Portscan??
romaniuc@edumed.org.br
Tue, 12 Nov 2002 09:57:31 -0200 (BRST)
Hi all,
I'm trying to detect and block portscans, and I'm using the
rules below.
It doesn't work: I ran a lot of portscans and not one has been
detected; what is wrong???
Thanks
RULES.....
$IPTABLES -F NOVA_CONEXAO
$IPTABLES -X NOVA_CONEXAO > /dev/null
## NAT
$IPTABLES -t nat -F
$IPTABLES -N NOVA_CONEXAO
## New packets
$IPTABLES -A INPUT -i $EXTIF -p ! icmp -m state --state NEW -j NOVA_CONEXAO
## PortScanners - Detection
#$IPTABLES -A NOVA_CONEXAO -j LOG --log-prefix "############################"
## NMAP FIN/URG/PSH
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 2/s -j LOG --log-prefix "(Nmap) Stealth XMAS Scan: "
# SYN/RST
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 2/s -j LOG --log-prefix "SYN/RST Scan: "
# SYN/FIN (probably)
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 2/s -j LOG --log-prefix "SYN/FIN Scan(?): "
# NMAP FIN Stealth
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN -m limit --limit 2/s -j LOG --log-prefix "(Nmap) Stealth FIN Scan: "
# ALL/ALL Scan
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL ALL -m limit --limit 2/s -j LOG --log-prefix "ALL/ALL Scan: "
# NMAP Null Scan (probably)
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL NONE -m limit --limit 2/s -j LOG --log-prefix "(Nmap) Stealth Null Scan(?): "
## Now Dropping
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL NONE -j DROP
################################
## Now my rules..... INPUT
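To see what the six detection rules above can and cannot log, here is an added example (not part of the post) that models how iptables evaluates "--tcp-flags MASK COMP", i.e. (flags & MASK) == COMP, against constructed probe packets; it shows that a packet carrying only SYN, which is what an ordinary SYN scan or connect() scan sends, matches none of them, so a scan of that kind is not something this ruleset can detect. The flag bit values are the standard TCP header bits; the labels are assumed short forms of the post's log prefixes.

```shell
#!/bin/sh
# Added example: emulate iptables "--tcp-flags MASK COMP" matching
# ((flags & MASK) == COMP) for the six LOG rules in the post.

FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32   # standard TCP flag bits
ALL=$(( FIN | SYN | RST | PSH | ACK | URG ))

# bits NAME... -> numeric flag word, e.g. "bits SYN ACK" -> 18
bits() {
  total=0
  for f in "$@"; do
    case $f in
      FIN) total=$(( total | FIN )) ;;  SYN) total=$(( total | SYN )) ;;
      RST) total=$(( total | RST )) ;;  PSH) total=$(( total | PSH )) ;;
      ACK) total=$(( total | ACK )) ;;  URG) total=$(( total | URG )) ;;
    esac
  done
  echo "$total"
}

# "mask comp label", one per line, in the order the post appends them
RULES="$ALL $(bits FIN URG PSH) XMAS
$(bits SYN RST) $(bits SYN RST) SYN/RST
$(bits SYN FIN) $(bits SYN FIN) SYN/FIN
$ALL $FIN FIN
$ALL $ALL ALL/ALL
$ALL 0 NULL"

# classify FLAGS -> every label whose rule matches (LOG is non-terminating,
# so one packet is logged once per matching rule), or "none"
classify() {
  flags=$1
  matches=$(printf '%s\n' "$RULES" | while read -r mask comp label; do
    if [ $(( flags & mask )) -eq "$comp" ]; then printf '%s ' "$label"; fi
  done)
  matches=${matches% }
  echo "${matches:-none}"
}

# Constructed sample probes; the first two are what a plain SYN scan or a
# normal connection attempt puts on the wire, and they match nothing.
for probe in "SYN" "SYN ACK" "FIN URG PSH" "FIN" "SYN FIN" "NONE" \
             "FIN SYN RST PSH ACK URG"; do
  printf '%-24s -> %s\n' "$probe" "$(classify "$(bits $probe)")"
done
```

Also note that NOVA_CONEXAO only sees packets that connection tracking classifies as NEW; a probe with an abnormal flag combination may be classified INVALID instead and never reach the chain, which a temporary "-m state --state INVALID -j LOG" rule on INPUT will reveal.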