From: Erik Norgaard
Date: Wed, 07 Sep 2005 17:36:43 +0200
To: Boris Karloff
Cc: freebsd-questions@freebsd.org
Subject: Re: port scanning and hidden servers
Message-ID: <431F090B.5050307@locolomo.org>
In-Reply-To: <431f04f6.22c.572a.3251@canada.com>

Boris Karloff wrote:
> I have a user on my network with a Linux box that is
> performing a port scan on all the computers in my network
> manually. He's doing this 'because he can'. Although I've
> asked him not to, he continues to do so.
>
> 1) How can I block or inhibit port scans launched against my
> FreeBSD servers from within my network?
>
> 2) How can I 'hide' my FreeBSD servers from users on the
> network? (If they can't see them, then they don't know to
> scan them.)

1st: You can't really block a port scan; you can block your ports for incoming connections so you will appear to be offline. You can also configure your host to send particular types of ICMP responses.

2nd: Ok, so he sends some packets, but does this saturate the connection or in other ways interrupt service? Likely not, but if it does it should be against the "acceptable use policy" for the network, and complaining to the right person should cause his wires to be cut (if it's wired) or that he be blocked in the AP. If it's _your_ network then you can make it against the AUP and cut him off.

3rd: If you want to have some fun - ok, I don't know how legal this is - then you poison his ARP cache, effectively taking him off the network until it clears up. This may? be done with arp-sk, or other tools are available.

Cheers, Erik

--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
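
The two behaviours mentioned in the first point of the reply above (dropping inbound connections so the host looks offline, or answering with a chosen ICMP/RST response), sketched as a pf.conf fragment for a FreeBSD server. This is an added example, not part of the original message; the interface name, addresses and service ports are assumptions.

```conf
# /etc/pf.conf -- constructed example, all values below are assumptions
ext_if       = "em0"             # assumed LAN-facing interface
admin_net    = "192.0.2.0/28"    # assumed management hosts (documentation range)
tcp_services = "{ 80 }"          # assumed public service on this server

# Option A: silent drop. Probes to closed ports get no RST and no ICMP
# reply, so a scanner sees them as "filtered" rather than "closed".
set block-policy drop
set skip on lo0

# Default deny for everything arriving on the LAN interface; "log" sends
# blocked packets to pflog0 so the scanning host can be identified.
block in log on $ext_if all

# Option B (use instead of the plain block above): answer probes with a
# specific response, so the port looks closed rather than filtered.
#   block return-rst in log on $ext_if proto tcp all
#   block return-icmp(port-unr) in log on $ext_if proto udp all

# Only the services that must be reachable are passed.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
     port $tcp_services flags S/SA keep state

# SSH and ping are limited to the management hosts.
pass in on $ext_if inet proto tcp from $admin_net to ($ext_if) \
     port 22 flags S/SA keep state
pass in on $ext_if inet proto icmp from $admin_net to ($ext_if) \
     icmp-type echoreq keep state

# Outbound traffic from the server itself is allowed and tracked.
pass out on $ext_if all keep state
```

The syntax can be checked without loading the rules with `pfctl -nf /etc/pf.conf`. pf does not filter ARP, so a host on the same segment still answers ARP requests and is not hidden at layer 2; the ports that are passed also remain visible to a scan.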