-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 10 January 2002 04:14 pm, martin f krafft wrote:
> also sprach David Bishop <[EMAIL PROTECTED]> [2002.01.10.1634 +0100]:
> > I'm running a server that's hot to the net, and running some insecure
> > services (by necessity), like nfs. Of course, I used iptables to
> > block all those ports, using nmap and netstat to double check all my
> > open ports. However, what nmap reports back is "filtered" for those
> > ports. I would prefer if I could somehow make it so that they are
> > "closed" to the outside world, so that random j. hacker doesn't know
> > that I'm running that service at all. Is there some way to do that,
> > or do I just live with "filtered"?
>
> you can configure iptables to return ICMP type 3 "port unreachable"
> packets, just like the OS would, using the REJECT target. that's what
> you want to do to get your desired effect.
I'll look into that, thanks.

> however, DENYing has the advantage of *severely* slowing any portscan,
> and because obscurity is not a security measure[1] and REJECT not being
> any safer than DENY, you are really not gaining anything...

I don't care how long it takes them to scan, I'm more concerned about being
"picked up" by a script kiddie looking for people running nfs, or other
stuff. And finally, as opposed to common belief, obscurity *is* a security
measure. It's just not a complete, or even decent, solution by itself. As a
first line of defense, I'll use it :-)

> [1] because i actually believe that one should be able to post the
> entire LAN topology as well as server config and firewall config to the
> net, and *still* be secure,

When I'm not forced to run inherently insecure services on the box (cf.
nfs), I would agree. When I am, however, I'll take what I can get :-)

- --
D.A.Bishop
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8PvubEHLN/FXAbC0RAolSAKDfPLC/SMxqBInuqyZLj7eznoBsTgCeI7oQ
DX09+GIHhDg4Hf6pbT/fQus=
=sGPZ
-----END PGP SIGNATURE-----
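The DROP-versus-REJECT point discussed in the thread, worked through as an added example. This script is not something either poster sent; it is my own illustration and assumes eth0 is the Internet-facing interface and that the NFS-related listeners sit on the standard ports 111 (portmapper) and 2049 (nfsd), both TCP and UDP. One caveat worth knowing before picking the reject type: nmap only reports a TCP port as "closed" when it gets a RST back; a TCP port that answers with an ICMP port-unreachable is still listed as "filtered", so the TCP rules below use `--reject-with tcp-reset`. For UDP the ICMP type 3 code 3 answer is what nmap treats as "closed", so that is the reject type used there. Whichever variant you load, the allow rules for your trusted NFS clients must be inserted ahead of these, or they will be rejected along with everyone else.

```shell
#!/bin/sh
# Added example (not from the thread): build iptables rules that make the
# NFS-related ports look "closed" to an outside scanner instead of "filtered".
# Assumptions: WAN_IF is the Internet-facing interface, portmapper on 111 and
# nfsd on 2049 (standard ports; adjust for your host). Set IPTABLES to
# "echo iptables" to print the commands instead of loading them.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
NFS_TCP_PORTS="111 2049"
NFS_UDP_PORTS="111 2049"

# DROP variant: the scanner gets no answer at all, and nmap reports "filtered".
drop_rules() {
    for p in $NFS_TCP_PORTS; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -j DROP"
    done
    for p in $NFS_UDP_PORTS; do
        echo "-A INPUT -i $WAN_IF -p udp --dport $p -j DROP"
    done
}

# REJECT variant: answer the way a host with nothing listening would.
# TCP: a RST is what nmap classifies as "closed" (an ICMP port-unreachable
#      on a TCP port is still shown as "filtered").
# UDP: ICMP type 3 code 3 (port unreachable) is what nmap classifies as "closed".
reject_rules() {
    for p in $NFS_TCP_PORTS; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -j REJECT --reject-with tcp-reset"
    done
    for p in $NFS_UDP_PORTS; do
        echo "-A INPUT -i $WAN_IF -p udp --dport $p -j REJECT --reject-with icmp-port-unreachable"
    done
}

# Load one of the two rule sets. Allow rules for trusted LAN clients have to
# be inserted before these, otherwise your own NFS clients get rejected too.
apply_rules() {
    mode="$1"
    case "$mode" in
        drop)   rules=$(drop_rules) ;;
        reject) rules=$(reject_rules) ;;
        *) echo "usage: apply_rules drop|reject" >&2; return 2 ;;
    esac
    echo "$rules" | while IFS= read -r rule; do
        # word-splitting $rule into separate iptables arguments is intended
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}

# "sh nfs-hide.sh --dry-run" prints the REJECT rule set without touching the
# kernel; run apply_rules reject (as root) to load it for real.
if [ "${1:-}" = "--dry-run" ]; then
    IPTABLES="echo iptables" apply_rules reject
fi
```

With the REJECT rules loaded, a TCP SYN scan of 111 and 2049 from outside sees the same RST it would get from a port with no listener, and a UDP scan sees the same ICMP unreachable; the difference from DROP is visible only in the scan's timing, which is the trade-off the thread argues about.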