* nmap protection rules
From: Jorge Agrelo @ 2004-12-29 23:18 UTC
To: netfilter

Can anyone help me write iptables rules to:

* block IP protocol scans (nmap -sO)
* block UDP scans (nmap -sU)
* block identification via TCP/IP fingerprinting (nmap -O)

Thanks in advance

**********************************
CTO: Eng. Jorge Agrelo O.
Web: www.novadevices.com
E-Mail: jagrelo@novadevices.com
Phone: (593-2) 225-7711 ext. 105
Av. Brasil N45-08 y Condor, Quito Ecuador
**********************************
* Re: nmap protection rules
From: Chris Brenton @ 2004-12-30 12:18 UTC
To: jagrelo; +Cc: netfilter

On Wed, 2004-12-29 at 18:18, Jorge Agrelo wrote:
> Can anyone help me write iptables rules to:
>
> * block IP protocol scans (nmap -sO)

When performing a protocol scan, nmap sends an IP packet with no transport header. So for example to check for AH support, byte 9 in the IP header is set to "51" but no AH header is included in the packet. The concept is a system which supports AH will ignore the packet and not respond. A system that does not support AH will return an ICMP type 3 code 2 (protocol unreachable).

So, provided your iptables default policy is "deny all", you should be fine.

> * block UDP scans (nmap -sU)

nmap spews out packets to multiple UDP ports. This time it looks for returning ICMP type 3 code 3 (port unreachable) packets to indicate which ports are closed. Ports that do not respond are flagged as open.

Again, your best bet is a default "deny all" rule.

> * block identification via TCP/IP fingerprinting (nmap -O)

nmap needs access to one open TCP port, and both a closed TCP and UDP port to perform a fingerprint attempt. Do not permit access to closed ports on your system and you should be fine. Again, the default "deny all" rule is your friend. Only let through the services you plan to support.

HTH,
Chris
* Re: nmap protection rules
From: Jose Maria Lopez @ 2005-01-01 22:08 UTC
To: netfilter

On Thu, 30 Dec 2004 at 13:18, Chris Brenton wrote:
> On Wed, 2004-12-29 at 18:18, Jorge Agrelo wrote:
> > Can anyone help me write iptables rules to:
> >
> > * block IP protocol scans (nmap -sO)
>
> When performing a protocol scan, nmap sends an IP packet with no
> transport header. So for example to check for AH support, byte 9 in the
> IP header is set to "51" but no AH header is included in the packet. The
> concept is a system which supports AH will ignore the packet and not
> respond. A system that does not support AH will return an ICMP type 3
> code 2 (protocol unreachable).
>
> So, provided your iptables default policy is "deny all", you should be
> fine.
>

Unless someone does a completely normal connection to maybe port 80 of your server and uses something like p0f. That's much more effective than the nmap -sO command. I agree with all the rest.
I also use these rules to drop some kinds of strange TCP flags that indicate you are having a portscan:

iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL FIN -j DROP
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL ALL -j DROP

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
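As an added example (not part of the thread and not the poster's own code): a small Python model of how iptables evaluates `-p tcp --tcp-flags MASK COMP`, applied to the five PORTSCANDROPLAN rules above. The match semantics are that the packet's flags byte is ANDed with MASK and the result must equal COMP exactly, with the first matching rule in the chain winning. Running a few constructed flag combinations through the model shows which ones the chain drops and which pass, which is a cheap way to review a rule set before loading it. The interface test (`-o ppp0`) and the rest of the ruleset are not modelled; only the flag match is.

```python
"""Model of iptables --tcp-flags matching for the PORTSCANDROPLAN rules.

Added example, not from the netfilter thread. It reproduces only the
`--tcp-flags MASK COMP` test: (packet_flags & MASK) == COMP, rules
evaluated in chain order. Interface matching (-o ppp0) is not modelled.
"""

# TCP flag bits as laid out in the TCP header's flags byte.
TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
}
ALL = 0x3F   # iptables' ALL keyword: FIN,SYN,RST,PSH,ACK,URG
NONE = 0x00  # iptables' NONE keyword


def parse_flag_list(spec):
    """Turn an iptables flag list ('SYN,FIN', 'ALL', 'NONE') into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return NONE
    mask = 0
    for name in spec.split(","):
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name}")
        mask |= TCP_FLAGS[name]
    return mask


def parse_tcp_flags_rule(rule):
    """Extract (mask, comp) bitmasks from a rule line containing --tcp-flags."""
    tokens = rule.split()
    i = tokens.index("--tcp-flags")
    return parse_flag_list(tokens[i + 1]), parse_flag_list(tokens[i + 2])


def matches(packet_flags, mask, comp):
    """iptables --tcp-flags semantics: masked flags must equal comp exactly."""
    return (packet_flags & mask) == comp


# The five rules posted in the thread, in the order they were given.
PORTSCANDROPLAN = [
    "iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP",
    "iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP",
    "iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP",
    "iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL FIN -j DROP",
    "iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL ALL -j DROP",
]


def first_dropping_rule(packet_flags, rules=PORTSCANDROPLAN):
    """Return the index of the first rule that would DROP the packet, or None.

    Rules are walked in order like a netfilter chain; the first match wins.
    """
    for idx, rule in enumerate(rules):
        mask, comp = parse_tcp_flags_rule(rule)
        if matches(packet_flags, mask, comp):
            return idx
    return None


def flags_to_str(packet_flags):
    """Render a flag bitmask as 'SYN,ACK' style text (or 'NONE')."""
    names = [n for n, bit in TCP_FLAGS.items() if packet_flags & bit]
    return ",".join(names) if names else "NONE"


if __name__ == "__main__":
    # Constructed sample segments: a normal handshake SYN, SYN/ACK and ACK,
    # plus abnormal combinations the rules are meant to catch.
    samples = ["SYN", "SYN,ACK", "ACK", "FIN,PSH,URG", "SYN,FIN",
               "SYN,RST,ACK", "FIN", "ALL", "NONE"]
    for spec in samples:
        flags = parse_flag_list(spec)
        hit = first_dropping_rule(flags)
        verdict = f"DROP by rule {hit + 1}" if hit is not None else "no match"
        print(f"{flags_to_str(flags):<14} -> {verdict}")
```

Two things the model makes visible when you run it: a segment with every flag set is already caught by the second rule (SYN and RST are both set), so the last `ALL ALL` rule never fires in this order, and a segment with no flags set at all matches none of the five rules; iptables expresses that case as `--tcp-flags ALL NONE` if you want the chain to cover it.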