[CentOS] Program to ban sniffers

David G. Miller dave at davenjudy.org
Sun Jun 21 16:31:29 UTC 2009

Bob Hoffman <bob at ...> writes:

> So I have been reading the ssh attack thread and finally want to ask about
> something.
> I doubt there is a program like this, but I would love to have a program
> that listens at common ports that I do not use at all...and only allow that
> program to listen to it, especially the usual ssh port (using a different
> one for real ssh)...
> That program would then, upon receiving a 'sniff' or 'user', add
> that IP to the deny hosts lists..for either a long or short time.
> Using this would seem like a win as you can easily grab someone before they
> can get somewhere one hopes.
> Also, by opening up a few other ports that are unusual like 8561....well, if
> someone sniffs that it could be a 3 day ban or a month...
> In other words, anyone hitting those ports that are not being used at all
> except by our sniff protector, would allow instant banning.
> So...does something like this exist?

Just in case you want to play around with logging port-probing
information, you can add something like the following rules to your firewall:

# Log every TCP and UDP packet that reaches this point, i.e. anything
# no earlier ACCEPT rule in the chain has already matched.
-A RH-Firewall-1-INPUT -p tcp -m tcp -j LOG
-A RH-Firewall-1-INPUT -p udp -m udp -j LOG

Add the rules at the bottom of /etc/sysconfig/iptables but before your ultimate
reject rule.  Make sure you have enough room in /var/log for the amount of data
you will be collecting.  The log entries in /var/log/messages will look like:

Jun 16 00:51:01 bend kernel: IN=eth0 OUT=
MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC= DST=
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=59356 DPT=17581
WINDOW=17920 RES=0x00 SYN URGP=0
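As an added example, not code from the original post or from the CentOS project, here is a small Python script that reads entries of the kind shown above and applies the policy Bob asked about: a source that touches one of the unused "honeypot" ports is banned at once, a source that probes several distinct closed ports is banned after a threshold, and addresses on a never-ban list are left alone. The log lines, the RFC 5737 addresses in them (the original post had SRC= and DST= blanked out), the honeypot port set, the threshold and the never-ban list are all constructed assumptions; the script prints the iptables commands it would run rather than executing them.

```python
import sys
from collections import defaultdict

# Constructed sample of /var/log/messages entries in the shape the two LOG
# rules above produce (no --log-prefix). The addresses are RFC 5737
# documentation addresses chosen for illustration. The UDP line and the
# sshd line are there to show what the parser must ignore.
SAMPLE_LOG = """\
Jun 16 00:51:01 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=59356 DPT=17581 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:02 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59653 DF PROTO=TCP SPT=59357 DPT=23 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:03 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59654 DF PROTO=TCP SPT=59358 DPT=25 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:04 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 16 00:51:05 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 16 00:51:06 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=198.51.100.2 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=51000 DPT=8561 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 16 00:51:07 bend sshd[2231]: Accepted publickey for dave from 198.51.100.2 port 51001 ssh2
"""

KERNEL_MARK = "kernel: "


def parse_log_line(line):
    """Return the fields of one iptables LOG entry as a dict, or None.

    The LOG target writes space-separated tokens after "kernel: ". Most are
    KEY=VALUE (an empty value, as in OUT=, is kept as ""); a few are bare
    flags such as DF or SYN, which are stored as True.
    """
    idx = line.find(KERNEL_MARK)
    if idx < 0:
        return None
    body = line[idx + len(KERNEL_MARK):]
    if not body.startswith("IN="):
        return None  # some other kernel message, not a LOG entry
    fields = {}
    for tok in body.split():
        key, sep, value = tok.partition("=")
        fields[key] = value if sep else True
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def decide_bans(lines, honeypot_ports, distinct_port_threshold, never_ban=()):
    """Map each source address that should be banned to the reason.

    Policy (assumed, modelled on the thread): a TCP SYN to a honeypot port
    bans the source immediately; otherwise a source is banned once it has
    sent SYNs to distinct_port_threshold different closed ports.

    Only TCP SYNs are counted. The LOG rule sees single packets, so it can
    never tell whether a handshake completed; a UDP datagram, and strictly
    even a SYN, can carry a forged source. That is why never_ban exists and
    why any real deployment should also expire its bans.
    """
    ports_by_src = defaultdict(set)
    reasons = {}
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        if f.get("PROTO") != "TCP" or f.get("SYN") is not True:
            continue
        src = f["SRC"]
        if src in never_ban:
            continue
        dpt = int(f["DPT"])
        if dpt in honeypot_ports:
            reasons.setdefault(src, f"hit honeypot port {dpt}")
            continue
        ports_by_src[src].add(dpt)
        if len(ports_by_src[src]) >= distinct_port_threshold:
            reasons.setdefault(src, f"probed {len(ports_by_src[src])} distinct ports")
    return reasons


def ban_rules(reasons, chain="RH-Firewall-1-INPUT"):
    """Render the iptables commands that would DROP each banned source.

    The rule is inserted at position 1 so it wins over any later ACCEPT.
    """
    return [f"iptables -I {chain} 1 -s {src} -j DROP  # {why}"
            for src, why in sorted(reasons.items())]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    # Assumed policy: 22 is unused because real ssh listens elsewhere, 8561
    # is one of the extra decoy ports; 198.51.100.2 is a management host.
    bans = decide_bans(text.splitlines(), honeypot_ports={22, 8561},
                       distinct_port_threshold=3, never_ban={"198.51.100.2"})
    for rule in ban_rules(bans):
        print(rule)
```

Run it with no input to see the decisions for the constructed sample, or feed it `grep 'kernel: IN=' /var/log/messages` on standard input. It deliberately stops at printing the commands: wiring it to run `iptables` directly is where the spoofing caveat bites, so put the expiry and the allowlist in place first.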
