Guys and Gals,
Does anyone know how to set TCP's MSS default value on a Linux 7.x system? I've told my Linux box not to discover the MTU of the network's path without an MSS value from a responding host. However, this doesn't help me. Basically I'm trying to get my Linux box to confuse Nmap's OS fingerprint identification method, and to do this I need to change the default MSS that's sent out with the first SYN packet from my box. Thanks /Raz |
It's under /proc/sys/net/core/ as rmem and wmem stuff.
|
cheers unSpawn, I'll check it out.
Thanks, Raz |
Nmap fails to fingerprint my machine, it's just got most of its ports set to DENY so nmap doesn't get enough back to make a proper fingerprint.
Jamie... |
Yeah same here, when the firewall is up nothing can get a fingerprint on my box as rejected packets don't give enough info.
I'm trying to change this from a non-firewalled box. Cheers, Raz |
Quote:
Cheers. Jamie... |
Jamie,
Ure fw marks itself as "Linux 2.1.122 - 2.2.16" tho. (soz for me pryin around) |
Quote:
Jamie... |
Jamie,
Sorry but I thought I would also have a look too. :) Just building on your last comment, if you have any open port like from your httpd, then if you don't get the TCP handshake to show different handshake info, like the stuff I'm attempting to modify on my box, then people will be able to work out the OS. Your box responds with:

TSeq(Class=RI%gcd=1%SI=190FDB%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=MENNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=MENNTNW)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Which is Linux 2.2.16.

Also if you close/filter all the ports then I can still find out the OS type, as your firewall needs to filter out ICMP type 13 requests. "windows boxes don't implement this type" Also you should disable ICMP type 8. "ping requests" Other than that your rules are set up well.

Also don't DENY packets, REJECT them, as you can work out the filters you're running as the packets never come back; REJECT makes it look like the port is not used.

On a different note, there is a server on that same subnet as yours that could cause a DOS attack on your subnet, as it's misconfigured and responded to me when I was asking your firewall to tell me if it was susceptible to broadcast pings. "smurf"

/Raz [Edited by razbot on 06-06-2001 at 10:36 AM] |
Quote:
As for the other machine on the Subnet - it doesn't surprise me! I'm on a Telewest cablemodem and most people just have them hooked straight into a Windows box with no firewall so I imagine they'll soon be getting used for DDoS attacks soon enough :( cheers for the input! Jamie... |
You have a good point, but.
When you use something like nmap to scan, you can start off with the accepted but closed unprivileged ports, then it gets an idea of the timings for DENYed ports, so it's just wizzzzssss through them. Also got a cool option called --max_rtt_timeout

As for the DOS from the other system, just add these to your firewall script and problem gone.

echo 1 > /proc/sys/net/ipv4/tcp_syncookies                     # SYN cookies when the SYN queue fills
echo 1 > /proc/sys/net/ipv4/ip_always_defrag                   # always reassemble IP fragments
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts        # ignore broadcast pings ("smurf")
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses  # don't log bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter                 # reverse-path source validation
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects          # don't accept ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects            # don't send ICMP redirects

+ block incoming type 8 ICMP requests.

/Raz |
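An added example, not part of the thread: a read-only check that the /proc values from the post above are actually in effect, for instance after a reboot. The function name and the optional root-directory argument are assumptions of this example; the keys and values are the ones in the post.

```shell
#!/bin/sh
# Audit the /proc/sys/net/ipv4 values listed in the post above.
# "relative path=expected value" pairs, taken from the post.
EXPECTED='tcp_syncookies=1
ip_always_defrag=1
icmp_echo_ignore_broadcasts=1
icmp_ignore_bogus_error_responses=1
conf/all/rp_filter=1
conf/all/accept_redirects=0
conf/all/send_redirects=0'

# audit_net_sysctls [root]   (hypothetical helper name)
# root defaults to the live tree; passing another directory is an
# assumption of this example so the check can run against a copy.
# Prints OK / MISMATCH / ABSENT per key; exit status = mismatch count.
audit_net_sysctls() {
    root=${1:-/proc/sys/net/ipv4}
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        file="$root/$key"
        if [ ! -r "$file" ]; then
            # ip_always_defrag is a 2.2-era knob; later kernels lack it,
            # so a missing file is reported but not counted as a failure.
            echo "ABSENT   $key"
            continue
        fi
        got=$(tr -d ' \t\n' < "$file")
        if [ "$got" = "$want" ]; then
            echo "OK       $key = $got"
        else
            echo "MISMATCH $key = $got (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Calling `audit_net_sysctls` with no argument checks the running system; a non-zero exit status means at least one value differs from the list.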