• 03-09-2008, 23:53:03
    #28
    TR sunucularımızda denediğimizde farklı portlar da çıktı; onları da yazayım, artık kapatırsınız. Ben de şaşırdım valla; ABD ve Almanya'da 1024 - 3072 portu ile giriyor, TR farklı demek ki, pek kullanmadığımdan.

    tcp 0 0 IPADRES:25 85.104.1.112:1098 SYN_RECV
    tcp 0 0 IPADRES:25 85.104.1.112:1079 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4919 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1078 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4918 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1077 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4917 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1076 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4916 TIME_WAIT
    tcp 0 28 IPADRES:25 85.104.1.112:1075 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:1074 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4914 TIME_WAIT
    tcp 0 28 IPADRES:25 85.104.1.112:1073 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4913 TIME_WAIT
    tcp 0 0 IPADRES:23838 85.110.153.8:1675 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1072 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4912 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1087 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4927 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1086 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4926 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1085 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:1084 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:1083 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4923 TIME_WAIT
    tcp 0 14 IPADRES:25 85.104.1.112:1082 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4922 TIME_WAIT
    tcp 0 134 IPADRES:25 85.104.1.112:1081 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4921 TIME_WAIT
    tcp 1316 0 IPADRES:25 85.104.1.112:1080 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4920 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4903 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1063 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4902 TIME_WAIT
    tcp 0 56 IPADRES:25 85.104.1.112:1062 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4901 TIME_WAIT
    tcp 0 42 IPADRES:25 85.104.1.112:1061 FIN_WAIT1
    tcp 0 0 IPADRES:25 85.104.1.112:4900 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1060 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4899 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1059 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4898 TIME_WAIT
    tcp 0 18 IPADRES:25 85.104.1.112:1058 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4897 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1057 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4896 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1056 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1071 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4910 TIME_WAIT
    tcp 0 28 IPADRES:25 85.104.1.112:1070 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4909 TIME_WAIT
    tcp 0 28 IPADRES:25 85.104.1.112:1069 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4908 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1068 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4907 TIME_WAIT
    tcp 0 42 IPADRES:25 85.104.1.112:1067 FIN_WAIT1
    tcp 0 0 IPADRES:25 85.104.1.112:4906 TIME_WAIT
    tcp 0 28 IPADRES:25 85.104.1.112:1066 ESTABLISHED
    tcp 0 28 IPADRES:25 85.104.1.112:1065 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4904 TIME_WAIT
    tcp 0 42 IPADRES:25 85.104.1.112:1064 FIN_WAIT1
    tcp 0 0 IPADRES:25 85.104.1.112:4942 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4941 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4940 TIME_WAIT
    tcp 0 0 IPADRES:10039 85.110.153.8:1677 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4939 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4938 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4937 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4937 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1097 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4936 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:1096 ESTABLISHED
    tcp 0 0 IPADRES:25 85.104.1.112:4791 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4790 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4789 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4788 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4787 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4786 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4785 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4784 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4799 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4798 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4797 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4796 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4795 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4794 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4793 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4792 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4775 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4774 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4773 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4772 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4771 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4770 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4769 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4768 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4783 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4782 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4781 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4780 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4779 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4778 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4778 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4777 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4776 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4759 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4758 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4757 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4756 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4755 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4754 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4753 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4752 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4767 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4766 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4765 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4764 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4763 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4762 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4761 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4760 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4743 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4751 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4750 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4749 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4748 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4747 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4746 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4745 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4744 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4855 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4854 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4853 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4852 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4851 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4850 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4849 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4848 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4863 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4862 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4861 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4860 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4859 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4858 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4857 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4856 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4839 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4838 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4836 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4835 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4834 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4833 TIME_WAIT
    tcp 0 1 IPADRES:36976 85.104.1.112:113 SYN_SENT
    tcp 0 1 IPADRES:36977 85.104.1.112:113 SYN_SENT
    tcp 0 1 IPADRES:36978 85.104.1.112:113 SYN_SENT
    tcp 0 0 IPADRES:25 85.104.1.112:4832 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4847 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4846 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4845 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4844 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4843 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4842 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4841 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4840 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4823 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4822 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4821 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4820 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4819 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4818 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4817 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4816 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4831 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4830 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4829 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4828 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4827 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4826 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4825 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4824 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4807 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4806 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4805 TIME_WAIT
    tcp 0 0 IPADRES:44512 85.110.153.8:1679 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4804 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4803 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4802 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4801 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4800 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4815 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4814 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4814 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4813 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4812 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4811 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4810 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4809 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4808 TIME_WAIT
    tcp 0 0 IPADRES:25 85.104.1.112:4808 TIME_WAIT


    Komut ;

    # NOTE(review): --dport matches the destination port on this host, while the
    # ports that vary in the listing above are the remote (source) ports;
    # confirm which side PORTNUMARASI is meant to match.
    iptables -A INPUT -p tcp --dport PORTNUMARASI -j REJECT
  • 04-09-2008, 00:36:26
    #29
    Sadece IP'ler değil, portlar da random. Çözüm belli "more more more bandwidth".
  • 04-09-2008, 00:41:27
    #30
    Creep adlı üyeden alıntı: mesajı görüntüle
    Sadece IP'ler değil, portlar da random. Çözüm belli "more more more bandwidth".
    Önlem IP'ye yönelik değil, porta yönelik. SoftLayer'da 1 Gbit Cisco arkasındaki sunucuda 1024 ve 3072 portlarını kapamadan denediğimizde gayet rahat işlem görüyordu; kapadıktan sonra ne IP ne juno diye bir şey görmedik. Almanya'da da aynen.
  • 04-09-2008, 00:49:27
    #31
    14:29:04.190093 > 208.142.2.122.1030 > my.localhost.111: S 825202549:825202549(0) win 
    16384  (DF) (ttl 128, id 56544)			 
                           4500 0030 dce0 4000 8006 cbdd d08e 027a
                           xxxx xxxx 0406 006f 312f 9775 0000 0000
                           7002 4000 2450 0000 0204 05b4 0102 0403 
    14:29:04.210093 > 206.58.94.136.1243 > my.localhost.111: S 2834591913:2834591913(0) 
    win 16384  (DF) (ttl 128, id 9993)			 
                           4500 0030 2709 4000 8006 27fb ce3a 5e88
                           xxxx xxxx 04db 006f a8f4 70a9 0000 0000			 
                           7002 4000 78c7 0000 0204 05b4 0102 0403
    14:29:04.230093 > 210.2.38.193.1165 > my.localhost.111: S 3280166353:3280166353(0) 
    win 16384  (DF) (ttl 128, id 50825)			 
                           4500 0030 c689 4000 8006 bc79 d202 26c1
                           xxxx xxxx 048d 006f c383 5dd1 0000 0000			       
                           7002 4000 a55d 0000 0204 05b4 0102 0403
    14:29:04.250093 < 129.9.246.243.1025 > my.localhost.111: S 4076280583:4076280583(0) 
    win 16384  (DF) (ttl 128, id 27099)			                                       
                           4500 0030 69db 4000 8006 99ee 8109 f6f3
                           xxxx xxxx 0401 006f f2f7 1b07 0000 0000			 
                           7002 4000 3a06 0000 0204 05b4 0102 0403
    juno.c'nin tcpdump analizi securityfocus'da mevcut. Isteyen girip inceleyebilir. Analizi yapan şahıs diyor ki ;

    * Source IP addresses are random, as they are spoofed; ( Kaynak IP adresleri rastgele ve spooflanmış halde )
    * Sequence Numbers (in bold) are random; and, ( dizin numaraları rastgele)
    * Source ports are random as well. ( ve kaynak portları rastgele )

    Pardon, portlar rastgele iken belirlediğiniz 2 portu kapamak tam olarak nasıl çözüm olabiliyor ?
  • 04-09-2008, 00:52:01
    #32
    Creep adlı üyeden alıntı: mesajı görüntüle
    14:29:04.190093 > 208.142.2.122.1030 > my.localhost.111: S 825202549:825202549(0) win 
    16384  (DF) (ttl 128, id 56544)			 
                           4500 0030 dce0 4000 8006 cbdd d08e 027a
                           xxxx xxxx 0406 006f 312f 9775 0000 0000
                           7002 4000 2450 0000 0204 05b4 0102 0403 
    14:29:04.210093 > 206.58.94.136.1243 > my.localhost.111: S 2834591913:2834591913(0) 
    win 16384  (DF) (ttl 128, id 9993)			 
                           4500 0030 2709 4000 8006 27fb ce3a 5e88
                           xxxx xxxx 04db 006f a8f4 70a9 0000 0000			 
                           7002 4000 78c7 0000 0204 05b4 0102 0403
    14:29:04.230093 > 210.2.38.193.1165 > my.localhost.111: S 3280166353:3280166353(0) 
    win 16384  (DF) (ttl 128, id 50825)			 
                           4500 0030 c689 4000 8006 bc79 d202 26c1
                           xxxx xxxx 048d 006f c383 5dd1 0000 0000			       
                           7002 4000 a55d 0000 0204 05b4 0102 0403
    14:29:04.250093 < 129.9.246.243.1025 > my.localhost.111: S 4076280583:4076280583(0) 
    win 16384  (DF) (ttl 128, id 27099)			                                       
                           4500 0030 69db 4000 8006 99ee 8109 f6f3
                           xxxx xxxx 0401 006f f2f7 1b07 0000 0000			 
                           7002 4000 3a06 0000 0204 05b4 0102 0403
    juno.c'nin tcpdump analizi securityfocus'da mevcut. Isteyen girip inceleyebilir. Analizi yapan şahıs diyor ki ;
    * Source IP addresses are random, as they are spoofed; ( Kaynak IP adresleri rastgele ve spooflanmış halde )
    * Sequence Numbers (in bold) are random; and, ( dizin numaraları rastgele)
    * Source ports are random as well. ( ve kaynak portları rastgele )
    Pardon, portlar rastgele iken belirlediğiniz 2 portu kapamak tam olarak nasıl çözüm olabiliyor ?

    TR Harici Almanya ve Abd Sunucularımda 3072 ve 1024 portundan başka her hangi bir porta rastlamadım Bu akşam tr de denediğim sunucumda çıkan diğer portlarıda verdim zaten ilk defa rastladım.
  • 04-09-2008, 01:08:34
    #33
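    #!/bin/bash
    #
    # Anti-spoofing filter for the Internet-facing interface: appends iptables
    # rules that discard packets whose source address should never be seen there
    # (our own address, the internal LAN, and reserved/private ranges).
    #
    # NOTE(review): every rule matches on source address only, so a flood whose
    # spoofed sources are ordinary routable addresses is not affected by it.
    # Rules are appended with -A; running the script twice duplicates them.

    INT_IF="eth1"               # connected to internet
    SERVER_IP="202.54.10.20"    # server IP
    # The name was masked as "***_RANGE" by the site's word filter, which is not a
    # valid shell identifier; LAN_RANGE is presumably what was meant - confirm.
    LAN_RANGE="192.168.1.0/24"  # your LAN IP range

    # Add your IP range/IPs here (space separated).
    SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

    IPT="/sbin/iptables"        # path to iptables

    # default action, can be DROP or REJECT
    ACTION="DROP"

    # Fail early with one clear message instead of one error per rule.
    if [[ ! -x "$IPT" ]]; then
      printf 'error: %s not found or not executable\n' "$IPT" >&2
      exit 1
    fi

    # Drop inbound packets that claim to come from our own server. No OUTPUT
    # counterpart is added: locally generated traffic leaving $INT_IF normally
    # carries $SERVER_IP as its source, so such a rule would discard the
    # server's own replies.
    "$IPT" -A INPUT -i "$INT_IF" -s "$SERVER_IP" -j "$ACTION"

    # Drop packets that claim to come from our own internal LAN.
    "$IPT" -A INPUT -i "$INT_IF" -s "$LAN_RANGE" -j "$ACTION"
    "$IPT" -A OUTPUT -o "$INT_IF" -s "$LAN_RANGE" -j "$ACTION"

    # Split the space-separated list once instead of relying on unquoted
    # expansion, which would also glob-expand its entries.
    read -r -a spoof_list <<<"$SPOOF_IPS"
    for ip in "${spoof_list[@]}"; do
      "$IPT" -A INPUT -i "$INT_IF" -s "$ip" -j "$ACTION"
      "$IPT" -A OUTPUT -o "$INT_IF" -s "$ip" -j "$ACTION"
    done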
    Ayrıca /etc/sysctl.conf dosyasına "net.ipv4.conf.all.rp_filter = 1" ekleyin ve ayarın yeniden başlatmadan etkin olması için "sysctl -p" çalıştırın.

    Bu konu hakkında birşeyler araştırırken, bu bash scripti buldum. Biri test edebilir mi işe yarayıp yaramadığını ?
  • 04-09-2008, 01:14:48
    #34
    Size bir ipucu gelen paketlerin tamamının boyutu aynıdır

    Bize bir ara yaptılar 48 paket geliyordu FW ile logladık 58M paket geldi tekilini çıkarttık sonra..

    cat /proc/net/ip_conntrack

    yazdığınızda bağlantıları detaylı şekilde listelersiniz

    awk kullanarak süzme işlemi de yapılabilir
  • 04-09-2008, 01:15:14
    #35
    Arkadaşım, heyecanını takdir ediyorum ancak juno'da işletim sistemi bazında ban atarak savunman mümkün değil. O gelen IP'leri driver bazında süzmen gerekli, çünkü header bilgileri tamamen yanlış. Bunu da adam akıllı bir firewall alarak halledersin.
  • 04-09-2008, 01:24:36
    #36
    Ni-Osman adlı üyeden alıntı: mesajı görüntüle
    Size bir ipucu gelen paketlerin tamamının boyutu aynıdır
    Bize bir ara yaptılar 48 paket geliyordu FW ile logladık 58M paket geldi tekilini çıkarttık sonra..
    cat /proc/net/ip_conntrack
    yazdığınızda bağlantıları detaylı şekilde listelersiniz
    awk kullanarak süzme işlemi de yapılabilir
    Öyleyse gelen paketleri boyutlarına göre iptables ile droplamak çözüm olabilir mi? Atıyorum paket length: 1420 bytes... 1420 byte'lık tüm paketler droplansın.