Re: [pmfirewall] 60000 open port! whoooaaa


From: Patrick Benson (benson@chello.se)
Date: Sat Nov 11 2000 - 15:54:24 PST


Jeremy Brooks wrote:
 
> thanks, but do you know why the DENY action would be picked up by nmap?

Take a look in the man pages for nmap and you will see that there are
some interesting options that it is capable of doing:

http://lrp.steinkuehler.net/Packages/man/nmap.1.man.htm

In the Description area you will see a short explanation on how ports
are considered as filtered-unfiltered, something that Rick Onanian was
asking about earlier. Then compare the TCP connect scan (-sT) with the
TCP SYN scan (-sS), note that if the -sS option receives a SYN|ACK
packet from the remote host it will immediately send an RST to take the
connection down, thereby trying to avoid detection in the remote host's
logs. If you use the Ping scan option (-sP) you would even be able to
detect if a system is up though it's blocking echo-requests. That's why
you have to be careful not to rely too heavily on packets being denied
by the firewall and not feel too secure, the one that is scanning your
system will notice *responses* and if he is good at it he will be able
to deduce, from these responses that he is receiving, how your rulesets
are set up. Blocking packets is quite stateless, while there are tools
out there that are capable of eliciting responses which could actually
be useful for hostile attackers. In this case setting up portsentry,
with heavy port monitoring, would be very discouraging for him...
security is a relative issue, it's what you see in your logs that
determines your next course of action.

-- 
Patrick Benson
Stockholm, Sweden
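
An added example, not part of the original message: a small Python classifier showing what the exchanges described above look like from the defender's side, and why a half-open (-sS style) probe never appears in application connection logs while still being visible at packet level. The packet summaries, addresses, ports and the `min_ports` threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: (client_ip, server_port, tcp_flags) in arrival order,
# as a sniffer or packet log might summarise them. One conversation per
# client/port pair is assumed. S=SYN, SA=SYN|ACK, A=ACK, R=RST, RA=RST|ACK.
SAMPLE = [
    ("192.0.2.10", 22, "S"), ("192.0.2.10", 22, "SA"), ("192.0.2.10", 22, "R"),
    ("192.0.2.10", 25, "S"), ("192.0.2.10", 25, "RA"),
    ("192.0.2.10", 80, "S"), ("192.0.2.10", 80, "SA"), ("192.0.2.10", 80, "R"),
    ("192.0.2.10", 60000, "S"),  # no answer: dropped by a DENY rule
    ("198.51.100.7", 80, "S"), ("198.51.100.7", 80, "SA"), ("198.51.100.7", 80, "A"),
]

def classify(flags):
    """Classify one client/port conversation from its ordered flag list."""
    if flags[:2] == ["S", "SA"]:
        third = flags[2] if len(flags) > 2 else None
        if third == "R":
            return "half-open"   # RST instead of the final ACK: never reaches accept()
        if third == "A":
            return "connected"   # full handshake, what a service log records
        return "incomplete"
    if flags[:2] == ["S", "RA"]:
        return "closed"          # host answered, nothing listening
    if flags == ["S"]:
        return "no-reply"        # silence, which a scanner reads as "filtered"
    return "other"

def summarise(events):
    """Return {client: Counter of conversation classes}."""
    convs = defaultdict(list)
    for client, port, flags in events:
        convs[(client, port)].append(flags)
    per_client = defaultdict(Counter)
    for (client, _port), seq in convs.items():
        per_client[client][classify(seq)] += 1
    return per_client

def suspects(events, min_ports=3):
    """Clients with at least min_ports conversations that never completed."""
    out = []
    for client, counts in summarise(events).items():
        probes = sum(n for kind, n in counts.items() if kind != "connected")
        if probes >= min_ports:
            out.append(client)
    return sorted(out)

if __name__ == "__main__":
    print(dict(summarise(SAMPLE)), suspects(SAMPLE))
```

Every class except "connected" is invisible to a daemon's own log, which is why packet-level monitoring of the kind portsentry does is needed to see the probing at all.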



This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:37:41 PDT