Today I was experimenting with the FreeBSD TCP stack parameters with one target in mind: to prevent OS guessing through classical port scanners. One of the most classic scanners, the one that appeared in The Matrix movie as a h4x0r tool, brings me the next piece of output on a Wintendo machine:
Device type: general purpose
Running: Microsoft Windows 2000|2003|XP|Vista
Too many fingerprints match this host to give specific OS details
With the FreeBSD default parameters, it brings me the next piece of output with some basic pf and ipfw rules:
Device type: general purpose
Running: FreeBSD 7.X
OS details: FreeBSD 7.0-RELEASE, 7.1-RELEASE
But I’ve successfully prevented the OS guessing from this tool by modifying the stack parameters and random number generation parameters on my machine:
Retrying OS detection (try #2) against quake (XXX.XXX.XXX.XXX)
Host quake (XXX.XXX.XXX.XXX) appears to be up ... good.
All 80 scanned ports on quake (XXX.XXX.XXX.XXX) are filtered
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint: ...
Well, I think that this is a success over this kind of tool. The next and easy-to-apply settings on third-party software, such as the Apache web server, are merely a token on the way to securing the operating system.
BSD guys can use the blackhole feature plus some random number generation parameters to prevent the OS guessing… Linux guys seem to need some patches and third-party tools; I’m trying to figure out how to apply similar rules in WRT distributions by using the iptables features. Only then will I release some tips or a well documented paper.
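The post does not list the exact settings it changed, so the following /etc/sysctl.conf fragment is an added example, not the author's configuration: it assumes the "blackhole feature" refers to FreeBSD's blackhole(4) sysctls and that the "random number generation parameter" is net.inet.ip.random_id, and it adds the log_in_vain knobs so that the silently dropped probes still show up in the logs.

```conf
# /etc/sysctl.conf fragment (added example; assumed to match the post's "blackhole feature")
# Silently drop TCP segments and UDP datagrams aimed at closed ports instead of
# answering with a RST or an ICMP port-unreachable. To a scanner those ports then
# look "filtered" rather than "closed", which removes part of the OS fingerprint.
net.inet.tcp.blackhole=2    # 2 = drop any segment to a closed port (1 = SYN only)
net.inet.udp.blackhole=1    # 1 = drop datagrams to closed UDP ports
# Randomise the IP ID field so its sequence cannot be used as a fingerprint hint.
net.inet.ip.random_id=1
# Keep a record of the blackholed attempts: without an RST the probe leaves no
# trace at the client, so logging is the only place the defender sees it.
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
```

The file is read at boot; `sysctl -f /etc/sysctl.conf` loads it on a running system. One operational caveat: with blackhole enabled, a legitimate client that connects to a closed port no longer gets an immediate RST and has to wait for its own connect timeout, so expect slower failure reports from misconfigured peers, and watch the in_vain log lines for noisy scans rather than relying on firewall counters alone.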