[arch-general] Port 80 is shown open in port scan without any web server running
thomas at archlinux.org
Wed Mar 30 10:08:34 EDT 2011
Am 30.03.2011 15:00, schrieb Partha Chowdhury:
> According to the source from where i got the iptables configuration ,
> the approach is "Block all incoming connections except for established
> connections, then open only specific ports which you want outside world
> to connect to".
Exactly my philosophy.
> About blocking icmp ping, i quote one website as-is:
>> Your system REPLIED to our Ping (ICMP Echo) requests, making it
>> visible on the Internet. Most personal firewalls can be configured to
>> block, drop, and ignore such ping requests in order to better hide
>> systems from hackers. This is highly recommended since "Ping" is among
>> the oldest and most common methods used to locate systems prior to
>> further exploitation
> is what they say is true ?
You cannot "hide" yourself on the internet. If you were offline, the
next router would reply that your machine is unreachable. By not
answering, you not only tell the "attacker" that you are online, you
also tell him that you don't know shit about networking.
>> -A INPUT -j REJECT --reject-with icmp-proto-unreachable
> isn't this seem redundant ? I mean icmp is allowed, then except for
> established and related connections, a tcp rst packet is sent for all
> unwanted tcp traffic and icmp-port-unreachable message is sent for
> every unwanted udp packets, right ? Then what packets that rule match ?
This properly rejects packets to your IP that are neither ICMP nor TCP
>> What is a "malicious port scanner" and how can you stay "secure" from it?
> I meant to avoid random packets coming from random machines at random
> for example:
> one random packet from sys.log
>> IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00
>> SRC=18.104.22.168 DST=172.16.37.164 LEN=48 TOS=0x00 PREC=0x00 TTL=103
>> ID=32623 DF PROTO=TCP SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0
And how does that harm you? It is rejected, and the sender now knows
that he is sending to the wrong destination (instead of continuously
retrying, which he would probably if you DROPped it).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 262 bytes
Desc: OpenPGP digital signature
More information about the arch-general