Re: Dealing with portscans
David Allen wrote:
> On 9/22/08, Matthew Seaman <[EMAIL PROTECTED]> wrote:
>> Also consider the following sysctls:
>>
>> # Blackhole packets to ports without listeners
>> net.inet.tcp.blackhole=1
>> net.inet.udp.blackhole=1
>>
>> although these will be redundant if your firewalling is effective.
>
> I wonder, though, would using a block-policy setting of return (which
> I'm currently using) render the above redundant, or would the above
> take precedence? I'll have to add that to the list of Stuff to Check.

Yes. If the firewall disposes of the packet via a block rule, then those
sysctls will not have any effect. The firewall can either drop the packet
or send an ICMP port unreachable message according to how it is
configured. If the firewall passes the packet then either it is dealt
with by a program listening on the appropriate port, or the network stack
itself will generate an ICMP message (by default) or else just drop the
packet if the blackhole sysctls are enabled.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: Dealing with portscans
On 9/22/08, Matthew Seaman <[EMAIL PROTECTED]> wrote:
> David Allen wrote:
>> On 9/22/08, Ghirai <[EMAIL PROTECTED]> wrote:
>>> On Mon, 22 Sep 2008 08:17:02 -0700
>>> "David Allen" <[EMAIL PROTECTED]> wrote:
>
>> However, receiving SYN packets to ports 1024-40000 isn't going to
>> match anything other than a default "block all" rule, which creates no
>> state. That gives you zero such features to work with, but does give
>> you 38976 individual log entries.
>
> Most of this sort of port scanning is automated by infected machines
> -- it doesn't indicate a directed attack at you. It's been described as
> the 'background radiation of the Internet'. So long as your systems
> aren't vulnerable to the specific problems the malware is attempting to
> exploit -- and assuming you aren't running Windows then you're almost
> certainly immune from this automated stuff -- then why bother putting
> any effort into blocking the source hosts? Just dump the traffic and
> ignore.
>
> Drop the traffic using a 'block log all' default action and 'set
> block-policy drop' in pf.conf.

I'm not sure I agree that a single host scanning 30K ports can be so
easily dismissed as the result of a bot. That said, I agree with your
comments generally, but I prefer to log blocked traffic (with the
exception of certain categories of "noise"). That means when the "block
log all" rule matches, I'm at risk of tens of thousands of Mostly Useless
log entries as pointed out earlier.

The fact that those log entries or that activity is also Mostly Harmless
could mean that your Don't Panic is the right advice. But then, what if
it's someone trying to build an interspace bypass and all I have is a
bathrobe and a towel to work with?

> Don't open up high-port ranges to incoming traffic, either UDP or TCP
> -- if you have to run FTP servers then use ftp/ftp-proxy to avoid
> having to open your firewall too much.

I could write a rule to explicitly block (and not log) high port ranges,
but I'd prefer at least to be aware of someone actively scanning my
network. Which suggests, at least to me, that limited logging with
automagic table creation are the way to go.

> Also consider the following sysctls:
>
> # Blackhole packets to ports without listeners
> net.inet.tcp.blackhole=1
> net.inet.udp.blackhole=1
>
> although these will be redundant if your firewalling is effective.

I wonder, though, would using a block-policy setting of return (which
I'm currently using) render the above redundant, or would the above take
precedence? I'll have to add that to the list of Stuff to Check.

> Cheers,

Same to you, mate, and thanks for gracing me with your presence once
again.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Dealing with portscans
David Allen wrote:
> On 9/22/08, Ghirai <[EMAIL PROTECTED]> wrote:
>> On Mon, 22 Sep 2008 08:17:02 -0700
>> "David Allen" <[EMAIL PROTECTED]> wrote:
>>> Over the last few weeks I've been getting numerous port scans, each
>>> from unique hosts. The situation is more of an annoyance than
>>> anything else, but I would prefer not seeing or having to deal with
>>> an extra 20-30K entries in my logs as was the case recently.
>>>
>>> I use pf for firewalling, and while it does offer different methods
>>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive
>>> hosts, it doesn't seem to offer much in the way of dealing with
>>> repeated blocked (non-stateful) connection attempts from a given
>>> host.
>>>
>>> Short of running something like snort, is there a suitable tool for
>>> dealing with this? If not, I'll probably resort to running a cronjob
>>> to parse the logfile and add the offending hosts manually.
>>
>> Add the abusive hosts to a table x, via max-src-conn,
>> max-src-conn-rate, etc., then add near the top of your ruleset:
>>
>> block drop quick from <x>
>
> You either didn't read my message or have misunderstood pf. The
> features you (and I) mention apply only to rules which create state.
> If your rules are written for port 22, 25, and 80 traffic, for
> example, you can most certainly make use of those features.
>
> However, receiving SYN packets to ports 1024-40000 isn't going to
> match anything other than a default "block all" rule, which creates no
> state. That gives you zero such features to work with, but does give
> you 38976 individual log entries.

Most of this sort of port scanning is automated by infected machines --
it doesn't indicate a directed attack at you. It's been described as the
'background radiation of the Internet'. So long as your systems aren't
vulnerable to the specific problems the malware is attempting to exploit
-- and assuming you aren't running Windows then you're almost certainly
immune from this automated stuff -- then why bother putting any effort
into blocking the source hosts? Just dump the traffic and ignore.

Drop the traffic using a 'block log all' default action and 'set
block-policy drop' in pf.conf.

Don't open up high-port ranges to incoming traffic, either UDP or TCP --
if you have to run FTP servers then use ftp/ftp-proxy to avoid having to
open your firewall too much.

Also consider the following sysctls:

# Blackhole packets to ports without listeners
net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1

although these will be redundant if your firewalling is effective.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: Dealing with portscans
----- Original Message -----
From: "David Allen" <[EMAIL PROTECTED]>
Sent: Monday, September 22, 2008 4:06 PM
Subject: Re: Dealing with portscans

> On 9/22/08, Greg Larkin <[EMAIL PROTECTED]> wrote:
>> David Allen wrote:
>>> Over the last few weeks I've been getting numerous port scans, each
>>> from unique hosts. The situation is more of an annoyance than
>>> anything else, but I would prefer not seeing or having to deal with
>>> an extra 20-30K entries in my logs as was the case recently.
>>>
>>> I use pf for firewalling, and while it does offer different methods
>>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive
>>> hosts, it doesn't seem to offer much in the way of dealing with
>>> repeated blocked (non-stateful) connection attempts from a given
>>> host.
>>>
>>> Short of running something like snort, is there a suitable tool for
>>> dealing with this? If not, I'll probably resort to running a cronjob
>>> to parse the logfile and add the offending hosts manually.
>>
>> Hi David,
>>
>> You might want to try security/portsentry from the ports tree. It's a
>> bit dated, and it has no maintainer at the moment, but a cursory
>> glance at it tells me it might work for you. It supports pf for
>> blocking connections once your trigger conditions are met.
>
> I'll give it a try. FWIW, I did discover that parsing the log files to
> get a list of offending hosts (denied a number of times above a given
> threshold) wasn't really as slow or troublesome as I thought. That
> slightly hackish approach might be useful for port scans in addition
> to the various rubbish I get sent.
>
> Thanks to both you and Jeff Laine for the replies.

Hiyas,

Would it work with IPFW or just PF? Can PF and IPFW run at the same time?

-Grant
Re: Dealing with portscans
On 9/22/08, Greg Larkin <[EMAIL PROTECTED]> wrote:
> David Allen wrote:
>> Over the last few weeks I've been getting numerous port scans, each
>> from unique hosts. The situation is more of an annoyance than anything
>> else, but I would prefer not seeing or having to deal with an extra
>> 20-30K entries in my logs as was the case recently.
>>
>> I use pf for firewalling, and while it does offer different methods
>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive
>> hosts, it doesn't seem to offer much in the way of dealing with
>> repeated blocked (non-stateful) connection attempts from a given host.
>>
>> Short of running something like snort, is there a suitable tool for
>> dealing with this? If not, I'll probably resort to running a cronjob
>> to parse the logfile and add the offending hosts manually.
>
> Hi David,
>
> You might want to try security/portsentry from the ports tree. It's a
> bit dated, and it has no maintainer at the moment, but a cursory glance
> at it tells me it might work for you. It supports pf for blocking
> connections once your trigger conditions are met.

I'll give it a try. FWIW, I did discover that parsing the log files to
get a list of offending hosts (denied a number of times above a given
threshold) wasn't really as slow or troublesome as I thought. That
slightly hackish approach might be useful for port scans in addition to
the various rubbish I get sent.

Thanks to both you and Jeff Laine for the replies.
Re: Dealing with portscans
On 9/22/08, Ghirai <[EMAIL PROTECTED]> wrote:
> On Mon, 22 Sep 2008 08:17:02 -0700
> "David Allen" <[EMAIL PROTECTED]> wrote:
>
>> Over the last few weeks I've been getting numerous port scans, each
>> from unique hosts. The situation is more of an annoyance than
>> anything else, but I would prefer not seeing or having to deal with
>> an extra 20-30K entries in my logs as was the case recently.
>>
>> I use pf for firewalling, and while it does offer different methods
>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive
>> hosts, it doesn't seem to offer much in the way of dealing with
>> repeated blocked (non-stateful) connection attempts from a given host.
>>
>> Short of running something like snort, is there a suitable tool for
>> dealing with this? If not, I'll probably resort to running a cronjob
>> to parse the logfile and add the offending hosts manually.
>
> Add the abusive hosts to a table x, via max-src-conn, max-src-conn-rate,
> etc., then add near the top of your ruleset:
>
> block drop quick from <x>

You either didn't read my message or have misunderstood pf. The features
you (and I) mention apply only to rules which create state. If your rules
are written for port 22, 25, and 80 traffic, for example, you can most
certainly make use of those features.

However, receiving SYN packets to ports 1024-40000 isn't going to match
anything other than a default "block all" rule, which creates no state.
That gives you zero such features to work with, but does give you 38976
individual log entries.
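Because a default "block" rule creates no state, pf's overload table machinery never sees the scan, so the banning has to happen out of band from the log. The script below is an added example written for this page, not code posted by anyone in the thread. It is one way to build the "cronjob to parse the logfile" the original post mentions: it reads pflog through tcpdump, counts how many distinct destination ports each source host has had blocked inbound, and loads hosts over a threshold into a pf table. It assumes a table named <scanners> declared in pf.conf with `table <scanners> persist` and used by `block drop quick from <scanners>` near the top of the ruleset, that pflogd(8) writes to /var/log/pflog, and that the install path is /usr/local/sbin/pfban.sh; the tcpdump lines in sample_pflog are constructed from documentation addresses, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the thread: ban hosts whose blocked inbound packets
# span many destination ports (a scan), using pflog as the evidence.
# Assumptions: pf.conf has "table <scanners> persist" and
# "block drop quick from <scanners>"; pflogd writes /var/log/pflog.

THRESHOLD=${THRESHOLD:-50}      # distinct blocked ports per host before banning
TABLE=${TABLE:-scanners}        # assumed pf table name
PFLOG=${PFLOG:-/var/log/pflog}  # assumed pflogd output file

# pflog_offenders THRESHOLD
# Reads "tcpdump -n -e -ttt -r /var/log/pflog" style lines on stdin and prints
# one IPv4 source address per line for hosts whose *blocked inbound* packets
# reached at least THRESHOLD distinct destination ports.  Passed traffic,
# outbound blocks and non-IPv4 lines (ICMP, IPv6) are ignored.  Counting
# distinct ports rather than packets keeps a host that merely retries one
# closed port from being banned.
pflog_offenders() {
    awk -v threshold="${1:-50}" '
        /rule [0-9]+\/[0-9]+\(match\): block in on / {
            src = ""; dst = ""
            for (i = 2; i <= NF; i++)
                if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
            if (src == "") next
            sub(/:$/, "", dst)                    # "a.b.c.d.port:" -> "a.b.c.d.port"
            if (split(src, s, "[.]") != 5) next   # IPv4 addr.port only
            if (split(dst, d, "[.]") != 5) next
            ip = s[1] "." s[2] "." s[3] "." s[4]
            key = ip SUBSEP d[5]                  # (source host, destination port)
            if (!(key in seen)) { seen[key] = 1; ports[ip]++ }
        }
        END { for (ip in ports) if (ports[ip] + 0 >= threshold + 0) print ip }
    ' | sort
}

# ban_offenders: the cron entry point.  Needs root; pfctl(8) adds each host to
# the table, which the "block drop quick from <scanners>" rule then matches.
ban_offenders() {
    tcpdump -n -e -ttt -r "$PFLOG" 2>/dev/null \
        | pflog_offenders "$THRESHOLD" \
        | while read -r ip; do
              pfctl -q -t "$TABLE" -T add "$ip"
          done
}

# sample_pflog: constructed tcpdump output so the parser can be exercised
# offline.  203.0.113.5 probes three different ports (one of them twice),
# 192.0.2.9 retries a single port, and 192.0.2.44 is passed, not blocked.
sample_pflog() {
cat <<'EOF'
00:00:00.000000 rule 0/0(match): block in on em0: 203.0.113.5.40001 > 198.51.100.7.1025: S 1:1(0) win 512
00:00:00.000213 rule 0/0(match): block in on em0: 203.0.113.5.40002 > 198.51.100.7.1026: S 1:1(0) win 512
00:00:00.000190 rule 0/0(match): block in on em0: 203.0.113.5.40003 > 198.51.100.7.1027: S 1:1(0) win 512
00:00:00.000207 rule 0/0(match): block in on em0: 203.0.113.5.40004 > 198.51.100.7.1027: S 1:1(0) win 512
00:00:00.001000 rule 0/0(match): block in on em0: 192.0.2.9.51000 > 198.51.100.7.22: S 1:1(0) win 65535
00:00:00.000500 rule 0/0(match): block in on em0: 192.0.2.9.51001 > 198.51.100.7.22: S 1:1(0) win 65535
00:00:00.000400 rule 2/0(match): pass in on em0: 192.0.2.44.1234 > 198.51.100.7.80: S 1:1(0) win 65535
EOF
}

case "${1-}" in
    run)  ban_offenders ;;                     # e.g. from root's crontab
    demo) sample_pflog | pflog_offenders 3 ;;  # offline check of the parser
esac
```

Run it as `pfban.sh run` from root's crontab every few minutes; `pfban.sh demo` exercises the parser on the constructed lines. Two caveats a practitioner should weigh before relying on this: newsyslog rotates pflog, so a scan straddling a rotation is split between /var/log/pflog and /var/log/pflog.0, and a SYN scan can carry a spoofed source address, so an attacker who knows you ban on blocked SYNs can get you to block a host you depend on (a resolver, an upstream mail relay). Entries added this way stay in the table until removed with `pfctl -t scanners -T delete` or `-T flush`, so some ageing policy is needed.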
Re: Dealing with portscans
2008/9/22 David Allen <[EMAIL PROTECTED]>:
> Over the last few weeks I've been getting numerous port scans, each from
> unique hosts. The situation is more of an annoyance than anything else,
> but I would prefer not seeing or having to deal with an extra 20-30K
> entries in my logs as was the case recently.
>
> I use pf for firewalling, and while it does offer different methods
> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive hosts,
> it doesn't seem to offer much in the way of dealing with repeated
> blocked (non-stateful) connection attempts from a given host.
>
> Short of running something like snort, is there a suitable tool for
> dealing with this? If not, I'll probably resort to running a cronjob to
> parse the logfile and add the offending hosts manually.

Give a try to portsentry from the ports collection.

-- 
--Jeff--
Re: Dealing with portscans
David Allen wrote:
> Over the last few weeks I've been getting numerous port scans, each from
> unique hosts. The situation is more of an annoyance than anything else,
> but I would prefer not seeing or having to deal with an extra 20-30K
> entries in my logs as was the case recently.
>
> I use pf for firewalling, and while it does offer different methods
> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive hosts,
> it doesn't seem to offer much in the way of dealing with repeated
> blocked (non-stateful) connection attempts from a given host.
>
> Short of running something like snort, is there a suitable tool for
> dealing with this? If not, I'll probably resort to running a cronjob to
> parse the logfile and add the offending hosts manually.

Hi David,

You might want to try security/portsentry from the ports tree. It's a
bit dated, and it has no maintainer at the moment, but a cursory glance
at it tells me it might work for you. It supports pf for blocking
connections once your trigger conditions are met.

Hope that helps,
Greg

-- 
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
Re: Dealing with portscans
On Mon, 22 Sep 2008 08:17:02 -0700
"David Allen" <[EMAIL PROTECTED]> wrote:

> Over the last few weeks I've been getting numerous port scans, each
> from unique hosts. The situation is more of an annoyance than
> anything else, but I would prefer not seeing or having to deal with
> an extra 20-30K entries in my logs as was the case recently.
>
> I use pf for firewalling, and while it does offer different methods
> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive
> hosts, it doesn't seem to offer much in the way of dealing with
> repeated blocked (non-stateful) connection attempts from a given host.
>
> Short of running something like snort, is there a suitable tool for
> dealing with this? If not, I'll probably resort to running a cronjob
> to parse the logfile and add the offending hosts manually.

Add the abusive hosts to a table x, via max-src-conn, max-src-conn-rate,
etc., then add near the top of your ruleset:

block drop quick from <x>

Hope it helps.

Regards,
Ghirai.
Dealing with portscans
Over the last few weeks I've been getting numerous port scans, each from
unique hosts. The situation is more of an annoyance than anything else,
but I would prefer not seeing or having to deal with an extra 20-30K
entries in my logs as was the case recently.

I use pf for firewalling, and while it does offer different methods
(max-src-conn, max-src-conn-rate, etc.) for dealing with abusive hosts,
it doesn't seem to offer much in the way of dealing with repeated blocked
(non-stateful) connection attempts from a given host.

Short of running something like snort, is there a suitable tool for
dealing with this? If not, I'll probably resort to running a cronjob to
parse the logfile and add the offending hosts manually.