Scanning detection, Single Packet Authorization
Dear All,

I am a new member here, and also a noob in OpenBSD, and I have some simple questions. Can you please tell me if there is any technique to detect port scanning? Is there any PF feature which I can use? Or any independent package similar to Linux psad? I am also interested in port knocking; is there any support for it in OpenBSD? I am looking for functionality similar to fwknop (Single Packet Authorization).

Best regards.
Re: Scanning detection, Single Packet Authorization
On 11 October 2011 13:36, Cezary Cieplinski forsakenli...@gmx.com wrote:
> Dear All, I am a new member here, and also a noob in OpenBSD, and I have some simple questions. Can you please tell me if there is any technique to detect port scanning? Is there any PF feature which I can use? Or any independent package similar to Linux psad? I am also interested in port knocking; is there any support for it in OpenBSD? I am looking for functionality similar to fwknop (Single Packet Authorization). Best regards.

PF has excellent logging capabilities, which should help in detecting port scanning, and if you read the source-tracking part of the man page it should prove useful.

Port knocking has been discussed many times on the mailing list: http://marc.info/?l=openbsd-misc&w=2&r=1&s=port+knocking&q=b

hth
Fred
Re: Scanning detection, Single Packet Authorization
Fred Crowson fred.crow...@gmail.com writes:
> PF has excellent logging capabilities, which should help in detecting port scanning, and if you read the source-tracking part of the man page it should prove useful.

Very true. The various state tracking options can help detect and head off various types of floods and scans. An example of a distantly related use case (heading off ssh bruteforcers) can be found at http://home.nuug.no/~peter/pf/en/bruteforce.html; that and the pf.conf man page should give you a few ideas. There are a good number of approaches that may fit your scenarios.

> Port knocking has been discussed many times on the mailing list: http://marc.info/?l=openbsd-misc&w=2&r=1&s=port+knocking&q=b

Heh. That search turns up quite a few gems, even mention (but not detailed explanation, mind you) of the fact that port knocking can be implemented via PF features if you have a mind to.

For single packet authorization, I'm not aware of any tool in base with that capability, but a quick web search on "OpenBSD single packet authorization" turns up evidence that others have been at least considering the combination (and written some code).

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
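The detection discussed above (PF logging to spot scans, state-tracking thresholds to head off floods) can also be done psad-style by reading the pflog. The script below is an added example, not code from this thread or from any OpenBSD tool: it parses lines in the shape that `tcpdump -n -e -tttt -r /var/log/pflog` prints (the regex is an assumption about that output and may need adjusting to the local tcpdump), flags a source that touches many distinct ports within a short window (a scan) or repeatedly hits one port (a brute-forcer, the same threshold PF expresses as `max-src-conn-rate 5/30`), and emits the `pfctl -t <table> -T add` commands that would put the offender into a PF table. The sample log lines, the addresses and the table name `bruteforce` are constructed for the example.

```python
"""psad-style scan and flood detection over pflog output (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Expected line shape from `tcpdump -n -e -tttt -r /var/log/pflog`.  This regex is an
# assumption about that output; adjust it to what the local tcpdump actually prints.
PFLOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) '
    r'rule (?P<rule>\d+)/(?:\d+)?\(match\) (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): '
    r'(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):'
)


def parse_line(line):
    """Return the fields of one pflog line, or None if the line does not match."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S.%f')
    return {'ts': ts.replace(tzinfo=timezone.utc).timestamp(), 'action': m['action'],
            'src': m['src'], 'dst': m['dst'], 'dport': int(m['dport'])}


class ScanDetector:
    """Sliding-window counters per source address.

    scan_ports/scan_window: distinct destination ports within scan_window seconds.
    rate_count/rate_window: hits on one port within rate_window seconds, the same
    threshold PF expresses as `max-src-conn-rate rate_count/rate_window`.
    """

    def __init__(self, scan_ports=10, scan_window=60, rate_count=5, rate_window=30):
        self.scan_ports, self.scan_window = scan_ports, scan_window
        self.rate_count, self.rate_window = rate_count, rate_window
        self.port_hits = defaultdict(deque)   # src -> deque of (ts, dport)
        self.conn_hits = defaultdict(deque)   # (src, dport) -> deque of ts
        self.alerts = []                      # (src, kind, ts), one per (src, kind)
        self._flagged = set()

    @staticmethod
    def _expire(dq, now, window, key=lambda x: x):
        while dq and now - key(dq[0]) > window:
            dq.popleft()

    def _alert(self, src, kind, now):
        if (src, kind) not in self._flagged:
            self._flagged.add((src, kind))
            self.alerts.append((src, kind, now))

    def feed(self, ev):
        now, src, dport = ev['ts'], ev['src'], ev['dport']
        hits = self.port_hits[src]
        hits.append((now, dport))
        self._expire(hits, now, self.scan_window, key=lambda x: x[0])
        if len({p for _, p in hits}) >= self.scan_ports:
            self._alert(src, 'portscan', now)
        conns = self.conn_hits[(src, dport)]
        conns.append(now)
        self._expire(conns, now, self.rate_window)
        if len(conns) >= self.rate_count:
            self._alert(src, 'bruteforce:%d' % dport, now)


def analyze(lines, **thresholds):
    """Feed every parseable line to a detector and return its alerts in detection order."""
    det = ScanDetector(**thresholds)
    for line in lines:
        ev = parse_line(line)
        if ev:
            det.feed(ev)
    return det.alerts


def pfctl_commands(alerts, table='bruteforce'):
    """The pfctl invocations that would add each offender to the (assumed) PF table."""
    return sorted({'pfctl -t %s -T add %s' % (table, src) for src, _, _ in alerts})


def _sample(sec, action, src, sport, dport):
    # Constructed sample line in the shape described above; not captured traffic.
    return ('2011-10-11 13:36:%02d.000000 rule 2/(match) %s in on em0: '
            '%s.%d > 192.0.2.10.%d: S 1:1(0) win 65535' % (sec, action, src, sport, dport))


SAMPLE_LOG = (
    # a scanner: one blocked SYN to each of ten ports within ten seconds
    [_sample(i + 1, 'block', '203.0.113.7', 40000 + i, p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445])]
    # a brute-forcer: six passed connections to ssh in twelve seconds
    + [_sample(2 * i + 2, 'pass', '198.51.100.23', 50000 + i, 22) for i in range(6)]
    # a normal client: two web connections 35 seconds apart
    + [_sample(5, 'pass', '192.0.2.50', 33000, 80), _sample(40, 'pass', '192.0.2.50', 33001, 80)]
    # an IPv6 line the IPv4-only regex skips
    + ['2011-10-11 13:36:41.000000 rule 2/(match) pass in on em0: ::1.1234 > ::1.22: S']
)

if __name__ == '__main__':
    found = analyze(SAMPLE_LOG)
    for src, kind, ts in found:
        print('%s %s at %s' % (src, kind, datetime.fromtimestamp(ts, timezone.utc)))
    print('\n'.join(pfctl_commands(found)))
```

Only rules carrying the `log` keyword show up in pflog, so the block rule that catches scanners and the pass rule for the service both need it. The pf.conf side of the reaction is what the bruteforce page above describes: `table <bruteforce> persist` and a `block quick from <bruteforce>` rule; the script prints the `pfctl` commands rather than running them.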
Re: Scanning detection, Single Packet Authorization
On Tue, 11 Oct 2011 14:31:01 +0100 Fred Crowson wrote:
> Port knocking has been discussed many times on the mailing list:

Single packet authorisation is a lot more useful and less fallible than port knocking, though you could do similar with ssh, some magic and have the benefit of lots of clients to use, though maybe it's not quite so convenient to add commands etc.
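As an added example of what makes single packet authorization less fallible than a knock sequence (this is not code from the thread and not fwknop's actual packet format, only a minimal scheme of the same kind): the one packet below is authenticated with an HMAC under a shared key and bound to a timestamp, a fresh nonce and the client's source address, so a captured packet cannot be forged, replayed, or used from another host, none of which a plain sequence of SYNs to knock ports can guarantee. The key, the addresses and the PF table name `spa_<port>` are constructed for the example, and the server returns the `pfctl` command it would run instead of running it.

```python
"""Minimal single packet authorization (added example; not fwknop's wire format)."""
import hashlib
import hmac
import json
import os
import time

MAC_LEN = 32  # HMAC-SHA256 tag appended to the body


def build_spa(key, src_ip, port, now=None, nonce=None):
    """Client side: one UDP payload authorizing src_ip to reach port.

    The body carries a timestamp, a random nonce, the client's own address and the
    requested port; an HMAC over the body is appended.  now/nonce are parameters
    only so the example is deterministic under test.
    """
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = json.dumps({'t': now, 'n': nonce.hex(), 'ip': src_ip, 'port': port},
                      sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaServer:
    """Server side: verify one packet and decide whether to open the port."""

    def __init__(self, key, max_skew=30):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}   # nonce -> time after which it can be forgotten (replay cache)

    def _forget_old(self, now):
        for n in [n for n, exp in self.seen.items() if exp < now]:
            del self.seen[n]

    def verify(self, packet, seen_from, now=None):
        """Return (ok, reason, pfctl command or None).

        seen_from is the address the packet actually arrived from; binding the
        authorization to it means a captured packet is useless from elsewhere.
        """
        now = int(time.time()) if now is None else now
        if len(packet) <= MAC_LEN:
            return False, 'short', None
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        # 1. authenticate before parsing anything, with a constant-time compare
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), mac):
            return False, 'bad mac', None
        try:
            f = json.loads(body)
            ts, nonce, ip, port = int(f['t']), str(f['n']), str(f['ip']), int(f['port'])
        except (ValueError, KeyError, TypeError):
            return False, 'malformed', None
        # 2. freshness: reject anything outside the allowed clock skew
        if abs(now - ts) > self.max_skew:
            return False, 'stale', None
        # 3. the packet must authorize the address it came from
        if ip != seen_from:
            return False, 'source mismatch', None
        # 4. replay: a nonce is accepted once, and remembered for as long as it could be fresh
        self._forget_old(now)
        if nonce in self.seen:
            return False, 'replay', None
        self.seen[nonce] = now + 2 * self.max_skew
        # Table name is an assumption; pf.conf pairs it with a pass rule for that port.
        return True, 'ok', 'pfctl -t spa_%d -T add %s' % (port, ip)


if __name__ == '__main__':
    key = b'constructed demo key'   # in practice a per-client secret shared out of band
    server = SpaServer(key)
    pkt = build_spa(key, '198.51.100.23', 22)
    print(server.verify(pkt, '198.51.100.23'))   # accepted
    print(server.verify(pkt, '198.51.100.23'))   # same packet again: replay
    print(server.verify(pkt, '203.0.113.9'))     # captured and sent from elsewhere: mismatch
```

The pf.conf counterpart would be a `table <spa_22> persist` and a rule such as `pass in on egress proto tcp from <spa_22> to port ssh`, with the daemon or a cron job expiring table entries after a while. The address binding does require the client to know which source address the server will see, which is the usual complication of this technique behind NAT.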