I'm participating in a computer security competition this weekend and I'm trying to make a script that will block an IP address for 5 minutes if I get port scanned. So I decided I could use NCAT and have it execute a iptables script if someone tries to connect to a port I am listening to. The problem is, I don't know how to get the IP address of the client that is connecting. Is this possible to do?
I don't want to use honeypots because they can be detected by many scanners, and any custom scripts I have, I have to write when I'm in the competition room. Can anyone help me out with this?
Thanks
Most portscans won't do a full tcp handshake, they will run a syn scan. So netcat would never recieve a connection. I recommend psad. On debian systems you can get it with:
aptitude install psad
Also, such a question should be asked at https://security.stackexchange.com/
Related
I've set up tailscale and connected to an exit node on my VPS on vultr.com. Predictably, I was kicked out and couldn't reconnect, as the VPS's public IP address has changed.
I can reboot the VPS and try again. What steps will I need to take? Does my VPS running behind an exit node even have a unique public address (which?), or does it need to be set up for something like port forwarding?
From looking at tailscale documentation, it looks like they came up with their own ssh, why? Why is the standard ssh inadequate for the purpose? I am not the admin of my tailscale network, and the admin is swamped right now. What can I do?
SSH uses TCP as transport and therefore requires the (srcaddr, srcport, dstaddr, dstport) tuple to be constant over the connection's lifetime.
I believe that since tailscale rotates connections dynamically, it is more suitable for use by clients than servers in a traditional client-server model, unless it provides an 'internal' virtual network over the distributed transport (which would kind of defeat the purpose of covering your tracks).
If you want to connect to your VPS over tailscale, you need to use their tools probably because of that. You can still connect directly to your VPS, though, through plain Internet, if it has any address of its own, and is not firewalled away (or similarly, NATed away). Your provider should either show you the address, or even better, provide access to out-of-band (like serial-port) command line access, where you can query the current addresses using commands like ip addr show.
In your Tailscale Admin console you should be able to see the machine's IP. Just use normal ssh and login that way.
So instead of ssh user#8.8.8.8 you'd do ssh user#100.64.0.1. Tailscale's own ssh client is useful if you want to hook deeper into their MagicDNS stuff, but it's not meant to be the only way to ssh into your machine.
If you run into errors, ping the machine you want to connect to (tailscale ping vps-machine-name). That should help you debug any tailscale client connection problems.
We have a system that implements reverse ssh tunnel to enable remote port forwarding.
This enables to expose devices on local network via a Public IP.
However, we're achieving this by a static port allocation, i.e. We've mapped Serial No.s of devices to Ports and each time a request comes to our server with Serial No. , we forward it to the designated port.
Obviously this design isn't scalable and we want to replace it with dynamic port allocation, such that the server itself takes care of allocating the port and freeing it once the device goes offline.
It'd be great to have suggestions on how this can be achieved.
Thanks in anticipation and apologies for my lack of knowledge in case I didn't explain it better (I'm new to this)
This can be solved by using a ssh command script in ~/.ssh/authorized_keys on your server.
command="reverse_server.py" ssh-rsa <publicKey>
First, a client has to connect to the script and send it's own serial (in my case a use the MAC-adress of one NIC).
The server looks into a database and tell the assigned port number or creates a new one for an unknown serial.
In the next step, the client can connect, using the reported port number as reverse port.
Btw. You should add some logic to monitor and recreate the tunnel if it disconnects or get stuck.
I have an interesting scenario. I've searched every where, and I have bits and pieces of information, however, I don't have the full picture, and it's driving me nuts.
I also want to mention I'm no where near sysadmin status, however, I can get around my infrastructure with enough to get the job done.
I've got 3 end points. I've got a device inside a network (endpoint#1), that's setup a reverse tunnel to one of my servers (endpoint#2). I've got another server that has to send requests (endpoint#3) to the device (endpoint#1) through the connection server (endpoint#2).
I'm currently able to sustain connections between endpoint#1 and endpoint#2, and send requests from endpoint#2 to endpoint#1 without issue, however, I need endpoint#3 to be able to talk to endpoint#1 through endpoint#2.
I've tried searching for port forwarding scenarios and reverse tunnel scenarios, however, whatever it is that I'm doing is not allowing network traffic through.
How can I set up http traffic to GET/POST from endpoint#3 to endpoint#2 and pass through to endpoint#1 through the specified reverse tunnel (on it's specified port)? HELP!
Found the answer. It's using roughly the same syntax that I'm using on SSH to setup the remote server, however, it's adding the binding ip address (interal ip address of the network that it's on) and using GatewayPorts clientspecified in the sshd_config (although, I'm not 100% I needed this - it is an option I set though).
On endpoint#1:
- ssh -R [endpoint#2.internal.ip.address]:[port]:[localhost]:[port-to-map-to-on-endpoint#1] user#endpoint#2
On endpoint#3:
- curl -X POST -d {data} http://endpoint#2.internal.ip.address/path/to/resource
This will then allow the call on endpoint#3 to be passed through to endpoint#1.
Hi i am creating server/client application using .net.Sockets something like cybercafe software.
Im following this example on codeproject Simple Socket Chat Program
there is no problem i run it on local pc. But when i run the client in the other pc in network i got a problem.
says :
No connection could be made because the target machine actively refused it.
I tried to use netstat -a on cmd and i found out that the portnumbers of all the p.c on our network always changes.
Is there any way to do it without using portnumber and just hostname or ipaddress only.
I need help...
Thanks in Regards
First, the random port numbers under Local Address in netstat are done so that everything gets a unique local port.
Also, a port is necessary for sockets.
The problem you are having is most likely because the firewall where your server software is located is blocking that port. For Windows 7 (and presumably Vista), you can unblock the port by running WF.msc, going to Inbound Rules on the left, clicking New Rule on the right, and adding a new program or port rule. The rest of the steps should be self-explanatory.
I want to drop/block SSL packets between two machines (linux).
I can see the packets using ethereal and use iproute command (linux) to drop these packets.
Is this possible? If yes, what should I use with the iproute command?
Thanks.
You can't identify SSL packets at all by their contents, except for the first one in each direction. You could do it via the port number, as long as no form of START TLS was in use in the protocol, so it wouldn't work for SMTP, LDAP, etc. Otherwise you would have to follow entire TCP streams that start with a ClientHello.
Why do you want to do this?