Security Basics mailing list archives
Re: how nmap can know my firewalled servers ?
From: "Alexey Eremenko" <al4321 () gmail com>
Date: Thu, 13 Apr 2006 07:59:43 -0200
I am assuming you are using a DROP rule on your firewall. NMAP knows that if it does not receive a response for a TCP connection then it is firewalled. Dropping traffic at a firewall violates RFC and makes it much easier to know when there is a firewall between the scanner and the end host. I recommend using REJECT

-A INPUT -j REJECT --reject-with icmp-host-unreachable

That will conform to RFC (I'm pretty sure) and will make it harder to detect a firewall with NMAP.
True, I am using DROP state on my iptables, but even when I changed the state of my firewall to "REJECT --reject-with icmp-host-unreachable" - nmap _still_ knows that my services are running (telnet) and are filtered !

linux:/ # iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with icmp-host-unreachable
linux:/ # nmap localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-04-13 12:59 GMT+2
Interesting ports on localhost (127.0.0.1):
(The 1648 ports scanned but not shown below are in state: closed)
PORT   STATE    SERVICE
22/tcp open     ssh
23/tcp filtered telnet
...

linux:/ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpt:telnet reject-with icmp-host-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So how do I fool nmap that my service is really down ?
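Why the REJECT rule in the message above still shows `filtered`, as an added example that is not part of the original post: a small Python model of how nmap's TCP SYN scan classifies the reply each iptables target produces. The function names, the DROP and ACCEPT rules, and the `--reject-with tcp-reset` variant are additions for comparison and do not come from the thread.

```python
import shlex

def probe_reply(rule, listening=True):
    """Return what a TCP SYN matching this iptables rule gets back."""
    args = shlex.split(rule)
    if "-j" not in args:
        raise ValueError("rule has no -j target")
    target = args[args.index("-j") + 1]
    if target == "DROP":
        return "none"                     # packet silently discarded
    if target == "ACCEPT":
        # The TCP stack answers: SYN/ACK with a listener, RST without one.
        return "syn-ack" if listening else "rst"
    if target != "REJECT":
        raise ValueError("unsupported target: " + target)
    kind = "icmp-port-unreachable"        # iptables default for REJECT
    if "--reject-with" in args:
        kind = args[args.index("--reject-with") + 1]
    if kind == "tcp-reset":
        # iptables only accepts tcp-reset on rules restricted to TCP.
        if "-p" not in args or args[args.index("-p") + 1] != "tcp":
            raise ValueError("tcp-reset requires -p tcp")
        return "rst"
    if not kind.startswith("icmp-"):
        raise ValueError("unknown reject type: " + kind)
    return kind                           # an ICMP type 3 unreachable error

def nmap_state(reply):
    """SYN-scan port state for a given reply to the probe."""
    if reply == "syn-ack":
        return "open"
    if reply == "rst":
        return "closed"
    return "filtered"                     # silence or ICMP unreachable

def predict(rule, listening=True):
    return nmap_state(probe_reply(rule, listening))

# Constructed rule set: the second rule is the one from the message.
RULES = [
    "iptables -A INPUT -p tcp --dport 23 -j DROP",
    "iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with icmp-host-unreachable",
    "iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset",
]

if __name__ == "__main__":
    for r in RULES:
        print(predict(r).ljust(9), r)
```

Only a TCP RST is reported as `closed`, which is why swapping DROP for an ICMP reject type leaves port 23 marked `filtered` next to 1648 ports that answered with a reset.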