[gentoo-server] how to stop tracing

public inbox for gentoo-server@lists.gentoo.org
 help / color / mirror / Atom feed

* [gentoo-server] how to stop tracing
@ 2008-01-16 12:36 widyachacra
  2008-01-16 12:44 ` Andrew Gaffney
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: widyachacra @ 2008-01-16 12:36 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 1010 bytes --]

Dear List friends,

When i scan my own domain from an out side host using 'nmap' tool it shows
following results. How do i block this kind of tracing using linux. Please
help me.

nmap tracing result,

PORT    STATE SERVICE    VERSION
25/tcp  open  smtp       netqmail smtpd 1.04
53/tcp  open  domain
80/tcp  open  http       Apache httpd 2.2.6 ((Gentoo))
110/tcp open  pop3       Courier pop3d
119/tcp open  ssh        OpenSSH 4.7 (protocol 2.0)
209/tcp open  tam?
443/tcp open  http       Apache httpd 2.2.6 ((Gentoo))
628/tcp open  tcpwrapped
993/tcp open  ssl/imap   Courier Imapd (released 2005)
995/tcp open  ssl/pop3   Courier pop3d

-- 
---

- Widyachacra Rajapaksha -

*  Lots of people make the mistake of thinking that Microsoft is a software
company. That's wrong. Microsoft is an abuse company that uses software as a
method of delivering abuse.

* Never let a woman know that YOU are interested in her.
Love is a wish that hides in your heart, and nobody knows about it but YOU
Reply With Quote

[-- Attachment #2: Type: text/html, Size: 1397 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [gentoo-server] how to stop tracing
  2008-01-16 12:36 [gentoo-server] how to stop tracing widyachacra
@ 2008-01-16 12:44 ` Andrew Gaffney
  2008-01-16 18:41 ` Lindsay Haisley
  2008-01-16 21:26 ` Christopher Dale
  2 siblings, 0 replies; 9+ messages in thread
From: Andrew Gaffney @ 2008-01-16 12:44 UTC (permalink / raw
  To: gentoo-server

widyachacra wrote:
> Dear List friends,
> 
> When i scan my own domain from an out side host using 'nmap' tool it 
> shows following results. How do i block this kind of tracing using 
> linux. Please help me.

You don't. There's no difference between a scanner connecting to a particular 
port to determine if something listening on it and a legitimate user connecting 
to that port in order to use that service. However, there are various ways to 
slow it down.

The "easiest" method is to just use -P DROP on your INPUT chain in iptables, 
which causes iptables to simply drop any incoming packets that aren't explicitly 
allowed, which means that the person on the other end has to wait for the TCP 
timeout for each packet sent instead of immediately getting a "there's nothing 
here" response.

Another way is with iptables's limit module. It allows you to only allow a 
certain number of new connection attempts (or any other kind of packet) from a 
certain host (or group of hosts) within a certain time period. This will have a 
similar effect to the previous method.

The only truly effective way (that I'm aware of) to prevent these port scans is 
to have no ports open to scan.

-- 
Andrew Gaffney                                 http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer             Catalyst/Installer + x86 release coordinator
-- 
gentoo-server@lists.gentoo.org mailing list

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [gentoo-server] how to stop tracing
  2008-01-16 12:36 [gentoo-server] how to stop tracing widyachacra
  2008-01-16 12:44 ` Andrew Gaffney
@ 2008-01-16 18:41 ` Lindsay Haisley
  2008-01-16 21:26 ` Christopher Dale
  2 siblings, 0 replies; 9+ messages in thread
From: Lindsay Haisley @ 2008-01-16 18:41 UTC (permalink / raw
  To: gentoo-server

Probably the most security-critical information here is version
information.  You can often configure daemons such as the apache server
to hide version information.  See, for instance:

www.debianadmin.com/apache-tipshide-apache-information-php-software-version.html

nmap also, I think, does some fairly intelligent analysis of connection
announcements from servers and compares small details in these against
the responses of known software packages and versions of same.  Courier
pop3d, for instance, doesn't announce that it's the Courier POP3 daemon
when one connects to port 110, but nmap figures this out just the same.

