If I wanted to lock down a server so that its type could not be detected by a port scan, what port would I need to disable?
There are different ways to find out which OS is running, and disabling (certain) port responses is only one of the countermeasures. What you'll need is a default policy of DROP instead of REJECT so responses for closed ports don't make it back to the remote client. This however is a very weak form of "security by obscurity" because you're running a server and so you'll have to allow the remote side to set up a connection with whatever server is running.
If you mean "server signature" as in OS detection reporting back "(DR|MS)DOS 3.0": this is determined by the network stack. You'll have to run something like FPF or "Fingerprint f*cker" kernel patch if you want to mimic another OS, or run Grsecurity.org's (2.4) or Solar Designer's Openwall (2.2) or Sean/Camel's kernel patches if you want to randomize values.
If you mean "server signature" as in controlling what Apache sends back, search LQ, there are a few good leads out there.
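Added example, not part of the original thread: a shell function that emits an iptables-restore ruleset with the default INPUT policy of DROP the answer recommends, accepting only the listed TCP ports. The port list is an assumption, and the optional REJECT variant is included only to show the rule that would make closed ports answer the scanner.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset. Usage: gen_ruleset "22 80 443" [DROP|REJECT]
# Assumption (hypothetical): the host serves only the TCP ports given in $1.
gen_ruleset() {
    allowed="$1"              # space-separated TCP ports to keep reachable
    closed="${2:-DROP}"       # what a probe to any other port gets back
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'     # silent by default: no RST, no ICMP unreachable
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $allowed; do
        printf '%s\n' "-A INPUT -p tcp --dport $p --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    case "$closed" in
        DROP)   ;;   # nothing to add: the chain policy already drops everything else
        REJECT)      # weaker: every closed port now replies, which is what a scanner wants
            printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable' ;;
        *) echo "gen_ruleset: unknown action '$closed'" >&2; return 1 ;;
    esac
    printf '%s\n' 'COMMIT'
}

# Number of rules that would send a reply for a closed port (0 is the goal).
count_reject_rules() {
    printf '%s\n' "$1" | grep -c -- '-j REJECT' || true
}

# Stand-alone use: sh thisfile.sh "22 80 443" | sudo iptables-restore
if [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

As the answer notes, the allowed ports still complete a handshake, so this hides only the closed ports' responses, not the running service itself.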