LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-19-2002, 03:52 AM   #1
robeb
Member
Registered: May 2002
Posts: 113
Blocking TCP | SYN scans

Is there anyway to block TCP | SYN scans while keeping some ports open? For example, could you configure your firewall to tell the difference between a SYN scan packet and a SYN packet trying to establish a connection to your web server? I'm using IPTABLES in my script.
 
Old 05-19-2002, 06:24 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Re: Blocking TCP | SYN scans

> For example, could you configure your firewall to tell the difference between a SYN scan packet and a SYN packet trying to establish a connection to your web server?

If it's only got a SYN flag, then you can't, because there is no *difference* between a "scan" and a "regular" SYN packet. You can filter on having "malformed packets", aka weird combinations of flags. This is the INVALID classification in Iptables' stateful packet filter (the conn_track gizmo).
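The distinction unSpawn draws, as an added example that is not from the thread: a lone SYN to the web port is accepted, while flag combinations no real client ever sends, plus packets conntrack marks INVALID, are dropped. The TCP_SANITY chain name and the DRY_RUN switch are my own; the flag pairs are the usual "bad TCP flags" set.

```shell
#!/bin/sh
# Added example, not from the thread. Needs root and the conntrack match to
# apply; with DRY_RUN=1 the rules are printed instead of loaded.

# MASK:COMP pairs for --tcp-flags. NULL, XMAS, FIN-only, SYN+FIN, SYN+RST,
# and FIN or PSH without ACK cannot occur in a real handshake or data flow.
MALFORMED="ALL:NONE ALL:FIN,PSH,URG ALL:FIN SYN,FIN:SYN,FIN SYN,RST:SYN,RST FIN,ACK:FIN PSH,ACK:PSH"

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Exit 0 when MASK:COMP is in the malformed list. Pure shell, so the
# classification can be checked on a box without iptables. Note that a
# plain SYN (SYN:SYN) is deliberately absent: it is a normal connect.
is_malformed() {
    for entry in $MALFORMED; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

apply_rules() {
    ipt -N TCP_SANITY
    for entry in $MALFORMED; do
        ipt -A TCP_SANITY -p tcp --tcp-flags "${entry%%:*}" "${entry#*:}" -j DROP
    done
    # Stateful part: packets conntrack cannot place in any connection.
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p tcp -j TCP_SANITY
    # A NEW tcp connection must start with SYN alone
    # (--syn means SYN set with ACK, RST and FIN clear).
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    ipt -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Number of rules that would be loaded; handy for a quick review of the set.
rule_count() {
    (DRY_RUN=1; apply_rules) | wc -l | tr -d ' '
}
```

Review the output of `DRY_RUN=1 apply_rules` before running it for real, since the INPUT chain gets no default policy here.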
 
Old 05-19-2002, 07:40 AM   #3
crashmeister
Senior Member
Registered: Feb 2002
Distribution: t2 - trying to anyway
Posts: 2,541
Check out portsentry. That might be in the neighborhood of what you're looking for.
 
Old 05-19-2002, 08:41 AM   #4
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
> Check out portsentry. That might be in the neighborhood of what you're looking for

Using Portsentry to block hosts by adding a null route or adding 'em to the fw script to block, what does "nmap -T insane -D ${lotsa_decoys} ${any_invalid_flags} ${your_host}" do?

*For ${lotsa_decoys} read linuxquestions.org, slashdot, wired, cnn, freshmeat, your border router, any linux vendor update uri, etc, etc you get it.