sudo add-apt-repository ppa:ubuntu-lxc/lxd-stable
sudo apt-get update
sudo apt-get install lxd
========================

iptables -t nat -A PREROUTING -p tcp --dport 9000 -j DNAT --to 10.0.3.204:9000


vaheeD

More Posts - Website

Follow Me:

Ubuntu Server 10.10 64-bit with ZoneMinder 1.24.2 from source, FFmpeg, libjpeg-turbo, Webmin, Cambozola

#Install Ubuntu Server Edition 10.10 64-bit. (http://www.ubuntu.com/business/get-ubuntu/download)
#At software selection, select LAMP and OpenSSH server.
#After install completes, log in and set a static IP address in /etc/network/interfaces. Edit the addresses to suit YOUR network:

sudo nano /etc/network/interfaces

####################################
####################################

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1

####################################
####################################

# ctrl-o to save ctrl-x to exit nano

sudo ifdown -a

sudo ifup -a

#Once networking is in order and you can reach the internet, ssh into your zoneminder system from another linux computer on your LAN.
#Now you can copy/paste the following commands into a terminal unless you prefer to type. Multiple commands without an empty line in between 
#can be copied and pasted together. Do not paste lines that start with #

########################
#Update system software#
########################

sudo apt-get update

sudo apt-get dist-upgrade

sudo reboot

#############
#Become root#
#############

sudo su

#######################
#Optimize GCC compiler#
#######################

export CFLAGS="-march=native -O2 -pipe" && \
export CXXFLAGS="${CFLAGS}" && \
export CPPFLAGS="${CFLAGS}"

#########################################
#Install prerequisites from repositories#
#########################################

aptitude install build-essential linux-headers-`uname -r` automake perl libauthen-pam-perl \
libpam-runtime libio-pty-perl libmysqlclient-dev \
libarchive-zip-perl libdate-manip-perl libdevice-serialport-perl libjpeg62 libmime-perl libstdc++6 libwww-perl \
zlib1g zip unzip patch ntp openssl libpcre3-dev libssl-dev libjpeg-progs libcurl4-gnutls-dev munin munin-node libmime-lite-perl \
netpbm libbz2-dev subversion yasm libnet-ssleay-perl libauthen-pam-perl libio-pty-perl apt-show-versions git-core mysql-server mysql-client

################
#Install Webmin#
################

wget http://downloads.sourceforge.net/project/webadmin/webmin/1.540/webmin_1.540_all.deb?use_mirror=voxel

mv webmin_1.540_all.deb\?use_mirror\=voxel webmin_1.540_all.deb && \
dpkg -i webmin_1.540_all.deb

#######################
#Install libjpeg-turbo# (AMD64)
#######################

wget http://downloads.sourceforge.net/project/libjpeg-turbo/1.1.0/libjpeg-turbo_1.1.0_amd64.deb?use_mirror=voxel

mv libjpeg-turbo_1.1.0_amd64.deb?use_mirror=voxel libjpeg-turbo_1.1.0_amd64.deb && \
dpkg -i libjpeg-turbo_1.1.0_amd64.deb

ln -s /opt/libjpeg-turbo/lib/libjpeg.a /usr/lib/libjpeg.a && \
ln -s /opt/libjpeg-turbo/include/jconfig.h /usr/include/jconfig.h && \
ln -s /opt/libjpeg-turbo/include/jerror.h /usr/include/jerror.h && \
ln -s /opt/libjpeg-turbo/include/jmorecfg.h /usr/include/jmorecfg.h && \
ln -s /opt/libjpeg-turbo/include/jpeglib.h /usr/include/jpeglib.h

#######################
#Configure Lib Paths#
#######################
echo "/opt/libjpeg-turbo/lib" > /etc/ld.so.conf.d/libjpeg-turbo.conf && \
echo "/usr/local/lib" > /etc/ld.so.conf.d/ffmpeg.conf && \
echo "LD_LIBRARY_PATH=/usr/local/lib:/opt/libjpeg-turbo/lib:$LD_LIBRARY_PATH" >> /etc/bash.bashrc && \
echo "export LD_LIBRARY_PATH" >> /etc/bash.bashrc

ldconfig

######################
#Install Perl Modules#
######################

perl -MCPAN -e shell

install CPAN

exit

perl -MCPAN -e shell

install YAML PHP::Serialization Module::Load X10::ActiveHome

install Sys::Mmap

install DBI

install DBD::mysql

exit

################
#Install FFmpeg#
################

# subversion no longer maintained
#cd /usr/src && svn checkout svn://svn.mplayerhq.hu/ffmpeg/trunk ffmpeg

# use git resource: http://www.ffmpeg.org/download.html
cd /usr/src && git clone git://git.videolan.org/ffmpeg.git

cd /usr/src/ffmpeg/ && ./configure --enable-gpl --enable-shared --enable-pthreads

make

make install

make install-libs

cd /lib && ln -s /usr/local/lib/libswscale.so.0 && \
ln -s /usr/local/lib/libavformat.so.52 && \
ln -s /usr/local/lib/libavcodec.so.52 && \
ln -s /usr/local/lib/libavutil.so.50 && \
ln -s /usr/local/lib/libavdevice.so.52

ldconfig

#####################
##Install Zoneminder#
#####################

cd /usr/src && wget http://www2.zoneminder.com/downloads/ZoneMinder-1.24.2.tar.gz

tar -xvzf ZoneMinder-1.24.2.tar.gz

cd /usr/src/ZoneMinder-1.24.2/src && nano zm_utils.cpp

#Insert the following line after other includes,then Ctrl-o to save, Ctrl-x to exit nano
#include <cstdio>

cd /usr/src/ZoneMinder-1.24.2 && \ 
./configure --with-webdir=/var/www/zm --with-cgidir=/usr/lib/cgi-bin \
ZM_DB_HOST=localhost ZM_DB_NAME=zm ZM_DB_USER=zmuser \
ZM_DB_PASS=zmpass ZM_SSL_LIB=openssl --enable-debug=no \
--with-webgroup=www-data --with-webuser=www-data --enable-mmap CPPFLAGS="-D__STDC_CONSTANT_MACROS ${CPPFLAGS}"

autoconf

aclocal

automake

make

mysql -u root -p < db/zm_create.sql
#Password that is requested is Mysql root password that was entered during install, not your ubuntu password.

