On Apr 10, 2013, jxz6cjc...@snkmail.com wrote:

> Some of our users are launching port scans on Internet servers.
> These users connect to our servers using ssh and openvpn. We
> obviously suspend their accounts where appropriate; however, I'd like
> to find a technical solution that either prevents the scan or
> discourages them (e.g. by slowing it down). Obviously psad is
> designed to be used to scan the logs of servers being attacked;
> however, is it possible to use it to detect port scans on the
> originating server? I.e., could I create a set of rules on our server
> that would mimic the logs generated on the receiving server and
> point psad at it?
If I understand the question correctly, it sounds like you could add a set of logging rules to the OUTPUT chain on the originating systems and then have psad watch these logs. You could exempt outbound connections to ports that you expect people to use, and use conntrack to log NEW and/or INVALID connections to other ports. With psad thrown into the mix, as soon as the thresholds are tripped that psad defines as a scan, you can have psad apply auto-blocking rules if you want. Logging both NEW and INVALID connections will cover nmap -sS/-sT and other scan types like -sF.

> The best solution I have come up with is to use the 'recent' module,
> but it still blocks a lot of legitimate traffic.
>
> # Log suspected port scanners
> iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent \
>     --name port_scan --rcheck --seconds 10 --hitcount 30 -j LOG \
>     --log-prefix 'PORT SCANNER(?): '
>
> # Drop connections where packets > 29 in 10 second period.
> iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent \
>     --update --name port_scan --seconds 10 --hitcount 30 -j DROP
>
> # Allow and add the source address of the packet to the port_scan list
> iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent \
>     --set --name port_scan

You can do things like this, but this is more of a solution that resides within iptables itself vs. letting psad apply its threshold and timing logic, which is typically more sophisticated than what can be readily accomplished with such a strategy. Since iptables logs, when properly applied to NEW and INVALID packets, won't be too burdensome (i.e. not logging every packet of an established TCP connection), I would let psad work out what kinds of malicious behaviors are represented by these logs.

Thanks,

--Mike

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
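Added example (not from the original thread or the psad project) of the OUTPUT-chain logging described in the reply: a sh script that exempts expected outbound ports, then logs remaining NEW and INVALID outbound flows with a distinct prefix so psad can count them from syslog. The chain name PSAD_OUT, the port lists, the log prefixes and the IPT dry-run variable are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post or the psad project): log outbound
# NEW and INVALID flows on the originating host so psad can count them.
# IPT=echo prints the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"

# Constructed port lists: destination ports users are expected to reach.
# Anything else is logged.
EXPECTED_TCP="22 80 443"
EXPECTED_UDP="53 123 1194"

setup_psad_output_logging() {
    # Create (or flush) a dedicated chain and hook it first in OUTPUT.
    $IPT -N PSAD_OUT 2>/dev/null || $IPT -F PSAD_OUT
    $IPT -D OUTPUT -j PSAD_OUT 2>/dev/null || true
    $IPT -I OUTPUT 1 -j PSAD_OUT

    # Skip loopback and packets on already tracked connections, so each
    # flow costs one log line, not one per packet.
    $IPT -A PSAD_OUT -o lo -j RETURN
    $IPT -A PSAD_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN

    # Exempt expected services.
    for p in $EXPECTED_TCP; do
        $IPT -A PSAD_OUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j RETURN
    done
    for p in $EXPECTED_UDP; do
        $IPT -A PSAD_OUT -p udp --dport "$p" -m conntrack --ctstate NEW -j RETURN
    done

    # INVALID catches FIN/NULL/Xmas style probes that never open a tracked
    # connection; NEW catches SYN/connect() probes to any remaining port.
    # psad's docs recommend logging IP and TCP options for its signature checks.
    $IPT -A PSAD_OUT -m conntrack --ctstate INVALID \
        -j LOG --log-prefix "OUT-INVALID " --log-ip-options --log-tcp-options
    $IPT -A PSAD_OUT -m conntrack --ctstate NEW \
        -j LOG --log-prefix "OUT-NEW " --log-ip-options --log-tcp-options
    $IPT -A PSAD_OUT -j RETURN
}

# Only install the rules when explicitly asked; otherwise just define the function.
if [ "${1:-}" = "apply" ]; then
    setup_psad_output_logging
fi
```

OUTPUT-chain log lines carry an empty IN= field, so confirm in psad's own output that it is actually counting these lines (and only these) before turning on auto-blocking.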