Send a bad ip connection back to himself
Hi,
I'd like to know if someone knows a way in which I can reroute an incoming connection on any port back to himself?
My server is targeted by this &^%&^% ip which is portscanning every few minutes.
I'd like to send his connection back to himself so that he basically is scanning his own ports.
Is this possible? I'm running UFW as firewall due to the fact that IPTABLES setup is out of my league.
Thanks for reading my question and even bigger thanks if you have a solution for my problem!
Grtz Frenki
Re: Send a bad ip connection back to himself
i think the common practice is to block the %^&%^& IP in question, or ignore its requests.
consider using fail2ban.
if something like what you want is possible, i'd be interested.
Re: Send a bad ip connection back to himself
Frenki wrote:
I'd like to know if someone knows a way in which I can reroute an incoming connection on any port back to himself?

Your question assumes that the "true" origin is not subject to spoof. Even if that assumption were correct (and it absolutely isn't), your question further assumes that escalation on your part won't provoke a retaliatory response.
I understand your frustration, but escalation probably isn't the right answer. Just ban the IP and let it go.
Re: Send a bad ip connection back to himself
debiman wrote:
i think the common practice is to block the %^&%^& IP in question, or ignore its requests.
consider using fail2ban.
if something like what you want is possible, i'd be interested.

I don't use DenyHosts/fail2ban since the server is not open for connections other than myself.
All ports are closed. There is only 1 connection allowed.
The server has a cron checking what my IP at home is (using DDNS).
In case my IP changes it will update the UFW rule, remove the old IP and allow my latest IP.
Thanks for your answer.
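The cron job described in this post (resolve a DDNS name, swap the UFW allow rule when the home address changes) written out as an added example; this is not code from the thread or from any poster. The hostname, the port, the state-file path, the DRY_RUN switch and the crontab line are assumptions chosen for illustration. Two points a practitioner would want are built in: the resolved value is validated as a plain IPv4 address before it is handed to ufw, and the new rule is inserted before the old one is deleted so a half-finished run cannot lock you out. The baseline_rules function also shows the "allow one source, deny everything else" policy the thread keeps circling back to; that lives in the packet filter (UFW), not in the routing table.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps a UFW "allow from <my IP>" rule in
# step with a DDNS name. "home.example.net", port 22, the state-file path and
# DRY_RUN are assumptions chosen for illustration.

DDNS_NAME="${DDNS_NAME:-home.example.net}"
ALLOW_PORT="${ALLOW_PORT:-22}"
STATE_FILE="${STATE_FILE:-/var/lib/ufw-ddns/current_ip}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ufw commands instead of running them

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with every octet in 0-255. Nothing a
# DNS answer could contain that is not an address must ever reach "ufw".
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One-time baseline: deny everything inbound by default and allow a single
# source to reach the SSH port. This is "reject all except my IP", done in the
# packet filter rather than with "route add ... reject".
baseline_rules() {
    is_ipv4 "$1" || return 1
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow from "$1" to any port "$ALLOW_PORT" proto tcp
    run ufw --force enable
}

# Replace the allow rule for OLD with one for NEW. The new rule goes in first
# so a failure half way through cannot leave you locked out.
update_allow_rule() {
    old="$1"
    new="$2"
    is_ipv4 "$new" || { echo "refusing non-IPv4 value: $new" >&2; return 1; }
    [ "$old" = "$new" ] && return 0
    run ufw insert 1 allow from "$new" to any port "$ALLOW_PORT" proto tcp
    if [ -n "$old" ]; then
        run ufw delete allow from "$old" to any port "$ALLOW_PORT" proto tcp
    fi
}

# First IPv4 address the resolver returns for the DDNS name.
resolve_ddns() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Cron entry point: compare the resolved address with the last one recorded,
# swap the rule if it changed, then record the new address.
refresh() {
    old=""
    [ -r "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
    new=$(resolve_ddns "$DDNS_NAME")
    update_allow_rule "$old" "$new" || return 1
    if [ "$DRY_RUN" != "1" ]; then
        mkdir -p "$(dirname "$STATE_FILE")"
        printf '%s\n' "$new" > "$STATE_FILE"
    fi
}

# Assumed crontab line: */5 * * * * DRY_RUN=0 /usr/local/sbin/ufw-ddns refresh
case "${1:-}" in
    refresh) refresh ;;
esac
```

Run it once with DRY_RUN=1 to see the exact ufw commands it would issue, then put it in cron with DRY_RUN=0. Because the allow rule names the port and protocol, the delete step matches exactly one rule; a bare "ufw delete allow from OLD" would also be accepted by ufw but matches a different rule shape, so keep the two invocations symmetrical.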
Re: Send a bad ip connection back to himself
dasein wrote:
Frenki wrote:
I'd like to know if someone knows a way in which I can reroute an incoming connection on any port back to himself?
Your question assumes that the "true" origin is not subject to spoof. Even if that assumption were correct (and it absolutely isn't), your question further assumes that escalation on your part won't provoke a retaliatory response.
I understand your frustration, but escalation probably isn't the right answer. Just ban the IP and let it go.

You are right, escalation is never good.
Well I guess the best thing to do is just use:
route add -host this_bad_ip reject
Thanks for your answer
Re: Send a bad ip connection back to himself
Frenki wrote:
I don't use DenyHosts/fail2ban since the server is not open for connections other than myself.
All ports are closed. There is only 1 connection allowed.

then how can there be a "bad ip connection"???
Re: Send a bad ip connection back to himself
debiman wrote:
Frenki wrote:
I don't use DenyHosts/fail2ban since the server is not open for connections other than myself.
All ports are closed. There is only 1 connection allowed.
then how can there be a "bad ip connection"???

I see them in the firewall log before I reject the connection with route.
This "bad IP" is not just one IP, it's a huge list of different IPs. I have a 3-strikes-out policy before rejecting with route.
So I know that it's targeted by the same person / group of persons.
Re: Send a bad ip connection back to himself
either your setup is open to the world or it isn't.
which one is it?
you said it isn't open to the world (the server is not open for connections other than myself), yet you are getting connection requests from outside?
it can't be both.
GarryRicketson (Posts: 5644, Joined: 2015-01-20 22:16, Location: Durango, Mexico)
Re: Send a bad ip connection back to himself
Frenki wrote:
I don't use DenyHosts/fail2ban ----snip

You still should be using fail2ban or something.

Frenki wrote:
it's a huge list of different IPs

Yes, that is normal, there are 100's or more, maybe 1000's and they are constantly trying to access, they scan for open ports and will try, there is nothing that can be done to stop that.
I could show a list, and I would bet most of the ones on my list are the same ones you are seeing.
This is not really a Debian issue, it happens to any server no matter what the OS is.

Frenki wrote:
So I know that it's targeted by the same person / group of persons

They are not "persons" nor groups, and your server is not so special that it has been selected by some one as a "target"; these are "bots", and they scan the IP blocks, or ranges, looking for anything they can connect to, scan the ports, and if they do find one open they start trying various passwords, etc.
Of course, yes, there are people (humans) behind the machines doing the scanning, but what you are seeing is "machines" trying to communicate with other machines.
Try doing some searches, key words: "How to keep a server secure"
to be more specific to Debian, "How to keep a Debian server secure".

Frenki wrote:
I'd like to send his connection back to himself so that he basically is scanning his own ports.
Is this possible?

If you want to create a "Honey Pot", the same, "how to create a honey pot on Debian". If you really want to do things like this:
Then instead of "honey pot" use the words "tar pit". A "tar pit" really bogs them down, but they never stop trying.
Re: Send a bad ip connection back to himself
You are likely perceiving some sort of false positive, DNS echos, or similar other trivial-type network behavior:
https://supportforums.cisco.com/discuss ... dns-server
Nobody would ever ask questions If everyone possessed encyclopedic knowledge of the man pages.
Re: Send a bad ip connection back to himself
debiman wrote:
either your setup is open to the world or it isn't.
which one is it?
you said it isn't open to the world (the server is not open for connections other than myself), yet you are getting connection requests from outside?
it can't be both.

What I mean by that is the following (perhaps I used the wrong terminology for that; if so, sorry!)
In my UFW I have a rule allowing only my IP.
The rest obviously will be blocked/dropped, if that is the correct term.
There is no other rule which opens ports.
I run a cron that checks if my IP has been changed via DDNS.
If so, then the rule will be removed and my new IP added so that I can get into the server.
Right now I also have a cron adding: route add -host blocked_ufw_ip reject
If you know how I can do the route the other way around, that would be great.
Somewhat like (probably wrong the way I write it in the example below):
route add -host my_ip allow
route add -host all_except_my_ip reject
That means I don't have to go through the logs and reject all connections trying to get in.
I'm new to Linux servers but have been using several Linux desktops for a while.
I can write bash, python, C#, PHP, JavaScript.
This server is just for me to experiment and learn about servers.
I'd like to do securing my server manually instead of running packages which obviously I don't really know what they do in the background.
I understand how they work, but I want to learn to do that myself, and also preferably not after a log entry is made but instantly, when a connection comes in, my scripts will be triggered.
Later on, if I create a production server, I want to have the knowledge like using pam.d to validate who is trying to get in, then based on the session result block or allow the connection.
So far I have found incron, a package that is useful to act instantly when files on the system change.
I can grep the sshd session when the auth.log changes to see if it is correct or not; if yes then the IP will be added to safe_list, else it will be blocked and added to blocked_ips.
Bear with me please since I'm new to servers and just want to learn how to secure my server without using premade tools/packages.
Thanks for answering my post!
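The auth.log check this post sketches (run on each change of the log, count failed sshd logins per source, block the source after three strikes, never block anything on a safe list) as an added example; this is not code from the thread or from any poster. The sample log lines, the threshold, the safe-list format (one IPv4 per line) and the incron table line mentioned below are constructed for illustration. The one trap worth showing is log injection: sshd writes an invalid username into the line verbatim, so the parser must take the peer address from the last "from <ip> port <n>" triple, which sshd appends after the username, rather than the first "from" it sees.

```shell
#!/bin/sh
# Added example, not from the thread. A "three strikes" pass over sshd auth
# log lines, emitting ufw deny rules for sources over the limit while skipping
# a safe list. Sample log lines and the threshold are constructed.

# Print each source address with at least LIMIT (default 3) failed-password
# lines in LOGFILE, one per line, sorted. The address is taken from the last
# "from <ip> port <n>" triple on the line: sshd appends the real peer address
# after the username, so a crafted username that itself contains
# "from 10.0.0.1 port 1" cannot substitute its own address.
offenders() {
    logfile="$1"
    limit="${2:-3}"
    awk -v limit="$limit" '
        /sshd\[[0-9]+\]: Failed password for / {
            src = ""
            for (i = 1; i < NF - 1; i++)
                if ($i == "from" && $(i + 2) == "port" &&
                    $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    src = $(i + 1)
            if (src != "") fails[src]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' "$logfile" | sort
}

# Turn an offender list (one address per line, as printed by offenders) into
# ufw commands. They are printed, not executed, so they can be reviewed first.
# Addresses present in SAFELIST are skipped so a bad day with your own password
# cannot lock you out; the deny is inserted at position 1 so it precedes any
# broader allow rule.
deny_rules() {
    offenders_file="$1"
    safelist="${2:-}"
    while IFS= read -r ip; do
        if [ -n "$safelist" ] && grep -qxF -- "$ip" "$safelist" 2>/dev/null; then
            continue
        fi
        printf 'ufw insert 1 deny from %s to any\n' "$ip"
    done < "$offenders_file"
}

# Constructed sample log in OpenSSH's usual message format. 203.0.113.5 fails
# four times, 198.51.100.9 three times (one of them with a username crafted to
# look like an extra "from ... port" field), 192.0.2.10 logs in successfully.
sample_log() {
    cat <<'EOF'
Mar  3 10:01:11 vps sshd[2231]: Failed password for root from 203.0.113.5 port 44112 ssh2
Mar  3 10:01:14 vps sshd[2231]: Failed password for root from 203.0.113.5 port 44112 ssh2
Mar  3 10:01:17 vps sshd[2231]: Failed password for root from 203.0.113.5 port 44112 ssh2
Mar  3 10:01:20 vps sshd[2235]: Failed password for invalid user admin from 203.0.113.5 port 44120 ssh2
Mar  3 10:02:02 vps sshd[2240]: Failed password for invalid user pi from 198.51.100.9 port 50211 ssh2
Mar  3 10:02:09 vps sshd[2240]: Failed password for invalid user pi from 198.51.100.9 port 50211 ssh2
Mar  3 10:02:30 vps sshd[2251]: Accepted publickey for frenki from 192.0.2.10 port 60100 ssh2: ED25519 SHA256:constructed
Mar  3 10:03:00 vps sshd[2260]: Failed password for invalid user from 192.0.2.99 port 1 from 198.51.100.9 port 50300 ssh2
EOF
}

# Stand-alone run: build the offender list from the sample and show the rules.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_log > "$tmp"
    offenders "$tmp" > "$tmp.offenders"
    deny_rules "$tmp.offenders"
    rm -f "$tmp" "$tmp.offenders"
fi
```

With incron, a table line of the shape "/var/log/auth.log IN_MODIFY /usr/local/sbin/strikes.sh" (path and script name are assumptions) would run the check on every write to the log; pipe the printed rules into sh once you are satisfied with them, and keep a record of addresses already denied so the same rule is not inserted on every log write.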
Re: Send a bad ip connection back to himself
GarryRicketson wrote:
Frenki wrote:
I don't use DenyHosts/fail2ban ----snip

Thanks for the information about honey pot and tar pit.
These I will definitely look into
since I'm sure this is something I'd like to do with my learning VPS server.
I've been using pentesting platforms like BackTrack and Kali.
So this is really stuff which interests me a lot.
I'm a guy who has a passion for learning programming and networking.
So these 2 terms you gave are definitely added to my todo list for digging into!
Again thanks a lot m8. Cheers!
Re: Send a bad ip connection back to himself
acewiza wrote:
You are likely perceiving some sort of false positive, DNS echos, or similar other trivial-type network behavior:
https://supportforums.cisco.com/discuss ... dns-server

That may be a possibility, yet again.
I want to close anything other than myself connecting to the server, or people I give access to.
So no spiders, bots, portscanners, bruteforcers, anything you can name, will be allowed connecting to my server.
Re: Send a bad ip connection back to himself
Frenki wrote:
acewiza wrote:
You are likely perceiving some sort of false positive, DNS echos, or similar other trivial-type network behavior:
https://supportforums.cisco.com/discuss ... dns-server
That may be a possibility, yet again.
I want to close anything other than myself connecting to the server, or people I give access to.
So no spiders, bots, portscanners, bruteforcers, anything you can name, will be allowed connecting to my server.

You may also want to read about port knocking.
(since you mentioned you're learning..)
Re: Send a bad ip connection back to himself
reinob wrote:
Frenki wrote:
acewiza wrote:
You are likely perceiving some sort of false positive, DNS echos, or similar other trivial-type network behavior:
https://supportforums.cisco.com/discuss ... dns-server
That may be a possibility, yet again.
I want to close anything other than myself connecting to the server, or people I give access to.
So no spiders, bots, portscanners, bruteforcers, anything you can name, will be allowed connecting to my server.
You may also want to read about port knocking.
(since you mentioned you're learning..)

Well, I've been digging into that before.
I am able to set that up, using my other webserver.
User clicks a (protected) link on my website.
Then the webserver sends a signal to my SSH server letting it know this IP wants access.
Add a rule to allow that person. And done. That's easy to achieve.
Still I'm searching for a way to totally block connections, not filter them with the firewall.
Basically just like the route command rejecting a host by IP,
but I'd like to allow a host by IP and make a route command to reject all the others.
Can't seem to find that since it's hard for me to formulate what I'd like to achieve in a search engine.
If I search, all I get is IPTABLES.
Yet IPTABLES means they already connected to the server and then face the firewall.
I don't want them even to reach the firewall, since I know what is allowed to come in.
I'm not sure if what I want is possible, though, but I'm certain that if I can use route to reject one connection,
it almost must be possible to reject all except 1 or more defined IPs.
Re: Send a bad ip connection back to himself
A good troubleshooting step might be to drop one source you are presently concerned with. No need to send anything anywhere or otherwise muddy the water. Then see what if anything, breaks on your end. This should at least suggest to you if the traffic you seem to be concerned with is either legitimate, anomalous, or (unlikely) nefarious.
Re: Send a bad ip connection back to himself
Frenki wrote:
Still I'm searching for a way to totally block connections, not filter them with the firewall.
Basically just like the route command rejecting a host by IP,
but I'd like to allow a host by IP and make a route command to reject all the others.
Can't seem to find that since it's hard for me to formulate what I'd like to achieve in a search engine.
If I search, all I get is IPTABLES.
Yet IPTABLES means they already connected to the server and then face the firewall.
I don't want them even to reach the firewall, since I know what is allowed to come in.
I'm not sure if what I want is possible, though, but I'm certain that if I can use route to reject one connection,
it almost must be possible to reject all except 1 or more defined IPs.

Hmm.. I'm not sure you've understood how a firewall works. Basically, it does exactly what you want :)
You get to decide whether a packet is REJECTed or DROPped. In both cases, your server will see the initial connection attempt (SYN), but the connection will not be established.
You can't just reject a connection before it's even attempted!
Re: Send a bad ip connection back to himself
reinob wrote:
Frenki wrote:
Still I'm searching for a way to totally block connections, not filter them with the firewall.
Basically just like the route command rejecting a host by IP,
but I'd like to allow a host by IP and make a route command to reject all the others.
Can't seem to find that since it's hard for me to formulate what I'd like to achieve in a search engine.
If I search, all I get is IPTABLES.
Yet IPTABLES means they already connected to the server and then face the firewall.
I don't want them even to reach the firewall, since I know what is allowed to come in.
I'm not sure if what I want is possible, though, but I'm certain that if I can use route to reject one connection,
it almost must be possible to reject all except 1 or more defined IPs.
Hmm.. I'm not sure you've understood how a firewall works. Basically, it does exactly what you want
You get to decide whether a packet is REJECTed or DROPped. In both cases, your server will see the initial connection attempt (SYN), but the connection will not be established.
You can't just reject a connection before it's even attempted!

Okay, actually I do understand how firewalls work :D
I'm just trying to achieve this without using 2 servers.
If I use 2 servers I can do what I want.
Use one server in front of the other which acts like a router.
If the connection is allowed then the routing server sends the connection to the actual server.
I just wanted to know if this is possible by just using one server which is connected to the internet directly.
Re: Send a bad ip connection back to himself
reinob wrote:
Hmm.. I'm not sure you've understood how a firewall works. Basically, it does exactly what you want

i was going to say the same but didn't feel competent enough to say it.
it seems to me Frenki actually WANTS these "bad ip connections", because it's a cool opportunity to learn things.
fine.
if not, they should still use something fairly simple like fail2ban AND configure their firewall properly.
Re: Send a bad ip connection back to himself
Frenki wrote:
Okay, actually I do understand how firewalls work :D
I'm just trying to achieve this without using 2 servers.
If I use 2 servers I can do what I want.
Use one server in front of the other which acts like a router.
If the connection is allowed then the routing server sends the connection to the actual server.
I just wanted to know if this is possible by just using one server which is connected to the internet directly.

A firewall is just some software running on a computer (you can call it "server" if you like).
It will only ever see a packet, i.e. decide on whether to allow, reject or mangle it, once the packet has reached the server.
You cannot prevent a computer from physically receiving the packet. If it's addressed to it, or to the broadcast address, or to a subscribed multicast address, or the network card is in promiscuous mode, the software (= firewall) will receive it and it will have to take a decision.
I have now the weirdest deja vu because today, at work, I actually wrote more or less what I've written here, which is kinda spooky.