Security Basics mailing list archives

Re: Server blocks access of IP after nmap scan


From: Martin Schneider <nighthawk2600 () gmail com>
Date: Wed, 18 May 2011 11:16:31 -0700

On 05/18/2011 10:34 AM, Dan Lynch wrote:
So I guess after the nmap scan the server somehow
protected itself by blocking access to the site for my IP. I
would like to know what I can do in this case, how I can
successfully complete an nmap scan without putting it 'down'.
First make sure this is within the acceptable use guidelines of your ISP and the server owner's ISP. If it's not, you'd best knock it off.

But if it is, there's likely an active IPS somewhere in your path to the server. Use nmap's timing options (either -T or -max-rate) to go "low-and-slow" and avoid triggering the IPS. You don't know what the IPS thresholds are set to, so be conservative, and be patient -- this will take a while.

An idle/zombie scan is inherently slower, but still subject to rate-based IPS alerts. You protect your real IP address from the target, but the zombie will get blocked if it triggers the IPS.


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

Okay, you have to understand firewalls here. By port scanning his server you're connecting at a very high rate. More than likely you are being blocked because of these high-rate connections to his server. I like what Dan Lynch said about using the max-rate, going slow and using nmap's timing options. If you are connecting slower than 5 connects a minute you may not be blocked. However, a scan could generate 100s of connections/half connects a minute, depending on the scan, which is why you are blocked out. Also try to generate different information with traceroute or hping2, which I saw was already suggested and which is a good idea.

Using traceroute could locate you to the firewall, but more than likely it will be blocked by the firewall, so you may have to use different packet sending options to generate different results.

All right everyone, I bid you good day.
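
The rate-based blocking discussed in this thread, seen from the defender's side, as an added example that is not part of the original messages: a per-minute connection threshold catches a burst scan, and a second rule counting distinct destination ports over a longer window catches a source that stays under the per-minute rate. The thresholds, rule names and addresses are hypothetical, and the traffic is constructed.

```python
from collections import defaultdict, deque

# Hypothetical thresholds; real IPS products use their own values.
RATE_WINDOW_S, RATE_MAX_CONNS = 60, 20        # burst rule: connections per minute
SPREAD_WINDOW_S, SPREAD_MAX_PORTS = 3600, 30  # spread rule: distinct ports per hour


def detect(events):
    """events: iterable of (timestamp_s, src_ip, dst_port), sorted by time.
    Returns {src_ip: (rule_name, timestamp_of_first_alert)}."""
    recent = defaultdict(deque)  # src -> timestamps inside the rate window
    ports = defaultdict(deque)   # src -> (timestamp, port) inside the spread window
    alerts = {}
    for ts, src, port in events:
        if src in alerts:
            continue  # already blocked; an IPS would drop further traffic
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= RATE_WINDOW_S:
            q.popleft()
        p = ports[src]
        p.append((ts, port))
        while p and ts - p[0][0] >= SPREAD_WINDOW_S:
            p.popleft()
        if len(q) > RATE_MAX_CONNS:
            alerts[src] = ("rate", ts)
        elif len({prt for _, prt in p}) > SPREAD_MAX_PORTS:
            alerts[src] = ("spread", ts)
    return alerts


def sample_events():
    """Constructed traffic: one burst source, one slow source, one normal client."""
    fast = [(i / 10, "198.51.100.10", 1 + i) for i in range(200)]    # 10 ports/s
    slow = [(i * 15.0, "198.51.100.20", 1 + i) for i in range(200)]  # 4 ports/min
    web = [(i * 5.0, "198.51.100.30", 443) for i in range(600)]      # one port, 12/min
    return sorted(fast + slow + web)


if __name__ == "__main__":
    for src, (rule, ts) in sorted(detect(sample_events()).items()):
        print(f"{src}: blocked by {rule} rule at t={ts:.1f}s")
```

The steady single-port client is never flagged, which is why the second rule keys on distinct ports rather than on connection count alone.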


