
Re: blocking ports



thus spoke David Bishop <tech@bishop.dhs.org> [2002.01.10.1634 +0100]:
> I'm running a server that's hot to the net, and running some insecure
> services (by necessity), like nfs.  Of course, I used iptables to
> block all those ports, using nmap and netstat to double check all my
> open ports.  However, what nmap reports back is "filtered" for those
> ports.  I would prefer if I could somehow make it so that they are
> "closed" to the outside world, so that random j. hacker doesn't know
> that I'm running that service at all.  Is there some way to do that,
> or do I just live with "filtered"?

you can configure iptables to return ICMP type 3 "port unreachable"
packets, just like the OS would, using the REJECT target. that's what
you want to do to get your desired effect.

however, DENYing has the advantage of *severely* slowing any portscan,
and because obscurity is not a security measure[1] and REJECT is not
any safer than DENY, you are really not gaining anything...

[1] because i actually believe that one should be able to post the
entire LAN topology as well as server config and firewall config to the
net, and *still* be secure.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
there's someone in my head but it's not me.
                        -- pink floyd, the dark side of the moon, 1972

Attachment: pgp_h3IhXlCD0.pgp
Description: PGP signature
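Editor's added example, not code from either poster: a small model of how nmap turns a probe reply into a port state (following the rules nmap documents for its SYN scan, -sS, and UDP scan, -sU) and of what each iptables target sends back to an unsolicited probe. Running it shows which target makes a blocked port come back "closed" instead of "filtered": for UDP a plain REJECT (ICMP port unreachable) is enough, but a SYN scan reports ICMP unreachables as "filtered", so a TCP port only looks closed when the rule uses --reject-with tcp-reset. The iptables syntax is real; the interface name and the port numbers (2049 for NFS, 111 for the portmapper NFS clients ask first) are example values.

```python
"""Model of nmap port-state classification vs. iptables reply targets.

Added example, not from the original mail. The classification rules are
the ones nmap documents for -sS and -sU; the reply labels below are
constructed stand-ins for real packets.
"""

# Reply kinds a single probe can get back (constructed labels, not packets)
SYNACK = "syn/ack"
RST = "rst"
ICMP_PORT_UNREACH = "icmp-type3-code3"    # "port unreachable"
ICMP_ADMIN_PROHIB = "icmp-type3-code13"   # "administratively prohibited"
UDP_PAYLOAD = "udp-payload"
SILENCE = None


def classify(scan, reply):
    """nmap's port state for one probe reply. scan is 'tcp' (-sS) or 'udp' (-sU)."""
    if scan == "tcp":
        if reply == SYNACK:
            return "open"
        if reply == RST:
            return "closed"
        # Any ICMP unreachable (type 3, codes 1,2,3,9,10,13) or no reply at all
        return "filtered"
    if scan == "udp":
        if reply == UDP_PAYLOAD:
            return "open"
        if reply == ICMP_PORT_UNREACH:
            return "closed"          # what an unfirewalled closed UDP port sends
        if reply is not None and reply.startswith("icmp-type3-"):
            return "filtered"        # any other unreachable code
        return "open|filtered"       # silence: could be open, could be dropped
    raise ValueError(f"unknown scan type {scan!r}")


# What each iptables target sends back to an unsolicited probe.
# REJECT's default --reject-with is icmp-port-unreachable; tcp-reset is
# only accepted on rules that match -p tcp, hence no "udp" entry for it.
TARGET_REPLY = {
    "DROP": {"tcp": SILENCE, "udp": SILENCE},
    "REJECT --reject-with icmp-port-unreachable": {
        "tcp": ICMP_PORT_UNREACH, "udp": ICMP_PORT_UNREACH},
    "REJECT --reject-with icmp-admin-prohibited": {
        "tcp": ICMP_ADMIN_PROHIB, "udp": ICMP_ADMIN_PROHIB},
    "REJECT --reject-with tcp-reset": {"tcp": RST},
}


def scan_sees(target):
    """Port state nmap reports, per protocol, for a port firewalled with target."""
    return {proto: classify(proto, reply)
            for proto, reply in TARGET_REPLY[target].items()}


def closed_looking_rules(tcp_ports, udp_ports, iface="eth0"):
    """iptables commands that make the given ports look closed (not filtered)
    from outside: TCP needs a RST, UDP needs ICMP port-unreachable.
    iface and the port lists are example values chosen by the caller."""
    rules = []
    for p in tcp_ports:
        rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {p} "
                     f"-j REJECT --reject-with tcp-reset")
    for p in udp_ports:
        rules.append(f"iptables -A INPUT -i {iface} -p udp --dport {p} "
                     f"-j REJECT --reject-with icmp-port-unreachable")
    return rules


if __name__ == "__main__":
    for target in TARGET_REPLY:
        print(f"{target:46s} -> {scan_sees(target)}")
    print()
    # Example: NFS (2049) and the portmapper (111) on both transports
    print("\n".join(closed_looking_rules([111, 2049], [111, 2049])))
```

Note that the DROP row comes out "filtered" for TCP and "open|filtered" for UDP, which is the trade-off the reply describes: silence costs the scanner a timeout per probe, while any REJECT variant answers immediately.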

