Security Basics mailing list archives
Re: nmap bloqued
From: rembrandt () jpberlin de
Date: Sun, 5 Feb 2006 02:07:16 +0100 (CET)
Hello, my question is simple: can anyone stop scans with nmap in a whole net? I ask this because I was doing some tests in my net with nmap and only a pair of them were OK. The other machines always returned as down, and I know this is impossible, because I had scanned them before. Sorry for my speech; I know very little of the English language. (If only you could write in Spanish... but that's not imperative :-)
OpenBSD's firewall (pf) can do this. It detects nmap scans because nmap uses a nearly unique technique to generate packets (if I'm not that wrong, feel free to correct me pls. It's kinda late here). PF is able to block hosts by their OS (passive OS fingerprinting) and they've a fingerprint for nmap too, so the rule for blocking an OS or blocking nmap is the same. This rule should do the job:

    block drop in on $ext_if from any os "nmap"

$ext_if is a variable for your NIC which handles the external traffic.

More information about PF (which is hopefully helpful) can be found on the OpenBSD website www.openbsd.org:
ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.txt

OpenBSD is also useful to stop SSH brute force or any other brute-force attack. You simply "abuse" the overload rule. E.g. a rule like this would block every further packet from a host which connects faster than 2 times in 15 seconds or which has more than 10 parallel connections:

    table <abusive_hosts> persist
    block drop in quick from <abusive_hosts>
    pass in on $ext_if proto tcp to $web_server \
        port www flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 2/15, overload <abusive_hosts> flush)

PF is a neat firewall and (in my opinion) much better than any (yes, any) other freely available firewall.

Hopefully I didn't tell you too much off topic. I just wanted to point out how other servers may handle stuff like nmap scans or SSH brute forcing without the need to move every service to a port which is not in the default nmap port list.

Kind regards,
Rembrandt

--
Don't buy anything from YeongYang. Their computer cases are expensive, their WTX power supplies start burning and their support refuses any RMA even though there's still some warranty.
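An added example, not from the post above or from the pf project: a small Python model of the max-src-conn 10 / max-src-conn-rate 2/15 thresholds in the overload rule, run over a constructed connection record, so you can see which sources would land in <abusive_hosts> before deploying the rule. It only approximates pf's in-kernel state tracking; the event format and the sample addresses are assumptions for the demonstration.

```python
# Added example: simulate pf's max-src-conn / max-src-conn-rate overload
# thresholds over a constructed connection record (not real traffic).
from collections import defaultdict, deque

MAX_SRC_CONN = 10               # max-src-conn 10: parallel connections per source
RATE_COUNT, RATE_SECS = 2, 15   # max-src-conn-rate 2/15: new connections per window


def overloaded_hosts(events, max_conn=MAX_SRC_CONN, rate=(RATE_COUNT, RATE_SECS)):
    """events: (timestamp_seconds, src_ip, 'open' | 'close'), in time order per source.

    Returns the set of sources that exceeded either threshold, i.e. the
    addresses the overload option would add to <abusive_hosts>.
    """
    count, secs = rate
    open_conns = defaultdict(int)   # current parallel connections per source
    recent = defaultdict(deque)     # timestamps of new connections in the window
    abusive = set()
    for ts, src, kind in events:
        if src in abusive:
            continue                # already in the table; the quick block rule drops it
        if kind == "close":
            open_conns[src] = max(0, open_conns[src] - 1)
            continue
        window = recent[src]
        while window and ts - window[0] > secs:   # slide the rate window forward
            window.popleft()
        window.append(ts)
        open_conns[src] += 1
        if len(window) > count or open_conns[src] > max_conn:
            abusive.add(src)
            open_conns[src] = 0     # 'flush' kills the source's existing states
    return abusive


# Constructed sample record (RFC 5737 documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    (0, "192.0.2.10", "open"),   # ordinary client: 2 connections, then idle
    (1, "192.0.2.10", "open"),
    (0, "192.0.2.20", "open"),   # 3 new connections in 5 s: trips the 2/15 rate
    (2, "192.0.2.20", "open"),
    (4, "192.0.2.20", "open"),
] + [(20 * i, "192.0.2.30", "open") for i in range(11)]  # 11 parallel, opened slowly

if __name__ == "__main__":
    print(sorted(overloaded_hosts(SAMPLE_EVENTS)))   # ['192.0.2.20', '192.0.2.30']
```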
Current thread:
- nmap bloqued Oscar Aceña (Feb 04)
- Re: nmap bloqued Ansgar -59cobalt- Wiechers (Feb 06)
- Re: nmap bloqued Neil (Feb 06)
- Re: nmap bloqued rembrandt (Feb 06)
- Re: nmap bloqued Leif Ericksen (Feb 06)