LinuxQuestions.org
Old 12-05-2008, 08:14 AM   #1
bkcreddy17
Member
 
Registered: Feb 2008
Location: India-Hyderabad
Distribution: RHEL and Fedora
Posts: 171

Rep: Reputation: 15
Block nmap port scan


How do I block an nmap port scan? I referred to this site:
http://www.cyberciti.biz/faq/linux-d...-scan-attacks/
I wrote only the following rules for machine 192.168.0.88, and I allowed ports 21, 22, 80, 3306 from my IP 192.168.0.28.
Code:
#!/bin/sh
IPT='sudo /sbin/iptables'
PUB_IF='eth0'
# loopback is always allowed
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# SYN: drop every new inbound TCP connection on eth0 (the ACCEPT rules for
# ports 21,22,80,3306 from 192.168.0.28 mentioned above are not shown here)
$IPT -A INPUT -i ${PUB_IF} -p tcp --syn -j DROP
# Fragments
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
# block bad stuff: TCP flag combinations that never occur in a real connection
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP  # XMAS scan
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP          # all flags set
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP         # NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP  # SYN+RST together
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP  # SYN+FIN together
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP      # FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
I configured the psad.conf file and did the rest. When I ran an nmap scan from my system it was showing ports 21, 22, 3306. What mistakes have I made and what should I do? Can anybody please guide me regarding this?
 
Old 12-05-2008, 08:44 AM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331
The number of ports reported by nmap is irrelevant. One has to wonder how it arrived at that number. 21 million is a pretty high number. There are only 65537 possible ports.

The only characteristic in the nmap report that really matters is the number of ports reported to be open. That means that the computer gave a response when nmap sent a connect request to that port. The closed ports are not a problem.
 
Old 12-05-2008, 10:18 AM   #3
dandart
Member
 
Registered: Dec 2005
Posts: 34

Rep: Reputation: 18
No, that's not the number of ports, it's the actual ports.... 21, 22, 3306.

What's the problem with people being able to nmap for your open ports? That's what's supposed to happen.
 
Old 12-05-2008, 10:37 AM   #4
judge312
LQ Newbie
 
Registered: Dec 2008
Distribution: fedora,rhel
Posts: 18

Rep: Reputation: 1
If you want to block an nmap scan,

use snort in inline mode.
This can recognize nmap signatures and redirect to another code (inline).

If you want to just catch an nmap scan, use snort as IDS.

Note: iptables can block certain ports based on criteria, but cannot recognize an nmap ping or so.

To bypass most firewall policies try the -T Polite option of nmap.
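psad (which the question says was configured) and snort in IDS mode see traffic differently, but the core of log-based scan detection is the same: count how many distinct ports one source has probed and flag the sources above a threshold. The script below is an added example of that logic over iptables LOG lines; it is not code from the thread, psad or snort. The log lines are constructed samples in abbreviated iptables LOG format, and the `IPT_DROP:` prefix and the threshold of 5 ports are assumptions.

```shell
#!/bin/sh
# Added example (not psad's or snort's code): report sources that probed more
# than PORT_THRESHOLD distinct TCP ports according to iptables LOG lines.
# The threshold is an assumption; psad has its own tunable danger levels.
PORT_THRESHOLD="${PORT_THRESHOLD:-5}"

# Constructed sample: 192.168.0.50 walks eight ports, 192.168.0.30 only talks
# to 22 (twice) and 80. Fields are abbreviated relative to a real LOG line.
SAMPLE_LOG='Dec  5 08:10:01 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.88 PROTO=TCP SPT=40001 DPT=21 SYN
Dec  5 08:10:01 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.88 PROTO=TCP SPT=40002 DPT=23 SYN
Dec  5 08:10:01 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.88 PROTO=TCP SPT=40003 DPT=25 SYN
Dec  5 08:10:02 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.88 PROTO=TCP SPT=40004 DPT=80 SYN
Dec  5 08:10:02 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.88 PROTO=TCP SPT=40005 DPT=110 SYN
Dec  5 08:10:02 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.88 PROTO=TCP SPT=40006 DPT=139 SYN
Dec  5 08:10:03 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.88 PROTO=TCP SPT=40007 DPT=443 SYN
Dec  5 08:10:03 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.88 PROTO=TCP SPT=40008 DPT=3306 SYN
Dec  5 08:10:05 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.30 DST=192.168.0.88 PROTO=TCP SPT=51000 DPT=22 SYN
Dec  5 08:10:06 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.30 DST=192.168.0.88 PROTO=TCP SPT=51001 DPT=22 SYN
Dec  5 08:10:07 host kernel: IPT_DROP: IN=eth0 OUT= SRC=192.168.0.30 DST=192.168.0.88 PROTO=TCP SPT=51002 DPT=80 SYN'

# scan_sources: reads LOG lines on stdin and prints "SRC distinct_ports" for
# every source above the threshold. Repeated hits on one port count once.
scan_sources() {
    awk -v thr="$PORT_THRESHOLD" '
        /PROTO=TCP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # seen[] de-duplicates (source, port) pairs; ports[] counts per source
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] > thr) print s, ports[s] }
    '
}

printf '%s\n' "$SAMPLE_LOG" | scan_sources
```

With the default threshold only 192.168.0.50 is reported; lowering PORT_THRESHOLD shows how the count, not the raw line volume, is what separates a scan from normal traffic.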
 
Old 12-05-2008, 11:27 AM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by dandart View Post
No, that's not the number of ports, it's the actual ports.... 21, 22, 3306.

What's the problem with people being able to nmap for your open ports? That's what's supposed to happen.
I would say that it's not supposed to happen unless you know the admin's intent. Try that at your workplace and see how long you stay employed. I've also seen people lose their internet accounts because they thought that it was OK to conduct nmap scans.

Check your local laws, employer's corporate AUP, and ISP TOS to determine what's allowed and what's not.

Quote:
Originally Posted by judge312 View Post
If you want to block an nmap scan,

use snort in inline mode.
This can recognize nmap signatures and redirect to another code (inline).

If you want to just catch an nmap scan, use snort as IDS.

Note: iptables can block certain ports based on criteria, but cannot recognize an nmap ping or so.

To bypass most firewall policies try the -T Polite option of nmap.
If you configure your firewall to deny all and only allow specific traffic, you'll be better off. It's not solid, but security by layers is the better option anyway. This means hardening any services that are exposed to the public. Oh, iptables CAN recognize an NMAP ping... it's the same ping as any other tool. NMAP does a lot of enumeration also, which a firewall won't necessarily block (which is why service and server hardening is critical).

Last edited by unixfool; 12-05-2008 at 11:32 AM.
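A deny-all-then-allow ruleset of the kind described in the reply above, as an added example that is not code from the thread or from the cyberciti page the question links. It assumes the host from the question (192.168.0.88 on eth0) and the admin workstation 192.168.0.28 with ports 21, 22, 80 and 3306; those values are overridable variables, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: default-deny inbound policy. Anything not explicitly accepted
# is dropped, and a rate-limited LOG rule records what was dropped so a log
# watcher such as psad (mentioned in the question) has something to read.
# Assumed values (taken from the question, not verified): eth0, 192.168.0.28
# as the only host allowed to connect, ports 21 22 80 3306.
IPT="${IPT:-/sbin/iptables}"          # IPT=echo gives a dry run
PUB_IF="${PUB_IF:-eth0}"
ADMIN_IP="${ADMIN_IP:-192.168.0.28}"
ADMIN_PORTS="${ADMIN_PORTS:-21 22 80 3306}"

apply_firewall() {
    # Flush INPUT and set policies: inbound and forwarded traffic is dropped
    # unless a rule below accepts it; outbound stays open.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Loopback, and replies belonging to connections this host already has.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Impossible TCP flag combinations never belong to a real connection.
    "$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags ALL NONE -j DROP
    "$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    "$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

    # New connections: only from the admin host, only to the listed ports.
    for port in $ADMIN_PORTS; do
        "$IPT" -A INPUT -i "$PUB_IF" -p tcp -s "$ADMIN_IP" --dport "$port" \
            --syn -j ACCEPT
    done

    # Everything else is logged (at most 5 lines a minute, burst 10) and then
    # falls through to the DROP policy; the same prefix is what psad matches.
    "$IPT" -A INPUT -i "$PUB_IF" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IPT_DROP: "
}

# Run as: sh firewall.sh apply      (or: IPT=echo sh firewall.sh apply)
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```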
 
Old 12-05-2008, 12:31 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by bkcreddy17
How to block nmap port scan?
More generally, may I ask what the point of this is?

Harden your services and networks appropriately instead of worrying about blocking an "nmap port scan". Using up a lot of brain cycles to focus on blocking a single, popular exploration tool (of many) is probably not worthwhile.
 