Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
--- on one host, say 192.168.168.192 ---
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
from another host
#nmap -sO -P0 192.168.168.192
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-25 08:34 IST
Interesting protocols on 192.168.168.192:
PROTOCOL STATE SERVICE
0 open hopopt
1 open icmp
2 open igmp
3 open ggp
4 open ip
5 open st
6 open tcp
7 open cbt
8 open egp
9 open igp
10 open bbn-rcc-mon
11 open nvp-ii
12 open pup
13 open argus
14 open emcon
15 open xnet
16 open chaos
17 open udp
18 open mux
19 open dcn-meas
20 open hmp
21 open prm
22 open xns-idp
23 open trunk-1
24 open trunk-2
25 open leaf-1
26 open leaf-2
27 open rdp
28 open irtp
29 open iso-tp4
30 open netblt
31 open mfe-nsp
32 open merit-inp
33 open sep
34 open 3pc
35 open idpr
36 open xtp
37 open ddp
38 open idpr-cmtp
39 open tp++
40 open il
41 open ipv6
42 open sdrp
<rest snipped>
Is there even a remote chance that these could get exploited? If they can, how can it be thwarted.
If an attack (if possible) is directed towards the upper layers (of the OSI stack), would/wouldn't the iptables rules block them?
I believe the -sO scan (IP protocol scan) is one of those "no reply from host == open" type of scans. The theory being that if you send a packet to a host with a protocol type that is un-supported, it will send back an error message. If the protocol is supported, then the remote host doesn't send back anything. So I guess it's almost like a "reverse"-type of scan. Fire up tcpdump when you do a -sO scan and you'll see that the remote host isn't sending any packets back at all. The problem with this scan (as you observed) is that if the host isn't replying then the scan thinks all the protocol types are supported.
So the scan packets are still getting dropped early on by iptables and aren't even touching those OSI layers yet.
Last edited by Capt_Caveman; 06-25-2004 at 12:22 AM.
-sO IP protocol scans: This method is used to determine which IP
protocols are supported on a host. The technique is to send raw
IP packets without any further protocol header to each specified
protocol on the target machine. If we receive an ICMP protocol
unreachable message, then the protocol is not in use. Otherwise
we assume it is open. Note that some hosts (AIX, HP-UX, Digital
UNIX) and firewalls may not send protocol unreachable messages.
This causes all of the protocols to appear "open".
Because the implemented technique is very similar to UDP port
scanning, ICMP rate limit might apply too. But the IP protocol
field has only 8 bits, so at most 256 protocols can be probed
which should be possible in reasonable time anyway.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.