* [gentoo-server] how to stop tracing
From: widyachacra @ 2008-01-16 12:36 UTC
To: gentoo-server
Dear List friends,
When I scan my own domain from an outside host using the 'nmap' tool it shows
the following results. How do I block this kind of tracing using Linux? Please
help me.
nmap tracing result:
PORT STATE SERVICE VERSION
25/tcp open smtp netqmail smtpd 1.04
53/tcp open domain
80/tcp open http Apache httpd 2.2.6 ((Gentoo))
110/tcp open pop3 Courier pop3d
119/tcp open ssh OpenSSH 4.7 (protocol 2.0)
209/tcp open tam?
443/tcp open http Apache httpd 2.2.6 ((Gentoo))
628/tcp open tcpwrapped
993/tcp open ssl/imap Courier Imapd (released 2005)
995/tcp open ssl/pop3 Courier pop3d
--
---
- Widyachacra Rajapaksha -
* Lots of people make the mistake of thinking that Microsoft is a software
company. That's wrong. Microsoft is an abuse company that uses software as a
method of delivering abuse.
* Never let a woman know that YOU are interested in her.
Love is a wish that hides in your heart, and nobody knows about it but YOU
* Re: [gentoo-server] how to stop tracing
From: Andrew Gaffney @ 2008-01-16 12:44 UTC
To: gentoo-server
widyachacra wrote:
> Dear List friends,
>
> When i scan my own domain from an out side host using 'nmap' tool it
> shows following results. How do i block this kind of tracing using
> linux. Please help me.
You don't. There's no difference between a scanner connecting to a particular
port to determine if something is listening on it and a legitimate user connecting
to that port in order to use that service. However, there are various ways to
slow it down.
The "easiest" method is to just use -P DROP on your INPUT chain in iptables,
which causes iptables to simply drop any incoming packets that aren't explicitly
allowed, which means that the person on the other end has to wait for the TCP
timeout for each packet sent instead of immediately getting a "there's nothing
here" response.
Another way is with iptables's limit module. It allows you to only allow a
certain number of new connection attempts (or any other kind of packet) from a
certain host (or group of hosts) within a certain time period. This will have a
similar effect to the previous method.
The only truly effective way (that I'm aware of) to prevent these port scans is
to have no ports open to scan.
--
Andrew Gaffney http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer Catalyst/Installer + x86 release coordinator
--
gentoo-server@lists.gentoo.org mailing list
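The two measures Andrew describes, written out as an added example (not code from the thread): a DROP policy on INPUT, and new connections rate-limited per source address. It uses the hashlimit match rather than the plain limit match he names, because limit counts all sources together while hashlimit keeps one counter per source IP. The port list is the poster's own from the nmap output; the management range 192.0.2.0/24 is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables ruleset for the two
# measures Andrew describes. INPUT gets a DROP policy, and NEW connections are
# rate-limited per source address with the hashlimit match (the plain "limit"
# match he names counts all sources together; hashlimit is its per-host form).
# Dry-run: IPTABLES=echo sh firewall.sh apply    Real run (as root): sh firewall.sh apply
IPTABLES="${IPTABLES:-iptables}"

# TCP services from the poster's nmap output. 119/tcp (OpenSSH) is handled
# separately and restricted to an assumed management range (TEST-NET-1).
TCP_PORTS="25 53 80 110 443 993 995"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

firewall_apply() {
    $IPTABLES -F INPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # SSH (moved to 119 here) only from the admin range.
    $IPTABLES -A INPUT -p tcp --dport 119 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT

    # Public services: a source may open at most 20 new connections/minute to
    # each port (burst 40). Excess attempts fall through to the DROP policy,
    # so a scanner that hammers the host stalls instead of getting answers.
    for port in $TCP_PORTS; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW \
            -m hashlimit --hashlimit 20/min --hashlimit-burst 40 \
            --hashlimit-mode srcip --hashlimit-name "new_$port" -j ACCEPT
    done
    $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT   # DNS also answers over UDP

    # Log what is about to be dropped, rate-limited so the log cannot be flooded.
    $IPTABLES -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "fw-drop: " --log-level 4

    # Policy last, so an admin session is not cut off while the rules load:
    # unmatched packets are silently dropped (no RST), so a scanner waits for
    # its timeout instead of getting an immediate "nothing here".
    $IPTABLES -P INPUT DROP
}

if [ "${1:-}" = "apply" ]; then
    firewall_apply
fi
```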
* Re: [gentoo-server] how to stop tracing
From: Lindsay Haisley @ 2008-01-16 18:41 UTC
To: gentoo-server
Probably the most security-critical information here is version
information. You can often configure daemons such as the apache server
to hide version information. See, for instance:
www.debianadmin.com/apache-tipshide-apache-information-php-software-version.html
nmap also, I think, does some fairly intelligent analysis of connection
announcements from servers and compares small details in these against
the responses of known software packages and versions of same. Courier
pop3d, for instance, doesn't announce that it's the Courier POP3 daemon
when one connects to port 110, but nmap figures this out just the same.
Otherwise, as Andrew says, you're going to have to live with a certain
amount of exposure by virtue of the fact that you're running servers.
Keep up with security updates and don't do anything silly with your
configurations!
On Wed, 2008-01-16 at 18:06 +0530, widyachacra wrote:
> Dear List friends,
>
> When i scan my own domain from an out side host using 'nmap' tool it
> shows following results. How do i block this kind of tracing using
> linux. Please help me.
>
> nmap tracing result,
>
> PORT STATE SERVICE VERSION
> 25/tcp open smtp netqmail smtpd 1.04
> 53/tcp open domain
> 80/tcp open http Apache httpd 2.2.6 ((Gentoo))
> 110/tcp open pop3 Courier pop3d
> 119/tcp open ssh OpenSSH 4.7 (protocol 2.0)
> 209/tcp open tam?
> 443/tcp open http Apache httpd 2.2.6 ((Gentoo))
> 628/tcp open tcpwrapped
> 993/tcp open ssl/imap Courier Imapd (released 2005)
> 995/tcp open ssl/pop3 Courier pop3d
>
>
> --
> ---
>
> - Widyachacra Rajapaksha -
>
> * Lots of people make the mistake of thinking that Microsoft is a
> software company. That's wrong. Microsoft is an abuse company that
> uses software as a method of delivering abuse.
>
> * Never let a woman know that YOU are interested in her.
> Love is a wish that hides in your heart, and nobody knows about it but
> YOU
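To see what Lindsay's point means in practice, here is an added example (not from the thread) that triages an `nmap -sV` port table: for each open port it reports whether a product/version banner was obtained and whether the fingerprinted service is the one normally expected on that port. The expected-service table covers the ports from the poster's scan and is an assumption of this example; the sample input is the poster's own table.

```shell
#!/bin/sh
# Added example, not from the thread: triage an "nmap -sV" port table the way
# Lindsay reads it. For every open port it reports whether the scanner got a
# product/version banner and whether the fingerprinted service is the one
# usually found on that port (ssh on 119/tcp: moving a daemon to an odd port
# hides nothing from service detection).
# Usage: nmap -sV host | sh triage.sh      or: sh triage.sh scan.txt

# Ports seen in the poster's scan and the service normally expected there.
EXPECTED="25:smtp 53:domain 80:http 110:pop3 119:nntp 443:http 993:imap 995:pop3"

triage_ports() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); want[kv[1]] = kv[2] }
    }
    # table rows look like: 80/tcp open http Apache httpd 2.2.6 ((Gentoo))
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        split($1, p, "/"); port = p[1]
        svc = $3; sub(/^ssl\//, "", svc)          # "ssl/imap" -> "imap"
        banner = ""
        for (i = 4; i <= NF; i++) banner = banner (i > 4 ? " " : "") $i
        leak = (banner == "") ? "no-banner" : "BANNER"
        mism = "ok"; if (port in want && want[port] != svc) mism = "UNEXPECTED(" want[port] ")"
        printf "%s %s %s %s%s\n", $1, svc, mism, leak, (banner == "" ? "" : " [" banner "]")
    }' "$@"
}

# Constructed sample: the table from the original post.
SAMPLE='PORT STATE SERVICE VERSION
25/tcp open smtp netqmail smtpd 1.04
53/tcp open domain
80/tcp open http Apache httpd 2.2.6 ((Gentoo))
110/tcp open pop3 Courier pop3d
119/tcp open ssh OpenSSH 4.7 (protocol 2.0)
209/tcp open tam?
443/tcp open http Apache httpd 2.2.6 ((Gentoo))
628/tcp open tcpwrapped
993/tcp open ssl/imap Courier Imapd (released 2005)
995/tcp open ssl/pop3 Courier pop3d'

if [ $# -gt 0 ]; then triage_ports "$@"; else printf '%s\n' "$SAMPLE" | triage_ports; fi
```

Seven of the ten ports hand the scanner a banner, which is the exposure Lindsay is talking about; the 119/tcp row shows that the relocated SSH daemon is still identified.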
* RE: [gentoo-server] how to stop tracing
From: Tom Grace @ 2008-01-16 20:05 UTC
To: gentoo-server
Hello, you could also investigate psad, the port scan attack detector. AFAIK it will do dynamic firewall configuration. You could block connections from those scanning you. L8r, tom
* Re: [gentoo-server] how to stop tracing
From: Christopher Dale @ 2008-01-16 21:26 UTC
To: gentoo-server
widyachacra wrote:
> Dear List friends,
>
> When i scan my own domain from an out side host using 'nmap' tool it shows
> following results. How do i block this kind of tracing using linux. Please
> help me.
>
> nmap tracing result,
>
> PORT STATE SERVICE VERSION
> 25/tcp open smtp netqmail smtpd 1.04
> 53/tcp open domain
> 80/tcp open http Apache httpd 2.2.6 ((Gentoo))
> 110/tcp open pop3 Courier pop3d
> 119/tcp open ssh OpenSSH 4.7 (protocol 2.0)
> 209/tcp open tam?
> 443/tcp open http Apache httpd 2.2.6 ((Gentoo))
> 628/tcp open tcpwrapped
> 993/tcp open ssl/imap Courier Imapd (released 2005)
> 995/tcp open ssl/pop3 Courier pop3d
>
>
>
Hi Widyachacra,
Great question and one that I have had in the past also. In a previous
post to the gentoo mailing list, someone suggested that port knocking be
used as a means of securing through obscurity. After looking at it
(http://www.portknocking.org), I've found that it's a wonderful means to
a personal server's security when exposed to the world wide web.
All the best in your attempts to obfuscate your server's open ports! :)
Chrelad
* Re: [gentoo-server] how to stop tracing
From: Andrew Gaffney @ 2008-01-16 21:52 UTC
To: gentoo-server
Christopher Dale wrote:
> widyachacra wrote:
>> Dear List friends,
>>
>> When i scan my own domain from an out side host using 'nmap' tool it shows
>> following results. How do i block this kind of tracing using linux. Please
>> help me.
>>
>> nmap tracing result,
>>
>> PORT STATE SERVICE VERSION
>> 25/tcp open smtp netqmail smtpd 1.04
>> 53/tcp open domain
>> 80/tcp open http Apache httpd 2.2.6 ((Gentoo))
>> 110/tcp open pop3 Courier pop3d
>> 119/tcp open ssh OpenSSH 4.7 (protocol 2.0)
>> 209/tcp open tam?
>> 443/tcp open http Apache httpd 2.2.6 ((Gentoo))
>> 628/tcp open tcpwrapped
>> 993/tcp open ssl/imap Courier Imapd (released 2005)
>> 995/tcp open ssl/pop3 Courier pop3d
>>
>>
>>
> Hi Widyachacra,
>
> Great question and one that I have had in the past also. In a previous
> post to the gentoo mailing list, someone suggested that port knocking be
> used as a means of securing through obscurity. After looking at it
> (http://www.portknocking.org), I've found that it's a wonderful means to
> a personal server's security when exposed to the world wide web.
>
> All the best in your attempts to obfuscate your server's open ports! :)
Unfortunately, this *only* works when it's a private server. This is not an
acceptable solution on a server accessed by the "public".
--
Andrew Gaffney http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer Catalyst/Installer + x86 release coordinator
* Re: [gentoo-server] how to stop tracing
From: Mark Rudholm @ 2008-01-16 22:00 UTC
To: gentoo-server
Christopher Dale wrote:
> widyachacra wrote:
>> Dear List friends,
>>
>> When i scan my own domain from an out side host using 'nmap' tool it shows
>> following results. How do i block this kind of tracing using linux. Please
>> help me.
>>
>> nmap tracing result,
>>
>> PORT STATE SERVICE VERSION
>> 25/tcp open smtp netqmail smtpd 1.04
>> 53/tcp open domain
>> 80/tcp open http Apache httpd 2.2.6 ((Gentoo))
>> 110/tcp open pop3 Courier pop3d
>> 119/tcp open ssh OpenSSH 4.7 (protocol 2.0)
>> 209/tcp open tam?
>> 443/tcp open http Apache httpd 2.2.6 ((Gentoo))
>> 628/tcp open tcpwrapped
>> 993/tcp open ssl/imap Courier Imapd (released 2005)
>> 995/tcp open ssl/pop3 Courier pop3d
>>
>>
>>
> Hi Widyachacra,
>
> Great question and one that I have had in the past also. In a previous
> post to the gentoo mailing list, someone suggested that port knocking be
> used as a means of securing through obscurity. After looking at it
> (http://www.portknocking.org), I've found that it's a wonderful means to
> a personal server's security when exposed to the world wide web.
Exposed to the what?
* Re: [gentoo-server] how to stop tracing
From: RijilV @ 2008-01-16 22:04 UTC
To: gentoo-server
On 16/01/2008, Mark Rudholm <rudholm@hyperreal.org> wrote:
>
>
> > a personal server's security when exposed to the world wide web.
>
> Exposed to the what?
> --
>
Haven't you heard? It's really cool!
http://en.wikipedia.org/wiki/Interweb
* Re: [gentoo-server] how to stop tracing
From: A. Khattri @ 2008-01-17 21:48 UTC
To: gentoo-server
On Wed, 16 Jan 2008, Mark Rudholm wrote:
>> (http://www.portknocking.org), I've found that it's a wonderful means to
>> a personal server's security when exposed to the world wide web.
>
> Exposed to the what?
Unbelievable.
--
A