Defeating Port Scans Using iptables

Introduction

This is designed to show you a method for defeating port scans under Ubuntu 10.04.03 LTS server utilizing iptables. In my opinion one of the most crucial phases of exploiting a “blackbox” system is footprinting. Footprinting is the process by which we determine what processes the server is running, obtaining information about the operating system, patch levels, and possibly even enumerating user accounts. This phase of exploitation gives an attacker an amazing advantage. As we know, you can’t particularly attack a system that isn’t “known”, well you can, but you’re firing exploit code blindly at an unknown machine at that point.

One of the most commonly used tools for footprinting a blackbox system is nmap, so in this discussion we’re going to focus on methods for defeating various nmap scans under Ubuntu 10.04. We’re going to cover two methods, the preferred method is iptables. Another will use a pre-built binary package known as psad. Even still there are other methods, utilizing the xtables addons for iptables as well as other IDS/IPS technologies. Those are outside the scope of this discussion.

The Test Subject

In this discussion we will be using a fairly standard configured Ubuntu 10.04.03 LTS Lucid Lynx Server; running rather ordinary services including a LAMP stack, OpenSSH and ProFTP. The “firewall” will simply be a ufw configured iptables, in a rather default configuration. Nothing special here.

As we can see from the below nmap snippet that this leaves a lot of information available to a potential attacker.
…snip…

oo.JPG

Now , alot of individuals are of the school that security by obscurity is useless. In this particular case I disagree. To illustrate this point we’re going to attempt to exploit our poor vm using the information we gathered from this nmap scan. Doing a quick search we see that the ProFTPD 1.3.2c service is vulnerable to a telnet based buffer overflow.

As seen from the below snippet from Metasploit we have a pre-made exploit module that will exploit this version of ProFTPD for us.
…snip…

00.JPG

Note : There are several things to keep in mind here, this “victim” is not running apparmor, so eventually this exploit will be successful. For some strange reason Ubuntu neither backported the patch to this version of ProFTPD nor is it compiled with Stack Protection (yes there is a bug report).

As we see in this particularly case security through obscurity could save us a decent amount of trouble🙂

The Countermeasures

So now that we’ve illustrated that we need to protect our service versions a little bit better what can we do to defeat nmap scans?

Understanding nmap and port scans

The first thing we need to understand is that not all port scans are created equally. Some port scans are typical ping scans, others simulate  legitimate connections, and there are even more types, such as banner scans. So the age old “just drop icmp packets and you’re good” or, “use a stateful packet inspection firewall and you’re good”. Completely untrue. If you’d like to test that theory, you can determine if a firewall is stateful or stateless by alternating -sS and -sT options in nmap. Additionally if they’re just dropping icmp-echo requests -sS -PN will defeat that. So it becomes clear whatever action we take is going to require a little bit more interactivity.

Method 1 : iptables

We could use an iptables script such as the following for our system to defeat some common types of nmap scanning.

firewall.gif

\0/

Now after implementing this iptables script we notice that with normal scan timings our nmap scans are much less lucrative. Yielding only the information that a host exists and is online at this IP address. We can decrease the aggressiveness of the scan and produce results however the limiting values of –update and –hitcount can be tweaked in our iptables script to mitigate this. Keep in mind, if you narrow the gap too much legitimate traffic will be dropped.

…snip…

 

Method 2 : Applications like Bastille

There are a number of applications available, Bastille and PSAD in particular which provide this functionality in a simple binary package. I will not cover either in great depth as they both include ncurses graphical configuration interfaces.

However, there is a word of caution to be heeded with the use of these applications to defeat port scans. Unlike the iptables method these applications utilize a script which drops the offending IP’s traffic for a predetermined amount of time. Keeping this in mind an attacker, would be able to create a denial of service condition by spoofing their IP address.

If you still wish to use Bastille or PSAD they may be installed via the following methods on Ubuntu.

sudo apt-get install Bastille

or

sudo apt-get install psad

Conclusions

After all of this we begin to realize that sometimes security through obscurity has its purpose. Anyone who has spent time auditing system security will understand that obtaining version information is one of the most crucial steps in the process. So anyone who is securing a system from a potential attacker would be wise to take the appropriate measures to obfuscate such information as much as possible.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s