Ah, if you want such rules yourself, here are the relevant snippets
from my /etc/sysconfig/iptables (which iptables-restore restores
rules from at boot), which should help:
# user-defined chains (iptables-restore syntax)
:scans - [0:0]
:ssh-scan - [0:0]
# ssh-scan: note every new SSH connection per source, then log and drop a
# source that makes 8 or more in 60 seconds
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j LOG --log-prefix "SSH Scan: "
-A ssh-scan -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP
# scans: reject known-scan ports up front so they never reach the logging rule
-A scans -p tcp -m tcp --dport 1243 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 4899 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 4898 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p udp -m udp --dport 135 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 12345 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p udp -m udp --dport 1026 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 17300 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 5000 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 135 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 139 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 3127 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 1433 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 2745 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 6129 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 901 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p tcp -m tcp --dport 1025 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p udp -m udp --dport 137 -j REJECT --reject-with icmp-admin-prohibited
-A scans -p udp -m udp --dport 1434 -j REJECT --reject-with icmp-admin-prohibited
Then just hook the above to a chain that is applied to incoming
packets on external interfaces (I have an 'infilter' chain for that,
but a '-t filter -A INPUT -i ppp0 -j scans' type of thing might work
for you).
The 'ssh-scan' chain was an idea I read on a Debian Planet aggregated
blog a while ago.
The 'scans' chain was built by analysing my logs with a script to
total up DROPped packets by source and destination port, logged by the
end of my 'infilter' rule (i.e. those packets get dropped anyway, I
just don't want my logs filled up by 'known-scan ports'). The
above is a reasonably good list of ports AFAICT; at least if I look
at my logs from the last 60 days, there are no regularly scanned
ports it doesn't catch:
# zcat /var/log/messages.*.gz | awk -f ~/infilter.awk
<stripping out lines of DROPs corresponding to ephemeral ports>
tport: DPT=135 5
tport: DPT=139 1
tport: DPT=445 10
uport: DPT=1434 1
sport: SPT=1263 1
sport: SPT=4180 1
sport: SPT=6042 1
sport: SPT=113 22
sport: SPT=4368 1
sport: SPT=4761 1
sport: SPT=3245 1
sport: SPT=19607 5
sport: SPT=18392 2
sport: SPT=2198 1
sport: SPT=1125 1
sport: SPT=16488 5
sport: SPT=4805 1
sport: SPT=3081 1
sport: SPT=26452 2
sport: SPT=1461 1
sport: SPT=43 11
sport: SPT=25 663
sport: SPT=3346 1
sport: SPT=80 1750
sport: SPT=3180 1
sport: SPT=1771 1
sport: SPT=4057 1
sport: SPT=61763 5
sport: SPT=6667 206
A few of those (6667, 80, 25, etc.) would probably be due to timeouts
of connections which should have been matched by an 'ESTABLISHED'
rule I have; others I'm filtering already and were packets which came
in maybe while I restarted my iptables. All the rest I'm not
filtering out (because I get < 10 per 60 days).
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
I have had my television aerials removed. It's the moral equivalent
of a prostate operation.
-- Malcolm Muggeridge
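Paul's infilter.awk is not included in the post. The script below is an added example, not his script, of how the same totals (tport/uport by destination port, sport by source port) can be produced from iptables LOG lines. It assumes the catch-all logging rule's prefix contains the word "DROP" (adjust the awk pattern to your own --log-prefix), that destination ports at or above 32768 are ephemeral and so get stripped from the tport/uport lists (the start of the local range is in /proc/sys/net/ipv4/ip_local_port_range; override with EPHEMERAL_MIN), and the sample log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Constructed sample iptables LOG lines (hypothetical addresses, not real traffic).
# The "infilter DROP" prefix is an assumed --log-prefix of the catch-all rule.
SAMPLE_LOG='Mar  1 02:11:08 gw kernel: infilter DROP IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=115 PROTO=TCP SPT=3391 DPT=135 SYN
Mar  1 02:11:09 gw kernel: infilter DROP IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=115 PROTO=TCP SPT=3392 DPT=445 SYN
Mar  1 02:13:40 gw kernel: infilter DROP IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=48 TTL=112 PROTO=TCP SPT=1044 DPT=445 SYN
Mar  1 03:05:12 gw kernel: infilter DROP IN=ppp0 OUT= SRC=198.51.100.20 DST=203.0.113.5 LEN=404 TTL=110 PROTO=UDP SPT=1030 DPT=1434
Mar  1 04:20:01 gw kernel: infilter DROP IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=80 DPT=34211 ACK FIN
Mar  1 04:20:03 gw kernel: infilter DROP IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=80 DPT=34211 ACK FIN
Mar  1 05:00:00 gw kernel: infilter DROP IN=ppp0 OUT= SRC=192.0.2.88 DST=203.0.113.5 LEN=40 TTL=49 PROTO=TCP SPT=25 DPT=41002 ACK RST'

# Awk program (POSIX awk only, no gawk extensions). For every dropped packet
# it pulls PROTO=, SPT= and DPT=, totals TCP and UDP destination ports as
# tport/uport and source ports as sport. In END, destination ports in the
# ephemeral range are left out: those are late replies to our own
# connections, not services anybody is scanning for.
INFILTER_AWK='
/ DROP / {
    proto = ""; spt = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^SPT=/) spt = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (dpt == "" || spt == "") next        # ICMP etc. carry no port fields
    if (proto == "UDP") uport[dpt]++; else tport[dpt]++
    sport[spt]++
}
END {
    for (p in tport) if (p + 0 < ephemeral_min) print "tport: DPT=" p " " tport[p]
    for (p in uport) if (p + 0 < ephemeral_min) print "uport: DPT=" p " " uport[p]
    for (p in sport) print "sport: SPT=" p " " sport[p]
}'

# Read log lines on stdin, print the totals. Output is sorted (C locale) because
# awk iterates arrays in an unspecified order.
summarise_drops() {
    awk -v ephemeral_min="${EPHEMERAL_MIN:-32768}" "$INFILTER_AWK" | LC_ALL=C sort
}

# Run over the constructed sample. On a real box:
#   zcat /var/log/messages.*.gz | summarise_drops
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

Ports that show up in the tport/uport lines with a steady count over a couple of months are the candidates for the 'scans' chain; a port that appears once or twice is noise and, as the post says, not worth a rule.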