LinuxQuestions.org
Old 03-25-2008, 05:02 AM   #1
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Rep: Reputation: 30
make the server stealth to nmap?


OK... nice... Any solution so I can make the server stealth to nmap? Some guys are scanning my servers, I think, and nmap can tell the OS. Thus I can set it so that they can't check which OS I'm using...
Old 03-25-2008, 12:38 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
I've moved this post of yours from here into a thread of its own.

What does your current iptables setup look like? What about your network setup? I ask because making a server be stealth will involve a little more work than, say, making a desktop be stealth - unless you have the ability to make the stealth config apply only to certain IPs. For example, you could make your services only be visible to your clients' IPs (such that when any other IP scans your server, all their packets would be sent straight to DROP). If you can't do that, then you'll always have a service available for people to get information from, and addressing that will involve tweaking the way the service works.

It'll be much easier for someone to provide you with suggestions if you can paint a clear picture of what your setup looks like. If you could also post some nmap outputs of tests you've run against your server it would be great.
 
Old 03-25-2008, 01:41 PM   #3
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
Rep: Reputation: 30

Well, iptables -nvL is:
Code:
Chain INPUT (policy DROP 173 packets, 21686 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3955  471K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
  356 23920 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53
  256 15120 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          state NEW multiport dports 80,443,21,22
   65  4585 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0          state NEW icmp type 8
   41  2943 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  eth0   *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  eth0   *       202.105.179.9        0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 52 packets, 3668 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4198  747K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
  661 48297 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          state NEW multiport dports 25,80,443,21,22
    0     0 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0          state NEW icmp type 8
   41  2943 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
Network setup is:

GW@ISP <---->Server Running Linux RH9.

Nmap output is:
[me@myserver]# nmap -v -O A.B.C.D

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2008-03-26 00:39 BDT
Initiating SYN Stealth Scan against myserver.tld (A.B.C.D) [1663 ports] at 00:39
Discovered open port 443/tcp on A.B.C.D
Discovered open port 21/tcp on A.B.C.D
Discovered open port 53/tcp on A.B.C.D
Discovered open port 80/tcp on A.B.C.D
Discovered open port 22/tcp on A.B.C.D
Discovered open port 3306/tcp on A.B.C.D
Discovered open port 111/tcp on A.B.C.D
Discovered open port 20/tcp on A.B.C.D
The SYN Stealth Scan took 0.06s to scan 1663 total ports.
For OSScan assuming port 20 is open, 1 is closed, and neither are firewalled
Host myserver.tld (A.B.C.D) appears to be up ... good.
Interesting ports on myserver.tld (A.B.C.D):
(The 1655 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
20/tcp open ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
443/tcp open https
3306/tcp open mysql
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 0.222 days (since Tue Mar 25 19:20:48 2008)
TCP Sequence Prediction: Class=random positive increments
Difficulty=3467244 (Good luck!)
IPID Sequence Generation: All zeros

Nmap finished: 1 IP address (1 host up) scanned in 2.311 seconds
Raw packets sent: 1679 (67.4KB) | Rcvd: 3371 (136KB)
[me@myserver]#


Now I don't want people to check my open ports and my OS, since recently I'm facing brute-force attacks and the attacker knows that the system is Linux.

Last edited by aq_mishu; 03-25-2008 at 01:43 PM.
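The iptables and nmap listings in this post can be checked against each other, which the thread does not do. The following is an added example, not code from the thread or from the nmap project: a small Python audit that parses the INPUT chain as printed by `iptables -nvL` and the "Discovered open port" lines from `nmap -v`, then reports TCP ports nmap saw open that the chain would never ACCEPT as NEW on the external interface. The two listings embedded in the script are copied from the post above, and the interface name eth0 comes from them. The parser is a deliberate approximation (an assumption of this example): source addresses are ignored, first-match rule order is not simulated, and only the INPUT chain is read.

```python
"""Audit an iptables INPUT chain against nmap's list of open TCP ports.

Added example, not code from the thread. The listings below are copied
from the post above; the interface name eth0 is taken from them.
Simplifications (assumptions of this example): source addresses are
ignored, first-match ordering is not simulated, only INPUT is considered.
"""
import re

# Copied from the post above (iptables -nvL, INPUT chain only).
IPTABLES_INPUT = """\
Chain INPUT (policy DROP 173 packets, 21686 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3955  471K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
  356 23920 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53
  256 15120 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          state NEW multiport dports 80,443,21,22
   65  4585 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0          state NEW icmp type 8
   41  2943 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  eth0   *       192.168.0.0/16       0.0.0.0/0
"""

# Copied from the post above (the "Discovered open port" lines of nmap -v).
NMAP_OUTPUT = """\
Discovered open port 443/tcp on A.B.C.D
Discovered open port 21/tcp on A.B.C.D
Discovered open port 53/tcp on A.B.C.D
Discovered open port 80/tcp on A.B.C.D
Discovered open port 22/tcp on A.B.C.D
Discovered open port 3306/tcp on A.B.C.D
Discovered open port 111/tcp on A.B.C.D
Discovered open port 20/tcp on A.B.C.D
"""

PORT_SPEC = re.compile(r"\bdp(?:or)?ts?[:\s]+([\d,:]+)")   # "dpt:53" or "dports 80,443"
STATE_SPEC = re.compile(r"\bstate\s+([A-Z,]+)")
OPEN_PORT = re.compile(r"Discovered open port (\d+)/tcp")


def parse_chain(text):
    """Turn the fixed-column output of `iptables -nvL` into rule dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Rule lines start with a packet counter; the two header lines do not.
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        rules.append({
            "target": parts[2],
            "prot": parts[3],
            "in": parts[5],
            "src": parts[7],
            "extra": " ".join(parts[9:]),   # match extensions, e.g. "state NEW udp dpt:53"
        })
    return rules


def expand_ports(spec):
    """'80,443,1024:1026' -> {80, 443, 1024, 1025, 1026}."""
    ports = set()
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def new_tcp_ports_allowed(rules, iface):
    """Return (accepts_everything, ports) for NEW TCP connections arriving on iface."""
    ports = set()
    for r in rules:
        if r["target"] != "ACCEPT" or r["in"] not in (iface, "*"):
            continue
        if r["prot"] not in ("tcp", "all"):
            continue
        st = STATE_SPEC.search(r["extra"])
        if st and "NEW" not in st.group(1).split(","):
            continue            # RELATED,ESTABLISHED only: never opens a port
        pm = PORT_SPEC.search(r["extra"])
        if pm is None:
            return True, set()  # blanket ACCEPT with no port match, e.g. the lo rule
        ports |= expand_ports(pm.group(1))
    return False, ports


def nmap_open_tcp_ports(text):
    """Ports nmap -v reported as open TCP ports."""
    return {int(m.group(1)) for m in OPEN_PORT.finditer(text)}


def unexplained_open_ports(chain_text, nmap_text, iface="eth0"):
    """Open ports nmap reported that the chain would not admit as NEW on iface."""
    everything, allowed = new_tcp_ports_allowed(parse_chain(chain_text), iface)
    if everything:
        return set()
    return nmap_open_tcp_ports(nmap_text) - allowed


if __name__ == "__main__":
    for iface in ("eth0", "lo"):
        extra = sorted(unexplained_open_ports(IPTABLES_INPUT, NMAP_OUTPUT, iface))
        print(f"{iface}: open ports not admitted by INPUT as NEW -> {extra or 'none'}")
```

For eth0 the audit flags 20, 53, 111 and 3306: the chain only admits NEW TCP to 80, 443, 21 and 22 from that interface (53 is accepted for UDP only). For lo it flags nothing, because the loopback rule accepts everything. The prompt in the post shows the scan was run on the server against its own address, so it travelled over loopback and says nothing about what an outside scanner would see; the same script run against a scan taken from an external host is the check that matters.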
 
Old 03-25-2008, 02:16 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by aq_mishu
Now I don't want people to check my open ports and my OS, since recently I'm facing brute-force attacks and the attacker knows that the system is Linux.
That shouldn't really matter, though. I mean, you need to keep your system as tight as possible, regardless of whether or not the attacker knows you're running GNU/Linux. She'll be able to attack you with GNU/Linux exploits regardless of whether she knows you are running GNU/Linux or not. So you wouldn't really be doing anything as far as improving your security IMHO. That said, if you Google about Nmap fingerprints, you'll find some literature regarding different methods you can use to alter the way your TCP/IP stack behaves. For example, a popular paper on the subject was written by David Barroso Berrueta. Although it's several years old, it should give you some insight as to what you're up against.
 
Old 03-25-2008, 06:59 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Heh. Nice doc. I remember using the Stealth patch on early 2.4 kernels. And like win32sux says, you can consider it pure obfuscation. It doesn't enhance security in any structural way. Proper system hardening trumps anything touted as "stealth".