Blocking nmap scans with iptables and packet filter

Requirements

  • iptables
  • packet filter

#!/bin/bash
#=====================
# Enable IP forwarding
#---------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#=====================
# Flush the existing rules
#---------------------
/sbin/iptables -F
/sbin/iptables -t nat -F
#=====================
# Start blocking
#---------------------
/sbin/iptables -t filter -A INPUT -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -p ICMP -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -m state --state INVALID -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS scan: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "pscan: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "pscan 2: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-SCAN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "NMAP-ID: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP

/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN-RST: "
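To make the matching logic of the rules above concrete, the following Python script is an added example (not part of the original post) that re-implements the iptables `--tcp-flags MASK COMP` test, which matches a packet when the flag bits selected by MASK are exactly equal to COMP. It walks the rule list in the order the script installs it and reports the log prefix of the first rule a packet hits. The sample packets are constructed here; running them shows two things a practitioner should know: a plain SYN (the probe nmap's default SYN scan sends) matches none of these rules and is left to the chain's default policy, which the script never changes, and the broad early rules (`ACK,FIN FIN`, for instance) shadow the more specific ones later on, so an nmap Xmas probe is logged as "FIN: " rather than "NMAP-XMAS-SCAN: ".

```python
"""Simulate the iptables '--tcp-flags MASK COMP' test over the rule list above.

Added example, not code from the original post. The RULES table transcribes the
LOG/DROP pairs of the script in installation order; the packets in
SAMPLE_PACKETS are constructed for illustration.
"""

# TCP flag bits as carried in the TCP header's flags byte.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # what iptables means by the keyword ALL


def parse_flag_list(spec: str) -> int:
    """Turn an iptables flag list ('SYN,FIN', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


def flags_of(*names: str) -> int:
    """Build the flags byte of a packet from flag names (no names = NULL packet)."""
    return sum(FLAGS[name] for name in names)


# (MASK, COMP, log prefix) for each LOG/DROP pair, in the order the script adds them.
RULES = [
    ("ACK,FIN", "FIN", "FIN: "),
    ("ACK,PSH", "PSH", "PSH: "),
    ("ACK,URG", "URG", "URG: "),
    ("ALL", "ALL", "XMAS scan: "),
    ("ALL", "NONE", "NULL scan: "),
    ("ALL", "SYN,RST,ACK,FIN,URG", "pscan: "),
    ("SYN,FIN", "SYN,FIN", "pscan 2: "),
    ("FIN,RST", "FIN,RST", "pscan 2: "),
    ("ALL", "SYN,FIN", "SYNFIN-SCAN: "),
    ("ALL", "URG,PSH,FIN", "NMAP-XMAS-SCAN: "),
    ("ALL", "FIN", "FIN-SCAN: "),
    ("ALL", "URG,PSH,SYN,FIN", "NMAP-ID: "),
    ("SYN,RST", "SYN,RST", "SYN-RST: "),
]


def matching_rule(packet_flags: int):
    """Return the log prefix of the first rule that matches, or None.

    iptables semantics: (flags & MASK) == COMP. Because the LOG rule of each
    pair is immediately followed by a DROP with the same test, the first match
    decides both what is logged and that the packet is dropped.
    """
    for mask, comp, prefix in RULES:
        if packet_flags & parse_flag_list(mask) == parse_flag_list(comp):
            return prefix
    return None


# Constructed sample packets: what common probes and ordinary traffic look like.
SAMPLE_PACKETS = {
    "nmap default SYN scan probe (-sS)": flags_of("SYN"),
    "nmap NULL scan probe (-sN)": flags_of(),
    "nmap FIN scan probe (-sF)": flags_of("FIN"),
    "nmap Xmas scan probe (-sX)": flags_of("FIN", "PSH", "URG"),
    "all six flags set": flags_of("FIN", "SYN", "RST", "PSH", "ACK", "URG"),
    "SYN+FIN": flags_of("SYN", "FIN"),
    "SYN+RST": flags_of("SYN", "RST"),
    "normal data segment (PSH+ACK)": flags_of("PSH", "ACK"),
    "normal pure ACK": flags_of("ACK"),
}


def classify_samples() -> dict:
    """Map each sample packet to the prefix that logs it, or None if nothing matches."""
    return {name: matching_rule(bits) for name, bits in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        verdict = f"logged as {result!r} and dropped" if result else "no rule matches (default policy applies)"
        print(f"{name:40s} -> {verdict}")
```

The "no rule matches" outcome for the SYN probe is what the commenter below observes: these rules only catch malformed or unusual flag combinations, so a SYN scan against open ports completes normally unless the INPUT chain also has a restrictive default policy or explicit rules for new connections.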

Comments

  1. Hello my friend, I tried it, but it still lets the ports be scanned; for example, if I run:
    root@asterisk1:~# nmap -v -f 192.168.1.105

    Starting Nmap 6.00 ( http://nmap.org ) at 2013-11-06 11:37 CST
    Initiating ARP Ping Scan at 11:37
    Scanning 192.168.1.105 [1 port]
    Completed ARP Ping Scan at 11:37, 0.00s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 11:37
    Completed Parallel DNS resolution of 1 host. at 11:37, 0.05s elapsed
    Initiating SYN Stealth Scan at 11:37
    Scanning 192.168.1.105 [1000 ports]
    Discovered open port 80/tcp on 192.168.1.105
    Discovered open port 22/tcp on 192.168.1.105
    Discovered open port 111/tcp on 192.168.1.105
    Completed SYN Stealth Scan at 11:37, 0.02s elapsed (1000 total ports)
    Nmap scan report for 192.168.1.105
    Host is up (0.00038s latency).
    Not shown: 997 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    MAC Address: 38:60:77:55:A6:2B (Pegatron)

    Read data files from: /usr/bin/../share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
    Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040KB)

    I have tried several kinds of rules but they do not work for preventing the scan. I have not tried snort yet, but from what I see it is a possible solution. Looking forward to your comments.

    Best regards
