[Tutorial] IPTables GeoIP, Port Knocking and Port Scan Detection
howardsl2 Member
edited March 2014 in Tutorials

Here's a quick tutorial on how to enable extra IPTables functionality such as "GeoIP", "Port Knocking" and "Port Scan Detection" using the xtables-addons package. A full list of available modules can be found here.

Note 1: Does NOT work on OpenVZ VPS (unless the host node provides these modules).
Note 2: If you upgrade your Linux kernel later, you must either recompile and reinstall these modules, or comment out the relevant IPTables rules. Otherwise your IPTables will stop loading!

See compile and install instructions for CentOS at the link below. Steps to use GeoIP are also discussed at that link. By the way, I installed "perl-Text-CSV_XS" from "EPEL" instead of "RPMForge", and it worked just fine. See here for how to enable the "EPEL" Repo for CentOS.
http://www.howtoforge.com/xtables-addons-on-centos-6-and-iptables-geoip-filtering

The latest version (click to download) for 2.6.x kernels is 1.47.1, and for 3.x kernels is 2.4 (as of 03/29/14). If one version does not compile on your kernel, try the other.

For Ubuntu, follow the same instructions from the link above, but install the required packages with:

apt-get update
apt-get install libtext-csv-xs-perl linux-headers-`uname -r` \
        iptables-dev xz-utils build-essential automake unzip zip

For port scan detection, the actual IPTables rule is, for example (put it before your SSH "ACCEPT" rule):

-A INPUT -m psd --psd-weight-threshold 15 --psd-hi-ports-weight 3 -j DROP

What this means: for connections from any single host, if at least 5 different ports on your server are hit within 3 seconds (the default delay threshold), treat it as a port scan and drop further packets from that host. With this rule every packet weighs 3 (--psd-hi-ports-weight 3 for ports above 1024, and the default lo-ports weight of 3 for the rest), so 5 distinct ports reach the weight threshold of 15. All of the parameters are customizable.

The following is from the man page of "xtables-addons" (for psd module):

 psd
     Attempt to detect TCP and UDP port scans. This match was derived from Solar Designer’s scanlogd.

     --psd-weight-threshold threshold
            Total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence.

     --psd-delay-threshold delay
            Delay (in hundredths of second) for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence.

     --psd-lo-ports-weight weight
            Weight of the packet with privileged (less than or equal to 1024) destination port.

     --psd-hi-ports-weight weight
            Weight of the packet with non-privileged destination port.

It looks like the default values are:

weight-threshold: 21
delay-threshold: 300
lo-ports-weight: 3
hi-ports-weight: 1
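An added example, not part of the original post or of xtables-addons: a simplified Python model of the psd scoring rule described above, run over constructed packet lists to show when the tutorial rule (threshold 15, hi-ports weight 3) trips versus the module defaults. It assumes a host's weight resets when two packets are more than the delay threshold apart and that repeated hits on an already-seen port add nothing.

```python
from dataclasses import dataclass, field


@dataclass
class HostState:
    last_seen: float = 0.0          # seconds
    ports: set = field(default_factory=set)
    weight: int = 0


class PsdModel:
    """Simplified model (assumption, not the kernel module's code) of psd:
    weight accumulates per source host over packets to *distinct* destination
    ports that arrive within the delay threshold of each other."""

    def __init__(self, weight_threshold=21, delay_threshold=300,
                 lo_ports_weight=3, hi_ports_weight=1):
        self.wt = weight_threshold
        self.delay = delay_threshold / 100.0   # hundredths of a second -> seconds
        self.lo, self.hi = lo_ports_weight, hi_ports_weight
        self.hosts = {}

    def packet(self, src, dport, t):
        """Return True if this packet would match, i.e. be treated as a scan."""
        h = self.hosts.setdefault(src, HostState())
        if t - h.last_seen > self.delay:        # gap too long: start a new sequence
            h.ports.clear()
            h.weight = 0
        h.last_seen = t
        if dport not in h.ports:                # repeats to the same port add nothing
            h.ports.add(dport)
            h.weight += self.lo if dport <= 1024 else self.hi
        return h.weight >= self.wt


def first_match(packets, **params):
    """Index of the first (src, dport, seconds) packet that would match, or None."""
    model = PsdModel(**params)
    for i, (src, dport, t) in enumerate(packets):
        if model.packet(src, dport, t):
            return i
    return None


# Constructed samples (RFC 5737 documentation addresses): a host probing ten
# high ports 0.5 s apart, the same against privileged ports, and a host that
# simply reconnects to port 22 ten times.
SCAN = [("198.51.100.7", 20000 + i, 0.5 * i) for i in range(10)]
LOWSCAN = [("192.0.2.5", 20 + i, 0.2 * i) for i in range(10)]
REPEAT = [("203.0.113.9", 22, 0.5 * i) for i in range(10)]

if __name__ == "__main__":
    print(first_match(SCAN, weight_threshold=15, hi_ports_weight=3))   # 4: fifth port trips it
    print(first_match(SCAN))                                            # None: 10 hi ports weigh 10 < 21
    print(first_match(LOWSCAN))                                         # 6: 7 privileged ports weigh 21
    print(first_match(REPEAT, weight_threshold=15, hi_ports_weight=3))  # None: one port, weight 3
```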

If you use this psd module and move your SSH port to a non-standard one (e.g. generate a random port at random.org), it is extremely difficult for an attacker to find your SSH port by port scanning. Don't forget your SSH port number! Or you may lock yourself out ;)

Thanks to Flapadar from VPSBoard for pointing out that, for security, you should choose an SSH port smaller than 1024. See also related responses from serverfault.

Besides geoip and psd, the pknock module can be used for EASY port knocking, and the tarpit module for keeping TCP connections "open" to waste an attacker's resources (some even use it to defend against DDoS). After installation, run man xtables-addons to view detailed usage instructions for these modules.

The latest version of this tutorial (and others) can be found on my tech blog:
https://blog.ls20.com

Feel free to reply with your question or comments.
