Pages

2011-04-05

Ubuntu Firewall Alerts

Notification of an attempted connection.
At the university I study at, every machine is assigned a net-accessible IP address; as you can imagine this is immensely useful as you don't need to worry about trying to bypass firewalls when you need to SSH somewhere.  There is a catch though, save for torrents (including LiveCDs that take hours to download manually, but minutes by torrent) there is no firewall.

That is okay by me though, I use Ubuntu; meaning I don't get viruses, and the only port I have remotely open is for the IPP because the network is Windows.  Recently I have wanted to see all of the garbage that is coming in.  I originally hacked something up in nc, but decided that wasn't good enough, here is my solution, that includes notifying you when someone attempts to connect to your port (this is a feature missing in all of the Linux firewalls I have found and seems to be a common complaint)  the finished product will look something like the photo above.

Ingredients:
  • Ubuntu / Distro of your choice.
  • iptables (installed by default in Ubuntu 10.10)
  • gufw (sudo apt-get install gufw)
  • notify-send / espeak / xmessage / zenity / other communication interface

Instructions:
  1. Install all of the above.
  2. Under System > Administration > Firewall Configuration, set Incoming to Reject; and turn on the Firewall.
  3. Copy the shell script below to your machine:
  4. #!/bin/bash
    
    lastlog=$(dmesg | grep UFW\ BLOCK | tail -1)
    
    while [ 1 -gt 0 ]; do
     
        sleep 1
        
        curlog=$(dmesg | grep UFW\ BLOCK | tail -1)
        
        if [ "$curlog" != "$lastlog" ]; then
            #get information.
            ip=$( echo $curlog | cut -d = -f5 | cut -d \  -f1)
            port=$( echo $curlog | cut -d = -f14 | cut -d \  -f1)
            portfrom=$( echo $curlog | cut -d = -f13 | cut -d \  -f1)
            lastlog=$(dmesg | grep UFW\ BLOCK | tail -1)
            
            #send message.
            notify-send "Src: $ip:$portfrom Dest: $port" -u critical -i security-low
        fi
    
    done
    
  5. For this to work though, you will need the program notify-send, if it is not installed, you could replace it with espeak (to have your computer announce that you dropped a connection), xmessage, or zenity.
  6. Watch how many times you are attacked.  (You might want to consider posting/looking up your findings to dshield)