SYN Stealth Scan

 
 
Bernd Roth

 
      05-02-2004, 09:05 PM
Hi,

I have written a firewall with iptables.
Now I have a question regarding SYN Stealth Scan!

When I am running Nmap with SYN Stealth Scan, it always finds the services
which I am running.
I tried it with the following entry:

iptables -A INPUT -p tcp --sport 22 ! --syn -j DROP

Nonetheless, it is possible to scan the service.

Is there any possibility to drop this?

If someone can tell me the right entry, please!

Thx,
Bernd Roth


 
Christoph Scheurer

 
      05-03-2004, 05:56 AM
On Sun, 02 May 2004 21:05:10 GMT
"Bernd Roth" <(E-Mail Removed)> wrote:

> Hi,
>
> I have written a firewall with iptables.
> Now I have a question regarding to SYN Stealth Scan!
>
> When I am running Nmap with Syn Stealth Scan he always finds the services
> which I am running.
> I tried it with the following entry:
>
> iptables -A INPUT -p tcp --sport 22 ! --syn -j DROP.
>

Looks good

> Nonetheless, it is possible to scan the service.
>
> Is there any possibility to drop this?
>
> When someone can tell me the right entry please!


IMHO, there is no possibility to block a scan on certain ports without disabling the service it offers. What you can do is, if a scan is detected, block every connection from there. But be warned, it can be forged, e.g. with an ftp-bounce scan.

Greets
Chris
 
Tauno Voipio

 
      05-04-2004, 05:53 PM
Bernd Roth wrote:
> Hi,
>
> I have written a firewall with iptables.
> Now I have a question regarding to SYN Stealth Scan!
>
> When I am running Nmap with Syn Stealth Scan he always finds the services
> which I am running.
> I tried it with the following entry:
>
> iptables -A INPUT -p tcp --sport 22 ! --syn -j DROP.
>
> Nonetheless, it is possible to scan the service.
>


You're blocking the source port here. You probably want to
block the connection to the destination port 22 to
keep the service at port 22 undisturbed.

HTH

Tauno Voipio
tauno voipio @ iki fi
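
Added example (not part of any post in this thread): a small Python model of the port and `--syn` matches, run over constructed packets, showing which traffic the posted rule and a `--dport 22` variant that keeps `! --syn` would drop. The packet names and all port numbers other than 22 are made up; `--syn` is modelled as the iptables documentation defines it, `--tcp-flags SYN,RST,ACK,FIN SYN`.

```python
# Added illustration: minimal model of iptables TCP port and --syn matching.
from dataclasses import dataclass
from typing import Optional

SYN, ACK, RST, FIN = "SYN", "ACK", "RST", "FIN"

@dataclass(frozen=True)
class Packet:
    sport: int
    dport: int
    flags: frozenset

@dataclass(frozen=True)
class Rule:
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None  # True: --syn, False: ! --syn, None: not tested

def is_syn(pkt):
    # --syn: of SYN, RST, ACK and FIN, exactly SYN is set.
    return (pkt.flags & {SYN, ACK, RST, FIN}) == {SYN}

def matches(rule, pkt):
    # Every condition given in the rule must hold, as in an iptables rule.
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.syn is not None and is_syn(pkt) != rule.syn:
        return False
    return True

# Constructed packets arriving on INPUT of the host running sshd.
PACKETS = {
    "scan_probe": Packet(40000, 22, frozenset({SYN})),      # SYN scan probe
    "client_connect": Packet(51000, 22, frozenset({SYN})),  # real client, 1st packet
    "client_data": Packet(51000, 22, frozenset({ACK})),     # same client, later
    "remote_sshd_reply": Packet(22, 33000, frozenset({SYN, ACK})),  # our outbound ssh
}

POSTED = Rule(sport=22, syn=False)  # -p tcp --sport 22 ! --syn -j DROP
DPORT = Rule(dport=22, syn=False)   # assumed variant: --dport 22 ! --syn

def dropped(rule):
    return sorted(name for name, pkt in PACKETS.items() if matches(rule, pkt))

if __name__ == "__main__":
    print("posted rule drops:   ", dropped(POSTED))
    print("--dport variant drops:", dropped(DPORT))
```

Neither rule matches the scan probe, because on the wire it is the same packet as a genuine client's first SYN. The posted rule only drops replies from remote SSH servers, and the `--dport` variant drops the established client's traffic instead.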

 
Alexander Clouter

 
      05-04-2004, 06:54 PM
On 2004-05-04, Tauno Voipio <(E-Mail Removed)> wrote:
> Bernd Roth wrote:
>> Hi,
>>
>> I have written a firewall with iptables.
>> Now I have a question regarding to SYN Stealth Scan!
>>
>> When I am running Nmap with Syn Stealth Scan he always finds the services
>> which I am running.
>> I tried it with the following entry:
>>
>> iptables -A INPUT -p tcp --sport 22 ! --syn -j DROP.
>>
>> Nonetheless, it is possible to scan the service.
>>

>
> You're blocking the source port here. You probably want to
> block the connection to the destination port 22 to
> keep the service at port 22 undisturbed.
>

just to add my £0.02

http://support.metronet.co.uk/adsl/s...s/security.txt

Something I wrote about stealthing ports... please consider not doing so.
Some poor tech guy at your ISP is going to get very annoyed.

Cheers

Alex
 