Hello everyone,
I'm subscribed to the mailing list for nmap, a fairly interesting port
scanner, and the site's webmaster (who is also the leader of the nmap
project) has just received a rather nice email.
In short, if you apply this patch, port scanning becomes squeaky clean
:-))
The guy scanning you sees that all ports are open; in short, he sees a lot
of nonsense :-))
-----FW: <Pine.LNX.4.04.9907191759020.29721-200000@???>-----
Date: Mon, 19 Jul 1999 18:00:55 -0400 (EDT)
From: Fyodor <fyodor@???>
To: nmap-hackers@???
Subject: nmap and a kernel patch (fwd)
I haven't actually tried this patch, but it is an interesting portscan
defense ...
---------- Forwarded message ----------
From: Salvatore Sanfilippo -antirez- <antirez@???>
To: fyodor@???
Subject: nmap and a kernel patch
Hi Fyodor,
three days ago I posted this message
to bugtraq@???, maybe dropped
by Aleph1. Anyway I think this can interest
you.
---
Hi,
It seems that some bugtraq readers still run linux 2.0.3[67].
In order to prevent SYN, FIN, Xmas, NULL tcp scans and
maybe connect() scans (for example it's true with nmap,
false with strobe) it's possible to apply this kernel patch.
The patch changes the sequence
SYN ---> closed port
<--- RST
to
SYN ---> closed port
<--- SYN|ACK
ACK --->
<--- RST
and answers RST to FIN, Xmas and NULL tcp flags even
if the port is open, like win*.
If an attacker scans a patched host it gets all
ports open; to be precise, it gets nothing.
bye,
antirez
---
port scanners have different feedback if run on
different OS/kernel versions.
For example with 2.2.10 strobe will fail as nmap does.
The problem is the connect().
For example
SYN --->
<--- SYN|ACK
ACK --->
<--- RST
produces this
2.0.36
connect() O_NONBLOCK return 0 connected!
connect() --- return EINPROGRESS
2.2.10
connect() O_NONBLOCK return 0 connected!
connect() ___ return 0 connected!
I think this may interest A.Cox and Linux devel.
Patch is attached.
ciao,
antirez
--
Salvatore Sanfilippo - antirez - antirez@???
try hping: http://www.kyuzz.org/antirez antirez@???
--------------End of forwarded message-------------------------
We are the knights who say RTFM !
diff -u -r linux/net/ipv4/tcp_input.c /usr/src/linux-2.0.36/net/ipv4/tcp_input.c
--- linux/net/ipv4/tcp_input.c Sat Jul 17 11:21:01 1999
+++ /usr/src/linux-2.0.36/net/ipv4/tcp_input.c Sat Jul 17 12:00:13 1999
@@ -46,6 +46,7 @@
* </RANT>
* George Baeslack : SIGIO delivery on accept() bug that
* affected sun jdk.
+ * Salvatore Sanfilippo : Prevents SYN, FIN, Xmass, NULL scan.
*/
#include <linux/config.h>
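Review bot: the credit line `+ * Salvatore Sanfilippo : Prevents SYN, FIN, Xmass, NULL scan.` misspells "Xmas" (the second hunk's own comment `/* resets FIN, Xmas, NULL */` spells it the usual way), and it should also say that the change is unconditional: nothing in either file is wrapped in a CONFIG option or gated by a sysctl, so every kernel built from this patch answers SYN to closed ports with a SYN|ACK and resets ACK-less segments on open ports, which an administrator reading the header comment would want to know.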
@@ -2464,6 +2465,12 @@
}
}
#endif
+ tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);
+ }
+
+ /* resets FIN, Xmas, NULL */
+ if (!th->syn && !th->ack && !th->rst && ip_chk_addr(daddr)==IS_MYADDR)
+ {
tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);
}
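Review bot: the new block `if (!th->syn && !th->ack && !th->rst && ip_chk_addr(daddr)==IS_MYADDR)` calls `tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255)` using `sk->prot`, so it must only be reachable where `sk` is guaranteed non-NULL; the hunk does not show that guarantee, and the identical call inserted just above it (`+ tcp_send_reset(daddr,saddr,th,sk->prot,opt,dev,0, 255);` followed by `+ }`) indicates the existing block was split in two to make room. Hoisting the reset into one shared path, and stating in the comment that this deliberately resets FIN/Xmas/NULL segments even when the port is open (the forwarded text says so, the code comment does not), would make the intent reviewable.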
diff -u -r linux/net/ipv4/tcp_output.c /usr/src/linux-2.0.36/net/ipv4/tcp_output.c
--- linux/net/ipv4/tcp_output.c Sat Jul 17 11:21:01 1999
+++ /usr/src/linux-2.0.36/net/ipv4/tcp_output.c Sat Jul 17 11:56:35 1999
@@ -759,7 +759,7 @@
t1->source = th->dest;
t1->doff = sizeof(*t1)/4;
t1->rst = 1;
-
+
if(th->ack)
{
t1->seq = th->ack_seq;
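Review bot: this hunk is a whitespace-only change (the `-` line and the `+` line are both blank and differ only in trailing whitespace); drop it from the patch so the diff carries only the behavioural change.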
@@ -770,7 +770,15 @@
if(!th->syn)
t1->ack_seq = th->seq;
else
+ {
t1->ack_seq = htonl(ntohl(th->seq)+1);
+ /* send bogus syn/ack */
+ t1->rst = 0;
+ t1->syn = 1;
+ t1->ack = 1;
+ if (th->fin)
+ t1->fin = 1; /* as 2.0.3x we answer SAF */
+ }
}
tcp_send_check(t1, saddr, daddr, sizeof(*t1), buff);
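Review bot: after `t1->rst = 0; t1->syn = 1; t1->ack = 1;` the segment is no longer a reset, yet it is still built inside `tcp_send_reset` with the sequence number the reset path chose (set in the `if(th->ack)`/else branch outside this hunk) and with no connection state recorded; document this in the `/* send bogus syn/ack */` comment, since it is exactly why the peer's completing ACK is later answered with RST, and so why the decoy only holds for probes that never finish the handshake, as the forwarded message's connect() discussion shows. A descriptive name for the new path (or a separate helper) would also stop `tcp_send_reset` from being read as "always sends RST".

The exchanges described in the forwarded message, as an added model that is not part of the original post and not the kernel code: a patched host answers a SYN to a closed port with a bogus SYN|ACK (SYN|ACK|FIN if the probe carried FIN), resets the ACK that completes that handshake because no state was kept, and resets FIN/Xmas/NULL probes even on open ports. Segments are modelled as frozensets of TCP flag names; the `port_open` flag and the stock-kernel responder are constructed for comparison.

```python
# Constructed model of the scan-defence behaviour antirez describes for his
# 2.0.36 patch (not the kernel code). Segments are frozensets of flag names.

def patched_response(flags, port_open):
    """Flags of the reply a patched host sends, or None for silence."""
    if "RST" in flags:
        return None                                  # RST is never answered
    if "SYN" in flags and "ACK" not in flags:
        reply = {"SYN", "ACK"}                       # real or bogus handshake
        if not port_open and "FIN" in flags:
            reply.add("FIN")                         # the "SAF" answer on closed ports
        return frozenset(reply)
    if "ACK" in flags:
        # open port: the ACK completes a real handshake (silence);
        # closed port: no socket was created for the bogus SYN|ACK, so RST
        return None if port_open else frozenset({"RST"})
    return frozenset({"RST"})                        # FIN / Xmas / NULL, any port state

def unpatched_response(flags, port_open):
    """Stock behaviour for the same probes: RST only where no socket listens."""
    if "RST" in flags:
        return None
    if "SYN" in flags and "ACK" not in flags:
        return frozenset({"SYN", "ACK"}) if port_open else frozenset({"RST"})
    if "ACK" in flags:
        return None if port_open else frozenset({"RST"})
    return None if port_open else frozenset({"RST"})  # open ports drop FIN/Xmas/NULL

def syn_scan(responder, port_open):
    reply = responder(frozenset({"SYN"}), port_open)
    return "open" if reply and {"SYN", "ACK"} <= reply else "closed"

def connect_scan(responder, port_open):
    """connect() reports success as soon as SYN|ACK arrives; any RST comes later."""
    reply = responder(frozenset({"SYN"}), port_open)
    if not (reply and {"SYN", "ACK"} <= reply):
        return "closed"
    after_ack = responder(frozenset({"ACK"}), port_open)
    return "open" if after_ack is None else "open (then reset)"

def fin_scan(responder, port_open):
    reply = responder(frozenset({"FIN"}), port_open)
    return "closed" if reply and "RST" in reply else "open|filtered"

def scan_results(responder):
    """Scanner's verdict for (one open port, one closed port) per technique."""
    return {name: (fn(responder, True), fn(responder, False))
            for name, fn in (("syn", syn_scan), ("connect", connect_scan), ("fin", fin_scan))}
```

Against the stock responder every technique recovers the true port state; against the patched one the SYN and connect() verdicts say "open" for both ports and the FIN verdict says "closed" for both, which is the "it gets nothing" outcome the message describes.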