
Tuesday, April 5, 2011

Ubuntu Firewall Alerts

Notification of an attempted connection.
At the university I study at, every machine is assigned a publicly routable IP address. As you can imagine this is immensely useful: you don't need to worry about bypassing firewalls when you need to SSH somewhere. There is a catch though: apart from blocking torrents (which includes LiveCDs that take hours to download directly but minutes by torrent), there is no firewall at all.

That is okay by me though: I use Ubuntu, meaning I don't get viruses, and the only port I have open to the network is IPP, because the network is Windows. Recently I have wanted to see all of the garbage that is coming in. I originally hacked something up in nc, but decided that wasn't good enough. Here is my solution, which includes notifying you when someone attempts to connect to a port (a feature missing in all of the Linux firewalls I have found, and apparently a common complaint). The finished product will look something like the photo above.

Ingredients:
  • Ubuntu / Distro of your choice.
  • iptables (installed by default in Ubuntu 10.10)
  • gufw (sudo apt-get install gufw)
  • notify-send / espeak / xmessage / zenity / other communication interface

Instructions:
  1. Install all of the above.
  2. Under System > Administration > Firewall Configuration, set Incoming to Reject; and turn on the Firewall.
  3. Copy the shell script below to your machine:

    #!/bin/bash
    # Poll the kernel log for new "[UFW BLOCK]" entries and raise a desktop
    # notification for each one.

    lastlog=$(dmesg | grep 'UFW BLOCK' | tail -1)

    while true; do
        sleep 1
        curlog=$(dmesg | grep 'UFW BLOCK' | tail -1)

        if [ "$curlog" != "$lastlog" ]; then
            # Get the source address and ports by field name (SRC=, SPT=, DPT=)
            # rather than by position, so optional flags such as DF do not
            # shift the columns.
            ip=$(echo "$curlog" | grep -o 'SRC=[^ ]*' | cut -d = -f2)
            portfrom=$(echo "$curlog" | grep -o 'SPT=[^ ]*' | cut -d = -f2)
            port=$(echo "$curlog" | grep -o 'DPT=[^ ]*' | cut -d = -f2)
            lastlog=$curlog

            # Send the message.
            notify-send "Src: $ip:$portfrom Dest: $port" -u critical -i security-low
        fi
    done

  4. For this to work you will need the program notify-send. If it is not installed, you can replace it with espeak (to have your computer announce that it dropped a connection), xmessage, or zenity.
  5. Watch how many times you are attacked. (You might want to consider submitting your findings to DShield, or looking up the source addresses there.)
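The notifier above only shows the latest blocked packet. As an added example (not part of the post, and written by the editor rather than the author), the functions below parse "[UFW BLOCK]" log lines by field name and count how many distinct destination ports each source has hit, which is the quickest way to tell a single stray connection from a port sweep; the log lines are constructed samples, not captured data.

```shell
#!/bin/bash
# Added example (not the post's script): parse "[UFW BLOCK]" kernel log lines
# by field name instead of by position, then summarise blocked traffic per
# source. The log lines below are constructed samples, not captured data.

# Print the value of KEY=... from one log line (empty if the key is absent).
ufw_field() {   # $1 = log line, $2 = key such as SRC, DST, PROTO, SPT, DPT
    printf '%s\n' "$1" | grep -o "$2=[^ ]*" | head -1 | cut -d = -f2
}

# Reduce one block line to "src spt dst dpt proto"; "-" marks a missing port
# (ICMP has none), so callers never see an empty field.
ufw_parse() {
    local src dst proto spt dpt
    src=$(ufw_field "$1" SRC); dst=$(ufw_field "$1" DST)
    proto=$(ufw_field "$1" PROTO)
    spt=$(ufw_field "$1" SPT);  dpt=$(ufw_field "$1" DPT)
    printf '%s %s %s %s %s\n' "$src" "${spt:--}" "$dst" "${dpt:--}" "$proto"
}

# Read block lines on stdin and print "src distinct-dst-ports", busiest first.
# One source probing many ports in a short window is the signature of a sweep.
ufw_ports_per_src() {
    while IFS= read -r line; do ufw_parse "$line"; done |
        awk '$4 != "-" { seen[$1 " " $4] = 1 }
             END { for (k in seen) { split(k, a, " "); n[a[1]]++ }
                   for (s in n) print s, n[s] }' |
        sort -k2,2nr -k1,1
}

# Constructed sample in dmesg format (TCP, UDP and ICMP cases).
SAMPLE_LOG='[100.1] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[100.2] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
[100.3] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
[100.4] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
[100.5] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1'

printf '%s\n' "$SAMPLE_LOG" | ufw_ports_per_src
```

Feeding `dmesg | grep 'UFW BLOCK'` (or /var/log/ufw.log) into `ufw_ports_per_src` instead of the sample gives the same summary for the live machine.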