mysql -u root -p

grant select,insert,update,delete on zm.* to 'zmuser'@localhost identified by 'zmpass';

quit

mysqladmin -p reload

make install

####################
##Install Cambozola#
####################

cd /usr/src && wget http://www.charliemouse.com:8080/code/cambozola/cambozola-latest.tar.gz

tar -xzvf cambozola-latest.tar.gz

#replace xx with cambozola version downloaded
cp cambozola-0.xx/dist/cambozola.jar /var/www/zm

###################################
##Create Zoneminder startup script#
###################################

nano -w /etc/init.d/zm

#Paste everything BETWEEN the lines below.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh
# description: Control ZoneMinder as a Service
# chkconfig: 2345 99 99

# Source function library.
#. /etc/rc.d/init.d/functions

prog=ZoneMinder
ZM_PATH_BIN="/usr/local/bin"
command="$ZM_PATH_BIN/zmpkg.pl"

start() {
        echo -n "Starting $prog: "
        $command start
        RETVAL=$?
        [ $RETVAL = 0 ] && echo success
        [ $RETVAL != 0 ] && echo failure
        return $RETVAL
}
stop() {
        echo -n "Stopping $prog: "
        $command stop
        RETVAL=$?
        [ $RETVAL = 0 ] && echo success
        [ $RETVAL != 0 ] && echo failure
}
status() {
        result=`$command status`
        if [ "$result" = "running" ]; then
                echo "ZoneMinder is running"
                RETVAL=0
        else
                echo "ZoneMinder is stopped"
                RETVAL=1
        fi
}

case "$1" in
'start')
        start
        ;;
'stop')
        stop
        ;;
'restart')
        stop
        start
        ;;
'status')
        status
        ;;
*)
        echo "Usage: $0 { start | stop | restart | status }"
        RETVAL=1
        ;;
esac
exit $RETVAL

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#ctrl-o to save, ctrl-x to exit nano

chmod 755 /etc/init.d/zm

####################
#Zoneminder Startup#
####################

#In firefox, go to https://YOUR_ZoneMinder.IP.ADDRESS.HERE:10000/ to reach the Webmin interface.(Login with Ubuntu username and password)
#In left menu, select System>Bootup and Shutdown. Tick the box next to zm and click StartNow and On Boot.
#In left menu, select Servers>Apache Webserver. Click virtual server under Existing virtual hosts tab. Under Virtual Server Details, change Document Root to /var/www/zm and then save.
#Click apply changes at top left of page.

#Go to http://YOUR_ZoneMinder.IP.ADDRESS.HERE/ to reach the Zoneminder interface.

vaheeD

More Posts - Website

Follow Me:

Default Config Files and SSH Port

• /etc/ssh/sshd_config – OpenSSH server configuration file.
• /etc/ssh/ssh_config – OpenSSH client configuration file.
• ~/.ssh/ – Users ssh configuration directory.
• ~/.ssh/authorized_keys or ~/.ssh/authorized_keys – Lists the public keys (RSA or DSA) that can be used to log into the user’s account
• /etc/nologin – If this file exists, sshd refuses to let anyone except root log in.
• /etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here.
• SSH default port : TCP 22

#1: Disable OpenSSH Server

Workstations and laptop can work without OpenSSH server. If you need not to provide the remote login and file transfer capabilities of SSH, disable and remove the SSHD server. CentOS / RHEL / Fedora Linux user can disable and remove openssh-server with yum command:
# chkconfig sshd off
# yum erase openssh-server
Debian / Ubuntu Linux user can disable and remove the same with apt-get command:
# apt-get remove openssh-server
You may need to update your iptables script to remove ssh exception rule. Under CentOS / RHEL / Fedora edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Once done restart iptables service:
# service iptables restart
# service ip6tables restart

#2: Only Use SSH Protocol 2

SSH protocol version 1 (SSH-1) has man-in-the-middle attacks problems and security vulnerabilities. SSH-1 is obsolete and should be avoided at all cost. Open sshd_config file and make sure the following line exists:

Protocol 2

#3: Limit Users’ SSH Access

By default all systems user can login via SSH using their password or public key. Sometime you create UNIX / Linux user account for ftp or email purpose. However, those user can login to system using ssh. They will have full access to system tools including compilers and scripting languages such as Perl, Python which can open network ports and do many other fancy things. One of my client has really outdated php script and an attacker was able to create a new account on the system via a php script. However, attacker failed to get into box via ssh because it wasn’t in AllowUsers.

Only allow root, vivek and jerry user to use the system via SSH, add the following to sshd_config:

AllowUsers root vivek jerry

Alternatively, you can allow all users to login via SSH but deny only a few users, with the following line:

DenyUsers saroj anjali foo

You can also configure Linux PAM allows or deny login via the sshd server. You can allow list of group name to access or deny access to the ssh.

#4: Configure Idle Log Out Timeout Interval

User can login to server via ssh and you can set an idel timeout interval to avoid unattended ssh session. Open sshd_config and make sure following values are configured:

ClientAliveInterval 300
ClientAliveCountMax 0

You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out).

#5: Disable .rhosts Files

Don’t read the user’s ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:

IgnoreRhosts yes

SSH can emulate the behavior of the obsolete rsh command, just disable insecure access via RSH.

#6: Disable Host-Based Authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

#7: Disable root Login via SSH

There is no need to login as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root level access. This also make sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:

PermitRootLogin no

However, bob made excellent point:

Saying “don’t login as root” is h******t. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreast the chance you got spoofed as to your telnet host target, You’d get your password spoofed but not root’s pw. Gimme a break. this is 2005 – We have ssh, used properly it’s secure. used improperly none of this 1989 will make a damn bit of difference. -Bob

#8: Enable a Warning Banner

Set a warning banner by updating sshd_config with the following line:

Banner /etc/issue

Sample /etc/issue file:

----------------------------------------------------------------------------------------------
You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.
+ At any time, the XYZG may inspect and seize data stored on this IS.
+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any XYZG authorized purpose.
+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not
for your personal benefit or privacy.
+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching
or monitoring of the content of privileged communications, or work product, related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
----------------------------------------------------------------------------------------------

Above is standard sample, consult your legal team for exact user agreement and legal notice details.

#8: Firewall SSH Port # 22

You need to firewall ssh port # 22 by updating iptables or pf firewall configurations. Usually, OpenSSH server must only accept connections from your LAN or other remote WAN sites only.

Netfilter (Iptables) Configuration

Update /etc/sysconfig/iptables (Redhat and friends specific file) to accept connection only from 192.168.1.0/24 and 202.54.1.5/29, enter:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT

If you’ve dual stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Redhat and friends specific file), enter:

 -A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT

Replace ipv6network::/ipv6mask with actual IPv6 ranges.

