LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-30-2003, 11:22 PM   #1
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Rep: Reputation: 58
Portscan detection with standard unix tools?


Because of conflicts with NAT, I could not secure our firewall as much as I wanted, and I could not find any popular non-GUI tools for our Unix to detect port scans, either.

So I thought I might establish a port scan detector using standard unix tools like tcpdump (we have a relatively slow, 256k line), Cron, and a bash script regularly checking the tcpdump log file, and automatically putting deny rules into the firewall, if necessary.

Some work has been done and the concept seems to work, but I am not a network guru, so I would like to know your opinion about the concept before I spend much more time establishing something that maybe does not work in a real-world situation.

So, here it is:
1. Tcpdump is continuously running and logging into a file
2. A script is started every minute to check the logfile as to whether there were incoming packets
- to a trojan port in the last minute (immediately placing a deny rule for the IP address of the sender into the firewall)
- to ports of regular services (http, pop3, etc.) we do not run (two requests to two different ports in the last minute would be punished with a deny rule of certain lifetime)
- to ports of regular services we do run (4? requests to 4? different ports in the last minute could be regarded as a portscan and punished with a deny rule of certain lifetime)

However, I wonder whether port scans can be efficiently caught by the IP address of the sender and whether the one minute response time is short enough?
Does NAT use known trojan ports? If so, maybe check not all trojan ports, only those not used by NAT?

What is your opinion?

Last edited by J_Szucs; 05-31-2003 at 12:02 AM.
 
Old 05-31-2003, 12:53 AM   #2
Zotz
LQ Newbie
 
Registered: May 2003
Distribution: RH9 babeEE
Posts: 8

Rep: Reputation: 0
Sounds like you're reinventing the wheel.
snort + guardian... protects you from portscans and other trojans nicely.

Check out www.snort.org before you go through all the work of programming... *g*
 
Old 05-31-2003, 01:04 AM   #3
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
snort doesn't really protect you from portscans it just lets you know that they are going on by sniffing traffic. Snort does not drop packets.

Not sure about guardian though. Is that a firewall?
 
Old 05-31-2003, 01:10 AM   #4
Zotz
Snort is the IDS, guardian is the perl script that listens to what snort has to say

Looks like it responds to portscans just fine ;]

Give it a good look, play with it and see if you like it. The guardian perl script is under the other downloads

Fri May 30 23:06:03 2003: Running: /usr/local/bin/guardian_unblock.sh 64.179.4.147 eth0 expiring block of 64.179.4.147
64.179.4.147 [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 51 ports in 24 seconds
Fri May 30 23:06:22 2003: Running '/usr/local/bin/guardian_block.sh 64.179.4.147 eth0'
Fri May 30 23:06:22 2003: Gatway block sport:64.179.4.147 dport:63.105.24.210
 
Old 05-31-2003, 10:33 AM   #5
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Well if you want to block port scans you should consider checking out my nailed down firewall.
 
Old 05-31-2003, 12:59 PM   #6
J_Szucs
Original Poster
Snort uses tcpdump, so it can be used on any Unix, I suppose, but how about guardian?
Can it interface with Ipfirewall (ipfw)? I did not find a word about this program on the snort site, only its tarball.
As for nailed down, I saw it is designed for iptables, which is a different type of firewall not very common on FreeBSD.
Besides, our network topology is very special; services like mail, dns, etc. that normally run on the internet gateway are on another server (which also runs NAT) inside the network, which in certain cases makes it impossible to find out which port they use on the internet gateway machine.
We can only use firewall solutions that are sufficiently configurable to take these facts into account.

Last edited by J_Szucs; 05-31-2003 at 01:00 PM.
 
Old 05-31-2003, 01:09 PM   #7
fancypiper
LQ Guru
 
Registered: Feb 2003
Location: Sparta, NC USA
Distribution: Ubuntu 10.04
Posts: 5,141

Rep: Reputation: 60
How about Portsentry?

Deploying Portsentry
 
Old 05-31-2003, 06:11 PM   #8
J_Szucs
Original Poster
That is it!

I do not know how I missed it when I google searched the web and checked the FreeBSD ports, too.

Thank you for the tip!
 
Old 05-31-2003, 09:57 PM   #9
Zotz
Quote:
Originally posted by J_Szucs
Can it interface with Ipfirewall (ipfw)? I did not find a word about this program on the snort site, only its tarball.
As for nailed down, I saw it is designed for iptables, which is a different type of firewall not very common on FreeBSD.
Well like I said prior, if you're using snort, guardian listens to what snort says then fires off a script that adds an ip table / chain / fwadmin rule to the firewall.

Block/Unblock Scripts
ipchains (Block / Unblock)
iptables (Block / Unblock)
ipfwadm (Block / Unblock)
FreeBSD using IPFW (Block / Unblock)
ipfilter (Block / Unblock)
Null Route for Linux systems with no other packet filter software (Block / Unblock)

Checkpoint Firewall (Block / Unblock)
Pix Firewall (Block / Unblock / Required perl script (also requires ssh perl module))


Here's a better blurb on it: http://www.chaotic.org/guardian/

Works pretty damn sweet.
 
Old 06-01-2003, 03:43 AM   #10
J_Szucs
Original Poster
Well, I realised why I missed Portsentry at the beginning: it does not have a GPL licence; it is shareware.
Now, I will check Guardian.
Besides, my script is almost ready...
 
Old 06-01-2003, 04:46 AM   #11
markus1982
Well it would be nice if you would post a summary after all of this :-)
 
Old 06-01-2003, 06:08 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
OT/Not that it matters much, but I'd like to cast my vote for Snort.
I'd choose Snort over portsentry or derivatives any day.
 
Old 06-02-2003, 06:05 PM   #13
J_Szucs
Original Poster
My script has been up and running for some hours now without any errors. It presently operates in test mode, where it is not allowed to add the deny rules into the firewall; it only logs the add deny commands.
It actually detected, and would have punished, all of my self-portscans (and many by separate 'testers') to trojan ports.
It is just a bit too long to be published here, and, since I do not have a homepage, I cannot post a link to it here either. If anyone is interested in it, I can send it by e-mail.

However, as I expected, I have some trouble with false positives: NATD seems to use at least some of the trojan ports for legal connections to the internet.
So I should
- either check the logfiles to find out which ports NATD actually uses and not allow my script to catch portscans on these ports, or
- find a way to limit NATD to only use a specific port range, not including any trojan ports.

There are also some other things on the todo list:
- give deny rules a lifetime, so that my firewall ruleset does not grow too long
- let the script itself handle (empty) the tcpdump logfile, instead of syslogd (once, when the logfile was emptied by syslogd, tcpdump refused to use the new, empty logfile and stopped logging)

Last edited by J_Szucs; 06-02-2003 at 06:46 PM.
 
Old 06-03-2003, 03:21 AM   #14
J_Szucs
Original Poster
I found that NATD uses port range 1025 through 5000 to let the machines of the LAN out to the internet.
Most of the trojan ports fall outside this range, so the concept seems to work.
Only some more experimentation is needed, and my script can go into production.
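The per-minute check described in post #1 (count distinct destination ports per source, plus an immediate rule for a short list of ports the site never serves), the test mode of post #13 (deny commands are logged, not applied) and the NAT port-range exclusion from post #14 can be sketched in a short Bourne shell script. What follows is an added example and not J_Szucs's script or code from any project mentioned in the thread. The tcpdump lines are constructed, the watched port list "23 110" and the threshold of 4 are arbitrary values chosen for the demo, and the only real command it builds is the ipfw deny rule, which stays unexecuted unless DRY_RUN=0. One point the thread does not mention: a source address taken from a log is untrusted input, so it is checked against a dotted-quad pattern before it is allowed anywhere near a firewall command.

```shell
#!/bin/sh
# Added example (not the poster's script): one cron run over a minute of
# "tcpdump -n -l" text output, in the thread's test mode by default.

# Constructed sample of tcpdump -n output, not a real capture:
# 203.0.113.9 probes five ports, .7 retries one port, .8 touches three.
sample_log() {
cat <<'EOF'
12:00:01.000001 IP 203.0.113.9.44321 > 198.51.100.1.21: Flags [S], seq 1, win 512, length 0
12:00:01.000120 IP 203.0.113.9.44322 > 198.51.100.1.22: Flags [S], seq 1, win 512, length 0
12:00:01.000250 IP 203.0.113.9.44323 > 198.51.100.1.23: Flags [S], seq 1, win 512, length 0
12:00:01.000380 IP 203.0.113.9.44324 > 198.51.100.1.25: Flags [S], seq 1, win 512, length 0
12:00:01.000500 IP 203.0.113.9.44325 > 198.51.100.1.80: Flags [S], seq 1, win 512, length 0
12:00:02.100000 IP 203.0.113.7.51000 > 198.51.100.1.80: Flags [S], seq 7, win 65535, length 0
12:00:02.200000 IP 203.0.113.7.51001 > 198.51.100.1.80: Flags [S], seq 8, win 65535, length 0
12:00:03.000000 IP 203.0.113.8.33000 > 198.51.100.1.25: Flags [S], seq 9, win 65535, length 0
12:00:03.500000 IP 203.0.113.8.33001 > 198.51.100.1.3000: Flags [S], seq 9, win 65535, length 0
12:00:04.000000 IP 203.0.113.8.33002 > 198.51.100.1.110: Flags [S], seq 9, win 65535, length 0
EOF
}

# Destination ports that natd hands to outbound LAN connections (post #14
# reports 1025-5000). Inbound packets to that range are replies to LAN
# traffic, not scan evidence, so they are excluded from the analysis.
NAT_LO=${NAT_LO:-1025}
NAT_HI=${NAT_HI:-5000}

# parse_log: tcpdump lines on stdin -> one "src_ip dst_port" line per packet.
# The source address is validated as a dotted quad before it is printed,
# because log text is attacker-influenced and later feeds a firewall command.
parse_log() {
  awk -v lo="$NAT_LO" -v hi="$NAT_HI" '
    {
      src = ""; dst = ""
      # Locate the ">" token, so "src.port > dst.port:" is found with or
      # without the leading "IP" that newer tcpdump versions print.
      for (i = 2; i < NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1); break }
      if (src == "") next
      sub(/:$/, "", dst)
      n = split(dst, d, "."); port = d[n] + 0
      sub(/\.[0-9]+$/, "", src)                 # strip the source port
      if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
      if (port >= lo && port <= hi) next        # NAT reply range, ignore
      print src, port
    }'
}

# detect_scans THRESHOLD: sources that hit at least THRESHOLD distinct
# destination ports within the log window, printed as "ip count", sorted.
detect_scans() {
  parse_log | sort -u | awk -v thr="$1" '
    { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= thr) print ip, hits[ip] }' | sort
}

# watched_hits "PORT PORT ...": any packet to a listed port is reported at
# once (the thread's immediate-deny rule for ports the site never serves).
watched_hits() {
  parse_log | awk -v list="$1" '
    BEGIN { n = split(list, p, " "); for (i = 1; i <= n; i++) w[p[i]] = 1 }
    ($2 in w) { print $1, $2 }' | sort -u
}

# deny_cmd IP: the ipfw rule the cron job would add (syntax per ipfw(8)).
deny_cmd() { printf 'ipfw add deny ip from %s to any\n' "$1"; }

# react: consume "ip detail" lines; log the rule in test mode, apply it otherwise.
DRY_RUN=${DRY_RUN:-1}
react() {
  while read -r ip rest; do
    if [ "$DRY_RUN" = 1 ]; then
      printf 'test mode, would run: %s [%s]\n' "$(deny_cmd "$ip")" "$rest"
    else
      ipfw add deny ip from "$ip" to any
    fi
  done
}

# Demo run on the constructed sample: threshold 4 and two watched ports.
sample_log | detect_scans 4 | react
sample_log | watched_hits "23 110" | react
```

In production the script would read the file tcpdump is writing (or the slice of it covering the last minute) instead of sample_log, and deny rules would be given a rule number or a lifetime so the ruleset can be pruned, as the todo list in post #13 notes. Raising NAT_LO/NAT_HI or setting both to 0 switches the exclusion off, which is the easiest way to see how many of the hits in a real log are just NAT replies.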
 