Home page logo

Nmap Announce mailing list archives

Re: how to know scan is correct?
From: Justin <jguyett () andrew cmu edu>
Date: Thu, 10 Feb 2000 01:09:22 -0500 (EST)

On Wed, 9 Feb 2000, Marcy Abene wrote:

You can't avoid a syn scan - what do you think you are
talking about?  Here, look. :->

That's why you have a iptables/whatever module that listens looks for syns
to non-open ports, logs once, then filters the offending ip/netmask for 30
minutes or a few days if you're particularly fascist.  The chance that
they'll hit an important port in a random scan is (open ports) /
everything in /etc/services.  The chance that they'll get a significant
number of open ports before they hit a banned port and are filtered is
just about 0 unless the box is running a stock redhat installation, and in
that case you have more important things to worry about than whether or
not people can find open ports.

Anyway, for people who are or who want to be seen as being really
concerned about security, you can always allow specific hostmasks and deny
everything else.  I always love it when an admin has to add a hostmask to
a box's filter rules before you can ssh in, but has 5 year old exploitable
suid binaries.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]