Re: nmap protection rules


On Thu, 30 Dec 2004 at 13:18, Chris Brenton wrote:
> On Wed, 2004-12-29 at 18:18, Jorge Agrelo wrote:
> > Can anyone help me write iptables rules to:
> > 
> > * block IP protocol scans (nmap -sO)
> 
> When performing a protocol scan, nmap sends an IP packet with no
> transport header. So for example to check for AH support, byte 9 in the
> IP header is set to "51" but no AH header is included in the packet. The
> concept is a system which supports AH will ignore the packet and not
> respond. A system that does not support AH will return an ICMP type 3
> code 2 (protocol unreachable).
> 
> So, provided your iptables default policy is "deny all", you should be
> fine.
> 

Unless someone makes a completely normal connection to maybe port
80 of your server and uses something like p0f. That's much more
effective than the nmap -sO command. I agree with all the rest.

I also use these rules to drop some kinds of strange TCP flags that
indicate you are being portscanned:

# FIN+URG+PSH with nothing else set: "Xmas" scan (nmap -sX)
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# SYN and RST set together: never valid in a real TCP exchange
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN and FIN set together: never valid in a real TCP exchange
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# FIN alone, with no ACK: FIN scan (nmap -sF)
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL FIN -j DROP
# Every flag set at once
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL ALL -j DROP

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
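Added example, not part of the thread above: a small model of how iptables evaluates `--tcp-flags MASK COMP` (examine only the MASK bits, match when exactly the COMP bits are set), applied to the five posted rules in chain order. Running it against a few constructed flag bytes shows which scan types those rules drop and which (a plain SYN, or a NULL scan with no flags at all) pass straight through. The rule descriptions and the `classify` helper are assumptions of this example.

```python
# Models netfilter's --tcp-flags MASK COMP matching for the rules posted above.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())  # iptables' "ALL" = SYN,ACK,FIN,RST,URG,PSH


def mask(spec):
    """Turn an iptables flag list such as 'SYN,FIN', 'ALL' or 'NONE' into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask_spec, comp_spec):
    """--tcp-flags MASK COMP: look only at MASK bits; match when they equal COMP."""
    return packet_flags & mask(mask_spec) == mask(comp_spec)


# The posted rules, in chain order, as (MASK, COMP, what the rule is aimed at).
RULES = [
    ("ALL", "FIN,URG,PSH", "Xmas scan (nmap -sX)"),
    ("SYN,RST", "SYN,RST", "SYN+RST set together"),
    ("SYN,FIN", "SYN,FIN", "SYN+FIN set together"),
    ("ALL", "FIN", "FIN scan (nmap -sF)"),
    ("ALL", "ALL", "every flag set"),
]


def classify(packet_flags):
    """Description of the first rule that would DROP this flag byte, else None.

    Like a real chain, the first matching rule wins."""
    for mask_spec, comp_spec, desc in RULES:
        if tcp_flags_match(packet_flags, mask_spec, comp_spec):
            return desc
    return None


# Constructed sample flag bytes, one per segment type.
SAMPLES = {
    "xmas": mask("FIN,PSH,URG"),
    "null": 0,                 # nmap -sN: no flags at all, not matched by any rule
    "syn_fin": mask("SYN,FIN"),
    "plain_syn": mask("SYN"),  # ordinary connect / nmap -sS: passes
    "data": mask("PSH,ACK"),   # normal established-connection traffic
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print(f"{name:10s} flags=0x{flags:02x} -> {classify(flags)}")
```

Note that a packet with all six flags set is already dropped by the SYN,RST rule before the final `ALL ALL` rule is reached, which is what the chain-order model reports.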
