Re: [tlug] iptable blocking IP addresses
- Date: Mon, 23 Feb 2004 17:41:56 +0900
- From: "Stephen J. Turnbull" <stephen@example.com>
- Subject: Re: [tlug] iptable blocking IP addresses
- References: <20040223025748.74578.qmail@example.com>
- Organization: The XEmacs Project
- User-agent: Gnus/5.1006 (Gnus v5.10.6) XEmacs/21.5 (celeriac, linux)
>>>>> "Gerald" == Gerald Naughton <naughton123@example.com> writes:

    Gerald> IPCOP uses iptables and I can't see in the docs on howto
    Gerald> to stop scanning etc

    Gerald> Anyone recommend a way to stop these scans etc ?

You can't stop a scan.  If somebody's got a big enough pipe, they can
DOS you by port scanning (google for, uh, Trinoo or DDOS).  All you can
do is block the probes at the firewall, which is the same thing as
blocking attempts to access those ports---by definition.  An attempt to
access a port is exactly what a "scan" is; it's just not followed up
with any data if it succeeds.

Here's a dataflow diagram:

                              log
                               A
                               |
                     +---------0-------+
                     |                 |
                     |                 |
allowed connection --0---------+-------0--> local service or inside host
                     |         |       |
                     | firewall router |
                     |         |       |
blocked connection --0---------+ X  -> local service or inside host
                     |         |       |
                     +---------0-------+
                               |
                         +-----+-----+
                         |           |
                         V           V
                        log      ICMP reject

The "log" and "ICMP reject" actions are optional.

Evidently IPCOP is logging the scans.  What you need to find out is if
those scans are getting through to the services or hosts.  Look for
logs on the inside from either the service daemons or inetd.  If not,
you're done.  If they are, you just block them as usual, with iptables
rules having DROP or REJECT as the target.

Whether to use the "reject" option depends on your preferences, the
source, and the port.  The practical implications of using REJECT
rather than DROP are (1) you'd like to tell honest people that they've
made an error, and your machine is not unplugged, and (2) for some
services (eg, mail) a firm "go away" may actually make some bad guys go
away (eg, spammers would prefer not to waste many milliseconds trying
to connect to a machine that is never going to accept mail from them).
In the case of FTP or a shotgun port scan, chances are good that
they're looking for a single chance to suborn your machine, and they'll
be back, sooner or later.  In the case of mail, though, they want to
use your machine _now_, and if you definitively reject them, they may
very well give up.

-- 
Institute of Policy and Planning Sciences     http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
       Ask not how you can "do" free software business;
       ask what your business can "do for" free software.
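An added example, not from Stephen's mail or from IPCOP: a shell script that prints an iptables INPUT ruleset following the three paths in the diagram (allowed connection, blocked-and-logged connection dropped, blocked connection rejected), with SMTP probes REJECTed as the mail case above suggests. The outside interface, inside network, log prefix and the choice of ssh as the inside-only service are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables INPUT ruleset for the dataflow above.
# Blocked probes are logged (rate-limited) and then DROPped, except SMTP,
# which is REJECTed so a mail sender gets a definitive "go away". The host
# runs no public mail service; ssh is reachable only from the inside network.
# Assumed (constructed) values: outside interface eth0, inside net 10.0.0.0/24.

# Target for a blocked probe on TCP port $1: REJECT for mail, DROP otherwise.
block_target() {
    case "$1" in
        25) echo "REJECT --reject-with tcp-reset" ;;
        *)  echo "DROP" ;;
    esac
}

# Print the rules for outside interface $1 and inside network $2.
build_rules() {
    ext="${1:-eth0}"
    inside="${2:-10.0.0.0/24}"
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    # allowed connections: loopback, replies to our own traffic, inside hosts
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT ! -i $ext -s $inside -p tcp --dport 22 -j ACCEPT"
    # log blocked probes from outside; the limit keeps a flood from filling the disk
    echo "iptables -A INPUT -i $ext -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix \"FW-BLOCKED: \""
    # blocked connections: mail gets a firm rejection, everything else is dropped
    echo "iptables -A INPUT -i $ext -p tcp --dport 25 -j $(block_target 25)"
    echo "iptables -A INPUT -i $ext -j $(block_target any)"
}

build_rules "$@"
```

Review the printed rules, then pipe them to sh on the firewall; the LOG prefix is what to grep for in the kernel log when checking whether a probe was blocked before it reached a service.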
- Follow-Ups:
- [tlug] Re: iptable blocking IP addresses
- From: Tobias Diedrich
- References:
- [tlug] iptable blocking IP addresses
- From: Gerald Naughton