*BSD PF Firewall Configuration

If you are using PF firewall update /etc/pf.conf as follows:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

Sample /etc/pf.conf

1. #### First declare a couple of variables ####
2. ### Outgoing tcp / udp port ####
3. ### 43 – whois, 22 – ssh ###
4. tcp_services = “{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}”
5. udp_services = “{ domain, ntp }”
6. ### allow ping / pong ####
7. icmp_types = “{ echoreq, unreach }”
9. #### define tables. add all subnets and ips to block
10. table <blockedip> persist file “/etc/pf.block.ip.conf”
12. martians = “{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }”
14. ### admin server ranges ###
15. adminrange = “112.220.11.0/23”
17. # connected to internet
18. ext_if = “em1”
19. # connected to vpn / lan
20. int_if = “em0”
22. ##### ftp proxy
23. #proxy=”127.0.0.1″
24. #proxyport=”8021″
26. #### Normalization
27. #scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
28. scrub in all
30. #### NAT and RDR start
31. #nat-anchor “ftp-proxy/*”
32. #rdr-anchor “ftp-proxy/*”
34. # redirect ftp traffic
35. #rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
37. # Drop incoming everything
38. block in all
39. block return
41. # keep stats of outgoing connections
42. pass out keep state
44. # We need to have an anchor for ftp-proxy
45. #anchor “ftp-proxy/*”
47. # unlimited traffic for loopback and lan / vpn
48. set skip on {lo0, $int_if}
50. # activate spoofing protection for all interfaces
51. block in quick from urpf-failed
53. #antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
54. antispoof log for $ext_if
56. #Block RFC 1918 addresses
57. block drop in log (all) quick on $ext_if from $martians to any
58. block drop out log (all) quick on $ext_if from any to $martians
61. # Block all ips
62. # pfctl -t blockedip -T show
63. block drop in log (all) quick on $ext_if from <blockedip> to any
64. block drop out log (all) quick on $ext_if from any to <blockedip>
66. # allow outgoing
67. pass out on $ext_if proto tcp to any port $tcp_services
68. pass out on $ext_if proto udp to any port $udp_services
70. # Allow trace route
71. pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
73. # Allow admin to get into box
74. pass in on $int_if from $adminrange to any
76. # Allow incoming ssh, http, bind traffic
77. # pass in on $ext_if proto tcp from any to any port 25
78. pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
79. pass in on $ext_if proto udp from any to any port domain
80. pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
81. pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy modulate state
82. pass inet proto icmp all icmp-type $icmp_types keep state
83. ## add your rule below ##

#9: Change SSH Port and Limit IP Binding

By default SSH listen to all available interfaces and IP address on the system. Limit ssh port binding and change ssh port (by default brute forcing scripts only try to connects to port # 22). To bind to 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following line:

Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5

A better approach to use proactive approaches scripts such as fail2ban or denyhosts (see below).

#10: Use Strong SSH Passwords and Passphrase

It cannot be stressed enough how important it is to use strong user passwords and passphrase for your keys. Brute force attack works because you use dictionary based passwords. You can force users to avoid passwords against a dictionary attack and use john the ripper tool to find out existing weak passwords. Here is a sample random password generator (put in your ~/.bashrc):

genpasswd() {
	local l=$1
       	[ "$l" == "" ] && l=20
      	tr -dc A-Za-z0-9_ < /dev/urandom | head -c ${l} | xargs
}

Run it:
genpasswd 16
Output:

uw8CnDVMwC6vOKgW

#11: Use Public Key Based Authentication

Use public/private key pair with password protection for the private key. See how to use RSA and DSA key based authentication. Never ever use passphrase free key (passphrase key less) login.

Create the cryptographic Key on FreeBSD / Linux / UNIX workstation, enter:
ssh-keygen -t rsa
Assign the pass phrase (press [enter] key twice if you don’t want a passphrase). It will create 2 files in ~/.ssh directory as follows:

• ~/.ssh/id_rsa : identification (private) key
• ~/.ssh/id_rsa.pub : public key

Use scp to copy the id_rsa.pub (public key) to rh9linux.nixcraft.org server as authorized_keys2 file, this is know as Installing the public key to server.
scp .ssh/id_rsa.pub vivek@rh9linux.nixcraft.org:.ssh/authorized_keys2
From FreeBSD workstation login to server:
ssh rh9linux.nixcraft.org
Changing the pass-phrase on workstation (if needed):
ssh-keygen -p
Use of ssh-agent to avoid continues pass-phrase typing
At freebsd workstation type:
ssh-agent $BASH
ssh-add
Type your pass-phrase

Now ssh server will not use prompt for the password. Above two commands can be added to your ~/.bash_profile file so that as soon as you login into workstation you can set the agent.

Deleting the keys hold by ssh-agent

To list keys, enter:
ssh-add -l
To delete all keys, enter:
ssh-add -D
To delete specific key, enter:
ssh-add -d key

#12: Use Keychain Based Authentication

keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to setup and use keychain software.

Install keychain on CentOS / RHEL / Fedora Linux

You need RPMForge repo enabled to install keychain package.
# yum install keychain

Install keychain on Debian / Ubuntu Linux

# apt-get update && apt-get install keychain

Install keychain on FreeBSD

# portsnap fetch update
# cd /usr/ports/security/keychain
# make install clean

How Do I Setup SSH Keys With passphrase?

Simply type the following commands:
$ ssh-keygen -t rsa
OR
$ ssh-keygen -t dsa
Assign the pass phrase when prompted. See the following step-by-step guide for detailed information:

#13: Chroot SSHD (Lock Down Users To Their Home Directories)

By default users are allowed to browse the server directories such as /etc/, /bin and so on. You can protect ssh, using os based chroot or use special tools such as rssh. With the release of OpenSSH 4.8p1 or 4.9p1, you no longer have to rely on third-party hacks such as rssh or complicated chroot(1) setups to lock users to their home directories. See this blog post about new ChrootDirectory directive to lock down users to their home directories.

