> The TIS gauntlet firewall modifies the BSDi kernel
> so that when packets are received on unserved ports the
> kernel logs a security alert via syslog. That way you
> don't have to be actively scanning the network for port
> scans and can just scan your syslog instead. I looked
> through the Linux security HOWTO and couldn't find any
> mention of this. Is this possible with the Linux kernel?
Actually I cloned this functionality in a kernel patch a while back, for
pretty much the same reason you're looking (got used to the TIS fw logging
of unserved ports, and missed it). I also added detection of bad/invalid
TCP flag combinations (such as RST+SYN, FIN+SYN, etc). It detects,
confuses, and/or defeats a number of stealth scanning or stack-
identification tools such as nmap, queso, etc. I make no claims that it's
perfect, or cleanly done (or that it works at all, for that matter ;).
Much of my "original" code is inspired by (and some lifted directly from :)
Jesse Off's ktcpd-strobemaster patch from a while ago, see:
http://www.progressive-comp.com/Lists/?l=bugtraq&m=90221104525839
...for his post about that.
My patches are against 2.0.35. Actually I have several things glommed
together - Solar Designer's secure-linux patches, and various other 2.0.35
patches I thought were important (security stuff mostly). Most all of them
are 'make config'-time options. You can find the patches, and read more
about them, at:
http://www.progressive-comp.com/~hlein/hap-linux/
Hank Leininger <hlein@progressive-comp.com>
P.S. Alan: I've thought for a while of pointing you to the above, to see
what you think. I'm sure you will find the code horrid, but I'm curious if
you like the idea. I don't see why some of the stuff - connections to
unserved ports, bad TCP flags, etc - couldn't go into the kernel if Done
Right[TM]. At least as CONFIG options and/or ip(fwadm|chains) rules.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
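The two checks Hank describes (alerting on connection attempts to unserved ports, and rejecting TCP flag combinations no real stack sends, such as SYN+FIN or SYN+RST) can be shown in user-space C without the kernel plumbing. The block below is an added example written for this page; it is not code from the hap-linux patch or from Jesse Off's ktcpd-strobemaster patch. The served-port table, the 192.0.2.10 source address, the constructed 20-byte TCP headers and the exact wording of the log lines are all assumptions made for the example; a kernel implementation would consult its socket tables and emit the line via printk/syslog instead of a buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits in the 14th byte of the header (RFC 793 layout). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

/* Constructed stand-in for "the TCP ports this host serves".  A kernel would
 * look at its listening sockets; this fixed list is an assumption of the example. */
static const uint16_t served_tcp_ports[] = { 22, 25, 80 };

static int port_is_served(uint16_t port)
{
    size_t n = sizeof served_tcp_ports / sizeof served_tcp_ports[0];
    for (size_t i = 0; i < n; i++)
        if (served_tcp_ports[i] == port) return 1;
    return 0;
}

/* Classify a flag byte: NULL if a conforming TCP implementation could send it,
 * otherwise a short reason.  The most specific pattern is tested first. */
const char *tcp_flags_anomaly(uint8_t flags)
{
    uint8_t f = flags & 0x3f;                       /* ignore ECE/CWR bits */
    uint8_t xmas = TH_FIN | TH_PSH | TH_URG;
    if (f == 0)                                 return "null scan (no flags)";
    if ((f & TH_SYN) && (f & TH_FIN))           return "SYN+FIN";
    if ((f & TH_SYN) && (f & TH_RST))           return "SYN+RST";
    if ((f & xmas) == xmas && !(f & TH_ACK))    return "xmas scan (FIN+PSH+URG, no ACK)";
    if ((f & TH_FIN) && !(f & TH_ACK))          return "FIN without ACK";
    return NULL;                                /* SYN, SYN+ACK, ACK, FIN+ACK, RST... */
}

/* Build a minimal 20-byte TCP header for a constructed test segment. */
void build_tcp_header(uint8_t *buf, uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, 20);
    buf[0] = sport >> 8; buf[1] = sport & 0xff;
    buf[2] = dport >> 8; buf[3] = dport & 0xff;
    buf[12] = 0x50;                  /* data offset 5 words, no options */
    buf[13] = flags;
    buf[14] = 0x20; buf[15] = 0x00;  /* window 8192 */
}

/* Inspect one inbound TCP segment.  Returns 0 = nothing to report,
 * 1 = malformed header or bad flag combination, 2 = SYN to an unserved port.
 * The alert text (what a kernel would hand to syslog) is written to out. */
int inspect_tcp_segment(const char *src, const uint8_t *tcp, size_t len,
                        char *out, size_t outlen)
{
    if (len < 20) {
        snprintf(out, outlen, "security alert: truncated TCP header from %s", src);
        return 1;
    }
    uint16_t sport = (uint16_t)(tcp[0] << 8 | tcp[1]);
    uint16_t dport = (uint16_t)(tcp[2] << 8 | tcp[3]);
    uint8_t flags = tcp[13];
    const char *why = tcp_flags_anomaly(flags);
    if (why) {
        snprintf(out, outlen, "security alert: bad TCP flags (%s) from %s:%u to port %u",
                 why, src, sport, dport);
        return 1;
    }
    /* Only a bare SYN is a new connection attempt; SYN+ACK is a reply to our own. */
    if ((flags & TH_SYN) && !(flags & TH_ACK) && !port_is_served(dport)) {
        snprintf(out, outlen, "security alert: connection attempt to unserved TCP port %u from %s:%u",
                 dport, src, sport);
        return 2;
    }
    out[0] = '\0';
    return 0;
}

int main(void)
{
    uint8_t seg[20];
    char line[160];
    /* Constructed probes: a normal SYN, a SYN to a closed port, and the
     * invalid combinations the text mentions. */
    struct { uint16_t dport; uint8_t flags; } probes[] = {
        { 80, TH_SYN }, { 31337, TH_SYN }, { 80, TH_SYN | TH_FIN },
        { 25, TH_SYN | TH_RST }, { 25, 0 }, { 22, TH_FIN | TH_PSH | TH_URG }, { 80, TH_ACK },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        build_tcp_header(seg, 40000, probes[i].dport, probes[i].flags);
        int rc = inspect_tcp_segment("192.0.2.10", seg, sizeof seg, line, sizeof line);
        printf("port %5u flags 0x%02x -> %d %s\n", probes[i].dport, probes[i].flags, rc, line);
    }
    return 0;
}
```

The order of checks matters: the flag test runs before the port test so that a SYN+FIN probe to an open port is still logged, and a bare RST or a FIN+ACK is deliberately not treated as an anomaly, since both occur in ordinary connection teardown and would otherwise flood the log.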