NAME
nullProtect - Script used to intercept port scanning attempts performed with a NULL scan.
SYNOPSIS
nullProtect RANGE EVT_BOUND RED_BOUND FILE_IP_BLOCKED NOTIFY FILTER [FREQ_EMAIL]
DESCRIPTION
It is used to intercept port scanning attempts that use the NULL scan technique. The attacker sends many TCP packets in order to obtain information about ports; each packet has no flags enabled. When a particular threshold, fixed in the configuration, is reached, the source ip is blocked because it is responsible for the port scanning.
OPTIONS
- RANGE
It is the value, in seconds, of the temporal window to analyze. If N is the value of RANGE, the temporal window to analyze is [ NOW - N , NOW ].
- EVT_BOUND
It is the maximum number of times the event may occur inside the temporal window (RANGE). The source ip found in the log file is considered responsible. When the threshold is exceeded, depending on the configuration, the source ip is blocked or the event is simply notified. If an ip is blocked, the moment at which this happens is also recorded, as universal time (UTC) in seconds.
- RED_BOUND
It is the number of seconds during which a blocked ip cannot communicate through the machine where the program is installed. When the redemption threshold is reached, the blocked ip is unlocked. The check is performed in the following way:
IF ( NOW - BLOCKING_TIME > RED_BOUND ) UNLOCK BLOCKED IP ELSE BLOCKED IP REMAINS BLOCKED
- FILE_IP_BLOCKED
It defines the complete path of the file that contains information about blocked ips.
- NOTIFY
There are 4 kinds of notification option: MAIL, LOG, ALL, NOTHING.
- MAIL
It sends a notification email to all addresses specified in the file /etc/aLid/email.conf
- LOG
It writes a line in the application's log file.
- ALL
It includes both notification types, MAIL and LOG.
- NOTHING
No notification.
- FILTER
It specifies the policy to adopt for a detected ip. Accepted options are: DROP and NODROP.
- DROP
It blocks the detected ip in the firewall by applying a specific rule.
- NODROP
It does not apply a drop rule in the firewall.
- FREQ_EMAIL
It specifies the frequency, in seconds, at which notification mails are sent. It is optional and depends on the presence of the MAIL or LOG options.
EXAMPLES
- nullProtect 10 5 7 /etc/aLid/ip_blocked_nullprotect all drop 60
It executes the script using a range of 10 seconds, 5 maximum attempts in the temporal window, and 7 seconds as the redemption threshold. ip_blocked_nullprotect is the name of the file used, all is the notification type, drop is the kind of filter, and 60 is the mail frequency.
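As an added illustration, not part of aLid or this script, the following Python sketch models the decision loop described above (events counted in [ NOW - RANGE , NOW ], blocking when EVT_BOUND is exceeded, redemption when NOW - BLOCKING_TIME > RED_BOUND) using the parameters of the example invocation. The log line layout, ip addresses and timestamps are constructed for the example and are not the real aLid log or FILE_IP_BLOCKED format.

```python
import re

# Constructed log format for this example (not aLid's real log layout):
# "<epoch seconds> NULLSCAN SRC=<source ip>", one line per flagless TCP packet seen.
LINE_RE = re.compile(r"^(\d+) NULLSCAN SRC=(\S+)$")

# Constructed sample log: 10.0.0.5 sends 6 flagless packets inside the window
# (plus one older packet outside it); 10.0.0.9 sends only 3.
LOG = ["985 NULLSCAN SRC=10.0.0.5"] + \
      [f"{t} NULLSCAN SRC=10.0.0.5" for t in range(991, 997)] + \
      [f"{t} NULLSCAN SRC=10.0.0.9" for t in (992, 994, 996)]

def events_in_window(lines, now, range_s):
    """Count NULL-scan events per source ip whose timestamp lies in [NOW - RANGE, NOW]."""
    counts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m and now - range_s <= int(m.group(1)) <= now:
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return counts

def redeem(blocked, now, red_bound):
    """Unlock ips whose redemption threshold has passed: NOW - BLOCKING_TIME > RED_BOUND."""
    return {ip: t for ip, t in blocked.items() if now - t <= red_bound}

def evaluate(lines, blocked, now, range_s, evt_bound, red_bound, filter_policy):
    """One pass of the decision loop.

    blocked maps ip -> blocking time (UTC seconds). Returns the updated map and a
    list of (action, ip, count) tuples: "DROP" when FILTER is drop, "NOTIFY" when
    FILTER is nodrop (threshold exceeded, but no firewall rule and nothing stored).
    """
    blocked = redeem(blocked, now, red_bound)
    actions = []
    for ip, n in events_in_window(lines, now, range_s).items():
        if n > evt_bound and ip not in blocked:
            if filter_policy == "drop":
                blocked[ip] = now          # the value that would go to FILE_IP_BLOCKED
                actions.append(("DROP", ip, n))
            else:
                actions.append(("NOTIFY", ip, n))
    return blocked, actions

if __name__ == "__main__":
    # Same parameters as the EXAMPLES section: RANGE=10, EVT_BOUND=5, RED_BOUND=7, drop
    blocked, actions = evaluate(LOG, {}, 1000, 10, 5, 7, "drop")
    print(actions, blocked)                  # [('DROP', '10.0.0.5', 6)] {'10.0.0.5': 1000}
    print(redeem(blocked, 1007, 7), redeem(blocked, 1008, 7))  # {'10.0.0.5': 1000} {}
```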
FILES
REQUIREMENT
- DateTime
DateTime - Perl library from the CPAN community
SEE ALSO
sharedTail, aLid, aLid.conf
AUTHOR
Andrea Martire (andreamartire@gmail.com)
COPYRIGHT AND LICENSE
Copyright © 2010 Andrea Martire <andreamartire@gmail.com>. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.