
RE: How to avoid port scanners



Hi,

that would be portsentry 
http://www.psionic.com/abacus/portsentry/

I also believe that there is a built in function in iptables doing this. 

Kind regards
Robert Karlsson
-----Original Message-----
From: vegard@engen.priv.no [mailto:vegard@engen.priv.no]
Sent: Thursday, January 17, 2002 4:33 PM
To: debian-firewall@lists.debian.org
Subject: Re: How to avoid port scanners


Well. You *could* in theory, I guess, implement something that firewalled
a specific host totally once you discovered that it was in the process of
portscanning. This is not that straightforward, though, and not foolproof,
but you might prevent some portscanning-attacks from discovering your
services, and failing that due to race conditions (i.e. port 25 already having been
tried before your system blocked the IP address), maybe it would be blocked
before it started hammering exploits against it.

I have never tried something like this, though.

- Vegard

On Thu, Jan 17, 2002 at 10:00:04AM -0500, Adam William Lydick wrote:
> That doesn't seem possible to me. NMAP uses, at least for its
> SYN/connect() type scans the same sequence of packets that your mail
> software would have to use, so if you block one sequence of packets, they
> are going to be blocked regardless of the place they are coming from.
> 
> To achieve a similar result, try:
> (1) if you are going to be sending mail from a limited set of IP
> addresses, try filtering all traffic to that port, except your
> "semi-trusted" hosts. This isn't perfect, but will avoid casual scans.
> 
> (2) better yet, set up a VPN between your trusted hosts and your mail
> server and you don't need to have a port open for the public internet.
> 
> On Thu, 17 Jan 2002, Eduardo Gonçalves wrote:
> 
> > Hi all,
> >
> > I have a ipchains rule like this:
> > # ipchains -A input -s 0/0 -p tcp -y -j REJECT
> >
> > so I can block all the SYN packets used by port scanners and avoid them...
> > but now I run a smtp server (postfix), and my box must accept SYN packets to
> > port 25.
> >
> > I don't want that anybody knows ( using a scanner ) which is the open port.
> >
> > My question:
> > How can I block port scanners (like nmap) and run my server without
> > problems?
> >
> >
> > thanks a lot
> > []'s
> > Eduardo
> 
> 
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 
- Vegard Engen, member of the first RFC1149 implementation team.


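The dynamic blocking Vegard sketches (cut a source off once it has been seen probing several ports, accepting that port 25 may already have been tried by then) can be illustrated by a small detector run over firewall log lines. This is an added example, not code from the thread or from portsentry; the log lines are constructed in a simplified iptables LOG format, and the port threshold, time window and log year are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not from the thread): simplified iptables LOG lines.
# 203.0.113.7 sweeps several ports within two seconds; 192.0.2.44 is a
# mail peer retrying port 25 a minute apart.
SAMPLE_LOG = """\
Jan 17 15:33:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 17 15:33:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 17 15:33:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=25 SYN
Jan 17 15:33:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=80 SYN
Jan 17 15:33:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=110 SYN
Jan 17 15:33:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40006 DPT=143 SYN
Jan 17 15:34:10 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=25 SYN
Jan 17 15:35:00 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=25 SYN
"""

# Only SYN lines count, mirroring the ipchains "-y" match in the question.
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*SRC=(\S+) .*DPT=(\d+) .*SYN")

def parse_syn_events(text, year=2002):
    """Return [(timestamp, src_ip, dst_port), ...]; syslog lacks a year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return events

def detect_scanners(events, distinct_ports=5, window_seconds=10):
    """Block a source once it hits `distinct_ports` different ports within `window_seconds`.
    Returns {src: (block_time, ports_probed_up_to_and_including_the_block)}, so the caller
    can see which services (port 25 here) were already reached before the block landed."""
    history = defaultdict(deque)          # src -> recent (timestamp, port) pairs
    blocked = {}
    for ts, src, dport in sorted(events):
        if src in blocked:
            continue                      # the firewall would drop these after the block
        q = history[src]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                   # slide the window forward
        ports = {p for _, p in q}
        if len(ports) >= distinct_ports:
            blocked[src] = (ts, ports)
    return blocked

if __name__ == "__main__":
    for src, (when, ports) in detect_scanners(parse_syn_events(SAMPLE_LOG)).items():
        print(f"block {src} at {when.time()}; ports reached before block: {sorted(ports)}")
```

With the sample, the scanning host is blocked on its fifth distinct port, but port 25 was among the first three it probed, which is exactly the race Vegard points out.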