Send a bad ip connection back to himself

Linux Kernel, Network, and Services configuration.
Frenki
Posts: 9
Joined: 2017-05-13 06:29

Send a bad ip connection back to himself

#1 Post by Frenki »

Hi,

I'd like to know if someone knows a way in which I can reroute an incoming connection on any port back to himself?
My server is targeted by this &^%&^% ip which is portscanning every few minutes.

I'd like to send his connection back to himself so that he basically is scanning his own ports.
Is this possible? I'm running UFW as firewall due to the fact that IPTABLES setup is out of my league.

Thanks for reading my question and even bigger thanks if you have a solution for my problem!

Grtz Frenki

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Send a bad ip connection back to himself

#2 Post by debiman »

i think the common practice is to block the %^&%^& IP in question, or ignore its requests.
consider using fail2ban.

if something like what you want is possible, i'd be interested.

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Send a bad ip connection back to himself

#3 Post by dasein »

Frenki wrote:I'd like to know if someone knows a way in which I can reroute an incoming connection on any port back to himself?
Your question assumes that the "true" origin is not subject to spoof. Even if that assumption were correct (and it absolutely isn't), your question further assumes that escalation on your part won't provoke a retaliatory response.

I understand your frustration, but escalation probably isn't the right answer. Just ban the IP and let it go.

Frenki
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

#4 Post by Frenki »

debiman wrote:i think the common practice is to block the %^&%^& IP in question, or ignore its requests.
consider using fail2ban.

if something like what you want is possible, i'd be interested.
I don't use DenyHosts/fail2ban since the server is not open for connections other than myself.
All ports are closed. There is only 1 connection allowed.
The server has a cron checking what my IP at home is (using DDNS).
In case my IP changes it will update the UFW rule, remove the old IP and allow my latest IP.

Thanks for your answer.

Frenki
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

#5 Post by Frenki »

dasein wrote:
Frenki wrote:I'd like to know if someone knows a way in which I can reroute an incoming connection on any port back to himself?
Your question assumes that the "true" origin is not subject to spoof. Even if that assumption were correct (and it absolutely isn't), your question further assumes that escalation on your part won't provoke a retaliatory response.

I understand your frustration, but escalation probably isn't the right answer. Just ban the IP and let it go.
You are right, escalation is never good.
Well, I guess the best thing to do is just use:
route add -host this_bad_ip reject

Thanks for your answer

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Send a bad ip connection back to himself

#6 Post by debiman »

Frenki wrote:I don't use DenyHosts/fail2ban since the server is not open for connections other than myself.
All ports are closed. There is only 1 connection allowed.
then how can there be a "bad ip connection"???

Frenki
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

#7 Post by Frenki »

debiman wrote:
Frenki wrote:I don't use DenyHosts/fail2ban since the server is not open for connections other than myself.
All ports are closed. There is only 1 connection allowed.
then how can there be a "bad ip connection"???
I see them in the firewall log before I reject the connection with route?
This "bad ip" is not just one IP, it's a huge list of different IPs. I have a three-strikes-out policy before rejecting with route.
So I know that it's targeted by the same person / group of persons.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Send a bad ip connection back to himself

#8 Post by debiman »

either your setup is open to the world or it isn't.
which one is it?
you said it isn't open to the world (the server is not open for connections other than myself), yet you are getting connection requests from outside?
it can't be both.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Send a bad ip connection back to himself

#9 Post by GarryRicketson »

Frenki wrote:
I don't use DenyHosts/fail2ban----snip
You still should be using fail2ban or something.
Frenki >>> it's a huge list of different IPs
Yes, that is normal, there are 100s or more, maybe 1000s, and they are
constantly trying to access; they scan for open ports and will try; there is
nothing that can be done to stop that.
I could show a list, and I would bet most of the ones on my list are the same ones you are seeing.
This is not really a Debian issue, it happens to any server no matter what
the OS is.
Frenki >> So I know that it's targeted by the same person / group of persons
They are not "persons" nor groups, and your server is not so special that
it has been selected by someone as a "target"; these are "bots", and they scan the IP blocks, or ranges, looking for anything they can connect to, scan the ports, and if they do find one open they start trying various passwords, etc.
Of course, yes, there are people (humans) behind the machines doing the scanning, but what you are seeing is "machines" trying to communicate with other machines.
Try doing some searches, key words: "How to keep a server secure",
or to be more specific to Debian, "How to keep a Debian server secure".
If you want to create a "Honey Pot", the same: "how to create a honey pot on Debian". If you really want to do things like this:
Frenki wrote: I'd like to send his connection back to himself so that he basically is scanning his own ports.
Is this possible?
then instead of "honey pot" use the words "tar pit". A "tar pit" really bogs them down, but they never stop trying.

acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Send a bad ip connection back to himself

#10 Post by acewiza »

You are likely perceiving some sort of false positive, DNS echos, or similar other trivial-type network behavior:

https://supportforums.cisco.com/discuss ... dns-server
Nobody would ever ask questions if everyone possessed encyclopedic knowledge of the man pages.

Frenki
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

#11 Post by Frenki »

debiman wrote:either your setup is open to the world or it isn't.
which one is it?
you said it isn't open to the world (the server is not open for connections other than myself), yet you are getting connection requests from outside?
it can't be both.
What I mean by that is the following (perhaps I used the wrong terminology for that; if so, sorry!)

In my UFW I have a rule allowing only my IP.
The rest obviously will be blocked/dropped, if that is the correct term.
There is no other rule which opens ports.

I run a cron that checks if my IP has been changed via DDNS.
If so, then the rule will be removed and my new IP added so that I can get into the server.

Right now I also have a cron adding: route add -host blocked_ufw_ip reject
If you know how I can do the route the other way around, that would be great.
Somewhat like (probably wrong the way I write it in the example below):
route add -host my_ip allow
route add -host all_except_my_ip reject
That means I don't have to go through the logs and reject all connections trying to get in.

I'm new to Linux servers but have been using several Linux desktops for a while.
I can write bash, python, C#, php, javascript.
This server is just for me to experiment and learn about servers.
I'd like to do securing my server manually instead of running packages which obviously I don't really know what they do in the background.
I understand how they work, but I want to learn to do that myself, and also preferably not after a log entry is made but instantly when a connection comes in my scripts will be triggered.
Later on, if I create a production server, I want to have the knowledge, like using pam.d to validate who is trying to get in and then, based on the session result, block or allow the connection.

So far I have found incron, a package that is useful to act instantly when files on the system change.
I can grep the sshd session when the auth.log changes to see if it is correct or not; if yes then the IP will be added to safe_list, else it will be blocked and added to blocked_ips.
Bear with me please since I'm new to servers and just want to learn how to secure my server without using premade tools/packages.

Thanks for answering my post! :D
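The auth.log check Frenki sketches above (an incron job reads the log on change, applies the three-strikes rule from post #7, and rejects the source with a route), as an added example that is not Frenki's script. It assumes Debian's default sshd log format, a constructed log excerpt embedded in the block, and STRIKES as the threshold; it prints the blocking command rather than running it so it can be dry-run unprivileged.

```shell
#!/bin/sh
# Added example, not Frenki's script: the "three strikes" check from posts #7
# and #11, run over a constructed auth.log excerpt. Counts sshd password
# failures per source address and prints the addresses that hit the limit.
# Assumed: Debian's default sshd log format; STRIKES is the threshold.

STRIKES=3

# Constructed sample log lines (not a real log). 203.0.113.7 fails three
# times, 198.51.100.23 once, and 192.0.2.10 is a successful key login.
SAMPLE_LOG=$(cat <<'EOF'
May 13 06:31:02 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 13 06:31:05 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51236 ssh2
May 13 06:31:09 vps sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May 13 06:31:12 vps sshd[2107]: Failed password for invalid user admin from 198.51.100.23 port 40001 ssh2
May 13 06:32:00 vps sshd[2110]: Accepted publickey for frenki from 192.0.2.10 port 50022 ssh2
EOF
)

# offenders LOGTEXT LIMIT -> prints, sorted, every source IP with at least
# LIMIT "Failed password" lines. Only the token after "from" is taken as the
# address; the username is attacker-controlled and is never parsed.
offenders() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }' | sort
}

# block_cmd IP -> prints the iproute2 form of Frenki's
# "route add -host IP reject": an unreachable route, so the kernel discards
# anything the server would send back to that address. Printed rather than
# executed so the whole check can be dry-run as an unprivileged user.
block_cmd() {
    printf 'ip route add unreachable %s\n' "$1"
}

# What an incron job watching /var/log/auth.log would do after each change:
for ip in $(offenders "$SAMPLE_LOG" "$STRIKES"); do
    block_cmd "$ip"           # pipe the output to "sh" as root to apply it
done
```

Note that the route only affects the server's replies; the inbound packets still reach the host and its firewall, which is the point reinob makes later in the thread, so this is a supplement to a default-deny UFW policy, not a replacement for it.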

Frenki
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

#12 Post by Frenki »

GarryRicketson wrote:
Frenki wrote:
I don't use DenyHosts/fail2ban----snip .
Thanks for the information about Honey pot and Tar pit.
These I will definitely look into :D
Since I'm sure this is something I'd like to do with my learning VPS server.

I've been using pentesting platforms like backtrack and Kali.
So this is really stuff which interests me a lot.

I'm a guy who has passion in learning programming and networking.
So these 2 terms you gave are definitely added to my todo list for digging into!
Again thanks a lot m8. Cheers! 8)

Frenki
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

#13 Post by Frenki »

acewiza wrote:You are likely perceiving some sort of false positive, DNS echos, or similar other trivial-type network behavior:

https://supportforums.cisco.com/discuss ... dns-server
That may be a possibility, yet again.
I want to close anything other than myself connecting to the server or people I give access to.
So no spiders, bots, portscanners, bruteforcers, anything you can name will be allowed connecting to my server.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Send a bad ip connection back to himself

#14 Post by reinob »

Frenki wrote:
acewiza wrote:You are likely perceiving some sort of false positive, DNS echos, or similar other trivial-type network behavior:

https://supportforums.cisco.com/discuss ... dns-server
That may be a possibility, yet again.
I want to close anything other than myself connecting to the server or people I give access to.
So no spiders, bots, portscanners, bruteforcers, anything you can name will be allowed connecting to my server.
You may also want to read about port knocking.
(since you mentioned you're learning..)

Frenki
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

#15 Post by Frenki »

reinob wrote:
Frenki wrote:
acewiza wrote:You are likely perceiving some sort of false positive, DNS echos, or similar other trivial-type network behavior:

https://supportforums.cisco.com/discuss ... dns-server
That may be a possibility, yet again.
I want to close anything other than myself connecting to the server or people I give access to.
So no spiders, bots, portscanners, bruteforcers, anything you can name will be allowed connecting to my server.
You may also want to read about port knocking.
(since you mentioned you're learning..)
Well, I've been digging into that before.
I am able to set that up, using my other webserver.
User clicks a (protected) link on my website.
Then the webserver sends a signal to my ssh server letting it know this IP wants access.
Add a rule to allow that person. And done. That's easy to achieve.

Still I'm searching for a way to totally block connections, not filter them with a firewall.
Basically just like the route command rejecting a host by IP,
but I'd like to allow a host by IP and make a route command to reject all the others.
Can't seem to find that since it's hard for me to formulate what I'd like to achieve in a search engine.
If I search, all I get is IPTABLES.
Yet IPTABLES means they already connected to the server and then face the firewall.
I don't want them even to reach the firewall, since I know what is allowed to come in.
I'm not sure if what I want is possible, though, but I'm certain that if I can use route to reject one connection,
it almost must be possible to reject all except 1 or more defined IPs.

acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Send a bad ip connection back to himself

#16 Post by acewiza »

A good troubleshooting step might be to drop one source you are presently concerned with. No need to send anything anywhere or otherwise muddy the water. Then see what if anything, breaks on your end. This should at least suggest to you if the traffic you seem to be concerned with is either legitimate, anomalous, or (unlikely) nefarious.
Nobody would ever ask questions if everyone possessed encyclopedic knowledge of the man pages.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Send a bad ip connection back to himself

#17 Post by reinob »

Frenki wrote: Still I'm searching for a way to totally block connections, not filter them with a firewall.
Basically just like the route command rejecting a host by IP,
but I'd like to allow a host by IP and make a route command to reject all the others.
Can't seem to find that since it's hard for me to formulate what I'd like to achieve in a search engine.
If I search, all I get is IPTABLES.
Yet IPTABLES means they already connected to the server and then face the firewall.
I don't want them even to reach the firewall, since I know what is allowed to come in.
I'm not sure if what I want is possible, though, but I'm certain that if I can use route to reject one connection,
it almost must be possible to reject all except 1 or more defined IPs.
Hmm.. I'm not sure you've understood how a firewall works. Basically, it does exactly what you want :)
You get to decide whether a packet is REJECTed or DROPped. In both cases, your server will see the initial connection attempt (SYN), but the connection will not be established.

You can't just reject a connection before it's even attempted!
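The "allow my IP, reject everything else" policy Frenki asked for in route syntax (post #11 and #15) expressed the way reinob describes, as firewall rules: a default-deny inbound policy with one permitted source, plus the cron job that rotates that source when the DDNS name changes. This is an added example, not any poster's code; HOME_HOST, STATE_FILE and SSH_PORT are assumed names, and the ufw commands need root to apply.

```shell
#!/bin/sh
# Added example, not from any poster: Frenki's allow-list (post #11) written
# as firewall rules, which is what reinob means by "it does exactly what you
# want". One source address may reach sshd, everything else inbound is dropped,
# and a cron job rotates the allowed address when the DDNS name changes.
# Assumed names: HOME_HOST (the DDNS hostname), STATE_FILE, SSH_PORT.

HOME_HOST="${HOME_HOST:-home.example.invalid}"      # assumed DDNS name
STATE_FILE="${STATE_FILE:-/var/lib/allowlist/home_ip}"
SSH_PORT="${SSH_PORT:-22}"

# The route-style "reject all except my IP" Frenki asked for is the default
# policy: inbound traffic is dropped unless a later rule allows it.
baseline_cmds() {
    printf '%s\n' "ufw default deny incoming" "ufw default allow outgoing"
}

# rotate_cmds OLD NEW -> prints the ufw commands that replace the allowed
# source. Prints nothing when nothing changed, so the cron job is idempotent.
rotate_cmds() {
    old=$1; new=$2
    [ "$old" = "$new" ] && return 0
    # Add the new rule before deleting the old one: if the job dies between
    # the two steps the admin is still allowed in from at least one address.
    printf 'ufw allow from %s to any port %s proto tcp\n' "$new" "$SSH_PORT"
    [ -n "$old" ] && printf 'ufw delete allow from %s to any port %s proto tcp\n' "$old" "$SSH_PORT"
    return 0
}

# is_ipv4 X -> true only for a dotted quad, so a failed or poisoned lookup
# can never end up inside an "allow from" rule.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Cron entry point (run as root every few minutes): resolve the DDNS name,
# compare with the stored address, apply the rotation, persist the result.
# On lookup failure the existing rule is left alone rather than removed.
update_allowlist() {
    new=$(getent ahostsv4 "$HOME_HOST" | awk 'NR == 1 { print $1 }')
    if ! is_ipv4 "$new"; then
        echo "lookup of $HOME_HOST failed, keeping current rule" >&2
        return 1
    fi
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    rotate_cmds "$old" "$new" | sh -e && printf '%s\n' "$new" > "$STATE_FILE"
}
```

As reinob says, the packets from everyone else still arrive at the interface; the default deny just means they are dropped before any service sees them.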

Frenki
Posts: 9
Joined: 2017-05-13 06:29

Re: Send a bad ip connection back to himself

#18 Post by Frenki »

reinob wrote:
Frenki wrote: Still I'm searching for a way to totally block connections, not filter them with a firewall.
Basically just like the route command rejecting a host by IP,
but I'd like to allow a host by IP and make a route command to reject all the others.
Can't seem to find that since it's hard for me to formulate what I'd like to achieve in a search engine.
If I search, all I get is IPTABLES.
Yet IPTABLES means they already connected to the server and then face the firewall.
I don't want them even to reach the firewall, since I know what is allowed to come in.
I'm not sure if what I want is possible, though, but I'm certain that if I can use route to reject one connection,
it almost must be possible to reject all except 1 or more defined IPs.
Hmm.. I'm not sure you've understood how a firewall works. Basically, it does exactly what you want :)
You get to decide whether a packet is REJECTed or DROPped. In both cases, your server will see the initial connection attempt (SYN), but the connection will not be established.

You can't just reject a connection before it's even attempted!
Okay, actually I do understand how firewalls work :D
I'm just trying to achieve this without using 2 servers.
If I use 2 servers I can do what I want.
Use one server in front of the other, which acts like a router.
If the connection is allowed then the routing server sends the connection to the actual server.
I just wanted to know if this is possible by just using one server which is connected to the internet directly.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Send a bad ip connection back to himself

#19 Post by debiman »

reinob wrote:Hmm.. I'm not sure you've understood how a firewall works. Basically, it does exactly what you want :)
i was going to say the same but didn't feel competent enough to say it. :oops:

it seems to me Frenki actually WANTS these "bad ip connections", because it's a cool opportunity to learn things.
fine.

if not, they should still use something fairly simple like fail2ban AND configure their firewall properly.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Send a bad ip connection back to himself

#20 Post by reinob »

Frenki wrote: Okay, actually I do understand how firewalls work :D
I'm just trying to achieve this without using 2 servers.
If I use 2 servers I can do what I want.
Use one server in front of the other, which acts like a router.
If the connection is allowed then the routing server sends the connection to the actual server.
I just wanted to know if this is possible by just using one server which is connected to the internet directly.
A firewall is just some software running on a computer (you can call it "server" if you like).
It will only ever see a packet, i.e. decide on whether to allow, reject or mangle it, once the packet has reached the server.
You cannot prevent a computer from physically receiving the packet. If it's addressed to it, or to the broadcast address, or to a subscribed multicast address, or the network card is in promiscuous mode, the software (= firewall) will receive it and it will have to take a decision.

I have now the weirdest deja vu because today, at work, I actually wrote more or less what I've written here, which is kinda spooky.
