Analabha Roy
2004-May-12 10:14 UTC
Temporary dynamic blocking with Shorewall and Portsentry DOES NOT SEEM TO WORK FULLY
Hi,

Before I begin my long rant, let me admit first that I am very new to linux (as a desktop admin, I mean) and know very little about firewalls, packet filtering, port monitoring and such things beyond what I have read in web howto's and man pages.

Now, as per the howto in the shorewall website regarding the integration between portsentry & shorewall ( http://www.shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt ), I followed the instructions. I added the following rules to "/etc/shorewall/rules":

##################################################################################
# **************** INTEGRATION WITH PORTSENTRY************************************
##################################################################################
# Redirect certain "hostile" ports (ones we don't use and where probes are
# immediately considered to be hostile in nature) to port 49999 where
# Portsentry is configured to block the attacking IP addresses. Note that
# addresses which are blocked will be dynamically unblocked five days later.
#
# PORTSENTRY.
REDIRECT   net   49999   tcp   23
REDIRECT   net   49999   tcp   110
REDIRECT   net   49999   tcp   111
REDIRECT   net   49999   udp   111
REDIRECT   net   49999   tcp   143
REDIRECT   net   49999   tcp   515
REDIRECT   net   49999   tcp   1080
REDIRECT   net   49999   tcp   1433
REDIRECT   net   49999   tcp   1434
REDIRECT   net   49999   tcp   3128
REDIRECT   net   49999   tcp   12345
REDIRECT   net   49999   tcp   27374
REDIRECT   net   49999   tcp   113
REDIRECT   net   49999   tcp   139
REDIRECT   net   49999   udp   520
REDIRECT   net   49999   udp   138
REDIRECT   net   49999   udp   137
REDIRECT   net   49999   udp   67

NB: I added a few extra ports of my own as shown above.
I then went to "/etc/portsentry/portsentry.conf" and edited the following variables to their values as given below:

TCP_PORTS="49999"
UDP_PORTS="49999"
#
# Hosts to ignore
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/var/log/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/var/log/portsentry/portsentry.blocked"
BLOCK_UDP="1"
BLOCK_TCP="1"
KILL_HOSTS_DENY="ALL: $TARGET$"
KILL_RUN_CMD_FIRST = "1"
KILL_RUN_CMD="/opt/portsentry/portsentry.temp.block $TARGET$ $PORT$"
SCAN_TRIGGER="0"
PORT_BANNER="** HACK ATTEMPT DETECTED ON landau! LEAVE NOW OR DIE!!!! **"

I then added the script "/opt/portsentry/portsentry.temp.block" (shown below):

#!/bin/bash
# portsentry.temp.block
# Rodolfo J. Paiz <rpaiz@simpaticus.com>
# version 2003.07.01
# Usage: portsentry.temp.block <bad_ip> <bad_port>
#
# portsentry.temp.block is a small script intended to be run by portsentry
# when its sensors are triggered. It uses iptables (more specifically, it
# uses the dynamic blacklisting capabilities of Shorewall) to deny all
# access to the server from the attacking host. Then, a set time interval
# later, the block is removed.
#
# This script can also be run directly if desired, although this is not a
# common form of usage.
#
# Experience shows that most attacks come from dial-up IP addresses, so
# blocking them permanently gives no real benefit, and removing them
# keeps our blocking table from becoming huge.

# Set appropriate variables (easy to customize on different systems).
DROP_INTERVAL_DAYS=5
HOSTNAME="landau"
NOTIFY_EMAIL="aroy_802701@yahoo.com"

<THE REST OF IT WAS COPY-PASTED FROM THE HOWTO & IS IDENTICAL TO IT>

Then I restarted shorewall & portsentry. To test the settings above I went to my roommate's laptop & ran "nmap" on my linux box (w/out ping) as an RPC scan on port 113 & a UDP scan on port 520.
As per my understanding, the sequence of events should go as follows:

1. Shorewall has already told iptables to redirect packets in port 520 to port 49999, so it should do that.
2. Portsentry's bound to that port, so it should interpret those packets as an attack and add my roommate's laptop ip to "/etc/hosts.deny" and run the "portsentry.temp.block" script.
3. This script should instruct shorewall to drop the ip address & instruct the "at" daemon to reset the drop after 5 days. It should then email me the activity record.
4. nmap in my roommate's laptop should show that my box either does not exist or is hiding or something.

Instead, what ACTUALLY HAPPENED is as follows:

1. I was monitoring netfilter log outputs from "/var/log/messages" while running nmap from my roommate's laptop. It gave the following readings:

12/05/04 03:28:51: TCP 192.168.xxx.xx(33318) to 38594(unknown), flags SYN
12/05/04 03:28:51: UDP 192.168.xxx.xx(33307) to 38594(unknown)
12/05/04 03:29:21: TCP 192.168.xxx.xx(33318) to 38594(unknown), flags SYN
12/05/04 03:29:21: UDP 192.168.xxx.xx(33307) to 38594(unknown)
12/05/04 03:29:53: TCP 192.168.xxx.xx(33318) to 31294(unknown), flags SYN
12/05/04 03:29:53: UDP 192.168.xxx.xx(33307) to 31294(unknown)
12/05/04 03:30:23: TCP 192.168..xxx.xx(33318) to 31294(unknown), flags SYN
12/05/04 03:30:23: UDP 192.168..xxx.xx(33307) to 31294(unknown)
12/05/04 03:30:55: TCP 192.168..xxx.xx(33318) to 30320(unknown), flags SYN
12/05/04 03:30:55: UDP 192.168..xxx.xx(33307) to 30320(unknown)
12/05/04 03:31:25: TCP 192.168..xxx.xx(33318) to 30320(unknown), flags SYN
12/05/04 03:31:25: UDP 192.168..xxx.xx(33307) to 30320(unknown)
12/05/04 03:39:59: TCP 192.168..xxx.xx(55023) to 41735(unknown), flags SYN
12/05/04 03:39:59: UDP 192.168..xxx.xx(55012) to 41735(unknown)
12/05/04 03:40:29: TCP 192.168..xxx.xx(55023) to 41735(unknown), flags SYN
12/05/04 03:40:29: UDP 192.168..xxx.xx(55012) to 41735(unknown)
12/05/04 03:41:01: TCP 192.168..xxx.xx(55023) to 44616(unknown), flags SYN
12/05/04 03:41:01: UDP 192.168..xxx.xx(55012) to 44616(unknown)
12/05/04 03:41:31: TCP 192.168..xxx.xx(55023) to 44616(unknown), flags SYN
12/05/04 03:41:31: UDP 192.168..xxx.xx(55012) to 44616(unknown)
12/05/04 03:42:03: TCP 192.168..xxx.xx(55023) to 36277(unknown), flags SYN

2. No emails came. I ran "at -l|wc -l" & got nothing.
3. My roommate's ip WAS added to "/etc/hosts.deny", however.
4. I checked "/var/log/messages" by grep'ing "portsentry", & this is what I got:

May 12 03:01:55 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:01:55 landau portsentry[1635]: attackalert: External command run for host: xxx.xxx.xxx..10 using command: "1"
May 12 03:01:55 landau portsentry[1635]: attackalert: Host xxx.xxx.xxx..10 has been blocked via wrappers with string: "ALL: xxx.xxx.xxx..10"
May 12 03:02:09 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:02:09 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:02:10 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:02:10 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:02:11 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:02:11 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:12:25 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:12:25 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:14:16 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:14:16 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:14:17 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:14:17 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:14:18 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:14:18 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:16:55 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:16:55 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:24:23 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:24:23 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:26:23 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:26:23 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:26:24 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:26:24 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:26:25 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:26:25 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:28:34 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:28:34 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:28:36 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:28:36 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:28:37 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:28:37 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:28:39 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:28:39 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:28:45 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:28:45 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:31:55 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:31:55 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:36:21 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:36:21 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:38:30 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:38:30 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:38:31 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:38:31 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:38:32 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:38:32 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:39:06 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:39:06 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:39:07 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:39:07 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:39:09 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:39:09 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:46:55 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:46:55 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:48:19 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:48:19 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:50:37 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:50:37 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:50:38 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:50:38 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 03:50:39 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 03:50:39 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 04:00:20 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 04:00:20 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring
May 12 04:01:55 landau portsentry[1635]: attackalert: Connect from host: xxx.xxx.xxx..10/xxx.xxx.xxx..10 to UDP port: 49999
May 12 04:01:55 landau portsentry[1635]: attackalert: Host: xxx.xxx.xxx..10 is already blocked. Ignoring

4. FINALLY, I checked nmapfe's output on my roommate's laptop, & it said that the ports I scanned were open!

Now, I'm running Mandrake Linux 10.0 on a Gateway 310XL. I have the following questions:

A. Does the above mean that the configuration basically worked, but it did not warn me by email as it should? I checked the postfix configuration & test sent myself an email using "mail -s" & it worked, so no probs there.
B. Should I be worried about event #4? Those ports are listed as open, but they're not really, right? I've configured shorewall to block all ports but for the ones I've listed in the rules file.
C. Did I do "nmap" properly? Should I have added additional flags that would adequately test this configuration?
D. If the answer to question A is "yes", then what's wrong with the portsentry.temp.block script? I have "at" installed and everything and "atd" is running.

Rant ends here. I would greatly appreciate any guidance & help in this matter. Please do be so kind as to advise.

Thanks,
AR
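A way to work on question D, added here as an editorial example; this is not code from the post, from the Shorewall Portsentry HOWTO or from the portsentry project. The posted log line "External command run for host: ... using command: "1"" says portsentry executed the literal string 1, which is the value given for KILL_RUN_CMD_FIRST, not the path in KILL_RUN_CMD. The script below assumes a config parser that matches a key by prefix and takes the first matching line (an assumption about parser behaviour used to reproduce the symptom, not a statement about portsentry's source): read that way, the posted config really does yield "1" for KILL_RUN_CMD, because KILL_RUN_CMD_FIRST appears first and starts with the same characters. It flags the two constructs involved (blanks around "=", and a key that is a prefix of a key defined earlier), and adds a temp-block helper in the spirit of portsentry.temp.block that refuses anything but a plain IPv4 address before handing it to "shorewall drop" and "at". All function names (prefix_lookup, strict_lookup, conf_warnings, is_ipv4, block_plan, temp_block), the SHOREWALL and AT override variables and the sample config text are assumptions of this example.

```shell
#!/bin/sh
# Added example for the thread above. It is NOT code from the post, from the
# Shorewall Portsentry HOWTO or from the portsentry project.
#
# Part 1 reproduces the symptom in the posted log (portsentry ran the
# "command" 1, the value of KILL_RUN_CMD_FIRST, instead of the script in
# KILL_RUN_CMD). The reproduction ASSUMES a config parser that matches a
# key by prefix and returns the first matching line; it makes no claim about
# portsentry's own source, only that this is one way to get that log line
# from the config shown in the post.
# Part 2 is a small temp-block helper in the spirit of portsentry.temp.block
# that validates the address before passing it to "shorewall drop" and "at".

# Constructed copy of the relevant lines of the poster's portsentry.conf,
# in the order they appear in the post.
SAMPLE_CONF='KILL_HOSTS_DENY="ALL: $TARGET$"
KILL_RUN_CMD_FIRST = "1"
KILL_RUN_CMD="/opt/portsentry/portsentry.temp.block $TARGET$ $PORT$"
SCAN_TRIGGER="0"'

# quoted_value: keep only what sits between the first pair of double quotes.
quoted_value() {
    sed 's/^[^"]*"\([^"]*\)".*$/\1/'
}

# prefix_lookup KEY [CONF]: value from the first non-comment line that merely
# STARTS WITH KEY, so KEY=KILL_RUN_CMD also matches KILL_RUN_CMD_FIRST.
prefix_lookup() {
    printf '%s\n' "${2:-$SAMPLE_CONF}" | grep -v '^#' | grep "^$1" \
        | head -n 1 | quoted_value
}

# strict_lookup KEY [CONF]: KEY must be followed by optional blanks and "=".
strict_lookup() {
    printf '%s\n' "${2:-$SAMPLE_CONF}" | grep -v '^#' \
        | grep "^$1[[:blank:]]*=" | head -n 1 | quoted_value
}

# conf_warnings [CONF]: one line per construct that can confuse a naive
# key=value parser: blanks around "=", and a key that is a prefix of a key
# defined EARLIER in the file (the prefix-matching hazard above).
conf_warnings() {
    printf '%s\n' "${1:-$SAMPLE_CONF}" | grep -v '^#' | grep '=' | awk '
    {
        key = $0; sub(/[ \t]*=.*/, "", key)
        if ($0 ~ /[ \t]=|=[ \t]/) print "blanks around = in: " key
        for (i = 1; i <= n; i++)
            if (keys[i] != key && index(keys[i], key) == 1)
                print key " is a prefix of earlier key " keys[i]
        keys[++n] = key
    }'
}

# is_ipv4 ADDR: accept only a dotted quad with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# block_plan ADDR DAYS: print the two steps of a temporary block (add to the
# Shorewall dynamic blacklist now, schedule the removal with at) without
# running them. Anything that is not a plain IPv4 address is refused, so a
# $TARGET$ that is not an address never reaches a shell command line.
block_plan() {
    is_ipv4 "$1" || { echo "block_plan: refusing target '$1'" >&2; return 1; }
    printf 'shorewall drop %s\n' "$1"
    printf 'echo "shorewall allow %s" | at now + %s days\n' "$1" "$2"
}

# temp_block ADDR DAYS: run the plan. SHOREWALL and AT can be overridden with
# shell functions or other commands for a dry run on a box without them.
temp_block() {
    is_ipv4 "$1" || return 1
    "${SHOREWALL:-shorewall}" drop "$1" &&
        echo "${SHOREWALL:-shorewall} allow $1" | "${AT:-at}" now + "$2" days
}

# Stand-alone demo on the constructed config and a constructed address.
echo "prefix-match reading of KILL_RUN_CMD: $(prefix_lookup KILL_RUN_CMD)"
echo "strict reading of KILL_RUN_CMD:       $(strict_lookup KILL_RUN_CMD)"
conf_warnings
block_plan 192.168.1.10 5
```

Run it with sh on any box; nothing in it needs Shorewall, portsentry or atd to be installed, and temp_block can be dry-run by pointing SHOREWALL and AT at a stub. The point of is_ipv4 is that the dynamic-blacklist commands are built from a value that an outside host chose (its source address as portsentry saw it), so the helper only accepts the one shape that value is allowed to have.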
Tom Eastep
2004-May-12 14:44 UTC
Re: Temporary dynamic blocking with Shorewall and Portsentry DOES NOT SEEM TO WORK FULLY
Analabha Roy wrote:
>
> B. Should I be worried about event #4? Those ports are listed as open, but they're not
> really, right? I've configured shorewall to block all ports but for the ones I've listed
> in the rules file.
>

Since this question is the only one in your post that directly applies to Shorewall, I'll respond by saying that you should carefully review the "Open Ports" section of the Shorewall FAQ before becoming upset about what nmap tells you, especially when it comes to UDP.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net