Jo, On 06-Sep-01 dog@intop.net wrote:
You can use a REJECT instead of DENY for the ipchains rule and your machine will not appear to even be online. If you use the deny rule, they can still tell what ports you have open, but cannot connect to them.
For the record, ipchains REJECT sends out ICMP type 3 (host/port unreachable) messages to the client, telling him to stop sending packets because there is no service on the port the client is hammering on. DENY silently drops the packet, telling the client nothing, so he may keep on scanning and filling your logs. By starting an nmap scan against a target and using tcpdump on another console you would be able to see these port-unreachable messages in case the host you're scanning uses some REJECT. This may indicate an active but firewalled port. Same with DENY; an attacker could measure the timeouts of his scans and do some "comparison scans" as well, finding that he may have hit a firewalled port. If there were no service/firewall in place, the scan would go much faster. So, neither DENY nor REJECT is capable of "hiding" any of your ports. Use return-rst ( http://www.bellamy.co.nz/section5.html ) for that purpose, which sends a RST packet back to the client, thus cancelling the connection at once.
On Thu, 6 Sep 2001, maf king wrote:
On 2001.09.06 17:06:59 +0100 Radu Anghel wrote:
Hi,
Got an ip which is scanning during the night (an internet cafe sez pcnet). How can I block all the ports for this IP?
Many thanks,
Radu
1. What kernel version are you using? It makes a difference for the command to use.
2. Make sure you have ipchains (2.2.x) or iptables (2.4.x) installed
issue a command (as root) along the lines of:
iptables -I INPUT 1 -s addr.of.bad.ip -j DROP
(for 2.4.x)
see man iptables for an explanation of this.
if you are on a 2.2.x kernel, use
ipchains -I INPUT 1 -s bad.ip.add.ress -j DENY
NOTE: this doesn't stop them scanning, it just stops you from replying!
[...]
---
Boris Lorenz
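As an added example, not written by any poster in this thread: a small Python script that does the defender's side of what is discussed above, namely reading iptables LOG output, spotting a source that probes many distinct ports (the night-time scanner Radu asked about), and rendering the block rule maf king gave for either kernel generation. The log prefix "IN-SYN:", the sample lines and the five-port threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of syslog lines as written by an iptables LOG rule such as
#   iptables -I INPUT 1 -p tcp --syn -j LOG --log-prefix "IN-SYN: "
# (addresses from documentation ranges; not real traffic from the thread).
SAMPLE_LOG = """\
Sep  6 02:11:03 host kernel: IN-SYN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4021 DPT=21 SYN
Sep  6 02:11:03 host kernel: IN-SYN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4022 DPT=22 SYN
Sep  6 02:11:04 host kernel: IN-SYN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4023 DPT=23 SYN
Sep  6 02:11:04 host kernel: IN-SYN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4024 DPT=25 SYN
Sep  6 02:11:05 host kernel: IN-SYN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4025 DPT=80 SYN
Sep  6 02:11:05 host kernel: IN-SYN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4026 DPT=110 SYN
Sep  6 02:12:40 host kernel: IN-SYN: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 SYN
Sep  6 02:12:41 host kernel: IN-SYN: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=22 SYN
"""

# The LOG target writes KEY=VALUE fields; we only need source, protocol and destination port.
FIELD_RE = re.compile(r"\b(SRC|DPT|PROTO)=(\S+)")

def ports_per_source(log_text):
    """Map each source IP to the set of distinct TCP destination ports it probed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("PROTO") == "TCP" and "SRC" in fields and "DPT" in fields:
            seen[fields["SRC"]].add(int(fields["DPT"]))
    return seen

def find_scanners(log_text, min_ports=5):
    """Sources touching at least min_ports distinct ports are treated as scanners (assumed threshold)."""
    return sorted(ip for ip, ports in ports_per_source(log_text).items() if len(ports) >= min_ports)

def block_rules(scanners, kernel="2.4"):
    """Render the block rule from the thread: iptables DROP on 2.4.x, ipchains DENY on 2.2.x."""
    if kernel.startswith("2.2"):
        return [f"ipchains -I INPUT 1 -s {ip} -j DENY" for ip in scanners]
    return [f"iptables -I INPUT 1 -s {ip} -j DROP" for ip in scanners]

if __name__ == "__main__":
    # Prints one rule for 203.0.113.7; 192.0.2.44 only retried port 22 and is left alone.
    for rule in block_rules(find_scanners(SAMPLE_LOG)):
        print(rule)
```

As the thread notes, the rule silently drops traffic but does not stop the remote host from scanning, so the LOG rule keeps recording its attempts.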