Linode Community Forums
someone scanning my ports

Linode Forum Index -> Linux Networking
BipBop (Joined: 28 Apr 2011, Posts: 9)

Posted: Thu Apr 28, 2011 5:59 pm    Post subject: someone scanning my ports

Hello guys,

I am a new Linode user and need a little help in analyzing my iptables log. :)

Yesterday (April 27) I set up iptables on my Linode and decided to leave the Linode running to see if the firewall would pick up any action. Today I looked at my log and it looks like someone was scanning my ports.

Even though the source IP is different, all the packets are originating from the same MAC address and are targeted towards some common ports like 22, 135, 8080 etc.

What would be a good way to deal with these scans? A program that can add rules to iptables to block requests originating from a particular NIC or IP? The timing of these attacks/scans is really spread out also, so I doubt I can capture them using some time limit.

Any help appreciated.
vonskippy (Joined: 27 Dec 2009, Posts: 469, Location: Colorado, USA)

Posted: Thu Apr 28, 2011 6:04 pm    Post subject:

Welcome to the internet, don't lose sleep over random port scans, it's a very common event.
BipBop (Joined: 28 Apr 2011, Posts: 9)

Posted: Thu Apr 28, 2011 6:09 pm    Post subject:

haha no no, I am not losing sleep over it. But it would be cool to know, if the scanning user does turn malicious, whether it can be dealt with dynamically and all his packets get dropped by my firewall, or he gets added to an ignore list or something. :)

I mean his packets are being dropped right now.. but if he tries something different.
hoopycat (Joined: 30 Aug 2008, Posts: 1294, Location: Rochester, New York)

Posted: Thu Apr 28, 2011 7:44 pm    Post subject: Re: someone scanning my ports

> BipBop wrote: Even though the source IP is different, all the packets are originating from the same MAC address and are targeted towards some common ports like 22, 135, 8080 etc.

That's the MAC address of the router between the Internet and you. MAC addresses are only used to identify entities within the same local area network (in the Linode architecture, a /24 subnet). Anything beyond there will (hopefully) have the MAC address of a router.

(Edit: Also, there is no "someone" or "the scanning user"; there's probably hundreds of thousands, if not millions, of computers out there which are doing this continuously in an attempt to bring your computer into their collective. Anthropomorphizing this activity into that of "some guy" is not a good way to think about it.)
BipBop (Joined: 28 Apr 2011, Posts: 9)

Posted: Thu Apr 28, 2011 8:12 pm    Post subject:
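The two points in this exchange (grouping the logged packets by source IP and destination port, and reading the MAC= field correctly) can be checked with a small log parser. The block below is an added example and is not code from the thread or from Linode; the log lines are constructed in the iptables LOG-target format with documentation-range addresses and made-up MACs, and the "IPT-DROP:" log prefix and the `min_ports` threshold are assumptions. It shows that every packet carries the same source MAC (the gateway's) regardless of the source IP, flags sources that probe several distinct ports, and emits the iptables DROP rules an admin could review before applying.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the iptables LOG target format (not taken from the
# thread); IPs are from documentation ranges and the MAC values are made up.
SAMPLE_LOG = """\
Apr 27 03:14:07 linode kernel: [ 9012.10] IPT-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:1a:2b:3c:4d:5e:08:00 SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 07:41:52 linode kernel: [25077.55] IPT-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:1a:2b:3c:4d:5e:08:00 SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=6000 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 11:03:19 linode kernel: [37164.02] IPT-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:1a:2b:3c:4d:5e:08:00 SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=6000 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 27 12:20:00 linode kernel: [41765.40] IPT-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.77 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 27 12:20:05 linode kernel: [41770.11] IPT-DROP: IN=eth0 OUT= MAC=fe:fd:0a:0b:0c:0d:00:1a:2b:3c:4d:5e:08:00 SRC=192.0.2.77 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Apr 27 12:21:00 linode sshd[2201]: Accepted publickey for admin from 192.0.2.5 port 40022 ssh2
"""

# The LOG target writes space-separated KEY=VALUE pairs; flags such as DF and
# SYN appear without a value and are deliberately ignored here.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None for any
    other syslog line (e.g. sshd output) that lacks the IN=/SRC= fields."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def source_mac(mac_field):
    """The MAC= field is dst(6 bytes):src(6 bytes):ethertype(2 bytes).
    The src part is the last hop on the local segment, which for traffic
    arriving from the Internet is the gateway router, not the remote host."""
    parts = mac_field.split(":")
    if len(parts) < 12:
        return None
    return ":".join(parts[6:12])


def summarize(log_text):
    """Group probed (protocol, port) pairs by source IP and count packets
    per source MAC so the two can be compared."""
    ports_by_src = defaultdict(set)
    hits_by_mac = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits_by_mac[source_mac(rec.get("MAC", ""))] += 1
        # ICMP entries carry TYPE/CODE instead of DPT, so only TCP/UDP count as port probes.
        if "DPT" in rec:
            ports_by_src[rec["SRC"]].add((rec.get("PROTO"), int(rec["DPT"])))
    return ports_by_src, hits_by_mac


def flag_scanners(ports_by_src, min_ports=3):
    """A source that touches at least min_ports distinct ports looks like a
    scan; the threshold is an assumption, tune it to your own traffic."""
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


def block_rules(scanners):
    """Render iptables rules for review; nothing is executed here."""
    return ["iptables -I INPUT -s %s -j DROP" % src for src in scanners]


if __name__ == "__main__":
    ports, macs = summarize(SAMPLE_LOG)
    print("source MACs seen:", dict(macs))
    for src, probed in sorted(ports.items()):
        print(src, "->", sorted(probed))
    for rule in block_rules(flag_scanners(ports)):
        print(rule)
```

Running it prints a single source MAC for all five logged packets even though two different source IPs appear, which is hoopycat's point: the MAC is the router's, so it is the SRC= field, not MAC=, that identifies who to block.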

Thank you for that nugget of knowledge hoopycat. My networking knowledge is rudimentary at best.. so I really appreciate that. I knew I would learn a slew of new things trying to run/maintain my own VPS. :)
hoopycat (Joined: 30 Aug 2008, Posts: 1294, Location: Rochester, New York)

Posted: Thu Apr 28, 2011 8:50 pm    Post subject:

No problem. It's a lot of fun, and there's plenty to learn, especially with networking stuff in general. The Internet isn't magic, but the fact that it actually works is magic :-) -rt
eld101 (Joined: 01 Sep 2008, Posts: 63)

Posted: Fri Apr 29, 2011 8:51 am    Post subject:

You can install something like OSSEC, which scans your logs and can notify you of port scans, brute force attempts, etc...
eld101 (Joined: 01 Sep 2008, Posts: 63)

Posted: Fri Apr 29, 2011 2:13 pm    Post subject:

> eld101 wrote: You can install something like OSSEC, which scans your logs and can notify you of port scans, brute force attempts, etc...

I forgot to mention it can also automatically block the suspect IP for a given amount of time. I think the default is 5 minutes.
haus (Joined: 03 Mar 2010, Posts: 81)

Posted: Sat Apr 30, 2011 8:44 pm    Post subject:

CSF/LFD is another option, a favorite of mine. It will detect portscanning and login failures for various services and temporarily or permanently block them.

Also, while it's not "security", moving services like SSH to higher port numbers will cut down on failed login entries, since they will be less likely to hit the right port.
eld101 (Joined: 01 Sep 2008, Posts: 63)

Posted: Sun May 01, 2011 9:34 am    Post subject:

Just found a guide to install OSSEC. It's specifically for CentOS, but I'm sure it will work for several others....

http://www.securecentos.com/extra-security/install-ossec/