Thread: Security Scan

  1. #1

    Security Scan

    Hello,

    Is it advisable to have someone scan your server setup, i.e. the firewall? If so, what is used to scan the firewall?

    Thanks

  2. #2
    You can do a port scan from outside your firewall using something like Nmap that will show you what ports are open. And yes, it is advisable to have a reputable company check your server setup if you are not confident in your own security skills. I would recommend more than just a firewall scan as your firewall is only (or should be) the first line of defense.
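    An added check (not from the thread) that turns the advice above into a repeatable test: it parses nmap's grepable output and reports any open TCP port that is not on the allow list you expect the firewall to pass. The allow list and the sample scan are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): compare the open TCP ports an external
# nmap scan reports against the ports the firewall is meant to allow in, and
# list anything open that is not on the allow list.  Assumption: the allow
# list below is a typical inbound TCP policy; adjust it to your own TCP_IN.
EXPECTED_OPEN="22 53 80 443 465 993 995"

# Print the open TCP port numbers found in nmap grepable output (-oG)
# read from stdin.  A grepable host line looks like:
#   Host: 192.0.2.10 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///
open_ports() {
    awk -F'Ports: ' '/Ports: / {
        n = split($2, f, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+/, "", f[i])
            split(f[i], p, "/")
            if (p[2] == "open" && p[3] == "tcp") print p[1]
        }
    }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Print every open port that is not in the expected list (one per line).
# Empty output means the scan agrees with policy.  Always returns 0 so it
# is safe inside $(...) under set -e.
unexpected_ports() {
    expected="$1"
    for port in $(open_ports); do
        case " $expected " in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
    return 0
}

# Constructed sample of nmap -oG output (not a real scan): port 21 shows
# open even though the firewall is supposed to block it.
sample_scan() {
    cat <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///  Ignored State: filtered (995)
# Nmap done
EOF
}

# Live use, from a machine *outside* the firewall (scanning the host from
# itself goes through lo and says little about the inbound rules):
#   nmap -p 1-65535 -oG - TARGET_HOST | unexpected_ports "$EXPECTED_OPEN"
sample_scan | unexpected_ports "$EXPECTED_OPEN"
```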

  3. #3
    I just set up CSF Firewall and I am not sure that it is working. I did the nmap scan and even though I have the iptables set to not allow certain ports, the nmap scan still says they are open. (i.e. port 21)

    When I restarted csf, I get several errors like:
    iptables: Unknown error 4294967295
    LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
    Any idea what is causing the csf firewall error?

  4. #4
    Are you running nmap on the server with the firewall?

  5. #5
    Yes, and no... I set up nmap on 2 servers, both with csf firewall.

    One of my VPSs doesn't have the error with the firewall. The error was on the server before I installed nmap.

  6. #6
    Ok, but you are using nmap on server "A" to scan the ports on server "B", yes? A quick google shows other people who have had the error, but no solution that I have found. Some have noted that the problem went away on its own. Have you tried rebooting?

  7. #7
    Not to be too confusing, but I have tried scanning server "A" with server "A" and also scanned from server "B".

    Interestingly, I get the same results. I'll try rebooting to see if anything changes.

    Thanks

  8. #8
    I restarted IPTables then rebooted and the error in csf firewall is still there.

    iptables: Unknown error 4294967295
    LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
    Any help is appreciated getting rid of the firewall error.

  9. #9
    Can anybody recommend a good company to scan your firewall/server?
    I'm fairly confident in my setup, but it's better to be safe than sorry.

  10. #10
    Try doing this in another shell session while you csf -r:

    tail -f /var/log/messages | grep -i iptables

  11. #11
    Quote Originally Posted by zacharooni
    Try doing this in another shell session while you csf -r:

    tail -f /var/log/messages | grep -i iptables

    Maybe I didn't understand the syntax (or what you want me to do) of the statement... but this is what I got:
    -bash-3.1# csf -r tail -f /var/log/messages | grep -i iptables
    iptables: Unknown error 4294967295
    iptables: Unknown error 4294967295
    iptables: Unknown error 4294967295
    iptables: Unknown error 4294967295
    iptables: Unknown error 4294967295
    iptables: Unknown error 4294967295
    -bash-3.1#

  12. #12
    No no. Open up another PuTTY session, and have this command running first:

    tail -f /var/log/messages | grep -i iptables

    Then, back in the first session while that command is running, type:

    csf -r

  13. #13
    When I do the tail -f /var/log/messages | grep -i iptables nothing happens...

    -bash-3.1# tail -f /var/log/messages | grep -i iptables
    In the other PuTTY session, this is what happens:
    -bash-3.1# csf -r
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `INVALID'
    Flushing chain `INVDROP'
    Flushing chain `LOGDROPIN'
    Flushing chain `LOGDROPOUT'
    Deleting chain `INVALID'
    Deleting chain `INVDROP'
    Deleting chain `LOGDROPIN'
    Deleting chain `LOGDROPOUT'
    Running /etc/csf/csfpre.shACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
    ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:68
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:68
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:111
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:113
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:113
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:135:139
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:135:139
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:445
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:513
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:513
    DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
    DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
    iptables: Unknown error 4294967295
    LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
    iptables: Unknown error 4294967295
    LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
    iptables: Unknown error 4294967295
    LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
    iptables: Unknown error 4294967295
    LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
    iptables: Unknown error 4294967295
    LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
    iptables: Unknown error 4294967295
    LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
    DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
    INVDROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state INVALID
    INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x00
    INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x3F
    INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x03/0x03
    INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x06/0x06
    INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x05/0x05
    INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x11/0x01
    INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x18/0x08
    INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x30/0x20
    INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
    INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt -- in !lo out * 202.138.152.93 -> 0.0.0.0/0
    DROP all opt -- in * out !lo 0.0.0.0/0 -> 202.138.152.93
    ACCEPT udp opt -- in !lo out * 208.67.222.222 -> 0.0.0.0/0 udp spt:53 dpt:53
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.222.222 tcp spt:53 dpt:53
    ACCEPT tcp opt -- in !lo out * 208.67.222.222 -> 0.0.0.0/0 tcp spt:53 dpts:1024:65535
    ACCEPT udp opt -- in !lo out * 208.67.222.222 -> 0.0.0.0/0 udp spt:53 dpts:1024:65535
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.222.222 tcp spts:1024:65535 dpt:53
    ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.67.222.222 udp spts:1024:65535 dpt:53
    ACCEPT tcp opt -- in !lo out * 208.67.222.222 -> 0.0.0.0/0 tcp spts:1024:65535 dpt:53
    ACCEPT udp opt -- in !lo out * 208.67.222.222 -> 0.0.0.0/0 udp spts:1024:65535 dpt:53
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.222.222 tcp spt:53 dpts:1024:65535
    ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.67.222.222 udp spt:53 dpts:1024:65535
    ACCEPT udp opt -- in !lo out * 208.67.220.220 -> 0.0.0.0/0 udp spt:53 dpt:53
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.220.220 tcp spt:53 dpt:53
    ACCEPT tcp opt -- in !lo out * 208.67.220.220 -> 0.0.0.0/0 tcp spt:53 dpts:1024:65535
    ACCEPT udp opt -- in !lo out * 208.67.220.220 -> 0.0.0.0/0 udp spt:53 dpts:1024:65535
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.220.220 tcp spts:1024:65535 dpt:53
    ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.67.220.220 udp spts:1024:65535 dpt:53
    ACCEPT tcp opt -- in !lo out * 208.67.220.220 -> 0.0.0.0/0 tcp spts:1024:65535 dpt:53
    ACCEPT udp opt -- in !lo out * 208.67.220.220 -> 0.0.0.0/0 udp spts:1024:65535 dpt:53
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.220.220 tcp spt:53 dpts:1024:65535
    ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.67.220.220 udp spt:53 dpts:1024:65535
    ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
    ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:465
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:953
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:993
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:995
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2382
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7776
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7777
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7778
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7779
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8886
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8887
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8888
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8889
    ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:5558
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:110
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:113
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:953
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2382
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:9999
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7776
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7777
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7778
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7779
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8886
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8887
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8888
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8889
    ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:5558
    ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
    ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
    ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
    ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:953
    ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
    ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
    ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
    ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:113
    ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:123
    ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:953
    ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 1/sec burst 5
    ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 1/sec burst 5
    LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
    LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
    -bash-3.1#
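    The reload output above, and the procedure in #12, can be checked without reading the whole listing: this added script (not part of CSF or the thread) pairs each "iptables: Unknown error" line with the rule line printed right after it. The sample output is an excerpt constructed from the listing above; on this page's output every paired rule is a LOG rule with a limit match.

```shell
#!/bin/sh
# Added example (not part of CSF): pair each "iptables: Unknown error" line
# in csf -r output with the rule line printed right after it, so the rules
# that failed to load can be read off directly instead of hunted for in the
# full listing.  Reads csf -r output from stdin.
failed_rules() {
    awk '
        /^iptables: Unknown error/ {
            # two errors in a row: the rule line for the first never came
            if (pending != "") { print pending "\n    -> (no rule line captured)"; count++ }
            pending = $0; next
        }
        pending != "" { print pending "\n    -> " $0; pending = ""; count++ }
        END {
            if (pending != "") { print pending "\n    -> (no rule line captured)"; count++ }
            print count + 0 " rule(s) failed to load"
        }'
}

# Just the number of failed rule loads, for use in a health-check script.
failed_rule_count() {
    awk '/^iptables: Unknown error/ { c++ } END { print c + 0 }'
}

# Constructed excerpt of the csf -r output shown in the thread, so the script
# runs without csf installed.  The real listing is much longer.
sample_output() {
    cat <<'EOF'
Flushing chain `INPUT'
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
iptables: Unknown error 4294967295
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
iptables: Unknown error 4294967295
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
EOF
}

# Live use (stderr merged, since iptables prints the error there):
#   csf -r 2>&1 | failed_rules
sample_output | failed_rules
```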

  14. #14
    You can use NMAP to determine open ports and other sensitive information, such as footprinting (remote OS detection) and whether or not the remote host is just trying to "filter" the ports. NMAP would be great for scanning systems that have ICMP firewalls (specifically trying to block pings.)

    Once you have a firewall setup and would like to take it further than a simple NMAP scan, I would recommend using Nessus, which is a state of the art/high-speed vulnerability scanner - http://www.nessus.org/ - It won't just find the open ports and report them, but it will find holes in the firewall as well, which can come in handy.

    There are many companies that will scan/test your firewall for you (such as unspecificconsulting.com, though I'm not sure of their present status).

    -mike
    Mike G. - Limestone Networks - Account Specialist
