
fail to block port scans

Posted: 15 Jul 2015, 19:22
by WBA
Hello, I have a Debian 8 VM (Jessie) running on Xen; I cannot get it to block port scans.
I have set
PS_INTERVAL = "100"
PS_LIMIT = "10"



All other functions seem to work fine.

/etc/csf# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server



Logging is enabled and blocked ports appear to be logged to /var/log/messages and syslog:

Jul 15 14:15:41 bud vmunix: [375075.125189] Firewall: *ICMP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=40 TOS=0x00 PREC=0x00 TTL=35 ID=35512 PROTO=ICMP TYPE=13 CODE=0
Jul 15 14:15:41 bud vmunix: [375075.151063] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=37 ID=6187 PROTO=TCP SPT=54171 DPT=554 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:41 bud vmunix: [375075.153487] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=27 ID=52214 PROTO=TCP SPT=54171 DPT=256 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:41 bud vmunix: [375075.154514] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=28 ID=41407 PROTO=TCP SPT=54171 DPT=1025 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:41 bud vmunix: [375075.156705] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=29 ID=42469 PROTO=TCP SPT=54171 DPT=8888 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:41 bud vmunix: [375075.157694] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=9276 PROTO=TCP SPT=54171 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:43 bud vmunix: [375077.162779] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=16868 PROTO=TCP SPT=54171 DPT=1048 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:45 bud vmunix: [375079.205202] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=28 ID=17694 PROTO=TCP SPT=54172 DPT=52848 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:47 bud vmunix: [375081.209746] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=46630 PROTO=TCP SPT=54173 DPT=26 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 15 14:15:49 bud vmunix: [375083.150017] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=45292 PROTO=TCP SPT=54172 DPT=2041 WINDOW=1024 RES=0x00 SYN URGP=0



Not sure what else to check, any help would be greatly appreciated.
Thanks,
WBA

Re: fail to block port scans

Posted: 15 Jul 2015, 21:32
by ForumAdmin
That is not in a format recognised by csf, in particular:

Jul 15 14:15:49 bud vmunix: [375083.150017] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0c:29:29:75:85:4c:5e:0c:4c:ed:02:08:00 SRC=10.10.10.10 DST=123.456.789.123 LEN=44 TOS=0x00 PREC=0x00 TTL=23 ID=45292 PROTO=TCP SPT=54172 DPT=2041 WINDOW=1024 RES=0x00 SYN URGP=0
Where it says "vmunix" it should read "kernel". This is from a standard Debian v8 log that is detected:

Jul 15 21:29:01 debian kernel: [  518.387135] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=08:00:27:a9:ac:35:d8:50:e6:d4:f7:d4:08:00 SRC=192.168.254.60 DST=192.168.254.203 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=44786 DF PROTO=TCP SPT=46137 DPT=9999 WINDOW=14600 RES=0x00 SYN URGP=0
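
The parsing distinction ForumAdmin describes, shown as added example code that is not part of the thread and not csf's or lfd's own parser: a small log reader that only accepts iptables "Firewall: *CHAIN Blocked*" lines whose syslog tag is "kernel:", so the "vmunix:" lines from the first post are dropped, followed by the kind of per-source counting PS_INTERVAL and PS_LIMIT imply. The regex, the sliding-window interpretation of PS_INTERVAL/PS_LIMIT (counting blocked packets, not distinct ports) and the sample log lines are all assumptions constructed here; IPs come from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of a Debian/iptables "Firewall: *CHAIN Blocked*" syslog line as logged
# with csf's LOGGING prefix. This regex is an assumption approximating what
# lfd looks for, not csf's own pattern. The syslog tag (the word before the
# colon) is captured so the caller can require it to be "kernel".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\s]+): "
    r"(?:\[\s*[\d.]+\] )?Firewall: \*(?P<chain>\w+) Blocked\* (?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict for a recognised blocked-packet line, else None.

    Lines tagged "vmunix:" (the problem in this thread) are rejected, exactly
    like lines that do not carry the Firewall marker at all.
    """
    m = LINE_RE.match(line)
    if m is None or m.group("tag") != "kernel":
        return None
    # Split "KEY=VALUE" tokens; bare flags such as SYN or DF are skipped.
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    # Syslog stamps carry no year; strptime fills in 1900, which is fine for
    # the relative time arithmetic done below.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "chain": m.group("chain"),
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),
    }


def parsed_events(lines):
    """All recognised blocked-packet events, in file order."""
    return [ev for ev in (parse_line(line) for line in lines) if ev is not None]


def detect_port_scans(lines, ps_interval=100, ps_limit=10):
    """Map SRC -> hit count for sources that reach PS_LIMIT blocked packets
    within any PS_INTERVAL-second window (assumed, simplified semantics)."""
    stamps_by_src = defaultdict(list)
    for ev in parsed_events(lines):
        if ev["src"]:
            stamps_by_src[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= ps_interval)
            if in_window >= ps_limit:
                flagged[src] = in_window
                break
    return flagged


def _blocked_line(tag, src, dpt, clock, uptime):
    """Build one constructed syslog line; MAC, DST and ID are placeholders."""
    return (
        f"{clock} bud {tag}: [{uptime:.6f}] Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
        f"MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC={src} DST=192.0.2.10 LEN=44 "
        f"TOS=0x00 PREC=0x00 TTL=30 ID=1 PROTO=TCP SPT=54171 DPT={dpt} WINDOW=1024 "
        f"RES=0x00 SYN URGP=0"
    )


# Constructed sample log (documentation-range IPs, not real hosts):
#  - ten hits from 198.51.100.7 tagged "kernel:" inside five seconds
#  - the same ten hits from 203.0.113.9 but tagged "vmunix:" (never counted)
#  - one stray hit from 192.0.2.77 and one unrelated sshd line
_PORTS = [554, 256, 1025, 8888, 5900, 1048, 52848, 26, 2041, 23]
SAMPLE_LOG = (
    [_blocked_line("kernel", "198.51.100.7", p, f"Jul 15 14:15:{41 + i // 2:02d}", 375075.0 + i)
     for i, p in enumerate(_PORTS)]
    + [_blocked_line("vmunix", "203.0.113.9", p, f"Jul 15 14:15:{41 + i // 2:02d}", 375075.0 + i)
       for i, p in enumerate(_PORTS)]
    + [_blocked_line("kernel", "192.0.2.77", 22, "Jul 15 14:20:00", 375340.0),
       "Jul 15 14:15:42 bud sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2"]
)

if __name__ == "__main__":
    print(f"{len(parsed_events(SAMPLE_LOG))} recognised events out of {len(SAMPLE_LOG)} lines")
    print("flagged:", detect_port_scans(SAMPLE_LOG))
```

Run as a script, it reports 11 recognised events out of 22 lines and flags only 198.51.100.7; the ten "vmunix:" hits from 203.0.113.9 never reach the counter, which is the failure mode seen in the first post. The practical check it suggests is the same one ForumAdmin gives: confirm the tag in your firewall log lines literally reads "kernel" before looking anywhere else in csf.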

Re: fail to block port scans

Posted: 16 Jul 2015, 13:32
by WBA
Is there any way to change this?
I notice on the web others have the same problem.
http://serverfault.com/questions/696628 ... ux-systems

I upgraded from Squeeze as well and didn't change anything intentionally.
Thank you for your very quick response,
Bret

Re: fail to block port scans

Posted: 16 Jul 2015, 13:57
by WBA
OK, I have been able to get it working; I had to completely remove rsyslogd and reinstall:
/etc/init.d/rsyslog stop
apt-get remove --purge rsyslog
apt-get install rsyslog

Must have been a leftover from the upgrade.

Thanks again for pointing me in the right direction.
WBA