses. They don't "know you," nor do they care about you, nor have they singled you out. They're basically looking for "doors that are unlocked," owned by users who aren't paying the slightest bit of attention.
 