From: cpghost@cordula.ws
To: faisal gillani
Cc: FreeBSD
Date: Wed, 13 Apr 2005 00:54:07 +0200
Subject: Re: all ports open ?
Message-ID: <20050412225407.GA2410@epia2.farid-hajji.net>
In-Reply-To: <20050412152651.9286.qmail@web51109.mail.yahoo.com>

On Tue, Apr 12, 2005 at 08:26:50AM -0700, faisal gillani wrote:
> Well i port scanned couple of internet websites & got
> all ports open from that site , is that a security
> measure ?
> if yes how can i do that ?

First of all, to simulate an open port, all you need is a little
program that accept()s connections (on one port) and close()s
them immediately thereafter. As far as the scanner is concerned,
that port is open, because the peer completed the TCP handshake.

The next step is to redirect every connection from blocked ports
to that program. This is best done with a firewall, like pf.
The firewall will simply pass the connection attempt along to
that accept()er/close()er program.

The technique of capturing connections and redirecting them to
some dummy (logging!) program is often used in honeypots. If
the logging program does more than just closing the connections
it accepts, it could coax some hints out of the attacker (like
logging the attempted infection vector). This is however seldom
used. Another use for that program is to be very slow after
accepting the connection, resulting in an effective tar pit.

Most firewalls simply reset blocked connections (resulting in
closed ports reports) or silently drop the packets (resulting
in "port firewalled" scan results).

> :)
> thanks
> Faisal

Cheers,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
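
The accept()/close() listener described in the reply above, with the peer logging it mentions, as an added example that is not part of the original message. The names `make_listener`, `accept_and_close`, `serve`, the `delay` parameter and port 9999 are assumptions made for illustration; the pf redirect that feeds connections to this port is not shown.

```python
import socket
import time

def make_listener(host="127.0.0.1", port=0, backlog=128):
    """Open the one TCP port that the firewall redirects blocked ports to.
    port=0 lets the kernel pick a free port (assumption, for local testing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(backlog)
    return srv

def accept_and_close(srv, log, delay=0.0):
    """accept() one connection, log the peer, then close() it.
    delay > 0 holds the connection open first (the tar pit variant)."""
    conn, peer = srv.accept()
    try:
        entry = {"time": time.time(), "peer_ip": peer[0], "peer_port": peer[1]}
        log.append(entry)
        if delay > 0:
            time.sleep(delay)
    finally:
        conn.close()
    return entry

def serve(srv, log, delay=0.0):
    """Run until interrupted, printing one line per captured connection."""
    while True:
        e = accept_and_close(srv, log, delay)
        print("%.3f connection from %s:%d" % (e["time"], e["peer_ip"], e["peer_port"]))

if __name__ == "__main__":
    listener = make_listener(port=9999)  # 9999 is a constructed example port
    serve(listener, [])
```

The delay is applied inside the single accept loop, so a non-zero value also stalls every other connection waiting in the backlog; a tar pit meant to hold many peers at once would handle connections concurrently.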