-
June 8th, 2005, 09:55 PM
#21
To be quite honest, (and to remain on the topic of "how to defend against scans"), there is no defense against many of the information gathering techniques because, in its own way, no information is information in itself.
Example. Bill Nasty hates a co-worker and wants to hack into his home computer to get information. Joe Victim has a Linksys BEFSR41 router/firewall, (NAT), in front of his computer. Bill sends an email with an embedded link to his web server and waits for Joe to open it to find Joe's IP address. When it is opened Bill NMaps the reported IP address without even using OS guessing. He gets no response and NMAP indicates that all ports are filtered or that the computer is down. Bill knows it isn't down because Joe told him he leaves it on constantly. Reasonable conclusion: Bill can conclude that the computer is most probably behind a consumer grade router with no ports forwarded to the internal, and therefore NAT'ed, machine.
That's information... Turn on OS Guessing in later versions of NMap and it will include the LinkSys in its short list of guesses for the target machine..... But if Bill is reasonably knowledgeable he didn't really need the OS Guessing ability of NMap. He worked out the consumer grade router pretty much on his own.
If he was smart he would have fired up p0f when he sent the email and waited till he had the IP address of Joe. Then, by looking in the p0f log and matching the IP addresses he would see the operating system of Joe's computer behind the firewall..... Yes, he bypassed the protections that the firewall afforded Joe in protecting his OS type from outside snooping and now has a rather accurate idea of the internal OS right down to the SP level..... The fun thing is that p0f is undetectable.... I use it 24/7 for every incoming connection but you'll never know it's there, the NIC won't respond to any stimulus unless you are on the same subnet.
[EDIT]
Nice post Frosted:
sorry to use the word stealth TS
I don't mind the use of the word "stealth" when it is used appropriately. In the case of a stealth scan you are doing something "magical" (or, at least, you used to be): you were avoiding many logging systems, though this is no longer the case.
As to the effectiveness of NMap FIN, Xmas, etc. scans, Snort alerts on them very nicely...
[/EDIT]
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
June 8th, 2005, 10:16 PM
#22
[Bookmark for later fun and tweakage]
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .: Bring OS X to x86!:.
And no one can recall the gentle features in the queen's face that fair day, when the land here rested in holy peace and everyone had love to love with.
-
June 8th, 2005, 10:39 PM
#23
Why not just go download a Port Scanner detector like Genius?
You can't defend against a Port Scan itself, really, but you can tell when someone does one and you can put up things so the ports aren't open.
-
June 8th, 2005, 10:54 PM
#24
Snort's portscan preprocessor works just fine.... Why add a level of complexity and therefore add resource use for no reason?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
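Since the last few posts lean on Snort to catch both the FIN/Xmas flag tricks and the port sweeps themselves, here is a stripped-down version of that detection logic, as an added example rather than anything from this thread or from Snort's own preprocessor. It runs over a handful of constructed connection records; the log columns, the 60-second/10-port threshold and the sample addresses are all assumptions made for the example.

```python
"""
Port-scan detector over constructed connection records (added example; not code
from the thread or from Snort). It flags the two things the posts above talk
about: TCP flag combinations that only appear in FIN/NULL/Xmas scans, and one
source touching many distinct ports on a host in a short window. The log
format, thresholds and the sample data are all assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample log, not captured traffic. Columns:
# epoch_seconds src dst dport flags  (S=SYN A=ACK F=FIN R=RST P=PSH U=URG, "-"=no flags)
SAMPLE_LOG = """\
1118270100 198.51.100.7 192.0.2.10 22 S
1118270101 198.51.100.7 192.0.2.10 22 A
1118270160 198.51.100.7 192.0.2.10 80 S
1118270140 203.0.113.5 192.0.2.10 21 F
1118270140 203.0.113.5 192.0.2.10 22 F
1118270140 203.0.113.5 192.0.2.10 23 F
1118270141 203.0.113.5 192.0.2.10 25 F
1118270141 203.0.113.5 192.0.2.10 53 F
1118270141 203.0.113.5 192.0.2.10 80 F
1118270142 203.0.113.5 192.0.2.10 110 F
1118270142 203.0.113.5 192.0.2.10 135 F
1118270142 203.0.113.5 192.0.2.10 139 F
1118270143 203.0.113.5 192.0.2.10 143 F
1118270143 203.0.113.5 192.0.2.10 443 F
1118270143 203.0.113.5 192.0.2.10 445 FPU
1118270200 203.0.113.9 192.0.2.10 1000 S
1118270200 203.0.113.9 192.0.2.10 1001 S
1118270200 203.0.113.9 192.0.2.10 1002 S
1118270200 203.0.113.9 192.0.2.10 1003 S
1118270200 203.0.113.9 192.0.2.10 1004 S
1118270201 203.0.113.9 192.0.2.10 1005 S
1118270201 203.0.113.9 192.0.2.10 1006 S
1118270201 203.0.113.9 192.0.2.10 1007 S
1118270201 203.0.113.9 192.0.2.10 1008 S
1118270201 203.0.113.9 192.0.2.10 1009 S
"""

# Flag sets that never occur in a legitimate TCP exchange; a normal probe is a
# bare SYN, which is why a SYN sweep has to be caught by the port count instead.
STEALTH_SIGNATURES = {
    frozenset("FPU"): "xmas",  # FIN+PSH+URG
    frozenset("F"): "fin",     # FIN without ACK
    frozenset(): "null",       # no flags at all
}


def parse_line(line):
    ts, src, dst, dport, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "flags": frozenset() if flags == "-" else frozenset(flags)}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def classify_flags(flags):
    """Return 'xmas', 'fin' or 'null' for a scan-only flag set, else None."""
    return STEALTH_SIGNATURES.get(frozenset(flags))


def find_stealth_packets(records):
    """Per source address, count packets carrying a scan-only flag combination."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        kind = classify_flags(r["flags"])
        if kind:
            counts[r["src"]][kind] += 1
    return {src: dict(kinds) for src, kinds in counts.items()}


def find_port_sweeps(records, window=60, threshold=10):
    """Alert once per (src, dst) that touches >= threshold distinct ports within window seconds."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append((r["ts"], r["dport"]))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window start forward
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "ports": len(ports),
                               "start": events[lo][0], "end": events[hi][0]})
                break  # one alert per pair is enough; the rest is noise
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, kinds in find_stealth_packets(recs).items():
        print(f"scan-only flags from {src}: {kinds}")
    for a in find_port_sweeps(recs):
        print(f"port sweep {a['src']} -> {a['dst']}: {a['ports']} ports in {a['end'] - a['start']}s")
```

The flag check fires on a single packet, so a FIN or Xmas probe is caught even when only one port is touched; the sweep check is what catches a plain SYN or connect scan, where every packet looks ordinary on its own. Both checks sit on the receiving side, which is where the NAT example in post #21 leaves you: the scanner sees nothing, but the packets still arrive at the router, and that is where the logging has to be.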
-
June 8th, 2005, 11:13 PM
#25
If he's a Windows guy and doesn't like configuring Unix tools this is easier.
-
June 9th, 2005, 02:23 AM
#26
*COUGH*
I'm a "Windows guy" and it's a piece of cake...... In Windows.....
Why add the complexity?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
June 9th, 2005, 03:05 AM
#27
Dude, I'm trying to be helpful, if he doesn't feel like running Snort, I made it so he knows there is another.
-
June 9th, 2005, 03:26 AM
#28
Alright, I think we pretty much summed up how to "defend" against port scans. There are many, many different solutions. You should look at your network, the time/resources you have to defend against port scans, and the cost benefits of protection. If you analyze and take some of these things into account, you should be able to come up with an appropriate solution for your needs. Just remember, good hackers always find a way, so don't start thinking once you implement a "solution" that you are now safe. I'm done..
An ancient Chinese man once told me: "The hotter the tea, the bigger the wang."
My tea is extra hot.