I'd suggest looking into Snort for intrusion detection. It has a whole module dedicated to the detection of (various kinds of) port scans. Snort is available as a standard package in sarge.
Toby.

-----Original Message-----
From: eduardgv [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 21 September 2004 9:37 PM
To: debian-firewall
Subject: How to detect open tcp scan ports?

Hi all,

An open scan consists of a client opening a connection using the typical three-way TCP handshake. Once established (and so, open port detected), the client suddenly sends a reset (or a FIN?).

client -> SYN
server -> SYN | ACK
client -> ACK
client -> RST | ACK

Since it's not odd behaviour, how can it be differentiated from a normal (not from a port scan) reset?

In addition, I send some iptables rules to detect and log usual port scans. If anybody finds a hole, please tell me.

IPT=${IPT:-/sbin/iptables}   # assumed: $IPT is the iptables binary

# the SCAN chain must exist before INPUT can jump to it
$IPT -N SCAN
$IPT -A INPUT -p tcp -j SCAN

# plain SYN: let a trickle through, log and drop the rest
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -m limit --limit 1/s --limit-burst 2 -j RETURN
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -m limit --limit 1/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN FLOOD?: "
$IPT -A SCAN -p tcp --tcp-flags ALL SYN -j DROP

# Xmas scan (FIN,URG,PSH only)
$IPT -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - Xmas PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# SYN+FIN together never occurs in a legitimate segment
$IPT -A SCAN -p tcp --tcp-flags ALL SYN,FIN -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN FIN PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL SYN,FIN -j DROP

# SYN+RST together
$IPT -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - SYN RST PortScan: "
$IPT -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# lone FIN that does not belong to an established connection (FIN scan)
$IPT -A SCAN -p tcp --tcp-flags ALL FIN -m limit --limit 2/m --limit-burst 2 -m state ! --state ESTABLISHED -j LOG --log-prefix "IPTABLES - FIN PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL FIN -m state ! --state ESTABLISHED -j DROP

# every flag set
$IPT -A SCAN -p tcp --tcp-flags ALL ALL -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - ALL PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL ALL -j DROP

# no flag set (NULL scan)
$IPT -A SCAN -p tcp --tcp-flags ALL NONE -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix "IPTABLES - NONE PortScan: "
$IPT -A SCAN -p tcp --tcp-flags ALL NONE -j DROP
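The question in the quoted message has no answer at the level of a single packet: one connection that completes the handshake and is then reset by the client is indistinguishable from an application that simply aborted. What separates a connect scan is the aggregate behaviour of the source: many connections to many distinct ports, each completing the handshake, exchanging no payload, and being torn down by a client RST within a short window. The `-m limit` counters in the quoted rules are global rather than per-source, so they cannot express that signal. The following detector, an added example that is not from this thread or from Snort, replays a constructed list of TCP segments (hypothetical `Segment` records, RFC 5737/private test addresses), summarises each client-initiated connection, and flags a source only when its empty, RST-terminated connections span at least `min_ports` distinct ports within `window` seconds:

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed record (not a real capture format): one TCP segment seen on the wire.
@dataclass(frozen=True)
class Segment:
    ts: float      # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # TCP flag letters, e.g. "S", "SA", "A", "PA", "RA", "FA"
    payload: int   # payload bytes carried by this segment


def track_connections(segments, server_ip):
    """Replay segments in time order and summarise every client-initiated
    connection to server_ip, keyed by (client_ip, client_port, server_port)."""
    conns = {}
    for s in sorted(segments, key=lambda x: x.ts):
        if s.dst == server_ip:
            key, from_client = (s.src, s.sport, s.dport), True
        elif s.src == server_ip:
            key, from_client = (s.dst, s.dport, s.sport), False
        else:
            continue  # traffic that does not involve the monitored server
        c = conns.setdefault(key, {"synack": False, "established": None,
                                   "payload": 0, "closed_by": None})
        if from_client and s.flags == "S":
            continue  # handshake start, nothing to record yet
        if not from_client and "S" in s.flags and "A" in s.flags:
            c["synack"] = True                      # server answered SYN|ACK: port is open
        elif (from_client and "A" in s.flags and "R" not in s.flags
              and c["synack"] and c["established"] is None):
            c["established"] = s.ts                 # third handshake segment
        c["payload"] += s.payload                   # data in either direction
        if "R" in s.flags and c["closed_by"] is None:
            c["closed_by"] = "client_rst" if from_client else "server_rst"
        elif "F" in s.flags and c["closed_by"] is None:
            c["closed_by"] = "client_fin" if from_client else "server_fin"
    return conns


def empty_rst_connections(conns):
    """Connections that completed the handshake, carried no data in either
    direction, and were torn down by a client RST: the shape of one connect-scan probe."""
    return [k for k, c in conns.items()
            if c["established"] is not None and c["payload"] == 0
            and c["closed_by"] == "client_rst"]


def find_connect_scanners(segments, server_ip, window=10.0, min_ports=5):
    """Return {client_ip: [ports]} for clients whose empty RST-terminated
    connections hit at least min_ports distinct ports within window seconds."""
    conns = track_connections(segments, server_ip)
    per_client = defaultdict(list)  # client_ip -> [(established_ts, server_port)]
    for client, cport, port in empty_rst_connections(conns):
        per_client[client].append((conns[(client, cport, port)]["established"], port))
    scanners = {}
    for client, probes in per_client.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):        # sliding window starting at each probe
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners[client] = sorted(ports)
                break
    return scanners


def handshake_then_rst(ts, client, cport, server, port):
    """Constructed connect-scan probe: full handshake, immediate RST|ACK, no data."""
    return [
        Segment(ts, client, server, cport, port, "S", 0),
        Segment(ts + 0.001, server, client, port, cport, "SA", 0),
        Segment(ts + 0.002, client, server, cport, port, "A", 0),
        Segment(ts + 0.003, client, server, cport, port, "RA", 0),
    ]


SERVER = "192.0.2.10"   # constructed addresses throughout
SAMPLE = []
# scanner: six ports within two seconds, each an empty RST-terminated connection
for i, port in enumerate([22, 25, 80, 110, 143, 443]):
    SAMPLE += handshake_then_rst(1.0 + i * 0.3, "10.0.0.5", 40000 + i, SERVER, port)
# ordinary web client: handshake, request and response, then an abrupt RST on close
SAMPLE += [
    Segment(2.000, "10.0.0.7", SERVER, 51000, 80, "S", 0),
    Segment(2.001, SERVER, "10.0.0.7", 80, 51000, "SA", 0),
    Segment(2.002, "10.0.0.7", SERVER, 51000, 80, "A", 0),
    Segment(2.010, "10.0.0.7", SERVER, 51000, 80, "PA", 180),
    Segment(2.050, SERVER, "10.0.0.7", 80, 51000, "PA", 1400),
    Segment(2.060, "10.0.0.7", SERVER, 51000, 80, "RA", 0),
]
# one empty connection to a single port (e.g. a liveness check) is not a scan
SAMPLE += handshake_then_rst(3.0, "10.0.0.8", 52000, SERVER, 22)

if __name__ == "__main__":
    print(find_connect_scanners(SAMPLE, SERVER))
```

On the constructed sample only 10.0.0.5 is reported; the web client is excluded because bytes were exchanged before its RST, and 10.0.0.8 because a single port never reaches the threshold. The two thresholds are the tuning knobs: a lower `min_ports` catches slower scans at the cost of flagging chatty monitoring hosts, and the same aggregation could be fed from the kernel's connection-tracking events rather than a capture.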

