LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 04-12-2014, 02:17 AM   #1
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Rep: Reputation: Disabled
is there a good way to run nmap scans over the public net?


i've heard it's no bueno to do this...
 
Old 04-12-2014, 04:15 AM   #2
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002
The net itself doesn't matter or mind, but when you check the ports of a host that you don't own, it can be interpreted as searching for a way to break in.
 
Old 04-12-2014, 01:04 PM   #3
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
should have clarified, most definitely to one of my own hosts
 
Old 05-04-2014, 02:44 PM   #4
turnbui
Member
 
Registered: Jul 2005
Location: UK
Posts: 101

Rep: Reputation: 15
Interesting one. Surely as this is his/her own telephone line there shouldn't be any other traffic but his/hers and his/hers ISPs. Or am I missing something basic?
 
Old 05-04-2014, 03:18 PM   #5
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by turnbui View Post
Interesting one. Surely as this is his/her own telephone line there shouldn't be any other traffic but his/hers and his/hers ISPs. Or am I missing something basic?
it's actually Comcast cable as my ISP on both ends, and yes, theoretically traffic to/from 2 endpoints on the same ISP SHOULD never cross other providers lines, provided the 2 endpoints are geographically close to each other. Going cross-country, i could see you potentially getting routed across peered links of some sort.

But even on the same ISP, i had figured that port scans could potentially violate some sort of terms-of-service, because as berndbausch said, it can be seen as a security circumvention attempt. A cursory glance at Comcasts TOS don't explicity show anything of the sort, but it wouldn't surprise me to find that they'd rather you not do this.
 
Old 05-04-2014, 07:25 PM   #6
turnbui
Member
 
Registered: Jul 2005
Location: UK
Posts: 101

Rep: Reputation: 15
Yes I can appreciate the security concern.

http://serverfault.com/questions/582...ients-from-isp

Last edited by turnbui; 05-04-2014 at 07:30 PM.
 
Old 05-04-2014, 07:45 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by psycroptic View Post
should have clarified, most definitely to one of my own hosts
Apart from TOS etc kind of depends what you can do. Is it to be a targeted scan? Nmap has speed settings. If you target your own machine with specific ports, say "-p21,22,23,25,80,443,993,10000", no excessive retries and try "-T1"? Or a general vulnerability assessment? You know there's sites that can do that for you for free, only requiring registration (added bonus of having a 3rd party to "blame" ;-p)?
 
Old 05-04-2014, 09:22 PM   #8
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
Apart from TOS etc kind of depends what you can do. Is it to be a targeted scan? Nmap has speed settings. If you target your own machine with specific ports, say "-p21,22,23,25,80,443,993,10000", no excessive retries and try "-T1"? Or a general vulnerability assessment? You know there's sites that can do that for you for free, only requiring registration (added bonus of having a 3rd party to "blame" ;-p)?
Lol! no i was just gonna do a range of 1-1024 on my own firewall, from my parents house. rather not have to register for yet another site. both locations have comcast.
 
Old 05-05-2014, 02:13 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by psycroptic View Post
i was just gonna do a range of 1-1024 on my own firewall
Post output of 'iptables-save'?
 
Old 05-05-2014, 02:18 AM   #10
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
Post output of 'iptables-save'?
why?
 
Old 05-05-2014, 01:47 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by psycroptic View Post
why?
Because we see in one glance if it's worth doing so?
 
Old 05-05-2014, 02:36 PM   #12
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT

COMMIT
though we're straying from the topic somewhat, marking as solved
 
Old 05-05-2014, 02:43 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
You have a default filter table INPUT chain DROP policy and you only allow ingress traffic (any protocol) for existing connections so running nmap should not show any ports open.
 
Old 05-07-2014, 06:13 PM   #14
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
You have a default filter table INPUT chain DROP policy and you only allow ingress traffic (any protocol) for existing connections so running nmap should not show any ports open.
yes. i know

i was more concerned with the TOS/general network courtesy kinds of implications. one thing i do know, i would never in a million years install a firewall without nmap'ing it locally, before putting it out into the wild
 
Old 05-07-2014, 07:20 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by psycroptic View Post
i was more concerned with the TOS/general network courtesy kinds of implications.
Ah, OK.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
public ip X point A (linux box) <-> routed wireless net <-> public ip X point B tkmbe Linux - Wireless Networking 2 12-27-2011 06:03 AM
Conficker scans with nmap brgsousa Linux - Software 3 04-08-2009 08:12 AM
public ip scanned by nmap during private lan scan goober3 Linux - Security 2 09-14-2008 03:45 PM
Decoy Scans w/ Nmap robeb Linux - Networking 1 10-14-2002 07:36 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:51 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration