How to protect from port scanning and smurf attack in Linux Server by iptables

Transcription

1 In thi pot I will hare the iptable cript in which we will learn How to protect from port canning and murf attack in Linux Server Feature Of Script : (1) When a attacker try to port can your erver, firt becaue of iptable attacker will not get any information which port i open Second the Attacking IP addre will be blacklited for 24 Hour (You can change it in cript) Third, after that attacker will not able to open acce anything for eg even attacker will not ee any webite running on erver via web brower, not able to h,telnet alo Mean completely retricted (2) Protect from murf attack (3) Written with the help of IPTABLE hence no Sytem Performance iue like CPU high,memory uage etc No third party tool i ued Note: You can add or remove port no a per your requirement Decription about Server where we will implement IPTABLE cript: Operating Syetem : CentOS 64 (applicable to Red hat and CentOS erver) IP Addre: Now we will create the cript 1 15

2 Step 1: Create a bah cript with the name of cripth vi rootcripth Step 2: Now pate the below given cript content in your bah cript file cripth #!binh # # # Script i for toping Portcan and murf attack ### firt fluh all the Rule F # INPUT Rule # Accept loopback input i lo p all # allow 3 way handhake m tate tate ESTABLISHED, RELATED ### DROPpoofing packet j DROP 2 15

3 j DROP j DROP j DROP j DROP 3 15

4 j DROP d j DROP j DROP d j DROP 4 15

5 j DROP d j DROP d j DROP d j DROP #for SMURF attack protection p icmp m icmp 5 15

6 icmp type addre mak requet j DROP p icmp m icmp icmp type timetamp requet j DROP p icmp m icmp m limit limit 1 econd # Droping all invalid packet m tate 6 15

7 tate INVALID j DROP A FORWARD m tate tate INVALID j DROP m tate tate INVALID j DROP # flooding of RST packet, murf attack Rejection tcp flag RST RST m limit limit 2 econd limit burt 2 # Protecting portcan 7 15

8 # Attacking IP will be locked for 24 hour (3600 x 24 = Second) name portcan rcheck econd j DROP A FORWARD name portcan rcheck econd j DROP # Remove attacking IP after 24 hour name portcan remove A FORWARD name portcan 8 15

9 remove # Thee rule add canner to the portcan lit, and log the attempt 139 name portcan et j LOG log prefix "portcan:" 139 name portcan et j DROP A FORWARD 9 15

10 139 name portcan et j LOG log prefix "portcan:" A FORWARD 139 name portcan et j DROP # Allow the following port through from outide 10 15

11 # Allow ping mean ICMP port i open (If you do not want ping replace ACCEPT with REJECT) p icmp m icmp 11 15

12 icmp type 8 # Latly reject All INPUT traffic j REJECT ################# Below are for OUTPUT rule ############################################# ## Allow loopback OUTPUT o lo m tate tate ESTABLISHED, RELATED # Allow the following port through from outide # SMTP = 25 # DNS =53 # HTTP = 80 # HTTPS = 443 # SSH = 22 ### You can alo add or remove port no a per your requirement 12 15

13 25 p udp m udp

14 22 # Allow ping p icmp m icmp icmp type 8 # Latly Reject all Output traffic j REJECT ## Reject Forwarding traffic A FORWARD j REJECT Step 3: Make the Read Write Execute permiion only to root uer (For ecurity) chmod 700 rootcripth chown root:root rootcripth Step 4 : Now run the cript h rootcripth or rootcripth 14 15

15 Step 6: Now check the IPTABLES rule with following command nl Now we will do teting from remote erver to our erver where we have implemented the iptable Step 7: login into any ytem and try to do port canning nmap T Serveripaddre eg nmap T Step 8: The reult hould be now from your ytem like following type (a) Not getting any output from nmap (b) Not able to do telnet to any port for eg telnet Serveripaddre 22 After running nmap mean port can your ipaddre i blacklited You can find your ytem ip addre in meage log in Server with the keyword called portca n So login back to your erver and check the meage log in varlog Note : how to intall nmap In Red Hat and CentOS yum intall nmap In Debian and Ubuntu aptget intall nmap 15 15