Re: detecting portscanning

2001-05-25 Thread Vladislav

Hello,
--- Rudy Gevaert [EMAIL PROTECTED] wrote:

> > Check out www.snort.org. Snort is capable of detecting
> > portscans. Note that not only portscans, but
> [skip]
> Could I use this with ippl?  Or just on portscanning
> system?
As you wish, but you don't need any additional
IP-logging systems when you use snort. You can log
only headers, or you can log full packets in various
formats (text, syslog, tcpdump-compatible, etc., including
logging to an SQL database).
Snort is a libpcap-based packet sniffer/logger which
can be used as a lightweight network intrusion
detection system. It features rules based logging and
can perform content searching/matching in addition to
being used to detect a variety of other attacks and
probes, such as buffer overflows, stealth port scans,
CGI attacks, SMB probes, and much more. Snort has a
real-time alerting capability, with alerts being sent
to syslog, a separate alert file, or even to a
Windows computer via Samba. 
When I installed snort on my computer, I deleted
tcplogd, icmplog, and other such systems.


=
Regards, Vladislav. --- http://cybervlad.port5.com



--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: detecting portscanning

2001-05-25 Thread Rudy Gevaert

Hello,

On Thu, 24 May 2001, Vladislav wrote:

> Check out www.snort.org. Snort is capable of detecting
> portscans. Note that it detects not only portscans but other
> strange activities (i.e. tracing, OS fingerprinting,
> etc.) and attacks. You can download sources from the
> original site or get the *.deb from Debian (it is included
> in the latest release).

Could I use this with ippl?  Or just on portscanning system?

Greets,

Rudy

-- 
   ___  _   _  ___
|_  / / _ \| | | |/ __|  e:[EMAIL PROTECTED] phone: 0486/690159
 / / |  __/| |_| |\__ \  url: http://studwww.rug.ac.be/~rgevaert/
/___| \___| \__,_||___/  http://zeus.rug.ac.be





Re: detecting portscanning

2001-05-24 Thread Rudy Gevaert

On Thu, 24 May 2001, Rudy Gevaert wrote:

Hello again,

Some people suggested ippl; I installed it, and it runs.  It works :-)

Some other people said I should use portsentry.  I looked for it on the
website, and it is a tar.gz file, but in the unstable section I can find a
deb file. But I'm using stable.

Will this give any problems? Or can I just download it?  I think I will
have to add a line to my apt-get config file.  Right?

Again, thanks in advance,

Rudy


-- 
   ___  _   _  ___
|_  / / _ \| | | |/ __|  e:[EMAIL PROTECTED] phone: 0486/690159
 / / |  __/| |_| |\__ \  url: http://studwww.rug.ac.be/~rgevaert/
/___| \___| \__,_||___/  http://zeus.rug.ac.be







Re: detecting portscanning

2001-05-24 Thread Peter Hicks

On Thursday 24 May 2001 14:01, Rudy Gevaert wrote:
> On Thu, 24 May 2001, Rudy Gevaert wrote:
> 
> Hello again,
> 
> Some people suggested ippl; I installed it, and it runs.  It works :-)
> 
> Some other people said I should use portsentry.  I looked for it on the
> website, and it is a tar.gz file, but in the unstable section I can find a
> deb file. But I'm using stable.
> 
> Will this give any problems? Or can I just download it?  I think I will
> have to add a line to my apt-get config file.  Right?
> 
> Again, thanks in advance,
> 
> Rudy

The problem with portsentry is that it binds to all the ports you are 
watching, so people that are scanning actually see those ports open. It is 
better to use snort, which will let you know that the scans have happened 
without the attacker being aware.






RE: detecting portscanning

2001-05-24 Thread Ed Street

Hello,

There are several methods to tell that.

a) use a product like portsentry
b) use iptables/ipchains to reject all forms of portscans
c) don't connect the box to the inet as portscans are a fact of life ;)

portsentry will trashcan any system that attempts to portscan you.  If you're
using 2.2.x you may want to put on the stealth kernel patch (freshmeat.net
search for stealth) that helps hinder scans

iptables has an awesome mechanism for portscans ;)  in fact you can set it up
so that all portscans (well most I should say) will literally take HOURS to
return nothing.

Ed


-Original Message-
From: Rudy Gevaert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 4:17 PM
To: [EMAIL PROTECTED]
Subject: detecting portscanning


Hello Everyone,

It is my first time I'm putting up a server (at home, cable modem) with
ftp/ssh/apache on it.

Now I would like to know who does portscans on my machine, and when.  And
how many.

Is there a package for it in debian?  Or do I have to install something
else.

Thanks in advance,

Rudy
--
   ___  _   _  ___
|_  / / _ \| | | |/ __|  e:[EMAIL PROTECTED] phone: 0486/690159
 / / |  __/| |_| |\__ \  url: http://studwww.rug.ac.be/~rgevaert/
/___| \___| \__,_||___/  http://zeus.rug.ac.be







RE: detecting portscanning

2001-05-24 Thread Rudy Gevaert

On Thu, 24 May 2001, Ed Street wrote:

> Hello,
> 
> There are several methods to tell that.
> 
> a) use a product like portsentry
> b) use iptables/ipchains to reject all forms of portscans
> c) don't connect the box to the inet as portscans are a fact of life ;)
> 
> portsentry will trashcan any system that attempts to portscan you.  If you're
> using 2.2.x you may want to put on the stealth kernel patch (freshmeat.net
> search for stealth) that helps hinder scans
> 
> iptables has an awesome mechanism for portscans ;)  in fact you can set it up
> so that all portscans (well most I should say) will literally take HOURS to
> return nothing.

Ok thanks,

I'll use iptables when I get my network running.  Now it is just a
standalone box.  I'm running ippl and it logs most things.  It will
work for now I think ;)

Thanks to everyone for all the help!

Greetings,

Rudy
-- 
   ___  _   _  ___
|_  / / _ \| | | |/ __|  e:[EMAIL PROTECTED] phone: 0486/690159
 / / |  __/| |_| |\__ \  url: http://studwww.rug.ac.be/~rgevaert/
/___| \___| \__,_||___/  http://zeus.rug.ac.be







RE: detecting portscanning

2001-05-24 Thread Ed Street

#!/bin/sh
# The variables below are used by the fragment but were not defined in the
# original post; these defaults are added so it runs stand-alone
# (override them in the environment).
IPTABLES=${IPTABLES:-/sbin/iptables}
LOG_LEVEL=${LOG_LEVEL:-info}
LIMIT_RATE=${LIMIT_RATE:-5/minute}

# 
echo Rejecting Portscans
# 

# 
# Reject Xmas scans
# 
# Generic dirty interface mapping: "--tcp-flags ALL FIN,URG,PSH" matches a
# segment with exactly FIN, URG and PSH set, which no real TCP stack sends.
# The rate limit keeps a scan from flooding the log.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# This disallows ALL portscans that will hit the PREROUTING table
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# 

# 
# Reject FIN scans
# 
# A bare FIN that belongs to no established connection is a probe.
# (The original wrote "--state ! ESTABLISHED"; current iptables wants the
# negation before the option.)
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED -j DROP
# This disallows ALL portscans that will hit the PREROUTING table
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN -j DROP
# 

# 
# Reject ANY station that opens and immediately closes a connection
# Some portscanners do this (SYN and FIN set in the same segment)
# 
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP

$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN -j DROP
# 

# 
# invalid crap: log whatever the connection tracker cannot classify
# 
$IPTABLES -t mangle -A PREROUTING -m state --state INVALID \
    -m limit --limit $LIMIT_RATE -j LOG --log-level $LOG_LEVEL
# 

This isn't complete, as the SYN scan will still get through, BUT it will take
ages to show anything.  Also, use of rp_filter ('spoof' protection) helps out
too.

Ed

-Original Message-
From: S.Salman Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 8:11 PM
To: [EMAIL PROTECTED]
Subject: RE: detecting portscanning


 Ed == Ed Street [EMAIL PROTECTED] writes:
Ed
Ed iptables has an awesome mechanism for portscans ;) in fact you
Ed can set it up so that all portscans (well most I should say)
Ed will literally take HOURS to return nothing.
Ed

What iptables rule(s) would cause that behaviour ?

--
Salman Ahmed
ssahmed AT pathcom DOT com






Re: detecting portscanning

2001-05-24 Thread Vladislav

Hello,
--- Rudy Gevaert [EMAIL PROTECTED] wrote:
> It is my first time I'm putting up a server (at
> home, cable modem) with
> ftp/ssh/apache on it.
> 
> Now I would like to know who does portscans on my
> machine, and when.  And
> how many.
> 
> Is there a package for it in debian?  Or do I have
> to install something
> else.
Check out www.snort.org. Snort is capable of detecting
portscans. Note that it detects not only portscans but other
strange activities (i.e. tracing, OS fingerprinting,
etc.) and attacks. You can download sources from the
original site or get the *.deb from Debian (it is included
in the latest release).


=
Regards, Vladislav. --- http://cybervlad.port5.com






Re: detecting portscanning

2001-05-24 Thread Tim Uckun



> The problem with portsentry is that it binds to all the ports you are
> watching, so people that are scanning actually see those ports open. It is
> better to use snort, which will let you know that the scans have happened
> without the attacker being aware.


Although it binds to all the ports portsentry can blackhole the scanner as 
soon as it detects it with an IP chains rule. Once the user starts a scan 
they will be immediately blackholed and will never even complete the scan.




:wq
Tim Uckun
Due Diligence Inc.  http://www.diligence.com/Americas Background 
Investigation Expert.
If your company isn't doing background checks, maybe you haven't considered 
the risks of a bad hire.




Re: detecting portscanning

2001-05-24 Thread Peter Cordes
On Thu, May 24, 2001 at 03:47:33PM -0600, Tim Uckun wrote:
> 
> > The problem with portsentry is that it binds to all the ports you are
> > watching, so people that are scanning actually see those ports open. It is
> > better to use snort, which will let you know that the scans have happened
> > without the attacker being aware.
> 
> Although it binds to all the ports portsentry can blackhole the scanner as 
> soon as it detects it with an IP chains rule. Once the user starts a scan 
> they will be immediately blackholed and will never even complete the scan.

 Don't do that unless you know what you are doing.  If somebody fakes a
portscan coming from somewhere you really wouldn't want to blackhole (e.g.
your name server), you could lose bigtime.  If you know what you're doing,
and understand the risks, then do whatever tickles your fancy.  Just be
careful about suggesting potentially dangerous stuff.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BCE
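As an added example (not code from this thread, nor from snort, ippl, portsentry or iptables), the following Python script does two things the thread discusses: it answers Rudy's original question, who scanned, when, and how many, by summarising the kernel log lines that LOG rules of the kind Ed posted produce (the Xmas, FIN and SYN+FIN flag patterns), and it applies Peter Cordes's caveat to Tim's "blackhole the scanner" idea. Because a FIN or Xmas probe never completes a handshake, its source address can be forged, so `block_candidates` refuses to nominate addresses on a never-block list (your own resolver, for instance). The LOG line layout it parses is the standard netfilter one (`SRC=`, `DST=`, `DPT=`, then the set TCP flags as bare words); the sample lines, hosts and addresses are constructed for the example, and the function names are hypothetical.

```python
"""Summarise netfilter LOG lines from anti-portscan rules: who, when, how many.

Added example; not code from the thread or from any tool it mentions. Assumes the
kernel LOG format "IN=... SRC=... DST=... PROTO=TCP SPT=... DPT=... <flag words>".
"""
import re
from datetime import datetime

TCP_FLAG_WORDS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample log (documentation addresses). 203.0.113.7 runs an Xmas scan
# over four ports; 198.51.100.2 (pretend it is our resolver, SPT=53, possibly
# forged) sends bare FINs; 192.0.2.99 sends one SYN+FIN segment.
SAMPLE_LOG = """\
May 24 16:17:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=TCP SPT=44321 DPT=21 WINDOW=1024 RES=0x00 FIN URG PSH URGP=0
May 24 16:17:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 FIN URG PSH URGP=0
May 24 16:17:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=TCP SPT=44321 DPT=80 WINDOW=1024 RES=0x00 FIN URG PSH URGP=0
May 24 16:17:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=TCP SPT=44321 DPT=443 WINDOW=1024 RES=0x00 FIN URG PSH URGP=0
May 24 16:20:15 gw kernel: IN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0
May 24 16:20:15 gw kernel: IN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=TCP SPT=53 DPT=25 WINDOW=1024 RES=0x00 FIN URGP=0
May 24 16:31:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=5555 DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line, year=2001):
    """Return a dict for one TCP LOG line, or None for anything else.

    syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if fields.get("PROTO") != "TCP":
        return None
    # The bare words in the tail are exactly the TCP flags set in the packet.
    flags = {tok for tok in m.group("rest").split() if tok in TCP_FLAG_WORDS}
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    try:
        return {"ts": ts, "src": fields["SRC"], "dst": fields["DST"],
                "dpt": int(fields["DPT"]), "flags": flags}
    except (KeyError, ValueError):
        return None  # fragment or truncated line without port information


def classify(flags):
    """Name the probe by the exact flag sets the thread's rules match."""
    if flags == {"FIN", "URG", "PSH"}:
        return "xmas"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"SYN", "FIN"}:
        return "syn-fin"
    return "other"


def summarise(log_text, year=2001):
    """Per source address: first/last sighting, packet count, ports touched, probe types."""
    per_src = {}
    for line in log_text.splitlines():
        pkt = parse_line(line, year)
        if pkt is None:
            continue
        s = per_src.setdefault(pkt["src"], {"first": pkt["ts"], "last": pkt["ts"],
                                            "packets": 0, "ports": set(), "types": set()})
        s["first"] = min(s["first"], pkt["ts"])
        s["last"] = max(s["last"], pkt["ts"])
        s["packets"] += 1
        s["ports"].add(pkt["dpt"])
        s["types"].add(classify(pkt["flags"]))
    return per_src


def block_candidates(summary, min_ports=3, never_block=frozenset()):
    """Sources that probed at least min_ports distinct ports, minus the allowlist.

    FIN/Xmas probes never complete a handshake, so SRC may be forged; blocking
    unconditionally would let a forged scan blackhole your own resolver."""
    return sorted(src for src, s in summary.items()
                  if len(s["ports"]) >= min_ports and src not in never_block)


def report(summary):
    """One human-readable line per source, oldest first."""
    lines = []
    for src, s in sorted(summary.items(), key=lambda kv: kv[1]["first"]):
        lines.append("%s  %s..%s  %d pkts  ports=%s  types=%s" % (
            src, s["first"].strftime("%H:%M:%S"), s["last"].strftime("%H:%M:%S"),
            s["packets"], sorted(s["ports"]), ",".join(sorted(s["types"]))))
    return lines


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print("\n".join(report(summary)))
    print("would block:", block_candidates(summary, never_block={"198.51.100.2"}))
```

Feed it `/var/log/kern.log` (or the syslog facility the LOG target writes to) instead of `SAMPLE_LOG` to get the same per-source summary for a real machine; the `never_block` set is where the addresses you cannot afford to lose (resolvers, your ISP's gateway, monitoring hosts) belong before any automatic blackholing is wired up.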


