how do I build iptable-protection for scanners like nmap
Hi, how do I have to write an iptables rule to protect my box against portscanning with tools like nmap? Regards, Ruprecht
On Monday 26 May 2003 18:01, Ruprecht Helms wrote:
how do I have to write an iptables rule to protect my box against portscanning with tools like nmap?
For a 100% secure firewall: http://www.ranum.com/pubs/a1fwall/
The following document will give you some hints on what questions need to be answered before you can expect more specific help: http://www.nswc.navy.mil/ISSEC/Docs/Ref/GeneralInfo/firewall_faq.html
You may want to look at the personal-firewall and/or SuSEfirewall2 provided in the SuSE distribution before trying to write a set of rules yourself.
Arjen -- 51 N 25' 05.1" - 05 E 29' 13.3" Key fingerprint - 66 4E 03 2C 9D B5 CB 9B 7A FE 7E C1 EE 88 BC 57
On Monday 26 May 2003 18:41, Arjen de Korte wrote:
<..... snip.....> You may want to look at the personal-firewall and/or SuSEfirewall2 provided in the SuSE distribution before trying to write a set of rules yourself.
Just buying a cheap DSL router, and letting it function as some kind of "personal firewall", will help many people a lot against misconfigurations, as well as against insecure default installs. It's worth taking note that SSH is very often activated as part of the install, so when you log in for the first time, the SSH daemon is running. What if you are randomly hacked just after (during?) install because your machine was directly connected to the internet as a result of a new exploit? Windows has its own problems, so to speak. Cheers, Sigfred.
On Monday 26 May 2003 21:03, Sigfred Håversen wrote:
Just buying a cheap DSL router, and letting it function as some kind of "personal firewall", will help many people a lot against misconfigurations.
I think most users with at least two brain cells can manage to set the single configuration parameter of the personal firewall. For modem, ISDN and DSL connections, it requires one mouse click to 'Activate Firewall'. Easy enough.
Arjen -- 51 N 25' 05.1" - 05 E 29' 13.3" Key fingerprint - 66 4E 03 2C 9D B5 CB 9B 7A FE 7E C1 EE 88 BC 57
On Monday 26 May 2003 21:52, Arjen de Korte wrote:
On Monday 26 May 2003 21:03, Sigfred Håversen wrote:
Just buying a cheap DSL router, and letting it function as some kind of "personal firewall", will help many people a lot against misconfigurations.
I think most users with at least two brain cells can manage to set the single configuration parameter of the personal firewall.
You are talking out of your ass.
For modem, ISDN and DSL connections, it requires one mouse click to 'Activate Firewall'. Easy enough.
One click? From Yast? /Sigfred
----- Original Message ----- From: "Sigfred Håversen" <suselist@mumak.com> To: <suse-security@suse.com> Sent: Monday, May 26, 2003 11:43 PM Subject: Re: [suse-security] how do I build iptable-protection for scanners like nmap
Good Morning...
To drop stealth scans like nmap you can use the following rules in a simple firewall with iptables:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Thanos... Athanasios Plastiras Greece Athens
Good Morning to Athens,
To drop stealth scans like nmap you can use the following rules in a simple firewall with iptables:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
That is the response in the KISS style. KISS = keep it short and stupid. And that was what I wanted. Regards, Ruprecht
Sounds like something I can adapt into my *ipchains* rules. But why use "! --syn -m state --state"? Can anybody explain? Thank you, Azman Salleh
----- Original Message ----- From: "Πλαστήρας Αθανάσιος" <t.plastiras@gsis.gov.gr> To: <suse-security@suse.com> Sent: 27 May, 2003 1:27 PM Subject: Re: [suse-security] how do I build iptable-protection for scanners like nmap
Good Morning...
To drop stealth scans like nmap you can use the following rules in a simple firewall with iptables:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Thanos...
Athanasios Plastiras Greece Athens
----- Original Message ----- From: "Azman Salleh" <azmansal@nti.com.my> To: <suse-security@suse.com> Sent: Wednesday, May 28, 2003 4:31 AM Subject: Re: [suse-security] how do I build iptable-protection for scanners like nmap
: Sounds like something I can adapt into my *ipchains* rules.
I don't know. ipchains doesn't have "state" ...
: But why use "! --syn -m state --state"? Can anybody explain?
"! --syn -m state --state NEW": This means a new connection, but the flag is not SYN. For a normal connection it must be SYN, but some scanners (nmap...) send the FIN flag or others to see if some ports respond... If there is a response, the port must be open....
: Thank you,
: Azman Salleh
Sounds like something I can adapt into my *ipchains* rules. But why use "! --syn -m state --state"? Can anybody explain?
Just a guess: the state module tracks connections. A normal TCP connection starts with the SYN flag set. So if the connection does not exist already (so it is new in this sense) but does not have the SYN flag "on", THEN this particular packet is (almost 100% sure?) crafted, i.e. not originating from a nicely behaving IP stack but generated otherwise. If the TCP connection is opened the normal way - it has SYN in the first packet, ACK/SYN (typically combined) in the reply and ACK in the third (second incoming) - then it follows the specs correctly and is accepted (unless other rules DROP/REJECT it). Then the state module is used (and able) to track the connection - it probably notices things such as hijacking attempts too (especially when packets are properly numbered). Does this answer your question? (And is this the correct answer?)
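The matching logic that Thanos's rule and timo's explanation describe, as an added example that is not part of this thread: a Python model of `! --syn -m state --state NEW` with a simplified connection-tracking table and constructed packets. The scan names, addresses and flag combinations are assumptions for illustration; it also shows that a plain SYN probe passes this rule.

```python
# Added example (not from the thread): a model of what the rule
#   iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# matches. Packets are constructed, and Conntrack is a simplified stand-in
# for the kernel's state module, not the real implementation.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

@dataclass
class Conntrack:
    """A connection is NEW if no entry exists for its 4-tuple; an entry is
    only confirmed once the opening packet has been accepted."""
    table: set = field(default_factory=set)

    def state(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "ESTABLISHED" if key in self.table else "NEW"

    def confirm(self, pkt):
        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

def is_syn(pkt):
    """iptables --syn: SYN set while ACK and RST are clear."""
    return "SYN" in pkt.flags and not ({"ACK", "RST"} & pkt.flags)

def verdict(pkt, ct):
    """The thread's rule: a NEW connection whose first packet is not a
    proper SYN is a crafted probe, so LOG and DROP it."""
    if ct.state(pkt) == "NEW" and not is_syn(pkt):
        return "DROP"
    ct.confirm(pkt)
    return "ACCEPT"  # falls through to whatever rules follow

def classify_probes():
    """Flag combinations typical of nmap scan types (assumed for illustration)."""
    probes = {"FIN scan": {"FIN"}, "NULL scan": set(), "Xmas scan": {"FIN", "PSH", "URG"},
              "ACK scan": {"ACK"}, "SYN scan": {"SYN"}}
    ct = Conntrack()
    return {name: verdict(TcpPacket("198.51.100.7", 40000 + i, "192.0.2.10", 22, frozenset(f)), ct)
            for i, (name, f) in enumerate(probes.items())}

def handshake_then_data():
    """A well-behaved client: the SYN is accepted and the later ACK and
    PSH/ACK packets of the same 4-tuple are ESTABLISHED, so the rule is silent."""
    ct = Conntrack()
    tup = ("198.51.100.7", 51000, "192.0.2.10", 80)
    return [verdict(TcpPacket(*tup, frozenset(f)), ct)
            for f in ({"SYN"}, {"ACK"}, {"ACK", "PSH"})]
```

A SYN probe is indistinguishable from a genuine connection attempt under this rule, which is why the thread presents it as protection against stealth scans only, not against port scanning in general.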
----- Original Message ----- Subject: Re: [suse-security] how do I build iptable-protection for scanners like nmap
Good Morning...
To drop stealth scans like nmap you can use the following rules in a simple firewall with iptables:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
On Monday 26 May 2003 18:01, Ruprecht Helms wrote:
Hi,
how do I have to write an iptables rule to protect my box against portscanning with tools like nmap?
Regards, Ruprecht
You can make it more difficult for them, forcing them to use more time scanning ports and making the results of the port scan less clear. Might not always be possible of course. If you offer public services (like a web server), a firewall won't protect you much against exploits against the web server. A script kiddie wanting to use an SSL exploit on an Apache server might just scan for port 80/443, and if you offer those services to the public, there is not much to do about the scan as such.
The author of the book "Linux Firewalls 2nd ed" has a website http://linux-firewall-tools.com/linux/ where you may find the iptables rules he used in his book, as well as links to other resources. In his scripts you'll find example rules to stop common types of "stealth scans" for iptables.
One place to put such rules in SuSEfirewall2 is in the file /etc/sysconfig/scripts/SuSEfirewall2-custom, at least to have some logging of scans as such.
Cheers, Sigfred.
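As an added example not from the thread, a Python summary of the kernel log lines that the `LOG --log-prefix "Stealth scan"` rule produces, the kind of logging Sigfred suggests adding in SuSEfirewall2-custom. The log lines are constructed to follow the netfilter LOG field layout (SRC=, DPT=, bare flag words before URGP=), and the addresses are documentation ranges.

```python
# Added example (not from the thread): summarise kernel LOG lines written by
# a rule with --log-prefix "Stealth scan". SAMPLE_LOG is constructed to match
# the netfilter LOG format; it was not captured from a real host.
import re
from collections import defaultdict

SAMPLE_LOG = """\
May 28 03:12:01 box kernel: Stealth scan IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0
May 28 03:12:01 box kernel: Stealth scan IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=48 ID=2 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 FIN URGP=0
May 28 03:12:02 box kernel: Stealth scan IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=48 ID=3 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 FIN URGP=0
May 28 03:15:40 box kernel: Stealth scan IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=60 ID=9 PROTO=TCP SPT=1234 DPT=25 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
May 28 03:16:00 box kernel: Stealth scan IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=60 ID=10 PROTO=TCP SPT=1234 DPT=110 WINDOW=1024 RES=0x00 URGP=0
May 28 03:20:00 box kernel: some unrelated line IN=eth0 SRC=192.0.2.55 PROTO=UDP
"""

FLAG_WORDS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
# nmap-style probe names for the flag sets (assumed mapping for illustration)
SCAN_KIND = {frozenset({"FIN"}): "FIN scan", frozenset(): "NULL scan",
             frozenset({"FIN", "PSH", "URG"}): "Xmas scan", frozenset({"ACK"}): "ACK scan"}
FIELD_RE = re.compile(r"\b(SRC|DPT)=(\S+)")

def parse_line(line):
    """Return (src, dport, flags) for a TCP 'Stealth scan' line, else None."""
    if "Stealth scan" not in line or "PROTO=TCP" not in line or "RES=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # TCP flags appear as bare words between RES=... and URGP=
    tail = line.split("RES=", 1)[1].split("URGP=", 1)[0]
    flags = frozenset(w for w in tail.split() if w in FLAG_WORDS)
    return fields["SRC"], int(fields["DPT"]), flags

def summarise(log_text):
    """Per source address: sorted distinct target ports and the probe types seen."""
    ports, kinds = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport, flags = parsed
        ports[src].add(dport)
        kinds[src].add(SCAN_KIND.get(flags, "other non-SYN probe"))
    return {src: (sorted(ports[src]), sorted(kinds[src])) for src in ports}
```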
participants (6)
- Arjen de Korte
- Azman Salleh
- Ruprecht Helms
- Sigfred Håversen
- timo
- Πλαστήρας Αθανάσιος