Send a bad ip connection back to himself


Postby Frenki » 2017-05-13 06:35

Hi,

I'd like to know if someone knows a way in which I can reroute an incoming connection on any port back to himself?
My server is targeted by this &^%&^% IP which is port-scanning every few minutes.

I'd like to send his connection back to himself so that he basically is scanning his own ports.
Is this possible? I'm running UFW as a firewall due to the fact that the IPTABLES setup is out of my league.

Thanks for reading my question and an even bigger thanks if you have a solution for my problem!

Grtz Frenki
Frenki
 
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

Postby debiman » 2017-05-13 10:20

i think the common practice is to block the %^&%^& IP in question, or ignore its requests.
consider using fail2ban.

if something like what you want is possible, i'd be interested.
debiman
 
Posts: 1524
Joined: 2013-03-12 07:18

Re: Send a bad ip connection back to himself

Postby dasein » 2017-05-13 14:09

Frenki wrote:I'd like to know if someone knows a way in which I can reroute an incoming connection on any port back to himself?

Your question assumes that the "true" origin is not subject to spoof. Even if that assumption were correct (and it absolutely isn't), your question further assumes that escalation on your part won't provoke a retaliatory response.

I understand your frustration, but escalation probably isn't the right answer. Just ban the IP and let it go.
dasein
 
Posts: 7775
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Send a bad ip connection back to himself

Postby Frenki » 2017-05-13 23:26

debiman wrote:i think the common practice is to block the %^&%^& IP in question, or ignore its requests.
consider using fail2ban.

if something like what you want is possible, i'd be interested.


I don't use DenyHosts/fail2ban since the server is not open for connections other than myself.
All ports are closed. There is only 1 connection allowed.
The server has a cron checking what my IP at home is (using DDNS).
In case my IP changes it will update the UFW rule: remove the old IP and allow my latest IP.

Thanks for your answer.
Frenki
 
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

Postby Frenki » 2017-05-13 23:29

dasein wrote:
Frenki wrote:I'd like to know if someone knows a way in which I can reroute an incoming connection on any port back to himself?

Your question assumes that the "true" origin is not subject to spoof. Even if that assumption were correct (and it absolutely isn't), your question further assumes that escalation on your part won't provoke a retaliatory response.

I understand your frustration, but escalation probably isn't the right answer. Just ban the IP and let it go.


You are right, escalation is never good.
Well, I guess the best thing to do is just use:
route add -host this_bad_ip reject

Thanks for your answer
Frenki
 
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

Postby debiman » 2017-05-14 09:11

Frenki wrote:I don't use DenyHosts/fail2ban since the server is not open for connections other than myself.
All ports are closed. There is only 1 connection allowed.

then how can there be a "bad ip connection"???
debiman
 
Posts: 1524
Joined: 2013-03-12 07:18

Re: Send a bad ip connection back to himself

Postby Frenki » 2017-05-14 10:20

debiman wrote:
Frenki wrote:I don't use DenyHosts/fail2ban since the server is not open for connections other than myself.
All ports are closed. There is only 1 connection allowed.

then how can there be a "bad ip connection"???


I see them in the firewall log before I reject the connection with route.
This "bad IP" is not just one IP, it's a huge list of different IPs. I have a 3-strikes-out policy before rejecting with route.
So I know that it's targeted by the same person / group of persons.
Frenki
 
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

Postby debiman » 2017-05-14 10:58

either your setup is open to the world or it isn't.
which one is it?
you said it isn't open to the world (the server is not open for connections other than myself), yet you are getting connection requests from outside?
it can't be both.
debiman
 
Posts: 1524
Joined: 2013-03-12 07:18

Re: Send a bad ip connection back to himself

Postby GarryRicketson » 2017-05-14 11:49

Frenki wrote:
I don't use DenyHosts/fail2ban----snip

You still should be using fail2ban or something.
Frenki >>> it's a huge list of different IPs

Yes, that is normal, there are 100's or more, maybe 1000's, and they are
constantly trying to access; they scan for open ports and will try. There is
nothing that can be done to stop that.
I could show a list, and I would bet most of the ones on my list are the same ones you are seeing.
This is not really a Debian issue; it happens to any server no matter what
the OS is.
Frenki >> So I know that it's targeted by the same person / group of persons

They are not "persons" nor groups, and your server is not so special that
it has been selected by someone as a "target". These are "bots", and they scan the IP blocks, or ranges, looking for anything they can connect to, scan the ports, and if they do find one open they start trying various passwords, etc.
Of course, yes, there are people (humans) behind the machines doing the scanning, but what you are seeing is "machines" trying to communicate with other machines.
Try doing some searches, key words: "How to keep a server secure";
to be more specific to Debian, "How to keep a Debian server secure".
If you want to create a "Honey Pot", the same: "how to create a honey pot on Debian". If you really want to do things like this:
Post by Frenki »I'd like to send his connection back to himself so that he basically is scanning his own ports.
Is this possible?

Then instead of "honey pot" use the words "tar pit". A "tar pit" really bogs them down, but they never stop trying.
GarryRicketson
 
Posts: 4353
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Send a bad ip connection back to himself

Postby acewiza » 2017-05-14 12:36

You are likely perceiving some sort of false positive, DNS echoes, or similar other trivial-type network behavior:

https://supportforums.cisco.com/discussion/9349121/isp-dns-server-upd-port-scanning-my-dns-server
acewiza
 
Posts: 267
Joined: 2013-05-28 12:38
Location: Out West
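An added example, not code from any poster in this thread: Frenki's "3 strikes" bookkeeping and acewiza's false-positive remark both come down to reading the [UFW BLOCK] lines in /var/log/ufw.log per source address. The script below counts blocked packets and distinct destination ports per source, so a host that probes several ports (a scan) is separated from one that hammers a single port (a repeat) and from a lone packet that only deserves a look before anything is blocked, and it emits the ufw deny commands for the sources that reach the threshold. The log lines are constructed for this example using RFC 5737 documentation addresses, and the heuristic that a single blocked UDP packet from source port 53 is probably a stray DNS reply to the server's own query is an assumption for illustration, not a rule from the thread.

```python
"""Triage [UFW BLOCK] log lines per source address: separate a port scan
from a single-port repeat and from a one-off packet that only merits a look,
then apply a "three strikes" threshold before emitting ufw deny commands.

Added example for this thread, not any poster's code. SAMPLE_LOG is
constructed (RFC 5737 addresses, RFC 7042 MACs); the stray-reply heuristic
is an assumption for illustration."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

STRIKES = 3      # the thread's "3 strikes out" policy: block on the third hit
SCAN_PORTS = 3   # this many distinct destination ports from one source = scan

BLOCK_MARK = "[UFW BLOCK]"
# The KEY=VALUE fields of a UFW/netfilter log line that matter for triage.
KV = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample, in the shape UFW writes to /var/log/ufw.log:
# one source sweeping four ports, one stray DNS answer, one source
# hitting SSH three times, and an unrelated sshd line that must be ignored.
_MAC = "MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00"
SAMPLE_LOG = f"""\
May 14 10:20:01 vps kernel: [ 1201.10] [UFW BLOCK] IN=eth0 OUT= {_MAC} SRC=203.0.113.5 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 14 10:20:01 vps kernel: [ 1201.11] [UFW BLOCK] IN=eth0 OUT= {_MAC} SRC=203.0.113.5 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=43210 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May 14 10:20:02 vps kernel: [ 1202.03] [UFW BLOCK] IN=eth0 OUT= {_MAC} SRC=203.0.113.5 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=43210 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
May 14 10:20:02 vps kernel: [ 1202.04] [UFW BLOCK] IN=eth0 OUT= {_MAC} SRC=203.0.113.5 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=43210 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
May 14 10:21:15 vps kernel: [ 1275.40] [UFW BLOCK] IN=eth0 OUT= {_MAC} SRC=192.0.2.53 DST=198.51.100.7 LEN=73 TOS=0x00 PREC=0x00 TTL=58 ID=5 PROTO=UDP SPT=53 DPT=41234 LEN=53
May 14 10:22:40 vps kernel: [ 1360.01] [UFW BLOCK] IN=eth0 OUT= {_MAC} SRC=198.51.100.200 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 14 10:22:41 vps kernel: [ 1361.02] [UFW BLOCK] IN=eth0 OUT= {_MAC} SRC=198.51.100.200 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 14 10:22:42 vps kernel: [ 1362.03] [UFW BLOCK] IN=eth0 OUT= {_MAC} SRC=198.51.100.200 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 PROTO=TCP SPT=51002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 14 10:23:00 vps sshd[1234]: Accepted publickey for frenki from 192.0.2.10 port 50000 ssh2
"""


def parse_block_line(line: str) -> Dict[str, str]:
    """Return SRC/DST/PROTO/SPT/DPT of a [UFW BLOCK] line; {} for any other line."""
    if BLOCK_MARK not in line:
        return {}
    return dict(KV.findall(line))


def triage(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Per source: number of blocked packets, distinct (proto, dport) pairs, verdict."""
    hits: Dict[str, int] = defaultdict(int)
    ports: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    stray: Set[str] = set()
    for line in lines:
        fields = parse_block_line(line)
        src = fields.get("SRC")
        if not src:
            continue
        hits[src] += 1
        ports[src].add((fields.get("PROTO", "?"), fields.get("DPT", "-")))
        # Heuristic (assumption): UDP *from* port 53 to a high port on us looks
        # like a late DNS answer to our own query, not a probe.
        if fields.get("PROTO") == "UDP" and fields.get("SPT") == "53":
            stray.add(src)
    report: Dict[str, Dict[str, object]] = {}
    for src, n in hits.items():
        distinct = len(ports[src])
        if distinct >= SCAN_PORTS:
            verdict = "scan"       # one source walking several ports
        elif src in stray and n < STRIKES:
            verdict = "review"     # probably noise: look before blocking
        elif n >= STRIKES:
            verdict = "repeat"     # same port, third strike reached
        else:
            verdict = "noise"
        report[src] = {"hits": n, "ports": distinct, "verdict": verdict}
    return report


def to_block(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Sources the policy says to block, in a stable order."""
    return sorted(src for src, r in report.items() if r["verdict"] in ("scan", "repeat"))


def ufw_deny_commands(ips: Iterable[str]) -> List[str]:
    """'insert 1' places the deny ahead of every allow; ufw is first-match,
    so a deny appended after an allow for the same traffic would never fire."""
    return [f"ufw insert 1 deny from {ip} to any" for ip in ips]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for src, row in result.items():
        print(f"{src:16} hits={row['hits']} ports={row['ports']} -> {row['verdict']}")
    for cmd in ufw_deny_commands(to_block(result)):
        print(cmd)
```

Run against the real file with `triage(open("/var/log/ufw.log"))`; with `ufw default deny incoming` already in place the explicit deny rules are bookkeeping (the packets were being dropped anyway), which is why the "review" verdict exists: the one-off UDP answer should be understood, not added to a blocklist.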

Re: Send a bad ip connection back to himself

Postby Frenki » 2017-05-16 02:24

debiman wrote:either your setup is open to the world or it isn't.
which one is it?
you said it isn't open to the world (the server is not open for connections other than myself), yet you are getting connection requests from outside?
it can't be both.


What I mean by that is the following (perhaps I used the wrong terminology for that; if so, sorry!):

In my UFW I have a rule allowing only my IP.
The rest obviously will be blocked/dropped, if that is the correct term.
There is no other rule which opens ports.

I run a cron that checks if my IP has been changed via DDNS.
If so, then the rule will be removed and my new IP added so that I can get into the server.

Right now I also have a cron adding: route add -host blocked_ufw_ip reject
If you know how I can do the route the other way around, that would be great.
Somewhat like (probably wrong the way I write it in the example below):
route add -host my_ip allow
route add -host all_except_my_ip reject
That means I don't have to go through the logs and reject all connections trying to get in.

I'm new to Linux servers but have been using several Linux desktops for a while.
I can write bash, Python, C#, PHP, JavaScript.
This server is just for me to experiment and learn about servers.
I'd like to secure my server manually instead of running packages which obviously I don't really know what they do in the background.
I understand how they work, but I want to learn to do that myself, and also preferably not after a log entry is made but instantly when a connection comes in my scripts will be triggered.
Later on, if I create a production server, I want to have the knowledge, like using pam.d to validate who is trying to get in, then based on the session result block or allow the connection.

So far I have found incron, a package that is useful to act instantly when files on the system change.
I can grep the sshd session when the auth.log changes to see if it is correct or not; if yes then the IP will be added to safe_list, else it will be blocked and added to blocked_ips.
Bear with me please since I'm new to servers and just want to learn how to secure my server without using premade tools/packages.

Thanks for answering my post! :D
Frenki
 
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

Postby Frenki » 2017-05-16 02:27

GarryRicketson wrote:
Frenki wrote:
I don't use DenyHosts/fail2ban----snip.


Thanks for the information about Honey Pot and Tar Pit.
These I will definitely look into :D
Since I'm sure this is something I'd like to do with my learning VPS server.

I've been using pentesting platforms like BackTrack and Kali.
So this is really stuff which interests me a lot.

I'm a guy who has a passion for learning programming and networking.
So these 2 terms you gave are definitely added to my todo list for digging into!
Again thanks a lot m8. Cheers! 8)
Frenki
 
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

Postby Frenki » 2017-05-16 02:34

acewiza wrote:You are likely perceiving some sort of false positive, DNS echoes, or similar other trivial-type network behavior:

https://supportforums.cisco.com/discussion/9349121/isp-dns-server-upd-port-scanning-my-dns-server


That may be a possibility, yet again,
I want to close anything other than myself connecting to the server, or people I give access to.
So no spiders, bots, port scanners, brute-forcers, anything you can name, will be allowed to connect to my server.
Frenki
 
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

Postby reinob » 2017-05-16 10:34

Frenki wrote:
acewiza wrote:You are likely perceiving some sort of false positive, DNS echoes, or similar other trivial-type network behavior:

https://supportforums.cisco.com/discussion/9349121/isp-dns-server-upd-port-scanning-my-dns-server


That may be a possibility, yet again,
I want to close anything other than myself connecting to the server, or people I give access to.
So no spiders, bots, port scanners, brute-forcers, anything you can name, will be allowed to connect to my server.


You may also want to read about port knocking.
(since you mentioned you're learning..)
reinob
 
Posts: 520
Joined: 2014-06-30 11:42

Re: Send a bad ip connection back to himself

Postby Frenki » 2017-05-16 11:46

reinob wrote:
Frenki wrote:
acewiza wrote:You are likely perceiving some sort of false positive, DNS echoes, or similar other trivial-type network behavior:

https://supportforums.cisco.com/discussion/9349121/isp-dns-server-upd-port-scanning-my-dns-server


That may be a possibility, yet again,
I want to close anything other than myself connecting to the server, or people I give access to.
So no spiders, bots, port scanners, brute-forcers, anything you can name, will be allowed to connect to my server.


You may also want to read about port knocking.
(since you mentioned you're learning..)


Well, I've been digging into that before.
I am able to set that up using my other webserver.
User clicks a (protected) link on my website.
Then the webserver sends a signal to my SSH server letting it know this IP wants access.
Add a rule to allow that person. And done. That's easy to achieve.

Still I'm searching for a way to totally block connections, not filter them with a firewall.
Basically just like the route command rejecting a host by IP,
but I'd like to allow a host by IP and make a route command to reject all the others.
Can't seem to find that since it's hard for me to formulate what I'd like to achieve in a search engine.
If I search, all I get is IPTABLES.
Yet IPTABLES means they already connected to the server and then face the firewall.
I don't want them even to reach the firewall, since I know what is allowed to come in.
I'm not sure if what I want is possible, though, but I'm certain that if I can use route to reject one connection,
it almost must be possible to reject all except 1 or more defined IPs.
Frenki
 
Posts: 9
Joined: 2017-05-13 06:29
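An added example, not Frenki's cron or any poster's code: what he describes in his 02:24 post and asks for again here, a default-deny UFW policy with a single allow rule that follows a DDNS hostname, written out in Python (which he says he writes). The hostname home.example.net, the state file path and the assumption that the one permitted service is SSH on TCP/22 are placeholders for this example. The detail a practitioner cares about is the order of operations: the allow for the new address is installed before the allow for the old address is deleted, so a failure between the two steps never locks you out. With `ufw default deny incoming` in place, packets from every other address are dropped by netfilter before any listening service sees them, which is the allow-one-reject-the-rest behaviour being asked for.

```python
"""Keep a single UFW allow rule pointed at the current address of a DDNS
hostname, on top of a default-deny inbound policy.

Added example for this thread, not any poster's code. Placeholders
(assumptions): DDNS_HOST, STATE_FILE, and that the one permitted service is
SSH on TCP/22. Meant to run from root's cron every few minutes."""
import ipaddress
import socket
import subprocess
from pathlib import Path
from typing import Callable, List, Optional

DDNS_HOST = "home.example.net"                        # placeholder DDNS name
STATE_FILE = Path("/var/lib/ddns-allow/current_ip")   # placeholder state path
SSH_PORT = "22"                                       # the one allowed service

Cmd = List[str]


def ssh_rule(ip: str) -> Cmd:
    """ufw rule spec for 'only this address may reach SSH'."""
    return ["allow", "from", ip, "to", "any", "port", SSH_PORT, "proto", "tcp"]


def bootstrap_commands(my_ip: str) -> List[Cmd]:
    """One-time setup: drop everything inbound by default, allow outbound,
    open SSH to exactly one address. Run once, then `ufw enable`."""
    ipaddress.ip_address(my_ip)           # raises ValueError on garbage
    return [
        ["ufw", "default", "deny", "incoming"],
        ["ufw", "default", "allow", "outgoing"],
        ["ufw"] + ssh_rule(my_ip),
    ]


def plan(old_ip: Optional[str], new_ip: str) -> List[Cmd]:
    """Commands that move the allow rule from old_ip to new_ip.
    Order matters: add the new allow first, delete the old one second, so a
    crash between the two steps always leaves one working rule behind."""
    ipaddress.ip_address(new_ip)
    if old_ip is not None:
        ipaddress.ip_address(old_ip)
    if old_ip == new_ip:
        return []                          # address unchanged: touch nothing
    cmds = [["ufw"] + ssh_rule(new_ip)]
    if old_ip is not None:
        cmds.append(["ufw", "delete"] + ssh_rule(old_ip))
    return cmds


def run_ufw(cmd: Cmd) -> None:
    """Execute one ufw command; a non-zero exit aborts the update so the
    state file is never advanced past a rule that was not installed."""
    subprocess.run(cmd, check=True)


def update(host: str = DDNS_HOST,
           state: Path = STATE_FILE,
           resolve: Callable[[str], str] = socket.gethostbyname,
           run: Callable[[Cmd], None] = run_ufw) -> List[Cmd]:
    """Resolve the DDNS name, reconcile the rule, remember the new address.
    `resolve` and `run` are injectable so the logic can be exercised offline."""
    new_ip = resolve(host)
    old_ip = state.read_text().strip() if state.exists() else None
    cmds = plan(old_ip, new_ip)
    for cmd in cmds:
        run(cmd)
    if cmds:
        state.parent.mkdir(parents=True, exist_ok=True)
        state.write_text(new_ip + "\n")
    return cmds


if __name__ == "__main__":
    for applied in update():
        print("applied:", " ".join(applied))
```

`ufw delete allow from ...` takes the same rule text that created the rule, so keeping `ssh_rule()` as the single source of that text guarantees the delete matches what was added. Re-adding an already present rule is harmless (ufw reports it as existing and exits 0), which is why a missing state file is treated as "no previous address" rather than an error.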
