* block nmap info
@ 2005-01-27 20:06 Pablo Allietti
  2005-01-27 22:07 ` xmaillist
  2005-02-05 23:44 ` Martijn Lievaart
  0 siblings, 2 replies; 5+ messages in thread
From: Pablo Allietti @ 2005-01-27 20:06 UTC (permalink / raw)
  To: netfilter

Hi all (again), how can I make rules to block nmap information?

If I do nmap -sT myhost.com from a cybercafe, for example, nmap displays
all ports open. Is there any way to block this? Something like blocking
port scans?
-- 


Pablo Allietti
LACNIC
--------------




* Re: block nmap info
  2005-01-27 20:06 block nmap info Pablo Allietti
@ 2005-01-27 22:07 ` xmaillist
  2005-01-27 22:09   ` Pablo Allietti
  2005-02-05 23:44 ` Martijn Lievaart
  1 sibling, 1 reply; 5+ messages in thread
From: xmaillist @ 2005-01-27 22:07 UTC (permalink / raw)
  To: Pablo Allietti; +Cc: netfilter

Hi,
nmap man page:
[...]
-sT
TCP connect() scan: This is the most basic form of TCP scanning. The 
connect() system call provided  by  your operating system is used to 
open a connection to every interesting port on the machine. If the port 
is listening, connect() will succeed, otherwise the port isn't 
reachable. One strong advantage to this technique is that you don't need 
any special privileges. Any user on most UNIX boxes is free to use this 
call. This sort of scan is easily detectable as target host logs will 
show a bunch of connection and  error messages for the services which 
accept() the connection just to have it immediately shutdown.  This is 
the default scan type for unprivileged users.
[...]

-sT scan is a full TCP handshake (SYN -> SYN/ACK -> ACK), so you just 
have to forbid TCP connections on open ports...
But if you block TCP access for everybody, nobody can connect to the 
service associated with the corresponding port.
So you have to use rules that grant access to allowed machines and drop 
it for the others.
Nevertheless, other scans like -sS, -sF, -sX, -sN can still work...


Pablo Allietti wrote:
> Hi all (again), how can I make rules to block nmap information?
> 
> If I do nmap -sT myhost.com from a cybercafe, for example, nmap displays
> all ports open. Is there any way to block this? Something like blocking
> port scans?



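The allow-list rule set this reply describes, as an added example that is not part of the thread: a small sh script that emits iptables rules granting the listed hosts access to the protected ports and logging and dropping everyone else. Addresses and ports are constructed sample values; IPT defaults to echo so the rules are only printed, and applying them with IPT=iptables assumes the state, limit and LOG matches are available.

```shell
# Added example, not from the thread: build the allow-list the reply describes.
# Only hosts in the allow list may reach the protected TCP ports; every other
# SYN is logged (rate limited) and dropped, so a connect() scan from elsewhere
# sees nothing open. IPT defaults to "echo" so the rules are only printed;
# run with IPT=iptables as root to apply them. Addresses and ports below are
# constructed sample values.

IPT="${IPT:-echo}"

# emit_rules "<allowed hosts/networks>" "<tcp ports>"
emit_rules() {
    allowed="$1"
    ports="$2"
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened itself are always allowed back in.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $ports; do
        for src in $allowed; do
            "$IPT" -A INPUT -p tcp -s "$src" --dport "$port" -j ACCEPT
        done
    done
    # Everything not explicitly allowed: log new connection attempts, then drop.
    "$IPT" -A INPUT -p tcp --syn -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    "$IPT" -A INPUT -j DROP
}

emit_rules "192.0.2.10 198.51.100.0/24" "22 80"
```

The default DROP policy plus the final DROP rule is what turns "open" into "filtered" for anyone outside the allow list, which is all this reply's approach can do against a connect() scan.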

* Re: block nmap info
  2005-01-27 22:07 ` xmaillist
@ 2005-01-27 22:09   ` Pablo Allietti
  2005-01-27 23:24     ` xa
  0 siblings, 1 reply; 5+ messages in thread
From: Pablo Allietti @ 2005-01-27 22:09 UTC (permalink / raw)
  To: xmaillist; +Cc: netfilter, Pablo Allietti

On Thu, Jan 27, 2005 at 09:07:17PM -0100, xmaillist wrote:
> Hi,
> nmap man page:


OK. Then is it impossible to block nmap and port scanning?



-- 


Pablo Allietti
LACNIC
--------------




* Re: block nmap info
  2005-01-27 22:09   ` Pablo Allietti
@ 2005-01-27 23:24     ` xa
  0 siblings, 0 replies; 5+ messages in thread
From: xa @ 2005-01-27 23:24 UTC (permalink / raw)
  To: Pablo Allietti; +Cc: netfilter

Basically, nmap is just a program that sends packets.
Port scanning is just sending special packets and analysing the answers.
So you can drop all packets from unauthorized persons and they can't see 
anything... (or just that they are filtered...)
But the others can send packets and see the responses, so they can tell if a 
service runs on the ports they can access...






* Re: block nmap info
  2005-01-27 20:06 block nmap info Pablo Allietti
  2005-01-27 22:07 ` xmaillist
@ 2005-02-05 23:44 ` Martijn Lievaart
  1 sibling, 0 replies; 5+ messages in thread
From: Martijn Lievaart @ 2005-02-05 23:44 UTC (permalink / raw)
  To: Pablo Allietti; +Cc: netfilter

Pablo Allietti wrote:

> Hi all (again), how can I make rules to block nmap information?
>
> If I do nmap -sT myhost.com from a cybercafe, for example, nmap displays
> all ports open. Is there any way to block this? Something like blocking
> port scans?

Look up the psd module in patch-o-matic; it does exactly what you are 
looking for.

M4



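To show what a port-scan detector of the kind psd provides actually looks for, here is an added example that is not the psd module's code: a user-space sh/awk sketch of the weighted-threshold idea, run over constructed iptables LOG lines. The weights, threshold and window are constructed values chosen for the sample, not psd's parameters, and the log format assumed is the kernel's LOG output prefixed with an epoch timestamp.

```shell
# Added example, not the psd module's code: a user-space sketch of the weighted
# threshold idea psd implements, run over constructed iptables LOG lines. Each SYN
# to a new port adds weight to its source (privileged ports count more); a source
# that passes the threshold inside the window is reported. All values are constructed.

LOW_WEIGHT=3     # weight of a probe to a port below 1024
HIGH_WEIGHT=1    # weight of a probe to any other port
THRESHOLD=12     # score at which a source is reported
WINDOW=300       # seconds of silence after which a source's score is reset

# Reads LOG lines on stdin ("<epoch> ... SRC=a.b.c.d ... DPT=n ... SYN") and
# prints "SRC score" once for every source whose score reaches THRESHOLD.
detect_scans() {
    awk -v lo="$LOW_WEIGHT" -v hi="$HIGH_WEIGHT" -v thr="$THRESHOLD" -v win="$WINDOW" '
    /SYN/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5) + 0
        }
        if (src == "" || dpt == "") next
        ts = $1 + 0
        # A source quiet for longer than the window starts over with a fresh score.
        if ((src in last) && ts - last[src] > win) { score[src] = 0; gen[src]++ }
        last[src] = ts
        key = src SUBSEP gen[src] SUBSEP dpt
        if (key in seen) next          # re-probing the same port adds no weight
        seen[key] = 1
        score[src] += (dpt < 1024) ? lo : hi
        if (score[src] >= thr && !(src in reported)) { reported[src] = 1; print src, score[src] }
    }'
}

# Constructed sample: 203.0.113.5 sweeps five privileged ports in seconds,
# while 198.51.100.7 just opens two ordinary connections to port 443.
sample_log() {
    cat <<'EOF'
1106863200 kernel: FW-DROP: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=21 SYN
1106863200 kernel: FW-DROP: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=443 SYN
1106863201 kernel: FW-DROP: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=22 SYN
1106863201 kernel: FW-DROP: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=23 SYN
1106863202 kernel: FW-DROP: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=443 SYN
1106863202 kernel: FW-DROP: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40004 DPT=25 SYN
1106863203 kernel: FW-DROP: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40005 DPT=80 SYN
EOF
}

sample_log | detect_scans
```

The repeat client never accumulates weight because the same port is counted once, which is the property that keeps a threshold-based detector from flagging ordinary retries.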
