Security Basics mailing list archives
Re: how nmap can know my firewalled servers ?
From: manu <oystermanu () gmail com>
Date: Thu, 13 Apr 2006 20:40:23 +0200
Hi you are scanning your machine from the "inside". block localhost with iptables (i dont know if that is possible). if you want to know which ports are really reachable from the internet you have to run nmap from another machine and scan over the internet by entering the IP of your machine. (e.g. 87.133.35.76).
I am assuming you are using a DROP rule on your firewall. NMAP knows that if it does not receive a response for a TCP connection then it is firewalled. Dropping traffic at a firewall violates RFC and makes it much easier to know when there is a firewall between the scanner and the end host. I recommend using REJECT -A INPUT -j REJECT --reject-with icmp-host-unreachable That will conform to RFC (I'm pretty sure) and will make it harder to detect a firewall with NMAP.True, I am using DROP state on my iptables, but even when I changed the state of my firewall to "REJECT --reject-with icmp-host-unreachable" - nmap _still_ knows that my services are running (telnet) and are filtered ! linux:/ # iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with icmp-host-unreachable linux:/ # nmap localhost Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-04-13 12:59 GMT+2 Interesting ports on localhost (127.0.0.1): (The 1648 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 23/tcp filtered telnet ... linux:/ # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination REJECT tcp -- anywhere anywhere tcp dpt:telnet reject-with icmp-host-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination So how do I fool nmap that my service is really down ?
------------------------------------------------------------------------- This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php --------------------------------------------------------------------------
Current thread:
- Re: how nmap can know my firewalled servers ?, (continued)
- Re: how nmap can know my firewalled servers ? ilaiy (Apr 12)
- Re: how nmap can know my firewalled servers ? Alexey Eremenko (Apr 12)
- Re: how nmap can know my firewalled servers ? Harrison Holland (Apr 12)
- Re: how nmap can know my firewalled servers ? Nathaniel Hall (Apr 12)
- Re: how nmap can know my firewalled servers ? Alice Bryson (Apr 13)
- Re: how nmap can know my firewalled servers ? Arturas Zalenekas (Apr 13)
- Re: how nmap can know my firewalled servers ? Gregory Boyce (Apr 17)
- Re: how nmap can know my firewalled servers ? Arturas Zalenekas (Apr 17)
- Re: how nmap can know my firewalled servers ? Alice Bryson (Apr 13)
- Re: how nmap can know my firewalled servers ? Gregory Boyce (Apr 13)
- Re: how nmap can know my firewalled servers ? ilaiy (Apr 12)
- Re: how nmap can know my firewalled servers ? Alexey Eremenko (Apr 13)
- Re: how nmap can know my firewalled servers ? manu (Apr 13)
- Re: how nmap can know my firewalled servers ? Arturas Zalenekas (Apr 13)
- Re[2]: how nmap can know my firewalled servers ? Thierry Zoller (Apr 17)
- Re: Re[2]: how nmap can know my firewalled servers ? Arturas Zalenekas (Apr 17)
- Message not available
- Fwd: Re[2]: how nmap can know my firewalled servers ? John Bond (Apr 19)
- Re: Fwd: Re[2]: how nmap can know my firewalled servers ? Ansgar -59cobalt- Wiechers (Apr 21)
- Re: how nmap can know my firewalled servers ? Alexey Eremenko (Apr 13)
- MSN File Upload Monitoring fullsecure (Apr 17)