LinuxQuestions.org

Thread: which is the best practice to block nmap scan on my server using iptables (r) puffy (https://www.linuxquestions.org/questions/linux-security-4/which-is-the-best-practice-to-block-nmap-scan-on-my-server-using-iptables-r-puffy-4175431070/), in Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

jsaravana87 10-08-2012 02:44 AM

which is the best practice to block nmap scan on my server using iptables (r) puffy
 
Hi,

I read O'Reilly's Network Security Hacks. The document mentions that nmap scanning of a server is a security vulnerability.

So I'm trying to block nmap scanning on my server. I just want to know which is the best method everybody is using to block nmap scans on their server.

I have found two methods to block nmap scans: using iptables, and the puffy method. I'd like advice from a security expert on which method is the better practice to follow.

This is the pf.conf file I'm currently using. Currently I'm completely unaware of the meaning of the following settings, which I have pasted from my /etc/pf.conf, but it seems to work fine on the development machine.

Before moving to production I just seek expert advice on whether the following settings could cause any problem on the development server.


vi /etc/pf.conf

set block-policy return   # answer blocked TCP with RST (and UDP with ICMP unreachable) instead of dropping silently

# Each rule blocks TCP packets whose set flags (left of the slash) match exactly
# within the mask (right of the slash). Letters: F=FIN S=SYN R=RST P=PSH A=ACK U=URG E=ECE W=CWR
block in log quick proto tcp flags FUP/WEUAPRSF        # only FIN+URG+PSH set (Xmas scan)
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF   # every flag set
block in log quick proto tcp flags SRAFU/WEUAPRSF      # SYN+RST+ACK+FIN+URG set, nothing else
block in log quick proto tcp flags /WEUAPRSF           # no flags at all (NULL scan)
block in log quick proto tcp flags SR/SR               # SYN and RST together
block in log quick proto tcp flags SF/SF               # SYN and FIN together

Noway2 10-08-2012 08:56 AM

My first comment, or rather question, is in regards to your rules and the mention of PF. PF is the firewall for BSD and these look like rules for it. Are you running BSD or Linux? I am asking because you also mention IPTables, which is the firewall for Linux.

Second, please keep in mind that blocking port scans won't buy you much in terms of security. It is absolutely critical that you still protect any services that you are running. With the above caveat in mind, there are a couple of techniques for blocking scans. Some techniques are designed to counter stealth scan techniques. Personally, I would use rate limiting and if too many connections are established in a short period of time, which indicates a potential scan, I would block their traffic for a period of time. This article has a pretty good discussion of this subject including why the stealth techniques fail against a standard nmap scan.

