On Wednesday 2011-05-04 23:16, netfilter@xxxxxxxxxxxxxx wrote:

>I have seen these rules used to detect a port scan:
>
>iptables -A INPUT -i $INTERFACE --proto tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG --log-prefix "PORT SCAN: " --log-level 6
>iptables -A INPUT -i $INTERFACE --proto tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
>
>It seems to me that this is a legitimate TCP flag combination, unless
>I'm reading the rule wrong.

Bloggers using --tcp-flags to purportedly detect port scans are wasting their time. They could have just used -m conntrack --ctstate INVALID, which should catch bogus flag combinations already.

Secondly, some scan types can use completely RFC-compliant traffic and therefore need a more sophisticated approach (cf. "Detecting and deceiving network scans" PDF).

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
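To make the point of the thread concrete, here is an added example (not code from either poster) that models how iptables evaluates `--tcp-flags MASK COMP` and applies the quoted rule to a handful of constructed flag combinations. The `rfc_bogus` check is a simplified stateless sanity test written for this example, not the kernel's conntrack logic; it shows that the quoted rule fires only on a bare RST, which is a legitimate segment, and fires on none of the combinations no conforming stack would ever send.

```python
"""Model of iptables' --tcp-flags MASK COMP match, applied to the rule quoted
in the thread. All packets below are constructed flag sets, not captures."""

# TCP flag bits as laid out in the TCP header (RFC 793; ECE/CWR from RFC 3168).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
SIX_CLASSIC = 0x3F  # iptables' "ALL" means FIN,SYN,RST,PSH,ACK,URG


def flag_bits(names):
    """Turn an iptables-style list such as 'SYN,ACK,FIN,RST' into a bitmask.
    'ALL' and 'NONE' are accepted with their iptables meaning."""
    if names == "ALL":
        return SIX_CLASSIC
    if names == "NONE":
        return 0
    return sum(FLAGS[n] for n in names.split(","))


def tcp_flags_match(mask, comp, pkt_flags):
    """--tcp-flags MASK COMP: examine only the bits in MASK and require exactly
    the COMP bits to be set among them; bits outside MASK are ignored."""
    return pkt_flags & mask == comp


# The rule from the thread: --tcp-flags SYN,ACK,FIN,RST RST
RULE_MASK = flag_bits("SYN,ACK,FIN,RST")
RULE_COMP = flag_bits("RST")


def rule_matches(flag_names):
    """True when the quoted LOG/DROP rule would fire on a packet with these flags."""
    return tcp_flags_match(RULE_MASK, RULE_COMP, flag_bits(flag_names))


def rfc_bogus(flag_names):
    """Simplified stateless check (this example's own, not conntrack's): SYN
    combined with FIN or RST, no flags at all, or all six classic flags set are
    combinations no conforming TCP stack emits."""
    f = flag_bits(flag_names)
    if f & FLAGS["SYN"] and f & (FLAGS["FIN"] | FLAGS["RST"]):
        return True
    return f & SIX_CLASSIC in (0, SIX_CLASSIC)


def classify(flag_names):
    """Return (rule_fires, looks_bogus) so the two views can be compared."""
    return rule_matches(flag_names), rfc_bogus(flag_names)


if __name__ == "__main__":
    for s in ["RST", "RST,PSH", "RST,ACK", "SYN", "SYN,ACK", "SYN,FIN", "NONE", "ALL"]:
        fires, bogus = classify(s)
        print(f"{s:8} rule fires={fires!s:5} bogus={bogus}")
```

Note that PSH and URG fall outside the rule's mask, so `RST,PSH` also triggers it, while every genuinely malformed combination in the sample passes the rule untouched.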