Detecting Suspect Traffic
To illustrate the differences in the output of ipchains and iptables firewalls, we first compare log entries generated by an nmap XMAS scan.
The ipchains messages in Listing 2 were generated by an nmap XMAS scan of TCP ports 79 through 81. Recall that an XMAS scan sets the FIN, URG and PSH flags. First the nmap command and output is listed followed by the corresponding ipchains output. Note that ipchains makes no mention of which TCP flags were set.
Now we perform the same nmap scan (the nmap command line and output is identical to the above ipchains example, so it is not repeated) and display the corresponding iptables output (see Listing 3). This time we can plainly see the FIN, URG and PSH flags set in the packets used in the scan.
Michael Rash works as a senior security engineer for an ASP in Annapolis, Maryland. He holds a Master's in Applied Mathematics from the University of Maryland and has been tinkering with Linux since 1998. He can be reached at firstname.lastname@example.org.
|Non-Linux FOSS: Vienna, Not Just for Sausages||Jun 02, 2015|
|June 2015 Issue of Linux Journal: Networking||Jun 01, 2015|
|June 2015 Video Preview||Jun 01, 2015|
|My Humble Little Game Collection||May 28, 2015|
|New Linux Based OS Brings Internet of Things Closer to Reality||May 27, 2015|
|Non-Linux FOSS: All the Bitcoin, None of the Bloat||May 26, 2015|
- Non-Linux FOSS: Vienna, Not Just for Sausages
- June 2015 Issue of Linux Journal: Networking
- Dr Hjkl on the Command Line
- New Linux Based OS Brings Internet of Things Closer to Reality
- Initializing and Managing Services in Linux: Past, Present and Future
- Using Hiera with Puppet
- My Humble Little Game Collection
- Gartner Dubs DivvyCloud Cool Cloud Management Vendor
- Infinite BusyBox with systemd
- Goodbye, Pi. Hello, C.H.I.P.