On Apr 10, 2013, jxz6cjc...@snkmail.com wrote:

> Some of our users are launching port scans on Internet servers.
> These users connect to our servers using ssh and openvpn. We
> obviously suspend their accounts where appropriate however I'd like
> to find a technical solution that either prevents the scan or
> discourages them (e.g. by slowing it down). Obviously psad is
> designed to be used to scan the logs of servers being attacked
> however is it possible to use it to detect port scans on the
> originating server? i.e. could I create a set of rules on our server
> that would mimic the logs generated on the receiving server and
> point psad at it?

If I understand the question correctly, it sounds like you could add a
set of logging rules to the OUTPUT chain on the originating systems and
then have psad watch these logs.  You could exempt outbound connections
to ports that you expect people to use, and use conntrack to log NEW
and/or INVALID connections to other ports.  With psad thrown into the mix,
as soon as the thresholds are tripped that psad defines as a scan, then
you can have psad apply auto blocking rules if you want.  Logging both
NEW and INVALID connections will cover nmap -sS/-sT and other scan types
like -sF.

> The best solution I have come up with is to use the 'recent' module
> but it still blocks a lot of legitimate traffic.
> 
>  # Log suspected port scanners
> iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent
> --name port_scan --rcheck --seconds 10 --hitcount 30 -j LOG
> --log-prefix 'PORT SCANNER(?): '
> 
> # Drop connections where packets > 29 in 10 second period.
> iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent
> --update --name port_scan  --seconds 10 --hitcount 30 -j DROP
> 
> # Allow and add the source address of the packet to the port_scan list
> iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent
> --set --name port_scan

You can do things like this, but this is more of a solution that resides
within iptables itself vs. letting psad apply its threshold and timing
logic which is typically more sophisticated than what can be readily
accomplished with such a strategy.  Since iptables logs when properly
applied to NEW and INVALID packets won't be too burdensome (i.e. not
logging every packet of an established tcp connection), I would let psad
work out what kinds of malicious behaviors are represented by these
logs.

Thanks,

--Mike

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss

Reply via email to