Install rssh

CentOS / Fedora / RHEL Linux rssh installation

Visit Dag’s repo to grab rssh package
# cd /tmp
# wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm
# rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm

Debian / Ubuntu Linux rssh installation

Use apt-get command:
$ sudo apt-get install rssh

FreeBSD installation

# cd /usr/ports/shells/rssh
# make install clean

#14: Use TCP Wrappers

TCP Wrapper is a host-based Networking ACL system, used to filter network access to Internet. OpenSSH does supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 172.16.23.12 :

sshd : 192.168.1.2 172.16.23.12

#15: Disable Empty Passwords

You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line:

PermitEmptyPasswords no

#16: Thwart SSH Crackers (Brute Force Attack)

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single or distributed computer network. To prevents brute force attacks against SSH, use the following softwares:

• DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
• Explains how to setup DenyHosts under RHEL / Fedora and CentOS Linux.
• Fail2ban is a similar program that prevents brute force attacks against SSH.
• security/sshguard-pf protect hosts from brute force attacks against ssh and other services using pf.
• security/sshguard-ipfw protect hosts from brute force attacks against ssh and other services using ipfw.
• security/sshguard-ipfilter protect hosts from brute force attacks against ssh and other services using ipfilter.
• security/sshblock block abusive SSH login attempts.
• security/sshit checks for SSH/FTP bruteforce and blocks given IPs.
• BlockHosts Automatic blocking of abusive IP hosts.
• Blacklist Get rid of those bruteforce attempts.
• Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.
• IPQ BDB filter May be considered as a fail2ban lite.

#17: Rate-limit Incoming Port # 22 Connections

Both netfilter and pf provides rate-limit option to perform simple throttling on incoming connections on port # 22.

Iptables Example

The following example will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds:

#!/bin/bash
inet_if=eth1
ssh_port=22
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent  --set
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent  --update --seconds 60 --hitcount 5 -j DROP

Call above script from your iptables scripts. Another config option:

$IPT -A INPUT  -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPT -A INPUT  -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# another one line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5-j ACCEPT

See iptables man page for more details.

*BSD PF Example

The following will limits the maximum number of connections per source to 20 and rate limit the number of connections to 15 in a 5 second span. If anyone breaks our rules add them to our abusive_ips table and block them for making any further connections. Finally, flush keyword kills all states created by the matching rule which originate from the host which exceeds these limits.

sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)

#18: Use Port Knocking

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A sample port Knocking example for ssh using iptables:

$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2

$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven

$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock

$IPT -A INPUT -m --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j doo

• fwknop is an implementation that combines port knocking and passive OS fingerprinting.
• Multiple-port knocking Netfilter/IPtables only implementation.

#19: Use Log Analyzer

Read your logs using logwatch or logcheck. These tools make your log reading life easier. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Make sure LogLevel is set to INFO or DEBUG in sshd_config:

LogLevel INFO

.

Installation
Debian Linux type the following command::

apt-get install logwatch

Fedora Linux type the following command::

yum install logwatch

RedHat Enterprise Linux type the following command::

up2date logwatch

To customize logwatch go to /usr/share/doc/logwatch-*/ directory and read the file HOWTO-Customize-LogWatch

Or Open logwatch.conf file:

vi /etc/logwatch/conf/logwatch.conf

OR

vi /usr/share/logwatch/default.conf/logwatch.conf

Read man page of logwatch for more information.

#20: Patch OpenSSH and Operating Systems

It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.

Other Options

To hide openssh version, you need to update source code and compile openssh again. Make sure following options are enabled in sshd_config:

#  Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on  reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
#  Specifies whether password authentication is allowed.  The default is yes.
PasswordAuthentication no

Verify your sshd_config file before restarting / reloading changes:
# /usr/sbin/sshd -t

Tighter SSH security with two-factor or three-factor (or more) authentication.

References:

1. The official OpenSSH project.
2. Forum thread: Failed SSH login attempts and how to avoid brute ssh attacks
3. man pages sshd_config, ssh_config, tcpd, yum, and apt-get.

If you have a technique or handy software not mentioned here, please share in the comments below to help your fellow readers keep their openssh based server secure.

vaheeD

More Posts - Website

Follow Me:

what is the difference between authentication and authorization? Why it is important to understand difference between the two? Authentication vs. Authorization — what are they and how do they differ?

Authentication

Authentication verifies who you are. For example, you can login into your Unix server using the ssh client, or access your email server using the POP3 and SMTP client. Usually, PAM (Pluggable Authentication Modules) are used as low-level authentication schemes into a high-level application programming interface (API), which allows programs that rely on authentication to be written independently of the underlying authentication scheme.

Authorization

Authorization verifies what you are authorized to do. For example, you are allowed to login into your Unix server via ssh client, but you are not authorized to browser /data2 or any other file system. Authorization occurs after successful authentication. Authorization can be controlled at file system level or using various application level configuration options such as chroot(2).

Usually, the connection attempt must be both authenticated and authorized by the system. You can easily find out why connection attempts are either accepted or denied with the help of these two factors.

Example: Authentication And Authorization

A user called vivek is allowed to login to www.yahoo.com server securely using the OpenSSH ssh client/server module. In this example authentication is the mechanism whereby system running at www.yahoo.com may securely identify user vivek. The authentication systems provide an answers to the questions:

• Who is the user vivek?
• Is the user vivek really who he represents himself to be?

The server running at www.yahoo.com depend on some unique bit of information known only to the vivek user. It may be as simple as a password, public key authentication, or as complicated as Kerberos based system. In all cases user vivek needs some sort of secret to login into www.yahoo.com server via the ssh client. In order to verify the identity of a user called vivek, the authenticating system running at www.yahoo.com will challenges the vivek to provide his unique information (his password, or fingerprint, etc.) — if the authenticating system can verify that the shared secret was presented correctly, the user vivek is considered authenticated.

vivek is Authenticated? What Next?

Authorization.

The Unix server running at www.yahoo.com determines what level of access a particular authenticated user called vivek should have. For example, vivek can compile programs using GNU gcc compilers but not allowed to upload or download files. So

1. Is user vivek authorized to access resource called ABC?
2. Is user vivek authorized to perform operation XYZ?
3. Is user vivek authorized to perform operation P on resource R?
4. Is user vivek authorized to download or upload files?
5. Is user vivek authorized to apply patches to the Unix systems?
6. Is user vivek authorized to make backups?

In this example Unix server used the combination of authentication and authorization to secure the system. The system ensures that user claiming to be vivek is the really user vivek and thus prevent unauthorized users from gaining access to secured resources running on the Unix server at www.yahoo.com.

