how to deny nmap scans?

aeav
12-27-2004, 06:01 PM
I want to know how can I deny nmap scans on my machine, with iptables?
Thank you

eskiled
12-27-2004, 06:22 PM
You can't. Well, actually I don't really know if you can or not. However, if you use this service (http://anon.inf.tu-dresden.de/fragen/index_en.html), your IP address is hidden, so you are anonymous on the internet. Therefore, when you are nmap-ed it won't matter because the attacker won't be able to see your IP.
Hope that is what you were looking for,
eskiled
PS. FSCKING WOOT WOOT 100TH POST!!!

aeav
12-27-2004, 06:30 PM
I'll study this tool, thanks eskiled, but can't I deny them with IPTABLES then? I can't install new software on the server.

Loki3
12-27-2004, 06:41 PM
I'm using pf on OpenBSD for my network's gateway/firewall and I'm blocking all packets with the following flags:

flags FUP/FUP
flags SF/SFRA
flags /SFRA

Here's a description regarding the packet flags:

# F : FIN - Finish; end of session
# S : SYN - Synchronize; indicates request to start session
# R : RST - Reset; drop a connection
# P : PUSH - Push; packet is sent immediately
# A : ACK - Acknowledgement
# U : URG - Urgent
# E : ECE - Explicit Congestion Notification Echo
# W : CWR - Congestion Window Reduced

I'm not sure which nmap scans use packets that look like these, but I've been told that having a few rules dropping packets with those flags will cut down on the success of nmap scans. I also drop all ICMP packets that are inbound.

Not that any of that really matters, since ALL incoming packets are dropped on my external interface. That works pretty well.
je_fro
12-27-2004, 06:41 PM

```sh
# $IPTABLES is the path to the iptables binary; the Gentoo script sets it
# earlier, so a default is assumed here to make the snippet stand alone.
IPTABLES=${IPTABLES:-/sbin/iptables}

#Catch portscanners
echo "Creating portscan detection chain"
$IPTABLES -N check-flags
$IPTABLES -F check-flags
# Xmas scan: only FIN, URG and PSH set
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
    --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# every flag set at once
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
    5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
# everything except PSH set
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
    -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null scan: no flags at all
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
    --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
# SYN together with RST or FIN never occurs in a legitimate handshake
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
    --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
    --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
```

So for incoming packets, you'll send them to the rule check-flags first, which should stop some nmap scans.

I got that section from the gentoo-security documentation... reading the whole iptables section helped me a lot. http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap13

aeav
12-27-2004, 07:02 PM
> Originally posted by Loki3
> I'm using pf on OpenBSD for my network's gateway/firewall and I'm blocking all packets with the following flags:
>
> flags FUP/FUP
> flags SF/SFRA
> flags /SFRA
>
> Here's a description regarding the packet flags:
>
> # F : FIN - Finish; end of session
> # S : SYN - Synchronize; indicates request to start session
> # R : RST - Reset; drop a connection
> # P : PUSH - Push; packet is sent immediately
> # A : ACK - Acknowledgement
> # U : URG - Urgent
> # E : ECE - Explicit Congestion Notification Echo
> # W : CWR - Congestion Window Reduced
>
> I'm not sure which nmap scans use packets that look like these, but I've been told that having a few rules dropping packets with those flags will cut down on the success of nmap scans. I also drop all ICMP packets that are inbound.
>
> Not that any of that really matters, since ALL incoming packets are dropped on my external interface. That works pretty well.

Thanks for the list of packets that I can block, I'll deny some packets.

aeav
12-27-2004, 07:05 PM
> Originally posted by je_fro
> #Catch portscanners
> echo "Creating portscan detection chain"
> $IPTABLES -N check-flags
> $IPTABLES -F check-flags
> $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
>     --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
> $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
>     5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
> $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
> $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
>     -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
> $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
>     --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
> $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
> $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
>     --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
> $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
>     --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
> $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
>
> So for incoming packets, you'll send them to the rule check-flags first, which should stop some nmap scans.
>
> I got that section from the gentoo-security documentation... reading the whole iptables section helped me a lot. http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap13

Great rules je_fro, I'll test them now. Thank you so much folks!

aeav
12-27-2004, 07:44 PM
Well, I tried to search here, but I didn't find what the instructions check-flags and --tcp-flags are. What do these rules do?
aeav
12-27-2004, 08:07 PM
I already found it here: http://www.netfilter.org :)

bwkaz
12-28-2004, 12:29 AM
But even if you deny all these packet flag combinations, you still can't totally deny nmap scans. You simply cannot deny packets with only the SYN flag set (the packets that initiate TCP connections) -- and nmap can trivially be told to just use those packets (in fact, that's its normal mode of operation if a nonprivileged user is running it).

That is, unless you don't want anyone to be able to make any kind of TCP connection to your machine at all -- then you're better off just dropping all incoming packets (that aren't part of a current TCP connection) on the floor and forgetting about them. But I would assume that since you want to block nmap, you have some ports open, and you just want to prevent people from finding them with nmap, so that's not an option either.

aeav
12-28-2004, 12:35 AM
It can be a solution, but unfortunately I can't deny all incoming packets... But I'm studying how I can block just the nmap scans.
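As an added example (not code from the thread or from the Gentoo guide), here is a Python model of how netfilter's `--tcp-flags MASK COMP` match evaluates je_fro's check-flags chain, rule by rule, against constructed TCP headers. It also makes bwkaz's point concrete: a plain SYN (and a SYN/ACK reply) falls off the end of the chain untouched, so the chain catches malformed-flag probes but not ordinary connection attempts.

```python
import struct

# TCP flag bits as they sit in byte 13 of the TCP header (RFC 793 / RFC 3168).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def flag_spec(spec):
    """Turn an iptables flag list ('ALL', 'NONE', 'FIN,URG,PSH') into a bitmask.
    iptables' ALL covers only the six classic flags; ECE/CWR are never compared."""
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0x00
    return sum(TCP_FLAGS[name] for name in spec.split(","))

# The check-flags chain from the thread, in order: (mask, comp, log prefix).
CHECK_FLAGS = [
    ("ALL", "FIN,URG,PSH", "NMAP-XMAS:"),
    ("ALL", "ALL", "XMAS:"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "XMAS-PSH:"),
    ("ALL", "NONE", "NULL_SCAN:"),
    ("SYN,RST", "SYN,RST", "SYN/RST:"),
    ("SYN,FIN", "SYN,FIN", "SYN/FIN:"),
]

def tcp_flags(tcp_header):
    """Read the flag byte from a raw TCP header."""
    return struct.unpack_from("!B", tcp_header, 13)[0]

def check_flags(tcp_header):
    """Walk the chain as netfilter does: the first rule whose (flags & mask) == comp
    wins and its log prefix is returned (that packet is logged, then dropped).
    None means the packet fell off the end of check-flags and keeps going."""
    flags = tcp_flags(tcp_header)
    for mask, comp, prefix in CHECK_FLAGS:
        if flags & flag_spec(mask) == flag_spec(comp):
            return prefix
    return None

def make_tcp_header(flags, sport=40000, dport=22):
    """Constructed 20-byte TCP header carrying the given flag byte (checksum left 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

if __name__ == "__main__":
    F = TCP_FLAGS
    samples = {"xmas": F["FIN"] | F["URG"] | F["PSH"], "null": 0,
               "syn/fin": F["SYN"] | F["FIN"], "plain SYN": F["SYN"]}
    for name, flags in samples.items():
        print(f"{name:10s} -> {check_flags(make_tcp_header(flags))}")
```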
Copyright Internet.com Inc. All Rights Reserved.