Otherwise, as Andrew says, you're going to have to live with a certain
amount of exposure by virtue of the fact that you're running servers.
Keep up with security updates and don't do anything silly with your
configurations!

On Wed, 2008-01-16 at 18:06 +0530, widyachacra wrote:
> Dear List friends,
> 
> When i scan my own domain from an out side host using 'nmap' tool it
> shows following results. How do i block this kind of tracing using
> linux. Please help me.
> 
> nmap tracing result,
> 
> PORT    STATE SERVICE    VERSION
> 25/tcp  open  smtp       netqmail smtpd 1.04
> 53/tcp  open  domain
> 80/tcp  open  http       Apache httpd 2.2.6 ((Gentoo))
> 110/tcp open  pop3       Courier pop3d
> 119/tcp open  ssh        OpenSSH 4.7 (protocol 2.0)
> 209/tcp open  tam?
> 443/tcp open  http       Apache httpd 2.2.6 ((Gentoo))
> 628/tcp open  tcpwrapped
> 993/tcp open  ssl/imap   Courier Imapd (released 2005)
> 995/tcp open  ssl/pop3   Courier pop3d 
> 
> 
> -- 
> ---
> 
> - Widyachacra Rajapaksha -
> 
> *  Lots of people make the mistake of thinking that Microsoft is a
> software company. That's wrong. Microsoft is an abuse company that
> uses software as a method of delivering abuse. 
> 
> * Never let a woman know that YOU are interested in her.
> Love is a wish that hides in your heart, and nobody knows about it but
> YOU
> Reply With Quote

-- 
gentoo-server@lists.gentoo.org mailing list

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [gentoo-server] how to stop tracing
  2008-01-16 12:36 [gentoo-server] how to stop tracing widyachacra
  2008-01-16 12:44 ` Andrew Gaffney
  2008-01-16 18:41 ` Lindsay Haisley
@ 2008-01-16 21:26 ` Christopher Dale
  2008-01-16 21:52   ` Andrew Gaffney
  2008-01-16 22:00   ` Mark Rudholm
  2 siblings, 2 replies; 9+ messages in thread
From: Christopher Dale @ 2008-01-16 21:26 UTC (permalink / raw
  To: gentoo-server

widyachacra wrote:
> Dear List friends,
>
> When i scan my own domain from an out side host using 'nmap' tool it shows
> following results. How do i block this kind of tracing using linux. Please
> help me.
>
> nmap tracing result,
>
> PORT    STATE SERVICE    VERSION
> 25/tcp  open  smtp       netqmail smtpd 1.04
> 53/tcp  open  domain
> 80/tcp  open  http       Apache httpd 2.2.6 ((Gentoo))
> 110/tcp open  pop3       Courier pop3d
> 119/tcp open  ssh        OpenSSH 4.7 (protocol 2.0)
> 209/tcp open  tam?
> 443/tcp open  http       Apache httpd 2.2.6 ((Gentoo))
> 628/tcp open  tcpwrapped
> 993/tcp open  ssl/imap   Courier Imapd (released 2005)
> 995/tcp open  ssl/pop3   Courier pop3d
>
>
>   
Hi Widyachacra,

Great question and one that I have had in the past also. In a previous
post to the gentoo mailing list, someone suggested that port knocking be
used as a means of securing through obscurity. After looking at it
(http://www.portknocking.org), I've found that it's a wonderful means to
a personal server's security when exposed to the world wide web.

