thr3ads.net - Shorewall users - Temporary dynamic blocking with Shorewall and Portsentry DOES NOT SEEM TO WORK FULLY [May 2004]

If this information is useful, please help other people find it:
Share via:

Analabha Roy

2004-May-12 10:14 UTC

Temporary dynamic blocking with Shorewall and Portsentry DOES NOT SEEM TO WORK FULLY

Hi,


  Before I begin my long rant, let me admit first that I am very new to linux
(as a
desktop admin, I mean) and know very little about firewalls, packet filtering,
port
monitoring and such things beyond what I have read in web howto''s and
man pages.


 Now, as per the howto in the shorewall website regarding the integration
between
portsentry & shorewall ( 

http://www.shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt


)> I followed the instructions. I added the following rules to
"/etc/shorewall/rules"




##################################################################################
# **************** INTEGRATION WITH
PORTSENTRY************************************
##################################################################################
# Redirect certain "hostile" ports (ones we don''t use and
where probes are
# immediately considered to be hostile in nature) to port 49999 where
# Portsentry is configured to block the attacking IP addresses. Note that
# addresses which are blocked will be dynamically unblocked five days later.
#
# PORTSENTRY.
REDIRECT        net     49999           tcp     23
REDIRECT        net     49999           tcp     110
REDIRECT        net     49999           tcp     111
REDIRECT        net     49999           udp     111
REDIRECT        net     49999           tcp     143
REDIRECT        net     49999           tcp     515
REDIRECT        net     49999           tcp     1080
REDIRECT        net     49999           tcp     1433
REDIRECT        net     49999           tcp     1434
REDIRECT        net     49999           tcp     3128
REDIRECT        net     49999           tcp     12345
REDIRECT        net     49999           tcp     27374
REDIRECT        net     49999           tcp     113
REDIRECT        net     49999           tcp     139
REDIRECT        net     49999           udp     520     
REDIRECT        net     49999           udp     138
REDIRECT        net     49999           udp     137
REDIRECT        net     49999           udp     67



NB: I added a few extra ports of my own as shown above.


 I then went to "/etc/portsentry/portsentry.conf" and edited the
following variables to
their values as given below:



TCP_PORTS="49999"
UDP_PORTS="49999"
#
# Hosts to ignore
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/var/log/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/var/log/portsentry/portsentry.blocked"


BLOCK_UDP="1"
BLOCK_TCP="1"
KILL_HOSTS_DENY="ALL: $TARGET$"
KILL_RUN_CMD_FIRST = "1"
KILL_RUN_CMD="/opt/portsentry/portsentry.temp.block $TARGET$ $PORT$"
SCAN_TRIGGER="0"
PORT_BANNER="** HACK ATTEMPT DETECTED ON landau! LEAVE NOW OR DIE!!!!
**"




 I then added the script  "/opt/portsentry/portsentry.temp.block"
(shown below):


#!/bin/bash

# portsentry.temp.block
# Rodolfo J. Paiz <rpaiz@simpaticus.com>
# version 2003.07.01

# Usage: portsentry.temp.block <bad_ip> <bad_port>

# portsentry.temp.block is a small script intended to be run by portsentry
# when its sensors are triggered. It uses iptables (more specifically, it
# uses the dynamic blacklisting capabilities of Shorewall) to deny all
# access to the server from the attacking host. Then, a set time interval
# later, the block is removed.
#
# This script can also be run directly if desired, although this is not a
# common form of usage.
#
# Experience shows that most attacks come from dial-up IP addresses, so
# blocking them permanently gives no real benefit, and removing them
# keeps our blocking table from becoming huge.

# Set appropriate variables (easy to customize on different systems).
DROP_INTERVAL_DAYS=5
HOSTNAME="landau"
NOTIFY_EMAIL="aroy_802701@yahoo.com"



<THE REST OF IT WAS COPY-PASTED FROM THE HOWTO & IS IDENTICAL TO IT>






 Then I restarted shorewall & portsentry. To test the settings above I went
to my
roommate''s laptop & ran "nmap" on my linux box (w/out
ping) as an RCP scan on port 113 &
a UDP scan on port 520.

 As per my understanding, the sequence of events should go as follows:


1.  Shorewall has already told iptables to redirect packets in port 520 to port
49999. so
it should do that.

2.  Portsentry;s bound to that port, so it should interpret those packets as an
attack
and add my roommate''s laptop ip to "/etc/hosts.deny" and run
the "portsentry.temp.block"
script

3. This script should instruct shorewall to drop the ip address & instruct
the "at"
daemon to reset the drop after 5 days. It should then email me the activity
record.

4. nmap in my roommate''s laptop should show that my box either does not
exist or is
hiding or something





 Instead, what ACTUALLY HAPPENED is as follows:

1. I was monitoring netfilter log outputs from "/var/log/messages"
while running nmap
from my roommate''s laptop. It gave the following readings:

