> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of afshin lamei
> Sent: Tuesday, October 04, 2005 8:52 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: port scan detector problem
>
> hi all,
> I am using the "port scan match" with its default values, my rules are like this:
>
> iptables -A INPUT -m psd -j LOG --log-prefix "port scan:"
> iptables -A INPUT -m psd -j DROP // Drop it silently
>
> one of my DNS servers is 4.2.2.4, and I'm seeing these logs, which say that 4.2.2.4 is port scanning my box (external interface: 192.168.100.151)!!
>
> Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=8 PROTO=UDP SPT=53 DPT=32769
> Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32761
> Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32773
> Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32775
> Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32780
>
> I think these are false positives, aren't they? If so, dropping them will cause problems, so what should I do?
> regards,

It probably is a false positive. If you have a mail server, your DNS server might be working overtime resolving remote MX hosts for domains (you can fix that by installing a caching-only nameserver on that machine).
As far as I know, Linux hosts do not cache DNS unless you specifically install a caching-only server on them, so unless you do they'll be asking for DNS all the time. To fix your port-scan problem you should insert a rule which allows outbound traffic from your DNS server using source port 53 before your port-scanning rules.

Derick Anderson
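An added example, not part of this thread and not anyone's posted code, of the two things the reply recommends in practice: triaging the psd LOG lines so that answers from the host's own resolvers are separated from traffic that still deserves a look, and generating the ACCEPT rules to insert ahead of the psd rules. The resolver set (`RESOLVERS`, here just 4.2.2.4 as in the question), the ephemeral-port floor, and the two extra log lines from 198.51.100.7 are constructed for the example; the first five sample lines are the ones quoted above.

```python
import re

# Constructed sample: the five psd LOG records quoted in the thread, one per line,
# plus two constructed lines (198.51.100.7) that a resolver whitelist must NOT cover.
SAMPLE_LOG = """\
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=8 PROTO=UDP SPT=53 DPT=32769
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32761
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32773
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32775
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32780
Oct 3 17:24:01 kernel: Port scan:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.100.151 LEN=28 PROTO=TCP SPT=53 DPT=22
Oct 3 17:24:02 kernel: Port scan:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.100.151 LEN=28 PROTO=UDP SPT=53 DPT=32771
"""

# Assumed: the resolvers this host actually queries (what /etc/resolv.conf lists).
RESOLVERS = frozenset({"4.2.2.4"})
# Assumed: replies to the host's own lookups land on a high (ephemeral) port.
EPHEMERAL_MIN = 1024

# Only the netfilter LOG fields the verdict depends on; IN/OUT/LEN are ignored.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_psd_line(line):
    """Return the relevant fields of one psd LOG record, or None for other lines."""
    if "Port scan:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if any(k not in fields for k in ("SRC", "DST", "PROTO", "SPT", "DPT")):
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "spt": int(fields["SPT"]),
        "dpt": int(fields["DPT"]),
    }


def classify(rec, resolvers):
    """'resolver-reply' = UDP from a configured resolver, source port 53, to an
    ephemeral port: the shape of an answer to a query this host sent. Anything
    else (other sources, TCP, low destination ports) stays 'suspect'."""
    if (rec["proto"] == "UDP" and rec["src"] in resolvers
            and rec["spt"] == 53 and rec["dpt"] >= EPHEMERAL_MIN):
        return "resolver-reply"
    return "suspect"


def triage(log_text, resolvers):
    """Count verdicts over a log and list the sources that still need review."""
    counts = {"resolver-reply": 0, "suspect": 0}
    suspect_sources = set()
    for line in log_text.splitlines():
        rec = parse_psd_line(line)
        if rec is None:
            continue
        verdict = classify(rec, resolvers)
        counts[verdict] += 1
        if verdict == "suspect":
            suspect_sources.add(rec["src"])
    return {"counts": counts, "suspect_sources": sorted(suspect_sources)}


def whitelist_rules(resolvers):
    """iptables commands implementing the reply's advice. -I puts each rule at the
    top of INPUT, ahead of the two appended (-A) psd rules. Scoping to the resolver
    address matters: an ACCEPT on --sport 53 alone would let any host bypass psd
    simply by sending from port 53."""
    return [f"iptables -I INPUT -p udp -s {ip} --sport 53 -j ACCEPT"
            for ip in sorted(resolvers)]


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, RESOLVERS))
    for rule in whitelist_rules(RESOLVERS):
        print(rule)
```

On the sample above the five quoted lines come out as resolver replies and only 198.51.100.7 is left to review. The per-resolver rule is exactly what the reply suggests; on a kernel with connection tracking, a single `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule ahead of the psd rules covers answers to every outbound query without having to list resolvers at all.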