nixCraft Linux Forum
Linux / UNIX Tech Support Forum

Avoiding nmap service and application version detection

Forum: Mastering Servers > Networking, Firewalls and Security

#1  12-05-2009, 08:22 PM  Cyborg_sa (Junior Member, CentOS)

Is there a way to avoid nmap service and application version detection? I scanned my server with nmap and this is the output:

Code:
Interesting ports on 192.168.15.4:
Not shown: 1709 closed ports
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 2.0.5
22/tcp   open  ssh        OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http       Apache httpd 2.2.3 ((CentOS))
|_ HTML title: Apache HTTP Server Test Page powered by CentOS
111/tcp  open  rpcbind
|  rpcinfo:
|  100000 2       111/udp rpcbind
|  100024 1       793/udp status
|  100000 2       111/tcp rpcbind
|_ 100024 1       796/tcp status
796/tcp  open  rpcbind
|_ rpcinfo:  
3128/tcp open  http-proxy Squid webproxy 2.6.STABLE21
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.21, Linux 2.6.23
I searched on the internet and found that psad can prevent port scans. Will psad help me in this regard?
I use CentOS 5.3.

Last edited by Cyborg_sa; 13-05-2009 at 08:48 AM.
#2  13-05-2009, 12:36 AM  nixcraft (RHEL; scripting: Bash and Python)

Yes, it can help. See the basic getting started tutorial:
  1. psad: Linux Detect And Block Port Scan Attacks In Real Time
__________________
Vivek Gite
Linux Evangelist
Be proud RHEL user, and let the world know about your enterprise choices! Join RedHat user group.
Always use CODE tags for posting system output and commands!
Do you run a Linux? Let's face it, you need help
#3  13-05-2009, 11:43 AM  Cyborg_sa (Junior Member, CentOS)

I tried your getting started tutorial, but psad is not picking up anything, and the output I posted in my 1st post still comes out using nmap. Again I googled around and found that SELinux may be blocking some part of psad:
http://wiki.rivalug.org/index.php/Centos5#creating_policy_example:_psad
I tried out the steps there carefully as well, but still it was of no use. I even put SELinux in permissive mode, but still no use. This is my psad -S output:
Code:
[root@cybertron Saad]# /usr/sbin/psad -S
[+] psadwatchd (pid: 3787)  %CPU: 0.0  %MEM: 0.0
    Running since: Wed May 13 12:00:14 2009

[+] psad (pid: 3785)  %CPU: 0.0  %MEM: 1.0
    Running since: Wed May 13 12:00:14 2009
    Command line arguments: [none specified]
    Alert email address(es): root@localhost

[+] Version: psad v2.1.5

[+] Top 50 signature matches:
        [NONE]

[+] Top 25 attackers:
        [NONE]

[+] Top 20 scanned ports:
        [NONE]

[+] iptables log prefix counters:
        [NONE]

    Total packet counters: tcp: 0, udp: 0, icmp: 0

[+] IP Status Detail:
        [NONE]

    Total scan sources: 0
    Total scan destinations: 0

[+] These results are available in: /var/log/psad/status.out
Can you help me figure out where the problem is?
#4  13-05-2009, 04:40 PM  nixcraft (RHEL; scripting: Bash and Python)

Did you add the iptables LOG rules to your iptables script?
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
#5  13-05-2009, 06:24 PM  Cyborg_sa (Junior Member, CentOS)

I did not run your script. However, I did execute these commands.
#6  13-05-2009, 06:41 PM  nixcraft (RHEL; scripting: Bash and Python)

You do need a properly configured firewall along with log rules. Without a firewall it won't work.
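The requirement stated in posts #4 and #6 (psad needs LOG rules in the chains it watches, behind a properly configured firewall) can be checked mechanically against an iptables-save dump. The script below is an added example written for this thread; it is not psad's code and not anything Vivek posted. It parses the iptables-save format that appears later in the thread and reports, per filter chain, whether any LOG rule exists, whether a DROP policy is backed by a catch-all LOG rule (without one, packets hitting the policy vanish and psad never sees them), and whether the RELATED,ESTABLISHED ACCEPT sits above the catch-all LOG/DROP rules, so packets of an already-open SSH session are never logged or dropped by them. The embedded dump is a constructed, shortened sample modelled on the one posted in this thread.

```python
"""Audit an iptables-save dump for the LOG rules psad depends on.

psad works from kernel LOG messages, so a chain whose policy is DROP but
which never logs gives psad nothing to analyse. Added example for this
thread; the sample dump below is constructed.
"""
import re
from dataclasses import dataclass, field

# options that narrow a rule; a rule without any of them matches everything
# (or everything on one interface) and is treated as a catch-all rule
MATCH_OPTS = {"-p", "-m", "-s", "-d", "--dport", "--sport", "--state"}


@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)  # "-A CHAIN ..." lines, in order


def parse_iptables_save(text):
    """Return {table: {chain_name: Chain}} from iptables-save output."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # *filter, *nat, ...
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                    # :INPUT DROP [0:0]
            name, policy = line[1:].split()[:2]
            tables[table][name] = Chain(name, policy)
        elif line.startswith("-A "):
            chain = line.split()[1]
            tables[table].setdefault(chain, Chain(chain, "-")).rules.append(line)
    return tables


def is_catch_all(rule):
    """True for rules like '-A INPUT -i ! lo -j LOG' that match on interface only."""
    return not any(tok in MATCH_OPTS for tok in rule.split())


def audit(text):
    """Per filter chain: policy, rule_count, has_log, silent_drop, established_first."""
    report = {}
    for chain in parse_iptables_save(text).get("filter", {}).values():
        rules = chain.rules
        est_idx = next((i for i, r in enumerate(rules)
                        if "ESTABLISHED" in r and r.endswith("-j ACCEPT")), None)
        catch_idx = next((i for i, r in enumerate(rules)
                          if is_catch_all(r) and re.search(r" -j (LOG|DROP)\b", r)), None)
        catch_all_log = any(is_catch_all(r) and " -j LOG" in r for r in rules)
        report[chain.name] = {
            "policy": chain.policy,
            "rule_count": len(rules),
            "has_log": any(" -j LOG" in r for r in rules),
            # policy DROP with no catch-all LOG: packets vanish without a log line
            "silent_drop": chain.policy == "DROP" and not catch_all_log,
            # ESTABLISHED ACCEPT must sit above the catch-all LOG/DROP rules
            "established_first": est_idx is not None and (catch_idx is None or est_idx < catch_idx),
        }
    return report


def findings(text):
    """Human-readable problems, one string per finding."""
    out = []
    for name, r in audit(text).items():
        if not r["has_log"]:
            out.append(f"{name}: no LOG rule, psad will see nothing from this chain")
        if r["silent_drop"]:
            out.append(f"{name}: policy DROP without a catch-all LOG rule")
        if r["rule_count"] and not r["established_first"]:
            out.append(f"{name}: RELATED,ESTABLISHED ACCEPT missing or placed after the catch-all LOG/DROP")
    return out


# Constructed sample (shortened, modelled on the dump posted in this thread).
# FORWARD has a DROP policy and no rules at all, so nothing hitting it is logged.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [1:236]
:FORWARD DROP [0:0]
:OUTPUT DROP [16:960]
-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.15.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i ! lo -j LOG --log-prefix "DROP "
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o ! lo -j LOG --log-prefix "DROP "
COMMIT
"""

if __name__ == "__main__":
    for problem in findings(SAMPLE_DUMP):
        print(problem)
```

Run it against a live system with `iptables-save | python3 audit.py` after swapping SAMPLE_DUMP for `sys.stdin.read()`; on the sample it reports only the empty FORWARD chain, which matches the second LOG rule Vivek asked about in post #4.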
#7  14-05-2009, 11:29 PM  Cyborg_sa (Junior Member, CentOS)

I referred to the book in your tutorial and used the book's rule set with slight changes according to my network. I have only 1 NIC. This is what the nmap output was:
Code:
Starting Nmap 4.68 ( http://nmap.org ) at 2009-05-14 22:01 West Asia Standard Time
Initiating ARP Ping Scan at 22:01
Scanning 192.168.15.4 [1 port]
Completed ARP Ping Scan at 22:01, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:01
Completed Parallel DNS resolution of 1 host. at 22:01, 0.09s elapsed
Initiating SYN Stealth Scan at 22:01
Scanning 192.168.15.4 [1715 ports]
Discovered open port 22/tcp on 192.168.15.4
Discovered open port 80/tcp on 192.168.15.4
SYN Stealth Scan Timing: About 40.99% done; ETC: 22:02 (0:00:43 remaining)
Increasing send delay for 192.168.15.4 from 0 to 5 due to 11 out of 13 dropped probes since last increase.
SYN Stealth Scan Timing: About 54.23% done; ETC: 22:03 (0:01:03 remaining)
Increasing send delay for 192.168.15.4 from 5 to 10 due to 11 out of 12 dropped probes since last increase.
SYN Stealth Scan Timing: About 70.85% done; ETC: 22:04 (0:00:57 remaining)
Completed SYN Stealth Scan at 22:05, 245.52s elapsed (1715 total ports)
Initiating Service scan at 22:05
Scanning 2 services on 192.168.15.4
Completed Service scan at 22:05, 5.01s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.15.4
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 22:05
Completed SCRIPT ENGINE at 22:05, 3.03s elapsed
Host 192.168.15.4 appears to be up ... good.
Interesting ports on 192.168.15.4:
Not shown: 1713 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh?
80/tcp open  http?
|_ HTML title: Apache HTTP Server Test Page powered by CentOS
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running: Captor embedded, QNX 4.X
OS details: Captor Omni-Clock (employee timeclock), QNX 4.24
Network Distance: 1 hop

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 257.174 seconds
           Raw packets sent: 3551 (159.250KB) | Rcvd: 5 (226B)
Here is the book's rule set with my changes (iptables-save generated):
Code:
# Generated by iptables-save v1.3.5 on Thu May 14 22:30:48 2009
*nat
:PREROUTING ACCEPT [4:388]
:POSTROUTING ACCEPT [9:608]
:OUTPUT ACCEPT [49:3008]
COMMIT
# Completed on Thu May 14 22:30:48 2009
# Generated by iptables-save v1.3.5 on Thu May 14 22:30:48 2009
*filter
:INPUT DROP [1:236]
:FORWARD DROP [0:0]
:OUTPUT DROP [16:960]
-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s ! 192.168.15.0/255.255.255.0 -i eth0 -j LOG --log-prefix "SPOOFED PKT " 
-A INPUT -s ! 192.168.15.0/255.255.255.0 -i eth0 -j DROP 
-A INPUT -s 192.168.15.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT 
-A INPUT -s 192.168.15.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options 
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options 
-A OUTPUT -m state --state INVALID -j DROP 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 43 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 4321 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -j LOG
-A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options 
COMMIT
# Completed on Thu May 14 22:30:48 2009
However there is a problem with it. As soon as I initiate an intense scan from nmap, SSH also gets blocked and I cannot reconnect to my server.

Then I tried your script and again initiated an intense scan using nmap, and the output was:
Code:
Starting Nmap 4.68 ( http://nmap.org ) at 2009-05-14 22:36 West Asia Standard Time
Initiating ARP Ping Scan at 22:36
Scanning 192.168.15.4 [1 port]
Completed ARP Ping Scan at 22:36, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:36
Completed Parallel DNS resolution of 1 host. at 22:36, 0.09s elapsed
Initiating SYN Stealth Scan at 22:36
Scanning 192.168.15.4 [1715 ports]
Discovered open port 22/tcp on 192.168.15.4
Completed SYN Stealth Scan at 22:36, 11.59s elapsed (1715 total ports)
Initiating Service scan at 22:36
Scanning 1 service on 192.168.15.4
Completed Service scan at 22:36, 5.01s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.15.4
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 22:36
Completed SCRIPT ENGINE at 22:37, 51.04s elapsed
Host 192.168.15.4 appears to be up ... good.
Interesting ports on 192.168.15.4:
Not shown: 1714 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose
Running: Captor embedded, QNX 4.X
OS details: Captor Omni-Clock (employee timeclock), QNX 4.24
Network Distance: 1 hop

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.273 seconds
           Raw packets sent: 3504 (157.182KB) | Rcvd: 3 (160B)
But this time SSH was not blocked. Of course, I have seen that there is a lot of difference between your (iptables-save generated) rule set and the book's rule set. I can understand only some parts of the iptables rules, but not all.

Can you tell me where in my given rule set I should make changes so that legitimate connections such as SSH are not blocked?

Also do you have a tutorial on iptables?
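What psad does with the lines that the "DROP " prefixed LOG rules in the rule set above produce can be shown in a short script. The following Python is an added example written for this thread, not psad's code and not anything posted by Vivek or Cyborg_sa: it parses kernel netfilter LOG lines of that format, groups them by source address, flags a source that reaches a threshold of distinct destination ports inside a sliding time window, and lists the most-hit ports the way the "Top 20 scanned ports" section of psad -S does. Every sample log line is constructed: the host name cybertron and the 192.168.15.0/24 addresses follow the thread, while the scanning host 192.168.15.10, the retrying host 192.168.15.20 and all other field values are made up. The input also illustrates a property of the rule set above: a packet that matches the RELATED,ESTABLISHED ACCEPT rule never reaches a LOG rule, so an SSH session that is already open produces no lines here at all; only probes that fall through to the catch-all LOG rule do.

```python
"""Turn iptables LOG lines into the per-source port counts psad reports.

Constructed example for this thread (not psad's code). A line logged by the
"DROP " rule in the thread's rule set looks like:
  May 14 22:01:03 cybertron kernel: DROP IN=eth0 OUT= MAC=... SRC=192.168.15.10
  DST=192.168.15.4 LEN=44 ... PROTO=TCP SPT=61234 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"(?P<prefix>.*?)IN=(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")                   # KEY=value tokens
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")  # bare TCP flag tokens


def parse_log_line(line, year=2009):
    """Parse one netfilter LOG line; any other syslog line returns None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall("IN=" + m.group("rest")))
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year),
        "prefix": m.group("prefix").strip(),          # "DROP", "DROP INVALID", ...
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,  # ICMP has no DPT
        "flags": frozenset(FLAG_RE.findall(m.group("rest"))),
    }


def detect_scans(events, threshold=5, window=60):
    """{src: most distinct destination ports seen inside any `window`-second span}
    for every source that reached `threshold` distinct ports."""
    by_src = defaultdict(list)
    for e in events:
        if e["dpt"] is not None:
            by_src[e["src"]].append((e["ts"], e["dpt"]))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window, lo = Counter(), 0
        for ts, dpt in hits:
            in_window[dpt] += 1
            # drop hits that fell out of the window on the left
            while (ts - hits[lo][0]).total_seconds() > window:
                old = hits[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


def top_scanned_ports(events, n=20):
    """(port, hits) pairs, most logged first, like 'Top 20 scanned ports' in psad -S."""
    return Counter(e["dpt"] for e in events if e["dpt"] is not None).most_common(n)


def parse_log(text):
    """All netfilter events in a syslog excerpt, in file order."""
    return [e for e in map(parse_log_line, text.splitlines()) if e]


def _fw_line(ts, src, proto_fields, prefix="DROP "):
    """Build one constructed LOG line in the kernel's netfilter format."""
    return (f"May 14 {ts} cybertron kernel: {prefix}IN=eth0 OUT= "
            f"MAC=00:0c:29:aa:bb:cc:00:1d:7d:11:22:33:08:00 SRC={src} DST=192.168.15.4 "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=10001 {proto_fields}")


# Constructed sample syslog excerpt: 192.168.15.10 probes seven ports in
# five seconds, 192.168.15.20 retries one closed port twice and sends an
# ICMP unreachable, and an unrelated sshd line is there for the parser to skip.
SAMPLE_LOG = "\n".join(
    [_fw_line(f"22:01:0{s}", "192.168.15.10",
              f"PROTO=TCP SPT=61234 DPT={p} WINDOW=1024 RES=0x00 SYN URGP=0")
     for s, p in zip((3, 4, 4, 5, 6, 6, 7), (21, 23, 25, 111, 443, 3306, 8080))]
    + ["May 14 22:02:00 cybertron sshd[2201]: Accepted publickey for admin from 192.168.15.20 port 51234 ssh2",
       _fw_line("22:03:10", "192.168.15.20", "PROTO=TCP SPT=50000 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0"),
       _fw_line("22:03:41", "192.168.15.20", "PROTO=TCP SPT=50001 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0"),
       _fw_line("22:03:42", "192.168.15.20", "PROTO=ICMP TYPE=3 CODE=3")])

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("scan sources:", detect_scans(events))   # {'192.168.15.10': 7}
    print("top ports:", top_scanned_ports(events, 5))
```

On a CentOS box the same lines come from /var/log/messages; replacing SAMPLE_LOG with the file contents is the only change needed. The threshold and window are the knobs to tune: a host that legitimately retries one port many times never trips the distinct-port count, which is why the retrying host above is not reported.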

Tags: linux, networking, nmap, security