All the best in your attempts to obfuscate your server's open ports! :)

Chrelad
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [gentoo-server] how to stop tracing
  2008-01-16 21:26 ` Christopher Dale
@ 2008-01-16 21:52   ` Andrew Gaffney
  2008-01-16 22:00   ` Mark Rudholm
  1 sibling, 0 replies; 9+ messages in thread
From: Andrew Gaffney @ 2008-01-16 21:52 UTC (permalink / raw
  To: gentoo-server

Christopher Dale wrote:
> widyachacra wrote:
>> Dear List friends,
>>
>> When i scan my own domain from an out side host using 'nmap' tool it shows
>> following results. How do i block this kind of tracing using linux. Please
>> help me.
>>
>> nmap tracing result,
>>
>> PORT    STATE SERVICE    VERSION
>> 25/tcp  open  smtp       netqmail smtpd 1.04
>> 53/tcp  open  domain
>> 80/tcp  open  http       Apache httpd 2.2.6 ((Gentoo))
>> 110/tcp open  pop3       Courier pop3d
>> 119/tcp open  ssh        OpenSSH 4.7 (protocol 2.0)
>> 209/tcp open  tam?
>> 443/tcp open  http       Apache httpd 2.2.6 ((Gentoo))
>> 628/tcp open  tcpwrapped
>> 993/tcp open  ssl/imap   Courier Imapd (released 2005)
>> 995/tcp open  ssl/pop3   Courier pop3d
>>
>>
>>   
> Hi Widyachacra,
> 
> Great question and one that I have had in the past also. In a previous
> post to the gentoo mailing list, someone suggested that port knocking be
> used as a means of securing through obscurity. After looking at it
> (http://www.portknocking.org), I've found that it's a wonderful means to
> a personal server's security when exposed to the world wide web.
> 
> All the best in your attempts to obfuscate your server's open ports! :)

Unfortunately, this *only* works when it's a private server. This is not an 
acceptable solution on a server accessed by the "public".

-- 
Andrew Gaffney                                 http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer             Catalyst/Installer + x86 release coordinator
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [gentoo-server] how to stop tracing
  2008-01-16 21:26 ` Christopher Dale
  2008-01-16 21:52   ` Andrew Gaffney
@ 2008-01-16 22:00   ` Mark Rudholm
  2008-01-16 22:04     ` RijilV
  2008-01-17 21:48     ` A. Khattri
  1 sibling, 2 replies; 9+ messages in thread
From: Mark Rudholm @ 2008-01-16 22:00 UTC (permalink / raw
  To: gentoo-server

Christopher Dale wrote:
> widyachacra wrote:
>> Dear List friends,
>>
>> When i scan my own domain from an out side host using 'nmap' tool it shows
>> following results. How do i block this kind of tracing using linux. Please
>> help me.
>>
>> nmap tracing result,
>>
>> PORT    STATE SERVICE    VERSION
>> 25/tcp  open  smtp       netqmail smtpd 1.04
>> 53/tcp  open  domain
>> 80/tcp  open  http       Apache httpd 2.2.6 ((Gentoo))
>> 110/tcp open  pop3       Courier pop3d
>> 119/tcp open  ssh        OpenSSH 4.7 (protocol 2.0)
>> 209/tcp open  tam?
>> 443/tcp open  http       Apache httpd 2.2.6 ((Gentoo))
>> 628/tcp open  tcpwrapped
>> 993/tcp open  ssl/imap   Courier Imapd (released 2005)
>> 995/tcp open  ssl/pop3   Courier pop3d
>>
>>
>>   
> Hi Widyachacra,
> 
> Great question and one that I have had in the past also. In a previous
> post to the gentoo mailing list, someone suggested that port knocking be
> used as a means of securing through obscurity. After looking at it
> (http://www.portknocking.org), I've found that it's a wonderful means to
> a personal server's security when exposed to the world wide web.

Exposed to the what?
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [gentoo-server] how to stop tracing
  2008-01-16 22:00   ` Mark Rudholm
@ 2008-01-16 22:04     ` RijilV
  2008-01-17 21:48     ` A. Khattri
  1 sibling, 0 replies; 9+ messages in thread
From: RijilV @ 2008-01-16 22:04 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 241 bytes --]

On 16/01/2008, Mark Rudholm <rudholm@hyperreal.org> wrote:
>
>
> > a personal server's security when exposed to the world wide web.
>
> Exposed to the what?
> --
>

Haven't you heard?  Its really cool!

