On Thu, 30 Dec 2004 at 13:18, Chris Brenton wrote:
> On Wed, 2004-12-29 at 18:18, Jorge Agrelo wrote:
> > Can anyone help me to write iptables rules to:
> >
> > * block IP protocol scans (nmap -sO)
>
> When performing a protocol scan, nmap sends an IP packet with no
> transport header. So for example to check for AH support, byte 9 in the
> IP header is set to "51" but no AH header is included in the packet. The
> concept is a system which supports AH will ignore the packet and not
> respond. A system that does not support AH will return an ICMP type 3
> code 2 (protocol unreachable).
>
> So, provided your iptables default policy is "deny all", you should be
> fine.
>

Unless someone does a completely normal connection to maybe port 80 of your
server and uses something like p0f. That's much more effective than the
nmap -sO command. I agree with all the rest.

I also use these rules to drop some kinds of strange TCP flags that
indicate you are having a portscan:

iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL FIN -j DROP
iptables -A PORTSCANDROPLAN -o ppp0 -p tcp --tcp-flags ALL ALL -j DROP

--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
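An added detection example (not code from either poster) that applies the two ideas in this thread to raw IPv4 packets: it flags a protocol-scan probe as a packet whose IP total length leaves no room for a transport header, and it applies the same MASK/COMP semantics as the five `--tcp-flags` rules above. The packets are constructed inline with zeroed checksums, and `build_ipv4`/`build_tcp` are helper names chosen here, not tools from the post.

```python
import struct

# TCP flag bits as they appear in the low six bits of the TCP flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG

# Same meaning as iptables --tcp-flags MASK COMP: among the bits in MASK,
# exactly the bits in COMP must be set.  Order mirrors the posted rules.
BAD_FLAG_RULES = [
    ("ALL FIN,URG,PSH", ALL, FIN | URG | PSH),
    ("SYN,RST SYN,RST", SYN | RST, SYN | RST),
    ("SYN,FIN SYN,FIN", SYN | FIN, SYN | FIN),
    ("ALL FIN", ALL, FIN),
    ("ALL ALL", ALL, ALL),
]

def bad_flag_rules(flags: int) -> list:
    """Names of every posted rule that the given TCP flag byte would match."""
    return [name for name, mask, comp in BAD_FLAG_RULES if flags & mask == comp]

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet: 'malformed', 'proto-scan', 'bad-flags:<rule>' or 'ok'."""
    if len(packet) < 20:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4               # header length incl. options
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]                          # protocol field, as in the post
    # nmap -sO style probe: protocol number set but nothing follows the IP header.
    if total_len <= ihl:
        return "proto-scan"
    if proto == 6:                             # TCP
        tcp = packet[ihl:]
        if len(tcp) < 20:
            return "malformed"
        matches = bad_flag_rules(tcp[13] & 0x3F)
        if matches:                            # first rule wins, like an iptables chain
            return "bad-flags:" + matches[0]
    return "ok"

def build_ipv4(proto: int, payload: bytes = b"") -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

def build_tcp(flags: int) -> bytes:
    """Constructed minimal TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)

if __name__ == "__main__":
    print(classify(build_ipv4(51)))                       # AH probe with no AH header
    print(classify(build_ipv4(6, build_tcp(SYN | FIN))))  # one of the posted flag combos
```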