Dealing With Large Linux / Unix Setups

Large Linux / UNIX installation equipped with central LDAP directory servers to authenticate users. A user must provide username and password against all services such as Squid proxy, Wi-Fi, SMTP, POP3 email server etc. LDAP directory allows you to obtain required information such as employee number, email address, department code, and much more. The directory provides additional data lookup and search capabilities. OpenLDAP and the Fedora Directory Server (FDS) is an LDAP (Lightweight Directory Access Protocol) servers for Linux and Unix like operating systems. Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology.

Red Hat Directory Server is an LDAP-compliant server that centralizes user identity and application information. It provides an operating system-independent, network-based registry for storing application settings, user profiles, group data, policies, and access control information.

vaheeD

More Posts - Website

Follow Me:

apt-get install knockd.

You’ll be able to start the daemon by enabling it in /etc/default/knockd.
Configuration file is /etc/knockd.conf:

vi /etc/knockd.conf

[options]
logfile = /var/log/knockd.log

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Ok…so, this configuration, listens for TCP packets, with the flag syn, in a sequence of 7000, 8000, 9000, with a timeout of 10 seconds. After it detects that, it automatically grants port 22 access to the incoming IP. If the daemon gets the reverse order of knocking, it will automatically delete the rule, so, closing the port again for all IPs. Unfortunately, those knockings can be easily read on a packet sniffer between you and the secured server, but, it’s how you can secure more a SSH server.
But because I won’t post my personal config here, this will have to do for the blog’s purpose.
Note: Oh, and, in case you don’t want to be left outside on the server, in case of daemon failure, you should get a script running that automatically checks if the daemon is running, and automatically restart it in case it’s stopped.

vaheeD

More Posts - Website

Follow Me:

#!/bin/sh
#
#############################################################################
#
# File: iptables.sh
#
# Purpose: To build a basic iptables policy with default log and drop rules.
#          This script was written for the book "Linux Firewalls: Attack
#          Detection and Response" published by No Starch Press.
#
# Copyright (C) 2006-2012 Michael Rash (mbr@cipherdyne.org)
#
# License (GNU Public License):
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307
#   USA
#
#
#############################################################################
#

IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
MODPROBE=/sbin/modprobe
INT_NET=192.168.10.0/24
INT_INTF=eth1
EXT_INTF=eth0

### flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### this policy does not handle IPv6 traffic except to drop it.
#
echo "[+] Disabling IPv6 traffic..."
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP

### load connection-tracking modules
#
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######
#
echo "[+] Setting up INPUT chain..."

### state tracking rules
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A INPUT -i $INT_INTF ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i $INT_INTF ! -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A INPUT -i $INT_INTF -p tcp -s $INT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

### make sure that loopback traffic is accepted
$IPTABLES -A INPUT -i lo -j ACCEPT

###### OUTPUT chain ######
#
echo "[+] Setting up OUTPUT chain..."

### state tracking rules
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

### make sure that loopback traffic is accepted
$IPTABLES -A OUTPUT -o lo -j ACCEPT

###### FORWARD chain ######
#
echo "[+] Setting up FORWARD chain..."

### state tracking rules
$IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A FORWARD -i $INT_INTF ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i $INT_INTF ! -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 25 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 43 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 4321 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### default LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### NAT rules ######
#
echo "[+] Setting up NAT rules..."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i $EXT_INTF -j DNAT --to 192.168.10.3:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i $EXT_INTF -j DNAT --to 192.168.10.3:443
$IPTABLES -t nat -A PREROUTING -p udp --dport 53 -i $EXT_INTF -j DNAT --to 192.168.10.4:53
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o $EXT_INTF -j MASQUERADE

###### forwarding ######
#
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

exit
### EOF ###

vaheeD

More Posts - Website

Follow Me:

A port scanner (such as nmap) is a piece of software designed to search a network host for open ports. Cracker can use nmap to scan your network before starting attack. You can always see scan patterns by visiting /var/log/messages. But, I recommend the automated tool called psad – the port scan attack detector under Linux which is a collection of lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.

psad makes use of Netfilter log messages to detect, alert, and (optionally) block port scans and other suspect traffic. For tcp scans psad analyzes tcp flags to determine the scan type (syn, fin, xmas, etc.) and corresponding command line options that could be supplied to nmap to generate such a scan. In addition, psad makes use of many tcp, udp, and icmp signatures contained within the Snort intrusion detection system.

Install psad under Debian / Ubuntu Linux

Type the following command to install psad, enter:
$ sudo apt-get update
$ sudo apt-get install psad

Configure psad

Open /etc/syslog.conf file, enter:
# vi /etc/syslog.conf
Append following code

kern.info       |/var/lib/psad/psadfifo

Alternatively, you can type the following command to update syslog.conf:
echo -e ’kern.info\t|/var/lib/psad/psadfifo’ >> /etc/syslog.conf
psad Syslog needs to be configured to write all kern.info messages to a named pipe /var/lib/psad/psadfifo. Close and save the file. Restart syslog:
# /etc/init.d/sysklogd restart
# /etc/init.d/klogd
The default psad file is located at /etc/psad/psad.conf:
# vi /etc/psad/psad.conf
You need to setup correct email ID to get port scan detections messages and other settings as follows:

EMAIL_ADDRESSES             vivek@nixcraft.in;

Set machine hostname (FQDN):

HOSTNAME                    server.nixcraft.in;

If you have only one interface on box (such as colo web server or mail server), sent HOME_NET to none:

HOME_NET                NOT_USED;  ### only one interface on box

You may also need to adjust danger levels as per your setup. You can also define a set of ports to ignore, for example to have psad ignore udp ports 53 and 5000, use:

IGNORE_PORTS                udp/53, udp/5000;

You can also enable real time iptables blocking, by setting following two variables:

ENABLE_AUTO_IDS             Y;
IPTABLES_BLOCK_METHOD       Y;

psad has many more options, please read man pages for further information. Save and close the file. Restart psad:
# /etc/init.d/psad restart

Update iptables rules

psad need following two rules with logging enabled:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

Here is my sample Debian Linux desktop firewall script with logging enabled at the end:

#!/bin/bash
IPT="/sbin/iptables"

echo "Starting IPv4 Wall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
modprobe ip_conntrack

BADIPS=$(egrep -v -E "^#|^$" /root/scripts/blocked.fw)
PUB_IF="eth0"

#unlimited 
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# DROP all incomming traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# block all bad ips
for ip in $BADIPS
do
    $IPT -A INPUT -s $ip -j DROP
    $IPT -A OUTPUT -d $ip -j DROP
done

# sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"

$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Fragments
$IPT -A INPUT -i ${PUB_IF} -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP

# block bad stuff
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connection but no incomming stuff
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allow ssh only
$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 22 -j ACCEPT

# allow incoming ICMP ping pong stuff
$IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# No smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT

# Log everything else
# *** Required for psad ****
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP

# Start ipv6 firewall
# echo "Starting IPv6 Wall..."
/root/scripts/start6.fw

exit 0

How do I view port scan report?

