David Allen wrote:
On 9/22/08, Ghirai <[EMAIL PROTECTED]> wrote:
On Mon, 22 Sep 2008 08:17:02 -0700
"David Allen" <[EMAIL PROTECTED]> wrote:

Over the last few weeks I've been getting numerous ports scans, each
from unique hosts.  The situation is more of an annoyance than
anything else, but I would prefer not seeing or having to deal with
an extra 20-30K entries in my logs as was the case recently.

I use pf for firewalling, and while it does offer different methods
(max-src-conn, max-src-conn-rate, etc.) for dealing with abusive
hosts, it doesn't seem to offer much in the way of dealing with
repeated blocked (non-stateful) connection attempts from a given host.

Short of running something like snort, is there a suitable tool for
dealing with this?  If not, I'll probably resort to running a cronjob
to parse the logfile and add the offending hosts manually.
Add the abusive hosts to a table x, via max-src-conn, max-src-conn-rate,
etc., then add near the top of your ruleset:

block drop quick from <x>

You either didn't read my message or have misunderstood pf.

The features you (and I) mention apply only to rules which create
state.   If your rules are written for port 22, 25, and 80 traffic,
for example, you can most certainly make use of those features.

However, receiving SYN packets to ports 1024-40000 isn't going to
match anything other than a default "block all" rule, which creates no
state.  That gives you zero such features to work with, but does give
you 38976 individual log entries.

Most of this sort of port scanning is automated by infected machines
-- it doesn't indicate a directed attack at you.  It's been described
as the 'background radiation of the Internet'.  So long as your systems
aren't vulnerable to the specific problems the malware is attempting to
exploit -- and assuming you aren't running Windows then you're almost
certainly immune from this automated stuff -- then why bother putting
any effort into blocking the source hosts?  Just dump the traffic and
ignore it.

Drop the traffic using a 'block log all' default action and 'set block-policy drop' in pf.conf.

Don't open up high-port ranges to incoming traffic, either UDP or TCP
-- if you have to run FTP servers then use ftp/ftp-proxy to avoid having
to open your firewall too much.  Also consider the following sysctls:

# Blackhole packets to ports without listeners
net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1

although these will be redundant if your firewalling is effective.

        Cheers,

        Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW
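The cron-job approach David mentions (parse the pf log, add the offending hosts to a table that a `block drop quick from <x>` rule consumes), as an added example that is not code from anyone in this thread. It assumes the log is read as text via `tcpdump -n -e -ttt -r /var/log/pflog`, that the table is called `scanners` and that the interface is `em0`; the threshold, the sample log lines and the RFC 5737 addresses in them are constructed. Because the default-deny hits David describes never create state, `max-src-conn-rate` cannot see them, which is why this works from the log instead:

```shell
#!/bin/sh
# Added example, not from the thread: count pf "block in" log entries per
# source host and feed the noisy ones to a pf table.  Pairs with a pf.conf
# fragment like (table name "scanners" is an assumption):
#
#   table <scanners> persist
#   block drop quick from <scanners>
#   block log all
#
# Real use from cron:
#   tcpdump -n -e -ttt -r /var/log/pflog 2>/dev/null | block_scanners 20
#
# PFCTL can be overridden (e.g. PFCTL=echo) for a dry run.
PFCTL="${PFCTL:-pfctl}"

# Constructed sample of tcpdump's text rendering of pflog entries; the
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG='00:00:00.000000 rule 0/0(match): block in on em0: 203.0.113.5.43210 > 192.0.2.10.1337: S 1:1(0) win 512
00:00:00.000100 rule 0/0(match): block in on em0: 203.0.113.5.43211 > 192.0.2.10.1338: S 2:2(0) win 512
00:00:00.000200 rule 0/0(match): block in on em0: 203.0.113.5.43212 > 192.0.2.10.1339: S 3:3(0) win 512
00:00:00.000300 rule 0/0(match): block in on em0: 198.51.100.7.5555 > 192.0.2.10.8080: S 4:4(0) win 512
00:00:00.000400 rule 3/0(match): pass in on em0: 198.51.100.9.40000 > 192.0.2.10.22: S 5:5(0) win 512
00:00:00.000500 rule 0/0(match): block out on em0: 192.0.2.10.1234 > 203.0.113.5.80: S 6:6(0) win 512'

# blocked_sources THRESHOLD: read tcpdump-style pflog text on stdin and print
# "count host" for every source with at least THRESHOLD blocked inbound
# packets, busiest first.  Outbound blocks and passed packets are ignored.
blocked_sources() {
    threshold="${1:-20}"
    awk -v min="$threshold" '
        /\(match\): block in on / {
            # The token two fields after "on" is "src.port"; strip the port.
            for (i = 1; i <= NF; i++) {
                if ($i == "on") { src = $(i + 2); break }
            }
            sub(/\.[0-9]+:?$/, "", src)
            hits[src]++
        }
        END {
            for (h in hits) if (hits[h] >= min) printf "%d %s\n", hits[h], h
        }
    ' | sort -rn
}

# block_scanners THRESHOLD: add every host over the threshold to the
# "scanners" table.  "pfctl -T add" is idempotent, so re-adding is harmless.
block_scanners() {
    blocked_sources "${1:-20}" | while read -r count host; do
        "$PFCTL" -t scanners -T add "$host"
    done
}

# Demo on the constructed sample: only 203.0.113.5 reaches three hits.
printf '%s\n' "$SAMPLE_LOG" | blocked_sources 3
```

Since the source address of a bare SYN can be forged, a high threshold and a periodic `pfctl -t scanners -T expire <seconds>` keep a spoofed or transient source from staying blocked indefinitely.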
