On 8/29/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hello everybody,

OpenBSD's PF is able to block packets by the passive OS fingerprint.
For example, you can block packets from nmap.

I've a little problem with that: how do I block a host if it does/did an
nmap scan?!
I can block the nmap scan but not automatically the host, because the
overload rule does not know about blocking by OS.


I know of only one means to block nmap scans, if used with the -i
parameter. It continually connects to your ident port for each open
port discovered to attempt to identify the owner of the service.
("Does the webserver run as root?")

You could do a 3/30 overload rule on port 113 and add to a table to
drop and log.

Let them scan, what are you worried about? If you have something you
are worried about nmap discovering, blocking an nmap scan isn't going
to help.

If I were a cracker and scanned your netblock, and your host is the
only one that stopped responding half-way through a scan, I would use
other means to begin looking at yours immediately. (Or you may be a
winbox I just crashed...)

Block drop as a default policy may be better for your needs. It annoys
impatient nmap scanners into giving up quickly. nmap is getting quicker at
scanning hosts that drop blocked packets, especially when options are
fine-tuned for it.

Also by default nmap skips hosts that don't reply to icmp pings.

Whatever.
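The pieces discussed in this thread, put together as an /etc/pf.conf fragment. This is an added example, not code posted by either participant: the interface name em0, the table name <scanners> and the 3/30 rate are assumptions for illustration, the os "NMAP" match relies on the fingerprints shipped in /etc/pf.os, and the ident rule only ever catches a scanner that actually connects to port 113 (nmap's ident-scan mode, as the reply describes).

```pf
# Added example (not from the original thread): an OpenBSD pf.conf fragment
# combining a drop default policy, an OS-fingerprint block for nmap, and a
# 3/30 overload rule on ident (tcp/113). Interface, table name and rate are
# assumptions chosen for illustration.
ext_if = "em0"

# Sources that trip the overload rule are added here. "persist" keeps the
# table even when no loaded rule references it.
table <scanners> persist

# Default policy: silently drop instead of answering with RST/ICMP
# unreachable, so a scanner waits out its timeouts on every blocked port.
set block-policy drop
block in all

# Anything already in the overload table is dropped before any pass rule.
block in log quick on $ext_if from <scanners> to any

# Drop SYNs whose passive OS fingerprint (from /etc/pf.os) matches nmap.
# This matches the scan packets themselves; an os match cannot feed a
# table, which is the limitation the original question runs into.
block in log quick on $ext_if proto tcp from any os "NMAP" to any

# The reply's "3/30 overload rule on port 113": a source that opens more
# than 3 connections to ident within 30 seconds is added to <scanners> and
# all of its existing states are flushed. State is created on the SYN, so
# the attempt counts even if nothing is listening on 113.
pass in on $ext_if proto tcp from any to $ext_if port 113 \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <scanners> flush global)
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and inspect who has been caught with `pfctl -t scanners -T show`. Entries never age out on their own; `pfctl -t scanners -T expire 3600` removes entries older than an hour, which is worth running from cron so a single false positive is not blocked forever.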
