I have about a dozen open ports on my firewall. All other ports are set to Drop.
As I recently set up the firewall, I enabled logging for all dropped connections to see what was hitting the firewall and from what countries.
Now I would like to drop logging for all closed ports. I assume that there is very little point in continuing to log traffic for closed ports? What about DDoS logging, or should I reserve that for open ports?
My current rules to log dropped traffic are as follows:
Code:
# Log IPv4 Dropped Traffic
# Custom chain: rate-limited log entry, then drop
iptables -N LOGGING
# Anything not accepted by earlier rules in these chains ends up in LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A FORWARD -j LOGGING
# Log at most 2 entries per minute (warning level), then drop the packet
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
Is there any way to log dropped traffic only on open ports and the interfaces used? For example, port 22 is blocked on eth0, but is open on tun1. So I don't want to log dropped connections on eth0 for port 22.
An even more important point is best practice for dealing with persistent port scanners. Some companies like Digital Ocean are a huge problem like that. Even if 99.9% of my ports are closed, they are wasting firewall resources having to constantly drop connections from these scanners. I would like to make them go away as quickly as possible instead of scanning every port I have.
I wondered whether they could be blocked after trying say five ports or is the firewall doing the same computational work blocking the IP address instead of blocking the port? What is best procedure here? Having said that, if they were blocked by IP after scanning say 5 closed ports, then they would also be blocked accessing any open ports! Is there a firewall rule for this? Or perhaps a honeytrap that would focus the port scanner somewhere else?
Nearly all my open ports are restricted to specific source IP addresses or restricted by country. I am not sure if the ports show as open or closed when the port scanner is using an IP address/country that is not in the allowed list of IP addresses for that port. Even if they can't connect to that open port, I want the port to appear invisible to them.
Does iptables support any way to list what the ISP is, such as Digital Ocean or Ovh.com? I have found, trawling the logs of the firewall, that the same names (around a dozen) are coming up again and again. So if I can block the known bad ISPs or hosted server services, I can better protect my servers against future attacks, which will most likely be launched from these known malware/hacker havens. The problem is these guys keep adding new or different IP address ranges.
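The two questions above (logging drops only for ports that are really open on a given interface, and cutting off a source after it probes a handful of closed ports) can be handled in one ruleset. The script below is an added example and not code from the original post: eth0/tun1 and port 22 come from the post, while ADMIN_NET (203.0.113.0/24), the HTTPS port and the five-probes-in-600-seconds threshold are assumptions to adjust for your setup.

```shell
#!/bin/sh
# Added example, not from the original post. Logs only drops aimed at a
# service we actually run (SSH on tun1), drops closed ports silently, and
# blacklists any source that probes several closed ports. ADMIN_NET, the
# thresholds and the port list are assumptions; adjust them to your setup.
IPT="${IPT:-iptables}"      # IPT=echo prints the rules instead of applying them
ADMIN_NET="203.0.113.0/24"  # assumed: the only network allowed to reach SSH
SCAN_HITS=5                 # closed-port probes before a source is blacklisted
SCAN_WINDOW=600             # seconds; each further probe extends the ban

apply_rules() {
    $IPT -N LOGGING 2>/dev/null || $IPT -F LOGGING
    $IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    $IPT -A LOGGING -j DROP

    # Loopback and already-accepted flows bypass the scanner check below.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Blacklist check: one hash lookup on the source address, placed before the
    # service rules, so a known scanner is dropped for open ports as well and
    # never walks the rest of the chain. --update refreshes the timestamp, so
    # the ban lasts as long as the source keeps probing.
    $IPT -A INPUT -m recent --name portscan --update --seconds "$SCAN_WINDOW" --hitcount "$SCAN_HITS" -j DROP

    # Open ports: SSH only on the VPN interface and only from ADMIN_NET,
    # HTTPS on the public interface for everyone.
    $IPT -A INPUT -i tun1 -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

    # Log only what is worth reading: a disallowed source reaching SSH on tun1.
    # Port 22 on eth0 is a closed port there and falls through unlogged.
    $IPT -A INPUT -i tun1 -p tcp --dport 22 -j LOGGING

    # Everything else is a closed port: record the probe against the source
    # and drop without a reply, so closed and source-restricted ports look the
    # same (filtered, no RST or ICMP) to a scanner.
    $IPT -A INPUT -m recent --name portscan --set -j DROP
}

# "sh firewall.sh apply" (as root) installs the rules; "IPT=echo sh firewall.sh apply" previews them.
case "${1:-}" in apply) apply_rules ;; esac
```

A trusted source that trips the threshold is blocked from the open ports too, so exempt your own admin networks with an ACCEPT rule ahead of the blacklist check, and consider a larger SCAN_HITS if your own monitoring touches closed ports.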