Re: Port Scans - grc.com vs pcflank.com Who do I believe?
From: Joe Shmoe (shmoe_at_shmoe.com)
Date: 08/28/03
- Previous message: Jem Berkes: "Re: A request to all mail admins"
- In reply to: Capps: "Re: Port Scans - grc.com vs pcflank.com Who do I believe?"
- Next in thread: beltorak: "Re: Port Scans - grc.com vs pcflank.com Who do I believe?"
Date: Thu, 28 Aug 2003 15:41:58 GMT
Capps wrote:
> My two cents,
>
> I don't believe the results from scan.sygatetech.com.
> The results change from run to run. The results change
> when the network gets busy. The results are just silly
> when it returns "Closed" for ports that have identically
> the same rules in my firewall.
>
> Scan.sygatetech.com is not anywhere near as good as
> running nmap. Not even close.
>
> Enjoy,
> Don
>
> "beltorak" <beltorak@yahoo.com> wrote in message
> news:367f16b.0308271510.71a0d8f1@posting.google.com...
>> Joe Shmoe <shmoe@shmoe.com> wrote in message
>> news:<uYR1b.822193$3C2.18614141@news3.calgary.shaw.ca>...
>> > Almost typed "Who do I trust?" in the subject; like the man said,
>> > "trust yourself."
>> >
>> > Anyhoo; I have a single machine on the 'net 24/7 and I've used iptables
>> > to build me a firewall. So, I use grc.com to probe some ports and it
>> > tells me they're all "stealthed". I then go to pcflank.com and they tell
>> > me that ports 1080 and 12345 (among others) are closed. Which scanner
>> > should I be trusting? Thanks,
>> >
>> > Joe
>>
>> Gibson is a little.... enthusiastic about his area of expertise.
>> (That's a nice way of putting it, right?). There is a bit of
>> controversy over how extensive his expertise really is. But that is
>> an aside.
>>
>> nmap is an excellent tool; however, if you only have a single machine,
>> your firewall will need a bit of modification to get nmap to return
>> results closer to what an attacker would see. More on that at the end
>> of this post.
>>
>> There are other sites (my favorite is http://scan.sygatetech.com/ )
>> that do a better job at portscanning (ie: less hype). I am not
>> familiar with pcflank -- will check that out. There are a few other
>> sites that do nmap requests and email you the results, but alas I seem
>> to have forgotten that bookmark.
>>
>> As for the firewall; I set up the following main chains in INPUT:
>> iptables -A INPUT -i lo -j fi_LOOP
>> iptables -A INPUT -i $Ext_Interface -j fi_NET
>> iptables -A INPUT -j DROP
>>
>> You can do the same with the OUTPUT chain for consistency (replacing
>> '-i' with '-o' and 'fi_' with 'fo_', and 'DROP' with 'REJECT' to
>> eliminate time-out waits).
>>
>> Under fi/fo_LOOP is a simple '-j ACCEPT' (unless you filter traffic
>> across the machine's loopback interface for some reason....).
>>
>> Under fi/fo_NET goes your current firewall ruleset, but be sure to
>> strip the interface test (-i and -o portions). I will call this the
>> default state of the firewall.
>>
>> To test yourself, point the inbound LOOP chain to the NET chain:
>> iptables -R fi_LOOP 1 -j fi_NET
>> and run nmap against localhost. That should give you a close
>> approximation of what an attacker would see from the outside. Using
>> this setup I didn't detect any differences between a local scan and
>> one from a website.
>>
>> To check for leakages, return the firewall to the default state, and
>> replace the outbound LOOP chain with:
>> iptables -R fo_LOOP 1 -j fo_NET
>> and run nmap against localhost again.
>>
>> hope this helps
>>
>> -t.
Thanks for all the advice. As soon as I get to another computer I'll be
running nmap on my home machine. I'll keep you posted.
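
The chain layout and loopback self-test described in the quoted post, gathered into one script. This is an added example, not code from the thread: EXT_IF, RUN and the fw_* function names are assumptions, and by default it only prints the iptables and nmap commands (dry run) instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. EXT_IF, RUN and the fw_* names are assumptions.
EXT_IF="${EXT_IF:-eth0}"  # assumed name of the external interface
RUN="${RUN-echo}"         # default: dry run (print). As root, RUN= applies for real.

ipt() { $RUN iptables "$@"; }

# Default state: loopback accepted, external traffic judged by fi_NET / fo_NET.
fw_default() {
    for c in fi_LOOP fi_NET fo_LOOP fo_NET; do ipt -N "$c"; done
    ipt -A fi_LOOP -j ACCEPT
    ipt -A fo_LOOP -j ACCEPT
    # Existing rules are appended to fi_NET / fo_NET here, minus their -i / -o tests.
    ipt -A INPUT -i lo -j fi_LOOP
    ipt -A INPUT -i "$EXT_IF" -j fi_NET
    ipt -A INPUT -j DROP
    ipt -A OUTPUT -o lo -j fo_LOOP
    ipt -A OUTPUT -o "$EXT_IF" -j fo_NET
    ipt -A OUTPUT -j REJECT
}

# Point one loopback chain at the external ruleset, as in the post.
fw_test_inbound()  { ipt -R fi_LOOP 1 -j fi_NET; }
fw_test_outbound() { ipt -R fo_LOOP 1 -j fo_NET; }
# Return both loopback chains to the default state.
fw_restore() {
    ipt -R fi_LOOP 1 -j ACCEPT
    ipt -R fo_LOOP 1 -j ACCEPT
}

# Inbound test, restore, then outbound leak test, restore.
fw_selftest() {
    fw_test_inbound
    $RUN nmap localhost || true   # keep going so the restore always runs
    fw_restore
    fw_test_outbound
    $RUN nmap localhost || true
    fw_restore
}

case "${1-}" in
    default)  fw_default ;;
    selftest) fw_selftest ;;
    restore)  fw_restore ;;
    "")       : ;;
    *)        echo "usage: $0 default|selftest|restore" >&2 ;;
esac
```

While either test rule is in place, local services that talk over loopback are filtered by the external ruleset, which is why fw_selftest restores the default state after each scan.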