How to Block Port Scanning Tools and Log Them With iptables?

I have a problem. How can I block port scanning tools and log them with iptables? I should not use any extra application on my Ubuntu.


Hi,

Why don't you want to use an extra package?

Visit:
http://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/

Best Regards,
Jalal Hajigholamali

answered

Please also share a video of the robot working.

answered

I don't want to use psad. Can I do it only with iptables?

answered

I want to use only iptables. I don't want to use psad. Can I do it?

answered

Yes, you can block port scans using only iptables.
Here is one example that uses many methods to secure against common attacks:
http://sharadchhetri.com/2013/06/15/how-to-protect-from-port-scanning-and-smurf-attack-in-linux-server-by-iptables/

If that's too complex, check out this simple tutorial for basic protection
http://www.techrepublic.com/blog/10-things/10-iptables-rules-to-help-secure-your-linux-box/

To add logging, add the following to the end of any line with a DROP command
--log-level 6

I strongly suggest using psad. It's a great tool. Myself I use SNORT with Barnyard.

answered

Hi,

Use these rules:


# SYN+ACK that does not belong to a connection we opened, and packets with no flags at all
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# combinations that never occur in a legitimate TCP segment
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# FIN, PSH or URG set without ACK (and FIN+RST together)
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

answered

Thanks a lot all. It helps me a lot.

answered

@mohammad moeini,

How do those rules protect against port scanning tools? Please explain your rules.

answered

Hi,

First I will explain each of these statements.

As you know, rules are inserted into iptables (standard rules) using the iptables command.

The -A switch means append a rule (don't forget that iptables works with chains, which means the last rule runs last).

The -p switch selects the protocol: -p tcp uses the TCP protocol.
The --tcp-flags switch selects specific flags. The flags are: SYN, ACK, FIN, RST, URG, PSH, ALL, NONE.


Blocking null packets.

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Null packets are, simply said, recon packets. The attack patterns use these to try and find out weaknesses.

iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

In brief, we need to drop bogus packets, such as those with the SYN+FIN flags set. You can drop this particular packet by adding that rule.


# drop packets with the invalid SYN+RST combination
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP


I refer you to my references; sorry, my phone was stolen and I don't have Internet access on my phone.

My references are:

Build a Home Webserver Using Fedora 12
By Roy Ellwood


and

Data Privacy Management and Autonomous Spontaneous Security: 7th
edited by Roberto Di Pietro, Javier Herranz, Ernesto Damiani, Radu State

answered

@mohammad moeini,

Thanks for the breakdown, but I don't see a way to stop a port scan. Dropping malformed and null packets is a good idea but it doesn't do anything for port scans.

Check out the links in my previous post for info on port scan mitigation ideas. The most basic is something like this (note: port-scan is just the name I assigned to this chain; you can use your own):

# create the user-defined chains before appending to them
iptables -N port-scan
iptables -N syn-flood
iptables -N specific-rule-set
# let 1 RST/s through; anything faster is logged (DROP itself never logs) and then dropped
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j LOG --log-prefix "PORT-SCAN: " --log-level 6
iptables -A port-scan -j DROP
iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
iptables -A INPUT -j specific-rule-set

These four lines are all you need for basic port scan protection and logging on home and SOHO setups. By using the limit option, we can stop most port scans. These simple rules may not be enough for business class or enterprise setups. For those follow the first link in my original post for a more robust setup.

answered
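Putting the thread's pieces together, as an added example that is not code from any of the answers: the script below emits a complete iptables-restore ruleset. It keeps the bogus-flag DROP rules from mohammad moeini's answer and the rate-limited port-scan chain from the last answer, but pairs every DROP with a rate-limited LOG rule, since the DROP target never logs anything and --log-level is an option of -j LOG only. It also adds one thing the thread does not show: new SYNs to ports you do not serve are logged and dropped, because a SYN or connect scan against this host sends SYNs to closed ports, while the thread's rule only sees packets that arrive with RST set. The chain names, log prefixes, limit values and the ALLOWED_TCP_PORTS list (22, 80, 443) are this example's assumptions; edit the list to your own services before loading it.

```shell
#!/bin/sh
# Added example, not code from the thread: emit a complete iptables-restore ruleset
# that turns the thread's two ideas into rules that both block and log.
#   BOGUS-FLAGS  - the invalid TCP flag combinations from mohammad moeini's answer
#   PORT-SCAN    - the rate-limited RST chain from the final answer
#   SCAN-SYN     - this example's addition: new SYNs to ports you do not serve
# DROP never logs; every drop here is preceded by a rate-limited LOG rule.
# Chain names, log prefixes, limits and ALLOWED_TCP_PORTS are this example's choices.

ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80 443}"   # assumed services; edit before loading

# "mask comp" pairs for --tcp-flags, exactly as in the thread's DROP rules
BOGUS_FLAG_RULES='
ALL NONE
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,RST FIN,RST
ACK,FIN FIN
ACK,PSH PSH
ACK,URG URG
ALL SYN,RST,ACK,FIN,URG
'

# log_then_drop CHAIN PREFIX MATCH...: the LOG/DROP pair every drop rule needs.
# The LOG rule is rate-limited so a flood cannot fill the disk.
log_then_drop() {
    chain=$1; prefix=$2; shift 2
    printf -- '-A %s %s -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "%s: " --log-level 6\n' "$chain" "$*" "$prefix"
    printf -- '-A %s %s -j DROP\n' "$chain" "$*"
}

build_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':BOGUS-FLAGS - [0:0]' ':PORT-SCAN - [0:0]' ':SCAN-SYN - [0:0]'

    printf '%s\n' "$BOGUS_FLAG_RULES" | while read -r mask comp; do
        [ -n "$mask" ] || continue
        log_then_drop BOGUS-FLAGS BOGUS-FLAGS -p tcp --tcp-flags "$mask" "$comp"
    done

    # Below 1 RST/s return to INPUT; above it, log and drop (the thread's rule, made to log)
    printf '%s\n' '-A PORT-SCAN -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN'
    log_then_drop PORT-SCAN PORT-SCAN -p tcp

    # A SYN to a port with no listener is what a SYN/connect scan actually sends
    for p in $ALLOWED_TCP_PORTS; do
        printf -- '-A SCAN-SYN -p tcp --dport %s -j ACCEPT\n' "$p"
    done
    log_then_drop SCAN-SYN SCAN-SYN -p tcp

    # Hook the chains into INPUT. Loopback and already-tracked traffic are accepted
    # first (this ordering is a choice of the example), so the checks only see the rest.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp -j BOGUS-FLAGS' \
        '-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT-SCAN' \
        '-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j SCAN-SYN' \
        'COMMIT'
}

build_ruleset
```

Review the output before loading it: iptables-restore replaces the whole filter table, so any other rules you rely on must be in the same file. A typical sequence on Ubuntu is `sh rules.sh > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4`; the iptables-persistent package reloads that file at boot. The logged packets appear in the kernel log (`journalctl -k` or /var/log/kern.log) with the prefix given to --log-prefix.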
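Reading the result, as a second added example that is not from the thread: the LOG target writes one kernel-log line per matched packet, consisting of your prefix followed by KEY=VALUE fields (IN=, OUT=, MAC=, SRC=, DST=, PROTO=, SPT=, DPT= and, for TCP, the names of the set flags). A port scan shows up as one source touching many distinct destination ports, so the awk script below counts distinct PROTO/DPT pairs per SRC and reports the sources at or above a threshold, skipping ICMP lines that carry no DPT. The sample log is constructed for this example using TEST-NET addresses, and the PORT-SCAN:, BOGUS-FLAGS: and SCAN-SYN: prefixes are assumed to be whatever you set with --log-prefix.

```shell
#!/bin/sh
# Added example, not from the thread: summarise iptables LOG lines from the kernel log.
# Usage:  scan_summary THRESHOLD < /var/log/kern.log      or      journalctl -k | scan_summary 5
# Output: one line per source with at least THRESHOLD distinct ports: "SRC distinct_ports packets"
# The sample below is constructed for this example (TEST-NET addresses, documentation MACs);
# the log prefixes are assumed to match what your --log-prefix rules set.

scan_summary() {
    awk -v thr="${1:-5}" '
        {
            src = ""; dpt = ""; proto = ""
            # every field after the prefix is KEY=VALUE; pick the three we need
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                if (kv[1] == "DPT") dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            # ICMP and other portless lines carry SRC but no DPT: count nothing for them
            if (src == "" || dpt == "") next
            key = src SUBSEP proto "/" dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
            hits[src]++
        }
        END {
            for (s in ports) if (ports[s] >= thr) printf "%s %d %d\n", s, ports[s], hits[s]
        }' | sort -k2,2nr -k1,1
}

# Constructed sample: 203.0.113.7 probes six distinct TCP ports (one twice) and also
# triggers an ICMP log line; 198.51.100.9 only hits port 23 twice with a bare FIN.
SAMPLE_LOG='
Mar  3 10:15:01 web kernel: SCAN-SYN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=55555 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:01 web kernel: SCAN-SYN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:01 web kernel: SCAN-SYN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=55555 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web kernel: SCAN-SYN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=55555 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web kernel: SCAN-SYN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=5 DF PROTO=TCP SPT=55555 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web kernel: SCAN-SYN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=6 DF PROTO=TCP SPT=55555 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web kernel: SCAN-SYN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=7 DF PROTO=TCP SPT=55556 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web kernel: PORT-SCAN: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Mar  3 10:16:10 web kernel: BOGUS-FLAGS: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=9 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 FIN URGP=0
Mar  3 10:16:11 web kernel: BOGUS-FLAGS: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=10 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 FIN URGP=0
'

# demo: run the summary over the constructed sample with a threshold of 5 distinct ports
demo() {
    printf '%s\n' "$SAMPLE_LOG" | scan_summary 5
}

demo
```

With the threshold at 5 only 203.0.113.7 is reported (6 distinct ports, 7 logged TCP packets; the ICMP line is ignored), while 198.51.100.9, which repeatedly hit a single port, is not. Lower the threshold to see every source, and raise it on busy hosts where legitimate clients touch several ports.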