Re: Port Scans - grc.com vs pcflank.com Who do I believe?
From: Capps (capps_at_iozone.org)
Date: Thu, 28 Aug 2003 14:51:12 GMT
My two cents,
I don't believe the results from scan.sygatetech.com.
The results change from run to run. The results change
when the network gets busy. The results are just silly
when it returns "Closed" for ports that have identically
the same rules in my firewall.
Scan.sygatetech.com is not anywhere near as good as
running nmap. Not even close.
"beltorak" <firstname.lastname@example.org> wrote in message
> Joe Shmoe <email@example.com> wrote in message
> > Almost typed "Who do I trust?" in the subject; like the man said, "trust
> > yourself."
> > Anyhoo; I have a single machine on the 'net 24/7 and I've used iptables to
> > build me a firewall. So, I use grc.com to probe some ports and it tells me
> > they're all "stealthed". I then go to pcflank.com and they tell me that
> > ports 1080 and 12345 (among others) are closed. Which scanner should I be
> > trusting? Thanks,
> > Joe
> Gibson is a little.... enthusiastic about his area of expertise.
> (That's a nice way of putting it, right?). There is a bit of
> controversy over how extensive his expertise really is. But that is
> an aside.
> nmap is an excellent tool; however, if you only have a single machine,
> your firewall will need a bit of modification to get nmap to return
> results closer to what an attacker would see. More on that at the end
> of this post.
> There are other sites (my favorite is http://scan.sygatetech.com/ )
> that do a better job at portscanning (ie: less hype). I am not
> familiar with pcflank -- will check that out. There are a few other
> sites that do nmap requests and email you the results, but alas I seem
> to have forgotten that bookmark.
> As for the firewall; I set up the following main chains in INPUT:
> iptables -A INPUT -i lo -j fi_LOOP
> iptables -A INPUT -i $Ext_Interface -j fi_NET
> iptables -A INPUT -j DROP
> You can do the same with the OUTPUT chain for consistency (replacing
> '-i' with '-o' and 'fi_' with 'fo_', and 'DROP' with 'REJECT' to
> eliminate time-out waits).
> Under fi/fo_LOOP is a simple '-j ACCEPT' (unless you filter traffic
> across the machine's loopback interface for some reason....).
> Under fi/fo_NET goes your current firewall ruleset, but be sure to
> strip the interface test (-i and -o portions). I will call this the
> default state of the firewall.
> To test yourself, point the inbound LOOP chain to the NET chain:
> iptables -R fi_LOOP 1 -j fi_NET
> and run nmap against localhost. That should give you a close
> approximation of what an attacker would see from the outside. Using
> this setup I didn't detect any differences between a local scan and
> one from a website.
> To check for leakages, return the firewall to the default state, and
> replace the outbound LOOP chain with:
> iptables -R fo_LOOP 1 -j fo_NET
> and run nmap against localhost again.
> hope this helps
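The chain layout beltorak describes above, written out as a complete script. This is an added example, not code from the original post: the chain names fi_LOOP, fi_NET, fo_LOOP, fo_NET and the $Ext_Interface variable are taken from the post, while the ipt wrapper, the DRYRUN switch, the eth0 default and the minimal placeholder ruleset in fi_NET/fo_NET are my own assumptions. With DRYRUN set the script only prints the iptables commands it would run; unset, it must run as root.

```shell
#!/bin/sh
# Added example of the single-machine test setup from the post (not the
# poster's own script). Assumptions: eth0 is the external interface, and the
# rules placed in fi_NET/fo_NET are a minimal placeholder for your real ruleset.
# Usage:  DRYRUN=1 sh fw.sh default      # print the commands only
#         sudo sh fw.sh default           # apply the default state
#         sudo sh fw.sh test-in           # route loopback through fi_NET
#         nmap -sS -p- 127.0.0.1          # scan as an outsider would see it
#         sudo sh fw.sh restore           # back to the default state

Ext_Interface="${Ext_Interface:-eth0}"   # assumption: eth0 faces the Internet

# Run iptables, or just echo the command when DRYRUN is set.
ipt() {
    if [ -n "$DRYRUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Default state: INPUT/OUTPUT dispatch on interface into the four user chains,
# loopback is accepted unfiltered, and the real ruleset lives in fi_NET/fo_NET
# with no -i/-o tests of its own.
fw_default() {
    for c in fi_LOOP fi_NET fo_LOOP fo_NET; do
        ipt -N "$c" 2>/dev/null || true   # create if missing
        ipt -F "$c"                        # then start it empty
    done

    ipt -F INPUT
    ipt -A INPUT -i lo -j fi_LOOP
    ipt -A INPUT -i "$Ext_Interface" -j fi_NET
    ipt -A INPUT -j DROP

    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j fo_LOOP
    ipt -A OUTPUT -o "$Ext_Interface" -j fo_NET
    ipt -A OUTPUT -j REJECT                # REJECT so local programs fail fast

    ipt -A fi_LOOP -j ACCEPT
    ipt -A fo_LOOP -j ACCEPT

    # Placeholder ruleset (assumption): allow replies and SSH, drop the rest.
    ipt -A fi_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A fi_NET -p tcp --dport 22 -j ACCEPT
    ipt -A fi_NET -j DROP
    ipt -A fo_NET -j ACCEPT
}

# Inbound test state: rule 1 of fi_LOOP now jumps into fi_NET, so packets
# arriving on lo are judged by the same rules as packets from the outside.
fw_test_inbound() {
    ipt -R fi_LOOP 1 -j fi_NET
}

# Outbound test state: same trick on the OUTPUT side to look for leaks.
fw_test_outbound() {
    ipt -R fo_LOOP 1 -j fo_NET
}

# Put loopback back to plain ACCEPT in both directions.
fw_restore() {
    ipt -R fi_LOOP 1 -j ACCEPT
    ipt -R fo_LOOP 1 -j ACCEPT
}

case "${1:-}" in
    default)  fw_default ;;
    test-in)  fw_test_inbound ;;
    test-out) fw_test_outbound ;;
    restore)  fw_restore ;;
esac
```

Two practical caveats when using this. First, while the inbound test state is active, every local client talking to a service on 127.0.0.1 is also subject to fi_NET, so anything not opened there (a local database, X, a mail spool) will stop answering until you run restore. Second, the scanner vocabulary maps directly onto the rule actions: a port whose packets hit DROP gives no answer and nmap reports it as "filtered" (grc.com's "stealthed"), while a port that sends back a RST, either because nothing listens on it or because the rule is REJECT, is reported as "closed". That mapping, not the scanning site, is usually what explains a "stealthed" versus "closed" disagreement.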