# NetCat



## BillFinkNC (Mar 8, 2012)

I'm researching more server/network monitoring utilities.

I've installed from the ports 'dosdetector' on one of my hosts, and am using NetCat to start a scan from a second host. (Both are using FreeBSD 8.x) I'm telling 'nc' to port-scan the server running 'dosdetector' to see the results.

I'm sure I'm overlooking something but, when I run the scan from the second host, 'dosdetector' reports the source IP of the scan coming from an IP address in Singapore. 39.218.x.x??

The command I'm passing to 'nc' is: [cmd=]nc -z myhost.mydomain.com 1-32768[/cmd]

Shouldn't 'dosdetector' be reporting the warnings as coming from the host that 'nc' has been executed from?

Any suggestions or what am I overlooking? 

:\

Thanks.


----------



## SirDice (Mar 8, 2012)

BillFinkNC said:
			
		

> Shouldn't 'dosdetector' be reporting the warnings as coming from the host that 'nc' has been executed from?


It should indeed.


----------



## BillFinkNC (Mar 8, 2012)

*NC Re-evaluate*

Thanks for your reply - you've confirmed my concerns.

If it's a port issue, who needs to know this is happening?

It could be my host that's reporting the issue incorrectly? Though it's not likely unless it's 'dosdetector' that has some issue.

All were installed from the DVD which was downloaded directly from the home FreeBSD.ORG site and have always been in the ports-tree on my server. Excluding email account holders accessing their email via Squirrellmail, (web-pages) there is absolutely no other accounts that log on locally. I'm very diligent monitoring the security messages and have never been alerted to suspicious behavior.

I consider myself as having a modest background with FreeBSD - is there anyone else reading this thread that would be willing to help with determining which is the culprit? 

'nc' or 'netcat' or 'dosdetector' worse yet, my server? x(


----------



## wblock@ (Mar 8, 2012)

Squirrelmail had a security problem not too long ago.  But before panicking, are you sure the message isn't showing an auto-assigned hostname where the IP values are reversed?  Posting the exact message would be helpful, with the IP address obscured if you like.


----------



## BillFinkNC (Mar 8, 2012)

Thanks for your input - no, no panic (yet) 

I've four FreeBSD servers trying to eliminate any misconfiguration. All four hosts display the same results. One of these two hosts is ~ 3 weeks since I did a complete, off the DVD, clean install - it's never had SquirrelMail nor anything other than what's out-of-box installed on it. (portsentry, that's it.)

Here are my results from two scenarios: (*The "39" IP address you see in the output below are the real IP addresses from the output)

(Scanning Machine Output)

[
	
	



```
root@scanning-host ~]# nc -z scanned-server.dom.com 1-32768

Connection to scanned-server.dom.com 1 port [tcp/tcpmux] succeeded!
Connection to scanned-server.dom.com 7 port [tcp/echo] succeeded!
Connection to scanned-server.dom.com 9 port [tcp/discard] succeeded!
Connection to scanned-server.dom.com 11 port [tcp/systat] succeeded!
Connection to scanned-server.dom.com 15 port [tcp/*] succeeded!
Connection to scanned-server.dom.com 21 port [tcp/ftp] succeeded!
Connection to scanned-server.dom.com 25 port [tcp/smtp] succeeded!
...
```
this goes on

(dosdector's output on the machine that I port-scanned)


```
Using built-in scoring rules table...
Starting capturing engine on dc0...
Thu Mar  8 17:55:03 2012 CRITICAL : 39.218.98.191 got 330 points.
Thu Mar  8 17:55:06 2012 Warning : 39.218.98.191 got 193 points.
Thu Mar  8 17:55:10 2012 Warning : 39.218.98.191 got 185 points.
```

Here is the scenario with exchanging the hosts: (scanner and detector swapped)


```
(scanner)
Connection to scanned-server.com.com 21 port [tcp/ftp] succeeded!
Connection to scanned-server.com 25 port [tcp/smtp] succeeded!
Connection to scanned-server.com 53 port [tcp/domain] succeeded!
Connection to scanned-server.com 80 port [tcp/http] succeeded!
Connection to scanned-server.com 143 port [tcp/imap] succeeded!
Connection to scanned-server.com 465 port [tcp/smtps] succeeded!
...

(detector)

Using built-in scoring rules table...
Starting capturing engine on nfe0...
Thu Mar  8 17:01:35 2012 CRITICAL : 39.218.70.167 got 322 points.
Thu Mar  8 17:01:36 2012 Warning : 39.218.70.167 got 193 points.
Thu Mar  8 17:01:41 2012 Warning : 39.218.70.167 got 191 points.
Thu Mar  8 17:01:42 2012 Warning : 39.218.70.167 got 149 points.
...
```

On the occasions where the scanning machine's IP is NAT'd does 'dosdetector' output no display for the source IP at all. (Blank)


```
Thu Mar  8 17:01:35 2012 CRITICAL : got 322 points.
Thu Mar  8 17:01:36 2012 Warning : got 193 points.
Thu Mar  8 17:01:41 2012 Warning : got 191 points.
Thu Mar  8 17:01:42 2012 Warning : got 149 points.
```
Perhaps it may have something to do with 'built-in scoring rules' vice my not making any of my own? I just find it more concerning the output displays two separate IP addresses from the log but going to the same subnet. (little panic)

(Five minutes after these tests were ran) On the scanned host I just added those IP addresses into the 'black-hole' route - and this has me a little more concerned, dosdetector reports a 'blank' IP address as you see above. (little more panic)

Appreciate someone helping me out here and putting a second set of eyes on this. 

