Nmap Development mailing list archives
Re: hi there !!!
From: Jeff Nathan <jeff () wwti com>
Date: Sun, 13 Jan 2002 13:36:55 -0800
Josh Steele wrote:
There really is no way to make your server "invisible" per se. You can use firewalling to block certain ports, etc., but say if you cut off ping replies, there is a chance you might affect other services run on the server. As far as OS detection... there are some steps you can take (never implemented this) so that, say, you run FreeBSD 4.4-RELEASE, but if you do an OS detection on the machine it reports back Windows 2000, etc. If you are not really concerned with that, but just don't want people scanning you, install an IDS system that will notify you, log, add firewalling, etc. on any scan attempts. Josh
If you're using ipf (FreeBSD, NetBSD, Solaris, OpenBSD pre 3.0), you can use something like this to make it *very* hard to find a system.

(first block IP options and fragments too short to extract a valid network/transport header from)

    block in quick on fxp0 from any to any with ipopts
    block in quick on fxp0 from any to any with short

(next block TCP flag combinations used in scanning and OS identification)

    block in quick on fxp0 proto tcp all flags SF/SFRA
    block in quick on fxp0 proto tcp all flags /SFRA
    block in quick on fxp0 proto tcp all flags F/SFRA
    block in quick on fxp0 proto tcp all flags U/SFRAU
    block in quick on fxp0 proto tcp all flags P
From that point on in your ruleset, you'd probably pass in connections to whichever ports you want to run services on. Making sure you're careful about when state is established is fairly important as well (with TCP, ensure you're adding new potential state entries based upon SYNs). Beyond that, ensure your firewall passes out acceptable traffic and keeps state. Explicitly passing traffic in and out of the loopback interface without state should be done as well. Complete the ruleset with:

    block in log quick all
    block out log quick all

Also, the reason an interface is specified within the rules above is to make outbound nmap scanning possible.

To adapt the rules above to pf (OpenBSD 3.0 and -current), simply drop the first two rules included above and replace the explicit drops with these:

    block in quick on fxp0 inet proto tcp all flags SF/SFRA
    block in quick on fxp0 inet proto tcp all flags /SFRA
    block in quick on fxp0 inet proto tcp all flags F/SFRA
    block in quick on fxp0 inet proto tcp all flags U/SFRAU
    block in quick on fxp0 inet proto tcp all flags P

-Jeff
On Thu, 3 Jan 2002, arendashu ph wrote:

hi there,, i am a new member... and i want to ask you if there is a protection against nmap... i mean like if someone is scanning me with nmap... is there a way to make my server invisible to nmap? thank you !!! PS: please excuse my english !!!

__________________________________________________
Do You Yahoo!? Send your FREE holiday greetings online! http://greetings.yahoo.com

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
-- 
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
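As an added example (not from Jeff's mail or any project), here is the ruleset he outlines assembled into one complete pf.conf for OpenBSD 3.0, assuming fxp0 is the external interface and SSH on tcp/22 is the only service offered. It makes explicit the point his text leaves implicit: because pf (like ipf) lets the last matching rule win unless a rule says "quick", the pass rules must be "quick" too, or the closing "block ... all" lines override them.

```pf
# Added example: Jeff's outline assembled into a complete /etc/pf.conf
# for OpenBSD 3.0.  Assumptions (not from the mail): fxp0 is the external
# interface and SSH (tcp/22) is the only service offered.
#
# pf evaluates rules top to bottom and the *last* match wins unless a rule
# says "quick", which ends evaluation at that rule.  Every rule here is
# "quick", so order matters: scan-flag blocks first, then the services you
# offer, then the catch-all blocks.

# Loopback: pass explicitly, without state, as Jeff recommends.
pass in  quick on lo0 all
pass out quick on lo0 all

# TCP flag combinations used by port scanners and OS fingerprinting:
# SYN+FIN, no flags at all (NULL), FIN only, URG only, PSH only.
# No "ipopts" rule is needed here: pf drops packets carrying IP options
# unless a rule explicitly says "allow-opts".
block in quick on fxp0 inet proto tcp all flags SF/SFRA
block in quick on fxp0 inet proto tcp all flags /SFRA
block in quick on fxp0 inet proto tcp all flags F/SFRA
block in quick on fxp0 inet proto tcp all flags U/SFRAU
block in quick on fxp0 inet proto tcp all flags P

# Offered services: create state only from a bare SYN (S/SA), so a stray
# ACK or RST cannot open a state entry on its own.
pass in quick on fxp0 inet proto tcp from any to any port 22 flags S/SA keep state

# Outbound traffic from this host (this is what makes running nmap from it
# possible): TCP state keyed on the SYN again; UDP and ICMP keep state so
# their replies are let back in without a separate "pass in".
pass out quick on fxp0 inet proto tcp  all flags S/SA keep state
pass out quick on fxp0 inet proto udp  all keep state
pass out quick on fxp0 inet proto icmp all keep state

# Everything else is dropped and logged to pflog0.
block in  log quick all
block out log quick all
```

Load it with `pfctl -f /etc/pf.conf` after checking the syntax with `pfctl -nf /etc/pf.conf`; the blocked scan probes then show up on pflog0 with tcpdump, which is the logging Josh suggests.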
Current thread:
- hi there !!! arendashu ph (Jan 03)
- Re: hi there !!! Josh Steele (Jan 03)
- Re: hi there !!! Jeff Nathan (Jan 13)
- <Possible follow-ups>
- Re: hi there !!! cyril.perrault (Jan 03)
- RE: hi there !!! Jeremy Brooks (Jan 03)
- RE: hi there !!! Gerald Combs (Jan 03)
- Re: hi there !!! Josh Steele (Jan 03)