Portspoof - Tool to provide Snooping/DOS defenses for PUPs
gcmartin

Joined: 14 Oct 2005
Posts: 4292
Location: Earth

PostPosted: Tue 04 Mar 2014, 05:40    Post subject:  Portspoof - Tool to provide Snooping/DOS defenses for PUPs  

Original Request
Can anyone make a PET for community use of this Defense tool? The Puppy Installation version of this tool is posted by @Musher0, in the very next post.

Description
Quote:
The Portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. It is meant to be a lightweight, fast, portable and secure addition.

The general goal of the program is to make the port scanning software process slow and output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.
Please thank @Musher0 for bringing this to Puppyland.

Hope this helps
Edited: Subject and Description Paragraph toward my post's restructure

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... It's time to show that we know this!
3 Different Puppy Search Engine or use DogPile

Last edited by gcmartin on Tue 04 Mar 2014, 13:32; edited 1 time in total
musher0


Joined: 04 Jan 2009
Posts: 4245
Location: Gatineau (Qc), Canada

PostPosted: Tue 04 Mar 2014, 09:18    Post subject:  

Hi, gcmartin.

Here you go, portspoof-1.1.pet! (284 KB)
http://www65.zippyshare.com/v/46304739/file.html (The big red DOWNLOAD NOW button in the upper right, not the green or blue ones.)

Now, it would be great if a proper SysOp could tell us how to configure it properly!
There is an explanation starting at # 2 here:
https://github.com/drk1wi/portspoof/blob/master/DOCS
but it's Martian to me!

Thanks in advance.

BFN.

musher0

_________________
"Logical entities must not be multiplied needlessly." / "Il ne faut pas multiplier les êtres logiques inutilement." (Ockham)
gcmartin

Joined: 14 Oct 2005
Posts: 4292
Location: Earth

PostPosted: Tue 04 Mar 2014, 12:58    Post subject: This tool appears to address Denial of Service concerns  

Great!
musher0 wrote:
... it would be great if a proper SysOp could tell us how to configure it properly ...
This should help us.

Here to help

musher0


Joined: 04 Jan 2009
Posts: 4245
Location: Gatineau (Qc), Canada

PostPosted: Tue 04 Mar 2014, 18:35    Post subject: Re: This tool appears to address Denial of Service concerns  

gcmartin wrote:
Great!
musher0 wrote:
... it would be great if a proper SysOp could tell us how to configure it properly ...
This should help us.

Here to help


Hi, gcmartin.

Nice little article. Hehe, with this little utility, now the joke's on "them"! You can set
portspoof so it takes an attacker 30 hours to scan the computer ports: if that's not a deterrent...
And send the wolf a copy of Little Red Riding Hood! I love this programmer's sense of humour!

My only concern would be how to set up the iptables correctly. I would not want portspoof to
interfere with my regular connection, say, with freesbee.

Thanks for finding this, BTW.

BFN.

musher0

NickAu


Joined: 30 Dec 2013
Posts: 186
Location: Far North Coast NSW ɹǝpunuʍop

PostPosted: Wed 05 Mar 2014, 00:42    Post subject:  

Quote:
Many attackers simply perform a scan, which is easily automated with tools like Nmap. An attacker who discovers a firewall and similar defensive system can often guess which ports and services are worth attacking


So this would be like the second line of defence?

The first being Stealth: your computer staying silent on the net, not responding to any requests. See GRC Shields Up, https://www.grc.com/default.htm; I passed, see attachment.

Then this?

Then my router?

Then my firewall?
[Attachment: original.jpeg, 178.72 KB]

_________________
Precise Puppy 5.7.1 Retro Fatty Edition. Hp Compaq 2510p 2x Intel(R) Core(TM) 2 Duo Cpu U7700@ 1.33 ghz,2 gig ram Booting from 8 gig micro USB + 32 gig SD card instead of HDD
musher0


Joined: 04 Jan 2009
Posts: 4245
Location: Gatineau (Qc), Canada

PostPosted: Wed 05 Mar 2014, 01:14    Post subject:  

Hi, Nick.

I did compile portspoof for Puppy, but I am no SysAdmin. Which is why I hope a proper one will show up on this thread and answer your questions and mine.

BFN.

musher0

NickAu


Joined: 30 Dec 2013
Posts: 186
Location: Far North Coast NSW ɹǝpunuʍop

PostPosted: Wed 05 Mar 2014, 02:02    Post subject:  

No probs musher0.

But you can see why I ask? As a general security tool it would be line 2. If they can't see me (stealth) they can't target me?

If they can see me this tool will drive them mad.

If they get by this tool then they have to breach any router settings and firewall.

After that they need to bypass my software firewall.

I too want more info so I can use it. I love this sort of stuff. It's something that would drive the kids mad next time they TRIED to access my PC thru the network.

PS

And any good firewall will give you stealth ability. Your PC should never respond to any ping or unsolicited request.

Not good:
Your computer has responded that this port exists but is currently closed to connections.

Good:
There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

gcmartin

Joined: 14 Oct 2005
Posts: 4292
Location: Earth

PostPosted: Wed 05 Mar 2014, 06:39    Post subject:  

Hi @NickAu

Unless you're using a Proxy somewhere in the cloud, you are seen. There really is NO WAY to hide, because in order to get on the Internet you MUST go thru an ISP who will assign you an IP from the pool he is legally licensed to.

Some of the Security garbage over the years is just that, garbage. And the general user "drinks the kool-aid", so to speak, as they believe this. (Understandably so, because no one that I know of has read how traffic even flows on the Internet, where a good understanding is provided to glean what is truth versus some of the crap thrown our way. As such, if we don't understand, we'll believe anything.)

Usually, an attacker has a reason for targeting and it's not as random as one has been led to believe. Further, there are all kinds of ways to get/harvest IP addresses. Lastly, harvesting IPs is just one step in whatever rationale is used to invade.

This tool should be looked at, not as a specific level of defense, rather, it should be looked at as a response mechanism to something which it is trained to follow once something it notes happens on your specific PC.

Hope this helps.

musher0


Joined: 04 Jan 2009
Posts: 4245
Location: Gatineau (Qc), Canada

PostPosted: Wed 05 Mar 2014, 11:02    Post subject:  

@NIckAu.

Oh, I do follow your logic! But gcmartin is right, portspoof is a line of counter-attack.
Rather than being only on the defensive, you're taking the "kiddy" for a ride. Also,
back to good old logic, you can't have your ports all closed and all open at the
same time... Entity "A" cannot be entity "A" and entity "non-A" at the same time.

My understanding of it is that you're not flying "stealth" if you're using portspoof, rather
the complete opposite! You've got all flashes on and you're saying: "Right this way,
kiddy-kiddy-kiddy." What you're not telling the kiddy is: "I'll waste 30 hours of your
time!" "And you'll have to start over pretty soon, because I usually stay on
line only 2-3 hours at a time." (hehe)

But I'm no expert. Maybe a paradox can exist.

~~~~~~~~~
Anyway, I took the plunge.

Assembled the commands in the article into this little script. (No merit!)

Code:
#!/bin/sh
# portspoof.sh
# Purpose: Set up and run portspoof
####
# Send every inbound TCP port on eth0 to port 4444, the port portspoof listens on
iptables -t nat -A PREROUTING -i eth0 -p tcp -mtcp --dport 1:65535 -j REDIRECT --to-ports 4444

# Start portspoof as a daemon (-D) with its config and service-signature files
portspoof -c /usr/etc/portspoof.conf -s /usr/etc/portspoof_signatures -D


And I ran it.

iptables tells me it doesn't know "nat" and portspoof tells me there's a segmentation
fault in the signatures file. Not good.

Maybe I can repair the seg fault by recompiling, or by borrowing a healthy sig file from
a ready-made package, or simply by running "fsck" (if the file happened to fall on a bad
spot on the disk).

But I don't know how to create the "nat" file iptables needs. Heck, I don't even know
what it's for!

Any help will be much appreciated. BFN.

musher0

amigo

Joined: 02 Apr 2007
Posts: 2251

PostPosted: Wed 05 Mar 2014, 14:44    Post subject:  

Yes, it opens all possible ports (65K+), but redirects them (with iptables) to a single port which portspoof listens, and responds, on.
gcmartin

Joined: 14 Oct 2005
Posts: 4292
Location: Earth

PostPosted: Wed 05 Mar 2014, 14:47    Post subject:  

One manner of Portspoof setup: "linux-1" in this diagram is the firewall and is where all traffic is allowed to enter/leave the LAN behind it. The ISP IP services come in on eth0, and the LAN where the PCs reside is on eth1. Portspoof, here, would detect and confuse an invading port scanner which originates from the Internet.
There is no reason why the "linux-1" service could not be included as a subsystem in either the router or in my LAN PCs. But it is NOT necessary to do it in both. So this leaves us with 3 options to deploy; namely the one seen in the picture, or deploying within the router, or on the LAN.

One question posted earlier is about NAT:
NAT - a plain language, high-level explanation
NAT is a protocol subsystem feature which is commonly employed by routers to map the LAN IP address to one given by the ISP. It does this via an internal algorithm where the LAN PC is assigned a given port for the outgoing traffic and expects a return, when appropriate, back along that same port in order to complete delivery to the original LAN PC.

So in essence I think NAT would be appropriate for a PC/router doing firewall services for a LAN, but not be necessary for a single PC doing a "personal, one PC" firewall effort.

I am currently looking into some measure of describing to PortSpoof how to apply this at the single PC level. And I am also looking at an implementation similar to the picture, where a low-power motherboard with 2 high-speed LAN pathways would be employed to handle the port scans that my ISP has been seen to do customarily.

Last edited by gcmartin on Wed 05 Mar 2014, 14:53; edited 2 times in total
Karl Godt


Joined: 20 Jun 2010
Posts: 3972
Location: Kiel,Germany

PostPosted: Wed 05 Mar 2014, 14:48    Post subject:  

Have not installed it yet, but iptables works for me :

# iptables -t nat -A PREROUTING -i eth0 -p tcp -mtcp --dport 1:65535 -j REDIRECT --to-ports 4444

# type -a iptables
iptables is /sbin/iptables

# file /sbin/iptables
/sbin/iptables: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped

# busybox iptables -t nat -A PREROUTING -i eth0 -p tcp -mtcp --dport 1:65535 -j REDIRECT --to-ports 4444
iptables: applet not found


But I am using ppp0. eth0 shows up by # ifconfig -a .


# iptables --version
iptables v1.3.8
# uname -r
2.6.37.4-KRG-i486-StagingDrivers-3
gcmartin

Joined: 14 Oct 2005
Posts: 4292
Location: Earth

PostPosted: Wed 05 Mar 2014, 15:09    Post subject:  

On one 64bit single MB LAN I get the following:
Code:
sh-4.1#  iptables -t nat -A PREROUTING -i eth0 -p tcp -mtcp --dport 1:65535 -j REDIRECT --to-ports 4444
iptables v1.4.10: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
sh-4.1# uname -a
Linux studio1337 3.8.4-l0wt3ch-rt2 #1 SMP PREEMPT RT Sat Apr 13 07:46:49 GMT 2013 x86_64 GNU/Linux
Will check others.

2nd 64bit PC - WORKS!
Code:
bash-4.1# iptables -t nat -A PREROUTING -i eth0 -p tcp -mtcp --dport 1:65535 -j REDIRECT --to-ports 4444
<root> ~
bash-4.1# uname -a
Linux Mariner-desktop 3.8.7 #1 SMP Sun Jun 16 09:49:24 PDT 2013 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ AuthenticAMD GNU/Linux

Last edited by gcmartin on Wed 05 Mar 2014, 16:22; edited 1 time in total
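Pulling the iptables side of the thread together, here is an added example of my own, not code from the portspoof project or from anyone in this thread. It assumes eth0 is the interface the scans arrive on and 4444 is the port portspoof listens on, as in the script earlier in the thread; the PS_KEEP list of ports to leave reachable is a placeholder you would set to your own services. Before it applies anything it checks for the nat table that gcmartin's first 64-bit box was missing ("Table does not exist (do you need to insmod?)"), so the failure is reported up front instead of halfway through.

```shell
#!/bin/sh
# portspoof-redirect.sh  (added example; not part of the portspoof project)
# Builds the iptables rules that send every inbound TCP port on one
# interface to the single port portspoof listens on, while leaving a
# short list of real services untouched. Nothing is applied unless
# "apply" is given on the command line and the script runs as root.

# Assumed defaults; all three are placeholders for your own setup.
PS_IFACE="${PS_IFACE:-eth0}"   # interface the scans arrive on
PS_PORT="${PS_PORT:-4444}"     # port portspoof listens on
PS_KEEP="${PS_KEEP:-22}"       # space-separated ports to keep reachable

# The "can't initialize iptables table `nat'" error means the kernel has
# no nat table loaded. The tables it knows are listed, one per line, in
# /proc/net/ip_tables_names once the iptable_nat module is present.
nat_table_available() {
    grep -qx nat /proc/net/ip_tables_names 2>/dev/null
}

# A port must be a whole number in 1..65535; returns 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one RETURN rule: a connection to a kept port leaves the nat
# PREROUTING chain before the catch-all REDIRECT below can touch it.
keep_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -m tcp --dport %s -j RETURN\n' "$1" "$2"
}

# Print the catch-all rule from the thread ("-m tcp" and "-mtcp" are the
# same option to iptables; the spaced form is the documented spelling).
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# build_rules IFACE LISTEN_PORT [KEEP_PORT...]: prints the whole rule set.
# Exemptions come first so the order in the chain matches the intent.
build_rules() {
    iface=$1; listen=$2; shift 2
    valid_port "$listen" || { echo "bad listen port: $listen" >&2; return 1; }
    for p in "$@"; do
        valid_port "$p" || { echo "bad keep port: $p" >&2; return 1; }
        keep_rule "$iface" "$p"
    done
    redirect_rule "$iface" "$listen"
}

# Number of rules build_rules would install, for a quick sanity check.
rule_count() {
    build_rules "$@" | wc -l | tr -d ' '
}

case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
        nat_table_available || {
            echo "no nat table: try 'modprobe iptable_nat', or a kernel built with it" >&2
            exit 1
        }
        # shellcheck disable=SC2086   (PS_KEEP is meant to word-split)
        build_rules "$PS_IFACE" "$PS_PORT" $PS_KEEP | sh -e
        ;;
    show|'')
        # shellcheck disable=SC2086
        build_rules "$PS_IFACE" "$PS_PORT" $PS_KEEP
        ;;
esac
```

Run it with no argument (or `show`) to see the rules it would add, and `apply` as root to install them; start portspoof on PS_PORT first, otherwise redirected connections just hit a closed port. Two points that answer worries raised above: the nat PREROUTING chain is consulted only for the first packet of a new inbound connection, so replies to connections your own PC opened (browsing, IRC and the like) are not redirected; and each RETURN rule keeps one real service, such as SSH on 22, reachable on the interface instead of being swallowed by the REDIRECT.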
musher0


Joined: 04 Jan 2009
Posts: 4245
Location: Gatineau (Qc), Canada

PostPosted: Wed 05 Mar 2014, 15:51    Post subject:  

Hi, folks.

Thanks, all, for your inputs.

I got the script to work even without the "nat" table, when I changed the iptables call to
/sbin/iptables instead of just plain iptables. Proof attached! Also, there are about 10
portspoof entries in htop when it's running. There were no complaints about a seg fault
in the sig file either, this time.

This is on UpupRaring 3.992 running on an AMD 2600+ CPU, w/ 2 Gb of RAM, and w/
videotron.ca router & ISP.

Maybe it's just me, but I did notice a tiny decrease in overall Internet speed. Is this
possible? Also, how do we measure performance for portspoof?

Thanks in advance. BFN.

musher0
[Attachment: portspoof.jpg, 29.37 KB]

gcmartin

Joined: 14 Oct 2005
Posts: 4292
Location: Earth

PostPosted: Wed 05 Mar 2014, 16:16    Post subject:  

I wonder what a port scan from another LAN PC would turn up? To test, though, you'll need to scan before starting Portspoof ... then after ... to compare measurements.

I use a Java app, a utility I've used for the past 15 years; namely AngryIP, which, to me, is the friendliest, most versatile, and fastest IP scanner on the planet. In Puppyland, you can find it here.
