Wednesday, January 26, 2011

Linux: playing hide-and-seek with the firewall using nmap (1)

A Linux system comes with a firewall, and once it is deployed the firewall can stop other hosts from scanning the machine.

A corporate network with a dedicated firewall can enforce similar restrictions, and an enterprise that has deployed an intrusion detection system can proactively block suspected malicious behaviour such as nmap scans. But nmap has options that let it play hide-and-seek with the firewall or the intrusion detection system. Some administrators have questioned the intent of the nmap developers in providing these options, since they are easily abused. A tool is neither good nor bad in itself; it depends on how it is used. Many system administrators use exactly these nmap options to improve the security of their network deployment, and I like to use the command to play hide-and-seek with the firewall and the other security software. In other words, I pose as an attacker to test whether the security system can block the attack and whether its logs record my tracks. Seen another way, this may also reveal vulnerabilities in the enterprise's security. There are many options of this kind; for reasons of space I have picked only some of the commonly used ones to explain.

First, fragmenting the packets. A firewall or a similar security device can filter scan packets, but this filtering policy is not very secure. If nmap is run with the -f option, the TCP header is split across several packets, and in that case the firewall or intrusion detection system finds it very hard to filter that TCP packet. In this way the nmap scan plays hide-and-seek with those security measures. With the -f option, the 20-byte TCP header is divided into three packets: two of them carry eight bytes of the TCP header each, and the third carries the remaining four bytes. The packet filter used by most security measures queues all IP fragments for reassembly and does not act on the fragments directly.

Because the packet has been split, these filters find it very hard to identify the type of the packet; only when the fragments are reassembled at the host do they form a valid TCP packet. In most cases security measures should reject such packets, because they place a heavy performance burden on the enterprise network, and both the firewall and the end device are affected. The Linux firewall has a configuration item that forbids queuing IP fragments and limits fragmented TCP packets. So nmap -f can deceive firewalls and other security measures to a certain extent, and we can use it to test whether our security software is really safe. As I understand it, this weakness has existed for many years, yet even now not all security products can prevent it effectively. Using the -f option therefore helps system administrators put their finger on the attacks that their security products can actually handle. If the firewall is configured to prohibit scanning and nmap -f then returns no results, the firewall policy is working. If on the contrary it still returns good results (though it may take longer), nmap -f has successfully played hide-and-seek with the firewall, and the system administrator needs to watch out for the security of the Linux firewall.

Second, scanning with a fake IP address. Firewalls and client computers usually record information about the visitor, such as its IP address. If you scan with the nmap command, the scanning host's IP address is therefore left on the firewall or on the client host, and leaving this kind of "evidence" is very undesirable for the scan. In addition, the system administrator may configure the firewall to allow scans only from a specific IP address and filter out scan packets from every other address.

In this case, to hide the true identity of the scanner or to use a legitimate address fraudulently, nmap needs a technique called source address spoofing. Speaking of this technique, I have to mention a new kind of mobile phone scam that has appeared recently and is very similar to source address spoofing. Sometimes we get a call or a text message from a friend asking us to send money. Although the phone shows the friend's number, the sender is not always your friend, because there is a technique that lets the sender attach any number they like as the caller number. Source address spoofing works the same way. Run as "nmap -S <spoofed IP address> <IP address to be scanned>", it lets an attacker hide their own IP address behind a fake one, and the fake address can be used whether or not it exists on the network; the firewall's or the operating system's logs then show the disguised IP address as well. So when buying security products such as a firewall, the Linux system administrator can use nmap -S to test whether the firewall can handle source address spoofing attacks, and for this reason some security products need a feature that prevents source address spoofing.

Third, using decoys for a covert scan. Source address spoofing can hide the identity of the scanner, but with this technique one scan can only pretend to be one IP address. A more popular way of hiding an IP address at present is to use decoy hosts. Simply put, the attacker uses several IP addresses that are already in use on the network as their own and scans the hosts on the network from all of them. The security equipment cannot tell which of those IP addresses is the real one; the firewall may, for example, record five to eight IP addresses as running the port scan. This is a relatively well-hidden and effective way of concealing one's IP address.
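As an added example from the defender's side (not code from the original post), the following Python script parses constructed iptables LOG-style firewall lines and surfaces the three behaviours discussed above: fragmented TCP packets arriving from one source (what the -f option produces), sources probing many ports, and several sources probing an identical port set in the same log window, which is the trace a decoy scan leaves. The log field names, the "MF"/"FRAG:" fragment markers and the port threshold are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed iptables LOG-style lines (assumed format, not from the original post).
# "MF"/"FRAG:<offset>" mark fragments; non-first fragments carry no TCP ports (no DPT).
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=28 ID=1001 MF PROTO=TCP SPT=40001 DPT=22
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=28 ID=1001 MF FRAG:1 PROTO=TCP INCOMPLETE [8 bytes]
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=24 ID=1001 FRAG:2 PROTO=TCP INCOMPLETE [4 bytes]
kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=44 ID=2001 PROTO=TCP SPT=50000 DPT=22
kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=192.0.2.10 LEN=44 ID=2002 PROTO=TCP SPT=50000 DPT=22
kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 LEN=44 ID=2003 PROTO=TCP SPT=50000 DPT=22
kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=44 ID=2004 PROTO=TCP SPT=50000 DPT=80
kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=192.0.2.10 LEN=44 ID=2005 PROTO=TCP SPT=50000 DPT=80
kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 LEN=44 ID=2006 PROTO=TCP SPT=50000 DPT=80
kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=44 ID=2007 PROTO=TCP SPT=50000 DPT=443
kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=192.0.2.10 LEN=44 ID=2008 PROTO=TCP SPT=50000 DPT=443
kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 LEN=44 ID=2009 PROTO=TCP SPT=50000 DPT=443
kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=60 ID=3001 DF PROTO=TCP SPT=51234 DPT=80
"""

def parse_line(line):
    """Return (src, dst_port or None, is_fragment) for a LOG line, else None."""
    src = re.search(r"\bSRC=([\d.]+)", line)
    if not src:
        return None
    dpt = re.search(r"\bDPT=(\d+)", line)
    frag = re.search(r"\bMF\b|\bFRAG:\d+", line) is not None
    return src.group(1), (int(dpt.group(1)) if dpt else None), frag

def analyse(log_text, min_ports=3):
    """Per-source summary: fragment counts, port scanners (>= min_ports distinct
    ports) and groups of scanners that probed an identical port set (decoy pattern)."""
    ports, frags = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dpt, frag = parsed
        if dpt is not None:
            ports[src].add(dpt)
        if frag:
            frags[src] += 1
    scanners = {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}
    by_portset = defaultdict(list)          # identical port set -> list of sources
    for s, p in scanners.items():
        by_portset[tuple(p)].append(s)
    decoy_groups = sorted(sorted(g) for g in by_portset.values() if len(g) > 1)
    return {"fragmented": dict(frags), "scanners": scanners, "decoy_groups": decoy_groups}
```

A decoy group tells the defender only that the addresses probed the same ports together; as the post notes, the log alone cannot say which of them is the real scanner.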
