This is designed to show you a method for defeating port scans under Ubuntu 10.04.03 LTS server utilizing iptables. In my opinion one of the most crucial phases of exploiting a “blackbox” system is footprinting. Footprinting is the process by which we determine what processes the server is running, obtaining information about the operating system, patch levels, and possibly even enumerating user accounts. This phase of exploitation gives an attacker an amazing advantage. As we know, you can’t particularly attack a system that isn’t “known”, well you can, but you’re firing exploit code blindly at an unknown machine at that point.
One of the most commonly used tools for footprinting a blackbox system is nmap, so in this discussion we’re going to focus on methods for defeating various nmap scans under Ubuntu 10.04. We’re going to cover two methods, the preferred method is iptables. Another will use a pre-built binary package known as psad. Even still there are other methods, utilizing the xtables addons for iptables as well as other IDS/IPS technologies. Those are outside the scope of this discussion.
The Test Subject
In this discussion we will be using a fairly standard configured Ubuntu 10.04.03 LTS Lucid Lynx Server; running rather ordinary services including a LAMP stack, OpenSSH and ProFTP. The “firewall” will simply be a ufw configured iptables, in a rather default configuration. Nothing special here.
As we can see from the below nmap snippet that this leaves a lot of information available to a potential attacker.
Now , alot of individuals are of the school that security by obscurity is useless. In this particular case I disagree. To illustrate this point we’re going to attempt to exploit our poor vm using the information we gathered from this nmap scan. Doing a quick search we see that the ProFTPD 1.3.2c service is vulnerable to a telnet based buffer overflow.
As seen from the below snippet from Metasploit we have a pre-made exploit module that will exploit this version of ProFTPD for us.
Note : There are several things to keep in mind here, this “victim” is not running apparmor, so eventually this exploit will be successful. For some strange reason Ubuntu neither backported the patch to this version of ProFTPD nor is it compiled with Stack Protection (yes there is a bug report).
As we see in this particularly case security through obscurity could save us a decent amount of trouble
So now that we’ve illustrated that we need to protect our service versions a little bit better what can we do to defeat nmap scans?
Understanding nmap and port scans
The first thing we need to understand is that not all port scans are created equally. Some port scans are typical ping scans, others simulate legitimate connections, and there are even more types, such as banner scans. So the age old “just drop icmp packets and you’re good” or, “use a stateful packet inspection firewall and you’re good”. Completely untrue. If you’d like to test that theory, you can determine if a firewall is stateful or stateless by alternating -sS and -sT options in nmap. Additionally if they’re just dropping icmp-echo requests -sS -PN will defeat that. So it becomes clear whatever action we take is going to require a little bit more interactivity.
Method 1 : iptables
We could use an iptables script such as the following for our system to defeat some common types of nmap scanning.
Now after implementing this iptables script we notice that with normal scan timings our nmap scans are much less lucrative. Yielding only the information that a host exists and is online at this IP address. We can decrease the aggressiveness of the scan and produce results however the limiting values of –update and –hitcount can be tweaked in our iptables script to mitigate this. Keep in mind, if you narrow the gap too much legitimate traffic will be dropped.
Method 2 : Applications like Bastille
There are a number of applications available, Bastille and PSAD in particular which provide this functionality in a simple binary package. I will not cover either in great depth as they both include ncurses graphical configuration interfaces.
However, there is a word of caution to be heeded with the use of these applications to defeat port scans. Unlike the iptables method these applications utilize a script which drops the offending IP’s traffic for a predetermined amount of time. Keeping this in mind an attacker, would be able to create a denial of service condition by spoofing their IP address.
If you still wish to use Bastille or PSAD they may be installed via the following methods on Ubuntu.
sudo apt-get install psad
After all of this we begin to realize that sometimes security through obscurity has its purpose. Anyone who has spent time auditing system security will understand that obtaining version information is one of the most crucial steps in the process. So anyone who is securing a system from a potential attacker would be wise to take the appropriate measures to obfuscate such information as much as possible.