
I have blocked all the basic nmap scans using iptables by making a rule in the INPUT chain that if the number of packets sent from a particular IP within 10 seconds exceeds a particular limit then put that IP in a blacklist and deny the further packets. This way the nmap SYN Stealth Attack, SYN connect, UDP and all other basic scans are blocked. Now I want to block the nmap xmas scan. Can somebody tell me how to do that?

I have written the following rules:

# Record the source of every new connection attempt in the "recent" list named NEW
$ iptables -A INPUT -m state --state NEW -m recent --set --name NEW
# Drop the packet if that source has already been seen 5 or more times in the last 10 seconds
$ iptables -A INPUT -m recent --update --seconds 10 --hitcount 5 --rttl --name NEW -j DROP

Thanks in advance

pradeepchhetri
  • 2,698
  • 6
  • 37
  • 47
  • Hiding open ports adds nothing. Security by obscurity is no security at all. – Chris S Sep 28 '11 at 23:32
  • @ChrisS You mean security through obscurity **by itself** is not security. Unless you would like to fork over your passwords, keys, banking credentials, IDs etc.? Remember when `/etc/passwd` actually had the salted+hashed passwords and how easy it was to get a server to send it to you? Even so, if the firewall detects a port scan then there's no problem at all blocking all packets from then on. That only makes sense - their intentions are dubious at best. – Pryftan Dec 19 '19 at 14:39

2 Answers

4

Can you be more specific about the rule that you've configured?

As you've described it, it would block an X-mas scan; a packet lit up with flags like a Christmas tree would still be a packet "sent from a particular IP" - but if that's truly how you've set up your rules, then you're likely going to unintentionally ban hosts sending legitimate traffic at a rate that violates the rule.

Don't put a lot of effort into security by obscurity. Your service is open to the internet, and a scanner can simply slow their scan rate to a crawl to defeat your rate limit, or they can randomly hit the open port before the block kicks in. Blocking scans is not a substitute for securing your service.

Shane Madden
  • 114,520
  • 13
  • 181
  • 251
  • 5
    +1, although the fact that "Blocking scans is not a substitute for securing your service" doesn't mean scan blocking shouldn't be implemented as well. – John Gardeniers Sep 23 '11 at 04:36
3
# Type A: every TCP flag set (the "canonical" xmas packet)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS A: "
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Type B: only FIN, PSH and URG set (what nmap -sX sends)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG --log-prefix "XMAS B: "
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

# Type C: SYN, RST, ACK, FIN and URG set, PSH clear
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "XMAS C: "
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

nmap -sX sends the xmas type B that I have above (I just made "type b" up).

The canonical xmas is type A.

http://techhelplist.com/index.php/tech-tutorials/43-linux-adventures/120-nmap-linux-iptables-xmas-packets

Obviously you can add in the time limit stuff.

user145837
  • 371
  • 5
  • 18
  • Dead link. Internet Wayback Machine to the rescue: https://web.archive.org/web/20130506045630/https://techhelplist.com/index.php/tech-tutorials/43-linux-adventures/120-nmap-linux-iptables-xmas-packets – Pryftan Dec 19 '19 at 14:46
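Added example, not code from either answer or from nmap or iptables: a small Python reader for the lines the LOG rules above write to the kernel log, which also replays the question's 10-second / 5-hit window per source so you can see which addresses the rate rule would have started dropping. The log lines are constructed (documentation-range addresses), the field layout after `kernel:` follows the LOG target's usual format, and the XMAS prefixes are the ones from the answer.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed lines in the shape the iptables LOG target writes (documentation-range addresses).
SAMPLE_LOG = """\
Sep 28 23:32:01 fw kernel: XMAS B: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=49 PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Sep 28 23:32:02 fw kernel: XMAS B: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=49 PROTO=TCP SPT=43210 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Sep 28 23:32:03 fw kernel: XMAS B: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=49 PROTO=TCP SPT=43210 DPT=443 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Sep 28 23:32:04 fw kernel: XMAS A: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TTL=60 PROTO=TCP SPT=5555 DPT=25 WINDOW=1024 RES=0x00 CWR ECE URG ACK PSH RST SYN FIN URGP=0
Sep 28 23:32:05 fw kernel: XMAS B: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=49 PROTO=TCP SPT=43210 DPT=8080 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Sep 28 23:32:06 fw kernel: XMAS B: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=49 PROTO=TCP SPT=43210 DPT=3306 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Sep 28 23:33:30 fw kernel: XMAS B: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TTL=60 PROTO=TCP SPT=5555 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>XMAS [A-C]): (?P<rest>.*)$")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_log_line(line):
    """Return the fields of one XMAS-prefixed LOG line as a dict, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # syslog stamps carry no year
        "prefix": m.group("prefix"),
        "src": kv.get("SRC"),
        "dport": int(kv.get("DPT", 0)),
        "flags": sorted(t for t in tokens if t in TCP_FLAGS),  # bare tokens after RES= are the set flags
    }

def scan_sources(lines, seconds=10, hitcount=5):
    """Replay the question's `-m recent --seconds N --hitcount M` window over LOG lines.
    Returns {src: (total_probes, ports_probed, reached_hitcount)}."""
    recent = defaultdict(deque)  # per-source timestamps inside the sliding window
    summary = {}
    for line in lines:
        ev = parse_log_line(line)
        if ev is None:
            continue
        window = recent[ev["src"]]
        window.append(ev["time"])
        while (window[-1] - window[0]).total_seconds() > seconds:
            window.popleft()  # expire entries older than the window
        total, ports, hit = summary.get(ev["src"], (0, set(), False))
        summary[ev["src"]] = (total + 1, ports | {ev["dport"]}, hit or len(window) >= hitcount)
    return summary
```

Feed it `journalctl -k` or `/var/log/kern.log` output instead of `SAMPLE_LOG` to review a real host; a source whose third field is True is one the question's rate rule would have started dropping.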