Linux - Security (LinuxQuestions.org)
Good Afternoon,
I want to block OS fingerprinting of my server. Is there an iptables rule or something I can implement to stop OS fingerprinting? Thanks in advance!
You really can't block OS fingerprinting-- it's based on how the system responds to TCP packets.
I believe the Linux kernel's TCP sequencing changes A LOT-- and that feature is what allows port scanners to determine what OS is running. There are other factors, I believe, too. But, in a nutshell, you really can't block it.
If you're running a service on the system, you can determine what OS is running. I mean, you wouldn't exactly expect ProFTPd to be running on Windows 2000 Server. Even if you could block OS fingerprinting, someone could just manually determine what OS you're running. That's really a trivial task.
The most important thing is to keep your system updated, and make sure you're not running unneeded services. If you wanted to be a little safer, modify the identifying strings that the daemons provide to remote users. That way, they couldn't perhaps determine if you're running an unpatched version of some system service.
Quote:
Originally posted by bentman78
Good Afternoon,
I want to block OS fingerprinting of my server. Is there an iptables rule or something I can implement to stop OS fingerprinting? Thanks in advance!
Just a note, hopefully this isn't your only method, but don't rely upon security through obscurity!
Obscurity is always good as a finishing touch to confuse people (just be sure the system is actually secure, and not pretending to be).
Maybe ippersonality (did I get that right?), but as Alex Cavnar said there are other ways to figure out what OS it's running.
I'd say just tarpit any incoming connections that are not supposed to be there (especially along the M$ Windows ports). That should help make people think twice before trying to fingerprint you (but they would probably know it's Linux, at least they would if they knew what was going on).
Optionally you can set up a firewall using Windows or a Mac; set it up right and it should confuse OS detection for your Linux boxes.
Quote:
Originally posted by Technonotice
Just a note, hopefully this isn't your only method, but don't rely upon security through obscurity!
Of course it isn't my only method. I have a linux firewall which works pretty well. I just wanted to throw randomization out there. For example, one time they scan they see linux, other times they see Windows, Mac, something like that.
How do you tarpit TCP connections? Is there a way to do this with iptables?
Quote:
Originally posted by bentman78
Of course it isn't my only method. I have a linux firewall which works pretty well. I just wanted to throw randomization out there. For example, one time they scan they see linux, other times they see Windows, Mac, something like that.
Ah right, I can't imagine you could do that without rewriting how Linux responds to TCP packets, which TCP flags are enabled and its method of generating sequence numbers.
Quote:
Originally posted by bentman78
How do you tarpit TCP connections? Is there a way to do this with iptables?
Yep - a little Googling for tarpit iptables gave a very helpful page within the first few results.
The methods you all mentioned are best for active scanning. But there are passive tools (example: p0f). You can still change the signature of your machine (and the results are not fully correct), but you don't know when you're probed (if you're running Apache, only one page needs to be viewed, etc).
Quote:
The methods you all mentioned are best for active scanning. But there are passive tools (example: p0f).
Sure I got p0f listening. Sigs of my boxen don't go further than p0f saying "Linux 2.4/2.6" and giving link info. For me that's enough.
Quote:
You can still change the signature of your machine (...), but you don't know when you're probed
You're right about that, and since networking works that way there is nothing you can do to avoid it, you can only try and munge the results.
Quote:
(if you're running Apache, only one page needs to be viewed, etc).
...and if you're running ftpd then active FTP mode will conveniently supply you with a SYN packet itself.
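The thread's two technical points, that fingerprinting is "based on how the system responds to TCP packets" and that a passive tool such as p0f needs nothing more than one SYN your own host sends, can be made concrete with a toy passive fingerprinter. The following is an added example written for this thread; it is not code from the forum or from p0f. The signature table, the capture-line format and the sample capture lines are all constructed for illustration and are not p0f's real signature database. It shows what a single SYN already carries (TTL, window size, DF bit, TCP option order) and why changing one knob, such as the default TTL, only "munges the results" rather than turning the host into a different OS.

```python
# Added example for this thread (not code from the forum or from p0f):
# a toy passive fingerprinter that classifies a TCP SYN from the values the
# sending kernel put into it. The evidence is the shape of the packet itself,
# which is why no iptables rule can remove it.
# The signature table, the capture-line format and the sample lines are all
# constructed for illustration; they are not p0f's signature database.
from dataclasses import dataclass


@dataclass(frozen=True)
class SynFeatures:
    ttl: int            # IP TTL as observed on the wire
    window: int         # TCP window size advertised in the SYN
    df: bool            # IP "don't fragment" bit
    options: tuple      # TCP option kinds in wire order


# Constructed signatures keyed by a descriptive label (assumed, not real data).
SIGNATURES = {
    "constructed-linux-like": SynFeatures(
        64, 5840, True, ("mss", "sackOK", "ts", "nop", "wscale")),
    "constructed-windows-like": SynFeatures(
        128, 65535, True, ("mss", "nop", "wscale", "nop", "nop", "sackOK")),
    "constructed-bsd-like": SynFeatures(
        64, 65535, True, ("mss", "nop", "wscale", "sackOK", "ts")),
}

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed_ttl):
    """Guess the sender's initial TTL: the smallest common value >= observed."""
    for start in COMMON_INITIAL_TTLS:
        if observed_ttl <= start:
            return start
    return COMMON_INITIAL_TTLS[-1]


def fingerprint(observed):
    """Return (label, hop_distance) for a matching signature, else None.

    Every field must match once the TTL is normalised. A host that changes
    only one knob (for example its default TTL) stops matching but does not
    become another OS: that is the "munged results" outcome discussed above.
    """
    guess = initial_ttl(observed.ttl)
    hops = guess - observed.ttl
    normalised = SynFeatures(guess, observed.window, observed.df, observed.options)
    for label, sig in SIGNATURES.items():
        if sig == normalised:
            return label, hops
    return None


def parse_syn_line(line):
    """Parse one constructed capture line: 'ttl=58 win=5840 df=1 opts=mss,sackOK'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return SynFeatures(
        ttl=int(fields["ttl"]),
        window=int(fields["win"]),
        df=fields["df"] == "1",
        options=tuple(fields["opts"].split(",")) if fields["opts"] else (),
    )


def classify_capture(lines):
    """Fingerprint each capture line; senders matching no signature are None."""
    return [fingerprint(parse_syn_line(line)) for line in lines]


# Constructed capture lines (not real traffic).
SAMPLE_CAPTURE = [
    "ttl=58 win=5840 df=1 opts=mss,sackOK,ts,nop,wscale",         # Linux-like, 6 hops away
    "ttl=117 win=65535 df=1 opts=mss,nop,wscale,nop,nop,sackOK",  # Windows-like, 11 hops
    "ttl=120 win=5840 df=1 opts=mss,sackOK,ts,nop,wscale",        # Linux option order, TTL changed
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_CAPTURE, classify_capture(SAMPLE_CAPTURE)):
        print(f"{line!r:62} -> {result}")
```

The third sample line is the interesting one for this thread: its option order is still the Linux-like one, so raising the TTL to 120 does not make it look like the Windows-like signature; it just stops matching anything. Run against a capture of your own host's outbound SYNs, the same logic tells you what a passive observer on the other end can already read off, which is the check to do before investing in any obscurity tricks.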