Home page logo
/

basics logo Security Basics mailing list archives

Re: nmap bloqued
From: rembrandt () jpberlin de
Date: Sun, 5 Feb 2006 02:07:16 +0100 (CET)


Hello,
My question is simple: Can anyone stop scans with nmap in a whole net? I
ask this because i was doing some tests in my net with nmap and only a
pair of them were ok. The other machines returned always down, and i
know this is imposible, because i had scanned them before.

Sorry my speech. I know very few of english language. (If only you could
write in spanish... but that's not imperant :-)

OpenBSDs Firewall (pf) can do this.
It detects nmap-Scans because nmap uses a nearly unique tecnic to generate
packets (if I'm not that wrong, feel free to correct me pls. it's kinda
late here).

PF is able to block hosts by their OS (passive OS fingerprinting) and
they've a fingerprint for nmap too to the rule for blocking a OS or
blocking nmap is the same.

This rule should do the job:
block drop in on $ext_if from any os "nmap"

&ext_if is a variable for your NIC wich handles the external traffic.
More informations about PF (wich is hopefully helpfull) can be found on
the OpenBSD Website www.openbsd.org.

ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.txt

OpenBSD is also usefull to stop SSH-Bruteforce or any other Bruteforce
attack.
You simply "abuse" the overload rule.

E.g. a rule like this would block every further packets from a host wich
connects faster then 2 times in 15 seconds or wich has more then 10
paralel connections:

table <abusive_hosts> persist
block drop in quick from <abusive_hosts>
pass in on $ext_if proto tcp to $web_server \
   port www flags S/SA keep state \
   (max-src-conn 10, max-src-conn-rate 2/15, overload <abusive_hosts>
flush)


PF is a neat Firewall and (in my oppinion) much better then any (yes any)
other free avaiable Firewall.

Hopefully I didn't told you too much offtopic I just wanted to point out
how other servers may handle stuff like nmap-Scans or SSH-Bruteforcing
without the need to move every service to a port wich is not in the
default nmap-Portlist.

Kind regards,
Rembrandt
-- 
Don't buy anything from YeongYang.
Their Computercases are expensiv, they WTX-powersuplies start burning and
their support refuse any RMA even there's still some warenty.


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]