Re: [suse-security] how do I build iptable-protection for scanners like nmap
Michael,
Seems to me that ipchains equivalent to "! --syn" is "! -y", but wouldn't
"iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP "
drop ANY incoming connections from internet?
This would even drop valid http requests, not just the stealth portscans.
Thank you,
Azman Salleh
----- Original Message -----
From: Paxton, Michael
To: 'Azman Salleh'
Sent: 28 May, 2003 11:41 AM
Subject: RE: [suse-security] how do I build iptable-protection for scanners like nmap
Hi Azman
Basically it says:
If you are not establishing a new connection (! --syn) and you are not an established connection (-m state --state NEW) drop the packet.
The stateful side of things I don't think you can do with ipchains.
Michael
> -----Original Message-----
> From: Azman Salleh [mailto:azmansal@xxxxxxxxxx]
> Sent: Wednesday, 28 May 2003 11:32 AM
> To: suse-security@xxxxxxxx
> Subject: Re: [suse-security] how do I build iptable-protection for
> scanners like nmap
>
>
> Sounds like something I can adapt into my *ipchains* rules.
> But why use "!--syn -m state --state"? Anybody can explain?
>
> Thank you,
> Azman Salleh
> ----- Original Message -----
> From: "Πλαστήρας Αθανάσιος" <t.plastiras@xxxxxxxxxxx>
> To: <suse-security@xxxxxxxx>
> Sent: 27 May, 2003 1:27 PM
> Subject: Re: [suse-security] how do I build
> iptable-protection for scanners
> like nmap
>
>
> >
> > Good Morning...
> >
> > To Drop Stealth Scan like nmap you can use the following rules in a simple
> > firewall with iptables:
> >
> > iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan"
> > iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> >
> > Thanos...
> >
> >
> > Athanasios Plastiras
> > Greece
> > Athens
> >
> >
> >
> > --
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here
> >
> >
> >
>
>
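
Added example, not part of the thread: a small Python model of how the quoted rule `! --syn -m state --state NEW -j DROP` sorts incoming TCP packets, run over constructed traffic. It assumes every packet of an untracked flow is state NEW (a real kernel may mark some flag combinations INVALID instead) and that later rules accept whatever falls through; the function names and addresses are made up for the illustration.

```python
# Added illustration: models the match logic of
#   iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Assumption: any packet of an untracked flow is state NEW; a real kernel
# may classify some flag combinations as INVALID instead.

SYN, ACK, RST, FIN = "SYN", "ACK", "RST", "FIN"

def is_syn(flags):
    """iptables --syn: SYN set, and ACK, RST, FIN all clear."""
    return SYN in flags and not ({ACK, RST, FIN} & set(flags))

def rule_drops(flags, state):
    """True when the packet matches '! --syn -m state --state NEW'."""
    return (not is_syn(flags)) and state == "NEW"

def run(packets):
    """Feed (flow, flags) pairs through a toy connection tracker and the rule.

    Only the INPUT direction is modelled; server replies are not shown.
    Returns a list of (flow, sorted flags, state, verdict)."""
    tracked = set()              # flows that already have a tracking entry
    out = []
    for flow, flags in packets:
        flags = set(flags)
        state = "ESTABLISHED" if flow in tracked else "NEW"
        if rule_drops(flags, state):
            verdict = "DROP"
        else:
            verdict = "CONTINUE"  # falls through to the later rules
            tracked.add(flow)     # assumption: a later rule accepts it
        out.append((flow, sorted(flags), state, verdict))
    return out

# Constructed sample traffic (addresses are from documentation ranges).
WEB = ("198.51.100.7:40000", "192.0.2.10:80")
STRAY_ACK = ("203.0.113.5:50001", "192.0.2.10:80")
STRAY_FIN = ("203.0.113.5:50002", "192.0.2.10:22")
SAMPLE = [
    (WEB, {SYN}),            # browser opens a connection
    (WEB, {ACK}),            # handshake completes
    (WEB, {ACK, "PSH"}),     # HTTP request data
    (STRAY_ACK, {ACK}),      # bare ACK with no handshake before it
    (STRAY_FIN, {FIN}),      # bare FIN with no handshake before it
]

if __name__ == "__main__":
    for flow, flags, state, verdict in run(SAMPLE):
        print(f"{flow[0]:>20} -> {flow[1]:<14} {'+'.join(flags):<8} {state:<12} {verdict}")
```
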