Port Scanning and Firewall Configuration

Exercise is done on your NOC machine 10.X.2.1

1. "tcpdump" is a key network diagnostic tool. Install it.

       sudo apt-get install tcpdump

2. Now let's see what a port scan looks like. First run the tool and then wait for the instructor to scan your machines (he uses "nmap").

       sudo tcpdump -ln dst 10.102.186.147

   This means print out any packets destined for IP address 10.102.186.147 (-ln says "line buffer" and do not try to look up the domain name for them. This saves time while capturing packets.)

3. You should see tcpdump display each packet to 10.102.186.147 (the instructor's machine for this class). You see:

       14:35:54.169249 IP 10.200.2.1.80 > 10.102.186.147.45824: Flags [S.], seq 2190602485, ack 3057500932, win 28960, options [mss 1460,sackOK, TS val 2188886 ecr 538985142,nop,wscale 7], length 0
       14:35:54.209002 IP 10.200.2.1.81 > 10.102.186.147.54062: Flags [R.], seq 0, ack 2605987418, win 0, length 0

   showing information about source and destination IP and port number (10.200.2.1 port 80 / 10.102.186.147 port 45824) as well as other info. The "Flags [S.]" (a SYN-ACK) is an acknowledgement of a connection request to port 80. The "Flags [R.]" is a reset response for port 81, effectively letting the attacker know there is no application listening on that port.

   The instructor sees:

       PORT   STATE SERVICE
       22/tcp open  ssh
       80/tcp open  http

   indicating that services on port 22 (SSH) and 80 (WWW) are open on your NOC machines.

4. Let's make the output of tcpdump easier to read by only showing the fields we care about.

       sudo tcpdump -ln dst 10.102.186.147 | cut -f1 -d','

   The instructor will run his port scans again. You should see something like below.

       ...
       10:52:52.595612 IP 10.200.2.1 > 10.102.186.147: ICMP 10.200.2.1 udp port 138 unreachable
       10:52:52.595664 IP 10.200.2.1 > 10.102.186.147: ICMP 10.200.2.1 udp port 53 unreachable
       10:52:52.595795 IP 10.200.2.1.123 > 10.102.186.147.46088: NTPv4
       10:52:52.803765 IP 10.200.2.1.25 > 10.102.186.147.43022: Flags [R.]
       10:52:52.803822 IP 10.200.2.1.23 > 10.102.186.147.48766: Flags [R.]
       10:52:52.803890 IP 10.200.2.1.22 > 10.102.186.147.37050: Flags [S.]
       10:52:52.804066 IP 10.200.2.1.80 > 10.102.186.147.43024: Flags [S.]
       10:52:52.804122 IP 10.200.2.1.81 > 10.102.186.147.36290: Flags [R.]
       ...

5. So how do we avoid giving the attacker any response information, and control who we do and do not respond to? This can often be done in the router, but it is often also performed closer to the system we are interested in protecting. This has many valuable aspects, including compartmentalizing security. To do this, install the "iptables" firewall (and firewall logging).

       sudo apt-get install iptables ulogd

6. Now create an iptables configuration by cutting and pasting the text below into a file called "iptables". This can be in your home directory.

       *filter
       :INPUT ACCEPT [0:0]
       :FORWARD ACCEPT [0:0]
       :OUTPUT ACCEPT [0:0]
       :RH-Firewall-1-INPUT - [0:0]
       -A INPUT -j RH-Firewall-1-INPUT
       -A FORWARD -j RH-Firewall-1-INPUT
       -A RH-Firewall-1-INPUT -i lo -j ACCEPT
       -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
       # SSH
       -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
       # NS
       #-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
       #-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
       # HTTP
       -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
       # NTP
       #-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -s 10.0.0.0/8 -j ACCEPT
       # SNMP
       -A RH-Firewall-1-INPUT -p udp -m udp --dport 161 -j ACCEPT
       # SYSLOG
       -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
       # NETFLOW
       -A RH-Firewall-1-INPUT -p udp -m udp --dport 2000 -j ACCEPT
       #
       -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       # Logging - in lxc must use ulogd
       -N LOGGING
       -A RH-Firewall-1-INPUT -j LOGGING
       -A LOGGING -m limit --limit 2/min -j NFLOG --nflog-prefix "IPTables-Dropped: "
       -A LOGGING -j DROP
       #
       #-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
       #
       COMMIT

7. Now run

       sudo iptables-restore --verbose < iptables

   to install the new table settings, and

       sudo tcpdump -n dst 10.102.186.147

   to display port scanning packets again while the instructor runs his scan. What do you see?

8. What if we would like to block access to port 80 (WWW)? Make the following edit to the iptables file created above (commenting out the rule that opens the firewall for port 80):

       # HTTP
       #-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT

   and update the firewall:

       sudo iptables-restore --verbose < iptables

9. Try going to http://10.X.2.1 from your laptop. It should fail now, since the firewall is simply dropping any packets destined for port 80. Since we will need to view web pages later, restore iptables by uncommenting the above change:

       # HTTP
       -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT

   and update the firewall:

       sudo iptables-restore --verbose < iptables

   or simply "turn off" the firewall by

       sudo iptables -F

   You should now be able to visit http://10.X.2.1
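Steps 3 and 4 ask you to read the scanner's picture of your host off the tcpdump output by hand: a SYN-ACK (Flags [S.]) reply means the port is open, a reset (Flags [R.]) means closed, an ICMP "udp port N unreachable" means a closed UDP port, and an application reply such as NTPv4 means an open UDP port. The following script, an added example that is not part of the lab handout, does that bookkeeping with awk so you can see at a glance exactly what your machine told the scanner before and after the firewall is loaded. It reads tcpdump lines on stdin, either raw or after the "cut -f1 -d','" of step 4, and the sample lines embedded in it are constructed from the lab output above, not a real capture. The function name classify_scan is this example's own.

```shell
#!/bin/sh
# Summarise what a port scanner learned from our replies, given tcpdump output
# captured with "dst <scanner-ip>" (so every line is a packet we sent back).
# Reads lines on stdin; prints one "proto/port state" line per port, sorted.
classify_scan() {
  awk '
    # TCP reply: field 3 is "src.ip.addr.PORT", field 7 is "[S.]" or "[R.]"
    # (with a trailing comma when the line was not trimmed by cut).
    $6 == "Flags" {
      n = split($3, a, "."); port = a[n]
      f = $7; sub(/,$/, "", f)
      if (f == "[S.]")      tcp[port] = "open"      # SYN-ACK: something listens
      else if (f == "[R.]") tcp[port] = "closed"    # RST: nothing listens
      next
    }
    # ICMP port unreachable we generated for a UDP probe: closed UDP port.
    $6 == "ICMP" && $8 == "udp" && $11 == "unreachable" { udp[$10] = "closed"; next }
    # An application-level reply (here NTP) shows the UDP service answered.
    $6 ~ /^NTPv/ { n = split($3, a, "."); udp[a[n]] = "open (answered)" }
    END {
      for (p in tcp) printf "tcp/%s %s\n", p, tcp[p]
      for (p in udp) printf "udp/%s %s\n", p, udp[p]
    }' | sort -t/ -k1,1 -k2,2n
}

# Constructed sample modelled on the lab output (cut form plus one raw line).
SAMPLE='10:52:52.595612 IP 10.200.2.1 > 10.102.186.147: ICMP 10.200.2.1 udp port 138 unreachable
10:52:52.595664 IP 10.200.2.1 > 10.102.186.147: ICMP 10.200.2.1 udp port 53 unreachable
10:52:52.595795 IP 10.200.2.1.123 > 10.102.186.147.46088: NTPv4
10:52:52.803765 IP 10.200.2.1.25 > 10.102.186.147.43022: Flags [R.]
10:52:52.803822 IP 10.200.2.1.23 > 10.102.186.147.48766: Flags [R.]
10:52:52.803890 IP 10.200.2.1.22 > 10.102.186.147.37050: Flags [S.]
10:52:52.804066 IP 10.200.2.1.80 > 10.102.186.147.43024: Flags [S.]
10:52:52.804122 IP 10.200.2.1.81 > 10.102.186.147.36290: Flags [R.]
14:35:54.169249 IP 10.200.2.1.80 > 10.102.186.147.45824: Flags [S.], seq 2190602485, ack 3057500932, win 28960, length 0'

# Demo on the constructed sample. In the lab you would instead run:
#   sudo tcpdump -ln dst 10.102.186.147 | classify_scan
printf '%s\n' "$SAMPLE" | classify_scan
```

On the sample this prints tcp/22 and tcp/80 as open, tcp/23, 25 and 81 as closed, udp/53 and udp/138 as closed and udp/123 as answered. After the step 6 ruleset is loaded, a closed TCP port no longer produces a reset and a closed UDP port no longer produces an ICMP unreachable (the packet is silently dropped and logged), so those lines simply disappear from the capture and from this summary; only the ports the ruleset accepts still show up. Note that tcpdump needs -l when piped, otherwise its output is block-buffered and appears late.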
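Steps 8 and 9 have you comment and uncomment the HTTP rule by hand and then reload with iptables-restore. The script below is an added example, not part of the lab handout, that makes the same edit mechanically and lets you check which TCP ports a ruleset file would accept before you load it, which is the check you want when a typo in a hand edit would otherwise lock you out of SSH. It works on a copy of the lab's ruleset embedded as a constructed string (trimmed to the rules that matter for this step); the function names accepted_tcp_ports, block_port and allow_port are this example's own.

```shell
#!/bin/sh
# Helpers for editing and sanity-checking an iptables-restore file such as the
# one built in step 6. The only rules touched are the per-port ACCEPT lines of
# the form "-A RH-Firewall-1-INPUT -p tcp -m tcp --dport N -j ACCEPT".

# List the TCP destination ports the file will ACCEPT (commented lines start
# with "#", so they are ignored automatically).
accepted_tcp_ports() {
  awk '/^-A RH-Firewall-1-INPUT / && / -p tcp / && / -j ACCEPT/ {
         for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
       }' "$1"
}

# Comment out the ACCEPT rule for a TCP port (what step 8 does for port 80).
# The pattern is anchored at both ends so port 2 cannot match port 22.
block_port() {
  f=$1; port=$2
  sed "s/^\(-A RH-Firewall-1-INPUT -p tcp -m tcp --dport ${port} -j ACCEPT\)\$/#\1/" "$f" > "$f.tmp" \
    && mv "$f.tmp" "$f"
}

# Uncomment it again (what step 9 does to restore the web server).
allow_port() {
  f=$1; port=$2
  sed "s/^#\(-A RH-Firewall-1-INPUT -p tcp -m tcp --dport ${port} -j ACCEPT\)\$/\1/" "$f" > "$f.tmp" \
    && mv "$f.tmp" "$f"
}

# Constructed ruleset: the step 6 file reduced to the lines relevant here.
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# SSH
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# HTTP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-N LOGGING
-A RH-Firewall-1-INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j NFLOG --nflog-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
COMMIT'

# Demo: write the ruleset to a scratch file, block port 80, then re-allow it.
demo_file=$(mktemp)
printf '%s\n' "$RULESET" > "$demo_file"
echo "accepted before: $(accepted_tcp_ports "$demo_file" | tr '\n' ' ')"
block_port "$demo_file" 80
echo "accepted after block_port 80: $(accepted_tcp_ports "$demo_file" | tr '\n' ' ')"
allow_port "$demo_file" 80
echo "accepted after allow_port 80: $(accepted_tcp_ports "$demo_file" | tr '\n' ' ')"
rm -f "$demo_file"
```

In the lab, the workflow for step 8 becomes "block_port iptables 80; accepted_tcp_ports iptables" (expect only 22), then "sudo iptables-restore --verbose < iptables", and step 9 is the same with allow_port. After loading, "sudo iptables -L -n -v" shows the live chains with packet counters, so you can watch the LOGGING chain's DROP counter climb while the instructor scans. On the "turn off" shortcut in step 9: "iptables -F" only flushes the rules; the default policies stay as the file set them, and since this file sets INPUT to ACCEPT the flush does disable filtering, but with a DROP policy it would lock everything out instead.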