Penetration Testing mailing list archives

Re: [PEN-TEST] Undetectable NMAP scans


From: Stefan Suurmeijer <stefan () SYMBOLICA NL>
Date: Wed, 23 Aug 2000 13:53:55 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 22 Aug 2000, Steve Cody wrote:

> I was recently testing one of my firewalls using nmap.  I used an option
> that I don't use much, the -sX (XMAS scan).  I noticed that my ipchains
> based (Redhat 6.2) firewall did not make a single log entry during the
> entire scan.  Also, the system that I scanned from was able to identify all
> of the services listening on my system, more importantly, it detected the
> listening, but blocked, ports.  For example, I have port 110 blocked.
> However, on my internal home network, I connect to it for my POP3 mail.  The
> scan was able to determine that port 110 is listening, even though that
> system cannot connect to it.
>
> The thing that disturbs me is that I was able to do a scan of my system and
> have it not be detected at all.  All previous, and subsequent scans from
> that same host, if I did not use the -sX option in NMAP, create many entries
> in my log.


I think it's almost impossible to stop stealth scanning altogether without
giving up needed functionality. Personally, I use scanlogd, which nicely
detects every kind of scan, including X-mas scans.

> Does anyone know what I can do with ipchains to make it more sensitive to
> this type of scan?  I have since installed Port Sentry, so that scan is
> picked up by it, but still, I don't run Port Sentry on all of my systems for
> various reasons.
>
> Any ideas?


You could probably close up ipchains to the point where scanning is
impossible, but only at the expense of making a rule for every single
network connection you want to allow. And even if that's possible, of
which I'm not sure, for most systems that is probably unworkable. I guess
accepting the fact that people can scan you, and making sure you log the
scans is the best course of action. Scanlogd works great for me
(http://www.false.com/security/scanlogd/)

> Steve Cody


Stefan


==========================================
Stefan Suurmeijer
Network Specialist
University of Groningen
tel: (+31) 50 363 3423
fax: (+31) 50 363 7272
E-mail (business): s.m.suurmeijer () let rug nl
E-mail (private):  stefan () symbolica nl
==========================================

Quis custodiet ipsos custodes? (Who'll watch the watchmen?) - Unknown



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5o7tZwVt5lhn5J64RAnDQAJ9zZAdbKsCoupUOZxHTchJHOqKu2wCgv6bB
vu/0nQsMYhiHHqQWy8/TFGk=
=lUhQ
-----END PGP SIGNATURE-----
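Steve's observation (the -sX scan left no log entries while other scan types did) and Stefan's suggestion of scanlogd, as an added illustration that is not code from this thread, from scanlogd or from ipchains. It assumes the firewall's logging rule keyed on SYN packets (the ipchains -y match, which fires on SYN set with ACK and FIN clear); that is one plausible reason FIN/PSH/URG probes never reached the log. It then runs a scanlogd-style "many distinct ports from one source in a short window" heuristic over a constructed packet trace. Hosts, ports, timestamps and the 7-ports-in-3-seconds threshold are all made up for the example.

```python
"""Why a SYN-keyed firewall log misses an nmap -sX (XMAS) scan, and how a
scanlogd-style port-sweep heuristic still catches it.

Added example, not code from this thread or from scanlogd/ipchains. The packet
records, the thresholds (7 distinct ports within 3 s) and the model of a
'-y -l' logging rule are assumptions made for illustration."""
from collections import defaultdict

# TCP flag bits as laid out in the RFC 793 header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags):
    """Name a probe by its flag combination (nmap -sN, -sX, -sF, -sS)."""
    if flags == 0:
        return "NULL"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == FIN:
        return "FIN"
    if flags & SYN and not flags & ACK:
        return "SYN"
    return "OTHER"


def syn_rule_logs(flags):
    """Model of an ipchains rule written with -y (SYN set, ACK and FIN clear)
    and -l: it only ever logs connection-opening packets, so a probe with
    FIN/PSH/URG set and SYN clear is never written to the log."""
    return bool(flags & SYN) and not flags & (ACK | FIN)


def count_logged_per_source(packets):
    """How many packets from each source the SYN-keyed rule would log.
    packets: iterable of (t, src, dport, flags)."""
    counts = {}
    for _, src, _, flags in packets:
        counts[src] = counts.get(src, 0) + (1 if syn_rule_logs(flags) else 0)
    return counts


def detect_sweeps(packets, port_threshold=7, window=3.0):
    """scanlogd-style heuristic: a source touching many distinct ports within
    a short window is reported as a scan regardless of the flags it used.
    Returns [(src, probe_kinds)] with one entry per offending source."""
    history = defaultdict(list)  # src -> [(t, dport, flags)] inside the window
    reported = set()
    alerts = []
    for t, src, dport, flags in sorted(packets):
        hist = history[src]
        hist.append((t, dport, flags))
        while hist and t - hist[0][0] > window:   # expire entries older than the window
            hist.pop(0)
        ports = {p for _, p, _ in hist}
        if len(ports) >= port_threshold and src not in reported:
            reported.add(src)
            alerts.append((src, sorted({classify_flags(f) for _, _, f in hist})))
    return alerts


TARGET_PORTS = [21, 22, 25, 53, 80, 110, 143, 443]

# Constructed traffic: a legitimate POP3 connection from the LAN, then an
# XMAS sweep and a SYN sweep of the same eight ports from two outside hosts.
SAMPLE = [(0.0, "192.168.1.2", 110, SYN), (0.1, "192.168.1.2", 110, ACK)]
SAMPLE += [(1.0 + i / 10, "10.0.0.5", p, FIN | PSH | URG)
           for i, p in enumerate(TARGET_PORTS)]
SAMPLE += [(10.0 + i / 10, "10.0.0.9", p, SYN)
           for i, p in enumerate(TARGET_PORTS)]


if __name__ == "__main__":
    # The SYN-keyed rule logs nothing at all from the XMAS scanner (10.0.0.5),
    # while the sweep heuristic reports both scanners and leaves the LAN host alone.
    print("logged by SYN-keyed rule:", count_logged_per_source(SAMPLE))
    print("sweeps detected:", detect_sweeps(SAMPLE))
```

The trace also shows why the blocked POP3 port looked open: an open port silently discards a segment carrying FIN/PSH/URG and no SYN, a closed port answers with RST (RFC 793), and a DENY rule that drops the probe is silent too, so from the responses alone the scanner cannot separate "open" from "filtered". Logging by flag combination therefore only catches the scan types you anticipated; counting distinct ports per source, as scanlogd does, catches the ones you did not.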

