Date: Mon, 22 Sep 2008 15:12:18 -0700 From: "David Allen" <the.real.david.allen@gmail.com> To: freebsd-questions@freebsd.org Subject: Re: Dealing with portscans Message-ID: <2daa8b4e0809221512o5c85d286qb8da358fb9d5ee66@mail.gmail.com> In-Reply-To: <48D80D54.8060802@infracaninophile.co.uk> References: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com> <20080922200121.289abdcb.ghirai@ghirai.com> <2daa8b4e0809221305v6f5000f1w11090e4a85c21162@mail.gmail.com> <48D80D54.8060802@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On 9/22/08, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote: > David Allen wrote: >> On 9/22/08, Ghirai <ghirai@ghirai.com> wrote: >>> On Mon, 22 Sep 2008 08:17:02 -0700 >>> "David Allen" <the.real.david.allen@gmail.com> wrote: >> However, receiving SYN packets to ports 1024-40000 isn't going to >> match anything than a default "block all" rule, which creates no >> state. That gives you zero such features to work with, but does give >> you 38976 individual log entries. > > Most of this sort of port scanning is automated by infected machines > -- it doesn't indicate a directed attack at you. it's been described as > the 'background radiation of the Internet'. So long as your systems > aren't vulnerable to the specific problems the malware is attempting to > exploit -- and assuming you aren't running windows then you're almost > certainly immune from this automated stuff -- then why bother putting any > effort into blocking the source hosts? Just dump the traffic and ignore. > > Drop the traffic using a 'block log all' default action and 'set > block-policy drop' in pf.conf. I'm not sure I agree that a single host scanning 30K ports can be so easily dismissed as the result of a bot. That said, I agree with your comments generally, but I prefer to log blocked traffic (with the exception of certain categories of "noise"). That means when the "block log all" rule matches, I'm at risk of tens of thousands of Mostly Useless log entries as pointed out earlier. The fact that those log entries or that activity is also Mostly Harmless, could mean that your Don't Panic is the right advice. But then, what if it's someone trying to build an interspace bypass and all I have is a bathrobe and a towel to work with? > Don't open up high-port ranges to incoming traffic, either UDP or TCP > -- if you have to run FTP servers then use ftp/ftp-proxy to avoid having > to open your firewall too much. I could write a rule to explicity block (and not log) high port ranges, but I'd prefer at least to be aware of someone actively scanning my network. Which suggests, at least to me, that limited logging with automagic table creation are the way to go. > Also consider the following sysctls: > > # Blackhole packets to ports without listeners > net.inet.tcp.blackhole=1 > net.inet.udp.blackhole=1 > > although these will be redundant if your firewalling is effective. I wonder, though, would using a block-policy setting of return (which I'm currently using) render the above redundant, or would the above take precedence? I'll have to add that to the list of Stuff to Check. > Cheers, Same to you, mate. and thanks for gracing me with your presence once again.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2daa8b4e0809221512o5c85d286qb8da358fb9d5ee66>