Thread: Security Scan
06-14-2008, 07:37 PM #1 Web Hosting Guru (Join Date Jun 2004, Posts 264)
Security Scan
Hello,
Is it advisable to have someone scan your server setup, i.e. the firewall? If so, what is used to scan the firewall?
Thanks
06-14-2008, 08:04 PM #2 Web Hosting Guru (Join Date Dec 2002, Posts 308)
You can do a port scan from outside your firewall using something like Nmap that will show you what ports are open. And yes, it is advisable to have a reputable company check your server setup if you are not confident in your own security skills. I would recommend more than just a firewall scan as your firewall is only (or should be) the first line of defense.
06-14-2008, 09:16 PM #3 Web Hosting Guru (Join Date Jun 2004, Posts 264)
I just set up CSF Firewall and I am not sure that it is working. I did the nmap scan and even though I have the iptables set to not allow certain ports, the nmap scan still says they are open. (i.e. port 21)
When I restarted csf, I get several errors like:
iptables: Unknown error 4294967295
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
06-14-2008, 10:14 PM #4 Web Hosting Guru (Join Date Dec 2002, Posts 308)
Are you running nmap on the server with the firewall?
06-14-2008, 10:19 PM #5 Web Hosting Guru (Join Date Jun 2004, Posts 264)
Yes, and no... I set up nmap on 2 servers, both with csf firewall.
One of my VPS' doesn't have the error with the firewall. The error was on the server before I installed nmap.
06-14-2008, 10:21 PM #6 Web Hosting Guru (Join Date Dec 2002, Posts 308)
Ok, but you are using nmap on server "A" to scan the ports on server "B", yes? A quick Google search shows other people who have had the error, but no solution that I have found. Some have noted that the problem went away on its own. Have you tried rebooting?
06-14-2008, 10:24 PM #7 Web Hosting Guru (Join Date Jun 2004, Posts 264)
Not to be too confusing, but I have tried scanning server "A" with server "A" and also scanned it from server "B".
Interestingly, I get the same results. I'll try rebooting to see if anything changes.
Thanks
06-14-2008, 11:02 PM #8 Web Hosting Guru (Join Date Jun 2004, Posts 264)
I restarted IPTables then rebooted and the error in csf firewall is still there.
iptables: Unknown error 4294967295
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
06-14-2008, 11:44 PM #9 Aspiring Evangelist (Join Date May 2007, Posts 442)
Can anybody recommend a good company to scan your firewall/server?
I'm fairly confident in my setup, but it's better to be safe than sorry.
06-15-2008, 01:40 AM #10 Web Hosting Master (Join Date Apr 2005, Posts 1,767)
Try doing this in another shell session while you csf -r:
tail -f /var/log/messages | grep -i iptables
06-15-2008, 09:04 AM #11 Web Hosting Guru (Join Date Jun 2004, Posts 264)
Maybe I didn't understand the syntax (or what you want me to do) of the statement... but this is what I got:
-bash-3.1# csf -r tail -f /var/log/messages | grep -i iptables
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
-bash-3.1#
06-15-2008, 03:23 PM #12 Web Hosting Master (Join Date Apr 2005, Posts 1,767)
No no. Open up another PuTTY session, and have this command running first:
tail -f /var/log/messages | grep -i iptables
Then, back in the first session while that command is running, type:
csf -r
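The two-session procedure above (one window following the log, the other reloading the firewall) can be done in a single script, which is also the shape you want when the check runs unattended. The block below is an added example, not code from the thread or from csf: it follows a log file from its current end while a callable runs and returns only the lines that arrived during the run and match a pattern, case-insensitively like `grep -i`. The log path, the syslog-style lines and the `simulated_reload()` stand-in for `csf -r` are all constructed for the example; on a real host you would point it at `/var/log/messages` and run csf via `subprocess`.

```python
"""Follow a log file while a command runs and keep only the matching lines.
Added example (not from the thread or from csf). The scratch log, the
CONSTRUCTED_LINES and simulated_reload() are stand-ins for /var/log/messages
and `csf -r`."""
import os
import re
import tempfile
import threading
import time


def capture_log_during(log_path, action, pattern=r"iptables", settle=0.5):
    """Run action() while following log_path; return the lines appended
    during the action that match pattern (case-insensitive, like grep -i).
    The follower seeks to end-of-file before the action starts, so lines
    already in the log are not reported, which is what tail -f does."""
    regex = re.compile(pattern, re.IGNORECASE)
    matched = []
    ready, stop = threading.Event(), threading.Event()

    def follow():
        with open(log_path, "r", encoding="utf-8", errors="replace") as fh:
            fh.seek(0, os.SEEK_END)
            ready.set()
            while True:
                line = fh.readline()
                if line:
                    if regex.search(line):
                        matched.append(line.rstrip("\n"))
                elif stop.is_set():
                    break          # file drained and the action is over
                else:
                    time.sleep(0.05)

    t = threading.Thread(target=follow, daemon=True)
    t.start()
    ready.wait()                   # do not start the action before the seek
    try:
        action()
    finally:
        time.sleep(settle)         # let the logger flush its last lines
        stop.set()
        t.join()
    return matched


# Constructed syslog-style lines; not real output from the poster's server.
# Note the kernel module announces itself as "ip_tables" (underscore).
CONSTRUCTED_LINES = [
    "Jun 15 15:57:01 vps kernel: ip_tables: (C) 2000-2006 Netfilter Core Team",
    "Jun 15 15:57:01 vps csf: iptables: Unknown error 4294967295",
    "Jun 15 15:57:02 vps sshd[2201]: Accepted publickey for root from 192.0.2.5",
]


def simulated_reload(log_path, lines=CONSTRUCTED_LINES):
    """Stand-in for `csf -r`: appends the constructed lines to the log."""
    with open(log_path, "a", encoding="utf-8") as fh:
        for line in lines:
            fh.write(line + "\n")
            fh.flush()


def demo(pattern=r"iptables"):
    """Create a scratch log holding one pre-existing iptables line (which must
    NOT be reported), then capture what the simulated reload logs."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("Jun 15 15:50:00 vps csf: iptables: Unknown error 4294967295 (earlier run)\n")
    try:
        return capture_log_during(path, lambda: simulated_reload(path), pattern)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("pattern iptables  :", demo())
    print("pattern ip_?tables:", demo(r"ip_?tables"))
```

One caveat the example makes visible: `grep -i iptables` does not match the kernel's own `ip_tables:` messages because of the underscore, so a pattern such as `ip_?tables` catches both the module's messages and csf's.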
06-15-2008, 03:57 PM #13 Web Hosting Guru (Join Date Jun 2004, Posts 264)
When I do the tail -f /var/log/messages | grep -i iptables nothing happens...
-bash-3.1# tail -f /var/log/messages | grep -i iptables
-bash-3.1# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Running /etc/csf/csfpre.sh
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:68
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:68
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:111
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:113
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:113
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpts:135:139
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:135:139
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:445
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:513
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:513
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
iptables: Unknown error 4294967295
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
iptables: Unknown error 4294967295
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
iptables: Unknown error 4294967295
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
iptables: Unknown error 4294967295
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
iptables: Unknown error 4294967295
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
iptables: Unknown error 4294967295
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVDROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state INVALID
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x30/0x20
INVDROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in !lo out * 202.138.152.93 -> 0.0.0.0/0
DROP all opt -- in * out !lo 0.0.0.0/0 -> 202.138.152.93
ACCEPT udp opt -- in !lo out * 208.67.222.222 -> 0.0.0.0/0 udp spt:53 dpt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.222.222 tcp spt:53 dpt:53
ACCEPT tcp opt -- in !lo out * 208.67.222.222 -> 0.0.0.0/0 tcp spt:53 dpts:1024:65535
ACCEPT udp opt -- in !lo out * 208.67.222.222 -> 0.0.0.0/0 udp spt:53 dpts:1024:65535
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.222.222 tcp spts:1024:65535 dpt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.67.222.222 udp spts:1024:65535 dpt:53
ACCEPT tcp opt -- in !lo out * 208.67.222.222 -> 0.0.0.0/0 tcp spts:1024:65535 dpt:53
ACCEPT udp opt -- in !lo out * 208.67.222.222 -> 0.0.0.0/0 udp spts:1024:65535 dpt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.222.222 tcp spt:53 dpts:1024:65535
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.67.222.222 udp spt:53 dpts:1024:65535
ACCEPT udp opt -- in !lo out * 208.67.220.220 -> 0.0.0.0/0 udp spt:53 dpt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.220.220 tcp spt:53 dpt:53
ACCEPT tcp opt -- in !lo out * 208.67.220.220 -> 0.0.0.0/0 tcp spt:53 dpts:1024:65535
ACCEPT udp opt -- in !lo out * 208.67.220.220 -> 0.0.0.0/0 udp spt:53 dpts:1024:65535
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.220.220 tcp spts:1024:65535 dpt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.67.220.220 udp spts:1024:65535 dpt:53
ACCEPT tcp opt -- in !lo out * 208.67.220.220 -> 0.0.0.0/0 tcp spts:1024:65535 dpt:53
ACCEPT udp opt -- in !lo out * 208.67.220.220 -> 0.0.0.0/0 udp spts:1024:65535 dpt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 208.67.220.220 tcp spt:53 dpts:1024:65535
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 208.67.220.220 udp spt:53 dpts:1024:65535
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:953
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2382
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7776
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7777
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7778
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7779
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8886
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8887
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8888
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8889
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:5558
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:113
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:953
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:2382
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:9999
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7776
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7777
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7778
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7779
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8886
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8887
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8888
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:8889
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:5558
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:953
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:113
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:123
ACCEPT udp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:953
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 1/sec burst 5
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 1/sec burst 5
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
-bash-3.1#
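The listing above is the place to check the policy against what a scan reports, and it also explains the earlier "port 21 still shows open" result from posts #6 and #7. The block below is added example code, not csf's or nmap's own. It reads the rule lines in the format csf printed them and (1) extracts the ports on which a NEW inbound TCP connection is ACCEPTed, (2) diffs that against the open ports in a constructed `nmap -oG` line, (3) reports whether an `ACCEPT all ... in lo` rule is present, which is why a scan run on the server against its own address goes over loopback and never reaches the per-port rules, and (4) lists the rules csf failed to load by pairing each `iptables: Unknown error` line with the rule printed immediately after it, which is how the listing reads. `RULE_LISTING` is a subset of the lines posted; `NMAP_GREPABLE` uses the documentation address 192.0.2.10 and is not a real scan.

```python
"""Checks over a `csf -r` listing and an nmap -oG result. Added example,
not csf's or nmap's code. RULE_LISTING is a subset of the posted listing;
NMAP_GREPABLE is constructed (192.0.2.10 is a documentation address)."""
import re

RULE_LISTING = """\
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:111
iptables: Unknown error 4294967295
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:7776
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT udp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:21
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
"""

# Constructed: what a scan run from ANOTHER host might print with -oG.
NMAP_GREPABLE = (
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 3306/filtered/tcp//mysql///"
)

# One rule line as csf prints it: target proto opt -- in IF out IF src -> dst [match]
RULE_RE = re.compile(
    r"^(?P<target>\S+) (?P<proto>\S+) opt -- in (?P<iface_in>\S+) out (?P<iface_out>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+)(?P<rest>.*)$"
)
ERROR_PREFIX = "iptables: "


def parse_rules(listing):
    """Yield a dict per rule line; error lines and chain messages are skipped."""
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            yield m.groupdict()


def _ports_in(rest):
    """Expand 'tcp dpt:22' or 'tcp dpts:1024:65535' into a set of port numbers."""
    m = re.search(r"dpts?:(\d+)(?::(\d+))?", rest)
    if not m:
        return set()
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return set(range(lo, hi + 1))


def allowed_inbound_tcp(listing):
    """Ports on which a NEW TCP connection arriving on a non-loopback
    interface is ACCEPTed. In the csf listing inbound rules read 'in !lo out *'."""
    allowed = set()
    for r in parse_rules(listing):
        if (r["target"] == "ACCEPT" and r["proto"] == "tcp"
                and r["iface_in"] == "!lo" and r["iface_out"] == "*"
                and "state NEW" in r["rest"]):
            allowed |= _ports_in(r["rest"])
    return allowed


def open_tcp_from_nmap(grepable):
    """TCP ports nmap reported as open in -oG output (closed/filtered are ignored)."""
    return {int(p) for p in re.findall(r"(\d+)/open/tcp", grepable)}


def unexpected_open(listing, grepable):
    """Ports a remote scan saw open that the inbound policy never ACCEPTs.
    Only meaningful for a scan from another host; see accepts_all_loopback()."""
    return open_tcp_from_nmap(grepable) - allowed_inbound_tcp(listing)


def accepts_all_loopback(listing):
    """True if an 'ACCEPT all ... in lo' rule exists. A scan run on the firewall
    host against its own address travels over lo, matches this rule and never
    reaches the per-port filters, so it only shows what is listening."""
    return any(r["target"] == "ACCEPT" and r["proto"] == "all" and r["iface_in"] == "lo"
               for r in parse_rules(listing))


def failed_rules(listing):
    """Rules csf could not load: each 'iptables: Unknown error' line is paired
    with the rule printed immediately after it, as in the posted listing."""
    lines = listing.splitlines()
    return [lines[i + 1] for i, l in enumerate(lines)
            if l.startswith(ERROR_PREFIX) and i + 1 < len(lines)]


if __name__ == "__main__":
    print("inbound TCP allowed  :", sorted(allowed_inbound_tcp(RULE_LISTING)))
    print("open but not allowed :", sorted(unexpected_open(RULE_LISTING, NMAP_GREPABLE)))
    print("self-scan bypasses it:", accepts_all_loopback(RULE_LISTING))
    for rule in failed_rules(RULE_LISTING):
        print("failed to load       :", rule[:45], "...")
```

Run this against a listing captured with `csf -r > csf.out 2>&1` and an `nmap -oG - <host>` line taken from a different machine; a non-empty `unexpected_open()` set is the finding worth chasing, while the same port showing open in a scan the server ran against itself is not, because of the loopback rule the third check reports.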
06-17-2008, 01:05 PM #14 Web Hosting Master (Join Date Nov 2007, Location Dallas, TX, Posts 9,064)
You can use NMAP to determine open ports and other sensitive information, such as footprinting (remote OS detection) and whether or not the remote host is just trying to "filter" the ports. NMAP would be great for scanning systems that have ICMP firewalls (specifically trying to block pings).
Once you have a firewall setup and would like to take it further than a simple NMAP scan, I would recommend using Nessus, which is a state of the art/high-speed vulnerability scanner - http://www.nessus.org/ - It won't just find the open ports and report them, but it will find holes in the firewall as well. Which can come in handy.
There are many companies that will scan/test your firewall for you (such as unspecificconsulting.com, though I'm not sure of their present status).
-mike