Block nmap port scanning in centos

Support for security such as Firewalls and securing linux
kalyanasundaram
Posts: 22
Joined: 2014/08/20 14:12:58

Block nmap port scanning in centos

Post by kalyanasundaram » 2014/09/22 14:00:58

Hi,

I have tried to block nmap port scanning using iptables, but it's not working.

This is my iptables content:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Packets belonging to connections conntrack already knows are accepted first
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# (these three per-protocol rules are already covered by the ESTABLISHED,RELATED rule above)
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anything conntrack cannot classify (bad flag combinations, no handshake) is dropped here,
# so most of the flag rules below never see a scan probe
-A INPUT -m state --state INVALID -j DROP
# Log and drop TCP flag combinations typical of stealth scans (each LOG is followed by a DROP)
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN: "
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH: "
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG: "
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS scan: "
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan: "
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "pscan: "
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2: "
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "pscan 2: "
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-SCAN: "
-A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN: "
-A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN: "
-A INPUT -p tcp --tcp-flags ALL FIN -j DROP
-A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "NMAP-ID: "
-A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
# SYN together with RST is never legitimate; drop it like the combinations above
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN-RST: "
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# New connections to the services this host offers. A plain SYN (what a default
# nmap -sS scan sends) matches none of the flag rules above, is in state NEW,
# and is accepted here, which is why these ports show up as open.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 8443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5060 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10000:20000 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 10000:20000 -j ACCEPT
# Suppress outgoing ICMP port-unreachable and echo-reply
-A OUTPUT -p icmp -m icmp --icmp-type port-unreachable -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j DROP
# Everything else is rejected with an ICMP error (nmap reports such ports as "filtered")
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


After restarting the iptables service, I tried scanning this machine (10.10.1.161) from another machine (10.10.1.41):

[root@localhost ~]# nmap 10.10.1.161

Starting Nmap 5.51 ( http://nmap.org ) at 2014-09-22 19:28 IST
Nmap scan report for 10.10.1.161
Host is up (0.00080s latency).
Not shown: 929 filtered ports, 67 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
MAC Address: 08:00:27:CE:3C:7F (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 3.96 seconds

Could you please assist with this issue ASAP?
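An added illustration, not code from this thread: the small Python model below replicates the iptables `--tcp-flags MASK COMP` match (a packet matches when the flag bits named in MASK equal COMP exactly) and runs the poster's flag rules, in their original order, against the first packet each nmap scan type sends. The probe flag sets are taken from nmap's documented scan types; everything else (names, structure) is the example's own. The point it makes: a default `nmap` (`-sS`) sends a bare SYN, which no flag rule matches, so the packet is in state NEW and reaches the per-port ACCEPT rules. Note too that FIN, NULL and Xmas probes to a host with no existing connection are already classified INVALID by conntrack, so in the poster's chain the `--state INVALID -j DROP` rule discards them before the flag rules are even consulted.

```python
# Added example, not from the thread: model '--tcp-flags MASK COMP' and check
# which of the poster's rules (if any) fire for each nmap probe type.
from functools import reduce

# TCP header flag bits, keyed by the names iptables accepts
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F   # iptables keyword ALL  = SYN,ACK,FIN,RST,URG,PSH
NONE = 0x00  # iptables keyword NONE = no flags set


def parse_flags(spec):
    """Turn an iptables flag list such as 'ACK,FIN' into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return NONE
    return reduce(lambda acc, name: acc | TCP_FLAGS[name], spec.split(","), 0)


def tcp_flags_match(pkt_flags, mask, comp):
    """Kernel semantics of xt_tcp: (flags & mask) == comp. Only the bits in MASK
    are examined; a COMP bit outside MASK can never be satisfied."""
    return (pkt_flags & mask) == comp


# (mask, comp, log prefix) for every LOG+DROP pair in the poster's INPUT chain, in order
POSTED_RULES = [
    ("ACK,FIN", "FIN", "FIN"),
    ("ACK,PSH", "PSH", "PSH"),
    ("ACK,URG", "URG", "URG"),
    ("ALL", "ALL", "XMAS scan"),
    ("ALL", "NONE", "NULL scan"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "pscan"),
    ("SYN,FIN", "SYN,FIN", "pscan 2"),
    ("FIN,RST", "FIN,RST", "pscan 2"),
    ("ALL", "SYN,FIN", "SYNFIN-SCAN"),
    ("ALL", "URG,PSH,FIN", "NMAP-XMAS-SCAN"),
    ("ALL", "FIN", "FIN-SCAN"),
    ("ALL", "URG,PSH,SYN,FIN", "NMAP-ID"),
    ("SYN,RST", "SYN,RST", "SYN-RST"),
]

# First packet nmap sends to each port per scan type (no prior handshake).
# Constructed from nmap's documented scan types; -sT is a normal connect(), so
# its first packet is also a bare SYN.
NMAP_PROBES = {
    "-sS SYN scan (nmap default)": "SYN",
    "-sT connect scan": "SYN",
    "-sN NULL scan": "NONE",
    "-sF FIN scan": "FIN",
    "-sX Xmas scan": "FIN,PSH,URG",
    "-sM Maimon scan": "FIN,ACK",
    "-sA ACK scan": "ACK",
}


def first_matching_rule(probe_flags):
    """Log prefix of the first flag rule that fires, or None if no flag rule
    matches and the packet goes on to the per-port ACCEPT rules."""
    pkt = parse_flags(probe_flags)
    for mask, comp, prefix in POSTED_RULES:
        if tcp_flags_match(pkt, parse_flags(mask), parse_flags(comp)):
            return prefix
    return None


def classify_probes():
    """Map each scan type to the rule that catches it (None = passes all flag rules)."""
    return {name: first_matching_rule(flags) for name, flags in NMAP_PROBES.items()}


if __name__ == "__main__":
    for name, hit in classify_probes().items():
        print(f"{name:28} -> {hit if hit else 'no flag rule fires'}")
```

Two things the output shows that the rules do not: the generic `ACK,FIN FIN` rule at the top catches Xmas probes before the dedicated `NMAP-XMAS-SCAN` rule can, so that prefix never appears in the log, and the SYN, ACK and Maimon probes pass every flag rule (the ACK and Maimon ones are what the INVALID rule is for). Nothing in a flag-based ruleset can distinguish a scanner's SYN from a browser's SYN to port 80; that distinction has to come from the source address or from rate, which is what the later replies turn to.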

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Block nmap port scanning in centos

Post by aks » 2014/09/23 20:21:32

Short answer: no. The very cool NMAP program works on the principles of TCP/IP, so short of disabling TCP/IP how could you really "disable" NMAP scans? The main reason for NMAP (from a "bad person" viewpoint) is to recon your services. So you could deny all from unknown source IP addresses, but that is not scalable.

Some people suggest not sending things like ICMP administratively prohibited et al., but I think that's just dumb and gets in the way of troubleshooting. I guess security through obscurity is no security at all. Most people justify this by arguing that firewalking (mapping your firewall rulesets) is a bad thing. Personally I don't just depend on firewall(s) for my security needs. Most breaches happen from people on the inside.

Just food for thought.

jyoung
Posts: 102
Joined: 2014/09/22 13:40:31
Location: Nashville, TN, USA

Re: Block nmap port scanning in centos

Post by jyoung » 2014/09/23 21:20:07

The short answer, as aks has said, is that you can't completely prevent a scan of your system without unplugging its network cable. With that said, without knowing your network topology it's hard to answer this question. I see lots of web ports open, so I'm assuming that this server is publicly available, or at least available to some NAT'ed IP range.

Why not adjust your iptables rules so that your default policy is DROP, and only those TCP or UDP packets required for using your server's application(s) are allowed? Filter them by the IP range that will be used to connect to your server (NAT or not). Do you really need the web server ports open to UDP packets?

I'd argue that if you can't SSH to the server for managing it, what good are the ICMP responses that you may still get when trying to ping? Dropping all packets other than those required for your application to run is good security practice, but to completely prevent someone or something from scanning your machine you'll have to turn it off.
-- Jeremy --
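As an added example of the allowlist approach described in the reply above (not the poster's own rules), the Python script below generates an iptables-restore file with a default DROP policy, only the listed services accepted, and the management port restricted to a source range. It uses `-m conntrack --ctstate`, the newer spelling of the `-m state --state` match seen earlier in the thread. The management network `10.10.1.0/24` and the service list in `example_ruleset()` are made-up values; the validation step exists so that a typo in a port, protocol or CIDR raises an error instead of quietly producing a rule that opens more than intended.

```python
# Added example, not the forum poster's rules: build a default-DROP allowlist
# ruleset for iptables-restore. Service list and CIDRs below are illustrative.
import ipaddress


def _check_port(port):
    """Accept a single port ('22') or an iptables range ('10000:20000')."""
    lo, _, hi = str(port).partition(":")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()):
        raise ValueError(f"bad port spec {port!r}")
    if not (1 <= int(lo) <= int(hi) <= 65535):
        raise ValueError(f"port out of range {port!r}")
    return f"{lo}:{hi}" if hi != lo else lo


def build_ruleset(services, log_drops=True):
    """services: iterable of (proto, port, source) where source is a CIDR string
    or None for 'anyone'. Returns text suitable for iptables-restore."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",     # default policy: anything not matched below is dropped
        ":FORWARD DROP [0:0]",   # this host does not route
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        # keep ping for troubleshooting, but rate-limited
        "-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT",
    ]
    for proto, port, source in services:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        rule = f"-A INPUT -p {proto}"
        if source is not None:
            # ip_network() raises ValueError on a malformed or out-of-range CIDR
            rule += f" -s {ipaddress.ip_network(source, strict=False)}"
        rule += f" -m conntrack --ctstate NEW -m {proto} --dport {_check_port(port)} -j ACCEPT"
        lines.append(rule)
    if log_drops:
        # see what the default policy is eating, without flooding the log
        lines.append('-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "')
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def example_ruleset():
    """SSH only from a (made-up) management network; web ports from anywhere."""
    return build_ruleset([
        ("tcp", 22, "10.10.1.0/24"),
        ("tcp", 80, None),
        ("tcp", 443, None),
    ])


def is_rejected(proto, port, source):
    """True if build_ruleset refuses the entry (demonstrates the validation)."""
    try:
        build_ruleset([(proto, port, source)])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(example_ruleset(), end="")
```

Write the output to a file and check it with `iptables-restore --test < rules` before loading it (on CentOS 6 the live file is `/etc/sysconfig/iptables`, read by `service iptables restart`). Do the first load from a console session, not over SSH: with a default DROP policy, a wrong source range on the port 22 rule locks you out. A scanner still sees the ports you have to expose, but every port that is not in the list, and SSH from outside the management range, now shows up as "filtered" with nothing to talk to.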

toycentos
Posts: 1
Joined: 2015/06/02 01:03:11

Re: Block nmap port scanning in centos

Post by toycentos » 2015/06/02 01:14:43

This nice individual solves your problem. Port scanning is done at a rapid pace, so it is the rate at which connections are being made from an external IP that is central to the iptables rule you want. About half of the way down is:


# Rate-limit incoming RST packets (RST floods, smurf-style abuse): up to 2 per
# second are accepted, anything beyond that falls through to the DROP below
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

# Protecting against portscans
# An IP on the "portscan" list is dropped for 24 hours (3600 x 24 = 86400 seconds)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Remove the attacking IP after 24 hours. This rule only matches listed IPs whose
# ban has expired (the --rcheck rule above already dropped the others); it has no
# target, so the packet continues down the chain after the entry is removed.
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# Trap port: any packet to TCP 139 (a port this host does not serve) adds the
# sender to the portscan list, logs the attempt, and is dropped.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
This example is a really robust starting point.

Source:
http://sharadchhetri.com/2013/06/15/how ... -iptables/

kalyanasundaram
Posts: 22
Joined: 2014/08/20 14:12:58

Re: Block nmap port scanning in centos

Post by kalyanasundaram » 2015/06/18 11:02:05

Hi toy,

I will try your steps and let you know.

aegersz
Posts: 86
Joined: 2016/04/04 07:42:58

Re: Block nmap port scanning in centos

Post by aegersz » 2016/12/24 23:51:48

It works !

Thank you !!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Block nmap port scanning in centos

Post by TrevorH » 2016/12/26 16:55:51

Port scanning is done at a rapid pace
Well, only if you tell it to. It is configurable and the people you really want to worry about have plenty of time and resources and are willing to wait...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
