Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
Listing your firewall rules with iptables -L is the main tool available for checking for open ports. Open ports are defined to be open by your ACCEPT rules. Beyond the iptables -L command, other tools such as netstat are helpful for finding out what ports are listening on the firewall. netstat has several uses. In the next section, we'll use it to check for active ports so that we can double-check that the TCP and UDP ports in use are the ports that the firewall rules are accounting for. Just because netstat reports the port as listening or open doesn't mean that it's accessible through the firewall rules. Following this, two third-party port-scanning toolsstrobe and nmapare introduced. These tools should be used from an external location to test exactly which ports are listening on the firewall. netstat is a good indicator of services that are running on the machine. Remember, if the service isn't absolutely necessary, you should disable it and consider removing it entirely, especially from a firewall. Let firewalls be firewallsthey shouldn't run extra services. netstat -a [ -n -p -A inet ]
netstat reports various network status information. Quite a few command-line options are documented to select what information netstat reports. The following options are useful for identifying open ports, reporting whether they are in active use and by whom, and reporting which programs and which specific processes are listening on the ports:
The following netstat output is limited to the INET domain sockets. The listing reports all ports being listened to by network services, including the program name and the specific process ID of the listening program: > netstat -a -p -A inet 1. Active Internet connections (servers and established) 2. Proto Recv-Q Send-Q Local Address Foreign Address State PID/ Program name 3. tcp 0 143 internal:ssh netserver:62360 ESTABLISHED 15392/sshd 4. tcp 0 0 *:smtp *:* LISTEN 3674/sendmail: acce 5. tcp 0 0 my.host.domain:www *:* LISTEN 638/httpd 6. tcp 0 0 internal:domain *:* LISTEN 588/named 7. tcp 0 0 localhost:domain *:* LISTEN 588/named 8. tcp 0 0 *:pop-3 *:* LISTEN 574/xinetd 9. udp 0 0 *:domain *:* 588/named 10. udp 0 0 internal:domain *:* 588/named 11. udp 0 0 localhost:domain *:* 588/named
Line 1 identifies the listing as including local servers and active Internet connections. This selection was indicated with the -A inet option to netstat. Line 2 contains these column headings:
Line 3 shows that an SSH connection is established over the internal LAN network interface from a machine known as netserver. The netstat command was typed from this connection. Line 4 is a sendmail listening for incoming mail on the SMTP port associated with all network interfaces, including the external interface connected to the Internet, the internal LAN interface, and the loopback, localhost interface. Line 5 shows that a local web server is listening for connections on the external interface to the Internet. Line 6 shows that the name server is listening on the internal LAN interface for DNS lookup connection requests from local machines over TCP. Line 7 shows that the name server is listening on the loopback interface for DNS lookup connection requests from clients on this machine over TCP. Line 8 shows that xinetd is listening for connections on the POP port associated with all interfaces on behalf of popd. (xinetd is listening on all interfaces for incoming POP connections. If a connection request arrives, xinetd starts a popd server to service the request.) The firewall and higher-level security mechanisms at the tcp_wrappers level and the popd configuration level limit incoming connections to the LAN machines. Line 9 shows that the name server is listening on all interfaces for DNS server-to-server communications and is accepting local lookup requests over UDP. Line 10 shows that the name server is listening on the internal LAN network interface for DNS server-to-server communications and lookup requests over UDP. Line 11 shows that the name server is listening on the loopback interface for DNS lookup requests from local clients on this machine over UDP.
Idle servers listening over the TCP protocol are reported as listening for a connection request. Idle servers listening over the UDP protocol are reported as blank. UDP has no statethe netstat output is simply making a distinction between stateful TCP and stateless UDP. Checking a Process Bound to a Particular Port with fuser
The fuser command identifies which processes are using a particular file, filesystem, or network port. netstat -a -A inet will report a port number rather than a service name if the port doesn't have an entry in /etc/services. fuser can be useful to determine which program is bound to that port. The general fuser command format to identify which program is bound to a given port is as follows: fuser -n tcp|udp -v <port number>[,<remote address>[,<remote port>] For example, > fuser -n tcp -v 515
produces the following output: USER PID ACCESS COMMAND 515/tcp root 718 f.... lpd The -v option produces the USER, ACCESS, and COMMAND fields. Without the -v option, the port/protocol and PID would be reported. You would need to use ps to identify the program assigned that process id. The access field codes refer to the type of access that the file or filesystem is being accessed by the process as. The f indicates that the object is open. The next two sections describe two third-party tools available from the Internet: strobe and nmap. strobe
strobe is a simple TCP port scanner. Use it to report which TCP ports are open on your network interfaces. strobe is available at http://metalab.unc.edu/pub/Linux/ system/ network/admin. The following sample strobe output reports the TCP ports where strobe has found servers listening. strobe's default output includes the scanned hostname and the entry from /etc/services describing the port. With a firewall installed, additional servers could be running on the machine, as well, hidden behind publicly blocked ports: > strobe firewall strobe 1.04 (c) 1995-1997 Julian Assange (proff@suburbia.net). firewall ssh 22/tcp # SSH Remote Login Protocol firewall smtp 25/tcp mail firewall domain 53/tcp nameserver # name-domain server firewall http 80/tcp www www-http # WorldWideWeb HTTP firewall auth 113/tcp authentication tap ident nmap
nmap is a much more powerful network security auditing tool that includes many of the newer stealth scanning techniques in use today. You should check your system security with nmap; it's a given that other people will. nmap is available at http://www.insecure.org/nmap/. You should use nmap from a host outside of your firewall to check that the firewall isn't listening on unexpected ports. The following sample nmap output reports the state of all TCP and UDP ports. Because the verbose option isn't used, nmap reports only the ports that are open and that have servers listening on them. nmap output includes the scanned hostname, IP address, port, open or closed state, transport protocol in use on that port, and symbolic service port name from /etc/ services. Because choke is an internal host, additional ssh and ftp ports are open for internal LAN access: > nmap -sT router Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ ) Interesting ports on choke.private.lan (192.168.1.2): (The 3100 ports scanned but not shown below are in state: filtered) Port State Service 21/tcp open ftp 22/tcp open ssh 53/tcp open domain 80/tcp open http 443/tcp open https Nmap run completed -- 1 IP address (1 host up) scanned in 236 seconds
|
Категории