Page 1 of 2
Results 1 to 10 of 11
  1. #1
    Just Joined!
    Join Date
    Jul 2012
    Posts
    5

    port scanning protection


    Hi...
    I want to protect against port-scan attacks with iptables...
    I tried many rules but they don't work...

    Whenever an attacker starts to scan ports on my server (for example with nmap) I want to block the IP for an hour...
    Thank you in advance

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Look at Fail2ban. I don't use it but I am sure you can use it to monitor your logs and block someone who is port scanning. Be aware that one can port scan you without you knowing it.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Another good one to look into is denyhosts:

    Code:
    # yum info denyhosts
    Available Packages
    Name        : denyhosts
    Arch        : noarch
    Version     : 2.6
    Release     : 26.fc17
    Size        : 90 k
    Repo        : fedora
    Summary     : A script to help thwart ssh server attacks
    URL         : http://denyhosts.sourceforge.net/
    License     : GPLv2
    Description : DenyHosts is a Python script that analyzes the sshd server log
                : messages to determine which hosts are attempting to hack into your
                : system. It also determines what user accounts are being targeted. It
                : keeps track of the frequency of attempts from each host and, upon
                : discovering a repeated attack host, updates the /etc/hosts.deny file
                : to prevent future break-in attempts from that host.  Email reports can
                : be sent to a system admin.

  5. #4
    Just Joined!
    Join Date
    Jul 2012
    Posts
    5
    Thank you very much...
    but I want to use iptables rules. Can you help me with this?

  6. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Fail2ban uses the log files, which are populated by iptables LOG rules, to ban IP addresses.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  7. #6
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Quote Originally Posted by triumph
    Thank you very much...
    but I want to use iptables rules. Can you help me with this?
    I use a simple Bash script in conjunction with denyhosts. Probably similar to what fail2ban does, only it reads /etc/hosts.deny instead of the other (secure) log. Here's an example:
    Code:
    #!/bin/bash
    
    ipt_file='/etc/sysconfig/iptables'
    restart=0
    
    ban_ip() {
      local ip=$1
    
      # make sure "$ip" is a plain ip address or hostname and not some
      # weird network declaration (ALL, 10.0.0.0/8, ...) that would land in a rule
      case $ip in
        *[!A-Za-z0-9.-]*|'')
          echo "Skipping suspicious entry: '$ip'"
          return
          ;;
      esac
    
      # see if a rule for the ip is already in the file
      if grep -qF -- "-A INPUT -s $ip -j DROP" "$ipt_file"; then
        echo "Host $ip is already banned"
      else
    
        # add the rule
        echo "Exercise for you...insert this rule into $ipt_file"
        echo "-A INPUT -s $ip -j DROP"
        restart=1
      fi
    }
    
    # iterate over each line of /etc/hosts.deny
    while IFS= read -r line; do
    
      # only look at the sshd entries
      echo "$line" | grep -q '^sshd[[:space:]]*:' || continue
    
      # get the list of ip addresses, etc on this line (could be more than 1,
      # separated by commas or spaces)
      hosts=$(echo "$line" | cut -d: -f2 | tr ',' ' ')
    
      # now loop thru all ip addrs
      for ip in $hosts; do
        ban_ip "$ip"
      done
    done < /etc/hosts.deny
    
    if [ "$restart" -eq 1 ]; then
      echo -e "\nChanges made, so restart iptables:"
      # systemctl restart iptables.service
      # /etc/init.d/iptables restart
      # etc.
    fi
    Note: I just consider this approach for use on my personal systems. Not for a production server on a corporate website getting hammered by script kiddies and bots.

  8. #7
    Just Joined!
    Join Date
    Jul 2012
    Posts
    5
    Thank you very much, dear friend...
    I want to set something up on my server.....
    and it is really an emergency.
    Help me, guys...!
    First I was able to protect against brute-force attacks...
    Now I'm trying to find some very good iptables rules...
    I don't want to use psad... my server is CentOS....

  9. #8
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    As I have stated, Fail2ban is proactive. It monitors your log files and creates rules as needed to block.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
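The log-driven setup Lazydog describes in #5 and #8 (an iptables LOG rule writes the probes to syslog, Fail2ban reads them and inserts the blocking rules), worked through as an added example that is not code from any post in this thread. It assumes a CentOS-style layout that the posts do not state: kernel messages land in /var/log/messages, the fail2ban tree lives under /etc/fail2ban (overridable with F2B_DIR), the management host 192.0.2.10 must never be banned, and the LOG rule stamps every probe with the prefix "PORTSCAN: ". The sample log lines are constructed.

```bash
#!/bin/bash
# Added example (not code from this thread): feed iptables LOG lines to Fail2ban
# so that a host probing closed ports is banned for one hour.
# Assumptions not taken from the posts: CentOS-style /var/log/messages, a
# fail2ban config tree under $F2B_DIR, an admin host to whitelist, and the
# log prefix "PORTSCAN: ".
set -u

F2B_DIR=${F2B_DIR:-/etc/fail2ban}
ADMIN_IP=${ADMIN_IP:-192.0.2.10}   # assumed management host, never banned
PREFIX='PORTSCAN: '

# The iptables side. Place this just before the final DROP of the INPUT chain,
# after the ACCEPT rules for the ports you really serve: any NEW connection
# attempt that reaches it is a probe of a closed port. The limit match keeps
# a fast scanner from flooding syslog.
log_rule() {
  printf -- '-A INPUT -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "%s" --log-level 4\n' "$PREFIX"
}

# The Fail2ban side: a filter whose <HOST> placeholder captures the SRC= field
# of the kernel log line ...
write_filter() {
  mkdir -p "$F2B_DIR/filter.d"
  cat > "$F2B_DIR/filter.d/portscan.conf" <<EOF
[Definition]
failregex = ${PREFIX}.* SRC=<HOST> DST=
ignoreregex =
EOF
}

# ... and a jail: three hits within 60 seconds bans the source on all ports
# for 3600 seconds through fail2ban's stock iptables-allports action.
# ignoreip protects the admin host even if someone spoofs probes from it.
write_jail() {
  mkdir -p "$F2B_DIR"
  cat >> "$F2B_DIR/jail.local" <<EOF

[portscan]
enabled  = true
filter   = portscan
logpath  = /var/log/messages
ignoreip = 127.0.0.1/8 $ADMIN_IP
maxretry = 3
findtime = 60
bantime  = 3600
action   = iptables-allports[name=portscan]
EOF
}

# Constructed sample lines in the shape iptables LOG produces through syslog.
SAMPLE_LOG='Jul 10 12:00:01 host kernel: PORTSCAN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=54321 DPT=23 SYN
Jul 10 12:00:02 host kernel: PORTSCAN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=54322 DPT=3389 SYN
Jul 10 12:00:03 host sshd[1234]: Accepted publickey for alice from 192.0.2.9 port 5555 ssh2'

# The same match expressed as an ERE so the filter can be sanity-checked
# offline: reads log lines on stdin, prints the SRC address of each hit.
offenders() {
  grep -E "${PREFIX}.* SRC=[0-9.]+ DST=" | sed -E 's/.* SRC=([0-9.]+) DST=.*/\1/'
}

case ${1:-} in
  install)
    write_filter
    write_jail
    echo "Add this rule to /etc/sysconfig/iptables, then restart iptables and fail2ban:"
    log_rule
    ;;
  *)
    echo "Dry run; offenders in the constructed sample log:"
    printf '%s\n' "$SAMPLE_LOG" | offenders | sort | uniq -c
    echo "Run with 'install' to write $F2B_DIR/filter.d/portscan.conf and $F2B_DIR/jail.local"
    ;;
esac
```

Run it without arguments to see the regex pick the two probes out of the sample and ignore the sshd line; run it with `install` as root to write the filter and jail. Before trusting the filter on a real box, check it against the real log with `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/portscan.conf`. One caveat that applies to every log-driven ban, Fail2ban or home-grown: the ban keys on the SRC address of packets that never completed a handshake, so a single spoofed SYN per closed port is enough to get a third party's address banned, which is why the admin host sits in ignoreip.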

  10. #9
    Just Joined!
    Join Date
    Jul 2012
    Posts
    5
    Thank you dear friend ...

  11. #10
    Just Joined!
    Join Date
    May 2008
    Location
    Russia, Far East, Komsomolsk-on-Amur
    Posts
    4
    Do you have the 'recent' iptables module in your distro? Try to use it for this purpose.
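The pure-iptables answer the original poster was after, built on the 'recent' match suggested above, as an added example that is not code from any post in this thread. It prints a complete rule set in iptables-restore format (the format of /etc/sysconfig/iptables on CentOS) so it can be read before it is loaded. Assumptions not stated in the thread: SSH and HTTP are the only served ports, and the management host 192.0.2.10 must never end up on the list. Every other NEW connection attempt is treated as a probe of a closed port.

```bash
#!/bin/bash
# Added example (not code from this thread): a pure-iptables port-scan ban
# built on the 'recent' match, printed in iptables-restore format so it can be
# reviewed before it is loaded. Assumptions not taken from the posts: SSH and
# HTTP are the only services, and an admin address that must never be banned.
set -u

OPEN_TCP_PORTS=${OPEN_TCP_PORTS:-"22 80"}
ADMIN_IP=${ADMIN_IP:-192.0.2.10}   # assumed management host; never listed
BAN_SECONDS=3600                   # the one hour the original poster asked for
HITS=3                             # closed-port probes recorded before the ban bites
LIST=portscan                      # list name: /proc/net/xt_recent/portscan

portscan_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PORTSCAN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s $ADMIN_IP -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# A source with $HITS or more recorded probes in the last $BAN_SECONDS s is dropped
# before anything else. --update refreshes its timestamp, so a scanner that keeps
# going stays banned; --rttl ignores entries whose TTL differs from the packet that
# set them, which blunts spoofed packets sent to get a third party banned.
-A INPUT -m recent --name $LIST --update --seconds $BAN_SECONDS --hitcount $HITS --rttl -j DROP
EOF
  for port in $OPEN_TCP_PORTS; do
    echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Anything else that is a NEW attempt did not match a served port: record it,
# log it (rate-limited) and drop it.
-A INPUT -m conntrack --ctstate NEW -j PORTSCAN
-A PORTSCAN -m recent --name $LIST --set
-A PORTSCAN -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "PORTSCAN: " --log-level 4
-A PORTSCAN -j DROP
COMMIT
EOF
}

portscan_rules
```

On CentOS: `bash portscan-rules.sh > /etc/sysconfig/iptables && service iptables restart`. The ban rule sits after the ESTABLISHED accept, so a scanner's existing sessions are not cut, and after the admin whitelist, so you cannot lock yourself out by fat-fingering a port. `cat /proc/net/xt_recent/portscan` shows who is on the list; `echo -203.0.113.5 > /proc/net/xt_recent/portscan` removes one address early. Keep HITS at or below the module's per-address packet memory (the ip_pkt_list_tot parameter of xt_recent, 20 by default) or --hitcount can never match.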
