[CentOS] Program to ban sniffers

Sun Jun 21 16:31:29 UTC 2009
David G. Miller <dave at davenjudy.org>

Bob Hoffman <bob at ...> writes:

> 
> So I have been reading the ssh attack thread and finally want to ask about
> something.
> 
> I doubt there is a program like this, but I would love to have a program
> that listens at common ports that I do not use at all...and only allow that
> program to listen to it, especially the usual ssh port (using a different
> one for real ssh)...
> 
> That program would then, upon receiving a 'sniff' or 'user', add
> that ip to the deny hosts lists...for either a long or short time.
> 
> Using this would seem like a win as you can easily grab someone before they
> can get somewhere one hopes.
> Also, by opening up a few other ports that are unusual like 8561....well, if
> someone sniffs that it could be a 3 day ban or a month...
> 
> In other words, anyone hitting those ports that are not being used at all
> except by our sniff protector, would allow instant banning.
> 
> So...does something like this exist?
> 
Just in case you want to play around with just logging the port probing
information, you can add something like the following rule to your firewall:

-A RH-Firewall-1-INPUT -p tcp -m tcp -j LOG
-A RH-Firewall-1-INPUT -p udp -m udp -j LOG

Add the rules at the bottom of /etc/sysconfig/iptables but before your ultimate
reject rule.  Make sure you have enough room in /var/log for the amount of data
you will be collecting.  The log entries in /var/log/messages will look like:

Jun 16 00:51:01 bend kernel: IN=eth0 OUT=
MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.1 DST=192.168.0.2
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=59356 DPT=17581
WINDOW=17920 RES=0x00 SYN URGP=0

Cheers,
Dave
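As an added example (not part of Dave's post or the CentOS project), here is a small Python script that parses entries in the LOG format shown above and reports which sources swept several ports or touched ports nothing on the host listens on, which is the "sniff protector" idea from the question. It assumes each entry is a single line as syslog writes it; the hosts and ports in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample entries in the iptables LOG format above; hosts/ports are hypothetical.
SAMPLE_LOG = """\
Jun 16 00:51:01 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=59356 DPT=17581 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:02 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59653 DF PROTO=TCP SPT=59357 DPT=22 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:03 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59654 DF PROTO=TCP SPT=59358 DPT=8561 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:04 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.7 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 16 00:51:05 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.9 DST=192.168.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=5353 DPT=8561 LEN=24
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_entry(line):
    """Pull timestamp, source, protocol, destination port and SYN flag from one LOG line."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    return {"ts": m.group("ts"), "src": m.group("src"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt")),
            "syn": " SYN " in line}

def tcp_syn_entries(log_text):
    # Only TCP SYNs: a UDP source address is trivially spoofable, so acting on
    # it could lock out an innocent third party.
    return [e for e in map(parse_entry, log_text.splitlines())
            if e and e["proto"] == "TCP" and e["syn"]]

def port_sweepers(entries, min_ports=3):
    """Sources that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for e in entries:
        ports[e["src"]].add(e["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def unused_port_hits(entries, unused_ports):
    """Sources that hit ports nothing on this host listens on."""
    hits = defaultdict(set)
    for e in entries:
        if e["dpt"] in unused_ports:
            hits[e["src"]].add(e["dpt"])
    return {src: sorted(p) for src, p in hits.items()}

if __name__ == "__main__":
    ents = tcp_syn_entries(SAMPLE_LOG)
    print(port_sweepers(ents), unused_port_hits(ents, {8561, 17581}))
```

Feed it the LOG lines grepped out of /var/log/messages and review the output by hand before turning any of it into a deny rule.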