From owner-freebsd-questions@FreeBSD.ORG Mon Sep 22 21:26:02 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7AEB7106567D for ; Mon, 22 Sep 2008 21:26:02 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk [IPv6:2001:8b0:151:1::1]) by mx1.freebsd.org (Postfix) with ESMTP id EBBB68FC16 for ; Mon, 22 Sep 2008 21:26:01 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.3/8.14.3) with ESMTP id m8MLPmZI044137; Mon, 22 Sep 2008 22:25:55 +0100 (BST) (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: Sendmail DKIM Filter v2.7.2 smtp.infracaninophile.co.uk m8MLPmZI044137 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=infracaninophile.co.uk; s=200708; t=1222118755; bh=WULMx+Fiqozdxy DQrzA53SRe1vSDB6L7gPd7vD9eBEA=; h=Message-ID:Date:From:MIME-Version: To:CC:Subject:References:In-Reply-To:Content-Type:Cc:Content-Type: Date:From:In-Reply-To:Message-ID:Mime-Version:References:To; z=Mes sage-ID:=20<48D80D54.8060802@infracaninophile.co.uk>|Date:=20Mon,=2 022=20Sep=202008=2022:25:40=20+0100|From:=20Matthew=20Seaman=20|Organization:=20Infracaninophile|User -Agent:=20Thunderbird=202.0.0.16=20(X11/20080726)|MIME-Version:=201 .0|To:=20David=20Allen=20|CC:=20fre ebsd-questions@freebsd.org|Subject:=20Re:=20Dealing=20with=20portsc ans|References:=20<2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mai l.gmail.com>=09<20080922200121.289abdcb.ghirai@ghirai.com>=20<2daa8 b4e0809221305v6f5000f1w11090e4a85c21162@mail.gmail.com>|In-Reply-To :=20<2daa8b4e0809221305v6f5000f1w11090e4a85c21162@mail.gmail.com>|X -Enigmail-Version:=200.95.6|Content-Type:=20multipart/signed=3B=20m icalg=3Dpgp-sha256=3B=0D=0A=20protocol=3D"application/pgp-signature "=3B=0D=0A=20boundary=3D"------------enig613BC8491332FE7AF11C3401"; b=Qbgl3Is41zInVr/21qel819Ji7UU2aP6cnrjrg5KEx/K8kj4SsIpETEPj2p93ftzu SmjO1Ze6LJVtLK8Hy10suFML3D7bKHLniizrUvEH2q+ncEOnQtjbuj6CIzZRN3P9RCX xAJVOEKJ9hzMosR3V7vjFUxjzy79XbC/Zjf1pNs= Message-ID: <48D80D54.8060802@infracaninophile.co.uk> Date: Mon, 22 Sep 2008 22:25:40 +0100 From: Matthew Seaman Organization: Infracaninophile User-Agent: Thunderbird 2.0.0.16 (X11/20080726) MIME-Version: 1.0 To: David Allen References: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com> <20080922200121.289abdcb.ghirai@ghirai.com> <2daa8b4e0809221305v6f5000f1w11090e4a85c21162@mail.gmail.com> In-Reply-To: <2daa8b4e0809221305v6f5000f1w11090e4a85c21162@mail.gmail.com> X-Enigmail-Version: 0.95.6 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------enig613BC8491332FE7AF11C3401" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (smtp.infracaninophile.co.uk [IPv6:::1]); Mon, 22 Sep 2008 22:25:55 +0100 (BST) X-Virus-Scanned: ClamAV 0.94/8310/Mon Sep 22 19:58:13 2008 on happy-idiot-talk.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-3.0 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VERIFIED,NO_RELAYS autolearn=ham version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on happy-idiot-talk.infracaninophile.co.uk Cc: freebsd-questions@freebsd.org Subject: Re: Dealing with portscans X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Sep 2008 21:26:02 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig613BC8491332FE7AF11C3401 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable David Allen wrote: > On 9/22/08, Ghirai wrote: >> On Mon, 22 Sep 2008 08:17:02 -0700 >> "David Allen" wrote: >> >>> Over the last few weeks I've been getting numerous ports scans, each >>> from unique hosts. The situation is more of an annoyance than >>> anything else, but I would prefer not seeing or having to deal with >>> an extra 20-30K entries in my logs as was the case recently. >>> >>> I use pf for firewalling, and while it does offer different methods >>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive >>> hosts, it doesn't seem to offer much in the way of dealing with >>> repeated blocked (non-stateful) connection attempts from a given host= =2E >>> >>> Short of running something like snort, is there a suitable tool for >>> dealing with this? If not, I'll probably resort to running a cronjob= >>> to parse the logfile and add the offending hosts manually. >> Add the abusive hosts to a table x, via max-src-conn, max-src-conn-rat= e, >> etc., then add near the top of your ruleset: >> >> block drop quick from >=20 > You either didn't read my message or have misunderstood pf. >=20 > The features you (and I) mention apply only to rules which create > state. If your rules are written for port 22, 25, and 80 traffic, > for example, you can most certainly can make use of those features. >=20 > However, receiving SYN packets to ports 1024-40000 isn't going to > match anything than a default "block all" rule, which creates no > state. That gives you zero such features to work with, but does give > you 38976 individual log entries. Most of this sort of port scanning is automated by infected machines -- it doesn't indicate a directed attack at you. it's been described as = the 'background radiation of the Internet'. So long as your systems aren't vulnerable to the specific problems the malware is attempting to=20 exploit -- and assuming you aren't running windows then you're almost=20 certainly immune from this automated stuff -- then why bother putting any= =20 effort into blocking the source hosts? Just dump the traffic and ignore.= Drop the traffic using a 'block log all' default action and 'set=20 block-policy drop' in pf.conf. Don't open up high-port ranges to incoming traffic, either UDP or TCP -- if you have to run FTP servers then use ftp/ftp-proxy to avoid having to open your firewall too much. Also consider the following sysctls: # Blackhole packets to ports without listeners net.inet.tcp.blackhole=3D1 net.inet.udp.blackhole=3D1 although these will be redundant if your firewalling is effective. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig613BC8491332FE7AF11C3401 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkjYDVwACgkQ8Mjk52CukIzmXACeKzEJ+75aJrqhxb9hr931s+nN ShEAn0OuoA17bXGKhOQc8ggSCIhbjuV5 =M04c -----END PGP SIGNATURE----- --------------enig613BC8491332FE7AF11C3401--