mailing list archives
Re: how to know scan is correct?
From: Bart van Leeuwen <bart () ixori demon nl>
Date: Thu, 10 Feb 2000 16:58:00 +0100
On Wed, 9 Feb 2000, Marcy Abene wrote:
You can't avoid a syn scan - what do you think you are
talking about? Here, look. :->
That's why you have a iptables/whatever module that listens looks for syns
to non-open ports, logs once, then filters the offending ip/netmask for 30
minutes or a few days if you're particularly fascist. The chance that
they'll hit an important port in a random scan is (open ports) /
everything in /etc/services. The chance that they'll get a significant
number of open ports before they hit a banned port and are filtered is
just about 0 unless the box is running a stock redhat installation, and in
that case you have more important things to worry about than whether or
not people can find open ports.
Anyway, for people who are or who want to be seen as being really
concerned about security, you can always allow specific hostmasks and deny
everything else. I always love it when an admin has to add a hostmask to
a box's filter rules before you can ssh in, but has 5 year old exploitable
I think that what Reinoud was talking about is a way to hide filtered
ports from nmap, and not about hiding 'open to everyone' ports from a
As you may know nmap will in many cases report that a port is filtered
when you are not allowed to communicate with it while others are.
Is this usefull? hmm... sometimes it is tho in many cases I would just
close things down for the outside world. Anyway, if you have to filter,
it may be a nice option to make that hard to find, ie, give the outside
world the idea noone can talk imap to your machine, while in fact one
other host on the net really has to be able to talk imap to your host.
Only mildly usefull, but interesting enough I think.
And heh, about those 5 year old suid binaries... no it doesn't do much
good for the security of the box, no discussion about that, but without
those someone who wants to do wrong can still do wrong, while limiting
access to people who do explicitly not want to do wrong makes that the 5
year old suid binary is completely irrelavant. Only problem is how to
limit access to only those people... (note... machine != person so just
an ip filter is usually not enough) and also... how to find such people
;P (when it comes to security of data and computer systens I usually do
not trust anyone ;-)
On another note, it seems to me that if people are going to setup their
routers a bit better (enforcing that packets have a valid source ip for
the port on which the packet enters the router) that this will also make
it a lot harder to use decoys during a scan (since those decoys would
contain source addresses which, acording to your isps router, can not
come from you, and so will be dropped) Any thoughts on this?
Bart van Leeuwen