How to defend against nmap scanning

Source: Internet

Author: dominate00

A few days ago I saw someone asking for help on a BBS: what measures can my server take to resist or block Nmap scanning? At the time my ability to reply was limited. I did not fully understand the principles behind nmap's functions, so I could not help. (After all, this is not something you get from reading a few materials or passing some simple practical tests.)

I thought about it last night. nmap's scanning methods, whether TCP or SYN, half-open or full-open, or other more advanced and complex techniques, must all follow one principle: they have to create a complete TCP three-way handshake. Unlike other scanners that only judge whether a port is open, nmap also reports the complete port/service banner to the user, and without a full TCP three-way handshake the banner cannot be obtained.

The nmap scan packets completely simulate the packets of a normal connection; that is, they are equivalent to a completely normal and legitimate TCP connection. If the server needs to offer a service, it must open the port, and once the port is open it is impossible to reject completely normal connections. Therefore, in theory, it is basically impossible to run a service without its being scanned by nmap.

However, you can modify each service's default port and banner so that nmap reports completely incorrect results to the user. For example, on a Linux server running vsftpd 2.2.2 on port 21, if the banner is changed to "ftp 9.9", the report the user gets is basically worthless: you only know that port 21 is FTP, but not which FTP software it is or what its version number is.

The purpose of a hardware firewall is to restrict the source IP address and source port, or the destination IP address and destination port, while always allowing connections from normal users. The source IP address changes dynamically and cannot be restricted at all, and the source port cannot be used either. The firewall cannot tell the difference between the scan packets of nmap or other scanners and normal packets. The so-called "ignore ICMP packets" approach is completely redundant; nmap's -PN parameter takes care of that.

Some people on the BBS mentioned the built-in IPsec. As I understand it, IPsec or iptables is basically equivalent to a software defense; the principle is the same, so I will not repeat it. It is useless against nmap scanning.

Therefore, we can only adopt the suggestion I mentioned above.

Of course, the above is what I have derived from theory, and real environments vary endlessly. If there are errors, please correct me :)
