iptables vs. nmap

Post by **bad_brain** » 02 Apr 2006, 06:59

I was playing with my firewall config after I sniffed nmap-packets, target was to confuse the OS fingerprinting.
here´s the result of my redhat home server before the firewall rules:

Code: Select all

Starting Nmap 4.00 ( http://www.insecure.org/nmap ) at 2006-04-01 15:49 Westeuropäische Sommerzeit
Interesting ports on 169.254.246.62:
(The 1666 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
3306/tcp open  mysql
6000/tcp open  X11
MAC Address: 00:11:3B:04:BA:CA (Micronet Communications)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 0.045 days (since Sat Apr 01 14:44:15 2006)

Nmap finished: 1 IP address (1 host up) scanned in 2.375 seconds

here´s the result after applying the firewall rules:

Code: Select all

Starting Nmap 4.00 ( http://www.insecure.org/nmap ) at 2006-04-01 15:49 Westeuropäische Sommerzeit
Interesting ports on 169.254.246.62:
(The 1665 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  closed ftp
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  closed domain
80/tcp  open   http
110/tcp closed pop3
MAC Address: 00:11:3B:04:BA:CA (Micronet Communications)
Device type: general purpose|broadband router|firewall
Running: Linux 2.4.X|2.5.X, D-Link embedded, WatchGuard embedded
OS details: Linux 2.4.0 - 2.5.20, Linux 2.4.18 - 2.4.20, Linux 2.4.26, Linux 2.4.27 or D-Link DSL-500T (running linux 2.4), WatchGuard Firebox X700
Uptime 0.046 days (since Sat Apr 01 14:44:16 2006)

Nmap finished: 1 IP address (1 host up) scanned in 22.188 seconds

it´s not really hiding the OS like ip personality does for example, but it´s at least pretty confusing,right? imo a good basic way to increase security on Linux without the need to compile a new kernel.

if anybody is interested in the rule settings let me know...

FrankB · Post by **FrankB** » 02 Apr 2006, 07:35

Aren't toy affraid that your MAC address is so bltaantly and obscenely exposed ?
I hope you are not on a LAN over there...

--FrankB

Mr n00b for Sir l33t.[/code]

Post by **bad_brain** » 02 Apr 2006, 07:55

it´s my home server, no connection to any other network...

egghead4life · Post by **egghead4life** » 24 Jul 2006, 08:59

if you dont knwo what your doing in CUI (sounds like you dont)
use firestarter- its noob frendly.

a REAL HACKER knows that nmap is not trustworty. It doesnt allways work.
Try to telnet to the open port.

Also ipchains is alot more effective

egghead4life · Post by **egghead4life** » 24 Jul 2006, 09:00

telnet localhost 21 for ftp

firewalls are not allways the best. Nmap will not allways work, even though it sends an IMCP ping to its self.

TRY TELNET FROM YOUR COMPUTER. but nice info for n00bz

Post by **bad_brain** » 24 Jul 2006, 12:50

well, the point was to confuse an nmap scan....

to telnet to a server is useless for info gathering if the server admin set fake banners and disabled HELP (or HELP is not even implemented), you should know if you´re at least a little familiar with server configuration....sounds like you aren´t....