[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Iptables DROP packets but Nmap show the ports opened !!


Robin-Vinet Mathieu a écrit :

I've got a question, about how DROPPED packets are shown to TCP scanners
such as Nmap.

With nmap, it seems to depend on the TCP scan type.
My results with nmap 2.54 from Debian Woody :
(better displayed with a fixed-sized font)

Target / TCP scan type  -T(connect) -S(syn)  -F(fin) -X(Xmas) -N(null)
DROP                     filtered  filtered   open     open     open
REJECT icmp-port-unreach  closed   filtered filtered filtered filtered
REJECT tcp-reset          closed    closed   closed   closed   closed

I've done an IPtables script wich does what i want it to do, but even if
unautorised packets are dropped and logged, when i nmap my server,
almost all tcp ports are shown as opened.

Even the ports that are closed (not used by any service) ? It could be that you used a FIN, Xmas Tree or Null scan.

Of course, some of those ports are (eg. TCP 80), but others are not (eg.
TCP 445), i think it is clearly unsafe, cause hackers knows that there
is a server behind those closed ports.

When you DROP incoming packets, an attacker won't be able to know what's behind because there is no reply.

In my mind, a good firewall would show the firewalled TCP ports as
"stealth" or "filtered" or in the last "closed", but i'd prefer

In my mind a good firewall would show firewalled ports as closed on any type of scan, so attackers wouldn't get curious and ask themselves "why are theses ports filtered/stealth and what's behind them ?". The only exception is when no port at all is open, so the machine can appear totally stealth. But mixing open and stealth ports makes no sense.

Reply to: