Hello, I have a Debian 8 VM (Jessie) running on Xen; I cannot get it to block port scans.
I have set
PS_INTERVAL = "100"
PS_LIMIT = "10"
All other functions seem to work fine.
/etc/csf# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Logging is enabled and blocked ports appear to be logged to /var/log/messages and syslog:
Jul 15 14:15:41 bud vmunix: [375075.125189] Firewall: *ICMP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=40 TOS=0x00 PREC=0x00 TTL=35 ID=35512 PROTO=ICMP TYPE=13 CODE=0
Jul 15 14:15:41 bud vmunix: [375075.151063] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=37 ID=6187 PROTO=TCP SPT=54171 DPT=554 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:41 bud vmunix: [375075.153487] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=27 ID=52214 PROTO=TCP SPT=54171 DPT=256 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:41 bud vmunix: [375075.154514] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=28 ID=41407 PROTO=TCP SPT=54171 DPT=1025 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:41 bud vmunix: [375075.156705] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=29 ID=42469 PROTO=TCP SPT=54171 DPT=8888 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:41 bud vmunix: [375075.157694] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=9276 PROTO=TCP SPT=54171 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:43 bud vmunix: [375077.162779] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=16868 PROTO=TCP SPT=54171 DPT=1048 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:45 bud vmunix: [375079.205202] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=28 ID=17694 PROTO=TCP SPT=54172 DPT=52848 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:47 bud vmunix: [375081.209746] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=46630 PROTO=TCP SPT=54173 DPT=26 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:49 bud vmunix: [375083.150017] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=45292 PROTO=TCP SPT=54172 DPT=2041 WINDOW=1024 RES=0x00 SYN URGP=0
Not sure what else to check; any help would be greatly appreciated.
Thanks,
WBA
fail to block port scans
Re: fail to block port scans
Moderator (Posts: 1524, Joined: 01 Oct 2008, 09:24):
That is not in a format recognised by csf, in particular:
Jul 15 14:15:49 bud vmunix: [375083.150017] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=45292 PROTO=TCP SPT=54172 DPT=2041 WINDOW=1024 RES=0x00 SYN URGP=0
Where it says "vmunix" it should read "kernel". This is from a standard Debian v8 log that is detected:
Jul 15 21:29:01 debian kernel: [ 518.387135] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:00:27:a9:ac:35:d8:50:e6:d4:f7:d4:08:00 SRC=192.168.254.60 DST=192.168.254.203 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=44786 DF PROTO=TCP SPT=46137 DPT=9999 WINDOW=14600 RES=0x00 SYN URGP=0
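To make the moderator's point concrete, here is an added example (not csf's own Perl code, and not something posted in this thread) that models how a syslog-driven port-scan tracker like csf's PS_INTERVAL/PS_LIMIT feature works. It parses iptables "Firewall: *TCP_IN Blocked*" lines, accepts only those whose syslog program tag is "kernel", and flags a source address whose blocked packets are logged more than PS_LIMIT times within PS_INTERVAL seconds. The regex, the "more than PS_LIMIT in a sliding window" rule, and the assumed year 2015 are my approximations of csf's behaviour, not its actual implementation; the sample "vmunix:" and "kernel:" lines are constructed, while DEBIAN_LINE is the moderator's example above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Approximation of the iptables LOG line format a port-scan tracker reads from
# syslog. Assumption (not csf's real parser): the syslog program tag, i.e. the
# word before the first colon, is captured so a caller can require "kernel".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "   # syslog timestamp (no year)
    r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?: "   # host and program tag
    r"(?:\[ *\d+\.\d+\] )?"                             # optional kernel uptime stamp
    r"Firewall: \*(?P<chain>[A-Z_]+) Blocked\* (?P<kv>.*)$"
)

# Quoted from the moderator's reply: a line csf does detect on Debian 8.
DEBIAN_LINE = ("Jul 15 21:29:01 debian kernel: [ 518.387135] Firewall: *TCP_IN Blocked* "
               "IN=eth0 OUT= MAC=08:00:27:a9:ac:35:d8:50:e6:d4:f7:d4:08:00 "
               "SRC=192.168.254.60 DST=192.168.254.203 LEN=60 TOS=0x10 PREC=0x00 TTL=64 "
               "ID=44786 DF PROTO=TCP SPT=46137 DPT=9999 WINDOW=14600 RES=0x00 SYN URGP=0")


def parse_line(line, year=2015):
    """Return the fields of one blocked-packet log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # KEY=VALUE pairs; bare flags such as SYN or DF carry no "=" and are skipped
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    # syslog timestamps carry no year, so a fixed year is assumed for the example
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "tag": m["tag"], "chain": m["chain"],
            "src": fields.get("SRC"), "dpt": fields.get("DPT")}


def detect_port_scans(lines, ps_interval=100, ps_limit=10, required_tag="kernel"):
    """Sliding-window approximation of PS_INTERVAL/PS_LIMIT: a source whose blocked
    packets are logged more than ps_limit times within ps_interval seconds is flagged.
    Lines whose program tag is not required_tag are counted as ignored, which is what
    happens to the "vmunix:" lines in the original post."""
    window = defaultdict(deque)   # src -> timestamps of recent blocked packets
    flagged = {}                  # src -> hits in the window when the limit was crossed
    ignored = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] is None:
            continue
        if rec["tag"] != required_tag:
            ignored += 1
            continue
        q = window[rec["src"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > ps_interval:
            q.popleft()
        if len(q) > ps_limit and rec["src"] not in flagged:
            flagged[rec["src"]] = len(q)
    return {"flagged": flagged, "ignored": ignored}


def make_line(ts, tag, src, dport):
    """Build a constructed sample line in the same layout as the thread's logs."""
    return (f"{ts} bud {tag}: [375075.125189] Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
            f"MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC={src} DST=192.0.2.1 LEN=44 "
            f"TOS=0x00 PREC=0x00 TTL=37 ID=6187 PROTO=TCP SPT=54171 DPT={dport} "
            f"WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed input: 12 hits each from two sources within 12 seconds; only the
# "kernel:"-tagged source should be flagged under the default settings.
SAMPLE_LINES = (
    [make_line(f"Jul 15 14:15:{41 + i}", "kernel", "192.0.2.10", 1000 + i) for i in range(12)]
    + [make_line(f"Jul 15 14:15:{41 + i}", "vmunix", "192.0.2.20", 2000 + i) for i in range(12)]
)

if __name__ == "__main__":
    print(parse_line(DEBIAN_LINE))
    print(detect_port_scans(SAMPLE_LINES))
```

Running it shows 192.0.2.10 flagged after its 11th hit while all twelve "vmunix:" lines are ignored; passing required_tag="vmunix" flips the result, which is the mirror image of the fix the thread arrives at (get rsyslog to write the tag as "kernel" rather than teach the tracker a new tag).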
Re: fail to block port scans
Is there any way to change this?
I notice on the web others have the same problem.
http://serverfault.com/questions/696628 ... ux-systems
I upgraded from Squeeze as well and didn't change anything intentionally.
Thank you for your very quick response,
Bret
Re: fail to block port scans
OK, I have been able to get it working; I had to completely remove rsyslogd and reinstall it:
/etc/init.d/rsyslog stop
apt-get remove --purge rsyslog
apt-get install rsyslog
Must have been a leftover from the upgrade.
Thanks again for pointing me in the right direction.
WBA