Preventing port scans...
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Preventing port scans...

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    214

    Arrow Preventing port scans...

    Hello everyone,
    Is there some way to setup a firewall to stop the box from responding to port scans? Does a port scanner actually initate each TCP connection like it would, say when you're connecting to a regular web page? If it doesn't, then is there some way to recognize that its a port scanner on the other side and stop the response??
    Either get busy living or get busy dying.

    -The Sawshank Redemption

  2. #2
    Deceased x acidreign x's Avatar
    Join Date
    Jul 2002
    Posts
    455
    If I'm not mistaken pretty much any firewall will do exactly that... speaking of which you should really be running a firewall anyway. Any one is better than none.
    :q :q! :wq :w :w! :wq! :quit :quit! :help help helpquit quit quithelp :quitplease :quitnow :leave :**** ^X^C ^C ^D ^Z ^Q QUITDAMMIT ^[:wq GCS,M);d@;p;c++;l++;u ++ ;e+ ;m++(---) ;s+/+ ;n- ;h* ;f+(--) ;!g ;w+(-) ;t- ;r+(-) ;y+(**)

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    I am running a firewall, but I'm talking about services. If I'm running a web server that's availble to the internet, won't a port scanner detect that as well?
    Either get busy living or get busy dying.

    -The Sawshank Redemption

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    109
    From what I have seen most comercial personal firewalls for Windows have rulesets built in to prevent port scanning.

    Any good firewall that uses stateful packet filtering should be able to be configured to block port scanning.

    Port scanners work in many different ways, Nmap's documentation gives a pretty good description on different portscan methods.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    not really, if your running a web server and a scanner sends a request for a tcp connection to port 80, you server is going to respond. theres no way to stop that. thats why you better know how to secure your box if your going to run a server on the internet.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    Tedob1 is right. When you think about it, a port scan is no different to a legitimate TCP connection. What is the difference between the following?

    - Using a port scanner to scan machine x on port 80.
    - Telnetting to machine x on port 80.
    - Using a browser to access machine x on port 80.

    Thats right, Nothing.

    Any firewall configured correctly, wont "prevent" port scanning, but it will certainly drop packets that you havent specifically allowed through. (Thats what firewalls do!!)

    Again, I whole heartedly agree with Tedob1, and think that it is crucially important to learn how to configure Firewall rules, harden machines before placing them in ANY public environment.
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

  7. #7
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    I agree with Ted and Soggy - good points both of you. Ok, here's the thing, port scanners such as Nmap take advantage of the inherent "weaknesses" in the TCP/IP stack. For example, it is natural for a host's stack to reply to a SYN packet with an ACK, ...and so on and so forth. A scanner will look for the expected response to whatever type of scan it's doing in order to determine if the port in question is indeed open. I highly recommend reading up on Nmap as suggested since it comes with a "small" plethora of scan types to help probe a host. I hope this helps you understand. If you still need help, let us know. That's what AO is here for.
    Opinions are like holes - everybody\'s got\'em.

    Smile

  8. #8
    Banned
    Join Date
    Sep 2001
    Posts
    853
    http://www.psionic.com/products/

    port sentry

    it will detect port scans even stealth scans and do what you want with the ip
    really easy to set up and pretty good in my eyes hope it helps
    rioter

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Have some sort of active IDS which installs realtime rules in the firewall banning IPs?

    Maybe but this is not a very good idea because a malicious user who knows about it might IP spoof a genuine user's IP address and have them firewalled out for scanning.

    Alternatively, have a firewall with a "fake ack" which responds positively to *any* TCP SYN. That way the scanner cannot tell which ports are open and which merely have a phanton syn ack on them (assuming the initial serial number choosing algorithm it uses is the same as the host's own OS)

    That won't stop "full connect" scans, but it will fool syn scans and greatly slow down true connect scans (because the host scanning will wait for the third part of the TCP setup, which will never arrive)

    I have no idea what programs / products have these features but I believe a few do.

    Oh yes, and if you use a fake ack make sure the scan packets never reach the host OS or its RSTs will give the game away

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    There are a couple of things I would recommend, one has already been mentioned:

    psionic portsentry. Set it up to return tons of bogus information, it will not only detect the port scans, but you can set it up to then automatically block that IP (be careful, or you might block yourself). If it returns too much bogus information, the scan is useless.

    Another thing you can do is have a proxying firewall that answers for every port, every IP on your network. AT a minimum it will slow every scan to a crawl and on the up side, it will return every IP is up and every IP has every port open...completely useless to the scanner Of course it is a royal pain in the rear to do that and get it working right, but much more of a pain to the person scanning you (and you might want to just do it for well known ports and deny rest)

    Either way, tons of garbage information will taint the results, possibly so bad that they move on...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •