Re: Port Scans - grc.com vs pcflank.com Who do I believe?
From: beltorak (beltorak_at_yahoo.com)
Date: 08/28/03
- Next message: Neil Sandow: "Re: use ipchains to block all ports > 60,000"
- Previous message: erik: "Re: use ipchains to block all ports > 60,000"
- In reply to: Joe Shmoe: "Port Scans - grc.com vs pcflank.com Who do I believe?"
- Next in thread: Capps: "Re: Port Scans - grc.com vs pcflank.com Who do I believe?"
- Reply: Capps: "Re: Port Scans - grc.com vs pcflank.com Who do I believe?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 27 Aug 2003 16:10:28 -0700
Joe Shmoe <shmoe@shmoe.com> wrote in message news:<uYR1b.822193$3C2.18614141@news3.calgary.shaw.ca>...
> Almost typed "Who do I trust?" in the subject; like the man said, "trust
> yourself."
>
> Anyhoo; I have a single machine on the 'net 24/7 and I've used iptables to
> build me a firewall. So, I use grc.com to probe some ports and it tells me
> they're all "stealthed". I then go to pcflank.com and they tell me that
> ports 1080 and 12345 (among others) are closed. Which scanner should I be
> trusting? Thanks,
>
> Joe
Gibson is a little.... enthusiastic about his area of expertise.
(That's a nice way of putting it, right?). There is a bit of
controversy over how extensive his expertise really is. But that is
an aside.
nmap is an excellent tool; however, if you only have a single machine,
your firewall will need a bit of modification to get nmap to return
results closer to what an attacker would see. More on that at the end
of this post.
There are other sites (my favorite is http://scan.sygatetech.com/ )
that do a better job at portscanning (i.e. less hype). I am not
familiar with pcflank -- will check that out. There are a few other
sites that do nmap requests and email you the results, but alas I seem
to have forgotten that bookmark.
As for the firewall; I set up the following main chains in INPUT:
iptables -A INPUT -i lo -j fi_LOOP
iptables -A INPUT -i $Ext_Interface -j fi_NET
iptables -A INPUT -j DROP
You can do the same with the OUTPUT chain for consistency (replacing
'-i' with '-o' and 'fi_' with 'fo_', and 'DROP' with 'REJECT' to
eliminate time-out waits).
Under fi/fo_LOOP is a simple '-j ACCEPT' (unless you filter traffic
across the machine's loopback interface for some reason....).
Under fi/fo_NET goes your current firewall ruleset, but be sure to
strip the interface test (-i and -o portions). I will call this the
default state of the firewall.
To test yourself, point the inbound LOOP chain to the NET chain:
iptables -R fi_LOOP 1 -j fi_NET
and run nmap against localhost. That should give you a close
approximation of what an attacker would see from the outside. Using
this setup I didn't detect any differences between a local scan and
one from a website.
To check for leakages, return the firewall to the default state, and
replace the outbound LOOP chain with:
iptables -R fo_LOOP 1 -j fo_NET
and run nmap against localhost again.
Hope this helps
-t.
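The chain layout and the two test states described in the post above, as an added example (not the poster's own script). It keeps the post's chain names (fi_LOOP, fi_NET, fo_LOOP, fo_NET) and the $Ext_Interface variable; the eth0 default, the contents of the fi_NET/fo_NET rulesets and the file name fw.sh are assumptions for illustration. IPT defaults to a dry run that prints the iptables commands, so the script can be read and checked without root; set IPT=iptables to apply the rules.

```shell
#!/bin/sh
# Added example: user-defined chains that dispatch by interface, plus the
# self-test switches from the post. Dry run by default (prints commands).
IPT="${IPT:-echo iptables}"
Ext_Interface="${Ext_Interface:-eth0}"   # assumption: external interface name

fw_setup() {
    # One chain per direction and interface class.
    for c in fi_LOOP fi_NET fo_LOOP fo_NET; do
        $IPT -N "$c"
    done

    # INPUT dispatch: loopback -> fi_LOOP, external -> fi_NET, anything else dropped.
    $IPT -A INPUT -i lo -j fi_LOOP
    $IPT -A INPUT -i "$Ext_Interface" -j fi_NET
    $IPT -A INPUT -j DROP

    # OUTPUT dispatch: same shape with -o, and REJECT so local programs
    # fail fast instead of waiting for a time-out.
    $IPT -A OUTPUT -o lo -j fo_LOOP
    $IPT -A OUTPUT -o "$Ext_Interface" -j fo_NET
    $IPT -A OUTPUT -j REJECT

    # Default state: loopback traffic is accepted in both directions.
    $IPT -A fi_LOOP -j ACCEPT
    $IPT -A fo_LOOP -j ACCEPT

    # Assumed NET ruleset: no -i/-o tests here, so the same rules apply
    # unchanged when the LOOP chains are pointed at them for testing.
    $IPT -A fi_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A fi_NET -p tcp --dport 22 -j ACCEPT
    $IPT -A fi_NET -j DROP
    $IPT -A fo_NET -j ACCEPT
}

# Test state 1: inbound loopback packets get the external inbound rules,
# so "nmap 127.0.0.1" approximates an outside scan.
fw_test_inbound() {
    $IPT -R fi_LOOP 1 -j fi_NET
}

# Test state 2: outbound loopback packets get the external outbound rules,
# to look for leakage from local services.
fw_test_outbound() {
    $IPT -R fo_LOOP 1 -j fo_NET
}

# Return both LOOP chains to the plain ACCEPT of the default state.
fw_default() {
    $IPT -R fi_LOOP 1 -j ACCEPT
    $IPT -R fo_LOOP 1 -j ACCEPT
}

# Usage (file name fw.sh is an assumption):
#   . ./fw.sh; fw_setup; fw_test_inbound     # then: nmap 127.0.0.1
#   fw_default; fw_test_outbound             # then: nmap 127.0.0.1 again
#   fw_default                               # back to normal operation
```

Only rule 1 of each LOOP chain is ever replaced, so fw_default always undoes a test state, and the NET rulesets carry no interface match, which is what lets the loopback scan exercise exactly the rules an external peer would hit.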