Re: Port 80 is shown open in port scan without any web server running

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 30/03/11 16:25, Thomas Bächler wrote:

This comes with our iptables package:

$ cat /etc/iptables/simple_firewall.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT


According to the source from where i got the iptables configuration , the approach is "Block all incoming connections except for established connections, then open only specific ports which you want outside world to connect to".About blocking icmp ping, i quote one website as-is:

Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation
is what they say is true ?

-A INPUT -j REJECT --reject-with icmp-proto-unreachable

isn't this seem redundant ? I mean icmp is allowed, then except for established and related connections, a tcp rst packet is sent for all unwanted tcp traffic and icmp-port-unreachable message is sent for every unwanted udp packets, right ? Then what packets that rule match ?

What is a "malicious port scanner" and how can you stay "secure" from it?

I meant to avoid random packets coming from random machines at random times:

for example:
one random packet from sys.log

IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00 SRC=182.177.140.45 DST=172.16.37.164 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=32623 DF PROTO=TCP SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0


On 30/03/11 16:40, Richard Schütz wrote:
 The output of "ip addr show" would be interesting.

here is the output:

ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 20:cf:30:5a:ea:aa brd ff:ff:ff:ff:ff:ff
    inet 172.16.37.164/26 brd 172.16.37.191 scope global eth0
3: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff


On 30/03/11 16:44, Simon Perry wrote:
So your machine is 172.16.37.164, which you have to configure and tell your ISP because they NAT externally from 115.187.45.97 to many internal 172.16.37.* users?

Therefore more than one person could have an external address of 115.187.45.97 mapping back to their 172.16.37.* IP?

Even though only one person could have 115.187.45.97:80 mapped back to them?

Are you sure about how this works?

With my previous dsl provider , an address in the range 59.93.x.x was assigned to ppp0 interface by authenticating with rp-pppoe software.But now i have to provide the private ip to eth0, authenticate and then visit any website to know my public ip.



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux