* problem with nmap
@ 2004-02-16 14:08 Galiatsis Sokratis
  2004-02-16 14:30 ` David Cannings
  0 siblings, 1 reply; 2+ messages in thread
From: Galiatsis Sokratis @ 2004-02-16 14:08 UTC (permalink / raw)
  To: netfilter

I want to know if there is a "special" rule which blocks all nmap scanning
methods. I have something here for fragments, xmas, nmap etc but whenever I
try to test it my server ports are always shown as open instead of stealth.
I tried Online Symantec Security Scan and nmapping from another host from an
external network. Both show the same results.

Thanx in advance.

P.S: First submission in this mailing-list and I am a little confused to
find answers in the emailed digest I receive. In addition to the
mailing-list please email me for any suggestion you may have.
sokratisg@optusclub.gr

Here are the rules I use for filtering all incoming traffic from ports 0 -
1024. Above port 1025 any incoming (RELATED, ESTABLISHED) is allowed. These
custom chains are inserted first of all in both INPUT and OUTPUT so that
anything incoming not acceptable gets DROPped immediately.

#BAD_PACKETS CHAIN
# log a rate-limited sample of NEW packets that are not a bare SYN, then drop all of them
$iptables -A bad_packets -p tcp ! --syn -m state --state NEW -m limit --limit 6/h --limit-burst 5 -j LOG --log-level crit
$iptables -A bad_packets -p tcp ! --syn -m state --state NEW -j DROP
#SYNFLOOD CHAIN
# let a limited rate of packets RETURN to the caller, drop the excess
$iptables -A synflood -m limit --limit 1/s --limit-burst 4 -j RETURN
$iptables -A synflood -j DROP
#FRAGMENTS
$iptables -A INPUT -i $ADSLIF -f -m limit --limit 6/h -j LOG
$iptables -A INPUT -i $ADSLIF -f -j REJECT
#INVALID TCP PACKETS
# log a rate-limited sample of INVALID packets (not part of any tracked connection), then drop all of them
$iptables -A bad_packets -p tcp -m state --state INVALID -m limit --limit 6/h --limit-burst 5 -j LOG --log-level crit
$iptables -A bad_packets -p tcp -m state --state INVALID -j DROP

##PORTSCANS CHAIN
# --tcp-flags MASK COMP: only the MASK bits are examined and they must equal COMP
# ** FIN **  (ALL already contains FIN, so the mask is just ALL)
$iptables -A portscans -p tcp -m tcp --tcp-flags ALL FIN -j DROP
# ** XMAS Tree **
$iptables -A portscans -p tcp -m tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# ** Fin/Syn **
$iptables -A portscans -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# ** ACK **  (matches every bare ACK, including those of established
# connections, so this chain must only see NEW-state packets)
$iptables -A portscans -p tcp -m tcp --tcp-flags ALL ACK -j DROP
# ** NULL **
$iptables -A portscans -p tcp -m tcp --tcp-flags ALL NONE -j DROP


* Re: problem with nmap
  2004-02-16 14:08 problem with nmap Galiatsis Sokratis
@ 2004-02-16 14:30 ` David Cannings
  0 siblings, 0 replies; 2+ messages in thread
From: David Cannings @ 2004-02-16 14:30 UTC (permalink / raw)
  To: netfilter

On Monday 16 February 2004 14:08, Galiatsis Sokratis wrote:
> I want to know if there is a "special" rule which blocks all nmap
> scanning methods. I have something here for fragments, xmas, nmap etc
> but whenever i try to test it my server ports are always shown as open
> instead of stealth. I tried Online Symantec Security Scan and nmapping
> from another host from an external network. Both show the same results.

Are these scans coming from places that should be able to access your 
services or not?  The whole point of having your ports open is so that 
people can access what is behind them, the whole point of using nmap to 
scan is to see what ports are open.  The TCP connect scan in nmap 
connects exactly the same as any other client application would, 
therefore you'll never completely stop a scan unless you want to block 
access totally.

Perhaps rate limiting to 5 SYN-only packets (or other, for the special 
cases) per second might help.  This will slow a scan considerably, though 
you may have to play with the timing:limit ratios.  Blocking invalid 
packets (those unrelated to existing connections) and packets with flags 
that are bogus (such as SYN and FIN at the same time, to give a poor 
example) will also block scans.

David
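David's point that a connect or SYN scan is indistinguishable from an ordinary client can be checked against the portscans chain in the original post. The following is an added example, not code from the thread: it reimplements the iptables `--tcp-flags MASK COMP` and `--syn` matching semantics in Python and runs the five posted rules over constructed probe flag sets.

```python
import functools
import operator

# iptables flag names -> TCP header bits; ALL and NONE are iptables aliases.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10,
         "URG": 0x20, "ALL": 0x3F, "NONE": 0x00}

def bits(spec):
    """Turn an iptables flag list such as 'SYN,FIN' or 'ALL,FIN' into a bitmask."""
    return functools.reduce(operator.or_, (FLAGS[f] for f in spec.split(",")), 0)

def tcp_flags_match(packet_flags, mask, comp):
    """--tcp-flags MASK COMP: only the MASK bits are examined, they must equal COMP."""
    return (packet_flags & bits(mask)) == bits(comp)

def is_syn(packet_flags):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (a bare connect request)."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN")

# The five rules of the portscans chain from the post, in chain order.
# Caveat: 'ALL ACK' also matches the bare ACKs of every established connection,
# so that rule is only safe if the chain sees NEW-state packets.
PORTSCAN_RULES = [
    ("FIN", "ALL", "FIN"),              # ALL,FIN in the post is the same mask as ALL
    ("XMAS", "ALL", "FIN,URG,PSH"),
    ("SYN/FIN", "SYN,FIN", "SYN,FIN"),
    ("ACK", "ALL", "ACK"),
    ("NULL", "ALL", "NONE"),
]

def matching_rule(packet_flags):
    """Name of the first portscans rule a packet with these flags hits, or None."""
    for name, mask, comp in PORTSCAN_RULES:
        if tcp_flags_match(packet_flags, mask, comp):
            return name
    return None

# Constructed probes: the flag set of the first packet each scan style sends.
PROBES = {
    "plain SYN (connect or SYN scan)": bits("SYN"),
    "FIN probe": bits("FIN"),
    "NULL probe": bits("NONE"),
    "XMAS probe": bits("FIN,PSH,URG"),
    "ACK probe": bits("ACK"),
}

def classify_probes():
    """Map each probe to the rule that drops it; None means it passes the chain."""
    return {name: matching_rule(flags) for name, flags in PROBES.items()}
```

The plain SYN probe hits none of the five rules, which is exactly why the scanned ports still show as open: only the connection-tracking and rate-limit rules can affect it.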

