From: Paul Schmehl
To: questions@freebsd.org
Cc: Richard Yang
Date: Sat, 20 Dec 2008 16:52:21 -0600
Subject: Re: nessus report

--On December 19, 2008 11:32:51 PM -0600 Richard Yang wrote:

> hi,
> when i ran nessus against my bsd box, nessus can detect "the remote host
> is up".
> i don't understand how nessus can detect it...
> does anyone know how it is done?
> thanx

There are several ways to detect if a host is up. Responses to icmp
packets are one. Almost all hosts will respond to pings unless they're
prevented by a firewall.

Another way is the type of response to a probe of a port. Sometimes
services will respond differently if they're firewalled than if they're
not listening on a particular port. Also, very few computers have no
ports at all listening. For example, most unix boxes will be running
syslogd and listening on port udp/514. That is the default for that
daemon. Unless you reconfigured syslogd to listen on localhost only, it
will respond to probes.

Sometimes a host will respond to a probe with RSETs. It's very, very
hard to configure a box in such a way that it's impossible to detect that
it's up and running.

Run sockstat and look at what's listening on your computer. Then see if
you can figure out how to get it to stop listening on those ports.

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
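An added example, not part of the original thread, of the audit step Paul suggests: parse the table that FreeBSD's `sockstat -46l` prints and separate listeners bound to loopback from those bound to every interface (the ones a scanner on the network can reach). The sample table is constructed to mirror the syslogd-on-udp/514 case from the reply; the column layout is the one sockstat uses, and the function names are my own.

```python
from __future__ import annotations
from typing import List, NamedTuple

# Constructed sample of `sockstat -46l` output (FreeBSD column layout).
# Not captured from a real host; it models the syslogd default the reply describes.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    1234  6  udp4   *:514                 *:*
root     syslogd    1234  7  udp6   *:514                 *:*
root     sshd       1300  4  tcp4   *:22                  *:*
root     sendmail   1400  3  tcp4   127.0.0.1:25          *:*
root     sendmail   1400  4  tcp6   ::1:25                *:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


class Listener(NamedTuple):
    user: str
    command: str
    pid: int
    proto: str
    addr: str   # "*" means bound to all interfaces
    port: int


def parse_sockstat(text: str) -> List[Listener]:
    """Parse sockstat's whitespace-separated table; skip the header and any
    row whose foreign side is not the wildcard (i.e. an established connection)."""
    listeners: List[Listener] = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue
        user, command, pid, _fd, proto, local, foreign = fields[:7]
        if foreign != "*:*":
            continue
        # rpartition keeps IPv6 literals such as "::1" intact; only the last ':' splits the port
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(user, command, int(pid), proto, addr, int(port)))
    return listeners


def exposed(listeners: List[Listener]) -> List[Listener]:
    """Listeners bound to a non-loopback address: the ones a remote probe can elicit a reply from."""
    return [l for l in listeners if l.addr not in LOOPBACK]


if __name__ == "__main__":
    for l in exposed(parse_sockstat(SAMPLE_SOCKSTAT)):
        print(f"{l.command:10} {l.proto:5} {l.addr}:{l.port}  (pid {l.pid}, user {l.user})")
```

On a real FreeBSD host, feed it the output of `sockstat -46l` instead of the sample; syslogd's network socket is the usual first finding, and the daemon's `-ss` flag (in `syslogd_flags` in rc.conf) makes it open no network socket at all.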