Rodolfo J. Paiz
2003-Jul-16 08:27 UTC
[Shorewall-users] HOWTO: Temporary dynamic blocking with Shorewall and Portsentry
Hi, all:

This is just a note and suggestion, not a question; but I really like this system and thought it might be useful to others so I decided to share. Hope it helps someone, and comments or suggestions are always welcome.

1. Overview: Shorewall accepts traffic on ports that I consider "hostile" (i.e. ports on which I would NEVER expect to see connections) and redirects them to a single high port on which Portsentry is listening. Portsentry in turn uses a custom shell script to block the offending IP address (using the "shorewall drop" command) and schedule an "at" job for 5 days later unblocking the offender (using the "shorewall allow" command). This ensures that I don't end up with 2000 rules in iptables or get blocked off from a large portion of the Net; also, since most hacks are attempted from dial-up connections, permanent blocking serves no real purpose anyway.

2. The relevant rules from /etc/shorewall/rules:

# Redirect certain "hostile" ports (ones we don't use and where probes are
# immediately considered to be hostile in nature) to port 49999 where
# Portsentry is configured to block the attacking IP addresses. Note that
# addresses which are blocked will be dynamically unblocked five days later.
#
# PORTSENTRY.
REDIRECT   net   49999   tcp   23
REDIRECT   net   49999   tcp   110
REDIRECT   net   49999   tcp   111
REDIRECT   net   49999   udp   111
REDIRECT   net   49999   tcp   143
REDIRECT   net   49999   tcp   515
REDIRECT   net   49999   tcp   1080
REDIRECT   net   49999   tcp   1433
REDIRECT   net   49999   tcp   1434
REDIRECT   net   49999   tcp   3128
REDIRECT   net   49999   tcp   12345
REDIRECT   net   49999   tcp   27374

3. The relevant lines from /etc/portsentry/portsentry.conf:

TCP_PORTS="49999"
UDP_PORTS="49999"
BLOCK_TCP="2"
KILL_RUN_CMD_FIRST = "1"
KILL_RUN_CMD="/root/bin/portsentry.temp.block $TARGET$ $PORT$"
SCAN_TRIGGER="0"

4. Set up portsentry to run in "standard mode" for both TCP and UDP. Do NOT use the advanced or stealth modes.

5. My shell script to drop and then later allow the attacking IP address:

#!/bin/bash
# portsentry.temp.block
# Rodolfo J. Paiz <rpaiz@simpaticus.com>
# version 2003.07.01
# Usage: portsentry.temp.block <bad_ip> <bad_port>
#
# portsentry.temp.block is a small script intended to be run by portsentry
# when its sensors are triggered. It uses iptables (more specifically, it
# uses the dynamic blacklisting capabilities of Shorewall) to deny all
# access to the server from the attacking host. Then, a set time interval
# later, the block is removed.
#
# This script can also be run directly if desired, although this is not a
# common form of usage.
#
# Experience shows that most attacks come from dial-up IP addresses, so
# blocking them permanently gives no real benefit, and removing them
# keeps our blocking table from becoming huge.

# Set appropriate variables (easy to customize on different systems).
DROP_INTERVAL_DAYS=5
HOSTNAME="Apollo"
NOTIFY_EMAIL="rpaiz@simpaticus.com"

# Get the attacker's IP address and probed port from the command
# parameters. DO NOT CHANGE THIS!
BAD_IP="$1"
BAD_PORT="$2"

# Refuse to run without an address (portsentry always supplies one).
if [ -z "$BAD_IP" ]; then
    echo "Usage: $0 <bad_ip> <bad_port>" >&2
    exit 1
fi

# Block the bad guy.
/sbin/shorewall drop "$BAD_IP"

# Unblock him X days after midnight tonight.
echo "/sbin/shorewall allow $BAD_IP" | at midnight + $DROP_INTERVAL_DAYS days

# Mail me a note to notify me of each block.
# TEMPORARILY ENABLED.
# ("at -l | wc -l" counts the pending at jobs, i.e. the scheduled unblocks,
# which equals the number of blocked hosts as long as nothing else is queued.)
echo "Portsentry has blocked $BAD_IP (`host $BAD_IP`) on `date`, \
from now until $DROP_INTERVAL_DAYS days from midnight tonight. At this \
point `at -l | wc -l` hosts are blocked." | mail -s "$HOSTNAME: \
Portsentry blocked $BAD_IP on $BAD_PORT" "$NOTIFY_EMAIL"

6. Test the system!!! Make sure it works properly!!!

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
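A hardened variant of the temporary-block helper, added here as an example; it is not Rodolfo's script and not part of Shorewall or Portsentry. It keeps the post's mechanism ("shorewall drop" now, "shorewall allow" queued with at(1) for midnight plus N days) but validates the address Portsentry hands over in $TARGET$ before it reaches a command line, refuses to blacklist a small allowlist of addresses, and makes the shorewall and at commands overridable so the logic can be exercised without root. The function names, the SHOREWALL_CMD, AT_CMD and NEVER_BLOCK variables, the return codes and the 198.51.100.1 / 203.0.113.x addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the HOWTO's script): temporary block with input checks.
# Assumed names: SHOREWALL_CMD, AT_CMD, NEVER_BLOCK, valid_ipv4, is_protected,
# block_temporarily. The shorewall drop/allow and at(1) usage follow the post.

SHOREWALL_CMD="${SHOREWALL_CMD:-/sbin/shorewall}"   # overridable for testing
AT_CMD="${AT_CMD:-at}"
DROP_INTERVAL_DAYS="${DROP_INTERVAL_DAYS:-5}"
# Addresses that must never be blacklisted (own DNS, upstream router, ...).
# 198.51.100.1 is a constructed documentation address, not a real upstream.
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1 198.51.100.1}"

# valid_ipv4 ADDR: succeed only for a plain dotted quad, each octet 0-255,
# no leading zeros and no characters other than digits and dots, so nothing
# that could be interpreted by a shell ever reaches a command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots; empty fields cannot occur after the pattern check above.
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in
            0[0-9]*|????*) return 1 ;;   # leading zero, or more than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_protected ADDR: succeed when ADDR is on the NEVER_BLOCK list.
is_protected() {
    for p in $NEVER_BLOCK; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# block_temporarily ADDR [DAYS]: blacklist ADDR now and queue its removal
# for midnight plus DAYS days. Returns 2 for a malformed address, 3 for a
# protected one, 1 if shorewall itself failed, 0 on success.
block_temporarily() {
    addr=$1
    days=${2:-$DROP_INTERVAL_DAYS}
    if ! valid_ipv4 "$addr"; then
        echo "refusing to block malformed address: $addr" >&2
        return 2
    fi
    if is_protected "$addr"; then
        echo "refusing to block protected address: $addr" >&2
        return 3
    fi
    "$SHOREWALL_CMD" drop "$addr" || return 1
    echo "$SHOREWALL_CMD allow $addr" | "$AT_CMD" midnight + "$days" days
}

# When run by portsentry (KILL_RUN_CMD="... $TARGET$ $PORT$"), $1 is the
# attacker and $2 the probed port; only $1 is needed for the block.
if [ $# -ge 1 ]; then
    block_temporarily "$1"
fi
```

The allowlist matters more than it looks: the rules above redirect udp/111 to Portsentry, and a single UDP datagram with a forged source address is enough to trigger a block, so without it a third party could get your resolver or upstream router blacklisted for five days. Point NEVER_BLOCK at whatever this host cannot afford to lose.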
Tom Eastep
2003-Jul-16 09:17 UTC
[Shorewall-users] HOWTO: Temporary dynamic blocking with Shorewall and Portsentry
Thanks, Rodolfo!

I've taken the liberty of placing your HOWTO in the Contributed directory on the Shorewall sites (e.g., http://shorewall.net/pub/shorewall/contrib)

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hi,

I have a big problem. I have a DNS server behind my firewall and when I check a domain name (http://www.afnic.fr/zonecheck/) it doesn't work.

I have made a DNAT in rules:
dnat net loc:10.0.0.2 tcp 53 - 213.30.138.253

My network:
dns server (and local machines) ------- firewall --------- router ------- net

Thanks
A+
On Wed, 2003-07-16 at 09:28, NCTEL - Fabien wrote:
> Hi, I have a big problem, I have a dns server behind my firewall and when i
> check a domain name (http://www.afnic.fr/zonecheck/) it doesn't work.
>
> I have made a dnat in rules :
> dnat net loc:10.0.0.2 tcp 53 - 213.30.138.253
>

DNS lookups normally use UDP -- you also need the rule:

DNAT net loc:10.0.0.2 udp 53 - 213.30.138.253

When setting up a new service, it is a good idea to start with http://www.shorewall.net/ports.htm -- it describes the protocol/port(s) used by many common services including DNS. Be sure you read the warning there about opening TCP port 53 and Zone Transfer security.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Rodolfo J. Paiz
2003-Jul-16 09:44 UTC
[Shorewall-users] HOWTO: Temporary dynamic blocking with Shorewall and Portsentry
At 7/16/2003 09:16 -0700, Tom Eastep wrote:
>Thanks, Rodolfo!

Hey, my pleasure. Most of the work is actually done by Shorewall, as you can see, so thank *you*.

>I've taken the liberty of placing your HOWTO in the Contributed
>directory on the Shorewall sites (e.g.,
>http://shorewall.net/pub/shorewall/contrib)

Sure, no problem. The text does not mention anywhere how to get portsentry; is it OK to leave that "as an exercise to the reader" or do you think that some suggestions on how to get it are in order? I couldn't point to a website, since Cisco bought Psionic and promptly shut them down, but I usually get my portsentry (either binary or source) from freshrpms.net then rebuild the rpm as necessary.

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
> Hi, I have a big problem, I have a dns server behind my firewall and when i
> check a domain name (http://www.afnic.fr/zonecheck/) it doesn't work.
>
> I have made a dnat in rules :
> dnat net loc:10.0.0.2 tcp 53 - 213.30.138.253

Well, first of all, DNS uses UDP as default. But if the answer is larger than what will fit in a single datagram, the rest is sent via TCP.
Tom Eastep
2003-Jul-16 09:49 UTC
[Shorewall-users] HOWTO: Temporary dynamic blocking with Shorewall and Portsentry
On Wed, 2003-07-16 at 09:42, Rodolfo J. Paiz wrote:
>
> Sure, no problem. The text does not mention anywhere how to get portsentry;
> is it OK to leave that "as an exercise to the reader" or do you think that
> some suggestions on how to get it are in order?

Let's assume that the readers will know how to use Google :-)

Thanks,
-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net