Date: Mon, 22 Sep 2008 22:25:40 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: David Allen <the.real.david.allen@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: Dealing with portscans Message-ID: <48D80D54.8060802@infracaninophile.co.uk> In-Reply-To: <2daa8b4e0809221305v6f5000f1w11090e4a85c21162@mail.gmail.com> References: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com> <20080922200121.289abdcb.ghirai@ghirai.com> <2daa8b4e0809221305v6f5000f1w11090e4a85c21162@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig613BC8491332FE7AF11C3401
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
David Allen wrote:
> On 9/22/08, Ghirai <ghirai@ghirai.com> wrote:
>> On Mon, 22 Sep 2008 08:17:02 -0700
>> "David Allen" <the.real.david.allen@gmail.com> wrote:
>>
>>> Over the last few weeks I've been getting numerous ports scans, each
>>> from unique hosts. The situation is more of an annoyance than
>>> anything else, but I would prefer not seeing or having to deal with
>>> an extra 20-30K entries in my logs as was the case recently.
>>>
>>> I use pf for firewalling, and while it does offer different methods
>>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive
>>> hosts, it doesn't seem to offer much in the way of dealing with
>>> repeated blocked (non-stateful) connection attempts from a given host=
=2E
>>>
>>> Short of running something like snort, is there a suitable tool for
>>> dealing with this? If not, I'll probably resort to running a cronjob=
>>> to parse the logfile and add the offending hosts manually.
>> Add the abusive hosts to a table x, via max-src-conn, max-src-conn-rat=
e,
>> etc., then add near the top of your ruleset:
>>
>> block drop quick from <x>
>=20
> You either didn't read my message or have misunderstood pf.
>=20
> The features you (and I) mention apply only to rules which create
> state. If your rules are written for port 22, 25, and 80 traffic,
> for example, you can most certainly can make use of those features.
>=20
> However, receiving SYN packets to ports 1024-40000 isn't going to
> match anything than a default "block all" rule, which creates no
> state. That gives you zero such features to work with, but does give
> you 38976 individual log entries.
Most of this sort of port scanning is automated by infected machines
-- it doesn't indicate a directed attack at you. it's been described as =
the 'background radiation of the Internet'. So long as your systems
aren't vulnerable to the specific problems the malware is attempting to=20
exploit -- and assuming you aren't running windows then you're almost=20
certainly immune from this automated stuff -- then why bother putting any=
=20
effort into blocking the source hosts? Just dump the traffic and ignore.=
Drop the traffic using a 'block log all' default action and 'set=20
block-policy drop' in pf.conf.
Don't open up high-port ranges to incoming traffic, either UDP or TCP
-- if you have to run FTP servers then use ftp/ftp-proxy to avoid having
to open your firewall too much. Also consider the following sysctls:
# Blackhole packets to ports without listeners
net.inet.tcp.blackhole=3D1
net.inet.udp.blackhole=3D1
although these will be redundant if your firewalling is effective.
Cheers,
Matthew
--=20
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
--------------enig613BC8491332FE7AF11C3401
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEAREIAAYFAkjYDVwACgkQ8Mjk52CukIzmXACeKzEJ+75aJrqhxb9hr931s+nN
ShEAn0OuoA17bXGKhOQc8ggSCIhbjuV5
=M04c
-----END PGP SIGNATURE-----
--------------enig613BC8491332FE7AF11C3401--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48D80D54.8060802>