|
||||
How to block Port Scans?
Hi,
I'm trying to figure out how to block port scans from the net on my OpenBSD router. Currently the closest I've come is a site: http://harrykar.blogspot.co.uk/2010/...lteringpf.html which shows this as an example: Code:
block in quick proto tcp all flags SF/SFRA block in quick proto tcp all flags SFUP/SFRAU block in quick proto tcp all flags FPU/SFRAUP block in quick proto tcp all flags /SFRA block in quick proto tcp all flags F/SFRA block in quick proto tcp all flags U/SFRAU block in quick proto tcp all flags P Also using an Android based app "Fing" to do a TCP port scan, I am still able to detect "open ports". Though I've got Snort up and running which basically is giving me all kinds of ICMP sweeps and tcp/udp scan types. I'm probably attacking this the wrong way so really the question is; is there a way to do this - or what would be an example of a way to do this? {EDIT} outside of the obvious; closing ports! If one has web services like http or smtp running it really isn't an option :-) Many thanks. |
|
||||
Quote:
--- Disclaimer one: I don't use flags options in any of my own rule definitions. I also don't recommend them to admins who do not have a clear understanding of each flag. Unless you understand each specific flag's specific purpose and role you may block desired traffic or inadvertantly permit undesired traffic. TL;DR - Just because the tool gives you a gun, it does not mean you must pull the trigger. It's usually aimed at your own feet. Disclaimer two: I don't believe blocking scans serves a useful purpose for those of us who use a block all policy and only pass permitted traffic, since only the permitted traffic will pass. I also use the return option with my block rules. I do this because appropriate blocked traffic that is dropped should learn about the drop immediately -- this limits application issues at the client. And I'm nice to the inappropriate traffic as well, because I don't believe dropping packets is useful, as there is no security through obscurity. Bad actors can still find the services I present to the Internet. For those services, I rely on application level protections such as authentication mechanisms. TL;DR - Everything I don't want in is already blocked, whether they scan or not. |
|
||||
Any device exposed to the Internet will be scanned. Welcome to 1992.
You cannot stop scanning from happening. You can only stop your IDS from seeing the scans or screaming about them. In my case, as I noted above, due to block return rules, TCP scans to "closed" ports will receive an RST packet. I'm nice, that way. Mostly, because I want remote applications to be able to act on a connection failure immediately, and not undergo timeout handling, which I consider rude. I'm not worried about the script kiddies, because eveni if I dropped blocked packets the kiddies will still find the services which are exposed. There is no "stealth" mode on the Internet, regardless what you may have read == all ports for all IP addresses are scanned constantly. This is the world we live in. All we can do is try to ensure that all exposed services are as secure as we can make them. And that is an application specific subject. |
|
||||
Quote:
Quote:
Quote:
Actually this all came about as I was trying to integrate Snort into the network. Having tested it for a while I started to see a pattern of "false positives" so I'm currently in the 'tweaking' stage to get what I need out of it. Though it's quite scary to see Snort reporting "Torjan-activity" or "Web application attack".... need to do more reading and more looking at tcpdump/wireshark output. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
pf block command help | newbsdied | OpenBSD Security | 1 | 7th November 2010 12:50 AM |
Block IDM-DAP-P2P | mohammadreza | OpenBSD Security | 5 | 25th February 2010 09:59 AM |
block spam | milo974 | OpenBSD Security | 1 | 26th May 2009 11:30 AM |
Automaticaly block IPs with PF | DNAeon | FreeBSD Installation and Upgrading | 7 | 20th February 2009 02:06 AM |
nmap scans | hamba | FreeBSD Security | 3 | 2nd February 2009 10:16 AM |