Hi, Got an IP which is scanning during the night (an internet cafe says pcnet). How can I block all the ports for this IP? Many thanks, Radu
On 2001.09.06 17:06:59 +0100 Radu Anghel wrote:
Hi,
Got an IP which is scanning during the night (an internet cafe says pcnet). How can I block all the ports for this IP?
Many thanks,
Radu
1. What kernel version are you using? It makes a difference for the command to use.
2. Make sure you have ipchains (2.2.x) or iptables (2.4.x) installed.
Issue a command (as root) along the lines of:
iptables -I INPUT 1 -s addr.of.bad.ip -j DROP
(for 2.4.x)
See man iptables for an explanation of this.
If you are on a 2.2.x kernel, use
ipchains -I INPUT 1 -s bad.ip.add.ress -j DENY
NOTE: this doesn't stop them scanning, it just stops you from replying!
HTH
Maf
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Maf. King Standby Exhibition Services ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't."
- Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can use a REJECT instead of DENY for the ipchains rule and your machine will not appear to even be online. If you use the DENY rule, they can still tell what ports you have open, but cannot connect to them.
On Thu, 6 Sep 2001, maf king wrote:
On 2001.09.06 17:06:59 +0100 Radu Anghel wrote:
Hi,
Got an IP which is scanning during the night (an internet cafe says pcnet). How can I block all the ports for this IP?
Many thanks,
Radu
1. What kernel version are you using? It makes a difference for the command to use.
2. Make sure you have ipchains (2.2.x) or iptables (2.4.x) installed.
Issue a command (as root) along the lines of:
iptables -I INPUT 1 -s addr.of.bad.ip -j DROP
(for 2.4.x)
see man iptables for an explanation of this.
if you are on a 2.2.x kernel, use
ipchains -I INPUT 1 -s bad.ip.add.ress -j DENY
NOTE : this doesn't stop them scanning, it just stops you from replying!
HTH Maf
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hi Dog, On 2001.09.06 18:06:23 +0100 dog@intop.net wrote:
You can use a REJECT instead of DENY for the ipchains rule and your machine will not appear to even be online. If you use the DENY rule, they can still tell what ports you have open, but cannot connect to them.
It's the other way round. From man 8 ipchains:
ACCEPT means to let the packet through.
DENY means to drop the packet on the floor.
REJECT means the same as drop, but is more polite and easier to debug, since an ICMP message is sent back to the sender indicating that the packet was dropped. (Note that DENY and REJECT are the same for ICMP packets).
Maf.
What does that mean? How can anyone tell which ports have programs listening on them, if the firewall has DENY on all ports? And if by open you mean unfiltered, why wouldn't they be able to connect to them?
Anders
On Thursday 06 September 2001 19.06, dog@intop.net wrote:
You can use a REJECT instead of DENY for the ipchains rule and your machine will not appear to even be online. If you use the DENY rule, they can still tell what ports you have open, but cannot connect to them.
Well, when I do a port scan and have DENY in the firewall rules, I get the message that the port is in a filtered state. Maybe this is just my thinking, but if it's filtered, then there must be a daemon listening on that port. Why would I filter access to the port if there is nothing listening on that port? So I use REJECT so that the port does not even show up as filtered but rather closed. And just because the port is unfiltered doesn't mean that someone cannot connect to it. telnet, ftp, ssh, etc. can all be blocked with /etc/hosts.allow, and I use this, along with ipchains/iptables rules, to block access as well.
On Thu, 6 Sep 2001, Anders Johansson wrote:
What does that mean? How can anyone tell which ports have programs listening on them, if the firewall has DENY on all ports? And if by open you mean unfiltered, why wouldn't they be able to connect to them?
Anders
On Thursday 06 September 2001 19.06, dog@intop.net wrote:
You can use a REJECT instead of DENY for the ipchains rule and your machine will not appear to even be online. If you use the DENY rule, they can still tell what ports you have open, but cannot connect to them.
On Thursday 06 September 2001 19.54, dog@intop.net wrote:
Well, when I do a port scan and have DENY in the firewall rules, I get the message that the port is in a filtered state. Maybe this is just my thinking, but if it's filtered, then there must be a daemon listening on that port. Why would I filter access to the port if there is nothing listening on that port? So I use REJECT so that the port does not even
Well, if you have only a few services running, it's a lot simpler to have policy DENY (or REJECT) and just open up the ports you need, than to have policy ACCEPT and close the ports you have programs listening on but don't want exposed on the net. This is the default behaviour of SuSEfirewall, and I assume all other firewall programs as well. I don't think it's possible for a scanner to tell the difference between a blanket DENY rule, and a port that has a rule like src ip != some.allowed.machine.com, so the use of the word 'filtered' here is I believe a bit wrong. The words 'open' and 'closed' here also don't reflect the way TCP/IP ports work, IMHO.
show up as filtered but rather closed. And just because the port is unfiltered doesn't mean that someone cannot connect to it. telnet, ftp, ssh, etc. can all be blocked with /etc/hosts.allow, and I use this, along with ipchains/iptables rules, to block access as well.
On 2001.09.06 19:24:38 +0100 Anders Johansson wrote:
On Thursday 06 September 2001 19.54, dog@intop.net wrote:
Well, when I do a port scan and have DENY in the firewall rules, I get the message that the port is in a filtered state. Maybe this is just my thinking, but if it's filtered, then there must be a daemon listening on that port. Why would I filter access to the port if there is nothing listening on that port? So I use REJECT so that the port does not even
Maybe this is "smart" portscanners assuming that no reply means there is a firewall in the way filtering packets - after all, why portscan a non-existent host? Whereas the unreachable ICMP could be interpreted by the same scanner as non-existent - as would be the case if there is no machine at that IP address.
<SNIP>
I don't think it's possible for a scanner to tell the difference between a blanket DENY rule, and a port that has a rule like src ip != some.allowed.machine.com, so the use of the word 'filtered' here is I believe a bit wrong. The words 'open' and 'closed' here also don't reflect the way TCP/IP ports work, IMHO.
FWIW, I agree that portscanners can't tell how or why a firewall DENYs packets, only that they *are* DENYed (or not :-) )! As for the terminology - perhaps ports are "[not-] blocked" or "[un-]available", but since iptables is part of the netfilter project, "filter" may not be too bad a description of what happens.
Just 2c worth
Maf.
Jo, On 06-Sep-01 dog@intop.net wrote:
You can use a REJECT instead of DENY for the ipchains rule and your machine will not appear to even be online. If you use the DENY rule, they can still tell what ports you have open, but cannot connect to them.
For the record, ipchains REJECT sends out ICMP type 3 (host/port unreachable) messages to the client, telling him to stop sending packets because there would be no service on the port the client is hammering on. DENY silently drops the packet, telling the client nothing, who may keep on scanning and filling your logs.
By starting an nmap scan against a target and using tcpdump on another console you would be able to see these port-unreachable messages in case the host you're scanning uses some REJECT. This may indicate an active but firewalled port. Same with DENY: an attacker could measure the timeouts of his scans and do some "comparison scans" as well, finding that he may have hit a firewalled port. If there were no service/firewall in place, the scan would go much faster.
So, neither DENY nor REJECT is capable of "hiding" any of your ports. Use return-rst ( http://www.bellamy.co.nz/section5.html ) for that purpose, which sends a RST packet back to the client, thus cancelling the connection at once.
--- Boris Lorenz <bolo@lupa.de> System Security Admin *nix - *nux ---
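The states a SYN scanner reports under each of the policies argued about in this thread (DENY/DROP, ICMP-sending REJECT, and the RST-sending return-rst that Boris points to), as an added example that is not part of any message above. It parses constructed reply packets the way a scanner does and maps them to the open/closed/filtered vocabulary nmap uses; the addresses, ports and packets are made up for the example, checksums are left at zero because nothing is transmitted, and the ICMP-unreachable behaviour assumed for REJECT is the one the ipchains man page quoted earlier describes. (In later iptables the RST variant is available directly as `-j REJECT --reject-with tcp-reset`.)

```python
"""Added example: what a SYN scanner sees under DENY/DROP, REJECT and return-rst.

Not code from the thread. Sample packets and addresses (TEST-NET-1) are
constructed here; IP/TCP checksums are left zero since nothing is transmitted.
"""
import struct

PROTO_ICMP, PROTO_TCP = 1, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ICMP_UNREACHABLE = 3


def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload) for a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:total_len]


def classify_reply(reply, probed_port: int) -> str:
    """Map the reply to one SYN probe (raw IPv4 bytes, or None on timeout) to a port state.

    SYN/ACK -> open; RST -> closed; ICMP type 3 or no reply at all -> filtered.
    This is the vocabulary nmap reports, which is why a DENY'd port and an
    ICMP-REJECT'd port both show as "filtered", while a RST makes it look closed.
    """
    if reply is None:
        return "filtered"               # DENY / DROP: silence, only a timeout
    parsed = parse_ipv4(reply)
    if parsed is None:
        return "unknown"
    proto, _src, _dst, payload = parsed
    if proto == PROTO_TCP and len(payload) >= 14:
        sport = struct.unpack("!H", payload[:2])[0]
        if sport != probed_port:
            return "unknown"            # not a reply to the port we probed
        flags = payload[13]
        if flags & TCP_RST:
            return "closed"             # kernel's own RST, or return-rst / tcp-reset REJECT
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open"               # something accepted the connection
        return "unknown"
    if proto == PROTO_ICMP and len(payload) >= 8:
        if payload[0] == ICMP_UNREACHABLE:
            return "filtered"           # REJECT: host/port unreachable came back
        return "unknown"
    return "unknown"


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum zero) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header; seq/ack/window/checksum are placeholders."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def build_icmp_unreachable(code: int) -> bytes:
    """8-byte ICMP type 3 header; the quoted original datagram is omitted."""
    return struct.pack("!BBHI", ICMP_UNREACHABLE, code, 0, 0)


SCANNER, TARGET, PORT = "192.0.2.10", "192.0.2.20", 22   # constructed for the example


def demo_scan() -> dict:
    """One SYN probe to TARGET:22 and the reply each firewall policy produces."""
    rst = build_ipv4(PROTO_TCP, TARGET, SCANNER, build_tcp(PORT, 40000, TCP_RST | TCP_ACK))
    syn_ack = build_ipv4(PROTO_TCP, TARGET, SCANNER, build_tcp(PORT, 40000, TCP_SYN | TCP_ACK))
    unreach = build_ipv4(PROTO_ICMP, TARGET, SCANNER, build_icmp_unreachable(3))
    return {
        "ACCEPT, sshd listening": classify_reply(syn_ack, PORT),
        "ACCEPT, nothing listening": classify_reply(rst, PORT),
        "return-rst (RST sent by the firewall)": classify_reply(rst, PORT),
        "REJECT (ICMP port unreachable)": classify_reply(unreach, PORT),
        "DENY / DROP (no reply)": classify_reply(None, PORT),
    }


if __name__ == "__main__":
    for policy, state in demo_scan().items():
        print(f"{policy:40s} -> {state}")
```

The point the table makes is the one the thread circles around: a DROP'd port and an ICMP-REJECT'd port look the same to the scanner ("filtered", and thus worth a closer look), whereas a RST is indistinguishable from an ordinary unused port. Whichever you pick, the blocked address still reaches your interface, so the rule does nothing about the scanning itself, only about what goes back.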
participants (5)
- Anders Johansson
- Boris Lorenz
- dog@intop.net
- maf king
- Radu Anghel