LinuxQuestions.org
Old 06-09-2001, 02:04 AM   #1
ashis
LQ Newbie
 
Registered: Jun 2001
Posts: 11

Rep: Reputation: 0


Can anybody please tell me how to stop portscanning at the very beginning? I want to allow no one to scan ports. How will this be possible? Please let me know.
ashis
 
Old 06-09-2001, 09:22 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
You *can't stop* people from portscanning (it's their action) but you can stop people from getting detailed results if you:
- stop running services you don't need
- comment out these services from (x)inetd.conf so they won't be started when someone tries to access them
- allow only traffic to (tcpwrapped) services via hosts.allow and hosts.deny
- set up a firewall script like ipfwadm, ipchains or iptables (depending on kernel version) to deny probing for (scanning) and access to ports & running services

You could also set up some detection like snort, scandetd, ippl or portsentry but I guess you've got to work out the stuff above first.
 
Old 06-09-2001, 10:24 AM   #3
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 46
Quote:
Originally posted by ashis

Can anybody please tell me how to stop portscanning at the very beginning? I want to allow no one to scan ports. How will this be possible? Please let me know.
ashis
Ashis,

Check out the following post on the forum, Raz seems to be hot on this area, certainly hotter than I am! http://www.linuxquestions.org/questi...?threadid=3082

HTH

Jamie...
 
Old 06-09-2001, 10:42 PM   #4
ccapoccia
LQ Newbie
 
Registered: Jun 2001
Posts: 3

Rep: Reputation: 0
The program portsentry will detect and log all port scans. Depending on how you configure it, portsentry will either add an ipchains rule that will block the offending address, put an entry in /etc/hosts.deny preventing traffic for all services to the scanner's machine, create a spurious gateway entry to co-opt all routes to his address, or do some combination of these three.

Portsentry is available in package format for several distributions. If you are using Red Hat you can install the Power Tools version. After the install, edit /etc/portsentry/portsentry.conf and fire it up with /etc/rc.d/init.d/portsentry.

Enjoy!
 
Old 06-11-2001, 12:22 PM   #5
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Ashis,

Give us more info on what OS version etc etc.
Then we could give you a more detailed answer.

Just to build on what ccapoccia said about portsentry, does anyone know if you spoof the source header of a TCP packet to match the target's main router, will it switch off internet access for the target system or is it intelligent enough to work this out?

I was considering playing around with portsentry some time ago and forgot about it.

If anyone has portsentry set up and working with ipchains or tables, would they like to volunteer for a DOS attack as a test? Send me details.

Cheers,
Raz
 
Old 06-13-2001, 01:52 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Quote:
Just to build on what ccapoccia said about portsentry, does anyone know if you spoof the source header of a TCP packet to match the target's main router, will it switch off internet access for the target system or is it intelligent enough to work this out?
I guess it ain't. It just binds to ports and reacts to that; if someone didn't drop it in the .ignore file it'll kill the route depending on the rules set. The only history it keeps is for "offenders", there isn't a $HOME_NET-like definition like snort has, I guess it's not LAN-aware.
 
Old 06-13-2001, 11:51 PM   #7
ashis
LQ Newbie
 
Registered: Jun 2001
Posts: 11

Original Poster
Rep: Reputation: 0
Dear unSpawn,
I installed portsentry on my machine. After portscanning it writes the IP number of the portscanner's machine in its /etc/hosts.deny file. After that, from that IP no one can access my server, but they can access from another IP.
 
Old 06-14-2001, 04:39 AM   #8
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Ashis,

UnSpawn knows that; what we're talking about is fooling portsentry into adding the system's own ISP's main router to its deny file, thus rendering the system to a status of standalone.

Sounds to me like it doesn't do a verification check on the source address so it would work.

Ashis, tell me your IP address so I can test this..

Only kidding, I'm going to play around with it later.

/Raz
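
Posts #5 to #8 discuss portsentry writing a spoofed source address, such as the upstream router, into /etc/hosts.deny. The following added example (not from any poster in this thread, and not portsentry's own code) audits hosts.deny content for entries that overlap addresses the host must keep reachable, which are the candidates for the ignore file. The sample file, the `PROTECTED` addresses and the function names are constructed assumptions, and only IPv4 literal entries are parsed.

```python
import ipaddress

# Constructed sample of /etc/hosts.deny content. The "ALL: <ip>" line shape is
# an assumption about how the blocking tool was configured to write entries.
SAMPLE_HOSTS_DENY = """\
# hosts.deny
ALL: 203.0.113.45
ALL: 192.0.2.1
sshd: 198.51.100.7 : deny
ALL: .example.net
ALL: 192.0.2.53
"""

# Hypothetical addresses this host must never block (documentation ranges).
PROTECTED = {
    "default gateway": "192.0.2.1/32",
    "DNS resolvers": "192.0.2.53/32",
    "loopback": "127.0.0.0/8",
}


def denied_networks(text):
    """Return (line_number, network) for each IPv4 literal client entry."""
    found = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split(":")               # daemon_list : client_list [: option]
        if len(parts) < 2:
            continue
        for token in parts[1].replace(",", " ").split():
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # hostname or pattern such as ".example.net": not checked
            found.append((lineno, net))
    return found


def self_inflicted_blocks(text, protected=PROTECTED):
    """Return (line_number, denied_network, label) for blocks on protected hosts."""
    hits = []
    for lineno, net in denied_networks(text):
        for label, cidr in protected.items():
            if net.overlaps(ipaddress.ip_network(cidr)):
                hits.append((lineno, str(net), label))
    return hits


if __name__ == "__main__":
    for lineno, net, label in self_inflicted_blocks(SAMPLE_HOSTS_DENY):
        print(f"line {lineno}: {net} blocks {label}; review and add to the ignore list")
```

Run against the real file by passing its contents to `self_inflicted_blocks()`, with `PROTECTED` set to the host's actual gateway and resolver addresses.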
 