* Re: Logging Portscans
@ 2002-10-21 23:33 Tasha Smith
  2002-10-22 10:14 ` Antony Stone
  0 siblings, 1 reply; 4+ messages in thread
From: Tasha Smith @ 2002-10-21 23:33 UTC (permalink / raw
  To: netfilter

you mean you never get any logs at all, or you get log entries on the screen 
but not in a file, or you get logs sometimes, but not when you're doing a 
particular type of scan ?

---> I am scanning my firewall machine from a machine on a "different network".

---> And when the scan is finished I check the log file of my firewall machine
and there are no reports of a scan to any port. My log file being
"/var/log/messages".

---> Here is the nmap scan I used: "nmap -sS -sT -P0 -v 152.22.xx.xx"

> I even added this to my syslog.conf file......
>
>  kern.warn                            /var/log/fwlog

Does this successfully log anything at all ?  I mean, if you insert a rule 
right at the start of your INPUT chain:
iptables -I INPUT -j LOG --log-prefix "fwlog: "

Does anything go into /var/log/fwlog ?
---> Yes, something does go into the "/var/log/fwlog" file. (All kernel messages
go into this file, like:
OCT 21 01:4443 HOSTNAME   kernel : Linux version 2.4.19
(root@hostname.bc.hisa.telus.net) gcc version 2.96)
OCT 21 01:4443 HOSTNAME   kernel Mount-cache has tables entyries: 1024 (order:
1, 8192 bytes
OCT 21 01:4443 HOSTNAME   kernel : Buffer-cache hash tables entries:4096
(order:2, 16384
and some other kernel messages.)

(I would expect you to have to add the option "--log-level=warn" to match the 
entry in your syslog.conf file.)

>  How can i get this machine to log STEALTH port scans and stuff???

Explain what you mean by a Stealth port scan ?   If you're using nmap, what 
options are you using ?

---> Here are the options I'm using: "nmap -sS -sT -P0 -v 152.22.xx.xx"

> iptables           --flush
> iptables -t nat    --flush
> iptables -t mangle --flush
>
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> iptables --policy INPUT DROP
> iptables --policy FORWARD DROP
> iptables --policy OUTPUT ACCEPT
---> # When this line is added to my script:
  iptables -I INPUT -j LOG --log-prefix "fwlog: "
---> and I run the nmap scan from a computer with an IP address of 152.22.xx.xxx,
the only things that get logged in the fwlog file are:
OCT 21 01:4453 HOSTNAME   kernel : fwlog: IN eth1 OUT= MAC=
ff:ff:ff:ff:00:43:xx:xx:xx src=192.168.0.11 DST=192.168.0.255 LEN=78 TOS=0x00
PREC=0x00 TTL=128 ID 63894 PROTO=UDP SPT=137 DPT=137 LEN=58
---> But nothing from the IP address of the computer that I did the port scan with;
the only traffic that is getting logged is my machine behind the firewall and the
firewall machine's eth1.

> iptables -A INPUT      -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A FORWARD    -p tcp --tcp-flags ALL NONE -j DROP

> iptables -A INPUT    -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD  -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -i eth0 -p udp \
>          -s ISP.DHCP  --sport 67 \
>          --dport 68 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p udp \
>          -s eth0 --sport 68 \
>          -d ISP.DHCP --dport 67 -j ACCEPT
>
> iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables -A INPUT -i eth0 -p tcp -m multiport \
>          --dports 22,25,111,1024,1025 -j LOG --log-prefix "Log-test: "

Okay, so this LOGging rule is last in your INPUT chain, just before the 
default DROP policy.

I assume you are scanning the Firewall address itself ?
---> Yes... I'm scanning the firewall computer's IP address, 152.22.xx.xx, and I'm
not scanning from a machine behind the firewall. It's a machine on a different
network!

By the way, what result do you get from the scan ?   Does it suggest you have 
closed ports, open ones, nothing accessible, what ?
---> The result I get is: "All 1601 scanned ports on "firewall machine" are
filtered."

What happens if you simply ssh to the Firewall, or telnet to port 25 ?   Do 
you see a log entry then ?
---> No, I don't!
---> The script is exactly what it looks like now, when I did the scan!





* Re: Logging Portscans
  2002-10-21 23:33 Logging Portscans Tasha Smith
@ 2002-10-22 10:14 ` Antony Stone
  2002-10-22 10:44   ` Problem with iptables P-O-M hare ram
  0 siblings, 1 reply; 4+ messages in thread
From: Antony Stone @ 2002-10-22 10:14 UTC (permalink / raw
  To: netfilter

On Tuesday 22 October 2002 12:33 am, Tasha Smith wrote:

> Here is the nmap scan I used: "nmap -sS -sT -P0 -v 152.22.xx.xx"

I don't understand the use of -sS and -sT at the same time.

-sS is for a SYN scan - nmap sends out a SYN packet, looks to see if a 
SYN/ACK comes back, but doesn't send anything back after that.

-sT is a connect() scan - nmap sends out a SYN as before, but if it gets a 
SYN/ACK back again, it replies with an ACK so that a full connection is 
established with the remote end.

Unless you don't have root access on the machine you're running nmap from, I 
don't see why you'd normally want to use the connect() type of scan, but in 
any case I think it's inappropriate to use both -sS and -sT in the same nmap 
command.

> > > I even added this to my syslog.conf file......
> > >
> > >  kern.warn                            /var/log/fwlog
> >
> > Does this successfully log anything at all ?  I mean, if you insert a rule
> > right at the start of your INPUT chain:
> > iptables -I INPUT -j LOG --log-prefix "fwlog: "
> >
> > Does anything go into /var/log/fwlog ?
>
> Yes, somehting does go into the "/var/log/fwlog" file. (All kernel
> messages goes into this file like:
> OCT 21 01:4443 HOSTNAME   kernel : Linux version 2.4.19
> (root@hostname.bc.hisa.telus.net) gcc version 2.96)

No, I actually meant "does anything from netfilter get logged into 
/var/log/fwlog ?" - however you have answered this below and it seems that 
the logging is working correctly.

> iptables -I INPUT -j LOG --log-prefix "fwlog: "
>
> When this line is added to my script and i run the nmap scan from a
> computer with an ip address of 152.22.xx.xxx  the only things that get log
> in the fwlog file are:
> OCT 21 01:4453 HOSTNAME   kernel : fwlog: IN eth1 OUT= MAC=
> ff:ff:ff:ff:00:43:xx:xx:xx src=192.168.0.11 DST=192.168.0.255 LEN=78
> TOS=0x00 PREC=0x00 TTL=128 ID 63894 PROTO=UDP SPT=137 DPT=137 LEN=58

Okay, so you are getting log entries from *a* logging rule, just not from the 
one you're trying to detect the scan from...

(By the way, there's no need to disguise mac addresses when you post your 
logfile entries - nobody outside your local network can do anything useful 
with a mac address, and anybody inside your local network can find it out for 
themselves anyway.)

> But nothing from the computers ip addressd that i did the port scan
> with only tarffic that is getting logged is my machine behind the firewall
> and the firewall machines eth1.

> > By the way, what result do you get from the scan ?   Does it suggest you
> > have closed ports, open ones, nothing accessible, what ?
> The relsut i get is: All 1601 scanned ports on "firewall machine" are
> filtered."

Hmmm.   Is this true ?   Or should some of your ports be accessible from the 
machine you're scanning from ?   (eg SSH, SMTP...?)

> > What happens if you simply ssh to the Firewall, or telnet to port 25 ?
> > Do you see a log entry then ?

> No, i dont!

Okay, let's step back a bit and see if we can successfully log things which are 
connecting, and then try to log things which are being blocked.

Try adding the following to the start of your INPUT chain:

iptables -I INPUT -s a.b.c.d -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j LOG --log-prefix="ssh "

(Entering them in that order should insert the "accept ssh" rule, and then 
insert the "log ssh" rule in front of it.)

a.b.c.d is any machine outside your firewall (eg the one you've been scanning 
from with nmap) from which you can ssh back into your firewall.

If for some reason you don't happen to have sshd running on your firewall 
simply change the port number to any other service you can connect to (80 ? 
110 ? 25 ? 23 ?) in order to test things.

Then from the remote machine a.b.c.d connect to your firewall and make sure 
you have a valid connection (eg you do successfully log in by ssh, or 
whatever), and then see what comes up in your log file.

Antony.

-- 

I vote "no" to this proposal to form a committee to investigate whether we 
should or should not hold a ballot on whether to vote yet.
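The log lines quoted earlier in this thread are the netfilter LOG target's output as it reaches syslog: a timestamp and host, the `kernel:` tag, the `--log-prefix` string, then `IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=` fields and, for TCP, bare flag words such as `SYN`. The following is an added example, not code posted by anyone in the thread, showing how a defender would parse that format and spot what an nmap SYN scan of a DROP-policy firewall looks like once a LOG rule sits in front of the drop: one outside source hitting many distinct destination ports with bare SYNs. The sample lines are constructed, the hostname `fw` and the addresses are placeholders, and the assumption that `eth0` is the outside interface follows the script posted above.

```python
"""Parse netfilter LOG lines from syslog and flag sources that probed many ports.

Added example, not code from the thread. Assumes the iptables LOG target's
syslog format (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT= plus bare TCP flag
words such as SYN) and that eth0 is the firewall's outside interface.
"""
import re
from collections import defaultdict

# Constructed sample lines (not from the thread): one LAN broadcast seen on eth1,
# six bare SYNs from one outside host to six different ports, one SYN from a
# second host, and one ordinary kernel message that the parser must skip.
SAMPLE_LINES = [
    "Oct 21 01:44:53 fw kernel: fwlog: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:43:11:22:33:44:08:00 "
    "SRC=192.168.0.11 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=63894 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Oct 21 01:45:01 fw kernel: fwlog: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2001 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Oct 21 01:45:01 fw kernel: fwlog: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2002 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Oct 21 01:45:01 fw kernel: fwlog: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2003 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Oct 21 01:45:01 fw kernel: fwlog: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2004 PROTO=TCP SPT=40001 DPT=111 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Oct 21 01:45:01 fw kernel: fwlog: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2005 PROTO=TCP SPT=40001 DPT=1024 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Oct 21 01:45:01 fw kernel: fwlog: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=198.51.100.1 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2006 PROTO=TCP SPT=40001 DPT=1025 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Oct 21 01:45:02 fw kernel: fwlog: IN=eth0 OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 "
    "SRC=198.51.100.50 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct 21 01:45:03 fw kernel: Linux version 2.4.19 (root@fw) (gcc version 2.96)",
]

# syslog timestamp, host, "kernel:", the free-form --log-prefix, then the
# netfilter fields, which always start with IN=.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Return a dict of fields for one netfilter LOG line, or None if the line
    is not one (e.g. an ordinary kernel boot message)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"TS": m.group("ts"), "HOST": m.group("host"), "PREFIX": m.group("prefix").strip()}
    flags = []
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # LEN appears twice (IP total length, then UDP/ICMP payload length);
            # keep the first as LEN and the second as LEN2.
            if key in rec:
                key += "2"
            rec[key] = val
        else:
            flags.append(tok)  # bare words are TCP flags: SYN, ACK, FIN, RST, ...
    rec["FLAGS"] = flags
    return rec


def parse_log(text):
    """Parse every netfilter LOG line in a block of syslog text."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def find_port_probers(records, iface="eth0", min_ports=5):
    """Return {src: sorted distinct DPTs} for sources that sent bare SYNs (SYN
    set, ACK clear) to at least min_ports distinct TCP ports on iface."""
    ports = defaultdict(set)
    for r in records:
        if r.get("IN") != iface or r.get("PROTO") != "TCP":
            continue
        if "SYN" not in r["FLAGS"] or "ACK" in r["FLAGS"]:
            continue
        ports[r["SRC"]].add(int(r["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log("\n".join(SAMPLE_LINES))
    print(f"{len(recs)} netfilter log entries parsed")
    for src, dpts in find_port_probers(recs).items():
        print(f"possible port scan from {src}: {len(dpts)} distinct ports {dpts}")
```

Fed the real `/var/log/fwlog`, this only sees what a LOG rule actually matched, so the rule has to precede the DROP policy (or the `--tcp-flags ALL NONE -j DROP` rules) for scan traffic to appear at all; the parser skips non-netfilter kernel lines, and the threshold `min_ports` separates one person trying ssh from a sweep across many ports.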



* Problem with iptables P-O-M
  2002-10-22 10:14 ` Antony Stone
@ 2002-10-22 10:44   ` hare ram
  2002-10-22 16:10     ` hare ram
  0 siblings, 1 reply; 4+ messages in thread
From: hare ram @ 2002-10-22 10:44 UTC (permalink / raw
  To: Antony Stone, netfilter

Hi all

I am using Red Hat 7.2 with the iptables 1.2.5 rpm.
I am trying to patch iptables with P-o-M.
I patched only one option, iplimit.
It's patched with

/var/tmp/patchomatic/netfilter/patch-o-matic/runme
../userspace/extensions/libipt_iplimit.c

patch is applied
then
I run in the kernel

make dep
make
make bzImage
make modules
make install
make modules_install

When I am doing make modules_install, I am getting the following error.
Can anyone point me to where I am doing wrong?



find kernel -path '*/pcmcia/*' -name '*.o' | xargs -i -r ln -sf ../{} pcmcia
if [ -r System.map ]; then /sbin/depmod -ae -F System.map  2.4.18-3custom;
fi
depmod: *** Unresolved symbols in
/lib/modules/2.4.18-3custom/kernel/net/ipv4/netfilter/ipt_iplimit.o
depmod:         ip_conntrack_find_get
make: *** [_modinst_post] Error 1

Thanks in advance

hare




* Re: Problem with iptables P-O-M
  2002-10-22 10:44   ` Problem with iptables P-O-M hare ram
@ 2002-10-22 16:10     ` hare ram
  0 siblings, 0 replies; 4+ messages in thread
From: hare ram @ 2002-10-22 16:10 UTC (permalink / raw
  To: Antony Stone, netfilter

Hi all
Thanks to Hard__warE, I have rectified my problem.

hare
----- Original Message -----
From: "hare ram" <hareram@sol.net.in>
To: "Antony Stone" <Antony@Soft-Solutions.co.uk>;
<netfilter@lists.netfilter.org>
Sent: Tuesday, October 22, 2002 4:14 PM
Subject: Problem with iptables P-O-M


> Hi all
>
> I am using Red Hat 7.2 with the iptables 1.2.5 rpm.
> I am trying to patch iptables with P-o-M.
> I patched only one option, iplimit.
> It's patched with
>
> /var/tmp/patchomatic/netfilter/patch-o-matic/runme
> ../userspace/extensions/libipt_iplimit.c
>
> patch is applied
> then
> I run in the kernel
>
> make dep
> make
> make bzImage
> make modules
> make install
> make modules_install
>
> When I am doing make modules_install, I am getting the following error.
> Can anyone point me to where I am doing wrong?
>
>
>
> find kernel -path '*/pcmcia/*' -name '*.o' | xargs -i -r ln -sf ../{}
pcmcia
> if [ -r System.map ]; then /sbin/depmod -ae -F System.map  2.4.18-3custom;
> fi
> depmod: *** Unresolved symbols in
> /lib/modules/2.4.18-3custom/kernel/net/ipv4/netfilter/ipt_iplimit.o
> depmod:         ip_conntrack_find_get
> make: *** [_modinst_post] Error 1
>
> Thanks in advance
>
> hare
>
>
>



