0

In order to block port scanners on Linux, I have found some rules for iptables that block the attacker's IP address. These rules work correctly: they block the attacker and log the attacker's IP address in the kernel.log file. The question is, why are these rules blocking TCP port 139 (NetBIOS) to stop the attacker? I have gone through the traffic capture, and there is no evidence that nmap starts port scanning with port 139 on TCP.

# 1. Any packet from a source already in the "portscan" list and seen within
#    the last 86400 s (24 h) is dropped outright.
iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# 2. A packet that gets here is from a source that is not (or no longer)
#    inside the 24 h window, so any stale list entry for it is cleared.
iptables -A INPUT   -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# 3. Tripwire: a TCP packet to port 139 adds the source to the list,
#    is logged with the "portscan:" prefix, and is then dropped.
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
Zareh Kasparian
  • 2
    So, you have some random rules someone wrote for his problem and wonder why they don't exactly apply to your situation, which appears to be artificially created anyway? How do you come to the conclusion that every portscan has to look like what `nmap` does? – Sven Nov 28 '18 at 08:50
  • 1
    Rather than a DIY solution you may want to use the xtables-addons `psd` iptables module for port scan detection. – HBruijn Nov 28 '18 at 09:14
  • Thanks for your comment. The problem is that the server runs an old version, and installing psd requires my packages to be totally upgraded. Thus I was looking for a solution that keeps the current version, and for some way to protect the OS with an iptables-only solution. – Zareh Kasparian Nov 28 '18 at 14:50

1 Answer

2

NetBIOS is a LAN protocol, not a WAN protocol, and traffic on that port on an internet-facing system is almost always going to be suspect/invalid.

Such traffic can therefore be used as indication that a remote system is probing random ports on your internet server. The logic that traffic on one single invalid port equals a portscan is a bit flawed though, in my opinion.

HBruijn
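To make the difference between the two positions concrete, here is an added example (not code from the question, the answer, or any project) that post-processes the "portscan:" lines the rules above write to kernel.log. It implements both decisions side by side: the question's tripwire logic, where one TCP hit on port 139 puts the source on a 24-hour block list, and the stricter check the answer hints at, where a source is flagged only after hitting several distinct destination ports inside a short window. The log lines are constructed in the standard netfilter LOG format; the example assumes a LOG rule that records every new SYN to any non-open port rather than only port 139, since otherwise no other ports would ever appear in the log. The hosts, timestamps and thresholds are invented for illustration.

```python
"""Post-process iptables LOG lines carrying the "portscan:" prefix.

Added example, not code from the question or the answer. It compares:
  * tripwire(): the question's logic, one TCP hit on port 139 puts the
    source on a 24 h block list (the --seconds 86400 in the rules);
  * distinct_ports(): a source is flagged only after hitting N distinct
    destination ports inside a sliding window, so a single stray SMB
    probe is not treated as a port scan.
Assumption (not in the original): the LOG rule logs every new SYN to any
non-open port, not only port 139, so distinct ports show up in the log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three fields we need from a netfilter LOG line: SRC=, PROTO=, DPT=.
FIELDS_RE = re.compile(r"SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")
# Classic syslog timestamp at the start of a kernel.log line (no year).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_line(line, year=2018):
    """Return (timestamp, src, proto, dport) for a portscan LOG line, else None."""
    m_ts = TS_RE.match(line)
    m = FIELDS_RE.search(line)
    if not m_ts or not m or "portscan:" not in line:
        return None
    ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])


def parse_log(lines, year=2018):
    """Parse all lines in time order, skipping those that are not portscan hits."""
    events = (parse_line(line, year) for line in lines)
    return sorted(e for e in events if e is not None)


def tripwire(events, port=139, ttl=timedelta(seconds=86400)):
    """The question's rule set: the first TCP packet to `port` lists the
    source, and --rcheck --seconds 86400 then drops it until `ttl` passes.
    Returns {src: block_expiry}."""
    blocked = {}
    for ts, src, proto, dport in events:
        if proto == "TCP" and dport == port and src not in blocked:
            blocked[src] = ts + ttl
    return blocked


def distinct_ports(events, threshold=3, window=timedelta(seconds=60)):
    """Flag a source the moment it has touched `threshold` distinct
    destination ports within `window`. Returns {src: time_flagged}."""
    recent = defaultdict(list)  # src -> [(ts, dport)] still inside the window
    flagged = {}
    for ts, src, _proto, dport in events:
        hits = [h for h in recent[src] if h[0] >= ts - window]
        hits.append((ts, dport))
        recent[src] = hits
        if src not in flagged and len({d for _, d in hits}) >= threshold:
            flagged[src] = ts
    return flagged


def _log(ts, src, dport):
    """Build a constructed LOG line in the layout the kernel emits
    (fields other than SRC/PROTO/DPT are filler)."""
    return (f"{ts} fw kernel: portscan:IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} "
            f"DST=203.0.113.10 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF "
            f"PROTO=TCP SPT=51234 DPT={dport} WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed sample kernel.log excerpt (not a real capture).
SAMPLE_LOG = [
    "Nov 28 08:50:00 fw kernel: eth0: link becomes ready",  # unrelated line
    _log("Nov 28 08:50:01", "10.0.0.5", 22),                 # a real sweep ...
    _log("Nov 28 08:50:02", "10.0.0.5", 80),
    _log("Nov 28 08:50:02", "10.0.0.5", 139),
    _log("Nov 28 08:50:03", "10.0.0.5", 443),
    _log("Nov 28 09:15:30", "198.51.100.7", 139),            # one stray SMB probe
    _log("Nov 28 09:20:00", "192.0.2.9", 80),                # two ports, 5 s apart
    _log("Nov 28 09:20:05", "192.0.2.9", 443),
]

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("tripwire    :", sorted(tripwire(ev)))
    print("distinct(3) :", sorted(distinct_ports(ev)))
```

On the sample, the tripwire lists both 10.0.0.5 (the sweep) and 198.51.100.7 (a single packet to 139), while the distinct-port check flags only 10.0.0.5; 192.0.2.9, which touched two ports, is flagged by neither until the threshold is lowered to 2. If you want the same threshold enforced in-kernel rather than after the fact, the `recent` module's `--update --seconds N --hitcount M` options express "M hits within N seconds", though they count packets rather than distinct ports.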