http://en.wikipedia.org/wiki/Interweb

[-- Attachment #2: Type: text/html, Size: 593 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [gentoo-server] how to stop tracing
  2008-01-16 22:00   ` Mark Rudholm
  2008-01-16 22:04     ` RijilV
@ 2008-01-17 21:48     ` A. Khattri
  1 sibling, 0 replies; 9+ messages in thread
From: A. Khattri @ 2008-01-17 21:48 UTC (permalink / raw
  To: gentoo-server

On Wed, 16 Jan 2008, Mark Rudholm wrote:

>> (http://www.portknocking.org), I've found that it's a wonderful means to
>> a personal server's security when exposed to the world wide web.
>
> Exposed to the what?

Unbelievable.



-- 
A
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 9+ messages in thread

* RE: [gentoo-server] how to stop tracing
@ 2008-01-16 20:05 Tom Grace
  0 siblings, 0 replies; 9+ messages in thread
From: Tom Grace @ 2008-01-16 20:05 UTC (permalink / raw
  To: gentoo-server

Hello, you could also investigate psad the port scan attack detector. Afaik it will do dynamic firewall configuration. You could block connections from those scanning you. L8r, tom 

---Original Email---
From:Lindsay Haisley <fmouse-gentoo@fmp.com>
Date:16/01/2008 18:41
To:gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] how to stop tracing

Probably the most security-critical information here is version
information.  You can often configure daemons such as the apache server
to hide version information.  See, for instance:

www.debianadmin.com/apache-tipshide-apache-information-php-software-version.html

nmap also, I think, does some fairly intelligent analysis of connection
announcements from servers and compares small details in these against
the responses of known software packages and versions of same.  Courier
pop3d, for instance, doesn't announce that it's the Courier POP3 daemon
when one connects to port 110, but nmap figures this out just the same.

Otherwise, as Andrew says, you're going to have to live with a certain
amount of exposure by virtue of the fact that you're running servers.
Keep up with security updates and don't do anything silly with your
configurations!

On Wed, 2008-01-16 at 18:06 +0530, widyachacra wrote:
> Dear List friends,
> 
> When i scan my own domain from an out side host using 'nmap' tool it
> shows following results. How do i block this kind of tracing using
> linux. Please help me.
> 
> nmap tracing result,
> 
> PORT    STATE SERVICE    VERSION
> 25/tcp  open  smtp       netqmail smtpd 1.04
> 53/tcp  open  domain
> 80/tcp  open  http       Apache httpd 2.2.6 ((Gentoo))
> 110/tcp open  pop3       Courier pop3d
> 119/tcp open  ssh        OpenSSH 4.7 (protocol 2.0)
> 209/tcp open  tam?
> 443/tcp open  http       Apache httpd 2.2.6 ((Gentoo))
> 628/tcp open  tcpwrapped
> 993/tcp open  ssl/imap   Courier Imapd (released 2005)
> 995/tcp open  ssl/pop3   Courier pop3d 
> 
> 
> -- 
> ---
> 
> - Widyachacra Rajapaksha -
> 
> *  Lots of people make the mistake of thinking that Microsoft is a
> software company. That's wrong. Microsoft is an abuse company that
> uses software as a method of delivering abuse. 
> 
> * Never let a woman know that YOU are interested in her.
> Love is a wish that hides in your heart, and nobody knows about it but
> YOU
> Reply With Quote

-- 
gentoo-server@lists.gentoo.org mailing list

-- 
gentoo-server@lists.gentoo.org mailing list

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2008-01-17 21:49 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-01-16 12:36 [gentoo-server] how to stop tracing widyachacra
2008-01-16 12:44 ` Andrew Gaffney
2008-01-16 18:41 ` Lindsay Haisley
2008-01-16 21:26 ` Christopher Dale
2008-01-16 21:52   ` Andrew Gaffney
2008-01-16 22:00   ` Mark Rudholm
2008-01-16 22:04     ` RijilV
2008-01-17 21:48     ` A. Khattri
  -- strict thread matches above, loose matches on Subject: below --
2008-01-16 20:05 Tom Grace

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox