LinuxQuestions.org
Old 07-24-2002, 11:19 AM   #1
Stephanie
LQ Addict
 
Registered: May 2001
Location: Arizona
Distribution: 9.2 Mandy 1.4 Gentoo 5.1 FreeBSD WinXP
Posts: 1,166

Rep: Reputation: 45
Stealthing all ports


Is there a way, and if so how, to stealth all of my TCP/IP ports?

I want the system set up to not send a response to a scan, so it makes a scanner think my IP is not real.

Right now, most are showing closed.
 
Old 07-24-2002, 12:11 PM   #2
SlCKB0Y
Member
 
Registered: Oct 2001
Location: Sydney, Australia
Distribution: Debian Unstable
Posts: 279

Rep: Reputation: 36
Closed is good.
 
Old 07-24-2002, 12:19 PM   #3
Stephanie
LQ Addict
 
Registered: May 2001
Location: Arizona
Distribution: 9.2 Mandy 1.4 Gentoo 5.1 FreeBSD WinXP
Posts: 1,166

Original Poster
Rep: Reputation: 45
But not good enough. I don't want my system to respond at all to any scan.

A closed response will tell a scanner that my IP exists. And a closed port can still be easily compromised, such as buffer overflows and such.
 
Old 07-24-2002, 12:46 PM   #4
neo77777
LQ Addict
 
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704

Rep: Reputation: 55
Hi, Steph, I am using the rule set from stronger firewall, just modified to reflect my system:
http://www.tldp.org/HOWTO/IP-Masquer...-examples.html
I am on DSL (PPPoE). I scan my system with nmap to see what's up, and all the ports are filtered. According to the dslreports.com security test my address is not pingable, and according to grc.com ShieldsUp all Windows-weak ports are stealth, but I care less about grc goop; nmap shows that all ports are filtered.
P.S. When portscanning with nmap, make sure you scan from a remote machine.
P.S.2. I just pinged my machine from another machine of mine and I got a "network is unreachable" response. So it works great.
Oopsie, I was off the net; now that I am online I get 100% packet loss, so it works!!!

Last edited by neo77777; 07-24-2002 at 03:00 PM.
 
Old 07-24-2002, 01:31 PM   #5
Dutch3
Member
 
Registered: Feb 2002
Location: UK
Distribution: Mandriva
Posts: 179

Rep: Reputation: 30
If you are using Mdk 8.2, you can use tinyfirewall that's part of the drakxtools-newt rpm package. It used to be part of Control Centre but although that's not the case now, it's still there.

Type tinyfirewall at the command line to bring up the config window, answer a few questions, save & exit = stealth ports!


Dutch
 
Old 07-24-2002, 11:08 PM   #6
Aussie
Senior Member
 
Registered: Sep 2001
Location: Brisvegas, Antipodes
Distribution: Slackware
Posts: 4,590

Rep: Reputation: 56
Try Portsentry.
 
Old 07-25-2002, 08:31 AM   #7
Syncrm
Member
 
Registered: Aug 2001
Location: Lansing, Michigan
Distribution: slackware8+
Posts: 472

Rep: Reputation: 30
I use iptables on my firewall and set it to drop all incoming ICMP packets. If your firewall drops the packets, any machine attempting to connect will get "host unreachable" rather than a port blocked message. Try and ping my box: endrium.com. :-)
 
Old 07-25-2002, 08:38 AM   #8
crashmeister
Senior Member
 
Registered: Feb 2002
Distribution: t2 - trying to anyway
Posts: 2,541

Rep: Reputation: 47
You might want to rethink that. Ping and traceroute work like a charm.
 
Old 07-26-2002, 05:32 AM   #9
zelgadis
Member
 
Registered: Apr 2002
Location: Venezuela
Distribution: slackware 8.0
Posts: 67

Rep: Reputation: 15
Try this:

http://monmotha.mplug.org/firewall/index.php

"MonMotha's IPTables firewall is a simple shell script written in BASH. It has no extra subs or functions that I define, it's just run from top to bottom. Hopefully this will make it fairly easy to work with. The firewall attempts to make setting up a firewall on a linux system running a 2.4 Linux kernel as easy or easier than installing most other software."

Also, I saw in a security article, I don't remember which article, that they recommend installing a firewall and Portsentry at the same time.
 
Old 07-26-2002, 07:54 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2927
Originally posted by Stephanie:
"But not good enough. I don't want my system to respond at all to any scan."
TCP and UDP have distinct responses for reacting to connection requests when a port is open or closed, see for example alt.hacking FAQ, Fyodor's The Art of Port Scanning and Phrack nr 49 text 15.

"And a closed port can still be easily compromised, such as buffer overflows and such."
Nope :-]
If a skiddie finds a port closed it means there's no daemon to connect to or it's been shielded for (any|their) address or range etc etc. Skiddie needs an established connection (3-way handshake) before being able to inject stuff.

HTH somehow.
 
Old 07-26-2002, 12:00 PM   #11
CARTMAN
Member
 
Registered: Feb 2002
Location: Turkiye
Distribution: Pardus
Posts: 147

Rep: Reputation: 15
As unSpawn says, Fyodor's great article is a must-read. You will see that when ping sweep mode is on, nmap won't look at ping replies but it will look for a tcp-reset reply from the scanned host and show that port as closed.

With iptables you can trick the scanners. For the iptables PSD (Port Scan Detection) module, search Google; there are lots of nice examples on how to use the psd module.
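
The "closed" versus "filtered" difference discussed in this thread, as an added example that is not part of any post here: the script prints an iptables-restore ruleset for either behaviour and audits a ruleset for anything that would answer an unsolicited probe. It assumes a current iptables with the conntrack match; the function names and the port argument are made up for the illustration.

```shell
#!/bin/sh
# Added example: nothing here touches the live firewall; it only prints and
# inspects iptables-restore text. Load the output with iptables-restore as root.

# gen_ruleset MODE [PORT...]
#   stealth: unsolicited packets are silently dropped (nmap reports "filtered")
#   closed : unsolicited packets are refused with RST/ICMP (nmap reports "closed")
#   PORT...: TCP ports left open for new connections (caller-chosen values)
gen_ruleset() {
    mode=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to our own traffic, plus ICMP errors tied to it (e.g. path MTU).
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    if [ "$mode" = closed ]; then
        echo '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
        echo '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    fi
    echo 'COMMIT'
}

# audit_ruleset: read iptables-save style text on stdin and print one finding
# per line for each thing that sends a reply to an unsolicited probe.
# Exit status 0 means nothing replies, 1 means the host can be seen.
audit_ruleset() {
    awk '
        BEGIN                             { bad = 0; accept = 0; final = 0 }
        /^:INPUT ACCEPT/                  { accept = 1 }
        /^-A INPUT -j DROP$/              { final = 1 }
        /^-A INPUT .*-j REJECT/           { print "reject: " $0; bad = 1 }
        /^-A INPUT .*--dport .*-j ACCEPT/ { print "open: " $0; bad = 1 }
        END {
            # Policy ACCEPT with no catch-all DROP lets the kernel send RSTs.
            if (accept && !final) { print "policy: INPUT falls through to ACCEPT"; bad = 1 }
            exit bad
        }
    '
}

# Demo: the closed-style ruleset is flagged, the stealth one is not.
gen_ruleset closed  | audit_ruleset || echo "closed ruleset answers probes"
gen_ruleset stealth | audit_ruleset && echo "stealth ruleset stays silent"
```

Any port passed to `gen_ruleset` is reported as `open:` by the audit, because a listening service answers with SYN/ACK no matter how the other ports are handled.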
 
All times are GMT -5.