Block bots and server scans

Who has not experienced this, just installed a fresh server and made it publicly accessible and already the access log is filled with annoying bots and suspicious requests from script-kiddies.

The usual wordlists are used to find valid ssh access, and nmap scans investigate every port thoroughly to see if there is a service running there that is easy to exploit.

nmap enjoys constant popularity, as it is very easy to use, has an incredible number of sources of good documentation and good strategies for detecting open server ports and other information.

The question remains: What can actually be done against portscans?

Let the firewall join the party

Hopefully this doesn’t sound surprising, but with a very restrictive firewall setting, a whole lot of annoying access attempts can be nipped in the bud.In our example we used the tool iptables, which is an interface to the Netfilter module of the Linux kernel.

On our server, an nginx web server is at work on port 80 and 443. These ports remain publicly accessible, of course, and they also remain accessible to any port scan. This is in the nature of things.

To really annoy the script-kiddies and bots, you can do the following three things:

  • Drop ping packets
  • Change SSH default port
  • Drop all packets that do not reach port 80,443 and the newly assigned SSH port without comment and block the sender IP address for e.g. 24 hours.

I will not give instructions on how to install iptables here. Please do that on your own server.

Drop ICMP ping packets

With the following rule for iptables, all ICMP ping packets are dropped:

iptables -i NETWORK_INTERFACE_NAME -I INPUT -p icmp -m icmp –icmp-type 8 -j DROP

Change SSH port

To change the default SSH port, you must change port 22 in the /etc/ssh/sshd_config file to another, free and arbitrary port.

Block scan traffic and ssh bruteforce attemps

Here we follow a very simple and restrictive strategy: Everything that does not touch port 80, 443 and our new SSH port is discarded and access is blocked for 24 hours. I’ve put the whole configuration together for you in a github repository.

Leave a Reply

Your email address will not be published. Required fields are marked *