Date: Thu, 15 Sep 2005 15:40:12 -0400 From: Charles Swiger <cswiger@mac.com> To: Boris Karloff <modelt20@canada.com> Cc: freebsd-questions@freebsd.org Subject: Re: NMAP probing of network ports Message-ID: <2CCFF297-E085-4F90-A8B4-E9CBA6CECE74@mac.com> In-Reply-To: <4329c0ec.244.232.3162@canada.com> References: <4329c0ec.244.232.3162@canada.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sep 15, 2005, at 2:43 PM, Boris Karloff wrote:
> How do I cause freeBSD 5.4 to not respond to an nmap
> inquiry? I have already tried creating a line in rc.firewall
> that says:
>
> ${fwcmd} deny all from any to any
> ${fwcmd} drop all from any to any
>
> I know these are active, since 1) I see them on the screen
> at startup, and 2) pinging from any computer to any computer
> results in a timeout.
>
> (both of these should drop all TCP packets; but apparently,
> they cause a RESET message to be sent.)
"Apparently" indicates a lack of reliable information.
You should use tcpdump to see what is really going on.
> I've also tried adding the following to sysctl.conf:
>
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> Again, these don't seem to prevent my freeBSD from sending a
> packet (probably a RESET or UNREACHABLE-HOST ack).
Ditto. Please obtain real data.
> Once the person sending the nmap to this machine has the IP,
> its a simple step for them to ip-flood this machine; or
> worse.
Yes. Only, someone can issue a denial-of-service attack against an
IP without bothering to nmap-scan it, first. Nothing short of
upstream intervention by your ISP can prevent a true DoS attack from
flooding your inbound pipe's bandwidth.
Trying to prevent a DoS is not an especially useful thing to spend
lots of time on, you would be better served by creating an effective
security policy and setting up an appropriate firewall architecture,
including a redundant connection if the cost of downtime justifies
the expense.
> How do I make freeBSD not acknowledge the fingerprint from
> nmap?
Set up a firewall to block access to all ports but the ones you need
for internet-reachable services. You can recognize nmap traffic by
the TCP option string of "WNMTE"; you can recognize nmap OS
identification and the "Xmas" scan variants by TCP flag combinations
of "SE" (SYN | ECE), "FPU" (FIN | PUSH | URG), and "FSPU"...
--
-Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2CCFF297-E085-4F90-A8B4-E9CBA6CECE74>