Hi,

Is there any way to automatically block all traffic from IPs that try more than X number of blocked ports for a preset amount of time? The log I get every morning seems to be getting bigger and bigger with port scans and attempts to access various services. It would be nice if these IPs could be automatically blocked for like a week or two. I wouldn't want to block them permanently since some may be dynamic IPs that legitimate browsers may make use of at another time.

Thanks.
On Sun, 24 Oct 2004 09:06:56 +0100, WipeOut <wipe_out@users.sourceforge.net> wrote:

> Is there any way to automatically block all traffic from IPs that try
> more than X number of blocked ports for a preset amount of time?
> [...]
> I wouldn't want to block them permanently since some may be dynamic IPs
> that legitimate browsers may make use of at another time.

Hmh, be careful: many scanners like f.e. nmap allow setting the source address of such scans to arbitrary values, so you risk blocking completely innocent IPs. If you wonder why someone would do this: mostly to confuse the target's admin and to make it impossible to auto-blacklist. nmap's decoy option even allows mixing real sources with arbitrary source addresses.

    # nmap -D 216.211.130.20,207.46.156.188 www.somesite.at

will scan www.somesite.at and the admin there will not be able to know whether this comes from you, from shorewall.net (216.211.130.20) or from microsoft.com (207.46.156.188) (at least not without analysing the router traffic).

Regards, Ingo.
Ingo Lantschner wrote:

> On Sun, 24 Oct 2004 09:06:56 +0100, WipeOut <wipe_out@users.sourceforge.net> wrote:
>
>> Is there any way to automatically block all traffic from IPs that
>> try more than X number of blocked ports for a preset amount of time?
>> [...]
>> I wouldn't want to block them permanently since some may be dynamic
>> IPs that legitimate browsers may make use of at another time.
>
> Hmh, be careful: many scanners like f.e. nmap allow setting the
> source address of such scans to arbitrary values, so you risk
> blocking completely innocent IPs. If you wonder why someone would do
> this: mostly to confuse the target's admin and to make it impossible
> to auto-blacklist. nmap's decoy option even allows mixing real
> sources with arbitrary source addresses.
>
>     # nmap -D 216.211.130.20,207.46.156.188 www.somesite.at
>
> will scan www.somesite.at and the admin there will not be able to
> know whether this comes from you, from shorewall.net (216.211.130.20)
> or from microsoft.com (207.46.156.188) (at least not without analysing
> the router traffic).
>
> Regards, Ingo.

Thanks for the reply. That's certainly interesting.

How are the responses routed back to the person running the scan if they are using some other source address? Surely the return traffic would be routed back to the specified source address, and if that was some other address then what would be the point of the scan in the first place since no results would be produced?

Maybe I am just missing something. :)
Hi there,

I think it could be possible using the same way to detect IPs behind a NAT; that would require a packet analyzer, not just a logger.

Regards,

> How are the responses routed back to the person running the scan if they
> are using some other source address?
> Surely the return traffic would be routed back to the specified source
> address and if that was some other address then what would be the point
> of the scan in the first place since no results would be produced?
>
> Maybe I am just missing something. :)

__________________________________________________________________________
Urivan Saaib
Director General
CiberLinux Networking
saaib@ciberllinux.net
http://www.ciberlinux.net
Tel/Fax: +52 (646) 1757195
Hi,

On Mon, 2004-10-25 at 12:18, Urivan Saaib wrote:

> Hi there,
>
> I think it could be possible using the same way to detect IPs behind a NAT; that
> would require a packet analyzer, not just a logger.

Port Sentry might be what you are looking for. It will output to a file the IPs which meet the criteria for an attack; you can then take that file via a cron job and make your shorewall blacklist. However, Port Sentry is not the best program IMHO. I installed it on a computer a while back and attacks against that computer actually went up. The reason for this is getting way off topic. Anyway, for something quick and easy Port Sentry will do.

Snort is the program that I have started to use, coupled with a mysql database and ACID. It does really well, giving few false positives; however, it is a little more in depth to set up. You may also want to look at that. Google for intrusion detection systems and you will find exactly what you are looking for.

--
 _
/-\ ndrew
The nmap feature mentioned is called "Decoy Scanning" and is basically intended to be a way to hide your (the scanner's) IP inside of a bunch of other apparent scan traffic. This can be used to bypass many IDS systems as well as to give the target admin a headache when he tries to figure out which of the 25 systems that appear to have scanned him actually did.

Auto-blacklisting an apparent attacker also has an additional drawback, which has sort of already been mentioned. An attacker who notices this feature could simply spoof traffic from your upstream router and knock you offline. As far as I've been able to tell, auto-blacklisting is generally considered an unsafe practice.

On Mon, 25 Oct 2004 11:18:13 -0700 (PDT), Urivan Saaib <saaib@c-ber.net> wrote:

> Hi there,
>
> I think it could be possible using the same way to detect IPs behind a NAT; that
> would require a packet analyzer, not just a logger.
>
> Regards,
>
>> How are the responses routed back to the person running the scan if they
>> are using some other source address?
>> Surely the return traffic would be routed back to the specified source
>> address and if that was some other address then what would be the point
>> of the scan in the first place since no results would be produced?
>>
>> Maybe I am just missing something. :)
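The original question (count distinct blocked ports per source, then block for a week or two) and Andrew's "detector writes a file, cron turns it into a blacklist" pipeline can be combined into one small log pass; the following is an added example, not code from the thread or from Shorewall/Port Sentry. It assumes Shorewall's `Shorewall:chain:DROP:` prefix on netfilter log lines, uses constructed log lines with documentation addresses and an assumed year (syslog timestamps carry none), and, per the later warning, keeps a never-block set for the gateway/upstream hops; its output is a candidate list with expiry dates for review, not rules applied unattended.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Shorewall/netfilter DROP lines (syslog style, no year); not real traffic.
SAMPLE_LOG = """\
Oct 24 03:10:01 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22
Oct 24 03:10:02 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=23
Oct 24 03:10:03 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=135
Oct 24 03:10:04 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=445
Oct 24 03:11:00 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22
Oct 24 03:11:05 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=22
Oct 24 03:12:00 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.1 DST=203.0.113.5 PROTO=TCP SPT=1 DPT=1
Oct 24 03:12:01 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.1 DST=203.0.113.5 PROTO=TCP SPT=2 DPT=2
Oct 24 03:12:02 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.1 DST=203.0.113.5 PROTO=TCP SPT=3 DPT=3
"""
DEMO_NOW = datetime(2004, 10, 25, 6, 0, 0)   # constructed "time the cron job runs"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*:DROP:.*SRC=(\S+) .*DPT=(\d+)")

def parse_drops(text, year=2004):
    """Yield (timestamp, src_ip, dst_port) per DROP line; the year is assumed (syslog omits it)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3))

def find_scanners(events, min_ports=3, window=timedelta(minutes=5)):
    """Sources that hit >= min_ports DISTINCT blocked ports inside one sliding window.
    Counting distinct ports (not hits) keeps a client retrying one closed port off the list."""
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (ts, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - ts <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

def build_blacklist(flagged, never_block, now, ttl=timedelta(days=14)):
    """Temporary entries only (the poster wanted a week or two); gateway/upstream hops are never listed,
    since a spoofed source can otherwise talk you into blocking your own router."""
    return sorted((ip, now + ttl) for ip in flagged if ip not in never_block)

if __name__ == "__main__":
    hits = find_scanners(parse_drops(SAMPLE_LOG))
    for ip, expires in build_blacklist(hits, {"192.0.2.1"}, DEMO_NOW):
        print(f"{ip}\tports={hits[ip]}\texpires={expires:%Y-%m-%d}")
```

Run it from cron against yesterday's log and diff the output against the current blacklist before loading it; an entry whose expiry has passed is dropped on the next run rather than blocked permanently.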