This is a discussion on "Can IPTABLES stop port scans by NMAP?" within the Linux Security forums, part of the System Security and Security Related category.
Can you configure IPTABLES on Fedora to stop port scans that are
performed with nmap? If the answer is yes how do you do this? Also can you return bogus data to an nmap scan? If the answer is yes how do you do this? Thanks for an answer(s)
On 2005-03-15, sylo@perknet.net <sylo@perknet.net> wrote:
> Can you configure IPTABLES on Fedora to stop port scans that are
> performed with nmap?

You can't use iptables to stop nmap from asking your box for a reply, nor can you detect whether nmap is scanning you or some other (perhaps legitimate) program is attempting to connect to your box. Perhaps if you define more clearly what your needs are, someone can suggest possible solutions.

> Also can you return bogus data to an nmap scan? If the answer is yes
> how do you do this?

Ditto on all of the above. You can return bogus data to a remote host (depending on your definition of bogus), but you can't detect whether the remote host attempted to connect using nmap, so you can't base your decision to send bogus data (or the bogus data itself) on that criterion.

--keith
-- 
kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information
On 2005-03-15, sylo@perknet.net <sylo@perknet.net> wrote:
> Can you configure IPTABLES on Fedora to stop port scans that are
> performed with nmap?

Yes.

> If the answer is yes how do you do this?

By looking for certain flags which nmap typically sets in the packets and then dropping those when the patterns match. Something like:

    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/min --limit-burst 5 -j LOG --log-level 7 --log-prefix "Xmas Scan: "
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

Record some nmap traffic coming at you and look at the patterns it makes.

> Also can you return bogus data to an nmap scan? If the answer is yes
> how do you do this?

I've only seen them dropped, and even then this may not be such a good idea because the method isn't 100% fail-proof. That is, maybe sometimes you'll drop "good" packets that appear to be scan probes. But, since iptables gives you very fine control over what you take in and what you do with it, I'd think that maybe there's a way.

You'll probably want to check into the Netfilter Patch'O Matic (http://www.netfilter.org/). It patches your kernel to include some extra abilities. I use it currently and it works well, just don't try to enable all of the extras ;) Just pick a couple you'll really use and go with that. Then recompile your kernel, install the mods, modprobe the mods and you're ready to go. I build all of mine as kmods to keep the kernel size down. This way I don't have to load extensions I'm not using at the time.

-- 
RedHat Linux: How linux would have looked if Micro$oft had written it.
HP/UX & AIX: What keeps linux users still using 30yr old "compatibility" defaults in our builds
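As an added example (not from the post above), here is the logic behind that rule pair and what to do with the lines its LOG rule emits: a Python mirror of the `--tcp-flags ALL FIN,URG,PSH` match, plus a small parser that groups logged probes by source address so one stray packet (the false positive the poster warns about) can be told apart from a fan-out across many ports. The syslog lines, hostnames and addresses are constructed samples.

```python
import re
from collections import defaultdict

# TCP flag bits, the same set iptables names in --tcp-flags
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())
XMAS = FLAGS["FIN"] | FLAGS["URG"] | FLAGS["PSH"]

def tcp_flags_match(flags, mask, comp):
    """Mirror '--tcp-flags MASK COMP': look only at the bits in MASK and
    require exactly the bits in COMP to be set among them."""
    return (flags & mask) == comp

def is_xmas(flags):
    # Same test the post's rule makes: '--tcp-flags ALL FIN,URG,PSH'.
    # A packet that also carries ACK does not match, because ALL is the mask.
    return tcp_flags_match(flags, ALL, XMAS)

# Constructed syslog lines in netfilter LOG format, as the LOG rule with
# --log-prefix "Xmas Scan: " would write them (hypothetical host/addresses).
SAMPLE_LOG = """\
Mar 22 05:10:45 fw kernel: Xmas Scan: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 URG PSH FIN URGP=0
Mar 22 05:10:45 fw kernel: Xmas Scan: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=80 URG PSH FIN URGP=0
Mar 22 05:10:46 fw kernel: Xmas Scan: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=443 URG PSH FIN URGP=0
Mar 22 05:10:47 fw kernel: Xmas Scan: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=25 URG PSH FIN URGP=0
Mar 22 05:10:48 fw kernel: unrelated message without the prefix
"""

LINE_RE = re.compile(r"Xmas Scan: .*?SRC=(\S+) .*?DPT=(\d+)")

def ports_per_source(log_text):
    """Return {src_ip: set of destination ports} for lines the rule logged."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m.group(1)].add(int(m.group(2)))
    return dict(hits)

def likely_scanners(log_text, min_ports=3):
    """Sources that probed at least min_ports distinct ports. One stray
    packet may be the false positive the post warns about; a fan-out across
    many ports is the pattern worth acting on."""
    return sorted(src for src, ports in ports_per_source(log_text).items()
                  if len(ports) >= min_ports)
```

The `-m limit` on the LOG rule means a busy scan is only sampled, so per-source port counts from the log are a lower bound, not a full record.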
sylo@perknet.net wrote:
> Can you configure IPTABLES on Fedora to stop port scans that are
> performed with nmap?
>
> If the answer is yes how do you do this?
>
> Also can you return bogus data to an nmap scan? If the answer is yes
> how do you do this?
>
> thanks for an answer(s)
RockLinux wrote:
> sylo@perknet.net wrote:
> > Can you configure IPTABLES on Fedora to stop port scans that are
> > performed with nmap?
> >
> > If the answer is yes how do you do this?
> >
> > Also can you return bogus data to an nmap scan? If the answer is yes
> > how do you do this?
> >
> > thanks for an answer(s)

Surely it can, with that fancy -m limit thing...

Yep, you can make your computer return bogus data to *any* scanner in the big bad world which is scanning your machine... I've seen machines with 65536 ports open.. ;). I don't know how *exactly* they did it (what soft/options), but I can tell you the theory that stands in the background.

So.. when someone (A) wants to communicate with (B) it sends: (A) -syn-> (B) and when (B) receives that syn packet, it sends back a reply (B) -ack-> (A), then (A) -syn+ack-> (B) and the link is up :). Scanners don't reply back (nmap -sS) that syn+ack thing, but more interesting is the second part: if (A) receives ack from (B), then the scanner deduces the scanned port on (B) as open, so it says it is open.

I have to go now, sorry I can't give more info... hope this helps :)
On 22 Mar 2005 05:10:45 -0800, voyager123bg@gmail.com wrote:
> RockLinux wrote:
>> sylo@perknet.net wrote:
>>> Can you configure IPTABLES on Fedora to stop port scans that are
>>> performed with nmap?
>>>
>>> If the answer is yes how do you do this?
>
> <snip> ... I've seen machines with 65536 ports
> open.. ;). I don't know how *exactly* they did it <snip>

One way might be to use port forwarding: AFTER all the rules that allow connections to legitimate ports on the server (FTP, HTTP, SMTP etc. etc.)... then forward ANY port attempt to a single port. That port can simply have a DROP, or it can go to one of those progs that hang on to a connection for HOURS, by feeding the scanner one byte every 20 seconds or so to keep the useless connection going and going... The scan will NEVER finish.
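An added example (not the poster's program, and not any particular tarpit tool) of the listener side of that idea: a small server that drips one byte per interval to every connection it accepts, plus a timing client that shows the delay a probe experiences. The iptables forwarding of all non-service ports to this one port is assumed to already be in place and is not shown; the loopback address, port 0 (kernel-chosen) and the short interval in the test are for running it locally.

```python
import socket, threading, time

def drip_feed(conn, interval, max_bytes=None):
    """Hold one connection open by sending a single byte every `interval`
    seconds (the post suggests ~20 s); return bytes sent when the peer quits."""
    sent = 0
    try:
        conn.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        while max_bytes is None or sent < max_bytes:
            conn.sendall(b"\x00")
            sent += 1
            time.sleep(interval)
    except OSError:
        pass  # peer closed or reset the connection
    finally:
        conn.close()
    return sent

def start_tarpit(host="127.0.0.1", port=0, interval=20.0, max_bytes=None):
    """Listen on the single port that all non-service ports get forwarded to
    (that forwarding is an iptables job, assumed and not shown); one drip-feed
    thread per client. Returns (listening socket, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(64)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=drip_feed, args=(conn, interval, max_bytes),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def time_to_receive(port, nbytes, timeout=10.0):
    """Connect as a probe would and time how long nbytes take to arrive; that
    delay, repeated for every forwarded port, is what stretches a scan out."""
    start = time.monotonic()
    got = 0
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
        while got < nbytes:
            chunk = c.recv(1)
            if not chunk:
                break
            got += len(chunk)
    return got, time.monotonic() - start
```

Only a probe that completes the handshake and reads from the socket is held this way; a half-open SYN scan never reaches accept(), so the tarpit slows connect-style scans, not every scan type.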