It has been a long time since I wrote anything myself; I want to make up for that.
Today we will talk about detecting and blocking abnormal scanning with iptables on Linux.
Since recipes from my blog are being used without crediting me as the original source (and without links to my articles), and similar information is moreover being posted backdated, I promise that this is the last help I give you, lovers of plagiarism.
The rules described below were collected by me from various non-Russian-language sources, but all together, in the form in which I present them here, you will not find them on any resource on the Internet. Likewise, the information on tuning the Windows network stack in the MS Platforms section of this site is also unique and does not appear anywhere else in the form I give it.
I will not waste words; let's get down to business.
I suggest adding the following rules to your iptables tables:
# STEAL is a user-defined chain that this post does not show; it must exist before these rules are loaded
# (for example: iptables -N STEAL; iptables -A STEAL -j DROP). Each pair first logs the packet, then hands it to STEAL.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "Stealth scan: 0STEAL "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j STEAL
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "Stealth scan: 1STEAL "
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j STEAL
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "Stealth scan: 2STEAL "
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j STEAL
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "Stealth scan: 3STEAL "
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: 4STEAL "
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "Stealth scan: 5STEAL "
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j STEAL
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j LOG --log-prefix "6Stealth scan"
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK,URG,PSH PSH -j LOG --log-prefix "7Abnormal steal"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK,URG,PSH PSH -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK,URG URG -j LOG --log-prefix "8Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK,URG URG -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK FIN -j LOG --log-prefix "9Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK FIN -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK NONE -j LOG --log-prefix "10Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK NONE -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK,URG,PSH SYN,FIN,URG,PSH -j LOG --log-prefix "11Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK,URG,PSH SYN,FIN,URG,PSH -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK,URG,PSH FIN,URG,PSH -j LOG --log-prefix "12Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,ACK,URG,PSH FIN,URG,PSH -j STEAL
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "13Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j STEAL
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "14Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j STEAL
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "15Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j STEAL
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "16Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j LOG --log-prefix "17Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,URG SYN,URG -j LOG --log-prefix "18Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,URG SYN,URG -j STEAL
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "19Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,PSH SYN,FIN,PSH -j LOG --log-prefix "20Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,PSH SYN,FIN,PSH -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j LOG --log-prefix "21Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j STEAL
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j LOG --log-prefix "22Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j STEAL
iptables -A INPUT -p tcp --tcp-flags ALL SYN,PSH -j LOG --log-prefix "23Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags ALL SYN,PSH -j STEAL
iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK,PSH -j LOG --log-prefix "24Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK,PSH -j STEAL
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "25Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j STEAL
iptables -A INPUT -p tcp --tcp-flags ALL RST -j LOG --log-prefix "26Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags ALL RST -j STEAL
iptables -A INPUT -p tcp --tcp-flags ALL RST,ACK -j LOG --log-prefix "27Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags ALL RST,ACK -j STEAL
iptables -A INPUT -p tcp --tcp-flags ALL ACK,PSH,RST -j LOG --log-prefix "28Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags ALL ACK,PSH,RST -j STEAL
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "29Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j STEAL
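An added example, not part of the original post, that emulates how iptables evaluates --tcp-flags MASK COMP (a packet matches when its flags masked by MASK equal COMP) over a small subset of the rule lines above, so you can see which sample packets each rule catches before loading the list on a live host. The function names and the constructed subset are mine; it also shows that the SYN,ACK,FIN,RST SYN rule matches every plain SYN (the same test as --syn) and ALL RST,ACK matches every ordinary RST/ACK, so these rules should sit after the ACCEPT rules for your services and for ESTABLISHED traffic.

```python
import re

# Bit values of the six TCP flags that iptables' "ALL" keyword covers (CWR/ECE are not part of ALL).
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
ALL_BITS = sum(FLAG_BITS.values())


def parse_flag_set(spec):
    """Turn an iptables flag list ('SYN,FIN', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL_BITS
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


# Only the LOG line of each pair is needed: it carries the mask, the comparison and the prefix.
RULE_RE = re.compile(r'--tcp-flags (\S+) (\S+) -j LOG --log-prefix "([^"]*)"')


def parse_rules(text):
    """Extract (mask, comp, log_prefix) tuples, in order, from iptables rule lines."""
    return [(parse_flag_set(m.group(1)), parse_flag_set(m.group(2)), m.group(3).strip())
            for m in RULE_RE.finditer(text)]


def first_match(rules, packet_flags):
    """Emulate --tcp-flags: match when (flags & MASK) == COMP. Return the prefix of
    the first matching rule (the one iptables would log), or None if the packet passes."""
    flags = parse_flag_set(packet_flags)
    for mask, comp, prefix in rules:
        if flags & mask == comp:
            return prefix
    return None


# Constructed subset of the post's rule list, in the post's own syntax (assumed, not the full list).
SAMPLE_RULES = """
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "Stealth scan: 0STEAL "
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "Stealth scan: 2STEAL "
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j LOG --log-prefix "6Stealth scan"
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "16Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j LOG --log-prefix "17Abnormal scan"
iptables -A INPUT -p tcp --tcp-flags ALL RST,ACK -j LOG --log-prefix "27Abnormal scan"
"""


def classify(packets, rule_text=SAMPLE_RULES):
    """Map each packet flag set to the log prefix it would trigger, or None if it passes."""
    rules = parse_rules(rule_text)
    return {p: first_match(rules, p) for p in packets}


if __name__ == "__main__":
    samples = ["NONE", "FIN,URG,PSH", "SYN", "SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK", "RST,ACK"]
    for pkt, hit in classify(samples).items():
        print(f"{pkt:12} -> {hit or 'passes through'}")
```

Paste the full 30 LOG lines from the post into rule_text to check the complete list the same way.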
As you can see, that is 29 chains in all. This list could be extended with several more chains, but they would break the normal operation of your penguin's network stack and can only be used on a host configured with network intrusion detection and preventive response tools. So I will not list them here.
Do not forget either about tuning the network stack with sysctl, whose options are much richer than what the MS Windows network stack offers. With sysctl you can harden your default Tux even further.
I promise to bring you something else to enjoy in the future.
Good luck! Until next time!
https://nikitushkinandrey.wordpress.com/2012/07/20/%d0%bc%d0%be%d0%b9-%d1%80%d0%b5%d1%86%d0%b5%d0%bf%d1%82-%d0%bf%d0%be-%d0%b4%d0%b5%d1%82%d0%b5%d0%ba%d1%82%d0%b8%d1%80%d0%be%d0%b2%d0%b0%d0%bd%d0%b8%d1%8e-%d0%b8-%d0%b1%d0%bb%d0%be%d0%ba%d0%b8%d1%80/
https://nikitushkinandrey.wordpress.com/2012/07/20/my-recipe-on-detecting-and-blocking-of-abnormal-scanning-by-means-of-iptables-in-linux/