Shaun Wingrin (South Africa) asked:

Linux CentOS Server Probe attack - how to detect and block

Say,
The IP xxx.xxx.xxx.xxx seriously probed the server.
Ideally we should try to find some software that if an IP starts to probe the
server it gets automatically blocked.
Do you know of software for this?
RedHat/CentOS server
ASKER CERTIFIED SOLUTION
ahoffmann (Germany)
Shaun Wingrin (ASKER)

# or a bit more lazy
Is perhaps on the track...
Please explain this command.

However we need a program that automatically can detect and block this type of probing!
SOLUTION
Linux Guru (India)
I use fail2ban [with iptables].  That's what I would recommend.
If you have your IPtables firewall set up properly, only certain ports (for which you have a service running) will be open...

But you're right if you say "dropping" all the failed requests in a port scan isn't enough... that's why I prefer a "tarpit" approach...

Read Symantec's take here:

In addition, even though I allow SSH access to my server, I use fail2ban to stop potential attackers from attempting to break in the old-fashioned way (password guessing).

Just my 2-cents worth...

Dan
IT4SOHO
tx for feedback  - investigating...
dbompart

IIRC fail2ban's main purpose is to detect failed logins and block those IPs, but not to detect portscans or whatever
anyway, step in the right direction ...

Actually there are several tools and several ways; the most important thing is to find out how to make it work for you. For example, with fail2ban you could have a failregex that reads from your syslog/messages all entries with a specific pattern, defined by iptables with its "-j LOG --log-prefix", so when iptables logs a PORT DENIED: line it will append it to syslog/messages and fail2ban will detect the IP address and automatically ban it.

In short, in iptables (the LOG rule, with <chain_name> left as a placeholder for your own chain):

-A <chain_name> -j LOG --log-prefix "PORT DENIED: " --log-level 5 --log-ip-options --log-tcp-options --log-tcp-sequence

In fail2ban, the filter (filter.d/portscan.conf, which needs a [Definition] section to be loaded):

[Definition]
failregex = PORT DENIED: .* SRC=<HOST>

and the jail (jail.local), whose filter name must match the filter file:

[portscan]
enabled  = true
filter   = portscan
action   = iptables[name=portscan]
logpath  = /var/log/messages
maxretry = 3


P.S.: this was not from my personal knowledge; it's just an example I found and documented at: http://www.irrexpr.com/2013/06/using-iptables-logging-and-fail2ban-to.html
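An added example, not from this thread and not fail2ban's own code, that emulates what the filter and jail above do: it runs the failregex over constructed /var/log/messages lines written by the iptables LOG rule and bans a source once it reaches maxretry hits inside a findtime window. Assumptions: fail2ban's <HOST> token is narrowed here to an IPv4 pattern, the sample log lines are constructed, and the findtime default is a made-up ten minutes.

```python
import re
from datetime import datetime, timedelta

# Constructed /var/log/messages lines in the shape iptables produces with
# -j LOG --log-prefix "PORT DENIED: " (kernel fields abbreviated).
SAMPLE_LOG = """\
Jun 12 10:00:01 host kernel: PORT DENIED: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=54321 DPT=23
Jun 12 10:00:02 host kernel: PORT DENIED: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=54322 DPT=445
Jun 12 10:00:02 host sshd[123]: Accepted publickey for admin from 198.51.100.4 port 50000 ssh2
Jun 12 10:00:03 host kernel: PORT DENIED: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=54323 DPT=3389
Jun 12 10:00:05 host kernel: PORT DENIED: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1000 DPT=161
Jun 12 10:30:00 host kernel: PORT DENIED: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1001 DPT=162
"""

# The failregex from the jail above; fail2ban expands <HOST> itself (IPv4, IPv6
# and hostnames). This example narrows it to IPv4 (assumption).
FAILREGEX = r"PORT DENIED: .* SRC=<HOST>"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line):
    """Return (timestamp, host) when the line matches the failregex, else None."""
    m = PATTERN.search(line)
    if not m:
        return None
    ts_match = SYSLOG_TS.match(line)
    if not ts_match:
        return None
    ts = datetime.strptime(ts_match.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("host")


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Ban a host once it has maxretry matches within findtime (fail2ban jail logic)."""
    hits = {}
    banned = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # lines that do not match the failregex are ignored
        ts, host = parsed
        if host in banned:
            continue
        window = [t for t in hits.get(host, []) if ts - t <= findtime]
        window.append(ts)
        hits[host] = window
        if len(window) >= maxretry:
            banned.append(host)
    return banned
```

With the sample data only 203.0.113.7 is banned; 198.51.100.9 has two hits half an hour apart, so they fall outside the window and never reach maxretry.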
tx!