port scanning and hidden servers

Erik Norgaard norgaard at locolomo.org
Wed Sep 7 08:36:49 PDT 2005


Boris Karloff wrote:
> I have a user on my network with a Linux box that is
> performing a port scan on all the computers in my network
> manually. He's doing this 'because he can'. Although I've
> asked him not to, he continues to do so.
> 
> 1) How can I block or inhibit port scans launched against my
> FreeBSD servers from within my network?
> 
> 2) How can I 'hide' my FreeBSD servers from users on the
> network? (If they can't see them, then they don't know to
> scan them.)

1st: You can't really block a port scan; you can block your ports for 
incoming connections so you will appear to be offline. You can also 
configure your host to send particular types of ICMP responses.

2nd: Ok, so he sends some packets, but does this saturate the connection 
or in other ways interrupt service? Likely not, but if it does it should 
be against the "acceptable use policy" for the network, and complaining 
to the right person should cause his wires to be cut (if it's wired) or 
that he be blocked in the AP. If it's _your_ network then you can make 
it against the AUP and cut him off.

3rd: If you want to have some fun - ok, I don't know how legal this is - 
then you poison his ARP cache, effectively taking him off the network 
until it clears up.

This may? be done with arp-sk, or other tools are available.

Cheers, Erik
-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
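
Added example, not part of the original message: a pf.conf sketch of the two behaviours the reply's first point describes, silently dropping probes so the host appears offline versus answering with specific TCP/ICMP responses. The interface name, addresses and service list are assumptions chosen for illustration.

```conf
# /etc/pf.conf -- constructed example, not taken from the thread.
# Assumed values: interface em0, one trusted admin host, ssh and http.
ext_if       = "em0"
tcp_services = "{ ssh, http }"
table <admins> { 192.0.2.10 }

# Option A: silent drop. Blocked probes get no reply at all, so a
# scanner cannot tell a closed port from a host that is not there.
set block-policy drop

set skip on lo0

# Default deny for everything arriving on the LAN interface. Logged
# packets appear on pflog0, which gives a record of who is probing.
# ICMP echo requests are not passed anywhere below, so ping from
# non-admin hosts also goes unanswered.
block in log on $ext_if all

# Option B: choose the response per protocol instead of staying silent.
# Uncomment to send a TCP RST and an ICMP port-unreachable, which makes
# blocked ports look closed rather than filtered.
# block return-rst  in log on $ext_if proto tcp all
# block return-icmp in log on $ext_if proto udp all

# Only the listed admin hosts may open connections to the services.
# pf uses the last matching rule, so this overrides the blocks above.
pass in on $ext_if proto tcp from <admins> to ($ext_if) \
    port $tcp_services flags S/SA keep state

# Outbound traffic from the server itself stays allowed.
pass out on $ext_if all keep state

# Without a packet filter, FreeBSD's blackhole(4) sysctls give a similar
# silent-drop behaviour for ports with no listener (set in /etc/sysctl.conf):
#   net.inet.tcp.blackhole=2
#   net.inet.udp.blackhole=1
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.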


More information about the freebsd-questions mailing list