Thank you.


----------



## SirDice (Mar 9, 2012)

BillFinkNC said:
			
		

> ```
> root@scanning-host ~]# nc -z scanned-server.dom.com 1-32768
> 
> Connection to scanned-server.dom.com 1 port [tcp/tcpmux] succeeded!
> ...


Are those ports really open? They shouldn't be but you may have enabled them for test. But if the ports aren't open there's something else going on.


----------



## BillFinkNC (Mar 9, 2012)

Thank you, for pointing this out. 

These ports were not opened by me and I'll tend to closing them right-away.

(Another reason I started researching monitoring tools.)

May I ask if there is any application you can recommend that helps discover abnormalities such as this?

Bill


----------



## BillFinkNC (Mar 9, 2012)

In my previous post I neglected to mention what it is that's listening on those ports.

I have 'portsentry' installed on every host I've installed FreeBSD on - which is listening on those ports. On a side note, if any host scans those ports their connection is dropped and the originating IP is added to the black-hole routing table.

I recognize it's not fool-proof but it is another obstacle that helps prevent unacceptable visitors to the box.


----------



## SirDice (Mar 9, 2012)

If you want to scan machines I highly recommend security/nmap. That's pretty much the standard port scanner used by security people.


----------



## BillFinkNC (Mar 9, 2012)

Thanks!

I'm not wanting to scan any machine - I was using 'nc' for testing 'dosdetector' 

My initial objective is to look for a security utility that alerts me (and blocks) all of those FTP script weenies who manage to show up every so often. Until recently I've never enabled the FTP daemon on any of my FreeBSD boxes, but now I need one. 

(you know, those annoying script kiddies that start an FTP scan going through a pre-compiled list of username/password combinations) 

It's more of an annoyance seeing those failed-login entries, I realize they're not going to go away, but I'm hoping to minimize them.

A good example is where 'portsentry' takes care of the port-scanner weenies automatically. If they scan any of those ports: The utility automatically adds the offending host's IP address to the list of those in the black-hole routing table.  

It's a little more complex with FTP logins. i.e. many of the failed logins are legit from people who forget their passwords.  

My thinking is to have a cron entry check every 15 minutes or so for those entries and if xx-failed-login-attempts is => xxx then add that IP to the black-hole table as well.

I'm now in research mode trying to either find a utility or write my own script for parsing the logs and dropping the IP of the culprit(s) by adding their IP to the black-hole routing table.

I'd certainly appreciate any other recommendation anyone has for doing such or knows of a utility that does this out-of-the-box. There are just so many utilities in the ports that I'd be going through - it would save me many hours.

Hope that all makes sense?


----------



## SirDice (Mar 9, 2012)

I use security/sshguard-pf to protect my SSH. It can also be used to protect FTP and a few other services.

SSHGuard works really good and is very simple to set up. It'll automatically block an IP after a few bad attempts. Blocking is done for a certain amount of time then it's released again. This will come in handy if you have butterfingers while trying to login on your own systems. If you get locked out just wait an hour or so and try again. It's enough to thwart those brute-force scans.

Plain port scans I don't care about. I don't even log them. Just make sure ports that aren't used are blocked.


----------



## BillFinkNC (Mar 9, 2012)

There isn't anyone else around here or close-by that's able to help. 

Great and many thanks! Looks like it'll do exactly what I need - you just saved me a bunch of research and time developing something that I should have known that is very likely to already exist.

I just took a look and installed 'sshguard' and it works not only for my initial intent, but I'll be using for the other services that suffer from those annoying scripts' attempts.


----------



## SirDice (Mar 9, 2012)

Example of what it looks like:

```
Mar  9 05:58:05 vps-2417-1 sshd[93054]: Invalid user jaf from 61.19.42.54
Mar  9 08:38:43 vps-2417-1 sshd[93533]: Invalid user cron from 61.7.228.138
Mar  9 08:38:45 vps-2417-1 sshd[93535]: Invalid user cron from 61.7.228.138
Mar  9 08:38:47 vps-2417-1 sshd[93537]: Invalid user test1 from 61.7.228.138
Mar  9 08:38:49 vps-2417-1 sshd[93539]: Invalid user user1 from 61.7.228.138
Mar  9 08:38:49 vps-2417-1 sshguard[92144]: Blocking 61.7.228.138:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Mar  9 09:43:33 vps-2417-1 sshd[93774]: Invalid user oracle from 218.75.172.161
Mar  9 09:43:36 vps-2417-1 sshd[93776]: Invalid user william from 218.75.172.161
Mar  9 09:43:40 vps-2417-1 sshd[93778]: Invalid user william from 218.75.172.161
Mar  9 09:43:43 vps-2417-1 sshd[93780]: Invalid user test from 218.75.172.161
Mar  9 09:43:43 vps-2417-1 sshguard[92144]: Blocking 218.75.172.161:4 for >630secs: 40 danger in 4 attacks over 10 seconds (all: 40d in 1 abuses over 10s).
```


----------



## BillFinkNC (Mar 9, 2012)

Now I'm needing to test my configuration - Because I don't ever have any ill intentions am I now needing to find a script to test brute-force logins, with. 

:\

As far as I know, 'nc' or 'netcat' just port scans.

I've read on the developer's site that too, the latest 'sshguard' contains 'LogSucker' which appears to make it an even better utility.

I truly appreciate all of your help with this.


----------