Simply type the following command:
# psad -S
Sample output (some of the sensitive / personally identified parts have been removed):

[+] psadwatchd (pid: 2540)  %CPU: 0.0  %MEM: 0.0
    Running since: Sun Jul 27 07:14:56 2008
[+] kmsgsd (pid: 2528)  %CPU: 0.0  %MEM: 0.0
    Running since: Sun Jul 27 07:14:55 2008
[+] psad (pid: 2524)  %CPU: 0.0  %MEM: 0.8
    Running since: Sun Jul 27 07:14:55 2008
    Command line arguments: -c /etc/psad/psad.conf
    Alert email address(es): radhika.xyz@xxxxxxxx.co.in
    src:            dst:            chain:  intf:  tcp:  udp:  icmp:  dl:  alerts:  os_guess:
    117.32.xxx.149  xx.22.zz.121    INPUT   eth0   1     0     0      2    2        -
    118.167.xxx.219 xx.22.zz.121    INPUT   eth0   1     0     0      2    2        -
    118.167.xxx.250 xx.22.zz.121    INPUT   eth0   1     0     0      2    2        -
    118.167.xxx.5   xx.22.zz.121    INPUT   eth0   1     0     0      2    2        -
    122.167.xx.11   xx.22.zz.121    INPUT   eth0   4642  0     0      4    50       -
    122.167.xx.80   xx.22.zz.121    INPUT   eth0   0     11    0      1    2        -
    123.134.xx.34   xx.22.zz.121    INPUT   eth0   20    0     0      2    9        -
    125.161.xx.3    xx.22.zz.121    INPUT   eth0   0     9     0      1    4        -
    125.67.xx.7     xx.22.zz.121    INPUT   eth0   1     0     0      2    2        -
    190.159.xxx.220 xx.22.zz.121    INPUT   eth0   0     9     0      1    3        -
    193.140.xxx.210 xx.22.zz.121    INPUT   eth0   0     10    0      1    2        -
    202.xx.23x.196  xx.22.zz.121    INPUT   eth0   0     13    0      1    10       -
    202.xx.2x8.197  xx.22.zz.121    INPUT   eth0   0     20    0      2    17       -
    202.97.xxx.198  xx.22.zz.121    INPUT   eth0   0     17    0      2    12       -
    202.97.xxx.199  xx.22.zz.121    INPUT   eth0   0     18    0      2    15       -
    202.97.xxx.200  xx.22.zz.121    INPUT   eth0   0     17    0      2    14       -
    202.97.xxx.201  xx.22.zz.121    INPUT   eth0   0     15    0      2    12       -
    202.97.xxx.202  xx.22.zz.121    INPUT   eth0   0     21    0      2    16       -
    203.xxx.128.65  xx.22.zz.121    INPUT   eth0   12    0     0      2    6        Windows XP/2000
    211.90.xx.14    xx.22.zz.121    INPUT   eth0   1     0     0      2    2        -
    213.163.xxx.9   xx.22.zz.121    INPUT   eth0   0     0     1      2    2        -
    221.130.xxx.124 xx.22.zz.121    INPUT   eth0   0     35    0      2    31       -
    221.206.xxx.10  xx.22.zz.121    INPUT   eth0   0     33    0      2    21       -
    221.206.xxx.53  xx.22.zz.121    INPUT   eth0   0     33    0      2    27       -
    221.206.xxx.54  xx.22.zz.121    INPUT   eth0   0     39    0      2    26       -
    221.206.xxx.57  xx.22.zz.121    INPUT   eth0   0     33    0      2    19       -
    60.222.xxx.146  xx.22.zz.121    INPUT   eth0   0     40    0      2    33       -
    60.222.xxx.153  xx.22.zz.121    INPUT   eth0   0     14    0      1    11       -
    60.222.xxx.154  xx.22.zz.121    INPUT   eth0   0     18    0      2    15       -
    Netfilter prefix counters:
        "SPAM DROP Block": 161519
        "Drop Syn Attacks": 136
    Total scan sources: 95
    Total scan destinations: 1
    Total packet counters:
        tcp:  5868
        udp:  164012
        icmp: 2

How do I remove automatically blocked ips?

Simply type the following command to remove any auto-generated firewall block
# psad -F

How do I view detailed log for each IP address?

Go to /var/log/psad/ip.address/ directory. For example, view log for IP address 11.22.22.33, enter:
# cd /var/log/psad/11.22.22.33
# ls -l
Sample output:

-rw------- 1 root root 2623 2008-07-30 13:02 xx.22.zz.121_email_alert
-rw------- 1 root root   32 2008-07-30 13:02 xx.22.zz.121_packet_ctr
-rw------- 1 root root    0 2008-07-29 00:27 xx.22.zz.121_signatures
-rw------- 1 root root   11 2008-07-30 13:02 xx.22.zz.121_start_time
-rw------- 1 root root    2 2008-07-30 13:02 danger_level
-rw------- 1 root root    2 2008-07-30 13:02 email_count
-rw------- 1 root root 1798 2008-07-29 00:27 whois

Use cat / more or less command to view rest of the information.

Further readings:

• man pages – psad, syslog.conf
• psad project home page
• I highly recommend – Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort for further information.

vaheeD

More Posts - Website

Follow Me:

The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.

More about nmap

From the man page:

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

It was originally written by Gordon Lyon and it can answer the following questions easily:

1. What computers did you find running on the local network?
2. What IP addresses did you find running on the local network?
3. What is the operating system of your target machine?
4. Find out what ports are open on the machine that you just scanned?
5. Find out if the system is infected with malware or virus.
6. Search for unauthorized servers or network service on your network.
7. Find and remove computers which don’t meet the organization’s minimum level of security.

Sample setup (LAB)

Port scanning may be illegal in some jurisdictions. So setup a lab as follows:

                              +---------+
        +---------+           | Network |         +--------+
        | server1 |-----------+ swtich  +---------|server2 |
        +---------+           | (sw0)   |         +--------+
                              +----+----+
                                   |
                                   |
                         +---------+----------+
                         | wks01 Linux/OSX    |
                         +--------------------+

Where,

• wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.
• server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web-server, file server and so on.
• server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with firewall. Again, feel free to install few services such as a web-server, file server and so on.
• All three systems are connected via switch.

