[arch-general] Port 80 is shown open in port scan without any web server running

Thomas Bächler thomas at archlinux.org
Wed Mar 30 10:08:34 EDT 2011


Am 30.03.2011 15:00, schrieb Partha Chowdhury:
> According to the source from where I got the iptables configuration,
> the approach is "Block all incoming connections except for established
> connections, then open only specific ports which you want outside world
> to connect to".

Exactly my philosophy.

> About blocking icmp ping, i quote one website as-is:
> 
>> Your system REPLIED to our Ping (ICMP Echo) requests, making it
>> visible on the Internet. Most personal firewalls can be configured to
>> block, drop, and ignore such ping requests in order to better hide
>> systems from hackers. This is highly recommended since "Ping" is among
>> the oldest and most common methods used to locate systems prior to
>> further exploitation
> Is what they say true?

You cannot "hide" yourself on the internet. If you were offline, the
next router would reply that your machine is unreachable. By not
answering, you not only tell the "attacker" that you are online, you
also tell him that you don't know shit about networking.

Google it.

>> -A INPUT -j REJECT --reject-with icmp-proto-unreachable
> 
> Doesn't this seem redundant? I mean icmp is allowed, then except for
> established and related connections, a tcp rst packet is sent for all
> unwanted tcp traffic and an icmp-port-unreachable message is sent for
> every unwanted udp packet, right? Then what packets does that rule match?

This properly rejects packets to your IP that are neither ICMP nor TCP
nor UDP.

>> What is a "malicious port scanner" and how can you stay "secure" from it?
>>
> I meant to avoid random packets coming from random machines at random
> times:
> 
> for example:
> one random packet from sys.log
> 
>> IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00
>> SRC=182.177.140.45 DST=172.16.37.164 LEN=48 TOS=0x00 PREC=0x00 TTL=103
>> ID=32623 DF PROTO=TCP SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0

And how does that harm you? It is rejected, and the sender now knows
that he is sending to the wrong destination (instead of continuously
retrying, which he probably would if you DROPped it).
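As an added example (not part of this thread), a small Python parser for netfilter LOG lines like the one quoted above, which applies the reject policy discussed in the thread (ICMP accepted, unwanted TCP answered with a RST, unwanted UDP with icmp-port-unreachable, anything else with icmp-proto-unreachable) to each logged packet. The list of open ports and the three extra log lines are constructed assumptions; only the first sample line is the one from the thread.

```python
from typing import Dict, List, Tuple

# Constructed sample in the netfilter LOG line format. The first line is the
# one quoted in the thread; the other three are made up here to cover UDP,
# ICMP and a protocol that is neither TCP, UDP nor ICMP (47 = GRE).
SAMPLE_LOG = """\
IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00 SRC=182.177.140.45 DST=172.16.37.164 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=32623 DF PROTO=TCP SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0
IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00 SRC=203.0.113.7 DST=172.16.37.164 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00 SRC=203.0.113.9 DST=172.16.37.164 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=ICMP TYPE=8 CODE=0
IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00 SRC=203.0.113.11 DST=172.16.37.164 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=47
"""

def parse_nf_log(line: str) -> Dict[str, str]:
    """Split one LOG line into KEY=VALUE fields; bare tokens such as DF or SYN
    become flags with value '1'. A repeated key (the second LEN= or ID= from
    the transport header) overwrites the earlier one, which is fine here."""
    fields: Dict[str, str] = {}
    for tok in line.split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else "1"
    return fields

def verdict(f: Dict[str, str], tcp_open=(22,), udp_open=()) -> str:
    """Policy from the thread, applied to a logged packet. Assumption: the LOG
    rule sits after the ESTABLISHED,RELATED accept, so every logged packet is
    a new one. The open port lists are assumed values, not from the thread."""
    proto = f.get("PROTO", "?")
    if proto == "ICMP":
        return "ACCEPT"
    if proto == "TCP":
        return "ACCEPT" if int(f["DPT"]) in tcp_open else "REJECT tcp-reset"
    if proto == "UDP":
        return "ACCEPT" if int(f["DPT"]) in udp_open else "REJECT icmp-port-unreachable"
    return "REJECT icmp-proto-unreachable"   # the rule the thread asked about

def summarize(log_text: str, **ports) -> List[Tuple[str, str, str, str]]:
    """One (SRC, PROTO, DPT or '-', verdict) tuple per log line."""
    rows = []
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        f = parse_nf_log(line)
        rows.append((f["SRC"], f["PROTO"], f.get("DPT", "-"), verdict(f, **ports)))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("%-15s %-5s dpt=%-6s -> %s" % row)
```

Feed it the `kernel:` lines from your own syslog (strip the timestamp and the `[...]` prefix first) to see which of the three REJECT replies each unsolicited packet would have received.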
