* block nmap info @ 2005-01-27 20:06 Pablo Allietti 2005-01-27 22:07 ` xmaillist 2005-02-05 23:44 ` Martijn Lievaart 0 siblings, 2 replies; 5+ messages in thread From: Pablo Allietti @ 2005-01-27 20:06 UTC (permalink / raw) To: netfilter hi all (again), how can i made a rules for block nmap information? if i do nmap -sT myhost.com from a cybercafe for example, nmap display all ports open. exist any way to block this? something like block scanports? -- Pablo Allietti LACNIC -------------- ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: block nmap info 2005-01-27 20:06 block nmap info Pablo Allietti @ 2005-01-27 22:07 ` xmaillist 2005-01-27 22:09 ` Pablo Allietti 2005-02-05 23:44 ` Martijn Lievaart 1 sibling, 1 reply; 5+ messages in thread From: xmaillist @ 2005-01-27 22:07 UTC (permalink / raw) To: Pablo Allietti; +Cc: netfilter Hi, nmap man page: [...] -sT TCP connect() scan: This is the most basic form of TCP scanning. The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn't reachable. One strong advantage to this technique is that you don't need any special privileges. Any user on most UNIX boxes is free to use this call. This sort of scan is easily detectable as target host logs will show a bunch of connection and error messages for the services which accept() the connection just to have it immediately shutdown. This is the default scan type for unprivileged users. [...] -sT scan is a full TCP handshake (SYN -> SYN/ACK -> ACK), so you just have to forbid TCP connection on open ports... But, if you block tcp accesses for anybody, nobody could connect to the service associate with the corresponding port. So, you have to use rules that grant access for allow machine, and drop it for the others. Nevertheless, other scans like -sS, -sF, -sX, -sN can still work... Pablo Allietti wrote: > hi all (again), how can i made a rules for block nmap information? > > if i do nmap -sT myhost.com from a cybercafe for example, nmap display > all ports open. exist any way to block this? something like block > scanports? ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: block nmap info 2005-01-27 22:07 ` xmaillist @ 2005-01-27 22:09 ` Pablo Allietti 2005-01-27 23:24 ` xa 0 siblings, 1 reply; 5+ messages in thread From: Pablo Allietti @ 2005-01-27 22:09 UTC (permalink / raw) To: xmaillist; +Cc: netfilter, Pablo Allietti On Thu, Jan 27, 2005 at 09:07:17PM -0100, xmaillist wrote: > Hi, > nmap man page: ok. then it is impossible to block nmap and portscanning? > [...] > -sT > TCP connect() scan: This is the most basic form of TCP scanning. The > connect() system call provided by your operating system is used to > open a connection to every interesting port on the machine. If the port > is listening, connect() will succeed, otherwise the port isn't > reachable. One strong advantage to this technique is that you don't need > any special privileges. Any user on most UNIX boxes is free to use this > call. This sort of scan is easily detectable as target host logs will > show a bunch of connection and error messages for the services which > accept() the connection just to have it immediately shutdown. This is > the default scan type for unprivileged users. > [...] > > -sT scan is a full TCP handshake (SYN -> SYN/ACK -> ACK), so you just > have to forbid TCP connection on open ports... > But, if you block tcp accesses for anybody, nobody could connect to the > service associate with the corresponding port. > So, you have to use rules that grant access for allow machine, and drop > it for the others. > Nevertheless, other scans like -sS, -sF, -sX, -sN can still work... > > > Pablo Allietti wrote: > >hi all (again), how can i made a rules for block nmap information? > > > >if i do nmap -sT myhost.com from a cybercafe for example, nmap display > >all ports open. exist any way to block this? something like block > >scanports? > ---end quoted text--- -- Pablo Allietti LACNIC -------------- ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: block nmap info 2005-01-27 22:09 ` Pablo Allietti @ 2005-01-27 23:24 ` xa 0 siblings, 0 replies; 5+ messages in thread From: xa @ 2005-01-27 23:24 UTC (permalink / raw) To: Pablo Allietti; +Cc: netfilter Basically, nmap is just a program that send packets. Portscanning is just sending special packets and analysing answer. So, you can drop all packets from unauthorized person and they can't see anything... (or just that they are filtered...) But the others can send packets and see respond, so they can say if a service run on the ports they can access... Pablo Allietti wrote: > On Thu, Jan 27, 2005 at 09:07:17PM -0100, xmaillist wrote: > >>Hi, >>nmap man page: > > > > ok. then it is impossible to block nmap and portscanning? > > > >>[...] >>-sT >>TCP connect() scan: This is the most basic form of TCP scanning. The >>connect() system call provided by your operating system is used to >>open a connection to every interesting port on the machine. If the port >>is listening, connect() will succeed, otherwise the port isn't >>reachable. One strong advantage to this technique is that you don't need >>any special privileges. Any user on most UNIX boxes is free to use this >>call. This sort of scan is easily detectable as target host logs will >>show a bunch of connection and error messages for the services which >>accept() the connection just to have it immediately shutdown. This is >>the default scan type for unprivileged users. >>[...] >> >>-sT scan is a full TCP handshake (SYN -> SYN/ACK -> ACK), so you just >>have to forbid TCP connection on open ports... >>But, if you block tcp accesses for anybody, nobody could connect to the >> service associate with the corresponding port. >>So, you have to use rules that grant access for allow machine, and drop >>it for the others. >>Nevertheless, other scans like -sS, -sF, -sX, -sN can still work... >> >> >>Pablo Allietti wrote: >> >>>hi all (again), how can i made a rules for block nmap information? >>> >>>if i do nmap -sT myhost.com from a cybercafe for example, nmap display >>>all ports open. exist any way to block this? something like block >>>scanports? >> > ---end quoted text--- > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: block nmap info 2005-01-27 20:06 block nmap info Pablo Allietti 2005-01-27 22:07 ` xmaillist @ 2005-02-05 23:44 ` Martijn Lievaart 1 sibling, 0 replies; 5+ messages in thread From: Martijn Lievaart @ 2005-02-05 23:44 UTC (permalink / raw) To: Pablo Allietti; +Cc: netfilter Pablo Allietti wrote: >hi all (again), how can i made a rules for block nmap information? > >if i do nmap -sT myhost.com from a cybercafe for example, nmap display >all ports open. exist any way to block this? something like block >scanports? > > Lookup the psd module in patch-o-matic, it does exactly what you are looking for. M4 ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2005-02-05 23:44 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2005-01-27 20:06 block nmap info Pablo Allietti 2005-01-27 22:07 ` xmaillist 2005-01-27 22:09 ` Pablo Allietti 2005-01-27 23:24 ` xa 2005-02-05 23:44 ` Martijn Lievaart
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.