Hi,

Why don't you want to use extra package ?

Visit:
http://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/

Best Regards,
Jalal Hajigholamali

Please also share one video with the robot working please.

I don't want to use psad. Can I do it only with iptables?

I want to use only iptables. I don't want to use psad. Can I do it?

Yes, you can block port scans using only iptables.
Here is one example using many methods to secure against common methods
http://sharadchhetri.com/2013/06/15/how-to-protect-from-port-scanning-and-smurf-attack-in-linux-server-by-iptables/

If that's too complex, check out this simple tutorial for basic protection
http://www.techrepublic.com/blog/10-things/10-iptables-rules-to-help-secure-your-linux-box/

To add logging, add the following to the end of any line with a DROP command
--log-level 6

I strongly suggest using psad. It's a great tool. Myself I use SNORT with Barnyard.

Hi,

Use these rules:

IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

Thanks a lot all. It helps me a lot.

@mohammad moeini,

How do those rules protect against port scanning tools? Please explain your rules.

Hi,

First I explain each of these statements.

You know for insert rules on iptables (standard Rule) using command iptables.

-A switch mean append rule ( don't forget iptables working seem chains that mean last rule .run last)

-p switch selecting protocol -p tcp using protocol tcp
--tcp-flags switch selecting special flags . Flags are: SYN ACK FIN RST URG PSH ALL NONE

Blocking null packets.

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Null packets are, simply said, recon packets. The attack patterns use these to try and find out weaknesses.

iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

In brief, we need to drop bogus packets, such as with SYN+FIN flags set. you can drop this particular packet by adding rule

IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
DROP invalid SYN,RST flags

I refer you to see my reference, sorry My phone was stolen and I don't have access to INTERNET with my phone.

MY reference is :

Build a Home Webserver Using Fedora 12
By Roy Ellwood

and

Data Privacy Management and Autonomous Spontaneous Security: 7th
edited by Roberto Di Pietro, Javier Herranz, Ernesto Damiani, Radu State

@mohammad moeini,

Thanks for the breakdown, but I don't see a way to stop a port scan. Dropping malformed and null packets is a good idea but it doesn't do anything for port scans.

Check out the links in my previous post for info on port scan mitigation ideas. The most basic is something like this - (note: port-scan is just the same I assigned to this chain. you can use your own)

iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP --log-level 6
iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan

These four lines are all you need for basic port scan protection and logging on home and SOHO setups. By using the limit option, we can stop most port scans. These simple rules may not be enough for business class or enterprise setups. For those follow the first link in my original post for a more robust setup.