Security Basics mailing list archives
RE: Server blocks access of IP after nmap scan
From: Michael Sturtz <Michael.Sturtz () PACCAR com>
Date: Wed, 18 May 2011 12:41:27 -0700
Many firewalls and hosts do this based on heuristics, i.e. if you do a progressive port scan then the IPS system (host-based or firewall-based) detection determines that it is unusual or attack-like behavior, or if you attempt to open too many connections on too many ports at a time, or you send too many TCP SYN packets, etc. These types of behavior are associated with either malware or hacking activity. The reaction is usually to block the IP address or addresses the traffic is coming from. Sometimes it is a permanent block until an admin clears the block, or other times it is a temporary block for a specific length of time.

As to IP spoofing an IP address, while the source IP can be spoofed, it kind of breaks IP because in order for a TCP/IP conversation to occur you need a source IP, a destination IP, and a source port and destination port. If you lie about your source IP (in the IP header) then the return packets would never get to you. The only way to circumvent this is to either use multiple zombie machines or proxy servers. However, even then some intrusion detection systems can detect this and block the IP addresses.

Michael

________________________________________
From: listbounce () securityfocus com [listbounce () securityfocus com] On Behalf Of Littlefield, Tyler [tyler () tysdomain com]
Sent: Wednesday, May 18, 2011 11:35 AM
To: security-basics () securityfocus com
Subject: Re: Server blocks access of IP after nmap scan

hello:
I'm curious what prompted this? How did the firewall block ports from being scanned by nmap? Also:
> Good security defense, except if you try to find a way to spoof the ip =).

I'd think this was pretty easily solved? If you have two NIC cards at least, you can limit everything for class_A/B/C to that specific interface, drop everything on the external interface coming from class a,b,c or loopback. But it'd still be possible I suppose to spoof an address when you sent off a packet to get someone else blacklisted; how do people work against that?

On 5/18/2011 12:22 PM, amon.amarth9 () gmail com wrote:
> I solved the problem - I just used the nmap firewall/IDS/IPS evasion options and I specified fragmented packets, all together with a different scan method than the usual SYN scan. Anyway, the protection mechanism on the server is pretty good I think; even if you try to connect on some port that is not open it bans your IP address. Good security defense, except if you try to find a way to spoof the ip =).
--
Take care,
Ty
my website: http://tds-solutions.net
my blog: http://tds-solutions.net/blog
skype: st8amnd127
My programs don't have bugs; they're randomly added features!
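The heuristic described in Michael Sturtz's reply above (too many ports touched in a short time leads to a temporary block, or a permanent one until an admin clears it), sketched as a small detector. This is an added example, not code from the thread or from any product; the class name, thresholds and the sample traffic (documentation-range addresses) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class ScanDetector:
    """Blocks a source that touches too many distinct ports in a sliding window."""

    def __init__(self, max_ports=5, window=10.0, ban_seconds=60.0):
        self.max_ports = max_ports        # distinct ports tolerated per window (assumed value)
        self.window = window              # window length in seconds (assumed value)
        self.ban_seconds = ban_seconds    # None = permanent until an admin clears it
        self.events = defaultdict(deque)  # src -> deque of (timestamp, dst_port)
        self.banned = {}                  # src -> expiry time, or None if permanent

    def is_banned(self, src, now):
        if src not in self.banned:
            return False
        expiry = self.banned[src]
        if expiry is not None and now >= expiry:
            del self.banned[src]          # temporary block has run out
            return False
        return True

    def observe(self, ts, src, dst_port):
        """Feed one connection attempt; returns 'drop', 'ban' or 'allow'."""
        if self.is_banned(src, ts):
            return "drop"
        q = self.events[src]
        q.append((ts, dst_port))
        while q and ts - q[0][0] > self.window:
            q.popleft()                   # forget attempts older than the window
        if len({port for _, port in q}) > self.max_ports:
            self.banned[src] = None if self.ban_seconds is None else ts + self.ban_seconds
            q.clear()
            return "ban"
        return "allow"

    def clear(self, src):
        """Admin action: lift a block."""
        self.banned.pop(src, None)

def replay(detector, events):
    return [detector.observe(ts, src, port) for ts, src, port in events]

# Constructed sample: one client reusing port 443, one source sweeping ports 20-27,
# then the sweeping source retrying during and after the 60-second block.
SAMPLE = ([(0.0, "198.51.100.7", 443), (0.5, "198.51.100.7", 443)]
          + [(1.0 + i * 0.1, "203.0.113.9", 20 + i) for i in range(8)]
          + [(30.0, "203.0.113.9", 80), (70.0, "203.0.113.9", 80)])

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(ScanDetector(), SAMPLE)):
        print(event, verdict)
```

Because the block is keyed only on the source address seen in the packet, the detector has no way to tell whether that address was forged, which is the blacklisting concern raised in the quoted message.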
Current thread:
- Re: Server blocks access of IP after nmap scan, (continued)
- Re: Server blocks access of IP after nmap scan Saif El Sherei (May 18)
- RE: Server blocks access of IP after nmap scan Rishi Narang (May 18)
- Re: RE: Server blocks access of IP after nmap scan amon . amarth9 (May 18)
- Re: Server blocks access of IP after nmap scan Joseph Saselli (May 18)
- Re: Server blocks access of IP after nmap scan Luciano Mazzella (May 18)
- Re: RE: Server blocks access of IP after nmap scan phyco . rootelement (May 18)
- Re: RE: Server blocks access of IP after nmap scan TAS (May 18)
- Re: Server blocks access of IP after nmap scan amon . amarth9 (May 18)
- Re: Server blocks access of IP after nmap scan Littlefield, Tyler (May 18)
- Re: Server blocks access of IP after nmap scan Matthew Caron (May 18)
- RE: Server blocks access of IP after nmap scan Michael Sturtz (May 18)
- Re: Server blocks access of IP after nmap scan Littlefield, Tyler (May 18)
- Re: RE: Server blocks access of IP after nmap scan amon . amarth9 (May 18)
- Re: Server blocks access of IP after nmap scan Todd Haverkos (May 20)