How to keep a computer from answering to ping?
Goto page Previous  1, 2, 3  :||:
Networking/Security Forums -> UNIX // GNU/Linux

Author: crash-xLocation: my room PostPosted: Sun Dec 08, 2002 9:58 pm    Post subject:
    ----
I added in my httpd.conf this:
Code:

ServerTokens Prod
ServerSignature Off


and in my proftpd.conf this:
Code:

ServerIdent             on      "FTP Server ready"

when i scan the banner i get this:
Quote:

-> starting banner scan for localhost
port 88: 220 FTP Server ready
port 80: Apache

when somebody scanns my ports he gets this:
Quote:

Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on pxXxXxXx.dip.t-dialin.net (xx.xxx.xx.xxx):
(The 1599 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
88/tcp open kerberos-sec
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.045 days (since Sun Dec 8 19:17:20 2002)

Nmap run completed -- 1 IP address (1 host up) scanned in 248 seconds
when somebody scanns my ports he gets this:


So what can I do that nmap can't see my OS and uptime?

Author: gigsvoo PostPosted: Tue Dec 10, 2002 3:48 am    Post subject:
    ----
Sorry but I am still wimping after I read all your guys pro's posts. Perhaps I should read some books on UNIX and Linux security.
Smile

Author: browolf PostPosted: Mon Dec 16, 2002 6:12 pm    Post subject:
    ----
browolf wrote:
delete852 wrote:
Well IpSec is just another VPN protocol as I remember, but to block ICMP requests on a win2k Box, as i do in my home do the following:
1)Open up MMC, and add in Ip Security snap in
2)Create a new policy, name it whaever, and give it a description
3)then look at it's properties, click Edit, There you see, which type of packet it sees, and what it does with it on the next tab. I have a Deny action, you might have to make one, I don't remember if it already was there, to create it go to Add, and just follow the boxes, it might seem overwhelming at the begning, but you will get familiar with it soon. As if it will block P2P, I don't really know, it shouldn't really, but I don't know enought to give a 100% advice. Try it, tell me how it goes.


i've managed to do it on my work computer. and nothing seems to have broken. but i dont use p2p on that Smile


it's all gone pear-shaped. i had to disable it cos it seemed to be stopping me accessing printers. I have 20 odd network printers added so i could see when any got crammed up with jobs, trouble is i've removed the ipsec policy so i'm pingable again but all the network printers are still showing "access denied unable to connect" I only had access to the ones i'm connected directly too (ie not thru a server)

aargh.

aha,from google groups, it might be cos i have restrict anonymous in the reg set to 2. I think i read that on a win2k lockdown page around the same time.

tell u what happens when i've rebooted.

Author: browolf PostPosted: Mon Dec 16, 2002 6:18 pm    Post subject:
    ----
phew that fixed it. Very Happy

Author: delete852Location: Washington DC PostPosted: Mon Dec 16, 2002 7:51 pm    Post subject:
    ----
Yea I didn't think that it might be something with IpSec, what protocol is used got printing? I know there for a network printing you assign an Ip address, but is IP binded with something? I also read something about INternet Printing Protocol, where it would give the user a lot of details about the printer, such as physical location, type and color of paper loaded and etc. Any one heared anything on that?

Author: werem00seLocation: U.S.A (west) PostPosted: Tue Dec 17, 2002 3:16 am    Post subject:
    ----
Hey Beo...

restrictanonymous will kill netbios printing functionality since print queues rely partly on null sessions on p445 (MS-ds). It's a decent way to keep out moderately skilled enumerators, but armed with the NTRK, you can still enumerate and even connect to shares via null sessions. I'd have to find the white paper, but it's possible. As for the comment about closing p79 so someone can't fingerprint your OS, your mixing 2 issues, fingerd and os printing for enumerating open/running services on a host. Finger is an actual daemon running on port 79 that allows one person to query a machine for an individual user:
[user@warpig.domain.net~]: $finger jdoe@homegrown
user unknown
[user@warpig.domain.net~]: $

Fingerprinting an operating system is done by systematically opening or attempting to open ports on a remote machine and examining the way in which things are either responded to or denied. I believe it was Bartman (nope, it was ST - my bad) that pointed out the trick of altering the TCP sequence your machine uses to fool NMAP. That's really the only way to do it on a stand alone machine without placing it behind a firewall or other edge device.

Personally, I don't mind responding to ping. There are a few ISP's and stuff that like their DNS servers to ping hosts. If you decide to drop ICMP, there are plenty of tools (HPING) that will allow you to ping via UDP. If you drop UDP, there are tools that will allow you to see if a host is up by the way it responds to dropped packets. (HPING again :p)

Fact of the matter is: If someone want's to find you they will. Blocking ICMP is only going to keep the lazy script kiddies out.

Also the port (?)gigsvoo was asking about getting printer info on is p's 137-9, and 445 (NetBios). NB is notorious for coughing up as much info as you want to dig for. Through null sessions, you don't even have to supply username/passwd to mount the share or print to it, get print info, mount the actual printers volume..the list goes on, and it's not just printers, it's anything NetBios. ./curses M$ !!!



Networking/Security Forums -> UNIX // GNU/Linux


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Goto page Previous  1, 2, 3  :||:
Page 3 of 3

Powered by phpBB 2.0.x © 2001 phpBB Group