Mitigate port scanning

2018-04-14 13:23:34 +01:00 · 2018-04-14 13:23:34 +01:00 · ff31ff6961
parent 4cad482b5f
commit ff31ff6961
2 changed files with 30 additions and 0 deletions
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@ -465,6 +465,33 @@ function firewall_add_range {
    fi
 }
 function firewall_handle_port_scans {
    if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
        return
    fi
    # only works for high frequency port scanning
    # flooding of RST packets, smurf attack Rejection
    iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    # Protecting portscans
    # Attacking IP will be locked for 24 hours (3600 x 24 = 86400 Seconds)
    iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
    iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
    # Remove attacking IP after 24 hours
    iptables -A INPUT -m recent --name portscan --remove
    iptables -A FORWARD -m recent --name portscan --remove
    # These rules add scanners to the portscan list, and log the attempt.
    iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
    iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
    iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
    iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
    save_firewall_settings
    mark_completed "${FUNCNAME[0]}"
 }
 function firewall_remove {
    firewall_port=$1
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@ -700,6 +700,9 @@ function setup_firewall {
    function_check configure_firewall_ping
    configure_firewall_ping
    function_check firewall_handle_port_scans
    firewall_handle_port_scans
    function_check firewall_drop_telnet
    firewall_drop_telnet