- 11-27-2012 #1 Just Joined!
- Join Date
- Jul 2012
- Posts
- 5
port scanning protection
hi...
I want to protect against any port-scan attacks with iptables...
I tried many rules but they don't work...
whenever an attacker starts to scan ports on my server (for example by nmap) I want to block the IP for an hour...
thank you in advance
- 11-27-2012 #2
Look at Fail2ban. I don't use it but I am sure you can use it to monitor your logs and block someone port scanning. Be aware that one can port scan you without you knowing it.
- 11-28-2012 #3 Trusted Penguin
- Join Date
- May 2011
- Posts
- 3,745
Another good one to look into is denyhosts:
Code:
# yum info denyhosts
Available Packages
Name        : denyhosts
Arch        : noarch
Version     : 2.6
Release     : 26.fc17
Size        : 90 k
Repo        : fedora
Summary     : A script to help thwart ssh server attacks
URL         : http://denyhosts.sourceforge.net/
License     : GPLv2
Description : DenyHosts is a Python script that analyzes the sshd server log
            : messages to determine which hosts are attempting to hack into your
            : system. It also determines what user accounts are being targeted. It
            : keeps track of the frequency of attempts from each host and, upon
            : discovering a repeated attack host, updates the /etc/hosts.deny file
            : to prevent future break-in attempts from that host. Email reports can
            : be sent to a system admin.
- 11-29-2012 #4 Just Joined!
- Join Date
- Jul 2012
- Posts
- 5
thank you very much...
but I want to use iptables rules... can you help me with this?
- 11-29-2012 #5
Fail2ban uses the log files, which are populated by iptables log rules, to ban IP addresses.
- 11-30-2012 #6 Trusted Penguin
- Join Date
- May 2011
- Posts
- 3,745
I use a simple Bash script in conjunction with denyhosts. Probably like what fail2ban does, only it reads /etc/hosts.deny instead of the other (secure) log. Here's an example:
Note: I just consider this approach for use on my personal systems. Not for a production server on a corporate website getting hammered by script kiddies and bots.
Code:
#!/bin/bash

ipt_file='/etc/sysconfig/iptables'
restart=

ban_ip() {
  local ip=$1

  # here, you should make sure that "$ip" is a valid ip address
  # or hostname and not some weird network declaration

  # see if a rule for the ip is already in the file
  # (-q: no output, -F: match the rule as a fixed string, not a regex)
  if grep -qF -- "-A INPUT -s $ip -j DROP" "$ipt_file"; then
    echo "Host $ip is already banned"
  else
    # add the rule
    echo "Exercise for you...insert this rule into $ipt_file"
    echo "-A INPUT -s $ip -j DROP"
    restart=1
  fi
}

# iterate over each line of /etc/hosts.deny
while IFS= read -r line; do
  # only look at the sshd entries
  echo "$line" | grep -q '^sshd[[:space:]]*:' || continue

  # get the list of ip addresses, etc on this line (could be more than 1)
  hosts=$(echo "$line" | awk -F: '{print $2}')

  # now loop thru all ip addrs (left unquoted on purpose so the list splits)
  for ip in $hosts; do
    ban_ip "$ip"
  done
done < /etc/hosts.deny

if test "$restart"; then
  echo -e "\nChanges made, so restart iptables:"
  # systemctl restart iptables.service
  # /etc/init.d/iptables restart
  # etc.
fi
- 12-01-2012 #7 Just Joined!
- Join Date
- Jul 2012
- Posts
- 5
thank you very much dear friend...
I want to set something on my server.....
and it is really an emergency
help me guys ...!
at first I could protect against brute-force attacks...
now I'm trying to find very good rules for iptables...
I don't want to use psad...my server is CentOS....
- 12-02-2012 #8
As I have stated Fail2ban is pro-active. It monitors your log files and creates rules as needed to block.
- 12-03-2012 #9 Just Joined!
- Join Date
- Jul 2012
- Posts
- 5
Thank you dear friend ...
- 12-11-2012 #10 Just Joined!
- Join Date
- May 2008
- Location
- Russia, Far East, Komsomolsk-on-Amur
- Posts
- 2
Do you have the 'recent' iptables module in your distro? Try to use it for this purpose.
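The `recent` match suggested in the post above can do what the original question asks: drop a source for an hour once it has probed closed ports. The following is an added example, not code from any poster in this thread; the function name, the list name `portscan`, the default numbers and the optional trusted address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints INPUT rules in the
# iptables-save format used by /etc/sysconfig/iptables.
# usage: portscan_rules "<open tcp ports>" [ban_secs] [hits] [trusted_ip]
portscan_rules() {
  local open_ports="$1" ban_secs="${2:-3600}" hits="${3:-10}" trusted="${4:-}" n p

  # Validate everything first so a bad argument never yields a partial ruleset.
  for n in "$ban_secs" "$hits" $open_ports; do
    case $n in
      ''|*[!0-9]*) echo "not a number: '$n'" >&2; return 1 ;;
    esac
  done
  case $trusted in
    *[!0-9a-fA-F.:/]*) echo "bad address: '$trusted'" >&2; return 1 ;;
  esac
  # xt_recent keeps ip_pkt_list_tot (default 20) timestamps per address and
  # refuses a larger --hitcount when the rule is loaded.
  if [ "$hits" -lt 1 ] || [ "$hits" -gt 20 ]; then
    echo "hits must be between 1 and 20" >&2; return 1
  fi

  echo "-A INPUT -i lo -j ACCEPT"
  # SYN source addresses can be forged, so exempt the admin address from bans.
  if [ -n "$trusted" ]; then
    echo "-A INPUT -s $trusted -j ACCEPT"
  fi
  # Ban: drop everything from a source with >= hits probes on record within
  # ban_secs. --rcheck does not refresh the entry, so the ban ages out.
  echo "-A INPUT -m recent --name portscan --rcheck --seconds $ban_secs --hitcount $hits -j DROP"
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Published services are accepted before anything is counted.
  for p in $open_ports; do
    echo "-A INPUT -p tcp -m tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Every other SYN went to a closed port: record the source, then drop.
  # A dropped SYN is retransmitted, so one mistaken connect counts several
  # times; keep hits well above 1.
  echo "-A INPUT -p tcp -m tcp --syn -m recent --name portscan --set -j DROP"
}

# Sample run with constructed values (192.0.2.10 is a documentation address).
portscan_rules "22 80 443" 3600 10 192.0.2.10
```

The printed lines belong in the `*filter` section of the rules file, ahead of any final catch-all REJECT or DROP rule, and `iptables-restore --test` checks a complete file before it is applied. The rules only see TCP SYNs to closed ports, so scans that stay on the published ports or use other probe types are not counted.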