Hi all,

An open scan consists of a client opening a connection using the typical three-way TCP handshake. Once established (and so, an open port detected), the client suddenly sends a reset (or a FIN?).

client -> SYN
server -> SYN | ACK
client -> ACK
client -> RST | ACK

Since it's not an odd behaviour, how can it be differentiated from a normal (not from a port scan) reset?

In addition, I'm sending some iptables rules to detect and log usual port scans. If anybody finds a hole, please tell me.

IPT=/sbin/iptables

# Create the SCAN chain before the INPUT rule references it.
$IPT -N SCAN
$IPT -A INPUT -p tcp -j SCAN

# Bare SYN: let a limited rate through, log and drop the rest (SYN flood).
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -m limit --limit 1/s --limit-burst 2 -j RETURN
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -m limit --limit 1/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN FLOOD?: "
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -j DROP

# Xmas scan: FIN, URG and PSH set and nothing else.
$IPT -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - Xmas PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# SYN and FIN together never occur in legitimate traffic.
$IPT -A SCAN -p tcp --tcp-flags ALL SYN,FIN -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN FIN PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL SYN,FIN -j DROP

# SYN and RST together (only these two flags are examined here).
$IPT -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN RST PortScan: "
$IPT -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN scan: a lone FIN that does not belong to an established connection.
# The state negation is written "! --state ESTABLISHED".
$IPT -A SCAN -p tcp --tcp-flags ALL FIN -m limit --limit 2/m --limit-burst 2 -m state ! --state ESTABLISHED -j LOG --log-prefix "IPTABLES - FIN PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED -j DROP

# All flags set.
$IPT -A SCAN -p tcp --tcp-flags ALL ALL -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - ALL PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL ALL -j DROP

# No flags set (NULL scan).
$IPT -A SCAN -p tcp --tcp-flags ALL NONE -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - NONE PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL NONE -j DROP
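Added example, not part of the original post: a Python flow analyser showing how the bare-handshake reset described above can be told apart from an ordinary reset by looking at the whole flow rather than the RST alone (handshake completed, zero payload in either direction, client-side close shortly afterwards) and then at how many distinct ports one source repeats this on. The hosts, ports, thresholds and sample segments are all constructed for the example.

```python
from collections import defaultdict

SERVER = "10.0.0.1"  # constructed sample server address

def exchange(client, port, t0, payload=(0, 0), close="RA"):
    """Constructed (t, src, sport, dst, dport, flags, payload_len) segments: handshake, data, client close."""
    c, s = (client, 40000 + port), (SERVER, port)
    segs = [(t0, *c, *s, "S", 0), (t0 + .001, *s, *c, "SA", 0), (t0 + .002, *c, *s, "A", 0)]
    if payload[0]:
        segs.append((t0 + .010, *c, *s, "PA", payload[0]))
    if payload[1]:
        segs.append((t0 + .020, *s, *c, "PA", payload[1]))
    segs.append((t0 + .030, *c, *s, close, 0))
    return segs

# Constructed traffic: 10.0.0.5 completes bare handshakes on five ports (the open-scan pattern),
# 10.0.0.9 aborts a normal session with RST after exchanging data, 10.0.0.7 resets one bare connection.
SEGMENTS = [seg for i, p in enumerate((22, 25, 80, 443, 8080))
            for seg in exchange("10.0.0.5", p, i * 0.05)]
SEGMENTS += exchange("10.0.0.9", 80, 0.5, payload=(120, 400))
SEGMENTS += exchange("10.0.0.7", 443, 0.9)

def bare_handshakes(segments, max_age=1.0):
    """(client, server, port) flows: handshake done, no payload either way, client RST/FIN within max_age s."""
    flows = {}
    for t, src, sport, dst, dport, flags, plen in sorted(segments):
        if flags == "S":                                   # client opens a new flow
            flows[(src, sport, dst, dport)] = dict(t0=t, synack=False, open=False, bytes=0, bare=False)
            continue
        key, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:                                   # server -> client
            f = flows[rev]
            f["synack"] |= flags == "SA"
            f["bytes"] += plen
        elif key in flows:                                 # client -> server
            f = flows[key]
            f["bytes"] += plen
            if flags == "A" and f["synack"]:
                f["open"] = True                           # three-way handshake complete
            if f["open"] and f["bytes"] == 0 and t - f["t0"] <= max_age and set(flags) & {"R", "F"}:
                f["bare"] = True
    return [(c, s, p) for (c, _, s, p), f in flows.items() if f["bare"]]

def suspected_connect_scans(segments, min_ports=3):
    """One bare reset looks like an aborted connection; report a source only at min_ports distinct ports."""
    ports = defaultdict(set)
    for client, server, port in bare_handshakes(segments):
        ports[(client, server)].add(port)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}
```

On real traffic the same logic would be fed from conntrack or a packet capture; the per-flow part is what an iptables flag match cannot see, since the RST|ACK by itself is a perfectly valid segment.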

