From: "David Allen"
To: freebsd-questions@freebsd.org
Date: Mon, 22 Sep 2008 15:12:18 -0700
Subject: Re: Dealing with portscans
In-Reply-To: <48D80D54.8060802@infracaninophile.co.uk>

On 9/22/08, Matthew Seaman wrote:
> David Allen wrote:
>> On 9/22/08, Ghirai wrote:
>>> On Mon, 22 Sep 2008 08:17:02 -0700
>>> "David Allen" wrote:
>> However, receiving SYN packets to ports 1024-40000 isn't going to
>> match anything other than a default "block all" rule, which creates no
>> state. That gives you zero such features to work with, but does give
>> you 38976 individual log entries.
>
> Most of this sort of port scanning is automated by infected machines
> -- it doesn't indicate a directed attack at you. It's been described as
> the 'background radiation of the Internet'. So long as your systems
> aren't vulnerable to the specific problems the malware is attempting to
> exploit -- and assuming you aren't running windows then you're almost
> certainly immune from this automated stuff -- then why bother putting any
> effort into blocking the source hosts? Just dump the traffic and ignore.
>
> Drop the traffic using a 'block log all' default action and 'set
> block-policy drop' in pf.conf.

I'm not sure I agree that a single host scanning 30K ports can be so
easily dismissed as the result of a bot. That said, I agree with your
comments generally, but I prefer to log blocked traffic (with the
exception of certain categories of "noise"). That means when the "block
log all" rule matches, I'm at risk of tens of thousands of Mostly Useless
log entries, as pointed out earlier.

The fact that those log entries or that activity is also Mostly Harmless
could mean that your Don't Panic is the right advice. But then, what if
it's someone trying to build an interspace bypass and all I have is a
bathrobe and a towel to work with?

> Don't open up high-port ranges to incoming traffic, either UDP or TCP
> -- if you have to run FTP servers then use ftp/ftp-proxy to avoid having
> to open your firewall too much.

I could write a rule to explicitly block (and not log) high port ranges,
but I'd prefer at least to be aware of someone actively scanning my
network. Which suggests, at least to me, that limited logging with
automagic table creation is the way to go.

> Also consider the following sysctls:
>
> # Blackhole packets to ports without listeners
> net.inet.tcp.blackhole=1
> net.inet.udp.blackhole=1
>
> although these will be redundant if your firewalling is effective.

I wonder, though, would using a block-policy setting of return (which I'm
currently using) render the above redundant, or would the above take
precedence? I'll have to add that to the list of Stuff to Check.

> Cheers,

Same to you, mate, and thanks for gracing me with your presence once
again.
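The ruleset the two posters are circling (a logging "block all" default, an unlogged exception for high-port noise, and a table that fills itself from repeat offenders), written out as a pf.conf fragment. This is an added example, not config from either poster; the interface name, the exposed services and the rate limits are assumptions.

```conf
# Constructed pf.conf fragment (added example, not from the thread).
# ext_if, the exposed services and the 5/30 rate are assumptions.
ext_if = "em0"
table <scanners> persist

# Drop silently instead of answering with RST/ICMP unreachable, so a
# scanner gets no feedback and we send no return traffic at all.
set block-policy drop
set skip on lo0

# Default action: block and log anything no later rule claims.
# This is the rule that yields one pflog entry per unsolicited SYN.
block log all

# Hosts that end up in <scanners> are blocked (and logged) early.
block log quick on $ext_if from <scanners>

# Noise filter: unsolicited TCP/UDP to high ports is blocked WITHOUT
# logging, so a 30K-port sweep no longer floods pflog. Replies to our
# own outbound connections still arrive, because they match state
# created by the "pass out" rule, and state is checked before the ruleset.
block in quick on $ext_if proto { tcp, udp } from any to any port 1024:65535

# Services we do expose, with a per-source rate limit. A host opening
# more than 5 new connections in 30 seconds is added to <scanners>
# automatically and all its existing states are flushed.
pass in on $ext_if proto tcp from any to ($ext_if) port { ssh, smtp } \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <scanners> flush global)

pass out on $ext_if keep state

# Related, but these go in /etc/sysctl.conf, not pf.conf:
#   net.inet.tcp.blackhole=1
#   net.inet.udp.blackhole=1
# They act only on packets pf has already passed up to the stack; a packet
# pf blocks, under either block-policy, never reaches the TCP/UDP layer.
```

Hosts collected by the overload rule can be listed with `pfctl -t scanners -T show`, which gives the "who is actively scanning me" view without reading every pflog entry.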