> Hi, Robin-Vinet Mathieu wrote:
> > I've got a question about how DROPPED packets are shown to TCP scanners
> > such as Nmap.
>
> With nmap, it seems to depend on the TCP scan type. My results with
> nmap 2.54 from Debian Woody (better displayed with a fixed-width font):
>
>   Target / TCP scan type     -T (connect)   -S (syn)   -F (fin)   -X (Xmas)   -N (null)
>   DROP                       filtered       filtered   open       open        open
>   REJECT icmp-port-unreach   closed         filtered   filtered   filtered    filtered
>   REJECT tcp-reset           closed         closed     closed     closed      closed
Interesting, I've only done an nmap scan like: nmap -sT -PT IPaddress
> > I've done an iptables script which does what I want it to do, but even if
> > unauthorised packets are dropped and logged, when I nmap my server,
> > almost all TCP ports are shown as open.
>
> Even the ports that are closed (not used by any service)? It could be
> that you used a FIN, Xmas Tree or Null scan.
> > Of course, some of those ports are (e.g. TCP 80), but others are not (e.g.
> > TCP 445). I think it is clearly unsafe, because hackers know that there
> > is a server behind those closed ports.
>
> When you DROP incoming packets, an attacker won't be able to know what's
> behind, because there is no reply.
>
> > In my mind, a good firewall would show the firewalled TCP ports as
> > "stealth" or "filtered" or, failing that, "closed", but I'd prefer
> > "stealth".
>
> In my mind a good firewall would show firewalled ports as closed on any
> type of scan, so attackers wouldn't get curious and ask themselves "why
> are these ports filtered/stealth and what's behind them?". The only
> exception is when no port at all is open, so the machine can appear
> totally stealth. But mixing open and stealth ports makes no sense.
OK for dropping. And if you want, but I'd like my ports not to show that they are open when they are closed ;-)
-- 
Robin-Vinet Mathieu
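The table above is the result of three layers acting in turn: the netfilter target decides whether the probe reaches the TCP stack and whether the firewall answers for it; if it does reach the stack, RFC 793 decides the reply (a closed port sends a RST to anything; a listening port answers a SYN with SYN/ACK but silently discards a segment carrying no SYN, ACK or RST); and nmap turns the reply, or the silence, into a port label. The following is an added example, not code from the thread: a small Python model of those three layers that reproduces the nmap 2.54 table and shows why a closed port behind DROP is indistinguishable from a genuinely open port under a FIN, Xmas or Null scan. The target and reply names are this example's own; the nmap labels are those of the 2.54-era output quoted above (current nmap prints "open|filtered" where 2.54 printed "open" for an unanswered FIN/Xmas/Null probe).

```python
# Added example (not from the thread): model of netfilter target, RFC 793 stack
# behaviour and nmap 2.54 port labelling, reproducing the table in the thread.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    """TCP flags set on the segment nmap sends for one scan type."""
    syn: bool = False
    fin: bool = False
    psh: bool = False
    urg: bool = False


# Scan types in the order of the table above (names as nmap spells them).
SCANS = {
    "-sT": Probe(syn=True),                      # connect(): starts with a real SYN
    "-sS": Probe(syn=True),                      # half-open SYN scan
    "-sF": Probe(fin=True),                      # FIN scan
    "-sX": Probe(fin=True, psh=True, urg=True),  # Xmas tree scan
    "-sN": Probe(),                              # Null scan: no flags at all
}

# Possible replies to a probe. None means silence.
SYN_ACK, TCP_RST, ICMP_UNREACH = "syn-ack", "tcp-rst", "icmp-port-unreach"


def netfilter(target: str) -> Tuple[bool, Optional[str]]:
    """Effect of the rule's target: (probe reaches the TCP stack, reply sent by
    the firewall itself). Target strings are this example's own spelling."""
    if target == "ACCEPT":
        return True, None
    if target == "DROP":
        return False, None                   # silence, nothing goes back
    if target == "REJECT --reject-with icmp-port-unreachable":  # REJECT's default
        return False, ICMP_UNREACH
    if target == "REJECT --reject-with tcp-reset":
        return False, TCP_RST                # looks exactly like a closed port
    raise ValueError(f"unknown target {target!r}")


def tcp_stack(port_open: bool, probe: Probe) -> Optional[str]:
    """RFC 793 reply of the host for a segment that matches no connection."""
    if not port_open:
        return TCP_RST        # CLOSED: any segment without RST is answered with RST
    if probe.syn:
        return SYN_ACK        # LISTEN: SYN is answered with SYN/ACK
    return None               # LISTEN: a segment with no SYN/ACK/RST is discarded


def nmap_2_54(scan: str, reply: Optional[str]) -> str:
    """Port label nmap 2.54 prints for a reply (or for no reply at all)."""
    if SCANS[scan].syn:                               # -sT and -sS
        if reply == SYN_ACK:
            return "open"
        if reply == TCP_RST:
            return "closed"
        if reply == ICMP_UNREACH:
            # connect() fails with ECONNREFUSED, so -sT reports closed;
            # the raw SYN scan treats an ICMP error as filtering.
            return "closed" if scan == "-sT" else "filtered"
        return "filtered"                             # timeout
    # -sF, -sX, -sN: only a RST is conclusive
    if reply == TCP_RST:
        return "closed"
    if reply == ICMP_UNREACH:
        return "filtered"
    return "open"               # silence: 2.54 said "open" (modern nmap: open|filtered)


def port_state(scan: str, target: str, port_open: bool = False) -> str:
    """Label nmap prints for one scan type against a port behind `target`."""
    reaches_stack, reply = netfilter(target)
    if reaches_stack:
        reply = tcp_stack(port_open, SCANS[scan])
    return nmap_2_54(scan, reply)


def scan_row(target: str, port_open: bool = False) -> Dict[str, str]:
    """One row of the table: nmap's verdict for every scan type."""
    return {scan: port_state(scan, target, port_open) for scan in SCANS}


if __name__ == "__main__":
    for target in ("DROP",
                   "REJECT --reject-with icmp-port-unreachable",
                   "REJECT --reject-with tcp-reset"):
        row = scan_row(target)
        print(f"{target:44s}", "  ".join(f"{s}:{v}" for s, v in row.items()))
    # The complaint in the thread: a closed port behind DROP and an open port
    # with no firewall in front of it get the same label from a FIN scan.
    print("closed port behind DROP, -sF :", scan_row("DROP")["-sF"])
    print("open port, no firewall,  -sF :", scan_row("ACCEPT", port_open=True)["-sF"])
```

Reading the model against the thread: `REJECT --reject-with tcp-reset` is the only target that makes a firewalled port look closed under every scan type, which is the behaviour the reply argues for; plain `DROP` gives "filtered" only to SYN-based scans, and the FIN/Xmas/Null probes that a 2.54 scan would have used to produce "almost all ports open" cannot tell a dropped probe from one a listening socket silently discarded.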