Bugtraq mailing list archives
to prevent port scanning in linux 2.0.x
From: antirez () SPEEDCOM IT (Salvatore Sanfilippo -antirez-)
Date: Sat, 17 Jul 1999 12:48:19 +0200
Hi,

It seems that some bugtraq readers still run linux 2.0.3[67]. In order to prevent SYN, FIN, Xmas, NULL tcp scan and maybe connect() scan (for example it's true with nmap, false with strobe) it's possible to apply this kernel patch.

This stupid patch changes the sequence

    SYN --->
    closed port
    <--- RST

to

    SYN --->
    closed port
    <--- SYN|ACK
    ACK --->
    <--- RST

and answers RST to FIN, Xmas and NULL tcp flags even if the port is open, like win*. If an attacker scans a patched host it gets that all ports are open, so it gets nothing.

The patch is tested on linux 2.0.36, maybe it's good even for 2.0.37.

bye,
antirez

--
Salvatore Sanfilippo - antirez - antirez () alicomitalia it
try hping: http://www.kyuzz.org/antirez
antirez () speedcom it

diff -u -r linux/net/ipv4/tcp_input.c /usr/src/linux-2.0.36/net/ipv4/tcp_input.c --- linux/net/ipv4/tcp_input.c Sat Jul 17 11:21:01 1999 +++ /usr/src/linux-2.0.36/net/ipv4/tcp_input.c Sat Jul 17 12:00:13 1999 @@ -46,6 +46,7 @@ * </RANT> * George Baeslack : SIGIO delivery on accept() bug that * affected sun jdk. + * Salvatore Sanfilippo : Prevents SYN, FIN, Xmass, NULL scan. */ #include <linux/config.h> @@ -2464,6 +2465,12 @@ } } #endif + tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255); + } + + /* resets FIN, Xmas, NULL */ + if (!th->syn && !th->ack && !th->rst && ip_chk_addr(daddr)==IS_MYADDR) + { tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255); } diff -u -r linux/net/ipv4/tcp_output.c /usr/src/linux-2.0.36/net/ipv4/tcp_output.c --- linux/net/ipv4/tcp_output.c Sat Jul 17 11:21:01 1999 +++ /usr/src/linux-2.0.36/net/ipv4/tcp_output.c Sat Jul 17 11:56:35 1999 @@ -759,7 +759,7 @@ t1->source = th->dest; t1->doff = sizeof(*t1)/4; t1->rst = 1; - + if(th->ack) { t1->seq = th->ack_seq; 
@@ -770,7 +770,15 @@ if(!th->syn) t1->ack_seq = th->seq; else + { t1->ack_seq = htonl(ntohl(th->seq)+1); + /* send bogus syn/ack */ + t1->rst = 0; + t1->syn = 1; + t1->ack = 1; + if (th->fin) + t1->fin = 1; /* as 2.0.3x we answer SAF */ + } } tcp_send_check(t1, saddr, daddr, sizeof(*t1), buff);
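Review bot: typo in the credit comment added by the tcp_input.c hunk at @@ -46: "Xmass" should read "Xmas", matching the spelling used in the second hunk's `/* resets FIN, Xmas, NULL */` comment.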
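Review bot: the new branch in the tcp_input.c hunk at @@ -2464 decides on flag bits and `ip_chk_addr(daddr)==IS_MYADDR` alone, never on socket state, and both added `tcp_send_reset(daddr,saddr,th,sk->prot,...)` calls dereference `sk`; since a probe to a port with no listener is exactly the case this patch targets, confirm `sk` cannot be NULL at that point or pass the TCP proto structure directly instead of `sk->prot`. A segment with none of SYN/ACK/RST set never belongs to an established connection, so real traffic is not reset, but note that the host now answers every FIN/NULL/Xmas probe to every port instead of staying silent for open ones, which is worth a comment since it also makes the host a reply source for spoofed probes.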
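Review bot: the tcp_output.c hunk at @@ -759 is whitespace-only (it removes the blank line after `t1->rst = 1;`); drop it so the patch contains only the functional change.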
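Review bot: the bogus SYN|ACK built in the tcp_output.c hunk at @@ -770 reuses the reset template, so it has a bare header (`t1->doff = sizeof(*t1)/4`, no MSS or other options) and whatever `t1->seq` the non-ACK reset path assigned, which a real listener's SYN|ACK would not look like; the SYN|ACK|FIN answer to a SYN|FIN probe (`/* as 2.0.3x we answer SAF */`) is itself a known 2.0.3x signature. Fingerprinting scanners can therefore still tell closed ports from real listeners; state that limitation in the description. Also, because the change sits in the shared reset-building path, every reset that answers a SYN now becomes a SYN|ACK, not only those triggered by scans.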
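As an added illustration, not part of the post or of the patch, here is a Python model of the reply rules the message describes, with a stock 2.0.3x host beside the patched one and the way a classic SYN/FIN/Xmas/NULL scanner reads each reply. The flag letters, port numbers and verdict strings are constructed for the example.

```python
"""Constructed model of TCP reply behaviour before and after the patch."""

SYN, ACK, FIN, RST, PSH, URG = "S", "A", "F", "R", "P", "U"


def stock_reply(flags, port_open):
    """Unpatched 2.0.3x host answering a single probe segment."""
    if SYN in flags and ACK not in flags:
        return {SYN, ACK} if port_open else {RST}
    if RST in flags:
        return None                      # resets are never answered
    if ACK in flags:
        return {RST}                     # no matching connection
    # FIN / Xmas / NULL: RST for a closed port, silence for an open one
    return None if port_open else {RST}


def patched_reply(flags, port_open):
    """Patched host: bogus SYN|ACK for closed ports, RST for any segment
    with no SYN/ACK/RST bits regardless of port state."""
    if not (SYN in flags or ACK in flags or RST in flags):
        return {RST}                     # the new tcp_input.c branch
    if SYN in flags and ACK not in flags:
        reply = {SYN, ACK}               # real listener or fake one
        if FIN in flags:
            reply.add(FIN)               # "as 2.0.3x we answer SAF"
        return reply
    if RST in flags:
        return None
    return {RST}                         # e.g. the ACK of the fake handshake


# Probe segments by scan type (Xmas = FIN|PSH|URG, NULL = no flags)
PROBES = {"syn": {SYN}, "fin": {FIN}, "null": set(), "xmas": {FIN, PSH, URG}}


def scanner_verdict(probe, reply):
    """How a classic scanner classifies a port from the reply it got."""
    if probe == "syn":
        return "open" if reply and SYN in reply and ACK in reply else "closed"
    # FIN/NULL/Xmas scans: silence means open|filtered, RST means closed
    return "closed" if reply == {RST} else "open|filtered"


def scan(host_reply, probe, ports):
    """Run one probe type over {port: is_open} and return the verdict per port."""
    return {p: scanner_verdict(probe, host_reply(PROBES[probe], is_open))
            for p, is_open in ports.items()}
```

Against the patched host every SYN-scanned port comes back "open" and every FIN/NULL/Xmas-scanned port comes back "closed", so neither technique separates listeners from closed ports.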