Stop Scanning - Enabling Fog-of-War

[root@localhost root]# nmap -sT -P0 -p 21 10.0.0.50

Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
Interesting ports on 10.0.0.50:
PORT STATE SERVICE
21/tcp open ftp

Nmap run completed -- 1 IP address (1 host up) scanned in 0.013 seconds

192.168.10.80 -> 10.0.0.50 TCP 32875 > ftp [SYN] Seq=838535498 Ack=0 Win=5840 Len=0
10.0.0.50 -> 192.168.10.80 TCP ftp > 32875 [SYN, ACK] Seq=4073725542 Ack=838535499 Win=32120 Len=0
192.168.10.80 -> 10.0.0.50 TCP 32875 > ftp [ACK] Seq=838535499 Ack=4073725543 Win=5840 Len=0
192.168.10.80 -> 10.0.0.50 TCP 32875 > ftp [RST, ACK] Seq=838535499 Ack=4073725543 Win=5840 Len=0

[root@localhost root]# nmap -sS -P0 -p 21 10.0.0.50

Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
Interesting ports on 10.0.0.50:
PORT STATE SERVICE
21/tcp open ftp

Nmap run completed -- 1 IP address (1 host up) scanned in 0.013 seconds

192.168.10.80 -> 10.0.0.50 TCP 60605 > ftp [SYN] Seq=2118392454 Ack=0 Win=1024 Len=0
10.0.0.50 -> 192.168.10.80 TCP ftp > 60605 [SYN, ACK] Seq=4164665868 Ack=2118392455 Win=32696 Len=0
192.168.10.80 -> 10.0.0.50 TCP 60605 > ftp [RST] Seq=2118392455 Ack=0 Win=0 Len=0

[root@localhost root]# nmap -sF -P0 -p 21 10.0.0.50

Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
Interesting ports on 10.0.0.50:
PORT STATE SERVICE
21/tcp open ftp

Nmap run completed -- 1 IP address (1 host up) scanned in 12.027 seconds

[root@localhost root]# nmap -sX -P0 -p 21 10.0.0.50

Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
Interesting ports on 10.0.0.50:
PORT STATE SERVICE
21/tcp open ftp

Nmap run completed -- 1 IP address (1 host up) scanned in 12.029 seconds

[root@localhost root]# nmap -sN -P0 -p 21 10.0.0.50

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2005-03-08 20:18 SAST
Interesting ports on 10.0.0.50:
PORT STATE SERVICE
21/tcp open ftp

Nmap run completed -- 1 IP address (1 host up) scanned in 12.026 seconds

so that the full first rule looks like...

iptables -t nat -A PREROUTING -p tcp --syn -p tcp --dport 21 -m state --state NEW -j ACCEPT

What the additions do is tell the firewall to also check the traffic so that it only allows SYN packets which are the start of a NEW connection attempt. We are also going to check for other data packets with bad flags in the FORWARD table, just to further make sure that only proper packets are allowed through the firewall.

iptables -A FORWARD -p icmp -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

Scan Type	Snort Log File	Monitored Event
Full TCP Connection Scan	alert	portscan status from 192.168.10.80
SYN Scan	portscan.log	192.168.10.80:36615 -> 10.0.0.50:21 SYN *****S
FIN Scan	portscan.log	192.168.10.80:59047 -> 10.0.0.50:21 FIN *******F
XMAS Scan	portscan.log	192.168.10.80:60003 -> 10.0.0.50:21 XMAS *UP**F
NULL Scan	portscan.log	192.168.10.80:61837 -> 10.0.0.50:1600 NULL ********