Some of our users are launching port scans on Internet servers. These
users connect to our servers using ssh and openvpn. We obviously suspend
their accounts where appropriate; however, I'd like to find a technical
solution that either prevents the scan or discourages them (e.g. by
slowing it down). Obviously psad is designed to be used to scan the logs
of servers being attacked; however, is it possible to use it to detect
port scans on the originating server? I.e., could I create a set of rules
on our server that would mimic the logs generated on the receiving
server and point psad at it?
The best solution I have come up with is to use the 'recent' module but
it still blocks a lot of legitimate traffic.
# Log suspected port scanners (note: --hitcount above 20 requires the
# xt_recent module to be loaded with ip_pkt_list_tot=30 or higher)
iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent --name port_scan --rcheck --seconds 10 --hitcount 30 -j LOG --log-prefix 'PORT SCANNER(?): '
# Drop connections where packets > 29 in 10 second period.
iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent --update --name port_scan --seconds 10 --hitcount 30 -j DROP
# Allow and add the source address of the packet to the port_scan list
iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent --set --name port_scan
Thanks,
Jerome.
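As an added example (not part of Jerome's post): the recent-module rule above counts every new SYN from a source, so a browser opening thirty connections to one HTTPS server looks the same as a sweep of thirty ports. The script below reads the lines the LOG rule writes and flags a source only when it fans out to many distinct destination/port pairs, which is closer to what psad does; the log lines and the threshold of 10 targets are constructed assumptions.

```python
import re
from collections import defaultdict

# Fields the kernel LOG target emits for a TCP SYN; only those used here are captured.
LOG_RE = re.compile(
    r"PORT SCANNER\(\?\): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def parse_log(lines):
    """Yield (src, dst, dport) for each line written by the LOG rule."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))

def classify_sources(lines, min_targets=10):
    """Group SYNs by source and flag a source as scanning when it has hit at
    least min_targets distinct (destination, port) pairs. The raw SYN count,
    which is all the recent module sees, is kept alongside for comparison."""
    targets, syns = defaultdict(set), defaultdict(int)
    for src, dst, dport in parse_log(lines):
        targets[src].add((dst, dport))
        syns[src] += 1
    return {src: {"syns": syns[src],
                  "distinct_targets": len(targets[src]),
                  "scan": len(targets[src]) >= min_targets}
            for src in syns}

def _line(src, dst, dpt):
    # Constructed sample line in the format the LOG rule above produces.
    return (f"Mar  4 10:00:01 vpn kernel: PORT SCANNER(?): IN=tun0 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
            f"PROTO=TCP SPT=40000 DPT={dpt} WINDOW=64240 RES=0x00 SYN URGP=0 ")

# Constructed sample: 10.8.0.5 sweeps ports 20-31 on one host (12 distinct
# targets); 10.8.0.7 opens 12 connections to a single HTTPS server (1 target).
# Both exceed a plain SYN-count threshold, but only the first is a scan.
SAMPLE_LOG = ([_line("10.8.0.5", "203.0.113.10", p) for p in range(20, 32)]
              + [_line("10.8.0.7", "198.51.100.20", 443) for _ in range(12)])

if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```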
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss