Using nmap commands and firewalls in Linux
(Published in the Linux channel of the IT Lab in China, which covers desktop applications, Linux system administration, kernel research, embedded systems and open source.)
A firewall deployed on a Linux system prevents other hosts from scanning the local machine, and an enterprise network with a dedicated firewall can enforce similar restrictions. Some enterprises also deploy intrusion detection systems to actively block suspicious behaviour such as nmap scanning. However, nmap has options that, used in combination, can let a scan get past a firewall or intrusion detection system.
Some administrators question the nmap developers' decision to provide these options, since attackers can exploit them easily. But a tool is neither good nor bad in itself; it depends on how people use it. Many system administrators use these nmap options to improve the security of their network deployments. For example, I like to use them to play games with security software such as firewalls: I pretend to be an attacker and test whether these systems block my attacks, or at least record traces of them in their logs. Looked at this way, you may discover security vulnerabilities in your own enterprise.
There are many options of this kind. Space does not allow covering all of them, so I will illustrate with some common ones.
1. Fragmenting packets.
Security devices such as firewalls can filter scan packets, but this filtering policy is not very robust. With the -f option of the nmap command, the TCP header is split across several packets, and the packet filter in a firewall or intrusion detection system then has difficulty filtering the TCP packet. In this way an nmap scan can play hide and seek with these security measures.
When the -f option is used, the 20-byte TCP header is divided into three packets: two of them carry eight bytes of the TCP header each, and the third carries the remaining four bytes. In general, the packet filters used by security products queue all IP fragments rather than using the fragments directly, but because the packet is fragmented it is hard for these filters to identify the packet type. The fragments are then reassembled at the host into a valid TCP packet. In most cases the security measures should drop such packets, because they have a considerable performance impact on the enterprise network, whether on the firewall or on the end device. For example, if the firewall of a Linux system has a corresponding configuration item, you can restrict TCP packet fragmentation by refusing to queue IP fragments.
Clearly nmap -f can deceive firewalls and other security measures, and we can use this command to test whether the security software we rely on is really secure. As far as I know, although this weakness has been known for many years, not all security products prevent it effectively. Using the -f option therefore helps a system administrator determine whether the chosen product can cope with this kind of attack. For example, if scanning is blocked on the firewall, the administrator can run nmap -f against it: if the command does not return the expected result, the firewall policy is effective; if, on the contrary, it still returns normal results (perhaps taking a little longer), then nmap -f has got past the firewall, and the administrator should look closely at the security of the Linux firewall.
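To make concrete why a filter that judges each fragment on its own cannot decide what an nmap -f probe is, here is an added Python example (not code from this article and not part of nmap). It packs a 20-byte TCP header, splits it into the 8/8/4-byte pieces described above, and compares what a per-fragment filter can read from each piece with what a host sees after reassembly. The ports, sequence number and the (offset, MF, payload) fragment model are constructed for the example; it sends nothing on the network.

```python
import struct
from typing import List, Optional, Tuple

# Constructed values for the example: a 20-byte TCP SYN probe with no options.
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10

# A fragment is modelled as (offset in 8-byte units, more-fragments bit, payload),
# which is exactly what the IP header's fragment offset and MF fields express.
Fragment = Tuple[int, bool, bytes]


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 1000) -> bytes:
    """Pack a minimal 20-byte TCP header (RFC 793 layout, data offset 5 words)."""
    data_off_flags = (5 << 12) | flags          # byte 12 = 0x50, byte 13 = flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, data_off_flags, 65535, 0, 0)


def fragment(payload: bytes, piece: int = 8) -> List[Fragment]:
    """Split a transport payload into IP-style fragments of `piece` bytes each.
    Every piece but the last must be a multiple of 8 bytes, as IP requires;
    with piece=8 a 20-byte header becomes the 8/8/4 split the article describes."""
    if piece % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags: List[Fragment] = []
    for start in range(0, len(payload), piece):
        chunk = payload[start:start + piece]
        more = start + piece < len(payload)
        frags.append((start // 8, more, chunk))
    return frags


def stateless_flags(frag: Fragment) -> Optional[int]:
    """What a filter that inspects each fragment separately can see.
    TCP flags live at byte 13 of the header, so only the fragment covering that
    byte can report them; for every other fragment the answer is None."""
    offset_units, _more, data = frag
    start = offset_units * 8
    if start <= 13 < start + len(data):
        return data[13 - start] & 0x3F
    return None


def reassemble(frags: List[Fragment]) -> bytes:
    """Rebuild the datagram the way the receiving host does: order by offset,
    refuse gaps or overlaps, and require the last piece to have MF clear."""
    if not frags:
        raise ValueError("no fragments")
    ordered = sorted(frags, key=lambda f: f[0])
    out = b""
    for offset_units, _more, data in ordered:
        if offset_units * 8 != len(out):
            raise ValueError("gap or overlap at byte offset %d" % (offset_units * 8))
        out += data
    if ordered[-1][1]:
        raise ValueError("last fragment still has MF set; datagram incomplete")
    return out


def flags_after_reassembly(frags: List[Fragment]) -> int:
    """What a filter that queues and reassembles fragments first can see."""
    header = reassemble(frags)
    return struct.unpack("!H", header[12:14])[0] & 0x3F


if __name__ == "__main__":
    probe = build_tcp_header(40000, 22, TCP_FLAG_SYN)
    pieces = fragment(probe)
    for off, more, data in pieces:
        print("offset=%2d MF=%d len=%d per-fragment flags=%r"
              % (off * 8, more, len(data), stateless_flags((off, more, data))))
    print("after reassembly: SYN=%s" % bool(flags_after_reassembly(pieces) & TCP_FLAG_SYN))
```

The first eight-byte piece carries only the ports and sequence number, so a filter that does not queue fragments cannot tell a SYN probe from anything else; only reassembly (or refusing non-first fragments outright) gives it something to decide on. On a Linux firewall the "refuse to queue fragments" approach corresponds to dropping non-first fragments with iptables' `-f` match, but note that when connection tracking is loaded the kernel reassembles fragments before the filter table sees them, so such a rule may never match; the nmap -f test the article describes is the reliable way to learn what the firewall actually does.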
2. Scanning with a spoofed IP address.
Firewalls and client computers generally record information about visitors, such as their IP addresses. If nmap is used for scanning, the scanner's IP address is left behind on the firewall or the client host, and leaving this "evidence" is very unfavourable for the scanner. In addition, a firewall may be configured so that only a specific IP address is allowed to run scans, and scan packets from other IP addresses are filtered out. In either case, whether to hide the real identity or to use a permitted address for the nmap scan, a technique called source address spoofing is needed.
Speaking of this technique, I have to mention a recent mobile phone scam that is very similar to source address spoofing. Sometimes we receive a call or a text message from a friend asking us to send money. Although the friend's phone number is shown on the phone, the person sending the message is not necessarily that friend, because there is now a technique for changing the sender's number to whatever the sender wants displayed. Source address spoofing works the same way. With nmap -S, attackers can hide their own IP address and use a fake one, which may or may not exist on the network; the logs on the firewall or operating system then show the disguised IP address.
Therefore, when purchasing security products such as firewalls, a Linux system administrator can use nmap -S to test whether the firewall can defend against source address spoofing. For example, first enable logging on the firewall, then use nmap -S to scan the firewall or another host, and check the related logs to see whether the IP address recorded there is the disguised address or the scanner's real address. This makes it easy to judge whether the firewall or other security product can cope with source address spoofing. Even if the attacker whose real identity is recorded in the log turns out to be a mere zombie host, that record is of great value for tracking the attacker down quickly and preventing further attacks. For this reason, some security products must provide protection against source address spoofing.
3. Using decoys for concealed scanning.
Source address spoofing can hide the scanner's identity, but it can only disguise a single IP address during a scan. The currently popular way of hiding an IP address is to use decoy (bait) hosts. In short, the illegitimate scanner uses several IP addresses on the network as its own while scanning hosts, and the security device cannot tell which of them is the real one. For example, a firewall may record 5-8 port scans from different IP addresses. This is an effective way of hiding an IP address.
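The test procedure the article gives for sections 1 to 3 (enable logging on the firewall, scan it, then read the logs) is easier to repeat if the log review is scripted. The following Python is an added example, not part of the article or of any firewall product. It parses iptables LOG lines in the kernel's nf_log_ipv4 layout (what an `iptables ... -j LOG --log-prefix "NMAP-IN: "` rule writes to the kernel log) and checks for the three signs discussed above: fragmented probes (an MF piece without TCP ports followed by FRAG:n pieces under the same IP ID), packets entering on the external interface with an internal source address, and bursts of SYNs from several sources against one target within a few seconds. The log lines are constructed and abbreviated, and the host name, "NMAP-IN:" prefix, interface name, address ranges and thresholds are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed, abbreviated iptables LOG lines (nf_log_ipv4 layout). Host "fw",
# the "NMAP-IN:" prefix, interface eth0 and all addresses are assumptions.
SAMPLE_LOG = """\
Mar  3 09:59:30 fw kernel: NMAP-IN: IN=eth0 OUT= SRC=192.168.1.50 DST=198.51.100.10 LEN=44 TTL=48 ID=100 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 SYN URGP=0
Mar  3 10:00:01 fw kernel: NMAP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=28 TTL=48 ID=54321 MF PROTO=TCP INCOMPLETE [8 bytes]
Mar  3 10:00:01 fw kernel: NMAP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=28 TTL=48 ID=54321 MF FRAG:1 PROTO=TCP
Mar  3 10:00:01 fw kernel: NMAP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=24 TTL=48 ID=54321 FRAG:2 PROTO=TCP
Mar  3 10:00:09 fw kernel: NMAP-IN: IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.10 LEN=44 TTL=48 ID=101 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 SYN URGP=0
Mar  3 10:00:09 fw kernel: NMAP-IN: IN=eth0 OUT= SRC=203.0.113.21 DST=198.51.100.10 LEN=44 TTL=48 ID=102 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 SYN URGP=0
Mar  3 10:00:10 fw kernel: NMAP-IN: IN=eth0 OUT= SRC=203.0.113.22 DST=198.51.100.10 LEN=44 TTL=48 ID=103 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 SYN URGP=0
Mar  3 10:00:10 fw kernel: NMAP-IN: IN=eth0 OUT= SRC=203.0.113.23 DST=198.51.100.10 LEN=44 TTL=48 ID=104 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 SYN URGP=0
Mar  3 10:30:00 fw kernel: NMAP-IN: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.10 LEN=44 TTL=52 ID=105 PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 SYN URGP=0
"""

EXTERNAL_IF = "eth0"                      # assumed name of the Internet-facing interface
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
FLAG_WORDS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line: str) -> Dict:
    """Turn one LOG line into a dict: KEY=VALUE tokens, the set of bare flag words
    (DF/MF and TCP flags), the FRAG:n offset, and a timestamp in seconds of day."""
    parts = line.split()
    h, m, s = (int(x) for x in parts[2].split(":"))
    rec: Dict = {"ts": h * 3600 + m * 60 + s, "flags": set(), "frag": 0}
    for tok in parts[3:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        elif tok.startswith("FRAG:"):
            rec["frag"] = int(tok[5:])
        elif tok in FLAG_WORDS:
            rec["flags"].add(tok)
    return rec


def parse_log(text: str) -> List[Dict]:
    return [parse_line(l) for l in text.splitlines() if " IN=" in l]


def fragmented_probes(recs: List[Dict]) -> Dict[Tuple[str, str], int]:
    """Section 1: an nmap -f probe appears as pieces sharing one IP ID, the first
    with MF set and no TCP ports, the rest with FRAG:n. Count pieces per (SRC, ID)."""
    groups: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in recs:
        if "MF" in r["flags"] or r["frag"]:
            groups[(r["SRC"], r["ID"])] += 1
    return dict(groups)


def spoofed_sources(recs: List[Dict]) -> List[str]:
    """Section 2: a packet entering on the external interface whose source is an
    internal address cannot be genuine; ingress filtering should have dropped it."""
    hits = []
    for r in recs:
        if r.get("IN") != EXTERNAL_IF:
            continue
        if any(ipaddress.ip_address(r["SRC"]) in net for net in INTERNAL_NETS):
            hits.append(r["SRC"])
    return hits


def decoy_bursts(recs: List[Dict], window: int = 10, min_sources: int = 3) -> List[Tuple[str, List[str]]]:
    """Section 3: a decoy scan shows up as several source addresses probing the same
    target within seconds. Report (DST, sorted sources) once per target whose
    `window`-second span holds at least `min_sources` distinct sources."""
    by_dst: Dict[str, List[Dict]] = defaultdict(list)
    for r in sorted(recs, key=lambda r: r["ts"]):
        if "SYN" in r["flags"] and not r["frag"]:
            by_dst[r["DST"]].append(r)
    results = []
    for dst, rs in by_dst.items():
        for i, first in enumerate(rs):
            srcs = {x["SRC"] for x in rs[i:] if x["ts"] - first["ts"] <= window}
            if len(srcs) >= min_sources:
                results.append((dst, sorted(srcs)))
                break
    return results


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("fragmented probes:", fragmented_probes(records))
    print("spoofed sources on %s:" % EXTERNAL_IF, spoofed_sources(records))
    print("decoy-style bursts:", decoy_bursts(records))
```

Run against the constructed lines, the script reports one three-piece fragmented probe from 203.0.113.7, one packet whose 192.168.1.50 source could not legitimately arrive on eth0, and a burst of four sources against 198.51.100.10 within ten seconds; the single SYN half an hour later is left alone. When the firewall is doing its job, the first two findings should be empty after a test scan, because those packets should have been dropped before reaching the LOG rule, and the decoy check cannot name the real scanner but does tell you that the 5-8 addresses in the log belong to one scan rather than several.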