On Thu, 11 Apr 2002 13:18:19 -0400, "Steve Werby" <[EMAIL PROTECTED]>
wrote:


:>Are you using IPCHAINS to block the IPs, your router or something else?  How
:>many IPs or subnets are you blocking at any given time and do you find that
:>affects performance?  My philosophy is generally to only block IPs for a
:>short period of time (hours or days).  I base that on my experience that
:>most portscans and hacking attempts are from dialup IPs or rooted machines
:>so the threat from those IPs after a short period of time seems to be much
:>less.  Any thoughts?

The below is best viewed with fixed font.

My scheme is dynamic depending on the amount of activity. A full scan gets you
in my firewall. A port 22 scan gets you in my firewall (I do ssh on a
different port). A port 21 scan gets you watched. Ever-increasing problems
from a range get the range blocked. No activity for a while gets you removed.
As you can see below, some items could be removed since the activity level
seems to have gotten quiet while others are still quite active. I handle all
this with portsentry (via portsentry.init). My portsentry config parameters
and portsentry.init definitions follow the ipfwadm list (Qube2 does not have
ipchains; however, I use the same scheme with ipchains on other boxes). I
modify portsentry.init based on the activity I monitor in the log and
periodically restart portsentry. The following is probably more than you
wanted, but it was easier to show what I was doing than to describe it.

I have edited the list to only show items of interest to the discussion. I
last restarted portsentry about 2 weeks ago. My last attack was from a local
security test machine which my portsentry locked out of my box immediately.

From my portlog:

Apr  8 18:09:14 vanecek portsentry[5457]: attackalert: SYN/Normal scan from
host: test.xxx/xxx.xxx.56.233 to TCP port: 467
Apr  8 18:09:14 vanecek portsentry[5457]: attackalert: External command run
for host: xxx.xxx.56.233 using command: "/sbin/ipfwadm -I -W eth0 -P udp -i
deny -S xxx.xxx.56.233 -D 0.0.0.0/0 467;  /sbin/ipfwadm -I -W eth0 -P tcp -i
deny -S xxx.xxx.56.233 -D 0.0.0.0/0 467 "
Apr  8 18:09:14 vanecek portsentry[5457]: attackalert: Host xxx.xxx.56.233 has
been blocked via wrappers with string: "ALL: xxx.xxx.56.233"
Apr  8 18:09:14 vanecek portsentry[5457]: attackalert: Host xxx.xxx.56.233 has
been blocked via dropped route using command: "/sbin/ipfwadm -I -i deny -S
xxx.xxx.56.233"

Then the rest of the scan is blocked:

tail -5 /var/log/portlog
Apr  8 18:09:15 vanecek portsentry[5457]: attackalert: Host:
test.xxx/xxx.xxx.56.233 is already blocked Ignoring
Apr  8 18:09:16 vanecek portsentry[5457]: attackalert: SYN/Normal scan from
host: test.xxx/xxx.xxx.56.233 to TCP port: 753
Apr  8 18:09:16 vanecek portsentry[5457]: attackalert: Host:
test.xxx/xxx.xxx.56.233 is already blocked Ignoring
Apr  8 18:09:16 vanecek portsentry[5457]: attackalert: SYN/Normal scan from
host: test.xxx/xxx.xxx.56.233 to TCP port: 566
Apr  8 18:09:16 vanecek portsentry[5457]: attackalert: Host:
test.xxx/xxx.xxx.56.233 is already blocked Ignoring


ipfwadm -I -len
IP firewall input rules, default policy: accept
 pkts bytes type  prot opt  ifname  source         destination  ports

The following 3 entries were triggered by portsentry as a result of a port
scan by our local security administrator. Note it tells me who and what. I get
the date and time from my portsentry log (shown above).

 5795  235K deny  all  ---- *     xxx.xxx.56.233   0.0.0.0/0    n/a
    0     0 deny  tcp  ----  eth0 xxx.xxx.56.233   0.0.0.0/0    * -> 467
    0     0 deny  udp  ----  eth0 xxx.xxx.56.233   0.0.0.0/0    * -> 467

The rest of this is started as a result of portsentry.init.

    0     0 deny  udp  ----  eth0   2.9.0.164      0.0.0.0/0    * -> 137
    0     0 deny  udp  ----  eth0  13.0.0.0/8      0.0.0.0/0    * -> 67
  118 67968 deny  udp  ----  eth0 169.254.0.0/16   0.0.0.0/0    * -> 67
    0     0 deny  all  ----  eth0  10.0.0.0/8      0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 172.16.0.0/12    0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 224.0.0.0/4      0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 127.0.0.0/8      0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 255.255.255.255  0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0   0.0.0.0/0      0.0.0.0      n/a
   14   672 deny  all  ----  eth0   4.0.0.0/8      0.0.0.0/0    n/a
   18   884 deny  all  ----  eth0  61.0.0.0/8      0.0.0.0/0    n/a
    3   144 deny  all  ----  eth0  62.0.0.0/8      0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0  64.230.160.0/24 0.0.0.0/0    n/a
   12   564 deny  all  ----  eth0  80.0.0.0/8      0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0  80.13.0.0/16    0.0.0.0/0    n/a
    2   120 deny  all  ----  eth0 141.0.0.0/8      0.0.0.0/0    n/a
    3   144 deny  all  ----  eth0 163.0.0.0/8      0.0.0.0/0    n/a
    2    96 deny  all  ----  eth0 193.248.0.0/13   0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 195.33.0.0/16    0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 195.92.95.0/24   0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 195.229.0.0/16   0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 199.172.144.0/24 0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 200.128.0.0/16   0.0.0.0/0    n/a
    3   918 deny  all  ----  eth0 202.0.0.0/8      0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 203.0.0.0/8      0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 209.244.0.0/16   0.0.0.0/0    n/a
  771  206K deny  all  ----  eth0 210.0.0.0/8      0.0.0.0/0    n/a
    8   368 deny  all  ----  eth0 211.0.0.0/8      0.0.0.0/0    n/a
   14  2660 deny  all  ----  eth0 212.0.0.0/8      0.0.0.0/0    n/a
  481  126K deny  all  ----  eth0 213.0.0.0/8      0.0.0.0/0    n/a
   18  1607 deny  all  ----  eth0 217.0.0.0/8      0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 218.0.0.0/8      0.0.0.0/0    n/a
   31  9004 deny  icmp ----  eth0   0.0.0.0/0      0.0.0.0/0    8

Some folks really want to get into my system.

My portsentry.init follows.

xxx.xxx. was inserted with a search-and-replace to protect the site.

Some of the items here keep out Windows packets that are floating around on the
local net.

I modify this init file as hack attempts change and restart portsentry on a
periodic basis using this init file. It also runs whenever a reboot occurs.

$ cat /home/local/portsentry/portsentry.init
#!/bin/sh
#
# portsentry.init   Starts and stops portsentry

# Source function library.
. /etc/rc.d/init.d/functions

[ -f /home/local/portsentry/portsentry ] || exit 0

# ipfwadm definitions
EXTERNAL_INTERFACE="eth0"
IPADDR="xxx.xxx.26.245"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
BROADCAST_DEST="255.255.255.255"
BROADCAST_SRC="0.0.0.0"
LOOPBACK="127.0.0.0/8"
PSPATH="/home/local/portsentry"

# See how we were called.
case "$1" in
  start)
      echo -n "S/B run as Root, Starting Portsentry: "
      echo -n "Changing hosts.deny file"
      # cd /home/local/portsentry/
      cp /etc/hosts.deny.master   /etc/hosts.deny

      # Flush all existing state
      /sbin/ipfwadm -F -f
      /sbin/ipfwadm -I -f
      /sbin/ipfwadm -O -f

      # Set the default policy
      /sbin/ipfwadm -F -p deny
      /sbin/ipfwadm -I -p accept
      /sbin/ipfwadm -O -p accept

      # Filters only
      # Begin rules
      # Refuse spoofed packets (our own address arriving on the external interface)
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $IPADDR

      # Refuse packets claiming to be private network
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_A
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_B
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_C
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_D_MULTICAST

      # Refuse loopback packets
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $LOOPBACK

      # Refuse malformed broadcast packets
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $BROADCAST_DEST
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -D $BROADCAST_SRC

      # Wrapped rules below are continued with a trailing backslash so the
      # shell runs each ipfwadm call as a single command.

      # Refuse udp 9 packets
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 9

      # Refuse udp 67/68 packets
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 67
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 68
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S 169.254.0.0/16 \
              -D 0.0.0.0/0 67
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S 13.0.0.0/8 \
              -D 0.0.0.0/0 67

      # Refuse udp 137/138/139 packets
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 137
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 138
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 139
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S 12.9.0.164 \
              -D 0.0.0.0/0 137

      # Refuse tcp 113 packets (currently disabled; both lines of each rule
      # are commented out so the continuation is not run on its own)
#     /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P tcp -i deny -S xxx.xxx.48.55 \
#             -D 0.0.0.0/0 113
#     /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P tcp -i deny -S xxx.xxx.220.1 \
#             -D 0.0.0.0/0 113

      # Refuse udp 111 packets
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 111

      # Refuse udp 161/162 packets
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 161
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 162

      # Refuse udp 177 packets
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 177

      # Refuse udp 520 packets
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 520

      # Refuse udp 524 packets
      /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S xxx.xxx.0.0/16 \
              -D 0.0.0.0/0 524

      # Refuse nosey domains
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 4.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 61.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 62.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 64.230.160.0/24
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 80.11.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 80.13.0.0/16
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 141.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 163.239.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 193.251.0.0/13
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 195.33.0.0/16
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 195.92.95.0/24
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 195.229.0.0/16
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 199.172.144.0/24
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 200.128.0.0/16
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 202.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 203.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 209.244.0.0/16
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 210.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 211.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 212.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 213.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 217.0.0.0/8
      /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S 218.0.0.0/8

      # Add the ping protection (drop ICMP echo request, type 8)
      /sbin/ipfwadm -I -a deny -P icmp -S 0/0 8 -W $EXTERNAL_INTERFACE

      # Remove history files (-f: no error if a file is not there yet)
      rm -f $PSPATH/portsentry.blocked.atcp
      rm -f $PSPATH/portsentry.blocked.audp
      rm -f $PSPATH/portsentry.history

      $PSPATH/portsentry -atcp
      $PSPATH/portsentry -audp
      echo
      ;;
  stop)
      echo -n "Shutting down Portsentry: "
      killproc portsentry -9
      echo
      ;;

  flush)
      echo -n "Flushing the Firewall: "
      # Flush all existing state
      /sbin/ipfwadm -F -f
      /sbin/ipfwadm -I -f
      /sbin/ipfwadm -O -f

      # Set the default policy
      /sbin/ipfwadm -F -p deny
      /sbin/ipfwadm -I -p accept
      /sbin/ipfwadm -O -p accept
      echo
      ;;

  *)
      echo "Usage: portsentry.init {start|stop|flush}"
      exit 1
esac

exit 0


Here is my config file with the commented items removed. The Ignore Options
section is really the heart of what I do. I run in advanced mode.

$ cat /home/local/portsentry/portsentry.conf
# PortSentry Configuration
# $Id: portsentry.conf,v 1.13 1999/11/09 02:45:42 crowland Exp crowland $
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
# 
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.


#######################
# Port Configurations #
#######################
# These really do not do anything in advanced mode (which is what I run).
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"

###########################################
# Advanced Stealth Scan Detection Options #
###########################################

ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"

#ADVANCED_EXCLUDE_TCP="20,21,22,23,25,80,81,110,123,143,443"
# Dropped ftp from allowed list 02/11/01
# Changed ssh port from 22 to xxx on 11/12/01
ADVANCED_EXCLUDE_TCP="23,25,53,80,81,110,113,123,143,443,xxx"

# Default UDP route (RIP), NetBIOS, bootp broadcasts.
#ADVANCED_EXCLUDE_UDP="20,21,22,23,25,80,81,110,123,143,443"
# Dropped ftp from allowed list 02/11/01  added 53 on 5/26/01
# Changed ssh port from 22 to xxx on 11/12/01
ADVANCED_EXCLUDE_UDP="23,25,53,80,81,110,113,123,143,443,xxx"

######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/home/local/portsentry/portsentry.ignore"

# Hosts that have been denied (running history)
HISTORY_FILE="/home/local/portsentry/portsentry.history"

# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/home/local/portsentry/portsentry.blocked"

###################
# Response Options#
###################

##################
# Ignore Options #
##################
# The following sequence of events are really the heart of my
# portsentry scheme

# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

###################
# Dropping Routes:#
###################

#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ $PORT$ -o"
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"

# This version does not log denied packets after activation
KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"

###############
# TCP Wrappers#
###############

KILL_HOSTS_DENY="ALL: $TARGET$"

###################
# External Command#
###################

# Must be a single line: portsentry reads the config line by line.
KILL_RUN_CMD="/sbin/ipfwadm -I -W eth0 -P udp -i deny -S $TARGET$ -D 0.0.0.0/0 $PORT$;  /sbin/ipfwadm -I -W eth0 -P tcp -i deny -S $TARGET$ -D 0.0.0.0/0 $PORT$ "

#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an 
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms.

SCAN_TRIGGER="2"

######################
# Port Banner Section#
######################


# EOF

HTHs.

Mike.
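The post describes pruning the block list by hand from the portsentry log and the `ipfwadm -I -len` counters. The following script, added here as an example and not part of the original mail or of portsentry, automates that review: it parses both formats as shown above and lists deny rules that have counted no packets and whose source network contains no host that is still raising alerts. The sample log and listing are constructed (documentation addresses, log lines unwrapped to one line each).

```python
import ipaddress
import re

# Constructed sample input in the two formats shown in the post (log lines
# unwrapped to one line each; documentation addresses stand in for real hosts).
SAMPLE_LOG = """\
Apr  8 18:09:14 vanecek portsentry[5457]: attackalert: SYN/Normal scan from host: test.xxx/192.0.2.233 to TCP port: 467
Apr  8 18:09:15 vanecek portsentry[5457]: attackalert: Host: test.xxx/192.0.2.233 is already blocked Ignoring
Apr  8 18:09:16 vanecek portsentry[5457]: attackalert: SYN/Normal scan from host: test.xxx/192.0.2.233 to TCP port: 753
Apr  9 02:11:03 vanecek portsentry[5457]: attackalert: SYN/Normal scan from host: unknown/198.51.100.7 to UDP port: 137
""".splitlines()
SAMPLE_LISTING = """\
 pkts bytes type  prot opt  ifname  source         destination  ports
 5795  235K deny  all  ---- *     192.0.2.233      0.0.0.0/0    n/a
    0     0 deny  tcp  ----  eth0 192.0.2.233      0.0.0.0/0    * -> 467
    0     0 deny  udp  ----  eth0 198.51.100.0/24  0.0.0.0/0    * -> 137
  771  206K deny  all  ----  eth0 210.0.0.0/8      0.0.0.0/0    n/a
    0     0 deny  all  ----  eth0 218.0.0.0/8      0.0.0.0/0    n/a
   31  9004 deny  icmp ----  eth0   0.0.0.0/0      0.0.0.0/0    8
""".splitlines()

ALERT_RE = re.compile(r"scan from host: \S+/(?P<ip>[\d.]+) to (TCP|UDP) port: (?P<port>\d+)")
IGNORED_RE = re.compile(r"Host: \S+/(?P<ip>[\d.]+) is already blocked")
# columns: pkts bytes type prot opt ifname source ...; only deny rules are kept
RULE_RE = re.compile(r"^\s*(?P<pkts>\d+)\s+\d+[KMG]?\s+deny\s+\S+\s+\S+\s+\S+\s+(?P<src>\S+)\s")

def parse_alerts(log_lines):
    """Per source host: ports probed, and alerts suppressed as 'already blocked'."""
    hosts = {}
    for line in log_lines:
        if m := ALERT_RE.search(line):
            hosts.setdefault(m["ip"], {"ports": set(), "ignored": 0})["ports"].add(int(m["port"]))
        elif m := IGNORED_RE.search(line):
            hosts.setdefault(m["ip"], {"ports": set(), "ignored": 0})["ignored"] += 1
    return hosts

def rule_hits(listing_lines):
    """Packets matched per deny-rule source, summed over all rules for that source."""
    hits = {}
    for line in listing_lines:
        if m := RULE_RE.match(line):
            hits[m["src"]] = hits.get(m["src"], 0) + int(m["pkts"])
    return hits

def expiry_candidates(listing_lines, log_lines):
    """Quiet deny rules: zero packets and no alerting host inside the source network."""
    alerting = [ipaddress.ip_address(ip) for ip in parse_alerts(log_lines)]
    quiet = []
    for src, pkts in rule_hits(listing_lines).items():
        net = ipaddress.ip_network(src, strict=False)  # a bare address becomes a /32
        if pkts == 0 and not any(ip in net for ip in alerting):
            quiet.append(src)
    return sorted(quiet)
```

A range whose counter reads zero is kept as long as any host inside it still appears in the log, which is the case for the freshly added 198.51.100.0/24 rule in the sample; only 218.0.0.0/8 comes back as a removal candidate.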

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
