On Monday 16 February 2004 14:08, Galiatsis Sokratis wrote:

> I want to know if there is a "special" rule which blocks all nmap
> scanning methods. I have something here for fragments, xmas, nmap etc
> but whenever i try to test it my server ports are always shown as open
> instead of stealth. I tried Online Symantec Security Scan and nmapping
> from another host from an external network. Both show the same results.

Are these scans coming from places that should be able to access your services or not?

The whole point of having your ports open is so that people can access what is behind them; the whole point of using nmap to scan is to see what ports are open. The TCP connect scan in nmap connects exactly the same as any other client application would, therefore you'll never completely stop a scan unless you want to block access totally.

Perhaps rate limiting to 5 SYN-only packets (or other, for the special cases) per second might help. This will slow a scan considerably, though you may have to play with the timing:limit ratios.

Blocking invalid packets (those unrelated to existing connections) and packets with flags that are bogus (such as SYN and FIN at the same time, to give a poor example) will also block scans.

David
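The SYN rate limit and the invalid/bogus-flag drops from David's reply, as an added example that is not part of the original thread. It assumes a Linux host with iptables and its `state` and `limit` matches; the interface name, rate and burst are placeholder assumptions set via environment variables. The rules are printed first so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not code from the thread above. Assumptions: Linux with
# iptables; IFACE, SYN_RATE and SYN_BURST are placeholders you adjust.
IFACE="${IFACE:-eth0}"        # external interface (assumed name)
SYN_RATE="${SYN_RATE:-5/s}"   # 5 SYN-only packets per second, as suggested
SYN_BURST="${SYN_BURST:-10}"  # token-bucket burst before the limit bites

# Emit the rules as text so they can be inspected (or tested) before use.
scan_hardening_rules() {
    cat <<EOF
iptables -N SCAN_GUARD
iptables -A INPUT -i $IFACE -j SCAN_GUARD
# Drop packets that belong to no known connection: FIN/NULL/Xmas probes
# arrive with no conntrack entry, so conntrack marks them INVALID.
iptables -A SCAN_GUARD -m state --state INVALID -j DROP
# Drop flag combinations no real TCP stack sends (SYN+FIN is the one
# named in the reply; NULL, Xmas and SYN+RST are the usual companions).
iptables -A SCAN_GUARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A SCAN_GUARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A SCAN_GUARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A SCAN_GUARD -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# Let at most $SYN_RATE new connection attempts (SYN only) through;
# anything beyond that is dropped. "-m limit" is a single global bucket,
# so a fast scan also slows legitimate clients; "-m hashlimit" with
# --hashlimit-mode srcip gives a per-source bucket if that matters.
iptables -A SCAN_GUARD -p tcp --syn -m limit --limit $SYN_RATE --limit-burst $SYN_BURST -j RETURN
iptables -A SCAN_GUARD -p tcp --syn -j DROP
iptables -A SCAN_GUARD -j RETURN
EOF
}

# Apply the rules (needs root); comment lines are stripped first.
apply_scan_hardening() {
    scan_hardening_rules | grep -v '^#' | sh
}

# Review mode: print the rules. Run "apply_scan_hardening" to install them.
scan_hardening_rules
```

Test from another host with a SYN scan and a FIN/Xmas scan and watch the counters with `iptables -L SCAN_GUARD -v -n`; the ports will still show as open to a plain connect scan that stays under the rate, which is the point of the reply.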