How do I install nmap?

See:

Install nmap Network Security Scanner

#1: Scan a single host or an IP address (IPv4)

### Scan a single ip address ###
nmap 192.168.1.1

## Scan a host name ###
nmap server1.vaheed.net

## Scan a host name with more info###
nmap -v server1.vaheed.net

Sample outputs:

Starting Nmap 6.25 ( http://nmap.org/ ) at 2013-01-06 20:44 IRST
Initiating Ping Scan at 20:44
Scanning 192.168.1.1 [2 ports]
Completed Ping Scan at 20:44, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:44
Completed Parallel DNS resolution of 1 host. at 20:44, 0.25s elapsed
Initiating Connect Scan at 20:44
Scanning 192.168.1.1 [1000 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 1723/tcp on 192.168.1.1

#2: Scan multiple IP address or subnet (IPv4)

nmap 192.168.1.1 192.168.1.2 192.168.1.3
## works with same subnet i.e. 192.168.1.0/24
nmap 192.168.1.1,2,3

You can scan a range of IP address too:

nmap 192.168.1.1-20

You can scan a range of IP address using a wildcard:

nmap 192.168.1.*

Finally, you scan an entire subnet:

nmap 192.168.1.0/24

#3: Read list of hosts/networks from a file (IPv4)

The -iL option allows you to read the list of target systems using a text file. This is useful to scan a large number of hosts/networks. Create a text file as follows:
cat > /tmp/test.txt
Sample outputs:

server1.vaheed.net
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost

The syntax is:

nmap -iL /tmp/test.txt

#4: Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks you can exclude hosts from a scan:

nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

OR exclude list from a file called /tmp/exclude.txt

nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

#5: Turn on OS and version detection scanning script (IPv4)

nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt

#6: Find out if a host/network is protected by a firewall

nmap -sA 192.168.1.254
nmap -sA server1.vaheed.net

#7: Scan a host when protected by the firewall

nmap -PN 192.168.1.1
nmap -PN server1.vaheed.net

#8: Scan an IPv6 host/address

The -6 option enable IPv6 scanning. The syntax is:

nmap -6 IPv6-Address-Here
nmap -6 server1.vaheed.net
nmap -6 2607:f0d0:1002:51::4
nmap -v A -6 2607:f0d0:1002:51::4

#9: Scan a network and find out which servers and devices are up and running

This is known as host discovery or ping scan:

nmap -sP 192.168.1.0/24

Sample outputs:

Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second

#10: How do I perform a fast scan?

nmap -F 192.168.1.1

#11: Display the reason a port is in a particular state

nmap --reason 192.168.1.1
nmap --reason server1.vaheed.net

#12: Only show open (or possibly open) ports

nmap --open 192.168.1.1
nmap --open server1.vaheed.net

#13: Show all packets sent and received

nmap --packet-trace 192.168.1.1
nmap --packet-trace server1.vaheed.net

14#: Show host interfaces and routes

This is useful for debugging (ip command or route command or netstat command like output using nmap)

nmap --iflist

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org/ ) at 2012-11-27 02:01 IST
************************INTERFACES************************
DEV    (SHORT)  IP/MASK          TYPE        UP MAC
lo     (lo)     127.0.0.1/8      loopback    up
eth0   (eth0)   192.168.1.5/24   ethernet    up B8:AC:6F:65:31:E5
vmnet1 (vmnet1) 192.168.121.1/24 ethernet    up 00:50:56:C0:00:01
vmnet8 (vmnet8) 192.168.179.1/24 ethernet    up 00:50:56:C0:00:08
ppp0   (ppp0)   10.1.19.69/32    point2point up

**************************ROUTES**************************
DST/MASK         DEV    GATEWAY
10.0.31.178/32   ppp0
209.133.67.35/32 eth0   192.168.1.2
192.168.1.0/0    eth0
192.168.121.0/0  vmnet1
192.168.179.0/0  vmnet8
169.254.0.0/0    eth0
10.0.0.0/0       ppp0
0.0.0.0/0        eth0   192.168.1.2

#15: How do I scan specific ports?

map -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1

## Scan TCP port 80
nmap -p T:80 192.168.1.1

## Scan UDP port 53
nmap -p U:53 192.168.1.1

## Scan two ports ##
nmap -p 80,443 192.168.1.1

## Scan port ranges ##
nmap -p 80-200 192.168.1.1

## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.vaheed.net
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254

## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1

## Scan top ports i.e. scan $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org/ ) at 2012-11-27 01:23 IST
Interesting ports on 192.168.1.1:
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios-ssn
443/tcp  closed https
445/tcp  closed microsoft-ds
3389/tcp closed ms-term-serv
MAC Address: BC:AE:C5:C3:16:93 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

#16: The fastest way to scan all your devices/computers for open ports ever

nmap -T5 192.168.1.0/24

#17: How do I detect remote operating system?

You can identify a remote host apps and OS using the -O option:

 
nmap -O 192.168.1.1
nmap -O  --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org/ ) at 2012-11-27 01:29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Host 192.168.1.1 is up (0.00049s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (94%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.15 - 2.6.23 (embedded) (92%), Linux 2.6.15 - 2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CA
OS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5
OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%W
OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
           Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)

See also: dns server command line tools for more information.

#18: How do I detect remote services (server / daemon) version numbers?

nmap -sV 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org/ ) at 2012-11-27 01:34 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)
80/tcp open  http?
1 service unrecognized despite returning data.

#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping

If firewall is blocking standard ICMP pings, try the following host discovery methods:

nmap -PS 192.168.1.1
nmap -PS 80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA 80,21,200-512 192.168.1.1

#20: Scan a host using IP protocol ping

nmap -PO 192.168.1.1

#21: Scan a host using UDP ping

This scan bypasses firewalls and filters that only screen TCP:

nmap -PU 192.168.1.1
nmap -PU 2000.2001 192.168.1.1

#22: Find out the most commonly used TCP ports using TCP SYN Scan

 
### Stealthy scan ###
nmap -sS 192.168.1.1

### Find out the most commonly used TCP ports using  TCP connect scan (warning: no stealth scan)
###  OS Fingerprinting ###
nmap -sT 192.168.1.1

### Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA 192.168.1.1

### Find out the most commonly used TCP ports using TCP Window scan
nmap -sW 192.168.1.1

### Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM 192.168.1.1

#23: Scan a host for UDP services (UDP scan)

Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:

nmap -sU nas03
nmap -sU 192.168.1.1

Sample outputs:

 
Starting Nmap 5.00 ( http://nmap.org/ ) at 2012-11-27 00:52 IST
Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
Interesting ports on nas03 (192.168.1.12):
Not shown: 995 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
161/udp  open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)

Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds

#24: Scan for IP protocol

This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:

nmap -sO 192.168.1.1

#25: Scan a firewall for security weakness

The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:

 
## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN 192.168.1.254

## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##
nmap -sF 192.168.1.254

## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX 192.168.1.254

See how to block Xmas packkets, syn-floods and other conman attacks with iptables.

