
block IPs that connect to certain ports?

Red Squirrel

No Lifer
I had a little idea, and I'm sure I'm not the first one to think of this, but say someone port scans my server. Chances are they're looking for stuff they can try to exploit, so it's the first step in trying to potentially compromise the server.

Is there a way in iptables to actually set a temp rule (e.g. 15 minutes) if a client connects to a certain port? Basically I could add that as one of my last rules, so that if a client connects to any other port this gets triggered.

Of course, if I have any security issues those should be fixed regardless, but figured this could be useful to at least slow down a potential attack.

Or would this just be a total waste of resources due to the high volume of port scans online?
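The 15-minute "trap" asked about above can be done with the iptables `recent` match (the `xt_recent` module): a SYN to any port that is not served records the source in a named list, and a rule earlier in the chain drops anything whose source is still in that list. This is an added example, not code from the thread; it assumes, for illustration only, that the external interface is `eth0` (overridable via `WAN_IF`), that the only services offered are SSH on port 2222 and HTTPS on 443, and that `IPTABLES` points at the binary. By default `IPTABLES` is `echo iptables`, so running the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original thread): temporarily ban any host that
# opens a TCP connection to a port we do not serve, using the xt_recent module.
# Assumptions, labelled as such: external interface $WAN_IF, services only on
# TCP 2222 (SSH) and 443 (HTTPS), $IPTABLES is the iptables binary. The default
# "echo iptables" is a dry run that prints the rules it would apply.
IPTABLES="${IPTABLES:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
TRAP_SECONDS="${TRAP_SECONDS:-900}"   # 15 minutes, as in the question

build_trap_rules() {
    # Packets of flows we already accepted are fine. Placed first, a ban does not
    # cut a host's existing sessions; move it below the TRAP check if it should.
    $IPTABLES -A INPUT -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Any source recorded in the TRAP list within the last TRAP_SECONDS is
    # dropped, including on the ports we normally serve. --rttl also requires the
    # TTL to match the one seen when the entry was made, so a spoofed SYN cannot
    # easily get an innocent third party banned.
    $IPTABLES -A INPUT -i "$WAN_IF" -m recent --name TRAP --rcheck --seconds "$TRAP_SECONDS" --rttl -j DROP
    # Ports we actually serve: only the connection-opening SYN has to match here,
    # the rest of the flow is handled by the conntrack rule above.
    $IPTABLES -A INPUT -i "$WAN_IF" -p tcp --dport 2222 --syn -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN_IF" -p tcp --dport 443 --syn -j ACCEPT
    # Every other TCP connection attempt: record the source (a rule without a
    # target just runs its matches and falls through), log at a bounded rate,
    # then fall into the default drop.
    $IPTABLES -A INPUT -i "$WAN_IF" -p tcp --syn -m recent --name TRAP --set
    $IPTABLES -A INPUT -i "$WAN_IF" -p tcp --syn -m limit --limit 3/min -j LOG --log-prefix "PORTTRAP: "
    # Default deny for everything else (UDP, stray ICMP, non-SYN TCP segments).
    $IPTABLES -A INPUT -i "$WAN_IF" -j DROP
}

build_trap_rules
```

Run with `IPTABLES=/sbin/iptables sh trap.sh` to apply. Two caveats a practitioner will hit: `xt_recent` keeps only 100 addresses per list by default (module parameter `ip_list_tot`), so a host that really does see hundreds of probes a minute will cycle entries out and silently end bans early; raise the parameter when loading the module, or keep the banned set in an `ipset` created with a `timeout` and add to it with the `SET` target instead. And `--rcheck` gives a fixed 15-minute ban from the first probe; use `--update` in the DROP rule instead if a scanner that keeps probing should stay banned until it goes quiet.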
 
Why bother trying to react to port scans when you can just have a DROP rule be the last in the chain and only ACCEPT on ports you expect traffic? Then you only need to worry about the ports that are open. Try and run as few services as root as possible, unless you are going to chroot them. I only do ICMP flood detections with the following rules.


# ICMPFLOOD is a user-defined chain; "recent" keeps a per-source list named ICMP
$IPTABLES -N ICMPFLOOD
# record the source address of every echo request that enters the chain
$IPTABLES -A ICMPFLOOD -m recent --set --name ICMP --rsource
# 6 or more hits from one source within 1 second: log it (rate-limited to 1 line/sec) ...
$IPTABLES -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ICMPFLOOD: "
# ... and drop it
$IPTABLES -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
# anything under the threshold is allowed through
$IPTABLES -A ICMPFLOOD -j ACCEPT

# icmpin is the poster's own chain for inbound ICMP; echo requests (type 8) go through the flood check
$IPTABLES -A icmpin -p ICMP --icmp-type 8 -j ICMPFLOOD

That will log anyone who sends more than 6 ICMP floods in 1 second, and then proceed to drop the traffic; it helps against some DoS attacks.

I also do the same for SSH (which should not be running on port 22). There's a script out there called bfd that will read the log files on a cron job and detect brute force attempts, and can then execute a command on detection. So you could add an IP to /etc/hosts.deny or add an iptables rule that drops all traffic for said IP.

It's all in the man pages, which are long... but they do a good job.
 
Was thinking of just being proactive and doing a total block, but I guess it would take too many resources. Chances are the server gets hundreds of probes per minute, if not more, so I can just keep dropping them.

I have fail2ban set up for SSH, and it's running on a non-standard port. At least it keeps most (100% in my case) bots at bay.

The ICMP "trap" seems like a neat trick though.
 