12/05/04 03:28:51: TCP  192.168.xxx.xx(33318) to 38594(unknown), flags SYN
12/05/04 03:28:51: UDP  192.168.xxx.xx(33307) to 38594(unknown)
12/05/04 03:29:21: TCP  192.168.xxx.xx(33318) to 38594(unknown), flags SYN
12/05/04 03:29:21: UDP  192.168.xxx.xx(33307) to 38594(unknown)
12/05/04 03:29:53: TCP  192.168.xxx.xx(33318) to 31294(unknown), flags SYN
12/05/04 03:29:53: UDP  192.168.xxx.xx(33307) to 31294(unknown)
12/05/04 03:30:23: TCP  192.168..xxx.xx(33318) to 31294(unknown), flags SYN
12/05/04 03:30:23: UDP  192.168..xxx.xx(33307) to 31294(unknown)
12/05/04 03:30:55: TCP  192.168..xxx.xx(33318) to 30320(unknown), flags SYN
12/05/04 03:30:55: UDP  192.168..xxx.xx(33307) to 30320(unknown)
12/05/04 03:31:25: TCP  192.168..xxx.xx(33318) to 30320(unknown), flags SYN
12/05/04 03:31:25: UDP  192.168..xxx.xx(33307) to 30320(unknown)
12/05/04 03:39:59: TCP  192.168..xxx.xx(55023) to 41735(unknown), flags SYN
12/05/04 03:39:59: UDP  192.168..xxx.xx(55012) to 41735(unknown)
12/05/04 03:40:29: TCP  192.168..xxx.xx(55023) to 41735(unknown), flags SYN
12/05/04 03:40:29: UDP  192.168..xxx.xx(55012) to 41735(unknown)
12/05/04 03:41:01: TCP  192.168..xxx.xx(55023) to 44616(unknown), flags SYN
12/05/04 03:41:01: UDP  192.168..xxx.xx(55012) to 44616(unknown)
12/05/04 03:41:31: TCP  192.168..xxx.xx(55023) to 44616(unknown), flags SYN
12/05/04 03:41:31: UDP  192.168..xxx.xx(55012) to 44616(unknown)
12/05/04 03:42:03: TCP  192.168..xxx.xx(55023) to 36277(unknown), flags SYN







2. No emails came. I ran "at -l|wc -l" & got nothing


3. My roommate''s ip WAS added to "/etc/hosts.deny", however.

4. I checked "/var/log/messages" by grep''ing
"portsentry", & this is what I got:





May 12 03:01:55 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:01:55 landau portsentry[1635]: attackalert: External command run for
host:
xxx.xxx.xxx..10 using command: "1"
May 12 03:01:55 landau portsentry[1635]: attackalert: Host xxx.xxx.xxx..10 has
been
blocked via wrappers with string: "ALL: xxx.xxx.xxx..10"
May 12 03:02:09 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:02:09 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:02:10 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:02:10 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:02:11 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:02:11 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:12:25 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:12:25 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:14:16 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:14:16 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:14:17 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:14:17 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:14:18 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:14:18 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:16:55 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:16:55 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:24:23 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:24:23 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:26:23 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:26:23 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:26:24 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:26:24 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:26:25 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:26:25 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:28:34 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:28:34 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:28:36 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:28:36 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:28:37 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:28:37 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:28:39 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:28:39 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:28:45 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:28:45 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:31:55 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:31:55 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:36:21 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:36:21 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:38:30 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:38:30 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:38:31 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:38:31 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:38:32 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:38:32 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:39:06 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:39:06 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:39:07 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:39:07 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:39:09 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:39:09 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:46:55 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:46:55 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:48:19 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:48:19 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:50:37 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:50:37 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:50:38 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:50:38 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 03:50:39 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:50:39 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 04:00:20 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 04:00:20 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring
May 12 04:01:55 landau portsentry[1635]: attackalert: Connect from host:
xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 04:01:55 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is
already
blocked. Ignoring





4. FINALLY, I checked nmapfe''s output on my roommate''s laptop,
& it said that the ports I
scanned were open!






 Now, I''m running Mandrake Linux 10.0 on a Gateway 310XL. I have the
following questions:


A. Does the above mean that the configuration basically worked, but it did not
warn me by
email as it should? I checked the postfix configuration & test sent myself
an email using
"mail -s" & it worked, so no probs there.



B. Should I be worried about event #4? Those ports are listed as open, but
they''re not
really, right? I''ve configured shorewall to block all ports but for the
ones I''ve listed
in the rules file.



C. Did I do "nmap" properly? Should I have added additional flags that
would adequately
test this configuration?

D.If the answer to question A is "yes", then what''s wrong
with the portsentry.temp.block
script ? I have "at" installed and everything and "atd" is
running.


 Rant ends here.



 I would greatly appreciate any guidance & help in this matter. Please do be
so kind as
top advise.


Thanks,
AR





 


====


	
		
__________________________________
Do you Yahoo!?
Yahoo! Movies - Buy advance tickets for ''Shrek 2''
http://movies.yahoo.com/showtimes/movie?mid=1808405861

Tom Eastep

2004-May-12 14:44 UTC

head link

Re: Temporary dynamic blocking with Shorewall and Portsentry DOES NOT SEEM TO WORK FULLY

Analabha Roy wrote:
> 
> 
> B. Should I be worried about event #4? Those ports are listed as open, but
they''re not
> really, right? I''ve configured shorewall to block all ports but
for the ones I''ve listed
> in the rules file.
> 
Since this question is the only one in your post that directly applies 
to Shorewall, I''ll respond by saying that you should carefully review 
the "Open Ports" section of the Shorewall FAQ before becoming upset 
about what nmap tells you, especially when it comes to UDP.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Shorewall users - May 2004 - Temporary dynamic blocking with Shorewall and Portsentry DOES NOT SEEM TO WORK FULLY

Temporary dynamic blocking with Shorewall and Portsentry DOES NOT SEEM TO WORK FULLY

Re: Temporary dynamic blocking with Shorewall and Portsentry DOES NOT SEEM TO WORK FULLY