Re: Can IPTABLES stop port scans by NMAP?
From: jayjwa (jayjwa_at_atr2.ath.cx)
Date: 03/17/05
- Previous message: jayjwa: "Re: Iptables and Script to make it possible (Help me please)"
- In reply to: sylo_at_perknet.net: "Can IPTABLES stop port scans by NMAP?"
- Next in thread: RockLinux: "Re: Can IPTABLES stop port scans by NMAP?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Mar 2005 10:36:29 -0000
On 2005-03-15, sylo@perknet.net <sylo@perknet.net> wrote:
> Can you configure IPTABLES on Fedora to stop port scans that are
> performed with nmap?
Yes.
> If the answer is yes how do you do this?
By looking for certain flags which nmap typically sets in the packets and then
dropping those when the patterns match. Something like:
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/min \
    --limit-burst 5 -j LOG --log-level 7 --log-prefix "Xmas Scan: "
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
Record some nmap traffic coming at you and look at the patterns it makes.
> Also can you return bogus data to an nmap scan? If the answer is yes
> how do you do this?
I've only seen them dropped, and even then this may not be such a good idea
because the method isn't 100% fail-proof. That is, maybe sometimes you'll drop
"good" packets that appear to be scan probes. But, since iptables gives you
very fine control over what you take in and what you do with it, I'd think
that maybe there's a way. You'll probably want to check into the Netfilter
Patch'O Matic (http://www.netfilter.org/). It patches your kernel to include
some extra abilities. I use it currently and it works well, just don't try to
enable all of the extras ;) Just pick a couple you'll really use and go with
that. Then recompile your kernel, install the mods, modprobe the mods and
you're ready to go. I build all of mine as kmods to keep the kernel size down.
This way I don't have to load extensions I'm not using at the time.
--
RedHat Linux: How linux would have looked if Micro$oft had written it. HP/UX & AIX: What keeps linux users still using 30yr old "compatibility" defaults in our builds
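As an added example, not code from the original post or from the Netfilter project: a small POSIX sh script that prints the same rate-limited LOG + DROP rule pair for the three invalid-flag patterns that nmap's -sX, -sN and -sF scans send (generalizing the Xmas rule above), and classifies the flag field of the kernel LOG lines those rules produce. The pattern names and the sample log lines are constructed; nothing here modifies the firewall.

```shell
#!/bin/sh
# Added example, not code from the original post. Rules are printed, not
# applied, so it runs unprivileged; pipe the output to sh as root to install.

# name  mask  comparison   (the two --tcp-flags arguments; names assumed)
PATTERNS='xmas ALL FIN,URG,PSH
null ALL NONE
fin ALL FIN'

# Print the rate-limited LOG rule and the DROP rule for one pattern.
rule_pair() {
    printf 'iptables -A INPUT -p tcp --tcp-flags %s %s -m limit --limit 3/min --limit-burst 5 -j LOG --log-level 7 --log-prefix "%s scan: "\n' "$2" "$3" "$1"
    printf 'iptables -A INPUT -p tcp --tcp-flags %s %s -j DROP\n' "$2" "$3"
}

# Print the rule pairs for every pattern in PATTERNS.
all_rules() {
    printf '%s\n' "$PATTERNS" | while read -r name mask comp; do
        rule_pair "$name" "$mask" "$comp"
    done
}

# Extract the TCP flag tokens from a netfilter LOG line: the kernel prints
# them between the RES= field and the URGP= field (empty for a NULL scan).
log_flags() {
    printf '%s\n' "$1" | sed -n 's/.*RES=0x[0-9A-Fa-f]* \(.*\)URGP=.*/\1/p'
}

# Map a flag token list ("URG PSH FIN", "", "ACK PSH") to a pattern name,
# or "normal" when it is none of the scan patterns above.
classify_flags() {
    canon=$(for f in $1; do echo "$f"; done | LC_ALL=C sort | tr '\n' ',')
    case ${canon%,} in
        "")          echo null ;;
        FIN,PSH,URG) echo xmas ;;
        FIN)         echo fin ;;
        *)           echo normal ;;
    esac
}

# Constructed sample LOG lines (not real captures), in the kernel's format.
XMAS_LINE='xmas scan: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=40123 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0'
NULL_LINE='null scan: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=TCP SPT=40124 DPT=22 WINDOW=1024 RES=0x00 URGP=0'
DATA_LINE='IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0'

all_rules
for l in "$XMAS_LINE" "$NULL_LINE" "$DATA_LINE"; do
    classify_flags "$(log_flags "$l")"
done
```

The classifier shows why the author's caveat matters in practice: a normal data segment (ACK,PSH) is never mistaken for a scan, but any rule keyed on flag bits alone says nothing about who sent the packet, so the LOG line, not the DROP, is what you review.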