Date: Wed, 13 Apr 2005 00:54:07 +0200
From: cpghost@cordula.ws
To: faisal gillani <fasi_74@yahoo.com>
Cc: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: all ports open ?
Message-ID: <20050412225407.GA2410@epia2.farid-hajji.net>
In-Reply-To: <20050412152651.9286.qmail@web51109.mail.yahoo.com>
References: <20050412152651.9286.qmail@web51109.mail.yahoo.com>

On Tue, Apr 12, 2005 at 08:26:50AM -0700, faisal gillani wrote:
> Well i port scanned couple of internet websites & got
> all ports open from that site , is that a security
> measure ?
> if yes how can i do that ?

First of all, to simulate an open port, all you need is a little
program that accept()s connections (on one port) and close()s
them immediately thereafter. As far as the scanner is concerned,
that port is open, because the peer completed the TCP handshake.

The next step is to redirect every connection from blocked ports
to that program. This is best done with a firewall, like pf.
The firewall will simply pass the connection attempt along to
that accept()er/close()er program.

The technique of capturing connections and redirecting them to
some dummy (logging!) program is often used in honeypots. If the
logging program does more than just closing the connections it
accepts, it could coax some hints out of the attacker (like
logging the attempted infection vector). This is however seldom
used.

Another use for that program is to be very slow after accepting
the connection, resulting in an effective tar pit.

Most firewalls simply reset blocked connections (resulting in
closed ports reports) or silently drop the packets (resulting in
"port firewalled" scan results).

> :)
> thanks
> Faisal

Cheers,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
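
The accept()/close() program described in the message above, sketched as an added example; it is not code from the original message. The function names decoy_listen and decoy_accept_close are hypothetical, and the listener binds to 127.0.0.1 on the assumption that a firewall redirect delivers the connections to it.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen on 127.0.0.1:port (0 = kernel picks one); returns fd or -1, stores the bound port. */
int decoy_listen(unsigned short port, unsigned short *bound)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    socklen_t len = sizeof sa;
    int on = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 64) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    if (bound) *bound = ntohs(sa.sin_port);
    return fd;
}

/* Accept one connection (the handshake is already complete, so a scanner
 * sees the port as open), record "addr:port" in peer, then close at once. */
int decoy_accept_close(int lfd, char *peer, size_t peerlen)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    char ip[INET_ADDRSTRLEN];
    int cfd = accept(lfd, (struct sockaddr *)&sa, &len);
    if (cfd < 0) return -1;
    const char *s = inet_ntop(AF_INET, &sa.sin_addr, ip, sizeof ip);
    snprintf(peer, peerlen, "%s:%u", s ? s : "?", (unsigned)ntohs(sa.sin_port));
    close(cfd);
    return 0;
}

int main(void)
{
    unsigned short port;
    char peer[64];
    int lfd = decoy_listen(0, &port);
    if (lfd < 0) return 1;
    fprintf(stderr, "decoy on 127.0.0.1:%u\n", (unsigned)port);
    while (decoy_accept_close(lfd, peer, sizeof peer) == 0)
        fprintf(stderr, "closed connection from %s\n", peer);
    return 0;
}
```

The log line shows the address the connection arrives from after the redirect; whether that is the original source address depends on how the firewall rule rewrites the packet.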