#26: Scan a firewall for packets fragments

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

nmap -f 192.168.1.1
nmap -f fw2.nixcraft.net.in
nmap -f 15 fw2.nixcraft.net.in
## Set your own offset size with the --mtu option ##
nmap --mtu 32 192.168.1.1

#27: Cloak a scan with decoys

The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys:

nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5

#28: Scan a firewall for MAC address spoofing

 
### Spoof your MAC address ##
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

### Add other options ###
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

sudo nmap -sS -sU -p 1-65535 -T4 -A -v 192.168.1.1 

### Use a random MAC address ###
### The number 0, means nmap chooses a completely random MAC address ###
nmap -v -sT -PN --spoof-mac 0 192.168.1.1

#29: How do I save output to a text file?

The syntax is:

nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1

#30: Not a fan of command line tools?

Try zenmap the official network mapper front end:

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

You can install zenmap using the following apt-get command:
$ sudo apt-get install zenmap
Sample outputs:

[sudo] password for vivek:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  zenmap
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 616 kB of archives.
After this operation, 1,827 kB of additional disk space will be used.
Get:1 http://debian.osuosl.org/debian/ squeeze/main zenmap amd64 5.00-3 [616 kB]
Fetched 616 kB in 3s (199 kB/s)
Selecting previously deselected package zenmap.
(Reading database ... 281105 files and directories currently installed.)
Unpacking zenmap (from .../zenmap_5.00-3_amd64.deb) ...
Processing triggers for desktop-file-utils ...
Processing triggers for gnome-menus ...
Processing triggers for man-db ...
Setting up zenmap (5.00-3) ...
Processing triggers for python-central ...

Type the following command to start zenmap:
$ sudo zenmap
Sample outputs

Fig.02: zenmap in action

How do I detect and block port scanning?

Try the following resources:

1. How to use psad tool to detect and block port scan attacks in real time.
2. CentOS / Redhat Iptables Firewall Configuration Tutorial.
3. Linux: 20 Iptables Examples For Administrator.

REFERENCES:

• The official Nmap project guide to network discovery and security Scanning.
• The official Nmap project home page.

vaheeD

More Posts - Website

Follow Me:

Following list summaries the common attack on any type of Linux computer:

Syn-flood protection

In this attack system is floods with a series of SYN packets. Each packets causes system to issue a SYN-ACK responses. Then system waits for ACK that follows the SYN+ACK (3 way handshake). Since attack never sends back ACK again entire system resources get fulled aka backlog queue. Once the queue is full system will ignored incoming request from legitimate users for services (http/mail etc). Hence it is necessary to stop this attack with iptables.

Force SYN packets check

Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force Fragments packets check

Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.

iptables -A INPUT -f -j DROP

XMAS packets

Incoming malformed XMAS packets drop them:

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop all NULL packets

Incoming malformed NULL packets:

iptables -A INPIT -p tcp --tcp-flags ALL NONE -j DROP

Block Spoofing and bad addresses

Using iptables you can filter to drop suspicious source address. Network server should not accept packets claiming from the Internet that claim to originate from inside your network. Spoofing can be classified as:
a) IP spoofing – Disable the source address of authentication, for example rhosts based authentication. Filter RPC based services such as portmap and NFS,
b) DNS spoofing
Please see Iptables: How to avoid Spoofing and bad addresses attack tip for more information.

Also use NAT for your internal network. This makes difficult for attacker to spoof IP address from outside.

Filter incoming ICMP, PING traffic

It includes the ping of death attack and ICMP floods. You should block all ICMP and PING traffic for outside except for your own internal network (so that you can ping to see status of your own server) . See Linux : Iptables Allow or block ICMP ping request article.

Once system is secured, test your firewall with nmap or hping2 command:
# nmap -v -f FIREWALL-IP
# nmap -v -sX FIREWALL-IP
# nmap -v -sN FIREWALL-IP
# hping2 -X FIREWALL-IP

Block Access To Outgoing IP Address

The following rule will block ip address 202.54.1.22 from making any outgoing connection:
iptables -A OUTPUT -d 202.54.1.22 -j DROP

The above will block chat server ip address or site having dangerous contains such as viruses or malware.

Block Access To Outgoing IP TCP / UDP Port Number

It is also possible to block specific port numbers. For example, you can block tcp port # 5050 as follows:
iptables -A OUTPUT -p tcp –dport 5050 -j DROP

To block tcp port # 5050 for an IP address 192.168.1.2 only, enter:
iptables -A OUTPUT -p tcp -d 192.168.1.2 –dport 5050 -j DROP

Finally, you need to save your firewall rules. Under CentOS / RHEL / Fedora Linux, enter:
# /sbin/service iptables save
OR
# /etc/init.d/iptables save

Further readings

• Man page : hping2(8), nmap(1), iptables(8)

vaheeD

More Posts - Website

Follow Me:

Examples: Saving and Restoring Iptables Rules

In this example, save current iptables firewall rules to a file called /root/dsl.fw, enter:
# iptables-save > /root/dsl.fw
To restore iptables rules, enter:
# iptables-restore < /root/dsl.fw

To restore rules automatically upon Linux system reboot add following command to your /etc/rc.local file, enter:
# vi /etc/rc.local
Append the line:
/sbin/iptables-restore < /root/dsl.fw
Save and close the file. Please note that under Red Hat enterprise Linux (RHEL) / CentOS / Fedora Linux you can use following commands to save and restore firewall rules. To Save the rules to /etc/sysconfig/iptables file:
# /etc/init.d/iptables save
To restore the rules from /etc/sysconfig/iptables file:
# /etc/init.d/iptables start
If you are using Debian / Ubuntu Linux open /etc/network/interfaces:
# vi /etc/network/interfaces
Append the line to eth0 section:
post-up iptables-restore
Close and save the file. Reboot the system.

vaheeD

More Posts - Website

Follow Me: