How to defend against nmap Scanning

Author: dominate00

A few days ago, I saw someone posting for help in a bbs, which means what measures my server can take against or block Nmap scanning. At that time, I had limited ability to reply to the post. I didn't fully understand the principles of nmap functions, so I couldn't help. (After all, this is not a result of reading some materials or passing simple practical tests)

I thought about it last night. nmap scanning methods, whether TCP or SYN, semi-open or full-open, or other more advanced and complex technologies, must follow a principle, that is to create a complete TCP three-way handshake. Because nmap is not like other scanners that only judge whether the port is open, it also reports the complete port/service banner to the user. Without a full TCP three-way handshake, the banner cannot be obtained.

The nmap scan package completely simulates normal connection data packets, that is, it is equal to a completely normal and reasonable TCP connection. If the server needs to open the service, it must open the port. Since the port is opened, it is impossible to reject completely normal connections. Therefore, in theory, it is basically impossible to enable services without being scanned by nmap.

However, you can modify the default port and its banner of each service to cause nmap to report completely incorrect results to the user. For example, if a linux server, vsftpd 2.2.2 on port 21, and banner is changed to ftp 9.9, the user reports are basically worthless. You only know that port 21 is FTP, but you do not know what ftp software is, and the version number is.

The purpose of the hardware firewall is to restrict the source IP address and source port, or the destination IP address and destination port, but always allow connections from normal users. The source IP address is dynamically changed and cannot be limited at all, the source port cannot be used either. The firewall cannot identify the difference between the scan data packets of nmap or other scanners and normal data packets. The so-called "ignore ICMP packet" approach is completely redundant, and a-PN parameter of nmap can be done.

Some people mentioned the built-in ipsec in the bbs. I understand ipsec or iptables, which is basically equivalent to soft defense. The principle is no longer repeated. Nmap scanning is useless.

Therefore, we can only adopt the suggestions I have mentioned.

Of course, the above are the results I have derived from theory, and the actual environment is ever changing. If the error is returned, correct the error :)