Hi, Is it possible to block the port scanning through shorewall, if yes then how? Thanks and Best Regards, Arif
>>Is it possible to block the port scanning through shorewall, if yesthen>>how?You can add IPTables rules to connection attempts on ports 1-19 (or as high as you can go) tcp/udp that will reply with a destination host unreachable (Credit goes to Chris Brenton of SANS for this tactic). Add these rules to /etc/shorewall/start. when port scanners, such as nmap, see the first few ports reply with a destination host unreachable, they give up and return that the host is down. I don''t have the syntax handy, but the man page should get you there. Jeff.
Jeff Falgout wrote:>>>Is it possible to block the port scanning through shorewall, if yes >> > then > >>>how? >> > > You can add IPTables rules to connection attempts on ports 1-19 (or as > high as you can go) tcp/udp > that will reply with a destination host unreachable (Credit goes to > Chris Brenton of SANS for this tactic). > > Add these rules to /etc/shorewall/start. > > when port scanners, such as nmap, see the first few ports reply with a > destination host unreachable, > they give up and return that the host is down. > > I don''t have the syntax handy, but the man page should get you there. >Use at your own risk....... -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net
Jeff Thanks... I was thinking if we can capture the ip of port scanner and dynamically ban that ip for any further traffic. Thanks and Best Regards, Arif -----Original Message----- From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Jeff Falgout Sent: Monday, September 23, 2002 9:57 AM To: arif786@rogers.com; shorewall-users@shorewall.net Subject: Re: [Shorewall-users] Blocking port scanning>>Is it possible to block the port scanning through shorewall, if yesthen>>how?You can add IPTables rules to connection attempts on ports 1-19 (or as high as you can go) tcp/udp that will reply with a destination host unreachable (Credit goes to Chris Brenton of SANS for this tactic). Add these rules to /etc/shorewall/start. when port scanners, such as nmap, see the first few ports reply with a destination host unreachable, they give up and return that the host is down. I don''t have the syntax handy, but the man page should get you there. Jeff. _______________________________________________ Shorewall-users mailing list Shorewall-users@shorewall.net http://www.shorewall.net/mailman/listinfo/shorewall-users
Arif Mahmood wrote:> Jeff Thanks... > > I was thinking if we can capture the ip of port scanner and dynamically > ban that ip for any further traffic. >That kind of facility needs to ban the IP for only a short period of time. In my experience, the incidence of repeat scans from the same IP is almost nil... I don''t know about others on the list but I see almost no port scans; I rather see probes of individual ports that are known to have the current ''vulnerability du jour''. -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net
Possibly Parallel Threads
- How does one use a module?
- Upcoming USENIX/LISA conference
- N00B questions: How to dynamically set hostname in a config file . . .
- How Does the Interaction Between Facter, Clients, and the Server work
- Bug or misconfiguration? Trying to add local user in NIS environment